06-28-2024 02:30 AM
I'm building two Dot1x policies in ISE. One wired, the other wireless. As the end devices are the same and can connect either wired or wireless, the only difference in the policy is the wired or wireless dot1x condition selected from Condition Studio. However, when either wired or wireless connect they are using the wired policy as it's the first policy.
Why is the wireless device hitting the wired policy if only wired_802.1x condition is set?
06-28-2024 06:49 AM
The connection is processed by the Wired-Dot1x Policy Set because you are currently matching on username starts with "host/" (albeit that rule appears to be currently disabled). Subsequently, the wireless connection is matching on the "Wired-Dot1x > Default" Authentication Policy because it's not a Wired authentication. Set the condition on the Policy Set itself to be "Wired_802.1X" only if you want only Wired 802.1X connections processed by that policy set.
Then make sure in your Wireless Policy Set you match on the condition "Wireless_802.1X"
06-28-2024 03:13 AM
Can I see a screenshot of the policy set?
MHM
06-28-2024 05:23 AM
06-28-2024 07:39 AM
Aw of course. That makes sense now you point it out.
Thanks
06-28-2024 05:33 AM
In this screen I see it's using the wired-dot1x policy from a wireless device. The NAS is the WLC.
06-28-2024 07:22 AM - edited 06-28-2024 07:23 AM
Is there a reason you are not using the wired/wireless conditions in the policy set vs the rule?
You have to think of ISE like a firewall: the conditions at the start will drop them into that policy set and run the rules. Since you are calling the host name only, it will hit whether wired or wireless.
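The first-match behaviour described in the replies above, as an added example that is not part of the thread and is not ISE code. It is a simplified model: the policy set and rule layout is reconstructed from the replies, the rule names "Wired", "Wireless" and "Dot1X" and the sample requests are constructed, and the two 802.1X conditions are assumed stand-ins based on NAS-Port-Type and Service-Type.

```python
# Simplified model of ISE policy evaluation (added example, not ISE code).
# Assumption: policy sets, and the rules inside them, are checked top-down
# and the first match wins.

def wired_8021x(req):      # assumed stand-in for the Wired_802.1X condition
    return req["nas_port_type"] == "Ethernet" and req["service_type"] == "Framed"

def wireless_8021x(req):   # assumed stand-in for the Wireless_802.1X condition
    return (req["nas_port_type"] == "Wireless - IEEE 802.11"
            and req["service_type"] == "Framed")

def host_username(req):    # username starts with "host/"
    return req["username"].startswith("host/")

def evaluate(policy_sets, req):
    """Return (policy set name, authentication rule name) selected for req."""
    for ps in policy_sets:
        if not ps["condition"](req):
            continue
        # Once a policy set is entered, later policy sets are never consulted.
        for rule in ps["authn_rules"]:
            if rule["condition"](req):
                return ps["name"], rule["name"]
        return ps["name"], "Default"
    return "Default", "Default"

def rule(name, condition):
    return {"name": name, "condition": condition}

# Layout described in the thread: set chosen by username, medium checked in a rule.
AS_POSTED = [
    {"name": "Wired-Dot1x", "condition": host_username,
     "authn_rules": [rule("Wired", wired_8021x)]},
    {"name": "Wireless-Dot1x", "condition": host_username,
     "authn_rules": [rule("Wireless", wireless_8021x)]},
]
# Suggested fix: the medium is the condition on the policy set itself.
CORRECTED = [
    {"name": "Wired-Dot1x", "condition": wired_8021x,
     "authn_rules": [rule("Dot1X", host_username)]},
    {"name": "Wireless-Dot1x", "condition": wireless_8021x,
     "authn_rules": [rule("Dot1X", host_username)]},
]
# Constructed sample requests: same machine identity, different access medium.
WIRED_REQ = {"username": "host/pc01.example.test",
             "nas_port_type": "Ethernet", "service_type": "Framed"}
WIRELESS_REQ = dict(WIRED_REQ, nas_port_type="Wireless - IEEE 802.11")

if __name__ == "__main__":
    for label, sets in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for kind, req in (("wired", WIRED_REQ), ("wireless", WIRELESS_REQ)):
            print(f"{label:10} {kind:9} -> {evaluate(sets, req)}")
```

In the "as posted" layout the wireless request lands in Wired-Dot1x and falls through to its Default authentication rule, which matches what the original poster saw in the live log.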
07-01-2024 12:07 AM
Hi Dustan
Just lack of experience, following guides and videos. There seem to be many ways to build ISE policies but I do see the benefit in the way you set it out. It's given me a bit to think about going forward.
Thanks