
Dot1x ISE policy

michael18

I'm building two Dot1x policies in ISE. One wired, the other wireless. As the end devices are the same and can connect either wired or wireless, the only difference in the policy is the wired or wireless dot1x condition selected from Condition Studio. However, when either wired or wireless connect they are using the wired policy as it's the first policy.

Why is the wireless device hitting the wired policy if only wired_802.1x condition is set?

 


Accepted Solutions

@michael18

The connection is processed by the Wired-Dot1x Policy Set because you are currently matching on username starts with "host/" (albeit that rule appears to be currently disabled). Subsequently, the wireless connection is matching on the "Wired-Dot1x > Default" Authentication Policy because it's not a Wired authentication. Set the condition on the Policy Set itself to be "Wired_802.1X" only if you want only Wired 802.1X connections processed by that policy set.

Then make sure in your Wireless Policy Set you match on the condition "Wireless_802.1X"


Can I see a screenshot of the policy set?

MHM

Screenshot attached.

thanks

 

Aw of course. That makes sense now you point it out.

thanks

 

 

In this screen I see it's using the wired-dot1x policy from a wireless device. NAS is the WLC.

Capture1.JPG

Is there a reason you are not using the wired/wireless conditions in the policy set vs the rule?

You have to think of ISE like a firewall: the conditions at the start will drop them into that policy set and run the rules. Since you are calling the host name only, it will hit whether wired or wireless.

Screenshot 2024-06-28 091813.jpg
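
The first-match behaviour described in this thread, as an added example that is not part of any post and is not Cisco code: a simplified Python model of top-down policy set selection. The RADIUS attribute values, the "Wireless-Dot1x" set name, the "Wired-Auth"/"Wireless-Auth" rule names and the attribute make-up of the two 802.1X conditions are assumptions.

```python
# Simplified model of top-down, first-match policy evaluation as discussed above.
# All requests and rule names below are constructed sample data.

def wired_8021x(req):     # assumed make-up: Service-Type Framed + NAS-Port-Type Ethernet
    return req["Service-Type"] == "Framed" and req["NAS-Port-Type"] == "Ethernet"

def wireless_8021x(req):  # assumed make-up: Service-Type Framed + wireless NAS-Port-Type
    return (req["Service-Type"] == "Framed"
            and req["NAS-Port-Type"] == "Wireless - IEEE 802.11")

def machine_name(req):    # the "username starts with host/" match from the thread
    return req["User-Name"].startswith("host/")

def always(req):
    return True

def evaluate(policy_sets, req):
    """Return (policy set, authentication rule) selected for one request."""
    for set_name, set_condition, auth_rules in policy_sets:
        if set_condition(req):
            # The first matching set owns the request; later sets are never tried.
            rule = next((name for name, cond in auth_rules if cond(req)), None)
            return set_name, rule
    return None, None

# Medium only checked inside the set, so the set itself accepts both media.
AS_POSTED = [
    ("Wired-Dot1x", machine_name, [("Wired-Auth", wired_8021x), ("Default", always)]),
    ("Wireless-Dot1x", machine_name, [("Wireless-Auth", wireless_8021x), ("Default", always)]),
    ("Default", always, [("Default", always)]),
]
# Medium checked on the policy set itself, as the accepted answer recommends.
CORRECTED = [
    ("Wired-Dot1x", wired_8021x, [("Default", always)]),
    ("Wireless-Dot1x", wireless_8021x, [("Default", always)]),
    ("Default", always, [("Default", always)]),
]

WIRED = {"User-Name": "host/laptop01.example.com",
         "Service-Type": "Framed", "NAS-Port-Type": "Ethernet"}
WIRELESS = dict(WIRED, **{"NAS-Port-Type": "Wireless - IEEE 802.11"})

if __name__ == "__main__":
    for label, sets in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for medium, req in (("wired", WIRED), ("wireless", WIRELESS)):
            print(f"{label:10} {medium:9} -> {evaluate(sets, req)}")
```
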

Hi Dustan

Just lack of experience, following guides and videos. There seem to be many ways to build ISE policies but I do see the benefit in the way you set it out. It's given me a bit to think about going forward.

Thanks