06-21-2018 08:50 AM
Good morning,
I'm relatively new to ISE, so please bear with me.
I work in a hospital where we have 1 WLAN dedicated to wireless medical devices (wireless x-ray units) which authenticate to a Cisco 5508 WLC using WPA2-PSK. The WLAN is mapped to VLAN 7.
We are going to be adding a large number of new medical devices (wireless pain pumps and telemetry equipment) but they need to be mapped to a different vlan. The new devices also support WPA2-PSK (existing and new do not support 802.1x). I don't want to create another SSID just for these devices as we are trying to cut down on the number of SSIDs in production. How can I configure ISE to put the new devices into vlan 604 but keep the existing devices in vlan 7 while using 1 SSID?
The WLC is running 8.5.131 and we have a mixture of 3702i and 3802i APs.
Thanks,
Ryan
06-21-2018 09:36 AM
ISE can return authorizations to WLC based on Airespace-WLAN-Id attribute and you handle the mapping in the infra. Of course, you would need to reconcile subnet assignments. Another option is to authorize to a specific Airespace-Interface-Name which is linked to same or different IP address space which is then linked to a specific infra VLAN.
06-21-2018 07:40 PM
If your new VLAN is 604 everywhere you can also just assign VLAN 604 to the authorization result. If you are doing FlexConnect you will need to make sure VLAN 604 exists on the APs.
06-22-2018 11:20 AM
As you are using WPA2/PSK and the devices don't support dot1x, you will have to try with MAC filtering in the ISE.
Can you try to create a MAB policy for the new medical equipment in the ISE and push the new VLAN in the MAB policy?
The default MAB policy will not push any VLAN back to the wireless controller and will authenticate the existing medical equipment.
Please note: MAC filtering authentication is not supported with FlexConnect local authentication.
06-22-2018 06:06 PM
I agree with all three comments.
You might also consider combining it with the Identity PSK feature (and/or Cisco ISE & WLC - WPA2-PSK WLAN: Per-Device | Cisco Communities).
For non-flexconnect, the WLC needs to have an interface residing on VLAN 604 for the override to work.
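As an added illustration (not code from the thread, from Cisco or from ISE), a small Python model of the outcome the replies above describe: MAB authorization keyed on a constructed endpoint identity group returns the RFC 3580 VLAN attributes for the new devices only, legacy devices get a plain Access-Accept and stay in VLAN 7, and a check over constructed WLC client records flags any client that did not land in its intended VLAN. The MAC addresses, group membership and record format are all constructed.

```python
import re

DEFAULT_VLAN = 7       # VLAN the shared SSID is mapped to on the WLC (from the thread)
NEW_DEVICE_VLAN = 604  # VLAN the new pain pumps / telemetry units must land in

def normalize_mac(mac: str) -> str:
    """Canonicalize aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed endpoint identity group for the new devices (hypothetical MACs).
NEW_DEVICE_GROUP = {normalize_mac(m) for m in ("00:A0:C9:11:22:33", "00a0.c911.2234")}

def authorize(mac: str) -> dict:
    """Model the two MAB rules: members of the new-device group get the RFC 3580
    VLAN-override attributes (Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6),
    Tunnel-Private-Group-ID=604); any other MAC gets a bare Access-Accept with no
    VLAN attributes, so the WLC leaves it in the SSID's default VLAN 7."""
    if normalize_mac(mac) in NEW_DEVICE_GROUP:
        return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                "Tunnel-Private-Group-ID": str(NEW_DEVICE_VLAN)}
    return {}

def expected_vlan(mac: str) -> int:
    """VLAN the client should end up in, given the reply authorize() returns."""
    return int(authorize(mac).get("Tunnel-Private-Group-ID", DEFAULT_VLAN))

def audit_clients(lines):
    """Compare 'mac=<mac> vlan=<n>' client records with the intended VLAN; return
    (mac, observed, expected) for each mismatch, e.g. a new device the override
    never reached because VLAN 604 is missing on a FlexConnect AP or the WLC has
    no interface on it."""
    wrong = []
    for line in lines:
        m = re.search(r"mac=(\S+)\s+vlan=(\d+)", line)
        if m:
            mac, vlan = normalize_mac(m.group(1)), int(m.group(2))
            if vlan != expected_vlan(mac):
                wrong.append((mac, vlan, expected_vlan(mac)))
    return wrong

# Constructed WLC client records (not real controller output).
SAMPLE_CLIENTS = [
    "client mac=00:a0:c9:11:22:33 vlan=604 ssid=MedDevices",  # new device, correct
    "client mac=00a0.c911.2234 vlan=7 ssid=MedDevices",       # new device, override missed
    "client mac=00:1b:63:aa:bb:cc vlan=7 ssid=MedDevices",    # legacy x-ray unit, correct
]
```

Running `audit_clients(SAMPLE_CLIENTS)` reports the second record, which is the symptom to look for after the change: a new device still sitting in VLAN 7 because the override was returned but could not be applied.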
06-25-2018 05:11 AM
Thanks everyone! I really appreciate all of your help.