Solved: Re: How to push an authorization profile from ISE to a 9800 WLC

etarnow · ‎08-03-2023

I am trying to create an authorization profile on ISE for machine authentication when using PEAP. (We are moving away from this but it has to be supported for now.) If a machine has never authenticated on wireless before, it should receive restricted access to only talk to AD to authenticate. I have been unable to figure out how to do this with ISE and a 9800 WLC (under version 17.10.x, I cannot use dACLs). Previously this was done by the Airspace ACL Name task but this doesn't seem to be supported by the 9800 controllers.

Is the way to go with web authentication? That seems geared more for guest access and not for this application.

Any help would be appreciated, thank you.

Arne Bier · ‎08-03-2023

Hello

Think of the 9800 like you would any Catalyst switch - you would use dACLs to achieve this.

Have a look at this link about dACLs on 9800.

In ISE, you would create the dACL, give it a name, and then in the ISE Authorization Profile, you can select that dACL from a drop down list.

View solution in original post

thomas · ‎08-23-2023

https://cs.co/ise-guides#WLC

https://cs.co/ise-resources#Wireless

both list the ISE and Catalyst 9800 Series Integration Guide which covers