craiglebutt
Enthusiast

iPSK For internal and external WLAN

We use iPSK for devices which don't belong to the company but require internet access, so this goes via a mobility anchor.

 

I'm just testing for an internal version of the iPSK, but all traffic seems to be hitting the policy for the external setup.

The calling station is different, the end point group is correct, the policy allows access.

 

Question is, can you have 2 separate policy sets for iPSK, one for an internal wireless network and 1 for a mobility anchor?


Cheers

1 REPLY
Greg Gibbs
Cisco Employee

If I understand correctly, you have two different SSIDs; one that is switched on an internal (Foreign) WLC and another that is tunneled to an external (Anchor) WLC. Both SSIDs are using PSK + RADIUS for authentication by the WLC and authorisation by ISE. Is that correct?

If the SSID names are unique, you can use the Called-Station-ID as a matching condition in your Policy sets to create differentiated AuthC/AuthZ policies. See the example in the "ISE Policies Based on SSID Configuration Examples" technote.

With current versions of ISE, you can use the 'Called-Station-ID ENDSWITH :SSIDname' matching condition without needing regex.
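
The Called-Station-ID condition from the reply above, as an added example that is not part of the original thread and is not Cisco code: a simplified Python model of top-down, first-match policy-set selection, showing why each set needs its own SSID suffix and why the suffix includes the leading colon. It assumes the WLC sends Called-Station-ID as the AP MAC, a colon, then the SSID; the policy-set names, SSIDs and MAC addresses are constructed sample values.

```python
# Added illustration: a simplified model of first-match policy-set selection.
# Policy-set names, SSIDs and MAC addresses are constructed sample values.

def select_policy_set(policy_sets, called_station_id):
    """Return the name of the first policy set whose suffix condition matches.

    policy_sets is an ordered list of (name, suffix). A suffix of None means
    the set has no SSID condition and therefore matches every request.
    """
    for name, suffix in policy_sets:
        if suffix is None or called_station_id.endswith(suffix):
            return name
    return "Default"

# Constructed Called-Station-ID values in the assumed <AP MAC>:<SSID> form.
INTERNAL = "aa-bb-cc-00-11-22:IPSK-Internal"
EXTERNAL = "aa-bb-cc-00-11-22:IPSK-External"
LOOKALIKE = "aa-bb-cc-00-11-22:Lab-IPSK-Internal"

# First set has no SSID condition, so it catches requests from both SSIDs.
UNSCOPED = [("iPSK-External", None), ("iPSK-Internal", ":IPSK-Internal")]

# One suffix condition per SSID, each including the leading colon.
SCOPED = [("iPSK-External", ":IPSK-External"),
          ("iPSK-Internal", ":IPSK-Internal")]

# Suffix without the colon also matches any SSID ending in the same text.
NO_COLON = [("iPSK-Internal", "IPSK-Internal")]

def demo():
    """Print which policy set each sample request lands in."""
    cases = (("unscoped", UNSCOPED), ("scoped", SCOPED), ("no colon", NO_COLON))
    for label, sets in cases:
        for csid in (INTERNAL, EXTERNAL, LOOKALIKE):
            ssid = csid.split(":", 1)[1]
            print(f"{label:9} {ssid:18} -> {select_policy_set(sets, csid)}")

if __name__ == "__main__":
    demo()
```
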
