
ISE 1.3 and multiple authorization conditions

Mike Elliott
Level 1

I am building an ISE 1.3 box and I want to know if the following is doable.

I have an AD forest that has several user groups configured:

  1. corporate
  2. BYOD
  3. demo

What I want to do is use these groups to assign wireless users to the correct VLAN based on membership of the above groups AND the type of device they are connecting from.

e.g. user1 logs into the wireless network from a Mac, and they belong to the corporate user group. I would like them to be put on the corporate VLAN.

However, if they log in from their iPhone and also belong to the BYOD group, they get put on the BYOD VLAN that has restricted access.

I am assuming I should add user1 to both the corporate and BYOD AD groups, then use conditions to determine what kind of device they are using, and then create an authorization profile to manage what VLAN they get dropped into. Then use an Airespace ACL to determine what resources they have access to.

Unfortunately the interface has changed quite a bit from 1.2 to 1.3 and I am not sure if this is doable.


2 Accepted Solutions

jj27
Spotlight

I would recommend using the BYOD functionality within ISE that utilizes device registration. All devices are put into the RegisteredDevices (by default) identity group within ISE, so your authorization policy can look at: If EndPointIdentityGroup=RegisteredDevices AND ADGroup=BYOD then = BYOD VLAN + ACL.

Put your BYOD registered rule above all others in the list so your corporate group rule doesn't override the BYOD one.

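The rule-ordering point above (a user in both the corporate and BYOD AD groups must hit the BYOD rule first) is easy to get wrong because ISE's authorization policy stops at the first matching rule. The following is an added example, not code from Cisco or from this thread: a small first-match model of an authorization policy with the thread's three AD groups, the RegisteredDevices endpoint identity group that BYOD onboarding populates, and one constructed authorization profile (VLAN plus Airespace ACL name) per network. The profile names, VLAN numbers, ACL names and sessions are all assumptions; the lint at the end flags BYOD members whose registered device would land anywhere other than the BYOD VLAN, which is exactly what happens when the corporate rule sits above the BYOD rule.

```python
"""Toy first-match model of an ISE-style authorization policy (added example,
not Cisco's code). Groups, profiles and sessions are constructed to mirror the
thread: AD groups corporate/BYOD/demo and the RegisteredDevices endpoint group."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """What ISE knows about one wireless 802.1X session (constructed values)."""
    user: str
    ad_groups: frozenset        # AD:ExternalGroups memberships
    endpoint_group: str         # endpoint identity group (RegisteredDevices, Unknown, ...)


@dataclass(frozen=True)
class Rule:
    """One authorization rule: every condition that is set must hold (logical AND)."""
    name: str
    profile: str                           # authorization profile to apply on match
    ad_group: Optional[str] = None         # AD:ExternalGroups EQUALS <group>
    endpoint_group: Optional[str] = None   # EndPointIdentityGroup EQUALS <group>

    def matches(self, s: Session) -> bool:
        if self.ad_group is not None and self.ad_group not in s.ad_groups:
            return False
        if self.endpoint_group is not None and self.endpoint_group != s.endpoint_group:
            return False
        return True


# Authorization profiles: VLAN plus the Airespace ACL name pushed to the WLC (constructed).
PROFILES = {
    "Corp-VLAN":    {"vlan": 10, "airespace_acl": "ACL-CORP"},
    "BYOD-VLAN":    {"vlan": 20, "airespace_acl": "ACL-BYOD-RESTRICTED"},
    "Demo-VLAN":    {"vlan": 30, "airespace_acl": "ACL-DEMO"},
    "Default-VLAN": {"vlan": 99, "airespace_acl": "ACL-LIMITED"},
}

BYOD = Rule("BYOD registered", "BYOD-VLAN", ad_group="BYOD", endpoint_group="RegisteredDevices")
CORP = Rule("Corporate", "Corp-VLAN", ad_group="corporate")
DEMO = Rule("Demo", "Demo-VLAN", ad_group="demo")
DEFAULT = Rule("Default", "Default-VLAN")   # catch-all for non-members, limited access


def authorize(rules, session):
    """First-match evaluation (ISE's default mode): returns (rule name, profile dict)."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, PROFILES[rule.profile]
    raise LookupError("no rule matched and no catch-all rule is present")


def vlan_for(rules, session):
    """Convenience: the VLAN the first matching rule would push for this session."""
    return authorize(rules, session)[1]["vlan"]


def misplaced_byod_devices(rules, sessions):
    """Lint: BYOD members whose registered device does not land on the BYOD VLAN."""
    return [s.user for s in sessions
            if "BYOD" in s.ad_groups and s.endpoint_group == "RegisteredDevices"
            and authorize(rules, s)[1] is not PROFILES["BYOD-VLAN"]]


# user1 is in both groups; the iPhone went through BYOD onboarding, the Mac did not.
USER1_IPHONE = Session("user1", frozenset({"corporate", "BYOD"}), "RegisteredDevices")
USER1_MAC = Session("user1", frozenset({"corporate", "BYOD"}), "Unknown")
CONTRACTOR = Session("user9", frozenset(), "Unknown")

CORP_FIRST = [CORP, BYOD, DEMO, DEFAULT]   # corporate rule wins for dual-group users
BYOD_FIRST = [BYOD, CORP, DEMO, DEFAULT]   # ordering recommended in the answer above

if __name__ == "__main__":
    for label, rules in (("corporate rule first", CORP_FIRST), ("BYOD rule first", BYOD_FIRST)):
        for s in (USER1_IPHONE, USER1_MAC, CONTRACTOR):
            name, prof = authorize(rules, s)
            print(f"{label:20} {s.user} ({s.endpoint_group:17}) -> {name:16} VLAN {prof['vlan']}")
        print(f"{label:20} misplaced:", misplaced_byod_devices(rules, [USER1_IPHONE, USER1_MAC]))
```

Running it shows user1's registered iPhone on VLAN 10 with the corporate rule on top and on VLAN 20 once the BYOD rule is moved above it, while the unregistered Mac stays on the corporate VLAN either way and a user in no group falls through to the limited default.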

Mark Massheder
Level 1

Hi Mike,

I had a similar requirement for wireless devices: to place specific computers that were authenticated against 802.1X but in addition needed to be put into specific VLANs, etc. based on AD Computer Group membership.

What I did was to pull the AD groups into ISE and then reference that group in the Authorization policy, with an Authorization profile created for each group that could have the VLAN, ACL, and other RADIUS attributes separate from the other groups. I also created a default rule to put non-AD group members into a default VLAN with limited access.

So to find Authorization Profiles you would choose Policy > Policy Elements > Results > Authorization > Authorization Profiles. Create an Authorization profile for each group that has the same attributes such as VLAN, ACL.

Then create the Authorization policy. I chose two conditions, but you could use just the one, i.e. replace the 1st condition Wireless 802.1X = If any > Condition > Wireless 802.1X and AD:ExternalGroup(ADGroup) > equals Network PC's > Then use (Authorization Profile) Network PC's.

Not sure if this offers any assistance.

Thanks

Mark


4 Replies

Mike Elliott
Level 1

Thanks Mark, this is essentially what I ended up doing. I set up a new SSID to onboard the devices, where I force them onto a sponsored guest type of portal. I ask them for AD credentials and then use the native supplicant to configure an EAP-TLS connection to the proper SSID.

I did find out, from Cisco TAC, that there is a new way to identify what VLAN the user should be put on. This is done in the Auth Profile. You can use the directive "Airespace-Wlan-ID".

In the provisioning process, I profile the device and check if it's a corporate asset or BYOD, then I check to see if it belongs to the proper AD group; it gets a specific provisioning profile which includes the proper SSID for the VLAN they want to connect to. I then created a WLAN for each of the VLANs and attached it to the right interface on the WLC. I created appropriate ACLs on the WLC, then I named those ACLs in the Authorization profile.

When the user goes through the provisioning process, they will be put on the proper WLAN based on AD membership and the type of device. Only EAP-TLS connections are allowed on the Corp/Demo and BYOD networks.

If user1 belongs to the Demo and BYOD AD Groups, their laptop will provision on the Demo network and their iPhone will provision on the BYOD network.

The only gotcha is that if the user wants to change from one network to another, they need to re-provision their device.

Hi Mike,

Glad it worked out.

Best wishes.

Mark