ISE 1.3 Disallow authentication to network based on group

kknuckles
Level 1

ISE 1.3

MS AD 2008R2

Two Groups: All Employees , All Students

Problem: Students connecting to the employee network

I have two wireless networks STUDENTS and EMPLOYEES. In ISE I have two authorization policies for these networks. In a prior effort to keep students from connecting to the employee network, I set the authorization policy to:

Employee: If (Wireless_802.1X AND AD1:ExternalGroups EQUALS mydomain/User Accounts/All Employees AND AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students) then: Employee_Profile

Unfortunately this did not work. Students have their own username and password in AD and so does each faculty/staff member. I have verified that the students are using their credentials and connecting to the employee network. Conversely, I can connect to the student network using an employee's credentials. The main issue is that with the students connecting to the employee network, they are using up all of the addresses in the applicable DHCP scope.

I need to disallow connection to the employee network by students and the student network by employees.

Any help would be appreciated!

Kevin


3 Replies

nspasov
Cisco Employee

Hi Kevin-

A couple of questions/suggestions:

- Is there a chance that the students are also part of the employee AD group? I know it is a silly question but I must ask :) In fact, when a successful authentication happens, you can open the "detailed authentication screen" for that session and see all of the AD groups that the user is a member of.

- Have you tested this yourself? For instance, you can create a test account in each group and then try it for yourself.

- Another silly question, but can you confirm that each SSID has a unique interface in the WLC, thus going to a different subnet/DHCP scope?

- I would make your authorization rule a bit simpler. I would like you to remove the:

"AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students"

When it comes to AD groups, ISE would process them in a "top-down" fashion and as soon as a match occurs, ISE would stop looking. I don't think this is the issue in your case but still worth the try. 

- If the main issue is lack of DHCP addresses then why not address that? :) For instance, you can:

1. Expand the DHCP scope (From let's say /24 to a /23)

2. Assign a "secondary IP" address to the L3 interface, thus giving it more subnets

3. Utilize "Interface Groups" in the WLC, that way you can have multiple subnets tied to the same SSID


Thank you for rating helpful posts! 

Thanks for the response but TAC provided me with the following document:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115734-ise-policies-ssid-00.html

It fit the bill. We had already verified everything else you mention; as our Jr. Admins are responsible for creating student users, we wanted to make sure they hadn't done something wrong, but they hadn't. Everything else was spot on correct.

The rule is much simpler by using a simple condition matching the WLAN ID and then the Employee group. Conversely, I applied the same principle to the student WLAN to keep employees from hitting the student network.
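The policy shape described in the reply above, as an added example that is not part of the original thread and not ISE code: a small simulation of ISE-style authorization rules evaluated top-down with first match wins, where each rule is bound to a WLAN ID and an AD group, so a student account on the employee WLAN (or an employee on the student WLAN) falls through to the default deny. The WLAN IDs, profile names and the `Airespace-WLAN-Id` attribute name are assumptions for illustration; the real WLAN IDs come from the WLC and can be confirmed in the session's detailed authentication report.

```python
"""Simulation of ISE authorization policy evaluation (added example, not ISE code).

A session carries the attributes ISE would see: the WLAN ID the WLC sends as the
Airespace-WLAN-Id RADIUS attribute and the AD groups returned as AD1:ExternalGroups.
Rules are evaluated top-down and the first match wins, which is ISE's default
behaviour; an unmatched session gets the policy's default result.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Group names as they appear in the thread.
EMPLOYEE_GROUP = "mydomain/User Accounts/All Employees"
STUDENT_GROUP = "mydomain/Students/All Students"

# Assumed WLAN IDs; in practice read them from the WLC's WLAN list.
EMPLOYEE_WLAN_ID = 1
STUDENT_WLAN_ID = 2


@dataclass(frozen=True)
class Session:
    user: str
    wlan_id: int                 # Airespace-WLAN-Id from the WLC (assumed attribute)
    groups: FrozenSet[str]       # AD1:ExternalGroups for the authenticated user
    wireless_dot1x: bool = True  # the Wireless_802.1X compound condition


@dataclass(frozen=True)
class Rule:
    name: str
    profile: str
    wlan_id: int
    group: str

    def matches(self, s: Session) -> bool:
        # All three conditions are ANDed, as in the simplified ISE rule.
        return s.wireless_dot1x and s.wlan_id == self.wlan_id and self.group in s.groups


# The corrected policy: one rule per WLAN, each bound to its own group.
POLICY: List[Rule] = [
    Rule("Employee", "Employee_Profile", EMPLOYEE_WLAN_ID, EMPLOYEE_GROUP),
    Rule("Student", "Student_Profile", STUDENT_WLAN_ID, STUDENT_GROUP),
]


def authorize(session: Session, policy: List[Rule] = POLICY, default: str = "DenyAccess") -> str:
    """Return the authorization profile for the first matching rule, else the default."""
    for rule in policy:
        if rule.matches(session):
            return rule.profile
    return default


def evaluate_all(sessions: List[Session], policy: List[Rule] = POLICY) -> dict:
    """Map each session's user/WLAN pair to its authorization result."""
    return {(s.user, s.wlan_id): authorize(s, policy) for s in sessions}


# Constructed sample sessions: an employee and a student, each trying both WLANs,
# plus a user who is (wrongly) in both groups, which nspasov asked about above.
SAMPLE_SESSIONS = [
    Session("alice", EMPLOYEE_WLAN_ID, frozenset({EMPLOYEE_GROUP})),
    Session("alice", STUDENT_WLAN_ID, frozenset({EMPLOYEE_GROUP})),
    Session("bob", EMPLOYEE_WLAN_ID, frozenset({STUDENT_GROUP})),
    Session("bob", STUDENT_WLAN_ID, frozenset({STUDENT_GROUP})),
    Session("carol", EMPLOYEE_WLAN_ID, frozenset({EMPLOYEE_GROUP, STUDENT_GROUP})),
    Session("carol", STUDENT_WLAN_ID, frozenset({EMPLOYEE_GROUP, STUDENT_GROUP})),
]

if __name__ == "__main__":
    for (user, wlan), result in evaluate_all(SAMPLE_SESSIONS).items():
        print(f"{user:6} on WLAN {wlan}: {result}")
```

Because every rule requires its own WLAN ID, a student on the employee WLAN never reaches a permitting rule and gets the default deny, which is what stops the DHCP scope from being exhausted; a user who is in both groups (carol) is simply admitted on each WLAN by that WLAN's rule, which is why checking group membership in the detailed authentication report is still worthwhile.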

Glad you were able to solve your issue! Also thank you for taking the time to come back and share the solution with everyone (+5) from me.

If your issue is resolved, you should mark the thread as "answered" :)
