Showing results for 
Search instead for 
Did you mean: 

ISE 1.4 profiling just for AD users.


Hello, I´m implementing ISE 1.4 in a wireless enviroment with WLC.

I´m deploying CWA and if the user is guest sponsored user/password I give internet access, but if the user is from Active Directory I do a Client provisioning with EAP-TLS and certificates for 802.1x in a different SSID. Everything works correctly and the client after the provisioning can connect perfectly to the new 802.1x SSID.

The problem is that I would like doing some profiling just for devices connected with AD user/password, my client has a wide range of devices (apple, windows, Android....) and I can not apply any differentiated profiling policy with the conditions ISE can give me. I would like to profile devices when in the CWA the user is from AD. But trying to create the profiling policies I have no access to the dictionary of my AD, only Radius, DHCP,DNS...etc dictionaries.

I also tried to create a custom dictionary without any success for my purposses.

How can I create a profiling policy with the confition that only applies to devices connected with AD credentials?


6 Replies 6

Rising star
Rising star

Profiling can't be differentiated like that, it works for all devices with a session in ISE. What you can do, and what is normally done, is to let profiling do it's job for every device, and then use multiple conditions in the authorization rules, that relate to both profiling profiles, and AD group memberships for example. This way you can have rules that only require a specific profiling profile, if user is also member of a specific group, or just authenticated via AD.

Hi Jan, thanks for your repsonse.

I understand what you say. What I wanted to do is to configure a profiling policy to create a new identity group with the devices connected with AD user/password. Then use this created group in the authorization rules. Then I wouldn´t do any job with the rest of the guest devices purging the unknown group every week.

Why would you wan't to use profiling for that? ISE already knows they where authenticated via AD and you can just use the "Identity Store" attribute to select those in your authorization rules, no need for profiling to do that.

I don´t have any endopoint in the identity store until they access by CWA. In that moment I wanted to put the endpoint used with AD credentials in a specific endpoint group.

I´m using the attribute "BYODRegistration - equals - yes" to do it.

Thanks for your support.

FYI. There is a dictionary called CWA that contains the following attributes:

- CWA_ExternalGroups

- CWA_Username

Can be used in authorization (not for profiling).Don't think addresses what you are trying to do but worth calling out

Thanks. I will check.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers