05-05-2016 12:23 AM - edited 03-10-2019 11:44 PM
Hi all,
Requirement:
We have categorized mobile users into three categories (VIP, EMP, MGMT), and three SSIDs have been configured in a FlexConnect environment. A normal PSK is configured, but we require some authentication such as MAC/username and password from ISE.
Please guide me on how to configure the SSID profile and what is required in ISE to achieve this requirement. We have the Base license in ISE and do not want profiling such as Apple devices, etc.
A user can bring any vendor's mobile phone in a group such as VIP and will get subnet A; EMP will get subnet B, etc.
How do we configure the policy in ISE so that we can add a mobile MAC address in ISE and it will be allowed to connect? Without a MAC entry it should not be allowed to connect to the SSID.
Thanks
Kamlesh
05-05-2016 06:35 PM
So let's say VIP devices connect to the VIP-SSID WLAN. The authorization rule would look like this:
That narrows it down so the MAC must be in the VIP group and connecting to the VIP-SSID WLAN in order to be permitted access to the network. You would require an authorization rule for each identity group. You can use ENDS WITH instead of CONTAINS in case you ever have another SSID that could contain VIP-SSID (e.g. VIP-SSID2) but don't want this rule to be processed for that connection.
The authentication rule would need to be configured to use the Internal Endpoints identity sequence.
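As an added illustration (not code from the thread, and not Cisco ISE itself), here is a small first-match simulation of the per-group authorization rules described above, so the difference between CONTAINS and ENDS WITH on Radius:Called-Station-ID can be checked for the VIP-SSID2 case. It assumes the WLC reports Called-Station-ID as "<AP-MAC>:<SSID>" and uses constructed MAC addresses for the identity groups.

```python
# Added example, not from the thread or from Cisco ISE: a first-match
# simulation of "MAC in identity group AND Called-Station-ID matches SSID".
# Assumption: the WLC sends Called-Station-ID as "<AP-MAC>:<SSID>".
# Identity groups hold constructed sample MACs, not real devices.

IDENTITY_GROUPS = {
    "VIP":  {"00:11:22:33:44:01"},
    "EMP":  {"00:11:22:33:44:02"},
    "MGMT": {"00:11:22:33:44:03"},
}

def ends_with(attr: str, value: str) -> bool:
    """ISE 'ENDS WITH' operator on a RADIUS attribute value."""
    return attr.endswith(value)

def contains(attr: str, value: str) -> bool:
    """ISE 'CONTAINS' operator on a RADIUS attribute value."""
    return value in attr

def make_rule(name, group, ssid, op, result):
    """One authorization rule: endpoint in identity group AND SSID condition."""
    def matches(mac, called_station_id):
        return mac in IDENTITY_GROUPS[group] and op(called_station_id, ssid)
    return (name, matches, result)

def build_policy(op=ends_with):
    # Rule order matters: ISE evaluates top-down and stops at the first match.
    return [
        make_rule("VIP-auth",  "VIP",  "VIP-SSID",  op, "PermitAccess-VIP"),
        make_rule("EMP-auth",  "EMP",  "EMP-SSID",  op, "PermitAccess-EMP"),
        make_rule("MGMT-auth", "MGMT", "MGMT-SSID", op, "PermitAccess-MGMT"),
    ]

def authorize(policy, mac, called_station_id, default="DenyAccess"):
    """Return (rule name, result) of the first matching rule, else the default."""
    for name, matches, result in policy:
        if matches(mac, called_station_id):
            return name, result
    return "Default", default

if __name__ == "__main__":
    ap = "aa-bb-cc-dd-ee-ff"                      # constructed AP MAC
    vip = "00:11:22:33:44:01"
    print(authorize(build_policy(), vip, f"{ap}:VIP-SSID"))            # VIP-auth
    print(authorize(build_policy(), vip, f"{ap}:VIP-SSID2"))           # Default
    print(authorize(build_policy(contains), vip, f"{ap}:VIP-SSID2"))   # VIP-auth
    print(authorize(build_policy(), "00:11:22:33:44:99", f"{ap}:VIP-SSID"))  # Default
```

The second and third calls show the point of the answer: with ENDS WITH a hypothetical VIP-SSID2 connection falls through to the default rule, while CONTAINS would wrongly hand it the VIP result.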
05-06-2016 01:04 AM
Thanks Joseph,
Your suggestion meets my requirement, thanks a lot. There is only one problem I am facing, in user authorization. We have another SSID for guest users, where users authenticate via the sponsor portal, and its authorization rule is:
rule name: guest-wireless
condition: wireless_mab
result: centralize web auth......redirect acl .....sponsor guest portal.
Now if we try to connect to the VIP, EMP or MGMT SSID, it also connects through the sponsor portal database without a MAC entry, and connects directly if the MAC is in the identity group. The SSID is configured with Layer 2 MAC filtering only.
How do we manage it so that only guest SSID users are redirected to the sponsor portal?
Thanks
Kamlesh