ISE 2.0 mobile authentication using mac address

kamlenegi
Level 1

Hi all,

Requirement:

We have categorized mobile users into three categories (VIP, EMP, MGMT), and three SSIDs have been configured in a FlexConnect environment. A normal PSK is configured, but we require some authentication from ISE, such as MAC address or username/password.

Please guide me on how to configure the SSID profile and what is required in ISE to achieve this requirement. We have the base license in ISE and do not want profiling (Apple devices, etc.).

Users can bring a mobile phone from any vendor; a user in a group such as VIP will get subnet A, EMP will get subnet B, etc.

How do I configure the policy in ISE so that we can add a mobile's MAC address in ISE and it will be allowed to connect? Without a MAC entry it should not be allowed to connect to the SSID.

Thanks

Kamlesh

2 Replies

Joseph Johnson (Accepted Solution)
Level 1
  1. Create an endpoint identity group for each category (VIP, EMP, MGMT).
  2. Add the MAC address for the mobile device to its respective identity group.
  3. Configure authentication rule to use the Internal Endpoints identity sequence.
  4. Create authorization rules that permit access based on endpoint identity group and SSID.

So let's say VIP devices connect to the VIP-SSID WLAN. The authorization rule would look like this:

  • Rule Name - VIP Wireless
  • Conditions - VIP and Radius:Called-Station-ID CONTAINS VIP-SSID
  • Permissions - PermitAccess

That narrows it down so the MAC must be in the VIP group and connecting to the VIP-SSID WLAN in order to be permitted access to the network. You would require an authorization rule for each identity group. You can use END WITH instead of CONTAINS in case you ever have another SSID that could contain VIP-SSID (e.g. VIP-SSID2) but don't want this rule to be processed for that connection.

The authentication rule would need to be configured to use the Internal Endpoints identity sequence.

kamlenegi
Level 1

Thanks Joseph,

Your suggestion meets my requirement, thanks a lot. The only problem I am facing is in user authorization. We have another SSID for guest users, who authenticate through the sponsor portal; its authorization rule is:

rule name: guest-wireless
condition: wireless_mab
result: centralized web auth, redirect ACL, sponsor guest portal.

Now if we try to connect to the VIP, EMP or MGMT SSID, it also connects through the sponsor portal database when there is no MAC entry, and connects directly if the MAC is in the identity group. The SSID is configured with only layer 2 MAC filtering.

How can I manage it now so that only guest SSID users are redirected to the sponsor portal?

Thanks

Kamlesh
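To show why the guest rule posted above catches the VIP, EMP and MGMT SSIDs, and how the Called-Station-ID condition from Joseph's rules narrows a rule (including the CONTAINS vs ENDS WITH point), here is an added Python model of first-match authorization rules; it is not ISE code and not from anyone in this thread. It assumes the WLC sends Called-Station-ID as "<AP MAC>:<SSID>", that every request in the model is Wireless_MAB, and all MACs, SSID names and rule names are constructed.

```python
from typing import Optional, Tuple

# Constructed sample data: endpoint identity groups keyed by endpoint MAC.
IDENTITY_GROUPS = {
    "VIP":  {"00:11:22:33:44:55"},
    "EMP":  {"00:11:22:33:44:66"},
    "MGMT": {"00:11:22:33:44:77"},
}

# rule = (name, required identity group or None, (operator, value) applied to
# the SSID part of Called-Station-ID or None, result). Wireless_MAB is assumed
# true for every request, so a rule with no other condition matches everything.
Rule = Tuple[str, Optional[str], Optional[Tuple[str, str]], str]

def ssid_of(called_station_id: str) -> str:
    # Assumed WLC format "<AP MAC>:<SSID>"; keep the text after the last colon.
    return called_station_id.rsplit(":", 1)[-1]

def matches(rule: Rule, mac: str, called_station_id: str) -> bool:
    _, group, ssid_cond, _ = rule
    if group and mac.upper() not in IDENTITY_GROUPS.get(group, set()):
        return False
    if ssid_cond:
        op, value = ssid_cond
        ssid = ssid_of(called_station_id)
        if op == "CONTAINS" and value not in ssid:
            return False
        if op == "ENDS_WITH" and not ssid.endswith(value):
            return False
    return True

def authorize(rules, mac: str, called_station_id: str) -> Tuple[str, str]:
    """First matching rule wins, like an ordered ISE authorization policy."""
    for rule in rules:
        if matches(rule, mac, called_station_id):
            return rule[0], rule[3]
    return "Default", "DenyAccess"

GROUP_RULES = [
    ("VIP Wireless",  "VIP",  ("CONTAINS", "VIP-SSID"),  "PermitAccess"),
    ("EMP Wireless",  "EMP",  ("CONTAINS", "EMP-SSID"),  "PermitAccess"),
    ("MGMT Wireless", "MGMT", ("CONTAINS", "MGMT-SSID"), "PermitAccess"),
]
# As posted: guest rule is Wireless_MAB only, so an unknown MAC on ANY SSID hits it.
POSTED_RULES = GROUP_RULES + [("guest-wireless", None, None, "CWA-Redirect")]
# Tightened: the guest rule also requires the guest SSID in Called-Station-ID.
FIXED_RULES = GROUP_RULES + [
    ("guest-wireless", None, ("ENDS_WITH", "Guest-SSID"), "CWA-Redirect")]
```

With FIXED_RULES an unknown MAC on VIP-SSID falls to the default deny instead of the portal redirect, while a VIP-group MAC on a hypothetical VIP-SSID2 still matches a CONTAINS rule but not an ENDS_WITH one.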