08-13-2019 03:15 AM
Hello all,
We currently operate a Wi-Fi network with 802.1x authentication based on a FreeRADIUS distribution.
Now we want to switch to ISE 2.6. So far everything works; however, one thing bothers me.
In the "Policy Sets" we have created a new policy which uses the username for "AAA override". It bothers me that under "Authorization Policy" a sub-rule must be created for each user, which checks which group he is in and then uses the values from this group and assigns the appropriate VLAN.
Can this not be solved more elegantly? For every user, the group with the override values is already stored.
Can someone tell me what I need to do to make sure the user is authenticated after being put into the group from their settings?
Background: we distribute about 1500 VLANs, so that would also be 1500 sub-rules in the authorization ... which I would like to avoid.
Thanks in advance.
René
08-15-2019 02:56 PM
Typically, group membership would be used for VLAN override. However, if you want a per-user VLAN, then you can use a dynamic attribute. See the per user/endpoint VLAN, ACL, SGT use case in the following document: