ISE AD Integration

Indula1
Level 1

There is a login problem with ISE and WiFi in our organization. We are using a Cisco WLC integrated with ISE. The issue is that any SSID can be accessed by users from any Active Directory group, even though Active Directory is integrated properly in ISE. What is the reason and how do we solve it?


Indula 

1 Accepted Solution

Accepted Solutions

ognyan.totev
Level 5

Hi, explain in more detail what happens and what you want to do.

Share with us some screenshot of configuration on ISE and in WLC.

What version of ISE do you use? Be more detailed please.


13 Replies


ISE version is 2.1.0

(attachments: ISE1.PNG, ISE2.PNG, wlc.PNG)

The only screenshot we need to see is your Policy Set that you have configured for each SSID. You should have specific policy sets configured for each SSID, and the authorization section should control exactly who can connect to that SSID. My guess is you are using the Cisco default policy set (which should be the first thing you disable) that allows everything on.

This is the policy set in ISE (attachment: policy.PNG)

As I see there, you have 2 SSIDs (staff and students).

What shows in the RADIUS live logs?

We need to see the authorization rules.

(attachments: staff.PNG, student.PNG)

Hi

Do you have RADIUS live logs from when they try to connect?

(attachment: live logs.PNG)

As I saw above, they match the correct authorization profiles, whatever you allow in these profiles. You must define an Air ACL in the WLC and use it in ISE.

How can I define an Air ACL in the WLC and how do I use it in ISE?

hslai
Cisco Employee

Adding to what ognyan.totev suggested, please check ISE RADIUS Live Logs for the authentication attempts. On the WLC, use debug commands, such as "debug client ...", to see the info from the WLC perspective. Also, consult Wireless LAN Controller Best Practices - Cisco Community.

Surendra
Cisco Employee

If your question is about how you can limit the rules to one specific SSID so that people logging into other SSIDs do not hit this rule, you can add an attribute to the current condition to check that RADIUS:Called-Station-Id contains <SSID name>. In the WLC, make sure the called station ID attribute being sent is set to AP-Mac-Address:SSID under the RADIUS server authentication settings. If you need detailed instructions, let me know.
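The following is an added example, not code from Cisco ISE, the WLC, or anyone in this thread. It models what the two answers above describe: ISE evaluating authorization rules in order, first match wins, with a rule set that checks only the AD group (the situation the original poster has) beside the same rules with the Called-Station-Id SSID condition added and a deny-by-default fallback. It assumes the WLC sends Called-Station-Id as "<AP-MAC>:<SSID>", as Surendra describes; the rule names, AD group names, authorization profile names and the request record are all constructed for illustration.

```python
"""Per-SSID authorization matching on the RADIUS Called-Station-Id.

Added example, not Cisco ISE code. It assumes Called-Station-Id arrives as
"<AP-MAC>:<SSID>" (AP MAC in dashed hex) and models ISE policy evaluation
as first-match over an ordered rule list. All names below are constructed.
"""

import re
from dataclasses import dataclass
from typing import Optional

# AP MAC in the dashed form, then ":" and the SSID text (assumed WLC format).
CALLED_STATION_ID_RE = re.compile(
    r"^(?P<ap_mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$"
)


def parse_called_station_id(value: str) -> Optional[tuple[str, str]]:
    """Return (ap_mac, ssid), or None if the attribute is not in AP-MAC:SSID form."""
    m = CALLED_STATION_ID_RE.match(value)
    if not m:
        return None
    return m.group("ap_mac").lower(), m.group("ssid")


@dataclass(frozen=True)
class Rule:
    name: str
    ad_groups: frozenset          # match if the user is in any of these; empty = no group check
    ssid: Optional[str]           # exact SSID required, or None for no SSID check
    profile: str                  # authorization profile returned on match


def evaluate(rules, request: dict, default_profile: str) -> tuple[str, str]:
    """First-match evaluation; returns (rule name, authorization profile)."""
    parsed = parse_called_station_id(request.get("Called-Station-Id", ""))
    ssid = parsed[1] if parsed else None
    groups = set(request.get("ad_groups", ()))
    for rule in rules:
        if rule.ad_groups and not (rule.ad_groups & groups):
            continue
        # Compare the SSID portion exactly, so "staff" does not match "staff-guest".
        if rule.ssid is not None and ssid != rule.ssid:
            continue
        return rule.name, rule.profile
    return "Default", default_profile


# Rules that look only at the AD group: a student account still gets a
# profile on the staff SSID, which is the behaviour the thread complains about.
LOOSE_RULES = [
    Rule("Staff", frozenset({"Domain Users/Staff"}), None, "StaffProfile"),
    Rule("Students", frozenset({"Domain Users/Students"}), None, "StudentProfile"),
]

# Same rules with the Called-Station-Id SSID condition added; the caller passes
# DenyAccess as the fallback instead of a permit-everything default.
TIGHT_RULES = [
    Rule("Staff", frozenset({"Domain Users/Staff"}), "staff", "StaffProfile"),
    Rule("Students", frozenset({"Domain Users/Students"}), "student", "StudentProfile"),
]

# Constructed request: a student account associating to the staff SSID.
STUDENT_ON_STAFF_SSID = {
    "User-Name": "student01",
    "ad_groups": ["Domain Users/Students"],
    "Called-Station-Id": "00-11-22-33-44-55:staff",
}


def compare(request: dict) -> dict:
    """Evaluate one request against both rule sets."""
    return {
        "loose": evaluate(LOOSE_RULES, request, "PermitAccess"),
        "tight": evaluate(TIGHT_RULES, request, "DenyAccess"),
    }


if __name__ == "__main__":
    for label, (rule_name, profile) in compare(STUDENT_ON_STAFF_SSID).items():
        print(f"{label}: matched rule {rule_name!r} -> {profile}")
```

Running it shows the student on the staff SSID matching the Students rule and receiving StudentProfile under the loose rules, while under the tight rules no rule matches and the default DenyAccess is returned. The example compares the SSID portion exactly rather than with a substring "contains" test, because a "contains staff" condition would also match an SSID such as "staff-guest"; if you build the condition in ISE with "contains", pick SSID names that are not prefixes of each other, or use an exact-match operator.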