
ISE Auth policy based on MAC OUI and SSID

kevin_miller
Level 1

I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.

Anyone know how to do this on ISE?  Two questions -

1) I can match based on WLAN-ID, but not SSID.  My WLAN-IDs for the same SSID don't match between controllers.  Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?  Or, is there a different attribute I can use that refers to the SSID?

2) What attribute do you use in ISE Authorization conditions to match OUI?  And can I match a list of OUIs?

4 Replies

Tarik Admani
VIP Alumni

Kevin,

Thanks for opening a TAC case. Basically, a bug was filed to fix the logging to show the correct calling station ID; currently the ISE reports show the (:) as the delimiter, and the pcap shows a hyphen.

Here is the bug to track this issue:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz41262

Thanks,

Tarik Admani

jan.nielsen
Level 7

1) I have never seen the actual SSID name anywhere in the RADIUS attributes coming from the controller. I always use airespace-wlan-id, and if you want to avoid creating multiple rules, make the IDs the same on all controllers.

2) Well, OUI is part of the MAC, so you could maybe use RegEx to filter out specific OUIs. Another way, if you have an advanced license, would be to use Profiling; then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authorization policy, e.g. "Profiled:Iphone"

kevin_miller
Level 1

Hi All.  Thanks for the replies.

I was able to do this -

Radius:Called-Station-ID MATCHES .*(SSID)$

Radius:Calling-Station-ID STARTS_WITH 1C-AB-A7

The first does match the SSID properly - so I don't need to worry about matching WLAN IDs between controllers.

Great info, I never noticed the SSID name in the calling station ID; maybe it's a new thing in the controller software?
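The two conditions from the thread, worked through offline as an added example (not part of the original posts and not Cisco code): it normalizes the Calling-Station-ID delimiter, which the thread notes differs between ISE reports and the pcap, checks the OUI against a list, and compares the SSID exactly rather than by suffix. It assumes Called-Station-ID carries the AP MAC followed by a colon and the SSID; the SSID name `CorpWLAN`, the second OUI and all sample values are constructed.

```python
import re

# Constructed policy data: 1C-AB-A7 is the OUI from the thread,
# 00-11-22 and the SSID name are made up for illustration.
BLOCKED_OUIS = {"1C-AB-A7", "00-11-22"}
PRODUCTION_SSID = "CorpWLAN"

def normalize_mac(value):
    """Return the MAC upper-cased and hyphen-delimited, or None if malformed."""
    digits = re.sub(r"[-:.]", "", value.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def oui_of(calling_station_id):
    """First three octets of the client MAC, whatever delimiter was sent."""
    mac = normalize_mac(calling_station_id)
    return mac[:8] if mac else None

def ssid_of(called_station_id):
    """SSID portion of '<AP MAC>:<SSID>' (assumed format), or None."""
    m = re.fullmatch(
        r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.*)",
        called_station_id.strip(),
    )
    return m.group(1) if m else None

def decide(calling_station_id, called_station_id):
    """'deny' when a blocked OUI joins the production SSID, else 'no-match'."""
    oui = oui_of(calling_station_id)
    ssid = ssid_of(called_station_id)
    if oui is None or ssid is None:
        return "no-match"  # malformed attribute: this rule does not apply
    # Exact comparison: a suffix-only regex such as .*CorpWLAN$ would also
    # match a different SSID named Lab-CorpWLAN.
    if ssid == PRODUCTION_SSID and oui in BLOCKED_OUIS:
        return "deny"
    return "no-match"

if __name__ == "__main__":
    samples = [  # constructed (Calling-Station-ID, Called-Station-ID) pairs
        ("1C-AB-A7-01-02-03", "00-1A-2B-3C-4D-5E:CorpWLAN"),
        ("1c:ab:a7:01:02:03", "00-1A-2B-3C-4D-5E:CorpWLAN"),
        ("1C-AB-A7-01-02-03", "00-1A-2B-3C-4D-5E:Lab-CorpWLAN"),
        ("AA-BB-CC-01-02-03", "00-1A-2B-3C-4D-5E:CorpWLAN"),
    ]
    for calling, called in samples:
        print(calling, called, "->", decide(calling, called))
```
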