cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4111
Views
0
Helpful
4
Replies

ISE Auth policy based on MAC OUI and SSID

kevin_miller
Level 1
Level 1

I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.

Anyone know how to do this on ISE?  Two questions -

1) I can match based on WLAN-ID, but not SSID.  My WLAN-IDs for the same SSID don't match between controllers.  Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?  Or, is there a different attribute I can use that refers to the SSID?

2) What attribute do you use in ISE Authorization conditions to match OUI?  And can I match a list of OUIs?

4 Replies 4

Tarik Admani
VIP Alumni
VIP Alumni

Kevin,

Thanks for opening a TAC case, basically a bug was filed to fix the logging to show the correct calling station id, currently the ISE reports show the (:) as the delimeter the pcap shows a hyphen.

Here is the bug to track this issue:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz41262

Thanks,

Tarik Admani

jan.nielsen
Level 7
Level 7

1) I have never seen the actual SSID name anywhere in the radius attributes coming from the controller, i always use airespace-wlan-id, and if you wan't to avoid creating multiple rules, make the id's the same on all controllers.

2) Well OUI is part of the mac, so you could maybe use RegEX to filter out specific OUI's. Another way, if you have advanced license, would be to use Profiling, then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authoriz. policy ex . "Profiled:Iphone"

kevin_miller
Level 1
Level 1

Hi All.  Thanks for the replys.

I was able to do this -

Radius:Called-Station-ID MATCHES .*(SSID)$

Radius:Calling-Station-ID STARTS_WITH 1C-AB-A7

The first does match the SSID properly - so I don't need to worry about matching WLAN IDs between controllers.

Great info, i never noticed the ssid name in the calling station id, maybe it's a new thing in the controller software ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: