12-09-2011 01:39 AM - edited 03-10-2019 06:37 PM
Hi forumers,
I have a POC situation as below:
A policy to restrict contractors so that they are only able to log in to the network using AP-01
There's no problem for me to do the authentication and authorization rules to get the contractor connected, but my challenge is how I should apply the "only able to log-in to the network using AP-01" requirement?
My AP is a Cisco 1041 AP. What should I do, and how, to make this happen and fulfill the requirement?
thanks
Noel
12-11-2011 11:02 AM
Noel,
Can you post the access-request that is sent from the AP to the ACS? Either we can use the NAS-IP-Address or see if the hostname is sent in one of the attributes and go from there.
Thanks,
Tarik Admani
12-14-2011 10:51 PM
Hi Tarik,
Sorry for the late reply.
I am using ISE v1.0, so where can I get this info from?
Thanks
Noel
12-15-2011 09:32 PM
It should be in the monitoring page under authentication, when you click on the magnifying glass you should be able to see the details of the attributes that are being sent.
Or you can run a report for radius authentication and export the pdf of the authentication details.
thanks,
Tarik Admani
03-13-2013 09:04 AM
I think at least you should get the "Called-Station-ID=
in your logs. So based on this you can define a policy that matches the AP radio and the SSID.
Take care if the AP is dual-radio: then you have 2 different MAC addresses on each AP in question.
03-13-2013 07:56 PM
Hi Kistjan,
Thanks for the reply.
So what's the deal with AP dual-radio? Do I need to insert two MAC addresses as Called-Station-ID?
Thanks
Noel
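The check discussed in this thread (match the AP radio and the SSID, allowing for two radio MACs on one AP) is sketched below as an added example; it is not from any poster and is not ISE configuration. It assumes the RFC 3580 `Called-Station-Id` layout (`AA-BB-CC-DD-EE-FF:SSID`, SSID optional); the MAC addresses, SSID and function names are constructed placeholders.

```python
import re

# Constructed placeholders, not values from the thread: both radios of AP-01.
AP01_RADIO_MACS = {"00-11-22-33-44-50", "00-11-22-33-44-60"}  # 2.4 GHz, 5 GHz
CONTRACTOR_SSID = "CONTRACTOR"

# MAC in aa-bb-.. / aa:bb:.. / aabb.ccdd.eeff / aabbccddeeff form,
# optionally followed by ':' and the SSID.
_CSID = re.compile(
    r"(?P<mac>[0-9A-F]{2}(?P<sep>[-:])(?:[0-9A-F]{2}(?P=sep)){4}[0-9A-F]{2}"
    r"|(?:[0-9A-F]{4}\.){2}[0-9A-F]{4}|[0-9A-F]{12})(?::(?P<ssid>.*))?",
    re.IGNORECASE,
)

def parse_called_station_id(value):
    """Return (MAC as upper-case hyphenated octets, SSID or None).

    Returns (None, None) when the attribute does not start with a MAC.
    """
    m = _CSID.fullmatch(value.strip())
    if m is None:
        return None, None
    digits = re.sub(r"[-:.]", "", m.group("mac")).upper()
    mac = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return mac, (m.group("ssid") or None)

def contractor_allowed(attrs):
    """True only when the request arrived through one of AP-01's radios
    on the contractor SSID; a missing or malformed attribute is denied."""
    mac, ssid = parse_called_station_id(attrs.get("Called-Station-Id", ""))
    if mac is None:
        return False
    return mac in AP01_RADIO_MACS and ssid == CONTRACTOR_SSID

if __name__ == "__main__":
    # Constructed Access-Request attribute sets.
    for csid in ("00-11-22-33-44-50:CONTRACTOR",   # AP-01, first radio
                 "00:11:22:33:44:60:CONTRACTOR",   # AP-01, second radio
                 "00-11-22-33-44-70:CONTRACTOR"):  # some other AP
        print(csid, "->", contractor_allowed({"Called-Station-Id": csid}))
```

Listing both radio MACs in the allow set is what covers the dual-radio case; a request from either radio of AP-01 matches, and any other AP is rejected.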