ISE Design Question

I have a few design questions regarding ISE v1.0.4.573

  1. Do the ISE 3395 gigabit ports support link aggregation? How can I utilize all 4 ports for uplink?
  2. When doing a standalone HA setup of 2x 3395, is there a heartbeat link between the two ISEs, or will they use the same uplink to the network for heartbeat and synchronizing?
  3. I am designing ISE with a WLC. My WLC (5508) setup is 5 floors with different VLANs but the same SSID. How can I make ISE authenticate in this scenario, since WGB AP is not supported in ISE v1.0? Is there a workaround for this type of WiFi setup in ISE?
  4. Continuing from the above setup, while roaming from one floor to another floor after changing VLAN, will the user re-authenticate or use the same session?

Thanks for the help.

Regards,

Zohaib

7 Replies

1. The current version does not support link aggregation.

2. They will use the same uplink to the network for heartbeat and synchronizing.

3. My suggestion is to assign your SSID an interface group, containing all interfaces belonging to your VLANs, on your WLC and set AAA override. Then, in ISE, create authorization profiles which include the appropriate VLAN. Use the RADIUS attribute Called-Station-ID with your AP MAC address as the condition.

4. They will use the same session.


Thank you for the reply, it really helped a lot. For some reason the called-station-id attribute was not matching, but the interface group solved most of my problem.

Is there a way to use wildcard symbols for defining the SSID in the called-station-id? For example, I want to use *Employee as the attribute value so that it matches any AP MAC with SSID Employee.


You could use the following regular expressions to accomplish this:


String ends with Employee:  .*(Employee)$
String contains Employee:  .*(Employee).*

Please note the use of the dots.


I tried both strings but it's not matching the authentication policy. When I copied the whole called-station-id from the authentication failure report, then it matches.

For example:    d8-24-bd-95-b8-80:Employee

But anything else, it wouldn't match. Is there a link that I can refer to for putting wildcard expressions in ISE for RADIUS?


There is some documentation in the Cisco Identity Services Engine User Guide, Release 1.0.4.pdf document, on pages 16-14 and 16-19 to 16-21, but it is quite minimal.


I found a document for the CLI where the wildcard attributes are mentioned in detail. It seems that the expression you provided above is correct, and the called-station-id should not be used with "Equals" but with "Matches" for wildcard attributes. I found this mistake and now everything is working perfectly.

Thanks again Dennis.
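As an added illustration (example code written for this page, not part of the original thread or of ISE), the Python below models the difference the thread turns on: "Equals" compares the Called-Station-Id literally, so a glob like *Employee never hits, while "Matches" treats the condition value as a regular expression. The sample Called-Station-Id values are constructed; the first is the one quoted above. It is assumed that ISE's "Matches" requires the pattern to cover the whole attribute value (which is why the thread's patterns begin with .*); `re.fullmatch` models that assumption.

```python
import re

# Constructed sample Called-Station-Id values in the "<AP radio MAC>:<SSID>" form
# the WLC sends. The first is the value quoted in the thread; the rest are made
# up to exercise the other cases.
SAMPLE_CALLED_STATION_IDS = [
    "d8-24-bd-95-b8-80:Employee",
    "d8-24-bd-95-b8-81:Guest",
    "00-11-22-33-44-55:Employee",
    "00-11-22-33-44-56:Employee-Guest",
]

# The two regular expressions suggested in the thread.
ENDS_WITH_EMPLOYEE = r".*(Employee)$"
CONTAINS_EMPLOYEE = r".*(Employee).*"


def equals(attr_value, condition_value):
    """The 'Equals' operator: a literal string comparison, so '*' is not a wildcard."""
    return attr_value == condition_value


def matches(attr_value, pattern):
    """The 'Matches' operator: the condition value is a regular expression.

    Assumption: the pattern has to cover the whole attribute value, which is
    why the thread's patterns start with '.*'; re.fullmatch models that here.
    """
    return re.fullmatch(pattern, attr_value) is not None


def split_called_station_id(value):
    """Split 'aa-bb-cc-dd-ee-ff:SSID' into (mac, ssid).

    Only the first ':' separates MAC and SSID, since an SSID may itself
    contain ':'. The MAC is lower-cased so comparisons are case-insensitive.
    """
    mac, sep, ssid = value.partition(":")
    return mac.lower(), (ssid if sep else "")


def evaluate(values):
    """For every value, report whether the rule would fire under each operator."""
    report = {}
    for value in values:
        report[value] = {
            # What the poster first tried: a glob-style '*Employee' with Equals.
            "equals_wildcard": equals(value, "*Employee"),
            # What did work with Equals: the whole attribute copied from the
            # authentication failure report.
            "equals_exact": equals(value, "d8-24-bd-95-b8-80:Employee"),
            "matches_ends_with": matches(value, ENDS_WITH_EMPLOYEE),
            "matches_contains": matches(value, CONTAINS_EMPLOYEE),
            # Strictest option: compare the SSID component alone.
            "ssid_equals": split_called_station_id(value)[1] == "Employee",
        }
    return report


def rule_hits(values, pattern):
    """Values that a 'Matches <pattern>' condition would accept."""
    return [v for v in values if matches(v, pattern)]


if __name__ == "__main__":
    for value, outcome in evaluate(SAMPLE_CALLED_STATION_IDS).items():
        print(value)
        for operator, hit in outcome.items():
            print(f"  {operator:<18} {'match' if hit else 'no match'}")
```

Two things worth noticing when running it: the "contains" pattern `.*(Employee).*` also accepts a constructed SSID such as Employee-Guest, so the anchored `.*(Employee)$` (or comparing the SSID component after the colon) is the safer condition for an authorization rule that assigns a VLAN; and Called-Station-Id is simply whatever the WLC puts in the RADIUS request, so a rule keyed on it is only as trustworthy as the network device that sent it.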


I am not sure if I am understanding the problem. But at least in ACS 5.2 there was a "compound selection" match that could be done. In cases where we need to match only the SSID, the WLC sends the AP radio MAC and then the SSID at the end of the string. So if we only want to match the SSID, the solution was to do a compound selection and use "ends with: employee" for the called-station-ID. That at least worked fine for me. It must be similar for ISE.
