02-26-2012 12:33 AM - edited 03-10-2019 06:51 PM
I have a few design questions regarding ISE v.1.0.4.573
Thanks for the help.
Regards,
Zohaib
02-28-2012 01:26 AM
1. The current version does not support link aggregation.
2. They will use the same uplink to the network for heartbeat and synchronizing.
3. My suggestion is to assign your SSID an interface group, containing all interfaces belonging to your VLANs, on your WLC and set AAA override. Then, in ISE, create authorization profiles which include the appropriate VLAN. Use RADIUS attribute Called-Station-ID with your AP MAC address as condition.
4. They will use the same session.
03-04-2012 11:49 PM
Thank you for the reply, it really helped a lot. For some reason the called-station-id attribute was not matching but the interface group solved most of my problem.
Is there a way to use wildcard symbols for defining SSID in the called-station-id? For example, I want to use *Employee as the attribute value so that it matches any AP MAC with SSID Employee.
03-05-2012 05:30 AM
You could use the following regular expressions to accomplish this:
String ends with Employee: .*(Employee)$
String contains Employee: .*(Employee).*
Please note the use of the dots.
03-06-2012 12:40 AM
I tried both strings but it's not matching the authentication policy. When I copied the whole called-station-id from the authentication failure report then it matches.
For example: d8-24-bd-95-b8-80:Employee
But anything else, it wouldn't match. Is there a link that I can refer to for putting wildcard expressions in ISE for RADIUS?
03-06-2012 07:02 AM
There is some documentation in the Cisco Identity Services Engine User Guide, Release 1.0.4.pdf document, on page 16-14 and 16-19 to 16-21, but it is quite minimal.
03-06-2012 11:30 PM
I found a document for the CLI where the wildcard attributes are mentioned in detail. It seems that the expression you provided above is correct and the called-station-id should not be used with "Equals" but with "Match" for wildcard attributes. I found this mistake and now everything is working perfectly.
Thanks again Dennis.
03-13-2013 07:19 AM
I am not sure if I am understanding the problem. But at least in ACS 5.2 there was a "compound selection" match that could be done. In cases where we need to match only the SSID, the WLC sends the AP radio MAC and then the SSID at the end of the string. So if we only want to match the SSID, the solution was to do a compound selection and use the "ends with:employee" for the called station-ID. That at least worked fine for me. It must be similar for ISE.
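Added example, not part of any post in this thread and not Cisco code: a Python sketch comparing an "Equals" condition with a regular-expression "Match" on Called-Station-ID values in the `AP-MAC:SSID` form quoted above. It assumes the Match operator tests the pattern against the whole attribute value (modelled here with `re.fullmatch`); the `STRICT` pattern and every sample except the first are constructed for illustration.

```python
import re

# Called-Station-ID values in the "AP-radio-MAC:SSID" form shown in the thread.
SAMPLES = [
    "d8-24-bd-95-b8-80:Employee",        # value quoted in the thread
    "d8-24-bd-95-b8-81:Employee-Guest",  # constructed: SSID only starts with Employee
    "d8-24-bd-95-b8-82:NotEmployee",     # constructed: SSID only ends with Employee
    "d8-24-bd-95-b8-83:Guest",           # constructed: unrelated SSID
]

ENDS_WITH = r".*(Employee)$"   # pattern from the thread
CONTAINS = r".*(Employee).*"   # pattern from the thread
# Assumption, not from the thread: anchor on the MAC and the ':' separator so
# that only the exact SSID "Employee" satisfies the condition.
STRICT = r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}:Employee$"


def equals(value, operand):
    """Literal comparison: a regex used as the operand is just a string."""
    return value == operand


def matches(value, pattern):
    """Regex comparison against the whole attribute value (assumed semantics)."""
    return re.fullmatch(pattern, value) is not None


def evaluate(samples=SAMPLES):
    """Return, per sample, the outcome of each condition type."""
    return {
        v: {
            "equals_regex_text": equals(v, ENDS_WITH),
            "ends_with": matches(v, ENDS_WITH),
            "contains": matches(v, CONTAINS),
            "strict": matches(v, STRICT),
        }
        for v in samples
    }


if __name__ == "__main__":
    for value, outcome in evaluate().items():
        print(f"{value:36} {outcome}")
```

The two patterns from the thread also accept SSIDs that merely contain or end in "Employee", so a rule that assigns a VLAN on this condition is tighter when the separator is part of the pattern.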