ISE - Network Devices - Split larger IP range into smaller ones

dal
Level 3

Hi.

We have several businesses, each of which has been assigned a class B subnet, for example 172.21.xx /16, 172.27.xx /16, etc.

But each business has several locations, each of which normally has a class C subnet assigned to it.

This is a structure I would very much like to build in ISE also.
This is very practical when making authorization profiles and you need to pinpoint where the customer is trying to access the WIFI. You know, to assign the correct VLAN, etc.

But when I try to do just that, I get this error:
Failed to create network device - given IP subnet overlaps with existing network device: Business1.

Why oh why?

Is there a way around this? If not, PLEASE implement this feature!

It was no problem doing this in ACS, so why should it be a problem here?

 

Thanks,

Accepted Solutions

M. Wisely
Level 4

Another way to determine where the wifi client is located is to use a NAS-Identifier, which you can specify on an AP group or WLAN (by default it's the WLC name), and you can use rules in ISE that make use of the NAS-Identifier RADIUS attribute. The disadvantages with NAS-Identifier are that you have to configure the AP group NAS-Identifier on the WLC, it cannot be done by template from PI, and you cannot do a report in ISE using a NAS-Identifier.


6 Replies

Hello.

This is an excellent tip! I was not aware of this, and I will try it out for sure. If it works as intended, it will solve my problem.
It would of course be easier to split the subnet; I cannot understand why this is not possible.

But I guess that is a feature we have to wait for, and I need a solution now.

Doing it from the WLCs is OK, since I have trouble assigning APs into AP Groups made in PI anyway (from PI, not in the WLCs).

Thanks again, I will let you know how it turned out.

This worked like a charm! :)

Thanks again.

Venkatesh Attuluri
Cisco Employee

You can also have an option of location to group NAD.

Hello.

Thanks for the tip.

But how do I do that, exactly?

 

Thanks.

I add all my NADs with a /32 address to limit auth access. I also add them to a group and then use the group in my authz rules.
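An added example, not part of the thread and not Cisco code: a pre-check that flags the subnet overlaps behind the error quoted in the question, then resolves a NAS IP to a location group as in the /32-plus-group approach above. The inventory, the group labels and the helper names are constructed for illustration, and the overlap rule is modelled only on that error message.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: (device name, IP or subnet, location group label).
PLANNED = [
    ("Business1", "172.21.0.0/16", "Business1"),
    ("Business1-SiteA", "172.21.10.0/24", "Business1/SiteA"),
    ("Business2-WLC1", "172.27.10.5/32", "Business2/SiteA"),
    ("Business2-WLC2", "172.27.20.5/32", "Business2/SiteB"),
]

def find_overlaps(devices):
    """Return (name_a, name_b) pairs whose address ranges overlap."""
    nets = [(n, ipaddress.ip_network(c, strict=False)) for n, c, _ in devices]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2)
            if na.version == nb.version and na.overlaps(nb)]

def location_for(nas_ip, devices):
    """Return the location group of the single entry matching nas_ip, or None.

    Hypothetical helper: refuses to answer while the inventory still contains
    overlapping entries, since a NAS IP could then match more than one device.
    """
    clashes = find_overlaps(devices)
    if clashes:
        raise ValueError(f"overlapping entries: {clashes}")
    addr = ipaddress.ip_address(nas_ip)
    for _, cidr, group in devices:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return group
    return None

if __name__ == "__main__":
    # The /16 "Business1" entry collides with the /24 site entry inside it.
    print(find_overlaps(PLANNED))
    # Dropping the /16 leaves only non-overlapping, per-site entries.
    fixed = [d for d in PLANNED if d[0] != "Business1"]
    print(location_for("172.27.20.5", fixed))
```

Running the overlap check over a planned device list before entering it shows which entries would collide, and which per-site or /32 entries can carry the location through a group instead.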
