06-08-2015 06:38 AM - edited 03-10-2019 10:47 PM
Hi.
We have several businesses, each of them have assigned a class B subnet, for example 172.21.xx /16, 172.27.xx /16, etc.
But each business has several locations, that normally has a class C subnet assigned to it
This is a structure I would very much like to build in ISE also.
This is very practical when making authorization profiles and you need to pinpoint where the customer are trying to access the WIFI. You know, to assign the correct VLAN, etc.
But when I try to do just that, I get this error:
Failed to create network device - given IP subnet overlaps with existing network device: Business1.
Why oh why?
Is there a way around this? If not, PLEASE implement this feature!
It was no problem doing this in ACS, so why should it be a problem here?
Thanks,
Solved! Go to Solution.
06-08-2015 08:16 AM
Another way to determine where the wifi client is located is to use a nas-identifier which you can specify on an AP group or WLAN (by default it's the WLC name) and you can use rules in ISE that make use of the nas-identifier radius attribute. The disadvantages with NAS-Identifier is that you have to configure the AP group nas identifier on the WLC, it cannot be done by template from PI and you cannot do a report in ISE using a nas identifier.
06-08-2015 08:16 AM
Another way to determine where the wifi client is located is to use a nas-identifier which you can specify on an AP group or WLAN (by default it's the WLC name) and you can use rules in ISE that make use of the nas-identifier radius attribute. The disadvantages with NAS-Identifier is that you have to configure the AP group nas identifier on the WLC, it cannot be done by template from PI and you cannot do a report in ISE using a nas identifier.
06-08-2015 08:29 AM
Hello.
This is an excellent tip! I was not aware of this, and I will try it out for sure. If it works as intended, it will solve my problem.
It would of course be easier to split the subnet, I cannot understand why this is not possible.
But I guess that is a feature we have to wait for, and I need a solution now.
Doing it from the WLC's is OK, since I have trouble assigning AP's into AP Groups made in PI anyway (from PI, not in the WLC's)
Thanks again, I will let you know how it turned out.
08-25-2015 02:36 AM
This worked like a charm! :)
Thanks again.
06-11-2015 03:53 AM
you can also have a option of location to group NAD
06-15-2015 11:58 AM
Hello.
Thanks for the tip.
But how do I do that, exactly?
Thanks.
09-02-2015 03:28 AM
I add all my NADs with a /32 address to limit auth access. I also add them to a group and then use the group in my authz rules.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide