cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

719
Views
0
Helpful
6
Replies
Highlighted
dal Participant
Participant

ISE - Network Devices - Split larger IP range into smaller ones

Hi.

We have several businesses, each of them have assigned a class B subnet, for example 172.21.xx /16, 172.27.xx /16, etc.

But each business has several locations, that normally has a class C subnet assigned to it

This is a structure I would very much like to build in ISE also.
This is very practical when making authorization profiles and you need to pinpoint where the customer are trying to access the WIFI. You know, to assign the correct VLAN, etc.

But when I try to do just that, I get this error:
Failed to create network device - given IP subnet overlaps with existing network device: Business1.

Why oh why?

Is there a way around this? If not, PLEASE implement this feature!

It was no problem doing this in ACS, so why should it be a problem here?

 

Thanks,

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Participant

Another way to determine

Another way to determine where the wifi client is located is to use a nas-identifier which you can specify on an AP group or  WLAN (by default it's the WLC name) and you can use rules in ISE that make use of the nas-identifier radius attribute. The disadvantages with NAS-Identifier is that you have to configure the AP group nas identifier on the WLC, it cannot be done by template from PI and you cannot do a report in ISE using a nas identifier.

View solution in original post

6 REPLIES 6
Highlighted
Participant

Another way to determine

Another way to determine where the wifi client is located is to use a nas-identifier which you can specify on an AP group or  WLAN (by default it's the WLC name) and you can use rules in ISE that make use of the nas-identifier radius attribute. The disadvantages with NAS-Identifier is that you have to configure the AP group nas identifier on the WLC, it cannot be done by template from PI and you cannot do a report in ISE using a nas identifier.

View solution in original post

Highlighted
dal Participant
Participant

Hello.This is an excellent

Hello.

This is an excellent tip! I was not aware of this, and I will try it out for sure. If it works as intended, it will solve my problem.
It would of course be easier to split the subnet, I cannot understand why this is not possible.

But I guess that is a feature we have to wait for, and I need a solution now.

Doing it from the WLC's is OK, since I have trouble assigning AP's into AP Groups made in PI anyway (from PI, not in the WLC's)

Thanks again, I will let you know how it turned out.

dal Participant
Participant

This worked like a charm! :

This worked like a charm! :)

Thanks again.

Highlighted
Cisco Employee

you can also have a option of

you can also have a option of location to group NAD

Highlighted
dal Participant
Participant

Hello.Thanks for the tip.But

Hello.

Thanks for the tip.

But how do I do that, exactly?

 

Thanks.

Highlighted
Beginner

I add all my NADs with a /32

I add all my NADs with a /32 address to limit auth access. I also add them to a group and then use the group in my authz rules.