Solved: ISE only be authorization for wireless users

yongwli · ‎05-28-2019

Hi Experts,

My customer already had authentication server for their wireless network, and they want to add ISE only as authorization server, is it possible?

Thanks

DL

Mike.Cifelli · ‎05-28-2019

IMO from an ISE perspective I think you could accomplish this. In your authentication policy you would need to configure the default options as the following:
If Auth Fail THEN Continue
If User not found THEN Continue
This will then proceed to authz policies where you can utilize a plethora of conditions to drive authorization profiles. On the switch side your AAA statements will probably need to be tweaked as well.
However, why would the customer want to manage two separate servers when you can consolidate the AAA services down to one server, ISE. I think juggling two servers, different licensing structures and costs, etc. that using ISE and another solution could potentially result in an admin overhead nightmare depending on the size of the environment. Anyways, Good luck & HTH!

View solution in original post

Mike.Cifelli · ‎05-28-2019

IMO from an ISE perspective I think you could accomplish this. In your authentication policy you would need to configure the default options as the following:
If Auth Fail THEN Continue
If User not found THEN Continue
This will then proceed to authz policies where you can utilize a plethora of conditions to drive authorization profiles. On the switch side your AAA statements will probably need to be tweaked as well.
However, why would the customer want to manage two separate servers when you can consolidate the AAA services down to one server, ISE. I think juggling two servers, different licensing structures and costs, etc. that using ISE and another solution could potentially result in an admin overhead nightmare depending on the size of the environment. Anyways, Good luck & HTH!