02-18-2025 12:32 AM
Hi
Internally we are using ISE for Wired/Wireless Dot1x. We have users that work out of a site that is not ours, and they have an SSID that we can connect to; they forward the RADIUS requests over to our Palo Firewall, which allows the flow to ISE on UDP 1812.
My question is what my ISE policy would need to be to allow this? All we want is for ISE to accept, then our users' VPN client should kick in once the RADIUS accept comes back. I just can't seem to visualize what the policy should be?
Thanks
02-18-2025 01:09 AM
@N3om you will need to use a condition to uniquely identify the incoming request from the 3rd party site, so you could match on Radius NAS IP address (of the remote WLC). You could either have a dedicated policy set or use an existing policy set.
If you need further clarification, can you provide screenshots of your current policy sets.
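To illustrate the condition suggested above (steering requests from the third-party site into a dedicated policy set by NAS-IP-Address), here is an added Python example that is not from the thread or from Cisco ISE: it parses a RADIUS Access-Request, pulls out User-Name and NAS-IP-Address (RFC 2865 attribute types 1 and 4), and selects a policy set name. The remote-site address and the policy-set names are constructed placeholders.

```python
import struct
from ipaddress import ip_address

# RADIUS attribute types (RFC 2865)
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCESS_REQUEST = 1

# Constructed placeholder: source address(es) the remote site's RADIUS
# forwarder puts in NAS-IP-Address (assumption, not a value from the thread).
REMOTE_SITE_NAS = {"203.0.113.10"}

def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS header and its attribute TLVs into a dict."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        val = packet[pos + 2:pos + alen]
        if atype == NAS_IP_ADDRESS:
            val = str(ip_address(val))       # 4 raw bytes -> dotted quad
        else:
            val = val.decode("utf-8", "replace")
        attrs.setdefault(atype, []).append(val)
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}

def select_policy_set(msg: dict) -> str:
    """Mimic the policy-set condition: requests whose NAS-IP-Address belongs
    to the remote site go to a dedicated set, everything else to Default."""
    if msg["code"] != ACCESS_REQUEST:
        return "ignored"
    nas = msg["attrs"].get(NAS_IP_ADDRESS, [None])[0]
    return "Remote-Site-Wireless" if nas in REMOTE_SITE_NAS else "Default"

def build_access_request(user: str, nas_ip: str) -> bytes:
    """Construct a minimal Access-Request for testing (authenticator zeroed)."""
    a_user = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    a_nas = bytes([NAS_IP_ADDRESS, 6]) + ip_address(nas_ip).packed
    body = a_user + a_nas
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + bytes(16) + body
```

In a real deployment the forwarder's source IP and the NAS-IP-Address attribute may differ, so check ISE live logs for the value actually received before building the condition.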
02-21-2025 11:53 AM
@Rob Ingram The remote device is a server that forwards requests on to our ISE when our users attempt to connect to the SSID that's broadcast for staff on the remote site. The SSID has nothing to do with us; our staff should be able to connect, then their RA VPN will kick in. So would it still be Dot1x? I am unsure. All the remote authentication server needs is a RADIUS accept message from our ISE, then they should be allowed to connect. Does that sound about right?
02-21-2025 12:04 PM
@N3om it sounds like the remote device is the 3rd party's RADIUS server, which is sending a RADIUS request to your ISE server? In which case, yes, I imagine they are expecting an access-accept message, then the device will be allowed network access (on their network). Once they have a network connection, your users should be able to establish a VPN tunnel (assuming this is not locked down).
02-22-2025 07:17 AM
@Rob Ingram So if a user was on one of our sites then they would match the Dot1x policy and be granted network access. As the users are not on our site, how would I get ISE to send an access-accept message? Would I just need to create another AD group or something, or add something to a policy?
Thanks
02-19-2025 08:42 AM
Hello N3om.
I agree with the other reply regarding this question; as policies are highly specific to the organization and preference, this question is impossible to answer. What stage are you stuck on with ISE? If you are getting dot1x failures, this is a great place to start. Take a look at the live logs and see the error; this should help you understand why you are failing. If you are not receiving any live logs then there is a disconnect between the device and ISE in some way (get a pcap to troubleshoot this). Though older, the following document can help you with setting up a simple 802.1x flow with PEAP. I would recommend getting this to work first before trying to narrow down specifics based on preference. If you have a bare-bones setup working and have queries regarding how to set up specific policies, then please do reply with screenshots and further clarification.