ISE policy using ip subnet for authorisation

Hello All

We are running flexconnect wifi and using the same ssid across multiple sites.

We want to deploy a splash page at each flexconnect remote site for one of our ssid's 

We do not want to deploy all sites at the same time

So is it possible to authenticate against a ip subnet ? 

So we could say if the request comes from subnet x to ise please provide a splash page

Or is their another way we could do this

Thanks in advance


Arne Bier
VIP

With Flexconnect, the RADIUS Access-Request comes from the WLC (central authentication) and not from the WAP itself (which means we can't regard the IP address of the WAP) - if my recollection of how this works is still correct, then it will be hard to localise which site/WAP the request is coming from. The Called-Station-ID attribute in the Access-Request can be constructed to contain SSID and MAC address of the WAP involved - but that means your ISE Wireless MAB Authorization Policy would need a complex condition to check for all the MAC addresses involved - depending on your deployment, that might be infeasible.

[attached screenshot: Access-Request attributes, including the Called-Station-ID value]

The MAC addresses shown above use dashes as the delimiter - best to validate this in Wireshark via tcpdump.

If you can share a Wireshark decode of a FlexConnect Access-Request that shows all the attributes, perhaps there is a better one to use that would work.


Sure, yes, if the WLC + AP add the IP of the WiFi to the RADIUS request.

Can I know the WLC or AP you use?

MHM

Hello, we are using 9120 APs.

The model of AP/WLC is neither here nor there. The question to answer is what the RADIUS Access-Request looks like when an endpoint (client device) associates to the SSID on such a FlexConnect WAP.  My theory about the Called-Station-ID might be correct, but as mentioned, it's probably not feasible if there are many WAPs involved.

The Framed-IP-Address could also be used - this is the IP address of the end client - but ISE only supports EQUALS and NOT EQUALS operators - which means you can't write a regular expression to match an entire subnet (we need the MATCHES operator) - I don't think you want to write an ISE OR condition that contains all the IP addresses in a potentially large subnet.

You mentioned FlexConnect, so what WLC platform do you use?

Did you try to use calling-station-ID type ip-add?

MHM

Hi

We are using 5520 WLC

Calling-station-id "wifi endpoint info"

Called-station-id "AP"

MHM


Torbjørn
VIP

I usually do this by setting called-station-id to "ap-name-ssid" and matching based on AP name. This is easier to understand for colleagues working with the ISE deployment and the AP name prefix is usually equally if not more suited to match the specific site.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
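To make the two Called-Station-Id conventions from this thread concrete (AP MAC with dashes followed by the SSID, as in Arne Bier's capture, or AP name followed by the SSID, as Torbjørn configures it), here is a small parser that maps an Access-Request to a site, plus the subnet test on Framed-IP-Address that ISE's EQUALS/NOT EQUALS operators cannot express. This is added example code, not from the thread, Cisco or ISE; the MACs, AP-name prefixes, site names and attribute dictionary are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed sample lookup tables (placeholder values, not from the thread).
# AP MACs are stored normalized: lower-case, colon-delimited.
SITE_BY_AP_MAC: Dict[str, str] = {"00:11:22:33:44:55": "site-a", "00:11:22:33:44:66": "site-b"}
SITE_BY_AP_NAME_PREFIX: Dict[str, str] = {"LON-": "london", "MAN-": "manchester"}

_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$", re.I)


def normalize_mac(value: str) -> Optional[str]:
    """Accept dash- or colon-delimited MACs (the WLC sends dashes) and return aa:bb:cc:dd:ee:ff."""
    v = value.strip()
    if not _MAC_RE.match(v):
        return None
    return v.lower().replace("-", ":")


def parse_called_station_id(csid: str) -> Tuple[str, str]:
    """Split '<AP MAC or AP name>:<SSID>' at the last colon, so a colon-delimited MAC still parses."""
    ap_id, sep, ssid = csid.rpartition(":")
    return (ap_id, ssid) if sep else (csid, "")


def site_for_access_request(attrs: Dict[str, str]) -> Optional[str]:
    """Map an Access-Request to a site via Called-Station-Id: exact AP MAC first, then AP-name prefix."""
    csid = attrs.get("Called-Station-Id")
    if not csid:
        return None
    ap_id, _ssid = parse_called_station_id(csid)
    mac = normalize_mac(ap_id)
    if mac is not None:
        return SITE_BY_AP_MAC.get(mac)
    for prefix, site in SITE_BY_AP_NAME_PREFIX.items():
        if ap_id.upper().startswith(prefix):
            return site
    return None


def framed_ip_in_subnet(framed_ip: str, subnet: str) -> bool:
    """The subnet membership test that would need a MATCHES operator on Framed-IP-Address."""
    return ipaddress.ip_address(framed_ip) in ipaddress.ip_network(subnet, strict=False)


def equals_conditions_needed(subnet: str) -> int:
    """How many EQUALS conditions an OR rule would need to cover every usable host in the subnet."""
    return sum(1 for _ in ipaddress.ip_network(subnet, strict=False).hosts())
```

The AP-name prefix lookup is the approach Torbjørn describes: one readable condition per site instead of one per AP MAC or per client IP.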