ISE wireless : permit only conexion on specific ESSID

nicanor00
Level 1

Hi

I have ISE ver 1.1.x, Cisco 2960, Cisco 1800 and controller 2100

There are Active Directory users (employees) and guest users

Active Directory has many user groups (finance, security, human resources ...)

For wireless connection I created many ESSIDs in the controller, one for each group (finance, security, human resources, guest ...)

I configured one VLAN for each corresponding ESSID

There is no security key for the wireless connection

Is it possible to deny connection for one user to a different ESSID and permit only the connection of each user on their corresponding ESSID?

Is it possible to redirect a user to their corresponding ESSID (VLAN) if they choose to connect on the wrong ESSID?

Thanks in advance

8 Replies

Ravi Singh
Level 7

You have to configure profiling and posturing for the same and create the rule to put them on the appropriate VLAN. For information on the configuration you can see the link below.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_user_guide.html

Hi,

You can use the RADIUS attribute "called-station-id" to make this work; typically in the RADIUS Access-Request packet the SSID is sent with this attribute value pair. You can then check this SSID and the AD group the user is connecting through to make your decision.

If you take a look at the authentication details in ISE of the user authenticating, under "Other Attributes" the called-station-id will be present in the format I just mentioned.

Thanks,

Tarik Admani
*Please rate helpful posts*

Amjad Abdullah
VIP Alumni

Here is a config example about how to achieve that:

http://goo.gl/gpmpsV

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Hi Amjad

I have seen the example on the link

But if I have 2 ESSIDs (guest and corporate)

If in each group (guest and corporate) I have many VLANs

Vlan guest group 1 : vlan 10

Vlan guest group 2 : vlan 11

Vlan guest group 3 : vlan 47

Vlan guest Corporate finance : vlan 45

Vlan guest Corporate management : vlan 110

Vlan guest Corporate administration : vlan 70

I would like to know if it is possible to configure 2 ESSIDs (guest and corporate)

and put each user in their specific VLAN when they connect on the wireless network (ESSID guest or corporate)

How can I configure it?

Hi,

Based on what do you want to choose the interface?

The corporate WLAN should be mapped to multiple VLANs, so how would you like to choose which user is mapped to which VLAN?

Rating useful replies is more useful than saying "Thank you"

ISE can dynamically assign VLANs. It is a common setup to assign specific VLANs to specific AD user groups.

You just create an authZ policy for each AD group / VLAN.

On the wireless controller make sure you enable AAA override on the WLAN.

I think dynamic VLANs are now supported on both H-REAP/FlexConnect and local/centralised mode with 7.2 firmware.
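To make the two mechanisms in this thread concrete, here is an added example in Python (not from the thread, and not Cisco's or ISE's own code) that models the RADIUS side of the decision: it parses the Called-Station-Id value Tarik describes and applies per-group authorization rules that return the Tunnel-* attributes a WLAN with AAA override turns into a VLAN assignment, rejecting a user who joins an ESSID none of their groups is allowed on. The "<AP MAC>:<SSID>" layout of Called-Station-Id, the rule table, the SSID and group names and the AP MAC are assumptions; the VLAN numbers are the ones nicanor00 listed.

```python
import re

# RADIUS tunnel attribute values used for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Called-Station-Id as a Cisco WLC sends it (assumed layout): "<AP radio MAC>:<SSID>".
_CALLED_STATION_ID = re.compile(
    r"^(?P<ap>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$"
)

# Constructed authorization rules (SSID, AD group) -> VLAN id. The VLAN ids are the
# ones nicanor00 listed; the SSID and group names are hypothetical.
AUTHZ_RULES = [
    ("corporate", "Finance", 45),
    ("corporate", "Management", 110),
    ("corporate", "Administration", 70),
    ("guest", "Guest-Group-1", 10),
    ("guest", "Guest-Group-2", 11),
    ("guest", "Guest-Group-3", 47),
]


def parse_called_station_id(value):
    """Return (ap_mac, ssid) from a Called-Station-Id value, or raise ValueError."""
    match = _CALLED_STATION_ID.match(value)
    if not match:
        raise ValueError(f"unexpected Called-Station-Id: {value!r}")
    return match.group("ap").upper(), match.group("ssid")


def authorize(called_station_id, user_groups):
    """Return the RADIUS reply for a user (set of AD groups) joining the given SSID.

    The first rule whose SSID matches Called-Station-Id and whose group the user
    holds wins and yields the Tunnel-* attributes that a WLAN with AAA override
    turns into a VLAN assignment. A user on an SSID none of their groups is
    allowed on gets Access-Reject, i.e. the "deny other ESSIDs" behaviour asked for.
    """
    _, ssid = parse_called_station_id(called_station_id)
    for rule_ssid, group, vlan in AUTHZ_RULES:
        if rule_ssid == ssid and group in user_groups:
            return {
                "Access": "Accept",
                "Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
                "Tunnel-Private-Group-ID": str(vlan),
            }
    return {"Access": "Reject"}
```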

That is exactly what I want

Each user should be assigned to their specific VLAN mapped to their Active Directory group

Please, where can I find a configuration example (ISE and WLC) to achieve it?

Thanks

blenka
Level 3
1. I would suggest creating an ACL. Or
2. Configure MAC filtering on a specific SSID (enter only the MACs of the wireless devices you want to give access to that particular SSID):

• Configuration -> SSIDs -> [SSID Name]

• Optional Settings -> MAC Address Filters -> Available MAC Filters -> New

• In the MAC Filters > New window click on the "New" button next to the "MAC Address/OUI" list

• Add the MAC Address / MAC Address Range

• In the MAC Filters > New window select the newly created MAC Address / MAC Address Range and select "Permit" as the Action

• Save the new MAC Filter

• On the screen ensure the newly created MAC Filter is in the "Selected MAC Filters" area rather than the "Available MAC Filters" area

• Ensure the default action (under the "Available MAC Filters" area) is "Deny"

• Save the change to the SSID profile

• Update the affected access points