08-07-2013 08:11 AM - edited 03-10-2019 08:44 PM
Hi
I have ISE ver 1.1.x, Cisco 2960, Cisco 1800 and controller 2100.
There are Active Directory users (employees) and guest users.
Active Directory has many user groups (finance, security, human resources ...).
For wireless connections I created many ESSIDs in the controller, one for each group (finance, security, human resources, guest ...).
I configured one VLAN for each corresponding ESSID.
There is no security key for the wireless connection.
Is it possible to deny a user's connection to a different ESSID and permit each user to connect only to his corresponding ESSID?
Is it possible to redirect a user to his corresponding ESSID (VLAN) if he chooses to connect to the wrong ESSID?
Thanks in advance
08-28-2013 07:00 PM
You have to configure profiling and posturing for the same and create the rule to put them on the appropriate VLAN. For information on configuration, you can see the link below.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_user_guide.html
08-28-2013 11:57 PM
Hi,
You can use the RADIUS attribute "called-station-id" to make this work; typically, in the RADIUS access-request packet the SSID is sent with this attribute-value pair. You can then check this SSID and the AD group the user is connecting through to make your decision.
If you take a look at the authentication details in ISE of the user authenticating, under "Other Attributes" the called-station-id will be present in the format I just mentioned.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-29-2013 12:20 AM
Here is a config example about how to achieve that:
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
09-02-2013 10:56 AM
Hi Amjad
I have seen the example at the link.
But what if I have 2 ESSIDs (guest and corporate),
and in each group (guest and corporate) I have many VLANs?
VLAN guest group 1: VLAN 10
VLAN guest group 2: VLAN 11
VLAN guest group 3: VLAN 47
VLAN guest Corporate finance: VLAN 45
VLAN guest Corporate management: VLAN 110
VLAN guest Corporate administration: VLAN 70
I would like to know if it is possible to configure 2 ESSIDs (guest and corporate)
and put each user in his specific VLAN when he connects to the wireless network (ESSID guest or corporate).
How can I configure it?
09-02-2013 11:39 AM
Hi,
Based on what do you want to choose the interface?
The corporate WLAN should be mapped to multiple VLANs, so how would you like to choose which user is mapped to which VLAN?
09-02-2013 07:24 PM
ISE can dynamically assign VLANs. It is a common setup to assign specific VLANs to specific AD user groups.
You just create an authz policy for each AD group / VLAN.
On the wireless controller make sure you enable AAA override on the WLAN.
I think dynamic VLANs are now supported on both HREAP/FlexConnect and local/centralised mode with 7.2 firmware.
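The per-group VLAN assignment discussed in the replies above, modelled as an added example that is not part of the original thread and is not ISE's own policy engine. It assumes the controller sends Called-Station-Id as `<AP MAC with dashes>:<SSID>`; the guest group names are hypothetical, and the VLAN numbers are the ones listed earlier in the thread.

```python
# Added illustration of a first-match authorization policy keyed on
# (SSID from Called-Station-Id, AD group). Not ISE's own code.
# Assumption: Called-Station-Id looks like "AA-BB-CC-DD-EE-FF:ssid".

# Constructed rule table, evaluated top to bottom (first match wins).
# Guest group names are hypothetical; VLAN ids are taken from the thread.
POLICY = [
    ("corporate", "finance", 45),
    ("corporate", "management", 110),
    ("corporate", "administration", 70),
    ("guest", "guest-group-1", 10),
    ("guest", "guest-group-2", 11),
    ("guest", "guest-group-3", 47),
]


def ssid_from_called_station_id(value):
    """Return the lower-cased SSID, or None if the value is malformed."""
    mac, sep, ssid = value.partition(":")
    # A dash-separated MAC address is exactly 17 characters long.
    if not sep or len(mac) != 17 or not ssid.strip():
        return None
    return ssid.strip().lower()


def authorize(called_station_id, ad_groups):
    """Return (decision, reply_attributes) for one access request."""
    ssid = ssid_from_called_station_id(called_station_id)
    groups = {g.lower() for g in ad_groups}
    if ssid is not None:
        for rule_ssid, rule_group, vlan in POLICY:
            if rule_ssid == ssid and rule_group in groups:
                # RADIUS VLAN-assignment attributes (RFC 3580). The WLC only
                # honours them when AAA override is enabled on the WLAN.
                return "Access-Accept", {
                    "Tunnel-Type": "VLAN",
                    "Tunnel-Medium-Type": "802",
                    "Tunnel-Private-Group-ID": str(vlan),
                }
    # Default rule: unknown SSID, or the user's groups do not belong on it.
    return "Access-Reject", {}
```

The default reject is what keeps a user off an SSID that does not correspond to any of his groups.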
09-03-2013 12:39 AM
That is exactly what I want.
Each user should be assigned to his specific VLAN mapped to his Active Directory group.
Please, where can I find a configuration example (ISE and WLC) to achieve it?
Thanks
09-03-2013 04:49 PM
• Configuration -> SSIDs -> [SSID Name]
• Optional Settings -> MAC Address Filters -> Available MAC Filters -> New
• In the MAC Filters>New window click on the "New" button next to the "MAC Address/OUI" list
• Add the MAC Address\MAC Address Range
• In the MAC Filters>New window select the newly created MAC Address\MAC Address Range and select "Permit" as the Action
• Save the new MAC Filter
• On the screen ensure the newly created MAC Filter is in the "Selected MAC Filters" area rather than the "Available MAC Filters" area
• Ensure the default action (under the "Available MAC Filters" area) is "Deny"
• Save the change to the SSID profile
• Update the affected access points