10-24-2017 09:22 AM
Hi all,
I am working on a POV where I need to create an authorization rule that is the following:
Which gives the following:
But I realized it does not work as the output is the following:
Is there a way to remove #Location#All Locations in the location output?
Thanks in advance
10-25-2017 10:53 AM
Yep that should work. Again this is at the WLC level not AP level when you do network device stuff. So assuming you have a WLC at each of the 4000 locations, you load them all into ISE as a network device and fill out the model name correctly, you can match to AD/LDAP attributes.
I just tested with my setup and it worked perfectly. I set up a user in AD and used the Office field as my flag:
I then mapped that attribute into ISE:
I made sure that string was defined under my Network Device:
Then I built my rule:
Worked perfectly in the live logs:
So you should be able to do the same with matching an LDAP attribute.
10-24-2017 12:03 PM
Hi Remi,
If you are using AD groups, you need to download the groups from AD and use them in your conditions. You can't map an AD group to locations. You have to use an attribute in the AD group that contains the location if it is available in the AD.
Not clear what you are looking to do.
Thanks
Krishnan
10-24-2017 12:41 PM
Hi Krishnan,
Let me explain again :
- Objective: Check that a user who connects to the network works in the place he is connecting from, without using one rule for each of the offices (4000), as it wouldn't scale.
- What we do is a comparison between the AD Group that this user belongs to (to check in which office he works) and the name of the device where the request comes from (AD Group and Location defined in ISE match in terms of syntax).
Problem that I have when doing that - the Location attribute gives me the following, while I would just need to get HB9B8:
If I was getting HB9B8 it would work, as my rule is "memberOf" contains "HB9B8".
But with the Location#All Locations it does not. I was thinking to create a Network Device Group Root, but I realized it would still have a chain. Is there any way I could define my variable HB9B8 when I configure my NAD to be able to do this comparison?
Thanks
10-25-2017 06:44 AM
Unless you have a WLC at every location this may not work. The NDG location is the location of the network device making the RADIUS request. If you have APs all over the place controlled by a central WLC then this probably won't work.
If you look at the RADIUS Called Station ID like Dustin recommended you have options there. On the WLC under RADIUS->Authentication you can change what the WLC uses for the RADIUS Called Station ID. The default is AP MAC:SSID. Change that to AP Name:SSID. Now you will have the name of the AP the user is connecting to in the RADIUS Called Station ID.
Assuming you have good AP naming conventions, like HB9B8-AP1, HB9B8-AP2, etc., then you can write a condition to say:
RADIUS Called Station ID contains HB9B8, and then write a rule that says:
If Member of WIFIHotel-HB9B8 and RADIUS Called Station ID contains HB9B8 then allow the user to connect.
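To make the two matching approaches in this thread concrete (the "AP Name:SSID" Called Station ID described in this post, and the NDG Location value with its "Location#All Locations#..." chain that Rémi asked about), here is an added Python model of the authorization decision. It is not ISE code and not from anyone in the thread: it assumes a constructed AP naming convention of "<site>-AP<n>", AD groups named "WIFIHotel-<site>", and a hypothetical `authorize()` function that returns the ISE result the rule would produce. The site is matched as a whole (so "Marriott-Paris" never unlocks "Marriott-London"), and a default-format "AP MAC:SSID" Called Station ID yields no site at all.

```python
import re

# Constructed conventions (assumptions, not from the thread's real deployment):
#   AP names look like "<site>-AP<n>", e.g. "HB9B8-AP1" or "Marriott-LosAngeles-AP1"
#   AD groups look like "WIFIHotel-<site>", usually delivered by ISE as a full DN
AP_NAME_RE = re.compile(r"^(?P<site>.+?)-AP\d+$")
GROUP_RE = re.compile(r"^WIFIHotel-(?P<site>.+)$", re.IGNORECASE)


def site_from_called_station_id(called_station_id):
    """Extract the site code from a Called-Station-Id in 'APName:SSID' form.

    Returns None for the WLC default 'AP MAC:SSID' format or any name that does
    not follow the convention, so a misconfigured controller fails closed.
    """
    name, sep, _ssid = called_station_id.partition(":")
    if not sep:
        return None
    match = AP_NAME_RE.match(name)
    return match.group("site").upper() if match else None


def site_from_ndg_location(location):
    """Take the leaf of an ISE NDG Location chain such as
    'Location#All Locations#HB9B8' -> 'HB9B8'.

    A device still sitting at the root ('Location#All Locations') has no site.
    """
    if not location:
        return None
    leaf = location.split("#")[-1].strip()
    if leaf.lower() in ("", "all locations", "location"):
        return None
    return leaf.upper()


def sites_from_member_of(member_of):
    """Collect site codes from the user's group memberships.

    Accepts either bare group names or LDAP DNs ('CN=WIFIHotel-HB9B8,OU=...').
    """
    sites = set()
    for entry in member_of:
        cn = entry.split(",")[0]
        if cn.upper().startswith("CN="):
            cn = cn[3:]
        match = GROUP_RE.match(cn)
        if match:
            sites.add(match.group("site").upper())
    return sites


def authorize(radius, ad):
    """Single rule for all sites: permit only if the site the request comes from
    is one the user's WIFIHotel-<site> group membership covers.

    Prefers the Called-Station-Id (per-AP granularity); falls back to the NDG
    Location of the authenticating WLC when the AP name carries no site.
    """
    site = site_from_called_station_id(radius.get("Called-Station-Id", ""))
    if site is None:
        site = site_from_ndg_location(radius.get("Location"))
    if site is None:
        return ("DenyAccess", "no site identified from NAD")
    if site in sites_from_member_of(ad.get("memberOf", [])):
        return ("PermitAccess", site)
    return ("DenyAccess", "user not a member of WIFIHotel-" + site)


# Constructed sample request: one user, one AD attribute set
SAMPLE_AD = {"memberOf": ["CN=WIFIHotel-HB9B8,OU=Wifi,DC=example,DC=com"]}

if __name__ == "__main__":
    for radius in (
        {"Called-Station-Id": "HB9B8-AP1:Internal-Access"},            # home site
        {"Called-Station-Id": "HB9B7-AP2:Internal-Access"},            # other site
        {"Called-Station-Id": "00-11-22-33-44-55:Internal-Access",
         "Location": "Location#All Locations#HB9B8"},                  # default MAC format, NDG fallback
        {"Called-Station-Id": "00-11-22-33-44-55:Internal-Access",
         "Location": "Location#All Locations"},                        # device left at root
    ):
        print(radius, "->", authorize(radius, SAMPLE_AD))
```

The point of `site_from_ndg_location` is the chain Rémi saw: ISE hands the rule the whole hierarchy, so a rule that needs just "HB9B8" has to take the leaf. In ISE itself the comparison is a string "contains", so the same effect needs the site code to be the only distinguishing token in the attribute compared, which is why the thread moves towards putting the code in a dedicated NAD field or in the AP name.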
10-25-2017 06:58 AM
Hi Paul, Dustin,
Yes but this would be for a unique hotel : (there are 4000)
If Member of WIFIHotel-HB9B8 and RADIUS Called Station ID contains HB9B8 then allow the user to connect.
I would need to do :
If Member of ADGroup (WIFIHotel-HB9B8) contains RADIUS Called Station ID (HB9B8) then allow the user to connect.
I don't think it would work if RADIUS Called Station ID has something more than HB9B8 as an output...
Rémi
10-25-2017 08:05 AM
The RADIUS Called Station ID has whatever output you configure on the controller. Like I said, if you modify it to “AP Name:SSID” you should be set. As an example, the AP named Hotel1-AP1 and an SSID called Internal-Access would have a RADIUS Called Station ID of “Hotel1-AP1:Internal-Access”. So I could have a condition saying if RADIUS Called Station ID contains “Hotel1” to know the user is connecting to Hotel 1’s Wifi. You are right this may not scale to 4000, but I wouldn’t think all 4000 hotels have unique access requirements.
I am assuming this is a hotel group like Starwood or something that may have brands underneath it. So you could name APs like this:
Marriott-LosAngeles-AP1
Marriott-SanFrancisco-AP1
Hyatt-LosAngeles-AP1
Then I could key off whether the RADIUS Called Station ID contains Marriott, then craft rules for who can access the SSID at Marriott hotels.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
10-25-2017 10:24 AM
Yes Paul in that way a person working at Marriot-Paris will also be able to access network from Marriot-London.
Is there a way to just get the first part of RADIUS Called Station ID to compare it?
Can't I put my HB8B9 in model name for example and use that in the Authorization rule?
10-25-2017 10:44 AM
Don't you think that this could work? Would the output of Model Name be HB2829?
Thanks
Rémi
10-25-2017 10:59 AM
This should work as well. The contains should work for AD group matching.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
10-24-2017 02:01 PM
I think I get what you are asking. Are there other things using that name that you could maybe call like radius call station ID?
Does each location have a WLC by that name and call the NAD name?
I'm not sure what is all possible, Would be nice to be able to use regex in rules.