
Policy server based authorization profile

KevinR99
Level 3

Hi

Can I do an authorization profile based on which ISE node the request hits? In the live logs I see Policy Server has the ISE node name and AcsSessionID has the node name as part of that field. I can't see how to use that info in an authorization rule that would allow me to return a different result based on which ISE node the request hits.

Thanks as usual for any input, Kev.

Accepted Solution

Greg Gibbs
Cisco Employee

Yes, it is entirely possible to apply a different AuthZ Profile result based on the ISE node that is handling the RADIUS session. It may not scale well for multiple use cases, so you should use the approach only where necessary. This is commonly used for customers that deploy a manual load-balancing approach for Wireless Guest redirection for large global ISE clusters.

You can use the AuthZ Condition match of Network Access·ISE Host Name EQUALS <hostname> to accomplish this.

Example:

[Screenshot: Screen Shot 2022-10-04 at 8.11.40 am.png]


7 Replies

andrewswanson
Level 7

Have you tried using the RADIUS "State" attribute for this?

From logs on ISE 2.7 patch 6, I can see the psn node name embedded in this attribute.

hth
Andy

Charlie Moreton
Cisco Employee

Seems to me that if you want to differentiate traffic based upon PSN, you should point your NADs/SSIDs to the specific PSNs for the access you want. Base your Policy Sets on the Device and, for wireless clients, Device + SSID. This will give you the most control over the traffic and permissions.


Thank you Greg.  That’s the attribute I need.  

Charlie, I can't use the device for the decision. I need to make sure the device goes to one preferred ISE and, if that fails, uses the other. If I create a rule based on the WLC, that won't change to the other ISE if the 1st one fails. Greg's suggestion is exactly what I was looking for. It's just a case of finding where the correct attribute is.

Thanks again for all input.  Even ones that may not solve my problem at least get me thinking about them.

Kev.

The way I usually configure the redirection load balancing is:

- Create a single authorization profile without specifying any ISE node

- Create a single authorization rule for redirection, and one for the returning guest users

- Create aliases on ISE PSNs from CLI, example "ip host xxx.xxx.xxx.xxx name guest1.company.com" and "ip host xxx.xxx.xxx.xxx name guest2.company.com"

- Create DNS entries for the above FQDNs

By doing so, you don't have to create any redundant policies or authorization profiles on ISE. When a PSN receives the guest traffic it will present its own alias, and that will be enough to allow that node to take care of the remaining traffic of that session. That happens because the endpoint is pointed to the same node.

Aref
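As an added example that is not part of this thread (not Cisco's code and not any poster's), here is a small offline Python model of the invariant both Greg's per-node AuthZ rules and Aref's per-node alias approach are chasing: a guest must be redirected to the portal on the same PSN that holds the RADIUS session, otherwise the portal has no session to work with. The script extracts the node name from the AcsSessionID (the thread notes the node name is part of that field; the `hostname/epoch/counter` layout is assumed here), applies first-match rule evaluation with a `Network Access·ISE Host Name EQUALS` condition, renders the redirect URL, and checks through a constructed DNS table that the redirect host resolves to the owning PSN. Node names, IPs, alias FQDNs, DNS records, portal URLs and session IDs are all invented for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample deployment: two PSNs used as a manual load-balancing pair.
PSN_IPS = {"ise-psn1": "10.1.1.11", "ise-psn2": "10.1.1.12"}

# Per-node aliases as would be created with 'ip host' on each PSN (assumed names).
PSN_ALIASES = {"ise-psn1": "guest1.company.com", "ise-psn2": "guest2.company.com"}

# Constructed static DNS table standing in for the corporate resolver.
DNS = {
    "ise-psn1.company.com": "10.1.1.11",
    "ise-psn2.company.com": "10.1.1.12",
    "guest1.company.com": "10.1.1.11",
    "guest2.company.com": "10.1.1.12",
    "guest.company.com": "10.1.1.11",  # one shared FQDN: always lands on psn1
}


@dataclass
class AuthzRule:
    name: str
    ise_host_name: Optional[str]  # 'Network Access·ISE Host Name EQUALS <x>'; None = no node condition
    redirect_url: str             # portal URL in the resulting AuthZ profile; '{host}' = this node's alias


def psn_from_session_id(acs_session_id: str) -> str:
    """AcsSessionID is assumed to be 'psn-hostname/epoch/counter'; the first field names the PSN."""
    node, sep, rest = acs_session_id.partition("/")
    if not sep or not node or not rest:
        raise ValueError(f"unexpected AcsSessionID: {acs_session_id!r}")
    return node


def match_rule(rules: List[AuthzRule], psn: str) -> Optional[AuthzRule]:
    """ISE evaluates authorization rules top-down and the first matching rule wins."""
    for rule in rules:
        if rule.ise_host_name is None or rule.ise_host_name == psn:
            return rule
    return None


def render_redirect(rule: AuthzRule, psn: str) -> str:
    """Alias approach: the node fills its own alias into the URL; static URLs pass through unchanged."""
    return rule.redirect_url.format(host=PSN_ALIASES.get(psn, f"{psn}.company.com"))


def check_session(rules: List[AuthzRule], acs_session_id: str) -> Tuple[str, Optional[str], bool, str]:
    """Return (psn, rule_name, ok, detail); ok means the redirect resolves to the PSN that owns the session."""
    psn = psn_from_session_id(acs_session_id)
    if psn not in PSN_IPS:
        return psn, None, False, "session attributed to an unknown PSN"
    rule = match_rule(rules, psn)
    if rule is None:
        return psn, None, False, "no authorization rule matches this node"
    host = urlparse(render_redirect(rule, psn)).hostname
    target_ip = DNS.get(host)
    if target_ip is None:
        return psn, rule.name, False, f"redirect host {host} has no DNS record"
    if target_ip != PSN_IPS[psn]:
        return psn, rule.name, False, f"redirect lands on {target_ip}, session is on {PSN_IPS[psn]}"
    return psn, rule.name, True, f"redirect {host} -> {target_ip}"


# Greg's approach: one rule per PSN keyed on ISE Host Name, each with a static per-node URL.
RULES_PER_NODE = [
    AuthzRule("Guest-Redirect-psn1", "ise-psn1", "https://ise-psn1.company.com:8443/portal/gateway?portal=guest"),
    AuthzRule("Guest-Redirect-psn2", "ise-psn2", "https://ise-psn2.company.com:8443/portal/gateway?portal=guest"),
]

# Aref's approach: a single rule; each node substitutes its own alias.
RULES_ALIAS = [AuthzRule("Guest-Redirect", None, "https://{host}:8443/portal/gateway?portal=guest")]

# Misconfiguration: one fixed FQDN regardless of which node owns the session.
RULES_SHARED_FQDN = [AuthzRule("Guest-Redirect", None, "https://guest.company.com:8443/portal/gateway?portal=guest")]

if __name__ == "__main__":
    for label, rules in (("per-node", RULES_PER_NODE), ("alias", RULES_ALIAS), ("shared", RULES_SHARED_FQDN)):
        for sid in ("ise-psn1/1696377600/42", "ise-psn2/1696377600/43"):  # constructed session IDs
            print(label, check_session(rules, sid))
```

Run as-is it prints one line per approach and node; the "shared" case shows the failure mode the thread is working around: a session on ise-psn2 gets sent to the portal on 10.1.1.11. In a real deployment the inputs would come from a live-log export and the actual resolver rather than the embedded tables.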

This looks like the solution I need.  I tried it today with one ISE and it works a treat.  I’ll lab a distributed deployment as soon as I can set a lab up but this seems the neatest way.  It keeps the policy rules and auth profiles to a minimum and I like a tidy ruleset.

Thanks for your input, Kev.

You're welcome, Kev.