Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
909
Views
0
Helpful
6
Replies

Policy Set for web admin gui

Go to solution
Philip Vilhelmsson
Level 1
Level 1

‎10-05-2018 05:07 AM

Hi,

 

I have several web admin gui, like WLC and DNAC, that I would like to have RADIUS-login to. I am running ISE 2.3. 

The problem I am having is to write a Policy Set that will get matched when a web-login-request comes to ISE. 

In the RADIUS-log I can see that the attempts has these two attributes:

Authentication Method PAP_ASCII
Authentication Protocol PAP_ASCII

I do not see NAS Port type or any other attribute that is different from other RADIUS packets.

 

However I am not able to choose Auth Method or Protocol as conditions in the Policy Set. I tried making my own condition in the Library, but that one I can only choose in the Authorization Policy not the Policy Set. 

Do you know any way I can do a Policy Set that will match on web-login?

 

Regards

Philip

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip Vilhelmsson
Level 1
Level 1
In response to paul

‎10-05-2018 06:04 AM

Yep, that is exactly the reason. Don't have TACACS lic :(
Well if there isn't a way to have Authentication Method or Protocol as a condition then I have to have a rule at the bottom that catches all traffic that isn't dot1x or mab.
Thank you for your answer.

Regards
Philip

View solution in original post

0 Helpful
6 Replies 6

Go to solution
paul
Level 10
Level 10

‎10-05-2018 05:32 AM

Use device type and build a policy set for each device type.  Or are you trying to distinguish between CLI and Web access.  I don't usually do that for WLCs.

0 Helpful

Go to solution
Philip Vilhelmsson
Level 1
Level 1
In response to paul

‎10-05-2018 05:49 AM

Hi,

If I use only device type then all traffic from the WLC will hit that Policy Set, including dot1x and MAB traffic. It would be ideal to have one Set for Admin login (CLI and GUI), on for Dot1x, one for MAB and one for Guest.
I can put a general Policy Set at the bottom that will catch all auth requests that aren't dot1x,mab,guest, but I would rather have something that catches web auth traffic.
Regards
Philip
0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Philip Vilhelmsson

‎10-05-2018 05:52 AM

WLC authentication is TACACS not RADIUS.






0 Helpful

Go to solution
Philip Vilhelmsson
Level 1
Level 1
In response to paul

‎10-05-2018 05:58 AM

No you can have RADIUS also. I have done this on earlier versions of ISE.

https://rscciew.wordpress.com/tag/wireless-lan-controller/

 

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Philip Vilhelmsson

‎10-05-2018 06:00 AM

I know you can but why would you? Or don't you have the TACACS license? Otherwise just put the WLC device type rules below your wireless SSID rules.


0 Helpful

Go to solution
Philip Vilhelmsson
Level 1
Level 1
In response to paul

‎10-05-2018 06:04 AM

Yep, that is exactly the reason. Don't have TACACS lic :(
Well if there isn't a way to have Authentication Method or Protocol as a condition then I have to have a rule at the bottom that catches all traffic that isn't dot1x or mab.
Thank you for your answer.

Regards
Philip

0 Helpful
Customers Also Viewed These Support Documents
Top