WLC and ISE - Flex Connect ACLs and ISE policies

atsukane
Level 1

Hi there,

 

I am struggling to get a specified ISE policy applied based on SSID.

Followed the below guide and get it to work on the test portal URL even with conditional access with MFA. ISE BYOD Flow Using Azure AD - Cisco Community

However, when I test access from mobile devices it doesn't hit the desired policy and appears to be processed by the Default policy.

Default Authentication Policy

Wireless_MAB Internal Users If User not found = Continue

Default Authorisation Policies

Network Access.UseCase Equals to Guest Flow = permit access

Network Access.Authentication Status Equals to Unknown = WLC_CWA_Guest

 

We use FlexConnect with WLC and my understanding is that since we use CWA, we'd add ACLs under the Policies tab.

"WebPolicy ACL is used for Conditional Web Redirect, Splash Page Web Redirect and Central Webauth scenarios."

Configure Flexconnect ACL's on WLC - Cisco

 

I have the same ACL names under Security and FlexConnect ACL, then referencing that in the ISE policy as per the AAD guide. But I am not sure if this is working as expected/the way I want it.

Despite all of above it just get processed by the default policy and redirected to the Guest portal that's configured in the default policy.

 

Any suggestions on how to get round this are appreciated.

I can't figure out why it's processed by the default policy to begin with.

 

 

Many thanks,

 


Network Access.Authentication Status Equals to Unknown = WLC_CWA_Guest

Here you should just match on the MAB and the WLAN the user is connected to as the condition. Then it should use this policy to return the correct attributes.

Thanks @Karsten Iwen.

After posting the question, I've played around with the conditions and tried what you've suggested.

I have two SSIDs, let's say EMPLOYEE and GUEST, I want the EMPLOYEE to be redirected to Azure login page and the GUEST to be redirected to ISE portal.

Currently the Guest SSID is processed by the default policy and I'm working on a new policy for the Employee.

It seems that setting the Employee policy conditions as 'Wireless_MAB' and 'Radius.CalledStationSSID=EMPLOYEE' doesn't get any hits.

If I just leave the policy condition to only 'Wireless_MAB' I can see it is getting hits but this would mean ALL SSIDs would get processed under this policy, regardless of the SSIDs the device is connected to? 

 

 

Thanks,

 

 

The RADIUS attribute "CalledStationSSID" is by default not only the SSID itself, but a combination of MAC-address and SSID. This is configured on your WLC.

One way to match the right SSID is to change the condition from "is" to "ends with" and you should see a hit.
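As an added illustration (not code from the thread or from Cisco), the snippet below models how an ISE condition on Called-Station-Id behaves when the WLC sends the attribute as MAC-address plus SSID, and why "equals SSID" falls through to the Default rule while "ends with" matches. The exact wire format `aa-bb-cc-dd-ee-ff:SSID`, the sample MAC and the SSID names are assumptions for the example; the strict parser is there to show the over-match that ENDS_WITH/CONTAINS can produce when SSID names share a suffix.

```python
import re

# Assumed default WLC format for Called-Station-Id: "<AP radio MAC>:<SSID>".
CALLED_STATION_RE = re.compile(
    r"^([0-9a-f]{2}(?:-[0-9a-f]{2}){5}):(.+)$", re.IGNORECASE
)


def split_called_station_id(value: str):
    """Return (ap_mac, ssid). If the value is not MAC:SSID, treat the whole
    string as the SSID (covers a WLC configured to send only the SSID)."""
    m = CALLED_STATION_RE.match(value)
    if not m:
        return None, value
    return m.group(1).lower(), m.group(2)


def evaluate(operator: str, attribute_value: str, operand: str) -> bool:
    """String operators as used in the thread's conditions."""
    if operator == "EQUALS":
        return attribute_value == operand
    if operator == "ENDS_WITH":
        return attribute_value.endswith(operand)
    if operator == "CONTAINS":
        return operand in attribute_value
    raise ValueError(f"unsupported operator: {operator}")


def first_matching_rule(rules, attribute_value: str) -> str:
    """Top-down rule evaluation with a Default fallback, like an
    authorization policy set. rules: [(name, operator, operand), ...]"""
    for name, operator, operand in rules:
        if evaluate(operator, attribute_value, operand):
            return name
    return "Default"


def ssid_matches(attribute_value: str, wanted_ssid: str) -> bool:
    """Strict alternative: compare the parsed SSID whole, so a suffix
    overlap such as CORP-EMPLOYEE vs EMPLOYEE does not match."""
    _, ssid = split_called_station_id(attribute_value)
    return ssid == wanted_ssid


# Constructed sample attribute values for two SSIDs on one AP radio.
EMPLOYEE_REQ = "00-11-22-33-44-55:EMPLOYEE"
GUEST_REQ = "00-11-22-33-44-55:GUEST"
```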

Thanks. Tried policy condition RadiusCalledStationID 'ENDS_WITH' and 'CONTAINS' and Wireless_MAB and I'm now getting hits!