08-08-2018 05:22 AM - edited 08-08-2018 06:37 AM
Hello
I am currently trying to understand the effect of Called-Station-ID configuration on Cisco ISE infrastructure. I have noticed that some of our anchor WLCs are configured with IP Address as Called-Station-ID for both Authentication and Accounting and this forces Cisco ISE to display Endpoints using IP addresses, rather than MAC addresses (even though in my understanding Called-Station-ID should only affect NAD, while Calling-Station-ID refers to endpoint?).
Before I change it, I'd like to understand what the current RECOMMENDED way is to configure Authentication and Accounting with regard to Called-Station-Id. I have noticed that the default setting is AP MAC:SSID for Authentication, but System MAC for Accounting. Can anyone explain why there is this inconsistency? Doesn't this affect accounting or the Radius session if they are different?
Also, there are loads of options, such as
- IP Address
- AP MAC
- AP MAC:SSID
- AP Name:SSID
- AP Name
- AP Group
- Flex Group
- AP Location
- Vlan ID
- AP Eth MAC
- AP Eth MAC:SSID
- AP Label Address
- AP Label Address:SSID
What is the practical use for all these different configuration options?
Has anyone had to use something other than the default 'AP MAC:SSID'?
When and why, please (what have you tried to achieve)?
Many thanks!
Labels: Identity Services Engine (ISE)
Accepted Solutions

08-10-2018 05:58 AM
The fields you are asking about have no impact on ISE. If you want to use the field then use them, but ISE doesn't use them for critical operations. If you want to know the logic why Authentication is different than Accounting engage the Cisco Wireless team and find out their logic. The settings you are seeing are the default setting on the WLC. Like I said I usually change authentication to AP Name:SSID because I want to use that data in that field in my rules.

08-10-2018 06:06 AM

08-08-2018 05:33 AM
I wouldn't think called station ID should affect how ISE displays the information for the MAC address in Context Visibility. The only modification I make to the called station ID is for authentication and I have my customers change it to AP Name:SSID. Then I can use Called Station ID in two ways:
- Use the "Ends With" condition to grab the SSID name and use it as the admission criteria to my policy sets for wireless. That allows me to have unique policy sets for each SSID.
- Use string matches on the AP name to know what site the user is connecting at to allow a SSID to behave different at one location vs. another.
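
The two Called-Station-ID checks described in the post above, as an added example that is not part of the original thread or any Cisco code. The SSID names, AP-name prefixes and policy-set names are constructed assumptions; the point it adds is that an "Ends With" condition on the bare SSID also matches any longer SSID with the same tail, while including the `:` delimiter anchors the match.

```python
# Added example: emulates "Ends With" / "Starts With" string conditions on the
# RADIUS Called-Station-Id attribute. All names and values are constructed.

# Hypothetical SSID -> policy set mapping and AP-name site prefixes (assumptions).
POLICY_SETS = {"Corp": "Wireless-Corp", "Guest": "Wireless-Guest"}
SITE_PREFIXES = {"NYC-": "New York", "LON-": "London"}


def naive_policy_set(called_station_id):
    """Ends With on the bare SSID: also matches longer SSIDs sharing the tail."""
    for ssid, policy in POLICY_SETS.items():
        if called_station_id.endswith(ssid):
            return policy
    return None


def anchored_policy_set(called_station_id):
    """Ends With on ':' + SSID, so the WLC's delimiter anchors the match."""
    for ssid, policy in POLICY_SETS.items():
        if called_station_id.endswith(":" + ssid):
            return policy
    return None


def site_for(called_station_id):
    """Match on the AP-name part; only meaningful with the 'AP Name:SSID' format."""
    ap_name, sep, _ssid = called_station_id.rpartition(":")
    if not sep:
        return None  # formats such as 'IP Address' or 'AP Name' carry no ':SSID'
    for prefix, site in SITE_PREFIXES.items():
        if ap_name.startswith(prefix):
            return site
    return None


# Constructed Called-Station-Id samples, one per WLC format discussed here.
SAMPLES = [
    "NYC-AP-3F-01:Corp",        # AP Name:SSID
    "LON-AP-LOBBY:Guest-Corp",  # AP Name:SSID, SSID that merely ends in 'Corp'
    "00-11-22-33-44-55:Guest",  # AP MAC:SSID (the WLC default for authentication)
    "10.0.0.5",                 # IP Address
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, naive_policy_set(value), anchored_policy_set(value), site_for(value))
```
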
08-08-2018 05:55 AM
In our environment we rely on SSID ID instead (Airespace:Airespace-Wlan-Id). All our SSIDs are configured in a consistent fashion across the board. But, yeah... I would agree that matching SSID by name is more flexible.

08-08-2018 07:02 AM
08-08-2018 03:25 PM
Can anyone from Cisco comment? In particular, why by default is Authentication set to AP MAC:SSID, but Accounting is using System MAC? Shouldn't these two be configured identically? What's the impact on logging/accounting or session handling if these two things are configured differently / separately?
Regards

08-10-2018 02:08 AM
By default Authentication is set to AP MAC:SSID, but you can change it to use any other attribute. It depends on how the customer would want to authenticate the endpoint.
In ISE, MAC-Address is the unique identifier for the endpoint. Hence session handling or accounting is on MAC address / session id. There is no impact on the logs.
Thanks,
Nidhi
08-10-2018 05:33 AM
Thanks @Nidhi. Could you please explain why Accounting's default value is System MAC (which is WLC's MAC address), rather than AP MAC:SSID (Authentication's config)? Wouldn't it be better to have both set to identical config? Any impact at all? Does it only affect Accounting logging and nothing else?
Thanks

08-10-2018 06:16 AM
@Jason Kunst thanks for these! I will have a read now.
@paul thanks a lot!
08-10-2018 06:24 AM
One more question if you don't mind. As I mentioned in my original post, when Radius Authentication on WLC is set to IP Address it also affects Calling-Station-ID, which is displayed as IP address and not MAC of endpoint on anchor WLC.
Is it by design or bug behavior? I didn't expect Called Station ID to affect Calling Station ID behavior.
Regards

08-10-2018 06:35 AM
