Re: Can you do wireless device profiling and policy classification on Cisco WLC without external RAD...

Sam Brynes · ‎08-18-2019

I just found out that you can do profiling and policy classification on Cisco WLC to assign session timeouts, ACLs, and VLANs regardless of what those settings are set to on the WLAN.

For it to work though, it looks like you need an external RADIUS server to return the Cisco-AV-Pair setting and "role=role_value" so that the correct policy can be picked up (I can't match on device type or EAP type for my specific scenario).

Does anyone know how to use local authentication on the Cisco WLC to point the clients to the correct role string so that I do not have to use an external RADIUS server? My WLAN has layer 2 security enabled, and is using LOCAL EAP authentication.

MTOMASSINI · ‎08-19-2019

Hi Sam,

As far as I know, the role string is the only thing that should be provided by the well-known cisco-av-pair in a local policy. The Radius engine on the WLC is light. When you configure your local policy there are only 3 conditions that you can match to trigger the policy :

- Role (should be provided by a Radius)

- EAP Type (the WLC can snoop that)

- Device Type (the WLC can use its local profiling table assuming that you configured local profiling on the WLAN)

If you can't match the role because this attribute has not been sent by the Radius, you can only trigger your policy with the EAP type and the device type.

As you can see, the role is a MATCH criteria and not an action that will apply something to the client session.

ammahend · ‎08-20-2019

I don't think you can do by role string for local auth, however your matching criteria can be EAP-TYPE (I think device type also works but I have not used it myself), then you can allocate any of the values in Action field.

-hope this helps-

Can you do wireless device profiling and policy classification on Cisco WLC without external RADIUS server?