Cisco ISE - Wireless Policies with Location Attribute

Matthew Martin (Level 5)

Hello All,

 

Cisco ISE: 2.0.0.306

Patch: 2,3,4

 

Our ISE configuration was mostly done for us with the help of a consultant. We have about 12 locations around the country. But, the setup for ISE's Policies for Wired/Wireless is that we have Compliant, Non-Compliant, and Unknown Policies where you are either in the HQ or you're NOT in the HQ (*so all other locations, i.e. Location != HQ). So there is Wireless_Compliant_HQ, Wireless_Compliant_Branch, etc...

 

We are now beginning to implement AnyConnect/NAM/ISEPosture into our remote branch offices. Wired is working just fine because each location's Network Access Devices (*Cisco switches) are all setup with their proper locations. So clients in the remote offices would match to the Wired Policies where Location != HQ (*i.e. Wired_Compliant_Branch).

 

However, I'm realizing this might be an issue with the Wireless Policies... Since we have 2 Wireless Controllers, and the Branch Offices' Access Points are connected to the HQ's WLC, clients attempting to connect to SSIDs in their locations, where those SSIDs authenticate through ISE, are getting put into the Wireless_Unknown_HQ Policy. So I'm assuming this is because the WLC Network Access Device's configuration has HQ set as the Location.

 

Am I thinking through this correctly? If I am, is there another attribute or Location option that I could do that would achieve the correct results..? Any thoughts or suggestions would be greatly appreciated!

 

Thanks in Advance,

Matt

11 Replies

Ben Walters (Level 3)

First of all, you are correct in your assumptions about the WLC interaction with ISE, all clients connected on wireless are authenticated by the WLC so if your WLC is in the HQ location it will seem like all wireless clients are too.

 

I don't think there is a quick and easy way to do this. You might have to look at the IP address of the authenticating device and determine, based on that, which location they are at; that is assuming you have different subnets for your remote locations. Another way, which wouldn't be as good, might be to separate users into location groups and set up authorization based on that, but if you have users that travel between sites routinely it would probably not work too well.

Hey Ben, thanks for the reply. And sorry for the delay getting back to you.

We do use different subnets for each of our locations, so that might be a good workaround. But, would I need to create new Policy Sets for each location, in order to specify each subnet? The way it is now is basically: if the authenticating device matches a few attributes, as well as "DEVICE:Location NOT_EQUALS All Locations#HQ", then it matches our Branch office Policies.

Not sure if this is possible since I haven't checked yet, but I assume it is. If I do something similar to above to say, if the authenticating device's IP Address is NOT_EQUAL <hq_ip_subnet> then Branch office Policy gets matched...

Would something like that make sense?

Thanks again for the reply, much appreciated!

-Matt

Hi Matthew,

There are many options you can use for 'location' based authorization:

- AP name (you can rename APs so that branch AP use a similar name) - say 'AP name begins with branch' type of condition. You have to change WLC's radius accounting format

- AP MAC (if you don't have that many APs)

- SSID name (maybe you use different SSID names for HQ vs branch)

- define AP location field on WLC and use it in authorization rule

 

Example: https://supportforums.cisco.com/legacyfs/online/ise_location-based_web_portals-v2.pdf

(page 10)

 

Thanks,

Octavian

Hey Octavian, thanks for the reply!

1) AP Name: What is the attribute name when creating a Policy that checks the AP name, so I can give this a try? I can see that "called-station-id", which shows in the Authentication details page of a particular client from the Radius LiveLog. But, that attribute shows "<ap-mac-address>:<ssid-name>" and not the AP "Name". I actually don't see the AP names in there at all..?
*Also, for WLC's radius accounting format that needs to be changed, is that in WLC or ISE?

2) AP Mac: Would this be a part of the "called-station-id" attribute when creating the Policy? I would need to include about 25 AP macs for this. So probably not the best option in this case.

3) SSID Name: We are using the same SSID names in all the locations. So I guess this option would be out too...

4) AP Location: I have already defined the AP location field in all of our Access Points on the WLC. How can I access this "Location" attribute in ISE Policy? Currently, I have the location defined as the actual location they are in. But, I can add something like "Branch" to the end of each name, and I could look for that... Sounds like a good option. Or, maybe I could just say something like "if AP location NOT_EQUALS HQ...", then...

Thanks again for the reply, very much appreciated!

-Matt

*Addition to previous comment...

I believe I found in the WLC where you modify what the Called-Station-ID attribute sends to ISE. I assume this is where you get most of the options for what you described in your comment, like AP Name, AP Location field, AP mac address, etc...? *Screenshot attached.

 

Before I modify anything here in the WLC, is this something that should be done off-hours? When this setting is changed in the WLC, would any of the wireless networks drop or cause clients to drop/re-authenticate after I click Apply?

 

Lastly, we are currently using called-station-id to verify the SSID a client is connecting to. So, since the current value of called-station-id is "AP-Mac-Address:SSID", if I choose one of the other options which also ends with "..some-value.. : SSID", would that cause any issues in the current Policy Sets using called-station-id?

 

Thanks Again,

Matt

As with any change that could impact end users in a production environment, it's probably best to make any changes after hours and conduct testing after changes are made to make sure everything is still operating as usual.

 

Making the change shouldn't have any impact on currently authenticated users though. New authentications from the WLC will just contain different information in the called-station-id attribute, since this is just changing the information the WLC sends to ISE during authentication.  

 

As for the called-station-id attribute, if you currently use the SSID information you will have to use an option that contains that but as you said you can use any option that has that information in it without issue. So say if you wanted to use <AP name:SSID> it would still contain the same SSID information as the <MAC : SSID> option.  
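The following is an added example, not code from this thread or from Cisco, that models the two points above in code: an SSID condition written against the last part of Called-Station-Id keeps working whether the WLC sends "AP-MAC:SSID" or "AP-Name:SSID", while any location decision based on the NAD (the WLC's NAS-IP-Address) lands every branch client in HQ. The RADIUS values, subnets, AP names and the "BR-" prefix are all constructed for illustration; the policy names mirror the ones Matt describes. The subnet fallback is Ben's earlier suggestion of classifying by client IP when the AP identifier is a bare MAC.

```python
"""Evaluate ISE-style location conditions over constructed RADIUS attributes."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusRequest:
    nas_ip: str             # RADIUS NAS-IP-Address: the WLC or switch, never the client
    framed_ip: str          # RADIUS Framed-IP-Address: the client (may be empty)
    called_station_id: str  # WLC-dependent: "<ap-mac>:<ssid>" or "<ap-name>:<ssid>"


# Constructed: the one WLC sits at HQ, so its NAS IP maps to the HQ location.
NAD_LOCATIONS = {"10.1.0.5": "HQ"}
# Constructed: HQ client subnets; everything else is treated as a branch.
HQ_SUBNETS = [ipaddress.ip_network("10.1.0.0/16")]

# Matches a MAC written as six octets with a consistent "-" or ":" separator.
MAC_RE = re.compile(r"^[0-9a-f]{2}([-:])([0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.I)


def split_called_station_id(value):
    """Split on the LAST colon so a colon-separated AP MAC still parses."""
    prefix, sep, ssid = value.rpartition(":")
    if not sep:
        return value, ""          # no SSID component at all
    return prefix, ssid


def ssid_of(req):
    return split_called_station_id(req.called_station_id)[1]


def ap_id_of(req):
    return split_called_station_id(req.called_station_id)[0]


def ap_id_is_mac(req):
    """True when the WLC is still sending the AP MAC rather than the AP name."""
    return bool(MAC_RE.match(ap_id_of(req)))


def location_by_nad(req):
    """The DEVICE:Location approach: resolved from the NAD, so all wireless
    clients inherit the WLC's location regardless of where the AP is."""
    return NAD_LOCATIONS.get(req.nas_ip, "Unknown")


def is_hq_client(req):
    """Ben's subnet fallback: decide by the client's own address."""
    if not req.framed_ip:
        return False
    addr = ipaddress.ip_address(req.framed_ip)
    return any(addr in net for net in HQ_SUBNETS)


def classify(req, ssid="CorpWiFi", branch_prefix="BR-"):
    """Pick a policy the way the thread's rules do: SSID must match, then
    decide HQ vs Branch from the AP name prefix when available, otherwise
    from the client subnet (an AP MAC carries no location information)."""
    if ssid_of(req) != ssid:
        return "NO_MATCH"
    if ap_id_is_mac(req):
        return "Wireless_HQ" if is_hq_client(req) else "Wireless_Branch"
    if ap_id_of(req).upper().startswith(branch_prefix):
        return "Wireless_Branch"
    return "Wireless_HQ"


if __name__ == "__main__":
    # Constructed sample authentications, all arriving from the HQ WLC.
    samples = [
        RadiusRequest("10.1.0.5", "10.1.20.7", "00-1a-2b-3c-4d-5e:CorpWiFi"),
        RadiusRequest("10.1.0.5", "10.12.20.7", "00-1a-2b-3c-4d-5f:CorpWiFi"),
        RadiusRequest("10.1.0.5", "10.12.20.8", "BR-DENVER-AP01:CorpWiFi"),
        RadiusRequest("10.1.0.5", "10.1.20.9", "HQ-FLOOR2-AP03:CorpWiFi"),
    ]
    for s in samples:
        print(f"{s.called_station_id:32} nad={location_by_nad(s):8} -> {classify(s)}")
```

Run it directly to see that `location_by_nad` returns HQ for every sample (the symptom in the original post), while `classify` separates HQ from branch once the AP name or client subnet is consulted. The `split_called_station_id` helper deliberately splits on the last colon; an ENDS_WITH ":CorpWiFi" condition in ISE behaves the same way, which is why changing the WLC's Called-Station-Id format does not break an SSID-only rule.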

Hey Ben, thanks for the reply!

Ok, that sounds good to me. I'll probably go with the "AP-Name:SSID" option, since the option that includes the AP's "Location" attribute doesn't also contain the SSID. So the AP-Name should suffice. It would be nice if in the WLC you could manually choose which attribute to go in Option 1 and option 2, *i.e. as in "Option-1:Option-2". But, oh well, this will have to do...

This is probably a stupid question, and I've probably already done this before. But, just to be sure... If I change an AP's name in the WLC, does that AP stay in whatever AP Group or FlexConnect group it was already a part of? I assume it actually uses the AP MAC address to associate to a group and the name is just a label. But, wanted to be sure.

-Matt

The AP name can be changed without affecting the AP group, however it may disconnect clients associated to that AP momentarily but they will just reconnect.

Hey Ben, got it thanks!

One last question... Do any of you know of any documentation for ISE that has explanations of all the available Attributes that can be selected when in: Policy > Policy Sets > New Rule > Conditions > Add Attribute/Value...?

This would be really helpful.

For example: What's the definition of this attribute --> "RADIUS:Network Access:Device IP Address"... Is it the Network Access Server/Device IP, or the client IP, etc...?

Are there any documents that explain this stuff? I couldn't find any explanations of these in the "ISE Administrator Guide v2.0".

-Matt

That stuff isn't in the ISE guide because it is more generic to all radius capable devices.

 

Check this out and it should give you a better idea of what each one does.

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html

Ok great, thanks Ben, much appreciated!

-Matt