This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
MS AD 2008R2
Two Groups: All Employees , All Students
Problem: Students connecting to the employee network
I have two wireless networks STUDENTS and EMPLOYEES. In ISE I have two authorization policies for these networks. In a prior effort to keep students from connecting to the employee network, I set the authorization policy to:
Employee: If (Wireless_802.1X AND AD1:ExternalGroups EQUALS mydomain/User Accounts/All Employees AND AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students) then: Employee_Profile
Unfortunately this did not work. Students have their own username and password in AD and so does each faculty/staff member. I have verified that the students are using their credentials and connecting to the employee network. Conversely, I can connect to the student network using an employee's credentials. The main issue is that with the students connecting to the employee network, they are using up all of the addresses in the applicable DHCP scope.
I need to disallow connection to the employee network by students and the student network by employees.
Any help would be appreciated!
Solved! Go to Solution.
A couple of questions/suggestions:
- Is there a chance that the students are also part of the employee AD group? I know it is a silly question but I must ask :) In fact, when a successful authentication happens, you can open the "detailed authentication screen" for that session and you can see all of the AD groups that the user is member of
- Have you tested this yourself? For instance, you can create a test account in each group and then try it for yourself
- Another silly question but can you confirm that each SSID has a unique interface in the WLC, thus going to a different subnet/DHCP scope
- I would make your authorization rule a bit simpler. I would like you to remove the:
"AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students"
When it comes to AD groups, ISE would process them in a "top-down" fashion and as soon as a match occurs, ISE would stop looking. I don't think this is the issue in your case but still worth the try.
- If the main issue is lack of DHCP addresses then why not address that? :) For instance, you can:
1. Expand the DHCP scope (From let's say /24 to a /23)
2. Assign a "secondary IP" address to the L3 interface, thus giving it more subnets
3. Utilize "Interface Groups" in the WLC, that way you can have multiple subnets tied to the same SSID
Thank you for rating helpful posts!
Thanks for the response but TAC provided me with the following document:
It fit the bill. We had already verified everything else you mention as our Jr. Admins are responsible for creating student users we wanted to make sure they hadn't done something wrong but they hadn't. Everything else was spot on correct.
The rule is much simpler by using a simple condition matching the WLAN ID and then Employee Group. Conversely, I applied the same principal to the student WLAN to keep employees from hitting the student network.