ISE 2.6 - Wireless AAA-Override

Rene Einoeder
Level 1

Hello @ all,

We currently operate a Wi-Fi network with 802.1x authentication based on a FreeRADIUS distribution.

Now we want to switch to ISE 2.6. So far everything works; however, one thing bothers me.

In the "Policy Sets" we have created a new policy which uses the username for "AAA override". It bothers me that under "Authorization Policy" a sub-rule must be created for each user, which checks which group he is in and then uses the values from this group and assigns the appropriate VLAN.

Can this not be solved more elegantly? For every user, the group with the override values is already stored.
Can someone tell me what I need to do to make sure the user is authenticated after being put into the group from their settings?

Background: we distribute about 1500 VLANs, which would also mean 1500 sub-rules in the authorization ... I would like to avoid that.

Thanks in advance.
   René

Accepted Solutions

howon
Cisco Employee

Typically, group membership would be used for VLAN override. However, if you want a per-user VLAN, then you can use a dynamic attribute. See the per user/endpoint VLAN, ACL, SGT use case in the following document:

https://community.cisco.com/t5/security-documents/advanced-ise-tips-to-make-your-deployment-easier/ta-p/3850189#toc-hId--1701731432
