08-13-2019 03:15 AM
Hello @ all,
We currently operate a Wi-Fi network with 802.1x authentication based on a FreeRADIUS distribution.
Now we want to switch to ISE 2.6. So far everything works; however, one fact bothers me.
In the "Policy Sets" we have created a new policy which uses the username to "AAA override". It bothers me that under "Authorization Policy" for each user a sub-rule must be created, which checks in which group he is and then uses the values from this group and assigns the appropriate VLAN.
Can this not be solved more elegantly? For every user, the group with the override values is already stored.
Can someone tell me what I need to do to make sure the user is authenticated after being put into the group from their settings?
Background: we distribute about 1500 VLANs, so that would also be 1500 sub-rules in the authorization ... which I would like to avoid.
Thanks in advance.
René
08-15-2019 02:56 PM
Typically, group membership would be used for VLAN override. However, if you want a per-user VLAN, then you can use a dynamic attribute. See the per user/endpoint VLAN, ACL, SGT use case in the following document: