Beginner

ISE 2.6 - Wireless AAA-Override

Hello @ all,

 

We currently operate a Wi-Fi network with 802.1X authentication based on a FreeRADIUS distribution.

Now we want to switch to ISE 2.6. So far everything works; however, one thing bothers me.

 

In the "Policy Sets" we have created a new policy which uses the username to "AAA override". It bothers me that under "Authorization Policy" a sub-rule must be created for each user, which checks which group the user is in and then uses the values from this group and assigns the appropriate VLAN.

 

Can't this be solved more elegantly? For every user, the group with the override values is already stored.
Can someone tell me what I need to do to make sure the user is authenticated after being put into the group from their settings?

Background: we distribute about 1500 VLANs, which would also mean 1500 sub-rules in the authorization ... I would like to avoid that.

 

Thanks in advance.
   René

Cisco Employee

Re: ISE 2.6 - Wireless AAA-Override

Typically, group membership would be used for VLAN override. However, if you want a per-user VLAN, then you can use a dynamic attribute. See the per user/endpoint VLAN, ACL, SGT use case in the following document:

https://community.cisco.com/t5/security-documents/advanced-ise-tips-to-make-your-deployment-easier/ta-p/3850189#toc-hId--1701731432