Wireless Client Authentication using ISE

jamaludeen_s
Level 1

I am designing a wireless controller solution for one of our customers' networks with a Cisco 5500 series controller, and I need expert advice on the wireless client authentication part.

1. There are 25 departments around the campus; each will be given one or two access points.

2. One Cisco AIR-CT5508-50-K9 controller shall be used.

3. A single SSID/VLAN shall be used for the entire campus.

4. Wireless authentication credentials used by one department shouldn't work for another department.

Example: Marketing department credentials

Username: marketing

Password: marketing123

These credentials should not work for sales or any other department.

Is there a way to achieve the 4th point using controller AP groups or Identity Services Management (ISE)?

Thanks in Advance

Thanks

Jamal


Amjad Abdullah
VIP Alumni

Jamal:

Yes, it can be achieved. I have never worked with ISE, but I think it is almost the same behavior as ACS 5.x.

With ACS 5.x you can create an "End Station Filter" to restrict connection to the SSIDs. You can do the same with your ISE and create a policy that allows a specific user/users to a specific SSID.

Let us know if you know how to do it or if you need extra help with this.

Amjad

Rating useful replies is more useful than saying "Thank you"

Thanks a lot Amjad for your quick reply.

Does "end station" refer to the access points or the controller? It would be helpful if you could provide me with the steps to do it with ACS 5.x.

Thanks

Jamal

Here is how to do it from ACS 5.x (I am using 5.3, so I am not sure whether any tiny differences may appear with older 5.x versions):

Go to policy element -> Session Conditions -> Network Conditions -> End Station Filters.

Press the "Create" button. Provide a name for the filter.

Go to CLI/DNIS tab.

Choose CLI to be -ANY-.

Choose DNIS to be *SSIDname. For example, if your SSID is named Management, then write *Management (case sensitive).

Press OK.

Press Submit.

You now have your device filter created. (This filters access to a specific SSID; you need to create one filter for each SSID.)

Now you need to go to:
Access Policies -> Access Services -> (Your policy for wireless users) -> Authorization.

Press "Customize" and choose to select "End Station Filter". Then press OK.

Click the "Create" button to add an authorization rule.

Fill in the rule parameters based on which you'll authorize the wireless clients. In each rule you can specify an identity group (or external group) and specify the end station filter you created earlier.
For example,

create Rule 1 that allows IdentityGroup sales to the SSID named sales.

create Rule 2 that allows IdentityGroup marketing to the SSID named marketing.

...etc.

For each SSID you need to create a rule and specify that if the user is in this group and connecting to this specific SSID, then allow it to proceed; otherwise reject it.

I hope this is useful.

Amjad

Rating useful replies is more useful than saying "Thank you"

Thanks Amjad,

In this example we are creating multiple SSIDs (Sales and Marketing) and multiple rules; the request is to use a single common SSID around the campus.

Is it possible to create multiple rules in the combination of username + AP MAC (or) username + end system MAC for a single SSID?

Thanks

Jamal

Let me explain one thing I forgot.

In the end-station filter you need to specify the wildcard asterisk (*) before the SSID name. If your SSID name is "Sales" you need to write "*Sales". I updated the above post accordingly.

Sorry I did not get it that you want same SSID for all.

You can still do your requirement if you have the users of each department under the same group.

You can create an identity group for each department (or map corresponding external groups).

Then what you can do is the following:

In the end-station filter, instead of specifying *SSID you need to write *.

For example: 11-22-33-44-55-66*

Use the base radio MAC address of the AP (not the Ethernet address).

(Whether the MAC address format uses hyphens or colons is determined from the WLC under the RADIUS authentication config. If you use colons, put the MAC format with colons instead. The default is hyphen.)

The called-station-id is sent to the radius like the following:

11-22-33-44-55-66:Marketing (supposing Marketing is the SSID name).

So if you specify the MAC address only in the end-station filter, it is not going to work. You need to put the wildcard * after the MAC address for it to work.

In the rule you specify that if the following identity group is connecting to this AP (specified by its MAC), then allow it; if not, then do not allow it.

For example:

Rule 1: identity group Marketing is allowed to AP 12-23-34-45-56-67.

Rule 2: identity group Sales is allowed to AP 98-89-65-56-43-34.

I hope it was clear; if not, then please ask, because I think what I write is sometimes not easy to understand.

So please feel free to ask about any ambiguous point.

Cheers,

Amjad

Rating useful replies is more useful than saying "Thank you"

Important note: The above explanation works for SSIDs that use EAP/dot1x as security. If you have a web-auth SSID, for example, that utilizes the ISE as its backend auth server, then more configuration is needed on the controller to make it work correctly, because for non-dot1x/EAP SSIDs the SSID name is not sent by default with the called-station-id RADIUS attribute.

Rating useful replies is more useful than saying "Thank you"
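As an added illustration of the authorization logic Amjad describes above (not code from the thread, from Cisco ACS, or from ISE), the following Python models how a RADIUS server evaluates an end-station filter against the Called-Station-Id the WLC sends. It uses the AP MAC addresses from Amjad's two example rules; the SSID name "Campus", the rule names, and the use of `fnmatchcase` to stand in for the ACS DNIS wildcard matching are assumptions made for this example. It shows the two pitfalls the reply calls out: a MAC-only pattern without the trailing `*` never matches because the attribute carries `MAC:SSID`, and SSID patterns are case sensitive.

```python
import fnmatch
from dataclasses import dataclass
from typing import List


def normalize_mac(mac: str, separator: str = "-") -> str:
    """Re-emit a MAC address in the separator style configured on the WLC.
    Hyphen is the WLC default; colon is the alternative mentioned in the thread.
    Accepts input written with hyphens, colons, or no separator at all."""
    hex_digits = "".join(ch for ch in mac if ch not in "-:.")
    if len(hex_digits) != 12 or any(ch not in "0123456789abcdefABCDEF" for ch in hex_digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return separator.join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def build_called_station_id(ap_radio_mac: str, ssid: str, separator: str = "-") -> str:
    """Constructed model of what a dot1x WLAN on the WLC sends as Called-Station-Id:
    the AP base radio MAC, a colon, then the SSID name (per the thread)."""
    return f"{normalize_mac(ap_radio_mac, separator)}:{ssid}"


def matches_end_station_filter(called_station_id: str, dnis_pattern: str) -> bool:
    """Case-sensitive wildcard match of Called-Station-Id against a DNIS pattern
    such as '*Management' or '11-22-33-44-55-66*'.
    Assumption: ACS DNIS wildcard behaviour is modelled here with fnmatchcase."""
    return fnmatch.fnmatchcase(called_station_id, dnis_pattern)


@dataclass(frozen=True)
class Rule:
    """One authorization rule: an identity group paired with an end-station filter."""
    name: str
    identity_group: str
    dnis_pattern: str


def authorize(user_group: str, called_station_id: str, rules: List[Rule]) -> str:
    """First-match evaluation: permit when the user's identity group AND the
    end-station filter both match; otherwise the implicit default is reject."""
    for rule in rules:
        if rule.identity_group == user_group and matches_end_station_filter(
            called_station_id, rule.dnis_pattern
        ):
            return "PERMIT"
    return "REJECT"


# Rules modelled on Amjad's two examples; note the trailing '*' after each MAC
# so the ':SSID' suffix of the attribute is matched too.
CAMPUS_RULES = [
    Rule("rule1", "Marketing", "12-23-34-45-56-67*"),
    Rule("rule2", "Sales", "98-89-65-56-43-34*"),
]

if __name__ == "__main__":
    # Constructed sample requests: each department's users on each AP, one shared SSID.
    for group in ("Marketing", "Sales"):
        for ap in ("12-23-34-45-56-67", "98-89-65-56-43-34"):
            csid = build_called_station_id(ap, "Campus")
            print(f"{group:10} via {csid:30} -> {authorize(group, csid, CAMPUS_RULES)}")
```

Running the block prints a permit only for the Marketing group on the first AP and the Sales group on the second; every other combination falls through to reject, which is the per-department isolation the original question asked for on a single SSID.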

Thanks Amjad, you made the solution clear.

All my doubts were cleared; now I will go ahead with the deployment.

Thanks once again.

Jamal
