01-31-2024 12:38 PM
Hello!
I have a WiFi network with a Cisco WLC 5520 running well, connected to Cisco ISE 3.0 integrated with Microsoft AD.
But I want to implement another layer in the authentication flow so that all MACs are verified as to whether they are part of a specific group. If these MACs are in the specific group, they will receive a different and specific VLAN.
Can anyone here give tips or indicate a document with instructions for this?
01-31-2024 12:50 PM - edited 01-31-2024 01:00 PM
There are two attributes that help here:
calling station ID <<- this is the MAC of the WiFi user, and you can use it as a condition to specify the VLAN
called station ID
MHM
01-31-2024 01:08 PM
Why? Managing the addition of MACs to a group is a pain. Then there are multiple operating systems starting to use randomised MAC addresses. You're setting yourself up for an admin nightmare.
You would be better off doing EAP-TEAP authentication and verifying the machine certificate, and then user certificate/PEAP for the user authentication.
That being said, you can do it:
WLAN: SSID 802.1x
ISE policy 802.1x, then in the Authz policy have a line like: if user in group A and calling station ID in endpoint group A, return VLAN A
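
The authorization rule described in the last reply, modelled as an added example (not part of the thread and not ISE's own code): it normalizes the Calling-Station-ID, applies the "user in group A and MAC in endpoint group A" rule, and flags randomized MACs by their locally administered bit. The group contents, VLAN numbers, rule names and function names are constructed assumptions.

```python
import re

# Constructed sample data (assumptions, not values from the thread).
ENDPOINT_GROUP_A = {"3c:22:fb:10:20:30"}   # MACs registered in endpoint group A
AD_GROUP_A = {"alice"}                      # users who are members of AD group A
VLAN_A, DEFAULT_VLAN = "110", "20"          # hypothetical VLAN IDs

def normalize_mac(calling_station_id):
    """Reduce any common Calling-Station-ID format to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """The locally administered bit (0x02 of the first octet) marks private/random MACs."""
    return bool(int(mac[:2], 16) & 0x02)

def vlan_attributes(vlan):
    """Standard RADIUS attributes for dynamic VLAN assignment (RFC 3580)."""
    return {"Tunnel-Type": "VLAN",           # value 13
            "Tunnel-Medium-Type": "802",     # value 6
            "Tunnel-Private-Group-ID": vlan}

def authorize(user, calling_station_id):
    """Return (matched_rule, attributes) for a session that already passed 802.1X."""
    mac = normalize_mac(calling_station_id)
    if user in AD_GROUP_A and mac in ENDPOINT_GROUP_A:
        return "GroupA-and-MAC", vlan_attributes(VLAN_A)
    if is_randomized(mac):
        # A per-SSID random MAC will not match a registered entry; surface it
        # separately so the admin can see why the device missed VLAN A.
        return "Default-randomized-MAC", vlan_attributes(DEFAULT_VLAN)
    return "Default", vlan_attributes(DEFAULT_VLAN)

if __name__ == "__main__":
    for user, csid in [("alice", "3C-22-FB-10-20-30"),   # registered device
                       ("alice", "da:a1:19:00:00:01"),   # randomized MAC
                       ("bob", "3c22.fb10.2030")]:       # user outside group A
        print(user, csid, authorize(user, csid))
```
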