08-28-2012 11:34 PM - edited 07-03-2021 10:35 PM
Hi Team,
My customer wants to have a mapping of WLAN SSIDs to different authentication protocols as shown below.
1: EMP-M for Mschap
2: EMP-G for Peap GTC
3: EMP-T for TLS
For example, EMP-M SSID users should be connected with only PEAP (MSCHAPv2) and not with other methods like PEAP-GTC/EAP-TLS.
The customer currently has a WLC 5508 and is using ISE for AAA. Any tips on how we can meet the above requirement through the WLC?
Regards
Sankar
08-29-2012 04:55 AM
Hi,
Not through WLC, but through the AAA server. It can be done with ACS 5.x, but I have no experience with ISE to tell, but I think it is possible.
You can ask in security AAA forums.
Sent from Cisco Technical Support iPad App
08-29-2012 04:59 AM
Simple... if you want to have 3 SSIDs, you create a new SSID and name the profile EMP-M and set the SSID to EMP-M. Then configure your WLAN SSID settings, which would be WPA2/AES with 802.1x. Create your second WLAN and name the profile EMP-G and set the SSID to EMP-G. Then configure your WLAN SSID settings, which would be WPA2/AES with 802.1x. Create your third SSID and name the profile EMP-T and set the SSID to EMP-T. Then configure your WLAN SSID settings, which would be WPA2/AES with 802.1x.
The lookup of which users belong or can authenticate to which authentication protocol is defined in your ISE. Your WLC will be an AAA client in ISE, and you will define the ISE as a RADIUS server and point each of the WLANs to use ISE for RADIUS. In your ISE policy, in order to differentiate the different SSIDs, you will need to have three different policies and use the following to specify only from this SSID:
.*EMP-M
.*EMP-G
.*EMP-T
Hope this helps.... now you just have to figure out your various ISE policies.
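The SSID-to-method mapping described in the reply above, modelled as an added Python example (not from the thread and not ISE configuration). It assumes the WLC sends the SSID at the end of the RADIUS Called-Station-ID attribute as `AP-MAC:SSID`; the method labels, sample values and function names are constructed for illustration.

```python
import re

# Constructed policy table modelled on the thread: one rule per SSID, each
# allowing a single EAP method. The patterns are the ones quoted in the reply.
POLICIES = [
    (re.compile(r".*EMP-M"), "PEAP-MSCHAPv2"),
    (re.compile(r".*EMP-G"), "PEAP-GTC"),
    (re.compile(r".*EMP-T"), "EAP-TLS"),
]
INTENDED_SSIDS = {"EMP-M", "EMP-G", "EMP-T"}
SAMPLE_AP_MAC = "00-11-22-33-44-55"  # constructed value


def decide(called_station_id, eap_method):
    """First matching SSID rule wins; anything unmatched is denied."""
    for pattern, allowed in POLICIES:
        # fullmatch: the whole attribute must match, so '.*EMP-M' means
        # "ends with EMP-M". This is this model's choice (an assumption),
        # not a statement about how ISE evaluates the condition.
        if pattern.fullmatch(called_station_id):
            return "permit" if eap_method == allowed else "deny"
    return "deny"


def overlapping_ssids(ssids):
    """SSIDs that would hit a rule written for a different SSID."""
    hits = []
    for ssid in ssids:
        csid = SAMPLE_AP_MAC + ":" + ssid
        if ssid not in INTENDED_SSIDS and any(
            p.fullmatch(csid) for p, _ in POLICIES
        ):
            hits.append(ssid)
    return hits


if __name__ == "__main__":
    # Constructed sample requests: (Called-Station-ID, negotiated method).
    for csid, method in [
        (SAMPLE_AP_MAC + ":EMP-M", "PEAP-MSCHAPv2"),
        (SAMPLE_AP_MAC + ":EMP-M", "EAP-TLS"),
        (SAMPLE_AP_MAC + ":EMP-T", "EAP-TLS"),
        (SAMPLE_AP_MAC + ":GUEST", "PEAP-MSCHAPv2"),
    ]:
        print(csid, method, decide(csid, method))
    # A leading wildcard also catches any other SSID with the same suffix.
    print(overlapping_ssids(["EMP-M", "TEMP-M", "EMP-T2", "GUEST"]))
```

In this model, a pattern that includes the separator (for example `.*:EMP-M`) would keep an SSID such as `TEMP-M` from landing in the EMP-M rule.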
08-29-2012 05:40 AM
Thanks Scott for your valuable input.
How can we map the SSID in the ISE policy? Any pointers to a link or configuration example will be helpful.
08-29-2012 05:45 AM
You first need to understand what you want to do, which includes if you want to profile, posture, etc. That is where you have to understand what you can do and what you want to do. If it's basic, take a look at this video, and then when you create your policies, you can specify the .*SSID to differentiate the SSIDs; of course, you will have three policies just for the wireless.
https://supportforums.cisco.com/videos/2480