08-17-2021 09:02 AM
Hey all.
I'm trying to configure an 802.1X SSID with a policy map on ISE and a profiling change on the WLC.
WLC - 9800CL - 16.12.4a
ISE Version: 2.7.0.356
I'm having trouble figuring out which attribute is needed in the "ISE policy result" so that the WLC controller inserts the authenticated client into a given policy profile.
Scenario:
I have three different policy profiles on the WLC, with VLANs and ACLs.
ABCD
XYZ
1234
Depending on the policy authorization result, after ISE authentication, I'd like to set a specific policy profile on the WLC.
Config example:
"ISE Policy Set"
If AD group = ABCD and Device MAC on group ABCD = Policy result = ABCD
If AD group = XYZ and Device MAC on group XYZ = Policy result = XYZ
If AD group = 1234 and Device MAC on group 1234 = Policy result = 1234
Which attribute in the "ISE policy result" do I need to configure so that ISE informs the WLC in which policy the client should be allocated?
Is this the correct deployment to choose custom VLANs and ACLs on the WLC for authenticated clients?
Thanks for the help.
08-17-2021 01:10 PM
Are you looking for dynamic VLAN assignment based on RADIUS? Let's say if the user belongs to a certain group in AD, then assign VLAN X. Then you can refer to the link below.
I don't see a reason why you are trying to change the policy profile and I don't think it is possible to change the policy profile as well.
08-17-2021 03:46 PM
I thought it could be possible to assign a VLAN and ACL based on the WLC policy profile with a return attribute from ISE.
I did something like this with the Aruba user role. After ISE profiling, a return code can be sent to the WLC and clients have custom profiles to be assigned. With a Cisco WLC I don't know if it's possible. I tried Cisco AV pair, Airespace guest role and many other attributes in policy results, but without success.
I put the VLAN assignment and ACL name on ISE and it's OK, but sincerely, all clients with the same policy profile on the WLC, with different VLANs and ACLs, seems to be wrong. I didn't find reports from the WLC that show me the real profile for a client after ISE profiling.
On ISE, I will see these clients with specific profile like ABCD or 1234.
On the WLC, all clients will be in the same profile.
Is that correct?
08-18-2021 12:44 AM
It's not limited to VLAN and ACL; there are many other parameters supported, like QoS policies etc. You can check the Cisco ISE and 9800 guides for the supported features. The policy profile allows you to specify the VLAN ID, local or FlexConnect switching for the WLAN, QoS, timers like idle and session timeouts, and QoS policies statically for an SSID. Using RADIUS parameters returned with the RADIUS accept, you can change these statically assigned ones to custom ones as per the user or the group.
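The per-session override described in the reply above, as an added example that is not part of the thread or of Cisco's documentation: it maps the question's three groups to a VLAN and ACL, rejects anything that matches no rule, and encodes the attributes an Access-Accept would carry. The VLAN IDs, ACL names and function names are constructed for illustration; the use of the standard RADIUS tunnel attributes and the Airespace-ACL-Name VSA is an assumption about what the authorization result contains.

```python
import struct

# Constructed sample mapping: the thread's three groups, hypothetical VLANs and ACL names.
AUTHZ_RESULTS = {
    "ABCD": {"vlan": "110", "acl": "ACL_ABCD"},
    "XYZ": {"vlan": "120", "acl": "ACL_XYZ"},
    "1234": {"vlan": "130", "acl": "ACL_1234"},
}

# Standard RADIUS attribute types (RFC 2865 / RFC 2868) and the Airespace VSA.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME = 14179, 6
VLAN, IEEE_802 = 13, 6


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def authorize(ad_group, endpoint_group):
    """Return the override for a session, or None when no rule matches (reject)."""
    # Both conditions must name the same group, as in the rules from the question.
    if ad_group != endpoint_group:
        return None
    return AUTHZ_RESULTS.get(ad_group)


def access_accept_attributes(result):
    """Encode the VLAN and ACL overrides that replace the profile's static values."""
    acl = attr(AIRESPACE_ACL_NAME, result["acl"].encode())
    vsa = struct.pack("!I", AIRESPACE_VENDOR_ID) + acl
    return b"".join([
        attr(TUNNEL_TYPE, struct.pack("!I", VLAN)),             # tag 0x00 + value 13
        attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", IEEE_802)),  # tag 0x00 + value 6
        attr(TUNNEL_PRIVATE_GROUP_ID, result["vlan"].encode()),
        attr(VENDOR_SPECIFIC, vsa),
    ])
```

Returning None for a mismatch keeps the default closed: a client that matches no rule gets no override at all rather than the SSID's static VLAN.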
08-18-2021 04:04 AM
Thanks for the help, Arshadsaf.
My idea was exactly that: apply the same parameters for a specific group, and I thought the policy profile was the best idea, just because the policy profile has all the necessary configurations and it wouldn't be necessary to apply custom parameters with many RADIUS returns.
So, there's no way to change policy?
Does the 9800 have something like a dictionary of the RADIUS parameters it accepts from ISE and their functions?
I tried to find it in the guide, but for me it's so confusing; there are millions of attributes for many solutions.
08-18-2021 12:31 PM
So, there's no way to change policy?
I don't think you can change the policy tag, as it is statically assigned to the complete AP.
Does the 9800 have something like a dictionary of the RADIUS parameters it accepts from ISE and their functions?
I haven't seen such a document from Cisco; if you find one, please share it with us as well.
08-19-2022 08:33 AM
I would also like to see if a document like this exists from Cisco.