Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1083
Views
0
Helpful
6
Replies

Perform client profile change on WLC 9800, with ISE policy Result

diogo_srocha
Level 1
Level 1

‎08-17-2021 09:02 AM

Hey all.

Im trying to config SSID 802.1x with policy map on ISE and profilling change on WLC. 

WLC - 9800CL - 16.12.4a

ISE Version: 2.7.0.356

 

I'm having trouble figuring out which attribute is needed in the "ISE policy result" so that the WLC controller inserts the authenticated client into a given policy profile.

 

Scenário:

 

I have three different policies profiles on WLC, with VLANS and ACLS. 

ABCD

XYZ

1234

 

Depends on policy authorizantion result, after ISE authentication, id like to set a specific policy profile on WLC. 

 

Config Exemple:

"ISE Policy Set"

If AD group = ABCD and Devide MAC on group ABCD = Policy result = ABCD. 

If AD group = XYZ and Devide MAC on group XYZ = Policy result = XYZ

If AD group = 1234 and Devide MAC on group 1234 = Policy result = 1234 

 

Which attribute in "ISE policy result" I need to configure so that the ISE informs the WLC in which policy the client should be allocated?

 

This is the correctly deploy to chose custom VLANs and ACLs  on WLC for authenticated clients?

 

Tks for help. 

 

 

 

 

Labels:
0 Helpful
6 Replies 6

Arshad Safrulla
VIP Alumni
VIP Alumni

‎08-17-2021 01:10 PM

Are you looking for Dynamic VLAN assignment based on Radius? Lets say if the user belongs to certain group on AD then assign VLAN X. Then you can refer the below link

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html

 

I don't see a reason why you are trying to change the policy profile and I don't think it is possible to change the policy profile as well. 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

diogo_srocha
Level 1
Level 1
In response to Arshad Safrulla

‎08-17-2021 03:46 PM

I thought could be possible assign a VLAN and ACL based on wlc policy profile with a return attribute from ISE. 

 

I did something like this with Aruba user role. After ise profiling,  a return code can be sent to wlc and clients have custom profiles to be assigned. With wlc cisco I don't know if it's possible. I tried cisco av pair,  airspace guest role and many other attributes in policy results, but without success.

 

I put vlan assignment and acl name on ISE and it's OK, But Sincerely, all clients with same policy profile on wlc, with different VLANs and ACLs seems to be wrong. I didn't find reports from wlc that shows me real profile for a client after ISE profiling. 

On ISE, I will see these clients with specific profile like ABCD or 1234. 

On wlc, all clients will be in same profile. 

It's correct?? 

 

 

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni

‎08-18-2021 12:44 AM

It's not limited to VLAN and ACL, there are many other parameters supported like QOS policies etc. You can check the CIsco ISE and 9800 Guides for the supported features.  Policy Profile allows you to specify the VLAN ID, local or Flex Connect Switching for WLAN, QOS, times like idle, session timeouts, QOS policies statically for a SSID. Using Radius parameters returned with Radius accept, you can change these statically assigned ones to custom ones as per the user or the group.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

diogo_srocha
Level 1
Level 1
In response to Arshad Safrulla

‎08-18-2021 04:04 AM

Tks for help Arshadsaf.

My idea was exactly that, Apply same parameters for a specific group, and I'm thought policy profile was best idea. Just because policy profile has all necessary configurations and wouldn't be necessary to apply custom parameter with many radius returns.

 

So,  there's no way to change policy? 

 

Has 9800 something like a dictionary for Radius parameters accept from ISE and functions? 

I tried to find on guide,  but for me it's so confused, there's millions of attributes for many solutions. 

 

 

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni

‎08-18-2021 12:31 PM

So,  there's no way to change policy? 

I dont think you can  change the policy tag as it is statically assigned to the complete AP.

 

Has 9800 something like a dictionary for Radius parameters accept from ISE and functions? 

I haven't seen such a document from Cisco, if you find please share it with us well.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

Sean Aindow
Level 1
Level 1
In response to Arshad Safrulla

‎08-19-2022 08:33 AM

i would also like to see if a document like this exists from cisco. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card