
Wireless and Mobility - IPSK and ISE

Arash-BE
Level 1

Hi all,

 

I would like to know if Cisco has the same feature as Juniper Mist.

 

We would like to broadcast one SSID, but that SSID has multiple PSKs configured. Based on the PSK, the client will be put in a specific VLAN. The ISE authentication policy should only be based on the PSK, and the MAB or Endpoint ID/Group is not required.

 

Example:

SSID name = Work

PSK (test1) = vlan 2

PSK (test2) = vlan 3

PSK (test3) = vlan 4

 

I can only find that ISE needs at least a condition from which endpoint or ap/apgroup/.. should be matched before the policy gets pushed. But is it not possible to match on the PSK?

 

Juniper Mist has this feature, but the WLC does the match and does not pass this authentication to ISE.

 

Thanks for clarifying this to me!

 

grtz,

Arash

 

 

 

 

1 Reply

Cristian Matei
VIP Alumni

Hi,

 

The authentication performed by ISE is MAB, and the PSK is sent by ISE as authorization in the "Access-Accept" message, so it kinda makes sense that you shouldn't be able to match on the PSK as a condition in your authorization policy. The architecture/flow is different than on Mist/Juniper.

You need to be able to distinguish between the users/devices in order to apply the proper VLAN and PSK. An easy solution would be to configure multiple SSIDs, one for each group of users:

- Group Admins connect to SSID ADMINS; you match on the SSID in ISE and return the VLAN and PSK

- Group Technical connect to SSID TECHNICAL; you match on the SSID in ISE and return the VLAN and PSK

 

Regards,

Cristian Matei.
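
The flow described in the reply above, as an added example that is not part of the original thread and is not Cisco's code: a simplified model of an authorization policy that matches on the SSID in a MAB Access-Request and returns the VLAN and PSK in the Access-Accept. The `AP-MAC:SSID` form of Called-Station-Id, the VLAN IDs, the PSK strings, the sample request and the default reject are assumptions made for illustration.

```python
# Added illustration: a simplified model of ISE authorization for iPSK.
# The MAB Access-Request carries the client MAC and the SSID, never the PSK,
# so a rule can only match on those; the PSK is an output of the rule.

# Constructed policy: SSID names come from the reply above;
# VLAN IDs and PSK strings are placeholders.
AUTHZ_RULES = [
    {"ssid": "ADMINS", "vlan": "2", "psk": "example-admins-psk"},
    {"ssid": "TECHNICAL", "vlan": "3", "psk": "example-technical-psk"},
]


def ssid_from_called_station_id(called_station_id):
    """Extract the SSID, assuming the 'AP-MAC:SSID' format with a hyphenated MAC."""
    _, sep, ssid = called_station_id.partition(":")
    return ssid if sep else None


def authorize(access_request):
    """Return the RADIUS reply attributes for a MAB Access-Request."""
    ssid = ssid_from_called_station_id(access_request.get("Called-Station-Id", ""))
    for rule in AUTHZ_RULES:
        if rule["ssid"] == ssid:
            return {
                "code": "Access-Accept",
                # Standard RADIUS VLAN assignment attributes.
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "802",
                "Tunnel-Private-Group-ID": rule["vlan"],
                # iPSK: the passphrase is handed to the WLC in the reply.
                "cisco-av-pair": ["psk-mode=ascii", "psk=" + rule["psk"]],
            }
    # Assumption: no matching rule means the client is rejected.
    return {"code": "Access-Reject"}


# Constructed sample request; note that no attribute contains the PSK.
SAMPLE_REQUEST = {
    "User-Name": "aabbccddeeff",
    "Calling-Station-Id": "aa-bb-cc-dd-ee-ff",
    "Called-Station-Id": "00-11-22-33-44-55:ADMINS",
    "Service-Type": "Call-Check",
}

if __name__ == "__main__":
    print(authorize(SAMPLE_REQUEST))
```

Because the request side has nothing derived from the passphrase, the only usable match conditions are attributes such as the SSID or the endpoint identity, which is why the single-SSID, PSK-keyed design from the question does not map onto this flow.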
