WLC 9800 configure SSID to request ISE for authorization only

We need to have an SSID protected by PSK that authorizes endpoints into different VLANs by their MACs.
Is there a way to configure the WLC to request ISE for authorization only?


12 Replies

I guess you mix targets. All the SSID's clients use the same PSK. No need for iPSK at all. Instead, based on MAC address, a specific VLAN must be assigned to the client. For this to work we use "mac-filtering" in the SSID; when we enable it we can also configure the "Authorization list" parameter. The question is: with both parameters configured, does the WLC pass the full AuthC/AuthZ sequence on ISE (meaning there will be authentication & authorization parts)? Because we are looking for a means to skip AuthC, as clients authenticate with PSK on the WLC & are only required to pass the AuthZ part on ISE.
thanks 

Well, if you are using mac-filtering already, you can create an endpoint custom attribute like "vlan-id" and then assign a value. You can then use that custom attribute in your ISE AuthZ and define a new authorization profile to send the VLAN to the controller. That is what I have done, except I use the endpoint custom attribute to define the PSK, not using iPSK. This allows me to change the PSK if needed for a set of devices or for a single device.

-Scott

We already do that. We need a "way to configure WLC to request ISE for authorization only".
We already know the workaround: configuring the advanced result properties of the AuthC policy to Continue/Continue/Drop.
But is there a way to configure the WLC to ask for authorization only, like it can be done for a VPN client on the ASA?

The only way is to define the RADIUS settings like what you would do for 802.1X. Even if it's mac-filtering, you set up the AuthZ policy to look for the custom endpoint attribute (unless you have another attribute you can use) and then have ISE send that VLAN to the WLC.

You are doing mac-filtering already on the WLAN to send auth to ISE, correct?

-Scott

For the PSK-driven SSID we do mac-filtering exactly with the purpose of authorizing the client in a way different from a plain Access-Accept.
We have a similar differentiation on the .1X-driven SSID, but in that case AuthC is a required part of the authentication phase (and mac-filtering is not needed).
Only for PSK can AuthC on ISE be bypassed (because even with different PSKs, i.e. iPSK, we can send the key as part of AuthZ).

Sorry @andy!doesnt!like!uucp, maybe I'm just thinking differently. I have various ways in which I have placed devices using the same PSK on different VLANs. One, which was the old way, was to look at the endpoint group and then assign the VLAN based on what rule was hit. That way I can place all devices that were in a specific endpoint group on a VLAN, and any new MAC address just not placed in any endpoint group would be given a different VLAN. I don't know any other way to take a PSK using mac-filter and assign a VLAN when you are using ISE.

-Scott

Actually we are talking about the same & different things at the same time :0)
Same is: we authorize (read: land, use specific PSKs, etc.) under a single SSID in an even more unified way. We just put all corresponding endpoints into a single dedicated EID group, e.g. UnifiedNondefaultPSK or UnifiedNondefaultDot1x, & we use a dedicated AuthZ profile for this EID group that returns the Custom Attributes of the matched endpoint by referring to them in the Result's attributes (Cisco AVP or RADIUS etc.).
Different is: for SSIDs which are authenticated on the WLC (e.g. PSK) we don't need the AuthC section on ISE, & for a Cisco WLC it seems the only way to avoid it is to modify the default AuthC policy (which doesn't return Access-Accept :0)) to AuthFail=Continue / UserNotFound=Continue / ProcessFail=Drop.
Hopefully it now makes more sense for you.
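The two halves of the setup discussed in this thread, put together as an added configuration example (this is not config posted by any participant). The WLC 9800 side is IOS-XE CLI: a PSK WLAN with `mac-filtering` pointing at a RADIUS authorization list, and a policy profile with `aaa-override` so that the VLAN (or iPSK key) ISE returns actually takes effect. The ISE side is written as comments, since it is built in the GUI: the default authentication rule with the Continue/Continue/Drop advanced options, and the authorization profile attributes that carry the VLAN from an endpoint custom attribute. The ISE address, shared secret, SSID and profile names, VLAN 100 and the custom attribute name `vlan-id` are all assumed placeholders.

```cisco
! ===== WLC 9800 (IOS-XE) side: assumed names and addresses =====
aaa new-model
radius server ISE-PSN1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
aaa group server radius ISE-GROUP
 server name ISE-PSN1
! Only an authorization method list is defined. No dot1x authentication list
! is attached to this WLAN: the WPA2-PSK handshake is terminated on the WLC.
aaa authorization network ISE-AUTHZ group ISE-GROUP

! PSK WLAN. mac-filtering makes the WLC send a MAB request (User-Name = MAC,
! Service-Type = Call Check) to the ISE-AUTHZ list before the 4-way handshake.
wlan IOT-PSK 10 IOT-PSK
 mac-filtering ISE-AUTHZ
 no security wpa akm dot1x
 security wpa akm psk
 security wpa psk set-key ascii 0 <wlan-default-psk>
 no shutdown

! aaa-override is mandatory: without it the Tunnel-Private-Group-ID (VLAN)
! and the iPSK AVPairs in the Access-Accept are ignored by the controller.
wireless profile policy IOT-POLICY
 aaa-override
 vlan 100
 no shutdown

wireless tag policy IOT-TAG
 wlan IOT-PSK policy IOT-POLICY

! ===== ISE side (GUI settings, shown here as comments) =====
! Policy set matched on this SSID (Called-Station-ID ends with ":IOT-PSK").
! Authentication policy: keep only the Default rule, Options set to
!   If Auth fail      = CONTINUE
!   If User not found = CONTINUE
!   If Process fail   = DROP
! so an unknown MAC still reaches the authorization rules instead of an
! Access-Reject (the "Continue/Continue/Drop" workaround from this thread).
!
! Authorization profile "IOT-VLAN-FROM-ATTR", attributes returned to the WLC:
!   Tunnel-Type              = VLAN (13)
!   Tunnel-Medium-Type       = 802 (6)
!   Tunnel-Private-Group-ID  = EndPoints:vlan-id      (endpoint custom attribute)
! Optional per-device key (iPSK) in the same profile, as Cisco AVPairs:
!   cisco-av-pair = psk-mode=ascii
!   cisco-av-pair = psk=<per-device-key>
! Leave the psk AVPairs out and the client keeps using <wlan-default-psk>.
```

Two checks worth doing after applying this: `show wireless client mac-address <mac> detail` on the 9800 should show the VLAN that ISE returned rather than the profile's VLAN 100, and the ISE Live Log entry for the MAC should show the authorization profile name in the Authorization Profiles column. If the client lands in VLAN 100 although ISE returned a VLAN, the usual cause is a missing `aaa-override` or a VLAN that does not exist on the controller.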

That is interesting, because I use the default for my AuthC; however, I do have an AuthC rule just for MAB. This is my home lab, so I do change things around. This was my basic mac-filter using ISE, just to see what I can control and so that I can capture the devices that are connecting to wireless.

[screenshot: ScottFella_0-1725552022065.png]

AuthZ

[screenshot: ScottFella_1-1725552067304.png]

-Scott

Interesting... but if the policy set is bound to an arbitrary SSID which is dedicated to MAB & protected by alternate local authentication on the NAD (the WLC in the wireless case), "Wireless_MAB & Wireless_Access" in a non-default AuthC rule looks superfluous IMHO. That's why for the PSK-protected SSID its policy set in our case keeps only the Default AuthC rule with the advanced options Continue/Continue/Drop.
& the BlackList AuthZ rule in your screenshot is apparently what we were missing. Thanks for the reminder!
Getting back to the options to skip AuthC & jump to AuthZ: RADIUS doesn't have separate sessions for the 1st... So I don't get how, in the case of ASA RAS VPN, we can configure the AAA settings in such a way that ISE logs "Authorization only".

It really depends on what you really want to do, whether it makes sense, and whether it is easy for others to support. I always try to create a new policy set so I know things are working as is. Then I look to see if I can incorporate it into another policy set which provides me with everything I want to see and is easy to troubleshoot. That is why I tend to create rules that I can see in the logs, and also policy sets that are scalable for me in the future. I think there are many different ways you can go about achieving what you want, but others may do it differently.
-Scott

Haydn Andrews
VIP Alumni

iPSK will do it; just don't return the different PSK value and it will use the PSK configured on the WLC. Alternatively, with iPSK you can deploy the same PSK in each ISE result together with a different VLAN ID.
