Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE Auth policy based on MAC OUI and SSID

I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -

The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.

Anyone know how to do this on ISE?  Two questions -

1) I can match based on WLAN-ID, but not SSID.  My WLAN-IDs for the same SSID don't match between controllers.  Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?  Or, is there a different attribute I can use that refers to the SSID?

2) What attribute do you use in ISE Authorization conditions to match OUI?  And can I match a list of OUIs?

  • AAA Identity and NAC

ISE Auth policy based on MAC OUI and SSID


Thanks for opening a TAC case, basically a bug was filed to fix the logging to show the correct calling station id, currently the ISE reports show the (:) as the delimeter the pcap shows a hyphen.

Here is the bug to track this issue:


Tarik Admani

Tarik Admani *Please rate helpful posts*

ISE Auth policy based on MAC OUI and SSID

1) I have never seen the actual SSID name anywhere in the radius attributes coming from the controller, i always use airespace-wlan-id, and if you wan't to avoid creating multiple rules, make the id's the same on all controllers.

2) Well OUI is part of the mac, so you could maybe use RegEX to filter out specific OUI's. Another way, if you have advanced license, would be to use Profiling, then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authoriz. policy ex . "Profiled:Iphone"

New Member

ISE Auth policy based on MAC OUI and SSID

Hi All.  Thanks for the replys.

I was able to do this -

Radius:Called-Station-ID MATCHES .*(SSID)$

Radius:Calling-Station-ID STARTS_WITH 1C-AB-A7

The first does match the SSID properly - so I don't need to worry about matching WLAN IDs between controllers.

ISE Auth policy based on MAC OUI and SSID

Great info, i never noticed the ssid name in the calling station id, maybe it's a new thing in the controller software ?