Cisco Support Community
Community Member

ISE Design Question

I have a few design questions regarding ISE v.1.0.4.573:

  1. Do ISE 3395 gigabit ports support link aggregation? How can I utilize all 4 ports for uplink?
  2. When doing a standalone HA setup of 2x3395, is there a heartbeat link between the two ISEs, or will they use the same uplink to the network for heartbeat and synchronizing?
  3. I am designing ISE with WLC. My WLC (5508) setup is like 5 floors having different VLANs but the same SSID. How can I make ISE authenticate in this scenario, since WGB AP is not supported in ISE v.1.0? Is there a workaround for this type of WiFi setup in ISE?
  4. Continuing from the above setup, while roaming from one floor to another floor after changing VLAN, will the user re-authenticate or use the same session?

Thanks for the help.

Regards,

Zohaib

7 REPLIES
Community Member

1. The current version does not support link aggregation.

2. They will use the same uplink to the network for heartbeat and synchronizing.

3. My suggestion is to assign your SSID an interface group, containing all interfaces belonging to your VLANs, on your WLC and set AAA override. Then, in ISE, create authorization profiles which include the appropriate VLAN. Use the RADIUS attribute Called-Station-ID with your AP MAC address as the condition.

4. They will use the same session.

Community Member

Thank you for the reply, it really helped a lot. For some reason the Called-Station-ID attribute was not matching, but the interface group solved most of my problem.

Is there a way to use wildcard symbols for defining the SSID in the Called-Station-ID? For example, I want to use *Employee as the attribute value so that it matches any AP MAC with SSID Employee.

Community Member

You could use the following regular expressions to accomplish this:


String ends with Employee:  .*(Employee)$
String contains Employee:  .*(Employee).*

Please note the use of the dots.

Community Member

I tried both strings but it's not matching the authentication policy. When I copied the whole Called-Station-ID from the authentication failure report, then it matches.

For example:    d8-24-bd-95-b8-80:Employee

But anything else wouldn't match. Is there a link that I can refer to for putting wildcard expressions in ISE for RADIUS?

Community Member

There is some documentation in the Cisco Identity Services Engine User Guide, Release 1.0.4.pdf document, on pages 16-14 and 16-19 to 16-21, but it is quite minimal.

Community Member

I found a document for the CLI where the wildcard attributes are mentioned in detail. It seems that the expression you provided above is correct, and the Called-Station-ID should not be used with "Equals" but with "Match" for wildcard attributes. I found this mistake and now everything is working perfectly.

Thanks again Dennis.

Community Member

I am not sure if I am understanding the problem. But at least in ACS 5.2 there was a "compound selection" match that could be done. In cases where we need to match only the SSID, the WLC sends the AP radio MAC and then the SSID at the end of the string. So if we only want to match the SSID, the solution was to do a compound selection and use "ends with:employee" for the Called-Station-ID. That at least worked fine for me. It must be similar for ISE.
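Added example, not part of the thread and not Cisco code: a small Python model of why the two expressions failed under "Equals" and worked under a match operator, and how much each one lets through. It assumes the match operator behaves like a whole-string regular expression match; the sample values other than the one quoted in the thread, the function names and the stricter `MAC_THEN_SSID` pattern are constructed for illustration.

```python
import re

# Called-Station-ID values in the "AP radio MAC:SSID" form the WLC sends.
# The first value is the one quoted in the thread; the rest are constructed.
SAMPLES = [
    "d8-24-bd-95-b8-80:Employee",
    "00-11-22-33-44-55:Employee",
    "00-11-22-33-44-55:Employee-Guest",
    "00-11-22-33-44-55:NonEmployee",
    "00-11-22-33-44-55:Guest",
]

ENDS_WITH = r".*(Employee)$"     # expression from the thread
CONTAINS = r".*(Employee).*"     # expression from the thread
# Stricter pattern (an assumption of this example, not from the thread):
# six hex octets, the ':' separator, then exactly the SSID.
MAC_THEN_SSID = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}:Employee"


def equals(value, operand):
    """Model of 'Equals': literal comparison, the operand is never a pattern."""
    return value == operand


def matches(value, pattern):
    """Model of the match operator: the pattern must cover the whole value."""
    return re.fullmatch(pattern, value) is not None


def evaluate(operator, operand):
    """Return the sample values for which the condition would be true."""
    return [v for v in SAMPLES if operator(v, operand)]


if __name__ == "__main__":
    cases = [
        ("Equals  + ends-with regex", equals, ENDS_WITH),
        ("Equals  + full literal   ", equals, SAMPLES[0]),
        ("Matches + ends-with regex", matches, ENDS_WITH),
        ("Matches + contains regex ", matches, CONTAINS),
        ("Matches + MAC:SSID regex ", matches, MAC_THEN_SSID),
    ]
    for label, op, operand in cases:
        print(label, "->", evaluate(op, operand))
```

Both thread expressions also accept SSIDs that merely end in or contain "Employee", so a policy keyed on them applies the employee authorization profile to those SSIDs as well; anchoring on the `:` separator avoids that.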
