Cisco Support Community

New Member

ISE wireless: permit only connection on specific ESSID

Hi

I have ISE ver 1.1.x, Cisco 2960, Cisco 1800 and controller 2100.

There are Active Directory users (employees) and guest users.

Active Directory has many user groups (finance, security, human resources ...).

For wireless connection I created many ESSIDs in the controller, one for each group (finance, security, human resources, guest ...).

I configured one VLAN for each corresponding ESSID.

There is no security key for the wireless connection.

Is it possible to deny connection for one user to different ESSIDs and permit only connection of each user on each corresponding ESSID?

Is it possible to redirect a user to their corresponding ESSID (VLAN) if they choose to connect to the wrong ESSID?

Thanks in advance

8 REPLIES
Cisco Employee

ISE wireless: permit only connection on specific ESSID

You have to configure profiling and posturing for the same and create the rule to put them on the appropriate VLAN. For information on configuration, you can see the link below.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_user_guide.html

ISE wireless: permit only connection on specific ESSID

Hi,

You can use the RADIUS attribute "called-station-id" to make this work. Typically, in the RADIUS access-request packet, the SSID is sent with this attribute-value pair. You can then check this SSID and the AD group the user is connecting through to make your decision.

If you take a look at the authentication details in ISE of the user authenticating, under "Other Attributes" the called-station-id will be present in the format I just mentioned.

Thanks,

Tarik Admani
*Please rate helpful posts*


ISE wireless: permit only connection on specific ESSID

Here is a config example about how to achieve that:

http://goo.gl/gpmpsV

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

New Member

ISE wireless: permit only connection on specific ESSID

Hi Amjad

I have seen the example on the link.

But if I have 2 ESSIDs (guest and corporate)

and in each group (guest and corporate) I have many VLANs:

VLAN guest group 1: VLAN 10

VLAN guest group 2: VLAN 11

VLAN guest group 3: VLAN 47

VLAN guest Corporate finance: VLAN 45

VLAN guest Corporate management: VLAN 110

VLAN guest Corporate administration: VLAN 70

I would like to know if it is possible to configure 2 ESSIDs (guest and corporate)

and put each user in their specific VLAN when they connect to the wireless network (ESSID guest or corporate).

How can I configure it?

ISE wireless: permit only connection on specific ESSID

Hi,

Based on what do you want to choose the interface?

The corporate WLAN should be mapped to multiple VLANs, so how would you like to choose which user is mapped to which VLAN?

Rating useful replies is more useful than saying "Thank you"
New Member

ISE wireless: permit only connection on specific ESSID

ISE can dynamically assign VLANs. It is a common setup to assign specific VLANs to specific AD user groups.

You just create an authz policy for each AD group / VLAN.

On the wireless controller, make sure you enable AAA override on the WLAN.

I think dynamic VLANs are now supported on both HREAP/FlexConnect and local/centralised mode with 7.2 firmware.
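
Added example (not part of any reply in this thread, and not Cisco code): a Python model of the authorization logic the replies above describe, matching the SSID carried in Called-Station-Id against the user's AD group and returning the RADIUS attributes for dynamic VLAN assignment. It assumes the controller sends Called-Station-Id as `AP-MAC:SSID`; the AD group names are hypothetical, and the SSID names and VLAN numbers are the ones listed earlier in the thread.

```python
import re

# Assumption: Called-Station-Id looks like "<AP-MAC>:<SSID>".
_CSID = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.+)$")

# (SSID, AD group) -> VLAN. VLAN numbers come from the thread;
# the AD group names are hypothetical.
POLICY = {
    ("corporate", "finance"): 45,
    ("corporate", "management"): 110,
    ("corporate", "administration"): 70,
    ("guest", "guest-group-1"): 10,
    ("guest", "guest-group-2"): 11,
    ("guest", "guest-group-3"): 47,
}

def ssid_from_called_station_id(value):
    """Return the SSID after the AP MAC, or None when it is absent."""
    match = _CSID.match(value.strip())
    return match.group(1) if match else None

def authorize(called_station_id, ad_groups):
    """Default-deny decision: accept only a listed (SSID, group) pair."""
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return {"result": "Access-Reject", "reason": "no SSID in Called-Station-Id"}
    for group in ad_groups:  # first matching group wins
        vlan = POLICY.get((ssid, group))
        if vlan is not None:
            return {
                "result": "Access-Accept",
                # RFC 3580 attributes for dynamic VLAN assignment
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": str(vlan),
            }
    return {"result": "Access-Reject", "reason": "no rule for this group on " + ssid}

if __name__ == "__main__":
    # Constructed sample requests (MAC address and users are made up).
    samples = [
        ("00-11-22-33-44-55:corporate", ["finance"]),
        ("00-11-22-33-44-55:guest", ["finance"]),
        ("00-11-22-33-44-55", ["management"]),
    ]
    for csid, groups in samples:
        print(csid, groups, authorize(csid, groups))
```

The returned VLAN only takes effect on the controller when AAA override is enabled on the WLAN, as the reply above notes.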

New Member

ISE wireless: permit only connection on specific ESSID

That is exactly what I want.

Each user should be assigned to his specific VLAN mapped to his Active Directory group.

Where can I find a configuration example (ISE and WLC) to achieve it?

Thanks

New Member

ISE wireless: permit only connection on specific ESSID

1. I would suggest creating an ACL, or
2. Configure MAC filtering on a specific SSID (enter only the MAC addresses of the wireless devices you want to give access to that particular SSID):

• Configuration -> SSIDs -> [SSID Name]

• Optional Settings -> MAC Address Filters -> Available MAC Filters -> New

• In the MAC Filters>New window click on the "New" button next to the "MAC Address/OUI" list

• Add the MAC Address\MAC Address Range

• In the MAC Filters>New window select the newly created MAC Address\MAC Address Range and select "Permit" as the Action

• Save the new MAC Filter

• On the screen ensure the newly created MAC Filter is in the "Selected MAC Filters" area rather than the "Available MAC Filters" area

• Ensure the default action (under the "Available MAC Filters" area) is "Deny"

• Save the change to the SSID profile

• Update the affected access points
