We have a Cisco ISE 2.0 and WLC 2400s. We have an SSID for all company PCs to join through AD authentication. That works great.
This authorization rule currently allows any device to connect, meaning mobile devices and tablets. We have a policy that only exec and company paid for devices can be on wireless.
To prohibit mobile devices from connecting, we added a new Rule for Profiled devices to connect only if in a particular AD group (MobileWirelessAccess), which is for execs and those approved to connect. We also changed the Rule for the company to be Workstations instead of Any. This was very flaky and did not work most of the time. Only when we have the Rule for the SSID set to ANY does it work correctly.
I'm not sure if the rules are not correct or if we need to create a portal only for execs or what. We are not sure how to create a portal that would allow access for execs only. We already have an SSID for visitors and guests that is controlled by accounts on the WLC.
As you can see from the attachment, ywlan is the rule for everyone to connect, currently set to ANY.
Also, the employee attachment is set to monitor only, which was created for the mobile device restriction.
Any help is appreciated.