02-07-2019 06:22 AM
ISE 2.3
I have a requirement to have visitors in a particular area of the building use hotspot and third parties in a totally different area use sponsored guest. There won't be any overlap, so a certain set of Access Points will be used for hotspot and another set of APs for sponsored guest. What is the best way to differentiate between the two types in the authorization policies?
I am planning on using RADIUS Called-Station-ID and using the AP name to match and redirect to the required portal. My WLC has "Auth Called Station ID Type" set to AP Name:SSID. This is a global config on the WLC and would affect other RADIUS authentication servers too. So I am wondering if this is the best way or is there an alternative method?
02-07-2019 07:49 AM
If you don't want to use the AP name trick you can use the same SSID name on two different WLAN #s. You can create the same SSID on two different WLAN #s and use AP groups to push out the desired WLAN # to the desired APs. Then you can key off WLAN ID # in ISE to create your two policies.
02-07-2019 06:57 AM
02-12-2019 05:33 AM
Hi Paul, thanks for this suggestion.
02-07-2019 07:47 AM
Changing the RADIUS called station ID from AP MAC:SSID to AP Name:SSID should not affect anything with your other SSIDs. I make this change on all my installs to allow the AP name to be used in ISE rules if needed. I have done what you are describing before to treat the same SSID differently based on the AP the users are connecting to.
02-12-2019 05:35 AM
Our WLCs have other RADIUS servers, so I need to check if they are using the default MAC address:SSID. If they don't, I will flip it over to AP Name:SSID, as this seems to be the simplest way to differentiate APs.
02-12-2019 05:45 AM
02-12-2019 07:04 AM
Hi,
I had the same scenario where we had 2 WLAN IDs, each one having a different type of authentication and both having the same SSID (Company WLAN).
What I did is that I changed the NAS-ID in one WLAN (let's say I called it Guest).
Then in the AuthZ policy of the ISE I made the differentiation based on the NAS-ID.
if Radius Called-Station-ID equals: Company WLAN
AND
if Radius NAS-Identifier equals: Guest Then Authorization Profile
I hope this helps
Please rate if answer is correct.
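Added example (not code from any poster in this thread, and not ISE's own logic): a Python model of the first-match decision discussed above, keyed on the AP name in Called-Station-ID with a fallback to the per-WLAN NAS-Identifier. The AP name prefixes, NAS-ID strings and result names are constructed assumptions; the point it shows is that AP-name rules silently stop matching if the WLC still sends AP MAC:SSID.

```python
import re

# Constructed values for illustration: AP name prefixes, NAS-ID strings and
# result names are assumptions, not taken from the thread or from ISE.
GUEST_SSID = "Company WLAN"
AP_PREFIX_RULES = [("LOBBY-", "hotspot-portal"), ("CONTRACTOR-", "sponsored-portal")]
NAS_ID_RULES = {"Hotspot": "hotspot-portal", "Sponsored": "sponsored-portal"}
DEFAULT = "deny-access"

# AP MAC in either common notation (hyphen- or colon-separated octets).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")


def parse_called_station_id(value):
    """Return (kind, station, ssid); kind is 'mac' or 'name'."""
    m = MAC_RE.match(value)
    if m:
        # Match the MAC first: a colon-separated MAC would break a naive split.
        rest = value[m.end():]
        return "mac", m.group(0), rest[1:] if rest.startswith(":") else ""
    station, _, ssid = value.partition(":")
    return "name", station, ssid


def select_result(attrs):
    """First-match evaluation over RADIUS attributes, default deny."""
    kind, station, ssid = parse_called_station_id(attrs.get("Called-Station-ID", ""))
    if ssid != GUEST_SSID:
        return DEFAULT
    if kind == "name":
        for prefix, result in AP_PREFIX_RULES:
            if station.upper().startswith(prefix):
                return result
    # AP-name rules cannot match when the WLC still sends AP MAC:SSID,
    # so fall back to the per-WLAN NAS-Identifier, then to the default.
    return NAS_ID_RULES.get(attrs.get("NAS-Identifier", ""), DEFAULT)


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in (
        {"Called-Station-ID": "LOBBY-AP01:Company WLAN"},
        {"Called-Station-ID": "00-1a-2b-3c-4d-5e:Company WLAN"},
        {"Called-Station-ID": "00-1a-2b-3c-4d-5e:Company WLAN", "NAS-Identifier": "Sponsored"},
    ):
        print(sample, "->", select_result(sample))
```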