
Differentiating Access Points with Radius Called-Station-ID

Madura Malwatte
Level 4

ISE 2.3

 

I have a requirement to have visitors in a particular area of the building use hotspot and third parties in a totally different area use sponsored guest. There won't be any overlap. So a certain set of Access Points will be used for hotspot and another set of APs for sponsored guest. What is the best way to differentiate between the two types in the authorization policies?

I am planning on using Radius Called-Station-ID and using the AP name to match and redirect to the required portal. My WLC has "Auth Called Station ID Type" set to AP Name:SSID. This is a global config on the WLC and would affect other RADIUS authentication servers too. So I am wondering if this is the best way or is there an alternative method?


A better option is to use the 'Airespace > Airespace-Wlan-Id' condition for your authorization profile. I am assuming that each set of users will connect to a different SSID. In this case you can match the SSID number and redirect them as required.

If you don't want to use the AP name trick you can use the same SSID name on two different WLAN #s.  You can create the same SSID on two different WLAN #s and use AP groups to push out the desired WLAN # to the desired APs.  Then you can key off WLAN ID # in ISE to create your two policies.

Hi Paul, thanks for this suggestion.

paul
Level 10

Changing the RADIUS called station ID from AP MAC:SSID to AP Name:SSID should not affect anything with your other SSIDs.  I make this change on all my installs to allow the AP name to be used in ISE rules if needed.  I have done what you are describing before to treat the same SSID differently based on the AP the users are connecting to.

Our WLCs have other RADIUS servers, so I need to check if they are using the default MAC address:SSID. If they don't, I will flip it over to AP Name:SSID, as this seems to be the simplest way to differentiate APs.

Most likely the other RADIUS servers aren't even using this value in their rule set so hopefully you can make the switch and have a good solution moving forward.


bern81
Level 1

Hi,

 

I had the same scenario where we had 2 WLAN IDs, each one having a different type of authentication and both having the same SSID (Company WLAN).

What I did is that I changed the NAS-ID in one WLAN (let's say I called it Guest).

Then in the authz policy of ISE I made the differentiation based on the NAS-ID:

If Radius Called-Station-ID equals: Company WLAN
AND
If Radius NAS-Identifier equals: Guest
Then Authorization Profile

I hope this helps

 

Please rate if answer is correct.
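
The Called-Station-ID matching discussed in this thread, modelled in Python as an added example that is not part of any post and is not ISE or WLC code. It classifies a value as the MAC:SSID or AP Name:SSID form (the check to run against the other RADIUS servers' traffic before changing the global WLC setting) and picks a portal from the AP name. The AP name prefixes `LOBBY-` and `CONTR-`, the SSID `Guest` and the portal labels are assumptions for illustration.

```python
import re
from collections import Counter

# MAC form of Called-Station-ID, e.g. "00-1a-2b-3c-4d-5e:Guest"
MAC_FORM = re.compile(r"^((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}):(.*)$")

# Hypothetical AP naming convention (assumption): name prefix -> portal
AP_PREFIX_TO_PORTAL = {
    "LOBBY-": "hotspot",
    "CONTR-": "sponsored-guest",
}

def parse_called_station_id(value):
    """Return (kind, ap, ssid); kind is 'mac', 'ap-name' or 'unknown'."""
    m = MAC_FORM.match(value)
    if m:
        return "mac", m.group(1).lower().replace(":", "-"), m.group(2)
    # Assumption: AP names contain no ':' so the first ':' starts the SSID.
    ap, sep, ssid = value.partition(":")
    if sep and ap and ssid:
        return "ap-name", ap, ssid
    return "unknown", None, None

def format_counts(values):
    """Count which Called-Station-ID form a set of observed values uses."""
    return Counter(parse_called_station_id(v)[0] for v in values)

def select_portal(attrs, guest_ssid="Guest"):
    """Model of the authorization decision; anything unmatched is denied."""
    kind, ap, ssid = parse_called_station_id(attrs.get("Called-Station-ID", ""))
    if kind != "ap-name" or ssid != guest_ssid:
        return "deny"
    for prefix, portal in AP_PREFIX_TO_PORTAL.items():
        if ap.upper().startswith(prefix):
            return portal
    return "deny"

# Constructed sample values, not taken from a real WLC
SAMPLES = [
    "LOBBY-AP01:Guest",
    "CONTR-AP07:Guest",
    "OFFICE-AP03:Guest",
    "00-1a-2b-3c-4d-5e:Guest",
]

if __name__ == "__main__":
    print(dict(format_counts(SAMPLES)))
    for s in SAMPLES:
        print(s, "->", select_portal({"Called-Station-ID": s}))
```

A request that still carries the MAC form, or an AP name outside both prefixes, falls through to `deny` rather than to either portal, which is the behaviour a catch-all rule at the end of the policy set would give.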