ISE Policy Sets

In this video we review ISE policy sets and how they apply to typical installations.

Advertisements

5 thoughts on “ISE Policy Sets

  1. Pingback: Cisco ISE & Meraki How-To Videos | Wirelessly WIRED

  2. Hi – Just want to say these are a great series of videos.

    When I try to authenticate a client using the default Wireless MAB condition using the Cisco device profile everything works as expected however when I try to authenticate a client using the default Wireless 802.1x condition I am unsuccessful.

    The Cisco device profile has a default Wireless 802.1x condition that matches the following in the RADIUS request:
    – Radius:NAS-Port-Type = Wireless – IEEE 802.11
    – Radius:Service-Type = Framed

    According to Meraki support WPA2-Enterprise with 802.1x only supports the following attributes:
    – UserName
    – NAS-IP-Address
    – NAS-Port
    – Called-Station-ID
    – Calling-Station-ID
    – Framed-MTU
    – NAS-Port-Type
    – Connect-Info

    Obviously only NAS-Port-Type is matched.I can create a custom condition for Wireless 802.1x containing the following which works:

    Radius:NAS-Port-Type = Wireless – IEEE 802.11

    However I cannot use the default Wireless 802.1x condition for some reason – any ideas? Wireless MAB works fine which uses NAS-Port-Type and Service-Type but I do not understand why it works (service type isn’t in Meraki’s supported list)…

    Like

    • It may be due to “Radius:Service-Type = Framed”. This was for some reason not included in some past code revisions. What I would do for the time being is duplicate the wireless 802.1x policy and remove the “Radius:Service-Type = Framed” line. This has been resolved however in the current GA and Beta.

      Like

      • Where you say “This was for some reason not included in some past code revisions” are you referring to Meraki or ISE? Also, where you say it has been resolved in the current GA – What is GA? and again is this referring to Meraki or ISE?

        I have made the custom policy as you suggest and that works.

        Thanks

        Like

      • I am referring to this info was not included in the radius access request in some of the past Meraki code releases. When I say GA I am referring to General Availability – current stable release code that is considered up to date in dashboard

        Like

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s