Lab Minutes Forum

Technical Discussion => Security => Topic started by: bhatsy on July 19, 2014, 10:49:42 AM

Title: Wildcard on Compound Condition in ISE
Post by: bhatsy on July 19, 2014, 10:49:42 AM

I want to use the SSID as a condition in Authorization profile. The SSID I have is test123. The only place where the SSID gets sent out in RADIUS is Called Station Id. But that includes the AP Radio MAC:SSID. Is there a way I can wild card the AP Radio Mac:  in the condition? Can i use REGEX ?

Title: Re: Wildcard on Compound Condition in ISE
Post by: spark_rod on July 19, 2014, 01:19:49 PM

Hi, for what I understand. You want to create a policy that associate to the specific SSID? there's an attribute called wlan-id. for example, the test123 ssid assigned in wlan id 1 in your controller.. just add the attribute in your condition..airespace:Airespace-Wlan-Id equals to 1.

Title: Re: Wildcard on Compound Condition in ISE
Post by: bhatsy on July 19, 2014, 05:34:48 PM

My wlan controller is not cisco. It does not support airespace attributes in radius. I configured regex expression .*(test123) $ to match the SSID in called station id but it is not matching.  It seems like a bug in the ise code.  Does any one know other ways to implement policies based on ssids in ise ?

Title: Re: Wildcard on Compound Condition in ISE
Post by: MC on July 20, 2014, 11:46:16 AM

They way I got it to work is to use "Contain" instead of "Match" so you don't have to bother with regex. So just {Called-Station-Id (Contain) test123}. I believe Contain became available in version 1.2. If you have 1.1, you are stuck with Match but that should still work  with .*(test123).*.

Title: Re: Wildcard on Compound Condition in ISE
Post by: bhatsy on July 21, 2014, 10:50:21 AM

Thanks a lot. I cant believe i missed it in the drop down menu. That worked.