Cisco WLC: Per user authentication, many Vlans, few SSIDs

Tags: aaa, cisco, firewall, wireless, wlc

We have a simple problem. We want to restrict our wireless users to certain business websites based on their username when they login. We have many kinds of wireless devices: voip phones, cell phone, laptops, barcode scanners, and tablets.

Suppose there are all these website categories, which we have an SSID and Vlan assigned for user source addresses:

  • Internet (SSID-Internet, Vlan101)
  • Voice (SSID-Internet, Vlan102)
  • Accounting (SSID-Business, Vlan103)
  • HR (SSID-Business, Vlan104)
  • Inventory (SSID-Business, Vlan105)
  • Research (SSID-Business, Vlan106)
  • Quality Assurance (SSID-Business, Vlan107)
  • Manufacturing (SSID-Business, Vlan108)

Each of our users might need to use their Windows login to authenticate into the wireless network, but they should only have access to certain services. Some examples:

  • User1: Login using Windows credentials using VoIP phone to SSID-Voice, and can only access the Voice network from this phone
  • User1: Login using Windows credentials using Laptop to SSID-Business, and can only access the Accounting websites from his laptop
  • User1: Login using Windows credentials using cell phone to SSID-Internet and can only access the internet through a proxy.
  • User2: Login using Windows credentials using VoIP phone to SSID-Voice, and can only access the Voice network from his phone
  • User2: Login using Windows credentials using barcode scanner to SSID-Business and can only access the Inventory websites from his barcode scanner
  • User2: Login using Windows credentials using cell phone to SSID-Internet and can only access the internet through a proxy.

Every user should be able to login with their cell phone to SSID-Internet, and wifi phone to SSID-Voice. This seems easy enough if we use mac-address filtering. We will use a firewall to ensure users in the Vlans don't go outside their access limits.

The problem is that we don't want to create a lot of SSIDs, so the number of different Vlans for SSID-Business is hard. We want to assign users to several different Vlans when they login to SSID-Business. Can Cisco ISE & Cisco ACS do this? If so, what features do we need to use in Cisco ISE, Cisco ACS and the WLC? Can all these functions work if we only have one Windows username per user?

Our WLC is a 5508 running 7.4. We have Cisco ACS 5 and Cisco ISE 1.2.

Best Answer

If you don't need to confuse your users with multiple VLANs, don't do it. Leverage the tools you have. You mentioned you have ISE and you should be able to do all this with one SSID. As AdnanG already mentioned, you can utilize the profiling features of ISE to classify the devices.

Your ACS should be able to tie into the MS AD authentication and be able to provide user authentication and group information.

From there, you just need to combine the user/groups with the device profiles and then tie it to a VLAN. So, for instance, if the device is identified as a cell phone and the user is part of "group A", then they get put in the "group A - internet" VLAN.

I haven't done it personally with ISE, so can't give exact steps, but this is how Cisco marketing is selling ISE in the BYOD space. I also know of several people who have done similar setups to what is suggested. I would start by looking through this Cisco BYOD document that would give you a general overview of how BYOD is done with Cisco ISE.
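As an added illustration (not code from the question, the answer, or Cisco), the following models the authorization step the answer describes: an ordered policy table keyed on AD group, ISE device profile and SSID, which picks a VLAN and emits the IETF RADIUS attributes (64/65/81) that a Cisco WLC applies when "Allow AAA Override" is enabled on the WLAN. The AD group and device-profile names and the quarantine VLAN are assumptions; the VLAN IDs come from the question.

```python
# Added example: ISE-style authorization as a policy lookup producing the
# RADIUS attributes a Cisco WLC uses for dynamic VLAN assignment.
# Group names, profile names and VLAN 999 are assumed; VLANs 101-105 are from the question.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    username: str
    ad_groups: frozenset   # groups returned by the AD lookup (via ACS/ISE)
    device_profile: str    # result of ISE profiling, e.g. "Cisco-IP-Phone"
    ssid: str


# Rows are evaluated top to bottom; the first match wins.
# (required AD group or None for "any user", device profile, SSID, VLAN id)
POLICY = [
    (None,         "Cisco-IP-Phone",  "SSID-Voice",    102),
    (None,         "Smartphone",      "SSID-Internet", 101),
    ("Accounting", "Workstation",     "SSID-Business", 103),
    ("HR",         "Workstation",     "SSID-Business", 104),
    ("Inventory",  "Barcode-Scanner", "SSID-Business", 105),
]

QUARANTINE_VLAN = 999  # assumed isolated VLAN for sessions matching no rule


def choose_vlan(req: Request) -> int:
    """Return the VLAN for this user/device/SSID combination, failing closed."""
    for group, profile, ssid, vlan in POLICY:
        if req.ssid != ssid or req.device_profile != profile:
            continue
        if group is not None and group not in req.ad_groups:
            continue
        return vlan
    # No rule matched: send the session to an isolated VLAN rather than
    # letting the WLAN's default interface VLAN apply.
    return QUARANTINE_VLAN


def radius_attributes(req: Request) -> dict:
    """RADIUS Access-Accept attributes the WLC honours with AAA override on."""
    return {
        "Tunnel-Type": "VLAN",                              # attribute 64
        "Tunnel-Medium-Type": "IEEE-802",                   # attribute 65
        "Tunnel-Private-Group-ID": str(choose_vlan(req)),   # attribute 81
    }
```

The same Windows username therefore lands in different VLANs depending on the profiled device and SSID, which is the "one username, several VLANs" behaviour the question asks for.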