Configure cisco ISE for Cisco Access Points

Let’s say you have been asked to configure ISE to allow secured network access for Cisco Wireless Access Points.

To do so you should :

· Enable the ISE endpoint profile for Cisco Access Points

· Configure an Authorization Profile and Authorization Policy rule for Cisco Access Points

· Review the access switch configuration to authorize an access point using MAC Authentication Bypass (MAB).

· Verify proper authorization of a Cisco Access Point based on ISE policy


Login to ISE


The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.

Configure the Profiler Policy to assign endpoints matching a Cisco Access Point profile to an Identity Group  called  “Cisco-Access-Points” Caldo.

Navigate to Policy > Profiling and select Cisco-Access-Point from the list of Endpoint Policies, verify that the policy is enabled (Policy Enabled checkbox is checked) and check the option Create Matching Identity Group.

Do not forget to save Sorriso otherwise it will not work Occhiolino

Now define an Authorization Profile for Cisco Access Points.

Navigate to Policy > Policy Elements > Results and double-click Authorization to expand its contents.

Select Authorization Profiles from the left-hand pane and click Add from the right-hand pane and enter the values for the Authorization Profile as shown below:

Attribute Value
Name Cisco_Access_Points
Description Permit access to Cisco Access Points
Common Tasks
VLAN 90 (or 1:90)

The resultant Attribute Details should appear at the bottom of the page as the following:


Tunnel-Private-Group-ID = 1:90

Tunnel-Type = 1:13

Tunnel-Medium-Type = 1:6


finally click Submit to apply your changes.

Now we should configure a new Authorization Policy rule to assign the new Cisco_Access_Points profile to endpoints that match the Identity Group named Cisco-Access-Point.

To do so go to Policy > Authorization and insert a new rule below the Profiled Cisco IP Phones rule as shown in the policy table below. Use the clip_image006 selector at the end of a rule entry to insert or duplicate rules.

Enter the following values for a new rule named Profiled Cisco Access Points:

Status Rule Name Identity Groups Other Conditions Permissions
clip_image002[4] Profiled Cisco IP Phones Cisco-IP-Phone Cisco_IP_Phones
clip_image002[5] Profiled Cisco Access Points Cisco-Access-Point Cisco_Access_Points


Don’t forget to  Save when finished making policy updates.

Hint: Verify proper authorization of the wireless access point.

check the status of the port, eventually give the No Shut command in the configuration mode for the selected interface.

check the auth status with:

cisco-access# show authentication sessions interface gi0/x


cisco-access(config-if)# do sh auth sess int gi0/x

keep in mind you could need a few minutes to allow the result to be shown (between bootstraps and stuffs…)

To display the current dACL applied to the interface using the command show ip access-lists interface GigabitEthernet 0/3. The output should appear similar to the following:

cisco-access(config-if)# do sh ip access-list int gi0/3

permit ip host any


To verify the Cisco Wireless Access Point authentication in the ISE go to Monitor > Authentications log:

S Username Endpoint ID IP Address NAD Device Port AuthZ
Identity Group Event
#ACSACL#-IP-PERMIT_ALL_TRAFFIC 3k-access Authorize Only DACL Download
nn:nn:nn:nn:nn:nn nn:nn:nn:nn:nn:nn 3k-access Gi0/3 Cisco_Access_Points Cisco-Access-Point Auth Succeeded

Note: The access point periodically attempts to renew its IP address if no network connectivity. The default port ACL on the switch allows access to DHCP services, so the access point initially receives an IP address in the default access VLAN 10 ( Once authorized for VLAN 90, the access point will renew its IP address in the new VLAN (
The authentication event in the above log reflects the IP address learned at the time of authentication. The access list applied to this session reflects the final endpoint IP address using variable substitution of the “any” value in the dACL’s source IP address.

To the official site of Related Posts via Taxonomies.

CC BY-NC-SA 4.0 Configure cisco ISE for Cisco Access Points by The Puchi Herald Magazine is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.