topic Hi, in Network Access Control

CIsco ISE wireless 802.1X with windows, android and IOS clients

Davion Stewart — Mon, 11 Mar 2019 07:48:43 GMT

Good day,

I need to configure Cisco ISE version 2.2 for 802.1X authentication. We are using WLC 5520 with version 8.2.150.

We want to use PEAP authentication and at the moment trying to use a single SSID.

Aside from the certificate on the server side, what is required to configure this?

Hi

Francesco Molino — Tue, 27 Jun 2017 06:45:38 GMT

802.1x and PEAP means you gonna allow only user/password authentication.

On the WLC:

- you'll need to setup your ISE server as radius on the authentication and accounting menu located under security wlc page.

- on your SSID, you need to setup dot1x authentication and under security tab, select your radius server as username database.

On ISE:

- you'll need to create your wlc as network device.

- join your ISE to your ad server.

- create an authentication policy allowing only PEAP as this is what you want right now.

- create an authorization policy saying that if the user is coming from a particular ssid (wlan id) and coming from a particular ad group (or ask users default AD group), they'll get s permit.

This is the simple authentication method.

Hope that's clear.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hi,

Davion Stewart — Tue, 27 Jun 2017 16:20:00 GMT

Hi,

Thanks for your reply.

I believe i configured it as you said. But im getting the following error on ISE when trying to connect to the SSID:

ISE has not been able to confirm previous successful machine authentication.

Did some research and saw that this could be because of machine access restriction enabled on the AD settings. I disabled but still unable to connect.

I am hitting the Default policy which is to Deny Access

For my authorization policy, i am matching based on the Called-Station-ID Equaling the SSID and the AD Group that the user is in.

Hi

Francesco Molino — Tue, 27 Jun 2017 17:00:28 GMT

Can you paste some screenshots of your authorization policies please?

We see that you're hitting the deny access.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hi Francesco,

Davion Stewart — Tue, 27 Jun 2017 19:13:19 GMT

Hi Francesco,

I was able to resolve it. Instead of using Radius:Called-Station-Id to specify the SSID name, im using the Airespace-Wlan-Id to match. Im now able to connect to the SSID fine.

Now that this hurdle has been passed 🙂 i have another question.

This SSID will be used by both Corporate users and Contractors.

The Authorization rules will be setup to match the users based on the AD group that they are in.

The Corporate users will get full access while the Corporate users will only get access based on what services they require.

When the contractor users connect, i am pushing them to a different VLAN using the Authorization Profile.

My question is, in terms of controlling what the contractors have access to, what would be the best way to do it?

I can apply an Airspace ACL in the Authorization Profile as well but then if a different contractor comes in then i will have to continuously adjust the ACL.

I was thinking about controlling it from AD using different AD groups but the Microsoft Admin indicated that they can control access to the servers but not to the network.

Hi

Francesco Molino — Tue, 27 Jun 2017 20:57:32 GMT

That's why i asked screenshot to see the real method you were using.

I don't know if you already did it but I recommend you setting ISE with policy-set. That allows you to have different authentication and authorization rules based on per ssid basis or whatever (it's a filter you apply).

I don't know how many contractors type you have but you can define a global acl and apply it through ISE authorization profile ( just a reminder the acl must be created on wlc before and the name setup on ISE must be the exact name).

There is another way that's called Trustsec SGT. You will assign a specific tag to each frame and will allow you to build rules based on that tag. To explain it as simply as I can, based on a AD group, you assign a tag and all your acls address based on this tag.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hi,

Davion Stewart — Wed, 28 Jun 2017 18:48:59 GMT

Hi,

Yup i enabled Policy Sets on the ISE already.

TrustSec we may do later down :).

I will find the best way to make the global ACL work.

Thanks so much for all your help.

I have a problem with the iPhones getting to the HotSpot Captive Portal. Going to create a new post concerning that now.

Thanks again