ISE 1.2 With WLC and AD

ddindevanis — Wed, 13 Mar 2019 00:44:51 GMT

Hi everyone,

What is the steps and Procedure implement Wired and wireless authentication with ISE, WLC and AD for a LAB environment. currently the following are done.

The wireless network is configured with 2 SSID (Staff and Guest)

Active Directory, DNS, DHCP, and NTP configured & synced.

ISE and AD running on C220 VMs, and WLC is 5760 Appliance.

Please provide your thoughts and assistance.

Regards

Hello,I supposed you have

fogemarttt — Wed, 12 Nov 2014 11:06:19 GMT

Hello,

I supposed you have done communication between your NAD devices and ISE (Wired Switch and WLC).

If done, that means for classification you have created two groups (wired and wireless)

administration -->network resources-->network devices group-->group-->all devices Types.

now go to the policy -->authentications and if you want modify the defaults.

wireless MAB, Wired MAB, ect.

You can check the default authentication protocols (Default Network Access) and customize or modify it to use EAP-FAST, EAP-MD5, LEAP and so on.

After authentication, you can then define authorization.

I have made the reachability

ddindevanis — Wed, 12 Nov 2014 11:15:51 GMT

I have made the reachability AD, WLC,ISE and 3850 SW, Appreciate if you can brief/send me the full steps to implement this solution.

Regards

You have to implement dot1x

fogemarttt — Wed, 12 Nov 2014 12:11:55 GMT

You have to implement dot1x and radius between your NAD and ISE device.

Using the switch 3850, that are the steps:

!
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!
!
!this password will be used to communicate with ISE and to verify reachability
!between ISE and Switch
aaa server radius dynamic-author
client 172.16.1.18 server-key 7 radiuskey
client 172.16.1.20 server-key 7 radiuskey
!
ip domain-name lab.local
ip name-server 172.16.1.1
!
dot1x system-auth-control
!

!
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 50
switchport access vlan 10
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
!
ip access-list extended ACL-ALLOW
permit ip any any
!
!
!the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
!
!
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
!
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
!defining ISE servers
!
radius server ISE-RADIUS-1
address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
automate-tester username RADIUS-HEALTH idle-time 15
key radiusKey
!

Please be sure that NTP servers and time are synchronized.

enable dot1X on windows machine, or using cisco NAM.

you can enable debugging on aaa authentication to see the events.

you have to create this user on ISE (RADIUS-HEALTH).

3850#test aaa group radius username password new-code

and observe the result. You are supposed to have user authenticated successfully.

You Must also have define these device in ISE on the radius interface.

ip radius source-interface ..... use this interface ip address to define Ip address of the NAD device in ISE.

administration-->network resources -->Network Devices-->Add

input the name

input the Ip address for radius communication

select the authentication settings and field the corresponding shared secret radius key

select snmp settings and select version 2c.

snmp community : ciscoro

you can customize the polling interval if you want and that all.

you are supposed to received message communication between your NAD and ISE.

After you can do the procedure for WLC device.

I will fill it after you have passed the first steps (3850 authentication).

Thank you fogemarttt , I will

ddindevanis — Thu, 13 Nov 2014 05:19:00 GMT

Thank you fogemarttt , I will follow the same and update you soon.

I have attached screenshots

Venkatesh Attuluri — Mon, 17 Nov 2014 08:45:00 GMT