Cisco Wireless Controller authentication with ISE for both wireless users and device admin

josephqiu (Level 1)
We deployed a Cisco WLC and currently use ISE/RADIUS to authenticate wireless users for network access. This is in a good working state right now. What I'm trying to do is enable TACACS on the WLC and authenticate admin users for management access using the same ISE server. Is this possible at all? The reason I'm asking is that the WLC is already using a policy for RADIUS/EAP. How can I differentiate the WLC and match the TACACS request from the same WLC management IP and apply a different policy? Thanks
2 Accepted Solutions

RaffyLindogan (Spotlight)

Hi mate,

TACACS and RADIUS configuration on ISE and the WLC are two separate things.
When traffic reaches ISE, it knows whether it is TACACS or RADIUS, and you can have separate conditions for them in the policy sets.

So you don't have to worry about messing up your existing RADIUS configuration.

On ISE, when you click on the WLC, there is a section for RADIUS Authentication Settings and one for TACACS Authentication Settings.

Same on the actual WLC config as well.

Cheers,

Raffy

Here are 2 good links that you can use as reference:

 https://networkproguide.com/how-to-configure-cisco-wlc-tacacs-cisco-ise-2-4/

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId--2121451074


As Raffy said, the configuration for RADIUS and TACACS is completely separate.

Policy -> Policy Sets is the RADIUS side of ISE.

Work Centers -> Device Administration -> Device Admin Policy Sets is the TACACS side.

Also, as a best practice, you should split your wireless policy sets into use cases based on SSID. You can use the RADIUS Called-Station-ID attribute sent by the WLC to tell which SSID the user is connecting to, and write different policy sets based on that.

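The two decision points in the answers above (protocol first, then SSID from Called-Station-Id for RADIUS) can be modelled in a few lines. The block below is an added example written for this page; it is not ISE or WLC code. It assumes the AireOS default Called-Station-Id format (dash-separated AP MAC, a colon, then the SSID) and uses made-up policy-set names and a made-up WLC management IP; both requests come from that same IP to show that the IP plays no part in the split.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Cisco WLC (AireOS) default Called-Station-Id: AP radio MAC with '-' separators,
# then ':' and the SSID, e.g. "00-1a-2b-3c-4d-5e:Corp-WiFi".  Assumption: the
# WLC's callStationIdType has been left at that default.  Because the MAC part
# contains no ':', the first ':' is an unambiguous delimiter even if the SSID
# itself contains one.
_CSID_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})(?::(?P<ssid>.+))?$"
)


@dataclass(frozen=True)
class AAARequest:
    """One inbound AAA request as ISE would see it (constructed, simplified)."""
    protocol: str                            # "RADIUS" (UDP/1812) or "TACACS" (TCP/49)
    nas_ip: str                              # network device the request came from
    called_station_id: Optional[str] = None  # RADIUS attribute 30, if present
    service: Optional[str] = None            # TACACS+ service, e.g. "shell"


def parse_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Split a WLC Called-Station-Id into (ap_mac, ssid).

    ssid is None when the WLC sends only the bare AP MAC.  Anything that does not
    look like an AP MAC (with optional SSID suffix) is rejected rather than
    silently mapped to a policy set.
    """
    m = _CSID_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return m.group("mac").lower(), m.group("ssid")


# Hypothetical policy-set names; the real names live in your ISE deployment.
DEVICE_ADMIN_SET = "DeviceAdmin-WLC"
WIRELESS_SETS = {
    "Corp-WiFi": "Wireless-Corp-8021X",
    "Guest": "Wireless-Guest-CWA",
}
DEFAULT_SET = "Default"


def select_policy_set(req: AAARequest) -> str:
    """Pick a policy set the way the thread describes ISE doing it.

    1. Protocol first: TACACS+ goes to Device Admin policy sets, RADIUS to
       network-access policy sets.  The source IP is not consulted for this.
    2. For RADIUS, the SSID in Called-Station-Id selects the wireless set
       (the equivalent of an ISE condition such as
       "Radius:Called-Station-ID ENDS_WITH :Corp-WiFi").
    """
    proto = req.protocol.upper()
    if proto == "TACACS":
        return DEVICE_ADMIN_SET
    if proto != "RADIUS":
        raise ValueError(f"unknown AAA protocol {req.protocol!r}")
    if req.called_station_id is None:
        return DEFAULT_SET
    _, ssid = parse_called_station_id(req.called_station_id)
    if ssid is None:
        return DEFAULT_SET
    return WIRELESS_SETS.get(ssid, DEFAULT_SET)


def demo() -> dict:
    """Constructed requests, all arriving from the same WLC management IP."""
    wlc = "10.10.10.5"  # made-up WLC management address
    reqs = {
        "admin_ssh":    AAARequest("TACACS", wlc, service="shell"),
        "corp_user":    AAARequest("RADIUS", wlc, "00-1A-2B-3C-4D-5E:Corp-WiFi"),
        "guest_user":   AAARequest("RADIUS", wlc, "00-1a-2b-3c-4d-5e:Guest"),
        "unknown_ssid": AAARequest("RADIUS", wlc, "00-1a-2b-3c-4d-5e:Lab"),
        "bare_mac":     AAARequest("RADIUS", wlc, "00-1a-2b-3c-4d-5e"),
    }
    return {name: select_policy_set(r) for name, r in reqs.items()}


if __name__ == "__main__":
    for name, policy_set in demo().items():
        print(f"{name:>12} -> {policy_set}")
```

The "bare_mac" and "unknown_ssid" cases are the ones worth checking in a real deployment: if an SSID is renamed or the WLC's Called-Station-Id type is changed, requests quietly fall through to the default policy set instead of the one you intended, so a catch-all set that denies or logs is safer than one that permits.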

4 Replies


Thank you Paul. Yes, that’s what I’m doing with the wireless auth policy. Much appreciated.

Thank you for your reply. Looks like I worried too much. :)