cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2385
Views
0
Helpful
4
Replies

AAA

Shivu b
Beginner
Beginner

Hello Team,

 

I m looking for an option  enable AAA Radius in ISE for NAD both switches and wireless controller.

Currently, Wireless clients authenticating in ISE Radius Server, calling station id is AP MAC address SSID

 

i added network device ( wireless controller ) in ISE NAD Group and created a Authentication policy login via AD user ID and Authorization policy but no Radius request hitting at ISE end.

Question here, should i make change in called station ID from AP MAC address SSID in Wireless controller ?  does it affect for wireless client users if i made change in Auth called station ID type ?

what Auth called station ID should i use to authenticate and Authorization for both wireless client and Wireless NAD via ISE Radius..

Thanks in advance .

 

1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

Sounds like you have a RADIUS configuration problem. See these guides for AAA configuration:

Wireless controllers offer many options for the RADIUS Called-Station-ID:

image.png

You said you are using AP MAC address:SSID which is a perfectly fine. It is your choice depending on how you might want to use this information in your ISE Authentication and Authorization policies. This allows you to match the SSID in your Authorization Policy to provide the appropriate level of access for that wireless service (Guest vs Corporate vs BYOD, etc.) with a rule like:

Status Rule Name Conditions Profiles Security Groups Hits Actions
Guest_Wireless
AND ⌸ RADIUS:Called-Station-ID ENDS_WITH Guest
⌸ Guest_Flow
Internet_Only Guest 0

 

If you then change your WLC's Called-Station-ID to something that did not end with :SSID then you affect your authorization policy matching with potentially bad affects.

 

 

 

 

View solution in original post

4 Replies 4

Arne Bier
VIP Advisor VIP Advisor
VIP Advisor

If you're not seeing any RADIUS traffic in ISE from the Wireless controller, then the problem could also be elsewhere. E.g. if you're WLAN is configured for 802.1X (or MAB or iPSK) then of course you have to specify your RADIUS servers.

1) Are the IP addresses of the RADIUS server correct? Can you ping ISE from the WLC CLI?

2) Are the RADIUS shared secrets matching on WLC and ISE?

3) What does your ISE LiveLog look like? No activity at all? Then I would run a tcpdump on that ISE node to see if anything is coming in.

 

The Called-Station ID is correct for your needs. The SSID is very useful in Authorization Policies if you need to go down to that granular level.

Clients are not affected by this change made at the RADIUS level (of course as long as the RADIUS flow still works as expected and completes as expected - but the format of individual attributes is not visible to the clients.)

Hello Arne,

 

you're WLAN is configured for 802.1X (or MAB or iPSK) then of course you have to specify your RADIUS servers. - WLAN is configured for 802.1X and wireless client able to authenticate sucessfully

 

 

1) Are the IP addresses of the RADIUS server correct? Can you ping ISE from the WLC CLI? - Yes  ISE Radius IP rechable

2) Are the RADIUS shared secrets matching on WLC and ISE? yes its matching

 

My question here, what calling station id should i set on Authentication and Authorization under Security to login into wireless controller via Radius ISE using AD credential,

 

already 802.1X client using AP MAC SSID Attriubuite. How do i achieve login into Wireless controller via AD account,

 

Since you are not seeing the Login authentication request from WLC on ISE, I believe that you have not checked the Management checkbox under the Radius authentication server.

Regarding the attribute that you can use as a condition in the authorization policy, use Radius·Service-Type EQUALS Outbound along with WLC IP address and login user AD group membership instead of using the calling station ID attribute.

 

Now you can create 3 different “Authorization Profiles” under “Policy->Policy Elements -> Results” section with different RADIUS attribute values:

For full administrative access you have to choose”Service-Type” Radius Attribute setting to “Administrative“.

For the Read-Only user, this setting should be set to “NAS-prompt”

For Lobby Ambassador it should be set to “Callback Administrative ”

 

 

 

thomas
Cisco Employee
Cisco Employee

Sounds like you have a RADIUS configuration problem. See these guides for AAA configuration:

Wireless controllers offer many options for the RADIUS Called-Station-ID:

image.png

You said you are using AP MAC address:SSID which is a perfectly fine. It is your choice depending on how you might want to use this information in your ISE Authentication and Authorization policies. This allows you to match the SSID in your Authorization Policy to provide the appropriate level of access for that wireless service (Guest vs Corporate vs BYOD, etc.) with a rule like:

Status Rule Name Conditions Profiles Security Groups Hits Actions
Guest_Wireless
AND ⌸ RADIUS:Called-Station-ID ENDS_WITH Guest
⌸ Guest_Flow
Internet_Only Guest 0

 

If you then change your WLC's Called-Station-ID to something that did not end with :SSID then you affect your authorization policy matching with potentially bad affects.

 

 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: