10-31-2017 08:40 AM - edited 02-21-2020 10:37 AM
Hi,
I'm new to ISE and right now I was given a working ISE 1.4 only used for WIFI.
Right now, switch authentication is done via a Cisco ACS (RADIUS, no TACACS+). We are talking about authentication for managing switches, not 802.1X on access ports.
We want to migrate this management authentication to the ISE. So, the ISE will serve both WiFi and switch authentication.
I'm looking for a tutorial or some documentation for this. I'm interested in AuthC and AuthZ policies... I'm not sure how to mix all this with the existing WiFi policies.
I found some documents but nothing complete.
Thanks
10-31-2017 03:58 PM
There are quite a few sources of information on the web. I would recommend www.labminutes.com
But most importantly, create a lab for yourself to play around with this stuff. Really. That is the best teacher. Here would be my recommendation:
Build an ISE 1.4 VM (4GB RAM, 2vCPU, 200GB HDD should do it) - restore your prod backup config in the lab so that you have the existing Policy Set to start off with.
Then, the killer ingredient - install radtest from FreeRADIUS Utilities on a Linux install. E.g. if you have a CentOS/Fedora setup then simply type yum install freeradius-utils
Add your CentOS as a RADIUS client to ISE and off you go! Now you can test ANYTHING. Prototyping will become really fun and easy - and by the time you deploy this in prod you'll have a much more confident feeling that things will work.
You can look at my blog series on free lab testing tools in the Cisco ISE Community Forums - it's three parts but Part 1 is probably the one you need to get started.
Below is an example of a radtest from my lab
$ echo "User-Name = '03:20:00:00:00:02',User-Password = '03:20:00:00:00:02',Calling-Station-ID='03:00:00:00:00:02',NAS-IP-Address = 10.224.19.121,NAS-Port-Type = 19,Service-Type=10"| /usr/bin/radclient -x 10.224.19.121:1812 auth MyPassword!
Sent Access-Request Id 215 from 0.0.0.0:41383 to 10.224.19.121:1812 length 110
User-Name = "03:20:00:00:00:02"
User-Password = "03:20:00:00:00:02"
Calling-Station-Id = "03:00:00:00:00:02"
NAS-IP-Address = 10.224.19.121
NAS-Port-Type = Wireless-802.11
Service-Type = Call-Check
Cleartext-Password = "03:20:00:00:00:02"
Received Access-Accept Id 215 from 10.224.19.121:1812 to 0.0.0.0:0 length 262
User-Name = "03-00-00-00-00-02"
State = 0x52656175746853657373696f6e3a30616530313337395f7263654370785156497a687150324b7658473861766c70476a5147654d3334525735465a4978726e5873
Class = 0x434143533a30616530313337395f7263654370785156497a687150324b7658473861766c70476a5147654d3334525735465a4978726e58733a73636f383833346973653630322f3239383130303036382f3130
Session-Timeout = 28800
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = "18"
Cisco-AVPair = "profile-name=Unknown"
Airespace-ACL-Name = "GUEST_ACCEPT"
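To see what radclient puts on the wire for the switch-management case the question is about, here is an added example (my own code, not the poster's and not part of this thread): a minimal RADIUS PAP client that builds an Access-Request with Service-Type=Login and NAS-Port-Type=Virtual (what an IOS switch sends for an SSH/telnet login), checks the Response Authenticator against the shared secret, and decodes Cisco-AVPair VSAs such as shell:priv-lvl=15 in the Access-Accept. The server address, shared secret, NAS IP and credentials are placeholders you substitute with your lab values.

```python
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, SERVICE_LOGIN, PORT_VIRTUAL = 1, 2, 1, 5  # Login over a VTY, not 802.1X
# RFC 2865 attribute numbers; 26 = Vendor-Specific (Cisco vendor id 9)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VSA, NAS_PORT_TYPE = 1, 2, 4, 6, 26, 61

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request for a switch management login; returns (packet, request authenticator)."""
    auth = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, encrypt_password(password.encode(), secret, auth))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_LOGIN))
             + avp(NAS_PORT_TYPE, struct.pack("!I", PORT_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def parse_attributes(packet):
    """(type, value) pairs from a reply; Cisco VSAs unwrapped so 'shell:priv-lvl=15' is readable."""
    pos, out = 20, []
    while pos + 2 <= len(packet):
        t, length = packet[pos], max(packet[pos + 1], 2)  # never loop on a malformed length
        value = packet[pos + 2:pos + length]
        if t == VSA and value[:4] == b"\x00\x00\x00\x09" and len(value) >= 6:
            name = "Cisco-AVPair" if value[4] == 1 else f"Cisco-{value[4]}"
            out.append((name, value[6:4 + value[5]].decode(errors="replace")))
        else:
            out.append((t, value))
        pos += length
    return out

def verify_response(resp, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest() == resp[4:20]

def radius_login(server, secret, username, password, nas_ip, timeout=3):
    """One request to UDP/1812; accepted only if the reply authenticates under the secret."""
    pkt, auth = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)  # socket.timeout if ISE does not list this host as a network device
        s.sendto(pkt, (server, 1812))
        resp = s.recv(4096)
    accepted = resp[0] == ACCESS_ACCEPT and verify_response(resp, auth, secret)
    return accepted, parse_attributes(resp)
```

Call it as radius_login("ISE_IP_PLACEHOLDER", b"SHARED_SECRET_PLACEHOLDER", "admin", "password", "10.224.19.121"); a reply that fails verify_response almost always means the shared secret on ISE does not match the one here.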
11-01-2017 04:48 AM
Wow! Thank you!
01-09-2018 07:23 PM - edited 01-09-2018 07:24 PM
Hi,
How did you create your AuthC and AuthZ policy for switch management on ISE? I would also like to use our ISE as the authentication server for switches, but not for access ports.
thanks!