ISE 1.2 With WLC and AD

ddindevanis
Level 1

Hi everyone,

 

What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a lab environment? Currently the following are done.

The wireless network is configured with 2 SSIDs (Staff and Guest).

Active Directory, DNS, DHCP, and NTP configured & synced.

ISE and AD running on C220 VMs, and WLC is 5760 Appliance.

 

Please provide your thoughts and assistance.

Regards

5 Replies

fogemarttt
Level 1

Hello,

I suppose you have set up communication between your NAD devices (wired switch and WLC) and ISE.

If so, that means for classification you have created two groups (wired and wireless):

Administration --> Network Resources --> Network Device Groups --> Groups --> All Device Types.

 

Now go to Policy --> Authentication and, if you want, modify the defaults:

Wireless MAB, Wired MAB, etc.

You can check the default authentication protocols (Default Network Access) and customize or modify them to use EAP-FAST, EAP-MD5, LEAP and so on.

 

After authentication, you can then define authorization.

I have established reachability between AD, WLC, ISE and the 3850 switch. I would appreciate it if you could brief me on, or send me, the full steps to implement this solution.

Regards

 

You have to implement dot1x and RADIUS between your NAD and the ISE device.

 

Using the 3850 switch, these are the steps:

!
! Local account used by the RADIUS automate-tester probe further down; the same
! username (RADIUS-HEALTH) must also be created on ISE.
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!
! Change of Authorization (CoA) clients: the ISE nodes allowed to push
! re-authorization to the switch. This key is used to communicate with ISE
! and to verify reachability between ISE and the switch; it must match the
! shared secret under "radius server" below. Enter it in clear text: the
! "7" keyword expects an already-encrypted string, not the secret itself.
aaa server radius dynamic-author
 client 172.16.1.18 server-key radiusKey
 client 172.16.1.20 server-key radiusKey
!
ip domain-name lab.local
ip name-server 172.16.1.1
!
dot1x system-auth-control
!
! Access port in open (monitor) mode: traffic is forwarded before
! authentication completes. Suitable for a lab pilot, not for enforcement.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 50
 switchport access vlan 10
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Pre-authentication ACL; permits everything, again for monitor mode only.
ip access-list extended ACL-ALLOW
 permit ip any any
!
! RADIUS and syslog traffic to ISE is sourced from this interface; its IP
! address is the one to register as the NAD address in ISE.
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
!
! SNMP read-only access for ISE. "public" is a well-known default
! community; keep only the community you register in ISE.
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
! Defining ISE servers
!
radius server ISE-RADIUS-1
 address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
 automate-tester username RADIUS-HEALTH idle-time 15
 key radiusKey
!

Please be sure that NTP servers and time are synchronized. 

Enable dot1x on the Windows machine, or use Cisco NAM.

You can enable debugging on AAA authentication to see the events.

You have to create this user (RADIUS-HEALTH) on ISE.

 

3850#test aaa group radius <username> <password> new-code

and observe the result. The user should authenticate successfully.

You must also define these devices in ISE on the RADIUS side.

ip radius source-interface ..... use this interface's IP address as the IP address of the NAD device in ISE.

Administration --> Network Resources --> Network Devices --> Add

Input the name.

Input the IP address used for RADIUS communication.

Select the authentication settings and fill in the corresponding RADIUS shared secret.

Select the SNMP settings and select version 2c.

SNMP community: ciscoro

You can customize the polling interval if you want, and that's all.

 

You should see messages showing communication between your NAD and ISE.

Afterwards you can do the procedure for the WLC device.

I will fill it in after you have passed the first steps (3850 authentication).

 

 

 

Thank you fogemarttt, I will follow the same and update you soon.

I have attached screenshots of the authentication and authorization policies for dual-SSID onboarding.