ISE with WLC AND switches

Sheraz.Salim
VIP Alumni

Hi,

We are running 3x WLC controllers with 800 APs, using ISE 1.2 for wireless 802.1x authentication. I was looking into the config for ISE and noticed that out of 400 edge switches only 2x 2960S are configured with 802.1x (ISE config RADIUS and SNMP), and only on 2 of the ports are there 2 APs attached to switch ports; the remaining entries are the 3x WLC in Network Devices.

I do not understand how one AP is doing this job (802.1x), as it is located in a different location and people are connecting from various different locations. ISE is running/doing almost 11,876 profiled endpoints.

version 12.2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fokm$lesIWAaceFFs.SpNdJi7t.
!
username test-radius password 7 07233544471A1C5445415F
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
!
!
aaa server radius dynamic-author
 client 10.178.5.152 server-key 7 151E1F040D392E
 client 10.178.5.153 server-key 7 060A1B29455D0C
!
aaa session-id common
switch 1 provision ws-c2960s-48fps-l
authentication critical recovery delay 1000
!
!
ip dhcp snooping vlan 29,320,401
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip device tracking
!
epm logging
!
crypto pki trustpoint TP-self-signed-364377856
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-364377856
 revocation-check none
 rsakeypair TP-self-signed-364377856
!
!
crypto pki certificate chain TP-self-signed-364377856
 certificate self-signed 01
        quit
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery cause psp
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/10
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 

interface GigabitEthernet1/0/16
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 
interface GigabitEthernet1/0/24
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 
!
interface GigabitEthernet1/0/33
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 
interface GigabitEthernet1/0/34
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/44
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable

!
interface GigabitEthernet1/0/46
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable

interface GigabitEthernet1/0/48
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/49
 description Link-to-GH
 switchport trunk allowed vlan 1,2,320,350,351,401
 switchport mode trunk
 mls qos trust dscp
 ip dhcp snooping trust
!

interface GigabitEthernet1/0/52
 description Link-to-CORE1
 switchport trunk allowed vlan 1,2,29,277,278,314,320,401
 switchport mode trunk
 mls qos trust dscp
 ip dhcp snooping trust
!
!
interface Vlan320
 ip address 10.178.61.5 255.255.255.128
 no ip route-cache cef
 no ip route-cache
!
ip default-gateway 10.178.61.1
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
!
ip access-list extended ACL-AGENT-REDIRECT
 deny   udp any any eq domain bootps
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 10.178.5.152 eq 8443
 permit tcp any host 10.178.5.152 eq 8905
 permit udp any host 10.178.5.152 eq 8905
 permit tcp any host 10.178.5.152 eq 8906
 permit udp any host 10.178.5.152 eq 8906
 permit tcp any host 10.178.5.152 eq 8909
 permit udp any host 10.178.5.152 eq 8909
 permit tcp any host 10.178.5.153 eq 8443
 permit tcp any host 10.178.5.153 eq 8905
 permit udp any host 10.178.5.153 eq 8905
 permit tcp any host 10.178.5.153 eq 8906
 permit udp any host 10.178.5.153 eq 8906
 permit tcp any host 10.178.5.153 eq 8909
 permit udp any host 10.178.5.153 eq 8909
 deny   ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   ip any host 10.178.5.152
 deny   ip any host 10.178.5.153
 permit tcp any any eq www
 permit tcp any any eq 443

ip radius source-interface Vlan320
logging esm config
logging trap alerts
logging origin-id ip
logging source-interface Vlan320
logging 192.168.6.31
logging host 10.178.5.150 transport udp port 20514
logging host 10.178.5.151 transport udp port 20514
access-list 10 permit 10.178.5.117
access-list 10 permit 10.178.61.100
snmp-server engineID local 800000090300000A8AF5F181
snmp-server community W143L355 RO
snmp-server community w143l355 RW
snmp-server community lthpublic RO
snmp-server community lthise RO
snmp-server trap-source Vlan320
snmp-server source-interface informs Vlan320
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps cluster
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 10.178.5.152 version 2c lthise  mac-notification
snmp-server host 10.178.5.153 version 2c lthise  mac-notification
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-radius key 7 03084F030F1C24
radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-radius key 7 141B060305172F
radius-server vsa send accounting
radius-server vsa send authentication

Any help would be really appreciated.

Please do not forget to rate.
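As an added example (not from this post, and not Cisco's own tooling), a small Python audit that answers the poster's first question programmatically: given a saved running-config, which access ports actually have 802.1x/MAB enabled, and whether the `authentication open` plus permit-all `ACL-ALLOW` pattern shown above leaves them in monitor mode, where a failed dot1x/MAB session is never actually restricted. The sample config is constructed from the interface stanzas above and the parser assumes the usual indented IOS stanza layout.

```python
# Constructed sample in the style of the posted 2960S config: a permit-all pre-auth ACL,
# a restrictive ACL, one port configured like Gi1/0/34 and one port with no 802.1x at all.
SAMPLE_CONFIG = """\
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-DEFAULT
 deny   ip any any
!
interface GigabitEthernet1/0/34
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event server dead action authorize
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/35
 switchport mode access
!
"""

def parse_blocks(config):
    """Split an IOS running-config into stanzas: header line -> list of indented sub-lines."""
    blocks, header = {}, None
    for line in config.splitlines():
        if not line or line.startswith("!"):
            header = None
        elif line.startswith(" ") and header is not None:
            blocks[header].append(line.strip())
        else:
            header = line.strip()
            blocks.setdefault(header, [])
    return blocks
def audit_port(lines, acls):
    """Classify an access port: open (no 802.1x/MAB), monitor (configured, nothing
    enforced) or enforced; also flag fail-open when the RADIUS servers are dead."""
    cfg = set(lines)
    if "authentication port-control auto" not in cfg:
        return {"mode": "open", "fail_open": False}
    # 'authentication open' admits traffic before any auth result; if the pre-auth
    # ACL is absent or permit-all, a failed dot1x/MAB session is never restricted.
    acl = next((l.split()[2] for l in lines if l.startswith("ip access-group ")), None)
    permit_all = acl is not None and "permit ip any any" in acls.get(acl, [])
    mode = "monitor" if "authentication open" in cfg and (acl is None or permit_all) else "enforced"
    return {"mode": mode, "fail_open": "authentication event server dead action authorize" in cfg}
def audit_config(config):
    """Return {interface name: audit result} for every access port in the config."""
    blocks = parse_blocks(config)
    acls = {h.split()[-1]: v for h, v in blocks.items() if h.startswith("ip access-list ")}
    return {h.split()[1]: audit_port(v, acls) for h, v in blocks.items()
            if h.startswith("interface ") and "switchport mode access" in v}
```

Running `audit_config` over the real running-config of each edge switch gives the per-port inventory the poster was looking for in ISE, and the `monitor`/`fail_open` flags show where the posted port template enforces nothing.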
Accepted Solution

Marvin Rhoads
Hall of Fame

I'm not sure I completely understand the question; but if ISE is only doing wireless policies, then none of the wired switches need any ISE configuration.

The APs tunnel all the wireless traffic back to the WLC over CAPWAP (unless you're using FlexConnect). It's the 802.1x configuration on the WLC that implements the policies defined in ISE.

The wired switches never need to act as a Network Access Device (NAD) and thus do not need to be defined in ISE unless or until you want to implement ISE policies for wired devices.

6 Replies


Hi Marvin.

Thank you very much for your response. We are not using FlexConnect on the APs.

I am curious to understand: is it possible that only one AP out of 800 APs is doing the 802.1x authentication of all the end clients in different locations? Is that possible, or am I missing something else here?

Your answer would be highly appreciated.

Thanks in advance.

Please do not forget to rate.

You're welcome.

The 802.1x authentication is not done by the AP(s) - they only pass it back to the WLC where it is done (or not) according to the authentication configuration settings for the SSIDs.

All APs (or AP groups) that have those SSIDs associated with them should be passing the traffic back for the WLC to handle 802.1x authentication in conjunction with your ISE deployment.

Thanks Marvin.

Just one last question to clarify for myself. I do agree the WLC does the authentication on the SSID, where we define the RADIUS server IP address.

I do understand what you said, but can one AP do this? As I see it, in my organization only one AP is configured with this switch (in the ISE Device Groups).

So my understanding is one AP is configured with these settings:

interface GigabitEthernet1/0/34
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable

Is that right? But you mentioned the WLC does all the authentication, so there is no need for the above settings on this interface where the AP is connected to this port.

If the WLC does all the authentication, then the above settings don't need to be on the AP interface, right?

I am sorry if I am asking too many questions.

I do really appreciate your input.

Please do not forget to rate.

Those settings are not needed for the wireless clients.

You may choose to still authenticate the AP itself as a device. I suspect if you check the authentication status of that interface, it is using MAB for the AP.

show authentication sessions interface gi1/0/34 detail

...will tell us.

Thank you very much.

Please do not forget to rate.