Wireless AP authentication using an ISE as a AAA server

martaylor
Level 1

Hi

On a WLAN network for one of our customers we only allow APs to connect if they authorise against a AAA RADIUS server using the MAC address of the AP Ethernet interface as the username and password. Currently we do this using an ACS as the AAA RADIUS server.

We have a company-wide password policy that won't change, which states that all passwords need to be alphanumeric.

Some new APs that have been delivered and installed have a MAC address that is numeric only.

We also have an ISE for WLAN user authentication & authorisation.

Has anyone set up the ISE to act as the AAA RADIUS server for AP authorisation, and if so do you have any examples of the config used on the ISE?

Could you also let me know what ISE licenses are needed to allow an AP to authenticate against an ISE?

Thanks

Martyn

2 Replies

ajc
Level 7

I am assuming that you have all the MAC addresses of the APs stored locally on the ACS DB and you are using MAB authentication, so in order to do the same thing on ISE, see the attached document.

1.-Create an Endpoint Group (administration --- > identity management --- > groups)

2.-Add an entry into that Endpoint Group and export the entire file (administration --- > identity management --- > identities)

3.-Export the file and fill it with the ACS information using copy and paste values only (not manually because the format can be changed) including the Endpoint Group.

4.-Import the file back with all the APs' MAC addresses into ISE (administration --- > identity management --- > identities). Now you have all the APs' MAC addresses in the ISE DB.

5.-Create a condition for MAB authentication (policy -- > condition --- > authentication ---> simple condition --- > add --- > put a name for the condition and select ATTRIBUTE = Radius:Service-type, operator = equals, value = call-check).

Important: ON THE WLC, security --- > radius --- > authentication & accounting --- > AUTH CALLED STATION ID Type = AP Eth MAC Address:SSID or AP Eth MAC Address.

6.-Create a RESULT for the Authentication process (policy --- > policy element ---> results -- > authentication ---> allowed protocols --- > add --- > name of "result" --- > check only PROCESS HOST LOOKUP)

7.-Create a policy for MAB Authentication (SEE ATTACHED DOCUMENT).

8.-Repeat process from step 5 to 7 to create an AUTHORIZATION condition, authorization result and authorization policy.

ACS and ISE configuration are similar, so if you know ACS then you should not have many issues configuring the device.

I am running ISE 1.4.0.253 patch 6. I am not interested yet in ISE 2.0 or 2.1 because the one I have is a stable version.

Regarding licenses: they are user based, not AP based. You can have any number of APs.

You can follow the next video but only use the Authentication part of the configuration. IGNORE the authorization because you are not using CWA. Once you finish and test the AUTHC (authentication) part, post a note so I can give you a hand with the AUTHZ (authorization) part.

http://www.labminutes.com/sec0199_ise_13_802.1x_cwa_chaining_2

thank you
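
Steps 2 to 4 of the reply above (fill the exported endpoint file with the AP MACs, then import it), as an added example that is not part of the original post and not Cisco tooling: it validates and de-duplicates the MAC list before it goes into the import file, so malformed entries are caught instead of silently failing MAB later. Assumptions: the column names `MACAddress` and `IdentityGroup`, the group name `AP-Endpoints`, the colon-separated MAC notation and all sample MACs are constructed; use the header row and notation of the file your own ISE exported.

```python
import csv
import io
import re

# Constructed stand-in for the header row of the file exported from ISE in step 2.
# These column names are placeholders; copy the header from your own export.
ISE_TEMPLATE_HEADER = ["MACAddress", "IdentityGroup"]

# Constructed sample: AP Ethernet MACs as copied from the ACS side, in mixed notations.
ACS_MACS = """\
00:11:22:33:44:55
0011.2233.4466
00-11-22-33-44-77
001122334455
00:11:22:33:44:ZZ
123456789012
"""

def normalize_mac(raw):
    """Return the MAC as upper-case colon-separated hex, or None if it is not 12 hex digits."""
    digits = re.sub(r"[\s:.\-]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_import(header, mac_lines, group, mac_col="MACAddress", group_col="IdentityGroup"):
    """Fill the exported template with AP MACs; return (csv_text, rejected, duplicates)."""
    seen, rejected, duplicates = set(), [], []
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    for line in mac_lines.splitlines():
        if not line.strip():
            continue
        mac = normalize_mac(line)
        if mac is None:
            rejected.append(line.strip())      # not a MAC: fix at the source, do not import
        elif mac in seen:
            duplicates.append(mac)             # same AP listed twice in different notations
        else:
            seen.add(mac)
            writer.writerow({mac_col: mac, group_col: group})
    return out.getvalue(), rejected, duplicates

if __name__ == "__main__":
    text, rejected, dups = build_import(ISE_TEMPLATE_HEADER, ACS_MACS, "AP-Endpoints")
    print(text, "rejected:", rejected, "duplicates:", dups)
```

An all-numeric MAC such as the last sample line is still valid hex and passes validation; only the entry containing non-hex characters is rejected.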