ā07-18-2016 01:43 PM - edited ā03-10-2019 11:56 PM
Hi
On a WLAN network for one of our customers we only allow APs to connect if they authorise against a AAA radius server using the mac address of the AP ethernet interface as the username and password. Currently we do this using an ACS as the AAA radius server.
We have a company wide password policy that wont change, that states all passwords need to be alpha numeric
Some new APs have been delivered and installed have the mac address that is numeric only
We also have an ISE for WLAN user authentication & authorisation.
Has anyone set up the ISE to act as the AAA radius server for AP authorisation and if so do you have any examples of the config used on the ISE
Could you also let me know what ISE licenses are needed to allow an AP to authenticate against an ISE.
Thanks
Martyn
ā07-18-2016 02:25 PM
I am assuming that you have all the MAC ADDRESSES of the APs locally store on the ACS DB and you are using MAB Authentication so in order to do the same thing on ISE, see the attached document.
1.-Create and Endpoint Group (administration --- > identity management --- > groups)
2.-Add an entry into that Endpoint Group and export the entire file (administration --- > identity management --- > identities)
3.-Export the file and fill it with the ACS information using copy and paste values only (not manually because the format can be changed) including the Endpoint Group.
4.-Import back the file with all the AP's mac into ISE (administration --- > identity management --- > identities). Now you have all the AP's MAC into ISE DB
5.-Create a condition for MAB authentication (policy -- > condition --- > authentication ---> simple condition --- > add --- > put a name for the condition and select ATTRIBUTE = Radius:Service-type, operator = equals, value = call-check.
Important: ON THE WLC, security --- > radius --- > authentication & accounting --- > AUTH CALLED STATION ID TYpe = AP Eth MAC Address:SSID or AP Eth MAC Address.
6.-Create a RESULT for the Authentication process (policy --- > policy element ---> results -- > authentication ---> allowed protocols --- > add --- > name of "result" --- > check only PROCESS HOST LOOKUP)
7.-Create a policy for MAB Authentication (SEE ATTACHED DOCUMENT.
8.-Repeat process from step 5 to 7 to create an AUTHORIZATION condition, authorization result and authorization policy.
ACS and ISE configuration are similar so if you know ACS then you should not have much issues configuring the device.
I am running ISE 1.4.0.253 patch 6. I am not interested yet on ISE 2.0 or 2.1 because the one I have is an stable version.
Regarding licenses are user based no AP. You can have any number of AP's
You can follow the next video but only use the Authentication part of the configuration. IGNORE the authorization because you are not using CWA. Once you finish and test the AUTHC (authentication) part post a note so I can give you a hand with the AUTHZ (authorization part).
http://www.labminutes.com/sec0199_ise_13_802.1x_cwa_chaining_2
ā07-21-2016 02:45 PM
thank you
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide