How to use Group-Based Policies with 3rd Party RADIUS using Cisco DNA Center 1.3.1

Overview

This configuration document provides general guidance on how to integrate an existing, non-Cisco RADIUS based solution with SD-Access so that it is possible to leverage the advanced segmentation capabilities of Cisco DNA Center 1.3.1.  FreeRADIUS is used as the RADIUS server in this document.

Connection Overview

[Figure: Picture1.png (connection overview diagram)]

  1. Users authenticate directly to the 3rd party RADIUS server
  2. RADIUS authorization returns VLAN and SGT
  3. Edge switch initiates a policy request if the policy associated with the newly connected SGT doesn't exist
  4. Edge switch downloads policies
  5. Edge switch enforces the policy and/or forwards traffic deeper into the network

Configuration Overview

The configuration objective is to configure the SD-Access edge to use the 3rd party RADIUS server for AAA authentication and authorization and use Cisco Identity Services Engine for group-based policy.   This is achieved via the use of templates on Cisco DNA Center.

Cisco DNA Center

    1. Navigate to Design-->Network Settings--><Site Name>.  Configure ISE as the AAA server

      Note: Configure ISE here instead of the 3rd party server because Cisco DNA Center automates the TrustSec provisioning and adds the fabric devices in ISE when the AAA server is ISE.  No provisioning occurs when ISE is not specified.

    2. Create a Cloud DayN template with the following commands (see Cisco DNA Center Templates for instructions on configuring a template).

aaa group server radius thirdparty
 server name thirdparty
 ip radius source-interface Loopback0
aaa authentication dot1x default group thirdparty
aaa authorization network default group thirdparty
aaa accounting identity default start-stop broadcast group dnac-client-radius-group group thirdparty
aaa accounting network default start-stop group dnac-client-radius-group group thirdparty
aaa server radius dynamic-author
 client <thirdparty IP> server-key 0 <secret>
ip radius source-interface Loopback0
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 5 tries 3
radius-server deadtime 3
radius server thirdparty
 address ipv4 <thirdparty IP> auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 key 0 <secret>


    3. Provision the edge. Include the template configured above as part of the provisioning step. The resulting config would look similar to the following:

aaa group server radius dnac-client-radius-group
 server name dnac-radius_10.1.200.126
 ip radius source-interface Loopback0
!
aaa group server radius thirdparty
 server name thirdparty
 ip radius source-interface Loopback0
!
aaa authentication login default local
aaa authentication login dnac-cts-list group dnac-client-radius-group local
aaa authentication enable default enable
aaa authentication dot1x default group thirdparty
aaa authorization exec default local
aaa authorization network default group thirdparty
aaa authorization network dnac-cts-list group dnac-client-radius-group
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group dnac-client-radius-group
!
aaa server radius dynamic-author
 client 10.1.200.126 server-key 7 073B32494D480A26474227
 client 10.1.200.61 server-key 7 15261809076B380778631
ip radius source-interface Loopback0
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 5 tries 3
radius-server deadtime 3
radius server dnac-radius_10.1.200.126
 address ipv4 10.1.200.126 auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 pac key 7 00300003071A18255F7160
radius server thirdparty
 address ipv4 10.1.200.61 auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 key 7 0330480E054E326F1E5935

 

FreeRADIUS

    1. Modify the /etc/freeradius/clients.conf file to add the Edge switch as a AAA client
    2. Modify the /etc/freeradius/users file to add the necessary attributes to pass back the VLAN and the SGT

Note: "Cisco-AVPair" is case-sensitive

Note: The SGT value must be represented in hex, e.g. if Doctor_SGT = 18, the value for the AV-pair is 0012

Note: The number trailing the SGT, e.g. the "-00" in 0012-00, is important.  Omitting it will result in an incorrect SGT assignment of "65535"

    3. Restart FreeRADIUS
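As an added example (not from the article, Cisco or the FreeRADIUS project), the following Python helper renders a users-file entry carrying the VLAN and SGT, and lints a constructed users file for the two mistakes the notes above describe: a mis-cased attribute name and an SGT value without the trailing -00. It assumes the AV-pair key cts:security-group-tag (the key ISE uses for SGT assignment) and that the -NN suffix is the CTS generation ID.

```python
"""Build and lint FreeRADIUS 'users' entries that return a VLAN and an SGT (added example).
Assumed, not from the article: key cts:security-group-tag, 4-hex-digit SGT, -NN = generation ID."""
import re

# Attribute name matched case-insensitively on purpose so a wrongly cased name can be reported.
AVPAIR_RE = re.compile(r'^\s*(?P<attr>cisco-avpair)\s*[:+]?=\s*"?(?P<val>[^",]*)"?', re.I)
SGT_VAL_RE = re.compile(r"^cts:security-group-tag=[0-9a-f]{4}-[0-9a-f]{2}$", re.I)


def sgt_avpair(sgt: int, generation: int = 0) -> str:
    """Encode a decimal SGT, e.g. 18 -> cts:security-group-tag=0012-00."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError(f"SGT out of range: {sgt}")
    return f"cts:security-group-tag={sgt:04x}-{generation:02x}"


def users_entry(user: str, password: str, vlan: int, sgt: int) -> str:
    """Render one users-file entry: VLAN via RFC 3580 tunnel attributes, SGT via Cisco-AVPair."""
    return "\n".join([
        f'{user} Cleartext-Password := "{password}"',
        "    Tunnel-Type = VLAN,",
        "    Tunnel-Medium-Type = IEEE-802,",
        f'    Tunnel-Private-Group-Id = "{vlan}",',
        f'    Cisco-AVPair = "{sgt_avpair(sgt)}"',
    ])


def lint_users(text: str) -> list:
    """Return (line_no, problem) for AV-pair lines the edge would ignore or mis-assign (65535)."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = AVPAIR_RE.match(line)
        if not m:
            continue
        if m.group("attr") != "Cisco-AVPair":
            problems.append((n, "attribute name must be exactly Cisco-AVPair"))
        val = m.group("val")
        if val.startswith("cts:security-group-tag=") and not SGT_VAL_RE.match(val):
            problems.append((n, "SGT must be 4 hex digits plus -NN generation ID, e.g. 0012-00"))
    return problems


# Constructed sample users file: one correct entry, then the two mistakes the notes warn about.
SAMPLE_USERS = """\
doctor1 Cleartext-Password := "s3cret"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "1021",
    Cisco-AVPair = "cts:security-group-tag=0012-00"
nurse1 Cleartext-Password := "s3cret"
    Cisco-AVPair = "cts:security-group-tag=0012"
guest1 Cleartext-Password := "s3cret"
    cisco-avpair = "cts:security-group-tag=18-00"
"""
```

Running `lint_users(SAMPLE_USERS)` flags line 7 (missing -00) and line 9 twice (lower-case attribute name and a two-digit SGT); `users_entry("doctor1", "s3cret", 1021, 18)` renders the correct form.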
