IEEE 802.1X is port-based network access control: a supplicant (here the PC) authenticates through a network access device (NAD, here the switch) to an authentication server (here Cisco ISE). Authentication is carried inside EAP, typically a username and password or a certificate, and the authorization result comes back to the switch as RADIUS attributes, for example a downloadable ACL (dACL) or a VLAN assignment.
The PC sends an EAP-Response/Identity message carrying the username, in this case "employee". The NAD (the switch) encapsulates the EAP message in a RADIUS packet and sends a RADIUS Access-Request to Cisco ISE. This Access-Request contains the Attribute Value Pair (AVP) User-Name=employee. The EAP method itself then runs through one or more Access-Challenge/Access-Request rounds, which are not shown here; the Access-Accept described next is the final packet of that exchange.
Cisco ISE validates the credentials of "employee" against its authentication policy and then, based on, say, the group the user belongs to, selects a result from its authorization policy. In this case the authorization result is a downloadable ACL named employee_acl.
Cisco ISE answers the switch's Access-Request with a RADIUS Access-Accept.
This Access-Accept carries the dACL name in the Cisco vendor-specific attribute cisco-av-pair, as ACS:CiscoSecure-Defined-ACL=<name>, with the value employee_acl in this example (in a capture the name also carries the #ACSACL#-IP- prefix and a hash suffix that changes whenever the dACL content is edited on ISE). This tells the switch which ACL to apply to the session of the user employee.
In the Wireshark capture below, notice that Cisco ISE does not include the content of the dACL, that is, the ACE entries. It sends only the name of the dACL.
The switch then generates and sends a second RADIUS Access-Request. This one contains the AVP User-Name=employee_acl (the dACL name rather than a user) together with the cisco-av-pairs aaa:service=ip_admission and aaa:event=acl-download. In effect the switch tells Cisco ISE: I do not have a dACL by that name cached, can you send me the content of the ACL named employee_acl?
Finally, Cisco ISE replies with an Access-Accept containing the content of the dACL, one cisco-av-pair per ACE in the form ip:inacl#<n>=<ACE>, as shown below: permit tcp any any eq 443, permit icmp any any and deny ip any any. The switch builds the ACL from these entries and applies it to the authenticated session.
To summarize: Cisco ISE does not push the whole dACL with its ACEs when it receives the Access-Request for user authentication from the NAD. It sends an Access-Accept that carries only the name of the dACL, without the ACEs.
Cisco ISE then expects the switch, if it does not already hold a dACL by that name, to send another Access-Request whose User-Name attribute is the ACL name, the purpose of which is to request the details (the ACEs) of that dACL. Because the name includes a hash of the content, the switch downloads a dACL again only after it has been changed on ISE, and, like any other RADIUS reply, the second Access-Accept is trusted only if its Response Authenticator verifies under the RADIUS shared secret.
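The two-step exchange above, modelled end to end in Python as an added example (this is not code from the original post or from Cisco). It encodes the RADIUS attributes as real Type/Length/Value bytes, including the Cisco Vendor-Specific attribute, so the packets it builds have the layout seen in the capture; the switch side checks the Response Authenticator before trusting a reply and caches dACLs by their full name. Assumptions and constructed values: the shared secret, the request IDs, the ISE policy table, the way the hash suffix of the dACL name is derived (illustrative only), and the omission of the EAP rounds, so the first Access-Request here stands for the last one of the EAP conversation.

```python
import hashlib
import os
import struct

# RFC 2865 codes and attribute types; Cisco vendor ID and the cisco-av-pair VSA type.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, VENDOR_SPECIFIC = 1, 26
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1

# Constructed ISE configuration: who gets which dACL, and the ACEs from the post.
ISE_POLICY = {"employee": "employee_acl"}
ISE_DACLS = {"employee_acl": ["permit tcp any any eq 443", "permit icmp any any", "deny ip any any"]}


def avp(attr_type, value):
    """One RADIUS attribute as Type/Length/Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """A cisco-av-pair string wrapped in a Vendor-Specific (26) attribute."""
    vsa = struct.pack("!BB", CISCO_AV_PAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = b"".join(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def verify_response(pkt, request_auth, secret):
    """The check a NAD performs before trusting any attribute in a reply."""
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() == pkt[4:20]


def parse(pkt):
    """Return (code, id, authenticator, [(name, value), ...]); Cisco VSAs are unwrapped."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l, v = pkt[i], pkt[i + 1], pkt[i + 2:i + pkt[i + 1]]
        if t == USER_NAME:
            attrs.append(("User-Name", v.decode()))
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID and v[4] == CISCO_AV_PAIR:
            attrs.append(("cisco-av-pair", v[6:4 + v[5]].decode()))
        else:
            attrs.append((t, v))
        i += l
    return code, ident, pkt[4:20], attrs


def dacl_full_name(name):
    """ISE names the dACL '#ACSACL#-IP-<name>-<hash>'; the hash derivation used here is an assumption."""
    return f"#ACSACL#-IP-{name}-" + hashlib.md5("\n".join(ISE_DACLS[name]).encode()).hexdigest()[:8]


def ise(request, secret):
    """Authentication server: answers both Access-Requests the switch sends."""
    code, ident, req_auth, attrs = parse(request)
    user = next(v for k, v in attrs if k == "User-Name")
    if ("cisco-av-pair", "aaa:event=acl-download") in attrs:
        # Second request: User-Name is the dACL name, so return its ACEs as ip:inacl#<n>.
        short = user[len("#ACSACL#-IP-"):].rsplit("-", 1)[0]
        reply = [cisco_avpair(f"ip:inacl#{n}={ace}") for n, ace in enumerate(ISE_DACLS[short], 1)]
    else:
        # First request: return only the dACL name chosen by the authorization policy.
        reply = [cisco_avpair("ACS:CiscoSecure-Defined-ACL=" + dacl_full_name(ISE_POLICY[user]))]
    return build(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, reply, req_auth, secret), reply)


class Switch:
    """Authenticator (NAD): caches downloaded dACLs by full name, so a changed hash forces a re-download."""

    def __init__(self, secret, server):
        self.secret, self.server, self.dacl_cache, self.downloads, self.ident = secret, server, {}, 0, 0

    def _ask(self, attrs):
        self.ident = (self.ident + 1) % 256
        req_auth = os.urandom(16)
        reply = self.server(build(ACCESS_REQUEST, self.ident, req_auth, attrs), self.secret)
        if not verify_response(reply, req_auth, self.secret):
            raise ValueError("Response Authenticator mismatch: reply not from a server holding the secret")
        return [v for k, v in parse(reply)[3] if k == "cisco-av-pair"]

    def authenticate(self, username):
        pairs = self._ask([avp(USER_NAME, username.encode())])
        name = next(p.split("=", 1)[1] for p in pairs if p.startswith("ACS:CiscoSecure-Defined-ACL="))
        if name not in self.dacl_cache:  # unknown name or new hash: fetch the ACEs
            pairs = self._ask([avp(USER_NAME, name.encode()),
                               cisco_avpair("aaa:service=ip_admission"),
                               cisco_avpair("aaa:event=acl-download")])
            self.dacl_cache[name] = [p.split("=", 1)[1] for p in pairs if p.startswith("ip:inacl#")]
            self.downloads += 1
        return {"user": username, "dacl": name, "aces": self.dacl_cache[name]}


def tampering_server(request, secret):
    # An on-path party that flips one byte of ISE's reply; the switch must reject it.
    pkt = bytearray(ise(request, secret))
    pkt[-1] ^= 0x01
    return bytes(pkt)


def reply_rejected(server):
    """True if the switch refuses what `server` returns (shows the authenticator check working)."""
    try:
        Switch(b"constructed-shared-secret", server).authenticate("employee")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sw = Switch(b"constructed-shared-secret", ise)
    print(sw.authenticate("employee"))
    print("tampered reply rejected:", reply_rejected(tampering_server))
```

Running it prints the session result with the three ACEs from the post. Authenticating the same user a second time returns the cached dACL without a second download request, because the full name (including its hash) has not changed; editing an ACE in ISE_DACLS changes the hash and triggers a fresh download, which is exactly why ISE sends the name first. The tampering server shows the other caveat from the text: a reply whose Response Authenticator does not verify under the shared secret never reaches the ACL parsing step.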