This document provides a sample configuration for integrating ISE (Identity Services Engine) with a Cisco Wireless LAN Controller (WLC).
NOTE:- This document is about posturing the client and is based on 188.8.131.52. The same information is also covered in the VoD.
Cisco Identity Services Engine (ISE) is a security policy management and control platform. It automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. Cisco ISE is primarily used to provide secure access and guest access, support BYOD initiatives, and enforce usage policies in conjunction with Cisco TrustSec.
We have an AP and a WLC connected to a switch. Traffic between the AP and the WLC is encapsulated using the CAPWAP protocol. The ISE sits somewhere in the network and has connectivity to the WLC for posture, authentication, etc. Clients are associated to the WLC.
Now, let’s discuss what needs to be configured on the Cisco WLC –
The WLAN is named ISEnWLC, with security left at the default WPA2. Advanced Tab --> Enable Radius NAC. When Radius NAC is enabled, the AAA Override feature is enabled automatically.
NOTE:- If configuring through the CLI, AAA override must be configured first, before Radius NAC is configured on the WLAN.
ISE differentiates clients into 3 categories, and we need to configure 3 different ACLs in order to give each category specific access. It is not mandatory to have 3 ACLs; we can also use only 2 ACLs. Suppose an admin does not want to differentiate unknown and non-compliant users and does not want to give them different access policies. In that case, he can use 2 ACLs: one ACL for unknown and non-compliant clients and a second ACL for compliant clients.
It all depends on how the admin wants to configure it. We have created only 2 ACLs, so we are treating unknown and non-compliant clients in the same way.
Go to Security --> click on Access Control Lists --> We have configured 2 ACLs -
Limited_Access and Full_Access
Limited_Access allows only ISE traffic, and Full_Access does not block anything.
Now we add the ISE as an AAA server. On the Security tab --> select Authentication --> give the IP address and shared secret. The shared secret must be the same on ISE as well.
As per Cisco's recommendation, an admin should configure 3 ACLs. Let’s discuss more on ACLs and the posture state of clients/users.
ISE differentiates a client into three posture categories, unknown, non-compliant and compliant, in order to do posture:-
So we need 3 different access profiles, one each for unknown, non-compliant and compliant. Each profile has an ACL. Based on the user's/client’s posture state, ISE sends the matching profile to the controller. The controller then applies the ACL and the other attributes to the client's entry in its client database.
Let’s see what kind of traffic should be allowed:-
It is recommended to configure 3 ACLs for posture, but it is not mandatory.
The main purpose of this document is to discuss posture and the integration of ISE NAC with the WLC. There are many options, combinations and attributes to configure on ISE, and it is not possible to cover them all in this document, so we will discuss some of the basic ISE configuration for wireless clients in order to do posture:-
Client Provisioning -
We have two videos from Hemant Sharma. Hemant is a software engineer in the Wireless Business Unit at Cisco.