cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Identity Services Engine (ISE) and Wireless LAN Controller (WLC) - Part 1

12729
Views
15
Helpful
48
Comments
Beginner

(view in My Videos)

In this video you will See -

1. Integration of ISE and WLC.

2. Basic configuration of WLC and ISE.

 

Cisco Identity Services Engine (ISE) is a next generation product that provides various types of solutions/services in a single box. Example – ACS, NAC, NAC Profiler, NAC Guest Portfolios.

 

PART 2:- https://supportforums.cisco.com/videos/2480

 

Cisco Identity Services Engine

Wireless LAN Controller

48 Comments
Beginner

Hi All,

Intention of the video to give basic info on posturing wireless client.

for more detail please refer following links -

ISE - http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_overview.html

WLC - http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_security_sol.html

Thanks

Hemant

Cisco Employee

Great content. Thanx for posting the same.

Beginner

I am trying to make WLC+ISE with no PSK for a SSID. When users connect I want to display a banner where users have to click OK to continue.

The info here talks about using 802.1x..which requires cert to be configured and NAC enabled in SSID which uses Global Radius config.

How can I achieve my objective with and without PSK?

Beginner

Hi,

1. so far only 802.1x authentications are supported. so it's not possible to redirect two times. anyhow, wht is need of displaying a different page before redirecting ? The default page itself is having complete info. is there any specific reason ?

2. PSK is not supported. probably it will be supported in next release and webauth as well.

Thanks

Beginner

Thank you very much. I wanted to do POC for WLC with ISE however I was not sure how and where to start with. This video sure gave me pointer. My intention is to identify personal mobile devices vs. company provided one (both using NT credentials). The ISE presenstaion has this use case however not sure how to get it done. Can you provide some assistance? Do I need to have to NAC client on these devices to identify device type?

Beginner

Hi Vishal,

This is not supported in 1.0....I think it will be supported in next release.

Thanks

Beginner

Strange. Our Cisco SE introduced ISE for mobile device classification and control. I have ver 1.0 and I could see lot of mobile devices ipod, iphone, ipad, android etc. under profiling. I have never worked on NAC and hence not sure use it. I used your video to configure WLAN with ISE as RADIUS server.

Beginner

you are right there is a big list of attributes...but you asked can we differentiate between company mobile and personal mobile, official it may be supported in next release. you can provide different profile to different type of mobiles...say if iphone come give him vlan-x and if android comes give him vlan-y.

Beginner

Hi Hemant, Thanks for the video, but want to know more about the configuration and integration of WLC with ISE. I am testing it in the LAB for the deployemnt, can you please tell me what all licenses I need for this to work. right now I have got a 4402 controller with 2 CAPWAP AP and evaulation ver of ISE on a VM machine. I tried to authenticate the user, but am getting username and pasword box agian and agian on the pc, but not getting connected. I can see the error loggs in the ISE says the client need some certificate. Also I am trying with wireless client, so would like know if am missing some license or I am trying with some wrong configs.

Beginner

Hi Bijo,

plz share ur WLAN config and what auth u r using at client side.

Thanks

Beginner

Hi Bijo,

Check the authentication logs. I had similar problem which I managed to partially resolved. I was using native wireless client on Win 7. The authentication logs on ISE were showing that the auth was working against host\<machine name> instead of username. I had specified the authentication mode to user authentication in wireless client (Security -> Advanced Settings -> Specify user authentication) and I could see ISE authenticating against username. Hemant's video is showing wireless profile configuration using Intel Pro Set utility and user authenticaiton may be the default configuration. In the authentication logs on ISE, I can see that the client is authenticated using internal database. I am stuck with authorization now as ultimately no access granted as it is matching the "default deny" rule.

Hi Hemant,

This is my first experience with NAC based product and it is too confusing. Can you please point to resources which talks more about the steps and provide more info about the involved elements for posture based authentication? Thanks for your video, I have made some progress . I still need to figure out why it is matching the default deny profile. I have defined apps to be open as telnet.exe.

Beginner

Hi Vishal,

It's confusing coz ISE has lots of option to configure...   but once you understand it...u will feel that you have very powerfull device in your hand....

client matching "deny profile" coz ISE fail to to match all the profile u configured....It work same like our ACLs...

This video is for basic posture only...if you follow the step one by one i think u will not face issue for basic posturing. Plz let me what you not able to understand in the video...

Plz let me know the config of ISE -

Policy Elements


Results -

  • Authorization Profile - create profiles - like complient and non-complient and specifiy ACLs
  • Posture Requirement – map the posture condition.
  • Client Provisioning – upload agent software (client or web agent).

Client Provisioning -

  • Here we map the NAC_Agent to the Identity Group.

Authorization -

  • Creating rules. Give the specific Authorization to clients..like non-compliant or compliant….etc.
Beginner

Hi Hemant,

I have followed all steps in your video only as so I dont know any other way to configure ISE .

Beginner

hahhaaha.... if possible plz let me know config of ISE as i mentioned in my previouse reply - screen shots...

Beginner

Hi Hemant,

How can I provide you screenshots? Can I directly post in reply? The logs shows that the client is failing authorization profile while authentication works.

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards
This widget could not be displayed.