Cisco ISE 2.4 AD Integration


The purpose of this blog post is to document the steps required to configure wireless 802.1X authentication on a Cisco vWLC v8.3 using Cisco ISE 2.4 as the RADIUS server.

WLC Configuration


Define AAA Servers

  • Login to the WLC WebGUI
  • Click Advanced
  • Navigate to Security > AAA > RADIUS > Authentication
  • Click New
  • Define the IP address of the RADIUS Server (ISE)
  • Define the Shared Secret
  • Ensure Support for CoA is Enabled
  • Click Apply
  • Navigate to Security > AAA > RADIUS > Accounting
  • Click New
  • Define the IP address of the RADIUS Server (ISE)
  • Define the Shared Secret
  • Click Apply

NOTE – the same shared secret must be configured for the WLC on the ISE side (Administration > Network Resources > Network Devices), otherwise ISE silently drops the requests. Use a long random value: the shared secret is the only thing that authenticates the WLC to ISE and integrity-protects the RADIUS exchange. Support for CoA (RFC 3576) is what lets ISE later disconnect or re-authorize a client without waiting for it to reconnect.

Create WLAN

  • Navigate to WLANs > WLANs
  • Select Create New and click Go
  • Define a Profile Name e.g. LAB_WLAN
  • Define a SSID e.g. LAB_SSID
  • Define an ID e.g. 1
  • Click Apply
  • Under the General tab, ensure the Status is Enabled and Security Policies is [WPA2][Auth (802.1x)]
  • Under the Security tab, select AAA Servers
  • Ensure the Auth Called Station ID Type is AP MAC Address:SSID
  • From the drop down list select the previously defined Authentication and Accounting Servers
  • Ensure Interim Update is selected
  • Scroll down and remove LOCAL and LDAP, ensure only RADIUS is used for authentication
  • Under the Advanced tab, tick the box for DHCP Addr. Assignment
  • Under the Radius Client Profiling section, tick the box for DHCP Profiling and HTTP Profiling
  • Click Apply

AP Groups

  • Navigate to WLANs > Advanced > AP Groups
  • Click Add Group
  • Define a name for the group, e.g. LAB_GROUP
  • Click Add
  • Click the newly created AP Group
  • Define a NAS-ID, e.g. vWLC (this is sent to ISE as the RADIUS NAS-Identifier attribute)
  • Click Apply
  • Click WLANs tab
  • Click Add New
  • Select the WLAN SSID from the drop down list, click Add
  • Click the APs tab
  • Select the AP(s) to add to the Group, click Add APs

NOTE – the AP(s) will now be reconfigured and rebooted

  • Click when complete

ISE Configuration

Authentication Policy

  • Create or modify the Authentication Policy
  • Create a rule to authenticate using PEAP/MSCHAPv2, named appropriately

Rule Name:-
MSCHAPv2

Conditions:-
Network Access-EapAuthentication EQUALS EAP-MSCHAPv2
Wireless_802.1X

Use:-
the Active Directory identity source (the join point the authorization rules below reference as LAB_AD)

NOTE – the original rule used the Wired_802.1X library condition. Wired_802.1X requires NAS-Port-Type = Ethernet and will never match a request from the WLC, so authentications would fall through to the default rule. Wireless_802.1X (Service-Type = Framed AND NAS-Port-Type = Wireless - IEEE 802.11) is the condition the authorization rules below also use.

Authorization Policy

  • Create new Authorization Rules as per the table below

Rule Name         Conditions                                                      Profiles
Domain Admins     Radius Called-Station-ID MATCHES .*(:)$                         PermitAccess
                  LAB_AD-ExternalGroups EQUALS lab.local/Users/Domain Admins
                  Wireless_802.1X
Domain Users      Airespace Airespace-Wlan-Id EQUALS 1                            PermitAccess
                  LAB_AD-ExternalGroups EQUALS lab.local/Users/Domain Users
                  Wireless_802.1X
Domain Computers  LAB_AD-ExternalGroups EQUALS lab.local/Users/Domain Computers   PermitAccess
                  Wireless_802.1X
Default           (no conditions)                                                 PermitAccess

When a client connects, the WLC sends the AP MAC address and the SSID in the RADIUS Called-Station-ID attribute, in the form AP-MAC:SSID (this is what the Auth Called Station ID Type setting of AP MAC Address:SSID on the WLAN controls). This can be used in an authorization rule to distinguish users by the SSID they connect to. The first rule, for Domain Admins, matches the Called-Station-ID attribute against a regex. Note that the pattern as shown, .*(:)$, only matches a value ending in a colon, i.e. an empty SSID; to match a specific SSID the pattern must be anchored on the SSID name, e.g. .*:LAB_SSID$ for the WLAN created earlier.

In addition to the Called-Station-ID attribute, if the WLC/AP is Cisco we can use the vendor-specific attribute Airespace-Wlan-Id to identify the WLAN. For members of the Domain Users group we use this value. It is important to note that the value must equal the WLAN ID defined on the WLC (1 for LAB_WLAN above), not the SSID name.

For Domain Computers we do not require the computer to authenticate from a specific SSID, only that it is a member of the Domain Computers AD group.

NOTE – the Default rule here is PermitAccess, so any session that authenticates successfully but matches none of the rules above (for example a Domain Users member on a different WLAN) is still permitted. Outside a lab, set the default authorization profile to DenyAccess so that access is only granted by an explicit rule.
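
To see how ISE evaluates this table against what the vWLC actually sends, here is an added example (not code from the original post or from Cisco ISE) that models first-match evaluation of the three rules plus Default over constructed RADIUS attributes. It uses the post's own names (join point LAB_AD, SSID LAB_SSID, WLAN ID 1, NAS-ID vWLC); the AP MAC, the usernames and the Called-Station-ID regex .*:LAB_SSID$ are assumptions, and the post's .*(:)$ is evaluated alongside it to show that it never matches a real value.

```python
"""First-match evaluation of the authorization policy table above.

Added example, not code from the original post or from Cisco ISE. Requests
are constructed; the regex .*:LAB_SSID$ is an assumption standing in for the
post's .*(:)$, which is also evaluated to show it never matches a real value.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, object]
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # all must hold, as in one ISE rule row
    profile: str


def wireless_8021x(req: Request) -> bool:
    """ISE library condition Wireless_802.1X: Service-Type = Framed AND
    NAS-Port-Type = Wireless - IEEE 802.11 (Wired_802.1X needs Ethernet)."""
    return (req.get("Service-Type") == "Framed"
            and req.get("NAS-Port-Type") == "Wireless - IEEE 802.11")


def called_station_matches(pattern: str) -> Condition:
    """Radius:Called-Station-ID MATCHES <regex>. With 'AP MAC Address:SSID'
    selected on the WLAN the WLC sends '<AP MAC>:<SSID>'."""
    regex = re.compile(pattern)
    return lambda req: regex.search(str(req.get("Called-Station-ID", ""))) is not None


def wlan_id_equals(wlan_id: int) -> Condition:
    """Airespace:Airespace-Wlan-Id EQUALS <WLAN ID configured on the WLC>."""
    return lambda req: req.get("Airespace-Wlan-Id") == wlan_id


def ad_group(join_point: str, group: str) -> Condition:
    """<JoinPoint>:ExternalGroups EQUALS <domain/path/group>."""
    return lambda req: group in req.get(f"{join_point}-ExternalGroups", ())


def build_policy(default_profile: str = "PermitAccess") -> List[Rule]:
    return [
        Rule("Domain Admins", [called_station_matches(r".*:LAB_SSID$"),
                               ad_group("LAB_AD", "lab.local/Users/Domain Admins"),
                               wireless_8021x], "PermitAccess"),
        Rule("Domain Users", [wlan_id_equals(1),
                              ad_group("LAB_AD", "lab.local/Users/Domain Users"),
                              wireless_8021x], "PermitAccess"),
        Rule("Domain Computers", [ad_group("LAB_AD", "lab.local/Users/Domain Computers"),
                                  wireless_8021x], "PermitAccess"),
        Rule("Default", [], default_profile),  # catch-all; use DenyAccess outside a lab
    ]


def authorize(req: Request, policy: List[Rule]) -> Tuple[str, str]:
    """Rules are evaluated top to bottom; the first whose conditions all hold wins."""
    for rule in policy:
        if all(cond(req) for cond in rule.conditions):
            return rule.name, rule.profile
    raise RuntimeError("policy has no catch-all rule")


def make_request(user: str, groups: List[str], ap_mac: str, ssid: str, wlan_id: int) -> Request:
    """Constructed Access-Request attributes as ISE sees them after the AD group lookup."""
    return {
        "User-Name": user,
        "Service-Type": "Framed",
        "NAS-Port-Type": "Wireless - IEEE 802.11",
        "NAS-Identifier": "vWLC",
        "Called-Station-ID": f"{ap_mac}:{ssid}",
        "Airespace-Wlan-Id": wlan_id,
        "LAB_AD-ExternalGroups": frozenset(groups),
    }


ADMIN_GROUPS = ["lab.local/Users/Domain Admins", "lab.local/Users/Domain Users"]
AP_MAC = "00-11-22-33-44-55"  # constructed AP radio MAC

if __name__ == "__main__":
    policy = build_policy()
    cases = {
        "admin on LAB_SSID": make_request("admin1", ADMIN_GROUPS, AP_MAC, "LAB_SSID", 1),
        "user on LAB_SSID": make_request("user2", ADMIN_GROUPS[1:], AP_MAC, "LAB_SSID", 1),
        "machine on LAB_SSID": make_request("host/pc1.lab.local",
                                            ["lab.local/Users/Domain Computers"], AP_MAC, "LAB_SSID", 1),
        "admin on other WLAN": make_request("admin1", ADMIN_GROUPS, AP_MAC, "GUEST", 2),
    }
    for label, req in cases.items():
        print(f"{label:20} -> {authorize(req, policy)}; with DenyAccess default -> "
              f"{authorize(req, build_policy('DenyAccess'))}")
    print("post's regex .*(:)$ matches a real Called-Station-ID:",
          called_station_matches(r".*(:)$")(cases["admin on LAB_SSID"]))
```

The last case is the one worth noticing: a Domain Admin on a WLAN other than ID 1 matches none of the three rules and lands on Default, so the profile attached to Default decides whether that session gets on the network.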

Verification and Testing

With a wireless-enabled device, log in as a user who is a member of the AD group Domain Users. From the ISE live logs (Operations > RADIUS > Live Logs) we can confirm the session matched the Domain Users authorization rule, so the Airespace-Wlan-Id and group conditions worked.

Log off and log in as a user who is a member of the AD group Domain Admins. The ISE logs should now show the Domain Admins rule matched, confirming the Called-Station-ID regex and group conditions also worked.

From the detailed authentication report we can see the AD group, the NAS-Identifier defined in the AP Group configuration (vWLC) and the Called-Station-ID (AP MAC:SSID).

From the WLC we can navigate to Monitor > Clients and check the client properties. We can confirm user2 associated to the correct SSID and used 802.1X authentication with PEAP as the EAP type.

ISE AD Integration

LAB 4: ISE AD Integration

Topology: as provided for the lab.

Task: perform the tasks below as per the topology.

  • Integrate the AD domain demo.local with ISE
  • Add AD groups and user attributes to Cisco ISE
  • Test user authentication via any two authentication types
  • Integrate LDAP with Cisco ISE
  • Test that ISE can pull data from your AD via LDAP
  • Modify the ISE authentication configuration to authenticate and pull data from the AD server via LDAP
  • Add LDAP groups and attributes to Cisco ISE

Solution:

In Cisco ISE, navigate to Work Centers > Network Access > Overview. Click Introduction and, in the right pane, click Prepare > External Identity Stores.

In the left pane, click Active Directory, then Add.

Enter the following information:

  • Join Point Name: demo.local
  • Active Directory Domain: demo.local

Then click Submit. A popup will ask whether you want to join ISE to the AD domain; click Yes.

In the Join Domain box, provide the AD username and password, tick Specify Organizational Unit, set the DN to OU=ISE,OU=HCC,DC=DEMO,DC=LOCAL and click OK. The account used here only needs the rights to create and manage the ISE machine account in that OU; ISE uses the credentials for the join operation and does not store them.

Now select the ise-1 node from the list and click Run Diagnostic Tool on the toolbar.

Select the tests to run and click Run Tests Now. Every test should report success before continuing; a failure here usually means DNS, a blocked port towards the domain controller or a clock that is out of sync with the domain.
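
The diagnostic tool is a black box in the GUI, so here is an added example (not code from the original lab or from Cisco ISE) that reproduces the essentials of what it verifies before a join will succeed: SRV discovery of domain controllers, TCP reachability of the DC ports ISE needs, Kerberos clock skew, and that the join OU belongs to the domain. The port list follows the Cisco ISE AD integration documentation; the SRV record names are the standard ones AD publishes; dc1.demo.local, the fake resolver and the blocked-port behaviour are constructed so the script runs offline.

```python
"""Pre-flight checks for joining an ISE node to an AD domain.

Added example, not code from the original lab or from Cisco ISE. Domain,
OU and hostnames are constructed; resolver, connect and clock skew are
injected so it runs offline (use dns.resolver for SRV lookups and the
tcp_reachable() probe below for a real run).
"""
import socket
from typing import Callable, Dict, List

# TCP ports ISE opens towards a domain controller (Cisco ISE AD integration
# guide). DNS (53) and NTP (123) are UDP and are not probed by a TCP connect.
DC_TCP_PORTS: Dict[str, int] = {
    "Kerberos": 88,
    "LDAP": 389,
    "SMB/RPC": 445,
    "kpasswd": 464,
    "LDAP GC": 3268,
}
MAX_CLOCK_SKEW_SECONDS = 300  # Kerberos default tolerance

# SRV records AD publishes for DC, KDC and global-catalog discovery.
SRV_TEMPLATES = (
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_gc._tcp.{domain}",  # forest-root record; assumes a single-domain forest
)


def ou_in_domain(ou_dn: str, domain: str) -> bool:
    """True if the DC= components of the join OU spell the AD domain
    (e.g. OU=ISE,OU=HCC,DC=DEMO,DC=LOCAL lies inside demo.local)."""
    rdns = [r.strip() for r in ou_dn.split(",")]
    dcs = [r.split("=", 1)[1] for r in rdns if r.upper().startswith("DC=")]
    return ".".join(dcs).lower() == domain.lower()


def discover_dcs(domain: str, resolve_srv: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Map each SRV name to the sorted DC hostnames it resolves to."""
    found: Dict[str, List[str]] = {}
    for tmpl in SRV_TEMPLATES:
        name = tmpl.format(domain=domain.lower())
        found[name] = sorted(set(resolve_srv(name)))
    return found


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live connectivity probe; the offline demo injects a fake instead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(domain: str, ou_dn: str, resolve_srv: Callable[[str], List[str]],
              connect: Callable[[str, int], bool] = tcp_reachable,
              clock_skew_seconds: float = 0.0) -> Dict[str, object]:
    """Return {"ok": bool, "dcs": [...], "problems": [...]}; every failed check is listed."""
    problems: List[str] = []
    if not ou_in_domain(ou_dn, domain):
        problems.append(f"join OU {ou_dn} is not inside {domain}")
    srv = discover_dcs(domain, resolve_srv)
    for name, targets in srv.items():
        if not targets:
            problems.append(f"no SRV record for {name}")
    dcs = sorted({h for hosts in srv.values() for h in hosts})
    for dc in dcs:
        for service, port in DC_TCP_PORTS.items():
            if not connect(dc, port):
                problems.append(f"{dc}:{port} ({service}) unreachable")
    if abs(clock_skew_seconds) > MAX_CLOCK_SKEW_SECONDS:
        problems.append(f"clock skew {clock_skew_seconds:.0f}s exceeds Kerberos limit")
    return {"ok": not problems, "dcs": dcs, "problems": problems}


# --- Constructed offline demo: one DC, SMB blocked by a firewall ------------
FAKE_SRV = {
    "_ldap._tcp.dc._msdcs.demo.local": ["dc1.demo.local"],
    "_kerberos._tcp.dc._msdcs.demo.local": ["dc1.demo.local"],
    "_gc._tcp.demo.local": ["dc1.demo.local"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_SRV.get(name, [])


def fake_connect_smb_blocked(host: str, port: int) -> bool:
    return port != 445


def demo() -> Dict[str, object]:
    return preflight("demo.local", "OU=ISE,OU=HCC,DC=DEMO,DC=LOCAL",
                     fake_resolve, fake_connect_smb_blocked)


if __name__ == "__main__":
    for line in demo()["problems"] or ["all checks passed"]:
        print(line)
```

In the demo the only finding is dc1.demo.local:445 (SMB/RPC) unreachable, which is the typical firewall gap: Kerberos and LDAP work, the diagnostic passes those tests, and the join itself still fails because the machine account cannot be created over SMB/RPC.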

Now we will add the AD groups and attributes to ISE.

In the left pane, click demo.local under Active Directory, then on the Groups tab click Add > Select Groups From Directory.

Enter demo.local under Domain, set Type Filter to ALL and click Retrieve Groups.

Now change the Type Filter to GLOBAL and click Retrieve Groups again. Tick the groups the policies will reference (for this lab, Domain Admins, Domain Users and Domain Computers), click OK and then Save; only groups added here appear as ExternalGroups values in policy conditions.
