Cisco ISE Internal Radius Server Configuration for 802.1X

In this article we’ll explore the configuration of Cisco ISE as an internal Radius server.

  • Setting Device Groups
  • Configuring the network device (the Radius client)
  • Setting internal users
  • Preparing the Authentication policy
  • Setting a compound authorization policy
  • Setting the Allowed Protocols
  • Setting the downloadable ACL
  • Setting Authorization Profiles
  • Setting the Policy Set

Setting Device Groups

Go to Administration -> Network Resources -> Network Device Groups

cisco-ise-internal-radius-server-2017-08-06 22_24_51

 

Configuring the network device

cisco-ise-internal-radius-server-2017-08-06 22_27_09

cisco-ise-internal-radius-server-2017-08-06 22_27_24

Setting internal users

cisco-ise-internal-radius-server-2017-08-06 22_29_39

cisco-ise-internal-radius-server-2017-08-06 22_29_50

“Employee” is a pre-defined user group.

Preparing the Authentication policy

We’ll use the pre-built Wired_802.1X authentication policy which is enough for what we are going to do.

cisco-ise-internal-radius-server-2017-08-06 22_32_44

Setting a compound authorization policy

When a Radius client is authenticated, the authorization process is evaluated. Our authorization policy will be compound. Here is a sample one.

cisco-ise-internal-radius-server-2017-08-06 22_34_18

I did not use the default Wired_802.1x authorization policy because I want some customized parameters.

cisco-ise-internal-radius-server-2017-08-06 22_35_36

Setting the Allowed Protocols

I’ll define a set of allowed protocols, which will be used to negotiate 802.1X and Radius, when the authentication policy conditions are met.

cisco-ise-internal-radius-server-2017-08-06 22_38_05

cisco-ise-internal-radius-server-2017-08-06 22_38_21

Setting the downloadable ACL

Although the dACL did not work in my home lab, I’ll mention them for the completeness of information.

cisco-ise-internal-radius-server-2017-08-06 22_42_36

cisco-ise-internal-radius-server-2017-08-06 22_42_48

Setting Authorization Profiles

Authorization profiles are given as a result of a successful matching of the authorization policy’s conditions. Here I give the example of an authorization policy that leverages the dACL we created before (EMPLOYEE-ONLY) and sets the vlan that’ll be assigned to the successfully-authorized port.

cisco-ise-internal-radius-server-2017-08-06 22_43_57

cisco-ise-internal-radius-server-2017-08-06 22_44_22

Setting the Policy Set

I created a policy set with a general-matching condition, just to fire it up in the ISE matching logic.

cisco-ise-internal-radius-server-2017-08-06 22_47_37

My primary constructs within the policy set are:

  • the authentication policy: wired-dot1x
  • the authentication policy: Employee-access

cisco-ise-internal-radius-server-2017-08-06 22_48_37

 

Comments

Post a Comment

Popular posts from this blog

The Thing With CUCM Device Packs

Image
To add a new phone on CUCM, whether it is a Cisco phone or one of the free softphones on the Internet, you go to Device –> phone. Sometimes the phone you want to add does not exist in the drop box, because the device model is new or the CUCM version is a bit old. What you can do here is to download a Device Pack of the new phone and install it. A Device Pack is a set of firmwares contained in a single file. Generally, it has the extension “sgn”. A Device Pack for phone X not only contains a load for it, but also loads for many other phone models. This is important to know because, once you install a Device Pack in CUCM, your existing phones by default will install the new version of their respective loads. I encountered a case where, after installing a Device Pack, some phones no longer worked. So I had to note down the “Active Load” and put it in the Device Defaults page. CUCM Device Pack download To download a Device Pack, you need to have a valid Cis...
Read more

En Bloc Dialing vs Digit-By-Digit Dialing

Image
Digit Signaling, aka Digit Addressing, is the method by which digits are sent from a dialing endpoint (e.g. phone) to a CUCM server, or by a voice gateway or trunk. There are three known digit signaling methods: En Bloc dialing SIP Dial Rules Digit-by-digit dialing 1. En Bloc digit dialing In the En Bloc digit signaling method, digits are sent as a whole block. Think of it like a brick that you send to UCM. This is the digit addressing method used on Type A Cisco phones, whether the endpoint signaling protocol is SIP or SCCP. En Bloc dialing is the default method used with the famous gateway protocols -MGCP, H323 and SIP- and also on H323 trunks and SIP trunks. Besides, the resulting pattern of a Translation Pattern operation is sent as En bloc to the call control system. 2. SIP Dial Rules It is important to know that all SIP phones support SIP dial rules, whether they are Type A or Type B. SIP dial rules are created on CUCM and downloaded by...
Read more

Call Forward And Call Hunt on CUCM

Image
Call forwarding is one of the features of the call coverage in Cisco CUCM. Call Hunting is when CUCM distributes a call on more than one Directory Number (DN), whether consecutively or simultaneously, depending on the algorithm. Hunt Pilot A Hunt Pilot is the entry point for the whole call hunting process. It is hit by a Call. The Hunt Pilot number is a dialable entity and has many similarities with Route Patterns : We can configure Route Filters with Hunt Pilots, Hunt Pilots can Provide Outside Dial Tone , We can set Hunt Pilots with the Urgent Priority flag, They can route or block calls, They can apply Calling and Called Party Transformations. Hunt Lists After hitting the Hunt Pilot, the call is presented by CUCM to the Hunt List. Each Hunt List contains one or more ordered Line Groups. A Hunt List can be pointed by one or more Hunt Pilots. Line Groups Each Line Group contains one or more member (we’ll refer to them as Hunt members, hunt parties or Line Group members). A Line Grou...
Read more