Configure Cisco ISE for Cisco Access Points

Let’s say you have been asked to configure ISE to allow secure network access for Cisco Wireless Access Points.

To do so you should:

· Enable the ISE endpoint profile for Cisco Access Points

· Configure an Authorization Profile and Authorization Policy rule for Cisco Access Points

· Review the access switch configuration to authorize an access point using MAC Authentication Bypass (MAB).

· Verify proper authorization of a Cisco Access Point based on ISE policy

Log in to ISE.

The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.

Configure the Profiler Policy to assign endpoints matching the Cisco Access Point profile to an Identity Group called “Cisco-Access-Points”.

Navigate to Policy > Profiling and select Cisco-Access-Point from the list of Endpoint Policies, verify that the policy is enabled (Policy Enabled checkbox is checked) and check the option Create Matching Identity Group.

Do not forget to save, otherwise it will not work.

Now define an Authorization Profile for Cisco Access Points.

Navigate to Policy > Policy Elements > Results and double-click Authorization to expand its contents.

Select Authorization Profiles from the left-hand pane and click Add from the right-hand pane and enter the values for the Authorization Profile as shown below:

Attribute        Value
Name             Cisco_Access_Points
Description      Permit access to Cisco Access Points
Access Type      ACCESS_ACCEPT
Common Tasks
  DACL Name      [ ✓ ] PERMIT_ALL_TRAFFIC
  VLAN           90 (or 1:90)

The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

Tunnel-Private-Group-ID = 1:90

Tunnel-Type = 1:13

Tunnel-Medium-Type = 1:6

DACL = PERMIT_ALL_TRAFFIC

Finally, click Submit to apply your changes.
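The Attribute Details above are the RFC 2868 tunnel attributes that carry a VLAN assignment in the RADIUS Access-Accept; the “1:” in front of each value is the tag byte that ties the three attributes together. The following Python is an added illustration (not part of the original post and not ISE code): it encodes the three attributes behind “VLAN 90 (or 1:90)” exactly as they appear on the wire and decodes them back into ISE’s tag:value notation, including the untagged form allowed for Tunnel-Private-Group-ID. The dACL attribute is left out.

```python
# RFC 2868 tunnel attribute type numbers and the values ISE uses for a VLAN
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type 13 = VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type 6 = IEEE 802
NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}

def _tagged(attr_type, tag, payload):
    """Tagged attribute TLV: type, length, one tag byte (1..31), then the payload."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    body = bytes([tag]) + payload
    return bytes([attr_type, 2 + len(body)]) + body

def vlan_assignment(vlan, tag=1):
    """The three attributes behind the profile's 'VLAN 90 (or 1:90)' setting.
    Integer attributes carry a 3-byte value after the tag; the group ID is a string."""
    return (_tagged(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _tagged(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + _tagged(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan).encode()))

def parse_attributes(data):
    """Walk the attribute TLVs and return {name: 'tag:value'} in ISE's notation."""
    out, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute")
        body = data[i + 2:i + length]
        i += length
        if attr_type not in NAMES:
            continue                      # other attributes are not decoded here
        tag = body[0]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag
            if tag > 0x1F:
                tag, value = 0, body.decode()
            else:
                value = body[1:].decode()
        else:
            value = int.from_bytes(body[1:], "big")
        out[NAMES[attr_type]] = "%d:%s" % (tag, value)
    return out
```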

Now we should configure a new Authorization Policy rule to assign the new Cisco_Access_Points profile to endpoints that match the Identity Group named Cisco-Access-Point.

To do so, go to Policy > Authorization and insert a new rule below the Profiled Cisco IP Phones rule as shown in the policy table below. Use the action selector at the end of a rule entry to insert or duplicate rules.

Enter the following values for a new rule named Profiled Cisco Access Points:

Status    Rule Name                     Identity Groups      Other Conditions   Permissions
Enabled   Profiled Cisco IP Phones      Cisco-IP-Phone                          Cisco_IP_Phones
Enabled   Profiled Cisco Access Points  Cisco-Access-Point                      Cisco_Access_Points

Don’t forget to Save when finished making policy updates.

Hint: verify proper authorization of the wireless access point.

Check the status of the port and, if necessary, issue the no shutdown command in configuration mode for the selected interface.

Check the authentication status with:

cisco-access# show authentication sessions interface gi0/x

or

cisco-access(config-if)# do sh auth sess int gi0/x

Keep in mind that it may take a few minutes for the result to appear (between the access point bootstrap and the rest of the process).

To display the current dACL applied to the interface, use the command show ip access-lists interface GigabitEthernet 0/3. The output should appear similar to the following:

cisco-access(config-if)# do sh ip access-list int gi0/3

permit ip host 10.1.90.100 any

To verify the Cisco Wireless Access Point authentication in ISE, go to Monitor > Authentications. The log should show entries like these:

S  Username                        Endpoint ID         IP Address   NAD        Device Port  AuthZ Profiles       Identity Group      Event
   #ACSACL#-IP-PERMIT_ALL_TRAFFIC                                   3k-access               Authorize Only                           DACL Download
   nn:nn:nn:nn:nn:nn               nn:nn:nn:nn:nn:nn   10.1.10.100  3k-access  Gi0/3        Cisco_Access_Points  Cisco-Access-Point  Auth Succeeded

Note: the access point periodically attempts to renew its IP address if it has no network connectivity. The default port ACL on the switch allows access to DHCP services, so the access point initially receives an IP address in the default access VLAN 10 (10.1.100.10). Once authorized for VLAN 90, the access point will renew its IP address in the new VLAN (10.1.90.100).
The authentication event in the above log reflects the IP address learned at the time of authentication. The access list applied to this session reflects the final endpoint IP address using variable substitution of the “any” value in the dACL’s source IP address.
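To make the switch-side checks in this verification section repeatable, the following Python is an added example (not part of the original post and not Cisco IOS or ISE code). It parses the output of the two show commands used above and confirms that the session was authorized by MAB with VLAN 90 and the PERMIT_ALL_TRAFFIC dACL, and that the source host the switch substituted for “any” in the dACL equals the session’s IP address. The sample outputs are constructed in the usual IOS layout; the MAC address, the session values and the dACL hash suffix are invented placeholders.

```python
import re
# Constructed sample in the layout of IOS "show authentication sessions interface"
# (12.2(55)SE / 15.x style); MAC, addresses and the dACL suffix are invented.
SESSION_OUTPUT = """\
            Interface:  GigabitEthernet0/3
          MAC Address:  0011.2233.4455
           IP Address:  10.1.90.100
               Status:  Authz Success
          Vlan Policy:  90
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-0123456789abcdef

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""
# Constructed "show ip access-list interface" output: the dACL's "any" source
# has been substituted with the endpoint's own address, as in the post.
ACL_OUTPUT = "permit ip host 10.1.90.100 any\n"

def parse_session(text):
    """Return the 'Key:  value' fields and a {method: state} map."""
    fields, methods = {}, {}
    for line in text.splitlines():
        kv = re.match(r"\s*([A-Za-z ]+?):\s+(\S.*)$", line)
        meth = re.match(r"\s*(mab|dot1x)\s+(.+?)\s*$", line)
        if kv:
            fields[kv.group(1).strip()] = kv.group(2).strip()
        elif meth:
            methods[meth.group(1)] = meth.group(2)
    return fields, methods

def check_ap_authorization(session_text, acl_text, vlan="90", dacl="PERMIT_ALL_TRAFFIC"):
    """Compare a session with what the Cisco_Access_Points profile should produce;
    returns a list of problems (empty when the AP was authorized as expected)."""
    fields, methods = parse_session(session_text)
    problems = []
    if fields.get("Status") != "Authz Success":
        problems.append("session not authorized: %s" % fields.get("Status"))
    if methods.get("mab") != "Authc Success":
        problems.append("MAB did not succeed: %s" % methods.get("mab"))
    if fields.get("Vlan Policy") != vlan:
        problems.append("unexpected VLAN policy: %s" % fields.get("Vlan Policy"))
    if dacl not in fields.get("ACS ACL", ""):
        problems.append("dACL %s not applied" % dacl)
    ip = fields.get("IP Address")
    # the switch rewrites the dACL's "any" source to the session IP; check they agree
    if ip and not re.search(r"permit ip host %s\b" % re.escape(ip), acl_text):
        problems.append("dACL source host does not match session IP %s" % ip)
    return problems
```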

Antonio Ieranò
CSO, Cyber Security Architect, technical evangelist, consultant, writer, journalist and trainer
I am a Security Manager and architect, CSO, BDM, marketing specialist, and tech evangelist with over 20 years of experience serving as a community liaison, subject matter expert, and high-profile trainer for key technologies and solutions. My experience includes acting as the public face of Huawei technology and before Cisco security technologies; leading pan-European technical teams in development of new Cisco security products; and serving as a key public speaker and trainer on behalf of new high-tech products. My expertise spans IT development and implementation, marketing strategy, legal issues, and budget / financial management.

Specialties and Executive Expertise
IT Strategy, Technical Audits, Enterprise Architecture & Applications, Technical Sales Liaison, Solution Architecture, Network Design, Architecture, & Security, Vulnerability Assessment & Management, Systems Engineering, Data Privacy, Cloud Computing, Marketing Strategy, Budget Management, Social Media Marketing, High-Impact Presentations, Incident Handling, Forensics, Italian companies, Authentication, Infrastructure security, Security manager, Security issues, Attacks, Security infrastructure, Data encryption

Security and Technical Advisory
Project Management
Business Development and Marketing

CC BY-NC-SA 4.0 Configure cisco ISE for Cisco Access Points by The Puchi Herald Magazine is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.