Cisco ISE 2.0 Active Directory & Radius

This is a 4 part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).

ISEimageFor more guides about configuring (previous) Cisco ISE, see this page.This is part 1, the prerequisites before you can start configuring any authentication method.

Add ISE to Active Directory domain

Login into ISE and add ISE to the Active Directory domain by following these steps:

  1. Click Administration, External Identity Sources, AD, add
  2. Join point name / AD Domain: ehlo.lan (in this example)
  3. Enter service account, password and OU
  4. A computer account for ISE nodes is created
  5. Add groups to be used, navigate to Groups tab:
    Picture1

    1. Click Save

Create a Radius Authentication Mapping between ISE and WLC

Wireless LAN Controller Configuration:

  1. Navigate to Security, Radius, Authentication
    1. Auth Call Station ID Type: AP MAC Address: SSID
    2. MAC Delimiter: Hyphen
  2. Create a new Authentication Server entry
    1. Shared Secret format: ASCII
    2. Server status: Enabled
    3. Support for RFC 3576 (COA): Enabled
    4. Network user: Enable
    5. Management: Disable
      Picture2
  3. Navigate to Accounting
    1. Acct called station ID Type: System Mac Address
    2. MAC Delimiter: Hyphen
  4. Create a new Radius Accounting Server entryPicture3
    1. Create a RO SNMP v2c community string
      1. Navigate to Management, SNMP, Communities
      2. Create a new community string, name it “ISE_RO”, enter the IP address of the ISE appliance, ip mask: 255.255.255.255. Access Mode: Read Only, Status: Enable.
        Picture4

ISE Configuration:

  1. Administration, Network Devices
  2. Name XXXWLC01
  3. IP: Management IP of Controller
  4. Enter Model and Version
  5. Authentication Settings: Protocol: Radius, Enter shared secret, ASCII
  6. Enable SNMP, version 2c, Enter RO community string, polling interval: 3600 , Enable Link Trap Query and MAC Trap Query. Originating Policy Services Node: Auto

That’s it! In the next blog post we start configuring Authentication based on 802.1x (user authentication). This can be used for normal employee authentication.

Thanks to Dominique Hermans (follow him on Twitter) for his great help with these Cisco ISE 2.0 blog posts!