Cisco ISE 2.0 – Employee Authentication Based on 802.1x (User auth)

This is a four-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).

For more guides about configuring (previous versions of) Cisco ISE, see this page. This is part 2, creating authentication and authorization policies.

Create authentication policy

  1. Navigate to Policy, Authentication
  2. Edit the Wired_802.1X rule to include Wireless_802.1X, and select the “ehlo.lan” domain store.

Create authorization policy

  1. Navigate to Policy, Authorization
  2. Configure the policy to include the following:

[Image: Picture2]

Configure Controller WLAN Profile – 802.1x (Employee access)

  1. Navigate to WLAN and add a WLAN with the following settings:
    1. Status: Enabled
    2. Radio Policy: X
    3. Interface: X
    4. Security, Layer 2, WPA2, AES, 802.1x
    5. Security, Layer 3, None
    6. Security, AAA, select ISE Server IP for authentication & accounting
    7. Advanced, Allow AAA Override, NAC State: None
    8. DHCP Address Assignment: Required

My thought

Configuring these kinds of policies is really straightforward and easy to understand. In general, documentation about Cisco ISE is not as common as for other Cisco products (yet), but they’re still working on that. Luckily, it’s not so hard to configure these policies if you have a good starting point, as described in this blog.

That’s it! In the next blog post we start configuring the policies for guest access on the Cisco WLC.

Thanks to Dominique Hermans (follow him on Twitter) for his great help with these Cisco ISE 2.0 blog posts!