Cisco ISE Part 7: Configuring wireless network devices

This is a Cisco ISE blog post series with how-tos for configuring an ISE deployment. The series consists of 10 parts.

The blog post agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, part 7: Configuring wireless network devices

Configuration

First, add the WLC as a RADIUS client.

Click: Administration – Network Resources – Network Devices. Click Add and create a network device object.

Click Select Existing condition from library, select condition, navigate to Compound condition and select wireless_802.1x.

Click Select Network Access, Allowed Protocols – Default network access. Make sure PEAP is available in this network access rule.

For the authorization profiles, click Policy – Policy Elements – Results.

Make sure you select the correct Airespace ACL name.


Create an authorization policy that assigns the authorization profile. Click Policy – Authorization. Insert a new row.

Create a new rule, select the “wireless_802.1X” compound condition from the library. To check if the user is also a domain member, add another attribute. Click Select Attribute – <domain> – <usergroup>

 

Browse to the WLC web interface.

Click Security – RADIUS – Authentication and click New. Enter the ISE policy node details.


Configure some ACLs. Click Security – Access Control Lists – Access Control List. Enter the needed ACLs.

Click Wireless, click your SSID – security tab. Select WPA+WPA2.
Click AAA servers and select the correct ISE (RADIUS) server.

Click tab Advanced and check Allow AAA Override.


Client configuration

Edit your wireless profile on your Windows PC.
Click Security – Settings, check “Connect to these servers” and enter the DNS name of the ISE policy node. In the trusted root certificate authorities list, check your CA root certificate.

Click Advanced settings and select User authentication.
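
To confirm that the client settings above actually landed on a machine, this added example (not part of the original post) audits a profile exported with `netsh wlan export profile`. The embedded profile is constructed and trimmed; the SSID, server name and thumbprint are placeholders, and `audit_profile` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed `netsh wlan export profile` output for a PEAP profile.
# SSID, server name and thumbprint are placeholders, not values from the post.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>CORP-WLAN</name>
 <MSM><security>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>user</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation><ServerNames>ise-psn.example.com</ServerNames>
       <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA></ServerValidation>
      <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation></PeapExtensions>
     </EapType></Eap>
   </Config></EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</WLANProfile>"""


def audit_profile(xml_text, expected_server):
    """Return findings for a WLAN profile; an empty list means it matches the settings above."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        # Drop the XML namespace so elements can be looked up by local name.
        values.setdefault(el.tag.rsplit("}", 1)[-1], []).append((el.text or "").strip())
    findings = []
    if "25" not in values.get("Type", []):
        findings.append("PEAP (EAP type 25) is not configured")
    if "false" in values.get("PerformServerValidation", []):
        findings.append("server certificate validation is disabled")
    # "Connect to these servers" is stored as a ';'-separated list. Windows can also
    # treat an entry as a pattern; this check only does an exact match (assumption).
    names = [n.strip() for v in values.get("ServerNames", []) for n in v.split(";") if n.strip()]
    if not names:
        findings.append("no server name set: any certificate name from a trusted CA is accepted")
    elif expected_server not in names:
        findings.append("expected server %s not in %s" % (expected_server, names))
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA selected")
    if values.get("authMode") != ["user"]:
        findings.append("authentication mode is not 'user'")
    return findings


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE, "ise-psn.example.com") or "profile OK")
```

A profile with an empty server name list or no selected root CA will still connect, so a successful test login alone does not show that server validation is enforced.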

That’s it, start testing!

Next week, part 8 of this blog post series: Inline posture and VPN