Cisco ISE 2.0 – Employee Authentication Based on 802.1x (User auth)

This is a 4-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).

For more guides about configuring (previous) Cisco ISE, see this page. This is part 2, creating authentication and authorization policies.

Create authentication policy

  1. Navigate to Policy, Authentication
  2. Edit Wired_802.1X to include Wireless_802.1X, and select the “ehlo.lan” domain store.


(more…)

Cisco ISE 2.0 Active Directory & Radius

This is a 4-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).

For more guides about configuring (previous) Cisco ISE, see this page. This is part 1, the prerequisites before you can start configuring any authentication method.

Add ISE to Active Directory domain

Log in to ISE and add ISE to the Active Directory domain by following these steps:

(more…)

Cisco WSA Policies

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:

Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware

This is the 4th part of the series.

Creating policies is one of the major (and most fun) parts of the WSA. In this blog I’ll cover the configuration of access policies and identities.

Click Web Security Manager > Access Policies


Only one policy can be applied. This is based on first match (top-down). If no policy matches, the Global Policy will be used.

First, you have to create an identity. An identity doesn’t identify a user; it identifies a client or transaction that may require authentication. Identity membership is determined before authentication is done. Policy group membership is determined after authentication is performed.

Click Web Security Manager > Identities > Add Identity and create the identity, based on IP addresses, IP ranges or IP subnets. Possible identities are:

  • Kiosk users
  • Update agents
  • Company users

(more…)

How to: Cisco WLC Tacacs/radius for management

It took some time this morning to configure a RADIUS or TACACS server for management access to a Cisco WLC. So, let’s write a short how-to:

  1. Log in to the WLC and click Security – AAA – TACACS+ (or Radius) – Authentication
  2. Click New and enter:
    • Server IP Address – IP address of the TACACS server
    • Shared secret – The configured shared secret on the TACACS server
  3. If you’re using TACACS, click Authorization and enter the same Server IP address and Shared Secret. Configuring accounting is optional.
  4. Click Security – Priority order – Management user and make sure TACACS (or Radius) is at the top of the list
