SEC0039 - ISE 1.1 802.1X Switch & WLC Recommended Config (Part 2)


The video presents the Cisco recommended switch and Wireless LAN Controller (WLC) configuration for interoperating with Cisco ISE. Most of the configuration enables 802.1X and RADIUS, while the remainder (e.g. SNMP, DHCP) supplies additional information to ISE device profiling. We use a Cisco 3750 and a vWLC in the demonstration, and we also add both to Network Devices. The video closes by walking through the switch configuration validator.

Part 2 of the video covers WLC configurations, Network Device addition, and config validator.
Topic:
  • ISE Recommended 802.1X Switch Configuration
  • ISE Recommended WLC Configuration
  • Network Devices Group
  • Network Devices
  • ISE Configuration Validator

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

7 comments

I have a Computer A. Computer A has joined the domain, and authentication and authorization succeed. But when a remote user remotes to Computer A, CPU goes higher and after a few seconds the Remote Desktop connection is lost. The authentication session on Computer A is lost. When I go to the switch, the port state (on the port connected to Computer A) changes from Authenticated to Unauthenticated. My switch is an SG200, which only supports RADIUS and 802.1X. What can I do so the remote user can remote to Computer A without losing the authentication session?

When you RDP to the computer, what do you get on the ISE RADIUS log? Was it a successful login? Do you have both user and computer authentication configured?

Thank you so much, I realize how dumb I was. I forgot to check the ISE log. It shows authentication success but authorization failed. I fixed it. Thanks again.

Hi, I have a problem with an IP phone. Authentication and authorization succeed, but the IP phone still cannot receive an IP address from DHCP. Here is my configuration:

enable
config terminal
no ip domain lookup
lin con 0
logg syn
exit

logging console information

####### 802.1x and MAB #######
aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
aaa accounting update periodic 5

radius-server host 10.145.220.19 auth-port 1812 acct-port 1813 key abcd2314

radius-server dead-criteria time 30 tries 3
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include

int vlan 195
ip add 10.145.195.245 255.255.255.0
ip helper-address 10.145.195.1
exit
ip radius source-interface vlan 195

aaa server radius dynamic-author
client 10.145.220.19 server-key abcd2314
exit

access-list 10 permit host 10.145.220.19
access-list 10 deny any log

ip access-list ext ACL_DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit ip any host 10.145.220.19
deny ip any any log
exit

dot1x system-auth-control
ip device tracking

int range f0/2-6
switchport host
switchport acc vlan 195
ip access-group ACL_DEFAULT in
spanning-tree portfast
spanning-tree bpduguard ena
authentication priority dot1x mab
authentication order dot1x mab
authentication event fail action next-method
authentication host-mode multi-auth
authentication violation restrict
dot1x pae authenticator
mab
dot1x timeout tx-period 10
authentication port-control auto
exit

And the authentication log on the switch:

PP.L1.SW01(config)#do sho auth sess int f0/5
Interface: FastEthernet0/5
MAC Address: c85b.76ac.b7bc
IP Address: 10.145.195.231
User-Name: hpt
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A91C3F5000000790161ACA3
Acct Session ID: 0x00000063
Handle: 0x3300007A

Runnable methods list:
Method State
dot1x Authc Success
mab Not run

----------------------------------------
Interface: FastEthernet0/5

MAC Address: 0007.3b93.92fc
IP Address: 10.145.195.173
User-Name: 00-07-3B-93-92-FC
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A91C3F50000007801618844
Acct Session ID: 0x00000062
Handle: 0x1C000079

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success

VLANs on the switch:

PP.L1.SW01(config)#do sho vla

VLAN Name             Status    Ports
---- ---------------- --------- -------------------------------
1    default          active
14   PP.VOICE.LAN     active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                Gi0/1, Gi0/2
195  PP.2F-IT.LAN     active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                Gi0/1, Gi0/2
311  PP.GF.MF.1F.LAN  active
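A small checker for the `show authentication sessions` output posted above, added here as an example (it is not the poster's or labminutes' code): it parses each session and flags the conditions the replies below ask about, namely a fallback to MAB, a MAB endpoint sitting in the DATA domain, and no dACL on the session. The `ACS ACL:` field name that IOS prints for an applied dACL is assumed.

```python
import re
# Constructed sample: the two f0/5 sessions from the poster's output, trimmed.
SAMPLE_SHOW_AUTH = """\
Interface: FastEthernet0/5
MAC Address: c85b.76ac.b7bc
User-Name: hpt
Domain: DATA
dot1x Authc Success
mab Not run
----------------------------------------
Interface: FastEthernet0/5
MAC Address: 0007.3b93.92fc
User-Name: 00-07-3B-93-92-FC
Domain: DATA
dot1x Failed over
mab Authc Success
"""

METHOD_RE = re.compile(r"^(dot1x|mab)\s+(.+)$")

def parse_sessions(text):
    """Split on the dashed separator; each session becomes a dict of
    'Field: value' pairs plus a 'methods' dict of {method: state}."""
    sessions = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        sess, methods = {}, {}
        for line in map(str.strip, chunk.splitlines()):
            if (m := METHOD_RE.match(line)):
                methods[m.group(1)] = m.group(2).strip()
            elif ": " in line:
                key, val = line.split(": ", 1)
                sess[key] = val.strip()
        if "MAC Address" in sess:
            sess["methods"] = methods
            sessions.append(sess)
    return sessions

def review_session(sess):
    """Findings for one session: fell through to MAB, MAB endpoint left in the
    DATA domain (a phone normally lands in VOICE), and no dACL on the session
    (IOS adds an 'ACS ACL:' line when one is applied; field name assumed)."""
    findings = []
    if sess["methods"].get("mab") == "Authc Success":
        findings.append("MAB-authenticated (dot1x: %s)" % sess["methods"].get("dot1x"))
        if sess.get("Domain") == "DATA":
            findings.append("MAB endpoint in DATA domain; phone expected in VOICE?")
    if "ACS ACL" not in sess:
        findings.append("no dACL applied; port ACL_DEFAULT still governs")
    return findings
```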

Do you have a DACL configured on the Auth Profile to override the port default ACL? It is not shown in the show auth session output.

Yes, I use the default DACL permit all, but even when I don't remove the ACL from the interface, it still cannot receive a DHCP IP. On the port connected to the IP phone, can I use the command "authentication host-mode multi-domain", or is "authentication host-mode multi-auth" OK?

Either one should be fine. Is the IP phone supposed to be on the Voice VLAN or the data VLAN? Can you check the ISE detail log to see if the DACL is pushed down to the switch? If it is, you will need to look into why it is not applied to the session.