SEC0112 - ISE 1.2 Wireless 802.1X Authorization with FlexConnect (Part 1)

This video looks at Cisco ISE 1.2 wireless 802.1X authentication with a FlexConnect AP. We configure the wireless AP and SSID to operate in central switching mode and in local switching mode, and compare the authorization capabilities ISE has in each. Since local switching mode does not support a downloadable ACL (dACL), we configure a FlexConnect ACL and a FlexConnect group, and use dynamic VLAN assignment to place a wireless user on a VLAN that has the appropriate ACL mapped to it.
Part 1 of this video walks through the ISE configuration for FlexConnect central switching mode.

Topic:
  • Network Device
  • Network Device Group
  • Policy Element Result
    • Authorization (Downloadable ACL, Dynamic VLAN Assignment)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
  • WLC AP and SSID Configuration for FlexConnect
  • FlexConnect ACL
  • FlexConnect Group with ACL Mapping
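The distinction the description draws between the two switching modes is the one to check before trusting an authorization policy: a dACL that ISE returns is only enforced where the WLC forwards the traffic. The following is an added example (not code from the video, labminutes.com or Cisco) that models, for one Access-Accept, which ACL actually filters the client. The RADIUS attribute names and values are the standard ones (RFC 2868 Tunnel-* attributes, the Cisco av-pair ISE uses to name a dACL); the authorization profiles, the FlexConnect group and its ACL names are constructed sample data, and the 16-mapping limit is the one reported in the comment thread below, assumed here rather than taken from platform documentation.

```python
"""Which ACL enforces access for a FlexConnect client, by switching mode.

Added example, not code from the labminutes video or from Cisco. In central
switching the WLC forwards client traffic and applies a downloadable ACL
(dACL) returned by ISE; in local switching the AP forwards traffic, a dACL is
not applied, and access is governed by the FlexConnect ACL mapped to the
client's assigned VLAN in the FlexConnect group. Profiles and the group
below are constructed sample data.
"""
from dataclasses import dataclass, field

# RFC 2868 values ISE sends for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = "13"
TUNNEL_MEDIUM_TYPE_802 = "6"
# Cisco av-pair ISE uses to reference a dACL by name.
DACL_AVPAIR_PREFIX = "ACS:CiscoSecure-Defined-ACL="
# Limit reported in the comment thread on this page; assumed, not verified per platform.
MAX_GROUP_VLAN_MAPPINGS = 16


@dataclass
class FlexConnectGroup:
    """VLAN-to-ACL mapping configured under a FlexConnect group on the WLC."""
    name: str
    vlan_acl: dict = field(default_factory=dict)  # vlan id -> FlexConnect ACL name

    def map_vlan(self, vlan: int, acl: str) -> None:
        if vlan not in self.vlan_acl and len(self.vlan_acl) >= MAX_GROUP_VLAN_MAPPINGS:
            raise ValueError(f"group {self.name!r} already has {MAX_GROUP_VLAN_MAPPINGS} VLAN mappings")
        self.vlan_acl[vlan] = acl


def assigned_vlan(attrs: dict):
    """VLAN id carried in a complete Tunnel-* triple, else None."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_TYPE_802:
        return None
    try:
        return int(attrs.get("Tunnel-Private-Group-ID", ""))
    except ValueError:
        return None


def dacl_name(attrs: dict):
    """dACL name from the cisco-av-pair list, else None."""
    for av in attrs.get("cisco-av-pair", []):
        if av.startswith(DACL_AVPAIR_PREFIX):
            return av[len(DACL_AVPAIR_PREFIX):]
    return None


def effective_acl(mode: str, attrs: dict, group: FlexConnectGroup):
    """Return (acl_that_filters_the_client, findings) for one Access-Accept."""
    findings = []
    dacl = dacl_name(attrs)
    vlan = assigned_vlan(attrs)
    if mode == "central":
        if dacl is None:
            findings.append("no dACL in the profile; nothing from ISE filters this client")
        return dacl, findings
    if mode != "local":
        raise ValueError(f"unknown switching mode {mode!r}")
    if dacl is not None:
        findings.append(f"dACL {dacl!r} is not applied in local switching; it enforces nothing")
    if vlan is None:
        findings.append("no dynamic VLAN returned; nothing here selects a VLAN-ACL mapping")
        return None, findings
    acl = group.vlan_acl.get(vlan)
    if acl is None:
        findings.append(f"VLAN {vlan} has no ACL mapped in FlexConnect group {group.name!r}")
    return acl, findings


# Constructed sample data, named after the rules used in the comment thread.
PERMIT_ALL_CENTRAL = {"cisco-av-pair": [DACL_AVPAIR_PREFIX + "#ACSACL#-IP-PERMIT_ALL"]}
INTERNET_ONLY_LOCAL = {
    "Tunnel-Type": TUNNEL_TYPE_VLAN,
    "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
    "Tunnel-Private-Group-ID": "20",
}

GROUP = FlexConnectGroup("lm-flex-group")
GROUP.map_vlan(20, "FLEX-INTERNET-ONLY")

if __name__ == "__main__":
    for mode, attrs in (("central", PERMIT_ALL_CENTRAL),
                        ("local", PERMIT_ALL_CENTRAL),
                        ("local", INTERNET_ONLY_LOCAL)):
        print(mode, effective_acl(mode, attrs, GROUP))
```

The case worth running is the second one: a profile that is correct for central switching, reused on a locally switched SSID, returns no ACL at all. That is the silent failure the video's FlexConnect group and VLAN-ACL mapping exist to avoid, and it is why a policy review should record the switching mode next to each authorization profile rather than assume the dACL name means enforcement.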

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

10 comments

Thanks.

Hi,

I am trying to configure FlexConnect with your example, but here is what happened:

When the machine is in Domain Computers and connects to wireless, the authorization matches Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/Users/Domain Computers and the authorization is PERMIT_ALL, but when I try to connect with the user admin1 (group Network Support) on the same machine, the machine matches the rule Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/Users/Domain Computers and not Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/ISE USERS/Network Support. Can you help me?

Sequence in Authorization:
lm-wlan-win-machine if (Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/Users/Domain Computers ) then WLAN-PERMIT-ALL

lm-wlan-win-admin if (Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/ISE USERS/Network Admin ) then WLAN-PERMIT-ALL

lm-wlan-network-support if (Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/ISE USERS/Network Support ) then WLAN-INTERNET-ONLY

Do you use PEAP or EAP-TLS? Do you have the wireless profile set to both User and Computer Authentication? When user admin1 authenticated successfully, did you see a list of AD groups on the Authentication Detail page, and was Network Support one of them?

It works.

I forgot to configure the wireless profile.
Thanks.

Hi Metha,
I have already made DVA work with a single SSID:
- User A authenticates and is mapped to VLAN 10
- User B authenticates and is mapped to VLAN 20
OK, it is working fine.

Now I want to configure DVA with 20 VLANs, so I went to "FlexConnect Group with ACL Mapping" and added more VLANs, but the WLC does not allow adding more than 16 VLANs. Do you have any ideas?

Thanks

This is a limitation of the FlexConnect AP. See the link below.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configurati...

Hello

I need your help. I managed to configure these rules in my test lab using only domain users, and it worked the very first time, but after that it wouldn't allow me to connect to the same SSID even if I restarted my PC. I am using Windows 7 Enterprise.

Are there any other configurations I need to change?

What did it show in the authentication log when you couldn't connect?

How come you have access to the Internet?
With the ACL you showed, traffic to the default gateway should be blocked by the deny internal-network lines.
I am having that issue. Please advise, thanks.

An Internet-bound packet does not have the default gateway as its destination, so it is allowed. If you try to ping the default GW, however, that should be blocked. If you want the client to be able to ping the DGW, add an allow entry above the lines blocking private networks.
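The exchange above turns on first-match ACL semantics: the client's packets to the Internet carry a public destination address, so the deny lines for private ranges never match them, while a ping to the gateway is denied unless a permit for the gateway sits above those lines. The following is an added example, not code from the page or from Cisco, and it does not reproduce the WLC's FlexConnect ACL syntax; it only models the evaluation order. The gateway address, the rule set and the test packets are constructed sample data.

```python
"""First-match evaluation of an 'internet only' ACL.

Added example, not code from the page or from Cisco, and not the WLC's
FlexConnect ACL syntax. It models the reply above: with deny lines for the
RFC 1918 ranges followed by a permit-any, a packet to a public address never
matches the deny lines, while a ping to the default gateway (a private
address) does, unless a permit for the gateway is placed above them.
The gateway address and packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    dst: ipaddress.IPv4Network     # destination prefix
    protocol: str = "any"          # "any", "icmp", "tcp", "udp"


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internet_only_acl(gateway: str = None, gateway_permit_first: bool = True):
    """Deny private destinations, permit everything else.

    If a gateway is given, a host (/32) permit for it is placed either above
    the deny lines (correct) or below them, where it can never match, to show
    why the position of the entry matters.
    """
    gw_rule = [Rule("permit", ipaddress.ip_network(f"{gateway}/32"))] if gateway else []
    deny_private = [Rule("deny", net) for net in RFC1918]
    permit_any = [Rule("permit", ipaddress.ip_network("0.0.0.0/0"))]
    if gateway_permit_first:
        return gw_rule + deny_private + permit_any
    return deny_private + gw_rule + permit_any


def evaluate(acl, dst_ip: str, protocol: str) -> str:
    """Action of the first rule that matches; implicit deny if none does."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if dst in rule.dst and rule.protocol in ("any", protocol):
            return rule.action
    return "deny"


if __name__ == "__main__":
    gw = "192.168.1.1"                                                   # constructed gateway
    print(evaluate(internet_only_acl(), "93.184.216.34", "tcp"))         # permit (public address)
    print(evaluate(internet_only_acl(), gw, "icmp"))                     # deny (gateway is private)
    print(evaluate(internet_only_acl(gw), gw, "icmp"))                   # permit (entry above denies)
    print(evaluate(internet_only_acl(gw, gateway_permit_first=False), gw, "icmp"))  # deny (entry below)
```

Two practical points follow from the model. Keep the added permit scoped to the gateway host (/32, and to ICMP if ping is all that is wanted); a broader entry above the deny lines reopens the internal network the ACL exists to block. And anything else the client must reach on a private address, such as an internal DNS server, needs the same treatment: a narrow permit placed above the deny lines, not below them.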