Configure cisco ISE for Cisco Access Points

Let’s say you have been asked to configure ISE to allow secured network access for Cisco Wireless Access Points.

To do so you should :

· Enable the ISE endpoint profile for Cisco Access Points

· Configure an Authorization Profile and Authorization Policy rule for Cisco Access Points

· Review the access switch configuration to authorize an access point using MAC Authentication Bypass (MAB).

· Verify proper authorization of a Cisco Access Point based on ISE policy

 

Login to ISE

The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.

Configure the Profiler Policy to assign endpoints matching a Cisco Access Point profile to an Identity Group  called  “Cisco-Access-Points” .

Navigate to Policy > Profiling and select Cisco-Access-Point from the list of Endpoint Policies, verify that the policy is enabled (Policy Enabled checkbox is checked) and check the option Create Matching Identity Group.

Do not forget to save otherwise it will not work

Now define an Authorization Profile for Cisco Access Points.

Navigate to Policy > Policy Elements > Results and double-click Authorization to expand its contents.

Select Authorization Profiles from the left-hand pane and click Add from the right-hand pane and enter the values for the Authorization Profile as shown below:

Attribute	Value
Name	Cisco_Access_Points
Description	Permit access to Cisco Access Points
Access Type	ACCESS_ACCEPT
Common Tasks
DACL Name	[ ✓ ] PERMIT_ALL_TRAFFIC
VLAN	90 (or 1:90)

The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT Tunnel-Private-Group-ID = 1:90 Tunnel-Type = 1:13 Tunnel-Medium-Type = 1:6 DACL = PERMIT_ALL_TRAFFIC

finally click Submit to apply your changes.

Now we should configure a new Authorization Policy rule to assign the new Cisco_Access_Points profile to endpoints that match the Identity Group named Cisco-Access-Point.

To do so go to Policy > Authorization and insert a new rule below the Profiled Cisco IP Phones rule as shown in the policy table below. Use the selector at the end of a rule entry to insert or duplicate rules.

Enter the following values for a new rule named Profiled Cisco Access Points:

Status	Rule Name	Identity Groups	Other Conditions	Permissions
	Profiled Cisco IP Phones	Cisco-IP-Phone	–	Cisco_IP_Phones
	Profiled Cisco Access Points	Cisco-Access-Point	–	Cisco_Access_Points
…

 

Don’t forget to  Save when finished making policy updates.

Hint: Verify proper authorization of the wireless access point.

check the status of the port, eventually give the No Shut command in the configuration mode for the selected interface.

check the auth status with:

cisco-access# show authentication sessions interface gi0/x

or

cisco-access(config-if)# do sh auth sess int gi0/x

keep in mind you could need a few minutes to allow the result to be shown (between bootstraps and stuffs…)

To display the current dACL applied to the interface using the command show ip access-lists interface GigabitEthernet 0/3. The output should appear similar to the following:

cisco-access(config-if)# do sh ip access-list int gi0/3 permit ip host 10.1.90.100 any

 

To verify the Cisco Wireless Access Point authentication in the ISE go to Monitor > Authentications log:

S	Username	Endpoint ID	IP Address	NAD	Device Port	AuthZ Profiles	Identity Group	Event
✓	#ACSACL#-IP-PERMIT_ALL_TRAFFIC			3k-access			Authorize Only	DACL Download
✓	nn:nn:nn:nn:nn:nn	nn:nn:nn:nn:nn:nn	10.1.10.100	3k-access	Gi0/3	Cisco_Access_Points	Cisco-Access-Point	Auth Succeeded

Note: The access point periodically attempts to renew its IP address if no network connectivity. The default port ACL on the switch allows access to DHCP services, so the access point initially receives an IP address in the default access VLAN 10 (10.1.100.10). Once authorized for VLAN 90, the access point will renew its IP address in the new VLAN (10.1.90.100).
The authentication event in the above log reflects the IP address learned at the time of authentication. The access list applied to this session reflects the final endpoint IP address using variable substitution of the “any” value in the dACL’s source IP address.

Related articles

• California Schools Deploy Wired/Wireless Solution Cost-Effectively (blogs.cisco.com)
• Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers (netsecurityit.wordpress.com)
• Revving for the Mobility Race (blogs.cisco.com)
• Cisco launches new Aironet wireless access points; Eyes more spatial streams (zdnet.com)
• Cisco first out the door with next-gen hotspot (gigaom.com)
• Cisco rolls out 4×4 MIMO Wi-Fi access point (nfcdata.com)
• Wireless access point with updates (ask.metafilter.com)
• Cisco rolls out 4×4 MIMO Wi-Fi access point (fiercebroadbandwireless.com)
• PCProfile Releases New Wi-Fi Software to Reduce Risk of Bandwidth Theft (prweb.com)
• Cisco Aims Wi-Fi Access Point at iPad Profusion (pcworld.com)

Related Posts via Taxonomies

• PostOffice: New Cisco securtity report
• Security and Datacenters
• Is Big C missing the point on security?
• ISE basic installation and configuration. Part 2
• Today ISE training day 1
• Sex, Love, and Little Scams
• The Cyber Resilience Act: Because One More Cybersecurity Requirement Couldn’t Hurt, Right?
• Cybersecurity Regulation: A Global Overview of Standards and Regional Approaches Influenced by Legal Systems
• Shrems II, Data transfer, and the USA: wheels are rolling.
• Please help me to share for my phishing friend sake

To the official site of Related Posts via Taxonomies.

Configure cisco ISE for Cisco Access Points by The Puchi Herald Magazine is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.