Integrating Cisco ISE as a RADIUS server for enterprise APs

Setting up Cisco ISE for RADIUS Authentication to Support Cambium cnPilot Products.

Setting up Cisco ISE for RADIUS Services


Overview

This document presents a basic configuration of Cisco ISE 2.4.0.357 as a RADIUS server.


Pre-requisites

  1. Cisco ISE installed on a VM
  2. Latest Chrome/Firefox browser

Configuration:

The steps below configure the Cisco ISE server for RADIUS authentication to be used by Cambium products.

Step 1: Adding a new RADIUS Vendor

1. Navigate to Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors

2. Click Add, fill in the required fields, then click Submit.

Step 2: Adding Network Device Profiles

1. Navigate to Administration > Network Resources > Network Device Profiles and click +Add

2. Provide valid details and click Submit

Step 3: Adding a Network Device

1. Navigate to Administration > Network Resources > Network Devices
2. Click +Add
3. Provide the Name, Description and IP Address/Range
4. Select the device profile created in the previous step
5. Leave the Network Device Group values at their defaults
6. Enable RADIUS Authentication Settings and configure the Shared Secret (the same secret must be entered on the AP later, in Step 9)
7. Click Save

Step 4: Creating User Identities

1. Navigate to Identity Management > Identities >  

2. Click + Add and fill in the details as listed below
3. Name: name of the user (must be unique)
4. Status: Enabled by default
5. Email: email address of the user (optional)
6. Login Password: password conforming to the password policy
7. User Custom Attributes: assign a role to the user
8. Click Submit

Step 5: Selection of Authentication Protocols

1. Navigate to Policy > Policy Elements > Results
2. Navigate to Authentication > Allowed Protocols and select the protocols the APs will use

Step 6: Creation of Authorization Profiles

1. Navigate to Policy > Policy Elements > Results
2. Navigate to Authorization > Authorization Profiles and click + Add
3. Name: provide a valid name
4. Access Type: ACCESS_ACCEPT
5. Network Device Profile: select the profile you created for RADIUS
6. Click Submit

Step 7: Creation of Policy Sets

1. Navigate to Policy > Policy Sets
2. Click the + symbol and add the rules
3. Select Allowed Protocols as “solution_team_network_access”

4. Click the + symbol to open the Conditions Studio; select an existing condition there or create a new one and save it
5. Click Editor to add an attribute and add a rule that equals the Network Device Profile, so that requests coming from the configured device IP ranges match this policy set

6. Select the new policy set, click Authentication Policy and use Internal Users
7. Select the appropriate Authorization Policy
8. Save the policy

Step 8: Troubleshooting

1. Navigate to Work Centers > Passive ID > Troubleshoot
2. Start the TCP dump before the client connects to the RADIUS server
3. Stop the TCP dump once the client disconnects and download the file
4. Wireshark or any other packet analyser can be used to analyse the dump

5. Navigate to Operations > RADIUS > Live Logs to check the entries for clients that have tried to contact the ISE RADIUS service

6. For detailed steps, click the icon under Details in the RADIUS Live Logs table; the details open in a new tab as shown below
7. For session trace details, click Troubleshoot and select Session Trace Tests

Step 9: cnPilot Configuration

1. Navigate to WLAN > Create/Select the WLAN where “WPA2 Enterprise” is enabled
2. Select the RADIUS Server tab of the respective WLAN and enter the ISE address and the shared secret configured in Step 3

The PDF version of the document is available below.

Hi Anand,


We have a PMP450i that is configured to authenticate with ISE for device administration.

From other Cambium documents, it appears that we need to use the following attribute:

Cambium-Canopy-UserLevel=3
Cambium-Canopy-UserMode=0

in the Authorization Profile under "Advanced Attributes Settings". This is as per
https://community.cambiumnetworks.com/t5/PMP-450/SM-ADMIN-User-privilege-level-for-radius-server-based/td-p/76145

Also, to be able to use the above attribute, it needs to be added to ISE Radius Vendor's dictionary at
Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors


Q1. What is the Vendor Attribute ID for "Cambium-Canopy-UserMode" and is it really required for device administration with Radius?

Q2. Cambium Vendor code seems to be 161 per the document below
https://usermanual.wiki/Cambium-Networks/50450M.USER-MANUAL-PART-3/info
but above document says it is 17713.

Please confirm which one is correct.

Q3. When we use PAP method for authentication and just use "Cambium-Canopy-UserLevel=3" or "Canopy-User-Level=3" or even both as per
https://community.cambiumnetworks.com/t5/cnMaestro/Setting-up-Cisco-ISE-for-RADIUS-Services-to-Support-Cambium/td-p/91013
and
https://community.cambiumnetworks.com/t5/PMP-450/PMP450-Radius-and-Universal-Admin-account/td-p/75326

We see ISE shows successful authentication and the correct authorization result (ISE sending the required attributes) is pushed, but we are not able to log into the PMP450i.

Radius logs on the PMP450i show the following

11/21/2019 : 02:37:19 UTC : Radius Request sent with auth type as PAP
11/21/2019 : 02:37:19 UTC : PAP Start sent
11/21/2019 : 02:37:20 UTC : PAP: Access Accept received from radius server
11/21/2019 : 02:37:20 UTC : PAP: UserAccessError noinfo

Is this a known issue ?

Regards,
Dinesh
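When ISE reports success but the device still logs "Access Accept received" followed by "UserAccessError", the quickest check is to decode the Access-Accept captured in Step 8 and confirm which Vendor-Specific attributes (RADIUS type 26, RFC 2865) are actually on the wire: the vendor ID and vendor-type ISE sends must match the dictionary the device expects. The decoder below is an added example, not code from the original post, Cisco or Cambium; the sample attribute list is constructed, and the vendor-type 1 and integer value 3 in it are placeholders, not Cambium's real dictionary values (the two vendor IDs are the ones this thread mentions).

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26

def parse_attributes(data: bytes) -> list:
    """Split a RADIUS attribute list into [(type, value)]; each TLV length covers its 2-byte header."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def parse_vsa(value: bytes) -> list:
    """Decode one Vendor-Specific value into [(vendor_id, vendor_type, payload)] (one VSA may carry several sub-attributes)."""
    if len(value) < 6:
        raise ValueError("VSA shorter than vendor-id plus one sub-attribute header")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        out.append((vendor_id, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return out

def list_vsas(data: bytes) -> list:
    """All (vendor_id, vendor_type, payload) triples found in an attribute list."""
    return [v for t, val in parse_attributes(data) if t == VENDOR_SPECIFIC for v in parse_vsa(val)]

def build_vsa(vendor_id: int, vendor_type: int, payload: bytes) -> bytes:
    """Encode one VSA; used here only to build the constructed sample below."""
    sub = bytes([vendor_type, 2 + len(payload)]) + payload
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

# Constructed sample: Reply-Message (18) followed by one VSA per vendor ID named in the thread.
SAMPLE = (bytes([18, 4]) + b"ok"
          + build_vsa(17713, 1, struct.pack("!I", 3))   # placeholder vendor-type/value
          + build_vsa(161, 1, struct.pack("!I", 3)))    # placeholder vendor-type/value

if __name__ == "__main__":
    for vid, vtype, payload in list_vsas(SAMPLE):
        print(f"vendor-id={vid} vendor-type={vtype} payload={payload.hex()}")
```

Feed the attribute section of the real Access-Accept (everything after the 20-byte RADIUS header) into list_vsas and compare the vendor ID it prints with the one in the device's RADIUS dictionary.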