Setting up Cisco ISE for RADIUS Services
Overview
This document presents the basic configuration of Cisco ISE 2.4.0.357 as a RADIUS server.
Pre-requisites
- Cisco ISE installed on a VM
- Latest Chrome/Firefox browser
Configuration:
The steps below configure the Cisco ISE server for RADIUS authentication to be used by Cambium products.
Step 1: Adding a new RADIUS Vendor
- Navigate to Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors
- Click Add, fill in the required fields, then click Submit.
Step 2: Adding Network Device Profiles
- Navigate to Administration > Network Resources > Network Device Profiles
- Click +Add and provide valid details.
- Select RADIUS under Supported Protocols, add the newly created RADIUS dictionary, then click Submit.
Step 3: Adding a Network Device
- Navigate to Administration > Network Resources > Network Devices
- Click +Add
- Provide the name, description and IP address/range, and select the newly created device profile.
- Leave the Network Device Group values at their defaults.
- Enable RADIUS Authentication Settings and configure the shared secret.
- Click Save.
Step 4: Creating User Identity Groups
- Navigate to Identity Management > Groups > User Identity Groups
- Click +Add, enter a group name and click Submit.
- Create four User Identity Groups, one for each role: super-admin, admin, operator and monitor.
Step 5: Creating User Identities
- Navigate to Identity Management > Identities > Users
- Click +Add and fill in the details as listed below
  - Name: name of the user (must be unique)
  - Status: Enabled by default
  - Email: email address of the user
  - Login Password: password conforming to the password policy
  - User Info and Account Options: fill in as per the details available
  - User Groups: map to the corresponding user group created in Step 4
- Click Submit
Step 6: Selecting Authentication Protocols
- Navigate to Policy > Policy Elements > Results
- Navigate to Authentication > Allowed Protocols
Note: Use the existing Default Network Access profile or create your own network access profile with a custom set of allowed protocols.
Step 7: Creating Authorization Profiles
- Navigate to Policy > Policy Elements > Results
- Navigate to Authorization > Authorization Profiles and click +Add
- Fill in the mandatory details as below
  - Name: provide a valid name
  - Access Type: ACCESS_ACCEPT
  - Network Device Profile: select the profile you created for RADIUS
  - Advanced Attributes Settings: choose the dictionary created for RADIUS, select the attribute, then enter the value to be sent in the Access-Accept response.
- Verify the result under Attribute Details.
Step 7: Creating Policy Sets
- Navigate to Policy > Policy Sets
- Click the + symbol and add the rules
- Select Default Network Access as the allowed protocols
- Click the + symbol and select the profile
- Select an existing rule from the Conditions Studio or create a new one and save it.
- Under Editor, click to add an attribute and add a rule that matches the network device profile, so that requests coming from that device's IP range hit this policy set.
- Select the new policy set, click Authentication Policy and use Internal Users.
- Click Authorization Policy - Local Exceptions and create a rule for users belonging to a particular group.
- Save the policy set.
Step 8: Configuring cnMaestro
- Navigate to Application > Users > Authentication Servers in the cnMaestro On-Premises UI to create the RADIUS server
- Configure the server name, IP address/host name, shared secret and role mapping values.
Note: The role mapping values must be the same as the values configured under Roles in each authorization policy in ISE.
Navigate to Application > Users > Authentication and set the Primary Authentication to the RADIUS server just created. The Secondary Authentication is automatically set to Local Users, which means that if the RADIUS server is not reachable, the UI can still be accessed using the Local Users database (so it is important to change the default password). If you are unable to log in to the UI, you can create a one-time password in the CLI to resolve the issue (see the User Guide for details on Application Account Recovery).
Note: cnMaestro expects a Role attribute in the Access-Accept packet received from the RADIUS server; the privileges granted to the session are derived from the value of Role and the role mappings configured in cnMaestro.
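The two notes above (the authorization profile sending a vendor attribute in Access-Accept, and cnMaestro reading a Role attribute out of that packet) are easier to reason about with a minimal Access-Accept builder and checker. The following Python is an added example, not code from Cisco, Cambium or this document: it encodes the Role as a RADIUS Vendor-Specific Attribute (RFC 2865 attribute type 26), verifies the Response Authenticator against the shared secret before trusting anything in the packet, and maps the Role value through a mapping table. The vendor ID (99999), the vendor sub-attribute number for Role (1), the shared secret and the role mapping table are all constructed placeholders; the real vendor ID and attribute number come from the RADIUS dictionary you created in Step 1.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26

# Placeholder values standing in for the dictionary created in Step 1
VENDOR_ID = 99999          # placeholder, not a real IANA enterprise number
ROLE_VENDOR_TYPE = 1       # placeholder sub-attribute number for "Role"

# Constructed role mappings; the names are the four groups from Step 4
ROLE_MAPPINGS = {
    "super-admin": "Super Administrator",
    "admin": "Administrator",
    "operator": "Operator",
    "monitor": "Monitor",
}


def vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific Attribute: type 26, vendor id, then a sub-attribute TLV."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Build an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attr_bytes = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attr_bytes))
    resp_auth = hashlib.md5(header + request_authenticator + attr_bytes + secret).digest()
    return header + resp_auth + attr_bytes


def parse_attributes(data):
    """Split a run of RADIUS TLVs into (type, value) pairs; reject malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """Check length consistency and the Response Authenticator (constant-time compare)."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def extract_role(packet, request_authenticator, secret, vendor_id=VENDOR_ID,
                 role_type=ROLE_VENDOR_TYPE):
    """Return the Role string carried in a verified Access-Accept, or None.
    None covers: bad authenticator, wrong code, malformed TLVs, or no Role VSA."""
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    try:
        for a_type, value in parse_attributes(packet[20:]):
            if a_type != ATTR_VENDOR_SPECIFIC or len(value) < 4:
                continue
            if struct.unpack("!I", value[:4])[0] != vendor_id:
                continue
            for sub_type, sub_value in parse_attributes(value[4:]):
                if sub_type == role_type:
                    return sub_value.decode("utf-8", errors="replace")
    except ValueError:
        return None
    return None


def map_role(role_value, mappings=ROLE_MAPPINGS):
    """Translate the Role value into the client-side role; unknown values get no role."""
    return mappings.get(role_value)


if __name__ == "__main__":
    # Constructed sample exchange: the request authenticator would come from the Access-Request
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    accept = build_access_accept(7, req_auth, secret, [vsa(VENDOR_ID, ROLE_VENDOR_TYPE, b"admin")])
    print(map_role(extract_role(accept, req_auth, secret)))   # Administrator
    tampered = accept[:-1] + b"x"
    print(extract_role(tampered, req_auth, secret))           # None
```

When you read a TCP dump from the Troubleshooting step, the same layout applies: the Role VSA is the type-26 attribute after the 20-byte header, and a Role value that is not one of the names configured in the cnMaestro role mappings maps to no role, which is the usual cause of a successful RADIUS authentication that still ends in a denied login.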
Step 9: Logging in to the Client
Use the credentials of the user identities created in ISE to log in to the client with the respective roles.
Step 10: Uploading Certificates for SSL/TLS Connections
- Navigate to Administration > Certificates
- Upload the certificates under System Certificates and Trusted Certificates according to the certificates available.
Step 11: Troubleshooting
1. Navigate to Work Centers > Passive ID > Troubleshoot
2. Start the TCP dump before the client connects to the RADIUS server.
3. Stop the TCP dump once the client disconnects and download the file.
4. Wireshark or any other packet analyser can be used to analyse the dump.
5. Navigate to Operations > RADIUS > Live Logs to check the entries for clients that have tried to contact the ISE RADIUS service.
6. For detailed steps, click the icon under Details in the RADIUS Live Logs table; the details open in a new tab.