Setting up Cisco-ISE for RADIUS Services to Support Cambium products

Overview

This document presents the basic configuration of Cisco ISE 2.4.0.357 as a RADIUS server for authenticating cnMaestro users.

Prerequisites

  1. Cisco ISE installed (for example on a VM)
  2. A current Chrome or Firefox browser

Configuration

The steps below configure the Cisco ISE server for RADIUS authentication of cnMaestro users. cnMaestro acts as the RADIUS client (the network device in ISE terms) and expects the user's role to be returned in the Access-Accept.

Step 1: Adding a new RADIUS Vendor

  1. Navigate to Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors
  2. Click Add, fill in the required fields (dictionary name and the vendor ID), then click Submit.
  3. Open the new dictionary and add the attribute (Role) that ISE will later send in the Access-Accept; Step 7 selects it from this dictionary.

Step 2: Adding a Network Device Profile

  1. Navigate to Administration > Network Resources > Network Device Profiles
  2. Click +Add and provide valid details.
  3. Select RADIUS under Supported Protocols, add the newly created RADIUS dictionary, then click Submit.

 

Step 3: Adding the Network Device

  1. Navigate to Administration > Network Resources > Network Devices
  2. Click +Add
  3. Provide the name, description and IP address/range of the cnMaestro server, and select the newly created device profile. Keep the range as narrow as possible: any host inside it that knows the shared secret can submit authentication requests.
  4. Leave the Network Device Group values at their defaults.
  5. Enable RADIUS Authentication Settings and configure a long, random shared secret; the same secret is entered later in cnMaestro.
  6. Click Save.

Step 4: Creating User Identity Groups

  1. Navigate to Administration > Identity Management > Groups > User Identity Groups
  2. Click +Add, enter a group name and click Submit.
  3. Create four User Identity Groups, one per cnMaestro role: super-admin, admin, operator and monitor.

 

Step 5: Creation of User Identities

  1. Navigate to Administration > Identity Management > Identities > Users
  2. Click +Add and fill in the details as follows:
     • Name: name of the user (must be unique)
     • Status: Enabled by default
     • Email: email address of the user
     • Login Password: password that satisfies the ISE password policy
     • User Info and Account Options: fill in as available
     • User Groups: map the user to the corresponding User Identity Group created in Step 4
  3. Click Submit.

 

Step 6: Selection of Authentication Protocols

  1. Navigate to Policy > Policy Elements > Results
  2. Navigate to Authentication > Allowed Protocols

Note: Use the existing Default Network Access service, or create your own allowed-protocols service that permits only the authentication protocol cnMaestro actually uses. Protocols left enabled without need only widen the attack surface.

 

Step 7: Creation of Authorization Profiles

  1. Navigate to Policy > Policy Elements > Results
  2. Navigate to Authorization > Authorization Profiles and click +Add
  3. Fill in the mandatory details:

Name: a descriptive name (one profile per role, e.g. one each for super-admin, admin, operator and monitor)

Access Type: ACCESS_ACCEPT

Network Device Profile: select the profile created for RADIUS in Step 2

Advanced Attributes Settings: choose the dictionary created in Step 1, select the Role attribute, then enter the value that is to be sent in the Access-Accept response for this role.

Verify the resulting attribute/value pair under Attribute Details before submitting.

Step 8: Creation of Policy Sets

  1. Navigate to Policy > Policy Sets
  2. Click the + symbol to add a new policy set.
  3. Select Default Network Access (or the allowed-protocols service from Step 6) as Allowed Protocols.
  4. Click the + symbol next to Conditions; in the Conditions Studio, pick an existing condition or create a new one and save it.
  5. In the editor, click to add an attribute and build a condition that matches the network device profile created in Step 2, so that only requests coming from the cnMaestro device entry (its IP address or range) hit this policy set.
  6. Open the new policy set, expand Authentication Policy and select Internal Users as the identity source.
  7. Expand Authorization Policy - Local Exceptions and create one rule per role: the condition matches the corresponding User Identity Group from Step 4, and the result is the authorization profile from Step 7 that sends that role's value.
  8. Save the policy set.

Step 9: Configuration of cnMaestro

  1. In the cnMaestro On-Premises UI, navigate to Application > Users > Authentication Servers and create the RADIUS server.
  2. Configure the server name, IP address/host name, shared secret (the one configured for the network device in Step 3) and the role-mapping values.

Note: The role-mapping values must be identical to the values of the Role attribute sent by the corresponding authorization profiles in ISE (Step 7); the privileges a user receives depend on that match.

Navigate to Application > Users > Authentication and set the Primary Authentication to the RADIUS server just created. The Secondary Authentication is automatically set to Local Users, which means that if the RADIUS server is not reachable the UI can still be accessed with the local user database, so it is important to change the default local password. If you are unable to log in to the UI, you can create a one-time password in the CLI to recover access (see the User Guide for details on Application Account Recovery).

Note: cnMaestro expects the Role attribute in the Access-Accept packet received from the RADIUS server; the privileges granted are derived from the value of Role and the role mappings configured in cnMaestro.
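The following Python script is an added example and is not part of the original article, nor Cambium or Cisco code. It shows on the wire what Step 1 and Step 7 configure and what the note above says cnMaestro expects: an Access-Request carrying User-Name and the RFC 2865 hidden User-Password, and an Access-Accept carrying the Role as a Vendor-Specific attribute (type 26) from the custom dictionary, protected by a Response Authenticator computed with the shared secret. The vendor ID (99999), the vendor attribute number (1) and the shared secret are placeholders, not the real dictionary values; build_access_accept() stands in for ISE so the demo runs offline, and check_response() is the check a RADIUS client should perform before trusting the Role. The same parse_attributes() logic applies to the UDP payloads seen in the TCP dump of the troubleshooting step.

```python
"""RFC 2865 RADIUS on the wire, stdlib only: hide a User-Password, encode the
Role as a Vendor-Specific attribute, and verify an Access-Accept before
trusting it. Constructed demo; no network I/O."""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26

# Placeholders, not Cambium's real dictionary values: use the vendor ID and the
# attribute number you gave the Role attribute in the ISE RADIUS vendor dictionary.
VENDOR_ID = 99999
VSA_ROLE_TYPE = 1


def _xor_blocks(data, secret, authenticator, encrypt):
    """RFC 2865 s5.2: block i is XORed with MD5(secret + previous ciphertext
    block); the first block uses the Request Authenticator as 'previous'."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if encrypt else block  # always chain on the ciphertext
    return out


def hide_password(password, secret, authenticator):
    """Client side: pad with NULs to a 16-byte multiple, then hide."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    """Server side. Strips the NUL padding (a password ending in NUL is not representable)."""
    return _xor_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vendor_specific(vendor_id, vendor_type, value):
    """Attribute 26: 4-byte vendor ID followed by a vendor TLV (same layout)."""
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attribute(vendor_type, value))


def parse_attributes(body):
    """Yield (type, value) pairs; reject truncated or zero-length TLVs."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        length = body[pos + 1]
        yield body[pos], body[pos + 2:pos + length]
        pos += length


def build_access_request(ident, username, password, secret, authenticator=None):
    """What the RADIUS client (cnMaestro) sends. The 16 random bytes of the
    Request Authenticator also key the password hiding."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(request, secret, role):
    """Stand-in for ISE: echo the identifier, carry the Role VSA, and sign with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = vendor_specific(VENDOR_ID, VSA_ROLE_TYPE, role.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def check_response(response, request, secret):
    """Client side: verify the reply belongs to our request and was signed with
    the shared secret, THEN read the Role. Returns (accepted, role); raises
    ValueError on a forged, replayed or mismatched reply."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("identifier/length mismatch")
    attrs = response[20:]
    expected = hashlib.md5(response[:4] + request[4:20] + attrs + secret).digest()
    if not secrets.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    role = None
    for attr_type, value in parse_attributes(attrs):
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_ID:
            for vendor_type, vendor_value in parse_attributes(value[4:]):
                if vendor_type == VSA_ROLE_TYPE:
                    role = vendor_value.decode()
    return code == ACCESS_ACCEPT, role


def is_authentic(response, request, secret):
    """True only if check_response() accepts the reply without raising."""
    try:
        check_response(response, request, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed demo value
    req = build_access_request(7, "ise-operator", "S3cret!", secret)
    print(check_response(build_access_accept(req, secret, "operator"), req, secret))
```

Two points the script makes concrete: the Role value travels in clear text inside the VSA, so its integrity rests entirely on the Response Authenticator and therefore on the shared secret (a weak or shared-across-devices secret lets anyone on the path hand out super-admin); and a wrong secret does not cause an obvious "secret mismatch" but garbles the hidden User-Password, which ISE then logs as a credential failure.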

Step 10: Logging in to the Client

Log in to cnMaestro with the credentials of the user identities created in ISE; each user receives the privileges of the role mapped to its User Identity Group.

Step 11: Uploading Certificates for SSL/TLS Connections

  1. Navigate to Administration > Certificates
  2. Upload the certificates under System Certificates and Trusted Certificates as required by the certificates available to you.

Step 12: Troubleshooting

  1. Navigate to Work Centers > PassiveID > Troubleshoot (the TCP Dump tool is also reachable under Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump).
  2. Start the TCP dump before the client (cnMaestro) sends its first authentication request to the RADIUS server.
  3. Stop the TCP dump once the login attempt has completed and download the file.
  4. Open the dump in Wireshark or another protocol analyser. Wireshark decodes RADIUS on UDP/1812 by default; confirm that the Access-Request reaches ISE and that the Access-Accept carries the Vendor-Specific Role attribute with the expected value. If you enter the shared secret in the RADIUS protocol preferences, Wireshark also decodes the hidden User-Password, so treat such captures as sensitive.
  5. Navigate to Operations > RADIUS > Live Logs and check the entries of the clients that have tried to contact the ISE RADIUS service. Failed entries show a failure reason; note that a shared-secret mismatch does not appear as such but as a credential failure, because the hidden password decrypts to garbage.
  6. For detailed steps, click the icon under Details in the RADIUS Live Logs table; the authentication report opens in a new tab.
