
Setting up Cisco-ISE for RADIUS Services to Support Cambium products


Setting up Cisco ISE for RADIUS Services

 

Overview

This document presents the basic configuration of Cisco ISE 2.4.0.357 as a RADIUS server.

Pre-requisites

  1. Cisco ISE installed on a VM
  2. Latest Chrome/Firefox browser

Configuration:

The steps below configure the Cisco-ISE server for RADIUS authentication to be used by Cambium products.

Step 1: Adding a new RADIUS Vendor

  1. Navigate to Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors

Fig-1.png

 

  2. Click Add, provide the details in the required fields, then click Submit.

 

Fig-2.png

 

Fig-3.png

 

Step 2: Adding Network Device Profiles

  1. Navigate to Administration > Network Resources > Network Device Profiles

 Fig-4.png

 

  2. Click +Add and provide valid details.

 Fig-5.png

 

  3. Select RADIUS under Supported Protocols, add the newly created RADIUS dictionary, then click Submit.

 Fig-6.png

 

Step 3: Adding Network Device

  1. Navigate to Administration > Network Resources > Network Devices
  2. Click +Add

 Fig-7.png

 

  3. Provide the Name, Description and IP Address/Range, and select the newly created device profile.
  4. Leave the Network Device Group values at their defaults.
  5. Enable RADIUS Authentication Settings and configure the Shared Secret.

 

Fig-8.png

 

  6. Click Save.

Step 4: Creating User Identity Groups

  1. Navigate to Identity Management > Groups > User Identity Groups

 

 Fig-9.png

 

  2. Click +Add, enter a group name and submit.
  3. Create four User Identity Groups, one for each role: super-admin, admin, operator and monitor.

Fig-10.png 

 

Step 5: Creation of User Identities

  1. Navigate to Identity Management > Identities > Users

 

Fig-11.png

 

  2. Click + Add and fill in the details as described below:
  • Name: Name of the user (must be unique)
  • Status: Enabled by default
  • Email: Email address of the user
  • Login Password: Password as per the password policy
  • User Info and Account Options: fill in as per the details available
  • User Groups: Map to the corresponding user groups created

 

  3. Click Submit.

 

 Fig-12.png

 

Step 6: Selection of Authentication Protocols

  1. Navigate to Policy > Policy Elements > Results

 Fig-13.png

 

  2. Navigate to Authentication > Allowed Protocols

 Fig-14.png

Note: Use the existing Default Network Access or create your own network access profile with custom allowed protocols.

 Fig-15.png

 

Step 7: Creation of Authorization Profiles

  1. Navigate to Policy > Policy Elements > Results

 Fig-16.png

 

  2. Navigate to Authorization > Authorization Profiles and click + Add

Fig-17.png

 

  3. Fill in the mandatory details as below

 

Fig-18.png

 

Name: Provide valid name

Access Type: ACCESS ACCEPT

Network Device Profile: Select the profile you created for RADIUS

Advanced Attributes Settings: Choose the dictionary created for RADIUS and select the attribute, then enter the value that needs to be sent in the Access-Accept response.

Verify under Attribute Details.

 

Fig-19.png

 

Step 7: Creation of Policy Sets

  1. Navigate to Policy > Policy Sets

 Fig-20.png

 

  2. Click on the + symbol and add the rules

Fig-21.png

 

  3. Select Allowed Protocols as Default Network Access

Fig-22.png

 

  4. Click on the + symbol and select the profile

Fig-23.png 

 

  5. The user can select existing rules from the Conditions Studio or create a new one and save it.
  6. Under Editor, click to add an attribute and add a rule that equals the Network Device Profile, so that requests coming from particular device IP ranges hit this policy.
  7. Select the new policy, click on Authentication Policy and use Internal Users.

Fig-24.png 

 

  8. Click on Authorization Policy - Local Exceptions and create a rule for users belonging to a particular group.
  9. Save the policy.

Step 8: Configuration of cnMaestro

    

  1. Navigate to Application > Users > Authentication Servers in the cnMaestro On-Premises UI to create the RADIUS Server

Fig-27.png

 

  2. Configure the Server name, IP address/Host name, Shared secret and Role Mappings values.

Note: Role Mappings values must be the same as the values configured under Roles of each Authorization policy in ISE.

Navigate to Application > Users > Authentication and set the Primary Authentication to be the RADIUS server just created. The Secondary Authentication will be automatically set to Local Users, which means if the RADIUS server is not reachable, the UI can be accessed using the Local Users database (so it is important to change the default password). If you are unable to log into the UI, you can create a One-Time password in the CLI in order to resolve the issue (see the User Guide for details on Application Account Recovery).

Note: cnMaestro expects a Role attribute in the Access-Accept packet received from the RADIUS server; the privileges are applied based on the value of Role and the role mappings in cnMaestro.

 

Fig-26.png

 

Step 9: Logging in to the Client

Use the credentials of the user identities created in ISE to log in to the client for the respective roles.

Step 10: Uploading certificates for SSL/TLS Connections

  1. Navigate to Administration > Certificates
  2. Upload the certificates under System Certificates and Trusted Certificates, depending on which certificates are available.

Identity Services Engine - Google Chrome 2018-08-02 13.19.33.png

Step 11: Troubleshooting

 1. Navigate to Work Centers > Passive ID > Troubleshoot

 2. Start the TCP dump before the client connects to the RADIUS server.

 3. Stop the TCP dump once the client disconnects and download the file.

 4. Wireshark or any other sniffer can be used to analyse the dump.

Fig-28.png

 5. The user can navigate to Operations > RADIUS > Live Logs and check the entries for clients that have tried to contact the ISE RADIUS service.

Fig-29.png

 6. For detailed steps, click on the icon under Details in the RADIUS Live Logs table; the details open in a new tab as shown below.

 

Fig-30.png
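
To confirm from the capture taken in Step 11 that the Access-Accept carries the Role attribute cnMaestro expects (Step 8) and that the shared secret matches on both sides, the following added example (not part of the original post, and not Cisco or Cambium code) verifies the RADIUS Response Authenticator as defined in RFC 2865 and extracts the vendor-specific attribute. The vendor ID 99999, attribute number 1, shared secret and sample packet are constructed placeholders; substitute the values entered in the RADIUS vendor dictionary in Step 1.

```python
import hashlib
import hmac
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries vendor attributes (RFC 2865)
ACCESS_ACCEPT = 2     # RADIUS packet code for Access-Accept

def parse_vsas(attrs):
    """Return [(vendor_id, vendor_type, value)] found in a RADIUS attribute block."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id, j = struct.unpack("!I", body[:4])[0], 4
            while j + 2 <= len(body):  # walk the vendor sub-attributes
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed sub-attribute length")
                out.append((vendor_id, vtype, body[j + 2:j + vlen]))
                j += vlen
        i += alen
    return out

def check_access_accept(packet, request_auth, secret, vendor_id, role_type):
    """Verify the Response Authenticator, then return the Role value or None."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    # RFC 2865: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: shared secret differs")
    for vid, vtype, value in parse_vsas(attrs):
        if vid == vendor_id and vtype == role_type:
            return value.decode("utf-8")
    return None  # authenticated reply, but no Role attribute was sent

def build_sample(secret, request_auth, vendor_id, role_type, role):
    """Build a constructed Access-Accept for testing (not a real capture)."""
    sub = bytes([role_type, 2 + len(role)]) + role
    vsa = bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub
    head = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(vsa))
    auth = hashlib.md5(head + request_auth + vsa + secret).digest()
    return head + auth + vsa
```

For a real capture, pass the UDP payload of the Access-Accept as `packet` and the 16-byte Authenticator field of the matching Access-Request as `request_auth`.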