Setting up Cisco ISE for RADIUS Services
This document presents the basic configuration of Cisco ISE 188.8.131.527 as a RADIUS server.
The steps below configure the Cisco-ISE server for RADIUS authentication to be used by Cambium products.
Step 1: Adding new RADIUS Vendor
2. Click Add and provide proper details in the required fields, then click Submit.
Step 2: Adding Network Device Profiles
Step 3: Adding Network Device
Step 4: Creating User Identity Groups
Step 5: Creation of User Identities
Step 6: Selection of Authentication Protocols
Note: Use the existing Default Network Access or create your own network access profile with custom allowed protocols.
Step 7: Creation of Authorization Profiles
Name: Provide valid name
Access Type: ACCESS ACCEPT
Network Device Profile: Select the profile you created for RADIUS
Advanced Attributes Settings: Choose the dictionary created for RADIUS and select the Attribute, then enter the value that needs to be sent in the Access-Accept response.
Verify under Attribute Details.
Step 7: Creation of Policy Sets
Step 8: Configuration of cnMaestro
2. Configure Server name, IP address/Host name, Shared secret and Role mappings values.
Note: Role Mappings values must be the same as the values configured under Roles of each Authorization policy in ISE.
Navigate to Application > Users > Authentication and set the Primary Authentication to be the RADIUS server just created. The Secondary Authentication will be automatically set to Local Users, which means if the RADIUS server is not reachable, the UI can be accessed using the Local Users database (so it is important to change the default password). If you are unable to log into the UI, you can create a One-Time password in the CLI in order to resolve the issue (see the User Guide for details on Application Account Recovery).
Note: cnMaestro expects a Role attribute in the Access-Accept packet received from the RADIUS server. Privileges are assigned based on the value of Role and the role mappings configured in cnMaestro.
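To confirm from a packet capture that ISE really returns the Role attribute, the Access-Accept can be decoded by hand. The following is an added example, not code from this guide, Cisco or Cambium: it parses one RADIUS packet per RFC 2865, extracts a vendor-specific sub-attribute, and checks the Response Authenticator against the shared secret. The vendor ID and attribute number are placeholders (use the values from the dictionary created in Step 1), and the sample packet builder produces constructed data only.

```python
import hashlib
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
ACCESS_ACCEPT = 2      # RFC 2865 packet code
# Placeholders, NOT real values: take both from the ISE vendor dictionary.
PLACEHOLDER_VENDOR_ID, PLACEHOLDER_VENDOR_TYPE = 99999, 1

def parse_attributes(packet):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20                      # attributes follow the 20-byte header
    while pos < length:
        a_len = packet[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def vendor_role(packet, vendor_id, vendor_type):
    """Value of the given vendor sub-attribute in an Access-Accept, else None."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    for a_type, value in attrs:
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vid, v_type, v_len = struct.unpack("!IBB", value[:6])
        if vid == vendor_id and v_type == vendor_type and 2 <= v_len <= len(value) - 4:
            return value[6:4 + v_len].decode("utf-8", "replace")
    return None

def response_auth_ok(packet, request_authenticator, secret):
    """RFC 2865: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match."""
    length = struct.unpack("!H", packet[2:4])[0]
    data = packet[:4] + request_authenticator + packet[20:length] + secret
    return hashlib.md5(data).digest() == packet[4:20]

def build_sample_accept(role, vendor_id, vendor_type, request_auth, secret):
    """Constructed Access-Accept for testing the parser; not a real capture."""
    data = role.encode()
    vsa = struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data
    attrs = bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs
```

With a real capture, pass the UDP payload of the Access-Accept and the 16-byte authenticator of the matching Access-Request. A missing role points at the authorization profile, while a failed authenticator check points at a shared secret mismatch between ISE and cnMaestro.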
Step 9: Logging in to the Client
Use the credentials of the user identities created in ISE to log in to the client for the respective roles.
Step 10: Uploading Certificates for SSL/TLS Connections
1. Navigate to Work Centers > Passive ID > Troubleshoot
2. Start the TCP dump before the client connects to the RADIUS server.
3. Stop the TCP dump once the client disconnects and download the file.
4. Wireshark or any other sniffer can be used to analyse the dump.
5. Navigate to Operations > RADIUS > Live Logs to check the entries for clients that have tried to contact the ISE RADIUS service.
6. For detailed steps, click the icon under Details in the RADIUS Live Logs table. The details open in a new tab, as shown below.