Setting up Cisco-ISE for RADIUS Authentication to Support Cambium cnPilot Products.
Setting up Cisco ISE for RADIUS Services
Overview
This document presents the basic configuration of Cisco ISE 2.4.0.357 as a RADIUS server.
Prerequisites
- Cisco ISE installed on a VM
- Latest Chrome/Firefox browser
Configuration:
The steps below configure the Cisco ISE server for RADIUS authentication to be used by Cambium products.
Step 1: Adding a new RADIUS Vendor
1. Navigate to Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors
2. Click Add, provide the details in the required fields, then click Submit.
Step 2: Adding Network Device Profiles
1. Navigate to Administration > Network Resources > Network Device Profiles > Click +Add
2. Provide valid details and submit
Step 3: Adding Network Device
1. Navigate to Administration > Network Resources > Network Devices
2. Click +Add.
3. Provide the Name, Description and IP Address/Range.
4. Select the device profile created in the previous step.
5. Leave the Network Device Group values at their defaults.
6. Enable RADIUS Authentication Settings and configure the shared secret.
7. Save
Step 4: Creating User Identities
1. Navigate to Identity Management > Identities >
2. Click + Add and fill in the details as described below
3. Name: Name of the user (must be unique)
4. Status: Enabled by default
5. Email: Email address of the user (optional)
6. Login Password: Password as per the password policy
7. User Custom Attributes: Assign a role for the user
8. Click Submit
Step 5: Selection of Authentication Protocols
1. Navigate to Policy > Policy Elements > Results
2. Navigate to Authentication > Allowed Protocols
Step 6: Creation of Authorization Profiles
1. Navigate to Policy > Policy Elements > Results
2. Navigate to Authorization > Authorization Profiles and click + Add
3. Name: Provide a valid name
4. Access Type: ACCESS ACCEPT
5. Network Device Profile: Select the profile you created for RADIUS
6. Click on Submit
Step 7: Creation of Policy Sets
1. Navigate to Policy > Policy Sets
2. Click the + symbol and add the rules.
3. Select Allowed Protocols as “solution_team_network_access”.
4. Click the + symbol and open the Conditions Studio. You can select an existing rule from the Conditions Studio or create a new one and save it.
5. Click Editor to add an attribute, and add a rule that equals the Network Device Profile, so that requests coming from particular device IP ranges hit this policy.
6. Select the new policy, click Authentication Policy, and use Internal Users.
7. Select the appropriate Authorization Policy.
8. Save the policy.
Step 8: Troubleshooting
1. Navigate to Work Centers > Passive ID > Troubleshoot
2. Start the TCP dump before the client connects to the RADIUS server.
3. Stop the TCP dump once the client disconnects, and download the file.
4. Wireshark or any other sniffer can be used to analyse the dump.
5. Navigate to Operations > RADIUS > Live Logs to check the entries for clients that have tried to contact the ISE RADIUS service.
6. For detailed steps, click the icon under Details in the RADIUS Live Logs table; the details open in a new tab.
7. For session trace details, click Troubleshoot and select Session Trace Tests.
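The following is an added example, not part of the original guide and not Cisco or Cambium code. Given raw RADIUS payloads exported from the capture taken above, it checks whether they verify against the shared secret configured in Step 3; a secret mismatch between the access point and ISE shows up as an authenticator that does not verify. It follows RFC 2865 (Response Authenticator) and RFC 2869 (Message-Authenticator); the function names and the sample exchange are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869

def parse(packet: bytes):
    """Return (identifier, authenticator, trimmed packet, Message-Authenticator value offset or None)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    packet, pos, ma_off = packet[:length], 20, None  # drop padding after Length
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        if packet[pos] == MESSAGE_AUTHENTICATOR and packet[pos + 1] == 18:
            ma_off = pos + 2
        pos += packet[pos + 1]
    return ident, packet[4:20], packet, ma_off

def request_secret_ok(request: bytes, secret: bytes) -> bool:
    """Access-Request: Message-Authenticator = HMAC-MD5(secret, packet with that field zeroed)."""
    _, _, pkt, off = parse(request)
    if off is None:
        raise ValueError("no Message-Authenticator attribute (required with EAP)")
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off:off + 16])

def response_secret_ok(request: bytes, response: bytes, secret: bytes) -> bool:
    """Reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+secret)."""
    req_id, req_auth, _, _ = parse(request)
    resp_id, resp_auth, pkt, _ = parse(response)
    if req_id != resp_id:
        return False  # reply does not belong to this request
    digest = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(digest, resp_auth)

def constructed_exchange(secret: bytes):
    """Constructed sample (not a real capture): Access-Request plus a matching Access-Accept."""
    body = bytes([1, 7]) + b"alice" + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    req = struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(range(16)) + body
    req = req[:-16] + hmac.new(secret, req, hashlib.md5).digest()
    hdr = struct.pack("!BBH", 2, 7, 20)
    return req, hdr + hashlib.md5(hdr + req[4:20] + secret).digest()
```

To use it on a real capture, pass the UDP payload bytes of the request and of its reply, with the shared secret as bytes.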
Step 9: cnPilot Configuration
1. Navigate to WLAN and create or select the WLAN where “WPA2 enterprise” is enabled.
2. Select the Radius server tab of the respective WLAN.
The PDF version of the document is available below