Integrating Cisco ISE into cnMaestro for RADIUS User Login

If you are going to use Cisco ISE as your authentication server for RADIUS in cnMaestro, then hopefully this short guide will help you out.  It is not comprehensive and requires some fundamental knowledge of configuring Cisco ISE.

**I am not a Cisco ISE expert, so if you have suggestions for a more efficient profile or method, please feel free to comment.**

The author of the article linked here gave me the RADIUS attribute required and pointed me in the right direction.  Thank you moderator ‘raghavendra’!

https://community.cambiumnetworks.com/t5/cnMaestro/Integrating-RADIUS-server-with-cnMaestro/m-p/86428

Summary:

  • Use the standard RADIUS IETF Dictionary
    • Define attribute ‘209’ as ‘Role’
      • Do NOT set any values, such as ‘super’ or ‘monitor’
        • This is done in the ‘Policy Elements’ --> ‘Results’ page
    • Do NOT create a Cambium Dictionary with 17713
    • Do NOT create a Motorola Dictionary with 161
  • Define the cnMaestro attribute values
    • Example ‘Super Administrator’ as ‘super’
  • Create an ‘Authorization Profile’ under ‘Policy Elements’ --> ‘Results’ --> ‘Authorization’ --> ‘Authorization Profile’ --> Create new profile here
    • You will need one for each user type that you want to authorize (i.e. ‘super’, ‘monitor’)
  • Create ‘Authorization Policy’
    • This could be different for each company, so I will point out the result that you want, not how you should select the policy

Define the Attribute

 

Create the ‘Authorization Profile’

Create ‘Authorization Policy’

In order for the policy to get selected you will need to identify the cnMaestro server and/or user so that you can return the RADIUS attribute to the cnMaestro server.  Example: IF the user is in a specific AD group AND the device is the cnMaestro server THEN return the Cambium authorization profile expected for the respective AD group (i.e. admin = super, user = monitor).


Map Roles in cnMaestro

The role mappings are created inside the ‘Authentication Server’ in cnMaestro.  You can set these to whatever you want so long as it matches the ‘209’ ‘Role’ attribute in the authentication server.

Good Luck!

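An added example, not part of the original post: a small Python check that parses a captured RADIUS reply and confirms the role arrives as top-level attribute 209 rather than inside a Vendor-Specific attribute under vendor ID 17713 or 161. The function names, the sample packets and the 'monitor' mapping are assumptions made for illustration.

```python
import struct

ACCESS_ACCEPT = 2
ROLE_ATTR = 209            # top-level attribute the post defines as 'Role'
VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific container
AVOID_VENDORS = {17713: "Cambium", 161: "Motorola"}  # dictionaries the post says not to create
# Assumed cnMaestro role mappings; only 'super' -> 'Super Administrator' is from the post.
ROLE_MAP = {"super": "Super Administrator", "monitor": "Monitor"}


def build_reply(code, attrs, ident=1):
    """Build a constructed sample reply; the authenticator is zeroed, not a real MAC."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"\0" * 16) + body


def check_role(packet, role_map=ROLE_MAP):
    """Return (mapped_role_or_None, list_of_problems) for one RADIUS reply."""
    if len(packet) < 20:
        return None, ["packet shorter than RADIUS header"]
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        return None, [f"code {code} is not Access-Accept"]
    if length != len(packet):
        return None, ["length field does not match packet size"]
    role, problems, pos = None, [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return None, ["malformed attribute"]
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ROLE_ATTR:
            role = value.decode("utf-8", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor in AVOID_VENDORS:
                problems.append(f"VSA under {AVOID_VENDORS[vendor]} vendor id {vendor}")
        pos += alen
    if role is None:
        problems.append("attribute 209 missing")
    elif role not in role_map:
        problems.append(f"value {role!r} has no role mapping")
    return role_map.get(role), problems


if __name__ == "__main__":
    print(check_role(build_reply(2, [(1, b"doug"), (ROLE_ATTR, b"super")])))
```

Feed it the raw UDP payload of a reply taken from a packet capture between ISE and the cnMaestro server; an empty problem list means the role value reached cnMaestro in the form the post describes.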

Doug - This is awesome, and I have no doubt this will be helpful to others looking to implement a similar solution.  Thank you very much for posting!
