View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0035 - ISE 1.1 Device Admin RADIUS Authentication

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0035 - Video Download $7.00
Purchase SEC0035 - Video Download $7.00

 

The video walks you through how to configure Cisco ISE to provide device admin authentication via RADIUS. We will enable AAA on a Cisco switch, perform a test using telnet, and determine specific attributes in RADIUS request to construct a more accurate authentication rule. Both AD and Internal Users will be used as user databases. You will see that, while ISE (as of version 1.1.2) still lacks on TACACS+, RADIUS is equally practical for device admin authentication. 
 
Topic
  • Identities Group
  • Identities
  • Network Device Group
  • Network Device
  • RADIUS Authentication
  • Authentication Policy
  • Authentication Policy Element (Result)

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.

14 comments

Hi, I think there is something wrong with this video, after few secs it stops, regards

We are able to view this video without any issue. Would you be able to try on a different browser or computer?

Please i need to work on the Cisco ISE and i haven't done anything with this before. i need to implement it in my networking project and i have been reading some materials lately and i stumbled on this site and it's also very helpful.

*Please suggest to me all what i need to set the Cisco ISE running
*Do i need the VMSphere for housing the ISE and Windows server 2008?
*can you suggest me also a test scenario in which i can pratice (Similar Lab Example)?

i decided to emback on this project because i love new challenges, guys kindly help me with all relevant information i need to know about setting up the Cisco ISE and testing it

Is this just for lab or preparing for production?

Yes, it is just for lab testing and practice. I saw it on this site, if i am not mistaken, The Cisco ISE was installed on a VMware sphere with windows server 2008 and some testings were done. since i am kind of new to this i would like to know the procedures in achieving this setup.

Thank you very much for the initial reply. looking forward to hearing from you.

All the hardware you need are an ESXi server and a compatible Cisco switch. On ESXi, you need a Windows 2008 server and a Windows 7 test VM. You can follow ISE video series on our website for all installation and configuration procedure. All lab diagrams are also available. You will certainly need to have some familarity with Vmware ESXi and concept of 802.1x authentication. For further question, please kindly post them on our forum link below.

http://communities.labminutes.com/

 

As you have instructed, i have learnt the active directory and the 802.1x authentication and i wish to try some tips out.

I also wish to integrate a free radius server. Do i need to install this also on the ESXi? Because it is running on a PC already in my Lab environment or link it to the Cisco ISE?

Secondly in other to test for BYOD, i also wish to install the Cisco virtual wireless controller on the ESXi and have them a connected through the virtual switch in the ESXi to communicated with each other. i Guess this is the idea process?

Many thanks for your useful response. I sincerely appreciate.

You don't really need ISE to get the device admin to work with RADIUS as it uses the standard RADIUS attribute although there isn't really a reason why you wouldn't use ISE as its evaluation is free if all you want to do is testing. For BYOD, please review our ISE BYOD videos to see how to set it up.

Up to now, all your explanations have been very vital. I have a 3650 switch and on this witch i have all my configurations entered, except for the 802.1x that will be configured on the SG300 business switch.

Can i achieve the lab objectives by using both switches, or i should use just one switch?

the SG300 will have the clients (PC) connected to it and with 802.1x alone on the switch with vlans created too on it.
while the 3650 has all the recommended cisco configurations from their site. Do u see me having issues in using both switches or i should default to just one switch.

We are not familiar with SG300 hence not sure if it contains all the 802.1x feature that you need. 3650 on the other hand should work just fine if all you are doing is lab testing, but not recommened for production right now as there are knowns bugs that affect switch stability.

I have two rule, rule 1 name Wired-DOT1X with identities store is ActiveDirectory. Rule 2 name Wired-Mab with identities store is Internal Endpoint. The problem is when put Wired-Dot1X to first, everything ok with user use 802.1x method but with device use mab method they use identities store is ActiveDirectory instead of Internal Enpoint. So they authentication faild. And when i put rule Wired-Mab to first, device use mab method authentication success but user use 802.1x faild with the same reason (not found in identities stores cause it select identities sotre of the first rule)

I find the way out is put rule 1 inside rule 2 or opposite. Both of user and device can authentication success, but when i go to Operations > Authentication, no new log about success authentication session.
Please show me where iwrong ??

That does not sound right. MAB should not match Wired-DOT1X condition becuase MAB uses service-type call-check and dot1x should not match Wired-MAB becuase dot1x uses Login. It should not matter which rule you have first. Please make sure the RADIUS request containt the correct service type.

Thank so much, you're right. So if i have 2 Wired-DOT1X rule. The first one use ActiveDirectory as identity stores and the orther use Internal user. Which attribute i can use to seperate it ?

You don't really need two wired .1x authen rule. If you want to authenticate both AD and Internal user, you can just put them in Identity Source Sequence and use that. If you want to keep them seperate for whatever reason, your reason will dictate the condition you need.

Lab Minutes Classifieds