SEC0112 - ISE 1.2 Wireless 802.1X Authorization with FlexConnect (Part 1)
Category:
Security
The video looks into Cisco ISE 1.2 wireless 802.1X authentication with a FlexConnect AP. We configure the wireless AP and SSID to operate in central switching and in local switching mode, and compare the authorization capabilities available on ISE in each mode. Because local switching does not support downloadable ACLs (DACL), we configure a FlexConnect ACL and a FlexConnect group, and use dynamic VLAN assignment to place a wireless user on a VLAN whose FlexConnect group mapping carries the appropriate ACL.
Part 1 of this video walks through ISE configuration for FlexConnect central switching mode.
Topic:
- Network Device
- Network Device Group
- Policy Element Result
- Authorization (Downloadable ACL, Dynamic VLAN Assignment)
- Authorization (Authorization Profile)
- Authentication Policy
- Authorization Policy
- WLC AP and SSID Configuration for FlexConnect
- FlexConnect ACL
- FlexConnect Group with ACL Mapping
10 comments
thanks
thanks
Authorization - Error
Hi,
I am trying to configure FlexConnect following your example, but here is what happens:
When the machine (in Domain Computers) connects to wireless, the authorization matches (Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/Users/Domain Computers) and the authorization is PERMIT_ALL, but when I try to connect with the user admin1 (group Network Support) on the same machine, it matches the rule Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/Users/Domain Computers and not Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/ISE USERS/Network Support. Can you help me?
Sequence in Authorization:
lm-wlan-win-machine if (Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/Users/Domain Computers ) then WLAN-PERMIT-ALL
lm-wlan-win-admin if (Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/ISE USERS/Network Admin ) then WLAN-PERMIT-ALL
lm-wlan-network-support if (Wireless_802.1X AND AD1:ExternalGroups EQUALS sise.local/ISE USERS/Network Support ) then WLAN-INTERNET-ONLY
Authorization - Error
Do you use PEAP or EAP-TLS? Do you have the wireless profile set to both User and Computer Authentication? When user admin1 authenticated successfully, did you see a list of AD groups on the Authentication Detail page, and was Network Support one of them?
Authorization - Error
It works.
I forgot to configure it in the wireless profile.
thanks.
Dynamic VLAN Assignment not work with more than 16 Vlans
Hi Metha,
I already have DVA working with a single SSID:
- User A authenticates and is mapped to VLAN 10
- User B authenticates and is mapped to VLAN 20
OK, it is working fine.
Now I want to configure DVA with 20 VLANs, so I went to "FlexConnect Group with ACL Mapping" to add more VLANs, but the WLC does not allow adding more than 16 VLANs. Do you have any ideas?
Thanks
Dynamic VLAN Assignment not work with more than 16 Vlans
This is a limitation of the FlexConnect AP. See the link below.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configurati...
Wireless Connection Flaky
Hello
I need your help. I managed to configure these rules in my test lab using only domain users, but it only worked the very first time; after that it would not allow me to connect to the same SSID even if I restarted my PC. I am using Windows 7 Enterprise.
Is there any other configuration I need to change?
Wireless Connection Flaky
What did it show on the authentication log when you couldn't connect?
Internet Only ACL - default gateway blocked!!
How come you can have access to the Internet?
With the ACL you showed, traffic to the default gateway should be blocked by the deny internal-network lines.
I am having that issue. Please advise, thanks.
Internet Only ACL - default gateway blocked!!
Internet-bound packets do not have the default gateway as their destination, so they are allowed. If you try to ping the default gateway, however, that should be blocked. If you want the client to be able to ping the DGW, add an allow entry above the lines blocking the private networks.
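To make the first-match reasoning in that reply concrete, below is a small Python model of the "Internet only" ACL. It is an added example, not code or configuration from the video or the lab document: the addressing (client VLAN 10.10.20.0/24 with default gateway 10.10.20.1), the exact deny lines, and the helper names Rule, evaluate and with_gateway_permit are assumptions made for illustration. Like a WLC or FlexConnect ACL, the model evaluates top-down, stops at the first matching line, and ends in an implicit deny, so it shows why a public destination is permitted while a ping to the gateway is not, and why the fix is a narrow permit for the gateway placed above the private-network deny lines.

```python
"""First-match model of a FlexConnect 'Internet only' ACL.

Added example for illustration; addresses and ACL lines are constructed,
not taken from the video or lab document.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    dst: ipaddress.IPv4Network     # destination prefix this line matches
    note: str = ""


# Assumed addressing for the example (constructed).
DEFAULT_GW = ipaddress.ip_address("10.10.20.1")

# Internet-only ACL as described in the thread: deny the private ranges,
# then permit everything else. Order matters: the permit-any must be last.
INTERNET_ONLY: List[Rule] = [
    Rule("deny",   ipaddress.ip_network("10.0.0.0/8"),     "internal network"),
    Rule("deny",   ipaddress.ip_network("172.16.0.0/12"),  "internal network"),
    Rule("deny",   ipaddress.ip_network("192.168.0.0/16"), "internal network"),
    Rule("permit", ipaddress.ip_network("0.0.0.0/0"),      "Internet"),
]


def evaluate(acl: List[Rule], dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line number) of the first line whose
    destination prefix contains dst; no match means the implicit deny."""
    address = ipaddress.ip_address(dst)
    for line, rule in enumerate(acl, start=1):
        if address in rule.dst:
            return rule.action, line
    return "deny", None


def with_gateway_permit(acl: List[Rule],
                        gw: ipaddress.IPv4Address) -> List[Rule]:
    """The fix from the reply: permit the gateway above the deny lines.
    Use a /32 so only the gateway is reopened, not the whole subnet."""
    gw_rule = Rule("permit", ipaddress.ip_network(f"{gw}/32"), "default gateway")
    return [gw_rule] + list(acl)


if __name__ == "__main__":
    variants = (
        ("original", INTERNET_ONLY),
        ("with gateway permit", with_gateway_permit(INTERNET_ONLY, DEFAULT_GW)),
    )
    for label, acl in variants:
        print(f"--- {label} ---")
        for dst in ("93.184.216.34", str(DEFAULT_GW), "10.10.30.5"):
            action, line = evaluate(acl, dst)
            print(f"{dst:>15} -> {action} (line {line})")
```

Running the block prints the verdict for a public address, the gateway, and another internal host under both ACL versions. Reversing the list (permit-any first) makes every later deny line dead, which is the ordering mistake the model is meant to make visible.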