Let’s say you have been asked to configure ISE to allow secured network access for Cisco Wireless Access Points.
To do so you should:
· Enable the ISE endpoint profile for Cisco Access Points
· Configure an Authorization Profile and Authorization Policy rule for Cisco Access Points
· Review the access switch configuration to authorize an access point using MAC Authentication Bypass (MAB).
· Verify proper authorization of a Cisco Access Point based on ISE policy
Log in to ISE.
The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.
Configure the Profiler Policy to assign endpoints matching the Cisco Access Point profile to an Identity Group called “Cisco-Access-Points”.
Navigate to Policy > Profiling and select Cisco-Access-Point from the list of Endpoint Policies. Verify that the policy is enabled (the Policy Enabled checkbox is checked) and check the option Create Matching Identity Group.
Do not forget to save, otherwise the change will not take effect.
Now define an Authorization Profile for Cisco Access Points.
Navigate to Policy > Policy Elements > Results and double-click Authorization to expand its contents.
Select Authorization Profiles from the left-hand pane, click Add in the right-hand pane, and enter the values for the Authorization Profile as shown below:

| Attribute | Value |
|---|---|
| Name | Cisco_Access_Points |
| Description | Permit access to Cisco Access Points |
| Access Type | ACCESS_ACCEPT |
| Common Tasks | |
| DACL Name | [ ✓ ] PERMIT_ALL_TRAFFIC |
| VLAN | 90 (or 1:90) |
The resultant Attribute Details should appear at the bottom of the page as the following:
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:90
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
DACL = PERMIT_ALL_TRAFFIC
Finally, click Submit to apply your changes.
Now we should configure a new Authorization Policy rule to assign the new Cisco_Access_Points profile to endpoints that match the Identity Group named Cisco-Access-Point.
To do so go to Policy > Authorization and insert a new rule below the Profiled Cisco IP Phones rule as shown in the policy table below. Use the selector at the end of a rule entry to insert or duplicate rules.
Enter the following values for a new rule named Profiled Cisco Access Points:
| Status | Rule Name | Identity Groups | Other Conditions | Permissions |
|---|---|---|---|---|
| | Profiled Cisco IP Phones | Cisco-IP-Phone | – | Cisco_IP_Phones |
| | Profiled Cisco Access Points | Cisco-Access-Point | – | Cisco_Access_Points |
| … | | | | |
Don’t forget to Save when finished making policy updates.
Hint: Verify proper authorization of the wireless access point.
Check the status of the port and, if necessary, issue the no shutdown command in configuration mode for the selected interface.
Check the authentication status with:
cisco-access# show authentication sessions interface gi0/x
or
cisco-access(config-if)# do sh auth sess int gi0/x
Keep in mind that it may take a few minutes for the result to appear (the access point has to boot and complete authentication first).
To display the current dACL applied to the interface, use the command show ip access-lists interface GigabitEthernet 0/3. The output should appear similar to the following:
cisco-access(config-if)# do sh ip access-list int gi0/3
permit ip host 10.1.90.100 any
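As an added example (not part of the original post), a small Python check that reads the output of show authentication sessions interface and confirms the session matches the policy built above: MAB succeeded, VLAN 90 assigned, dACL PERMIT_ALL_TRAFFIC applied. The two session dumps are constructed samples, not captured output.

```python
# Check a switch port session against the ISE policy above (MAB, VLAN 90,
# dACL PERMIT_ALL_TRAFFIC). Added example; the sample dumps below are constructed.
EXPECTED_VLAN = "90"
EXPECTED_DACL = "PERMIT_ALL_TRAFFIC"

def parse_session(text):
    """Split 'show authentication sessions interface' output into fields and method states."""
    fields, methods, in_methods = {}, {}, False
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("Runnable methods list"):
            in_methods = True        # the method table that follows has no colons
        elif in_methods:
            method, state = line.split(None, 1)
            methods[method] = state.strip()
        else:
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields, methods

def check_ap_session(text):
    """Return (ok, problems) for one access-point port session."""
    f, m = parse_session(text)
    problems = []
    if f.get("Status") != "Authz Success":
        problems.append("status is " + f.get("Status", "missing"))
    if m.get("mab") != "Authc Success":
        problems.append("mab state is " + m.get("mab", "missing"))
    if f.get("Vlan Policy") != EXPECTED_VLAN:
        problems.append("VLAN is " + f.get("Vlan Policy", "missing") + ", expected " + EXPECTED_VLAN)
    # IOS names the downloaded ACL xACSACLx-IP-<name>-<hash>; match on the name part only.
    if EXPECTED_DACL not in f.get("ACS ACL", ""):
        problems.append("dACL " + EXPECTED_DACL + " not applied")
    return not problems, problems
# Constructed sample: AP authorized and re-addressed in VLAN 90 (compare the ISE log row).
AUTHORIZED = """\
           IP Address:  10.1.90.100
               Status:  Authz Success
          Vlan Policy:  90
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5c8a1f2b
Runnable methods list:
       mab      Authc Success
"""
# Constructed sample: MAB has not succeeded yet, so the AP is still in the default VLAN.
PENDING = """\
           IP Address:  10.1.10.100
               Status:  Authz Failed
          Vlan Policy:  N/A
Runnable methods list:
       mab      Failed over
"""
```

Paste the real output of the show command into check_ap_session() in place of the constructed samples; a non-empty problem list tells you which part of the ISE authorization has not reached the port yet.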
To verify the Cisco Wireless Access Point authentication in ISE, go to Monitor > Authentications and review the log:

| S | Username | Endpoint ID | IP Address | NAD | Device Port | AuthZ Profiles | Identity Group | Event |
|---|---|---|---|---|---|---|---|---|
| ✓ | #ACSACL#-IP-PERMIT_ALL_TRAFFIC | | | 3k-access | | | Authorize Only | DACL Download |
| ✓ | nn:nn:nn:nn:nn:nn | nn:nn:nn:nn:nn:nn | 10.1.10.100 | 3k-access | Gi0/3 | Cisco_Access_Points | Cisco-Access-Point | Auth Succeeded |
Note: The access point periodically attempts to renew its IP address if it has no network connectivity. The default port ACL on the switch allows access to DHCP services, so the access point initially receives an IP address in the default access VLAN 10 (10.1.100.10). Once authorized for VLAN 90, the access point renews its IP address in the new VLAN (10.1.90.100).
The authentication event in the above log reflects the IP address learned at the time of authentication. The access list applied to this session reflects the final endpoint IP address using variable substitution of the “any” value in the dACL’s source IP address.