Bootstrapping Network Access Devices

Bootstrapping Network Access Devices

Bootstrapping Network Access Device

In Bootstrapping Network Access Device section, Configuration of Network catalyst Switch and WLC needs to be done to work with ISE.

Global Configuration on Cisco Catalyst Switches IOS and IOS 15.x

Switches perform URL redirection for Web Authentication and once the traffic is discovered, it also redirect that traffic from posture to PSN node.

In order to redirect HTTP and HHTPS traffic, the switches needs to be configured. Below are some configuration steps related to that? 

Step 1. Set the DNS domain name on the switch, it is necessary because switch will not allow to create certificates or self-generated certificates with DNS definition.

ip domain-name domain-name

Step 2. Generate keys to be used for HTTPS.

crypto key generate rsa general-keys modulus 2048

Enable the Switch HTTP/HTTPS Server.

This feature used to discover the HTTP traffic and redirect that user’s browser to the Centralized Web Authentication (CWA) portal, a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal.

Step 1. Enable the HTTP server

ip http server

Global AAA Commands

Step 1. Enable AAA on the access switch(es)

Dclessons-DIST (config)# aaa new-model

Step 2. Create an authentication method for 802.1X.

Dclessons-DIST(config)# aaa authentication dot1x default group radius

Step 3. Create an authorization method for 802.1X.

Dclessons-DIST(config)# aaa authorization network default group radius

Step 4. Create an accounting method for 802.1X.

Accounting packets provide information on when to terminate a live session, as well as local decisions made by the switch

Dclessons-DIST(config)# aaa accounting dot1x default start-stop group radius

Step 5. Configure periodic RADIUS accounting updates.

Periodic RADIUS accounting packets allow Cisco ISE to track which sessions are still active on the network.

Dclessons-DIST(config)# aaa accounting update newinfo periodic 1440

In Cisco IOS, A proactive method can be configured, in order to check the availability of RADIUS Server, Doing this Switch will periodically send test authentication message to ISE and will look for a response. But a success message is not necessary, even though in case of failed authentication, it will show server is alive.

Below steps required adding RADIUS server in configuration, and enables Proactive RADIUS server health Check.

Step 1. Add a username and password for the RADIUS keepalive

Dclesson-Dist(config)# username radius-test password password

Step 2. Add the Cisco ISE PSNs as RADIUS servers.

Dclesson-Dist(config)# radius server server-name                                                                                        Dclesson-Dist(config-radius-server)# address ipv4 address auth-port 1812 acct-port 1813                    Dclesson-Dist(config-radius-server)# key Shared-Secret                                                                                      Dclesson-Dist(config-radius-server)# automate-tester username radius-test probe-on

Step 3. Set the dead criteria. Configuration to wait 5 seconds for a response from the RADIUS server and if server not responds then test three more times before marking the server dead. If a Cisco ISE server doesn’t have a valid response within 15 seconds, it is marked as dead.

Dclesson-Dist(config)# radius-server dead-criteria time 5 tries 3                                                              Dclesson-Dist(config)# radius-server deadtime 15

Step 4. Enable Change of Authorization (CoA).

Dclesson-Dist(config)# aaa server radius dynamic-author                                                                              Dclesson-Dist(config-locsvr-da-radius)# client ise_ip_address server-key shared_secret

Repeat the command for each of the PSNs and the MNT nodes of the ISE cube (deployment).

Step 5. Configure the switch to use the Cisco vendor-specific attributes.

Here you configure the switch to send any defined VSAs to Cisco ISE PSNs during authentication requests and accounting updates:

Dclesson-Dist(config)# radius-server vsa send authentication                                                                        Dclesson-Dist(config)# radius-server vsa send accounting

Step 6. Enable the VSAs:

These VSAs are used to ensure the service-type, framed-ip-address, and class attributes are sent in the RADIUS communications to ISE.

Dclesson-Dist(config)# radius-server attribute 6 on-for-login-auth                                                                  Dclesson-Dist(config)# radius-server attribute 8 include-in-access-req                                                            Dclesson-Dist(config)# radius-server attribute 25 access-request include

Step 7. Ensure that the switch always sends traffic from the correct interface

Dclesson-Dist(config)# ip radius source-interface interface_name Dclesson-Dist(config)# snmp-server trap-source interface_name Dclesson-Dist(config)# snmp-server source-interface informs interface_name

Local Access Control Lists for Classic IOS and IOS 15.x 

Local ACLs are used by switches in operation like URL redirection. Below are configuration of Local ACls.



    You are will be the first.


Please login here to comment.