Bootstrapping Network Access Devices

In this section the network access devices (NADs), that is the Cisco Catalyst switches and the Wireless LAN Controller (WLC), are configured to work with Cisco ISE.

Global Configuration on Cisco Catalyst Switches (Classic IOS and IOS 15.x)

Switches perform URL redirection for Web Authentication, and they also redirect the discovery traffic from the posture agent to the ISE Policy Service Node (PSN).

To redirect HTTP and HTTPS traffic, the switch must be able to terminate those connections itself. The following configuration steps prepare it to do so.

Step 1. Set the DNS domain name on the switch. This is required because Cisco IOS will not generate or install a certificate, not even a self-signed one, until a domain name is defined; the RSA key pair created in the next step is named after the hostname and domain name.

ip domain-name domain-name

Step 2. Generate keys to be used for HTTPS.

crypto key generate rsa general-keys modulus 2048

Enable the Switch HTTP/HTTPS Server.

The HTTP server is what intercepts the user's HTTP traffic and redirects the browser to the Centralized Web Authentication (CWA) portal, the device registration portal, or the Mobile Device Management (MDM) onboarding portal.

Step 1. Enable the HTTP server.

ip http server

Global AAA Commands

Step 1. Enable AAA on the access switch(es)

Dclessons-DIST(config)# aaa new-model

Step 2. Create an authentication method for 802.1X.

Dclessons-DIST(config)# aaa authentication dot1x default group radius

Step 3. Create an authorization method for 802.1X.

Dclessons-DIST(config)# aaa authorization network default group radius

Step 4. Create an accounting method for 802.1X.

Accounting packets give ISE the information it needs to know when a live session has ended, as well as local decisions made by the switch.

Dclessons-DIST(config)# aaa accounting dot1x default start-stop group radius

Step 5. Configure periodic RADIUS accounting updates.

Periodic RADIUS accounting packets allow Cisco ISE to track which sessions are still active on the network.

Dclessons-DIST(config)# aaa accounting update newinfo periodic 1440

Cisco IOS can also proactively check the availability of a RADIUS server. When this is configured, the switch periodically sends a test authentication request to ISE and looks for a response. The test does not have to succeed: an Access-Reject for a failed authentication still proves the server is alive. Only the absence of any response counts against the server.

The following steps add the RADIUS servers to the configuration and enable the proactive RADIUS server health check.

Step 1. Add a local username and password for the RADIUS keepalive (test) account.

Dclessons-DIST(config)# username radius-test password password

Step 2. Add the Cisco ISE PSNs as RADIUS servers.

Dclessons-DIST(config)# radius server server-name
Dclessons-DIST(config-radius-server)# address ipv4 address auth-port 1812 acct-port 1813
Dclessons-DIST(config-radius-server)# key Shared-Secret
Dclessons-DIST(config-radius-server)# automate-tester username radius-test probe-on

Step 3. Set the dead criteria. With the configuration below, the switch waits 5 seconds for a response from a RADIUS server and retries three times before marking the server dead. The deadtime value is in minutes: a server that has been marked dead is skipped for 15 minutes before the switch tries it again, so that every new authentication does not have to wait on a failed PSN before falling over to the next one.

Dclessons-DIST(config)# radius-server dead-criteria time 5 tries 3
Dclessons-DIST(config)# radius-server deadtime 15

Step 4. Enable Change of Authorization (CoA).

Dclessons-DIST(config)# aaa server radius dynamic-author
Dclessons-DIST(config-locsvr-da-radius)# client ise_ip_address server-key shared_secret

Repeat the client command for each of the PSNs and the MnT (Monitoring) nodes of the ISE deployment (the ISE "cube"). Without a matching client entry the switch silently drops the CoA request, and ISE cannot change a session's authorization after the initial login.

Step 5. Configure the switch to use the Cisco vendor-specific attributes.

Here you configure the switch to send any defined VSAs to Cisco ISE PSNs during authentication requests and accounting updates:

Dclessons-DIST(config)# radius-server vsa send authentication
Dclessons-DIST(config)# radius-server vsa send accounting

Step 6. Enable the additional RADIUS attributes.

These commands ensure that the Service-Type (attribute 6), Framed-IP-Address (attribute 8) and Class (attribute 25) attributes are sent in the RADIUS communications with ISE. They are standard IETF RADIUS attributes rather than Cisco VSAs, but ISE relies on them, for example on Framed-IP-Address in the Access-Request to learn the endpoint's IP address for the session.

Dclessons-DIST(config)# radius-server attribute 6 on-for-login-auth
Dclessons-DIST(config)# radius-server attribute 8 include-in-access-req
Dclessons-DIST(config)# radius-server attribute 25 access-request include

Step 7. Ensure that the switch always sends traffic from the correct interface

Dclessons-DIST(config)# ip radius source-interface interface_name
Dclessons-DIST(config)# snmp-server trap-source interface_name
Dclessons-DIST(config)# snmp-server source-interface informs interface_name
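Once a few dozen access switches have been bootstrapped by hand, the usual failure is a switch that is missing one of the steps above (most often a PSN left out of the CoA client list, or a RADIUS server defined without the automate-tester probe). The script below is an added example, not code from this page or from Cisco; it parses an IOS running-config and reports which of the commands from the Global AAA, RADIUS and HTTP server steps are absent. The two sample configs, the PSN addresses 10.1.100.21 and 10.1.100.22, the shared secret and the interface name are constructed for the example, and the check for `ip http secure-server` (the HTTPS counterpart of `ip http server`) is my addition rather than a command listed in the steps above.

```python
"""Audit a Catalyst IOS running-config for the ISE bootstrap commands in the
steps above (AAA, RADIUS servers with a health probe, dead criteria, CoA,
attributes, HTTP/HTTPS, source interface). The sample configs, PSN addresses
10.1.100.21/22, secrets and interface names are constructed for this example."""

# Required global commands, matched as prefixes so values are not hard-coded.
REQUIRED_GLOBALS = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "aaa accounting update newinfo periodic",
    "radius-server vsa send authentication",
    "radius-server vsa send accounting",
    "radius-server attribute 6 on-for-login-auth",
    "radius-server attribute 8 include-in-access-req",
    "radius-server attribute 25 access-request include",
    "ip http server",
    "ip http secure-server",  # HTTPS redirect; assumed alongside 'ip http server'
    "ip radius source-interface",
]


def parse_config(config):
    """Return (top-level lines, {header: [indented child lines]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def audit(config, psn_ips):
    """Return a list of findings; an empty list means the switch is bootstrapped."""
    findings = []
    top, blocks = parse_config(config)
    for req in REQUIRED_GLOBALS:
        if not any(line.startswith(req) for line in top):
            findings.append(f"missing: {req}")
    # Every 'radius server' block needs an automate-tester probe (keepalive).
    for header, children in blocks.items():
        if header.startswith("radius server ") and not any(
                c.startswith("automate-tester ") for c in children):
            findings.append(f"{header}: no automate-tester (no proactive health check)")
    # Every PSN must be a dynamic-author client, or ISE cannot push a CoA
    # (posture, profiling or quarantine changes) after the initial login.
    coa = blocks.get("aaa server radius dynamic-author", [])
    coa_clients = {c.split()[1] for c in coa if c.startswith("client ")}
    for ip in psn_ips:
        if ip not in coa_clients:
            findings.append(f"PSN {ip} not a CoA client (aaa server radius dynamic-author)")
    # dead-criteria (seconds and tries) and deadtime (minutes) work together.
    if not (any(line.startswith("radius-server dead-criteria") for line in top)
            and any(line.startswith("radius-server deadtime") for line in top)):
        findings.append("radius-server dead-criteria and deadtime must both be configured")
    return findings


# Constructed config that follows every step above.
COMPLETE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 1440
radius server ISE-PSN-1
 address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
 key ISE-Shared-Secret
 automate-tester username radius-test probe-on
radius server ISE-PSN-2
 address ipv4 10.1.100.22 auth-port 1812 acct-port 1813
 key ISE-Shared-Secret
 automate-tester username radius-test probe-on
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
aaa server radius dynamic-author
 client 10.1.100.21 server-key ISE-Shared-Secret
 client 10.1.100.22 server-key ISE-Shared-Secret
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
ip http server
ip http secure-server
ip radius source-interface Loopback0
"""

# Constructed "before" config: no probes, PSN-2 missing from CoA, no HTTPS, no deadtime.
PARTIAL_CONFIG = "\n".join(
    line for line in COMPLETE_CONFIG.splitlines()
    if line not in (" automate-tester username radius-test probe-on",
                    " client 10.1.100.22 server-key ISE-Shared-Secret",
                    "ip http secure-server", "radius-server deadtime 15"))
```

To use it against a real device, paste the output of `show running-config` into a file and call `audit(open("running-config.txt").read(), ["10.1.100.21", "10.1.100.22"])` with the addresses of your PSNs; `audit(COMPLETE_CONFIG, ...)` returns an empty list, while the partial config yields five findings, one per omitted step. The checks are prefix matches on the global commands and a look inside the indented `radius server` and `aaa server radius dynamic-author` blocks, which is enough to catch the omissions above without trying to fully model IOS syntax.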

Local Access Control Lists for Classic IOS and IOS 15.x

Local ACLs are used by the switch for operations such as URL redirection. The configuration of these local ACLs follows.