Introduction
What is ISE
Key features of ISE
What happens behind the boxes
Components Used
Network Diagram
Configuration
Cisco 5500 Wireless LAN Controller Configuration
ISE Configuration
Limitations
How ISE differs from NAC-OOB (as per ISE ver 1.0)
Related Information
Related Links
Introduction
This document provides a sample configuration for integrating ISE (Identity Services Engine) with a Cisco
Wireless LAN Controller (WLC).
NOTE:- This document is about posturing the client and is based on WLC release 7.0.116.0. The same
information is also covered in the VoD.
What is ISE
Cisco Identity Services Engine (ISE) is a next-generation product that provides several types
of solutions/services in one box, for example ACS, NAC, NAC Profiler, NAC Guest Server
and many more.
Postings may contain unverified user-created content and change frequently. The content is provided as-is and
is not warrantied by Cisco.
Integration of ISE (Identity Services Engine) with Cisco WLC (Wireless LAN Controller)
Key features of ISE
AAA protocols - ISE uses the RADIUS protocol for Authentication, Authorization and Accounting. ISE
NAC and the WLC use RADIUS to communicate with each other.
Authentication protocols - it supports various authentication protocols: PAP, MS-CHAP,
EAP-MD5, PEAP, EAP-FAST and EAP-TLS.
Access control - it provides a wide range of access control mechanisms, such as URL redirect,
VLAN assignment, downloadable access control lists (dACLs) and SGA tagging.
Posture - ISE performs posture assessment of endpoints via either the NAC Agent or the
Web Agent. An admin can configure various kinds of posture conditions, such as latest OS
patches, antivirus, etc.
Profiling - profiling identifies and analyzes endpoints in the network. An endpoint can be
any device that tries to access the network, such as an iPhone, iPad, laptop or printer.
ISE comes with several pre-defined endpoint profiles. We can also create our own and
define a specific authorization policy for each profile.
Policy model - the policy model offers attribute- and rule-based policies for creating flexible
and more specific access control policy.
Guest lifecycle management - this feature is used to create a lobby admin, called a sponsor user
in ISE terminology, who can create login credentials for guest users.
Platform options - ISE is available as a physical appliance or as a virtual appliance running on
VMware.
What happens behind the boxes
6) Once the client completes the assessment, ISE sends a RADIUS CoA-Request (CoA stands for Change of
Authorization) with the re-authenticate service to the WLC.
7) The WLC then initiates re-authentication of the client by sending EAP-Start to the client.
8) Re-authentication succeeds.
9) ISE sends the new profile; the Access-Accept carries the new ACL (if any) that provides full access (as per
the ACL rules) to the network.
Note that the CoA-Request is authenticated with the same RADIUS shared secret that the WLC and ISE share; a
CoA-Request whose authenticator does not validate is discarded by the WLC.
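The CoA exchange of steps 6 to 9, as an added example that is not code from the original document or from Cisco: a minimal RADIUS CoA-Request builder for the ISE side and the verification and handling a WLC performs on receipt, following RFC 5176 (the Message-Authenticator is computed first with the Authenticator field zeroed, then the Request Authenticator over the finished packet). The shared secret, client MAC address and session table are constructed values. The Cisco-AVPair strings `subscriber:command=reauthenticate` and `subscriber:reauthenticate-type=last` are the commonly used re-authentication AVPairs and are an assumption here, since the page does not list the attributes ISE 1.0 puts in its CoA.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 5176) and attribute types (RFC 2865 / 3579 / 5176)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 31, 26, 80, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value from RFC 5176


def avp(attr_type, value):
    """Encode one Type-Length-Value attribute (Length includes the 2 header octets)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap one cisco-avpair string in a Vendor-Specific attribute (vendor 9, sub-type 1)."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def parse_attrs(blob):
    """Split an attribute block into (type, value) pairs; reject malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out


def build_coa_request(secret, identifier, attrs):
    """ISE side. Message-Authenticator = HMAC-MD5(secret) over the packet with the Authenticator
    field and its own value zeroed; then Request Authenticator = MD5(header + 16 zero octets +
    attributes + secret), the same construction as for an Accounting-Request."""
    attrs = attrs + avp(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    mac = hmac.new(secret, header + b"\0" * 16 + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    req_auth = hashlib.md5(header + b"\0" * 16 + attrs + secret).digest()
    return header + req_auth + attrs


def verify_coa_request(secret, packet):
    """WLC side. Returns (ok, reason); ok only if both integrity checks pass under the
    shared secret configured for ISE, so a CoA sent by anyone else is discarded."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False, "not a CoA-Request"
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False, "length mismatch"
    try:
        parsed = parse_attrs(attrs)
    except ValueError as exc:
        return False, str(exc)
    off, mac_off = 0, None  # locate the Message-Authenticator so its value can be zeroed
    for attr_type, value in parsed:
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac_off = off + 2
        off += 2 + len(value)
    if mac_off is None:
        return False, "Message-Authenticator missing"
    zeroed = attrs[:mac_off] + b"\0" * 16 + attrs[mac_off + 16:]
    expect_mac = hmac.new(secret, header + b"\0" * 16 + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expect_mac, attrs[mac_off:mac_off + 16]):
        return False, "bad Message-Authenticator (wrong secret or tampered)"
    expect_auth = hashlib.md5(header + b"\0" * 16 + attrs + secret).digest()
    if not hmac.compare_digest(expect_auth, req_auth):
        return False, "bad Request Authenticator"
    return True, "ok"


def build_response(secret, request, code, attrs=b""):
    """CoA-ACK / CoA-NAK: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def handle_coa(secret, packet, sessions):
    """Minimal WLC behaviour: drop an inauthentic CoA silently; NAK with Error-Cause 503 if
    Calling-Station-Id is not a known client; otherwise mark the client for EAP re-authentication."""
    ok, reason = verify_coa_request(secret, packet)
    if not ok:
        return None, reason
    attrs = dict(parse_attrs(packet[20:]))
    mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    if mac not in sessions:
        err = avp(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
        return build_response(secret, packet, COA_NAK, err), "session not found"
    sessions[mac]["state"] = "reauthenticating"  # the WLC would now send EAP-Start (step 7)
    return build_response(secret, packet, COA_ACK), "reauth triggered"


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # assumption: the same value is configured on WLC and ISE
    sessions = {"00:11:22:33:44:55": {"state": "limited"}}  # constructed client entry
    coa = build_coa_request(SECRET, 7, avp(CALLING_STATION_ID, b"00:11:22:33:44:55")
                            + cisco_avpair("subscriber:command=reauthenticate")
                            + cisco_avpair("subscriber:reauthenticate-type=last"))
    print(handle_coa(SECRET, coa, sessions))           # CoA-ACK bytes, 'reauth triggered'
    print(handle_coa(b"wrong-secret", coa, sessions))  # None, 'bad Message-Authenticator ...'
```

Running the file shows the WLC returning a CoA-ACK for a known client and dropping the same packet when the secrets differ. That is the behaviour a NAS is required to have: a CoA-Request that does not validate under the shared secret is discarded, so a host that can reach the WLC's CoA port (3799 by default per RFC 5176) still cannot re-authorize or bounce clients without the secret, which is one more reason to treat that secret as a credential rather than a convenience string.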
Components Used
Network Diagram
We have an AP and a WLC connected to a switch. Traffic between the AP and the WLC is encapsulated with the
CAPWAP protocol. ISE sits somewhere else in the network and has connectivity to the WLC for authentication,
posture, etc. Clients associate to the WLC.
Configuration
Cisco 5500 Wireless LAN Controller Configuration
Now let's discuss what needs to be configured on the Cisco WLC.
The WLAN is named ISEnWLC, keeping the default WPA2 security. On the Advanced tab, enable RADIUS NAC.
When RADIUS NAC is enabled, the AAA Override feature is enabled automatically.
NOTE:- If configuring through the CLI, AAA Override must be enabled before RADIUS NAC is configured
on the WLAN.
Creating ACLs:-
ISE differentiates clients into 3 posture categories (unknown, non-compliant and compliant), and we
configure 3 different ACLs in order to give each category specific access. It is not mandatory to have
3 ACLs; 2 can also be used. Suppose an admin does not want to differentiate unknown and non-compliant
users and does not want to give them different access policies. In that case, 2 ACLs are enough: one ACL
for unknown and non-compliant clients and a second ACL for compliant clients.
It all depends on how the admin wants to configure it. We have created only 2 ACLs, treating unknown and
non-compliant clients in the same way.
Limited_Access allows only ISE traffic and Full_Access does not block anything.
Now we add ISE as an AAA server. On the Security tab --> select Authentication and enter the IP
address and shared secret. The shared secret must be the same on ISE as well; it is also the secret that
authenticates the CoA-Requests ISE later sends to the WLC.
As per Cisco's recommendation, an admin should configure 3 ACLs. Let's discuss more on ACLs and the
posture state of clients/users.
So we need 3 different access profiles for unknown, non-compliant and compliant. Each profile carries
an ACL. Based on the user/client state, ISE sends the profile to the controller, and the controller
applies the ACL and the other attributes to the client entry in its database.
The ACL for unknown clients should allow the traffic the user needs to reach ISE, i.e. the user must be able
to get the ISE posture page, and it should also allow the traffic the client needs to remediate itself. The
ACL for compliant clients should allow all traffic, although that depends on the admin and the company's
policies. The ACL for non-compliant clients should block everything. Note that a non-compliant client that is
blocked completely cannot remediate; if clients are expected to remediate themselves, that ACL must still
permit reaching ISE and the remediation servers (this document simply uses the same Limited_Access ACL for
unknown and non-compliant clients).
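The access profiles described above, as an added example that is not part of the original document: a small first-match ACL evaluator in Python modelling the two-ACL design used here (Limited_Access for unknown and non-compliant clients, Full_Access for compliant clients) and the posture-state-to-ACL mapping that the authorization profiles carry. The ISE address, remediation subnet and rule set are constructed for the example; a real WLC ACL also has a source, a direction and port ranges, which are omitted here.

```python
import ipaddress
from collections import namedtuple

# One WLC-style ACL rule: action, protocol, destination network, destination port.
# None means "any". Rules are evaluated top-down and the first match wins.
Rule = namedtuple("Rule", "action proto dst dport")

ISE = ipaddress.ip_network("10.1.1.50/32")         # constructed: the ISE node's address
REMEDIATION = ipaddress.ip_network("10.1.2.0/24")  # constructed: patch / AV update servers

# Limited_Access: only what an unknown or non-compliant client needs to reach the ISE
# posture page, download the agent and remediate; everything else is explicitly denied.
LIMITED_ACCESS = [
    Rule("permit", "udp", None, 53),         # DNS, so the redirect URL can be resolved
    Rule("permit", "udp", None, 67),         # DHCP
    Rule("permit", "any", ISE, None),        # ISE portal, agent download, posture reports
    Rule("permit", "tcp", REMEDIATION, 80),  # remediation servers
    Rule("deny", "any", None, None),
]
FULL_ACCESS = [Rule("permit", "any", None, None)]  # "does not block anything"
ACLS = {"Limited_Access": LIMITED_ACCESS, "Full_Access": FULL_ACCESS}

# The authorization policy of the text: posture state -> ACL name carried in the profile
# that ISE returns. Two-ACL design: unknown and non-compliant clients share one ACL.
ACL_FOR_POSTURE = {
    "unknown": "Limited_Access",
    "noncompliant": "Limited_Access",
    "compliant": "Full_Access",
}


def acl_for(posture_state):
    """Posture state -> ACL name; anything unrecognised falls back to Limited_Access
    so a missing or garbled state never results in full access (fail closed)."""
    return ACL_FOR_POSTURE.get(posture_state, "Limited_Access")


def matches(rule, proto, addr, dport):
    return ((rule.proto == "any" or rule.proto == proto)
            and (rule.dst is None or addr in rule.dst)
            and (rule.dport is None or rule.dport == dport))


def decide(acl_name, proto, dst, dport):
    """First matching rule decides; no match at all means deny (the controller's implicit deny)."""
    addr = ipaddress.ip_address(dst)
    for rule in ACLS[acl_name]:
        if matches(rule, proto, addr, dport):
            return rule.action
    return "deny"


def allowed(posture_state, proto, dst, dport):
    """What the controller does with a client packet, given the client's posture state."""
    return decide(acl_for(posture_state), proto, dst, dport) == "permit"


if __name__ == "__main__":
    for state in ("unknown", "noncompliant", "compliant", None):
        print(f"{state!s:13} {acl_for(state):15}",
              "ISE:8443", allowed(state, "tcp", "10.1.1.50", 8443),
              "internal:443", allowed(state, "tcp", "10.1.3.7", 443))
```

Two things the evaluator makes concrete: the trailing deny in Limited_Access (and the implicit deny when no rule matches) keeps an unknown client away from everything except ISE, DNS, DHCP and the remediation servers, and an unrecognised posture state falls back to Limited_Access rather than Full_Access, so a missing attribute in the returned profile never grants full access.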
ISE Configuration
The main purpose of this document is to discuss posture and the integration of ISE NAC with the WLC.
There are so many options, combinations and attributes to configure on ISE that it is tough to cover
them all in this document, so we will discuss only the basic ISE configuration for wireless clients in
order to do posture:-
Administration - Identity Group and Identity (user). Instead of local users, Active Directory can also be
configured as the identity store.
Administration - add the WLC as a network device, with the same shared secret as configured on the WLC.
Policy Elements - Conditions: the Posture Condition.
Policy Elements - Results: Client Provisioning (the agent the client downloads) and the Authorization
profiles (one per posture state, each carrying its ACL name).
Authorization - the policy rules that map each posture state to its authorization profile.
Limitations
Posture for guest users is not supported.
H-REAP local switching is not supported.
No support for WLANs without 802.1X.
The client goes through posture again on a slow roam: when the client is associated using 802.1X
(not WPA2 or CCKM fast roaming) and roams from one WLC to another, the new WLC sends a new
session ID, so the client goes through the posture validation process again.
No support for guest tunneling mobility.
MAC authentication bypass (MAB) is not supported.
VLAN pooling is not supported.
No support for WGB (workgroup bridge) APs.
No support for AP groups.
How ISE differs from NAC-OOB (as per ISE ver 1.0)
ISE is a single-box solution, whereas with NAC-OOB you have to deploy multiple appliances for a
complete solution, such as the Profiler, Guest Server, CAM and CAS.
ISE uses the RADIUS protocol; NAC-OOB uses SNMP.
In ISE the client is restricted by pushing an ACL. A VLAN can also be pushed to the client, but a VLAN
change after posture validation is not yet supported for wireless clients as of WLC 7.0.116.0.
Since ISE uses RADIUS, the WLAN has to be configured with 802.1X security. NAC-OOB, on the other
hand, supports all types of security.
Related Information
We have two videos from Hemant Sharma. Hemant is a software engineer in the Wireless Business Unit at
Cisco.
Related Links
ISE - http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_overview.html
WLC - http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_security_sol.html