Cisco ISE 2.0 – Employee Authentication Based on 802.1x (User auth)

This is a 4-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).
For more guides about configuring (previous) Cisco ISE, see this page. This is part 2, creating authentication and authorization policies.
Create authentication policy

  1. Navigate to Policy, Authentication
  2. Edit Wired_802.1X to include Wireless_802.1X, and select the “ehlo.lan” domain store.

Create authorization policy

  1. Navigate to Policy, Authorization
  2. Configure to include the following:

Picture2
Configure Controller WLAN Profile – 802.1x (Employee access)

  1. Navigate to WLAN, add a WLAN with the following settings:
    1. Status: Enabled
    2. Radio Policy: X
    3. Interface: X
    4. Security, Layer 2, WPA2, AES, 802.1x
    5. Security, Layer 3, None
    6. Security, AAA, select the ISE server IP for authentication & accounting
    7. Advanced, Allow AAA Override, NAC State: None
    8. DHCP Address Assignment: Required

My thought
Configuring these kinds of policies is really straightforward and easy to understand. In general, the documentation about Cisco ISE is not as common as for other Cisco products (yet), but they’re still working on that. Luckily, it’s not so hard to configure these policies if you have a good starting point, as described in this blog.
That’s it! In the next blog post we start configuring the policies for guest access on the Cisco WLC.
Thanks to Dominique Hermans (follow him on Twitter) for his great help with these Cisco ISE 2.0 blog posts!
