This is a four-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).
For more guides about configuring (previous) Cisco ISE, see this page. This is part 3, configuring the Cisco WLC for guest access.
Configure WLANs on WLC
1. Navigate to WLANs, Create new
2. Configure General Settings:
It took some time this morning to configure a RADIUS or TACACS server for management access to a Cisco WLC. So, let’s write a short how-to:
- Log in to the WLC and click Security – AAA – TACACS+ (or RADIUS) – Authentication
- Click New and enter:
  - Server IP Address – IP address of the TACACS server
  - Shared secret – The shared secret configured on the TACACS server
- If you’re using TACACS, click Authorization and enter the same Server IP Address and Shared Secret. Configuring accounting is optional.
- Click Security – Priority order – Management user and make sure TACACS (or RADIUS) is at the top of the list
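The same steps can be entered from the WLC command line. The following is an added example, not part of the original post: it assumes an AireOS-based WLC, server index 1 and the default TACACS+ port 49, and uses a placeholder server address (192.0.2.10) and a placeholder shared secret.

```text
# Annotated AireOS CLI session; lines starting with # are notes, not commands.
# Assumed values: index 1, server 192.0.2.10 (placeholder), port 49,
# <shared-secret> = the secret configured on the TACACS+ server.

# Authentication server (Security - AAA - TACACS+ - Authentication)
config tacacs auth add 1 192.0.2.10 49 ascii <shared-secret>

# Authorization server: same IP address and shared secret
config tacacs athr add 1 192.0.2.10 49 ascii <shared-secret>

# Accounting server (optional)
config tacacs acct add 1 192.0.2.10 49 ascii <shared-secret>

# Management user priority order: TACACS+ first, local accounts after it
config aaa auth mgmt tacacs local

# Verify the configured servers and the resulting order
show tacacs summary
show aaa auth
```

Test a TACACS+ login in a second session before closing the current one, so a mistyped shared secret or server address is caught while you still have access.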
This is a Cisco ISE blog post series with some how-tos for configuring the ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 7: Configuring wireless network devices
First, add the WLC as a RADIUS client.
Click: Administration – Network Resources – Network Devices. Click Add and create a network device object.
Click Select Existing condition from library, select condition, navigate to Compound condition and select wireless_802.1x.
Click Select Network Access, Allowed Protocols – Default network access. Make sure PEAP is available in this network access rule.
For the authorization profiles, click Policy – Policy Elements – Results.
Make sure you select the correct Airespace ACL name.
Create an authorization policy that assigns the authorization profile. Click Policy – Authorization. Insert a new row.
Create a new rule, select the “wireless_802.1X” compound condition from the library. To check if the user is also a domain member, add another attribute. Click Select Attribute – <domain> – <usergroup>
Browse to the WLC web interface.