In this article we’ll explore the configuration of Cisco ISE as an internal Radius server.
- Setting Device Groups
- Configuring the network device (the Radius client)
- Setting internal users
- Preparing the Authentication policy
- Setting a compound authorization policy
- Setting the Allowed Protocols
- Setting the downloadable ACL
- Setting Authorization Profiles
- Setting the Policy Set
Setting Device Groups
Go to Administration -> Network Resources -> Network Device Groups
Configuring the network device
Setting internal users
“Employee” is a pre-defined user group.
Preparing the Authentication policy
We’ll use the pre-built Wired_802.1X authentication policy which is enough for what we are going to do.
Setting a compound authorization policy
When a user authenticates through the Radius client, the authorization policy is evaluated. Our authorization policy will be compound. Here is a sample one.
I did not use the default Wired_802.1x authorization policy because I want some customized parameters.
Setting the Allowed Protocols
I’ll define a set of allowed protocols, which will be used to negotiate 802.1X and Radius, when the authentication policy conditions are met.
Setting the downloadable ACL
Although the dACL did not work in my home lab, I’ll mention it for completeness.
Setting Authorization Profiles
Authorization profiles are applied when the conditions of an authorization policy match. Here I give the example of an authorization profile that leverages the dACL we created before (EMPLOYEE-ONLY) and sets the VLAN that will be assigned to the successfully-authorized port.
Setting the Policy Set
I created a policy set with a general-matching condition, just to fire it up in the ISE matching logic.
My primary constructs within the policy set are:
- the authentication policy: wired-dot1x
- the authorization policy: Employee-access
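The ISE side described above only works if the switch is configured as the matching RADIUS client. The following is an added example of a minimal Cisco IOS switch configuration, not configuration from the original article; the ISE address (192.0.2.10), the shared secret, the source VLAN interface and the access port name are placeholders, and the `ip device tracking` command is the classic IOS form (newer IOS-XE releases use `device-tracking` policies instead).

```cisco
! Added example (not from the original article): a Cisco IOS switch acting as
! RADIUS client of ISE with 802.1X on one access port. Address, secret and
! interface names are placeholders to replace with your own values.
aaa new-model
!
! 802.1X authentication, network authorization (required for the VLAN and
! dACL returned by the authorization profile) and accounting via RADIUS.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! The ISE policy service node. The shared secret must match the one entered
! for this switch under Administration -> Network Resources -> Network Devices.
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
!
! Send Cisco vendor-specific attributes (cisco-av-pair carries the dACL name)
! and source RADIUS traffic from the address registered in ISE.
radius-server vsa send authentication
radius-server vsa send accounting
ip radius source-interface Vlan10
!
! A dACL is installed per client IP address, so the switch must learn that
! address; without device tracking the dACL is downloaded but never applied.
ip device tracking
!
! Enable 802.1X globally, then on the access port.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
```

Two things to check when a session authenticates but the expected VLAN or dACL does not appear: the network device entry in ISE must use the same shared secret and the IP address the switch actually sources RADIUS from, and `aaa authorization network` plus device tracking must both be present, since ISE can return the authorization profile correctly while the switch silently ignores the attributes.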