Cisco ISE Internal Radius Server Configuration for 802.1X

In this article we’ll explore the configuration of Cisco ISE as an internal Radius server.

  • Setting Device Groups
  • Configuring the network device (the Radius client)
  • Setting internal users
  • Preparing the Authentication policy
  • Setting a compound authorization policy
  • Setting the Allowed Protocols
  • Setting the downloadable ACL
  • Setting Authorization Profiles
  • Setting the Policy Set

Setting Device Groups

Go to Administration -> Network Resources -> Network Device Groups

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_24_51]


Configuring the network device

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_27_09]

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_27_24]
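The page shows only the ISE side of the RADIUS client relationship (the network device entry with its IP and shared secret). The following is an added example, not the author's own configuration, of the matching Cisco IOS access-switch configuration that points 802.1X at ISE; the ISE address 192.0.2.10, the server name ISE-PSN, the interface GigabitEthernet1/0/1 and the shared-secret placeholder are assumptions.

```ios
! Added example: IOS access switch acting as RADIUS client of ISE.
! Assumptions: ISE policy node at 192.0.2.10, shared secret identical to the
! one entered on the ISE Network Device page, access port Gi1/0/1.
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" lets the switch apply the VLAN and dACL attributes
! carried in the Access-Accept; without it the authorization profile has no effect.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! The dACL name travels in a Cisco vendor-specific attribute (cisco-av-pair),
! so VSAs must be exchanged, and device tracking must learn the host IP so the
! switch can rewrite the dACL source with it. Both are common reasons a dACL
! is accepted by the session but never installed on the port.
radius-server vsa send authentication
radius-server vsa send accounting
ip device tracking
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
```

The shared secret and the IP address configured here must match what is entered on the ISE Network Device page; a mismatch shows up on ISE as a failed authentication from an unknown or mis-keyed network device rather than as a policy miss.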

Setting internal users

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_29_39]

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_29_50]

“Employee” is a pre-defined user group.

Preparing the Authentication policy

We’ll use the pre-built Wired_802.1X authentication policy which is enough for what we are going to do.

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_32_44]

Setting a compound authorization policy

Once a user has been authenticated, ISE evaluates the authorization policy. Our authorization policy will be compound, i.e. it combines several conditions. Here is a sample one.

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_34_18]

I did not use the default Wired_802.1X authorization policy because I want some customized parameters.

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_35_36]

Setting the Allowed Protocols

I’ll define a set of allowed protocols (the authentication methods ISE will accept during the 802.1X/Radius exchange), which is applied once the authentication policy conditions are met.

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_38_05]

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_38_21]

Setting the downloadable ACL

Although the dACL did not work in my home lab, I’ll mention it for the completeness of information.

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_42_36]

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_42_48]

Setting Authorization Profiles

Authorization profiles are the result returned when the authorization policy’s conditions match. Here I give the example of an authorization profile that leverages the dACL we created before (EMPLOYEE-ONLY) and sets the VLAN that will be assigned to the successfully authorized port.

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_43_57]

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_44_22]
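An added note, not part of the original post, on what this profile produces and how to check it on the switch (this also covers the dACL section above, where the author reports the dACL not taking effect): for a profile like the one shown, ISE returns the VLAN in the standard tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = the VLAN) and the dACL name in a Cisco vendor-specific attribute; the switch then fetches the ACL body from ISE and installs a per-port copy. The dACL body below is a constructed example of what would be typed into the ISE dACL editor for EMPLOYEE-ONLY, and the interface name and 192.0.2.0/24 server subnet are assumptions.

```ios
! Constructed dACL body for EMPLOYEE-ONLY, as entered in the ISE dACL editor.
! The source is always "any": the switch substitutes the authenticated host's
! IP when it installs the ACL, which is why it needs device tracking.
permit udp any any eq 53
permit tcp any 192.0.2.0 0.0.0.255 eq 443
deny   ip  any any
!
! On the switch, after the supplicant has authenticated on Gi1/0/1 (assumed):
! check the session status, the applied VLAN and the "ACS ACL" field, which
! names the downloaded dACL.
show authentication sessions interface GigabitEthernet1/0/1 details
!
! The per-port copy of the dACL, with "any" rewritten to the host IP.
! If the session is authorized with the right VLAN but no ACL is listed here,
! the usual causes are a missing "aaa authorization network default group radius",
! "radius-server vsa send authentication" or "ip device tracking".
show ip access-lists interface GigabitEthernet1/0/1
```

A session that is Authorized with the expected VLAN but without an ACL entry means the VLAN part of the profile was honoured while the dACL part was not, which narrows a home-lab failure like the one described above to the switch side rather than to the ISE policy.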

Setting the Policy Set

I created a policy set with a general-matching condition, just to fire it up in the ISE matching logic.

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_47_37]

My primary constructs within the policy set are:

  • the authentication policy: wired-dot1x
  • the authorization policy: Employee-access

[Screenshot: cisco-ise-internal-radius-server-2017-08-06 22_48_37]

