CISCO ISE Integration
Enable Your Switch to Support Standard Web Authentication
Ensure that you include the following commands in your switch configuration to enable standard web authentication
functions for Cisco ISE, including provisions for URL redirection upon authentication:
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.2.3
ip http server
! Must enable HTTP/HTTPS for URL-redirection on port 80/443
ip http secure-server
! Note: these two commands also expose the switch's own web management interface to clients.
! Restrict management access separately (for example, ip http authentication aaa, and on platforms
! that support it, ip http active-session-modules none) so that enabling URL redirection does not
! open the switch GUI to endpoints.
Define Local Username and Password for Synthetic RADIUS Transactions
Enter the following command to define the local account that lets the switch talk to the Cisco ISE node as though it
is the RADIUS server for this network segment. The username and password shown are placeholders and must be
replaced. The 0 marks a type-0 (unencrypted) password, which is stored in cleartext in the configuration; prefer
username <name> secret <password>, which stores a hash, or at least enable service password-encryption:
username test-radius password 0 abcde123
Configure NTP Server for Accurate Log and Accounting Timestamps
Ensure that you specify the same NTP server on the switch as you have set in Cisco ISE by entering the following
command:
ntp server <IP_address>|<domain_name>
Command to Enable AAA Functions
Enter the following commands on the switch to enable the various AAA functions between the switch and Cisco ISE,
including 802.1X and MAB authentication functions:
aaa new-model
! Creates an 802.1X port-based authentication method list
aaa authentication dot1x default group radius
! Required for VLAN/ACL assignment
aaa authorization network default group radius
! Authentication & authorization for webauth transactions
aaa authorization auth-proxy default group radius
! Enables accounting for 802.1X and MAB authentications
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
! Update AAA accounting information periodically every 1440 minutes
aaa accounting update periodic 1440
aaa accounting system default start-stop group radius
!
RADIUS Server Configuration on the Switch
Configure the switch to interact with Cisco ISE as the RADIUS source server by entering the following
commands:
!
radius server <ISE Name>
! ISE Name is the name of the ISE PSN. Note the command is "radius server" (no hyphen); the older
! "radius-server host" form does not take the address/key sub-commands used here.
 address ipv4 <ip address> auth-port 1812 acct-port 1813
 ! IP address is the address of the PSN. This example uses the standard RADIUS ports.
 key <passwd>
 ! passwd is the shared secret configured for this switch in Cisco ISE; it must match exactly on both sides
 exit
Enable Switch to Handle RADIUS Change of Authorization (CoA)
Specify the settings to ensure the switch can appropriately handle RADIUS CoA behavior and related posture functions on
Cisco ISE by entering the following commands:
aaa server radius dynamic-author
 client <ISE-IP> server-key 0 abcde123
! The client entry is a sub-command of dynamic-author mode. server-key is a placeholder here and must match the
! shared secret configured for this switch in Cisco ISE. CoA uses UDP port 1700 by default on both ISE and the switch.
Enable Device Tracking and DHCP Snooping on Switch Ports
To help provide optional security-oriented functions from Cisco ISE, enable device tracking and DHCP snooping for IP
substitution in dynamic ACLs on switch ports by entering the following commands:
! Optional
ip dhcp snooping
! Required
! Configure the device tracking policy
device-tracking policy <DT_POLICY_NAME>
 no protocol ndp
 tracking enable
! Bind it to the interface
interface <interface_id>
 device-tracking attach-policy <DT_POLICY_NAME>
Enabling DHCP snooping globally is not enough on its own: the IOS sensor does not include the DHCP attributes in
RADIUS accounting sent to Cisco ISE unless DHCP snooping is also active on the endpoint VLANs. Enable DHCP snooping
on the relevant VLANs with the following commands:
ip dhcp snooping
ip dhcp snooping vlan 1-100
Enable 802.1X Port-Based Authentication for Switch Ports
Enter the following commands to turn on 802.1X authentication for switch ports, globally:
dot1x system-auth-control
Enable EAP for Critical Authentications
To support supplicant authentication requests over the LAN, enable EAP for critical authentications (Inaccessible
Authentication Bypass) by entering the following command:
dot1x critical eapol
Throttle AAA Requests Using Recovery Delay
In the case of a critical authentication recovery, configure the switch to automatically introduce an authentication delay (in
milliseconds) to ensure Cisco ISE can launch services again after recovery. Use the following command:
authentication critical recovery delay 1000
VLAN Definitions Based on Enforcement States
Enter the following commands to define the VLAN names, numbers, and Switch Virtual Interfaces (SVIs) that correspond
to the enforcement states in your network, and create the respective VLAN interfaces so that traffic can be routed
between them. Separate VLANs are especially useful where an endpoint (such as a PC or laptop) and the IP phone through
which it connects share the same switch port, for example:
vlan <VLAN_number>
 name ACCESS
!
vlan <VLAN_number>
 name VOICE
!
interface Vlan<VLAN_number>
 description ACCESS
 ip address 10.1.2.3 255.255.255.0
 ip helper-address <DHCP_Server_IP_address>
 ! The second helper address forwards a copy of client DHCP requests to Cisco ISE for profiling
 ip helper-address <Cisco_ISE_IP_address>
!
interface Vlan<VLAN_number>
 description VOICE
 ip address 10.2.3.4 255.255.255.0
 ip helper-address <DHCP_Server_IP_address>
Local (Default) Access List (ACL) Definitions on the Switch
Enable these functions on older switches (with Cisco IOS software releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to
perform the dynamic ACL updates required for authentication and authorization by entering the following commands:
ip access-list extended ACL-ALLOW
 permit ip any any
!
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Allow HTTP/S to ISE and WebAuth portal
 permit tcp any host <Cisco_ISE_IP_address> eq www
 permit tcp any host <Cisco_ISE_IP_address> eq 443
 permit tcp any host <Cisco_ISE_IP_address> eq 8443
 permit tcp any host <Cisco_ISE_IP_address> eq 8905
 permit udp any host <Cisco_ISE_IP_address> eq 8905
 permit udp any host <Cisco_ISE_IP_address> eq 8906
 permit tcp any host <Cisco_ISE_IP_address> eq 8080
 permit udp any host <Cisco_ISE_IP_address> eq 9996
 remark Drop all the rest
 deny ip any any log
!
! The ACL to allow URL-redirection for WebAuth. In a redirect ACL the semantics are inverted relative to a
! filtering ACL: permit entries select the traffic that is redirected to the portal, deny entries let traffic
! pass without redirection. As written, this list also redirects HTTP/HTTPS destined for Cisco ISE itself;
! in practice, deny entries for DNS and for the Cisco ISE PSN are placed ahead of the permits so that
! portal and name-resolution traffic is not redirected.
ip access-list extended ACL-WEBAUTH-REDIRECT
 permit tcp any any eq www
 permit tcp any any eq 443
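To make the difference between the filtering ACL and the redirect ACL concrete, the following is an added example (not Cisco's or this page's own code): a small first-match evaluator for the ACL entries above. It parses the entry shapes the page uses (any, host, address plus wildcard, optional eq port, trailing log), applies the implicit deny at the end of every IOS ACL, and for the redirect list treats a matching permit as "redirect this flow". ISE_IP (10.1.2.10), the client address and the Internet destination are assumed placeholders, and the hardened redirect ACL adds the deny entries described in the comment above; none of those values come from the page.

```python
"""First-match evaluator for the ACL-DEFAULT and ACL-WEBAUTH-REDIRECT lists above.

Added example, not Cisco's or this page's own code. ISE_IP and the sample
client/destination addresses are assumed placeholders.
"""
import ipaddress

ISE_IP = "10.1.2.10"        # assumed stand-in for <Cisco_ISE_IP_address>
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69, "www": 80}

# ACL-DEFAULT as written on this page, with the ISE placeholder filled in.
ACL_DEFAULT = f"""
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit tcp any host {ISE_IP} eq www
permit tcp any host {ISE_IP} eq 443
permit tcp any host {ISE_IP} eq 8443
permit tcp any host {ISE_IP} eq 8905
permit udp any host {ISE_IP} eq 8905
permit udp any host {ISE_IP} eq 8906
permit tcp any host {ISE_IP} eq 8080
permit udp any host {ISE_IP} eq 9996
deny ip any any log
"""

# Redirect ACL exactly as on the page ...
ACL_WEBAUTH_REDIRECT = """
permit tcp any any eq www
permit tcp any any eq 443
"""
# ... and with the deny entries commonly added so DNS and the portal itself are not redirected.
ACL_WEBAUTH_REDIRECT_HARDENED = f"""
deny udp any any eq domain
deny ip any host {ISE_IP}
permit tcp any any eq www
permit tcp any any eq 443
"""


def _parse_addr(tok, i):
    """Return (network, next index) for 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))          # IOS inverse mask
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2


def _parse_port(tok, i):
    """Return (port or None, next index) for an optional 'eq <name|number>'."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return PORT_NAMES.get(name) or int(name), i + 2
    return None, i


def parse_acl(text):
    """Parse entries into (action, protocol, src net, src port, dst net, dst port)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in aces:
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"


def permitted(acl_text, proto, src, dst, sport=None, dport=None):
    """True if a normal inbound ACL would forward the flow."""
    return evaluate(parse_acl(acl_text), proto, src, dst, sport, dport) == "permit"


def redirected(redirect_acl_text, proto, src, dst, dport):
    """True if a redirect ACL would send the flow to the web authentication portal."""
    return evaluate(parse_acl(redirect_acl_text), proto, src, dst, None, dport) == "permit"


if __name__ == "__main__":
    client, internet = "10.1.2.50", "203.0.113.10"   # constructed sample addresses
    print(permitted(ACL_DEFAULT, "tcp", client, ISE_IP, dport=8443))      # portal reachable
    print(permitted(ACL_DEFAULT, "tcp", client, internet, dport=443))     # everything else dropped
    print(redirected(ACL_WEBAUTH_REDIRECT, "tcp", client, ISE_IP, 443))   # page's list redirects ISE too
    print(redirected(ACL_WEBAUTH_REDIRECT_HARDENED, "tcp", client, ISE_IP, 443))
```

The last two calls show the point of the caveat: with the redirect ACL as printed on the page, an HTTPS connection to the PSN on port 443 matches a permit and is itself redirected, while the hardened list, with the deny for the PSN placed first, leaves it alone and still redirects ordinary web traffic.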
Enable Switch Ports for 802.1X and MAB
To enable switch ports for 802.1X and MAB:
Command to Enable 802.1X based on Identity-Based Networking Services
The following example shows a control policy that is configured to allow sequential authentication methods using
802.1X, MAB, and web authentication.
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
policy-map type control subscriber DOT1XMAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
   30 authorize
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
!
The following example shows a control policy that is configured to allow sequential authentication methods using MAB,
802.1X, and web authentication.
policy-map type control subscriber MABDOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class ALL_FAILED do-until-failure
   10 authentication-restart 60
 event authentication-success match-all
  10 class DOT1X do-until-failure
   10 terminate mab
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
The class ALL_FAILED referenced in the authentication-failure event is not among the class maps defined above; a
matching class-map must be defined before this policy is applied, otherwise the failure event has nothing to match.
Applying the service policy on the interface, using the device tracking policy and default ACL defined earlier on this
page:
interface GigabitEthernet1/0/4
 switchport mode access
 device-tracking attach-policy <DT_POLICY_NAME>
 ip access-group ACL-DEFAULT in
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout auth-period 10
 spanning-tree portfast
 service-policy type control subscriber DOT1XMAB
Enable EPM Logging
Set up standard logging functions on the switch to support possible troubleshooting and recording for Cisco ISE
functions:
epm logging
Enable SNMP Traps from the Switch to Cisco ISE
Configure the SNMP community that Cisco ISE uses to query the switch, and set the VLAN interface in this network
segment as the source address for the traps the switch sends to Cisco ISE. The community string public shown here is a
placeholder and is widely known; use a unique string and restrict it with an access list
(snmp-server community <string> RO <acl>):
snmp-server community public RO
snmp-server trap-source Vlan<VLAN_number>
Enable SNMP v3 Query for Profiling on Switch
Configure the switch to ensure SNMP v3 polling takes place as intended to support Cisco ISE profiling services
using the following commands. Before that, configure the SNMP settings in the Cisco ISE GUI in the SNMP
Settings window. To view this window, click the Menu icon and choose Administration > Network
Resources > Network Devices > Add | Edit > SNMP Settings.
snmp-server user <name> <group> v3 auth md5 <string> priv des <string>
snmp-server group <group> v3 priv
snmp-server group <group> v3 priv context vlan-1
! MD5 and DES are shown as on the original page; where the switch and Cisco ISE both support it, use auth sha and
! priv aes 128 instead. Note that snmp-server user lines are not displayed in the running configuration;
! verify them with show snmp user.
If the SNMP request times out and there is no connectivity issue, then you can increase the timeout value.
Enable MAC Notification Traps for Profiler to Collect
Configure your switch to transmit the appropriate MAC notification traps so that the Cisco ISE profiler function can collect
information on network endpoints:
mac address-table notification change
mac address-table notification mac-move
! The following two commands are entered in interface configuration mode on each access port:
snmp trap mac-notification change added
snmp trap mac-notification change removed
Configure RADIUS Idle-Timeout on the Switch
To configure the RADIUS idle-timeout on a switch, use the following interface command:
Switch(config-if)# authentication timer inactivity <seconds>
where <seconds> is the interval of inactivity after which the client session is considered unauthorized and is
cleared. Use authentication timer inactivity server instead to take the value from the RADIUS Idle-Timeout attribute
that Cisco ISE returns.
In Cisco ISE, you can enable this option for any authorization profile to which such a session inactivity timer should
apply. In the Cisco ISE GUI, click the Menu icon and choose Policy > Policy Elements > Results > Authorization >
Authorization Profiles.
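Before turning to the wireless controller, the switch-side steps above can be checked mechanically against a saved running configuration. The following is an added example (not Cisco's or this page's own code): it audits a configuration for the global commands the sections above require and flags two settings a reviewer would question, the public SNMP community and a type-0 (plaintext) local password. The running-config embedded in it is a constructed sample, not output from a real device, and the PSN name, address and policy name in it are assumed values. SNMPv3 users are deliberately not checked because IOS omits snmp-server user lines from the running configuration.

```python
"""Audit a switch running-config against the Cisco ISE prerequisites on this page.

Added example, not Cisco's or this page's own code. Matching is by command
prefix, so site-specific values (PSN address, policy names) need not be known.
"""
import re

# (command prefix, section of this page it comes from)
REQUIRED = [
    ("ip http server", "web authentication URL redirection"),
    ("ip http secure-server", "web authentication URL redirection"),
    ("aaa new-model", "AAA"),
    ("aaa authentication dot1x default group radius", "AAA"),
    ("aaa authorization network default group radius", "AAA"),
    ("aaa authorization auth-proxy default group radius", "AAA"),
    ("aaa accounting dot1x default start-stop group radius", "AAA"),
    ("aaa server radius dynamic-author", "RADIUS CoA"),
    ("dot1x system-auth-control", "802.1X global enable"),
    ("dot1x critical eapol", "critical authentication"),
    ("device-tracking policy", "device tracking"),
    ("epm logging", "EPM logging"),
    ("mac address-table notification change", "profiler MAC notifications"),
]
RECOMMENDED = [("ip dhcp snooping", "DHCP snooping for dynamic ACL IP substitution")]
REQUIRED_PATTERNS = [
    (re.compile(r"^radius server \S+$"), "RADIUS server definition for the ISE PSN"),
    (re.compile(r"^ntp server \S+"), "NTP server"),
]
WEAK_PATTERNS = [
    (re.compile(r"^snmp-server community public "),
     "SNMP community 'public' in use; use a unique string and restrict it with an ACL"),
    (re.compile(r"^username \S+ password 0 "),
     "type-0 plaintext local password; use 'username <name> secret <password>'"),
]


def _has_command(lines, prefix):
    """True if some line is the command itself or the command followed by arguments."""
    return any(ln == prefix or ln.startswith(prefix + " ") for ln in lines)


def audit(config_text):
    """Return (severity, message) findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings = []
    for cmd, section in REQUIRED:
        if not _has_command(lines, cmd):
            findings.append(("missing", f"{cmd} ({section})"))
    for cmd, section in RECOMMENDED:
        if not _has_command(lines, cmd):
            findings.append(("recommended", f"{cmd} ({section})"))
    for pat, what in REQUIRED_PATTERNS:
        if not any(pat.search(ln) for ln in lines):
            findings.append(("missing", what))
    for pat, what in WEAK_PATTERNS:
        if any(pat.search(ln) for ln in lines):
            findings.append(("weak", what))
    return findings


# Constructed sample (not a real device): the page's commands with two omissions
# (no dot1x system-auth-control, no CoA client) and two weak settings.
SAMPLE_CONFIG = """
ip http server
ip http secure-server
username test-radius password 0 abcde123
ntp server 10.1.2.4
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN-1
 address ipv4 10.1.2.10 auth-port 1812 acct-port 1813
 key abcde123
ip dhcp snooping
device-tracking policy IPDT_POLICY
 no protocol ndp
 tracking enable
dot1x critical eapol
epm logging
snmp-server community public RO
mac address-table notification change
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:12} {message}")
```

Run against the sample, the audit reports the two missing global commands and the two weak settings; once the missing lines are added only the weak findings remain, which is the state a reviewer would expect to see before signing off on the credentials themselves.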
Wireless Controller Configuration for iOS Supplicant Provisioning
For Single SSID
To support Apple iOS-based devices (iPhone or iPad) switching from one SSID to another on the same wireless
access point, configure the Wireless Controller to enable the FAST SSID change function. This function helps
ensure iOS-based devices can switch between SSIDs quickly.
For Dual SSID BYOD
Fast SSID must be enabled to support dual SSID BYOD. When fast SSID changing is enabled, the Wireless
Controller allows clients to move faster between SSIDs. When fast SSID is enabled, the client entry is not
cleared and the delay is not enforced.
Example Wireless Controller Configuration
On an AireOS-based Wireless Controller, enable fast SSID change from the CLI with:
(Cisco Controller) >config network fast-ssid-change enable
You might see the following error message while trying to connect to a wireless network for some of the Apple
iOS-based devices:
Could not scan for Wireless Networks.
You can ignore this error message because this does not affect the authentication of the device.
Configure ACLs on Wireless Controllers for MDM Interoperability
Configure ACLs on the Wireless Controller for use in an authorization policy to redirect nonregistered devices and certificate
provisioning. Your ACLs must be in the following sequence.
Example
The following example shows the ACLs for redirecting a nonregistered device to the BYOD flow. In this
example, the Cisco ISE IP address is 10.35.50.165, the internal corporate network IP addresses are 192.168.0.0
and 172.16.0.0 (to redirect), and the MDM server subnet is 204.8.168.0.
Figure : ACLs for Redirecting Nonregistered Device