FlexConnect & ISE ACLs - AAA Override/RADIUS NAC

Hi Chaps,
I have 3 ACLs configured on a WLC for CWA, Corp and Guest users. On local mode APs, these are called up using the Airespace fields in the ISE policies, dependent on which rule is hit.
ACL-WEBAUTH-REDIRECT
ACL-PERMIT-CORP-TRAFFIC
ACL-PERMIT-GUEST-TRAFFIC
Will FlexConnect APs call up the ACLs in the same way as local mode APs, as the WLAN will be AAA Override/RADIUS NAC, or will FC ACLs be required?
Cheers,
N

I believe you need to create Flex ACLs on the WLC. These Flex ACLs can be called the same as the regular ACLs, so in ISE you wouldn't have to change the auth profile.

Similar Messages

  • Ise radius/nac

    Can ISE 1.1 act as a RADIUS for WGB through WLC?
    Thank you

    Tarik,
    Thanks for your answer, here is the problem !!!
    In order to do PROFILING/POSTURING and all that for wireless clients here is what's needed:
    Need to go to WLC (wireless controller) and choose RADIUS/NAC for the SSID.
    So SSID = test RADIUS/NAC - then all normal clients go through ISE and get postured and profiled and all that works fine except...
    WGBs cannot connect to SSID=test at all and they do not appear on ISE as an attempt at all.
    As soon as I remove the RADIUS/NAC option from the WLC, the WGB connects, shows up on ISE fine and gets authenticated ---> you would say "well, there you go, that's your problem"; well yeah, but if I DISABLE the RADIUS/NAC option on the WLC I lose the ability to control normal users that connect to SSID=test, so it would just be PERMIT/DENY ACCESS based on username, and the whole point of ISE would be gone; it would just be ACS or a simple RADIUS server.
    Do you get my point?
    Thank you.
    P.S. So for me to POSTURE/PROFILE wireless clients I need to use the RADIUS/NAC option, and for WGBs I have to set up a NEW SSID and leave that SSID without the RADIUS/NAC option so it can only authenticate through ISE and not posture/profile clients, and I do not need to posture/profile clients behind the WGB (it would be great but I don't necessarily need to, and I know they don't support CoA Change of Access attribute in RADIUS).

  • ISE 1.2 rejects RADIUS messages from vWLC

    Hello,
    I have an ISE appliance with the Wireless license. The Cisco vWLC is configured to send Radius traffic to the device, but is getting the error message:
    11054 Request from a non-wireless device was  dropped due to installed Wireless license
    The vWLC is showing up under endpoints as a VMWARE workstation, and not a WLC, and so under the licensing requirements will not allow RADIUS to be received from anything other than a WLC. I tried hard-coding the policy to match a Cisco WLC with a condition of matching its MAC address, and even disabled the VMWARE profile policy, but the endpoint then only matches the "Unknown" policy. Any ideas?

    Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)
    Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:
    test aaa group radius new-code
    If this test command is successful, you should see the following attributes:
    Connect port
    Connect NAD IP address
    Connect Policy Service ISE node IP address
    Correct server key
    Recognized username or password
    Connectivity between the NAD and Policy Service ISE node
    You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. (For example, to test whether or not user credentials may be the source of the problem, enter a username and/or password that you know is incorrect, and then look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.)
    Note: This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.

  • Radius NAC VLAN select support

    Hi all,
    I have dug through the WLC documentation for 7.3, and in the chapter about RADIUS NAC I read that the VLAN select feature is not supported.
    Does anyone know if this will change?
    VLAN select is actually a useful feature and I wouldn't understand if NAC support over the ISE won't be possible.
    Hope someone can shed some light on this.
    Regards,
    Patrick

    I think with radius the vlan select and dynamic vlan assignment are two different topics. You can have ISE set users on different vlans within the same WLAN as long as the interface is present on the controller. I have tested this and works just fine.
    The VLAN select may be a topic that the wireless folks can shed some light on.
    Thanks
    Tarik Admani
    *Please rate helpful posts*

  • AAA using RADIUS

    Good morning all,
    I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
    Dwane

    For routers and IOS switches:
    aaa new-model
    aaa authentication banner *Unauthorized Access Prohibited*
    aaa authentication login default group radius
    radius-server host 10.10.10.10 (your acs device)
    radius-server key cisco123
    radius-server configure-nas
    username nmg password telnet
    aaa authentication ppp dialins group radius local
    aaa authentication login nmg local
    aaa authorization network default group radius local
    aaa accounting network default start-stop group radius
    aaa processes 16
    line 1 16
    login authentication
    For CatOS switches:
    set radius-server 10.10.10.10
    show radius
    set radius key cisco123
    set authentication login radius enable
    set authentication enable radius enable
    show authentication
    set radius timeout 5
    set radius retransmit 3
    set radius deadtime 3
    For Pix Firewalls:
    aaa authentication ssh console radius LOCAL
    aaa authentication telnet console radius LOCAL
    aaa-server radgroup protocol RADIUS
    max-failed-attempts 2
    reactivation-mode depletion deadtime 5
    exit
    (NOTE: This will depend on the location of the PIX firewall)
    aaa-server radgroup (inside) host 10.10.10.10
    key XXXXXXX
    exit
    aaa-server radgroup(inside) host 10.10.10.10
    key XXXXXX
    exit
    This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
    If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the RADIUS IETF attributes: ensure that [006] Service-Type is checked, scroll down to Administrative, and click Submit & Restart.
    Hope this helps some. I had a lot of help from Cisco TAC on this.
    Dwane

  • AAA with RADIUS on ASA

    Hey Everyone,
    I am configuring AAA with RADIUS on our remote ASA firewalls.  This is pretty straight forward, but I have some firewalls that this is not working on.  I have upgraded the IOS image on the ASA 5510 to ASA804-K8.BIN on all of them.  The strange part is some of them are working and some of them are not working.
    Just wondering if anyone else has come across this before and what info do you need to give me an assist.
    Thanks in advance,
    Kimberly

    Hi Kimberly,
    just curious: why 8.0.4 and not 8.0.5 ?
    What are you using radius for ? What is the radius server? Did you configure all the ASAs on the radius server(s) ? Did you use the correct shared secret?
    Is there anything different between the working ASAs and the failing ones? Configuration, location in the network, etc?
    If the above doesn't help please post the config of a failing ASA (or at least the relevant parts, and make sure to remove any sensitive data) and the output of:
    debug radius
    debug aaa authen
    debug aaa common 254
    You can test just the radius part with the cli command "test aaa-server authentication ..."
    hth
    Herbert

  • WLC, FlexConnect, ISE: Dynamic VLAN not working

    Hi,
    Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
    Equipment:
    WiSM2 7.2.111.3
    ISE 1.1.1.268
    AP 3502 in FlexConnect
    What I want to achieve:
    One SSID, multiple VLANs
    Devices get profiled in ISE and, based on the type of device, each gets assigned to a VLAN
    Problem:
    When the device connects the first time it ends up in native VLAN and not switched to the right VLAN, but when I reconnect then it is added to the right VLAN.
    WLC config (I know you like images so here you go ):
    I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connect the first time.
    In ISE I have an Authorization Profile that just says VLAN ID/Tag 158 (the VLAN that the device should go to), and it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
    When the client connects I get three events in ISE:
    1.
    Authentication failed :
    22056 Subject not found in the applicable identity store(s)
    2. Authentication Success. With the results:
    UserName=00:18:DE:A2:BC:3A
    User-Name=00-18-DE-A2-BC-3A
    State=ReauthSession:c20e8b2f0000027e50ed27f8
    Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
    Termination-Action=RADIUS-Request
    Tunnel-Type=(tag=1) VLAN
    Tunnel-Medium-Type=(tag=1) 802
    Tunnel-Private-Group-ID=(tag=1) 158
    cisco-av-pair=profile-name=AX-Intel-Device
    3.
    Dynamic Authorization failed :
    11213 No response received from Network Access Device
    Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
    Regards,
    Philip

    I think you're hitting CSCua58554
    The bugtoolkit description is horrible....  From what I recall when I ran into it, I believe that Flex connect is having a problem with Mac filtering based AAA override on open wlans (and/or CWA based).  In general, AAA override works fine when it is from like an eap authentication.
    We had to use a 7.3 ES to resolve it.....
    Looks like it is implemented in 7.4 though..... If you don't want to join the 7.4 bandwagon quite yet, you could ask TAC for an ES of 7.3; I don't think they have a 7.2 build.

  • ISE and AAA configuration

    Hi Guys,
    I am using ISE with only one server as primary, and as Cisco says it has the functionality of (ACS + NAC). I want to enable AAA services on the ISE box right now.
    I used ACS earlier and want to configure the same functions on it:
    Authentication of devices from ISE when remotely logging in to routers/switches/firewalls.
    Authorization of commands from ISE based on user login.
    Accounting of commands and login and logout details of users.
    I have very basic knowledge of ISE, but I used ACS thoroughly.
    Please Help  in the above issue.
    Thanks in Advance
    Regards

    Can you give any link where it shows TACACS is not supported?
    You find that amongst others in the Q&A:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Can you tell where need to enable these settings for AAA services.
    That's a quite complex thing ... Best you start with the ISE policies:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html
    Then look at the ACS migration-tool:
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/migration_guide/ise104_mig_book.html
    But don't expect that the tool will migrate your ACS policies in a useful way ... There is much handwork involved to end up with a good ISE policy.

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together as both TACACS and Radius are different technologies.
    It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and Radius.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, Please review the information as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
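The two RADIUS points made on this page, that only User-Password is hidden while everything else (including the tagged Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID attributes that carried VLAN 158 in the FlexConnect thread above) travels in the clear, and that a NAD only detects a wrong shared secret by checking the Response Authenticator, worked through as an added Python example. This is not code from the original posts or from Cisco; the shared secret, packet identifier and MAC-style username are constructed values.

```python
import hashlib
import os
import struct

# Constructed demo secret (not from any real deployment); mirrors the
# placeholder "cisco123" used in the AAA configuration thread above.
SECRET = b"cisco123"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TAGGED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}
TUNNEL_TYPE_VLAN, MEDIUM_IEEE802 = 13, 6


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR with an MD5 keystream of secret + Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def encode_attrs(attrs):
    """attrs: list of (type, value_bytes) -> TLV-encoded attribute section."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(identifier, username, password, secret, req_auth=None):
    """What a NAD sends: User-Name in the clear, only User-Password hidden."""
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + req_auth + attrs


def build_access_accept(identifier, req_auth, secret, vlan_id, tag=1):
    """Dynamic-VLAN reply: tagged Tunnel-* attributes (RFC 2868, tag in first
    value byte) in the clear, sealed only by the Response Authenticator."""
    attrs = encode_attrs([
        (TUNNEL_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + struct.pack("!I", MEDIUM_IEEE802)[1:]),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, req_auth, secret):
    """NAD-side check: a reply built with the wrong shared secret fails here."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    return packet[4:20] == expected


def parse_attrs(packet):
    """Decode the attribute section into {type: (tag or None, value_bytes)}."""
    pos, length = 20, struct.unpack("!H", packet[2:4])[0]
    result = {}
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        v = packet[pos + 2:pos + l]
        # Tagged attributes carry the tag (0x00..0x1F) in the first value byte.
        result[t] = (v[0], v[1:]) if t in TAGGED and v and v[0] <= 0x1F else (None, v)
        pos += l
    return result


def vlan_from_accept(packet, req_auth, secret):
    """Return the assigned VLAN only when the authenticator verifies and the
    reply really describes a VLAN tunnel; otherwise None."""
    if not verify_response(packet, req_auth, secret):
        return None
    attrs = parse_attrs(packet)
    _, ttype = attrs.get(TUNNEL_TYPE, (None, b""))
    if int.from_bytes(ttype, "big") != TUNNEL_TYPE_VLAN:
        return None
    return int(attrs[TUNNEL_PRIVATE_GROUP_ID][1])
```

Parsing the Access-Request shows the MAB username readable without the secret, which is the "remainder of the packet is unencrypted" point; feeding the wrong secret to vlan_from_accept is the NAD-side symptom of a shared-secret mismatch.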

  • ISE Deployment - Limit on Radius Sources?

    Greetings, 
    I am planning a change to our ISE deployment, and I am curious if there is a limitation to the number of Radius sources that can be added to the running config on the switches and APs.
    The majority of the switches are 2960 series and the APs are 2602 models.   
    Currently, we have two Radius Sources configured as follows:
    aaa group server radius rad_eap
     server X.X.X.X auth-port 1645 acct-port 1646
     server X.X.X.X auth-port 1645 acct-port 1646
    I need to know if I am able to add a third entry to that list, or if there is a hard limitation I am unaware of.
    Thank You.

    ISE questions will probably get more traction in the Security forum.
    That said, the answer is "it depends". It all depends on your design. Is your third server a Policy Services Node or an Inline Posture Node (IPEP)? Either way, one of those would generally be positioned so as to provide profiling, posture and enforcement services working in conjunction with the Admin server(s). If a server is not part of the overall architecture, it will not.
    All new ISE designs should be based on the Cisco-approved High Level Design (HLD) template. If you follow that and develop your Low Level design based on it, many of the typical questions should be answered.
    Hope this helps.

  • Radius Nac

    Hi,
    I am trying to set up a NAC lab with the following architecture:
    - 802.1x on switch ports
    - ACS v5 with an external database (Windows) for machine and user authentication
    - ACS v5 does VLAN assignment and it works great.
    - NAC Manager
    - NAC agent on workstations: tried with CTA or CAA
    I am trying to add a posture validation to check for the presence of an antivirus.
    So I installed a NAC Manager and added an "External Policy Check" on my ACS policy rule.
    The endpoint has CTA or CCA for posture validation.
    It seems ACS doesn't even try to make the request to the manager. I get the following error in ACS:
    STEP_79=15038 Skipping External Policy because of missing or malformed required attributes
    My question is: what do I need to do external posture validation from ACS 5 to a NAC Manager?
    The guide reference I used is : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/common_scenarios.html#wp1053461
    Thanks for your answer
    Regards


  • ISE 1.2 rejects RADIUS messages from 5508 WLC

    The setup in ref is:
    WLC 5508 HA pair running 7.6 talking to ISE 1.2 patch 7 (was 6).
    Wireless users are authenticated fine, so the 5508 is a valid NAD in ISE, but...
    When I setup active RADIUS fallback, so that the WLC can poll the ISE servers I get the message:
    "The RADIUS request from a non-wireless device was dropped because the installed license is for wireless devices only"
    Why would ISE drop a RADIUS message from a WLC which is a wireless device?  Surely this is a mistake?

    Hi Nicholas,
    This is a known defect.
    CSCug34679    ISE drop keep alive coming from WLC. 
    Symptom:
    ISE drops keep alive authentications coming from the WLC, with message 11054 Request from a non-wireless device due to installed wireless license.
    Conditions:
    When only a wireless license is installed on the ISE and active keep alive is used on the WLC.
    Workaround:
    Use passive keep alive on the WLC and not active.
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • ISE 1.2.1 - RADIUS service down after Promoting Secondary PAN

    Hi Experts,
    I have currently a ISE deployment where I run a Dual Node construct (both 3495)
    ISE-1: PAN (Primary), MNT (Secondary), PSN
    ISE-2: PAN (Secondary), MNT (Primary), PSN
    When ISE-1 fails and ISE-2 is promoted to Primary PAN, the services are restarted. This also causes the RADIUS service to go down, which causes a full RADIUS outage. Also, if ISE-1 is online again and is re-promoted, both ISE instances restart the services simultaneously, which includes the RADIUS service. Again a full RADIUS outage.
    An ISE service restart takes about 10-15 minutes.
    Is this "works as designed" or a bug? I think this behavior was different in ACS 5.X.
    Best Regards Michael

    List of working (Y) and Non Working (N) if Primary PAP is down
    Existing internal user radius auth : Y
    Existing/New AD user radius auth : Y
    Existing endpoint with no profile change : Y
    Existing endpoint with profile change : Y
    New endpoint learned via profiling : Y
    Existing guest (LWA) : Y
    Existing guest (CWA) : Y
    Guest - Change Password : N (user must log in using old password)
    Guest - AUP : Y (displayed for every login)
    Guest - Max Failed Login Enforcement : N
    New guest (Sponsored or Self-Registration) : N
    Posture : Y
    New Device Registration : N
    Existing registered device : Y

  • Cut-Through Proxy / Authentication Proxy on Cisco ASA using ISE as AAA Server for allocating SGTs

    Hi,
    We are trying to setup ASA to do cut-through authentication proxy, and use ISE as RADIUS. We can successfully authenticate the user from Radius on the ASA, while he opens a web-page, but then it displays the error: authorization denied.
    What we want:
    ISE to allocate a security group tag to the user session when he logs in; that tag would be carried within our Cisco network infrastructure to define the access policy for that user.
    Can someone please help me with a sort of step by step thing for ISE configuration to allocate SGTs/SGACL for the user session after authentication is completed.
    Thanks
    Lovleen

    Please refer to below step by step config guide for security group access policies
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html

  • Mobility Anchor and AAA Overide VLAN Assignment

    Hello,
    I read some document 2 years ago that dynamic VLAN assignment was not possible with Anchored WLANs. Please I would like to know if this is now possible. The network setup would be as follows:
    1. Foreign and Anchor WLC (5508) with single SSID for both guest and internal users
    2. Cisco ISE 1.2 performing AAA override with VLAN tag based on AD group. Guest will go to VLAN for guest after web authentication.
    Please a speedy response would be helpful.

    Hi grabonlee,
    We have been running an anchor with VLAN override for our Guest services. Works well. The VLAN needs to be defined on both the anchor and the foreign. We are running 7.6.120 code.
