This section is the Radius configuration section. Radius-server host 172.16.10.204 auth-port 1812 acct-port 1813 key ZBISE_INSTALL Radius-server host 172.16.10.203 auth-port 1812 acct-port 1813 key ZBISE_INSTALL Radius-server dead-criteria time 10 tries 3 Radius-server attribute 25 access-request include Radius-server attribute 8 include-in-access-req Radius-server attribute 6 on-for-login-auth Dot1x is of course for authentication while Device Tracking is to find out the IP Addresses for the devices being connected to our NAD. In this section, we enable Dot1x, LLDP, and Device tracking on the switch. The “ aaa server radius dynamic-author” portion is specifically important here because it enables Change of Authorization (CoA) for this Network Access Device.īelow is a screenshot of what we did in our lab. In this first section of configurations we enable Authentication, Authorization, and Accounting (AAA) and configure a number of settings to support it.
aaa new-modelĪaa authentication dot1x default group radiusĪaa authorization network default group radiusĪaa accounting dot1x default start-stop group radiusĪaa accounting update newinfo periodic 2880Ĭlient 172.16.10.203 server-key ZBISE_INSTALLĬlient 172.16.10.204 server-key ZBISE_INSTALL Also, we are not enabling the Device sensor configurations because they are not supported on the IOS version we are running on this Cisco 3750e. The commands may just not be available or they may have a different syntax altogether. NOTE: These configurations may not be the same on your IOS Version or Model of device. Now that we are logged into our switch, we are going to apply the following configurations. For our lab this is our Cisco 3750e and we will utilize the Loopback 0 address of 172.16.0.2 to ssh to it. Launch your favorite SSH / Telnet client and log into your network switch, which is our Network Access Device for this installment. The Global Switch configuration for our Network Access Device: There are a number of configurations that will need to be added to both the 3750 and the ISE Cluster. We are going to add our lab Cisco 3750e switch (172.16.0.2) as a Network Access Device, or NAD, into ISE.
ZBISE05 – Virtual Wireless LAN Controller (vWLC) Install.ZBISE04 – Cisco ISE 2.3 Adding the ISE Cluster to Active Directory.
ZBISE03 – Overview of our Cisco ISE 2.3 Use Cases for the ZBISE Blog Series.ZBISE02 – Building a Cisco ISE 2.3 Distributed Cluster.ZBISE01 – Basic Cisco ISE 2.3 VM Installation.If you haven’t seen these posts yet, you should check them out Here is our reference diagram that we will be using throughout this blog series. We are going to add our Lab Cisco 3750e switch into our ISE Cluster! This is our last blog post for 2017 so lets jump right into it! Additionally, using the interactive graph in the Port Summary Report, users can identify detailed information for each device port.Hey Ziglets, its ISE ISE Baby time!! Today we are continuing with our Cisco ISE 2.3 Blog Series by adding our NADs, or Network Access Devices, into our ISE Cluster. IDA maintains a history of all the previously generated Port Summary Reports. Users can create custom templates and push them to devices. IDA can identify the current IBNS template type on a device and can generate the validation report for the devices configured with IBNS 2.0. A new addition to IDA is generating an elastic template for the critical authentication VLAN parameter. IDA can create an IBNS 2.0 template for ISE use cases. Support for the IBNS 2.0 identity template: For this to work, devices must be associated with “Network Device Profiles.” Then, IDA will identify the device type and analyze the existing configuration. Users can push the configuration to non-Cisco devices and generate validation reports for those devices.