Cisco ISE Security

Cisco ISE: 802.1x AP Authentication

Following my previous ISE post on phones authentication using EAP-TLS, in this new post I’ll show you how to quickly configure the access points for 802.1x authC. This require some specific configurations:

  • They need to enable EAP-FAST as authentication protocol in addition to EAP-TLS and PEAP-MS-CHAPv2.
  • If credentials are stored in the ISE servers, then the internal group must be added to the sequence of internal groups to be checked during the authentication.
  • Authorization rule checks user credentials, authentication tunnel and endpoint profiling:

Configuration steps:

For this to work, previously the Identity Group must be generated from the profiling policy:

  • Create an internal identity group for the credentials the access points will use to authenticate:

  • You can enable 802.1x supplicant per AP or in a global basis. Add the credentials you configured in the previous step:

  • Modify the protocols set and ensure you accept EAP-FAST + EAP-MS-CHAPv2 + EAP-GTC + EAP-TLS: using PACs:

  • Your identity source sequence must include the internal user repository, otherwise it won’t find the “airuser” you just created:

  • Finally, your authentication policy must include the “Wireless 802.1x” condition and should look like this:


Related Posts

No Comments

Leave a Reply