Setting Up Cisco ISE RADIUS

Setting Up Cisco ISE RADIUS

A key benefit to SecureW2’s onboarding solution is the efficiency of its integration by leveraging existing hardware. No forklift upgrades are required to convert to a certificate-based, WPA2-Enterprise network. Along with the security and network visibility benefits of certificates, they can be utilized for SSL inspection, VPN, wired security, and much more, making a certificate platform a valuable multi-use tool at your disposal. The setup below will demonstrate how to integrate with an existing RADIUS to authenticate x.509 certificates for secure Wi-Fi access.

To complete this setup, you need to have already configured:

  • A Cisco ISE RADIUS Server
  • A SecureW2 Network Profile
  • An Identity Provider

We need to setup an Identity Provider in ISE similar to how we had set it up in SecureW2. By this, we mean providing information about our IDP (the LDAP server in this case), such as the IP address, administrator credentials, and port number into Cisco ISE. For detailed information on how Active Directory integrates with Cisco ISE, please refer to Cisco’s official documentation.

 

Adding the SecureW2 Root and Intermediate Certificates to the Trust List

  1. Beginning in the SecureW2 Management portal, in the PKI Management Section, click Certificate Authorities
  2. Download the root and the intermediate certificate that corresponds with your network profile from the Certificate Authorities list

  1. Once the certificates are downloaded, navigate to the Cisco ISE page
  2. Click Administration on the menu bar and click Certificates
  3. From there, click Trusted Certificates under Certificate Management
  4. Click Import and add the root and intermediate certificates

Displaying the trusted certificates in Cisco ISE

Adding the Identity Provider

  1. Go to Administration on the menu bar and under Identity Management, click External Identity Sources
  2. Create a new Identity Source within the LDAP folder
  3. Under General, enter a Name, Description, and set the Schema as Active Directory
  4. Under Connection, enter the Server’s IP address under Hostname/IP,  389 for the Port, select Authenticated Access, and input the server’s credentials under Admin DN and Password

Connecting and configuring the identity provider

Configuring the Authentication Policy

  1. Start by navigating to Policy on the menu bar and clicking Authentication
    • By default, you will have a set of authentication policies
  2. Delete the set of default policies
  3. Create a new policy and name it
    • In this guide, the policy is named “WirelessDot1x
  4. Click the plus (+) symbol next to the If dialog box
    • Here you can add the Attributes that you would want for an authentication policy
  5. Ensure that under Condition Name, both Wireless_802.1X and Wired_802.1X are added and that the dialog box with the options AND / OR is set to OR
  6. The Allow Protocols: option should be set to Default Network Access

Correct Condition Settings for the Authentication Policy

The condition must be set to ‘OR’ because ‘AND’ indicates that it must satisfy both the wireless and wired conditions. It should be set to ‘OR’ because it is not valid to do connection attempts always from wired and wireless devices.

After confirming that the Default Network Access is set, we need to figure out how it was calibrated. To find this:

  1. Go to the menu bar, and under the Results tab, click Policy
  2. In the drop-down menu that appears, open Conditions in a new tab
  3. On the left side, click the drop-down arrow next to Authentication and then the similar arrow next to Allowed Protocols
  4. From here, click Default Network Access

 

Configuring the Authorization Policy

  1. Under the Policy dropdown menu, click Authorization and create a new rule
  2. For Rule Name, enter Wireless TLS
  3. The If condition should be set to Any
  4. For the next condition, click the (+) plus sign and confirm that it is configured as an AND condition
  5. The Condition Name should be Wireless 802.1X
  6. Click the settings symbol on the right side to create conditions so the Description reads Network Access:EAPAuthentication EQUALS EAP-TLS
  7. Set the Permissions to PermitAccess and click Done

Displaying the Condition Settings for the Authorization Policy

Here is where you could setup an identity lookup by creating a couple more AND clauses and conditions. It would read along the lines of “users will be accepted only if they are set up for EAP-TLS, AND only if the user is from the Active Directory, AND only if the user from the Active Directory is marked ‘ACTIVE’.

PermitAccess tells ISE to send an ACCESS_ACCEPT response. You can see how it’s configured by doing the following:

  1. Navigate to the Cisco ISE page we had opened for the Authentication Policy and click Conditions on the left side
  2. Click Authorization and then Compound Conditions
  3. Under Name, click Wireless_802.1X
    • Based on the condition, we can see that it is requiring EAP Authentication for a secured connection
  4. Next to Conditions, click Results
  5. From here, click Authorization, then Authorization Profiles, and finally click PermitAccess
    • Here you can see that the Access Type is ACCESS_ACCEPT

 

Adding the RADIUS Server Certificate

If you go back to the SecureW2 Management Portal, you can click Edit by the profile we just evaluated, and you’ll see that a RADIUS server certificate has not been added. Using a RADIUS server certificate is integral to preventing MITM attacks. To add a RADIUS server certificate:

  1. Navigate to the Cisco ISE page and click Certificates in the dropdown menu for Administration
  2. Click System Certificates, and click Import to import the server certificate
  3. Select the certificate by clicking the small box next to it and then clicking Edit above
  4. Select what you want to use the certificate for under Usage, and then click EAP Authentication
  5. Navigate back to the SecureW2 Management Portal and upload the certificate in the Certificates section
  6. Under Network Settings, click Edit
  7. This will take you to a page where you can enable server validation
    • Check Enable Server Certificate Validation
    • Check the Trust Box next to the certificate
    • Write in the domain name the certificate was issued in Connect to these server names

Enabling the RADIUS Certificate and connecting the differing servers

Concluding Thoughts

Now, the wireless network is configured for WPA2-Enterprise with EAP-TLS authentication. Network users will only need to complete the onboarding process once for uninterrupted and secure Internet use. Network administrators will see their IT help desk tickets reduced and if a problem should arise, they can easily diagnose it. The benefits of using certificate-based authentication include eliminating password-related disconnects and MITM attacks, tying users and devices to network connections, improving network performance, and many more. However, many wrongfully assume the level of difficulty in deploying the EAP-TLS protocol. Historically, setting up this type of network would have taken weeks, but with SecureW2, setting up certificate-based authentication with a Cisco ISE RADIUS can take just a few hours. So if you’d like to try out SecureW2, or have any questions about how we integrate with Cisco ISE, drop us a line! We are happy to introduce a network professional with a Cisco expert to facilitate a free trial and show how easy it can be to deploy certificate-based authentication.

Cisco and Cisco ISE are either registered trademarks or trademarks of Cisco Systems Inc in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.

  • Email addresses from free providers (Gmail, Hotmail, etc.) will not be accepted.
  • This field is for validation purposes and should be left unchanged.