Cisco - Integration Document
Overview
This guide outlines the configuration needed to integrate Cisco WLAN Controllers with NAC as an enforcement device. Controllers running version 7.2 or later are supported for centrally switched traffic, and RADIUS Based Enforcement (RBE) is available for both Open networks and Secure networks using WPA2-Enterprise/802.1X.
General RADIUS Settings
1 - Secure Wireless Integration
1.1 - AAA Server Profile
Click on Security and then on Authentication under AAA → RADIUS. Create a new Authentication Server.

After creating the new server it will appear in the list. Before saving, ensure ‘Call Station ID Type’ is ‘System MAC Address’ and ‘No Delimiter’ is selected. Save the configuration by clicking the ‘Apply’ button.

Click on Security and then on Authentication under AAA → RADIUS. Click on Accounting and ensure that under ‘MAC Delimiter’, ‘No Delimiter’ is selected.

Create a new Accounting Server.

1.2 - WLAN Profile
Click on WLANs, then under the Security tab of the WLAN, click on the Layer 2 tab. Verify Layer 2 Security is set to ‘WPA+WPA2’ and Authentication Key Management is set to ‘802.1X’.

Under the Security tab of the WLAN, click on the Layer 3 tab. Verify Layer 3 Security is set to ‘None’.

Under the Security tab of the WLAN, click on the AAA Servers tab. Add the NAC Enforcer IP as an Authentication and Accounting server using the standard ports 1812 and 1813*. Ensure ‘Interim Update’ is checked.

Under the Advanced tab of the WLAN, ensure that ‘AAA Override’ is enabled, and ensure ‘NAC State’ is set to ‘Radius NAC’. This setting may show up as ‘ISE NAC’ on certain AireOS versions, which is also supported.

1.3 - Configure NAC to return a VLAN to Client

2 - Open Wireless Integration
2.1 - AAA Server Profile
Refer to section 1.1 - AAA Server Profile above; the same Authentication and Accounting server settings apply.
2.2 - WLAN Profile
Click on WLANs, then under the Security tab of the WLAN, click on the Layer 2 tab. Check the ‘MAC Filtering’ check box. For Open SSIDs, ensure Layer 2 Security is set to ‘None’; for PSK SSIDs, select the appropriate security settings for the pre-shared key.

Under the Security tab of the WLAN, click on the Layer 3 tab. Verify Layer 3 Security is set to ‘None’.

Under the Security tab of the WLAN, click on the AAA Servers tab. Add the NAC Enforcer IP as an Authentication and Accounting server using the standard ports 1812 and 1813*. Ensure ‘Interim Update’ is checked.

Under the Advanced tab of the WLAN, ensure that ‘AAA Override’ is enabled, and ensure ‘NAC State’ is set to ‘Radius NAC’. This setting may show up as ‘ISE NAC’ on certain AireOS versions, which is also supported.

3 - Wired
3.1 - Cisco 2960X Switch Configuration
In this example, a Cisco 2960X configuration is provided. However, any Cisco Layer 2 switch supporting the following features is eligible for integration:
- RADIUS Authentication/Accounting
- MAC Authentication Bypass (MAB)
- RADIUS Change of Authorization (CoA)
Note – In this example RadsecProxy is 10.10.10.10 (replace this IP with the IP of your RadsecProxy system)
Note – Replace the VLAN number on the example port configuration with the desired default VLAN for the port.
Note – The “radius-server vsa send authentication” command is enabled by default and auto-generated on some IOS versions. If the command does not show up in “show run”, “show run all” can be used to verify that it is configured on the switch.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default local group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
aaa accounting update newinfo periodic 10
!
! CoA listener: only the RadsecProxy may send CoA/Disconnect requests, on UDP 3799
aaa server radius dynamic-author
 client 10.10.10.10 server-key XXXXX
 port 3799
 auth-type any
!
dot1x system-auth-control
ip device tracking
!
interface GigabitEthernetX/X/X (replace with interface number)
 description MetaDefender NAC User Test Port
 switchport access vlan X (replace with desired default VLAN for port)
 switchport mode access
 mab
 authentication order mab
 authentication host-mode multi-auth
 ! port-control auto is required; without it the port stays force-authorized and MAB never runs
 authentication port-control auto
!
ip radius source-interface X (Layer 3 management interface)
!
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key XXXXX
radius-server vsa send authentication
RADIUS NAC Configuration
Cisco NAS devices apply RADIUS-assigned VLANs: the Access-Accept carries Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-ID (the VLAN ID), which the controller honours when ‘AAA Override’ is enabled and the switch applies to the access port. The roles configured in the RADIUS NAC UI for the Cisco NAS type should be configured as shown below.
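The two exchanges this page configures, the RADIUS-assigned VLAN above and the CoA that the switch's "aaa server radius dynamic-author" block in section 3.1 accepts, written out as an added example. This is not code from the original guide, the NAC product, or Cisco; it uses only the Python standard library and sends nothing on the wire. Assumed: the shared secret b"XXXXX" stands in for the "key XXXXX" placeholder, the MAC-to-VLAN policy and the Access-Request are constructed inputs, "subscriber:command=reauthenticate" is the Cisco AVPair a CoA uses to force re-authentication, and the Message-Authenticator on the CoA-Request is computed with the Request Authenticator field zeroed, as RFC 5176 describes for CoA-Request packets.

```python
# NAC side of the two exchanges this page configures (standard library only, nothing sent on the wire):
# answer a MAB Access-Request with a VLAN-assigning Access-Accept, and build/verify an RFC 5176 CoA-Request.
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, COA_REQUEST = 1, 2, 3, 43   # packet codes
USER_NAME, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 26, 31                 # attribute types
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, CISCO_VENDOR_ID, CISCO_AVPAIR = 13, 6, 9, 1

def attr(kind, value):
    """One attribute TLV: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific(26) carrying a Cisco(9) AVPair(1), e.g. 'subscriber:command=reauthenticate'."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))

def parse_attrs(payload):
    """Split a packet's attribute region into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(payload):
        kind, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((kind, payload[i + 2:i + length]))
        i += length
    return out

def normalize_mac(station_id):
    """12 lower-case hex digits whatever delimiter the NAS used: 'No Delimiter' on the WLC gives
    'aabbccddeeff', a switch may send 'aabb.ccdd.eeff' or 'AA-BB-CC-DD-EE-FF'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", station_id)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % station_id)
    return digits.lower()

def vlan_attrs(vlan_id, tag=1):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>, all tagged."""
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def vlan_from_attrs(attrs):
    """VLAN the NAS would apply, or None if the triple is incomplete or is not VLAN over 802."""
    seen = {}
    for kind, value in attrs:
        if kind in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[kind] = int.from_bytes(value[1:], "big")      # skip the tag byte
        elif kind == TUNNEL_PRIVATE_GROUP_ID:                  # RFC 2868: a first byte <= 0x1F is a tag
            seen[kind] = (value[1:] if value[0] <= 0x1F else value).decode()
    if seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    return seen.get(TUNNEL_PRIVATE_GROUP_ID)

def mab_access_request(ident, mac_as_sent):
    """Constructed stand-in for what a MAB port sends (random Request Authenticator)."""
    attrs = attr(USER_NAME, mac_as_sent.encode()) + attr(CALLING_STATION_ID, mac_as_sent.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs

def answer(request, policy, secret):
    """NAC decision: policy maps normalized MAC -> VLAN, unknown MACs get Access-Reject.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865."""
    ident, req_auth = request[1], request[4:20]
    station = dict(parse_attrs(request[20:]))[CALLING_STATION_ID].decode()
    vlan = policy.get(normalize_mac(station))
    code, attrs = (ACCESS_ACCEPT, vlan_attrs(vlan)) if vlan is not None else (ACCESS_REJECT, b"")
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(request, response, secret):
    """The check a NAS makes before trusting an Access-Accept and the VLAN inside it."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def coa_request(ident, mac_as_sent, secret, command="reauthenticate"):
    """Message-Authenticator = HMAC-MD5(secret) over the packet with the Request Authenticator field and
    its own value zeroed; then Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    attrs = (attr(CALLING_STATION_ID, mac_as_sent.encode())
             + cisco_avpair("subscriber:command=" + command)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))           # placeholder, filled in below
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    msg_auth = hmac.new(secret, head + bytes(16) + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + msg_auth                              # it is the last attribute
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs

def coa_request_is_authentic(packet, secret):
    """What the switch checks before acting on a CoA: both authenticators, Message-Authenticator required."""
    head, attrs = packet[:4], packet[20:]
    if not hmac.compare_digest(hashlib.md5(head + bytes(16) + attrs + secret).digest(), packet[4:20]):
        return False
    pairs = parse_attrs(attrs)
    sent = dict(pairs).get(MESSAGE_AUTHENTICATOR)
    zeroed = b"".join(attr(k, bytes(16) if k == MESSAGE_AUTHENTICATOR else v) for k, v in pairs)
    return sent is not None and hmac.compare_digest(
        hmac.new(secret, head + bytes(16) + zeroed, hashlib.md5).digest(), sent)
```

For example, answer(mab_access_request(7, "0011.2233.44FF"), {"0011223344ff": 20}, b"XXXXX") returns an Access-Accept whose attributes decode, via vlan_from_attrs, to "20", while a MAC not in the policy gets a bare Access-Reject. Two practical points the code makes visible: a reply missing any one of the three tunnel attributes leaves the client on the port's default VLAN (the "switchport access vlan X" line) rather than failing loudly, and a CoA whose authenticators do not verify with the "server-key" is silently ignored by the switch, so a wrong key shows up as "re-authentication never happens", not as an error.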
