Cisco ISE: Device Administration with AD Credentials using RADIUS

This tutorial shows you how to use ISE to authenticate users logging into network devices for management purposes. It assumes that you have a group in Active Directory called NetAdmin and that your user is a member of that group.

Add the Network Device as a RADIUS Client to ISE

Administration > Network Resources > Network Devices

Click Add

Enter Name and IP Address of the network device

Select RADIUS Authentication Settings

Enter a Shared Secret

Click Save

Join ISE to Active Directory

Administration > Identity Management > External Identity Sources > Active Directory

Click Add

Enter a Join Point Name (for instance wifiworkshop-AD)

Enter the Domain name

Click Submit

Highlight the node (or nodes, in a distributed deployment) and click Join

Enter the username and password of a user with rights to join a computer to the domain

Add NetAdmin group to the newly created Join Point

Administration > Identity Management > External Identity Sources > Active Directory

Click the newly created Join Point (wifiworkshop-AD)

Click Groups

Click Add > Select Groups from Directory

Search for NetAdmin, highlight it, and click OK

Create an Identity Source Sequence

Administration > Identity Management > Identity Source Sequences

Click Add

Enter a Name (for instance AD)

Move the Join Point you created earlier to "Selected" and click Submit

Create a new Allowed Protocols Authentication Result

Policy > Policy Elements > Results > Authentication > Allowed Protocols

Click Add

Enter a Name (for instance PAP_ASCII_Only)

Select Allow PAP/ASCII

Deselect everything else

Click Submit

Create a new Authorization Profile

Policy > Policy Elements > Results > Authorization > Authorization Profiles

Click Add

Enter a Name (for instance NetAdmin_Access)

Set Access Type to ACCESS_ACCEPT

Set Advanced Attributes Settings to Radius:Service-Type = Administrative

Click Submit

Create a new Device Management Policy Set

Policy > Policy Sets > Highlight Default > Click Add > Create Above

Enter a Policy name (for instance Device Management)

Set Conditions to Radius:Service-Type EQUALS NAS Prompt

Click Save

Create a new Network Device Authentication Policy

Policy > Policy Sets > Device Management > Authentication Policy

Click the drop-down arrow to the right of Default Rule and click Insert New Rule Above

Name the Rule (for instance Network Device)

Set the Condition to Radius:Service-Type EQUALS NAS Prompt

Set the Allowed Protocol to PAP_ASCII_Only (or whatever you named the Allowed Protocols earlier)

Set Default > Use to AD (or whatever you named the Identity Source Sequence)

Click Save

Note: I typically set the Authentication > Default Rule to DenyAccess.

Create a New Authorization Policy

Policy > Policy Sets > Device Management > Authorization Policy

Click the drop-down arrow to the right of Default and click Insert New Row Above

Set the Rule Name

Set the Conditions to wifiworkshop-AD:ExternalGroups EQUALS domainName/path/NetAdmin

Set Permissions to NetAdmin_Access

Click Save

Note: I typically set the Authorization > Default Rule to DenyAccess.
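To make the policy-set, authentication and authorization steps above concrete, here is an added example (not from this tutorial, Cisco or ISE) that models the RADIUS exchange those steps produce: the network device sends an Access-Request with Service-Type = NAS Prompt and a PAP-hidden User-Password (RFC 2865 section 5.2), ISE matches the Device Management policy set only on that Service-Type, authenticates the user, checks NetAdmin group membership, and answers with Access-Accept carrying Service-Type = Administrative. The shared secret, user names, passwords and group paths are constructed placeholders, and the dictionaries stand in for the AD join point; the protocol encoding itself follows RFC 2865.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_ADMINISTRATIVE = 6   # what the NetAdmin_Access profile returns
SERVICE_TYPE_NAS_PROMPT = 7       # what a WLC sends for a management login

SHARED_SECRET = b"constructed-shared-secret"          # constructed sample value
NETADMIN_GROUP = "domainName/path/NetAdmin"          # the ExternalGroups condition
# Constructed stand-in for the AD join point (users, passwords, group membership).
AD_PASSWORDS = {"admin.jane": "constructed-pw-1", "user.bob": "constructed-pw-2"}
AD_EXTERNAL_GROUPS = {"admin.jane": {NETADMIN_GROUP}, "user.bob": {"domainName/path/Users"}}


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    out, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out[t] = data[i + 2:i + length]
        i += length
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block); the first block is keyed with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # PAP passwords carry no NUL, so padding is unambiguous


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def build_access_request(username: str, password: str, nas_ip: str, service_type: int, ident: int = 1) -> bytes:
    """What the RADIUS client (the WLC) sends to the ISE Policy Service Node."""
    request_auth = os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, request_auth)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_SERVICE_TYPE, struct.pack("!I", service_type)),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def ise_evaluate(request_pkt: bytes) -> Optional[bytes]:
    """Policy set 'Device Management' (Service-Type EQUALS NAS Prompt) -> PAP/ASCII against
    AD -> authorization rule ExternalGroups EQUALS .../NetAdmin -> NetAdmin_Access."""
    code, ident, request_auth, attrs = parse_packet(request_pkt)
    svc = struct.unpack("!I", attrs.get(ATTR_SERVICE_TYPE, b"\0\0\0\0"))[0]
    if code != ACCESS_REQUEST or svc != SERVICE_TYPE_NAS_PROMPT:
        return None                     # falls through to the Default policy set instead
    user = attrs[ATTR_USER_NAME].decode()
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], SHARED_SECRET, request_auth).decode()
    accept = AD_PASSWORDS.get(user) == pw and NETADMIN_GROUP in AD_EXTERNAL_GROUPS.get(user, set())
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    body = encode_attrs([(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))] if accept else [])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + SHARED_SECRET).digest() + body


def verify_response(request_pkt: bytes, response_pkt: bytes) -> bool:
    """Client-side check that the reply came from a server holding the shared secret."""
    _, _, request_auth, _ = parse_packet(request_pkt)
    expected = hashlib.md5(response_pkt[:4] + request_auth + response_pkt[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(expected, response_pkt[4:20])


def login(username: str, password: str, service_type: int = SERVICE_TYPE_NAS_PROMPT):
    """Run one management login through the model; returns (outcome, granted Service-Type)."""
    req = build_access_request(username, password, "10.0.0.5", service_type)
    resp = ise_evaluate(req)
    if resp is None:
        return ("no-policy-match", None)
    if not verify_response(req, resp):
        return ("bad-authenticator", None)
    code, _, _, attrs = parse_packet(resp)
    if code != ACCESS_ACCEPT:
        return ("reject", None)
    return ("accept", struct.unpack("!I", attrs[ATTR_SERVICE_TYPE])[0])


if __name__ == "__main__":
    for user, pw in (("admin.jane", "constructed-pw-1"), ("user.bob", "constructed-pw-2")):
        print(user, login(user, pw))
```

Two things worth noticing when you run it: a valid AD user who is not in NetAdmin gets Access-Reject rather than a lesser access level, which is the effect of the DenyAccess default rule, and the only thing protecting the PAP password on the wire is the MD5-based hiding keyed by the shared secret and the Request Authenticator, which is why the shared secret's strength and the path between the device and the Policy Service Node matter for this design.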

Configure the Network Device to use RADIUS Authentication

On a Cisco WLC:

Click Security > RADIUS > Authentication > New

Enter the IP of the ISE Policy Service Node

Enter the Shared Secret

Enable support for CoA if you want ISE to implement policy changes for clients

Enable Management