Cisco Identity Services Engine 2.1 Technical Manual

Cisco Wireless LAN Controllers (Unified and Converged Access)
Identity Services Engine (ISE)
Components Used
The information in this document is based on these software and hardware versions:
Cisco Identity Services Engine version 2.1
Cisco Wireless LAN controller 5508 running 8.0.121.0
Next Generation Wireless Controller (NGWC) Catalyst 3850 (WS-C3850-24P) running 03.06.04.E
Configure
Network Diagram
Steps covered in this document describe the typical configuration on both Unified and Converged
Access WLCs to support any Guest flow with ISE.
Configure Unified 5508 WLC
Regardless of the use case configured in ISE, from the WLC perspective it all starts with a
wireless endpoint that connects to an Open SSID with MAC filtering enabled (plus AAA override
and RADIUS NAC) that points to ISE as the authentication and accounting server. This ensures
that ISE can dynamically push the attributes the WLC needs to enforce a redirect to ISE's
Guest Portal.
Global Configuration
 1.  Add ISE globally as an Authentication and Accounting server.
Navigate to Security > AAA > Authentication and click New
Enter ISE server IP and shared secret
Ensure that the Server Status and Support for RFC 3576 (Change of Authorization or CoA
support) are both set to Enabled.
The default server timeout on AireOS WLCs is 2 seconds. Depending on the network
characteristics (latency, ISE and WLC in different locations, etc.) it may be beneficial to
increase the server timeout to at least 5 seconds to avoid unnecessary failover events.
Click Apply.
If there are multiple Policy Services Nodes (PSN) to configure, proceed to create additional
server entries.
Note: This particular configuration example includes 2 ISE instances.
Navigate to Security > AAA > RADIUS > Accounting and click New
Enter ISE server IP and Shared secret
Ensure that Server Status is set to Enabled
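
As an added example (not part of the Cisco document), the Python check below audits an AireOS CLI change script for the settings this section asks for: CoA support enabled, a server timeout of at least 5 seconds, and an accounting entry for each ISE node. The script contents, the 192.0.2.x addresses and the `audit` helper are constructed for illustration; it assumes the CLI forms `config radius auth|acct add`, `config radius auth rfc3576 enable` and `config radius auth retransmit-timeout`.

```python
import re

# Constructed sample: AireOS CLI change script for two ISE PSNs (addresses and
# secrets are placeholders). Server 2 is left incomplete on purpose.
SAMPLE_SCRIPT = """\
config radius auth add 1 192.0.2.10 1812 ascii <shared-secret>
config radius auth rfc3576 enable 1
config radius auth retransmit-timeout 1 5
config radius acct add 1 192.0.2.10 1813 ascii <shared-secret>
config radius auth add 2 192.0.2.11 1812 ascii <shared-secret>
config radius auth retransmit-timeout 2 2
"""

DEFAULT_TIMEOUT = 2   # AireOS default server timeout stated in the text
MIN_TIMEOUT = 5       # value the text suggests for high-latency paths

ADD = re.compile(r"^config radius (auth|acct) add (\d+) (\S+) (\d+) (?:ascii|hex) \S+$")
COA = re.compile(r"^config radius auth rfc3576 (enable|disable) (\d+)$")
TMO = re.compile(r"^config radius auth retransmit-timeout (\d+) (\d+)$")

def audit(script):
    """Return findings (index, ip, problem) for every RADIUS auth server."""
    auth, acct_ips = {}, set()
    for line in map(str.strip, script.splitlines()):
        if m := ADD.match(line):
            kind, idx, ip = m.group(1), int(m.group(2)), m.group(3)
            if kind == "auth":
                # Assumption of this check: CoA counts only if enabled explicitly.
                auth[idx] = {"ip": ip, "coa": False, "timeout": DEFAULT_TIMEOUT}
            else:
                acct_ips.add(ip)
        elif (m := COA.match(line)) and int(m.group(2)) in auth:
            auth[int(m.group(2))]["coa"] = m.group(1) == "enable"
        elif (m := TMO.match(line)) and int(m.group(1)) in auth:
            auth[int(m.group(1))]["timeout"] = int(m.group(2))
    findings = []
    for idx, srv in sorted(auth.items()):
        if not srv["coa"]:
            findings.append((idx, srv["ip"], "CoA (RFC 3576) support not enabled"))
        if srv["timeout"] < MIN_TIMEOUT:
            findings.append((idx, srv["ip"], f"server timeout {srv['timeout']}s is below {MIN_TIMEOUT}s"))
        if srv["ip"] not in acct_ips:
            findings.append((idx, srv["ip"], "no accounting entry for this server"))
    return findings

if __name__ == "__main__":
    for idx, ip, problem in audit(SAMPLE_SCRIPT):
        print(f"auth server {idx} ({ip}): {problem}")
```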