Cisco Cisco Identity Services Engine 1.1 정보 가이드
4
Cisco Identity Services Engine Network Component Compatibility, Release 1.1.x
OL-26141-01
AAA Attributes Required for Third-Party VPN Concentrators
AAA Attributes Required for Third-Party VPN Concentrators
For third-party VPN concentrators to integrate with Cisco ISE and Inline Posture nodes, the following
AAA attributes must be included in RADIUS communication:
AAA attributes must be included in RADIUS communication:
•
Calling-Station-Id (for MAC_ADDRESS)
•
USER_NAME
•
NAS_PORT_TYPE
Also, for VPN devices, the RADIUS accounting message must have the framed-ip-address attribute set
to the VPN client’s IP address pool.
to the VPN client’s IP address pool.
Supported External Identity Sources
lists the external identity sources supported with Cisco ISE.
5.
Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support
the requirements for Inline Posture Node as they do not send Framed-IP-Address. Profiling services are supported for 802.1X-authenticated WLANs
starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid
Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For
additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.
the requirements for Inline Posture Node as they do not send Framed-IP-Address. Profiling services are supported for 802.1X-authenticated WLANs
starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid
Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For
additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.
6.
An issue has been observed during wireless login scenarios where the WLC is running firmware version 7.0.116.0. Unless you require features available
only in version 7.0.116.0, Cisco recommends returning your WLC firmware version to 7.0.98.218 or upgrade your WLC firmware version to 7.0.220.0.
For more information, see the
only in version 7.0.116.0, Cisco recommends returning your WLC firmware version to 7.0.98.218 or upgrade your WLC firmware version to 7.0.220.0.
For more information, see the
7.
Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA
with MAC filtering so it is more MAB-like.
with MAC filtering so it is more MAB-like.
Table 2
Supported External Identity Sources
External Identity Source
OS/Version
Active Directory
1
,
2
,
3
1.
Cisco ISE OCSP functionality is available only on Microsoft Windows Active Directory 2008 and 2008 R2.
2.
Cisco ISE SCEP functionality is available only on Microsoft Windows Active Directory 2008 R2.
3.
Microsoft Windows Active Directory version 2000 or its functional level are not supported by Cisco ISE.
Microsoft Windows Active Directory 2003
—
Microsoft Windows Active Directory 2003 R2
—
Microsoft Windows Active Directory 2008
—
Microsoft Windows Active Directory 2008 R2
—
LDAP Servers
SunONE LDAP Directory Server
Version 5.2
Linux LDAP Directory Server
Version 2.4.23
Cisco NAC Profiler
Version 2.18 or later
Token Servers
RSA ACE/Server
6.x series
RSA Authentication Manager
7.x series
Any RADIUS RFC 2865-compliant token server
—