H3C Access Controllers
Access Authentication by Cisco ISE Server
Configuration Examples
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Example: Configuring Cisco ISE-based 802.1X PEAP authentication
Example: Configuring Cisco ISE-based MAC authentication
Example: Configuring Cisco ISE-based portal authentication
Example: Configuring Cisco ISE-based HWTACACS authentication for SSH login
Introduction
The following information provides examples for configuring H3C access controllers to use a Cisco ISE server for authentication. The examples cover Cisco ISE-based 802.1X authentication, MAC authentication, and portal authentication for wireless clients, and HWTACACS authentication for SSH login to the AC.
Software versions used
The following configuration examples were created and verified on the following hardware and software versions:
· Cisco ISE server running 2.3.0.298.
· H3C access controller running R5428 or later.
Example: Configuring Cisco ISE-based 802.1X PEAP authentication
Network configuration
As shown in Figure 1, the AP is connected to the AC over the switch and the client accesses the wireless network through the AP.
Configure the devices and server to meet the following requirements:
· The client must pass 802.1X PEAP authentication to access the wireless network.
· The ISE server assigns an authorization ACL and an authorization VLAN to the client after the client passes 802.1X PEAP authentication.
Procedures
IMPORTANT: This configuration example only covers the major settings related to authenticating the client by 802.1X authentication on the Cisco ISE server. For information about the network connectivity settings, see the manuals for the devices and server. Make sure the devices and server have network connectivity.
Configuring the AC
1. Configure the AC to use EAP relay to authenticate the 802.1X client.
<AC> system-view
[AC] dot1x authentication-method eap
2. Configure a RADIUS scheme:
# Create RADIUS scheme ise.
[AC] radius scheme ise
# Specify the ISE server at 8.1.1.18 as the primary authentication server and specify a shared key for secure communication with the server. Make sure the shared key is the same as the shared secret configured on the ISE server.
[AC-radius-ise] primary authentication 8.1.1.18 key cipher $c$3$FpBySjKd6TF17QmPAQ83vNM+mNuZHUw=
# Exclude the domain name from usernames sent to the ISE server.
[AC-radius-ise] user-name-format without-domain
# Specify 191.120.1.56 as the NAS IP address of RADIUS packets sent to the ISE server. Make sure the NAS IP address is the same as that specified on the ISE server for the AC.
[AC-radius-ise] nas-ip 191.120.1.56
[AC-radius-ise] quit
3. Configure an ISP domain:
# Create ISP domain ise.
[AC] domain ise
# Configure the ISP domain to use RADIUS scheme ise for LAN user authentication and authorization.
[AC-isp-ise] authentication lan-access radius-scheme ise
[AC-isp-ise] authorization lan-access radius-scheme ise
[AC-isp-ise] quit
4. Configure a service template:
# Create service template ise.
[AC] wlan service-template ise
# Set the SSID of the service template to 000AAA-MACAU.
[AC-wlan-st-ise] ssid 000AAA-MACAU
# Assign clients coming online through the service template to VLAN 71.
[AC-wlan-st-ise] vlan 71
# Set the AKM mode to 802.1X.
[AC-wlan-st-ise] akm mode dot1x
# Specify the AES-CCMP cipher suite, and enable the RSN IE in beacon and probe responses.
[AC-wlan-st-ise] cipher-suite ccmp
[AC-wlan-st-ise] security-ie rsn
# Set the authentication mode to 802.1X authentication and specify authentication domain ise.
[AC-wlan-st-ise] client-security authentication-mode dot1x
[AC-wlan-st-ise] dot1x domain ise
# Enable the service template.
[AC-wlan-st-ise] service-template enable
[AC-wlan-st-ise] quit
5. Configure a manual AP:
# Configure an AP named ax and specify its model and serial ID.
[AC] wlan ap ax model WA6528
[AC-wlan-ap-ax] serial-id 219801A1LH8188E00011
# Enable radio 1 and bind service template ise to the radio.
[AC-wlan-ap-ax] radio 1
[AC-wlan-ap-ax-radio-1] radio enable
[AC-wlan-ap-ax-radio-1] service-template ise
[AC-wlan-ap-ax-radio-1] quit
[AC-wlan-ap-ax] quit
6. Configure advanced ACL 3100 and a rule to deny the client from accessing 8.1.1.5.
[AC] acl advanced 3100
[AC-acl-ipv4-adv-3100] rule 1 deny ip destination 8.1.1.5 0
[AC-acl-ipv4-adv-3100] quit
7. Configure authorization VLAN settings:
# Create VLAN 4094 and VLAN-interface 4094, and assign an IP address to the VLAN interface.
[AC] vlan 4094
[AC-vlan4094] quit
[AC] interface vlan-interface 4094
[AC-Vlan-interface4094] ip address 191.94.0.1 24
[AC-Vlan-interface4094] quit
# Configure DHCP address pool vlan4094 for VLAN 4094.
[AC] dhcp server ip-pool vlan4094
[AC-dhcp-pool-vlan4094] network 191.94.0.0 mask 255.255.255.0
[AC-dhcp-pool-vlan4094] gateway-list 191.94.0.1
[AC-dhcp-pool-vlan4094] dns-list 191.94.0.1
[AC-dhcp-pool-vlan4094] quit
Configuring the ISE server
1. Create a user group:
a. On the top navigation bar, select Administration > Identity Management > Groups.
b. From the left navigation pane, select User Identity Groups.
c. Click Add.
d. On the page that opens, set the name to LDF.
e. Click Submit.
Figure 2 Creating a user group
2. Create a network access user:
a. On the top navigation bar, select Administration > Identity Management > Identities.
b. From the left navigation pane, select Users.
c. Click Add.
d. On the page that opens, set the name to ldf00001 and password to Ldf123456, and bind the user to user group LDF.
Make sure the password contains uppercase letters, lowercase letters, and digits.
e. Click Submit.
Figure 3 Creating a network access user
3. Add the AC to the server as a network access device:
a. On the top navigation bar, select Administration > Network Resources > Network Devices.
b. Click Add.
c. Set the name to AC, specify IP address 191.120.1.56, select RADIUS Authentication Settings, and set the shared secret to H3cc.
Make sure the IP address is the same as the NAS IP address of RADIUS packets on the AC.
Make sure the shared secret is the same as the shared key configured on the AC.
d. Save the configuration.
Figure 4 Adding the AC to the server
4. Configure authentication protocols:
a. On the top navigation bar, select Policy > Policy Elements > Results.
b. From the left navigation pane, select Authentication > Allowed Protocols.
c. Create an allowed protocols service named 1x, and select Allow EAP-TLS and Allow PEAP.
d. Save the configuration.
Figure 5 Creating an allowed protocols service
5. Configure an authorization ACL:
a. On the top navigation bar, select Policy > Policy Elements > Results.
b. From the left navigation pane, select Authorization > Authorization Profiles.
c. Click Add.
d. In the Authorization Profile area, set the name to acl_3100 and select Cisco from the Network Device Profile field. In the Advanced Attributes Settings area, select attribute Radius:Filter-ID and set the attribute value to 3100 (an ACL number). The AC applies the authorization ACL by number, so the value must be the number of an ACL that already exists on the AC (ACL 3100 in this example).
e. Save the configuration.
Figure 6 Configuring an authorization ACL
6. Configure an authorization VLAN:
a. On the top navigation bar, select Policy > Policy Elements > Results.
b. From the left navigation pane, select Authorization > Authorization Profiles.
c. Click Add.
d. In the Authorization Profile area, set the name to vlan_4094 and select Cisco from the Network Device Profile field. In the Custom Tasks area, select the VLAN option and enter 4094 in the ID/Name field.
e. Save the configuration.
Figure 7 Configuring an authorization VLAN
7. Configure an authentication and authorization policy set:
a. On the top navigation bar, select Policy > Policy Sets.
b. Click the plus icon + under Policy Sets.
c. Set the policy set name to 1x. Set the condition name to 1x, select Wired_Dot1x or Wireless_Dot1x as the condition, and select 1x from the Allowed Protocols/Server Sequence list.
Figure 8 Configuring an authentication and authorization policy set
d. Click the icon in the View column for the authentication and authorization policy set.
e. In the Authorization Policy area, add an authorization policy named acl_vlan. In the Results > Profiles column for the authorization policy, select profiles acl_3100 and vlan_4094.
Figure 9 Configuring an authorization policy
f. Save the configuration.
Verifying the configuration
1. On the top navigation bar, select Operations > RADIUS > Live Logs. View live log information for online clients.
Figure 10 Viewing live log information for online clients
2. On the top navigation bar, select Operations > RADIUS > Live Sessions. View live session information for online clients.
Figure 11 Viewing live session information for online clients
Configuration files
#
vlan 4094
#
dhcp server ip-pool vlan4094
network 191.94.0.0 mask 255.255.255.0
gateway-list 191.94.0.1
dns-list 191.94.0.1
#
interface vlan-interface 4094
ip address 191.94.0.1 24
#
acl advanced 3100
rule 1 deny ip destination 8.1.1.5 0
#
radius scheme ise
primary authentication 8.1.1.18 key cipher $c$3$FpBySjKd6TF17QmPAQ83vNM+mNuZHUw=
user-name-format without-domain
nas-ip 191.120.1.56
#
domain ise
authentication lan-access radius-scheme ise
authorization lan-access radius-scheme ise
#
wlan service-template ise
ssid 000AAA-MACAU
vlan 71
akm mode dot1x
cipher-suite ccmp
security-ie rsn
client-security authentication-mode dot1x
dot1x domain ise
service-template enable
#
wlan ap ax model WA6528
serial-id 219801A1LH8188E00011
radio 1
radio enable
service-template ise
#
dot1x authentication-method eap
Example: Configuring Cisco ISE-based MAC authentication
Network configuration
As shown in Figure 12, the AP is connected to the AC over the switch and the client accesses the wireless network through the AP.
To control the client's access to the network resources, configure the devices and server to meet the following requirements:
· The client must pass MAC authentication to access the wireless network.
· The client and AP use the PSK AKM mode to secure data packets between them.
· The ISE server assigns an authorization ACL and an authorization VLAN to the client after the client passes MAC authentication.
Procedures
IMPORTANT: This configuration example only covers the major settings related to authenticating the client by MAC authentication on the Cisco ISE server. For information about the network connectivity settings, see the manuals for the devices and server. Make sure the devices and server have network connectivity.
Configuring the AC
1. Configure a RADIUS scheme:
# Create RADIUS scheme ise.
<AC> system-view
[AC] radius scheme ise
# Specify the ISE server at 8.1.1.18 as the primary authentication server and specify a shared key for secure communication with the server. Make sure the shared key is the same as the shared secret configured on the ISE server.
[AC-radius-ise] primary authentication 8.1.1.18 key cipher $c$3$FpBySjKd6TF17QmPAQ83vNM+mNuZHUw=
# Exclude the domain name from usernames sent to the ISE server.
[AC-radius-ise] user-name-format without-domain
# Specify 191.120.1.56 as the NAS IP address of RADIUS packets sent to the ISE server. Make sure the NAS IP address is the same as that specified on the ISE server for the AC.
[AC-radius-ise] nas-ip 191.120.1.56
[AC-radius-ise] quit
2. Configure an ISP domain:
# Create ISP domain ise.
[AC] domain ise
# Configure the ISP domain to use RADIUS scheme ise as the default methods for user authentication and authorization.
[AC-isp-ise] authentication default radius-scheme ise
[AC-isp-ise] authorization default radius-scheme ise
[AC-isp-ise] quit
3. Configure a service template:
# Create service template isemac2.
[AC] wlan service-template isemac2
# Specify an SSID for the service template.
[AC-wlan-st-isemac2] ssid 000AAAMACAU-MAC-CCMP-WPA
# Assign clients coming online through the service template to VLAN 71.
[AC-wlan-st-isemac2] vlan 71
# Set the PSK AKM mode and specify a PSK.
[AC-wlan-st-isemac2] akm mode psk
[AC-wlan-st-isemac2] preshared-key pass-phrase cipher $c$3$XYqokG6I8YoOymukIyvxoJuzFoB+oVJD6exoqw==
# Specify the AES-CCMP cipher suite, and enable the RSN IE in beacon and probe responses.
[AC-wlan-st-isemac2] cipher-suite ccmp
[AC-wlan-st-isemac2] security-ie rsn
# Set the access authentication mode to MAC authentication and specify authentication domain ise.
[AC-wlan-st-isemac2] client-security authentication-mode mac
[AC-wlan-st-isemac2] mac-authentication domain ise
# Enable the service template.
[AC-wlan-st-isemac2] service-template enable
[AC-wlan-st-isemac2] quit
4. Configure a manual AP:
# Configure an AP named ax and specify its model and serial ID.
[AC] wlan ap ax model WA6528
[AC-wlan-ap-ax] serial-id 219801A1LH8188E00011
# Specify VLAN 1 for the AP.
[AC-wlan-ap-ax] vlan 1
# Enable radio 1 and bind service template isemac2 to the radio.
[AC-wlan-ap-ax] radio 1
[AC-wlan-ap-ax-radio-1] radio enable
[AC-wlan-ap-ax-radio-1] service-template isemac2
[AC-wlan-ap-ax-radio-1] quit
[AC-wlan-ap-ax] quit
5. Configure advanced ACL 3100 and a rule to deny the client from accessing 8.1.1.5.
[AC] acl advanced 3100
[AC-acl-ipv4-adv-3100] rule 1 deny ip destination 8.1.1.5 0
[AC-acl-ipv4-adv-3100] quit
6. Configure authorization VLAN settings:
# Create VLAN 4094 and VLAN-interface 4094, and assign an IP address to the VLAN interface.
[AC] vlan 4094
[AC-vlan4094] quit
[AC] interface vlan-interface 4094
[AC-Vlan-interface4094] ip address 191.94.0.1 24
[AC-Vlan-interface4094] quit
# Configure DHCP address pool vlan4094 for VLAN 4094.
[AC] dhcp server ip-pool vlan4094
[AC-dhcp-pool-vlan4094] network 191.94.0.0 mask 255.255.255.0
[AC-dhcp-pool-vlan4094] gateway-list 191.94.0.1
[AC-dhcp-pool-vlan4094] dns-list 191.94.0.1
[AC-dhcp-pool-vlan4094] quit
Configuring the ISE server
1. Create a user group:
a. On the top navigation bar, select Administration > Identity Management > Groups.
b. From the left navigation pane, select User Identity Groups.
c. Click Add.
d. On the page that opens, set the name to LDF.
e. Click Submit.
Figure 13 Creating a user group
2. Create a network access user:
a. On the top navigation bar, select Administration > Identity Management > Identities.
b. From the left navigation pane, select Users.
c. Click Add.
d. On the page that opens, set the name to ldf00001 and password to Ldf123456, and bind the user to user group LDF.
Make sure the password contains uppercase letters, lowercase letters, and digits.
e. Click Submit.
Figure 14 Creating a network access user
3. Add the AC to the server as a network access device:
a. On the top navigation bar, select Administration > Network Resources > Network Devices.
b. Click Add.
c. On the page that opens, set the name to AC, specify IP address 191.120.1.56, select RADIUS Authentication Settings, and set the shared secret to H3cc.
Make sure the IP address is the same as the NAS IP address of RADIUS packets on the AC.
Make sure the shared secret is the same as the shared key configured on the AC.
d. Save the configuration.
Figure 15 Adding the AC to the server
4. Configure authentication protocols:
a. On the top navigation bar, select Policy > Policy Elements > Results.
b. From the left navigation pane, select Authentication > Allowed Protocols.
c. Create an allowed protocols service named mab. In the Authentication Bypass area, select Process Host Lookup. In the Authentication Protocols area, select Allow PAP/ASCII and Allow CHAP.
d. Save the configuration.
Figure 16 Configuring authentication protocols
5. Configure an authorization ACL:
a. On the top navigation bar, select Policy > Policy Elements > Results.
b. From the left navigation pane, select Authorization > Authorization Profiles.
c. Click Add.
d. In the Authorization Profile area, set the name to acl_3100 and select Cisco from the Network Device Profile field. In the Advanced Attributes Settings area, select attribute Radius:Filter-ID and set the attribute value to 3100 (an ACL number). The AC applies the authorization ACL by number, so the value must be the number of an ACL that already exists on the AC (ACL 3100 in this example).
e. Save the configuration.
Figure 17 Configuring an authorization ACL
6. Configure an authorization VLAN:
a. On the top navigation bar, select Policy > Policy Elements > Results.
b. From the left navigation pane, select Authorization > Authorization Profiles.
c. Click Add.
d. In the Authorization Profile area, set the name to vlan_4094 and select Cisco from the Network Device Profile field. In the Custom Tasks area, select the VLAN option and enter 4094 in the ID/Name field.
e. Save the configuration.
Figure 18 Configuring an authorization VLAN
7. Configure an authentication and authorization policy set:
a. On the top navigation bar, select Policy > Policy Sets.
b. Click the plus icon + under Policy Sets.
c. Set the policy set name to mab, set the condition name to mab, and select mab from the Allowed Protocols/Server Sequence list.
Figure 19 Configuring an authentication and authorization policy set
d. Select Wired_MAB or Wireless_MAB as the conditions.
Figure 20 Configuring conditions
e. Click the icon in the View column for the authentication and authorization policy set.
f. In the Authorization Policy area, add an authorization policy named Authorization Rule 1. In the Results > Profiles column for the authorization policy, select profiles acl_3100 and vlan_4094.
Figure 21 Adding an authorization policy
g. Save the configuration.
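The authorization profiles in this example and in the 802.1X example carry the same two attributes to the AC: Filter-Id with the ACL number, and the VLAN as the RFC 2868 tunnel attribute group (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The following Python script is an added example, not H3C or Cisco code. It constructs the Access-Request an AC performing MAC authentication sends (the client MAC as User-Name and as the PAP-hidden User-Password, NAS-IP-Address 191.120.1.56), the Access-Accept ISE returns for profiles acl_3100 and vlan_4094, and the checks the AC performs before applying anything from the reply: identifier, length, and the Response Authenticator computed with shared secret H3cc. All packet bytes are constructed inline. The MAC address string, the attribute order, and tag value 1 on the tunnel attributes are assumptions; a real AC also adds attributes such as Service-Type and Message-Authenticator that are omitted here.

```python
"""RADIUS MAC-authentication exchange: request, accept, and the AC-side checks.
Added example, not H3C or Cisco code; packet contents are constructed."""
import hashlib
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

SHARED_SECRET = b"H3cc"       # shared secret from the example
NAS_IP = "191.120.1.56"       # nas-ip configured on the AC in the example


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 XOR MD5(S+RA), ci = pi XOR MD5(S+c(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide: anyone holding the secret can read PAP passwords off the wire."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_request(mac: str, secret: bytes, ident: int = 1,
                      request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request for MAC authentication: the MAC is both username and password (MAC format assumed)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, mac.encode())
             + attr(USER_PASSWORD, pap_hide(mac.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_accept(request: bytes, secret: bytes, acl: str, vlan: str, tag: int = 1) -> bytes:
    """Access-Accept carrying Filter-Id (ACL number) and the VLAN tunnel attribute group."""
    tagb = bytes([tag])
    attrs = (attr(FILTER_ID, acl.encode())
             + attr(TUNNEL_TYPE, tagb + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, tagb + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, tagb + vlan.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_attrs(payload: bytes):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 1 >= len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        out.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return out


def untag(value: bytes) -> bytes:
    """Drop the optional Tag byte (0x00-0x1F) of an RFC 2868 tunnel attribute."""
    return value[1:] if value and value[0] <= 0x1F else value


def parse_accept(response: bytes, request: bytes, secret: bytes) -> dict:
    """What the AC must verify before honouring the reply, then the authorization it carries."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        raise ValueError("bad Response Authenticator: shared-secret mismatch or forged reply")
    result = {"code": code, "acl": None, "vlan": None, "tunnel_type": None, "tunnel_medium": None}
    for atype, value in parse_attrs(response[20:]):
        if atype == FILTER_ID:
            result["acl"] = value.decode()
        elif atype == TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(untag(value), "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            result["tunnel_medium"] = int.from_bytes(untag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = untag(value).decode()
    return result


if __name__ == "__main__":
    req = build_mab_request("9cbc-f0e7-50f0", SHARED_SECRET)
    acc = build_accept(req, SHARED_SECRET, "3100", "4094")
    print(parse_accept(acc, req, SHARED_SECRET))
    try:
        parse_accept(acc, req, b"wrong-secret")
    except ValueError as exc:
        print("rejected:", exc)
```

Two points worth taking from the script: a shared-secret mismatch between the AC and the ISE network device entry does not produce a protocol error, the AC simply discards the reply because the Response Authenticator does not verify, so the client sees a timeout; and pap_reveal shows that User-Password hiding is only as strong as the secret, which is why the secret must be long and random and RADIUS traffic should stay on a management network.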
Verifying the configuration
1. On the client, connect to the wireless network and enter the preshared key configured on the service template. MAC authentication does not prompt the user for a username or password. (Details not shown.)
2. On the AC, verify that the user has come online and the server has assigned the authorization ACL and VLAN to the user.
Figure 22 Viewing online user information
Configuration files
#
vlan 4094
#
dhcp server ip-pool vlan4094
network 191.94.0.0 mask 255.255.255.0
gateway-list 191.94.0.1
dns-list 191.94.0.1
#
interface vlan-interface 4094
ip address 191.94.0.1 24
#
acl advanced 3100
rule 1 deny ip destination 8.1.1.5 0
#
radius scheme ise
primary authentication 8.1.1.18 key cipher $c$3$FpBySjKd6TF17QmPAQ83vNM+mNuZHUw=
user-name-format without-domain
nas-ip 191.120.1.56
#
domain ise
authentication default radius-scheme ise
authorization default radius-scheme ise
#
wlan service-template isemac2
ssid 000AAAMACAU-MAC-CCMP-WPA
vlan 71
akm mode psk
preshared-key pass-phrase cipher $c$3$XYqokG6I8YoOymukIyvxoJuzFoB+oVJD6exoqw==
cipher-suite ccmp
security-ie rsn
client-security authentication-mode mac
mac-authentication domain ise
service-template enable
#
wlan ap ax model WA6528
serial-id 219801A1LH8188E00011
vlan 1
radio 1
radio enable
service-template isemac2
Example: Configuring Cisco ISE-based portal authentication
Network configuration
As shown in Figure 23, the AP is connected to the AC over the switch and the client accesses the wireless network through the AP.
Configure the devices and server to meet the following requirements:
· The client must pass direct portal authentication to access the wireless network.
· The ISE server acts as the portal and RADIUS servers.
Restrictions and guidelines
Make sure file ise_h3c.zip has been stored in the root directory of the storage medium on the AC.
Procedures
IMPORTANT: This configuration example only covers the major settings related to authenticating the client by portal authentication on the Cisco ISE server. For information about the network connectivity settings, see the manuals for the devices and server. Make sure the devices and server have network connectivity.
Configuring the AC
1. Configure an ISP domain:
# Create ISP domain ise.
<H3C> system-view
[H3C] domain ise
# Configure the ISP domain to use RADIUS scheme ise for portal user authentication, authorization, and accounting.
[H3C-isp-ise] authentication portal radius-scheme ise
[H3C-isp-ise] authorization portal radius-scheme ise
[H3C-isp-ise] accounting portal radius-scheme ise
[H3C-isp-ise] quit
2. Configure a RADIUS scheme:
# Create RADIUS scheme ise.
[H3C] radius scheme ise
# Specify the ISE server at 100.18.0.200 as the primary authentication and accounting server and specify a shared key for secure communication with the ISE server. Make sure the shared key is the same as the shared secret configured on the ISE server. The key simple form enters the key in plain text, and the short numeric key used here is for the lab only; use a long random shared secret in production.
[H3C-radius-ise] primary authentication 100.18.0.200 key simple 12345678
[H3C-radius-ise] primary accounting 100.18.0.200 key simple 12345678
# Exclude the domain name from usernames sent to the ISE server.
[H3C-radius-ise] user-name-format without-domain
# Specify 6.6.4.10 as the NAS IP address of RADIUS packets sent to the ISE server. Make sure the NAS IP address is the same as that specified on the ISE server for the AC.
[H3C-radius-ise] nas-ip 6.6.4.10
[H3C-radius-ise] quit
3. Configure portal authentication:
# Configure the AC to log out a portal user as soon as the wireless client goes offline.
[H3C] portal user-logoff after-client-offline enable
# Specify VLAN-interface 1000 as the client gateway interface that portal clients reach during third-party (ISE) portal authentication.
[H3C] portal client-gateway interface vlan-interface 1000
# Configure portal-free rules so that unauthenticated clients can reach the AC (6.6.4.10) and the ISE server (100.18.0.200), which hosts the portal login page. Without these rules, clients cannot load the login page.
[H3C] portal free-rule 2 destination ip 6.6.4.10 255.255.255.255
[H3C] portal free-rule 5 destination ip 100.18.0.200 255.255.255.255
# Configure the Web server.
NOTE: For more information about the URL of the Web server, see portal settings in "Configuring the ISE server."
[H3C] portal web-server ise
[H3C-portal-websvr-ise] url https://100.18.0.200:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
[H3C-portal-websvr-ise] server-type ise
# Create an HTTP-based local portal Web service and an HTTPS-based local portal Web service. Specify file ise_h3c.zip as the default authentication page file for local portal authentication. Make sure the file has been stored in the root directory of the storage medium on the AC.
[H3C] portal local-web-server http
[H3C-portal-local-websvr-http] default-logon-page ise_h3c.zip
[H3C] portal local-web-server https
[H3C-portal-local-websvr-https] default-logon-page ise_h3c.zip
4. Configure and enable a service template.
[H3C] wlan service-template iseportal
[H3C-wlan-st-iseportal] ssid h3c-ise-portal
[H3C-wlan-st-iseportal] portal enable method direct
[H3C-wlan-st-iseportal] portal domain ise
[H3C-wlan-st-iseportal] portal bas-ip 6.6.4.10
[H3C-wlan-st-iseportal] portal apply web-server ise
[H3C-wlan-st-iseportal] service-template enable
[H3C-wlan-st-iseportal] quit
5. Configure a manual AP and bind the service template to radio 1 on the AP.
[H3C] wlan ap ap1 model WA6330
[H3C-wlan-ap-ap1] serial-id 219801A23V8209E0043Y
[H3C-wlan-ap-ap1] radio 1
[H3C-wlan-ap-ap1-radio-1] service-template iseportal vlan 234
[H3C-wlan-ap-ap1-radio-1] radio enable
[H3C-wlan-ap-ap1-radio-1] quit
[H3C-wlan-ap-ap1] quit
Configuring the ISE server
1. Create a device profile:
a. On the top navigation bar, select Administration > Network Resources > Network Device Profiles.
b. Click Add.
c. Set the device profile name to H3C, select Other as the vendor, and select RADIUS in the Supported Protocols area.
d. Save the configuration.
Figure 24 Creating a device profile
2. Add the AC to the server as a network access device:
a. On the top navigation bar, select Administration > Network Resources > Network Devices.
b. Click Add.
c. On the page that opens, set the name to AC, select device profile H3C, specify IP address 6.6.4.10, select RADIUS Authentication Settings, and set the shared secret to 12345678.
Make sure the IP address is the same as the NAS IP address of RADIUS packets on the AC.
Make sure the shared secret is the same as the shared key configured on the AC.
d. Click Submit.
Figure 25 Adding the AC to the server
3. Create a user group:
a. On the top navigation bar, select Administration > Identity Management > Groups.
b. From the left navigation pane, select User Identity Groups.
c. Click Add.
d. On the page that opens, set the name to H3C.
e. Click Submit.
Figure 26 Creating a user group
4. Create a network access user:
a. On the top navigation bar, select Administration > Identity Management > Identities.
b. From the left navigation pane, select Users.
c. Click Add.
d. On the page that opens, set the name to h3c001 and password to H3c123456, and bind the user to user group H3C.
Make sure the password contains uppercase letters, lowercase letters, and digits.
e. Click Submit.
Figure 27 Creating a network access user
5. Configure authentication protocols:
a. On the top navigation bar, select Policy > Policy Elements > Results.
b. From the left navigation pane, select Authentication > Allowed Protocols.
c. Click Default Network Access and select Allow CHAP.
d. Save the configuration.
Figure 28 Configuring authentication protocols
6. Configure portal settings:
a. On the top navigation bar, select Work Centers > Guest Access > Portals & Components.
b. From the left navigation pane, select Guest Portals.
c. On the page that opens, click Self-Registered Guest Portal (default). Use the default settings, and then click Portal test URL. The address in the address bar of the window that opens is the URL of the Web server. Specify this URL with the url command in the portal web-server ise view on the AC.
Figure 29 Configuring portal settings
Verifying the configuration
# On a mobile phone, connect to the wireless service with SSID h3c-ise-portal. When the Cisco authentication login page opens, enter the correct username and password, and then click Sign On. On the page that opens, click Continue. Verify that the login succeeds.
Figure 30 Verifying the configuration
# On the AC, display online portal user information.
[H3C] display portal user all
Total portal users: 1
Username: h3c001
AP name: ap1
Radio ID: 1
SSID: h3c-ise-portal
Portal server: N/A
State: Online
VPN instance: N/A
MAC IP VLAN Interface
9cbc-f0e7-50f0 10.249.56.169 234 WLAN-BSS1/0/4
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Web URL: N/A
Configuration files
#
vlan 234
#
vlan 1000
#
wlan service-template iseportal
ssid h3c-ise-portal
portal enable method direct
portal domain ise
portal bas-ip 6.6.4.10
portal apply web-server ise
service-template enable
#
interface Vlan-interface1000
ip address 6.6.4.10 255.255.255.0
#
radius scheme ise
primary authentication 100.18.0.200 key cipher $c$3$oTPE3ir9uYI718iL9tFmRoaoDu7DmtlZ2gZC
primary accounting 100.18.0.200 key cipher $c$3$/Vcna21JU94hHKqWvBTrACCGhUm8iPiB5Vp7
user-name-format without-domain
nas-ip 6.6.4.10
#
domain ise
authentication portal radius-scheme ise
authorization portal radius-scheme ise
accounting portal radius-scheme ise
#
portal user-logoff after-client-offline enable
portal client-gateway interface Vlan-interface1000
portal free-rule 2 destination ip 6.6.4.10 255.255.255.255
portal free-rule 5 destination ip 100.18.0.200 255.255.255.255
#
portal web-server ise
url https://100.18.0.200:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
server-type ise
#
portal local-web-server http
default-logon-page ise_h3c.zip
#
portal local-web-server https
default-logon-page ise_h3c.zip
#
wlan ap ap1 model WA6330
serial-id 219801A23V8209E0043Y
radio 1
radio enable
service-template iseportal vlan 234
radio 2
radio 3
#
Example: Configuring Cisco ISE-based HWTACACS authentication for SSH login
Network configuration
As shown in Figure 31, the PC is connected to the AC over the switch. The ISE server performs HWTACACS authentication for the client when the client logs in to the AC through SSH.
The client has the following permissions after it logs in to the AC through SSH:
· Has the permissions of the level-1 user role.
· Cannot access the display cpu-usage command.
Procedures
IMPORTANT: This configuration example only covers the major settings related to authenticating SSH login by HWTACACS authentication on the Cisco ISE server. For information about the network connectivity settings, see the manuals for the devices and server. Make sure the devices and server have network connectivity.
Configuring the AC
1. Configure an HWTACACS scheme:
# Create HWTACACS scheme tac.
<AC> system-view
[AC] hwtacacs scheme tac
# Specify the ISE server at 8.1.1.19 as the primary authentication, authorization, and accounting servers and specify a shared key for secure communication with the ISE server. Make sure the shared key is the same as the shared secret configured on the ISE server.
[AC-hwtacacs-tac] primary authentication 8.1.1.19 key cipher $c$3$8zfqwa07HmNhvjWvEeixw5NGEGo82r/htRg=
[AC-hwtacacs-tac] primary authorization 8.1.1.19 key cipher $c$3$fARZu6PskfKoULCy46SHq0hVbNHakBUPleE=
[AC-hwtacacs-tac] primary accounting 8.1.1.19 key cipher $c$3$tBnfBlfHnO9YHBko2ZjMpzpuRqSyN3wdDPA=
# Exclude the domain name from usernames sent to the ISE server.
[AC-hwtacacs-tac] user-name-format without-domain
# Specify 191.2.1.56 as the NAS IP address of HWTACACS packets sent to the ISE server. Make sure the NAS IP address is the same as that specified on the ISE server for the AC.
[AC-hwtacacs-tac] nas-ip 191.2.1.56
[AC-hwtacacs-tac] quit
2. Configure an ISP domain:
# Create ISP domain system.
[AC] domain system
# Configure the ISP domain to use HWTACACS scheme tac for login user authentication and authorization and to not perform accounting for login users.
[AC-isp-system] authentication login hwtacacs-scheme tac
[AC-isp-system] authorization login hwtacacs-scheme tac
[AC-isp-system] accounting login none
# Configure the ISP domain to use HWTACACS scheme tac for command authorization and accounting.
[AC-isp-system] authorization command hwtacacs-scheme tac
[AC-isp-system] accounting command hwtacacs-scheme tac
[AC-isp-system] quit
3. Create local RSA and DSA key pairs and enable the SSH server.
[AC] public-key local create rsa
[AC] public-key local create dsa
[AC] ssh server enable
4. Enable the default user role feature, so that a login user who is not assigned a user role by the server gets the default user role instead of being denied.
[AC] role default-role enable
5. Configure the VTY lines to use AAA (scheme) authentication and enable command authorization and accounting on them.
[AC] line vty 0 31
[AC-line-vty0-31] authentication-mode scheme
[AC-line-vty0-31] command authorization
[AC-line-vty0-31] command accounting
[AC-line-vty0-31] quit
Configuring the ISE server
1. Create a network access user:
a. On the top navigation bar, select Work Centers > Device Administration > Identities.
b. From the left navigation pane, select Users.
c. Click Add.
d. On the page that opens, set the name to ldflogin and password to Ldf654321.
Make sure the password contains uppercase letters, lowercase letters, and digits.
e. Click Submit.
Figure 32 Creating a network access user
2. Add the AC to the server as a network access device:
a. On the top navigation bar, select Work Centers > Device Administration > Network Resources.
b. From the left navigation pane, select Network Devices.
c. Click Add.
d. On the page that opens, set the name to AC2, specify IP address 191.2.1.56, select TACACS Authentication Settings, and set the shared secret to H3cc.
Make sure the IP address is the same as the NAS IP address of HWTACACS packets on the AC.
Make sure the shared secret is the same as the shared key configured on the AC.
e. Save the configuration.
Figure 33 Adding the AC to the server
3. Configure authentication protocols:
a. On the top navigation bar, select Work Centers > Device Administration > Policy Elements.
b. From the left navigation pane, select Results > Allowed Protocols.
c. Use the default allowed protocols service named Default Device Admin.
Figure 34 Configuring authentication protocols
4. Configure a TACACS profile:
a. On the top navigation bar, select Work Centers > Device Administration > Policy Elements.
b. From the left navigation pane, select Results > TACACS Profiles.
c. Click Add.
d. On the page that opens, set the name to ldftacas, select Default Privilege, and set the default privilege to level 1.
e. Save the configuration.
Figure 35 Configuring a TACACS profile
5. Configure a TACACS command set:
a. On the top navigation bar, select Work Centers > Device Administration > Policy Elements.
b. From the left navigation pane, select Results > TACACS Command Sets.
c. Click Add.
d. On the page that opens, set the name to ldftacacs. In the Commands area, select Permit any command that is not listed below and deny the display cpu-usage command. A command set built this way is a denylist; for production administrators, listing the permitted commands and denying everything else is the safer default.
e. Save the configuration.
Figure 36 Configuring a TACACS command set
6. Configure an authentication and authorization policy set:
a. On the top navigation bar, select Work Centers > Device Administration > Device Admin Policy Sets.
b. Click the plus icon + under Policy Sets.
c. Set the policy set name to a.
Figure 37 Configuring an authentication and authorization policy set
d. Click the icon in the View column for the authentication and authorization policy set named a.
e. In the Authorization Policy area, add an authorization policy named Authorization Rule 1. In the Results > Command Sets column for the authorization policy, select command set ldftacacs. In the Results > Shell Profiles column for the authorization policy, select TACACS profile ldftacas.
Figure 38 Adding an authorization policy
f. Save the configuration.
7. Enable device access authentication service:
a. On the top navigation bar, select Administration > System > Deployment.
b. Select the ISE node, and then click Edit.
Figure 39 Selecting the ISE node and clicking Edit
c. On the page that opens, select the Enable Device Admin Service option and save the configuration.
Figure 40 Editing the ISE node
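Command authorization with the command set above is evaluated per command: each time the user types a command, the AC sends an authorization REQUEST over HWTACACS and executes the command only if the server returns a pass status. The following Python script is an added example, not H3C or Cisco code. It encodes such a REQUEST for user ldflogin in the RFC 8907 layout, obfuscates the body with shared key H3cc using the MD5 pseudo-pad of RFC 8907 section 4.5, recovers it on the server side, and evaluates it against a command set shaped like ldftacacs (deny display cpu-usage, permit everything else). The av-pair encoding of the command (cmd=display, cmd-arg=cpu-usage, cmd-arg=<cr>), the port and remote-address strings, and the session ID are assumptions; how the AC actually encodes a Comware command line is not shown in this document.

```python
"""TACACS+ command authorization: encode, obfuscate, decode, decide.
Added example, not H3C or Cisco code; the exchange is constructed."""
import hashlib
import os
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02            # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # if set, the body is sent in cleartext
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

SHARED_KEY = b"H3cc"                    # shared secret from the example
DENIED_COMMANDS = ["display cpu-usage"]  # mirrors the ldftacacs set: deny these, permit the rest


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5(sid+key+ver+seq) || MD5(sid+key+ver+seq+prev) || ... truncated to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it again recovers the body."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))))


def build_author_request(user: str, port: str, rem_addr: str, args, priv_lvl: int = 1) -> bytes:
    """Authorization REQUEST body (RFC 8907 6.1); args are av-pairs such as 'cmd=display'."""
    enc = [a.encode("ascii") for a in args]
    fields = [user.encode(), port.encode(), rem_addr.encode()] + enc
    if len(enc) > 255 or any(len(f) > 255 for f in fields):
        raise ValueError("field too long for a one-byte length")
    head = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(fields[0]), len(fields[1]), len(fields[2]), len(enc))
    return head + bytes(len(a) for a in enc) + b"".join(fields)


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte header plus obfuscated body; flags=0 means the body is obfuscated."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Server side: refuse cleartext bodies, strip the pad, decode the REQUEST fields."""
    _, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or length != len(packet) - 12:
        raise ValueError("not a well-formed authorization packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("cleartext body: refuse rather than accept commands sent unprotected")
    body = obfuscate(packet[12:], session_id, key, seq_no)
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens, i = list(body[8:8 + argc]), 8 + argc
    user, i = body[i:i + ulen], i + ulen
    port, i = body[i:i + plen], i + plen
    rem_addr, i = body[i:i + rlen], i + rlen
    args = []
    for n in arg_lens:
        args.append(body[i:i + n].decode("ascii"))   # a key mismatch usually fails here or below
        i += n
    if i != len(body):
        raise ValueError("field lengths do not add up: wrong key or corrupt packet")
    return {"user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode(),
            "priv_lvl": priv_lvl, "args": args}


def command_line(args) -> str:
    """Join cmd and cmd-arg av-pairs into the typed command; '<cr>' marks end of line."""
    cmd, cmd_args = "", []
    for a in args:
        k, _, v = a.partition("=") if "=" in a else a.partition("*")  # '*' marks an optional av-pair
        if k == "cmd":
            cmd = v
        elif k == "cmd-arg" and v != "<cr>":
            cmd_args.append(v)
    return " ".join([cmd] + cmd_args).strip()


def authorize(request: dict) -> int:
    """Evaluate like the ISE command set: deny listed commands, permit everything else."""
    typed = command_line(request["args"])
    if not typed:
        return TAC_PLUS_AUTHOR_STATUS_FAIL
    if any(typed == d or typed.startswith(d + " ") for d in DENIED_COMMANDS):
        return TAC_PLUS_AUTHOR_STATUS_FAIL
    return TAC_PLUS_AUTHOR_STATUS_PASS_ADD


def round_trip(args, key: bytes = SHARED_KEY, session_id=None):
    """AC encodes and obfuscates; server decodes and decides. Returns (status, decoded request)."""
    session_id = session_id if session_id is not None else int.from_bytes(os.urandom(4), "big")
    body = build_author_request("ldflogin", "vty0", "192.0.2.10", args)  # port and address are placeholders
    decoded = parse_packet(build_packet(body, session_id, key), key)
    return authorize(decoded), decoded


if __name__ == "__main__":
    print(round_trip(["service=shell", "cmd=display", "cmd-arg=memory", "cmd-arg=<cr>"]))
    print(round_trip(["service=shell", "cmd=display", "cmd-arg=cpu-usage", "cmd-arg=<cr>"]))
```

Because the pad is derived from the shared key, a key mismatch between the AC (step 1) and the ISE network device entry (step 2) does not produce an error message on the wire: the body simply decodes to garbage and the server fails the request. That is the first thing to check when SSH login or command authorization fails with no useful log on the ISE side. The script also refuses packets with TAC_PLUS_UNENCRYPTED_FLAG set; a TACACS+ server that accepts them exposes every typed command and username to anyone on the path.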
Verifying the configuration
1. Verify that the client can log in to the AC through SSH after it provides the correct username and password. (Details not shown.)
2. Verify that the client can access only commands permitted by the level-1 role. For example, the client can access the display memory command. Verify that the client cannot access the display cpu-usage command.
Figure 41 Verifying the access permissions
Configuration files
#
hwtacacs scheme tac
primary authentication 8.1.1.19 key cipher $c$3$8zfqwa07HmNhvjWvEeixw5NGEGo82r/htRg=
primary authorization 8.1.1.19 key cipher $c$3$fARZu6PskfKoULCy46SHq0hVbNHakBUPleE=
primary accounting 8.1.1.19 key cipher $c$3$tBnfBlfHnO9YHBko2ZjMpzpuRqSyN3wdDPA=
user-name-format without-domain
nas-ip 191.2.1.56
#
domain system
authentication login hwtacacs-scheme tac
authorization login hwtacacs-scheme tac
accounting login none
authorization command hwtacacs-scheme tac
accounting command hwtacacs-scheme tac
#
public-key local create rsa
#
public-key local create dsa
#
ssh server enable
#
role default-role enable
#
line vty 0 31
authentication-mode scheme
command authorization
command accounting