- Configured and working Cisco ISE
- Configured and working Velocloud device
Both solutions must have connectivity.
In the sample I used:
- Cisco ISE 18.104.22.1688 (without any patch)
- Velocloud 510
Step 1 Configuration Velocloud – Authentication services
In Step 1 we go to the Velocloud Orchestrator and configure the authentication server from there.
Click Configure > Network Services > Authentication services > New
In the new window, fill in the fields below and press Save Changes:
- Service name – The name that will be displayed on Velocloud. In our example it is ISE-01
- Server address – IP address of our ISE server. In our example it is 172.31.137.70
- Shared Secret – Password used for Radius/Cisco ISE
- Authentication Port – As the field says. In our example it is 1812
- Accounting Port – As the field says. In our example it is 1813
Step 2 Configuration Velocloud – Profile
After creating the Authentication service, we must assign it to the required profile.
Click Configure > Profile > YOUR_PROFILE
Then, from Authentication Settings, select ISE-01 (created above) and click Save Changes.
Step 3 Configuration Velocloud – Profile – Verification
Check that your settings are properly distributed to the edge device.
Click Configure > Edges > YOUR_EDGE_DEVICE > Device > Authentication Settings
Step 3 Configuration Velocloud – Profile – WLAN1
We must configure the proper SSID, WPA2 / Personal, and assign the proper VLAN to it, in our example VLAN1. Because of this, the end client will get a proper IP address, in our example from network 192.168.88.0/24 (it will be configured in step 5).
Click Configure > Profiles > YOUR_PROFILE > Device > Interface Settings > WLAN1 > Edi
Fill in the fields below and press Update WLAN1:
- VLAN – choose the VLAN which you want to use
- SSID – set the SSID name
- Broadcast – broadcast the SSID (it will be displayed)
- Security – choose WPA2 / Enterprise
Step 4 Configuration Velocloud – VLAN
In the last step on the Velocloud side we must configure the VLAN, in our example VLAN 1.
Fill in the fields below and press Update VLAN:
- Edge LAN IP Address – IP address of the gateway
- DHCP Start – the first address from which IP addresses are assigned to the clients
You can also see that this VLAN is actually assigned to VLAN1.
Step 5 Configuration Cisco ISE – Policy
I don’t describe the installation and configuration process of Cisco ISE because it’s out of scope. I just show a screenshot of the policy.
Firstly, we must create a policy, in our example called Velocloud.
Click Policy > Policy Sets and then create a new policy by pressing “+” on the left side.
Secondly, we must set the Conditions.
For our needs we create Conditions like the ones below:
- Called-Station-ID: The Velocloud can be configured to send the SSID name in the RADIUS Called-Station-ID attribute, which in turn is used as a condition on ISE. The advantage of this attribute is that it can be used regardless of what the WLAN ID is set to on the Velocloud.
- End-With: ends with the SSID name, so the REGEX to use in this example is .*(:<SSID NAME>)$
- bastion-lab-velocloud: Our SSID name configured in Velocloud (Step 3).
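The Called-Station-ID condition above can be checked offline before it goes into the policy set. The following is an added example, not part of the original article or of Cisco ISE: it uses Python's re module (ISE's own regex engine may differ in details) on constructed Called-Station-Id values in the RFC 3580 "AP-MAC:SSID" form, where the MAC addresses and the extra SSID names are made up. The stricter pattern is an assumption of this example, shown for the case where an SSID name itself contains a colon.

```python
import re

SSID = "bastion-lab-velocloud"  # SSID name used on this page

# Constructed sample Called-Station-Id values (RFC 3580 style "AP-MAC:SSID").
# The MAC address and every SSID except the first are made up for this example.
SAMPLES = [
    "00-11-22-33-44-55:bastion-lab-velocloud",        # the intended SSID
    "00-11-22-33-44-55:bastion-lab-velocloud-guest",  # same prefix, longer name
    "00-11-22-33-44-55:old-bastion-lab-velocloud",    # same suffix, no colon before it
    "00-11-22-33-44-55:lab:bastion-lab-velocloud",    # SSID that contains a colon
    "00-11-22-33-44-55",                              # no SSID appended at all
]


def page_pattern(ssid):
    """The page's condition .*(:<SSID NAME>)$ with the SSID regex-escaped."""
    return re.compile(r".*(:" + re.escape(ssid) + r")$")


def strict_pattern(ssid):
    """Stricter variant (assumption, not from the page): the whole value must be
    one dash-separated MAC address, one colon, then exactly the SSID."""
    mac = r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"
    return re.compile(r"^" + mac + ":" + re.escape(ssid) + r"$")


def hits(pattern, values):
    """Return the values that the policy-set condition would accept."""
    return [v for v in values if pattern.search(v)]


if __name__ == "__main__":
    for name, pat in (("page", page_pattern(SSID)), ("strict", strict_pattern(SSID))):
        print(name, pat.pattern)
        for value in SAMPLES:
            print("   ", "MATCH" if pat.search(value) else "     ", value)
```

The leading colon and the trailing `$` keep longer or prefixed SSID names out of this policy set; only an SSID that itself ends in ":bastion-lab-velocloud" still matches the page's pattern, which the stricter variant rules out.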
Thirdly, we must choose the source from which our users will be authenticated. Please pay attention to the If Auth fail, If User not found, If Process fail fields.
Finally
In the example below I show you a proper connection via iPhone.
- Certificate from ISE Server
- IP address assigned from Velocloud and also SSID.
- We can see on the Orchestrator page that the iPhone (called Iluzjonista) consumed 151.49 kB.
- The client was authorized via proper policy (Velocloud-Wifi)
- Sample view from Wireshark where we can see RADIUS attributes like Called-Station-Id.