Configuring Velocloud to use Cisco ISE as a RADIUS server.

Configuring Enterprise Wi-Fi on the Velocloud is extremely straightforward.

Prerequisites

  • Configured and working Cisco ISE
  • Configured and working Velocloud device

Both solutions must have network connectivity to each other.

 

In this example I used:

  • Cisco ISE 2.3.0.298 (without any patch)
  • Velocloud 510

 

Step 1 Configuration Velocloud – Authentication services

In Step 1 we go to the Velocloud Orchestrator and configure the authentication server from there.

Click Configure > Network Services > Authentication services > New

In the new window, fill in the fields below and press Save Changes:

  • Service name – The name that will be displayed on Velocloud. In our example it is ISE-01
  • Server address – IP address of our ISE server. In our example it is 172.31.137.70
  • Shared Secret – Password used for RADIUS/Cisco ISE
  • Authentication Port – As the field says. In our example it is 1812
  • Accounting Port – As the field says. In our example it is 1813

Step 2 Configuration Velocloud – Profile

After creating the authentication service, we must assign it to the required profile.

Click Configure > Profile > YOUR_PROFILE

Then, from Authentication Settings, select ISE-01 (created above) and click Save Changes.

Step 3 Configuration Velocloud – Profile – Verification

Check that your settings have been properly distributed to the edge device.

Click Configure > Edges > YOUR_EDGE_DEVICE > Device > Authentication Settings


Step 3 Configuration Velocloud – Profile – WLAN1

We must configure the proper SSID, WPA2 / Personal, and assign the proper VLAN to it, in our example VLAN1. Because of this, the end client will get a proper IP address, in our example from network 192.168.88.0/24 (it will be configured in step 5).

Click Configure > Profiles > YOUR_PROFILE > Device > Interface Settings  > WLAN1 > Edi

Fill in the fields below and press Update WLAN1:

  • VLAN – choose the VLAN you want to use
  • SSID – set the SSID name
  • Broadcast – broadcast the SSID (it will be displayed)
  • Security – choose WPA2 / Enterprise

Step 4 Configuration Velocloud – VLAN

In the last step on the Velocloud side we must configure the VLAN, in our example VLAN 1.

Fill in the fields below and press Update VLAN:

  • Edge LAN IP Address – IP address for the gateway
  • DHCP Start – the first address from which IP addresses are assigned to clients

You can also see that this VLAN is actually assigned to VLAN1.

Step 5 Configuration Cisco ISE – Policy

I don’t describe the installation and configuration process of Cisco ISE because it is out of scope. I only show screenshots of the policy.

Firstly, we must create a policy, in our example called Velocloud.

Click Policy > Policy Sets and then create a new policy by pressing “+” on the left side.

 

Secondly, we must set the Conditions.

For our needs we create Conditions like the ones below.

Where:

  • Called-Station-ID: The Velocloud can be configured to send the SSID name in the RADIUS Called-Station-ID attribute, which in turn is used as a condition on ISE. The advantage of this attribute is that it can be used regardless of what the WLAN ID is set to on the Velocloud.
  • End-With: the value ends with the SSID name, so the regex to use in this example is .*(:<SSID NAME>)$
  • bastion-lab-velocloud: Our SSID name configured in Velocloud (Step 3).
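
The Called-Station-ID condition above can be checked offline before it goes into a policy set. The following is an added example, not part of the original post: it uses Python's `re` module as a stand-in for ISE's matcher and assumes the `MAC:SSID` layout from RFC 3580; the function names and sample values are constructed.

```python
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")

def ssid_condition(ssid, escape=True):
    """Build the article's pattern .*(:<SSID NAME>)$ for one SSID."""
    name = re.escape(ssid) if escape else ssid
    return re.compile(r".*(:" + name + r")$")

def parse_called_station_id(value):
    """Split 'AA-BB-CC-DD-EE-FF:SSID' into (mac, ssid); ssid is None if absent."""
    mac, sep, ssid = value.partition(":")
    if not MAC_RE.fullmatch(mac):
        return None, None
    return mac.upper(), (ssid if sep else None)

def compare(ssid, values):
    """For each value, report which matching strategies select it."""
    pattern = ssid_condition(ssid)
    loose = ssid_condition(ssid, escape=False)
    report = {}
    for value in values:
        report[value] = {
            "plain_suffix": value.endswith(ssid),          # no ':' anchor
            "colon_regex": bool(pattern.match(value)),     # the article's form
            "unescaped_regex": bool(loose.match(value)),   # SSID pasted in raw
            "parsed_exact": parse_called_station_id(value)[1] == ssid,
        }
    return report

# Constructed sample values, not captured traffic.
SAMPLES = [
    "00-11-22-33-44-55:bastion-lab-velocloud",        # the article's SSID
    "00-11-22-33-44-55:guest-bastion-lab-velocloud",  # different SSID, same suffix
    "00-11-22-33-44-55",                              # SSID not appended
]

if __name__ == "__main__":
    for value, result in compare("bastion-lab-velocloud", SAMPLES).items():
        print(value, result)
    # An SSID containing a regex metacharacter shows why escaping matters.
    print(compare("lab.1", ["00-11-22-33-44-55:labx1"]))
```

The leading `:` in the pattern is what keeps a longer SSID with the same suffix out of this policy set, and a value without an appended SSID matches nothing.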

 

Thirdly, we must choose the source against which our users will be authenticated. Please pay attention to the If Auth fail, If User not found and If Process fail fields.

Finally

The example below shows a successful connection from an iPhone.

  • Certificate from ISE Server

  • IP address assigned from Velocloud and also the SSID.

  • Connection


  • We can see on the Orchestrator page that the iPhone (called Iluzjonista) consumed 151.49 kB.


  • The client was authorized via proper policy (Velocloud-Wifi)

 

  • Sample view from Wireshark, where we can see RADIUS attributes such as Called-Station-Id.
