- Configured and working Cisco ISE
- Configured and working Velocloud device
Both solutions must have connectivity.
In the sample I used:
- Cisco ISE 220.127.116.118 (without any patch)
- Velocloud 510
Step 1 Configuration Velocloud – Authentication service
In Step 1 we go to the Velocloud Orchestrator and configure the authentication server there.
Click Configure > Network Services > Authentication services > New
In the new window we must fill in the fields below and press Save Changes:
- Service name – The name that will be displayed on Velocloud. In our example it is ISE-01
- Server address – IP address of our ISE server. In our example it is 172.31.137.70
- Shared Secret – The RADIUS shared secret; it must be the same one configured for this network device on Cisco ISE
- Authentication Port – As the field says. In our example it is 1812
- Accounting Port – As the field says. In our example it is 1813
Step 2 Configuration Velocloud – Profile
After creating the Authentication service we must attach it to the required profile.
Click Configure > Profile > YOUR_PROFILE
Under Authentication Settings select ISE-01 (created above) and click Save Changes.
Step 3 Configuration Velocloud – Profile – Verification
Check that your settings are properly distributed to the edge device.
Click Configure > Edges > YOUR_EDGE_DEVICE > Device > Authentication Settings
Step 4 Configuration Velocloud – Profile – WLAN1
We must configure the proper SSID with WPA2 / Personal security and assign it to the proper VLAN, VLAN1 in our example. Thanks to this the end client will get a proper IP address, in our example from the 192.168.88.0/24 network (it will be configured in Step 5).
Click Configure > Profiles > YOUR_PROFILE > Device > Interface Settings > WLAN1 > Edit
We must fill in the fields below and press Update WLAN1
- VLAN – choose VLAN which you want to use
- SSID – set SSID name
- Broadcast – broadcast the SSID (it will be visible to clients)
- Security – choose WPA2 / Enterprise
Step 5 Configuration Velocloud – VLAN
In the last step on the Velocloud side we must configure the VLAN, VLAN 1 in our example.
We must fill in the fields below and press Update VLAN
- Edge LAN IP Address – IP address of the gateway
- DHCP Start – the first address of the range from which IPs are assigned to clients
You can also see that this VLAN is actually assigned to VLAN1.
Step 6 Configuration Cisco ISE – Policy
I don’t describe the installation and configuration process of Cisco ISE because it is out of scope; I only show a screenshot of the policy.
- Firstly we must create a policy, in our example called Velocloud.
Click Policy > Policy Sets and create a new policy by pressing “+” on the left side.
- Secondly we must set the Conditions.
For our needs we create Conditions like the ones below:
- Called-Station-ID: The Velocloud can be configured to send the SSID name in the RADIUS Called-Station-ID attribute, which in turn is used as a condition on ISE. The advantage of this attribute is that it can be used regardless of what the WLAN ID is set to on the Velocloud.
- Ends-With: the value ends with the SSID name, so the regex to use in this example is .*(:<SSID NAME>)$
- bastion-lab-velocloud: Our SSID name configured in Velocloud (Step 3).
- Thirdly we must choose the source against which our users will be authenticated. Pay attention to the If Auth fail, If User not found and If Process fail fields.
Step 7 Final result
In the example below I show a successful connection from an iPhone.
- Certificate from the ISE server
- IP address assigned by Velocloud, and also the SSID.
- We can see on the Orchestrator page that the iPhone (called Iluzjonista) consumed 151.49 kB.
- The client was authorized via the proper policy (Velocloud-Wifi)
- Sample view from Wireshark where we can see RADIUS attributes like Called-Station-Id.
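The Step 6 condition and the Step 7 Wireshark view both revolve around the RADIUS Called-Station-Id attribute. The following Python script is an added example, not code from the post or from Cisco or VMware: it builds a few constructed Access-Request packets in RFC 2865 wire format, extracts Called-Station-Id from them and applies the same "ends with :<SSID NAME>" regex that the ISE policy uses, so you can see exactly which values the Velocloud policy would and would not match. The user name, MAC addresses and the 192.168.88.1 NAS address are assumed sample values; the 16-byte Request Authenticator is a fixed placeholder rather than the random value a real edge would send.

```python
import re
import struct

# RADIUS packet code and attribute types from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLED_STATION_ID = 30
ATTR_CALLING_STATION_ID = 31

# SSID configured on the Velocloud WLAN in the post
SSID_NAME = "bastion-lab-velocloud"
# The ISE condition from Step 6: Called-Station-ID ENDS WITH ":<SSID NAME>",
# written as the regex .*(:<SSID NAME>)$
CALLED_STATION_REGEX = re.compile(r".*(:" + re.escape(SSID_NAME) + r")$")


def build_access_request(attrs, identifier=1):
    """Build a minimal Access-Request from (type, value-bytes) pairs.

    Constructed for this example: the 16-byte Request Authenticator is a fixed
    placeholder, whereas a real NAS (the Velocloud edge) sends random bytes.
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    authenticator = b"\x11" * 16
    return header + authenticator + body


def parse_attributes(packet):
    """Return the (type, value) attribute list of a RADIUS packet.

    Raises ValueError when the Length header or an attribute length does not
    fit the bytes actually received, so a truncated or padded packet is never
    silently evaluated against policy.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d does not match %d bytes on the wire"
                         % (length, len(packet)))
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("attribute header truncated at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length %d at offset %d" % (attr_len, pos))
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def called_station_id(packet):
    """Return the Called-Station-Id string (AP MAC:SSID) or None if absent."""
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_CALLED_STATION_ID:
            return value.decode("ascii", "replace")
    return None


def matches_velocloud_policy(packet):
    """Evaluate the Step 6 condition: does Called-Station-ID end with ':<SSID>'?"""
    csid = called_station_id(packet)
    return csid is not None and CALLED_STATION_REGEX.match(csid) is not None


# Constructed sample packets (not captures from the post). MAC addresses use the
# locally administered 02- prefix; the NAS IP is an assumed Edge LAN address.
VELOCLOUD_WIFI_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"alice"),
    (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 88, 1])),
    (ATTR_CALLING_STATION_ID, b"02-00-00-00-00-01"),  # client (phone) MAC
    (ATTR_CALLED_STATION_ID, b"02-00-00-00-00-AA:" + SSID_NAME.encode()),  # AP MAC:SSID
])
OTHER_SSID_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"alice"),
    (ATTR_CALLED_STATION_ID, b"02-00-00-00-00-AA:guest-wifi"),
], identifier=2)
NO_CSID_REQUEST = build_access_request([(ATTR_USER_NAME, b"alice")], identifier=3)
TRUNCATED_REQUEST = VELOCLOUD_WIFI_REQUEST[:-1]  # Length field no longer matches

if __name__ == "__main__":
    for name, pkt in [("velocloud-wifi", VELOCLOUD_WIFI_REQUEST),
                      ("other-ssid", OTHER_SSID_REQUEST),
                      ("no-called-station-id", NO_CSID_REQUEST)]:
        verdict = "policy Velocloud matches" if matches_velocloud_policy(pkt) else "no match"
        print(name, called_station_id(pkt), "->", verdict)
```

Two details worth noticing: the regex requires the colon, so a request whose Called-Station-Id carries only the SSID (or only the AP MAC) does not match, which is the behaviour the ENDS WITH condition gives on ISE; and a request with no Called-Station-Id at all falls through to "no match" rather than raising, which is how such a request would end up in the policy set's default rule.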