Configuring Enterprise Wi-Fi on the Velocloud is extremely straightforward.

Prerequisites

  • Configured and working Cisco ISE
  • Configured and working Velocloud device

Both solutions must have connectivity.

 

In the sample I used:

  • Cisco ISE 2.3.0.298 (without any patch)
  • Velocloud 510

In Step 1 we go to the Velocloud Orchestrator and configure the authentication server there.

Click Configure > Network Services > Authentication services > New


In the new window, we must fill in the fields below and press Save Changes:

  • Service name – The name that will be displayed on Velocloud. In our example it is ISE-01
  • Server address – IP address of our ISE server. In our example it is 172.31.137.70
  • Shared Secret – Password used for RADIUS/Cisco ISE
  • Authentication Port – As the field says. In our example it is 1812
  • Accounting Port – As the field says. In our example it is 1813



Step 2 Configuration Velocloud – Profile

After creating the authentication service, we must assign it to the required profile.

Click Configure > Profile > YOUR_PROFILE


Then, from Authentication Settings, select ISE-01 (created above) and click Save Changes.



Step 3 Configuration Velocloud – Profile – Verification

Check that your settings are properly distributed to the edge device.

Click Configure > Edges > YOUR_EDGE_DEVICE > Device > Authentication Settings



Step 4 Configuration Velocloud – Profile – WLAN1

We must configure the proper SSID, WPA2 / Personal, and assign the proper VLAN to it, in our example VLAN1. Because of this, the end client will get a proper IP address, in our example from network 192.168.88.0/24 (it will be configured in Step 5).

Click Configure > Profiles > YOUR_PROFILE > Device > Interface Settings  > WLAN1 > Edi

We must fill in the fields below and press Update WLAN1:

  • VLAN – choose the VLAN which you want to use
  • SSID – set the SSID name
  • Broadcast – broadcast the SSID (it will be displayed)
  • Security – choose WPA2 / Enterprise



Step 5 Configuration Velocloud – VLAN

In the last step on the Velocloud side, we must configure the VLAN, in our example VLAN 1.

We must fill in the fields below and press Update VLAN:

  • Edge LAN IP Address – IP address for the gateway
  • DHCP Start – the first address from which IP addresses are assigned to the clients

You can also see that this VLAN is actually assigned to VLAN1.


Step 6 Configuration Cisco ISE – Policy

I don’t describe the installation and configuration process of Cisco ISE because it is out of scope. I just show a screenshot of the policy.

  • Firstly, we must create a policy, in our example called Velocloud.

Click Policy > Policy Sets and then create a new policy by pressing “+” on the left side.

  • Secondly, we must set the Conditions.

For our needs we create Conditions like the ones below:


Where:

  • Called-Station-ID: The Velocloud can be configured to send the SSID name in the RADIUS Called-Station-ID attribute, which in turn is used as a condition on ISE. The advantage of this attribute is that it can be used regardless of what the WLAN ID is set to on the Velocloud.
  • End-With: the value ends with the SSID name, so the REGEX to use in this example is .*(:<SSID NAME>)$
  • bastion-lab-velocloud: Our SSID name configured in Velocloud (Step 3).

 

  • Thirdly, we must choose the source against which our users will be authenticated. Please pay attention to the If Auth fail, If User not found, If Process fail fields.



Step 7 For the end

The example below shows a successful connection from an iPhone.

  • Certificate from ISE Server


  • IP address assigned from Velocloud and also the SSID.


  • Connection


  • We can see on the Orchestrator page that the iPhone (called Iluzjonista) consumed 151.49 kB.


  • The client was authorized via proper policy (Velocloud-Wifi)

 


  • Sample view from Wireshark where we can see RADIUS attributes such as Called-Station-ID.
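
The Called-Station-ID condition from Step 6, applied to the attribute as it would appear in a capture like the one above. This is an added example, not part of the original post: it assumes the edge sends Called-Station-Id as `<AP MAC>:<SSID>` (the RFC 3580 convention), and the MAC address, user name and packets are constructed.

```python
import re
import struct

CALLED_STATION_ID = 30           # RFC 2865 attribute type
SSID = "bastion-lab-velocloud"   # SSID used on this page

def build_access_request(attrs, ident=1):
    """Build a constructed Access-Request (code 1) from (type, bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {type: [values]} from a RADIUS packet, validating every length."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def ssid_condition(ssid):
    """The page's .*(:<SSID NAME>)$ pattern, with regex metacharacters escaped."""
    return re.compile(r".*(:" + re.escape(ssid) + r")$")

def matches_policy(packet, ssid=SSID):
    """True if any Called-Station-Id in the packet ends with ':<ssid>'."""
    values = parse_attributes(packet).get(CALLED_STATION_ID, [])
    cond = ssid_condition(ssid)
    return any(cond.fullmatch(v.decode("ascii", "replace")) for v in values)

# Constructed samples: the real SSID, and a lookalike that only starts with it.
GOOD = build_access_request([(1, b"alice"), (30, b"00-11-22-33-44-55:" + SSID.encode())])
LOOKALIKE = build_access_request([(1, b"alice"), (30, b"00-11-22-33-44-55:" + SSID.encode() + b"-guest")])

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("LOOKALIKE", LOOKALIKE)):
        print(name, matches_policy(pkt))
```

The trailing `$` is what keeps an SSID that merely starts with the configured name out of the policy set, and escaping matters when the SSID contains characters such as `.`.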
