
Connecting to Cisco ISE

Context

Connecting to Cisco ISE refers to using a Cisco ISE server for authentication and authorization on a network admission control (NAC) network. NAC is an end-to-end security architecture that covers 802.1X, MAC address, and portal authentication, and supports configuration at both the aggregation and access layers. NAC provides authentication, authorization, and accounting for device administrators and access users, which protects both the device and the network.

Procedure

  1. Choose Configuration > Advanced Services > Connecting to Cisco ISE. The configuration page is displayed.
  2. On the Select Authentication Interfaces page, select the interfaces to configure for authentication using any of the following methods, as required:

    • Click an interface icon to select an interface. You can click the icon again to deselect the interface.
    • Drag the mouse to select a range of consecutive interfaces at once.
    • Click multiple interface icons to select them. You can click a certain icon again to deselect the interface.

    After selecting an interface, click Clear Interface Authentication Configuration to clear the original authentication configuration of the interface.

  3. To clear all authentication configurations on the device, click Clear Authentication Configuration.
  4. Set the Authentication method to 802.1X, MAC, or Portal.
  5. Set the Network layer to Aggregation layer or Access layer.

    Network layer is configurable only when the Authentication method is set to 802.1X.

  6. Specify the parameters in Authentication Configuration, as shown in Figure 1.

    Authentication Configuration is not supported when the Authentication method is set to 802.1X and the Network layer is set to Access layer.

    Figure 1 Authentication configuration

    Table 1 describes the parameters on the page.

    Table 1 List of authentication parameters

    Authentication server IP address
      IPv4 address of the RADIUS authentication server.

    Secondary server IP address
      IPv4 address of the secondary RADIUS authentication server.

    Accounting server IP address
      IPv4 address of the RADIUS accounting server.

    Secondary server IP address
      IPv4 address of the secondary RADIUS accounting server.

    Shared key
      Shared key for the RADIUS servers.

    Authentication Service

    Primary server port number
      Port number of the RADIUS authentication server.

    Source address of outgoing packets
      Source address of RADIUS packets sent by the switch to the RADIUS authentication server.
      • IP Address: a specified IPv4 address.
      • VLANIF: IPv4 address of a specified VLANIF interface.
      • Loopback: IPv4 address of a specified loopback interface.

    Secondary server port number
      Port number of the secondary RADIUS authentication server.
      Configurable only after the address of the secondary RADIUS authentication server is configured.

    Source address of packets sent by the secondary server
      Source address of RADIUS packets sent to the secondary RADIUS authentication server.
      • IP Address: a specified IPv4 address.
      • VLANIF: IPv4 address of a specified VLANIF interface.
      • Loopback: IPv4 address of a specified loopback interface.
      Configurable only after the address of the secondary RADIUS authentication server is configured.

    Accounting Service

    Primary server port number
      Port number of the RADIUS accounting server.

    Source address of outgoing packets
      Source address of RADIUS packets sent to the RADIUS accounting server.
      • IP Address: a specified IPv4 address.
      • VLANIF: IPv4 address of a specified VLANIF interface.
      • Loopback: IPv4 address of a specified loopback interface.

    Secondary server port number
      Port number of the secondary RADIUS accounting server.
      Configurable only after the address of the secondary RADIUS accounting server is configured.

    Source address of packets sent by the secondary server
      Source address of RADIUS packets sent to the secondary RADIUS accounting server.
      • IP Address: a specified IPv4 address.
      • VLANIF: IPv4 address of a specified VLANIF interface.
      • Loopback: IPv4 address of a specified loopback interface.
      Configurable only after the address of the secondary RADIUS accounting server is configured.

    Real-time accounting interval (minutes)
      Interval at which real-time accounting packets are sent.

    MAC address format in Calling-Station-Id
      Encapsulation format of the MAC address in the Calling-Station-Id (Type 31) attribute of RADIUS packets.

    MAC address format in Called-Station-Id
      Encapsulation format of the MAC address in the Called-Station-Id (Type 30) attribute of RADIUS packets.

    Maximum number of authentication requests
      Number of times authentication request or handshake packets are retransmitted to an 802.1X user.
      Configurable only when the Authentication method is set to 802.1X.

    Authentication timeout period (s)
      Timeout period for client authentication.

    User name mode
      User name type of a MAC authentication user.
      • MAC address: the MAC address is used as the user name.
      • Fixed user name: a fixed user name is used.
      Configurable only when the Authentication method is set to MAC.

    MAC address
      The user name of a MAC authentication user is a MAC address.
      Configurable only when User name mode is set to MAC address.

    MAC address case
      The user name of a MAC authentication user is a MAC address in uppercase.
      Configurable only when User name mode is set to MAC address.

    MAC-based authentication user name
      The user name of a MAC authentication user is a fixed user name.
      Configurable only when User name mode is set to Fixed user name.

    MAC-based authentication password
      Password of a MAC authentication user.

    External Portal server IP Address
      IP address of the portal server.
      Configurable only when the Authentication method is set to Portal.
      Only S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S6730-H, S6730S-H, and S6720-HI support the AP-IP, AP-MAC, AP Name, AP Location, AP Group Name, and SSID parameters.

    Shared key
      Shared key for communication with the portal server.

    SSL policy
      SSL policy used by the built-in portal server.

    URL
      Redirection URL for the portal server.

    URL Separator
      Replaces the start character in the URL with a question mark (?).

    LSW IP address
      AC's CAPWAP gateway address carried in the URL.

    LSW MAC address
      AC's MAC address carried in the URL.

    User access URL
      Original URL accessed by the user, carried in the URL.

    MAC Address
      Access user's MAC address carried in the URL.

    User IP
      Access user's IP address carried in the URL.

    System name
      Access device's system name carried in the URL.

    AP-IP
      AP's IP address carried in the URL.

    AP-MAC
      AP's MAC address carried in the URL.

    AP Name
      AP's name carried in the URL.

    AP Location
      AP's location carried in the URL.

    AP Group Name
      AP group's name carried in the URL.

    SSID
      SSID the user is associated with, carried in the URL.

    Login URL keyword/Login URL
      Identification keyword for the login URL sent to the portal server during redirection, and the URL specified on the access device.

  7. Specify the parameters in Global Settings, as shown in Figure 2.

    Global Settings is not supported when the Authentication method is set to 802.1X and the Network layer is set to Access layer.

    Figure 2 Setting global parameters

    Table 2 describes the parameters on the page.

    Table 2 List of global parameters

    ACL for the post-authentication domain
      The global ACL.

    Authentication domain
      Creates an authentication domain.

  8. Specify the parameters in 802.1X packet transparent transmission configuration.

    802.1X packet transparent transmission configuration is supported when the Authentication method is set to 802.1X and the Network layer is set to Access layer.

    For S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, S6720-EI, and S6720S-EI, the configuration page is shown in Figure 3; for the other models, it is shown in Figure 4.

    Figure 3 Configuring 802.1X transparent transmission

    Figure 4 Configuring 802.1X transparent transmission

    Table 3 describes the parameters on the page.

    Table 3 Configuring 802.1X transparent transmission

    BPDU MAC address/mask
      BPDU MAC address and mask.
      Supported only on S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, S6720-EI, and S6720S-EI.

    Destination MAC address of transparently transmitted 802.1X packets
      Multicast destination MAC address of the user-defined protocol packets.
      Supported only on models other than S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, S6720-EI, and S6720S-EI.

    Multicast MAC address replacing the destination multicast MAC address of packets
      Multicast MAC address that replaces the destination MAC address of Layer 2 protocol packets.
      Supported only on models other than S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, S6720-EI, and S6720S-EI.

  9. Click Apply to complete the configuration.
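As an added example (not code from this page or from Huawei), the following Python shows what the Shared key, Source address of outgoing packets, and Calling-/Called-Station-Id (Type 31 / Type 30) parameters in Table 1 translate to on the wire: it builds a minimal RADIUS Access-Request as defined in RFC 2865 and checks a server reply's Response Authenticator, which is the check that fails silently when the switch and ISE hold different shared keys. The NAS address, shared key and MAC values are constructed, and the MAC-format style names are this example's own, not the device's option labels.

```python
import hashlib
import hmac
import socket
import struct

# Constructed values for this example (not from any real deployment).
SHARED_KEY = b"example-shared-key"   # the "Shared key" parameter
NAS_IP = "192.0.2.10"                # the "Source address of outgoing packets"
USER_NAME, NAS_IP_ADDRESS, CALLED_STATION_ID, CALLING_STATION_ID = 1, 4, 30, 31
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def format_mac(mac: str, style: str) -> str:
    """Encapsulate a MAC address for Calling-/Called-Station-Id. The style names
    are assumed for this example and are not the device's option labels."""
    hx = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hx) != 12:
        raise ValueError("MAC must contain 12 hex digits")
    pairs = [hx[i:i + 2] for i in range(0, 12, 2)]
    styles = {"hyphen2": "-".join(pairs).upper(),                          # AA-BB-CC-DD-EE-FF
              "colon2": ":".join(pairs),                                    # aa:bb:cc:dd:ee:ff
              "hyphen4": "-".join(hx[i:i + 4] for i in range(0, 12, 4)),    # aabb-ccdd-eeff
              "raw": hx}                                                    # aabbccddeeff
    return styles[style]

def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident: int, user: str, user_mac: str, port_mac: str,
                         style: str, req_auth: bytes) -> bytes:
    """What the switch sends to the RADIUS authentication server."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP))
             + attr(CALLING_STATION_ID, format_mac(user_mac, style).encode())
             + attr(CALLED_STATION_ID, format_mac(port_mac, style).encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code: int, ident: int, req_auth: bytes, key: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + key).digest() + attrs

def verify_response(resp: bytes, req_auth: bytes, key: bytes) -> bool:
    """Switch side: a reply failing this check is dropped, which is how a key mismatch shows up."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + key).digest()
    return hmac.compare_digest(resp[4:20], expected)
```

The Calling-Station-Id format chosen on the switch must match the endpoint identity format expected on the ISE side, or MAC authentication lookups will not match.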
Copyright © Huawei Technologies Co., Ltd.