Home / IT Certifications / CCNP Routing and Switching / CCNP SWITCH / Cisco ISE Internal Radius Server Configuration for 802.1X

Cisco ISE Internal Radius Server Configuration for 802.1X

In this article we’ll explore the configuration of Cisco ISE as an internal Radius server.

  • Setting Device Groups
  • Configuring the network device (the Radius client)
  • Setting internal users
  • Preparing the Authentication policy
  • Setting a compound authorization policy
  • Setting the Allowed Protocols
  • Setting the downloadable ACL
  • Setting Authorization Profiles
  • Setting the Policy Set

Setting Device Groups

Go to Administration -> Network Resources -> Network Device Groups

cisco-ise-internal-radius-server-2017-08-06 22_24_51


Configuring the network device

cisco-ise-internal-radius-server-2017-08-06 22_27_09

cisco-ise-internal-radius-server-2017-08-06 22_27_24

Setting internal users

cisco-ise-internal-radius-server-2017-08-06 22_29_39

cisco-ise-internal-radius-server-2017-08-06 22_29_50

“Employee” is a pre-defined user group.

Preparing the Authentication policy

We’ll use the pre-built Wired_802.1X authentication policy which is enough for what we are going to do.

cisco-ise-internal-radius-server-2017-08-06 22_32_44

Setting a compound authorization policy

When a Radius client is authenticated, the authorization process is evaluated. Our authorization policy will be compound. Here is a sample one.

cisco-ise-internal-radius-server-2017-08-06 22_34_18

I did not use the default Wired_802.1x authorization policy because I want some customized parameters.

cisco-ise-internal-radius-server-2017-08-06 22_35_36

Setting the Allowed Protocols

I’ll define a set of allowed protocols, which will be used to negotiate 802.1X and Radius, when the authentication policy conditions are met.

cisco-ise-internal-radius-server-2017-08-06 22_38_05

cisco-ise-internal-radius-server-2017-08-06 22_38_21

Setting the downloadable ACL

Although the dACL did not work in my home lab, I’ll mention them for the completeness of information.

cisco-ise-internal-radius-server-2017-08-06 22_42_36

cisco-ise-internal-radius-server-2017-08-06 22_42_48

Setting Authorization Profiles

Authorization profiles are given as a result of a successful matching of the authorization policy’s conditions. Here I give the example of an authorization policy that leverages the dACL we created before (EMPLOYEE-ONLY) and sets the vlan that’ll be assigned to the successfully-authorized port.

cisco-ise-internal-radius-server-2017-08-06 22_43_57

cisco-ise-internal-radius-server-2017-08-06 22_44_22

Setting the Policy Set

I created a policy set with a general-matching condition, just to fire it up in the ISE matching logic.

cisco-ise-internal-radius-server-2017-08-06 22_47_37

My primary constructs within the policy set are:

  • the authentication policy: wired-dot1x
  • the authentication policy: Employee-access

cisco-ise-internal-radius-server-2017-08-06 22_48_37


Top Courses in IT & Software 300x250

Leave a Reply

Your email address will not be published. Required fields are marked *


Adsense black background: