Aruba/Cisco ISE – Basic AAA / 802.1X WLAN authentication


Add the controller to the AAA server – Cisco ISE running 2.4

Add the WLC’s IP address to ISE along with the RADIUS key

Create an 802.1X WLAN

Verify that the SSID is being broadcast over the air and that it can be seen by the client device.

Create 802.1X authentication policy /condition on ISE

Time to test the client

Now a look at the packet capture taken by Cisco ISE:

The first user (fin) failed authentication because he is NOT a member of the wireless engineers group. Remember that the authentication policy is as follows: if the user is a member of the wireless engineers group and the authentication is EAP-TLS, permit access; ELSE fail authentication.

Cisco ISE RADIUS logs

Wireshark:

Access request

Access challenge

Finally, a failure, as the user fin1 will be rejected because his request does NOT match the policy requirements:

Successful authentication for my request as I am a member of the defined group
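
The RADIUS packets in the capture above can also be decoded outside Wireshark. The following is an added example, not part of the original post: it parses a RADIUS packet, names the EAP type carried in the EAP-Message attribute, and verifies the Message-Authenticator against the RADIUS key configured on both the controller and ISE. The sample packet, the secret `constructed-secret` and all function names are constructed for illustration.

```python
import hmac, struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}

def parse_radius(pkt):
    """Split a RADIUS packet (RFC 2865) into code name, identifier and (type, value, offset) attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[off + 2:off + alen], off))
        off += alen
    return CODES.get(code, str(code)), ident, attrs

def eap_method(attrs):
    """Reassemble EAP-Message (79) fragments and name the EAP type in use."""
    eap = b"".join(v for t, v, _ in attrs if t == 79)
    if len(eap) < 5:                      # EAP Success/Failure carry no type byte
        return None
    return EAP_TYPES.get(eap[4], str(eap[4]))

def message_authenticator_ok(pkt, secret, request_auth=None):
    """Verify attribute 80: HMAC-MD5 over the packet with the attribute zeroed (RFC 3579)."""
    _, _, attrs = parse_radius(pkt)
    for t, v, off in attrs:
        if t == 80 and len(v) == 16:
            buf = bytearray(pkt)
            if request_auth:              # replies are keyed to the request's authenticator
                buf[4:20] = request_auth
            buf[off + 2:off + 18] = bytes(16)
            return hmac.compare_digest(hmac.new(secret, bytes(buf), "md5").digest(), v)
    return False                          # RFC 3579: EAP packets lacking attribute 80 are discarded

def build_sample(secret):
    """Constructed Access-Request: User-Name + EAP-Response/Identity + Message-Authenticator."""
    user = b"fin"
    eap = struct.pack("!BBHB", 2, 1, 5 + len(user), 1) + user
    body = bytes([1, 2 + len(user)]) + user + bytes([79, 2 + len(eap)]) + eap + bytes([80, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(range(16)) + body)
    pkt[-16:] = hmac.new(secret, bytes(pkt), "md5").digest()
    return bytes(pkt)

if __name__ == "__main__":
    p = build_sample(b"constructed-secret")
    print(parse_radius(p)[0], eap_method(parse_radius(p)[2]), message_authenticator_ok(p, b"constructed-secret"))
```

A Message-Authenticator that fails to verify with the expected key points to a key mismatch between the controller and ISE or to a packet modified in transit.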

fclarke client association on the controller

Iperf test
