Add the controller to the AAA server – Cisco ISE running 2.4

Add the WLC’s IP address to ISE along with the RADIUS key

Create an 802.1X WLAN












Verify that the SSID is being broadcast over the air and that it can be seen by the client device.


Create an 802.1X authentication policy/condition on ISE



Time to test the client
Now a look at the packet capture taken by Cisco ISE:
The first user (fin) failed authentication because he is NOT a member of the wireless engineers group. Remember that the authentication policy is as follows: if the user is a member of the wireless engineers group and the authentication is EAP-TLS, permit access; ELSE fail authentication.


Cisco ISE RADIUS logs



Wireshark:

Access request


Access challenge

Finally, a failure: the user fin1 is rejected because his request does NOT match the policy requirements:

Successful authentication for my request as I am a member of the defined group
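
To read the same exchange outside Wireshark, the following added example (not part of the original post) decodes the RADIUS code, the User-Name and the embedded EAP header for each of the packet types shown above. The packet bytes are constructed for illustration, with a zeroed authenticator and no Message-Authenticator attribute; only the user names fin1 and fclarke come from the page.

```python
import struct

# RADIUS codes (RFC 2865); EAP codes and method types (RFC 3748, RFC 5216)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}
USER_NAME, EAP_MESSAGE = 1, 79  # RADIUS attribute types

def parse_radius(pkt):
    """Return (RADIUS code, User-Name, EAP code, EAP method) for one packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    user, eap, pos = None, b"", 20
    while pos < length:
        if length - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + a_len]
        if a_type == USER_NAME:
            user = value.decode("utf-8", "replace")
        elif a_type == EAP_MESSAGE:
            eap += value  # EAP can be split across several attributes
        pos += a_len
    e_code = EAP_CODES.get(eap[0], str(eap[0])) if len(eap) >= 4 else None
    # Only EAP Request/Response packets carry a method type byte
    e_type = EAP_TYPES.get(eap[4], str(eap[4])) if len(eap) > 4 and eap[0] in (1, 2) else None
    return CODES.get(code, str(code)), user, e_code, e_type

def build(code, attrs):
    """Constructed sample packet: identifier and authenticator are zeroed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 0, 20 + len(body)) + bytes(16) + body

def eap_msg(code, payload=b""):
    return struct.pack("!BBH", code, 0, 4 + len(payload)) + payload

# Constructed samples mirroring the capture steps; not bytes from the real capture
SAMPLES = [
    build(1, [(USER_NAME, b"fin1"), (EAP_MESSAGE, eap_msg(2, b"\x01fin1"))]),
    build(11, [(EAP_MESSAGE, eap_msg(1, b"\x0d\x20"))]),  # EAP-TLS start flag
    build(3, [(EAP_MESSAGE, eap_msg(4))]),
    build(2, [(USER_NAME, b"fclarke"), (EAP_MESSAGE, eap_msg(3))]),
]

if __name__ == "__main__":
    print(*map(parse_radius, SAMPLES), sep="\n")
```

An Access-Reject that carries EAP-Failure, as in the third sample, is what the rejected client's capture ends with; an Access-Accept carries EAP-Success.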



fclarke client association on the controller


Iperf test