The Cisco Identity Services Engine (ISE) is a next-generation, context-based access control solution that provides the functions of Cisco Secure Access Control System (ACS) and Cisco Network Admission Control (NAC) in one integrated platform.
ISE has been introduced in the 184.108.40.206 release of the Cisco Unified Wireless Network. ISE can be used to provide advanced security for your deployed network. It is an authentication server that you can configure on your controller. When a client associates to the controller on a RADIUS NAC–enabled WLAN, the controller forwards the request to the ISE server.
The ISE server validates the user in the database and on successful authentication, the URL and pre-AUTH ACL are sent to the client. The client then moves to the Posture Required state and is redirected to the URL returned by the ISE server.
The client moves to the Central Web Authentication state, if the URL returned by the ISE server has the keyword 'cwa'.
The NAC agent in the client triggers the posture validation process. On successful posture validation by the ISE server, the client is moved to the run state.
Flex local switching with Radius NAC support is added in Release 220.127.116.11. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 18.104.22.168 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work.
Device registration enables you to authenticate and provision new devices on the WLAN with RADIUS NAC enabled. When the device is registered on the WLAN, it can use the network based on the configured ACL.
Central Web Authentication
In the case of Central Web Authentication (CWA), the web-authentication occurs on the ISE server. The web portal in the ISE server provides a login page to the client. Once the credentials are verified on the ISE server, the client is provisioned. The client remains in the POSTURE_REQD state until a CoA is reached. The credentials and ACLs are received from the ISE server.
Local Web Authentication
Local web authentication is not supported for RADIUS NAC.
This table describes the possible combinations in a typical ISE deployment with Device Registration, CWA and LWA enabled:
Table 1 ISE Network Authentication Flow
RADIUS NAC Enabled
PSK, Static WEP, CKIP
MAC Filtering Enabled
Restrictions for RADIUS NAC Support
A RADIUS NAC-enabled WLAN supports Open Authentication and MAC filtering.
Radius NAC functionality does not work if the configured accounting server is different from authentication (ISE) server. You should configure the same server as the authentication and accounting server in case ISE functionalities are used. If ISE is used only for ACS functionality, the accounting server can be flexible.
When clients move from one WLAN to another, the controller retains the client’s audit session ID if it returns to the WLAN before the idle timeout occurs. As a result, when clients join the controller before the idle timeout session expires, they are immediately moved to RUN state. The clients are validated if they reassociate with the controller after the session timeout.
Suppose you have two WLANs, where WLAN 1 is configured on a controller (WLC1) and WLAN2 is configured on another controller (WLC2) and both are RADIUS NAC enabled. The client first connects to WLC1 and moves to the RUN state after posture validation. Assume that the client now moved to WLC2. If the client connects back to WLC1 before the PMK expires for this client in WLC1, the posture validation is skipped for the client. The client directly moves to RUN state by passing posture validation as the controller retains the old audit session ID for the client that is already known to ISE.
When deploying RADIUS NAC in your wireless network, do not configure a primary and secondary ISE server. Instead, we recommend that you configure HA between the two ISE servers. Having a primary and secondary ISE setup will require a posture validation to happen before the clients move to RUN state. If HA is configured, the client is automatically moved to RUN state in the fallback ISE server.
The controller software configured with RADIUS NAC does not support a change of authorization (CoA) on the service port.
Do not swap AAA server indexes in a live network because clients might get disconnected and have to reconnect to the RADIUS server, which might result in log messages to be appended to the ISE server logs.
You must enable AAA override on the WLAN to use RADIUS NAC.
WPA and WPA2 or dot1X must be enabled on the WLAN.
During slow roaming, the client goes through posture validation.
Guest tunneling mobility is supported for ISE NAC–enabled WLANs.
VLAN select is not supported
Workgroup bridges are not supported.
The AP Group over NAC is not supported over RADIUS NAC.
FlexConnect local switching is not supported.
With RADIUS NAC enabled, the RADIUS server overwrite interface is not supported.
Any DHCP communication between client and server. We parse the DHCP profiling only once. This is sent to the ISE server only once.
If the AAA url-redirect-acl and url-redirect attributes are expected from the AAA server, the AAA override feature must be enabled on the controller.
Configuring RADIUS NAC Support (GUI)
Choose the WLANs tab.
Click the WLAN ID of the WLAN for which you want to enable ISE.
The WLANs > Edit page appears.
Click the Advanced tab.
From the NAC State drop-down list, choose Radius NAC:
SNMP NAC—Uses SNMP NAC for the WLAN.
Radius NAC—Uses Radius NAC for the WLAN.
AAA override is automatically enabled when you use RADIUS NAC on a WLAN.