The Cisco Identity Services Engine (ISE) is a next-generation, context-based access control solution that provides the functions of Cisco Secure Access Control System (ACS) and Cisco Network Admission Control (NAC) in one integrated platform.
ISE has been introduced in the 18.104.22.168 release of the Cisco Unified Wireless Network. ISE can be used to provide advanced security for your deployed network. It is an authentication server that you can configure on your controller. When a client associates to the controller on a RADIUS NAC–enabled WLAN, the controller forwards the request to the ISE server.
The ISE server validates the user in the database and on successful authentication, the URL and pre-AUTH ACL are sent to the client. The client then moves to the Posture Required state and is redirected to the URL returned by the ISE server.
The client moves to the Central Web Authentication state if the URL returned by the ISE server contains the keyword 'cwa'.
The NAC agent in the client triggers the posture validation process. On successful posture validation by the ISE server, the client is moved to the run state.
FlexConnect local switching with RADIUS NAC support is added in Release 22.214.171.124. It is not supported in the 7.0 and 7.2 releases. Downgrading from 126.96.36.199 or a later release to a 7.2 or 7.0 release requires you to reconfigure the WLAN for the RADIUS NAC feature to work.
Device registration enables you to authenticate and provision new devices on the WLAN with RADIUS NAC enabled. When the device is registered on the WLAN, it can use the network based on the configured ACL.
Central Web Authentication
In the case of Central Web Authentication (CWA), the web authentication occurs on the ISE server. The web portal on the ISE server presents a login page to the client. Once the credentials are verified on the ISE server, the client is provisioned. The client remains in the POSTURE_REQD state until a CoA is received. The credentials and ACLs are received from the ISE server.
Local Web Authentication
Local web authentication is not supported for RADIUS NAC.
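The client state transitions described above (Access-Accept with url-redirect and pre-auth ACL, the 'cwa' keyword, CoA to RUN, and the retained audit session ID that lets a returning client skip posture before the idle timeout) as an added illustrative model. This is not Cisco controller code; the state names, attribute keys and the Controller class are assumptions of this example.

```python
from dataclasses import dataclass

ASSOCIATED, POSTURE_REQD, CWA, RUN = "ASSOCIATED", "POSTURE_REQD", "CENTRAL_WEB_AUTH", "RUN"

@dataclass
class Client:
    mac: str
    state: str = ASSOCIATED
    audit_session_id: str = ""
    redirect_url: str = ""
    preauth_acl: str = ""

def on_access_accept(client: Client, attrs: dict) -> str:
    """Apply the ISE Access-Accept. Attribute key names are assumptions for this model."""
    client.audit_session_id = attrs.get("audit-session-id", client.audit_session_id)
    client.redirect_url = attrs.get("url-redirect", "")
    client.preauth_acl = attrs.get("url-redirect-acl", "")
    if not client.redirect_url:
        client.state = RUN           # no redirect: ISE granted full access directly
    elif "cwa" in client.redirect_url.lower():
        client.state = CWA           # 'cwa' keyword: web authentication happens on ISE
    else:
        client.state = POSTURE_REQD  # NAC agent posture flow behind the pre-auth ACL
    return client.state

def on_coa(client: Client) -> str:
    """ISE sends a CoA after posture / web auth succeeds; the client moves to RUN."""
    client.state = RUN
    return client.state

class Controller:
    """Constructed model: remembers audit session IDs of clients that left, keyed by MAC."""
    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout
        self.retained: dict = {}     # mac -> (audit_session_id, time the client left)

    def client_left(self, client: Client, now: int) -> None:
        if client.audit_session_id:
            self.retained[client.mac] = (client.audit_session_id, now)

    def client_joined(self, client: Client, now: int) -> bool:
        """True if the retained audit session ID lets the client skip posture validation."""
        entry = self.retained.get(client.mac)
        if entry and now - entry[1] < self.idle_timeout:
            client.audit_session_id, client.state = entry[0], RUN
            return True
        self.retained.pop(client.mac, None)  # idle timeout expired: validate again
        client.state = ASSOCIATED
        return False
```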
This table describes the possible combinations in a typical ISE deployment with Device Registration, CWA and LWA enabled:
Table 1 ISE Network Authentication (table body not recovered from the page; only the fragment "PSK, Static WEP," survives)
Restrictions for RADIUS NAC Support
A RADIUS NAC-enabled WLAN supports Open Authentication and MAC filtering.
RADIUS NAC functionality does not work if the configured accounting server is different from the authentication (ISE) server. You should configure the same server as the authentication and accounting server if ISE functionalities are used. If ISE is used only for ACS functionality, the accounting server need not be the same server.
When clients move from one WLAN to another, the controller retains the client's audit session ID if it returns to the WLAN before the idle timeout occurs. As a result, when clients join the controller before the idle timeout session expires, they are immediately moved to the RUN state. The clients are validated if they reassociate with the controller after the session timeout.
Suppose you have two WLANs, where WLAN1 is configured on one controller (WLC1) and WLAN2 is configured on another controller (WLC2), and both are RADIUS NAC enabled. The client first connects to WLC1 and moves to the RUN state after posture validation. Assume that the client now moves to WLC2. If the client connects back to WLC1 before the PMK for this client expires in WLC1, posture validation is skipped for the client. The client directly moves to the RUN state, bypassing posture validation, because the controller retains the old audit session ID for the client, which is already known to ISE.
When deploying RADIUS NAC in your wireless network, do not configure a primary and secondary ISE server. Instead, we recommend that you configure HA between the two ISE servers. Having a primary and secondary ISE setup requires posture validation to happen before the clients move to the RUN state. If HA is configured, the client is automatically moved to the RUN state on the fallback ISE server.
The controller software configured with RADIUS NAC does not support a change of authorization (CoA) on the service port.
Do not swap AAA server indexes in a live network, because clients might get disconnected and have to reconnect to the RADIUS server, which might result in log messages being appended to the ISE server logs.
You must enable AAA override on the WLAN to use RADIUS NAC.
WPA and WPA2 or dot1X must be enabled on the WLAN.
During slow roaming, the client goes through posture validation.
Guest tunneling mobility is supported for ISE NAC-enabled WLANs.
VLAN select is not supported.
Workgroup bridges are not
The AP Group over NAC is not supported over RADIUS NAC.
FlexConnect local switching is not supported.
With RADIUS NAC enabled, the RADIUS server overwrite interface is not supported.
communication between client and server. We parse the DHCP profiling only once. This is sent to the ISE server only once.
If the AAA url-redirect attributes are expected from the AAA server, the AAA override feature must be enabled on the controller.
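A configuration check over the restrictions listed above, as an added example rather than any controller command or API. The WLAN is modelled as a plain dict; every key name and value is an assumption of this example, and the sample configurations are constructed.

```python
# Layer 2 settings the restrictions above name as supported with RADIUS NAC
# (Open Authentication / MAC filtering, WPA, WPA2, dot1X). Assumed value spellings.
ALLOWED_L2 = {"open", "wpa", "wpa2", "802.1x"}

def lint_radius_nac_wlan(wlan: dict) -> list:
    """Return findings for a WLAN dict; an empty list means no listed restriction is hit."""
    findings = []
    if wlan.get("nac_state") != "radius":
        return findings  # restrictions apply to RADIUS NAC WLANs only (not SNMP NAC)
    if not wlan.get("aaa_override"):
        findings.append("AAA override must be enabled (required for RADIUS NAC and url-redirect attributes)")
    if str(wlan.get("layer2_security", "")).lower() not in ALLOWED_L2:
        findings.append("Layer 2 security %r is not in the supported set" % wlan.get("layer2_security"))
    auth = wlan.get("authentication_servers", [])
    acct = wlan.get("accounting_servers", [])
    # only mandatory when ISE NAC features are used; ISE used purely for ACS may differ
    if wlan.get("ise_nac_features", True) and auth != acct:
        findings.append("accounting server must be the same as the authentication (ISE) server")
    if wlan.get("local_web_auth"):
        findings.append("local web authentication is not supported for RADIUS NAC")
    if wlan.get("flexconnect_local_switching"):
        findings.append("FlexConnect local switching is listed as not supported on this release")
    if wlan.get("vlan_select"):
        findings.append("VLAN select is not supported")
    if wlan.get("radius_server_overwrite_interface"):
        findings.append("RADIUS server overwrite interface is not supported with RADIUS NAC")
    return findings

# Constructed sample WLANs (addresses are placeholders, not real servers).
GOOD_WLAN = {"nac_state": "radius", "aaa_override": True, "layer2_security": "WPA2",
             "authentication_servers": ["10.0.0.10"], "accounting_servers": ["10.0.0.10"]}
BAD_WLAN = {"nac_state": "radius", "aaa_override": False, "layer2_security": "WEP",
            "authentication_servers": ["10.0.0.10"], "accounting_servers": ["10.0.0.20"],
            "local_web_auth": True, "flexconnect_local_switching": True,
            "radius_server_overwrite_interface": True}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_WLAN), ("bad", BAD_WLAN)):
        print(name, lint_radius_nac_wlan(cfg) or "OK")
```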
Configuring RADIUS NAC Support (GUI)
Choose the WLANs tab.
Click the WLAN ID of the WLAN for which you want to enable ISE.
The WLANs > Edit page appears.
Click the Advanced tab.
From the NAC State drop-down list, choose Radius NAC:
SNMP NAC—Uses SNMP NAC for the WLAN.
Radius NAC—Uses Radius NAC for the WLAN.
AAA override is automatically enabled when you use RADIUS NAC on a WLAN.