network_stuff:cisco:ise
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| network_stuff:cisco:ise [2023/11/02 14:38] – external edit 127.0.0.1 | network_stuff:cisco:ise [2025/01/22 10:16] (current) – jotasandoku | ||
|---|---|---|---|
| Line 91: | Line 91: | ||
| show disks | show disks | ||
| show application status ise # application server must be in ' | show application status ise # application server must be in ' | ||
| - | | + | |
| + | ==== 802.1x ==== | ||
| + | === wired === | ||
| + | |||
| + | {{: | ||
| + | |||
| + | * End users receive local VLAN after authentication and authorization via 801.1x supplicant. | ||
| + | * EAP-TLS is used for mutual authentication between the supplicant and the ISE (Radius) server + AD as a database. | ||
| + | * Supplicant sends the certificate in EAPoL (encapsulated in EAPoL) | ||
| + | * The access switch acts as an authentication capturing the user identity (certificate, | ||
| + | * The switch relays the attributes to via EAP (encapsulated in RADIUS messages) to ISE (RADIUS server) | ||
| + | * ISE authenticates and authorize the user-based after consulting the database (AD (via LDAP)) | ||
| + | * ISE sends RADIUS access-accept message with an encapsulated EAP-success message. Also contains things like: radius vlan-id attribute and authorization options like dACLs | ||
| + | * Multiple policy sets in ISE allow flexibility | ||
| + | |||
| + | Commands: | ||
| + | show vlans | ||
| + | show authentication sessions | ||
| + | show dot1x all summary | ||
| + | |||
| + | === wireless === | ||
| + | |||
| + | {{: | ||
| + | |||
| + | |||
| + | * When 802.1x is used in wireless, every client (supplicant) uses a different WPA key for encrypting the traffic over the air. It is derived from the user's credentials and the shared secret between the client and the authentication server. So it's unique for every client. | ||
| + | * The AP connects to the access switches via an access port ( management VLAN, used for AP<> | ||
| + | * Steps: | ||
| + | * Client (supplicant) sends a special EAP request to the AP (EAPoL). | ||
| + | * EAPoL message is encapsulated in the CAPWAP protocol so it can reach the WLC. | ||
| + | * WLC forwards the EAP message to the ISE server encapsulated in a RADIUS packet. | ||
| + | * ISE (Radius) checks AD and, if positive, replies with a RADIUS Access_Accept packet. There are normal also attributes like VLAN, ACL, etc. | ||
| + | * Now the WLC does two things: | ||
| + | * Moves this session to an specific VLAN (eg: user in prod SSID goes to VLAN PROD) | ||
| + | * Derives a unique WPA key for this client (supplicant) and sends it to the AP | ||
network_stuff/cisco/ise.1698935895.txt.gz · Last modified: by 127.0.0.1
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
