network_stuff:cisco:ise

Differences

This shows you the differences between two versions of the page.

network_stuff:cisco:ise [2025/01/17 17:46] jotasandokunetwork_stuff:cisco:ise [2025/01/22 10:16] (current) jotasandoku
Line 106: Line 106:
   * Multiple policy sets in ISE allow flexibility   * Multiple policy sets in ISE allow flexibility
  
-=== wireless ===+Commands:  
 +  show vlans 
 +  show authentication sessions 
 +  show dot1x all summary
  
-{{:network_stuff:cisco:8021x-wireless.png?600|}} +=== wireless ===
-When 802.1x is used in wireless, every client (supplicant) uses a different WPA key for encrypting the traffic over the air. It is derived from the user's credentials and the shared secret between the client and the authentication server. So it's unique for every client.+
  
-The AP connects to the access switches via an access port ( management VLAN, used for AP<>WLC comms and AP discovery/configuration). Trunk port is not required because wifi traffic is encapsulated in CAPWAP and sent to the WLC. All segmentattion and tagging happens inside the CAPWAP tunnel.+{{:network_stuff:cisco:8021x-wireless.png?700|}}
  
-Steps: 
  
-Client (supplicant) sends a special EAP request to the AP (EAPoL). +  * When 802.1x is used in wireless, every client (supplicant) uses a different WPA key for encrypting the traffic over the air. It is derived from the user's credentials and the shared secret between the client and the authentication server. So it's unique for every client. 
-EAPoL message is encapsulated in the CAPWAP protocol so it can reach the WLC. +  * The AP connects to the access switches via an access port ( management VLAN, used for AP<>WLC comms and AP discovery/configuration). Trunk port is not required because wifi traffic is encapsulated in CAPWAP and sent to the WLC. All segmentation and tagging happens inside the CAPWAP tunnel. 
-WLC forwards the EAP message to the ISE server encapsulated in a RADIUS packet. +  * Steps:  
-ISE (Radius) checks AD and, if positive, replies with a RADIUS Access_Accept packet. There are normall also attibutes like VLAN, ACL, etc.  +    * Client (supplicant) sends a special EAP request to the AP (EAPoL). 
-Now the WLC does two things: +    EAPoL message is encapsulated in the CAPWAP protocol so it can reach the WLC. 
- Moves this session to an specific VLAN (eg: user in prod SSID goes to VLAN PROD) +    WLC forwards the EAP message to the ISE server encapsulated in a RADIUS packet. 
- Derives a unique WPA key for this client (supplicant) and sends it to the AP +    ISE (Radius) checks AD and, if positive, replies with a RADIUS Access_Accept packet. There are normal also attributes like VLAN, ACL, etc.  
- +    Now the WLC does two things: 
 +    Moves this session to an specific VLAN (eg: user in prod SSID goes to VLAN PROD) 
 +    Derives a unique WPA key for this client (supplicant) and sends it to the AP
  
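Review bot: the new revision loses the list markers on most of the 802.1x sub-steps: only `    * Client (supplicant) sends a special EAP request to the AP (EAPoL).` keeps its `*`, while the lines from `    EAPoL message is encapsulated in the CAPWAP protocol so it can reach the WLC.` down to `    Derives a unique WPA key for this client (supplicant) and sends it to the AP` are indented without one, so DokuWiki will treat them as a preformatted block (the same rendering the indented `Commands:` lines above rely on) instead of nested list items. Add `* ` to each of those lines, and consider nesting the two WLC actions one level deeper under `Now the WLC does two things:` so the order of operations reads as the old `Steps:` version did. Two typos also survive the rewrite: `There are normal also attributes` should read `There are normally also attributes`, and `an specific VLAN` should read `a specific VLAN`. Finally, the new `Commands:` block lists `show vlans`, `show authentication sessions` and `show dot1x all summary` with no indication of which device they are meant to be run on or what to look for in the output; a short line tying them to the verification of the flow described below would make the block usable.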
network_stuff/cisco/ise.1737135969.txt.gz · Last modified: by jotasandoku