My last post covered some of the bring-your-own-device (BYOD) issues companies are facing and how to use Cisco’s Identity Services Engine (ISE) to help define access restrictions, while still providing users a good experience. I also went through and demonstrated how this segmentation worked and how it was enforced on the wireless LAN controller (WLC).

As a reminder this is our example policy.

Device Type






Company Computer




Inside 582

Company Mobile




Inside 582


Employee Device




Guest 583

In this post, I am going to cover how to configure the WLC and ISE to enforce these policies. Let’s get started!

Wireless LAN Controller Configuration

On the WLC, we will configure the radius server(s), access control lists, and the SSID that the user will connect to.

Radius Server(s)

1. From the WLC GUI go to Security->AAA->RADIUS->Authentication

2. Select New


3. From the WLC GUI go to Security->AAA->RADIUS->Accounting

4. Select New

5. Enter the IP Address of ISE



1. From the WLC GUI go to Security->Access Control Lists->Access Control Lists

2. Select New

3. Enter the desired name

Take note of this name as it will be needed to set up the ISE policy.


4. Select Apply

5. Now Select the Access-list that was just created

6. Enter the set of rules needed to provide the correct permissions


Let’s take some time to explain these rules.

Outbound means leaving the controller going toward the client. Inbound means coming into the controller from the client.

  1. Permit Any traffic – Outbound (same default action as a switch)
  2. Allow UDP DNS traffic to the internal DNS Server – Inbound
  3. Allow Any traffic to our ISE Server – Inbound
  4. Allow HTTPS to our Exchange OWA Server – Inbound
  5. Allow HTTP to our Exchange OWA Server – Inbound
  6. Deny Any to – Inbound
  7. Deny Any to – Inbound
  8. Deny Any to – Inbound
  9. Permit Any to Any – Inbound

In summary, this access-list is allowing access to DNS, ISE and OWA, then blocking all private address space and then allowing access to everything. In effect, it’s blocking access to the internal network (assuming it is all private addresses) but allowing the device to go anywhere on the Internet.

SSID Settings

1. From the WLC GUI go to WLANS
2. Either Create a new SSID or modify an existing one
Note: If you are editing an existing SSID, changes will disconnect devices.


3. Now under the SSID’s Security tab and enter the desired Layer 2 security settings


4. Now under the SSID’s Security, AAA Servers select your ISE Server(s)


5. Select Allow AAA Override and set NAC State to Radius NAC
These settings allow ISE to change the session information based on the policy match.


 6. Click Apply to Save the changes

Before we move to ISE, let’s recap what has been configured.

1. ISE has been added into the WLC as a AAA server
2. The INET_Exchange access-list is staged on the controller with the desired access policy
3. The SSID has been set up for 802.1X authentication and ISE is allowed to change the session access privileges on-the-fly

Identity Services Engine Configuration

In ISE, we will be adding the WLC, configuring the identity sources, defining our user permissions, and lastly, setting up the authentication and authorization policies.

Network Access Devices

1. Add the WLC into ISE by going to Administration->Network Resources->Network Devices.

2. Select Add

3. Enter at a minimum the Name, Management Interface IP Address, and the RADIUS Shared Secret


4. Select Save


Certificate Authority (CA)

1. Add the Trusted Certificate Authority for your user Certificates Administration->Certificates->Certificate Store

2. Select Import

3. Browse to the Public key file for your CA

4. Select Trust for client authentication or Secure Syslog services



5. Submit

 Active Directory

1. To add ISE to Active Directory go to,  Administration->Identity Management->External Identity Sources->Active Directory

2. Enter your Domain Name

3. Give the Identity Store a friendly name in the Identity Store Name

4. Select the ISE server(s) in your deployment

5. Select Join and Enter a username and password combination with privileges to join a computer to the domain, select OK



6. Once joined, your server(s) should show a  Connected To:

Blog_CISCOISE_127. To Map Groups from Active Directory, select Groups

8. Select Add, Select Groups from the Directory

9. Search for your desired AD Groups and select them and select OK


10. Select Save Configuration

11. Your mapped groups will look something like the below image


 Certificate Authentication Profile

12. Add a Certificate Authentication Administration->Identity Management->Certificate Authentication Profile

13. Add

14. Enter a Name and select where you will find the AD ID of your users


15. Select Save

 Authentication Policy

1. Policy->Authentication Policy
2. Insert a new Policy that has the following settings

+++A. Match on Wireless_802.1X
B.  If EAP-TLS, use the Certificate Identity Store that was created
+++C. If Default, use the Active Directory Identity Store



3. Click Save

Authorization Profiles

These can be created while creating the authorization policy, but I prefer to stage them ahead of time.

2. Navigate to the authorization profiles Policy->Policy Elements->Results
Then Authorization->Authorization Profiles


3. Select Add

4. Enter a Name for the BYOD permission and the guest VLAN ID


5. Scroll down and select Save

6. Repeat for the other Computer Policy. Note: If the VLAN on the controller and the desired VLAN is the same, it is not required to be set here


7. Repeat for the Mobile Device Policy, defining the access-list we set up on the WLC


Authorization Policy

1. Insert a new authorization policy Policy->Authorization Policy

2. Add a new policy for PEAP-BYOD matching PEAP (EAP-MSCHAPv2) and Domain Users with the Permission of the BYOD Profile


3. Repeat for the Mobile Policy matching EAP-TLS and Domain User defining your Mobile Device Permission


4. Repeat for the Computer Policy matching EAP-TLS and Domain Computer defining your Computer Permission


When you are finished, your policy should look something like this.


For a cleaner looking policy:setup conditions


ISE Recap

We walked through a bare minimum ISE configuration. This will allow the WLC to authenticate the device to either Active Directory or use the certificate it was issued from the company certificate authority. When the device connects, we will also be able to take the information available to define a precise policy to get the user the permission that was defined by the security policy.


As you have seen, ISE is highly customizable and can be complicated at times. But with the right knowledge and set of skills, it can be your Swiss Army knife of network access tools. It allows you to craft an access policy that is unique for your requirements. I hope this information gets you thinking about your network access polices and offers ideas for using these tools to help mitigate organizational risk.



Leave a Reply