Professional Documents
Culture Documents
GC EN Team
Hui Chen
2019/11/02
ISE AAA RADIUS Overview
How to integrate an existing third-party (non-Cisco) RADIUS solution with the SD-Access architecture, so that the advanced segmentation feature of Cisco DNA Center 1.3.1 (TrustSec SGT) can still be used.
Software Version
1. DNAC 1.3.1
3. Freeradius on Ubuntu
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE AAA RADIUS Overview
[Diagram: DNAC, ISE and ASA; steps 1-3: 802.1x/MAB authentication, Access-Accept with Cisco AV-pair cts:security-group-tag-0001-01 plus VLAN ID, and Policy Request / Policy Download; the SGT is applied to the flow SRC 10.1.10.220 -> DST 10.1.100.52]
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Connection Overview
5. The edge switch enforces the policy and decides whether to drop the traffic or forward it to the external network.
Configuration Overview——Freeradius
Install FreeRADIUS on Ubuntu:
sudo apt-get install freeradius
Edit the client entry for the switch that will authenticate against this server:
sudo vim /etc/freeradius/3.0/clients.conf
Add the following (FreeRADIUS configuration comments start with #):
client 10.10.254.161 {
    proto = *
    secret = C1sco@123              # shared secret used to authenticate the NAS
    shortname = Site3-Border-Edge   # switch name
    ipv4addr = 10.10.254.161        # the switch's Loopback0 address
}
Restart the RADIUS service:
sudo systemctl restart freeradius
SGT tag ID mapping
Cisco-AVPair = "cts:security-group-tag=0010-00"   # tag information returned to the switch
0010-00 corresponds to tag 16 (Campus): 0010 is the SGT value written as four hexadecimal digits, and the ID value of each tag can be checked on the switch with a command.
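Added example, not part of the original deck: a small Python helper that encodes a decimal SGT into the cts:security-group-tag AV-pair format shown above, decodes the value seen in a capture back to the switch's decimal ID, and renders a FreeRADIUS users entry that returns a VLAN and SGT together. The identity, password and VLAN in the sample are constructed placeholders.

```python
import re

# Shape of the Cisco AV-pair returned in the RADIUS Access-Accept, as used on
# this page: "cts:security-group-tag=XXXX-YY", where XXXX is the SGT value as
# four hex digits (0010 -> SGT 16 "Campus") and YY is the two-hex-digit
# generation ID that follows the dash.
AVPAIR_RE = re.compile(r"^cts:security-group-tag=([0-9A-Fa-f]{4})-([0-9A-Fa-f]{2})$")


def sgt_avpair(sgt: int, generation: int = 0) -> str:
    """Encode a decimal SGT (the ID the switch displays) into the AV-pair string."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError(f"SGT {sgt} does not fit in 16 bits")
    if not 0 <= generation <= 0xFF:
        raise ValueError(f"generation {generation} does not fit in 8 bits")
    return f"cts:security-group-tag={sgt:04X}-{generation:02X}"


def parse_sgt_avpair(value: str) -> tuple:
    """Decode an AV-pair seen in a capture back into (sgt, generation).

    Raises ValueError for anything that is not exactly four+two hex digits,
    e.g. a decimal "16-00" typed by mistake, which does not match the format."""
    m = AVPAIR_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a cts:security-group-tag AV-pair: {value!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


def is_valid_sgt_avpair(value: str) -> bool:
    """True when the string parses; useful for checking a users file before restart."""
    try:
        parse_sgt_avpair(value)
        return True
    except ValueError:
        return False


def users_entry(identity: str, password: str, vlan: int, sgt: int, generation: int = 0) -> str:
    """Render a FreeRADIUS 'users' entry that returns a VLAN and an SGT together.

    The Tunnel-* attributes are the RFC 2868 way of assigning a VLAN; the
    Cisco-AVPair carries the SGT exactly as in the deck's example."""
    return "\n".join([
        f'{identity}\tCleartext-Password := "{password}"',
        "\tTunnel-Type = VLAN,",
        "\tTunnel-Medium-Type = IEEE-802,",
        f'\tTunnel-Private-Group-Id = "{vlan}",',
        f'\tCisco-AVPair = "{sgt_avpair(sgt, generation)}"',
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample values: user "campus-user1", VLAN 100, SGT 16 (Campus).
    print(users_entry("campus-user1", "placeholder-pw", 100, 16))
```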
Configuration Overview——DNAC
DNAC still references ISE as its RADIUS server, because the switch's SGT database still has to be pushed down through ISE.
Design --> Network Settings --> <Site Name>: configure ISE as the AAA server.
Push the RADIUS configuration to the switches through an associated, modified Day-N template: change the default RADIUS authentication server to point at the third-party RADIUS server, then provision.
Template script (replace <thirdparty IP> and <secret> with the FreeRADIUS IP and its shared secret):
aaa group server radius thirdparty
 server name thirdparty
 ip radius source-interface Loopback0
aaa authentication dot1x default group thirdparty
aaa authorization network default group thirdparty
aaa accounting identity default start-stop broadcast group dnac-client-radius-group group thirdparty
aaa accounting network default start-stop group dnac-client-radius-group group thirdparty
aaa server radius dynamic-author
 client <thirdparty IP> server-key 0 <secret>
ip radius source-interface Loopback0
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 5 tries 3
radius-server deadtime 3
radius server thirdparty
 address ipv4 <thirdparty IP> auth-port 1812 acct-port 1813
 key 0 <secret>
 timeout 4
 retransmit 3
Verification
In a packet capture on the FreeRADIUS host, the Access-Accept sent to the switch carries the authorized VLAN and the SGT tag information.
On the switch port, the VLAN and SGT obtained through authorization are visible.
Configuration For Wireless Controller
Edit the client entry for the wireless controller that will authenticate against this server:
sudo vim /etc/freeradius/3.0/clients.conf
Add the following:
client 10.10.1.4 {
    proto = *
    secret = C1sco@123       # shared secret used to authenticate the NAS
    shortname = Site1-WLC    # WLC name
    ipv4addr = 10.10.1.4     # WLC address
}
Restart the RADIUS service:
sudo systemctl restart freeradius
Verification
On the wireless controller, check the wireless client's authentication information.
Verification
On the switch, check the wireless client's authentication information.
Reference
• More details can be found at:
  Group-Based Access Control Policy in Cisco DNA Center
  https://salesconnect.cisco.com/open.html?c=cbf45a8f-aac7-4f01-b3a7-7d134f0b339e
  How to use Group-Based Policies with 3rd Party RADIUS using Cisco DNA Center
  https://community.cisco.com/t5/networking-documents/how-to-use-group-based-policies-with-3rd-party-radius-using/ta-p/3930041
Thank you