Cisco Identity Services Engine (ISE) RADIUS Server Configuration

Cisco Identity Services Engine (ISE) can act as a RADIUS server. The RADIUS protocol is used to authenticate and authorize users when they connect to the network, whether over a wired or a wireless connection.

The network switches or wireless controllers must be configured so that they authenticate and authorize each user against Cisco ISE.

Authentication and authorization flow with Cisco ISE RADIUS server

This section explains, packet by packet, the exchange between Cisco ISE acting as the RADIUS server, the RADIUS client (switch or wireless controller), and the user machine.


Step-by-step, packet-level explanation of the flow:

1> As soon as a user connects to a switch port where 802.1X is configured, the switch sends an EAPOL frame to the machine requesting its identity (EAP Request/Identity; a supplicant may also kick this off with an EAPOL-Start). Between the switch and the user machine, EAP is the protocol used for this communication.

2> When the machine receives the packet and 802.1X is enabled on it, it responds with an EAP Response/Identity.

3> On receiving that response, the switch starts a RADIUS conversation with Cisco ISE and sends an Access-Request: the EAP response from the user machine is encapsulated in the RADIUS packet (as an EAP-Message attribute) and forwarded to Cisco ISE.

4> Cisco ISE responds with an Access-Challenge, asking the switch to find out which authentication protocol the end user machine supports.

5> The switch acts as an intermediary and relays this information to the end machine over EAP.

6> A few more packets are exchanged in the same way, and a TLS tunnel is negotiated between the user machine and Cisco ISE. Make sure the signer of the Cisco ISE EAP certificate is trusted by the end user machine.

7> Cisco ISE validates the credentials or certificate presented by the end user machine during authentication against its local database, Active Directory, or a CA server. If validation succeeds, Cisco ISE permits the connection by sending an Access-Accept; if it fails, Cisco ISE denies the connection by sending an Access-Reject.

8> When the switch receives the final response from Cisco ISE, it relays the result to the end machine and reports the authentication status: the switch sends an EAP Success or an EAP Failure to the end machine.

9> The switch sends an Accounting-Start to Cisco ISE. Through accounting, Cisco ISE records when the user connected, on which switch port, which IP address the user obtained, and many other details. ISE also tracks license consumption from this accounting data.

10> When the user disconnects the laptop from the switch port, an Accounting-Stop is sent and ISE releases the license consumed by that machine.
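The following is an added example, not code from the original post or from Cisco: it models steps 3 and 7 of the flow above at the packet level, showing how the switch wraps the supplicant's EAP Response/Identity into a RADIUS Access-Request protected by a Message-Authenticator (RFC 3579), and how the reply's Response Authenticator is derived from the shared secret (RFC 2865). The identities, packet IDs and the shared secret are constructed lab values; the server-side decision is a toy stand-in for the EAP method negotiation ISE actually performs.

```python
"""Added example, not code from the original post: a minimal RADIUS exchange
for EAP over RADIUS (RFC 2865 packet format, RFC 3579 EAP-Message and
Message-Authenticator). All identities, IDs and the secret are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 61, 79, 80
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_TYPE_IDENTITY = 2, 3, 4, 1
NAS_PORT_TYPE_ETHERNET = 15
SHARED_SECRET = b"cisco"  # constructed: the weak lab key used in the post's switch config


def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long; it must be fragmented")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(identity, eap_id=1):
    """EAP Response/Identity, the frame the supplicant sends in step 2."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def message_authenticator(header, request_auth, attrs, secret):
    """HMAC-MD5 over the packet with a zeroed Message-Authenticator appended (RFC 3579 3.2).
    Replies are keyed with the Request Authenticator of the request they answer."""
    return hmac.new(secret, header + request_auth + attrs + tlv(ATTR_MSG_AUTH, bytes(16)), hashlib.md5).digest()


def build_access_request(identity, eap, pkt_id, secret):
    """Step 3: the switch encapsulates the EAP response into an Access-Request."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator for every request
    attrs = (tlv(ATTR_USER_NAME, identity)
             + tlv(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + tlv(ATTR_EAP_MESSAGE, eap))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs) + 18)
    return header + request_auth + attrs + tlv(ATTR_MSG_AUTH, message_authenticator(header, request_auth, attrs, secret))


def attributes(packet):
    """Yield (offset, type, value) for each attribute; malformed lengths are rejected."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        out.append((pos, packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return out


def verify_message_authenticator(packet, request_auth, secret):
    """Recompute the HMAC with the field zeroed; an EAP packet without it is dropped."""
    for pos, attr_type, value in attributes(packet):
        if attr_type == ATTR_MSG_AUTH and len(value) == 16:
            zeroed = packet[:4] + request_auth + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False


def build_reply(code, request, eap, secret):
    """Step 7: Access-Accept/Reject carrying EAP Success/Failure.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    request_auth = request[4:20]
    attrs = tlv(ATTR_EAP_MESSAGE, eap)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs) + 18)
    attrs += tlv(ATTR_MSG_AUTH, message_authenticator(header, request_auth, attrs, secret))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def server_decide(request, secret, known_users):
    """Toy ISE side: discard requests with a bad Message-Authenticator, accept known identities.
    Real ISE goes through Access-Challenge and an EAP method (e.g. PEAP) before deciding."""
    if not verify_message_authenticator(request, request[4:20], secret):
        raise ValueError("bad Message-Authenticator: packet silently discarded")
    identity = next((v for _, t, v in attributes(request) if t == ATTR_USER_NAME), b"")
    eap_id = next((v for _, t, v in attributes(request) if t == ATTR_EAP_MESSAGE), b"\x00\x00")[1]
    if identity in known_users:
        return build_reply(ACCESS_ACCEPT, request, struct.pack("!BBH", EAP_SUCCESS, eap_id, 4), secret)
    return build_reply(ACCESS_REJECT, request, struct.pack("!BBH", EAP_FAILURE, eap_id, 4), secret)


def verify_reply(request, reply, secret):
    """Step 8 precondition: the switch trusts a reply only if its ID matches the outstanding
    request and both authenticators verify under the shared secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected) and verify_message_authenticator(reply, request[4:20], secret)


if __name__ == "__main__":
    req = build_access_request(b"LAB\\alice", eap_response_identity(b"LAB\\alice"), 0x1E, SHARED_SECRET)
    rep = server_decide(req, SHARED_SECRET, {b"LAB\\alice"})
    print("reply code:", rep[0], "accepted by switch:", verify_reply(req, rep, SHARED_SECRET))
```

Two details worth noticing: a one-bit change anywhere in the request makes the server discard it, and a reply computed with a different secret fails on the switch even though it carries the right packet ID. That is exactly why the shared secret in the switch configuration must be long and unique per switch, not the lab value used here.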

To make the above flow work, we need to configure Cisco ISE, the switch, and the end user machine.

Switch configuration for 802.1X authentication of users against Cisco ISE RADIUS:

! Enable AAA on the switch
aaa new-model

! RADIUS server 1. Use a strong shared secret; in this example the key is
! deliberately kept as "cisco" for readability ("key 0" stores it in cleartext)
radius server Radius_Server_IP_1
 address ipv4 10.16.3.1 auth-port 1812 acct-port 1813
 key 0 cisco

! RADIUS server 2 (optional, but needed for redundancy)
radius server Radius_Server_IP_2
 address ipv4 10.17.1.8 auth-port 1812 acct-port 1813
 key 0 cisco

! Group the RADIUS servers into a single server group
aaa group server radius Radius_Server_Group
 server name Radius_Server_IP_1
 server name Radius_Server_IP_2

! Enable 802.1X globally on the switch
dot1x system-auth-control

! Authenticate and authorize users for network access against the group created above
aaa authentication dot1x default group Radius_Server_Group
aaa authorization network default group Radius_Server_Group

! Send vendor-specific attributes (VSAs) in accounting and authentication
radius-server vsa send accounting
radius-server vsa send authentication

! Include additional attributes in the requests sent to ISE
! (6 Service-Type, 8 Framed-IP-Address, 32 NAS-Identifier, 25 Class)
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include

! Send start/stop accounting records, and interim updates only when there is new information
aaa accounting update newinfo
aaa accounting dot1x default start-stop group Radius_Server_Group

! Accept Change of Authorization (CoA) requests from ISE. The client addresses must be
! the ISE nodes that issue CoA, and the server-key must match what is configured on ISE
aaa server radius dynamic-author
 client 10.16.37.1 server-key cisco
 client 10.17.1.88 server-key cisco

! Interface configuration: apply to every access port where 802.1X authentication
! is wanted, but not to trunk ports
interface GigabitEthernet2/0/18
 switchport access vlan 16
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
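As an added example (not part of the original post, and not a Cisco tool), the script below audits an IOS configuration for the settings configured above: the global AAA and 802.1X commands, cleartext shared secrets that are weak or short, and access ports that are missing the per-port 802.1X commands while trunk ports are ignored. SAMPLE_CONFIG is constructed from the post's switch configuration with one extra access port (GigabitEthernet2/0/19) that never received the 802.1X commands; the minimum secret length and the weak-secret list are assumed local policy, not IOS limits.

```python
"""Added example, not from the original post: audit an IOS configuration for
the 802.1X/RADIUS settings described above. SAMPLE_CONFIG is constructed from
the post's configuration plus one non-compliant access port; MIN_SECRET_LEN and
WEAK_SECRETS are an assumed local policy."""
import re

SAMPLE_CONFIG = """\
aaa new-model
radius server Radius_Server_IP_1
 address ipv4 10.16.3.1 auth-port 1812 acct-port 1813
 key 0 cisco
radius server Radius_Server_IP_2
 address ipv4 10.17.1.8 auth-port 1812 acct-port 1813
 key 0 cisco
aaa group server radius Radius_Server_Group
 server name Radius_Server_IP_1
 server name Radius_Server_IP_2
dot1x system-auth-control
aaa authentication dot1x default group Radius_Server_Group
aaa authorization network default group Radius_Server_Group
aaa accounting dot1x default start-stop group Radius_Server_Group
aaa server radius dynamic-author
 client 10.16.37.1 server-key cisco
 client 10.17.1.88 server-key cisco
interface GigabitEthernet2/0/18
 switchport access vlan 16
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet2/0/19
 switchport access vlan 16
 switchport mode access
interface GigabitEthernet1/1/1
 switchport mode trunk
"""

# Global commands every 802.1X switch needs (prefix match, so the group name may differ)
GLOBAL_REQUIRED = (
    "aaa new-model",
    "dot1x system-auth-control",
    "aaa authentication dot1x default group",
    "aaa authorization network default group",
    "aaa accounting dot1x default start-stop group",
)
# Per access-port commands; trunk ports are deliberately not checked
PORT_REQUIRED = ("authentication port-control auto", "dot1x pae authenticator")
MIN_SECRET_LEN = 16  # assumed local policy
WEAK_SECRETS = {"cisco", "radius", "secret", "password"}  # constructed deny-list
# Matches cleartext "key 0 X" / "key X" / "server-key X"; encrypted type 6/7 keys do not match
KEY_RE = re.compile(r"(?:^key(?: 0)?|server-key)\s+(\S+)$")


def parse_sections(config):
    """Return (top-level lines, {parent line: [indented child lines]})."""
    top, children, parent = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and parent is not None:
            children[parent].append(raw.strip())
        elif not raw.startswith(" "):
            parent = raw.strip()
            top.append(parent)
            children.setdefault(parent, [])
    return top, children


def audit(config):
    """Return findings as 'scope: problem' strings; an empty list means compliant."""
    top, children = parse_sections(config)
    findings = []
    for needed in GLOBAL_REQUIRED:
        if not any(line.startswith(needed) for line in top):
            findings.append(f"global: missing '{needed}'")
    for parent, lines in children.items():
        if parent.startswith("radius server ") or parent == "aaa server radius dynamic-author":
            if parent.startswith("radius server ") and not any(l.startswith("key") for l in lines):
                findings.append(f"{parent}: no shared secret configured")
            for key in (m.group(1) for m in map(KEY_RE.search, lines) if m):
                if key.lower() in WEAK_SECRETS or len(key) < MIN_SECRET_LEN:
                    findings.append(f"{parent}: weak shared secret '{key}'")
        elif parent.startswith("interface ") and "switchport mode access" in lines:
            for needed in PORT_REQUIRED:
                if needed not in lines:
                    findings.append(f"{parent}: missing '{needed}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the four cleartext "cisco" secrets and the two missing commands on GigabitEthernet2/0/19, and nothing for the compliant port or the trunk. Feeding it the output of `show running-config` from each switch is a cheap way to catch access ports that were left open while the rest of the deployment is in place.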
Windows machine configuration for 802.1X authentication

Step 1> Enable the Wired AutoConfig (dot1x) service on the PC. Go to Run, type services.msc and press Enter.

Double-click Wired AutoConfig and, on the General tab, change the startup type to Automatic; click Apply, then OK.


Step 2> Configure the interface for dot1x authentication. Go to Run, type ncpa.cpl and press Enter.


Right-click the wired NIC and click Properties.


An Authentication tab now appears. Select Enable IEEE 802.1X authentication.


Click Settings next to the authentication method. Untick Validate server certificate only if the Cisco ISE EAP certificate is not trusted by the endpoint (for example a self-signed lab certificate). If the certificate is signed by a public CA or by an internal CA that the endpoint trusts, leave it selected: server certificate validation is what stops the supplicant from handing its credentials to a RADIUS server other than ISE.

Select EAP-MSCHAP v2 as the authentication method, click Configure, and select Automatically use my Windows logon name and password.

Click OK, then click Additional Settings and select User authentication.

Cisco ISE configuration

Step 1> Add the switch on ISE as a network device: specify the IP address from which the switch's RADIUS requests will reach ISE.

Step 2> Ensure ISE is joined to Active Directory. See the separate post on joining ISE to Active Directory.

Step 3> Create a new policy under Policy Sets. Under Conditions select Wired_802.1X, and under Allowed Protocols select Default Network Access.

A policy for a specific switch can be created by entering that switch's IP address in the condition.

Step 4> Click the symbol next to the gear icon and, under the authentication policy, select the Active Directory join point name as the identity source.

Step 5> Create a new authorization policy: add the group from the domain controller that was selected when joining ISE to Active Directory, and under Authorization Profile select PermitAccess.

Below is what we have configured in the above steps.

Verification on Cisco ISE:

Under Operations > RADIUS > Live Logs we can see the latest authentication logs. We can also search for the user machine's MAC address in the Endpoint ID column. Clicking the details icon shows the full authentication report.

Verification on Switch:

3700-2#show auth se int G2/0/18
            Interface:  GigabitEthernet2/0/18
          MAC Address:  b496.9126.e632
           IP Address:  10.16.7.3
            User-Name:  CLICKSOLUTION\pankaj
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A12120200001029353D0425
      Acct Session ID:  0x00001ED8
               Handle:  0x9E000032

Runnable methods list:
       Method   State
       dot1x    Authc Success
