03-13-2018 10:43 AM - edited 03-13-2018 10:44 AM
Hi, we are planning to integrate an Aruba 7010 with Cisco ISE.
Our requirement is that once users connect to the SSID they should be redirected to ISE for authentication, where they need to give their Active Directory user name and password. Once successfully authenticated, the user needs to get internet/network access.
Kindly help me to clarify the following:
1. How is the ISE server added as an authentication server (normal RADIUS server or RFC-3576 RADIUS server)?
2. Once authenticated and having network access, how can users be assigned different permissions (access privileges)? For example, IT department users (Active Directory IT OU users/groups) should be able to manage the wireless controller, but users from other departments (Active Directory other OUs/normal users) do not need controller management privileges (they only need network/internet access).
3. Is it necessary to configure a captive portal for user authentication with ISE (I think yes, it is required, and it is an external captive portal)? How is an external captive portal configured?
4. Could you please share a step-by-step configuration for the ISE integration and for achieving our requirement?
03-13-2018 12:46 PM
I am currently working on an ISE project with Aruba wireless. From what you are describing, you may want to look into onboarding / BYOD. That user flow has the user log into an onboarding portal and then install profiles on their devices that configure the network settings. From there the user would connect to another SSID (or the same one, depending on configuration) and use dot1x. You can assign different access rights using user roles that are passed back in the RADIUS accept message.
1. You should configure both, especially if you are using portals. ISE uses CoA to change authorization after the user has authenticated through the portal. CoA can also be used manually or through other flows if you want to remove a device from the network.
2. Integrate ISE with AD. You can then create policies that reference AD groups or other attributes and assign user roles on the controller that match the access requirements.
3. You can use either a single-SSID or a dual-SSID configuration. With a single SSID, the user would connect to the SSID using PEAP and then get redirected to an onboarding page where a specific profile is installed. The profile installed can be determined by the username and AD group. In a dual-SSID configuration you would have an open SSID that redirects to a BYOD portal that the user can log into. From there they would install a profile and then re-connect to the other, secured SSID.
4. This can be a fairly complicated setup and I can't provide a step-by-step on how to do it. I'm also learning my way through it. I would suggest you start by reading the Cisco documentation and visiting the ISE community forum. They have a lot of great information there, including how to integrate with Aruba. Here are some links:
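As an added illustration that is not part of either post above, here is an ArubaOS CLI sketch of the controller side of what the reply describes: ISE defined both as a RADIUS authentication server and as an RFC 3576 (CoA) server, a dot1x AAA profile using it, and two local user roles that ISE selects by AD group through the Aruba-User-Role VSA. The IP address, shared secret, server, role and ACL names are assumed placeholders, not values from the thread.

```text
! --- Cisco ISE policy node as a RADIUS authentication server (assumed IP, placeholder secret)
aaa authentication-server radius ISE-PSN1
  host 10.10.10.21
  key <shared-secret-placeholder>
  nas-identifier ARUBA-7010
!
! --- The same ISE node as an RFC 3576 (CoA) server; ISE sends CoA after portal
!     authentication, so the secret must match the RADIUS one and the port must
!     be what the controller listens on (UDP 3799 by default)
aaa rfc-3576-server 10.10.10.21
  key <shared-secret-placeholder>
!
! --- Server group: ISE returns the Aruba-User-Role VSA (vendor 14823, attribute 1)
!     in the Access-Accept; this derivation rule applies its value as the local role
aaa server-group ISE-SG
  auth-server ISE-PSN1
  set role condition Aruba-User-Role value-of
!
! --- Session ACL for non-IT staff (assumed): internet only, no internal subnets
ip access-list session INTERNET-ONLY
  user network 10.0.0.0 255.0.0.0 any deny
  any any any permit
!
! --- Local roles whose names the ISE authorization profiles return (assumed names)
user-role IT-STAFF
  access-list session allowall
!
user-role STAFF-INTERNET
  access-list session INTERNET-ONLY
!
! --- AAA profile bound to the SSID: 802.1X against ISE, CoA enabled, accounting on
aaa profile ISE-DOT1X
  initial-role logon
  authentication-dot1x default
  dot1x-server-group ISE-SG
  radius-accounting ISE-SG
  radius-interim-accounting
  rfc-3576-server 10.10.10.21
!
! ISE side (GUI): a Network Device entry for the 7010 with the same shared secret and
! CoA port, an authorization rule matching the AD IT group that returns a profile with
! Aruba-User-Role = IT-STAFF, and a catch-all rule for other AD users returning
! Aruba-User-Role = STAFF-INTERNET. Controller management login (aaa authentication mgmt)
! is a separate policy and is not covered here.
```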