Beruflich Dokumente
Kultur Dokumente
Cisco ISE Integration with a Ruckus ICX Switch for Web Authentication
Guest Access NAC Solution
Brocade, the B-wing symbol, and MyBrocade are registered trademarks of Brocade Communications Systems, Inc., in the United States and in other
countries. Other brands, product names, or service names mentioned of Brocade Communications Systems, Inc. are listed at www.brocade.com/en/legal/
brocade-Legal-intellectual-property/brocade-legal-trademarks.html. Other marks may belong to third parties.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment
feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and
assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for
information on feature and product availability. Export of technical data contained in this document may require an export license from the United States
government.
The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this
document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.
The product described by this document may contain open source software covered by the GNU General Public License or other open source license
agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and
obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
Overview....................................................................................................................................................................................................... 5
Switch Configuration..................................................................................................................................................................................... 5
ISE Configuration.......................................................................................................................................................................................... 6
Summary.................................................................................................................................................................................................... 26
The information in this document is based on the following software and hardware versions:
• Cisco Identity Services Engine (ISE), Release 2.1.0
• Ruckus ICX switch running FastIron 08.0.61
Audience
This document can be used by technical marketing engineers, system engineers, technical assistance center engineers, and customers to
deploy a Ruckus ICX switch with Cisco ISE.
Related Documents
• Brocade FastIron Security Configuration Guide, 08.0.60
http://www.brocade.com/content/html/en/fastiron-os/08-0-60/fastiron-08060-securityguide/GUID-CA45229B-
F8EE-4074-9175-046A1E3B1830-homepage.html
Document History
Date Part Number Description
Overview
Switch Configuration
The Ruckus ICX switch must be configured with MAC authentication, external web authentication, RADIUS, and CoA in order for CWA to
work.
authentication
auth-default-vlan <temporary_auth_vlan>
mac-authentication enable
mac-authentication enable ethe 1/1/13
captive-portal brocade
virtual-ip <CiscoISE_domain_name>
virtual-port 8443
login-page <CiscoISE_guest_portal>
............
vlan <temporary_auth_vlan> name <temporary_auth_vlan_name> by port
............
vlan <temporary_guest_vlan> name <temporary_guest_vlan_name> by port
webauth
captive-portal profile brocade
auth-mode captive-portal
trust-port ethernet 1/1/2 <-- uplink port
enable
............
vlan <final_guest_vlan> name <final_guest_vlan_name> by port
...........
web-management https
ISE Configuration
Cisco ISE configuration consists of creating an authorization profile, creating an authentication rule, and creating an authorization rule with
two policies.
1. Create an authorization profile. Cisco ISE generates a link to access its web portal. The web link must be copied to the login page
portion of the captive portal profile on the switch.
2. Create an authentication rule to allow the flow with an unknown MAC address to continue rather than being dropped.
3. Create an authorization rule with two policies. One policy is applied before web authentication so the user is moved to the
temporary guest VLAN to perform web authentication. The other policy is applied after web authentication succeeds so the guest
user is moved to the final guest VLAN.
the Cisco ISE guest portal. After successful user login, the switch port connected to the client PC will be bounced and the user will be
successfully authenticated.
3. The PC user opens a web browser and is redirected to the Cisco ISE web guest portal.
4. After web authentication, the switch port is disabled and then re-enabled.
SYSLOG: <14> Jun 24 06:41:08 7450-U33 MAC-AUTH: CoA disabled and enabled (flip) the Port 1/1/13
5. After the switch port is bounced, the PC is authorized by MAC authentication again and the PC session is moved to a new VLAN.
The CLI output for the Ruckus ICX switch shows the device MAC address, VLAN assignment, and state.
6. The PC receives a new IP address after the PC session is moved to a new VLAN. The PC user can now access the Internet.
FIGURE 20 Templates
FIGURE 22 Permissions
FIGURE 24 Disconnect
FIGURE 25 Redirect
Summary
This document shows the configurations and steps necessary to configure CWA on Cisco ISE and a Ruckus ICX switch. It also gives the
details of the CWA flow for better understanding and easy deployment of CWA in the existing network infrastructure.