Wi-Fi employee access – Cisco Wireless Controller

In this topic, you will learn how to configure a Cisco Wireless Controller to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Wi-Fi connections.

Cisco Virtual Wireless Controller

This section contains an example configuration for the Cisco Virtual Wireless Controller.

Warning: We tested this configuration using a Cisco Virtual Wireless Controller with software version 8.10.142.0 in our lab, but we cannot guarantee that it will cover every relevant product and version. Also, the configuration is generic and may not fit every single environment. Therefore, to get the most accurate and current configuration guidance on 802.1X configuration, we strongly recommend that you refer to the documentation provided by Cisco on these topics for your particular software version and related devices.
  1. In the top menu of the Cisco Wireless Controller web interface, click on the SECURITY option

  2. In the left-hand side menu, select the AAA > RADIUS > Authentication options.

  3. In the RADIUS Authentication Servers pane, click on the New... button in the top-right corner.

  4. In the RADIUS Authentication Servers > New pane, enter the details of the Portnox Cloud RADIUS server that you created earlier: the Server IP Address, the authentication Port Number, and the Shared Secret. Set the timeout to 30 seconds. Then, click on the Apply button in the top-right corner.
    Note: The Support for CoA switch should be set to Enable if you want to use the CoA feature and/or the IPSK feature of Portnox Cloud.

  5. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.

    The above screenshot shows an example configuration for two Cloud RADIUS region authentication servers. Adjust the IP addresses and port numbers to your tenant configuration.

  6. In the left-hand side menu select AAA > RADIUS > Accounting menu option.

  7. In the RADIUS Accounting Servers pane, click on the New... button in the top-right corner.

  8. In the RADIUS Accounting Servers > New pane, enter the details of the Portnox Cloud RADIUS server that you created earlier: the Server IP Address, the accounting Port Number, and the Shared Secret. Set the timeout to 30 seconds. Then, click on the Apply button in the top-right corner.

  9. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.

    The above screenshot shows an example configuration for two Cloud RADIUS region accounting servers. Adjust the IP addresses and port numbers to your tenant configuration.

  10. In the top menu of the Cisco Wireless Controller web interface, click on the WLANs option

  11. In the WLANs pane, select the Create New option from the drop-down menu, and then click on the Go button.

    Note: Instead of creating a new WLAN, you can edit an existing WLAN by clicking on the number in the WLAN ID column.

  12. In the WLANs > New pane, enter the Profile Name and the SSID for the secure SSID that you want to create, and then click on the Apply button in the top-right corner.

  13. In the WLANs > Edit pane, click on the Security tab and select the following options in the Layer 2 tab that is opened by default:

    1. In the Layer 2 Security field, select the WPA2+WPA3 option.
      Note: If you want to use this SSID to connect IoT devices that do not support 802.1x, select the None option and activate the MAC Filtering checkbox instead.
    2. In the Security Type field, select the Enterprise option.
    3. In the Authentication Key Management section, activate the Enable checkbox next to the 802.1X-SHA1 option.
  14. Click on the AAA Servers tab and in the Authentication Servers and Accounting Servers columns, select the relevant servers that you defined earlier. Then, click on the Apply button in the top-right corner.

    Important: If you want to use the IPSK feature of Portnox Cloud, additionally, activate the RADIUS Server Overwrite Interface checkbox.

    The following screenshot shows an example configuration for two Cloud RADIUS servers. Adjust the IP addresses and port numbers to your tenant configuration.

Result: Your Wi-Fi devices can now access the protected Wi-Fi network, using the Portnox Cloud RADIUS servers for authentication.

Cisco 9800 RadSec

This section contains an example configuration for the Cisco Catalyst 9800 wireless controller and Portnox Cloud RADIUS servers using secure RADIUS (RadSec) connections.

  1. Turn on RadSec connections for your cloud RADIUS server(s).
    1. Open your Portnox Cloud tenant in a web browser.
    2. Go to Settings > Services > CLEAR RADIUS instance and select the cloud RADIUS server that you want to connect to using RadSec. Then, click on the Edit link.

    3. Activate the Enable RADIUS over TLS (RadSec) checkbox.

    4. Click on the Download root certificate link to download the root CA certificate, which you will need later on in the configuration process.

    5. Copy the following information and store it, for example, in a text file. You will need this information later on in the configuration process:
      • Cloud RADIUS IP
      • Authentication port
      • Accounting port
      • Shared Secret (click on the  ⧉  icon)

    6. Click on the Save button to save your changes.
  2. Import the Portnox root CA certificate using one of the following methods:

    • Connect to your Cisco Catalyst switch console and import the root CA certificate:

      crypto pki trustpool import url https://cacerts.digicert.com/DigiCertTrustedRootG4.crt

    • Alternatively, use the Cisco web user interface as described below:

    1. Alternatively, open your Cisco 9200/9300 web user interface and navigate to Configuration > Security > PKI Management. Then, click on the Trustpool tab.

    2. Click on the Import button, and import the root CA certificate that you downloaded earlier from Portnox Cloud.

  3. In the console, configure the interface that you want to use as the source for RadSec connections.

    For example:

    interface GigabitEthernet1/0/2
switchport mode access
access-session host-mode single-host
access-session port-control auto
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 60
service-policy type control subscriber DOT1X
  4. Add an authentication RADIUS server.
    Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.

    For example:

    radius server PORTNOX-CLOUD-US-AUTH
address ipv4 20.119.69.248                          
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
tls port 10322
tls idletimeout 75
tls watchdoginterval 10
tls connectiontimeout 10
tls retries 15
tls ip radius source-interface GigabitEthernet1/0/2
tls match-server-identity hostname clear-rad.portnox.com
  5. Add an accounting RADIUS server.

    For example:

    radius server PORTNOX-CLOUD-US-ACCT
address ipv4 20.119.69.248                          
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
tls port 10323
tls idletimeout 75
tls watchdoginterval 10
tls connectiontimeout 10
tls retries 15
tls ip radius source-interface GigabitEthernet1/0/2
tls match-server-identity hostname clear-rad.portnox.com
  6. Optional: Repeat the two above steps for the second cloud RADIUS server, if necessary.

    For example, you can create servers PORTNOX-CLOUD-EMEA-AUTH and PORTNOX-CLOUD-EMEA-ACCT.

  7. Create a group for RadSec servers. 
    aaa server group radius PortnoxRadSec                            
server 20.119.69.248 auth port 10322 acct port 10323
server 52.232.122.157 auth port 10476 acct port 10477
    Note: Use the second server command only if you also configured the second cloud RADIUS server earlier.
  8. Update your AAA commands to use the RadSec server group. 
    aaa authentication dot1x default group PortnoxRadSec
aaa authorization network default group PortnoxRadSec
aaa accounting dot1x default start-stop group PortnoxRadSec