Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE 1.2 With WLC and AD

Hi everyone,


What is the steps and Procedure implement Wired and wireless authentication with ISE, WLC and AD for a LAB environment. currently the following are done.

The wireless network is configured with 2 SSID (Staff and Guest) 

Active Directory, DNS, DHCP, and  NTP configured & synced.

ISE and AD running on C220 VMs, and WLC is 5760 Appliance.


Please provide your thoughts and assistance.











New Member

Hello,I supposed you have


I supposed you have done communication between your NAD devices and ISE (Wired Switch and WLC). 

If done, that means for classification you have created two groups (wired and wireless) 

administration -->network resources-->network devices group-->group-->all devices Types. 


now go to the policy -->authentications and if you want modify the defaults. 

wireless MAB, Wired MAB, ect. 

You  can check the default authentication protocols (Default Network Access) and customize or modify it to use EAP-FAST, EAP-MD5, LEAP and so on. 


After authentication, you can then define authorization. 



New Member

I have made the reachability

I have made the reachability AD, WLC,ISE and 3850 SW, Appreciate if you can brief/send me the full steps to implement this solution.



New Member

You have to implement dot1x

You have to implement dot1x and radius between your NAD and ISE device.


Using the switch 3850, that are the steps: 

username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!this password will be used to communicate with ISE and to verify reachability
!between ISE and Switch
aaa server radius dynamic-author
 client server-key 7 radiuskey
 client server-key 7 radiuskey
ip domain-name lab.local
ip name-server
dot1x system-auth-control

interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 50
 switchport access vlan 10
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
ip access-list extended ACL-ALLOW
 permit ip any any
!the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host transport udp port 20514
logging host transport udp port 20514
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host transport udp port 20514
logging host transport udp port 20514
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!defining ISE servers
radius server ISE-RADIUS-1
 address ipv4 auth-port 1812 acct-port 1813
 automate-tester username RADIUS-HEALTH idle-time 15
 key radiusKey

Please be sure that NTP servers and time are synchronized. 

enable dot1X on windows machine, or using cisco NAM. 

you can enable debugging on aaa authentication to see the events. 

you have to create this user on ISE (RADIUS-HEALTH). 


3850#test aaa group radius username password new-code 




and observe the result. You are supposed to have user authenticated successfully. 

You Must also have define these device in ISE on the radius interface.

ip radius source-interface ..... use this interface ip address to define Ip address of the NAD device in ISE. 

administration-->network resources -->Network Devices-->Add

input the name

input the Ip address for radius communication

select the authentication settings and field the corresponding shared secret radius key

select snmp settings and select version 2c. 

snmp community : ciscoro

you can customize the polling interval if you want and that all. 


you are supposed to received message communication between your NAD and ISE. 



After you can do the procedure for WLC device. 

I will fill it after you have passed the first steps (3850 authentication). 




New Member

Thank you fogemarttt , I will

Thank you fogemarttt , I will follow the same and update you soon.

Cisco Employee

I have attached screenshots

I have attached screenshots of authentication and authorization policy's for dual ssid  on boarding