Cisco ISE 2.6 Wireless Setup Guide (Part 1)

Welcome to my first technical guide on this blog. I will show you how to install Cisco ISE 2.6 and configure it for your organization from start to finish. I will also cover AAA and WLAN setup on a Cisco WLC and Certificate Authority setup on Microsoft Server 2019. (I won’t be going into the installation of a Cisco WLC, ESXi host, or Microsoft Server. Perhaps in a later guide.)

Resources needed for starting this project:
-VMware ESXi Host (single or vSphere cluster)
-ISE 2.6 ova (2.3 and up could also work)
-Microsoft Server 2019 (2012 and up could also work)
-WLC 8.5 (8.3 and up could also work)

Step 1: Import .ova into VMware
Uploading the .ova over the network will take a little while.
Step 2: Launch ISE VM and start the install process by typing setup and pressing enter (Example above)

As you can see above, the timezone has to be in proper format (e.g. US/California, US/Washington, US/Texas)

The setup will take a while…
Step 3: Login and dismiss all messages
Step 4: Go to Administration > System > Licensing and enter licensing information
Step 5: Go to Administration > System > Settings > Security Settings, uncheck all boxes, and click Save. This is to create a baseline of your network. (Remember this step; you may have to return to this page to enable legacy ciphers for legacy devices on your network. Also, on my test machine I lost access to the web console for like 2-3 min; I’m not sure if Tomcat was restarted after disabling all and clicking Save.)
Step 6: Go to Administration > Identity Management > Active Directory and add a new AD domain (using any AD credentials with computer join permissions)
Step 7: Within the new AD ID Management Group’s settings, go to Groups and add Domain Users
Step 8: Go to Policy > Policy Elements > Authentication > Results > Allowed Protocols, open the Default Network Access Policy, uncheck all boxes, and click Save. This is to create a baseline of our network.
Step 9: Add a new Allowed Protocols policy, uncheck all but PEAP MS-CHAPv2, change Preferred EAP Protocol to PEAP, and click Submit
Step 10: Go to Policy > Policy Sets > Default Policy and delete all example Rules on both the Authentication and Authorization Policy lists, ensuring both Default Policies are set to DenyAccess. This turns the Default policy into an implicit deny and creates a baseline of our network.
Step 11: Create a new Policy Set, choosing the Condition Wireless_802.1x and the Allowed Protocols policy you created earlier for PEAP
Step 12: Edit the Policy and set the Authentication Policy to use the AD ID Group you created earlier, then create a new Rule under Authorization Policy, set the Condition to AD ExternalGroups EQUALS Domain Users, and set the result to PermitAccess
Step 13: Go to Administration > Network Resources > Network Devices and add new devices, ensuring the RADIUS key matches what is on your wireless LAN controller

The guide continues with step one of Part 2.