Skip to main content
All CollectionsAdvanced 5G LAN Features
Network Access Control (NAC) Integration - Cisco ISE
Network Access Control (NAC) Integration - Cisco ISE

Cisco ISE integration to automate authorization of Private Cellular Devices on Celona 5G LAN

A
Written by Asha Latha Amara
Updated over a week ago

Cisco Identity Services Engine (ISE) is an identity-based network access control and policy enforcement platform that enhances network security and simplifies management. Celona Orchestrator integrates with Cisco ISE to provide a centralized system for managing access policies and automating device onboarding. This ensures that only authorized and compliant devices can connect to the network.

Key Benefits:

  • Centralized management of user and device authorization across the network.

  • Enhanced security with RADIUS-based authorization for private 5G, Wi-Fi, and wired devices.

  • Simplified access policy management from a single console, reducing operational complexity.

Note: This feature is available starting from Edge OS version 2406 and is accessible only to users with an Admin role.

Feature Description

The scope of the feature is to use Enterprise RADIUS based Network Access Control (NAC) systems for authorization, while SIM based authentication is handled directly on the Celona Edge. Users are authorized by validating SIM card (IMSI) or Device (IMEI) credentials. This enables Enterprises to use a unified policy engine to authorize wired, Wi-Fi & Private 5G devices.

  • As part of the Attach process the device will go through SIM-based authentication via HSS (in LTE) and AUSF/UDM/UDR (in 5G) function.

  • Once the device has been authenticated, Celona Edge will initiate an authorization request to the configured policy engine (such as Cisco ISE or Aruba ClearPass). Device (IMEI) or SIM identifiers (IMSI) information will be passed to the NAC system to identify the device and automatically retrieve the configured authorization policy.

  • This information will be passed back to the Celona Edge in the authorization response. In phase 1, we are automatically retrieving the device group of the device and configuring that on the Private Network. Based on the device group, the following networking and security policy will be dynamically set up on the Private Network -

    • QoS policy

    • Admission control policy

    • IP domain & VLAN segmentation

  • In addition to setting the authorization policy upon attach, NAC can also trigger a change of authorization (CoA) or Disconnect event based on a security incident. This enables Enterprises to quarantine the device and automate remediation action and do so at the edge of the network ensuring complete adherence to zero-trust policies.

Configuration on Celona Orchestrator

  1. Login to Celona Orchestrator with Admin credentials.

  2. Navigate to the "Edge Clusters" tab on the main dashboard.

  3. Select an Edge cluster to view details.

  4. Enable Device Authorization by toggling the relevant setting.

  5. In the Device Authorization Server field, click Add New to create a new profile. In this example, Cisco_automation is the new profile created.

  6. In the “Device Authorization Server” window, enter all the required fields, such as the Server Name, Secret Source, Server IP Address, Server Port, User Name, and Password.

    • Server Name: Cisco ISE server

    • Secret Source: Shared secret (must match Shared Secret on Cisco ISE)

    • Server IP Address: Cisco ISE server IP address

    • Server Port: Cisco ISE server port number

    • User Name: AAA server’s user name

      • Currently, this is not being passed to NAC server in the the RADIUS access request message

    • Password: AAA server's password

    • Choose IMSI or IMEI as the identifier.
      NOTE: The default option for “Device Authorization Identifier” is IMSI.

  7. Click the Add button to add the settings. Ensure you select the new Device Authorization Server profile you created in the Device Authorization Server field.

    NOTE: Enabling the feature without selecting the server will result in device attach failure.

Configuration on Cisco ISE

  1. Login to the Cisco ISE by entering your Admin credentials

  2. Configure Network Device (Edge Cluster)

    1. Go to Cisco ISE Menu → Administration → Network Resources → Network Devices.

    2. Click + Add to add the Celona Edge Cluster details

    3. Enter the Edge's Name, IP Address, and other details. Then, click RADIUS Authentication Settings to view the RADIUS UDP settings.

      • For a HA cluster, configure separate Network Devices for each node

    4. To establish a secure connection, enter the key in the Shared Secret field (same in the “Shared Source” field on the “Device Authorization Server” window on Celona Orchestrator).

    5. After initial authentication and authorization, the Admin can dynamically enforce new policies or update session attributes in real-time without requiring the user or device to reconnect or reauthenticate using ISE's Change of Authorization (CoA) feature.

    6. To use the CoA feature, the Admin must enter the CoA Port as 3799 to connect to the Celona Edge.

  3. Configure Network Access Users (Private Cellular Devices)

    1. Go to Cisco ISE Menu → Administration → Identity Management → Identities

    2. You can configure the user (Private Cellular End-device) by adding the IMSI or IMEI values or clicking the Import button to bulk import Device or SIM credentials.

    3. Enter the user’s details and set the password. You can also enter other user information in this window.

      NOTE:

      • The password configured on Cisco ISE and Celona Orchestrator UI should match to successfully authorize the device

      • Currently the same password is used to authorize all Private Cellular end-devices

    4. Go to the Groups tab to create User Identity Groups in Cisco ISE. These groups categorize and manage users based on their roles and enforce control policies within the network.

    5. Create new User Identity Groups by clicking the Add button or edit by clicking the Edit button.

    6. After creating the Identity group, you can edit the users by clicking the Add or Delete button.

  4. Configure Policy Sets

    1. Go to Cisco ISE Menu → Policy → Policy Sets

    2. Click the + button to create a new Policy Set and click the > button to view the Policy Set.

    3. In the Policy Set window, under the Authorization Policy, click the + button to create a new authorization policy. After creating the authorization policy, click the Conditions to create or edit device group policies.

    4. Create new or edit the authorization rules or conditions in the Conditions Studio window.

  5. Configure Authorization Profile

    1. Go to Cisco ISE Menu → Policy → Policy Elements → Results to view the Authorization profiles.

    2. In the Results tab, click the Authorization Profiles to view the newly created authorization profile.

    3. Click the authorization profile (in this example, celona_auth_profile) to edit the Authorization Profile.

    4. In the Authorization Profile window, you can set the Access Type and Attributes Details.

    5. The Device Group name must be set in the Radius-Reply-Message field. This is a mandatory configuration. After successfully integrating the device, you can view these details on the Celona Orchestrator. Device Group name configured on Cisco ISE should match the Device Group name configured on the Celona Orchestrator.

Verify Integration

  1. Test RADIUS Authentication from a client device and attempt to connect to a Celona network that uses the integrated policy.

  2. Check the Cisco ISE Live Logs under Cisco ISE Menu → Operations → RADIUS → Live Logs.

  3. Click the Authentication detail report to view the Live Logs.

  4. In the detailed report, you can verify if the Authorization is successful and collect the integration-related logs here.

  5. To verify the integration on the Celona Orchestrator, go to “Devices” and check the description on the Device Group field.

  6. For more information on troubleshooting, configuration, and service logs, contact support@celona.io.

Here is a demo video showcasing the integration of Celona 5G LAN and Cisco ISE

Did this answer your question?