Cisco ISE Part 10: Profiling and posture

This is a Cisco ISE blog post series with some how-tos for configuring an ISE deployment. The series consists of 10 parts.

The blog post agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, the last post in the Cisco ISE blog post series: Profiling and posture. Both features require the Cisco ISE Advanced license.

Profiler is a function for discovering, locating and determining the capabilities of the attached endpoints. It detects the network type and authorizes it.

A sensor in the network captures network packets by querying the NADs and forwards the attributes to the analyzer. The analyzer checks the attributes using policies and identity groups. The result is stored in the ISE database with the corresponding device profile. The MAC address of the device is linked to an existing endpoint identity group.

There are 9 available probes:

  • Netflow
  • DHCP
  • DHCP SPAN
  • HTTP
  • RADIUS
  • NMAP
  • DNS
  • SNMPQUERY
  • SNMPTRAP

Profiling uses CoA (change of authorization). There are 3 options:

  • No CoA: CoA is disabled
  • Port bounce: use this only if there is a single session on a switchport
  • Reauth: enforce reauthentication of a currently authenticated endpoint when it’s profiled

ISE creates three identity groups by default, plus two identity groups that are specific to Cisco IP phones. Creating extra groups is optional.

An endpoint profiling policy contains a simple condition or a set of conditions (compound).

Configuring

Probe configuration

First, make sure the ISE appliance can reach the switches over SNMP (SNMPv2 or v3) with a read-only community string. Also configure an SNMP trap destination pointing to the Cisco ISE policy node.

Switch(config)# snmp-server host 10.10.2.50 version 3 priv ISE
Switch(config)# snmp-server enable traps snmp linkdown linkup
Switch(config)# snmp-server enable traps mac-notification change move

On all interfaces:
Switch(config-if)# snmp trap mac-notification change added

For DHCP probing, configure an additional IP helper on the SVI to the policy node:

Switch(config-if)# ip helper-address 10.10.2.50
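The probe prerequisites above can be checked against a saved running-config before relying on profiling results. The script below is an added example, not part of the original post; the sample config, the interface names and the DHCP server address 10.10.1.10 are constructed, and 10.10.2.50 is the policy node address used above.

```python
# Constructed sample running-config; 10.10.2.50 is the ISE policy node used above.
SAMPLE_CONFIG = """\
snmp-server host 10.10.2.50 version 3 priv ISE
snmp-server enable traps mac-notification change move
!
interface GigabitEthernet1/0/1
 snmp trap mac-notification change added
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface Vlan10
 ip helper-address 10.10.1.10
 ip helper-address 10.10.2.50
!
interface Vlan20
 ip helper-address 10.10.1.10
"""


def interface_blocks(config):
    """Split an IOS config into {interface name: [sub-command lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks


def audit_profiling(config, ise_ip):
    """Return a list of findings: profiling prerequisites missing from the config."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if not any(l.startswith(f"snmp-server host {ise_ip} ") for l in lines):
        findings.append(f"no snmp-server host entry for {ise_ip}")
    if not any(l.startswith("snmp-server enable traps mac-notification") for l in lines):
        findings.append("mac-notification traps not enabled globally")
    for name, cmds in interface_blocks(config).items():
        if name.lower().startswith("vlan"):  # SVI: DHCP probe needs a relay to ISE
            relays = any(c.startswith("ip helper-address") for c in cmds)
            if relays and f"ip helper-address {ise_ip}" not in cmds:
                findings.append(f"{name}: no ip helper-address to {ise_ip}")
        elif "snmp trap mac-notification change added" not in cmds:
            findings.append(f"{name}: mac-notification trap not set")
    return findings
```

On the sample config it reports GigabitEthernet1/0/2 (no MAC notification trap) and Vlan20 (DHCP relayed, but not to the policy node), the two gaps that would leave endpoints unprofiled.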

Cisco ISE configuration

Click Administration – System – Settings, click Profiling and configure the CoA.


Cisco ISE Part 9: Guest and web authentication

This week, part 9: Guest and web authentication

Web authentication can be used for guest access. It can also be used as a last resort for authenticating normal users if the 802.1X supplicant is not working. Access to this portal can be provided through a remediation VLAN with limited access to resources. The portal uses HTTP and HTTPS; because of the limited access, the NAD (or WLC) intercepts the HTTP request and redirects it to the web portal.

There are two portals. The Guest user portal is the portal guests use to log in. The Sponsor portal is used by company employees to create and manage guest accounts. The options available to guest users in the guest portal are customizable.

To handle the RADIUS requests, the portal is installed on all required policy nodes. The configuration of the portal (and its users) is replicated to all nodes, so there is one central deployment.

You can configure multiple authorization sources in one rule, so you can use one SSID for all uses: internal production use, BYOD, guest, etc. This is a nice feature of Cisco ISE.

Configuration

Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.

Edit the DefaultGuestPortal to your needs:

  • Password policies
  • Need of posture client
  • self service
  • device registration
  • DHCP settings
  • Policies
  • etc


Cisco ISE Part 8: Inline posture and VPN

This week, part 8: Inline posture and VPN

The fourth ISE node role is inline posture. This appliance can be placed in your network for devices that don’t support CoA (Change of Authorization). Cisco ASA doesn’t support CoA yet (but support will come in the near future). This role is available on the hardware appliance only; the VM is not supported.

This node is a gatekeeper that enforces policies and handles CoA. After the initial authentication, the client must still go through posture assessment.

There are 3 possible modes:

  • Router mode: this is an L3 hop in your network. The node is the default gateway for clients. Only static routes are available!
  • Bridge mode: the node is “transparent” in your network
  • Maintenance mode: takes the node offline; traffic should be uninterrupted. This is the default mode


How to: Cisco WLC Tacacs/radius for management

It took some time this morning to configure a RADIUS or TACACS server for management access to a Cisco WLC. So, let’s write a short how-to:

  1. Log in to the WLC and click Security – AAA – TACACS+ (or RADIUS) – Authentication
  2. Click New and enter:
    • Server IP Address – IP address of the TACACS server
    • Shared secret – The configured shared secret on the TACACS server
  3. If you’re using TACACS, click Authorization and enter the same Server IP address and Shared Secret. Configuring accounting is optional
  4. Click Security – Priority order – Management user and make sure TACACS (or RADIUS) is at the top of the list


Cisco ISE Part 7: Configuring wireless network devices

This week, part 7: Configuring wireless network devices

Configuration

First, add the WLC as a RADIUS client.

Click: Administration – Network Resources – Network Devices. Click Add and create a network device object:


Click Select Existing condition from library, select condition, navigate to Compound condition and select wireless_802.1x.

Click Select Network Access, Allowed Protocols – Default network access. Make sure PEAP is available in this network access rule.


For the authorization profiles, click Policy – Policy Elements – Results

Make sure you select the correct Airespace ACL name.


Create an authorization policy that assigns the authorization profile. Click Policy – Authorization. Insert a new row.

Create a new rule, select the “wireless_802.1X” compound condition from the library. To check if the user is also a domain member, add another attribute. Click Select Attribute – <domain> – <usergroup>


Browse to the WLC web interface.
