Cisco ISE Part 6: Policy enforcement and MAB

This is a Cisco ISE blog post series with some how-to's for configuring an ISE deployment. The series consists of 10 parts.

The blogpost Agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, part 6: Policy enforcement and MAB

Policy enforcement in Cisco ISE is based on two steps: authentication (who or what is connecting) and authorization (what that endpoint is allowed to do).

Some of the authentication protocols ISE can allow:

  • PAP
  • CHAP
  • MS-CHAPv1/v2
  • EAP-MD5
  • EAP-TLS
  • LEAP
  • PEAP
  • EAP-FAST

An authorization result can consist of one or more of the following:

  • dACL (downloadable ACL pushed to the switch port)
  • VLAN assignment
  • Web authentication redirect
  • Smartport macro
  • MACsec
  • WLC ACL (named ACL on the wireless controller)
  • NEAT (Network Edge Authentication Topology)
  • Filter-ID (named ACL already present on the network device)
  • Reauthentication timer (Session-Timeout)

Authentication policy: defines which protocols ISE accepts for a request and which identity store is used to validate the credentials.
Policy: an ordered set of rules, each made up of conditions.
Condition: a rule that evaluates to true or false.

The result of an authentication policy rule is the identity source (an identity store or an identity source sequence) used to validate the credentials. It can be any one of the following:


Cisco ISE Part 5: Configuring wired network devices


This week, part 5: Configuring wired network devices

First some terminology and guidelines:

Single-host mode / multi-host mode: defines whether one host or multiple hosts are allowed on the switch port. In multi-host mode only the first device has to authenticate; once it succeeds, every other MAC address on the port is allowed as well. (Multi-auth mode, by contrast, authenticates every host on the port individually.)

Until a port is authorized, the switch only passes EAPOL and control-plane protocols such as CDP and STP; all other client traffic is dropped.

802.1X is not supported on SPAN destination ports, trunk ports, dynamic (DTP) ports, dynamic-access (VMPS) ports and EtherChannel member ports.

The Windows supplicant configuration can be pushed with a GPO. Configuration of this GPO is out of scope for this blog.

Configuration

First, add the switches as RADIUS clients (network devices) in the ISE deployment.

Click Administration – Network Resources – Network Devices and click Add. Enter the requested information (device name, IP address and the RADIUS shared secret under Authentication Settings):

(screenshot: Radius client 1)

(screenshot: Radius client 2)
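The switch-side counterpart of the steps above, as an added example that is not part of the original post: an IOS configuration for a Catalyst access switch that uses an ISE Policy Service node as RADIUS server, enables 802.1X on an access port in single-host mode and falls back to MAB for devices without a supplicant (the MAB fallback and the server-driven reauthentication timer belong to the part 6 topics). The ISE address 10.0.0.10, the shared secret, the interface and the VLAN numbers are assumed values; replace them with your own.

```cisco
! --- Global AAA / RADIUS (assumed: ISE Policy Service node at 10.0.0.10) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! the key must match the shared secret entered for this switch in ISE
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key ISE-shared-secret
radius-server vsa send authentication
radius-server vsa send accounting
! attribute 6 (Service-Type) lets ISE tell MAB (Call-Check) from 802.1X requests,
! attribute 8 (Framed-IP-Address) carries the client IP for dACL enforcement
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
!
! allow ISE to send Change of Authorization (reauth, port bounce), default UDP 1700
aaa server radius dynamic-author
 client 10.0.0.10 server-key ISE-shared-secret
!
! IP-to-MAC tracking is required for downloadable ACLs to be applied per client
ip device tracking
!
! globally enable 802.1X on the switch
dot1x system-auth-control
!
! --- Access port: 802.1X first, MAB as fallback for endpoints without a supplicant ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 ! if 802.1X times out or fails, try the next method in the order (MAB)
 authentication event fail action next-method
 ! if every RADIUS server is dead, keep existing sessions and authorize new ones into VLAN 10
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 ! reauthenticate on the Session-Timeout value ISE returns (the "reauth timer" result)
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! shorter EAP request interval so the MAB fallback kicks in quickly (3 x 10 s by default)
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Verify with `show authentication sessions interface GigabitEthernet1/0/1 details` (shows the method that authorized the session and the dACL, VLAN or timer that ISE returned) and `show aaa servers` (shows whether the RADIUS server is marked dead). The switch IP that ISE sees must be the one entered as the network device address, otherwise the RADIUS request is rejected as coming from an unknown NAD.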


Cisco ISE Part 4: High availability


This week a short post, part 4: High Availability

The Administration and Monitoring personas are only available as an Active/Standby (primary/secondary) pair.

All configuration is done on the primary Administration node, which manages all other nodes. In case of a failure, the secondary Administration node has to be promoted to primary manually (ISE 1.x).

Policy Service nodes can be grouped in a node group and placed behind a load balancer; switches then use the load balancer's virtual IP as their RADIUS server. ISE itself does not provide a shared cluster IP, so without a load balancer each switch must list the individual Policy Service nodes as RADIUS servers.

Switches (NADs) can send syslog messages (UDP 20514) to the Monitoring nodes. All logging is sent to, and replicated between, both HA Monitoring nodes.

First, a node has to be registered with the primary Administration node. Requirements for this are an admin user account on the new node and that the new node's certificate is trusted by the primary (present in its trusted certificate store). Changing the secondary Administration role is only possible by deregistering the node.

Registering of a node is certificate based:

  • Self signed
  • CA signed


Cisco ISE Part 3: Active directory


This week, part 3: Active Directory

Microsoft Active Directory is the most widely used directory. Cisco ISE 1.1.x can join only one Active Directory domain.

Check the following requirements before joining:

  • Correctly configured NTP (Kerberos rejects clients whose clock is off by more than the domain's tolerance)
  • Firewall ports, TCP: 389 (LDAP), 636 (LDAPS), 445 (SMB), 88 (Kerberos), 3268 and 3269 (Global Catalog), 464 (Kerberos password change)
  • Firewall ports, UDP: 389 (LDAP), 123 (NTP)
  • These ports must be open from every Policy Service node to the domain controllers, not only from the Administration node
  • NAT between ISE and the domain controllers is not supported!

A local identity store is desirable as a fallback in the event that the external identity store cannot be contacted. This is optional.

Local Identity

Click Administration – Identity management – Groups and click Add to add a new group. (Bulk import is available)

(screenshot: new identity group)

Under Administration – Identity management – Identities – Users, users can be created and assigned to the user group.


Cisco ISE Part 2: Installation


This week, part 2: installation.

Cisco ISE installation

After installation of the software, log in on the console with “setup” as the username to start the setup wizard.

A wizard appears; complete it with the following information:

  • Hostname
  • IP address
  • Netmask
  • Default gateway
  • DNS domain
  • Nameservers
  • NTP server
  • Timezone (try to use UTC)
  • Username for the first admin user
  • Password for this user

Make sure the NTP server is correct and reachable. NTP is important for the ISE deployment: certificate validation, the Active Directory join and log correlation all depend on correct time.

During the wizard process, also enter a database password and a database user password.

After the wizard, it can take up to 30 minutes before the setup completes. So, grab a coffee or something.
