Cisco ISE Part 5: Configuring wired network devices

This is a Cisco ISE blog post series with some how-to's for configuring an ISE deployment. The series consists of 10 parts.

The blogpost Agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, part 5: Configuring wired network devices

First some terminology and guidelines:

Single-host mode / multi-host mode. This defines whether one or several hosts are allowed on the switchport. In multi-host mode only the first device has to authenticate; every other MAC address behind it (a hub, an unmanaged switch, a VM) rides on that session without authenticating. That is why the port configuration later in this post uses multi-auth mode instead, where every host on the port is authenticated separately.

A port is authenticated first; until then no other traffic passes (in closed mode only EAPOL frames are forwarded).

802.1X is not supported on SPAN destination ports, trunk ports, dynamic ports, dynamic-access (VMPS) ports and EtherChannel member ports.

The Windows client (supplicant) configuration can be pushed with a GPO. Configuring that GPO is out of scope for this post.

Configuration

First, add the RADIUS clients in the ISE deployment.

Click Administration – Network Resources – Network Devices and click Add. Enter the requested information: the device name, its IP address and the RADIUS shared secret (this must match the key you configure on the device itself):

[Screenshot: Radius client 1]

[Screenshot: Radius client 2]

Repeat this step for every device that has ports which need authentication. Don't forget the Cisco WLCs if you want to authenticate wireless clients as well.

Click Administration – Network Resources – Network Device Groups, expand Groups, select All Locations and click Add.

Create a location, like “corporate_office” or “hq” and click Submit.

[Screenshot: Network device group]

Next, select All Device Types and click Add. In the Name field, type Router (or Switch, or whatever type of device you are using).

[Screenshot: Device groups]

You can create sub-groups per type, such as Routers – 800 or Routers – 2900. These groups can later be used as conditions in your policies.

Now associate each RADIUS client with a location and a device type.

Click Administration – Network Resources – Network Devices and edit a RADIUS client. Select the correct Location and Device Type.

[Screenshot: Radius client]

Network access devices (NADs) need UDP 1812 (authentication) and UDP 1813 (accounting) towards the Policy Service Node for RADIUS; older devices may use the legacy ports UDP 1645/1646 instead. RADIUS is UDP, not TCP. For Change of Authorization (CoA), ISE also needs to reach the NAD on UDP 1700 (the ISE default CoA port), otherwise reauthentication and dACL changes pushed from ISE will not work.

Configure a router to use RADIUS (the key must be the same shared secret you entered for this device in ISE; the last command is an exec-mode test that sends an Access-Request with the given credentials so you can verify reachability and the shared secret before touching any port):

Router(config)# aaa new-model
Router(config)# ip radius source-interface f0/0
Router(config)# radius-server host 10.10.2.50 key <mykey>
Router# test aaa group radius admin <password> new-code

Configure a switch:

Switch(config)# aaa new-model
Switch(config)# radius-server host 10.10.2.250
Switch(config)# radius-server key <mykey>
Switch(config)# aaa authentication dot1x default group radius local
Switch(config)# dot1x system-auth-control
Switch(config)# aaa authorization network default group radius
Switch(config)# radius-server vsa send authentication
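The block above is the bare minimum. Below is a more complete global AAA configuration for a switch talking to ISE, added here as an example; it is not taken from the original post. The server name ISE-PSN1, the address 10.10.2.250, the shared secret and the test account are placeholders. It adds what the minimal block lacks: accounting (so ISE tracks sessions), CoA (so ISE can reauthenticate a port or push a new dACL without waiting for the reauthentication timer), dead-server detection (so the `authentication event server dead` action on the ports can actually trigger), and the RADIUS attributes ISE uses to identify the port. The `radius server` syntax is the IOS 15.x form; on older IOS 12.2 releases use `radius-server host ... key ...` as in the block above.

```cisco
! Global AAA configuration for 802.1X with Cisco ISE
! (example; server name, addresses, key and test account are placeholders)
aaa new-model
!
! Define the ISE Policy Service Node and put it in a server group
radius server ISE-PSN1
 address ipv4 10.10.2.250 auth-port 1812 acct-port 1813
 key MyRadiusSecret
!
aaa group server radius ISE
 server name ISE-PSN1
 deadtime 15
!
! Send 802.1X authentication, authorization and accounting to ISE
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! Accept Change of Authorization (CoA) from ISE; ISE sends CoA on UDP 1700 by default
aaa server radius dynamic-author
 client 10.10.2.250 server-key MyRadiusSecret
!
! Declare the server dead after 3 unanswered requests within 5 seconds,
! so the per-port 'authentication event server dead' action can kick in
radius-server dead-criteria time 5 tries 3
!
! Attributes ISE expects in the Access-Request (service type, framed IP, NAS-Port-Type)
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
! Global IP device tracking: the switch must learn the client's IP address
! before it can apply a downloadable ACL to the session
ip device tracking
!
! Enable 802.1X globally
dot1x system-auth-control
```

Verify with `test aaa group ISE testuser testpassword new-code` (testuser/testpassword are placeholders) and `show aaa servers`; the latter shows the server state (UP/DEAD) and the request counters, which is the first thing to check when ports unexpectedly land in the server-dead VLAN.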

In the ISE console you can see this test authentication (rejected, since no matching policy exists yet) in the live log: click Operations – Authentications.

Enabling authentication on clients

First, make sure the correct protocols are allowed. Click Policy – Policy Elements – Results – Authentication – Allowed Protocols – Default Network Access (or create a new allowed-protocols list).

In my case, I’ll only enable PEAP and disable all the others.

[Screenshot: allow PEAP]

Make sure the correct identity source sequence is used. Click Policy – Authentication, click the Dot1X rule and change the identity source to AD_then_Local (or the sequence you created earlier in part 3).

[Screenshot: dot1x sequence]

Make sure your switchports are configured as follows:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan x
Switch(config-if)# authentication event fail action next-method
Switch(config-if)# authentication event server dead action authorize vlan 10
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# authentication host-mode multi-auth
Switch(config-if)# no authentication open
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation restrict
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast
Switch(config)# ip device tracking

Closed mode (no traffic before authentication) is the default; `no authentication open` only makes that explicit. Note that `ip device tracking` is a global command, not an interface command: the switch needs it to learn the client's IP address, which the downloadable ACLs later in this post depend on. Be deliberate about the server-dead VLAN (VLAN 10 in this example): when ISE is unreachable, every new host on these ports is authorized into that VLAN without any authentication, so it should be a restricted VLAN, not the normal corporate VLAN.

More about this configuration in part 6 of this blog post series.

For periodic reauthentication of the switchports every 7200 seconds (once periodic reauthentication is enabled, the default interval is 3600 seconds), configure the following. If you would rather have ISE dictate the interval through the Session-Timeout attribute (that is what the reauthentication option in the authorization profile, see below, sends), use the keyword `server` instead of a fixed number of seconds.

Switch(config-if)# authentication periodic
Switch(config-if)# authentication timer reauthenticate 7200

Configuring the Win7 Supplicant

Start the "Wired AutoConfig" service (dot3svc) in services.msc and set its startup type to Automatic, otherwise the Authentication tab will not appear on the adapter.

Open the properties of your network adapter and select the Authentication tab.

[Screenshot: nic1]

Check "Enable IEEE 802.1X authentication". As the network authentication method, select Microsoft: Protected EAP (PEAP) from the drop-down list.

Click Settings and ensure that "Validate server certificate" is checked. Also make sure the client has the root certificate of the CA that issued the ISE server certificate, and select that root CA in the list. This check is what stops a rogue switch or RADIUS server from harvesting credentials: without server validation the supplicant will happily run the inner MSCHAPv2 exchange against anyone presenting a certificate. For the same reason, fill in "Connect to these servers" with the name of your ISE node(s) so the client does not accept just any certificate from that CA.

Ensure that EAP-MSCHAPv2 is selected as the authentication method and that "Enable Fast Reconnect" is checked.

Check the switchport authentication:

Switch#show dot1x all summary

And:

Switch# show dot1x interface fa0/x

You can check the authentication logging in ISE:
Click Operations – Authentications

[Screenshot: authentication logging]

Authorization with DACL

Let's create a downloadable ACL (dACL). ISE returns it in the RADIUS Access-Accept and the switch applies it to the authenticated session, overriding the static port ACL on the interface.

Click Policy – Policy Elements – Results – Authorization – Downloadable ACLs.
Click Add to create a new one and enter the required ACL entries (ISE checks the syntax when you save):

[Screenshot: dacl1]

Click Policy – Policy Elements – Results – Authorization – Authorization Profiles. Click Add, give the profile a name and select the DACL in the drop-down menu. Tick the Reauthentication checkbox: this makes ISE send a Session-Timeout with the Access-Accept, so the switch periodically re-checks the session against ISE.

[Screenshot: dacl2]
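What the dACL body and the matching switch-side pieces look like, as an added example that is not part of the original post. The ACL names, the 10.10.0.0/16 "corporate" range and the interface name are placeholders. On older IOS releases a static port ACL must be present on the interface before the switch will apply a dACL at all; the dACL then replaces it for the authenticated session, which is the "override" described above.

```cisco
! 1. Static port ACL on the switchport (example names). In closed mode nothing
!    but EAPOL passes before authentication anyway, but older IOS releases
!    require a port ACL for the dACL to be applied.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
interface GigabitEthernet1/0/1
 ip access-group PRE-AUTH in
 ! Honour the Session-Timeout ISE sends when the profile's Reauthentication
 ! option is ticked, instead of a fixed local timer
 authentication periodic
 authentication timer reauthenticate server
!
! 2. dACL content as entered in ISE (Policy > Policy Elements > Results >
!    Authorization > Downloadable ACLs). Only the ACEs, no 'ip access-list'
!    header. Always use 'any' as the source: the switch rewrites it to the
!    authenticated host's IP address, which is why IP device tracking must be on.
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any 10.10.0.0 0.0.255.255
deny ip any any
!
! 3. Verification on the switch after a client has authenticated
!    show authentication sessions interface GigabitEthernet1/0/1
!      -> Status should be 'Authz Success' (or 'Authorized' on newer IOS) and the
!         'ACS ACL' line should show xACSACLx-IP-<dACL name>-<hash>
!    show ip access-lists
!      -> the downloaded ACL is listed as xACSACLx-IP-<dACL name>-<hash>
!    show ip device tracking all
!      -> the client's IP must be present; without it the dACL is not applied
```

If the session shows as authorized but the `ACS ACL` line is missing, check the ISE live log detail for the Access-Accept: a syntax error in the dACL makes the switch reject the ACL download while the authentication itself still succeeds, which silently leaves the host with the pre-auth port ACL.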

Make sure there is an Active Directory group available containing the computer (or user) accounts that should be authorized. Make this group available in ISE:
Click Administration – Identity Management – External Identity Sources – Active Directory – Groups.
Click Add – Select Groups From Directory and add the group.

Now it's time to create an authorization rule. Click Policy – Authorization, click the down arrow next to an existing rule and choose Insert New Rule Above.

Click Create New Condition (Advanced Option).

Fill in the expression: the Active Directory group attribute should equal the group you just added.

In the 'then' part of the rule, select the authorization profile you created above (the one with the dACL), so that members of that group get the dACL pushed to their port.

That’s it, start testing!

Next week part 6 of this blog post series: Policy enforcement and MAB