Cisco ISE Part 5: Configuring wired network devices
This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment. This blog post series consists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 5: Configuring wired network devices
First some terminology and guidelines:
Single host mode / Multi host mode. This defines whether one or multiple hosts are allowed on the switchport. In multi host mode only the first device needs to authenticate.
A port must authenticate first before any other traffic can pass.
802.1x is disabled on SPAN ports, trunk ports, dynamic ports, dynamic access ports and etherchannels.
The Windows client configuration can be pushed by a GPO. Configuration of this GPO is out of scope for this blog.
First, add the RADIUS clients in the ISE deployment.
Click: Administration – Network Resources – Network Devices and click Add. Enter the requested information.
Repeat this step for all devices with ports which need authentication. Don’t forget the Cisco WLCs if you want to authenticate on wireless.
Click Administration – Network Resources – Network Device Groups – Expand Groups – All Locations and click Add.
Create a location, like “corporate_office” or “hq” and click Submit.
Next, select All Device Types and click Add. In the Name field type Router (or Switch, or any other type of device you’re using).
You can create sub-layers by type, like Routers – 800 or Routers – 2900.
Associate a RADIUS client to a location and device type.
Click Administration – Network Resources – Network Devices and edit a RADIUS client. Select the correct Location and Device Type.
Devices (NADs) need TCP 1812 and TCP 1645 for RADIUS communication to the Policy node.
Configure a router for using radius:
Router(config)# aaa new-model
Router(config)# ip radius source-interface f0/0
Router(config)# radius-server host 10.10.2.50 key <mykey>
Router# test aaa group radius admin <password> new-code
Configure a switch:
Switch(config)# aaa new-model
Switch(config)# radius-server host 10.10.2.250
Switch(config)# radius-server key <mykey>
Switch(config)# aaa authentication dot1x default group radius local
Switch(config)# dot1x system-auth-control
Switch(config)# aaa authorization network default group radius
Switch(config)# radius-server vsa send authentication
In the ISE console you can see the log entry for the denied test user. Click Operations – Authentications.
Enabling authentication on clients
First, make sure the correct protocols are selected. Click Policy – Policy elements – Results – Authentication – Allowed protocol – default network access (or create a new one).
In my case, I’ll only enable PEAP and disable all the others.
Make sure the correct sequence is used. Click Policy – Authentication. Click the Dot1x rule and change the sequence to AD_then_Local (or the one you desire and created before).
Make sure your switchports are configured as described:
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan x
Switch(config-if)# authentication event fail action next-method
Switch(config-if)# authentication event server dead action authorize vlan 10
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# authentication host-mode multi-auth
Switch(config-if)# authentication closed
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation restrict
Switch(config-if)# ip device tracking
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast
More about this configuration in part 6 of this blog post series.
For periodic reauthentication of the switchports every 7200 sec (3600 is default), configure:
Switch(config-if)# authentication periodic
Switch(config-if)# authentication timer reauthenticate 7200
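As an added example (not code from the original post or from Cisco), a small Python audit that parses a running-config and reports, per access port, which of the interface commands listed above are missing. It also skips the port types where 802.1x does not apply (trunks, etherchannels, SPAN) and flags the dead-server fallback that authorizes a VLAN without authentication. The sample config is constructed; the interface names and the command list are assumptions based on this post.

```python
"""Audit an IOS running-config for the 802.1X port commands used in this post."""
REQUIRED = ["switchport mode access", "authentication port-control auto",
            "authentication host-mode multi-auth", "authentication violation restrict",
            "dot1x pae authenticator"]  # interface commands each authenticated port needs
# 802.1X is not supported on trunks, etherchannels or SPAN ports: skip those
SKIP_MARKERS = ("switchport mode trunk", "channel-group", "monitor session")

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from a running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit(config):
    """Return {interface: findings}; an empty list means the port is compliant."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if any(l.startswith(m) for l in lines for m in SKIP_MARKERS):
            continue
        issues = ["missing: " + cmd for cmd in REQUIRED if cmd not in lines]
        for l in lines:  # dead-server fallback admits a VLAN with no authentication
            if l.startswith("authentication event server dead action authorize"):
                issues.append("fail-open on RADIUS outage: " + l)
        findings[name] = issues
    return findings

# Constructed sample: Fa0/1 follows the post, Fa0/2 was never configured, Gi0/1 is a trunk
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 authentication event server dead action authorize vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
"""
```

Feed it the output of show running-config captured from a switch; a port with an empty findings list carries every listed command.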
Configuring the Win7 Supplicant
Start the “Wired Autoconfig” service in services.msc
Go to your adapter settings and click the tab “Authentication”.
Check “Enable IEEE 802.1X authentication”. For the EAP type, select PEAP in the drop-down list.
Click Settings, ensure that Validate Server Certificate is checked. Also make sure that the client does have the root certificate of your CA. Select this root certificate.
Ensure that EAP-MSCHAPv2 is selected and Enable Fast Reconnect is checked.
Check the switchport authentication:
Switch# show dot1x all summary
Switch# show dot1x interface fa0/x
You can check the authentication logging in ISE:
Click Operations – Authentications
Authorization with DACL
Let’s create a DACL that will override the interface port-based ACL.
Click: Policy – Policy Elements – Results – Authorization – Downloadable ACLs.
Click Add to create a new one and enter the required ACL.
Click Policy – Policy Elements – Results – Authorization – Authorization Profiles. Click Add, give this profile a name and select the DACL in the drop down menu. Check the reauthentication checkbox!
Make sure there is an Active Directory group available with the needed computer accounts. Make this group available in ISE:
Click Administration – Identity Management – External Identity Sources – Active Directory – Groups.
Click Add – select groups from directory and add the group.
Now it’s time to create an authorization policy. Click Policy – Authorization, click the down arrow at a rule, click Insert new rule above.
Click Create new condition (Advanced option)
Fill in the Expression and correct user group.
In the ‘then’ portion of the rule, add an authorization profile: select the Dot1x authorization profile created above.
That’s it, start testing!
Next week part 6 of this blog post series: Policy enforcement and MAB