Cisco ISE Part 6: Policy enforcement and MAB

This is a Cisco ISE blog post series with some how-to's for configuring an ISE deployment. The series consists of 10 parts.

The blog post agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, part 6: Policy enforcement and MAB

Policy enforcement in Cisco ISE is based on authentication and authorization.

Some authentication protocols:

  • pap
  • chap
  • ms-chapv1/2
  • eap-md5
  • eap-tls
  • leap
  • peap
  • eap-fast

Authorization can consist of:

  • DACL
  • VLAN
  • webauth
  • smartport
  • MACsec
  • WLC ACL
  • NEAT
  • Filter-ID
  • reauth timer

Authentication policy: defines the protocols ISE uses to communicate with network devices
Policy: a set of conditions
Condition: a rule with true or false as its response

The result of an authentication policy is the identity method. It can be any one of the following:

  • Deny access
  • Identity database (single db)
  • Identity source sequences (sequence of db’s)

If authentication fails, the user is not found or the process fails, these actions can be configured:

  • reject
  • drop
  • continue
  • authorization policy

Simple authentication

You cannot define any condition for simple policies because a simple policy assumes that all conditions have been met.

Rule based authentication policies

Dynamic protocol selection

  • Simple condition
  • Compound condition (multiple simple conditions with an AND or OR relationship)

Authorization profile

A DACL is applied to the client if it meets specific criteria in the authorization policy. The ACL is applied on the NAD where the client is requesting access to the network. Keep in mind that ISE does not check the syntax of the ACL!

MAC Authentication Bypass

If a device (endpoint) does not support 802.1x, MAC address authentication can be used, based on the MAC address of the device. Of course, it is less secure because of MAC address spoofing. Hashing and encryption are not really needed because username and password are both the MAC address. EAP-MD5 or PAP is not always necessary.

Benefits:

  • Device visibility
  • Identity based
  • Access control
  • Fallback or standalone authentication
  • device authentications

Limitations:

  • Requires a MAC db
  • More delay (first packets will be dropped)
  • No user authentications
  • Less secure

MAB uses 4 phases during operation of the endpoint:
Phase 1: initiation, this will time out because there is no 802.1x response
Phase 2: MAC learning, the NAD will check the MAC address with ISE after the endpoint sends its first packet
Phase 3: Authorization, ISE can push a DACL or other authorization objects like VLANs
Phase 4: Accounting

The MAC address database can be the ISE internal db, LDAP or Microsoft AD.
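As an added example (not code from the original post), the following Python builds the RADIUS Access-Request a NAD sends in phase 2 and parses it back the way the server would: the learned MAC is both User-Name and User-Password (PAP-hidden as in RFC 2865), with Service-Type set to Call-Check (attribute 6) and the endpoint IP in Framed-IP-Address (attribute 8). The shared secret, MAC, IP and the lowercase no-separator username format are assumptions.

```python
import hashlib, struct

# Constructed sample values (not from the post); attributes 6 and 8 are the ones enabled in the global switch config.
SHARED_SECRET = b"example-radius-secret"
ENDPOINT_MAC = "00:11:22:33:44:55"
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_IP = 1, 2, 6, 8
CALL_CHECK = 10  # Service-Type a Cisco NAD sends for MAB; ISE treats it as a host lookup

def mab_identity(mac: str) -> str:
    # Assumed Cisco default MAB username format: 12 lowercase hex digits, no separators.
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Server side of the same operation, done before comparing the value with the MAC.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, digest))
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # type, length, value

def build_mab_access_request(mac: str, ip: str, secret: bytes, authenticator: bytes) -> bytes:
    # Access-Request (code 1) for MAB phase 2: MAC as username and password; authenticator = NAD's 16 random bytes.
    identity = mab_identity(mac).encode()
    attrs = (avp(USER_NAME, identity)
             + avp(USER_PASSWORD, hide_password(identity, secret, authenticator))
             + avp(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
             + avp(FRAMED_IP, bytes(int(o) for o in ip.split("."))))
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet: bytes) -> dict:
    # Split the attribute section into {type: value}, as the RADIUS server would.
    attrs, pos = {}, 20
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs
```

Because the "password" is just the MAC, the only secret protecting the exchange is the RADIUS shared secret, which is why the post calls MAB less secure than 802.1x.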

Configuration of MAB on the switch

Global switch configuration:

Switch(config)# radius-server attribute 6 on-for-login-auth
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server attribute 25 access-request include
Switch(config)# radius-server vsa send accounting
Switch(config)# radius-server vsa send authentication

attribute 6: sends the service-type attribute in the authentication packets
attribute 8: sends the IP of a user to the RADIUS server in the access request
attribute 25: specifies the group that the user is a member of
vsa send accounting: switch recognizes and will use accounting attributes
vsa send authentication: switch recognizes and will use authentication attributes

Switchport configuration:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan x
Switch(config-if)# authentication event fail action next-method
Switch(config-if)# authentication event server dead action authorize vlan 10
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# authentication host-mode multi-auth
Switch(config-if)# authentication closed
Switch(config-if)# authentication order mab dot1x
Switch(config-if)# authentication priority dot1x mab
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation restrict
Switch(config-if)# mab
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast

About the Switch(config-if)# authentication closed command:
802.1x drops all traffic prior to a successful 802.1x or MAB authentication. If you want to allow all traffic prior to successful authentication, open-access mode is needed:
Switch(config-if)# authentication open

This command will enable multi-authentication for IP phones with clients attached to them:

Switch(config-if)# authentication host-mode multi-auth

The authentication order mab dot1x and authentication priority dot1x mab commands indicate that MAB will be attempted first, but if 802.1x becomes available, 802.1x will be started to reauthenticate the port.
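An added example (not from the original post) that audits the access-port stanzas of a running-config against the switchport settings listed above: it reports missing commands, open-access mode, and MAB ordered first without 802.1x priority. The configuration excerpt is constructed, with one deliberately weak port.

```python
# Constructed running-config excerpt (not from the blog post); port 1/0/2 is deliberately weak.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication closed
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
!
"""

# Interface commands the post's MAB switchport configuration relies on.
REQUIRED = ("mab", "dot1x pae authenticator", "authentication port-control auto",
            "authentication violation restrict")

def parse_interfaces(config: str) -> dict:
    # Map each 'interface X' stanza to the list of its indented sub-commands.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit_mab_port(commands: list) -> list:
    # Findings for one access port; an empty list means it matches the settings above.
    findings = [f"missing '{cmd}'" for cmd in REQUIRED if cmd not in commands]
    if "authentication open" in commands:
        findings.append("open-access mode: all traffic is allowed before authentication")
    if ("authentication order mab dot1x" in commands
            and "authentication priority dot1x mab" not in commands):
        findings.append("MAB ordered first without 'authentication priority dot1x mab': "
                        "priority follows order, so 802.1x will not preempt the MAB result")
    return findings

def audit_config(config: str) -> dict:
    return {name: audit_mab_port(cmds) for name, cmds in parse_interfaces(config).items()}
```

Run it against the output of show running-config to find ports that silently fell back to open mode or never got MAB enabled.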

Configuration of MAB on Cisco ISE

Click Policy – Policy Elements and make sure “Process Host lookup” is checked in the allowed protocols! You can also create a new protocol group with only this checkbox checked.

(screenshot: host lookup)

To add MAC addresses to the local database, click Administration – identity management – identities – endpoints. Click Add and enter the requested information:

(screenshot: MAB endpoint)

Happy testing!