Cisco ISE 2.0 – Guest authentication ISE configuration

This is a 4-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).

For more guides about configuring (previous) Cisco ISE, see this page. This is part 4, the ISE configuration for guest access.

Configure Cisco ISE

The Authorization profile will be created first, then the authentication and authorization policies are configured.


Installing Cisco WSA

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:

Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware

This is the 2nd post in the series.

Installation of the (virtual) WSA is straightforward. I’ll cover the most important and critical steps in a basic installation.

Hardware appliance

A hardware appliance has 5 interfaces. Connect the required interfaces to your network:

  • T1 + T2 (used for L4TM only)
  • P1 + P2 (used for web proxy)
  • M1 (management or web proxy)

Virtual appliance

The virtual appliance is downloadable as an OVF file. Import the OVF file into your VMware servers with the specifications described in the previous blog post.

Configuration

Your first basic installation starts by connecting to the M1 port, browsing to http://192.168.42.42:8080 and logging in with these default credentials:

  • username: admin
  • password: ironport

You can also connect over SSH with the same login credentials. Start the interface configuration with the interfaceconfig command:

  • Run the edit command.
  • Enter number 1.
  • Enter the IP address, netmask and hostname.

Then run the setgateway command. Select the M1 interface and enter the IP address of the default gateway.

Don’t forget to commit the changes with the commit command. This is only needed for CLI configuration.

And the WSA appliance is up and running!


Cisco WSA Defending Malware

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:

Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware

This is the last post in the series.

Malware... we all know that we don’t want it. But how do we block it?

All websites have a Web-based reputation number (WBRS). This is a number between -10 and +10. You can define which ranges are used for which action. For example: -10 to -5 drop, -4 to +5 scan, +6 to +10 do not scan. The WSA regularly receives updates with new reputations.

Note: these features are licensed!


Cisco ISE Part 5: Configuring wired network devices

This is a Cisco ISE blog post series with some how-tos for configuring the ISE deployment. The series consists of 10 parts.

The blog post agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, part 5: Configuring wired network devices

First some terminology and guidelines:

Single-host mode / multi-host mode: this defines whether 1 or multiple hosts are allowed on the switch port. In multi-host mode, only the first device needs authentication.

Ports are authenticated first before any other traffic can pass.

802.1X is disabled on SPAN ports, trunk ports, dynamic ports, dynamic access ports and EtherChannels.

The Windows client configuration can be pushed by a GPO. Configuration of this GPO is out of scope for this blog.

Configuration

First, add the RADIUS clients in the ISE deployment.

Click Administration – Network Resources – Network Devices, then click Add and enter the requested information.
