Cisco ISE Part 5: Configuring wired network devices

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 5: Configuring wired network devices
First some terminology and guidelines:
Single host mode / multi host mode: this defines whether one or multiple hosts are allowed on the switchport. With multiple hosts, only the first device needs authentication.
A port must be authenticated before any other traffic can pass.
802.1x is disabled on SPAN ports, trunk ports, dynamic ports, dynamic access ports and EtherChannels.
The Windows client configuration can be pushed by a GPO. Configuring this GPO is out of scope for this blog.
Configuration
First, add the RADIUS clients in the ISE deployment.
Click: Administration – Network Resources – Network Devices and click Add. Enter the requested information:
[Screenshot: Radius client 1]
[Screenshot: Radius client 2]

Repeat this step for all devices with ports that need authentication. Don’t forget the Cisco WLCs if you want to authenticate on wireless.

Click Administration – Network Resources – Network Device Groups – Expand Groups – All Locations and click Add.
Create a location, like “corporate_office” or “hq” and click Submit.
[Screenshot: Network device group]
Next, select All Device Types and click Add. In the Name field, type Router (or Switch, or any other type of device you’re using).
[Screenshot: Device groups]
You can create sublayers by type, like Routers – 800 or Routers – 2900.
Associate a RADIUS client with a location and device type:
Click Administration – Network Resources – Network Devices and edit a RADIUS client. Select the correct Location and Device Type.
[Screenshot: Radius client]
Devices (NADs) need TCP 1812 and TCP 1645 for RADIUS communication to the Policy node.
Configure a router for using radius:

Router(config)# aaa new-model
Router(config)# ip radius source-interface f0/0
Router(config)# radius-server host 10.10.2.50 key <mykey>
Router# test aaa group radius admin <password> new-code

Configure a switch:

Switch(config)# aaa new-model
Switch(config)# radius-server host 10.10.2.250
Switch(config)# radius-server key <mykey>
Switch(config)# aaa authentication dot1x default group radius local
Switch(config)# dot1x system-auth-control
Switch(config)# aaa authorization network default group radius
Switch(config)# radius-server vsa send authentication
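
The shared key configured with radius-server key is what ties the NAD to ISE: the NAD hides the password with it and checks every reply against it. The following Python is an added example (not the post's own code, not a Cisco or ISE implementation) of the RFC 2865 Access-Request / Access-Accept exchange that test aaa group radius triggers over UDP port 1812, with a minimal server side so that a reply made with the wrong key can be shown to fail the NAD's check; all names and values are constructed.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def attr(atype, value):
    """Encode one attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def access_request(username, password, secret, nas_ip, ident=1, request_auth=None):
    """The Access-Request a NAD sends (what 'test aaa group radius' triggers)."""
    request_auth = request_auth or os.urandom(16)  # fresh random Request Authenticator
    attrs = [attr(USER_NAME, username.encode()),
             attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def server_reply(request, secret, accept):
    """Minimal server side: Accept/Reject whose authenticator is keyed with the server's secret."""
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    ident, request_auth = request[1], request[4:20]
    return build_packet(code, ident, response_authenticator(code, ident, b"", request_auth, secret), [])

def nad_accepts_reply(request, reply, secret):
    """The NAD's check: same Identifier and a Response Authenticator valid under *its* key."""
    if reply[1] != request[1]:
        return False
    expected = response_authenticator(reply[0], reply[1], reply[20:], request[4:20], secret)
    return expected == reply[4:20]
```

A key mismatch between NAD and ISE therefore shows up on the NAD as a reply that fails validation (and on ISE as a bad-authenticator or unknown-NAD event), not as a wrong-password reject.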

In the ISE console you can see the log entries for denied users. Click Operations – Authentications.
Enabling authentication on clients
First, make sure the correct protocols are selected. Click Policy – Policy Elements – Results – Authentication – Allowed Protocols – Default Network Access (or create a new one).
In my case, I’ll only enable PEAP and disable all the others.
[Screenshot: allow PEAP]
Make sure the correct identity sequence is used. Click Policy – Authentication. Click the Dot1x rule and change the sequence to AD_then_Local (or the one you desire and created before).
[Screenshot: dot1x sequence]
Make sure your switchports are configured as follows:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan x
Switch(config-if)# authentication event fail action next-method
Switch(config-if)# authentication event server dead action authorize vlan 10
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# authentication host-mode multi-auth
Switch(config-if)# authentication closed
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation restrict
Switch(config-if)# ip device tracking
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast
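
The port configuration above is easy to get subtly wrong on one interface (the multi-host uplink discussed in the comments is one case). As an added example, not code from the post or from Cisco, here is a small Python check that parses a show run excerpt into per-interface stanzas and reports ports that miss the core commands listed above or carry settings that admit devices without a successful authentication; the sample configuration is constructed.

```python
# Per-port commands the post lists for an 802.1X access port (subset used by this check).
REQUIRED = ("switchport mode access", "authentication port-control auto", "dot1x pae authenticator")

# Constructed 'show run' excerpt: Gi0/1 follows the post, Gi0/2 mirrors the uplink
# from the comments (multi-host, no PAE), Gi0/3 is a trunk and is out of scope for 802.1X.
SAMPLE_RUN = """\
interface GigabitEthernet0/1
 switchport mode access
 authentication event server dead action authorize vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport mode access
 authentication event no-response action authorize vlan 30
 authentication host-mode multi-host
 authentication port-control auto
!
interface GigabitEthernet0/3
 switchport mode trunk
!
"""

def parse_interfaces(running_config):
    """Map interface name -> its indented config lines, following the IOS 'show run' layout."""
    interfaces, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any global line ends the stanza
    return interfaces

def audit_port(name, lines):
    """Findings for one port: missing commands plus settings that widen access when they trigger."""
    if "switchport mode trunk" in lines:
        return []  # 802.1X is not applied on trunk ports
    findings = [f"{name}: missing '{cmd}'" for cmd in REQUIRED if cmd not in lines]
    if "authentication host-mode multi-host" in lines:
        findings.append(f"{name}: multi-host admits every device behind the first authenticated host")
    if any(l.startswith("authentication event server dead action authorize") for l in lines):
        findings.append(f"{name}: port opens on a dead-server event; alert when this VLAN is assigned")
    if any(l.startswith("authentication event no-response action authorize") for l in lines):
        findings.append(f"{name}: no-response fallback admits supplicant-less devices without authentication")
    return findings

def audit(running_config):
    """Run the port check over a whole running-config; returns one string per finding."""
    return [f for name, lines in parse_interfaces(running_config).items() for f in audit_port(name, lines)]
```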

More about this configuration in part 6 of this blog post series.
For periodic reauthentication of the switchports every 7200 seconds (3600 is the default), configure:

Switch(config-if)# authentication periodic
Switch(config-if)# authentication timer reauthenticate 7200

Configuring the Win7 Supplicant
Start the “Wired AutoConfig” service in services.msc.
Go to your adapter settings and click the “Authentication” tab.
[Screenshot: NIC authentication tab]
Check “Enable IEEE 802.1X authentication”. For the EAP type, select PEAP in the drop-down list.
Click Settings and ensure that “Validate server certificate” is checked. Also make sure that the client has the root certificate of your CA, and select this root certificate.
Ensure that EAP-MSCHAPv2 is selected and “Enable Fast Reconnect” is checked.
Check the switchport authentication:

Switch# show dot1x all summary

And:

Switch# show dot1x interface fa0/x

You can check the authentication logging in ISE:
Click Operations – Authentications
[Screenshot: authentication logging]
Authorization with DACL
Let’s create a DACL that will override the port-based ACL on the interface.
Click Policy – Policy Elements – Results – Authorization – Downloadable ACLs.
Click Add to create a new one and enter the required ACL:
[Screenshot: DACL definition]
Click Policy – Policy Elements – Results – Authorization – Authorization Profiles. Click Add, give this profile a name and select the DACL in the drop-down menu. Check the reauthentication checkbox!
[Screenshot: authorization profile with DACL]
Make sure there is an Active Directory group available with the needed computer accounts. Make this group available in ISE:
Click Administration – Identity Management – External Identity Sources – Active Directory – Groups.
Click Add – select groups from directory and add the group.
Now it’s time to create an authorization policy. Click Policy – Authorization, click the down arrow at a rule and click Insert new rule above.
Click Create new condition (Advanced option).
Fill in the expression and the correct user group.
In the ‘then’ portion of the rule, add an authorization profile: select the Dot1x authorization profile created above.
That’s it, start testing!
Next week part 6 of this blog post series: Policy enforcement and MAB

10 comments

  • hi
    I want to configure Cisco ISE to make use of AD credentials, such that a credential, once authenticated, cannot be used by another person until the first credential de-authenticates.
    For example, user A authenticates with Cisco ISE using username: danimax.
    Nobody should be able to use the credential danimax again while user A is still active on the network.

    • I don’t have an immediate answer on that one. Afaik there are no options for this in AD. For ISE… I have to check that, but I can’t remember such options in the interface or in the config guides. My ISE test servers are down at this moment so I’ll come back on that one.

  • Great guides! I have a quick question on re-authentication if you don’t mind?
    You have the configuration above “authentication periodic”, but is this actually a requirement? And what (if any) functionality is lost if we don’t have this enabled?

    • Thanks! Great question!
      Reauthentication is not needed for clients, but recommended in some cases. A short example:
      Let’s say your laptop is connected to the network because of a machine certificate. For some reason, the machine certificate gets revoked. If you don’t have reauthentication, the laptop can still be connected to the network as long as the switchport is up (this could be forever). If reauthentication is enabled the laptop has to reauthenticate again, but it will fail because of the revoked certificate and the switchport will stop forwarding user traffic.

  • it works like a charm with this topo :
    (PC)—->(SW1)—->(Radius)
    (SW1) : Cisco 2960S
    But when i connected another switch to (SW1) like this :
    (PC)—->(SW2)—->(SW1)—->(Radius)
    (SW1) : Cisco 2960S
    (SW2) : Cisco 2960S factory setting
    Plug the ethernet cable into the PC, the authentication pop-up appears, I click “Cancel” and then the (PC) joins the network!!! (In the first topo, the (PC) can’t join the network if not authenticated.)
    Pls help me, Rob. Many thanks!!!

    • Hi,
      In my understanding, you’ve only configured 802.1x on SW1?
      As far as I can think of right now, I guess that the port is getting authenticated in some way, due to a misconfig of the switchport, or you’ve missed something in ISE. Double check the logging in ISE and check how the port is getting authenticated!

      • OMG you’re right! Something is wrong with my config.
        But with this topo :
        (PC)—->(SW2)—->(SW1)—->(ISE)
        (SW1) : Cisco 2960S
        (SW2) : Cisco 2960S factory settings, 802.1x not configured (or other switches that don’t support 802.1x)
        Should I use MAB for this case (config MAB on (ISE) to permit (SW2))? If I use MAB, does the (PC) attached to (SW2) have to be authenticated? Or will the (PC) bypass because (SW2) already bypassed?
        Many thanks!!!!

        • Once the switchport on SW1 connected to SW2 is authenticated, every device on SW2 will get network access. You have to use the “authentication host-mode multi-auth” interface command for this.
          It is highly recommended to configure SW2 for 802.1x and not use the factory settings.

          • I know, but if SW2 is a non-Cisco switch (or doesn’t support 802.1X), I think that the only plan is using MAB.
            I will try and tell you soon. Thanks Rob!

          • Andre Rizal Sinaga

            Hello friends,
            I’m doing an 802.1X authentication implementation with a RADIUS server using multi-host mode.
            For the RADIUS server, I use Windows Server 2008 R2 Enterprise with the roles AD DS, AD CS, DNS Server, DHCP Server and Network Policy and Access Services (NPS) installed. I use the PEAP-MSCHAPv2 method.
            When authentication succeeds the client is redirected to VLAN 10, and if it fails it is directed to VLAN 30.
            For the authenticator and supplicant switches, I use the Cisco Catalyst 2960-CX series.
            Network topology:
            3 clients — g0/2, g0/3, g0/4 — supplicant switch (switch2) — g0/1 (supplicant switch) to g0/3 — authenticator switch (switch1) – g0/1 – RADIUS server.
            Authenticator script:
            Switch1#sh run
            Building configuration…
            Current configuration : 3391 bytes
            !
            ! Last configuration change at 06:17:02 UTC Fri Nov 3 2017
            ! NVRAM config last updated at 06:17:09 UTC Fri Nov 3 2017
            !
            version 15.2
            no service pad
            service timestamps debug datetime msec
            service timestamps log datetime msec
            no service password-encryption
            !
            hostname Switch
            !
            boot-start-marker
            boot-end-marker
            !
            !
            aaa new-model
            !
            !
            aaa authentication dot1x default group radius
            aaa authorization network default group radius
            aaa accounting network default start-stop group radius
            !
            aaa session-id common
            system mtu routing 1500
            !
            crypto pki trustpoint TP-self-signed-375xxxx
            enrollment selfsigned
            subject-name cn=IOS-Self-Signed-Certificate-375xxxxxxxx
            revocation-check none
            rsakeypair TP-self-signed-3753xxxxxxxx
            !
            !
            crypto pki certificate chain TP-self-signed-3753304576
            certificate self-signed 01
            quit
            dot1x system-auth-control
            !
            spanning-tree mode rapid-pvst
            spanning-tree extend system-id
            !
            vlan internal allocation policy ascending
            !
            interface GigabitEthernet0/1
            switchport mode access
            !
            interface GigabitEthernet0/2
            !
            interface GigabitEthernet0/3
            switchport mode access
            authentication event fail action authorize vlan 30
            authentication event no-response action authorize vlan 30
            authentication host-mode multi-host
            authentication port-control auto
            dot1x pae authenticator
            !
            interface GigabitEthernet0/4
            !
            interface GigabitEthernet0/5
            !
            interface GigabitEthernet0/6
            !
            interface GigabitEthernet0/7
            !
            interface GigabitEthernet0/8
            !
            interface GigabitEthernet0/9
            !
            interface GigabitEthernet0/10
            !
            interface GigabitEthernet0/11
            !
            interface GigabitEthernet0/12
            !
            interface Vlan1
            ip address 10.123.10.250 255.255.255.0
            !
            interface Vlan10
            ip address 172.16.10.250 255.255.255.0
            ip helper-address 10.123.10.10
            !
            interface Vlan30
            ip address 172.16.30.250 255.255.255.0
            ip helper-address 10.123.10.10
            !
            ip forward-protocol nd
            ip http server
            ip http secure-server
            !
            radius server host
            address ipv4 10.123.10.10 auth-port 1812 acct-port 1813
            key 12345
            !
            !
            line con 0
            line vty 5 15
            !
            end
            ===============================================================
            Supplicant switch script:
            Switch2#sh run
            Building configuration…
            Current configuration : 973 bytes
            !
            ! Last configuration change at 06:17:51 UTC Fri Nov 3 2017
            !
            version 15.2
            no service pad
            service timestamps debug datetime msec
            service timestamps log datetime msec
            no service password-encryption
            !
            hostname Switch
            !
            boot-start-marker
            boot-end-marker
            !
            !
            no aaa new-model
            system mtu routing 1500
            !
            spanning-tree mode rapid-pvst
            spanning-tree extend system-id
            !
            vlan internal allocation policy ascending
            !
            interface GigabitEthernet0/1
            !
            interface GigabitEthernet0/2
            !
            interface GigabitEthernet0/3
            !
            interface GigabitEthernet0/4
            !
            interface GigabitEthernet0/5
            !
            interface GigabitEthernet0/6
            !
            interface GigabitEthernet0/7
            !
            interface GigabitEthernet0/8
            !
            interface GigabitEthernet0/9
            !
            interface GigabitEthernet0/10
            !
            interface GigabitEthernet0/11
            !
            interface GigabitEthernet0/12
            !
            interface Vlan1
            no ip address
            !
            ip forward-protocol nd
            ip http server
            ip http secure-server
            !
            line con 0
            line vty 5 15
            !
            end
            Switch#
            I found the problem: when my authenticator connects to the supplicant switch, the authentication notification does not appear on the client; the authentication fails directly.
            From my configuration above, is there anything wrong or anything that needs to be added?
            I would appreciate your help, thank you very much.
