Cisco ISE Part 6: Policy enforcement and MAB

This is a Cisco ISE blog post series with some how-to's for configuring an ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 6: Policy enforcement and MAB
Policy enforcement in Cisco ISE is based on authentication and authorization.
Some authentication protocols:

  • pap
  • chap
  • ms-chapv1/2
  • eap-md5
  • eap-tls
  • leap
  • peap
  • eap-fast

Authorization can consist of:

  • DACL
  • VLAN
  • webauth
  • smartport
  • MACsec
  • WLC ACL
  • NEAT
  • Filter-ID
  • reauth timer

Authentication policy: defines the protocols ISE uses to communicate with network devices
Policy: a set of conditions
Condition: a rule that evaluates to true or false
The result of an authentication policy is the identity method. It can be any one of the following:

  • Deny access
  • Identity database (single db)
  • Identity source sequences (sequence of db’s)

If authentication fails, the user is not found, or the process fails, one of these actions can be configured:

  • reject
  • drop
  • continue
  • authorization policy

Simple authentication
You cannot define any condition for simple policies because a simple policy assumes that all conditions have been met.
Rule-based authentication policies
Dynamic protocol selection, based on conditions:

  • Simple condition
  • Compound condition (multiple simple conditions with an AND or OR relationship)

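To make the flow above concrete (authentication rule, identity source sequence, the reject/drop/continue action when a user is not found, then the authorization rules built from simple and compound AND/OR conditions), here is a small Python model of that evaluation order. It is an added illustration, not ISE code: the attribute names (Service-Type, NAS-Port-Type, AuthenticationStatus), the store contents, rule names and profiles are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]
Condition = Callable[[Request], bool]

def simple(attr: str, value: str) -> Condition:
    """Simple condition: one request attribute compared with one value."""
    return lambda req: req.get(attr) == value

def all_of(*conds: Condition) -> Condition:
    """Compound condition: simple conditions combined with AND."""
    return lambda req: all(c(req) for c in conds)

def any_of(*conds: Condition) -> Condition:
    """Compound condition: simple conditions combined with OR."""
    return lambda req: any(c(req) for c in conds)

@dataclass
class IdentityStore:
    """One identity database (internal endpoints, AD, LDAP, ...)."""
    name: str
    accounts: Dict[str, str]  # identity -> credential; for MAB both are the MAC

    def lookup(self, user: str, password: str) -> str:
        if user not in self.accounts:
            return "not_found"
        return "success" if self.accounts[user] == password else "failed"

@dataclass
class AuthenticationRule:
    name: str
    condition: Condition
    sequence: List[IdentityStore]  # identity source sequence, tried in order
    on_failed: str = "reject"      # reject | drop | continue
    on_not_found: str = "reject"   # reject | drop | continue

@dataclass
class AuthorizationRule:
    name: str
    condition: Condition
    profile: Dict[str, str]        # authorization profile: DACL, VLAN, ...

def authenticate(rule: AuthenticationRule, req: Request) -> str:
    """Walk the identity source sequence until a store knows the identity."""
    for store in rule.sequence:
        outcome = store.lookup(req["User-Name"], req["User-Password"])
        if outcome != "not_found":
            return outcome
    return "not_found"

def evaluate(auth_rules: List[AuthenticationRule], authz_rules: List[AuthorizationRule],
             default_profile: Dict[str, str], req: Request) -> Dict[str, object]:
    """Authentication policy first; the authorization policy runs only if allowed through."""
    auth_rule = next((r for r in auth_rules if r.condition(req)), None)
    if auth_rule is None:
        return {"status": "reject", "reason": "no authentication rule matched"}
    outcome = authenticate(auth_rule, req)
    if outcome != "success":
        action = auth_rule.on_failed if outcome == "failed" else auth_rule.on_not_found
        if action != "continue":
            return {"status": action, "reason": f"{auth_rule.name}: {outcome}"}
        req = dict(req, AuthenticationStatus=outcome)  # "continue": hand on to authz
    authz_rule = next((r for r in authz_rules if r.condition(req)), None)
    return {"status": "accept", "rule": authz_rule.name if authz_rule else "Default",
            "profile": authz_rule.profile if authz_rule else default_profile}

# Constructed sample policy: store contents, rule names and profiles are made up.
ENDPOINTS = IdentityStore("Internal Endpoints", {"00:11:22:33:44:55": "00:11:22:33:44:55"})
AD = IdentityStore("AD1", {"alice": "s3cret"})
AUTH_RULES = [
    # MAB requests carry Service-Type Call-Check; unknown MACs are passed on ("continue")
    AuthenticationRule("MAB", simple("Service-Type", "Call-Check"), [ENDPOINTS],
                       on_not_found="continue"),
    AuthenticationRule("Dot1X", simple("Service-Type", "Framed"), [AD]),
]
AUTHZ_RULES = [
    AuthorizationRule("Unknown-MAB", all_of(simple("Service-Type", "Call-Check"),
                                            simple("AuthenticationStatus", "not_found")),
                      {"vlan": "guest"}),
    AuthorizationRule("Printers", all_of(simple("Service-Type", "Call-Check"),
                                         any_of(simple("NAS-Port-Type", "Ethernet"),
                                                simple("NAS-Port-Type", "Wireless-802.11"))),
                      {"dacl": "PERMIT_PRINT"}),
    AuthorizationRule("Employees", simple("Service-Type", "Framed"),
                      {"vlan": "corp", "dacl": "PERMIT_ALL"}),
]
DEFAULT_PROFILE = {"dacl": "DENY_ALL"}

def decide(req: Request) -> Dict[str, object]:
    """Run one RADIUS request through the sample policy."""
    return evaluate(AUTH_RULES, AUTHZ_RULES, DEFAULT_PROFILE, req)
```

Run `decide()` with a MAB request for a known MAC and it lands on the "Printers" profile; an unknown MAC is not rejected but, because the MAB rule uses "continue", reaches the "Unknown-MAB" authorization rule and gets the guest VLAN. A failed 802.1X password is rejected before authorization is ever consulted, which is the ordering the text describes.
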
Authorization profile
A DACL is applied to the client if it meets specific criteria in the authorization policy. The ACL is applied on the NAD where the client is requesting access to the network. Keep in mind: ISE does not check the syntax of the ACL!
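Because ISE pushes the DACL text as-is, a typo only shows up when the switch rejects the downloaded ACL and the port fails authorization. The following Python check is an added example (not part of ISE or the switch) that validates a DACL body before it is pasted into the authorization profile. It covers a deliberately limited subset of the IOS extended-ACE grammar (permit/deny, ip/tcp/udp/icmp, any/host/wildcard addresses, eq/neq/gt/lt/range ports, log/established); anything outside that subset is an assumption you would extend for your platform.

```python
import ipaddress
from typing import List

ACTIONS = {"permit", "deny"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}

def _take_address(tokens: List[str], pos: int) -> int:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD. Returns next index."""
    if pos >= len(tokens):
        raise ValueError("missing address")
    tok = tokens[pos]
    if tok == "any":
        return pos + 1
    if tok == "host":
        if pos + 1 >= len(tokens):
            raise ValueError("'host' needs an address")
        ipaddress.IPv4Address(tokens[pos + 1])  # raises AddressValueError on garbage
        return pos + 2
    ipaddress.IPv4Address(tok)
    if pos + 1 >= len(tokens):
        raise ValueError(f"address {tok} needs a wildcard mask")
    ipaddress.IPv4Address(tokens[pos + 1])
    return pos + 2

def _take_port(tokens: List[str], pos: int, proto: str) -> int:
    """Consume an optional port match (eq/neq/gt/lt N or range N M); tcp/udp only."""
    if pos >= len(tokens) or tokens[pos] not in PORT_OPS:
        return pos
    if proto not in {"tcp", "udp"}:
        raise ValueError(f"port operator '{tokens[pos]}' not valid for {proto}")
    need = 2 if tokens[pos] == "range" else 1
    ports = tokens[pos + 1:pos + 1 + need]
    if len(ports) < need or not all(p.isdigit() and int(p) <= 65535 for p in ports):
        raise ValueError(f"bad port after '{tokens[pos]}'")
    return pos + 1 + need

def check_ace(line: str) -> str:
    """Return '' if the line is a valid ACE in this subset, otherwise an error message."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return ""
    try:
        if tokens[0] not in ACTIONS:
            raise ValueError(f"unknown action '{tokens[0]}'")
        if len(tokens) < 2 or tokens[1] not in PROTOCOLS:
            raise ValueError("expected protocol ip/tcp/udp/icmp")
        proto = tokens[1]
        pos = _take_address(tokens, 2)          # source
        pos = _take_port(tokens, pos, proto)    # optional source port
        pos = _take_address(tokens, pos)        # destination
        pos = _take_port(tokens, pos, proto)    # optional destination port
        while pos < len(tokens) and tokens[pos] in {"log", "established"}:
            pos += 1
        if pos != len(tokens):
            raise ValueError(f"unexpected token '{tokens[pos]}'")
    except ValueError as exc:  # AddressValueError is a ValueError subclass
        return str(exc)
    return ""

def check_dacl(text: str) -> List[str]:
    """Validate every non-empty line of a DACL body; returns 'line N: error' strings."""
    errors = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            err = check_ace(raw.strip())
            if err:
                errors.append(f"line {n}: {err}")
    return errors

# Constructed sample DACL bodies (addresses and ports are made up).
SAMPLE_DACL = """remark printers: allow DNS and LPD only
permit udp any any eq 53
permit tcp any host 10.10.20.5 eq 515
permit ip any 10.10.30.0 0.0.0.255
deny ip any any
"""
BROKEN_DACL = """permit tcpp any any
deny ip any
permit ip any 10.10.30.0
permit icmp any any eq 8
"""
```

`check_dacl(SAMPLE_DACL)` returns an empty list, while `check_dacl(BROKEN_DACL)` reports all four lines: a misspelled protocol, a missing destination, a network without its wildcard mask, and a port operator on ICMP. Each of these would otherwise be accepted by ISE and only fail on the NAD.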
MAC Authentication Bypass
If a device (endpoint) does not support 802.1X, MAC address authentication can be used, based on the MAC address of the device. Of course, it is less secure because of MAC address spoofing. Hashing and encryption are not really needed because username and password are both the MAC address. EAP-MD5 or PAP is not always necessary.
Benefits:

  • Device visibility
  • Identity based
  • Access control
  • Fallback or standalone authentication
  • Device authentication

Limitations:

  • Requires a MAC db
  • More delay (first packets will be dropped)
  • No user authentication
  • Less secure

MAB uses 4 phases during operation of the endpoint:
Phase 1: Initiation; this times out because there is no 802.1X response
Phase 2: MAC learning; the NAD checks the MAC address with ISE after the endpoint sends its first packet
Phase 3: Authorization; ISE can push a DACL or other authorization objects like VLANs
Phase 4: Accounting
The MAC address database can be the ISE internal db, LDAP or Microsoft AD.
Configuration of MAB on the switch
Global switch configuration:

Switch(config)# radius-server attribute 6 on-for-login-auth
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server attribute 25 access-request include
Switch(config)# radius-server vsa send accounting
Switch(config)# radius-server vsa send authentication

attribute 6: sends the Service-Type attribute in the authentication packets
attribute 8: sends the IP address of the user to the RADIUS server in the Access-Request
attribute 25: specifies the group that the user is a member of
vsa send accounting: the switch recognizes and uses vendor-specific attributes (VSAs) in accounting
vsa send authentication: the switch recognizes and uses vendor-specific attributes (VSAs) in authentication
Switchport configuration:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan x
Switch(config-if)# authentication event fail action next-method
Switch(config-if)# authentication event server dead action authorize vlan 10
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# authentication host-mode multi-auth
Switch(config-if)# authentication closed
Switch(config-if)# authentication order mab dot1x
Switch(config-if)# authentication priority dot1x mab
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation restrict
Switch(config-if)# mab
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast

About the Switch(config-if)# authentication closed command:
802.1X drops all traffic prior to a successful 802.1X or MAB authentication. If you want to allow all traffic prior to successful authentication, open-access mode is needed:
Switch(config-if)# authentication open
This command enables multi-authentication for IP phones with clients attached to them:

Switch(config-if)# authentication host-mode multi-auth

The authentication order mab dot1x and authentication priority dot1x mab commands indicate that MAB will be attempted first, but if 802.1X becomes available, 802.1X will be started to reauthenticate the port.
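Once a few dozen switches carry this port template, the questions worth asking are "which ports are still in open-access mode?" and "where is mab configured but never enforced?". The Python audit below is an added example (not a Cisco tool) that parses a running-config, summarizes the MAB/802.1X state of each access port and lists findings. The sample config is constructed for the example; the assumed defaults (host-mode single-host when not set) and the choice of what counts as a finding are the author's assumptions, not platform behaviour documented on this page.

```python
from typing import Dict, List

# Constructed sample running-config: one closed-mode port, one open-mode port
# and one port where mab is configured but port-control is never set.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication closed
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication order mab
 mab
!
interface Vlan1
 no ip address
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its indented config lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the section
    return sections

def audit_port(lines: List[str]) -> Dict[str, object]:
    """Summarize the MAB/802.1X state of one port and collect findings."""
    has = set(lines)
    order = next((l.split()[2:] for l in lines if l.startswith("authentication order")), [])
    host_mode = next((l.split()[-1] for l in lines if l.startswith("authentication host-mode")),
                     "single-host")  # assumed IOS default when the line is absent
    state: Dict[str, object] = {
        "mab": "mab" in has,
        "dot1x": "dot1x pae authenticator" in has,
        "enforced": "authentication port-control auto" in has,
        "mode": "open" if "authentication open" in has else "closed",
        "host_mode": host_mode,
        "order": order,
        "findings": [],
    }
    if not state["mab"] and not state["dot1x"]:
        return state  # no authentication method configured, nothing to judge
    findings: List[str] = state["findings"]  # type: ignore[assignment]
    if not state["enforced"]:
        findings.append("no 'authentication port-control auto': configured but not enforced")
    if state["mode"] == "open":
        findings.append("open-access mode: all traffic allowed before authentication succeeds")
    if "dot1x" in order and not state["dot1x"]:
        findings.append("order lists dot1x but 'dot1x pae authenticator' is missing")
    if "mab" in order and not state["mab"]:
        findings.append("order lists mab but 'mab' is missing")
    return state

def audit_config(config: str) -> Dict[str, Dict[str, object]]:
    """Audit every access port ('switchport mode access') in a running-config."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()
            if "switchport mode access" in lines}
```

`audit_config(SAMPLE_CONFIG)` reports Gi1/0/1 clean (closed mode, multi-auth, order mab then dot1x), flags Gi1/0/2 for open-access mode and Gi1/0/3 for having mab without port-control auto; Vlan1 is skipped because it is not an access port. Feed it the output of `show running-config` from each switch to find the ports that drifted from the template.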
Configuration of MAB on Cisco ISE
Click Policy – Policy Elements and make sure "Process Host Lookup" is checked in the allowed protocols! You can also create a new protocol group with only this checkbox checked.
(Screenshot: host lookup)
To add MAC addresses to the local database, click Administration – Identity Management – Identities – Endpoints. Click Add and enter the requested information:
(Screenshot: MAB endpoint)
Happy testing!
9 comments

  • Awesome work. We're doing our pilot right now and these guides with pictures are perfect. Much appreciate you taking time out of your day to post these!!

  • I will definitely reach out to you. So far so good. We're government, so everything happens so slow. I'm trying to jump ahead of them and these are awesome for my home lab along with work. It still amazes me to see this new technology come out and then people like yourself seem to already have it nailed down. Although I'm sure you've invested many, many man hours learning the technology. Thanks again and it was awesome to already see a part 7... These ISE notes are hot! No pun intended.

  • It's a very nice blog. It makes me love Cisco ISE more than before. I'm a student and I'm going to make ISE my graduation project, but I have a problem with adding a C2970 switch after I integrated ISE and AD successfully. Any help please?

  • I am doing pilot testing on a site (using ISE 1.2). The customer wants to use MAB authentication. So I made an authz rule that checks MAB auth plus posture compliant, and the result will be access given, but the endpoint doesn't match this rule and goes to the default rule.

    • What happens when you disable posture so only MAB is active? Verify and make sure that the rule will be hit with only MAB enabled. You can add posture rules later on.

      • I tried it. When I removed posture from the rule, it worked. But again, if I add posture to the same rule, the hit doesn't go to this rule and it goes to the default rule, i.e. the no-match rule.
