Cisco ISE Part 6: Policy enforcement and MAB
This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 6: Policy enforcement and MAB
Policy enforcement in Cisco ISE is based on authentication en authorization.
Some authentication protocols:
- pap
- chap
- ms-chapv1/2
- eap-md5
- eap-tls
- leap
- peap
- eap-fast
Authorization can exist of:
- DACL
- VLAN
- webauth
- smartport
- MACsec
- WLC ACL
- NEAT
- Filter-ID
- reauth timer
Authentication policy: defines to protocols ISE is using to communicate with network devices
Policy: set of conditions
Condition: a rule with true of false as response
The result of an authentication policy is the identity method. It can be any one of the following:
- Deny access
- Identity database (single db)
- Identity source sequences (sequence of db’s)
If authentication fails, user is not found or process fails, these actions can be configured:
- reject
- drop
- continue
- authorization policy
Simple authentication
You cannot define any condition for simple policies because a simple policy assumes that all conditions have been met.
Rule based authentication policies
Dynamically protocol selection
- Simple condition
- Compound condition (multiple simple conditions with AND or OR relationship
Authorization profile
a DACL is applied to the client if it meets specific criteria in the authorization policy. This ACL is applied to the NAD where the client is requesting access to the network. Keep in mind, ISE does not check the syntax of the ACL!
MAC Authentication Bypass
If a device (endpoint) does not support 802.1x, MAC address authentication can be used, based on the MAC address of the device. Offcourse, it is less secure because of MAC address spoofing. Hashing and encryption is not really needed because username and password are both the MAC address. EAP-MD5 or PAP is not always necessary.
Benefits:
- Device visibility
- Identity based
- Access control
- Fallback or standalone authentication
- device authentications
Limitations:
- Requires a MAC db
- More delay (first packets will be dropped)
- No user authentications
- Less securee
MAB is using 4 phases during operations of the endpoint:
Phase 1: initation, this will timeout because there is no 802.1x response
Phase 2: MAC learning, the NAD will check the MAC address with ISE after the endpoint sends the first packet
Phase 3: Authorization, ISE can push some DACL or other authorization objects like VLANs
Phase 4: Accounting
The MAC address database can be the ISE internal db, LDAP or Microsoft AD.
Configuration of MAB on the switch
Global switch configuration:
Switch(config)# radius-server attribute 6 on-for-login-auth Switch(config)# radius-server attribute 8 include-in-access-req Switch(config)# radius-server attribute 25 access-request include Switch(config)# radius-server vsa send accounting Switch(config)# radius-server vsa send authentication
attribute 6: sends the service-type attribute in the authentication packets
attribute 8: sends the IP of a user to the RADIUS server in the access request
attribute 25: specifies the group that the user is a member of
vsa send accounting: switch recognizes and will use accounting attributes
vsa send authentication: switch recognizes and will use accounting authentication
Switchport configuration:
Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan x Switch(config-if)# authentication event fail action next-method Switch(config-if)# authentication event server dead action authorize vlan 10 Switch(config-if)# authentication event server alive action reinitialze Switch(config-if)# authentication host-mode multi-auth Switch(config-if)# authentication closed Switch(config-if)# authentication order mab dot1x Switch(config-if)# authentication priority dot1x mab Switch(config-if)# authentication port-control auto Switch(config-if)# authentication violation restrict Switch(config-if)# mab Switch(config-if)# dot1x pae authenticator Switch(config-if)# spanning-tree portfast
About the Switch(config-if)# authentication closed command:
802.1x drops all the traffic prio to a successful 802.1x of MAB authentication. If you want to allow all traffic prior to successful authentication, open-access mode is needed:
Switch(config-if)# authentication open
This command will enable multi authentication for IPphones with clients attached to it:
Switch(config-if)# authentication host-mode multi-auth
The following commands indicates that MAB will be attempted first, but if 802.1x becomes available, 802.1x will be started to reauthenticate the port:
Configuration of MAB on Cisco ISE
Click Policy – Policy Elements and make sure “Process Host lookup” is checked in the allowed protocols! You can also create a new protocol group with only this checkbox checked.
To add MAC addresses to the local database, click Administration – identity management – identities – endpoints. Click Add and enter the requested information:
Happy testing!
Awesome work. Were doing our pilot righg now and these guides with pictures are perfect. Much appreciated you taking time out of your day to post these!!
Good luck with the pilot, please let me know if you have any additions, suggestions or comments to my ise blogs. Your comment is much appreciated!
Good luck with the pilot, please let me know if you have any additions, suggestions or comments to my ise blogs. Your comment is much appreciated!!
I will definitely reach out to you. So far so good. Were government so everything happens so slow . Im trying to jump ahead of them and these are awesome for my home lab along with work. It stiill amazes me to see this new technology come out and then people like yourself seem to already have it nailed down. Although Im sure youve invested many many man hours learning the technology. Thanks again and it was awesome to already see a part 7…..These ISE notes are hot! No pun intended.
it’s a very nice blog .. it make me love cisco ise more than before .. i’m a student and i’m going to make ise my Graduation project but i have a problem with adding a C2970 switch after i integration between ise and AD Successfully any help plz
Thanks! 🙂 What are you trying to do with the C2970? Only MAB is supported on those switches. Do you have any logs or errors?
I am doing pilot testing on a site (using ISE 1.2). Customer wants to use mab authentication. So I made an authz rule that checks mab auth plus posture compliant and result will be access given but endpoint doesnt match this rule and goes to default rule.
What happens when you disable posture so only MAB is active? Verify and make sure that the rule will be hit with only MAB enabled. you can add posture rules later on.
I tried it. When I removed posture from the rule, it worked. But again if I add posture to same rule the hit doesn’t go to this rule and it goes to default rule i.e. no match rule.