Tag: authentication

Cisco ISE 2.0 – Guest Authentication

Leave a comment

This is a 4 part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).ISEimage
For more guides about configuring (previous) Cisco ISE, see this page.This is part 3, configuring the Cisco WLC for guest access.
Configure WLAN’s on WLC

  1. Navigate to WLAN’s, Create new

Picture12. Configure General Settings:
Read more

Cisco ISE 2.0 – Employee Authentication Based on 802.1x (User auth)

Leave a comment

This is a 4 part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).ISEimage
For more guides about configuring (previous) Cisco ISE, see this page.This is part 2, creating authentication and authorization policies.
Create authentication policy

  1. Navigate to Policy, Authentication
  2. Edit, Wired_802.1X to include Wireless_802.1X, and select “ehlo.lan” domain store.

Picture1
Read more

Cisco ISE 2.0 Active Directory & Radius

Leave a comment

This is a 4 part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).
ISEimageFor more guides about configuring (previous) Cisco ISE, see this page.This is part 1, the prerequisites before you can start configuring any authentication method.
Add ISE to Active Directory domain
Login into ISE and add ISE to the Active Directory domain by following these steps:
Read more

Cisco WSA Authentication

One comment

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 6th part of the series.
A proxy is no real proxy without user authentication. That’s what I’m going to discuss in this post. Authentication is needed for logging and user tracking.
Authentication options:

  • Basic (local accounts)
  • NTLMSSP (for Microsoft Active Directory)

In explicit forwarding mode you can use straightforward proxy authentication. In transparant mode you have to fool the WSA.
In case all authentication services are unavailable, you can choose to permit or block all traffic. You can find this setting in Network > Authentication, click Edit Global Settings.
Read more

Cisco Web Security Appliance introduction

Leave a comment

In this and upcoming posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda for the upcoming weeks:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
In this blog we’ll talk about the product introduction.
The Cisco Web Security Appliance (WSA) is an appliance for securing http, https and ftp traffic from (and to) the internet.
The WSA replaces all, or most of these devices in your network:
Firewall
Webproxy
Anti spyware
Antivirus
URL Filtering
Policy management
As you can see, it’s more than just a regular proxy server.
The internet provides a lot of websites, good websites and bad websites. There are a lot of websites which are not work related for a lot of companies. If you want to limit or block those websites for users, the WSA is the product for you. Limitation can be time based, bandwidth based, user based or category based (79 categories). Road warriors (remote users) can be protected too by Anyconnect security or Web cloud Security, also known as Scansafe.
Read more

Cisco ISE Part 9: Guest and web authentication

5 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 9: Guest and web authentication
Webauthentication can be used for guest access. It can also being used for a last resort for authentication of normal users if the 802.1x supplicant is not working. Access to this portal can be done by a remediation VLAN with limited access to resources. The portal is using HTTP and HTTPS,  because of limited access, the NAD (or WLC) will intercept the HTTP request and redirects it to the web portal.
There are two portals: Guest user portal is a portal the guest is using for logging in. The Sponsor portal is a portal being used by company employees for creating and managing guest accounts. The guest portal is customizable in available options for guest users.
To manage the RADIUS requests, the portal is installed on all required policy nodes. The configuration of the portal (and users) are replicated to all nodes. So, there is a central deployment.
You can configure multiple authorization sources in one rule. So, you can use one SSID for all used: internal production use, BYOD, Guest, etc. This is a nice feature of Cisco ISE.
Configuration
Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.
Edit the DefaultGuestPortal to your needs:

  • Password policies
  • Need of posture client
  • self service
  • device registration
  • DHCP settings
  • Policies
  • etc

guestportal1
guestportal2
Read more

Cisco ISE Part 7: Configuring wireless network devices

6 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 7: Configuring wireless network devices
Configuration
First, add the WLC as a radius client.
Click: Administration – Network Resources – Network Devices. Click Add and create a network device object.
Click Select Existing condition from library, select condition, navigate to Compound condition and select wireless_802.1x.
Click Select Network Access, Allowed Protocols – Default network access. Make sure PEAP is available in this network access rule.
For the authorization profiles, click Policy – Policy Elements – Results
Make sure you select the correct Airespace ACL name.
authprofile
Create an authorization policy that assigns the authorization profile. Click Policy – Authorization. Insert a new row.
Create a new rule, select the “wireless_802.1X” compound condition from the library. To check if the user is also a domain member, add another attribute. Click Select Attribute – <domain> – <usergroup>
 
Browse to the WLC webinterface.
Read more

Cisco ISE Part 6: Policy enforcement and MAB

9 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 6: Policy enforcement and MAB
Policy enforcement in Cisco ISE is based on authentication en authorization.
Some authentication protocols:

  • pap
  • chap
  • ms-chapv1/2
  • eap-md5
  • eap-tls
  • leap
  • peap
  • eap-fast

Authorization can exist of:

  • DACL
  • VLAN
  • webauth
  • smartport
  • MACsec
  • WLC ACL
  • NEAT
  • Filter-ID
  • reauth timer

Authentication policy: defines to protocols ISE is using to communicate with network devices
Policy: set of conditions
Condition: a rule with true of false as response
The result of an authentication policy is the identity method. It can be any one of the following:
Read more

Cisco ISE Part 5: Configuring wired network devices

10 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 5: Configuring wired network devices
First some terminology and guidelines:
Single host mode / Multi host mode. This defines 1 or multiple hosts on the switchport. Only the first device needs authentication.
Ports are authenticated first before any other traffic can pass.
802.1x is disabled in a SPAN port configuration, trunk ports, dynamic ports, dynamic access ports and etherchannels.
The windows client configuration can be pushed by a GPO. Configuration of this GPO is out of scope for this blog.
Configuration
First, add the RADIUS clients in the ISE deployment.
Click: Administration – Network Resources – Network Devices and click Add. Enter the requested information:
Radius client1
Radius client2
Read more