Cisco ISE Demo Script
The purpose of this blog entry is to detail, in the simplest way, key ISE functionalities and lay them out so that they can be easily reviewed or demoed.
We will cover the following, in the order below. Please note that some sections have configuration dependencies on the sections before them.
At some point I will upload the configs for each section. Please feel free to reach out to me in the meantime.
Basic Wired 802.1X Authentication (allow access to the network or deny it completely)
Basic Wired 802.1X Authentication with Change of VLAN/dACL
NOTE that 802.1X works at Layer 2: until the port is authorized the switch only forwards EAPOL frames from the supplicant, so the endpoint has no IP communication at this stage (the RADIUS exchange happens between the switch and ISE, not the endpoint). Good review of the process here: https://en.wikipedia.org/wiki/IEEE_802.1X
Basic Wired 802.1X Authentication (allow access to the network or deny it completely)
In this lab setup the switchport either authorizes the device if the right credentials are provided or denies access completely, in which case the device never reaches a DHCP server and falls back to an APIPA address (169.254.x.x).
The dot1x configuration flow consists of three main parts:
- The switch the endpoint is connected to: AAA and dot1x related config.
- The ISE server, with the switch defined as a network device and the end user as an identity.
- The End Point itself for
In the topology below we will configure the switch, ISE and the Windows devices. Very basic connectivity is already set up as shown in the topology.
Let's start with the switch.
Different types of host authentication modes
single-host - exactly one MAC address is allowed on the port; a second MAC triggers a security violation.
multi-host - one MAC address authenticates and opens the port, and the rest (other VMs on the same host, or anything behind a hub) get in without authentication. Avoid this outside a lab.
multi-domain - has nothing to do with an AD domain; it allows one device in the data domain and one in the voice domain (an IP phone with a PC behind it), each authenticated separately.
multi-auth - every single MAC address has to be authenticated individually, so each VM behind the port has to authenticate (plus one device in the voice domain).
The config below is commented and sequenced according to the steps required.
```sh
! Make sure an enable secret is set (the login method below relies on it)
enable secret 5 $1$AGpH$kIw79LdzMFQ395d/
! Enable the AAA system
aaa new-model
! Point to ISE
aaa group server radius ISE-group
 server name ISE
!
radius server ISE
 address ipv4 192.168.1.101 auth-port 1812 acct-port 1813
 key <shared-secret-with-ISE>
! Console/VTY login keeps using the enable secret, so AAA cannot lock you out
aaa authentication login default enable
! Use RADIUS authentication for dot1x
aaa authentication dot1x default group radius
! Authorization is required for dynamic VLANs and dACLs to be assigned
aaa authorization network default group radius
! Accounting for dot1x sessions goes to RADIUS
aaa accounting dot1x default start-stop group radius
! Include the supplicant's IP address (Framed-IP-Address, attribute 8) in the Access-Request
radius-server attribute 8 include-in-access-req
! Globally enable 802.1X
dot1x system-auth-control
! Reset the port the endpoint is connected to before configuring it
default interface GigabitEthernet1/2
! Switchport configuration details (same port as defaulted above)
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Open mode for testing: traffic is forwarded even if authentication fails
 authentication open
 ! Host mode, see above for what each mode means
 authentication host-mode multi-auth
 authentication port-control auto
 ! Recurring re-authentication
 authentication periodic
 ! Let the server (Session-Timeout) decide how often to re-authenticate
 authentication timer reauthenticate server
 ! Set the port access entity as the authenticator
 dot1x pae authenticator
 ! Interval between EAP-Request/Identity frames sent to the supplicant
 dot1x timeout tx-period 10
! Ensure reachability from the switch to ISE
interface Vlan1
 ip address 192.168.1.102 255.255.255.0
!
! Some default configs
aaa session-id common
!
```
Copy Paste Snippet (Modify Here). Replace the enable secret with your own before pasting: `aaa authentication login default enable` makes that secret the login password, so pasting a hash you do not know the plaintext of locks you out of the switch.
```sh
enable secret 5 $1$AGpH$kIw79LdzMFQ395d/
aaa new-model
!
aaa group server radius ISE-group
 server name ISE
!
radius server ISE
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 key <your shared secret here>
!
aaa authentication login default enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server attribute 8 include-in-access-req
!
dot1x system-auth-control
!
default interface GigabitEthernetX/X
!
!
interface GigabitEthernetX/X
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 authentication open
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
! Make sure connectivity to ISE
interface Vlan1
 ip address X.X.X.X 255.255.255.0
!
!
aaa session-id common
!
```
Once testing is done, move the port from monitor mode to enforcement and allow only one MAC (entered under the interface):
```sh
no authentication open
authentication host-mode single-host
```
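Whether a port is enforcing or merely monitoring is decided by exactly the lines above, so it is worth checking before trusting a deployment. The following Python is an added example, not part of the original post: it parses an IOS-style running-config into global commands and interface stanzas, then flags each dot1x authenticator port that still has `authentication open`, is missing `authentication port-control auto`, or uses `multi-host`, and also reports a missing global `dot1x system-auth-control`. The embedded configuration is constructed from the post's lab port (Gi1/2); Gi1/3 is an added, hypothetical weaker port, and `enforce()` applies the two commands above to every dot1x port so the before and after can be compared.

```python
"""Audit 802.1X port configuration in an IOS-style running-config (added example)."""

# Constructed sample, modelled on the lab config in this post: Gi1/2 is the port
# as first configured (monitor mode); Gi1/3 is a hypothetical weaker port.
LAB_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 authentication open
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet1/3
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-host
 dot1x pae authenticator
!
"""


def parse_config(text):
    """Split a running-config into (global_commands, {interface_name: [commands]})."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("!"):
            current = None          # '!' terminates an interface stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text):
    """Return {port: [findings]} for every dot1x authenticator port, plus a
    '(global)' entry when 802.1X is not enabled switch-wide. Empty list = enforced."""
    global_cmds, interfaces = parse_config(text)
    findings = {}
    if "dot1x system-auth-control" not in global_cmds:
        findings["(global)"] = ["dot1x system-auth-control missing: 802.1X is off for the whole switch"]
    for port, cmds in interfaces.items():
        if "dot1x pae authenticator" not in cmds:
            continue                # not an 802.1X port, nothing to audit
        issues = []
        if "authentication open" in cmds:
            issues.append("authentication open: traffic is forwarded even when authentication fails (monitor mode)")
        if "authentication port-control auto" not in cmds:
            # IOS default for port-control is force-authorized
            issues.append("authentication port-control auto missing: port is effectively force-authorized")
        # IOS default host mode when the command is absent is single-host
        host_mode = next((c.split()[-1] for c in cmds if c.startswith("authentication host-mode")), "single-host")
        if host_mode == "multi-host":
            issues.append("host-mode multi-host: one authenticated MAC opens the port for every other MAC")
        if "switchport mode access" not in cmds:
            issues.append("switchport mode access missing")
        findings[port] = issues
    return findings


def enforce(text):
    """Rewrite the config the way the post's enforcement step does: drop
    'authentication open' and set single-host mode on every port that has a host-mode."""
    out = []
    for line in text.splitlines():
        if line.strip() == "authentication open":
            continue
        if line.strip().startswith("authentication host-mode"):
            line = " authentication host-mode single-host"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for port, issues in audit(LAB_CONFIG).items():
        print(port, "->", "OK" if not issues else "; ".join(issues))
    print("after enforcement:", audit(enforce(LAB_CONFIG)))
```

Run against a real `show running-config` export the same way; a port that shows up with an empty finding list is one where a failed authentication actually blocks traffic.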
Let's configure ISE now.
OPTIONAL: relax the ISE internal user password policy so that a simple lab password is accepted. Lab only; leave the default policy in place on a production deployment.
Add the user (bob with password cisco123 in this lab; the test command below uses the same credentials).
Add the switch as a network device. This is what lets the switch talk RADIUS to ISE: the IP address and shared secret entered here must match the switch's `radius server ISE` block, and the address must be the one the switch sources RADIUS from (the Vlan1 address above).
From the switch, confirm the RADIUS path with a test authentication:
```sh
debug aaa
test aaa group ISE-group bob cisco123 new-code
```
Finally, let's enable the PC to do 802.1X.
services.msc --> Wired AutoConfig --> Start (the service is dot3svc and is not running by default on Windows desktops; once it runs, the NIC's properties get an Authentication tab where IEEE 802.1X can be enabled).
Useful show/debug commands while testing (`do` is needed when issued from configuration mode):
```sh
do debug radius authentication
show dot1x all
debug aaa
test aaa group ISE-group bob cisco123 new-code
show authentication sessions interface gi1/2
```
Basic Wired 802.1X Authentication with Change of VLAN
No additional switch configuration is required for the change of VLAN/dACL: `aaa authorization network default group radius` from the section above already lets the switch apply what ISE returns in the Access-Accept.
This builds upon the lab above. Instead of flatly denying network access to the user, we put it on a separate VLAN. Keep in mind that a VLAN assigned this way still grants access to whatever lives in that VLAN, so restrict it as you would a guest segment.
Make sure the user is a member of a user group (the authorization policy matches on that group).
Create an Authorization Profile that sets the VLAN to 30 (or whichever VLAN you want).
Set the Policy Set (Authorization Policy) so that the rule matching that group returns the profile.
And that is it!
Now let the user bob log in; the switchport VLAN should change to the desired VLAN (check with `show interface gi1/2 switchport` or `show authentication sessions interface gi1/2`).
Configuring a dACL is pretty much the same as the VLAN change above:
- Make the dACL
- Attach the dACL to the authorization profile
- Now re-authenticate the PC and you should see the downloaded ACL on the switch (show ip access-list). The switch has to learn the endpoint's IP address (IP device tracking) before it can apply a dACL; if `show authentication sessions ... details` reports the IPv4 address as Unknown, check that first.
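The VLAN change and the dACL above are both carried in the RADIUS Access-Accept that ISE returns to the switch: the VLAN as the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple, the dACL as a Cisco AV-pair naming the ACL (the switch then downloads its contents in a separate RADIUS exchange; that name is what the `ACS ACL:` line in the session output shows). The following Python is an added example, not code from the post or from Cisco: it encodes that Access-Accept, computes the Response Authenticator from the shared secret the way RFC 2865 specifies, and shows the check the switch performs before applying anything. The shared-secret placeholder and the ACL name are taken from the post; the packet identifier, the request authenticator and the simplified switch-side functions are assumptions for illustration, and Message-Authenticator (attribute 80), which EAP exchanges also require, is left out.

```python
"""Encode and verify the RADIUS Access-Accept behind a VLAN / dACL authorization (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
# RFC 2865 / RFC 2868 attribute numbers, and Cisco's IANA vendor id
ATTR_VENDOR_SPECIFIC, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="


def attribute(attr_type, value):
    """Type / Length / Value, length covering the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_integer(attr_type, value, tag=1):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte integer."""
    return attribute(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_string(attr_type, text, tag=1):
    return attribute(attr_type, bytes([tag]) + text.encode())


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Cisco (9) sub-attribute 1, cisco-avpair."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier, request_authenticator, secret, vlan=None, dacl=None):
    """The Access-Accept ISE sends for an authorization profile with a VLAN and/or dACL."""
    attrs = b""
    if vlan is not None:
        attrs += tagged_integer(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
        attrs += tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
        attrs += tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan))
    if dacl is not None:
        attrs += cisco_avpair(DACL_PREFIX + dacl)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Switch-side check: only a peer holding the shared secret can produce this authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_authorization(packet):
    """Return (vlan, dacl_name) from an already verified Access-Accept; None when absent."""
    vlan = dacl = None
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # the leading byte is a tag only when it is 0x00..0x1F (RFC 2868 3.6)
            vlan = (value[1:] if value and value[0] <= 0x1F else value).decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            text = value[6:4 + sub_len].decode()
            if sub_type == CISCO_AVPAIR and text.startswith(DACL_PREFIX):
                dacl = text[len(DACL_PREFIX):]
        pos += length
    return vlan, dacl


if __name__ == "__main__":
    secret = b"sharedsecret_with_ISE"            # the post's placeholder shared secret
    request_auth = os.urandom(16)                # the switch picks this per Access-Request
    reply = build_access_accept(7, request_auth, secret, vlan=30,
                                dacl="#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57452910")
    print("authentic:", verify_response(reply, request_auth, secret))
    print("authorization:", parse_authorization(reply))
    print("wrong secret accepted:", verify_response(reply, request_auth, b"guess"))
```

The point to take away is what the shared secret does and does not protect: a host on the path between switch and ISE cannot forge a VLAN 30 or dACL assignment without it, but the attributes themselves travel in the clear, so keep the RADIUS path on a management segment and use a long, per-device secret.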
Notice the deny to 184.108.40.206. In the session capture below, the `ACS ACL:` line carries the dACL name ISE returned, and note that this endpoint was authorized by MAB (`dot1x Stopped`, `mab Authc Success`), which is why its User-Name is its MAC address:
```sh
Switch# sh authentication sessions interface gigabitEthernet 2/0/1 details
            Interface:  GigabitEthernet2/0/1
          MAC Address:  9457.a5b0.0ade
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  94-57-A5-B0-0A-DE
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A0000640000012B75977C34
      Acct Session ID:  0x00000039
               Handle:  0xE7000033
       Current Policy:  POLICY_Gi2/0/1

     Service Template:  DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success
```
Now check the ping from the PC: you should not be able to ping 220.127.116.11 anymore.
To be continued...
SNMP Trap
```sh
! Read-only community; SNMPv2c sends it in cleartext, so prefer SNMPv3 outside a lab
snmp-server community snmp_ro RO
! Source traps and informs from the management SVI
snmp-server trap-source Vlan10
snmp-server source-interface informs Vlan10
! Authentication-failure and link-state traps
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps
! Trap receiver
snmp-server host 10.10.10.4 version 2c snmp_ro
```