Configuring Wired 802.1x/MAB Authentication with Cisco ISE

This post documents the configuration steps required for Wired 802.1x and MAB authentication on Cisco Catalyst switches using Cisco ISE 2.0 as the RADIUS server. ISE is configured to use Microsoft AD as the External Identity Store, so that users and computers are authenticated against the AD domain.

The switch is already configured for VLANs, routing etc., and at this point any device plugged into the switch is able to access the network. Basic ISE functionality has already been configured (integration with AD/PKI).

Software/Hardware Used:
Cisco Catalyst 3650 – IP Services 12.2(55)SE4
Cisco ISE 2.0 with patch 2
Microsoft Server 2008 R2 (Domain Controller, DNS, DHCP)

Switch Commands

Global RADIUS Commands (each command is followed by its function)

radius-server host 192.168.10.14 auth-port 1645 acct-port 1646 key cisco1234
    Defines ISE as a RADIUS server, specifying the authentication/accounting ports and the shared secret. One line is needed per ISE node.

aaa server radius dynamic-author
client 192.168.10.4 server-key cisco1234
client 192.168.10.14 server-key cisco1234
    Ensures the switch is able to handle RADIUS Change of Authorization (CoA). Define all ISE servers as clients; CoA requests from a server not listed here are rejected.

aaa group server radius ISE
server 192.168.10.14 auth-port 1645 acct-port 1646
server 192.168.10.4 auth-port 1645 acct-port 1646
    Defines a RADIUS server group (in this instance called ISE) to be referenced by the AAA method lists.

radius-server attribute 6 on-for-login-auth
    Include RADIUS attribute 6 (Service-Type) in every Access-Request.

radius-server attribute 8 include-in-access-req
    Include RADIUS attribute 8 (Framed-IP-Address) in every Access-Request.

radius-server attribute 25 access-request include
    Include RADIUS attribute 25 (Class) in every Access-Request.

ip radius source-interface vlan 10
    Defines the source interface/IP for RADIUS packets. Useful when the switch has multiple SVIs, since the source address must match the address of the Network Device defined in ISE.

radius-server dead-criteria time 30 tries 3
    Wait for 3 unanswered tries over 30 seconds before marking a RADIUS server dead.

radius-server deadtime 30
    Keep a dead RADIUS server marked DOWN for 30 minutes; once the timer expires it is marked UP and used again.

radius-server vsa send authentication
    Allows vendor-specific attributes (cisco-av-pair, which carries DACLs among other things) to be used for authentication.

radius-server vsa send accounting
    Allows vendor-specific attributes to be used for accounting.

Global AAA Method List Commands (each command is followed by its function)

aaa new-model
    Enables the AAA access control model; required before any other aaa command.

aaa authentication dot1x default group ISE
    802.1x port-based authentication method list, sending authentication to the ISE group.

aaa authorization network default group ISE
    Network authorization (VLAN/ACL assignment) from the ISE group.

aaa authorization auth-proxy default group ISE
    Authentication and authorization for webauth (authentication proxy) transactions.

aaa accounting dot1x default start-stop group ISE
    Defines ISE as the accounting server for dot1x sessions.

aaa accounting update periodic
    Update accounting records at regular intervals.

Other Global Commands (each command is followed by its function)

dot1x system-auth-control
    Globally enables 802.1x port-based authentication.

ip device tracking
    Allows the switch to track IP devices; this is how the switch learns the client IP address needed for attribute 8 and for DACLs.

Interface Level Commands (each command is followed by its function)

interface gigabitethernet 1/0/1
switchport mode access
switchport access vlan 11
spanning-tree bpduguard enable
spanning-tree portfast
    The basics (select the port, define the VLAN, enable BPDU Guard and PortFast).

authentication event fail action next-method
    Action to take if a configured authentication method fails (e.g. attempt MAB if dot1x fails; dot1x has the higher priority).

authentication host-mode single-auth
    Defines how many hosts may be authenticated on the port (single host, single host plus voice, multiple authenticated hosts plus voice, or multiple hosts).

authentication order dot1x mab
    Authentication method order (dot1x/mab/webauth).

authentication priority dot1x mab
    Authentication method priority (dot1x/mab/webauth).

authentication port-control auto
    Enables 802.1x authentication on the interface.

authentication violation restrict/shutdown/replace
    Defines the action to take when a security violation is triggered (for example a second MAC address appearing on a single-host port).

mab
    Enables MAB on the interface.

dot1x pae authenticator/supplicant/both
    Enables 802.1x on the port as authenticator, supplicant or both.

dot1x timeout tx-period 10
    EAP-Request/Identity retransmission period in seconds. This determines how long a client without a supplicant waits before the port falls back to MAB.

authentication event server dead action reinitialize vlan 12
    If all RADIUS servers are marked DEAD, reinitialize the port in VLAN 12 (in this instance a different VLAN; it could be the same VLAN as before).

authentication event server dead action authorize voice
    When the RADIUS servers are marked DEAD, authorize the voice VLAN (fail open).

authentication event server alive action reinitialize
    When the RADIUS servers are marked UP again, reinitialize the port, which then goes through the normal AuthC then AuthZ procedure.

authentication open
    Open mode: if authentication/authorization fails the device still has network access.

no authentication open
    Closed mode: if authentication/authorization fails the device has no network access. This is the default, so the command does not appear in the interface running configuration.

Switch Configuration

aaa new-model
ip device tracking
dot1x system-auth-control

aaa group server radius ISE
server 192.168.10.14 auth-port 1645 acct-port 1646
server 192.168.10.4 auth-port 1645 acct-port 1646
load-balance method least-outstanding batch-size 5

aaa server radius dynamic-author
client 192.168.10.4 server-key cisco1234
client 192.168.10.14 server-key cisco1234

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic
aaa accounting dot1x default start-stop group ISE

interface gigabitethernet 1/0/1
switchport mode access
switchport access vlan 11
spanning-tree bpduguard enable
spanning-tree portfast
authentication event fail action next-method
authentication host-mode single-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
authentication event server alive action reinitialize
authentication event server dead action reinitialize vlan 12
authentication event server dead action authorize voice
mab
dot1x pae authenticator
dot1x timeout tx-period 10

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 30 tries 3
radius-server host 192.168.10.14 auth-port 1645 acct-port 1646 key cisco1234
radius-server host 192.168.10.4 auth-port 1645 acct-port 1646 key cisco1234
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
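Two of the pitfalls the tables above call out (every ISE node must also be a dynamic-author client, and a port must not be left in open mode) are easy to check mechanically. The following added example, which is not part of the original post, runs such a check over the configuration above; the page has lost the indentation of the interface block, so the parser assumes a block ends at the next global keyword.

```python
import re

# The post's own switch configuration, trimmed to the lines these checks inspect;
# the page has lost the indentation, so blocks are delimited by global keywords.
SWITCH_CONFIG = """\
aaa group server radius ISE
server 192.168.10.14 auth-port 1645 acct-port 1646
server 192.168.10.4 auth-port 1645 acct-port 1646
aaa server radius dynamic-author
client 192.168.10.4 server-key cisco1234
client 192.168.10.14 server-key cisco1234
interface gigabitethernet 1/0/1
authentication port-control auto
authentication violation restrict
authentication event server dead action reinitialize vlan 12
radius-server dead-criteria time 30 tries 3
"""

GLOBAL_PREFIXES = ("aaa ", "radius-server ", "ip ", "dot1x system", "interface ")

def interface_blocks(config):
    """Map each interface to its commands; a block ends at the next global command."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(GLOBAL_PREFIXES):
            current = None
        elif current:
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Return findings for the CoA and fail-open pitfalls described in the tables; [] is clean."""
    findings = []
    servers = set(re.findall(r"^server (\S+)", config, re.M))
    coa_clients = set(re.findall(r"^client (\S+)", config, re.M))
    for ip in sorted(servers - coa_clients):
        findings.append(f"RADIUS server {ip} is not a dynamic-author client, so its CoA requests are rejected")
    for name, lines in interface_blocks(config).items():
        if "authentication port-control auto" not in lines:
            continue  # port is not enforcing 802.1x/MAB, nothing to check
        if "authentication open" in lines:
            findings.append(f"{name}: open mode, hosts keep network access even if authentication fails")
        if not any(l.startswith("authentication violation") for l in lines):
            findings.append(f"{name}: no violation action configured")
        if not any(l.startswith("authentication event server dead") for l in lines):
            findings.append(f"{name}: no action defined for when all RADIUS servers are dead")
    return findings
```

Run `audit(SWITCH_CONFIG)` against the post's configuration and it returns an empty list; drop one of the `client` lines or add `authentication open` to the port and the corresponding findings appear.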

ISE Configuration

Within ISE we need to manually define the switch as a Network Access Device (NAD) and create a Policy Set with specific Authentication and Authorization rules.

Network Device


Create a “Network Device Group” called “Cisco Switch” under Administration > Network Resources > Network Devices

Create a new “Network Device” – Administration > Network Resources > Network Devices

  • Enter the IP address of the switch
  • Select the “Device Type” from the drop down menu, using the device group previously created
  • Tick RADIUS Authentication Settings
  • Enter the shared secret as defined on the switch
  • Click Save

Policy Set

  • Ensure Policy Sets are in use
  • Create a new Policy Set above the Default
  • Give it an appropriate name, e.g. “Wired Auth”
  • Set the following conditions as a minimum:
  • RADIUS:NAS-Port-Type EQUALS Ethernet AND DEVICE:Device Type#All Device Types#Cisco Switch


With these conditions, a session only matches this Policy Set if it arrives over an Ethernet port from a device in the previously created NAD group “Cisco Switch”.

Authentication Policy

Create an Authentication rule for MAB Authentication

  • Create a new rule above the default rule
  • Select name as “MAB”
  • Select condition as pre-defined compound condition “Wired_MAB”
  • Select Allow Protocols as pre-defined Allowed Protocols “Default Network Access”
  • Change the default identity store “Internal Users” to “Internal Endpoints”
  • Ensure “If authentication failed” and “If user not found” are both set to “Continue”, so that an unknown MAC address still proceeds to the Authorization Policy rather than being rejected outright

Create an Authentication Rule for 802.1x Authentication

  • Select “Edit” and choose “Insert new row below”
  • Select name as “dot1x”
  • Select condition as pre-defined compound condition “Wired_802.1x”
  • Select Allow Protocols as pre-defined Allowed Protocols “Default Network Access”
  • Select “Actions” to the right of the greyed-out “Default” rule and choose “Insert new row above”
  • Define a store rule, named “PEAP”
  • Select condition and use “Create new condition” – select “Network Access:EAPAuthentication EQUALS EAP-MSCHAPv2”
  • Select the Identity Store as your AD source
  • Duplicate that rule, change its name to “TLS” and change the condition to EQUALS “EAP-TLS”

Authorization Policy

  • Within the Authorization Policy section, create a new rule above the Default called “Domain Users”
  • Leave Identity Group condition as “Any”
  • Select other conditions and “Select Existing Condition from Library”
  • Select “Wired_802.1x” from compound condition list
  • Select “Add Attribute/Value” from the drop down box on the right
  • Select your External Identity Store for your AD (in my lab it’s called LAB_AD)
  • Choose ExternalGroup EQUALS lab.local/Users/Domain Users
  • Select Permissions as pre-defined permissions AuthZ Profile “PermitAccess”
  • Duplicate that rule below it and rename the duplicate “Domain Computers”
  • Change the ExternalGroup condition to EQUALS /Users/Domain Computers
  • Create a new rule above the Default rule (and below the 802.1x rules) – called “MAB”
  • Leave Identity Group condition as “Any”
  • Select other conditions and “Select Existing Condition from Library”
  • Select “Wired_MAB” from compound condition list
  • Click SAVE at the bottom of the screen

Verification

You can verify successful or failed authentication/authorization from ISE within the RADIUS LiveLog section. This reveals the Identity (Username), Endpoint Profile, the Authentication Policy and Authorization Policy matched, and the Authorization Profile applied.


From the switch you can use the command “show authentication session interface fastethernet 1/0/1”. This identifies which authentication method was used (dot1x or mab), whether the currently logged-on identity is a user or a computer (computers are indicated by the host/ prefix) and the IP address of the device connected to the port, amongst other things.


If a device connected to the port is unable to support 802.1x, the port fails over to MAB. In the screenshot below you can confirm that 802.1x failed and MAB authentication succeeded; the username is then the MAC address of the client device.
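The session fields the two paragraphs above tell you to read (method used, host/ prefix, MAC-as-username, IP address) can be pulled out of the switch output programmatically, which is handy when sweeping many ports for endpoints that fell back to MAB. The following added example is not part of the original post; the sample output is constructed to resemble 12.2(55)SE `show authentication sessions interface` output rather than captured from the author's lab.

```python
import re

# Constructed sample modelled on "show authentication sessions interface" output.
SAMPLE_MAB_FALLBACK = """\
            Interface:  GigabitEthernet1/0/1
           IP Address:  192.168.11.50
            User-Name:  001122334455
               Status:  Authz Success
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# MAC formats seen as the MAB username: 001122334455, 00-11-22-33-44-55, 0011.2233.4455
MAC_RE = re.compile(r"^([0-9a-f]{12}|([0-9a-f]{2}[-:]){5}[0-9a-f]{2}|([0-9a-f]{4}\.){2}[0-9a-f]{4})$", re.I)

def parse_session(text):
    """Split the output into its key/value fields and a {method: state} map."""
    fields, methods = {}, {}
    in_methods = False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Runnable methods"):
            in_methods = True
        elif in_methods and not line.startswith("Method"):
            method, _, state = line.partition(" ")
            methods[method] = state.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, methods

def classify(text):
    """Summarise the session the way the verification section reads it."""
    fields, methods = parse_session(text)
    method = next((m for m, s in methods.items() if s == "Authc Success"), None)
    user = fields.get("User-Name", "")
    if user.startswith("host/"):
        identity = "computer"        # machine authentication
    elif MAC_RE.match(user):
        identity = "mac-address"     # MAB: the username is the client MAC
    else:
        identity = "user"
    return {
        "interface": fields.get("Interface"),
        "ip": fields.get("IP Address"),
        "method": method,
        "identity": identity,
        "authorized": fields.get("Status") == "Authz Success",
        # dot1x timed out or failed and the port fell through to MAB
        "mab_fallback": methods.get("dot1x") == "Failed over" and method == "mab",
    }
```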


When using MAB authentication it is highly recommended to use Profiling to determine the fingerprint/make/model of the actual device and to create an Authorization Rule specific to the type of device connecting. Use a custom Authorization Profile that applies a Downloadable ACL (DACL) to restrict exactly what that MAB-authorized (but not strongly authenticated) device can access.



3 thoughts on “Configuring Wired 802.1x/MAB Authentication with Cisco ISE”

  1. great write up; so is vlan 11 the default fall back if all auth fails – in other words that is your “guest” vlan so to speak? Thanks

    1. In closed mode if auth fails, then the user would not get access (assuming the default rule on ISE was to deny). If you wanted some kinds of guest access if auth fails then you’d create some rules in ISE to potentially apply a DACL (restricting access). HTH
