Configuring Wired 802.1x/MAB Authentication with Cisco ISE

The purpose of this blog post is to document the configuration steps required to configure Wired 802.1x and MAB authentication on Cisco Catalyst switches using Cisco ISE 2.0 as the RADIUS server. ISE will be configured to use Microsoft AD as the External Identity Store to authenticate the users and computer onto the AD domain.

The switch is already configured for VLAN, Routing etc and any device plugged into the switch will be able to access the network. Basic ISE functionality has already been configured (integration with AD/PKI).


Software/Hardware Used:
Cisco Catalyst 3560 – IP Services 12.2(55)SE4
Cisco ISE 2.0 with patch 2
Microsoft Server 2008 R2 (Domain Controller, DNS, DHCP)

Switch Commands

Global RADIUS Commands

Command / Function

radius-server host 192.168.10.14 auth-port 1645 acct-port 1646 key cisco1234
radius-server host 192.168.10.4 auth-port 1645 acct-port 1646 key cisco1234
  Function: Defines each ISE node as a RADIUS server, specifying the auth/acct ports and the shared secret

aaa server radius dynamic-author
 client 192.168.10.4 server-key cisco1234
 client 192.168.10.14 server-key cisco1234
  Function: Ensures the switch is able to handle RADIUS CoA. Define all ISE servers as clients

aaa group server radius ISE
 server 192.168.10.14 auth-port 1645 acct-port 1646
 server 192.168.10.4 auth-port 1645 acct-port 1646
  Function: Defines a RADIUS server group (in this instance called ISE) to be used for AAA

radius-server attribute 6 on-for-login-auth
  Function: Include RADIUS attribute 6 (Service-Type) in every Access-Request

radius-server attribute 8 include-in-access-req
  Function: Include RADIUS attribute 8 (Framed-IP-Address) in every Access-Request

radius-server attribute 25 access-request include
  Function: Include RADIUS attribute 25 (Class) in every Access-Request

ip radius source-interface vlan 10
  Function: Defines the source IP/interface/VLAN for RADIUS packets; useful when the switch has multiple SVIs

radius-server dead-criteria time 30 tries 3
  Function: Consider the RADIUS server dead when no response is received within 30 seconds for 3 consecutive attempts

radius-server deadtime 30
  Function: Keep a server that has been marked dead out of rotation for 30 minutes; it is marked UP again once the timer expires

radius-server vsa send authentication
  Function: Limits the set of recognized vendor-specific attributes to only authentication attributes

radius-server vsa send accounting
  Function: Limits the set of recognized vendor-specific attributes to only accounting attributes

Global AAA Method List Commands

Command / Function

aaa new-model
  Function: Enables AAA on the switch; required before the 802.1x method lists below can be defined
aaa authentication dot1x default group ISE
  Function: Specifies the RADIUS server group used for 802.1x port-based authentication
aaa authorization network default group ISE
  Function: Allows ISE to return network authorization, e.g. dynamic VLAN/ACL assignment
aaa authorization auth-proxy default group ISE
  Function: For authentication proxy services
aaa accounting dot1x default start-stop group ISE
  Function: Defines ISE as the accounting server for dot1x sessions
aaa accounting update periodic
  Function: Sends interim accounting updates at regular intervals

Other Global Commands


Command / Function

dot1x system-auth-control
  Function: Globally enables 802.1x port-based authentication
ip device tracking
  Function: Allows the switch to learn and track the IP addresses of connected devices

Interface Level Commands

Command / Function

interface gigabitethernet 1/0/1
 switchport mode access
 switchport access vlan 11
 spanning-tree bpduguard enable
 spanning-tree portfast
  Function: The basics (define the access VLAN, enable BPDU Guard and PortFast)
 authentication event fail action next-method
  Function: Action to take if a configured authentication method fails (e.g. attempt MAB when dot1x fails, dot1x having the higher priority)
 authentication host-mode single-auth
  Function: Defines how many hosts to authenticate (single host; single host plus voice; multiple authenticated hosts plus voice; or multiple hosts)
 authentication order dot1x mab
  Function: Authentication method order (dot1x/mab/webauth)
 authentication priority dot1x mab
  Function: Authentication method priority (dot1x/mab/webauth)
 authentication port-control auto
  Function: Enables 802.1x authentication on the interface
 authentication violation restrict/shutdown/replace
  Function: Defines the action to take when a security violation is triggered
 mab
  Function: Enables MAB on the interface
 dot1x pae authenticator/supplicant/both
  Function: Enables 802.1x on the port as authenticator, supplicant or both
 dot1x timeout tx-period 10
  Function: EAP Request/Identity retransmission period, in seconds

Switch Configuration

aaa new-model
ip device tracking
dot1x system-auth-control

aaa group server radius ISE
 server 192.168.10.14 auth-port 1645 acct-port 1646
 server 192.168.10.4 auth-port 1645 acct-port 1646
 load-balance method least-outstanding batch-size 5

aaa server radius dynamic-author
 client 192.168.10.4 server-key cisco1234
 client 192.168.10.14 server-key cisco1234

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic
aaa accounting dot1x default start-stop group ISE

interface gigabitethernet 1/0/1
 switchport mode access
 switchport access vlan 11
 spanning-tree bpduguard enable
 spanning-tree portfast
 authentication event fail action next-method
 authentication host-mode single-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 30 tries 3
radius-server host 192.168.10.14 auth-port 1645 acct-port 1646 key cisco1234
radius-server host 192.168.10.4 auth-port 1645 acct-port 1646 key cisco1234
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
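The configuration above has a few dependencies that are easy to get wrong when it is rolled out to many switches: every RADIUS server must also be listed as a dynamic-author client or CoA from ISE fails silently, and a port with port-control auto but no mab or dot1x pae authenticator never falls back the way the post describes. The following audit script is an added example, not part of the original post or of any Cisco or ISE tooling; the running-config it checks is constructed inline to mirror this post's configuration, with a second interface left deliberately incomplete and one ISE node deliberately missing from the CoA client list so the audit reports something.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config (not captured from the author's switch),
# modelled on the configuration in this post. GigabitEthernet1/0/2 is deliberately
# incomplete and 192.168.10.4 is deliberately missing from the CoA client list.
SAMPLE_CONFIG = """\
aaa new-model
ip device tracking
dot1x system-auth-control
aaa group server radius ISE
 server 192.168.10.14 auth-port 1645 acct-port 1646
 server 192.168.10.4 auth-port 1645 acct-port 1646
aaa server radius dynamic-author
 client 192.168.10.14 server-key cisco1234
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree bpduguard enable
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
radius-server host 192.168.10.14 auth-port 1645 acct-port 1646 key cisco1234
radius-server host 192.168.10.4 auth-port 1645 acct-port 1646 key cisco1234
"""

# Global commands every 802.1x/MAB switch in this design must carry.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "dot1x system-auth-control",
    "ip device tracking",
    "aaa authentication dot1x default group ISE",
    "aaa authorization network default group ISE",
    "aaa accounting dot1x default start-stop group ISE",
]

# Commands that must accompany "authentication port-control auto" on a port.
REQUIRED_ON_AUTH_PORT = [
    "mab",
    "dot1x pae authenticator",
    "authentication order dot1x mab",
    "authentication event fail action next-method",
    "spanning-tree bpduguard enable",
]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into top-level lines and their indented sub-blocks.
    An indented line belongs to the most recent unindented line."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def _token_after(lines: List[str], prefix: str) -> Set[str]:
    """Collect the token that follows `prefix` on every line starting with it."""
    found: Set[str] = set()
    for line in lines:
        m = re.match(re.escape(prefix) + r"\s+(\S+)", line)
        if m:
            found.add(m.group(1))
    return found


def audit(text: str) -> List[str]:
    """Return findings as strings; an empty list means the config is consistent."""
    top, sections = parse_config(text)
    findings: List[str] = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in top:
            findings.append(f"global: missing '{cmd}'")
    # Every RADIUS server must also be a dynamic-author (CoA) client, or ISE
    # cannot push a re-authentication or a DACL change to this switch.
    hosts = _token_after(top, "radius-server host")
    coa_clients = _token_after(sections.get("aaa server radius dynamic-author", []), "client")
    for host in sorted(hosts - coa_clients):
        findings.append(f"global: RADIUS server {host} is not a dynamic-author client")
    # A port that enforces authentication must carry the full method set,
    # otherwise devices without a supplicant never fall back to MAB.
    for header, body in sections.items():
        if header.startswith("interface ") and "authentication port-control auto" in body:
            name = header.split(" ", 1)[1]
            for cmd in REQUIRED_ON_AUTH_PORT:
                if cmd not in body:
                    findings.append(f"{name}: missing '{cmd}'")
    return findings
```

Run it against a saved `show running-config` by passing the file contents to `audit()`; the required-command lists are the place to encode whatever your own template mandates (for example the `authentication violation` mode or a `dot1x timeout tx-period`).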

ISE Configuration

Within ISE we need to manually define the switch as a NAD (Network Access Device) and create a Policy Set with specific Authentication and Authorization rules.

Network Device


Create a “Network Device Group” called “Cisco Switch” – Administration > Network Resources > Network Devices

Create a new “Network Device” – Administration > Network Resources > Network Devices

  • Enter the IP address of the switch
  • Select the “Device Type” from the drop down menu, using the device group previously created
  • Tick RADIUS Authentication Settings
  • Enter the shared secret as defined on the switch
  • Click Save

Policy Set

  • Ensure Policy Sets are in use
  • Create a new Policy Set above the Default
  • Select an appropriate name eg “Wired Auth”
  • Set Conditions as a minimum
  • RADIUS:NAS-Port-Type EQUALS Ethernet AND DEVICE:Device Type#All Device Types#Cisco Switch


With these conditions, a request will therefore only match this policy set if it arrives over an Ethernet port from a device within the previously created NAD group “Cisco Switch”.

Authentication Policy

Create an Authentication rule for MAB Authentication

  • Create a new rule above the default rule
  • Select name as “MAB”
  • Select condition as pre-defined compound condition “Wired_MAB”
  • Select Allow Protocols as pre-defined Allowed Protocols “Default Network Access”
  • Change Default “Internal Users” to use “Internal Endpoints”
  • Ensure “If authentication failed” and “If user not found” are set to “Continue”

Create an Authentication Rule for 802.1x Authentication

  • Select “Edit” and choose “Insert new row below”
  • Select name as “dot1x”
  • Select condition as pre-defined compound condition “Wired_802.1x”
  • Select Allow Protocols as pre-defined Allowed Protocols “Default Network Access”
  • Select “Actions” to the right of the greyed out “Default” rule – Select “Insert new row above”
  • Define a store rule, named “PEAP”
  • Select condition and use “Create new condition” – select “Network Access:EAPAuthentication EQUALS EAP-MSCHAPv2”
  • Select the Identity Store as your AD source
  • Duplicate that rule and change the name to “TLS” and change the condition to EQUALS “EAP-TLS”

Authorization Policy

  • Within the Authorization Policy section, create a new rule above the Default called “Domain Users”
  • Leave Identity Group condition as “Any”
  • Select other conditions and “Select Existing Condition from Library”
  • Select “Wired_802.1x” from compound condition list
  • Select “Add Attribute/Value” from the drop down box on the right
  • Select your External Identity Store for your AD (in my lab it’s called LAB_AD)
  • Choose ExternalGroup EQUALS lab.local/Users/Domain Users
  • Select Permissions as pre-defined permissions AuthZ Profile “PermitAccess”
  • Duplicate that rule below, rename the duplicated rule and call it “Domain Computers”
  • Change the ExternalGroup to EQUALS /Users/Domain Computers
  • Create a new rule above the Default rule (and below the 802.1x rules) – called “MAB”
  • Leave Identity Group condition as “Any”
  • Select other conditions and “Select Existing Condition from Library”
  • Select “Wired_MAB” from compound condition list
  • Click SAVE at the bottom of the screen

Verification

You can verify successful or failed authentication/authorization from ISE within the RADIUS LiveLog section. This will reveal details of Identity (Username), EndPoint Profile, Authentication Policy matched, Authorization Policy matched and the applied Authorization Profile.


From the switch you can use the command “show authentication session interface fastethernet 1/0/1”. This will identify which authentication method was used (dot1x or mab), the currently logged-on user or computer (a computer account is identified by the host/ prefix) and the IP address of the device connected to the port, amongst other things.


If a device is connected to the port that is unable to support 802.1x then it will fail over to MAB. From the screenshot below you can confirm 802.1x failed and MAB authentication succeeded. The username would equal the mac address of the client device.
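Reading that output by eye across many ports does not scale, and the two facts worth acting on (which method won, and whether the port fell back from 802.1x to MAB) are spread over the field list and the method table. The script below is an added example, not part of the original post; it parses the output format of `show authentication sessions interface` as produced by IOS 12.2(55)SE into the fields described in the two paragraphs above. Both session dumps are constructed to illustrate the layout (a domain computer authenticated with dot1x, and a device that failed dot1x and was admitted by MAB) and were not captured from the author's switch.

```python
import re
from typing import Dict

# Constructed sample output, modelled on the layout of
# "show authentication sessions interface <if>" on IOS 12.2(55)SE.
SESSION_DOT1X = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0011.2233.4455
           IP Address:  192.168.11.20
            User-Name:  host/PC01.lab.local
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
        Authorized By:  Authentication Server
    Common Session ID:  C0A80A0E0000000A001E2F30

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

SESSION_MAB_FALLBACK = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0050.56aa.bb01
           IP Address:  192.168.11.31
            User-Name:  0050.56aa.bb01
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
        Authorized By:  Authentication Server
    Common Session ID:  C0A80A0E0000000B001F0A11

Runnable methods list:
       Method   State
       dot1x    Authc Failed
       mab      Authc Success
"""

CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)
# Method states that mean 802.1x did not succeed before the switch moved on.
FAILED_STATES = {"Authc Failed", "Failed over"}


def parse_session(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into the 'Key:  Value' fields and the per-method state table."""
    fields: Dict[str, str] = {}
    methods: Dict[str, str] = {}
    in_methods = False
    for line in text.splitlines():
        if line.strip() == "Runnable methods list:":
            in_methods = True
            continue
        if in_methods:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1].strip()
            continue
        m = re.match(r"^\s*(.+?):\s+(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {"fields": fields, "methods": methods}


def summarize(text: str) -> Dict[str, object]:
    """Reduce one session to what an operator checks: the winning method, whether
    the identity is a machine account, a user or a bare MAC, and whether the port
    fell back from 802.1x to MAB."""
    session = parse_session(text)
    fields, methods = session["fields"], session["methods"]
    user = fields.get("User-Name", "")
    winner = next((name for name, state in methods.items() if state == "Authc Success"), None)
    if user.startswith("host/"):
        identity = "computer"        # AD machine account
    elif CISCO_MAC.match(user) and winner == "mab":
        identity = "mab-endpoint"    # the username is only the MAC address
    else:
        identity = "user"
    return {
        "interface": fields.get("Interface"),
        "mac": fields.get("MAC Address"),
        "ip": fields.get("IP Address"),
        "method": winner,
        "identity": identity,
        "user_name": user,
        "fell_back_to_mab": winner == "mab" and methods.get("dot1x") in FAILED_STATES,
    }
```

Sessions where `fell_back_to_mab` is true are the ones to reconcile against ISE profiling and the DACL-restricted MAB authorization rule recommended below: a MAB-admitted endpoint that was expected to carry a supplicant is worth a look.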


When using MAB authentication it is highly recommended to use Profiling to determine the fingerprint/make/model of the actual device and to create an Authorization Rule specific to the type of device connecting. Use a custom Authorization Profile that applies a Downloadable ACL (DACL) to restrict exactly what that unauthenticated device can access.

Reference

https://www.youtube.com/watch?v=nazpNmmU2Ys
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html
https://supportforums.cisco.com/discussion/11893846/acl-assignment-radius-cisco-av-pair

Supported RADIUS IETF Attributes

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html
