Wireless 802.1x authentication with Cisco ISE

The purpose of this blog post is to document the configuration steps required to configure Wireless 802.1x authentication on a Cisco vWLC v8.3 using Cisco ISE 2.4 as the RADIUS server.

WLC Configuration

Define AAA Servers

Advertisements

Reset Cisco AP to factory defaults

This post describes the procedure to reset the Cisco Wireless AP to factory defaults; you will need to connect a console cable to the AP in order to complete the procedure.

  • Connect the console cable
  • Unplug the power or network cable if connected to a POE switch
  • Press and hold the Mode button
  • Plug the power back into the AP
  • Wait until the output on the console says button is pressed. Wait for button to be released…
  • Once that message is displayed release the button and allow the AP to boot
    Continue reading “Reset Cisco AP to factory defaults”

Cisco ISE Adaptive Network Control (ANC)

Adaptive Network Control (ANC) is a feature of Cisco ISE that can be used to monitor and control network access of authenticated (via ISE) endpoints. With ANC you have the ability to quarantine and endpoint by restricting access with a DACL or shutting down the interface. ANC is a manual process that can be triggered by an administrator. ANC requires ISE Plus License, the Base license is also required.

This post covers only the configuration of ANC and assumes Cisco ISE and 802.1x is setup and working. The posts below maybe useful to assist when configuring Cisco ISE and Cisco switches in order to authenticate users/computers with 802.1x.

Continue reading “Cisco ISE Adaptive Network Control (ANC)”

EAP Chaining with Cisco ISE

EAP-FAST is a Cisco proprietary EAP authentication method. It provides the ability to chain user and machine authentications together, this is called EAP Chaining. The major advantage of using this protocol is ensuring that only corporate users can authenticate to the network using a corporate issued computer. EAP-FAST is only supported when using Cisco AnyConnect as the dot1x supplicant.

ISE Configuration

This post will cover the configuration of EAP-Chaining on Cisco ISE, using EAP-FAST with EAP-TLS (certificates) as an inner authentication method for both Machine and User authentication. In this lab Cisco ISE version 2.4 and Cisco AnyConnect v4.6 is used.
Continue reading “EAP Chaining with Cisco ISE”

IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router

Cisco introduced VTI to ASA Firewalls in version 9.7.1 as an alternative to policy based crypto maps. Cisco IOS routers have long supported VTI (sVTI, DVTI, DMVPN, FlexVPN etc). This post will describe the steps on how to configure a VTI between a Cisco ASA Firewall and a Cisco IOS Router.

Hardware/Software used:
Cisco ASAv (v9.9.1)
Cisco CSR1000v (v16.3.3)

Continue reading “IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router”

FlexVPN IKEv2 Routing

FlexVPN supports the use of Dynamic Routing protocols such as EIGRP, BGP and OSPF. FlexVPN also has the ability to advertise routes in the IKEv2 SA’s. In order to do this we must configure an IKEv2 Authorization Policy, this policy can be configured on the local router or centrally on a RADIUS server such as ISE.

This post only describes the steps how to configure a local IKEv2 Authorization Policy and IKEv2 Routing on a Hub and Spoke router. For further information on FlexVPN, review these blog posts  Configure FlexVPN Hub and Spoke and Configure FlexVPN with certificate authentication.

Continue reading “FlexVPN IKEv2 Routing”

Recommended IKEv2 Proposal

IKEv2 is an important protocol used in IPSec VPNs, it is used to securely authenticate peers by setting up security associations (SAs). Cisco IOS routers have predefined default encryption, integrity (hashing), DH group and PRF algorithms, some of these algorithms are no longer considered secure and therefore not recommended.

As of Cisco IOS-XE v16.8.1 the default IKEv2 Proposal will be updated, more information here: https://gblogs.cisco.com/uki/deep-dive-a-vpn-journey/

As of 2018 the recommended IKEv2 Proposal ciphers are:
Encryption:
AES-CBC-256
Integrity: SHA512 SHA384
PRF: SHA512 SHA384
DH Group: Group19 Group 14 Group21 Group5

Continue reading “Recommended IKEv2 Proposal”