MACsec provides secure communication on wired networks; it encrypts each frame on the wire so that the link cannot be monitored. There are two deployment types: user-facing (downlink) MACsec and switch-to-switch MACsec.
Downlink MACsec requires a supplicant that supports 802.1X with MACsec; Cisco AnyConnect version 3.0+ supports this functionality. When AnyConnect is configured for MACsec it authenticates the user/computer using 802.1X and then encrypts all traffic sent to the directly attached access-layer switch. Once a frame is received by the access-layer switch it is decrypted, which makes it possible to apply QoS policies or monitor the traffic with NetFlow. The switch can then forward the packet in clear text or, if switch-to-switch MACsec is enabled, re-encrypt it on the next hop.
Switch-to-switch MACsec secures frames on a hop-by-hop basis, decrypting and re-encrypting on each network device (meaning all traffic inside the switches is in clear text). The MACsec sessions on each hop are completely independent as the traffic is routed through the network.
Continue reading “MACsec with Cisco AnyConnect and ISE”
Cisco ISE and Firepower can exchange attributes such as TrustSec SGTs (Security Group Tags), endpoint profile information and IP addresses via pxGrid. These attributes can then be used in Firepower Access Control Policies to permit or deny access as required. In addition, this integration can be used to quarantine users/hosts when a user performs a malicious activity. When Firepower detects the malicious activity it matches a correlation rule on the FMC, which instructs ISE to perform a remediation action such as sending a CoA (Change of Authorization) and quarantining the user by applying a DACL and/or a new SGT.
This post describes how to configure the pxGrid integration between the FMC and ISE. It is assumed that you already have a working ISE environment with users/computers authenticating using dot1x and a working Firepower FMC/FTD environment.
Refer to these previous ISE posts on how to configure ISE, dot1x authentication and more information about configuring TrustSec.
The following software versions were used:
- Firepower Management Centre 126.96.36.199
- Firepower Threat Defence Virtual 188.8.131.52
- Identity Services Engine 2.4
- Windows Server 2008 R2 (Domain Controller and PKI)
- Windows 7 Enterprise
Continue reading “Cisco ISE pxGrid integration with Firepower”
The purpose of this blog post is to document the configuration steps required to configure Wireless 802.1x authentication on a Cisco vWLC v8.3 using Cisco ISE 2.4 as the RADIUS server.
Define AAA Servers
Adaptive Network Control (ANC) is a feature of Cisco ISE that can be used to monitor and control the network access of endpoints authenticated via ISE. With ANC you can quarantine an endpoint by restricting its access with a DACL or by shutting down the interface. ANC is a manual process triggered by an administrator. ANC requires the ISE Plus license; the Base license is also required.
This post covers only the configuration of ANC and assumes Cisco ISE and 802.1X are set up and working. The posts below may be useful when configuring Cisco ISE and Cisco switches to authenticate users/computers with 802.1X.
Continue reading “Cisco ISE Adaptive Network Control (ANC)”
EAP-FAST is a Cisco proprietary EAP authentication method. It provides the ability to chain user and machine authentications together, which is called EAP Chaining. The major advantage of using this protocol is ensuring that only corporate users can authenticate to the network, and only from a corporate-issued computer. EAP-FAST is only supported when using Cisco AnyConnect as the dot1x supplicant.
This post covers the configuration of EAP Chaining on Cisco ISE, using EAP-FAST with EAP-TLS (certificates) as the inner authentication method for both machine and user authentication. In this lab Cisco ISE version 2.4 and Cisco AnyConnect v4.6 are used.
Continue reading “EAP Chaining with Cisco ISE”
When you install an ISE patch from the WebGUI of the Primary PAN (in a distributed deployment), ISE installs the patch on the P-PAN first and, if successful, continues to install it on the remaining nodes automatically. Alternatively you can install the patch from the CLI on each node individually. This allows you to control when the patch is installed on each node and therefore when each node is rebooted and inactive.
If PAN auto-failover is enabled it must be disabled before installing the patch.
This post demonstrates how to install ISE 2.3 patch 2 via the CLI.
Continue reading “Upgrading Cisco ISE via CLI”
In addition to Site-to-Site VPNs, FlexVPN can also be used for Remote Access VPN. It uses the same familiar commands used to configure S2S VPNs. Remote Access VPN can use certificate authentication (mutual certificate authentication between the router and the AnyConnect client), EAP (MD5/MSCHAPv2) or AnyConnect EAP. Authentication and authorization can be performed by local AAA or by an external RADIUS server, which can authenticate users against an Active Directory domain and authorize them based on AD group membership.
This post describes how to configure FlexVPN Remote Access VPN using aggregated authentication (double authentication): AD username/password together with client certificate authentication. The basics of configuring FlexVPN Hub-and-Spoke and certificate authentication are not covered here; they have been described in previous posts here:
Continue reading “FlexVPN Remote Access VPN”