Wireless 802.1x authentication with Cisco ISE

The purpose of this blog post is to document the configuration steps required to configure Wireless 802.1x authentication on a Cisco vWLC v8.3 using Cisco ISE 2.4 as the RADIUS server.

WLC Configuration

Define AAA Servers

Advertisements

Cisco ISE Adaptive Network Control (ANC)

Adaptive Network Control (ANC) is a feature of Cisco ISE that can be used to monitor and control network access of authenticated (via ISE) endpoints. With ANC you have the ability to quarantine and endpoint by restricting access with a DACL or shutting down the interface. ANC is a manual process that can be triggered by an administrator. ANC requires ISE Plus License, the Base license is also required.

This post covers only the configuration of ANC and assumes Cisco ISE and 802.1x is setup and working. The posts below maybe useful to assist when configuring Cisco ISE and Cisco switches in order to authenticate users/computers with 802.1x.

Continue reading “Cisco ISE Adaptive Network Control (ANC)”

EAP Chaining with Cisco ISE

EAP-FAST is a Cisco proprietary EAP authentication method. It provides the ability to chain user and machine authentications together, this is called EAP Chaining. The major advantage of using this protocol is ensuring that only corporate users can authenticate to the network using a corporate issued computer. EAP-FAST is only supported when using Cisco AnyConnect as the dot1x supplicant.

ISE Configuration

This post will cover the configuration of EAP-Chaining on Cisco ISE, using EAP-FAST with EAP-TLS (certificates) as an inner authentication method for both Machine and User authentication. In this lab Cisco ISE version 2.4 and Cisco AnyConnect v4.6 is used.
Continue reading “EAP Chaining with Cisco ISE”

Upgrading Cisco ISE via CLI

When you install an ISE patch from the WebGUI of the Primary PAN (in a distributed deployment), the patch installs the patch on the P-PAN and if successful continues to install the patch on the remaining nodes automatically. Alternatively you can install the patch from the CLI, on each node individually. This will allow you to control when the patches are installed and therefore when the nodes are rebooted an inactive.

If the PAN auto-failover is enabled this must be disabled before installing the patch.

This post will describe will demonstrate how to install ISE 2.3 patch 2 via the CLI.
Continue reading “Upgrading Cisco ISE via CLI”

FlexVPN Remote Access VPN

In addition to Site-to-Site VPNs, FlexVPN can also be used for Remote Access VPN. It uses the same familiar commands as used to configure the S2S VPNs. Remote Access VPN can use certificate authentication (mutual certificate authentication between router and AnyConnect client), EAP (MD5/MSCHAPv2) and AnyConnect EAP. Authentication and Authorization can be performed by local AAA or external RADIUS, which can authenticate the users against Active Directory Domain and authorize depending on AD group membership.

This post will describe how to configure FlexVPN Remote Access VPN using aggregated authentication (double authentication) using AD username/password and client certificate authentication. We will not describe the basics of configuring FlexVPN Hub-and-Spoke or certificate authentication; these have been described in previous posts here:

Continue reading “FlexVPN Remote Access VPN”

Cisco TrustSec Enforcement using Cisco ISE

Cisco TrustSec can be used to segment a network, it classifies traffic and assigns Security Group Tags (SGTs), these tags can be used to enforce (permit/deny traffic at any point in the network.

Classification of traffic can be performed dynamically by ISE depending on the users’ group membership, device type or health (posture) of the computer at time of authentication to the network. The SGTs are propagated throughout the network using 2 methods, inline tagging or SXP. Enforcement can be performed anywhere in the network on Cisco switches, routers, firewalls using a TrustSec Policy which can permit/deny traffic based on source/destination SGT.

Scenario
In this blog post we will setup a simple lab, with an Access Layer Switch (Cisco Catalyst 3560) and an Enforcement Point (CSR1000v Router). Users will authenticate to the network using 802.1x with Cisco ISE (v2.4) as the RADIUS server, this will authorise the user and assign an SGT depending on AD group membership. This SGT will be downloaded to the Access Layer Switch, in turn using SXP, the switch will send the SGT binding to the Enforcement Point router. These SGTs will be used in a TrustSec Policy as the source.

The Servers will be manually classified using IP SGT Mappings on ISE and sent to the Enforcement Point using SXP, this SGT will be used in a TrustSec Policy as the destination.

A TrustSec Policy will be defined on ISE and downloaded to the Enforcement Point, and permit/deny traffic to the servers from Users’ SGT.



Continue reading “Cisco TrustSec Enforcement using Cisco ISE”

Cisco ISE Dynamic VLAN assignment

Dynamic VLAN assignment by a RADIUS server (e.g. Cisco ISE) can be useful when you want to assign a specific VLAN to a user or group of users. In order to achieve this the VLANS configured on the switches must be configured with a name, this name must be consistent across multiple switches. However the VLAN number does not necessarily need to be the same across the switches.The scenario in this blog post will simply define 2 VLANS (ADMIN and USERS), members of the AD group Domain Admins will be assigned to a VLAN called ADMIN and members of the AD group Domain Users will be assigned to a VLAN called USERS.

The configuration of ISE in this post only describes the steps in order to configure Dynamic VLAN assignment. Refer to this previous post on how to configure Cisco ISE for 802.1x authentication.

Continue reading “Cisco ISE Dynamic VLAN assignment”