Configuring Cisco TrustSec Enforcement using Cisco ISE

Cisco TrustSec can be used to segment a network, it classifies traffic and assigns Security Group Tags (SGTs), these tags can be used to enforce (permit/deny traffic at any point in the network.

Classification of traffic can be performed dynamically by ISE depending on the users’ group membership, device type or health (posture) of the computer at time of authentication to the network. The SGTs are propagated throughout the network using 2 methods, inline tagging or SXP. Enforcement can be performed anywhere in the network on Cisco switches, routers, firewalls using a TrustSec Policy which can permit/deny traffic based on source/destination SGT.

In this blog post we will setup a simple lab, with an Access Layer Switch (Cisco Catalyst 3560) and an Enforcement Point (CSR1000v Router). Users will authenticate to the network using 802.1x with Cisco ISE (v2.4) as the RADIUS server, this will authorise the user and assign an SGT depending on AD group membership. This SGT will be downloaded to the Access Layer Switch, in turn using SXP, the switch will send the SGT binding to the Enforcement Point router. These SGTs will be used in a TrustSec Policy as the source.

The Servers will be manually classified using IP SGT Mappings on ISE and sent to the Enforcement Point using SXP, this SGT will be used in a TrustSec Policy as the destination.

A TrustSec Policy will be defined on ISE and downloaded to the Enforcement Point, and permit/deny traffic to the servers from Users’ SGT.

Continue reading “Configuring Cisco TrustSec Enforcement using Cisco ISE”


Configuring Cisco ISE Dynamic VLAN assignment

Dynamic VLAN assignment by a RADIUS server (e.g. Cisco ISE) can be useful when you want to assign a specific VLAN to a user or group of users. In order to achieve this the VLANS configured on the switches must be configured with a name, this name must be consistent across multiple switches. However the VLAN number does not necessarily need to be the same across the switches.The scenario in this blog post will simply define 2 VLANS (ADMIN and USERS), members of the AD group Domain Admins will be assigned to a VLAN called ADMIN and members of the AD group Domain Users will be assigned to a VLAN called USERS.

The configuration of ISE in this post only describes the steps in order to configure Dynamic VLAN assignment. Refer to this previous post on how to configure Cisco ISE for 802.1x authentication.

Continue reading “Configuring Cisco ISE Dynamic VLAN assignment”

Configuring ISE TACACS+

This blog post describes the configuration of Cisco ISE 2.4 TACACS+ (Device Administration) to authenticate and authorize administration of Cisco IOS devices. In this example Cisco ISE will be joined to the Active Directory domain (LAB.LOCAL), and domain group membership will determine the authorization for users.

ISE Configuration

Configure External Identity Source

Active Directory will be used as the authentication ID source, for users and groups.

  • Navigate to Administration > External Identity Sources > Active Directory 
  • Click Add  to configure a new AD Join Point 
  • Join the ISE Node to the domain, enter AD credentials when prompted 
  • Click the Groups tab 
  • Add the groups to be used for TACACS Authentication/Authorisation e.g Network Admin and Helpdesk Users 
  • Click Save

Continue reading “Configuring ISE TACACS+”

Configuring FlexVPN external AAA with RADIUS

This post will describe how to configure FlexVPN authorization using RADIUS AAA, ISE 2.4 will be used as the RADIUS server.

The Hub router will authenticate the spoke routers with RSA certificates. The spoke routers’ certificate will have an value in the OU (organisational unit) field which will identify the location e.g. US-Branch or UK-Branch.  An IKEv2 name-mangler will be used to extract the OU value from the certificate and use this in the authorization request to the RADIUS server. Depending on matching on location in the Authorization rules the RADIUS server will return different values per location.
Continue reading “Configuring FlexVPN external AAA with RADIUS”

Configuring ASA AnyConnect IKEv2/IPSec VPN

See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).

ASA Configuration

Create a Crypto Keypair

crypto key generate rsa label VPN_KEY modulus 2048

Create a CA Trustpoint

crypto ca trustpoint LAB_PKI
keypair VPN_KEY
enrollment terminal
crl nocheck

Continue reading “Configuring ASA AnyConnect IKEv2/IPSec VPN”

Configuring ASA AnyConnect SSL-VPN

This blog post will document how to configure an AnyConnect SSL-VPN on a Cisco ASA firewall using Cisco ISE (2.1 patch 5) as a AAA server for authentication.

ISE Configuration

It is assumed that ISE is installed and configured with the basics (IP addresses and integrated into AD).

Define the ASA as a Network Device

  • Navigate to Administration > Network Resources > Network Devices
  • Create new by clicking Add and define the ASA
  • Specify the INSIDE interface IP address of the ASA
  • Tick the RADIUS Authentication Settings box
  • Specify a shared secret, this will need to match on the ASA configuration
  • Click Save

Continue reading “Configuring ASA AnyConnect SSL-VPN”

Reset Cisco ISE WebGUI/CLI Passwords

In Cisco ISE the WebGUI and CLI admin accounts/passwords are separate. In order to change the passwords you can use the following methods:

  • The CLI Admin password can be changed from the CLI by entering the command password. The CLI password is unique to each ISE node