Tuesday 24 October 2023

csr attributes that are required or optional

 

CN - Common Name
This is the fully qualified domain name (FQDN) that specifies the server's exact location in the Domain Name System (DNS). For example, a component with hostname webBridge1 and parent domain example.com has the fully qualified domain name webBridge1.example.com. The FQDN uniquely distinguishes the component from any other components called webBridge1 in other domains.
Required, see notes below

O - Organization or Business name
Usually the legal incorporated name of a company. It should include any suffixes such as Ltd., Inc., or Corp. Put the attribute in double quotes if it is more than one word, e.g. "Example Inc."
Optional

OU - Organizational unit or Department name
For example, Support, IT, Engineering, Finance. Put the attribute in double quotes if it is more than one word, e.g. "Human Resources"
Optional

L - Location
City or town. For example, London, Boston, Milan, Berlin.
Optional

ST - Province, Region, County or State
For example, Buckinghamshire, California. Do not abbreviate. Put the attribute in double quotes if it is more than one word, e.g. "New Jersey"
Optional

C - Country
The two-letter ISO code for the country where your organization is located. For example, US, GB, FR.
Optional

Email address
An email address to contact the organization. Usually the email address of the certificate administrator or IT department.
Optional

SAN - Subject Alternative Name
From X.509 version 3 (RFC 2459), SSL certificates are allowed to specify multiple names that the certificate should match.
This field enables the generated certificate to cover multiple domains. It can contain IP addresses, domain names, email addresses, regular DNS host names, etc., separated by commas. If you specify this list you must also include the CN in this list. Although this is an optional field, the SAN field must be completed for XMPP clients to accept a certificate; otherwise the XMPP clients will display a certificate error.
Required for XMPP server certificates or if a single certificate is to be used across multiple components. See note below. Note: XMPP server is not supported from version 3.0
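Added example (not from the original page): a small Python helper that turns the attributes above into an OpenSSL "req" config, enforcing the two rules the table states (quote multi-word values; if a SAN list is given the CN must be in it) and sorting each SAN entry into the DNS/IP/email form that an [alt_names] section needs. The emailAddress key and the sample values are assumptions.

```python
"""Build an OpenSSL 'req' config from CSR attributes (added example)."""
import ipaddress
import re

# DN keys OpenSSL understands; 'emailAddress' is assumed to be the key for
# the "Email address" row above.
DN_KEYS = ("C", "ST", "L", "O", "OU", "CN", "emailAddress")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def san_kind(entry):
    """Classify one SAN entry as 'IP', 'email' or 'DNS' for [alt_names]."""
    try:
        ipaddress.ip_address(entry)
        return "IP"
    except ValueError:
        pass
    return "email" if EMAIL_RE.match(entry) else "DNS"


def validate(attrs, san):
    """Return a list of rule violations (empty list means OK)."""
    errors = []
    cn = attrs.get("CN")
    if not cn:
        errors.append("CN is required")
    if attrs.get("C") and not re.fullmatch(r"[A-Z]{2}", attrs["C"]):
        errors.append("C must be a two-letter ISO country code")
    # The table's rule: a SAN list must also carry the CN.
    if san and cn and cn not in san:
        errors.append("CN %r must also appear in the SAN list" % cn)
    return errors


def quote(value):
    """Double-quote multi-word values, e.g. "Human Resources"."""
    return '"%s"' % value if " " in value else value


def build_req_config(attrs, san=None):
    """Return OpenSSL config text; raises ValueError on rule violations."""
    san = list(san or [])
    errors = validate(attrs, san)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["[req]", "distinguished_name = dn", "prompt = no"]
    if san:
        lines.append("req_extensions = v3_req")
    lines += ["", "[dn]"]
    for key in DN_KEYS:
        if attrs.get(key):
            lines.append("%s = %s" % (key, quote(attrs[key])))
    if san:
        lines += ["", "[v3_req]", "subjectAltName = @alt_names", "", "[alt_names]"]
        counters = {"DNS": 0, "IP": 0, "email": 0}
        for entry in san:  # DNS.1 = ..., IP.1 = ..., email.1 = ...
            kind = san_kind(entry)
            counters[kind] += 1
            lines.append("%s.%d = %s" % (kind, counters[kind], entry))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values based on the table's own examples.
    cfg = build_req_config(
        {"CN": "webBridge1.example.com", "O": "Example Inc.",
         "OU": "Human Resources", "C": "GB"},
        ["webBridge1.example.com", "192.0.2.10", "admin@example.com"])
    print(cfg)
    # Then: openssl req -new -newkey rsa:2048 -sha256 -nodes \
    #         -keyout key.pem -out req.csr -config req.cnf
```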

Friday 20 October 2023

ms autopilot URLs


install wildcard on IIS

Needs a DNS name, e.g. site.domain.com

Get your cert into PFX bundle format with a password on the file

Import it into IIS

Then edit the site bindings: add 443, fill in the domain and select the cert

https://comodosslstore.com/resources/how-to-install-a-wildcard-ssl-certificate-on-iis-7-or-8/

Thursday 19 October 2023

cisco duo SSO cisco asa setup

You need a domain like vpn.domain.com

You need a cert for that domain installed and working on the ASA

You need to set up SSO first

You will need to put in the email domain, e.g. domain.com

It will ask you to create a TXT record in DNS

You will need to get the DNS provider to set that up.

Once confirmed you will be able to download the IDP cert from the Duo portal.

Now you can continue with the doc

You will need to add the mail attribute "UserPrincipalName"

https://duo.com/docs/sso-ciscoasa





Tuesday 17 October 2023

Cisco ISE notes

ISE

Test lab is quite involved

  • Need Windows AD
  • ISE
  • VMware
  • Cisco AnyConnect
  • Cisco switch (supports 802.1X)
  • Client PCs connected to the switch
  • WiFi AP might also be useful

802.1X intro
Don't allow any traffic on the port until we know who the client is
Authenticator (the switch)
Authentication server RADIUS -> (ISE)
Supplicant (supplies credentials)

Supplicant -> Authenticator -> Auth Server
 
We can also do posture assessment of the client

VM settings
Download .ISO or .OVA from Cisco

200GB thin provisioned
4 GB RAM (more is better)
4 cores (more is better)
SSD storage is faster


Logging into ISE after install
https://x.x.x.x  (IP or Name)
username: admin
password: set during install


First steps
Download .ISO or .OVA from Cisco
Administration -> network device group
ISE is a security product so it needs to be kept patched.

In VMware vSphere
Right click on the cluster -> Deploy OVF template
Choose upload

You can also try
New -> Virtual machine -> Deploy from Template 

You can also browse into the datastores:
https://192.168.10.100/folder





Deploy OVA VM (set network adapters)
Console
setup (to run script)
hostname
ip address 10.4.9.21
subnet mask 255.255.255.0
default gateway 10.4.9.254
default dns domain    corkcoco.localgov
DNS server    10.4.9.162 / 10.4.10.16
NTP server 10.4.253.1    
Syslog server s.s.s.s
timezone
y to enable ssh
username
password
confirm password


Web interface
Check running version by clicking the cog in the top right -> about ISE and Server


Burger menu in the top left -> Administration -> deployment
Click on your ServerName / ISE node (our server)
You can click "Make primary" (it will need to reboot) to set up HA

Scroll down
Enable device administration service tickbox
RADIUS/TACACS are not encrypted by default

Profiling configuration
Burger menu in the top left -> Administration -> deployment
Go onto "Profiling Configuration" tab
Turn on HTTP (get the user agent)
Turn on DNS
Click Save

Licensing
We will use eval license. 
For production you will need to purchase a license

Certificates
Managing digital certificates with ISE (video on youtube)
Resources:
ISE Webinars: https://cs.co/ise-webinars 
ISE YouTube Channel: https://cs.co/ise-videos  
ISE Resources: https://cs.co/ise-resources  
ISE Community: https://cs.co/ise-community   
ISE Security Integration Guides: https://cs.co/ise-guides
ISE API: https://cs.co/ise-api
ISE NAD Capabilities: https://cs.co/nad-capabilities
ISE Licensing & Evaluations: https://cs.co/ise-licensing

Logging
Burger menu in the top left -> Administration -> Logging
We can add syslog server(s)

old school syslog UDP
new TCP (more reliable)
secure syslog (TCP + encryption)

Syslog UDP 514    (clear text)
Syslog TCP 1468   (clear text)
Secure Syslog TCP 6514 (encrypted)

Facility code is like severity level (LOCAL6 is default / informational)

Maximum 8192
Include alarms 
Comply with RFC 3164
Buffer messages when server down, buffer size 100MB
click Submit

Logging categories
Add your syslog server to the categories
AAA Audit
Failed attempts
Passed authentications
AAA diagnostics
Administrator authentication

Meraki
We can connect Meraki APs
Edit the settings of the WiFi SSID
Configure the ISE server as the radius server + password and click test
input a domain username and password
We need to config it on the ISE end

Logging -> Message Catalog
To see more info on log message IDs
Can be exported to CSV
Filter on ID 5405 RADIUS request dropped

Logging -> Connection filters
We can filter out noisy clients here, a WIFI AP that is broken and keeps sending auth requests filling up logs for example

Maintenance -> Repository
Burger menu in the top left -> Administration -> Maintenance 
Add LOCALDISK root path submit

Can add remote servers
FTP
SFTP
TFTP
NFS
CDROM
HTTP
HTTPS

Submit

Upload a patch to ISE server from web interface
Burger menu in the top left -> Administration -> Maintenance -> Localdisk Management
We can upload patch bundle file (downloaded from cisco)
Select hot patch file .tar.gz
We can apply it later; ISE will need to restart to install it

Maintenance -> Operational data purging
You can select how long before you delete logs
The longer you keep logs the more disk space you need
Enable export repo will export the logs before they are deleted

Upgrade
On latest version so no need for upgrade but this is where you can do it
Check health check first

Health Checks
Burger menu in the top left -> Administration -> Health Checks
Run before upgrades
Upgrade readiness tool, worth running after a fresh install for a baseline.
Can download the report

Backup and restore
Burger menu in the top left -> Administration -> Backup & Restore
Config is light
Operational has logs
We can save to localdisk or remote server we configured
It does not back up your certs; you will need to store them manually in a safe place
You can config a backup schedule 

Admin access
Burger menu in the top left -> Administration -> Admin Access 
Authentication (on left) -> Password policy (tab in middle)  -> Password Lifetime
Turn off
Click save


RBAC
Role based access control policy
If you want to setup limited admins
ERS admin - API

Connect to AD (interactive help top right)
External identity sources
Active directory -> 
join point name dcloud.cisco.com
ad domain dcloud.cisco.com
submit
Yes join nodes
Fill in AD username and password

Groups
Add groups from AD
Retrieve groups 
If you have a big org this could take a long time
Select the groups we want to use for auth
You may want to make some AD groups
ISE-ADMINS
ISE-READ-ONLY
etc

Can change authentication to AD


Admin access -> Settings -> Access
Can set banner logs
Can set ASCII for the CLI login
Save
Session timeout default is 60

Session info shows who's logged in

Settings

Client provisioning (not on day1)
FIPS mode (strong security, turns off clear text protocols/old ciphers, can cause issues)
Security settings turn off TLS1.0 (may restart)

Alarm settings

Posture
Cover  later

Profiling
Can leave default

Enable session resume and fast reconnect
EAP-FAST
PEAP

RADIUS
Should be nothing to change day1

DTLS tunnels can be enabled

Proxy
For ISE internet updates


SMTP server
Email server for ISE to
Settings -> SMS gateway

NTP servers pool.ntp.org
time.nist.gov


Settings -> API settings

API service settings
enable ERS and openAPI

Deploy a patch on CLI
Example is log4j patch
SSH into ISE box

Show what patches have been applied
show logging application hotpatch.log

application install ise-apply-patch-name-SPA.tar.gz LOCALDISK

Deploy a patch via API
Use the rest API to install the patch with curl
curl --insecure --include --user admin:passw0rd -H "accept: application/json" -H "Content-Type: application/json" -X POST https://ise.demo.com:443/api/hotpatch/install -d '{"hotpatchName": "ise-apply-patch-name-SPA.tar.gz", "repositoryName": "LOCALDISK"}'

Task status
curl \
  --insecure \
  --include \
  --user admin:passw0rd \
  -H "accept: application/json" \
  -X GET https://ise.demo.com:443/api/v1/task/[task-id]


One node we can update manually but if we have 50 nodes it would be useful to patch them all with one command.
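Added example (not the page's or Cisco's code): the two curl calls above wrapped in Python so a list of nodes can be patched in one go, each install followed by polling its task until it finishes. The JSON field names for the task id and status are assumptions, and the HTTPS transport is a parameter so it can be swapped for a fake when testing.

```python
"""Patch several ISE nodes via the REST API and wait for each task (added example)."""
import base64
import json
import time
import urllib.request


def urllib_transport(method, url, headers, body=None):
    """Default transport: one HTTPS request, returns (status, parsed JSON).
    TLS is verified; trust your lab CA rather than copying curl --insecure."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


def auth_headers(user, password):
    """Same headers as the curl call: JSON in/out plus HTTP basic auth."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"accept": "application/json", "Content-Type": "application/json",
            "Authorization": "Basic " + token}


def install_hotpatch(node, user, password, patch, repo="LOCALDISK",
                     transport=urllib_transport):
    """POST /api/hotpatch/install and return the task id from the reply."""
    status, reply = transport("POST", "https://%s:443/api/hotpatch/install" % node,
                              auth_headers(user, password),
                              {"hotpatchName": patch, "repositoryName": repo})
    if status not in (200, 202):
        raise RuntimeError("%s: install request failed with HTTP %s" % (node, status))
    return reply["response"]["id"]  # assumed field name


def wait_for_task(node, user, password, task_id, transport=urllib_transport,
                  poll=10, sleep=time.sleep, max_polls=360):
    """GET /api/v1/task/<id> until it is no longer running; return final status."""
    for _ in range(max_polls):
        _, reply = transport("GET", "https://%s:443/api/v1/task/%s" % (node, task_id),
                             auth_headers(user, password))
        state = reply["response"]["status"]  # assumed field name
        if state.lower() not in ("running", "in progress"):
            return state
        sleep(poll)
    raise TimeoutError("%s: task %s still running" % (node, task_id))


def patch_nodes(nodes, user, password, patch, transport=urllib_transport,
                sleep=time.sleep):
    """Patch each node in turn; returns {node: final task status}."""
    results = {}
    for node in nodes:
        task = install_hotpatch(node, user, password, patch, transport=transport)
        results[node] = wait_for_task(node, user, password, task,
                                      transport=transport, sleep=sleep)
    return results


if __name__ == "__main__":
    # Hostnames and patch name here are placeholders from the notes above.
    print(patch_nodes(["ise.demo.com"], "admin", "passw0rd",
                      "ise-apply-patch-name-SPA.tar.gz"))
```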


Older version (300-208 SISAS)
Admin -> Network device groups
Create a group (test switch)
Admin -> Network device -> Add
ping from the switch to the ISE server and in the other direction

Radius 1812/1813
TACACS encrypts the whole session
RADIUS only encrypts the important parts like passwords

Give radius secret
submit

conf t
aaa new-model
aaa authentication login default enable
radius server ISE
address ipv4 192.168.1100 auth-port 1812 acct-port 1813

aaa group server radius ISE-group
server name ISE

radius-server vsa send authentication
radius-server vsa send accounting
ip device tracking


802.1x auth
EAP (clear text)
EAP TTLS (tunnelled some security)

PEAP (tunnelled so it's secure) (protected EAP)
TLS implies we have certs, self signed, CA issued, vendor issued

Monitor mode first - lets all traffic through but we can see
Low impact - some ACLs on the port
closed - no traffic until authentication

Bob user - may need to auth
BobPC - is a computer 

We may want to auth the user and the hardware

We can have phone and then a PC, the PC can be running VMs so we can see multiple macs on one port.

Single host - 1 mac only will be authenticated
multi-host - don't use; once one host is authenticated the port is open to all
multi-domain - voice + data. 1 MAC from voice, 1 MAC from data
multi-auth - each device will need to authenticate
MAB - old printers won't have a supplicant so we can allow by MAC when the other methods fail. This is not best practice but can get you out of a hole.

test aaa group ISE-GROUP bob p4ssw0rd new-code

Use the ISE server for dot1x
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server attribute 8 include-in-access-req
dot1x system-auth-control 


switchport mode access
spanning-tree portfast
authentication host-mode multi-auth
authentication open
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
authentication port-control auto
no shut

show dot1x all

Connect ISE server to AD
Policy set triggers if conditions are met
If yes the authentication policy's rules are checked
If the device is wired 802.1X then use our DC for auth
If that passes go to authorization policy
If the user had a valid AD username and password then let them in
Default network access is that large set of EAP protocols

Authorization policies:
Policy elements (Policy -> Policy elements)

Policy -> Policy elements -> Authorization -> Downloadable ACLs
We can push an ACL down onto the switch (we can use allow all IPv4 traffic)

Policy -> Policy elements -> Authorization -> Authorization profiles
We can assign what VLAN

show commands:
show authentication sessions
show authentication sessions interface fa0/1
show authentication sessions mac xxxx.xxxx.xxxx details
show interface status 

Live logs in ISE GUI:
Search for MAC
Click the details ICON to get a full report
Blue icon means we have a session

Sample ISE switchport with details:
switchport host 
switchport access vlan 999 (this is a holding vlan / dead end)
authentication priority dot1x mab (use dot1x over mab)
authentication order dot1x mab (try auth with dot1x, if it fails then mab)

authentication event fail action next-method (if dot1x fails try next which is mab)
authentication event server dead action authorize vlan 10 (If ISE dead put them on vlan 10)
authentication event server alive action reinitialize (when the server comes back re auth)
authentication host-mode multi-domain (1 device in voice and 1 data vlan can get authorized)
single-host just one device gets authorised (good if you have single PC)
multi-host (once the first hosts auths everything after gets auth, usually bad)
multi-auth (everyone can get on but must be auth)

authentication violation restrict (send log message and block additional mac)
protect (Drops unexpected incoming MAC addresses. No syslog errors are generated.)
replace (Removes the current session and initiates authentication with the new host.)
shutdown (Error-disables the port or the virtual port on which an unexpected MAC address occurs.)
restrict (Generates a syslog error when a violation error occurs. Puts port in restricted mode ignoring the new mac)

authentication open (if doesn't have supplicant no 802.1x / mab it will allow it through)

mab (enable MAB)

dot1x pae authenticator (tells the switch on this port it should be the authenticator)
dot1x timeout tx-period 5 (how long to wait for dot1x answer before trying next [mab])

authentication port-control auto (lets use 802.1x and control this port based on the ISE rules)

Find out if your switch supports dot1x commands
cisco.com/go/fn

Check 802.1x services
services.msc
look for wired autoconfig
change it to Started + Automatic

If we take Wireshark we will see EAP requests
wireshark display filter "eap"
Look for requests

Properties on network card
authentication tab at the top
Enable IEEE 802.1x authentication
MS-PEAP
settings -> validate server cert is off (self signed cert)
configure 
additional settings 
user auth 
save credentials -> fill in username and password

Installing an internal CA cert
Browse to your internal CA
http://192.168.1.50/certsrv
Download a CA certificate, chain or CRL
Select DER encoding
Download CA cert
Name it Root-Internal-CA.crt
Save

In ISE
System -> certificates
Import -> select the Internal CA cert
Give it a friendly name
Trust for all

Create CSR
Local certs -> Add -> Generate a CSR
CN=ise.lab.com
2048
SHA256

Go to CSR
Export
Save -> CSR-from-ISE.pem
Open the file and copy all the CSR text

Go back to http://192.168.1.50/certsrv
Request a certificate 
Advanced certificate request
Submit a certificate request 
Paste the csr text
Click submit

Admin must approve
Server Manager -> CA -> Pending requests -> right click and issue

Go back to http://192.168.1.50/certsrv
View the pending 
Download DER encoded
ISE-ID.cert

Back to ISE
Add "Bind CA certificate" 
Select the ISE-ID.cert
tick EAP and HTTPS
Save ok
Server will restart

MAB (MAC authentication bypass)

Some devices like phones, printers, ip cameras won't have 802.1x supplicant
We can hard code the MAC address

Printer tries dot1x
If that fails
Try MAB; if the MAC is in the list then it will be allowed

Source guard and DHCP snooping would be useful

We can re-order: try MAB first, then 802.1x. We can also set priority: if dot1x works we will use that, etc.

Interface gig0/1
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast


Let the ISE server know it's sending over the MAC address
This switch might be enabled or not
radius-server attribute 6 on-for-login-auth

May need, check debugs
radius-server attribute 25 on-for-login-auth

Shows the authentication details on that port
show authentication sessions int gig0/1

Enable MAB
Try mab first then dot1x
Use dot1x first if both are available

Interface gig0/1
mab
authentication order mab dot1x 
authentication priority dot1x mab

debug radius authentication

We need to setup the MAC addresses in the ISE

Admin -> identity management -> endpoints
add the MAC
xx:xx:xx:xx:xx:xx

We saw the server needed a reboot after adding the MAC addresses

Phones need the voice vlan domain permission

You can bulk import MAC's
Burger menu > Work Centres > Identities > import 
It gives a template for MAC addresses 


Interface range
To reconfigure a lot of ports into the ISE config, the interface range command can be useful to put in the config and roll back

interface range g1/0/1 - 48, g2/0/1 - 48


Diagnostic tool
Menu > Operations > Troubleshoot > Diagnostic tools > Evaluate configuration validator 


May need to add the ISE server to ACL so it can SSH in
Fill in IP of switch
username password and enable
Check for AAA/dot1x and just pick 1 port to see the switch config

The aaa stuff all errored as the radius group name was already in use
error on auth and acct port 

ip device tracking did not exist on my 9300

logging transport udp port did not either

Not sure about snmp-server host public (need more research, seem to work without)




Monday 16 October 2023

issue importing cert to palo alto firewall

When trying to import a cert with the private key bundled you get an error:

Import of certificate and private-key CERT-NAME failed. private key doesn't exist for csr.

Importing the signed cert with the same name as the CSR doesn't work. Panorama adds cert_ to the front of the name

You need to put cert_ in front; for example, if the cert is called CERT-NAME you put cert_CERT-NAME



CSR import

Import the CA bundle if not done already

If you make duplicates you will have to delete them on the CLI

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHyVCAU&lang=en_US

tick your pending CSR

click import 

give the same name as your csr request 

select the pem file

PEM file format

ok

commit

Tuesday 10 October 2023

sophos firewall linked nat

Create a linked NAT rule:

Create your firewall rule

Choose create linked NAT rule

In translated source (SNAT) click the drop down and choose MASQ (apply, save, save)

Monday 2 October 2023

find device by mac or IP

Manual way is to connect to each switch and run "sh arp" / "sh mac address-table"


If you have all cisco kit

"traceroute mac" or "traceroute mac ip"


An NMS will often poll the switches and have this data available (LibreNMS)


You also have the option to create some scripts with python/pexpect/paramiko/netmiko etc
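Added example (not from the original post): a Python script of the kind mentioned above that parses the "sh arp" and "sh mac address-table" output collected from each switch and answers "which switch and port is this IP or MAC on?", skipping uplink ports so the answer is the edge port rather than the trunk towards another switch. The switch output and uplink list are constructed samples; collecting the text (netmiko, paramiko, etc.) is left out.

```python
"""Locate a device by IP or MAC from Cisco show output (added example)."""
import re

# 'show arp' row: Internet  10.1.10.25  12  0050.56ab.1234  ARPA  Vlan10
ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)", re.I)
# 'show mac address-table' row:  10  0050.56ab.1234  DYNAMIC  Gi1/0/7
MAC_RE = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(DYNAMIC|STATIC)\s+(\S+)", re.I)


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return Cisco dotted form."""
    hexs = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexs) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ".".join(hexs[i:i + 4] for i in (0, 4, 8))


def parse_arp(text):
    """{ip: mac} from 'show arp' on the L3 switch or router."""
    out = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out


def parse_mac_table(text):
    """{mac: (vlan, port)} from 'show mac address-table'."""
    out = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            out[m.group(2).lower()] = (m.group(1), m.group(4))
    return out


def find_mac(mac, switches, uplinks=()):
    """switches: {name: mac-table text}; uplinks: (switch, port) pairs to ignore.
    Returns (switch, vlan, port) for the edge port, or None."""
    mac = normalize_mac(mac)
    skip = set(uplinks)
    for name, text in switches.items():
        entry = parse_mac_table(text).get(mac)
        if entry and (name, entry[1]) not in skip:
            return name, entry[0], entry[1]
    return None


def find_ip(ip, arp_text, switches, uplinks=()):
    """Resolve the IP to a MAC via ARP, then locate that MAC."""
    mac = parse_arp(arp_text).get(ip)
    return find_mac(mac, switches, uplinks) if mac else None


# Constructed sample output (not real captures). The core sees the MAC on
# its trunk to access1; access1 sees it on an edge port.
ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.25             12   0050.56ab.1234  ARPA   Vlan10
Internet  10.1.10.1               -   00aa.bb00.0001  ARPA   Vlan10
"""
SWITCHES = {
    "core": """          Mac Address Table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56ab.1234    DYNAMIC     Gi1/0/48
""",
    "access1": """  10    0050.56ab.1234    DYNAMIC     Gi1/0/7
  10    0050.56ab.9999    DYNAMIC     Gi1/0/48
""",
}
UPLINKS = (("core", "Gi1/0/48"), ("access1", "Gi1/0/48"))

if __name__ == "__main__":
    print(find_ip("10.1.10.25", ARP, SWITCHES, UPLINKS))
```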