ISE
Test lab is quite involved
- Need windows AD
- ISE
- VMware
- Cisco anyconnect
- Cisco switch (supports 802.1x)
- Client PCs connected to the switch
- Wifi AP might also be useful
802.1x intro
Don't allow any traffic on the port until we know who the client is
Authenticator
Authentication server RADIUS -> (ISE)
Supplicant (supply credentials)
Supplicant -> Authenticator -> Auth Server
We can also do posture assessment of the client
VM settings
Download .ISO or .OVA from Cisco
200GB thin provision
4 GB RAM (more is better)
4 cores (more is better)
SSD drives are faster
Logging into ISE after install
https://x.x.x.x (IP or Name)
username: admin
password: set during install
First steps
Download .ISO or .OVA from Cisco
Administration -> network device group
ISE is a security product so it needs to be kept patched.
In VMware vSphere
Right click on cluster -> Deploy OVF template
Choose upload
You can also try
New -> Virtual machine -> Deploy from Template
You can also browse into the datastores:
https://192.168.10.100/folder
Deploy OVA VM (set network adapters)
Console
setup (to run script)
hostname
ip address 10.4.9.21
subnet mask 255.255.255.0
default gateway 10.4.9.254
default dns domain corkcoco.localgov
DNS server 10.4.9.162 / 10.4.10.16
NTP server 10.4.253.1
Syslog server s.s.s.s
timezone
y to enable ssh
username
password
confirm password
Web interface
Check running version by clicking the cog in the top right -> about ISE and Server
Burger menu in the top left -> Administration -> deployment
Click on your ServerName / ISE node (our server)
You can click "Make primary" (it will need to reboot) to set up HA
Scroll down
Enable device administration service tickbox
RADIUS/TACACS are not encrypted by default
Profiling configuration
Burger menu in the top left -> Administration -> deployment
Go onto "Profiling Configuration" tab
Turn on HTTP (get the user agent)
Turn on DNS
Click Save
Licensing
We will use eval license.
For production you will need to purchase a license
Certificates
Managing digital certificates with ISE (video on youtube)
Resources:
ISE Webinars: https://cs.co/ise-webinars
ISE YouTube Channel: https://cs.co/ise-videos
ISE Resources: https://cs.co/ise-resources
ISE Community: https://cs.co/ise-community
ISE Security Integration Guides: https://cs.co/ise-guides
ISE API: https://cs.co/ise-api
ISE NAD Capabilities: https://cs.co/nad-capabilities
ISE Licensing & Evaluations: https://cs.co/ise-licensing
Logging
Burger menu in the top left -> Administration -> Logging
We can add syslog server(s)
old school syslog UDP
new TCP (more reliable)
secure syslog (TCP + encryption)
Syslog UDP 514 (clear text)
Syslog TCP 1468 (clear text)
Secure Syslog TCP 6514 (encrypted)
Facility code is like severity level (LOCAL6 is default / informational)
Maximum message length 8192
Include alarms
Comply with RFC 3164
Buffer messages when server down, buffer size 100MB
click Submit
Logging categories
Add your syslog server to the categories
AAA Audit
Failed attempts
Passed authentications
AAA diagnostics
Administrator authentication
Meraki
We can connect meraki APs
Edit the settings of the WiFi SSID
Configure the ISE server as the radius server + password and click test
input a domain username and password
We need to config it on the ISE end
Logging -> Message Catalog
To see more info on a log, look up its message ID here
Can be exported to CSV
Filter on ID 5405 RADIUS request dropped
Logging -> Connection filters
We can filter out noisy clients here, a WIFI AP that is broken and keeps sending auth requests filling up logs for example
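One way to spot the noisy clients described above before adding a connection filter: run a small script over exported ISE syslog lines, count message 5405 (RADIUS request dropped) per network device, and list devices over a threshold. This is an added example and not part of the original notes; the sample lines are constructed to approximate ISE's CISE_Failed_Attempts layout (field names such as "Device IP Address" and the category names are assumptions, not captured output).

```python
"""Find network devices that flood ISE with dropped RADIUS requests (message 5405)."""
import re
from collections import Counter


def _sample(seq, category, code, sev, text, device):
    """Build a constructed syslog line; approximates the ISE layout, not real output."""
    return (f"<181>Mar  1 10:00:{seq:02d} ise01 {category} {seq:010d} 1 0 "
            f"2024-03-01 10:00:{seq:02d}.000 +00:00 {seq:010d} {code} {sev} {text}, "
            f"ConfigVersionId=42, Device IP Address={device}, "
            f"NAS-Port-Type=Wireless - IEEE 802.11,")


# Constructed sample: one broken AP (10.4.20.5) sending repeated drops, one
# switch with a single drop, one passed authentication, one unrelated line.
SAMPLE_LINES = [
    _sample(1, "CISE_Failed_Attempts", 5405, "NOTICE",
            "Failed-Attempt: RADIUS Request dropped", "10.4.20.5"),
    _sample(2, "CISE_Failed_Attempts", 5405, "NOTICE",
            "Failed-Attempt: RADIUS Request dropped", "10.4.20.5"),
    _sample(3, "CISE_Failed_Attempts", 5405, "NOTICE",
            "Failed-Attempt: RADIUS Request dropped", "10.4.20.5"),
    _sample(4, "CISE_Failed_Attempts", 5405, "NOTICE",
            "Failed-Attempt: RADIUS Request dropped", "10.4.20.9"),
    _sample(5, "CISE_Passed_Authentications", 5200, "NOTICE",
            "Passed-Authentication: Authentication succeeded", "10.4.20.6"),
    "Mar  1 10:00:06 ise01 some unrelated message",
]

# Message code, severity word and message text, e.g. "5405 NOTICE Failed-Attempt: ...,"
MSG_RE = re.compile(r"\b(?P<code>\d{4,5}) (?P<sev>[A-Z]+) (?P<text>[^,]+),")
# The network device (NAS) that sent the RADIUS request
DEV_RE = re.compile(r"Device IP Address=(?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """Return {'code', 'severity', 'text', 'device'} or None if the line is not an ISE AAA log."""
    m = MSG_RE.search(line)
    d = DEV_RE.search(line)
    if not m or not d:
        return None
    return {"code": m.group("code"), "severity": m.group("sev"),
            "text": m.group("text").strip(), "device": d.group("ip")}


def count_drops(lines, code="5405"):
    """Count occurrences of one message code per network device IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["code"] == code:
            counts[rec["device"]] += 1
    return counts


def noisy_devices(lines, threshold=3, code="5405"):
    """Devices at or above the threshold; candidates for a connection filter or a visit."""
    return sorted(ip for ip, n in count_drops(lines, code).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in count_drops(SAMPLE_LINES).most_common():
        print(f"{ip}: {n} x 5405 RADIUS request dropped")
    print("noisy:", noisy_devices(SAMPLE_LINES))
```

On a real export, feed the file's lines in place of SAMPLE_LINES and raise the threshold to match your log volume; a device that dominates the 5405 count is usually misconfigured (wrong shared secret, not added as a network device) rather than malicious, so fix it at the source before filtering it out.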
Maintenance -> Repository
Burger menu in the top left -> Administration -> Maintenance
Add LOCALDISK root path submit
Can add remote servers
FTP
SFTP
TFTP
NFS
CDROM
HTTP
HTTPS
Submit
Upload a patch to ISE server from web interface
Burger menu in the top left -> Administration -> Maintenance -> Localdisk Management
We can upload patch bundle file (downloaded from cisco)
Select hot patch file .tar.gz
We can apply it later; ISE will need to restart to install it
Maintenance -> Operational data purging
You can select how long before you delete logs
The longer you keep logs the more disk space you need
Enabling the export repository will export the logs before they are deleted
Upgrade
We are on the latest version so no upgrade is needed, but this is where you do it
Run the health check first
Health Checks
Burger menu in the top left -> Administration -> Health Checks
Run before upgrades
Upgrade readiness tool, worth running after a fresh install for a baseline.
Can download the report
Backup and restore
Burger menu in the top left -> Administration -> Backup & Restore
Config backup is light
Operational backup has the logs
We can save to localdisk or remote server we configured
It does not back up your certs; you will need to store them manually in a safe place
You can configure a backup schedule
Admin access
Burger menu in the top left -> Administration -> Admin Access
Authentication (on left) -> Password policy (tab in middle) -> Password Lifetime
Turn off
Click save
RBAC
Role based access control policy
If you want to set up limited admins
ERS admin - API
Connect to AD (interactive help top right)
External identity sources
Active directory ->
join point name dcloud.cisco.com
ad domain dcloud.cisco.com
submit
Yes join nodes
Fill in AD username and password
Groups
Add groups from AD
Retrieve groups
If you have a big org this could take a long time
Select the groups we want to use for auth
You may want to make some AD groups
ISE-ADMINS
ISE-READ-ONLY
etc
Can change authentication to AD
Admin access -> Settings -> Access
Can set login banners
Can set ASCII for the CLI login
Save
Session timeout default is 60
Session info shows who's logged in
Settings
Client provisioning (not on day1)
FIPS mode (strong security, turns off clear text protocols/old ciphers, can cause issues)
Security settings turn off TLS1.0 (may restart)
Alarm settings
Posture
Cover later
Profiling
Can leave default
Enable session resume and fast reconnect
EAP-FAST
PEAP
RADIUS
Should be nothing to change day1
DTLS tunnels can be enabled
Proxy
For ISE internet updates
SMTP server
Email server for ISE to
Settings -> SMS gateway
NTP servers pool.ntp.org
time.nist.gov
Settings -> API settings
API service settings
enable ERS and openAPI
Deploy a patch on CLI
Example is log4j patch
SSH into ISE box
Show what patches have been applied
show logging application hotpatch.log
application install ise-apply-patch-name-SPA.tar.gz LOCALDISK
Deploy a patch via API
Use the rest API to install the patch with curl
curl --insecure --include --user admin:passw0rd -H "accept: application/json" -H "Content-Type: application/json" -X POST https://ise.demo.com:443/api/hotpatch/install -d '{"hotpatchName": "ise-apply-patch-name-SPA.tar.gz", "repositoryName": "LOCALDISK"}'
Task status
curl \
  --insecure \
  --include \
  --user admin:passw0rd \
  -H "accept: application/json" \
  -X GET https://ise.demo.com:443/api/v1/task/[task-id]
One node we can update manually but if we have 50 nodes it would be useful to patch them all with one command.
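As an added example (not from the original notes), the two curl calls above turned into a script that submits the same hot patch to a list of nodes and polls the task endpoint for each. The /api/hotpatch/install and /api/v1/task/<id> paths are the ones the notes use; the JSON field names assumed here ("id" in the install response, "executionStatus" with an IN_PROGRESS value in the task response) are assumptions and should be checked against your ISE version's API documentation.

```python
"""Roll one ISE hot patch out to many nodes through the hotpatch API."""
import base64
import json
import ssl
import time
import urllib.request


def build_install_request(node, user, password, patch, repo="LOCALDISK"):
    """Return (url, headers, body) for one node; sends nothing, so it is easy to test."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"Basic {token}",
    }
    body = json.dumps({"hotpatchName": patch, "repositoryName": repo})
    return f"https://{node}:443/api/hotpatch/install", headers, body


def task_status_url(node, task_id):
    return f"https://{node}:443/api/v1/task/{task_id}"


def _context(verify):
    ctx = ssl.create_default_context()
    if not verify:  # same effect as curl --insecure; lab use with a self-signed cert only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def https_post(url, headers, body, verify=True):
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=_context(verify), timeout=30) as resp:
        return json.loads(resp.read().decode())


def https_get(url, headers, verify=True):
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, context=_context(verify), timeout=30) as resp:
        return json.loads(resp.read().decode())


def patch_nodes(nodes, user, password, patch, repo="LOCALDISK", post=https_post):
    """Submit the install on every node. Returns {node: task id or 'error: ...'}.

    One unreachable node must not stop the roll-out, so errors are recorded, not raised.
    'id' as the task id field is an assumption about the install response.
    """
    results = {}
    for node in nodes:
        url, headers, body = build_install_request(node, user, password, patch, repo)
        try:
            results[node] = post(url, headers, body)["id"]
        except Exception as exc:
            results[node] = f"error: {exc}"
    return results


def wait_for_task(node, task_id, headers, get=https_get, attempts=30, delay=10, sleep=time.sleep):
    """Poll the task until it leaves IN_PROGRESS; returns the final status string.

    'executionStatus' and the IN_PROGRESS value are assumed names for the task response.
    """
    for _ in range(attempts):
        status = get(task_status_url(node, task_id), headers).get("executionStatus", "UNKNOWN")
        if status != "IN_PROGRESS":
            return status
        sleep(delay)
    return "TIMEOUT"


if __name__ == "__main__":
    # Constructed node list and credentials; replace with your own.
    NODES = ["ise01.lab.com", "ise02.lab.com"]
    USER, PASSWORD, PATCH = "admin", "passw0rd", "ise-apply-patch-name-SPA.tar.gz"
    submitted = patch_nodes(NODES, USER, PASSWORD, PATCH)
    for node, task_id in submitted.items():
        if task_id.startswith("error:"):
            print(node, task_id)
            continue
        _, headers, _ = build_install_request(node, USER, PASSWORD, PATCH)
        print(node, wait_for_task(node, task_id, headers))
```

Stagger the roll-out in production: patch the secondary PAN and PSNs first, confirm each task finishes and the node comes back, then do the primary, since every node restarts to install the patch.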
Older version (300-208 SISAS)
Admin -> Network device groups
Create a group (test switch)
Admin -> Network device -> Add
Ping from the switch to the ISE server and in the other direction
Radius 1812/1813
TACACS encrypts the whole session
RADIUS only encrypts the important parts like passwords
Give radius secret
submit
conf t
aaa new-model
aaa authentication login default enable
radius server ISE
address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
aaa group server radius ISE-group
server name ISE
radius-server vsa send authentication
radius-server vsa send accounting
ip device tracking
802.1x auth
EAP (clear text)
EAP-TTLS (tunnelled, some security)
PEAP (Protected EAP, tunnelled so it's secure)
TLS implies we have certs, self signed, CA issued, vendor issued
Monitor mode first - lets all traffic through but we can see who would pass or fail
Low impact - some ACLs on the port
closed - no traffic until authentication
Bob user - may need to auth
BobPC - is a computer
We may want to auth the user and the hardware
We can have phone and then a PC, the PC can be running VMs so we can see multiple macs on one port.
Single host - 1 mac only will be authenticated
multi-host - don't use: once one host is authenticated the port is open to everything behind it
multi-domain - voice + data. 1 mac from voice, 1 mac from data
multi-auth - each device will need to authenticate
MAB - old printers won't have a supplicant so we can allow by MAC when the other methods fail. This is not best practice but can get you out of a hole.
test aaa group ISE-GROUP bob p4ssw0rd new-code
Use the ISE server for dot1x
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server attribute 8 include-in-access-req
dot1x system-auth-control
switchport mode access
spanning-tree portfast
authentication host-mode multi-auth
authentication open
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
authentication port-control auto
no shut
show dot1x all
Connect ISE server to AD
Policy set triggers if conditions are met
If yes, the authentication policy rules are checked
If the device is wired 802.1x then use our DC for auth
If that passes go to authorization policy
If the user had a valid AD username and password then let them in
Default network access is that large set of EAP protocols
Authorization policies:
Policy elements (Policy -> Policy elements)
Policy -> Policy elements -> Authorization -> Downloadable ACLs
We can push an ACL down onto the switch (we can use allow all IPv4 traffic)
Policy -> Policy elements -> Authorization -> Authorization profiles
We can assign what VLAN
show commands:
show authentication sessions
show authentication sessions interface fa0/1
show authentication sessions mac xxxx.xxxx.xxxx details
show interface status
Live logs in ISE GUI:
Search for MAC
Click the details ICON to get a full report
Blue icon means we have a session
Sample ISE switchport with details:
switchport host
switchport access vlan 999 (this is a holding vlan / dead end)
authentication priority dot1x mab (use dot1x over mab)
authentication order dot1x mab (try auth with dot1x, if it fails then mab)
authentication event fail action next-method (if dot1x fails try next which is mab)
authentication event server dead action authorize vlan 10 (If ISE dead put them on vlan 10)
authentication event server alive action reinitialize (when the server comes back re auth)
authentication host-mode multi-domain (1 device in voice and 1 data vlan can get authorized)
single-host just one device gets authorised (good if you have single PC)
multi-host (once the first hosts auths everything after gets auth, usually bad)
multi-auth (everyone can get on but must be auth)
authentication violation restrict (send log message and block additional mac)
protect (Drops unexpected incoming MAC addresses. No syslog errors are generated.)
replace (Removes the current session and initiates authentication with the new host.)
shutdown (Error-disables the port or the virtual port on which an unexpected MAC address occurs.)
restrict (Generates a syslog error when a violation error occurs. Puts port in restricted mode ignoring the new mac)
authentication open (if the host has no supplicant and fails 802.1x / MAB it will still be allowed through)
mab (enable MAB)
dot1x pae authenticator (tells the switch on this port it should be the authenticator)
dot1x timeout tx-period 5 (how long to wait for dot1x answer before trying next [mab])
authentication port-control auto (let's use 802.1x and control this port based on the ISE rules)
Find out if your switch supports dot1x commands
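A practical check for the port settings explained above: before moving from monitor mode to closed mode, run a small linter over the switch's running-config and list access ports that still have "authentication open", use multi-host, are missing MAB or the authenticator role, or have no server-dead fallback. This is an added example, not code from the original notes; the SAMPLE_CONFIG below is constructed from the commands on this page, and the checks encode the notes' own recommendations (prefer multi-domain/multi-auth, avoid multi-host, keep a server-dead action).

```python
"""Lint IOS interface config for 802.1x/MAB readiness."""

# Constructed running-config excerpt: one fully configured port, one still in
# monitor mode with multi-host, one port with no 802.1x at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 999
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication host-mode multi-host
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} from running-config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def lint_port(lines):
    """Return a list of findings for one access port (empty list means it looks ready)."""
    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    findings = []
    if not has("switchport mode access"):
        return findings  # trunks and uplinks are out of scope
    if not has("authentication port-control auto"):
        findings.append("no 802.1x control on this port (missing 'authentication port-control auto')")
        return findings
    if has("authentication open"):
        findings.append("monitor mode: 'authentication open' still configured")
    if has("authentication host-mode multi-host"):
        findings.append("multi-host: first authenticated host opens the port for everything")
    if not has("dot1x pae authenticator"):
        findings.append("missing 'dot1x pae authenticator'")
    if not has("mab"):
        findings.append("MAB not enabled (devices without a supplicant will fail)")
    if not has("authentication event server dead"):
        findings.append("no fallback if ISE is unreachable (authentication event server dead ...)")
    return findings


def lint_config(config_text):
    """Map each interface that has findings to its list of findings."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = lint_port(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Feed it the output of "show running-config" saved from each switch; a port that comes back clean still needs testing with a real client, but the list tells you which ports will break the moment "authentication open" is removed.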
cisco.com/go/fn
Check 802.1x services
services.msc
look for wired autoconfig
change it to Started + Automatic
If we take Wireshark we will see EAP requests
wireshark display filter "eap"
Look for requests
Properties on network card
authentication tab at the top
Enable IEEE 802.1x authentication
MS-PEAP
settings -> validate server cert is off (self signed cert)
configure
additional settings
user auth
save credentials -> fill in username and password
Installing an internal CA cert
Browse to your internal CA
http://192.168.1.50/certsrv
Download a CA certificate, chain or CRL
Select DER encoding
Download CA cert
Name it Root-Internal-CA.crt
Save
In ISE
System -> certificates
Import -> select the Internal CA cert
Give it a friendly name
Trust for all
Create CSR
Local certs -> Add -> Generate a CSR
CN=ise.lab.com
2048
SHA256
Go to CSR
Export
Save -> CSR-from-ISE.pem
Open the file and copy all the CSR text
Go back to http://192.168.1.50/certsrv
Request a certificate
Advanced certificate request
Submit a certificate request
Paste the csr text
Click submit
Admin must approve
Server Manager -> CA -> Pending requests -> right click and issue
Go back to http://192.168.1.50/certsrv
View the pending
Download DER encoded
ISE-ID.cert
Back to ISE
Add "Bind CA certificate"
Select the ISE-ID.cert
tick EAP and HTTPS
Save ok
Server will restart
MAB (MAC authentication bypass)
Some devices like phones, printers and IP cameras won't have an 802.1x supplicant
We can hard code the MAC address
Printer tries dot1x
If that fails
Try MAB; if the MAC is in the list then it will be allowed
Source guard and DHCP snooping would be useful
We can re-order to try MAB first, then 802.1x. We can also set priority: if dot1x works we will use that, etc.
Interface gig0/1
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Let the ISE server know it's sending over the MAC address
This might already be enabled on the switch
radius-server attribute 6 on-for-login-auth
May need, check debugs
radius-server attribute 25 on-for-login-auth
Shows the authentication details on that port
show authentication sessions int gig0/1
Enable MAB
Try mab first then dot1x
Use dot1x first if both are available
Interface gig0/1
mab
authentication order mab dot1x
authentication priority dot1x mab
debug radius authentication
We need to setup the MAC addresses in the ISE
Admin -> identity management -> endpoints
add the MAC
xx:xx:xx:xx:xx:xx
We saw the server needed a reboot after adding the MAC addresses
Phones need the voice vlan domain permission
You can bulk import MACs
Burger menu > Work Centres > Identities > import
It gives a template for MAC addresses
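Building that import file by hand is error-prone because the switch shows MACs as xxxx.xxxx.xxxx while ISE wants xx:xx:xx:xx:xx:xx. The script below (an added example, not part of the original notes) normalises MACs from any of the usual formats, drops duplicates and bad entries, and writes CSV text. The column names "MACAddress" and "IdentityGroup" are assumptions; copy the real header from the template that Work Centres > Identities > Import gives you.

```python
"""Normalise MAC addresses into CSV rows for the ISE endpoint bulk import."""
import csv
import io
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample: Cisco dotted form, colon form (duplicate of the first),
# dash form, and one bad entry that must be rejected.
SAMPLE_MACS = [
    "0050.5685.cd1a",
    "00:50:56:85:CD:1A",
    "00-50-56-85-cd-1b",
    "not-a-mac",
]


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF (ISE's display form) or raise ValueError."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_import_csv(raw_macs, group="Printers", header=("MACAddress", "IdentityGroup")):
    """Return (csv_text, rejected_inputs); duplicates are collapsed after normalisation."""
    seen, rows, rejected = set(), [], []
    for raw in raw_macs:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if mac not in seen:
            seen.add(mac)
            rows.append((mac, group))
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)  # assumed column names, take them from the ISE template
    writer.writerows(rows)
    return buf.getvalue(), rejected


if __name__ == "__main__":
    text, bad = build_import_csv(SAMPLE_MACS, group="Printers")
    print(text, end="")
    if bad:
        print("rejected:", bad)
```

The identity group you put in the second column is what the authorization policy will match on, so use a group per device class (printers, phones, cameras) rather than one catch-all MAB group.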
Interface range
To reconfigure a lot of ports into the ISE config, the interface range command can be useful to put in config and roll back
interface range g1/0/1 - 48, g2/0/1 - 48
Diagnostic tool
Menu > Operations > Troubleshoot > Diagnostic tools > Evaluate configuration validator
May need to add the ISE server to ACL so it can SSH in
Fill in IP of switch
username password and enable
Check for AAA/dot1x and just pick 1 port to see the switch config
The aaa stuff all errored as the radius group name was already in use
error on auth and acct port
ip device tracking did not exist on my 9300
logging transport udp port did not either
Not sure about snmp-server host public (need more research, seems to work without)