Configure ISE: BYOD Wireless Network

  • Configure a native supplicant profile for wireless clients
  • Configure a BYOD Portal for onboarding
  • Create the authentication policy that allows users to log in
  • Configure authorization policy that permits access to resources
  • Configure ACLs on WLC

Users will connect to the BYOD WLAN. If the mobile device does not have a certificate, the user will be prompted to enter their Active Directory username and password. Once they complete the onboarding process, ISE will initiate a Change of Authorization (CoA). This disconnects the client, which immediately re-associates to the WLAN using the new certificate.

Certificate Template

This is the template for the certificate that clients will download when attempting to connect to the SSID “MGMT”.

  • Go to: Administration > System > Certificates > Certificate Authority > Certificate Templates
  • Select EAP_Authentication_Certificate_Template and Click Duplicate
  • Enter the name BYOD_EAP_Authentication_Certificate_Template
  • Edit the Organizational Unit and Organization
  • Set SCEP RA Profile to ISE Internal CA
  • Click Submit

Native Supplicant Profile

This is the wireless profile the device will use to connect to the WLAN once the device is onboarded.

  • Go to: Policy > Policy Elements > Results > Client Provisioning > Resources
  • Click Add > Native Supplicant Profile
  • Enter a Name (BYOD_EAP_TLS_NSP)
  • Click Add under Wireless Profile
  • Enter the SSID
  • Set Security to WPA2 Enterprise
  • Set Allowed Protocol to TLS
  • Set Certificate Template to BYOD_EAP_Authentication_Certificate_Template
  • Click Submit

Client Provisioning Policy

This determines which Native Supplicant Profile gets installed on which type of device.

  • Policy > Client Provisioning
  • Edit each type of device to use the Native Supplicant Profile that you created earlier (set Results to BYOD_EAP_TLS_NSP)
  • Click Save

BYOD Portal

This is the web page the user is redirected to in order to “onboard” their device.

  • Administration > Device Portal Management > BYOD
  • Click Create
  • Enter a Portal Name (BYOD WEB PAGE)
  • Use the default settings.

CA for External Identity Sources

  • Administration > Identity Management > External Identity Sources > Certificate Authentication Profile
  • Click Add
  • Enter a Name (Ge_Cert_CommonName)
  • Set Use Identity from “Subject – Common Name”
  • Click Save

Active Directory External Identity Source

  • Administration > Identity Management > External Identity Sources > Active Directory
  • Click Add
  • Enter the Join Point Name (For instance, wifiworkshop_AD)
  • Enter the Active Directory Domain
  • Click Submit
  • Once the Join Point is created, Click the Groups Tab
  • Add AD Groups of users who will be allowed to onboard their device.

Authentication Policy

  • Policy > Policy Sets > Wireless Devices
  • Create an Authentication Policy above the default rule
  • Set the Condition to Radius:Called-Station-ID contains Mgmt
  • Set the Allowed Protocols to Default Network Access
  • Set Network Access:AuthenticationMethod EQUALS x509_PKI to use “Ge_Cert_CommonName”
  • Click the drop-down arrow next to Actions and Insert Row Above the Default Rule
  • Set Network Access:AuthenticationMethod EQUALS MSCHAPv2 to use “Ge”
  • Set the Default Rule to Deny Access

Authorization Profile

  • Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
  • Click Add
  • Enter a Name (BYOD_NSP_AuthZ_Profile)
  • Select Web Redirection (CWA, MDM, NSP, CPP)
  • Set it to Native Supplicant Provisioning
  • Create an ACL named BYOD_REDIRECT
  • Set the Value BYOD WEB PAGE

Authorization Profile for Android Devices

  • Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
  • Click Add
  • Enter a Name (BYOD_NSP_Google_AuthZ_Profile)
  • Select Web Redirection (CWA, MDM, NSP, CPP)
  • Set it to Native Supplicant Provisioning
  • Manually type in BYOD_Google_REDIRECT for the ACL
  • (You’ll create the ACL on the WLC later)
  • Set the Value BYOD WEB PAGE

Authorization Policy for Android Devices

  • Work Centers > BYOD > Policy Sets
  • Create a new Authorization Policy Rule above the default rule
  • Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2 AND Session:Device-OS EQUALS Android
  • Set Permissions to BYOD_NSP_Google_AuthZ_Profile

Authorization Policy for all other devices

  • Work Centers > BYOD > Policy Sets
  • Create a new Authorization Policy Rule above the default rule
  • Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2
  • Set Permissions to Ge_NSP_AuthZ_Profile

Add the ACL to the WLC

Deny statements in the ACL trigger the redirect on the WLC. Create permit statements so that traffic to the Policy Service Nodes and DNS is allowed (not redirected), with a rule for each direction, and deny statements for web traffic so that it is redirected to the BYOD Portal.

  • Log into the WLC
  • Security > Access Control Lists > Access Control Lists
  • Click New
  • Name it BYOD_REDIRECT (or whatever name you manually entered for the ACL in the Authorization Profile; the two names must match exactly)
  • Click on the BYOD_REDIRECT ACL and click Add New Rule
  • Create a rule to permit all traffic outbound from the controller
  • Create a rule to permit TCP traffic on port 8443 to all Policy Service Nodes
  • Create a rule to permit UDP traffic to DNS
  • Create a rule to permit UDP traffic to DHCP  (I believe DHCP is allowed by default, so you may not need this rule.)
  • Deny all other traffic (to be redirected)
  • Save Configuration
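The following is an added example (not part of the original post) that models the first-match evaluation of the redirect ACL described above, so the rule order can be checked before it is typed into the WLC. 10.0.30.40 is the ISE address used elsewhere on this page; the DNS server address and the client destinations are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Rule tuple: (action, direction, protocol, destination network, destination port)
# 'out' is traffic from the controller toward the client, 'in' is client toward the network.
# 10.0.30.40 is the ISE address from this page; 10.0.30.10 is a constructed DNS server.
BYOD_REDIRECT = [
    ("permit", "out", "any", "0.0.0.0/0", None),      # all traffic outbound from the controller
    ("permit", "in", "tcp", "10.0.30.40/32", 8443),   # PSN portal (one rule per PSN)
    ("permit", "in", "udp", "10.0.30.10/32", 53),     # DNS
    ("permit", "in", "udp", "0.0.0.0/0", 67),         # DHCP
    ("deny", "any", "any", "0.0.0.0/0", None),        # everything else: subject to redirect
]


def evaluate(acl, direction, protocol, dst_ip, dst_port):
    """First-match lookup. Returns (action, rule index), or ('deny', None)
    for the implicit deny at the end of every WLC ACL."""
    for i, (action, rdir, rproto, net, port) in enumerate(acl):
        if rdir not in ("any", direction):
            continue
        if rproto not in ("any", protocol):
            continue
        if ip_address(dst_ip) not in ip_network(net):
            continue
        if port is not None and port != dst_port:
            continue
        return action, i
    return "deny", None


def redirected(acl, direction, protocol, dst_ip, dst_port):
    """The WLC redirects denied HTTP/HTTPS to the portal; other denied traffic is dropped."""
    action, _ = evaluate(acl, direction, protocol, dst_ip, dst_port)
    return action == "deny" and protocol == "tcp" and dst_port in (80, 443)


def catch_all_index(acl):
    """Index of the first rule that denies everything. It must be the last rule:
    any permit placed below it is shadowed, and the portal itself would be redirected."""
    for i, rule in enumerate(acl):
        if rule == ("deny", "any", "any", "0.0.0.0/0", None):
            return i
    return None


if __name__ == "__main__":
    print(evaluate(BYOD_REDIRECT, "in", "tcp", "10.0.30.40", 8443))    # ('permit', 1)
    print(redirected(BYOD_REDIRECT, "in", "tcp", "203.0.113.10", 443))  # True
```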

vWLC with Hotspot Guest Access using ISE 2.7

Hotspots are a portal where users can access an open SSID. Generally, they need to accept an Acceptable Use Policy before being granted access to the internet. Other scenarios are possible beyond this lab scenario.

  • Log into the vWLC. Click the Security tab at the top.
  • Click the New button to add a new AAA server.
  • Enter the IP address of the ISE server, set the port number to 1812, and make sure Support for CoA is checked. *** Change of Authorization is a feature that allows a RADIUS server to adjust an active client session. ***
  • Create a Shared Secret and make note of it, as ISE will need to be configured with the same secret. Click Apply.
  • Next click Accounting from the Security/AAA menu on the left. Hit New and enter the required information.
  • Next we will log into ISE and configure the WLC as a network device.
  • Go to Work Centers, then Network Resources.
  • Click Add and fill out the WLC information. Check RADIUS Authentication Settings and be sure to enter the Shared Secret we created earlier on the WLC.
  • After you save the network device, you can verify it has been added by checking the Network Devices section.

Configuring the Guest SSID

  • Log into your WLC and click the WLANs tab. Choose Create New from the drop down box and click Go.
  • Enter a profile name and SSID.

  • Select Status Enabled, and the correct interface for your guest traffic. *** NOTE: My screenshot doesn’t show the Guest SSID as being enabled ***

  • Next click the Security tab.
  • Change Layer 2 Security to None, and check MAC Filtering.
  • Click AAA Servers, and change the Authentication and Authorization servers to the ISE server via the drop down boxes.
  • Click the Advanced tab.
  • Check Allow AAA Override.
  • Under NAC change the drop down to ISE NAC.
  • Uncheck Flex Connect Local Switching if enabled.
  • Check DHCP/HTTP profiling under Radius Client Profiling.
  • Next we have to create a few ACLs: one for the Web Auth Redirect that allows DNS and traffic to ISE, and another ACL for restricting guest access.
  • You can verify your ACLs have been added to the vWLC from the Access control list section.

ISE Policies

Our policy goals will be:

  • Redirect users who connect to the Guest network to a web portal.
  • Once the AUP has been accepted, apply a new policy that restricts their access to internet only via the ACL we created earlier.

  • Log in to ISE. Go to Work Centers > Guest Access > Policy Elements.
  • Click Results and go to Authorization Profiles.
  • Click Add to create a new profile.
  • Give the policy a descriptive name and description.
  • Scroll down to the Common Tasks and check Web Redirection.
  • Select Hotspot from the drop-down.
  • Enter WEB_AUTH_REDIRECT as the ACL; the value will be the Hotspot guest portal.
  • Click Submit.
  • Click Add again, and enter a new name and description. This policy will apply the guest restriction ACL we created on the WLC.
  • Scroll down to the Common Tasks, find Airespace ACL, and enter the name Guest_ACL.
  • Click Submit.
  • Now, go to Work Centers > Guest Access > Policy Sets.
  • Create a new policy set.
  • Add a new rule above the one we just created.
  • This rule applies the Guest ACL to the user once they have gone through the portal. Conditions will be Wireless_MAB, IdentityGroup = GuestEndpoints, and Guest_Flow. The result will be the Guest_Access policy we created, which applies the ACL we created on the WLC.
  • Lastly, use any wireless device to verify you can connect to the new SSID.
  • Save all configurations and back up if needed.

Cisco Switch Configuration for ISE

Switch Configuration

  • Example configuration used
conf t
 radius server ISE_RADIUS
 address ipv4 10.0.30.40 auth-port 1645 acct-port 1646
 key Temp1234!@#$
 exit
 aaa group server radius ISE
 server name ISE_RADIUS
 ip radius source-interface vlan 30
 exit
 aaa authentication dot1x default group ISE
 aaa authorization network default group ISE
 aaa authorization exec default group ISE local if-authenticated
 aaa accounting update periodic 3
 aaa accounting dot1x default start-stop group ISE
 aaa server radius dynamic-author
 client 10.0.30.40 server-key Temp1234!@#$
 radius-server attribute 6 on-for-login-auth
 radius-server attribute 8 include-in-access-req
 radius-server attribute 25 access-request include
 end

Explanation

  • radius server ISE_RADIUS / address ipv4 / key: defines the ISE node as a RADIUS server (authentication on 1645, accounting on 1646) with the shared secret that must match the one entered for this switch in ISE.
  • aaa group server radius ISE / server name / ip radius source-interface vlan 30: groups the server and sources RADIUS traffic from VLAN 30, so ISE sees the switch from the IP address registered as the network device.
  • aaa authentication dot1x default group ISE: sends 802.1X authentication requests to ISE.
  • aaa authorization network default group ISE: applies the authorization attributes (VLAN, dACL, and so on) returned by ISE.
  • aaa authorization exec default group ISE local if-authenticated: authorizes management sessions through ISE, falling back to the local database.
  • aaa accounting update periodic 3 / aaa accounting dot1x default start-stop group ISE: sends start, stop and interim (every 3 minutes) accounting records so ISE live sessions stay accurate.
  • aaa server radius dynamic-author / client 10.0.30.40 server-key: accepts Change of Authorization requests from ISE, using the same key.
  • radius-server attribute 6 / 8 / 25: includes Service-Type in login authentications, Framed-IP-Address in Access-Requests, and the Class attribute in Access-Requests.

ISE Configuration

  • Add the name, description, IP address, device profile, model name, and software version.
  • Enable the RADIUS Authentication Settings, input the shared secret, then submit to add the switch.
  • To verify, after you click Submit the device is listed under the Network Devices section.

Authorization Profile

Policy Set

Verification

  • On the switch you can issue:
show cdp neighbor
show authentication sessions
show aaa servers
  • In the ISE GUI, review live sessions and logs under Operations > RADIUS.

Troubleshooting

  • Symptom: no authentication sessions are showing on the network device.
  • Run an authentication test from the network device and review the logs in ISE.
  • Verify the AAA server configuration:
test aaa group radius test-user test-password new-code
  • In the ISE GUI, check Operations > RADIUS > Live Logs for the test authentication.

Verify NTP is matching for Logs

  • Verify the NTP server matches on all devices (Cisco switch and ISE server).

Cisco ISE 2.7 on ESXi

What is ISE?

  • Cisco Identity Services Engine (ISE) is a solution to streamline security policy management and reduce operating costs. It gives visibility into users and devices while controlling access across wired, wireless, and VPN connections to the corporate network.

Image

  • Log in with your CCO account to download the ISE 2.7 evaluation .OVA file, or whichever format you prefer.

System Requirements

  • Clock speed: 2.0 GHz or faster
  • Number of CPU cores: 4 CPU cores
  • 16 GB memory
  • 300 GB Storage
  • 1 NIC interface required (two or more NICs are recommended; six NICs are supported).
    ***Cisco ISE supports E1000 and VMXNET3 adapters.***

License

  • The Cisco ISE image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services once the installation and initial configuration are complete.
  • Transfer the .OVA file to your datastore on the ESXi server and follow the installation steps.
  • Once the upload and import have completed, start the virtual machine.

Initial Setup

  • Boot the image.
  • To begin configuration, enter ‘setup’ as the username and then follow the prompts for initial setup.
  • ***This process can take 30 minutes to multiple hours depending on your hardware resources***

Verify the Installation

  • After ISE starts, log in with your new credentials and verify the installation:
show application
show application status ise

Web GUI

  • Log in to the GUI with your credentials.

Initial Login

CLI Admin Vs GUI Admin

  • The username and password that you configure when using the Cisco ISE setup program are intended to be used for administrative access to the Cisco ISE CLI and the Cisco ISE web interface.
  • You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the setup process. There is no default username and password for a web-based admin.
  • The CLI-admin user is copied to the Cisco ISE web-based admin user database.
  • Only the first CLI-admin user is copied as the web-based admin user.
  • You should keep the CLI- and web-based admin user stores synchronized, so that you can use the same username and password for both admin roles.
  • The Cisco ISE CLI-admin user has different rights and capabilities than the Cisco ISE web-based admin user and can perform other administrative tasks.

Create a CLI Admin

Cisco ISE allows you to create additional CLI-admin user accounts other than the one you created during the setup process. To protect the CLI-admin user credentials, create the minimum number of CLI-admin users needed to access the Cisco ISE CLI. You can add a CLI-admin user with the following command in configuration mode:

username <username> password [plain/hash] <password> role admin
  • Note the password complexity requirements.

Create a Web-Based Admin

  • For first-time web-based access to the Cisco ISE system, the administrator username and password are the same as the CLI-based credentials that you configured during setup.
  • Choose Administration > System > Admin Access > Administrators > Admin Users.
  • Choose Add > Create an Admin User.
  • Enter the name, password, admin group, and the other required details.
  • Click Submit.

Reset a Disabled Password Due to Administrator Lockout

  • An administrator can enter an incorrect password enough times to disable the account. The minimum and default number of attempts is five.
  • Use these instructions to reset the administrator user interface password with the application reset-passwd ise command in the Cisco ISE CLI. It does not affect the CLI password of the administrator. After you successfully reset the administrator password, the credentials are immediately active and you can log in without having to reboot the system.
  • Cisco ISE adds a log entry in the Administrator Logins window. The navigation path for this window is Operations > Reports > Reports > Audit > Administrator Logins. The credentials for that administrator ID are suspended until you reset the password associated with that administrator ID.