topic Hi supportlan in Network Access Control

Cisco ISE Small Network Deployment

kuzminsk1 — Mon, 11 Mar 2019 06:51:13 GMT

Hi Guys

I am working on a "Small Network Deployment" of two Cisco ISE servers (SNS-3415-K9) in the Active/Passive config. In this deployment, one Cisco ISE node is functioning as the primary appliance. The secondary node supports the primary node and maintains a functioning network whenever connectivity is lost between the primary node and network appliances, network resources, or RADIUS.

Our scenario:
Around 250-300 users are migrating to a new office, which is “shared” with another company. Each user has an Avaya IP phone (9650), a Windows 7 laptop/PC or a WYSE Terminal (Citrix). Around 600 devices in total. a pair of ISE servers is going to be used to control NAC and profile non-windows devices (Plus licenses purchased).

Please refer to the LLD/HLD attached (please note 2 pages in the pdf doc).

The network diagram is oversimplified as it only describes the ISE server architecture in relation to the rest of the local network.

The core switches pass all VLANs
The access switches intentionally only have some VLANs configured and not others, while the core switches are passing all VLANs
A01 is a two module stack
Redundant links are configured as port channels on both sides (our standard config)
SPT is defined per VLAN.

My questions relate specifically to the ISE server installation and configuration as we have never installed one before.

Could someone please clarify if the same 802.1x switch config should be applied to all of our core and access switches? If not, how should it differ between the core and the access switches?
Do you have any reliable config examples for a comparable scenario?

Thanks

Hi

Francesco Molino — Fri, 10 Jun 2016 23:58:00 GMT

I'm not sure if I understood correctly your concern.

To activate ISE radius config on all switches you need:

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
!
radius server ISE
address ipv4 192.168.0.1 auth-port 1812 acct-port 1813
key cisco123
!
ip radius source-interface g0/0

Then to activate aaa and dot1x features:

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
!
dot1x system-auth-control
!

Afterwards, you need to configure below commands on ports on which you want dot1x authentication. If ports don't have this configuration, then no dot1x configuration will done.

interface Gigabitethernet0/0
dot1x pae authenticator
authentication event fail action next-method
authentication event server dead action authorize vlan xxx
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 600
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
!

You need to adapt vlan, timers if needed.

For ISE configuration point of view, you need:

- authorization profile

- authentication profile

- under the policy tab, you need to define your authentication rules and authorization rules

You can found some documentation on Cisco website or I can help but I don't have any ISE server right now for lab purpose.

Is it what you were looking for?

Thanks

Hi supportlan

kuzminsk1 — Wed, 22 Jun 2016 08:30:37 GMT

Hi supportlan

Thanks for your response and the example configs.

I am configuring a pair of physical Cisco SNS3415 servers running ISE. So far, i have applied the basic configs on both servers and we are now configuring the switches (non-ISE related) and upgrading the firmware to the level that supports 802.1x.

None of the team have done this before so i am essentially looking for a bit of guidance in relation to the scenario described in my original post. Do you know where i could find some specific procedures for configuring the ISE server policies? (i've been looking at numerous YouTube videos so far) such as https://www.youtube.com/watch?v=kWJYDsqkEas

Would the commands you have provided cover Windows authentication as well as Avaya phone, WYSE terminal and printer profiling (i.e. identification by MAC address using a PLUS licence)?

If i understood you correctly, the following commands (adjusted for our own objects) would need to be applied to all core and access switches:

################ - please see questions next to the config lines
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
!
radius server ISE ####how would this be configured for a pair of ISE servers?
address ipv4 192.168.0.1 auth-port 1812 acct-port 1813 ####how would this be configured for a pair of ISE servers?
key cisco123
!
ip radius source-interface g0/0

....Then to activate aaa and dot1x features:

aaa new-model #### is this a variable?
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
!
dot1x system-auth-control
!
##############

After that, each client facing access port on EACH ACCESS SWITCH (!? - we have a lot of client facing ports - would they need to be configured individually) would need to be configured with the following commands:

interface Gigabitethernet0/0
dot1x pae authenticator
authentication event fail action next-method
authentication event server dead action authorize vlan xxx
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 600
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
!

Many thanks

p.s. i meant posturing, not

kuzminsk1 — Wed, 22 Jun 2016 09:29:20 GMT

p.s. i meant posturing, not profiling

Hi

Francesco Molino — Wed, 22 Jun 2016 12:09:11 GMT

First of all, for documentation, you can search Cisco Trustsec and you will find some example. After there are administration guide like this one :

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010110.html

All commands are standard except the command authentication open based on what you want to manage your ise environment.

For adding a 2 radius, just add the ip with key under the radius group.

If you want to follow step by step video you can also take a look at labminutes video

Hope this is clear

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

thanks - i'll definitely rate

kuzminsk1 — Wed, 22 Jun 2016 14:22:00 GMT

thanks - i'll definitely rate this.

If the ISE servers are patched into the core switches, but the radius configs need to be defined on core and access switches, in the following config, :

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
!
radius server ISE
address ipv4 192.168.0.1 auth-port 1812 acct-port 1813
key cisco123
!
ip radius source-interface g0/0 -- IS THIS THE UPLINK TRUNK PORT ON THE ACCESS SWITCH???

thanks

i.e the trunk port connecting

kuzminsk1 — Wed, 22 Jun 2016 14:23:17 GMT

i.e the trunk port connecting the access switch to the core switch?

please note we are using 2 physical port Port Chanel to uplink the switches

im not able to authenticate

kuzminsk1 — Wed, 22 Jun 2016 15:10:17 GMT

im not able to authenticate with radius, having configured the the network device in ISE and created a test user:

ISE log:

Source Timestamp2016-06-22 14:58:26.82Received Timestamp2016-06-22 14:58:26.828Policy ServerGLS-ISE-01Event5413 RADIUS Accounting-Request droppedFailure Reason11007 Could not locate Network Device or AAA ClientResolutionVerify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network DevicesRoot causeCould not find the network device or the AAA Client while accessing NAS by IP during authentication.Service TypeFramedNAS IPv4 Address10.18.4.38

Switch output:

test aaa group radius server 10.18.4.33 auth-port 1812 acct-port 1813 radius-user PASSWORD new-code
User rejected

Radius Switch Config:

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
!
radius server ISE-01
address ipv4 10.18.4.33 auth-port 1812 acct-port 1813
key 7 0337530E145C256F1A19481116434A
!
radius server ISE-02
address ipv4 10.18.4.35 auth-port 1812 acct-port 1813
key 7 073C29495C5A1D2643025A18057B6A

ip radius source-interface GigabitEthernet1/0/1 (i only add one port here - this command overrides itself if i enter it with the second port. Gi1/0/1 is the switchport that ISE-01 is connected to. i tried to add Gi2/0/1, but it did overwrote it - ??? im only configuring it on the core switch at the moment, how would this look on the access switch??)

The shared secret is the same on both sides.

AAA witch Config:

aaa new-model
!
!
aaa authentication attempts login 5
aaa authentication login default group tacacs+ enable
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

aaa session-id common
switch 1 provision ws-c3850-24t
switch 2 provision ws-c3850-24t
!

user caller radius-user is created in identities on ISE-01, but im not able to test the link:

test aaa group radius server 10.18.4.33 auth-port 1812 acct-port 1813 radius-user Capita123! new-code
User rejected

Can you see what im doing wrong?

many thanks

Can you see

Also, 10.18.4.38 is the

kuzminsk1 — Wed, 22 Jun 2016 16:41:05 GMT

Also, 10.18.4.38 is the gateway IP address of the VLAN that hosts the ISE servers, i dont understand why its listed in th eerror logs as device IP!

ource Timestamp	2016-06-22 16:38:02.826
Received Timestamp	2016-06-22 16:38:02.841
Policy Server	GLS-ISE-01
Event	5413 RADIUS Accounting-Request dropped
Failure Reason	11007 Could not locate Network Device or AAA Client
Resolution	Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause	Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Service Type	Framed
NAS IPv4 Address	10.18.4.38

Other Attributes

ConfigVersionId	118
Device Port	1646
DestinationPort	1813
Protocol	Radius
Acct-Status-Type	Interim-Update
Acct-Delay-Time	15
Acct-Session-Id	00000000
Acct-Authentic	RADIUS
AcsSessionID	GLS-ISE-01/255868885/32
Device IP Address	10.18.4.38

Those commands needs to be

Francesco Molino — Wed, 22 Jun 2016 17:05:52 GMT

Those commands needs to be setup on all authenticator devices (all devices that will request authentication on behalf of user devices).

The interface is usually the management that the switch use to communicate with your radius (layer 3 interface)