Setting up ISE 2.3

walwar — Tue, 09 Jan 2018 11:50:32 GMT

Hi guys,

I need to setup ISE 2.3 for dot1x, mab and webauth for guest self-registration with Catalyst 2960 switch. Can anyone point me to a good resource/documentation? Many thanks in advanced!

-walwar

Re: Setting up ISE 2.3

ognyan.totev — Tue, 09 Jan 2018 12:24:29 GMT

Cisco Identity Services Engine - Configuration Examples and TechNotes - Cisco

This is some config examples.You can google it too for some information .

Re: Setting up ISE 2.3

hslai — Tue, 09 Jan 2018 17:12:04 GMT

Adding to Ognyan's, it's good to reference Cisco ISE Design & Integration with Cisco Switches

and start with How To: Universal IOS Switch Config for ISE

Re: Setting up ISE 2.3

walwar — Wed, 17 Jan 2018 10:22:10 GMT

Thank you guys for links and sorry for the late reply.

Anyway, I have now everything setup and from my search and Cisco's documentation I understood that if I want to authenticate my printer, it is recommended to add the MAC address of the printer in ISE instead of active directory group. Also the CWA redirection is not functioning for wired MAB guest PC.

My goal is to achieve the following:

1. DOT1X for domain computers (which works fine and was pretty easy to setup)

2. MAB for printers, security cams, etc (doen't really matter if I use ISE or active directory for me)

3. Wire MAB for guest PC using CWA. (now this didn't work when I used active directory group for wired/wireless_mab or it might be that my authorization wasn't correctly configured)

My concerns or questions:

1. How many MAC addresses can ISE handle? (what if I have more than 1500 MAC addresses, can I import all into ISE)

My issue:

CWA doens't work for my guest PC using wired_mab. When I try to go to cisco.com from the guest PC it can't redirect me to the portal to guest account registration. Event hough I see that I have obtained an IP, but when I copy the redirect url from my switchport and and register an account from another PC the guest PC is able to connect to the Internet. Now I have to mention that the PC is able to ping cisco.com but it can't access cisco.com, I tried FF, Chrome and even IE, but same issue I even tried IP but it was the same.

I tried to debug ip http all but didn't see ANYTHING in the switch.

My aaa config:

aaa authentication dot1x default group ISE_GROUP

aaa authorization network default group ISE_GROUP

aaa authorization auth-proxy default group ISE_GROUP

aaa accounting system default start-stop group ISE_GROUP

aaa accounting dot1x default start-stop group ISE_GROUP

aaa accounting update newinfo periodic 2880

username RADIUS-TEST-USER password 7 REMOVED

aaa server radius dynamic-author

client 172.30.1.181

server-key 7 REMOVED

radius server KNETISE2001

address ipv4 172.30.1.181 auth-port 1812 acct-port 1813

automate-tester username RADIUS-TEST-USER probe-on

key 7 REMOVED

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 10 tries 3

aaa group server radius ISE_GROUP

server name KNETISE2001

deadtime 15

aaa new-model

aaa session-id common

ACL:

ip access-list extended ACL_DEFAULT (port ACL,but it seems if I apply this on the port nothing works, after I removed it the guest PC was able to connect to the Internet)

permit udp any any eq domain

permit udp any eq bootpc any eq bootps

deny ip any any

ip access-list extended ACL_REDIRECT_ISE_BLACKLISTED_DEVICES (this is not applied anywhere, don't know what this should exist)

permit tcp any any eq www

permit tcp any any eq 443

ip access-list extended ACL_WEBAUTH_REDIRECT (used for my CWA in ISE)

permit tcp any any eq www

permit tcp any any eq 443

IP http config:

ip http server

ip http secure-server

ip http secure-active-session-modules none

ip http max-connections 48

ip http active-session-modules none

Port config:

interface GigabitEthernet1/0/1

switchport access vlan 3180

switchport mode access

authentication event fail action next-method

authentication event server dead action reinitialize vlan 20

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server dynamic

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

se-sw01-018#sh authen se int g1/0/2 d

Interface: GigabitEthernet1/0/2

MAC Address: 54e1.ada3.2c1a

IPv6 Address: Unknown

IPv4 Address: 172.30.180.11

User-Name: 54-E1-AD-A3-2C-1A

Status: Authorized

Domain: DATA

Oper host mode: multi-domain

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Session Uptime: 57s

Common Session ID: AC1E31AA00000014003FF110

Acct Session ID: 0x00000009

Handle: 0x7E000007

Current Policy: POLICY_Gi1/0/2

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

URL Redirect: https://FQDN-REMOVED:8443/portal/gateway?sessionId=AC1E31AA00000014003FF110&portal=f0ae43f0-7159-11e7-a355-005056aba474&action=cwa&token=1b9a2c0511a704712fa4106f8ff70ec1

URL Redirect ACL: ACL_WEBAUTH_REDIRECT

ACS ACL: xACSACLx-IP-SVKY_PREAUTH-5a5f0057

Method status list:

Method State

dot1x Stopped

mab Authc Success

This is after I copied the redirect url and registered from another PC:

se-sw01-018#sh authen se int g1/0/2 d

Interface: GigabitEthernet1/0/2

MAC Address: 54e1.ada3.2c1a

IPv6 Address: Unknown

IPv4 Address: 172.30.180.11

User-Name: llk2

Status: Authorized

Domain: DATA

Oper host mode: multi-domain

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Session Uptime: 1802s

Common Session ID: AC1E31AA00000014003FF110

Acct Session ID: 0x0000000B

Handle: 0x7E000007

Current Policy: POLICY_Gi1/0/2

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

Vlan Group: Vlan: 3180

Method status list:

Method State

dot1x Stopped

mab Authc Success

Authentication policy:

Authorization policy:

Authentication profiles:

I have checked dACL and CWA in the central_webauth profile and VLAN in surf_vlan profile

My dACL is at the moment permit ip any any.

All inputs are welcome and thank you in advanced for stepping by.

Re: Setting up ISE 2.3

ognyan.totev — Wed, 17 Jan 2018 10:57:59 GMT

If you have plus license you can use logical profiles ,and not manually add every printer or etc.

Second thing ,in mine deployment new switch 3650 default acl on port deny all traffic except permited one . When dot1x come

it take ACl from ISE but not apply it .That is in mine deployment.

Re: Setting up ISE 2.3

walwar — Wed, 17 Jan 2018 11:09:24 GMT

What is permitted in your default ACL and what is your dACL? Can you share your authorization policies for wired mab?

-walwar

Re: Setting up ISE 2.3

ognyan.totev — Wed, 17 Jan 2018 11:13:57 GMT

That's what i try to explain . I remove ACL from port ,and it take Dacl from ise correctly .I am not use Wired mab for guest,only for wireless. but ofc i can share it .

Re: Setting up ISE 2.3

walwar — Wed, 17 Jan 2018 11:21:55 GMT

Thank you very much, could you share your Authorization policy as well? I don't think my problem is in authentication, it is in authorization. It might be either wrong or configured or missing something.

Re: Setting up ISE 2.3

ognyan.totev — Wed, 17 Jan 2018 11:34:22 GMT

topic Re: Setting up ISE 2.3 in Network Access Control

Setting up ISE 2.3

Re: Setting up ISE 2.3

Re: Setting up ISE 2.3

Re: Setting up ISE 2.3

Re: Setting up ISE 2.3

Re: Setting up ISE 2.3

Re: Setting up ISE 2.3

Re: Setting up ISE 2.3

Re: Setting up ISE 2.3