cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6511
Views
0
Helpful
20
Replies

Ask the Expert: Identity Services Engine - 802.1x, Identity Management and BYOD

ciscomoderator
Community Manager
Community Manager

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Identity Service Engine (ISE) with subject matter expert Nicolas Darchis.

Cisco Identity Service Engine is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. It is primarily used to provide secure access and guest access, support BYOD initiatives, and enforce usage policies in conjunction with Cisco TrustSec. 

Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, since 2007. He also focuses on filing technical and documentation bugs. Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification (no. 25344).

Remember to use the rating system to let Nicolas know if you have received an adequate response.

Because of the volume expected during this event, our expert might not be able to answer every question. Remember that you can continue the conversation in the Security community under subcommunity AAA, Identity, and NAC shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

20 Replies 20

egordon310
Level 1
Level 1

Hello Nicolas,

Can we install several certificates on ISE ? How do we accommodate the guest portal and the admin portal different requirements from a certificate perspective? 

Thanks,

Evan

This is a classic question. I will try to explain all the possibilities...

First of all, you can only install 2 different certificates on an ISE node. One for HTTPS and one for EAP (the same cert can be used for both also).

This means that it is the same certificate that will be used for sponsor portal, guest portal and admin GUI. That looks like a problem but isn't one.

 

In the settings for the sponsor portal, you can give it a different URL (something like sponsor.company.domain for example). You do not need a different certificate for that, you can simply add a "SAN" (Subject Alternative Name) in your HTTPS certificate that will contain the Sponsor portal URL. Therefore the same certificate is valid for the admin GUI/URL and also for the Sponsor URL you configured !

Important note : By RFC standard, the CN of the HTTPS certificate must be ISE FQDN, nothing else. ISE FQDN must also appear in one of the SAN fields. But then you can add more SAN fields for Sponsor URL and so on ...

 

The only concern remaining would be for the guest portal, which you cannot give a different URL. Well, if that is a concern, you could technically issue one kind of certificate on the admin ISE node (issued by your enterprise CA, using your company domain) and then on the PSN, the HTTPS cert is issued by a different CA (in another domain, that guests can see for example) and there ISE FQDN is something the guests can relate to. There is no real admin GUI on a PSN so this is not a problem.

As long as the admin node and the PSN node trust each other certificate or issuing CA in their store, they will be able to join each other in a distributed deployment.

Note : Playing with certificates should always be done on a node being in standalone mode, BEFORE it joins a deployment.

mistr
Level 1
Level 1

Hi Nicolas,

           I'm installing ISE for use with 802.1x wired Microsoft windows 8 clients connecting to 3560 switches running 12.2.55SE9. We are using eap-tls machine and user certs. ISE is v1.2 patch 7.

I have a few questions you can perhaps help me with:

1. When a user logs in to a laptop for the first time their certificate is delivered using GPO. This means that the first time a user logs in their profile does not have a user cert and can not be authenticated. I was looking at machine access restriction (MAR) as a solution to this but couldn't get it to work. There is some talk online about MAR not working with EAP-TLS machine certs. Can you confirm to me whether MAR will work with EAP_TLS?

2. The cisco live presentations on the ISE say that the Radius Acct-Session-Time attribute is collected by the ISE but it is not in the drop-down list. Is there a way to use this attribute in profiling rules?

3. I am seeing some incosistent behaviour from windows 8 clients. They seem to stop responding to 802.1x requests and the process times out and tries MAB instead. Once restarted the windows 8 clients work correctly again. Do you have a list of windows 8 bugs and bugfixes at all which might impact this process?

 

Thanks very much for any info

Mike

 

Hi Mike,

 

1. So the idea would be that if all laptops have a good machine certificate store all the time, you could give some access after machine authentication so that laptops could get their GPOs and then they can do user authentication without any problem. You technically do not need MAR. You simply do machine and user authentication. Machine authentication will be done as soon as laptop booted in "CTRL-ALT-DEL" login page. If successful, it is a domain laptop and you can safely place an ACL on the port that only gives access to AD servers so that users can log in through the domain.

Then users can do their user authentication once they log in to windows.

 

I suggest you take a look at the following : http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html#anc7

 

In a nutshell, adding MAR to the previous paragraph simply means that when users do their user authentication, you enforece that a machine authentication must have happened in the X hours before (x being configurable but not infinite). This means that everyone will HAVE TO reboot their laptops every day or every second day as machine authentication is only done on boot time or on logging off.

A good alternative is EAP-chaining with Anyconnect.

I never heard of a MAR problem with EAP-TLS. EAP-TLS machine auth is a classic and MAR is simply ISE keeping a mac address list of machines who authenticated successfully in the last X hours.

 

2. Indeed, it is present in the radius system dictionnary but not configurable. It makes sense that you cannot use it for auth or AuthZ rules as it is accounting. I personally do not see what use it could have in profiling as it is an attribute having a value usually at the end of the session (or during with interim-updates) and that is probably why developers did not include it in the drop-down list. If you have a good business case to use it, the best is to explain that case to your cisco account team who can push it as a feature in upcoming releases.

 

3. I do not have such a list and did not particularly face many problems that I can remember with windows 8 clients.

Hi Nicolas,

                 1. GPOs update user settings so they can not run until after the user has logged in so your solution is not technically feasible. The process is like this:

Client laptop boots up and is authenticated to the network by the machine certificate.

User logs in.

GPO starts running and sends a request for new user cert if cert is not present.

Dot1x tries to reauthenticate with user cert which will fail as gpo has not had time to deliver new user cert if this is a first time login.

My thought was that MAR could allow the machine to remain authenticated for an hour which would give the GPOs time to deliver the user cert. What happens when MAR time restriction runs out? Does the switch try and re-authenticate the port? At that point the user cert could be used so this could work.

Can you confirm that EAP-TLS works with MAR please? It seems easy to setup but it did not work when I tried it. Is there a way I can debug/troubleshoot this process?

2. OK thanks

3. Thanks.

 

 

MAR is not exactly that. MAR is a cache on ISE where ISE remembers that a given mac address has machine authenticated before.

 

What you could do is have an authorization rule that permits access on a machine authentication (i.e. username starting with host/) and gives access to AD servers only.

Another rules that says if a user authentication fails, but the computer "wasmachineauthenticated==true", then we still permit access and give access to AD servers only.

On a user authentication succeeding, you give full access.

 

This way you don't really need regular reboots or have timeouts of any sorts.

I am using eap-tls. username starting with host/ is a different eap type, not eap-tls. I am using machine certificates

 

Indeed, my bad. The username in EAP-TLS will typically be the CN field of the certificate but that can be changed by the TLS profile in ISE.

However, the logic stays the same. Except that to determine if it's a user or computer authentication, you can check if the user belongs to "domain computers" AD group. If it does, it's a valid machine authentication :-)

Your first statement seemed to imply that the "wasmachineauthenticated" attribute would not be set to true in case of EAP-TLS machine authentication. I actually could not find clues supporting that theory nor could I find clues saying it would work. I am not sure if that attribute relies on the presence of "host/" in the username or not. That is worth testing

In any case, EAP-chaining with anyconnect is much more noble

I think that with EAP-TLS it requires certificate binary comparison to be enabled in order for ISE to write the client mac address in the MAR cache.

hhtyson11
Level 1
Level 1

Hello Nicolas,

Thank you for covering this topic.  My question is how are licenses counted? How do I make sense out of the number of base or advanced licenses consumed?

Thanks,

Henry

Licenses are consumed as soon as a device authenticates. So if your ISE is profiling whole subnets, that will not really matter until those devices actually authenticates.

If an unknown device authenticate with 802.1x, it consumes a base license. If a device with profiled information authenticates, then it consumes an advanced (or Plus) license.

Seth Bjorn
Level 1
Level 1

What is the Cisco recommended way to prevent domain joined computers from joining a BYOD ssid?

The best way is still the control at the source. Having Anyconnect deployed on domain laptops with a profile configured so that they can only join certain SSIDs.

 

Otherwise, you can also use profiling. Relying on mac address to prevent attackers is not secure. But if it's to prevent employee to simply pick a wrong SSID, it works. However, the trick is to create a profiling rule that will identify correctly your domain laptops. The safest way would be to add mac addresses manually to a group. Automatic ways can use the hostname of the PC sent in DHCP request to categorize it as part of the domain.

You need only to play with profiling in case you have other mac addresses in the ISE db too. In a simpler setup, you can simply say that if the mac is known by ISE, it's an employee and he can connect to employee SSID only, but if mac is unknown (or known but belongs to "Registered Device" group, which means it went through BYOD), it goes to BYOD SSID only.