Solved: Re: Cisco ISE, radius authentication for switches

VinnyB · ‎10-31-2017

Hi,

I'm new to ISE and right now I was given a working ISE 1.4 only used for WIFI.

Right now, switch authentication is done via a Cisco ACS (radius, no tacacs+).We are talking about authentication for managing switches, not 802.1x on access port.

We want to migrate this management authentication on the ISE. So, the ISE will serve both WIFI and switches authentication.

I'm looking for a tutorial or some documentation for this. I'm interested in Auth and AuthZ policies...I'm not sure how to mix all this with existing WIFI policies.

I found some documents but nothing complete.

Thanks

Arne Bier · ‎10-31-2017

There are quite a few sources of information on the web. I would recommend www.labminutes.com

But most importantly, create a lab for yourself to play around with this stuff. Really. That is the best teacher. Here would be my recommendation

Build an ISE 1.4 VM (4GB RAM, 2vCPU, 200GB HDD should do it) - restore your prod backup config in the lab so that you have the existing Policy Set to start off with.

Then, the killer ingredient - install radtest from Freeradius Utilities on a Linux install. E.g if you have a CentOS/Fedora setup then simply type yum install freeradius-utils

Add you CentOS as a radius client to ISE and off you go! Now you can test ANYTHING. Prototyping will become really fun and easy - and by the time you deploy this in prod you'll have a much more confident feeling that things will work.

You can look at my blog series on free lab testing tools in the Cisco ISE Community Forums - it's three parts but Part 1 is probably the one you need to get started.

Below is an example of a radtest from my lab

$ echo "User-Name = '03:20:00:00:00:02',User-Password = '03:20:00:00:00:02',Calling-Station-ID='03:00:00:00:00:02',NAS-IP-Address = 10.224.19.121,NAS-Port-Type = 19,Service-Type=10"| /usr/bin/radclient -x 10.224.19.121:1812 auth MyPassword!

Sent Access-Request Id 215 from 0.0.0.0:41383 to 10.224.19.121:1812 length 110
        User-Name = "03:20:00:00:00:02"
        User-Password = "03:20:00:00:00:02"
        Calling-Station-Id = "03:00:00:00:00:02"
        NAS-IP-Address = 10.224.19.121
        NAS-Port-Type = Wireless-802.11
        Service-Type = Call-Check
        Cleartext-Password = "03:20:00:00:00:02"

  Received Access-Accept Id 215 from 10.224.19.121:1812 to 0.0.0.0:0 length 262
        User-Name = "03-00-00-00-00-02"
        State = 0x52656175746853657373696f6e3a30616530313337395f7263654370785156497a687150324b7658473861766c70476a5147654d3334525735465a4978726e5873
        Class = 0x434143533a30616530313337395f7263654370785156497a687150324b7658473861766c70476a5147654d3334525735465a4978726e58733a73636f383833346973653630322f3239383130303036382f3130
        Session-Timeout = 28800
        Tunnel-Type:1 = VLAN
        Tunnel-Medium-Type:1 = IEEE-802
        Tunnel-Private-Group-Id:1 = "18"
        Cisco-AVPair = "profile-name=Unknown"
        Airespace-ACL-Name = "GUEST_ACCEPT"

View solution in original post

Arne Bier · ‎10-31-2017

There are quite a few sources of information on the web. I would recommend www.labminutes.com

But most importantly, create a lab for yourself to play around with this stuff. Really. That is the best teacher. Here would be my recommendation

Build an ISE 1.4 VM (4GB RAM, 2vCPU, 200GB HDD should do it) - restore your prod backup config in the lab so that you have the existing Policy Set to start off with.

Then, the killer ingredient - install radtest from Freeradius Utilities on a Linux install. E.g if you have a CentOS/Fedora setup then simply type yum install freeradius-utils

Add you CentOS as a radius client to ISE and off you go! Now you can test ANYTHING. Prototyping will become really fun and easy - and by the time you deploy this in prod you'll have a much more confident feeling that things will work.

You can look at my blog series on free lab testing tools in the Cisco ISE Community Forums - it's three parts but Part 1 is probably the one you need to get started.

Below is an example of a radtest from my lab

$ echo "User-Name = '03:20:00:00:00:02',User-Password = '03:20:00:00:00:02',Calling-Station-ID='03:00:00:00:00:02',NAS-IP-Address = 10.224.19.121,NAS-Port-Type = 19,Service-Type=10"| /usr/bin/radclient -x 10.224.19.121:1812 auth MyPassword!

Sent Access-Request Id 215 from 0.0.0.0:41383 to 10.224.19.121:1812 length 110
        User-Name = "03:20:00:00:00:02"
        User-Password = "03:20:00:00:00:02"
        Calling-Station-Id = "03:00:00:00:00:02"
        NAS-IP-Address = 10.224.19.121
        NAS-Port-Type = Wireless-802.11
        Service-Type = Call-Check
        Cleartext-Password = "03:20:00:00:00:02"

  Received Access-Accept Id 215 from 10.224.19.121:1812 to 0.0.0.0:0 length 262
        User-Name = "03-00-00-00-00-02"
        State = 0x52656175746853657373696f6e3a30616530313337395f7263654370785156497a687150324b7658473861766c70476a5147654d3334525735465a4978726e5873
        Class = 0x434143533a30616530313337395f7263654370785156497a687150324b7658473861766c70476a5147654d3334525735465a4978726e58733a73636f383833346973653630322f3239383130303036382f3130
        Session-Timeout = 28800
        Tunnel-Type:1 = VLAN
        Tunnel-Medium-Type:1 = IEEE-802
        Tunnel-Private-Group-Id:1 = "18"
        Cisco-AVPair = "profile-name=Unknown"
        Airespace-ACL-Name = "GUEST_ACCEPT"

VinnyB · ‎11-01-2017

wow ! thank you !

Sinaga · ‎11-03-2017

Hello friends, I'm doing an 802.1X authentication implementation with a server radius using multi-host mode. for server radius, I use windows server 2008 R2 Enterprise with installed roles like AD DS, AD CS, DNS Server, DHCP Server, Network Policy and Access Services (NPS). I use PEAP -MsChapV2 method. for authentication when successfully will be redirected to vlan 10, and if failed will be directed to vlan 30. for authenticator and supplicant switches, I use Cisco Catalyst 2960-CX series. network topology: 3 clients --- g0/2, g0/3, g0/4 --- suplicant switch (switch2) --- g0/1 (supplicant switch) to g0/3 --- switch authenticator (switch1) - g0/1 - server radius. script authenticator: Switch1#sh run Building configuration... Current configuration : 3391 bytes ! ! Last configuration change at 06:17:02 UTC Fri Nov 3 2017 ! NVRAM config last updated at 06:17:09 UTC Fri Nov 3 2017 ! version 15.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Switch ! boot-start-marker boot-end-marker ! ! aaa new-model ! ! aaa authentication dot1x default group radius aaa authorization network default group radius aaa accounting network default start-stop group radius ! ! ! ! ! ! aaa session-id common system mtu routing 1500 ! ! ! ! ! ! ! ! ! ! ! ! ! crypto pki trustpoint TP-self-signed-3753304576 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3753304576 revocation-check none rsakeypair TP-self-signed-3753304576 ! ! crypto pki certificate chain TP-self-signed-3753304576 certificate self-signed 01 3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 33373533 33303435 3736301E 170D3137 31303235 30373031 31325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37353333 30343537 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100C5DB 3CB9DFF2 77BDF4BA 5A9A2842 B71574A0 58FC948F EF638567 64FCCDC0 F842FB87 D1A7509F CF178E66 81578924 AA24C583 F6F82921 898DA3A5 826F81B5 4DB19C29 35ECE681 D8A60EFF 2587AA24 F87A606D B1645B14 8F8CCBA5 2441947C 2F646F38 AB657A8D 2E2A7EED F716FF61 147A875D 654C2180 3B6C5789 3618C7FE BCF30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304 18301680 147771B2 F7F18FB4 1E7361EF E18B497D DEDDD572 CC301D06 03551D0E 04160414 7771B2F7 F18FB41E 7361EFE1 8B497DDE DDD572CC 300D0609 2A864886 F70D0101 05050003 81810085 2E8424AF 2FE7AEFC 74D07E7C BE1E141F 79F2E7EC 263877AE F6532F13 4D069CDA 80C7A219 8AEACB31 443CC054 9466502F 40317CF6 4D5F7409 D05590CE D74E29C4 F0A95E69 D4B26372 0086C7E9 14A37DBE 3DE0BBB7 355DF39B 5169479C 24BE990B 91E13BEE 99C46D24 1A00CFDC 0D5C60A0 2BEEA481 0C60152E 49A59BCC 0E7D62 quit dot1x system-auth-control ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending ! ! ! ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/1 switchport mode access ! interface GigabitEthernet0/2 ! interface GigabitEthernet0/3 switchport mode access authentication event fail action authorize vlan 30 authentication event no-response action authorize vlan 30 authentication host-mode multi-host authentication port-control auto dot1x pae authenticator ! interface GigabitEthernet0/4 ! interface GigabitEthernet0/5 ! interface GigabitEthernet0/6 ! interface GigabitEthernet0/7 ! interface GigabitEthernet0/8 ! interface GigabitEthernet0/9 ! interface GigabitEthernet0/10 ! interface GigabitEthernet0/11 ! interface GigabitEthernet0/12 ! interface Vlan1 ip address 10.123.10.250 255.255.255.0 ! interface Vlan10 ip address 172.16.10.250 255.255.255.0 ip helper-address 10.123.10.10 ! interface Vlan30 ip address 172.16.30.250 255.255.255.0 ip helper-address 10.123.10.10 ! ip forward-protocol nd ip http server ip http secure-server ! ! ! ! ! ! radius server host address ipv4 10.123.10.10 auth-port 1812 acct-port 1813 key 12345 ! ! line con 0 line vty 5 15 ! end ============================================================================ script switch supplicant: Switch2#sh run Building configuration... Current configuration : 973 bytes ! ! Last configuration change at 06:17:51 UTC Fri Nov 3 2017 ! version 15.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Switch ! boot-start-marker boot-end-marker ! ! no aaa new-model system mtu routing 1500 ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending ! ! ! ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface GigabitEthernet0/3 ! interface GigabitEthernet0/4 ! interface GigabitEthernet0/5 ! interface GigabitEthernet0/6 ! interface GigabitEthernet0/7 ! interface GigabitEthernet0/8 ! interface GigabitEthernet0/9 ! interface GigabitEthernet0/10 ! interface GigabitEthernet0/11 ! interface GigabitEthernet0/12 ! interface Vlan1 no ip address ! ip forward-protocol nd ip http server ip http secure-server ! ! ! ! ! line con 0 line vty 5 15 ! end Switch# i found the problem, when my authenticator connect to switch supplicant then the authentication notification does not appear to client. direct authentication failed. from my configuration above, is there anything wrong or need to be added? I beg for his help, thank you very much.

dhook · ‎12-18-2019

Thanks, this was very helpful! I had to search for your excellent blog since the URL has been changed. The new URL is https://community.cisco.com/t5/security-blogs/rapid-prototyping-ise-policies-without-any-real-networking/ba-p/3661915

Mady · ‎01-09-2018

Hi,

How did you create you authC and authZ policy for switch management on ISE? I also like to use our ISE as authentication server for switches but not with access port.

thanks!

Peter Koltl · ‎01-11-2018

Using Cisco ISE as a generic RADIUS server

Cisco ISE, radius authentication for switches

ISE Webinars

CiscoISE on YouTube