How to have ISE detect endpoints when using NPS for Radius and 802.1x

DurzoBlint
Level 1

Hello all,

We are in the early stages of deploying ISE in our environment for detection and eventual lockdown of ports if they don't meet compliance.  We did NOT have ISE in our environment before this initiative, so we have Windows NPS running on our domain controllers, and our Cisco switches are configured with RADIUS and 802.1x port auth pointing to those DCs.

Since we are in the early stages of ISE, I just need to get detection working for now.  And this is all for WIRED ONLY communication.  We do not have any wireless on this network.  I've added all of our Cisco switches to "Network Devices".  Within the device settings, I've checked the "RADIUS Authentication Settings" box and entered the same "Shared Secret" key that the switches are using to communicate with NPS.

I've gone to the External RADIUS Servers section and added both DCs there as well.

On one of the test switches, I've added a 3rd server destination under "aaa group server radius radius-group", being our new ISE VM. We have an overflow room with its own switch that only has 2 PCs and no users actually go into it. So we're able to treat that like a "test lab" of sorts.  Once I figure out what works for that switch, I can duplicate it to the other "production" room switches.

After doing all of that, I did a shut / no shut on one of the ports that is serving a desktop.  The desktop went down and came back online just fine.  I was hoping that the change in port status would cause the desktop to show up as a new unknown endpoint within ISE, but nothing shows up there.

After typing this all out, I am realizing that I never went into NPS to add the ISE server as a "client" there.  So maybe I still need to do that so that they are allowed to talk?  I'm sure I'm missing something else as ISE is already pretty complicated but I'm not exactly sure what that is.  And I'm sure I'm adding to the complication by trying to continue to keep NPS in the loop.  So any additional guidance you all can offer would be most appreciated.

9 Replies

@DurzoBlint if you added ISE as the 3rd AAA server to the RADIUS group, authentications will only be sent to ISE if the other 2 RADIUS servers do not respond.

If you just want detection, you could add ISE as an additional ip helper-addresses on the VLAN SVIs, ISE will profile these devices at a minimum.

Thanks for the info.  I had a feeling that might happen if it was only the 3rd AAA server.  I debated about removing the first 2 to see what would happen, but I didn't want to go that far yet.

As for the ip helper-address - would this only function if DHCP is enabled within the VLAN? I know typically that would be the case, but in our environment, we do not have DHCP running.  All assets have their IPs manually configured.  This was done because of "reasons", but we've been debating about turning DHCP back on.

@DurzoBlint it sounds like it would be better to build in ISE in parallel, rather than reconfigure a temporary solution with NPS and proxying authentications to ISE.

Add a secondary ISE node for resiliency and configure Active Directory as an External Identity Store. Set up a test switch that points to the ISE cluster and get your client devices authenticating to ISE; once you're happy everything works OK, migrate the existing switches to ISE for 802.1X authentication.

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515


I just had a thought.  What if I leave the 3 servers defined on the switch: 2 DCs / NPS, and 1 ISE.
Then I define 2 separate aaa groups:
aaa group server radius radius-group
  server name dc1
  server name dc2
aaa group server radius ise-group
  server name ise-server
  (second ise to be deployed at a later date for redundancy)

Then I leave
aaa authentication login default group radius-group local
as well as most of the other lines.  But I only change:
aaa authentication dot1x default group ise-group
aaa accounting dot1x default start-stop group ise-group

Do you think this would work?  This project to push ISE came out of the blue, and our ESXi host is low on RAM.  So I'm not sure I can stand up another ISE VM until we get our second host in 2025.  Just trying to minimize the "non-compliance" of only having one authentication server.
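The two-group layout from the post above, written out as a complete IOS fragment. This is an added example, not the poster's own configuration: the server and group names match the post, the IP addresses and shared secret are placeholders, and the final line is the standard IOS `test aaa group` command used to confirm that ISE actually answers for a test account before the dot1x method list is pointed at it.

```text
! RADIUS server definitions (addresses and key are placeholders)
radius server dc1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret-used-with-NPS>
radius server dc2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key <shared-secret-used-with-NPS>
radius server ise-server
 address ipv4 192.0.2.21 auth-port 1812 acct-port 1813
 key <shared-secret-configured-in-ISE-Network-Devices>
!
! Mark a server dead after repeated timeouts so the switch fails over
! instead of hanging every authentication on an unreachable server
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Two groups: NPS on the DCs for device login, ISE for 802.1X
aaa group server radius radius-group
 server name dc1
 server name dc2
aaa group server radius ise-group
 server name ise-server
!
aaa authentication login default group radius-group local
aaa authentication dot1x default group ise-group
aaa accounting dot1x default start-stop group ise-group
!
! Verify from the switch that ISE accepts a known test account
! (run from privileged EXEC, not config mode; credentials are placeholders)
test aaa group ise-group testuser testpassword new-code
```

The `test aaa group` output shows whether ISE returned Access-Accept, Access-Reject, or no response at all; a "no response" result usually means the shared secret or the switch's source IP does not match what ISE has under Network Devices.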

@DurzoBlint you would be introducing a single point of failure if you just use the ISE AAA group.

You could add ISE as the first server on the existing aaa group. You'd obviously need to ensure authentications work on ISE; if ISE fails you'd fail over to the NPS servers.

It would be better to implement the design correctly from the start rather than being creative and making things unnecessarily complex.

Oh I definitely get that.  I hate it when you almost "have to" do it wrong only to redo it later because your hands are tied by either money, time or resources.

Last question - is it possible to not change anything regarding our AAA settings, but have all of this (both discovery and mitigation) accomplished via SNMP back and forth?  Again, I know this probably isn't the RIGHT way to do this.  I just have a 70-item task list that keeps growing by the week, and ISE is only 1 item on that list.

@DurzoBlint you can configure the ISE SNMP probe to poll the NADs (switches) at certain intervals. https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId--1464449051


https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html

ISE will receive the RADIUS request and use NPS as an external RADIUS server.
Check the link above.
MHM

Thank you for your response.

So this thought had crossed my mind as well.  I haven't opened the link yet, but it sounds like what you're saying is, within the switch configs, I would replace the DCs as the AAA target with the ISE server.  And then ISE would be configured to use the DCs' NPS as its external auth.  I'd be fine with that except we have a requirement that our Cisco gear is supposed to have redundant authentication servers.  So we had to put NPS on both of our DCs.  Right now, we only have one ISE VM.  So if I go this route, it sounds like I'd have to stand up a second ISE VM?  Again, I haven't clicked your link yet and will be reading that shortly.  Just getting my bearings.