cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2030
Views
3
Helpful
8
Replies

Setting up ISE 2.3

walwar
Level 1
Level 1

Hi guys,

I need to setup ISE 2.3 for dot1x, mab and webauth for guest self-registration with Catalyst 2960 switch. Can anyone point me to a good resource/documentation? Many thanks in advanced!

-walwar

8 Replies 8

ognyan.totev
Level 5
Level 5

Cisco Identity Services Engine - Configuration Examples and TechNotes - Cisco

This is some config examples.You can google it too for some information .

hslai
Cisco Employee
Cisco Employee

walwar
Level 1
Level 1

Thank you guys for links and sorry for the late reply.

Anyway, I have now everything setup and from my search and Cisco's documentation I understood that if I want to authenticate my printer, it is recommended to add the MAC address of the printer in ISE instead of active directory group. Also the CWA redirection is not functioning for wired MAB guest PC.

My goal is to achieve the following:

1. DOT1X for domain computers (which works fine and was pretty easy to setup)

2. MAB for printers, security cams, etc (doen't really matter if I use ISE or active directory for me)

3. Wire MAB for guest PC using CWA. (now this didn't work when I used active directory group for wired/wireless_mab or it might be that my authorization wasn't correctly configured)

My concerns or questions:

1. How many MAC addresses can ISE handle? (what if I have more than 1500 MAC addresses, can I import all into ISE)

My issue:

CWA doens't work for my guest PC using wired_mab. When I try to go to cisco.com from the guest PC it can't redirect me to the portal to guest account registration. Event hough I see that I have obtained an IP, but when I copy the redirect url from my switchport and and register an account from another PC the guest PC is able to connect to the Internet. Now I have to mention that the PC is able to ping cisco.com but it can't access cisco.com, I tried FF, Chrome and even IE, but same issue I even tried IP but it was the same.

I tried to debug ip http all but didn't see ANYTHING in the switch.

My aaa config:

aaa authentication dot1x default group ISE_GROUP

aaa authorization network default group ISE_GROUP

aaa authorization auth-proxy default group ISE_GROUP

aaa accounting system default start-stop group ISE_GROUP

aaa accounting dot1x default start-stop group ISE_GROUP

aaa accounting update newinfo periodic 2880

username RADIUS-TEST-USER password 7 REMOVED

!

aaa server radius dynamic-author

client 172.30.1.181

server-key 7 REMOVED

!

radius server KNETISE2001

address ipv4 172.30.1.181 auth-port 1812 acct-port 1813

automate-tester username RADIUS-TEST-USER probe-on

key 7 REMOVED

!

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 10 tries 3

!

aaa group server radius ISE_GROUP

server name KNETISE2001

deadtime 15

!

aaa new-model

aaa session-id common

ACL:

ip access-list extended ACL_DEFAULT (port ACL,but it seems if I apply this on the port nothing works, after I removed it the guest PC was able to connect to the Internet)

permit udp any any eq domain

permit udp any eq bootpc any eq bootps

deny   ip any any

ip access-list extended ACL_REDIRECT_ISE_BLACKLISTED_DEVICES (this is not applied anywhere, don't know what this should exist)

permit tcp any any eq www

permit tcp any any eq 443

ip access-list extended ACL_WEBAUTH_REDIRECT (used for my CWA in ISE)

permit tcp any any eq www

permit tcp any any eq 443

IP http config:

ip http server

ip http secure-server

ip http secure-active-session-modules none

ip http max-connections 48

ip http active-session-modules none

Port config:

interface GigabitEthernet1/0/1

switchport access vlan 3180

switchport mode access

authentication event fail action next-method

authentication event server dead action reinitialize vlan 20

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server dynamic

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

se-sw01-018#sh authen se int g1/0/2 d

            Interface:  GigabitEthernet1/0/2

          MAC Address:  54e1.ada3.2c1a

         IPv6 Address:  Unknown

         IPv4 Address:  172.30.180.11

            User-Name:  54-E1-AD-A3-2C-1A

               Status:  Authorized

               Domain:  DATA

       Oper host mode:  multi-domain

     Oper control dir:  both

      Session timeout:  N/A

      Restart timeout:  N/A

       Session Uptime:  57s

    Common Session ID:  AC1E31AA00000014003FF110

      Acct Session ID:  0x00000009

               Handle:  0x7E000007

       Current Policy:  POLICY_Gi1/0/2

Local Policies:

        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

         URL Redirect:  https://FQDN-REMOVED:8443/portal/gateway?sessionId=AC1E31AA00000014003FF110&portal=f0ae43f0-7159-11e7-a355-005056aba474&action=cwa&token=1b9a2c0511a704712fa4106f8ff70ec1

     URL Redirect ACL:  ACL_WEBAUTH_REDIRECT

              ACS ACL:  xACSACLx-IP-SVKY_PREAUTH-5a5f0057

Method status list:

       Method           State

       dot1x            Stopped

       mab              Authc Success

This is after I copied the redirect url and registered from another PC:

se-sw01-018#sh authen se int g1/0/2 d

            Interface:  GigabitEthernet1/0/2

          MAC Address:  54e1.ada3.2c1a

         IPv6 Address:  Unknown

         IPv4 Address:  172.30.180.11

            User-Name:  llk2

               Status:  Authorized

               Domain:  DATA

       Oper host mode:  multi-domain

     Oper control dir:  both

      Session timeout:  N/A

      Restart timeout:  N/A

       Session Uptime:  1802s

    Common Session ID:  AC1E31AA00000014003FF110

      Acct Session ID:  0x0000000B

               Handle:  0x7E000007

       Current Policy:  POLICY_Gi1/0/2

Local Policies:

        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

           Vlan Group:  Vlan: 3180

Method status list:

       Method           State

       dot1x            Stopped

       mab              Authc Success

Authentication policy:

authentication policy.png

Authorization policy:

authorization policy.png

Authentication profiles:

authorization Profiles.png

I have checked dACL and CWA in the central_webauth profile and VLAN in surf_vlan profile

My dACL is at the moment permit ip any any.

All inputs are welcome and thank you in advanced for stepping by.

ognyan.totev
Level 5
Level 5

If you have plus license you can use logical profiles ,and not manually add every printer or etc.

Second thing ,in mine deployment new switch 3650 default acl on port deny all traffic except permited one . When dot1x come

it take ACl from ISE but not apply it .That is in mine deployment.

What is permitted in your default ACL and what is your dACL? Can you share your authorization policies for wired mab?

-walwar

That's what i try to explain . I remove ACL from port ,and it take Dacl from ise correctly .I am not use Wired mab for guest,only for wireless. but ofc i can share it .

Thank you very much, could you share your Authorization policy as well? I don't think my problem is in authentication, it is in authorization. It might be either wrong or configured or missing something.

ognyan.totev
Level 5
Level 5