Cisco ISE configuration for onboarding hosts in Cisco SD-Access


Overview

This document provides details of the Cisco ISE configuration for customers who are onboarding wired and wireless users via 802.1X in the Cisco SD-Access solution.

It also covers the Cisco ISE configuration for onboarding wired and wireless Guest users in the Cisco SD-Access fabric.

Authentication Methods in Cisco SD-Access fabric

Using Cisco DNAC, you can choose between the following authentication templates:

Closed Authentication: This is the most restrictive authentication template. A host attempting to connect to the network is first required to use dot1x authentication. If dot1x authentication fails, the host is permitted to try to authenticate using MAC Authentication Bypass (MAB). If MAB also fails, the host has no access to the network.

Low Impact: Security is added by applying an ACL to the switch port to allow very limited network access prior to authentication. After a host has been successfully authenticated, additional network access is granted.

No Authentication: This template deploys no additional configuration to the access ports. Hosts are not required to use any authentication method to access the network. Access is simply granted when the port moves to the Up/Up status.

Open Authentication: A host is allowed network access without having to go through 802.1X authentication.

Details regarding how to build the Cisco SD-Access fabric can be found here:

How to deploy Cisco SD-Access (SDA) Fabric from start to finish with Cisco DNAC 1.3.1

 

Cisco ISE configuration details for onboarding users in the Cisco SD-Access fabric via 802.1X are outlined below:

Wired Dot1X Authorization Profiles and Policies

The authorization policy applies the VLAN and SGT assignment based on the authorization conditions/attributes. Below is one way to push VLANs dynamically from ISE; many other conditions can be used for authorization in ISE as well. These policies are specific to the authenticating user's identity group.

After successful authentication, ISE will look at the User Identity Group the authenticated user is part of and assign the VLAN and SGT accordingly (e.g. Employees).

The authentication table checks who you are, and the authorization table gives you access to the right resources. If the user’s password is correct, authentication succeeds, and the authorization policy is then matched depending on the authorization policy conditions.

Upon successful match of authorization policy, the user is placed into the configured VLAN and assigned the configured SGT. This section explains how to create an authorization result for each user Identity Group. The authorization result is used in an authorization policy that informs the edge switch which VLAN and SGT to apply to the successfully authenticated endpoint/user.

Authorization Profile for Employees

  1. In ISE, click Authorization Profiles from the left-hand pane under Policy > Policy Elements > Results  > Authorization.

  2. Click Add from the right-hand pane and enter the values for the Authorization Profile as shown below.


 

More details on how an IP pool defined in DNAC maps to a VLAN name like the one used above can be found in the following link:

How to SDA Host Onboarding with ISE

 

Details about Cisco ISE posture can be found in the following guide:

Cisco ISE Posture Prescriptive Deployment Guide

 

The resultant Attribute Details should appear at the bottom of the page as below:


  3. Scroll to the bottom and click [ Submit ] to apply the changes.

You can create similar profiles for the other user groups in the network.

Policy Set for Wired Dot1X

Navigate to Policy > Policy Sets.

 


 

 

  1. Use one of the three ways shown above and add a new Policy Set.

  2. As a good practice, change the status to [ Disabled ], as this policy set is incomplete.


  3. Update the policy set name to Wired1X.

  4. Click + under the Conditions column to bring up the Conditions Studio and add conditions.


Inside the Conditions Studio, the Library on the left holds saved conditions for re-use. Scroll up and down to find a condition visually, or use the [ Search by Name ] box at the top left of the screen to narrow down the list of conditions. You can also hover over and click the category icons above the list of saved conditions to filter by category.

  5. Locate the Wired_802.1X condition in the Library on the left, click and hold on the condition, drag it to the right panel, and drop it onto the block that has the + sign.


  6. Scroll down the Conditions Studio and click the [ Use ] button at the bottom right of the screen.

  7. After returning to the policy set list view, click the [ Select from list ] drop-down under Allowed Protocols / Server Sequence and choose Default Network Access from the list. Click [ Save ].

The policy set should look similar to below:

Click the right arrow > to expand the policy set Wired1X. The authentication, authorization and exception policies are listed as shown above. To see the full Authorization Policy, collapse the Authentication Policy and expand the Authorization Policy in the Policy Sets > Wired1X screen.


 

  1. Next, we will insert a rule for Employees. Click + above the Default rule to insert a new one. Rename the rule to Employee.

  2. Click + under the Conditions column and bring up the Conditions Studio to add a condition.

  3. Under the Editor on the right pane, click on the box [ Click to add an attribute ].

  4. Use the icon filter Identity Group to narrow down the attributes pertaining to ID groups. Then, select IdentityGroup:Name.

  5. On the right-hand side of EQUALS, type in the first few characters of Employee to find and select User Identity Groups:Employee.

  6. Click [ Use ] to close the Conditions Studio and return to the policy set view.

  7. For the Results > Profiles of this rule, select CampusEmployees.

  8. The authorization policy is complete. Scroll up to the policy set name Wired1X and toggle the policy set status to Enabled. Then, click [ Save ].

The policies in ISE are enforced when their conditions are matched. The authenticated user/endpoint's attributes are evaluated against the policies (rules) from the top of the list downwards. Once a condition/attribute is matched, the associated authorization result profile and SGT (Security Group) are applied to the user/endpoint's RADIUS session.
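The top-down, first-match evaluation described above, as an added example that is not from the article and not ISE code: a small Python model of the Wired1X and Wireless1X policy sets with their Employee, Contractor and Default rules, returning the attributes the matched profile pushes (the RFC 2868 tunnel attributes for the VLAN, the cts:security-group-tag AV pair for the SGT, or Airespace-Interface-Name for the pre-16.12.3 Cat9800 case noted later). The session fields, the VLAN names and the Contractor profile are constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model (added example, not ISE code): policy sets and their rules are
# evaluated top-down, first match wins, and the matched profile's attributes go to the NAD.
Session = Dict[str, object]
Cond = Callable[[Session], bool]
class Profile:
    def __init__(self, vlan: Optional[str] = None, sgt: Optional[str] = None,
                 airespace: bool = False, deny: bool = False):
        self.vlan, self.sgt, self.airespace, self.deny = vlan, sgt, airespace, deny
    def radius_attrs(self) -> Dict[str, str]:
        if self.deny:                            # DenyAccess (the Default rule)
            return {"Access": "Reject"}
        attrs: Dict[str, str] = {}
        if self.vlan and self.airespace:         # Cat9800 before IOS-XE 16.12.3
            attrs["Airespace-Interface-Name"] = self.vlan
        elif self.vlan:                          # RFC 2868 dynamic VLAN assignment
            attrs.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                          "Tunnel-Private-Group-ID": self.vlan})
        if self.sgt:                             # TrustSec tag applied to the session
            attrs["cts:security-group-tag"] = self.sgt
        return attrs

def dot1x_over(port_type: str) -> Cond:        # Wired_802.1X / Wireless_802.1X
    return lambda s: s["nas_port_type"] == port_type and s["method"] == "dot1x"
def in_group(name: str) -> Cond:               # IdentityGroup:Name EQUALS <name>
    return lambda s: name in s["identity_groups"]

# (policy set name, entry condition, ordered rules of (name, condition, profile))
POLICY_SETS: List[Tuple[str, Cond, List[Tuple[str, Optional[Cond], Profile]]]] = [
    ("Wired1X", dot1x_over("Ethernet"), [
        ("Employee", in_group("Employee"), Profile("Campus_Employees", "Employees")),
        ("Contractor", in_group("Contractor"), Profile("Campus_Contractors", "Contractors")),
        ("Default", None, Profile(deny=True)),
    ]),
    ("Wireless1X", dot1x_over("Wireless-802.11"), [   # SGT only: no VLAN for wireless
        ("Employee", in_group("Employee"), Profile(sgt="Employees")),
        ("Contractor", in_group("Contractor"), Profile(sgt="Contractors")),
        ("Default", None, Profile(deny=True)),
    ]),
]

def authorize(session: Session) -> Tuple[str, str, Dict[str, str]]:
    """Return (policy set, rule, attributes) for the first rule that matches."""
    for ps_name, ps_cond, rules in POLICY_SETS:
        if ps_cond(session):
            for rule_name, cond, profile in rules:
                if cond is None or cond(session):
                    return ps_name, rule_name, profile.radius_attrs()
    return "Default", "Default", {"Access": "Reject"}
```

A user who is in both the Employee and Contractor groups lands on the Employee rule because it sits higher in the list, which is why rule order matters as much as the conditions themselves.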

Wireless Dot1X Authorization Profiles and Policies

For wireless, the VLAN attribute is not essential. However, if you want a single authorization profile for both wired and wireless users, you can reuse the authorization profile created for wired for wireless as well.

This document uses separate policy sets for wired and wireless authentication; you can also use the same policy set for both.

The configuration below creates a separate authorization policy for wireless.

  1. In ISE, go to Policy > Policy Sets.

  2. Use Duplicate above on the policy set Wired1X as shown below.

  3. In the duplicate, update the policy set name to Wireless1X and the conditions to Wireless_802.1X. Save the policy sets. After saving, click the view icon > to open the details of the policy set.

  4. Expand the last section, Authorization Policy, and update the results of the two rules Employee and Contractor by (a) removing the authorization profiles and then (b) adding the security groups Employees and Contractors, respectively, as shown below.

  5. Save once done.

Note:

For Cat9800 controllers running IOS-XE versions prior to 16.12.3, you need to create a separate authorization profile just for the 9800 and use the "airespace-interface-name" attribute to send the VLAN.


 

Wired Guest Authorization Profiles and Policies

Cisco ISE comes with policies and profiles for wireless guests. In this section, we will make adjustments to these pre-built elements for wired guests in SD-Access.

Authorization Profile for Wired Web Auth

  1. In ISE, click Authorization Profiles from the left-hand pane under Policy > Policy Elements >  Results > Authorization.

  2. Locate the Authorization Profile Cisco_WebAuth. Select it and Duplicate.

  3. In the edit page, update the name to sdaWiredWebAuth. Then, scroll down to the section Common Tasks, first locate VLAN and put Guest into the text box next to ID/Name. Then, locate Web Redirection (CWA, MDM, NSP, CPP), enable Static IP/Host name/FQDN, and put the ISE IP Address into the text input box, as shown below.

 

 

A static IP is needed only in a lab environment where there is no DNS setup; in that case the ISE IP address can be used for redirection.

  4. Scroll to the bottom and click [ Submit ] to apply the changes.

Authorization Profile for Wired Guest Access

  1. In the Standard Authorization Profiles pane in ISE, click Add and enter the values for the Authorization Profile as shown below.

The resultant Attribute Details should appear at the bottom of the page as follows:

  2. Scroll to the bottom and click [ Submit ] to apply the changes.

Policy Rules for Wired Guest Auth and Access

  1. Navigate to Policy > Policy Sets. Then, click > at the right end of the Default policy set to view its details.

  2. Expand the Authorization Policy section and scroll all the way down. Insert two rules before the Basic_Authenticated_Access rule as shown below, and then Save.

Wireless Guest Authorization Profiles and Policies

There is a workflow for this from Cisco DNAC which pushes the configuration to Cisco ISE.

Design

Create Guest Wireless SSID

Navigate to DESIGN > Network Settings > Wireless and select Global in the Network Hierarchy.

  1. Click Add to create a new Guest Wireless Network.

  2. In (1), enter a Wireless Network Name (SSID).

  3. Leave the default settings for SSID State, Wireless Options, Level of Security and Authentication Server. For the option "Where will your guests redirect after successful authentication?", change Original URL to Success Page. Click Next.

  4. In (2) Wireless Profiles, select the wireless profile created for the fabric-enabled Enterprise Wireless.

  5. In the Edit Wireless Profile slide-out, verify Yes for Fabric. Scroll down and Save.

  6. Click Next in (2).

  7. In (3) Portal Customization, click Add.

  8. Give a descriptive Portal Name.

  9. Click Save.

  10. Click Finish.

 

Update ISE Authorization Profile

Updating this authorization profile is needed only in a lab environment where there is no DNS for redirection and the static IP of ISE has to be used, similar to the Wired Guest profile created above.

  1. In ISE, click Authorization Profiles from the left-hand pane under Policy > Policy Elements > Results > Authorization.

  2. Locate the Authorization Profile created for the Guest (e.g. dnacGuestPortalPod6_Profile). Select it and Edit.

  3. In the edit page, scroll down to the section Common Tasks, locate Web Redirection (CWA, MDM, NSP, CPP), enable Static IP/Host name/FQDN, and put the ISE IP Address into the text input box, as shown below.

  4. Scroll to the bottom and click [ Save ] to apply the changes.

Provision WLC

  1. In Cisco DNA Center, go to Provision > Devices. Focus on Inventory.

  2. Select WLCs as the device type and select WLC-5520.

  3. Go to Actions > Provision and select Provision Device.

  4. In (1) Assign Site, keep the current site and click Next.

  5. In (2) Configuration, review and leave the configuration as is and click Next.

  6. In (3) Advanced Configuration, click Next.

  7. In (4) Summary, review and click Deploy.

  8. Leave the Now radio button selected and click Apply to start provisioning.

  9. Go to WLC > WLANs. Verify that the SSID created in DNAC is listed and that its status is Disabled.

 

Add WLC to Fabric

This step is needed only if the WLC was not provisioned into the fabric before.

  1. Access Cisco DNA Center web UI

  2. Go to PROVISION > Fabric

  3. Select the main site from left panel.

  4. Under Fabric Infrastructure, select WLC-5520

  5. Under Fabric, turn the Wireless switch on and click Add.

Assign IP Pool to Guest SSID

  1. Go to PROVISION > Fabric

  2. Select fabric domain University

  3. Select the main fabric site.

  4. Go to Host Onboarding

  5. In the Wireless SSIDs section, select the Address Pool for Guest. Click Save and then Apply.

Check that the WLAN status is Enabled

  1. Log in to the WLC and go to WLC > WLANs.

  2. Check that the guest SSID is now Enabled.

Note: The status is now Enabled.