Cisco ISE 2.2 - Very New to ISE

Deepthi
Level 1

Hi Friends, 

I am really new to ISE. I have experience working with ASA and am aware of the AAA concepts, but apart from that, I do not have any idea about ISE.

I followed some videos and documents, and could integrate the AD server with ISE, connect an endpoint via a switch (2960), and do the MAB and Dot1x authentications.

After this, I am stuck, because the videos I referred to were for ISE 1.3, and the ISE version I am using is 2.2, and trust me, it's very confusing when you start doing the profiling and posturing.

I was given the below tasks:

1. Be able to authenticate Mac (Apple) users who connect to the corp. network via VPN using ISE

2. Wireless users to authenticate with ISE

And I feel doomed. :(

I hope someone could give me suggestions on how to move forward.

Thank you so much in advance.

4 Replies

dirkmelvin
Level 1

Statements/Issues/Questions like this are unfortunately VERY common. I think the largest cause is how Cisco 'plays it close to the vest' on the more detailed information. And that is probably because they don't want just anyone to jump into potentially VERY important (and business critical) configurations and cause even larger problems potentially for everyone. (or maybe they just want the additional income from requiring anyone that wants to know how to work on these things to get a certification).

At any rate, I promise configuring ISE from scratch is very doable... IF you have time to spend and an environment that will allow you to learn. I started out with ISE 1.1; the company we worked with to get it implemented assigned us a Cisco expert that seemed almost as green as me when it came to how to actually configure ISE for our setup. I feel that I pretty much learned it all on the fly during that implementation and almost on my own. I did not have time to do so, nor did we have an environment that allowed me the luxury of 'playing to learn'. My company wanted this implemented and did not give me 'warm and fuzzies' for any delays or issues we had.

We are now running on ISE v1.4u? born from this original implementation. I actually have ISE v2.2 running on our HyperV cluster (but having network related issues specific to talking to ISE), because we implemented an MDM solution that required v2.2 to work properly. So now I also need to convert/migrate our rules from 1.4 to our 2.2 (and quickly, I only have 30 days left of our 90-day trial).

It is NOT easy, but if you have the ability, I suggest diving head first in getting to know it. Read up, read older version docs, to get a feel of how operations have changed and how the product has improved (or gotten worse). Read through all the forums you can find. I still feel like I have a LOT to learn and I have been working with ISE for 5 years now.

You can go back and look at some of my posts here to see some of my struggles.

Thank you very much for the support. I am trying to learn and practice as much as I can.

Have a good day..!

I would agree that ISE can be daunting. I would not agree that information from Cisco is in short supply.

Have a look at the literally dozens of implementation guides and documents Cisco has published on the ISE Community page:

https://communities.cisco.com/community/technology/security/pa/ise

I also recommend the Cisco Press book, just updated in June to the 2nd edition:

http://www.ciscopress.com/store/cisco-ise-for-byod-and-secure-unified-access-9781587144738

Don't forget that Cisco Live presentations are free to view and download the slides. There are many ISE presentations there.

http://www.ciscolive365.com

There is also a very nice series on the 3rd party labminutes site:

http://www.labminutes.com/video/sec/ISE

He is also developing ISE 2.2 versions of the videos.

Hi Marvin,
Thank you very much for the references provided. 
I did find the labminutes videos online before my post here and was referring to them, and also the CBT Nuggets for ISE.

** I am really sorry for the lengthy post. I would like you to give me suggestions on my query.

But I do have a few confusions over "Remote VPN users getting authenticated via Cisco ISE".
My current setup:
1. Windows users (using the in-built Windows VPN client) are remotely accessing the internal machines (Windows laptop -> ASA -> LDAP server) - access works perfectly fine with the config shared below.
2. Mac users (they are using the in-built VPN client) - access works perfectly fine with the config shared below.
For compliance, I need to use MS-CHAP for authentication.
=== My doubt here is: for RADIUS (MS-CHAP) to work for Mac users, what are the changes I need to make?
Please refer to the configurations (I changed the IPs and domain names for security reasons).

Current ASA configuration 
## for windows users - ASA configuration for RAS VPN
## Tunnel group:
tunnel-group DefaultRAGroup general-attributes
address-pool WIN_POOL
authentication-server-group RR_LDAP
authorization-server-group RR_LDAP
default-group-policy WIN_POLICY
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key Cisco
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
## Group Policy
group-policy WIN_POLICY internal
group-policy WIN_POLICY attributes
dns-server value 172.16.24.5 172.16.24.22
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
default-domain value RR.net
## IP POOL
ip local pool WIN_POOL 10.10.40.1-10.10.40.254 mask 255.255.255.0
## for MAC users - ASA configuration for RAS VPN
## Tunnel group:
tunnel-group RRVPN type remote-access
tunnel-group RRVPN general-attributes
address-pool RR-VPN-POOL
authentication-server-group RR_LDAP
authorization-server-group RR_LDAP
default-group-policy RRVPN
authorization-required
tunnel-group RRVPN ipsec-attributes
ikev1 pre-shared-key Cisco

## Group policy

group-policy RRVPN internal
group-policy RRVPN attributes
dns-server value 172.16.24.5 172.16.24.22
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RRVPN_SPLIT
default-domain value RR.net

## IP POOL
ip local pool RR-VPN-POOL 10.10.20.1-10.10.20.254 mask 255.255.255.0
### AAA configuration
aaa-server RR_LDAP protocol ldap
aaa-server RR_LDAP (INTERNAL) host 172.16.24.5
server-port 636
ldap-base-dn DC=RR,DC=net
ldap-scope subtree
ldap-login-password Cisco
ldap-login-dn vpnldap@RR.net
ldap-over-ssl enable
server-type microsoft


aaa-server FF_RADIUS protocol radius
aaa-server FF_RADIUS (INTERNAL) host 172.16.24.22
key Cisco
user-identity default-domain LOCAL
aaa authentication http console FF_RADIUS LOCAL
aaa authentication ssh console FF_RADIUS LOCAL
aaa authentication enable console FF_RADIUS LOCAL

Configuration which was in my mind: Proposed ASA configuration
## for windows users - ASA configuration for RAS VPN
## Tunnel group:
tunnel-group DefaultRAGroup general-attributes
address-pool WIN_POOL
authentication-server-group RR_Authserver
authorization-server-group RR_Authserver
default-group-policy WIN_POLICY
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key Cisco
tunnel-group DefaultRAGroup ppp-attributes
authentication mschap

## Group Policy

group-policy WIN_POLICY internal
group-policy WIN_POLICY attributes
dns-server value 172.16.24.5 172.16.24.22
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
default-domain value RR.net
user-authentication enable
user-authentication-idle-timeout 1
address-pools value WIN_POOL

## IP POOL
ip local pool WIN_POOL 10.10.40.1-10.10.40.254 mask 255.255.255.0
## for MAC users - ASA configuration for RAS VPN
## Tunnel group:


tunnel-group RRVPN type remote-access
tunnel-group RRVPN general-attributes
address-pool RR-VPN-POOL
authentication-server-group RR_Authserver
authorization-server-group RR_Authserver
default-group-policy RRVPN
authorization-required
tunnel-group RRVPN ipsec-attributes
ikev1 pre-shared-key Cisco

## Group policy

group-policy RRVPN internal
group-policy RRVPN attributes
dns-server value 172.16.24.5 172.16.24.22
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RRVPN_SPLIT
default-domain value RR.net
user-authentication-idle-timeout 5
address-pools value RR-VPN-POOL

## IP POOL
ip local pool RR-VPN-POOL 10.10.20.1-10.10.20.254 mask 255.255.255.0
AAA Config:
New configuration:
Radius:
aaa-server RR_Authserver protocol radius
aaa-server RR_Authserver (INTERNAL) host 172.16.24.252
key Cisco
 Tacacs+:

aaa-server RR_mgmt_auth protocol tacacs+
aaa-server RR_mgmt_auth (INTERNAL) host 172.16.24.252
key Cisco

aaa authentication telnet console LOCAL
aaa authentication ssh console RR_mgmt_auth LOCAL
aaa authentication enable console RR_mgmt_auth LOCAL
aaa authentication http console RR_mgmt_auth LOCAL
aaa authorization command RR_mgmt_auth LOCAL
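As an added example (not part of this thread and not a Cisco-published configuration), the fragment below shows the posted tunnel groups moved from PAP against LDAP to MS-CHAPv2 against the RADIUS server, with the weak shared secrets replaced. It assumes the RADIUS server at 172.16.24.252 is ISE with MS-CHAPv2 permitted in the allowed-protocols policy; that `password-management` (tunnel-group general attributes), `mschapv2-capable` (aaa-server host) and `authentication ms-chap-v2` (ppp-attributes) are the ASA keywords that switch these paths to MS-CHAPv2 on the ASA release in use (check the release's command reference); and that the secrets in angle brackets are constructed placeholders, not real values. The reason the current setup only works with PAP is that an LDAP bind needs the user's cleartext password; MS-CHAPv2 needs a RADIUS server that can verify the challenge/response itself, which ISE joined to AD can do.

```cisco
! Added example, not from the thread. Names, pools and addresses are the posted
! ones; the secrets in angle brackets are constructed placeholders.

! --- RADIUS server used for VPN user authentication and authorization ---
aaa-server RR_Authserver protocol radius
aaa-server RR_Authserver (INTERNAL) host 172.16.24.252
 key <long-random-radius-secret>
 mschapv2-capable
! "key" protects every RADIUS exchange with the server; a dictionary word
! such as the posted one should not be used. mschapv2-capable is the default,
! spelled out here so the intent is visible in the saved config.

! --- Windows users (L2TP/IPsec): PPP authentication moved from PAP to MS-CHAPv2 ---
tunnel-group DefaultRAGroup general-attributes
 address-pool WIN_POOL
 authentication-server-group RR_Authserver
 authorization-server-group RR_Authserver
 default-group-policy WIN_POLICY
 authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <long-random-psk>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication ms-chap-v2
! PAP carries the user's password in the clear inside the PPP session; the
! Windows client must also be set to MS-CHAPv2 or the negotiation will fail.

! --- Mac users (native IKEv1/IPsec client): XAUTH sent to RADIUS as MS-CHAPv2 ---
tunnel-group RRVPN general-attributes
 address-pool RR-VPN-POOL
 authentication-server-group RR_Authserver
 authorization-server-group RR_Authserver
 default-group-policy RRVPN
 authorization-required
 password-management
tunnel-group RRVPN ipsec-attributes
 ikev1 pre-shared-key <long-random-psk>
! password-management is the tunnel-group setting that makes the ASA use
! MS-CHAPv2 rather than PAP toward the RADIUS server for this group's logins
! (it also enables password-expiry prompting). The group PSK is shared by every
! Mac client, so keep it long and random and rotate it when people leave.

! --- Device management: TACACS+ with local fallback, SSH only ---
aaa-server RR_mgmt_auth protocol tacacs+
aaa-server RR_mgmt_auth (INTERNAL) host 172.16.24.252
 key <long-random-tacacs-secret>
aaa authentication ssh console RR_mgmt_auth LOCAL
aaa authentication enable console RR_mgmt_auth LOCAL
aaa authentication http console RR_mgmt_auth LOCAL
aaa authorization command RR_mgmt_auth LOCAL
! No "aaa authentication telnet console" line: telnet sends the admin password
! in the clear, so leave telnet access unconfigured and manage over SSH only.
```

To check the server side before touching the tunnel groups, `test aaa-server authentication RR_Authserver host 172.16.24.252 username <user> password <pw>` from the ASA confirms the RADIUS key and reachability, and ISE's RADIUS live logs should then show the authentication protocol as MS-CHAPv2 rather than PAP for a real VPN login. Any shared secret or LDAP bind password that has been pasted into a thread should be treated as disclosed and rotated, even when the addresses around it were changed.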