ISE - Switch Configuration

Cisco Employee

In this blog post, I'm going to set up my 3650 switch with basic Layer 2, Layer 3 and dot1x configurations. I'll walk through some of the basic configurations and explain why I'm configuring it as I am.

I'm starting with a completely unconfigured switch so to start, I like to configure it with a username, SSH, etc:

conf t
username admin privilege 15 password networknode
enable password networknode

ip domain-name securitydemo.net
ip domain-lookup
ip name-server 10.1.100.40
hostname Sw1
crypto key gen rsa
1024

ip ssh version 2
ip ssh authentication-retries 2

line vty 5 15
transport input ssh
login local

Next, I'll configure my Layer 3 settings. I also include an ip helper-address pointing at the ISE server (10.1.100.21) so ISE can collect additional DHCP profiling information:

ip routing

vlan 10
name MGMT
vlan 50
name USER_VLAN
vlan 70
name GUEST_VLAN
vlan 100
name SERVER_VLAN

interface vlan 10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 50
ip address 10.1.50.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 70
ip address 10.1.70.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 100
ip address 10.1.100.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

ip route 0.0.0.0 0.0.0.0 10.1.10.99 <- This is the inside interface of my ASA 5506

ip ftp source-interface vlan100
ip tftp source-interface vlan100

For ports that are directly connected to my server and ASA, I'll start by giving them a base configuration without restriction. In a production environment, you usually have policies already set up and you can restrict these ports with dot1x and profiling, but in my lab I don't have any policies set up yet, so I need these servers and the ASA to keep their access:

interface range g1/0/1-6
switchport
switchport mode trunk
switchport trunk native vlan 10
spanning-tree portfast trunk

no shut

The next thing I configure is DHCP. In a production environment, you usually see DHCP centralized on a server and I could easily do so for my lab as well; I would only need to add a second ip helper-address to make it work. For the sake of simplicity, I'll just go ahead and configure it locally on the switch:

ip dhcp excluded-address 10.1.10.1 10.1.10.100
ip dhcp excluded-address 10.1.50.1 10.1.50.100
ip dhcp excluded-address 10.1.70.1 10.1.70.100
ip dhcp excluded-address 10.1.100.1 10.1.100.100

ip dhcp pool VLAN10
network 10.1.10.0 255.255.255.0
dns-server 10.1.100.40 <- My AD server
default-router 10.1.10.1

ip dhcp pool VLAN50
network 10.1.50.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.50.1

ip dhcp pool VLAN70
network 10.1.70.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.70.1

ip dhcp pool VLAN100
network 10.1.100.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.100.1

Next we are going to configure the AAA commands, which configure ISE as the RADIUS server on the switch so that the switch uses ISE for network AAA. I will also configure the switch to send certain RADIUS attributes to ISE. Note: ISE uses ports 1812 and 1813 for authentication and accounting. Older RADIUS devices have been known to use ports 1645 and 1646 for these functions; this is not the case with ISE:

aaa new-model

radius server ise
address ipv4 10.1.100.21 auth-port 1812 acct-port 1813

key networknode <- This is the shared key that we configured on ISE when we added this NAD

radius-server dead-criteria tries 3 <- Sets the condition used to decide when a RADIUS server is considered unavailable. With this configuration, the switch marks the server dead after 3 unanswered tries
radius-server deadtime 30 <- Sets the number of minutes (30 here) during which a RADIUS server marked dead is not sent requests.

aaa group server radius ise-group
server name ise <- We configured this a few lines back. If you have multiple ISE nodes, you'd add them all to this RADIUS group

aaa authentication login console local <- Going to keep console login local for now
aaa authentication login vty local <- Keeping VTY login local as well for now
aaa authentication enable default enable
aaa authorization exec default local <- Keeping EXEC mode local for now

aaa authentication dot1x default group ise-group <- Specifying to use our RADIUS group for dot1x authentication
aaa authorization exec vty local <- Keeping EXEC VTY authorization local for now
aaa authorization network default group ise-group <- Specifying our RADIUS group for network authorization
aaa authorization auth-proxy default group ise-group <- Required for VLAN/ACL assignment
aaa accounting dot1x default start-stop group ise-group <- Specifying our RADIUS group for dot1x accounting
aaa accounting auth-proxy default start-stop group ise-group  <- Enables accounting for dynamic ACLs and VLANs that can be downloaded

aaa session-id common
aaa accounting update periodic 5 <- Updates the accounting information periodically every 5 minutes

aaa server radius dynamic-author <- This enables ISE to act as an AAA server when interacting with the client
client 10.1.100.21 server-key networknode <- Use the same password you set up in ISE
server-key networknode <- You may not need to do this with your version of IOS but I noticed that in XE 3.07.01E, I had to add this extra separate line with the server key

radius-server vsa send accounting <- Tells the switch to send accounting vendor-specific attributes
radius-server vsa send authentication <- Tells the switch to send authentication vendor-specific attributes
Note: To see a list of vendor-specific attributes, check out this list here
radius-server attribute 6 on-for-login-auth <- Used to identify the Service-Type this RADIUS request is used for
radius-server attribute 6 support-multiple <- Supports multiple Service-Type values for each RADIUS profile
radius-server attribute 8 include-in-access-req <- This is to send the IP address of a user to the RADIUS server in the access request.
radius-server attribute 25 access-request include <- This is to include the Class attribute in the access request, which specifies the authorization action
radius-server attribute 31 mac format ietf upper-case <- This is to specify the MAC address format in the Calling-Station-Id. I recommend using IETF format on this one
radius-server attribute 31 send nas-port-detail <- This includes all NAS port details in the Calling Station ID

ip radius source-interface vlan 100

captive-portal-bypass <- This might only be necessary if you are using your 3650 as a wireless controller as well. I'll explain this command a bit more in the WLC configuration post.

dot1x system-auth-control <- Globally enables 802.1x SystemAuthControl (port-based authentication)

Now that I'm done with the RADIUS configuration, I'm going to add SNMP, logging, and additional configurations to provide ISE more details about the endpoints that connect to this switch.

I like to configure the switch to send MAC notifications, syslog logging and SNMP so the ISE profiler is able to collect information on the network endpoints:

mac address-table notification change
mac address-table notification mac-move

mac address-table notification change interval 0
authentication mac-move permit <- Enables MAC move on a switch between any authentication-enabled ports (MAB, 802.1X or Web-Auth)
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps mac-notification change
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.100.21 version 2c networknode mac-notification

snmp-server community networknode ro <- This is the SNMP community string we previously configured in ISE

no snmp-server group networknode v1

snmp-server trap-source vlan100
snmp-server source-interface informs vlan100
lldp run

logging origin-id ip <- This specifies that the IP address of the sending interface will be used as the message origin identifier
logging source-interface vlan100
logging host 10.1.100.21 transport udp port 20514
logging monitor informational

no ip dhcp snooping information option <- Stops the switch from adding DHCP Option 82 into the packet before forwarding it to ISE. If this option is left enabled, the relayed packet reaches ISE with a giaddr field of zero.
ip dhcp snooping
ip dhcp snooping vlan 10,50,70,100

epm logging <- Sets up standard logging functions on a switch to support possible troubleshooting/recording for ISE functions
ip device tracking <- This allows the switch to maintain an IP device tracking table. You must enable this feature to use web-based authentication
ip device tracking probe use-svi <- This configures the switch to send a non-RFC-compliant ARP probe. The IP source will no longer be 0.0.0.0 but the SVI address of the VLAN where the host resides. A Windows machine then no longer sees the probe as an ARP probe as defined by RFC 5227 and therefore will not flag a potential duplicate IP address

device-sensor accounting <- This command enables the addition of sensor protocol data to account records and enables the generation of additional accounting events when new sensor data is detected.
device-sensor notify all-changes <- Enables client notifications and accounting events for all TLV changes, i.e. whenever either a new TLV is received or a previously received TLV arrives with a new value in the context of a given session.
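The ARP-probe behaviour behind the ip device tracking probe use-svi command, as an added example that is not part of the original post: it builds two constructed ARP requests (one with a 0.0.0.0 sender IP as the default probe, one sourced from the VLAN 70 SVI 10.1.70.1), parses them, and applies the RFC 5227 conflict rules a host runs. The switch and host MAC addresses and the host IP 10.1.70.50 are constructed sample values.

```python
"""Why a 0.0.0.0-sourced device-tracking probe can trigger a duplicate-IP
warning on a host, and why sourcing it from the SVI does not.

Added example (not from the original post). Addresses below are constructed.
"""
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

SWITCH_MAC = "00:11:22:33:44:55"   # constructed: the switch's SVI MAC
HOST_MAC = "aa:bb:cc:dd:ee:ff"     # constructed: a tracked host on VLAN 70
HOST_IP = "10.1.70.50"             # constructed host address in 10.1.70.0/24
SVI_IP = "10.1.70.1"               # interface vlan 70 from the post


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp_request(src_mac, sender_ip, target_ip):
    """Broadcast ARP request, shaped like a device-tracking probe."""
    eth = ETH.pack(mac_bytes("ff:ff:ff:ff:ff:ff"), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                   mac_bytes(src_mac), ip_bytes(sender_ip),
                   mac_bytes("00:00:00:00:00:00"), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode the Ethernet + ARP headers into printable fields."""
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}


def is_arp_probe(pkt):
    """RFC 5227 section 2.1.1: an ARP Probe is a request with an all-zero sender IP."""
    return pkt["op"] == ARP_REQUEST and pkt["sender_ip"] == "0.0.0.0"


def host_detects_conflict(frame, host_mac, host_ip, host_probing):
    """Apply the RFC 5227 conflict rules from the point of view of the host.

    host_probing=True models the window in which the host is still doing its own
    address-conflict detection (e.g. right after DHCP), which is when the
    switch's probe typically collides with it.
    """
    pkt = parse_arp(frame)
    if pkt["sender_mac"] == host_mac:
        return False                       # our own packet, never a conflict
    if pkt["sender_ip"] == host_ip:
        return True                        # sec 2.4: someone else claims our IP
    if host_probing and is_arp_probe(pkt) and pkt["target_ip"] == host_ip:
        return True                        # sec 2.2.1: another probe for our IP
    return False


def compare_probe_modes():
    """Conflict verdicts for the default probe versus the use-svi probe."""
    default_probe = build_arp_request(SWITCH_MAC, "0.0.0.0", HOST_IP)
    svi_probe = build_arp_request(SWITCH_MAC, SVI_IP, HOST_IP)
    return {
        "default_while_host_probing": host_detects_conflict(default_probe, HOST_MAC, HOST_IP, True),
        "default_after_host_settled": host_detects_conflict(default_probe, HOST_MAC, HOST_IP, False),
        "use_svi_while_host_probing": host_detects_conflict(svi_probe, HOST_MAC, HOST_IP, True),
        "use_svi_after_host_settled": host_detects_conflict(svi_probe, HOST_MAC, HOST_IP, False),
    }


if __name__ == "__main__":
    for mode, conflict in compare_probe_modes().items():
        print(f"{mode:28s} duplicate-IP flagged: {conflict}")
```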

In order to have URL redirection on the switch for Web-Auth, you must enable HTTP/HTTPS on the switch. You also need to define a local default ACL on your switch:

ip http server
ip http secure-server


ip access-list ext ACL-DEFAULT
deny udp any any eq domain
deny udp any eq bootpc any eq bootps
deny tcp any host 10.1.100.21 eq 8443
deny tcp any host 10.1.100.21 eq 8905
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any


Note: This ACL-DEFAULT ACL will be for our WebAuth Redirect. Whatever is "permitted" in this list will be redirected so in order to have the computer get an IP address, be able to use DNS and access ISE, we must create "deny" statements. You can lock this down further by configuring the allowed ports between ISE and the device to be 8443 and 8905 which would be the WebAuth portals. The logic of the ACL is a little backwards compared to what you think of when you think of an ACL but it's only for the WebAuth for the switches.
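First-match evaluation of the ACL-DEFAULT redirect ACL above, as an added example that is not part of the original post: each ACL line becomes a rule, a set of constructed sample flows from a guest-VLAN host is run through it in order, and a "permit" match is reported as a redirect to the portal rather than as granted access. The sample addresses 10.1.70.50 and 198.51.100.10 are constructed; 10.1.100.21 and 10.1.100.40 are the ISE and AD servers from the post.

```python
"""Model of how the switch applies a web-auth redirect ACL (added example).

On a redirect ACL, "permit" means "intercept and redirect to the ISE portal"
and "deny" means "forward normally"; the first matching line wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ISE_NODE = "10.1.100.21"   # ISE node from the post


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" = redirect, "deny" = pass through
    proto: str               # "tcp", "udp" or "ip" (matches any IP protocol)
    src: str                 # "any" or CIDR
    src_port: Optional[int]  # None = any port
    dst: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# ACL-DEFAULT from the post, one Rule per line, in the original order.
ACL_DEFAULT: List[Rule] = [
    Rule("deny", "udp", "any", None, "any", 53),                # deny udp any any eq domain
    Rule("deny", "udp", "any", 68, "any", 67),                  # deny udp any eq bootpc any eq bootps
    Rule("deny", "tcp", "any", None, ISE_NODE + "/32", 8443),   # deny tcp any host 10.1.100.21 eq 8443
    Rule("deny", "tcp", "any", None, ISE_NODE + "/32", 8905),   # deny tcp any host 10.1.100.21 eq 8905
    Rule("permit", "tcp", "any", None, "any", 80),              # permit tcp any any eq 80
    Rule("permit", "tcp", "any", None, "any", 443),             # permit tcp any any eq 443
    Rule("deny", "ip", "any", None, "any", None),               # deny ip any any
]


def _addr_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def _port_matches(spec: Optional[int], port: int) -> bool:
    return spec is None or spec == port


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    return (_addr_matches(rule.src, flow.src_ip) and _port_matches(rule.src_port, flow.src_port)
            and _addr_matches(rule.dst, flow.dst_ip) and _port_matches(rule.dst_port, flow.dst_port))


def first_match(acl: List[Rule], flow: Flow) -> str:
    """Action of the first matching entry; an IOS ACL ends with an implicit deny."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def is_redirected(flow: Flow) -> bool:
    """True when the switch would intercept this flow and send the client to the portal."""
    return first_match(ACL_DEFAULT, flow) == "permit"


# Constructed sample traffic from a host on the guest VLAN (10.1.70.0/24 in the post).
SAMPLE_FLOWS = [
    Flow("udp", "10.1.70.50", 40000, "10.1.100.40", 53),     # DNS to the AD server
    Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),       # DHCP discover
    Flow("tcp", "10.1.70.50", 50001, ISE_NODE, 8443),        # ISE guest portal
    Flow("tcp", "10.1.70.50", 50002, ISE_NODE, 8905),        # ISE posture/provisioning
    Flow("tcp", "10.1.70.50", 50003, "198.51.100.10", 80),   # plain HTTP to the internet
    Flow("tcp", "10.1.70.50", 50004, "198.51.100.10", 443),  # HTTPS to the internet
    Flow("tcp", "10.1.70.50", 50005, "198.51.100.10", 22),   # SSH: not redirected, just dropped by the port ACL
]


def classify_flows(flows: List[Flow]) -> dict:
    return {f"{f.proto}:{f.dst_ip}:{f.dst_port}": ("redirect" if is_redirected(f) else "pass")
            for f in flows}


if __name__ == "__main__":
    for key, verdict in classify_flows(SAMPLE_FLOWS).items():
        print(f"{key:30s} {verdict}")
```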

The last thing I will do is configure the interfaces that will be ISE-protected. In the following configuration, I will break it up a bit to explain what I am configuring on the port-level:

interface range g1/0/7-48
description ISE dot1x Port
switchport access vlan 70
switchport mode access

spanning-tree portfast
spanning-tree bpduguard enable

Under the port configuration, the following set of commands enables re-authentication via RADIUS Session-Timeout:
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50

authentication event server dead action authorize voice
authentication timer reauthenticate server
authentication timer inactivity server

The following command allows voice and multiple endpoints on the same physical access port:
authentication host-mode multi-auth

This command enables pre-auth access before AAA response which is subject to the port ACL:
authentication open

These commands are here to specify that IOS Flex-Auth authentication should perform 802.1X first and then MAB:
authentication order dot1x mab
authentication priority dot1x mab

These commands enable port-based authentication on the interface:
authentication port-control auto
authentication violation restrict

This command enables re-authentication on the interface:
authentication periodic

This command enables MAC Authentication Bypass (MAB) on the interface:
mab

This command enables 802.1x authentication on the interface:
dot1x pae authenticator

This command sets the retransmit period to 10 seconds:
dot1x timeout tx-period 10

These commands enable the SNMP trap for added and removed MACs on the interface:
snmp trap mac-notification change added
snmp trap mac-notification change removed

We configure the default ACL on the interface which will prepend dACLs from the ISE server:
ip access-group ACL-DEFAULT in



In the end, the final configuration should resemble the following:

username admin privilege 15 password networknode
enable password networknode

ip domain-name securitydemo.net
hostname Sw1
crypto key gen rsa
1024

ip ssh version 2
ip ssh authentication-retries 2

line vty 5 15
transport input ssh
login local

ip routing

vlan 10
name MGMT
vlan 50
name USER_VLAN
vlan 70
name GUEST_VLAN
vlan 100
name SERVER_VLAN

interface vlan 10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 50
ip address 10.1.50.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 70
ip address 10.1.70.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 100
ip address 10.1.100.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

ip route 0.0.0.0 0.0.0.0 10.1.10.99

ip ftp source-interface vlan100
ip tftp source-interface vlan100

interface range g1/0/1-6
switchport
switchport mode trunk
switchport trunk native vlan 10
spanning-tree portfast trunk

no shut

ip dhcp excluded-address 10.1.10.1 10.1.10.100
ip dhcp excluded-address 10.1.50.1 10.1.50.100
ip dhcp excluded-address 10.1.70.1 10.1.70.100
ip dhcp excluded-address 10.1.100.1 10.1.100.100

ip dhcp pool VLAN10
network 10.1.10.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.10.1

ip dhcp pool VLAN50
network 10.1.50.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.50.1

ip dhcp pool VLAN70
network 10.1.70.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.70.1

ip dhcp pool VLAN100
network 10.1.100.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.100.1

aaa new-model

radius server ise
address ipv4 10.1.100.21 auth-port 1812 acct-port 1813

key networknode

radius-server dead-criteria tries 3
radius-server deadtime 30

aaa group server radius ise-group
server name ise

aaa authentication login console local
aaa authentication login vty local

aaa authentication enable default enable
aaa authorization exec default local
aaa authentication dot1x default group ise-group
aaa authorization exec vty local
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting auth-proxy default start-stop group ise-group

aaa session-id common
aaa accounting update periodic 5

aaa server radius dynamic-author

client 10.1.100.21 server-key networknode
server-key networknode

radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 6 on-for-login-auth

radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include

radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail

ip radius source-interface vlan 100

captive-portal-bypass
dot1x system-auth-control

mac address-table notification change
mac address-table notification mac-move

snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.100.21 version 2c networknode mac-notification
snmp-server community networknode ro
no snmp-server group networknode v1

snmp-server trap-source vlan100
snmp-server source-interface informs vlan100
lldp run

logging origin-id ip
logging source-interface vlan100
logging host 10.1.100.21 transport udp port 20514
logging monitor informational

no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping vlan 10,50,70,100

epm logging

ip device tracking
ip device tracking probe use-svi

device-sensor accounting
device-sensor notify all-changes

ip http server
ip http secure-server

ip access-list ext ACL-DEFAULT
deny udp any any eq domain
deny udp any eq bootpc any eq bootps
deny tcp any host 10.1.100.21 eq 8443
deny tcp any host 10.1.100.21 eq 8905
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

interface range g1/0/7-48
description ISE dot1x Port
switchport access vlan 70
switchport mode access

spanning-tree portfast
spanning-tree bpduguard enable

authentication event fail action next-method
authentication event server dead action reinitialize vlan 50

authentication event server dead action authorize voice
authentication timer reauthenticate server
authentication timer inactivity server
authentication host-mode multi-auth

authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto

authentication violation restrict
authentication periodic
mab
dot1x pae authenticator

dot1x timeout tx-period 10
snmp trap mac-notification change added
snmp trap mac-notification change removed

ip access-group ACL-DEFAULT in

11 Comments
Beginner

Hi katmcnam

I follow you from your private blog site; you really give a simple and detailed setup for Cisco ISE. Thank you for your time. Great work, thank you again, you make our deployment for ISE very simple with your examples.....

Beginner

Hi Katherine

Question for you: do these commands not violate 802.1x when you are implementing ISE?

interface GigabitEthernetx/x
switchport port-security maximum 11
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security

Cisco Employee

I remember Aaron Woland mentioning in the BYOD ISE book not to add port security. I wouldn't recommend putting port-security commands on there. Imho, ISE is doing the same job of limiting how many hosts can come and go on that port and if your port gets shut down for port security instead of ISE, you're chasing rabbits trying to prove it's not ISE and troubleshooting both the switch and ISE. Kind of redundant. I'm sure there are more reasons not to mix them but that's just off the top of my head.

Beginner

Thank you more clear now.....you the best

Beginner

Thank you for offering this configuration, it seems like configuration examples as these are hard to come by.  Does this configuration "fail-open" so to speak, in that if dot1x or mab fails the user can still access the network or is that completely a function of ISE policies.  Today I had a perfectly good configuration that was working for days suddenly stop working and block the wired hosts behind the switch with no anomalies reported in ISE.  Tac referred me to this post.  Thanks again for your hard work.

Regards,
CJ

Contributor

Hi katmcnam

An excellent doc,appreciate your work.

Can you tell me which one is recommended config in case of dead server detection.


authentication event server dead action reinitialize/authorize --> should this be authorize or reinitialize

I also have seen some people use the below command to avoid any direct http sessions on the switch. Most auditing companies ask to disable http/https on switches

ip http active-session-modules none

Regards

Nikhil

Cisco Employee

Hello Christopher,

The above does not "fail open" if you have the pre-auth ACL I have on there (DEFAULT-ACL). Typically those preauth ACLs are comprised of basic services to allow someone to get an IP address and essentially log in, so they may vary from enterprise to enterprise.

There's a couple options you can do upon failure:

- (kinda-okish-method) You could have no default ACL and let ISE assign the access the second something connects and have the bottom of your default authorization rule be a block

- (Better method) You can choose to allow something called "Critical ACL on AAA Failure" (i.e. if the switch loses connectivity to ISE and it hits the dead timer). The idea is to give the host a certain level of access when that happens. It could be a "fail open" or "half open." You can read about it more here:   IBNS 2.0 Deployment Guide - Cisco

If your switch blocked everything, I'd check the config and also the logs to see if it hit the dead timer somehow. Also check the switch code unless you hit some sort of weird bug. I, personally, err on the side of the proven tested IOS code instead of the "minimum OS version" listed here: Cisco Identity Services Engine Network Component Compatibility, Release 2.1 - Cisco

Cisco Employee

@Nikhil - On my site, I use ip http active-session-modules none. I have a video of me configuring it here and the sample config: 1.5 - Switch Configuration — Networking fun

As far as authorized vs reinitialized, it depends on what you're trying to accomplish. Authorize will move any NEW hosts to the VLAN you specify while reinitialize will move all authorized hosts to the specified VLAN upon RADIUS failure. It's your choice how you want to fail or if you want to impact existing sessions

Contributor

Hi Katherine,

  Thanks for the blog link & the explanation

Regards

Nikhil

Beginner

Hello Katherine,

Thank you once again for helping point out something I overlooked...I did not have ip dhcp snooping trust on the uplink interface of my test switch.  It appears that systems behind the switch can receive one DHCP allocation for the term of the lease even without trust enabled.  What a mind-bender, I assure you.

At this point, my 7 node ISE deployment appears to be authenticating via MAB as I haven't set up 802.1x yet. I'm going to post a redacted running config below that cherry-picks your code and http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf in the event it is useful for anyone.

I want to once again give you a big shout out because you've provided something very valuable that hasn't been currently documented for 4 or 5 years

version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ISETEST
!
boot-start-marker
boot-end-marker
!
logging buffered 128000
logging monitor informational
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
username admin privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
!
aaa group server radius ise-group
server name isepolicy01
server name isepolicy02
server name isepolicy03
!
aaa authentication login allports group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group ise-group
aaa authorization exec default group tacacs+ local none
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa server radius dynamic-author
client 10.4.1.204 server-key 7 XXXXXXXXXXXXXXXXXXXX
client 10.4.5.185 server-key 7 XXXXXXXXXXXXXXXXXXXX
client 10.4.5.186 server-key 7 XXXXXXXXXXXXXXXXXXXX
server-key 7 XXXXXXXXXXXXXXXXXXXXXX
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
system mtu routing 1500
device-sensor accounting
device-sensor notify all-changes
no ip source-route
ip routing
!
ip dhcp snooping vlan 213,436
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip domain-name XXXXXXXXXXX
ip device tracking probe auto-source override
vtp mode transparent
!
authentication mac-move permit
epm logging
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
auto qos srnd4
errdisable recovery cause bpduguard
errdisable recovery cause loopback
errdisable recovery interval 30
!
vlan internal allocation policy ascending
!
vlan 213,436
!
lldp run
!
interface ra FastEthernet0/1-8
switchport access vlan 436
switchport mode access
switchport voice vlan 213
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server dead action reinitialize vlan 436
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Vlan1
ip address 10.254.1.97 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.254.1.253
ip ssh version 2
!
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 10.4.1.203 transport udp port 20514
***access lists redacted***
snmp-server community XXXXXXXXXXX RO 25
snmp-server community XXXXXXXXXXX RW 25
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.4.1.204 version 2c XXXXXXXXXXX mac-notification
snmp-server host 10.4.5.185 version 2c XXXXXXXXXXX mac-notification
snmp-server host 10.4.5.186 version 2c XXXXXXXXXXX mac-notification
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server deadtime 30
!
radius server isepolicy01
address ipv4 10.4.1.204 auth-port 1812 acct-port 1813
key 7 XXXXXXXXXXXXXXXXXXXX
!
radius server isepolicy02
address ipv4 10.4.5.185 auth-port 1812 acct-port 1813
key 7 XXXXXXXXXXXXXXXXXXXX
!
radius server isepolicy03
address ipv4 10.4.5.186 auth-port 1812 acct-port 1813
key 7 XXXXXXXXXXXXXXXXXXXX
!
line con 0
line vty 0 4
line vty 5 15
mac address-table notification change interval 0
mac address-table notification change
mac address-table notification mac-move
!

Cisco Employee

Great job.