There are some excellent blog posts in the ISE Community, and just about everything about configuring ISE to do many cool things has already been discussed. I wanted to add my contribution to help users test their configurations, mostly for rapid prototyping of ISE policy. Installing and configuring ISE in a VM is almost a no-brainer these days, but you may find yourself in a situation where you have no networking gear (NADs) to test against. This blog series takes care of that, at zero cost: most common use cases can be tested entirely in software.
Here is what I promise to explain to you:
PAP/CHAP authentications (simulate MAB and any simple Request/Response use case)
EAP-PEAP authentications (simulate wireless 802.1X with MS-CHAPv2 as the inner method)
EAP-TLS authentications (simulate wireless 802.1X with user certificate authentication)
I will caveat this by saying that what I am proposing is NOT a replacement for a real lab. But the prototyping gets you a long way towards your goal. Real devices usually have side effects that you never thought of, and they may throw you for a loop. In the case of my EAP-PEAP testing I realised that the tool I am using (eapol_test) doesn't cater for human behaviour such as mistyping a credential and then retrying; these are things you will only experience in a real lab. I love the eapol_test tool and I have reached out to its developers to ask whether there is an interactive mode for some of the tests.
So let's start with the basics.
RADIUS PAP and CHAP authentication
This is the simplest form of authentication I know of, and it's surprising how often it's used (MAB and simple web services). Keep in mind that PAP only hides the password with an MD5 keystream derived from the shared secret and the Request Authenticator, so anyone who holds the secret and a packet capture can recover it; CHAP sends an MD5 response to a challenge instead. Both are fine for a lab, and both let you see exactly what ISE receives.
You will need a Linux server. I am assuming you are somewhat comfortable with Linux and installing packages. To keep things simple I installed a CentOS 7 VM and made sure I could install packages with the yum command.
The FreeRADIUS project ships two handy test clients, radtest and radclient, in the freeradius-utils package:
yum install freeradius-utils
Here are the common constants I will use in my examples:
RADIUS shared secret: RadiusS3cret
ISE PSN IP address: 192.168.21.101
Source IP address: 192.168.21.211 (NB: this does NOT have to be the address of a real NAD; it is the source address of the RADIUS packets, which is what ISE matches against the network device you define under Administration > Network Resources > Network Devices). In my case 192.168.21.211 is one of the IP addresses of the CentOS server: I have a single interface with multiple IP addresses so that I can simulate a variety of different NADs, each with its own shared secret and device attributes.
Send one PAP request using radtest (quick and dirty):
radtest bob AbCd123 192.168.21.101:1812 0 RadiusS3cret 1
The positional arguments are user name, password, server[:port], NAS-Port number (0 here), shared secret and an optional ppphint; the trailing 1 makes radtest add Framed-Protocol = PPP to the request, so drop it (or pass 0) if you don't want that attribute in your authentication. Two options worth knowing: -x prints every attribute sent and received, and -t chap switches the same command from User-Password to CHAP-Password, which is the quickest way to exercise the CHAP branch of an ISE policy. If the request times out, the usual suspects are the source address (is it really the one you defined as the NAD in ISE?) and the shared secret.
Send a more exciting PAP request using radclient (radclient reads the full attribute list from a file or from stdin, so these commands extend over multiple lines):
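To see what radtest and radclient actually put on the wire, and why the source address and shared secret matter, here is an added example in Python that builds an RFC 2865 Access-Request for the PAP and CHAP cases and verifies the Response Authenticator on the reply. This is not code from the post or from FreeRADIUS; the server, port, source address and secret are the constants above, and the user name and password are made-up test values. The send() function needs a host that owns 192.168.21.211 and can reach the PSN; everything else runs offline.

```python
"""RADIUS (RFC 2865) PAP and CHAP Access-Request builder plus reply verifier.

Added example; not code from the blog post or from FreeRADIUS. It does in a
few lines what radtest/radclient do on the wire, so you can see how the shared
secret is used. Server, port, source IP and secret are the constants from the
post; the user name and password are made-up test values.
"""
import hashlib
import os
import socket
import struct

ISE_PSN = "192.168.21.101"     # PSN address from the post
RADIUS_AUTH_PORT = 1812
SOURCE_IP = "192.168.21.211"   # source address ISE matches against its NAD list (per the post)
SECRET = b"RadiusS3cret"       # shared secret from the post

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4


def attr(attr_type, value):
    """Encode one Type/Length/Value attribute; Length counts the T and L octets."""
    return bytes([attr_type, 2 + len(value)]) + value


def pap_password(password, authenticator, secret=SECRET):
    """RFC 2865 s5.2: pad to 16-octet blocks and XOR each with MD5(secret + previous block),
    the previous block being the Request Authenticator for the first block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_password_decode(hidden, authenticator, secret=SECRET):
    """Inverse of pap_password: anyone holding the secret and a capture recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def chap_password(ident, password, challenge):
    """RFC 2865 s5.3: CHAP-Password = CHAP ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def access_request(username, password, ident=1, chap=False, authenticator=None):
    """Build a complete Access-Request for the PAP (default) or CHAP case."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(NAS_IP_ADDRESS, socket.inet_aton(SOURCE_IP))
    if chap:
        # No CHAP-Challenge attribute is sent, so the Request Authenticator is the challenge.
        attrs += attr(CHAP_PASSWORD, chap_password(ident, password, authenticator))
    else:
        attrs += attr(USER_PASSWORD, pap_password(password, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def check_reply(reply, request, secret=SECRET):
    """RFC 2865 s3: Response Authenticator = MD5(Code+ID+Length || RequestAuth || Attributes || Secret).
    Returns the reply Code; raises ValueError if the reply is not a genuine answer to `request`."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("length or identifier does not match the request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        raise ValueError("response authenticator mismatch: wrong secret or forged reply")
    return code


def reply_packet(code, request, attrs=b"", secret=SECRET):
    """What a server answering `request` would send; here only to demonstrate verification."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def send(username, password, chap=False, timeout=3.0):
    """Send one request from SOURCE_IP to the PSN and return the verified reply Code."""
    request = access_request(username, password, chap=chap)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((SOURCE_IP, 0))   # bind so the packet leaves with the NAD address ISE expects
        sock.settimeout(timeout)
        sock.sendto(request, (ISE_PSN, RADIUS_AUTH_PORT))
        reply, _ = sock.recvfrom(4096)
    return check_reply(reply, request)


if __name__ == "__main__":
    # Needs SOURCE_IP configured on this host and the PSN reachable; otherwise it times out.
    code = send(b"bob", b"AbCd123")
    print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, code))
```

Two things to take from this. First, the bind() on the source address is the software equivalent of "which NAD is this?": if the packet leaves from an address ISE does not know, it is silently dropped, which is the most common reason radtest appears to hang. Second, check_reply() is what radclient does for you when it reports a bad authenticator: a wrong shared secret does not produce an Access-Reject, it produces a reply that fails verification (or no reply at all), so an Access-Reject in the ISE live log means the secret is right and the policy said no.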