Rapid prototyping ISE Policies without any real networking hardware

Arne Bier
VIP Advisor

There are some excellent blog posts in the ISE Community and just about everything has been discussed about how to configure ISE to do many cool things.  I wanted to add my contribution to help users test their configurations - mostly for purposes of rapid prototyping of ISE configurations.  Installing and configuring ISE in a VM is almost a no-brainer these days - but you may find yourself in a situation where you have no networking gear (NADs, network access devices) to test your system.  This blog series will take care of that - at zero cost - most common use cases can be tested entirely in software.

Here is what I promise to explain to you

  1. RADIUS
    1. PAP/CHAP authentications (simulate MAB, and any simple Request/Response use cases)
    2. EAP-PEAP authentications (simulate a Wireless 802.1X doing MS-CHAPv2)
    3. EAP-TLS authentications (simulate a Wireless 802.1X doing user certificate auth)
  2. TACACS
    1. Authentications
    2. Authorizations

I will caveat this by saying that what I am proposing is NOT a replacement of a real lab.  But the prototyping gets you a long way to your goal.  Real devices usually have side effects that you never thought of and it may throw you for a loop.  And in the case of my EAP-PEAP testing I realised that the tool I am using (eapol_test) doesn't cater for human behaviour such as mistyping a credential, and then performing a retry - these are things you will only experience in a real lab.  I love the eapol_test tool and I have reached out to them to ask them whether there is an interactive mode for some of their tests.

So let's start with the basics.

RADIUS PAP and CHAP authentication

This is the simplest form of authentication I know of and it's surprising how often it's used (MAB and simple web services).

You will need a Linux server.  I am assuming you are somewhat comfortable with Linux and installing packages.  To make things simple I installed a CentOS 7 VM and made sure I could install packages with the yum command.

The FreeRADIUS project ships two handy test clients, radtest and radclient, in the freeradius-utils package (available from the base CentOS 7 repositories).

yum install freeradius-utils

So here are some common constants that I will use in my examples

username: bob

user-password: AbCd123

radius shared secret: RadiusS3cret

ISE PSN IP address: 192.168.21.101

Source IP address: 192.168.21.211 (NB: this does NOT have to match the NAS-IP-Address attribute inside the packet - ISE identifies the NAD, and therefore picks the shared secret, by the source IP of the UDP packet, so this address must exist as a Network Device in ISE with the secret above) - in my case 192.168.21.211 is one of the IP addresses of the CentOS server (I have a single interface with multiple IP addresses to simulate a variety of different NADs)

Send one PAP request using radtest (quick and dirty - the positional arguments are user, password, server[:port], NAS-Port number, shared secret and an optional PPP hint)

radtest bob AbCd123 192.168.21.101:1812 0 RadiusS3cret 1

Send a more exciting PAP request using radclient (this is one long command line that wraps on the page; the attribute list is fed to radclient on stdin)

echo "User-Name = 'bob',User-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201,Packet-Src-IP-Address = 192.168.21.211,Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret

Send a CHAP request using radclient (again one long command line).  Note that this one uses the MS-CHAP-Password pseudo-attribute, which radclient expands into an MS-CHAP-Challenge/MS-CHAP-Response pair, i.e. MS-CHAPv1 - so the ISE allowed-protocols list must permit MS-CHAPv1.  For plain RFC 2865 CHAP use CHAP-Password = 'AbCd123' instead; radclient hashes the cleartext for you.

echo "User-Name = 'bob',MS-CHAP-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201,Packet-Src-IP-Address = 192.168.21.211,Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret
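Putting the pieces together, here is an added example (my own script, not code from the original post) that replays a batch of MAB lookups against ISE with radclient, one request per endpoint MAC, and reduces each radclient transcript to accept / reject / no-reply.  It reuses the constants from this post and assumes radclient is on the PATH; the MAC list and the transcript lines in the self-test are constructed values.  It sends Service-Type = Call-Check and NAS-Port-Type = Ethernet, which is what the built-in Wired_MAB condition in ISE matches on, so the requests land on your MAB rule instead of falling through to the default.

```shell
#!/bin/sh
# Added example, not code from the original post: replay a batch of MAB
# lookups against ISE with radclient and tally the replies. Addresses,
# MACs and the shared secret are the constructed values used in this post.

ISE_PSN="192.168.21.101:1812"
SECRET="RadiusS3cret"
NAS_IP="192.168.21.201"   # what the NAD claims to be (NAS-IP-Address attribute)
SRC_IP="192.168.21.211"   # where the packet really comes from; ISE selects the
                          # Network Device entry and its secret by this address

# Constructed list of endpoint MACs to "connect" (one RADIUS request each).
MACS="00:00:00:00:00:ff 00:11:22:33:44:55 de:ad:be:ef:00:01"

# Attribute list for one MAB request, in radclient's "Attr = value, ..." syntax.
# Service-Type = Call-Check plus NAS-Port-Type = Ethernet is what ISE's built-in
# Wired_MAB condition matches on; User-Name and User-Password carry the MAC.
mab_request() {
    printf 'User-Name = "%s", User-Password = "%s", Calling-Station-Id = "%s", Service-Type = Call-Check, NAS-Port-Type = Ethernet, NAS-IP-Address = %s, Packet-Src-IP-Address = %s\n' \
        "$1" "$1" "$1" "$NAS_IP" "$SRC_IP"
}

# Reduce a radclient -x transcript to one word. radclient prints
# "Received Access-Accept ..." or "Received Access-Reject ..." when ISE
# answers. No reply at all usually means ISE has no Network Device entry
# for the source IP: it silently drops such requests rather than rejecting.
classify_reply() {
    case "$1" in
        *Access-Accept*) echo accept ;;
        *Access-Reject*) echo reject ;;
        *)               echo no-reply ;;
    esac
}

# Send one MAB request (1 try, 3 s timeout) and print "<mac> <verdict>".
send_mab() {
    out=$(mab_request "$1" | radclient -x -r 1 -t 3 "$ISE_PSN" auth "$SECRET" 2>&1) || :
    echo "$1 $(classify_reply "$out")"
}

# Offline check of the classifier on constructed transcript lines.
selftest() {
    [ "$(classify_reply 'Received Access-Accept Id 42 from 192.168.21.101:1812 to 192.168.21.211:35000 length 20')" = accept ] &&
    [ "$(classify_reply 'Received Access-Reject Id 43 from 192.168.21.101:1812 to 192.168.21.211:35001 length 20')" = reject ] &&
    [ "$(classify_reply '(0) No reply from server for ID 44 socket 3')" = no-reply ]
}

main() {
    selftest || { echo "classifier self-test failed" >&2; exit 1; }
    for mac in $MACS; do
        send_mab "$mac"
    done
}

# Only talk to the network when the tool is actually installed.
if command -v radclient >/dev/null 2>&1; then main; fi
```

Run it from the CentOS box and watch Operations > RADIUS > Live Logs in ISE alongside the output: each MAC should show up as a separate session hitting the MAB rule, and a column of no-reply verdicts with nothing in Live Logs almost always means the source address is not defined as a Network Device (or the secret does not match), not that the policy is wrong.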

Get curious about these commands and check the help (man) pages for other options.

man radtest

man radclient

Next blog entry will contain the EAP methods - stay tuned!
