There are some excellent blog posts in the ISE Community, and just about everything about configuring ISE to do many cool things has already been covered. I wanted to add my contribution to help users test their configurations, mostly for rapid prototyping of ISE policy. Installing and configuring ISE in a VM is almost a no-brainer these days, but you may find yourself with no networking gear (network access devices, NADs) to test against. This blog series takes care of that, at zero cost: the most common use cases can be tested entirely in software, with open-source RADIUS and EAP clients standing in for the NAD and the supplicant.
Here is what I promise to explain:
PAP/CHAP authentications (simulates MAB and any other simple request/response use case)
EAP-PEAP authentications (simulates a wireless 802.1X client doing PEAP with inner MS-CHAPv2)
EAP-TLS authentications (simulates a wireless 802.1X client doing certificate-based user authentication)
I will caveat this by saying that what I am proposing is NOT a replacement for a real lab, but the prototyping gets you a long way towards your goal. Real devices usually have side effects that you never thought of, and they may throw you for a loop. In the case of my EAP-PEAP testing I realised that the tool I am using (eapol_test) doesn't cater for human behaviour such as mistyping a credential and then retrying; these are things you will only experience in a real lab. I love the eapol_test tool and I have reached out to its developers to ask whether there is an interactive mode for some of their tests.
So let's start with the basics.
RADIUS PAP and CHAP authentication
This is the simplest form of authentication I know of and it's surprising how often it's used (MAB and simple web services).
You will need a Linux server. I am assuming you are somewhat comfortable with Linux and installing packages. To make things simple I installed a CentOS 7 VM and made sure I could install packages with the yum command.
The FreeRADIUS project ships two handy test clients, radtest and radclient, in the freeradius-utils package. radtest is a wrapper that builds a single request from positional arguments; radclient reads arbitrary attribute/value pairs from a file or stdin, so it can imitate whatever a real NAD would send.
yum install freeradius-utils
Here are the constants I will use in the examples:
radius shared secret: RadiusS3cret
ISE PSN IP address: 192.168.21.101
Source IP address: 192.168.21.211 (NB: this does NOT have to match any NAS-IP-Address attribute you put in the request; the source IP of the RADIUS packet is what ISE matches against its Network Devices list to identify the NAD and pick the shared secret). In my case 192.168.21.211 is one of the IP addresses of the CentOS server (I have a single interface with multiple IP addresses to simulate a variety of different NADs).
Send one PAP request using radtest (quick and dirty). The positional arguments are: user name, password, server[:port], NAS-Port number, shared secret and a PPP hint (radtest defaults to PAP; use -t chap for CHAP):
radtest bob AbCd123 192.168.21.101:1812 0 RadiusS3cret 1
Send a more exciting PAP request using radclient (commands extend over multiple lines)
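The following is an added example, not the commands from the original post. It wraps radclient in a small script so that the same request can be sent as a plain PAP login or as a MAB-style host lookup, using the constants from the post (PSN 192.168.21.101, secret RadiusS3cret, NAS 192.168.21.211). The MAC address, the Ethernet NAS-Port-Type and the way the MAC is formatted (12 hex digits for User-Name/User-Password, dashed for Calling-Station-Id, as a switch typically does) are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: build the attribute list that
# radclient reads from stdin and send it to the ISE PSN as an Access-Request.
set -eu

PSN=192.168.21.101        # ISE PSN from the post
PORT=1812
SECRET=RadiusS3cret       # shared secret configured for this NAD in ISE

# radius_attrs MODE USER PASSWORD NAS_IP [MAC]
# Prints one "Attribute = value" per line, the format radclient expects.
#   pap : a plain user/password request (web portal, CLI login, ...)
#   mab : MAC Authentication Bypass as a switch sends it: the MAC is both
#         User-Name and User-Password, and Service-Type = Call-Check tells
#         ISE to treat it as a host lookup rather than a user login.
radius_attrs() {
  local mode=$1 user=$2 pass=$3 nas_ip=$4 mac=${5:-}
  local mac_plain mac_dashed
  # 001122334455 for User-Name/User-Password, 00-11-22-33-44-55 for
  # Calling-Station-Id (assumed switch formatting, adjust to your NAD)
  mac_plain=$(printf '%s' "$mac" | tr -d ':.-' | tr 'A-F' 'a-f')
  mac_dashed=$(printf '%s' "$mac_plain" | sed 's/\(..\)/\1-/g; s/-$//')
  case $mode in
    pap)
      printf 'User-Name = "%s"\n'     "$user"
      printf 'User-Password = "%s"\n' "$pass" ;;
    mab)
      [ -n "$mac" ] || { echo "mab needs a MAC address" >&2; return 2; }
      printf 'User-Name = "%s"\n'     "$mac_plain"
      printf 'User-Password = "%s"\n' "$mac_plain"
      printf 'Service-Type = Call-Check\n' ;;
    *)
      echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  # NAS-IP-Address is informational only: ISE identifies the NAD by the
  # packet's source IP. NAS-Port-Type is what wired/wireless conditions in
  # the policy set usually match on.
  printf 'NAS-IP-Address = %s\n' "$nas_ip"
  printf 'NAS-Port-Type = Ethernet\n'
  [ -n "$mac" ] && printf 'Calling-Station-Id = "%s"\n' "$mac_dashed"
  return 0
}

# radius_send MODE USER PASSWORD NAS_IP [MAC]
# -x prints the request and the reply attributes. radclient exits 0 only
# when the reply is an Access-Accept, so the result can be asserted on.
radius_send() {
  command -v radclient >/dev/null || {
    echo "radclient not found; yum install freeradius-utils" >&2; return 127; }
  radius_attrs "$@" | radclient -x "$PSN:$PORT" auth "$SECRET"
}

# radius_chap USER PASSWORD
# radtest computes CHAP-Challenge/CHAP-Password for you; PAP is its default.
radius_chap() {
  radtest -t chap "$1" "$2" "$PSN:$PORT" 0 "$SECRET"
}

# Usage (uncomment to actually send to the PSN):
# radius_send pap bob AbCd123 192.168.21.211
# radius_send mab "" "" 192.168.21.211 00:11:22:33:44:55
# radius_chap bob AbCd123
```

Run the PAP form first to confirm the shared secret is right (a wrong secret shows up in ISE as an authentication failure with a "shared secret mismatch" style reason, and radclient reports no valid reply). Then switch to the mab mode to exercise the host-lookup policy set; the exit status of radius_send lets you script a whole batch of expected Accept/Reject cases.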