Rapid prototyping ISE Policies without any real networking hardware

1018
Views
10
Helpful
5
Comments
VIP Advocate

There are some excellent blog posts in the ISE Community, and just about everything has been discussed about how to configure ISE to do many cool things.  I wanted to add my contribution to help users test their configurations, mostly for purposes of rapid prototyping of ISE configurations.  Installing and configuring ISE in a VM is almost a no-brainer these days, but you may find yourself in a situation where you have no networking gear (NADs) to test your system.  This blog series will take care of that, at zero cost: most common use cases can be tested entirely in software.

Here is what I promise to explain to you:

  1. RADIUS
    1. PAP/CHAP authentications (simulate MAB, and any simple Request/Response use cases)
    2. EAP-PEAP authentications (simulate a Wireless 802.1X doing MS-CHAPv2)
    3. EAP-TLS authentications (simulate a Wireless 802.1x doing user certificate auth)
  2. TACACS
    1. Authentications
    2. Authorizations

I will caveat this by saying that what I am proposing is NOT a replacement of a real lab.  But the prototyping gets you a long way to your goal.  Real devices usually have side effects that you never thought of, and they may throw you for a loop.  And in the case of my EAP-PEAP testing I realised that the tool I am using (eapol_test) doesn't cater for human behaviour such as mistyping a credential and then performing a retry; these are things you will only experience in a real lab.  I love the eapol_test tool and I have reached out to them to ask whether there is an interactive mode for some of their tests.

So let's start with the basics.

Radius PAP and CHAP authentication.

This is the simplest form of authentication I know of and it's surprising how often it's used (MAB and simple web services).

You will need a Linux server.  I am assuming you are somewhat comfortable with Linux and installing packages.  To make things simple I installed a CentOS 7 VM and made sure I could install packages with the yum command.

The FreeRADIUS community provides two great test tools, radtest and radclient, in the freeradius-utils package.

yum install freeradius-utils

So here are some common constants that I will use in my examples:

username: bob

user-password: AbCd123

radius shared secret: RadiusS3cret

ISE PSN IP address: 192.168.21.101

Source IP address: 192.168.21.211 (NB: this does NOT have to be the NAD IP address; it is the address that ISE will use to identify the NAD).  In my case 192.168.21.211 is one of the IP addresses of the CentOS server (I have a single interface with multiple IP addresses to simulate a variety of different NADs).

Send one PAP request using radtest (quick and dirty)

radtest bob AbCd123 192.168.21.101:1812 0 RadiusS3cret 1

Send a more exciting PAP request using radclient (this is a single command, even if it wraps over multiple lines on your screen)

echo "User-Name = 'bob',User-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201,Packet-Src-IP-Address = 192.168.21.211,Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret

Send a CHAP request using radclient (again a single command, even if it wraps over multiple lines)

echo "User-Name = 'bob',MS-CHAP-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201,Packet-Src-IP-Address = 192.168.21.211,Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret

Get curious about these commands and check the help (man) pages for other options.

man radtest

man radclient
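To make concrete what radtest and radclient actually put on the wire, here is an added example (not code from the original post or from the FreeRADIUS project) that builds the same Access-Request in Python with only the standard library: it hides the User-Password with the RFC 2865 shared-secret scheme, adds the MAB attributes discussed in the comments (Service-Type 10 = Call-Check, NAS-Port-Type 19 = Wireless-802.11), and verifies a constructed Access-Accept the way a client must before trusting it.  The username, password, shared secret and NAS-IP-Address are the constants from the post; the function names, the RADIUS Identifier value 7 and the replies are constructed for this example, since there is no live ISE to answer.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and the attribute types used by the radclient examples (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
SERVICE_TYPE, CALLING_STATION_ID, NAS_PORT_TYPE = 6, 31, 61
SERVICE_TYPE_CALL_CHECK, NAS_PORT_TYPE_WIRELESS_80211 = 10, 19  # "Service-Type=10", "NAS-Port-Type = 19"

def encode_pap_password(password, secret, request_authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block), the first block
    # using the Request Authenticator. Keyed obfuscation, not encryption: a guessable secret exposes it.
    if len(request_authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += prev
    return hidden

def decode_pap_password(hidden, secret, request_authenticator):
    # Inverse operation, as performed by the RADIUS server before it checks the password.
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def chap_password(chap_id, password, challenge):
    # RFC 2865 5.3 CHAP-Password: identifier byte + MD5(identifier + password + challenge).
    ident = bytes([chap_id & 0xFF])
    return ident + hashlib.md5(ident + password + challenge).digest()

def encode_attributes(attrs):
    # Each attribute is a TLV: 1-byte type, 1-byte total length (3..255), value.
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError(f"attribute {attr_type} value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def parse_attributes(packet):
    # Walk the TLVs after the 20-byte header, rejecting truncated or undersized entries.
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 3 or pos + packet[pos + 1] > len(packet):
            raise ValueError(f"malformed attribute at offset {pos}")
        length = packet[pos + 1]
        attrs.append((packet[pos], packet[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(identifier, request_authenticator, attrs):
    body = encode_attributes(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator + body

def build_response(code, identifier, request_authenticator, secret, attrs=()):
    # Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def verify_response(response, request, secret):
    # Client side, what radclient checks before trusting a reply: matching Identifier, then the
    # Response Authenticator recomputed from the request's authenticator and the shared secret.
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response) or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def access_request(username, password, secret, nas_ip, extra_attrs=(), identifier=0):
    # Builds the PAP Access-Request radclient sends; extra_attrs carries the MAB attributes from the comments.
    req_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, encode_pap_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))] + list(extra_attrs)
    return req_auth, build_access_request(identifier, req_auth, attrs)

def demo():
    # Round-trips the post's constants (bob / AbCd123 / RadiusS3cret) against constructed replies.
    secret = b"RadiusS3cret"
    mab_attrs = [(CALLING_STATION_ID, b"00:00:00:00:00:ff"),
                 (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
                 (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))]
    req_auth, request = access_request("bob", "AbCd123", secret, "192.168.21.201", mab_attrs, identifier=7)
    hidden = dict(parse_attributes(request))[USER_PASSWORD]
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, secret)
    unkeyed = build_response(ACCESS_ACCEPT, 7, req_auth, b"NotTheSecret")  # reply from a host without the secret
    return {"recovered_password": decode_pap_password(hidden, secret, req_auth),
            "accept_verified": verify_response(accept, request, secret),
            "unkeyed_verified": verify_response(unkeyed, request, secret),
            "accept_code": accept[0]}
```

Two points worth taking from it: the User-Password hiding is only as strong as the shared secret, which is why a secret like RadiusS3cret belongs in a prototyping lab and nowhere else, and a client that skips the Response Authenticator check will happily treat any Access-Accept that reaches its port as a successful authentication.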

Next blog entry will contain the EAP methods - stay tuned!

5 Comments
Beginner

For Wired_MAB

echo "User-Name = 'A4:5D:36:B6:xx:xx',User-Password = 'A4:5D:36:B6:xx:xx',Calling-Station-ID='A4:5D:36:B6:xx:xx',Service-Type='Call-Check',NAS-Port-Type='Ethernet'"| /usr/bin/radclient -x 1.1.1.1:1812 auth RadiusS3cret

VIP Advocate

Another useful attribute (for MAB) is the Service-Type.  You can put just about any Radius attribute to suit your requirements.

e.g.

[abier@centos radius]$ echo "User-Name = '03:20:00:00:00:02',User-Password = '03:20:00:00:00:02',Calling-Station-ID='03:00:00:00:00:02',NAS-IP-Address = 192.168.21.201,NAS-Port-Type = 19,Service-Type=10"| /usr/bin/radclient -x 192.168.21.100:1812 auth RadiusS3cret
Sending Access-Request Id 253 from 0.0.0.0:42089 to 192.168.21.101:1812
User-Name = '03:20:00:00:00:02'
User-Password = '03:20:00:00:00:02'
Calling-Station-Id = '03:00:00:00:00:02'
NAS-IP-Address = 192.168.21.201
NAS-Port-Type = Wireless-802.11
Service-Type = Call-Check

Beginner

Hi Arne,

I am currently developing a Python script that monitors our ISE cluster. Now I still need a possibility for TACACS+; in the article you mention TACACS in the beginning, but I can not find a test. Do you know a test command?

Beginner

that meets my requirements

https://github.com/ansible/tacacs_plus

#!/usr/bin/env python
from tacacs_plus.client import TACACSClient
from tacacs_plus.flags import TAC_PLUS_ACCT_FLAG_START, TAC_PLUS_ACCT_FLAG_WATCHDOG, TAC_PLUS_ACCT_FLAG_STOP

# connect to the TACACS+ server (host, port 49, shared secret)
cli = TACACSClient('host', 49, 'secret', timeout=10)

# authenticate user and pass
authen = cli.authenticate('username', 'password')
print("PASS!" if authen.valid else "FAIL!")

VIP Advocate

Hi Christian

for TACACS I use a Windows application called TacTest.  I have used it quite a bit to test my Policy Sets.  One small issue I have with it is that it does not support MS-CHAPv1/v2 (only ASCII, PAP, CHAP).  But that's a minor gripe.

I could not find a Linux based utility and I didn't want to start coding.  But your posting gave me some inspiration to try to tackle that.  Every distro has a Python interpreter and I am not afraid of a bit of coding.

Thanks for sharing
