To be honest it’s probably a LOT easier to do this with Dynamic Access Policies, but hey, if you have ISE then why not use it for RADIUS, and let it deploy downloadable ACLs to your remote clients and give them different levels of access, based on their group membership.
I’m going to keep things simple, I will have a group for admins that can access anything, and a group for users that can only RDP to internal servers.
I always assume things will break, so I’m also going to create a local user on the ISE deployment, so if Active Directory is down I will have a user account I can use to gain full access in the event of an emergency.
Solution
In production you will have plenty of users, but to test I’m going to create a test user, and a test admin user.
Then put those users in an appropriate Active Directory security group, (here I’m using VPN-Users and VPN-Admins).
Now you will also need a ‘Tunnel-Group’ and a matching ‘Group-Policy’ on the ASA to map the user groups to. That way, when a user connects they can pick the appropriate tunnel group like so;
So what I’ve done is set up AnyConnect and configured it properly, (see article below) then I’ve simply ‘cloned’ the tunnel group and group policy to create a VPN-ADMINS and a VPN-USERS tunnel-group and group-policy. So my ASA config is as follows;
[box]
1. Show run ip local pool
Petes-ASA# show run ip local pool
ip local pool ANYCONNECT-POOL 192.168.101.1-192.168.101.254 mask 255.255.255.0
Petes-ASA#
2. Show Group-Policy
Petes-ASA# show run group-policy
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
wins-server none
dns-server value 192.168.100.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
webvpn
anyconnect profiles value PNL-Profile type user
group-policy VPN-ADMINS internal
group-policy VPN-ADMINS attributes
wins-server none
dns-server value 192.168.100.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
webvpn
anyconnect profiles value PNL-Profile type user
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
wins-server none
dns-server value 192.168.100.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
webvpn
anyconnect profiles value PNL-Profile type user
Petes-ASA#
3. Show Tunnel Groups
Petes-ASA# show run tunnel
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool ANYCONNECT-POOL
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
tunnel-group VPN-ADMINS type remote-access
tunnel-group VPN-ADMINS general-attributes
address-pool ANYCONNECT-POOL
default-group-policy VPN-ADMINS
tunnel-group VPN-ADMINS webvpn-attributes
group-alias VPN-ADMINS enable
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
address-pool ANYCONNECT-POOL
default-group-policy VPN-USERS
tunnel-group VPN-USERS webvpn-attributes
group-alias VPN-USERS enable
Petes-ASA#
[/box]
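The page stops before showing the two pieces that actually enforce the per-group access described in the introduction: the ASA pointing its tunnel groups at ISE for RADIUS, and the downloadable ACL contents ISE pushes back. The following is an added example, not the article’s own configuration. It assumes ISE is reachable at 192.168.200.12 (the address used for the switch later on this page), a shared-secret placeholder you replace, that the internal servers users may RDP to live in 192.168.100.0/24, and dACL names (VPN-USERS-RDP-ONLY, VPN-ADMINS-FULL) that I made up for illustration.

```cisco
! --- ASA side (added example, not from the article) ---
! Send authentication and authorization for both tunnel groups to ISE.
! 192.168.200.12 and the key are assumptions; replace the placeholder.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.200.12
 key <RADIUS-SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813
!
tunnel-group VPN-ADMINS general-attributes
 authentication-server-group ISE
tunnel-group VPN-USERS general-attributes
 authentication-server-group ISE
!
! --- ISE side: contents of the two downloadable ACLs ---
! Created under Policy > Policy Elements > Results > Authorization >
! Downloadable ACLs. The ASA expects netmask (not wildcard) syntax.
! "any" as the source stands for the connecting client's pool address,
! so no source IP needs hard-coding; the ACL is applied per session.
!
! dACL "VPN-USERS-RDP-ONLY": RDP to the internal server subnet, nothing else
permit tcp any 192.168.100.0 255.255.255.0 eq 3389
deny ip any any
!
! dACL "VPN-ADMINS-FULL": unrestricted access
permit ip any any
!
! --- Verification on the ASA once a user is connected ---
! The dACL ISE pushed appears as the session's "Filter Name",
! prefixed #ACSACL#-IP-; an admin session should show the FULL ACL,
! a user session the RDP-ONLY one.
show vpn-sessiondb detail anyconnect filter name vpn.user
```

The mapping between groups and ACLs is done in the ISE authorization policy: one rule matching the AD group VPN-Admins (and a second matching the local ISE admin group created below, so the emergency account still gets full access when AD is down) returns a profile carrying VPN-ADMINS-FULL, and a rule matching VPN-Users returns a profile carrying VPN-USERS-RDP-ONLY. Because the user ACL ends in an explicit deny, a user who picks the wrong tunnel group still only gets the access their group membership allows.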
Create a Local Admin Group in Cisco ISE
On your Cisco ISE Deployment > Identity Management > Groups > Add.
Give the group a name and optional description > Save.
To create an admin user > Administration > Identity Management > Identities > Add.
Create the new admin user > set the password > add the user to the group you created above.
Adding Domain Groups To Cisco ISE
I’m assuming you have joined ISE to Active Directory. To check, Administration > Identity Management > External Identity Sources > Ensure the domain is joined and operational.
Groups > Add.
Locate and add the groups you created above.
Add An Active Directory Identity Source Sequence
We need to authenticate against our AD, but we want it to fail back to the ISE local database, (for our local admin). To do that we use an identity source sequence. Administration > Identity Management > Identity Source Sequence > Add.
Give the sequence a name and add your AD and Internal Users.
MAKE SURE you select ‘Treat as if the user was not found and proceed to the next store in the sequence’ > Submit.
Add Cisco ASA to Cisco ISE as a RADIUS Device.
Administration > Network Resources > Network Device Groups > All Device Types > Add.
Cisco ISE arms itself with a self-generated certificate out of the box, (well the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2).
Solution
Step 1: Import the CA Certificate into ISE
Note: If you have a lot of issuing servers it’s a good idea to repeat this procedure for EVERY issuing server you have in your PKI environment. Assuming you have an off-line root, that would be every SubCA (to use Microsoft terminology). On my test network I only have one so that’s not a problem.
1. Connect to the web enrollment portal of your Certificate Services server > Download a CA Certificate, certificate chain, or CRL.
9. Again save it somewhere you can find it easily.
10. Open the PEM file you just created, and copy all the text to the clipboard.
11. Back at your web enrollment portal > Request a certificate.
12. Advanced certificate request.
13. Submit a certificate request by using…
14. Paste in your copied text (make sure no spaces get added to the end, this usually happens, be careful) > Set the template to Web Server (or your own template, if you are not using the default one) > Submit.
15. Select DER encoded > Download certificate > Save it with a name that is recognizable as the ISE appliance.
16. On the ISE web portal > Local Certificates > Add > Bind CA Signed Certificate.
17. Browse to the new cert > Select EAP and HTTPS > Submit.
18. Now remember to connect to the ISE appliance using its FQDN (you did remember to create a record in DNS for it didn’t you?)
At this point if you get an error either the URL is wrong, or you didn’t create a DNS record, or the machine you are on does not trust your issuing server’s root certificate.
Related Articles, References, Credits, or External Links
The Cisco ISE NFR appliance is for demos and test bench use, I’m currently building a test lab for ISE so I spun a copy up. I looked at the associated ReadMe.pdf for instructions on the basic setup, and found a hyper-link to the instructions, that didn’t work! bah.
Solution
The appliance comes as an OVA file for importation into vSphere/ESX, I’m assuming you have already imported the appliance.
[box]
ise/admin(config-GigabitEthernet)# exit
ise/admin(config)# ip default-gateway 192.168.200.1
[/box]
Cisco ISE NFR Set Hostname and DNS Information
6. To change the appliances default domain;
[box]
ise/admin(config)# ip domain-name pnltest1.com
Enter ‘Y’ to restart the services.
[/box]
7. To set the DNS server to use for local lookups;
[box]ise/admin(config)# ip name-server 192.168.200.10
Enter ‘yes’ to restart the services.
[/box]
8. To set the Hostname, simply use the following syntax;
[box]ise/admin(config)# hostname ISE-01 [/box]
Cisco ISE NFR Set NTP Information
9. To set the timezone;
[box]ise/admin(config)# clock timezone GB [/box]
10. To set the NTP servers it’s a little more convoluted, you can have up to three, two are already configured. If you try and delete the pre-configured ones it will error. So you need to add one, then delete the two factory ones, then you can add up to another two.
[box]
To Add an NTP Server
ise/admin(config)# ntp server 123.123.123.123
To Remove an NTP Server
ise/admin(config)# no ntp server 123.123.123.123
[/box]
11. As usual NTP can take a while to synchronise, I’d go and have a coffee at this point, to test;
[box]ise/admin(config)# show ntp [/box]
12. Save your changes.
13. At this point you should be able to get to the web console.
14. Logged in successfully.
Just as I was hunting around for an NFR version of Cisco ISE 1.3, they released 1.4. I wasn’t sure if I could upgrade my NFR version without breaking it so I thought I would ‘have a go’.
Solution
If you read the documentation for the upgrade of 1.2 to 1.4, I suggest you skip straight to the tasks to do AFTER upgrade, as it has a habit of resetting things back to default, best to make sure you know how everything is setup that might break before you start.
This upgrade took me a long time! The best part of an afternoon!
1. Before we do anything let’s take a snapshot, just in case it all goes to hell in a hand cart.
2. Gotcha! The upgrade fails if you have any expired certificates, even disabling them won’t help, you need to delete all expired root certs before you start.
3. Copy the upgrade file from an FTP server to the ISE device, it won’t show you any progress bar, go and get a coffee, if it does not error it’s probably copying over OK :).
4. When you get the prompt back you can check it’s there with a ‘dir’ command.
5. Before you can upgrade you need to create a repository for the upgrade;
[box]
ISE-01/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ISE-01(config)# repository upgrade
ISE-01(config-Repository)# url disk:
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes.
If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
ISE-01(config-Repository)# exit
ISE-01(config)# exit
[/box]
6. Then you need to ‘prepare’ for the upgrade.
[box]
ISE-01/admin# application upgrade prepare ise-upgradebundle-1.2.x-to-1.4.0.253.x86_64.tar.gz upgrade
Getting bundle to local machine...
md5: 35a159416afd0900c9da7b3dc6c72043
sha256: e3358ca424d977af67f8bb2bb3574b3e559ce9578d2f36c44cd8ba9e6dddfefd
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y
[/box]
7. Start the upgrade, this takes ages, go and have at least three coffees.
To carry out this procedure you should have your ISE appliance deployed, with all the basic settings on it. Over the next few articles I’m going to connect the ISE appliance to Active Directory, then configure the ISE appliance for 802.1x, configure RADIUS on both the appliance and my Cisco switches, and finally configure Windows Group Policy to enable the clients to authenticate with 802.1x.
Solution
1. Log into the web console > Administration > Identity Management > Identity Sources > Active Directory > Add > Submit a short name and DNS name for the domain > Submit.
2. With your domain selected > Join.
3. Provide some Domain credentials. Note: Just a ‘domain user’ account is required.
4. After a while, it should say ‘Completed’.
5. Now from the ‘Groups’ Tab > Add in the groups you want to deal with, here I’m keeping it simple and sticking with ‘Domain users’, and ‘Domain computers’.
Back in Part One, we joined Cisco ISE to Active Directory, now we will take the built-in ISE policies and change them. This will allow our clients to authenticate with the correct protocols.
Solution
1. By default ISE will use pretty much any available protocol, we are going to use PEAP, although I’m also going to allow EAP-TLS (it’s more secure and if I start rolling out certificates I’ve already got it available). Policy > Policy Elements > Results > Authentication > Allowed Protocols > Add > Give the protocol set a name > Allow EAP-TLS and PEAP.
2. Policy > Authentication > There will be three built in, one for MAB and one for 802.1x, and a ‘catch all’ rule at the end. Edit the MAB rule.
3. Click the cross next to ‘Internal Endpoints’.
4. Change the options, (top to bottom) to; Continue, Continue, and Drop.
5. Now edit the Dot1x policy.
6. Set the identity source to the Active Directory you configured in part one. Ensure the options are set (top to bottom) to; Reject, Reject, and Drop.
7. Finally change the ‘Allowed Protocol’ to the set you created in step 1. Then click ‘Save’.
Back in Part Two we configured the specific 802.1x policies in Cisco ISE. Remember with 802.1x it is a three-tier system: there is a supplicant, (a machine that wants to authenticate), the Authenticator, (the device the supplicant connects to, in our case a switch), and finally an Authentication server (Cisco ISE).
Below I will add our switch into ISE, as a RADIUS device and create some groups, and locations for good housekeeping.
Solution
1. From within ISE > Authentication > Network Resources > Network Devices > Network Devices > Add.
2. Specify a name and description for the device > Set its IP address > Set the device type and location (we will change these in a minute) > Under authentication settings select RADIUS and enter a shared secret, (you can set these up globally if you prefer).
3. Create a Device Type: Administration > Network Devices > Network Device Groups > Groups > All Device Types > Add.
Note: You can have as many of these as you like to make managing your network easier, I’m just going to set one up for Cisco Switches.
4. Give the group a name and description > Submit.
5. Create a Location: On the same page > All Locations > Add.
6. Give the location a name and description > Submit.
7. You can now go back to the network device you created earlier, and set the location and group accordingly.
8. Now you can configure the Cisco switch for RADIUS Authentication.
Note: 192.168.100.12 is the IP address of the ISE server, and 666999 is the shared secret we setup in step 2.
[box]
Petes-3750(config)#aaa new-model
Petes-3750(config)#aaa group server radius ISE
Petes-3750(config-sg-radius)#server-private 192.168.200.12 key 666999
Petes-3750(config-sg-radius)#exit
Petes-3750(config)#aaa authentication dot1x default group ISE
Petes-3750(config)#aaa authorization network default group ISE
Petes-3750(config)#dot1x system-auth-control
Petes-3750(config)#do write
Building configuration...
[OK]
Petes-3750(config)#
[/box]
9. To configure the port that our supplicant is going to connect to;
Note: I’m setting the host-mode to multi-host because my clients are all in VMware ESXi and are coming from a VMware vSwitch into the Cisco switch.
[box]
Petes-3750(config)#interface fastEthernet 1/0/4
Petes-3750(config-if)#authentication host-mode multi-host
Petes-3750(config-if)#authentication port-control auto
Petes-3750(config-if)#dot1x pae authenticator
Petes-3750(config-if)#exit
Petes-3750(config)#exit
Petes-3750#write mem
Building configuration...
[OK]
Petes-3750#
[/box]
10. Once a supplicant has been authenticated you can check like so;
[box]
Petes-3750#show dot1x all summary
Interface PAE Client Status
--------------------------------------------------------
Fa1/0/4 AUTH 0050.56b1.5f5c AUTHORIZED
Petes-3750#
[/box]
Back in Part Three we set up the switches ready to plug in our clients. I’m going to configure the Windows clients by Group Policy. But I suggest you carry out tests using single Windows clients and LOCAL policy until you know you have everything set up correctly.
WARNING: Rolling this out without adequate testing can result in all your Windows clients falling off the network.
Solution
1. On a DC or a machine with the AD management tools installed, open the Group Policy Management Console. Either edit an existing policy or create and link a policy to the OU that contains your client computers.
2. Create A New Wired Network Policy for Windows Vista and Later Releases.
3. Configure the following;
General Tab
Policy Name: Give the policy a name
Description: Optional
Use Windows Wired Auto Config service for clients. (Ticked)
Security Tab
Enable use of IEEE802.1X authentication for network access. (Ticked)
Select a network authentication method: Microsoft Protected EAP (PEAP)
Authentication Mode: User or computer authentication
Properties (optional in case you ever use TLS) Add in your Root CA Cert
4. Navigate to;
[box]Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Wired AutoConfig[/box]
Define the policy and set the startup type to ‘Automatic’.
5. Now when you connect a client to a properly configured switch port it will authenticate before it is allowed to join the network. If the machine is not a domain PC, or 802.1x fails, then it will get an ‘authentication failed’ remark on its network card.
6. OPTIONAL: We have setup 802.1x now, but it is also worth adding RADIUS to the ISE profiling configuration.