AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 2)
KB ID 0001156 Problem Carrying on from PART 1 Solution Add > Create Before. Edit the Policy Giv the policy set a name and description > Create a new condition. Set Description to Device Type. Equals > All Device Types (The Device Group You Created Above). Add attribute value. Set Description to RADIUS. NAS-Port-Type-[61]. Equals > Virtual. Edit the Authentication Policy. Change the identity source to the the identity...
AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 1)
KB ID 0001155 Problem To be honest it’s probably a LOT easier to do this with Dynamic Access Policies, but hey, if you have ISE then why not use it for RADIUS, and let it deploy downloadable ACL’s to your remote clients and give them different levels of access, based on their group membership. I’m going to keep things simple, I will have a group for admins that can access anything, and a group for users that can only...
Cisco ISE – Replace the Self Signed Certificate
KB ID 0001068 Problem Cisco ISE arms itself with a self generated certificate out of the box, (well the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2). Solution Step 1: Import the CA Certificate into ISE Note: If you have a lot issuing servers it’s a good idea the repeat this procedure for EVERY...
Cisco ISE NFR Appliance Setup
KB ID 0001066 Problem The Cisco ISE NFR appliance is for demos and test bench use, I’m currently building a test lab for ISE so I spun a copy up. I looked at the associated ReadMe.pdf for instructions on the basic setup, and found a hyper-link to the instructions, that didn’t work! bah. Solution The appliance comes as an OVA file for importation into vSphere/ESX, I’m assuming you have already imported the appliance....
Cisco ISE – Upgrading
KB ID 0001071 Problem Just as I was hunting around for an NFR version of Cisco ISE 1.3, they released 1.4. I wasn’t sure if I could upgrade my NFR version without breaking it so I thought I would ‘have a go’. Solution If you read the documentation for the upgrade of 1.2 to 1.4, I suggest you skip straight to the tasks to do AFTER upgrade, as it has a habit of resetting things back to default, best to make sure you...
Cisco ISE – Basic 802.1x With Windows Part One (Active Directory Integration)
KB ID 0001074 Problem To carry out this procedure you should have your ISE appliance deployed, with all the basic settings on it. Over the next few articles I’m going to connect the ISE appliance to Active Directory, then configure the ISE Appliance for 802.1x. Configure RADIUS on both the appliance, and on my Cisco Switches. Then finally configure Windows Group Policy to enable the clients to authenticate to 802.1x. Solution 1....
Cisco ISE – Basic 802.1x With Windows Part Two – Configuring 802.1x Policies
KB ID 0001075 D Problem Back in Part One, we joined Cisco ISE to Active Directory, now we we will take the built in ISE policies and change them. This will allow our clients to authenticate, with the correct protocols. Solution 1. By default ISE will use pretty much any available protocol, we are going to use PEAP, although I’m also going to allow EAP-TLS (it’s more secure and if I start rolling out certificates I’ve...
Cisco ISE – Basic 802.1x With WindowsPart Three – Adding Network Devices (Authenticators)
KB ID 0001077 Problem Back in Part Two we configured the specific 802.1x policies in Cisco ISE. Remember with 802.1x it is a three tier system there is a supplicant, (a machine that wants to authenticate), the Authenticator, (the device the supplicant connect to, in our case a switch), and finally an Authentication server (Cisco ISE). Below I will add our switch into ISE, as a RADIUS device and create some groups, and locations for...
Cisco ISE – Basic 802.1x With WindowsPart Four – Configuring The Windows Clients (Supplicants)
KB ID 0001083 Problem Back in Part Three we setup the switches ready to plug in our clients. I’m going to configure the Windows clients by Group Policy. But I suggest you carry out tests using single Windows clients and LOCAL policy until you know you have everything setup correctly. WARNING: Rolling this out without adequate testing, can resolve in all your Windows clients falling off the network Solution 1. On a DC or a...