ISE Configuration

Cisco ISE supports Guest Access Portals, which allow users from outside an organisation to connect to the network (wired or wireless) and access the internet. In a typical deployment a Guest Web Portal is used for the users to self-register their device and gain access.

In this guide we will be performing Wired Guest access on a Cisco Catalyst switch. The same principle applies to Wireless, which is covered in great depth in the Cisco ISE Guest Access Prescriptive Deployment Guide. This guide is designed to be used in an environment where ISE and the switch are already configured.

We will also demonstrate how to provide Active/Standby failover between PSNs without a Load Balancer.


ISE Configuration

Certificates

For each ISE PSN hosting a Portal, use a wildcard certificate issued by a Public Certificate Authority. In this lab example an Internal CA is used and the local computer's certificate store has the certificate installed, which is unlikely in a real-life scenario.

  • Navigate to Administration > System > Certificates > Certificate Signing Request
  • If required, complete a Certificate Signing Request for a Portal certificate (ensure the Portal tag assigned to the certificate is the one referenced in the Guest Portal).

Figure 1 – ISE Portal Certificate

Guest Portal

  • Navigate to Work Center > Guest Access > Portal & Components > Guest Portals
  • Click Self-Registered Guest Portal (default)
  • Amend the portal configuration using the settings in the table below

Table 1 – Self-Registered Guest Portal (default)

  • Click Save

Downloadable ACL

A Downloadable ACL (DACL) is applied to the initial session, before the guest user authenticates, to ensure they can only reach the Guest Portal to register or re-authenticate.


  • Navigate to Policy > Policy Elements > Authorization > Downloadable ACLs
  • Click Add
  • Define an appropriate Name for the DACL, e.g. – Guest-DACL
  • Enter the DACL Content as per the figure below

Figure 2 – Downloadable ACL (DACL)

The IP addresses within this DACL are the ISE PSN nodes hosting the Guest Portal.

Authorisation Profiles

Authorisation Profiles define the Guest Portal attributes to be applied to the user's session. In this lab scenario we have 2 PSN nodes hosting the Guest Portal, so we will define 2 Guest Authorisation Profiles, one for each PSN hosting the Portal. These Authorisation Profiles will then be referenced in the Policy Set.

  • Navigate to Policy > Policy Elements > Authorization > Authorization Profiles
  • Click Add
  • Define the name Guest-Portal-ISE1
  • Select the DACL Name as Guest-DACL
  • Select Web Redirection (CWA, MDM, NSP, CPP)
    • From the drop-down list select Centralized Web Auth
    • Type the ACL name REDIRECT_ACL_CWA
    • From the drop-down list select Self-Registered Guest Portal (default)
    • Select Static IP/Host name/FQDN = guest-ise1.lab.local

Figure 3 – Authorisation Profile (Guest-Portal-ISE1)

  • Click Save
  • Create an Authorisation Profile for each PSN node hosting the Guest Portal, making sure to change the Static IP/Host name/FQDN to that of the additional PSN hosting the Guest Portal.

Policy Set

It is important that the ISE PSN that owns the RADIUS session is the same PSN used for the URL redirection. This is normally achieved using persistence on a Load Balancer; in this example we will instead use the Host Name of the ISE PSN node in conjunction with the 2 x Authorisation Profiles previously defined.

  • Navigate to Policy > Policy Sets
  • Select an existing Policy Set
  • Create authorisation rules as per the table below

Table 2 – Guest Policy Set

Switch Configuration

  • Define a redirect ACL on the switch (the name must be the same as the ACL name defined in the Authorisation Profile in ISE).
  • Enable the HTTP server on the switch so that HTTP traffic can be redirected.
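As an added example (not the guide's own Figure 2 or switch output), the Guest-DACL content and the matching switch-side redirect ACL, shown together because the two must agree; 192.168.10.10 is PSN1 from this guide and 192.168.10.11 is an assumed placeholder for PSN2.

```cisco
! --- Guest-DACL (entered as the DACL Content in ISE) ---
! A DACL is a real filter: "permit" = allowed, "deny" = dropped.
! It must allow DHCP, DNS, the PSNs and the web ports, because traffic
! the DACL drops never reaches the redirect ACL and so is never redirected.
! 192.168.10.10 = PSN1 (from the guide); 192.168.10.11 = assumed PSN2.
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 192.168.10.10
permit ip any host 192.168.10.11
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
!
! --- Switch configuration ---
! REDIRECT_ACL_CWA is a redirect ACL, not a filter: "permit" = send this
! traffic to the portal URL, "deny" = forward normally. Its name must match
! the ACL name typed in the Authorisation Profile.
ip access-list extended REDIRECT_ACL_CWA
 remark do not redirect what the client needs before it can reach the portal
 deny   udp any any eq bootps
 deny   udp any any eq domain
 deny   ip any host 192.168.10.10
 deny   ip any host 192.168.10.11
 remark all other web traffic is intercepted and sent to the Guest Portal
 permit tcp any any eq www
 permit tcp any any eq 443
!
! the switch intercepts web traffic with its own HTTP server, so enable it
ip http server
ip http secure-server
```

If a guest is never redirected, compare the two ACLs first: a port the DACL denies, or a PSN address the redirect ACL permits, produces exactly that symptom.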

Testing/Verification

For testing we will connect a computer to the switch; dot1x is not configured on the Windows client. Opening Firefox we are presented with the message You must log in to this network before you can access the internet.

  • Click the Open Network Login Page at the top right of the webpage.

Figure 4 – Firefox Network Login Page

The Guest Portal for PSN1 (as defined in the Authorisation Profile) is displayed.

Figure 5 – ISE Guest Portal Login


At this point the user can log in using previously defined credentials or create a new account.

  • Click Or register for guest access from the bottom of the login page
  • Complete the registration form

Figure 6 – Guest Registration

  • Click Register
  • The account will be created and the username and password to log in with will be displayed.

Figure 7 – Guest Account Created

  • Click Sign On
  • Accept the Acceptable Use Policy

The user should now have internet access.

Wireshark Redirect from client

If you run Wireshark on the local computer during the guest portal redirection phase we can see how it works. From the figure below we can see that a connection attempt was made to http://detectportal.firefox.com; this is a built-in feature of the Firefox browser to detect captive portals on public wifi networks.

Figure 8 – Wireshark detectportal.firefox.com

In the subsequent packet we see that the response was HTTP 302 Page Moved and the Location is the URL of the ISE PSN Portal, as defined in the Authorisation Profile.

Figure 9 – Wireshark page moved

Switch Output

  • Login to the switch
  • Enter the command show authentication session interface fas 0/4

Figure 10 – Switch, URL redirection

From the output we can see that dot1x failed over to MAB, which was successful. The DACL Guest-DACL, the ACS ACL REDIRECT_ACL_CWA and the URL Redirect to the FQDN of the PSN authenticating the session were applied to the session.

This can be confirmed from the ISE Live logs.

Figure 11 – ISE Live Log, guest redirection

Once the user logs in we can see that the newly created user was successfully authenticated.

Figure 12 – ISE Live Log, authorisation successful

Repeating the command show authentication session interface fas 0/4 on the switch you will notice the DACL and Redirect ACL have been removed. This is because the user successfully re-authorised and ISE sent a CoA (change of authorisation) to the switch to remove the DACL and Redirect ACL.

Figure 13 – Successfully authorised to Guest

For failover testing we will define a null route to the first ISE PSN node hosting the Guest Portal.

  • Enter the command ip route 192.168.10.10 255.255.255.255 null0
  • Confirm the PSN is DEAD using the command show aaa server

Figure 14 – DEAD aaa server

  • Remove the computer MAC address from the ISE Endpoint Identity Group GuestEndpoints
  • Clear the authentication session on the interface with the command clear authentication session interface fas 0/4
  • After a while run the command show authentication session interface fas 0/4

Observe in the figure below that the URL Redirect now points to the 2nd ISE PSN hosting the Guest Portal.

Figure 15 – PSN2 Guest Portal

Observe in the figure below that the ISE Live Logs confirm the Server is the 2nd ISE PSN.

Figure 16 – ISE2 Live Logs


The failover demonstrated here does not load balance connections between PSNs as a true Load Balancer would; it is Active/Standby. It does, however, ensure that the PSN terminating the RADIUS session is the same PSN used for the Guest Portal for that session.

This is a Cisco ISE blog post series with some how-to's for configuring the ISE deployment. The series consists of 10 parts.

The blog post agenda:

  • Part 1: introduction
  • Part 2: installation
  • Part 3: Active Directory
  • Part 4: High Availability
  • Part 5: Configuring wired network devices
  • Part 6: Policy enforcement and MAB
  • Part 7: Configuring wireless network devices
  • Part 8: Inline posture and VPN
  • Part 9: Guest and web authentication
  • Part 10: Profiling and posture
This week, the last post in the Cisco ISE blog post series: Profiling and posture. Both features require the Cisco ISE Advanced license.

Profiler is a functionality for discovering, locating and determining the capabilities of the attached endpoints. It will detect the device type and authorize it accordingly.

A sensor in the network captures network packets by querying the NADs and forwards the attributes to the analyzer. The analyzer checks the attributes against policies and identity groups. The result is stored in the ISE database with the corresponding device profile. The MAC address of the device is linked to an existing endpoint identity group.

There are 9 available probes:

  • Netflow
  • DHCP
  • DHCP SPAN
  • HTTP
  • RADIUS
  • NMAP
  • DNS
  • SNMPQUERY
  • SNMPTRAP

Profiling uses CoA (change of authorization). There are 3 options:

  • No CoA: CoA is disabled
  • Port bounce: use this only if there is a single session on the switchport
  • Reauth: enforce reauthentication of a currently authenticated endpoint when it’s profiled

ISE creates three identity groups by default and two identity groups that are specific to Cisco IP phones. Creating extra groups is optional.

An endpoint profiling policy contains a simple condition or a set of conditions (compound).
Configuring
Probe configuration
First, make sure the ISE appliance can query the switches via SNMP (SNMPv2 or 3) with a read-only community string. Also configure an SNMP trap destination pointing at the Cisco ISE policy node.

For DHCP probing, configure an additional IP helper on the SVI to the policy node:

Cisco ISE configuration
Click Administration – System – Settings, click Profiling and configure the CoA.

Click Administration – System – Deployment – Deployment. Choose the node and click Edit. Select the Profiling Configuration tab. Enable and configure the probes as needed.

Next, click Administration – Network Resources – Network Devices and edit your switch. Scroll down and check/edit the SNMP settings.

To create a new policy: click Policy – Profiling, choose Profiling Policies and click Create. Enter a name, a minimum certainty factor and an exception action. Apply the needed rules with their certainty factors.

To check the discovered endpoints, click Administration – Identity Management – Identities – Endpoints.

Monitor the authentications by clicking Monitor – Authentications.
Appendix
If you want to use IOS probing with a switch on IOS 15.0 or newer, use the following configuration:
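An added example, not the blog's own configuration: the IOS Device Sensor configuration, which is assumed here to be what the author means by IOS probing on IOS 15.0 or newer. The feature collects DHCP, CDP and LLDP attributes on the switch and sends them to ISE in RADIUS accounting, so no SPAN or IP helper is needed for those probes; the filter-list names are arbitrary.

```cisco
! Select which DHCP options are forwarded to ISE for profiling
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
! Select which CDP TLVs are forwarded (IP phones, APs, other Cisco gear)
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
! Select which LLDP TLVs are forwarded (non-Cisco devices)
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
! Apply the lists; anything not listed is not sent to ISE
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
! Ship the collected attributes in RADIUS accounting and
! resend whenever an attribute changes, not only at session start
device-sensor accounting
device-sensor notify all-changes
! Accounting must carry vendor-specific attributes for ISE to see them
radius-server vsa send accounting
! Periodic interim updates (minutes) keep ISE current for long-lived sessions
aaa accounting update newinfo periodic 2880
! CDP and LLDP must actually be running for those sensors to see anything
cdp run
lldp run
```

Because only the listed options and TLVs leave the switch, review the lists before adding fields: the RADIUS probe on ISE then receives exactly this attribute set.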

Posture
Posture is used to check inside a host for available antivirus, a firewall, registry keys, etc. A NAC agent is needed for this.

There are 3 modes:

  • Audit (audit only)
  • Optional (client can ignore the result)
  • Mandatory

The most common conditions:

  • Windows update
  • Virus application
  • Virus definition
  • Windows screensaver password
  • Registry entry

The NAC client uses the SWISS protocol (UDP/8905). Make sure the client can connect to the policy node on UDP/8905. A client can download the NAC client (it's read-only software). There are agents for Windows and Mac OS X, and a web agent.

The provisioning flow:

  • Client provisioning
  • Posture subscription and policy
  • Authorization policy

Make sure the ISE appliance is up to date with the latest posture files. You can download these from the Cisco website with a CCO account. The updates are a set of predefined checks, rules and antivirus support charts, and can be downloaded automatically. Check this by clicking Administration – System – Settings – Posture – Updates.

This was a 10-part blog post series about Cisco ISE. Hope you liked it!