Cisco ISE Basics

The goal for implementing ISE in your environment is to prohibit NON corporate devices like PC’s, Printers, Phones, etc… on your network. Without one, you have no way to manage and control a large number of devices from connecting to your network. This gives bad actors access to network resources which is a very big security threat for your organization.

Authentication Types Typically Used:
When using ISE, any devices that’s gets attached to the network will be checked and verified by using one of the three methods listed below. If a device has not been authenticated using one of three methods below, ISE will block it.

1. Certificate Based Authentication – This is a common auth type. Computers will have machine certificates that were given out by the corporate Certificate Authority (CA). ISE will use this certificate to validate that the device is a corporate device and allow it onto the network. Pretty simple, do you have a legit cert? Yes, you’re allowed on the network. No, you are denied access.

2. Profiling – This allows NON-Domain connected devices to be profiled by ISE. You might have devices that can’t be joined to the domain and/or can’t have a certificate installed on them. These devices will have profiles associated with them in ISE to help control their access. ISE utilizes NMAP and the MAC OUI’s found in the list below. It tries to update this list daily.

The OUI database contains the MAC OUIs assigned to vendors. The OUI list is available here:
http://standards.ieee.org/develop/regauth/oui/oui.txt

What if the OUI is not in the database? That brings us to the next Authentication type, Mac Address Bypass (MAB).

3. MAC Authentication Bypass (MAB) – As you can guess by now, these devices are the devices you need on your corporate network but you have no way to profile them. Here you would create a profile to use their MAC Address which you would have to get from the device. This is the least secure and should be avoided at all costs if possible because MAC Address spoofing is a simple thing to do. But, I know there are times where you have no choice. You should be using this anyway but please use Port Security and in this case you can Sticky the MAC Address to the port for some security.

Deployment Phases:
Now lets talk about what happens when a device plugs into the network. These are generally configured on the Access port as you can see below.  We have three modes but I usually see just two in working environments. The three are Monitor, Low-Impact, and Closed. I usually see Monitor and Closed mode. Some will call Monitor, Open.

Monitor Mode – ISE OFF
• No impact to existing network
• Prepare for enforcement
• Sometimes used for troubleshooting connectivity issues
• Visibility to:
—–Endpoints on network & their supplicant configuration
—–Passed/Failed 802.1x & MAB attempts

Cisco Config:

ip access-list extended ACL-ISE-MONITOR
 permit ip any any

int Gig x/x/x
 ip access-group ACL-ISE-MONITOR in

Closed Mode – ISE ON
• Impact to existing network
• No access at all before authentication

Cisco Config:

ip access-list extended ACL-ISE-CLOSED
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS and Domain Controllers
 permit udp any any eq domain
 permit udp any any eq 389
 permit tcp any any eq 389
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Deny All
 deny   ip any any log

int Gig x/x/x
 ip access-group ACL-ISE-CLOSED in

To help troulbeshoot the Cisco port, use this command:
show authentication sessions interface gigabitEthernet x/x/x details

CORDERO-SW1#show authentication sessions interface gigabitEthernet 2/0/31 details
            Interface:  GigabitEthernet2/0/31
          MAC Address:  bcad.28c7.4266
         IPv6 Address:  Unknown
         IPv4 Address:  10.1.2.22
            User-Name:  BC-AD-28-C7-42-78
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
       Session Uptime:  297s
    Common Session ID:  0A5240660000040AFFA3DF2B
      Acct Session ID:  0x0000040A
               Handle:  0x520003DD
       Current Policy:  POLICY_Gi2/0/31

Local Policies:
        Service Template: MONITOR_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 100
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-544f05ed

Method status list:
       Method           State

       dot1x            Stopped
       mab              Authc Success

From the options above you can see when you are about to implement ISE, you want to run it in Monitor mode first to gain visibility to what’s on the network and see what devices will fail authentication. You can adjust/add policies to work properly first before going to Closed mode.

Wired vs Wireless:
There’s no difference between these two from an ISE Authentication perspective. Both will use one of three options above.

Port Security:
Cisco ISE and Port Security are not specifically related but its good to implement it along with ISE. Typically you’ll want to allow 2 MAC Addresses (e.g. phone and PC) to one switch port. This will allow you “tie” network devices to that port and help prevent non-managed hubs and switches on your network.

Certificate Based Authentication:
Since CBA is used a lot, I’ll go over some basic troubleshooting for these.

Check GPOs:
The first thing you should do is first check to make sure the appropriate Group Policy is applied.

1. Open and run the command prompt
2. Type “gpresult /r” :with admin rights, you can do a “gpresult /r /scope “computer”
3. Scroll and look for the “COMPUTER SETTINGS“, “Applied Group Policy Objects
4. Look to make sure the policy is applied, for the example below, we are looking for two policies: “Workstation Certificate” and “ISE Wired and Wireless Network Settings

ise-cli

5. If you are missing any Policy, either do a “gpupdate /force” or reboot.

Check Machine Cert:

1. Launch MMC by going to: Start, run, and type in “mmc.exe
2. When the Console window opens up, go to File, “Add/Remove Snap-in…

ise-cli

3. Choose “Certificates” and click “Add” to add it to the “Selected snap-ins:” section. Make sure you choose “Local Computer” and click “Finish“. Now you can click “OK” to close out.

ise-mmc

4. You should see a screen like the one below. Click on “Personal“, “Certificates“. In the pane to the right, you should see the corporate PC/Device certificate .

ise-cert1

5. If you have a valid certificate and you still have problems connecting to the network, you can delete and re-download the certificate. To do this you will have to either open the port or bring the PC/Device to an open port.

6. After deleting the certificate, in the command prompt, run “gpupdate /force” and then reboot the PC/Device. Log back in and check to see if the cert is there.  If it’s there, move onto 7.

7. Take the PC/Device back to the original port and try again.

Profiling:
Profiling allows devices that have been identified by the enterprise to be authenticated without and user intervention. These are trusted devices.

Standard devices you might allow onto your network:
Approved Cisco Desktop Phones (need to turn on 802.1x)
Approved Cisco APs
Approved Network Printers
Approved Security Cameras

When approved and tested, these devices will be “plug and play” from an ISE/Auth perspective.

MAC Address Bypass Authentication (MAB):
MABs are easy to use since it’s just a group or list of MACs you keep adding to. These requests should be looked at carefully and documented.

Even though you’re using MAB, you can still authenticate using AD with these devices if they support it.

COMMON ISSUE:
AutoConfig Settings:

There may be a case where Wired and Wireless Autoconfig services are not started and running when they should be. If you are having network connectivity issues and everything looks OK, check these settings.  Below I’m assuming you’re using both Wired and Wireless.  Check the service you are using.

1. Go to services (services.msc) and find “Wired AutoConfig” and “WLAN AutoConfig“. Make sure that these two services are started and make sure they are set to start automatically.

ise-autoconfig1

2. Now check the settings for the NIC. You should see a tab labeled “Authentication” in between the “Networking” and “Sharing” tabs. ISE needs this to properly identify and authenticate the device. If you started the service and still don’t see the “Authentication” tab, you might have to reboot the PC/Device. If, after the reboot, the “Authentication” tab is still not there and the services are set correctly and running, you might have to delete your NIC and reboot your machine.

ise-autoconfig2

More Stories
OSPF LSA Types