The goal of implementing ISE in your environment is to keep non-corporate devices (PCs, printers, phones, etc.) off your network. Without it, you have no way to control which of a large number of devices are allowed to connect: anyone with physical access to a port, or within range of your wireless, gets access to network resources, which is a very big security threat for your organization.
Authentication Types Typically Used:
When using ISE, any device that gets attached to the network will be checked and verified using one of the three methods listed below. If a device has not been authenticated using one of these methods, ISE will block it (once you are enforcing in Closed mode; in Monitor mode the failure is only logged).
1. Certificate Based Authentication – This is the most common auth type for corporate computers: 802.1X with EAP-TLS. Computers carry machine certificates issued by the corporate Certificate Authority (CA), and ISE checks that the certificate chains to a CA it trusts (and, if you enable it, that it has not been revoked via CRL/OCSP) before allowing the device onto the network. Pretty simple: do you have a legitimate cert? Yes, you're allowed on the network. No, you are denied access. Keep the list of CAs ISE trusts for EAP-TLS as short as possible; any CA on that list can mint a certificate that gets a device onto your network.
2. Profiling – This lets non-domain devices (things that can't be joined to the domain and/or can't have a certificate installed on them) be classified by ISE so their access can be controlled by profile. Strictly speaking, profiling is not authentication: the device still authenticates by its MAC address (MAB, below), and the profile ISE assigns is what decides the authorization it gets. ISE builds the profile from its probes (DHCP, RADIUS, SNMP, HTTP, NMAP scans and others) and from the MAC OUI, the vendor prefix, looked up in the list below. ISE tries to update this list daily.
The OUI database contains the 24-bit MAC prefixes (OUIs) the IEEE has assigned to vendors. The OUI list is available here: http://standards.ieee.org/develop/regauth/oui/oui.txt
What if the OUI is not in the database? That brings us to the next method, MAC Authentication Bypass (MAB).
3. MAC Authentication Bypass (MAB) – As you can guess by now, these are the devices you need on your corporate network but have no way to profile. Here you create an endpoint group in ISE containing each device's MAC address, which you have to get from the device itself. This is the least secure method and should be avoided wherever possible, because the switch only ever sees a MAC address and MAC address spoofing is trivial: anyone who reads the label on a printer can put that address on a laptop and get the printer's access. But I know there are times where you have no choice. When you must use MAB, give those endpoints the narrowest authorization you can (a restricted VLAN and a downloadable ACL that allows only what the device needs), and consider Port Security with a sticky MAC address on the port so the MAC is at least tied to one physical port.
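To make the OUI and MAB points concrete, here is a small added example (my own code, not part of the original post or of ISE): it does the vendor lookup ISE profiling does on a MAC's OUI, using lines in the IEEE oui.txt format, and then checks a MAC against a MAB allow-list the way an endpoint group does. The oui.txt excerpt, the allow-list and every MAC address in it are constructed for this example.

```powershell
# Added example, not code from the original post: the vendor lookup ISE profiling does
# on a MAC's OUI, plus a MAB allow-list check, to show what a MAC tells you and what it doesn't.
# The oui.txt excerpt, the allow-list and the MACs below are constructed for this example.

$OuiText = @'
00-00-0C   (hex)		Cisco Systems, Inc
00-1B-A9   (hex)		Brother Industries, LTD.
00-50-56   (hex)		VMware, Inc.
B8-27-EB   (hex)		Raspberry Pi Foundation
'@

function ConvertTo-NormalizedMac {
    param([Parameter(Mandatory)][string]$Mac)
    # Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and Cisco-style aabb.ccdd.eeff.
    $hex = ($Mac -replace '[:\-\.]', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]{12}$') { throw "Not a MAC address: $Mac" }
    return $hex
}

function Import-OuiTable {
    param([Parameter(Mandatory)][string]$Text)
    # Parses lines in the IEEE oui.txt "XX-XX-XX   (hex)   Vendor" form into prefix -> vendor.
    $table = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$') {
            $table[$Matches[1] + $Matches[2] + $Matches[3]] = $Matches[4]
        }
    }
    return $table
}

function Get-OuiVendor {
    param([Parameter(Mandatory)][string]$Mac, [Parameter(Mandatory)][hashtable]$OuiTable)
    $prefix = (ConvertTo-NormalizedMac -Mac $Mac).Substring(0, 6)
    if ($OuiTable.ContainsKey($prefix)) { return $OuiTable[$prefix] }
    return $null   # not in the database: profiling has nothing to go on, MAB is the fallback
}

function Test-MabAuthorization {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [Parameter(Mandatory)][string[]]$AllowList,    # the MACs in the ISE endpoint group
        [Parameter(Mandatory)][hashtable]$OuiTable
    )
    $norm    = ConvertTo-NormalizedMac -Mac $Mac
    $allowed = @($AllowList | ForEach-Object { ConvertTo-NormalizedMac -Mac $_ })
    $vendor  = Get-OuiVendor -Mac $norm -OuiTable $OuiTable
    if (-not $vendor) { $vendor = 'UNKNOWN OUI' }
    [pscustomobject]@{
        Mac     = $norm
        Vendor  = $vendor
        Allowed = ($allowed -contains $norm)
    }
}

$oui     = Import-OuiTable -Text $OuiText
$mabList = @('00:1B:A9:12:34:56')            # the printer, as its MAC was entered in ISE

Test-MabAuthorization -Mac '001b.a912.3456'    -AllowList $mabList -OuiTable $oui  # the printer itself
Test-MabAuthorization -Mac '00:50:56:AA:BB:CC' -AllowList $mabList -OuiTable $oui  # an unknown VM NIC
Test-MabAuthorization -Mac '12:34:56:78:9A:BC' -AllowList $mabList -OuiTable $oui  # OUI not in the table
# A laptop whose NIC has been set to the printer's MAC produces exactly the first result:
# nothing in MAB or OUI profiling can tell the two apart.
```

The last comment is the whole point: the allow-list and the OUI lookup only ever see the address the NIC claims, which is why MAB endpoints need the tightest authorization you can give them.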
Now let's talk about what happens when a device plugs into the network. The mode is configured on the access port, as you can see below. There are three modes, but I usually see just two in working environments. The three are Monitor, Low-Impact, and Closed; I usually see Monitor and Closed. Some call Monitor mode "Open", because it is the authentication open command on the port that makes it open.
Monitor Mode – ISE sees everything but enforces nothing
• No impact to existing network
• Prepare for enforcement
• Sometimes used for troubleshooting connectivity issues
• Visibility to:
—–Endpoints on network & their supplicant configuration
—–Passed/Failed 802.1x & MAB attempts
ip access-list extended ACL-ISE-MONITOR
 permit ip any any
interface GigabitEthernet x/x/x
 authentication port-control auto
 authentication open
 mab
 dot1x pae authenticator
 ip access-group ACL-ISE-MONITOR in
Closed Mode – ISE ON (enforcing)
• Impact to existing network
• No access at all before authentication: without authentication open on the interface, the port passes only EAPOL until the session authenticates
• Note: the ACL below pre-opens DHCP, DNS/LDAP, ICMP and PXE/TFTP. That is the pre-auth ACL pattern Cisco calls Low-Impact mode; on a truly closed port none of it is reachable before authentication, and after authentication the dACL ISE pushes overrides it. Drop the log keyword from the final deny once the rollout is stable, because ACL logging is handled in software on Catalyst switches
ip access-list extended ACL-ISE-CLOSED
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS and Domain Controllers (LDAP)
 permit udp any any eq domain
 permit udp any any eq 389
 permit tcp any any eq 389
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Deny All
 deny ip any any log
interface GigabitEthernet x/x/x
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group ACL-ISE-CLOSED in
To help troubleshoot a Cisco port, use this command: show authentication sessions interface gigabitEthernet x/x/x details. The lines to look at are Method status list (which of dot1x/mab ran and whether it succeeded), ACS ACL (the downloadable ACL ISE pushed for the session) and Current Policy / Service Template (which port policy applied).
CORDERO-SW1#show authentication sessions interface gigabitEthernet 2/0/31 details
MAC Address: bcad.28c7.4266
IPv6 Address: Unknown
IPv4 Address: 10.1.2.22
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 297s
Common Session ID: 0A5240660000040AFFA3DF2B
Acct Session ID: 0x0000040A
Current Policy: POLICY_Gi2/0/31
Service Template: MONITOR_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Vlan Group: Vlan: 100
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-544f05ed
Method status list:
mab Authc Success
From the output above you can see why, when you are about to implement ISE, you want to run it in Monitor mode first: the session is authorized with the PERMIT_ALL_TRAFFIC dACL even though only MAB succeeded, so you gain visibility into what's on the network and which devices would fail authentication, without cutting anyone off. Adjust/add policies until the failures are gone, then move to Closed mode.
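When you are checking a whole closet of ports for cutover, reading each session by eye gets old. The following is an added example of my own (not from the original post, and not an ISE or Cisco tool): it parses output in the format shown above and flags sessions that are not ready for Closed mode, meaning no method succeeded, the session still carries a permit-all dACL, or the PC fell back to MAB after an 802.1X failure. Both sample outputs are constructed; the first mirrors the one above, the second is a PC whose supplicant failed.

```powershell
# Added example, not code from the original post: parses "show authentication sessions
# interface ... details" output and flags sessions that are not ready for Closed mode.
# Both samples are constructed; the first mirrors the output shown in the post.

$SampleMonitor = @'
MAC Address: bcad.28c7.4266
IPv4 Address: 10.1.2.22
Oper host mode: multi-auth
Current Policy: POLICY_Gi2/0/31
Service Template: MONITOR_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-544f05ed
Method status list:
mab Authc Success
'@

$SampleFailed = @'
MAC Address: 0050.56aa.bbcc
IPv4 Address: 10.1.2.40
Oper host mode: multi-auth
Current Policy: POLICY_Gi2/0/12
Method status list:
dot1x Authc Failed
mab Authc Failed
'@

function ConvertFrom-AuthSessionDetail {
    param([Parameter(Mandatory)][string]$Text)
    # "Key: value" lines become properties; the Method status list becomes a Methods hashtable.
    $session   = [ordered]@{ Methods = @{} }
    $inMethods = $false
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*Method status list:') { $inMethods = $true; continue }
        if ($inMethods -and $line -match '^\s*(dot1x|mab)\s+(.+?)\s*$') {
            $session.Methods[$Matches[1]] = $Matches[2]
            continue
        }
        if ($line -match '^\s*([^:]+?):\s*(.*?)\s*$') { $session[$Matches[1]] = $Matches[2] }
    }
    return [pscustomobject]$session
}

function Test-ReadyForClosedMode {
    param([Parameter(Mandatory)][pscustomobject]$Session)
    $reasons   = @()
    $succeeded = @($Session.Methods.GetEnumerator() | Where-Object { $_.Value -match 'Success' })
    if ($succeeded.Count -eq 0) { $reasons += 'no authentication method succeeded' }
    if ($Session.'ACS ACL' -match 'PERMIT_ALL') { $reasons += 'still authorized with a permit-all dACL' }
    if ($Session.Methods['dot1x'] -match 'Failed' -and $Session.Methods['mab'] -match 'Success') {
        $reasons += 'fell back to MAB after an 802.1X failure (check the supplicant and cert)'
    }
    [pscustomobject]@{
        Mac    = $Session.'MAC Address'
        Policy = $Session.'Current Policy'
        Ready  = ($reasons.Count -eq 0)
        Reason = ($reasons -join '; ')
    }
}

@($SampleMonitor, $SampleFailed) |
    ForEach-Object { Test-ReadyForClosedMode -Session (ConvertFrom-AuthSessionDetail -Text $_) } |
    Format-Table -AutoSize
```

In practice you would paste in the output of show authentication sessions interface ... details for each port (one session per call) and switch ports to Closed only once every session on them comes back Ready.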
Wired vs Wireless:
There's no difference between these two from an ISE authentication perspective: both use the same three options above and the same ISE policy sets. What differs is the enforcement point. On wired it is the switch port (the modes and ACLs above); on wireless it is the controller and SSID, and an 802.1X SSID is always closed, since a client that fails authentication never finishes associating.
Cisco ISE and Port Security are not specifically related, but it's good to consider it alongside ISE. Typically you'll want to allow 2 MAC addresses (e.g. phone and PC) on one switch port. This lets you "tie" devices to that port and helps prevent unmanaged hubs and switches on your network. Note that 802.1X host modes do the same job natively: multi-domain mode authorizes exactly one data and one voice device per port, and multi-auth authenticates several devices individually. Check your platform's configuration guide before combining port security with an authenticated port, since the two features interact.
Certificate Based Authentication:
Since CBA is used a lot, I'll go over some basic troubleshooting for it.
The first thing to check is that the appropriate Group Policy is applied: the machine certificate arrives through certificate autoenrollment and the 802.1X supplicant settings through the wired/wireless network policy, so if either GPO is missing nothing else will work.
1. Open a command prompt
2. Type "gpresult /r"; with admin rights you can narrow it to the machine side with "gpresult /r /scope computer"
3. Scroll to "COMPUTER SETTINGS", "Applied Group Policy Objects"
4. Make sure the policy is applied. For the example below, we are looking for two policies: "Workstation Certificate" and "ISE Wired and Wireless Network Settings"
5. If either policy is missing, run "gpupdate /force" or reboot, then check again.
Check Machine Cert:
1. Launch MMC by going to: Start, run, and type in “mmc.exe”
2. When the Console window opens up, go to File, “Add/Remove Snap-in…”
3. Choose “Certificates” and click “Add” to add it to the “Selected snap-ins:” section. Make sure you choose “Local Computer” and click “Finish“. Now you can click “OK” to close out.
4. You should see a screen like the one below. Click on “Personal“, “Certificates“. In the pane to the right, you should see the corporate PC/Device certificate .
5. If you have a valid certificate and still have problems connecting to the network, you can delete the certificate and let autoenrollment re-issue it. To do this you will have to either put the port in open (Monitor) mode or bring the PC/Device to an open port: a machine with no certificate cannot authenticate on a Closed port, so it cannot reach the CA to enroll.
6. After deleting the certificate, run "gpupdate /force" in the command prompt and then reboot the PC/Device. Log back in and check that the cert is back (same MMC steps as above). If it's there, move on to 7.
7. Take the PC/Device back to the original port and try again.
Profiling allows devices that the enterprise has identified to be authenticated without any user intervention. These are trusted devices, but they are trusted only on the strength of their MAC address and profile attributes, so keep their authorization (VLAN, dACL) scoped to what the device actually needs.
Standard devices you might allow onto your network:
Approved Cisco Desktop Phones (turn on 802.1X on the phones; they can authenticate with their own certificate instead of relying on MAB)
Approved Cisco APs
Approved Network Printers
Approved Security Cameras
When approved and tested, these devices will be “plug and play” from an ISE/Auth perspective.
MAC Address Bypass Authentication (MAB):
MAB is easy to use since it's just an endpoint group (a list of MACs) that you keep adding to. That is exactly why every request to add one should be looked at carefully and documented: each entry is a MAC address anyone can copy onto their own NIC.
Even though a device class is on MAB, check whether the devices actually support 802.1X. If they do (many printers and cameras can do EAP-TLS, or PEAP with an AD account), authenticate them that way instead; MAB should be the fallback, not the default.
COMMON ISSUE: AutoConfig Settings:
There may be a case where the Wired AutoConfig and WLAN AutoConfig services are not running when they should be. These services are the 802.1X supplicant on Windows; without them the PC never answers the switch's EAP request. If you are having network connectivity issues and everything else looks OK, check these settings. Below I'm assuming you're using both wired and wireless; check the service you are using.
1. Go to services (services.msc) and find "Wired AutoConfig" (service name dot3svc) and "WLAN AutoConfig" (service name WlanSvc). Make sure that these two services are started and set to start automatically.
2. Now check the settings for the NIC. You should see a tab labeled "Authentication" between the "Networking" and "Sharing" tabs; that tab only appears while Wired AutoConfig is running, and it is where the EAP settings ISE needs live. If you started the service and still don't see the "Authentication" tab, reboot the PC/Device. If, after the reboot, the tab is still missing and the services are set correctly and running, uninstall the NIC in Device Manager and reboot so the driver reinstalls.
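All of the Windows-side checks above (applied GPOs, the machine certificate in the Local Computer Personal store, and the AutoConfig services) can be run in one pass. The script below is an added example of my own, not part of the original post or of any Microsoft or Cisco tool. The two GPO names are the ones used in this post, and the issuing-CA name CORP-ISSUING-CA is an assumption; change both to match your environment. Run it from an elevated PowerShell, because gpresult /scope computer and Set-Service need admin rights.

```powershell
# Added example, not code from the original post: runs the Group Policy, machine-certificate
# and AutoConfig checks from the troubleshooting steps above in one pass (elevated PowerShell).
# The GPO names come from this post; the CA name is an assumption, change it to yours.

$ExpectedGpos  = @('Workstation Certificate', 'ISE Wired and Wireless Network Settings')
$CorporateCaCn = 'CORP-ISSUING-CA'      # assumed CN of your corporate issuing CA
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth, the EKU EAP-TLS requires

function Test-AutoConfigService {
    # Wired AutoConfig is the dot3svc service, WLAN AutoConfig is WlanSvc.
    param([Parameter(Mandatory)][string]$Name, [switch]$Fix)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Service = $Name; Ok = $false; State = 'not installed' } }
    $ok = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
    if (-not $ok -and $Fix) {
        Set-Service -Name $Name -StartupType Automatic
        Start-Service -Name $Name
        $svc = Get-Service -Name $Name
        $ok  = ($svc.Status -eq 'Running')
    }
    [pscustomobject]@{ Service = $Name; Ok = $ok; State = "$($svc.Status), start type $($svc.StartType)" }
}

function Test-AppliedGpo {
    # Same check as reading "gpresult /r /scope computer" by hand: is each GPO name in the report?
    param([Parameter(Mandatory)][string[]]$Names)
    $report = (& gpresult.exe /r /scope computer 2>&1) -join "`n"
    foreach ($n in $Names) {
        [pscustomobject]@{ Gpo = $n; Applied = [bool]($report -match [regex]::Escape($n)) }
    }
}

function Test-ClientAuthEku {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $ClientAuthEku) { return $true } }
        }
    }
    return $false
}

function Get-MachineEapCertificate {
    # The same store the MMC walkthrough opens: Local Computer -> Personal -> Certificates.
    # A usable EAP-TLS cert has a private key, comes from the corporate CA, is in its validity
    # window and carries the client-auth EKU; ChainOk is whether Windows can build its chain.
    param([Parameter(Mandatory)][string]$IssuerCn)
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -match ('CN=' + [regex]::Escape($IssuerCn)) -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Test-ClientAuthEku -Cert $_)
    } | Select-Object Subject, NotAfter, @{ n = 'ChainOk'; e = { $_.Verify() } }
}

Test-AutoConfigService -Name dot3svc | Format-Table -AutoSize   # add -Fix to set Automatic and start it
Test-AutoConfigService -Name WlanSvc | Format-Table -AutoSize
Test-AppliedGpo -Names $ExpectedGpos | Format-Table -AutoSize

$certs = @(Get-MachineEapCertificate -IssuerCn $CorporateCaCn)
if ($certs.Count -eq 0) {
    "No valid machine certificate from $CorporateCaCn with the client-auth EKU. Run gpupdate /force and reboot (step 6 above)."
} else {
    $certs | Format-Table -AutoSize
}

# What the Authentication tab shows, from the command line: the 802.1X state of each wired NIC.
& netsh.exe lan show interfaces
```

If Test-AppliedGpo reports a GPO missing, the rest of the output is usually a consequence of that, so fix the policy first; if the GPOs are applied, the services are running and the certificate still isn't there, you are back at step 5 of the certificate section (re-enroll from an open port).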