Cisco ISE 1.3 User Guide
• EAP-FAST/EAP-GTC

Apart from the methods listed above, there are EAP methods that use certificates for both server and client authentication.

RADIUS-Based EAP Authentication Flow

Whenever EAP is involved in the authentication process, the process is preceded by an EAP negotiation phase to determine which specific EAP method (and inner method, if applicable) should be used. EAP-based authentication occurs in the following process:

1. A host connects to a network device.
2. The network device sends an EAP Request to the host.
3. The host replies with an EAP Response to the network device.
4. The network device encapsulates the EAP Response that it received from the host into a RADIUS Access-Request (using the EAP-Message RADIUS attribute) and sends the RADIUS Access-Request to Cisco ISE.
5. Cisco ISE extracts the EAP Response from the RADIUS packet and creates a new EAP Request, encapsulates it into a RADIUS Access-Challenge (again, using the EAP-Message RADIUS attribute), and sends it to the network device.
6. The network device extracts the EAP Request and sends it to the host.

In this way, the host and Cisco ISE indirectly exchange EAP messages (transported over RADIUS and passed through the network device). The initial set of EAP messages that are exchanged in this manner negotiate the specific EAP method that will subsequently be used to perform the authentication.

The EAP messages that are subsequently exchanged are then used to carry the data that is needed to perform the actual authentication. If it is required by the specific EAP authentication method that is negotiated, Cisco ISE uses an identity store to validate user credentials.

After Cisco ISE determines whether the authentication should pass or fail, it sends either an EAP-Success or EAP-Failure message, encapsulated into a RADIUS Access-Accept or Access-Reject message, to the network device (and ultimately also to the host).

The following figure shows a RADIUS-based authentication with EAP.

Figure 45: RADIUS-Based Authentication with EAP

Extensible Authentication Protocol-Message Digest 5

Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) provides one-way client authentication.
The server sends the client a random challenge. The client proves its identity in a response by hashing the challenge together with its password using MD5. Because a man in the middle could see the challenge and response, EAP-MD5 is vulnerable to dictionary attack when used over an open medium. Because no server authentication occurs, it is also vulnerable to spoofing. Cisco ISE supports EAP-MD5 authentication against the Cisco ISE internal identity store. Host Lookup is also supported when using the EAP-MD5 protocol.

Lightweight Extensible Authentication Protocol

Cisco ISE currently uses Lightweight Extensible Authentication Protocol (LEAP) only for Cisco Aironet wireless networking. If you do not enable this option, Cisco Aironet end-user clients who are configured to perform LEAP authentication cannot access the network. If all Cisco Aironet end-user clients use a different authentication protocol, such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), we recommend that you disable this option.

Note: If users access your network by using a AAA client that is defined in the Network Devices section as a RADIUS (Cisco Aironet) device, then you must enable LEAP, EAP-TLS, or both; otherwise, Cisco Aironet users cannot authenticate.

Protected Extensible Authentication Protocol

Protected Extensible Authentication Protocol (PEAP) provides mutual authentication, ensures confidentiality and integrity for vulnerable user credentials, protects itself against passive (eavesdropping) and active (man-in-the-middle) attacks, and securely generates cryptographic keying material. PEAP is compatible with the IEEE 802.1X standard and the RADIUS protocol. Cisco ISE supports PEAP version 0 (PEAPv0) and PEAP version 1 (PEAPv1) with Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol (EAP-MS-CHAP), Extensible Authentication Protocol-Generic Token Card (EAP-GTC), and EAP-TLS inner methods. The Cisco Secure Services Client (SSC) supplicant supports all of the PEAPv1 inner methods that Cisco ISE supports.

Cisco Identity Services Engine Administrator Guide, Release 1.3 (Network Access for Users, page 875)
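Steps 4 and 5 of the RADIUS-based EAP flow above, together with the EAP-MD5 challenge/response and its server-side check described in this section, as an added Python example (not Cisco's code). It builds an EAP-Response/MD5-Challenge, wraps it in a RADIUS Access-Request using the EAP-Message attribute plus a Message-Authenticator, and shows the server unwrapping and verifying it; attribute and type numbers follow RFC 2865/3579 and RFC 3748, while the username, shared secret, password and challenge are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes from RFC 2865/3579, EAP codes from RFC 3748
ACCESS_REQUEST, ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 1, 79, 80
EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4

def eap_md5_response(eap_id, password, challenge):
    """Host side: EAP-Response/MD5-Challenge, Value = MD5(Identifier | password | challenge)."""
    value = hashlib.md5(bytes([eap_id]) + password + challenge).digest()
    body = bytes([EAP_TYPE_MD5, len(value)]) + value
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def verify_md5_response(eap, password, challenge):
    """ISE side: recompute and compare in constant time; only the password is not visible on the wire."""
    if len(eap) < 22:
        return False
    code, eap_id, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or length != len(eap) or eap[4:6] != bytes([EAP_TYPE_MD5, 16]):
        return False
    expected = hashlib.md5(bytes([eap_id]) + password + challenge).digest()
    return hmac.compare_digest(eap[6:22], expected)

def attr(t, v):
    return bytes([t, 2 + len(v)]) + v

def access_request(eap, username, secret, rid, req_auth):
    """Step 4: EAP frame into EAP-Message attrs (253 bytes max) plus HMAC-MD5 Message-Authenticator."""
    attrs = attr(ATTR_USER_NAME, username)
    for off in range(0, len(eap), 253):
        attrs += attr(ATTR_EAP_MESSAGE, eap[off:off + 253])
    attrs += attr(ATTR_MSG_AUTH, bytes(16))          # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, rid, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def extract_eap(pkt, secret):
    """Step 5: verify Message-Authenticator, reassemble EAP; None on bad length/HMAC/missing MA."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    pos, eap, ma_off = 20, b"", None
    while pos < len(pkt):
        t, l = pkt[pos], (pkt[pos + 1] if pos + 1 < len(pkt) else 0)
        if l < 2 or pos + l > len(pkt):
            return None
        if t == ATTR_EAP_MESSAGE:
            eap += pkt[pos + 2:pos + l]
        elif t == ATTR_MSG_AUTH and l == 18:
            ma_off = pos + 2
        pos += l
    if ma_off is None:                                # RFC 3579: EAP-Message requires it
        return None
    zeroed = pkt[:ma_off] + bytes(16) + pkt[ma_off + 16:]
    ok = hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[ma_off:ma_off + 16])
    return eap if ok else None
```

Everything `verify_md5_response` needs except the password travels in cleartext, which is why the section calls EAP-MD5 dictionary-attackable on an open medium; the Message-Authenticator only protects the RADIUS leg between network device and ISE.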
Advantages of Using PEAP

Using PEAP presents these advantages:

• PEAP is based on TLS, which is widely implemented and has undergone extensive security review.
• It establishes a key for methods that do not derive keys.
• It sends an identity within the tunnel.
• It protects inner method exchanges and the result message.
• It supports fragmentation.

Supported Supplicants for the PEAP Protocol

PEAP supports these supplicants:

• Microsoft Built-In Clients 802.1X XP
• Microsoft Built-In Clients 802.1X Vista
• Cisco Secure Services Client (SSC), Release 4.0
• Cisco SSC, Release 5.1
• Funk Odyssey Access Client, Release 4.72
• Intel, Release 12.4.0.0
PEAP Protocol Flow

A PEAP conversation can be divided into three parts:

1. Cisco ISE and the peer build a TLS tunnel. Cisco ISE presents its certificate, but the peer does not. The peer and Cisco ISE create a key to encrypt the data inside the tunnel.
2. The inner method determines the flow within the tunnel:
   • EAP-MS-CHAPv2 inner method—EAP-MS-CHAPv2 packets travel inside the tunnel without their headers. The first byte of the header contains the type field. EAP-MS-CHAPv2 inner methods support the change-password feature. You can configure the number of times that the user can attempt to change the password through the Admin portal. User authentication attempts are limited by this number.
   • EAP-GTC inner method—Both PEAPv0 and PEAPv1 support the EAP-GTC inner method. The supported supplicants do not support PEAPv0 with the EAP-GTC inner method. EAP-GTC supports the change-password feature. You can configure the number of times that the user can attempt to change the password through the Admin portal. User authentication attempts are limited by this number.
   • EAP-TLS inner method—The Windows built-in supplicant does not support fragmentation of messages after the tunnel is established, and this affects the EAP-TLS inner method. Cisco ISE does not support fragmentation of the outer PEAP message after the tunnel is established. During tunnel establishment, fragmentation works as specified in the PEAP documentation. In PEAPv0, EAP-TLS packet headers are removed, and in PEAPv1, EAP-TLS packets are transmitted unchanged.
   • Extensible Authentication Protocol-type, length, value (EAP-TLV) extension—EAP-TLV packets are transmitted unchanged. EAP-TLV packets travel with their headers inside the tunnel.
3. There is protected acknowledgment of success and failure if the conversation has reached the inner method. The client EAP message is always carried in the RADIUS Access-Request message, and the server EAP message is always carried in the RADIUS Access-Challenge message. The EAP-Success message is always carried in the RADIUS Access-Accept message. The EAP-Failure message is always carried in the RADIUS Access-Reject message. Dropping the client PEAP message results in dropping the RADIUS client message.
Note: Cisco ISE requires acknowledgment of the EAP-Success or EAP-Failure message during PEAPv1 communication. The peer must send back a PEAP packet with an empty TLS data field to acknowledge the receipt of the success or failure message.

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is an authentication protocol that provides mutual authentication and uses a shared secret to establish a tunnel. The tunnel is used to protect weak authentication methods that are based on passwords. The shared secret, referred to as a Protected Access Credentials (PAC) key, is used to mutually authenticate the client and server while securing the tunnel.
Benefits of EAP-FAST

EAP-FAST provides the following benefits over other authentication protocols:

• Mutual authentication—The EAP server must be able to verify the identity and authenticity of the peer, and the peer must be able to verify the authenticity of the EAP server.
• Immunity to passive dictionary attacks—Many authentication protocols require a password to be explicitly provided, either as cleartext or hashed, by the peer to the EAP server.
• Immunity to man-in-the-middle attacks—In establishing a mutually authenticated protected tunnel, the protocol must prevent adversaries from successfully interjecting information into the conversation between the peer and the EAP server.
• Flexibility to enable support for many different password authentication interfaces such as MS-CHAPv2, Generic Token Card (GTC), and others—EAP-FAST is an extensible framework that allows support of multiple internal protocols by the same server.
• Efficiency—When using wireless media, peers are limited in computational and power resources. EAP-FAST enables the network access communication to be computationally lightweight.
• Minimization of the per-user authentication state requirements of the authentication server—With large deployments, it is typical to have many servers acting as the authentication servers for many peers. It is also highly desirable for a peer to use the same shared secret to secure a tunnel much the same way that it uses the username and password to gain access to the network. EAP-FAST facilitates the use of a single, strong, shared secret by the peer, while enabling servers to minimize the per-user and device state that they must cache and manage.

EAP-FAST Flow

The EAP-FAST protocol flow is always a combination of the following phases:

1. Provisioning phase—This is phase zero of EAP-FAST. During this phase, the peer is provisioned with a unique, strong secret that is referred to as the PAC and that is shared between Cisco ISE and the peer.
2. Tunnel establishment phase—The client and server authenticate each other by using the PAC to establish a fresh tunnel key. The tunnel key is then used to protect the rest of the conversation and provides message confidentiality and authenticity.
3. Authentication phase—The authentication is processed inside the tunnel and includes the generation of session keys and protected termination.

Cisco ISE supports EAP-FAST versions 1 and 1a.
CHAPTER 33

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

To ensure that Cisco ISE is able to interoperate with network switches and that functions from Cisco ISE are successful across the network segment, you need to configure network switches with the necessary NTP, RADIUS/AAA, 802.1X, MAB, and other settings for communication with Cisco ISE.

• Enable Your Switch to Support Standard Web Authentication, page 880
• Local Username and Password Definition for Synthetic RADIUS Transactions, page 880
• NTP Server Configuration to Ensure Accurate Log and Accounting Timestamps, page 880
• Command to Enable AAA Functions, page 880
• RADIUS Server Configuration on the Switch, page 881
• Configure the Switch to Send RADIUS Accounting Start/Stop to Inline Posture Nodes, page 882
• Command to Enable RADIUS Change of Authorization (CoA), page 882
• Command to Enable Device Tracking and DHCP Snooping, page 882
• Command to Enable 802.1X Port-Based Authentication, page 883
• Command to Enable EAP for Critical Authentications, page 883
• Command to Throttle AAA Requests Using Recovery Delay, page 883
• VLAN Definitions Based on Enforcement States, page 883
• Local (Default) ACLs Definition on the Switch, page 884
• Enable Switch Ports for 802.1X and MAB, page 885
• Command to Enable EPM Logging, page 887
• Command to Enable SNMP Traps, page 887
• Command to Enable SNMPv3 Query for Profiling, page 887
• Command to Enable MAC Notification Traps for Profiler to Collect, page 888
• RADIUS Idle-Timeout Configuration on the Switch, page 888
• Wireless LAN Controller Configuration for iOS Supplicant Provisioning, page 888
• Wireless LAN Controller Support for Apple Devices, page 889
• Configuring ACLs on the Wireless LAN Controller for MDM Interoperability, page 889

Enable Your Switch to Support Standard Web Authentication

Ensure that you include the following commands in your switch configuration to enable standard Web Authentication functions for Cisco ISE, including provisions for URL redirection upon authentication:

ip classless
ip route 0.0.0.0 0.0.0.0 10.1.2.3
ip http server
! Must enable HTTP/HTTPS for URL-redirection on port 80/443
ip http secure-server

Local Username and Password Definition for Synthetic RADIUS Transactions

Enter the following command to enable the switch to talk to the Cisco ISE node as though it is the RADIUS server for this network segment:

username test-radius password 0 abcde123

NTP Server Configuration to Ensure Accurate Log and Accounting Timestamps

Ensure that you specify the same NTP server as you have set in Cisco ISE at Administration > System > Settings > System Time by entering the following command:

ntp server <NTP_server_address>

Command to Enable AAA Functions

Enter the following commands to enable the various AAA functions between the switch and Cisco ISE, including 802.1X and MAB authentication functions:

aaa new-model
! Creates an 802.1X port-based authentication method list
aaa authentication dot1x default group radius
! Required for VLAN/ACL assignment
aaa authorization network default group radius
! Authentication & authorization for webauth transactions
aaa authorization auth-proxy default group radius
! Enables accounting for 802.1X and MAB authentications
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
!
aaa accounting update periodic 5
! Update AAA accounting information periodically every 5 minutes
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
 client 10.0.56.17 server-key cisco
! Enables Cisco ISE to act as a AAA server when interacting with the client at IP address 10.0.56.17

RADIUS Server Configuration on the Switch

Configure the switch to interoperate with Cisco ISE acting as the RADIUS source server by entering the following commands:

!
radius-server attribute 6 on-for-login-auth
! Include RADIUS attribute 8 in every Access-Request
radius-server attribute 8 include-in-access-req
! Include RADIUS attribute 25 in every Access-Request
radius-server attribute 25 access-request include
! Wait 3 x 30 seconds before marking RADIUS server as dead
radius-server dead-criteria time 30 tries 3
! Use RFC-standard ports (1812/1813)
radius-server host <ISE_IP_address> auth-port 1812 acct-port 1813 test username test-radius key 0 <shared_secret>
!
radius-server vsa send accounting
radius-server vsa send authentication
! send RADIUS requests from the MANAGEMENT VLAN
ip radius source-interface <interface>
Note: We recommend that you configure a dead-criteria time of 30 seconds with 3 retries to provide longer response times for RADIUS requests that use Active Directory for authentication.

Configure the Switch to Send RADIUS Accounting Start/Stop to Inline Posture Nodes

The network access device should be configured to send RADIUS accounting "Start" and "Stop" messages at the beginning and end of a session, respectively, with the remote device's IP address in those messages, to the Inline Posture nodes. The Inline Posture node associates the device IP address with any relevant authorization profiles downloaded over the life of a session. For example, a remote device may have an "unknown-compliance-state" authorization profile at initial login, then switch to a "compliant" authorization profile following CoA (assuming successful device posture assessment).

Command to Enable RADIUS Change of Authorization (CoA)

Specify the settings to ensure the switch is able to appropriately handle RADIUS Change of Authorization behavior supporting Posture functions from Cisco ISE by entering the following commands:

aaa server radius dynamic-author
 client <ISE_IP_address> server-key 0 abcde123

Note: Cisco ISE uses port 1700 (Cisco IOS software default) versus RFC default port 3799 for CoA. Existing Cisco Secure ACS 5.x customers may already have this set to port 3799 if they are using CoA as part of an existing ACS implementation.

Command to Enable Device Tracking and DHCP Snooping

To help provide optional security-oriented functions from Cisco ISE, you can enable device tracking and DHCP snooping for IP substitution in dynamic ACLs on switch ports by entering the following commands:

! Optional
ip dhcp snooping
! Required
ip device tracking

In RADIUS Accounting, the DHCP attributes are not sent by the IOS sensor to Cisco ISE even when DHCP snooping is enabled. In such cases, DHCP snooping should be enabled on the VLAN to make the DHCP attributes active.

Use the following commands to enable DHCP snooping on a VLAN:

ip dhcp snooping
ip dhcp snooping vlan 1-100
(The VLAN range should include the VLANs used for data and voice.)

Command to Enable 802.1X Port-Based Authentication

Enter the following command to turn 802.1X authentication on for switch ports, globally:

dot1x system-auth-control

Command to Enable EAP for Critical Authentications

To support supplicant authentication requests over the LAN, enable EAP for critical authentications (Inaccessible Authentication Bypass) by entering the following command:

dot1x critical eapol

Command to Throttle AAA Requests Using Recovery Delay

When a critical authentication recovery event takes place, you can configure the switch to automatically introduce a delay (in seconds) to ensure Cisco ISE is able to launch services again following recovery by entering the following command:

authentication critical recovery delay 1000

VLAN Definitions Based on Enforcement States

Enter the following commands to define the VLAN names, numbers, and SVIs based on known enforcement states in your network. Create the respective VLAN interfaces to enable routing between networks. This can be especially helpful to handle multiple sources of traffic passing over the same network segments—traffic from both PCs and the IP phone through which the PC is connected to the network, for example.

Note: The first IP helper goes to the DHCP server and the second IP helper sends a copy of the DHCP request to the inline posture node for profiling.

vlan <ACCESS_VLAN_number>
 name ACCESS
!
vlan <VOICE_VLAN_number>
 name VOICE
!
interface <ACCESS_VLAN_interface>
 description ACCESS
 ip address 10.1.2.3 255.255.255.0
 ip helper-address <DHCP_server_IP>
 ip helper-address <Inline_Posture_node_IP>
!
interface <VOICE_VLAN_interface>
 description VOICE
 ip address 10.2.3.4 255.255.255.0
 ip helper-address <DHCP_server_IP>

Local (Default) ACLs Definition on the Switch

Enable these functions on older switches (with Cisco IOS software releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization by entering the following commands:

ip access-list extended ACL-ALLOW
 permit ip any any
!
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark Ping
 permit icmp any any
 remark PXE/TFTP
 permit udp any any eq tftp
 remark Allow HTTP/S to ISE and WebAuth portal
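The global switch commands from the sections above (web authentication, AAA, RADIUS server, CoA, device tracking, 802.1X and critical EAPoL) as an added configuration audit in Python (not Cisco tooling): it parses a saved running-config and reports each required command that is missing or whose value differs from what this chapter specifies. The checklist and the sample config are constructed from this chapter; interface-level and ACL commands are deliberately out of scope.

```python
import re

# Global commands required by the sections above (constructed checklist, matched as line prefixes).
REQUIRED = [
    "ip http server", "ip http secure-server",            # URL redirection on ports 80/443
    "aaa new-model", "ip device tracking", "dot1x system-auth-control", "dot1x critical eapol",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",     # needed for VLAN/ACL assignment
    "aaa accounting dot1x default start-stop group radius",
    "radius-server attribute 6 on-for-login-auth", "radius-server attribute 8 include-in-access-req",
    "radius-server attribute 25 access-request include",
    "radius-server vsa send authentication", "radius-server vsa send accounting",
]

def parse_ios(text):
    """Split a running-config into top-level commands and their indented sub-commands."""
    top, subs, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                       # blank lines and '!' comments
        line = re.sub(r"\s+", " ", raw.strip())
        if raw[0] in " \t" and current:
            subs.setdefault(current, []).append(line)
        else:
            current = line
            top.append(line)
    return top, subs

def audit(text):
    """Return a list of findings where the config diverges from the commands in this chapter."""
    top, subs = parse_ios(text)
    findings = [f"missing: {c}" for c in REQUIRED if not any(t.startswith(c) for t in top)]
    dead = [re.findall(r"\d+", t) for t in top if t.startswith("radius-server dead-criteria")]
    if not dead:
        findings.append("missing: radius-server dead-criteria time 30 tries 3")
    elif dead[0] != ["30", "3"]:
        findings.append(f"dead-criteria is {' '.join(dead[0])}, guide recommends time 30 tries 3")
    coa = subs.get("aaa server radius dynamic-author", [])  # CoA client must carry a server-key
    if not any(c.startswith("client ") and " server-key" in c for c in coa):
        findings.append("missing: CoA client under aaa server radius dynamic-author")
    return findings

# Constructed sample: dead-criteria too short, no CoA client, device tracking and critical EAPoL absent.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send authentication
radius-server vsa send accounting
ip http server
ip http secure-server
dot1x system-auth-control
"""
```

Running `audit(SAMPLE_CONFIG)` yields four findings; an empty config yields one finding per checklist entry plus the dead-criteria and CoA entries.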