Cisco ISE 802.1X in Monitor Mode (Pre-802.1x Phase)

Cisco ISE in Monitor Mode – Pre-802.1X Deployment Steps

Before you enable 802.1X enforcement across your network, you should monitor the switch ports to identify the endpoint devices and check what capabilities they support.

Some devices may not support 802.1X, so it is good to know what options you have to allow them onto the network if they do not support it, such as MAC Authentication Bypass (MAB).

You also enable ISE profiling, which allows ISE to properly classify devices such as Windows 10 machines, MacBooks, VMware Workstation hosts, printers, etc. If a device only shows up as generic, you can create a custom profile to enable advanced policy for the devices that are not covered.

MAB allows you to use the endpoint’s MAC address to determine what kind of access to allow.

Below is what you need to prepare ISE to start profiling devices (recommended for a large deployment due to the number of endpoints):

  • Switch configuration needed for Profiling
  • ISE General Profiling Settings and Adding Switch Device to ISE
  • ISE Authentication and Authorization Policy
  • Switch Configuration Needed for ISE in Monitor Mode

I. Switch’s Configuration:

    aaa new-model
    !
    aaa group server radius RADIUS_SERVERS
     server X.X.X.90 auth-port 1645 acct-port 1646
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting update newinfo periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
    aaa session-id common
    !
    dot1x system-auth-control
    !
    radius-server host X.X.X.90 auth-port 1645 acct-port 1646 key cisco123
    !
    interface GigabitEthernet2/0/19
     switchport mode access
     ip access-group ACL_DEFAULT in
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer restart 30
     authentication timer reauthenticate 1200
     authentication timer inactivity 600
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    !
    ip access-list extended ACL_DEFAULT
     permit ip any any

The two lines that make this monitor mode are "authentication open" (the port passes traffic whether or not authentication succeeds) and the ACL_DEFAULT pre-auth ACL permitting everything.

II. Add switch to ISE as a network device

Go to Administration -> Network Resources -> Network Devices -> Add

Fill in the switch name, IP address, RADIUS pre-shared key and SNMP community string (SNMP v2c works, or v3 if your device supports it; see the Profiling section for why the SNMP community string is needed):

III. ISE’s Profiling Configuration

Go to Administration -> System -> edit the ISE server, and make sure that the Profiling Service is checked.

Go to the Profiling Configuration tab and make sure DHCP, HTTP, RADIUS, Network Scan (NMAP), SNMPQUERY, SNMPTRAP, and ACTIVE DIRECTORY are checked:

Switch’s Configuration Relevant for the Probes:

    aaa new-model
    !
    aaa group server radius RADIUS_SERVERS
     server X.X.X.X auth-port 1645 acct-port 1646
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting update newinfo periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa accounting identity default start-stop group radius
    aaa accounting system default start-stop group radius
    !
    device-sensor notify all-changes
    !
    interface Vlan<vlan-id>
     ip helper-address X.X.X.90    (IP address of ISE server #1)
     ip helper-address X.X.X.91    (IP address of ISE server #2)
    !
    logging host X.X.X.90 transport udp port 20514
    !
    snmp-server community cisco RO 10
    snmp-server trap-source Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move threshold
    snmp-server host X.X.X.90 version 2c cisco mac-notification snmp
    !
    access-list 10 permit X.X.X.90
    access-list 10 deny any log
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 60 tries 5
    radius-server host X.X.X.90 auth-port 1645 acct-port 1646 key cisco123
    radius-server retransmit 1
    radius-server timeout 2
    radius-server deadtime 20
    radius-server key cisco123
    radius-server vsa send accounting
    radius-server vsa send authentication

The ip helper-address entries forward the endpoints’ DHCP requests to the ISE servers, which feeds the DHCP probe. Access-list 10 restricts SNMP read access to the ISE server.

The configuration above feeds the SNMPQUERY, SNMPTRAP, DHCP, and RADIUS probes. ISE has already been joined to Active Directory and the AD groups have been added; make sure that join is still connected.

Go to Work Centers -> Profiler -> Endpoint Classification (on the Policy Service Node; pick the closest one if there are several nodes), and you should start seeing the MAC addresses of the endpoints that have been discovered:
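As an added example that is not part of the original post, the following Python script audits a plain-text IOS running-config for the monitor-mode port commands from section I and for the global commands the probes in this section depend on. The mapping of probes to commands, the interface names and the sample config are constructed for this example; the probe mapping is an assumption drawn from the configuration above, not an official ISE list.

```python
# Added example (not from the original post): audit an IOS running-config for the monitor-mode
# port settings and probe-feeding commands described above; all input here is constructed.
from collections import defaultdict
PORT_REQUIRED = ["authentication open", "authentication port-control auto",
                 "mab", "dot1x pae authenticator"]  # what a monitor-mode access port needs
PROBE_REQUIRED = {  # assumed global commands each ISE probe relies on (matched by prefix)
    "RADIUS": ["aaa accounting dot1x default start-stop group radius"],
    "DHCP": ["ip helper-address"],
    "SNMPTRAP": ["snmp-server enable traps mac-notification", "snmp-server host"],
    "SNMPQUERY": ["snmp-server community"]}

def parse_config(text):
    """Split IOS config text into global lines and {interface: [sub-commands]}."""
    globals_, ifaces, current = [], defaultdict(list), None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None  # stanza separator
        elif line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line.strip())
    return globals_, dict(ifaces)

def audit(text):
    """Per access port: monitor-mode status and missing commands; per probe: missing commands."""
    globals_, ifaces = parse_config(text)
    every = globals_ + [c for cmds in ifaces.values() for c in cmds]
    ports = {name: {"monitor_mode": "authentication open" in cmds,  # no "open" = enforcing
                    "missing": [c for c in PORT_REQUIRED if c not in cmds]}
             for name, cmds in ifaces.items() if "switchport mode access" in cmds}
    probes = {p: [r for r in reqs if not any(l.startswith(r) for l in every)]
              for p, reqs in PROBE_REQUIRED.items()}
    return {"ports": ports, "probes": probes}

# Constructed sample: Gi2/0/19 is correct; Gi2/0/20 has no authentication commands at all
# (so it lacks "authentication open"); only the RADIUS accounting line is present globally.
SAMPLE_CONFIG = """\
aaa accounting dot1x default start-stop group radius
interface GigabitEthernet2/0/19
 switchport mode access
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet2/0/20
 switchport mode access
"""
```

Running `audit(SAMPLE_CONFIG)` flags Gi2/0/20 as not in monitor mode and reports the DHCP, SNMPTRAP and SNMPQUERY probes as unfed, which is the state you want to catch before relying on the Endpoint Classification view.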

Show commands for the switch:

    switch# show ip access-list
    Standard IP access list 10
        10 permit X.X.X.90 (8276 matches)   <- you should start seeing hits here
        20 deny   any log

The hits above come from the SNMP query probe. 802.1X was not required for ISE to probe the switch; the probe uses "public" as the community string.

The AD probe needs to see the computer’s hostname, which is carried in the DHCP request.

Dashboard

Now we will look at the Policy Sets needed on ISE to pass traffic through. We use the default rule for demonstration purposes, but you can duplicate the default rule and rename it accordingly.

Change the Identity Store as highlighted below and make sure to click on “Save” to save the changes:

Also, expand the Options under each authentication policy and change the following as highlighted; then click on Save.

We will create a new “White list” identity group; the authorization policy will allow access to every device placed in it:

Go to Administration -> Identity Management -> Groups -> Identity Groups -> Add, type in “White list” for the group name, add a description and hit “Submit”. Leave the parent group empty:

You can add a device to this ‘White list’ to be permitted full access to the network.

Create an Authorization Profile for the White listed Devices:

Go to Policy -> Policy Elements -> Results -> Authorization -> Add

We will create a new Authorization policy under the Default Policy Sets using the “White list” Authorization Profile just created in the previous step, as shown below:

At this point, the monitor mode configuration is done, and all endpoint devices will still be permitted to access the network, regardless of whether they passed authentication or not. There is no effect on end users.

However, the switch ports will attempt to authenticate the connected endpoints: each port cycles through 802.1X (EAP) authentication attempts and then falls back to MAB.

ISE’s Monitoring reports will show which devices failed the authentication process, so you can remediate them before going live in production.
