BYOD - Identification and Authentication Deployment Guide

BYOD - Identification and Authentication Deployment Guide

Deployment Details

Procedure 1 Set up initial primary engine

Step 1: Boot the Cisco ISE and then, at the initial prompt, enter setup. The installation begins.

The deployment described here bases all IP addressing off of the SBA for

Enterprise Organizations – Borderless Networks LAN Deployment Guide.

Any IP addresses used in this guide are examples; you should use addressing that is applicable to your architecture.

Device

Primary Cisco ISE

Secondary Cisco ISE

IP address

10.4.48.41

10.4.48.42

Hostname

Ise-1.cisco.local

ise-2.cisco.local

Process

Deploying Identity Services Engine

1. Set up initial primary engine

2. Set up the secondary engine

3. Configure certificate trust list

4. Configure Cisco ISE deployment nodes

5. Install Cisco ISE license

6. Configure network devices in Cisco ISE

7. Configure Cisco ISE to use Active Directory

8. Disable IP Phone authorization policy

Step 2: Enter the host name, IP address, subnet mask, and default router of the engine.

Enter hostname[]:

ise-1

Enter IP address[]:

10.4.48.41

Enter IP default netmask[]:

255.255.255.0

Enter IP default gateway[]:

10.4.48.1

Step 3: Enter DNS information.

Enter default DNS domain[]:

cisco.local

Enter primary nameserver[]:

10.4.48.10

Add/Edit another nameserver? Y/N :

n

February 2012 Series

Deployment Details

5

Step 4: Configure time.

Enter primary NTP server[time.nist.gov]:

ntp.cisco.local

Add/Edit secondary NTP server? Y/N :

n

Enter system timezone[UTC]:

PST8PDT

Tech Tip

Timezone abbreviations can be found in the Cisco Identity

Services Engine CLI Reference Guide, Release 1.1: http://www.cisco.com/en/US/docs/security/ise/1.1/cli_ref_guide/ ise_cli_app_a.html#wp1571855

Step 5:

Configure an administrator account.

You must configure an administrator account in order to access to the CLI console. This account is not the same as the one used to access the GUI.

Enter username[admin]:

admin

Enter password:

[password]

Enter password again:

[password]

Cisco ISE completes the installation and reboots. This process takes several minutes. You will be asked to enter a new database administrator password and a new database user password during the provisioning of the internal database. Do not press

Control-C

during the installation, or it will abort the installation.

The primary engine is now installed.

Procedure 2 Set up the secondary engine

The procedure for setting up the secondary engine is the same as the primary, with the only difference being the IP address and host name config-

ured for the engine. To set up the secondary engine, follow Procedure 1 and

use the values supplied in the table for the secondary engine.

Procedure 3 Configure certificate trust list

The two engines use public key infrastructure (PKI) to secure communications between them. Initially in this deployment, you use local certificates and you must configure a trust relationship between the primary and secondary engines. To do this, you need to import the local certificate from the secondary engine into the primary engine.

Step 1: In your browser, connect to the secondary engine’s GUI at http:// ise-2.cisco.local.

Step 2: In Administration > System , select Certificates .

Step 3: In the Local Certificates window, select the local certificate by checking the box next to the name of the secondary engine, ise-2.cisco.

local, and then click Export .

Step 4: Choose Export Certificate Only , and then click Export.

Step 5: When the browser prompts you to save the file to a location on the local machine, choose where to store the file and make a note of it. You will be importing this file into the primary engine.

Step 6: In a browser, access the primary engine’s GUI at http://ise-1.cisco.

local.

Step 7: In Administration > System , select Certificates .

Step 8: In the Certificate Operations pane on the left, click Certificate

Authority Certificates, and then click Add .

February 2012 Series

Deployment Details

6

Step 9: Click Browse next to the Certificate File field, and then locate the certificate exported from the secondary engine. It has an extension of .pem.

Step 10: Click Submit .

Procedure 4 Configure Cisco ISE deployment nodes

You can configure the functions of Cisco ISE—administration, monitoring, and policy service—to run all on a single engine or to be distributed amongst several engines. For this example installation, you will deploy a primary engine that performs all three functions and a secondary engine that acts as a backup for the primary.

Step 1: Connect to http://ise-1.cisco.local.

Step 2: From the Administration menu, choose System , and then choose

Deployment . A message appears notifying you that the node is currently stand-alone.

Step 4: Configure the node group with the node group name ISE-Group and the default multicast address of 228.10.11.12.

Step 5: Click Submit . A pop-up window lets you know the group was created successfully. Click OK .

Step 6: In the Deployment pane on the left, expand Deployment . A list of the current deployment nodes appears.

Step 7: Click ise-1 . This enables you to configure this deployment node.

Step 8: Under the Personas section on the General Settings tab, click Make

Primary , which is next to the Administration Role.

Step 9: Include this node in the ISE-Group node group by choosing it from the pull-down menu.

Step 3: In the Deployment pane, click the gear icon, and then select Create

Node Group .

In order for the two Cisco ISE devices to share policy and state information, they must be in a node group. The nodes use IP multicast to distribute this information so they need to be able to communicate via IP multicast.

Next, you’ll configure which methods will be used to profile network endpoints.

Step 10: Click the Profiling Configuration tab.

February 2012 Series

Deployment Details

7

Step 11: This example uses DHCP and RADIUS. Select the box next to each to enable these methods, use the default parameters, and then click Save .

Step 15: Configure ise-2 to be the secondary engine in the group by making sure that all the boxes are selected to enable all personas and that this unit is the secondary. Choose the node group ISE-Group from the drop-down list.

Step 16: Click Submit . The node registers and a pop-up window displays letting you know that the process was successful. Click OK .

Step 12: In the Edit Node window, click Deployment Nodes List . The

Deployment Nodes window appears.

Step 13: Click Register, and then choose Register an ISE Node .

Step 17: In the Deployment Nodes window, click ise-2, click the Profiling

Configuration tab, and then configure the DHCP and RADIUS options in the same way you did for the primary engine.

Step 18: Click Save .

Both Cisco ISE units are now configured as a redundant pair.

Step 14: Enter the IP address or host name of the secondary Cisco ISE and the credentials for the admin account, and then click Next .

February 2012 Series

Deployment Details

8

Procedure 5 Install Cisco ISE license

Cisco ISE comes with a 90-day demo license for both the Base and

Advanced packages. To go beyond 90-days, you need to obtain a license from Cisco. In a redundant configuration, you only need to install the license on the Primary Administration Node.

Step 1: Mouse over Administration , and then, from the System section of the menu, choose Licensing .

Notice that you only see one node here since the secondary node does not require licensing.

Step 2: Click the name of the Cisco ISE server. This enables you to edit the license details.

Step 3: Under Licensed Services, click Add Service.

Step 4: Click Browse to locate your license file, and then click Import .

If you have multiple licenses to install, repeat the process for each.

Tech Tip

When installing a Base license and an Advanced license, the

Base license must be installed first.

Procedure 6 Configure network devices in Cisco ISE

Configure Cisco ISE to accept authentication requests from network devices. RADIUS requires a shared secret key to enable encrypted communications. Each network device that will use Cisco ISE for authentication will need to have this key.

Step 1: Mouse over Administration , and then, from the Network Resources section of the menu, choose Network Devices .

Step 2: In the left pane, click Default Device .

Tech Tip

Each network device can be configured individually, or devices can be grouped by location, by device type, or by using IP address ranges. The other option is to use the Default Device to configure the parameters for devices that aren’t specifically configured. All our network devices have to use the same key, so for simplicity, this example uses the Default Device.

Step 3: Enable Default Network Device Status by choosing Enable from the pull-down menu.

Step 4: Enter the RADIUS shared secret, and then click Save .

February 2012 Series

Deployment Details

9

Procedure 7 Configure Cisco ISE to use Active Directory

Cisco ISE will use the existing Active Directory (AD) server as an external authentication server. First, you must configure the external authentication server.

Step 1: Mouse over Administration , and then, from the Identity

Management section of the menu, choose External Identity Sources .

Step 2: In the left panel, click Active Directory .

Step 3: On the Connection tab, configure the connection to the AD server by entering the AD domain (for example, “cisco.local”) and the name of the server (for example, “AD1”), and then click Save Configuration.

Step 4: Verify these settings by selecting the box next to the node, and then clicking Test Connection and choosing Basic Test .

Step 5: Enter the credentials for a domain user and click OK .

Step 7: Enter the credentials for a domain administrator account. The Cisco

ISE is now joined to the AD domain.

Next, select which groups from AD that Cisco ISE will use for authentication.

Step 8:

Click the

Groups

tab, click

Add,

and then click

Select Groups from

Directory

.

Step 9: Search for the groups you wish to add. The domain field is already filled in. The default filter is a wildcard to list all groups. Click Retrieve

Groups to get a list of all groups in your domain.

Step 10:

Select the groups you want to use for authentication, and then click

OK

. For example, for all users in the domain, select the group

<domain>/Users/Domain Users.

Step 6:

Select the box next each node, and then click

Join

.

February 2012 Series

Step 11: Click Save Configuration .

Deployment Details

10

Procedure 8 Disable IP Phone authorization policy

There is a default policy in place for Cisco IP Phones that have been profiled. This profile applies a downloadable access list on the port to which the phone is connected. Since there is no policy enforcement taking place, this rule should be disabled.

Step 1: On the menu bar, mouse over Policy , and then click Authorization .

Step 2: Click Edit for the Profiled Cisco IP Phones rule, click the green check mark icon, choose Disabled , click Done , and then click Save .

Process

Enabling Visibility to the LAN

1. Configure MAC Authentication Bypass

2. Configure 802.1X for wired users

3. Enable RADIUS in the access layer

4. Enable identity

5. Disable port security timers

6. Configure profiling for the LAN

Cisco ISE is now configured for identity. The next step is to configure the switches for identity by using Cisco LMS 4.1 and the Identity Workcenter.

Procedure 1 Configure MAC Authentication Bypass

MAC Authentication Bypass (MAB) allows you to configure specific machine

MAC addresses on the switch to bypass the authentication process. For monitor mode, this is required, since you aren’t enforcing authentication.

MAB will be configured to allow any MAC address to authenticate.

Step 1:

Mouse over

Policy

, and then choose

Authentication

. The Policy

Type is Rule-Based.

There are already two default rules in place, MAB and Dot1X.

February 2012 Series

Deployment Details

11

Step 2: Use the default MAB policy. Click the black triangle to the right of the and… of the MAB rule. This brings up the identity store used for the MAB rule.

Next, change the options on the Internal Users database, which is used for profiling.

Step 3:

Click the

+

next to

Internal Endpoints

. In this example deployment, we are allowing all endpoints to authenticate. If the MAC address isn’t found in the database, you need to bypass authentication and continue. For the authentication failed and user not found options, choose

Continue

from the pull-down menu.

Step 4:

Click anywhere in the window to continue, and then click

Save

.

Procedure 2 Configure 802.1X for wired users

There is already a Dot1X rule configured on the engine. Although in this example deployment you aren’t deploying any wired endpoints with 802.1X supplicants at this point, you should still configure this rule to prepare for the next phase of an identity deployment.

Step 1: Mouse over Policy , and then, from the menu, choose

Authentication .

Step 2: To differentiate this from a wireless 802.1X rule, rename the rule

Wired-Dot1X .

Step 3: Click the black triangle to the right of the and… of the Wired-Dot1X rule. This brings up the identity store used for this rule.

The default identity store is the internal user database. For 802.1X, use the

Active Directory server that you defined earlier.

Step 4: Click the + symbol next to Internal Users . This enables you to edit the identity store and the parameters.

Step 5: From the Identity Source drop-down list, choose the previously defined AD server AD1 , use the default options for this identity source, and then click anywhere in the window to continue.

Step 6: Click Save .

February 2012 Series

Deployment Details

12

Procedure 3 Enable RADIUS in the access layer

Step 1: Connect to Cisco LMS with a web browser, for example: https://lms.

cisco.local.

Step 2: Mouse over Workcenters , and then, from the Identity section, choose Getting Started . This shows the network’s Identity Readiness

Assessment, which verifies that the software versions support the identity features and that the switches are capable of running RADIUS.

Step 6: In the pop-up window, enter 10.4.48.41

for the RADIUS server IP address, and then click Save and add another .

Step 7: Enter 10.4.48.42

for the second RADIUS server, and then click

Save. The RADIUS server group has been configured.

Step 8: In the AAA Configuration section, make sure that only Enable for

802.1X / MAB AAA is selected. A warning message about not configuring

AAA for Web authentication appears. Click OK .

Step 9: Click Next to proceed to the next step.

Next, configure identity by enabling RADIUS on the switch.

Step 3: In the RADIUS-capable devices table, select the switches for which you want to enable RADIUS, and then click Configure RADIUS .

Step 4: Select the RADIUS Group button, and then fill in the fields. Enter

ISE-Group for the RADIUS group name, and then use the value used in previous procedures for the Shared Key.

Step 5: In the RADIUS Server Details section, click Add .

February 2012 Series

Tech Tip

You can review the CLI commands that will be pushed to the switch by clicking Preview CLI .

Deployment Details

13

Step 10: Enter a job description, and then click Finish to deploy immediately.

Step 11: When you receive the warning regarding the addition of AAA commands, click Yes , and then click OK on the pop-up window generated after the job is created.

Procedure 4 Enable identity

The identity configuration enables monitor mode on the switch. This enables both 802.1X and MAC Authentication Bypass, (MAB) however no authentication policy is enabled. This allows the ports to be monitored with no disruption to current network activity.

Step 1: Mouse over Work Centers , and then, under the Identity section, choose Configure .

Step 2: In the Navigator pane on the left, click Enable Interfaces .

Step 3: Choose the switch that was previously configured for RADIUS from the list, select All Groups in the port group selector, and then click Next .

Step 4: Select the check box next to the ports for which you want to enable identity, and then click Next .

Next, configure monitor mode.

Step 5:

Move the Security Mode slider to

Monitor

, which is the default.

February 2012 Series

Deployment Details

14

Step 6: In the Authentication Profile section, select 802.1X

, then MAB in the

Define Authentication Profile slider, make sure MultiAuth is selected in the

Define Host Mode section and No Change is selected for Action to be taken on security violation, and then, in the MAC Configuration section, make sure only Enable MAC Move is selected.

Step 8: Give the deployment job a description in the Job Description field, and then click Finish to submit the job. Click OK .

Tech Tip

You can review the CLI commands that will be pushed to the switch by clicking Preview CLI .

Step 7: Click Next . Identity configuration is complete.

Next, you must create a deployment job in order to deliver the configuration to the switch.

February 2012 Series

The global commands added to the switch configuration at the completion of the previous two procedures are as follows.

aaa group server radius ISE-Group

server 10.4.48.41

server 10.4.48.42

aaa authentication dot1x default group ISE-Group aaa authorization network default group ISE-Group aaa authorization configuration default group ISE-Group aaa accounting dot1x default start-stop group ISE-Group authentication mac-move permit dot1x system-auth-control

Deployment Details

15

radius-server host 10.4.48.41

radius-server host 10.4.48.42

radius-server key

[key]

The interface commands added at the completion of this procedure are as follows.

interface

[interface]

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

Procedure 5 Disable port security timers

The current Cisco SBA design incorporates the use of port security to provide a level of security and prevent rogue devices from being connected.

However, 802.1X also provides this functionality and there can be conflicts when both are enabled on a port at the same time. This is particularly true of inactivity timers since both port security and 802.1X each have their own set of timers. The conflict causes 802.1X to re-authenticate every time the port security time out is reached. To avoid this issue, port security timers need to be disabled.

Step 1: Connect to the Cisco LMS server by browsing to https://lms.cisco.

local.

Step 2: Mouse over Configuration , and then choose NetConfig under the

Tools heading. This opens the Job Browser.

Step 3: Click Create.

This enables you to configure a new job.

Step 4: Select Port based , and then click Go .

Step 5: Click the + symbol next to the All Devices tree, select the switch you are configuring, and then click Next .

Tech Tip

In this example, only one switch is being configured, but you can select multiple switches to accommodate a large deployment.

The Group Selector allows you to choose switches by predefined groups or by model.

Step 6:

Select

Define an Ad-Hoc Rule

. This brings up a new screen.

Step 7:

For the ad-hoc rule, select

Port for the object type.

Step 8:

From the Variable drop-down menu, choose

Identity_Security_Mode

.

Step 9:

For the Operator, choose

=, and for the Value, select

Monitor

.

Step 10:

Click

Add Rule Expression

, and then click

Next

.

February 2012 Series

Deployment Details

16

Step 11: In the Task Selector, select Adhoc Task , and then click Next .

Step 12: Click Add Instance , and then, in the new window, add the CLI commands necessary to remove the port security configuration.

no switchport port-security aging time no switchport port-security aging type no switchport port-security violation

Step 13: Click Applicable Devices, select the switch to apply this configuration to, click Close , and then click Save .

Step 14: After returning to the Add Tasks window, click Next .

Step 15: Fill in a description for the job, and then click Next to submit the job for immediate deployment.

Step 16: Click Finish , and then click OK when you receive a notice that the job was submitted successfully.

Procedure 6 Configure profiling for the LAN

One of the ways Cisco ISE profiles endpoints is by examining DHCP requests that are sent from the device. In order to forward these requests to the engine, a helper address needs to be configured on the router interface of the network of the host. A helper address takes the broadcast packet and makes it a directed broadcast to the address specified.

Step 1: Connect to the console of the default router for the endpoint.

February 2012 Series

Deployment Details

17

Step 2: At the CLI, enter the following commands.

Router#ena

Router#conf terminal

Router(config)#interface

[interface]

Router(config-if)#ip helper-address

10.4.48.41

Router(config-if)#ip helper-address

10.4.48.42

Router(config-if)#exit

Router(config)#exit

Router#copy running-config startup-config

Process

Enabling Visibility to the Wireless Network

1. Configure 802.1X for wireless endpoints

2. Disable EAP-TLS on Cisco ISE

3. Add ISE as RADIUS Authentication Server

4. Disable the original RADIUS server

5. Add ISE as RADIUS accounting server

6. Add secondary DHCP server on WLC

To authenticate wireless clients, you need to configure the wireless LAN controllers (WLC) to use the new Cisco ISE servers as RADIUS servers for authentication and accounting. The existing entry is disabled so that if there are any issues after moving to Cisco ISE, you can quickly restore the original configuration. Additionally, you configure the WLCs with Cisco ISE as a secondary DHCP server so that profiling information can be obtained from the DHCP requests from these clients.

Procedure 1 Configure 802.1X for wireless endpoints

To differentiate wireless users in the authentication logs, create a rule to identify when wireless users authenticate.

Step 1: Navigate to the Authentication Policy tab, mouse over Policy , and then, from the menu, choose Authentication .

Step 2: Click the Actions button for the Default Rule, and then choose

Insert new row above . A new rule, Standard Policy 1, is created.

Step 3: Rename Standard Rule 1 to Wireless-Dot1X . Click the + symbol in the Condition(s) box, and then choose Select Existing Condition from

Library .

Step 4: In the Select Condition pull-down list, click the > symbol next to

Compound Condition .

February 2012 Series

Deployment Details

18

Step 5: Choose Wireless_802.1X, and then click anywhere to continue.

Step 10: Use the default options for this identity source, continue by clicking anywhere in the window, and then click Save .

Step 6: Click the Select Network Access pull-down list, click the > symbol next to Allowed Protocols , and then select Default Network Access .

Step 7: Click the black triangle to the right of the and… on the Wireless-

Dot1X rule. This displays the identity store used for this rule.

Step 8: Click the + symbol next to Set Identity Source .

Step 9: In the Identity Source drop-down list, choose the previously defined

AD server, for example. AD1.

Procedure 2 Disable EAP-TLS on Cisco ISE

For wireless deployments that aren’t currently using digital certificates, you need to disable EAP-TLS to allow clients to log in. You will be deploying digital certificates in a later phase of this deployment.

Step 1: On the menu bar, mouse over Policy , and then, from the Policy

Elements section of the menu, choose Results .

Step 2: In the left pane, double-click Authentication.

This expands the options.

Step 3: Double-click Allowed Protocols , and then select Default Network

Access .

February 2012 Series

Deployment Details

19

Step 4: Clear the global Allow EAP-TLS check box and, under the PEAP settings, clear the Allow EAP-TLS check box, and then click Save .

Step 6: Next to Management, clear the Enable box, and then click Apply .

Procedure 3 Add ISE as RADIUS Authentication Server

Perform this procedure for every wireless LAN controller (WLC) in the architecture with the exception of the guest WLC in the demilitarized zone

(DMZ).

Step 1: Navigate to the WLC console by browsing to https://wlc1.cisco.local.

Step 2: On the menu bar, click Security .

Step 3: In the left pane, under the RADIUS section, click Authentication .

Step 4: Click New.

A new server is added.

Step 5: Enter 10.4.48.41

for the IP address of the new server and your

RADIUS shared secret.

Step 7:

Repeat Steps 4 through 6 to add the secondary engine, 10.4.48.42,

to the WLC configuration.

Procedure 4 Disable the original RADIUS server

After adding Cisco ISE as a RADIUS server, disable the current RADIUS server in use. By disabling the server instead of deleting it, you can easily switch back if needed. Perform this procedure for every wireless LAN controller (WLC) in the architecture with the exception of the guest WLC in the DMZ.

Step 1: On the RADIUS Authentication Servers screen, click the Server

Index of the original RADIUS server, and then, for Server Status , select

Disabled . Click Apply .

February 2012 Series

Deployment Details

20

Step 2: On the RADIUS Authentication Servers screen, click Apply .

Step 5:

Repeat Step 4 to add the secondary engine, 10.4.48.42, to the WLC

configuration.

Step 6: On the RADIUS Accounting Servers screen, click the Server Index of the original RADIUS server, and then, for Server Status, select Disabled .

Click Apply .

Step 7: On the RADIUS Accounting Servers screen, click Apply .

Procedure 5 Add ISE as RADIUS accounting server

Perform this procedure for every wireless LAN controller (WLC) in the architecture, with the exception of the guest WLC in the DMZ.

Step 1: On the menu bar, click Security .

Step 2: In the left pane, under the RADIUS section, click Accounting .

Step 3: Click New.

This adds a new server.

Step 4: Enter 10.4.48.41

for the IP address of the new server and your

RADIUS shared secret, and then click Apply.

Procedure 6 Add secondary DHCP server on WLC

You need to add a secondary DHCP server to the WLC configuration in order to send DHCP requests to the engine for endpoint profiling.

Step 1:

On the WLC, navigate to

Controller > Interfaces

. Select the interface for the clients you wish to monitor.

Step 2:

In the DHCP Information section, add the Cisco ISE server as the

Secondary DHCP Server, and then click

Apply

.

February 2012 Series

Deployment Details

21

Step 3: When the warning appears with a message about the WLANs needing to be disabled, click OK .

Step 4: Click Save Configuration , and then click OK .

The network infrastructure is now enabled for monitoring the network to determine what types of devices are connecting. Additionally, authentication using ISE was enabled for the wireless network. This is a good place in the deployment to test the deployment and monitor network access. Some organizations may not need to implement the next phase and choose to stop here.

Process

Deploying digital certificates

1. Install certificate authority

2. Install trusted root certificate for domain

3. Install trusted root on AD server

4. Request a certificate for ISE from the CA

5. Download CA root certificate

6. Issue certificate for ISE

7. Install trusted root certificate in ISE

8. Install local certificate in ISE

9. Delete old certificate and request

In the next phase of deployment, you configure the infrastructure to support the use of digital certificates for user and machine authentication. Using digital certificates when deploying 802.1X is a Cisco best practice. In this example deployment, you will be deploying digital certificates to Microsoft

Windows XP and Windows 7 endpoints as well as to Apple Mac OS X devices. The certificate authority (CA) you will be using is the one built into

Windows Server 2008 Enterprise and you will enable it on the existing Active

Directory (AD) server.

February 2012 Series

Deployment Details

22

Procedure 1 Install certificate authority

Step 1: Install an enterprise root certificate authority on the AD server.

Tech Tip

Microsoft Windows Server 2008 Active Directory Certificate

Services Step-by-Step Guide: http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.

aspx

Step 4: Click Download CA Certificate, and then save the certificate file on the AD controller.

Procedure 2 Install trusted root certificate for domain

Install a trusted root certificate on the AD controller to distribute it to the clients so that certificates from the CA server will be trusted.

Step 1: On the CA console, launch a web browser, and then connect to the certificate authority, https://ca.cisco.local/certsrv.

Step 2: Click Download a CA certificate, certificate chain, or CRL .

Step 3: Make sure the current certificate is selected and the DER encoding method is selected.

Step 5:

On the CA console, navigate to

Start > Administrative Tools >

Group Policy Management

.

Step 6:

Expand the

Forest

,

Domain

, local domain, and

Group Policy

Objects

.

February 2012 Series

Deployment Details

23

Step 7: Right-click Default Domain Policy, and then choose Edit .

Step 8: Navigate to Computer Configuration > Policies > Windows

Settings > Security Settings > Public Key Policies, right-click Trusted

Root Certification Authorities, and then choose Import . The Certificate

Import Wizard launches.

Step 9:

Click

Next

.

February 2012 Series

Deployment Details

24

Step 10: Click Browse

, locate the trusted root certificate saved in Step 4

and then click Next .

Procedure 3 Install trusted root on AD server

In addition to installing the trusted root certificate on the AD server to be distributed to workstations, you need to install it on the AD server directly. A

GPO update takes care of this automatically. In this procedure, you will force the update to run immediately.

Step 1: On the AD console, navigate to Start > Run .

Step 2: Type cmd , and then press Enter to open a command window.

Step 3: Type gpupdate . The group policy updates.

Step 11: Place the certificate in the Trusted Root Certification Authorities certificate store, and then click Next .

Step 12: Click Finish.

The certificate imports.

Step 13: Click OK .

Procedure 4 Request a certificate for ISE from the CA

In order to obtain a certificate from the CA, Cisco ISE needs to generate a signing request that will be used by the CA to generate a certificate.

Step 1:

Connect to https://ise-1.cisco.local.

Step 2:

Mouse over

Administration

, and then, from the System section of the menu, choose

Certificates

.

Step 3:

Under Certificate Operations, select

Local Certificates

.

February 2012 Series

Deployment Details

25

Step 4: Click Add, and then choose Generate Certificate Signing

Request .

Step 5:

Enter the fully qualified domain name (FQDN) of the Cisco ISE server in the Certificate Subject field after the “CN=”, and then click

Submit

.

Procedure 5 Download CA root certificate

Step 1: Browse to https://ca.cisco.local/certsrv.

Step 2: Click Download a CA certificate, certificate chain, or CRL .

Step 3: Make sure the current certificate is selected and the DER encoding method is selected.

Step 4: Click Download CA Certificate, and then save the certificate file on the local machine.

Step 6: Click OK. This acknowledges the certificate was generated successfully.

Step 7: Click Certificate Signing Requests , select the check box next to the new request, and then click Export .

Step 8: Save the file to your local machine. You will use this file to generate a certificate on the CA for Cisco ISE.

Procedure 6 Issue certificate for ISE

Step 1: Click Home. The CA’s home screen displays.

Step 2: Click Request a certificate .

Step 3: Click advanced certificate request .

Step 4: Open the certificate file saved in Procedure 4, “Request a certificate for ISE from the CA,” in a text editor, such as Notepad. Select all the text and copy it to the clipboard.

February 2012 Series

Deployment Details

26

Step 5: Paste the contents into the text box in the Saved Request section of the certificate request that is open in the browser.

Step 6: From the Certificate Template drop-down list, choose Web Server , and then click Submit .

Step 3: Click Browse, and then locate the root CA certificate saved in

Procedure 5, “Download CA root certificate.”

Step 4: Select Trust for client authentication , and then click Submit .

Step 7: Select DER encoded , and then click Download certificate.

The certificate saves to your local machine.

Procedure 7 Install trusted root certificate in ISE

Step 1: In the Cisco ISE interface, mouse over Administration , and then, from the System section of the menu, choose Certificates .

Step 2: Click Certificate Authority Certificates, and then click Import .

Procedure 8 Install local certificate in ISE

Step 1: In the Cisco ISE interface, mouse over Administration , and then, from the System section of the menu, choose Certificates .

Step 2: Click Local Certificates .

Step 3: Click Add, and then choose Bind CA Certificate .

Step 4: Click Browse

and locate the certificate saved from Step 1, “Issue

certificate for ISE.”

February 2012 Series

Deployment Details

27

Step 5: In the Protocol section, select both the EAP and Management

Interface check boxes. When you receive a warning that checking the

Management Interface box will require the Cisco ISE appliance to restart, click OK , and then click Submit .

Step 3: Select the box next to the self-signed certificate. This is the certificate issued by the Cisco ISE appliance and not the certificate issued by the

CA that was just imported.

Step 4: Click Delete, and then click OK .

Step 5: Click Certificate Signing Requests .

Step 6: Select the box next to the certificate signing request that was created in Procedure 4, “Request a certificate for ISE from the CA.”

Step 6: When you receive a warning that the Cisco ISE appliance will restart, click OK

Procedure 9 Delete old certificate and request

Now that you have imported the local certificate into Cisco ISE, you need to delete the old self-signed certificate as well as the certificate signing request generated previously.

Step 1: In the Cisco ISE interface, mouse over Administration , and then, in the System section, choose Certificates .

Step 2: Click Local Certificates .

Step 7: Click Delete, and then click OK .

February 2012 Series

Deployment Details

28

Process

Enable 802.1X authentication

1. Create ISE policies

2. Enable certificates

3. Enable EAP-TLS

You will configure ISE policies to support 802.1X authentication using digital certificates for both wired and wireless users.

Procedure 1 Create ISE policies

An authentication profile is used to determine how a certificate will be used for authentication.

Step 1:

In Cisco ISE, mouse over

Administration

, and then, in the Identity

Management section, choose

External Identity Sources

.

Step 2:

In the left pane, click

Certificate Authentication Profile,

and then click

Add

.

Step 3: Give the profile a meaningful name, and then, from the Principal

Username X509 Attribute drop-down list, choose Subject Alternative

Name .

Step 4:

Click

Submit

.

An identity source sequence allows certificates to be used as an identity store and also allows for a backup identity store if a primary identity store is unavailable.

Step 5:

Click

Identity Source Sequences

, and then click

Add

.

Step 6: Give the sequence a meaningful name.

Step 7: In the Certificate Based Authentication section, select Select

Certificate Authentication Profile , and then choose the profile created previously.

Step 8: In the Authentication Search List section, double-click the AD server from the Available list to move it to the Selected list.

February 2012 Series

Deployment Details

29

Step 9: In the Advanced Search List Settings section, select Treat as if the user was not found and proceed to the next store in the sequence .

Step 4: In the Identity Store drop-down list, choose the identity source sequence created in Procedure 1, “Create ISE policies,” use the default options for this identity source, and then click anywhere in the window to continue.

Step 10: Click Submit .

Procedure 2 Enable certificates

Now that you have created a certificate authentication profile and identity source sequence for digital certificates, you need to enable the 802.1X authentication policies for both wired and wireless users.

Step 1: Mouse over Policy , and then, from the drop-down menu, choose

Authentication .

Step 2: Click the black triangle to the right of the and… of the Wired-Dot1X rule. This brings up the identity store used for this rule.

Step 3: Click the + symbol next to the AD1 identity store entry.

For wireless users, you should modify the authentication policy to first check if the client is using EAP-TLS and then, if not, to allow them to use an authentication method like PEAP that uses a user name and password for credentials. This allows users who haven’t gotten certificates yet to still access the network. Once they connect to the network, Windows clients will get their certificates pushed to them and other endpoints can manually obtain a certificate.

Step 5: Click the black triangle to the right of the and… of the Wireless-

Dot1X rule. This brings up the identity store used for this rule.

February 2012 Series

Deployment Details

30

Step 6: In the Actions drop-down list next to the Default rule, choose Insert new rule above .

Step 11: In the second drop-down list, choose Equals, and in the last dropdown list, choose EAP-TLS , and then click OK .

Step 7:

Give the rule a name, and then open the expression builder by clicking the symbol next to the

Enter Condition

box.

Step 8:

Click

Create New Condition (Advance Option)

.

Step 9:

In the Expression drop-down list, click the arrow next to

Select

Attribute.

Step 10:

Click the arrow next to Network Access, and then select

EapAuthentication

.

Step 12: Click the + symbol next to Internal Users.

Step 13: In the Identity Store drop-down list, choose the identity source sequence created in Procedure 1, “Create ISE policies,” use the default options for this identity source, and then click anywhere in the window to continue.

Step 14: Click Save .

February 2012 Series

Deployment Details

31

Procedure 3 Enable EAP-TLS

In a previous section, you disabled EAP-TLS. Now that you are using digital certificates, you need to re-enable it.

Step 1: On the menu bar, mouse over Policy, and then, in the Policy

Elements section, choose Results .

Step 2: In the left pane, double-click Authentication. This expands the options.

Step 3: Double-click Allowed Protocols , and then choose Default Network

Access .

Step 4: Select the global Allow EAP-TLS check box and, under the PEAP settings, select the Allow EAP-TLS check box, and then click Save .

Process

Configure Group Policy Objects

1. Create template for workstations

2. Create template for user auto-enrollment

3. Configure GPOs for wired endpoints

4. Configure GPOs for wireless endpoints

In this deployment you will be using Group Policy Objects (GPOs) to distribute certificates and to configure the native 802.1X supplicant for

Windows XP and later endpoints that are members of the domain. Machine certificates are distributed when the machine joins the domain and user certificates are deployed to the endpoint where the user logs in to the domain. The steps in this example deployment describe how to edit the

Default Domain Policy so that it will apply to all users but you could create a new policy object and apply it to a subset of users if you prefer.

Procedure 1 Create template for workstations

You need to create a certificate template on the CA to be used to distribute machine certificates to workstations that join the Active Directory (AD) domain.

Step 1:

On the CA console, navigate to

Start > Administrative Tools >

Certification Authority

.

February 2012 Series

Deployment Details

32

Step 2: Expand the CA server, right-click Certificate Templates, and then choose Manage . The Certificate Templates Console opens.

Step 7: Select Requests must use one of the following CSPs and

Microsoft Enhanced Cryptographic Provider v1.0

, and then click OK .

Step 3:

Right-click the Computer template, and then choose

Duplicate

Template

.

Step 4:

For compatibility, make sure that

Windows 2003 Server Enterprise is selected.

Step 5:

In the template properties window, click the

General

tab, and then give the template a name.

Step 6:

On the Request Handling tab, select

Allow private key to be exported,

and then click

CSPs

.

February 2012 Series

Deployment Details

33

Step 8: On the Security tab, click Domain Computers, and then make sure

Allow is selected for both Enroll and Autoenroll .

Step 11: In the Certificate Authority console, right-click Certificate

Templates , and then choose New > Certificate Template to Issue .

Step 9: Use the defaults for the remaining tabs, and then click OK .

Step 10: Close the Certificate Templates Console.

February 2012 Series

Deployment Details

34

Step 12: Choose the previously defined template, and then click OK .

Procedure 2 Create template for user auto-enrollment

This deployment uses Group Policy Objects (GPOs) to have domain users auto-enroll to obtain a certificate when they log in to the domain. You need to create a certificate template for these users to enable auto-enrollment.

Step 1: On the CA console, navigate to Start > Administrative Tools >

Certification Authority .

Step 2: Expand the CA server, right-click Certificate Templates, and then choose Manage . The Certificate Templates Console opens.

When machines join the domain or when the GPO policy is refreshed (the default period is 90 minutes), the machine receives a machine certificate to allow for 802.1X machine authentication.

February 2012 Series

Step 3:

Right-click the User template, and then choose

Duplicate

Template

.

Step 4:

For compatibility with Windows XP, make sure that

Windows 2003

Server Enterprise

is selected.

Step 5:

In the template properties window, click the

General

tab, and then give the template a name.

Deployment Details

35

Step 6: On the Request Handling tab, select Allow private key to be exported , make sure Enroll subject without requiring any user input is selected, and then click CSPs .

Step 7: Select Requests must use one of the following CSPs and

Microsoft Enhanced Cryptographic Provider v1.0

, and then click OK .

Step 8: On the Security tab, click Domain Users , and then make sure Allow is selected for Read , Enroll, and Autoenroll .

Step 9: Use the defaults for the remaining tabs, and then click OK .

Step 10: Close the Certificate Templates Console.

Step 11: In the Certificate Authority console, right-click Certificate

Templates , and then choose New > Certificate Template to Issue .

February 2012 Series

Deployment Details

36

Step 12: Choose the previously defined template, and then click OK .

Step 5: Right-click Wired Network (IEEE 802.3e) Policies, and then choose Create a New Wired Network Policy for Windows Vista and Later

Releases .

Users will have a certificate pushed to them the next time they log in to the domain or after the GPO policy is refreshed. If the user logs in to multiple endpoints, the certificate is deployed to each of them.

Procedure 3 Configure GPOs for wired endpoints

This deployment uses GPOs to configure the 802.1X supplicant on wired endpoints running Windows XP SP3 and higher.

Step 1: On the CA console, navigate to Start > Administrative Tools >

Group Policy Management .

Step 2: Expand the Forest , Domain , local domain , and Group Policy

Objects .

Step 3: Right-click Default Domain Policy.

The Group Policy Management

Editor opens.

Step 4: In the Group Policy Management Editor, navigate to Computer

Configuration > Policies > Windows Settings > Security Settings .

February 2012 Series

Step 6:

On the General tab, give the policy a name and description, and then make sure

Use Windows Wired Auto Config service for clients

is selected.

Step 7:

On the Security tab, make sure

Enable of IEEE 802.1X authentication for network access

is selected.

Step 8:

In the network authentication method drop-down list, choose

Microsoft: Smart Card or other certificate

.

Step 9:

In the Authentication Mode drop-down list, choose

User or computer authentication

.

Step 10:

Click

Properties

.

Step 11:

Make sure the

Use a certificate on this computer

option is selected, and then make sure the

Use simple certificate selection

and

Validate server certificate

check boxes are selected.

Deployment Details

37

Step 12: In the Trusted Root Certification Authorities list, select the check box next to the root certificate for the CA.

Step 13: Click OK , click Apply, and then click OK again.

Procedure 4 Configure GPOs for wireless endpoints

This deployment uses GPOs to configure the 802.1X supplicant for wireless endpoints running Windows XP SP3 and higher.

Step 1: On the CA console, navigate to Start > Administrative Tools >

Group Policy Management .

Step 2: Expand the Forest , Domain , local domain , and Group Policy

Objects .

Step 3: Right-click Default Domain Policy . The Group Policy Management

Editor opens.

Step 4: In the Group Policy Management Editor, navigate to Computer

Configuration > Policies > Windows Settings > Security Settings .

Step 5: Right-click Wireless Network (IEEE 802.11) Policies, and then choose Create a New Wireless Network Policy for Windows Vista and

Later Releases .

Step 6: On the General tab, give the policy a name and description, and then make sure Use Windows WLAN AutoConfig service for clients is selected.

February 2012 Series

Deployment Details

38

Step 7: Click Add, and then choose Infrastructure .

Step 12: In the Authentication Mode drop-down list, choose User or

Computer authentication .

Step 8: Give the profile a name, enter the name of the SSID for the wireless network, and then click Add .

Step 9: Click the Security tab.

Step 10: In the Authentication drop-down list, choose WPA2-Enterprise, and then in the Encryption drop-down list, choose AES .

Step 11: In the Select a network authentication method drop-down list, choose Microsoft: Smart Card or other certificate .

February 2012 Series

Step 13: Click Properties .

Step 14: Make sure the Use a certificate on this computer option is selected, and then make sure the Use simple certificate selection and

Validate server certificate check boxes are selected.

Step 15: In the Trusted Root Certification Authorities list, select the box next to the root certificate for the CA.

Step 16: Click OK , and then click OK again.

Step 17: Click Apply, and then click OK .

You also need to create a policy for Windows XP clients.

Deployment Details

39

Step 18: Right-click Wireless Network (IEEE 802.11) Policies, and then choose Create a New Windows XP Policy .

Step 20: In the Networks to access list, choose Any available network

(access point preferred) .

Step 19: On the General tab, give the policy a name and description, and then make sure Use Windows WLAN AutoConfig service for clients is selected.

February 2012 Series

Step 21:

Click the

Preferred Networks

tab.

Step 22:

Click

Add,

and then select

Infrastructure

.

Step 23:

Enter the SSID for the network and give a description.

Step 24:

Select

WPA2

for Authentication and

AES

for Encryption.

Step 25:

Click the

IEEE 802.1X

tab.

Step 26:

In the EAP type list, choose

Microsoft: Smart Card or other certificate

.

Deployment Details

40

Step 27: In the Authentication Mode list, choose User or Computer authentication .

Step 30: In the Trusted Root Certification Authorities list, select the box next to the root certificate for the CA.

Step 28:

Click

Settings

.

Step 29:

Make sure the

Use a certificate on this computer

option is selected, and then make sure the

Use simple certificate selection

and

Validate server certificate

check boxes are selected.

Step 31: Click OK .

Step 32: Click Apply , and then click OK . The Profile Properties window displays.

February 2012 Series

Deployment Details

41

Step 33: Click Apply, and then click OK .

At this point, all endpoints running Windows XP SP3 and later will have a

802.1X supplicant configuration pushed to them the next time they log in to the domain or after the GPO policy is refreshed.

Process

Deploy AnyConnect on Windows endpoints

1. Install AnyConnect

2. Install Profile Editor

3. Create wired profile

4. Create wireless profile

Cisco AnyConnect Secure Mobility Client 3.0 can be used as an 802.1X supplicant on Windows endpoints using the Network Access Manager module.

In this example deployment, the Network Access Manager is configured with both wired and wireless profiles using digital certificates.

Procedure 1 Install AnyConnect

To use Cisco AnyConnect Secure Mobility Client 3.0 as your 802.1X supplicant on Windows endpoints, you need to download the latest version from Cisco.com along with the Profile Editor. The client is distributed as an

ISO image and will need to either be burned to a disk or mounted as a disk image by using a utility that provides this function. You need to be logged in as an administrator to install AnyConnect Secure Mobility Client.

Reader Tip

The latest Cisco AnyConnect Secure Mobility client and Profile

Editor can be downloaded from: http://www.cisco.com/cisco/software/release.html?mdfid=28300018

5&flowid=17001&softwareid=282364313&release=3.0.5075&relind=A

VAILABLE&rellifecycle=&reltype=latest

Step 1: Start the installer for the AnyConnect Secure Mobility Client by launching the Setup program on the disk.

February 2012 Series

Deployment Details

42

Step 2: Select AnyConnect Diagnostic and Reporting Tool and

AnyConnect Network Access Manager check boxes.

, and then clear all of the other

Step 3: Click Install Selected, verify the components selected to install, and then click OK .

Step 4: Click Accept to accept the license agreement.

Step 5: After the installation completes, click OK . You may be asked to restart the computer.

Procedure 2 Install Profile Editor

Step 1: Locate the Profile Editor Installer downloaded previously, and then double-click it. The installation process starts.

The installation requires Java Runtime Environment 1.6 or higher. If you don’t have it installed, you will be prompted to install it.

Step 2: If you are prompted to install Java Runtime Environment 1.6 or higher, click Next . This installs it.

Step 3: Click Next.

The installation of Profile Editor continues.

Step 4: Click Typical, and then click Install .

Step 5: Click Finish . The installation completes.

Procedure 3 Create wired profile

Step 1: Launch the Profile Editor by navigating to Start > All Programs >

Cisco > Cisco AnyConnect Profiler Editor > Network Access Manager

Profile Editor .

Step 2: From the File menu, choose Open, and select C:\ProgramData\

Cisco\Cisco AnyConnect Secure Mobility Client\Network Access

Manager\system\configuration.xml

.

Step 3: Click Networks.

February 2012 Series

Deployment Details

43

Step 4: Select the wired profile, and then click Edit .

Step 11: Select EAP-TLS as the user authentication method, and then click

Next .

Step 12: Enter an unprotected identity pattern for user identity. In this deployment, use [username]@[domain] .

Step 13: In the User Credentials section, select Prompt for Credentials, and then select Remember while User is Logged On .

Step 14: Select Smart Card or OS certificates as the certificate source, and then click Done .

Step 5:

Enter a name for the profile, and then click

Next

.

Step 6:

Select

Authenticating Network,

and then click

Next

.

Step 7:

Select

Machine and User Authentication,

and then click

Next

.

Step 8:

Select

EAP-TLS

as the machine authentication method, and then click

Next

.

Step 9:

Enter an unprotected identity pattern for machine identity. In this deployment, use host.[domain]

.

Step 10:

Click

Next

.

February 2012 Series

Deployment Details

44

Procedure 4 Create wireless profile

Step 1: Click Add . This creates a new wireless profile.

Step 2: Enter a name for the profile, and then, for group membership, select

In all groups (Global) .

Step 3: In the Network Media section, select Wi-Fi (wireless) Network, enter the SSID of the wireless network, and then click Next .

Step 4: Select Authenticating Network, choose WPA2 Enterprise (AES) as the association mode, and then click Next .

Step 5: Select Machine and User Authentication, and then click Next .

Step 6: Select EAP-TLS as the machine authentication method, and then click Next .

February 2012 Series

Step 7: Enter an unprotected identity pattern for machine identity. In this deployment, use host.[domain] .

Step 8: Click Next .

Step 9: Select EAP-TLS as the user authentication method, and then click

Next .

Step 10: Enter an unprotected identity pattern for user identity. In this deployment, use [username]@[domain] .

Step 11: In the User Credentials section, select Prompt for Credentials, and then select Remember while User is Logged On .

Step 12: Select Smart Card or OS certificates as the certificate source, and then click Done .

Step 13: From the File menu, choose Save . This updates the configuration file.

Tech Tip

To deploy the Cisco AnyConnect Secure Mobility Client to multiple workstations with the same policy, you can create a customized installation package. You need to copy all the files from the installation disk to a folder on the hard drive, for example,

C:\AnyConnect. Then, follow the procedure above to edit the profile.

Copy the file (C:\ProgramData\Cisco\Cisco AnyConnect Secure

Mobility Client\Network Access Manager\system\configuration.xml) to C:\AnyConnect\Profiles\nam\configuration.xml.

Copy the contents of C:\AnyConnect to some form of removable media, for instance, CD, DVD, USB drive, etc.

You can then take this new installer package and run the installation on a workstation. The custom configuration file is loaded and ready for use.

At this point, all Windows endpoints now have certificates deployed and are enabled to use 802.1X authentication. On the wireless network, any device that doesn’t have a certificate uses PEAP to gain access to the network.

Deployment Details

45

Monitor mode is running on the wired network, so endpoints that aren’t configured for 802.1X still get access by using MAC Authentication Bypass

(MAB).

Process

Configure Mac workstations for 802.1X authentication

1. Install root certificate on Mac OS X

2. Request user certificate

3. Configure Mac OS X supplicant

If you have Apple Mac endpoints, you have to manually obtain a certificate and configure 802.1X authentication. The example deployment shows how you would do this for Mac OS X 10.6.

Procedure 1 Install root certificate on Mac OS X

To install a trusted root certificate on Mac OS X 10.6, you need to manually request the certificate from the CA and install the certificate in the keychain.

Step 1:

On the Mac, browse to the CA at http://ca.cisco.local/certsrv.

Step 2:

Make sure the current certificate is selected and the

DER

encoding method is selected.

Step 3:

Click

Download CA Certificate,

and then save the certificate file.

Step 4:

Locate the certificate file, and then double-click it. This launches the Keychain Access utility.

Step 5: Click Always Trust .

Tech Tip

You may be prompted for credentials of a user with permission to change the certificate trust settings.

Procedure 2 Request user certificate

Next, you need to obtain a user certificate for the Mac. To do this, first you need to generate a certificate signing request, and then request the certificate from the CA.

February 2012 Series

Deployment Details

46

Step 1: In the Keychain Access utility, from the Keychain Access menu, choose Certificate Assistant > Request a Certificate from a Certificate

Authority .

Step 2: In the Certificate Assistant, enter your email address and common name (typically the user’s first and last names), select Saved to Disk , and then click Continue .

Step 5: On the Mac, browse to http://ca.cisco.local/certsrv. When you authenticate to the CA, be sure to authenticate as the user for which you wish to obtain a certificate.

Tech Tip

If you still have the browser window open from when you downloaded the trusted root certificate, click Home in the upper right corner to go back to the main page of the CA.

Step 6:

Click

Request a certificate

.

Step 7:

Click advanced certificate request

.

Step 8:

Open the certificate request file saved in Step 3 in a text editor,

such as TextEdit, select all the text, and then copy it to the clipboard.

Step 9:

Paste the contents into the text box in the Saved Request section of the certificate request that is open in the browser.

Step 10:

In the Certificate Template drop-down list, choose

User,

and then click

Submit

.

Step 3:

Enter a file name and location, and then click

Save

.

Step 4:

Click

Done

.

February 2012 Series

Step 11: Select DER encoded, and then click Download certificate . This saves the certificate.

Deployment Details

47

Step 12: Locate the saved certificate in Finder, and then double-click it to import it into the Keychain Access utility.

Step 13: In the Keychain drop-down list, choose login , and then click Add .

Step 4: Click the + symbol and select Add User Profile .

Procedure 3 Configure Mac OS X supplicant

Step 1:

On your Mac, launch System Preferences.

Step 2:

Double-click

Network

.

Step 3:

Click

Advanced,

and then click the

802.1X

tab.

Step 5: Give the profile a name, and then enter your user name and password.

Step 6: In the Authentication section, select TLS , and then click Configure .

Step 7: Select the certificate for this user, and then click Continue .

February 2012 Series

Deployment Details

48

Step 8: For wireless connections, choose the wireless network from the list, and then choose WPA2 Enterprise for the Security Type.

Step 9:

Click

OK

, click

Apply

, and then exit System Preferences.

Repeat this process for all Mac OS X endpoints to deploy certificates and to enable 802.1X authentication. On the wireless network, any device that doesn’t have a certificate uses PEAP to gain access to the network. Monitor mode is running on the wired network, so endpoints that aren’t configured for 802.1X still get access by using MAC Authentication Bypass (MAB).

Process

Monitoring

1. Cisco ISE Dashboard

2. Configure identity groups

3. Add a custom profile

4. Examining the authentication log

5. Create custom authentication reports

6. Identify endpoints

7. Create device type reports

The configuration of the network infrastructure is complete. Now it’s time to answer the what/when/where/who questions regarding network access by using the reporting functionality of Cisco ISE to gain a better understanding of current activity on the network .

Cisco ISE is now configured to authenticate users and to profile endpoints based on RADIUS and DHCP information. The reporting capabilities of

Cisco ISE allow you to determine what type of device is connecting to your network, when it connects, and where it connects from. Also, you will know who is connecting to your network and what authentication method was used.

February 2012 Series

Deployment Details

49

Procedure 1 Cisco ISE Dashboard

The first place to view this information is on the Cisco ISE Home Dashboard.

It gives a summary view of the health status of the servers in the group, how devices are authenticating, and what types of devices have been profiled.

Step 1: On the menu bar, click Home . Each section can be expanded by clicking the upper-right corner.

Procedure 2 Configure identity groups

Cisco ISE has more in-depth reporting options to give more details on the devices connecting to the network. To help identify the endpoints, you can use identity groups to classify profiled endpoints and to generate reports.

The example below describes how to do this for an Apple iPad. The procedure for other types of devices is similar.

Step 1: In the menu bar, mouse over Policy , and then choose Profiling .

Step 2: Click Apple-iPad.

This enables you to edit this policy.

Step 3: Select Create Matching Identity Group , and then click Save .

February 2012 Series

You can repeat these steps for other endpoint types as needed. You can also investigate the rules used to profile the endpoint to understand the process. In the case of the Apple iPad, Cisco ISE uses two rules. One is based on DHCP information, and the other is based on HTTP.

Deployment Details

50

Procedure 3 Add a custom profile

Although there are many pre-defined profiles, you may find that a device you want to profile doesn’t have an existing profile. You can create a new one using unique characteristics of the device. Review some of the existing profiles to get an idea of the options and methods available to you for device profiling.

The example below creates a profile for the Cisco Cius using information obtained from the device’s DHCP request.

Step 1: Connect to https://ise-1.cisco.local.

Step 2: Mouse over Policy , and then, from the drop-down menu, and choose Profiling .

Step 3: Click Create .

Step 4: Give the policy the name “Cisco-Cius” and a description.

Step 5: In the rules section, next to Conditions, click the + symbol, and then click Create New Condition (Advance Option) .

Step 6: In the Expression drop-down list, next to DHCP, click the > symbol, and then select dhcp-class-identifier .

Step 7: In the second drop-down list, choose CONTAINS, and then, in the final box, enter Cisco Cius .

Step 8: Choose Certainty Factor Increases, set the value to 20 , and then click Submit .

Procedure 4 Examining the authentication log

Step 1:

On the menu bar, mouse over

Monitor

, and then choose

Authentications

. The authentication log displays. The default option is to display the last 20 records from the last 24 hours.

For devices that authenticated via MAB, the MAC address of the client is listed as the user name and the endpoint. For device that authenticated via

RADIUS over wireless or VPN, the user name is displayed.

If the device was able to be profiled, that information is displayed.

February 2012 Series

Deployment Details

51

Step 2: In the details column of the MAB record, click the “paper with magnifying glass” icon. This displays detailed authentication information for the record.

In the Authentication Summary section, the network device lists the IP address and the port of the switch that the endpoint is connected to.

You can find additional details, such as the Identity Group and Identity

Policy, in the Authentication Details section.

Similar data can be found for endpoints that have authenticated with

RADIUS. The user name is displayed in these records as well the EAP method used.

February 2012 Series

Deployment Details

52

Procedure 5 Create custom authentication reports

The default authentication log view is limited to displaying only the most recent entries. To get in-depth reporting, you need to create a custom report.

Step 1: On the menu bar, mouse over Monitor , and then, in the Reports section, choose Catalog .

Step 2: In the left pane, select AAA Protocol .

Step 3: Select RADIUS Authentication .

Step 4: Click Run . Different time ranges for producing the default report are displayed. For time ranges not listed, choose Query and Run .

Figure 2 - RADIUS report parameters

Step 5:

If you choose

Query and Run

, all the parameters available for the report display. After choosing the parameters you want, click

Run

to generate the report.

Procedure 6 Identify endpoints

Using information gleaned from the RADIUS and DHCP requests, Cisco ISE can identify what types of devices are connecting to the network. This can assist in determining network security policy based on the type of device that is in use.

Step 1: On the menu bar, mouse over Monitor , and then, in the Reports section, choose Catalog .

Step 2: In the left pane, click Endpoint . This displays the available endpoint reports.

Step 3: Select Endpoint Profiler Summary , and then click Run .

February 2012 Series

Deployment Details

53

Step 4: Select the desired time period to run the report.

Figure 4 - Endpoint Details

Step 5:

Once the report is generated, you can view the details of a profiled endpoint by clicking the magnifying glass icon.

The details given in the summary section are the MAC address, the endpoint policy, and the identity group for the endpoint. Additional details such as IP address and network access devices are available in the Endpoint Details section. For wireless and remote access VPN endpoints that authenticated with RADIUS, the user name is also listed.

Figure 3 - Endpoint profile summary

February 2012 Series

Deployment Details

54

Procedure 7 Create device type reports

You can create reports to identify specific devices based on the identity groups configured previously. This example uses the group created to identify Apple iPads.

Step 1: On the menu bar, mouse over Monitor , and then, in the Reports section, choose Catalog .

Step 2: In the left pane, click AAA Protocol .

Step 3: Select RADIUS Authentication .

Step 4: Click Run, and choose Query and Run .

Step 7: Select the group Profiled:AppleiPad , and then click Apply .

Step 8:

Select a time range for the report, and then click

Run.

The report generates.

Figure 5 - Sample report

Step 5: Click Select next to the Identity Group field for the identity group you want to query. A search window appears.

Step 6: Leave the search field empty and click Select to search all groups.

February 2012 Series

Deployment Details

55

Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project