
ISE "CookBook" - Part 3

ISE Configuration – Adding NADs (Network Access Devices)

1.     Administration>Network Resources>Network Device Groups. There is a default grouping of All Device Types and All Locations. Create the following groups under the parent group All Device Types: Switches, Virtual Switch, and Wireless Controller. If there will be other device types, such as Prime, add a group for each. Also create Location groups under the parent group All Locations for the different physical locations in the deployment.


2.     Administration>Network Resources>Network Devices and click Add. While adding each device, make sure to place it in the Device Type and Location groups created above.

3.     Check the box next to RADIUS Authentication Settings and keep everything at its default except for adding a secret in the Shared Secret field.

4.     Check the box next to TACACS+ Authentication Settings and enter your preferred shared secret.

5.     Check the box next to SNMP Settings. Stick with 2c in the SNMP Version drop-down. In the SNMP RO Community field, enter the read-only community string used on the network.

6.     Repeat steps 2-5 for every network device on the network, typically all switches and wireless LAN controllers. Add routers and other network devices as well if enabling TACACS+.


SWITCH Configuration

1.     Basic switch settings

a.      ip domain-name example.com
        ip domain-lookup
        ip name-server <DNS IP>
        hostname Sw1
        crypto key generate rsa modulus 1024
        ip ssh version 2
        ip ssh authentication-retries 2

2.     Add IP Helper address for ISE on all User Vlans

a.      interface vlan 100
         ip helper-address <ISE IP>

3.     Enable basic AAA settings

a.      aaa new-model
        !
        radius server ise
         address ipv4 <ISE IP> auth-port 1812 acct-port 1813
         key <shared secret>
        !
        radius-server dead-criteria tries 3
        radius-server deadtime 30
        !
        aaa group server radius ise-group
         server name ise
        !
        aaa authentication login console local
        aaa authentication login vty local
        aaa authentication enable default enable
        aaa authorization exec default local
        aaa authentication dot1x default group ise-group
        aaa authorization exec vty local
        aaa authorization network default group ise-group
        aaa authorization auth-proxy default group ise-group
        aaa accounting dot1x default start-stop group ise-group
        aaa accounting auth-proxy default start-stop group ise-group
        aaa session-id common
        aaa accounting update periodic 5
        !
        ! Change of Authorization (CoA) from ISE: the key here must be the same
        ! shared secret entered for this NAD in ISE
        aaa server radius dynamic-author
         client <ISE IP> server-key <shared secret>
         server-key <shared secret>
        !
        radius-server vsa send accounting
        radius-server vsa send authentication
        radius-server attribute 6 on-for-login-auth
        radius-server attribute 6 support-multiple
        radius-server attribute 8 include-in-access-req
        radius-server attribute 25 access-request include
        radius-server attribute 31 mac format ietf upper-case
        radius-server attribute 31 send nas-port-detail
        !
        ! source RADIUS from Vlan100, or whatever interface holds the IP you
        ! registered for this switch in ISE
        ip radius source-interface Vlan100
        !
        dot1x system-auth-control

4.     Add SNMP/Logging/etc settings to provide more info to ISE about the switch

a.      mac address-table notification change
        mac address-table notification mac-move
        mac address-table notification change interval 0
        authentication mac-move permit
        !
        snmp-server enable traps mac-notification change move threshold
        snmp-server enable traps mac-notification change
        snmp-server enable traps snmp linkdown linkup
        snmp-server host <ISE IP> version 2c <community> mac-notification
        snmp-server community <community> ro
        no snmp-server group <community> v1
        snmp-server trap-source Vlan100
        snmp-server source-interface informs Vlan100
        lldp run
        !
        logging origin-id ip
        logging source-interface Vlan100
        logging host <ISE IP> transport udp port 20514
        logging monitor informational
        !
        no ip dhcp snooping information option
        ip dhcp snooping
        ip dhcp snooping vlan 10,50,70,100
        !
        epm logging
        ip device tracking
        ip device tracking probe use-svi
        device-sensor accounting
        device-sensor notify all-changes
        !
        ip http server
        ip http secure-server

5.     Add the WebAuth redirect ACL

a.      ip access-list extended ACL_WEBAUTH_REDIRECT
         remark next line only for AMP posturing: exempt the web server hosting the AMP client
         deny tcp any host <AMP web server IP> eq 443
         deny udp any eq bootpc any eq bootps
         deny udp any any eq domain
         deny tcp any any eq 8443
         deny tcp any any eq 8905
         permit tcp any any eq 80
         permit tcp any any eq 443
         deny ip any any

b.     Add the default ACL applied to the switchport

                                                    i.     ip access-list extended ACL-DEFAULT
                                                            permit udp any eq bootpc any eq bootps
                                                            permit udp any any eq domain
                                                            permit udp any any eq tftp
                                                            permit ip any host <ISE IP>
                                                            deny ip any any log
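The two ACLs above have opposite meanings, which is the usual source of confusion when troubleshooting: in ACL_WEBAUTH_REDIRECT a permit means "intercept this flow and send it to the ISE portal" and a deny means "leave it alone", while ACL-DEFAULT is an ordinary port ACL where permit passes and deny drops. The following is an added example, not part of the cookbook: a small first-match evaluator for IOS extended ACEs that applies both ACLs to a few constructed client flows. The ISE and AMP server addresses are assumed placeholder values, and only the ACE syntax used on this page (any, host, wildcard mask, eq) is handled.

```python
import ipaddress
from dataclasses import dataclass

# Assumed placeholder values for the cookbook's <ISE IP> and AMP web server
ISE_IP = "10.1.100.10"
AMP_HOST = "10.1.100.20"

# Well-known port names exactly as IOS resolves them inside an ACL
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69, "www": 80}

# Redirect ACL (step 5a): permit = send to the portal, deny = do not intercept
ACL_WEBAUTH_REDIRECT = f"""
remark exempt the server hosting the AMP client
deny tcp any host {AMP_HOST} eq 443
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any any eq 8443
deny tcp any any eq 8905
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
"""

# Port ACL (step 5b): normal filtering semantics on an unauthenticated port
ACL_DEFAULT = f"""
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
permit ip any host {ISE_IP}
deny ip any any log
"""

@dataclass
class Flow:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)  # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' qualifier; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Turn ACE lines into (action, proto, src_net, sport, dst_net, dport) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)  # a trailing 'log' keyword is ignored
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def match(rules, flow):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    src_ip, dst_ip = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, src, sport, dst, dport in rules:
        if proto not in ("ip", flow.proto):
            continue
        if src_ip not in src or dst_ip not in dst:
            continue
        if sport is not None and sport != flow.sport:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"

def is_redirected(flow):
    """True when the switch would intercept this flow and redirect it to the ISE portal."""
    return match(parse_acl(ACL_WEBAUTH_REDIRECT), flow) == "permit"

def is_allowed_preauth(flow):
    """True when ACL-DEFAULT lets this flow through an unauthenticated port."""
    return match(parse_acl(ACL_DEFAULT), flow) == "permit"

if __name__ == "__main__":
    # Constructed sample flows from a client on the user VLAN
    for f in (Flow("tcp", "10.1.70.5", 51000, "93.184.216.34", 80),
              Flow("udp", "10.1.70.5", 5353, "10.1.100.1", 53),
              Flow("tcp", "10.1.70.5", 51001, ISE_IP, 8443),
              Flow("tcp", "10.1.70.5", 51002, "10.1.200.20", 445)):
        print(f"{f.proto}/{f.dport} -> {f.dst}: pre-auth "
              f"{'allowed' if is_allowed_preauth(f) else 'dropped'}, "
              f"WebAuth {'redirected' if is_redirected(f) else 'not redirected'}")
```

Running it shows why the deny lines in the redirect ACL matter: DNS, DHCP and the ISE portal port 8443 must be excluded from redirection or the client can never resolve or reach the portal it is being sent to, while a plain HTTP or HTTPS request to any other host is what triggers the redirect.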

6.     Interface configuration settings

a.      interface range GigabitEthernet1/0/7-48
         switchport access vlan 70
         switchport mode access
         spanning-tree portfast
         spanning-tree bpduguard enable

b.     authentication event fail action next-method
       authentication event server dead action reinitialize vlan 50
       authentication event server dead action authorize voice
       authentication timer reauthenticate server
       authentication timer inactivity server
       authentication host-mode multi-auth
       authentication open
       authentication order dot1x mab
       authentication priority dot1x mab
       authentication port-control auto
       authentication violation restrict
       authentication periodic
       mab
       dot1x pae authenticator
       dot1x timeout tx-period 10
       snmp trap mac-notification change added
       snmp trap mac-notification change removed
       ip access-group ACL-DEFAULT in
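Steps 3 through 6 are applied by hand to every switch, so the practical check is an audit of each running-config against the template: a port that has `authentication open` but has lost its `ip access-group ACL-DEFAULT in`, or a switch missing `dot1x system-auth-control`, silently passes traffic without any enforcement. The following is an added example, not code from the cookbook: it parses a constructed IOS running-config excerpt (interface names, IPs and the exact set of required commands are assumptions chosen to illustrate the check) and reports which template commands are missing globally and on each access port.

```python
import re

# Constructed running-config excerpt (not from a real switch): Gi1/0/7 follows the
# template, Gi1/0/8 is only partly configured, Gi1/0/49 is an uplink and out of scope.
SAMPLE_CONFIG = """\
hostname Sw1
aaa new-model
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa accounting dot1x default start-stop group ise-group
radius-server vsa send authentication
ip device tracking
device-sensor accounting
ip dhcp snooping
!
interface GigabitEthernet1/0/7
 switchport access vlan 70
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 ip access-group ACL-DEFAULT in
!
interface GigabitEthernet1/0/8
 switchport access vlan 70
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/49
 description uplink
 switchport mode trunk
!
"""

# Representative subset of the cookbook's global commands (assumed selection)
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group ise-group",
    "aaa authorization network default group ise-group",
    "aaa accounting dot1x default start-stop group ise-group",
    "radius-server vsa send authentication",
    "radius-server vsa send accounting",
    "dot1x system-auth-control",
    "ip device tracking",
    "device-sensor accounting",
    "ip dhcp snooping",
]

# Representative subset of the per-port template from step 6 (assumed selection)
REQUIRED_ACCESS_PORT = [
    "authentication host-mode multi-auth",
    "authentication open",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication port-control auto",
    "authentication periodic",
    "mab",
    "dot1x pae authenticator",
    "ip access-group ACL-DEFAULT in",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
]

def parse_config(text):
    """Split a running-config into top-level lines and {interface: [sub-lines]}."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates config sections
            continue
        if raw.startswith(" "):     # indented line belongs to the open interface block
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        current = None
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            globals_.append(raw.strip())
    return globals_, interfaces

def audit(text):
    """Return {'global': [missing cmds], 'interfaces': {port: [missing cmds]}}."""
    globals_, interfaces = parse_config(text)
    present = set(globals_)
    report = {"global": [c for c in REQUIRED_GLOBAL if c not in present], "interfaces": {}}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue                # trunks and uplinks do not get the port template
        missing = [c for c in REQUIRED_ACCESS_PORT if c not in lines]
        if missing:
            report["interfaces"][name] = missing
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("missing global commands:", result["global"])
    for port, missing in result["interfaces"].items():
        print(f"{port}: missing {len(missing)} commands, e.g. {missing[0]}")
```

On the sample the audit flags the two absent global commands and the nine commands Gi1/0/8 lacks; pointing it at `show running-config` output collected from each switch in the NAD list gives the same report fleet-wide. The check is deliberately exact-match, so abbreviated or reordered forms are reported as missing and should be normalised to the template.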


WLC Configuration

Assume a basic configuration of the WLC has already been performed and that APs, interfaces, and WLANs are working.

1.    Controller>General and make sure that Fast SSID Change is enabled.
2.    Controller>Advanced>DHCP and uncheck the box next to Enable DHCP Proxy. Click Save.
3.    Management>SNMP>General and ensure that SNMP v2 is enabled.
4.    Management>SNMP>Communities and add the SNMP community that will be used by ISE, pointing it at the ISE server.
5.    Management>SNMP>Trap Receivers, click New, and add the same community name pointed at ISE.
6.    Security>RADIUS>Authentication. Set Auth Called Station ID Type to AP MAC Address:SSID in the drop-down. Click New.
7.    The new RADIUS server is the IP address of the ISE server:
- Shared secret previously configured in ISE for this NAD
- Enable is selected in the drop-down for RFC 3576
- The port number is 1812
- Server Status is Enabled
- The Management box is unchecked
8.    Security>RADIUS>Accounting. Auth Called Station ID Type is AP MAC Address:SSID in the drop-down. Click New.
9.    - IP address of ISE
- Shared secret configured in ISE for this NAD
- Server Status is Enabled
- The port number is 1813
- Network User is checked
10.    Security>Access Control Lists>Access Control Lists and click New
11.    Add for WebAuth – ISE-ONLY
a.    Permit – Source = Any – Destination = Any – Protocol = UDP – Source Port = DHCP Client – Dest Port = DHCP Server – Direction = Inbound
b.    Permit – Source = Any – Destination = Any – Protocol = UDP – Source Port = Any – Dest Port = DNS – Direction = Inbound
c.    Permit – Source = Any – Destination = ISE Server/32 – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Inbound
d.    Permit – Source = Any – Destination = Client Subnets – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Outbound
e.    Deny – Source = Any – Destination = Any – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Any
12.    Add for corporate computers before users log in – COMPUTER-ONLY
a.    Permit – Source = Any – Destination = Any – Protocol = UDP – Source Port = DHCP Client – Dest Port = DHCP Server – Direction = Inbound
b.    Permit – Source = Any – Destination = Any – Protocol = UDP – Source Port = Any – Dest Port = DNS – Direction = Inbound
c.    Permit – Source = Any – Destination = ISE Server/32 – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Inbound
d.    Permit – Source = Any – Destination = Server Subnets – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Inbound
e.    Permit – Source = Any – Destination = Client Subnets – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Outbound
f.    Deny – Source = Any – Destination = Any – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Any
13.     Add for the Employee once logged in – EMPLOYEE-ONLY
a.    Permit – Source = Any – Destination = Any – Protocol = UDP – Source Port = DHCP Client – Dest Port = DHCP Server – Direction = Inbound
b.    Permit – Source = Any – Destination = Any – Protocol = UDP – Source Port = Any – Dest Port = DNS – Direction = Inbound
c.    Permit – Source = Any – Destination = ISE Server/32 – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Inbound
d.    Permit – Source = Any – Destination = Server Subnets – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Inbound
e.    Permit – Source = Any – Destination = Client Subnets – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Outbound
f.    Deny – Source = Any – Destination = Restricted Subnets – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Any
g.    Permit – Source = Any – Destination = Any – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Any
14.    Add for Guests – GUEST
a.    Permit – Source = Any – Destination = Any – Protocol = UDP – Source Port = DHCP Client – Dest Port = DHCP Server – Direction = Inbound
b.    Permit – Source = Any – Destination = Any – Protocol = UDP – Source Port = Any – Dest Port = DNS – Direction = Inbound
c.    Permit – Source = Any – Destination = ISE Server/32 – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Inbound
d.    Permit – Source = Any – Destination = Client Subnet – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Outbound
e.    Deny – Source = Any – Destination = Client Subnet – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Any
f.    Permit – Source = Any – Destination = Any – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Any
15.    Add for Admins – ADMIN-ACCESS
a.    Permit – Source = Any – Destination = Any – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Any
16.    Navigate to WLANs. For the Employee SSID:
a.    Security>AAA Servers – add the ISE servers for both Authentication and Accounting
b.    Advanced tab:
- Check the box next to Allow AAA Override
- Check the DHCP Addr. Assignment box
- Change the NAC State to Radius NAC in the drop-down
- Under Radius Client Profiling, check the boxes for both HTTP and DHCP profiling
17.    For the Guest SSID and Hotspot SSID:
a.    Layer 2 tab:
- Set Layer 2 Security to None in the drop-down
- Check the box next to MAC Filtering
- Check the box next to Fast Transition
- Uncheck the box for Over the DS
b.    Security>AAA Servers tab, add the ISE servers
c.    Advanced tab, the configuration is exactly the same as for the previous SSID
18.    CLI to the WLC and type config network web-auth captive-bypass enable
19.    Save the configuration and reboot the WLC