
ISE DOT1X Wired and Wireless Configuration

To complete the ISE DOT1X wired and wireless configuration, follow the step-by-step guide below:

1.    Navigate to Policy>Policy Elements>Results>Authentication>Allowed Protocols and click Add
2.    Name it whatever makes sense, e.g. PEAP-EAP-TLS. Uncheck all the boxes except EAP-TLS (used for BYOD in later policies) and PEAP with EAP-TLS and MS-CHAPv2 as the inner methods (used later)
3.    Create another Allowed Protocols list named HostLookup; check only Process Host Lookup and uncheck everything else
4.    Navigate to Policy>Policy Elements>Results>Authorization>Downloadable ACLs and click Add
5.    Name: COMPUTER-ONLY
ACL:
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host “AD IP”
permit ip any host “ISE IP”
deny ip any any
6.    Name: WLC-ONLY
ACL:
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host “AD IP”
permit ip any host “ISE IP”
deny ip any any
7.    Name: EMPLOYEE-ONLY
ACL:
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host “ISE IP”
permit ip any host “AD IP”
deny ip any host 10.1.10.3 (restricted server)
deny ip any 10.1.100.0 0.0.0.255 (restricted subnet)
permit ip any any
8.    Name: GUEST
ACL:
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host “ISE IP”
permit ip any host “AD IP”
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
9.    Name: ADMIN-ACCESS
ACL:
permit ip any any
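As an added example that is not part of this guide, the following Python evaluates a DACL the way an IOS switch does: entries are checked top to bottom, the first match wins, and anything unmatched hits the implicit deny. ISE DACLs use IOS extended ACL syntax, in which the second address field is a wildcard mask (1 bits are don't-care), so the GUEST isolation lines must read 0.255.255.255, 0.15.255.255 and 0.0.255.255; the block also shows that the subnet-mask spelling (255.0.0.0 and so on) is read as a wildcard and leaves guests able to reach the internal ranges. The addresses 10.1.1.10 and 10.1.1.20 are constructed stand-ins for the "ISE IP" and "AD IP" placeholders.

```python
from ipaddress import IPv4Address
# Constructed GUEST DACL in wildcard-mask form (as IOS reads it); 10.1.1.10/.20 stand in for "ISE IP"/"AD IP".
GUEST_DACL = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 10.1.1.10
permit ip any host 10.1.1.20
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""
# Same intent written with subnet masks; IOS still reads them as wildcards.
SUBNET_MASK_DACL = GUEST_DACL.replace("0.255.255.255", "255.0.0.0").replace(
    "0.15.255.255", "255.240.0.0").replace("0.0.255.255", "255.255.0.0")
WELL_KNOWN_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53}

def _addr(tok, i):
    """any | host A | A WILDCARD  ->  ((network_int, wildcard_int), next_index)"""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2

def _port(tok, i):                         # optional 'eq PORT'; None = any port
    if i < len(tok) and tok[i] == "eq":
        return WELL_KNOWN_PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_dacl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()                 # action proto src [eq p] dst [eq p]
        src, i = _addr(tok, 2); sport, i = _port(tok, i)
        dst, i = _addr(tok, i); dport, i = _port(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport))
    return rules

def _matches(addr, spec):
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard 1 bits are don't-care
    return (int(IPv4Address(addr)) & care) == (net & care)

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and _matches(src, rsrc) and _matches(dst, rdst)
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"
```

Running evaluate over a guest's DHCP, DNS, ISE and internal-server flows with both constants side by side makes the difference between the two mask spellings visible before the DACL is pushed to a switch.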
10.    Navigate to Policy>Policy Elements>Conditions>Authentication>Compound Conditions and click Add
11.    Name EAP_AUTH
a.    Add Attribute/Value - Network Access:AuthenticationMethod Equals x509_PKI
12.    Navigate to Policy>Policy Elements>Results>Authorization>Authorization Profiles and click Add
13.    Name: AD-ONLY
- Check DACL Name and choose COMPUTER-ONLY from the drop-down. This is for wired access
- Check VLAN and choose ID/Name 50
- Check the box next to Airespace ACL Name and enter COMPUTER-ONLY <- this is the ACL we configured in the WLC previously.
14.    Name: GUEST-ACCESS
- Check DACL Name and choose GUEST from the drop-down
- Check VLAN and choose ID/Name 70
- Check the box next to Airespace ACL Name and enter GUEST
15.    Name: ADMIN-ACCESS
- Check DACL Name and choose ADMIN-ACCESS
- Check VLAN and choose ID/Name 50
- Check the box next to Airespace ACL Name and enter ADMIN-ACCESS
16.    Name: WLC-ONLY <- This will be used later for a profiling policy
- Check DACL Name and choose WLC-ONLY
- Check VLAN and choose ID/Name 100
17.    Navigate to Policy>Policy Elements>Authorization>Compound Conditions and click Add
18.    Name: WIRED-MACHINE-DOT1X
Conditions:
Radius:Service-Type equals Framed
Radius:NAS-Port-Type equals Ethernet
ad1:ExternalGroups equals Domain Computers
Network Access:EapTunnel equals PEAP <- This is to specify that the outer authentication method is PEAP
Network Access:EapAuthentication equals EAP-TLS <- This is specifying the inner authentication method as EAP-TLS
19.    Name: WIRED-ADMIN-DOT1X
Conditions:
Radius:Service-Type equals Framed
Radius:NAS-Port-Type equals Ethernet
ad1:ExternalGroups equals Domain Admins
Network Access:EapTunnel equals PEAP
Network Access:EapAuthentication equals EAP-TLS
20.    Name: WIRED-EMPLOYEE-DOT1X
Conditions:
Radius:Service-Type equals Framed
Radius:NAS-Port-Type equals Ethernet
ad1:ExternalGroups equals Employee
Network Access:EapTunnel equals PEAP
Network Access:EapAuthentication equals EAP-TLS
21.    Name: WIRED-VENDOR-DOT1X
Conditions:
ad1:ExternalGroups equals Vendor
22.    Name: WIRELESS-MACHINE-DOT1X
Conditions:
Radius:Called-Station-ID Ends With EmployeeSSID
Radius:NAS-Port-Type equals Wireless - IEEE 802.11
ad1:ExternalGroups equals Domain Computers
Network Access:EapTunnel equals PEAP
Network Access:EapAuthentication equals EAP-TLS
23.    Name: WIRELESS-ADMIN-DOT1X
Conditions:
Radius:Called-Station-ID Ends With EmployeeSSID
Radius:NAS-Port-Type equals Wireless - IEEE 802.11
ad1:ExternalGroups equals Domain Admins
Network Access:EapTunnel equals PEAP
Network Access:EapAuthentication equals EAP-TLS
24.    Name: WIRELESS-EMPLOYEE-DOT1X
Conditions:
Radius:Called-Station-ID Ends With EmployeeSSID
Radius:NAS-Port-Type equals Wireless - IEEE 802.11
ad1:ExternalGroups equals Employee
Network Access:EapTunnel equals PEAP
Network Access:EapAuthentication equals EAP-TLS
25.    Name: WIRELESS-VENDOR-DOT1X
Conditions:
Radius:Called-Station-ID Ends With EmployeeSSID
Radius:NAS-Port-Type equals Wireless - IEEE 802.11
ad1:ExternalGroups equals Vendor
26.    Navigate to Policy>Policy Sets and click + on the left-hand side to create a new policy set.
27.    Name it WirelessDot1x
a.    For the top-level conditions, choose the following:
Device:Device Type equals Wireless Controllers (or whichever network device group the WLC was placed in during NAD setup)
Radius:Called-Station-ID ends with EmployeeSSID [Alternatively, you could also use the existing simple condition of WirelessDot1x]
b.    Under the Authentication Policy, click on the arrow next to the default policy and choose Insert new row above
c.    Name: Dot1x- If Wireless_802.1x (Add Condition From Library>Compound Condition - This is a prebuilt condition in the existing library)
then Allowed Protocols: PEAP-EAP-TLS (Allowed Protocol list created before)
d.    Click on the Action downward arrow and choose to Insert Row Below.
e.    Name: AD Certificate, If Network Access:Authentication Method EQUALS x509_PKI AND CERTIFICATE:Subject Alternative Name CONTAINS example.com then use AD_CA_AltName
f.    Name: BYOD Certificate, If EAP_AUTH then use BYOD <- this specifies to use the BYOD certificate
g.    Name: Default: Ad1 <- AD as the catchall for this ruleset
h.    On the Default rule, change it to use the ALL_IDENTITY_SEQ identity source sequence created earlier (switch to a more restrictive identity source if you need to lock it down further)
i.    Under the Authorization Policy, click the arrow next to the Default policy and choose Insert new row above. Create the rules in the following order:
j.    Rule Name: Computer-Only
If: Leave at Any
Condition(s): Select Condition from Library>Compound Conditions>WIRELESS-MACHINE-DOT1X
Then: Standard>AD-ONLY
k.    Rule Name: IT-Admin-Access
If: Leave at Any
Condition(s): Select Condition from Library>Compound Conditions>WIRELESS-ADMIN-DOT1X
Then: Standard>ADMIN-ACCESS
l.    Rule Name: Vendor-Access
If: Leave at Any
Condition(s): Select Condition from Library>Compound Conditions>WIRELESS-VENDOR-DOT1X
Then: Standard>GUEST-ACCESS
m.    Rule Name: Employee-Access
If: Leave at Any
Condition(s): Select Condition from Library>Compound Conditions>WIRELESS-EMPLOYEE-DOT1X
Then: Standard>EMPLOYEE-ACCESS
n.    Save the policy set
28.    Create a new policy and name it WiredDot1x
a.    For the top-level conditions, choose the following:
Device:Device Type equals Switches
Radius:NAS-Port-Type equals Ethernet
b.    Under the Authentication Policy, create a top condition for MAB. Name: Wired MAB
If Condition(s): Select Existing Condition>Compound Condition>Wired_MAB
Allowed Protocols: HostLookup
Use: Internal Endpoints and If User Not Found Continue
c.    Create another authentication policy rule for dot1x under the MAB policy. The authentication policy will be:
d.    Name: Wired Dot1x
If Condition(s): Select Existing Condition From Library>Compound Conditions>Wired_802.1x
Allowed Protocols: PEAP-EAP-TLS
e.    Click on the Action downward arrow and choose to Insert Row Below
f.    Name: AD Certificate, If Network Access:Authentication Method EQUALS x509_PKI AND CERTIFICATE:Subject Alternative Name CONTAINS example.com then use AD_CA_AltName <- this specifies to use just the CA for this authentication.
g.    Name: BYOD Certificate, If EAP_AUTH then use BYOD <- this specifies to use the BYOD certificate
h.    Name: Default: Ad1 <- AD as the catchall for this ruleset
i.    On the Default Rule, change it to use the ALL_IDENTITY_SEQ
j.    Moving to the authorization policy, create the following policy rules:
k.    Rule Name: Computer-Only
If: Leave at Any
Condition(s): Select Condition from Library>Compound Conditions>WIRED-MACHINE-DOT1X
Then: Standard>AD-ONLY
l.    Rule Name: IT-Admin-Access
If: Leave at Any
Condition(s): Select Condition from Library>Compound Conditions>WIRED-ADMIN-DOT1X
Then: Standard>ADMIN-ACCESS
m.    Rule Name: Vendor-Access
If: Leave at Any
Condition(s): Select Condition from Library>Compound Conditions>WIRED-VENDOR-DOT1X
Then: Standard>GUEST-ACCESS
n.    Rule Name: Employee-Access
If: Leave at Any
Condition(s): Select Condition from Library>Compound Conditions>WIRED-EMPLOYEE-DOT1X
Then: Standard>EMPLOYEE-ACCESS
o.    Save the policy
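As an added example that is not part of this guide, the following Python models the four authorization rules of each policy set and evaluates a session's RADIUS and AD attributes against them the way ISE does: top to bottom, first match wins. It shows why the rule order matters (a user in both Domain Admins and Employee receives ADMIN-ACCESS) and that a PEAP session whose inner method is MS-CHAPv2 rather than EAP-TLS matches no rule and falls to the Default rule, which is assumed here to be DenyAccess since the guide does not set it. Attribute names follow the compound conditions above; the session dictionaries are constructed.

```python
# Constructed model of the guide's authorization policies, evaluated the way ISE does:
# rules top to bottom, first match wins, the Default rule when nothing matches.
WIRED_NAD = {"Radius:Service-Type": ("equals", "Framed"),
             "Radius:NAS-Port-Type": ("equals", "Ethernet")}
WIRELESS_NAD = {"Radius:Called-Station-ID": ("ends with", "EmployeeSSID"),
                "Radius:NAS-Port-Type": ("equals", "Wireless - IEEE 802.11")}
PEAP_EAP_TLS = {"Network Access:EapTunnel": ("equals", "PEAP"),
                "Network Access:EapAuthentication": ("equals", "EAP-TLS")}

def dot1x(nad, group, require_eap_tls=True):
    """Build a *-DOT1X compound condition: NAD checks + AD group (+ PEAP/EAP-TLS)."""
    cond = {**nad, "ad1:ExternalGroups": ("equals", group)}
    return {**cond, **PEAP_EAP_TLS} if require_eap_tls else cond

WIRED_RULES = [  # WiredDot1x policy set, in the guide's order
    ("Computer-Only", dot1x(WIRED_NAD, "Domain Computers"), "AD-ONLY"),
    ("IT-Admin-Access", dot1x(WIRED_NAD, "Domain Admins"), "ADMIN-ACCESS"),
    ("Vendor-Access", {"ad1:ExternalGroups": ("equals", "Vendor")}, "GUEST-ACCESS"),
    ("Employee-Access", dot1x(WIRED_NAD, "Employee"), "EMPLOYEE-ACCESS"),
]
WIRELESS_RULES = [  # WirelessDot1x policy set, in the guide's order
    ("Computer-Only", dot1x(WIRELESS_NAD, "Domain Computers"), "AD-ONLY"),
    ("IT-Admin-Access", dot1x(WIRELESS_NAD, "Domain Admins"), "ADMIN-ACCESS"),
    ("Vendor-Access", dot1x(WIRELESS_NAD, "Vendor", require_eap_tls=False), "GUEST-ACCESS"),
    ("Employee-Access", dot1x(WIRELESS_NAD, "Employee"), "EMPLOYEE-ACCESS"),
]

def _holds(op, wanted, actual):
    # ad1:ExternalGroups is multi-valued: a user in several AD groups matches any of them
    values = actual if isinstance(actual, (list, tuple, set)) else [actual]
    if op == "equals":
        return wanted in values
    if op == "ends with":
        return any(str(v).endswith(wanted) for v in values)
    raise ValueError(f"unsupported operator {op}")

def authorize(rules, session, default="DenyAccess"):
    """Return (rule name, authorization profile) for a session's attributes.
    The Default profile is an assumption; the guide does not set one."""
    for name, conditions, profile in rules:
        if all(attr in session and _holds(op, wanted, session[attr])
               for attr, (op, wanted) in conditions.items()):
            return name, profile
    return "Default", default
```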