Yep, it's me. Back again, but bearing some good news. I rebuilt, using Arista vEOS switches, and things are more stable.
The network looks like this now:
I just have two switches. vEOS needs more memory than vIOS, so I traded off there. The syntax is pretty similar, but things like VTP are missing. Other than that, it's working OK. I can't get LLDP working between the physical switch and SW1, but that could be an ESXi-related issue. Ping times were quite high at the start, but they have come down to a reasonable level now.
Ignore the four switches at the bottom, I have just left those there in case I need the interface configs.
So, after much reconfiguring (you know it's Saturday night, so of course I am doing some studying, #lastmanstanding), things are looking much more promising.
I also fired up the AP-DNS router, not so much for the DNS/AP side of things (we will get back to that in a moment) but because I needed an NTP server, as ISE was not reaching the AD domain because of NTP issues. The AD join relies on Kerberos, which refuses clients whose clocks are more than a few minutes out, so a working time source comes before anything else.
Once that was sorted, ISE was talking to AD, and I thought I'd give connecting to the WLAN a go, you know, just in case it worked.
And it did.
Little tweak to be made here, in that the search domain is incorrect, but this is a minor thing. I think I could have had a little success earlier on, if I had this router running, but who knows.
It definitely looks to be working properly, as it's taking the username and password that's in AD:
Finally, we are starting to make decent headway! Oddly, I didn't see any activity in ISE last night, and here we encounter the gap between knowledge and just trying stuff out. Checking just now, though, I do see some info; maybe ISE does not update this bit straight away, and I just need more patience.
This is all good. I am still having issues with NTP, and I think I just need to set up something to keep the network more "awake", but these issues are getting resolved faster. Maybe I can leverage some device tracking, or something similar...
This must all be using the default authentication and authorization rules, so I will set up another user, in an OU called "Deny-Wifi" to test rejection on wireless, but permit on wired, and to make sure that I can figure out the rule syntax properly.
I also need to set up the CCIE.Sec-Guest WLAN, and have this redirect to a portal for authentication, and to test out the phone dot1x/MAB setup. I came across this excellent blog by Katherine McNamara: http://www.network-node.com/. Good stuff lies within, so do check it out.
ISE: Denying Authentications based on AD group membership
This is Dodgy Bob. Because of a Mexican wrestling moustache porn incident, Bob is not allowed Wifi. He is a member of the security group "No-Wifi":
Now we need to block him, using ISE, which makes sense as this post is about ISE.
So far, this is what I have come up with. We don't want to block the whole No-Wifi group outright, ONLY when they come in over the Wifi, so we need a rule saying that wireless plus the AD group No-Wifi is blocked, and everything else is OK. I have added two rules; technically I only need one, as the catch-all at the end will permit the authorization, but this way I get used to the rule setup and can track it better in the logs.
We can use conditions, either simple or compound. I am using a compound one:
Next we have the authorization policies:
I don't really need the Bob-Wired-OK rule, it is kinda redundant, but like I said, hopefully I should see it getting hit in the logs when I hook up the laptop and log in as DodgyBob.
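The two rules above, written out as a tiny first-match policy engine so the ordering, and the redundancy of Bob-Wired-OK, are explicit. This is an added example, not Cisco ISE code or the original post's. The name of the deny rule, the attribute values and the sample requests are assumptions for illustration; the wireless check mirrors what ISE's built-in Wireless_802.1X compound condition tests (the RADIUS NAS-Port-Type attribute).

```python
"""First-match authorization policy, modelled on the two ISE rules above.

Added example, not Cisco ISE code or the original post's. Rule names other than
Bob-Wired-OK, the attribute values and the sample requests are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# RADIUS NAS-Port-Type values sent by the NAD; ISE's built-in Wireless_802.1X and
# Wired_802.1X compound conditions test this attribute (together with Service-Type).
WIRELESS = "Wireless - IEEE 802.11"   # NAS-Port-Type 19
WIRED = "Ethernet"                    # NAS-Port-Type 15


@dataclass(frozen=True)
class Request:
    user: str
    nas_port_type: str
    ad_groups: FrozenSet[str]   # groups ISE resolved through the AD join point


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Request], bool]
    result: str                 # authorization profile, e.g. DenyAccess / PermitAccess


def is_wireless(req: Request) -> bool:
    return req.nas_port_type == WIRELESS


def in_no_wifi_group(req: Request) -> bool:
    return "No-Wifi" in req.ad_groups


# Compound condition: wireless AND No-Wifi member -> deny. Rules are evaluated
# top to bottom and the first match wins, which is ISE's default behaviour.
POLICY: List[Rule] = [
    Rule("No-Wifi-Wireless-Deny", lambda r: is_wireless(r) and in_no_wifi_group(r), "DenyAccess"),
    Rule("Bob-Wired-OK", lambda r: not is_wireless(r) and in_no_wifi_group(r), "PermitAccess"),
]
DEFAULT = Rule("Default", lambda r: True, "PermitAccess")


def authorize(req: Request, policy: List[Rule] = POLICY, default: Rule = DEFAULT) -> Tuple[str, str]:
    """Return (matched rule name, result) for a request, falling back to the default rule."""
    for rule in policy:
        if rule.condition(req):
            return rule.name, rule.result
    return default.name, default.result


if __name__ == "__main__":
    bob = frozenset({"Domain Users", "No-Wifi"})
    for req in (Request("dodgybob", WIRELESS, bob), Request("dodgybob", WIRED, bob),
                Request("alice", WIRELESS, frozenset({"Domain Users"}))):
        print(req.user, req.nas_port_type, "->", authorize(req))
```

Running it with only the deny rule in the policy (authorize(req, policy=POLICY[:1])) shows why Bob-Wired-OK is redundant: a wired No-Wifi user falls through to the default rule and still gets PermitAccess, just logged against "Default" instead of a rule you can grep for.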
First of all, this is our goal:
I have enabled the HTTP server using the commands:
AP-DNS(config)#do sh run | i enable|http
enable password cisco
ip http server
ip http secure-server
AP-DNS(config)#

I just log in with the password cisco, leaving the username field blank. With no "ip http authentication" method configured, IOS checks HTTP logins against the enable password, which is why the blank username works; fine for a lab box, but not something to leave on anything reachable from outside it. This is quite handy as it gives me an internal endpoint to test WCCP and the IPS with as well. You can do cool stuff with it, like this:
Lots of fun to be had with this.
So, can I reach this page as me, with my AD account?
I can. Dodgy Bob, however, does not even connect to the wifi. The iPhone just sits there connecting, as does the Kindle.
This is what we see in the ISE logs:
So, let's make sure that he can connect using a wired connection.
The port configuration is at the end of the post.
We need to make sure that the Wired AutoConfig service is started, otherwise we won't see the Authentication tab on the properties of the network card.
We can then put in our credentials, and enable single sign-on if we want (I don't, because the laptop is not joined to AD).
Unfortunately, despite what would appear to be a connection, the laptop does not receive an IP address. ISE does see it though:
It also sees the IP Phone, which will be good later on.
I changed two things. I added the ISE server's IP to the ip helper-address list for VLAN 4, and I swapped the cable out. Bingo, we have a connection!
It's pulling the IP address from the AD server's DHCP pool, rather than the AP-DNS router, which is fine, I can live with that. We can even see that we have hit the policy created earlier:
Great stuff!
We can dig in a little using the switch to tell us what's going on as well:
3750X#sh authentication interface gi3/0/20
Client list:
  Interface  MAC Address     Method   Domain   Status         Session ID
  Gi3/0/20   e411.5b25.c2e9  dot1x    DATA     Authz Success  0A0101320000000A0051A301

Available methods list:
  Handle  Priority  Name
    3        0      dot1x
    4        1      mab

Runnable methods list:
  Handle  Priority  Name
    3        0      dot1x
    4        1      mab
3750X#
3750X#sh authentication sessions interface gi3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  Unknown
            User-Name:  dodgybob
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  3600s (local), Remaining: 3486s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A0101320000000A0051A301
      Acct Session ID:  0x0000000E
               Handle:  0x2600000B

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
3750X#

One thing to note in that output: "IP Address: Unknown" even though the laptop now has an address. The switch only binds an IP to the session when IP device tracking is enabled, so if ISE is ever to push a downloadable ACL to this port, "ip device tracking" needs to go on the switch first (which ties in with the device tracking idea above).

Below is the switch configuration in full:
3750X#sh run
!
hostname 3750X
!
enable password admin
!
username admin password 0 admin
aaa new-model
!
!
aaa group server radius ISE
 server name ISE20
 deadtime 15
!
aaa authentication dot1x default group ISE local
aaa authorization network default group ISE local
aaa authorization auth-proxy default group ISE local
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
!
aaa server radius dynamic-author
 client 192.168.90.205 server-key Radius123
!
aaa session-id common
switch 3 provision ws-c3750x-24p
system mtu routing 1500
ip routing
!
dot1x system-auth-control
!
ip ftp username cisco
ip ftp password cisco
lldp run
!
interface GigabitEthernet3/0/1
 description Uplink to ESXi
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/0/2
!
interface GigabitEthernet3/0/3
 description IP Phone
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 9
 spanning-tree portfast
!
interface GigabitEthernet3/0/5
 description AP
 switchport access vlan 4
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet3/0/20
 switchport access vlan 4
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface Vlan1
 ip address 10.1.1.50 255.255.255.0
!
interface Vlan4
 ip address 10.1.4.50 255.255.255.0
 ip helper-address 10.1.4.101
 ip helper-address 192.168.90.205
!
interface Vlan9
 ip address 10.1.9.50 255.255.255.0
 ip helper-address 10.1.4.100
!
interface Vlan11
 ip address 10.1.11.50 255.255.255.0
!
interface Vlan21
 ip address 10.1.21.50 255.255.255.0
 ip helper-address 10.1.4.100
!
interface Vlan90
 ip address 192.168.90.5 255.255.255.0
!
ip forward-protocol udp 5246
ip forward-protocol udp 5247
!
ip http server
ip http secure-server
!
ip radius source-interface Vlan4
ip sla enable reaction-alerts
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria tries 3
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ISE20
 address ipv4 192.168.90.205 auth-port 1812 acct-port 1813
 key Radius123
!
3750X#

Two things in that config are worth flagging before anything like it goes near production. Gi3/0/20 is in open mode ("authentication open"), so the port forwards traffic whether or not dot1x or MAB succeeds; that is what makes a lab like this forgiving, but it also means a user ISE rejects is not actually kept off the wire unless ISE pushes a dACL, so the "Authz Success" above is the thing to trust, not the fact that packets flow. And the credentials ("enable password", "username admin password 0", "ip ftp password") sit in the running config in plaintext, where "enable secret" and "username ... secret" would store hashes instead.

We are definitely cooking here.
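Checking one port by hand is fine for a lab, but the same two checks (is the session really authorized via dot1x with an IP bound to it, and is the port quietly running in open mode) are worth scripting once there are more ports. The block below is an added example, not from the original post or Cisco: it parses text in the shape of the "show authentication sessions interface" output and the interface stanzas of the running config shown above. The sample output and config embedded in it are constructed from the values on this page, trimmed to the fields the checks need.

```python
"""Sanity-check a Catalyst 802.1X port from its CLI output.

Added example, not from the original post or Cisco. Parses 'show authentication
sessions interface' style output and 'show run' interface stanzas, then reports
what a practitioner would want flagged. Samples are constructed from the page.
"""
import re

# Constructed sample, shaped like the 'sh authentication sessions' output above.
SESSION_OUTPUT = """\
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  Unknown
            User-Name:  dodgybob
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
        Authorized By:  Authentication Server
    Common Session ID:  0A0101320000000A0051A301
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

# Constructed sample, shaped like the interface stanzas in the running config above.
RUNNING_CONFIG = """\
interface GigabitEthernet3/0/5
 description AP
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet3/0/20
 switchport access vlan 4
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(\S.*)$")   # 'Key:  value' lines
METHOD_RE = re.compile(r"^\s*(dot1x|mab)\s+(\S.*)$")           # method state table rows


def parse_session(text):
    """Turn the 'key:  value' lines into a dict; per-method states go under 'methods'."""
    session = {"methods": {}}
    for line in text.splitlines():
        kv = KV_RE.match(line)
        if kv:
            session[kv.group(1).strip()] = kv.group(2).strip()
            continue
        m = METHOD_RE.match(line)
        if m:
            session["methods"][m.group(1)] = m.group(2).strip()
    return session


def check_session(session, expect_user=None):
    """Return a list of findings for one session; an empty list means it looks healthy."""
    findings = []
    if session.get("Status") != "Authz Success":
        findings.append("status is %r, not 'Authz Success'" % session.get("Status"))
    if session["methods"].get("dot1x") != "Authc Success":
        findings.append("dot1x did not succeed (state %r); check whether MAB or open mode let the host through"
                        % session["methods"].get("dot1x"))
    if session.get("IP Address", "Unknown") == "Unknown":
        findings.append("no IP bound to the session; enable 'ip device tracking' so dACLs can be applied")
    if expect_user and session.get("User-Name") != expect_user:
        findings.append("authenticated user is %r, expected %r" % (session.get("User-Name"), expect_user))
    return findings


def audit_config(config):
    """Map each 802.1X-controlled interface to its findings (open mode, missing pieces)."""
    results = {}
    for stanza in re.split(r"^!\s*$", config, flags=re.M):
        lines = [l.strip() for l in stanza.splitlines() if l.strip()]
        if not lines or not lines[0].startswith("interface "):
            continue
        name, body = lines[0].split(None, 1)[1], set(lines[1:])
        if "authentication port-control auto" not in body:
            continue  # not controlled by 802.1X/MAB, nothing to audit
        findings = []
        if "authentication open" in body:
            findings.append("open mode: traffic passes before/without successful auth unless a dACL restricts it")
        if "dot1x pae authenticator" not in body:
            findings.append("dot1x pae authenticator missing: port never sends EAP requests")
        if "authentication order dot1x mab" in body and "mab" not in body:
            findings.append("mab is in the auth order but not enabled on the port")
        results[name] = findings
    return results


if __name__ == "__main__":
    print(check_session(parse_session(SESSION_OUTPUT), expect_user="dodgybob"))
    print(audit_config(RUNNING_CONFIG))
```

Run against the page's own output, the session check returns a single finding (the missing IP binding) and the config audit flags Gi3/0/20 for open mode while skipping Gi3/0/5, which has no port-control configured. Feed it the output of "show authentication sessions" for every access port and you have a quick sweep for hosts that were let through by MAB fallback or open mode rather than a successful dot1x.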