After setting up ACS command authentication yesterday, and cleaning it up today so that it's using a new Access Service, it's time to return to ISE and look at Web Authentication. I might try and throw in some profiling as well, depending how well it goes.
We start by creating an identity group, which I have called Web-Guest:
Next, we create a user, which I will also call "Web-Guest", and give it the password of "Cisco123".
They get assigned to the group Web-Guest which we just created.
As we don't want our guests having full network access, we'll create a simple dACL, allowing ICMP to the AP-DNS router:
We then create an Authorization policy, also called Web-Guest, that calls the dACL, and places the user into VLAN 99:
We also need Web Auth, so scroll down and make sure that is ticked:
Before we can set up the rule, we need to set up a compound condition, for the service-type (Framed, which equals 2) and NAS-port (15):
NAS-Port 15 equates to Ethernet (http://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13), and Service-Type Framed means that we will carry the authentication within the packets (https://en.wikipedia.org/wiki/RADIUS).
Then we add the Authorization profile:
And an Authentication profile:
Now, once we have saved this, we need to configure the switch. Some commands are there from previous, others are new:
aaa new-model ! aaa group server radius ISE server name ISE20 deadtime 15 ! aaa authentication login default group ISE aaa authentication login CON none aaa authentication dot1x default group radius aaa authorization network default group radius aaa authorization auth-proxy default group ISE local aaa accounting update periodic 5 aaa accounting auth-proxy default start-stop group ISE aaa accounting dot1x default start-stop group radius ! aaa server radius dynamic-author client 192.168.90.205 server-key Radius123 ! aaa session-id common ! ip device tracking ! ip admission name Web-Guest proxy http inactivity-time 5 ! dot1x system-auth-control ! fallback profile Web-Guest-Fallback ip access-group Web-Auth-ACL in ip admission Web-Guest ! interface GigabitEthernet3/0/19 switchport access vlan 99 switchport mode access switchport block unicast authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order webauth authentication priority webauth authentication port-control auto authentication fallback Web-Guest-Fallback mab dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast ! interface Vlan99 ip address 10.1.99.50 255.255.255.0 ip helper-address 10.1.4.100 ! ip access-list extended Web-Auth-ACL permit udp any any eq bootps permit udp any any eq domain ! ip radius source-interface Vlan4 radius-server attribute 6 on-for-login-auth radius-server attribute 6 support-multiple radius-server attribute 8 include-in-access-req radius-server attribute 25 access-request include radius-server dead-criteria tries 3 radius-server deadtime 30 radius-server vsa send accounting radius-server vsa send authentication ! radius server ISE20 address ipv4 192.168.90.205 auth-port 1812 acct-port 1813 key Radius123 ! line con 0 login authentication CON line vty 0 4 login authentication CON width 255 line vty 5 15 ! mac address-table notification change interval 0 mac address-table notification changeThe results are:
3750X#sh auth sess int gi 3/0/19 Interface: GigabitEthernet3/0/19 MAC Address: 685b.35cc.3a6a IP Address: 10.1.99.12 Status: Authz Success Domain: DATA Security Policy: Should Secure Security Status: Unsecure Oper host mode: multi-auth Oper control dir: both Authorized By: Authentication Server Vlan Policy: N/A Session timeout: N/A Idle timeout: N/A Common Session ID: 0A01013200000013008953E7 Acct Session ID: 0x00000037 Handle: 0xA2000014 Runnable methods list: Method State webauth Authc Success 3750X#We can see the webauth success. As well as getting the success message on the client.
This did take a few attempts to get right. I found this URL to be really useful, and it stopped me getting locked out of the switch:
It is important to note that the current implementation of WebAuth requires the use of the default login authentication group as RADIUS. As soon as it is configured, the default login group applies to all login attempts for the switch, including virtual teletype terminal (VTY) and console access. Everyone attempting to use Telnet to access the switch or to access the console is required to authenticate through RADIUS. To prevent the default AAA login configuration from applying to the console and VTY sessions, define a nondefault login group and apply this to the VTYs and the console.
We are not getting the dACL though. We are not getting a username either. Let's change the authentication order and see what we get:
3750X(config-if)#authen order dot1x webauth 3750X(config-if)#auth pri dot web 3750X(config-if)#Nope, still no username, so the ACL is not applied. But why are we not getting the username? Let's turn to the logs and try and find out.
Here is a clue, we are not hitting the right policy. Instead of getting to the Web-Auth authentication rule, we are hitting the Dot1x rule:
Because of that being matched first, we go to the Basic_Authentication_Access policy:
So that is why!
Could it be as simple as just moving our authentication policy up?
Let's try it now:
Better. We have the Web-Auth AuthC profile but are still getting the Basic_Authentication. I want to get the Web-Auth AuthZ rule instead.
Let's dissect the AuthC profile and see what we are not matching up with.
We match on the Web-Guest User Identity Group, but we also need to match in the Web-AuthZ-Condition:
These are being queried:
Are we getting these back?
Looks like we are sending a service type of Outbound, and an NAS-Port type of Ethernet. So the Ethernet one is correct, so let's try changing the service type:
Still no dice, but notice that NAS-Port and NAS Port Type are not the same things, so I changed it again:
Boom!
We have the previous incorrect (but working) authentication at the bottom and our corrected Web-AuthZ-Condition (desired) at the top.
3750X#sh auth sess int gi 3/0/19 Interface: GigabitEthernet3/0/19 MAC Address: 685b.35cc.3a6a IP Address: 10.1.99.10 Status: Authz Success Domain: DATA Security Policy: Should Secure Security Status: Unsecure Oper host mode: multi-auth Oper control dir: both Authorized By: Authentication Server Vlan Policy: N/A Session timeout: N/A Idle timeout: N/A Common Session ID: 0A0101320000004A1A0D46AA Acct Session ID: 0x0000007B Handle: 0x2900004B Runnable methods list: Method State dot1x Failed over webauth Authc Success 3750X# 3750X#sh access-lists Extended IP access list Auth-Default-ACL-OPEN 10 permit ip any any (45 matches) Extended IP access list Web-Auth-ACL 10 permit udp any any eq bootps 20 permit udp any any eq domain Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32 (per-user) 10 permit ip any any 3750X#We still don't get the dACL though, even though the setup is looking correct:
So, I went into the AuthZ profile, clicked on the advanced attributes setting, did not change anything, but that was enough to allow me to save it again. This time, it looks like it's working:
3750X#sh auth sess int gi 3/0/19 Interface: GigabitEthernet3/0/19 MAC Address: 685b.35cc.3a6a IP Address: 10.1.99.10 Status: Authz Success Domain: DATA Security Policy: Should Secure Security Status: Unsecure Oper host mode: multi-auth Oper control dir: both Authorized By: Authentication Server Vlan Policy: N/A ACS ACL: xACSACLx-IP-Web-Guest-5763fd31 Session timeout: N/A Idle timeout: N/A Common Session ID: 0A0101320000004C1A3389CE Acct Session ID: 0x00000081 Handle: 0x8D00004D Runnable methods list: Method State dot1x Failed over webauth Authc Success 3750X# 3750X#sh access-lists Extended IP access list Auth-Default-ACL-OPEN 10 permit ip any any (55 matches) Extended IP access list Web-Auth-ACL 10 permit udp any any eq bootps 20 permit udp any any eq domain Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32 (per-user) 10 permit ip any any Extended IP access list xACSACLx-IP-Web-Guest-5763fd31 (per-user) 10 permit tcp any any eq www 20 permit tcp any any eq 443 30 permit tcp any any eq 8443 40 permit udp any any eq domain 50 permit icmp any host 10.1.4.101 60 deny ip any any 3750X#Finally, we have success!
We can test this from the client, and would expect to get an ICMP ping reply from 10.1.4.101, but not from 10.1.4.254 (as per the ACL above):
Troubleshooting ISE is actually pretty fun. It's just about knowing where to look, and the logs show exactly what is what, so issues like this can be picked up on quickly, though it is useful to triple-check and save work regularly, even if you haven't made any changes - hopefully these issues won't be in the lab and it will be a bit smoother, but we will see.
I can leave ISE and move on. I am also on track, down from triple digits away from the exam to double-digits.
Next, will be some more IPS, and we will link the WLC to this as well.