Showing posts with label ISE. Show all posts

CCIE Security Lab: ISE WebAuth

After setting up ACS command authentication yesterday, and cleaning it up today so that it's using a new Access Service, it's time to return to ISE and look at Web Authentication. I might try and throw in some profiling as well, depending how well it goes.

We start by creating an identity group, which I have called Web-Guest:

Creating ISE identity group

Next, we create a user, which I will also call "Web-Guest", and give it the password of "Cisco123".

Create ISE local user

They get assigned to the group Web-Guest which we just created.

As we don't want our guests having full network access, we'll create a simple dACL, allowing ICMP to the AP-DNS router:

Create ISE dACL

We then create an Authorization policy, also called Web-Guest, that calls the dACL, and places the user into VLAN 99:

Create ISE AuthZ policy

We also need Web Auth, so scroll down and make sure that is ticked:
ISE local web auth

Before we can set up the rule, we need to set up a compound condition, for the service-type (Framed, which equals 2) and NAS-port (15):

ISE compound conditions

Value 15 in that IANA registry is Ethernet, but note which registry it is: the linked table (radius-types-13) lists values of NAS-Port-Type (attribute 61), not NAS-Port (attribute 5), which on a switch carries a port index rather than a media type (http://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13). Service-Type Framed (2) means the user is to be given framed-protocol (for example PPP) network access; it is the value a switch sends for 802.1X, whereas IOS local web authentication sends a different Service-Type, as we will see shortly (https://en.wikipedia.org/wiki/RADIUS).

Then we add the Authorization profile:

ISE AuthZ profile

And an Authentication profile:

ISE AuthC profile

Now, once we have saved this, we need to configure the switch. Some of these commands were already there from the previous posts; others are new. One thing to be aware of: the CON list uses "none", and it is applied to the VTY lines as well as the console, so anyone who can reach the switch over a VTY gets in with no credentials at all. That is acceptable in this lab, but in production put a list with "local" (or a separate RADIUS list) on the VTYs:
aaa new-model
!
aaa group server radius ISE
 server name ISE20
 deadtime 15
!
aaa authentication login default group ISE
aaa authentication login CON none
aaa authentication dot1x default group radius
aaa authorization network default group radius 
aaa authorization auth-proxy default group ISE local 
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group radius
!
aaa server radius dynamic-author
 client 192.168.90.205 server-key Radius123
!
aaa session-id common
!
ip device tracking
!
ip admission name Web-Guest proxy http inactivity-time 5
!
dot1x system-auth-control
!
fallback profile Web-Guest-Fallback
 ip access-group Web-Auth-ACL in
 ip admission Web-Guest
!
interface GigabitEthernet3/0/19
 switchport access vlan 99
 switchport mode access
 switchport block unicast
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order webauth
 authentication priority webauth
 authentication port-control auto
 authentication fallback Web-Guest-Fallback
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
!
interface Vlan99
 ip address 10.1.99.50 255.255.255.0
 ip helper-address 10.1.4.100
!
ip access-list extended Web-Auth-ACL
 permit udp any any eq bootps
 permit udp any any eq domain
!
ip radius source-interface Vlan4 
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria tries 3
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
! 
radius server ISE20
 address ipv4 192.168.90.205 auth-port 1812 acct-port 1813
 key Radius123
!
line con 0
 login authentication CON
line vty 0 4
 login authentication CON
 width 255
line vty 5 15
!
mac address-table notification change interval 0
mac address-table notification change
The results are:
3750X#sh auth sess int gi 3/0/19
  Interface: GigabitEthernet3/0/19
  MAC Address: 685b.35cc.3a6a
  IP Address: 10.1.99.12
  Status: Authz Success
  Domain: DATA
  Security Policy: Should Secure
  Security Status: Unsecure
  Oper host mode: multi-auth
  Oper control dir: both
  Authorized By: Authentication Server
  Vlan Policy: N/A
  Session timeout: N/A
  Idle timeout: N/A
  Common Session ID: 0A01013200000013008953E7
  Acct Session ID: 0x00000037
  Handle: 0xA2000014

Runnable methods list:
  Method State
  webauth Authc Success

3750X#
We can see the webauth success on the switch, and the client gets the success message as well:

ISE Web-Auth success


This did take a few attempts to get right. I found this URL to be really useful, and it stopped me getting locked out of the switch:

It is important to note that the current implementation of WebAuth requires the use of the default login authentication group as RADIUS. As soon as it is configured, the default login group applies to all login attempts for the switch, including virtual teletype terminal (VTY) and console access. Everyone attempting to use Telnet to access the switch or to access the console is required to authenticate through RADIUS. To prevent the default AAA login configuration from applying to the console and VTY sessions, define a nondefault login group and apply this to the VTYs and the console.

We are not getting the dACL though. We are not getting a username either. Let's change the authentication order and see what we get:
3750X(config-if)#authen order dot1x webauth
3750X(config-if)#auth pri dot web
3750X(config-if)#
Nope, still no username, so the ACL is not applied. But why are we not getting the username? Let's turn to the logs and try to find out.

ISE troubleshooting

Here is a clue: we are not hitting the right policy. Instead of reaching the Web-Auth authentication rule, we are hitting the Dot1x rule:

ISE policy order

Because that rule is matched first, we end up in the Basic_Authentication_Access policy:

ISE policy order default

So that is why!

Could it be as simple as just moving our authentication policy up?

ISE policy order web-auth

Let's try it now:

ISE Web-auth success logs

Better. We are now hitting the Web-Auth AuthC rule, but we are still getting the Basic_Authentication authorization. I want the Web-Auth AuthZ rule instead.

Let's dissect the AuthZ rule and see what we are not matching.

The rule requires both the Web-Guest User Identity Group, which we do match, and the Web-AuthZ-Condition, so that compound condition is the one to check:

ISE Radius Service type

These are being queried:

ISE log steps

Are we getting these back?

ISE PAP response

It looks like the switch is sending a Service-Type of Outbound and a NAS-Port-Type of Ethernet. The Ethernet part is correct, so let's try changing the Service-Type:

Fixing ISE compound condition

Still no dice, but notice that NAS-Port and NAS-Port-Type are not the same thing (the condition was on NAS-Port, while the switch sends Ethernet in NAS-Port-Type), so I changed it again:


Boom!

ISE WebAuth success

We have the previous incorrect (but working) authentication at the bottom and our corrected Web-AuthZ-Condition (desired) at the top.
3750X#sh auth sess int gi 3/0/19
  Interface: GigabitEthernet3/0/19
  MAC Address: 685b.35cc.3a6a
  IP Address: 10.1.99.10
  Status: Authz Success
  Domain: DATA
  Security Policy: Should Secure
  Security Status: Unsecure
  Oper host mode: multi-auth
  Oper control dir: both
  Authorized By: Authentication Server
  Vlan Policy: N/A
  Session timeout: N/A
  Idle timeout: N/A
  Common Session ID: 0A0101320000004A1A0D46AA
  Acct Session ID: 0x0000007B
  Handle: 0x2900004B

Runnable methods list:
  Method State
  dot1x Failed over
  webauth Authc Success

3750X#
3750X#sh access-lists
Extended IP access list Auth-Default-ACL-OPEN
    10 permit ip any any (45 matches)
Extended IP access list Web-Auth-ACL
    10 permit udp any any eq bootps
    20 permit udp any any eq domain
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32 (per-user)
    10 permit ip any any
3750X#
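As an added example (not part of the original post), here is the condition matching from the troubleshooting above worked through in Python: ISE walks the rules top-down and takes the first whose compound condition matches, and a condition on the wrong attribute never matches anything. The RADIUS requests below are constructed for the example, modelled on what a Catalyst switch sends for each method (802.1X sends Service-Type Framed, MAB sends Call-Check, IOS local web auth sends Outbound, as the logs above show); the NAS-Port value is an arbitrary port index and the rule names are assumptions.

```python
"""Added example, not from the original post: why an ISE compound condition on
Service-Type=Framed AND NAS-Port=15 never matches IOS local web authentication,
and why rule order decides which rule a request hits."""

# Attribute values from the IANA radius-types registry
SERVICE_TYPE = {"Login": 1, "Framed": 2, "Outbound": 5, "Call-Check": 10}
NAS_PORT_TYPE = {"Async": 0, "Virtual": 5, "Ethernet": 15, "Wireless-802.11": 19}


def radius_request(service_type, nas_port_type, nas_port):
    """Build the subset of an Access-Request that the conditions below look at."""
    return {
        "Service-Type": SERVICE_TYPE[service_type],
        "NAS-Port-Type": NAS_PORT_TYPE[nas_port_type],
        "NAS-Port": nas_port,  # a port index on a switch, never a media type
    }


# Constructed requests modelled on a Catalyst switch (the NAS-Port value is arbitrary)
REQUESTS = {
    "dot1x": radius_request("Framed", "Ethernet", 50119),
    "mab": radius_request("Call-Check", "Ethernet", 50119),
    "webauth": radius_request("Outbound", "Ethernet", 50119),
}


def condition_matches(condition, request):
    """A compound condition is an AND of 'attribute EQUALS value' checks."""
    return all(request.get(attr) == value for attr, value in condition.items())


def first_matching_rule(rules, request):
    """ISE evaluates the rule list top-down and takes the first match (None = default rule)."""
    for name, condition in rules:
        if condition_matches(condition, request):
            return name
    return None


def methods_matching(condition):
    """Which of the constructed requests a condition would catch."""
    return sorted(m for m, req in REQUESTS.items() if condition_matches(condition, req))


# The first attempt from the post: Service-Type Framed AND NAS-Port 15
ORIGINAL_CONDITION = {"Service-Type": SERVICE_TYPE["Framed"], "NAS-Port": 15}
# The corrected one: Service-Type Outbound AND NAS-Port-Type Ethernet
WEBAUTH_CONDITION = {"Service-Type": SERVICE_TYPE["Outbound"],
                     "NAS-Port-Type": NAS_PORT_TYPE["Ethernet"]}
# ISE's stock Wired_802.1X / Wired_MAB conditions, used for the ordering demo
WIRED_DOT1X = {"Service-Type": SERVICE_TYPE["Framed"],
               "NAS-Port-Type": NAS_PORT_TYPE["Ethernet"]}
WIRED_MAB = {"Service-Type": SERVICE_TYPE["Call-Check"],
             "NAS-Port-Type": NAS_PORT_TYPE["Ethernet"]}
# A rule that only checks the port type catches every wired request (assumed name)
ANY_WIRED = {"NAS-Port-Type": NAS_PORT_TYPE["Ethernet"]}


if __name__ == "__main__":
    print("original condition matches:", methods_matching(ORIGINAL_CONDITION))
    print("corrected condition matches:", methods_matching(WEBAUTH_CONDITION))
    strict = [("Dot1x", WIRED_DOT1X), ("MAB", WIRED_MAB), ("Web-Auth", WEBAUTH_CONDITION)]
    shadowed = [("Any-Wired", ANY_WIRED), ("Web-Auth", WEBAUTH_CONDITION)]
    for method, req in REQUESTS.items():
        print(method, "->", first_matching_rule(strict, req),
              "/ with a broad rule on top:", first_matching_rule(shadowed, req))
```

The "shadowed" list shows the second problem from the post: a broad rule placed above a specific one wins every time, so moving the Web-Auth rule up (or tightening the rule above it) is what changes the outcome, not the rule's own correctness.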
We still don't get the dACL though, even though the setup is looking correct:

ISE WebAuth dACL

So, I went into the AuthZ profile, clicked on the advanced attributes setting, did not change anything, but that was enough to allow me to save it again. This time, it looks like it's working:
3750X#sh auth sess int gi 3/0/19
            Interface:  GigabitEthernet3/0/19
          MAC Address:  685b.35cc.3a6a
           IP Address:  10.1.99.10
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-Web-Guest-5763fd31
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0101320000004C1A3389CE
      Acct Session ID:  0x00000081
               Handle:  0x8D00004D

Runnable methods list:
       Method   State
       dot1x    Failed over
       webauth  Authc Success

3750X#
3750X#sh access-lists
Extended IP access list Auth-Default-ACL-OPEN
    10 permit ip any any (55 matches)
Extended IP access list Web-Auth-ACL
    10 permit udp any any eq bootps
    20 permit udp any any eq domain
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32 (per-user)
    10 permit ip any any
Extended IP access list xACSACLx-IP-Web-Guest-5763fd31 (per-user)
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
    30 permit tcp any any eq 8443
    40 permit udp any any eq domain
    50 permit icmp any host 10.1.4.101
    60 deny ip any any
3750X#
Finally, we have success!

We can test this from the client, and would expect to get an ICMP ping reply from 10.1.4.101, but not from 10.1.4.254 (as per the ACL above):

ISE working dACL with WebAuth

Troubleshooting ISE is actually pretty fun. It's just about knowing where to look, and the logs show exactly what is what, so issues like this can be picked up on quickly. It is useful to triple-check and save work regularly, even if you haven't made any changes. Hopefully these issues won't be in the lab and it will be a bit smoother, but we will see.

I can leave ISE and move on. I am also on track, down from triple-digit days away from the exam to double digits.

Next, will be some more IPS, and we will link the WLC to this as well.

CCIE Security Lab: MAB-ISE in Wonderland


Let's test the laptop out with MAB (MAC Authentication Bypass). The idea is that we don't care who logs in, and we don't care whether they support dot1x; we just care that a particular device (identified by its MAC address) has certain rules placed on it (such as ACL and VLAN assignment). Since a MAC address is trivially spoofed, MAB identifies a device only weakly, which is why the rules we attach to it (dACL, VLAN) matter more than the "authentication" itself.

Because the laptop (Laptop5-PC at the bottom of the list) is already in the list of endpoints, most of the work is already done for us:


We should create a new group for this though:


We then add the laptop to this group:


And add a new AuthZ rule, so that if it is in the Endpoint Identity Group "Bob-MAB", and we are using MAB, then we will permit the traffic:


To switch to MAB we need to disable the dot1x authentication in the Security tab of the NIC properties on the laptop, but even with this disabled, it was not cutting over to MAB.

This was because the dot1x tx-period on the port was set to its maximum, so the switch would wait for the EAP identity-request retries to time out before it ever fell back to MAB:
3750X#sh run int gi 3/0/20 | i timeout
 dot1x timeout tx-period 65535
3750X#sh authentication sessions 

Interface  MAC Address     Method   Domain   Status         Session ID
Gi3/0/20   (unknown)       dot1x    UNKNOWN  Running        0A010132000000510AF7AC47
Gi3/0/3    e411.5b25.c2e9  dot1x    DATA     Authz Success  0A0101320000004B0A57FC2A
Gi3/0/3    0019.e83e.3b09  dot1x    VOICE    Running        0A0101320000003A02750260

3750X#conf t
3750X(config)#interface GigabitEthernet3/0/20
3750X(config-if)#dot1x timeout tx-period ?
  <1-65535>  Enter a value between 1 and 65535

3750X(config-if)#dot1x timeout tx-period 10
3750X(config-if)#shut
3750X(config-if)#
3750X(config-if)#no shut
3750X(config-if)#                 
3750X(config-if)#do sh auth sess

Interface  MAC Address     Method   Domain   Status         Session ID
Gi3/0/20   (unknown)       mab      UNKNOWN  Running        0A010132000000530AF8FC15
Gi3/0/3    e411.5b25.c2e9  dot1x    DATA     Authz Success  0A0101320000004B0A57FC2A
Gi3/0/3    0019.e83e.3b09  dot1x    VOICE    Running        0A0101320000003A02750260

3750X(config-if)#
Setting it lower means we cut over to MAB much quicker (obviously): the switch only falls back once dot1x has given up, which takes tx-period × (max-reauth-req + 1) seconds, so 10 s with the default max-reauth-req of 2 is about 30 s, against roughly two days at 65535. We have not blocked Bob from reaching the 10.1.4.50 websites though, but can we, if we change the AuthZ policy to this:


3750X(config-if)#do sh auth sess int gi 3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010132000000550B0A5532
      Acct Session ID:  0x0000007C
               Handle:  0x84000056

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running

3750X(config-if)#
Notice that we do not know the MAC address, or IP address. From the previous post, the dACL did not work until we enabled "ip device tracking". But here we do not see the MAC address or IP address, and no dACL has been applied:
3750X#sh ip access-lists interface gi 3/0/20
3750X#
So, do we lose this functionality with MAB? Or have I missed a step?

If we look at the auth state on the interface we can see that dot1x has failed over (as we would expect) and that MAB is "running":
3750X(config-if)#do sh auth sess int gi 3/0/20 | b Runnable
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running

3750X(config-if)#
We actually need MAB to show an "authc success" for this all to work.

The odd thing here is that I don't think I changed anything, but it started working (after a few unplug/plug-ins of the network cable) and gave me exactly what I needed:
3750X#sh auth sess int gi 3/0/20 
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  10.1.4.202
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010132000000580B33AD5B
      Acct Session ID:  0x0000007F
               Handle:  0x76000059

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run

3750X#sh auth sess int gi 3/0/20 
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  10.1.4.202
            User-Name:  E4-11-5B-25-C2-E9
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  4
              ACS ACL:  xACSACLx-IP-Deny-AP-DNS-to-Bob-57591fa3
      Session timeout:  3600s (local), Remaining: 3600s
       Timeout action:  Reauthenticate
         Idle timeout:  65535s (local), Remaining: 65536s
    Common Session ID:  0A010132000000580B33AD5B
      Acct Session ID:  0x0000007F
               Handle:  0x76000059

Runnable methods list:
       Method   State
       dot1x    Failed over
          
       mab      Authc Success

3750X#
As you can see, we start with dot1x, which shows "Running", and we get the MAC address and IP address. dot1x fails (because we have disabled the 802.1X support in the Authentication tab of the NIC properties) and we fail over to MAB. This time, however, we see an Authc Success for MAB, and because of this we get the ACL, and access to http://10.1.4.101 is denied.

Not sure why it started working. I did create a new AuthZ profile, called AuthC-Bob-MAB, but this is not different to the existing one (apart from hard-coding the VLAN):


The profile was changed to reflect this:



Maybe I forgot to press save or something.

But at least it's working, and I am learning and getting faster, which is what is needed.

I think it's time to start playing with a new toy! Maybe some WSA should be next.

CCIE Security Lab: ISE that you on the Phone?

The good news is that ISE is working really well for me, and (the better news for you) that I am running out of ISE-related puns. But here is a picture of Mr. Freeze anyway:

Bbbrrrrr

Thinking about it, from purely a lab point-of-view, the Guest portal is probably not that essential. It'll be a virtual lab, so actually testing the wifi will be difficult. However, an IP Phone connected to a laptop (or other device), now there is a viable possibility.

So that is what we do next.

Here is the current port configuration:
3750X(config-if)#do sh run int gi 3/0/3 | b interface
interface GigabitEthernet3/0/3
 description IP Phone
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 9
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
end

3750X(config-if)#
Setting up the phone was a bit tricky. It was my first time playing with a Cisco phone, so there was a little learning curve and lots of Googling. I got thrown off by a couple of "errors", but apparently these can be ignored. I don't need the phone to be 100%, just working enough to allow the phone to get onto the network.

Initially, I could not get it working on VLAN 21 (for the data port), but that was due to forgetting to add the necessary VIFs to SW1 and SW2 (because of the rebuild a couple of days ago). Once I had the brainwave that this was the missing component (whilst bathing the twins) and confirmed that this was the case, a quick fix meant the correct VLAN was being used. As a side note, UNetLab works really well on a Kindle Fire 10, and SSH works well through JuiceSSH. I have not tried VNC integration yet though.

For the phone to work, we need a few things. It needs to be pointed to a TFTP server, and this is done by adding an option in DHCP. In the DHCP server, right-click on IPv4 and select "Set Predefined Options", then click on add and add the following:

Microsoft AD DHCP option 150

Once this is added, under the scope we add the option and point it to the TFTP server:

Add option 150 to DHCP pool

The VLAN VIF does need the "ip helper-address" command to point to the DHCP server, but this is it as far as DHCP goes.

The TFTP server needs a few files. Naturally we need the firmware files, and I am using 7.5.0. I did try 8.X, but whilst troubleshooting decided to downgrade (in case I was going too high).

The other files are the OS79XX file (as I am using a 7940 IP phone). This needs to have one line, which is the firmware version:

OS79XX file cisco phone

This file gets called first, then the phone looks for another couple of files. We have the SIPDefault.cnf file:

SIPDefaut.cnf file Cisco IP phone

Not sure if the proxy stuff is needed; this was added for troubleshooting. Then we have the phone-specific config file, which needs to be named SIPMACADDRESS.cnf, where MACADDRESS is the MAC address of the phone:

SIPMACADDRESS.cnf file

Then we have the xmlDefault.cnf.xml file. I am not sure whether it is necessary for the 7940 or not, but I have it anyway:

xmlDefault.cnf.xml file

The phone does say that it's still "unprovisioned", but this is related to the proxy_backup and proxy_emergency commands. This is not a show stopper, but I did spend a long time chasing this one.

The phone now connects happily, as does the laptop connected to it:

Cisco IP phone data port 802.1x

Let's return to ISE and see what that tells us.

ISE Cisco IP phone

We get a green tick, but not a whole lot else. So, are we missing something?

The Live Log is rather useful here:

ISE live log

We can see the denied logs from the previous post, and we can also see that we do, in fact, have an endpoint profile for the phone. We have two successes though, one for MAB, which lists the phone, and one for Dot1x, which lists the workstation. This is confirmed by the switch:
3750X#sh authentication interface gi 3/0/3

Client list:
Interface  MAC Address     Method   Domain   Status         Session ID
  Gi3/0/3    e411.5b25.c2e9  dot1x    DATA     Authz Success  0A01013200000038021D78F6
  Gi3/0/3    0019.e83e.3b09  mab      VOICE    Authz Success  0A01013200000039021D8F8A

Available methods list:
  Handle  Priority  Name
    3        0      dot1x
    4        1      mab
Runnable methods list:
  Handle  Priority  Name
    3        0      dot1x
    4        1      mab

3750X#
So, the phone uses MAB (Mac Authentication Bypass) and the laptop uses dot1x. It's good to know that these both work as it's the only reason I bought the 3750X switch.

The cool thing is that we can confirm that naughty old Bob is hitting the right policy when using the laptop:

ISE overview

Still making really good headway now. ISE is pretty intuitive, most of the hard stuff is remembering what to add on the actual network devices. Most of the commands either begin with an A (aaa), R (radius) or d (dot1x). Remember this and the rest can probably be figured out through a decent bit of context-sensitive help. But do check out the post on troubleshooting ISE, as that's a real bonus in getting things to work!

We have not really pushed the boundaries though. ISE is a big product with lots of options, so what else can we do? We could do something like permit some traffic, and deny others, using a downloadable ACL.

To create a downloadable ACL we go to Policy > Policy Elements > Results >Authorization > Downloadable ACLs:

ISE dACL creation

We can check the syntax as well, which is a useful feature.

We then need to turn this into something we can use, by creating an Authorization profile:

ISE dACL

ISE dACL


Now we should be able to attach this to the Bob-Wired-OK policy (and now I am pleased that I created this):

ISE authorization policy dACL


How does this fare?

Well, Bob can still reach the server via HTTP and HTTPS, but ISE is sending the dACL:

ISE dACL applied

Line 11022 shows that the dACL is being sent; it is just not being enforced on the port. Let's eliminate the phone from the equation and move the laptop to gi3/0/20:
3750X#sh access-list                                
Extended IP access list Auth-Default-ACL-OPEN
    10 permit ip any any (3318 matches)
Extended IP access list xACSACLx-IP-Deny-AP-DNS-to-Bob-5757323f (per-user)
    10 deny tcp any host 10.1.4.101 eq www
    20 deny tcp any host 10.1.4.101 eq 443
    30 permit ip any any
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32 (per-user)
    10 permit ip any any
3750X#sh authentication sessions interface  gi3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  Unknown
            User-Name:  dodgybob
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-Deny-AP-DNS-to-Bob-5757323f
      Session timeout:  3600s (local), Remaining: 2836s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A0101320000004609E58FCD
      Acct Session ID:  0x0000005F
               Handle:  0x2C000047

Runnable methods list:
       Method   State
       dot1x    Authc Success
          
       mab      Not run

3750X#
We are definitely getting the right details, and the ACL is attached to the session. I posted yesterday about troubleshooting ISE, so working through that I added as many of the commands as necessary, but Bob can still get to the web page. We also do not see any hits on the access list (which I changed to add the "log" option):
3750X(config-if)#do sh access-lists
Extended IP access list Auth-Default-ACL-OPEN
    10 permit ip any any (6511 matches)
Extended IP access list xACSACLx-IP-Deny-AP-DNS-to-Bob-57591fa3 (per-user)
    10 deny tcp any host 10.1.4.101 eq www log
    20 deny tcp any host 10.1.4.101 eq 443 log
    30 permit ip any any log
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32 (per-user)
    10 permit ip any any
3750X(config-if)#
So, I hit the Googles again. Turns out, one of the commands I was missing (ip device tracking) was the one I needed (go figure!):
3750X(config)#ip device tracking 
3750X(config)#int gi 3/0/20
3750X(config-if)#shut
3750X(config-if)#no shut
3750X(config-if)#do sh access-lists
Extended IP access list Auth-Default-ACL-OPEN
    10 permit ip any any (6531 matches)
Extended IP access list xACSACLx-IP-Deny-AP-DNS-to-Bob-57591fa3 (per-user)
    10 deny tcp any host 10.1.4.101 eq www log
    20 deny tcp any host 10.1.4.101 eq 443 log
    30 permit ip any any log
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32 (per-user)
    10 permit ip any any
3750X(config-if)#
3750X(config-if)#
The counters in "show access-lists" do not increment because the switch installs the dACL per session with the client's IP address substituted for the source "any" (as the "show ip access-lists interface" output below shows), and it needs IP device tracking to learn that address first, which is why the dACL did nothing without it. With it enabled we get the desired result, and we also fill in one of the blanks in the auth session output (the IP Address):
3750X(config-if)#do sh auth sess int gi 3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  10.1.4.202
            User-Name:  dodgybob
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-Deny-AP-DNS-to-Bob-57591fa3
      Session timeout:  3600s (local), Remaining: 3420s
       Timeout action:  Reauthenticate
         Idle timeout:  65535s (local), Remaining: 65355s
    Common Session ID:  0A0101320000004A0A50A8B8
      Acct Session ID:  0x00000070
               Handle:  0x4C00004B

Runnable methods list:
       Method   State
       dot1x    Authc Success
          
       mab      Not run

3750X(config-if)#
3750X(config-if)#do sh ip access-lists int gi 3/0/20
     deny tcp host 10.1.4.202 host 10.1.4.101 eq www log
     deny tcp host 10.1.4.202 host 10.1.4.101 eq 443 log
     permit ip host 10.1.4.202 any log (73 matches)
3750X(config-if)#
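As an added example (not from the original posts), here is a small parser for the "show authentication sessions interface" output that appears throughout these posts, with a check that lists why a downloadable ACL cannot be doing anything on a session: no authorization yet, a method still running (the MAB post above), no ACS ACL on the session, or an unknown host IP (the IP device tracking problem in this post). The three inputs are constructed by trimming the switch outputs shown on this page.

```python
"""Added example, not from the original posts: parse 'show authentication sessions
interface ...' output and flag why a per-user dACL is not in effect."""
import re

# Constructed inputs, trimmed from the switch outputs shown in these posts
SESSION_NO_IP = """\
3750X#sh auth sess int gi 3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  Unknown
            User-Name:  dodgybob
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-Deny-AP-DNS-to-Bob-5757323f
    Common Session ID:  0A0101320000004609E58FCD

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

SESSION_MAB_RUNNING = """\
            Interface:  GigabitEthernet3/0/20
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
    Common Session ID:  0A010132000000550B0A5532

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running
"""

SESSION_OK = """\
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  10.1.4.202
            User-Name:  dodgybob
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-Deny-AP-DNS-to-Bob-57591fa3
      Session timeout:  3600s (local), Remaining: 3420s
    Common Session ID:  0A0101320000004A0A50A8B8

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

# "Field name:  value" lines; the prompt line starts with a digit, so it is skipped
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_auth_session(text):
    """Return the session fields as a dict plus a 'methods' dict of method -> state."""
    session = {"methods": {}}
    in_methods = False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m:
                session["methods"][m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            session[m.group(1).strip()] = m.group(2)
    return session


def session_problems(session):
    """Reasons a downloadable ACL cannot be enforcing anything on this session."""
    problems = []
    if session.get("Status") != "Authz Success":
        problems.append("not authorized yet (Status: %s)" % session.get("Status", "?"))
    for method, state in session["methods"].items():
        if state == "Running":
            problems.append("%s still running, fail-over has not completed" % method)
    if session.get("ACS ACL") is None:
        problems.append("no dACL on the session (ACS ACL field absent)")
    if session.get("IP Address", "Unknown") == "Unknown":
        problems.append("host IP unknown: the switch cannot build per-user ACEs "
                        "without it, check 'ip device tracking'")
    return problems


if __name__ == "__main__":
    samples = [("no-ip", SESSION_NO_IP), ("mab-running", SESSION_MAB_RUNNING), ("ok", SESSION_OK)]
    for label, text in samples:
        print(label, "->", session_problems(parse_auth_session(text)) or "looks good")
```

Run over a whole switch by feeding it each interface's output in turn; the "ACS ACL" line present but "IP Address: Unknown" is exactly the state this post was stuck in before IP device tracking was enabled.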
So let's move the laptop back to the phone connection, and just make sure that it still does what it is supposed to:
3750X(config-if)#do sh authe sess

Interface  MAC Address     Method   Domain   Status         Session ID
Gi3/0/3    e411.5b25.c2e9  dot1x    DATA     Authz Success  0A0101320000004B0A57FC2A
Gi3/0/3    0019.e83e.3b09  mab      VOICE    Authz Success  0A0101320000003A02750260

3750X(config-if)#do sh authe sess in gi 3/0/3
            Interface:  GigabitEthernet3/0/3
          MAC Address:  e411.5b25.c2e9
           IP Address:  10.1.21.20
            User-Name:  dodgybob
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-Deny-AP-DNS-to-Bob-57591fa3
      Session timeout:  3600s (local), Remaining: 3582s
       Timeout action:  Reauthenticate
         Idle timeout:  65535s (local), Remaining: 65518s
    Common Session ID:  0A0101320000004B0A57FC2A
      Acct Session ID:  0x00000071
               Handle:  0x2600004C

Runnable methods list:
       Method   State
       dot1x    Authc Success
          
       mab      Not run

----------------------------------------
            Interface:  GigabitEthernet3/0/3
          MAC Address:  0019.e83e.3b09
           IP Address:  10.1.9.20
            User-Name:  00-19-E8-3E-3B-09
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32
      Session timeout:  3600s (local), Remaining: 1318s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A0101320000003A02750260
      Acct Session ID:  0x00000045
               Handle:  0xE800003B

Runnable methods list:
          
       Method   State
       dot1x    Failed over
       mab      Authc Success

3750X(config-if)#
Bob still cannot get to the 10.1.4.101 web page by HTTP or HTTPS. I call that a success! So, what's next? What can we do with ISE? I am kinda tempted to set up the portal for guest access, but not sure if I really need to, maybe we should look at MAB instead.

Yep, let's look at MAB, but let's have a new post for that.

CCIE Security Lab: Troubleshooting ISE, vital tool for the lab exam!

Troubleshooting ISE, or just trying to remember what commands need to be put where, is actually REALLY easy.

ISE does it all for you, you just need to tell it to do so.

The Operations menu has a sub-menu for troubleshooting, and in there are some troubleshooting tools. One of these is the "Evaluate Configuration Validator", under General Tools:

ISE Troubleshooting configuration validation

You tell it what device to query, and what options you want to validate, and it goes away and tries to connect:

ISE Troubleshooting configuration validation
We need to put in the username and password, along with the enable password:

ISE Troubleshooting configuration validation
Once we have put these in, it goes and queries the device:

ISE Troubleshooting configuration validation

As you can see, I first tried to connect using SSH, but then corrected this to telnet, and it did its thing. We then need to tell it which ports we are interested in:

ISE Troubleshooting configuration validation

Once we have done this, we get a nice little report:

ISE Troubleshooting configuration validation
We click on "Show Results Summary" and get this:

ISE Troubleshooting configuration validation
Lots of red there!

Drilling down into each of these we can see exactly what we are missing for the AAA global configuration:

ISE Troubleshooting configuration validation

For RADIUS:

ISE Troubleshooting configuration validation

For Device Discovery:

ISE Troubleshooting configuration validation

Logging:

ISE Troubleshooting configuration validation

The profiler:

ISE Troubleshooting configuration validation

Web Auth:

ISE Troubleshooting configuration validation

CTS:

ISE Troubleshooting configuration validation

And the interfaces, which have a couple of sections:

ISE Troubleshooting configuration validation

ISE Troubleshooting configuration validation

As you can see, I have a bit of work that I need to do, but this tool will be a life-saver in the lab exam! All you need to do is point ISE at the device and run the config validator.

Many of the missing commands can be pasted on to the device without modification. Others need a little tweaking, but are all very self-explanatory. This will certainly make the lab exam a little smoother, especially as we can see which commands are mandatory (marked by the orange circle). We won't need ALL of the commands, and some are not valid on different platforms. Bear in mind that the validator logs in to the device with the credentials you give it, and over Telnet those cross the wire in cleartext, so outside the lab use SSH for this.
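As an added example (not from the original post, and not ISE's own validator), here is a small offline stand-in for the configuration validator: it checks a running-config for the global and per-port commands these posts needed, and also reports how long 802.1X will take to fail over to MAB or web auth on each port, which is the tx-period problem from the MAB post above (tx-period × (max-reauth-req + 1) seconds, IOS defaults 30 s and 2). The config is constructed from the switch configs on this page with "ip device tracking" deliberately left out; the 300 s fail-over threshold is an assumption.

```python
"""Added example, not from the original post or from ISE itself: an offline
stand-in for the Evaluate Configuration Validator."""

# Constructed config, trimmed from the switch configs in these posts,
# with 'ip device tracking' deliberately left out
CONFIG = """\
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa server radius dynamic-author
 client 192.168.90.205 server-key Radius123
!
dot1x system-auth-control
!
interface GigabitEthernet3/0/19
 switchport access vlan 99
 authentication port-control auto
 authentication order dot1x webauth
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface GigabitEthernet3/0/20
 authentication port-control auto
 authentication order dot1x mab
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 65535
!
interface Vlan99
 ip address 10.1.99.50 255.255.255.0
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
"""

# Global commands these posts needed before dACLs and CoA worked
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa server radius dynamic-author",
    "dot1x system-auth-control",
    "ip device tracking",
    "radius-server attribute 6 on-for-login-auth",
    "radius-server attribute 8 include-in-access-req",
    "radius-server attribute 25 access-request include",
    "radius-server vsa send authentication",
    "radius-server vsa send accounting",
]
# Per-port commands for any port that carries an 'authentication ...' line
REQUIRED_INTERFACE = ["authentication port-control auto", "mab", "dot1x pae authenticator"]


def parse_config(text):
    """Split an IOS config into a set of global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.add(line.strip())
    return global_lines, interfaces


def dot1x_failover_seconds(interface_lines):
    """Seconds before 802.1X gives up and the next method (MAB/webauth) starts:
    tx-period x (max-reauth-req + 1); IOS defaults are 30 s and 2, i.e. 90 s."""
    tx_period, max_reauth = 30, 2
    for line in interface_lines:
        if line.startswith("dot1x timeout tx-period "):
            tx_period = int(line.split()[-1])
        elif line.startswith("dot1x max-reauth-req "):
            max_reauth = int(line.split()[-1])
    return tx_period * (max_reauth + 1)


def validate(text, failover_limit=300):
    """Missing global commands plus, per access-control port, missing commands and
    a warning when dot1x fail-over would take longer than failover_limit (assumed)."""
    global_lines, interfaces = parse_config(text)
    report = {"global": [c for c in REQUIRED_GLOBAL if c not in global_lines],
              "interfaces": {}}
    for name, lines in interfaces.items():
        if not any(l.startswith("authentication ") for l in lines):
            continue  # not an access-control port (e.g. an SVI)
        findings = [c for c in REQUIRED_INTERFACE if c not in lines]
        delay = dot1x_failover_seconds(lines)
        if delay > failover_limit:
            findings.append("dot1x fail-over takes %d s, lower 'dot1x timeout tx-period'" % delay)
        report["interfaces"][name] = findings
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(validate(CONFIG), indent=2))
```

The required-command lists are the ones this page itself ended up needing, not ISE's full set; extend them with whatever the real validator flags on your platform.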

Just so long as Cisco don't remove this tool in the lab, this will make life a whole lot easier, and the exam a little less stressful.