View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0038 - ISE 1.1 802.1X Switch & WLC Recommended Config (Part 1)

Rating: 
5
Average: 5 (3 votes)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>

 

The video presents you with Cisco recommended switch and Wireless LAN Controller (WLC) configuration to interoperate with Cisco ISE. Most configurations are for enabling 802.1X and RADIUS, while the remaining (eg. SNMP, DHCP etc) are for providing additional information as part of ISE device profiling. Here we use a Cisco 3750 and vWLC in our demonstration, and we will also add them to Network Device. The video closes by going through the switch configuration validator.
Part 1 of the video covers switch configurations.
Topic:
  • ISE Recommended 802.1X Switch Configuration
  • ISE Recommended WLC Configuration
  • Network Devices Group
  • Network Devices
  • ISE Configuration Validator
 

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

27 comments

Just curious where can we find the line by line config for "ISE Recommended 802.1X Switch Configuration"? Did you use Cisco Doc CD? I couldn't find it, can you post a link please? Many thanks.

Here is the Cisco official guide. Hope it helps.
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/...

Excellent, thanks! Love the videos, keep up the good work!!!

In a Distribution scenario:

SNMP mac-notification --> Admin/Monitor or Policy Node?
ip-helper address --> Admin/Monitor or Policy Node?
Loggin host --> Admin/Monitor or Policy Node?

There is a big delay for live authentications failures or doesn't appear anything about failures

All of them should be sent to PSN except logging. There is no need to send device logging to ISE.

I'm testing some failures in ISE and ACL_DEFAULT is a problem if there is a total failure, because the user will be allow at the port, however will not be released in the ACL, right?

The ACL_DEFAULT should be replaced by DACL from ISE whether it is from successfuly 802.1X or MAB. If they both fail for some reason, then you probably don't want to let user on the network unless you are in a pilot stage and want to let user on regardless.

Sorry about my bad english, if ISE stop to work, the user can't find the ISE anymore.. so u need to configure some like that: authentication event server dead action authorize vlan XYZ.

In this case, the ACL_DEFAULT can be a problem.. or is there some configuration to this?

any suggestion?

If all ISE nodes are unreachable, you usually wouldn't want users to be authomatically authorized to the network (ie. fail-close). If you for some reason would like to allow users (ie. fail-open) then you will need to remove the port default ACL so when the port become authorized, the traffic will be allowed to enter 

Hi
what is the benefit of this command

C3750X(config-if-range)#authentication event fail action next-method

You allow user to tryto the next type of authentication when an authentication fails. See link below. 
 

Thanks you for the videos they have been very helpful.

When I use the command
"radius-server host x.x.x.x auth-port 1812 acc-port 1813 test username XXX key YYY" I get an authentication error 24408, wrong AD password. I verified my shared secret PW and AD account credentials and I also verified on the switch using the
"test aaa group radius server x.x.x.x XXX YYY legacy" and it checks out but fails when using radius-server command.
I got it to work by building an Authentication Policy using the Internal Users, but in my work environment they don't want local accounts. Any suggestions on how I could get it to work using the account in AD?

Are you trying to get your switch to continually perform test RADIUS against ISE (ie. synthetic RADIUS)? If so, the password of the test account is not the RADIUS key. You need to specficy the password on a separate "username XXX password ZZZ" command and have your AD account set to the same credential. You can see the link below.

https://supportforums.cisco.com/discussion/11692401/synthetic-radius-tra...

 

 

Thanks for the feedback and the link, I tried it and it worked but I had to turn off "service password-encryption".

Thanks again.

Hi, I have a questio. What kind of software you use to make this lab ? I install Cisco ISE on VMWare WorkStation. I use GNS3 VM with IOU to make a switch. But in the Switch i use, some command are not available. Did you make this lab on real device. My English skills is terrible but please answer.

All of our labs were created on real hardware. 

Hi, i get this log in my Switch
*Feb 7 13:56:03.212: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.11.69:1812,1813 is not responding.
*Feb 7 13:56:03.212: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.11.69:1812,1813 is being marked alive.

I can ping between switch and ISE. I has check the share secret. It same on both Switch and ISE.
And i can't find any reason why it happen. Here is my config on Switch :

ena
conf t
no ip domain lookup
lin con 0
logg syn
exit
hostname PSN

vlan 139
name IT
exit
vlan 150
name SERVER
exit

ip routing
interface Vlan150
ip address 192.168.11.2 255.255.255.0
no shut
interface Vlan139
ip address 10.137.4.1 255.255.255.0
no shut
ip helper-address 192.168.11.69
ip helper-address 192.168.11.1
exit
int range e0/1-3
switchport access vlan 150
int e0/0
switchport access vlan 139
exit

ip domain-name hcmpc.com.vn
username admin priv 15 sec evnhcmpc
enable secret evnhcmpc
crypto key generate rsa gen modulus 1024
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
radius-server host 192.168.11.69 auth-port 1812 acct-port 1813 key evnhcmpc
radius-server dead-crite ti 30 tries 3
radius-server vsa send account
radius-server vsa send authentication
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
ip radius source-interface vlan139
aaa server radius dynamic-author
client 192.168.11.69 server-key evnhcmpc
exit

dot1x system-auth-control
ip device tracking
int e0/0
switchp host
switchp acce vlan 139
switchport mode access
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
exit

Please help me.

What is the IP you use for network device when added to ISE?

Hello, i'm using Cisco 2960 Switch with IOS 15. This not support command : authentication host-mode multi-auth. What is the effect of missing this commad. Can i skip this command

'multi-auth' allows multiple endpoint to authenticate .1x on the same port. Without the command, you obviously cannot do that. Your next option would be 'multi-domain'  which allows one endpoint and one IP Phone. 

Can i use "multi-host" ? Is "multi-host" allows multiple endpoint to authenticate .1x on the same port.
If i can, so what is the different between "multi-host" and "multi-auth". And one more question is MAB use "Lookup" as Authentication Method right ??

'multi-host' requires only the first endpoint to be authenticated and any subsequent endpoints will automatically get the same access as the first one. Unless this is the behavior that you want, multi-domain would be more appropriate.And Yes, MAB uses host lookup.

My switch dosen't support "authentication host-mode multi-auth". I have a computer connect to IPphone and IPphone connect to switch. After Iphone authentication success with it MAC. Port state change to "Author sucess". IPphone work fine, but a computer connect to IPphone don't need to do any authentication step still can get access to network because computer using the success authentication session of IPphone. Have any way to force both compyter and IPphone authentication before get access when my switch don't have "multi-auth" command ?

You other option is to use 'multi-domain' command.

When i go to Policy > Policy Elements > Results > Authorization Profiles. Inside any Authorization Profiles, below Common Tasks i see the VLAN checkbox. If i check it, the "Tag ID "number"", Edit Tag button and ID/Name field appear. I want to ask what it use for ? For Dynamic VLAN assignment or what else ??

I have a switch with vlan 1 and vlan 2, all port default assignment on vlan 1, i want if user authentication and authorization success, that user will automatic assignment to vlan 2 and can access to network A, any client belong to vlan 1 can't connect to network A. Can ISE 1.2 help me do that ??

Yes, that's where you configure dynamic VLAN assignment. So create an auth profile with VLAN 2 and assign that it to an auth policy rule that identify the user, so if user successfully logs in, they will get VLAN 2 assigned to port. You can block all access on VLAN1.

Poll

Vote for the Next Video Series