ISE Configuration


This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment. The series consists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 5: Configuring wired network devices
First some terminology and guidelines:
Single host mode / Multi host mode. This setting allows 1 or multiple hosts on the switchport. In multi host mode, only the first device needs authentication.
Ports are authenticated first before any other traffic can pass.
802.1x is disabled in a SPAN port configuration, trunk ports, dynamic ports, dynamic access ports and etherchannels.
The Windows client configuration can be pushed by a GPO. Configuration of this GPO is out of scope for this blog.
Configuration
First, add the RADIUS clients in the ISE deployment.
Click: Administration – Network Resources – Network Devices and click Add. Enter the requested information:
Repeat this step for all devices with ports that need authentication. Don’t forget the Cisco WLCs if you want to authenticate on wireless.
Click Administration – Network Resources – Network Device Groups – Expand Groups – All Locations and click Add.
Create a location, like “corporate_office” or “hq” and click Submit.
Next, select All Device Types and click Add. In the Name field, type Router (or switch, or any other type of device you’re using).
You can create sub layers by type. Like: Routers – 800 or Routers – 2900.
Associate a RADIUS client with a location and device type.
Click Administration – Network Resources – Network Devices and edit a RADIUS client. Select the correct Location and Device Type.
Devices (NADs) need TCP 1812 and TCP 1645 for RADIUS communication to the Policy node.
Configure a router for using radius:

Configure a switch:

In the ISE console you can see the user denied logging. Click Operations – Authentications.
Enabling authentication on clients
First, make sure the correct protocols are selected. Click Policy – Policy elements – Results – Authentication – Allowed protocol – default network access (or create a new one).
In my case, I’ll only enable PEAP and disable all the others.
Make sure the correct sequence is used. Click Policy – Authentication. Click the Dot1x rule and change the sequence to AD_then_Local (or the one you desire and created before).
Make sure your switchports are configured as described:

More about this configuration in part 6 of this blog post series.
For periodic reauthentication of the switchports every 7200 sec (3600 is default), configure:

Configuring the Win7 Supplicant
Start the “Wired Autoconfig” service in services.msc
Go to your adapter settings and click the “Authentication” tab.
Check “Enable IEEE 802.1X authentication”. For the EAP type, select PEAP in the drop-down list.
Click Settings and ensure that Validate Server Certificate is checked. Also make sure that the client has the root certificate of your CA. Select this root certificate.
Ensure that EAP-MSCHAPv2 is selected and Enable Fast Reconnect is checked.
Check the switchport authentication:

And:

You can check the authentication logging in ISE:
Click Operations – Authentications
Authorization with DACL
Let’s create a DACL that will override the interface port based ACL.
Click: Policy – Policy Elements – Results – Authorization – Downloadable ACLs.
Click Add to create a new one and enter the required ACL:
Click Policy – Policy Elements – Results – Authorization – Authorization Profiles. Click Add, give this profile a name and select the DACL in the drop down menu. Check the reauthentication checkbox!
Make sure there is an Active Directory group available with the needed computer accounts. Make this group available in ISE:
Click Administration – Identity management – External identity – Sources – Active directory – groups.
Click Add – select groups from directory and add the group.
Now it’s time to create an authorization policy. Click Policy – Authorization, click the down arrow at a rule, click Insert new rule above.
Click Create new condition (Advanced option)
Fill in the Expression and correct user group.
In the ‘then’ portion of the rule, add an authorization policy. Click the created Dot1x authorization policy.
That’s it, start testing!
Next week part 6 of this blog post series: Policy enforcement and MAB

This chapter covers the following topics:

  • Configuring ISE nodes in a distributed environment

  • Understanding the HA options available

  • Using load balancers

  • IOS load balancing

  • Maintaining ISE deployments

Chapter 5, “Making Sense of the ISE Deployment Design Options,” discussed the many options within ISE design. At this point, you should have an idea of which type of deployment will be the best fit for your environment, based on the number of concurrent endpoints and the number of Policy Service Nodes (PSN) that will be used in the deployment. This chapter focuses on the configuration steps required to deploy ISE in a distributed design. It also covers the basics of using a load balancer and includes a special bonus section on a very cool high-availability (HA) configuration that uses Anycast routing, and covers patching distributed ISE deployments.

Configuring ISE Nodes in a Distributed Environment

All ISE nodes are installed in a standalone mode by default. When in a standalone mode, the ISE node is configured to run all personas by default. That means that the standalone node runs Administration, Monitoring, and Policy Service personas. Also, all ISE standalone nodes are configured as their own root certificate authority (CA).

It is up to you, the ISE administrator, to promote the first node to be a primary administration node and then join the additional nodes to this new deployment. At the time of joining, you also determine which services will run on which nodes; in other words, you determine which persona the node will have.

You can join more than one ISE node together to create a multinode deployment, known commonly in the field as an ISE cube. It is important to understand that before any ISE nodes can be joined together, they must trust each other’s administrative certificate. Without that trust, you will receive a communication error stating that the “node was unreachable,” but the root cause is the lack of trust.

This is similar to connecting to a secure website that is not using a trusted certificate, where you would see an SSL error in your web browser. The node registration failure is just like that, only it is based on Transport Layer Security (TLS).

If you are still using the default self-signed certificates in ISE, you’ll be required to import the public certificate of each ISE node into each other ISE node’s Administration > System > Certificates > Trusted Certificates screen, because they are all self-signed (untrusted) certificates and each ISE node needs to trust the primary node, and the primary node needs to trust each of the other nodes.


Instead of dealing with all this public key import for these self-signed certificates, the best practice is to always use certificates issued from the same trusted source. In that case, only the root certificates need to be added to the Trusted Certificates list.
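The trust requirement described above can be checked with openssl before a node is registered. The following is an added example, not part of the original chapter: it builds a constructed lab PKI (hypothetical node names pan, psn1 and psn2 under lab.example) and shows that one trusted root covers every CA-issued node, while a self-signed node is rejected until its own certificate is imported.

```shell
#!/bin/sh
# Added example: constructed lab PKI, not real ISE certificates.
# Hypothetical nodes: pan and psn1 (CA-issued), psn2 (self-signed).

build_lab() {   # $1 = empty working directory
  d=$1
  # Root CA standing in for "the same trusted source".
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  for n in pan psn1; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.lab.example" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/$n.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -days 2 -out "$d/$n.pem" 2>/dev/null || return 1
  done
  # A node still presenting a self-signed certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=psn2.lab.example" \
    -keyout "$d/psn2.key" -out "$d/psn2.pem" 2>/dev/null || return 1
}

# chains_to STORE CERT: succeeds only if CERT verifies against the PEM trust store.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# untrusted_nodes STORE CERT...: print the nodes a peer with this store would reject.
untrusted_nodes() {
  store=$1; shift
  for c in "$@"; do
    chains_to "$store" "$c" || basename "$c" .pem
  done
}

LAB=$(mktemp -d)
build_lab "$LAB"
echo "Rejected with only the root CA trusted:"
untrusted_nodes "$LAB/root.pem" "$LAB/pan.pem" "$LAB/psn1.pem" "$LAB/psn2.pem"

# Per-node workaround for self-signed certificates: import psn2's own certificate.
cat "$LAB/root.pem" "$LAB/psn2.pem" > "$LAB/store.pem"
echo "Rejected after importing psn2's certificate:"
untrusted_nodes "$LAB/store.pem" "$LAB/pan.pem" "$LAB/psn1.pem" "$LAB/psn2.pem"
```

Against real nodes, the same `openssl verify -CAfile` check applies to each node's exported administrative certificate and the root you plan to add to Trusted Certificates.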

Make the Policy Administration Node a Primary Device

Because all ISE nodes are standalone by default, you must first promote the ISE node that will become the Primary Policy Administration Node (PAN) to be a primary device instead of a standalone.

From the ISE GUI, perform the following steps:

  • Step 1. Choose Administration > System > Deployment. Figure 18-1 shows an example of the Deployment screen.

Figure 18-1 Deployment Screen

  • Step 2. Select the ISE node (there should only be one at this point).

  • Step 3. Click the Make Primary button, as shown in Figure 18-2.

  • Step 4. At this point, the Monitoring and Policy Service check boxes on the left have become selectable. If the primary node will not also be providing any of these services, uncheck them now. (You can always return later and make changes.)

  • Step 5. Click Save.

After saving the changes, the ISE application restarts itself. This is a necessary process, as the sync services are started and the node prepares itself to handle all the responsibilities of the primary PAN persona. Once the application server has restarted, reconnect to the GUI, log in again, and proceed to the next section.

Example 18-1 show application status ise Command Output

Register an ISE Node to the Deployment

Now that there is a primary PAN, you can implement a multinode deployment. From the GUI on the primary PAN, you will register and assign personas to all ISE nodes.


From the ISE GUI on the primary PAN, perform the following steps:


  • Step 1. Choose Administration > System > Deployment.

  • Step 2. Choose Register > Register an ISE Node, as shown in Figure 18-3.

Figure 18-3 Choosing to Register an ISE Node

  • Step 3. In the Host FQDN field, enter the IP address or DNS name of the first ISE node you will be joining to the deployment, as shown in Figure 18-4.

  • Step 4. In the User Name and Password fields, enter the administrator name (admin by default) and password.

  • Step 5. Click Next.

  • Step 6. On the Configure Node screen, shown in Figure 18-5, you can pick the main persona of the ISE node, including enabling of profiling services. You cannot, however, configure which probes to enable yet. Choose the persona for this node. Figure 18-5 shows adding a secondary Administration and Monitoring node, while Figure 18-6 shows adding a Policy Service Node.


Figure 18-5 Configure Node Screen Secondary Admin and MnT Addition

Figure 18-6 Configure Node Screen Policy Service Node Addition

  • Step 7. Click Submit. At this point, the Policy Administration Node syncs the entire database to the newly joined ISE node, as you can see in Figure 18-7.

  • Step 8. Repeat these steps for all the ISE nodes that should be joined to the same deployment.

Ensure the Persona of All Nodes Is Accurate

Now that all of your ISE nodes are joined to the deployment, you can ensure that the correct personas are assigned to the appropriate ISE nodes. Table 18-1 shows the ISE nodes in the sample deployment and the associated persona(s) that will be assigned. Figure 18-8 shows the final Deployment screen, after the synchronization has completed for all nodes (a check mark in the Node Status column indicates a node that is healthy and in sync).

Figure 18-8 Final Personas and Roles


Table 18-1 ISE Nodes and Personas

ISE Node      Persona
atw-ise244    Administration, Monitoring
atw-ise245    Administration, Monitoring
atw-ise246    Policy Service
atw-ise247    Policy Service