Cisco Identity Services Engine (ISE) can act as a RADIUS server. The RADIUS protocol is used to authenticate and authorize users when they try to connect to a network, whether it is a wired or a wireless network.
The network switches or wireless controllers need to be configured so that they authenticate and authorize the user against Cisco ISE.
Authentication and authorization flow with Cisco ISE Radius Server
We will explain in detail the packets exchanged between Cisco Identity Services Engine (ISE), acting as the RADIUS server, the RADIUS client (switch or wireless controller) and the user machine.
Step-by-step packet-level explanation of the flow:
1> As soon as the user tries to connect to a switch port where 802.1X is configured, the switch sends an EAPoL-Start message and requests the identity of the machine. Between the switch and the user machine the EAP protocol is used for this communication.
2> Once the machine receives the packet, and if 802.1X is enabled on it, it responds with a Response/Identity.
3> Upon receiving the response, the switch starts communicating with Cisco ISE using the RADIUS protocol and sends an Access-Request packet: the response from the user machine is encapsulated in a RADIUS packet and sent to Cisco ISE.
4> Cisco ISE responds with an Access-Challenge and asks the switch to check which authentication protocol is supported by the end-user machine.
5> The switch acts as an intermediate device and passes the information to the end machine using EAP.
6> A couple more packets are exchanged in the same way and a secure TLS tunnel is negotiated between the user machine and Cisco ISE. We need to make sure the signer of the Cisco ISE EAP certificate is trusted by the end-user machine.
7> Cisco ISE validates the credentials/certificate sent by the end-user machine during authentication against its local database, Active Directory or a CA server. If the validation succeeds, Cisco ISE allows the connection by sending an Access-Accept; if the validation fails, Cisco ISE denies the connection by sending an Access-Reject.
8> Once the switch receives the final response from Cisco ISE, it forwards the result to the end machine and informs it of the authentication status by sending EAP-Success or EAP-Failure.
9> The switch sends an Accounting-Start to Cisco ISE. Using accounting, Cisco ISE keeps track of when the user connected, on which switch port, which IP address the user obtained and many more details. License consumption is also tracked by ISE.
10> When the user disconnects the laptop from the switch, an Accounting-Stop is sent and ISE releases the license consumed by the machine.
To make the above flow work, we need to configure Cisco ISE, the switch and the end-user machine.
Switch configuration for 802.1X authentication of users using Cisco ISE RADIUS
```
! Enable AAA on switch
aaa new-model
!
! IP address of radius server 1
! Ensure to put a strong key; in this example I have kept the key as cisco
radius server Radius_Server_IP_1
 address ipv4 10.16.3.1 auth-port 1812 acct-port 1813
 key 0 cisco
!
! IP address of radius server 2 (optional but needed for redundancy)
radius server Radius_Server_IP_2
 address ipv4 10.17.1.8 auth-port 1812 acct-port 1813
 key 0 cisco
!
! Group the radius servers into a single group
aaa group server radius Radius_Server_Group
 server name Radius_Server_IP_1
 server name Radius_Server_IP_2
!
! Enable 802.1x on the switch
dot1x system-auth-control
!
! Authenticate and authorize the users for network access against the group created above
aaa authentication dot1x default group Radius_Server_Group
aaa authorization network default group Radius_Server_Group
!
! Send VSA attributes in accounting and authentication
radius-server vsa send accounting
radius-server vsa send authentication
!
! Add more attributes to be sent to ISE
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include
!
! Configure switch to send only new updates to ISE, plus start and stop packets
aaa accounting update newinfo
aaa accounting dot1x default start-stop group Radius_Server_Group
!
! Configure switch to listen for Change of Authorization (CoA)
aaa server radius dynamic-author
 client 10.16.37.1 server-key cisco
 client 10.17.1.88 server-key cisco
!
! Interface configuration: apply on all interfaces where 802.1x authentication is wanted, except trunk ports
interface GigabitEthernet2/0/18
 switchport access vlan 16
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
```
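The RADIUS exchange the switch performs with ISE (Access-Request, Access-Accept/Reject, Accounting start/stop) is protected only by the shared key set with "key 0 cisco" above. The Python below is an added example, not code from this post or from Cisco: it builds those packets with the attribute types the configuration enables (1, 6, 8, 25, 32) and implements the MD5 authenticator checks each side performs per RFC 2865/2866, which is what makes a weak or mismatched key matter. Identifiers and attribute values are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4  # RFC 2865/2866 codes
# Attribute types the switch config above tells IOS to include in its requests
USER_NAME, SERVICE_TYPE, FRAMED_IP_ADDRESS, CLASS, NAS_IDENTIFIER = 1, 6, 8, 25, 32


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type(1) length(1) value(<=253)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def access_request(ident, attrs):
    """Access-Request as the NAS sends it: a random 16-byte Request Authenticator."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body


def server_response(code, request, attrs, secret):
    """Reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """NAS-side check: the reply must match the outstanding request's Identifier and
    carry an authenticator computed under the same shared secret, else it is dropped."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def accounting_request(ident, attrs, secret):
    """Accounting-Request (start/stop): its Request Authenticator is MD5 over the packet
    with 16 zero bytes in the authenticator field, followed by the secret."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """Server-side check of an accounting packet before trusting it for session tracking."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```

A response built under a different key, or one whose attributes were altered in transit, fails verify_response; the same applies to accounting packets on the ISE side, so a key mismatch shows up as dropped or unanswered RADIUS traffic rather than a clean Access-Reject.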
Windows machine configuration for 802.1X authentication
Step 1> We need to enable the dot1x service on the PC. Go to Run, type services.msc and hit Enter.
Double-click Wired AutoConfig and, under the General tab, change the startup type to Automatic; click Apply and then OK.
Step 2> Configure the interface for dot1x authentication. Go to Run, type ncpa.cpl and hit Enter.
Right-click the wired NIC and click Properties.
A new Authentication tab will appear. Select Enable IEEE 802.1X authentication.
Click Settings next to the authentication method. Unselect Validate server certificate; this is needed only when the Cisco ISE EAP certificate is not trusted by the endpoint. If we have a public-CA-signed or internal-CA-signed certificate, we do not need to unselect it.
Select EAP-MSCHAP v2 as the authentication method and click Configure, then select Automatically use my Windows logon name and password.
Click OK, then click Additional Settings and select User authentication.
Cisco ISE configuration
Step 1> Add the switch on ISE: we have to specify the IP address from which the switch's requests will reach ISE.
Step 2> Ensure ISE is joined to Active Directory. Check this post for joining ISE to Active Directory.
Step 3> Create a new policy under Policy Sets. Under Conditions select Wired_802.1X and under Allowed Protocols select Default Network Access.
A policy for a specific switch can be created by entering the IP address of the switch.
Step 4> Click the symbol next to the gear icon and, under Authentication, select the Active Directory join point name.
Step 5> Create a new authorization policy, add the group from the domain controller that was selected while joining ISE to Active Directory, and under Authorization Profile select PermitAccess.
Below is what we have configured in the steps above.
Verification on Cisco ISE:
Under Operations > RADIUS > Live Logs we can see the latest authentication logs. We can also search for the user machine's MAC address under Endpoint ID. Clicking the details icon gives more information about the session.
Verification on Switch:
```
3700-2#show auth se int G2/0/18
            Interface:  GigabitEthernet2/0/18
          MAC Address:  b496.9126.e632
           IP Address:  10.16.7.3
            User-Name:  CLICKSOLUTION\pankaj
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A12120200001029353D0425
      Acct Session ID:  0x00001ED8
               Handle:  0x9E000032

Runnable methods list:
       Method   State
       dot1x    Authc Success
```