ISE 802.1x Configuration

Before we go into deploying 802.1x we will review the three different phases of 802.1x deployment inside of ISE.

The first is called Monitor Mode, and it should be phase one of any ISE deployment. Monitor Mode is a way of auditing endpoints authenticating on the network: it lets you test your policy sets and confirm that endpoints are authenticating correctly without actually enforcing the policy. For example, if an endpoint fails against the policy set, its traffic is still permitted.

The second is called Low Impact Mode. This is sometimes done as the second phase of a deployment, but from experience some environments skip this phase and go straight to phase three, Closed Mode. Low Impact Mode is similar to Monitor Mode, except this time we apply an ACL to the switchport to give limited access to the network until authentication has completed.

The third is called Closed Mode. This is the last phase of any ISE deployment and is where the switchport is completely locked down. When you are moving into a Closed Mode deployment it is best to create a few different deployment groups so that you aren’t putting all NADs into this mode at once. How many depends on the size of your environment, but be cautious.

The Deployment

Now let’s get onto the fun part of actually deploying what we discussed above. We will deploy all three modes, but first we need to get a certificate authority configured so that our endpoints have certificates to authenticate to the network. Below are the steps we are going to complete in this deployment.

  • Install Windows Server Certificate Authority
  • Generate a CSR on ISE
  • Submit Request to CA
  • Import Root CA Certificate into ISE
  • Bind Certificate to CSR in ISE
  • Generate Certificate Request for Endpoint
  • Create a new Certificate Template
  • Importing PKCS12 into Windows 10
  • Create 802.1x Policy Set
  • Radius Config for NAD
  • Let’s test 802.1x (Cisco AnyConnect NAM)
  • Issues

Install Windows Server CA

Throughout my ISE blogs I have been using a Windows Server that has Active Directory services installed. In one of my previous blogs I joined the ISE server to the domain so that we could use the domain as an external authentication source.

We now need to install the Certificate Authority service through Server Manager. I won’t go into too much detail on the Windows Server side, as a lot of this can be found on the internet, but I will give a brief overview.

We need to tick the box Active Directory Certificate Services and then press next.

We now need to choose the roles we would like to install. There are a few different ones listed, but for now we just need to install the main one, called Certification Authority, then go to next.

Then click on the install button. Depending on your server resources this can take around 3-5 minutes.

Now that the install is complete click on Configure Active Directory Certificate Services on the destination server.

We need to choose the credentials that we are going to use to complete the install. As we are going to be installing an Enterprise Certificate Authority, we need to use a user that is part of the Enterprise Admins group. For the next few steps I won’t be writing anything; just follow the screenshots through.

Generate a CSR on ISE

We now need to generate a CSR on our ISE node and then get this signed by our Windows CA. Log in to your ISE node and go to Administration, Certificates, then on the left hand side go to Certificate Signing Requests. We then need to click Generate Certificate Signing Requests (CSR), and you will be presented with the below.

Select Multi-Use, select your ISE node, fill in all the relevant subject information that matches your environment and then press generate. ISE will then allow you to export the CSR.

Submit Request to CA

RDP to your Windows Certificate Authority and open the program Certificate Authority, then right click on the server name and use Submit Certificate Request. You will then be presented with the below error. A quick Google of this error suggests that my CSR doesn’t contain the template name, so when you try to submit the CSR the CA doesn’t know which template to bind to.

To get around the above issue you can use the following command in PowerShell, making sure to bind it to the WebServer template. It will then ask you to choose the Certificate Authority that you want to sign your CSR, and then ask you where you would like the certificate output saved.

certreq -submit -attrib "CertificateTemplate:WebServer" <request.req>

Import Root CA Certificate into ISE

Before we complete the binding below we need to import the Root CA certificate. We can get the Root CA certificate by completing an export under computer certificates on the Root CA.

We then need to import the above certificate into the Trusted Certificates in ISE. Make sure this step is done otherwise the next part will fail.

Bind Certificate to CSR in ISE

We are now at the stage where we need to bind the certificate to the CSR we created. Go back into ISE, select your CSR and click Bind Certificate. As the certificate is Multi-Use, make sure to select:

  • Admin
  • EAP Authentication
  • RADIUS DTLS
  • Portal

We can then press submit, at this point ISE services will restart.

Generate Certificate Request for Endpoint

In my test environment I don’t have any endpoints joined to the domain, so I can’t push out certificates through group policy. To get my non-domain endpoint authenticating against ISE I need to create a certificate request, and to do this I need to use openssl. On Windows you will need to install the openssl package, which can be found here https://slproweb.com/products/Win32OpenSSL.html or, if you want a GUI version, which I will use in the demo, you can use this tool called YAOG https://github.com/patrickpr/YAOG

Once you have opened up YAOG you should see the following, we now need to fill in the relevant fields.

In the above screenshot make sure to change the Key Size to at least 2048 as this will need to match the certificate template we create shortly.

Once the above is all filled in, click Generate next to CSR + key. This will then give you the certificate request and private key. Make sure to save both the CSR and the key using the save buttons on each side.

Create a new Certificate Template

What are certificate templates? On Windows Server you can create different certificate templates for different usage requirements. We could have one template for authenticating users to a service, another for authenticating users to an IPSEC VPN and another for authenticating an endpoint to the network. Windows Server includes multiple pre-generated templates; to view these, type Certification Authority in the start menu. When you create a new certificate template you need to make sure that it is issued so that it appears in the below list.

Let’s go ahead and create a new certificate template. In the blank white space shown above, below Administrator, right click and click Manage. This will then present all the certificate templates, including ones that haven’t been issued yet.

To create our new certificate template, scroll down the list, find Workstation Authentication, right click and select Duplicate Template. We now need to fill in all the different tabs that make up our certificate. Just fill in the tabs shown in the screenshots below; the rest can be left as default.

  • Untick Publish certificate in Active Directory.
  • Make sure to select Supply in the request, as our endpoint isn’t joined to the domain.

Once the above is done you can click Apply and OK. We now need to issue our certificate template. We can do this by right clicking Certificate Templates, then New and Certificate Template to Issue. Then select NonDomain-Workstation and click OK. The certificate template will then show in the list.

We now need to use the CSR we generated before and run the following command in PowerShell.

certreq.exe -submit -attrib "CertificateTemplate:NonDomain-Workstation" .\DESKTOP-80EFJQJ.csr

Once the above command has been run you will be asked to save the certificate file.

Let’s go back to YAOG and open up the CER file by using the load button on the left hand side, then load the private key. It should then look like below. We now need to click save PKCS12. If you want to apply a password then you can; just remember you will need this when you are importing the certificate.
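The same key, CSR and PKCS12 steps done with the openssl command line instead of YAOG, as an added example that is not from the original post. The function names, file names and the P12_PASS variable are assumptions, and the issued certificate is assumed to be saved in Base64 (PEM) form. It also checks that the issued certificate belongs to the private key before bundling.

```shell
#!/bin/sh
# Added example: openssl CLI equivalent of the YAOG steps. File names, subject
# and password handling are constructed placeholders, not values from the post.

# make_csr <common-name> <key-out> <csr-out>
# Creates a 2048-bit RSA key (the minimum the template expects) and a CSR whose
# CN becomes the identity ISE shows in the Radius log.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" -subj "/CN=$1" 2>/dev/null &&
    chmod 600 "$2"
}

# SHA-256 of the public key, taken from the private key and from the certificate
key_pub_digest()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256; }
cert_pub_digest() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256; }

# make_p12 <cert> <key> <p12-out>
# Reads the export password from the P12_PASS environment variable so it does
# not appear in the process list, and refuses to bundle a certificate that was
# issued for a different key.
make_p12() {
    [ "$(key_pub_digest "$2")" = "$(cert_pub_digest "$1")" ] || {
        echo "certificate and private key do not match" >&2
        return 1
    }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS
}
```

The certificate passed to make_p12 is the file saved by the certreq command above.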

Importing PKCS12 into Windows 10

Now that we have our .p12 created we need to import it into the certificate store on the endpoint. To do this, type Manage Computer Certificates in the start menu and it will open up an MMC window. Under Personal, Certificates, All Tasks select Import. Leave all settings as default and enter the .p12 password if you created one in the previous step.

Create 802.1x Policy Set

In ISE go to Policy, Policy Sets. If you are following along from the MAB authentication post you will have an existing policy set called MAB Authentication.

Let’s create a new Policy Set called 802.1x Authentication and use the pre-made condition called Wired_802.1X, then select Default Network Access from the Allowed Protocols list and Save.

We now need to open up our new Policy Set. Under Authentication Policy create a new rule called 802.1x Auth, use the default condition Wired_802.1X and use All_User_ID_Stores. In the Authorization Policy section create a new rule called Laptop Authentication, use the default condition called EAP-TLS and set the Profile as PermitAccess. As this is just getting 802.1x up and running quickly, we are only using some of the pre-made conditions; in a production environment we could create a new condition that would match certain attributes of a certificate. Once the below policy is created click Save.

Radius Config for NAD

In the below example I’m just reusing the configuration that I used for the MAB article that I created.

dot1x system-auth-control
dot1x critical eapol

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius

aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
 client 10.1.7.100 server-key 7 05280F1C22431F5B4A44
ip radius source-interface Vlan7
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius server ISE01
 address ipv4 10.1.7.100 auth-port 1812 acct-port 1813
 key 7 1531021F07257A767B72

interface FastEthernet0/1
 switchport access vlan 7
 switchport mode access
 authentication event server dead action authorize vlan 7
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate 10
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable

The above config is not best practice; in a production environment you would be creating a radius group. If you are in an environment that has multiple PSNs it is worth reading this article https://www.ciscopress.com/articles/article.asp?p=2812072&seqNum=2 that talks about using VIPs on ISE nodes in an Anycast kind of deployment. You could also use a load balancer, e.g. Citrix ADC.

Let’s test 802.1x (Cisco AnyConnect NAM)

As I have the AnyConnect NAM module installed on my laptop we need to create an EAP-TLS profile. Open up the NAM module and create a new profile called Wired_EAP-TLS with Security set to 802.1x, certificate and EAP-TLS, and then click OK.
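How the three phases described at the start of this post differ on a switchport, as an added example rather than configuration from the original post. The interface numbers, the ACL name ACL-DEFAULT and its entries are assumptions. The FastEthernet0/1 config above has no "authentication open" line, so it already behaves as Closed Mode.

```cisco
! Added example: interface numbers and ACL contents are constructed assumptions.
!
! Pre-authentication ACL used by Low Impact Mode
ip access-list extended ACL-DEFAULT
 remark DHCP, DNS and ping only until authentication completes
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny   ip any any
!
! Phase 1 - Monitor Mode: authenticate and log, never block traffic
interface FastEthernet0/1
 switchport mode access
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! Phase 2 - Low Impact Mode: port is open, but limited by the pre-auth ACL
interface FastEthernet0/2
 switchport mode access
 authentication open
 ip access-group ACL-DEFAULT in
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! Phase 3 - Closed Mode: no "authentication open", only EAPOL passes before auth
interface FastEthernet0/3
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
```

In Low Impact Mode the authorization result normally carries a downloadable ACL that lifts the pre-auth restriction for the authenticated session.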

Select the new profile that you created from the list of networks.

As you can see above I have got an IP address and I am connected. Let’s check the Radius logs inside of ISE. Wonderful, authentication was successful and we can see that we hit the correct policy set. The identity field is taken from the common name on the certificate that we created.

Issues

Ah well, yes, there was an issue that I didn’t show you above. My first attempt at using the Wired_EAP-TLS profile in the NAM module was failing; a little bit of head scratching and a check of the Radius logs showed me the following issue: an unknown CA in the client certificate’s chain. It’s actually quite simple to fix. Remember before, when we added the Root CA to the Trusted Certificates store? Well, I forgot to tick a box, and that was Trust for client authentication and Syslog. As soon as I ticked that box and saved, everything came to life and my one endpoint successfully authenticated.

Thanks for reading, I hope it was useful. My next post will be about my experience of the ISE exam that I will be taking in the next few days.
