CCIE Security Lab: Hold the ISE!

Yep, it’s me. Back again, but bearing some good news. I rebuilt, using Arista vEOS switches, and things are more stable.

The network looks like this now:

CCIE security lab version 4

I just have two switches. vEOS needs more memory than vIOS, so I traded off there. The syntax is pretty similar, but things like VTP are missing. Other than that, it’s working OK. I can’t get LLDP working between the physical switch and SW1, but that could be an ESXi-related issue. Ping times were quite high at the start, but they have come down to a reasonable level now.

Ignore the four switches at the bottom, I have just left those there in case I need the interface configs.

So, after much reconfiguring (it’s Saturday night, so of course I am doing some studying, #lastmanstanding), things are looking much more promising.

I also fired up the AP-DNS router, not so much for the DNS/AP side of things (we will get back to that in a moment), but because I needed an NTP server: ISE was not reaching the AD domain because of NTP issues.

Once that was sorted, ISE was talking to AD, and I thought I’d give connecting to the WLAN a go, you know, just in case it worked.

And it did.

iphone dot1x client

Little tweak to be made here, in that the search domain is incorrect, but this is a minor thing. I think I could have had a little success earlier on if I had this router running, but who knows.

It definitely looks to be working properly, as it’s taking the username and password that’s in AD:

WLC clients

Finally, we are starting to make decent headway! Oddly, I didn’t see any activity in ISE last night, and here we encounter the gap between knowledge and just trying stuff out. Though checking just now, I do actually see some info; maybe ISE does not update this bit straight away, and I just need more patience.

ISE authentication succeeded

This is all good. Still having issues with NTP, and I think I just need to set up something to keep the network more “awake”, but these issues are getting resolved faster. Maybe I can leverage some device tracking, or something similar…

This must all be using the default authentication and authorization rules, so I will set up another user, in an OU called “Deny-Wifi”, to test rejection on wireless but permit on wired, and to make sure that I can figure out the rule syntax properly.

I also need to set up the CCIE.Sec-Guest WLAN, have this redirect to a portal for authentication, and test out the phone dot1x/MAB setup. I came across this excellent blog by Katherine McNamara. Good stuff lies within, so do check it out.

ISE: Denying Authentications based on AD group membership

This is Dodgy Bob. Because of a Mexican wrestling moustache porn incident, Bob is not allowed Wifi. He is a member of the security group “No-Wifi”:

AD security group membership for ISE

Now we need to block him using ISE, which makes sense, as this post is about ISE.

So far, this is what I have come up with. We don’t want to wholesale block all of the No-Wifi group, ONLY when they are coming in through the Wifi, so we need a rule specifying that wireless plus the AD group No-Wifi is blocked, but everything else is OK. I have added two rules; technically I only need one rule, as the catch-all at the end will permit the authorization. But this way I get used to the rule setup, and can track it better in the logs.

We can use conditions, either simple or compound. I am using a compound one:

ISE compound conditions

Next we have the authorization policies:

ISE using AD groups to permit or deny access

I don’t really need the Bob-Wired-OK rule, it is kinda redundant, but like I said, hopefully I should see this getting hit in the logs when I hook up the laptop and log in as DodgyBob.
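
To make the first-match behaviour of those two rules concrete, here is an added model of the policy (example code, not ISE’s own logic or configuration). The attribute names are simplified stand-ins for what ISE matches on, and the rule name Bob-Wifi-Deny is assumed; only Bob-Wired-OK comes from the post.

```python
from dataclasses import dataclass

# Simplified stand-ins for the RADIUS NAS-Port-Type values ISE matches on (assumption).
WIRELESS = "Wireless - IEEE 802.11"
WIRED = "Ethernet"

@dataclass(frozen=True)
class Request:
    user: str
    nas_port_type: str
    ad_groups: frozenset = frozenset()  # AD security groups the account belongs to

@dataclass(frozen=True)
class Rule:
    name: str
    result: str        # "PermitAccess" or "DenyAccess"
    condition: object  # callable taking a Request, like an ISE compound condition

def in_group(group):
    return lambda r: group in r.ad_groups

def port_type(value):
    return lambda r: r.nas_port_type == value

def all_of(*conds):  # AND of simple conditions, i.e. an ISE compound condition
    return lambda r: all(c(r) for c in conds)

# Rule names other than Bob-Wired-OK are assumed. Order matters: first match wins.
POLICY = (
    Rule("Bob-Wifi-Deny", "DenyAccess", all_of(port_type(WIRELESS), in_group("No-Wifi"))),
    Rule("Bob-Wired-OK", "PermitAccess", all_of(port_type(WIRED), in_group("No-Wifi"))),
    Rule("Default", "PermitAccess", lambda r: True),
)

def authorize(req, policy=POLICY):
    """Return (matched rule name, result) for the first rule whose condition holds."""
    for rule in policy:
        if rule.condition(req):
            return rule.name, rule.result
    return None, "DenyAccess"  # no rule matched: nothing is permitted implicitly

# Constructed sample requests: Dodgy Bob over wifi and wired, and an ordinary user.
BOB_WIFI = Request("dodgybob", WIRELESS, frozenset({"No-Wifi"}))
BOB_WIRED = Request("dodgybob", WIRED, frozenset({"No-Wifi"}))
ME_WIFI = Request("me", WIRELESS)
```

Evaluating `POLICY[::-1]` (catch-all first) against BOB_WIFI shows why the deny rule has to sit above the default: reversed, Bob is permitted on wifi and the deny rule never hits.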

First of all, this is our goal:

ip http server

I have enabled the HTTP server using the commands:

AP-DNS(config)#do sh run | i enable|http
enable password cisco
ip http server
ip http secure-server

I just log in with the password cisco, leaving the username field blank. This is quite handy, as it gives me an internal endpoint to test WCCP and the IPS with as well. You can do cool stuff with it, like this:

ip http server

Lots of fun to be had with this.

So, can I reach this page as me, with my AD account?

iphone dot1x

I can. Dodgy Bob, however, does not even connect to the wifi. The iPhone just sits there connecting, as does the Kindle.

This is what we see in the ISE logs:

ISE reject based on AD group

Perfect! This is what we want.

So, let’s make sure that he can connect using a wired connection.

The port configuration is at the end of the post.

We need to make sure that the Wired AutoConfig service is started, otherwise we won’t see the Authentication tab on the properties of the network card.

Windows 10 dot1x wired autoconfig

We can then put in our credentials, and enable single sign-on if we want (I don’t, because the laptop is not joined to AD).

Windows 10 dot1x

Unfortunately, despite what would appear to be a connection, the laptop does not receive an IP address. ISE does see it though:

ISE endpoints

It also sees the IP Phone, which will be good later on.

I changed two things. I added the ISE server IP to the ip helper-address list for VLAN 4, and I swapped the cable out. Bingo, we have connection!

Windows 10 dot1x client

It’s pulling the IP address from the AD server’s DHCP pool, rather than the AP-DNS router, which is fine, I can live with that. We can even see that we have hit the policy created earlier:

ISE dot1x success

Great stuff!

We can dig in a little using the switch to tell us what’s going on as well:

3750X#sh authentication interface gi3/0/20

Client list:
Interface  MAC Address     Method   Domain   Status         Session ID
  Gi3/0/20   e411.5b25.c2e9  dot1x    DATA     Authz Success  0A0101320000000A0051A301

Available methods list:
  Handle  Priority  Name
    3        0      dot1x
    4        1      mab
Runnable methods list:
  Handle  Priority  Name
    3        0      dot1x
    4        1      mab

3750X#sh authentication sessions interface gi3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  Unknown
            User-Name:  dodgybob
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  3600s (local), Remaining: 3486s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A0101320000000A0051A301
      Acct Session ID:  0x0000000E
               Handle:  0x2600000B

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run


Below is the switch configuration in full:

3750X#sh run
hostname 3750X
enable password admin
username admin password 0 admin
aaa new-model
aaa group server radius ISE
 server name ISE20
 deadtime 15
aaa authentication dot1x default group ISE local
aaa authorization network default group ISE local
aaa authorization auth-proxy default group ISE local
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client server-key Radius123
aaa session-id common
switch 3 provision ws-c3750x-24p
system mtu routing 1500
ip routing
dot1x system-auth-control
ip ftp username cisco
ip ftp password cisco
lldp run
interface GigabitEthernet3/0/1
 description Uplink to ESXi
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet3/0/2
interface GigabitEthernet3/0/3
 description IP Phone
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 9
 spanning-tree portfast
interface GigabitEthernet3/0/5
 description AP
 switchport access vlan 4
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet3/0/20
 switchport access vlan 4
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 spanning-tree portfast
interface Vlan1
 ip address
interface Vlan4
 ip address
 ip helper-address
 ip helper-address
interface Vlan9
 ip address
 ip helper-address
interface Vlan11
 ip address
interface Vlan21
 ip address
 ip helper-address
interface Vlan90
 ip address
ip forward-protocol udp 5246
ip forward-protocol udp 5247
ip http server
ip http secure-server
ip radius source-interface Vlan4
ip sla enable reaction-alerts
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria tries 3
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE20
 address ipv4 auth-port 1812 acct-port 1813
 key Radius123
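
One thing worth checking in that config is the `authentication open` line on Gi3/0/20: in open (monitor) mode the port forwards traffic before, and regardless of, the 802.1X/MAB result, which is fine for a lab but means a failed or absent authentication does not actually block anything. Here is an added audit script (my own example, not Cisco or ISE tooling) that parses the interface stanzas above and classifies each port’s posture; the sample config is a constructed copy of two of the stanzas from this post.

```python
# Constructed sample: the AP and laptop port stanzas from the running config above.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/0/5
 description AP
 switchport access vlan 4
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet3/0/20
 switchport access vlan 4
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 spanning-tree portfast
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas

def audit_port(lines):
    """Classify one port's authentication posture from its stanza lines."""
    lines = set(lines)
    if "switchport mode access" not in lines:
        return "not-access"
    if "authentication port-control auto" not in lines:
        return "no-dot1x"     # nothing challenges the host; the port just forwards
    if "authentication open" in lines:
        return "open-mode"    # dot1x/MAB run, but a failure does not block traffic
    return "closed-mode"      # traffic (bar EAPOL) is blocked until authorized

def audit(config):
    """Map every interface in the config to its posture."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```

Removing the `authentication open` line from the sample and re-running `audit` flips Gi3/0/20 to closed-mode, which is the setting to move to once the MAB/phone testing is done.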

We are definitely cooking here.