CCIE Security Lab: ISE WebAuth

After setting up ACS command authentication yesterday, and cleaning it up today so that it uses a new Access Service, it is time to return to Identity Services Engine (ISE) and look at ISE WebAuth. I might try to throw in some profiling as well, depending on how well it goes.
We start by creating an identity group, which I have called Web-Guest:

Creating ISE identity group

Next, we create a user, also called “Web-Guest”, with the password “Cisco123”.

Create ISE local user

They get assigned to the group Web-Guest which we just created.

As we don’t want our WebAuth guests having full network access, we’ll create a simple dACL. It permits DNS, HTTP, HTTPS and TCP 8443 to anywhere, ICMP to the AP-DNS router only, and denies everything else:

Create ISE dACL
We then create an Authorization profile, also called Web-Guest, that returns the dACL and places the user into VLAN 99:
Create ISE AuthZ policy
We also need the Web Authentication option enabled in the same profile, so scroll down and make sure it is ticked:
ISE local web auth
Before we can set up the rule, we need a compound condition on the RADIUS attributes the switch sends. My first attempt used Service-Type = Framed (value 2) and NAS-Port = 15:
ISE compound conditions
Value 15 is Ethernet in the IANA RADIUS types registry (http://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13), and Service-Type Framed (2) means the user should be given a framed protocol such as PPP (https://en.wikipedia.org/wiki/RADIUS). As the troubleshooting further down shows, neither is what the switch actually sends for local web auth: the request carries Service-Type Outbound (5), and the Ethernet value belongs to NAS-Port-Type (attribute 61), not NAS-Port (attribute 5), which is just the port number.
Then we add the Authorization policy rule, which matches the Web-Guest identity group together with that condition and returns the profile:
ISE AuthZ profile
And an Authentication policy rule:
ISE AuthC profile
Now, once we have saved this, we need to configure the switch. Some commands are there from previous labs, others are new. The comment lines beginning with ! are annotations and are ignored when pasted:
aaa new-model
!
aaa group server radius ISE
 server name ISE20
 deadtime 15
!
! WebAuth needs the default login list to be RADIUS (see the Cisco note quoted
! further down). CON is the nondefault list for the console and VTYs; "none"
! means no authentication at all, acceptable only in an isolated lab.
aaa authentication login default group ISE
aaa authentication login CON none
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Local web auth runs through auth-proxy, so it needs its own authorization
! and accounting lists
aaa authorization auth-proxy default group ISE local
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group radius
!
! Accept Change of Authorization (CoA) from ISE
aaa server radius dynamic-author
 client 192.168.90.205 server-key Radius123
!
aaa session-id common
!
! Required for web auth and per-user dACLs: the switch has to learn the
! client IP address
ip device tracking
!
! Local web auth rule: the switch serves the login page itself
ip admission name Web-Guest proxy http inactivity-time 5
!
dot1x system-auth-control
!
! Pre-authentication ACL plus the admission rule, applied to the port when
! the fallback kicks in
fallback profile Web-Guest-Fallback
 ip access-group Web-Auth-ACL in
 ip admission Web-Guest
!
interface GigabitEthernet3/0/19
 switchport access vlan 99
 switchport mode access
 switchport block unicast
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order webauth
 authentication priority webauth
 authentication port-control auto
 authentication fallback Web-Guest-Fallback
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
!
interface Vlan99
 ip address 10.1.99.50 255.255.255.0
 ip helper-address 10.1.4.100
!
! What an unauthenticated guest may do before logging in: DHCP and DNS only
ip access-list extended Web-Auth-ACL
 permit udp any any eq bootps
 permit udp any any eq domain
!
ip radius source-interface Vlan4
! Attribute 6 is Service-Type, which the ISE compound condition keys on
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria tries 3
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ISE20
 address ipv4 192.168.90.205 auth-port 1812 acct-port 1813
 key Radius123
!
line con 0
 login authentication CON
line vty 0 4
 login authentication CON
 width 255
line vty 5 15
!
mac address-table notification change interval 0
mac address-table notification change

The results are:

3750X#sh auth sess int gi 3/0/19
            Interface:  GigabitEthernet3/0/19
          MAC Address:  685b.35cc.3a6a
           IP Address:  10.1.99.12
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01013200000013008953E7
      Acct Session ID:  0x00000037
               Handle:  0xA2000014

Runnable methods list:
       Method   State
       webauth  Authc Success

3750X#

We can see the webauth success on the switch, and the client gets the success message as well.

ISE Web-Auth success

This did take a few attempts to get right. I found this URL really useful, and it stopped me getting locked out of the switch (note that my CON list uses none, so the console and VTYs have no authentication at all; that is a lab shortcut, not a production setting):

It is important to note that the current implementation of WebAuth requires the use of the default login authentication group as RADIUS. As soon as it is configured, the default login group applies to all login attempts for the switch, including virtual teletype terminal (VTY) and console access. Everyone attempting to use Telnet to access the switch or to access the console is required to authenticate through RADIUS. To prevent the default AAA login configuration from applying to the console and VTY sessions, define a nondefault login group and apply this to the VTYs and the console.

We are not getting the dACL though, and we are not getting a username either. Let’s change the authentication order and see what we get:

3750X(config-if)#authen order dot1x webauth
3750X(config-if)#auth pri dot web
3750X(config-if)#

Nope, still no username, so the ACL is not applied. Why are we not getting the username? Let’s turn to the logs and find out.

ISE troubleshooting

Here is a clue: we are not hitting the right policy. Instead of reaching the Web-Auth authentication rule, we are hitting the Dot1x rule:

ISE policy order

Because that rule is matched first, we fall through to the Basic_Authentication_Access policy:

ISE policy order default

So that is why!

Could it be as simple as just moving our authentication policy up?

ISE policy order web-auth

Let’s try it now:

ISE Web-auth success logs

Better. We now hit the Web-Auth AuthC rule, but authorization still lands on Basic_Authentication. I want the Web-Auth AuthZ rule instead.

Let’s dissect the AuthZ rule and see what we are not matching.

It matches on the Web-Guest User Identity Group, but it also requires the Web-AuthZ-Condition:

ISE Radius Service type

These are being queried:

ISE log steps

Are we getting these back?

ISE PAP response

The switch is sending a Service-Type of Outbound and a NAS-Port-Type of Ethernet. The Ethernet value is correct, so let’s first change the Service-Type in the condition from Framed to Outbound:

Fixing ISE compound condition

Still no dice. But NAS-Port and NAS-Port-Type are not the same thing: NAS-Port (attribute 5) is the physical port number, while NAS-Port-Type (attribute 61) describes the medium, and 15 means Ethernet only in the latter. So I changed the condition again, to NAS-Port-Type = Ethernet:

Boom!

ISE WebAuth success

We have the previous incorrect (but working) authentication at the bottom and our corrected Web-AuthZ-Condition (desired) at the top.
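To make the attribute mismatch concrete, here is an added example (not code from the original post, and not ISE’s own matching logic) that encodes the attributes of an Access-Request the way the logs above show the switch sending them, Service-Type Outbound and NAS-Port-Type Ethernet, and evaluates the three compound conditions tried on this page against it. Attribute numbers and values are from RFC 2865; the NAS-Port value 50119 is an assumed placeholder, only the attribute TLVs are encoded (no RADIUS header), and the AND-condition check is a simplified stand-in for what ISE does.

```python
import struct

# RADIUS attribute type numbers (RFC 2865)
USER_NAME = 1
NAS_PORT = 5            # physical port number on the NAS, an integer
SERVICE_TYPE = 6
NAS_PORT_TYPE = 61      # medium type, e.g. 15 = Ethernet

SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_OUTBOUND = 5
NAS_PORT_TYPE_ETHERNET = 15

INTEGER_ATTRS = {NAS_PORT, SERVICE_TYPE, NAS_PORT_TYPE}


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value.
    Integers become 4-byte big-endian values, strings are UTF-8 text."""
    out = bytearray()
    for typ, val in attrs:
        data = struct.pack(">I", val) if isinstance(val, int) else val.encode()
        out += bytes([typ, 2 + len(data)]) + data
    return bytes(out)


def decode_attrs(raw):
    """Decode a TLV blob into {type: value}, rejecting truncated attributes."""
    attrs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header at offset %d" % i)
        typ, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute at offset %d" % i)
        data = raw[i + 2:i + length]
        attrs[typ] = struct.unpack(">I", data)[0] if typ in INTEGER_ATTRS else data.decode()
        i += length
    return attrs


def condition_matches(attrs, required):
    """Compound AND condition, like the ISE one on this page: every
    (attribute, value) pair must be present with exactly that value."""
    return all(attrs.get(t) == v for t, v in required.items())


# Constructed request attributes, modelled on what the post's ISE logs show the
# 3750X sending for local web auth. NAS-Port 50119 is an assumed placeholder.
WEBAUTH_REQUEST = encode_attrs([
    (USER_NAME, "Web-Guest"),
    (NAS_PORT, 50119),
    (SERVICE_TYPE, SERVICE_TYPE_OUTBOUND),
    (NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET),
])

# The three conditions tried on this page, in order.
FIRST_ATTEMPT = {SERVICE_TYPE: SERVICE_TYPE_FRAMED, NAS_PORT: 15}
SECOND_ATTEMPT = {SERVICE_TYPE: SERVICE_TYPE_OUTBOUND, NAS_PORT: 15}
WORKING = {SERVICE_TYPE: SERVICE_TYPE_OUTBOUND, NAS_PORT_TYPE: NAS_PORT_TYPE_ETHERNET}


def evaluate_attempts(raw=WEBAUTH_REQUEST):
    """Return which of the three conditions the request would satisfy."""
    attrs = decode_attrs(raw)
    return {
        "framed+nas-port": condition_matches(attrs, FIRST_ATTEMPT),
        "outbound+nas-port": condition_matches(attrs, SECOND_ATTEMPT),
        "outbound+nas-port-type": condition_matches(attrs, WORKING),
    }


if __name__ == "__main__":
    for name, ok in evaluate_attempts().items():
        print("%-24s %s" % (name, "match" if ok else "no match"))
```

Only the third condition matches: attribute 5 carries a port number that happens never to be 15, so a rule written against NAS-Port never fires however the Service-Type is set. The same check applies to any ISE rule that silently falls through to a default: compare the attributes the NAS actually sends (the "steps" detail in the ISE live log) against the ones the condition names, not the values you expect.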

3750X#sh auth sess int gi 3/0/19
            Interface:  GigabitEthernet3/0/19
          MAC Address:  685b.35cc.3a6a
           IP Address:  10.1.99.10
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0101320000004A1A0D46AA
      Acct Session ID:  0x0000007B
               Handle:  0x2900004B

Runnable methods list:
       Method   State
       dot1x    Failed over
       webauth  Authc Success

3750X#
3750X#sh access-lists
Extended IP access list Auth-Default-ACL-OPEN
    10 permit ip any any (45 matches)
Extended IP access list Web-Auth-ACL
    10 permit udp any any eq bootps
    20 permit udp any any eq domain
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32 (per-user)
    10 permit ip any any
3750X#

We still don’t get the dACL though, even though the setup is looking correct:

ISE WebAuth dACL

So I went into the AuthZ profile, opened the advanced attributes settings, changed nothing, and that was enough to let me save it again. This time it looks like it’s working:

3750X#sh auth sess int gi 3/0/19
            Interface:  GigabitEthernet3/0/19
          MAC Address:  685b.35cc.3a6a
           IP Address:  10.1.99.10
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-Web-Guest-5763fd31
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0101320000004C1A3389CE
      Acct Session ID:  0x00000081
               Handle:  0x8D00004D

Runnable methods list:
       Method   State
       dot1x    Failed over
       webauth  Authc Success

3750X#
3750X#sh access-lists
Extended IP access list Auth-Default-ACL-OPEN
    10 permit ip any any (55 matches)
Extended IP access list Web-Auth-ACL
    10 permit udp any any eq bootps
    20 permit udp any any eq domain
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32 (per-user)
    10 permit ip any any
Extended IP access list xACSACLx-IP-Web-Guest-5763fd31 (per-user)
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
    30 permit tcp any any eq 8443
    40 permit udp any any eq domain
    50 permit icmp any host 10.1.4.101
    60 deny ip any any
3750X#

Finally, we have success!

We can test this from the client: we expect an ICMP ping reply from 10.1.4.101, but not from 10.1.4.254 (as per the ACL above):

ISE working dACL with WebAuth
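As an added example (not from the original post), here is a small first-match evaluator for the per-user ACL above, so the expected ping results can be checked on paper before touching the client. The ACE text is copied from the show access-lists output with the sequence numbers dropped, the source address 10.1.99.10 is the client from the session output, and the parser also accepts Cisco wildcard masks, which this particular dACL does not use.

```python
import ipaddress

# Per-user ACL the switch built from the downloaded dACL, copied from the
# post's "show access-lists" output (sequence numbers dropped).
WEB_GUEST_DACL = """
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
permit udp any any eq domain
permit icmp any host 10.1.4.101
deny ip any any
"""

# IOS port keywords seen on this page
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67}


def _parse_host(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard')
    and return an ipaddress network plus the remaining tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard mask: invert it to get the netmask
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network("%s/%s" % (addr, netmask), strict=False), tokens[2:]


def parse_acl(text):
    """Parse extended-ACL lines into (action, proto, src, dst, dport) tuples.
    Only destination 'eq <port>' qualifiers are handled, which is all the
    dACL on this page uses."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_host(tokens[2:])
        dst, rest = _parse_host(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append((action, proto, src, dst, dport))
    return aces


def permitted(aces, proto, src, dst, dport=None):
    """First matching ACE decides; no match falls through to the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, ace_proto, ace_src, ace_dst, ace_port in aces:
        if ace_proto not in ("ip", proto):
            continue
        if src_ip not in ace_src or dst_ip not in ace_dst:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_acl(WEB_GUEST_DACL)
    for target in ("10.1.4.101", "10.1.4.254"):
        verdict = "reply expected" if permitted(acl, "icmp", "10.1.99.10", target) else "blocked"
        print("ping %s: %s" % (target, verdict))
```

Running it reproduces the expectation in the text (ICMP to 10.1.4.101 passes, 10.1.4.254 hits the final deny) and also shows why HTTPS still works for the guest while SSH does not, which is worth checking whenever a dACL is edited on ISE, since a new revision only reaches the switch once the session is re-authorized.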

Troubleshooting ISE is actually pretty fun. It’s just about knowing where to look, and the logs show exactly what is happening, so issues like this can be picked up quickly. It is still worth triple-checking and saving work regularly, even if you haven’t made any changes. Hopefully these issues won’t be in the lab and it will be a bit smoother, but we will see.

I can leave ISE and move on. I am also on track, down from triple digits away from the exam to double-digits.

If you are looking for a great book on ISE, then I can totally recommend one.

Next, will be some more IPS, and we will link the WLC to this as well.