Dot1x ISE Lab Book Pro
_____________________________________________
Author Uldis Dzerkals
EVE-NG Pro, 2020
Cisco Security Lab ISE dot1x & mab
__________________________________________________________________________________
Content
I. Lab nodes, image versions
II. Install NTP and Active Directory Server
III. Configure DNS Server
IV. Configure AD Corporate users
V. Join PCs to the AD domain
VI. ISE pre-stage
VII. Active Directory joining to the ISE
VIII. Lab Switch AAA configuration
IX. Lab switch joining to the ISE
X. Create authorization Profiles and DACLs
XI. Create Source Identity sequence
XII. Create Policy Set
XIII. Lab Switch Ports configuration DOT1x and MAB
XIV. Windows 10 Dot1x Authentication
XV. Windows 7 Dot1x Authentication
XVI. Android Tablet Authentication
XVII. Final verification
Preface: Lab concept: practical Cisco ISE 3.0 security configuration according to the given objectives.
The EVE Community version of the lab uses Windows Server 2019 as the management station for the ISE HTTPS GUI.
✓ Configure the appropriate time zone and time on the Windows Server.
2. Configure an external NTP server (the Internet must be reachable from your server)
✓ Open a Windows CMD prompt (run as administrator)
✓ Enter the following, pointing at a real external NTP server:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL /reliable:yes
Note: the new peer list takes effect only after w32tm /config /update or a restart of the Windows Time service.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
5. Verify NTP
✓ Open a Windows CMD prompt (run as administrator)
✓ Enter:
w32tm /query /status /verbose
This displays the last synchronization status and any error.
Note: Your Windows hosts must be configured to obtain an IP address via DHCP. The lab switch and ISP router are configured with the proper VLANs and DHCP pools.
1. Windows 10 host
✓ Navigate: Start/Settings/About
✓ Click: Advanced system settings
✓ Click Tab: Computer Name
✓ Click: Change
2. Windows 7 host
✓ Navigate: Start/Control Panel/System and Security/System/Advanced system settings
✓ Click Tab: Computer Name
✓ Click: Change
✓ Type Computer Name: Jenny-PC
✓ Select radio button: Domain
✓ Type domain: eve.lab
✓ Click OK
✓ Type your AD server administrator username and password (example: administrator/Test123)
✓ Click OK
✓ Click Close and restart PC
✓ Select Switch user/Other user
✓ Log in with the AD credentials: jennydoe/Silver2021
Verification: both hosts, Windows 10 as John-PC and Windows 7 as Jenny-PC, must be joined to the domain eve.lab and have full network/Internet access.
✓ Hostname: ise
✓ IP address: 10.1.1.200
✓ Netmask: 255.255.255.0
✓ Default gateway: 10.1.1.254
✓ Default domain: eve.lab
✓ Primary name server: 10.1.1.201
✓ NTP Server: 10.1.1.201
✓ User: admin
✓ Password: Test123
✓ Wait until ISE finishes installing and comes up; all services must be in the running state
✓ Log in to ISE by browsing to https://ise.eve.lab with username admin and password Test123
✓ Navigate to the ISE management GUI
✓ Navigate to Security Settings and enable Allow SHA1 Ciphers. This option is needed only for the Windows 7 nodes: it permits SHA-1 ciphers for peer communication, which weakens the TLS settings, so leave it disabled where no such legacy supplicants exist.
✓ Click “+ Add”
✓ Name: My LAN
✓ Parent Group: All Locations
✓ Click Save
✓ Name: SW
✓ Description: LAB SW
✓ IP Address: 10.1.1.253
✓ Model Name: IOL
✓ Version: 15.2
✓ Location: My LAN
✓ Device Type: LAN Switches
✓ Select the RADIUS checkbox
✓ Shared Secret: eve (lab value; it must match the RADIUS key configured on the switch exactly, and a production deployment should use a long random secret)
✓ Click Submit
✓ Click “+ Add”
✓ Name: PERMIT_AD_ONLY
✓ IP Version: IPv4
✓ Add ACL lines
permit udp any eq 68 any eq 67
permit udp any any eq 53
permit ip any host 10.1.1.201
✓ Click “+ Add”
✓ Name: WIRED_PERMIT_ALL
✓ IP Version: IPv4
✓ Add ACL line
permit ip any any
✓ Name: MAB_DHCP_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: EVE_DHCP_ACL
✓ Click “+ Add”
✓ Name: WIRED_AD_ONLY_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: PERMIT_AD_ONLY
✓ Click “+ Add”
✓ Name: WIRED_PERMIT_ALL_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: WIRED_PERMIT_ALL
✓ Click “+ Add”
✓ Name: EVE_Sequence
✓ Select Identity sources: ad.eve.lab and Internal Endpoints
✓ Click: Save
✓ Name: EVE-POLICY
✓ Click “+” for New conditions
✓ Click Use
✓ Select Default Network Access for allowed Protocols
✓ Name: AD_PC_RULE
✓ Click “+” For new Condition
✓ Name: AD_USER_ACCESS
✓ Click “+” to add New conditions
✓ Name: MAB_RULE
✓ Click “+” to add New conditions
✓ Equals: WiredMAB
✓ Click Use
interface Ethernet1/1
 description win7 node
 switchport access vlan 20
 switchport mode access
 ! several MAC addresses may authenticate independently on this port
 authentication host-mode multi-auth
 ! closed mode (no "authentication open"): nothing but EAPOL passes until 802.1X or MAB succeeds
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! send EAPOL Request/Identity every 10 s instead of the default 30 s, so the
 ! fallback to MAB for devices without a supplicant happens sooner
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 ! caveat: interface-level bpdufilter stops the port from sending or receiving BPDUs,
 ! so bpduguard on the same port can never trigger; acceptable in this lab only
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface Ethernet1/2
 description Tablet EVE Pro lab with Android
 switchport access vlan 30
 switchport mode access
 authentication host-mode multi-auth
 ! open mode: traffic is allowed before, and even without, a successful authentication;
 ! with no pre-authentication ACL this is monitor mode, not enforcement
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
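The per-port commands above only work once the switch has a global AAA/RADIUS configuration pointing at ISE (section VIII of the lab, not reproduced on this page). The block below is an added example, not the lab book's own configuration: it uses the ISE address 10.1.1.200 and the shared secret eve from the network-device entry created earlier, while the RADIUS server name ISE, the UDP ports 1812/1813, the dead-criteria values, the attribute tweaks and the CoA client block are assumptions for this example.

```cisco
! Added example (not from the lab book): global AAA/RADIUS configuration on an
! IOS 15.x switch that the interface-level dot1x/mab commands depend on.
aaa new-model
! 802.1X/MAB authentication, per-session network authorization (this is what
! downloads the dACL) and accounting are all sent to the RADIUS group.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Policy node address, standard RADIUS ports and the shared secret entered in ISE
! (server name "ISE" and the ports are assumptions).
radius server ISE
 address ipv4 10.1.1.200 auth-port 1812 acct-port 1813
 key eve
!
! Mark the server dead after 3 unanswered requests within 10 s so sessions are not
! left hanging; include Service-Type, Framed-IP-Address and Class in requests, which
! ISE uses to tell dot1x/MAB sessions apart and to learn the client IP.
radius-server dead-criteria time 10 tries 3
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
! Accept RFC 5176 Change of Authorization from ISE so a live session can be
! re-authenticated or moved to another authorization profile.
aaa server radius dynamic-author
 client 10.1.1.200 server-key eve
!
! Enable 802.1X globally; without this the interface commands are inert.
dot1x system-auth-control
! The switch needs each client's IP address before it can apply a downloaded
! per-user ACL; IP device tracking learns it from ARP/DHCP.
ip device tracking
!
! Verification after a client connects (commands only; output depends on the session):
!  show authentication sessions interface Ethernet1/1 details
!  show ip access-lists
!  test aaa group radius <username> <password> new-code
```

On older IOS trains without the radius server stanza, the equivalent legacy line is radius-server host 10.1.1.200 auth-port 1812 acct-port 1813 key eve; on IOS-XE 16.x the device-tracking policy syntax replaces ip device tracking. The test aaa command is a quick way to confirm the shared secret and reachability before touching any access port.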
✓ Open Windows 10
✓ Navigate to Windows Control Panel, Administrative Tools/Services
✓ Make sure the Wired AutoConfig service is enabled and running; it is the built-in 802.1X supplicant for wired adapters
✓ If it is not running, log off Windows and log in as the administrator
✓ Login: eve\administrator, Password: Test123
Note: this is the domain administrator user we created previously on Windows Server 2019
✓ Reboot Windows 10
✓ Click OK 2 times
✓ Reboot Windows 10
Note: after the Windows 10 machine reboots, do not log in to it; check the results on the switch instead. You should see that the DACL PERMIT_AD_ONLY is in use, which means the computer account authenticated (machine authentication, before any user logon), received an IP address and can communicate only with DHCP, DNS and the AD server:
SW#sh access-lists
Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-user)
    1 permit udp any eq bootpc any eq bootps
    2 permit udp any any eq domain
    3 permit ip any host 10.1.1.201
SW#
✓ You should see that John-PC is authenticated but has been assigned only WIRED_AD_ONLY_PROFILE
✓ Now log in to Windows 10 John-PC as user johndoe with password Gold2021
✓ Go back to the switch and issue show access-lists again. The user logon triggered a new 802.1X authentication, and the per-user ACL has changed to the permit-all DACL of WIRED_PERMIT_ALL_PROFILE:
SW#sh access-lists
Extended IP access list xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43 (per-user)
    1 permit ip any any
SW#
✓ Click OK 2 times
✓ Reboot Windows 7
Note: after the Windows 7 machine reboots, do not log in to it; check the results on the switch instead. You should see that the DACL PERMIT_AD_ONLY is in use, which means the Windows 7 computer account authenticated, received an IP address and can communicate only with DHCP, DNS and the AD server:
SW#sh access-lists
Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-user)
    1 permit udp any eq bootpc any eq bootps
    2 permit udp any any eq domain
    3 permit ip any host 10.1.1.201
SW#
✓ You should see that Jenny-PC is authenticated but has been assigned only WIRED_AD_ONLY_PROFILE
✓ Now log in to Windows 7 Jenny-PC as user jennydoe with password Silver2021
✓ Go back to the switch and issue show access-lists again. The user logon triggered a new 802.1X authentication, and the per-user ACL has changed to the permit-all DACL of WIRED_PERMIT_ALL_PROFILE:
SW#sh access-lists
Extended IP access list xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43 (per-user)
    1 permit ip any any
SW#
Session count = 3
SW#