Dot1x ISE Lab Book Pro


Cisco Security ISE dot1x and mab

EVE-NG Lab guide

_____________________________________________
Author Uldis Dzerkals
EVE-NG Pro, 2020
Cisco Security Lab ISE dot1x & mab
EVE-PRO, 2020
__________________________________________________________________________________

Content
I. Lab nodes, image versions
II. Install NTP and Active Directory Server
III. Configure DNS Server
IV. Configure AD Corporate users
V. Join PCs to the AD domain
VI. ISE pre-stage
VII. Active Directory joining to the ISE
VIII. Lab Switch AAA configuration
IX. Lab switch joining to the ISE
X. Create authorization Profiles and DACLs
XI. Create Source Identity sequence
XII. Create Policy Set
XIII. Lab Switch Ports configuration DOT1x and MAB
XIV. Windows 10 Dot1x Authentication
XV. Windows 7 Dot1x Authentication
XVI. Android Tablet Authentication
XVII. Final verification

2 Created by Uldis Dzerkals, EVE-NG Ltd, 2020



Preface. Lab concept: practical Cisco ISE 3.0 configuration according to the given objectives.
The EVE Community version of the lab uses the Windows Server 2019 node as the management station for the ISE HTTPS GUI.

I. Lab nodes, image versions


• Cisco ISE 3.0
• Switch: i86bi_linux_l2-adventerprisek9-ms.SSA.high_iron_20190423.bin
• ISP Router: IOL i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin
• DNS/CA/NTP: Windows Server 2019 x64
• Windows 10 x86, domain PC
• Windows 7 x86, domain PC
• Android 9.1 node as the BYOD device (Pro Lab with Android)
• Management host: Docker server-gui (Pro Lab)

II. Install NTP and Active Directory Server


NOTE: The Windows server must have the WinSCP and Tftpd64 applications installed.

Objective: Configure the Windows 2019 network interface as follows:

1. Set a static IP address on the Windows 2019 interface Ethernet:

✓ IP Address: 10.1.1.201
✓ Mask: 255.255.255.0
✓ Gateway: 10.1.1.254
✓ DNS Server: 8.8.8.8, 8.8.4.4

Objective: Configure Windows 2019 Time Zone and Time:

✓ Configure the appropriate Time zone and Time on the Windows Server.

Objective: Configure Windows 2019 as an NTP server as follows:


1. Create a firewall NTP inbound rule

✓ Control Panel/Windows Defender Firewall/Advanced settings
✓ Inbound Rules/New Rule
✓ Rule type: Port > Next
✓ Protocol and Ports: UDP 123 > Next
✓ Action: Allow the connection > Next
✓ Profile: check all three (Domain, Private, Public) > Next
✓ Name: NTP_inbound

2. Configure an external NTP server (the Internet must be reachable from your server)
✓ Open a Windows CMD prompt with administrator rights
✓ Enter the following on one line, pointing w32tm at a real external NTP server:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL /reliable:yes

3. Edit the registry

✓ Select Start > Run, type regedit, and then select OK
✓ Navigate to the following value in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

✓ Right-click AnnounceFlags, and then select Modify
✓ Set the Value data to 5 and click OK.


✓ Navigate to the following value in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

✓ Right-click Type, and then select Modify
✓ Set the Value data to NTP and click OK.

✓ Enable the NTP server. Navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

✓ Right-click Enabled, and then select Modify
✓ In Edit DWORD Value, type 1 in the Value data box, and then click OK


4. Restart the Windows Time service

✓ Open a Windows CMD prompt with administrator rights
✓ Enter:
net stop w32time && net start w32time

5. Verify NTP
✓ Open a Windows CMD prompt with administrator rights
✓ Enter:
w32tm /query /status /verbose    (displays the last sync status or any error)
w32tm /query /peers              (displays the external NTP peers)


Objective: Configure the Windows 2019 server name as follows:

✓ Open Server Manager
✓ Click Local Server
✓ Click the Computer name
✓ Click Change
✓ Enter the name: ad
✓ Click OK
✓ Click Close and restart the server

Objective: Configure Active Directory on the Windows 2019 server:

1. Install the Active Directory Domain Services role

✓ Open Server Manager
✓ Click Add roles and features
✓ Click Next 3 times
✓ Select Active Directory Domain Services, and click Add Features
✓ Click Next 3 times, then Install
✓ After the installation completes, click Close
2. Navigate to Server Manager, Notifications (yellow triangle)
✓ Click Promote this server to a domain controller
✓ Select "Add a new forest"
✓ Enter the root domain name "eve.lab"
✓ Click Next
✓ Type the DSRM password twice (example: Test123)
✓ Click Next 5 times
✓ Click Install
✓ After the server reboots, change the administrator password if required (example: ADserver123)

III. Configure DNS Server


Objective: Configure Windows 2019 as a DNS server as follows:

1. Navigate to Server Manager, Tools/DNS

✓ Expand the AD server in the tree
2. Create 2 new Reverse Lookup Zones
✓ Right-click Reverse Lookup Zones/New Zone, Next
✓ Leave Primary zone and click Next
✓ Leave "To all DNS servers running on domain controllers in this domain: eve.lab", click Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.1, Next, Next
✓ Allow both nonsecure and secure dynamic updates, Next
✓ Finish
✓ New Zone, Next
✓ Leave Primary zone and click Next
✓ Leave "To all DNS servers running on domain controllers in this domain: eve.lab", click Next


✓ IPv4 Reverse Lookup Zone, Next


✓ Network ID: 10.1.2, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
3. Create new A record
✓ Navigate to forward lookup zone eve.lab
✓ Create New host (A or AAAA)
✓ Name: ise
✓ IP Address: 10.1.1.200
✓ Enable checkbox Create associated pointer (PTR) record
✓ Add Host

IV. Configure AD Corporate users


Objective: Configure Active Directory Corporate Users:

1. Navigate to Server manager, Tools/Active Directory Users and Computers


✓ Right click on Users directory/New/user
✓ First Name: Jenny
✓ Last name: Doe
✓ Username: jennydoe
✓ Click Next
✓ Password (2 times): Silver2021
✓ Uncheck User must change password at next login
✓ Check: User cannot change password and Password never expires
✓ Click Next and Finish
2. Navigate to Server manager, Tools/Active Directory Users and Computers
✓ Right click on Users directory/New/user
✓ First Name: John
✓ Last name: Doe
✓ Username: johndoe
✓ Click Next
✓ Password (2 times): Gold2021
✓ Uncheck User must change password at next login
✓ Check: User cannot change password and Password never expires
✓ Click Next and Finish

V. Join PCs to the AD domain


Objective: Join the corporate PCs to the Active Directory domain:

Note: Your Windows hosts must be configured to obtain an IP address via DHCP. The lab switch and ISP router are pre-configured with the proper VLANs and DHCP pools.

1. Windows 10 host
✓ Navigate: Start/Settings/About
✓ Navigate: Advanced System Settings, Click
✓ Click Tab: Computer Name
✓ Click: Change


✓ Type Computer Name: John-PC


✓ Select radio button: Domain
✓ Type domain: eve.lab
✓ Click OK
✓ Type your AD server administrator username and password (example:
administrator/Test123)
✓ Click OK
✓ Click Close and restart PC
✓ Select Other user and login with AD credentials: johndoe/Gold2021

2. Windows 7 host
✓ Navigate: Start/Control Panel/System and Security/System/Advanced system settings
✓ Click Tab: Computer Name
✓ Click: Change
✓ Type Computer Name: Jenny-PC
✓ Select radio button: Domain
✓ Type domain: eve.lab
✓ Click OK
✓ Type your AD server administrator username and password (example:
administrator/Test123)
✓ Click OK
✓ Click Close and restart PC
✓ Select Switch user/Other user
✓ Login with AD credentials: jennydoe/Silver2021

Verification: Both hosts, Windows 10 as John-PC and Windows 7 as Jenny-PC, must be joined to the domain eve.lab and have full network/Internet access.


VI. ISE pre-stage


Objective: Pre-stage ISE

1. Setup ISE settings


✓ Type: setup

✓ Hostname: ise
✓ IP address: 10.1.1.200
✓ Netmask: 255.255.255.0
✓ Default gateway: 10.1.1.254
✓ Default domain: eve.lab
✓ Primary name server: 10.1.1.201
✓ NTP Server: 10.1.1.201
✓ User: admin
✓ Password: Test123

✓ Wait until ISE installs and comes up; all services must be in the running state

Objective: Allow SHA1 ciphers for the Windows 7 node

1. Open the Mgmt host and navigate to Applications/Internet/Chromium Web Browser


✓ Log in to ISE by browsing to https://ise.eve.lab with username admin and password Test123
✓ Navigate to ISE Management

✓ Click Tab Administration/System/Settings

✓ Navigate to Security Settings and enable Allow SHA1 Ciphers. This option is necessary only for the Windows 7 node; it lowers the TLS cipher strength ISE accepts, so disable it again once no legacy clients remain.

VII. Active Directory joining to the ISE


Objective: Join Active Directory as External Identity Source to the ISE

1. Open the Mgmt host and navigate to Applications/Internet/Chromium Web Browser


✓ Log into the ISE by browsing to https://ise.eve.lab using a username: admin and a
password: Test123
✓ Navigate to ISE Management

✓ Click Tab Administration/Identity Management/External Identity Sources


✓ Click Active Directory and “+ Add”

✓ Join point name: ad.eve.lab


✓ Active Directory domain name: eve.lab

✓ Click Submit and Yes for Join

✓ Fill in the credentials: AD User name: administrator, Password: Test123 (the AD server administrator password)


✓ Click OK, Status must be completed (green)

✓ Click Tab Groups/Select Groups From Directory

✓ Click Retrieve Groups

✓ Select Domain Computers and Domain Users, Click OK


✓ To complete configuration at the bottom of screen click Save

VIII. Lab Switch AAA configuration


Objective: Configure lab switch AAA and ISE Radius

✓ Open the SW switch console and configure the following:

aaa new-model
dot1x system-auth-control

radius server ISE
 address ipv4 10.1.1.200 auth-port 1812 acct-port 1813
 key eve1

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server timeout 2

aaa group server radius ISE-GROUP
 server name ISE
 ip radius source-interface Vlan10

aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE-GROUP

aaa server radius dynamic-author
 client 10.1.1.200 server-key eve1

snmp-server community eve1 RO
snmp-server enable traps snmp linkdown linkup

Note: the RADIUS key and the dynamic-author server-key (eve1) must be identical to the shared secret entered for this switch in ISE in section IX; with a mismatch ISE cannot validate the requests and the ports never get an Access-Accept. The ip radius source-interface Vlan10 line makes the switch source RADIUS from its Vlan10 address, which must be the IP registered for the network device in ISE (10.1.1.253 in section IX). The dynamic-author block is what allows ISE to send Change of Authorization (CoA) to the switch.

IX. Lab switch joining to the ISE


Objective: Create Device Type Group

✓ Navigate to ISE Management

✓ Click Tab Administration/Network Resources/Network Devices

✓ Click to tab “Network Device Groups”


✓ Click “+ Add”

✓ Name: LAN Switches


✓ Parent Group: All Device Types
✓ Click Save


Objective: Create Location Group

✓ Click “+ Add”

✓ Name: My LAN
✓ Parent Group: All Locations
✓ Click Save

Objective: Join SW switch to the ISE radius

✓ Click to tab “Network Devices”


✓ Click “+ Add”


✓ Name: SW
✓ Description: LAB SW
✓ IP Address: 10.1.1.253
✓ Model Name: IOL
✓ Version: 15.2
✓ Location: My LAN
✓ Device Type: LAN Switches
✓ Select the RADIUS checkbox
✓ Shared Secret: eve1 (must match the key eve1 configured on the switch in section VIII; a mismatch is the most common reason the switch never receives an Access-Accept)

✓ Enable SNMP Settings


✓ SNMP Version: 2c
✓ SNMP RO Community: eve1


✓ Click Submit

X. Create authorization Profiles and DACLs


Objective: Create three DACLs

✓ Navigate to ISE Management

✓ Click Tab Policy/Policy Elements/Results

✓ Navigate to Authorization/Downloadable ACLs
✓ Click "+ Add"
✓ Name: EVE_DHCP_ACL
✓ IP Version: IPv4
✓ Add ACL line
permit udp any eq 68 any eq 67

✓ Check DACL Syntax, must be Valid


✓ Click Save.


✓ Click “+ Add”
✓ Name: PERMIT_AD_ONLY
✓ IP Version: IPv4
✓ Add ACL lines
permit udp any eq 68 any eq 67
permit udp any any eq 53
permit ip any host 10.1.1.201

✓ Check DACL Syntax, must be Valid


✓ Click Save.

✓ Click “+ Add”
✓ Name: WIRED_PERMIT_ALL
✓ IP Version: IPv4
✓ Add ACL line
permit ip any any

✓ Check DACL Syntax, must be Valid


✓ Click Save.

Objective: Create three Authorization Profiles

✓ Navigate to Authorization/Authorization Profiles


✓ Click “+ Add”


✓ Name: MAB_DHCP_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: EVE_DHCP_ACL

✓ Click “+ Add”
✓ Name: WIRED_AD_ONLY_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: PERMIT_AD_ONLY

✓ Click “+ Add”
✓ Name: WIRED_PERMIT_ALL_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: WIRED_PERMIT_ALL
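The switch applies a downloaded DACL as a per-user ACL inbound on the access port: the first matching line decides and anything unmatched is dropped. The following Python script is an added example, not part of the original lab guide and not ISE code. It parses the three DACLs exactly as typed above (only the permit/deny, udp/tcp/ip, any/host/wildcard and eq syntax used here), evaluates constructed sample packets against them the way the switch does, and mirrors the "Check DACL Syntax" step. The sample hosts (a VLAN 20 client at 10.1.2.10, a peer at 10.1.2.11, an Internet address from TEST-NET-3) and the port keyword table are assumptions for the demo; only the ACL text comes from the guide.

```python
"""Evaluator for the three ISE downloadable ACLs of section X.

Added example, not part of the original lab guide or of ISE. The DACL text is
copied from the guide; the port keyword table, the sample hosts and the sample
packets are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS substitutes when it prints the DACL in 'show access-lists'.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}

DACLS = {
    "EVE_DHCP_ACL": ["permit udp any eq 68 any eq 67"],
    "PERMIT_AD_ONLY": [
        "permit udp any eq 68 any eq 67",
        "permit udp any any eq 53",
        "permit ip any host 10.1.1.201",
    ],
    "WIRED_PERMIT_ALL": ["permit ip any any"],
}


@dataclass(frozen=True)
class Packet:
    proto: str               # "udp", "tcp", "icmp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _parse_addr(tokens, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i] -> (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Optional 'eq <port|keyword>' at tokens[i] -> (port or None, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return None, i


def parse_ace(line):
    """Parse one ACE of the subset used in this lab into a dict.
    Raises ValueError on anything else, like ISE's 'Check DACL Syntax' button."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line}")
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in ACE: {line}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """'ip' matches every protocol; a missing 'eq' matches every port."""
    return ((ace["proto"] == "ip" or ace["proto"] == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace["src"]
            and ipaddress.ip_address(pkt.dst) in ace["dst"]
            and ace["sport"] in (None, pkt.sport)
            and ace["dport"] in (None, pkt.dport))


def check_dacl_syntax(name):
    """True if every line of the DACL parses (the lab's 'must be Valid' step)."""
    try:
        for line in DACLS[name]:
            parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def dacl_permits(name, pkt):
    """Evaluate like the switch: first matching ACE decides, implicit deny at the end."""
    for line in DACLS[name]:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False


# Constructed traffic from a client in VLAN 20 (10.1.2.0/24 assumed for the demo).
DHCP_DISCOVER  = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)
DNS_QUERY      = Packet("udp", "10.1.2.10", 51515, "10.1.1.201", 53)
KERBEROS_TO_AD = Packet("tcp", "10.1.2.10", 49200, "10.1.1.201", 88)
SMB_TO_PEER    = Packet("tcp", "10.1.2.10", 49300, "10.1.2.11", 445)
HTTPS_INTERNET = Packet("tcp", "10.1.2.10", 49400, "203.0.113.10", 443)

if __name__ == "__main__":
    samples = [("dhcp", DHCP_DISCOVER), ("dns", DNS_QUERY), ("kerberos->AD", KERBEROS_TO_AD),
               ("smb->peer", SMB_TO_PEER), ("https->internet", HTTPS_INTERNET)]
    for name in DACLS:
        print(f"{name} (syntax valid: {check_dacl_syntax(name)})")
        for label, pkt in samples:
            print(f"  {label:16} {'permit' if dacl_permits(name, pkt) else 'deny'}")
```

Running it shows why the guide's verification steps behave as they do: PERMIT_AD_ONLY lets a freshly booted domain PC obtain a lease, resolve names and talk to the domain controller (DHCP, DNS and any protocol to 10.1.1.201) but drops SMB to a neighbour and HTTPS to the Internet, while EVE_DHCP_ACL permits the DHCP exchange and nothing else.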

XI. Create Source Identity sequence


Objective: Create Source identity sequence

✓ Navigate to ISE Management

✓ Click Tab Administration/Identity Management/Groups


✓ Click Tab: Identity Source Sequences


✓ Click “+ Add”

✓ Name: EVE_Sequence
✓ Select Identity sources: ad.eve.lab and Internal Endpoints

✓ Click: Save

XII. Create Policy Set


Objective: Create mab and dot1x Policy

✓ Navigate to ISE Management

✓ Click Tab Policy/Policy Sets


✓ Click “+ Add”


✓ Name: EVE-POLICY
✓ Click “+” for New conditions

✓ In Conditions Studio “Click to add an attribute”

✓ In Editor “Click Tab Location”


✓ Select Attribute DEVICE:Location

✓ Select equals from list: All Locations/My LAN

✓ Click New to add another attribute

✓ In Editor “Click Tab Network Device”


✓ Select Attribute DEVICE: Device Type


✓ Select equals from list: All Device Types/LAN Switches

✓ Click New to add another attribute


✓ In Editor “Click Tab Port”
✓ Under Dictionary select: Radius
✓ Select Radius/NAS-Port-Type

✓ Select Equals: Ethernet


✓ Click Use
✓ Select Default Network Access for Allowed Protocols

Objective: Authentication Policy

✓ Click ">" to view the policy

✓ Expand Authentication Policy

✓ For the Default rule select Use: EVE_Sequence

Objective: Create Corporate PC Authorization Policy

✓ Navigate to Authorization Policy


✓ Expand Authorization Policy


✓ Click “+” To add New rule

✓ Name: AD_PC_RULE
✓ Click “+” For new Condition

✓ Select Tab: Identity Group


✓ Select: ad.eve.lab/ExternalGroups

✓ Select Equal: eve.lab/Users/Domain Computers


✓ Click: Use


✓ Select Profiles: WIRED_AD_ONLY_PROFILE


✓ Select Security Group: Employees

Objective: Create Corporate User Authorization Policy

✓ Navigate to AD_PC_RULE/Actions/Insert new rule below

✓ Name: AD_USER_ACCESS
✓ Click “+” to add New conditions

✓ Select Tab: Identity Group


✓ Attribute: ad.eve.lab/ExternalGroups
✓ Equals: eve.lab/Users/Domain Users
✓ Click Use


✓ Click New for another condition in this rule

✓ Select Tab: Unclassified


✓ Select Dictionary: Network Access
✓ Select Attribute: WasMachineAuthenticated
✓ Equals: True
✓ Click Use

✓ Select Profiles: WIRED_PERMIT_ALL_PROFILE


✓ Select Security Group: Employees


Objective: MAB Authorization Policy (EVE PRO Lab with Android)

✓ Navigate to AD_USER_ACCESS/Actions/Insert new rule below

✓ Name: MAB_RULE
✓ Click “+” to add New conditions

✓ Select Tab Identity Group


✓ Attribute: Name

✓ Equals: Endpoint Identity Groups: Profiled: Android

✓ Click: New to add another condition


✓ Select Tab: Unclassified
✓ Select Condition: Normalized Radius/Radius FlowType

✓ Equals: WiredMAB


✓ Click Use

✓ Select Profiles: MAB_DHCP_PROFILE


✓ Select Security Groups: BOYD

Objective: Save Authorization Policy

✓ Click SAVE below
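The policy set built above is evaluated top-down: first the policy set condition (location, device type, NAS-Port-Type), then the authorization rules in order, with the built-in Default rule denying whatever nothing else matched. The following Python script is an added example and not part of the original lab guide or of ISE; it reproduces that rule order and the match conditions as an evaluator over constructed session attributes so the effect of the ordering and of the WasMachineAuthenticated condition can be checked before a client touches the switch. The attribute names are the ones the lab uses; the "All Locations#My LAN" hierarchy strings, the RadiusFlowType values and all session values are assumptions for the demo.

```python
"""Model of the EVE-POLICY policy set from section XII.

Added example, not part of the original lab guide or of ISE. Rule names,
conditions, profiles and security groups come from the guide; the attribute
encodings and the sample sessions are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    device_location: str                 # DEVICE:Location
    device_type: str                     # DEVICE:Device Type
    nas_port_type: str                   # Radius:NAS-Port-Type
    flow_type: str                       # Normalised Radius:RadiusFlowType
    external_groups: list = field(default_factory=list)  # ad.eve.lab ExternalGroups
    endpoint_group: str = "Unknown"      # Endpoint Identity Group name
    was_machine_authenticated: bool = False  # Network Access:WasMachineAuthenticated


def policy_set_matches(s):
    """All three policy set conditions must hold, else the request goes to the next policy set."""
    return (s.device_location == "All Locations#My LAN"
            and s.device_type == "All Device Types#LAN Switches"
            and s.nas_port_type == "Ethernet")


# Authorization rules in the order the lab inserts them; first match wins.
AUTHZ_RULES = [
    ("AD_PC_RULE",
     lambda s: "eve.lab/Users/Domain Computers" in s.external_groups,
     ("WIRED_AD_ONLY_PROFILE", "Employees")),
    ("AD_USER_ACCESS",
     lambda s: ("eve.lab/Users/Domain Users" in s.external_groups
                and s.was_machine_authenticated),
     ("WIRED_PERMIT_ALL_PROFILE", "Employees")),
    ("MAB_RULE",
     lambda s: s.endpoint_group == "Android" and s.flow_type == "WiredMAB",
     ("MAB_DHCP_PROFILE", "BOYD")),
]
DEFAULT_RULE = ("Default", ("DenyAccess", None))


def authorize(s):
    """Return (rule name, authorization profile, security group) for a session."""
    if not policy_set_matches(s):
        return ("policy set not matched", None, None)
    for name, cond, (profile, sgt) in AUTHZ_RULES:
        if cond(s):
            return (name, profile, sgt)
    name, (profile, sgt) = DEFAULT_RULE
    return (name, profile, sgt)


# Constructed sessions mirroring the verification steps of sections XIV to XVI.
LAB_SWITCH = dict(device_location="All Locations#My LAN",
                  device_type="All Device Types#LAN Switches",
                  nas_port_type="Ethernet")

JOHN_PC_MACHINE = Session(**LAB_SWITCH, flow_type="Wired802_1x",
                          external_groups=["eve.lab/Users/Domain Computers"])
JOHN_USER_AFTER_MACHINE = Session(**LAB_SWITCH, flow_type="Wired802_1x",
                                  external_groups=["eve.lab/Users/Domain Users"],
                                  was_machine_authenticated=True)
# Same domain user, but this port never saw a machine authentication (for
# example a non-domain laptop using borrowed AD credentials): falls to Default.
JOHN_USER_NO_MACHINE = Session(**LAB_SWITCH, flow_type="Wired802_1x",
                               external_groups=["eve.lab/Users/Domain Users"])
ANDROID_MAB = Session(**LAB_SWITCH, flow_type="WiredMAB", endpoint_group="Android")
UNKNOWN_MAB = Session(**LAB_SWITCH, flow_type="WiredMAB")      # not yet profiled
WIRELESS_REQUEST = Session(device_location="All Locations#My LAN",
                           device_type="All Device Types#LAN Switches",
                           nas_port_type="Wireless - IEEE 802.11",
                           flow_type="Wireless802_1x",
                           external_groups=["eve.lab/Users/Domain Users"],
                           was_machine_authenticated=True)

if __name__ == "__main__":
    for label, s in [("John-PC machine auth", JOHN_PC_MACHINE),
                     ("johndoe after machine auth", JOHN_USER_AFTER_MACHINE),
                     ("johndoe without machine auth", JOHN_USER_NO_MACHINE),
                     ("Android MAB", ANDROID_MAB),
                     ("unknown MAC via MAB", UNKNOWN_MAB),
                     ("wireless request", WIRELESS_REQUEST)]:
        print(f"{label:30} -> {authorize(s)}")
```

Two cases are worth noting. A valid domain user whose PC did not first pass machine authentication gets DenyAccess, which is the point of the WasMachineAuthenticated condition: AD credentials alone are not enough, the endpoint must be a domain computer. In real ISE that attribute is backed by the machine access restriction cache keyed on the endpoint MAC, so it also expires; the model only shows the rule logic. The second case is the unprofiled MAC, which is exactly the failed Android attempt the guide shows in section XVI before the endpoint is placed in the Android group.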

XIII. Lab Switch Ports configuration DOT1x and MAB


Objective: Configure lab switch ports

✓ Open the SW switch console and configure the following:

interface Ethernet1/0
 description win10 node
 switchport access vlan 20
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable

interface Ethernet1/1
 description win7 node
 switchport access vlan 20
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable

interface Ethernet1/2
 description Tablet EVE Pro lab with Android
 switchport access vlan 30
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable

Note: authentication open on Ethernet1/2 is pre-authentication open access (monitor mode): the tablet can pass traffic before its MAB session is authorized; once ISE authorizes it, the downloaded DACL still applies. The two Windows ports do not have it, so they pass nothing until ISE returns an Access-Accept. Also note that spanning-tree bpdufilter enable configured on an interface makes that port drop received BPDUs silently, so the bpduguard line after it never triggers; if you want a port to err-disable when a switch is plugged in, keep only bpduguard on it.

XIV. Windows 10 Dot1x Authentication


Objective: Configure the Windows 10 PC for dot1x authentication

✓ Open Windows 10
✓ Navigate to Windows Control Panel, Administrative Tools/Services
✓ Make sure the Wired AutoConfig service is enabled and running
✓ If it is not running, log off Windows and log in as Administrator
✓ Login: eve\administrator, Password: Test123
Note: this is the domain administrator user set previously on Windows Server 2019


✓ Navigate to Start/Settings/Network & Internet


✓ Navigate to Advanced Network Settings/Change Adapter Settings
✓ Right click on ethernet adapter and choose Properties.
Note: Windows 10 will ask for administrator rights; log in to the PC as administrator (Username: eve\administrator, Password: Test123)

✓ Select Tab Authentication


✓ Check Enable IEEE 802.1X authentication


✓ Click Settings next to "Choose a network authentication method"

✓ Unselect "Verify the server's identity by validating the certificate"
Note: this is disabled only because the lab does not install a certificate on ISE that the PCs trust. With validation off the supplicant will hand its domain credentials to any RADIUS server that answers on the port, so in production leave it enabled and trust the CA that issued the ISE EAP certificate.
✓ Click Select Authentication Method: Configure
✓ Check: "When connecting, automatically use my Windows logon name and password (and domain if any)"
✓ Click OK 2 times

✓ Click Additional Settings

✓ Check Specify authentication mode
✓ Choose User or computer authentication
✓ Click OK 2 times


✓ Reboot Windows 10

Objective: Windows 10 Verification

Note: after the Windows 10 machine reboots, do not log in to it; check the results on the switch first:

✓ Issue the command show access-lists

You must notice that DACL PERMIT_AD_ONLY is in use. This means the computer (machine) authentication succeeded: your Windows 10 received an IP address and can communicate with the AD server, but nothing else yet.
SW#sh access-lists
Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-user)
    1 permit udp any eq bootpc any eq bootps
    2 permit udp any any eq domain
    3 permit ip any host 10.1.1.201
SW#

✓ Navigate to ISE management/Operations/Live Logs


✓ You must see that John-PC (the computer account) is authenticated and has been assigned WIRED_AD_ONLY_PROFILE only

✓ Now log in to the Windows 10 John-PC as user johndoe with password Gold2021
✓ Go back to the switch and issue show access-lists again. The ACL has changed to permit all: the user authentication replaced the machine session and matched AD_USER_ACCESS, because WasMachineAuthenticated is now True
SW#sh access-lists
Extended IP access list xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43 (per-user)
    1 permit ip any any
SW#

✓ Navigate to ISE management/Operations/Live Logs again

✓ Now you will see that user John Doe is authenticated and assigned WIRED_PERMIT_ALL_PROFILE

XV. Windows 7 Dot1x Authentication


Objective: Configure the Windows 7 PC for dot1x authentication

✓ Reboot Windows 7 and log in as eve\administrator, password Test123
✓ Navigate to Windows Control Panel, Administrative Tools/Services
✓ Make sure the Wired AutoConfig service is enabled and running


✓ Navigate to Control panel/Network and Internet/Network and Sharing center


✓ Navigate to Change Adapter Settings
✓ Right click on ethernet adapter and choose Properties.
✓ Select Tab Authentication
✓ Check Enable IEEE 802.1X authentication

✓ Click Choose a network authentication method Settings


✓ Unselect Verify the Server’s identity by validating the certificate
✓ Click on Select Authentication Method: Configure
✓ Check: When connecting, Automatically use my Windows Logon name and password
and domain if any
✓ Click OK 2 times


✓ Click Additional Settings


✓ Check Specify authentication mode
✓ Choose User or Computer authentication
✓ Click OK 2 times


✓ Reboot Windows 7

Objective: Windows 7 Verification

Note: after the Windows 7 machine reboots, do not log in to it; check the results on the switch first:

✓ Issue the command show access-lists

You must notice that DACL PERMIT_AD_ONLY is in use. This means the computer (machine) authentication succeeded: your Windows 7 received an IP address and can communicate with the AD server, but nothing else yet.
SW#sh access-lists
Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-user)
    1 permit udp any eq bootpc any eq bootps
    2 permit udp any any eq domain
    3 permit ip any host 10.1.1.201
SW#

✓ Navigate to ISE management/Operations/Live Logs

✓ You must see that Jenny-PC (the computer account) is authenticated and has been assigned WIRED_AD_ONLY_PROFILE only

✓ Now log in to the Windows 7 Jenny-PC as user jennydoe with password Silver2021
✓ Go back to the switch and issue show access-lists again. The ACL has changed to permit all, because the user session matched AD_USER_ACCESS
SW#sh access-lists
Extended IP access list xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43 (per-user)
    1 permit ip any any
SW#

✓ Navigate to ISE management/Operations/Live Logs again

✓ Now you will see that user Jenny Doe is authenticated and assigned WIRED_PERMIT_ALL_PROFILE


XVI. Android Tablet Authentication


Objective: Configure Android device MAB authentication (EVE PRO Lab with Android)

✓ Boot the Android device

✓ Navigate to ISE management/Operations/Live Logs
You will notice that the authentication failed: the tablet has no 802.1X supplicant, so the port falls back to MAB, and its MAC is not yet in the Android endpoint group that MAB_RULE requires, so the Default rule denies it.

✓ Navigate to ISE management/Context Visibility/Endpoints

✓ Select the rejected Android device, and click Edit

✓ Description: Android
✓ Policy Assignment: Android, and check Static Assignment
✓ Identity Group Assignment: Android, and check Static Group Assignment
✓ Click Save


✓ Issue command show access-lists


✓ You must notice that EVE_DHCP_ACL is in use. This means your Android device has received an IP address; note that this DACL permits only the DHCP exchange, so the tablet has no further network access through this port.
SW#sh access-lists
Extended IP access list xACSACLx-IP-EVE_DHCP_ACL-5fe79837 (per-user)
    1 permit udp any eq bootpc any eq bootps
SW#

✓ Navigate to ISE management/Operations/Live Logs again


✓ Now you will see that Android device is authenticated and assigned to
MAB_DHCP_PROFILE

XVII. Final verification


Objective: Check the authentication sessions for MAB and dot1x

✓ Issue the command show authentication sessions

✓ You must see that the Windows nodes are authenticated by dot1x and the Android device by MAB, all with status Auth:
SW#sh authentication sessions

Interface  Identifier      Method  Domain  Status  Fg  Session ID
Et1/2      500a.0008.0000  mab     DATA    Auth        0A0101FD0000001000292FE5
Et1/0      500a.0005.0000  dot1x   DATA    Auth        0A0101FD000000110034F2B6
Et1/1      500a.0007.0000  dot1x   DATA    Auth        0A0101FD0000001200354CBE

Session count = 3
SW#

✓ Navigate to ISE management/Operations/Live Logs again and confirm that all three sessions show the expected authorization profile

✓ Navigate to ISE management/Context Visibility/Endpoints
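The two switch outputs the guide uses for verification can be checked by script instead of by eye, which is useful once the lab is repeated or extended. The following Python script is an added example, not part of the original lab guide: the two "show" outputs quoted above are embedded as constructed sample text, parsed, and compared with what the lab expects (dot1x on the Windows ports, MAB on the tablet port, every session in status Auth, and at least one ISE per-user DACL present on the switch). The same functions can be run over real output pasted from the switch; the expected-method table is an assumption taken from the port descriptions.

```python
"""Parse and check the switch verification output from sections XIV to XVII.

Added example, not part of the original lab guide. The sample outputs below
are constructed from the lines quoted in the guide.
"""
import re

SHOW_AUTH_SESSIONS = """\
Interface  Identifier      Method  Domain  Status  Fg  Session ID
Et1/2      500a.0008.0000  mab     DATA    Auth        0A0101FD0000001000292FE5
Et1/0      500a.0005.0000  dot1x   DATA    Auth        0A0101FD000000110034F2B6
Et1/1      500a.0007.0000  dot1x   DATA    Auth        0A0101FD0000001200354CBE
Session count = 3
"""

SHOW_ACCESS_LISTS = """\
Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-user)
    1 permit udp any eq bootpc any eq bootps
    2 permit udp any any eq domain
    3 permit ip any host 10.1.1.201
Extended IP access list xACSACLx-IP-EVE_DHCP_ACL-5fe79837 (per-user)
    1 permit udp any eq bootpc any eq bootps
"""

# One row of 'show authentication sessions'; the Fg (flags) column may be empty.
SESSION_RE = re.compile(
    r"^(?P<iface>\S+)[ \t]+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})[ \t]+"
    r"(?P<method>dot1x|mab|webauth)[ \t]+(?P<domain>\S+)[ \t]+(?P<status>\S+)[ \t]+"
    r"(?:(?P<flags>\S+)[ \t]+)?(?P<session_id>[0-9A-F]{16,})[ \t]*$", re.M)

# ISE names a downloaded ACL xACSACLx-IP-<DACL name>-<hash>.
DACL_RE = re.compile(
    r"^Extended IP access list xACSACLx-IP-(?P<name>\S+?)-(?P<hash>[0-9a-f]{8}) \(per-user\)")
ACE_RE = re.compile(r"^\s*\d+\s+(?=(?:permit|deny)\s)")


def parse_sessions(text):
    """Return {interface: {mac, method, domain, status, session_id}}."""
    return {m["iface"]: {k: m[k] for k in ("mac", "method", "domain", "status", "session_id")}
            for m in SESSION_RE.finditer(text)}


def parse_dacls(text):
    """Return {DACL name: [ACE strings]} for the per-user ACLs in 'show access-lists'."""
    result, current = {}, None
    for line in text.splitlines():
        m = DACL_RE.match(line)
        if m:
            current = m["name"]
            result[current] = []
        elif current and ACE_RE.match(line):
            result[current].append(ACE_RE.sub("", line))
        else:
            current = None      # any other line ends the current per-user ACL block
    return result


# Expected authentication method per port, from the interface descriptions in section XIII.
EXPECTED_METHOD = {"Et1/0": "dot1x", "Et1/1": "dot1x", "Et1/2": "mab"}


def verify(sessions_text, acl_text):
    """Return a list of findings; an empty list means the switch state matches the guide."""
    findings = []
    sessions = parse_sessions(sessions_text)
    for iface, method in EXPECTED_METHOD.items():
        s = sessions.get(iface)
        if s is None:
            findings.append(f"{iface}: no session")
        elif s["method"] != method:
            findings.append(f"{iface}: expected {method}, got {s['method']}")
        elif s["status"] != "Auth":
            findings.append(f"{iface}: status {s['status']}")
    if not parse_dacls(acl_text):
        findings.append("no ISE per-user DACL downloaded to the switch")
    return findings


if __name__ == "__main__":
    for iface, s in parse_sessions(SHOW_AUTH_SESSIONS).items():
        print(iface, s)
    for name, aces in parse_dacls(SHOW_ACCESS_LISTS).items():
        print(name, aces)
    print("findings:", verify(SHOW_AUTH_SESSIONS, SHOW_ACCESS_LISTS) or "none")
```

A session that shows up with the wrong method (for example a Windows port falling back to MAB because the supplicant is off) or with a status other than Auth is reported as a finding, which is the same condition you would otherwise spot by reading the table.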
