In a perfect world, you could authenticate your hosts onto the network with either dot1x or going through a guest portal but the reality is that not every device connected to your network will have the ability to navigate the guest flow or utilize dot1x. Unfortunately, most of us don't live in a perfect world and have to connect devices to our networks such as phones, IP cameras, printers, badge readers, access points, etc so for that reason, profiling comes in. What ISE will do is gather a series of attributes from the NADs that the endpoints are connected to and based on those collections of attributes, ISE is able to make a determination of what kind of device that endpoint is
In this post, I'm going to configure Hotspot access. Hotspot access is a little different than regular guest access in ISE. The use case for Hotspot is where you might want to allow guests to access the internet without issuing them credentials or directly identifying them but still have some level of control. An example of this is if you own a chain of retail stores and you want to give your customers guest access to the internet and you don't want them to have to self-register or disclose information about their identity. Hotspot would be the solution to provide access. With Hotspot access, you can have a branded portal for marketing reasons, have the user accept an AUP for legal reasons, redirect them to your company's page or maybe a webpage with the latest deals/coupons, and you can even have them enter an access code that you have displayed in this location to reduce random connections to the network from users not location in the establishment.
In this post, I'm going to create my guest wireless policy. Guest access is typically what you think of when you visit a company, connect to the wireless and then get a splash page to enter some sort of credentials you were either provided or you self-register to get your own credentials. I'm going to create a basic guest wireless policy but I'll walk you through some of the different options you can use with this policy if you want to play around with this in your own lab or you're looking to deploy this in your production network.
In this guide, I'm going to walk through MDM integration with ISE. MDM is used to deploying, securing, monitoring, integrating and managing mobile devices in the workplace. The MDM software that is download to the mobile device can control the distribution of application and patches as well as control data and configuration on the endpoint.
In this post, I'm going to walk through the BYOD policy configuration. This policy will be pushing certificate to my users via the SCEP profile we previously created inside ISE. I'll walk through some of the different options you can configure in this policy but overall, I'm going to keep the policy itself pretty simple.
In this next post, I'm going to walk through the policy creation for dot1x for wired and wireless access. As stated in a previous post, I'm going to be using PEAP-EAP-TLS but there are many different methods you can use. I'm also going to configure differentiated access based on a user's role to demonstrate some of the possibilities with ISE.
In this post, I am going to configure my wireless controller to use ISE for AAA, set up my SSIDs, and configure other basic settings. I'm going to start from the initial installation of the Virtual Wireless Controller and go through those steps. After I have that completed, I will set up all the initial configurations you will need in order to have the Wireless Controller use ISE.
In this blog post, I'm going to set up my 3650 switch with basic Layer 2, Layer 3 and dot1x configurations. I'll walk through some of the basic configurations and explain why I'm configuring it as I am.
In this blog post, I'm going to add my network access devices (NADs) to my ISE deployment. These are the devices that will be sending RADIUS requests and profiling information to ISE about endpoints on the network and, depending on the policy, ISE will be returning an authorization profile which will give the access device instructions on how to treat that endpoint.
This post is going to be focused on the rest of the initial configurations that I like to tweak on ISE as I'm setting it up and that don't warrant their own post. I'll go through some of the optimizations and configurations I like to set as well as try to explain why I do so.
In this post, we are going to enable the pxGrid services for our ISE node and configure the Identity Mapping Service between ISE and Active Directory. The Identity Mapping service enables ISE to monitor users that are authenticated by a domain controller and not by ISE. This will add additional visibility for ISE outside of the endpoints that are directly using ISE for AAA services. It is able to gather this information by connecting to Active Directory using the Microsoft WMI interface and by querying logs from the Windows event messaging.
In this next post, we are going to create the Certificate Authentication Profiles. This profile is necessary for our authentication methods that we will create in later posts. Since we will be using an EAP certificate-based authentication method in our policy, ISE will compare the certificate received from a client with the one in the server to verify the authenticity of a user or computer. This is considered a much more secure method than the traditional username and password method.
Certificates are crucial to the operation of Identity Services Engine. Some of the uses that ISE for certificates include the following: dot1x authentication, Pxgrid communication, adding and communicating with new ISE nodes, BYOD, etc. Unless you are using a single ISE node on the network with only a Guest portal and basic profiling, this is going to be a post that you'll want to follow along with as much as possible.
Now that we have Active Directory configured, we're going to start setting up ISE. I'm going to walk through basic bootstrapping of ISE and how to join it to the Active Directory domain in this post. I'm using ISE 2.0 in my lab which is the latest version of ISE as of this post but the process for bootstrapping and joining to an Active Directory domain remains unchanged from previous versions.
At this point, we've added our roles, created Certificate Templates, pushed out a GPO, and laid the groundwork for Pxgrid Identity Mapping. This is the point where I finish up with some last minute housekeeping items and run a couple of tests.
When configuring ISE Pxgrid integration with Active Directory, there are certain audit settings and permissions that need to be set in order to allow the information to pass to ISE. If you've ever configured Cisco Context Directory Agent, you're about to receive a blast from the past. This is because the settings and permissions are exactly the same.
This is where we're going to create our group policy to push down to our clients. The idea of pushing the settings down to users via GPO is to make security mandatory but also try to make it as transparent to a user as possible. Little things such as pushing the dot1x SSID information and enabling the users to auto-connect to the SSID when in range goes a long way to user experience. Likewise, having your users automatically be enrolled with a user certificate and their NIC card settings automatically configured increases the transparency of ISE from a user perspective. Ideally, the users should never know ISE is there authenticating and authorizing their corporate computers and acting as the gatekeeper between them and the rest of the network UNLESS a policy is violated somehow.
Certificate Templates will play a big role in ISE and Pxgrid integration in our lab and most likely in any production rollout of ISE. While recent versions of ISE do support using ISE as a certificate authority, most implementations of ISE that I've seen implemented leverage an Active Directory Certificate Authority. In later blog posts, I might end up going through a lot of these same steps using the ISE CA instead but I'd rather cover what's going to be used in the majority of implementations first.
If you're implementing any of this in production, you probably have a domain controller and Certificate Authority in place already. Depending on what you plan on using ISE for though, there are settings that you might need to adjust. Since this is a lab environment that I'm setting up, I'm going to make an assumption that you might be setting up a lab as well and walk you through some of the things I do as I'm setting it up.
As versions and tools change, I wanted to make a note of the hardware and version I'm currently using in my lab. I also want to use this post to give you a roadmap of what I plan on posting in the near future on this blog.