ISE 2.0 - Understanding Policy and Configuring Dot1x

In this next post, I'm going to walk through the policy creation for dot1x for wired and wireless access. As stated in a previous post, I'm going to be using PEAP-EAP-TLS but there are many different methods you can use. I'm also going to configure differentiated access based on a user's role to demonstrate some of the possibilities with ISE.

Wireless Controller Configuration

In this post, I am going to configure my wireless controller to use ISE for AAA, set up my SSIDs, and configure other basic settings. I'm going to start from the initial installation of the Virtual Wireless Controller and go through those steps. After I have that completed, I will set up all the initial configurations you will need in order to have the Wireless Controller use ISE.

ISE 2.0 - Adding Network Access Devices

In this blog post, I'm going to add my network access devices (NADs) to my ISE deployment. These are the devices that will be sending RADIUS requests and profiling information to ISE  about endpoints on the network and, depending on the policy, ISE will be returning an authorization profile which will give the access device instructions on how to treat that endpoint. 

ISE 2.0 Initial Configuration - Enabling Services and Identity Mapping/PassiveID Configuration

In this post, we are going to enable the services for our ISE node and configure the Identity Mapping Service (known as PassiveID in ISE 2.1) between ISE and Active Directory in this blog post. The Identity Mapping service enables ISE to monitor users that are authenticated by a domain controller and not by ISE. This feature will be useful for the EasyConnect configuration that I will go over in later posts. It is able to gather this information by connecting to Active Directory using the Microsoft WMI interface and by querying logs from the Windows event messaging. 

ISE 2.0 Initial Configuration - Creating Certificate Authentication Profiles

In this next post, we are going to create the Certificate Authentication Profiles. This profile is necessary for our authentication methods that we will create in later posts. Since we will be using an EAP certificate-based authentication method in our policy, ISE will compare the certificate received from a client with the one in the server to verify the authenticity of a user or computer. This is considered a much more secure method than the traditional username and password method. 

ISE 2.0 Initial Configuration - Adding Certificates to ISE

Certificates are crucial to the operation of Identity Services Engine. Some of the uses that ISE for certificates include the following: dot1x authentication, Pxgrid communication, adding and communicating with new ISE nodes, BYOD, etc. Unless you are using a single ISE node on the network with only a Guest portal and basic profiling, this is going to be a post that you'll want to follow along with as much as possible.

ISE 2.0 Initial Configuration - Bootstrapping and Joining to AD Domain

Now that we have Active Directory configured, we're going to start setting up ISE. I'm going to walk through basic bootstrapping of ISE and how to join it to the Active Directory domain in this post. I'm using ISE 2.0 in my lab which is the latest version of ISE as of this post but the process for bootstrapping and joining to an Active Directory domain remains unchanged from previous versions. 

Server 2012 Configuration - pxGrid Identity Mapping/PassiveID Settings

When configuring ISE Pxgrid integration with Active Directory, there are certain audit settings and permissions that need to be set in order to allow the information to pass to ISE. If you've ever configured Cisco Context Directory Agent, you're about to receive a blast from the past. This is because the settings and permissions are exactly the same.

Server 2012 Configuration - Group Policy Creation

This is where we're going to create our group policy to push down to our clients. The idea of pushing the settings down to users via GPO is to make security mandatory but also try to make it as transparent to a user as possible. Little things such as pushing the dot1x SSID information and enabling the users to auto-connect to the SSID when in range goes a long way to user experience. Likewise, having your users automatically be enrolled with a user certificate and their NIC card settings automatically configured increases the transparency of ISE from a user perspective. Ideally, the users should never know ISE is there authenticating and authorizing their corporate computers and acting as the gatekeeper between them and the rest of the network UNLESS a policy is violated somehow. 

Server 2012 Configuration - Certificate Templates

Certificate Templates will play a big role in ISE and Pxgrid integration in our lab and most likely in any production rollout of ISE. While recent versions of ISE do support using ISE as a certificate authority, most implementations of ISE that I've seen implemented leverage an Active Directory Certificate Authority. In later blog posts, I might end up going through a lot of these same steps using the ISE CA instead but I'd rather cover what's going to be used in the majority of implementations first. 

Server 2012 Configuration - Adding and Configuring Roles

If you're implementing any of this in production, you probably have a domain controller and Certificate Authority in place already. Depending on what you plan on using ISE for though, there are settings that you might need to adjust. Since this is a lab environment that I'm setting up, I'm going to make an assumption that you might be setting up a lab as well and walk you through some of the things I do as I'm setting it up.