Feedback
Table Of Contents
Switch Configuration Required to Support Cisco ISE Functions
Enable Your Switch to Support Standard Web Authentication
Define a Local User Name and Password for Synthetic RADIUS Transactions
Set the NTP Server to Ensure Accurate Log and Accounting Timestamps
Enable RADIUS Change of Authorization (CoA)
Enable Device Tracking and DHCP Snooping
Enable 802.1X Port-Based Authentication
Use EAP for Critical Authentications
Throttle AAA Requests Using Recovery Delay
Define VLANs Based on Enforcement States
Define Local (Default) ACLs on the Switch
Enable Cisco Security Group Access Switch Ports
Send Syslog Messages to Cisco ISE
Enable SNMP v3 Query for Profiling
Enable MAC Notification Traps for Profiler to Collect
Set the Logging Source-Interface for ISE Monitoring
Configure NADs for ISE Monitoring
Switch Configuration Required to Support Cisco ISE Functions
To ensure Cisco ISE is able to interoperate with network switches and functions from Cisco ISE are successful across the network segment, you need to configure network switches with the necessary NTP, RADIUS/AAA, 802.1X, MAB, and other settings for communication with Cisco ISE, according to the following topics:
•
Enable Your Switch to Support Standard Web Authentication
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Enable Your Switch to Support Standard Web Authentication
Ensure you include the following command lines in your switch configuration to enable standard Web Authenticating functions for Cisco ISE, including provisions for URL redirection upon authentication.
ip classlessip route 0.0.0.0 0.0.0.0 10.1.2.3ip http server! Must enable HTTP/HTTPS for URL-redirection on port 80/443ip http secure-serverDefine a Local User Name and Password for Synthetic RADIUS Transactions
Use this function to enable the switch to talk to the Cisco ISE node as though it is the RADIUS server for this network segment.
username test-radius password 0 cisco123Set the NTP Server to Ensure Accurate Log and Accounting Timestamps
Be sure to specify the same NTP server as is set in Cisco ISE at Administration > System > Settings > System Time.
ntp server <IP_address>|<domain_name>Enable AAA Functions
Use the following command lines to enable the various AAA functions between the switch and Cisco ISE, including 802.1X and MAB authentication functions.
aaa new-model! Creates an 802.1X port-based authentication method listaaa authentication dot1x default group radius! Required for VLAN/ACL assignmentaaa authorization network default group radius! Authentication & authorization for webauth transactionsaaa authorization auth-proxy default group radius! Enables accounting for 802.1X and MAB authenticationsaaa accounting dot1x default start-stop group radius!aaa session-id common!aaa accounting update periodic 5! Update AAA accounting information periodically every 5 minutesaaa accounting system default start-stop group radius!aaa server radius dynamic-author <cr>client 10.0.56.17 server-key cisco! Enables ISE to act as a AAA server when interacting with the client at IP address 10.0.56.17RADIUS Servers Configuration
Configure the switch to interoperate with Cisco ISE acting as the RADIUS source server.
!radius-server attribute 6 on-for-login-auth! Include RADIUS attribute 8 in every Access-Requestradius-server attribute 8 include-in-access-req! Include RADIUS attribute 25 in every Access-Requestradius-server attribute 25 access-request include! Wait 3 x 30 seconds before marking RADIUS server as deadradius-server dead-criteria time 30 tries 3!! Use RFC-standard ports (1812/1813)radius-server host <Cisco_ISE_IP_address> auth-port 1812 acct-port 1813 test username test-radius key 0 <RADIUS-KEY>!radius-server vsa send accountingradius-server vsa send authentication!! send RADIUS requests from the MANAGEMENT VLANip radius source-interface <VLAN_number>
Note
Enable RADIUS Change of Authorization (CoA)
Specify the settings here to ensure the switch is able to appropriately handle RADIUS Change of Authorization behavior supporting Posture functions from Cisco ISE.
aaa server radius dynamic-authorclient <ISE-IP> server-key 0 cisco123
Note
Enable Device Tracking and DHCP Snooping
To help provide optional security-oriented functions from Cisco ISE, you can enable device tracking and DHCP snooping for IP substitution in dynamic ACLs on switch ports.
! Optionalip dhcp snooping! Required!ip device trackingEnable 802.1X Port-Based Authentication
This command line turns 802.1X authentication on for switch ports, globally.
dot1x system-auth-controlUse EAP for Critical Authentications
To support supplicant authentication requests over the LAN, enable EAP for critical authentications (Inaccessible Authentication Bypass).
dot1x critical eapolThrottle AAA Requests Using Recovery Delay
When a critical authentication recovery event takes place, you can configure the switch to automatically introduce a delay (in seconds) to ensure Cisco ISE is able to launch services again following recovery.
authentication critical recovery delay 1000Define VLANs Based on Enforcement States
Use the following command lines to define the VLAN names, numbers, and SVIs based on known enforcement states in your network. Create the respective VLAN interfaces to enable routing between networks. This can be especially helpful to handle multiple sources of traffic passing over the same network segments—traffic from both PCs and the IP phone through which the PC is connected to the network, for example.
Note
vlan <VLAN_number>name ACCESS!vlan <VLAN_number>name VOICE!interface <VLAN_number>description ACCESSip address 10.1.2.3 255.255.255.0ip helper-address <DHCP_Server_IP_address>ip helper-address <Cisco_ISE_IP_address>!interface <VLAN_number>description VOICEip address 10.2.3.4 255.255.255.0ip helper-address <DHCP_Server_IP_address>ip helper-address <Cisco_ISE_IP_address>Define Local (Default) ACLs on the Switch
Enable these functions on older switches (with IOS releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization.
ip access-list extended ACL-ALLOWpermit ip any any!ip access-list extended ACL-DEFAULTremark DHCPpermit udp any eq bootpc any eq bootpsremark DNSpermit udp any any eq domainremark Pingpermit icmp any anyremark Pingpermit icmp any anyremark PXE / TFTPpermit udp any any eq tftpremark Allow HTTP/S to ISE and WebAuth portalpermit tcp any host <Cisco_ISE_IP_address> eq wwwpermit tcp any host <Cisco_ISE_IP_address> eq 443permit tcp any host <Cisco_ISE_IP_address> eq 8443remark Drop all the restdeny ip any any log!! The ACL to allow URL-redirection for WebAuthip access-list extended ACL-WEBAUTH-REDIRECTdeny ip any host <Cisco_ISE_IP_address>permit ip any anyEnable Cisco Security Group Access Switch Ports
To ensure Cisco ISE is able to interoperate with an existing Cisco Security Group Access deployment, use the following procedure to ensure you have enabled all of the functions necessary on the switch.
Step 1
interface range FastEthernet0/1-8Step 2
switchport mode accessStep 3
switchport access <VLAN_number>Step 4
switchport voice <VLAN_number>Step 5
! Enables pre-auth access before AAA response; subject to port ACLauthentication openStep 6
! An ACL must be configured to prepend dACLs from AAA server.ip access-group ACL-ALLOW in
Note
Note
Step 7
! Allow voice + multiple endpoints on same physical access portauthentication host-mode multi-auth
Note
Step 8
! Enable re-authenticationauthentication periodic! Enable re-authentication via RADIUS Session-Timeoutauthentication timer reauthenticate serverauthentication event fail action next-methodauthentication event server dead action authorize <VLAN_number>authentication event server alive action reinitialize! IOS Flex-Auth authentication should do 802.1X then MABauthentication order dot1x mabauthentication priority dot1x mabStep 9
! Enables port-based authentication on the interfaceauthentication port-control autoauthentication violation restrictStep 10
! Enable MAC Authentication Bypass (MAB)mabStep 11
! Enables 802.1X authentication on the interfacedot1x pae authenticatorStep 12
dot1x timeout tx-period 10
Note
Step 13
spanning-tree portfastSend Syslog Messages to Cisco ISE
To ensure Cisco ISE is able to compile appropriate syslog messages from the switch, use the following commands. The logs should be sent to the Cisco ISE node with the Monitor persona.
logging monitor informationallogging origin-id iplogging source-interface <interface_id>logging host <syslog_server_IP_address_x> transport udp port 20514Enable EPM Logging
Set up standard logging functions on the switch to support possible troubleshooting/recording for Cisco ISE functions.
epm loggingEnable SNMP Traps
Ensure the switch is able to receive SNMP trap transmissions from Cisco ISE over the appropriate VLAN in this network segment.
snmp-server community public ROsnmp-server trap-source <VLAN_number>Enable SNMP v3 Query for Profiling
Configure the switch to ensure SNMP v3 polling takes place as intended to support Cisco ISE profiling services. First, configure the SNMP settings in Cisco ISE at Administration > Network Resources > Network Devices >Add | Edit > SNMP Settings. See "Table 6-2 Network Devices List Page: SNMP Settings" on page 6-5 for details.
Snmp-server user <name> <group> v3 auth md5 <string> priv des <string>snmp-server group <group> v3 privsnmp-server group <group> v3 priv context vlan-1
Note
If the SNMP Request times out and there is no connectivity issue, then you can increase the Timeout value.
Enable MAC Notification Traps for Profiler to Collect
Configure your switch to transmit the appropriate MAC notification traps so that the Cisco ISE Profiler function is able to collect information on network endpoints.
mac address-table notification changemac address-table notification mac-movesnmp trap mac-notification change addedsnmp trap mac-notification change removedSet the Logging Source-Interface for ISE Monitoring
Normally, a syslog message contains the IP address of the interface it uses to leave the router. The logging source-interface command specifies that syslog packets contain the IP address of a particular interface, regardless of which interface the packet uses to exit the router. ISE monitoring requires that the logging source-interface configuration use the network access server (NAS) IP address.
To configure a switch for ISE monitoring, specify the interface that was configured with the NAS IP address. The NAS IP address is the IP address used to add the switch as a AAA client in ISE.
Use the no form of this command to remove the source designation.
logging source-interface <type number>no logging source-interfaceSyntax Description
Defaults
No interface is specified.
Command Modes
Global configuration
Examples
In the following example, the NAS IP address is assigned to the Ethernet interface 0. The following command specifies the Ethernet interface 0 as the source IP address for all syslog messages:
logging source-interface ethernet 0Related Commands
The following table lists commands related to logging source-interface.
Configure NADs for ISE Monitoring
You can configure the network access devices (NADs) in your network to send syslog messages to the Monitoring ISE node. To do this, you must configure the logging port on the NAD to UDP 20514, and running a few other logging CLI commands.
To enable a NAD in your network to send syslog messages to the Monitoring ISE node, make the following configurations on the NAD through the CLI configuration mode:
•
The following NAD syslog messages are collected:
AP-6-AUTH_PROXY_AUDIT_START
AP-6-AUTH_PROXY_AUDIT_STOP
AP-1-AUTH_PROXY_DOS_ATTACK
AP-1-AUTH_PROXY_RETRIES_EXCEEDED
AP-1-AUTH_PROXY_FALLBACK_REQ
AP-1-AUTH_PROXY_AAA_DOWN
AUTHMGR-5-MACMOVE
AUTHMGR-5-MACREPLACE
MKA-5-SESSION_START
MKA-5-SESSION_STOP
MKA-5-SESSION_REAUTH
MKA-5-SESSION_UNSECURED
MKA-5-SESSION_SECURED
MKA-5-KEEPALIVE_TIMEOUT
