ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community
Deployment Guide
Authors: Hariprasad Holla (until June 2018), Mahesh Nagireddy (until Dec 2018)
Table of Contents
Cisco ISE Secure Wired Access Prescriptive Deployment Guide
Table of Contents
Introduction
About Cisco Identity Services Engine (ISE)
What is Covered in This Document?
What is Not Covered in This Document?
About This Guide
Define
ISE Deployment Components
Authentication, Authorization, and Accounting (AAA)
Design
Design Considerations
End-Point Considerations
Network Device Considerations
Cisco Meraki Switching
https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515 2/186
8/11/23, 2:47 PM ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community
Introduction
About Cisco Identity Services Engine (ISE)
Cisco ISE is a leading, identity-based network access control and policy enforcement
system. It is a common policy engine for controlling end-point access and network
device administration for enterprises. ISE allows an administrator to centrally control
access policies for wired, wireless, and VPN end points in a network.
ISE builds contexts about endpoints, including users and groups (Who), device type
(What), access time (When), access location (Where), access type
(Wired/Wireless/VPN) (How), threats, and vulnerabilities. By sharing vital contextual
data with technology partner integrations and the implementation of the Cisco
TrustSec® policy for software-defined segmentation, ISE transforms a network from a
conduit for data into a security enforcer that accelerates the time-to-detection and
time-to-resolution of network threats.
The configuration examples listed in this document are working configurations that
have been validated on a Cisco Catalyst 9300 Series switch running Cisco IOS XE
Version 16.9.1 with Network Essential License and Cisco ISE Version 2.4.
The following are the IOS XE features and deployment variations described in this
document:
The Define section defines problem areas and provides information about how to plan for
deployment, and other considerations.
The Design section shows how to design a secure, wired access network.
The Deploy section provides information about various configuration and best practices.
The Operate section shows how to manage a wired access network controlled by Cisco ISE.
Define
This section provides a high-level overview of the wired access control solution,
the different authentication methods available during endpoint onboarding, the
problem areas to focus on, and the various authorization options.
Endpoints need network access and the network devices provide network access to
endpoints, based on instructions from ISE. ISE can optionally leverage external
services to understand more about the corresponding endpoints for policy decisions.
When it comes to rolling out an identity-based network, because these four parts of
the network are involved, various teams and individuals need to be engaged. Various
ISE use cases, such as Guest access, BYOD, Posture, and so on require endpoints
communicating to ISE via network devices.
Authentication, Authorization, and Accounting (AAA)
The core of IBNS is the idea of users and devices authenticating to ISE, and ISE
applying the appropriate network access authorization, using protocols such as EAP
and RADIUS. Network devices convey an endpoint’s session status to ISE via RADIUS
accounting messages. ISE gains visibility into the details of all the assets connecting
to the network and their location. An ISE administrator can permit or deny access to a
specific user or device, or to a specific group of assets, either on the fly or based on ISE
policy configurations.
Authentication Methodologies
IEEE 802.1X
MAB enables port-based access control using the MAC address of an endpoint. A
MAB-enabled port on the switch can be dynamically enabled or disabled based on
the MAC address of the device that connects to it. The MAC addresses of endpoints
must be whitelisted in a database that is present in ISE or in an external location in
order to grant network access to known endpoints. MAB is not truly an authentication
method; it functions more as an authentication bypass when an endpoint is unable to
perform 802.1X authentication. While MAB can protect networks from unauthorized
access, it is not a secure alternative to 802.1X because MAC addresses can be
spoofed easily.
Web Authentication
Web authentications are typically used to onboard guest users for internet access.
Cisco platforms provide a couple of options, Local Web Authentication (LWA) and
Central Web Authentication (CWA). In the former, web pages are hosted in network
devices such as a switch or a wireless LAN controller, and in the latter, all web portals
are hosted centrally on ISE. CWA, which is the preferred method, is typically a MAB
session with URL-redirect authorization on the switch port. Until the corresponding
endpoint is authenticated successfully, web traffic from the endpoint is redirected to
ISE via a login portal for end users to enter their credentials. Upon successful
authentication, ISE initiates a Change-of-Authorization (CoA) to permit additional
access.
EasyConnect
Of the various authentication options discussed until now, IEEE 802.1X is the most
secure and flexible authentication method. There are several EAP methods that allow
a variety of credential types to be handled, depending on the endpoint and the
environment type. Although the Web Authentication and EasyConnect options provide
the necessary user ID context for visibility and access control, they are constrained to
specific types of endpoints: for example, Web Authentication requires user interaction
and a device with a compatible web browser, and EasyConnect works only for
Windows Active Directory-managed endpoints. Finally, MAB is a less secure
authentication method and a fallback mechanism for IEEE 802.1X, but it is the easiest
option for configuring a basic level of controlled access.
Authorization Options
An ISE authorization policy is composed of authorization rules defined for specific
users and groups of users to permit, deny, or provide limited access to network
resources. Authorization profiles let you choose the attributes to be returned when a
RADIUS request is accepted or rejected, that is, with a RADIUS ACCESS-ACCEPT or
ACCESS-REJECT response. What "limited access" means may vary
from environment to environment. The question to be asked is, what should be
limited, and how?
firewalls. ISE can authorize endpoints to specific VLANs using a VLAN name or a
VLAN number. Also, in platforms such as Cisco Catalyst 2960X, 3650 Series, 3850
Series, and 9300 Series, VLANs can be applied on a per-MAC address basis.
using VLAN names rather than numbers. This will make your ISE
authorization easier to read, understand and maintain. When you have a
large switch, it is better to let the switch locally determine the actual VLAN
number assigned with a name.
URL Redirection
An access switch can redirect endpoints to specific URLs that are authorized by ISE
for redirection. Typically, URL redirection is towards the ISE nodes so that the
endpoints can carry out web authentication with ISE. However, endpoints can be
subject to custom URLs as part of RADIUS authorization from ISE. Custom AVPs are
used for URL redirection in an identity-based network.
Session-Aware Networking
ISE, along with Cisco Catalyst switches, implements session-aware networking, which
offers a consistent way to configure features across technologies, easy deployment and
feature customization, and a robust policy control engine. Under this model, a session
identifier is attached to an endpoint’s network access session (wired or wireless), and
the session ID is used for all reporting purposes, such as show commands, MIBs, and
RADIUS messages, allowing users to distinguish the messages of one session from those of
other sessions. This common session ID is used consistently across all authentication
methods and features applied to a session.
ISE can invoke the network device to enforce specific policies for the endpoint using
the Session ID. After the initial authorization, ISE issues a CoA by referencing the
same Session ID. Distinct access policies for the endpoints on the same port are
applied because of the separation maintained by the Session ID.
Design
Design Considerations
This section focuses on overall design considerations for a secure wired access
solution.
End-Point Considerations
There are a few important things to consider with regard to endpoints in an identity-
based network. Firstly, how will these endpoints authenticate to the network, and are
these using 802.1X, Web Authentication, or some other means? Secondly, do you
require custom agents to perform specific functions that the native supplicants in the
operating system cannot? And, finally, how should endpoints be configured for
appropriate access, for example, manual, using centralized management tools, and so
on?
Agents
For most secure wired access environments, an agent on an endpoint is
unnecessary. However, there are a few scenarios that can be handled only by a
Cisco AnyConnect endpoint agent:
Automation
It is a known fact that implementing port access control with 802.1X means
considerable changes to endpoints. Some of the changes pertain to supplicant
configurations, certificate installation (optional), and agent installation and setup
(optional). Rolling out these changes to thousands of endpoints requires a certain
degree of automation. Some of the options to automate supplicant configuration
are:
The global AAA and RADIUS server configurations govern how a switch talks to ISE, how
RADIUS transactions are load balanced, how frequently accounting updates are sent, and how
the switch handles failure scenarios when ISE is not reachable.
The endpoint side configuration includes interface level commands to handle specific
authentication methods such as 802.1X or MAC authentication bypass in a particular order.
The port configurations can be done using IBNS 1.0 or 2.0 methods, which is described next.
ISE might authorize an endpoint with a VLAN, ACL, SGT configuration or URL
redirection. Note that some authorization-related configurations have to be done
locally on the switch.
Apart from significant changes in the Cisco IOS components that handle identity-
based services, from an administration and operations perspective, there are
considerable differences between IBNS 1.0 and IBNS 2.0. As the figure above
depicts, in case of IBNS 1.0, which is sometimes referred to as legacy mode in CLI, a
switch’s local policy for handling an endpoint’s identity-based network access is all
contained within interface configurations (a list of interface commands applied to a
switch port). On the other hand, in case of IBNS 2.0, the configurations take the
structure of a Cisco Modular Quality of Service CLI (MQC). One or more subscriber
policies are used; these policies are defined by the policy-map command, which
classifies various endpoint events into classes that are defined by the <class-map>
command arguments. The various endpoint event classifications are subject to
specific actions, some of which are local and some of which are enforced on
instructions from ISE. The use of templates provides modularity, flexibility, and
reusability of certain policy objects within the switch platform.
There are several benefits to using IBNS 2.0 over IBNS 1.0. The following table
compares the two:
Phased Deployments
Enabling 802.1X on switch ports can be disruptive. The need for endpoints to prove
their identity with some sort of authentication before getting network access may not
work well for all device types. With wireless, this is the norm because the endpoints do
not simply plug into the network; rather, they have to be configured (for SSIDs) to connect to
the network. The notion of "configure, then connect" is built in from the ground up in the wireless
world, while the same is not the case on the wired side of networks. For decades,
the expectation has been that an endpoint gets an IP address the moment it plugs into
a wired Ethernet port.
1. Monitor Mode (Open Mode)– This mode enables authentication across the wired infrastructure,
while authorization is kept open. This means that irrespective of the endpoint’s authentication
status (success or failure), the port is always open. When a user plugs in a device after
monitor mode is enabled in the network, there is no impact to the end user irrespective of the
authentication status. Such a setting provides adequate visibility centrally for the security
operator to know how many endpoints authenticate successfully, how many fail, why they fail,
where they are located, and so on. After most of the failures are fixed, one of the two
enforcement modes below can be enabled. Note: Monitor Mode is not for validating enforcement of
more advanced authorization results such as Scalable Group Tags (SGTs), Scalable Group
ACLs (SGACLs), downloadable ACLs (dACLs), or even dynamic VLAN assignment. We simply
want the authentication server to send back a basic RADIUS Access-Accept or Access-Reject
to the authenticator (access switch).
2. Low-Impact Mode–This mode builds on the monitor mode. With open access in place, IP
ACLs are used to control pre-authentication and post-authentication network access. A Pre-
Auth ACL on the switch port controls network access before an endpoint can successfully
authenticate. A named or downloadable ACL that is received from ISE grants a specific level of
access upon successful authentication. The Low-Impact mode is ideal for Preboot
Execution Environment (PXE) boot environments, where thin clients have to download the
operating system from the network before attempting network authentication. Since devices
get an IP address immediately after they connect to the network, and authentication may take
place in parallel or later, we recommend that you do not make VLAN changes in the Low-
Impact mode.
3. Restricted Mode (Closed Mode)–In this mode, the port is closed by default. Only EAPoL
payloads are allowed for 802.1X authentication. Upon successful authentication, the
endpoints can have access to network services. Since endpoints do not acquire dynamic IP
addresses without authentication, this mode is ideal for VLAN authorizations.
ISE can be deployed as a standalone service or a cluster of multiple ISE nodes. While
the former is a good option for small-sized networks, the latter is the choice for
medium and large environments. Both standalone and multi-node ISE deployments
can be done on bare metal servers (Cisco Secure Network Server [SNS]) or on
supported Hypervisors.
Choose the deployment type and install option depending on your requirements. See
the ISE Performance & Scale page for more details about scale limitations and
performance numbers for each ISE deployment method.
Access switches need to talk to ISE servers for AAA. Typically, two or more RADIUS
servers are defined on the switches for AAA and CoA. For large networks involving
multiple PSNs per site, we recommend the use of Load Balancers. When Load
Balancers are used, the virtual IP addresses of these Load Balancers must be
configured as the RADIUS server IP addresses on the switches.
The following table summarizes the configuration practice that should be followed,
depending upon the type of deployment and whether Load Balancers are used or not.
ISE Licensing
Cisco ISE licensing provides the ability to manage the application features and
access, such as the number of concurrent endpoints that can use Cisco ISE network
resources. ISE requires one or more of the following three license packages to
service wired endpoints:
Base
Plus
Apex
However, for most of the AAA and access control services, the Base licenses will
suffice. For ISE to automatically detect the endpoint type using profiling service, and
to control access to them, both Base and Plus licenses are required. For deeper
visibility into applications and processes on endpoints and to control them, Apex
licenses are also needed. Note that all these licenses are applied to the endpoint’s
session that is active at a given point of time. Therefore, budgeting for adequate
licenses must not be on the total number of endpoints, but for an estimated number
of active endpoints at a probable peak duration. For more information about licenses,
see the Cisco ISE Ordering Guide.
Certificates
Certificates are used to identify ISE to an endpoint and also to secure the
communication between that endpoint and the ISE node. Certificates are used for all
HTTPS communication and Extensible Authentication Protocol (EAP) communication.
The following is a summary of the certificates and their use in the context of endpoint
authentication and access control:
We recommend that you do not use ISE self-signed certificates for production.
Instead, use a Certificate Authority-signed certificate on the ISE nodes for all
purposes. When dealing with internal endpoints that are managed by an organization,
an internal enterprise Public Key Infrastructure (PKI) can be used. For use cases such
as guest internet access and BYOD registration, ISE node certificates signed by a
public CA are recommended to avoid a poor user experience due to certificate warnings
on the endpoints. ISE has a built-in CA service, but this is largely limited to BYOD
identity and authentication. For more information about certificates, see How To:
Implement ISE Server-Side Certificates.
Deploy
This section focuses on deployment guidelines with various best practices to greatly
simplify secured wired implementations.
does not find a device definition for a particular IP address. For advanced flows (such
as SNMP, CDP, LLDP) you must add a separate device definition for each network device.
Note: In the example above, the switch is a VTP client and has the necessary
VLANs configured. Also, the uplink port connected to the data center is
configured as a trunk port. The management IP address for the switch can be
an SVI or a Loopback interface. Ensure that proper routing is set up between
the access switch and the ISE nodes.
3. Configure one or more ISE Policy Service nodes as RADIUS servers. Ensure that the RADIUS
key is identical to the shared secret configured on ISE:
c9300-Sw(config)#radius server ISE01
c9300-Sw(config-radius-server)#address ipv4 172.20.254.21 auth-port 1812 acct-
c9300-Sw(config-radius-server)#key ISEisC00L
c9300-Sw(config-radius-server)#exit
c9300-Sw(config)#
c9300-Sw(config)#radius server ISE02
c9300-Sw(config-radius-server)#address ipv4 172.20.254.22 auth-port 1812 acct-
c9300-Sw(config-radius-server)#key ISEisC00L
c9300-Sw(config-radius-server)#exit
Note: For networks with multi-vendor devices, it is recommended to use port
1812 for authentication and 1813 for accounting; however, ISE can receive
RADIUS authentication and accounting requests on either of the two port
number combinations.
4. Define a method list for the ISE RADIUS servers and use the switch management interface as
the RADIUS source interface:
c9300-Sw(config)#aaa group server radius ISE
c9300-Sw(config-sg-radius)#server name ISE01
c9300-Sw(config-sg-radius)#server name ISE02
c9300-Sw(config-sg-radius)#ip radius source-interface VLAN 254
5. Configure network authentication to use the RADIUS method list (in this example, ISE):
c9300-Sw(config)#aaa authentication dot1x default group ISE
6. Configure the switch for network (access) authorization via ISE RADIUS servers. This is for
network access authorization from ISE, such as dynamic VLAN assignment, downloadable
ACLs, URL redirection, and so on:
c9300-Sw(config)#aaa authorization network default group ISE
7. Configure the switch to send accounting information to ISE at endpoint session start and end
events:
c9300-Sw(config)#aaa accounting identity default start-stop group ISE
8. Configure the switch to send periodic accounting updates for active sessions once every two
days:
c9300-Sw(config)#aaa accounting update newinfo periodic 2880
2. Execute the following test command on the switch to validate whether the switch and ISE can
communicate over RADIUS and whether the credentials result in a passed or failed authentication.
test-user and test-password are not a real user name and password; these are placeholder values
used to test RADIUS communication between the switch and ISE.
Note: The Authen Requests Replied: 1 message in the output indicates that a
RADIUS server is responding to the switch’s requests. Such detailed output
for the test aaa command is available only from Cisco IOS Version 16.x.
3. Log in to the ISE web User Interface (UI) and navigate to Operations > RADIUS > Live Logs.
You should see one or two failed entries for the test-user identity, which indicates that
the switch and ISE are talking over RADIUS successfully.
When you click the Details icon corresponding to a test user, you will see
the reason for failure: 22056 Subject not found in the applicable identity
store(s), which means that the test user account cannot be found, which is
obvious at this stage of the deployment.
Another important thing to note is that the switch is using its management IP
address to communicate with ISE.
time-The time during which no properly formed response received from the ISE server.
tries-The number of consecutive timeouts that must occur on the switch before the RADIUS
server is marked dead.
2. When multiple RADIUS servers are defined and the primary server is unavailable, it is a good
practice to mark that server as dead for a period of time to improve the RADIUS response time. This prevents
RADIUS requests from being sent to a server whose status could be flapping.
The following example sets the dead time to 15 minutes:
c9300-Sw(config)#radius-server deadtime 15
3. With the configuration defined in the previous steps, the switch will mark the server as dead for the
amount of time specified in Step 2. When the dead time expires, the switch will mark the
server as alive again and begin sending RADIUS traffic to the server. If the RADIUS deadtime
is not specified, it defaults to a value of 0, which brings the server back to the UP state
right away. Because of this behavior, the RADIUS server state could flap, causing additional
authentication issues. To revert the server state back to the UP state before the specified
deadtime expires, a RADIUS probe can be configured. This will periodically test the RADIUS
server to see if it is responding to RADIUS requests. Upon receiving a response to a probe,
the switch will mark the RADIUS server as alive.
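The dead-criteria, deadtime and probe behaviour described in steps 1 to 3 above, as an added Python model (not code from the guide or from Cisco IOS). The dead-criteria values (time 5, tries 3), the 600-second outage, the 10-second request cadence and all function names are constructed assumptions; the model probes only while a server is dead, which is a simplification of automate-tester.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RadiusServerState:
    """Per-server view kept by the switch (constructed model, not IOS code)."""
    name: str
    dead_time_sec: int      # radius-server dead-criteria time <sec>
    dead_tries: int         # radius-server dead-criteria tries <n>
    deadtime_min: int       # radius-server deadtime <min>; 0 = never hold dead
    alive: bool = True
    consecutive_timeouts: int = 0
    first_timeout_at: Optional[int] = None
    dead_since: Optional[int] = None

    def record_timeout(self, now: int) -> bool:
        """A request got no well-formed reply. Returns True when the server
        is marked dead, i.e. both dead-criteria thresholds are crossed."""
        if not self.alive:
            return False
        if self.first_timeout_at is None:
            self.first_timeout_at = now
        self.consecutive_timeouts += 1
        if (self.consecutive_timeouts >= self.dead_tries
                and now - self.first_timeout_at >= self.dead_time_sec):
            self.alive = False
            self.dead_since = now
            return True
        return False

    def record_response(self, now: int) -> None:
        """Any reply, including an Access-Reject, proves the server is alive."""
        self.alive = True
        self.consecutive_timeouts = 0
        self.first_timeout_at = None
        self.dead_since = None

    def usable(self, now: int) -> bool:
        """A dead server is skipped until deadtime expires; with deadtime 0 it
        is eligible again on the very next request (the flapping case)."""
        if not self.alive and now - self.dead_since >= self.deadtime_min * 60:
            self.record_response(now)   # deadtime expired: assume alive again
        return self.alive


def simulate(deadtime_min: int, probe_interval_sec: Optional[int] = None,
             outage_end: int = 600, horizon: int = 1200,
             request_interval: int = 10) -> dict:
    """Constructed scenario: ISE01 is unreachable for the first `outage_end`
    seconds; the switch has a request for it every `request_interval` seconds.
    dead-criteria is time 5 tries 3. Returns counters for the whole run."""
    srv = RadiusServerState("ISE01", dead_time_sec=5, dead_tries=3,
                            deadtime_min=deadtime_min)
    stats = {"timeouts": 0, "dead_marks": 0, "skipped": 0, "first_success": None}
    next_probe = 0
    for now in range(0, horizon + 1, request_interval):
        server_up = now >= outage_end
        # automate-tester: while the server is dead, probe it on a fixed interval;
        # a probe that is answered marks the server alive before deadtime expires
        if probe_interval_sec and not srv.alive and now >= next_probe:
            next_probe = now + probe_interval_sec
            if server_up:
                srv.record_response(now)
        if not srv.usable(now):
            stats["skipped"] += 1         # request goes to the other ISE node
            continue
        if server_up:
            if stats["first_success"] is None:
                stats["first_success"] = now
            srv.record_response(now)
        else:
            stats["timeouts"] += 1        # no reply within the RADIUS timeout
            if srv.record_timeout(now):
                stats["dead_marks"] += 1
    return stats


if __name__ == "__main__":
    print("deadtime 0           :", simulate(deadtime_min=0))
    print("deadtime 15          :", simulate(deadtime_min=15))
    print("deadtime 15 + probe  :", simulate(deadtime_min=15, probe_interval_sec=60))
```

With deadtime 0 every request during the outage times out and the server is marked dead twenty times; with deadtime 15 the server is left unused for 320 seconds after it has recovered, and the 60-second probe brings it back at the first probe after recovery.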
c9300-Sw(config)#radius server ISE01
c9300-Sw(config-radius-server)#address ipv4 172.20.254.21 auth-port 1812 acct-
c9300-Sw(config-radius-server)#automate-tester username test-user ignore-acct-
c9300-Sw(config-radius-server)#key ISEisC00L
c9300-Sw(config-radius-server)#exit
c9300-Sw(config)#
c9300-Sw(config)#radius server ISE02
c9300-Sw(config-radius-server)#address ipv4 172.20.254.22 auth-port 1812 acct-
c9300-Sw(config-radius-server)#automate-tester username test-user ignore-acct-
c9300-Sw(config-radius-server)#key ISEisC00L
c9300-Sw(config-radius-server)#exit
4. In the case of an actual probe user account in ISE’s internal or external database, a
password is required. In the example below, “test-user” is the username and “test-
password” is the password stored in the identity store that the RADIUS server uses for
authentication. A “User rejected” message (as opposed to a timeout) also indicates that the
RADIUS server is alive.
c9300-Sw(config)#username test-user password 0 test-password
5. To make the switch send an EAPoL success message to the corresponding client when the
port fail-opens or fail-closes in the event that none of the ISE servers are reachable,
c9300-Sw(config)#dot1x critical eapol
Additional RADIUS Best Practice Attributes for ISE
6. Send the Service-Type attribute in the authentication packets, which is important for ISE to
distinguish between the different authentication methods:
c9300-Sw(config)#radius-server attribute 6 on-for-login-auth
7. Send the IP address of an endpoint to the RADIUS server in the access request:
c9300-Sw(config)#radius-server attribute 8 include-in-access-req
8. Include the class attribute in an access request for network access authorization:
9. Set the MAC address of the endpoint in IETF format and in upper case:
c9300-Sw(config)#radius-server attribute 31 mac format ietf upper-case
default-Example: 0000.4096.3e4a
ietf-Example: 00-00-40-96-3E-4A
unformatted-Example: 000040963e4a
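Added example (Python, not code from the guide or from Cisco IOS): a converter between the three Calling-Station-Id MAC formats listed above, plus a normalizing comparison of the kind an identity-store lookup needs so that a switch sending one format still matches an entry stored in another. The function names are my own.

```python
import re

# Constructed helper: the three "radius-server attribute 31 mac format" styles.
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value: str) -> str:
    """Accept default (0000.4096.3e4a), ietf (00-00-40-96-3E-4A), colon-separated
    or unformatted input in either case; return 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-]", "", value.strip()).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def format_mac(value: str, style: str = "ietf", upper_case: bool = True) -> str:
    """Render a MAC the way the switch would put it in Calling-Station-Id
    (attribute 31) for the given 'mac format' keyword and case keyword."""
    d = normalize_mac(value)
    if style == "default":          # dotted hex, four digits per group
        out = ".".join(d[i:i + 4] for i in range(0, 12, 4))
    elif style == "ietf":           # dashed, two digits per group
        out = "-".join(d[i:i + 2] for i in range(0, 12, 2))
    elif style == "unformatted":    # bare 12 hex digits
        out = d
    else:
        raise ValueError(f"unknown mac format keyword: {style!r}")
    return out.upper() if upper_case else out


def same_endpoint(calling_station_id: str, stored_mac: str) -> bool:
    """Compare a received Calling-Station-Id with a stored endpoint MAC on the
    normalized value, so differing separators or case do not cause a MAB miss."""
    return normalize_mac(calling_station_id) == normalize_mac(stored_mac)
```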
10. To include NAS port & MAC address details in Calling-Station-ID (attribute 31) for Access
and Accounting requests:
c9300-Sw(config)#radius-server attribute 31 send nas-port-detail mac-only
Change of Authorization (CoA)
11. Use the following commands to configure ISE nodes as CoA servers
c9300-Sw(config)#aaa server radius dynamic-author
c9300-Sw(config-locsvr-da-radius)#client 172.20.254.21 server-key ISEisC00L
c9300-Sw(config-locsvr-da-radius)#client 172.20.254.22 server-key ISEisC00L
Device Tracking
Starting Cisco IOS XE Denali 16.1.1 version, the new Switch Integrated Security
Features-based “IP Device Tracking” feature acts as a container policy that enables
snooping and device-tracking features available with First Hop Security (FHS) in both
IPv4 and IPv6, using IP agnostic CLI commands.
Note: If upgraded a Cisco Catalyst 3850/3650 switch from Cisco IOS XE 3.x.x release
to a Cisco IOS XE 16.x.x release and if the switch has IPDT configurations prior to the
upgrade, the SISF commands might not be available and we should run the device-
tracking upgrade-cli command to convert and use the new SISF commands.
Note: The device-tracking policy is effective only when it is applied to the
switchport using the following command:
Device Sensor
Device Sensor is a Cisco IOS and Cisco AireOS feature that simplifies device profiling
on ISE. The switch gathers raw endpoint data from protocols such as CDP, LLDP, and
DHCP and makes it available to ISE through RADIUS accounting messages. ISE
collects these device attributes and profiles the endpoints into specific device groups.
15. Configure the following command so that the switch triggers updates to ISE whenever the
device attributes change:
c9300-Sw(config)#device-sensor notify all-changes
16. Configure and apply filters for the CDP, LLDP, and DHCP protocols so that only the critical
attributes required for identifying the endpoint type reach ISE.
The following is an example of a CDP device sensor filter; apply the protocol
filter to the sensor output:
c9300-Sw(config)#cdp run
The following is an example of an LLDP device sensor filter and apply the
protocol filter to sensor output:
c9300-Sw(config)#lldp run
The following is an example of a DHCP device sensor filter; apply the protocol
filter to the sensor output:
Note: A device sensor configuration without a filter list will overload ISE with
unnecessary attributes that do not help in the context of device profiling. The
best-practice attribute list provided in the example above works well for most
environments. For more details on profiling, see the ISE Profiling Design Guide.
Web authentications are necessary for guest internet access. Even if wired guest
access is not a requirement for your environment, it is a good idea to have the
infrastructure set up for URL redirection because it facilitates notifications to end
users in certain scenarios. For instance, when users are not able to authenticate
successfully, they can be redirected to an internal portal such as the following, which
will guide them about how to resolve the issue themselves.
17. Configure the HTTP service on the switch for URL redirection:
c9300-Sw(config)#ip http server
18. The switch’s internal HTTP/HTTPS server is used for the redirection process, and it is highly
encouraged to decouple this service from switch management if HTTP/HTTPS is not used for
switch management. You can accomplish this using the following CLIs:
c9300-Sw(config)#ip http active-session-modules none
c9300-Sw(config)#ip http secure-active-session-modules none
Note: HTTPS redirection is not recommended for production environments for the
following reasons:
Security concern: HTTPS redirection is intended to hijack a secure web connection
initiated by an endpoint, which is not a good idea.
Failure to work: Most web browsers block intercepted HTTPS connections.
Certificate warnings: Even if web browsers allow access, there can be certificate
warnings because the switch presents its own certificate for the TLS handshake.
Scalability issues: Multiple HTTPS redirections can overload the switch CPU, thereby
degrading switch performance.
20. (Optional) Generate the crypto keys to be used for HTTPS redirection:
Note: Do not run the ip http secure-server command prior to generating the
keys. If you run the commands out of order, the switch automatically generates a
certificate with a smaller key size. This certificate can cause undesirable behavior
when redirecting HTTPS traffic.
22. Limit the number of HTTP connections. (The default on a Catalyst 9300 switch is 25, and the
maximum is 50.)
c9300-Sw(config)#ip http max-connections 48
Note: The ACL name referenced above is identical to the default redirect ACL
name used in fresh ISE 2.0 installation. If you want a different name, make sure
that you update both the switch and the ISE Authorization Profile with a new
redirect ACL name.
It is also a good idea to have a separate URL redirect ACL for blacklisted devices
on ISE. The default rules can redirect all web traffic; however, depending on
your environment and policies, you may need to bypass redirection for specific services.
25. Enable 802.1X globally on the switch using the dot1x system-auth-control command in global
configuration mode.
c9300-Sw(config)#dot1x system-auth-control
Note: In older Cisco IOS versions, the epm access-control open command was
used to let hosts without an authorization policy access ports configured with a
static ACL. This feature is useful in an environment where there is a mixture of
authorization profiles that use a dACL and ones that do not. For example, user
devices are enforced with a dACL to limit access to the network, but no dACL is
used on IP phones. When an IP phone is connected, the IP phone is authorized to
voice resources by MAB/802.1X (without a dACL). When a user's device is
connected to the back of the IP phone, the switch enforces the user-device dACL,
which applies the ACL at the interface level. This denies IP access to the IP phone
because the IP phone lacks a dACL for authorization. However, when the above
command is entered globally, the switch dynamically inserts a permit ip any any
ACL for sessions without a dACL, including the IP phone.
This is also true for multiple devices connected through an unmanaged hub. If
multiple devices are already connected without a dACL, and a new device with a
dACL authorization is authenticated on the same interface to which the unmanaged hub
is connected, then the above feature applies the permit ip any any ACL to the
previously connected devices' sessions.
26. Permit endpoints to move from one 802.1X-enabled port to another by running the following
command:
Switch Global Configuration Dump for AAA, RADIUS
lldp run
!
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
!
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
!
device-sensor accounting
device-sensor notify all-changes
!
access-session acl default passthrough
!
authentication mac-move permit
!
device-tracking policy IPDT_POLICY
 no protocol udp
 tracking enable
!
crypto key generate rsa general-keys mod 2048
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-active-session-modules none
ip http max-connections 48
Monitoring Authentications with Open Access
This section provides information about how to enable identity-based wired network
access without causing any disruption to regular network connectivity.
Ensure that trust relationships exist between the domain to which ISE is connected and the
other domains that have user and machine information to which you need access.
At least one global catalog server that is operational and accessible by ISE in the domain to
which you are joining ISE.
Domain user account with rights to search, add, and delete machine accounts for ISE, in the
Active Directory domain.
TCP/UDP ports open for communication between ISE and Domain Controllers (DNS, NTP,
MSRPC, Kerberos, LDAP, LDAP-GC and IPC).
For more details, see Active Directory Integration with Cisco ISE 2.x.
2. Navigate to Administration > Identity Management > External Identity Sources > Active
Directory.
3. Click Add.
4. Enter a custom name in the Join Point Name field, and the domain name in the Active
Directory Domain field.
Note: The credentials used for the join or leave operation are not stored in Cisco ISE.
Only the newly created Cisco ISE machine account credentials are stored.
11. Under Retrieve Groups, select the Active Directory groups that you want to use for the
authorization policies and click OK.
Note: The assumption is that Active Directory domain users who are members of
these whitelisted groups exist.
Let us now see how to validate ISE and Active Directory integration.
13. Click the Connection tab within Active Directory configuration, check the configured ISE
node in the Join Point Name field, and click Test User.
14. In the Test User Authentication window that is displayed, enter a valid domain username
and password and check if the authentication succeeds.
16. Log in to the Catalyst switch and execute the test aaa command to validate whether end-to-end
authentication is working:
c9300-Sw#test aaa group radius harry ISEisC00L new-code
User successfully authenticated
USER ATTRIBUTES
username 0 "harry"
c9300-Sw#
AAA/SG/TEST Platform: Testing Status
AAA/SG/TEST: Authen Requests to Send : 1
AAA/SG/TEST: Authen Requests Processed : 1
<Output truncated>
23. In the dialog box displayed, enter the corresponding values in the Name, Description, and IP
Address fields.
24. Check the RADIUS Authentication Settings checkbox and enter the shared secret in
the Shared Secret field.
Note: Optionally, you can configure the other parameters in the Network Device
configuration, such as Model Name, Software Version, Location, Device Type, and so
on. The values defined for these attributes can be used in the ISE authentication and
authorization policies to match specific criteria.
One of the options is to upload a CSV file that contains network device details.
The other option is to use REST API calls to the ISE admin node to configure
network devices.
For more information, see the Cisco ISE API Reference Guide.
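The REST option, as an added example that is not part of this guide or of ISE itself: a Python script that turns a CSV of switches into ERS NetworkDevice bodies and posts each one to the admin node. The resource path /ers/config/networkdevice, port 9060 and the JSON field names in build_payload() are assumptions to be confirmed against the Cisco ISE API Reference Guide for your release; the CSV columns are this example's own, not the ISE CSV import format, and the rows are constructed.

```python
"""Create ISE network devices in bulk from a CSV via the ERS REST API.

Added example, not code from the Cisco guide or from ISE. It assumes the ERS
resource POST https://<ise-pan>:9060/ers/config/networkdevice and the JSON
field names used in build_payload(); confirm both against the Cisco ISE API
Reference Guide for your ISE version. The CSV layout below is constructed
for this example and is not the ISE CSV import format.
"""
import base64
import csv
import io
import ipaddress
import json
import ssl
import urllib.request
from typing import Dict, List

# Constructed sample: one access switch per row (assumed column names).
# In practice the shared secret would come from a secrets store, not a file.
SAMPLE_CSV = """name,ip,description,shared_secret
c9300-Sw,172.20.254.11,Access switch floor 1,ISEisC00L
c9300-Sw-2,172.20.254.12,Access switch floor 2,ISEisC00L
"""


def build_payload(row: Dict[str, str]) -> dict:
    """Turn one CSV row into an ERS NetworkDevice body, rejecting bad input
    before anything reaches the admin node."""
    name = row["name"].strip()
    if not name:
        raise ValueError("network device name is empty")
    ip = ipaddress.ip_address(row["ip"].strip())  # raises ValueError on junk
    secret = row["shared_secret"]
    if not secret:
        raise ValueError(f"{name}: RADIUS shared secret is empty")
    return {
        "NetworkDevice": {
            "name": name,
            "description": row.get("description", "").strip(),
            # RADIUS Authentication Settings, as in step 24 of the guide
            "authenticationSettings": {"radiusSharedSecret": secret},
            # /32 host entry; widen the mask only for deliberate IP ranges
            "NetworkDeviceIPList": [{"ipaddress": str(ip), "mask": 32}],
        }
    }


def payloads_from_csv(csv_text: str) -> List[dict]:
    """Parse the CSV and build one payload per row (fails fast on bad rows)."""
    return [build_payload(row) for row in csv.DictReader(io.StringIO(csv_text))]


def post_network_device(ise_host: str, user: str, password: str,
                        payload: dict, cafile: str = None):
    """POST one device; ERS answers 201 with the new resource URL in Location.
    TLS is always verified (pass cafile for a private CA)."""
    url = f"https://{ise_host}:9060/ers/config/networkdevice"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.headers.get("Location")


if __name__ == "__main__":
    # Offline: show what would be sent. Replace with post_network_device(...)
    # against a real admin node and an ERS-enabled admin account.
    for p in payloads_from_csv(SAMPLE_CSV):
        print(json.dumps(p, indent=2))
```

The validation lives in build_payload() so that a malformed IP or an empty secret fails locally instead of producing a half-imported device list on ISE; the network call verifies the admin node's certificate rather than disabling TLS checks.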
4. Attach the device-tracking policy to the port. (This configuration is essential in Cisco IOS
XE 16.x for downloadable ACLs, URL redirection, SGT, and other authorization options to
work.)
c9300-Sw(config-if)#device-tracking attach-policy IPDT_POLICY
5. To enable open access on the port, use the authentication open command in interface
configuration mode. This command enables monitor mode for the endpoints. New MAC
addresses that are detected on the port are allowed unrestricted Layer 2 access to the
network even before any authentication has succeeded.
c9300-Sw(config-if)#authentication open
6. By default, an 802.1X-enabled switch port accepts only one MAC address. Since the idea of
open mode is to ensure that there is no disruption, enabling multi-auth host mode is
recommended; it allows one IP phone and an unlimited number of workstations (data
endpoints) to authenticate on the interface.
c9300-Sw(config-if)#authentication host-mode multi-auth
7. For the switch to initiate authentication when the link state changes from down to up, use
the following command to enable authentication on the switch port:
c9300-Sw(config-if)#authentication port-control auto
11. (Optional) Enable the reauthentication and inactivity timer for the port. Use the authentication
periodic command to enable automatic reauthentication on a port whether the values are
statically assigned on the port or are derived from the RADIUS server.
c9300-Sw(config-if)#authentication periodic
12. (Optional) To specify the period of time to reauthenticate the authorized port and to allow the
reauthentication timer interval (session timer) to be downloaded to the switch from the
RADIUS server:
c9300-Sw(config-if)#authentication timer reauthenticate server
13. (Optional) Allow the inactivity timer interval to be downloaded to the switch from the RADIUS
server. The dynamic keyword instructs the switch to send out an ARP probe before removing
the session to make sure the device is indeed disconnected.
c9300-Sw(config-if)#authentication timer inactivity server dynamic
interface GigabitEthernet1/0/1
 description ** Endpoints and Users **
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 101
 device-tracking attach-policy IPDT_POLICY
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
2. Go to the Services
6. Click Properties.
9. Leave the Verify the server’s identity by validating the certificate option unchecked.
It is recommended to have the correct CA certificate imported on the endpoints; unchecking
this option should only be done for testing purposes prior to importing the CA certificate.
12. In the EAP MSCHAPv2 Properties dialog box that is displayed, if the endpoint is an Active
Directory-managed endpoint and the Windows domain login name is preferred for 802.1X
authentication, check the “Automatically use my Windows logon name and password” check
box.
Note: We strongly recommend that you do not disable the server certificate
validation option on the supplicant. Doing so can subject endpoints to man-in-the-middle
and various other attacks. While disabling server certificate validation in the
supplicant can help in quickly testing an endpoint for 802.1X authentication, we
strongly recommend that you do the exact opposite in a production environment.
15. If you unchecked the Automatically use my Windows logon name check box under the
EAP MSCHAPv2 Properties, click Additional Settings.
16. From the Specify authentication mode drop-down list, choose the authentication mode
(User or computer, Computer, User, or Guest authentication). For quick validation, choose
User Authentication.
Note: Although the configuration explained in this section enables 802.1X on a Microsoft
Windows endpoint and can be used to validate the end-to-end configuration in an ISE
deployment, it is not a recommended configuration method for a large-scale production
network. When it comes to a production setup, the following guidelines must be considered:
Install the ISE server certificate, or the root CA certificate that signed the ISE certificate,
in the endpoint’s trusted certificate store.
Enable server certificate validation in the supplicant settings for PEAP.
If it is an Active Directory-managed Windows endpoint, enable the user or computer
authentication option.
If it is an Active Directory-managed Windows endpoint, set the Windows domain login
credentials to be used for 802.1X authentication by checking the Automatically use my
Windows logon name and password check box.
For Active Directory-managed Windows endpoints, enable 802.1x settings via Group Policy
Management…. For more information, see Configure 802.1X Wired Access Clients by
using Group Policy Management.
For BYOD Windows endpoints, use ISE’s native supplicant provisioning flow to install the
server certificate and configure the adapter settings.
3. In the Account name and Password fields, enter the corresponding values and click OK.
You should see the change in IP address and the domain name. Also, note that
the 802.1X session timer starts after successful authentication.
Note: As with Microsoft Windows Active Directory and third-party systems managers for
Windows endpoints, systems managers are available for Apple OS X devices. These managers
can manage inventory, build and deploy applications, and enforce policies on all the managed
OS X endpoints in a given environment. For an example of how a systems manager can be used
to remotely manage 802.1X configurations on Apple Mac endpoints, see 802.1X Network
Authentication for Mac.
Monitoring Authentication Sessions
1. Log in to ISE.
The dashboard displays the total number of endpoints that are connected to the
network.
3. Navigate to Operations > RADIUS > Live Logs. You will see that all the endpoints connected to
the network so far have received a permit access result.
<Output truncated>
Server Policies:
Security Policy: None
Security Status: Link Unsecured
----------------------------------------
Interface: GigabitEthernet1/0/1
IIF-ID: 0x14A4B799
MAC Address: 0064.40b5.794e
IPv6 Address: Unknown
IPv4 Address: 172.20.101.3
User-Name: 00-64-40-B5-79-4E
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 65FE14AC000000201D049D86
Acct Session ID: 0x00000016
Handle: 0xb5000016
Current Policy: POLICY_Gi1/0/1
Server Policies:
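The MAC formats from step 9 and the show access-session output above, as an added example that is not the guide's own code: a Python helper that renders a MAC in the three forms the switch can send in Calling-Station-ID, parses the session listing into records, and tells MAB sessions (User-Name equals the session MAC, here in the IETF upper-case form configured earlier) apart from 802.1X user sessions. The sample output is constructed to match the layout shown above; real output carries more fields, and the "Session timeout" check assumes the N/A value shown in the guide means no server-supplied reauthentication timer was downloaded.

```python
"""Parse 'show access-session ... details' output and report how each
endpoint was authenticated.

Added example, not from the Cisco guide or from IOS XE. It assumes the field
layout shown in the guide (one 'Key: Value' per line, sessions separated by a
line of dashes); the sample text below is constructed.
"""
import re
from typing import Dict, List

# Constructed sample resembling the guide's output: session 1 is MAB
# (User-Name is the MAC in IETF upper-case form, as sent by
# 'radius-server attribute 31 mac format ietf upper-case'); session 2 is a
# domain user authenticated over 802.1X with a server-supplied reauth timer.
SAMPLE_OUTPUT = """\
Interface:  GigabitEthernet1/0/1
IIF-ID:  0x14A4B799
MAC Address:  0064.40b5.794e
IPv6 Address:  Unknown
IPv4 Address:  172.20.101.3
User-Name:  00-64-40-B5-79-4E
Status:  Authorized
Domain:  DATA
Oper host mode:  multi-auth
Oper control dir:  both
Session timeout:  N/A
Common Session ID:  65FE14AC000000201D049D86
Acct Session ID:  0x00000016
Handle:  0xb5000016
Current Policy:  POLICY_Gi1/0/1
Server Policies:
Security Policy:  None
Security Status:  Link Unsecured
----------------------------------------
Interface:  GigabitEthernet1/0/2
IIF-ID:  0x14A4B7A0
MAC Address:  0050.5687.1a2b
IPv6 Address:  Unknown
IPv4 Address:  172.20.100.7
User-Name:  harry
Status:  Authorized
Domain:  DATA
Oper host mode:  multi-auth
Oper control dir:  both
Session timeout:  3600s (server), Remaining: 3412s
Common Session ID:  65FE14AC000000211D05A001
Acct Session ID:  0x00000017
Handle:  0xb5000017
Current Policy:  POLICY_Gi1/0/2
Server Policies:
Security Policy:  None
Security Status:  Link Unsecured
"""


def mac_formats(mac: str) -> Dict[str, str]:
    """Return a MAC in the three forms 'radius-server attribute 31 mac format'
    can send: default (dotted), ietf (dashed, upper-case) and unformatted."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    low = digits.lower()
    return {
        "default": f"{low[0:4]}.{low[4:8]}.{low[8:12]}",
        "ietf": "-".join(low[i:i + 2] for i in range(0, 12, 2)).upper(),
        "unformatted": low,
    }


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split the show output into one dict of 'Key: Value' fields per session."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("----"):  # separator between sessions
            if current:
                sessions.append(current)
            current = {}
            continue
        m = re.match(r"^\s*([A-Za-z0-9 -]+?):\s*(.*)$", line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        sessions.append(current)
    return sessions


def auth_method(session: Dict[str, str]) -> str:
    """'mab' when User-Name is the session MAC in any switch format, else 'dot1x'."""
    user = session.get("User-Name", "").lower()
    try:
        forms = mac_formats(session.get("MAC Address", ""))
    except ValueError:
        return "unknown"
    return "mab" if user in {v.lower() for v in forms.values()} else "dot1x"


def summarize(text: str) -> Dict[str, Dict[str, object]]:
    """Per-interface view: auth method, status and whether a server-supplied
    reauthentication timer is active ('N/A' means none was downloaded)."""
    report: Dict[str, Dict[str, object]] = {}
    for s in parse_sessions(text):
        report[s["Interface"]] = {
            "mac": s.get("MAC Address", ""),
            "auth": auth_method(s),
            "status": s.get("Status", ""),
            "server_reauth_timer": s.get("Session timeout", "N/A") != "N/A",
        }
    return report


if __name__ == "__main__":
    for intf, info in summarize(SAMPLE_OUTPUT).items():
        print(intf, info)
```

Feeding the real command output into summarize() gives a quick inventory of which ports are carrying MAB-only endpoints (the ones to review before moving past Monitor Mode) and which sessions never received a server-side session timer.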
Configuring and Understanding the IBNS 2.0 Policy
One of the simplest ways to configure IBNS 2.0 is to convert an existing IBNS 1.0
configuration on the switch. However, using a composite configuration in IBNS 1.0
style is recommended so that the system generates the best possible policy
configuration in the new style. Note that when you convert the configuration, a policy
map, a set of class maps, and service templates will be configured for every
single port that has the identity-related configuration. Therefore, the recommendation
is to convert a single-port IBNS 1.0 configuration to IBNS 2.0 in a lab, and once a level
of comfort is reached in this setting, deploy it in production.
You will notice that the identity configuration has changed on the interface and a
new control policy has been added.
Note: The authentication display new-style command converts an existing IBNS 1.0
configuration to IBNS 2.0. The new-style configuration can be reverted to the old style with the
authentication display legacy privileged EXEC mode command. However, note that in the new
style, if any changes are made to the policy map or to any IBNS 2.0-specific commands, or if the
system is reloaded with the new-style configuration written to the startup configuration, you will
not be able to revert to the IBNS 1.0 style configuration from IBNS 2.0.
4. Convert the system authentication configuration mode to the new style, that is, the IBNS 2.0
style:
c9300-Sw#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
c9300-Sw(config)#
c9300-Sw(config)#authentication convert-to new-style
This operation will permanently convert all relevant authentication commands to
control-policy equivalents. As this conversion is irreversible and will disable
CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your
configuration before proceeding.
Do you wish to continue? [yes]: yes
6. The switch is now running in new-style configuration mode; the show authentication commands
are now replaced with show access-session.
Additional Best-Practice Configurations for IBNS 2.0
1. Copy the interface configuration from the switch port and configure an interface template
c9300-Sw(config)#template PORT-AUTH-TEMPLATE
c9300-Sw(config-template)#description ** Endpoints and Users **
c9300-Sw(config-template)#switchport access vlan 100
c9300-Sw(config-template)#switchport mode access
c9300-Sw(config-template)#switchport voice vlan 101
c9300-Sw(config-template)#authentication periodic
c9300-Sw(config-template)#authentication timer reauthenticate server
c9300-Sw(config-template)#access-session port-control auto
c9300-Sw(config-template)#mab
c9300-Sw(config-template)#dot1x pae authenticator
c9300-Sw(config-template)#spanning-tree portfast
c9300-Sw(config-template)#service-policy type control subscriber POLICY_Gi1/0/1
c9300-Sw(config-template)#end
Note: Certain interface commands are not currently supported within interface templates. They need
to be explicitly configured on the port. The following are the caveats:
Defect ID      Unsupported command(s)
CSCvd77095     ‘no lldp transmit’
CSCvd77088     ‘device-tracking’
CSCvd78152     ‘ip verify source’
CSCvd78154     ‘ip access-group’
Note: Notice that the access-session closed command (as in Step 3) is part of
the conversion but is omitted from the interface template configuration. This is
because this section focuses on low-impact mode, which is a minor variation of
open mode; in IBNS 2.0, the default port mode is open mode. To move the
port to closed mode, configure the access-session closed interface command
explicitly, either within the interface template or on the physical port.
2. Reset the configuration on the interface back to the default using the default interface command,
and apply the interface template along with the other supporting commands for IBNS:
c9300-Sw(config)#default interface GigabitEthernet1/0/1
Interface GigabitEthernet1/0/1 set to default configuration
c9300-Sw(config)#
c9300-Sw(config)#interface GigabitEthernet1/0/1
c9300-Sw(config-if)#source template PORT-AUTH-TEMPLATE
c9300-Sw(config-if)#spanning-tree portfast
c9300-Sw(config-if)#device-tracking attach-policy IPDT_POLICY
c9300-Sw(config-if)#end
c9300-Sw#
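The template caveat above is easy to miss on a switch with many ports, so here is an added example (not the guide's own code, not an IOS XE tool) of a small Python audit: it parses a running-config, checks that the interface template contains none of the commands from the defect table, and flags every port that sources the template without its own device-tracking attach-policy line, which the guide says is needed for dACL, URL redirection and SGT to work. The running-config text is constructed from the steps above; the template and policy names are the guide's.

```python
"""Audit an IBNS 2.0 running-config for commands that must sit on the port
rather than in the interface template.

Added example, not from the Cisco guide or from IOS XE. It encodes the
guide's caveat table: 'no lldp transmit', 'device-tracking',
'ip verify source' and 'ip access-group' are not supported inside interface
templates, so a port that sources the template must carry
'device-tracking attach-policy' itself. The config text is constructed.
"""
from typing import Dict, List

# Commands the defect table lists as unsupported inside a template.
TEMPLATE_UNSUPPORTED = ("no lldp transmit", "device-tracking",
                        "ip verify source", "ip access-group")
# Per-port commands the guide requires for dACL / URL redirect / SGT.
REQUIRED_ON_PORT = ("device-tracking attach-policy",)

# Constructed running-config: Gi1/0/1 is done as in the guide, Gi1/0/2 lost
# its device-tracking line, Gi1/0/24 is an uplink that does not use the template.
SAMPLE_CONFIG = """\
template PORT-AUTH-TEMPLATE
 description ** Endpoints and Users **
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 101
 authentication periodic
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 service-policy type control subscriber POLICY_Gi1/0/1
!
interface GigabitEthernet1/0/1
 source template PORT-AUTH-TEMPLATE
 spanning-tree portfast
 device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/0/2
 source template PORT-AUTH-TEMPLATE
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description ** Uplink **
 switchport mode trunk
!
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level header ('interface X', 'template X') to its
    indented sub-commands; '!' or a blank line closes the block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def audit(config: str, template_name: str = "PORT-AUTH-TEMPLATE") -> Dict[str, List[str]]:
    """Return findings keyed by 'template' or by interface name; an empty
    dict means every port sourcing the template is complete."""
    findings: Dict[str, List[str]] = {}
    blocks = parse_blocks(config)
    tmpl = blocks.get(f"template {template_name}", [])
    bad = [c for c in tmpl if c.startswith(TEMPLATE_UNSUPPORTED)]
    if bad:
        findings["template"] = bad
    for header, cmds in blocks.items():
        if not header.startswith("interface "):
            continue
        if f"source template {template_name}" not in cmds:
            continue  # uplinks and other non-identity ports are out of scope
        missing = [r for r in REQUIRED_ON_PORT
                   if not any(c.startswith(r) for c in cmds)]
        if missing:
            findings[header.split(" ", 1)[1]] = missing
    return findings


if __name__ == "__main__":
    for where, problems in audit(SAMPLE_CONFIG).items():
        print(f"{where}: {', '.join(problems)}")
```

Run it against the output of show running-config before rolling the template out to a stack; a port reported here will authenticate but will not get the device-tracking-dependent authorization results the guide describes.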
You will also notice some minor changes to the global configuration:
Note:
Global AAA and RADIUS server configurations for IBNS 1.0 and IBNS 2.0 are very
similar, barring a few minor differences:
The aaa accounting dot1x command is converted to aaa accounting identity in IBNS 2.0
style.
The authentication mac-move permit command is the default in IBNS 2.0, and therefore,
the configuration does not show up in the running configuration. If you want to disable
mac-move, configure access-session mac-move deny explicitly in the global
configuration mode.
The device-sensor accounting command is replaced with the access-session
attributes filter-list command set in IBNS 2.0.
5. Create a backup of your current configuration file on Flash using copy running-config flash:
so that you can restore a Monitor-mode configuration when migrating to Closed Mode.
Migrating from Monitor Mode
In Monitor Mode, authentication occurs but network access is not restricted based on
the authentication result. A combination of Cisco Identity Services Engine (ISE)
policies and switchport commands is used to give all devices full access to the
network. In Monitor Mode, network administrators can determine which users or
devices would have failed authentication and why.
Cisco recommends deploying 802.1X in a staged approach. The stages begin with
Monitor Mode as the initial stage, and the end state is either Low-Impact Mode or
Closed Mode. The deployment modes beyond Monitor Mode gradually build access
controls into the design through port-based ACLs, dACLs and/or VLAN
authorizations.
Pre-Authentication and Post-Authentication Access Control with Low Impact
After gaining enough visibility in Monitor Mode, the next step is to enforce
restricted access. Low-Impact Mode incrementally increases the security level of the
network by configuring an ingress port ACL on top of the Monitor-Mode interface
configuration. This provides basic connectivity for hosts while selectively limiting
access and introducing a higher level of security. Pre-authentication access control is
done via port access control lists, which are locally defined on the switchport;
post-authentication access control can be done via downloadable or named access
control lists. This level of pre-authentication access is required for PXE boot
environments, where network access must be granted prior to authentication.
Note: Dynamic VLAN assignment is not a recommended authorization option for Low-Impact
Mode. Since endpoints acquire an IP address in the default VLAN before network authentication,
a change in the VLAN assignment forces the endpoints to renew their IP addresses, which might
not happen automatically, thereby locking them out of the network despite being authorized by
ISE policy.
Some endpoint types have the intelligence to detect network changes. A Windows
workstation, for instance, attempts to ping the default gateway (three times within
seconds) with TTL=1 upon receiving an EAP-Success message from the switch. If the
ping is answered, the endpoint assumes that there is no change in the VLAN and retains
its IP address; if the switch doesn't respond, the endpoint releases the IP address. This
feature was introduced in Windows XP SP2 with the following KB:
KB822596: DHCP does not obtain a new address when EAP reauthenticates
across access points with IP subnets that differ.
The behavior with Apple macOS X is similar. However, when the system receives an
EAP success message, the endpoint tries to reach the DHCP server to renew its IP
address, three times with a minute's wait between the attempts.
3. On a per-port basis, apply the Pre-Auth-ACL in the ingress direction to convert the port from
Monitor Mode to Low-Impact Mode.
c9300-Sw(config)#interface gigabitEthernet 1/0/1
c9300-Sw(config-if)#ip access-group IPV4_PRE_AUTH_ACL in
Downloadable ACL Authorization
5. Log in to ISE and navigate to Policy > Results
6. In the left pane, click Authorization > Downloadable ACLs.
7. Click Add.
In terms of the Access Control Entries (ACEs) in downloadable ACLs, the
recommendation is to keep them small so that the policy is easy to download to the
network device. In addition, small ACLs optimize Ternary Content Addressable
Memory (TCAM) consumption on the access switch. The best-practice limit for dACLs
is 64 ACEs (64 lines).
11. In the left pane, click Authorization Profiles and then click Add.
12. Create a new Authorization Profile and reference the Employee ACL.
13. Click Submit.
14. Repeat the same procedure for the Voice ACL. However, for IP phones, you should check the
Voice Domain Permission authorization check box.
15. Click Submit.
16. Navigate to the Policy > Policy Sets > Authorization Policy page for the Employees and IP
phones policy. (The two policies below can be configured in a custom policy set or in a modified
default policy set.)
17. Update or create the Employee and IP phone authorization rules as shown below and save the
configuration.
You will see that both the Employee PC and the IP phones have dACL authorization. In the
Result dialog box, you will see the individual dACL rules that are downloaded to the
switch.
Local Policies:
Idle timeout: 65536 sec
Server Policies:
ACS ACL: xACSACLx-IP-VoiceACL-5aee9aa7
----------------------------------------
Interface: GigabitEthernet1/0/1
IIF-ID: 0x1645C323
MAC Address: 0050.56a7.fa8a
IPv6 Address: fe80::e55d:20e1:8f:d008
IPv4 Address: 172.20.100.10
User-Name: harry
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: 65FE14AC0000003432D7C631
Acct Session ID: 0x0000002a
Handle: 0x7d00002a
Local Policies:
Idle timeout: 65536 sec
Server Policies:
Security Policy: None
Security Status: Link Unsecured
SGT Value: 4
ACS ACL: xACSACLx-IP-EmployeeAccessACL-5aee9a60
Note: The dACL names are appended with session timestamps when
downloaded from ISE.
22. Verify the downloaded ACL on the switch using the show ip access-lists command:
c9300-Sw#show ip access-lists | section xACSACLx-IP-
Extended IP access list xACSACLx-IP-EmployeeAccessACL-5aee9a60
1 deny ip any 172.20.199.0 0.0.0.255
2 permit ip any any
Extended IP access list xACSACLx-IP-VoiceACL-5aee9aa7
1 permit ip any 172.20.254.0 0.0.0.255
2 permit ip any 172.20.100.0 0.0.0.255
3 permit ip any 172.20.101.0 0.0.0.255
4 deny ip any any
23. Further, you can run a platform-specific command to understand which ACLs are applicable to
specific endpoints. In the example below, which is for a Catalyst 9300 switch, you can see
that on the GigabitEthernet 1/0/1 interface, any MAC address (0000.0000.0000) is subject to
IPV4_PRE_AUTH_ACL, the IP phone MAC address is subject to IP-Voice-ACL +
IPV4_PRE_AUTH_ACL, and the Employee's PC is access controlled by EmployeeAccessACL
+ IPV4_PRE_AUTH_ACL.
Role-Based Critical Authorization
One of the many advantages of using IBNS 2.0 is that it can handle failure scenarios
efficiently. With a few additional tweaks to the previously configured IBNS 2.0
configuration, endpoints that have been authorized previously by ISE can be given the
same level of network access even when the server is not reachable the next time.
The idea is to grant role-based access during critical conditions, instead of applying a
common critical authorization.
In the following procedure, a user role ‘Employees’ is created which is the same name
as Security Group Tag on ISE. When Employee users authenticate the first time, the
user role is downloaded from ISE. Later, when the same users re-connect to the
network when ISE is unreachable, the same network access authorization is applied
locally by the switch.
24. Log in to the switch and configure IP ACL for Employee users.
Note that the ACL rules are the same as the downloadable ACLs configured on
ISE for the Employee user group.
26. Create a class map to match the Employee user role and the AAA down condition.
c9300-Sw(config)#class-map type control subscriber match-all AAA_DOWN_UNAUTHD_
c9300-Sw(config-filter-control-classmap)#match result-type aaa-timeout
c9300-Sw(config-filter-control-classmap)#match authorization-status unauthorized
c9300-Sw(config-filter-control-classmap)#match user-role Employees
27. Create two class maps that evaluate the critical authorization conditions.
28. Either modify the existing policy or create a new policy map to match the differentiated
critical authorization state and apply the new service template when the ISE service is
unavailable for the Employee devices. In this sample procedure, a new policy map is created
in global configuration mode with changes that are minor when compared to the previous
ones. Note the highlighted sections in the following example.
ISE Authorization with User Role
Local Policies:
Idle timeout: 65536 sec
Server Policies:
Security Policy: None
Security Status: Link Unsecured
SGT Value: 4
ACS ACL: xACSACLx-IP-EmployeeAccessACL-5aee9a60
You will notice that the switch has applied the same policies that ISE would
apply, but locally, based on the cached user role.
Local Policies:
Idle timeout: 65536 sec
Service Template: EMPLOYEE_CRITICAL_AUTH_ACCESS (priority 150)
Filter-ID: IPV4_EMPLOYEE_CRITICAL_ACL
SGT Value: 4
The access-session cache is cleared either when the switch reloads or when the endpoint
logs off (EAPOL-Logoff), which typically occurs in most operating systems.
interface.
Separate RADIUS servers based on switch port: specific switch ports can be configured
in the IBNS 2.0 policy to talk to separate ISE servers.
The example below shows how to modify the switch configuration to perform
differentiated authentication so that specific sets of interfaces on the switch talk to
specific ISE servers.
1. Before authoring a policy-map and applying it on the interface, configure the global AAA and
RADIUS parameters to distinguish the two AAA server groups. Define two or more distinct
RADIUS servers in global configuration mode.
radius server ISE01
address ipv4 172.20.254.21 auth-port 1812 acct-port 1813
automate-tester username test-user ignore-acct-port probe-on
key ISEisC00L
!
radius server ISE02
address ipv4 172.20.254.22 auth-port 1812 acct-port 1813
automate-tester username test-user ignore-acct-port probe-on
key ISEisC00L
!
2. Define two server groups and method lists for AAA in global configuration mode.
3. (Optional) Run the following AAA accounting commands to make the switch send accounting
records simultaneously to the first server in each group.
aaa accounting Identity default start-stop broadcast group ISE-CUBE-1 group IS
aaa accounting network default start-stop broadcast group ISE-CUBE-1 group ISE
aaa accounting system default start-stop broadcast group ISE-CUBE-1 group ISE-
template PORT-AUTH-TEMPLATE-CUBE1
description ** Endpoints and Users on Cube-1 ISE **
spanning-tree portfast
dot1x pae authenticator
switchport access vlan 100
switchport mode access
switchport voice vlan 101
mab
access-session control-direction in
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PORT-AUTH-POLICY-CUBE1
!
template PORT-AUTH-TEMPLATE-CUBE2
description ** Endpoints and Users on Cube-2 ISE **
spanning-tree portfast
dot1x pae authenticator
switchport access vlan 100
switchport mode access
switchport voice vlan 101
mab
access-session control-direction in
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PORT-AUTH-POLICY-CUBE2
7. Source the interface template along with the other interface-specific commands for the
desired ports.
c9300-Sw(config)#interface range GigabitEthernet 1/0/1 - 11
c9300-Sw(config-if-range)#source template PORT-AUTH-TEMPLATE-CUBE1
c9300-Sw(config-if-range)#exit
c9300-Sw(config)#
c9300-Sw(config)#interface range GigabitEthernet 1/0/12 - 22
c9300-Sw(config-if-range)#source template PORT-AUTH-TEMPLATE-CUBE2
c9300-Sw(config-if-range)#exit
8. Here is an example of how to configure an IBNS 2.0 policy for differentiated authentication
for 802.1X and MAB on the same switchport.
ISE Authorization Profile for Differentiated dACL
When two or more ISE deployments are managed in an environment and
differentiated authentication is used, certain authorizations from ISE may not work well
because they require communication with specific ISE servers for additional attributes.
For example, when an endpoint is authorized for a downloadable ACL from ISE-
Cube-2, the switch only gets the ACL name in the initial flow. In the second flow, it
needs to download the ACL rules, but because it is not a standard session-start, the
switch will query ISE-Cube-1 for ACEs. If the dACL configurations are not consistent
across the ISE deployments, the authorization fails. The fix is to use an additional
Cisco AV pair in the authorization to inform the switch about which server group to
reach out for additional attributes. The following ISE authorization profile shows the
downloadable ACL and the special AVP.
Note: The Method-List AVP (AAA_LIST1 in the example above) on ISE must match the AAA method
list on the switch, not the AAA server group:
* Only Filter ID and Per-User ACLs are supported on Catalyst 3650, 3850,
and 9300 platforms.
<Output truncated>
Note: In a distributed ISE deployment, each Policy Administration Node (PAN) and Policy
Services Node (PSN) must be configured with an IPv6 address.
All the ISE services on a node restart after a new IPv6 address is configured.
Note: Ensure that end-to-end IPv6 routing is configured so that the access
switch can talk to ISE nodes over IPv6.
4. Ensure that the access switch can ping ISE nodes over IPv6.
c9300-Sw#ping ipv6 2001:20:254::21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:20:254::21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
5. In Cisco IOS 16.X, device tracking is common to both IPv4 and IPv6. Ensure that the device-
tracking policy is configured and applied to the access ports.
c9300-Sw#show running-config | begin device-tracking
device-tracking policy IPDT_POLICY
no protocol udp
tracking enable
!
interface GigabitEthernet1/0/1
device-tracking attach-policy IPDT_POLICY
Note: On C3650 and C3850 switch platforms running Cisco IOS version earlier than 16.1,
configure the following commands for IPv6 device tracking:
ipv6 nd suppress
ipv6 snooping
trusted-port
interface GigabitEthernet1/0/24
3. Ensure that the servers are reachable and are marked as Up.
c9300-Sw#show aaa servers | include RADIUS|State
RADIUS: id 1, priority 1, host 2001:20:254::21, auth-port 1812, acct-port 1813
State: current UP, duration 19s, previous duration 199s
Platform State from SMD: current UP, duration 19s, previous duration 2885
Platform State from WNCD: current UP, duration 0s, previous duration 0s
RADIUS: id 2, priority 2, host 2001:20:254::22, auth-port 1812, acct-port 1813
State: current UP, duration 17s, previous duration 0s
Platform State from SMD: current UP, duration 17s, previous duration 0s
Platform State from WNCD: current UP, duration 0s, previous duration 0s
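As an added example (not part of this guide or of Cisco's tooling), the following Python parses `show aaa servers | include RADIUS|State` output modelled on the sample above and reports which ISE servers the switch currently considers UP, so a monitoring job can tell when a switch is about to fall back to critical authorization. The sample text is constructed here, including a deliberately DOWN second server.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the `show aaa servers | include RADIUS|State`
# output in this guide. The second server is deliberately shown as DOWN.
SAMPLE_SHOW_AAA_SERVERS = """\
RADIUS: id 1, priority 1, host 2001:20:254::21, auth-port 1812, acct-port 1813
     State: current UP, duration 19s, previous duration 199s
     Platform State from SMD: current UP, duration 19s, previous duration 2885
     Platform State from WNCD: current UP, duration 0s, previous duration 0s
RADIUS: id 2, priority 2, host 2001:20:254::22, auth-port 1812, acct-port 1813
     State: current DOWN, duration 42s, previous duration 3600s
     Platform State from SMD: current DOWN, duration 42s, previous duration 3600s
     Platform State from WNCD: current UP, duration 0s, previous duration 0s
"""

SERVER_RE = re.compile(
    r"^RADIUS:\s+id\s+(?P<id>\d+),\s+priority\s+(?P<prio>\d+),\s+host\s+(?P<host>\S+),"
    r"\s+auth-port\s+(?P<auth>\d+),\s+acct-port\s+(?P<acct>\d+)"
)
# Matches both the global "State:" line and the per-process
# "Platform State from <SMD|WNCD>:" lines.
STATE_RE = re.compile(
    r"^(?:Platform State from (?P<source>\w+)|State):\s+current\s+(?P<state>\w+),"
    r"\s+duration\s+(?P<dur>\d+)"
)


@dataclass
class RadiusServer:
    server_id: int
    priority: int
    host: str
    auth_port: int
    acct_port: int
    state: str = "UNKNOWN"        # global AAA view of the server
    duration_s: int = 0           # how long it has been in that state
    platform_state: dict = field(default_factory=dict)  # per-process view (SMD, WNCD)


def parse_show_aaa_servers(text):
    """Turn the filtered show output into a list of RadiusServer records."""
    servers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            current = RadiusServer(int(m["id"]), int(m["prio"]), m["host"],
                                   int(m["auth"]), int(m["acct"]))
            servers.append(current)
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            if m["source"]:
                current.platform_state[m["source"]] = m["state"]
            else:
                current.state = m["state"]
                current.duration_s = int(m["dur"])
    return servers


def radius_health(servers):
    """Summarize reachability the way an operator watching for critical
    authorization would: which hosts are UP, which are not, whether every
    server is gone (the condition under which the IBNS 2.0 policy applies the
    critical authorization templates), and whether the session manager (SMD)
    view disagrees with the global state."""
    up = [s.host for s in servers if s.state == "UP"]
    down = [s.host for s in servers if s.state != "UP"]
    smd_mismatch = [s.host for s in servers
                    if "SMD" in s.platform_state and s.platform_state["SMD"] != s.state]
    return {
        "up": up,
        "down": down,
        "all_down": bool(servers) and not up,
        "smd_mismatch": smd_mismatch,
    }


if __name__ == "__main__":
    report = radius_health(parse_show_aaa_servers(SAMPLE_SHOW_AAA_SERVERS))
    for key, value in report.items():
        print(f"{key}: {value}")
```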
Low-Impact Mode with IPv6 Per-User ACL
1. Configure a pre-authentication IPv6 ACL.
c9300-Sw(config)#ipv6 access-list IPV6_PRE_AUTH_ACL
c9300-Sw(config-ipv6-acl)#permit udp any any eq bootpc
c9300-Sw(config-ipv6-acl)#permit udp any any eq domain
c9300-Sw(config-ipv6-acl)#deny ipv6 any any
The IPv6 critical ACL is very similar to the IPv4 critical ACL configured earlier.
5. Log in to ISE and modify the Network Devices configuration for the Catalyst switch to
whitelist its IPv6 address. Navigate to Administration > Network Resources > Network
Devices. Click the specific switch name, then configure the IPv6 address and save the
configuration.
6. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles
and configure an authorization profile for a Per-User ACL.
Note: The current Cisco IOS and ISE software implementation does not support native
IPv6 dACLs over RADIUS. The current implementation of IPv6 ACLs over RADIUS uses
Cisco Vendor Specific Attributes (VSAs).
Note: Apart from Per-User ACL, the other two ACL authorization options for IPv6 currently are
Filter-ID and Service Template.
The three options compared for IPv4 and IPv6:
Filter-ID (ACL local to switch)
  IPv4: Yes. RADIUS Attribute/AVP: Filter-ID=ACL_Name.in
  IPv6: Yes. RADIUS Attribute/AVP: Filter-ID=ACL_NAME.in.ipv6
Service Template (ACL local to switch)
  IPv4: Yes. RADIUS Attribute/AVP: Cisco AVP "subscriber:service-name=TEMPLATE_NAME"
  IPv6: Yes. RADIUS Attribute/AVP: Cisco AVP "subscriber:service-name=TEMPLATE_NAME"
Per-User ACL (ACL downloaded from ISE)
  IPv4: Yes. RADIUS Attribute/AVP: Cisco AVP "ip:inacl#1=permit ip any any"
  IPv6: Yes. RADIUS Attribute/AVP: Cisco AVP "ipv6:inacl#1=permit ipv6 any any"
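To check the 64-ACE dACL best practice stated earlier and to make the three RADIUS attribute forms in this table concrete, here is an added Python example (not part of this guide or of Cisco's tooling). It parses `show ip access-lists` output modelled on the sample shown earlier, strips the per-download suffix from xACSACLx- names to recover the dACL name as configured on ISE, flags ISE-downloaded ACLs over the ACE budget, and renders the Filter-ID, Service Template and Per-User ACL attribute strings for a given ACE list; the sample output and the DACL_ACE_BUDGET name are constructed here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the `show ip access-lists | section xACSACLx-IP-`
# output shown earlier in this guide.
SAMPLE_SHOW_ACL = """\
Extended IP access list xACSACLx-IP-EmployeeAccessACL-5aee9a60
    1 deny ip any 172.20.199.0 0.0.0.255
    2 permit ip any any
Extended IP access list xACSACLx-IP-VoiceACL-5aee9aa7
    1 permit ip any 172.20.254.0 0.0.0.255
    2 permit ip any 172.20.100.0 0.0.0.255
    3 permit ip any 172.20.101.0 0.0.0.255
    4 deny ip any any
"""

DACL_ACE_BUDGET = 64  # best-practice dACL size from the guide (constant name chosen here)

ACL_HEADER_RE = re.compile(r"^Extended IP access list (?P<name>\S+)$")
# Sequence number, then the ACE, then an optional "(N matches)" hit counter.
ACE_RE = re.compile(r"^(?P<seq>\d+)\s+(?P<ace>(?:permit|deny)\s.+?)(?:\s+\(\d+ match(?:es)?\))?$")
# dACLs downloaded from ISE appear on the switch as xACSACLx-IP-<name>-<suffix>.
DACL_NAME_RE = re.compile(r"^xACSACLx-IP-(?P<base>.+)-(?P<suffix>[0-9a-f]{8})$")


@dataclass
class Acl:
    name: str
    aces: list = field(default_factory=list)

    @property
    def downloaded_from_ise(self):
        return DACL_NAME_RE.match(self.name) is not None

    @property
    def base_name(self):
        """The dACL name as configured on ISE, without the per-download suffix."""
        m = DACL_NAME_RE.match(self.name)
        return m["base"] if m else self.name


def parse_show_ip_access_lists(text):
    """Group ACE lines under the 'Extended IP access list' header they follow."""
    acls = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_HEADER_RE.match(line)
        if m:
            current = Acl(m["name"])
            acls.append(current)
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            current.aces.append(m["ace"])
    return acls


def over_budget(acls, budget=DACL_ACE_BUDGET):
    """Names of ISE-downloaded ACLs whose ACE count exceeds the budget."""
    return [a.name for a in acls if a.downloaded_from_ise and len(a.aces) > budget]


# The three RADIUS authorization forms from the table, for IPv4 and IPv6.
def filter_id(acl_name, ipv6=False):
    """Filter-ID attribute naming an ACL that already exists on the switch."""
    return f"{acl_name}.in.ipv6" if ipv6 else f"{acl_name}.in"


def service_template_avp(template_name):
    """Cisco AVP activating a service template defined on the switch."""
    return f"subscriber:service-name={template_name}"


def per_user_acl_avps(aces, ipv6=False):
    """One Cisco AVP per ACE, numbered from 1; here the ACEs travel in RADIUS."""
    prefix = "ipv6:inacl#" if ipv6 else "ip:inacl#"
    return [f"{prefix}{i}={ace}" for i, ace in enumerate(aces, start=1)]


if __name__ == "__main__":
    parsed = parse_show_ip_access_lists(SAMPLE_SHOW_ACL)
    for acl in parsed:
        print(f"{acl.base_name}: {len(acl.aces)} ACEs (from ISE: {acl.downloaded_from_ise})")
    print("over budget:", over_budget(parsed))
    print(per_user_acl_avps(parsed[0].aces))
```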
7. Reference this authorization profile as one of the authorization results for the Employee user
group.
8. Re-authenticate the Employee workstation and verify IPv6 ACL download and authorization
for the network access session.
Server Policies:
Security Policy: None
Security Status: Link Unsecured
SGT Value: 4
ACS ACL: xACSACLx-IP-EmployeeAccessACL-5af1634e
Per-User ACL: Gi1/0/1#v6#1dd98b5e
: deny ipv6 any 2001:20:199::/64
: permit ipv6 any any
In Closed Mode, the switchport does not allow any traffic except EAP over LAN (EAPoL)
until a successful authentication takes place. No pre-authentication access to DHCP,
DNS, HTTP or PXE boot servers is allowed while authentication is in progress.
Closed Mode is ideal for VLAN-based enforcement, since the client does not get an IP
address until it is successfully authenticated.
Deploying Closed Mode with VLAN assignment can have a significant impact on
network architecture. Understanding these potential impacts is essential for a
successful deployment of this mode.
VLAN Considerations: Dynamic VLAN assignment requires that every dynamic VLAN
be supported on every access switch to which a user might connect and authenticate.
Hence, a good campus design dictates fewer VLANs, which makes for a more
manageable and scalable solution.
Before transitioning to Closed Mode, you should ensure that all endpoints can
authenticate. All identity store databases should be up to date and online.
Building on top of the configuration done in Monitor Mode, a few changes can be
made in the network for restricted network access. The idea is that after you have
understood how endpoints behave in Monitor Mode and how to fix failures, you
are ready to move on to controlled network access.
Use the Inaccessible Authentication Bypass (IAB) feature, also referred to as critical
authentication or the AAA fail policy, when the switch cannot reach the configured
RADIUS servers and new hosts cannot be authenticated. When a new host tries to
connect to the critical port, that host is moved to a user-specified access VLAN, the
critical VLAN. The critical VLAN can be the same as the default VLAN on the port. The
administrator gives limited authentication to the hosts.
Enable the critical voice VLAN feature to allow access to IP phones when the ISE
server is unreachable for its authentication. When traffic coming from the host is
tagged with the voice VLAN, the connected device (the phone) is put in the
configured voice VLAN for the port. The IP phones learn the voice VLAN identification
through CDP (Cisco devices) or through LLDP or DHCP.
4. Create a service template referencing the critical VLAN and the voice VLAN.
c9300-Sw(config)#service-template CRITICAL_AUTH_ACCESS
c9300-Sw(config-service-template)#vlan 100
c9300-Sw(config)#service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
c9300-Sw(config-service-template)#voice vlan
5. Create two new class maps or edit the existing class map to match the new service template
created in Step 3:
c9300-Sw(config)#class-map type control subscriber match-any IN_CRITICAL_AUTH
c9300-Sw(config-filter-control-classmap)#match activated-service-template CRIT
c9300-Sw(config-filter-control-classmap)#match activated-service-temp DEFAULT_
c9300-Sw(config-filter-control-classmap)#exit
c9300-Sw(config)#
c9300-Sw(config)#class-map type control subscriber match-none NOT_IN_CRITICAL_
c9300-Sw(config-filter-control-classmap)#match activated-service-template CRIT
c9300-Sw(config-filter-control-classmap)#match activated-service-temp DEFAULT_
c9300-Sw(config-filter-control-classmap)#exit
6. Ensure that the following class maps exist in the system before configuring a new policy map
for Closed mode:
7. Configure a new policy map in global configuration mode. The highlighted parts in the
example below indicate the additional classes added to the system-generated policy as in
Monitor Mode:
Wake-On-LAN
The IEEE 802.1X standard is implemented to block traffic between unauthenticated
clients and network resources. This means that unauthenticated clients cannot
communicate with any device on the network except the authenticator. The reverse is
also true, except in one circumstance: when the port is configured as a unidirectional
controlled port.
Unidirectional State
The IEEE 802.1x standard states that a unidirectional controlled port enables a device
on the network to wake up a client so that the client continues to be reauthenticated.
When you use the authentication control-direction in command to configure the
port as unidirectional, the port changes to the spanning-tree forwarding state, thus
allowing a device on the network to wake the client and force it to reauthenticate.
Bidirectional State
(Optional) Allows broadcast traffic from the network to the unauthenticated port. This
assists with the Wake-on-LAN (WoL) process so that the network management
server can wake up clients on demand. It also assists in the MAB process for certain
types of devices that do not generate much traffic on their own without a network
request from another host.
c9300-Sw(config)#template PORT-AUTH-TEMPLATE
c9300-Sw(config-template)#access-session control-direction in
MAC Limits
Limiting the number of MAC addresses on an 802.1X-enabled port is not a
straightforward process. However, there are a couple of options to achieve MAC limits
to a certain extent:
When you opt for restrictive host modes such as single-host mode or multi-
domain authentication host mode, and an authentication violation occurs (for
example, more MAC addresses appearing on the same port), the port is error-
disabled. This might require the immediate attention of the administrator to
remediate the shutdown port state. We therefore recommend a restrictive yet
non-disruptive option for handling authentication violations, using the IBNS 2.0
CLI below.
8. Edit the current policy-map to include the authentication violations. The highlighted parts in
the example below indicate the additional configs.
Device-tracking policy: The other option to limit the number of endpoints getting identity-
based services is the device-tracking policy. This policy can be configured to limit the
number of endpoints (IP addresses) being tracked for IP-based services such as dACL, URL-
redirect, SGTs, and so on. This does not limit the number of endpoints connecting or
authenticating on the port. Use the limit address-count <maximum> CLI under the device-
tracking policy to limit the number of endpoints allowed to use identity-based services.
c9300-Sw(config)#device-tracking policy IPDT_POLICY
c9300-Sw(config-device-tracking)#no protocol udp
c9300-Sw(config-device-tracking)#tracking enable
c9300-Sw(config-device-tracking)#limit address-count 10
c9300-Sw(config-device-tracking)#exit
!
c9300-Sw(config)#interface gigabitEthernet 1/0/1
c9300-Sw(config-if)#device-tracking attach-policy IPDT_POLICY
Note: Even though the port-security interface command enforces a MAC address limit, it is not
compatible with the authentication/dot1x configuration on the switch port. In general, we
recommend that you do not enable port security when IEEE 802.1X is enabled.
9. Apply the new policy map to the interface:
c9300-Sw(config)#template PORT-AUTH-TEMPLATE
c9300-Sw(config-template)#no service-policy type control subscriber PORT-AUTH-
c9300-Sw(config-template)#service-policy type control subscriber PORT-AUTH-POL
Authoring Access Policies on ISE
It is always important to have policy goals in mind before configuring ISE access
policies. Figure 21 highlights the 802.1X authentication workflow, resulting in either basic
access or access to an employee segment depending on a user's Active Directory
group membership. IP phones are authorized for the voice VLAN, and unknown
endpoints are subject to the guest portal. When the ISE servers are unreachable, the
switch authorizes newly connecting endpoints to the critical VLAN, which can be the
same as the default VLAN. The following is a flow chart of the 802.1X authentication
policy. Most of the decision tree and the critical authorization are already configured on
the switch; the right-hand side, the 802.1X and MAB authorization policies,
must be configured on ISE:
4. Create a new Authorization Profile for Employee VLAN result by providing the corresponding
information:
Note: The VLAN name or number that you specify in the Authorization Profile must match the
VLAN name or number configured on the access switch exactly. In this example, a VLAN named
Employees exists on the switch:
6. You can either create a new policy set or edit the default policy set that comes with the ISE
installation. In this example, the default policy set is taken into consideration. Click the > icon
to expand the default policy set.
9. Provide a descriptive name for the policy rule and click the +
10. If you are configuring the policy in ISE for the first time after its installation, a screen tip is
displayed, explaining how to use the Conditions Studio. Click the x
11. In the Editor area, click the field that reads ‘Click to add an attribute’
12. After the Editor options load, click the user group icon and select the Active Directory
ExternalGroups attribute.
13. Configure a condition to match on Active Directory group. In this example, the Employees
Active Directory Group is configured.
15. To select a Result for the policy created, choose the corresponding profile option (in this
case the EmployeeVLAN authorization profile created in step 4).
16. Optionally, you can also add an SGT as an additional authorization result.
17. To adhere to the policy goals in the flow chart of Figure 21, edit the "Default" authorization
policy so that it falls back to Web Authentication as the last resort.
18. Click Save.
Note that for IP phones, a policy rule exists by default. This rule authorizes profiled IP
phones with the voice VLAN authorization. The prerequisite is that the IP phone MAC
addresses are present in the corresponding endpoint identity group; in this guide they are
added manually.
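The decision tree described at the start of this section (critical VLAN decided on the switch, Employees VLAN plus an SGT for 802.1X users in the Employees AD group, voice permission for profiled phones, guest redirect as the last resort), as an added Python example that is not part of the Cisco guide. It models the rule order and returns the RADIUS attributes each rule would carry. The rule names follow the ISE defaults; the dACL name, the guest redirect values and the critical VLAN (assumed to equal the default VLAN) are assumptions chosen to match the guide's screenshots and switch output.

```python
"""Wired-access authorization decision tree (added example, not from the Cisco guide).

Encodes the policy goals of this section as ordered rules and returns the
RADIUS attributes each rule would send. VLAN assignment uses the RFC 3580
tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802);
the SGT av-pair uses the "0004-0" encoding shown in this guide's switch
output. Rule names follow the ISE defaults; the dACL name, the guest redirect
values and the critical VLAN (assumed equal to the default VLAN) are
assumptions chosen to match the guide's examples.
"""
from dataclasses import dataclass

CRITICAL_VLAN = "Employees"        # assumption: critical VLAN = default VLAN of the switch
PERMIT_ALL_DACL = "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
GUEST_REDIRECT = ["url-redirect-acl=ACL-WEBAUTH-REDIRECT",                    # assumption
                  "url-redirect=https://ise.example.com:8443/portal/gateway"]  # assumption


@dataclass(frozen=True)
class AccessRequest:
    method: str                            # "dot1x" or "mab"
    identity: str                          # username or MAC address
    ad_groups: frozenset = frozenset()     # Active Directory ExternalGroups of the user
    endpoint_group: str = "Unknown"        # ISE endpoint identity group of the MAC
    ise_reachable: bool = True             # False -> switch-local critical authorization


def vlan_attributes(vlan: str) -> dict:
    """RFC 3580 VLAN assignment; `vlan` must exist on the access switch under that name."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": vlan}


def sgt_avpair(sgt: int, generation: int = 0) -> str:
    """cts:security-group-tag value: four hex digits of SGT, a dash, the generation id."""
    return f"cts:security-group-tag={sgt:04x}-{generation}"


def parse_sgt(value: str) -> int:
    """Inverse of the 'xxxx-g' encoding seen in `show access-session ... details`."""
    tag, _, _generation = value.partition("-")
    return int(tag, 16)


def authorize(req: AccessRequest) -> dict:
    """Return {"rule": matched rule, "attributes": RADIUS attributes of the Access-Accept}.

    The critical-VLAN branch is decided on the switch with no RADIUS exchange;
    every other branch is an ISE authorization rule, most specific first, with
    the web-authentication "Default" rule as the last resort.
    """
    if not req.ise_reachable:
        # No Access-Accept exists: the switch places the session in the critical VLAN itself.
        return {"rule": "critical-vlan (switch local)", "local_vlan": CRITICAL_VLAN, "attributes": {}}

    if req.method == "mab" and req.endpoint_group == "Cisco-IP-Phone":
        return {"rule": "Profiled Cisco IP Phones",
                "attributes": {"cisco-av-pair": ["device-traffic-class=voice", PERMIT_ALL_DACL]}}

    if req.method == "dot1x":
        if "Employees" in req.ad_groups:
            attrs = vlan_attributes("Employees")
            attrs["cisco-av-pair"] = [sgt_avpair(4)]
            return {"rule": "Employees", "attributes": attrs}
        return {"rule": "Basic_Authenticated_Access",
                "attributes": {"cisco-av-pair": [PERMIT_ALL_DACL]}}

    # Unknown MAB endpoint: the edited "Default" rule sends it to the guest portal.
    return {"rule": "Default", "attributes": {"cisco-av-pair": list(GUEST_REDIRECT)}}


if __name__ == "__main__":
    for req in (AccessRequest("dot1x", "harry", frozenset({"Employees"})),
                AccessRequest("dot1x", "contractor"),
                AccessRequest("mab", "00-64-40-B5-79-4E", endpoint_group="Cisco-IP-Phone"),
                AccessRequest("mab", "00-11-22-33-44-55"),
                AccessRequest("dot1x", "harry", ise_reachable=False)):
        print(req.identity, "->", authorize(req))
```

The Employees result corresponds to the USER ATTRIBUTES block shown later in this section: tunnel-type 13, tunnel-medium-type 6, tunnel-private-group "Employees" and security-group-tag "0004-0", which the switch displays as SGT Value 4.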
USER ATTRIBUTES
username 0 "harry"
tunnel-type 1 13 [vlan]
tunnel-medium-type 1 6 [ALL_802]
tunnel-private-group 1 "Employees"
security-group-tag 0 "0004-0"
3. If you bounce the access port to which the corresponding IP phone and employee
workstation are connected, the new authorization results should be displayed as
below.
Local Policies:
Idle timeout: 65536 sec
Server Policies:
Vlan Group: Vlan: 150
Security Policy: None
Security Status: Link Unsecured
SGT Value: 4
----------------------------------------
Interface: GigabitEthernet1/0/1
IIF-ID: 0x1AABEBEF
MAC Address: 0064.40b5.794e
IPv6 Address: Unknown
IPv4 Address: 172.20.101.3
User-Name: 00-64-40-B5-79-4E
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: 65FE14AC0000002E27DEBD9D
Local Policies:
Idle timeout: 65536 sec
Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
The Overview dialog box shown below highlights the authorization policy rule that was
matched and the resulting authorization.
6. If you scroll down to the end of the page, you will see the Result details together with
the license consumed.
Cisco IP phones support two types of X.509 certificates: the Manufacturing Installed
Certificates (MICs) and the Locally Significant Certificates (LSCs).
As the name indicates, MICs are the certificates that are preinstalled on IP phones
and cannot be deleted or modified by administrators. The certificates preinstalled on
the phones are signed by one of the Cisco Manufacturing Certificate Authorities.
When an IP phone authenticates using its MIC, it proves that it is a genuine Cisco IP phone;
however, this does not establish that the phone is a company-owned asset. Anyone can
connect a personally owned Cisco phone carrying a Cisco Manufacturing CA-signed certificate
and gain network access.
LSCs, on the other hand, are administrator-installed certificates that are signed by the
Certificate Authority Proxy Function (CAPF) of the Cisco Unified Communications Manager
(CUCM). These certificates serve the same purpose as MICs in terms of authentication,
but provide stronger assurance because they are issued only by your own CUCM and are
therefore significant only to your environment.
4. Ensure that device and line templates are present, phone numbers are configured, and auto
registration is enabled.
For information about the procedure, see the Configuring Windows 2000 DHCP
Server for Cisco CallManager document.
6. By default, CUCM does not serve TFTP requests; the service has to be enabled
explicitly. In the top right-hand corner of the CUCM admin window, from the Navigation
drop-down list, choose Cisco Unified Serviceability and click Go.
7. Log in with the CUCM admin credentials and navigate to Tools > Service Activation.
9. Ensure that the phone has open access to the network services or is authorized by ISE for
access to the DHCP, DNS, and TFTP services. In the previous example, described in the
Configuring and Understanding IBNS 2.0 Policy section, the IP phones were MAB-authenticated
and a dACL was applied to the session. Bounce the switch port where the IP phone is connected.
10. Switch to the CUCM admin window by choosing Cisco Unified CM Administration from the
Navigation drop-down list at the top-right corner of the Serviceability window, and click Go.
11. Navigate to Device > Phone and search for the phone on the Find and List Phones Page.
12. Click the Find button with the default settings. Once the phone has communicated with
CUCM, it shows up on the Find and List Phones page.
Note: The phone's status must show Registered with CUCM for the administrator to manage
the phone from the Call Manager. If the status is anything else, try a hard reset of the phone
so that it registers with CUCM again.
This section provides information about how to configure the voice network for MIC
authentication and the changes that are required in ISE to support it.
3. Click each of the CA certificates listed as CallManager-trust and export them
to your local disk in PEM format. The last three certificates (the Cisco Manufacturing
CA certificates) need not be exported because they are installed by default in the
Cisco ISE trusted CA store; however, verify that those certificates exist on ISE.
4. Log in to ISE and navigate to Administration > System > Certificates.
5. In the left pane, click Trusted Certificates. You will see the list of root CA
public certificates that are installed on ISE. Notice the three Cisco Manufacturing
CA certificates that you saw in CUCM in step 3.
6. Select the disabled ones, click Edit to change the Status to Enabled, and
click Save.
8. To import the other root CA certificates that are exported from CUCM, click
Import in the Trusted Certificates area.
9. Upload the CA certificate, give it a name and description, and save it with
default settings.
10. If the certificate has a weak key or an outdated signature algorithm, a warning
message is shown. If it is permissible in the given environment to use such
certificates, click Yes and proceed.
11. Repeat the certificate import procedure for all the exported certificates.
13. Click the + button for conditions. In the condition Editor window, click the
field that states Click to add an attribute, click the user icon, and select
CERTIFICATE Subject – Common Name.
15. Click the New button to add another condition to match CERTIFICATE Issuer
– Organization.
16. Define the second condition so that CERTIFICATE Issuer – Organization
contains Cisco.
17. Click Use when the conditions match the snapshot provided below.
18. Add the voice permission result that carries the Voice Domain Permission (in this
procedure, select the Results Profile with dACL_Voice) and save the configuration.
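The MIC-versus-LSC trust distinction explained earlier and the certificate conditions built in steps 13 to 17 (Subject Common Name, Issuer Organization contains Cisco), as an added Python example that is not part of the Cisco guide. ISE evaluates these conditions against the Subject and Issuer Names of the phone's EAP-TLS certificate, so the block carries its own minimal DER encoder/decoder for X.501 Names (no third-party library) and evaluates both a MIC-style and an LSC-style policy over three constructed phone certificates. The CN formats, the issuer names, the CAPF name and the company name are assumptions for illustration.

```python
"""MIC vs LSC trust check on X.509 Name fields (added example, not the guide's code).

ISE's certificate conditions operate on the Subject and Issuer Names of the
phone's EAP-TLS certificate. This block encodes and decodes X.501 Names in DER
so it runs offline, then evaluates a MIC policy (Issuer O contains "Cisco", as
configured in steps 15 and 16) and an LSC policy (Issuer O equals our own
company, the organization noted later in step 41) against three constructed
phones. CN formats, issuer names and the company name are assumptions.
"""
CN, O = "2.5.4.3", "2.5.4.10"          # X.520 commonName and organizationName OIDs


def _length(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128 with continuation bits, most significant first
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(rdns: list) -> bytes:
    """[(oid, value), ...] -> DER Name: SEQUENCE of single-attribute RDN SETs with UTF8String values."""
    sets = [_tlv(0x31, _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, val.encode()))) for oid, val in rdns]
    return _tlv(0x30, b"".join(sets))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes) -> dict:
    """DER Name -> {oid: value}; handles the single-attribute RDNs produced by encode_name."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)          # SET
        _, ava, _ = _read_tlv(rdn, 0)              # SEQUENCE { type, value }
        _, oid, next_pos = _read_tlv(ava, 0)
        _, val, _ = _read_tlv(ava, next_pos)
        out[_decode_oid(oid)] = val.decode()
    return out


def mic_policy(subject: dict, issuer: dict) -> bool:
    """Steps 13 to 16: Subject CN names a phone (assumed to contain SEP<mac>) and Issuer O contains Cisco."""
    return "SEP" in subject.get(CN, "") and "Cisco" in issuer.get(O, "")


def lsc_policy(subject: dict, issuer: dict, company: str) -> bool:
    """LSC variant: the issuer must be our own CAPF, identified by our organization name."""
    return "SEP" in subject.get(CN, "") and issuer.get(O, "") == company


COMPANY = "Example Corp"   # assumption: the organization name shown in the CAPF certificate
# Constructed phones: (subject RDNs, issuer RDNs). MIC CNs follow the CP-<model>-SEP<mac> form,
# LSC CNs the SEP<mac> form; the visitor's phone is a genuine Cisco phone we do not own.
PHONES = {
    "own-phone-lsc":     ([(CN, "SEP006440B5794E")],          [(CN, "CAPF-1b2c3d4e"), (O, COMPANY)]),
    "own-phone-mic":     ([(CN, "CP-8841-SEP006440B5794E")],  [(CN, "Cisco Manufacturing CA"), (O, "Cisco Systems")]),
    "visitor-phone-mic": ([(CN, "CP-8841-SEP001122334455")],  [(CN, "Cisco Manufacturing CA"), (O, "Cisco Systems")]),
}


def evaluate(company: str = COMPANY) -> dict:
    """Round-trip every Name through DER and return {phone: (mic_policy, lsc_policy)}."""
    result = {}
    for name, (subj, iss) in PHONES.items():
        subject, issuer = decode_name(encode_name(subj)), decode_name(encode_name(iss))
        result[name] = (mic_policy(subject, issuer), lsc_policy(subject, issuer, company))
    return result


if __name__ == "__main__":
    for phone, (mic_ok, lsc_ok) in evaluate().items():
        print(f"{phone:18} MIC policy: {mic_ok!s:5}  LSC policy: {lsc_ok}")
```

The visitor's phone passes the MIC policy, which is exactly the gap the text describes: "Issuer Organization contains Cisco" admits every Cisco phone. Only the LSC policy, keyed on your own CAPF organization, rejects it.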
Enabling 802.1X on IP Phones
19. Log in to CUCM and navigate to Device > Phone
20. Use the Find field to locate a specific registered phone and click a name from
the list that is displayed under Device Name (Line)
22. Scroll down the Product Specific Configuration Layout until you see 802.1x
Authentication. Enable it, click Save, and then click Apply Config at the top of the window.
23. The IP phone should now authenticate using 802.1X. If you log in to
the switch, you can see the session information.
c9300-Sw#show access-session
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------------------
Gi1/0/1 0064.40b5.794e dot1x VOICE Auth 00000000000000
Gi1/0/1 0050.56a7.fa8a dot1x DATA Auth 00000000000000
<Output truncated>
24. The session details display additional information about the phone’s network
access session:
Server Policies:
ACS ACL: xACSACLx-IP-VoiceACL-5af16326
Security Policy: None
Security Status: Link Unsecured
25. To view the new session status on ISE, navigate to Operations > RADIUS >
Live Logs.
26. Click the Details icon to see that the IP phone is 802.1X-authenticated and
is authorized with a dACL.
27. Scroll further down the page to view the certificate details.
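A check over the `show access-session` output shown in steps 23 and 24, as an added Python example that is not part of the Cisco guide. It parses the summary table and a per-session detail block in the format the Catalyst 9300 prints above and reports any voice-domain session still authenticated by MAB, which after step 22 means that phone has not picked up the 802.1X setting. The sample output is constructed from the lines in this guide plus one made-up MAB session on Gi1/0/2; the MAC helper reproduces the IETF upper-case form that the switch uses for the MAB RADIUS User-Name.

```python
"""Sanity check of `show access-session` output after enabling 802.1X on phones.

Added example (not part of the Cisco guide). Parses the summary table and a
session detail block as printed by the Catalyst 9300 in this guide and flags
voice-domain sessions that are still MAB-authenticated. SUMMARY and DETAIL are
constructed from the guide's output; the Gi1/0/2 row is made up.
"""
import re

SUMMARY = """\
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------------------
Gi1/0/1 0064.40b5.794e dot1x VOICE Auth 00000000000000
Gi1/0/1 0050.56a7.fa8a dot1x DATA Auth 00000000000000
Gi1/0/2 0064.40b5.aaaa mab VOICE Auth 00000000000001
"""

DETAIL = """\
Interface: GigabitEthernet1/0/1
IIF-ID: 0x1AABEBEF
MAC Address: 0064.40b5.794e
IPv6 Address: Unknown
IPv4 Address: 172.20.101.3
User-Name: 00-64-40-B5-79-4E
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: 65FE14AC0000002E27DEBD9D
Server Policies:
ACS ACL: xACSACLx-IP-VoiceACL-5af16326
Security Policy: None
Security Status: Link Unsecured
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_summary(text: str) -> list:
    """Rows of the summary table as dicts; the Fg column is optional and often empty."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not MAC_RE.match(fields[1]):
            continue                      # header, separator or truncation marker
        rows.append({
            "interface": fields[0], "mac": fields[1], "method": fields[2],
            "domain": fields[3], "status": fields[4],
            "flags": fields[5] if len(fields) == 7 else "",
            "session_id": fields[-1],
        })
    return rows


def parse_detail(text: str) -> dict:
    """'Key: Value' lines of one session; section headers without a value are skipped."""
    detail = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            detail[key.strip()] = value.strip()
    return detail


def mac_to_ietf(mac: str) -> str:
    """0064.40b5.794e -> 00-64-40-B5-79-4E (radius-server attribute 31 mac format ietf upper-case)."""
    digits = mac.replace(".", "").upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def phones_still_on_mab(rows: list) -> list:
    """MAC addresses of voice-domain sessions authenticated by MAB instead of 802.1X."""
    return [r["mac"] for r in rows if r["domain"] == "VOICE" and r["method"] == "mab"]


def dot1x_voice_authorized(detail: dict) -> bool:
    """True when a detail block shows an authorized VOICE session that received a dACL."""
    return (detail.get("Status") == "Authorized" and detail.get("Domain") == "VOICE"
            and detail.get("ACS ACL", "").startswith("xACSACLx-"))


if __name__ == "__main__":
    rows = parse_summary(SUMMARY)
    print("sessions:", len(rows), "voice sessions still on MAB:", phones_still_on_mab(rows))
    info = parse_detail(DETAIL)
    print("User-Name matches MAC:", info["User-Name"] == mac_to_ietf(info["MAC Address"]))
    print("dot1x voice session authorized with dACL:", dot1x_voice_authorized(info))
```

For a MAB session the User-Name is the MAC address in the format selected on the switch, so the User-Name comparison is also a quick way to tell a MAB record from an 802.1X one (where the User-Name is the phone's certificate identity) in RADIUS Live Logs.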
Note: To enable 802.1X across all the IP phones, specific models or locations, use the Bulk
Administration option in CUCM.
28. Log in to the Cisco Unified Serviceability tool with admin credentials.
31. After the CAPF service is enabled, restart the TFTP service so that the IP
phones can download the LSCs. To restart it, navigate to Tools > Control Center -
Feature Services.
36. Export the CAPF Root CA certificate to your local system. (The certificate title
has only CAPF in it.)
37. Log in to ISE and Navigate to Administration > System > Certificates >
Trusted Certificates.
38. In the left pane, navigate to Certificate Management > Trusted Certificates,
and click Import.
40. After the certificate is installed, select it by checking the corresponding check
box, and click View.
41. The certificate is signed locally by the CUCM CAPF, and its Issuer Organization
carries your company name rather than Cisco. Make a note of the organization name and
close the certificate view window.
45. Use the Find field to locate a specific phone or click the corresponding phone
name under Device Name (Line)
46. In the CAPF Information section, from the Certificate Operation drop-down
list, choose Install/Upgrade.
From the Authentication Mode drop-down list, choose one of the available
options depending on the settings in your environment. In this procedure, the By
Null String option is used.
Note: With By Null String, the phone does not have to prove anything to CAPF before it
receives an LSC. This is convenient in a lab, but in production prefer By Authentication
String or By Existing Certificate, so that only phones you intend to enroll can obtain a
certificate that your ISE policy will trust.
47. Click Save and then Apply Config for the changes to take effect.
48. Navigate to Device > Phone, locate the IP phones, and then click the +
button to add a search filter.
49. Define a new condition on the LSC Issued By option in the newly created
search filter and click Find. If the LSC installation is in progress, the LSC
Status shows Operation Pending.
50. Upon upgrade completion, the LSC Status changes from Operation Pending to
Upgrade Success.
Note: To deploy LSCs at scale, use the Bulk Administration option in CUCM.
Network Edge Authentication Topology (NEAT) offers a secure extension of the Layer 2
network beyond the wiring closet. It ensures that a supplicant switch (a compact switch
outside the wiring closet) is allowed access to the network only if it authenticates
successfully. For more information on NEAT, refer to the Cisco NEAT documentation. This
document covers the NEAT configuration with IOS interface templates.
The NEAT feature enables extended secure access in areas outside the wiring closet
(such as conference rooms). A compact switch acts as an 802.1X supplicant towards the
upstream switch by using the 802.1X supplicant feature. Once the supplicant switch
authenticates successfully, the RADIUS server sends Cisco AV-pair attributes along with
the ACCESS-ACCEPT to the authenticator switch.
The following scenario, with the topology above, gives an overview of the typical
solution:
1. The supplicant switch, located in an unsecured location, first authenticates with the
wiring-closet or distribution authenticator switch. The authenticator contacts the RADIUS
server and receives an authentication success message carrying a Cisco AV-pair value of
either "device-traffic-class=switch" or "interface-template-name=…", depending on the
type of authorization profile selected on the RADIUS server.
4. The authenticator switch now trusts the supplicant switch, and network access is granted
to the switch and to all the clients behind it.
5. The supplicant switch sends a CISP update to the authenticator switch whenever a user or
host connects or disconnects, so that the MAC address is added to or removed from the
authenticator's database.
NEAT with Macros/Interface-Template
As explained before, when a supplicant switch successfully authenticates, the
RADIUS server sends the Cisco AV-pair "device-traffic-class=switch" along with the
ACCESS-ACCEPT to the authenticator switch. The authenticator switch then changes
the port configuration from access to trunk mode with the help of a built-in macro.
This approach has two drawbacks:
1. The macro modifies the interface running configuration. If a script or an administrator
saves the running-config on the authenticator switch while a supplicant switch is
authenticated, the default (pre-authentication) port configuration is lost on the next
power cycle.
2. The default macro cannot be modified. To customize the behaviour, an ASP (AutoSmartPort)
macro must be configured on the authenticator switch (ASw) and ISE must be configured to
authorize the supplicant with the ASP macro name along with the custom Cisco AVP for
NEAT.
The solution to both problems is to use interface templates instead of macros for the
port configuration changes.
Configuring NEAT with Interface templates
Configuring AAA & Radius on Authenticator and Supplicant switch
1. Log in to Authenticator and Supplicant switch and execute/verify the below
basic authentication, authorization and accounting (AAA) configurations.
aaa new-model
aaa session-id common
!
radius server ISE01
 address ipv4 172.20.254.21 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key ISEisC00L
!
radius server ISE02
 address ipv4 172.20.254.22 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key ISEisC00L
!
dot1x system-auth-control
dot1x critical eapol
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
aaa group server radius ISE
 server name ISE01
 server name ISE02
 ip radius source-interface Vlan254
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting identity default start-stop group ISE
aaa accounting update newinfo periodic 2880
!
aaa server radius dynamic-author
 client 172.20.254.21 server-key ISEisC00L
 client 172.20.254.22 server-key ISEisC00L
!
crypto key generate rsa general-keys modulus 2048
c9300-Sw(config)#cisp enable
The Client Information Signaling Protocol (CISP) is a Layer 2 control-plane protocol
used to transport the MAC addresses of the hosts behind a supplicant switch (both
authenticated MAC addresses and those learned by normal MAC learning) from the
supplicant switch to the authenticator switch. CISP frames use the Cisco reserved
multicast address also used by CDP as their destination MAC address. Frames are
generated only by the supplicant switch; the authenticator switch acts as a responder
to the received frames.
interface GigabitEthernet1/0/1
 description ** Downlink to supplicant switch **
 switchport mode access
 switchport access vlan 254
 device-tracking attach-policy IPDT_POLICY
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
 service-policy type control subscriber PORT-AUTH-POLICY-I
!
template neat-authz
 switchport trunk native vlan 254
 switchport mode trunk
c9300-Sw(config)#dot1x system-auth-control
c9300-Sw(config)#cisp enable
The EAP-MD5 credential and EAP profile referenced on the uplink must exist globally on the
supplicant switch; the username and password below are placeholders that must match the
NEAT user account created on ISE in step 10.
dot1x credentials eap-md5-cred
 username <neat-username>
 password 0 <neat-password>
!
eap profile eap-md5
 method md5
!
c3560CX-Sw(config)#interface TenGigabitEthernet1/0/8
c3560CX-Sw(config-if)#description ** Upstream Authenticator switch **
c3560CX-Sw(config-if)#switchport trunk native vlan 254
c3560CX-Sw(config-if)#switchport mode trunk
c3560CX-Sw(config-if)#dot1x pae supplicant
c3560CX-Sw(config-if)#dot1x credentials eap-md5-cred
c3560CX-Sw(config-if)#dot1x supplicant eap profile eap-md5
c3560CX-Sw(config-if)#spanning-tree portfast edge
10. Create the NEAT switch user account and add the user to the NeatSupplicants
group. Navigate to Administration > Identity Management > Identities, and
click Add.
11. Enable the required authentication protocols. Navigate to Policy > Results >
Authentication > Allowed protocols, select the protocol service list used by
wired dot1x, and ensure the protocols in this step are enabled.
Note: On ISE, the one major difference between traditional NEAT and NEAT with
interface templates is the authorization profile: the former uses the Cisco AVP
"device-traffic-class=switch", whereas the latter uses
"interface-template-name=<name>".
13. Navigate to the Policy > Policy Sets > Authorization Policy page, add the
new policies as shown below, and save the configuration.
Validating NEAT
Use this section to confirm that your configuration works properly. This section
describes two behaviors:
Once authentication and authorization succeed, the CISP exchange occurs. Each
exchange has a REQUEST, which is sent by the supplicant, and a RESPONSE, which
serves as the reply and acknowledgment from the authenticator.
Two distinct exchanges are performed: REGISTRATION and ADD_CLIENT. During the
REGISTRATION exchange, the supplicant informs the authenticator that it is CISP-
capable, and the authenticator acknowledges this message. The ADD_CLIENT
exchange is used to inform the authenticator about the devices connected to the
supplicant's local ports. As with REGISTRATION, ADD_CLIENT is initiated by the
supplicant and acknowledged by the authenticator.
The supplicant is configured and plugged into port Te1/0/1. The 802.1X exchange causes the
supplicant to use EAP to send its preconfigured username and password to the
authenticator.
The authenticator performs a RADIUS exchange and passes the credentials to ISE for validation.
If the credentials are correct, ISE returns the attribute required by NEAT
("interface-template-name=<name>"), and the authenticator applies the template, changing its
switchport mode from access to trunk.
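The CISP exchanges described above (REGISTRATION, then one ADD_CLIENT per host behind the supplicant, each REQUEST answered by a RESPONSE from the authenticator), together with the add/remove behaviour from the NEAT overview, as an added Python model that is not part of the Cisco guide. The CISP frame encoding is not documented on this page, so messages are plain dictionaries and the removal message is named DELETE_CLIENT here as an assumption; port names and MAC addresses are constructed. What the model enforces is the trust order that makes NEAT safe: the authenticator registers a supplicant only on a port that NEAT has already authorized, and honours client updates only from a registered supplicant.

```python
"""Model of the CISP exchanges between a NEAT supplicant and its authenticator.

Added example, not the guide's code. Messages are dicts rather than real CISP
frames; DELETE_CLIENT is an assumed name for the removal update. The model
shows the ordering and trust rules: REGISTRATION is accepted only on a port
whose NEAT authorization already succeeded, ADD_CLIENT / DELETE_CLIENT only
from a registered supplicant, and every REQUEST receives a RESPONSE.
"""
from dataclasses import dataclass, field


@dataclass
class Authenticator:
    authorized_switch_ports: set = field(default_factory=set)  # ports where ISE returned neat-authz
    registered: set = field(default_factory=set)               # ports with a registered CISP supplicant
    mac_table: dict = field(default_factory=dict)              # mac -> port, learned through CISP

    def neat_authorized(self, port: str) -> None:
        """Called once the Access-Accept with interface-template-name=neat-authz is applied."""
        self.authorized_switch_ports.add(port)

    def handle(self, port: str, request: dict) -> dict:
        """Process one CISP REQUEST received on `port` and return the RESPONSE."""
        kind = request["type"]
        response = {"type": "RESPONSE", "to": kind, "status": "ack"}
        if kind == "REGISTRATION":
            if port not in self.authorized_switch_ports:
                response["status"] = "rejected"        # unauthenticated switch: not trusted
            else:
                self.registered.add(port)
            return response
        if port not in self.registered:
            response["status"] = "rejected"            # client updates need a registered supplicant
            return response
        if kind == "ADD_CLIENT":
            self.mac_table[request["mac"]] = port
        elif kind == "DELETE_CLIENT":
            self.mac_table.pop(request["mac"], None)
        else:
            response["status"] = "unknown"
        return response


@dataclass
class Supplicant:
    uplink: str                  # authenticator port this supplicant is cabled to
    authenticator: Authenticator
    transcript: list = field(default_factory=list)   # (request, response) pairs, in order

    def _send(self, request: dict) -> dict:
        response = self.authenticator.handle(self.uplink, request)
        self.transcript.append((request, response))
        return response

    def register(self) -> dict:
        return self._send({"type": "REGISTRATION"})

    def host_connected(self, mac: str) -> dict:
        return self._send({"type": "ADD_CLIENT", "mac": mac})

    def host_disconnected(self, mac: str) -> dict:
        return self._send({"type": "DELETE_CLIENT", "mac": mac})


def demo():
    """Run the exchange; returns (status of the premature REGISTRATION, final MAC table, transcript)."""
    auth = Authenticator()
    sup = Supplicant("Gi1/0/1", auth)
    early = sup.register()                 # before NEAT authorization: must be rejected
    auth.neat_authorized("Gi1/0/1")        # ISE returned the neat-authz interface template
    sup.register()
    sup.host_connected("0050.56a7.fa8a")
    sup.host_connected("0064.40b5.794e")
    sup.host_disconnected("0064.40b5.794e")
    return early["status"], dict(auth.mac_table), sup.transcript


if __name__ == "__main__":
    early_status, table, transcript = demo()
    for request, response in transcript:
        print(f"{request['type']:13} -> {response['status']}")
    print("MAC table on authenticator:", table)
```

Once a port is registered, every MAC the supplicant announces is trusted on that port without any further RADIUS exchange, which is why the NEAT user account on ISE should be a dedicated identity in its own group (NeatSupplicants) rather than a general-purpose one.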
2018/12/01 01:09:26.830 {smd_R0-0}{1}: [radius] [22503]: UUID: 0, ra: 0, TID: 0 (info): RAD
2018/12/01 01:09:26.830 {smd_R0-0}{1}: [radius] [22503]: UUID: 0, ra: 0, TID: 0 (debug): RA
RADIUS: 33 37 43 50 4d 53 65 73 73 69 6f 6e 49 44 3d 30 [37CPMSessionID=0^@]
2018/12/01 01:09:26.872 {smd_R0-0}{1}: [radius] [22503]: UUID: 0, ra: 0, TID: 0 (info): RAD
<Output truncated>
8/11/23, 2:47 PM ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community
In the example above, the authenticator role is correctly assigned to interface Te1/0/1,
and the MAC address in VLAN 200 is registered.
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Idle timeout: 65536 sec
Server Policies:
Interface Template: neat-authz
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Vlan Group: Vlan: 100
SGT Value: 4
Log in to the ISE web User Interface (UI) and navigate to Operations > RADIUS > Live Logs.
Operate
The Operate section covers the run-time services of Cisco ISE. The Monitoring component provides a real-time presentation of meaningful data representing the state of access activities on a network. The Troubleshooting component provides contextual guidance for resolving access issues on networks.
Operating ISE
Operating the ISE Session Table
The Monitoring component on ISE is where the RADIUS Live Log is used to view all the RADIUS authentication logs and to get details about a specific entry in the log table. This section covers some important operations that can be performed under RADIUS Live Sessions.
1. Log in to ISE.
All the active sessions on the network which are controlled by ISE are displayed.
3. Click the Target icon next to Show CoA Actions to view the list of CoA actions that can be performed on a specific endpoint. For information about the list of CoA actions, refer to Change Authorization for RADIUS Sessions.
5. Check the License Type and License Details check boxes, and click Go.
License information about the sessions is displayed when you scroll to the right-hand side of the Live Sessions window.
Note: Live sessions cannot be deleted from the ISE user interface. CoA Session Termination will terminate the current active session; however, the entry still persists in the session table. To clear the entries from the cached session table, perform the following REST API call to ISE:
DELETE: https://<ISE_PAN_IP_Address>/admin/API/mnt/Session/Delete/All
Alternatively, perform a GET to gather the calling station IDs for all the active sessions and selectively delete them one by one using the following session API:
GET: https://<ISE_PAN_IP_Address>/admin/API/mnt/Session/AuthList/null/
DELETE:
https://<ISE_PAN_IP_Address>/admin/API/mnt/Session/Delete/MACAddress/<calling
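As an added example (not part of the guide), the following standard-library Python helper parses an AuthList reply and builds one Delete/MACAddress URL per session, skipping any MACs you want to keep. It assumes the MnT API answers with XML whose elements are named activeList, activeSession and calling_station_id and accepts HTTP basic auth from an admin account; the sample reply is constructed.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Endpoints quoted in the guide; the PAN address is the guide's own placeholder.
ISE_PAN = "<ISE_PAN_IP_Address>"
AUTH_LIST_URL = f"https://{ISE_PAN}/admin/API/mnt/Session/AuthList/null/"
DELETE_BY_MAC_URL = f"https://{ISE_PAN}/admin/API/mnt/Session/Delete/MACAddress/"

# Constructed sample of an AuthList reply; the element names (activeList,
# activeSession, calling_station_id) are assumed, not taken from the guide.
SAMPLE_AUTH_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<activeList noOfActiveSession="2">
  <activeSession>
    <calling_station_id>00:11:22:33:44:55</calling_station_id>
  </activeSession>
  <activeSession>
    <calling_station_id>AA:BB:CC:DD:EE:FF</calling_station_id>
  </activeSession>
</activeList>
"""


def parse_calling_station_ids(xml_text: str) -> list[str]:
    """Return the calling station ID (MAC) of every active session in the reply."""
    root = ET.fromstring(xml_text)
    return [n.text.strip() for n in root.iter("calling_station_id") if n.text]


def delete_urls(xml_text: str, keep=()) -> list[str]:
    """One Delete/MACAddress URL per stale session, skipping the MACs in `keep`.

    Comparison is case-insensitive because switches and ISE may differ in MAC case.
    """
    keep_set = {m.upper() for m in keep}
    return [DELETE_BY_MAC_URL + mac
            for mac in parse_calling_station_ids(xml_text)
            if mac.upper() not in keep_set]


def mnt_call(url: str, method: str, user: str, password: str) -> bytes:
    """Issue one MnT API call with HTTP basic auth (assumed; use an MnT-admin account).

    TLS verification stays on: trust the ISE admin certificate instead of disabling it.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()
```

Against a live PAN, feed the bytes returned by `mnt_call(AUTH_LIST_URL, "GET", ...)` to `delete_urls` and issue `mnt_call(url, "DELETE", ...)` for each URL you decide to clear.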
1. Log in to ISE.
3. In the left pane, navigate to Reports > Endpoints and Users > Authentication
Summary.
4. By default, a report for the current data is generated and displayed. To change the report period, click the Today drop-down list.
The Top N Authentication by Failure Reason report provides information about the top authentication failures in the network.
Troubleshooting
The following sections address troubleshooting information related to identifying and resolving problems that you may experience when you use Cisco ISE with Cisco Catalyst switches.
Some of the Cisco IOS show and debug commands that help you understand and troubleshoot ISE operations are:
Starting with IOS XE 16.x, the tracing functionality logs internal events; trace files are automatically created and saved to the trace logs subdirectory.
The contents of trace files are useful for troubleshooting and debugging operations. To modify the trace level and increase or decrease the amount of trace messages output (the default is NOTICE), set a new trace level using the set platform software trace command.
To view the trace levels for each module under a specific process (the Session Manager process, smd), use the show platform software trace level command.
To view the most recent trace information, use the show platform software trace message command.
Refer to the attachments below for sample trace captures of dot1x success and failed sessions; major events are highlighted in bold.
ISE Troubleshooting
See the following links for details on ISE troubleshooting:
Troubleshooting TechNotes
dot1x-success-debug.pdf
192 KB
dot1x-fail_mab-success-debug.pdf
76 KB
Comments
vusandlovu Beginner
07-08-2018 02:14 AM
kamlenegi Beginner
07-25-2018 04:44 AM
Hello,
Can we have a specific document for wired guest in the 2.3 version?
Thanks
Kamlesh
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475
Does anyone know where I can find the latest ISE visio icons? I am referring to the
same ones used in the deployment guides.
nickdavitashvili Beginner
10-14-2018 07:36 PM
Hello @hariholla. Thanks a lot for a great doco! Any leads on the awesome stencils
you use in it?
walwar Beginner
10-29-2018 09:11 AM
I have been looking for a guide like this, thank you very much it is very well organized and easy to
follow. Cheers, John Palmason
Darren_Cooper Beginner
10-30-2019 09:22 AM
Hi, This guide is great, however I have an issue that I cannot find any reference to.
When enabling new-style authentication on a switch with only a LAN-Lite license, some of the commands needed are missing, so I cannot configure basic 802.1x with RADIUS authentication.
Notably:
policy-map and service-policy
All the documents say this should work, and in legacy mode it worked fine; however, a converted configuration does not.
Anybody know what I can do?
Just a side note (and question). The document describes that Windows clients perform a default gateway ICMP reachability probe after an EAP SUCCESS message ("Pre-Authentication and Post-Authentication Access Control with Low Impact"). In lab testing with Windows 10 (1903) I didn't see any ICMP probe after the EAP SUCCESS message. Instead, the Windows 10 client just started to send a DHCP request with the currently configured IP as the requested IP address. Can someone confirm this?
r1127hyduk Enthusiast
09-15-2020 06:18 PM
Very well written document here for 802.1x and MAB design / deploy options. The icons and detail are superb.
To lead on for what hardware / software to deploy, does anyone have a general ISE parts / SKU listing for components (appliance and VM instance options) they can share? I'm having some challenges with CCW at this time with part validations and it's rather frustrating. Smartnet support included too!
Second question, what challenges are there from migrating from 2.4.x to 2.6 or 2.7?
©2023 Cisco Systems, Inc.