Professional Documents
Culture Documents
ISE Auth-Feature Flows - v1
ISE Auth-Feature Flows - v1
1
IEEE 802.1X
Port-based access control with authentication
RADIUS Access-Accept
End EAP Success [AVP: EAP Success]
[AVP: VLAN 10, dACL-n]
• 802.1X (EAPOL) is a delivery mechanism and it doesn't provide the actual authentication
mechanisms.
• When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security
BRKSEC-2044 (EAP-TLS) or PEAP, which
© 2013 Cisco and/or defines how
its affiliates. All rights the authentication takes
reserved. place.
Cisco Public 2
IEEE 802.1X with Change of Authorization (CoA)
RADIUS CoA-Request
[VSA: subscriber: reauthenticate]
Change of
Authorization RADIUS CoA-Ack
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
MAC Authentication Bypass (MAB)
Non-802.1X capable devices and no “user intelligence” behind
00.0a.95.7f.de.06
Authenticator RADIUS Server
Internal
MAB if Wired_MAB then
Endpoints
Dot1X If Wired_802.1X then AD1
RADIUS:Service-Type = Login
LWA if RADIUS:NAS-Port-Type= then Internal Users
Wireless – IEEE 802.11
Default if <no match> then AD1_Internal
Authorization Policy
Status Rule Name Conditions Permissions
Authentication Policy
ip admission name WEBAUTH proxy http
ip access-list extended PRE_AUTH_POLICY Status Rule Name Conditions Identity Source
permit udp any any eq bootps
permit udp any any eq domain Internal
MAB if Wired_MAB then
fallback profile WEBAUTH_PROFILE Endpoints
ip access-group PRE_AUTH_POLICY in
ip admission WEBAUTH Dot1X If Wired_802.1X then AD1
interface GigabitEthernet1/0/1
RADIUS:Service-Type =
authentication port-control auto
authentication fallback WEBAUTH_PROFILE Outbound
LWA if then Internal Users
dot1x pae-authenticator RADIUS:NAS-Port-Type=
mab Ethernet
authentication event fail action next-method
Default if <no match> then AD1_Internal
MAB
NAD
Fails Authorization Policy
Status Rule Name Conditions Permissions
SWITCHPORT
PSN
00.0a.95.7f.de.06
Authenticator RADIUS Server
Any Packet
RADIUS Access-Request
[AVP: 00.0a.95.7f.de.06]
RADIUS Access-Accept
Limited Network Access
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
CWA – Session Flow
Switch / AP-WLC
• Switch configured for ISE Server
DHCP/DNS
1 802.1X / MAB only
• Open SSID on
1 WLC w/ MAC
802.1X Filtering enabled
MAB 4
Host Acquires IP Address, Triggers Session State
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
CWA – Session Flow
Switch / AP-WLC
• Switch configured for ISE Server
DHCP/DNS
802.1X / MAB only
802.1X 1
• Open SSID on
Timeout/ 1 WLC w/ MAC
failure Filtering enabled
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Wireless CWA Config
Authentication Policy
Status Rule Name Conditions Identity Source
Internal
MAB if Wireless_MAB then
Endpoints
Dot1X If Wireless_802.1X then AD1
Default if <no match> then AD1_Internal
Authorization Policy
Status Rule Name Conditions Permissions
802.1X Timeout
802.1X Failure
1 MAB Unknown Device
Port Opens with
2limited access
Returns Default Policy with
3 URL Redirect + dACL/VLAN
Host Acquires IP Address via DHCP, triggers Session State
4 Host Opens Browser
5 URL Redirect ACL redirects HTTP to ISE
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
dACL + URL-Redirect for CWA
Switch DHCP/DNS ISE PSN
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Sample ACLs for CWA Redirection
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
ip access-list extended ACL-WEBAUTH-REDIRECT
permit udp any any eq domain
deny udp any eq bootpc any eq bootps
permit tcp any any eq http
deny udp any any eq domain
permit tcp any any eq https
deny tcp any host 10.1.1.100 eq 8080
permit tcp any host 10.1.1.100 eq 8080
deny tcp any host 10.1.1.100 eq 8443
permit tcp any host 10.1.1.100 eq 8443
permit ip any any
(deny ip any any)
Port ACL Redirect
or dACL ACL
DHCP x.x.x.x
DNS x.x.x.x
SSH x.x.x.x
FTP x.x.x.x
HTTP x.x.x.x
302: TCP/8443 10.1.1.100
HTTPS x.x.x.x
302: TCP/8443 10.1.1.100 PSN
TCP/8443 10.1.1.100 TCP/8443
10.1.1.100
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Wired Device Registration Web Auth (DRW) Flow
Switch DHCP/DNS ISE PSN
802.1X Timeout
802.1X Failure
Calling-Station-ID=MAC, Service-Type=Call Check
1 MAB Unknown Device
Port Opens with
2limited access
Returns Policy with URL
3 Redirect + Redirect ACL + dACL
Host Acquires IP Address via DHCP, triggers Session State
4 Host Opens Browser
5 URL Redirect ACL redirects HTTP to ISE
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Wired CWA Config Matched AuthC Rule = MAB
Authentication Policy
Status Rule Name Conditions Identity Source
Internal
MAB if Wireless_MAB then
Endpoints
Dot1X If Wireless_802.1X then AD1
Default if <no match> then AD1_Internal
Authorization Policy
Status Rule Name Conditions Permissions
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Example of Profiling Flow with multiple probes
SNMP Query, SNMP Trap, RADIUS, DHCP Helper
Point of Profiling
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Profiling without Probes
Direct Profiling using Client Provisioning (Posture Agent or NSP)
PSN
Access Device
User authenticates HTTP GET http://www.google.com
and opens browser RADIUS: URL Redirect=Client Provisioning / Posture
Client
https://psn:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp Provisioning
captures user
HTTP Response: “Please Reconnect”
agent and MAC
RADIUS: CoA = Session Terminate
address from
EAP Exchange SessionID
User re-auth
RADIUS: Access Accept: AVP=Permit Access
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Probeless Profiling Matched AuthC Rule = Dot1X
Wireless 802.1X with Posture Example
Authentication Policy
Rule Name Conditions Identity Source
Employee with iPad connects to corp SSID and logs in
using AD account ‘employee’ Internal
MAB if Wireless_MAB then
Endpoints
Device type Unknown, so hit Emp_NonCompliant rule.
Dot1X If Wireless_802.1X then AD1
Employee redirected to Client Provisioning/Posture
OS detection performed to determine CP policy Default if <no match> then AD1_Internal
User agent captured—iPad not supported for posture
agent so ISE send CoA w/session terminate. Endpoint Profile = iPad Authorization Policy
Endpoint user-agent and other data written to db using
Rule Name Conditions Permissions
MAC address from Session ID lookupProfile=iPad!
On reconnect, match profile=iDevice and Employee. IP Phones if Cisco-IP-Phone then Cisco_IP_Phone
EAPOL ID-Request
EAP Transaction
EAP-Success Access-Accept
Posture Status: Unknown RADIUS Authorization: EMPLOYEE-PRE-POSTURE
Access: Limited [cisco-av-pair] = dACL=PRE-POSTURE-ACL
2 [cisco-av-pair] = url-redirect-acl=REDIRECT-ACL
Posture Start [cisco-av-pair] = url-redirect=https://ISE.DEMO.LOCAL:8443/
Posture Discovery URL-Redirect guestportal/gateway?sessionId=SessionIdValue&action=cpp
Discovery
Posture
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
802.1X End User Authentication with Posture
4
CoA + ReAuth
CoA ACK/NAK
802.1X Re-Authentication
Posture Status: Compliant
Access: Full-Access Access-Accept
Assessmen
5 Reassessment
Posture Status SWISS UDP/8905
Posture Compliant
Re-
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Adding Posture to the Authorization Policy
AGENT-REDIRECT (local to Switch) Rule Name Conditions Permissions
ip access-list extended AGENT-
REDIRECT IP Phones if Cisco-IP-Phone then Cisco_IP_Phone
deny udp any any eq domain
permit tcp any any eq www Employee_ Employee &
if then Posture
NoCompliant Posture != Compliant
PRE-POSTURE-ACL (downloaded) Employee &
Employee if then Employee
permit udp any any eq domain Posture = Compliant
permit icmp any any
permit tcp any host 10.1.1.3 eq 8443 GUEST if GUEST then GUEST
permit tcp any host 10.1.1.3 eq 8905
permit udp any host 10.1.1.3 eq 8905 Default If no matches, then WEBAUTH
permit tcp any any eq 80
permit tcp any any eq 443
NAD
SWITCHPORT
PSN
Matched Rule =
RADIUS Access-Request
Employee_NoCompliant
RADIUS Access-Accept
[cisco-av-pair] = dACL=PRE-POSTURE-ACL
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-
redirect=https://ISE:8443/guestportal/gateway?sessionId=S
essionIdValue&action=cpp
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Adding Posture to the Authorization Policy
Rule Name Conditions Permissions
NAD
SWITCHPORT
PSN
RADIUS Access-Request
RADIUS Access-Accept
[cisco-av-pair] = dACL=Permit-All
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
BYOD AuthZ Policy
Rule Name Conditions Permissions
Single SSID – Employee using PEAP GUEST if GUEST then GUEST
PSN
SSID = CORP
RADIUS Access-Request
PEAP MSHACPv2 – EAP-ID = Employee1
RADIUS Access-Accept
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-redirect
Employee =https://ISE:8443/guestportal/gateway?sessionId=Sessi
onIdValue&action=nsp
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
BYOD AuthZ Policy
Rule Name Conditions Permissions
Dual SSID – Employee using CWA GUEST if GUEST then GUEST
PSN
SSID = GUEST
RADIUS Access-Request
[AVP: 00.0a.95.7f.de.06 ]
RADIUS Access-Accept
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-redirect
Employee =https://ISE:8443/guestportal/gateway?sessionId=Sessi
onIdValue&action=cwa
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
BYOD AuthZ Policy
Rule Name Conditions Permissions
Dual SSID – Employee using CWA GUEST if GUEST then GUEST
Employee Authentication
Succeeded...
PSN
User != Guest
SSID = GUEST
RADIUS Access-Request Start Self-Provisioning Flow
[AVP: 00.0a.95.7f.de.06 ]
RADIUS Access-Accept
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-redirect
Employee =https://ISE:8443/guestportal/gateway?sessionId=Sessi
onIdValue&action=cwa
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
BYOD AuthZ Policy
Rule Name Conditions Permissions
Dual SSID – Guest using CWA GUEST if GUEST then GUEST
Send CoA…
PSN
User = Guest
SSID = GUEST
Change of Authorization Request Bypass Self-Provisioning Flow
CoA ACK/NAK
RADIUS Access-Request
[AVP: 00.0a.95.7f.de.06 ]
RADIUS Access-Accept
GUEST
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
BYOD AuthZ Policy
Rule Name Conditions Permissions
Dual SSID – Select Employees using CWA GUEST if GUEST then GUEST
PSN
SSID = GUEST
RADIUS Access-Request
[AVP: 00.0a.95.7f.de.06 ]
RADIUS Access-Accept
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-redirect=https://ISE:8443
Employee /guestportal/gateway?sessionId=SessionIdValue&action=cwa
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
BYOD AuthZ Policy
Rule Name Conditions Permissions
Dual SSID – Select Employees using CWA GUEST if GUEST then GUEST
PSN
User != Guest
SSID = GUEST
Self-Provisioning Flow Disabled;
Change of Authorization Request Continue normal CWA processing
CoA ACK/NAK
RADIUS Access-Request
[AVP: 00.0a.95.7f.de.06 ]
RADIUS Access-Accept
Employee
[cisco-av-pair] = url-redirect-acl=ACL=NSP-ACL
[cisco-av-pair] = url-redirect=
https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=nsp
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
BYOD AuthZ Policy
Rule Name Conditions Permissions
Post-Supplicant Provisioning GUEST if GUEST then GUEST
PSN
SSID = CORP
RADIUS Access-Request
PEAP MSHACPv2 – EAP-ID = Employee1
RADIUS Access-Accept
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-redirect=
Employee https://ISE:8443/guestportal/gateway?sessionId
=SessionIdValue&action=nsp
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
BYOD AuthZ Policy
Rule Name Conditions Permissions
Post-Supplicant Provisioning GUEST if GUEST then GUEST
PSN
SSID = CORP
RADIUS Access-Request
NATIVE SUPPLICANT PROVISIONING
EAP-TLS - CN = Employee1
Change of Authorization Request
CoA ACK/NAK
Employee
RADIUS Access-Accept Note: Once registered via NSP, ID group statically set to
RegisteredDevices. Recommend use profile attribute, not ID
BRKSEC-2044
groups, to match profileCisco
© 2013 Cisco and/or its affiliates. All rights reserved.
inPublic
Authorization Policy! 34
Native Supplicant Provisioning (iOS Use-Case)
PSN
Device Provisioning
CSR sent to ISE SCEP to MS Cert Authority
RegisteredDevice
Employee Wireless Controller ISE / SCEP Proxys CA / SCEP Server Google Play
SSID = BYOD-Open / CWA CWA Redirect / Redirect ACL = CWA Device Registration
CENTRAL_WEB_AUTH state
User opens browser
Redirect to ISE for CWA
CWA login
CoA to WLC
Sample WLC ACL: ALLOW_GOOGLE
permit udp any any dns
Download SPW
Redirect browser to http://play.google.com (Session:DeviceOS=Android) permit tcp any <ISE_PSN>
Access-Request deny ip any <internal_network>
permit tcp any 74.125.0.0 255.255.0.0
SUPPLICANT_PROVISIONING state NSP Redirect / Redirect ACL = ALLOW_GOOGLE permit tcp any 173.194.0.0 255.255.0.0
permit tcp any 206.111.0.0 255.255.0.0
Download Supplicant Provisioning Wizard (SPW) app from Google Playstore
deny ip any any