ISE Auth-Feature Flows - v1

Collection of ISE Auth and Service Flows
Craig Hyps, Principal Engineer
1
IEEE 802.1X
Port-based access control with authentication
Layer 2 Point-to-Point Layer 3 Link

Supplicant EAP over LAN Authenticator RADIUS Auth Server
(EAPoL)
EAPoL Start
Beginning
EAPoL Request Identity
EAP-Response Identity: Alice

RADIUS Access Request
[AVP: EAP-Response: Alice]
EAP-Request: PEAP RADIUS Access-Challenge

Middle Multiple
[AVP: EAP-Request PEAP] Challenge-
EAP-Response: PEAP Request
RADIUS Access Request Exchanges
Possible
[AVP: EAP-Response: PEAP]
RADIUS Access-Accept
End EAP Success [AVP: EAP Success]
[AVP: VLAN 10, dACL-n]
• 802.1X (EAPOL) is a delivery mechanism and it doesn't provide the actual authentication
mechanisms.
• When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security
BRKSEC-2044 (EAP-TLS) or PEAP, which
© 2013 Cisco and/or defines how
its affiliates. All rights the authentication takes
reserved. place.
Cisco Public 2
IEEE 802.1X with Change of Authorization (CoA)

Supplicant EAP over LAN Authenticator RADIUS
(EAPoL)
Auth Server
Initial EAP Success
[AVP: EAP Success]
Authentication [AVP: VLAN 10, dACL-n]
RADIUS CoA-Request
[VSA: subscriber: reauthenticate]
Change of
Authorization RADIUS CoA-Ack
EAPoL Request Identity
EAP-Response Identity: Alice

RADIUS Access Request
[AVP: EAP-Response: Alice]
RADIUS Access-Challenge
Re-Authentication EAP-Request: PEAP Multiple
[AVP: EAP-Request PEAP] Challenge-
EAP-Response: PEAP Request
RADIUS Access Request Exchanges
Possible
[AVP: EAP-Response: PEAP]
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
MAC Authentication Bypass (MAB)
Non-802.1X capable devices and no “user intelligence” behind
00.0a.95.7f.de.06
Authenticator RADIUS Server
EAPoL: EAP Request-Identity

Total Time
From Link Time until endpoint
• IEEE 802.1X Times Out
Up To sends first packet after
• MAB Starts
Network IEEE 802.1X timeout
Access Any Packet
RADIUS Access-Request
[AVP: 00.0a.95.7f.de.06]
Network Access Granted
LWA – Session Flow
•802.1X Timeout DHCP/DNS ISE Server
Switch / AP-WLC
1 •802.1X Failure
802.1X •MAB Failure
Timeout/ •Open SSID

1
failure •With web auth
MAB 2 Port Enabled,

ACL Applied
MAB Host Acquires IP Address, Triggers Session State

Fails 3
Local Host Opens Browser

Web Auth 4 Login Page
Host Sends Password
Flex Auth: After timeout or Switch Queries AAA Server Server

failure, port automatically tries 5 AAA Server Returns Policy
authorizes
user
“next-method” if another
method configured. 6 Switch/WLC Applies New ACL Policy
Wireless LWA Config
Authentication Policy
Status Rule Conditions Identity Source
Name
Internal
MAB if Wired_MAB then
Endpoints
Dot1X If Wired_802.1X then AD1
RADIUS:Service-Type = Login
LWA if RADIUS:NAS-Port-Type= then Internal Users
Wireless – IEEE 802.11
Default if <no match> then AD1_Internal
Authorization Policy
Status Rule Name Conditions Permissions
IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

NAD BYOD if BYOD and Employee then Employee
Guest if Guest then Guest
Contractor if Contractor then Contractor
Username = GuestUser Employee if Employee then Employee
Password = MyPassword
No Supplicant Default If no matches, then WEBAUTH
[AVP: Airespace ACL
PAP Login = Internet_Only]
Local
Wired LWA Config 802.1X Timeout/
Failure MAB Failure
Web Auth
ip admission name WEBAUTH proxy http
ip access-list extended PRE_AUTH_POLICY Status Rule Name Conditions Identity Source
permit udp any any eq bootps
permit udp any any eq domain Internal
fallback profile WEBAUTH_PROFILE Endpoints
ip access-group PRE_AUTH_POLICY in
ip admission WEBAUTH Dot1X If Wired_802.1X then AD1
interface GigabitEthernet1/0/1
RADIUS:Service-Type =
authentication port-control auto
authentication fallback WEBAUTH_PROFILE Outbound
LWA if then Internal Users
dot1x pae-authenticator RADIUS:NAS-Port-Type=
mab Ethernet
authentication event fail action next-method
MAB
NAD
Fails Authorization Policy
SWITCHPORT
PSN

BYOD if BYOD and Employee then Employee
RADIUS Access-Request Guest if Guest then Guest

Username = GuestUser
Password = MyPassword
No Supplicant Employee if Employee then Employee
[AVP: dacl = Internet_Only] Default If no matches, then WEBAUTH
PAP Login
Web Authentication
00.0a.95.7f.de.06
Authenticator RADIUS Server
Time until endpoint

• IEEE 802.1X Times Out
sends first packet after
• MAB Starts Unknown MAC address
IEEE 802.1X timeout
Any Packet
[AVP: 00.0a.95.7f.de.06]
Limited Network Access
CWA – Session Flow
Switch / AP-WLC
• Switch configured for ISE Server
DHCP/DNS
1 802.1X / MAB only
• Open SSID on
1 WLC w/ MAC
802.1X Filtering enabled
First authentication session

2
Timeout/
failure AuthC success; AuthZ for unknown user returned:
3 Redirect/filter ACL, portal URL
MAB 4
Host Acquires IP Address, Triggers Session State
Host Opens Browser – Switch redirects browser to ISE CWA page

Login Page AUP
5
process, if
Host Sends Username/Password configured
Flex Auth: If host not
found (MAB lookup fails), 6 Web Auth Success results in CoA
then Continue to
Authorization Policy MAB re-auth Session lookup—policy matched Server
authorizes
7
processing MAB Success Authorization dACL/VLAN returned. user
CWA – Session Flow
Switch / AP-WLC
• Switch configured for ISE Server
DHCP/DNS
802.1X / MAB only
802.1X 1
• Open SSID on
Timeout/ 1 WLC w/ MAC
failure Filtering enabled
First authentication session

2
MAB AuthC success; AuthZ for unknown user returned:
3 Redirect/filter ACL, portal URL
MAB
Continue Host Acquires IP Address, Triggers Session State
4
Central
Host Opens Browser – Switch redirects browser to ISE CWA page
Web Auth 5
Login Page AUP
process, if
Host Sends Username/Password configured
Flex Auth: If host not found
6 Web Auth Success results in CoA
(MAB lookup fails), then
Continue to Authorization Session lookup—policy matched Server
MAB re-auth
Policy processing 7 Authorization dACL/VLAN returned.
authorizes
user
MAB Success
Wireless CWA Config
Status Rule Name Conditions Identity Source
Internal
MAB if Wireless_MAB then
Endpoints
Dot1X If Wireless_802.1X then AD1

PSN Guest if Guest then Guest
RADIUS Access-Request Employee if Employee then Employee
Username = 00-10-18-88-22-24
Password = 00-10-18-88-22-24 Default If no matches, then WEBAUTH
No Supplicant
[AVP: Airespace
url-redirectACL
= CWA]
MAB username
CWA Failed -> Continue
matches Matched
MatchedAuthZ
AuthZ Rule
Rule == Default
Guest
MAB = Internet_Only]
Wired CWA Config For Your
Reference
ip access-list extended PRE-AUTH-ACL
permit udp any any eq bootps Authentication Policy
permit udp any any eq domain
permit tcp any any eq http
permit tcp andy any eq https
ip access-list extended ACL-WEBAUTH-REDIRECT Internal
deny udp any any eq domain Endpoints
deny tcp any host PSN eq 8443
permit ip any any Dot1X If Wired_802.1X then AD1
dot1x pae-authenticator
mab
authentication order dot1x mab Authorization Policy
authentication event fail action next-method Status Rule Name Conditions Permissions
NAD IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

SWITCHPORT
PSN
Username = 00-10-18-88-22-24
No Supplicant
[AVP: dacl
url-redirect
= Internet_Only]
= CWA]
MAB
Central Web Authentication (CWA) with ISE
Switch DHCP/DNS ISE PSN
802.1X Timeout
802.1X Failure
1 MAB Unknown Device
Port Opens with
2limited access
Returns Default Policy with
3 URL Redirect + dACL/VLAN
Host Acquires IP Address via DHCP, triggers Session State
4 Host Opens Browser
5 URL Redirect ACL redirects HTTP to ISE
Switch prompt Login Page

6
7 AUP Process
User sends credential
Web Auth Authorized 8
Port Reauthenticated
10
CoA 9
MAB Reinitiates Authentication
11
MAB Request &
12 New ACL Policy Authorize
Applied AAA Server returns Policy
User
dACL + URL-Redirect for CWA
ip access-list extended ACL-DEFAULT

permit tcp any any eq 8905 802.1X Timeout
permit udp any any eq 8905 802.1X Failure
permit tcp any any eq 8080
permit udp any any eq bootps
permit udp any any eq bootpc
2 Port Opens with
limited access
Returns Default Policy with
permit udp any 3 any eq domain URL Redirect + dACL/VLAN
Host Acquires IP Address via DHCP, triggers Session State PRE-POSTURE-ACL
permit icmp any any permit udp any eq bootpc any eq bootps
4 5 URL Redirect
ACL redirects
Host Opens Browser permit HTTP
tcp any to
anyISE
eq 80
Switch prompt Login Page

permit tcp any any eq 8905 6
permit udp any any eq 8905
7 permit tcp any any eq 8080 AUP Process
ip access-list extended ACL-WEBAUTH-REDIRECT User sends credential permit tcp any any eq 8443
deny tcp any host <remediation server> eq www
Web permit icmp any any
Auth Authorized 8
permit tcp any any eq www deny ip any any deny ip any any
10 Port Reauthenticated
CoA 9
11
MAB Request &
Applied AAA Server returns Policy
User
BRKSEC-2044 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Sample ACLs for CWA Redirection
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
ip access-list extended ACL-WEBAUTH-REDIRECT
deny udp any eq bootpc any eq bootps
permit tcp any any eq http
deny udp any any eq domain
permit tcp any any eq https
deny tcp any host 10.1.1.100 eq 8080
permit tcp any host 10.1.1.100 eq 8080
deny tcp any host 10.1.1.100 eq 8443
permit ip any any
(deny ip any any)
Port ACL Redirect
or dACL ACL
DHCP x.x.x.x
DNS x.x.x.x
SSH x.x.x.x
FTP x.x.x.x
HTTP x.x.x.x
302: TCP/8443 10.1.1.100
HTTPS x.x.x.x
302: TCP/8443 10.1.1.100 PSN
TCP/8443 10.1.1.100 TCP/8443
10.1.1.100
Wired Device Registration Web Auth (DRW) Flow
802.1X Timeout
802.1X Failure
Calling-Station-ID=MAC, Service-Type=Call Check
Port Opens with
2limited access
Returns Policy with URL
3 Redirect + Redirect ACL + dACL
Host Acquires IP Address via DHCP, triggers Session State
5 URL Redirect ACL redirects HTTP to ISE
Optional AUP Page

6
7 AUP Process
User Accepts AUP
10
CoA 9
11
Calling-Station-ID=MAC, Service-Type=Call Check &
Applied ISE returns policy based on registered ID group match
Device
Wired CWA Config Matched AuthC Rule = MAB
ip access-list extended PRE-AUTH-ACL

permit udp any any eq bootps Authentication Policy
permit tcp any any eq http Status Rule Name Conditions Identity Source
permit tcp andy any eq https
ip access-list extended ACL-WEBAUTH-REDIRECT Internal
deny udp any any eq domain Endpoints
deny tcp any host PSN eq 8443
permit ip any any Dot1X If Wireless_802.1X then AD1
dot1x pae-authenticator
mab
authentication order dot1x mab Authorization Policy
authentication event fail action next-method
NAD IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

SWITCHPORT
PSN
Username = 00-10-18-88-22-24
No Supplicant
[AVP: url-redirect
dacl = Internet_Only]
= CWA]
CWA
MAB username
Failed -> Continue
matches Matched
MatchedAuthZ
AuthZ Rule
Rule == Default
Guest
MAB
Wireless CWA Config Matched AuthC Rule = MAB
Internal
Endpoints

PSN Guest if Guest then Guest
Username = 00-10-18-88-22-24
No Supplicant
[AVP: Airespace
url-redirectACL
= CWA]
CWA
MAB username
Failed -> Continue
matches Matched
MatchedAuthZ
AuthZ Rule
Rule == Default
Guest
MAB = Internet_Only]
Wireless DRW Flow
Wireless Controller DHCP/DNS ISE PSN
Open SSID with MAC Filtering enabled

Calling-Station-ID=MAC, Service-Type=Call Check
MAC Filtering Unknown Device
1
ISE Returns Policy with 2
3 URL Redirect to DRW +
Host Acquires IP Address via DHCP Redirect ACL
5 URL Redirect ACL redirects HTTP to ISE DRW
Optional AUP Page

6
7 AUP Process
User Accepts AUP
10
CoA 9
11
Calling-Station-ID=MAC, Service-Type=Call Check &
Applied ISE returns policy based on registered ID group match
Device
Example of Profiling Flow with multiple probes
SNMP Query, SNMP Trap, RADIUS, DHCP Helper
Device Authenticator ISE

authentication order dot1x mab
Initial Attempt
Link-State trap if configured
Open Mode: Time when MAC
address is moved to FWD state MAC-Notification Trap
30 sec to
MAC-Notification Trap is sent if start SNMP Query
configured
DCHP Discovery / Request DHCP Helper

Primary Key:
00:11:22:33:44:55:66
EAPOL / ID-Req Attributes
802.1X Username:00:11:22:33:44:55:66 Switch IP
(max-reauth-req +1) x tx-timer Password: 00:11:22:33:44:55:66 Port ID
MAB CDP Info
802.1X times out VLAN Data
Authorized Access-Accept Session Data
DHCP Options
SNMP Query
SNMP Response
Point of Profiling
Profiling without Probes
Direct Profiling using Client Provisioning (Posture Agent or NSP)
PSN
Access Device
User authenticates HTTP GET http://www.google.com
and opens browser RADIUS: URL Redirect=Client Provisioning / Posture
Client
https://psn:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp Provisioning
captures user
HTTP Response: “Please Reconnect”
agent and MAC
RADIUS: CoA = Session Terminate
address from
EAP Exchange SessionID
User re-auth
RADIUS: Access Accept: AVP=Permit Access
HTTP GET http://www.google.com
HTTP RESPONSE http://www.google.com
Probeless Profiling Matched AuthC Rule = Dot1X
Wireless 802.1X with Posture Example
Rule Name Conditions Identity Source
 Employee with iPad connects to corp SSID and logs in
using AD account ‘employee’ Internal
Endpoints
 Device type Unknown, so hit Emp_NonCompliant rule.
 Employee redirected to Client Provisioning/Posture
 OS detection performed to determine CP policy Default if <no match> then AD1_Internal
 User agent captured—iPad not supported for posture
agent so ISE send CoA w/session terminate. Endpoint Profile = iPad Authorization Policy
 Endpoint user-agent and other data written to db using
Rule Name Conditions Permissions
MAC address from Session ID lookupProfile=iPad!
 On reconnect, match profile=iDevice and Employee. IP Phones if Cisco-IP-Phone then Cisco_IP_Phone
NAD BYOD if iDevice and Employee then Internet

PSN Employee if PC and Employee then Full_Access
Guest if Guest then Internet
RADIUS Access- Employee and

Emp_NonCompliant If then Posture
Request NonCompliant
EAP Request = PEAP
iPad Default If <no matches then CWA_Posture
RADIUS
CoA
PEAP [AVP: url-redirect
Airespace
Terminate Session ACL
= CPP]
= Internet_Only]
User
802.1X
Agent
success
+ MAC
using
Captured
PEAP Matched
Matched
AuthZ Rule
AuthZ= Rule
Emp_NonCompliant
= BYOD
802.1X End User Authentication with Posture
802.1X Start ise.demo.local

1 EAPOL-Start
802.1X Authentication
EAPOL ID-Request
EAPOL ID-Response RADIUS-Request

Authorization
EAP Transaction
EAP-Success Access-Accept
Posture Status: Unknown RADIUS Authorization: EMPLOYEE-PRE-POSTURE
Access: Limited [cisco-av-pair] = dACL=PRE-POSTURE-ACL
2 [cisco-av-pair] = url-redirect-acl=REDIRECT-ACL
Posture Start [cisco-av-pair] = url-redirect=https://ISE.DEMO.LOCAL:8443/
Posture Discovery URL-Redirect guestportal/gateway?sessionId=SessionIdValue&action=cpp
Discovery
Posture
Redirect 302: https://ISE.DEMO.LOCAL:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

URL-Redirect
https://ISE.DEMO.LOCAL:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp to Discovery
Redirect 302: https://ISE.DEMO.LOCAL:8905/auth/discovery?sessionId=SessionIdValue
(user agent =
NAC Agent)
https://ISE.DEMO.LOCAL:8905/auth/discovery?sessionId=SessionIdValue
Posture/Downloader URL
Flow continues to next slide
802.1X End User Authentication with Posture
Assessment EAP-Success Access-Accept ise.demo.local

Posture Start
Posture Discovery
Posture
Posture Negotiation, Agent Updates SWISS UDP/8905

3 Posture Request / Requirement HTTPS TCP/8905
Posture Report (Result: Compliant) SWISS UDP/8905
4
CoA + ReAuth
Change of Authorization Request
CoA ACK/NAK
802.1X Re-Authentication
Posture Status: Compliant
Access: Full-Access Access-Accept
Assessmen
5 Reassessment
Posture Status SWISS UDP/8905
Posture Compliant
Re-
Adding Posture to the Authorization Policy
AGENT-REDIRECT (local to Switch) Rule Name Conditions Permissions
ip access-list extended AGENT-
REDIRECT IP Phones if Cisco-IP-Phone then Cisco_IP_Phone
deny udp any any eq domain
permit tcp any any eq www Employee_ Employee &
if then Posture
NoCompliant Posture != Compliant
PRE-POSTURE-ACL (downloaded) Employee &
Employee if then Employee
permit udp any any eq domain Posture = Compliant
permit icmp any any
permit tcp any host 10.1.1.3 eq 8443 GUEST if GUEST then GUEST
permit udp any host 10.1.1.3 eq 8905 Default If no matches, then WEBAUTH
NAD
SWITCHPORT
PSN
Matched Rule =
Employee_NoCompliant
[cisco-av-pair] = dACL=PRE-POSTURE-ACL
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-
redirect=https://ISE:8443/guestportal/gateway?sessionId=S
essionIdValue&action=cpp
Adding Posture to the Authorization Policy
Permit-All (downloaded ACL) IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

permit ip host any
Employee_ Employee &
if then Posture
NoCompliant Posture != Compliant
Employee &
Posture = Compliant
GUEST if GUEST then GUEST
Default If no matches, then WEBAUTH
NAD
SWITCHPORT
PSN
[TLS] Posture communication Matched Rule = Employee

RADIUS CoA
[cisco-av-pair] = dACL=Permit-All
BYOD AuthZ Policy
Single SSID – Employee using PEAP GUEST if GUEST then GUEST
Open Rule if Wireless_MAB then WEBAUTH

1. Any PEAP authentications:
– Send directly to Native Supplicant Provisioning. Network Access:EapTunnel
PEAP if then Supp-Provision
EQUALS PEAP
2. Add CWA to Open SSID Employee if
Employee & EAP-TLS &
then Employee
Certificate SAN = MAC_Addr
– Need to know who they are, and IF we should provision them.
Default If no matches, then Deny Access
Matched Rule = PEAP…
Redirect to Supplicant Provisioning…
PSN
SSID = CORP
PEAP MSHACPv2 – EAP-ID = Employee1
[cisco-av-pair] = url-redirect
Employee =https://ISE:8443/guestportal/gateway?sessionId=Sessi
onIdValue&action=nsp
BYOD AuthZ Policy
Dual SSID – Employee using CWA GUEST if GUEST then GUEST

EQUALS PEAP
then Employee
Matched Rule = Open Rule…
Send HTTP traffic to CWA Portal.
PSN
SSID = GUEST
[AVP: 00.0a.95.7f.de.06 ]
onIdValue&action=cwa
BYOD AuthZ Policy
Dual SSID – Employee using CWA GUEST if GUEST then GUEST

EQUALS PEAP
then Employee
Employee Authentication
Succeeded...
PSN
User != Guest
SSID = GUEST
RADIUS Access-Request Start Self-Provisioning Flow
[AVP: 00.0a.95.7f.de.06 ]
onIdValue&action=cwa
BYOD AuthZ Policy
Dual SSID – Guest using CWA GUEST if GUEST then GUEST

EQUALS PEAP
then Employee
Guest Authentication Succeeded...
Send CoA…
PSN
User = Guest
SSID = GUEST
Change of Authorization Request Bypass Self-Provisioning Flow
CoA ACK/NAK
[AVP: 00.0a.95.7f.de.06 ]
GUEST
BYOD AuthZ Policy
Dual SSID – Select Employees using CWA GUEST if GUEST then GUEST
EmpWebAuth if Employee & Guest-Flow then Supp-Provision

– Send directly to Native Supplicant Provisioning. Open Rule if Wireless_MAB then WEBAUTH
Network Access:EapTunnel
2. Add CWA to Open SSID PEAP if then Supp-Provision
EQUALS PEAP
– Need to know who they are, and IF we should provision them. Employee & EAP-TLS &
Matched Rule = Open Rule… Default If no matches, then Deny Access
Send HTTP traffic to CWA Portal...
PSN
SSID = GUEST
[AVP: 00.0a.95.7f.de.06 ]
[cisco-av-pair] = url-redirect=https://ISE:8443
Employee /guestportal/gateway?sessionId=SessionIdValue&action=cwa
BYOD AuthZ Policy
Dual SSID – Select Employees using CWA GUEST if GUEST then GUEST
EmpWebAuth if Employee & Guest-Flow then Supp-Provision

– Send directly to Native Supplicant Provisioning. Open Rule if Wireless_MAB then WEBAUTH
Network Access:EapTunnel
2. Add CWA to Open SSID PEAP if then Supp-Provision
EQUALS PEAP
– Need to know who they are, and IF we should provision them. Employee & EAP-TLS &
Employee Authentication Succeeded… Default If no matches, then Deny Access

Send CoA…
Start Native Supplicant Provisioning…
PSN
User != Guest
SSID = GUEST
Self-Provisioning Flow Disabled;
Change of Authorization Request Continue normal CWA processing
CoA ACK/NAK
[AVP: 00.0a.95.7f.de.06 ]
Employee
[cisco-av-pair] = url-redirect-acl=ACL=NSP-ACL
[cisco-av-pair] = url-redirect=
https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=nsp
BYOD AuthZ Policy
Post-Supplicant Provisioning GUEST if GUEST then GUEST
1. Trigger Native Supplicant Provisioning Open Rule if Wireless_MAB then WEBAUTH

– PEAP-MSCHAPv2 (Single SSID) Network Access:EapTunnel
– CWA to Open SSID (Dual SSID) EQUALS PEAP
2. Reconnect using EAP-TLS Certificate SAN = MAC_Addr
Matched Rule = PEAP…
Redirect to Supplicant Provisioning…
PSN
SSID = CORP
PEAP MSHACPv2 – EAP-ID = Employee1
[cisco-av-pair] = url-redirect=
Employee https://ISE:8443/guestportal/gateway?sessionId
=SessionIdValue&action=nsp
BYOD AuthZ Policy
Post-Supplicant Provisioning GUEST if GUEST then GUEST
1. Trigger Native Supplicant Provisioning Open Rule if Wireless_MAB then WEBAUTH

– PEAP-MSCHAPv2 (Single SSID) Network Access:EapTunnel
– CWA to Open SSID (Dual SSID) EQUALS PEAP
2. Reconnect using EAP-TLS Certificate SAN = MAC_Addr
Suppliant Provisioning Completes…
Send CoA (Session Terminate)…
PSN
SSID = CORP
NATIVE SUPPLICANT PROVISIONING
EAP-TLS - CN = Employee1
Change of Authorization Request
CoA ACK/NAK
Employee
RADIUS Access-Accept Note: Once registered via NSP, ID group statically set to
RegisteredDevices. Recommend use profile attribute, not ID
BRKSEC-2044
groups, to match profileCisco
© 2013 Cisco and/or its affiliates. All rights reserved.
inPublic
Authorization Policy! 34
Native Supplicant Provisioning (iOS Use-Case)
PSN
Employee ISE / SCEP Proxy RegisteredDevices CA / SCEP Server
SSID = BYOD-Open / CWA CENTRAL_WEB_AUTH state

Device Registration
HTTPS to the NSP Portal
ISE sends CA certificate to endpoint for trust with OTA

User clicks register.
ISE sends Profile Service to iOS Device Device Enrollment

CSR is Generated Encrypted Profile Service:
on iOS https://ISE:8905/auth/OTAMobileConfig?sessionID
CSR sent to ISE
SCEP to MS Cert Authority Device Certificate Issued
Certificate sent to ISE CN = 74ba333ef6548dfc82054d0c7fec36e6ddddcbf1#employee1
ISE sends Device Certificate to iOS Device SAN = 00-0a-95-7f-de-06
Device Provisioning
CSR sent to ISE SCEP to MS Cert Authority
Certificate sent to ISE User Certificate Issued

CN = Employee
ISE sends User Certificate to iOS Device
SAN = 00-0a-95-7f-de-06
Signing Cert + User Cert: Wi-Fi Profile + EAP-TLS configured
SSID = CTS-CORP / EAP-TLS Connect using EAP-TLS

RUN state Access-Accept
NSP (Android Use-Case)
PSN
RegisteredDevice
Employee Wireless Controller ISE / SCEP Proxys CA / SCEP Server Google Play
SSID = BYOD-Open / CWA CWA Redirect / Redirect ACL = CWA Device Registration
CENTRAL_WEB_AUTH state
User opens browser
Redirect to ISE for CWA
CWA login
CWA login successful / Redirect to NSP Portal

User clicks Register
CoA to WLC
Sample WLC ACL: ALLOW_GOOGLE
permit udp any any dns
Download SPW
Redirect browser to http://play.google.com (Session:DeviceOS=Android) permit tcp any <ISE_PSN>
Access-Request deny ip any <internal_network>
permit tcp any 74.125.0.0 255.255.0.0
SUPPLICANT_PROVISIONING state NSP Redirect / Redirect ACL = ALLOW_GOOGLE permit tcp any 173.194.0.0 255.255.0.0
permit tcp any 206.111.0.0 255.255.0.0
Download Supplicant Provisioning Wizard (SPW) app from Google Playstore
deny ip any any
User installs application and launches

Device Provisioning
App sends request to http://DFG/auth/discovery Redirect Discovery to ISE
ISE sends Device BYOD_Profile to Android Device
CSR sent to ISE SCEP to MS Cert Authority
Certificate sent to ISE User Cert Issued

ISE sends User Certificate to Android Device
SSID = CTS-CORP / EAP-TLS CN = Employee

Connect using EAP-TLS SAN = 00-0a-95-7f-de-06
Access-Accept
RUN state

ISE Auth-Feature Flows - v1

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISE Auth-Feature Flows - v1

Uploaded by

Copyright:

Available Formats

Collection of ISE Auth and Service Flows

Craig Hyps, Principal Engineer

Layer 2 Point-to-Point Layer 3 Link

EAP-Response Identity: Alice

EAP-Request: PEAP RADIUS Access-Challenge

Layer 2 Point-to-Point Layer 3 Link

EAPoL Request Identity

EAP-Response Identity: Alice

EAPoL: EAP Request-Identity

EAPoL: EAP Request-Identity

EAPoL: EAP Request-Identity

Timeout/ •Open SSID

MAB 2 Port Enabled,

MAB Host Acquires IP Address, Triggers Session State

Local Host Opens Browser

Flex Auth: After timeout or Switch Queries AAA Server Server

IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

RADIUS Access-Request Guest if Guest then Guest

EAPoL: EAP Request-Identity

EAPoL: EAP Request-Identity

EAPoL: EAP Request-Identity

Time until endpoint

First authentication session

Host Opens Browser – Switch redirects browser to ISE CWA page

First authentication session

IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

NAD BYOD if BYOD and Employee then Employee

NAD IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

Switch prompt Login Page

ip access-list extended ACL-DEFAULT

Switch prompt Login Page

Optional AUP Page

ip access-list extended PRE-AUTH-ACL

NAD IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

NAD BYOD if BYOD and Employee then Employee

Open SSID with MAC Filtering enabled

Optional AUP Page

Device Authenticator ISE

DCHP Discovery / Request DHCP Helper

HTTP GET http://www.google.com

HTTP RESPONSE http://www.google.com

NAD BYOD if iDevice and Employee then Internet

RADIUS Access- Employee and

Layer 2 Point-to-Point Layer 3 Link

802.1X Start ise.demo.local

EAPOL ID-Response RADIUS-Request

Redirect 302: https://ISE.DEMO.LOCAL:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

Layer 2 Point-to-Point Layer 3 Link

Assessment EAP-Success Access-Accept ise.demo.local

Posture Negotiation, Agent Updates SWISS UDP/8905

Posture Report (Result: Compliant) SWISS UDP/8905

Change of Authorization Request

Permit-All (downloaded ACL) IP Phones if Cisco-IP-Phone then Cisco_IP_Phone

GUEST if GUEST then GUEST

Default If no matches, then WEBAUTH

[TLS] Posture communication Matched Rule = Employee

Open Rule if Wireless_MAB then WEBAUTH

Redirect to Supplicant Provisioning…

Open Rule if Wireless_MAB then WEBAUTH

Send HTTP traffic to CWA Portal.