My last post covered some of the bring-your-own-device (BYOD) issues companies are facing and how to use Cisco’s Identity Services Engine (ISE) to help define access restrictions, while still providing users a good experience. I also went through and demonstrated how this segmentation worked and how it was enforced on the wireless LAN controller (WLC).
As a reminder this is our example policy.
In this post, I am going to cover how to configure the WLC and ISE to enforce these policies. Let’s get started!
Wireless LAN Controller Configuration
On the WLC, we will configure the radius server(s), access control lists, and the SSID that the user will connect to.
1. From the WLC GUI go to Security->AAA->RADIUS->Authentication
2. Select New
3. From the WLC GUI go to Security->AAA->RADIUS->Accounting
4. Select New
5. Enter the IP Address of ISE
1. From the WLC GUI go to Security->Access Control Lists->Access Control Lists
2. Select New
3. Enter the desired name
Take note of this name as it will be needed to set up the ISE policy.
4. Select Apply
5. Now Select the Access-list that was just created
6. Enter the set of rules needed to provide the correct permissions
Let’s take some time to explain these rules.
Outbound means leaving the controller going toward the client. Inbound means coming into the controller from the client.
- Permit Any traffic – Outbound (same default action as a switch)
- Allow UDP DNS traffic to the internal DNS Server – Inbound
- Allow Any traffic to our ISE Server – Inbound
- Allow HTTPS to our Exchange OWA Server – Inbound
- Allow HTTP to our Exchange OWA Server – Inbound
- Deny Any to 10.0.0.0/8 – Inbound
- Deny Any to 192.168.0.0/16 – Inbound
- Deny Any to 172.16.0.0/12 – Inbound
- Permit Any to Any – Inbound
In summary, this access-list is allowing access to DNS, ISE and OWA, then blocking all private address space and then allowing access to everything. In effect, it’s blocking access to the internal network (assuming it is all private addresses) but allowing the device to go anywhere on the Internet.
1. From the WLC GUI go to WLANS
2. Either Create a new SSID or modify an existing one
Note: If you are editing an existing SSID, changes will disconnect devices.
3. Now under the SSID’s Security tab and enter the desired Layer 2 security settings
4. Now under the SSID’s Security, AAA Servers select your ISE Server(s)
5. Select Allow AAA Override and set NAC State to Radius NAC
These settings allow ISE to change the session information based on the policy match.
6. Click Apply to Save the changes
Before we move to ISE, let’s recap what has been configured.
1. ISE has been added into the WLC as a AAA server
2. The INET_Exchange access-list is staged on the controller with the desired access policy
3. The SSID has been set up for 802.1X authentication and ISE is allowed to change the session access privileges on-the-fly
Identity Services Engine Configuration
In ISE, we will be adding the WLC, configuring the identity sources, defining our user permissions, and lastly, setting up the authentication and authorization policies.
Network Access Devices
1. Add the WLC into ISE by going to Administration->Network Resources->Network Devices.
2. Select Add
3. Enter at a minimum the Name, Management Interface IP Address, and the RADIUS Shared Secret
4. Select Save
Certificate Authority (CA)
1. Add the Trusted Certificate Authority for your user Certificates Administration->Certificates->Certificate Store
2. Select Import
3. Browse to the Public key file for your CA
4. Select Trust for client authentication or Secure Syslog services
1. To add ISE to Active Directory go to, Administration->Identity Management->External Identity Sources->Active Directory
2. Enter your Domain Name
3. Give the Identity Store a friendly name in the Identity Store Name
4. Select the ISE server(s) in your deployment
5. Select Join and Enter a username and password combination with privileges to join a computer to the domain, select OK
6. Once joined, your server(s) should show a Connected To:
8. Select Add, Select Groups from the Directory
9. Search for your desired AD Groups and select them and select OK
10. Select Save Configuration
11. Your mapped groups will look something like the below image
Certificate Authentication Profile
12. Add a Certificate Authentication Administration->Identity Management->Certificate Authentication Profile
14. Enter a Name and select where you will find the AD ID of your users
15. Select Save
1. Policy->Authentication Policy
2. Insert a new Policy that has the following settings
A. Match on Wireless_802.1X
B. If EAP-TLS, use the Certificate Identity Store that was created
C. If Default, use the Active Directory Identity Store
3. Click Save
These can be created while creating the authorization policy, but I prefer to stage them ahead of time.
2. Navigate to the authorization profiles Policy->Policy Elements->Results
Then Authorization->Authorization Profiles
3. Select Add
4. Enter a Name for the BYOD permission and the guest VLAN ID
5. Scroll down and select Save
6. Repeat for the other Computer Policy. Note: If the VLAN on the controller and the desired VLAN is the same, it is not required to be set here
7. Repeat for the Mobile Device Policy, defining the access-list we set up on the WLC
1. Insert a new authorization policy Policy->Authorization Policy
2. Add a new policy for PEAP-BYOD matching PEAP (EAP-MSCHAPv2) and Domain Users with the Permission of the BYOD Profile
3. Repeat for the Mobile Policy matching EAP-TLS and Domain User defining your Mobile Device Permission
4. Repeat for the Computer Policy matching EAP-TLS and Domain Computer defining your Computer Permission
When you are finished, your policy should look something like this.
For a cleaner looking policy:setup conditions
We walked through a bare minimum ISE configuration. This will allow the WLC to authenticate the device to either Active Directory or use the certificate it was issued from the company certificate authority. When the device connects, we will also be able to take the information available to define a precise policy to get the user the permission that was defined by the security policy.
As you have seen, ISE is highly customizable and can be complicated at times. But with the right knowledge and set of skills, it can be your Swiss Army knife of network access tools. It allows you to craft an access policy that is unique for your requirements. I hope this information gets you thinking about your network access polices and offers ideas for using these tools to help mitigate organizational risk.