
Configure EasyConnect on ISE 2.1 Contents

Introduction
Prerequisites
Requirements
Components Used
Background Information
EasyConnect Feature Information
EasyConnect Process Flow
EasyConnect Feature Limitations
Configure ISE
Join ISE 2.1 to Active Directory
Configure Authorization Profiles
Configure EasyConnect
Configure Identity Mapping
Configure Switch
Verify
Switch
Identity Services Engine
MS Active Directory
Troubleshoot
Debugs on ISE
Typical Issues
Issue 1. Active directory is not showing Event 4768
Issue 2. Cannot connect to AD from Identity Mapping
Issue 3. Secure Access rule is not triggered

Introduction

This document describes how to configure EasyConnect authentication with Identity Services Engine (ISE) 2.1. ISE uses Microsoft Active Directory (AD) as an external identity store that holds resources such as users, machines, groups and attributes.

Contributed by Eugene Korneychuk and Harisha Gunna, Cisco TAC Engineers.

Prerequisites

Requirements

This document assumes that there is full IP connectivity between the switch, AD, ISE and the Windows 7 workstation, and that the ISE server is bootstrapped.

Components Used

The information in this document is based on these software and hardware versions:

● Cisco Identity Services Engine 2.1
● Cisco 3750X switch with IOS® Software Release 15.0(1)SE2
● Microsoft Windows Server 2008 R2
● Microsoft Windows 7 Workstation

Background Information

EasyConnect Feature Information

EasyConnect provides port-based authentication similar to 802.1X, but it is easier to implement. EasyConnect learns about the authentication from Active Directory and provides session tracking for active network sessions. Session Directory notifications can be published with pxGrid.

Both EasyConnect and 802.1X can be configured on the same port, but you must have a different ISE policy for each service. EasyConnect is supported in High Availability mode. It is recommended to have dedicated PSNs for WMI; best practice is to have two PSNs, one active and the second in standby.

All of the PSNs receive the data from the DC, but only one is set as the master and forwards the events to the MnT. The PSNs elect the active one and automatically handle promotion of the standby in case of a failure. The election of the primary PSN by the PassiveID Management service is transparent.

EasyConnect Process Flow

The switch is configured for MAB, which sends an authentication request to the PSN. The PSN replies with limited access, which allows the user to authenticate with Active Directory. The authenticating PSN forwards the information about the MAB authentication and the RADIUS accounting start and interim/stop messages to MnT. The primary PSN (which might not be the authenticating PSN; it is the PSN elected as primary by the PassiveID Management Service) forwards the WMI authentication events to MnT. Once all the data is collected and merged in the session directory by MnT, MnT proxies a CoA request to the authenticating PSN, which forwards the CoA to the NAD and re-evaluates the user for authorization.

EasyConnect Feature Limitations

● EasyConnect cannot be used with the BYOD use case.
● Supports only Cisco devices.
● Endpoint logoff events are not supported.

To configure AD to support the passive identity service, refer to this link: Active Directory Requirements to Support Passive Identity Service

The required permissions differ depending on whether the AD user is a member of the Domain Admins group or not.

Configure ISE

Join ISE 2.1 to Active Directory

1. Navigate to Administration > Identity Management > External Identity Stores > Active Directory > Add. Provide the Join Point Name and Active Directory Domain and click Submit.

2. When prompted to Join all ISE Nodes to this Active Directory Domain, click Yes.

3. Provide the AD User Name and Password and click OK.

The AD account used for domain access in ISE should have either of these:

● The Add workstations to domain user right in the corresponding domain.
● The Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ISE machine account is created before joining the ISE machine to the domain.

Tip: Cisco recommends disabling the lockout policy for the ISE account and configuring the AD infrastructure to send alerts to the admin if a wrong password is used for that account. If a wrong password is entered, ISE does not create or modify its machine account when necessary and may therefore deny all authentications.

4. Review the Operation Status; the Node Status should show as Completed. Click Close.

5. The status of AD should be Operational.

6. Navigate to Groups > Add > Select Groups From Directory > Retrieve Groups. Select the checkboxes for the AD Groups to be referenced in the authorization policy.

Note: User hargadmin is a member of the Domain Users AD Group. After the reassessment is made, the Domain Users membership is used in the Authorization condition.

7. Click Save to save the retrieved AD Groups.

Configure Authorization Profiles

1. Create an Authorization Profile for Limited Access. Navigate to Policy > Results, select Authorization > Authorization Profiles and add a new one named LimitedAccess:

a) Check the box for Passive Identity Tracking

b) Add the DACL Name and choose the Limited Access DACL allowing DNS, DHCP, ISE and DC access from the drop-down list

c) Save

2. Create an Authorization Profile for the other desired access and save it. Passive Identity Tracking does not need to be enabled on any other Authorization Profile, only on the one for the initial access.

Configure EasyConnect

1. Enable Identity Mapping on your Policy Service node. Navigate to Administration > Deployment, select a node and, under General Settings, check Enable Identity Mapping.

2. Create a Policy Set. Navigate to Policy > Policy Sets and create a new policy set named Ezconnect. Then add these policies:

a) Create an Authentication Policy named EzconnectAuth with condition Wired_MAB.

b) Create an Authorization Policy named Domain_Users with condition AD:ExternalGroups EQUALS example.com/Users/Domain Users.

c) Create an Authorization Policy named Ezconnect_Limited with condition Wired_MAB.

As a result of the Limited Access profile, access to AD should be granted.

Configure Identity Mapping

Navigate to Administration > PassiveID > AD Domain Controller. Click Add. In the General Settings section, enter the Display Name, Domain FQDN and Host FQDN of the DC. In the Credentials section, enter the Username and Password for the DC. Click Save. An updated table is displayed with the newly defined DC included in the list of DCs. The status column indicates the state of each DC.

(Optional) Test the connection to the specified domain by clicking Verify DC Connection Settings. This test ensures that the connection to the DC is healthy; however, it does not check whether Cisco ISE can fetch the user information upon login. Click Save.

Configure Switch

This configuration ensures that the switch performs MAB authentication for the clients connected on port FastEthernet1/0/23.

aaa new-model
!
aaa group server radius ISE-group
 server name PSN1
 server name PSN2
!
aaa authentication dot1x default group ISE-group
aaa authorization network default group ISE-group
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE-group
!
aaa server radius dynamic-author
 client 10.201.228.86 server-key 7 0822455D0A16
 client 10.201.228.87 server-key 7 094F471A1A0A
!
interface FastEthernet1/0/23
 switchport access vlan 903
 switchport mode access
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server PSN1
 address ipv4 10.201.228.86 auth-port 1812 acct-port 1813
 key 7 13061E010803
!
radius server PSN2
 address ipv4 10.201.228.87 auth-port 1812 acct-port 1813
 key 7 00071A150754

Verify

Switch

After successful authentication, both the username and the IP address should be seen on the switch.

Switch#show authentication sessions interface fastEthernet 1/0/23 details
           Interface:  FastEthernet1/0/23
         MAC Address:  3c97.0e52.3fd3
        IPv6 Address:  Unknown
        IPv4 Address:  10.229.20.122
           User-Name:  admin
              Status:  Authorized
              Domain:  DATA
      Oper host mode:  single-host
    Oper control dir:  both
     Session timeout:  N/A
   Common Session ID:  0AE514F000000017011140BC
     Acct Session ID:  0x00000009
              Handle:  0xFC000007
      Current Policy:  POLICY_Fa1/0/23

Local Policies:
       Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
      Method           State
      mab              Authc Success
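The two things the Verify step looks for in this output are a User-Name that is no longer the MAC address and a learned IPv4 address, because both must be present before the AD logon can be merged into the session and the CoA sent. The following Python script is an added example (not part of the Cisco document) that parses this output and reports which precondition is missing; the sample text is a constructed copy of the output above, and the "before CoA" variant, the field regexes and the finding messages are the example's own assumptions.

```python
import re

# Constructed sample: the 'show authentication sessions ... details' output from the
# Verify section above, trimmed to the fields this check needs (state after the CoA).
SESSION_AFTER_COA = """\
           Interface:  FastEthernet1/0/23
         MAC Address:  3c97.0e52.3fd3
        IPv6 Address:  Unknown
        IPv4 Address:  10.229.20.122
           User-Name:  admin
              Status:  Authorized
              Domain:  DATA
      Oper host mode:  single-host
Method status list:
      Method           State
      mab              Authc Success
"""

# Constructed sample of the same session before the AD logon has been merged (assumption):
# MAB leaves the MAC address as the User-Name, and the switch has not learned an IP yet.
SESSION_BEFORE_COA = (
    SESSION_AFTER_COA
    .replace("User-Name:  admin", "User-Name:  3c970e523fd3")
    .replace("IPv4 Address:  10.229.20.122", "IPv4 Address:  Unknown")
)

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s+(.*?)\s*$")   # "key:  value" lines
METHOD_RE = re.compile(r"^\s*(mab|dot1x)\s+(.+?)\s*$")         # rows of the method status list


def parse_session(text):
    """Turn the 'key:  value' lines into a dict; method states go under 'methods'."""
    session = {"methods": {}}
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            session["methods"][m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            session[m.group(1).strip()] = m.group(2)
    return session


def _plain_mac(value):
    """Normalise '3c97.0e52.3fd3', '3c-97-0e-52-3f-d3' or '3c970e523fd3' to bare lowercase hex."""
    return re.sub(r"[.:-]", "", value).lower()


def easyconnect_findings(session):
    """Return a list of problems; an empty list means the session matches the Verify section."""
    findings = []
    if session["methods"].get("mab") != "Authc Success":
        findings.append("MAB did not succeed: check the Ezconnect_Limited rule and RADIUS reachability")
    if session.get("Status") != "Authorized":
        findings.append("session is not Authorized")
    if session.get("IPv4 Address", "Unknown") == "Unknown":
        findings.append("no IPv4 address learned on the port, so the switch cannot report "
                        "Framed-IP-Address to ISE (compare Issue 3 under Troubleshoot)")
    user = session.get("User-Name", "")
    if not user or _plain_mac(user) == _plain_mac(session.get("MAC Address", "")):
        findings.append("User-Name is still the MAC address: the AD logon (Event 4768) has not "
                        "been merged into the session yet, so no CoA was sent")
    return findings


if __name__ == "__main__":
    for label, text in (("after CoA", SESSION_AFTER_COA), ("before CoA", SESSION_BEFORE_COA)):
        print(label + ":", easyconnect_findings(parse_session(text)) or "OK")
```

Run against the "before CoA" sample, the script reports exactly the two gaps that map to Issues 1 and 3 in the Troubleshoot section; against the output shown above it reports none.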

Identity Services Engine

ISE should show multiple reports. The logs are described starting from the bottom one:

1. The machine is authenticated via MAB. The Limited Access Authorization Profile is assigned, which allows ICMP, DNS and access to AD;

2. The DACL with limited privileges is downloaded to the NAD;

3. ISE learns the username via WMI (from the IP-to-username mapping on AD) and the AD groups of the user via LDAP from AD. Since there is an Authorization Rule and ISE has learned new data matching its condition, a CoA is initiated.

4. As a result of the CoA, user admin gets the Secure Access Authorization Profile.

Live Log screenshot

Live Sessions screenshot

MS Active Directory

In Event Viewer, Events 4768 and 4769 should be seen; they are the result of a successful user authentication.

Troubleshoot

Debugs on ISE

To review the WMI logs on the PSN, change the logging level of the PassiveID component to debug.

The passiveid-mgmt.log file shows which PSN is elected as primary:

psn1-21/admin# sh logging application passiveid-mgmt.log tail
2016-07-04 21:34:15,856 INFO [admin-http-pool187][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: The node 'psn2-21.example.com' was selected as primary.
2016-07-04 21:34:15,856 INFO [admin-http-pool187][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: This node (psn1-21.example.com ) was selected as standby.

Based on the above, review the psn2-21 logs for the WMI authentication, and, since psn1-21 is handling the authentication request from the NAD, review the psn1-21 logs for the MAB authentication.

The passiveid.log file from psn2-21 gives the details of the WMI authentication event:

psn2-21/admin# sh logging application passiveid.log tail
, Identity Mapping.dc-domainname = example.com , Identity Mapping.dc-connection-type = Current events , Identity Mapping.dc-name = ez_example , Identity Mapping.dc-host = win-e78u0frcjd6.example.com/10.201.228.91 ,
2016-07-04 21:42:00,592 DEBUG [Thread-10][] com.cisco.cpm.cda- Received login event. Identity Mapping.ticket =
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 20, 128, 96, 0, 0, 0, 112, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 76, 0, 3, 0, 0, 0, 0, 0, 20, 0, 69, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 24, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 61, 2, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 14339;
CategoryString = "Kerberos Authentication Service"; ComputerName = "WIN-E78U0FRCJD6.example.com"; EventCode = 4768; EventIdentifier = 4768; EventType = 4;
InsertionStrings = {"hargadmin", "EXAMPLE", "S-1-5-21-4290790397-2086052146-77444135-1113", "krbtgt", "S-1-5-21-4290790397-2086052146-77444135-502", "0x40810010", "0x0", "0x12", "2", "::ffff:10.201.228.104", "56060", "", "", " "}; Logfile = "Security"; \nAdditional Informatio60ffff:10.201.228.10452146-77444135-502requested. \nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120."; RecordNumber = 372847;
SourceName = "Microsoft-Windows-Security-Auditing"; TimeGenerated = "20160704214131.733498-000"; TimeWritten = "20160704214131.733498-000"; Type = "Audit Success"; }; TIME_CREATED = "131121420933871015"; };
, Identity Mapping.dc-domainname = example.com , Identity Mapping.dc-connection-type = Current events , Identity Mapping.dc-name = ez_example , Identity Mapping.event-user-name = hargadmin , Identity Mapping.dc-host = win-e78u0frcjd6.example.com/10.201.228.91 , Identity Mapping.server = psn2-21 , Identity Mapping.event-ip-address = 10.201.228.104 ,
2016-07-04 21:42:01,510 DEBUG [Thread-15][] com.cisco.cpm.cda- Forwarded login event to ISE session directory. Identity Mapping.dc-domainname = example.com , Identity Mapping.event-user-name = hargadmin , Identity Mapping.dc-host = win-e78u0frcjd6.example.com/10.201.228.91 , Identity Mapping.server = psn2-21 , Identity Mapping.event-ip-address = 10.201.228.104 ,
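The log above shows where the IP-to-username mapping comes from: the PSN receives the Event 4768 record over WMI, and the user name and client address it forwards to the session directory (event-user-name = hargadmin, event-ip-address = 10.201.228.104) are read out of the event's InsertionStrings. The following Python script is an added example, not ISE code, that performs that extraction on a constructed copy of the Win32_NTLogEvent dump above. The field positions follow Microsoft's documented layout of Event 4768 (target user, target domain, result code, client address); the result-code and computer-account filters are the example's own assumptions about what a sensible mapping should ignore, and the failed-request and machine-account variants are constructed.

```python
import re
import ipaddress

# Constructed sample, condensed from the Win32_NTLogEvent dump in the passiveid.log excerpt
# above: same event code, user, domain, SIDs, result code and client address; other fields dropped.
SAMPLE_4768 = '''instance of Win32_NTLogEvent
{
Category = 14339;
CategoryString = "Kerberos Authentication Service"; ComputerName = "WIN-E78U0FRCJD6.example.com";
EventCode = 4768; EventIdentifier = 4768; EventType = 4;
InsertionStrings = {"hargadmin", "EXAMPLE", "S-1-5-21-4290790397-2086052146-77444135-1113",
"krbtgt", "S-1-5-21-4290790397-2086052146-77444135-502", "0x40810010", "0x0", "0x12", "2",
"::ffff:10.201.228.104", "56060", "", "", " "}; Logfile = "Security";
SourceName = "Microsoft-Windows-Security-Auditing"; TimeGenerated = "20160704214131.733498-000";
Type = "Audit Success"; };
'''

# Constructed variants (assumptions): the same request with a failure result code
# (0x18, pre-authentication failed) and a TGT request issued by a computer account.
SAMPLE_4768_FAILED = SAMPLE_4768.replace('"0x0"', '"0x18"', 1)
SAMPLE_4768_MACHINE = SAMPLE_4768.replace('"hargadmin"', '"WIN7-WS01$"', 1)

# Positions inside the Event 4768 insertion strings (Microsoft's documented field order).
TARGET_USER, TARGET_DOMAIN, RESULT_CODE, CLIENT_ADDRESS = 0, 1, 6, 9


def parse_ntlog_event(text):
    """Pull EventCode and InsertionStrings out of a WMI Win32_NTLogEvent text dump."""
    code = re.search(r"EventCode = (\d+);", text)
    strings = re.search(r"InsertionStrings = \{(.*?)\};", text, re.S)
    if not code or not strings:
        return None
    return {
        "event_code": int(code.group(1)),
        "insertion_strings": re.findall(r'"([^"]*)"', strings.group(1)),
    }


def login_mapping(event):
    """Return (user, domain, client IPv4) for a successful user TGT request, otherwise None."""
    if event is None or event["event_code"] != 4768:
        return None                      # only TGT requests carry the logon we want
    s = event["insertion_strings"]
    if len(s) <= CLIENT_ADDRESS or s[RESULT_CODE] != "0x0":
        return None                      # failed request (or truncated record): no mapping
    if s[TARGET_USER].endswith("$"):
        return None                      # computer account: not a user logon
    try:
        addr = ipaddress.ip_address(s[CLIENT_ADDRESS])
    except ValueError:
        return None                      # empty or malformed client address
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # the DC logs IPv4 clients as ::ffff:a.b.c.d
    return s[TARGET_USER], s[TARGET_DOMAIN], str(addr)


if __name__ == "__main__":
    for label, text in (("user logon", SAMPLE_4768), ("failed", SAMPLE_4768_FAILED),
                        ("machine", SAMPLE_4768_MACHINE)):
        print(label + ":", login_mapping(parse_ntlog_event(text)))
```

Only the first sample yields a mapping, ("hargadmin", "EXAMPLE", "10.201.228.104"), which is exactly the pair the Forwarded login event line above carries to the session directory; a failed request or a computer-account TGT produces none, which is also why Issue 1 below matters: without a successful 4768 on the DC there is nothing for the PSN to forward.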

Packet capture from psn1-21 (the PSN that is handling the MAB request). The packet capture shows the syslog data for the MAB authentication and accounting packets being forwarded to the MnT node.

Packet capture from psn2-21 (the PSN elected as primary by the PassiveID Management Service). This capture shows the primary PSN forwarding the WMI authentication pass syslog information to MnT.

Typical Issues

Issue 1. Active directory is not showing Event 4768

There can be multiple reasons for this:

1. Ensure that the Limited Access DACL allows the PC to contact Active Directory, so that this event is generated;

2. Ensure that the Audit Policy is correctly configured, so that the corresponding log is seen in Event Viewer; refer to the section Setting Audit Policy in this document.

Issue 2. Cannot connect to AD from Identity Mapping

The error displayed is:

"The connection was tested on 'Fibi.example.com' Identity Mapping active node. Connection to 'AD' failed. Unable to connect to the machine, please check the DC state"

This error is seen if the Administrator2 user does not have enough privileges; carefully verify that all settings required on AD are properly configured.

Issue 3. Secure Access rule is not triggered

1. Ensure you have a successful connection to AD; you can check the corresponding log in the Identity Mapping Report;

2. Ensure that the Framed-IP-Address attribute is received from the NAD; you can verify it with debug radius on the switch.