2013/11/13

Cisco ISE - part 3 - Prepare your switch for dot1x and Cisco ISE

The network switch and Cisco ISE communicate with each other through the RADIUS protocol, so the first step is to configure RADIUS support on the switch.

!
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius-server host ISE_IP_ADDRESS key RADIUS_KEY
!
radius-server vsa send accounting
radius-server vsa send authentication
!

With Cisco ISE you can enable the RADIUS Change of Authorization (CoA) feature. This means that Cisco ISE can trigger a change in a port's authorization status without a request from the switch; for example, ISE could force an authorized port back to the unauthorized state. The configuration on the switch is as below.

!
aaa server radius dynamic-author
 client ISE_IP_ADDRESS server-key RADIUS_KEY
!

You can also enable device tracking and DHCP snooping. Device tracking is required to support downloadable ACLs. The DHCP snooping command is optional; it is used for profiling services.

!
ip dhcp snooping
!
ip device tracking
!

To enable dot1x globally, use the following command.

!
dot1x system-auth-control
!

The commands above are all global commands. To enable authentication on a port, use the interface commands below.

!
!enable dot1x
!
dot1x pae authenticator
!
!enable MAB (MAC Authentication Bypass)
!
mab
!
!various authentication commands
!
authentication host-mode multi-auth
authentication periodic
authentication timer reauthenticate server
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
!

These are some of the configuration options you should use on the switch to work with Cisco ISE features. I recommend creating a configuration template for the global commands and another for the interface commands, and applying those templates to all LAN switches in the environment. If you do this right, the workload on the LAN segment drops significantly, since all policy is handled on Cisco ISE.
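A template only helps if every switch actually carries it, and it is easy for a port or a global line to drift. The Python script below is an added example, not part of the original post: it parses an IOS running-config (a constructed sample is embedded, with the IP address and key as placeholders) and reports which of the global and interface commands from the templates above are missing. Trunk ports are skipped, and the optional DHCP snooping and CoA lines are not checked. In practice you would feed it the `show running-config` output collected from each switch.

```python
import re

# Constructed sample running-config (not from a real device): one complete
# access port, one partially configured port, one trunk uplink, and
# "radius-server attribute 25" left out on purpose so the audit finds it.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server host 192.0.2.10 key EXAMPLE_KEY
radius-server vsa send accounting
radius-server vsa send authentication
ip device tracking
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 dot1x pae authenticator
 mab
 authentication host-mode multi-auth
 authentication periodic
 authentication timer reauthenticate server
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
!
interface GigabitEthernet1/0/2
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""

# Global commands the post lists as required for ISE integration.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "radius-server attribute 6 on-for-login-auth",
    "radius-server attribute 8 include-in-access-req",
    "radius-server attribute 25 access-request include",
    "radius-server vsa send accounting",
    "radius-server vsa send authentication",
    "ip device tracking",
    "dot1x system-auth-control",
]

# Per-port commands from the interface template.
REQUIRED_INTERFACE = [
    "dot1x pae authenticator",
    "mab",
    "authentication host-mode multi-auth",
    "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication port-control auto",
    "authentication violation restrict",
]

def parse_config(text):
    """Split IOS config text into top-level lines and per-interface child lines."""
    top, interfaces, current = [], {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:                                   # open an interface block
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:  # indented child of that block
            interfaces[current].append(line.strip())
        else:                                   # '!' or any other top-level line
            current = None
            if line and not line.startswith("!"):
                top.append(line)
    return top, interfaces

def audit_global(top):
    """Return the required global commands that are missing."""
    missing = [c for c in REQUIRED_GLOBAL if c not in top]
    if not any(l.startswith("radius-server host ") for l in top):
        missing.append("radius-server host <ISE_IP_ADDRESS> key <RADIUS_KEY>")
    return missing

def audit_interfaces(interfaces):
    """Map each non-trunk port to the template commands it lacks; complete ports are omitted."""
    report = {}
    for name, lines in interfaces.items():
        if "switchport mode trunk" in lines:
            continue                            # uplinks are not dot1x access ports
        missing = [c for c in REQUIRED_INTERFACE if c not in lines]
        if missing:
            report[name] = missing
    return report
```

On the sample, `audit_global` flags only the missing `radius-server attribute 25` line and `audit_interfaces` reports GigabitEthernet1/0/2 with seven missing commands, while the fully templated port and the trunk produce nothing. The exact-match comparison is deliberate: a port carrying `authentication host-mode single-host` instead of `multi-auth` is a drift from the template and should show up, not be tolerated as "some authentication configured".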






