RADIUS - Cisco Identity Service Engine (ISE)
Introduction

This document describes the configuration of the Cisco Identity Services Engine (ISE) integration with Nile Service Blocks (NSB).

Overview

Cisco Identity Services Engine (ISE) is an identity-based network access control and policy enforcement system. A Nile Service Block can be integrated with ISE using the RADIUS protocol for wireless authentication: 802.1X, MAB, guest portal, BYOD and Change of Authorization (CoA).

Prerequisites

- Cisco Identity Services Engine (ISE) version 2.7 or higher
- Connectivity between the Nile gateway and ISE over the RADIUS port

1) ISE pre-configurations

a) Import Nile vendor dictionary

Add the VSA dictionary. The dictionary tells Cisco ISE how to send the attributes Nile understands. Copy the contents below into a text file and save it as “Nile dictionary” to create a Microsoft Personal Dictionary file:

```
VENDOR Nile 58313
BEGIN-VENDOR Nile
ATTRIBUTE Redirect-URL 1 string
ATTRIBUTE NetSeg 2 string
ATTRIBUTE Nile-AVPair 3 string
END-VENDOR Nile
```

To import the file, log in to the ISE GUI as an administrator and navigate to Policy > Policy Elements > Dictionaries > RADIUS > RADIUS Vendors, then click the Import button. Click Browse to choose the “Nile dictionary” file from the file system of the client running your browser, then click Import to import the Nile vendor dictionary. Expand RADIUS and select RADIUS Vendors as in the screenshot below, and verify that the Nile dictionary is listed under RADIUS Vendors. Double-click the Nile VSA entry and verify that its attributes match those shown in the screenshots below.

b) Add a new RADIUS network device profile

A network device profile tells ISE whether there are vendor-specific configurations (such as a VSA dictionary) that should be used when communicating with an 802.1X authenticator (i.e. the Nile HE). Log in to the ISE GUI as an administrator and navigate to Administration > Network Resources > Network Device Profiles. Add a new device profile using the configuration parameters highlighted in the screenshot below.

Note: if a dropdown is unavailable for any parameter, manually enter the value to match the screenshots provided below. Verify that the summary matches the screenshot below, then click Save to store the profile.

c) Enable MS-CHAPv2 as an allowed protocol on ISE

MS-CHAPv2 is required for the Nile portal to monitor a configured ISE server. From the ISE GUI, navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access and make sure that MS-CHAPv2 is allowed.

2) ISE integration

a) Add Nile gateway to ISE

To proceed with this step, you will need the Nile HE IP address. The IP address of the Nile HE, required for the ISE configuration, can be found in the Authentication settings when adding a new RADIUS server in the Nile portal: click the "Display NAS IPs" button to view it. From within the ISE GUI, navigate to Administration > Network Resources > Network Devices and click Add. Configure the Nile gateway as the network device, using the Nile network device profile created in the previous step. Refer to the following screen for the other parameters.

b) Add RADIUS (ISE) to Nile portal

This section describes the Nile portal configuration needed to add RADIUS. Create a RADIUS configuration on the Nile portal as follows: log in to the Nile portal, click the Settings icon, navigate to the Authentication tab, and click the ‘+’ sign to create a RADIUS entry for the ISE server.

Note: the user shown here, “nilestatus”, is used by the Nile portal to poll ISE availability and latency at a one-minute interval. This user must exist in an identity store supported by ISE. The typical approach for a demo is to use the local ISE user identity store and create this user within it.

3) Use case: wireless/wired 802.1X authentication

a) Create ISE authentication/authorization policy

From the ISE GUI, navigate to Policy > Policy Sets, select Default, and click the right-side ‘>’ to expand the default policy set. Click the left-side ‘>’ to expand the Authentication Policy. Click the ‘+’ sign to create a new authentication policy rule as described below:

- Rename ‘Authentication Rule 1’ to ‘Dot1x’.
- Add the conditions Wireless 802.1X or Wired 802.1X.
- Select All_User_ID_Stores as the identity source.
- Set the ‘Options’ as follows: If Auth fail: REJECT; If User not found: REJECT; If Process fail: DROP.

Click the left-side ‘>’ to expand the Authorization Policy. Click the ‘+’ sign to create a new authorization policy rule:

- Rename ‘Authorization Rule 1’ to Dot1x.
- Add the conditions Wireless 802.1X and EAP-MSCHAPv2.
- Select “PermitAccess” as the results profile.

Click Save to save the configuration.

b) Nile dynamic segments using RADIUS (ISE) attribute – NetSeg (optional)

This section applies only if you have multiple segments associated with a single dot1x SSID and you prefer to push segments dynamically. Nile supports dynamic segment allocation, assigned by RADIUS (ISE) depending on the user account (e.g., employee or contractor). To set up Nile dynamic segments, follow the steps below.

From the ISE GUI, navigate to Policy > Policy Elements > Results, expand Authorization and select Authorization Profiles, then click “+” to create a profile that matches the Nile segment name. Enter the name for the new authorization profile, select Access Type “ACCESS_ACCEPT” and Network Device Profile "NileSecure". Under Advanced Attributes Settings, select Nile:NetSeg and enter the Nile segment name as the value (the name is case sensitive). Click Submit to save the configuration, and repeat the same steps to create a new authorization profile for the other segment.

From the ISE GUI, navigate to Policy > Policy Sets, select Default, and click the right-side ‘>’ to expand the default policy set. Click the left-side ‘>’ to expand the Authorization Policy. Click the ‘+’ sign to create a new rule:

- Rename ‘Authorization Rule 1’ to Dot1x <segment name>.
- Add the conditions Wireless 802.1X and IdentityGroup EQUALS the user group (e.g., employee or contractor).
- Select the respective segment's authorization profile as the results profile.

Repeat the same steps to create an authorization policy for the second user group, which will be mapped to the second segment. Modify the Nile wireless SSID to include the multiple segments.

4) Use case: wired MAB authentication

By default, the standard Cisco MAB AuthC policy does not recognize the attributes sent by Nile. If these attributes are not adjusted, the ISE RADIUS Live Logs will show that the AuthC policy is not being matched by the data received from Nile. The ISE authentication policy for MAB with Nile requires that we call out { RADIUS Service-Type EQUALS “Call Check” AND RADIUS NAS-Port-Type EQUALS “Ethernet” }.

a) ISE authentication/authorization policy

From the ISE GUI, navigate to Policy > Policy Sets > Default > Authentication Policy and configure a MAB policy, or reconfigure the existing MAB AuthC policy, to match on these conditions. Configure the options to: If Auth fail = CONTINUE; If User not found = CONTINUE. This tells ISE that if the wired MAC address is currently unknown, or has never been seen before by ISE, it should still proceed to the AuthZ policies.

Once an endpoint has passed an authentication (AuthC) policy, ISE still needs further context for what to do with the endpoint; that is where the authorization (AuthZ) policy comes into play. From the ISE GUI, navigate to Policy > Policy Sets > Default > Authorization Policy and click the + sign to create a new policy. You can match the conditions of the authorization policy to the same ones as the AuthC policy above, and then place all endpoints into segment “Internal Net3”. Save the policy set.

Verify the results within ISE: you can review all of the specifics regarding user authentication and authorization in the ISE Live Logs. This is the best resource to figure out whether your policy is working for any use case; the Live Logs show exactly what ISE is doing and why it is doing it.

Note: make sure the ISE server checkbox is configured to support wired MAC authentication from within the Nile portal. If you don't see this checkbox, you will need to get a feature flag enabled on the tenant you are configuring.

5) Use case: wireless guest sponsored portal authentication

A guest access captive portal authentication approach has three kinds of portal configurations:

- Hotspot guest portal (terms & conditions)
- Self-registered guest portal
- Sponsored guest portal

In this use case, we describe the sponsored guest portal options that ISE can present to wireless clients for guest authentication.

a) Create an authorization profile for terms & conditions guest redirect

From the ISE GUI, navigate to Policy > Policy Elements > Results > Authorization Profiles. Click Add and enter/select the following:

- Name: Nile Redirect
- Access Type: ACCESS_ACCEPT
- Network Device Profile: NileSecure
- In ‘Advanced Attributes Settings’, select the attribute ‘Nile:Redirect-URL’ and paste the URL shown above, replacing ‘isehost’ with the IP or FQDN of the ISE server.

Note: ensure that you add the prefix 'url=' before the URL. Verify the attribute details and click Submit to save the new profile.

b) Create an authorization profile for guest post-redirection

From the ISE GUI, navigate to Policy > Policy Elements > Results > Authorization Profiles. Click Add and enter/select the following:

- Name: Nile Guest Access
- Access Type: ACCESS_ACCEPT
- Network Device Profile: NileSecure

Configure the Advanced Attributes Settings as per the following screenshot and save the profile.

c) Create new authentication and authorization policies

From the GUI, navigate to Policy > Policy Sets, select Default, and click the right-side ‘>’ to expand the default policy set. Click the left-side ‘>’ to expand the Authentication Policy. Click the ‘+’ sign to create a new rule and rename ‘Authentication Rule 1’ to ‘MAB’:

- Add the conditions Wireless MAB or Wired MAB.
- Select Internal Endpoints as the identity source.
- Set the ‘Options’ as follows: If Auth fail: REJECT; If User not found: CONTINUE; If Process fail: DROP.

Click the left-side ‘>’ to expand the Authorization Policy. Click the ‘+’ sign to create a new rule and rename ‘Authorization Rule 1’ to “Nile Guest Access”: add the conditions “Wireless MAB” and “Guest Flow”, and select the results profile “Nile Guest Access”. Click the ‘+’ sign to create a second rule and rename ‘Authorization Rule 1’ to “Nile Redirect”: add the condition “Wireless MAB” only, select the results profile “Nile Redirect”, and save.

d) Create guest SSID

Navigate to the Wireless tab and click the ‘+’ sign to add an SSID. Select ‘Captive Portal’ for security, choose the guest segment with the ISE server mapped, and click Save.

6) Use case: BYOD SSID integration with Cisco ISE

In a single-SSID BYOD deployment, only one SSID is used both for onboarding devices and for providing full access afterwards to those registered devices. The flow to connect a client to a BYOD SSID is as follows:

- The user connects to the BYOD SSID with EAP-PEAP credentials.
- Redirection to the BYOD portal with limited access.
- Device registration.
- Native Supplicant Assistant (NSA) download from ISE.
- Profile and client certificate download.
- EAP-TLS authentication for full access.

Please refer to the step-by-step configuration below of a single-SSID wireless BYOD on Nile Service Block (NSB) leveraging Cisco ISE RADIUS services, the BYOD portal and its private PKI infrastructure.

a) Create a certificate template for BYOD users

From the ISE GUI, navigate to Administration > Certificates > Certificate Authority > Certificate Templates. Click Add and configure the following parameters.

Add a Native Supplicant Profile (NSP): navigate to Work Centers > BYOD > Client Provisioning > Resources, click Add, select Native Supplicant Profile and click Add. Click Submit at the bottom of the page to save the new NSP.

Modify the client provisioning policy: navigate to Work Centers > BYOD > Client Provisioning > Client Provisioning Policy and click Edit for the Windows rule. Select Windows All, WinSPWizard 3.x.x.x and ACME ISE NSP, then click Done followed by Save.

b) Create an authorization profile for non-registered BYOD devices

From the ISE GUI, navigate to Policy > Policy Elements > Results > Authorization Profiles. Click Add and enter/select the following:

- Name: Nile BYOD Redirect
- Access Type: ACCESS_ACCEPT
- Network Device Profile: NileSecure
- Web Redirection: Native Supplicant Provisioning; Value: BYOD Portal

Click Submit to save the new profile. Collect the static URL, as it needs to be entered in the Nile portal at a later stage.

c) Create an authorization profile post-authentication for BYOD devices

From the ISE GUI, navigate to Policy > Policy Elements > Results > Authorization Profiles, then click Add and enter/select the following:

- Name: Nile BYOD PostAuth
- Access Type: ACCESS_ACCEPT
- Network Device Profile: NileSecure
- Advanced Attributes Settings: Nile:NetSeg = PostAuth

Click Submit to save the new profile.

Note: in the case of two Nile segments, one for PEAP and one for EAP-TLS, replace ‘PostAuth’ with the EAP-TLS segment name.

d) Create a policy set, authentication, and authorization profiles

From the ISE GUI, navigate to Policy > Policy Sets and click the ‘+’ sign to add a policy. Rename ‘New Policy Set 1’ to BYOD Policy Set. Set the condition to RADIUS Called-Station-ID ENDS WITH ACME BYOD. Set Allowed Protocols to Default Network Access and click Save.

Note: the above policy condition references the Nile BYOD SSID "ACME BYOD" used in this document; change it to match the BYOD SSID configured on the Nile portal.

Create two authentication profiles as follows. Click the right-side arrow ‘>’ to expand the policy and create two authorization profiles as follows, then click Save when done.

e) BYOD Nile portal configuration

This section covers the Nile portal configuration needed to get a BYOD SSID up and running.

- Create/modify the RADIUS configuration on the Nile portal: connect to the Nile portal and navigate to the Authentication page. Add the static redirect URL generated in step 6b (Create an authorization profile for non-registered BYOD devices) when creating the redirect authorization profile, replacing the ‘isehost’ string with the ISE server FQDN or IP address.
- Configure the BYOD segment to use the appropriate RADIUS server and static URL.
- Validate that the SSID string matches the SSID used by ISE.
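As an added example (not code from Nile or Cisco, and not part of this page), the following Python parses a FreeRADIUS-style vendor dictionary such as the Nile one in section 1a and encodes and decodes RADIUS Vendor-Specific attributes (RFC 2865 attribute 26) with it. It shows what ISE actually sends on the wire for Nile:NetSeg or Nile:Redirect-URL once the dictionary is imported, and applies the page's two notes (the 'url=' prefix, the 'isehost' placeholder, and case-sensitive segment names) as checks. The vendor ID 58313 comes from the page; the ISE hostname, segment names and the `match_segment`/`validate_nile_value` helpers are constructed for the demo.

```python
import struct

# Dictionary text as given in section 1a of the page (vendor ID 58313 is the page's value).
NILE_DICTIONARY = """\
VENDOR Nile 58313
BEGIN-VENDOR Nile
ATTRIBUTE Redirect-URL 1 string
ATTRIBUTE NetSeg 2 string
ATTRIBUTE Nile-AVPair 3 string
END-VENDOR Nile
"""

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type for Vendor-Specific
MAX_VSA_VALUE = 255 - 8   # outer header (2) + vendor id (4) + inner header (2) = 8 bytes


def parse_dictionary(text):
    """Parse FreeRADIUS dictionary syntax into {vendor: (vendor_id, {attr_name: attr_id})}."""
    vendors, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].upper()
        if keyword == "VENDOR":
            vendors[parts[1]] = (int(parts[2]), {})
        elif keyword == "BEGIN-VENDOR":
            current = parts[1]
        elif keyword == "END-VENDOR":
            current = None
        elif keyword == "ATTRIBUTE" and current is not None:
            name, attr_id, attr_type = parts[1], int(parts[2]), parts[3]
            if attr_type != "string":
                raise ValueError(f"{name}: only string VSAs are handled here, got {attr_type}")
            vendors[current][1][name] = attr_id
    return vendors


def validate_nile_value(attr, value):
    """Constructed check for the page's Redirect-URL notes: the value carries a 'url='
    prefix and must not still contain the 'isehost' placeholder."""
    if attr == "Redirect-URL":
        if not value.startswith("url="):
            raise ValueError("Redirect-URL value must be prefixed with 'url='")
        if "isehost" in value:
            raise ValueError("replace 'isehost' with the ISE IP address or FQDN")
    return value


def match_segment(value, configured_segments):
    """NetSeg is case sensitive: return the configured segment only on an exact match."""
    return value if value in configured_segments else None


def encode_vsa(vendors, vendor, attr, value):
    """Build one Vendor-Specific attribute: 26 | len | vendor-id(4) | vendor-type | vendor-len | value."""
    vendor_id, attrs = vendors[vendor]
    data = value.encode("utf-8")
    if len(data) > MAX_VSA_VALUE:
        raise ValueError("value too long for a single VSA")
    inner = struct.pack("!BB", attrs[attr], len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(inner) + 6, vendor_id) + inner


def decode_vsa(vendors, blob):
    """Inverse of encode_vsa; returns (vendor_name, attr_name, value) and rejects malformed input."""
    if len(blob) < 8 or blob[0] != VENDOR_SPECIFIC or blob[1] != len(blob):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vtype, vlen = struct.unpack("!IBB", blob[2:8])
    if vlen != len(blob) - 6:
        raise ValueError("vendor length does not match attribute length")
    by_vendor_id = {vid: (name, attrs) for name, (vid, attrs) in vendors.items()}
    if vendor_id not in by_vendor_id:
        raise ValueError(f"unknown vendor id {vendor_id}; import the dictionary first")
    name, attrs = by_vendor_id[vendor_id]
    by_attr_id = {aid: aname for aname, aid in attrs.items()}
    if vtype not in by_attr_id:
        raise ValueError(f"unknown {name} attribute id {vtype}")
    return name, by_attr_id[vtype], blob[8:].decode("utf-8")


if __name__ == "__main__":
    d = parse_dictionary(NILE_DICTIONARY)
    vsa = encode_vsa(d, "Nile", "NetSeg", "Employee")
    print(vsa.hex(), decode_vsa(d, vsa))
    # Constructed URL: the ISE host is a placeholder for the demo.
    url = validate_nile_value("Redirect-URL", "url=https://ise.example.com:8443/portal")
    print(decode_vsa(d, encode_vsa(d, "Nile", "Redirect-URL", url)))
```

Running the script prints the hex of the attribute (`1a10` for type 26 and length 16, then `0000e3c9` for vendor 58313, then `020a` for NetSeg and its length, followed by the segment name) and the decoded tuple. A value that is case-mismatched against the configured segment names, or a Redirect-URL still containing 'isehost', is rejected before it would ever reach the wire.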
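As a second added example (again not code from Nile or Cisco, and not part of this page), here is a small model of how an ISE policy set evaluates a RADIUS request, covering the rules in sections 3, 4 and 6d: the MAB rule that must match Service-Type = Call Check and NAS-Port-Type = Ethernet, the "If User not found" option that decides whether an unknown wired MAC reaches authorization, the dot1x rules that map identity groups to Nile:NetSeg values, and the BYOD policy set selected by Called-Station-Id ending with the SSID. Rule names, identity groups, MAC addresses and the "ACME BYOD" SSID are taken from or modelled on the page's examples; the identity store contents and the Called-Station-Id format are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# RADIUS enumerations (RFC 2865): Service-Type and NAS-Port-Type values
SERVICE_TYPE_FRAMED, SERVICE_TYPE_CALL_CHECK = 2, 10
NAS_PORT_ETHERNET, NAS_PORT_WIRELESS = 15, 19


def wired_mab(req):
    """The attribute pair the page says the Nile MAB AuthC rule must call out explicitly."""
    return req.get("Service-Type") == SERVICE_TYPE_CALL_CHECK and req.get("NAS-Port-Type") == NAS_PORT_ETHERNET


def wireless_dot1x(req):
    return req.get("Service-Type") == SERVICE_TYPE_FRAMED and req.get("NAS-Port-Type") == NAS_PORT_WIRELESS


def ssid_is(ssid):
    """Called-Station-Id ENDS WITH <ssid> (constructed format MAC:SSID), as in the BYOD policy set."""
    return lambda req: req.get("Called-Station-Id", "").endswith(ssid)


def in_group(group):
    return lambda req: group in req.get("IdentityGroups", set())


@dataclass
class AuthcRule:
    name: str
    condition: Callable
    if_user_not_found: str = "REJECT"  # ISE option: REJECT or CONTINUE


@dataclass
class AuthzRule:
    name: str
    conditions: List[Callable]  # ANDed, e.g. Wireless 802.1X AND IdentityGroup
    profile: Dict[str, str]     # attributes returned in the Access-Accept


@dataclass
class PolicySet:
    name: str
    condition: Callable
    authc: List[AuthcRule]
    authz: List[AuthzRule]


# Constructed identity store. MAB identities are MAC addresses (sent as User-Name),
# dot1x identities are users; the value is the set of identity groups.
KNOWN_IDENTITIES = {
    "alice": {"Employee"},
    "bob": {"Contractor"},
    "00-11-22-33-44-55": {"Printers"},
}


def build_policy_sets():
    """Policy sets modelled on the page: the BYOD set (6d) sits above Default (3a, 3b, 4a)."""
    byod = PolicySet("BYOD Policy Set", ssid_is("ACME BYOD"),
                     authc=[AuthcRule("BYOD Dot1x", wireless_dot1x)],
                     authz=[AuthzRule("BYOD PostAuth", [wireless_dot1x], {"Nile:NetSeg": "PostAuth"})])
    default = PolicySet("Default", lambda req: True,
                        authc=[AuthcRule("Dot1x", wireless_dot1x, "REJECT"),
                               AuthcRule("MAB", wired_mab, "CONTINUE")],
                        authz=[AuthzRule("Dot1x Employee", [wireless_dot1x, in_group("Employee")],
                                         {"Nile:NetSeg": "Employee"}),
                               AuthzRule("Dot1x Contractor", [wireless_dot1x, in_group("Contractor")],
                                         {"Nile:NetSeg": "Contractor"}),
                               AuthzRule("MAB Internal", [wired_mab], {"Nile:NetSeg": "Internal Net3"})])
    return [byod, default]  # evaluated top to bottom; Default is last


def evaluate(policy_sets, req, identities):
    """Return (policy_set_name, outcome, profile): first matching policy set, first matching
    AuthC rule, identity lookup with the rule's not-found option, then first-match AuthZ."""
    ps = next((p for p in policy_sets if p.condition(req)), None)
    if ps is None:
        return None, "NO_POLICY_SET", None
    rule = next((r for r in ps.authc if r.condition(req)), None)
    if rule is None:
        return ps.name, "AUTHC_NOT_MATCHED", None  # what Live Logs show for an unadjusted MAB rule
    groups = identities.get(req.get("User-Name", ""))
    if groups is None:
        if rule.if_user_not_found == "REJECT":
            return ps.name, "REJECT", None
        groups = set()  # CONTINUE: a never-seen MAC still reaches the AuthZ rules
    ctx = dict(req, IdentityGroups=groups)
    for az in ps.authz:
        if all(c(ctx) for c in az.conditions):
            return ps.name, "ACCESS_ACCEPT", az.profile
    return ps.name, "REJECT", None  # no AuthZ rule matched (ISE's default DenyAccess)


if __name__ == "__main__":
    sets = build_policy_sets()
    unknown_mac = {"User-Name": "aa-bb-cc-dd-ee-01", "Service-Type": SERVICE_TYPE_CALL_CHECK,
                   "NAS-Port-Type": NAS_PORT_ETHERNET, "Called-Station-Id": "00-aa-bb-cc-dd-ee:"}
    print(evaluate(sets, unknown_mac, KNOWN_IDENTITIES))
    print(evaluate(sets, dict(unknown_mac, **{"Service-Type": SERVICE_TYPE_FRAMED}), KNOWN_IDENTITIES))
```

The first print shows the never-seen MAC landing in "Internal Net3" because the MAB rule's not-found option is CONTINUE; the second shows the same request with a Service-Type other than Call Check falling out as AUTHC_NOT_MATCHED, which is the symptom the page describes seeing in the Live Logs when the standard MAB rule is left unadjusted.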