
Cisco Ise 13 User Guide


Page 921

•EAP-FAST/EAP-GTC
Apart from the methods listed above, there are EAP methods that use certificates for both server and client authentication.
RADIUS-Based EAP Authentication Flow
Whenever EAP is involved in the authentication process, the process is preceded by an EAP negotiation phase to determine which specific EAP method (and inner method, if applicable) should be used. EAP-based authentication occurs in the following process:
1 A host connects to a network device.
2 The network device sends an EAP Request to the host....

Page 922

challenge and its password with MD5. Because a man in the middle could see the challenge and response, EAP-MD5 is vulnerable to dictionary attack when used over an open medium. Because no server authentication occurs, it is also vulnerable to spoofing. Cisco ISE supports EAP-MD5 authentication against the Cisco ISE internal identity store. Host Lookup is also supported when using the EAP-MD5 protocol.
Lightweight Extensible Authentication Protocol
Cisco ISE currently uses Lightweight Extensible Authentication Protocol (LEAP) only for Cisco Aironet...

Page 923

PEAP Protocol Flow
A PEAP conversation can be divided into three parts:
1 Cisco ISE and the peer build a TLS tunnel. Cisco ISE presents its certificate, but the peer does not. The peer and Cisco ISE create a key to encrypt the data inside the tunnel.
2 The inner method determines the flow within the tunnel:
•EAP-MS-CHAPv2 inner method—EAP-MS-CHAPv2 packets travel inside the tunnel without their headers. The first byte of the header contains the type field. EAP-MS-CHAPv2 inner methods support the change-password feature. You can configure the number of times that the user can attempt to...

Page 924

Benefits of EAP-FAST
EAP-FAST provides the following benefits over other authentication protocols:
•Mutual authentication—The EAP server must be able to verify the identity and authenticity of the peer, and the peer must be able to verify the authenticity of the EAP server.
•Immunity to passive dictionary attacks—Many authentication protocols require a password to be explicitly provided, either as cleartext or hashed, by the peer to the EAP server.
•Immunity to man-in-the-middle attacks—In establishing a mutually authenticated protected tunnel, the...

Page 925

CHAPTER 33
Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions
To ensure Cisco ISE is able to interoperate with network switches and functions from Cisco ISE are successful across the network segment, you need to configure network switches with the necessary NTP, RADIUS/AAA, 802.1X, MAB, and other settings for communication with Cisco ISE.
•Enable Your Switch to Support Standard Web Authentication, page 880
•Local Username and Password Definition for Synthetic RADIUS Transactions, page 880...

Page 926

•RADIUS Idle-Timeout Configuration on the Switch, page 888
•Wireless LAN Controller Configuration for iOS Supplicant Provisioning, page 888
•Wireless LAN Controller Support for Apple Devices, page 889
•Configuring ACLs on the Wireless LAN Controller for MDM Interoperability, page 889
Enable Your Switch to Support Standard Web Authentication
Ensure that you include the following commands in your switch configuration to enable standard Web Authentication functions for Cisco ISE, including provisions for URL redirection upon authentication:
ip classless...

Page 927

aaa authorization auth-proxy default group radius
! Enables accounting for 802.1X and MAB authentications
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
!
aaa accounting update periodic 5
! Update AAA accounting information periodically every 5 minutes
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
 client 10.0.56.17 server-key cisco
! Enables Cisco ISE to act as a AAA server when interacting with the client at IP address 10.0.56.17
RADIUS Server Configuration on the Switch...

Page 928

Note
We recommend that you configure a dead-criteria time of 30 seconds with 3 retries to provide longer response times for RADIUS requests that use Active Directory for authentication.
Configure the Switch to Send RADIUS Accounting Start/Stop to Inline Posture Nodes
The network access device should be configured to send RADIUS accounting “Start” and “Stop” messages at the beginning and end of a session, respectively, with the remote device’s IP address in those messages to the...

Page 929

(VLAN range should include used for data and vlan)
Command to Enable 802.1X Port-Based Authentication
Enter the following commands to turn 802.1X authentication on for switch ports, globally:
dot1x system-auth-control
Command to Enable EAP for Critical Authentications
To support supplicant authentication requests over the LAN, enable EAP for critical authentications (Inaccessible Authentication Bypass) by entering the following command:
dot1x critical eapol
Command to Throttle AAA Requests Using Recovery Delay...

Page 930

 ip address 10.1.2.3 255.255.255.0
 ip helper-address
 ip helper-address
!
interface
 description VOICE
 ip address 10.2.3.4 255.255.255.0
 ip helper-address
Local (Default) ACLs Definition on the Switch
Enable these functions on older switches (with Cisco IOS software releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization by entering the following commands:
ip access-list extended ACL-ALLOW
 permit ip any any
!
ip access-list extended ACL-DEFAULT
 remark DHCP...