In this blog post, we'll be exploring a practical example of how to configure wired 802.1X with Cisco Identity Services Engine (ISE) and PEAP. We're breaking down a typical network scenario and explaining it in a way that's easy to understand.
The process we'll detail involves a domain-joined PC connecting to a switch port. We'll walk you through configuring the ISE, the PC, and the switch to enable this sequence of events. By the end of this post, you'll understand this specific network access control scenario and be better equipped to manage it in your own network environment.
Assumptions and Prerequisites
Before we proceed, let's establish the assumptions and prerequisites for this guide. This blog post assumes that you have a foundational understanding of Cisco ISE and the 802.1X protocol.
Additionally, it is assumed that the PC we're focusing on is already joined to the domain and operating correctly. Active Directory' (AD) has also been integrated with the ISE. By doing so, ISE can verify user credentials against the information stored in AD.
It's also important to note that this example operates in a 'Closed Mode'. In this mode, the switch will not permit any traffic other than EAPoL until successful authentication. If this is a potential issue, consider using 'Low Impact' mode where a Pre-Auth ACL (that allows DHCP, DNS for example) on the switch port allows network access until successful authentication. Upon successful authentication, a specific level of access is granted via a downloadable ACL (dACL) from ISE. I will try to cover this in another post.
If you want to learn more about 802.1X or NAC in general or Wired-EAP-TLS, please check out my other blog posts below.
What is 802.1X?
802.1X is an IEEE standard for port-based network access control that provides secure network access to corporate networks. You cannot secure if you don't know what's on your network. The 802.1X framework functions as a gatekeeper for entry to enterprise networks (wired and wireless).
When a user or device wants to gain access to a network, 802.1X acts as a framework that verifies the person/device connecting is who they say they are. When we enable 802.1X on a port, the switch drops all traffic received on that port except EAPoL packets (more on this later). Only after the 802.1X authentication has successfully completed will the switch allow any other traffic on that port.
The Components of 802.1X
802.1X consists of three components:
- The Supplicant (laptop) is the device attempting to gain access to the network. The supplicant communicates with the authenticator via 802.1X-encapsulated EAP packets
- The Authenticator (Switch) is the gatekeeper to the network and permits or denies access to the supplicants. The authenticator acts as an intermediary (proxy) between the supplicant and the authentication server. The authenticator requests identity information (credentials/certificates) from the supplicant via EAP packets, verifies that information with the authentication server and then relays a response to the supplicant (access permit or deny)
- The Authentication Server (Cisco ISE) performs the actual authentication of the supplicant. By examining the information in the encapsulated EAP messages relayed from the authenticator, the authentication server validates the identity of the supplicant and responds back to the authenticator whether or not the supplicant is authorized to access the network.
Choosing an EAP Method
When deploying 802.1X, it is important to choose an EAP method that meets your organization’s security standards. Choosing which EAP method to use is one of the most important decisions because different EAP methods offer differing levels of security and complexity. This example solely focuses on EAP-PEAP.
Which EAP type to implement solely depends on the level of security that the organization requires and the administrative overhead. If you are looking for a higher level of security, EAP-TLS is the best choice, providing the strongest authentication method using client and server-side certificates. EAP-PEAP or EAP-FAST on the other hand also offers very good security which uses credentials and only server-side certificates.
Even though there are many EAP types available, I've listed the most popular ones.
- EAP-TLS relies on client-side and server-side certificates to perform mutual authentication. This is considered one of the strongest EAP types however, it requires each and every client to have a certificate pre-installed.
- EAP-PEAP requires only server-side certificates for the client to authenticate the authentication server. PEAP is known as a tunnelled EAP type because it first establishes an outer tunnel using TLS and then sends the credentials via an inner tunnel. The inner tunnel can be virtually any EAP type but the widely used inner method is MSCHAPV2.
- EAP-FAST is very similar to PEAP, it first establishes an outer TLS tunnel. Inside this encrypted tunnel, a secondary inner EAP method (such as MSCHAPv2) is used to authenticate the user.
Windows 10 / Supplicant Configurations
In a production environment, typically, group policies would be used to configure the network settings across the organization. However, for the purpose of this tutorial, we'll simplify the process by directly configuring these settings on the PC.
To begin, navigate to the Network adapter settings. You can access this via Control Panel > Network and Sharing Center > Change Adapter Settings. Once here, right-click on the desired network connection, and select 'Properties'. Look for the 'Authentication' tab and ensure that the 802.1X authentication is enabled and PEAP is selected within these settings.
Switch / Authenticator Configuration
In configuring the switch for our use case, it's important to note that there are a lot of settings that could be adjusted to tweak and tune the behaviour of 802.1X. For the sake of simplicity, our example will only focus on the most essential configurations.
aaa new-model ! radius server ise-01 address ipv4 10.10.0.100 auth-port 1812 acct-port 1813 key cisco123 ! aaa group server radius ISE-GROUP server name ise-01 ip radius source-interface Vlan5 ! aaa server radius dynamic-author client 10.10.0.100 server-key cisco123 ! aaa authentication dot1x default group ISE-GROUP aaa authorization network default group ISE-GROUP aaa accounting dot1x default start-stop group ISE-GROUP aaa accounting update newinfo periodic 2880
interface Ethernet0/2 description WINDOWS-10 switchport access vlan 5 switchport mode access authentication port-control auto authentication periodic authentication timer reauthenticate server mab dot1x pae authenticator dot1x timeout tx-period 15 spanning-tree portfast edge
Cisco ISE / Authentication Server Configuration
Step 1: Add the Switch as a Network Device in ISE
The very first step is to add the switch as a network device in ISE. To do this, navigate to the ISE management interface and select 'Network Resources' followed by 'Network Devices'.
Here you can add a new device (our switch) by specifying the IP address and shared secret, which should match the configurations set in the switch.
Step 2 - Create a Policy Set
At a high level, a Policy Set in ISE is a bundle of rules, each of which contains conditions and results. When a device tries to access the network, ISE applies these policy sets to determine whether the device meets certain conditions and assigns results (like allowing or denying access) based on that.
Imagine you have a list of policy sets created for different types of network users, such as VPN users, guest users, and wired/wireless clients. Each of these policy sets has specific conditions tailored to the type of network access they manage.
Now, when a request comes from a device through the switch to access the network, ISE starts to evaluate these policy sets, going from top to bottom. It checks each policy set to see if the conditions of that policy match the incoming request.
In our case, we're dealing with a wired 802.1X request from a domain-joined PC. So, ISE will scan through the policy sets until it finds the one that's specifically designed for wired 802.1X requests. Once it finds a match, it applies the corresponding authentication and authorization policies to this request. Here I'm creating a new policy set called
EAP-PEAP with the pre-built smart condition
Radius:NAS-Port-Type = Ethernet and
Radius:Service-Type = Framed are specific attributes included in the
Wired_802.1X smart condition.
Radius:NAS-Port-Type = Ethernet: This attribute tells the RADIUS server (in this case, Cisco ISE) that the access request is coming from a device connected to an Ethernet port. This helps ISE understand the type of network access being attempted.
Radius:Service-Type = Framed: This attribute indicates that the user data is framed, meaning that it's encapsulated in a protocol.
Here you must have noticed that the 'Allowed Protocols' is set to 'Default Network Access'. This is the default list that comes with ISE. Here you can specify which EAP protocols the clients can use. In our case, we are using EAP-PEAP which is already allowed (by the check box)
within a policy set, we need to define two key types of police that are Authentication and Authorization.
Step 3 - Authentication Policy
An Authentication Policy is essentially a set of rules that the ISE uses to verify the identity of a device or user trying to access the network. This is the "who are you" part of the process, checking the credentials provided by the device or user against AD or Internal User Group.
For our configuration, we are using the default authentication policy. This policy checks the credentials against the data stored in AD. When a user attempts to authenticate, ISE takes the provided credentials and cross-checks them with the AD. If the authentication is successful the process proceeds to the next step, which is authorization.
Step 4 - Authorization Policy
On the other hand, an Authorization Policy determines what a successfully authenticated user or device can do within the network. It dictates the level of access, the resources that can be used, and any restrictions that need to be applied. This is the "what you can do" part of the process, defining the permissions for each authenticated device or user.
Our Authorization Policy in this setup is quite straightforward. It has a single condition, if a user is part of the 'desktop-users' group in Active Directory (AD), the policy 'permitAccess' is applied.
By defining these policies within a policy set, we create a rulebook for how the ISE should handle devices trying to access the network, from verifying their identity to deciding what they can do once they're in.
Now that we have our setup configured, it's time to put it to the test. To do this, I'm going to log in to a domain-joined PC with a user named 'max'. This user, being a part of the 'desktop-users' group in Active Directory, meets our defined authorization policy condition.
Given this, upon successful authentication, ISE should authorize the access request. This would confirm that our configuration of 802.1X with Cisco ISE using EAP-PEAP is working as intended.
switch_01#show authentication sessions interface e0/2 details Interface: Ethernet0/2 MAC Address: 5000.0001.0000 IPv6 Address: Unknown IPv4 Address: 10.10.20.10 User-Name: max <<<<<< Status: Authorized <<<<<< Domain: DATA Oper host mode: single-host Oper control dir: both Session timeout: N/A Restart timeout: N/A Periodic Acct timeout: 172800s (local), Remaining: 171072s Session Uptime: 1732s Common Session ID: 0A0A141F00000015009088BB Acct Session ID: 0x00000004 Handle: 0x22000008 Current Policy: POLICY_Et0/2 Local Policies: Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150) Security Policy: Should Secure Security Status: Link Unsecure Server Policies: Method status list: Method State dot1x Authc Success <<<<<<
I hope this blog post has provided you with a clearer understanding of the 802.1X process using Cisco ISE and EAP-PEAP. Remember, network configurations are rarely a one-size-fits-all scenario. The settings and processes we've explored here offer a solid starting point, but you'll likely need to adjust and refine them to perfectly suit your specific environment and needs.
And while EAP-PEAP serves as a useful example for this discussion, it's worth noting that there are more secure methods out there, such as EAP-TLS.