2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
This lab is built with reference to part of a production environment: Windows Server 2008 holds the accounts (login users, MAC addresses and other identities), Cisco ISE performs authentication and authorization, and the wireless part is tested with a virtual WLC (VMWLC) plus a Cisco 1702 AP. Because it is a lab, every node in the overall architecture is a single point with no redundancy, and some ISE functions are not used, such as posture checks for PC patches and antivirus updates and device (certificate) authentication; those are implemented in the production environment. The following figure shows the network architecture diagram of this experiment.
Windows AD: 172.16.1.199
Cisco VMISE: 172.16.1.103
CISCO VMWLC: 172.16.1.201
Note also that in a production environment it is not recommended to use VLAN 1 as the management VLAN of the wireless controller (AC).
1. Windows Server 2008 settings
1.1 Install AD DS / DNS on Windows Server and create the domain vmwlc.com; the server name is VMAD.VMWLC.COM (172.16.1.199).
1.2 Create five OUs and matching user groups in Windows AD:
IseGroup1: OU for 802.1X-authorized users; user group isegroup
IseGroup2: OU for switch login users with privilege level 1; user group isegroup02
NetDeviceManager: OU for switch login users with privilege level 15; user group NetDeviceManager
MACAddress: OU holding the MAC addresses authorized through MAB; user group MacAddressGroup; MAC address format 00-00-00-00-00-00
IseWebGroup: OU for wireless web-authenticated users; user group isewebGroup
1.3 Add DNS records for the ISE nodes: ISE103.VMWLC.COM (172.16.1.103) / ISE104.VMWLC.COM (172.16.1.104)
1.4 Install IIS on Windows Server and make it reachable over both HTTP and HTTPS, so that it can serve certificate requests (web enrollment) for ISE.
2. Cisco ISE settings
2.1 Join ISE to the Windows AD domain and set DNS.
The picture above shows ISE joining the Windows domain.
The picture above shows the Authentication Domains information generated after ISE joins the Windows domain.
The image above shows the Windows DNS name and IP settings.
2.2 Add the Windows AD groups to ISE. All identities used for network device administration, MAB and 802.1X authentication and authorization come from the Windows AD user groups, as shown below:
3. Network device authentication and authorization settings
3.1 Switch section
aaa new-model
aaa authentication login nocon line none
! vty logins: ask ISE first, fall back to local accounts only if no RADIUS server answers
aaa authentication login vty group radius local
aaa authorization exec vty group radius local
aaa authorization network default group radius
aaa accounting exec vty start-stop group radius
! 'cisco' is the shared secret agreed with ISE; it is user-defined, choose a long random value in production
radius-server host 172.16.1.103 key cisco
line vty 0 4
 authorization exec vty
 login authentication vty
3.2 Cisco ISE settings section
ISE Network Devices management needs Network Device Groups and the devices themselves. The device groups are split in two ways:
a. grouping by device type
b. grouping by location. The purpose of the grouping is to authorize different device types and locations differently, as in the device type and location group settings in the following figure:
Add the managed devices under Network Devices and assign them to the device groups, as shown below:
Set the Authentication Policy for users accessing the switch, named Switch_Authen -> condition: Device Type EQUALS All Device Types#2960G Group (the Network Device Group defined above) -> allowed protocols: Default Network Access -> identity source: ISE-03 (the Windows AD join point added above), as shown below:
Set the Authorization Policy for users accessing the switch with two rules, Switch_Author_Priv1 and Switch_Author_Priv15, as shown below:
The picture above is the Switch_Author_Priv1 authorization profile; Advanced Attributes Settings: Cisco:cisco-av-pair = shell:priv-lvl=1
The picture above is the Switch_Author_Priv15 authorization profile; Advanced Attributes Settings: Cisco:cisco-av-pair = shell:priv-lvl=15
Set the Authorization Policy rules Switch_Author_Priv1 and Switch_Author_Priv15 for users accessing network devices, as shown below:
The image above shows the Authorization Policy for users accessing network devices: members of the user group isegroup02 get Switch_Author_Priv1 (privilege level 1 only), and members of NetDeviceManager get Switch_Author_Priv15 (privilege level 15).
4. ISE MAB authentication and authorization settings
4.1 Network switch settings
Enable RADIUS authentication on the switch; the configuration is as follows:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Change of Authorization: let ISE (172.16.1.103) re-authenticate or terminate sessions
aaa server radius dynamic-author
 client 172.16.1.103 server-key cisco
ip device tracking
dot1x system-auth-control
! attribute 6 = Service-Type (Call-Check for MAB), 8 = Framed-IP-Address, 25 = Class
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
! declare the server dead after 3 unanswered tries within 5 seconds
radius-server dead-criteria time 5 tries 3
radius-server host 172.16.1.103 auth-port 1812 acct-port 1813
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
Enable MAB and dot1x authentication on the access port that the endpoint/AP connects to (GigabitEthernet1/0/17 here), configured as follows:
interface GigabitEthernet1/0/17
 switchport access vlan 11
 switchport mode access
 ! pre-authentication ACL: the only traffic allowed while 'authentication open' lets the port pass frames before authorization
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 ! if ISE is unreachable, authorize the port into the critical VLAN 12
 authentication event server dead action authorize vlan 12
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
Set the basic pre-authentication ACL, ACL-DEFAULT, as follows (it is replaced by the dACL downloaded from ISE once the session is authorized):
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 deny ip any any
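The MAB exchange that the switch configuration above produces, rebuilt in Python as an added example (this is not code from the article): the switch sends an Access-Request in which User-Name and User-Password are both the endpoint MAC, the password is hidden with the shared secret per RFC 2865, a Message-Authenticator is added per RFC 2869, and the Access-Accept is only trusted if its Response Authenticator checks out against the same secret. The shared secret cisco is taken from the configuration above; the switch address 172.16.1.2, the endpoint MAC 00:11:22:33:44:55 and the Access-Accept standing in for ISE are constructed samples. Only the Python standard library is used.

```python
"""MAB Access-Request / Access-Accept as exchanged between the switch in
section 4.1 and ISE. Added example, not the article's code."""
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"cisco"      # 'radius-server key cisco' from the article's config
NAS_IP = "172.16.1.2"         # constructed sample switch address (assumption)

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                       # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 31, 61, 80
CALL_CHECK = 10               # Service-Type the switch sends for MAB (attribute 6)
ETHERNET = 15                 # NAS-Port-Type value for a wired port


def ad_mac_format(mac: str) -> str:
    """Normalize 0011.2233.4455 / 00:11:22:33:44:55 / 001122334455 to the
    00-00-00-00-00-00 form the article uses for accounts in the MACAddress OU."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-value pair: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block),
    seeded with the Request Authenticator. This is all that protects the MAB
    'password' (the MAC again) on the wire, so the secret must stay private."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side of the same operation (what ISE computes); chained on the ciphertext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, hashlib.md5(secret + prev).digest()))
        prev = c
    return out.rstrip(b"\x00")


def build_mab_request(mac: str, identifier: int, request_auth: bytes = b"") -> bytes:
    """Access-Request as IOS sends it for MAB: bare lowercase MAC as User-Name and
    User-Password, dashed MAC as Calling-Station-Id, Service-Type Call-Check."""
    request_auth = request_auth or os.urandom(16)
    mac_dashed = ad_mac_format(mac)
    bare = mac_dashed.replace("-", "").lower()
    attrs = (
        avp(USER_NAME, bare.encode())
        + avp(USER_PASSWORD, hide_password(bare.encode(), request_auth, SHARED_SECRET))
        + avp(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
        + avp(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
        + avp(CALLING_STATION_ID, mac_dashed.encode())
        + avp(NAS_PORT_TYPE, struct.pack("!I", ETHERNET))
        + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, replaced below
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    # RFC 2869 3.16: HMAC-MD5 with the shared secret over the packet, Message-Authenticator zeroed
    tag = hmac.new(SHARED_SECRET, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + tag


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Verify a request's Message-Authenticator (what ISE checks before answering)."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False                      # malformed length: reject, do not loop
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


def build_access_accept(identifier: int, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Constructed Access-Accept standing in for ISE, so the check below runs offline."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + SHARED_SECRET).digest() + attrs


def response_authenticator_ok(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 3: the switch applies a reply only if MD5(Code+ID+Length+RequestAuth
    +Attributes+Secret) matches; a forged accept from a host without the secret fails."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    ra = os.urandom(16)
    req = build_mab_request("0011.2233.4455", 1, ra)
    print("request accepted by server:", message_authenticator_ok(req, SHARED_SECRET))
    print("accept trusted by switch:", response_authenticator_ok(build_access_accept(1, ra), ra, SHARED_SECRET))
```

Two things this makes visible: MAB proves nothing beyond knowledge of a MAC address, which any device that sees the frames can copy, and the shared secret is the only thing that lets the switch distinguish a genuine Access-Accept from one injected by a host on the management network. Both are reasons to keep the secret long and random and the MAB authorization profile restrictive.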
4.2 ISE settings section
In Policy > Results, create an Authorization Profile named Wifi_MAB_Guest_Author (the same profile serves the wired and the wireless network): DACL Name: PERMIT_ALL_TRAFFIC, VLAN ID/Name: 11, which is the VLAN ID set on the switch.
Set the Authentication Policy with the rules Wireless_MAB and Wired_MAB, allowed protocols Default Network Access, identity source ISE-03 (the Windows AD join point added above), as shown below:
Authorization Policy: the condition is that the MAC address is a member of the MacAddressGroup group in Windows AD, and the result is the Wifi_MAB_Guest_Author profile defined above, as shown below:
The following figure shows a WiFi MAB session that has been authenticated and authorized:
The following figure shows the session information of a wired user that passed MAB authentication and authorization:
a. It received the corresponding VLAN ID: 11
b. It received the corresponding dACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32
c. It was assigned the appropriate IP address: 172.16.5.137
d. MAB authorization succeeded
Note that MAB authenticates nothing but the MAC address, which any device on the same segment can clone, so the profile granted to MAB endpoints should be as restrictive as the device allows; the PERMIT_ALL_TRAFFIC dACL is a lab convenience.
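How the switch extracts the results listed above (VLAN 11 and the PERMIT_ALL_TRAFFIC dACL) and the privilege levels from section 3 (shell:priv-lvl=1 / 15) from an Access-Accept, as an added example that is not the article's code: the VLAN arrives as the three RFC 2868 tunnel attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, the dACL name and the privilege level as Cisco Vendor-Specific cisco-av-pair strings. The attribute bytes are constructed here to match the values the article reports; the decoder applies the rule the switch applies, namely that a VLAN is only assigned when all three tunnel attributes agree on VLAN over IEEE 802.

```python
"""Decode RADIUS Access-Accept authorization attributes (VLAN, dACL name,
shell privilege level). Added example, not from the article."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, VENDOR_CISCO, CISCO_AV_PAIR = 13, 6, 9, 1
DACL_PREFIX, PRIV_PREFIX = "ACS:CiscoSecure-Defined-ACL=", "shell:priv-lvl="


def avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-value pair: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_int(attr_type: int, tag: int, number: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return avp(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def cisco_av_pair(text: str) -> bytes:
    """RFC 2865 5.26 Vendor-Specific: vendor-id 9 (Cisco), vendor-type 1 (cisco-av-pair)."""
    sub = bytes([CISCO_AV_PAIR, len(text) + 2]) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def iter_avps(data: bytes):
    """Walk a type/length/value list; stop on a malformed length instead of looping."""
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            return
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def parse_authorization(attrs: bytes) -> dict:
    """Return what the switch would apply from the attribute bytes of an Access-Accept."""
    result = {"vlan": None, "dacl": None, "priv_lvl": None, "av_pairs": []}
    tunnel_type = medium = group_id = None
    for attr_type, value in iter_avps(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            number = int.from_bytes(value[1:], "big")        # drop the tag byte
            if attr_type == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a leading byte in 0x00-0x1F is a tag, anything else is data
            group_id = (value[1:] if value and value[0] <= 0x1F else value).decode()
        elif attr_type == VENDOR_SPECIFIC and len(value) > 4 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            for sub_type, sub_value in iter_avps(value[4:]):
                if sub_type != CISCO_AV_PAIR:
                    continue
                text = sub_value.decode(errors="replace")
                result["av_pairs"].append(text)
                if text.startswith(DACL_PREFIX):
                    result["dacl"] = text[len(DACL_PREFIX):]
                elif text.startswith(PRIV_PREFIX):
                    result["priv_lvl"] = int(text[len(PRIV_PREFIX):])
    # The port is only moved when all three tunnel attributes say "VLAN over IEEE 802"
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group_id:
        result["vlan"] = group_id
    return result


def dacl_as_shown_on_switch(dacl_name: str) -> str:
    """IOS displays the downloaded ACL with '#' replaced by 'x' (as in the article's xACSACLx-... line)."""
    return dacl_name.replace("#", "x")


# Constructed attribute sets mirroring the article's authorization profiles
MAB_ACCEPT_ATTRS = (
    tunnel_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
    + tunnel_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_802)
    + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"11")
    + cisco_av_pair(DACL_PREFIX + "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-56161e32")
)
ADMIN_PRIV15_ATTRS = cisco_av_pair("shell:priv-lvl=15")

if __name__ == "__main__":
    mab = parse_authorization(MAB_ACCEPT_ATTRS)
    print("VLAN:", mab["vlan"], "dACL:", dacl_as_shown_on_switch(mab["dacl"]))
    print("priv-lvl:", parse_authorization(ADMIN_PRIV15_ATTRS)["priv_lvl"])
```

The dACL attribute carries only the ACL name; the switch then sends a separate Access-Request with that name as User-Name to download the ACL lines, which is why the dACL name, and not its content, appears in the session output above.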
5. Wired / wireless 802.1X authentication settings (the wired 802.1X switch settings are the same as for MAB and need no change; this section covers only the wireless part):
5.1 Wireless controller (WLC) settings (only the relevant controller settings; installation of the controller and AP setup are not covered)
Add the RADIUS Authentication and Accounting servers respectively, as shown below:
Add the SSID and configure it as follows:
AP settings: AP mode FlexConnect
5.2 Cisco ISE settings section
In Policy > Results, create an Allowed Protocols list named Dot1x_EAP_Authen; since only 802.1X is performed, only the needed EAP methods are selected, as shown below:
In Policy > Results, create an Authorization Profile named Dot1x_EAP_Author (the same profile serves the wired and the wireless network): DACL Name: PERMIT_ALL_TRAFFIC, VLAN ID/Name: 11, which is the VLAN ID set on the switch.
Set the Authentication Policy for users connecting to the wireless network: name Dot1x_EAP_Authen, conditions Wireless_802.1X and the wireless device group, allowed protocols Dot1x_EAP_Authen, identity source ISE-03 (the Windows AD join point added above), as shown below:
Set the Authorization Policy for users connecting to the wireless network: name Dot1x_Author_WIFI, condition membership of the Windows AD group isegroup, result Dot1x_EAP_Author, as shown below:
The following figure shows the WiFi MAB / 802.1X sessions that have been authenticated and authorized:
© 2024 shulou.com SLNews company. All rights reserved.