White Paper
Cisco Catalyst Access Switching: Cat2K, Cat3K, Cat4K Series with ISE Solution – General Guidelines And Best Practices
Sanjay Shah - sshah@cisco.com
Wafo Tengueu - ltengueu@cisco.com
© 2015 Cisco Systems, Inc. All rights reserved.
Introduction
The Cisco® Identity Services Engine (ISE) is the market-leading platform for security-policy management. It unifies and automates highly secure access control to proactively enforce role-based access to enterprise networks and network resources. The purpose of this document is to present general guidelines for the ISE solution on the Catalyst 2K, 3K and 4K series access switching platforms.
Simulated Test Topology (topology diagram)
HW Details
Hardware / Devices
- 4500 VSS: WS-X45-SUP7-E, WS-X4748-RJ45V+E, WS-X4748-UPOE+E
- 3850 Stack (5-member): WS-C3850-48T, WS-C3850-24P
- 3750X Stack (6-member): WS-C3750X-48P, WS-C3750X-48, WS-C3750X-24P
- 2960X Stack (3-member)
- Access Points: AIR-CAP2602E-A-K9
- ISE: UCS240
- HTTP/HTTPS Server: UCS240
- Client Simulator: IXIA Optixia x16
- Client Simulator - Pagent: 3825, 3845
- PC Clients: Lenovo laptops
- 4xx VM Clients
- Voice Clients: Cisco 7961, 7962, 7975, 7942, CP-9971 and Avaya
- Android Clients: C2305
Authentication and Authorization Use Cases
- Local authentication with configured username, password, RADIUS attributes and ACL
- Local authentication with different authentication profiles: PEAP/LEAP/TLS/EAP-FAST/MD5
- Remote authentication with various host modes (single-host, multi-host, multi-domain, multi-auth)
- PCs, laptops, phones, and PCs behind phones, with data and voice domains configured in the same VLAN and in different VLANs
- Webauth with the gateway for that VLAN
- PACL/VACL/DACL policies co-existing on ingress: traffic is filtered in the order the ACLs are applied (PACL, then VACL, then DACL)
- DACL downloaded only for the data client in MDA mode (no DACL for voice)
- Client access: fully qualified domain name (FQDN) ACL with multiple domain names
- Download a different DACL/Filter-ID for multiple sessions on the MA ports
- Download a 64-ACE DACL for multiple sessions on the MA port
- Per-user ACL for data users

Policies Use Cases
- VLAN pol
- Critical Voice VLAN for new and existing sessions on MA and MDA ports with the local reauth timer configured
- Clients that were authorized before Critical Auth remain authorized with their local/user profile and continue to send traffic while AAA is unreachable
- Re-trigger authentication for Critical Auth sessions when AAA becomes alive again
- Clients get a new IP during DHCP renew on MA and MDA ports; traffic from the clients is allowed as per the DACL policy
- Idle timeout change
- Local Web Authentication (LWA) with a 550-byte redirect URL; the URL is redirected
- 25 domain names in the Fully Qualified Domain Name (FQDN) list
- 2000 authenticated sessions with 2000 HTTP/HTTPS requests
- Re-authenticate 2000 sessions with the re-auth timer
- Simulate continuous Dot1X authentication failure (~500 sessions with correct credentials) for 8 hours on Access-Reject with a 10 sec re-authentication timeout
Timer Considerations
Switch CLI timers (table columns: Switch CLI, Default, Comments):
- radius-server timeout
- authentication periodic
- authentication timer inactivity
- authentication timer reauthenticate
- authentication timer restart
Comments: Use the default settings. If you configure both a global and a per-RADIUS-server timeout, the per-server timer overrides the global timer. Note that the switch attempts to reach the RADIUS server three times, timing out after 5 sec on each attempt (3 x 5 sec = 15 sec).
2960X, 3650-3850, and 4K-Sup8 Maximum Scale Numbers
Scale tests:
- Maximum VLANs
- Maximum class-maps per policy-map
- Maximum class-maps per system
- Maximum egress policers
- Maximum ingress policers
- Maximum Dot1x OR MAB client sessions
- Maximum Web Authentication sessions
- Maximum Dot1X sessions with Critical Auth VLAN enabled and server reinitialize
- Maximum Dot1X sessions with service templates OR session features applied
- Maximum MAB sessions with various session features applied
- Maximum supported Dot1
Sample AAA Config
>>>
!
!
aaa authentication login default none
aaa authentication dot1x default group ISE
aaa authorization exec default none
aaa authorization network default group ISE
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting delay-start all
aaa accounting update periodic 120
!
!
aaa server radius dynamic-author
 client 172.25.51.8 server-key cisco
!
!
radius server ISE
 address ipv4 172.25.51.
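As an added example that is not part of the paper, the following Python script audits an IOS AAA/RADIUS snippet for the lines the sample config above relies on (dot1x authentication, network authorization, accounting, a CoA client and a RADIUS server object) and computes the RADIUS timeout budget described under Timer Considerations, including the per-server override of the global timeout. The sample config, regexes and function names are this example's own, and the ISE address is a placeholder.

```python
"""Audit an IOS AAA/RADIUS snippet against this paper's sample config and timer notes."""
import re

# Constructed sample based on the paper's AAA block; the ISE address is a placeholder,
# and a per-server 'timeout 4' is added to show the override rule.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting update periodic 120
aaa server radius dynamic-author
 client 172.25.51.8 server-key cisco
radius server ISE
 address ipv4 ISE-IP-PLACEHOLDER
 timeout 4
"""

# (finding, regex that some config line must match); names are this example's own.
REQUIRED = [
    ("dot1x authentication via RADIUS group", r"^aaa authentication dot1x default group \S+$"),
    ("network authorization (DACL/VLAN) via RADIUS group", r"^aaa authorization network default group \S+$"),
    ("dot1x start-stop accounting to RADIUS", r"^aaa accounting dot1x default start-stop group \S+$"),
    ("CoA (dynamic-author) client configured", r"^aaa server radius dynamic-author$"),
    ("radius server object defined", r"^radius server \S+$"),
]

def audit(config: str) -> dict:
    """Return {finding: bool} for each required line."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    return {name: any(re.match(pat, l) for l in lines) for name, pat in REQUIRED}

def radius_timeout_budget(config: str, attempts: int = 3) -> int:
    """Seconds before the switch gives up on one RADIUS server: timeout x attempts.
    Paper: 5 s default timeout and three attempts (3 x 5 = 15 s); a 'timeout' under
    'radius server' overrides the global 'radius-server timeout'."""
    timeout = 5
    m = re.search(r"^radius-server timeout (\d+)", config, re.M)
    if m:
        timeout = int(m.group(1))
    in_server = False
    for line in config.splitlines():
        if line.startswith("radius server "):
            in_server = True
        elif in_server and line.startswith(" timeout "):
            timeout = int(line.split()[1])  # per-server value wins over global
        elif in_server and line and not line.startswith(" "):
            in_server = False
    return timeout * attempts
```

Running audit(SAMPLE_CONFIG) reports every finding as present, and radius_timeout_budget(SAMPLE_CONFIG) returns 12 because the per-server timeout of 4 s replaces the 5 s default.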
Sample Interface Config – Legacy Mode
>>>
!
!
interface GigabitEthernet1/0/1
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 16
 ip device tracking maximum 2
 trust device cisco-phone
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port
Sample Interface Template Config – eEdge Mode
>>>
!
!
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template FAIL_OPEN_ACL
 description Service template for Fail open mode
 access-group ISE-ACL-ALLOW
 tag FAIL_OPEN_ACL
service-template ISE-ACL-DEFAULT
 access-group ISE-ACL-DEFAULT
service-template ISE-ACL-ALLOW
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 match activated-service-template FAIL_OPEN_ACL
!
!
policy-map type control subscriber IDENTITY-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authenticatio
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-until-failure
   10 restrict
!
!
>>>
Glossary of Acronyms
CISP: Client Information Signalling Protocol
CoA: Change of Authorization
CoS: Class Of Service
CTS: Cisco TrustSec
CWA: Centralized Web Authentication
DACL: Downloadable Access Control List
DHCP: Dynamic Host Configuration Protocol
Dot1X: 802.1X
EAP, EAP-FAST, EAPOL, FQDN, ISE, LEAP, LWA, MA, MAB, MD5, MDA, MH, PACL, PEAP, QoS, SAP, SGACL, SGT, SH, SSH, SXP, TACACS, TLS, ToS, VACL, VIP, Webauth, Webconsent
Conclusion
The use cases exercised in the Cisco lab provide a base understanding of the ISE solution's capabilities. This effort reflects Cisco IOS release 3.6.3 (15.2(2)E3) with ISE 1.3 patch 3. Some key observations and recommendations:
- Dot1X support requires an authentication server such as ISE.
- Dot1X authentication does not work unless the network access switch can route packets to the configured ISE server.