Integrating Aruba Wireless Networks with Cisco Identity Services Engine
Secure Access How-To Guides Series
Author: Tim Abbott
Date: November 2014
Cisco Systems © 2015

SECURE ACCESS HOW-TO GUIDES

Table of Contents
Introduction  4
  Compatibility Considerations  4
Overview  5
  Components  5
  Network Diagram  5
Aruba Controller Configuration  6
  Aruba CoA Configuration  6
  Aruba RADIUS Server Configuration  6
  Aruba RADIUS Server Rules  7
  Aruba L2 Authentication Profile  8
  Aruba MAB AAA Profile  8
  Aruba 802.1X AAA Profile  9
  Apply AAA Profiles  10
Basic ISE Configuration  11
  Global CoA Behavior  11
  Enable Policy Sets  11
  Network Access Devices  12
  Authorization Profiles  13
  Allowed Protocols  14
AAA Configuration  15
  Aruba Policy Set  15
  Wireless Authentication Rule  15
  802.1X Authentication Rule  16
  MAB Authentication Rule  16
  Local Web Authentication Rule  16
  HR 802.1X Authorization Rule  17
  Finance Local Web Authorization Rule  17
  Workstation MAB Authorization Rule  18
  Local Web Authentication Rule  18
Profiling Considerations  20
  Aruba Profiling Configuration  20
  ISE Profiling Configuration  20
Troubleshooting  22
  Verify Aruba CoA Configuration  22
  RADIUS Messages  23
APPENDIX A  25

Introduction
This configuration example outlines the steps necessary to integrate Aruba wireless networks with Cisco Identity Services Engine (ISE). This guide shows the configuration steps necessary to set up 802.1X authentication, MAC Authentication Bypass (MAB), Local Web Authentication (LWA), Profiling and RADIUS Change of Authorization (CoA). While not required, Microsoft Active Directory (AD) is used as an external identity store for the Authorization Policy in ISE. For information on how to integrate AD with ISE, see the ISE 1.2 End User Guide.

Compatibility Considerations
While Aruba wireless controllers interoperate with ISE, there are limitations. Specifically, Aruba controllers do not support URL redirection with session information from ISE. This limitation prevents features such as BYOD, Native Supplicant Provisioning, Self-Provisioning, and Centralized Web Authentication with Aruba controllers. Posture assessment with Aruba controllers is possible with the use of an ISE Inline Posture Node (IPN). See the references section for more information on posture assessment using ISE IPN.

Table 1. Network Compatibility Matrix
Feature                          Compatibility    Details
IEEE 802.1X                      Compatible
MAC Authentication Bypass        Compatible       Requires ISE 1.2.
Enforcement                      Compatible       Local roles on controller.
Guest Services                   Limitations      Sponsored guest accounts. Self-provisioning not supported.
Local Web Authentication         Compatible       Local captive portals on controller.
Central Web Authentication       Not Compatible   No URL-Redirect with session information.
Profiling Probes                 Limitations      DHCP and RADIUS only.
RADIUS Change of Authorization   Compatible       Session disconnect message (Port Bounce).
Posture Assessment               Limitations      Requires Inline Posture Node.
Overview
This document assumes that the user has a basic understanding of how to configure Aruba mobility controllers, including user roles, Access Control Lists (ACLs) and wireless LANs. It is also assumed that Cisco ISE has been installed properly and an initial configuration applied. Consult the ISE End User Guide for more information.

In this example, we will use the following user roles configured on the Aruba controller: HR, Finance, Workstation and Logon. The HR user role will be used for 802.1X authentication against the Dot1X SSID. The Finance user role will be used for local web authentications. Both the HR and Finance user accounts reside in AD. The Workstation role will be used for devices that have been profiled by ISE and will be allowed access to the network via the MAB SSID. The Logon role is used in local web authentication to identify the user attempting to access the network. Consult the Aruba controller End User Guide for more information on configuring user roles.

Components
• Cisco ISE 1.2
• Aruba 650 mobility controller with OS version 6.2
• Aruba AP-93
• MAB SSID: for LWA and MAB authentications
• Dot1X SSID: for 802.1X authentications

Network Diagram
Figure 1. Network Diagram

Aruba Controller Configuration
This section outlines the steps necessary to integrate an Aruba controller with ISE. First, modify the controller's control plane firewall to allow CoA messages on UDP port 1700. Then, change the RFC 3576 server UDP port so that it listens for CoA messages on port 1700. These configuration steps allow the controller to process CoA messages sent from ISE. Next, add ISE as a RADIUS server and configure server rules. Lastly, create a Server Group, L2 Authentication Profiles and AAA profiles, and add the profiles to the Virtual Access Point configuration for the MAB and Dot1X SSIDs.
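As an added illustration of what the controller will be asked to process once its RFC 3576 server listens on UDP 1700 (this script was written for this edit; it is not Cisco's or Aruba's code), the following Python models both ends of the session disconnect message that Table 1 refers to: it encodes an RFC 5176 Disconnect-Request, then performs the checks a NAS must do before acting on it, namely recomputing the Request Authenticator with the shared secret, silently discarding the packet when it does not verify, and answering with a Disconnect-ACK or a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found). The shared secret, packet identifier and session table are constructed values; the MAC address is the endpoint that appears in this guide's debug output.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the IETF attribute types used below.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, ERROR_CAUSE = 31, 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503

# Constructed value; a real deployment uses the Key entered on the controller's
# RADIUS server page, which must equal the shared secret configured in ISE.
SHARED_SECRET = b"example-shared-secret"


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type/length/value triples."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("RADIUS attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(body):
    """Decode a RADIUS attribute list into {type: value}; rejects malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        attrs[atype] = body[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_disconnect_request(ident, attrs, secret):
    """Sender side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_disconnect_request(packet, secret):
    """NAS side: (True, attrs) only if the authenticator proves knowledge of the secret."""
    if len(packet) < 20:
        return False, {}
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False, {}
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return False, {}
    try:
        return True, decode_attrs(body)
    except ValueError:
        return False, {}


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def nas_handle_coa(packet, secret, active_sessions):
    """Model of the controller's RFC 3576 server: drop, ACK or NAK a Disconnect-Request.

    active_sessions is a set of Calling-Station-Id strings; a matching session is
    removed, which is the session disconnect behaviour Table 1 describes.
    """
    ok, attrs = verify_disconnect_request(packet, secret)
    if not ok:
        return None  # RFC 5176: silently discard when the authenticator fails
    mac = attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    if mac in active_sessions:
        active_sessions.discard(mac)
        return build_response(DISCONNECT_ACK, packet, [], secret)
    error = (ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))
    return build_response(DISCONNECT_NAK, packet, [error], secret)


if __name__ == "__main__":
    sessions = {"1CBDB9D79F9E"}
    request = build_disconnect_request(7, [(CALLING_STATION_ID, b"1CBDB9D79F9E")], SHARED_SECRET)
    reply = nas_handle_coa(request, SHARED_SECRET, sessions)
    print("ACK" if reply[0] == DISCONNECT_ACK else "NAK", "remaining sessions:", sessions)
    print("wrong secret ->", nas_handle_coa(request, b"not-the-secret", {"1CBDB9D79F9E"}))
```

The two failure paths are the ones worth recognising in the ISE Live Log: a packet that never reaches the RFC 3576 server (control plane firewall) produces no reply at all, and so does a shared secret mismatch, because the NAS discards the request without a NAK; only a request that verifies but names an unknown session comes back as a NAK with Error-Cause 503.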
Aruba CoA Configuration
Configure Aruba Controller to Support ISE CoA Messages
Step 1  Log in to the controller CLI.
Step 2  Modify the RFC 3576 server UDP port to 1700.
Step 3  Modify the control plane firewall to allow UDP packets on port 1700.
Step 4  Save the configuration.

(Aruba650) >enable
Password:********
(Aruba650) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba650) (config) #firewall cp
(Aruba650) (config-fw-cp) #permit proto 17 ports 1700 1700
(Aruba650) (config-fw-cp) #exit
(Aruba650) (config) #ip radius rfc-3576-server udp-port 1700
(Aruba650) (config) #end
(Aruba650) #write memory
Saving Configuration...
Configuration Saved.
(Aruba650) #

Aruba RADIUS Server Configuration
Add ISE as a RADIUS Server and Configure RADIUS Options
Step 1  In the controller web interface, navigate to Configuration → Authentication.
Step 2  Click RADIUS Server.
Step 3  Enter the host name of the ISE server in the box and click Add.
Step 4  Click Apply.
Step 5  Expand the RADIUS Server menu and click the newly added ISE node.
Step 6  Enter the information for Host, Key, NAS ID, NAS IP and Source Interface.
Step 7  Check the box for Service-type of FRAMED-USER.
Step 8  Click Apply.

Figure 2. RADIUS Server Configuration Details

Aruba RADIUS Server Rules
For the Aruba controller to know which user role to apply to the session after authentication, server rules must be configured. A default installation of ISE does not contain the Aruba RADIUS dictionary; however, the controller understands the IETF RADIUS Reply-Message attribute. This section shows how to configure server rules that map the RADIUS Reply-Message to the appropriate user role on the Aruba controller.

Add Server Rules for use with ISE Authorization Policy
Step 1  Click Server Group.
Step 2  Enter a name for the new server group. (Example: ISE-SG)
Step 3  Click Add.
Step 4  Select the newly created server group.
Step 5  Under Server Rules click New.
Step 6  In the condition field select Reply-Message.
Step 7  Select equals from the operator drop-down menu.
Step 8  Enter HR.
Step 9  Leave the Set drop-down at set role.
Step 10 In the Value drop-down menu, select the HR role.
Step 11 Click Add.
Step 12 Click Apply.
Step 13 Repeat steps 1 through 8 for each authorization policy that will be sent from ISE. For example, Finance, Logon and Workstation.

Note: Each role has been previously configured and has different firewall policies. Reference Aruba documentation for information on how to configure user roles, firewall policies and captive portals. Consult the Aruba mobility controller End User Guide for more detailed configuration information. Use Figure 3 as reference for an example configuration.

Figure 3. Server Group

Aruba L2 Authentication Profile
This section outlines the steps necessary to build an L2 Authentication Profile. The L2 Authentication Profile is a necessary part of the AAA profile that will ultimately be applied to the wireless LANs. The profiles created in this section will be used for the MAB and Dot1X wireless LANs.

Create L2 Authentication Profiles
Step 1  Navigate to Configuration → Authentication → L2 Authentication.
Step 2  Select MAC Authentication.
Step 3  Give the new profile a name. (Example: ISE-MAC)
Step 4  Click Add.
Step 5  Select 802.1X Authentication.
Step 6  Give the new profile a name. (Example: ISE-Dot1x)
Step 7  Click Add.

Aruba MAB AAA Profile
These steps show how to build the MAB AAA profile that will be used for MAC Authentication Bypass on the MAB SSID. It combines the previously created profiles into a single profile that will be applied to the virtual AP.

Create AAA Profile for use with MAB SSID
Step 1  Under the AAA Profiles tab, select AAA.
Step 2  Click Add.
Step 3  Give the new profile a name.
(Example: ISE-MAC)
Step 4  Click Add.
Step 5  Click Apply.
Step 6  Select the profile for use with MAB.
Step 7  Select Enforce DHCP.
Step 8  Click Apply.
Step 9  Select MAC Authentication and from the drop-down menu select ISE-MAC.
Step 10 Click Apply.
Step 11 For MAC Authentication Server Group and RADIUS Accounting Server Group select ISE-SG from the drop-down menu.
Step 12 Click Apply.

Note: Once configured, your AAA profile for use with the MAB SSID will look similar to Figure 4. Since clients are being forced to use DHCP, be sure to have a DHCP forwarder on an upstream switch. This same switch should also forward DHCP requests to ISE for profiling purposes.

Figure 4. AAA Profile

Aruba 802.1X AAA Profile
These steps show how to build the ISE-Dot1x AAA profile that will be used for 802.1X authentications on the Dot1X SSID. It combines the previously created profiles into a single profile that will be applied to the virtual AP.

Create AAA Profile for use with 802.1X SSID
Step 1  Under the AAA Profiles tab select AAA.
Step 2  Click Add.
Step 3  Give the new profile a name. (Example: ISE-AAA)
Step 4  Click Add.
Step 5  Click Apply.
Step 6  Select the profile for use with 802.1X.
Step 7  Check the box for Enforce DHCP.
Step 8  Click 802.1X Authentication and from the drop-down menu select ISE-Dot1x.
Step 9  For 802.1X Authentication Server Group and RADIUS Accounting Server Group select ISE-SG.
Step 10 Click Apply.

Note: Once configured, your AAA profile for use with the 802.1X SSID should look similar to Figure 5. Since clients are being forced to use DHCP, be sure to have a DHCP forwarder on an upstream switch. This same switch should also forward DHCP requests to ISE for profiling purposes.

Figure 5. AAA Profile - 802.1X SSID

Apply AAA Profiles
Now that the AAA profiles for the MAB and Dot1X SSIDs are complete, it is time to apply them to the wireless LANs. Applying these profiles is what enables ISE to authenticate users attempting to join either wireless network. The following steps show how to apply the profiles to the virtual APs.

Add AAA Profiles to MAB and 802.1X SSIDs
Step 1  Navigate to Configuration → AP Configuration → AP Group with MAB and 802.1X SSIDs.
Step 2  Click Wireless LAN.
Step 3  Expand the Virtual AP menu.
Step 4  Click the virtual AP to be used with ISE.
Step 5  Click AAA.
Step 6  If the virtual AP is 802.1X enabled, select the AAA profile (ISE-AAA) from the drop-down menu.
Step 7  Click Apply.
Step 8  Repeat steps 1 through 7 to apply the MAB AAA profile to the MAB SSID.

Basic ISE Configuration
This section outlines the steps necessary to integrate ISE with an Aruba controller. First, configure the global CoA behavior in ISE for compatibility with Aruba controllers. Next, enable Policy Sets in ISE to allow policy separation between Aruba and Cisco networking equipment. Then, add the Aruba controller(s) to ISE as network access devices and configure the shared secret. Lastly, configure Authorization Profiles and Allowed Protocols in ISE. Authorization Profiles dictate which user role on the Aruba controller to assign to the user. Allowed Protocols establish the supported protocols for use during authentication.

Global CoA Behavior
Configure Global CoA Behavior
Step 1  Navigate to Administration → System → Settings → Profiling.
Step 2  Click the CoA Type drop-down menu and select Port Bounce.
Step 3  Click Save.

Note: CoA Type Reauth should be used with Cisco networking equipment as it provides a better user experience than Port Bounce. Keep in mind that Port Bounce will significantly affect wired switch port behavior.
Aruba wireless controllers do not support the CoA re-authentication messages from ISE. Refer to Figure 6 for a configuration example.

Figure 6. Profile Configuration

Enable Policy Sets
Enable Policy Sets in ISE
Step 1  Navigate to Administration → Settings → Policy Sets.
Step 2  Click Enabled.
Step 3  Click Save.

Note: See Figure 7 for a configuration example.

Figure 7. Policy Configuration

Network Access Devices
Add Aruba Controller as a Network Access Device
Step 1  Navigate to Administration → Network Devices.
Step 2  Click Add to create a new network device.
Step 3  Enter a name for the Aruba mobility controller.
Step 4  Enter the IP address for the access point.
Step 5  Define the Device Type and Location of the controller. For example, Device Type → Aruba.

Cisco Best Practice: Predefine Device Type and Location in the Network Device Groups menu. Putting all Aruba mobility controllers in a unique Network Device Group simplifies the creation of authentication and authorization policies based on device type or location.

Step 6  Check the box for Authentication Settings and enter the shared secret.
Step 7  Click Save.
Step 8  Repeat steps 1 through 7 for additional Aruba controllers that will be used in the ISE deployment.

Note: You have the ability to bulk import network access devices. Simply click Import and then generate a template. Be sure to fill out all the required fields in the CSV template prior to uploading to ISE. See Figure 8 for a configuration example.

Figure 8. Network Device Configuration

Authorization Profiles
Configure Authorization Profiles for Network Users
Step 1  Navigate to Policy → Results → Authorization → Authorization Profiles.
Step 2  Click Add to create a new Authorization Profile.
Step 3  Name the authorization profile HR_Role and leave the Access Type set to Access_Accept.
Step 4  Under Advanced Attribute Settings, click the down arrow and navigate to RADIUS → Reply-Message – [18].
Step 5  In the equals (=) field, enter HR.
Step 6  Click Save to save the new Authorization Profile.
Step 7  Repeat steps 1 through 6, naming the profile Finance_Role and using Finance in the Reply-Message.
Step 8  Repeat steps 1 through 6, naming the profile LWA and using Logon in the Reply-Message.
Step 9  Repeat steps 1 through 6, naming the profile WS_Role and using Workstation in the Reply-Message.

Note: Each Reply-Message attribute value maps to a different user role configured on the Aruba controller. The attribute is defined in the ISE Authorization Profile and is used to assign endpoints to different user roles. The Aruba controller must have a preconfigured server rule that maps the Reply-Message attribute to the proper user role on the controller. Optionally, you may import the Aruba RADIUS dictionary and use the Aruba-User-Role Vendor Specific Attribute (VSA) instead of the IETF Reply-Message attribute.

Allowed Protocols
Configure ISE Allowed Protocols
Step 1  Navigate to Policy → Results → Authentication → Allowed Protocols.
Step 2  Click Add.
Step 3  Enter a name for the new allowed protocols list. (Example: Aruba)
Step 4  Check the box for Allow PAP/ASCII and ensure Detect PAP as Host Lookup, Check Password and Check Calling-Station-Id equals MAC address are also selected.
Step 5  Check the box for Allow PEAP and under Inner Methods check Allow PEAP-MSCHAPv2.
Step 6  Click Save.

Note: This example uses PEAP-MSCHAPv2 as the protocol to authenticate users to the network. Be sure you understand the needs of clients on your network prior to enabling or disabling Allowed Protocols. Also, the Aruba controller sends a RADIUS MAB request (host lookup) as PAP/ASCII. Reference Figure 9 as an example.

Figure 9. ISE Allowed Protocols

AAA Configuration
This section describes how to configure Authentication and Authorization Policy within an ISE Policy Set. First, configure a top-level rule that describes authentications for that part of the infrastructure (i.e. wired, wireless or VPN). Then configure rules that allow for the various types of authentication per security policy (i.e. 802.1X, MAB or web authentication). Next, configure Authorization Rules for 802.1X, LWA and MAB. Lastly, an LWA challenge rule is configured to allow new devices joining the MAB SSID to be profiled by ISE.

Aruba Policy Set
Configure ISE Policy Set for Aruba Network Access Devices
Step 1  Navigate to Policy → Policy Sets.
Step 2  Create a new Policy Set by clicking the green plus sign (+) then Create Above.
Step 3  Click Edit to customize the Policy Set rule.
Step 4  Enter a Name and Description (optional) for the Policy Set rule.
Step 5  Click the plus sign (+) in the conditions box and select Create New Condition (Advanced Option).
Step 6  Navigate to Select Attribute → DEVICE → Device Type.
Step 7  Change the operator drop-down from EQUALS to CONTAINS.
Step 8  Select the Device Type group defined earlier in this guide that contains all Aruba controllers that will apply to the new Policy Set. Reference Figure 10 as an example.
Step 9  Click Done on the right-hand side of the policy set rule.
Step 10 Click Submit.

Figure 10. ISE - Aruba Policy Set

Note: You have the ability to reorder the policy set list by dragging policy sets into order of preference. Reference Figure 10 as an example.

Wireless Authentication Rule
Configure Wireless Authentication Rule
Step 1  Create a new Authentication Policy rule by clicking the down arrow next to Edit and selecting Insert New Rule Above.
Step 2  Enter a name for the new rule. (Example: Aruba Wireless)
Step 3  Click the plus sign (+) in the conditions field to access the drop-down menu and select Create New Condition (Advanced Option).
Step 4  Select the attribute RADIUS → NAS-Port-Type.
Step 5  Leave the operator box set to EQUALS.
Step 6  In the last drop-down box, select Wireless - IEEE 802.11.
Step 7  Add a new Attribute Value by selecting the gear icon.
Step 8  Select attribute RADIUS → Service-Type.
Step 9  Leave the operator box set to EQUALS.
Step 10 In the last drop-down box, select Framed.

Note: By default, Aruba controllers set the Service-Type to Login_User instead of Framed. Aruba added the ability to modify this in version 6.2 of the controller software.

Step 11 For Allowed Protocols, select the profile previously configured. (Example: Aruba)

802.1X Authentication Rule
Configure Wireless 802.1X Authentication
Step 1  Select the Actions menu and click Insert New Rule Above.
Step 2  Give the sub-rule a name. (Example: Dot1X)
Step 3  Click the small window icon to open the Conditions menu.
Step 4  Select Create New Condition (Advanced Option).
Step 5  Select Network Access → EapAuthentication.
Step 6  Leave the operator box set to EQUALS.
Step 7  In the last box select EAP-MSCHAPv2.
Step 8  In the Use field, select ActiveDirectory as the identity store.

MAB Authentication Rule
Configure Wireless MAB Authentication
Step 1  Select the Actions menu then Insert New Rule Above.
Step 2  Give the sub-rule a name. (Example: MAB)
Step 3  Click the small window icon to open the Conditions menu.
Step 4  Select Create New Condition (Advanced Option).
Step 5  Select Network Access → UseCase.
Step 6  Leave the operator box set to EQUALS.
Step 7  In the last box select Host Lookup.
Step 8  In the Use field, select Internal Endpoints as the identity store.
Step 9  Set the "If user not found" field to Continue.

Local Web Authentication Rule
Configure Wireless LWA Authentication
Step 1  Select the Actions menu then Insert New Rule Above.
Step 2  Give the sub-rule a name. (Example: LWA)
Step 3  Click the small window icon to open the Conditions menu.
Step 4  Select Create New Condition (Advanced Option).
Step 5  Select Network Access → AuthenticationMethod.
Step 6  Leave the operator box set to EQUALS.
Step 7  In the last box select PAP_ASCII.
Step 8  In the "Use:" field, select Active Directory as the identity store.
Step 9  Click Save.

Cisco Best Practice: Once configured, your Authentication Policy will look similar to Figure 11. If these rules will be used in a production environment, be sure to set the Default rule to use DenyAccess as the identity store. In addition, you can configure an Identity Source Sequence for authenticating Active Directory users as well as guest users via LWA. Simply change the LWA rule to use the name of the Identity Source Sequence instead of Active Directory. See the ISE user guide for more information on Identity Source Sequences.

Figure 11. Authentication Policy

Note: Due to the way Aruba controllers communicate during 802.1X, MAB and LWA, it is recommended that the Authentication Policy be configured in a manner similar to Figure 11. Re-ordering the Dot1X, MAB and LWA authentication rules leaves the potential for authentication failure as a result of an incorrect rule match in the Authentication Policy.

HR 802.1X Authorization Rule
Configure 802.1X Authorization Rule for HR Users
Step 1  Navigate to Policy → Policy Sets.
Step 2  Click the down arrow in the Default Authorization Policy rule and select Insert new rule above.
Step 3  Enter a name for the new Authorization Policy rule. (Example: HR Dot1x)
Step 4  Leave the Identity Group field at Any, then click the plus sign in the Condition(s) field.
Step 5  Select Create New Condition (Advanced Option).
Step 6  Select the attribute Active Directory → ExternalGroups and select the AD user group for HR.
Step 7  Add a new Attribute Value by selecting the gear icon.
Step 8  Select the attribute Network Access → EapAuthentication.
Step 9  Leave the operator field at EQUALS.
Step 10 In the last drop-down menu, select EAP-MSCHAPv2.
Step 11 Click the plus sign (+) in the field for permissions.
Step 12 Select HR_Role via Select an item → Standard.
Step 13 Click Save.

Finance Local Web Authorization Rule
Configure LWA Authorization for Finance Users
Step 1  Click the down arrow in the "HR Dot1x" authorization rule and select Insert new rule below.
Step 2  Enter a name for the new authorization rule. (Example: Finance LWA)
Step 3  Leave the "Identity Group" field at Any, then click the plus sign in the Condition(s) field.
Step 4  Select Create New Condition (Advanced Option).
Step 5  Select attribute Active Directory → ExternalGroups and select the AD user group for Finance.
Step 6  Add a new Attribute Value by selecting the gear icon.
Step 7  Select attribute Network Access → AuthenticationMethod.
Step 8  Leave the operator field at EQUALS.
Step 9  In the last drop-down menu, select PAP_ASCII.
Step 10 Click the plus sign (+) in the field for permissions.
Step 11 Select Finance_Role via Select an item → Standard.
Step 12 Click Save.

Workstation MAB Authorization Rule
Configure Aruba MAB Authorization Rule for Profiled Workstations
Step 1  Click the down arrow in the Finance LWA authorization rule and select Insert new rule below.
Step 2  Enter a name for the new authorization rule. (Example: WS_MAB)
Step 3  In the Identity Group field, click the plus sign (+) and select Endpoint Identity Groups → Profiled → Workstation.
Step 4  Click the plus sign (+) in the field for Conditions.
Step 5  Select Create New Condition (Advanced Option).
Step 6  Select Network Access → UseCase.
Step 7  Leave the operator field set to EQUALS.
Step 8  In the last drop-down menu, select Host Lookup.
Step 9  Click the plus sign (+) in the field for permissions.
Step 10 Select the previously created Authorization Profile via Select an item → Standard.
Step 11 Click Save.
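The authentication and authorization rules built in this section, the Reply-Message values set in the Authorization Profiles and the Reply-Message server rules on the controller form one first-match pipeline, and the order warning in the note above is easiest to see by executing it. The following Python is an added model written for this edit (not Cisco's or Aruba's code, and not how ISE is implemented internally): it evaluates the Aruba Wireless rule, the Dot1X/MAB/LWA sub-rules in the guide's order, the four authorization rules, the Reply-Message of the selected profile and finally the ISE-SG server rules, returning the controller user role a session lands in. The AD group membership, the profiled endpoint and the user names are constructed; the identity group is simplified to the name "Workstation".

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed identity data for this example (not from the guide).
AD_GROUPS = {
    "hruser": {"ise.local/Users/Human Resources"},
    "finuser": {"ise.local/Users/Finance"},
}
ENDPOINT_GROUPS = {"1CBDB9D79F9E": "Workstation"}  # MAC already profiled by ISE

WIRELESS_80211 = 19  # RADIUS NAS-Port-Type value for Wireless - IEEE 802.11


@dataclass
class Request:
    """The RADIUS / ISE attributes that the guide's conditions test."""
    user: str = ""
    mac: str = ""
    nas_port_type: int = WIRELESS_80211
    service_type: str = "Framed"        # Aruba 6.2 can send Framed instead of Login_User
    eap_auth: Optional[str] = None      # "EAP-MSCHAPv2" on the Dot1X SSID
    use_case: Optional[str] = None      # "Host Lookup" for MAB
    auth_method: Optional[str] = None   # "PAP_ASCII" for LWA, and for Aruba MAB


Rule = Tuple[str, Callable[[Request], bool], str, str]

# Authentication sub-rules of the "Aruba Wireless" rule, in the guide's order:
# (name, condition, identity store, action if the user is not found).
AUTHN_RULES: List[Rule] = [
    ("Dot1X", lambda r: r.eap_auth == "EAP-MSCHAPv2", "ActiveDirectory", "Reject"),
    ("MAB", lambda r: r.use_case == "Host Lookup", "Internal Endpoints", "Continue"),
    ("LWA", lambda r: r.auth_method == "PAP_ASCII", "ActiveDirectory", "Reject"),
]

# Authorization rules as summarised in Table 2: (name, identity group, condition, profile).
AUTHZ_RULES = [
    ("HR Dot1x", "Any",
     lambda r: "ise.local/Users/Human Resources" in AD_GROUPS.get(r.user, set())
     and r.eap_auth == "EAP-MSCHAPv2", "HR_Role"),
    ("Finance LWA", "Any",
     lambda r: "ise.local/Users/Finance" in AD_GROUPS.get(r.user, set())
     and r.auth_method == "PAP_ASCII", "Finance_Role"),
    ("WS_MAB", "Workstation", lambda r: r.use_case == "Host Lookup", "WS_Role"),
    ("LWA", "Any", lambda r: r.use_case == "Host Lookup", "LWA"),
]

# Reply-Message each ISE Authorization Profile sends, and the controller's
# server rules (Reply-Message equals X -> set role X) in the ISE-SG server group.
REPLY_MESSAGE = {"HR_Role": "HR", "Finance_Role": "Finance", "WS_Role": "Workstation", "LWA": "Logon"}
SERVER_RULES = {"HR": "HR", "Finance": "Finance", "Workstation": "Workstation", "Logon": "Logon"}


def identity_found(store: str, r: Request) -> bool:
    """Identity store lookup; a successful password check is assumed for AD users."""
    if store == "ActiveDirectory":
        return r.user in AD_GROUPS
    if store == "Internal Endpoints":
        return r.mac in ENDPOINT_GROUPS
    return False


def authenticate(r: Request, rules: List[Rule] = AUTHN_RULES) -> str:
    """First-match authentication; returns the matched rule name or 'Reject'."""
    if not (r.nas_port_type == WIRELESS_80211 and r.service_type == "Framed"):
        return "Reject"  # outside the Aruba Wireless rule; the Default rule is DenyAccess
    for name, condition, store, if_not_found in rules:
        if condition(r):
            if identity_found(store, r) or if_not_found == "Continue":
                return name
            return "Reject"
    return "Reject"


def authorize(r: Request) -> str:
    """First-match authorization; returns the authorization profile or 'DenyAccess'."""
    for _name, identity_group, condition, profile in AUTHZ_RULES:
        if identity_group != "Any" and ENDPOINT_GROUPS.get(r.mac) != identity_group:
            continue
        if condition(r):
            return profile
    return "DenyAccess"


def controller_role(r: Request, rules: List[Rule] = AUTHN_RULES) -> Optional[str]:
    """ISE policy -> Reply-Message -> Aruba server rule -> user role (None means Access-Reject)."""
    if authenticate(r, rules) == "Reject":
        return None
    profile = authorize(r)
    if profile == "DenyAccess":
        return None
    return SERVER_RULES.get(REPLY_MESSAGE[profile])


def mab_request(mac: str) -> Request:
    """Aruba sends MAB as PAP/ASCII with the MAC as User-Name; ISE detects it as Host Lookup."""
    return Request(user=mac, mac=mac, use_case="Host Lookup", auth_method="PAP_ASCII")


if __name__ == "__main__":
    print(controller_role(Request(user="hruser", mac="AABBCCDDEE01", eap_auth="EAP-MSCHAPv2")))  # HR
    print(controller_role(Request(user="finuser", mac="AABBCCDDEE02", auth_method="PAP_ASCII")))  # Finance
    print(controller_role(mab_request("1CBDB9D79F9E")))  # Workstation: profiled endpoint
    print(controller_role(mab_request("AABBCCDDEE03")))  # Logon: unknown endpoint hits the LWA rule
    # The order warning: with LWA evaluated before MAB, the PAP/ASCII MAB request
    # matches LWA, is looked up in AD instead of Internal Endpoints, and is rejected.
    reordered = [AUTHN_RULES[0], AUTHN_RULES[2], AUTHN_RULES[1]]
    print(controller_role(mab_request("1CBDB9D79F9E"), reordered))  # None
```

Two of the cases are worth keeping in mind when a session lands in the wrong role: a controller still sending Service-Type Login_User never enters the Aruba Wireless rule at all, and an HR user who authenticates through the captive portal instead of 802.1X matches no authorization rule and is denied, which is the intended outcome of the policy rather than a fault.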
Local Web Authentication Rule
Configure LWA Authorization for Devices Not Profiled
Step 1  Click the down arrow in the WS_MAB authorization rule and select Insert new rule below.
Step 2  Enter a name for the new authorization rule. (Example: LWA)
Step 3  Leave the Identity Group field at Any, then click the plus sign in the Condition(s) field.
Step 4  Select Create New Condition (Advanced Option).
Step 5  Select Network Access → UseCase.
Step 6  Leave the operator field set to EQUALS.
Step 7  In the last drop-down menu, select Host Lookup.
Step 8  Click the plus sign (+) in the field for permissions.
Step 9  Select the previously created Authorization Profile via Select an item → Standard.
Step 10 Click Save.

Note: The purpose of this rule is to allow for the profiling of new wireless devices joining the MAB SSID. New wireless workstations will be allowed to join the network once profiled. Once configured, your new authorization policy should look similar to Figure 12.

Table 2. Authorization Rules
Rule Name: HR Dot1x
  Identity Group: Any
  Conditions: ActiveDirectory:ExternalGroups EQUALS ise.local/Users/Human Resources AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
  Permissions: HR_Role
Rule Name: Finance LWA
  Identity Group: Any
  Conditions: ActiveDirectory:ExternalGroups EQUALS ise.local/Users/Finance AND Network Access:AuthenticationMethod EQUALS PAP_ASCII
  Permissions: Finance_Role
Rule Name: WS_MAB
  Identity Group: Microsoft-Workstation
  Conditions: Network Access:UseCase EQUALS Host Lookup
  Permissions: WS_Role
Rule Name: LWA
  Identity Group: Any
  Conditions: Network Access:UseCase EQUALS Host Lookup
  Permissions: LWA

Profiling Considerations
This section outlines the steps necessary to configure an Aruba controller for use with profiler probes in ISE. Aruba controllers are capable of interoperating with the profiling feature of ISE to a limited degree. Currently, only DHCP profiling is supported on the Aruba controller. To gain additional profiling data, consider having a Cisco switch upstream of the Aruba controller that supports IOS Device Sensor. Cisco IOS Device Sensor is capable of sending additional profiling data to ISE. Reference Figure 1 for an example diagram.

Careful consideration should be given to Authorization Rules that use Endpoint Identity Groups with 802.1X wireless networks. Devices attempting to join an 802.1X-protected network will not be profiled prior to authentication. As a result, a failed authentication will occur.

Aruba Profiling Configuration
Configure DHCP Forwarding for Device Profiling
Step 1  Log in to the controller CLI.
Step 2  Configure the VLAN interface to forward DHCP requests to ISE.
Step 3  Save the configuration.

(Aruba650) >enable
Password:********
(Aruba650) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba650) (config) #interface vlan 10
(Aruba650) (config-subif)#ip helper-address 10.2.10.2
(Aruba650) (config-subif)#end
(Aruba650) #write memory
Saving Configuration...
Configuration Saved.
(Aruba650) #

ISE Profiling Configuration
Enable DHCP Profiling Probe in ISE
Step 1  Navigate to Administration → Deployment.
Step 2  Click the down arrow next to Deployment and select the node running the Policy Service.
Step 3  Select the Profiling Configuration tab.
Step 4  Put a check in the boxes next to DHCP and RADIUS.
Step 5  Click Save.
Step 6  Repeat steps 1 through 5 for each node running the Policy Service that will require the DHCP and RADIUS profiling features.

Note: Reference Figure 12 for a configuration example.

Figure 12. ISE Profiling Configuration

Troubleshooting
Verify Aruba CoA Configuration
The following commands assist in troubleshooting failed CoA messages in the ISE Live Log. Verify the control plane firewall in the Aruba controller is allowing UDP packets on port 1700 from ISE.
Also, verify the RFC 3576 server process is listening on port 1700. Lastly, verify the controller is receiving CoA messages from ISE.

Verify CoA Messages are Reaching the Controller

Step 1   Log into the controller CLI and enter: show aaa rfc-3576-server statistics

Figure 13. Server Statistics

Verify CoA Messages are Allowed through the Control Plane Firewall

Step 1   Enter: show firewall-cp

(Aruba650) #show firewall-cp
CP firewall policies
--------------------
IP Version  Source IP  Source Mask  Protocol  Start Port  End Port  Permit/Deny  hits  contract
----------  ---------  -----------  --------  ----------  --------  -----------  ----  --------
ipv4        any                     17        1700        1700      Permit       13
(Aruba650) #

Check CoA Port on the Controller

Step 2   Log into the controller CLI and enter: show aaa rfc-3576-server udp-port

(Aruba650) #show aaa rfc-3576-server udp-port
RFC3576 server port = 1700
(Aruba650) #

RADIUS Messages

The following commands assist in verifying RADIUS communication and authentication information between the Aruba controller and ISE. Once AAA debugging has been configured on the controller from the CLI, you will be able to see RADIUS messages sent from ISE.

Configure Debugging for the AAA Process

Step 1   Log into the controller CLI and enter global configuration mode.
Step 2   Enable debugging by entering: logging level debugging security process aaa

(Aruba650) #
(Aruba650) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba650) (config) #logging level debugging security process aaa
(Aruba650) (config) #end
(Aruba650) #

Step 3   Once authentication attempts have occurred, enter: show log security all | include aaa

Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1021] Sending radius request to ise1.ise.local:10.2.10.2:1813 id:255,len:282
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] NAS-IP-Address: 10.4.10.2
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] User-Name: hruser
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] NAS-Port-Id: 0
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] NAS-Port-Type: 19
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Acct-Session-Id: hruser1CBDB9D79F9E-29
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Acct-Multi-Session-Id: 1CBDB9D79F9E-0000000042
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Framed-IP-Address: 10.4.20.10
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Calling-Station-Id: 1CBDB9D79F9E
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Called-Station-Id: 000B86640BA0
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Class: CACS:0a020a020000000451FA9A0E:ise1/164155497/8011
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Acct-Delay-Time: 0
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Aruba-Essid-Name: ISE-Aruba
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Aruba-Location-Id: Aruba-93
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Aruba-AP-Group: default
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Aruba-User-Role: HR
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Aruba-User-Vlan:
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Aruba-Device-Type:
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Acct-Status-Type: Start
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Acct-Authentic: RADIUS
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] NAS-Identifier: aruba
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_acct.c:548] Radius Accounting Start: user hruser
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_acct.c:560] User accounting has already started: state = 1
Aug 1 12:36:55 :124162: <DBUG> |authmgr| Enforcing L2 check for mac 1c:bd:b9:d7:9f:9e.
Aug 1 12:36:55 :124163: <DBUG> |authmgr| download-L3: ip=10.4.20.10 acl=57/0 role=HR, Ubwm=0, Dbwm=0 tunl=0x0x1000c, PA=0, HA=1, RO=0, VPN=0, MAC=1c:bd:b9:d7:9f:9e.
Aug 1 12:36:55 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 384 3 user messages bundled, actions = 17, 18, 20
Aug 1 12:36:55 :124104: <DBUG> |authmgr| ifmap: user=0x0x10a14cbc, ipuser=0x0x10a17c24, mac=1c:bd:b9:d7:9f:9e, event=1.
Aug 1 12:36:55 :124105: <DBUG> |authmgr| MM: mac=1c:bd:b9:d7:9f:9e, state=1, name=hruser, role=HR, dev_type=, ipv4=10.4.20.10, ipv6=0.0.0.0, new_rec=1.
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:76] Find Request: id=255, srv=10.2.10.2, fd=76
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:82] Current entry: srv=10.2.10.2, fd=76
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:37] Del Request: id=255, srv=10.2.10.2, fd=76
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:908] Authentication Successful

APPENDIX A

Device Configuration Guides

Cisco Identity Services Engine User Guides: http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html
Inline Posture Node Integration Guide: http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_deploy.html
Aruba Mobility Controller End User Guide: http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_ViewDetails/Default.aspx?EntryId=9143

Table 3. Integrating Aruba Wireless Controller with Cisco ISE 1.2 FCS QA Test Results

Feature                        | Compatibility  | Details                                                    | Test Coverage
-------------------------------|----------------|------------------------------------------------------------|--------------
IEEE-802.1X                    | Compatible     |                                                            | Tested
MAC Authentication By-Pass     | Compatible     | Requires ISE 1.2.                                          | Tested
Enforcement                    | Compatible     | Local roles on controller.                                 | Tested
Guest Services                 | Limitations    | Sponsored guest accounts. Self-provisioning not supported. | Tested
Local Web Authentication       | Compatible     | Local captive portals on controller.                       | Tested
Central Web Authentication     | Not Compatible | No URL-Redirect with session information.                  |
Profiling Probes               | Limitations    | DHCP and RADIUS only.                                      | Tested
RADIUS Change of Authorization | Compatible     | Session disconnect message (Port Bounce).                  | Tested
Posture Assessment             | Limitations    | Requires Inline Posture Node.                              |
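The CoA checks in the Troubleshooting section (control plane firewall permit for UDP 1700, and the RFC 3576 listener port) can be scripted when many controllers are involved. The following is an added example, not part of the original guide; it parses the two command outputs shown above, which are embedded here as constructed samples, and the ISE address 10.2.10.2 is taken from the guide's own diagram.

```python
import re

# Constructed samples: the outputs of 'show firewall-cp' and
# 'show aaa rfc-3576-server udp-port' from the Troubleshooting section.
FIREWALL_CP_OUTPUT = """\
CP firewall policies
--------------------
IP Version  Source IP  Source Mask  Protocol  Start Port  End Port  Permit/Deny  hits  contract
----------  ---------  -----------  --------  ----------  --------  -----------  ----  --------
ipv4        any                     17        1700        1700      Permit       13
"""
UDP_PORT_OUTPUT = "RFC3576 server port = 1700\n"

# One CP firewall row; Source Mask and contract may be blank, so mask is optional.
ROW_RE = re.compile(
    r"^(?P<ver>ipv[46])\s+(?P<src>\S+)\s+(?:(?P<mask>\S+)\s+)?"
    r"(?P<proto>\d+)\s+(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<action>Permit|Deny)\s+(?P<hits>\d+)"
)

def parse_firewall_cp(output):
    """Return the policy rows of 'show firewall-cp' as dicts (ints for numeric fields)."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("proto", "start", "end", "hits"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def parse_rfc3576_port(output):
    """Return the port the RFC 3576 server listens on, or None if not reported."""
    m = re.search(r"RFC3576 server port = (\d+)", output)
    return int(m.group(1)) if m else None

def check_coa_path(fw_output, port_output, ise_ip="10.2.10.2"):
    """Summarise whether CoA from ISE can reach the controller's RFC 3576 listener."""
    port = parse_rfc3576_port(port_output)
    if port is None:
        return {"listen_port": None, "cp_permit": False, "hits": 0}
    # Protocol 17 is UDP; the source must be 'any' or the ISE node itself.
    permits = [r for r in parse_firewall_cp(fw_output)
               if r["action"] == "Permit" and r["proto"] == 17
               and r["start"] <= port <= r["end"]
               and r["src"] in ("any", ise_ip)]
    return {"listen_port": port, "cp_permit": bool(permits),
            "hits": sum(r["hits"] for r in permits)}
```

A zero hit count with a permit present usually means ISE never sent the CoA (check the ISE LiveLog and the network access device definition), while a missing permit points at the control plane firewall.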
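When correlating the 'show log security all | include aaa' output from the RADIUS Messages section with the ISE LiveLog, the fields that matter are the request id, the server, the User-Name, the Calling-Station-Id and the final result. This added example (not from the guide) groups the attribute lines under each "Sending radius request" line; the sample log is a constructed subset of the output shown above.

```python
import re

# Constructed sample: a subset of the controller AAA debug log from the guide.
SAMPLE_LOG = """\
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1021] Sending radius request to ise1.ise.local:10.2.10.2:1813 id:255,len:282
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] NAS-IP-Address: 10.4.10.2
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] User-Name: hruser
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Calling-Station-Id: 1CBDB9D79F9E
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Aruba-User-Role: HR
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Aruba-User-Vlan:
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1031] Acct-Status-Type: Start
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:76] Find Request: id=255, srv=10.2.10.2, fd=76
Aug 1 12:36:55 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:908] Authentication Successful
"""

# The server field is host:ip, so the last ':port' is separated by backtracking.
SEND_RE = re.compile(r"Sending radius request to (?P<server>\S+):(?P<port>\d+) id:(?P<id>\d+),len:(?P<len>\d+)")
# Attribute lines are logged from rc_server.c as 'Name: value' (value may be empty).
ATTR_RE = re.compile(r"\[rc_server\.c:\d+\] (?P<name>[A-Za-z0-9-]+): ?(?P<value>.*)$")

def parse_aaa_log(text):
    """Group each RADIUS request with the attributes and result logged after it."""
    requests = []
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            requests.append({"server": m["server"], "port": int(m["port"]),
                             "id": int(m["id"]), "attrs": {}, "result": None})
            continue
        m = ATTR_RE.search(line)
        if m and requests:
            requests[-1]["attrs"][m["name"]] = m["value"]
        elif "Authentication Successful" in line and requests:
            requests[-1]["result"] = "success"
    return requests

def session_summary(text):
    """Return the fields used to match a controller request against the ISE LiveLog."""
    requests = parse_aaa_log(text)
    if not requests:
        return None
    last = requests[-1]
    attrs = last["attrs"]
    return {"user": attrs.get("User-Name"), "mac": attrs.get("Calling-Station-Id"),
            "role": attrs.get("Aruba-User-Role"), "server": last["server"],
            "port": last["port"], "id": last["id"], "result": last["result"]}
```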