Cisco Security ISE dot1x and mab EVE-NG Lab guide
Author: Uldis Dzerkals, EVE-NG Pro, 2020
Cisco Security Lab ISE dot1x & mab, EVE-PRO, 2020

Content
I. Lab nodes, image versions
II. Install NTP and Active Directory Server
III. Configure DNS Server
IV. Configure AD Corporate users
V. Join PCs to the AD domain
VI. ISE pre-stage
VII. Active Directory joining to the ISE
VIII. Lab Switch AAA configuration
IX. Lab switch joining to the ISE
X. Create authorization Profiles and DACLs
XI. Create Source Identity sequence
XII. Create Policy Set
XIII. Lab Switch Ports configuration DOT1x and MAB
XIV. Windows 10 Dot1x Authentication
XV. Windows 7 Dot1x Authentication
XVI. Android Tablet Authentication
XVII. Final verification

Created by Uldis Dzerkals, EVE-NG Ltd, 2020

Preface
Lab concept: Practical Cisco Security ISE 3.0 configuration according to the given objectives. The EVE Community version of the lab uses Windows Server 2019 as the management station for ISE HTTPS access.

I. Lab nodes, image versions
• Cisco ISE 3.0
• Switch: i86bi_linux_l2-adventerprisek9-ms.SSA.high_iron_20190423.bin
• ISP Router: IOL i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin
• DNS/CA/NTP: Windows 2019 x64 Server
• Windows 10 x86, Domain PC
• Windows 7 x86, Domain PC
• Android node 9.1 as BYOD (Pro Lab with Android)
• Management Host: Docker server-gui (Pro Lab)

II. Install NTP and Active Directory Server
NOTE: The Windows server must have the WinSCP and Tftpd64 applications installed.

Objective: Configure Windows 2019 network interfaces with the following:
1. Set a static IP address for the Windows 2019 interface Ethernet:
✓ IP Address: 10.1.1.201
✓ Mask: 255.255.255.0
✓ Gateway: 10.1.1.254
✓ DNS Server: 8.8.8.8, 8.8.4.4

Objective: Configure Windows 2019 Time Zone and Time:
✓ Configure the appropriate Time zone and Time on the Windows Server.

Objective: Configure Windows 2019 as NTP server with the following:
1. Create firewall NTP inbound rule
✓ Control Panel/Windows Defender Firewall/Advanced settings
✓ Inbound Rules/New rule
✓ Rule type: Port > Next
✓ Protocol and Ports: UDP 123 > Next
✓ Action: Allow the Connection > Next
✓ Profile: check all, domain, private, public > Next
✓ Name: NTP_inbound
2. Configure external NTP server (the Internet must be reachable from your server)
✓ Open Windows CMD (administrator rights!!!)
✓ Enter the external real NTP server:
    w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL /reliable:yes
3. Edit Registry keys
✓ Select Start > Run, type regedit, and then select OK
✓ Navigate to the following path in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
✓ Right-click AnnounceFlags, and then select Modify
✓ Set the Value data to 5 and click OK.
✓ Navigate to the following path in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
✓ Right-click Type, and then select Modify
✓ Set the Value data to NTP and click OK.
✓ Enable the NTP server: open the location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
✓ Right-click Enabled, and then select Modify
✓ In Edit DWORD Value, type 1 in the Value data box, and then click OK
4. Restart NTP service
✓ Open Windows CMD (administrator rights!!!)
✓ Enter: net stop w32time && net start w32time
5. Verify NTP
✓ Open Windows CMD (administrator rights!!!)
✓ Enter:
    w32tm /query /status /verbose    (displays the last sync status or any error)
    w32tm /query /peers              (displays the external NTP peers)

Objective: Configure Windows 2019 server name with the following:
✓ Open Server Manager
✓ Click Local Server
✓ Click Computer Name
✓ Click Change
✓ Enter Name: ad
✓ Click OK
✓ Click Close and restart the server

Objective: Configure Windows 2019 server Active Directory:
1. Install Active Directory Server role
✓ Open Server Manager
✓ Click Add roles and features
✓ Click Next 3 times
✓ Select Active Directory Domain Services, and click Add features
✓ Click Next 3 times, and Install
✓ After installation is completed, click Close
2. Navigate to Server Manager, Notifications (yellow triangle)
✓ Click on Promote this server to a domain controller
✓ Select "Add new forest"
✓ Enter the domain name "eve.lab"
✓ Click Next
✓ Type the DSRM password 2 times (example: Test123)
✓ Click Next 5 times
✓ Click Install
✓ After the server has rebooted, change the administrator password if required (example: ADserver123)

III. Configure DNS Server
Objective: Configure Windows 2019 as DNS server with the following:
1. Navigate to Server Manager, Tools/DNS
✓ Expand the AD server on the right
2. Create 2 new Reverse Lookup Zones
✓ Right-click on Reverse Lookup Zones/New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave "To all DNS servers running on domain controllers in this domain: eve.lab", click Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.1, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
  Note: this is a lab shortcut; non-secure dynamic updates let any host on the network register or overwrite records, so production zones should allow secure updates only.
✓ Finish
✓ New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave "To all DNS servers running on domain controllers in this domain: eve.lab", click Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.2, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
3. Create new A record
✓ Navigate to forward lookup zone eve.lab
✓ Create New Host (A or AAAA)
✓ Name: ise
✓ IP Address: 10.1.1.200
✓ Enable checkbox Create associated pointer (PTR) record
✓ Add Host

IV. Configure AD Corporate users
Objective: Configure Active Directory Corporate Users:
1. Navigate to Server Manager, Tools/Active Directory Users and Computers
✓ Right-click on Users directory/New/User
✓ First Name: Jenny
✓ Last name: Doe
✓ Username: jennydoe
✓ Click Next
✓ Password (2 times): Silver2021
✓ Uncheck User must change password at next logon
✓ Check: User cannot change password and Password never expires
✓ Click Next and Finish
2. Navigate to Server Manager, Tools/Active Directory Users and Computers
✓ Right-click on Users directory/New/User
✓ First Name: John
✓ Last name: Doe
✓ Username: johndoe
✓ Click Next
✓ Password (2 times): Gold2021
✓ Uncheck User must change password at next logon
✓ Check: User cannot change password and Password never expires
✓ Click Next and Finish

V. Join PCs to the AD domain
Objective: Join corporate users to the Active Directory:
Note: Your Windows hosts must be configured to obtain an IP address via DHCP. The lab switch and ISP router are configured with the proper VLANs and DHCP pools.
1. Windows 10 host
✓ Navigate: Start/Settings/About
✓ Navigate: Advanced System Settings, click
✓ Click Tab: Computer Name
✓ Click: Change
✓ Type Computer Name: John-PC
✓ Select radio button: Domain
✓ Type domain: eve.lab
✓ Click OK
✓ Type your AD server administrator username and password (example: administrator/Test123)
✓ Click OK
✓ Click Close and restart the PC
✓ Select Other user and log in with AD credentials: johndoe/Gold2021
2. Windows 7 host
✓ Navigate: Start/Control Panel/System and Security/System/Advanced system settings
✓ Click Tab: Computer Name
✓ Click: Change
✓ Type Computer Name: Jenny-PC
✓ Select radio button: Domain
✓ Type domain: eve.lab
✓ Click OK
✓ Type your AD server administrator username and password (example: administrator/Test123)
✓ Click OK
✓ Click Close and restart the PC
✓ Select Switch user/Other user
✓ Log in with AD credentials: jennydoe/Silver2021
Verification: Both hosts, Windows 10 as John-PC and Windows 7 as Jenny-PC, must be joined to the domain eve.lab and have full network/internet access.

VI. ISE pre-stage
Objective: Pre-stage ISE
1. Setup ISE settings
✓ Type: setup
✓ Hostname: ise
✓ IP address: 10.1.1.200
✓ Netmask: 255.255.255.0
✓ Default gateway: 10.1.1.254
✓ Default domain: eve.lab
✓ Primary name server: 10.1.1.201
✓ NTP Server: 10.1.1.201
✓ User: admin
✓ Password: Test123
✓ Wait till ISE installs and comes up; services must be in the running state

Objective: Allow SHA1 ciphers for WIN7 nodes
1. Open the Management host and navigate to Applications/Internet/Chromium Web Browser
✓ Log into the ISE by browsing to https://ise.eve.lab using username: admin and password: Test123
✓ Navigate to ISE Management
✓ Click Tab Administration/System/Settings
✓ Navigate to Security Settings and Allow SHA1 Ciphers. This option is necessary for Windows 7 nodes (SHA1 is a deprecated algorithm, so leave the option disabled once no Windows 7 clients remain).

VII. Active Directory joining to the ISE
Objective: Join Active Directory as External Identity Source to the ISE
1. Open the Management host and navigate to Applications/Internet/Chromium Web Browser
✓ Log into the ISE by browsing to https://ise.eve.lab using username: admin and password: Test123
✓ Navigate to ISE Management
✓ Click Tab Administration/Identity Management/External Identity Sources
✓ Click Active Directory and "+ Add"
✓ Join point name: ad.eve.lab
✓ Active Directory domain name: eve.lab
✓ Click Submit and Yes for Join
✓ Fill in the credentials, AD User name: administrator, Password: Test123 (AD Server administrator password)
✓ Click OK, Status must be Completed (green)
✓ Click Tab Groups/Select Groups From Directory
✓ Click Retrieve Groups
✓ Select Domain Computers and Domain Users, click OK
✓ To complete the configuration, click Save at the bottom of the screen

VIII. Lab Switch AAA configuration
Objective: Configure lab switch AAA and ISE RADIUS
✓ Open the SW switch console and configure the following:

    aaa new-model
    dot1x system-auth-control
    !
    radius server ISE
     address ipv4 10.1.1.200 auth-port 1812 acct-port 1813
     key eve1
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server timeout 2
    !
    aaa group server radius ISE-GROUP
     server name ISE
     ip radius source-interface Vlan10
    !
    aaa authentication dot1x default group ISE-GROUP
    aaa authorization network default group ISE-GROUP
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group ISE-GROUP
    !
    aaa server radius dynamic-author
     client 10.1.1.200 server-key eve1
    !
    snmp-server community eve1 RO
    snmp-server enable traps snmp linkdown linkup

IX. Lab switch joining to the ISE
Objective: Create Device Type Group
✓ Navigate to ISE Management
✓ Click Tab Administration/Network Resources/Network Devices
✓ Click the tab "Network Device Groups"
✓ Click "+ Add"
✓ Name: LAN Switches
✓ Parent Group: All Device Types
✓ Click Save

Objective: Create Location Group
✓ Click "+ Add"
✓ Name: My LAN
✓ Parent Group: All Locations
✓ Click Save

Objective: Join SW switch to the ISE RADIUS
✓ Click the tab "Network Devices"
✓ Click "+ Add"
✓ Name: SW
✓ Description: LAB SW
✓ IP Address: 10.1.1.253
✓ Model Name: IOL
✓ Version: 15.2
✓ Location: My LAN
✓ Device Type: LAN Switches
✓ Select RADIUS checkbox
✓ Shared Secret: eve1 (this must match the "key eve1" and "server-key eve1" configured on the switch in section VIII; with a mismatch every RADIUS request from the switch fails)
✓ Enable SNMP Settings
✓ SNMP Version: 2c
✓ SNMP RO Community: eve1
✓ Click Submit

X. Create authorization Profiles and DACLs
Objective: Create three DACLs
✓ Navigate to ISE Management
✓ Click Tab Policy/Policy Elements/Results
✓ Navigate to Authorization/Downloadable ACLs
✓ Click "+ Add"
✓ Name: EVE_DHCP_ACL
✓ IP Version: IPv4
✓ Add ACL line:
    permit udp any eq 68 any eq 67
✓ Check DACL Syntax, must be Valid
✓ Click Save.
✓ Click "+ Add"
✓ Name: PERMIT_AD_ONLY
✓ IP Version: IPv4
✓ Add ACL lines:
    permit udp any eq 68 any eq 67
    permit udp any any eq 53
    permit ip any host 10.1.1.201
✓ Check DACL Syntax, must be Valid
✓ Click Save.
✓ Click "+ Add"
✓ Name: WIRED_PERMIT_ALL
✓ IP Version: IPv4
✓ Add ACL line:
    permit ip any any
✓ Check DACL Syntax, must be Valid
✓ Click Save.

Objective: Create three Authorization Profiles
✓ Navigate to Authorization/Authorization Profiles
✓ Click "+ Add"
✓ Name: MAB_DHCP_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: EVE_DHCP_ACL
✓ Click "+ Add"
✓ Name: WIRED_AD_ONLY_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: PERMIT_AD_ONLY
✓ Click "+ Add"
✓ Name: WIRED_PERMIT_ALL_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: WIRED_PERMIT_ALL

XI. Create Source Identity sequence
Objective: Create Source identity sequence
✓ Navigate to ISE Management
✓ Click Tab Administration/Identity Management/Groups
✓ Click Tab: Identity Source Sequences
✓ Click "+ Add"
✓ Name: EVE_Sequence
✓ Select Identity sources: ad.eve.lab and Internal Endpoints
✓ Click: Save

XII. Create Policy Set
Objective: Create mab and dot1x Policy
✓ Navigate to ISE Management
✓ Click Tab Policy/Policy Sets
✓ Click "+ Add"
✓ Name: EVE-POLICY
✓ Click "+" for New conditions
✓ In Conditions Studio, "Click to add an attribute"
✓ In Editor, click Tab Location
✓ Select Attribute DEVICE:Location
✓ Select Equals from list: All Locations/My LAN
✓ Click New to add another attribute
✓ In Editor, click Tab Network Device
✓ Select Attribute DEVICE:Device Type
✓ Select Equals from list: All Device Types/LAN Switches
✓ Click New to add another attribute
✓ In Editor, click Tab Port
✓ Under Dictionary select: Radius
✓ Select Radius/NAS-Port-Type
✓ Select Equals: Ethernet
✓ Click Use
✓ Select Default Network Access for Allowed Protocols

Objective: Authentication Policy
✓ Click to View Policy ">"
✓ Expand Authentication Policy
✓ For the Default rule select Use: EVE_Sequence

Objective: Create Corporate PC Authorization Policy
✓ Navigate to Authorization Policy
✓ Expand Authorization Policy
✓ Click "+" to add a New rule
✓ Name: AD_PC_RULE
✓ Click "+" for a new Condition
✓ Select Tab: Identity Group
✓ Select: ad.eve.lab/ExternalGroups
✓ Select Equals: eve.lab/Users/Domain Computers
✓ Click: Use
✓ Select Profiles: WIRED_AD_ONLY_PROFILE
✓ Select Security Group: Employees

Objective: Create Corporate User Authorization Policy
✓ Navigate to AD_PC_RULE/Actions/Insert new rule below
✓ Name: AD_USER_ACCESS
✓ Click "+" to add New conditions
✓ Select Tab: Identity Group
✓ Attribute: ad.eve.lab/ExternalGroups
✓ Equals: eve.lab/Users/Domain Users
✓ Click Use
✓ Click New for another condition in this rule
✓ Select Tab: Unclassified
✓ Select Dictionary: Network Access
✓ Select Attribute: WasMachineAuthenticated
✓ Equals: True
✓ Click Use
✓ Select Profiles: WIRED_PERMIT_ALL_PROFILE
✓ Select Security Group: Employees
Note: the WasMachineAuthenticated condition is only true when the PC itself already passed machine authentication (AD_PC_RULE), so a domain user logging in from a PC that is not domain-joined does not match this rule and does not receive WIRED_PERMIT_ALL_PROFILE.

Objective: MAB Authorization Policy (EVE PRO Lab with Android)
✓ Navigate to AD_USER_ACCESS/Actions/Insert new rule below
✓ Name: MAB_RULE
✓ Click "+" to add New conditions
✓ Select Tab: Identity Group
✓ Attribute: Name
✓ Equals: Endpoint Identity Groups: Profiled: Android
✓ Click: New to add another condition
✓ Select Tab: Unclassified
✓ Select Condition: Normalized Radius/RadiusFlowType
✓ Equals: WiredMAB
✓ Click Use
✓ Select Profiles: MAB_DHCP_PROFILE
✓ Select Security Group: BYOD

Objective: Save Authorization Policy
✓ Click SAVE below

XIII. Lab Switch Ports configuration DOT1x and MAB
Objective: Configure lab switch ports
✓ Open the SW switch console and configure the following:

    interface Ethernet1/0
     description win10 node
     switchport access vlan 20
     switchport mode access
     authentication host-mode multi-auth
     authentication port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast edge
     spanning-tree bpdufilter enable
     spanning-tree bpduguard enable
    !
    interface Ethernet1/1
     description win7 node
     switchport access vlan 20
     switchport mode access
     authentication host-mode multi-auth
     authentication port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast edge
     spanning-tree bpdufilter enable
     spanning-tree bpduguard enable
    !
    interface Ethernet1/2
     description Tablet EVE Pro lab with Android
     switchport access vlan 30
     switchport mode access
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast edge
     spanning-tree bpdufilter enable
     spanning-tree bpduguard enable

Note: "authentication open" on Ethernet1/2 lets the port forward traffic before authentication completes, so the tablet can obtain an address even while its MAB attempt is still being rejected (section XVI). The Windows ports do not have it and stay closed until the supplicant authenticates.

XIV. Windows 10 Dot1x Authentication
Objective: Configure Windows 10 PC for Dot1x authentication
✓ Open Windows 10
✓ Navigate to Windows Control Panel, Administrative Tools/Services
✓ Make sure your Windows has the Wired AutoConfig service enabled and running
✓ If it is not running, then log off Windows and log in as Administrator. Login: eve\administrator, Password: Test123
  Note: this is the domain administrator user which we set previously on Windows Server 2019
✓ Navigate to Start/Settings/Network & Internet
✓ Navigate to Advanced Network Settings/Change Adapter Settings
✓ Right-click on the ethernet adapter and choose Properties.
  Note: On Windows 10 it will ask for Administrator rights; log in to the PC as administrator. Username: eve\administrator, Password: Test123
✓ Select Tab Authentication
✓ Check Enable IEEE 802.1X authentication
✓ Click Choose a network authentication method: Settings
✓ Unselect Verify the server's identity by validating the certificate
  Note: this is a lab shortcut; without server validation the supplicant will send the PC's and user's credentials to any RADIUS server that answers, so in production keep validation enabled and trust the CA that issued the ISE certificate.
✓ Click on Select Authentication Method: Configure
✓ Check: When connecting, automatically use my Windows logon name and password (and domain if any)
✓ Click OK 2 times
✓ Click Additional Settings
✓ Check Specify authentication mode
✓ Choose User or computer authentication
✓ Click OK 2 times
✓ Reboot Windows 10

Objective: Windows 10 Verification
Note: after rebooting the Windows 10 machine, do not log into it, but check the results on the switch:
✓ Issue command show access-lists. You must notice that DACL PERMIT_AD_ONLY is in use. This means your Windows 10 received an IP address and can communicate with the AD server.

    SW#sh access-lists
    Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-user)
        1 permit udp any eq bootpc any eq bootps
        2 permit udp any any eq domain
        3 permit ip any host 10.1.1.201
    SW#

✓ Navigate to ISE management/Operations/Live Logs
✓ You must see that John-PC is authenticated and has been assigned only WIRED_AD_ONLY_PROFILE
✓ Now log in to Windows 10 John-PC as user: johndoe, password: Gold2021
✓ Navigate to the switch and issue show access-lists again. Now you will see that the ACL has changed to permit all.

    SW#sh access-lists
    Extended IP access list xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43 (per-user)
        1 permit ip any any
    SW#

✓ Navigate to ISE management/Operations/Live Logs again
✓ Now you will see that user John Doe is authenticated and assigned WIRED_PERMIT_ALL_PROFILE

XV. Windows 7 Dot1x Authentication
Objective: Configure Windows 7 PC for Dot1x authentication
✓ Reboot Windows 7 and log in as: eve\administrator, password: Test123
✓ Open Windows 7
✓ Navigate to Windows Control Panel, Administrative Tools/Services
✓ Make sure your Windows has the Wired AutoConfig service enabled and running
✓ Navigate to Control Panel/Network and Internet/Network and Sharing Center
✓ Navigate to Change Adapter Settings
✓ Right-click on the ethernet adapter and choose Properties.
✓ Select Tab Authentication
✓ Check Enable IEEE 802.1X authentication
✓ Click Choose a network authentication method: Settings
✓ Unselect Verify the server's identity by validating the certificate
✓ Click on Select Authentication Method: Configure
✓ Check: When connecting, automatically use my Windows logon name and password (and domain if any)
✓ Click OK 2 times
✓ Click Additional Settings
✓ Check Specify authentication mode
✓ Choose User or computer authentication
✓ Click OK 2 times
✓ Reboot Windows 7

Objective: Windows 7 Verification
Note: after rebooting the Windows 7 machine, do not log into it, but check the results on the switch:
✓ Issue command show access-lists. You must notice that DACL PERMIT_AD_ONLY is in use. This means your Windows 7 received an IP address and can communicate with the AD server.

    SW#sh access-lists
    Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-user)
        1 permit udp any eq bootpc any eq bootps
        2 permit udp any any eq domain
        3 permit ip any host 10.1.1.201
    SW#

✓ Navigate to ISE management/Operations/Live Logs
✓ You must see that Jenny-PC is authenticated and has been assigned only WIRED_AD_ONLY_PROFILE
✓ Now log in to Windows 7 Jenny-PC as user: jennydoe, password: Silver2021
✓ Navigate to the switch and issue show access-lists again. Now you will see that the ACL has changed to permit all.

    SW#sh access-lists
    Extended IP access list xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43 (per-user)
        1 permit ip any any
    SW#

✓ Navigate to ISE management/Operations/Live Logs again
✓ Now you will see that user Jenny Doe is authenticated and assigned WIRED_PERMIT_ALL_PROFILE

XVI. Android Tablet Authentication
Objective: Configure Android Device MAB authentication (EVE PRO Lab with Android)
✓ Boot the Android device
✓ Navigate to ISE management/Operations/Live Logs. You will notice that the authentication has failed
✓ Navigate to ISE management/Context Visibility/Endpoints
✓ Select the rejected Android device, and click Edit
✓ Description: Android
✓ Static assignment: Android
✓ Static group assignment: Android
✓ Click Save
✓ Issue command show access-lists
✓ You must notice that EVE_DHCP_ACL is in use. This means your Android has received an IP address and has network access.

    SW#sh access-lists
    Extended IP access list xACSACLx-IP-EVE_DHCP_ACL-5fe79837 (per-user)
        1 permit udp any eq bootpc any eq bootps
    SW#

✓ Navigate to ISE management/Operations/Live Logs again
✓ Now you will see that the Android device is authenticated and assigned to MAB_DHCP_PROFILE

XVII. Final verification
Objective: Check authentication sessions for mab and dot1x
✓ Issue command show authentication sessions
✓ You must notice that the Windows nodes are authenticated by dot1x and the Android device by mab

    SW#sh authentication sessions
    Interface  Identifier      Method  Domain  Status Fg  Session ID
    Et1/2      500a.0008.0000  mab     DATA    Auth       0A0101FD0000001000292FE5
    Et1/0      500a.0005.0000  dot1x   DATA    Auth       0A0101FD000000110034F2B6
    Et1/1      500a.0007.0000  dot1x   DATA    Auth       0A0101FD0000001200354CBE

    Session count = 3
    SW#

✓ Navigate to ISE management/Operations/Live Logs again
✓ Navigate to ISE management/Context Visibility/Endpoints
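The three DACLs from section X form a tiered authorization (DHCP only for the MAB tablet, DHCP/DNS/AD for a machine-authenticated PC, everything for a user on an authenticated PC), and sections XIV to XVI verify them by reading `show access-lists`. The script below is an added example, not part of this lab guide or of Cisco ISE: it parses the per-user ACL exactly as the lab switch prints it and evaluates sample flows against it the way IOS does (first matching entry decides, implicit deny at the end), so you can confirm what a machine-authenticated PC can and cannot reach before a user logs in. The client address 10.1.2.10 and the Internet addresses in the sample flows are assumed values.

```python
"""Parse a per-user DACL from `show access-lists` and evaluate flows against it.

Added example for the lab guide; only the ACE syntax used by the three lab
DACLs is supported: permit/deny, ip/udp/tcp, any or host <addr>, and an
optional `eq <port>` after the source and after the destination.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# IOS prints well-known UDP ports by name in the expanded ACL; map them back.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}

ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(ip|udp|tcp)\s+"
    r"(any|host\s+\S+)(?:\s+eq\s+(\S+))?\s+"
    r"(any|host\s+\S+)(?:\s+eq\s+(\S+))?\s*$"
)

@dataclass
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "udp" or "tcp"
    src: str                 # "any" or a host address
    src_port: Optional[int]  # None when the ACE has no "eq" on that side
    dst: str
    dst_port: Optional[int]

def _port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_dacl(text: str) -> List[AclEntry]:
    """Return the ACEs found in ISE DACL text or in `show access-lists` output."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # skips the "Extended IP access list ..." header and prompts
        action, proto, src, sp, dst, dp = m.groups()
        entries.append(AclEntry(action, proto, src.split()[-1], _port(sp),
                                dst.split()[-1], _port(dp)))
    return entries

def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr

def permitted(acl: List[AclEntry], proto: str, src: str, sport: int,
              dst: str, dport: int) -> bool:
    """First matching ACE decides; no match means the implicit deny applies."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_match(e.src, src) and _addr_match(e.dst, dst)):
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action == "permit"
    return False

# Constructed sample: the switch output shown in the Windows 10 verification step.
SHOW_ACCESS_LISTS = """SW#sh access-lists
Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-user)
    1 permit udp any eq bootpc any eq bootps
    2 permit udp any any eq domain
    3 permit ip any host 10.1.1.201
SW#"""

def ad_only_checks(text: str = SHOW_ACCESS_LISTS) -> dict:
    """What a machine-authenticated PC (assumed address 10.1.2.10) may do
    before a user logs in: DHCP, DNS and the AD server, nothing else."""
    acl = parse_dacl(text)
    return {
        "dhcp": permitted(acl, "udp", "0.0.0.0", 68, "255.255.255.255", 67),
        "dns": permitted(acl, "udp", "10.1.2.10", 50000, "8.8.8.8", 53),
        "ad_ldap": permitted(acl, "tcp", "10.1.2.10", 50001, "10.1.1.201", 389),
        "internet": permitted(acl, "tcp", "10.1.2.10", 50002, "1.1.1.1", 443),
    }
```

The same parse_dacl/permitted pair accepts the EVE_DHCP_ACL and WIRED_PERMIT_ALL outputs from sections XIV to XVI, or the raw ACL lines typed into ISE in section X, so each tier can be checked before the lab is wired up.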
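For the final verification in section XVII, the following added example (not part of the lab guide) parses the `show authentication sessions` table and compares each port's method and status with what the section XIII port configuration expects. A Windows port that reports mab instead of dot1x means the supplicant did not answer and the switch fell back to MAC Authentication Bypass, which is the weaker method and worth flagging. The handling of the Fg column is an assumption, since the lab output leaves it empty.

```python
"""Audit `show authentication sessions` against the expected method per port.

Added example for the lab guide's final verification step: the Windows ports
should show dot1x and only the tablet port (Ethernet1/2, which also carries
`authentication open`) should show mab.
"""
import re
from typing import Dict, List, Optional

# Expected method per port, taken from the section XIII port configuration.
EXPECTED = {"Et1/0": "dot1x", "Et1/1": "dot1x", "Et1/2": "mab"}

# One table row. The Fg (flag) column is empty in the lab output, so it is
# optional here (assumed to be a single letter when present).
ROW_RE = re.compile(
    r"^(?P<iface>Et\d+/\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<fg>[A-Za-z])\s+)?(?P<sid>[0-9A-F]{24})\s*$"
)

# Constructed sample: the output shown in the guide's final verification step.
SHOW_AUTH_SESSIONS = """SW#sh authentication sessions
Interface  Identifier      Method  Domain  Status Fg  Session ID
Et1/2      500a.0008.0000  mab     DATA    Auth       0A0101FD0000001000292FE5
Et1/0      500a.0005.0000  dot1x   DATA    Auth       0A0101FD000000110034F2B6
Et1/1      500a.0007.0000  dot1x   DATA    Auth       0A0101FD0000001200354CBE

Session count = 3
SW#"""

def parse_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session row; the header, blank lines and prompts are skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]

def session_count(text: str) -> Optional[int]:
    m = re.search(r"Session count = (\d+)", text)
    return int(m.group(1)) if m else None

def audit(text: str, expected: Dict[str, str] = EXPECTED) -> List[str]:
    """Return one finding per deviation; an empty list means the lab state matches."""
    findings = []
    rows = parse_sessions(text)
    seen = {r["iface"]: r for r in rows}
    count = session_count(text)
    if count is not None and count != len(rows):
        findings.append(f"switch reports {count} sessions but {len(rows)} rows parsed")
    for iface, method in expected.items():
        row = seen.get(iface)
        if row is None:
            findings.append(f"{iface}: no session (link down or authentication failed)")
        elif row["status"] != "Auth":
            findings.append(f"{iface}: status {row['status']}, expected Auth")
        elif row["method"] != method:
            findings.append(f"{iface}: authenticated by {row['method']}, expected {method}")
    for iface in seen:
        if iface not in expected:
            findings.append(f"{iface}: session on a port not covered by the lab")
    return findings
```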