Cisco TrustSec – ISE (Part 6)
802.1X(AD)
9. 802.1X(AD)
802.1X Authentication Process
By default:
When a client connects to a switch port, the switch sends an EAP-Request (Identity) 802.1X frame to the client;
When a client connects and does not receive any EAP-Request frame, the client sends an EAPoL-Start frame to the switch;
When a client connects and no EAPoL-Start exchange takes place, the client treats the port as already authorized.
Beginning: after a PC connects to the switch and sends an EAPoL-Start request, the switch replies to the PC and forwards the request to ISE.
Middle: the switch tells ISE that there is an 802.1X authentication request (IETF:NAS-Port-Type=Ethernet, IETF:Service-Type=Framed). ISE receives the credentials and sets up an EAP session that carries the username and password; ISE determines which group the user belongs to and, according to that group's permissions (VLAN, dACL, etc.), sends the authorization result to the switch.
End: traffic passes.
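The "Middle" step above hinges on two RADIUS attributes the switch places in its Access-Request: NAS-Port-Type=Ethernet and Service-Type=Framed. The following Python example, added here and not part of the original post, encodes and decodes those attributes in RFC 2865 Type/Length/Value form and classifies a request the way an authorization policy would. The numeric codes (Service-Type 6, NAS-Port-Type 61, Framed 2, Ethernet 15) come from RFC 2865; the Call-Check value (10) used to recognise MAB is Cisco's documented MAB behaviour and is not stated on this page, and the user name is a constructed sample.

```python
"""Encode, decode and classify the RADIUS attributes a switch sends to ISE
for a wired 802.1X request (NAS-Port-Type=Ethernet, Service-Type=Framed).
Added example; not the page's own code."""
import struct

# RFC 2865 attribute type codes
USER_NAME = 1
SERVICE_TYPE = 6
NAS_PORT_TYPE = 61

# RFC 2865 enumerated values
FRAMED = 2          # Service-Type = Framed  -> 802.1X
CALL_CHECK = 10     # Service-Type = Call-Check -> MAB (Cisco convention; assumption, not on the page)
ETHERNET = 15       # NAS-Port-Type = Ethernet (wired port)

# attributes whose value is a 32-bit big-endian integer
INTEGER_ATTRS = {SERVICE_TYPE, NAS_PORT_TYPE}


def encode_int_attr(attr_type: int, value: int) -> bytes:
    """Type(1) Length(1) Value(4) for an integer attribute; length is always 6."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_str_attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value(n) for a string attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def decode_attrs(payload: bytes) -> dict:
    """Walk the attribute list; reject truncated or malformed lengths."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        value = payload[i + 2:i + length]
        if attr_type in INTEGER_ATTRS:
            if length != 6:
                raise ValueError(f"integer attribute {attr_type} must be 6 bytes")
            attrs[attr_type] = struct.unpack("!I", value)[0]
        else:
            attrs[attr_type] = value
        i += length
    return attrs


def classify_request(attrs: dict) -> str:
    """Map the attribute pair to the access method the switch signalled."""
    if attrs.get(NAS_PORT_TYPE) != ETHERNET:
        return "not-wired"
    service = attrs.get(SERVICE_TYPE)
    if service == FRAMED:
        return "dot1x"
    if service == CALL_CHECK:
        return "mab"
    return "unknown"


# Constructed sample: what a switch port running 802.1X would send for user "employee1"
DOT1X_REQUEST = (
    encode_str_attr(USER_NAME, b"employee1")
    + encode_int_attr(NAS_PORT_TYPE, ETHERNET)
    + encode_int_attr(SERVICE_TYPE, FRAMED)
)

if __name__ == "__main__":
    decoded = decode_attrs(DOT1X_REQUEST)
    print(decoded)
    print("classified as:", classify_request(decoded))   # dot1x
```

The same pair of attributes is what lets an ISE authentication policy select the 802.1X rule (Wired_802.1X) rather than the MAB rule (Wired_MAB), so a request arriving with the wrong Service-Type is the first thing to check when a PEAP or EAP-TLS session unexpectedly lands in a MAB policy.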
802.1X Authentication flow chart
Configure PEAP Dot1X
9.3.1 Configure Gi1/0/2 for Win7-1
interface GigabitEthernet1/0/2
 description Win7-1
 switchport access vlan 2
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
9.3.2 On Win7-1, start 802.1X service
9.3.3 Configure PEAP 802.1X
9.3.3.1 Add PEAP authentication protocol
new PEAP authentication;
9.3.3.2 Create PEAP Authentication policy
AD database
9.3.3.2.1 Check Win7-1 Authentication status
But no Authorization
9.3.3.3 Add PEAP Authorization
Add Authorization profile
9.3.3.4 Create PEAP Authorization policy
9.3.3.4.1 Check Win7-1 Authentication and Authorization
9.3.3.5 Policy tuning
Configure EAP-TLS Dot1X
9.4.1 Win7-1 enable EAP-TLS
9.4.2 Add EAP-TLS
9.4.3 CA Profile
9.4.4 EAP-TLS policy
9.4.5 EAP-TLS Authorization
ISEWin7New join Domain
EAP-FAST Tunnel PAC
EAP-FAST Machine PAC
Anyconnect Profile Editor
Anyconnect 3.X
9.5.7 ISE Authorization
9.5.8 ISE Authorization
9.5.9 ISEWin7New Gi1/0/3
interface GigabitEthernet1/0/3
 description ISEWin7New
 switchport access vlan 2
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
end
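The Gi1/0/3 stanza is the full port template this series uses: MAB then dot1x, dot1x preferred, multi-auth, and "authentication open" (monitor mode) with ACL-DEFAULT as the only real traffic limiter before authorization. Once that template is applied to many ports it is worth checking mechanically that no port has drifted from it. The following Python audit, added here and not part of the original post, parses a running-config excerpt into interface stanzas and reports which of the section's commands each port is missing. The sample configuration is constructed for the example: Gi1/0/3 is the port from this section, and Gi1/0/4 is a hypothetical port that lacks "authentication open" and "mab".

```python
"""Audit access-port 802.1X/MAB configuration against the template used in
this section. Added example; not the page's own code."""
import re

# Commands the section's port template carries (in the order they appear)
REQUIRED = [
    "switchport mode access",
    "ip access-group ACL-DEFAULT in",
    "authentication event fail action next-method",
    "authentication event server dead action authorize vlan 10",
    "authentication event server alive action reinitialize",
    "authentication host-mode multi-auth",
    "authentication open",
    "authentication order mab dot1x",
    "authentication priority dot1x mab",
    "authentication port-control auto",
    "authentication violation restrict",
    "mab",
    "dot1x pae authenticator",
]


def parse_interfaces(config: str) -> dict:
    """Group configuration lines under the 'interface <name>' that owns them."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue                      # blank lines and IOS stanza separators
        match = re.match(r"interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line == "end":
            current = None                # 'end' closes the running-config excerpt
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit(config: str) -> dict:
    """Return {interface: [missing template commands]} for every interface found."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        present = set(lines)
        report[name] = [cmd for cmd in REQUIRED if cmd not in present]
    return report


def is_compliant(config: str) -> bool:
    """True only if every interface in the excerpt carries the whole template."""
    return all(not missing for missing in audit(config).values())


# Constructed sample: Gi1/0/3 as shown in this section, Gi1/0/4 hypothetical and incomplete
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/3
 description ISEWin7New
 switchport access vlan 2
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description hypothetical-port
 switchport access vlan 2
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 spanning-tree portfast
end
"""

if __name__ == "__main__":
    for port, missing in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not missing else "missing: " + ", ".join(missing))
```

Two of the template's commands deserve a deliberate decision rather than a copy: "authentication open" lets traffic flow before any authentication result (only ACL-DEFAULT restricts it), and "authentication event server dead action authorize vlan 10" places the port in VLAN 10 whenever ISE is unreachable. Both are fail-open behaviours appropriate for the monitor-mode rollout this series describes, so an audit like this one should be run again when the ports are moved to closed mode.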