Wednesday, 22 April 2015

Cisco TrustSec – ISE (Part 6) - 802.1X(AD)

Cisco TrustSec – ISE (Part 6)

             802.1X(AD)

9.  802.1X(AD)



802.1X Authentication Process





By default:

When a client accesses to switch, switch sends EAP-Request 802.1x to the client;

When a client accesses to switch and if the Client doesn’t receive any EAP-request 帧frames,the client sends  EAPoL Start  frame to the switch;
When a client acceses,and doesn’t get EAPoL Start frames,client considers this port as authorization status;



Beginning:after a PC  accesses to switch and sends EAPoL Start request,switch replys to  PC and forward request to ISE.

Middle : switch tells ISE that there is a802.1X authentication request (IETF:NAS-Port- Type=Ethernet,IETF:Service-Type=Framed); ISE starts receiving password,and start setting up a EAP connection,in which contains username and password;ISE determines the group that the user belongs,according to permissions (Vlan DACL etc;),and then sends permission to switch;

End:traffic passes

802.1X  Authtication flow chart



Configure PEAP Dot1X



9.3.1    Configur Gi1/0/2 on Win7-1


interface GigabitEthernet1/0/2 description Win7-1 switchport access vlan 2 switchport mode access
ip access-group ACL-DEFAULT in authentication event fail action next-method
authentication event server dead action authorize vlan 10

9.3.2    On Win7-1, start 802.1X service




9.3.3    Configure PEAP 802.1X



9.3.3.1 Add PEAP authentication protocol





new PEAP authentication;

9.3.3.2 Create PEAP Authentication policy




AD database
9.3.3.2.1    Check Win7-1 Authentication status




But no Authorization

9.3.3.3 Add PEAP Authorization


Add Authorization profile


9.3.3.4 Create PEAP Authorization policy












9.3.3.4.1    Check Win7-1 Authentication and Authorization






9.3.3.5 policy turning







Configure EAP-TLS Dot1X



9.4.1    Win7-1 enable EAP-TLS







9.4.2 Add EAP-TLS






9.4.3    CA Profile





9.4.4    EAP-TLS  policy




9.4.5    EAP-TLS Authorization






      1. ISEWin7New join Domain




      1. EAP-FAST Tunnel PAC




      1. EAP-FAST Machine PAC








      1. Anyconnect Profile Editor













      1. Anyconnect 3.X






9.5.7    ISE Authorization






9.5.8    ISE Authorization




9.5.9    ISEWin7New Gi1/0/3


interface GigabitEthernet1/0/3 description ISEWin7New switchport access vlan 2 switchport mode access
ip access-group ACL-DEFAULT in authentication event fail action next-method
authentication event server dead action authorize vlan 10 authentication event server alive action reinitialize authentication host-mode multi-auth
authentication open authentication order mab dot1x authentication priority dot1x mab authentication port-control auto authentication violation restrict mab
dot1x pae authenticator spanning-tree portfast end











authentication event server alive action reinitialize authentication host-mode multi-auth authentication open
authentication order mab dot1x authentication priority dot1x mab authentication port-control auto authentication violation restrict mab
dot1x pae authenticator spanning-tree portfast end

No comments:

Post a Comment