Switch Configuration for ISE dot1x

In this blog post, I'm going to set up my 3650 switch with basic Layer 2, Layer 3 and dot1x configurations. I'll walk through some of the basic configurations and explain why I'm configuring it as I am.

I'm starting with a completely unconfigured switch, so the first step is a hostname, a local user, a domain name (needed to generate the SSH host key) and SSH-only access on the VTY lines:

conf t
username admin privilege 15 password networknode
enable password networknode

ip domain-name securitydemo.net
ip domain-lookup
ip name-server 10.1.100.40
hostname Sw1
crypto key gen rsa
1024

ip ssh version 2
ip ssh authentication-retries 2

line vty 0 15
transport input ssh
login local

Two things a production build would change here. First, "password" (in both the username line and "enable password") stores the credential reversibly in the config, whereas "username ... secret" and "enable secret" store a hash. Second, a 1024-bit RSA host key is below the 2048 bits current guidance calls for. Also make sure the "line vty" range covers all sixteen lines, 0 through 15: configuring only 5 through 15 would leave telnet reachable on the first five.
Next, I'll configure Layer 3. On every SVI I also add an ip helper-address pointing at the ISE server (10.1.100.21), so the switch relays the DHCP requests it sees to ISE and the ISE DHCP probe can use them for profiling (ISE only listens; it never answers a DHCP request):

ip routing

vlan 10
name MGMT
vlan 50
name USER_VLAN
vlan 70
name GUEST_VLAN
vlan 100
name SERVER_VLAN


interface vlan 10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 50
ip address 10.1.50.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 70
ip address 10.1.70.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 100
ip address 10.1.100.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

ip route 0.0.0.0 0.0.0.0 10.1.10.99 <- This is the inside interface of my ASA 5506

ip ftp source-interface vlan100
ip tftp source-interface vlan100

 

For the ports directly connected to my server and ASA, I'll start with a base configuration and no restrictions. In a production environment you usually have policies already set up and can restrict these with dot1x and profiling, but in my lab I don't have any policies yet, so these servers and the ASA need to keep their access. Note that these are trunks with a native VLAN: anything plugged into g1/0/1-6 lands in the MGMT VLAN unauthenticated, so keep them for infrastructure only:

interface range g1/0/1-6
switchport
switchport mode trunk
switchport trunk native vlan 10
spanning-tree portfast trunk
no shut

The next thing I configure is DHCP. In a production environment DHCP is usually centralized on a server, and I could easily do that in my lab as well: I would only need to add a second ip helper-address on each SVI pointing at that server (the ISE helper stays, since ISE only listens). For the sake of simplicity, I'll configure it locally on the switch:

ip dhcp excluded-address 10.1.10.1 10.1.10.100
ip dhcp excluded-address 10.1.50.1 10.1.50.100
ip dhcp excluded-address 10.1.70.1 10.1.70.100
ip dhcp excluded-address 10.1.100.1 10.1.100.100


ip dhcp pool VLAN10
network 10.1.10.0 255.255.255.0
dns-server 10.1.100.40 <- My AD server
default-router 10.1.10.1

ip dhcp pool VLAN50
network 10.1.50.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.50.1

ip dhcp pool VLAN70
network 10.1.70.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.70.1


ip dhcp pool VLAN100
network 10.1.100.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.100.1

 

Next come the AAA commands. These define ISE as the switch's RADIUS server, point network authentication, authorization and accounting at it, and turn on the RADIUS attributes ISE expects to see. Note: ISE listens on UDP 1812 for authentication and 1813 for accounting. The legacy "radius-server host" syntax on older IOS defaulted to 1645 and 1646, which is why the ports are spelled out explicitly below:

aaa new-model

radius server ise
address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
key networknode <- This is the shared secret we configured on ISE when we added this switch as a NAD; it has to match exactly

radius-server dead-criteria tries 3 <- Mark the server dead after 3 consecutive unanswered requests
radius-server deadtime 30 <- Once dead, skip the server for 30 minutes before trying it again; the per-port "authentication event server dead" actions further down are what happen during that window

aaa group server radius ise-group
server name ise <- The server we defined a few lines back. If you have multiple ISE policy nodes, add them all to this group

aaa authentication login console local <- Named method list "console": keep console login local for now
aaa authentication login vty local <- Named method list "vty": keep VTY login local for now
aaa authentication enable default enable
aaa authorization exec default local <- Keep EXEC authorization local for now
aaa authentication dot1x default group ise-group <- Use our RADIUS group for 802.1X authentication
aaa authorization exec vty local <- Named list "vty": keep EXEC authorization on the VTY lines local for now
aaa authorization network default group ise-group <- Use our RADIUS group for network authorization; this is the list that carries the dACL and VLAN assignments ISE returns
aaa authorization auth-proxy default group ise-group <- Authorization for auth-proxy (local Web-Auth) sessions
aaa accounting dot1x default start-stop group ise-group <- Send 802.1X and MAB session accounting to ISE
aaa accounting auth-proxy default start-stop group ise-group <- Accounting for auth-proxy (Web-Auth) sessions

A note on the named lists: once aaa new-model is on, the "login local" we put under the VTY lines earlier no longer does anything, because lines are governed by AAA method lists instead. The "console" and "vty" lists above only take effect when they are bound to the lines, with "login authentication console" under line con 0 and "login authentication vty" plus "authorization exec vty" under line vty 0 15. Lines without a bound list use the default list, and with no "aaa authentication login default" configured, IOS falls back to local authentication, which is why you are not locked out in the meantime.
 

aaa session-id common
aaa accounting update periodic 5 <- Updates the accounting information periodically every 5 minutes

aaa server radius dynamic-author <- Lets the switch accept RADIUS Change of Authorization (CoA) and Disconnect requests from ISE (RFC 5176), so ISE can reauthenticate or terminate a session after a posture or profiling change. IOS listens for these on UDP 1700 by default
client 10.1.100.21 server-key networknode <- Only this ISE node may send CoA, and it must use the same secret we set up in ISE
server-key networknode <- You may not need to do this with your version of IOS but I noticed that in XE 3.07.01E, I had to add this extra separate line with the server key

radius-server vsa send accounting <- Include Cisco vendor-specific attributes in accounting records
radius-server vsa send authentication <- Include Cisco vendor-specific attributes in authentication requests
Note: To see a list of vendor-specific attributes, check out this list here
radius-server attribute 6 on-for-login-auth <- Send the Service-Type attribute in login authentication requests so ISE can tell what kind of request it is handling
radius-server attribute 6 support-multiple <- Allow multiple Service-Type values per RADIUS profile
radius-server attribute 8 include-in-access-req <- Send the endpoint's IP address (Framed-IP-Address) in the Access-Request
radius-server attribute 25 access-request include <- Echo the Class attribute ISE returned on the last Access-Accept in later Access-Requests (reauthentications), so ISE can tie them to the same session
radius-server attribute 31 mac format ietf upper-case <- Put the MAC address in Calling-Station-Id as AA-BB-CC-DD-EE-FF. I recommend using IETF on this one. Whatever you pick, it has to match the format your ISE endpoint identities and policy conditions expect
radius-server attribute 31 send nas-port-detail <- Include the full NAS port detail in the Calling-Station-Id

ip radius source-interface vlan 100 <- All RADIUS traffic is sourced from the VLAN 100 SVI, so 10.1.100.1 is the NAD address you register in ISE

captive-portal-bypass <- This might only be necessary if you are using your 3650 as a wireless controller as well. I'll explain this command a bit more in the WLC configuration post.
dot1x system-auth-control <- Globally enables 802.1X (port-based authentication); without it none of the per-port dot1x commands take effect
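To make concrete what "aaa server radius dynamic-author" and its server-key actually protect, here is an added example (my code, not from the post or from Cisco) that models the RFC 5176 Disconnect-Request/ACK exchange between ISE and the switch in Python. The request identifier, the Calling-Station-Id value and the tampering case are constructed; the authenticator math is the RFC's keyed MD5, the optional Message-Authenticator attribute the RFC also defines is left out, and nothing is sent on the wire.

```python
"""Model of the RADIUS dynamic-authorization exchange (RFC 5176) that
'aaa server radius dynamic-author' turns on: ISE sends a Disconnect-Request
(code 40) or CoA-Request (code 43) to the switch, and the switch only acts on
it if the Request Authenticator checks out under the configured server-key.
Added example, not from the original post; the identifier, attribute values
and the tampering scenario are constructed."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID = 31        # the switch matches the session on this (MAC, ietf upper-case)

SECRET = b"networknode"        # the server-key from the post: a lab value, far too weak for production


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS AVPs: type(1) length(1) value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or undersized AVPs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(code, ident, attrs, secret):
    """ISE side. Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """Switch side: recompute the authenticator with its own server-key before touching any session."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, attrs, secret):
    """Switch side. Response Authenticator = MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response, request, secret):
    """ISE side: the ACK/NAK must echo the request ID and be keyed with the same secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_exchange(mac, secret=SECRET, tamper=False):
    """One Disconnect-Request/ACK round trip; 'secret' is what the sender signs with, 'tamper' flips a byte in flight."""
    request = build_request(DISCONNECT_REQUEST, 7, [(CALLING_STATION_ID, mac.encode())], secret)
    wire = request if not tamper else request[:-1] + bytes([request[-1] ^ 0xFF])
    if not verify_request(wire, SECRET):
        return "dropped"               # RFC 5176: invalid authenticator, silently discard
    ack = build_response(DISCONNECT_ACK, wire, [], SECRET)
    return "acked" if verify_response(ack, request, secret) else "bad-ack"


if __name__ == "__main__":
    print(disconnect_exchange("AA-BB-CC-DD-EE-FF"))                    # acked
    print(disconnect_exchange("AA-BB-CC-DD-EE-FF", secret=b"guess"))   # dropped: wrong key
    print(disconnect_exchange("AA-BB-CC-DD-EE-FF", tamper=True))       # dropped: payload altered
```

The point to take away: whoever holds the shared secret can disconnect or re-authorize any session on the switch, and the authenticator is plain MD5 over the packet plus the secret, so one captured request is enough for offline guessing. A dictionary word like the lab's networknode would not survive that; use a long random secret per NAD in production and keep the client list limited to the real ISE nodes.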

With the RADIUS configuration done, the next block adds the MAC notification, SNMP, syslog and DHCP snooping settings that feed the ISE profiler. The more of these sources the switch exposes, the more attributes ISE has to profile an endpoint before it makes an authorization decision:

mac address-table notification change <- Generate a notification whenever a MAC is learned or aged out
mac address-table notification mac-move <- Generate a notification when a MAC moves between ports
mac address-table notification change interval 0 <- Send notifications immediately rather than batching them
authentication mac-move permit <- Allow an authenticated MAC to move between authentication-enabled ports (MAB, 802.1X or Web-Auth) without first having to clear its session
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps mac-notification change
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.100.21 version 2c networknode mac-notification <- Send the traps to ISE
snmp-server community networknode ro <- This is the SNMP community string we previously configured in ISE; keep it read-only, since SNMPv2c sends it in cleartext
no snmp-server group networknode v1 <- The community command creates both a v1 and a v2c group; drop the v1 one

snmp-server trap-source vlan100
snmp-server source-interface inform vlan100
lldp run <- CDP/LLDP neighbour data is one of the richer profiling sources, and LLDP is off by default on these switches


logging origin-id ip <- Tag each syslog message with the sending interface's IP so ISE can map it to this NAD
logging source vlan100
logging host 10.1.100.21 transport udp port 20514 <- UDP 20514 is the port the ISE syslog profiling probe listens on
logging monitor informational <- This sets the level for terminal monitor sessions; the level actually sent to the syslog host is governed by "logging trap", whose default is informational


no ip dhcp snooping information option <- Stop the switch inserting DHCP Option 82 into the requests it relays. With the option on, a switch that is not the relay forwards the packet with giaddr still 0.0.0.0, and the DHCP server (and the ISE DHCP probe) will drop or mishandle it
ip dhcp snooping
ip dhcp snooping vlan 10,50,70,100 <- Snooping is what gives device-sensor and ISE the DHCP bindings, and it drops DHCP server replies arriving on untrusted ports. That is fine while the switch is the DHCP server; if you later move DHCP to a server behind g1/0/1-6, add "ip dhcp snooping trust" to that trunk or the offers will be dropped


epm logging <- Log Enforcement Policy Module events (dACL download and application, redirect) so ISE enforcement can be troubleshot from the switch
ip device tracking <- Maintain an IP device tracking table (IP to MAC to port). The switch needs it to apply dACLs to a host and for web-based authentication. Newer IOS XE releases replace this with SISF "device-tracking" policies
ip device tracking probe use-svi <- Source the tracking ARP probes from the SVI address of the host's VLAN instead of 0.0.0.0. A probe from 0.0.0.0 is an RFC 5227 address-conflict probe, and a Windows host that sees its own address probed that way reports a duplicate IP; sourcing from the SVI avoids that

device-sensor accounting <- Add the protocol data device-sensor collects (CDP, LLDP, DHCP) to RADIUS accounting records, and send an accounting update whenever new data is seen
device-sensor notify all-changes <- Send an update for every TLV change within a session: a new TLV, or a known TLV arriving with a new value

URL redirection for Web-Auth works by having the switch itself intercept the client's HTTP or HTTPS request and answer with a redirect to the ISE portal, so the switch's HTTP and HTTPS servers must be on. We also define two local ACLs: the default port ACL, and the redirect ACL that ISE will reference by name:

ip http server
ip http secure-server


ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit tcp any host 10.1.100.21 eq www
permit tcp any host 10.1.100.21 eq 443
permit tcp any host 10.1.100.21 eq 8443
deny   ip any any log


ip access-list extended GUEST-REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any any eq 8443
deny tcp any any eq 8905
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any


Note: GUEST-REDIRECT is the URL-redirect ACL for WebAuth, and its logic is the reverse of a filtering ACL: whatever is "permitted" is intercepted and redirected to the portal, and whatever is "denied" passes through untouched. That is why DHCP, DNS and the ISE portal ports (8443 for the guest and sponsor portals, 8905 for posture and client provisioning) are "deny" entries: the client needs them to get an address, resolve names and reach ISE. You can tighten it further by limiting the 8443 and 8905 exceptions to the ISE host rather than any. This ACL is never applied to a port directly; ISE's authorization profile names it in its web redirection settings and the switch looks it up by that exact name, so the name here and the name in ISE must match. ISE normally returns a dACL alongside the redirect, and that dACL, not this list, is what decides whether traffic is actually permitted.
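To show the inverted logic concretely, here is an added example (my code, not from the post) that evaluates flows against both ACLs the way the switch does, first match wins with an implicit deny at the end, and then applies the two different meanings: for ACL-DEFAULT a permit forwards, for GUEST-REDIRECT a permit redirects. The ACL text is the post's; the sample flows and the wildcard-mask handling are mine, and the parser only covers the syntax these two lists use.

```python
"""First-match evaluation of the two extended ACLs from this post, plus the
inverted meaning a URL-redirect ACL carries. Added example, not from the post:
the ACL bodies are the post's, the flows are constructed here, and the
evaluator handles only the syntax these ACLs use (any / host / addr wildcard,
an optional 'eq port', and a trailing 'log' keyword that is ignored)."""
import ipaddress
from dataclasses import dataclass

ACL_DEFAULT = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit tcp any host 10.1.100.21 eq www
permit tcp any host 10.1.100.21 eq 443
permit tcp any host 10.1.100.21 eq 8443
deny   ip any any log
"""

GUEST_REDIRECT = """
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any any eq 8443
deny tcp any any eq 8905
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}


@dataclass
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]          # IOS wildcard mask: 1 bits are "don't care"
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port|name>'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Return [(action, proto, src_net, sport, dst_net, dport), ...] in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, _rest = _parse_port(rest)          # anything left (e.g. 'log') is ignored
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def match(entries, flow):
    """IOS semantics: the first matching entry wins; no match is the implicit deny."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.src) not in src or ipaddress.ip_address(flow.dst) not in dst:
            continue
        if (sport is not None and sport != flow.sport) or (dport is not None and dport != flow.dport):
            continue
        return action
    return "deny"


def port_acl_verdict(flow, entries=None):
    """ACL-DEFAULT inbound on the port: permit forwards, deny drops."""
    return "forward" if match(entries or parse_acl(ACL_DEFAULT), flow) == "permit" else "drop"


def redirect_verdict(flow, entries=None):
    """Redirect ACL: 'permit' means intercept and send to the portal, 'deny' means leave it alone."""
    return "redirect" if match(entries or parse_acl(GUEST_REDIRECT), flow) == "permit" else "pass"


if __name__ == "__main__":
    flows = {
        "DHCP discover": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
        "portal to ISE": Flow("tcp", "10.1.70.101", 51001, "10.1.100.21", 8443),
        "web to internet": Flow("tcp", "10.1.70.101", 51002, "203.0.113.10", 80),
    }
    for label, flow in flows.items():
        print(f"{label:16} port ACL: {port_acl_verdict(flow):8} redirect ACL: {redirect_verdict(flow)}")
```

Run it and the three sample flows land exactly where the note above says they should: the DHCP and portal flows are forwarded by ACL-DEFAULT and left alone by GUEST-REDIRECT, while the web request to the internet is dropped by ACL-DEFAULT but selected for redirection by GUEST-REDIRECT. The two verdicts are independent; the code does not model the order in which the switch combines them with the dACL ISE returns.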

The last thing I will do is configure the interfaces that will be ISE-protected. In the following configuration, I will break it up a bit to explain what I am configuring on the port-level:
 

interface range g1/0/7-48
description ISE dot1x Port
switchport access vlan 70
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable

The next set of commands says what to do when authentication fails or ISE is unreachable, and hands the reauthentication and inactivity timers to RADIUS (the Session-Timeout and Idle-Timeout attributes ISE returns):
authentication event fail action next-method <- On an 802.1X failure, fall through to the next method (MAB) instead of rejecting outright
authentication event server dead action reinitialize vlan 50 <- Critical authentication: when every RADIUS server is dead, put new and existing sessions on the port into VLAN 50. This fails open into the user VLAN, so pick the VLAN deliberately; a restricted critical VLAN is the safer choice in production
authentication event server dead action authorize voice <- Likewise let the phone keep working on the voice VLAN while ISE is down
authentication timer reauthenticate server <- Reauthenticate at the interval ISE sends in Session-Timeout
authentication timer inactivity server <- Clear the session after the Idle-Timeout ISE sends

The following command allows multiple data endpoints plus one voice device on the same physical port, each authenticated individually:
authentication host-mode multi-auth

This command enables pre-authentication access (open mode): traffic is allowed before ISE responds, subject only to the port ACL. With ACL-DEFAULT applied this is "low-impact mode"; without a port ACL it would be pure monitor mode, where an unauthenticated host gets unrestricted access:
authentication open

These commands tell IOS Flex-Auth to try 802.1X first and then MAB, and to let a later 802.1X result take precedence over an existing MAB session:
authentication order dot1x mab
authentication priority dot1x mab

These commands turn on port-based authentication on the interface and set the violation action. With "restrict", traffic from more MACs than the host mode allows is dropped and logged but the port stays up, rather than going err-disabled as it would with the default "shutdown":
authentication port-control auto
authentication violation restrict

This command enables re-authentication on the interface:
authentication periodic

This command enables MAC Authentication Bypass (MAB) on the interface:
mab

This command enables 802.1x authentication in the interface:
dot1x pae authenticator

This command sets the EAP-Request/Identity retransmit period to 10 seconds. With the default "dot1x max-reauth-req 2", a host that never answers (no supplicant) is handed to MAB after tx-period times (max-reauth-req + 1), i.e. 30 seconds; the default tx-period of 30 would make that a 90 second wait:
dot1x timeout tx-period 10

These commands enable the SNMP trap for added and removed MACs on the interface:
snmp trap mac-notification change added
snmp trap mac-notification change removed

Finally we apply the default ACL inbound on the interface. It governs traffic from hosts that have not been authorized yet (and, in open mode, from everything until ISE answers); once ISE returns a dACL for a session, that dACL takes over for that host:
ip access-group ACL-DEFAULT in

In the end, the final configuration should resemble the following:

username admin privilege 15 password networknode
enable password networknode

ip domain-name securitydemo.net
hostname Sw1
crypto key gen rsa
1024

ip ssh version 2
ip ssh authentication-retries 2

line vty 0 15
transport input ssh
login local


ip routing

vlan 10
name MGMT
vlan 50
name USER_VLAN
vlan 70
name GUEST_VLAN
vlan 100
name SERVER_VLAN


interface vlan 10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 50
ip address 10.1.50.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 70
ip address 10.1.70.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 100
ip address 10.1.100.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

ip route 0.0.0.0 0.0.0.0 10.1.10.99 <- This is the inside interface of my ASA 5506

ip ftp source-interface vlan100
ip tftp source-interface vlan100


interface range g1/0/1-6
switchport
switchport mode trunk
switchport trunk native vlan 10
spanning-tree portfast trunk
no shut

ip dhcp excluded-address 10.1.10.1 10.1.10.100
ip dhcp excluded-address 10.1.50.1 10.1.50.100
ip dhcp excluded-address 10.1.70.1 10.1.70.100
ip dhcp excluded-address 10.1.100.1 10.1.100.100


ip dhcp pool VLAN10
network 10.1.10.0 255.255.255.0
dns-server 10.1.100.40 <- My AD server
default-router 10.1.10.1

ip dhcp pool VLAN50
network 10.1.50.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.50.1

ip dhcp pool VLAN70
network 10.1.70.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.70.1


ip dhcp pool VLAN100
network 10.1.100.0 255.255.255.0
dns-server 10.1.100.40
default-router 10.1.100.1

aaa new-model

radius server ise
address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
key networknode

radius-server dead-criteria tries 3
radius-server deadtime 30

aaa group server radius ise-group
server name ise

aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authorization exec default local
aaa authentication dot1x default group ise-group
aaa authorization exec vty local
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting auth-proxy default start-stop group ise-group

aaa session-id common
aaa accounting update periodic 5

aaa server radius dynamic-author
client 10.1.100.21 server-key networknode
server-key networknode

radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail

ip radius source-interface vlan 100


captive-portal-bypass
dot1x system-auth-control


mac address-table notification change
mac address-table notification mac-move

snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.100.21 version 2c networknode mac-notification
snmp-server community networknode ro
no snmp-server group networknode v1

snmp-server trap-source vlan100
snmp-server source-interface inform vlan100
lldp run


logging origin-id ip
logging source vlan100
logging host 10.1.100.21 transport udp port 20514
logging monitor informational


no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping vlan 10,50,70,100

epm logging

ip device tracking
ip device tracking probe use-svi

device-sensor accounting
device-sensor notify all-changes

ip http server
ip http secure-server

ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit tcp any host 10.1.100.21 eq www
permit tcp any host 10.1.100.21 eq 443
permit tcp any host 10.1.100.21 eq 8443
deny   ip any any log

ip access-list extended GUEST-REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any any eq 8443
deny tcp any any eq 8905
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any


interface range g1/0/7-48
description ISE dot1x Port
switchport access vlan 70
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50
authentication event server dead action authorize voice
authentication timer reauthenticate server
authentication timer inactivity server
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 10
snmp trap mac-notification change added
snmp trap mac-notification change removed
ip access-group ACL-DEFAULT in
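As an added check (my script, not something from the post), here is a small audit that reads a running-config and reports on the points this walkthrough turns on: local credentials stored with password rather than secret, VTY lines that are not SSH-only, a missing global dot1x enable, a CoA client list that does not match the RADIUS server, required commands missing from authenticated ports, open mode with no port ACL, and critical VLANs that fail open. The sample config is constructed from the post's final configuration in running-config layout (indented sub-commands, the interface range expanded), with one port deliberately left incomplete so the checks have something to report.

```python
"""Audit an IOS running-config for the ISE-related settings this post covers.
Added example, not from the post. SAMPLE_CONFIG is constructed here in
running-config layout (indented sub-commands, interface range expanded) from
the post's final configuration; GigabitEthernet1/0/8 is deliberately left
half-configured so the checks have something to report."""
import re

SAMPLE_CONFIG = """\
username admin privilege 15 password networknode
enable password networknode
aaa new-model
radius server ise
 address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
aaa server radius dynamic-author
 client 10.1.100.21 server-key networknode
dot1x system-auth-control
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit tcp any host 10.1.100.21 eq 8443
 deny ip any any log
interface GigabitEthernet1/0/7
 authentication event server dead action reinitialize vlan 50
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree bpduguard enable
 ip access-group ACL-DEFAULT in
interface GigabitEthernet1/0/8
 authentication open
 authentication port-control auto
 dot1x pae authenticator
line vty 5 15
 transport input ssh
 login local
"""

REQUIRED_PORT_CMDS = ("authentication order dot1x mab", "mab", "dot1x pae authenticator",
                      "spanning-tree bpduguard enable")


def parse_blocks(text):
    """Split a running-config into top-level lines and {header: [indented sub-commands]}."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_blocks(text)
    findings = []
    for line in top:                      # reversible credentials: 'password' instead of 'secret'
        if re.match(r"(username \S+ .*\bpassword\b|enable password\b)", line):
            findings.append(f"CLEARTEXT-PASSWORD: '{line.split()[0]}' uses password, not secret")
    if "dot1x system-auth-control" not in top:
        findings.append("DOT1X-GLOBAL-OFF: no 'dot1x system-auth-control'")
    covered = set()                       # every VTY line 0-15 must sit in an SSH-only 'line vty' block
    for hdr, sub in blocks.items():
        m = re.match(r"line vty (\d+)(?: (\d+))?$", hdr)
        if m and "transport input ssh" in sub:
            covered.update(range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1))
    missing = sorted(set(range(16)) - covered)
    if missing:
        findings.append(f"VTY-NOT-SSH-ONLY: lines {missing}")
    # the CoA client list must name the same ISE nodes the switch authenticates against
    radius_ips = {s.split()[2] for h, sub in blocks.items() if h.startswith("radius server ")
                  for s in sub if s.startswith("address ipv4 ")}
    coa_ips = {s.split()[1] for s in blocks.get("aaa server radius dynamic-author", [])
               if s.startswith("client ")}
    if not coa_ips:
        findings.append("NO-COA-CLIENT: ISE cannot send Change of Authorization")
    elif coa_ips != radius_ips:
        findings.append(f"COA-CLIENT-MISMATCH: radius {sorted(radius_ips)} vs coa {sorted(coa_ips)}")
    acls = {h.split()[-1] for h in blocks if h.startswith("ip access-list ")}
    for hdr, sub in blocks.items():       # per port: required commands, open mode needs an ACL, fail-open VLANs
        if not hdr.startswith("interface ") or "authentication port-control auto" not in sub:
            continue
        name = hdr.split()[1]
        findings += [f"PORT-MISSING: {name} lacks '{c}'" for c in REQUIRED_PORT_CMDS if c not in sub]
        acl = next((s.split()[2] for s in sub if s.startswith("ip access-group ") and s.endswith(" in")), None)
        if "authentication open" in sub and acl is None:
            findings.append(f"OPEN-NO-ACL: {name} is open mode with no port ACL, so unauthenticated hosts get everything")
        elif acl is not None and acl not in acls:
            findings.append(f"ACL-UNDEFINED: {name} references {acl}")
        for s in sub:
            m = re.match(r"authentication event server dead action reinitialize vlan (\d+)$", s)
            if m:
                findings.append(f"FAIL-OPEN: {name} drops into VLAN {m.group(1)} when ISE is unreachable")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports the two password lines, VTY lines 0 through 4 without SSH, the three commands missing on GigabitEthernet1/0/8 plus its open mode without a port ACL, and the critical VLAN on GigabitEthernet1/0/7. The last one is informational: fail-open into VLAN 50 is a choice, but it should be a conscious one. Point the script at "show running-config" output from a real switch to run the same checks there.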