In this blog post, I'm going to set up my Catalyst 3650 switch with basic Layer 2, Layer 3 and dot1x configurations. I'll walk through the configuration and explain why each piece is there, since the switch is the network access device that will be enforcing what ISE decides.
ISE 2.0 - Adding Network Access Devices
In this blog post, I'm going to add my network access devices (NADs) to my ISE deployment. These are the devices that send RADIUS requests and profiling information to ISE about endpoints on the network. Depending on the policy that matches, ISE returns an authorization profile that tells the access device how to treat that endpoint (VLAN, dACL, redirect, and so on).
ISE 2.0 Initial Configuration - Finishing Touches
ISE 2.0 Initial Configuration - Enabling Services and Identity Mapping/PassiveID Configuration
In this post, we are going to enable the services for our ISE node and configure the Identity Mapping service (renamed PassiveID in ISE 2.1) between ISE and Active Directory. The Identity Mapping service lets ISE learn about users who were authenticated by a domain controller rather than by ISE itself; this is what the EasyConnect configuration in later posts relies on. ISE gathers this information by connecting to the domain controllers over WMI and reading the logon events from the Windows Security event log.
ISE 2.0 Initial Configuration - Creating Certificate Authentication Profiles
In this next post, we are going to create the Certificate Authentication Profiles. This profile is required by the certificate-based authentication methods we will build in later posts. Since our policy will use EAP-TLS, ISE validates the certificate presented by the client against the CA chain it trusts and then uses an attribute from that certificate (for example the subject CN or a SAN value) to look up the user or computer in Active Directory. This is considered a much more secure method than the traditional username and password method, because there is no shared secret to phish or replay.
ISE 2.0 Initial Configuration - Adding Certificates to ISE
Certificates are crucial to the operation of Identity Services Engine. Some of the ways ISE uses certificates include dot1x (EAP) authentication, pxGrid communication, registering and communicating with new ISE nodes, BYOD enrollment, and the admin and portal HTTPS interfaces. Unless you are running a single ISE node with only a Guest portal and basic profiling and are content with the default self-signed certificate, this is a post that you'll want to follow along with as closely as possible.
ISE 2.0 Initial Configuration - Bootstrapping and Joining to AD Domain
Now that we have Active Directory configured, we're going to start setting up ISE. In this post I'm going to walk through basic bootstrapping of ISE and how to join it to the Active Directory domain. I'm using ISE 2.0 in my lab, which is the latest version of ISE as of this post, but the process for bootstrapping and joining an Active Directory domain is unchanged from previous versions.
Server 2012 Configuration - Finishing Touches
Server 2012 Configuration - pxGrid Identity Mapping/PassiveID Settings
When configuring ISE pxGrid and Identity Mapping integration with Active Directory, there are certain audit settings and permissions that must be set on the domain controllers before the logon information can flow to ISE. If you've ever configured Cisco Context Directory Agent, you're about to receive a blast from the past, because the settings and permissions are exactly the same.
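The audit and permission changes the post refers to can be scripted rather than clicked through. The block below is an added example and not the post's own code; it enables the success-side audit subcategories that produce the logon events Identity Mapping reads, and puts the ISE service account in the two built-in groups that give it remote DCOM and Security log access instead of making it a Domain Admin. The account name isepxgrid is an assumption for the lab.

```powershell
# Added example: audit policy and least-privilege group membership for the
# ISE Identity Mapping / PassiveID (WMI) service account, run on a domain controller.
# The service account name below is an assumption for this lab.
$IseSvcAccount = 'isepxgrid'

# 1. Audit policy. Identity Mapping maps a user to an IP from the logon-related
#    success events (4768/4769/4770 Kerberos, 4624 Logon), so only the success
#    side of these subcategories is needed. Failures are left off to keep log volume down.
$subcategories = @(
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Logon'
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:disable | Out-Null
}

# 2. Group membership. Distributed COM Users permits the DCOM connection that WMI
#    rides on; Event Log Readers permits reading the Security log remotely.
#    Both are built-in domain local groups on a DC, so no Domain Admins rights are needed.
Import-Module ActiveDirectory
foreach ($group in 'Distributed COM Users', 'Event Log Readers') {
    Add-ADGroupMember -Identity $group -Members $IseSvcAccount -ErrorAction Stop
}

# 3. Verify the effective settings before pointing ISE at this DC.
auditpol /get /subcategory:"Logon"
Get-ADPrincipalGroupMembership -Identity $IseSvcAccount |
    Select-Object -ExpandProperty Name
```

This covers the audit policy and group membership only. The account also needs Enable Account and Remote Enable on the root\cimv2 WMI namespace, which is normally granted through wmimgmt.msc, and in a domain with more than one DC the auditpol settings belong in a GPO linked to the Domain Controllers OU rather than being run per server.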
Server 2012 Configuration - Group Policy Creation
This is where we're going to create the group policy that pushes our settings down to the clients. The idea behind delivering the settings via GPO is to make security mandatory while keeping it as transparent to the user as possible. Little things such as pushing the dot1x SSID profile and letting users auto-connect to it when in range go a long way for user experience. Likewise, having users automatically enrolled for a user certificate and their wired 802.1X supplicant settings configured for them keeps ISE out of sight. Ideally, users should never know ISE is there authenticating and authorizing their corporate computers and acting as the gatekeeper between them and the rest of the network, UNLESS a policy is violated somehow.
Server 2012 Configuration - Certificate Templates
Certificate Templates will play a big role in ISE and pxGrid integration in our lab, and most likely in any production rollout of ISE. While recent versions of ISE can act as a certificate authority themselves, most ISE deployments I've seen leverage an Active Directory Certificate Authority. In later blog posts I might go through many of these same steps using the ISE CA instead, but I'd rather cover what's used in the majority of implementations first.
Server 2012 Configuration - Adding and Configuring Roles
If you're implementing any of this in production, you probably already have a domain controller and Certificate Authority in place. Depending on what you plan to use ISE for, though, there are settings you may need to adjust. Since I'm setting up a lab environment, I'm going to assume you might be setting up a lab as well and walk you through what I do as I build it.