connect AD to ISE

1- Verify basic functionality and DNS

2- Join ISE to AD

3- Make an Identity Source Sequences

Go to Administration > External Identity Sources and add Active Directory. Click Add and enter the AD details; you will probably be prompted for a Username and Password, so enter your AD administrator credentials in the prompt.

Then, if everything goes well, your ISE node successfully joins the Active Directory domain.

You can verify the join by going back to Active Directory and checking the Computers container. As shown in the picture, the ISE computer account should be listed there.

Now we can tell ISE to authenticate against AD first and, if the user is not found there, to fall back to the local database. To change the lookup order you have to create an Identity Source Sequence.

In the Name box enter a name of your choice, then in the Selected list add AD first and Internal Users second. Finally, select the “Treat as if the user was not found and proceed to the next store in the sequence” option and save.

Now go to Policy > Authentication Policy and, under Use, select the Identity Source Sequence you just created, “first_AD_then_local”.
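The lookup order the sequence enforces is easier to see in code than in the GUI. The following is an added example, not ISE's own code: a small model of an Identity Source Sequence that walks AD and then Internal Users, stops on a wrong password for a user it has found, and (when the “treat as not found” option is set) skips a store it cannot reach. The store contents, usernames and passwords are constructed sample data.

```python
# Added example, not ISE's own code: a small model of how an Identity Source
# Sequence such as "first_AD_then_local" walks its stores. All usernames,
# passwords and store contents below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Store:
    """One identity store (e.g. AD or Internal Users) with a sample user table."""
    name: str
    users: Dict[str, str] = field(default_factory=dict)  # username -> password (sample)
    reachable: bool = True  # False simulates a store that cannot be contacted

    def authenticate(self, user: str, password: str) -> str:
        """Return 'ok', 'not_found', 'bad_password' or 'error'."""
        if not self.reachable:
            return "error"
        if user not in self.users:
            return "not_found"
        return "ok" if self.users[user] == password else "bad_password"


@dataclass
class IdentitySourceSequence:
    """Ordered list of stores; mirrors the sequence semantics described above."""
    name: str
    stores: List[Store]
    # Models the option "Treat as if the user was not found and proceed to the
    # next store in the sequence", which applies when a store cannot be accessed.
    proceed_on_store_error: bool = True

    def authenticate(self, user: str, password: str) -> Tuple[str, Optional[str]]:
        """Return ('accept' | 'reject', name of the store that decided, or None)."""
        for store in self.stores:
            outcome = store.authenticate(user, password)
            if outcome == "ok":
                return "accept", store.name
            if outcome == "bad_password":
                # The user exists here, so a wrong password is a final failure:
                # the sequence does not fall through to the next store.
                return "reject", store.name
            if outcome == "error" and not self.proceed_on_store_error:
                return "reject", store.name
            # 'not_found' (or an error treated as not found): try the next store
        return "reject", None


def build_sequence(ad_reachable: bool = True,
                   proceed_on_error: bool = True) -> IdentitySourceSequence:
    """Build a fresh AD -> Internal Users sequence with constructed sample users."""
    ad = Store("AD", {"alice": "Alice-Sample-Pass"}, reachable=ad_reachable)
    internal = Store("Internal Users", {"hamid": "YourPassword"})
    return IdentitySourceSequence("first_AD_then_local", [ad, internal], proceed_on_error)


if __name__ == "__main__":
    seq = build_sequence()
    print(seq.authenticate("alice", "Alice-Sample-Pass"))  # accepted by AD
    print(seq.authenticate("hamid", "YourPassword"))       # not in AD, accepted by Internal Users
    print(seq.authenticate("alice", "wrong"))              # found in AD, wrong password: rejected
    print(build_sequence(ad_reachable=False).authenticate("hamid", "YourPassword"))  # AD down, falls through
```

The point of the model is the third and fourth cases: a user that exists in AD with a wrong password is rejected outright rather than retried against Internal Users, while an unreachable AD only falls through because the “treat as not found” option is set; with that option off, an AD outage rejects everyone, including local users further down the sequence.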

To test, create a new user in AD.

As you can see, the user's logs show a successful login.


802.1X MAC Authentication Bypass (MAB)

First, configure the interface that is connected to the endpoint. Previously we configured the interface as below:

SW(config)#int gi1/0/2

SW(config-if)#switchport mode access
SW(config-if)#authentication host-mode multi-auth
SW(config-if)#authentication open
SW(config-if)#dot1x pae authenticator
SW(config-if)#dot1x timeout tx-period 10
SW(config-if)#authentication port-control auto
SW(config-if)#authentication periodic
SW(config-if)#authentication timer reauthenticate server

Now, add this configuration for the interface:

SW(config-if)#mab
SW(config-if)#authentication order mab dot1x
SW(config-if)#authentication priority dot1x mab

The result:

SW#sh authentication sessions int gi1/0/2

Interface  MAC Address     Method  Domain   Status  Fg  Session ID
------------------------------------------------------------------
Gi1/0/2    b8ca.3a7e.0f5a  N/A     UNKNOWN  Unauth      C0A80AFC00000FB4034126C2

Key to Session Events Blocked Status Flags:

A – Applying Policy (multi-line status for details)
D – Awaiting Deletion
F – Final Removal in progress
I – Awaiting IIF ID allocation
N – Waiting for AAA to come up
P – Pushed Session
R – Removing User Profile (multi-line status for details)
U – Applying User Profile (multi-line status for details)
X – Unknown Blocker

Runnable methods list:
Handle Priority Name
16 5 dot1x
18 10 mab
21 15 webauth
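When several ports are configured this way, the session table above is the quickest place to see which endpoints are still unauthenticated and which were authorized on their MAC address alone. The following is an added example, not the switch's or ISE's own tooling: a parser for the "show authentication sessions" table that buckets ports by outcome. The sample output is constructed; only the first row's session ID is taken from the output shown above, and the other rows, MAC addresses and session IDs are made up.

```python
# Added example, not the switch's or ISE's own tooling: parse the table that
# "show authentication sessions" prints and flag ports that are unauthenticated
# or authorized by MAB alone. The output below is constructed sample data; only
# the first row's session ID comes from the output shown above.
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
Interface  MAC Address     Method  Domain   Status  Fg  Session ID
------------------------------------------------------------------
Gi1/0/2    b8ca.3a7e.0f5a  N/A     UNKNOWN  Unauth      C0A80AFC00000FB4034126C2
Gi1/0/3    0011.2233.4455  mab     DATA     Auth        C0A80AFC00000FB5034127AA
Gi1/0/4    0011.2233.6677  dot1x   DATA     Auth    A   C0A80AFC00000FB6034128BB

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
"""

# Cisco-style dotted MAC address, e.g. b8ca.3a7e.0f5a
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Return one dict per session row; header, separator and key lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has at least 6 fields and a MAC address in the second column.
        if len(fields) < 6 or not MAC_RE.match(fields[1]):
            continue
        iface, mac, method, domain, status = fields[:5]
        # The Fg column may be empty, so whatever sits between Status and the
        # last field (Session ID) is the flag string.
        flags = "".join(fields[5:-1])
        sessions.append({
            "interface": iface, "mac": mac.lower(), "method": method.lower(),
            "domain": domain, "status": status, "flags": flags,
            "session_id": fields[-1],
        })
    return sessions


def triage(sessions: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group interfaces by how their session was decided.

    'mab_only' ports were authorized on the MAC address alone, so they deserve
    a second look (profiling, a restricted authorization profile) rather than
    being treated like an 802.1X-authenticated endpoint.
    """
    result = {"unauth": [], "mab_only": [], "dot1x": []}
    for s in sessions:
        if s["status"].lower() != "auth":
            result["unauth"].append(s["interface"])
        elif s["method"] == "mab":
            result["mab_only"].append(s["interface"])
        elif s["method"] == "dot1x":
            result["dot1x"].append(s["interface"])
    return result


if __name__ == "__main__":
    for bucket, ports in triage(parse_sessions(SAMPLE_OUTPUT)).items():
        print(f"{bucket}: {', '.join(ports) or '-'}")
```

Run it against the pasted output of "show authentication sessions" from a switch; with "authentication order mab dot1x" and "authentication priority dot1x mab" a port that stays in the mab_only bucket is an endpoint that never completed 802.1X, which is exactly the set worth reviewing in ISE.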

And if you check on the ISE:

802.1X wired authentication

SWTEST(config)#aaa authentication dot1x default group radius
SWTEST(config)#aaa accounting dot1x default start-stop group radius
SWTEST(config)#aaa authorization network default group radius
SWTEST(config)#radius-server attribute 8 include-in-access-req
SWTEST(config)#! enable dot1x globally
SWTEST(config)#dot1x system-auth-control
SWTEST(config)#int gi1/0/2
SWTEST(config-if)#shut
SWTEST(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

SWTEST(config-if)#authentication host-mode multi-auth
SWTEST(config-if)#authentication open
SWTEST(config-if)#authentication periodic
SWTEST(config-if)#authentication timer reauthenticate server
SWTEST(config-if)#dot1x pae authenticator
SWTEST(config-if)#dot1x timeout tx-period 10
SWTEST(config-if)#authentication port-control auto
SWTEST(config-if)#no shut
SWTEST(config-if)#exit
SWTEST(config)#do sh dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 3

Dot1x Info for GigabitEthernet1/0/2
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 10

How to Connect ISE to Switch

SW1(config)#enable secret YourPassword
SW1(config)#aaa new-model
SW1(config)#aaa authentication login default enable

SW1(config)#radius server ISE
SW1(config-radius-server)#address ipv4 192.168.10.6 auth-port 1812 acct-port 1813
SW1(config-radius-server)# key …..

SW1(config)#aaa group server radius ISE-group
SW1(config-sg-radius)#server name ISE

SW1(config)#radius-server vsa send authentication

SW1#test aaa group ISE-group hamid YourPassword new-code