Identity Services Engine Guest and Posture flows Troubleshooting


1 Cisco Support Community Expert Series Webcast Identity Services Engine Guest and Posture flows Troubleshooting Sam Hertica Maciej Podolski August 30th, 2016

2 Become an Event Top Contributor Participate in Live Interactive Technical Events and much more

3 Rate Content: Now your ratings on documents, videos, and blogs count: they give points to the authors! So when you contribute and receive ratings, you now get the points in your profile. Help us recognize quality content in the community and make your searches easier. Rate content in the community. Encourage and acknowledge people who generously share their time and expertise.

4 Cisco Support Community Expert Series Webcast Sam Hertica Cisco TAC Maciej Podolski Cisco TAC

5 Question Managers Tim Beebe Cisco TAC Valerii Palkin Cisco TAC

6 Ask the Expert Event following the Webcast Now through Sept 9th Join the discussion for these Ask The Expert Events:

7 Thank You For Joining Us Today! If you would like a copy of the presentation slides, click the PDF file link in the chat box on the right or go to: Need the link here

8 Submit Your Questions Now! Use the Q & A panel to submit your questions and the panel of experts will respond. Please take a moment to complete the survey at the end of the webcast


10 Agenda:
- Guest Portal URL's Anatomy
- Troubleshooting redirection on ISE
- Load Balancing
- Troubleshooting redirection on WLC and on Switch
- Certificate Issues
- Common ISE deployment bugs/issues
- QnA

11 Polling Question 1: How many different portal types are in ISE? (Version 2.0) A. 2 B. 3 C. 6 D. 10

12 Identity Services Engine (ISE) uses: Authentication, Authorization, Accounting, Profiling, Guest access, BYOD, Posture, TrustSec, pxGrid

13 It's all about proper deployment. A lot of issues could be avoided with proper deployment. Let's deep dive into designing the guest flows and the most common issues, misconfigurations and bugs. We will cover Central Web Authentication: Cisco recommends that you use Centralized Web Authentication (CWA) with ISE whenever possible. URL's Anatomy

14 URL's Anatomy: the redirect URL carries the encrypted FQDN, the Portal ID, the port and the RADIUS audit session-id.

15-16 URL's Anatomy cont.: The URL is always unique per RADIUS session. The URL is valid only on the ISE node that has that RADIUS session. The session id is constructed from [NAS IP Address][Session Count][TimeStamp].


18-25 Make sure that the RADIUS session and the Guest portal will be on the SAME NODE (diagram: ISE 1, ISE 2):
1. The endpoint connects to the SSID via MAB/dot1x.
2. The RADIUS session starts (RADIUS Access-Request).
3. ISE sends the RADIUS Access-Accept with the redirect ACL + redirect URL POINTING TO ISE 1.
4. The endpoint resolves the URL on the DNS.
5. HTTPS session to the guest portal.
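The URL anatomy from slides 14-16 and the same-node rule from slides 18-25, as an added example (not code from the webcast or from Cisco ISE): it decodes the audit session-id into [NAS IP Address][Session Count][TimeStamp] and checks that the portal host in the redirect URL is the node that owns the RADIUS session. The query-parameter names, the 8-hex-digit field widths and every sample value are assumptions.

```python
"""Decode an ISE CWA redirect URL and check the same-node rule.

Added example for this page, not code from the webcast or from Cisco ISE.
Assumptions: the redirect URL looks like
https://<fqdn>:<port>/portal/gateway?sessionId=...&portal=...&action=cwa,
and the audit session-id is three 8-hex-digit fields laid out as the slide
says: [NAS IP Address][Session Count][TimeStamp]. All sample values are
constructed.
"""
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed: which PSN returned the Access-Accept for each RADIUS session.
# In a real deployment this is the "ISE node" column of the Live Log.
SESSION_OWNER = {
    "0A0A0A010000001C57C59E10": "ise1.example.com",
}

# Constructed URLs: the first points at the node that owns the session, the
# second at the other PSN (what a shared round-robin FQDN can hand out).
GOOD_URL = ("https://ise1.example.com:8443/portal/gateway"
            "?sessionId=0A0A0A010000001C57C59E10"
            "&portal=PORTAL-ID-PLACEHOLDER&action=cwa")
WRONG_NODE_URL = GOOD_URL.replace("ise1.example.com", "ise2.example.com")


def decode_audit_session_id(sid):
    """Split a 24-hex-digit audit-session-id into its three fields."""
    if len(sid) != 24 or any(c not in "0123456789abcdefABCDEF" for c in sid):
        raise ValueError("audit-session-id must be 24 hex digits: %r" % sid)
    return {
        "nas_ip": str(ipaddress.IPv4Address(int(sid[0:8], 16))),
        "session_count": int(sid[8:16], 16),
        "timestamp": datetime.fromtimestamp(int(sid[16:24], 16), tz=timezone.utc),
    }


def parse_redirect_url(url):
    """Pull host, port, portal id and session id out of the redirect URL."""
    u = urlparse(url)
    q = parse_qs(u.query)
    host = u.hostname or ""
    try:
        ipaddress.ip_address(host)
        ip_literal = True      # slide 46: the portal cert then needs the IP in its SAN
    except ValueError:
        ip_literal = False
    return {
        "host": host,
        "port": u.port or 443,
        "ip_literal": ip_literal,
        "portal": q.get("portal", [None])[0],
        "action": q.get("action", [None])[0],
        "session_id": q.get("sessionId", [None])[0],
    }


def check_same_node(url, session_owner=SESSION_OWNER):
    """Return (ok, reason): the portal host must be the node owning the session."""
    info = parse_redirect_url(url)
    sid = info["session_id"]
    if sid is None:
        return False, "no sessionId in URL"
    owner = session_owner.get(sid.upper())
    if owner is None:
        return False, "no RADIUS session %s on any node (expired or re-authenticated?)" % sid
    if info["host"].lower() != owner.lower():
        return False, "URL points to %s but the session lives on %s" % (info["host"], owner)
    return True, "URL and RADIUS session are both on %s" % owner


if __name__ == "__main__":
    print(decode_audit_session_id("0A0A0A010000001C57C59E10"))
    for u in (GOOD_URL, WRONG_NODE_URL):
        print(check_same_node(u))
```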

26 Troubleshooting redirection on ISE

27-32 Guest user to MAC mapping: When a guest user is able to log in on the Guest portal, ISE maps the MAC address of that user to his guest account based on the RADIUS session ID in the URL. That is why portals are created per RADIUS session. The session is valid on one and only one ISE node (the one that returned the RADIUS Access-Accept). Live Log screenshots: Guest username, Endpoint MAC address, the MAB session; check the details.

33-40 MAB session (Live Log details): the MAB authentication; the Continue option, as we do not expect the guest endpoints' MAC to be in our internal database; the MAC; the RADIUS session id; the redirect ACL name; the ISE node.

41-44 Guest user to MAC mapping cont.: Guest login on the portal, then CoA, then a second MAB session on the same node.

45 Common issues: We see a lot of cases that could be avoided with this one rule. There are multiple ways to break this rule if one is not careful enough. Think twice, deploy once!

46 Static FQDN / IP address: Portal FQDNs need to be unique. Multiple rules, one rule per PSN: not so scalable. If we use a static IP address instead of an FQDN, then the certificate needs to have the IP address in the SAN field.

47 Dynamic FQDN: A dynamic FQDN is created by default. It is safer, as it will be automatically generated and will always point to the same node.

48-50 URL Redirect with Multiple Interfaces on PSNs: Any ISE portal can be hosted by any interface of a PSN. The dynamic redirect URL will always be generated with the lowest configured allowed interface. Dynamic FQDN will automatically set the FQDN depending on the interface, if available.

51 Adding FQDNs to interfaces: By default portals are enabled on interface GigabitEthernet 0; their URLs will always use the global FQDN configured in the running-config.

52 If we enable the portal on interface GigabitEthernet 1 and disable it on GigabitEthernet 0, we will return an IP address instead of a URL.

53 Using the ip host command we can set an FQDN per interface: ip host uest1.mpodolsk.example.com Note: this requires a restart of ISE.

54 Polling Question 2: How many different portal types are in ISE?
1. Hotspot
2. Self-registered
3. Sponsored
4. Sponsor
5. BYOD
6. Provisioning and posture
7. My Devices portal
8. Mobile Device Management
9. Certificate provisioning
10. Blacklist

55 Troubleshooting redirection with Load Balancing

56 Most Common Redirect Error


59-68 DNS Load Balancing via Round-Robin (diagram: two ISE nodes behind one round-robin DNS name; the HTTP session lands on a node other than the one holding the RADIUS session)

69 Load-balance RADIUS Traffic based on NAD or Endpoint: A better way to load-balance traffic is to balance the RADIUS traffic and rely on ISE's dynamic ability to generate redirect URLs based on the FQDN or interface host names. For dot1x RADIUS flows, you need to configure persistence based on the Calling-Station-ID (MAC address of the client) or the network device IP. See the ISE-F5 Deployment Guide.

70 Troubleshooting redirection on WLC / Switch

71-72 Well, I configured everything properly and it doesn't work. ISE Live Logs: no Live Log means no RADIUS request; Failed Authentication: double-check policies; Passed Authentication: check the NAD. WLC: Monitor --> Client tab. Switch: show authentication session interface <int> details / show access-session interface <int> details.

73 Well, I configured everything properly and it doesn't work. Validate that ISE is sending the correct authorization profile. Check that the AuthZ profile is configured properly. Ensure the minimum initial configuration is implemented on the network devices.

74 Initial Configuration Requirements for IOS. The magnifying glass is your friend: ISE is passing a url-redirect-acl of ACL_WEBAUTH_REDIRECT, a url-redirect, and profilename=unknown, but the switch didn't have the redirect ACL. Global config:
aaa authentication dot1x default
aaa authorization network default...
ip http server
(a Layer 3 IP address somewhere)
dot1x system-auth-control
radius-server vsa send authentication
radius-server vsa send accounting
Interface config (mileage may vary):
mab
dot1x pae authenticator
authentication port-control auto
authentication order mab dot1x
authentication event fail action next-method
rtp12-shertica-sw#show ip access-l ACL_WEBAUTH_REDIRECT
Extended IP access list ACL_WEBAUTH_REDIRECT
5 deny udp any eq bootpc any eq bootps
10 deny udp any any eq domain
20 deny tcp any host <ISE> eq
permit ip any any

75-82 The Golden Rule of Redirect ACLs: A redirect ACL is about identifying traffic you want to send to ISE. Deny is bypassing the redirect, Permit is enforcing it.*
- You need an IP address (deny udp any any eq bootps)
- DNS has to function (deny udp any any eq domain)
- To send traffic to ISE, you need to not redirect traffic destined for your PSNs
- If you want to access other resources during the captive portal phase, deny it in the ACL.
- Everything else is redirected (permit ip any any)
*AirOS is special. Everything is backwards.
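The Golden Rule above, turned into a check, as an added example (not code from the webcast or from any Cisco tool): it parses a show ip access-list style redirect ACL, applies the IOS semantics (deny = bypass, permit = redirect) or the inverted AirOS semantics, and runs the DHCP, DNS, PSN and plain-HTTP flows the slide calls out, reporting any that end up on the wrong side. The PSN address, portal port and all flow addresses are constructed.

```python
"""Lint an ISE redirect ACL against the Golden Rule from the slides.

Added example for this page, not code from the webcast or from any Cisco
tool. It models the IOS semantics the slide describes (deny = bypass the
redirect, permit = redirect) and the AirOS inversion (permit = bypass,
deny = redirect), then pushes a few constructed flows through a
constructed ACL. The PSN address 10.1.1.10, portal port 8443 and all
client/server addresses are constructed sample values.
"""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' from a token list."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    wild = int(ipaddress.IPv4Address(tok[1]))
    prefix = bin(~wild & 0xFFFFFFFF).count("1")    # contiguous wildcards only
    return ipaddress.ip_network("%s/%d" % (tok[0], prefix), strict=False), tok[2:]


def _parse_port(tok):
    """Consume an optional 'eq <port>'; return (port or None, rest)."""
    if tok and tok[0] == "eq":
        name = tok[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tok[2:]
    return None, tok


def parse_acl(text):
    """Parse 'show ip access-list'-style output into entry dicts, in order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():            # drop the sequence number
            tok = tok[1:]
        if not tok or tok[0] not in ("permit", "deny"):
            continue                            # header or blank line
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _parse_addr(tok)
        sport, tok = _parse_port(tok)
        dst, tok = _parse_addr(tok)
        dport, tok = _parse_port(tok)
        entries.append(dict(action=action, proto=proto, src=src, sport=sport,
                            dst=dst, dport=dport, text=line.strip()))
    return entries


def _matches(e, flow):
    if e["proto"] not in ("ip", flow["proto"]):
        return False
    if ipaddress.ip_address(flow["src"]) not in e["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in e["dst"]:
        return False
    if e["sport"] is not None and e["sport"] != flow["sport"]:
        return False
    return e["dport"] is None or e["dport"] == flow["dport"]


def decide(entries, flow, platform="ios"):
    """Return 'redirect' or 'bypass' for one flow; no match is the implicit deny."""
    action = "deny"
    for e in entries:
        if _matches(e, flow):
            action = e["action"]
            break
    if platform == "airos":                     # slide 82: everything is backwards
        return "bypass" if action == "permit" else "redirect"
    return "redirect" if action == "permit" else "bypass"


def lint(entries, psn_ip, portal_port=8443, platform="ios"):
    """Return the Golden Rule checks that fail; an empty list means the ACL is sane."""
    client = "10.20.30.40"                      # constructed guest address
    cases = [
        ("DHCP must bypass", "bypass",
         dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67)),
        ("DNS must bypass", "bypass",
         dict(proto="udp", src=client, sport=51000, dst="10.0.0.53", dport=53)),
        ("portal traffic to the PSN must bypass (else redirect loop)", "bypass",
         dict(proto="tcp", src=client, sport=51001, dst=psn_ip, dport=portal_port)),
        ("plain HTTP must be redirected", "redirect",
         dict(proto="tcp", src=client, sport=51002, dst="203.0.113.10", dport=80)),
    ]
    failures = []
    for name, want, flow in cases:
        got = decide(entries, flow, platform)
        if got != want:
            failures.append("%s: got %s" % (name, got))
    return failures


# Constructed ACL mirroring the slide's ACL_WEBAUTH_REDIRECT with the PSN filled in.
GOOD_ACL = """
Extended IP access list ACL_WEBAUTH_REDIRECT
    5 deny udp any eq bootpc any eq bootps
    10 deny udp any any eq domain
    20 deny tcp any host 10.1.1.10 eq 8443
    30 permit ip any any
"""
# Constructed broken variant: no DHCP or PSN exception, so the portal loops.
LOOPING_ACL = """
    10 deny udp any any eq domain
    20 permit ip any any
"""

if __name__ == "__main__":
    print("good:", lint(parse_acl(GOOD_ACL), "10.1.1.10"))
    print("broken:", lint(parse_acl(LOOPING_ACL), "10.1.1.10"))
```

Feeding the same IOS-style ACL with platform="airos" shows the inversion the footnote warns about: the DNS deny line becomes a redirect.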


84-88 Initial Configuration Requirements (screenshots): On 8.0 and higher, Interim Update enabled and set to a 0 interval. On earlier codes, disable interim updates.

89 Make Sure CoA is Enabled. CSCux37498: CoA with WLC shows an error message on the ISE server. Purely cosmetic: if you check the client status in the controller you should see the client in the RUN state. Fixed in 8.0(122.47), 8.0(132.0), 8.2(111.2), 8.2(113.2), 8.2(121.0), 8.3(102.0), 8.3(15.34).

90 Initial Authorization Working


92-93 Ok, now my client doesn't go anywhere. Lovingly referred to as the Sad Dinosaur error from a previous TAC case. The redirect sequence:
1. DNS query for purple.com
2. 3-way handshake intercepted by the network device (NAD)
3. HTTP GET for anything
4. Wired: 302 Redirect; Wireless: 200 OK
5. DNS query for the ISE PSN
6. 3-way handshake on the portal
Quick tip! Try substituting IP addresses for DNS names to bypass DNS lookups.

94-99 Wireshark. Oops! The DHCP server handed back the wrong DNS server. We'll update to the proper DNS server and try again. Ok, now the DNS server is the proper one, but I'm still having issues.
rtp12-shertica-sw#sh ru | inc http
ip http server
ip http access-class 5
ip http secure-server
rtp12-shertica-sw#sh ip access-l 5
Standard IP access list 5
10 permit , wildcard bits
(The http access-class limits which sources the switch's HTTP server answers, so the guest's intercepted GET never gets its redirect.) Disable web management access and other modules:
ip http secure-active-session-modules none
ip http active-session-modules none
Other issues could include, but aren't limited to: DNS isn't allowed through the redirect ACL; ip http server is disabled; IP device tracking isn't working (no IP address in show auth sess); no Layer 3 IP address on the switch; the Auth-default-acl is blocking traffic to ISE.

100-106 Layer 3 Address on a different VLAN than the Client (diagram: switch SVI Vlan, ports Gi0/ and Gi0/, PC: /24 on Vlan 10):
1. SYN from Client to [Anywhere], VLAN 10.
2. SYN-ACK from [Anywhere] to Client, VLAN 5.
3. SYN-ACK from [Anywhere] to Client, VLAN 10.
4. SYN-ACK from [Anywhere] to Client, VLAN 10.
TCP State Bypass.

107 IPDT? On 15.2(1) and later IPDT is enabled as needed. Earlier codes require the global config ip device tracking. IP Device Tracking is used to map the Layer 2 MAC address to a Layer 3 IP address. Without this mapping, when an HTTP GET is intercepted by the CPU we're unable to determine which authz policy the IP address is mapped to, and subsequently what unique URL is provided to the client. IPDT works by listening to ARP, or by relying on DHCP Snooping if configured. IPDT is the source of Windows complaining that a duplicate address exists. You can configure a delay before IPDT probes start with ip device tracking probe delay 10.

108 Auth-Default-ACL? An 802.1x closed mode port will generate an Auth-Default-ACL that's used to permit or deny traffic post authentication if there is no ACL applied on the interface. An 802.1x open mode port will generate an Auth-Default-ACL-OPEN with permit ip any any if there is no ACL applied on the interface. Any dACL from ISE will be inserted at the top of the auth-default-acl. If multiple endpoints are connected to the same switch, and IPDT learns the source IP, the switch will take the source statement <any> in the dACL and replace it with the specific host, making a unique per-user ACL.


110-114 Working Wireshark: Walking through the capture, there are really four steps when it comes to redirection:
1. Initial DNS
2. NAD spoofing TCP
3. DNS for ISE
4. ISE portal traffic

115 Portal Page Looping? If your redirect portal is looping, it's time to revisit your policies. Make sure whatever conditions you're trying to match on are actually being passed. The magnifying glass is your friend!

116 Captive Portal OS Detection: Lots of modern operating systems will try to reach a static site on the Internet to determine whether the user has full access on joining any network. Microsoft, for example, attempts to reach its static check page; if the page returns "Microsoft NCSI" exactly, the device knows it can access the Internet freely. If the page returns an HTTP 302 redirect or anything else weird, with 8.1 and above a separate pop-up appears indicating to the user that a different set of credentials may be required to join the network. Source: Brandtk Deviant Art. If the user clicks the prompt, the default browser in the OS opens and navigates to the redirect.

117 Captive Portal OS Detection: Not all browsers operate in this fashion, however. Mobile devices like Android or iDevices make similar call-home checks. However, if the device detects it's stuck in a redirect flow, instead of opening the default browser it automatically opens a pseudo-browser that doesn't support all the native intricacies of modern web programming. As a result, many advanced BYOD flows will fail with ISE. Basic flows (CWA or Hotspot) can still work, but your mileage will vary. The only supported browsers for guest flows on mobile devices are fully-fledged browsers. Source: Brandtk Deviant Art

118 Captive Portal OS Detection: Web-Auth captive-bypass on the controllers fixes the pseudo-browser problem. The client device (Apple iOS device) sends a WISPr request to the controller, which checks the user-agent details and then triggers an HTTP request with a web authentication interception in the controller. After verification of the iOS version and the browser details provided by the user agent, the controller allows the client to bypass the captive portal settings and provides access to the Internet. show network summary (Full Network Access!!!); config network web-auth captive-bypass enable. Source: Brandtk Deviant Art. Toggling this setting requires a controller reload.

119 Polling Question 3: Which certificate role protects the posture/provisioning port 8905? A. Admin B. Portal C. EAP D. pxGrid

120 Certificate issues

121 Certificate roles:
- ADMIN: port 443, admin GUI, authentication of the nodes (joining the deployment)
- PORTAL: port 8443 by default for guest/sponsor/client posture and provisioning portals
- EAP: used for EAP authentications, presented by ISE to the endpoint
- pxGrid: integration with Firepower, WSA etc.
- Posture and provisioning (port 8905): the ADMIN role certificate is always used

122 When uploading a new certificate: Use the base64-encoded format (PEM), not DER. Make sure you upload the whole chain to ISE. Upload one certificate at a time, not the whole chain in one file.

123 FQDN other than the ISE node: A new FQDN for each portal? The important thing is that the URL on each node needs to be unique. Do not use .local: a public CA will not sign it, and Apple iOS will not resolve the URL via DNS or the local hosts file. 2 different guest portals x 3 ISE nodes = 6 certificates to issue, export, sign, import.

124 Wildcard certificates: Maybe it's good to consider a wildcard certificate? guest1.ise.example.com for node 1, sponsor1.ise.example.com for node 1, guest2.ise.example.com for node 2, sponsor2.ise.example.com for node 2: all can be covered by one certificate with the wildcard *.ise.example.com. You can put the wildcard in the Subject Alternative Name (SAN) field of the certificate. Per the ISE user guide, we recommend the wildcard character in the SAN field but not in the Subject Name (CN) of the cert. How to install a wildcard certificate:

125-126 What are certificate tags? ISE can have multiple portals running on the same port. If we want to use different certificates, we need to use different ports. Certificate tags define which certificate will be used for the portal. One port can use only one certificate.

127 CSCut12983 Unable to delete certificate with Default Portal Certificate Group tag. Symptom: Unable to delete a certificate with the Default Portal Certificate group tag. Error: "Portal certificate that is currently in use cannot be deleted. Change the portal configuration and try again." Conditions: All portals seen from the GUI are mapped to a different group tag; one of the previous portals on ISE 1.3 was deleted from the GUI. Workaround: None from the GUI. Open a TAC case to correct the DB reference for the Default Portal Certificate group tag; this has the ability to cause database corruption. Fix is in ISE 1.4.

128-133 Trust issues? Instead of the guest portal, the guest gets a warning in the browser.

134-138 ISE portals always use TLS. Guests coming to your network will not have your private CA certificate! Use a public CA to sign your guest certificate. Check if the correct certificate is presented. Check the certificate: does the URL match the CN or the SAN? Another cause: an IP address in the URL instead of the FQDN while the certificate does not have the IP address in the SAN field.

139 WLC anchor / foreign scenario

140 WLC Mobility and ISE CWA and Auto Anchor: The Anchor/Foreign design allows you to land the traffic of guest users in a restricted part of the network, e.g. a DMZ.

141-147 WLC Mobility and ISE CWA and Auto Anchor (diagram: Anchor and Foreign controllers, CAPWAP tunnel, EtherIP tunnel, mobility exchange):
1. User connects to the SSID.
2. Foreign sends an Access-Request to ISE (MAB Req/Resp).
3. As a result, Foreign gets the Redirect-URL/ACL.
4. Mobility exchange: Anchor applies the redirect attributes to the user. Client on Foreign: RUN; client on Anchor: WEBAUTH_REQD.
5. HTTP request to the Internet over the EtherIP tunnel; the Anchor answers with the web redirect (HTTP 302). Foreign sends Accounting-Start; Anchor sends Accounting-Start.
6. Guest auth on ISE: the user logs in to the guest portal.
7. CoA Reauth: ISE sends the CoA to the last NAS from which information about the session was received. If it is sent to the Anchor, the user will be stuck in the WEBAUTH_REQD state; this is why accounting should be disabled on the Anchor. After the reauth the client on the Anchor moves to RUN.
8. Client on Anchor: RUN; client on Foreign: RUN. Traffic allowed.

148 WLC Mobility and ISE CWA and Auto Anchor. Remember that: RADIUS communication takes place between the Foreign and ISE; user data traffic lands on the Anchor; redirection happens on the Anchor. Best practices: the authentication server can be configured on both WLANs (Anchor and Foreign); accounting must be enabled only on the Foreign; the redirect ACL needs to be defined on both; on the Foreign the ACL can be empty, only the name matters.
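The CoA targeting rule from slides 145 and 148, as an added example written for this page (it is a toy model, not ISE or WLC code). It tracks which NAS last reported the session and shows why enabling accounting on the Anchor sends the CoA Reauth to the wrong controller and leaves the client in WEBAUTH_REQD. The controller names, the session id and the simplified state transition in `apply_coa` are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FOREIGN, ANCHOR = "wlc-foreign", "wlc-anchor"     # constructed controller names


@dataclass
class Session:
    session_id: str
    last_nas: Optional[str] = None                 # last NAS that reported this session
    events: List[str] = field(default_factory=list)


class IseModel:
    """Minimal model of the rule 'CoA goes to the last NAS the session was heard from'."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def access_request(self, sid: str, nas: str) -> str:
        """MAB from the Foreign; the reply carries the redirect URL/ACL (slides 141-142)."""
        s = self.sessions.setdefault(sid, Session(sid))
        s.last_nas = nas
        s.events.append(f"Access-Request from {nas} -> Access-Accept with url-redirect")
        return "url-redirect"

    def accounting_start(self, sid: str, nas: str) -> None:
        """Accounting moves the session's last NAS to whichever controller sent it."""
        s = self.sessions[sid]
        s.last_nas = nas
        s.events.append(f"Accounting-Start from {nas}")

    def guest_login(self, sid: str) -> str:
        """Portal login succeeds: ISE sends CoA Reauth to the last NAS (slides 144-145)."""
        s = self.sessions[sid]
        s.events.append(f"CoA Reauth sent to {s.last_nas}")
        return s.last_nas


def apply_coa(target: str) -> str:
    """Resulting client state on the Anchor.

    Only the Foreign authenticated the client, so a CoA delivered there triggers
    the re-authentication and the mobility exchange that moves the Anchor's copy
    of the client to RUN. A CoA delivered to the Anchor has no RADIUS session to
    re-authenticate, so the Anchor keeps the client in WEBAUTH_REQD.
    """
    return "RUN" if target == FOREIGN else "WEBAUTH_REQD"


def run_guest_flow(accounting_on_anchor: bool) -> dict:
    """Replay slides 141-147 with accounting on the Foreign only, or on both."""
    ise = IseModel()
    sid = "0a0a0a0a00000001"                   # constructed Audit-Session-Id
    ise.access_request(sid, FOREIGN)
    ise.accounting_start(sid, FOREIGN)         # slide 143: Foreign Accounting-Start
    if accounting_on_anchor:
        ise.accounting_start(sid, ANCHOR)      # slide 143: Anchor also sends it
    target = ise.guest_login(sid)
    return {
        "coa_target": target,
        "anchor_client_state": apply_coa(target),
        "events": ise.sessions[sid].events,
    }


if __name__ == "__main__":
    for on_anchor in (False, True):
        result = run_guest_flow(on_anchor)
        print(f"accounting on anchor={on_anchor}: CoA to {result['coa_target']}, "
              f"anchor client state {result['anchor_client_state']}")
```

When troubleshooting a stuck guest, the quick check that mirrors this model is to look at the session's NAS IP on the ISE live log just before the CoA: if it shows the Anchor, accounting is still enabled on the Anchor WLAN.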

149 Common ISE Defects

151 CSCuh22029 Endpoints (Windows OS) have issues with a wildcard certificate when the CN contains *. This bug concerns using a wildcard certificate for the EAP role. Not an ISE issue! Symptom: some endpoint devices (Windows OS) have issues with a wildcard certificate when the CN contains * (star) as the wildcard; the PEAP authentication fails with "12511 Unexpectedly received TLS alert message; treating as a rejection by the client". Conditions: the wildcard certificate contains * (star) as the wildcard in the CN. Workaround: create the certificate without * (star) in the CN, e.g. CN=aaa.cisco.com, and put the wildcard in the SAN.

152 iPhone BYOD issues

153 iPhone BYOD issues. Provisioning works on port 8905. During BYOD the iPhone installs an XML profile that contains the data needed to generate the CSR. The profile is signed by the ISE Admin certificate chain (diagram: signed by the certificate with the Admin role).

155 CSCut63262 ISE BYOD: Apple iOS does not accept a certificate chain with 4 certificates. Symptom: this bug has been created to track a problem on Apple iOS. Apple iOS accepts a certificate chain with 4 certificates correctly when using HTTP, but it does not accept a SCEP response signed by the HTTP certificate when the chain consists of 4 certificates. When performing BYOD with ISE, Apple iOS 8.2 will not accept an HTTPS certificate whose chain consists of more than 3 certificates. If ISE HTTP is protected by a certificate signed with subCA + subCA + CA, Apple iOS will not accept that profile and will not proceed with the SCEP request. Workaround: use an ISE HTTP certificate with up to 3 certificates in the chain. (diagram: chain longer than 3: ROOT CA, SUB CA 1, SUB CA 2, ISE Admin Certificate)

156 Hotspot guest portal. Symptoms: clients complain that it takes a long time after they accept the AUP to get Internet access; client devices switch to another SSID after the AUP is accepted.

157 Hotspot guest portal (diagram of the flow): the endpoint connects to the SSID and does MAB (RADIUS Access-Request, then Access-Accept with URL + ACL); HTTPS session to the guest portal; after the AUP is accepted ISE sends a CoA Reset (Admin-Reset) and the endpoint is disconnected by the WLC. The endpoint has to connect back and do DHCP again.

158 Hotspot guest portal (same flow): after the CoA Reset disconnect, the endpoint switches to its preferred network, which is a different SSID.

159 CSCut93791 This is because on the hotspot portal the CoA type sent is Reset. This means that the client is disconnected from the SSID and needs to associate again. An enhancement is open to change the CoA type to Reauth. Fixed in ISE 2.1 patch 1.
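The difference between the two CoA types on the wire, as an added example (not code from the webcast, ISE or the WLC). It builds RFC 5176 packets so that a capture taken on the WLC side can be classified: the hotspot "Reset" is modelled here as a Disconnect-Request (code 40) carrying Acct-Terminate-Cause = Admin-Reset, and "Reauth" as a CoA-Request (code 43) carrying the Cisco `subscriber:command=reauthenticate` AVPair. That mapping, the shared secret, the username, MAC and session id are assumptions made for the example; the authenticator computations follow RFC 5176 section 3 and RFC 3579.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST = 40      # used here for the hotspot "Reset" (assumption)
COA_REQUEST = 43             # used here for "Reauth" (assumption)

# RADIUS attribute types used below (RFC 2865/2866/3579)
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44
ACCT_TERMINATE_CAUSE, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 49, 26, 80
ADMIN_RESET = 6              # Acct-Terminate-Cause value the slide calls Admin-Reset
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _cisco_avpair(text: str) -> bytes:
    raw = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(raw) + 2) + raw
    return _attr(VENDOR_SPECIFIC, vsa)


def _build(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Add Message-Authenticator and Request Authenticator (RFC 5176 section 3)."""
    attrs_ma0 = attrs + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_ma0))
    # Message-Authenticator: HMAC-MD5 over the packet with the Request
    # Authenticator and the Message-Authenticator value both zeroed.
    ma = hmac.new(secret, header + b"\x00" * 16 + attrs_ma0, hashlib.md5).digest()
    attrs_final = attrs + _attr(MESSAGE_AUTHENTICATOR, ma)
    # Request Authenticator: MD5(Code+ID+Length+16 zero octets+Attributes+Secret).
    req_auth = hashlib.md5(header + b"\x00" * 16 + attrs_final + secret).digest()
    return header + req_auth + attrs_final


def _session_attrs(username: str, mac: str, session_id: str) -> bytes:
    return (_attr(USER_NAME, username.encode())
            + _attr(CALLING_STATION_ID, mac.encode())
            + _attr(ACCT_SESSION_ID, session_id.encode()))


def build_reset(secret: bytes, identifier: int, username: str, mac: str, session_id: str) -> bytes:
    """'Reset': Disconnect-Request with Admin-Reset; the client has to re-associate and re-DHCP."""
    attrs = _session_attrs(username, mac, session_id) + _attr(ACCT_TERMINATE_CAUSE, struct.pack("!I", ADMIN_RESET))
    return _build(DISCONNECT_REQUEST, identifier, attrs, secret)


def build_reauth(secret: bytes, identifier: int, username: str, mac: str, session_id: str) -> bytes:
    """'Reauth': CoA-Request with the Cisco reauthenticate AVPairs; the association stays up."""
    attrs = (_session_attrs(username, mac, session_id)
             + _cisco_avpair("subscriber:command=reauthenticate")
             + _cisco_avpair("subscriber:reauthenticate-type=last"))
    return _build(COA_REQUEST, identifier, attrs, secret)


def parse(packet: bytes) -> dict:
    """Decode code and attributes; Cisco VSAs come back as ('cisco-avpair', text)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + l]
        if t == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            attrs.append(("cisco-avpair", value[6:].decode()))
        elif t == ACCT_TERMINATE_CAUSE:
            attrs.append(("Acct-Terminate-Cause", struct.unpack("!I", value)[0]))
        elif t == MESSAGE_AUTHENTICATOR:
            attrs.append(("Message-Authenticator", value.hex()))
        else:
            attrs.append((t, value.decode(errors="replace")))
        pos += l
    return {"code": code, "id": identifier, "attrs": attrs}


def verify(packet: bytes, secret: bytes) -> bool:
    """Check both authenticators, as a NAD does before acting on a CoA."""
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    if not hmac.compare_digest(expected, req_auth):
        return False
    zeroed, pos, ma = bytearray(attrs), 0, None
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if t == MESSAGE_AUTHENTICATOR:
            ma = bytes(attrs[pos + 2:pos + l])
            zeroed[pos + 2:pos + l] = b"\x00" * 16
        pos += l
    if ma is None:
        return False
    calc = hmac.new(secret, header + b"\x00" * 16 + bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(calc, ma)


def coa_kind(packet: bytes) -> str:
    """Classify a captured CoA: 'reset' (client drops) or 'reauth' (client stays associated)."""
    p = parse(packet)
    if p["code"] == DISCONNECT_REQUEST:
        return "reset"
    if p["code"] == COA_REQUEST and ("cisco-avpair", "subscriber:command=reauthenticate") in p["attrs"]:
        return "reauth"
    return "other"
```

In a packet capture between the PSN and the WLC, a code 40 right after the AUP acceptance is the behaviour this bug describes; after the fix a code 43 with the reauthenticate AVPair should appear instead, and the client keeps its association and DHCP lease.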

160 Google Play store 1. Endpoint connects to the BYOD portal 2. Tries to open the Play store 3. The Play store will not open

161 WLC ACL entries: [IP prefixes on the slide, including a /16 (possibly) and a /8, not recoverable from the transcription] android.clients.google.com, play.google.com, ggpht.com, android.pool.ntp.org, market.android.com, mtalk.google.com, *.android.clients.google.com, *.*.android.clients.google.com, *.gstatic.com (for bypassing the Internet check on Android; disables the mini-browser popup). NOTE: when doing DNS ACLs for countries outside the US, try the following: add .*.* for the domain extensions: google.*.* android.clients.google.*.*

162 DNS based ACL. At the client authentication phase, the ISE server returns the pre-authentication ACL (url-redirect-acl). DNS snooping is performed on the AP for each client until registration is complete and the client is in the SUPPLICANT PROVISIONING state. When the ACL configured with the URLs is received on the Cisco WLC, a CAPWAP payload is sent to the AP enabling DNS snooping for the client and the URLs to be snooped. Note: it is not supported in the Anchor/Foreign scenario.
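A matcher for the DNS-based ACL entries listed on slide 161, as an added example written for this page (it is not the WLC's or the AP's snooping code). It evaluates constructed DNS names seen during onboarding against the entry list and shows which wildcard form each one needs, including the `.*.*` suffix trick for non-US Google domains. The wildcard semantics assumed here are that `*` matches exactly one label and that comparison is on whole labels; whether the real AP matches the same way is an assumption.

```python
from typing import List, Optional

# Constructed DNS ACL, modelled on the Google Play list on slide 161.
DNS_ACL = [
    "android.clients.google.com",
    "play.google.com",
    "ggpht.com",
    "android.pool.ntp.org",
    "market.android.com",
    "mtalk.google.com",
    "*.android.clients.google.com",
    "*.*.android.clients.google.com",
    "*.gstatic.com",
    "google.*.*",                    # non-US TLDs such as google.co.uk
    "android.clients.google.*.*",
]

# Constructed queries an Android client might issue while on the BYOD ACL.
SNOOPED_QUERIES = [
    "play.google.com",
    "www.gstatic.com",
    "a1.b2.android.clients.google.com",
    "google.co.uk",
    "www.google.co.uk",
    "gstatic.com",
    "updates.example.net",
]


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def dns_acl_permits(name: str, acl: List[str] = DNS_ACL) -> Optional[str]:
    """Return the first ACL entry that matches the snooped name, or None.

    Assumed semantics: '*' stands for exactly one label, so '*.gstatic.com'
    permits www.gstatic.com but neither gstatic.com nor a.b.gstatic.com.
    """
    host = _labels(name)
    for entry in acl:
        pattern = _labels(entry)
        if len(pattern) == len(host) and all(p == "*" or p == h for p, h in zip(pattern, host)):
            return entry
    return None


def evaluate(names: List[str] = SNOOPED_QUERIES, acl: List[str] = DNS_ACL) -> dict:
    """Map each snooped name to the entry that permitted it (None = would be blocked)."""
    return {n: dns_acl_permits(n, acl) for n in names}


if __name__ == "__main__":
    for name, entry in evaluate().items():
        print(f"{name:36} -> {entry or 'BLOCKED'}")
```

Names that come back as blocked are the ones to look for in the AP's DNS snooping debug when the Play store hangs: each extra label needs its own `*`, which is why the slide lists both `*.android.clients.google.com` and `*.*.android.clients.google.com`.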

163 Android app cannot find ISE. Check whether 4G data is enabled; some Android devices will prefer it for the connection. Disable 4G during BYOD.

164 What is the point of posturing endpoints? Polling Question 4 A. Configure the dot1x supplicant without user interaction B. Ensure endpoints are up-to-date before granting network access C. Synergize security solutions across dynamic environments D. To avoid endpoints having to visit the chiropractor

165 Posture Phases. Discovery: tries to redirect to ISE to get the session ID. Hard-coded to enroll.cisco.com, the default gateway, or the discovery host if set, on port 80. The discovery host should NEVER be a PSN node!

166 Posture Phases. Client Provisioning: checks to see if new versions are available to download for AnyConnect, the NAC Agent, or the Compliance Module.

167 Posture Phases. Posture Enforcement: checks the posture rules against the local machine. If any mandatory requirements fail, the client tries to auto-remediate or instructs the user on how to fix them.

168 Posture Considerations. If you're having issues, make sure TCP 8905/8443 and UDP 8905 are open. Try swapping to a different NAC Agent/AnyConnect version. Try swapping to a different compliance module. Posture on ASA after 9.2(1) is easiest; it supports RADIUS CoA. If earlier than 9.2(1), an IPN (Inline Posture Node) from ISE is required; the IPN is not supported after ISE 2.0. If split-tunnel, include enroll.cisco.com. Auto-remediation relies on the individual software to update!

169 Useful links: Demystifying RADIUS Server Configurations; TECSEC Identity Services Engine 1.3 Best Practices (free Cisco Live account required); ISE Traffic Redirection on the Catalyst 3750 Series Switch; BRKSEC Deploying ISE in a Dynamic Public Environment (free Cisco Live account required); Configure the RADIUS Server Fallback Feature on Wireless LAN Controllers; Wired 802.1X Deployment Guide; 802.1x DACL, Per-User ACL, Filter-ID, and Device Tracking Behavior; ISE Profiling Design Guide; Integrating Aruba Wireless Networks with Cisco Identity Service Engine; Network Access Device Profiles with Cisco Identity Services Engine; Prevent Large-Scale Wireless RADIUS Network Melt Downs; Cisco CLI Analyzer (free Cisco.com account required)


Configure to Secure a Flexconnect AP Switchport with Dot1x Configure to Secure a Flexconnect AP Switchport with Dot1x Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Verify Troubleshoot Introduction This document describes

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

!! Configuration of RFS4000 version R!! version 2.3!! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10

!! Configuration of RFS4000 version R!! version 2.3!! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10 Configuration of RFS4000 version 5.5.1.0-017R version 2.3 ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic" permit udp any eq 67

More information

Policy User Interface Reference

Policy User Interface Reference Authentication, page 1 Authorization Policy Settings, page 4 Endpoint Profiling Policies Settings, page 5 Dictionaries, page 9 Conditions, page 11 Results, page 22 Authentication This section describes

More information

Cisco.Actualtests v by.Ralph.174.vce

Cisco.Actualtests v by.Ralph.174.vce Cisco.Actualtests.300-208.v2015-07-08-2015.by.Ralph.174.vce Number: 300-208 Passing Score: 848 Time Limit: 120 min File Version: 1.0 Implementing Cisco Secure Access Solutions Version: 6.0 Went through,

More information

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3 Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3 Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Configuration Declare RADIUS Server on WLC Create

More information

Configure Maximum Concurrent User Sessions on ISE 2.2

Configure Maximum Concurrent User Sessions on ISE 2.2 Configure Maximum Concurrent User Sessions on ISE 2.2 Contents Introduction Prerequisites Requirements Components Used Background information Network Diagram Scenarios Maximum Sessions per User Configuration

More information

TECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2

TECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2 HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS Version 2 CONTENTS Introduction... 7 Background information... 7 Requirements... 7 Network diagram... 7 VLANs... 8 Switch configuration... 8 Initial setup...

More information

Juniper Networks Access Control Release Notes

Juniper Networks Access Control Release Notes Juniper Networks Access Control Release Notes Unified Access Control 4.4R8 UAC Build # 23799 OAC Version 5.60.23799 This is an incremental release notes describing the changes made from C4.4R1 release

More information

Configuring F5 LTM for Load Balancing Cisco Identity Service Engine (ISE)

Configuring F5 LTM for Load Balancing Cisco Identity Service Engine (ISE) Configuring F5 LTM for Load Balancing Cisco Identity Service Engine (ISE) Craig Hyps Principal Technical Marketing Engineer, Cisco Systems Cisco Communities https://communities.cisco.com/docs/doc-64434

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Cisco.Actualtests v by.Ralph.174.vce

Cisco.Actualtests v by.Ralph.174.vce Cisco.Actualtests.300-208.v2015-07-08-2015.by.Ralph.174.vce Number: 300-208 Passing Score: 848 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ Implementing Cisco Secure Access Solutions

More information

Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM. Author: John Eppich

Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM. Author: John Eppich Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM Author: John Eppich Table of Contents About This Document... 4 Solution Overview... 5 Technical Details... 6 Cisco ISE pxgrid Installation... 7 Generating the

More information

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B FortiNAC Cisco Airespace Wireless Controller Integration Version: 8.x Date: 8/28/2018 Rev: B FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET KNOWLEDGE

More information

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

Web Authentication Proxy on a Wireless LAN Controller Configuration Example Web Authentication Proxy on a Wireless LAN Controller Configuration Example Document ID: 113151 Contents Introduction Prerequisites Requirements Components Used Conventions Web Authentication Proxy on

More information

Cisco TrustSec How-To Guide: Phased Deployment Overview

Cisco TrustSec How-To Guide: Phased Deployment Overview Cisco TrustSec How-To Guide: Phased Deployment Overview For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2

More information

Guest Management. Overview CHAPTER

Guest Management. Overview CHAPTER CHAPTER 20 This chapter provides information on how to manage guest and sponsor accounts and create guest policies. This chapter contains: Overview, page 20-1 Functional Description, page 20-2 Guest Licensing,

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 300-208 Exam Questions & Answers Number: 300-208 Passing Score: 800 Time Limit: 120 min File Version: 38.4 http://www.gratisexam.com/ Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access

More information

Configure Client Provisioning

Configure Client Provisioning in Cisco ISE, on page 1 Client Provisioning Resources, on page 2 Add Client Provisioning Resources from Cisco, on page 3 Add Cisco Provided Client Provisioning Resources from a Local Machine, on page 4

More information

Securing Wireless LAN Controllers (WLCs)

Securing Wireless LAN Controllers (WLCs) Securing Wireless LAN Controllers (WLCs) Document ID: 109669 Contents Introduction Prerequisites Requirements Components Used Conventions Traffic Handling in WLCs Controlling Traffic Controlling Management

More information

How to social login with Aruba controller. Bo Nielsen, CCIE #53075 (Sec) December 2016, V1.00

How to social login with Aruba controller. Bo Nielsen, CCIE #53075 (Sec) December 2016, V1.00 Bo Nielsen, CCIE #53075 (Sec) December 2016, V1.00 Overview This short document describes the basic setup for social login using Aruba ClearPass and Aruba wireless LAN controller. Aruba ClearPass, version

More information

CMX Connected Experiences- Social, SMS and Custom Portal Registration Configuration Example

CMX Connected Experiences- Social, SMS and Custom Portal Registration Configuration Example CMX Connected Experiences- Social, SMS and Custom Portal Registration Configuration Example Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Configurations Authentication

More information