How To's - Authenticate users without 802.1X
Hi there, in this post we’re going to see how to provide access for users who don’t have a supplicant (the fancy name for the software or feature on the endpoint that supports 802.1X). This post is a follow-up to the previous one, How To's - Manage Network Access with ISE 2.7, and I highly recommend reading it before following this one, as some commands have already been covered there.
In this one, we’re going to use MAB and EasyConnect to authenticate the users. Let’s get ready to rumble.
For this lab, I added one PC just to make things a bit more interesting. The port where the Guest PC is connected has the same configuration as the other ports (for simplicity).
On the SW we have to add the following config so the switch accepts Change of Authorization (CoA) requests from ISE, which EasyConnect relies on to re-authorize a session once the user has logged in. The server-key must match the RADIUS shared secret configured for this switch in ISE:
aaa server radius dynamic-author
 ! the client has to be the ISE IP address
 client 192.168.234.23
 server-key admin1234
Now let’s start playing with ISE portal.
We have to add the GuestPC MAC address to the ISE identity store by going to Work Centers > Network Access > Identities, clicking Add (the plus symbol) and typing the MAC address.
Next, let’s add a new authentication and authorization rule above the other rules by going to Policy > Policy Sets > Wired.
MAB configuration is done.
Now let’s start configuring EasyConnect by enabling the service in Administration > System > Deployment > ISE: Enable Passive Identity Service.
Next we’ll configure identity mapping by navigating to Work Centers > PassiveID > Providers.
Click on the server name.
In the PassiveID tab, click on Add DCs.
In the Credentials section, enter the username and password for the DC and select WMI as the protocol. Click Configure and then Save. An updated table is displayed with the newly defined DC included in the list of DCs.
Next we’ll create a new Allowed Protocols profile in Policy Elements > Authentication > Allowed Protocols.
We’ll enable only Authentication Bypass (Process Host Lookup), since these endpoints are identified by MAC address only.
Now let’s enable the Passive Identity feature for the Marketing and Finance authorization profiles in the Authorization page.
We’ll create a downloadable ACL (DACL) to be assigned to users being authenticated by EasyConnect. The permitted destination host has to be the AD IP. This way the endpoint can only reach the domain controller until the user logs in; ISE learns the user-to-IP mapping from the DC logon events and then re-authorizes the session with the user’s own profile.
Now we'll create another authorization profile for the AD query and link it to this DACL.
Now let’s create the policy set to allow these changes. In Policy > Policy Sets, add a new policy set above the others. Set the condition to be the SW and the port where CRP-PC2 is connected. For Allowed Protocols, select the one created earlier.
Now let's create the authentication and authorization policy.
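To make the two flows concrete, here is a small Python model (added for this post; it is not ISE or Cisco code) of what the policies above do: a known MAC gets its MAB profile, an unknown MAC on the CRP-PC2 port gets the AD_Query profile with the AD-only DACL, and a DC logon event learned by PassiveID triggers a CoA to the user's Marketing or Finance profile. The AD address, port name and profile names are constructed placeholders.

```python
# Toy model of the two flows configured above: plain MAB for a known MAC and
# EasyConnect for an unknown MAC on the CRP-PC2 port (added illustration, not ISE code).
from dataclasses import dataclass

AD_IP = "192.168.234.10"                  # constructed: the AD/DC host the DACL must permit
AD_ONLY_DACL = (f"permit ip any host {AD_IP}", "deny ip any any")
EASYCONNECT_PORTS = {("SW", "Gi1/0/3")}   # constructed: the port CRP-PC2 is connected to

def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:... and return ISE's colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class Session:
    mac: str
    ip: str
    profile: str          # authorization profile ISE returned for this session
    dacl: tuple = ()      # downloadable ACL pushed with that profile (empty = none)
    user: str = ""        # filled in once PassiveID maps the IP to a user

class IseModel:
    def __init__(self, known_macs, user_profiles):
        self.known_macs = {normalize_mac(m) for m in known_macs}  # identity store
        self.user_profiles = user_profiles   # AD user -> Marketing / Finance profile
        self.sessions: dict[str, Session] = {}   # keyed by endpoint IP
        self.coa_sent = []                   # (ip, new profile) CoA pushes to the switch

    def mab_request(self, switch, port, mac, ip):
        """RADIUS Access-Request from the switch with the MAC as the username."""
        m = normalize_mac(mac)
        if m in self.known_macs:                   # MAB rule: identity store hit
            s = Session(m, ip, "Guest_Access")
        elif (switch, port) in EASYCONNECT_PORTS:  # EasyConnect policy set matches
            s = Session(m, ip, "AD_Query", AD_ONLY_DACL)
        else:
            return None                            # Access-Reject
        self.sessions[ip] = s
        return s

    def passive_id_logon(self, ip, user):
        """DC logon event learned over WMI: map IP -> user and push a CoA."""
        s = self.sessions.get(ip)
        if s is None or s.profile != "AD_Query" or user not in self.user_profiles:
            return None
        s.user, s.profile, s.dacl = user, self.user_profiles[user], ("permit ip any any",)
        self.coa_sent.append((ip, s.profile))
        return s
```

Note that a logon event for an IP that has no AD_Query session (for example the GuestPC, already authorized by plain MAB) is ignored, which is the behaviour you want to see in the ISE Live Logs during testing.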
It's time to test, so let's run shut/no shut on the switch port for GuestPC and CRP-PC2. For CRP-PC2, I disabled the 802.1X service.
We can see more detailed output by adding the interface details.
We can also verify these events in ISE.
NOTE: Cisco does not recommend using VLAN change when not using dot1x. There are some options, but for this lab I just disabled the interface and re-enabled it on the PC side.
Cisco: When you change a VLAN assigned to an endpoint, that endpoint must know (somehow) to renew the DHCP request. The best solution is to not use VLAN changes on open networks because there is nothing on the client to detect the VLAN change and trigger the DHCP renewal.
And we have provided user authentication on a network without using 802.1X.
I hope you enjoyed this post, leave your comments below and I'll see you on the next one.
Reference:
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html#wp1042275