This document describes how to configure EasyConnect Authentication with the Identity Services Engine (ISE) 2.1. ISE uses Microsoft Active Directory (AD) as an external identity store to store resources such as users, machines, groups, and attributes.
This document assumes that there is full IP connectivity between the Switch, AD, ISE and the Windows 7 Workstation, and that the ISE Server is bootstrapped.
The information in this document is based on these software and hardware versions:
EasyConnect provides port-based authentication similar to 802.1X, but easier to implement. EasyConnect learns about the authentication from Active Directory and provides session-tracking for active network sessions. Session Directory notifications can be published with PxGrid.
Both EasyConnect and 802.1x can be configured on the same port, but you must have a different ISE policy for each service.
EasyConnect is supported in High Availability mode. It is recommended to have dedicated PSNs for WMI. The best practice is to have two PSNs: one is active and the second is in standby.
All of the PSNs receive the data from the DC, but only one is set as the active one and forwards the events to the MnT. The PSNs elect the active one and automatically handle promotion of the standby in case of a failure. The election of a PSN as primary by the PassiveID Management Service is transparent.
The switch is configured for MAB, which sends an authentication request to the PSN. The PSN replies with limited access, which allows the user to authenticate with Active Directory. The PSN that authenticates the client forwards the information about the MAB authentication and the RADIUS accounting start, interim and stop messages to MnT. The primary PSN (this might not be the authenticating PSN; it is the PSN elected as primary by the PassiveID Management Service) forwards the WMI authentication events to MnT. Once all the data is collected and merged in the session directory by MnT, MnT proxies a CoA request to the authenticating PSN, which forwards the CoA to the NAD and re-evaluates the user for authorization.
In order to configure AD to support the passive identity service, refer to Active Directory Requirements to Support Passive Identity Service.
Permissions differ depending on whether the AD user is part of the Domain Admins group or not.
Step 1. Navigate to Administration > Identity Management > External Identity Stores > Active Directory > Add. Provide the Join Point Name, Active Directory Domain, and click Submit.
Step 2. When prompted to Join all ISE Nodes to this Active Directory Domain, click Yes.
Step 3. Provide AD User Name and Password, click OK.
AD account required for domain access in ISE should have either of these:
Tip: Cisco recommends disabling the lockout policy for the ISE account and configuring the AD infrastructure to send alerts to the admin if a wrong password is used for that account. When the wrong password is entered and the account is locked out, ISE cannot create or modify its machine account when necessary, and all authentications might therefore be denied.
Step 4. Review Operation Status, Node Status should be shown up as Completed, click Close.
Step 5. Status of AD should be Operational.
Step 6. Navigate to Groups > Add > Select Groups From Directory > Retrieve Groups. Select checkboxes for required AD Groups to be referenced in authorization policy.
Note: User hargadmin is a member of Domain Users AD Group. After reassessment is made, Domain Users membership is used in Authorization condition.
Step 7. Click on Save to save retrieved AD Groups.
Step 1. Create an Authorization Profile for Limited Access. Navigate to Policy > Results, select Authorization > Authorization Profiles and add a new one named LimitedAccess.
1. Check the box for Passive Identity Tracking.
2. Add DACL Name and choose the Limited Access DACL allowing DNS, DHCP, ISE, and DC access from the drop-down list and click Save.
Step 2. Create an Authorization Profile for other desired access and save. There is no need for Passive Identity Tracking to be enabled on any other Authorization Profiles, just the initial access.
Step 1. Enable Identity Mapping on your Policy server. Navigate to Administration > Deployment, select a node and under General Settings, enable Enable Identity Mapping, as shown in the image.
Step 2. Create a Policy Set. Navigate to Policy > Policy Sets, and create a new policy set named Ezconnect. Then add those policies:
1. Create an Authentication Policy named EzconnectAuth with condition Wired_MAB.
2. Create an Authorization Policy named Domain_Users, condition AD:ExternalGroups EQUALS example.com/Users/Domain Users.
3. Create an Authorization policy named Ezconnect_Limited, condition Wired_MAB.
As a result of the Limited Access authorization, access to AD should be granted.
Step 1. Navigate to Administration > PassiveID > AD Domain Controller. Click Add. In the General Settings section, enter the Display Name, Domain FQDN and Host FQDN of the DC.
Step 2. In the Credentials section, enter the Username and Password of the DC. Click Save. An updated table is displayed with the newly-defined DC included in the list of DCs. The status column indicates the different states of DC.
Step 3. (Optional) Test the connection to the specified domain by clicking Verify DC Connection Settings. This test ensures that the connection to the DC is healthy. However, it does not check whether Cisco ISE can fetch the user information upon login or not.
Step 4. Click Save.
This configuration ensures that switch performs MAB authentication for the clients connected on port FastEthernet1/0/23.
aaa new-model
!
aaa group server radius ISE-group
server name PSN1
server name PSN2
!
aaa authentication dot1x default group ISE-group
aaa authorization network default group ISE-group
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE-group
!
aaa server radius dynamic-author
client 10.201.228.86 server-key 7 0822455D0A16
client 10.201.228.87 server-key 7 094F471A1A0A
!
interface FastEthernet1/0/23
switchport access vlan 903
switchport mode access
authentication order mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
!
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server PSN1
address ipv4 10.201.228.86 auth-port 1812 acct-port 1813
key 7 13061E010803
!
radius server PSN2
address ipv4 10.201.228.87 auth-port 1812 acct-port 1813
key 7 00071A150754
After successful authentication, both username and IP address should be seen on the switch.
Switch#show authentication sessions interface fastEthernet 1/0/23 details
Interface: FastEthernet1/0/23
MAC Address: 3c97.0e52.3fd3
IPv6 Address: Unknown
IPv4 Address: 10.229.20.122
User-Name: admin
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0AE514F000000017011140BC
Acct Session ID: 0x00000009
Handle: 0xFC000007
Current Policy: POLICY_Fa1/0/23
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Method status list:
Method State
mab Authc Success
ISE should show multiple reports. Logs are described starting from the bottom one:
1. The machine is authenticated via MAB. The Limited Access Authorization Profile is assigned, which allows ICMP, DNS and access to AD.
2. The DACL with Limited Privileges is downloaded to the NAD.
3. ISE learns the username via WMI (because of the IP-to-username mapping on AD) and the AD Groups of the user via LDAP from AD. Since there is an Authorization Rule, and ISE learned new data matching its condition, a CoA is initiated.
4. As a result of the CoA, user admin gets the Secure Access Authorization Profile.
Live Log screenshot
This is the image of the Live Sessions.
In Event Viewer, events 4768 and 4769 should be seen; they are the result of successful user authentication.
In order to review logs on the PSN for WMI, change logging to debug level for the component PassiveID.
passiveid-mgmt.log file shows which PSN is elected as primary.
psn1-21/admin# sh logging application passiveid-mgmt.log tail
2016-07-04 21:34:15,856 INFO [admin-http-pool187][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: The node 'psn2-21.example.com' was selected as primary.
2016-07-04 21:34:15,856 INFO [admin-http-pool187][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: This node (psn1-21.example.com) was selected as standby.
Based on the above, we need to review psn2-21 logs for WMI Auth and since psn1-21 is handling the auth request from NAD, psn1-21 logs have to be reviewed for MAB auth.
The passiveid.log file from psn2-21 gives the details of the WMI auth event.
psn2-21/admin# sh logging application passiveid.log tail
, Identity Mapping.dc-domainname = example.com , Identity Mapping.dc-connection-type = Current events , Identity Mapping.dc-name = ez_example , Identity Mapping.dc-host = win-e78u0frcjd6.example.com/10.201.228.91 ,
2016-07-04 21:42:00,592 DEBUG [Thread-10][] com.cisco.cpm.cda- Received login event. Identity Mapping.ticket = instance of __InstanceCreationEvent { SECURITY_DESCRIPTOR = {1, 0, 20, 128, 96, 0, 0, 0, 112, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 76, 0, 3, 0, 0, 0, 0, 0, 20, 0, 69, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 24, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 61, 2, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}; TargetInstance = instance of Win32_NTLogEvent { Category = 14339; CategoryString = "Kerberos Authentication Service"; ComputerName = "WIN-E78U0FRCJD6.example.com"; EventCode = 4768; EventIdentifier = 4768; EventType = 4; InsertionStrings = {"hargadmin", "EXAMPLE", "S-1-5-21-4290790397-2086052146-77444135-1113", "krbtgt", "S-1-5-21-4290790397-2086052146-77444135-502", "0x40810010", "0x0", "0x12", "2", "::ffff:10.201.228.104", "56060", "", "", " "}; Logfile = "Security"; \nAdditional Informatio60ffff:10.201.228.10452146-77444135-502requested. \nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120."; RecordNumber = 372847; SourceName = "Microsoft-Windows-Security-Auditing"; TimeGenerated = "20160704214131.733498-000"; TimeWritten = "20160704214131.733498-000"; Type = "Audit Success"; }; TIME_CREATED = "131121420933871015"; }; , Identity Mapping.dc-domainname = example.com , Identity Mapping.dc-connection-type = Current events , Identity Mapping.dc-name = ez_example , Identity Mapping.event-user-name = hargadmin , Identity Mapping.dc-host = win-e78u0frcjd6.example.com/10.201.228.91 , Identity Mapping.server = psn2-21 , Identity Mapping.event-ip-address = 10.201.228.104 ,
2016-07-04 21:42:01,510 DEBUG [Thread-15][] com.cisco.cpm.cda- Forwarded login event to ISE session directory. Identity Mapping.dc-domainname = example.com , Identity Mapping.event-user-name = hargadmin , Identity Mapping.dc-host = win-e78u0frcjd6.example.com/10.201.228.91 , Identity Mapping.server = psn2-21 , Identity Mapping.event-ip-address = 10.201.228.104 ,
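The IP-to-username learning shown in this log and described in the flow above (a 4768 Kerberos TGT event from the DC feeding the MnT session merge), as an added Python example that is not code from this page or from ISE: it extracts the user, domain and client IP from the InsertionStrings of a constructed 4768 event text and joins the result to constructed MAB session records on IP, which also shows why a session that never received Framed-IP-Address can never be matched. The InsertionStrings field order, the skip of failed requests and the skip of machine accounts are assumptions of this example.

```python
import re
from ipaddress import ip_address
# Constructed sample modelled on the Win32_NTLogEvent text that passiveid.log
# prints for a 4768 (Kerberos TGT request) event; not copied from a live DC.
SAMPLE_EVENT = (
    'instance of Win32_NTLogEvent { EventCode = 4768; '
    'InsertionStrings = {"hargadmin", "EXAMPLE", "S-1-5-21-1-2-3-1113", '
    '"krbtgt", "S-1-5-21-1-2-3-502", "0x40810010", "0x0", "0x12", "2", '
    '"::ffff:10.201.228.104", "56060", "", "", " "}; Logfile = "Security"; }'
)
# Assumed order of the InsertionStrings array for event 4768 (Security-Auditing).
FIELDS_4768 = ("TargetUserName", "TargetDomainName", "TargetSid", "ServiceName",
               "ServiceSid", "TicketOptions", "Status", "TicketEncryptionType",
               "PreAuthType", "IpAddress", "IpPort")
def parse_4768(text):
    """IP-to-user mapping from one 4768 event, or None if it yields none."""
    code = re.search(r"EventCode = (\d+);", text)
    raw = re.search(r"InsertionStrings = \{(.*?)\};", text)
    if not code or code.group(1) != "4768" or not raw:
        return None
    fields = dict(zip(FIELDS_4768, re.findall(r'"([^"]*)"', raw.group(1))))
    if fields.get("Status") != "0x0":          # failed TGT request: ignore
        return None
    addr = fields["IpAddress"]
    if addr.startswith("::ffff:"):             # KDC logs IPv4-mapped IPv6 form
        addr = addr[len("::ffff:"):]
    try:
        ip = str(ip_address(addr))
    except ValueError:                         # empty or "-" client address
        return None
    user = fields["TargetUserName"]
    if user.endswith("$"):                     # machine account; assumption: skip
        return None
    return {"user": user, "domain": fields["TargetDomainName"], "ip": ip}
# Constructed MAB sessions in the shape 'show authentication sessions' reports;
# the second never received Framed-IP-Address, so it can never be matched.
SESSIONS = [
    {"mac": "3c97.0e52.3fd3", "ip": "10.201.228.104", "user": "3c97.0e52.3fd3"},
    {"mac": "0011.2233.4455", "ip": None, "user": "0011.2233.4455"},
]

def merge(mapping, sessions):
    """Mimic the MnT merge: join the WMI login event to the MAB session on IP."""
    if mapping is None:
        return None
    for s in sessions:
        if s["ip"] == mapping["ip"]:
            return {**s, "user": f'{mapping["domain"]}\\{mapping["user"]}'}
    return None
```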
Packet capture from psn1-21 (the PSN that is handling the MAB request). The packet capture shows the syslog data for the MAB auth and accounting packets being forwarded to the MnT node.
Packet capture from psn2-21 (the PSN elected as primary by the PassiveID Management Service). This capture shows the primary PSN forwarding the WMI auth pass syslog information to MnT.
There can be multiple reasons behind it:
1. Ensure that within Limited Access DACL you allow PC to contact Active Directory, so this event is generated;
2. Ensure that the Audit Policy is correctly configured, so the corresponding log is seen in Event Viewer; refer to the section Setting the Audit Policy in this document.
The error displayed is:
"The connection was tested on 'Fibi.example.com' Identity Mapping active node.
Connection to 'AD' failed.
Unable to connect to the machine, please check the DC state"
This error is seen if the Administrator2 user does not have enough privileges. Carefully verify that all settings required on AD are properly configured.
1. Ensure you have a successful connection to AD, you can check the corresponding log in the Identity Mapping Report:
2. Ensure that Framed-IP-Address attribute is received from NAD, you can verify it with debug radius on the Switch;