This document describes how to configure EasyConnect authentication with Identity Services Engine (ISE) 2.1. ISE uses Microsoft Active Directory (AD) as an external identity store for resources such as users, machines, groups and attributes.
Contributed by Eugene Korneychuk and Harisha Gunna, Cisco TAC Engineers.
This document assumes that there is full IP connectivity between the switch, AD, ISE and the Windows 7 workstation, and that the ISE server is bootstrapped.
The information in this document is based on these software and hardware versions:
Cisco Identity Services Engine 2.1
Cisco 3750X switch with IOS® Software Release 15.0(1)SE2
Microsoft Windows Server 2008 R2
Microsoft Windows 7 Workstation
EasyConnect Feature Information
EasyConnect provides port-based authentication similar to 802.1X, but is easier to implement because the endpoint needs no 802.1X supplicant. EasyConnect learns about the user authentication from Active Directory and provides session tracking for active network sessions. Session Directory notifications can be published through pxGrid.
Both EasyConnect and 802.1X can be configured on the same port, but you must have a different ISE policy for each service. EasyConnect is supported in High Availability mode. It is recommended to have dedicated PSNs for WMI; best practice is to have two PSNs, one active and the second in standby.
All of the PSNs receive the data from the DC, but only one is set as the master and forwards the events to MnT. The PSNs elect the active one and automatically promote the standby in case of a failure. The election of the primary PSN by the PassiveID Management Service is transparent.
EasyConnect Process Flow
The switch is configured for MAB and sends an authentication request to a PSN. The PSN replies with limited access, which is enough for the user to authenticate against Active Directory. The authenticating PSN forwards the MAB authentication and the RADIUS accounting (start and interim update) to MnT. The primary PSN, which is the node elected by the PassiveID Management Service and is not necessarily the authenticating PSN, forwards the WMI authentication events to MnT. Once MnT has collected and merged all of this data in the session directory, it proxies a CoA request to the authenticating PSN, which sends the CoA to the NAD and re-evaluates the user for authorization.
The permissions required on the DC differ depending on whether the AD account used by ISE is a member of the Domain Admins group or not.
Join ISE 2.1 to Active Directory
1. Navigate to Administration > Identity Management > External Identity Stores > Active Directory > Add. Provide the Join Point Name, Active Directory Domain and click Submit.
2. When prompted to Join all ISE Nodes to this Active Directory Domain, click Yes.
3. Provide AD User Name and Password, click OK.
The AD account ISE uses to join the domain must have one of these:
The Add workstations to domain user right in the corresponding domain.
The Create Computer Objects or Delete Computer Objects permission on the computers container in which the ISE machine account is created, before ISE is joined to the domain.
Tip: Cisco recommends disabling the lockout policy for the ISE account and configuring the AD infrastructure to alert the administrator when a wrong password is used for that account. If a wrong password is entered, ISE cannot create or modify its machine account when that is necessary and may therefore deny all authentications.
4. Review the Operation Status. Node Status should show up as Completed. Click Close.
5. Status of AD should be Operational.
6. Navigate to Groups > Add > Select Groups From Directory > Retrieve Groups. Select checkboxes for required AD Groups to be referenced in authorization policy.
Note: The user hargadmin is a member of the Domain Users AD group. When the session is reassessed, the Domain Users membership is used in the authorization condition.
7. Click on Save to save retrieved AD Groups.
Configure Authorization Profiles
1. Create an Authorization Profile for Limited Access. Navigate to Policy > Results, select Authorization > Authorization Profiles and add a new profile named LimitedAccess.
a) Check the box for Passive Identity Tracking.
b) Under DACL Name, choose from the drop-down list the Limited Access DACL that permits DNS, DHCP, ISE and DC access. This DACL must let the endpoint reach the DC; otherwise the user never authenticates against AD and ISE never learns the identity.
2. Create an Authorization Profile for the other desired access and save it. Passive Identity Tracking only needs to be enabled on the initial (limited) profile, not on any other Authorization Profile.
Configure Policy Set
1. Enable Identity Mapping on your Policy Service Node. Navigate to Administration > Deployment, select the node and, under General Settings, check Enable Identity Mapping.
2. Create a Policy Set. Navigate to Policy > Policy Sets and create a new policy set named Ezconnect. Then add these policies:
a) An Authentication Policy rule named EzconnectAuth with the condition Wired_MAB.
b) An Authorization Policy rule named Domain_Users with the condition AD:ExternalGroups EQUALS example.com/Users/Domain Users.
c) An Authorization Policy rule named Ezconnect_Limited with the condition Wired_MAB.
Keep the Domain_Users rule above Ezconnect_Limited. Authorization rules are matched top-down and the Wired_MAB condition matches every session, so a limited rule placed first would also win after the identity is learned and no CoA would ever upgrade the session. The Ezconnect_Limited rule grants the LimitedAccess profile, so an endpoint that has only passed MAB can still reach AD.
Configure Identity Mapping
Navigate to Administration > PassiveID > AD Domain Controller. Click Add. In the General Settings section, enter the Display Name, Domain FQDN and Host FQDN of the DC. In the Credentials section, enter the username and password of the AD account that ISE uses to connect to the DC. Click Save. An updated table is displayed with the newly defined DC included in the list of DCs. The Status column indicates the state of the DC.
(Optional) Test the connection to the specified domain by clicking Verify DC Connection Settings. This test ensures that the connection to the DC is healthy. However it does not check whether Cisco ISE can fetch the user information upon login. Click Save.
Configure the Switch
This configuration ensures that the switch performs MAB authentication for the clients connected to port FastEthernet1/0/23. Note that the CoA sent by ISE after the identity is learned is only accepted if the switch is also configured to accept dynamic authorization requests from the PSNs (aaa server radius dynamic-author, with the same shared key); that part is not shown below.
aaa new-model
!
aaa group server radius ISE-group
 server name PSN1
 server name PSN2
!
aaa authentication dot1x default group ISE-group
aaa authorization network default group ISE-group
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE-group
!
interface FastEthernet1/0/23
 switchport access vlan 903
 switchport mode access
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server PSN1
 address ipv4 10.201.228.86 auth-port 1812 acct-port 1813
 key 7 13061E010803
!
radius server PSN2
 address ipv4 10.201.228.87 auth-port 1812 acct-port 1813
 key 7 00071A150754
Verify
Switch
After successful authentication, both the username and the IP address should be seen in the session on the switch.
Switch#show authentication sessions interface fastEthernet 1/0/23 details
            Interface:  FastEthernet1/0/23
          MAC Address:  3c97.0e52.3fd3
         IPv6 Address:  Unknown
         IPv4 Address:  10.229.20.122
            User-Name:  admin
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0AE514F000000017011140BC
      Acct Session ID:  0x00000009
               Handle:  0xFC000007
       Current Policy:  POLICY_Fa1/0/23

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
       Method           State
       mab              Authc Success
Identity Services Engine
ISE should show several entries for the session. The Live Log lists the newest entry first, so the entries are described starting from the bottom one:
1. The machine is authenticated via MAB. The Limited Access Authorization Profile is assigned, which permits ICMP, DNS and access to AD.
2. The DACL with limited privileges is downloaded to the NAD.
3. ISE learns the username via WMI (from the logon events on the DC, which map the IP address to the username) and the user's AD groups via LDAP. Because an Authorization Rule exists whose condition the newly learned data matches, a CoA is initiated.
4. As a result of the CoA, the user admin gets the Secure Access Authorization Profile.
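The flow described above (limited access on MAB, identity merged into the session directory, CoA only when a higher rule now matches) and the rule-ordering requirement of the Ezconnect policy set, as an added simulation written for this page. This is not ISE code: the profile granted after the CoA is called SecureAccess here (the page only calls it the Secure Access profile), the DenyAccess fallback and the session directory class are assumptions, and the MAC and IP addresses are the ones from the switch output above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Assumed names (not from the page): SecureAccess is the post-CoA profile,
# DenyAccess is the fallback when no rule matches.
LIMITED, SECURE, DENY = "LimitedAccess", "SecureAccess", "DenyAccess"
DOMAIN_USERS = "example.com/Users/Domain Users"

# Only the initial profile has Passive Identity Tracking enabled, as the page
# configures it; sessions holding any other profile are not re-evaluated.
PASSIVE_ID_TRACKING = {LIMITED: True, SECURE: False}


@dataclass
class Session:
    mac: str
    ip: str
    method: str = "MAB"                  # authentication method seen by the PSN
    user: Optional[str] = None           # learned later from the WMI event
    groups: Set[str] = field(default_factory=set)   # learned via LDAP
    profile: Optional[str] = None


# An authorization rule is (name, condition, profile).  Rules are evaluated
# top-down and the first match wins, as in an ISE policy set.
Rule = Tuple[str, Callable[[Session], bool], str]
RULES: List[Rule] = [
    ("Domain_Users", lambda s: DOMAIN_USERS in s.groups, SECURE),
    ("Ezconnect_Limited", lambda s: s.method == "MAB", LIMITED),
]


def authorize(session: Session, rules: List[Rule]) -> Tuple[str, str]:
    """Return (matched rule name, granted profile) for the session."""
    for name, condition, profile in rules:
        if condition(session):
            return name, profile
    return "Default", DENY


class SessionDirectory:
    """Toy MnT session directory: merges RADIUS data with AD identity events."""

    def __init__(self, rules: List[Rule] = RULES) -> None:
        self.rules = rules
        self.by_ip: Dict[str, Session] = {}
        self.coa_log: List[Tuple[str, str, str]] = []   # (ip, old, new)

    def mab_auth(self, mac: str, ip: str) -> Session:
        """Steps 1-2: MAB succeeds and the catch-all rule grants LimitedAccess."""
        session = Session(mac=mac, ip=ip)
        _, session.profile = authorize(session, self.rules)
        self.by_ip[ip] = session
        return session

    def identity_learned(self, ip: str, user: str,
                         groups: Iterable[str]) -> Optional[Tuple[str, str]]:
        """Steps 3-4: a WMI event maps ip -> user and LDAP supplies the groups.
        Re-evaluate the rules and issue a CoA only if the result changes."""
        session = self.by_ip.get(ip)
        if session is None or not PASSIVE_ID_TRACKING.get(session.profile, False):
            return None                   # no MAB session to merge, or not tracked
        session.user, session.groups = user, set(groups)
        _, new_profile = authorize(session, self.rules)
        if new_profile == session.profile:
            return ("no-change", new_profile)
        self.coa_log.append((ip, session.profile, new_profile))
        session.profile = new_profile
        return ("CoA", new_profile)


if __name__ == "__main__":
    mnt = SessionDirectory()
    mnt.mab_auth("3c97.0e52.3fd3", "10.229.20.122")
    print(mnt.identity_learned("10.229.20.122", "admin", [DOMAIN_USERS]))
    # Misordered policy set: the Wired_MAB rule first, so the identity never helps.
    bad = SessionDirectory(rules=list(reversed(RULES)))
    bad.mab_auth("0000.0000.0001", "10.229.20.50")
    print(bad.identity_learned("10.229.20.50", "admin", [DOMAIN_USERS]))
```

The reversed rule list reproduces the misconfiguration warned about in the policy set section: the session stays on LimitedAccess and no CoA is ever issued, even though the user and group are known.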
Live Log screenshot
Live Sessions screenshot
MS Active Directory
In the Event Viewer Security log on the DC, events 4768 (a Kerberos authentication ticket (TGT) was requested) and 4769 (a Kerberos service ticket was requested) should be seen for the user; they are the result of a successful user authentication and are the events ISE reads over WMI to map the client IP address to the username.
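The IP-to-username mapping that ISE derives from these DC events, as an added example written for this page rather than ISE's own WMI probe. The event records are constructed here in the Windows event XML layout (the field names TargetUserName, IpAddress and Status are the real EventData names for 4768/4769); the user names, domain and addresses follow the page, and the computer name WIN7-WS and the service names are assumptions. The example also shows what must not produce a mapping: failed requests, computer accounts and non-Kerberos events.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional, Tuple

# Namespace of every Windows event record; EventID and Data live under it.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 4768: Kerberos TGT requested, 4769: Kerberos service ticket requested.
KERBEROS_EVENT_IDS = {4768, 4769}


def make_event(event_id: int, fields: Dict[str, str]) -> str:
    """Build a constructed Security-log record in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')


# Constructed sample events (not captured from a real DC).  Assumed names:
# computer WIN7-WS, services krbtgt and cifs/dc1.
SAMPLE_EVENTS = [
    make_event(4768, {"TargetUserName": "admin", "TargetDomainName": "EXAMPLE.COM",
                      "IpAddress": "::ffff:10.229.20.122", "Status": "0x0"}),
    # Computer account requesting a ticket: a machine, not a user logon.
    make_event(4769, {"TargetUserName": "WIN7-WS$@EXAMPLE.COM", "ServiceName": "krbtgt",
                      "IpAddress": "::ffff:10.229.20.122", "Status": "0x0"}),
    # Wrong password: KDC_ERR_PREAUTH_FAILED (0x18) must not create a mapping.
    make_event(4768, {"TargetUserName": "hargadmin", "TargetDomainName": "EXAMPLE.COM",
                      "IpAddress": "::ffff:10.229.20.130", "Status": "0x18"}),
    # Interactive logon event: not a Kerberos ticket event, ignored here.
    make_event(4624, {"TargetUserName": "hargadmin", "IpAddress": "10.229.20.131"}),
    make_event(4769, {"TargetUserName": "hargadmin@EXAMPLE.COM", "ServiceName": "cifs/dc1",
                      "IpAddress": "::ffff:10.229.20.131", "Status": "0x0"}),
]


def parse_kerberos_event(xml_text: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, username) for a successful user Kerberos event,
    or None for anything that must not become a session identity."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS) or 0)
    if event_id not in KERBEROS_EVENT_IDS:
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", namespaces=EVENT_NS)}
    if data.get("Status") != "0x0":            # failed request, e.g. 0x18 bad password
        return None
    user = data.get("TargetUserName", "").split("@", 1)[0]   # 4769 carries user@REALM
    if not user or user.endswith("$"):         # computer account, not a user
        return None
    ip = data.get("IpAddress", "")
    if ip.startswith("::ffff:"):               # the DC logs IPv4 clients in mapped-IPv6 form
        ip = ip[len("::ffff:"):]
    if not ip or ip == "::1":                  # local KDC traffic has no endpoint to map
        return None
    return ip, user


def build_ip_user_map(events: Iterable[str]) -> Dict[str, str]:
    """Latest successful user event per IP wins, as a session directory would do."""
    mapping: Dict[str, str] = {}
    for xml_text in events:
        parsed = parse_kerberos_event(xml_text)
        if parsed:
            ip, user = parsed
            mapping[ip] = user
    return mapping


if __name__ == "__main__":
    for ip, user in build_ip_user_map(SAMPLE_EVENTS).items():
        print(f"{ip} -> {user}")
```

The two filters that matter operationally are the Status check and the trailing-dollar check: a user who mistypes a password still generates a 4768, and every domain-joined workstation generates 4768/4769 for its own computer account from the same IP, so without those checks the session would be bound to the wrong identity.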
Debugs on ISE
To review the WMI-related logs on a PSN, set the logging level of the PassiveID component to DEBUG in the Debug Log Configuration.
The passiveid-mgmt.log file shows which PSN was elected as primary:
psn1-21/admin# sh logging application passiveid-mgmt.log tail
2016-07-04 21:34:15,856 INFO [admin-http-pool187] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: The node 'psn2-21.example.com' was selected as primary.
2016-07-04 21:34:15,856 INFO [admin-http-pool187] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: This node (psn1-21.example.com) was selected as standby.
Based on this output, the WMI authentication events must be reviewed in the psn2-21 logs, whereas psn1-21 handles the authentication request from the NAD, so the MAB authentication must be reviewed in the psn1-21 logs.
The passiveid.log file on psn2-21 gives the details of the WMI authentication event.