Configure EasyConnect on ISE 2.1

Introduction

This document describes how to configure EasyConnect Authentication with Identity Service Engine (ISE) 2.1. ISE uses Microsoft Active Directory (AD) as an external identity store to store resources such as users, machines, groups and attributes.  

Contributed by Eugene Korneychuk and Harisha Gunna,  Cisco TAC Engineers.

Prerequisites

Requirements

This document assumes that there is full ip connectivity between Switch, AD, ISE and Windows 7 Workstation. ISE Server is bootstrapped.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco Identity Service Engine 2.1
• Cisco 3750X switch with IOS^® Software Release 15.0(1)SE2
• Microsoft Windows Server 2008 R2
• Microsoft Window 7 Workstation

Background Information

EasyConnect Feature Information

EasyConnect provides port-based authentication similar to 802.1X, but easier to implement. EasyConnect learns about the authentication from Active Directory and provides session-tracking for active network sessions. Session Directory notifications can be published with PxGrid.

Both EasyConnect and 802.1x can be configured on the same port, but you must have a different ISE policy for each service.
EasyConnect is supported in High Availabilty mode. It is recommended to have dedicated PSN for WMI. Best practice is to have two PSN – one is active and the second is in standby.

All of the PSNs receive the data from the DC but only one is set as the master and forward the events to the MnT. The PSNs elect the active one and automatically handle the case of promoting the standby in case of a failure. The process of electing PSN as primary by PassievID Managment service is transparent.

EasyConnect Process Flow

The switch is configured for MAB, which sends an Authentication request to PSN. PSN replies with limited access, which allows the user authenticate with Active Directory. PSN authenticating the client forwards the information about MAB auth, RADIUS accounting start and interim stop to MNT. Primary PSN ( This might not be the Authenticating PSN. This is the PSN elected as primary by PassiveId Management Service) forwards WMI Auth events to MnT. Once all the data is collected and merged in the session directory by MnT, MnT proxies CoA request to Authenticating PSN which forwards CoA to NAD and re-evaluates the user for authorization.

EasyConnect Feature Limitations

• EasyConnect cannot be used with BYOD use case.
• Supports only Cisco Devices.
• Endpoint logoff Event is not supported.

In order to configure AD to support passive identity service, refer to the this link: Active Directory Requirements to Support Passive Identity Service

Permissions are different when AD user is part of Domain Admins group and if AD user is not part fo Domain Admins group.

Configure ISE

Join ISE 2.1 to Active Directory

1. Navigate to Administration > Identity Management > External Identity Stores > Active Directory > Add. Provide the Join Point Name, Active Directory Domain and click Submit.

2. When prompted to Join all ISE Nodes to this Active Directory Domain, click Yes.

3. Provide AD User Name and Password, click OK.

AD account required for domain access in ISE should have either of these:

• Add workstations to domain user right in corresponding domain.
• Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ISE machine's account is created before joining ISE machine to the domain.

Tip: Cisco recommends to disable the lockout policy for the ISE account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. When entering wrong password, ISE does not create or modify its machine account when it is necessary and therefore possibly deny all authentications.

4. Review Operation Status, Node Status should shown up as Completed, click Close.

5. Status of AD should be Operational.

6. Navigate to Groups > Add > Select Groups From Directory > Retrieve Groups. Select checkboxes for required AD Groups to be referenced in authorization policy.

Note: User hargadmin is member of Domain Users AD Group. After reassesment is made, Domain Users membership is used in Authorization condition.

 7. Click on Save to save retrieved AD Groups.

Configure Authorization Profiles

1. Create an Authorization Profile for Limited Access Policy > Results, select Authorization > Authorization Profiles and Add a new one named LimitedAccess

a) Check the box for Passive Identity Tracking

b) Add DACL Name and choose the Limited Access DACL allowing DNS, DHCP, ISE, and DC access from the drop down list

c) Save

2. Create an Authorization Profile for other desired access and save.  There is no need for Passive Idenitty Tracking to be enabled on any other Authorization Profiles, just the initial access.

Configure EasyConnect

1. Enable Identity Mapping on your Policy server. Navigate to Administration > Deployment, select a node and under General Settings, enable Enable Identity Mapping.

2. Create a Policy Set. Navigate to Policy > Policy Sets, and create a new policy set named Ezconnect. Then add those  policies:
a) Create an Authentication Policy named EzconnectAuth with condition Wired_MAB.

b) Create an Authorization Policy named Domain_Users, condition AD:ExternalGroups EQUALS example.com/Users/Domain Users .
c) Create an Authorization policy named Ezconnect_Limited, condition Wired_MAB.

As a result of Limited Access, Access to AD should be given.

Configure Identity Mapping

Navigate to Administration > PassiveID > AD Domain Controller. Click Add. In the General Settings section, enter the Display Name, Domain FQDN and Host FQDN of the DC. In the Credentials section, enter the Username and Password of the DC. Click Save. An updated table is displayed with the newly-defined DC included in the list of DCs. The status column indicates the different states of DC.

(Optional) Test the connection to the specified domain by clicking Verify DC Connection Settings. This test ensures that the connection to the DC is healthy. However it does not check whether Cisco ISE can fetch the user information upon login.
Click Save.

Configure Switch

This configuration ensures that switch performs MAB authentication for the clients connected on port FastEthernet1/0/23.

aaa new-model
!
aaa group server radius ISE-group
 server name PSN1
 server name PSN2
!
aaa authentication dot1x default group ISE-group
aaa authorization network default group ISE-group 
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE-group

!
aaa server radius dynamic-author
 client 10.201.228.86 server-key 7 0822455D0A16
 client 10.201.228.87 server-key 7 094F471A1A0A

!
interface FastEthernet1/0/23
 switchport access vlan 903
 switchport mode access
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator      
 spanning-tree portfast

!
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server PSN1
 address ipv4 10.201.228.86 auth-port 1812 acct-port 1813
 key 7 13061E010803
!
radius server PSN2
 address ipv4 10.201.228.87 auth-port 1812 acct-port 1813
 key 7 00071A150754

Verify

Switch

After successful authentication both username and ip address should be seen on the switch.

Switch#show authentication sessions interface fastEthernet 1/0/23 details 
            Interface:  FastEthernet1/0/23
          MAC Address:  3c97.0e52.3fd3
         IPv6 Address:  Unknown
         IPv4 Address:  10.229.20.122
            User-Name:  admin
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0AE514F000000017011140BC
      Acct Session ID:  0x00000009
               Handle:  0xFC000007
       Current Policy:  POLICY_Fa1/0/23

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
       Method           State
       mab              Authc Success

Identity Services Engine

ISE should show multiple reports. Logs are described starting from the bottom one:

1. Machine is authenticated via MAB. Limited Access Authorization Profile is assigned, which allows icmp, dns, access to AD;

2. DACL with Limited Privileges is downloaded to the NAD;

3. ISE learns username via WMI (because of ip to username mapping on AD) and AD Groups of the user via LDAP from AD. Since there is a Authorization Rule, and ISE learned new data matching its condition, CoA is initiated.

4. As a result of CoA user admin gets Secure Access Authorization Profile.

Live Log screenshot

Live Sessions screenshot

MS Active Directory

From Event viewer 4768 and 4769 Events should be seen, it is the result of successful user authentication.

Troubleshoot

Debugs on ISE

In order to review logs on PSN for WMI, change logging to debug level for the component PassiveID

passiveid-mgmt.log file shows which PSN is elected as primary.

psn1-21/admin# sh logging application passiveid-mgmt.log tail
2016-07-04 21:34:15,856 INFO   [admin-http-pool187][] cisco.cda.mgmt.rest.ADProb
eElectionManager- PassiveID Management Service :: The node 'psn2-21.example.com'
 was selected as primary.
2016-07-04 21:34:15,856 INFO   [admin-http-pool187][] cisco.cda.mgmt.rest.ADProb
eElectionManager- PassiveID Management Service :: This node (psn1-21.example.com
) was selected as standby.

Based on the above, we need to review psn2-21 logs for WMI Auth and since psn1-21 is handling the auth request from NAD, psn1-21 logs have to be reviewed for MAB auth.

passiveid.log from psn2-21 file gives details of WMI auth event

psn2-21/admin# sh logging application passiveid.log tail

 , Identity Mapping.dc-domainname = example.com , Identity Mapping.dc-connection-type = Current events , Identity Map
ping.dc-name = ez_example , Identity Mapping.dc-host = win-e78u0frcjd6.example.com/10.201.228.91 , 
2016-07-04 21:42:00,592 DEBUG  [Thread-10][] com.cisco.cpm.cda- Received login event. Identity Mapping.ticket = 
instance of __InstanceCreationEvent
{
        SECURITY_DESCRIPTOR = {1, 0, 20, 128, 96, 0, 0, 0, 112, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 76, 0, 3, 0, 
0, 0, 0, 0, 20, 0, 69, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 24, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 
5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 61, 2, 0, 0, 1, 2, 0, 0, 
0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
        TargetInstance = 
instance of Win32_NTLogEvent
{
        Category = 14339;
        CategoryString = "Kerberos Authentication Service";
        ComputerName = "WIN-E78U0FRCJD6.example.com";
        EventCode = 4768;
        EventIdentifier = 4768;
        EventType = 4;
        InsertionStrings = {"hargadmin", "EXAMPLE", "S-1-5-21-4290790397-2086052146-77444135-1113", "krbtgt", "S-1-5-
21-4290790397-2086052146-77444135-502", "0x40810010", "0x0", "0x12", "2", "::ffff:10.201.228.104", "56060", "", "", "
"};
        Logfile = "Security";
\nAdditional Informatio60ffff:10.201.228.10452146-77444135-502requested.
\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.";
        RecordNumber = 372847;
        SourceName = "Microsoft-Windows-Security-Auditing";
        TimeGenerated = "20160704214131.733498-000";
        TimeWritten = "20160704214131.733498-000";
        Type = "Audit Success";
};
        TIME_CREATED = "131121420933871015";
};
 , Identity Mapping.dc-domainname = example.com , Identity Mapping.dc-connection-type = Current events , Identity Map
ping.dc-name = ez_example , Identity Mapping.event-user-name = hargadmin , Identity Mapping.dc-host = win-e78u0frcjd6
.example.com/10.201.228.91 , Identity Mapping.server = psn2-21 , Identity Mapping.event-ip-address = 10.201.228.104 ,
 
2016-07-04 21:42:01,510 DEBUG  [Thread-15][] com.cisco.cpm.cda- Forwarded login event to ISE session directory. Ident
ity Mapping.dc-domainname = example.com , Identity Mapping.event-user-name = hargadmin , Identity Mapping.dc-host = w
in-e78u0frcjd6.example.com/10.201.228.91 , Identity Mapping.server = psn2-21 , Identity Mapping.event-ip-address = 10
.201.228.104 , 

Packet capture from psn1-21 ( PSN that is handling the MAB request). The packet capture shows the syslog data for MAB auth and accounting packets being frowarded to MnT node.

Packet capture from psn2-21 (PSN elected as primary by PassiveID Mangement Service). This capture shows primary PSN forwarding WMI auth pass syslog info to MnT

Typical Issues

Issue 1. Active directory is not showing Event 4768

There can be multiple reasons behind it:

1. Ensure that within Limited Access DACL you allow PC to contact Active Directory, so this event is generated;

2. Ensure that Audit Policy is corrrectly configured, so corresponding log will be seen in Event Viewer, refer to the section

Setting Audit Policy in this document.

Issue 2. Cannot connect to AD from Identity Mapping

The error displayed is:

"The connection was tested on 'Fibi.example.com' Identity Mapping active node.
Connection to 'AD' failed.
Unable to connect to the machine, please check the DC state"

This error is seen if you don't have enough privileges for the Administrator2 user, please carefully verify that all settings required on AD are properly configured.

Issue 3. Secure Access rule is not triggered

1. Ensure you have successful connection to AD, you can check corresponding log in the Identity Mapping Report:

2. Ensure that Framed-IP-Address attribute is resevied from NAD, you can verify it with debug radius on the Switch;