Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
36 views9 pages

38 Mab Lab

Cisco ISE configuration

Uploaded by

muhammad farooq
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
36 views9 pages

38 Mab Lab

Cisco ISE configuration

Uploaded by

muhammad farooq
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

MAB LAB:

Cisco ISE Primary IP Address 192.168.100.210


Cisco ISE Secondary IP Address 192.168.100.220
AD, DNS and CA Server IP Address 192.168.100.230
Domain Name test.local
Test User/Group N/A
Test VLAN VLAN 20
VLAN Subnet 192.168.20.0/24
VLAN 20 Gateway 192.168.20.1
Authenticator Switch SW2
Authentication Switch MGMT IP 192.168.100.254
SW2 MAB Interface Ethernet 0/2
MAB Endpoint Android 9.1
MAB Endpoint MAC Address 50:01:00:07:00:00

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


MAB Configuration
SW2(config)#aaa new-model
SW2(config)#dot1x system-auth-control
SW2(config)#radius server ISE1
SW2(config-radius-server)# address ipv4 192.168.100.210 auth-port 1812 acct-port 1813
SW2(config-radius-server)#key Test123
SW2(config-radius-server)#radius server ISE2
SW2(config-radius-server)# address ipv4 192.168.100.220 auth-port 1812 acct-port 1813
SW2(config-radius-server)#key Test123
SW2(config-radius-server)#radius-server attribute 6 on-for-login-auth
SW2(config)#radius-server attribute 8 include-in-access-req
SW2(config)#radius-server attribute 25 access-request include
SW2(config)#radius-server vsa send accounting
SW2(config)#radius-server vsa send authentication
SW2(config)#radius-server dead-criteria time 30 tries 3
SW2(config)#radius-server timeout 2
SW2(config)#aaa group server radius ISE-GROUP
SW2(config-sg-radius)#server name ISE1
SW2(config-sg-radius)#server name ISE2
SW2(config-sg-radius)#ip radius source-interface Vlan100
SW2(config-sg-radius)#aaa authentication dot1x default group ISE-GROUP
SW2(config)#aaa authorization network default group ISE-GROUP
SW2(config)#aaa accounting update periodic 5
SW2(config)#aaa accounting dot1x default start-stop group ISE-GROUP
SW2(config)#aaa server radius dynamic-author
SW2(config-locsvr-da-radius)#client 192.168.100.210 server-key Test123
SW2(config-locsvr-da-radius)#client 192.168.100.220 server-key Test123
SW2(config-locsvr-da-radius)#snmp-server community Test123 RO
SW2(config)#interface Ethernet0/2
SW2(config-if)#description Android Tablet
SW2(config-if)#switchport access vlan 20
SW2(config-if)#switchport mode access
SW2(config-if)#authentication host-mode multi-auth
SW2(config-if)#authentication open
SW2(config-if)#authentication port-control auto
SW2(config-if)#mab
SW2(config-if)#dot1x pae authenticator
SW2(config-if)#dot1x timeout tx-period 10
SW2(config-if)#spanning-tree portfast edge
SW2(config-if)#authentication event fail action next-method
SW2(config-if)#authentication order dot1x mab

2 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


Add Network Device:
Go to Administration > Network Resources > Network Devices to add the Device (SW2).

Click on Add button to add Network Device like Router and Switch.

Configure Name of device, IP address configured. Scroll down to set Authentication settings.

3 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


Scroll down to set Authentication settings. Set Password configured as Server key on Switch
device “Test123” and save settings.

Scroll down to check SNMP Settings and set SNMP RO Community string settings, Click Submit.

4 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


MAB Authentication Polices:
choose Work Centers > Network Access > Policy Sets>Authentication Policy. Use the default
MAB Authentication Policy which check Internal endpoints MAC address.

If the authentication fail the Device will be Rejected, if user not found the user will be rejected,
while if the process fail the Device will be dropped.

5 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


MAB Authorization Polices:
Navigate to Policy>Policy Sets > click on Arrow Icon >

Navigate to Authorization Policy section, there is default and Basic_Authenticated_Access rules


already it will use these default Authorization Policy to permit access.

MAB Device Authentication:


Boot Android Device. Navigate to ISE Operations>RADIUS>Live Logs. You will notice that
authentication is failed because Android MAC address is not found in Internal database.

6 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


Navigate to ISE Context Visibility>Endpoints. Select Android rejected device, and click edit.

Description: Android, Static assignment: Android, Static group assignment: Android, Click Save

7 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


Navigate to ISE management Operations>Live Logs again. Now you will see that Android device
is authenticated because this time the MAC address is now in Internal Endpoint database.

Verification:
Navigate to Operations > RADIUS Livelog.

Verification Commands on Cisco Switch


SW2# show mab all
SW2# debug radius authentication
SW2# Show authentication sessions
SW2# Show authentication sessions interface ethernet 0/2
SW2# Show authentication sessions interface ethernet 0/2 details

8 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


9 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

You might also like