
User and Machine Certificate Authentication using EAP-TLS


User and Machine Certificate Configuration in Cisco ISE:

Step 1:
Create a Certificate Authentication Profile:
Under Identity Store, use AD1 (Active Directory) or Not Applicable.
-Basic certificate checking does not require an identity store.
-When AD1 is selected, all subject names in a certificate can be used to look up a user.

Use Identity From:
Certificate Attribute: select Common Name (CN).
-This username is used for the AD lookup and also appears in the ISE logs.

Any Other Subject or Alternative Name Attribute:
-All other subject names and alternative names in the certificate are tried when looking up the user.
The Active Directory implicit UPN (User Principal Name) is used as the username in the logs.
Note: this option is only available if AD1 is selected as the identity store.


Match Client Certificate Against Certificate in Identity Store:
-For binary comparison of certificates, an identity store (AD or LDAP) must be selected.
-If AD1 is selected, the comparison can also be set to "Only to resolve identity ambiguity" during lookup.



Machine Certificate Profile:
User Certificate Profile:

Step 2: Machine Certificate Policy Set
Create Authentication and Authorization rules under Policy Sets as shown below:
Create a condition that matches Radius:User-Name STARTS WITH host/
(Windows machine authentication presents the computer account as host/<hostname>, which is what this condition keys on.)

Under the Authentication Policy, use the certificate authentication profile created in Step 1 (Machine Certificate Profile).
In the Authorization policy we are permitting all other traffic.

Step 3: User Certificate Policy Set
Create Authentication and Authorization rules under Policy Sets as shown below:
Create a condition that matches All WLC's OR Radius:Called-Station-ID ENDS WITH <SSID NAME>
(a Cisco WLC sends Called-Station-ID as <AP MAC>:<SSID>, so the ENDS WITH match selects the SSID).

Under the Authentication Policy, use the certificate authentication profile created in Step 1 (User Certificate Profile).
In the Authorization policy we are permitting all other traffic.
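To check how the two policy-set conditions above interact, here is a small evaluator, added as an example (it is not code from the post or from Cisco ISE). It models the Step 2 condition (User-Name STARTS WITH host/), the Step 3 condition (All WLC's OR Called-Station-ID ENDS WITH <SSID NAME>) and the "Use Identity From: Common Name" setting of Step 1, evaluated top to bottom as ISE evaluates policy sets. The SSID name, device group string and RADIUS requests are constructed values. Because a machine-certificate request arriving on a WLC also satisfies the Step 3 condition, the machine set has to sit above the user set; the evaluator keeps that order.

```javascript
// Added example (not from the post or from Cisco ISE): models the two policy-set
// conditions from Step 2 and Step 3 and the "Use Identity From: Common Name"
// profile setting, so the matching logic can be tried on constructed requests.

const SSID_NAME = "CORP-WLAN"; // assumed value for <SSID NAME> in the Step 3 condition

// Split an X.509 subject such as "CN=PC01.example.com,OU=PCs,DC=example,DC=com"
// into attribute -> list of values (an RDN type like DC can repeat).
function parseSubject(subject) {
  const attrs = {};
  for (const rdn of subject.split(",")) {
    const idx = rdn.indexOf("=");
    if (idx < 0) continue;
    const key = rdn.slice(0, idx).trim().toUpperCase();
    const val = rdn.slice(idx + 1).trim();
    if (!attrs[key]) attrs[key] = [];
    attrs[key].push(val);
  }
  return attrs;
}

// "Use Identity From: Certificate Attribute: Common Name (CN)":
// the CN becomes the username for the AD lookup and the ISE log entry.
function identityFromCommonName(subject) {
  const cn = parseSubject(subject).CN;
  return cn ? cn[0] : null;
}

// Policy-set selection, top to bottom, first match wins.
// req is a constructed RADIUS request: { userName, calledStationId, deviceGroup }.
function selectPolicySet(req) {
  // Step 2 condition: Radius:User-Name STARTS WITH host/
  if (typeof req.userName === "string" && req.userName.startsWith("host/")) {
    return "Machine Certificate";
  }
  // Step 3 condition: All WLC's OR Radius:Called-Station-ID ENDS WITH <SSID NAME>
  const onWlc = req.deviceGroup === "All WLC's";
  const onSsid = typeof req.calledStationId === "string" &&
                 req.calledStationId.endsWith(SSID_NAME);
  if (onWlc || onSsid) {
    return "User Certificate";
  }
  return "Default";
}

// Which certificate authentication profile each policy set uses (Step 2 / Step 3).
function authProfileFor(req) {
  const set = selectPolicySet(req);
  if (set === "Machine Certificate") return "Machine Certificate Profile";
  if (set === "User Certificate") return "User Certificate Profile";
  return null;
}
```

Swapping the two `if` blocks in `selectPolicySet` makes every machine request on the WLC land in the user set, which is the misconfiguration the ordering in Steps 2 and 3 avoids.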

Step 4:
Under Administration > System > Certificates > System Certificates:
Make sure ISE has a system certificate issued by one of your internal root CAs, with "EAP Authentication" selected as its usage.
That root CA must also be present in every client PC's Trusted Root Certification Authorities store.

Step 5:
Under Administration > System > Certificates > Trusted Certificates:
Import all root and intermediate certificates here and check the following options:
"Trust for client authentication and Syslog"
"Trust for authentication of Cisco Services"

Step 6:
PC wireless NIC card settings:

For User Certificate use the settings below:

For Machine Certificate use the settings below:

Automated SMS for Guest Implementation: Self Registration using Cisco ISE 2.2

For more details about the guest configuration, please see the earlier post, Guest Implementation.

This document explains the automated SMS gateway service for self-registration guest users.
The username and password are sent directly to the user's phone number.

I'm using Telenor as the SMS gateway provider.

Step 1:

Here the Telenor service provider uses port 44343; make sure port 44343 is allowed outbound through the firewall.

Step 2:
Import all root certificates for sms-pro-net into the ISE server under Trusted Certificates.

Step 3:
Under the guest portal settings, under Self-Registration Page Settings, check "Send credentials via SMS".





TESTING:-


Guest Implementation: Self Registration using Cisco ISE 2.2

This document explains the design plan of a guest wireless implementation using an automatic self-registration portal.

This guest SSID can be used by both guests and internal employees.
If the user is a guest, they create a self-registration account; if the user is an internal employee, he/she can enter their Active Directory username/password to log in.


Working:
a) When a user connects to SSID GUEST, the user gets a login prompt:
1) If the user is an internal employee, they can sign in with their username and password.
2) If the user is a guest, they create an account using the link provided on the same page.
All this traffic is sent to the anchor WLC through the mobility tunnel.
b) On the anchor WLC, the default gateway points to the local firewall DMZ interface.
c) All guest authentications are performed by the Cisco ISE server. Once the user is authenticated, they are allowed access to the Internet.
d) Return traffic from the anchor WLC is sent to the firewall, where access rules block all RFC-1918 (private) IP addresses and allow the remaining access.


Step 1: Create an HTML self-registration portal which contains the following:
a) Login page
b) Self-registration page
c) Registration success page
d) Support information
You can use the ISE 2.2 pre-defined pages or customize the HTML.

Below are some samples created for this.

a)Login Page :-



b)Self-Registration Page:-




All the above fields are mandatory.
Email Address: this should be the guest's own email address, e.g. rajiv@gmail.com, rajiv@outlook.com, etc.
Person Being Visited: this is a very important field; here the guest has to enter an employee's email ID,
so that the approval/deny email is sent to this person.



I'm using the following JavaScript to make sure only email IDs ending with @rajivcompany.com are accepted; all other email IDs are blocked, as shown below. (The pattern is anchored to the end of the value and the dot is escaped, so an address such as user@rajivcompany.com.example.net is not accepted.)

<script>
    setTimeout(function () {
        // Custom jQuery Validation rule: the address must end with @rajivcompany.com
        $.validator.addMethod("customemailvalidator", function (value, element) {
            return (/@rajivcompany\.com$/i).test(value);
        }, 'Invalid Email address format');
        // Attach the rule to the "Person Being Visited" field of the ISE portal form
        jQuery("[name='guestUser.fieldValues.ui_person_visited']").rules("add", { customemailvalidator: true });
    }, 50);
</script>
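The difference between an unanchored and an anchored domain check is easy to miss in a one-line validator, so here is a stand-alone comparison, added as an example (not code from the post). It runs outside jQuery with no browser, uses the same domain as the validator above, and the sample addresses are constructed. `looseRe` is the pattern as it would be written without `\.` and `$`; `buildStrictRe` builds the anchored, escaped, case-insensitive form for any domain.

```javascript
// Added example (not from the post): compares an unanchored domain pattern with an
// anchored one so the sponsor-email check can be tested on its own, without jQuery.
// Domain and sample addresses are constructed.

const ALLOWED_DOMAIN = "rajivcompany.com";

// Unanchored pattern: matches the domain anywhere in the string, and the
// unescaped "." matches any single character.
const looseRe = /@rajivcompany.com/;

// Anchored pattern: one local part, "@", then exactly the domain at the end of
// the value (case-insensitive, because mailbox domains are case-insensitive).
function buildStrictRe(domain) {
  const escaped = domain.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters
  return new RegExp("^[^\\s@]+@" + escaped + "$", "i");
}
const strictRe = buildStrictRe(ALLOWED_DOMAIN);

function isAllowedLoose(value) { return looseRe.test(value); }
function isAllowedStrict(value) { return strictRe.test(value); }

// Constructed inputs: the first two should pass, the rest should be rejected.
const samples = [
  "alice@rajivcompany.com",                    // valid
  "ALICE@RajivCompany.COM",                    // valid, different case
  "bob@rajivcompany.com.example.net",          // domain is a label of another domain
  "bob@rajivcompanyXcom",                      // unescaped "." would accept "X"
  "mallory@gmail.com, eve@rajivcompany.com",   // two addresses in one field
  "guest@gmail.com",                           // wrong domain
];

// Returns one row per sample with the verdict of each pattern.
function compare() {
  return samples.map(v => ({ value: v, loose: isAllowedLoose(v), strict: isAllowedStrict(v) }));
}
```

In `compare()` three of the six constructed addresses are accepted by `looseRe` but rejected by `strictRe`; the server-side sponsor approval still decides, but the portal field should not invite those entries in the first place.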

Working: when you enter the company email ID of the person responsible for approving/denying guest users.


Not working:





Once the user clicks REGISTER, an automatic email is sent to the "Person Being Visited" so that they can approve or deny the guest user account.

ISE 2.2 uses the following template to send the automatic email, which contains the Approve/Deny links:

$ui_self_reg_email_approve_link_start$ Approve $ui_self_reg_email_approve_link_end$
$ui_self_reg_email_deny_link_start$ Deny $ui_self_reg_email_deny_link_end$

Please approve (or deny) this self-registering guest by clicking in the link above.

The guest provided the following information:
Username: $ui_user_name$
First Name: $ui_first_name$
Last Name: $ui_last_name$
Password: $ui_password$
Phone Number:$ui_phone_number$
Valid From: $ui_start_date_time$
Valid To: $ui_end_date_time$

Person being visited: $ui_person_visited$





--------------------------------------------------------------------------------------------------------------------
This is an Automated Message: Please DO NOT Reply Directly to this email.
For support Please contact the help desk sriramoju@outlook.com 

Sample email:-


c) Guest Self-Registration Success Page:




Once the guest user is approved, they receive an automatic email at the guest email address with the username and password, as shown below.

Firewall configuration:

a) Create a sub-interface and a separate VLAN for guests on the firewall.
b) Create firewall rules such that they block RFC-1918 destinations and allow all other IP communication (the block rule must come before the permit rule):
Source: Guest subnets, Destination: RFC-1918, Protocol: IP ==> Action: Block
Source: Guest subnets, Destination: any, Protocol: IP ==> Action: Permit

WLC configuration:

1) Both the foreign and anchor WLCs should have the same WLAN configuration; the interface configuration and DHCP server are configured on the anchor WLC. There is a mobility tunnel between the anchor and foreign WLC.
2) Under the AAA configuration, configure the ISE servers and enable ISE NAC under the WLAN settings.
3) Configure the pre-auth ACL or REDIRECT ACL on the anchor WLC; this ACL is used to redirect the guest user to the ISE self-registration portal.
ACL: permit DNS, permit ISE servers, deny all other traffic.
Now all traffic is redirected from the AP to the foreign WLC and then to the anchor WLC.
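Both the firewall rule pair and the redirect ACL are first-match lists, and both go wrong if the rules are reordered. The evaluator below, added as an example (not code from the post or from any vendor CLI), encodes the two lists exactly as described above and tests them against constructed packets; the guest subnet, ISE server addresses and destinations are documentation-range values chosen for the example, not values from the post.

```javascript
// Added example (not from the post or any vendor CLI): a first-match ACL evaluator
// used to check the guest firewall rule order and the WLC pre-auth/redirect ACL
// described above against constructed packets. All addresses are constructed.

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if ip falls inside cidr ("a.b.c.d/n", a bare host address, or "any").
function inCidr(ip, cidr) {
  if (cidr === "any") return true;
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// First matching rule wins; with no match the result is an implicit deny.
// pkt: { src, dst, proto, dport }; rule: { src: [...], dst: [...], proto, dport?, action }.
function evaluate(acl, pkt) {
  for (const rule of acl) {
    const srcOk = rule.src.some(c => inCidr(pkt.src, c));
    const dstOk = rule.dst.some(c => inCidr(pkt.dst, c));
    const protoOk = rule.proto === "ip" || rule.proto === pkt.proto;
    const portOk = rule.dport === undefined || rule.dport === pkt.dport;
    if (srcOk && dstOk && protoOk && portOk) return rule.action;
  }
  return "deny";
}

const GUEST_SUBNETS = ["192.0.2.0/24"];                          // constructed guest VLAN
const RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];
const ISE_SERVERS = ["198.51.100.10/32", "198.51.100.11/32"];     // constructed ISE PSNs

// Firewall rules from the post, in order: block RFC-1918, then permit everything else.
const firewallAcl = [
  { src: GUEST_SUBNETS, dst: RFC1918, proto: "ip", action: "block" },
  { src: GUEST_SUBNETS, dst: ["any"], proto: "ip", action: "permit" },
];

// Anchor WLC pre-auth / redirect ACL: permit DNS, permit ISE servers, deny the rest.
const redirectAcl = [
  { src: ["any"], dst: ["any"], proto: "udp", dport: 53, action: "permit" },
  { src: ["any"], dst: ISE_SERVERS, proto: "ip", action: "permit" },
  { src: ["any"], dst: ["any"], proto: "ip", action: "deny" },
];

// Same firewall rules with the order reversed, to show why order matters.
function reversedFirewallAcl() {
  return firewallAcl.slice().reverse();
}
```

Against `firewallAcl`, a guest packet to 10.1.1.1 is blocked and one to 203.0.113.5 is permitted; against `reversedFirewallAcl()` the permit-any rule matches first and the private destination is reachable. On the redirect ACL, DNS and the ISE servers pass and everything else is denied, which is what triggers the portal redirect.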


If you have any queries then please feel free to comment below.


