ahmad_nahawi
Level 1

ISE 2.4 Posture using SNMP COA with extreme switches

Introduction:

This document describes posture configuration with third-party switches (Extreme switches).

Prerequisites

Cisco recommends that you have knowledge of these topics:

• Basic knowledge of SNMP Protocol

• Prior knowledge of regular expressions

• Prior knowledge of Cisco Identity Service Engine (ISE)

• Identity Service Engine 2.4.

• Anyconnect 4.5.03040.

• SNMP Supported Switches

• Extreme Switch.

Components Used

The information in this document is based on ISE version 2.4 and an Extreme switch X440-48p running version 16.2.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Two new features were used to get posture working with Extreme switches:

1. Call home list in ISE 2.2 and later:

Extreme switches don't support URL redirection, so we used this feature to allow AnyConnect (AC) posture to discover the PSN and make a connection with it.

2. SNMP CoA separate request in ISE 2.4:

This feature was developed in ISE version 2.4 to fix bug CSCvd06733.

Without it, SNMP CoA sends both values (disable/enable) in the same request. The Extreme switch cannot perform this request; it requires each value in a separate request, and this feature fixes the compatibility issue with Extreme switches.

Configure Switch:

Step.1 AAA & Dot1X configuration:

- configure radius netlogin primary server (PSN IP address) 1812 client-ip (Switch IP address) vr VR-Default

- configure radius netlogin primary shared-secret (plain text)

- enable radius netlogin

- configure netlogin vlan (VLAN name )

- enable netlogin dot1x

- configure netlogin dynamic-vlan enable

- configure netlogin dynamic-vlan uplink-ports 48

- enable netlogin ports 1-40 dot1x

Step.2 SNMP configurations:

- configure snmpv3 add user snmp authentication md5 v3adminauth privacy des v3adminpriv

- configure snmpv3 add group v3group user snmp sec-model usm

- configure snmpv3 add access v3group sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView notify-view defaultAdminView

- disable snmp access snmp-v1v2c

- disable snmpv3 default-user

- disable snmpv3 default-group

Configure ISE:

Step.1 Add the device profile and enable SNMP separate request:

Administration > Network Resources > Network Device profile > Add

A NAD profile for Extreme switches is attached to this document.

[Screenshots: Add NAD Profile-1.PNG through Add NAD Profile-6.PNG]

Step.2 Add the network device and assign the device profile:

Administration > Network Resources > Add

[Screenshots: Add NAD-1.PNG through Add NAD-4.PNG]

Step.3 Add Extreme attributes:

We added the Extreme VLAN tag attribute; all of the Extreme attributes are shown below.

Policy > Policy Elements > Dictionaries > System > Radius > Radius Vendor

[Screenshots: Add Atrri.PNG, Add Atrri-2.PNG, Add Atrri-3.PNG, Add Atrri-4.PNG]

Step.4 Client Provisioning:

     a. Add the AnyConnect package and the AnyConnect compliance module:

          Policy > Result > Client Provisioning > Resources > Add

          [Screenshot: Client Provis Resources-1.PNG]

     b. Create and upload the NAM profile:

          We created the NAM profile using the NAM profile editor.

          Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.0 - Configuring Network Access Manager [Cisco Any…

     c. Create the posture profile:

          [Screenshots: Posture Profile-1.PNG, Posture Profile-2.PNG]

     d. Create the AnyConnect configuration:

          We configured two profiles (the first one based on AnyConnect compliance module 4.X and the second one for version 3.X).

          [Screenshots: AnyConnect Configuration-1.PNG, AnyConnect Configuration-2.PNG]

Step.5 Client Provisioning Policy:

[Screenshot: ClientProv-Policy.PNG]

Step.6 Posture Conditions:

An anti-virus condition was tested.

[Screenshots: AntiVir-Cond-1.PNG, AntiVir-Cond-2.PNG]

Step.7 Posture requirement:

[Screenshot: Posture req-1.PNG]

Step.8 Posture Policy:

[Screenshot: Posture Policy.PNG]

Step.9 Authorization profile:

[Screenshot: AuthZ profile.PNG]

Step.10 Policy Set:

[Screenshots: Policy Set-1.PNG, Policy Set-2.PNG, Policy Set-3.PNG]

Deploy NAM module:

The NAM module was installed on Windows 7 from the Cisco AnyConnect pre-deploy file.

          Created by Ahmad Al-Nahawi

               System Engineer at BMBGroup

Comments

This is a great document with very helpful information.

Thanks Ahmad for sharing the knowledge.

ayousef
Cisco Employee

Thanks Ahmad for sharing this document,

Way to go my friend   

osama_masoud
Level 1

Well done Ahmad. Liked your explanation and screenshots showing everything step by step. A valuable addition to the community. Keep it up buddy

Thank you.. Ahmad for sharing all the details

and can you please share the UnComp-AuthZ authorization profile details as well

ahmad_nahawi
Level 1

Thank you Fernando.

The UnComp-AuthZ profile is the same as the Comp-AuthZ profile; I just restrict the user access by pushing the VLAN tag in the UnComp-AuthZ profile.

This VLAN has access to the PSN and to the DNS server. Also, we don't use web redirection because it's not supported, and we used the Call-home list instead of it.

Thank you.. Ahmad

sajid231088
Level 1

Hi All,

Could you please help me in configuring posture for ISE 2.4 using SNMP CoA with Cisco 2960L switches?

Thanks in advance.

sajid231088
Level 1

Dear Craig,

Thanks for your reply.

Actually I am a newbie on Cisco ISE. Could you please share the configuration required on the Cisco 2960 switch and on ISE for posturing using SNMP?

Regards,

thomas
Cisco Employee
Sajid, please review all of the Identity Services Engine (ISE) Community Resources @ https://community.cisco.com/t5/security-documents/identity-services-engine-ise-community-resources/ta-p/3621621

Specifically, under Secure Wired Access see the ISE Wired Access Deployment Guide @ https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515

Daniel Stefani
Level 1

Hello Ahmad, thank you for your contribution.

I am implementing using your instructions, but I am getting a loop situation after SNMP CoA: the endpoint restarts a new authentication process and consequently a new posture process that does a new SNMP CoA. Do you have any tips for this behavior?

Best Regards,

Daniel Stefani

Daniel Stefani
Level 1

Hello all,

 

Was missing the following accounting configurations:

 

  • "configure radius-accounting netlogin primary server <PSN-IP-Address> 1813 client-ip <Switch-IP-Address> vr VR-Default"
  • "configure radius-accounting netlogin primary shared-secret <Plain Text>"
  • "enable radius-accounting netlogin"

Now it's working.

 

Best Regards,

Daniel Stefani
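
A configuration check for the switch commands on this page, as an added example that is not part of the original document or of the comment above: it confirms that the Step.1/Step.2 commands and the accounting commands from that comment are present, and flags the MD5/DES SNMPv3 settings. The check names, the `audit` function, and the sample addresses and secret are constructed for illustration.

```python
import re

# Checks come from this page: Step.1/Step.2 of the switch section plus the RADIUS
# accounting commands from the comment. Patterns match commands as typed here;
# "show configuration" output on a given EXOS release may differ (assumption).
SNMP_USER = r"^configure snmpv3 add user (\S+) authentication (\S+) \S+ privacy (\S+) \S+"
REQUIRED = {
    "radius-auth-server": r"^configure radius netlogin primary server \S+ 1812 client-ip \S+",
    "radius-auth-secret": r"^configure radius netlogin primary shared-secret \S+",
    "radius-auth-enable": r"^enable radius netlogin$",
    "radius-acct-server": r"^configure radius-accounting netlogin primary server \S+ 1813 client-ip \S+",
    "radius-acct-secret": r"^configure radius-accounting netlogin primary shared-secret \S+",
    "radius-acct-enable": r"^enable radius-accounting netlogin$",
    "dot1x-enable": r"^enable netlogin dot1x$",
    "dynamic-vlan": r"^configure netlogin dynamic-vlan enable$",
    "snmpv3-user-authpriv": SNMP_USER,
    "snmpv3-priv-access": r"^configure snmpv3 add access \S+ sec-model usm sec-level priv\b",
    "snmp-v1v2c-disabled": r"^disable snmp access snmp-v1v2c$",
    "snmpv3-default-user-disabled": r"^disable snmpv3 default-user$",
    "snmpv3-default-group-disabled": r"^disable snmpv3 default-group$",
}

def audit(config_text):
    """Return (missing_checks, warnings) for a list of EXOS commands."""
    lines = [" ".join(l.strip().lstrip("-• ").split()) for l in config_text.splitlines()]
    missing = [n for n, pat in REQUIRED.items() if not any(re.search(pat, l) for l in lines)]
    users = [m for l in lines if (m := re.match(SNMP_USER, l))]
    warnings = [f"snmpv3 user {m.group(1)}: legacy algorithm {alg}"
                for m in users for alg in m.group(2, 3) if alg.lower() in ("md5", "des")]
    return missing, warnings

# Constructed sample input: the page's commands with documentation-range addresses.
ARTICLE_CONFIG = """\
configure radius netlogin primary server 192.0.2.10 1812 client-ip 192.0.2.20 vr VR-Default
configure radius netlogin primary shared-secret EXAMPLE-SECRET
enable radius netlogin
enable netlogin dot1x
configure netlogin dynamic-vlan enable
configure snmpv3 add user snmp authentication md5 v3adminauth privacy des v3adminpriv
configure snmpv3 add access v3group sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView notify-view defaultAdminView
disable snmp access snmp-v1v2c
disable snmpv3 default-user
disable snmpv3 default-group
"""
ACCOUNTING = """\
configure radius-accounting netlogin primary server 192.0.2.10 1813 client-ip 192.0.2.20 vr VR-Default
configure radius-accounting netlogin primary shared-secret EXAMPLE-SECRET
enable radius-accounting netlogin
"""
print(audit(ARTICLE_CONFIG))
```

Run against the article's commands alone, the three accounting checks are reported missing; appending `ACCOUNTING` clears them, while the MD5/DES warnings remain until the SNMPv3 user is changed.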

CSCO12550173
Level 1

Hi all, I'm getting the following error from ISE:

Event 5400 Authentication failed
Failure Reason 11014 RADIUS packet contains invalid attribute(s)

On the Extreme device, the lines that you put in are:

configure radius netlogin primary server 10.8.54.120 1812 client-ip 10.8.54.121 vr VR-Default

configure radius netlogin primary shared-secret encrypted "Didata2019"

enable radius netlogin
configure netlogin vlan cisco

configure netlogin dynamic-vlan enable

configure netlogin dynamic-vlan uplink-ports 48

enable ports 11-24 dot1x

configure netlogin ports 2 mode port-based-vlans
configure netlogin ports 2 no-restart

and SNMP is configured.

So, I have a few questions: is it imperative to have SNMPv3, or can SNMPv2 be used?

But the devices and users are not going to the check when I take a tcp dump.

Do you know which other attributes we have to put in the ISE device?

This is the tcp dump and the RADIUS challenge:

 

18:27:16.482677 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 134)
X.X.X.X.41884 > srv-ise-: RADIUS, length: 106
Access-Request (1), id: 0x5c, Authenticator: 4222cceb304c20525556ce28010d3cf6
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 13, Value: ..
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
Message-Authenticator Attribute (80), length: 18, Value: {....w..]...._.c
18:27:16.486793 IP (tos 0x0, ttl 64, id 11075, offset 0, flags [DF], proto UDP (17), length 180)
srv-ise > X,X,X,X 1884: RADIUS, length: 152
Access-Challenge (11), id: 0x5c, Authenticator: 4a5051e21408fcb0f25eb794f08b3998
State Attribute (24), length: 106, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql2U;34SessionID=srv-ise-poc/334695666/92;
EAP-Message Attribute (79), length: 8, Value: .d
Message-Authenticator Attribute (80), length: 18, Value: .M>F.
18:27:16.491115 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 355)
X.X.X.X.41884 > srv-ise: RADIUS, length: 327
Access-Request (1), id: 0x5d, Authenticator: 34a2b32737e5e7c059c32f31161a99b3
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 168, Value: .d
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 66, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql
Message-Authenticator Attribute (80), length: 18, Value: <.1.B.^.w....n..
18:27:16.494422 IP (tos 0x0, ttl 64, id 11077, offset 0, flags [DF], proto UDP (17), length 66)
srv-ise > X.X.X.X.41884: RADIUS, length: 38
Access-Reject (3), id: 0x5d, Authenticator: a7b41552a449bf5985ff3ec0b104379e
Message-Authenticator Attribute (80), length: 18, Value: p.......3.@E^.$.

 

 

 

hanguye3
Cisco Employee

Hi bros,

I am working on the integration between ISE (2.4 Patch 8) and the ExtremeSW (15.3.4) and need your advice on defining the flow conditions:

- RADIUS: NAS Identifier X440-48p

Correct me if I am wrong, but we have to manually define the highlighted item (X440-48p), as it does not exist in the ISE database, right?

Any quick response is highly appreciated. Thanks in advance.

Br,

hainm


rajczmic
Level 1

Hi all,

Does anyone have experience with MAB working on Extreme EXOS switches? 802.1X works fine, but I am missing some setting that will make the Cisco IP phone go to the appropriate VLAN using the MAB function. The policy for MAB authentication is the first one, but nothing falls into it... I have ISE 3.1.

Best regards

Michal

 
