Table of Contents
3850 Switch Wired C3PL Configuration
  Overall Design
  3850 Switch C3PL Configuration Steps
    Configure the HTTP Server on the Switch
    Configure the Global AAA Commands
    Configure the Global RADIUS Commands
    Configure Local Access Control Lists and Local Service Templates
    Configure the Global 802.1X Commands
    Configure Control Class
    Configure Control Policy
ISE Configuration
Overall Design
The following diagram shows the overall layout of the components. There are two types of users, Employee users and
Contractor users. Employee users authenticate via Active Directory, and Contractor users authenticate locally against the
ISE internal database. Contractor users are also assigned VLAN 40 using the service template feature on the 3850
switch. Although we won't go into the details of the different Bring Your Own Device (BYOD) or posture policies
within Cisco Identity Services Engine (ISE), this setup provides a baseline for such operations. This document only
covers the baseline configuration on 3850 switches for wired access using C3PL syntax; for deploying the 3850 on a
wireless network, or for other ISE configurations, please refer to the respective ISE How-to documents.
Components
Cisco ISE 1.2.0.899
Note: Simply put, once we start entering C3PL-based commands, we will not be able to revert to the legacy-style
configuration mode. A warning appears when C3PL commands are entered. To go back to legacy mode, enter
‘authentication display legacy’.
Cisco IOS® Software does not allow for certificates, or even self-generated keys, to be created and
installed without first defining a DNS domain name on the device. Enter the following:
Note: To avoid possible certificate mismatch errors during web redirection, we recommend that you use a
certificate that is issued by your trusted certificate authority instead of a local certificate. This topic is
beyond the scope of this document.
Step 3 Enable the HTTP servers on the switch.
The HTTP server must be enabled on the switch to perform the HTTP/HTTPS capture and redirection.
Enter the following:
Note: Do not run the ip http secure-server command before generating the keys in step 2. If you perform the
commands out of order, the switch automatically generates a certificate with a smaller key size, and that
certificate can cause undesirable behaviour when redirecting HTTPS traffic. Unlike a WLC running AireOS, the
3850 Series wireless does support redirection of HTTPS requests; however, endpoints will be prompted to trust
the switch’s self-signed certificate during the redirection.
Step 4 Disable HTTP and HTTPS for other switch management functions (optional):
Note: This also disables management access to the 3850 wireless configuration, as well as configuration from NCS
Prime Infrastructure.
3850(config)#aaa new-model
Note: This command enables any of the services that AAA network security services provide—for example, local
login authentication and authorization, defining and applying method lists, and so on. For further details, please refer
to the Cisco IOS Security Configuration Guide.
Step 2 Create an authentication method for 802.1X.
An authentication method is required to instruct the switch on which group of RADIUS servers to use for
802.1X authentication requests:
Best Practice: ISE 1.2 has a feature to suppress authentications that match certain conditions. We will use that
feature to suppress the RADIUS keepalive messages. See the end of this document for instructions.
Step 1 Add the Cisco ISE servers to the RADIUS group.
In this step we will add each Cisco ISE Policy Services Node (PSN) to the switch configuration, using the
radius-test account. Repeat for each PSN.
3850(config)#radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123
Note: The server will be proactively checked for responses once every 5 minutes, in addition to any authentications or
authorizations occurring through normal processes. This value may be too aggressive for deployments on ISE versions
earlier than 1.2, which lack the log suppression feature; in that case increase this value to 60 minutes or higher.
Step 2 Set the dead criteria.
The switch has been configured to proactively check the Cisco ISE server for RADIUS responses. Now configure the
counters on the switch that determine whether the server is alive or dead. Our settings will wait 10 seconds for a response
from the RADIUS server and attempt the test 3 times before marking the server dead, so a Cisco ISE server that does not
return a valid response within 30 seconds is marked dead. The deadtime defines how long the switch keeps the server
marked dead; we are setting it to 15 minutes.
Note: We will discuss high availability in more detail in the deployment mode sections.
Step 3 Enable change of authorization (CoA).
Previously we defined the IP address of a RADIUS server that the switch will send RADIUS messages to. However,
we define the servers that are allowed to perform change of authorization (RFC 3576) operations in a different listing,
also within global configuration mode, as follows:
Step 5 Ensure the switch always sends RADIUS requests from the correct interface.
Switches often have multiple IP addresses associated with them. Therefore, it is a best practice to always
force management communications to occur through a specific interface. This interface's IP address
must match the IP address defined in the Cisco ISE Network Device object.
Cisco Best Practice: As a network management best practice, use a loopback adapter for all management
communications, and advertise that loopback interface into the internal routing protocol.
Step 2 Add the following ACL, to be used as the initial ACL on the interface prior to authentication:
Step 3 Add the following ACL, to be used when none of the RADIUS servers is reachable:
Step 4 Add the following Service Template, called ‘CRITICAL’, to be used when none of the RADIUS servers
is reachable:
3850(config)#service-template CRITICAL
3850(config-service-template)#description Apply When none of the RADIUS servers are reachable
3850(config-service-template)#access-group PERMIT-ANY
Note: Just like a Downloadable ACL (DACL), a Service Template can be centrally located on ISE and downloaded
during authorization. However, the template above is meant to be used while none of the ISE nodes is available, in
which case there is no way to download a service template, so we are creating a local one.
Note: There are some uncommon cases with Windows 7 and devices that do not respond to ARPs where it may be
required to use the command ‘ip device tracking use SVI’.
Step 2 Configure the Control Class for when 802.1X authentication has failed for the session.
Here, the control policy will be created with the control classes created in the previous section and finally applied to a
range of interfaces.
Step 3 Configure the control policy that will be applied to all 802.1X/MAB-enabled interfaces.
Step 6 When a supplicant is detected on the endpoint, the switch will attempt to authenticate the endpoint using
802.1X.
Step 7 Configure the action for when 802.1X authentication fails, either because no RADIUS server is available or
because the authentication itself failed.
This is broken into two parts. The first failure is when no RADIUS server is available to process the
authentication request. In this case, the policy activates the local service template called ‘CRITICAL’,
which applies the permit-all ACL and a specific VLAN if necessary. The second failure is when 802.1X
authentication fails, in which case MAB will be performed.
Note: Since we will be using Central WebAuth, which sends an ACCESS-ACCEPT even for an unknown MAC address,
there will be no failure for MAB, thus the failure event for MAB is not defined in the above configuration.
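The two-part failure handling described in Step 7 can be checked against the AAA-DOWN and DOT1X-FAILED class maps from the switch configuration. The following is an added model written for this document, not the switch's own code: it assumes the authentication-failure event evaluates the classes in the listed order (C3PL match-first) and takes the actions the text assigns to each case, and it simplifies "match result-type method dot1x authoritative" to a method/result pair.

```python
"""Added example: model of how the AAA-DOWN and DOT1X-FAILED control classes select
the failure action described in Step 7 (not the switch's own code)."""

# Class maps copied from the switch configuration: (match mode, [(attribute, value), ...]).
CLASS_MAPS = {
    "AAA-DOWN": ("match-any", [("result-type", "aaa-timeout")]),
    "DOT1X-FAILED": ("match-all", [("method", "dot1x"), ("result-type", "authoritative")]),
}

# Assumed layout of the authentication-failure event: the first listed class that
# matches decides (C3PL 'match-first'), with the actions the text gives for each case.
FAILURE_EVENT = [
    ("AAA-DOWN", ["activate service-template CRITICAL"]),
    ("DOT1X-FAILED", ["authenticate using mab"]),
]

def class_matches(name, session):
    """Evaluate one control class against a session's attributes."""
    mode, criteria = CLASS_MAPS[name]
    hits = [session.get(attr) == value for attr, value in criteria]
    return any(hits) if mode == "match-any" else all(hits)

def on_authentication_failure(session):
    """Return the actions the policy takes for a failed authentication attempt."""
    for name, actions in FAILURE_EVENT:
        if class_matches(name, session):
            return actions
    return []  # no class matched, e.g. MAB, for which the page defines no failure action
```

A dot1x attempt that times out against every RADIUS server lands in CRITICAL rather than falling through to MAB, while a MAB result never matches either class.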
3850(config-if-range)#spanning-tree portfast
3850(config-if-range)#authentication periodic
3850(config-if-range)#authentication timer reauthenticate server
3850(config-if-range)#mab
3850(config-if-range)#ip access-group DEFAULT-ACL in
3850(config-if-range)#access-session host-mode multi-auth
3850(config-if-range)#no access-session closed
3850(config-if-range)#dot1x timeout tx-period 10
3850(config-if-range)#access-session port-control auto
3850(config-if-range)#no shutdown
hostname 3850
!
aaa new-model
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 15
!
aaa server radius dynamic-author
client 192.168.201.88 server-key cisco123
auth-type any
!
vlan 10
name USER
vlan 11
name VOICE
!
interface vlan 10
ip address 192.168.10.1
ip helper 192.168.201.72
ip helper 192.168.201.88
no shut
interface vlan 11
ip address 192.168.11.1
ip helper 192.168.201.72
ip helper 192.168.201.88
no shut
!
ip device tracking
!
ip domain-name example.com
!
crypto key generate rsa general-keys modulus 2048
!
dot1x system-auth-control
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
ip access-list extended DEFAULT-ACL
permit udp any host 192.168.201.72 eq domain
permit udp any eq bootpc any eq bootps
deny ip any any
ip access-list extended PERMIT-ANY
permit ip any any
ip access-list extended REDIRECT-ACL
deny udp any host 192.168.201.72 eq domain
deny udp any eq bootpc any eq bootps
deny ip any host 192.168.201.88
permit ip any any
!
service-template CRITICAL
description Apply When none of the RADIUS servers are reachable
access-group PERMIT-ANY
!
class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
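The DEFAULT-ACL and REDIRECT-ACL in the configuration above are read with opposite meanings: the port ACL decides what an unauthenticated endpoint may send at all, while in a URL-redirect ACL a permit means "redirect this flow to ISE" and a deny means "leave it alone". The following is an added example written for this document, not code from the page or from Cisco; it parses the two ACL bodies exactly as they appear above and applies first-match, implicit-deny semantics to constructed sample flows (the 192.168.10.50 client and 8.8.8.8 destination are made up).

```python
"""Added example: evaluate the page's DEFAULT-ACL and REDIRECT-ACL with IOS ACL semantics."""

PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}  # port keywords used in the ACLs

def _addr(tok):  # consume 'any' or 'host A.B.C.D'; None means any address
    return (tok[1], tok[2:]) if tok[0] == "host" else (None, tok[1:])

def _port(tok):  # consume an optional 'eq <keyword>'; None means any port
    return (PORTS[tok[1]], tok[2:]) if tok and tok[0] == "eq" else (None, tok)

def parse_acl(text):
    """Parse extended ACEs of the form used on the page into tuples."""
    acl = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        acl.append((action, proto, src, sport, dst, dport))
    return acl

def first_match(acl, pkt):
    """IOS semantics: the first matching ACE decides; implicit deny at the end."""
    proto, src, sport, dst, dport = pkt
    for action, a_proto, a_src, a_sport, a_dst, a_dport in acl:
        if (a_proto in ("ip", proto) and a_src in (None, src) and a_sport in (None, sport)
                and a_dst in (None, dst) and a_dport in (None, dport)):
            return action
    return "deny"

# ACL bodies copied from the switch configuration above; 192.168.201.72 is the
# DNS/DHCP server and 192.168.201.88 the ISE PSN from that configuration.
DEFAULT_ACL = parse_acl("""
permit udp any host 192.168.201.72 eq domain
permit udp any eq bootpc any eq bootps
deny ip any any
""")
REDIRECT_ACL = parse_acl("""
deny udp any host 192.168.201.72 eq domain
deny udp any eq bootpc any eq bootps
deny ip any host 192.168.201.88
permit ip any any
""")

def pre_auth_permitted(pkt):  # port ACL ('ip access-group DEFAULT-ACL in'): permit = forward
    return first_match(DEFAULT_ACL, pkt) == "permit"

def redirected(pkt):  # URL-redirect ACL: permit = redirect to the ISE portal, deny = no redirect
    return first_match(REDIRECT_ACL, pkt) == "permit"
```

Flows are (protocol, source, source port, destination, destination port) tuples; DNS and DHCP pass before authentication without redirection, traffic to the ISE PSN is never redirected so the portal stays reachable, and any other web request is redirected.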
ISE Configuration
With ISE 1.2, a service template can be configured and applied during authorization on the 3850 switches. Service
templates are collections of authorizations, such as VLANs, ACLs and URL-redirect ACLs, that can be applied as part of
authorization once an endpoint is authenticated via 802.1X, MAB, WebAuth, or CoA. A service template can be
configured locally on the switch as well as on ISE. When ISE applies a service template as part of authorization and
the template does not exist on the switch, the switch retrieves it from ISE. This operation is similar to how dACLs
work between IOS platforms and ISE. Other than service templates, there is no specific configuration for ISE to
integrate with 3850 switches. While this document covers policies related to BYOD, please refer to the BYOD how-to
guide for configuring the underlying services that enable BYOD, including the CA server, external identity sources, and
the supplicant provisioning policy.
Step 4 Click on Add to create the Permit_ACL Authorization Profile with the following parameters.
Table 1. Authorization Profile Parameters
Name: Permit_ACL

Name: Internet_VLAN_Template
VLAN: 40
RADIUS:Session-Timeout: 7200
Configure Policy
Step 1 Navigate to Policy > Policy Set.
Step 2 Click on the + sign on the left pane and click Create Above.
Step 5 Select ‘User Name’ from the Attribute pull down menu.
Step 6 Enter ‘radius-test’ for Value.
Step 7 Select ‘Filter All’ from the Filter Type pull down menu.
Step 8 Click Save.
Validation
Server Policies:
Server Policies:
Template: Internet_VLAN_Template (priority 100)
Vlan Group: Vlan: 40
Also, notice that there is an event in ISE that shows the username ‘Internet_VLAN_Template’; this is when the 3850
requested the template content from ISE.
Figure 8. Template
Local Policies:
Template: CRITICAL (priority 150)
Filter-ID: PERMIT-ANY