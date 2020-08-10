
Cisco ISE & F5 Configuration Guide Dot1x Load Balancing Using F5 BIG-IP
2. On switch SW-1, configure the RADIUS server. Use the IP address 10.1.6.99; this is the IP address of the virtual server that we will configure later on the BIG-IP.
    SW-1(config)#radius server ISE-RAD
    SW-1(config-radius-server)#address ipv4 10.1.6.99
    SW-1(config-radius-server)#key cisco
Enable AAA and create an 802.1X authentication method list.
    SW-1(config)#aaa new-model
    SW-1(config)#aaa authentication dot1x default group radius
Enable 802.1X authentication globally on the switch.
    SW-1(config)#dot1x system-auth-control
Configure the switch to use RADIUS authorization.
    SW-1(config)#aaa authorization network default group radius
Configure the switch for RADIUS accounting.
    SW-1(config)#aaa accounting dot1x default start-stop group radius
Configure port Fa2/10 for access mode.
    SW-1(config)#int fa2/10
    SW-1(config-if)#switchport mode access
Enable 802.1X authentication on port Fa2/10.
    SW-1(config-if)#authentication port-control auto
    SW-1(config-if)#dot1x pae authenticator
Access the BIG-IP.lab.local GUI. Create a RADIUS health monitor for authentication to determine the RADIUS server health status. Navigate to Local Traffic » Monitors » New Monitor.
3. General Properties:
    Name: PSN-Auth-Monitor
    Type: RADIUS
    Parent Monitor: radius
   Configuration:
    User Name: f5-monitor
    Password: Cisco123
    Secret: cisco
    Alias Service Port: 1812
4. Create a RADIUS health monitor for accounting to determine the RADIUS server health status.
   General Properties:
    Name: PSN-Acct-Monitor
    Type: RADIUS_Accounting
    Parent Monitor: radius_accounting
   Configuration:
    User Name: f5-monitor
    Secret: cisco
    Alias Service Port: 1813
5. Create pools for authentication and accounting requests. Navigate to Local Traffic » Pools » Pool List, then click Create.
   For RADIUS authentication requests, Configuration section:
    Configuration: Basic
    Name: PSN-Auth-Pool
    Health Monitors: PSN-Auth-Monitor
   Resources section:
    Load Balancing Method: Round Robin
    Priority Group Activation: Disabled
    Node Name: (Leave blank)
    New Members: Address:Port 10.1.5.10:1812, click Add
6.  New Members: Address:Port 10.1.5.11:1812, click Add
   When complete, click Finished.
   For RADIUS accounting requests, Configuration section:
    Configuration: Basic
    Name: PSN-Acct-Pool
    Health Monitors: PSN-Acct-Monitor
   Resources section:
    Load Balancing Method: Round Robin
    Priority Group Activation: Disabled
    Node Name: (Leave blank)
    New Members: Address:Port 10.1.5.10:1813, click Add
7.  New Members: Address:Port 10.1.5.11:1813, click Add
   When complete, click Finished.
   For non-load-balanced traffic such as PAN/MnT/PSN node communications, we need a virtual server of type Forwarding (IP). Configure a Forwarding (IP) virtual server to forward general inbound IP traffic; this virtual server is applied to connections initiated from the outside (external) network (from PAN/MnT to the PSNs).
   General Properties:
    Name: in-fwr-vs
    Type: Forwarding (IP)
    Destination Address/Mask: 10.1.5.0/24
    Service Port: * (All Ports)
8.  Availability: Unknown (No service validation via health monitors)
   Configuration (Advanced):
    Protocol: All Protocols
    VLANs and Tunnels: external
   When complete, click Finished.
9. Configure a Forwarding (IP) virtual server to forward general outbound IP traffic; this virtual server is applied to connections initiated from the PSN (internal) network (from the PSNs to PAN/MnT).
   General Properties:
    Name: out-fwr-vs
    Type: Forwarding (IP)
    Destination Address/Mask: 10.1.8.0/24
    Service Port: * (All Ports)
    Availability: Unknown (No service validation via health monitors)
   Configuration (Advanced):
    Protocol: All Protocols
    VLANs and Tunnels: internal
   When complete, click Finished.
10. Create the virtual servers that will use the pools created in the previous step. Navigate to Local Traffic » Virtual Servers » Virtual Server List, then click Create. For RADIUS authentication processing, create a virtual server with the following settings.
11. General Properties section:
    Name: PSN-auth-vs
    Type: Standard
    Destination Address/Mask: 10.1.6.99
    Service Port: 1812
    State: Enabled
   Configuration section:
    Protocol: UDP
   Resources section:
    Default Pool: PSN-auth-pool
   When complete, click Finished.
12. For RADIUS accounting processing, create a virtual server with the following settings.
   General Properties section:
    Name: PSN-acct-vs
    Type: Standard
    Destination Address/Mask: 10.1.6.99
    Service Port: 1813
    State: Enabled
   Configuration section:
    Protocol: UDP
   Resources section:
    Default Pool: PSN-acct-pool
   When complete, click Finished.
13. Verify the states of the virtual servers. Because all ISE nodes are standalone by default, you must first promote the ISE node that will become the Primary Administration Node (PAN) from standalone to primary. From the PAN-MnT-1 GUI, perform the following steps: choose Administration > System > Deployment. Select the ISE node and click the Make Primary button. Ensure that PAN-MnT-1 is the primary PAN and secondary MnT.
14. From the PAN-MnT-1 GUI on the primary PAN, you will register and assign personas to all ISE nodes. Choose Administration > System > Deployment. Choose Register an ISE Node. In the Host FQDN field, enter the DNS name of the first ISE node you will be joining to the deployment, PAN-MnT-2.lab.local.com. In the username and password fields, enter the administrator name (admin) and password. Click Next. Select the PAN-MnT-2 node as the secondary PAN and primary MnT; PAN-MnT-1 remains the primary PAN and secondary MnT.
15. From the PAN-MnT-1 GUI on the primary PAN, you will register the two PSNs, PSN-1 and PSN-2, located behind the F5 BIG-IP. Choose Administration > System > Deployment. Choose Register an ISE Node. In the Host FQDN field, enter the DNS name of the first PSN you will be joining to the deployment, PSN-1.lab.local.com. In the username and password fields, enter the administrator name (admin) and password. Click Next. Ensure that Policy Service, Profiling Service and Device Admin are enabled on the PSN-1 node.
16. From the PAN-MnT-1 GUI on the primary PAN, you will register the second PSN, PSN-2, located behind the F5 BIG-IP. Choose Administration > System > Deployment. Choose Register an ISE Node. In the Host FQDN field, enter the DNS name of the second PSN you will be joining to the deployment, PSN-2.lab.local.com. In the username and password fields, enter the administrator name (admin) and password. Click Next. Ensure that Policy Service, Profiling Service and Device Admin are enabled on the PSN-2 node.
17. You should see that all nodes, PAN-MnT-2, PSN-1 and PSN-2, are joined as shown below. Configure node groups for Policy Service Nodes in a load-balanced cluster. When integrating with an F5 BIG-IP load balancer, ISE node groups optimize the replication of endpoint profiling data among the PSNs and also offer recovery of Posture Pending sessions in the event of a node failure. From the ISE admin interface of PAN-MnT-1, navigate to Administration > System > Deployment. In the left panel, click the gear icon to display the Create Node Group option. Enter ISE_Cluster_PSN as the name and click Submit.
18. Add PSN-1 and PSN-2 to the node group. Add a PSN to a node group by clicking the name of the PSN in either the left or the right panel. Edit the PSN-1 node, click the drop-down next to the Include Node in Node Group box, and select the name of the node group created for the load-balanced PSNs. Click Save to commit the changes.
19. Repeat the steps for PSN-2 so that it is added to the node group.
20. Create a user group. Navigate to Administration > Identity Management > Groups. Under User Identity Groups, click Add. In the Name field, enter F5-group. Click Submit.
21. Define an internal user for the F5 LTM RADIUS health monitor. F5 BIG-IP LTM has the ability to treat a failed authentication (RADIUS Access-Reject) as a valid response to the RADIUS health monitor: if ISE is able to provide any response, this indicates that the service is running. If you want the LTM to send valid credentials and receive a successful authentication response (RADIUS Access-Accept), then you need to configure the correct identity store, either internal or external to ISE, with the username and password sent by the BIG-IP LTM. Navigate to Administration > Identity Management > Identities. Create a user f5-monitor with password Cisco123. In the User Groups field, select F5-group. Click Submit.
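To make the monitor behaviour described on slides 3 and 21 concrete, here is an added Python example (not from the slide deck, Cisco or F5) that builds the Access-Request the PSN-Auth-Monitor sends (user f5-monitor, password Cisco123, shared secret cisco, as configured above) and applies the monitor's rule: a reply whose Response Authenticator validates with the shared secret counts as "up" whether it is an Access-Accept or an Access-Reject, while silence, a wrong Identifier or a reply built with a different secret counts as "down". The PSN replies are constructed locally with the same RFC 2865 rules; no PSN is contacted.

```python
"""Added example: a stdlib-only model of the BIG-IP RADIUS health monitor
exchange with a PSN (RFC 2865 packet layout, User-Password hiding and the
Response Authenticator check). Sample replies are constructed, not captured."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    # Attribute TLV: Type, Length (including this 2-byte header), Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous block); the first "previous block" is the Request Authenticator.
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(ciphertext, secret, authenticator):
    # What the PSN does on receipt: reverse the chaining, strip the NUL padding.
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fresh 16 random bytes per request
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def monitor_verdict(response, ident, request_authenticator, secret):
    """'up' only for a genuine Accept or Reject answering our request, else 'down'."""
    if response is None or len(response) < 20:
        return "down"  # timeout or runt packet
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return "down"  # not an answer to the request we sent
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "down"  # reply was not produced with our shared secret (or was altered)
    return "up" if code in (ACCESS_ACCEPT, ACCESS_REJECT) else "down"


if __name__ == "__main__":
    secret = b"cisco"  # shared secret from the monitor definition on slide 3
    req, auth = build_access_request(1, b"f5-monitor", b"Cisco123", secret)
    reject = build_response(ACCESS_REJECT, 1, auth, secret)  # constructed PSN reply
    print(len(req), monitor_verdict(reject, 1, auth, secret))
```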
22. Add the F5 BIG-IP LTM as a NAD for RADIUS health monitoring. Create a Network Device Group: navigate to Administration > Network Resources > Network Device Groups. Click Add and type F5-Device as the Name. Select All Device Types in the Parent Group field. Click Save.
23. Add the F5 BIG-IP as an AAA client in Cisco ISE. Navigate to Administration > Network Resources > Network Devices. The Network Devices window opens. In the right section, click Add. The AAA Client window opens. In the Name field, type BIG-IP.lab.local as the name of the device. In the IP Address field, enter 10.1.5.1/32. This is the IP address (Self IP) of the BIG-IP LTM's internal interface and the source IP address of the RADIUS requests as seen by the ISE PSNs. From the Device Type drop-down menu, select F5-Device. To activate RADIUS Authentication Settings, click the check box. In the Shared Secret field, enter the shared secret cisco. Click the Submit button.
24. We need to include the identity store used for checking the F5 RADIUS credentials in the authentication policy rule used to authenticate the F5 monitor. In this example, the identity store Internal Users must be included as the ID store for matching F5 BIG-IP requests. Navigate to Policy > Policy Sets. Click the plus icon (+) to create a new policy set. Enter F5 BIG-IP as the policy set Name. Click in the Conditions field to create a new condition and set the following condition: click the words Click to add an attribute to select an attribute for the new condition, click the Network Device symbol and select the condition DEVICE:Device Type EQUALS All Device Types#F5-Device. Assign the Allowed Protocols/Server Sequence named Default Network Access. Click Save.
25. Create an authentication policy to validate the RADIUS Access-Request credentials sent by the F5 BIG-IP. Navigate to Policy > Policy Set > F5 BIG-IP and edit the policy set. Click the (+) symbol to create a new authentication policy. Enter the name AuthC F5 BIG-IP. Click the (+) symbol to assign a condition to the rule. Assign the condition Network Access Device IP Address EQUALS 10.1.5.1. Use the identity source Internal Users.
26. Create an authorization policy for the monitor user. Enter the name AuthoZ F5 BIG-IP. Click in the Conditions field to add a condition with the following attributes: Internal Users: Identity Groups EQUALS User Identity Groups: F5-group. In the Results (Profiles), select the authorization profile PermitAccess. Click Save. Note: it is best practice to create an ISE authorization policy rule that matches specifically on the F5 IP address or ISE Network Device Group and the specific F5 test username, and returns a policy that denies network access with a DACL of deny ip any any, so that the monitor credentials can never be used to obtain real network access.
27. Navigate to Operations > Radius > Live Logs to see the ISE Live Authentications dashboard and notice that the health check is successful. Click Authentication Detail Report. You should see the appropriate policy set, authentication policy and authorization policy applied to the RADIUS requests sent by the F5 BIG-IP device.
28. Integrate the ISE cluster with Active Directory. In the pan-mnt-1 admin portal, navigate to Administration > Identity Management > External Identity Sources and then, in the left pane, select Active Directory. Enter AD in the Join Point Name field and lab.local in the Active Directory Domain field. Click Submit. Select all to join all ISE nodes to this Active Directory domain. In the Join Domain box, use the credentials Administrator / Cisco123. You should see similar output with node status Completed.
29. Click the lab.local entry under Active Directory. Click the Groups tab. Click the +Add button and choose Select Groups from Directory. Leave the Type Filter as ALL and click the Retrieve Groups… button.
30. Observe the list and notice that there are many groups that would likely not be applicable for policy matching in Cisco ISE.
31. From that list, select the following groups, then click OK:
    lab.local/Users/Domain Controllers
    lab.local/Users/Employee
    lab.local/Users/IT-Admin
    lab.local/Users/Managers
    lab.local/Users/Marketing
    lab.local/Users/Sales
    lab.local/Users/Trainig
32. Your list should match the following screenshot. Click Save at the bottom.
33. Create a Network Device Group: navigate to Administration > Network Resources > Network Device Groups. Click Add and type Wired as the Name. Select All Device Types in the Parent Group field. Click Save.
34. Add the switch SW-1 as an AAA client in Cisco ISE. Navigate to Administration > Network Resources > Network Devices. The Network Devices window opens. In the right section, click Add. The AAA Client window opens. In the Name field, type SW-1 as the name of your switch. In the IP Address field, enter 10.1.7.2/32; this is the IP address of the switch interface that will forward RADIUS packets to Cisco ISE. From the Device Type drop-down menu, select Wired. To activate RADIUS Authentication Settings, click the check box. In the Shared Secret field, enter the shared secret cisco. Click the Submit button.
35. Navigate to Policy > Policy Sets. Click the plus icon (+) to create a new policy set. Enter Wired as the policy set Name. Click in the Conditions field to create a new condition and set the following condition:
36. Click the words Click to add an attribute to select an attribute for the new condition. Click the Network Device symbol and select the condition DEVICE:Device Type EQUALS All Device Types#Wired. Assign the Allowed Protocols/Server Sequence named Default Network Access. Click Save.
37. Create an authentication policy for the wired connection. Navigate to Policy > Policy Set > Wired and edit the policy set. Click the (+) symbol to create a new authentication policy.
38. Enter the name DOT1X. Click the (+) symbol to assign a condition to the rule. Assign the condition Wired_802.1X. Use the identity source AD (External Identity Source).
39. Create an authorization policy for the Sales users. Enter the name Sales Access. Click in the Conditions field to add a condition with the following attributes: AD ExternalGroups EQUALS lab.local/Users/Sales. In the Results (Profiles), select the default authorization profile PermitAccess. Click Save.
40. From the client PC, open the AnyConnect client and select the wired connection named Wired-lab-local. A certificate warning is prompted; the issuer is PSN-1.lab.local, which is the first pool member, 10.1.5.10. Click Trust.
41. A username and password are required to access the network. Enter jdoe as the username and Cisco123 as the password; these credentials are already configured on the Active Directory server 10.1.8.14 and the user is assigned to the group Sales.
42. To verify that the authentication is successful, try to ping the AD server 10.1.8.14; the ping should be successful.
43. Access the BIG-IP TMSH command line and run the following tcpdump command to capture the traffic sourced from and destined to 10.1.7.2, the NAD switch, on port 1812. The traffic captured by the BIG-IP shows that the NAD 10.1.7.2 sent a RADIUS Access-Request with destination UDP port 1812 to the virtual server 10.1.6.99:1812. According to the load balancing algorithm configured on the pool associated with this virtual server (the default, round robin), the BIG-IP selects the first available pool member in the associated pool; in this case PSN-1 with IP address 10.1.5.10 is selected. Once the pool member is chosen, the BIG-IP performs a destination NAT, translating the destination IP 10.1.6.99 of the Access-Request to 10.1.5.10, as shown in the second Access-Request. At the end, we can see that the pool member 10.1.5.10 sent a RADIUS Access-Accept whose destination is the NAD's IP 10.1.7.2. The BIG-IP performs a source NAT: the source IP 10.1.5.10 is translated back to the virtual server address 10.1.6.99, as shown in the second Access-Accept.
44. From the pan-mnt-1 GUI, navigate to Operations > Radius > Live Logs. The authentication is successful for the client PC with the username jdoe. Click Authentication Detail Report (this option can be found under Details, next to the green check of your authenticated account). Note the following to confirm that the user jdoe has been authenticated against the authentication policy DOT1X, that the authorization policy Sales Access is applied, and that the policy server is PSN-1.
45. From the client PC, open the AnyConnect client again and select the wired connection named Wired-lab-local. A certificate warning is prompted; the issuer is now PSN-2.lab.local, which is the second pool member, 10.1.5.11. Click Trust.
46. The traffic captured by the BIG-IP shows that the NAD 10.1.7.2 sent a RADIUS Access-Request with destination UDP port 1812 to the virtual server 10.1.6.99:1812. According to the load balancing algorithm configured on the pool associated with this virtual server (the default, round robin), the BIG-IP selects the second available pool member in the associated pool; in this case PSN-2 with IP address 10.1.5.11 is selected. Once the pool member is chosen, the BIG-IP performs a destination NAT, translating the destination IP 10.1.6.99 of the Access-Request to 10.1.5.11, as shown in the second Access-Request. At the end, we can see that the pool member 10.1.5.11 sent a RADIUS Access-Accept whose destination is the NAD's IP 10.1.7.2. The BIG-IP performs a source NAT: the source IP 10.1.5.11 is translated back to the virtual server address 10.1.6.99, as shown in the second Access-Accept.
47. Note the following to confirm that the user jdoe has been authenticated against the authentication policy DOT1X, that the authorization policy Sales Access is applied, and that the policy server is now PSN-2.

