
Cisco ISE Guide - "CookBook" Part 1

This is a “cook-book” on how to set up ISE on a customer network and covers the most common scenarios. Very little explanation is given of why certain settings are used. The ultimate goal is to be able to go into a customer network and create all of the rules, policies, etc. needed to begin using ISE successfully. This guide is based on using a single ISE VM appliance for all node functionality. Using a distributed node environment is beyond the scope of this documentation.


The ISE licenses needed to deploy all of the features in this guide are:

- Base License

- Device Admin License

- Endpoint Plus License

- Endpoint Apex License

- Advanced Malware Protection

The configuration in this document will set up:

- PEAP-EAP-TLS Dot1x for wired employee PCs on the domain

- PEAP-EAP-TLS Dot1x for wireless employee PCs on the domain

- Certificate-based BYOD for employee devices

- Wired guest access using Central Web Auth and the Sponsor portal

- Guest Sponsor-based wireless access

- Guest Hotspot-based wireless access

- Profiled access for devices that are not Dot1x or WebAuth capable

- AMP client integration to detect malware and do port control

- AMP and AnyConnect installation and posture assessment on Active Directory domain devices

- Enable 802.1x on Cisco IP phones with the MIC certificate that is loaded on all Cisco IP Phones by default

- TACACS on IOS and Wireless LAN Controller

For a test malware file to use during testing, go to EICAR.org.

*For BYOD MSCEP support on Windows, all versions of 2012 and 2008 R2 Enterprise are supported. 2008 Standard does not support the Network Device Enrollment Service.

PEAP-TLS certificate services will be provided by an Active Directory Enterprise CA.

Windows configuration (Based on Windows 2012)

1.     On a Domain Controller, add the role Active Directory Certificate Services

2.     Add all the role services

3.     After installation, in Server Manager choose the option to configure Active Directory Certificate Services and follow the wizard prompts. Afterwards you should have an operational Enterprise CA

4.     Open up the CA MMC and go to Certificate Templates

5.     Right click the User Template and choose to duplicate it

6.     On the duplicated template, go to the General tab and give it a new name like GPO-USER

7.     On the Request Handling tab, uncheck the Allow private key to be exported box

8.     On the Extensions tab, highlight Application Policies, click Edit and add the Server Authentication policy

9.     On the Security tab, highlight Domain Users and add the permissions for Read, Enroll, and Autoenroll

10.  On the Subject Name tab, uncheck Email

11.  Click OK

12.  Duplicate the Workstation Authentication certificate template

13.  On the General tab, give it a new name like GPO-COMPUTER

14.  On the Extensions tab, highlight Application Policies and click Edit. Add the Server Authentication policy

15.  On the Security tab, highlight Domain Computers and check the Allow boxes for Read, Enroll, and Autoenroll

16.  On the Subject Name tab, check the User Principal Name (UPN) box and under Subject Name Format, change it to Fully distinguished name

17.  Click OK

18.  Highlight the previously created GPO-User template and duplicate this template. On the General tab, name this template Pxgrid

19.  On the Security tab, highlight Domain Users and uncheck Autoenroll.

20.  On the Extensions tab, edit the Application Policies and remove everything except Client Authentication and Server Authentication

21.  On the Subject Name tab, choose the radio button for Supply in the request

22.  Click OK

23.  Highlight the User template and duplicate it again. Name it BYOD

24.  On the Subject Name tab, change it to Supply in the request

25.  On the Security tab, make sure that the Administrator account has access to enroll, read and write the certificate

26.  Click OK

27.  In the Certification Authority window, highlight the Certificate Templates folder and right-click it. Choose New>Certificate Template to Issue and in the pop-up, highlight the templates you just created and click OK. This publishes the new templates to the Certificate Authority and makes them usable
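As an added check that is not part of the guide, the following PowerShell reads the four templates just published from the AD configuration partition and reports the settings the steps above changed (EKUs, subject handling, key export, autoenroll, and who holds Enroll). It assumes the RSAT ActiveDirectory module and the template names used in the guide.

```powershell
# Added example, not part of the guide: read the four templates published above from the AD configuration
# partition and report the settings the steps changed. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
# Flag bits from MS-CRTD and EKU OIDs from RFC 5280
$ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag: "Supply in the request"
$SUBJECT_ALT_REQUIRE_UPN   = 0x02000000   # msPKI-Certificate-Name-Flag: UPN in the SAN
$EXPORTABLE_KEY            = 0x00000010   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$AUTO_ENROLLMENT           = 0x00000020   # msPKI-Enrollment-Flag: Autoenroll
$OID_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
$OID_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
$ENROLL_RIGHT    = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$ADR = [System.DirectoryServices.ActiveDirectoryRights]
function Get-TemplateAudit {
    param([string[]]$Names = @('GPO-USER', 'GPO-COMPUTER', 'Pxgrid', 'BYOD'))
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $props = 'pKIExtendedKeyUsage', 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag',
             'msPKI-Enrollment-Flag', 'nTSecurityDescriptor'
    foreach ($name in $Names) {
        $t = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$name)" -Properties $props
        if (-not $t) { Write-Warning "Template '$name' is not published in AD"; continue }
        $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'
        $supply   = ($nameFlag -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $client   = $t.pKIExtendedKeyUsage -contains $OID_CLIENT_AUTH
        # Principals allowed the Enroll extended right (or all extended rights / GenericAll) on the template
        $enrollers = @($t.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                ($_.ActiveDirectoryRights.HasFlag($ADR::ExtendedRight) -and
                    ($_.ObjectType -eq $ENROLL_RIGHT -or $_.ObjectType -eq [guid]::Empty)) -or
                $_.ActiveDirectoryRights.HasFlag($ADR::GenericAll))
        } | ForEach-Object { $_.IdentityReference.Value })
        [pscustomobject]@{
            Template        = $name
            ServerAuthEKU   = $t.pKIExtendedKeyUsage -contains $OID_SERVER_AUTH
            ClientAuthEKU   = $client
            SupplyInRequest = $supply
            UPNInSAN        = ($nameFlag -band $SUBJECT_ALT_REQUIRE_UPN) -ne 0
            KeyExportable   = ([int]$t.'msPKI-Private-Key-Flag' -band $EXPORTABLE_KEY) -ne 0
            AutoEnroll      = ([int]$t.'msPKI-Enrollment-Flag' -band $AUTO_ENROLLMENT) -ne 0
            Enrollers       = $enrollers -join '; '
            # Requester-supplied subject plus Client Authentication means the enroller picks the identity in
            # the certificate, so Enroll on such a template belongs only to the intended accounts (step 25).
            ReviewEnrollers = $supply -and $client -and
                              [bool]($enrollers -match 'Domain Users|Domain Computers|Authenticated Users')
        }
    }
}
Get-TemplateAudit | Format-Table -AutoSize
```

Run it from any domain-joined machine with RSAT; a row with ReviewEnrollers set to True is the one to revisit before the template goes into production.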

28.  Open REGEDIT and go to HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Cryptography>MSCEP

29.  Change the data of the following values to BYOD: EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate

30.  Under the EnforcePassword key, change the value to 0

31.  Make sure UseSinglePassword is set to 0

32.  Open Group Policy Management. Highlight the domain and right-click on it. Choose Create GPO for this domain and link it

33.  Highlight the new Group Policy just created and right-click it. Choose Edit

34.  Computer Configuration>Policies>Windows Settings>Security Settings>Public Key Policies>Certificate Services Client - Auto-Enrollment. Open this up, change the setting to Enabled and check the top two boxes. This enables computers to auto-enroll using the computer certificate template previously created

35.  User Configuration>Windows Settings>Public Key Policies>Certificate Services Client - Auto Enrollment and do the same thing as the previous step.

36.  Computer Configuration>Windows Settings>Security Settings>Wired Network: right-click it and choose Create a New Wired Network Policy. Name the policy whatever you'd like and make sure the Use Windows Wired Auto Config service for clients box is checked.

37.  On the Security tab, ensure that the Enable use of IEEE 802.1X authentication for network access box is checked and from the Select a network authentication method drop-down, choose Microsoft: Protected EAP (PEAP). Click on the Properties button to the right of it

38.  In the Properties box that pops up, check the boxes next to the “AD Root Certificates” root certificates under the Trusted Root Certification Authorities header

39.  Under the Select Authentication Method drop-down, this is where we will select our inner method. Choose Smart Card or Other Certificate from the available options. Click on the Configure... box next to it.

40.  The Smart Card or Other Certificate Properties box should pop up. Check the boxes for the AD CA root certificates and click OK to save settings.

41.  Navigate to Computer Configuration>Policies>Windows Settings>Security Settings>System Services>Wired Autoconfig. Check the box for Define this policy setting and choose the radio button for Automatic.

42.  Navigate to Computer Configuration>Policies>Windows Settings>Security Settings>Wireless Network (IEEE 802.11) Policy. Right-click on it and choose Create a New Wireless Network Policy.

43.  Name it SecurityWireless Policy. Under Connect to available networks in the order of profiles listed below box, click Add and choose Infrastructure

44.  The New Profile Properties box will open. Name it the same as the SSID. In the Network Name(s) (SSID) field, put the EXACT name of the SSID that clients will connect to. Check the boxes below to connect automatically when in range.

45.  On the Security tab for this profile, Choose Microsoft: Protected EAP (PEAP) from the drop-down and click on Properties right next to it.

46.  Check the boxes next to the root CA's certificates and for the inner method, choose Smart Card or other certificate from the drop-down. Click Configure... to the right of it.

47.  In the Smart Card or Other Certificate Properties box, check the Root CA certificates again and click OK to save. Click OK on each box associated with the Wireless policy to save them and close them out.

48.  **DO THIS FOR PASSIVE-ID SETUP** (go to step 52 if not doing PassiveID)

49.   If using a Domain Admin account to set this up on all the Domain Controllers:

a.      In the Registry, give the account full control of HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

b.     Do the same for HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

50.  For a non-Domain Admin account on the DCs:

a.      In the Registry, give the account full control of HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

b.     Do the same for HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

c.      Run the dcomcnfg tool from the command line

d.     Expand Component Services, expand Computers and click My Computer. Choose Action from the menu bar, click Properties and open the COM Security tab. Add the user account to all four options (Edit Limits and Edit Default for both Access Permissions and Launch and Activation Permissions) and give it Allow for Local and Remote access in both Access Permissions and Launch and Activation Permissions

e.      Start>Run and type wmimgmt.msc

f.       Right-click WMI Control and click Properties. Under the Security tab, expand Root and choose CIMV2. Click Security, add the user account and give it the required permissions of Allow for Execute Methods, Enable Account and Remote Enable

g.      Grant access to read the Security event log of the AD Domain Controller. This can be done by adding the user to the Event Log Readers group in AD

h.     Copy the following into a text file, save it with a .reg extension and double-click it to make the registry changes:

Windows Registry Editor Version 5.00
; The header line above is required for regedit to import the file.

[HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"AppID"="{76A64158-CB41-11D1-8B02-00600806D9B6}"

[HKEY_CLASSES_ROOT\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"DllSurrogate"="  "

[HKEY_CLASSES_ROOT\Wow6432Node\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"DllSurrogate"="  "


i.       The owner of the keys must be the user account. Also, make sure that you include two spaces in the value of the "DllSurrogate" key. Keep the empty line at the end of the script above

51.  In Group Policy Management, under Computer Configuration>Windows Settings>Security Settings, set the following:

a.      Local Policies>Audit Policies>Audit Account logon events: check Define and Success

b.     Local Policies>Audit Policies>Audit Logon Events: check Define and Success

c.      Advanced Audit Policy Configuration>Audit Policies>Account Logon>Audit Kerberos Authentication Service: check Define and Success

d.     Advanced Audit Policy Configuration>Audit Policies>Account Logon>Audit Kerberos Service Ticket Operations: check Define and Success

e.      Local Policies>Security Options>Network Security: LAN Manager authentication level: Define and Send NTLM response only
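As an added verification that is not part of the guide, the PowerShell below checks on a Domain Controller that the registry entries, key ownership, Event Log Readers membership, audit policy and LAN Manager level from steps 49 to 51 are actually in effect. The account name is a placeholder to be supplied by the operator, and the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the guide: verify on a DC that the PassiveID prerequisites from steps 49-51
# are in effect. Assumes the ActiveDirectory module; the account below is a placeholder.
param([string]$Account = 'EXAMPLE\ise-passiveid')   # placeholder: account ISE uses for WMI / event log reads
Import-Module ActiveDirectory
$clsid   = '{76A64158-CB41-11D1-8B02-00600806D9B6}'
$keys    = "HKEY_CLASSES_ROOT\CLSID\$clsid", "HKEY_CLASSES_ROOT\AppID\$clsid", "HKEY_CLASSES_ROOT\Wow6432Node\AppID\$clsid"
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}
# Step h: AppID mapping under CLSID, and DllSurrogate (exactly two spaces) under both AppID keys
$appId = (Get-ItemProperty "Registry::$($keys[0])" -ErrorAction SilentlyContinue).AppID
Add-Check 'CLSID AppID' ($appId -eq $clsid) "AppID=$appId"
foreach ($k in $keys[1..2]) {
    $v = (Get-ItemProperty "Registry::$k" -ErrorAction SilentlyContinue).DllSurrogate
    Add-Check "DllSurrogate $k" ($v -eq '  ') ("length={0}" -f "$v".Length)
}
# Step i: the monitoring account must own all three keys
foreach ($k in $keys) {
    $owner = (Get-Acl "Registry::$k" -ErrorAction SilentlyContinue).Owner
    Add-Check "Owner $k" ($owner -eq $Account) "owner=$owner"
}
# Step g: Security log read access via the Event Log Readers group
$sam     = $Account.Split('\')[-1]
$members = @(Get-ADGroupMember 'Event Log Readers' -Recursive | Select-Object -ExpandProperty SamAccountName)
Add-Check 'Event Log Readers' ($members -contains $sam) ($members -join '; ')
# Step 51 a-d: effective audit policy; auditpol prints "Success" (or "Success and Failure") when enabled
foreach ($sub in 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations', 'Logon') {
    $line    = auditpol /get /subcategory:"$sub" | Select-String "^\s+$sub\s{2,}(\S.*)$" | Select-Object -First 1
    $setting = if ($line) { $line.Matches[0].Groups[1].Value.Trim() } else { 'not found' }
    Add-Check "Audit $sub" ($setting -match 'Success') "setting=$setting"
}
# Step 51 e: "Send NTLM response only" is LmCompatibilityLevel 2 (levels 3-5 would require NTLMv2)
$lm = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).LmCompatibilityLevel
Add-Check 'LmCompatibilityLevel' ($lm -eq 2) "value=$lm"
$results | Format-Table -AutoSize
```

Run it after gpupdate /force (step 53) so the audit and LAN Manager rows reflect the enforced GPO rather than the previous local policy.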

52.  In the Group Policy Management window, right-click the policy you just created and choose Enforced

53.  Open cmd and run gpupdate /force

54.  Do step 49 above even if not doing PassiveID

55.   Last items to verify: NTP is set up correctly, DNS A records are added for all servers, ISE, etc., and root certs are being issued to clients.