Service Desk Troubleshooting Guide for Cisco ISE

Version 2.0

10-05-2016

Document Revision History

REVISION DATE AUTHOR DESCRIPTION

Overview:

xxxx has decided to enhance its network security by enabling 802.1X port-based authentication on its access switches and wireless SSIDs. Cisco ISE (Identity Services Engine) was chosen as the authentication server, and as a result all switches and Wireless LAN Controllers are configured to forward authentication (RADIUS) requests to one of the x ISE Policy Service Nodes (xxxx, xxxx and xxxx). Please take the time to read through this guide carefully and become familiar and comfortable with the product. ISE is going to be an integral part of the network, so it is very important that you can navigate through it.

Requirements for access to the wired and wireless network:

A device or user can get different types of access based on different criteria. Please refer to the list and flowchart below, which outline the currently configured policies:

Blacklist: If a device is manually entered in this ISE internal endpoint group, it is denied any type of access.

Whitelist: If a device is manually entered in this ISE internal endpoint group, it is given full access to the network. Because the match is on the endpoint's MAC address alone, which can be spoofed, this group should be kept as small as possible and reviewed regularly.

Quarantine: If a device is quarantined by a pxGrid client to limit its internal access, ISE moves the session to this authorization profile.

Profiled Printers: The ISE nodes use their built-in profiling policies to dynamically identify printers. If a printer is manufactured by xxxx, it is allowed on the network.

Profiled Cisco Phones: Similar to profiling printers, the ISE nodes dynamically profile Cisco IP phones. Profiled phones are granted the specific access they need to perform their functions.

Profiled Cisco TelePresence Units: Profiled Cisco TelePresence units are also allowed on the network.

Profiled Cisco WAPs: Last but not least, when a Cisco wireless access point is connected to the network it is also dynamically profiled and authorized.

Domain PCs with a CA-signed domain digital certificate: Every corporate computer that is joined to the domain and successfully receives group policy will have a domain-issued machine certificate. ISE verifies both domain membership and certificate validity (EAP-TLS machine authentication). A computer that is NOT a corporate asset and NOT joined to the domain will NOT get access to internal resources.

Default Rule/Web Portal: If all of the above checks fail, users connecting to the network are redirected to an internal ISE web portal (the user must launch a web browser for the redirect to happen). Once the portal loads, the user can either enter an Active Directory username/password or self-register for a temporary guest account. Active Directory users fall into one of the following groups:

1) Domain Users: When a user enters his or her domain username/password, he or she is granted Internet access only.

2) Contractors: If the user is a member of the contractors group, he or she is granted specific access to the network.

The flow chart below outlines the decision process that takes place when a device is connecting to the network:


Troubleshooting Issues

Logging in to ISE

To get access to the ISE infrastructure, open your browser and go to one of the x available nodes:

xxxxx - Primary - Always log in to this server unless it is unavailable
xxxxx - Secondary

ISE is set up so that any domain member of the Service Desk group (AD-group-name) can log in with read-only/monitoring rights. Once the ISE login page loads, enter your domain credentials, select "AD" as the identity source and click "Login."

Supported Browsers

You can access the Cisco ISE administrative user interface using the following browsers:
• Mozilla Firefox (Windows, Mac OS X and Linux-based operating systems)
• Google Chrome (Windows, Mac OS X and Linux-based operating systems)
• Microsoft Edge (Windows)

Accessing the Live Authentications Window:

Once you are logged in, hover over the Operations tab and select Live Logs from the drop-down menu.

Understanding the Live Authentications Window:

The Live Authentications view contains a lot of useful information that can help you troubleshoot an authentication attempt:

1) Time - Date and time when the event occurred
2) Status - Whether access was granted or denied
3) Details - Click here for more details on the session
4) Identity - The name of the machine/user that is authenticating
5) Endpoint ID - The MAC address of the endpoint
6) Authorization Profiles - The authorization profile that was applied to the switch port/workstation that is connecting
7) IP Address - The IP address of the endpoint
8) Network Device - The network device the endpoint is connecting through, for example a switch or a wireless LAN controller
9) Device Port - The actual switch port the device is plugged into
10) Identity Group - The internal ISE identity group the endpoint is assigned to. For example, profiled Cisco phones should be in the group called "Profiled:Cisco-IP-Phones"
11) Failure Reason - The reason behind the failure

Advanced Troubleshooting

If you want more detailed information on why a particular authentication failed or succeeded, click the "Details" icon next to the authentication entry:

This opens a new window (make sure to allow pop-ups from the site) with more detailed information about that authentication session, including the steps ISE went through and the policy rules it matched.

Tweaking and searching the Live Authentications screen:

You can customize the Live Authentications screen with the settings in the top right corner (1). You can also manually refresh the screen (2) or add/remove columns (3).

Some Examples of Successful Authentications:

1) Domain computers, wired: The entry below shows a successful machine authentication for a corporate-owned device. You can see that the Identity is an actual domain computer name.

2) Cisco IP Phone: Here both the Authorization Profile and the Endpoint Group are Cisco IP Phone related.

3) Printer: Here both the Authorization Profile and the Endpoint Profile are printer related.

4) Cisco WAPs: Here both the Authorization Profile and the Endpoint Profile are access point related.

5) Guest/Consultants: Here guest access is granted after the guest account is created and the user logs in.

Some Examples of Failed Authentications:

1) Non-domain computer, or domain computer missing a digital certificate: You can see that the "Identity" and the "MAC address" (Endpoint ID) of the machine are the same. This means the switch fell back to MAC Authentication Bypass (MAB) because no 802.1X supplicant answered or the EAP-TLS exchange did not complete, and it is a good indicator that the machine is not part of the domain or has no valid machine certificate. You can also see that the "Authorization Profile" applied was "Central_Web_Auth", which means the user will be redirected to the Web Portal for further authentication. Note that such an entry usually shows a passed status (the MAB lookup succeeded and a restrictive authorization was applied); if the 802.1X attempt itself failed, for example because of an expired or untrusted machine certificate, a separate entry with a failed status and a Failure Reason appears for the same Endpoint ID.
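The following is an added example, not part of the original guide, that applies the indicators described in the field list and in the successful/failed examples above to rows taken from the Live Authentications view (for instance a CSV export). The sample rows are constructed for illustration: the hostnames, MAC addresses, switch names, IP addresses, the "Corp_Access" and "Cisco_IP_Phones" profile names and the Passed/Failed status values are placeholders, and only "Central_Web_Auth" and "Profiled:Cisco-IP-Phones" are names the guide itself uses. Adjust the status values to match what your export contains.

```powershell
# Added example: first-pass triage of Live Authentications rows using the
# indicators from this guide. Sample data below is constructed, not a real export.

function Normalize-Mac {
    param([string]$Value)
    # ISE displays Endpoint IDs as AA:BB:CC:DD:EE:FF; a MAB Identity is the same
    # address but may be written with hyphens or no separators, so compare hex only.
    $hex = ($Value -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -eq 12) { return $hex } else { return $null }
}

function Get-LiveLogVerdict {
    param($Row)   # object whose properties are the Live Log column names
    $endpointMac = Normalize-Mac -Value $Row.'Endpoint ID'
    $identityMac = Normalize-Mac -Value $Row.Identity

    if ($Row.Status -eq 'Failed') {
        # A real failure carries a Failure Reason; the Details icon has the full story.
        return "FAILED: $($Row.'Failure Reason') on $($Row.'Network Device') port $($Row.'Device Port') - open Details"
    }
    if ($Row.'Authorization Profiles' -eq 'Central_Web_Auth') {
        # Identity equal to the MAC address means the switch fell back to MAB:
        # no supplicant answered or EAP-TLS did not complete, so no domain
        # machine certificate was presented and the endpoint goes to the portal.
        if ($identityMac -ne $null -and $identityMac -eq $endpointMac) {
            return 'REDIRECTED: MAB fallback, no domain certificate - check Wired AutoConfig and the machine certificate, or expect a user/guest portal login'
        }
        return 'REDIRECTED: web portal, pending user/guest login'
    }
    if ($Row.'Identity Group' -eq 'Profiled:Cisco-IP-Phones') {
        return 'OK: profiled Cisco IP Phone'
    }
    if ($identityMac -eq $null) {
        # Identity is a computer or user name, not a MAC: 802.1X succeeded.
        return "OK: $($Row.Identity) authorized with profile $($Row.'Authorization Profiles')"
    }
    return "OK: MAB endpoint authorized with profile $($Row.'Authorization Profiles')"
}

# Constructed sample rows laid out with the Live Log column names.
$csv = @'
Time,Status,Identity,Endpoint ID,Authorization Profiles,IP Address,Network Device,Device Port,Identity Group,Failure Reason
2016-10-05 09:01:12,Passed,WS-0123.corp.example,00:11:22:33:44:55,Corp_Access,10.1.20.15,SW-ACCESS-01,GigabitEthernet1/0/7,Workstation,
2016-10-05 09:02:40,Passed,00-11-22-33-44-66,00:11:22:33:44:66,Central_Web_Auth,10.1.20.16,SW-ACCESS-01,GigabitEthernet1/0/8,Unknown,
2016-10-05 09:03:05,Passed,00:11:22:33:44:77,00:11:22:33:44:77,Cisco_IP_Phones,10.1.30.9,SW-ACCESS-02,GigabitEthernet1/0/2,Profiled:Cisco-IP-Phones,
2016-10-05 09:04:51,Failed,WS-0456.corp.example,00:11:22:33:44:88,,,SW-ACCESS-02,GigabitEthernet1/0/3,Workstation,12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
'@
$rows = $csv | ConvertFrom-Csv

foreach ($r in $rows) {
    "{0}  {1,-25} {2}" -f $r.Time, $r.Identity, (Get-LiveLogVerdict -Row $r)
}
```

Run it in any PowerShell 2.0 or later session; to use it on real data replace the here-string with `Import-Csv` of an export and keep the column names as they appear in your Live Log view. The second sample row is the case the guide describes under failed authentications: it is reported as passed because MAB matched, but the Central_Web_Auth profile and the MAC-as-identity tell you the machine never completed EAP-TLS.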

Supplicant Configurations

For domain computers to connect on either the wired or the wireless network, they need the following supplicant configuration:

Windows 7

Services

The Windows "Wired AutoConfig" service (service name dot3svc) must be changed to start automatically, as both Windows XP and Windows 7 set its startup type to Manual by default. If the service is not running, the computer never answers the switch's EAP requests, so it falls back to MAB and the web portal:

Authentication Tab

Settings Tab

Additional Settings Tab

Machine Certificates:

A digital certificate is needed for EAP-TLS machine authentication to succeed. Thus, ensure that every machine has a Computer Certificate:

1. Start the MMC console (mmc.exe)
2. Click "File" then "Add/Remove Snap-in"
3. From the new window select "Certificates", click "Add" and select "Computer account"
4. Click "OK" and then "Finish", leaving the rest of the settings at their default values
5. Under "Personal" certificates, ensure that a machine certificate is present, that it was issued by the internal CA, that it has not expired, and that its intended purposes include Client Authentication (the Windows supplicant will not select a certificate without that purpose)

Windows XP:

Service Pack

All Windows XP machines must have Service Pack 3 installed. Without Service Pack 3 the "Wired AutoConfig" service referenced in the next steps is not even present.

Services

The Windows "Wired AutoConfig" service (service name dot3svc) must be changed to start automatically, as both Windows XP and Windows 7 set its startup type to Manual by default:

Authentication Tab

Settings Tab

Machine Certificates:

A digital certificate is needed for EAP-TLS machine authentication to succeed. Thus, ensure that every machine has a Computer Certificate by:

1. Starting the MMC console (mmc.exe)
2. Clicking "File" then "Add/Remove Snap-in"
3. From the new window selecting "Certificates", clicking "Add" and selecting "Computer account"
4. Clicking "OK" and then "Finish", leaving the rest of the settings at their default values
5. Under "Personal" certificates, ensuring that a machine certificate is present, that it was issued by the internal CA, that it has not expired, and that its intended purposes include Client Authentication
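The following is an added example, not part of the original guide, that performs the Windows 7 and Windows XP checks above (Wired AutoConfig startup type and a valid computer certificate from the internal CA) from an elevated PowerShell session instead of services.msc and the MMC Certificates snap-in. It runs on PowerShell 2.0, which Windows 7 ships with and which can be installed on Windows XP SP3. The CA name "CORP-ISSUING-CA" is a placeholder assumption for the internal CA the guide refers to, and the script changes the service's startup type, so run it only on a machine you are meant to fix.

```powershell
# Added example: verify the wired 802.1X prerequisites from this guide.
# Run from an elevated PowerShell (2.0 or later) session.
$InternalCaName = 'CORP-ISSUING-CA'   # assumption: replace with your internal CA's common name

function Ensure-WiredAutoConfig {
    # 'dot3svc' is the service name behind the "Wired AutoConfig" display name.
    $svc = Get-WmiObject Win32_Service -Filter "Name='dot3svc'"
    if ($svc -eq $null) {
        # On Windows XP this means Service Pack 3 is missing.
        Write-Warning 'Wired AutoConfig (dot3svc) not found - on Windows XP install Service Pack 3 first.'
        return $false
    }
    if ($svc.StartMode -ne 'Auto') {
        # Default is Manual on XP SP3 and Windows 7; make it start with the OS so
        # the supplicant answers the switch's EAP-Request/Identity at every boot.
        Set-Service -Name dot3svc -StartupType Automatic
    }
    if ($svc.State -ne 'Running') { Start-Service -Name dot3svc }
    $svc = Get-WmiObject Win32_Service -Filter "Name='dot3svc'"
    return ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
}

function Get-MachineAuthCertificate {
    param([string]$IssuerName)
    # Only the computer Personal store counts, as in the MMC steps above.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, needed for EAP-TLS
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $ekuOk = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $clientAuthOid) { $ekuOk = $true }
                }
            }
        }
        $ekuOk -and
        $cert.HasPrivateKey -and                      # no private key, no TLS client handshake
        $cert.Issuer -match [regex]::Escape($IssuerName) -and
        $cert.NotBefore -le $now -and $cert.NotAfter -gt $now
    }
}

$serviceOk = Ensure-WiredAutoConfig
$certs = @(Get-MachineAuthCertificate -IssuerName $InternalCaName)

if ($serviceOk -and $certs.Count -gt 0) {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
    # Per-interface 802.1X state (Authenticated, Authenticating, Failed ...).
    netsh lan show interfaces
} else {
    Write-Warning 'Prerequisites not met: fix the service and/or obtain a computer certificate (gpupdate /force re-triggers certificate autoenrollment where it is configured).'
}
```

If the script reports the service running and a matching certificate but `netsh lan show interfaces` still does not show the port as authenticated, look at the Live Log entry for that Endpoint ID next: a failed entry with a Failure Reason points at the certificate chain or the switch configuration rather than at the supplicant.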

Additional Reading:

EAP-TLS: http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS

Cisco ISE Communities: https://communities.cisco.com/community/technology/security/pa/ise