Cisco ISE Wired 802.1X with EAP-PEAP Example

In this blog post, we'll be exploring a practical example of how to configure wired 802.1X with Cisco Identity Services Engine (ISE) and PEAP. We're breaking down a typical network scenario and explaining it in a way that's easy to understand.

The process we'll detail involves a domain-joined PC connecting to a switch port. We'll walk you through configuring the ISE, the PC, and the switch to enable this sequence of events. By the end of this post, you'll understand this specific network access control scenario and be better equipped to manage it in your own network environment.

💡
It's worth highlighting that EAP-PEAP, the method used in this example, is widely regarded as weaker than certificate-based EAP-TLS. It authenticates the user with a password, its usual inner method (MSCHAPv2) is cryptographically weak, and its safety depends entirely on the supplicant validating the server certificate: a client that skips that check will hand its domain credentials to any RADIUS server that presents a certificate. In a real-world deployment, prefer EAP-TLS, which uses certificates on both the client and the server for mutual authentication.

Assumptions and Prerequisites

Before we proceed, let's establish the assumptions and prerequisites for this guide. This blog post assumes that you have a foundational understanding of Cisco ISE and the 802.1X protocol.

Additionally, it is assumed that the PC we're focusing on is already joined to the domain and operating correctly, and that Active Directory (AD) has been integrated with ISE as an external identity source, so ISE can verify user credentials and group membership against AD.

It's also important to note that this example operates in 'Closed Mode': the switch does not forward any traffic other than EAPoL on the port until authentication succeeds. If that is a problem (for example for PXE boot or for devices that need DHCP before they can authenticate), consider 'Low Impact' mode, where a pre-auth ACL on the switch port permits only limited traffic such as DHCP and DNS before authentication, and the intended level of access is granted after successful authentication via a downloadable ACL (dACL) from ISE. I will try to cover this in another post.

If you want to learn more about 802.1X or NAC in general or Wired-EAP-TLS, please check out my other blog posts below.

  • Everything you need to know about NAC, 802.1X and MAB: In a simpler form, Network Access Control ensures that only users and devices that are authenticated and authorized can enter the corporate network
  • Cisco ISE Wired 802.1X with EAP-TLS Example: In this blog post, we’ll be exploring a practical example of how to configure wired 802.1X with Cisco Identity Services Engine (ISE) and EAP-TLS. We’re breaking down a typical

What is 802.1X?

802.1X is an IEEE standard for port-based network access control. You cannot secure what you don't know is on your network, and the 802.1X framework functions as a gatekeeper for entry to enterprise networks, both wired and wireless.

When a user or device wants to gain access to a network, 802.1X acts as a framework that verifies the person/device connecting is who they say they are. When we enable 802.1X on a port, the switch drops all traffic received on that port except EAPoL packets (more on this later). Only after the 802.1X authentication has successfully completed will the switch allow any other traffic on that port.

The Components of 802.1X

802.1X consists of three components:

  1. The Supplicant (laptop) is the device attempting to gain access to the network. The supplicant communicates with the authenticator using EAP packets encapsulated in EAPoL frames.
  2. The Authenticator (Switch) is the gatekeeper to the network and permits or denies access to the supplicants. The authenticator acts as an intermediary (proxy) between the supplicant and the authentication server. The authenticator requests identity information (credentials/certificates) from the supplicant via EAP packets, verifies that information with the authentication server and then relays a response to the supplicant (access permit or deny)
  3. The Authentication Server (Cisco ISE) performs the actual authentication of the supplicant. By examining the information in the encapsulated EAP messages relayed from the authenticator, the authentication server validates the identity of the supplicant and responds back to the authenticator whether or not the supplicant is authorized to access the network.
💡
While the IEEE 802.1X specification does not dictate which protocol should be used for communication between the authenticator and the authentication server, the industry has converged on RADIUS as the go-to protocol.

Choosing an EAP Method

When deploying 802.1X, it is important to choose an EAP method that meets your organization’s security standards. Choosing which EAP method to use is one of the most important decisions because different EAP methods offer differing levels of security and complexity. This example solely focuses on EAP-PEAP.

Which EAP type to implement depends on the level of security the organization requires and the administrative overhead it can absorb. If you need the highest level of assurance, EAP-TLS is the best choice: the strongest method, using certificates on both the client and the server. EAP-PEAP and EAP-FAST are less demanding to roll out because they authenticate the user with credentials inside a TLS tunnel and need a certificate only on the server side, at the cost of relying on password strength and on every supplicant validating that server certificate.

💡
Not all supplicants/clients support all EAP methods. Please make sure to verify that the supplicants support the EAP method you are planning to deploy. 

Even though there are many EAP types available, I've listed the most popular ones.

  • EAP-TLS relies on client-side and server-side certificates to perform mutual authentication. This is considered one of the strongest EAP types; however, it requires each and every client to have a certificate provisioned before it can authenticate.
  • EAP-PEAP requires only a server-side certificate, which the client uses to authenticate the authentication server. PEAP is a tunnelled EAP type: it first establishes an outer TLS tunnel and then sends the credentials through an inner method. The inner method can be virtually any EAP type, but the widely used one is MSCHAPv2. Because MSCHAPv2 on its own is easily cracked, the method is only as strong as the supplicant's validation of the server certificate.
  • EAP-FAST is Cisco's tunnelled method and is very similar to PEAP: it establishes an outer TLS tunnel (optionally using a Protected Access Credential, PAC, instead of a server certificate) and runs a secondary inner EAP method such as MSCHAPv2 inside it to authenticate the user.

Windows 10 / Supplicant Configurations

In a production environment, typically, group policies would be used to configure the network settings across the organization. However, for the purpose of this tutorial, we'll simplify the process by directly configuring these settings on the PC.

To begin, navigate to the network adapter settings via Control Panel > Network and Sharing Center > Change Adapter Settings. Right-click the wired connection, select 'Properties', open the 'Authentication' tab, make sure 'Enable IEEE 802.1X authentication' is ticked and choose 'Microsoft: Protected EAP (PEAP)' as the method. Then open the PEAP settings and keep 'Verify the server's identity by validating its certificate' enabled, tick the CA that issued the ISE EAP certificate under the trusted root CAs, and restrict the server names the client is allowed to connect to; set the inner method to 'Secured password (EAP-MSCHAP v2)' with 'Automatically use my Windows logon name and password'. Without server validation the PC will send its domain credentials to any RADIUS server that presents a certificate, which is the main practical weakness of PEAP.

💡
In case you do not see the 'Authentication' tab in the properties window, it's possible that the 'Wired AutoConfig' service is not running. You can start this service by opening the 'Services' app, locating 'Wired AutoConfig' in the list and starting it.

Switch / Authenticator Configuration

In configuring the switch for our use case, it's important to note that there are a lot of settings that could be adjusted to tweak and tune the behaviour of 802.1X. For the sake of simplicity, our example will only focus on the most essential configurations.

! Enable AAA and define ISE as the RADIUS server (the shared secret shown is an example value)
aaa new-model
!
radius server ise-01
 address ipv4 10.10.0.100 auth-port 1812 acct-port 1813
 key cisco123
!
aaa group server radius ISE-GROUP
 server name ise-01
 ip radius source-interface Vlan5
!
! Accept Change of Authorization (CoA) from ISE, e.g. to re-authenticate or terminate a session
aaa server radius dynamic-author
 client 10.10.0.100 server-key cisco123
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
aaa accounting update newinfo periodic 2880
!
! 802.1X must be enabled globally, otherwise the interface commands below have no effect
dot1x system-auth-control
!
interface Ethernet0/2
 description WINDOWS-10
 switchport access vlan 5
 switchport mode access
 ! closed mode: only EAPoL is forwarded until the session is authorized
 authentication port-control auto
 ! re-authenticate periodically using the Session-Timeout value returned by ISE
 authentication periodic
 authentication timer reauthenticate server
 ! MAB fallback for endpoints without a supplicant; ISE needs a rule for these, and they get no 802.1X assurance
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 15
 spanning-tree portfast edge

Cisco ISE / Authentication Server Configuration

Step 1: Add the Switch as a Network Device in ISE

The very first step is to add the switch as a network device in ISE. To do this, navigate to the ISE management interface and select 'Network Resources' followed by 'Network Devices'.

Here you can add a new device (our switch) by specifying the IP address and shared secret, which should match the configurations set in the switch.

Step 2 - Create a Policy Set

At a high level, a Policy Set in ISE is a bundle of rules, each of which contains conditions and results. When a device tries to access the network, ISE applies these policy sets to determine whether the device meets certain conditions and assigns results (like allowing or denying access) based on that.

Imagine you have a list of policy sets created for different types of network users, such as VPN users, guest users, and wired/wireless clients. Each of these policy sets has specific conditions tailored to the type of network access they manage.

Now, when a request comes from a device through the switch to access the network, ISE starts to evaluate these policy sets, going from top to bottom. It checks each policy set to see if the conditions of that policy match the incoming request.

In our case, we're dealing with a wired 802.1X request from a domain-joined PC. So, ISE will scan through the policy sets until it finds the one that's specifically designed for wired 802.1X requests. Once it finds a match, it applies the corresponding authentication and authorization policies to this request. Here I'm creating a new policy set called EAP-PEAP with the pre-built smart condition Wired_802.1X.

The Wired_802.1X smart condition matches on two RADIUS attributes that the switch includes in its Access-Request:

  1. Radius:NAS-Port-Type = Ethernet: tells the RADIUS server (here Cisco ISE) that the request comes from an endpoint on an Ethernet port (value 15 in RFC 2865), as opposed to, for example, Wireless-IEEE 802.11. This is how ISE tells wired access attempts apart from wireless ones.
  2. Radius:Service-Type = Framed: IOS sets this value (2) for 802.1X requests, whereas MAB requests carry Service-Type = Call-Check. This is what distinguishes a real 802.1X authentication from a MAC-based one arriving on the same kind of port.
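To make the smart condition concrete, here is an added Python example (not code from the original post or from Cisco) that builds RADIUS Access-Requests the way a switch would, verifies the Message-Authenticator against the shared secret from the switch configuration above, and then applies the same two-attribute check that Wired_802.1X performs. The switch address 10.10.0.1, the packet contents and the wireless and MAB requests are constructed for illustration.

```python
"""RADIUS Access-Request parsing and ISE's Wired_802.1X condition (added example,
not code from the original post; packets are constructed by hand per RFC 2865/3579,
the shared secret is the one from the example switch config, 10.10.0.1 is assumed)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
# Attribute types (RFC 2865, RFC 2869, RFC 3579)
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 4, 6
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
# Enumerated values the Wired_802.1X smart condition looks at
SERVICE_TYPE_FRAMED, SERVICE_TYPE_CALL_CHECK = 2, 10   # Call-Check is what IOS sends for MAB
NAS_PORT_TYPE_ETHERNET, NAS_PORT_TYPE_WIRELESS_80211 = 15, 19

def u32(n):
    return struct.pack("!I", n)

def _avp(attr_type, value):
    """Type, Length, Value; the length byte includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, authenticator, attrs):
    """Assemble an Access-Request ending in a valid Message-Authenticator (RFC 3579)."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    body += _avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # zeroed placeholder for the HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def parse_radius(packet):
    """Return (code, ident, authenticator, [(type, value), ...]); reject malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        attr_len = packet[pos + 1] if pos + 2 <= length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("invalid attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs

def verify_message_authenticator(packet, secret):
    """HMAC-MD5 over the packet with the attribute zeroed: proves the NAS holds the shared secret."""
    pos = 20
    for attr_type, value in parse_radius(packet)[3]:
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += len(value) + 2
    return False   # required on EAP-carrying requests, so its absence is a failure

def matches_wired_8021x(attrs):
    """Wired_802.1X smart condition: NAS-Port-Type = Ethernet AND Service-Type = Framed."""
    values = dict(attrs)
    try:
        return (struct.unpack("!I", values[NAS_PORT_TYPE])[0] == NAS_PORT_TYPE_ETHERNET
                and struct.unpack("!I", values[SERVICE_TYPE])[0] == SERVICE_TYPE_FRAMED)
    except (KeyError, struct.error):
        return False

def classify(packet, secret):
    """'wired-dot1x', 'other' or 'bad-authenticator': the first decision ISE makes on a request."""
    if not verify_message_authenticator(packet, secret):
        return "bad-authenticator"
    return "wired-dot1x" if matches_wired_8021x(parse_radius(packet)[3]) else "other"

SECRET = b"cisco123"                  # from the example switch configuration
AUTHENTICATOR = bytes(range(16))      # constructed; a real NAS uses 16 random bytes

# Constructed request as switch_01 would send it for user 'max' on Ethernet0/2
WIRED_REQUEST = build_access_request(SECRET, 1, AUTHENTICATOR, [
    (USER_NAME, b"max"), (NAS_IP_ADDRESS, bytes([10, 10, 0, 1])),
    (SERVICE_TYPE, u32(SERVICE_TYPE_FRAMED)), (NAS_PORT_TYPE, u32(NAS_PORT_TYPE_ETHERNET)),
    (EAP_MESSAGE, b"\x02\x01\x00\x08\x01max")])          # EAP-Response/Identity "max"
# Same user over Wi-Fi, and a MAB request on an Ethernet port: neither matches the wired 802.1X policy set
WIRELESS_REQUEST = build_access_request(SECRET, 2, AUTHENTICATOR, [
    (USER_NAME, b"max"), (SERVICE_TYPE, u32(SERVICE_TYPE_FRAMED)),
    (NAS_PORT_TYPE, u32(NAS_PORT_TYPE_WIRELESS_80211))])
MAB_REQUEST = build_access_request(SECRET, 3, AUTHENTICATOR, [
    (USER_NAME, b"50-00-00-01-00-00"), (SERVICE_TYPE, u32(SERVICE_TYPE_CALL_CHECK)),
    (NAS_PORT_TYPE, u32(NAS_PORT_TYPE_ETHERNET))])

if __name__ == "__main__":
    for name, pkt in [("wired", WIRED_REQUEST), ("wireless", WIRELESS_REQUEST), ("mab", MAB_REQUEST)]:
        print(name, classify(pkt, SECRET))
    print("wired with wrong secret", classify(WIRED_REQUEST, b"wrong-secret"))
```

The Message-Authenticator check is what happens before any policy set is evaluated: a request whose HMAC does not verify against the shared secret configured for that network device is silently dropped, which is why the secret on the switch and in ISE's Network Devices entry must match exactly. The MAB request fails the condition on Service-Type alone even though it arrives on an Ethernet port, so it would fall through to whichever policy set you build for MAB.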

You may have noticed that the 'Allowed Protocols' is set to 'Default Network Access', the list that ships with ISE. This is where you specify which authentication protocols clients may use, and PEAP is already ticked in the default list. Note that the default list also permits a broad set of other methods, so in production it is worth creating an allowed-protocols list that contains only the methods you actually deploy.

Within a policy set, we need to define two key types of policy: Authentication and Authorization.

Step 3 - Authentication Policy

An Authentication Policy is essentially a set of rules that the ISE uses to verify the identity of a device or user trying to access the network. This is the "who are you" part of the process, checking the credentials provided by the device or user against AD or Internal User Group.

For our configuration, we are using the default authentication rule with AD as the identity source. When a user attempts to authenticate, ISE takes the credentials carried in the PEAP inner method (MSCHAPv2) and validates them against AD. If authentication succeeds, the process proceeds to the next step, which is authorization.

Step 4 - Authorization Policy

On the other hand, an Authorization Policy determines what a successfully authenticated user or device can do within the network. It dictates the level of access, the resources that can be used, and any restrictions that need to be applied. This is the "what you can do" part of the process, defining the permissions for each authenticated device or user.

Our Authorization Policy in this setup is quite straightforward. It has a single condition, if a user is part of the 'desktop-users' group in Active Directory (AD), the policy 'permitAccess' is applied.

By defining these policies within a policy set, we create a rulebook for how the ISE should handle devices trying to access the network, from verifying their identity to deciding what they can do once they're in.

Verification

Now that we have our setup configured, it's time to put it to the test. To do this, I'm going to log in to a domain-joined PC with a user named 'max'. This user, being a part of the 'desktop-users' group in Active Directory, meets our defined authorization policy condition.

Given this, upon successful authentication, ISE should authorize the access request. This would confirm that our configuration of 802.1X with Cisco ISE using EAP-PEAP is working as intended.

switch_01#show authentication sessions interface e0/2 details 
            Interface:  Ethernet0/2
          MAC Address:  5000.0001.0000
         IPv6 Address:  Unknown
         IPv4 Address:  10.10.20.10
            User-Name:  max		<<<<<<
               Status:  Authorized		<<<<<<
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 171072s
       Session Uptime:  1732s
    Common Session ID:  0A0A141F00000015009088BB
      Acct Session ID:  0x00000004
               Handle:  0x22000008
       Current Policy:  POLICY_Et0/2
Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
          
Server Policies:
Method status list: 
      Method            State 
      dot1x              Authc Success		 <<<<<<
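As an added example that is not part of the original post, the following Python script parses the output of `show authentication sessions ... details` for several ports and flags anything that is not a session authorized through 802.1X, in particular ports where the endpoint got in through MAB fallback (which the interface configuration above enables with `mab`). The sample output is constructed to mimic the switch output shown above; the second port, its MAC address and its failed dot1x attempt are assumed.

```python
"""Audit 'show authentication sessions interface ... details' output (added example,
not from the original post; the CLI text is constructed to mimic the output above,
and the second port, its MAC and its MAB fallback are assumed)."""
import re

# Constructed sample: the PC from the post on e0/2, plus a second port where the
# endpoint ended up on the network through MAB fallback because 802.1X failed
SAMPLE_OUTPUT = """\
switch_01#show authentication sessions interface e0/2 details
            Interface:  Ethernet0/2
          MAC Address:  5000.0001.0000
         IPv4 Address:  10.10.20.10
            User-Name:  max
               Status:  Authorized
               Domain:  DATA
      Security Status:  Link Unsecure
Server Policies:
Method status list:
      Method            State
      dot1x              Authc Success
switch_01#show authentication sessions interface e0/3 details
            Interface:  Ethernet0/3
          MAC Address:  5000.0001.0001
         IPv4 Address:  10.10.20.11
            User-Name:  50-00-00-01-00-01
               Status:  Authorized
               Domain:  DATA
      Security Status:  Link Unsecure
Server Policies:
Method status list:
      Method            State
      dot1x              Authc Failed
      mab                Authc Success
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 \-/]+?):\s+(.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_sessions(text):
    """One dict per session: the 'Field: value' lines plus a 'methods' dict of method -> state."""
    sessions, current, in_methods = [], None, False
    for line in text.splitlines():
        if line.strip().startswith("Interface:"):          # each session starts here
            current, in_methods = {"methods": {}}, False
            sessions.append(current)
        if current is None:
            continue
        if "Method status list" in line:
            in_methods = True
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m:
                current["methods"][m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2)
    return sessions


def audit_session(session):
    """Findings for one session; an empty list means the port was authorized through 802.1X."""
    findings = []
    if session.get("Status") != "Authorized":
        findings.append("session not authorized")
    methods = session["methods"]
    if methods.get("dot1x") != "Authc Success":
        if methods.get("mab") == "Authc Success":
            # 'mab' is enabled on the port, so a device with no supplicant (or a
            # spoofed MAC) can hold a session without ever presenting credentials
            findings.append("authorized via MAB fallback, not 802.1X")
        else:
            findings.append("no successful authentication method")
    return findings


def audit(text):
    """Interface name -> findings for every session in the captured output."""
    return {s.get("Interface", "?"): audit_session(s) for s in parse_sessions(text)}


if __name__ == "__main__":
    for iface, findings in audit(SAMPLE_OUTPUT).items():
        print(iface, "OK" if not findings else "; ".join(findings))
```

Run it against the output of `show authentication sessions details` for a whole switch and the MAB findings are the ports to look at first: ISE will show them as authenticated, but nothing on that port ever proved who it was. The 'Security Status: Link Unsecure' line in the same output simply says MACsec is not in use on the link; it is an observation rather than a fault in this setup.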

Closing Thoughts

I hope this blog post has provided you with a clearer understanding of the 802.1X process using Cisco ISE and EAP-PEAP. Remember, network configurations are rarely a one-size-fits-all scenario. The settings and processes we've explored here offer a solid starting point, but you'll likely need to adjust and refine them to perfectly suit your specific environment and needs.

While EAP-PEAP serves as a useful example for this discussion, it's worth noting that more secure methods exist, such as EAP-TLS. If you do run PEAP, at the very least make sure every supplicant is configured to validate the ISE server certificate, because that check is the only thing standing between a user's domain password and a rogue authentication server.