Please read ISE NAC MAB first, then ISE NAC 802.1X.
We start by installing the CA server.
Select Active Directory Certificate Services.
Keep clicking Next; then, in addition to the Certification Authority role that is already selected, also tick Certificate Enrollment Web Service.
Next again, then Install.
When it finishes, click Configure Active Directory Certificate Services on the destination server (upper right in the figure below).
Because the Certification Authority must be installed before the Web Service can be, install the Certification Authority first.
Choose what you need here; this lab uses the defaults.
After the CA is installed, install the Certificate Enrollment Web Service.
Again Next and Configure; the CA installation is now complete.
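The same CA and Certificate Enrollment Web Service deployment, scripted in PowerShell instead of clicked through the wizard. This is an added example, not part of the original post: the server name ca01.lab.local, the CA name LAB-CA and the Enterprise root CA type are assumptions that stand in for whatever the lab's defaults produced.

```powershell
# Added example: scripted equivalent of the role installation above.
# Assumptions (not from the original post): run on ca01.lab.local, a domain-joined
# server, as an Enterprise Admin; the CA common name is LAB-CA.
$CaCommonName = 'LAB-CA'
$CaConfig     = 'ca01.lab.local\LAB-CA'   # <CA host>\<CA common name>

# 1. Install the two role services (Certification Authority and Certificate
#    Enrollment Web Service) together with the management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Enroll-Web-Svc -IncludeManagementTools

# 2. Configure the CA first; the Web Service cannot be configured until a CA exists.
#    Enterprise root CA so templates and auto-enrollment are published through AD.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaCommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# 3. The enrollment web service is an IIS site and needs a Server Authentication
#    certificate for its HTTPS binding. Reuse one already in the machine store if
#    there is one; otherwise the binding has to be done in IIS afterwards.
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

$ces = @{
    CAConfig                = $CaConfig
    AuthenticationType      = 'Kerberos'   # domain clients authenticate to CES with Kerberos
    ApplicationPoolIdentity = $true        # the wizard's default identity choice
    Force                   = $true
}
if ($sslCert) {
    $ces.SSLCertThumbprint = $sslCert.Thumbprint
} else {
    Write-Warning 'No Server Authentication certificate found; bind one to the CES https site in IIS afterwards.'
}

# 4. Configure the Certificate Enrollment Web Service against the new CA.
Install-AdcsEnrollmentWebService @ces

# 5. Quick verification: the CA service is running and the CA answers requests.
Get-Service CertSvc | Select-Object Name, Status
certutil -ping -config $CaConfig
```

Run it in an elevated PowerShell session on the CA host; step 2 prompts nothing because of -Force, so check the CA name and validity period before running it in anything other than a lab.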
One thing to watch with the AD accounts: each must have an email address, because the User template places the e-mail name in the certificate subject and enrollment fails for an account without one.
Put the computers and users into an OU, then configure the GPO.
At the following location, add Computer.
Then, under both Computer and User Policy, in Public Key Policies -> Certificate Services Client – Auto-Enrollment, set the Configuration Model to Enabled.
Open Certificate Templates with mmc, right-click User and choose Duplicate Template to create a v2 version of the User template.
Domain Users needs to be granted Allow for Autoenroll.
Once the User v2 certificate template is set up, go to the Certification Authority and add the User v2 template you just configured.
Then reboot the computer and log in with a domain account; the Local Computer store should already contain a computer certificate, but for the user you still have to use Request New Certificate manually.
Then select the User v2 template you just added.
There is also a command-line method that should be possible to push through the GPO, but I only tested it on a standalone PC:
certreq -Enroll -user -q "User v2"
In addition, this service has to be started on the PC; I haven't had time to look for the GPO setting yet.
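The AD, template and enrollment steps above, checked from PowerShell. This is an added example, not code from the original post: the OU OU=NAC,DC=lab,DC=local, the CA LAB-CA on ca01.lab.local and the template's internal name Userv2 (the console shows the display name "User v2"; the template name defaults to the display name without spaces) are assumptions. The first two functions run on the CA or any host with the RSAT and ADCS management modules; the last one runs on the client as the domain user.

```powershell
# Added example (not from the original post). Assumed values:
$LabOu        = 'OU=NAC,DC=lab,DC=local'   # OU holding the lab users and computers
$TemplateName = 'Userv2'                   # template (internal) name of the "User v2" template
$CaConfig     = 'ca01.lab.local\LAB-CA'    # <CA host>\<CA common name>
$CaName       = 'LAB-CA'

# 1. AD prerequisite: the User template writes the e-mail name into the subject,
#    so an enabled account with an empty mail attribute cannot auto-enroll.
#    Returns the accounts that would fail.
function Get-UsersWithoutMail {
    param([string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Properties mail `
               -Filter { Enabled -eq $true -and mail -notlike '*' } |
        Select-Object SamAccountName, DistinguishedName
}

# 2. CA side: publish the duplicated template so the CA will issue from it
#    (same as adding it under Certificate Templates in the CA console).
function Publish-UserTemplate {
    param([string]$Name)
    if (-not (Get-CATemplate | Where-Object Name -eq $Name)) {
        Add-CATemplate -Name $Name -Force
    }
    Get-CATemplate | Where-Object Name -eq $Name
}

# 3. Client side: run the same quiet certreq enrollment the post uses, then
#    confirm what actually landed in the user's Personal store: issued by our CA,
#    private key present, Client Authentication EKU (what EAP-TLS needs), not expired.
function Test-UserEnrollment {
    param([string]$DisplayName, [string]$Issuer)
    certreq -enroll -user -q $DisplayName | Out-Null
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like "CN=$Issuer*" -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' -and
        $_.NotAfter -gt (Get-Date)
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# 4. The computer certificate arrives through the GPO; check the machine store the same way.
function Test-ComputerCertificate {
    param([string]$Issuer)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like "CN=$Issuer*" -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication'
    } | Select-Object Subject, NotAfter, Thumbprint
}

# Usage (pick the functions that apply to the host you are on):
Get-UsersWithoutMail -SearchBase $LabOu
Publish-UserTemplate -Name $TemplateName
Test-UserEnrollment -DisplayName 'User v2' -Issuer $CaName
Test-ComputerCertificate -Issuer $CaName
```

If Test-UserEnrollment returns nothing, check the account against Get-UsersWithoutMail first; a missing mail attribute is the usual reason the request is rejected.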
In ISE, go to Administration -> Identity Management -> Identity Source Sequences.
Enter a name, then select the default Preloaded_Certificate_Profile and Submit; alternatively, create a new profile under External Identity Sources -> Certificate Authentication Profile.
Administration -> System -> Certificates -> Certificate Management -> Certificate Signing Requests -> Generate Certificate Signing Requests (CSR)
Then have the CA server sign this certificate.
Adjust the Default Policy a little.
Policy -> Policy Sets -> Default -> click the > on the right.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client xxx.xxx.xxx.15 server-key cisco123
ip device tracking
dot1x system-auth-control
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 5 tries 3
radius-server host xxx.xxx.xxx.15 auth-port 1645 acct-port 1646 key cisco123
radius-server deadtime 10
radius-server vsa send accounting
radius-server vsa send authentication
interface GigabitEthernet0/1
switchport access vlan 172
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 172
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
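A defender's sanity check for the switch side: the interface configuration above only enforces 802.1X with a MAB fallback and a critical VLAN if all of its pieces are present, and a port that has slipped into monitor mode (authentication open) passes traffic before anyone authenticates. This added example (not part of the original post) audits an interface block pulled from a running-config for exactly those settings. The configuration text is constructed from the one above, with indentation as the switch would print it; the audit works on any interface block, not just GigabitEthernet0/1.

```powershell
# Added example (not from the original post): audit one switch interface block
# for the 802.1X/MAB settings the configuration above depends on.
# Constructed sample config, copied from the post's interface configuration.
$SwitchConfig = @'
interface GigabitEthernet0/1
 switchport access vlan 172
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 172
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
'@

# Required command prefixes and why each one matters for enforcement.
$Required = [ordered]@{
    'authentication port-control auto'                        = 'port actually enforces authentication'
    'dot1x pae authenticator'                                 = 'switch acts as the 802.1X authenticator'
    'mab'                                                     = 'MAC bypass fallback for devices without a supplicant'
    'authentication event fail action next-method'            = 'falls through to MAB when 802.1X fails'
    'authentication event server dead action authorize vlan'  = 'critical VLAN when ISE is unreachable'
    'authentication event server alive action reinitialize'   = 're-authenticates sessions once ISE is back'
    'authentication violation restrict'                       = 'extra MACs are dropped and logged, port stays up'
    'authentication periodic'                                 = 'sessions re-authenticate instead of living forever'
}

function Test-Dot1xInterface {
    param([string]$Config, [string]$Interface)
    # Isolate the interface block: from "interface X" to the first line that is not indented.
    $lines = $Config -split "`r?`n"
    $start = [array]::IndexOf($lines, "interface $Interface")
    if ($start -lt 0) { throw "interface $Interface not found in config" }
    $block = @()
    for ($i = $start + 1; $i -lt $lines.Count -and $lines[$i] -match '^\s'; $i++) {
        $block += $lines[$i].Trim()
    }

    # Anything required that is absent is reported with its reason.
    $missing = foreach ($cmd in $Required.Keys) {
        if (-not ($block | Where-Object { $_.StartsWith($cmd) })) {
            [pscustomobject]@{ Missing = $cmd; Why = $Required[$cmd] }
        }
    }
    # Monitor mode: traffic is allowed before authentication succeeds.
    $openMode = $block -contains 'authentication open'

    [pscustomobject]@{
        Interface = $Interface
        Compliant = (-not $missing) -and (-not $openMode)
        OpenMode  = $openMode
        Missing   = @($missing)
    }
}

# Usage: audit the sample block; Compliant is True and Missing is empty for the config above.
Test-Dot1xInterface -Config $SwitchConfig -Interface 'GigabitEthernet0/1' | Format-List
```

To audit a real switch, paste the output of show running-config into $SwitchConfig and call Test-Dot1xInterface once per access interface; any port reporting OpenMode True or a non-empty Missing list is not enforcing the policy the ISE side expects.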