03 - Test Easy Connect Solution

In this session, we tested the Easy Connect solution configured on ISE by authenticating two users - contractor1 and employee1 - on a corp PC connected to a switch. We saw how passive ID integration with Active Directory allowed ISE to authenticate users based on their Windows logon events without 802.1X. The users received different authorizations based on their group membership as determined through passive ID. At the end, we cleaned up the Easy Connect configuration.

Uploaded by Nguyen Le
Copyright © All Rights Reserved

In this session, we'll be testing the Easy Connect solution that we've configured on ISE in our lab. At this point, we've got ISE set up with the join point configured to support the passive ID integration with our Active Directory domain controller, and passive ID is now allowed to investigate WMI logon events. ISE has also been set up with a new policy set for Easy Connect, with very precise conditions for testing to allow access into the policy set itself, an authentication policy interacting with the internal endpoint database for MAC addresses, and authorization rules in place to support passive ID tracking.

Before we begin testing, let's modify our corp PC and disable the Wired AutoConfig service so 802.1X no longer occurs. I'm using a local machine account for administration of this. We'll set the Wired AutoConfig service to a manual start and stop the service.

And before we leave here, let's document the MAC address of this corp PC, focusing on the last four characters, D5-50, so we can remember that when we're looking at events in the live log. Then we'll restart the corp PC. Going back to the admin PC, I've got an SSH session open to the 3k access switch. Here we'll go into the g1/0/1 interface and sh and then no sh this interface. That will clear out any previous authorizations that were in place on there with respect to 802.1X or what have you, so those will be completely removed.

Back on the corp PC, it should be ready for logon now. Now we'll provide a domain account, and we can go back and review the live log to see events related to this. We already see some updates with respect to the services running. Stepping through, if you recall, D5-50 is the MAC address for our corp PC endpoint.

We've got a separate MAC address due to the virtualized environment our lab is in. We're seeing some interaction from that MAC, which we can disregard. Focusing in, we can see the D5-50 match the default rule within our Easy Connect policy. We provided AD access and then provided the host lookup access list to that.

In this case, this is the NAD itself requesting the contents of that dACL. Then we're getting a little bit of a session update. Then we can see that, ultimately, we provided contractor access to that, and then a request for the dACL for contractor access. The rest of the interactions look like session update information and a little bit of interaction with that separate oddball MAC address.

To view some more details, we can investigate Context Visibility, Endpoints. We can see our D5-50 MAC address is currently authenticated, and we can see that it's been provided the contractor's authorization policy.

You can click on Details on this MAC. In particular, focusing on the passive ID service, we can see that, through passive ID interaction, we got the match to the domain group, the passive ID groups that have been learned. And we understood the passive ID username based on that interaction as contractor1.

Another place where we can investigate results is on the 3k access switch. We can see our D5-50 MAC address is MAB authenticated. If we show details on this, we should be able to see that our corp PC MAC address is the one that's been provided the contractor's dACL.

Another place where we can investigate is on the Active Directory domain controller, which I had previously started. We're looking at the Event Viewer and the Security view within the Event Viewer. I've got this filtered to look at only 4768 event IDs, which are Kerberos logon events. We'll do a refresh on this.

And we should see a recent authentication. We see that we've toggled that back and forth. The rest of the interactions are ISE attempting to interact with the WMI.

Now let's go back to our corp PC, and we'll log out. In this case, understand that for Easy Connect and the Easy Connect solution, Switch User is not viable, because we wouldn't be able to pick up that new logon event without that. So we've logged off as contractor, and now we'll log on as employee1.

We'll look at the related events in the live log. You can see the initial interactions with the employee, where it went back to the default rule and generic AD access, then got matched to the employee1 logon and was provided the employee access authorization profile. Ultimately, the NAD requested the contents of the dACL and provided that on behalf of the session itself.

In quick review, we saw Easy Connect in action. Passive ID, a relatively new introduction that came about with ISE version 2.3, has made this integration with Windows much, much easier and much more reliable. We saw some of the basic components to put in place for doing some very precise testing with ISE in general, and overall, we saw passive ID.

So now let's do a little bit of cleanup. This task is made pretty easy with our Policy Sets view, where we can simply disable this policy set and it will no longer be utilized or evaluated. Then on the corp PC, let's reactivate the Wired AutoConfig service. OK, so, basically, I cleaned up and evaporated any possible impact of Easy Connect within our ISE deployment, and we're ready to move forward with our next session.
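The Windows-side steps of this session, as an added PowerShell example that is not part of the original transcript: it toggles the Wired AutoConfig service (service name dot3svc) off for the test and back on for cleanup, and pulls recent 4768 Kerberos events from the domain controller's Security log for a given account, the same filter the session applies in Event Viewer. The function names are hypothetical; an elevated PowerShell session on the corp PC (service steps) and on the DC (event query) is assumed.

```powershell
# Added example, not from the original session. Assumes Windows PowerShell 5.1 or
# later, run elevated. dot3svc is the service name of "Wired AutoConfig"; 4768 is
# the Kerberos TGT request event ID filtered on in the session's Event Viewer.

function Set-WiredAutoConfig {
    param([Parameter(Mandatory)][ValidateSet('Disable', 'Enable')][string]$Mode)
    if ($Mode -eq 'Disable') {
        # Test step: stop the 802.1X supplicant so the port falls through to MAB.
        Set-Service -Name dot3svc -StartupType Manual
        Stop-Service -Name dot3svc -Force
    }
    else {
        # Cleanup step: restore automatic start and bring the supplicant back.
        Set-Service -Name dot3svc -StartupType Automatic
        Start-Service -Name dot3svc
    }
    Get-Service -Name dot3svc | Select-Object Name, Status, StartType
}

function Get-CorpPcMacSuffix {
    # Documents the last four hex characters of the active physical adapter's MAC
    # (e.g. "D5-50" in the session) so it can be matched in the ISE live log.
    $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
    $nic.MacAddress.Substring($nic.MacAddress.Length - 5)
}

function Get-KerberosTgtEvents {
    # Run on the domain controller. Returns 4768 events from the last $Minutes,
    # optionally narrowed to one account (e.g. contractor1 or employee1).
    param([string]$User, [int]$Minutes = 30)
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Pull named fields from the event XML rather than relying on property order.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $row = [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Status = ($data | Where-Object Name -eq 'Status').'#text'     # 0x0 = success
            Client = ($data | Where-Object Name -eq 'IpAddress').'#text'  # requesting host
        }
        if (-not $User -or $row.User -eq $User) { $row }
    }
}

# Usage on the corp PC:  Set-WiredAutoConfig -Mode Disable ; Get-CorpPcMacSuffix
# Usage on the DC:       Get-KerberosTgtEvents -User contractor1 | Format-Table
# Cleanup on the corp PC: Set-WiredAutoConfig -Mode Enable
```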
