This entry in our Cisco ISE blog series expands on the previous entries, the first of which can be found here: Authenticate all the things!. Some of the vernacular we established in those entries will be repeated here, but not explained. So, if you haven’t had a chance to read the series yet, go ahead, we’ll wait right here for you! In this entry, we will take a deep-dive look at the first phase of a wired 802.1X deployment: Monitor Mode!
I’m glad you asked. You will recall from our previous blog entry, Native 802.1X EAP Supplicant Provisioning, that we successfully provisioned our wired endpoint 802.1X supplicants to authenticate to the network. Err…wait…did we? Did it work? Did we miss anything on the configuration? Did we miss any endpoints entirely? What if I provision the network for 802.1X and nothing can connect to the network? I love my job!! How do I secure the wired network AND keep my job!?
Enter 802.1X monitor mode. Monitor mode allows us to complete an end-to-end (supplicant -> authenticator -> authentication server -> identity store) configuration of 802.1X wired network authentication and remove all the FUD (fear, uncertainty, and doubt) from the equation. Using a couple of special commands on the authenticator switch ports, we can ensure that network access services are not impacted while we validate our end-to-end wired 802.1X configuration. In monitor mode, the endpoint is granted access to the network regardless of whether it passes or fails its authentication request (and you will still have a job!!!). Fantastic!
There are a couple of things to know right off the bat about monitor mode.
Below is a common configuration template we use at LookingPoint during our wired 802.1X monitor mode phase. This configuration was built using the great reference documentation provided by Cisco. I won’t attempt to explain each command in detail; however, there are inline comments in the below configuration that give an overview of what a given snippet of configuration accomplishes. In the configuration you will find two key commands on the access port configuration: ip access-group ACL-ALLOW in and authentication open. These two commands are the magic behind the monitor mode behavior. In our example ACL-ALLOW is set to permit all IP traffic. A layer three ACL applied to a layer two switchport? Yes! This is known as the port ACL, or PACL. The authentication open command enables the Pre-Authentication Open Access feature on the switch port. With this feature enabled, anything matching the PACL is permitted regardless of the 802.1X authentication state. Since our monitor mode PACL permits all IP traffic, network access is uninterrupted even if authentication fails. Magic!
We are not going to get into the nitty-gritty details of ISE yet, but here we will provide you with some best practices we follow in Cisco ISE when deploying a wired 802.1X monitor mode policy. These are not step-by-step instructions.
Now that we have completed the supplicant, authenticator, and authentication server configurations for monitor mode, we’ll usually let it run for a period to gather data, and at regular intervals pull reports to audit the progress. We are particularly interested in looking for failed 802.1X authentications as well as the successful authentications matching our default MAB authorization rule. The end goal of the audit period is to run a report that shows zero 802.1X failures and zero matches on the catch-all MAB authorization rule from corporate-approved endpoints. “Corporate-approved endpoints” is the key phrase in the preceding sentence: you will surely see at least a few devices failing 802.1X or matching the catch-all MAB rule, but if they aren’t corporate approved you will be fine (you won’t lose your job!) to kick them off the network come time for the enforcement phase.
The report we are interested in auditing here comes from the ISE menu Operations > Reports > Endpoints and Users > RADIUS Authentications.
After you are sufficiently comfortable with your audit data and have performed all necessary remediations, you can decide to move to one of two next-step deployment phases: low impact mode or closed mode. Low impact mode works similarly to monitor mode in that it makes use of the pre-authentication ACL (PACL) and authentication open on the access switch port configuration, but as opposed to the PACL allowing all IP traffic, we will typically limit this to a subset of access such as DHCP, PXE boot, etc. In closed mode, we will remove the pre-authentication ACL (PACL) and the authentication open configuration from the access switch port, and traffic will not be allowed to pass prior to a successful authentication/authorization. In either case, your supplicant (endpoint) configuration does not change. From the ISE policy set perspective, we would create a duplicate of the monitor mode policy, update the entry conditions (to specify the new Deployment Stage value), apply our enforcement authorization profiles (that use downloadable ACLs, VLAN switching, etc.), and remove our catch-all MAB authorization rule. Finally, you would update the “Deployment Stage” attribute on the appropriate network access devices to “low impact mode” or “closed mode” depending upon your deployment needs.
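To show what changes on the switch port between the three phases, here is an added Cisco IOS example (not from the post or from LookingPoint's template): a narrowed PACL for low impact mode and the two removals that make the port closed mode. The services permitted (DHCP, TFTP for PXE, DNS) and the interface name are assumptions.

```cisco
! Low impact mode PACL (constructed example): only the pre-authentication
! services an unauthenticated endpoint needs are permitted; everything
! else hits the implicit deny until ISE authorizes the session
ip access-list extended ACL-LOW-IMPACT
 remark DHCP client to server
 permit udp any eq bootpc any eq bootps
 remark PXE boot (TFTP) - assumed requirement
 permit udp any any eq tftp
 remark DNS - assumed requirement
 permit udp any any eq domain
!
! Swap the permit-all monitor-mode PACL for the restrictive one;
! authentication open stays in place in low impact mode
interface GigabitEthernet1/0/1
 no ip access-group ACL-ALLOW in
 ip access-group ACL-LOW-IMPACT in
!
! Closed mode: remove both the PACL and Pre-Authentication Open Access
! so no traffic passes before a successful authentication/authorization
interface GigabitEthernet1/0/1
 no ip access-group ACL-LOW-IMPACT in
 no authentication open
```

Before moving a port past monitor mode, confirm in the RADIUS Authentications report that the endpoints behind it no longer fail 802.1X or land on the catch-all MAB rule, since with these PACLs a failure now means lost connectivity.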
For a blog series that is supposedly about Cisco ISE, you may be thinking that we haven’t talked much about ISE. I agree, but that changes soon. So far, we’ve made it through the supplicants (endpoints), the authenticators (access switches), and next up is the authentication server itself, Cisco ISE. So, stay tuned for the next entry in our Cisco ISE series, where we look at the high-level overview of a Cisco ISE deployment.
Written By: Dominic Zeni, LookingPoint Consulting Services SME - CCIE #26686
If you are interested in LookingPoint installing ISE into your network, feel free to contact us here!