Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configure Cisco ISE and Juniper EX Switches for 802.1X-Based Authentication

 

About This Network Configuration Example

This network configuration example (NCE) shows you how to configure Cisco Identity Services Engine 2.X (Cisco ISE) and Juniper EX switches for IEEE 802.1X-based authentication.

Overview

Cisco ISE 2.X comes with many pre-imported network device profiles, but it doesn’t come with one for Juniper. Network device profiles specify how to handle MAC Radius, dot1x authentication, VLAN and ACL assignment, and CoA features.

Cisco ISE allows you to import network device profiles in XML format, enabling integration with any IEEE 802.1X standard network device. This example shows you how to import the Juniper network device profile, and configure settings to allow IEEE 802.1X-based authentication with Cisco ISE and Juniper EX switches.

Topology

In this example, we use the following network topology Figure 1:

Figure 1: Example Topology
 Example Topology

Here’s more details about the hardware and software components used in this example:

Device

Software Version

Role

Juniper EX2300-C-12P

Junos 18.2R1-S1

Switch and Authenticator

Cisco ISE

2.4.0.357 Patch2-18080100

RADIUS Server

Polycom VVX 310 IP Phone

SIP/5.5.1.11526/22-Nov-16 15:05

Supplicant (MAC Radius)

Windows 10 Professional

All recommended patches as of 2018-08-22

Supplicant (Dot1x)

Network Printer

N/A

Supplicant (MAC Radius)

Juniper Mist AP43

0.6.18981

Supplicant (MAC Radius)

All users and endpoints are stored in the internal Cisco ISE database.

For external user database integration such as Microsoft Active Directory, LDAP and Certificate Based Authentication, refer to the Cisco Identity Services Engine Administrator Guide, Release 2.4.

Step-by-Step Procedure

  1. Import the Juniper Wired Device Profile

  2. Add EX Switches to the Juniper Device Profile

  3. Create Authorization Profiles

  4. Create Endpoint Identity Groups

  5. Add Endpoints

  6. Create User Identity Groups

  7. Add Users

  8. Set Authentication Policies

  9. Set Authorization Policies

  10. Configure a Cisco ISE Policy to Enable Guest Access

  11. Configure a Colorless Port Using IETF Egress-VLAN-ID Attributes

  12. Configure the 802.1X Protocol on the EX Switch

  13. Configure Windows 10

Import the Juniper Wired Device Profile

Assuming you’ve got Cisco ISE up and running on your network, the first thing you’ll need to do is add a Juniper EX switch device profile.

  1. Download the latest Juniper EX Switch Device Profile for Cisco ISE (validated with Cisco ISE 2.7).
  2. In Cisco ISE, choose Administration > Network Resources > Network Device Profiles.
  3. Click Import and select the Juniper EX switch device profile you downloaded in step 1. Once you import the Juniper network device profile, it will be listed in the Cisco ISE Network Device Profiles list as Juniper_Wired.

Add EX Switches to the Juniper Device Profile

You can add your EX switches individually, or as an IP address range.

  1. In Cisco ISE, choose Administration > Network Resources > Network Devices.
  2. In the Network Device screen, select the Juniper_Wired device profile.
  3. Give a name and IP address for your EX switch. If you are adding multiple EX switches, you can specify an IP address range.
  4. Specify a RADIUS password. You’ll need this later when configuring the EX switches.

Create Authorization Profiles

Authorization profiles allow you to apply different attributes to users or endpoints. You can change the VLAN by name or by VLAN ID. You can also assign a firewall filter that you have already configured on the switch. In this example, we create four authorization profiles:

  • Juniper_VoIP_VLAN_500

  • Juniper_VoIP_VLAN_100

  • Juniper_VoIP_VLAN_100_ACL

  • Juniper_VoIP_VLAN_100_dACL

The first profile sets the VoIP VLAN to 500 using the Juniper-VoIP-VLAN attribute.

  1. In Cisco ISE, choose Policy > Results, then from the left pane, choose Authorization > Authorization Profiles.
  2. Name the profile Juniper_VoIP_VLAN_500.
  3. Set the VLAN ID/Name to 500.
  4. Click Add.

The second authorization profile sets the Data VLAN to 100 using the standard RADIUS attribute for VLAN ID.

  1. In Cisco ISE, choose Policy > Results, then from the left pane, choose Authorization > Authorization Profiles.
  2. Name the profile Juniper_VoIP_VLAN_100.
  3. Set the VLAN ID/Name to 100.
  4. Click Add.

The third profile sets the Data VLAN to 100 and applies a local firewall filter/ACL to the supplicant. This firewall filter/ACL must already be configured on the switch. The firewall filter/ACL is applied using the standard Filter-ID radius attribute. Enter the name of the local filter configured on the switch.

  1. In Cisco ISE, choose Policy > Results, then from the left pane, choose Authorization > Authorization Profiles.
  2. Name the profile Juniper_VoIP_VLAN_100_ACL.
  3. Under Common Tasks, set ACL (Filter-ID) to deny-all.
  4. Set the VLAN ID/Name to 100.
  5. Click Add.

The fourth authorization profile sets the Data VLAN to 100 and applies a dynamic/downloadable firewall filter/ACL to the supplicant. This firewall filter/ACL is created dynamically, so you don’t need to configure it locally on the switch. This authorization profile uses the Juniper-Switching-Filter attribute.

Note

The syntax and feature sets differ from regular Junos firewall filters/ACLs. Multiple entries are separated by commas. See Juniper-Switching-Filter VSA Match Conditions and Actions for information about the syntax.

Create Endpoint Identity Groups

Endpoints, such as IP Phones, can be grouped together in endpoint identity groups to make it easier to apply common attributes, for example, VoIP VLAN.

  1. In Cisco ISE, choose Administration > Groups > Endpoint Identity Groups.
  2. Click Add.
  3. Enter a Name and Description under Endpoint Identity Group.
  4. Click Submit.

Add Endpoints

The Polycom IP Phone in this setup is not configured for dot1x authentication. Instead, we rely on MAC RADIUS and MAC Authentication Bypass (MAB).

  1. In Cisco ISE, choose Context Visibility > Endpoints.
  2. Click +.
  3. Add the IP Phone’s MAC address and assign it a policy group.
  4. Click Save.

Create User Identity Groups

User Identity Groups allow you to apply specific attributes to users that are members of the group. In this example, we create three new User Identity Groups:

  • VLAN_100_User_ID_Group

  • VLAN_100_ACL_User_ID_Group

  • VLAN_100_dACL_User_ID_Group

  1. In Cisco ISE, choose Administration > Groups > User Identity Groups.
  2. Click Add.
  3. Enter a name for the User Identity Group and click Submit.

Add Users

In this example, we create three local users named user1, user2 and user3. Each user is assigned to a different User Identity Group.

  1. In Cisco ISE, choose Administration >Identity Management.
  2. Click Add.
  3. Enter a name and login password.
  4. From the User Groups drop-down list, choose the User Identity Group that you want to assign to the new user.

    In this example, we assign the new users to these User Identity Groups:

    • user1 to VLAN_100_User_ID_Group

    • user2 to VLAN_100_ACL_User_ID_Group

    • user3 to VLAN_100_dACL_User_ID_Group

Here’s an overview of the three users we just created:

Set Authentication Policies

The authentication policy contains three entries per default.

The predefined MAB and dot1x rules have conditions that are tied to the network device profile. When requests come from a Juniper device, the switch automatically uses the attributes configured in the Juniper network device profile to authenticate a MAB and dot1x request. The authentication policy named Default contains a default network access policy for allowed protocols. This network access policy is compatible with Juniper EX switches.

In this example, we use the Default authentication policy.

  1. Choose Policy > Policy Sets.
  2. Click > to the far right of the Default policy set and choose Default Network Access from the drop-down box.

Cisco ISE Default Network Access Profile

Here’s the Cisco ISE configuration for the Default Network Access profile for Juniper EX switches.

Set Authorization Policies

The order of the authorization policies is important and may vary depending on your setup. Make sure that you don’t have more general rules above the rules you are about to create, otherwise they won’t match.

In this example, we create four new rules, each with three conditions:

  • VLAN 500 for Polycom IP Phones connected to Juniper EX Switches

  • VLAN 100 for dot1x users connected to Juniper EX Switches

  • VLAN 100 with ACL for dot1x users connected to Juniper EX Switches

  • VLAN 100 with dACL for dot1x users connected to Juniper EX Switches

  1. Expand Authorization Policy and click the + button in the top left corner of the screen.
  2. Enter a name for the rule, for example, VLAN 500 for Polycom IP Phones connected to Juniper EX Switches.
  3. Click condition to open the Condition Studio.
  4. Drag and drop from the library on the left side to the editor on the right side. Build the different attributes you want to match on.
  5. When you’re finished don’t click Save. Instead, click the USE button in the bottom right corner.

Here’s an example of the Conditions Studio:

Let’s analyze these four new rules. Each rule has three conditions. The first two conditions are the same, but the third condition matches on a different attribute. A rule is applied to a port only when all three conditions are met.

Rule

If the endpoint

Then the switch assigns the port/supplicant to

VLAN 500 for Polycom IP Phones connected to Juniper EX Switches

Passes network access authentication AND the request comes from a Juniper EX switch AND the endpoint is in the Polycom-IP-Phone group

Voice VLAN 500

VLAN 100 for dot1x users connected to Juniper EX Switches

Passes network access authentication AND the request comes from a Juniper EX switch AND the endpoint is in the VLAN_100_User_ID_Group

Data VLAN 100

VLAN 100 with ACL for dot1x users connected to Juniper EX Switches

Passes network access authentication AND the request comes from a Juniper EX switch AND the endpoint is in the VLAN_100_ACL_User_ID_Group

Data VLAN 100 and an ACL

VLAN 100 with dACL for dot1x users connected to Juniper EX Switches

Passes network access authentication AND the request comes from a Juniper EX switch AND the endpoint is in the VLAN_100_dACL_User_ID_Group

Data VLAN 100 and a dynamic/downloadable ACL

Configure a Cisco ISE Policy to Enable Guest Access

For guest access use-cases involving the Cisco ISE guest portal, Juniper EX switches support Juniper-CWA-Redirect-URL VSA along with a special Filter-Id JNPR_RSVD_FILTER_CWA to redirect unknown guest clients to the Cisco ISE portal. The following diagram outlines the guest access flow with Cisco ISE:

Here’s the Juniper EX switch configuration for this scenario:

Here’s how to configure a Cisco ISE policy to enable guest access:

  1. In Cisco ISE, choose Policy Sets > Wired Access.
  2. Verify that the WIRED MAB authentication policy is set to Internal Endpoints for the data store and Continue for If User not found and If Process fail.
  3. Create two authorization policies. If the client (MAC) already registered in the GuestEndpoints Identity Group, Cisco ISE will send a “Permit Access” message. Otherwise, Cisco ISE will send a CWA Redirect attribute to move the client to the Cisco ISE guest portal.

    Here’s an example of the Guest Redirect Wired authorization profile configuration.

    Note

    You’ll need to configure a static IP address instead of the FQDN for the CWA Filter to work. Alternatively, you can use a Juniper-Switching-Filter with a FQDN-based redirect URL.

  4. Verify the configuration in the EX switch CLI:

    Once the client authenticates with Cisco ISE, Cisco ISE sends a CoA. Upon re-authentication, the CLI output for the EX switch shows a successful MAC Authentication:

Configure a Colorless Port Using IETF Egress-VLAN-ID Attributes

With Junos 20.4 and above, you can automatically configure switch ports into access/trunk ports and assign multiple VLANs based on the RADIUS (Cisco ISE) response. For example, you can have a common port configuration on the switch and then reconfigure it automatically based on the identity of a connecting device, such as a Mist AP, a printer, or a corporate laptop.

Here’s an example of a trunk port configured for Mist AP with an untagged native VLAN for management:

By default, the port is configured as an access port with 802.1X and MAC-Radius enabled.

Here’s how to create a new profiler policy in Cisco ISE to auto-profile Mist APs based on Mist MAC-OUI. The profiler policy will send the full switch port configuration (trunk, with native vlan 51 and all the other required VLAN tagged).

  1. Choose Policy > Profiling > Profiling Policies > Create New.
  2. Create two rules using Radius_Calling_Station_ID_STARTSWITH 5c-5b-35 or d2-20-b0 to specify the current Mist MAC OUIs.
  3. Save your profiler policy.
  4. Navigate to your profiler policy and add another authorization rule:

    The authorization profile looks like this:

How did we get all the numbers above? We used the following formula:

  1. Create hex values for each VLAN you want to push in access-accept. The hex format is 0x31000005. The first seven characters can either be 0x31000 (tagged) or 0x32000 (untagged). The last three characters are the actual VLAN ID converted to hex. You can use a Decimal to hexadecimal converter to figure out the hexadecimal value. For example, to send untagged VLAN 51, the value is 0x32000033.
  2. Once you enter this hex value, convert the whole value back to decimal. You can use this Hexidecimal to decimal converter to figure out the decimal value.

    In this example, if you convert 0x32000033 to decimal, the value is 52428851.

  3. Configure the Cisco ISE authorization profile using the decimal value.
  4. Plug in a Mist AP and verify the output:

Configure the 802.1X Protocol on the EX Switch

Configure Windows 10

  1. Press the Windows key on your keyboard and search for services.msc.
  2. Right click to enable the Wired Autoconfig service.
  3. Choose Control Panel > Network and Sharing Center > Change Adapter Settings.
  4. Right click on the adapter used for your wired connection and select Properties.
  5. Click the Authentication tab, select Microsoft Protected EAP, then click Settings.
  6. Clear the check box to verify the server identity certificate. Caution

    This is for testing purposes only. Never disable this in production. Always provision your clients with trusted CA certifications. In a production environment, you should install the Cisco ISE certificate. Refer to the Cisco Identity Services Engine Administrator Guide, Release 2.4.

    Click OK.

  7. You are returned to the Ethernet Properties window. Click Additional Settings.
  8. Select User Authentication and click Save Credentials.
  9. Enter the username and password, for example user1, user2, or user3.
  10. Click OK.

Testing and Validation

Verify IP Phone Authentication Status

  1. After connecting the IP Phone to port ge-0/0/0, run the show dot1x interface ge-0/0/0 command to verify it is authenticated using MAC Authentication Bypass.
  2. Run the show dot1x interface ge-0/0/0 detail command to view the detailed output and verify that you are using MAC Radius to authenticate the IP Phone.
  3. Run the show ethernet-switching interface ge-0/0/0 command to verify that Cisco ISE has applied Voice VLAN 500 as a tagged VLAN on port ge-0/0/0.
  4. Run the show lldp neighbors interface ge-0/0/0 command to view the LLDP output and verify that the IP Phone is using tagged VLAN 500 for Voice.
  5. Verify authentication status in Cisco ISE. Choose Operations > Live Logs.
  6. Choose Operations > Live Sessions.

Verify Connections to Windows 10 Clients

Verify User 1

  1. Enter the dot1x credentials in Windows for user1 and connect the PC to the IP Phone. Verify that user1 is authenticated:
  2. Verify that Cisco ISE has applied Data VLAN 100 to port ge-0/0/0:
  3. View the Cisco ISE logs. Choose Operations > Live Logs.
  4. Choose Operations > Live Sessions

Verify User 2

  1. Change credentials in Windows to user2.
  2. Verify that user2 is authenticated.
  3. Verify that Cisco ISE has applied Data VLAN 100, and also applied the locally configured firewall filter/ACL called deny_all.
  4. View the Cisco ISE logs. Choose Operations -> Live Logs. Note the different authorization policy applied for user2, Data VLAN 100 + ACL deny_all.
  5. Choose Operations > Live Sessions.

Verify User 3

  1. Change credentials in Windows to user3.
  2. Verify that user3 is authenticated.
  3. Verify that Cisco ISE has applied Data VLAN 100, and also applied a dynamic/downloadable firewall filter/ACL to the supplicant.
  4. Verify that the firewall filter is active for the supplicant. The terms should be in this order:
    • t0 is the first term

    • t1 is the second term

    • T term without a t-name is the last term to allow all traffic

  5. View the Cisco ISE logs. Choose Operations > Live Logs. Note the different authorization policy applied for user3, Data VLAN 100 + dACL.
  6. Choose Operations > Live Sessions.
  7. Verify that user3 is authenticated.
  8. View the Cisco ISE log. Choose Operations > Live Sessions > Show CoA Actions > Session termination for user3.
  9. Click Show CoA Actions and session termination.
  10. Verify that the user3 session is terminated.

Verify CoA Session Disconnect with Port Bounce

  1. Verify that the IP Phone is authenticated. (0004f228b69d1)
  2. View the Cisco ISE log. Choose Operations > Live Sessions > Show CoA Actions > Session termination for IP Phone.
  3. Click Show CoA Actions then choose Session termination with port bounce.
  4. Run the command show dot1x interface and notice that all sessions are now terminated because the port was bounced.