Campus and Branch

How-To: Configure Juniper EX Series switches and Cisco ISE 802.1X-PEAP

by Juniper Employee on 09-28-2015 08:51 AM, edited on 09-19-2017 10:58 AM by Administrator

Configure EX Series Switches

Juniper Networks EX Series switches are designed to meet the demands of today’s high-performance businesses. EX Series Ethernet switches allow companies to grow their networks at their own pace, minimizing large up-front investments. Based on open standards, EX Series switches provide the carrier-class reliability, security risk management, virtualization, application control, and lower total cost of ownership (TCO) that businesses need today while allowing them to scale in an economically sensible way for years to come.

Cisco Identity Services Engine (ISE) is a security policy management platform. ISE provides the AAA, posture, and profiler services in network admission control (NAC) use cases. ISE can address use cases such as BYOD, guest access management, and device profiling for wired and wireless users.

Enterprises with Cisco wireless infrastructure typically deploy ISE to provide NAC services for that wireless infrastructure. Enterprises that also deploy EX Series switches in these environments can leverage the extensive RADIUS capabilities of the EX Series switches to integrate with Cisco ISE. This lets customers apply a consistent security policy across wired and wireless infrastructure.

Multiple use cases can be addressed with Juniper EX Series and Cisco ISE. This document describes an example of how to configure a Juniper EX4300 switch and Cisco ISE for 802.1X-PEAP authentication.

Use Case

  • Configure EX switch for basic 802.1X authentication
  • Configure ISE for basic 802.1X-PEAP authentication
  • Use local data store on ISE for user authentication

ex1.png

Configure Juniper EX Series Switches

On EX Series switches, to configure 802.1X authentication, you need to:

  • Configure an access profile with the RADIUS server details
  • Configure the dot1x protocol on the authenticator interfaces

Access Profile Configuration

Configure the RADIUS server, and the authentication and accounting server details, in an access profile:

root@Juniper-EX-4300# run show configuration access
radius-server {
    <radius-server-ip> {
        secret <secretkey>;
        source-address <nas-ip-address>;
    }
}
profile <profile-name> {
    accounting-order radius;
    authentication-order radius;
    radius {
        authentication-server <radius-server-ip>;
        accounting-server <radius-server-ip>;
    }
}

Example configuration:

radius-server {
    10.2.2.2 {
        secret ABC123;
        source-address 10.1.1.1;
    }
}
profile AUTH_PROFILE1 {
    accounting-order radius;
    authentication-order radius;
    radius {
        authentication-server 10.2.2.2;
        accounting-server 10.2.2.2;
    }
}


Dot1X Protocol Configuration

root@Juniper-EX-4300# show protocols dot1x
authenticator {
    authentication-profile-name <profile-name>;
    interface {
        <interface-name> {
            supplicant single;   # single | single-secure | multiple
        }
    }
}


Example configuration:

root@Juniper-EX-4300# show protocols dot1x
authenticator {
    authentication-profile-name AUTH_PROFILE1;
    interface {
        ge-0/0/10.0 {
            supplicant single;
        }
    }
}


Configure Cisco ISE

Configure Network Device Groups

Under “Administration -> Network Resources -> Network Device Groups -> Groups -> All Device Types”, add a Network Device Group named “Juniper” and a subgroup named “EX Switches” under the “Juniper” group.

ex2.png


Add Network Device

  1. Under “Administration -> Network Resources -> Network Devices”, click the Add button to add a new network device for the EX Series switch.
  2. Provide the IP address of the EX Series switch.
  3. Configure the Device Type as “EX Switches”.
  4. Configure the RADIUS shared secret. This must be the same secret configured in the access profile on the Juniper EX switch.

ex3.png
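As an added example (this code is not from the article or from Juniper), the following Python renders the access-profile and dot1x stanzas above as Junos set commands and cross-checks them against the network-device entry just created on ISE, so a secret or NAS-IP mismatch is caught before the first authentication attempt. The class and function names and the sample values are constructed for this illustration; the supplicant keywords are the Junos ones (single, single-secure, multiple).

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Junos dot1x supplicant modes: single (first host opens the port for all),
# single-secure (exactly one host), multiple (every host authenticates).
SUPPLICANT_MODES = ("single", "single-secure", "multiple")

@dataclass
class ExDot1xConfig:           # values that fill the <placeholders> in the EX stanzas
    radius_server: str         # <radius-server-ip>
    secret: str                # <secretkey>
    source_address: str        # <nas-ip-address>, the NAS IP that ISE sees
    profile: str               # <profile-name>
    interfaces: dict           # interface name -> supplicant mode

@dataclass
class IseNetworkDevice:        # fields entered on the ISE "Network Devices" page
    device_ip: str
    device_type: str
    radius_secret: str

def render_set_commands(cfg: ExDot1xConfig) -> list:
    """Emit the article's hierarchical configuration as Junos set statements."""
    ip_address(cfg.radius_server)    # raises ValueError on a malformed address
    ip_address(cfg.source_address)
    p, srv = cfg.profile, cfg.radius_server
    cmds = [
        f"set access radius-server {srv} secret {cfg.secret}",
        f"set access radius-server {srv} source-address {cfg.source_address}",
        f"set access profile {p} accounting-order radius",
        f"set access profile {p} authentication-order radius",
        f"set access profile {p} radius authentication-server {srv}",
        f"set access profile {p} radius accounting-server {srv}",
        f"set protocols dot1x authenticator authentication-profile-name {p}",
    ]
    for ifname, mode in cfg.interfaces.items():
        if mode not in SUPPLICANT_MODES:
            raise ValueError(f"{ifname}: unknown supplicant mode {mode!r}")
        cmds.append(f"set protocols dot1x authenticator interface {ifname} supplicant {mode}")
    return cmds

def check_against_ise(cfg: ExDot1xConfig, dev: IseNetworkDevice) -> list:
    """Mismatches that make ISE ignore or fail the switch's RADIUS requests."""
    problems = []
    if dev.device_ip != cfg.source_address:
        problems.append("ISE device IP must equal the EX source-address")
    if dev.radius_secret != cfg.secret:
        problems.append("RADIUS secret on ISE differs from the EX access-profile secret")
    if dev.device_type != "EX Switches":
        problems.append("device type should be 'EX Switches' so the Juniper conditions match")
    return problems
```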


Add Users to Local Identity Store

Under “Administration -> Identity Management -> Identities -> Users -> Network Access Users”, click the Add button to add a new user to the local identity store on ISE.

ex4.png


Create Identity Source Sequence

Under “Administration -> Identity Management -> Identity Source Sequences”, click the Add button to add a new identity source sequence. “Internal Users” should be first in the “Authentication Search List”.

ex5.png


Create Allowed Protocols Profile for PEAP

Under “Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols”, add an “Allowed Protocols” profile for PEAP.

ex6.png


Create Juniper Wired 802.1X Authentication Condition

Under “Policy -> Policy Elements -> Conditions -> Authentication -> Compound Conditions”, add a new condition for Juniper wired 802.1X authentications.

ex7.png


Create Juniper Wired 802.1X Authorization Condition

Under “Policy -> Policy Elements -> Conditions -> Authorization -> Compound Conditions”, add a new condition for Juniper wired 802.1X authorizations.

ex8.png


Create an Authentication Policy for Juniper Wired 802.1X Authentication

Under “Policy -> Authentication”, add a new policy for Juniper wired 802.1X authentication.

ex9.png


Create an Authorization Policy for Juniper Wired 802.1X Authentication

Under “Policy -> Authorization”, add a new authorization policy for Juniper wired 802.1X authentications.

ex10.png