Campus and Branch

How-To: Configure Juniper EX Series switches and Cisco ISE MAB with EAP-MD5

by Juniper Employee on 10-12-2015 11:46 AM - edited on 09-19-2017 11:00 AM by Administrator (5,763 Views)

1. Introduction

Juniper Networks EX Series switches are designed to meet the demands of today’s high-performance businesses. EX Series Ethernet switches allow companies to grow their networks at their own pace, minimizing large up-front investments. Based on open standards, EX Series switches provide the carrier-class reliability, security risk management, virtualization, application control and lower total cost of ownership (TCO) that businesses need today while allowing them to scale in an economically sensible way for years to come.

Cisco Identity Services Engine (ISE) is a security policy management platform. ISE provides the AAA, Posture and Profiler services in Network Admission Control (NAC) use cases. ISE can address use cases such as BYOD, guest access management and device profiling for wired and wireless users.

Enterprises with Cisco wireless infrastructure typically deploy ISE to provide NAC services for the wireless infrastructure. Enterprises that also deploy EX Series switches in these environments can leverage the extensive RADIUS capabilities of the EX Series switches to integrate with Cisco ISE. This enables customers to deploy a consistent security policy across wired and wireless infrastructure.

There are multiple use cases that can be addressed with Juniper EX and Cisco ISE. This document covers the steps to configure a Juniper EX4300 switch and Cisco ISE for MAC authentication. The objective of this document is to provide an example configuration for a specific use case.

1.1 Use Case

  • Configure EX Series switch for basic MAC authentication
  • Configure ISE for MAC authentication
  • Use local data store on ISE for MAC authentication

1.2 Topology

[Topology diagram: isemabimage1.jpg]

2. Configuration

2.1 Configure Juniper EX Series Switches

On EX Series switches, MAB authentication requires the following configuration:

  • Configure an access profile with the RADIUS server details
  • Configure the dot1x protocol

2.1.1 Access Profile Configuration

Configure the RADIUS server and the authentication and accounting server details in an access profile:

root@Juniper-EX-4300# run show configuration access
radius-server {
    <radius-server-ip> {
        secret <secretkey>;
        source-address <nas-ip-address>;   # the switch IP that is added as a Network Device in ISE
    }
}
profile <profile-name> {
    accounting-order radius;
    authentication-order radius;
    radius {
        authentication-server <radius-server-ip>;
        accounting-server <radius-server-ip>;
    }
}

Example configuration:

radius-server {
    10.2.2.2 {
        secret ABC123;
        source-address 10.1.1.1;
    }
}
profile AUTH_PROFILE1 {
    accounting-order radius;
    authentication-order radius;
    radius {
        authentication-server 10.2.2.2;
        accounting-server 10.2.2.2;
    }
}

2.1.2 Dot1X Protocol Configuration

Bind the access profile to the dot1x authenticator and enable MAC RADIUS authentication on the access interfaces:

root@Juniper-EX-4300# show protocols dot1x
authenticator {
    authentication-profile-name <profile-name>;
    interface {
        <interface-name> {
            supplicant single;   # single | single-secure | multiple
            mac-radius {
                restrict;        # MAC RADIUS only; no 802.1X EAP exchange is attempted with the host
            }
        }
    }
}

Example configuration:

root@Juniper-EX-4300# show protocols dot1x
authenticator {
    authentication-profile-name AUTH_PROFILE1;
    interface {
        ge-0/0/10.0 {
            supplicant single;
            mac-radius {
                restrict;
            }
        }
    }
}
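As an added example (not part of the original article or any Juniper tool), the following Python script parses the two Junos snippets above and checks the points that must line up for MAB to work: the dot1x authenticator names a defined access profile, that profile points at a defined radius-server that has a secret and a source-address, and every port has mac-radius restrict. The input is the page's example configuration plus a second, constructed interface (ge-0/0/11.0) that deliberately omits the restrict knob.

```python
import re

# Constructed input: the page's example configuration, plus a second interface
# (ge-0/0/11.0, constructed) that lacks 'mac-radius restrict' to show a finding.
ACCESS = """radius-server { 10.2.2.2 { secret ABC123; source-address 10.1.1.1; } }
profile AUTH_PROFILE1 { accounting-order radius; authentication-order radius;
  radius { authentication-server 10.2.2.2; accounting-server 10.2.2.2; } }"""
DOT1X = """authenticator { authentication-profile-name AUTH_PROFILE1;
  interface { ge-0/0/10.0 { supplicant single; mac-radius { restrict; } }
              ge-0/0/11.0 { supplicant single; } } }"""

def parse_junos(text):
    """Junos braces -> nested dicts: 'k {' and 'k name {' open blocks, 'k v;' / 'k;' are leaves."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    def block(i):
        node, words = {}, []
        while i < len(tokens) and tokens[i] != "}":
            tok, i = tokens[i], i + 1
            if tok == "{":
                value, i = block(i)
            elif tok == ";":
                value = " ".join(words[1:]) or True
            else:
                words.append(tok)
                continue
            if tok == "{" and len(words) > 1:     # 'profile NAME {' -> node['profile']['NAME']
                node.setdefault(words[0], {})[words[1]] = value
            else:
                node[words[0]] = value
            words = []
        return node, i + 1                        # consume the closing brace
    return block(0)[0]

def check_mab(access_text, dot1x_text):
    access, dot1x = parse_junos(access_text), parse_junos(dot1x_text)
    servers, profiles, findings = access.get("radius-server", {}), access.get("profile", {}), []
    for ip, srv in servers.items():
        findings += [f"radius-server {ip}: missing {k}" for k in ("secret", "source-address") if k not in srv]
    for name, prof in profiles.items():
        for role in ("authentication-server", "accounting-server"):
            if prof.get("radius", {}).get(role) not in servers:
                findings.append(f"profile {name}: {role} is not a defined radius-server")
    auth = dot1x.get("authenticator", {})
    if auth.get("authentication-profile-name") not in profiles:
        findings.append("dot1x: authentication-profile-name does not match any access profile")
    for ifname, cfg in auth.get("interface", {}).items():
        mr = cfg.get("mac-radius")
        if not isinstance(mr, dict) or "restrict" not in mr:
            findings.append(f"{ifname}: no 'mac-radius restrict', so MAC RADIUS is not the only method")
    return findings
```

Running check_mab(ACCESS, DOT1X) reports only the constructed ge-0/0/11.0 port; the parser handles the brace format shown by show configuration and is not meant for set-format output.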

2.2 Configure Cisco ISE

2.2.1 Configure Network Device Groups

  • Under “Administration -> Network Resources -> Network Device Groups -> Groups -> All Device Types”, add a Network Device Group “Juniper” and a subgroup called “EX Switches” under the “Juniper” group.

2.2.2 Add Network Device

  • Under “Administration -> Network Resources -> Network Devices”, click the Add button to add a new Network Device for the EX switch.
  • Provide the IP address of the EX switch (the source-address configured in the access profile).
  • Configure the Device Type as “EX Switches”.
  • Configure the RADIUS shared secret. This must be the same as the secret configured in the Juniper EX access profile.

2.2.3 Add Endpoint MAC to local identity store

  • Under “Administration -> Identity Management -> Identities -> Endpoints”, click the Add button to add the endpoint's MAC address to the local identity store on ISE.

2.2.4 Create Identity Source Sequence

  • Under “Administration -> Identity Management -> Identity Source Sequences”, click the Add button to add a new identity source sequence.
  • “Internal Endpoints” should be first in the “Authentication Search List”.

2.2.5 Create Allowed Protocols profile for EAP-MD5

  • Under “Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols”, add an “Allowed Protocols” profile for EAP-MD5.

2.2.6 Create Juniper Wired Authentication Condition

  • Under “Policy -> Policy Elements -> Conditions -> Authentication -> Compound Conditions”, add a new condition for Juniper Wired authentications.

2.2.7 Create Juniper Wired Authorization Condition

  • Under “Policy -> Policy Elements -> Conditions -> Authorization -> Compound Conditions”, add a new condition for Juniper Wired MAB authorizations.

2.2.8 Create an authentication policy for Juniper Wired MAB authentication

  • Under “Policy -> Authentication”, add a new policy for Juniper Wired MAC authentication.

2.2.9 Create an Authorization policy for Juniper Wired MAB authentication

  • Under “Policy -> Authorization”, add a new authorization policy for Juniper MAC authentications.
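The following added example (not from the original article, and not ISE or Junos code) sketches what steps 2.2.3 and 2.2.5 make possible: with MAC RADIUS the switch answers the EAP-MD5 challenge using the endpoint MAC as both identity and password, and the server can only verify that digest if EAP-MD5 is an allowed protocol and the MAC exists in the Internal Endpoints store. The packet layout follows RFC 3748; the endpoint store, the lower-case no-separator MAC form and the challenge values are constructed assumptions, and the server-side logic is illustrative rather than ISE's implementation.

```python
import hashlib
import hmac
import os
import struct

# Constructed endpoint store standing in for ISE "Internal Endpoints" (2.2.3); MACs are made up.
INTERNAL_ENDPOINTS = {"001122aabbcc", "aabbccddeeff"}

def normalize_mac(mac):
    """Lookup key: lower-case hex with separators stripped (assumed canonical form)."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def eap_md5_response(identifier, secret, challenge):
    """RFC 3748 section 5.4: Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def build_md5_response_packet(identifier, mac, challenge):
    """EAP-Response (code 2) / MD5-Challenge (type 4) as a MAC RADIUS client sends it:
    the endpoint MAC is both the Name field and the password used in the digest."""
    name = normalize_mac(mac).encode()
    value = eap_md5_response(identifier, name, challenge)
    body = bytes([4, len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body

def verify_mab(packet, challenge, endpoints=INTERNAL_ENDPOINTS):
    """Server-side check: parse the response, require the Name (MAC) to exist in the
    endpoint store, recompute the digest with that MAC as the password, compare safely."""
    if len(packet) < 6:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet) or packet[4] != 4:
        return False
    size = packet[5]
    value, name = packet[6:6 + size], packet[6 + size:].decode(errors="replace")
    mac = normalize_mac(name)
    if mac not in endpoints:                       # unknown MAC: nothing to verify against
        return False
    expected = eap_md5_response(identifier, mac.encode(), challenge)
    return hmac.compare_digest(value, expected)    # the MAC itself is the only credential here

def demo():
    """Known endpoint passes; an unknown MAC and an answer to a different challenge do not."""
    challenge = os.urandom(16)
    known = build_md5_response_packet(7, "00:11:22:AA:BB:CC", challenge)
    unknown = build_md5_response_packet(8, "DE:AD:BE:EF:00:01", challenge)
    return (verify_mab(known, challenge),
            verify_mab(unknown, challenge),
            verify_mab(known, os.urandom(16)))
```

The demo shows why MAB is identification rather than strong authentication: everything the server checks is derived from the MAC address, so the endpoint store in 2.2.3 and the authorization policy in 2.2.9 carry the real access decision.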