12.1 - RADIUS Device Admin Support

School: Palo Alto College
Course: BIOL 123
Subject: Computer Science
Date: Dec 18, 2024
Pages: 17
Uploaded by: misagova
ISE 301 for Field Engineers
12.1 - RADIUS Device Admin Support

1. First, we need to create a User Identity Group for Switch Admins. In ISE, navigate to Administration > Identity Management > Groups.
4. Name the Identity Group STARK_DEVICE_ADMINS. Then click the Submit button.

5. Next, create a user account in ISE. Navigate to Administration > Identity Management > Identities.

6. Click the + Add button.

7. Configure the Network Access User with the following values and then click Submit.
   - Name: netadmin
   - On the Login Password line, enter C1sco12345 in the Password and Re-Enter Password fields.
   - User Groups: STARK_DEVICE_ADMINS
8. Next, create a new Network Device Group (NDG) to represent devices to be managed with RADIUS. This could act as a parent group for other device groups. Navigate to Administration > Network Resources > Network Device Groups.

9. Click + Add.

10. Name the group Routers and select All Device Types as the Parent Group. Then click Save.
11. Next, let's add a new network device to use Device Admin. Navigate to Administration > Network Resources > Network Devices.

13. Configure a new network device. Then scroll down and click Save.
   - Name: BRRTR
   - IP Address: 198.18.133.101/32
   - Device Type: Routers
   - RADIUS Authentication Settings: checked
   - Shared Secret: C1sco12345
14. We need to create a new condition to use in our policy. Navigate to Policy > Policy Elements > Conditions.

15. In the Editor, click "Click to add an attribute", select the Radius dictionary from the dropdown, then select the NAS-Port-Type attribute.

16. Select Virtual as the attribute value.
18. Select an attribute for the condition: select the Radius dictionary from the dropdown, then select the Service-Type attribute.
20. We need to add one more condition. Click New. Click to add an attribute, select the DEVICE dictionary from the dropdown, then select the Device Type attribute.

21. Set it to Equals and then All Device Types#Routers. Finally, save your condition.

22. Save the new Library Condition as STARK_RADIUS_DEVICE_ADMIN. Then click the Save button.
23. Navigate to Policy > Policy Sets.

24. Add a new Policy Set below the Wired Access policy by clicking the cog icon on the Wired Access policy line and selecting Insert new row below.

25. Configure your new policy and then click Save.
   - Policy Set Name: RADIUS Device Admin
   - Condition: STARK_RADIUS_DEVICE_ADMIN
   - Allowed Protocols: Default Network Access
27. Expand Authorization Policy and add a new rule by clicking the + button.

28. Rename the rule Router Consoles, then click + to add conditions.

29. In the Editor, click the "Click to add an attribute" field. Select the DEVICE icon in the Dictionary dropdown, then click Device Type.

30. Set it to Equals All Device Types#Routers. Then add another condition by clicking New.

31. Click to add an attribute. Select the IdentityGroup icon, then click InternalUser:IdentityGroup.
32. Set it to Equals User Identity Groups:STARK_DEVICE_ADMINS. Then scroll down and click Use.

34. Open a PuTTY SSH connection to BRRTR (198.18.133.101). Login as admin : C1sc012345.
35. Open a new Chrome tab and navigate to JARVIS using the bookmark.

36. Select ISE from the menu.

37. Scroll down to ISE 301 NAD Configurations and select 12.1. The 12.1 - BRRTR RADIUS Device Admin Config includes:

   aaa authentication login ISE-RADIUS group radius local
   radius-server attribute 6 on-for-login-auth
   !
   line vty 1 4
    login authentication ISE-RADIUS
   !
   end

38. Copy the configuration.
39. Return to your PuTTY session and paste the configuration into BRRTR.

   BRRTR#configure terminal
   Enter configuration commands, one per line. End with CNTL/Z.
   BRRTR(config)#radius server ISE
   BRRTR(config-radius-server)#address ipv4 198.19.10.13
   BRRTR(config-radius-server)#key C1sco12345
   BRRTR(config-radius-server)#timeout 60
   BRRTR(config-radius-server)#exit
   BRRTR(config)#aaa authentication login ISE-RADIUS group radius local
   BRRTR(config)#line vty 1 4
   BRRTR(config-line)#login authentication ISE-RADIUS
   BRRTR(config-line)#end
   BRRTR#write memory
   Building configuration...
   [OK]
   BRRTR#

   We are specifying VTY lines 1-4 so that the first session (line 0) continues to use local authentication, to avoid potential lockouts in our lab.

40. To test our configuration, keep the current PuTTY client session open and connected to the router. Configure a new PuTTY session by right-clicking on the PuTTY icon and selecting Duplicate Session.
41. Login as netadmin : C1sco12345.

42. To see the successful login in ISE, return to ISE in Chrome and navigate to Operations > RADIUS. Rather than left-clicking, this time right-click on Live Logs and select Open in a new tab. (This allows you to jump back and forth between a configuration tab and a monitoring tab. You could also open the Live Logs in a new window on a second screen if you had one, which is handy for monitoring while making configuration changes.)

43. Locate the netadmin authentication line.

44. Click the Details button associated with this entry to view the detailed report.
45. Notice the Authentication Method and Protocol are PAP_ASCII. Either of these could also be used as a matching condition for RADIUS Device Admin with devices that use PAP_ASCII as the password authentication protocol. Also notice that the Service Type and NAS Port Type values match those set in the Policy Set match condition. This also presents an opportunity to make protocol processing more efficient: rather than using the Default Network Access allowed protocols for the Policy Set, which permits Process Host Lookup, EAP-MD5, PEAP, and other protocols including PAP/ASCII, you could create a custom Allowed Protocols list that permits only PAP/ASCII. Another item to notice is that this session selected Internal Users, All_AD_Join_Points, and Guest Users as the identity sources to check.
This is because the Default Authentication rule for the Policy Set uses All_User_ID_Stores as its Identity Source Sequence. This is inefficient: in our example, the switch admins are stored only in the Internal Users store.

46. Let's fix this by changing the Authentication Policy to use only Internal Users. Return to your original ISE tab in Chrome, leaving the RADIUS Live Logs open in the second tab. Navigate to Policy > Policy Sets. Expand the RADIUS Device Admin Policy Set by clicking the > arrow.

47. Expand the Authentication Policy and locate the Default authentication rule. Change the Default rule to use Internal Users instead of All_User_ID_Stores. Then click Save.

48. To test our modified configuration, keep the initial PuTTY client session open and connected to the router. Configure a new PuTTY session by right-clicking on the PuTTY icon and selecting Duplicate Session.
49. Login as netadmin : C1sco12345.

50. Return to your Live Logs ISE tab in Chrome and view the detailed report for the new log entry, which now shows only Internal Users as the identity store.

Question: Why did we modify the Authentication Policy to use Internal Users instead of All_User_Identity_Stores?
   - For demonstration purposes; it doesn't matter either way.
   - It is more efficient, since the netdeviceadmin user is only in the Internal Users database.
   - Authentication will fail if we use All_User_Identity_Stores.
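The BRRTR configuration pasted in step 39 depends on the order of methods in `aaa authentication login ISE-RADIUS group radius local` and on leaving VTY 0 under local authentication. The following Python model is an added example, not part of the lab guide or of any Cisco software; it walks that method list the way IOS does (RADIUS first, local only when the server does not answer, never after an Access-Reject). The account contents, including the assumption that the local admin user does not exist in ISE, are constructed.

```python
"""Model of the IOS login method list configured on BRRTR.

Added example (not from the lab guide or Cisco software). It walks
`aaa authentication login ISE-RADIUS group radius local` as bound to
`line vty 1 4`: ISE (RADIUS) is asked first; the router's local user
database is consulted only when no RADIUS server answers. An
Access-Reject is final. VTY 0 keeps the default local method.
"""
from dataclasses import dataclass

# Constructed accounts: the lab only states the netadmin user in ISE.
LOCAL_USERS = {"admin": "C1sco12345"}    # router-local database
ISE_USERS = {"netadmin": "C1sco12345"}   # ISE Internal Users store

# Method list bound to each VTY line, as in the lab configuration.
VTY_METHOD_LIST = {0: "default", **{n: "ISE-RADIUS" for n in range(1, 5)}}
METHOD_LISTS = {"default": ["local"], "ISE-RADIUS": ["group radius", "local"]}

@dataclass
class RadiusServer:
    """Minimal stand-in for the ISE node at 198.19.10.13."""
    reachable: bool = True

    def authenticate(self, user, password):
        """'accept', 'reject', or None when the request times out."""
        if not self.reachable:
            return None
        return "accept" if ISE_USERS.get(user) == password else "reject"

def local_authenticate(user, password):
    return "accept" if LOCAL_USERS.get(user) == password else "reject"

def authenticate_login(vty, user, password, server):
    """Evaluate the method list for `vty` the way IOS does: the next
    method is tried only when the previous one returned no result
    (server error), never after an explicit accept or reject.
    Returns (verdict, method that decided)."""
    for method in METHOD_LISTS[VTY_METHOD_LIST[vty]]:
        if method == "group radius":
            result = server.authenticate(user, password)
        else:
            result = local_authenticate(user, password)
        if result is not None:
            return result, method
    return "reject", None  # every method errored; IOS denies the login

if __name__ == "__main__":
    print(authenticate_login(1, "netadmin", "C1sco12345", RadiusServer()))  # ('accept', 'group radius')
    print(authenticate_login(1, "admin", "C1sco12345", RadiusServer()))     # ('reject', 'group radius')
    print(authenticate_login(1, "admin", "C1sco12345", RadiusServer(reachable=False)))  # ('accept', 'local')
```

The second call shows why the lab keeps VTY 0 on local authentication: while ISE is reachable, a local-only account is rejected on lines 1-4 and there is no fallback.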