Genie's Tech Blog

Where knowledge has no dimensions

Authenticating Router With ISE As RADIUS

Hello Friends,

Today, I am going to discuss authenticating a router with an ISE (Identity Services Engine) server. ISE is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. As a quick feature update, the latest ISE 1.2 has the following capabilities:

1. Integrates with most of the leading Mobile Device Management (MDM) and Mobile Application Management (MAM) technologies.

2. Supports 250,000 active and 1,000,000 registered devices.

3. Zero-day profile feed service for new devices.

4. Integrates with leading Security Information and Event Management (SIEM) and threat defense technologies to improve cyber security.

Before we proceed with our example, we will try to understand what RADIUS is. The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises, Inc., as an access server authentication and accounting protocol. RADIUS uses UDP for communication between the server and the Network Access Server (NAS). A RADIUS server supports different methods for authenticating a user. A user login consists of a query (Access-Request) from the NAS to the RADIUS server and a corresponding response (Access-Accept or Access-Reject) from the server. The Access-Request packet contains the username, the encrypted password, the NAS IP address, and the NAS port. Early RADIUS deployments used UDP port 1645, which conflicts with the "datametrics" service. Because of this conflict, RFC 2865 officially assigned port 1812 for RADIUS authentication. So, when implementing RADIUS-based authentication, do not forget to permit UDP port 1812 on any firewall in the path; otherwise the authentication requests will not get through.
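The Access-Request / Access-Accept exchange just described, as an added example that is not part of the original post and not Cisco or ISE code: a small pure-Python RADIUS client and server built from RFC 2865. It hides the User-Password with the shared secret the way the RFC specifies, encodes and parses the packet, and has the NAS verify the Response Authenticator so a reply that was not produced with the same secret is rejected. The username, password and shared secret are the values the post uses later; the NAS IP, identifier and user store are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block), seeded by the
    Request Authenticator. This is keyed obfuscation, not strong encryption: the secret carries it."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, chaining on the received cipher blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header octets."""
    body = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        body += struct.pack("!BB", t, len(v) + 2) + v
    return body


def build_access_request(ident, username, password, nas_ip, nas_port, secret, authenticator=None):
    """What the NAS sends: username, hidden password, NAS IP address and port."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (SERVICE_TYPE, struct.pack("!I", 1)),  # 1 = Login, what IOS adds with "attribute 6 on-for-login-auth"
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Header and attribute walk; inconsistent lengths are rejected rather than guessed."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def build_response(code, request_pkt, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    _, ident, req_auth, _ = parse_packet(request_pkt)
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this minimal reply
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response_pkt, request_pkt, secret):
    """NAS side: accept only a reply whose authenticator was computed with our shared secret."""
    _, ident, resp_auth, _ = parse_packet(response_pkt)
    _, req_ident, req_auth, _ = parse_packet(request_pkt)
    expected = hashlib.md5(response_pkt[:4] + req_auth + response_pkt[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, resp_auth)


def server_handle(request_pkt, secret, users):
    """Minimal server: reveal the password with the server's copy of the secret and check it."""
    code, _, auth, attrs = parse_packet(request_pkt)
    d = dict(attrs)
    pwd = reveal_password(d[USER_PASSWORD], secret, auth)
    ok = code == ACCESS_REQUEST and hmac.compare_digest(pwd, users.get(d[USER_NAME].decode(), b""))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request_pkt, secret)


def exchange(username, password, nas_secret, server_secret):
    """One login through both sides; returns (server's reply code, NAS accepted the reply)."""
    users = {"test": b"Admin@123"}  # constructed user store, matching the post's test user
    req = build_access_request(7, username, password, "13.13.13.2", 0, nas_secret)
    resp = server_handle(req, server_secret, users)
    return parse_packet(resp)[0], verify_response(resp, req, nas_secret)
```

Running `exchange("test", "Admin@123", b"cisco123", b"cisco123")` gives an Access-Accept that the NAS verifies; with a mismatched secret on one side the server cannot recover the password and replies Access-Reject, and the NAS also refuses the reply because its authenticator was computed with a different secret. That is the practical meaning of the shared secret on both the ISE network-device entry and the router's `radius-server host ... key` line.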

Let's now take a look at a simple example in which we authenticate a router with the RADIUS server, which is the ISE in our case.


The Gig1 (e1) interface of the ASA is configured as the inside interface and the Gig2 (e2) interface as the outside interface. Let's have a look at the complete config of all the devices needed for connectivity.

Config on R4:
==========
interface FastEthernet1/0
 switchport access vlan 150
!
interface FastEthernet1/1
 switchport access vlan 4
!
interface Vlan4
 ip address 104.10.4.1 255.255.255.0
!
interface Vlan150
 ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 104.10.4.2

Config on ASA:
===========
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 104.10.4.2 255.255.255.0
!
interface GigabitEthernet2
 nameif out1
 security-level 0
 ip address 13.13.13.1 255.255.255.0
!
access-list OUT extended permit icmp any any
access-list OUT extended permit udp any any eq domain
access-list OUT extended permit tcp any any eq telnet
access-list OUT extended permit tcp any host 192.168.2.20 eq www
access-list OUT extended permit tcp any host 192.168.2.20 eq ldap
!
access-group OUT in interface out1
route out1 0.0.0.0 0.0.0.0 13.13.13.2 1
route inside 192.168.2.0 255.255.255.0 104.10.4.1 1

Config on R5:
==========
interface FastEthernet0/0
 ip address 13.13.13.2 255.255.255.0
 speed auto
 duplex auto
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
 speed auto
 duplex auto
!
ip route 0.0.0.0 0.0.0.0 13.13.13.1
!

From the above config, we see that on the ASA we have permitted ICMP, UDP traffic to the DNS server, telnet traffic, LDAP requests to the domain controller hosted on 192.168.2.20, and web requests to the same server. Let's now confirm the connectivity:

On R5:
=====
R5#ping 192.168.2.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/55/72 ms
R5#

So, the above ping confirms connectivity to the domain controller. Let's now take a look at the ISE configuration.

Let's now check the connectivity from the PC in VMNET2 to the ISE in VMNET1.


So, now we have connectivity from VMNET2 to VMNET1. Note that we could also check the connectivity between R5 and the ISE directly, since the test PC plays no role in this section.

Let's now configure the router R5 to authenticate against the ISE. First we configure the ISE. We need to add a network device, which is the router R5. So, we go to Administration -> Network Resources -> Network Devices and on that page click Add.

As you see above, we have added the device name "R5" and entered the IP that is going to be used for authentication, which in this case is the interface facing the ASA firewall. Then we select the "Authentication Settings" option and enter the shared secret "cisco123". Then we click "Submit".

We now create a user group under the Identity Management section: we go to Administration -> Identity Management -> Groups -> User Identity Groups and there click Add.

Now we switch to the Identities tab under the Identity Management section and, under User Identities, create a new user by clicking the Add button. There we enter the username and password and, under User Groups, select the group that we created above, then click Submit.

We have now created the user named "test". Let's now configure AAA and RADIUS on the router R5:

aaa new-model
!
aaa authentication login default group radius local
username cisco privilege 15 password 0 cisco
!
aaa server radius dynamic-author
 client 192.168.2.100 server-key cisco123
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host 192.168.2.100 key cisco123
radius-server retransmit 10
radius-server vsa send accounting
radius-server vsa send authentication
!


From the above RADIUS config, we see that we have set AAA login authentication to try RADIUS first and then the local database. This is so that, if we are unable to reach the RADIUS server for some reason (network issues, for instance), we can still use the local login to authenticate on the router.

So far we have not configured the ASA to allow RADIUS traffic. Now if we try to connect to the router from the test PC, we shall notice that the RADIUS authentication does not succeed, but we are still able to log in using the local username and password.


On the ASA we shall see traffic on the default port 1645 being blocked:

%ASA-4-106023: Deny udp src out1:13.13.13.2/1645 dst inside:192.168.2.100/1645 by access-group "OUT" [0x0, 0x0]

%ASA-4-106023: Deny udp src out1:13.13.13.2/1645 dst inside:192.168.2.100/1645 by access-group "OUT" [0x0, 0x0]

Since in the above config we have not specified which port to use, the router is using the old default port, 1645. We need to explicitly specify UDP port 1812 for authentication.

!
radius-server host 192.168.2.100 auth-port 1812 acct-port 1813
!

Now we permit the RADIUS authentication port 1812 and accounting port 1813 on the ASA:

ciscoasa(config)# access-list OUT per udp any host 192.168.2.100 range 1812 1813

The above config permits the UDP traffic for RADIUS authentication and accounting. Now, if we test RADIUS authentication, we should see a success.
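As an added detection example, not from the post and not ASA or ISE tooling: a small Python parser over log lines in the format of the %ASA-4-106023 denies shown above. It picks out blocked UDP flows toward a known RADIUS server address, flags flows still using the legacy 1645/1646 ports (where the right fix is the NAS port setting, as the post does with auth-port 1812 rather than opening 1645), and for the RFC ports produces a permit line. The sample lines are constructed, and the host-to-host permit it suggests is narrower than the post's `any` source; that tightening is my choice, not the post's.

```python
import re

# Constructed sample modelled on the %ASA-4-106023 lines in the post (not a real capture).
SAMPLE_LOGS = """\
%ASA-4-106023: Deny udp src out1:13.13.13.2/1645 dst inside:192.168.2.100/1645 by access-group "OUT" [0x0, 0x0]
%ASA-4-106023: Deny udp src out1:13.13.13.2/1645 dst inside:192.168.2.100/1645 by access-group "OUT" [0x0, 0x0]
%ASA-4-106023: Deny udp src out1:13.13.13.2/1646 dst inside:192.168.2.100/1646 by access-group "OUT" [0x0, 0x0]
%ASA-4-106023: Deny udp src out1:13.13.13.2/1812 dst inside:192.168.2.100/1812 by access-group "OUT" [0x0, 0x0]
%ASA-4-106023: Deny tcp src out1:13.13.13.2/51234 dst inside:192.168.2.20/443 by access-group "OUT" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# RFC 2865/2866 ports and the legacy pair many NAS platforms still default to: port -> (role, legacy?)
RADIUS_PORTS = {1812: ("authentication", False), 1813: ("accounting", False),
                1645: ("authentication", True), 1646: ("accounting", True)}


def parse_deny(line):
    """Return the fields of one %ASA-4-106023 line as a dict, or None if the line is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def find_blocked_radius(log_text, radius_servers):
    """Group blocked UDP flows toward known RADIUS servers by (client, server, destination port)."""
    findings = {}
    for line in log_text.splitlines():
        d = parse_deny(line)
        if not d or d["proto"] != "udp" or d["dst"] not in radius_servers or d["dport"] not in RADIUS_PORTS:
            continue
        role, legacy = RADIUS_PORTS[d["dport"]]
        key = (d["src"], d["dst"], d["dport"])
        entry = findings.setdefault(key, {"count": 0, "acl": d["acl"], "role": role, "legacy": legacy})
        entry["count"] += 1
    return findings


def remediation(findings):
    """One line of advice per finding: fix the NAS port for legacy flows, permit the RFC ports otherwise."""
    lines = []
    for (src, dst, port), f in sorted(findings.items()):
        if f["legacy"]:
            lines.append(f"{src} -> {dst}/{port}: NAS is sending {f['role']} on the legacy port "
                         f"({f['count']} denies); set auth-port 1812 / acct-port 1813 on the NAS "
                         f"instead of opening {port} on the firewall")
        else:
            lines.append(f"{src} -> {dst}/{port}: {f['count']} denies by ACL {f['acl']}; add "
                         f"access-list {f['acl']} extended permit udp host {src} host {dst} range 1812 1813")
    return lines


if __name__ == "__main__":
    for advice in remediation(find_blocked_radius(SAMPLE_LOGS, {"192.168.2.100"})):
        print(advice)
```

Feeding real syslog into `find_blocked_radius` with the set of ISE addresses turns the two deny lines from the post into one finding with a count of 2 on port 1645, which is exactly the symptom the post walks through before changing the router's port.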

Output on R5:
=========
R5#test aaa group radius test Admin@123 new-code
User successfully authenticated

USER ATTRIBUTES

username             0   "test"
Termination-Action   0   True
R5#

We can now try to telnet to the router from the test PC and see how the authentication works.

We now see the success. We can also integrate Active Directory for authenticating users. For this we have to add an external identity source to the ISE; here we have added our domain, codergenie.com, in the ISE.

Now we go to Policy -> Authentication and change the Identity Source from Internal Users to codergenie.com.

We have our AD configured with the user administrator. Let's try to authenticate to the router with the user administrator.

Below is the snapshot of the ISE Live authentications.

Hope this post was helpful.

Please feel free to reach out to me in case of questions.


Cheers...!!!
