Part one can be found here
Join the DMZ ISE server to Active Directory
Why did the ISE node fail to join AD?
By design, the DMZ network cannot communicate with the internal network unless a firewall rule explicitly allows it. The image below shows ISE (10.0.66.36) attempting to reach the domain controller (10.0.206.21) on UDP port 389; the firewall denies this traffic until a rule is in place.
This meets one of the basic segmentation requirements.
The ISE node continues to fail while trying to join the Active Directory domain.
CoA failure – firewall rules must be in place
To join the Active Directory domain successfully, additional ports must be opened:
- From the DMZ VLAN 666 to the internal VLAN 206 (Active Directory)
- From ISE on the DMZ VLAN 666 (10.0.66.36) to the internal WLC (10.0.0.18)
Port / Service | Description |
--- | --- |
UDP – 389 | The Lightweight Directory Access Protocol (LDAP) uses this TCP and UDP port for directory updates and basic LDAP queries. LDAP is the foundation of Active Directory and is used for user authentication and directory lookups. |
TCP/UDP – 88 | This TCP/UDP port provides users with access to the Kerberos authentication protocol. This protocol allows users to access privileged network resources using tickets from the server. |
TCP/UDP – 135 | This port is used for Remote Procedure Call (RPC), a Windows service that many services, including Active Directory, rely on. |
TCP – 445 | This port is used for file sharing and authentication. It is also used to share network device resources using SMB, which is a key component of Microsoft Active Directory. |
TCP – 3268 | In Active Directory, TCP port 3268 is used for the Global Catalog, which allows searches across the entire forest: you can query objects from any domain in the forest by accessing this port on a domain controller configured as a Global Catalog server. It is essentially an LDAP port for broader searches than the standard LDAP port (389). |
UDP – 1700 | RADIUS Change of Authorization (CoA) Send: UDP/1700; RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799 |
Bring Your Own Device (BYOD) / Network Service Protocol (NSP): Redirection, Provisioning, SCEP | Provisioning – URL Redirection: see Web Portal Services (Guest Portal and Client Provisioning). For Android devices with EST authentication: TCP/8084; port 8084 must be added to the Redirect ACL for Android devices. Provisioning – Active-X and Java Applet Install (includes the launch of Wizard Install): see Web Portal Services (Guest Portal and Client Provisioning). Provisioning – Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443. Provisioning – Wizard Install from Google Play (Android): TCP/443. Provisioning – Supplicant Provisioning Process: TCP/8905. SCEP Proxy to CA: TCP/80 or TCP/443 (based on the SCEP RA URL configuration). |
Profiling | NetFlow: UDP/9996 (configurable). DHCP: UDP/67 (configurable). DHCP SPAN Probe: UDP/68. HTTP: TCP/80, 8080. DNS: UDP/53 lookup (route table dependent). SNMP Query: UDP/161 (route table dependent). SNMP Trap: UDP/162 (configurable). |
OCSP and CRL Service Ports | For OCSP, the default ports that can be used are TCP/80, TCP/443 and TCP/2560. The Cisco ISE Admin portal expects an http-based URL for OCSP services, so TCP/80 is the default. You can also use non-default ports. For the CRL, the default protocols are HTTP, HTTPS and LDAP, with default ports 80, 443 and 389 respectively. The actual port depends on the CRL server. |
SCEP | TCP/9090 |
Session | RADIUS Authentication: UDP/1812. RADIUS Accounting: UDP/1813. RADIUS DTLS Authentication/Accounting: UDP/2083. RADIUS Change of Authorization (CoA) Send: UDP/1700. RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799 (UDP port 3799 is not configurable). |
Web Portal Services: Guest/Web Authentication, Guest Sponsor Portal, My Devices Portal, Client Provisioning, Certificate Provisioning, BlackListing Portal | HTTPS (the interface must be enabled for the service in Cisco ISE). Blacklist Portal: TCP/8000-8999 (default TCP/8444). Guest Portal and Client Provisioning: TCP/8000-8999 (default TCP/8443). Certificate Provisioning Portal: TCP/8000-8999 (default TCP/8443). My Devices Portal: TCP/8000-8999 (default TCP/8443). Sponsor Portal: TCP/8000-8999 (default TCP/8443). SMTP guest notifications from guest and sponsor portals: TCP/25 |
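Before retrying the AD join, it helps to confirm from the DMZ side that the firewall actually passes the ports in the table. The script below is an added example, not code from the original post: it probes the TCP rows with a plain connect() and reports the UDP rows as untestable instead of guessing. The target addresses are the post's lab addresses (10.0.206.21 and 10.0.0.18); the local listener and `free_port` helper exist only so the check can be demonstrated offline.

```python
"""Pre-flight reachability check for the firewall openings listed above.

Added example, not code from the original post: run it from the DMZ ISE node
(or any host on VLAN 666) to confirm that the TCP ports toward the domain
controller and the WLC are passed by the firewall before attempting the AD
join. UDP rows (389, 88, 1700) cannot be confirmed with a connect(), so they
are reported as 'not testable' rather than guessed at.
"""
import socket
import threading

# Targets are the lab addresses from the post; the port list is transcribed
# from the table above. Adjust both for your own environment.
AD_DC = "10.0.206.21"
WLC = "10.0.0.18"
REQUIRED = [
    ("tcp", AD_DC, 88,   "Kerberos"),
    ("tcp", AD_DC, 135,  "RPC endpoint mapper"),
    ("tcp", AD_DC, 445,  "SMB / authentication"),
    ("tcp", AD_DC, 3268, "Global Catalog (LDAP)"),
    ("udp", AD_DC, 389,  "LDAP (UDP)"),
    ("udp", AD_DC, 88,   "Kerberos (UDP)"),
    ("udp", WLC,  1700,  "RADIUS CoA"),
]


def check_tcp(host, port, timeout=2.0):
    """Return 'open' when a TCP handshake completes, 'blocked' otherwise.

    A firewall drop shows up as a timeout, a reject or a closed port as
    ECONNREFUSED; both are OSError subclasses and both mean the opening
    the table requires is not in place.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        return "blocked"


def run_checks(required, timeout=2.0):
    """Evaluate every row; returns {'proto/host:port': status}."""
    results = {}
    for proto, host, port, _desc in required:
        key = f"{proto}/{host}:{port}"
        if proto == "tcp":
            results[key] = check_tcp(host, port, timeout)
        else:
            results[key] = "not testable (UDP)"
    return results


def start_local_listener():
    """Open a throwaway TCP listener on 127.0.0.1 so the check can be
    demonstrated offline. Returns (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # listener closed by the caller
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Return a port number that currently has no listener on 127.0.0.1."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Real run against the lab addresses (requires network access).
    for key, status in run_checks(REQUIRED).items():
        print(f"{key:28s} {status}")
```

Run it from the DMZ node after each firewall change; a `blocked` TCP row points at the rule that is still missing, while the UDP rows still have to be confirmed on the firewall itself or from the AD join result.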
Configure ISE Guest portal on GigabitEthernet 1
interface GigabitEthernet 1
ip address 10.0.77.36 255.255.255.192
ipv6 enable
ipv6 address autoconfig
!
ip route 0.0.0.0 0.0.0.0 gateway 10.0.77.23
The default route above sends captive-portal traffic out of interface GigabitEthernet 1 via the gateway 10.0.77.23.
Test the Portal
Configure ISE Sponsor portal on GigabitEthernet 0
Test the sponsor portal
Configure an ACL on the DMZ controller. It is pushed to the client session and triggers the captive portal.
- Deny = the traffic is not redirected.
- Permit = the traffic is redirected.
You need to deny traffic to your ISE PSN nodes, deny DNS, and permit everything else. This redirect ACL is not a security ACL but a punt ACL: it defines which traffic goes to the CPU (on permit) for further treatment, such as redirection, and which traffic stays on the data plane (on deny) and is not redirected (but is not necessarily dropped).
It is better to restrict the deny entries to port 8443, which is typically the port used by the guest portal (although in some specific cases other ports can be involved).
You also need to deny DNS traffic (potentially only towards your DNS server IPs), and in certain cases DHCP and NTP as well.
ip access-list extended WEBAUTH_REDIRECT_CWA
20 deny tcp any host 10.0.0.36 eq 8443
21 deny tcp any host 10.0.77.36 eq 8443
40 deny tcp host 10.0.0.36 any eq 8443
41 deny tcp host 10.0.77.36 any eq 8443
49 deny ip any host 72.163.1.80
50 deny ip any 72.163.0.0 0.0.255.255
60 deny tcp any host 10.0.0.36 eq 8905
61 deny tcp any host 10.0.77.36 eq 8905
70 deny tcp any host 10.0.0.36 eq 8084
71 deny tcp any host 10.0.77.36 eq 8084
100 permit tcp any any eq www
110 deny udp any host 10.0.206.21 eq domain
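Because a redirect ACL inverts the usual meaning of permit and deny, it is worth checking the list against a few concrete packets before pushing it. The model below is an added example, not code from the original post or from Cisco: it parses the WEBAUTH_REDIRECT_CWA entries exactly as written above and reports, for constructed client packets (client address 10.0.66.200 and web server 198.51.100.10 are invented for the demo), whether the controller would punt them for redirection or leave them on the data plane, including the implicit deny at the end of the list.

```python
"""Model of the redirect (punt) ACL semantics described above.

Added example, not from the original post or Cisco's software: it parses the
WEBAUTH_REDIRECT_CWA entries and reports, for a few constructed client packets,
whether the controller would punt them for redirection (permit) or leave them
on the data plane (deny), including the implicit deny at the end of the list.
Wildcard masks and the port names www/domain follow IOS-XE conventions; 'eq'
is treated as a destination-port match, as it is used in the entries above.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL from the post, minus the 'ip access-list extended' header line.
ACL_TEXT = """
20 deny tcp any host 10.0.0.36 eq 8443
21 deny tcp any host 10.0.77.36 eq 8443
40 deny tcp host 10.0.0.36 any eq 8443
41 deny tcp host 10.0.77.36 any eq 8443
49 deny ip any host 72.163.1.80
50 deny ip any 72.163.0.0 0.0.255.255
60 deny tcp any host 10.0.0.36 eq 8905
61 deny tcp any host 10.0.77.36 eq 8905
70 deny tcp any host 10.0.0.36 eq 8084
71 deny tcp any host 10.0.77.36 eq 8084
100 permit tcp any any eq www
110 deny udp any host 10.0.206.21 eq domain
"""

PORT_NAMES = {"www": 80, "domain": 53}


@dataclass
class Entry:
    seq: int
    action: str            # 'permit' (punt to CPU, redirect) or 'deny' (stay on data plane)
    proto: str             # 'ip', 'tcp' or 'udp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None = any destination port


def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard as a hostmask, e.g. 72.163.0.0/0.0.255.255
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn the numbered entries into Entry objects, in sequence order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue
        seq, action, proto = int(t[0]), t[1], t[2]
        src, i = _parse_addr(t, 3)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = int(p) if p.isdigit() else PORT_NAMES[p]   # KeyError on an unknown name
        entries.append(Entry(seq, action, proto, src, dst, dport))
    return sorted(entries, key=lambda e: e.seq)


def classify(entries, proto, src, dst, dport):
    """First-match evaluation. Returns ('redirect' | 'bypass', matching seq or None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return ("redirect" if e.action == "permit" else "bypass", e.seq)
    return ("bypass", None)   # implicit deny: not punted, so never redirected


# Constructed sample packets from a guest client (addresses invented for the demo).
CLIENT = "10.0.66.200"
SAMPLES = [
    ("tcp", CLIENT, "10.0.77.36", 8443),    # to the guest portal itself: must not loop
    ("tcp", CLIENT, "198.51.100.10", 80),   # ordinary HTTP: punted and redirected
    ("udp", CLIENT, "10.0.206.21", 53),     # DNS to the internal DC: left alone
    ("tcp", CLIENT, "198.51.100.10", 443),  # HTTPS: no permit entry, implicit deny
    ("tcp", CLIENT, "72.163.1.80", 80),     # deny at 49 wins over the permit at 100
]


def report(entries=None):
    """Classify every sample packet; returns [(packet, (verdict, seq)), ...]."""
    entries = entries or parse_acl(ACL_TEXT)
    return [(pkt, classify(entries, *pkt)) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, (verdict, seq) in report():
        print(f"{pkt[0]} {pkt[1]} -> {pkt[2]}:{pkt[3]:<5} {verdict:8s} (entry {seq})")
```

Two things the model makes visible: only plain HTTP is ever redirected (HTTPS falls through to the implicit deny and is simply not intercepted), and entries 40 and 41 match packets that the PSNs send *to* destination port 8443, whereas the portal's reply traffic carries 8443 as its source port; if reply traffic must be excluded on your platform, the port operator belongs after the source address.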
- Ensure that the respective user VLANs are defined in DNS.
- Ensure that the ISE VLANs, the captive portal, and the hostname are defined in DNS.
Create simple policy sets
Conduct a test to verify that the captive portal is working.
- Create a guest account
Note to self: The GigabitEthernet 1 interface resolved the guest portal to the 10.0.77.36 address.
visedmz/admin(config)#ip host 10.0.77.36 dmzwlan dmzwlan.netprojekralac.com
Host alias was modified. You must restart ISE for change to take effect.
Do you want to restart ISE now? (yes/no) yes
This command adds a static hostname-to-IP address mapping for the ETH1 (GigabitEthernet 1) network interface. Here is what it does, step by step:
1. ip host: Indicates the command to create a static mapping.
2. 10.0.77.36: The IP address of the host.
3. dmzwlan: The short hostname for the device.
4. dmzwlan.netprojekralac.com: The Fully Qualified Domain Name (FQDN) for the device.
By entering this command on a network device, you are manually associating the IP address 10.0.77.36 with its ETH1 FQDN dmzwlan.netprojekralac.com. Ensure that the corresponding DNS entry is configured.
ISE Live logs
DHCP server
Anchor WLC