Cisco 9800 Wireless 2024 – Phase 13 – Part 2 – PoC

Part one can be found here

Join the DMZ ISE server to Active Directory

Why did the ISE node fail to join AD?

By design, the DMZ networks cannot communicate with the internal network unless a firewall rule explicitly permits it. The image below shows ISE (10.0.66.36) trying to reach the domain controller (10.0.206.21) on UDP port 389; the firewall denies that traffic unless a rule is in place.

This meets one of the basic segmentation requirements.

The ISE node continues to fail while trying to join the Active Directory domain.

CoA failure – firewall rules must be in place

To successfully join the Active Directory domain, additional ports must be opened:

  • From the DMZ VLAN 666 to the Internal VLAN 206 (Active Directory)
  • From ISE in the DMZ VLAN 666 (10.0.66.36) to the Internal WLC (10.0.0.18)
Port / Service     Description
UDP 389            Lightweight Directory Access Protocol (LDAP). Directory updates and basic LDAP queries use this port over TCP and UDP. LDAP is the foundation of Active Directory and is used for user authentication and directory lookups.
TCP/UDP 88         Kerberos authentication. Clients obtain tickets from the server and present them to access privileged network resources.
TCP/UDP 135        Remote Procedure Call (RPC), a Windows service that many other services, including Active Directory, rely on.
TCP 445            SMB, used for file sharing and authentication and for sharing network device resources; a key component of Microsoft Active Directory.
TCP 3268           Active Directory Global Catalog. An LDAP port for searches across the entire forest: objects from any domain in the forest can be queried through this port on a domain controller configured as a Global Catalog server, whereas the standard LDAP port (389) is scoped to a single domain.
UDP 1700           RADIUS Change of Authorization (CoA) send: UDP/1700. CoA listen/relay: UDP/1700, 3799.

Bring Your Own Device (BYOD) / Network Service Protocol (NSP): redirection, provisioning, SCEP
    Provisioning – URL redirection: see Web Portal Services (Guest Portal and Client Provisioning) below.
    Android devices with EST authentication: TCP/8084. Port 8084 must be added to the redirect ACL for Android devices.
    Provisioning – Active-X and Java applet install (includes the launch of the wizard install): see Web Portal Services (Guest Portal and Client Provisioning) below.
    Provisioning – wizard install from Cisco ISE (Windows and Mac OS): TCP/8443
    Provisioning – wizard install from Google Play (Android): TCP/443
    Provisioning – supplicant provisioning process: TCP/8905
    SCEP proxy to CA: TCP/80 or TCP/443 (depends on the SCEP RA URL configuration)
Profiling
    NetFlow: UDP/9996 (configurable)
    DHCP: UDP/67 (configurable)
    DHCP SPAN probe: UDP/68
    HTTP: TCP/80, 8080
    DNS: UDP/53 lookup (route-table dependent)
    SNMP query: UDP/161 (route-table dependent)
    SNMP trap: UDP/162 (configurable)
OCSP and CRL service ports
    OCSP: the default ports are TCP/80, TCP/443 and TCP/2560. The Cisco ISE admin portal expects an HTTP-based URL for OCSP services, so TCP/80 is the default; non-default ports can also be used.
    CRL: the default protocols are HTTP, HTTPS and LDAP on ports 80, 443 and 389 respectively. The actual port depends on the CRL server.
SCEP
    TCP/9090
Session
    RADIUS authentication: UDP/1812
    RADIUS accounting: UDP/1813
    RADIUS DTLS authentication/accounting: UDP/2083
    RADIUS Change of Authorization (CoA) send: UDP/1700
    RADIUS Change of Authorization (CoA) listen/relay: UDP/1700, 3799 (UDP/3799 is not configurable)
Web Portal Services (guest/web authentication, guest sponsor portal, My Devices portal, client provisioning, certificate provisioning, blacklisting portal)
    HTTPS (the interface must be enabled for the service in Cisco ISE):
    Blacklist portal: TCP/8000-8999 (default TCP/8444)
    Guest portal and client provisioning: TCP/8000-8999 (default TCP/8443)
    Certificate provisioning portal: TCP/8000-8999 (default TCP/8443)
    My Devices portal: TCP/8000-8999 (default TCP/8443)
    Sponsor portal: TCP/8000-8999 (default TCP/8443)
    SMTP guest notifications from guest and sponsor portals: TCP/25
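As an added example (written for this post; it is not Cisco or ISE code), the following Python models the gap check behind the two join attempts above: the ISE node, domain controller and WLC addresses are the ones in the post, the required flows are the AD join and CoA ports from the table, and the three rule sets are constructed for illustration rather than taken from the lab firewall. Beyond reporting which required flows a policy still blocks, it also flags permit rules that are wider than one host, one protocol and one port, since "permit ISE to anything" would make the join succeed while defeating the segmentation requirement.

```python
"""Gap check for the DMZ -> internal firewall policy: does it permit every flow
the DMZ ISE node needs for the AD join and for RADIUS CoA to the internal WLC,
and does it permit anything broader than those flows?

Added example written for this post; not Cisco or ISE code. The flows come
from the port table in the post; the three policies below are constructed
for illustration and are not the lab's actual firewall rules."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    purpose: str


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # single IP or "any"
    dst: str              # single IP or "any"
    proto: str            # "tcp", "udp" or "ip" (any protocol)
    port: Optional[int]   # destination port, None = any port

    def matches(self, f: Flow) -> bool:
        return (self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and self.proto in ("ip", f.proto)
                and self.port in (None, f.port))


ISE, DC, WLC = "10.0.66.36", "10.0.206.21", "10.0.0.18"

# Flows listed in the post: ISE (DMZ VLAN 666) to the domain controller
# (VLAN 206) for the AD join, and ISE to the internal WLC for CoA.
REQUIRED_FLOWS: List[Flow] = [
    Flow(ISE, DC, "udp", 389, "LDAP"),
    Flow(ISE, DC, "tcp", 389, "LDAP"),
    Flow(ISE, DC, "tcp", 88, "Kerberos"),
    Flow(ISE, DC, "udp", 88, "Kerberos"),
    Flow(ISE, DC, "tcp", 135, "RPC"),
    Flow(ISE, DC, "udp", 135, "RPC"),
    Flow(ISE, DC, "tcp", 445, "SMB"),
    Flow(ISE, DC, "tcp", 3268, "Global Catalog"),
    Flow(ISE, WLC, "udp", 1700, "RADIUS CoA"),
    Flow(ISE, WLC, "udp", 3799, "RADIUS CoA"),
]


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match semantics; None means the implicit deny at the end."""
    return next((r for r in rules if r.matches(flow)), None)


def missing_flows(rules: List[Rule], flows: List[Flow] = REQUIRED_FLOWS) -> List[Flow]:
    """Required flows that the policy does not permit."""
    out = []
    for f in flows:
        m = first_match(rules, f)
        if m is None or m.action != "permit":
            out.append(f)
    return out


def overly_broad(rules: List[Rule]) -> List[Rule]:
    """Permit rules wider than one host, one protocol and one port."""
    return [r for r in rules if r.action == "permit"
            and ("any" in (r.src, r.dst) or r.proto == "ip" or r.port is None)]


# Constructed: the state when the join first failed, only LDAP/UDP open.
POLICY_BEFORE = [Rule("permit", ISE, DC, "udp", 389)]

# Constructed: one rule per required flow, nothing wider.
POLICY_AFTER = [Rule("permit", f.src, f.dst, f.proto, f.port) for f in REQUIRED_FLOWS]

# Constructed: the shortcut that makes the join succeed but defeats segmentation.
POLICY_LAZY = [Rule("permit", ISE, "any", "ip", None)]


def report(rules: List[Rule]) -> str:
    """Human-readable summary of missing flows and over-broad permits."""
    lines = [f"missing: {f.proto}/{f.port} {f.src}->{f.dst} ({f.purpose})"
             for f in missing_flows(rules)]
    lines += [f"too broad: {r.action} {r.src}->{r.dst} {r.proto}/{r.port or 'any'}"
              for r in overly_broad(rules)]
    return "\n".join(lines) or "policy permits exactly the required flows"


if __name__ == "__main__":
    for name, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER), ("lazy", POLICY_LAZY)):
        print(f"[{name}]\n{report(pol)}\n")
```

Running it prints nine missing flows for the "before" policy (everything except LDAP/UDP), a clean report for the per-flow policy, and a single "too broad" line for the ISE-to-any shortcut. The matcher is deliberately exact-host only; a real firewall audit would also have to handle address objects and ranges, which is where over-broad permits usually hide.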

Configure ISE Guest portal on GigabitEthernet 1

interface GigabitEthernet 1
 ip address 10.0.77.36 255.255.255.192
 ipv6 enable
 ipv6 address autoconfig
!
ip route 0.0.0.0 0.0.0.0 gateway 10.0.77.23
The default route above sends captive-portal traffic out of interface GigabitEthernet 1.

Test the Portal


Configure ISE Sponsor portal on GigabitEthernet 0

Test the sponsor portal


Configure an ACL on the DMZ controller that is applied to the client session and triggers the captive portal.

  • Deny = the traffic is not redirected.
  • Permit = the traffic is redirected.

Reference:

You need to deny traffic to your ISE PSN nodes as well as deny DNS and permit all the rest. This redirect ACL is not a security ACL but a punt ACL that defines what traffic goes to the CPU (on permits) for further treatment (like redirection) and what traffic stays on the data plane (on deny) and avoids redirection (but is not dropped necessarily).

It is more ideal to restrict to the port 8443 which is typically the port used by the guest portal (although in some specific cases, other ports can be involved).

You also need to deny DNS traffic (potentially only towards your DNS server IPs) and DHCP and NTP in certain cases.

ip access-list extended WEBAUTH_REDIRECT_CWA
 20 deny tcp any host 10.0.0.36 eq 8443
 21 deny tcp any host 10.0.77.36 eq 8443
 40 deny tcp host 10.0.0.36 any eq 8443
 41 deny tcp host 10.0.77.36 any eq 8443
 49 deny ip any host 72.163.1.80
 50 deny ip any 72.163.0.0 0.0.255.255
 60 deny tcp any host 10.0.0.36 eq 8905
 61 deny tcp any host 10.0.77.36 eq 8905
 70 deny tcp any host 10.0.0.36 eq 8084
 71 deny tcp any host 10.0.77.36 eq 8084
 100 permit tcp any any eq www
 110 deny udp any host 10.0.206.21 eq domain
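To see what the redirect ACL above actually does to client traffic, here is an added Python example (written for this post, not Cisco code) that parses the ACL exactly as written and classifies sample packets with the punt semantics the reference describes: permit means the packet is punted to the CPU for redirection, deny or no match means it stays on the data plane. The guest client address 10.0.50.10 and the destinations 203.0.113.10, 203.0.113.53 and 72.163.4.161 are constructed test values; the ACE parser handles only the syntax this ACL uses (any / host / wildcard mask, and eq ports).

```python
"""Classify client packets against the WEBAUTH_REDIRECT_CWA redirect ACL.

Redirect (punt) ACL semantics on the 9800: 'permit' punts the packet to the
CPU for redirection, 'deny' keeps it on the data plane, and a packet that
matches no entry also stays on the data plane (implicit deny = no redirect).

Added example for this post, not Cisco code. The packet list is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the well-known port names IOS-XE accepts in 'eq' clauses.
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "ntp": 123}

# The ACL from the post, verbatim.
REDIRECT_ACL = """\
ip access-list extended WEBAUTH_REDIRECT_CWA
 20 deny tcp any host 10.0.0.36 eq 8443
 21 deny tcp any host 10.0.77.36 eq 8443
 40 deny tcp host 10.0.0.36 any eq 8443
 41 deny tcp host 10.0.77.36 any eq 8443
 49 deny ip any host 72.163.1.80
 50 deny ip any 72.163.0.0 0.0.255.255
 60 deny tcp any host 10.0.0.36 eq 8905
 61 deny tcp any host 10.0.77.36 eq 8905
 70 deny tcp any host 10.0.0.36 eq 8084
 71 deny tcp any host 10.0.77.36 eq 8084
 100 permit tcp any any eq www
 110 deny udp any host 10.0.206.21 eq domain
"""


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (inverse) mask as a hostmask
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' at t[i]; None means any port."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue                      # header line or blank line
        src, i = _addr(t, 3)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append(Ace(int(t[0]), t[1], t[2], src, sport, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def classify(aces: List[Ace], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return ('redirect' or 'bypass', sequence of the matching ACE or None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.src_port not in (None, sport) or a.dst_port not in (None, dport):
            continue
        return ("redirect" if a.action == "permit" else "bypass"), a.seq
    return "bypass", None                 # implicit deny: nothing is punted


ACES = parse_acl(REDIRECT_ACL)
CLIENT = "10.0.50.10"                     # constructed guest client address

# Constructed packets from the client: (label, proto, dst, dst port)
SAMPLE_PACKETS = [
    ("portal on GE1",      "tcp", "10.0.77.36",   8443),
    ("plain HTTP site",    "tcp", "203.0.113.10", 80),
    ("HTTPS site",         "tcp", "203.0.113.10", 443),
    ("DNS to internal DC", "udp", "10.0.206.21",  53),
    ("DNS elsewhere",      "udp", "203.0.113.53", 53),
    ("72.163.0.0/16 host", "tcp", "72.163.4.161", 80),
]


def run_samples() -> List[Tuple[str, str, Optional[int]]]:
    """Classify every constructed packet; source port is an arbitrary ephemeral port."""
    return [(label,) + classify(ACES, proto, CLIENT, 51000, dst, dport)
            for label, proto, dst, dport in SAMPLE_PACKETS]


if __name__ == "__main__":
    for label, verdict, seq in run_samples():
        print(f"{label:22} -> {verdict:8} (ACE {seq})")
```

Two things the output makes visible that the ACL text alone does not: only plain HTTP (ACE 100) is ever punted, so HTTPS and DNS to any server other than 10.0.206.21 fall through to the implicit deny and are never redirected, which means ACE 110 produces the same result as the implicit deny for this ACL and mainly documents intent and protects you if a broader permit is added later; and traffic to the portal ports on both ISE interfaces (8443, 8905, 8084) hits explicit denies before ACE 100, which is what stops the redirect target itself from being redirected.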

  • Ensure that the respective user VLANs are defined in DNS.
  • Ensure that the ISE VLANs, the captive portal, and the hostname are defined in DNS.

Create simple policy sets


Conduct a test to verify that the captive portal is working.

  • Create a guest account

Note to self: The GigabitEthernet 1 interface resolved the guest portal to the 10.0.77.36 address.

visedmz/admin(config)#ip host 10.0.77.36 dmzwlan dmzwlan.netprojekralac.com

Host alias was modified. You must restart ISE for change to take effect.
Do you want to restart ISE now? (yes/no) yes

This command adds a static hostname-to-IP address mapping for the ETH1 network interface. Step by step:

1. ip host: the command that creates a static mapping.
2. 10.0.77.36: the IP address of the host.
3. dmzwlan: the short hostname for the device.
4. dmzwlan.netprojekralac.com: the fully qualified domain name (FQDN) for the device.

Entering this command on the ISE node manually associates the IP address 10.0.77.36 with the ETH1 FQDN dmzwlan.netprojekralac.com. Ensure that the corresponding DNS entry is configured as well.


ISE Live logs


DHCP server


Anchor WLC

