Deploying Identity Services within a Converged Plantwide Ethernet Architecture
June 2015
This Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and
Implementation Guide (DIG) outlines the following key requirements and design considerations to
help in the successful deployment of the Cisco® Identity Services Engine (Cisco ISE) within
Industrial Automation and Control System (IACS) plant-wide architectures:
• Cisco ISE Use Case Overview
• Review of Cisco ISE Technology
• Important Steps and Considerations for Cisco ISE Implementation and Configuration
Recommendations within IACS applications
• Maintaining and Troubleshooting Cisco ISE
Note This release of the CPwE architecture focuses on EtherNet/IP™, which is driven by the ODVA
Common Industrial Protocol (CIP™ ). Refer to the IACS Communication Protocols section of the
CPwE Design and Implementation Guide.
Document Organization
The Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and
Implementation Guide contains the following chapters:
Chapter: Description
CPwE Identity Services Overview: Presents an introduction to the CPwE Identity Services architecture, Secure Access Control, Unified Network Access Policy Management for CPwE and CPwE Identity Services in general.
System Design Considerations: Presents an overview of CPwE Identity Services Technology, how to deploy Distributed CPwE Identity Services, and an overview of Microsoft® Server 2012 Active Directory.
Configuring the Infrastructure: Describes how to configure Cisco ISE infrastructure in the CPwE system based on the design considerations of the previous chapters, covering the configuration of the network infrastructure, network services, data traversal, Web application access and network and application security, all from an IDMZ perspective.
Troubleshooting Tips: Describes Cisco ISE and WLC troubleshooting.
References: Standard list of references for CPwE, Cisco Unified Access, RF Design and QoS and Wireless Security.
Configuration Examples: Examples of the configurations that have been used in the testing of the wired and wireless architecture.
Test Hardware and Software: Hardware and software components used in CPwE Identity Services testing.
Cisco ISE incorporation for CPwE is brought to market through a strategic alliance between Cisco
Systems and Rockwell Automation. This CPwE Identity Services Cisco Validated Design details
design and implementation considerations to help with the successful design and implementation
of Identity Services within the Industrial Zone.
[Figure (residue removed): CPwE architecture. Enterprise Zone (Levels 4-5) with WAN/Internet and External DMZ/Firewall; firewalls (Active/Standby); Cell/Area Zone (Levels 0-2) with controllers, I/O, drives, PAC, MCC, WGB (5 GHz) and LWAP; callouts: VLANs segmenting domains of trust, device hardening (physical, procedures, electronic, encrypted communications), zone-based policy firewall (ZFW).]
Through the application of Cisco ISE, provision policies are applied across the IACS network in
real-time, creating a consistent user access experience to services from wired and wireless
connections. Cisco ISE allows IT to define roles such as employees and trusted partners. These
roles can be configured to permit and limit access to assets within the Industrial Zone, the Industrial
Demilitarized Zone (IDMZ) and the Enterprise Zone. The Stratix™ and Cisco industrial Ethernet
switches (IES) work in conjunction with Cisco ISE to apply and enforce the security policies that are
configured. For example, if an employee attaches to the IACS network in the Industrial Zone with a
computer, Cisco ISE will be sent the hardware and user information. Cisco ISE will send the pre-
configured network security policies to the Stratix or Cisco IES where the user will be limited by the
security policy. It is also possible to limit or direct traffic of unknown devices with a Cisco ISE
security policy.
Cisco ISE services for wireless access use the Cisco wireless LAN controllers (WLC) to facilitate
authentication and authorization of Microsoft-based computers accessing the IACS network. Cisco
ISE allows IT to define a set of contractors and, for each contractor, define a set of RADIUS attributes
used across both the wired and wireless environments (see Wired Access Overview, page 2-9 and
Wireless Access Overview, page 2-13). Attributes are used for authorization profiles and in policy
conditions. Through Cisco ISE, IT can create, edit and delete RADIUS contractor dictionaries and
contractor-specific attributes as needed.
Cisco ISE provides a self-service registration portal for plant personnel and contractors to register
and provision their portable Microsoft-based OS computers according to the business policies
defined by IT. Cisco ISE permits the plant personnel to get the automated device provisioning and
profiling they need to comply with industrial security policies while keeping it extremely simple to
get their Microsoft-based OS computers onto the IACS network with limited IT help.
Within the Industrial Zone, Cisco ISE provides centrally managed context-aware identity
management critical for IT to manage access control. Cisco ISE determines if users are accessing
the network on an authorized, policy-compliant computer, and assigns access based on the
assigned user role, group and associated policy. Variables such as employee (plant or corporate),
contractor (OEM, SI or other trusted partner), location and device type are taken into consideration.
Cisco ISE grants access to specific segments of the Industrial Zone to authenticated users.
Note This solution provides support for user validation and authorization when using Microsoft Windows
computers within the context of the Industrial Zone. This solution does not provide support or
include other devices with Bring Your Own Device (BYOD) capabilities such as laptops not running
Windows OS, smart phones or tablets.
Note For more details about the design and implementation of the Industrial Demilitarized Zone (IDMZ)
as part of the CPwE security architecture, refer to the Securely Traversing IACS Data Across the
Industrial Demilitarized Zone Design and Implementation Guide.
This section describes Distributed ISE, Active Directory and Certificate Services and provides
design recommendations for CPwE Identity Services.
Note CPwE Identity Services recommends having a PSN in the Industrial Zone (Level 0-3), as
shown in Figure 2-1. If the Enterprise and Industrial Zones become isolated, any existing
clients in the Industrial Zone will still be able to securely access the network.
• Monitoring Node (MnT)—A CPwE Identity Services Node with the Monitoring persona, which
functions as the log collector and stores log messages from all the Administration and Policy
Service Nodes in a network. MnT (located in the Enterprise Zone) provides advanced
monitoring and troubleshooting tools that the Enterprise IT team can use to effectively manage
a network and resources. A MnT with this persona aggregates and correlates the data that it
collects, and provides the Enterprise IT team with meaningful reports. CPwE Identity Services
allows the Enterprise IT team to have a maximum of two nodes with this persona, which can take
on primary or secondary roles for high availability. Both the primary and secondary Monitoring
Nodes collect log messages. If the primary Monitoring Node goes down, the secondary
Monitoring Node automatically becomes the primary Monitoring Node. At least one node in a
distributed setup should assume the Monitoring persona.
Note The Monitoring and Policy Service personas should not be enabled on the same CPwE
Identity Services Node. The Monitoring node should be dedicated solely to monitoring for
optimum performance.
Figure 2-1 is an example deployment of the distributed Cisco ISE configuration using the CPwE
logical framework.
[Figure 2-1 (residue removed): distributed Cisco ISE deployment in the CPwE logical framework, showing ISE PAN/PSN, ISE MnT, core switches, firewalls (Active/Standby), WLC (Standby), Level 3 Site Operations distribution switch, LWAP, WGB and the Cell/Area Zone (Levels 0-2: FactoryTalk Client, I/O, drive, PAC, MCC).]
Note For the recommended installation and deployment of Distributed ISE in the Industrial Zone, please
follow the best practices and deployment guidelines as prescribed in Cisco Identity Services
Engine Administrator Guide, Release 1.3, which is located at the following URL:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html
• Account organizations, which are organizations that own and manage user accounts can
deploy AD FS federation servers that authenticate local users and create security tokens that
those federation servers in the resource organization use later to make authorization decisions.
Note For information about Active Directory Domain Services, please refer to the following URL:
• https://technet.microsoft.com/en-us/windowsserver/dd448614
Note For information about Active Directory replication, please refer to the following resources:
• How Active Directory Replication Works
https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx
• Active Directory Replication Technologies
https://technet.microsoft.com/en-us/library/cc776877%28v=ws.10%29.aspx
Figure 2-2 illustrates the AD replication between the DCs in the Industrial and Enterprise Zones.
[Figure 2-2 (residue removed): AD replication between the DCs in the Industrial and Enterprise Zones, showing firewalls (Active/Standby), LWAP, WGB and the Cell/Area Zone (Levels 0-2: FactoryTalk Client, I/O, drive, PAC, MCC).]
Certificate Services
Cisco ISE needs an identity certificate that is signed by a certificate authority (CA) server so that it
can be trusted by endpoints, gateways and servers. The following sections describe certificate
services and provide design recommendations for CPwE Identity Services.
• Use certificate templates to help simplify the choices a certificate requester has to make when
requesting a certificate, depending upon the policy used by the CA.
• Take advantage of the AD service for publishing trusted root certificates, publishing issued
certificates, and publishing CRLs.
• Implement the ability to log on to a Microsoft Windows operating system domain using a smart
card.
Note For more information about CAs, please refer to Certificate Services at the following URL:
• https://technet.microsoft.com/en-us/library/cc758473%28v=ws.10%29.aspx
• Online Responder—The Online Responder service accepts revocation status requests for
specific certificates, evaluates the status of these certificates, and sends back a signed
response containing the requested certificate status information.
• Network Device Enrollment Service—The Network Device Enrollment Service allows routers
and other network devices that do not have domain accounts to obtain certificates.
• Certificate Enrollment Web Service—The Certificate Enrollment Web Service enables users
and computers to perform certificate enrollment that uses the HTTPS protocol. Together with
the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment
when the client computer is not a member of a domain or when a domain member is not
connected to the domain.
• Certificate Enrollment Policy Web Service—The Certificate Enrollment Policy Web Service
enables users and computers to obtain certificate enrollment policy information. Together with
the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when
the client computer is not a member of a domain or when a domain member is not connected
to the domain.
The subordinate CA is responsible for issuing certificates in response to clients' Certificate Signing
Requests (CSRs) and for validating authentication requests inside the Industrial Zone. In addition, to
protect the Root CA and its private key from compromise, certificates need to be issued to users or
devices in the Industrial Zone instead of forwarding all requests to the Enterprise Zone Root CA.
Multiple subordinate CAs need to be deployed inside the Industrial Zone for redundancy.
Note Please refer to the following URLs for detailed information about AD CS services:
• https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx
• https://technet.microsoft.com/en-us/library/cc772192.aspx
• Employee (non-Plant Personnel)/Trusted Partner access via the Remote Access Server using
Terminal Emulation for all IACS applications such as Studio 5000 Logix Designer® (see
Figure 2-3 on page 2-11)
Both of these access methods use IEEE 802.1X authentication for permitting access to the network
based on user login credentials. Access for both methods will be limited to Levels 0-3 with no
access allowed through the IDMZ firewall.
Authentication
802.1X authentication involves three parties:
• The supplicant, which is a client computer that wishes to attach to the network
• The authenticator, which is the Stratix or Cisco IES
• The authentication server (Cisco ISE), which supports the authentication protocols
Authentication policies are used to define the protocols used by CPwE Identity Services to
communicate with the computers and the identity sources to be used for authentication. CPwE
Identity Services evaluates the conditions and, based on whether the result is true or false, applies
the configured result.
Authorization Policies
Authorization policies are critical to determine what each user is allowed to access within the
network. Authorization policies are composed of authorization rules and can contain conditional
requirements that combine one or more identity groups. The permissions granted to the user are
defined in authorization profiles, which act as containers for specific permissions.
Authorization profiles group the specific permissions granted to a user or computer and can
include tasks such as an associated VLAN and an associated downloadable ACL (dACL).
For CPwE Identity Services, an additional identity group must be defined for the purpose of
uniquely identifying corporate computers. This identity group, named Whitelist, maintains a list of
computers owned by the corporation. The Whitelist is manually updated by the IT administrator and
contains the MAC addresses of the computers that are granted access.
The following is a wired CPwE Identity Services example (as displayed in Figure 2-2 on page 2-6
and Figure 2-3 on page 2-11).
1. User attaches computer to designated Employee/Trusted Partner convenience port on the
IES.
2. Wired computers authenticate using 802.1X against the Cisco ISE PSN located within the
Industrial Zone. Initially, all computers are confined to a single default VLAN. Differentiated
access control for wired computers is provided by different RADIUS dACLs applied to the IES,
which override the pre-configured static ACL on the IES access port, and by separate VLANs. The
different access types are:
a. User is allowed complete access to the entire Industrial Zone.
b. User is allowed limited access to the specific Cell/Area Zone or to specific devices within
the Cell/Area Zone.
c. User is allowed access to the RAS.
Caution CONFIGURATION NOTE: IP Device tracking (IPDT), which operates in accordance with RFC 5227,
must be enabled on the IES in order to implement RADIUS downloadable ACL and should ONLY be
enabled on convenience and/or designated non-IACS equipment ports.
Caution IPDT should NOT be enabled on ports connected to IACS devices. IPDT uses ARP probes to
determine the IP addresses of hosts on different ports; IPDT may disrupt IACS applications. Please
see the links below for more details.
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/568750
http://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html
[Figure (residue removed): wired access validation topology showing ISE PAN/PSN, ISE MnT, core switches, firewalls (Active/Standby), LWAP, laptop client, WGB and the Cell/Area Zone (Levels 0-2: FactoryTalk Client, I/O, drive, PAC, MCC).]
Figure 2-4 CPwE Identity Services Validation - Access to Devices via Remote Access Server
[Figure 2-4 (residue removed): topology showing ISE PAN/PSN, ISE MnT, core switches, firewalls (Active/Standby), LWAP, laptop client, WGB and the Cell/Area Zone (Levels 0-2: FactoryTalk Client, I/O, drive, PAC, MCC).]
Note Use 2.4 GHz band for personnel access. Use only 5 GHz frequency band for critical IACS
applications such as I/O, peer to peer and safety control. For more information, please refer to the
Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
Design and Implementation Guide at the following URLs:
• http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html
• http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td006_-en-p.pdf
Authentication
802.1X authentication involves three parties:
• The supplicant, which is a client computer that wishes to attach to the network
• The authenticator, which is the WLC
• The authentication server (Cisco ISE), which supports the authentication protocols
Authentication policies are used to define the protocols used by CPwE Identity Services to
communicate with the computers and the identity sources to be used for authentication. CPwE
Identity Services evaluates the conditions and, based on whether the result is true or false, applies
the configured result.
Authorization Policies
Authorization policies are critical to determine what each user is allowed to access within the
network. Authorization policies are composed of authorization rules and can contain conditional
requirements that combine one or more identity groups. The permissions granted to the user are
defined in authorization profiles, which act as containers for specific permissions.
Authorization profiles group the specific permissions granted to a user or computer and can
include tasks such as an associated VLAN and ACL. Cisco Wireless LAN Controllers support
named ACLs (known as Airespace ACLs), meaning that the ACL must be previously configured on
the controller rather than being downloaded from ISE. Using the RADIUS Airespace-ACL Name
attribute-value pair, ISE instructs the WLC to apply the ACL.
For CPwE Identity Services, an additional identity group must be defined for the purpose of
uniquely identifying corporate computers. This identity group, named Whitelist, maintains a list of
computers owned by the corporation. The Whitelist is manually updated by the IT administrator and
contains the MAC addresses that are granted full access.
The following is a CPwE Identity Services wireless access example (as displayed in Figure 2-5 on
page 2-15 and Figure 2-6 on page 2-16).
1. User connects computer to designated Employee/Trusted Partner SSID.
2. Wireless computers authenticate using 802.1X against the Cisco ISE PSN located within the
Industrial Zone. Differentiated access control for wireless clients is provided by Airespace
ACLs applied to the WLC. The different access scenarios are:
a. User is allowed complete access to the entire Industrial Zone.
b. User is allowed limited access to the specific Cell/Area Zone or to specific devices within
the Cell/Area Zone.
c. User is allowed access to the RAS only.
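The wired and wireless authorization logic described in the two examples above (Whitelist check on the endpoint MAC, then an access scenario chosen by identity group, returned as VLAN plus dACL for the IES or as an Airespace ACL name for the WLC) as an added Python model. This is not code from the guide or from Cisco ISE; the AD group names, MAC addresses, VLAN numbers, subnets and ACL names are constructed, while the RADIUS attribute names are the standard ones ISE uses for these results.

```python
import re
from dataclasses import dataclass, field

# Constructed Whitelist identity group: MAC addresses of corporation-owned
# computers, maintained by hand by the IT administrator.
WHITELIST = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Hypothetical AD groups, in ISE rule order (first match wins), mapped to the
# three access scenarios in the text: a. entire Industrial Zone,
# b. a specific Cell/Area Zone, c. the Remote Access Server (RAS) only.
GROUP_TO_ACCESS = {
    "CPwE-Plant-Engineers": "full",
    "CPwE-Cell1-Maintenance": "cell",
    "CPwE-Trusted-Partners": "ras",
}

# Wired authorization profiles: a VLAN plus a downloadable ACL (dACL) that
# overrides the static ACL-DEFAULT on the IES convenience port.
# VLAN numbers, subnets and hosts are constructed for this example.
WIRED_PROFILES = {
    "full": {"vlan": 181, "dacl": ["permit ip any any"]},
    "cell": {"vlan": 182, "dacl": ["permit ip any 10.17.10.0 0.0.0.255",
                                   "deny ip any any"]},
    "ras":  {"vlan": 183, "dacl": ["permit tcp any host 10.13.48.40 eq 3389",
                                   "deny ip any any"]},
}

# Wireless authorization profiles: the WLC only applies named Airespace ACLs
# that already exist on the controller, so ISE returns a name, not ACEs.
WIRELESS_PROFILES = {"full": "ACL-FULL", "cell": "ACL-CELL1", "ras": "ACL-RAS-ONLY"}


@dataclass
class AuthzResult:
    access: str
    radius_attrs: dict = field(default_factory=dict)


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 forms."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(mac, ad_groups, medium):
    """Return the profile ISE would push for this session, or None (DenyAccess)."""
    # Condition 1: the endpoint must be in the Whitelist identity group,
    # whatever the user's credentials are.
    if normalize_mac(mac) not in WHITELIST:
        return None
    # Condition 2: the user's AD group selects the access scenario; evaluate in
    # policy order so a user in several groups gets the first matching rule.
    groups = set(ad_groups)
    access = next((a for g, a in GROUP_TO_ACCESS.items() if g in groups), None)
    if access is None:
        return None
    if medium == "wired":
        p = WIRED_PROFILES[access]
        attrs = {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "802",
            "Tunnel-Private-Group-ID": str(p["vlan"]),
            # dACL entries are carried one per cisco-av-pair as ip:inacl#N=<ace>
            "cisco-av-pair": [f"ip:inacl#{n}={ace}"
                              for n, ace in enumerate(p["dacl"], 1)],
        }
    elif medium == "wireless":
        attrs = {"Airespace-ACL-Name": WIRELESS_PROFILES[access]}
    else:
        raise ValueError(f"unknown medium {medium!r}")
    return AuthzResult(access, attrs)


if __name__ == "__main__":
    for mac, groups, medium in [
        ("00-11-22-33-44-55", ["CPwE-Cell1-Maintenance"], "wired"),
        ("0011.2233.4466", ["CPwE-Trusted-Partners"], "wireless"),
        ("de:ad:be:ef:00:01", ["CPwE-Plant-Engineers"], "wired"),  # not whitelisted
    ]:
        print(mac, medium, "->", authorize(mac, groups, medium))
```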
[Figures 2-5 and 2-6 (residue removed): wireless access validation topologies showing ISE PAN/PSN, ISE MnT, core switches, Remote Desktop Gateway (RDG), firewalls (Active/Standby), LWAP, laptop client, WGB and the Cell/Area Zone (Levels 0-2: FactoryTalk Client, I/O, drive, PAC, MCC).]
This chapter describes how to configure the Cisco ISE infrastructure in the CPwE Identity Services
architecture based on the design considerations of the previous chapters. It covers the
configuration of the network infrastructure, network services, data traversal, Web application access
and network and application security, all from an IDMZ perspective. The included configurations
have been validated during the testing effort. It includes the following major topics:
• Network Infrastructure Configuration, page 3-1
• Initial Cisco ISE Configuration, page 3-6
• Wired Access Configuration, page 3-12
• Wireless Access Configuration, page 3-20
Note For testing purposes, the following services were installed on a single server: AD DS, DHCP,
DNS and Certificate Services.
k. Set up the firewall to allow traffic between the servers for replication.
Step 3 Configure AD replication:
a. From the Active Directory Sites and Services tool in the Administrative Tools program group,
expand the Sites folder.
b. Right-click the Default-First-Site-Name item and then choose Rename.
c. Rename the site to Enterprise-AD.
d. Create a new site by right-clicking the Sites object and then selecting New Site.
e. On the New Object-Site dialog box, type a site name.
f. Click the DEFAULTIPSITELINK item. An information screen displays.
g. Click OK to create the site.
h. Create another new site. Again, choose the DEFAULTIPSITELINK item. Notice the new site is
listed in the Sites object.
i. When you are finished, close the Active Directory Sites And Services tool.
Step 4 Create subnets to define IP address ranges for AD DCs:
a. From the Active Directory Sites and Services tool in the Administrative Tools program group,
expand the Sites folder.
b. Right-click the Subnets folder and then click New Subnet. In the New Object-Subnet dialog box,
you are prompted for information about the IPv4 or IPv6 details for the new subnet.
c. Click the site, and then click OK to create the subnet.
d. In the Active Directory Sites and Services tool, right-click the newly created 10.1.1.0/24 subnet
object and then click Properties.
e. On the subnet's Properties dialog box, type 100Mbit LAN for the description. Click OK to
continue.
f. Create a new subnet for the Industrial AD DC by filling in the Address and Site fields.
g. Finally, create another subnet for the Enterprise AD DC by filling in the Address and Site fields.
Figure 3-2 Windows Server 2012 Active Directory Sites and Services Window
Refer to the following URL for more details on Active Directory setup:
• https://technet.microsoft.com/en-us/library/hh831477.aspx
DNS Configuration
Refer to the following URL for guidance and procedures on configuring DNS:
• https://technet.microsoft.com/en-us/library/cc730921.aspx
DHCP Configuration
Refer to the following URL for guidance and procedures on configuring DHCP:
• https://technet.microsoft.com/en-us/library/cc755282.aspx
Note You must have a network connection to an AD DC in order to install an Enterprise CA.
e. On the Specify CA Type page, click Root CA and then click Next.
f. On the Set Up Private Key page, click Create a new private key and then click Next.
g. On the Configure Cryptography page, select a cryptographic service provider, key length, and
hash algorithm and then click Next.
h. On the Configure CA Name page, create a unique name to identify the CA and then click Next.
i. On the Set Validity Period page, specify the number of years or months that the root CA
certificate will be valid and then click Next.
j. On the Configure Certificate Database page, accept the default locations unless you want to
specify a custom location for the certificate database and certificate database log and then
click Next.
k. On the Confirm Installation Options page, review all of the configuration settings that you have
selected (see Figure 3-3). If you want to accept all of these options, click Install and wait until the
setup process has finished.
Step 3 Create a certificate template with intended purposes of Server and Client Authentication. This
template is needed for Cisco ISE system certificates to function properly. To create the template,
refer to the following guide:
• http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx
NTP Configuration
Cisco ISE requires NTP servers for each zone so that it can synchronize the time across the
distributed setup and avoid problems with certificate validity, unsynchronized logs, etc. To
configure NTP, refer to Network Time Protocol: Best Practices White Paper for best practices:
• http://www.cisco.com/c/en/us/support/docs/availability/high-availability/19643-ntpm.html
Prerequisite Configuration
The following steps describe the prerequisite configuration needed before proceeding with the
initial Cisco ISE setup:
Step 2 Install a server certificate signed by the root CA on each Cisco ISE node:
e. From Administration > System > Certificates, choose Certificate Signing Requests in the left
pane.
f. Click Generate Certificate Signing Requests (CSR), fill in the required fields and then click
Generate (see Figure 3-6).
g. Click Export in the window that appears to download the request.
h. From https://<CA_IP_ADDRESS>/certsrv/ > Request a certificate > Advanced Certificate
Request, click Submit a certificate request using base 64-encoded CMC or PKCS # 10 file, or
submit a renewal request by using a base-64-encoded PKCS # 7 file
i. Copy and paste the CSR request > Select the certificate template > Submit > Download the
certificate chain > convert the extension to .csr format.
Note The certificate template selected should be the same one configured as part of the
Certificate Services infrastructure configuration.
j. Click the CSR check box and then click Bind Certificate to append the CA signed certificate.
This certificate will now be part of the system certificates.
k. Browse to the certificate file returned by the CA, fill in the Friendly Name field, if desired, and
then click Submit.
l. Once complete, click System Certificates in the left pane and verify that the new server
certificate appears there. Select its check box and then click Edit.
m. Under Usage, check all boxes to allow this certificate to be used by all services. Finally click
Save.
Note For disaster recovery, Cisco recommends exporting all system certificates and their private
key pairs to a reliable backup location.
Note When the system certificate is uploaded, the root and subordinate CA certificates will also
be added to the Trusted Certificate store automatically (see Figure 3-6).
Step 3 Configure each Cisco ISE node with the domain name and DNS server in their respective zone:
From the CLI (not configurable via GUI), enter the following commands:
ip domain-name <DOMAIN NAME>
ip name-server <DNS SERVER IP ADDRESS>
Step 4 Confirm each Cisco ISE node is in the correct mode to create the distributed setup (PAN primary,
all other nodes standalone):
a. On the PAN, from Administration > System > Deployment, click the node name in the table.
b. Under Personas and next to Administration, change the Role from STANDALONE to PRIMARY
and then click Save.
c. Wait for Cisco ISE services to restart, then return to the Deployment page and confirm the PAN
Administration Role is now PRIMARY.
d. On the other Cisco ISE nodes, from Administration > System > Deployment, click the node
name and confirm that the Role is STANDALONE. If not, follow the same procedure as above to
change it.
Type of Node: Location in CPwE; Feature
Admin node (PAN): Enterprise Zone; all system-related configuration (that is, AuthC, AuthZ profiles)
Policy node (PSN): Industrial Zone; evaluates the policies and makes all the decisions
Monitoring node (MnT): Enterprise Zone; log collector and store for all the log messages
To establish the distributed setup, follow the Cisco ISE 1.3 Distributed Setup Guide located at:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html
Note Once the distributed setup has been created, all configurations should be performed on the PAN,
since that node will then synchronize with the others automatically. The GUI for the other Cisco ISE
nodes will have only limited configuration options available.
Step 3 Retrieve all necessary groups from the AD server (as configured in Active Directory section above):
a. From the Active Directory Join Point window, click the Groups tab.
b. From Add > Select Groups from Directory, click Retrieve Groups.
c. Select the check boxes for any groups that will be referenced in client policies and then click
OK.
d. Verify that the groups are now listed in the table (see Figure 3-10) and then click Save.
Whitelist Configuration
The following steps describe the configuration of the Whitelist:
Step 1 Create network device groups to organize network devices by type and location, if desired. For this
procedure, refer to:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01001.html#reference_2424A156765D42E98207B93A0E0F0CB3
Step 2 Add any network devices that will send RADIUS requests to Cisco ISE on behalf of clients:
a. From Administration > Network Resources > Network Devices, click Add.
b. Fill in the Name field with the hostname of the device.
c. Fill in the IP Address field with the address of the device.
d. Under Network Device Group, select either the default location and type or any specific groups
created earlier.
e. Select the check box next to Authentication Settings and expand it and then enter the desired
shared secret RADIUS password.
Note The RADIUS shared secret password must match in the configuration of the network device
itself or RADIUS exchanges will fail.
c. Select the check box next to Certificate Based Authentication and then select the certificate
profile created in the previous step from the drop-down.
d. Under Authentication Search List, in the Available list, select the AD join point and then click the
right arrow button to move it to the selected list.
e. Under Advanced Search List Settings, select Do not access other stores in the sequence and
set the AuthenticationStatus attribute to ProcessError.
f. Finally, click Save (see Figure 3-14).
Step 1 Create the allowed protocol service to define which protocols are allowed for authentication:
a. From Policy > Policy Elements > Results, expand Authentication in the left pane and select
Allowed Protocols.
b. Click Add.
c. Fill in the Name field and select the check boxes for only the authentication protocols that will
be used by wired clients.
d. Once complete, click Save (see Figure 3-15).
Step 3 Create an authorization profile to limit wired clients based on the rules defined here:
a. From Policy > Policy Elements > Results, expand Authorization > Authorization profiles.
b. Click Add to add a profile.
IES Configuration
This section describes how to configure the IES hosting the convenience port(s) to communicate
with the computer via 802.1X, relay these requests to Cisco ISE via RADIUS and limit the computer’s
access based on the authorization result.
VLAN Configuration
Log in to the IES and in the global configuration mode enter the VLAN values to create the VLANs
(as defined in the authorization profiles configured on Cisco ISE):
(conf)# vlan 181,182,183,351
Step 1 The following steps are required to configure the IES switch for AAA:
a. Enable Authentication, Authorization, and Accounting (AAA):
(config)# aaa new-model
b. Create an authentication method for 802.1X (default use all RADIUS servers for authentication):
(config)# aaa authentication dot1x default group radius
c. Create an authorization method for 802.1X (enables RADIUS for policy enforcement):
(config)# aaa authorization network default group radius
d. Create an accounting method for 802.1X (provides additional information about sessions to
Cisco ISE):
(config)# aaa accounting dot1x default start-stop group radius
Step 2 The following steps are required to configure the IES access switch for RADIUS:
a. Configure Cisco ISE server dead time (15 seconds total-3 retries of 5 second timeout):
(config)# radius-server dead-criteria time 5 tries 3
ACL Configuration
The following describes the configuration of ACLs on the IES access switch:
Log in to the IES and in global configuration mode enter the extended access list that is applied on the interface during client login to restrict access:
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps log
permit udp any host <DNS_Server_IP_Address> eq domain
deny ip any any log
Note ACL-DEFAULT—This ACL is configured on the IES and applied as the default (pre-authentication) ACL on the port; a port ACL must be present for a downloadable ACL (dACL) to be applied at all. Its purpose is to prevent unauthorized access. In an 802.1X authentication/authorization scenario, after the computer is authenticated and authorized, if Cisco ISE sends no dACL, or if the dACL contains a syntax error so that the IES rejects it, ACL-DEFAULT remains in effect on the port and the computer keeps only the DHCP and DNS access it permits.
802.1X Configuration
The following describes the 802.1x configuration on the IES:
Enable 802.1X globally (this command by itself does not enable authentication on any switchport):
(config)# dot1x system-auth-control
Step 1 The following steps describe the configuration on the desired convenience port:
a. Enable IP device tracking:
(config)# ip device tracking
d. Enable Flex-Auth:
(config-if)# authentication event fail action next-method
e. Enable support for more than one MAC address on the physical port:
(config-if)# authentication host-mode multi-auth
f. Configure the violation action (restrict access for additional devices that may fail
authentication):
(config-if)# authentication violation restrict
h. Configure timers:
l. Place the port in a specific access VLAN initially, before it authenticates with Cisco ISE:
(config-if)# switchport access vlan <number>
Caution CONFIGURATION NOTE: IP Device tracking (IPDT), which operates in accordance with RFC 5227,
must be enabled on the IES to implement RADIUS downloadable ACL and should ONLY be enabled
on convenience and/or designated non-IACS equipment ports.
Caution IPDT should NOT be enabled on ports connected to IACS devices. IPDT uses ARP probes to
determine the IP addresses of hosts on different ports; IPDT may disrupt IACS applications. Please
refer to the URLs below for more details:
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/568750
http://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html
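The VLAN, AAA, RADIUS, ACL and 802.1X steps above assembled into one complete IES configuration for a convenience port. This is an added worked example, not the guide's own configuration: it takes the commands listed in this section and the radius-server attribute lines from the running configuration in the appendix, and adds the interface commands that the 802.1X steps imply but do not list (port ACL, port-control, MAB as the Flex-Auth fallback method, CoA). The PSN address, the RADIUS shared secret, the interface numbers, the use of VLAN 351 as the initial convenience VLAN and the CoA client entry are assumptions.

```ios
! Added example: IES (Cisco IOS) convenience port with 802.1X to Cisco ISE.
! Placeholders in angle brackets and the interface numbers are assumptions.
vlan 181,182,183,351
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Accept RADIUS Change of Authorization from the PSN so ISE can re-authorize or
! terminate a session (assumed; not listed on the page).
aaa server radius dynamic-author
 client <PSN_IP_Address> server-key <RADIUS_Shared_Secret>
!
radius server ISE-PSN
 address ipv4 <PSN_IP_Address> auth-port 1812 acct-port 1813
 key <RADIUS_Shared_Secret>
! Mark the PSN dead after 3 unanswered retries of 5 s (15 s total).
radius-server dead-criteria time 5 tries 3
! From the appendix: send NAS-Port-Type, Framed-IP-Address and Class so ISE can
! match the session and return a dACL.
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
ip radius source-interface Vlan4093
!
! Pre-authentication port ACL: DHCP and DNS (10.13.48.26 is the DNS server used in
! the appendix) only; everything else is denied and logged. It stays on the port
! when ISE returns no dACL or the dACL is rejected.
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps log
 permit udp any host 10.13.48.26 eq domain
 deny ip any any log
!
dot1x system-auth-control
! IPDT is required for dACLs; enabled globally, disabled per port on IACS ports
! below so its ARP probes never reach controllers or I/O.
ip device tracking
!
interface GigabitEthernet1/1
 description Convenience port - 802.1X to Cisco ISE
 switchport mode access
 switchport access vlan 351
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication violation restrict
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
interface GigabitEthernet1/2
 description IACS device port - no 802.1X; IPDT off (see the IPDT cautions)
 switchport mode access
 switchport access vlan 181
 ! Per-port IPDT disable; the exact command depends on the IES software release,
 ! so confirm it against the IPDT technote cited above.
 ip device tracking maximum 0
 spanning-tree portfast
```

Two checks before trusting this on a plant network: the running configuration in the appendix of this document ends ACL-DEFAULT with permit ip any any log, which would let an unauthenticated client through; the deny shown in the ACL Configuration section is the intended default. Second, the appendix stores the TACACS key as a type 7 string, which is reversible encoding rather than encryption, so treat the RADIUS and TACACS secrets as secrets and rotate them if a configuration backup has been exposed.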
Client Configuration
Wired clients must be preconfigured to use the proper authentication method before they can be
authenticated and authorized via a convenience port. Refer to the following URL for guidance on
configuring Windows clients:
• http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7.
Note The attribute value (7 in the case above) must match the WLAN ID of that SSID on the wireless LAN controller (Industrial_Employee_WLAN in the case above).
c. Similarly, create a simple condition for each of the remaining SSIDs:
– Trusted_Partner_WLAN: Airespace:Airespace-Wlan-Id Equals 4
– Corporate_Employee_WLAN: Airespace:Airespace-Wlan-Id Equals 6
Step 2 For Industrial Employee to have full access on plant floor, follow the compound condition in Cisco
ISE that includes these expressions (see Figure 3-21).
Step 3 Follow the same format for Industrial partial and RAS-only access use cases.
Step 4 An authorization profile acts as a container in which a number of specific permissions allow access to a set of network services. The Airespace ACL (returned to the WLC as the Airespace-ACL-Name attribute) controls access on the network. Since this user has access to every device on the plant floor, the Airespace ACL applied here is ACL_Full_Access.
Note The ACL is configured in WLC. Refer to ACL Configuration using GUI, page 3-40 for more
detail.
Note For more information on how to customize allowed protocol, check Figure 3-15 on page 3-15.
In a normal deployment scenario, the endpoints primarily use 802.1X to communicate with Cisco ISE. Cisco ISE authenticates these endpoints against Active Directory or via digital certificates.
The default Authentication policy is Deny Access.
Note Based on your requirements, these can all be individual simple conditions, be combined into one compound condition, or be a combination of both. The combination is shown here.
The following steps describe the configuration of authorization policies for wireless clients.
The authorization rule for full-access wireless users is built as follows:
Step 1 From ISE PAN node > Policy > Authorization, select how the rule applies from the drop-down menu
First Matched Rule Applies or Multiple Matched Rule Applies. The default is First Matched Rule
Applies.
Step 2 Click Edit to insert authorization rule below or above the existing rule.
Step 3 Enter the rule name in the Standard Rule box and click the If Any box in the Select Endpoint Identity
Group > Whitelist drop-down menu.
Step 4 Click the And conditions box in the Select Existing condition from Library drop-down menu.
Step 5 Click the Select condition > compound condition > Wireless_Industrial_User_Full_Access
drop-down menu.
Step 6 Similarly, click the gear icon and select Add Condition from Library > Select Condition > Simple
Condition > Industrial_Employee_WLAN.
Step 7 Click Done to save the configuration (see Figure 3-24).
Note To create the unified wireless infrastructure and associate APs in the Industrial Zone, refer to the
Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
Design and Implementation Guide at the following URL:
• http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html
RADIUS Configuration
RADIUS is a client/server protocol that provides centralized authentication, authorization and accounting for users attempting to gain access to the network. The ISE PSN node is used as the RADIUS server for user traffic.
The following steps describe the RADIUS configuration on the industrial WLC (see Figure 3-25):
Step 1 From Security > Access Control Lists > Access Control Lists, click New.
Step 2 Enter the Access Control List Name and keep the default ACL type (IPv4).
Step 3 Click the ACL name you created and then click Add new rule.
Step 4 Configure the following access lists. Direction is as the WLC sees it: Inbound is traffic from the wireless client toward the wired network, Outbound is traffic toward the wireless client:
a. Industrial Full Access: allow access to all devices on the plant floor:
– Sequence: 1 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
b. Industrial Partial Access: limit access to a particular Cell/Area Zone:
– Sequence: 1 > Source: Any > Destination: <Destination_IP_Address> > Protocol: Any > DSCP: Any > Direction: Inbound > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <Source_IP_Address> > Destination: Any > Protocol: Any > DSCP: Any > Direction: Outbound > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.
c. Industrial RAS-only Access: only to the remote access server (RAS):
– Sequence: 1 > Source: Any > Destination: <RAS_Server_IP_Address> > Protocol: Any > DSCP: Any > Direction: Inbound > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <RAS_Server_IP_Address> > Destination: Any > Protocol: Any > DSCP: Any > Direction: Outbound > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.
d. Corporate RAS-only (via RDG) Access: only to the remote desktop gateway (RDG):
– Sequence: 1 > Source: Any > Destination: <RDG_Server_IP_Address> > Protocol: TCP, destination port HTTPS > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <RDG_Server_IP_Address> > Destination: Any > Protocol: TCP, source port HTTPS > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.
Step 5 Click Apply.
Step 6 Click Save Configuration.
Note Refer to Authorization Policy Configuration, page 3-17 for ACL details.
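The RAS-only and RDG-only ACLs above entered from the AireOS CLI instead of the GUI, so they can be scripted and compared between controllers. This is an added example, not configuration from the guide: the ACL names ACL_RAS_Only and ACL_RDG_Only are assumptions (the name must match the Airespace-ACL-Name the Cisco ISE authorization profile returns), the server addresses are placeholders, and the RDG rules are tightened to Inbound/Outbound with TCP port 443 rather than Direction Any.

```aireos
(Cisco Controller) >config acl create ACL_RAS_Only
(Cisco Controller) >config acl rule add ACL_RAS_Only 1
(Cisco Controller) >config acl rule destination address ACL_RAS_Only 1 <RAS_Server_IP_Address> 255.255.255.255
(Cisco Controller) >config acl rule direction ACL_RAS_Only 1 in
(Cisco Controller) >config acl rule action ACL_RAS_Only 1 permit
(Cisco Controller) >config acl rule add ACL_RAS_Only 2
(Cisco Controller) >config acl rule source address ACL_RAS_Only 2 <RAS_Server_IP_Address> 255.255.255.255
(Cisco Controller) >config acl rule direction ACL_RAS_Only 2 out
(Cisco Controller) >config acl rule action ACL_RAS_Only 2 permit
(Cisco Controller) >config acl rule add ACL_RAS_Only 3
(Cisco Controller) >config acl rule direction ACL_RAS_Only 3 any
(Cisco Controller) >config acl rule action ACL_RAS_Only 3 deny
(Cisco Controller) >config acl apply ACL_RAS_Only
(Cisco Controller) >config acl create ACL_RDG_Only
(Cisco Controller) >config acl rule add ACL_RDG_Only 1
(Cisco Controller) >config acl rule destination address ACL_RDG_Only 1 <RDG_Server_IP_Address> 255.255.255.255
(Cisco Controller) >config acl rule protocol ACL_RDG_Only 1 6
(Cisco Controller) >config acl rule destination port range ACL_RDG_Only 1 443 443
(Cisco Controller) >config acl rule direction ACL_RDG_Only 1 in
(Cisco Controller) >config acl rule action ACL_RDG_Only 1 permit
(Cisco Controller) >config acl rule add ACL_RDG_Only 2
(Cisco Controller) >config acl rule source address ACL_RDG_Only 2 <RDG_Server_IP_Address> 255.255.255.255
(Cisco Controller) >config acl rule protocol ACL_RDG_Only 2 6
(Cisco Controller) >config acl rule source port range ACL_RDG_Only 2 443 443
(Cisco Controller) >config acl rule direction ACL_RDG_Only 2 out
(Cisco Controller) >config acl rule action ACL_RDG_Only 2 permit
(Cisco Controller) >config acl rule add ACL_RDG_Only 3
(Cisco Controller) >config acl rule direction ACL_RDG_Only 3 any
(Cisco Controller) >config acl rule action ACL_RDG_Only 3 deny
(Cisco Controller) >config acl apply ACL_RDG_Only
(Cisco Controller) >show acl detailed ACL_RDG_Only
(Cisco Controller) >save config
```

Rules whose source or destination is left unset default to any, so only the server side of each rule is specified; protocol 6 is TCP. After ISE pushes the ACL, check with show client detail that the client shows the expected ACL name, and confirm the client still obtains a DHCP lease and resolves DNS; if it does not, add explicit permits for those services ahead of the final deny rather than loosening the server rules.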
Note Use the old (classic) mobility with the EoIP tunnel, not new mobility, to anchor the trusted partner traffic.
The following steps describe the mobility configuration on the industrial WLC (see Figure 3-34
through Figure 3-36):
Step 1 From Controller > Mobility Management, click Default Mobility Domain Name. Give it the same
name as that of the foreign controller.
Step 2 From Controller > Mobility Management > Mobility Groups, click New.
Step 3 Assign the IP address, MAC address and group name of the Anchor Controller's management
interface.
Step 4 From WLAN > trusted_Partner_WLAN, hover your mouse on the down arrow and click Mobility
Anchors.
Step 5 From Switch IP address (Anchor), select Trusted_Partner WLC management IP from the drop-down
menu.
Step 6 Click Mobility Anchor Create.
Step 7 Click OK when a warning "If the WLAN is in Enabled state, adding Mobility Anchors will cause the
WLAN to be momentarily disabled and thus may result in loss of connectivity for some clients.”
displays.
Step 8 Press OK to continue.
Step 9 Repeat the same steps for Corporate_employee WLAN.
Note All controllers within a mobility group must be configured with the similar interface configuration
and same WLAN configuration. Otherwise, inter-controller roaming may appear to work, but the
handoff does not complete and the client loses connectivity for a period of time.
The following steps describe the interface configuration on the trusted partner anchor WLC (see
Figure 3-37):
Step 1 From Controller > Interfaces, open the Interfaces page and then click New.
Step 2 Enter the following parameters:
a. Physical Information > Port number
b. Interface Address > VLAN Identifier, IP address, Netmask, Gateway
c. DHCP information > DHCP proxy mode > Disable
Step 3 Click Apply to commit your changes.
Note Make sure the WLAN ID matches the WLAN ID of Trusted_Partners_WLAN on the Industrial WLC.
Step 5 Use the parameters on the General, Security and Advanced tabs to configure this WLAN.
a. General > Interface/Interface groups > Select Trusted_Partners_Provisioning > Radio Policy
(Optional): All / 802.11 b/g only
b. Security > Layer 2 > Layer 2 security: WPA+WPA2
c. Security > AAA servers > Select the PSN node as the authentication server
d. Advanced > Allow AAA Override: Checked > NAC state: Radius NAC
Step 6 Click Apply to commit your changes.
Step 7 Click Save Configuration to save your changes.
Note The rest of the WLAN security and advanced configuration is the same as for the industrial
WLC, so refer to WLAN Configuration using GUI, page 3-28 for these configurations.
Note Use the old (classic) mobility with the EoIP tunnel, not new mobility, to anchor the trusted partner traffic.
The following steps describe the mobility configuration on the trusted partner anchor WLC (see
Figure 3-40 through Figure 3-42):
Step 1 From Controller > Mobility Management, give Default Mobility Domain Name the same name as that
of Industrial WLC.
Step 2 From Controller > Mobility Management > Mobility Groups, click New.
Step 3 Assign IP address, MAC address and group name of the Industrial WLC management Interface.
Note Make sure the mobility ports (UDP ports 16666 and 16667 for mobility control, and IP protocol 97 for the EoIP data tunnel) are open on the IDMZ and enterprise edge firewalls so that traffic can be anchored to the Anchor WLC.
Step 4 From WLAN > Trusted_Partners_WLAN, hover your mouse on the down arrow and click Mobility
Anchors.
Step 5 Switch IP address (Anchor) > Local.
Step 6 Click Mobility Anchor Create.
Note All controllers within a mobility group must be configured with the similar interface configuration
and same WLAN configuration. Otherwise, inter-controller roaming may appear to work, but the
hand off does not complete, and the client loses connectivity for a period of time.
The following steps describe the interface configuration on the corporate anchor WLC (see
Figure 3-43):
Step 1 From Controller > Interfaces, open the Interfaces page, and then click New.
Step 2 Enter the following parameters:
a. Physical Information > Port number
b. Interface Address > VLAN Identifier, IP address, Netmask, Gateway
c. DHCP information > DHCP proxy mode > Disable
Step 3 Click Apply to commit your changes.
Note Make sure the WLAN ID matches the WLAN ID of Corporate_Employee_WLAN on the Industrial WLC.
Step 5 Use the parameters on the General, Security and Advanced tabs to configure this WLAN:
a. General > Interface/Interface groups > Select Corporate_Employee_Provisioning > Radio Policy (Optional): All / 802.11 b/g only
b. Security > Layer 2 > Layer 2 security: WPA+WPA2
c. Security > AAA servers > Select the PSN node as the authentication server
d. Advanced > Allow AAA Override: Checked > NAC state: Radius NAC
Step 1 From Security > Access Control Lists > Access Control Lists, click New.
Step 2 Configure the following access list:
a. Corporate RDG-only Access: to the RAS via the remote desktop gateway:
– Sequence: 1 > Source: Any > Destination: <RDG_Server_IP_Address> > Protocol: TCP, destination port HTTPS > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <RDG_Server_IP_Address> > Destination: Any > Protocol: TCP, source port HTTPS > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.
Note Use the old (classic) mobility with the EoIP tunnel, not new mobility, to anchor the corporate employee traffic.
The following steps describe the mobility configuration on the corporate anchor WLC (see
Figure 3-46 through Figure 3-48):
Step 1 From Controller > Mobility Management, give Default Mobility Domain Name the same name as that
of Industrial WLC.
Step 2 From Controller > Mobility Management > Mobility Groups, click New.
Step 3 Assign IP address, MAC address and group name of the Industrial WLC management Interface.
Step 4 From WLAN > Corporate_Employee_WLAN, hover your mouse on the down arrow and then click
Mobility Anchors.
Step 5 Switch IP address (Anchor) > Local.
Step 6 Click Mobility Anchor Create.
Note Both Control and Data Path should be up once the mobility tunnel is created.
Figure 3-48 Corporate Employee Anchor WLC Mobility Anchors Control and Data Path
Step 1 From Administration > Identity Management > External Identity Stores > Active Directory > AD2 > Connection, select the Cisco ISE node on which you want to run the test.
Step 2 Click Test User.
Step 3 Enter the user's credentials and click Test (see Figure 4-49).
AD Diagnostic Tool
The Diagnostic Tool allows you to automatically test and diagnose the Active Directory deployment
for general connectivity issues. This tool provides information on:
• The Cisco ISE node on which the test is run
• Connectivity to the Active Directory
• Detailed status about the domain
• Detailed status about Cisco ISE-DNS server connectivity
Follow these steps to run diagnostic report using the Diagnostic Tool:
Step 1 From Administration > Identity Management > External Identity Stores > Active Directory > AD2 > Connection, select the Cisco ISE node on which you want to run the test.
Step 2 Click Diagnostic Tool > Run All Tests (see Figure 4-50).
Authentication Errors
One of the most useful ways to troubleshoot any error is to check the events on Cisco ISE. The GUI report of any user authentication or authorization shows the failure reason; a common one when a client cannot join the SSID is a certificate trust failure:
• Reason—If the end client does not have the root CA certificate in its Trusted Root CA store, it will not trust the certificate Cisco ISE presents during the authentication process, so the client cannot join the SSID.
• Solution—Add the root CA certificate to the client's Trusted Root CA certificate store (as part of the user account's configuration) and retry authenticating the device.
Step 1 Check whether the mobility group member information (IP address, MAC address and group name) is correct and whether a firewall is blocking any of the mobility control or data ports (UDP 16666/16667 and IP protocol 97).
Step 2 To test the mobility UDP control packet communication between two controllers, enter this
command:
Step 3 To test the mobility EoIP data packet communication between two controllers, enter this command:
eping <mobility_peer_IP_address>
DHCP-Related Issue
When the client is either unable to get an IP address or encounters delay in getting the IP address
through DHCP. The debug dhcp on the controller indicates the following:
(Cisco Controller) >debug dhcp packet enable
*DHCP Socket Task: May 27 12:28:34.566: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP
NAK (6)
Caution Because debugging output is assigned high priority in the CPU process, it can render the system
unusable. For this reason, use debug commands only to troubleshoot specific problems. Moreover,
use debug commands only during periods of lower network traffic and fewer users. Debugging
during these periods decreases the likelihood that increased debug command processing
overhead will affect system use.
For comparison, a successful exchange for the same client (the server's BOOTREPLY, the client's DHCP INFORM and the server's ACK) looks like this:
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x3a26069b (975570587), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 0.0.0.0, yiaddr: 10.13.181.55
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 10.13.181.1
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP server id: 10.13.48.26 rcvd server id: 10.13.48.26
*DHCP Socket Task: May 27 12:27:46.539: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to STA
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 308,vlan 150, port 1, encap 0xec03, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP INFORM (8)
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x71ed59a1 (1911380385), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 10.13.181.55, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP Opt82 bridge mode insertion enabled, inserts opt82 if opt82 is enabled vlan=181, datalen =18, optlen=64
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to DS
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 308,vlan 181, port 1, encap 0xec00, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP ACK (5)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x71ed59a1 (1911380385), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 10.13.181.55, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 10.13.181.1
*DHCP Socket Task: May 27 12:27:50.097: [PA] 20:7c:8f:46:83:84 DHCP server id: 10.13.48.26 rcvd server id: 10.13.48.26
*DHCP Socket Task: May 27 12:27:50.097: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to STA
Debug Client
Use the Debug client to troubleshoot client association and authentication-related issues:
(Cisco Controller) >debug client <Client_MAC_address>
sysname WLC_Primary
stats-timer realtime 5
stats-timer normal 180
time ntp interval 3600
time ntp server 1 10.13.15.254
advanced sip-snooping-ports 0 0
advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10
coredump disable
nmheartbeat disable
ipv6 slaac service-port disable
sys-nas Cisco_5f:0e:a4
no ip address
!
interface Vlan148
ip address 10.13.51.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan181
ip address 10.20.181.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan182
ip address 10.20.182.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan183
ip address 10.20.183.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan184
ip address 10.20.184.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan185
ip address 10.20.185.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan186
ip address 10.20.186.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan200
ip address 10.20.10.6 255.255.255.0
!
interface Vlan4093
ip address 10.40.93.140 255.255.255.0
!
ip default-gateway 10.40.93.1
ip http server
ip http secure-server
!
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps log
permit udp any host 10.13.48.26 eq domain
permit icmp any any
permit udp any any eq tftp
permit ip any any log
ip radius source-interface Vlan4093
access-list 101 permit udp any eq 2222 any dscp 55
access-list 102 permit udp any eq 2222 any dscp 47
access-list 103 permit udp any eq 2222 any dscp 43
access-list 104 permit udp any eq 2222 any
access-list 105 permit udp any eq 44818 any
access-list 105 permit tcp any eq 44818 any
access-list 106 permit udp any eq 319 any
access-list 107 permit udp any eq 320 any
snmp-server enable traps rep
tacacs server TACACS-SERVER-1
address ipv4 192.168.254.24
key 7 01200307490E12242455
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
The hardware and software components listed in Table C-1 were used in CPwE Identity Services
testing.
Table C-1 Test Hardware and Software
FactoryTalk, Stratix™, Stratix 8000, Stratix 5700 and Studio 5000 Logix Designer are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies.
Publication ENET-TD008A-EN-P June 2015
© 2015 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.