Cisco TrustSec How-To Guide: Authenticating to Multiple AD Domains

For comments, please email: howtoguides@external.cisco.com

Current Document Version: 3.0
August 27, 2012

HowTo-45-Multiple_Active_Directories

Introduction

What Is the Cisco TrustSec System?

Cisco TrustSec®, a core component of the Cisco SecureX Architecture™, is an intelligent access control solution. TrustSec mitigates security risks by providing comprehensive visibility into who and what is connecting across the entire network infrastructure, and exceptional control over what and where they can go.

TrustSec builds on your existing identity-aware access layer infrastructure (switches, wireless controllers, and so on). The solution and all the components within the solution are thoroughly vetted and rigorously tested as an integrated system. In addition to combining standards-based identity and enforcement models, such as IEEE 802.1X and VLAN control, the TrustSec system also includes advanced identity and enforcement capabilities such as flexible authentication, Downloadable Access Control Lists (dACLs), Security Group Tagging (SGT), device profiling, posture assessments, and more.
Figure 1: TrustSec Architecture Overview

About the TrustSec How-To Guides

The TrustSec team is producing this series of How-To documents to describe best practices for TrustSec deployments. The documents in the series build on one another and guide the reader through a successful implementation of the TrustSec system. You can use these documents to follow the prescribed path to deploy the entire system, or simply pick the single use-case that meets your specific need. Each guide in this series comes with a subway-style “You Are Here” map to help you identify the stage the document addresses and pinpoint where you are in the TrustSec deployment process (Figure 2).

Figure 2: How-To Guide Navigation Map

What does it mean to be 'TrustSec Certified'?

Each TrustSec version number (for example, TrustSec Version 2.0, Version 2.1, and so on) is a certified design or architecture. All the technology making up the architecture has undergone thorough architectural design development and lab testing. For a How-To Guide to be marked “TrustSec certified,” all the elements discussed in the document must meet the following criteria:

• Products incorporated in the design must be generally available.
• Deployment, operation, and management of components within the system must exhibit repeatable processes.
• All configurations and products used in the design must have been fully tested as an integrated solution.

Many features may exist that could benefit your deployment, but if they were not part of the tested solution, they will not be marked as “TrustSec certified”.

The TrustSec team strives to provide regular updates to these documents that will include new features as they become available and are integrated into the TrustSec test plans, pilot deployments, and system revisions (e.g., TrustSec 2.2 certification). Additionally, many features and scenarios have been tested but are not considered a best practice, and therefore are not included in these documents. As an example, certain IEEE 802.1X timers and local web authentication features are not included.

Note: Within this document, we describe the recommended method of deployment, and a few different options depending on the level of security needed in your environment. These methods are examples and step-by-step instructions for TrustSec deployment as prescribed by Cisco best practices to help ensure a successful project deployment.

Solution Overview

The Cisco Identity Services Engine (ISE) integrates with external identity sources to validate credentials in user authentication functions and to retrieve group information and other attributes that are associated with the user for use in authorization policies. ISE supports multiple types of external identity sources, such as Active Directory, Lightweight Directory Access Protocol (LDAP), and other RADIUS servers.

Cisco ISE supports integration with a single Active Directory identity source. Cisco ISE uses this Active Directory identity source to join itself to an Active Directory domain. If this Active Directory source has a multidomain forest, trust relationships must exist between its domain and the other domains in order for Cisco ISE to retrieve information from all domains within the forest. This dependency on trust becomes an issue for large-scale deployments that can’t have trust relationships between domains due to compliance policies or government regulations.

Active Directory is Microsoft’s implementation of LDAPv3 directory services.
Thus, directory clients can use LDAP to search for and retrieve information from an Active Directory server. Cisco ISE can function as a directory client and, in that function, can communicate with multiple LDAP servers. This document explains how Cisco ISE can communicate via LDAP with Active Directory servers in an untrusted domain or forest.

ISE Communication to Active Directory as an LDAP Server

Searching Active Directory

Active Directory supports LDAP-based searches on port 3268 (global catalog) and port 389 (LDAP). The main benefit of searching the global catalog is that the search includes all directory partitions in the forest. Searches using port 389 can only include a single domain directory partition. Configuring Cisco ISE to search the global catalog requires configuration of a single external LDAP identity source rather than multiple identity sources, one for each Active Directory domain. While a global catalog search minimizes Cisco ISE configuration tasks, it poses an issue when authorization rules are defined by Active Directory groups. (See the Appendix for further details.)

EAP Authentication Methods

Cisco ISE supports all Extensible Authentication Protocol (EAP) methods, including EAP-Transport Layer Security (EAP-TLS) and Protected EAP-Generic Token Card (PEAP-GTC). However, Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2) is not possible when an LDAP-based authentication server is used, because MSCHAPv2 requires the authentication server to have access to the user's password hash, which an LDAP bind does not provide. Table 1 shows which methods support machine and user authentication and authorization (AuthC and AuthZ) with LDAP.

Table 1  EAP Authentication Methods and Authentication Types That Work with LDAP

Method                 Machine AuthC   Machine AuthZ   User AuthC   User AuthZ
EAP-TLS (port 389)     Yes             Yes             Yes          Yes
EAP-TLS (port 3268)    Yes             Yes             Yes          Yes; conditions apply*
MSCHAPv2               No              No              No           No
PEAP-GTC (port 389)    No              No              Yes          Yes
PEAP-GTC (port 3268)   No              No              Yes          Yes; conditions apply*

* Note: The “memberOf” attribute within the Active Directory schema depicts what Active Directory groups a user belongs to. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The replica of the child domain does not store the “memberOf” attribute, however, so authorization rule definitions based on groups in child domains will fail. Appendix 2 describes a potential workaround for this exception.

Scenario Overview

Figure 3 shows an example topology.

Figure 3 Active Directory Topology

In this scenario, ISE must authenticate engineers that are in both the CTS and Demo forests. The CTS and Demo forests do not have a cross-forest trust established between them. ISE is already configured to authenticate against the CTS forest via Active Directory. This document details how to configure ISE to authenticate and authorize users and machines in the Demo forest, which comprises the parent domain, Demo.local, and two child domains, North.demo.local and South.demo.local.

The main section of this document details configuration for authentication via EAP-TLS on port 389. Since many of the configuration steps are the same, configuration for authentication via PEAP-GTC is covered in Appendix A.

Configuring ISE for TLS authentication

Note: Creating and deploying user and machine certificates is outside the scope of this document.
Note: Certificates used for this document were generated by a Microsoft Active Directory Certificate Server on Windows Server 2008 R2.

Configure an LDAP Server

To complete an LDAP search, Cisco ISE must complete the following steps:

• Find an LDAP directory server.
• Establish a connection.
• Authenticate against (bind to) the LDAP directory server.
• Perform a search.

The steps below guide you through configuring Cisco ISE to perform these functions.

Procedure 1 Configure an LDAP Server

Step 1 Navigate to Administration > Identity Management > External Identity Sources > LDAP.
Step 2 Click Add.
Step 3 Configure the name as Demo.
Step 4 Select Custom as the schema and set the Subject Name Attribute to CN.

Figure 4 General LDAP Configuration

Step 5 Click the Connection tab.
Step 6 Enter the hostname/IP.
Step 7 Enter the port number as 389.
Step 8 Select Authenticated Access.
Step 9 Enter the Admin DN. This is the DN (distinguished name) for a user that is a member of the Schema Admins group within Active Directory. For example: cn=SchemaAdmin, cn=Users, dc=demo, dc=local.
Step 10 Enter the Admin DN’s password.

Note: The Admin DN account is used only to bind to the directory and run searches; a dedicated account with read access to the search bases is sufficient for this purpose, and the password entered here is stored by ISE.

Figure 5 LDAP Connection Configuration

Step 11 Click the Directory Organization tab.
Step 12 Configure both the Subject Search Base and the Group Search Base as DC=demo, DC=local.

Best Practice: Be as specific as possible when defining the search bases. For a standard Active Directory server configuration, the search base to use for subject and group search is CN=Users, <Domain Component> (for example, CN=Users, DC=demo, DC=local).

Step 13 Check the box titled “Strip start of subject name up to the last occurrence of the separator.”
Step 14 Enter @ as the separator value.
Step 15 Check the box titled “Strip end of subject name from the first occurrence of the separator.”
Step 16 Enter a period as the separator value.
Step 17 Click Submit.

Figure 6 LDAP Identity Source Configuration

Notes: In this example, the search bases are defined to start the directory search at the top of the directory tree. You should refine this based on your directory schema. During user authentication, the username is sent in user@domain format. By enabling the separator, only the username is passed to the LDAP server. During machine authentication, the username is sent in machine.domain format. By enabling the separator, only the machine name is passed to the LDAP server.

Step 18 Navigate to Groups. Click Groups > Add > Select Groups From Directory.

Cisco ISE allows a network administrator to select specific groups and attributes from Active Directory. This approach enables faster lookup times when authenticating a user. It also ensures that, when building policies related to AD groups, the administrator needs to look through only a small list instead of every group in AD.

Figure 7 LDAP Identity Group Configuration

Note: The groups found are the result of the returned values from a search based on the MemberOf attribute that was configured on the General screen.

Step 19 Of the groups retrieved, select the specific groups that will be used to define authentication and authorization policies.

Figure 8 LDAP Identity Group List

Step 20 Click Save.
Step 21 Repeat Steps 1–20 for the North child domain. Substitute CN=Users, DC=North, DC=Demo, DC=local for the subject and group search base values in Step 12.

Configuration for EAP-TLS Connections

Procedure 1 Define a Certificate Authentication Profile

A certificate authentication profile (CAP) is used to designate that authentication is based on certificates rather than a username and password sequence.

Step 1 Navigate to Administration > Identity Management > External Identity Sources > Certificate Authentication Profile.
Step 2 Name the profile Demo_CAP.
Step 3 Set the Principal Username X509 Attribute to Common Name. This defines which field within the certificate represents the username. It is directly related to the value selected for the Subject Name Attribute within the general configuration settings for the LDAP server.

Figure 9 CAP Configuration

Step 4 Navigate to Administration > Identity Management > Identity Source Sequences.
Step 5 Click Add.
Step 6 Name the Identity Source Sequence Demo_ID_Seq.

Figure 10 Identity Source Sequence Configuration

Step 7 Check the box titled “Select Certificate Authentication Profile” and choose Demo_CAP from the pull-down list.

Figure 11 Select the CAP

Step 8 Within the Authentication Search List, add the Demo and North identity sources.

Figure 12 Authentication Search List

Step 9 Click Submit.

Authentication

Procedure 1 User Authentication

Step 1 Navigate to Policy > Policy Elements > Conditions > Authentications > Simple Conditions.
Step 2 Add the condition shown in Figure 13.

Figure 13 Authentication Condition Configuration

Note: Supported regex syntax:
– ‘Starts with’: for example, using the REGEX value ^(Acme).*, this condition is configured as CERTIFICATE:Organization MATCHES ‘Acme’ (any match with a value that starts with "Acme").
– ‘Ends with’: for example, using the REGEX value .*(mktg)$, this condition is configured as CERTIFICATE:Organization MATCHES ‘mktg’ (any match with a value that ends with "mktg").
– ‘Contains’: for example, using the REGEX value .*(1234).*, this condition is configured as CERTIFICATE:Organization MATCHES ‘1234’ (any match with a value that contains "1234," such as Eng1234, 1234Dev, and Corp1234Mktg).
– ‘Does not start with’: for example, using the REGEX value ^(?!LDAP).*, this condition is configured as CERTIFICATE:Organization MATCHES ‘LDAP’ (any match with a value that does not start with "LDAP," such as usLDAP or CorpLDAPmktg).

Step 3 Click Submit.
Step 4 Navigate to Policy > Authentication.
Step 5 Create the rule shown in Figure 14.

Figure 14 Authentication Rule Configuration

Step 6 Click Submit.

Procedure 2 User Authorization

Step 1 Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Click Add.
Step 3 Add the profile shown in Figure 15.

Figure 15 Authorization Profile

Step 4 Click Submit.
Step 5 Navigate to Policy > Authorization.
Step 6 Create the rule shown in Figure 16 for user authorization.

Figure 16 User Authorization Rule

Step 7 Create the rule shown in Figure 17 to authorize machines.

Figure 17 Machine Authorization Rule

Procedure 3 Test Machine and User Authentication

Configuration is done! It’s time to verify that both machine and user authentication are working correctly.

Step 1 Connect to the network with a Windows or Mac device configured for an EAP-TLS connection.

Note: Native Windows and Mac supplicant configuration is beyond the scope of this document.

Note: If the client certificate is issued by a private certificate authority, you must import the root certificate into ISE so that ISE can validate the client certificate chain.

Step 2 View the Cisco ISE Live Authentication Log for the machine session.

Figure 18 Live Authentication Log
Figure 19 Authentication Log for Machine

Step 3 View the Cisco ISE Live Authentication Log for the user session.

Figure 20 Live Authentication Log - User
Figure 21 Authentication Log for User

Appendix A

Authenticating Users via PEAP-GTC

Authentication via PEAP-GTC does not require the use of certificates. PEAP-GTC is a username- and password-based authentication method. Cisco AnyConnect® Network Access Manager 3.1 is one of the only supplicants that supports EAP-GTC. Cisco AnyConnect Network Access Manager is a module of Cisco AnyConnect Client for Windows 3.x and provides a fully configurable and powerful supplicant option instead of the native supplicant of the Windows OS.
The Network Access Manager (NAM) is licensed at no charge, and more information may be found here: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html

Below are instructions on how to configure the standalone profile editor. For instructions on how to configure AnyConnect via Cisco Adaptive Security Device Manager (ASDM), please reference the following guide: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/adminpre.html

Procedure 1 Cisco AnyConnect NAM Configuration

Step 1 Select Networks, click Add, and enter the name wired-peap. Follow the configuration settings in Figure 22.

Figure 22 AnyConnect Configuration for Wired 802.1X Connection

Step 2 Click Next.
Step 3 Select Authenticating Network.
Step 4 Set the “startPeriod” to 10.
Step 5 Check “EAP fails” under the Port Authentication Exception Policy.
Step 6 Click the checkbox for “Enable port exceptions”.

Figure 23 AnyConnect NAM Security Level Configuration

Note: Since the switchport is configured for open mode, the above steps configure NAM to allow traffic to flow even if EAP fails. Otherwise NAM, per IEEE 802.1X specifications, will fail the connection if EAP authentication fails.

Note: The startPeriod is equivalent to tx-period on the switchport. Because it is a best practice to set the tx-period to 10 seconds, NAM’s startPeriod value must reflect the same value.

Step 7 Click Next.
Step 8 At upper right, select Connection Type, then select the User Connection radio button.

Figure 24 AnyConnect Connection Type Configuration

Step 9 At upper right, select User Auth.
Step 10 Set the EAP Methods to PEAP and check EAP-GTC.

Figure 25 AnyConnect NAM User Authentication Configuration

Step 11 At upper right, select the Credentials tab.
Step 12 Configure the Unprotected Identity Pattern as shown in Figure 26.

Note: Single Sign On is selected.

Figure 26 AnyConnect User Credential Configuration

Note: The “Unprotected Identity Pattern” (also known as the outer identity) is the RADIUS username that is sent to Cisco ISE. It is NOT the username that is sent within the EAP tunnel. This outer identity is what is used to match an authentication rule that is defined to match the RADIUS username. In this step, you’ve appended “@[domain]” to the outer identity, so the resulting identity is anonymous@demo or anonymous@north. This is necessary to designate the domain to which the user belongs. Based on this domain designation, the authentication request can match an authentication rule.

Step 13 Click Done.
Step 14 Select Network Groups.
Step 15 Move the wired-peap connection to the top of the Network Order.
Step 16 From the menu, click File and then Save As to save the configuration with the filename configuration.xml in the \ProgramData\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigFiles directory.

Note: This file name is critical.

Step 17 To apply this new configuration, go to the AnyConnect icon in the system tray. Right-click to view the options. Select Network Repair. This step forces AnyConnect to restart its services. A service restart causes NAM to search the newConfigFiles directory for a configuration.xml file.

Figure 27 Network Repair

Procedure 2 ISE Configuration

Previously, a simple authentication condition was created to match on usernames that contain the string “demo.” When using EAP-TLS, the username is based on the FQDN, which means that all usernames contain “demo” in the string, and so only a single condition was configured. When using PEAP-GTC, only the domain name (NetBIOS) is sent (e.g., Demo, North, or South). Thus, additional authentication configuration is necessary.

Step 1 Navigate to Policy > Policy Elements > Conditions > Authentications > Simple Conditions.
Step 2 Configure a simple condition to match on the North domain.
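To make the rule logic concrete, here is an added Python example (not code from this guide or from Cisco ISE) that evaluates the four MATCHES regex forms listed in the regex note of the Authentication section and then walks an ordered authentication policy first-match, showing why the single "contains demo" rule leaves the PEAP-GTC outer identity anonymous@north unmatched until the North rule is added above it. The rule names, the identity source sequence assigned to the North rule, case-insensitive matching, and the sample usernames are assumptions.

```python
import re
from typing import List, Optional, Tuple

# The four condition styles from the guide's "Supported regex syntax" note.
# The "Contains" example is printed in the guide as "*(1234).*"; a leading
# "." is required for a valid pattern, so ".*(value).*" is used here.
REGEX_FORMS = {
    "starts_with": r"^({v}).*",
    "ends_with": r".*({v})$",
    "contains": r".*({v}).*",
    "does_not_start_with": r"^(?!{v}).*",
}


def ise_regex(kind: str, value: str) -> str:
    """Return the regex a MATCHES condition of the given kind evaluates."""
    return REGEX_FORMS[kind].format(v=re.escape(value))


def condition_matches(kind: str, value: str, attribute: str) -> bool:
    # The forms carry their own ^/$ anchors, so start-anchored re.match is
    # enough. Case-insensitive comparison is an assumption of this example.
    return re.match(ise_regex(kind, value), attribute, re.IGNORECASE) is not None


# (rule name, condition kind, condition value, identity source sequence)
Rule = Tuple[str, str, str, str]

# Ordered policy as Appendix A lays it out: the North rule sits above the
# original "contains demo" rule. Names and the sequence used by the North
# rule are assumptions; Demo_ID_Seq contains the Demo and North LDAP sources.
AUTH_RULES: List[Rule] = [
    ("North_PEAP-GTC", "contains", "north", "Demo_ID_Seq"),
    ("Demo_EAP-TLS", "contains", "demo", "Demo_ID_Seq"),
]


def select_rule(radius_username: str, rules: List[Rule] = AUTH_RULES) -> Optional[Rule]:
    """First-match evaluation of the policy against RADIUS:User-Name."""
    for rule in rules:
        _, kind, value, _ = rule
        if condition_matches(kind, value, radius_username):
            return rule
    return None  # nothing matched: ISE falls through to its default rule


def unmatched_usernames(usernames: List[str], rules: List[Rule]) -> List[str]:
    """Usernames that no rule in the given policy matches."""
    return [u for u in usernames if select_rule(u, rules) is None]


# Constructed sample RADIUS usernames (assumptions, not taken from the guide's logs).
SAMPLE_USERNAMES = [
    "jdoe@demo.local",        # EAP-TLS user: certificate CN in user@domain form
    "ws01.north.demo.local",  # EAP-TLS machine: certificate CN in machine.domain form
    "anonymous@demo",         # PEAP-GTC outer identity for the Demo domain
    "anonymous@north",        # PEAP-GTC outer identity for the North child domain
]


def main() -> None:
    original_policy = AUTH_RULES[1:]  # only the "contains demo" rule
    print("Unmatched by the original single-rule policy:",
          unmatched_usernames(SAMPLE_USERNAMES, original_policy))
    for username in SAMPLE_USERNAMES:
        rule = select_rule(username)
        print(f"{username:24} -> {rule[0] if rule else 'no rule (default rule applies)'}")


if __name__ == "__main__":
    main()
```

Because the North rule is placed above and conditions only on the username, an EAP-TLS machine name such as ws01.north.demo.local is also taken by it; with both rules pointing at the same identity source sequence this changes nothing, but a rule that used a different source would.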
Figure 28 Authentication Condition Configuration

Step 3 Click Submit.
Step 4 Navigate to Policy > Authentication.
Step 5 Create a new authentication rule above the existing rule, as follows:

Figure 28 AnyConnect Authentication Rule

Step 6 Click Save.

Procedure 3 Test User Authentication

Configuration is done! It’s time to verify that user authentication is working correctly.

Step 1 Connect to the network with a Windows or Mac device configured for a PEAP-GTC connection.
Step 2 View the Live Log.

Figure 29 Live Log

Step 3 Click the Details button.

Figure 30 AnyConnect User Authentication Log

Appendix B: References

TrustSec System:
• http://www.cisco.com/go/trustsec
• http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Device Configuration Guides:

Cisco Identity Services Engine User Guides: http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

For more information about Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software releases, please refer to the following URLs:
• For Cisco Catalyst 2900 series switches: http://www.cisco.com/en/US/products/ps6406/products_installation_and_configuration_guides_list.html
• For Cisco Catalyst 3000 series switches: http://www.cisco.com/en/US/products/ps7077/products_installation_and_configuration_guides_list.html
• For Cisco Catalyst 3000-X series switches: http://www.cisco.com/en/US/products/ps10745/products_installation_and_configuration_guides_list.html
• For Cisco Catalyst 4500 series switches: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_installation_and_configuration_guides_list.html
• For Cisco Catalyst 6500 series switches: http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guides_list.html
• For Cisco ASR 1000 series routers: http://www.cisco.com/en/US/products/ps9343/products_installation_and_configuration_guides_list.html
• For Cisco Wireless LAN Controllers: http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg.html