Deploys Cisco ISE for 802.1X wired/wireless authentication, MAB, posture assessment, and dynamic VLAN assignment in enterprise network access control.
Install: `npx claudepluginhub killvxk/cybersecurity-skills-zh`
Cisco Identity Services Engine (ISE) provides centralized network access control through 802.1X authentication, MAC Authentication Bypass (MAB), posture assessment, and guest access management. ISE acts as the RADIUS policy server: it evaluates authentication requests from network devices (switches, wireless controllers) and returns an authorization policy, including VLAN assignment, downloadable ACLs (dACLs), and Security Group Tags (SGTs). This skill covers deploying ISE for enterprise wired 802.1X authentication with Active Directory integration, MAB fallback, posture compliance enforcement, and TrustSec segmentation.
The 802.1X framework involves three components:
| Component | Role | Example |
|---|---|---|
| Supplicant | Client requesting network access | Windows 802.1X client, AnyConnect NAM |
| Authenticator | Network device that controls port access | Cisco Catalyst switch |
| Authentication Server | Policy decision engine | Cisco ISE (RADIUS) |
1. The endpoint connects to a switch port
2. The switch sends EAP-Request/Identity to the endpoint
3. The endpoint responds with EAP-Response/Identity
4. The switch forwards the credentials to ISE in a RADIUS Access-Request
5. ISE authenticates against AD/LDAP/the internal store
6. ISE evaluates the authorization policy
7. ISE returns a RADIUS Access-Accept carrying attributes (VLAN, dACL, SGT)
8. The switch enforces the authorization on the port
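Steps 7 and 8 hinge on two things the tables above do not show: how the VLAN and dACL ride inside the Access-Accept (RFC 2868 tunnel attributes plus a Cisco vendor-specific AV pair), and how the switch decides the reply really came from ISE. The following is an added example, not Cisco or ISE code: it builds such a reply and verifies its Response Authenticator the way the authenticator does, using the shared secret from the network device definition later on this page. The request authenticator, the RADIUS identifier and the dACL name string are constructed stand-ins.

```python
import hashlib
import hmac
import struct

# Added example, not Cisco's or ISE's code. Builds the RADIUS Access-Accept a policy
# server returns for dynamic VLAN assignment and checks its Response Authenticator
# the way the switch (authenticator) does with the shared secret.

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64                # RFC 2868 tagged tunnel attributes
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26            # RFC 2865
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Shared secret from the page's network device definition. The request authenticator
# is a constructed stand-in for the 16 random bytes the switch sent in its Access-Request.
SECRET = b"C0mpl3x$3cretKey!"
REQUEST_AUTHENTICATOR = bytes(range(16))


def attribute(attr_type, value):
    """Type-Length-Value encoding; the length counts the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tunnel_attribute(attr_type, value, tag=1):
    """Tunnel attributes carry a one-byte tag before the value."""
    return attribute(attr_type, bytes([tag]) + value)


def cisco_avpair(text):
    """Vendor-Specific attribute wrapping one cisco-avpair string."""
    inner = attribute(CISCO_AVPAIR, text.encode())
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def vlan_attributes(vlan_id, dacl_name):
    """Attributes for a dynamic VLAN plus a dACL reference (the AV-pair text is a hypothetical form)."""
    return (
        tunnel_attribute(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])          # 3-byte value
        + tunnel_attribute(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
        + tunnel_attribute(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())
        + cisco_avpair(f"ACS:CiscoSecure-Defined-ACL={dacl_name}")
    )


def build_access_accept(identifier, request_authenticator, attributes, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """What the switch does before honouring a reply: recompute the digest with its own secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, received)


def parse_attributes(data):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(packet):
    """VLAN the switch would place the port in, or None if the reply carries no VLAN attribute."""
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return value[1:].decode()   # skip the tag byte
    return None


if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTHENTICATOR, vlan_attributes(100, "PERMIT_ALL"), SECRET)
    print("valid with configured secret:", verify_response(reply, REQUEST_AUTHENTICATOR, SECRET))
    print("valid with mismatched secret:", verify_response(reply, REQUEST_AUTHENTICATOR, b"wrong"))
    print("VLAN assigned:", assigned_vlan(reply))
```

The integrity of the reply rests on an MD5 digest that includes the shared secret, which is why the secret in the device definition is long and mixed-case, why it must match exactly on both sides (a mismatch shows up as a silently discarded reply, not an error), and why it should be unique per switch.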
| Method | Use | Security level |
|---|---|---|
| EAP-TLS | Certificate-based, highest security | High |
| PEAP-MSCHAPv2 | Username/password via AD | Medium |
| EAP-FAST | Cisco proprietary, fast reauthentication | Medium |
| MAB | Non-802.1X devices (printers, IP phones) | Low |
Navigate to Administration > Identity Management > External Identity Sources > Active Directory:
Domain: corp.example.com
AD groups to retrieve:
- Domain Users - standard employee access
- Domain Computers - machine authentication
- IT-Admins - privileged access
- BYOD-Users - personal device access
Navigate to Administration > Network Resources > Network Devices:
Name: SW-ACCESS-01
IP address: 10.0.1.1/32
RADIUS shared secret: C0mpl3x$3cretKey!
SNMP settings: v2c, community string
Device type: Cisco Switches
Location: Building-A-Floor-1
Create the network device group hierarchy:
Device Type:
├── Cisco Switches
│   ├── Access Layer
│   └── Distribution Layer
└── Wireless Controllers
Location:
├── Building-A
└── Building-B
Apply the following configuration to the access switches:
```
! Enable AAA
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 2880
! Configure the RADIUS servers
radius server ISE-PRIMARY
 address ipv4 10.0.5.10 auth-port 1812 acct-port 1813
 key 0 C0mpl3x$3cretKey!
 automate-tester username radius-test probe-on
radius server ISE-SECONDARY
 address ipv4 10.0.5.11 auth-port 1812 acct-port 1813
 key 0 C0mpl3x$3cretKey!
 automate-tester username radius-test probe-on
aaa group server radius ISE-GROUP
 server name ISE-PRIMARY
 server name ISE-SECONDARY
 deadtime 15
 ip radius source-interface Loopback0
! Enable 802.1X globally
dot1x system-auth-control
! Enable RADIUS CoA (Change of Authorization) from both ISE nodes
aaa server radius dynamic-author
 client 10.0.5.10 server-key C0mpl3x$3cretKey!
 client 10.0.5.11 server-key C0mpl3x$3cretKey!
! Enable device tracking so the switch can map IP addresses to MACs (needed for dACLs)
device-tracking tracking auto-source
! Access port template
interface range GigabitEthernet1/0/1-48
 description 802.1X access port
 switchport mode access
 switchport access vlan 100
 ! Authentication settings
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 ! 802.1X settings
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! MAB fallback
 mab
 ! Enable spanning-tree portfast (required for timely authentication)
 spanning-tree portfast
 ! Apply the pre-authentication ACL
 ip access-group PRE-AUTH-ACL in
exit
! Pre-authentication ACL (allow DHCP, DNS and the ISE portals only)
ip access-list extended PRE-AUTH-ACL
 permit udp any any eq 67
 permit udp any any eq 68
 permit udp any any eq 53
 permit tcp any host 10.0.5.10 eq 8443
 permit tcp any host 10.0.5.11 eq 8443
 deny ip any any
```
Navigate to Policy > Policy Sets:
Authentication policy:
| Rule name | Condition | Allowed protocols | Identity source |
|---|---|---|---|
| Dot1X-EAP-TLS | Radius:EAP-Type EQUALS EAP-TLS | EAP-TLS | AD with certificates |
| Dot1X-PEAP | Radius:EAP-Type EQUALS PEAP | PEAP-MSCHAPv2 | Active Directory |
| MAB | Radius:Service-Type EQUALS Call-Check | MAB Lookup | Internal Endpoints |
| Default | Default | Default | Deny Access |
Authorization policy:
| Rule name | Condition | Authorization profile |
|---|---|---|
| IT-Admin-Wired | AD:Group EQUALS IT-Admins AND Dot1X | VLAN10-FullAccess |
| Employee-Compliant | AD:Group EQUALS Domain Users AND Posture:Compliant | VLAN100-Corporate |
| Employee-NonCompliant | AD:Group EQUALS Domain Users AND Posture:NonCompliant | VLAN200-Remediation |
| Printer-MAB | EndpointIdentityGroup EQUALS Printers | VLAN150-Printers |
| IP-Phone-MAB | EndpointIdentityGroup EQUALS IP-Phones | VLAN50-Voice |
| BYOD-Onboarding | AD:Group EQUALS BYOD-Users AND !Registered | BYOD-Portal-Redirect |
| Guest-Access | GuestEndpointGroup EQUALS GuestEndpoints | VLAN300-Guest |
| Default | Default | DenyAccess |
Authorization profiles:
Profile: VLAN100-Corporate
VLAN: 100
dACL: PERMIT_ALL
SGT: Employees (0x0005)
Reauthentication timer: 28800
Profile: VLAN200-Remediation
VLAN: 200
dACL: REMEDIATION-ACL (allows access to the remediation servers only)
Web redirect: Posture Discovery
Reauthentication timer: 300
Profile: DenyAccess
Access type: ACCESS_REJECT
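ISE evaluates the authorization rules top-down and the first match wins, so rule order decides what an endpoint that satisfies several rules gets (an IT admin who is also in Domain Users lands in VLAN10-FullAccess, not VLAN100-Corporate). The following is an added example, not ISE's own engine, that replays the rule table above against a few session contexts and returns the attributes the matched profile carries. Only VLAN100-Corporate, VLAN200-Remediation and DenyAccess are detailed on the page; the VLAN numbers for the other profiles are assumed from their names, and the session model is a simplification of ISE's attribute dictionary. One outcome worth noticing: a Domain Users member whose posture is still Unknown (the agent has not reported yet, which is the initial state of every posture session) matches neither employee rule and falls to the Default DenyAccess rule, so a production rule set normally also needs a Posture:Unknown rule that redirects to the remediation profile.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Added example, not ISE's own policy engine: first-match evaluation of the page's
# authorization rules, returning the attributes of the matched profile.

# Profile attributes: VLAN100-Corporate, VLAN200-Remediation and DenyAccess are as the
# page lists them; the remaining profiles carry only the VLAN implied by their name (assumed).
PROFILES: Dict[str, Dict[str, object]] = {
    "VLAN10-FullAccess": {"vlan": 10},
    "VLAN100-Corporate": {"vlan": 100, "dacl": "PERMIT_ALL", "sgt": 5, "reauth": 28800},
    "VLAN200-Remediation": {"vlan": 200, "dacl": "REMEDIATION-ACL",
                            "redirect": "Posture Discovery", "reauth": 300},
    "VLAN150-Printers": {"vlan": 150},
    "VLAN50-Voice": {"vlan": 50},
    "BYOD-Portal-Redirect": {"redirect": "BYOD Portal"},   # assumed
    "VLAN300-Guest": {"vlan": 300},
    "DenyAccess": {"access": "ACCESS_REJECT"},
}


@dataclass(frozen=True)
class Session:
    """Facts ISE knows about one RADIUS session when the rule table is evaluated (simplified)."""
    auth_method: str                          # "dot1x" or "mab"
    ad_groups: FrozenSet[str] = frozenset()   # AD group memberships resolved for the user
    posture: str = "Unknown"                  # "Compliant", "NonCompliant" or "Unknown"
    endpoint_group: Optional[str] = None      # endpoint identity group, e.g. "Printers"
    registered: bool = False                  # BYOD device already registered?


# Rules in the page's order; the first one whose condition holds wins.
RULES: List[Tuple[str, Callable[[Session], bool], str]] = [
    ("IT-Admin-Wired",
     lambda s: "IT-Admins" in s.ad_groups and s.auth_method == "dot1x", "VLAN10-FullAccess"),
    ("Employee-Compliant",
     lambda s: "Domain Users" in s.ad_groups and s.posture == "Compliant", "VLAN100-Corporate"),
    ("Employee-NonCompliant",
     lambda s: "Domain Users" in s.ad_groups and s.posture == "NonCompliant", "VLAN200-Remediation"),
    ("Printer-MAB", lambda s: s.endpoint_group == "Printers", "VLAN150-Printers"),
    ("IP-Phone-MAB", lambda s: s.endpoint_group == "IP-Phones", "VLAN50-Voice"),
    ("BYOD-Onboarding",
     lambda s: "BYOD-Users" in s.ad_groups and not s.registered, "BYOD-Portal-Redirect"),
    ("Guest-Access", lambda s: s.endpoint_group == "GuestEndpoints", "VLAN300-Guest"),
]


def authorize(session: Session) -> Tuple[str, str, Dict[str, object]]:
    """Return (rule name, profile name, profile attributes) for the first matching rule."""
    for name, matches, profile in RULES:
        if matches(session):
            return name, profile, PROFILES[profile]
    return "Default", "DenyAccess", PROFILES["DenyAccess"]


if __name__ == "__main__":
    # Constructed sample sessions
    samples = {
        "admin (also Domain Users)": Session("dot1x", frozenset({"IT-Admins", "Domain Users"}), "Compliant"),
        "employee, compliant": Session("dot1x", frozenset({"Domain Users"}), "Compliant"),
        "employee, non-compliant": Session("dot1x", frozenset({"Domain Users"}), "NonCompliant"),
        "employee, posture unknown": Session("dot1x", frozenset({"Domain Users"})),
        "printer via MAB": Session("mab", endpoint_group="Printers"),
    }
    for label, session in samples.items():
        rule, profile, attrs = authorize(session)
        print(f"{label:28} -> {rule:22} {profile:22} {attrs}")
```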
Navigate to Work Centers > Posture:
Posture conditions:
- Windows Firewall enabled (registry check)
- Antivirus running and up to date (AV compound condition)
- OS patch level current (Windows Update check)
- Disk encryption enabled (BitLocker check)
Posture requirement:
Requirement: Corporate-Windows-Compliance
OS: Windows All
Conditions: Windows Firewall AND Antivirus AND OS patches
Remediation: automatic remediation via the AnyConnect ISE Posture Module
Posture policy:
Rule: Windows-Endpoints
Identity group: Any
OS: Windows All
Requirement: Corporate-Windows-Compliance
Enable SGT-based segmentation:
```
! Device credentials for joining the TrustSec domain (entered in privileged EXEC mode, not configuration mode)
cts credentials id SW-ACCESS-01 password CtsP@ss
! Global configuration: enable SGACL enforcement and a static IP-to-SGT mapping
cts role-based enforcement
cts role-based sgt-map 10.0.100.0/24 sgt 5
! Pull the SGT policy from ISE (privileged EXEC), then verify with: show cts role-based permissions
cts refresh policy
```
ISE TrustSec matrix (SGACLs):
| Source SGT | Destination SGT | Policy |
|---|---|---|
| Employees (5) | Servers (10) | Permit_HTTP_HTTPS |
| Employees (5) | PCI_Zone (15) | Deny_All |
| IT-Admins (3) | Servers (10) | Permit_All |
| Guest (7) | Internet (99) | Permit_HTTP_HTTPS |
| Guest (7) | Servers (10) | Deny_All |
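An enforcement point applies the matrix only after it has classified both ends of a flow into SGTs; with static `sgt-map` entries that classification is a longest-prefix match, and anything it cannot classify gets SGT 0 (Unknown). The following is an added example, not Cisco code, that simulates that decision over the matrix above. Only the 10.0.100.0/24 to SGT 5 mapping comes from the page; the other prefixes, the PCI carve-out inside the server range, and the default cell are constructed assumptions (ISE's matrix default cell is configurable; this example assumes it has been set to Deny_All).

```python
import ipaddress
from typing import Dict, Tuple

# Added example, not Cisco's or ISE's code: SGT classification by longest-prefix match
# followed by a lookup in the TrustSec matrix, with a default-deny cell.

# Static mappings in the form of: cts role-based sgt-map <prefix> sgt <n>
SGT_MAP: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network("10.0.100.0/24"): 5,    # Employees (from the page)
    ipaddress.ip_network("10.0.10.0/24"): 3,     # IT-Admins (assumed prefix)
    ipaddress.ip_network("10.0.30.0/24"): 7,     # Guest (assumed prefix)
    ipaddress.ip_network("10.0.200.0/24"): 10,   # Servers (assumed prefix)
    ipaddress.ip_network("10.0.200.32/27"): 15,  # PCI_Zone carved out of the server range (assumed)
}
SGT_UNKNOWN = 0

# Matrix cells from the page: (source SGT, destination SGT) -> SGACL name
MATRIX: Dict[Tuple[int, int], str] = {
    (5, 10): "Permit_HTTP_HTTPS",
    (5, 15): "Deny_All",
    (3, 10): "Permit_All",
    (7, 99): "Permit_HTTP_HTTPS",
    (7, 10): "Deny_All",
}
DEFAULT_SGACL = "Deny_All"   # assumed default cell


def classify(ip: str) -> int:
    """SGT for an address: the most specific matching prefix wins; unmapped addresses are Unknown (0)."""
    addr = ipaddress.ip_address(ip)
    candidates = [net for net in SGT_MAP if addr in net]
    if not candidates:
        return SGT_UNKNOWN
    return SGT_MAP[max(candidates, key=lambda net: net.prefixlen)]


def decide(src_ip: str, dst_ip: str) -> Tuple[int, int, str]:
    """Classify both ends and return (source SGT, destination SGT, SGACL applied)."""
    src, dst = classify(src_ip), classify(dst_ip)
    return src, dst, MATRIX.get((src, dst), DEFAULT_SGACL)


if __name__ == "__main__":
    # Constructed sample flows
    for flow in [("10.0.100.25", "10.0.200.10"), ("10.0.100.25", "10.0.200.40"),
                 ("10.0.10.5", "10.0.200.10"), ("10.0.30.5", "10.0.200.40"),
                 ("192.168.1.1", "10.0.200.10")]:
        print(flow, "->", decide(*flow))
```

The second sample flow is the one to check when reviewing such a design: a host in the server /24 that also falls inside the PCI /27 is classified as PCI_Zone (15), so the employee-to-server permit cell does not apply to it.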
```
# Verify authentication state on the switch
show authentication sessions
show authentication sessions interface Gi1/0/1 details
show dot1x all
# Check RADIUS reachability against the server group
test aaa group ISE-GROUP testuser testpass new-code
# Check the live logs on ISE
# Navigate to Operations > RADIUS > Live Logs
# Filter by MAC address or username
# Open the authentication details to see the failure reason
# Common failure reasons:
# 12514 - EAP-TLS handshake failed (certificate problem)
# 22056 - Subject not found in the identity store
# 24408 - User not found in Active Directory
# 24454 - User password expired
```
Combine authentication open with a pre-authentication dACL for a phased rollout