Here is ZBISE12, and with it our Wired XBOX One Use Case! If you recall, we are going to authenticate our XBOX One with MAB (MAC Authentication Bypass) and then assign a dACL (downloadable ACL) to the session. Shall we jump right into it now???
Network and Server Diagram:
Here is our reference diagram that we will be using throughout this blog series.
Related Posts:
If you haven’t seen these posts yet, you should check them out:
- ZBISE01 – Basic Cisco ISE 2.3 VM Installation
- ZBISE02 – Building a Cisco ISE 2.3 Distributed Cluster
- ZBISE03 – Overview of our Cisco ISE 2.3 Use Cases for the ZBISE Blog Series
- ZBISE04 – Cisco ISE 2.3 Adding the ISE Cluster to Active Directory
- ZBISE05 – Virtual Wireless LAN Controller (vWLC) Install
- ZBISE06 – Cisco ISE 2.3 Adding Network Access Devices (NADs) – Cisco Switch
- ZBISE07 – Cisco ISE 2.3 Adding Network Access Devices (NADs) – Cisco vWLC
- ZBISE08 – Cisco ISE 2.3 Wired Authorization Profiles
- ZBISE09 – Cisco ISE 2.3 802.1x Auth – PEAP Wired Use Cases
- ZBISE10 – Cisco ISE 2.3 802.1x Auth – EAP-TLS Wired Use Cases
- ZBISE11 – Cisco ISE 2.3 Cisco VoIP Phone with MAB Auth on Wired
Wired Use Cases
Here is our Wired Use Cases table for reference as we go through today’s installment of creating our XBOX One with MAB Auth Use Case!
The Steps!!
Note: For this installment, we are not showing some of the filler screenshots. At this point in our series I believe they are not 100% needed. Please leave a comment if my assumption is incorrect here.
1. Create our ISE Policies for our XBOX One with MAB Use Case
You will first need to log into your ISE Cluster and traverse to your Wired Authorization policy. Within this policy, you will want to create a new use case / row / whatever you want to call it. For the condition of your XBOX One policy, we want to check for Wired_MAB and the specific XBOXONE Policy. This is shown in the below screenshot.
Once you have the condition the way you want it for your new XBOX One Authorization Policy, we need to make sure we select the proper permissions for the rule. We already pre-built our Authorization Profile for our XBOX Access, and it is called WIRED-XBOX. As you can see below, we have it selected in our policy.
That's it on the ISE side. If you run into any issues with your XBOX not being properly profiled, you can always add your XBOX into the End Point Policy manually.
2. Configure our Switchport for ISE…ISE THAT PORT…ISE THAT PORT!!
Now let's take a look at our XBOX One’s switchport on our Lab 3750 Switch. For this Use Case our XBOX One is on Port Gi1/0/6.
Taking a look at our port, we can see that it has not been ISED yet! Well, let's go ahead and ISE that Port!!
Note: For some reason, when I say ISE that port, I feel like we should start chanting: ISE that Port…ISE that Port…ISE that Port! 🙂
Let's pull the ISE Port Configuration from ZBISE06.
Below is what we are going to use for our ISE Port Configuration.
```
switchport access vlan 100
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
```
Below, like usual, is a screenshot of our switchport after the ISE Port configuration has been applied.
Now we move into Step # 3!!
3. Validation and Testing of our XBOX One Use Case
On our Lab switch, let's pull out our favorite CLI command, show auth sessions, to see what is taking place with our port.
As we expected to see, our XBOX One is getting a successful AuthC and AuthZ.
Let's take a quick look at the dACL just to verify it's correct. It should be, but we never know. 😉
And look at that, the dACL is correct.
Let's jump over to the ISE RADIUS Live Log side to view what ISE shows for the authentication session.
Now we just need to verify the dACL is properly working as expected. We shouldn’t be able to ping the XBOX One from an internal IP address (RFC 1918) but we should be able to ping it from a public address. (I know in this lab I am using the 1.1.1.1 address that is now actually a real world address, I will eventually change it, I promise! :))
Below is the screenshot of our testing, and it looks like everything is working as expected!! We are good to go!
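The ping results described above can also be checked offline by evaluating a dACL against sample flows before it is pushed from ISE. This is an added example, not code from the original post: the ACL text is an assumption (the post shows the real dACL only in a screenshot), the endpoint address is constructed, and the model assumes the dACL filters traffic arriving from the XBOX, so a ping from an internal host fails because the reply toward an RFC 1918 destination is dropped.

```python
import ipaddress

# ASSUMED dACL: the post shows the real one only in a screenshot. This version
# blocks RFC 1918 destinations and permits everything else (IOS wildcard masks).
ASSUMED_DACL = """\
remark constructed example, not the dACL from the post
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def parse_dacl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src, dst) entries."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError("unsupported ACE: " + line)
        src, rest = parse_addr(tokens[2:])
        dst, rest = parse_addr(rest)
        aces.append((tokens[0], src, dst))
    return aces

def matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # a wildcard bit of 1 means "don't care"
    return (to_int(addr) & care) == (base & care)

def evaluate(aces, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, d in aces:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"

if __name__ == "__main__":
    xbox = "10.100.0.50"               # constructed endpoint address
    for peer in ("10.1.1.10", "172.16.5.5", "192.168.1.20", "1.1.1.1"):
        print(peer, evaluate(parse_dacl(ASSUMED_DACL), xbox, peer))
```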
And that is it for our XBOX One with MAB Auth use case. Pretty straightforward once you get used to it. As always, if you have any issues or questions, leave a comment and I will be there to assist!!