One of the best ways of learning something is building a lab for it. Especially when it comes to complex topics like network authentication. When I started learning about network authentication and Cisco Identity Services Engine (ISE), I found that there wasn’t a lot of clear information on how you build a lab. Not in Cisco documentation and also not on blogs, etc. In this post I’ll explain how I built my lab using CML and ESX.
Having a lab with ISE only is not going to get you very far. At a minimum, I think the following devices are needed in a network authentication lab:
- Cisco ISE.
- Active Directory Domain Services.
- Public Key Infrastructure (PKI) such as Active Directory Certificate Services (ADCS).
- Network Authentication Device (NAD) such as Catalyst 9000.
For my lab, I’m using only virtual devices. The focus is on learning network authentication and ISE which is why I’ve setup a very simple PKI, ignoring best practices such as offline root, intermediate CA, and so on. I might lab that at a later stage, but that’s not the current focus.
The topology of my lab is shown below:
Note that some VMs such as the virtual Catalyst 9000 switches and the Windows 10 VM are hosted in CML while others such as AD server and ISE are hosted outside on ESX. This is because they are resource intensive and I prefer to run them straight on ESX.
The goal here is to have a realistic lab without going overboard with the number of devices. I’ll briefly describe each device and their role below.
Win 10 VM – This is the device that will run the 802.1X supplicant and have the certificates that enables it to do network authentication. It’s a domain joined PC.
AS01 – This is an access layer switch which will be configured to be the authenticator using RADIUS. It will also use TACACS+ for device administration.
DS01 – This is a distribution layer switch. It will have the L3 configuration for the VLANs in the lab.
FW01 – The firewall is in the lab to be able to setup rules that give access to the webserver based on IP network or SGT.
RT01 – This router is used to route between the CML lab and my ESX networks that host ISE and the Windows server.
External connector – The external connector bridges between the CML lab and the port group that the CML node is placed in ESX.
ISE – The device that will authenticate and authorize users and device admins. I opted to host ISE on ESX due to the requirements of the VM.
Windows server – I have all the roles such as ADDS, ADCS, DNS, and DHCP. This is obviously not best practice, but works well for a lab.
Now I’ll highlight some of the details and config of each node. Starting with AS01.The config is currently very straight forward, it has a trunk to DS01 and a management interface in VLAN 10. It also has a default route towards DS01:
AS01#sh run int gi1/0/1 Building configuration... Current configuration : 61 bytes ! interface GigabitEthernet1/0/1 switchport mode trunk end AS01#sh run int vlan10 Building configuration... Current configuration : 60 bytes ! interface Vlan10 ip address 10.10.0.2 255.255.255.0 end AS01#show run | i ip route ip route 0.0.0.0 0.0.0.0 10.10.0.1
DS01 has a trunk towards AS01. It has linknets towards the firewall and router. It has static routes. It also hosts the SVIs for the VLANs in the lab:
DS01#sh run int gi1/0/1 Building configuration... Current configuration : 61 bytes ! interface GigabitEthernet1/0/1 switchport mode trunk end DS01#sh run int gi1/0/2 Building configuration... Current configuration : 91 bytes ! interface GigabitEthernet1/0/2 no switchport ip address 10.10.3.9 255.255.255.248 end DS01#sh run int gi1/0/3 Building configuration... Current configuration : 91 bytes ! interface GigabitEthernet1/0/3 no switchport ip address 10.10.3.2 255.255.255.252 end DS01#sh run int vlan10 Building configuration... Current configuration : 60 bytes ! interface Vlan10 ip address 10.10.0.1 255.255.255.0 end DS01#sh run int vlan20 Building configuration... Current configuration : 95 bytes ! interface Vlan20 ip address 10.10.1.1 255.255.255.0 ip helper-address 192.168.128.100 end DS01#sh run int vlan30 Building configuration... Current configuration : 95 bytes ! interface Vlan30 ip address 10.10.2.1 255.255.255.0 ip helper-address 192.168.128.100 end DS01#sh run | i ip route ip route 0.0.0.0 0.0.0.0 10.10.3.1 ip route 10.10.4.0 255.255.255.0 10.10.3.10
The network 10.10.4.0 is going to be used for the web server. The default route points towards the router.
The FW hasn’t been configured yet so I’m skipping it.
The router has an interface towards DS01 and and interface towards ESX via the external connector. The interface towards external has a static IP in the same subnet as ISE and the Windows server. It also has some static routes:
RT01#sh run int gi0/0 Building configuration... Current configuration : 157 bytes ! interface GigabitEthernet0/0 ip address 10.10.3.1 255.255.255.252 RT01#sh run int gi0/1 Building configuration... Current configuration : 162 bytes ! interface GigabitEthernet0/1 ip address 192.168.128.103 255.255.255.0 RT01#sh run | i ip route ip route 0.0.0.0 0.0.0.0 192.168.128.1 ip route 10.10.0.0 255.255.255.0 10.10.3.2 ip route 10.10.1.0 255.255.255.0 10.10.3.2 ip route 10.10.2.0 255.255.255.0 10.10.3.2
The Windows server has routes to the CML lab via RT01:
C:\Users\Administrator>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.128.1 192.168.128.100 281
10.10.0.0 255.255.255.0 192.168.128.103 192.168.128.100 26
10.10.1.0 255.255.255.0 192.168.128.103 192.168.128.100 26
10.10.2.0 255.255.255.0 192.168.128.103 192.168.128.100 26
ISE has a route for the management network via RT01:
ise01/admin#show ip route Destination Gateway Iface ----------- ------- ----- 10.10.0.0/24 192.168.128.103 eth0
That’s what my lab currently looks like. In the coming blog posts we’ll take a look at installing the different services. Stay tuned!