Security PoC SXP ISE & ASAv 9.10 lab by UD
Posted: Wed Dec 12, 2018 11:10 pm
Created another security EVE-NG Pro lab to test the newest ASAv 9.10 and ISE 2.3 for SXP TrustSec.
Task:
1. Configure ASAv in HA active/standby
2. Configure CTS SXP peering between SW1 and ASAv. ASAv and SW1 are ISE TrustSec clients
3. VLAN 11 (inside) is the trusted SXP communication path between ASAv and SW1
4. ISE is configured with the SGTs Corp_DOT1X and Guest_MAB, dACLs and authorization profiles with the VLAN 11 tag.
5. Authenticate PC1-MAB with ISE (mab) and authorize it in security group Guest_MAB
6. Authenticate PC2-DOT1X with ISE (dot1x) and authorize it in security group Corp_DOT1X
7. PC1-MAB is able to reach the http dmz1.eve.lab server only
8. PC2-DOT1X is able to reach the http dmz2.eve.lab server and the internet (ping 8.8.8.8, lo0 on ISP)
And here is the result:
In the screen below, PC1-MAB, after being successfully authorized with ISE, matches the policies on ASAv and can reach only http://dmz1.eve.lab
ISE Policies:
Task test result:
Images used:
IOL SW 15.2 (version with mab, dot1x, cts/sxp support)
IOL L3 15.4.2T
ASAv 9.10 (demo lic)
ISE 2.3 (eval lic)
Winserver 2008 as DNS and AD server
Windows 7 32 bit as MAB and DOT1X hosts
EVE-PRO Docker server-gui as dmz servers and Mgmt host
NTP server, simple L3 IOL router 15.4.2T
Cloud (cloud5) Mgmt100 is a simple EVE free cloud network used to stretch the mgmt VLAN across the lab and for a better-looking topology.
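Added example (not from the original post, and not UD's lab config): a CLI skeleton of the SW1 and ASAv side of steps 1, 2, 3, 7 and 8 above, for anyone rebuilding the lab. The interface names, the 10.11.0.0/24 inside addressing, the 10.99.99.0/24 failover link, the ISE/DNS addresses and all keys are assumed placeholder values; the ISE side (SGTs, dACLs, authorization profiles from step 4) is built in the ISE GUI and is not shown. The SGT names used in the ASA ACL must match the names ISE hands out, and the ASAv only knows them once its PAC and environment data have been pulled from ISE.

```cisco
! ---------- SW1 (IOL 15.2): MAB/802.1X against ISE, SXP speaker ----------
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! ISE as RADIUS server; address and key are assumed placeholders
radius server ISE
 address ipv4 10.100.0.10 auth-port 1812 acct-port 1813
 key ISE_RADIUS_KEY_PLACEHOLDER
! CoA from ISE (dACL / SGT re-authorization)
aaa server radius dynamic-author
 client 10.100.0.10 server-key ISE_RADIUS_KEY_PLACEHOLDER
radius-server vsa send authentication
dot1x system-auth-control
! device tracking is what turns an authenticated session into an IP-to-SGT binding
ip device tracking
!
interface GigabitEthernet0/1
 description PC1-MAB (step 5)
 switchport mode access
 switchport access vlan 11
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 description PC2-DOT1X (step 6)
 switchport mode access
 switchport access vlan 11
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! step 2/3: SW1 speaks its IP-SGT bindings to the ASAv over VLAN 11
cts sxp enable
cts sxp default password SXP_PASSWORD_PLACEHOLDER
cts sxp default source-ip 10.11.0.2
cts sxp connection peer 10.11.0.1 password default mode local speaker

! ---------- ASAv 9.10 (primary unit) ----------
! step 1: HA active/standby; link name and addresses are assumed placeholders
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/4
failover link FOLINK GigabitEthernet0/4
failover interface ip FOLINK 10.99.99.1 255.255.255.0 standby 10.99.99.2
failover key FAILOVER_KEY_PLACEHOLDER
failover
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.11.0.1 255.255.255.0 standby 10.11.0.3
!
! ISE as the TrustSec server; the PAC is generated on ISE for this device and
! imported with "cts import-pac" before the SGT names below resolve
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.100.0.10
 key ISE_RADIUS_KEY_PLACEHOLDER
cts server-group ISE
!
! step 2/3: ASAv is the SXP listener for SW1
cts sxp enable
cts sxp default password SXP_PASSWORD_PLACEHOLDER
cts sxp default source-ip 10.11.0.1
cts sxp connection peer 10.11.0.2 password default mode local listener
!
! FQDN objects need DNS on the ASA (the lab's Winserver; address is a placeholder)
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.100.0.20
object network DMZ1_WEB
 fqdn dmz1.eve.lab
object network DMZ2_WEB
 fqdn dmz2.eve.lab
!
! step 7: Guest_MAB reaches HTTP on dmz1.eve.lab and nothing else
access-list INSIDE_IN extended permit tcp security-group name Guest_MAB any object DMZ1_WEB eq www
! step 8: Corp_DOT1X reaches HTTP on dmz2.eve.lab and can ping the internet
access-list INSIDE_IN extended permit tcp security-group name Corp_DOT1X any object DMZ2_WEB eq www
access-list INSIDE_IN extended permit icmp security-group name Corp_DOT1X any any
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
```

To check the chain end to end: "show cts sxp connections" on both boxes should show the peer as On, "show cts role-based sgt-map all" on SW1 should list PC1/PC2 with their SGTs after they authenticate, and "show cts sxp sgt-map" on the ASAv should show the same bindings arriving over SXP; only then will "show access-list INSIDE_IN" hit-counts move for the security-group entries.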