Initial XTENDISE Configuration
This guide describes your first steps in XTENDISE to configure its basic features. Continue with the Configuration Guide for more details.
Add the first MAC address into ISE using XTENDISE
This guide will help you to synchronize your Endpoint Identity Groups from ISE and add the first MAC address using XTENDISE.
- Navigate to Administration -> Maintenance and run the Group - Sync job. It takes a minute or two to finish. This job manually synchronizes all EIGs from your ISE deployment.
- Navigate to Administration -> Group Authorization and choose a MAC group you want to use (for example, a group for printers or VoIP devices). Click Edit to configure the group. Select the MAB workflow and save the configuration.
- Navigate to New Endpoint -> MAB and fill out the form. The group dropdown should contain the group from the previous step (refresh the page if you do not see the group).
- Press the save button. Congratulations, you have just added your first MAC address!
Group configuration is an essential part of XTENDISE configuration. Refer to the configuration guide for more details.
Synchronize MAC Addresses from ISE
Navigate to Administration -> Maintenance and run the MAC - Full sync job. This job can be time-consuming, so let it run in the background. You can continue using XTENDISE without any limitations.
XTENDISE will now synchronize all MAC addresses from your ISE.
Email and Alarms
Navigate to Administration -> User Settings. Enter your email address (if it was not filled in automatically from your Active Directory account) and run the test to confirm that email notifications are working correctly. Check the alarm checkbox to receive alarm notifications, which inform you if XTENDISE loses connectivity to ISE.
The email address is used for alarm notifications or MAC expiration notifications.
Synchronize Compliance Module
Navigate to Compliance Module -> Configuration -> Actions tab. Click Run Device Synchronization to run the job. It usually takes a few minutes to complete. Then navigate to Compliance Module -> Devices List. The list should contain network devices synchronized from your ISE deployment.
Choose one switch and click the edit button to see its details. The switch has not yet been evaluated, so XTENDISE does not know any details about it. Click the evaluate button to retrieve the switch details. At this point, XTENDISE connects to the network device, downloads the output of various show commands and evaluates it.
You can now see the switch details, the list of network interfaces and their configuration, as well as the compliance evaluation result. Do not worry if the result of the compliance evaluation is Non Compliant; just proceed to the next article to go through the basics of the Compliance Module configuration.
Configure Compliance Module
Navigate to Compliance Module -> Configuration -> Templates tab. Edit the USER_PORT_BASIC template and validate the commands listed in the template. This preconfigured template contains the basic commands which enable 802.1X configuration. Some command parameters may differ from the configurations you deploy on your network switches. Edit the commands in the template so that they match the configuration you apply to your secured switchports.
The default template USER_PORT_BASIC is a pre-configured template that you can start with to test the Compliance Module functionality. The template contains just the basic 802.1X commands, but you may want to add more commands (even commands not related to 802.1X) to check whether all of them are configured on the secured switchports in your network. This is also useful if you use the Compliance Module to roll out 802.1X configurations to your network. Check the configuration guide for more detail about the Compliance Module.
Navigate to Compliance Module -> Configuration -> Rules tab. There is a single rule without any conditions. This means that the rule will match any switch and apply the templates configured in the rule. There are two pre-configured templates. The first template, AUTH_OPEN, detects whether the command "authentication open" is configured on a switchport. If so, the interface result will be Non Compliant. The second template, USER_PORT_BASIC, detects whether DOT1X configuration is configured on a switchport. If so, the interface result will be Compliant.
Most 802.1X deployments are configured in so-called Closed Mode. This means that no traffic is allowed to pass before a successful 802.1X authentication. The other option is to deploy 802.1X in Low Impact Mode, which requires the command "authentication open" to be configured on a secured switchport. If you deploy 802.1X in Low Impact Mode, remove the AUTH_OPEN template from the compliance rule, as this command is part of a valid 802.1X configuration.
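A minimal sketch of the rule evaluation described above, added here as an illustration; it is not XTENDISE's own code. The template contents, the sample running-config, the low_impact_mode flag and the precedence (an AUTH_OPEN match overrides USER_PORT_BASIC, and an interface matching no compliant template is Non Compliant) are assumptions.

```python
import re

# Assumed template contents (the page does not list them); standard IOS commands.
USER_PORT_BASIC = {"authentication port-control auto", "mab", "dot1x pae authenticator"}
AUTH_OPEN = {"authentication open"}

# Constructed running-config sample, not captured from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface name: set of commands configured under it}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # "!" or a global command closes the section
    return interfaces

def evaluate(config, low_impact_mode=False):
    """Apply the single catch-all rule; return (interface results, switch status)."""
    # In Low Impact Mode "authentication open" is valid, so AUTH_OPEN is dropped.
    non_compliant = [] if low_impact_mode else [AUTH_OPEN]
    results = {}
    for name, commands in parse_interfaces(config).items():
        flagged = any(template <= commands for template in non_compliant)
        ok = USER_PORT_BASIC <= commands and not flagged
        results[name] = "Compliant" if ok else "Non Compliant"
    switch = "Compliant" if all(r == "Compliant" for r in results.values()) else "Non Compliant"
    return results, switch
```

With the sample above, GigabitEthernet1/0/2 is Non Compliant in Closed Mode and becomes Compliant once AUTH_OPEN is removed from the rule, while the unconfigured GigabitEthernet1/0/3 keeps the switch Non Compliant in both modes.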
Run compliance evaluation on a switch again
Navigate to Compliance Module -> Devices List and edit the switch you used in the previous example. Click the evaluate button to evaluate the switch. XTENDISE connects to the network device again, downloads the output of various show commands and evaluates it against the preconfigured templates. If an interface contains all the commands configured in USER_PORT_BASIC, it will become Compliant. If there are only compliant interfaces, the switch status will change to Compliant. If there are Non Compliant interfaces, you should check their configuration and fix it, configure another compliant template if there are more valid 802.1X configurations, or apply an exception to the interface.
This was just a basic example of how to use the Compliance Module. Refer to the configuration guide for more detail about the Compliance Module functionality.