
Cisco ISE Training

Course Overview
Kevin Rodgers CCIE# 47151
Instructor
• CCIE #47151
• Over 20 years of IT experience
• Over 10 years of training experience
• Currently active in the industry
Course Format
• Video Length
• Each video will take exactly how long it takes to complete a topic.
• Videos will not be split up into tiny topics.
• PowerPoint
• Used for focus while explaining a given topic.
• Faster and “neater” than drawings or notepad.
• Demonstration
• Each technology will have a full demonstration with detailed explanations.
Course Overview
• Lab Setup
• Configuration of VMware to support all lab servers.
• Switch configuration to support ISE features and infrastructure.
• ASA configuration for Internet Access.
• Windows Server Configuration
• Wireless Configuration
• ISE Overview
• ISE Initial Installation
• CLI & GUI Walkthrough
• ISE Certificates
• ISE Personas
• ISE Protocols
• ISE Deployment Models
Course Overview
• ISE Overview
• ISE High Availability
• ISE Patching
• ISE Upgrades
• ISE AD Integration
• ISE Management
• ISE Logging
• ISE Licensing
• Wired ISE
• Wired Modes
• Network Access Devices
• ISE Authentication
• ISE Authorization Profiles
• Switch Configuration
• MAB
• User-Only PEAP
Course Overview
• Wired ISE
• Easy Connect
• User and Machine Authentication/Authorization
• EAP-TLS
• Device Profiling
• Client Provisioning
• ISE Posture
• EAP Chaining
• Wireless ISE
• WLC Configuration
• Wireless Policy
• Wireless Guest Access
• ISE Temporal Posture
• ISE BYOD
Course Overview
• ISE – A little extra
• ISE Failover Testing Introduction
• IBNS 2.0 Introduction
• Device Administration Introduction
• VPN Introduction
Level of Detail
• This is not an expert level course.
• Going beyond what is required is not beneficial!
• This course, and the CCNA in general, is the foundation required to build
your expertise.
• Focus on the foundation first and all new material will be infinitely easier.
• Finally, if you see the irony in me rambling on all this time about how
efficient the course is, well, so do I.
Cisco ISE Training
Switch Configuration
Kevin Rodgers CCIE# 47151
Switch Config
• VLANs 10,20,30,40, and 100
• SVIs for each VLAN of .1
• IP Routing
• IP default route to ASA
• Telnet Management
• G1/0/1: Test Workstation | Access Port | VLAN 10
• G1/0/2: Wireless AP | Trunk Port | Native VLAN 100
• G1/0/3: To VMware | Access Port | VLAN 100
• G1/0/4: To ASA | Routed Port | 10.0.99.1
• G1/0/5: To Test Printer | Access Port | VLAN 10
Cisco ISE Training
ASA Configuration
Kevin Rodgers CCIE# 47151
ASA Config
• E0/0: VLAN 99
• E0/1: VLAN 123
• VLAN99 | Inside | 10.0.99.10
• VLAN123 | Outside | 192.168.1.10
• Inspect ICMP
• Route Inside | 10.0.0.0/8 | 10.0.99.1
• Route Outside | 0.0.0.0/0 | 192.168.1.1
• Telnet Management
Cisco ISE Training
Windows Server Config
Kevin Rodgers CCIE# 47151
Windows Config
• Completed:
• IP: 10.0.100.23 | DG: 10.0.100.1 | DNS: 8.8.8.8
• Permit RDP Access
• Change name to Win-2012
• To Do:
• Configure Active Directory and DNS
• Domain: Acme.local
• Configure DHCP for each VLAN (10,20,30,40, and 100)
• Configure the Microsoft CA Server
• Configure Webserver for testing
• Configure FTP Server for ISE Repository
• Configure Email Server for Email Alerts and Guest Configuration
• Configure AD Groups and Users
• User: Kevin | Group: Employee
• User: Bob | Group: Contractor
• User: Mary | Group: Restricted
Cisco ISE Training
ISE Initial Configuration
Kevin Rodgers CCIE# 47151
Section Overview
• ISE Initial Installation
• ISE CLI/GUI Walkthrough (Basic)
• ISE Certificate Stores
• ISE Personas
• ISE Deployment Models
• ISE Design
• ISE Distributed Deployment
• ISE High Availability
• ISE Patching
• ISE Backup and Restore
• ISE Upgrade
• ISE AD Integration
• ISE Administration
• ISE Logging and Alerting
• ISE Licensing
Cisco ISE Training
ISE Certificate Stores
Kevin Rodgers CCIE# 47151
ISE Certificates Overview
• System Certificates
• The Certificates associated to the individual ISE Node.
• Trusted Certificates
• Certificate Authorities ISE trusts.
• OCSP Client Profile
• Checks with the CA for revoked certificates.
• Certificate Signing Requests
• Template to create a signing request with the CA.
• Certificate Periodic Check
• Uses the legacy CRL method of checking certificate revocation.
• Certificate Authority
• Settings to turn ISE into a CA Server. Will cover in a later lesson.
Certificate Configuration
• Modular System
• The same or different certificates can be used for each function:
• pxGrid
• EAP Authentication
• Admin Portal
• Portals
• Portals use a certificate group, which can be customized for each portal.
• RADIUS DTLS
• A method used to authenticate network access devices with certificates instead of shared
secrets (password).
• SAML
• Method used for sharing authentication/authorization with 3rd parties.
• Distributed Deployment
• CA Certificate Store = Shared
• System Certificates = Per Server
Certificate Types
• Per Node or Per Service
• One certificate for every node within a distributed deployment. E.g.
• Certificate 1 CN = ise1.acme.local
• Certificate 2 CN = ise2.acme.local
• Wildcard Certificate
• One certificate covering all possible host names. E.g.
• *.acme.local
• Will not work for 802.1x authentication with a Windows Native Supplicant!
• SAN Certificate
• One certificate for all servers/services, but each hostname must be included in the
SAN (Subject Alternative Name). E.g.
• CN = ACME-ISE
• SAN 1 = ise1.acme.local
• SAN 2 = ise2.acme.local
Lesson Tasks
• Import the Microsoft CA Certificate into the ISE Trusted Store.
• Create a Certificate Signing Request on ISE1.
• CN = ACME-ISE
• SAN = ise1.acme.local
• SAN = ise2.acme.local
• SAN = 10.0.100.21
• SAN = 10.0.100.22
• Sign the CSR with the Microsoft CA.
• Bind the signed certificate to ISE and trust for:
• Admin
• Portals
• EAP Authentication
• Configure Management PC to trust the MS CA.
Cisco ISE Training
ISE Personas
Kevin Rodgers CCIE# 47151
ISE Terminology
• Node: A node is a server, either physical or virtual.
• Persona: A Persona is the role the server is filling.
• Service: A Service is a feature within a persona.
• Deployment: A Deployment is all ISE Servers that run under the same
administrative domain or more specifically under the same
administrative personas.
ISE Administration Persona
• Responsible for syncing other node types with itself.
• Responsible for maintaining the overall deployment configuration.
• Responsible for providing the GUI for configuration and
management.
• Administration Persona (PAN)
• Maximum Per Deployment: 2
• HA Mode: Active/Passive
ISE Monitoring Persona
• Responsible for managing and storing log files.
• Responsible for troubleshooting tools.
• Monitoring & Troubleshooting Persona (M&T)
• Maximum Per Deployment: 2
• HA Mode: Active/Passive (kind of)
• All M&T nodes receive all log copies.
ISE Policy Service Persona
• Responsible for processing all requests:
• Authentication
• Authorization
• Profiling
• pxGrid
• Etc…
• Policy Service Persona (PSN)
• Maximum Per Deployment: 50
• HA Mode: Active/Active
Cisco ISE Training
ISE Protocols
Kevin Rodgers CCIE# 47151
RADIUS
• Remote Authentication Dial-In User Service
• Been around forever.
• Very simple protocol, but also works perfectly for our purposes.
• Uses UDP port 1812 for authentication and 1813 for accounting.
• Legacy ports are 1645 and 1646.
• Simple, easy to read, messages:
RADIUS
Code  Assignment
  1   Access-Request
  2   Access-Accept
  3   Access-Reject
  4   Accounting-Request
  5   Accounting-Response
 11   Access-Challenge
 43   CoA-Request
 44   CoA-ACK
TACACS+
• Terminal Access Controller Access-Control System
• Used to control management access to networking equipment such
as a switch or router.
• Uses TCP/49
• Allows for authorization as well, including shell privileges and
command level authorization.
RADIUS vs TACACS+
                               RADIUS                   TACACS+
Protocol/Port                  UDP: 1812 and 1813       TCP: 49
                               UDP: 1645 and 1646
Encryption                     Only the password        Entire packet
Authentication/Authorization   Combined                 Separate
Usage                          Client authentication    Device authentication and
                                                        command level authorization
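To make the packet layout, the code assignments and the "only the password is encrypted" point concrete, here is an added Python example (not course material): it builds a constructed Access-Request, answers it with an Access-Accept whose Response Authenticator is computed with the shared secret, and shows that a tampered or forged reply fails the check while the User-Name still travels in clear. The user name, MAC address, attribute values and shared secret are made-up lab values.

```python
import hashlib
import hmac
import struct

# Code assignments from the slide (RFC 2865, RFC 2866, RFC 5176).
RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response",
    11: "Access-Challenge", 43: "CoA-Request", 44: "CoA-ACK",
}
# A few standard attribute types (RFC 2865), enough to read a lab packet.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 11: "Filter-Id",
              31: "Calling-Station-Id", 80: "Message-Authenticator"}

SECRET = b"constructed-lab-secret"  # constructed; the secret the NAD and ISE share


def _encode_attrs(attributes):
    """Attributes are Type(1) Length(1) Value TLVs; Length counts its own two header bytes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attributes)


def build_request(identifier, request_auth, attributes):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16). The client chooses a
    random 16-byte Request Authenticator; it is passed in here so the example is reproducible."""
    body = _encode_attrs(attributes)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + request_auth + body


def build_response(code, identifier, request_auth, attributes, secret):
    """Server reply. Its Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    (RFC 2865 section 3), so only a holder of the shared secret can produce a valid one."""
    body = _encode_attrs(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse_packet(data):
    """Decode the header and attribute list, rejecting inconsistent length fields."""
    if len(data) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field does not fit the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((ATTR_NAMES.get(a_type, "Attr-%d" % a_type), data[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": RADIUS_CODES.get(code, "Unknown-%d" % code),
            "id": identifier, "authenticator": data[4:20], "attributes": attrs}


def verify_response(response, request_auth, secret):
    """A NAD should only honour an Access-Accept whose Response Authenticator verifies
    against the Request Authenticator it sent and the shared secret."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    header = struct.pack("!BBH", code, identifier, length)
    expected = hashlib.md5(header + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Constructed Access-Request / Access-Accept exchange for a lab user."""
    request_auth = bytes(range(16))  # constructed; real NADs use unpredictable random bytes
    request = build_request(7, request_auth,
                            [(1, b"bob@acme.local"), (31, b"00-11-22-33-44-55")])
    accept = build_response(2, 7, request_auth, [(11, b"Acme-Employee")], SECRET)
    # Flip one attribute byte after the authenticator was computed.
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])
    # A reply built without the real secret carries an authenticator that cannot verify.
    forged = build_response(2, 7, request_auth, [(11, b"Acme-Employee")], b"wrong-secret")
    return {
        "request": parse_packet(request),
        "accept": parse_packet(accept),
        "username_in_clear": b"bob@acme.local" in request,  # only User-Password is hidden
        "accept_ok": verify_response(accept, request_auth, SECRET),
        "tampered_ok": verify_response(tampered, request_auth, SECRET),
        "forged_ok": verify_response(forged, request_auth, SECRET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```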
EAP (Extensible Authentication Protocol)
• There are many flavors of EAP supported by ISE; we will be covering the three most commonly
used options.
• PEAP (Protected Extensible Authentication Protocol)
• Security works much like a web site using SSL/TLS.
• Client uses the server certificate to establish the encrypted tunnel.
• Does not require a client certificate.
• EAP-TLS (Transport Layer Security)
• Does require both server and client certificates for mutual authentication.
• E.g. The network knows it is Bob from Accounting and Bob knows he is truly attaching to the
correct network (not a spoofed SSID).
• Considered the most secure option.
• EAP-FAST (Flexible Authentication via Secure Tunneling)
• Does not require client certificates.
• Uses PAC files to create the secure tunnel.
• Can be used for simultaneous Machine and User authentication (EAP Chaining).
• Requires the AnyConnect Supplicant on the workstation.
Some Jargon
• Supplicant
• The endpoint is essentially the supplicant. However, technically, the
supplicant is software that runs on the endpoint.
• Authenticator
• The authenticator is the device the Supplicant is attached to.
• Wired Network Authenticator: Switch.
• Wireless Network Authenticator: WLC
• Authentication Server
• The Authentication Server in our case is the ISE Server.
PEAP
• Outer and Inner Method
• The Outer method is PEAP and uses the server certificate to create a secure
tunnel.
• The Inner method is the authentication protocol that goes within the PEAP
created tunnel. In the case of AD, the inner protocol will be MSCHAPv2.
• Has two phases
• Phase 1 creates the outer tunnel.
• Phase 2 does the “inner” authentication.
PEAP Authentication Process
Supplicant Authenticator Authentication Server

EAPoL Start
Identity Request
Identity (may be fake)
RADIUS Access Request
Start PEAP
Server Certificate Sent
Validate Certificate and Establish Outer Tunnel
EAP Request Identity
EAP Response (Real Identity)
EAP Request (Challenge)
EAP Response (Challenge)
EAP Request (Success)
EAP Response ACK
Tear Down Tunnel
RADIUS Access-Accept or Access-Reject
EAP Success or Failure
4-Way EAPoL Handshake
Encrypted Data Channel Open
EAP-TLS Authentication Process
Supplicant Authenticator Authentication Server

EAPoL Start
Identity Request
Identity (may be fake)
RADIUS Access Request
Server Certificate
Client Certificate
Validate Certificate and Establish Outer Tunnel
RADIUS Access-Accept or Access-Reject
EAP Success or Failure
4-Way EAPoL Handshake
Encrypted Data Channel Open
EAP-FAST Authentication Process
Supplicant Authenticator Authentication Server

PAC Provisioning either automated or manual


EAPoL Start
Identity Request
Identity (may be fake)
RADIUS Access Request
EAP Request
Client PAC
Establish Outer Tunnel
Identity Request (MSCHAPv2 or Certificate)
Identity Response (MSCHAPv2 or Certificate)
Remove Tunnel
RADIUS Access Accept
EAP Success or Failure
4-Way EAPoL Handshake
Channel Open
Cisco ISE Training
ISE Deployment Models
Kevin Rodgers CCIE# 47151
ISE Small Deployment
• (2) nodes in the same DC.
• All nodes run all personas.
• All nodes run all services.
• Designed for a small LAN or a low-latency WAN.
• General recommendation is no more than 300ms round-trip latency between
nodes.
• Small Network Split Deployment
• Same as above, but the two nodes are in different Data Centers.
ISE Medium Deployment
• Requires anywhere from 3 to 8 Nodes.
• Node 1: Primary Administration and Secondary Monitor.
• Node 2: Primary Monitor and Secondary Administration
• Node 3 – 5: Dedicated PSN.
ISE Large Deployment
• (x) Nodes
• Node 1: Dedicated Administration
• Node 2: Secondary Administration
• Node 3: Primary Monitoring
• Node 4: Secondary Monitoring
• Node 5+: Dedicated PSNs.
• May include separate load balancers or node groups.
• PSN placement is typically determined by volume in any given
geographical region.
Cisco ISE Training
ISE Design
Kevin Rodgers CCIE# 47151
Network Considerations
• Bandwidth and latency between locations.
• Latency between ISE Nodes must not exceed 300ms, but should be
under 200ms where possible.
• Location of AD Servers.
• Network reliability at remote locations.
• Bandwidth Calculator
Sizing Considerations
• Leave enough room for growth.
• I typically size to 50% of the Cisco maximums and err on the side of caution.
• In a two-PSN deployment, either PSN should be able to shoulder the entire load if one PSN
goes offline. This could be due to a failure, but could also occur during maintenance.
• Consider “basic” load balancing.
• Wireless:
• PSN1 = Primary
• PSN2 = Secondary
• Wired:
• PSN2 = Primary
• PSN1 = Secondary
• Consider future requirements
• If it is a wireless deployment, will the customer add wired in the future?
• Plan on 2-3 devices for every user that will be on the network at any given time.
• Laptop, Cell Phone, Tablet, Etc…
VM or Physical
• VM Pros
• Easy to add nodes in the future.
• Easy to scale up resources due to growth.
• Easy Disaster Recovery.
• Cheap.
• VM Cons
• ISE will complain if any resource is not 100% available, 24/7. E.g. a disk I/O slowdown will
generate critical errors.
• Gray area when calling TAC.
• Physical Appliances
• Fully supported by TAC, top-to-bottom.
• Obviously, dedicated resources.
• Difficult to upgrade and will have to be replaced every x years.
• Kind of a pain when an appliance goes EOL.
• Expensive.
Think it Through
• In a centralized network, what would happen if the WAN connection
to a remote site goes down? Is this expected and acceptable?
• What would happen if an entire DC goes down?
• What would happen if ISE goes down?
• If a PSN is lost, will the secondary provide an acceptable level of
service? Latency? Etc…?
Cisco ISE Training
Deployment Configuration
Kevin Rodgers CCIE# 47151
Deployment Prerequisites
• All ISE nodes must be on the same version and patch number.
• The “primary” ISE Node must not be in standalone mode.
• We must know the admin username/password of the new node.
• Each node must be able to resolve the hostname of every other node
in DNS. E.g. ISE1 must be able to resolve ISE2, and the other way
around.
• The primary ISE node must trust the system certificate being
presented by the new node.
• E.g. ISE1 must trust the certificate of ISE2.
• We can either import the ISE2 self-signed certificate into the ISE1 trusted
store, or we can export/import the MS Signed Cert and CA into ISE2.
Deployment Process
• ISE1 → ISE2
• Here are your admin credentials and I want you to join my deployment.
• Note: ISE1 and ISE2 must both be resolvable via DNS.
• ISE2 → ISE1
• Okay.
• ISE1 → ISE2
• First, I need you to prove to me that you are in fact ISE2.
• ISE2 → ISE1
• Sure, here is my certificate.
• ISE1 → ISE2
• I don’t trust your certificate, so forget about the whole thing.
• I do trust your certificate and you are now a member of my deployment.
• ISE2 → ISE1
• Okay, I’m going to start synchronization with you now.
Task List
• Create DNS Entries for ISE1 & ISE2, including reverse lookup.
• Make ISE1 the primary node.
• Begin the process to demonstrate the certificate requirement.
• Export/Import the SAN Certificate into ISE2.
• Restart the join process using the MS Signed Certificate.
Cisco ISE Training
ISE High Availability
Kevin Rodgers CCIE# 47151
ISE HA
• Based on Persona, not node.
• Designed to remain up during a node failure and comes with the
ability to quickly reinstitute HA.
• Automated HA features can be difficult to manage.
Administration Persona
• No more than two admin personas.
• One primary admin node will service all admin functions and sync the
configuration with the secondary.
• Automated or manual recovery.
• Failure
• When the Primary Admin node goes down, all services will remain up and running
with the exception of new accounts.
• If new accounts or configuration changes are necessary, the secondary Admin
must be promoted to primary.
• Manual Failover: Login to secondary and click the promote to primary
button.
• Automatic Failover: One or more of the PSNs act as a health check server.
The PSN basically queries the primary admin node at set intervals, and will
automatically promote the Secondary if it detects the Primary is down.
Monitoring Persona
• No more than two monitoring personas.
• Logs are automatically sent to both the primary and secondary monitor
nodes.
• Manual recovery only
• Failure
• When the Primary Monitor node goes down, all services will remain up and
running.
• The Secondary Monitor mode is set to read-only.
• Manual Failover: Login to secondary and click the promote to primary
button.
• Recovery: If the “old” primary returns to service, it will automatically assume
the Secondary Monitor Persona.
PSN Persona
• No more than fifty PSN personas.
• All PSNs are up and capable of servicing clients.
• No Recovery Necessary.
• High Availability is a function of the network devices. For example:
• WLC
• RADIUS Server 1: 192.168.1.1
• RADIUS Server 2: 192.168.1.2
• When RADIUS Server 1 goes down, the WLC will automatically send
authentication/authorization requests to RADIUS Server 2.
• Many network devices will not be aware RADIUS Server 1 is down and will
continuously try to send it requests. After a timeout period, the network
device will try the next server. This can introduce problems in a busy
network.
Cisco ISE Training
ISE Patching
Kevin Rodgers CCIE# 47151
A Few Notes
• I typically recommend waiting a week or two after a patch is
released, before deployment.
• Always check the release notes to make sure there is nothing in the
patch that will interfere with your configuration.
• Also check to make sure your patch is cumulative, if going from an
earlier patch to a later patch.
• To function, ISE must have an Admin Node, Monitoring Node, and at
least one PSN. ISE will install the patches in a specific order, to ensure
at least one of each persona type is always up.
• Always install the latest patch before attempting an upgrade.
Cisco ISE Training
ISE Backups
Kevin Rodgers CCIE# 47151
A Few Notes
• Backups require a repository which can utilize any one of several
different protocols. You can also have multiple repositories for
different functions.
• You can configure the repository two different ways:
• CLI: The repository will only be configured on the individual node.
• GUI: The repository will be configured and usable from all nodes in the
deployment.
• There are two types of backups:
• Configuration: Backs up the configuration of the ISE Application and the
Linux “ADE”.
• Operational Data: Backs up the log data and troubleshooting information.
• Can be an on-demand backup or run on a schedule.
Cisco ISE Training
ISE AD Integration
Kevin Rodgers CCIE# 47151
A Few Notes
• An account with permissions to create a machine account is required
initially.
• Once ISE is integrated with AD, ISE will exclusively use the machine
account created above.
• The machine account can also be pre-created and ISE will use it.
• The ISE machine account will periodically change its own password.
• ISE will do a DNS Lookup for a domain controller and attach to the DC
that has the fastest response time.
• Before AD can be used, the groups, OUs, or attributes you would like
to use must be added to ISE.
• The ISE/AD Integration is reliant on NTP functioning properly.
Cisco ISE Training
ISE Administration
Kevin Rodgers CCIE# 47151
A Few Notes
• ISE can use either the built-in account database or Active
Directory/LDAP for administration.
• ISE has the ability to limit accounts to specific sections of ISE.
• Menu: Whether or not a menu can even be seen by the logged in user.
• Access: If the menu can be seen, do we want read-only or read-write access.
• We are going to create one custom policy:
• CustomUser: User has permissions to view logs and modify endpoints.
• We will do the configuration using local groups first and then
transition to Active Directory Groups.
Cisco ISE Training
ISE Logging
Kevin Rodgers CCIE# 47151
A Few Notes
• ISE offers full control over the information you want to capture and
where that information is sent.
• All logs, by default, will go exclusively to the M&T nodes. However,
you can add additional servers such as Splunk.
• Debugs can be turned on/off easily and come in very handy when
you have unexplained problems. Plus, this is often the first thing TAC
will do when there is a problem.
• We will not go through every log or every setting, but once you
understand the basics, it will be easy to find what you are looking for.
Cisco ISE Training
Licensing
Kevin Rodgers CCIE# 47151
ISE Licensing
Base            Plus            Apex         Device Admin   VM
AAA             Profiling       Posture      TACACS+        Per Node*
TrustSec        BYOD w/ Cert    MDM                         Per Node*
802.1x          pxGrid          TC-NAC
Guest Services  ANC             AnyConnect
                MSE
Cisco ISE Training
Wired Modes
Kevin Rodgers CCIE# 47151
Wired Modes
• Wired is usually a “phased” deployment.
• Nearly all ISE deployments begin in Monitor Mode and transition into
Closed or Low-Impact Mode.
• Monitor Mode (AKA Open Mode or Audit Mode)
• Full ISE Deployment, but all users/devices are allowed network access by
default.
• Low-Impact Mode
• An ingress ACL is applied to every switchport, granting basic access, and the
ACL is replaced after a successful authentication/authorization.
• Closed Mode
• Only EAPoL traffic is allowed until authentication takes place.
Monitor Mode
• Will not impact a production network.
• Authentication will be attempted, but denied authentication
attempts will be allowed on the network anyway.
• Audit logs can be used to understand what is on the network and
what would have failed if policy was being enforced.
• Potential problems can be identified and corrected before
transitioning to Low-Impact Mode.
Low-Impact Mode
• Deploys an ACL to every switchport.
• The ACL typically allows basic “IT” services such as DHCP, DNS, AD,
etc…
• The authentication/authorization takes place and the ACL is replaced,
in real-time, with a defined ACL based on the authorization result.
• E.g. If user is in Sales AD Group, then grant Sales-ACL.
• This can be and often is the finished product.
Closed Mode
• Only EAP traffic is allowed before authentication.
• E.g. No DHCP, DNS, Etc…
• Most secure option as no traffic is allowed prior to authentication.
Cisco ISE Training
Network Access Device
Kevin Rodgers CCIE# 47151
A Few Notes
• Before ISE accepts any authentication requests from a network
access device, we must authorize the device within ISE.
• The Shared Secret must match on both ISE and the network device
(Switch)
• We will create groups of devices to separate our various policies. E.g.
Wired, Wireless, and VPN.
• We will also place the network devices in locations. This isn’t relevant
for our topology, but may be in yours.
Lab Tasks
• Create one single location – Chicago
• Create one single Device Type – Wired
• Add the lab 3750 to ISE.
Cisco ISE Training
ISE Authentication Config
Kevin Rodgers CCIE# 47151
Authentication Overview
• For any given “umbrella” policy, we have to tell ISE a few things:
• Which protocols is ISE allowed to accept?
• PEAP, EAP-TLS, Etc…
• Which databases is ISE allowed to authenticate against?
• Internal, Active Directory, Etc…
• Which order should the databases be checked?
• Try AD first, then Internal, Etc…
• What should happen if there is a problem?
• The username is not found in AD, should we try Internal?
• AD has rejected the password, should we try internal?
• AD is down and the process failed, should we try internal?
Lab Tasks
1. Overview of ISE allowed protocols.
2. Create a new ISE Identity Source Sequence.
1. Active Directory
2. Internal Users
3. Internal Endpoints
4. Guest
Cisco ISE Training
ISE Authorization Profile
Kevin Rodgers CCIE# 47151
Lab Tasks
• DACLs
• Acme-Contractor
• Deny http/s to 10.0.100.23
• Permit any
• Acme-Employee
• Permit any
• Acme-Limited
• Deny http to 10.0.100.23
• Permit any
• Acme-Machine
• Permit DNS
• Permit AD
• Permit ISE
• Acme-Printer
• Permit tcp/9100

• Authorization Profiles
• Acme-Contractor: Apply DACL.
• Acme-Employee: Apply DACL.
• Acme-Limited: Apply DACL.
• Acme-Machine: Apply DACL.
• Acme-Printer: Apply DACL
Cisco ISE Training
ISE Switch Configuration
Kevin Rodgers CCIE# 47151
A Few Notes
• Typically you would create a base config and adjust it based on
needs.
• ISE has a built-in function that will help create the switch
configuration.
• This works okay, but is seldom the finished product.
• Switch configuration is complicated and long.
• The good news is, once you get it figured out, you are really only
going to cut/paste the config into your other switches.
Cisco ISE Training
ISE MAB
Kevin Rodgers CCIE# 47151
Lab Tasks
• Configure and test Monitor Mode.
• Configure Low-Impact Mode
• Create an identity group for Printers.
• Manually assign the lab printer to the above printer identity group.
• Create policy granting access to the printer identity group.
• Configure Closed-Mode
Cisco ISE Training
User-Only PEAP
Kevin Rodgers CCIE# 47151
Lab Tasks
• Add IP-Helper addresses to SVIs.
• Apply ISE configuration to g1/0/1 (test workstation).
• Configure Policy to match on Contractor AD Group and assign
authorization profile.
• Configure Contractor Authorization Policy to change VLAN to 20.
• Configure Policy to match on Employee AD Group and assign
authorization profile.
• Walkthrough of the Windows Built-in Supplicant including CA Root
Certificate.
• Testing.
Cisco ISE Training
ISE Easy Connect
Kevin Rodgers CCIE# 47151
What is it?
• The 4 second version is, it is a toned down version of 802.1x.
• Uses a process called Passive Identity to learn of successful
authentications directly from Active Directory and apply network
policy based on the outcome.
• During the initial connection, ISE will grant access to login to AD.
• ISE will obtain the status of the authentication from AD, and
potentially send a CoA for additional “authenticated” access.
Lab Tasks
• Join test workstation to the acme.local domain.
• Disable the supplicant on the test workstation.
• Enable the passiveID service on the ISE PSNs.
• Configure Easy Connect.
• Configure a default rule granting limited access to all devices with
passiveID.
• Configure a new rule matching on a passiveID AD Group (employee).
• Test.
Cisco ISE Training
User and Machine
Kevin Rodgers CCIE# 47151
User and Machine
• Within the Windows supplicant, there is no mechanism that will
allow you to send both user and machine credentials at the same
time.
• Within this course, we will go through several workarounds to
authorize both the machine and the user.
• Machine Access Restrictions (MAR)
• When a machine logs in, ISE will remember its MAC Address for a
configurable amount of time, after a successful machine authentication.
• When the user logs in, ISE will check the MAR DB for the machine MAC
Address. If found, the device is considered authenticated. If not found, the
authentication is “user only”.
Windows Supplicant
• There are three overall methods:
• User Only: Only user credentials are used for 802.1x authentication. This
occurs during the initial login, and can occur at any point after.
• Machine Only: Only machine credentials are used for 802.1x authentication.
This occurs before the user logs in, and can occur at any point after.
• User or Machine: Machine authentication occurs before the user logs in, and
never again. User authentication occurs during the initial login, and at any
point after.
The Pain 1
• ISE is only configured for Wireless and the MAR cache is set for 16 hours.
• Bob comes into the office on Monday morning, boots up while attached to
the wireless network, both authentications go through and all is well.
• Monday at 5pm, Bob runs out of the building and does not take his laptop
with him. Instead, he simply shuts the lid.
• Tuesday morning comes and Bob opens his lid.
• The MAR cache expired.
• The device was never logged off and therefore never re-triggered machine
authentication.
• Bob cannot access the wireless network or has limited access.
• The CIO calls you and says “ISE Sucks”.
The Pain 2
• ISE is only configured for Wireless and the MAR cache is set for 16
hours.
• Bob comes into the office on Monday morning, docks his laptop, and
begins working on the wired network.
• Bob is a busy guy and opens 47 applications.
• Bob goes to his 10am meeting, undocks, and cannot connect to
wireless as there never was a machine authentication.
• Bob has to close his 47 applications and logout to trigger machine
authentication.
• Bob gets fired because it always takes him 15 minutes to get ready
for the meeting.
MAR Bottom Line
• A balance is needed between the MAR cache and reasonable
expectations of the end users.
• Example: If the MAR Cache is set to 16 hours, the end user will have
to logout or boot up while attached to wireless every morning.
• Example: If the MAR Cache is set to 1 Week, the end user will have to
logout or boot up while attached to wireless once per week.
• 16-Hours = The end user is angry because it is such a pain to get on wireless.
• 1-Week = The end user is angry because he “naturally” logged out at least
once per week for months, but then doesn’t, and forgot the process.
• 6-Months = The security policy gets diluted and easier to crack.
• Well, what if ISE is on both wired and wireless? Problem solved?
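An added Python model (not course material) of the MAR cache as the slides describe it, replaying "The Pain 1", "The Pain 2" and the 16-hour versus 1-week trade-off as timelines so the user-only outcomes can be seen rather than argued; the MAC address and dates are constructed, and the real ISE cache behaves this way only to the extent the slides state.

```python
from datetime import datetime, timedelta


class MARCache:
    """Machine Access Restriction cache as the slides describe it: a successful
    machine authentication stores the MAC for `ttl`; a later user authentication
    counts as "machine+user" only while that entry is still present."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.expiry = {}  # MAC -> datetime at which the entry is gone

    def machine_authenticated(self, mac, when):
        self.expiry[mac] = when + self.ttl

    def user_authenticated(self, mac, when):
        until = self.expiry.get(mac)
        return "machine+user" if until is not None and when < until else "user-only"


def simulate(ttl, events):
    """Replay (time, kind, mac) events in time order; kind is "machine" or "user".
    Returns (time, outcome) for every user authentication."""
    cache = MARCache(ttl)
    outcomes = []
    for when, kind, mac in sorted(events):
        if kind == "machine":
            cache.machine_authenticated(mac, when)
        else:
            outcomes.append((when, cache.user_authenticated(mac, when)))
    return outcomes


MAC = "00-11-22-33-44-55"  # constructed
MONDAY_0800 = datetime(2024, 1, 8, 8, 0)  # constructed; a Monday


def pain_1():
    """Boot on wireless Monday (machine auth, then user auth), lid closed overnight,
    lid opened Tuesday: no logoff or reboot, so no fresh machine auth, and the
    16-hour entry has expired."""
    events = [
        (MONDAY_0800, "machine", MAC),
        (MONDAY_0800 + timedelta(minutes=1), "user", MAC),
        (MONDAY_0800 + timedelta(days=1), "user", MAC),  # Tuesday 08:00, lid opened
    ]
    return [outcome for _, outcome in simulate(timedelta(hours=16), events)]


def pain_2():
    """Docked on a wired port ISE does not control, so ISE never saw a machine auth;
    the 10:00 undock to wireless is the first authentication ISE sees."""
    events = [(MONDAY_0800 + timedelta(hours=2), "user", MAC)]
    return [outcome for _, outcome in simulate(timedelta(hours=16), events)]


def wireless_only_week(ttl_hours, machine_auth_days):
    """Bob boots or logs off on the given weekdays (0 = Monday) while on wireless and
    opens the lid at 08:01 every weekday. Returns the weekdays on which he lands
    user-only, which is what the 16-hour versus 1-week discussion is about."""
    events = []
    for day in range(5):
        t = MONDAY_0800 + timedelta(days=day)
        if day in machine_auth_days:
            events.append((t, "machine", MAC))
        events.append((t + timedelta(minutes=1), "user", MAC))
    return [(when - MONDAY_0800).days
            for when, outcome in simulate(timedelta(hours=ttl_hours), events)
            if outcome == "user-only"]


if __name__ == "__main__":
    print("Pain 1:", pain_1())
    print("Pain 2:", pain_2())
    print("16h cache, Monday boot only, user-only days:", wireless_only_week(16, {0}))
    print("1-week cache, Monday boot only, user-only days:", wireless_only_week(24 * 7, {0}))
```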
Cisco ISE Training
EAP-TLS
Kevin Rodgers CCIE# 47151
A Few Notes
• EAP-TLS is considered more secure than PEAP.
• In an environment with a Microsoft PKI, the process is rather easy.
• ISE also has a built-in CA Server, but it is not recommended for use as
a main CA for all authentications. Rather, it is mostly used for BYOD
(lesson to follow).
• Many customers push back on this as they feel standing up the PKI
infrastructure is difficult.
• EAP-TLS order-of-operations issue.
Cisco ISE Training
Device Profiling
Kevin Rodgers CCIE# 47151
Profiling Probes
• ISE has several methods of detecting what type of device is
connecting to the network.
• Netflow
• Collects Netflow data and forwards to ISE for analysis.
• DHCP
• The DHCP probe looks at DHCP broadcasts for information about the endpoint. This is
the most useful and widely used probe. An IP Helper is required to send the data to the
ISE PSNs.
• DHCPSPAN
• Similar to above, but spans the data instead of the IP Helper.
• HTTP
• Gathers information from the HTTP header when a user hits an ISE Portal.
• RADIUS
• Collects RADIUS Session attributes from each authenticating device.
Profiling Probes (Continued)
• Network Scan (NMAP)
• Will run an intrusive scan on the endpoint. Typically used in conjunction with
other probes and only when necessary.
• DNS
• Checks DNS records for additional information.
• SNMPQUERY/SNMPTRAP
• Gathers information from SNMP. This is typically used to help identify
networking equipment.
• Active Directory
• Queries AD for additional endpoint information for AD joined devices.
• pxGrid
• Used with the Cisco Industrial Network Director (not covered in this course).
Built-In Database
• ISE comes with a database of endpoint attributes which gets updated
frequently.
• Each profile rule is assigned a numerical value, if matched.
• The matched rules are added together to determine a Certainty
Factor.
• If the added rules exceed the “Minimum Certainty Factor”, the
overall profile is matched.
• For example:
Profile Values
• There is a built-in profile named “Aastra-Device”.
• For ISE to believe the connecting device is an “Aastra-Device”, it must
have a minimum certainty factor of 5. There are three rules:
• OUI: Does the OUI contain the word “Aastra”. If so, +5.
• DHCP Class Identifier: Does the DHCP Class Identifier contain the word
“Aastra”. If so, +5
• LLDP System Description: Does the LLDP System Description contain the
word “Aastra”. If so, +5
• If any one of these three rules matches, we meet the minimum
certainty factor and ISE will profile the device as an “Aastra-Device”.
Ties
• If a given device matches more than one profile, the profile with the
highest total certainty factor wins.
• Back to our “Aastra-Device”. This is a “main” profile, and under it is
another profile named “Aastra-IP-Phone”, which requires a certainty
factor of 10. The IP Phone Profile has two rules:
• DHCP Class Identifier: If the DHCP Class Identifier has the word
“AastraIPPhone”, +10
• LLDP System Description: If it has the word “Aastra IP Phone”, +10
• If a device’s DHCP Class Identifier contains the word “AastraIPPhone”, for
example, it matches the parent profile (the value also contains “Aastra”,
+5) and the child profile (+10). Since the child’s certainty factor (10) is
higher than the parent’s (5), the child profile wins and ISE will
consider the device an “Aastra-IP-Phone”.
Profile Updates
• When a device first attaches to the network, ISE does not know what
it is yet. Seconds later, the profiling data arrives and the endpoint’s
profile changes, so we must configure which Change of Authorization
(CoA) action ISE takes when that happens. This can be set globally
or under each profile:
• Take No Action
• No CoA is sent. The device keeps its current authorization until it re-authenticates
naturally.
• Port Bounce
• ISE instructs the network access device to shut/no shut the port. The device re-
authenticates, and now that the profiling data exists it matches the appropriate profile.
Required when the new authorization moves the endpoint to a different VLAN, so that it
renews its IP address.
• Reauth
• ISE forces the endpoint to re-authenticate on the existing session (faster than a
port bounce, and no link down for the endpoint).
Profile Options
• We can also use a “generic” profile to trigger an NMAP Scan to gain
more detail.
• We also have the option of automatically placing the endpoint into
an endpoint group, which we can call in our policy. For example:
• If you match the profile “HP Printer”, place the MAC Address in an Endpoint
Group named “HP Printer”
• From there, we can call the endpoint group in our access policy:
• If the device is in the endpoint group “HP Printer”, then grant the authorization profile
“HP Printer”.
Custom Profile
• While Cisco does a pretty good job, they can’t possibly maintain a
database of every single device ever produced.
• We can create custom profiles to match the endpoints we have on
our network that are not in the Cisco Database.
• Our job is to find a series of attributes that will match our custom
profile, but will not match anything else. Or, create a high value in our
rules to make sure the device matches the profile we want it to
match.
Profile Caveats
• Exercise caution when you make changes to the profiling database.
• Let’s say you have 2,000 Cisco IP Phones and they are all profiled as the parent
profile “Cisco-IP-Phone”, and you want them to match a child profile for a
specific model of IP Phone.
• You make the change to the child profile to match the specific model.
• If your profiling CoA action is port bounce, ISE will see that every phone now has a
new profile and send a port bounce to each of them.
• Every phone in your organization just rebooted at the exact same time.
• Profiling is not 100%, so try not to rely on it 100%. For example, often a
company will want differentiated policy for workstations as opposed to
mobile devices. We have two choices:
• Make sure ISE will match on every workstation type ever produced on earth.
• Make sure ISE will match on every mobile device ever produced on earth.
• The point is, sometimes the policy may not be 100% and manual changes will be
required.
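The certainty-factor arithmetic from “Built-In Database”, “Profile Values” and “Ties” above, and the port-bounce storm from “Profile Caveats”, are easier to reason about as code. The following is an added example, not ISE code and not part of the original slides: a small model that sums rule weights into a certainty factor, resolves parent/child profiles, and dry-runs a profile edit against a fleet to count how many endpoints would re-profile (and therefore receive a CoA). The profile rules are a hand-typed subset of the Aastra profiles the slides describe, the “deeper profile wins on an equal score” tie-break is an assumption of this model, and every endpoint in the fleet is constructed test data.

```python
"""Added example (not ISE code): certainty factor, parent/child resolution
and a dry run of a profile change. Profiles and endpoints are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    attribute: str   # endpoint attribute the rule inspects (ISE attribute name)
    contains: str    # substring the attribute value must contain
    weight: int      # certainty added when the rule matches


@dataclass
class Profile:
    name: str
    min_cf: int              # Minimum Certainty Factor
    rules: List[Rule]
    parent: Optional[str] = None


def certainty(profile: Profile, attrs: dict) -> int:
    """Total weight of every rule that matches (case-insensitive CONTAINS)."""
    return sum(r.weight for r in profile.rules
               if r.contains.lower() in attrs.get(r.attribute, "").lower())


def profile_endpoint(profiles: List[Profile], attrs: dict) -> str:
    """Name of the winning profile, or 'Unknown'. A child is only a candidate
    when every ancestor also meets its minimum; the highest certainty wins,
    and on an equal score the deeper (more specific) profile wins (assumption)."""
    by_name = {p.name: p for p in profiles}
    best, best_key = "Unknown", (-1, -1)
    for p in profiles:
        cf, depth, anc = certainty(p, attrs), 0, p
        while anc.parent:
            anc = by_name[anc.parent]
            depth += 1
            if certainty(anc, attrs) < anc.min_cf:
                cf = -1                      # ancestor failed: disqualify child
                break
        if cf >= p.min_cf and (cf, depth) > best_key:
            best, best_key = p.name, (cf, depth)
    return best


def coa_impact(before: List[Profile], after: List[Profile], fleet: dict) -> list:
    """Dry run of a profile change: the MACs whose profile would change, i.e.
    the endpoints that would receive a CoA (port bounce or reauth)."""
    return [mac for mac, attrs in fleet.items()
            if profile_endpoint(before, attrs) != profile_endpoint(after, attrs)]


def with_extra_rule(profiles: List[Profile], name: str, rule: Rule) -> List[Profile]:
    """Copy of the profile set with one more rule on the named profile."""
    return [Profile(p.name, p.min_cf, p.rules + [rule], p.parent)
            if p.name == name else p for p in profiles]


PROFILES = [
    Profile("Aastra-Device", 5, [
        Rule("OUI", "Aastra", 5),
        Rule("dhcp-class-identifier", "Aastra", 5),
        Rule("lldpSystemDescription", "Aastra", 5)]),
    Profile("Aastra-IP-Phone", 10, [
        Rule("dhcp-class-identifier", "AastraIPPhone", 10),
        Rule("lldpSystemDescription", "Aastra IP Phone", 10)],
        parent="Aastra-Device"),
]

# Constructed fleet: phones whose class identifier names the model but not
# "AastraIPPhone", so today they only match the parent profile.
FLEET = {f"02:AA:00:00:{i // 256:02X}:{i % 256:02X}":
         {"OUI": "Aastra Telecom", "dhcp-class-identifier": "Aastra 6757i"}
         for i in range(2000)}

# The caveat from the slides: add a model-specific rule to the child profile
# and every phone re-profiles at once.
CHANGED = with_extra_rule(PROFILES, "Aastra-IP-Phone",
                          Rule("dhcp-class-identifier", "6757i", 10))

if __name__ == "__main__":
    print(profile_endpoint(PROFILES, {"dhcp-class-identifier": "AastraIPPhone6757i"}))
    print(len(coa_impact(PROFILES, CHANGED, FLEET)), "endpoints would get a CoA")
```

Running the dry run before saving the change is the check the caveat calls for: if the number it returns is “every phone you own”, schedule the edit for a maintenance window or temporarily set the profiling CoA to Take No Action.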
Client Provisioning
Client Provisioning Overview
• The first step in a posture policy is typically a client provisioning
policy.
• For the most part, ISE requires Anyconnect for posture assessment.
• In addition, there are also several Anyconnect modules and
configuration files that are required to be installed on top of
Anyconnect.
• It’s not pretty, but it does work.
Client Provisioning Conditions
• Native Supplicant Profile.
• Tells the built-in supplicant what to do.
• NAM Profile
• Tells the Anyconnect client which networks the client is allowed to attach to, and
the associated settings (security, etc…).
• Anyconnect Configuration
• Tells Anyconnect which modules and profiles it should use, as well as when it
should update itself.
• ISE Posture Agent Profile
• Many settings related to posture.
• Anyconnect Compliance Module
• The capabilities of the Anyconnect Posture Agent.
• WinSPWizard / MacOsXSPWizard
• Supplicant Provisioning Wizard, one per operating system (used for BYOD onboarding).
Client Provisioning Process
• Create a Redirect ACL on the network device to redirect traffic to the client
provisioning portal.
• Build all client provisioning conditions (profiles, modules, etc…) and options.
• Create a client provisioning policy and point it to newly created conditions.
• Create an authorization profile that points to the Client Provisioning Portal.
• Create access policy based on the three possible states of posture
compliance:
• Not Compliant: The device failed the compliance check.
• Compliant: The device passed the compliance check.
• Unknown: The device did not run the compliance check yet, this is the rule that
will point to the Client Provisioning Portal.
Client Provisioning Options
• Timers
• Remediation Timer: If a device has to do something to become compliant,
the device is given X minutes to complete the update before the check runs
again.
• Network Transition Delay: How long to wait in-between states.
• Continuous Monitoring Interval: How often Anyconnect should send updates
to ISE.
• Cache Last Known Posture Compliant Status: Grace period between when a
device is compliant and then becomes non-compliant, before the posture
policy is enforced.
• Posture Lease: How often to run the posture check. E.g. 7 Day posture checks
means once a device is compliant, it will remain compliant and no further
checks will be run for 7 days.
• Default Posture Status: Compliant or Non-Compliant. The status ISE assigns to
endpoints that cannot run a posture agent, so it decides whether such devices get on
or stay off the network.
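The three-state access policy from “Client Provisioning Process” and the timers above interact: the posture lease and the cached-compliant grace period decide which state the policy actually sees. The following is an added example, not ISE code and not part of the original slides, that evaluates those rules for a handful of constructed sessions. The authorization profile names, the redirect ACL name, the portal URL, the timer values and the sessions are all assumptions.

```python
"""Added example (not ISE code): the posture-state policy from the slides
as a function, with the posture lease and the cached-compliant grace period
evaluated before the authorization rule is chosen. All names are assumed."""
from datetime import datetime, timedelta

POSTURE_LEASE = timedelta(days=7)             # slide example: 7-day posture checks
CACHE_LAST_COMPLIANT = timedelta(minutes=10)  # assumed grace period

# Assumed authorization profiles. The Unknown rule sends the endpoint to the
# Client Provisioning Portal with a URL redirect; the url-redirect-acl value
# must match the redirect ACL configured on the switch or WLC.
AUTHZ = {
    "Unknown": {"profile": "Posture-Redirect", "avpairs": [
        "url-redirect-acl=ACL-POSTURE-REDIRECT",
        "url-redirect=https://ise.example.com:8443/portal/gateway?action=cpp"]},
    "Compliant": {"profile": "Employee-Full-Access", "avpairs": []},
    "NonCompliant": {"profile": "Posture-Quarantine", "avpairs": []},
}


def effective_posture(session: dict, now: datetime) -> str:
    """State the policy acts on. session holds 'PostureStatus'
    (Unknown/Compliant/NonCompliant) and optionally 'LastCompliantAt'."""
    status = session.get("PostureStatus", "Unknown")
    last_ok = session.get("LastCompliantAt")
    if last_ok is not None:
        age = now - last_ok
        if status == "Unknown" and age < POSTURE_LEASE:
            return "Compliant"   # lease still valid: no new assessment required
        if status == "NonCompliant" and age < CACHE_LAST_COMPLIANT:
            return "Compliant"   # grace period before the policy is enforced
    return status if status in AUTHZ else "Unknown"  # anything odd -> provisioning


def authorize(session: dict, now: datetime):
    """Return (posture state, authorization profile dict) for a session."""
    state = effective_posture(session, now)
    return state, AUTHZ[state]


NOW = datetime(2024, 1, 15, 12, 0)  # constructed reference time
SCENARIOS = {
    "fresh":           {"PostureStatus": "Unknown"},
    "lease_valid":     {"PostureStatus": "Unknown",
                        "LastCompliantAt": NOW - timedelta(days=2)},
    "lease_expired":   {"PostureStatus": "Unknown",
                        "LastCompliantAt": NOW - timedelta(days=8)},
    "just_failed":     {"PostureStatus": "NonCompliant",
                        "LastCompliantAt": NOW - timedelta(minutes=5)},
    "failed_for_long": {"PostureStatus": "NonCompliant",
                        "LastCompliantAt": NOW - timedelta(minutes=30)},
    "passed":          {"PostureStatus": "Compliant", "LastCompliantAt": NOW},
}


def run_scenarios() -> dict:
    """Evaluate every constructed session; returns name -> (state, profile)."""
    return {name: (authorize(s, NOW)[0], authorize(s, NOW)[1]["profile"])
            for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16} -> {result}")
```

Note that an unrecognised status falls through to the Unknown rule rather than to full access: the safe failure mode is another trip through the provisioning portal, never a silent permit.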
ISE Posture
Posture Clients
• Only runs on Windows or Macintosh.
• Three Client Options:
• Anyconnect
• Anyconnect (Stealth Mode)
• Temporal Agent
• Differences between the Operating System and Client Options.
• The posture checks on Windows are different than the posture checks on
Macintosh.
• The posture checks in Stealth Mode are different than full Anyconnect or the
Temporal agent.
Posture Hierarchy
• Posture Condition
• What CAN be checked?
• Remediation Action
• What should we do if an endpoint fails one of the requirements?
• Posture Requirement
• Posture Condition + Posture Remediation + OS + Compliance Module
Type/Version.
• Posture Policy
• Turns on the Posture Requirement.
Windows Posture Conditions
• Anti-Malware: installed and up to date.
• Anti-Spyware: installed and up to date.
• Anti-Virus: installed and up to date.
• Application: Checks if a specific application is installed and/or
running.
• Compound Condition: Checks more than one item in a single policy.
• Disk Encryption: Ensures the disk is encrypted by a specific vendor.
• File Condition: Confirms a file is present on the hard disk of the
client.
• Firewall Condition: Checks if an endpoint firewall is running.
Windows Posture Conditions (Cont)
• Patch Management: Checks for the installation of software patches
for several vendors.
• Registry: Checks for the existence of a registry key or value.
• Service Condition: Checks for a running service.
• USB Condition: Checks if USB storage device is connected.
• Hardware Attributes: Collects details about the endpoint hardware.
Windows Remediation
• Application: Uninstall or Kill an application (Automatic).
• Anti-Malware: Update Anti-Malware (Automatic).
• Anti-Spyware: Update (Automatic).
• Anti-Virus: Update (Automatic).
• File: Upload file to endpoint (Automatic).
• Firewall: Enables firewall (Automatic).
• Launch Program: Launches application (Automatic).
• Link Remediation: Displays a clickable link.
• Patch Management: Download/install patches (Automatic).
Windows Remediation (Cont)
• USB: Blocks USB Ports (Automatic).
• Windows Server Updates: Updates patches (Automatic).
• Windows Updates: Updates patches (Automatic).
EAP Chaining
Lab Tasks
• Configure EAP-FAST
• Configure EAP-Chaining Policy
• Modify client provisioning policy to support EAP Chaining.
• Test client updates and connectivity.
ISE Wireless Policy
Lab Tasks
• Add new Network Device Type (Wireless)
• Create Network Device (WLC)
• Create new Overall Wireless Policy
• Create Authorization Profiles
• Create/Test Policy for ISE-Corp:
• PEAP (User-Only)
Guest Access
Guest Models
• Hotspot Portal
• The guest connects to the Guest SSID and is automatically forwarded to a splash screen.
• Optional AUP Acceptance
• Optional Code Required
• Sponsored Guest Portal (self-registration with sponsor approval)
• The guest connects and is forwarded to a form to fill out.
• Configurable – Items such as name, company name, email address, etc…
• Guest must know the email address of the employee being visited.
• The employee receives an email and approves or rejects the guest access.
• The guest receives an email with their credentials, if approved.
• Lobby Ambassador
• An employee in reception simply creates a guest account and distributes to the guest.
• Prints and physically hands out credentials.
• SMS Text Message
• Email
Guest Types
• Prebuilt and custom options.
• Contractor
• Grant access for 1-365 days (90 day default).
• Maximum of 3 simultaneous logins.
• Maximum of 5 registered devices.
• Daily
• Access from 1-5 days (1 day default).
• 3 logins and maximum of 5 devices.
• Weekly
• Access from 1-14 days (5 day default)
• 3 logins and maximum of 5 devices.
• SocialLogin
• Access from 1-5 Days (1 day default)
• 3 logins and maximum of 5 devices.
Guest Sponsor Groups
• Typically each sponsor group is mapped to an AD group, so AD membership decides who
may sponsor guests.
• Also has built-in and custom options.
• ALL_ACCOUNTS
• Sponsor can manage all guest accounts.
• Manage = Change passwords, terminate accounts, etc…
• GROUP_ACCOUNTS
• Sponsor can manage guest accounts created by anyone within the same
sponsor group.
• OWN_ACCOUNTS
• Sponsor can manage guest accounts they created only.
Guest Portals
• Pre-Built or Custom
• Hotspot Guest
• No username required, only an optional passcode.
• Self-Registered Guest
• Guests create their own accounts.
• Sponsored Guest Portal
• The sponsor creates the guest account.
ISE BYOD Overview
BYOD Overview
• Method used to allow employees to “onboard” their personal or
company issued devices.
• Supports
• Android
• Apple iOS
• Google Chromebook
• Macintosh
• Windows
• Increases security and is often used to allow limited access to
internal resources on non-company owned devices.
• Can also be used to increase security for non-domain joined devices
(Macintosh).
BYOD Flow (Single SSID)
• User connects to SSID and logs in with Active Directory credentials
using PEAP.
• The device is profiled as a device type that requires onboarding.
• The endpoint is redirected to a BYOD Portal for device onboarding.
• The endpoint downloads required software and a profile.
• The endpoint is issued a client certificate by ISE.
• The endpoint reauthenticates using EAP-TLS and presents ISE with
the client certificate.
BYOD Caveats
• An endpoint may require Internet Access to download the required
software (Google Play, Apple Store, etc…).
• Option 1: Grant full Internet Access before onboarding.*
• *With this option we also have to change the way traffic is redirected.
• Option 2: Create a WLC URL (domain-name based) ACL that allows access to the stores.
• Option 3: Add the IP Address of each “store” to the ACL.
• Mostly cloud services so the IP Address may change frequently.
• The IP Address to reach the store may be different based on where the traffic originates
from.
• Unless the BYOD portal certificate is issued by a CA the device already trusts, the
BYOD device will show a certificate warning that must be manually accepted before
the process continues.
• We are using the Single SSID Method, but you can also configure with
dual-SSID.
IBNS 2.0
IBNS 2.0 Overview
• Offers greater control and granularity.
• Offers the ability to process MAB and 802.1x at the same time (significant
performance improvement).
• Follows the familiar C3PL (Cisco Common Classification Policy Language)
syntax.
• Create Control Classes
• E.g. What are we matching?
• Session Start?
• AAA Down?
• Failure or Success?
• Create Control Policy
• E.g. What do we want to happen when a Class is matched?
• Pause?
• Move on?
• Apply Configuration?