
Take the Hassle out of your ISE deployment!

K.I.T.T.
Know ISE Through Training
BRKSEC-2059 - Deploying ISE in a Dynamic Environment

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Deploying ISE in a Dynamic Environment
Clark Gambrel, CCIE #18179
Technical Leader, Engineering, Core Software Group
BRKSEC-2059
Abstract
Managing a secure, yet flexible network in today's public access environments can
be very challenging. Public access networks in areas like universities, hospitals
and airports host a broad array of devices, both privately owned and corporately
managed. With the increasing importance of the Internet of Things, the variety of
devices that need to connect to these public networks is rapidly increasing. Cisco
Identity Services Engine (ISE) plays an integral role in controlling the access to
these dynamic public networks. This session will share lessons learned (best
practice) from an ISE escalation engineer in troubleshooting complex customer
environments.
Introduction
Clark Gambrel, CCIE #18179
Technical Leader – Engineering, Core Software Group
cgambrel@cisco.com
@ClarkGambrel

KENTUCKY
Kentucky is known for…
Cisco ISE Break Out Sessions
BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec
Imran Bashir | Tue 08:00-10:00 AM, Level 3, South Seas F | Wed 1:30-03:30 PM, Level 2, Mandalay Bay E

BRKSEC-3699 Designing ISE for Scale & High Availability
Craig Hyps | Tue 1:30-03:30 PM, Level 2, Mandalay Bay J

BRKSEC-2059 Deploying ISE in a Dynamic Environment
Clark Gambrel | Tue 04:00-05:30 PM, Level 3, South Seas E

BRKSEC-3697 Advanced ISE Services, Tips and Tricks
Aaron Woland | Tue 08:00-10:00 AM, L-2, Mandalay Bay G | Wed 1:30-03:30 PM, L-2, Mandalay Bay H

BRKSEC-2039 Cisco Medical Device NAC
Mark Bernard and Tim Lovelace | Mon 04:00-05:30 PM, Level 3, South Seas D

BRKCOC-2018 Inside Cisco IT: How Cisco Deployed ISE and TrustSec
David Iacobacci, Bassem Khalife | Thu 08:30-10:00 AM, Level 3, South Seas E

Cisco TrustSec Break Out Sessions
BRKSEC-2203 Enabling Software-Defined Segmentation with TrustSec
Fay Lee | Tue 4:00-5:30 PM, Level 2, Mandalay Bay G

BRKCRS-2893 Choice of Segmentation and Group based Policies for Enterprise Networks
Hariprasad Holla | Thu 10:30-12:00 PM, Level 2, Breakers IJ

BRKCRS-2810 Cisco SD-Access - A Look Under the Hood
Shawn Wargo | Mon 1:30-03:30 PM, L-2, Lagoon I | Tue 08:00-10:00 AM, L-3, South Seas D

BRKSEC-2205 Security and Virtualization in the Data Center
Justin Poole | Mon 08:00-10:00 AM, Level 2, Reef F

BRKSEC-3014 Security Monitoring with StealthWatch: The detailed walkthrough
Matthew Robertson | Mon 1:30-3:30 PM, Level 2, Breakers IJ

BRKSEC-2026 Building Network Security Policy Through Data Intelligence
Darrin Miller, Matthew Robertson | Wed 4:00-5:30 PM, Level 3, South Seas G
Agenda
• Introduction
• Public environments, Why are they so challenging?
• Advice – Words to live by in any environment (Best Practice!)
• Education – What we have learned
• Hospitals/Medical – Protecting the heart of your network
• Public Transportation – Tips for the thrifty traveler
• Conclusion

Please ask questions!!!
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until July 3, 2017: cs.co/ciscolivebot#BRKSEC-2059
Public environments, Why are they so challenging?
• On average each person carries 2.9 devices
• Each year new devices are introduced
• Devices add new technology enhancements, e.g. TLS versions, mini browsers
• Device behavior differs from one OS version to the next
• Devices are mostly unmanaged
• End users have different levels of knowledge when it comes to configuring their own devices (“Where’s the ANY key?”)
• Users expect a simple experience, similar to home use
• Lots of configuration parameters on ISE/Wireless Controller, which are correct?

Image credits: Kenny Louie under Creative Commons License; New and Improved - http://tvtropes.org; Dilbert 2010
Advice – Words to live by in any environment (Best Practice)

Inter-Node Communications: Radius Flapping can be a real mess!
• Profiling sync leverages JGroup channels
• All replication outside a node group must traverse the PAN, including ownership changes!
• If the local JGroup fails, nodes fall back to the global JGroup communication channel
• Ok, now Radius flapping occurs. This could be due to timeouts on the WLC or due to the “Radius NAC” accounting bug
• It will also happen if a PSN receives profiling information for an endpoint that it doesn’t own

Diagram (not reproduced): a WLC reaching, over L2 or L3, two node groups, Node Group A (JGroup A) with PSN1-PSN3 and Node Group B (JGroup B) with PSN4-PSN6, plus two PANs and two MnTs. First PSN5 says “I own this mac address” and PSN3 answers “Ok, PSN5 owns this mac address”; after the flap PSN3 says “I own this mac address” and PSN5 answers “Ok, PSN3 owns this mac address”. Each swap is an ownership change that has to be replicated through the PAN.
Profiling and Data Replication – Before Tuning
Figure (not reproduced): PAN and two MnTs above Node Group = DC1-group and Node Group = DC2-group. Data for one endpoint arrives at different PSNs: RADIUS Auth (1), RADIUS Accounting (2), DHCP 1 (3), DHCP 2 (4), NetFlow and NMAP. Legend: # = ownership change, each followed by global replication.

Impact of Ownership Changes – Before Tuning
Figure (not reproduced): every PSN in DC1-group and DC2-group is asking “Owner?” as the RADIUS Auth, RADIUS Accounting, DHCP 1, DHCP 2, NetFlow and NMAP data for the same endpoint land on different nodes.
Advice: Timers
(Image: Displaying a Clock Collection - www.doityourself.com)

Advice: Timers
WLC: Radius
• The default timer value of 2 seconds is too short
• During busy times, authentication latency may increase and exceed the default value
• Use a best-practice value between 5-10 seconds, typically
• Use timers appropriate to the environment (tune for your environment)
• Some remote/cloud-based RADIUS servers may have higher authentication latency and require some tweaking

WLC: Radius - Continued
• Set timers too long and the client might restart its session; the retries from the RADIUS server will then be dropped
• Avoid unnecessary RADIUS server flaps caused by timers that are too short
• RADIUS flapping can have major impacts on an ISE deployment
(Image: Superman II, Warner Brothers 1980, PSN1 vs PSN2)

Advice: Timers - Radius
Screenshot callouts (WLC RADIUS server settings, not reproduced): Server Timeout typically 5-10 seconds; the accounting server timeout usually matches the authentication server timeout value.

WLC: Radius - Continued
• Make sure that Aggressive Failover is disabled in the command line of the WLC. This can have a big impact on ISE and wireless auths in general:

(Cisco Controller) >config radius aggressive-failover disable
Advice: Timers - WLANs
Screenshot callouts (WLC WLAN Advanced settings, not reproduced):
• Session Timeout: increase to 2+ hours (7200+ sec), if enabled (recommended). This can also be sent as a RADIUS attribute from ISE under the Authorization Profile.
• Client Exclusion: increase to 180+ seconds (3+ mins)
• Client Idle Timeout: for 802.1X SSIDs, increase to 1 hour (3600 sec). For Guest/Hotspot SSIDs, leave this low (300 sec) to free up resources (HTTP redirect sessions) for clients that have disconnected.

Interim Update
• WLC 7.6: recommended setting Disabled. Behavior: only send an update on IP address change. This ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates; Device Sensor updates are not impacted.
• WLC 8.0: recommended setting Enabled with Interval set to 0. Behavior: only send an update on IP address change. Device Sensor updates are not impacted; settings are mapped correctly on upgrades.
Advice: VM Resources
Reservations
• To be successful (and supported), ISE VMs must be built with dedicated resources that are equivalent to the hardware appliance. Specifications are listed in the ISE 1.3+ and ISE 2.0.1+ Installation Guides.
• In 1.3 we added OVA templates for deploying SNS-3415 and SNS-3495 equivalent hardware. That has been expanded to include the SNS-3515 and SNS-3595 platforms as well.
• It is highly recommended that you use these templates!
• Admin and MnT nodes rely heavily on disk usage (reads/writes).
• Deploying ISE in VMware environments where shared disk storage is utilized may not give like disk performance when compared to physical appliances.
• Increasing the number of disk shares that a node is allocated can in most cases increase performance of the node.

Reservations – Before & After Chart and Before & After Graph (figures not reproduced)

Advice: VM Settings
• Snapshots are not supported!
Advice: Avoid Meltdowns
ISE Settings
• Make sure that anomalous client detection and suppression is enabled (Administration > Settings > Protocols > RADIUS): suppress misbehaving clients as well as repeated successful authentications
• Only use the profiling probes/information that you need (Administration > Deployment > Profiling). Don’t have information overload. Avoid probes that use SPAN. Start with RADIUS only first. Use Device Sensor in the network access device.
• Enable the EndPoint Attribute Filter (Administration > Settings > Profiling)
Load Balancing RADIUS
Sample Flow – round-robin without persistence
Topology (diagram not reproduced): the NAD sits in VLAN 98 (10.1.98.0/24); the PSN-CLUSTER of ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6) and ISE-PSN-3 (10.1.99.7) sits in VLAN 99 (10.1.99.0/24) behind a load balancer with Access VIP 10.1.98.8.
1. NAD has a single RADIUS server defined: radius-server host 10.1.98.8
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for the same endpoint are load balanced to different PSNs because round-robin (RR) load balancing is used without persistence (sticky)
4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by the LB)
5. RADIUS Accounting sent to/from a different PSN based on RR and no sticky

Sample Flow – with persistence
Same topology.
1. NAD has a single RADIUS server defined: radius-server host 10.1.98.8
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for the same endpoint are load balanced to the same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by the LB)
5. RADIUS Accounting sent to/from the same PSN based on sticky

All NADs are not created equal!
(Figure not reproduced: WLC 8540 versus WLC 2504)

IP vs Calling Station ID Stickiness
(Figure not reproduced: relative cost of each, shown as $$$)

Avoid spraying packets!!!
(Diagram not reproduced: same topology, with the auth request, auth response and accounting for one endpoint spread across different PSNs)
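The two sample flows above come down to one question: what does the load balancer key its persistence on? The model below is an added example, not code from the deck or from any Cisco product. It builds RADIUS Access-Request and Accounting-Request packets inline (RFC 2865/2866 wire format, constructed sample data), extracts Calling-Station-Id with a fallback to Framed-IP-Address, and runs two interleaved endpoint sessions through a round-robin selector and through a sticky selector. The PSN names and addresses are the deck's; the hashing selector is a minimal stand-in for a real load balancer's persistence table, and the packets' authenticators are zeroed because nothing here validates them.

```python
import hashlib
import itertools
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2866)
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
ACCT_START = 1

# The deck's PSN cluster behind Access VIP 10.1.98.8
PSNS = ["ise-psn-1 (10.1.99.5)", "ise-psn-2 (10.1.99.6)", "ise-psn-3 (10.1.99.7)"]


def build_packet(code, ident, avps):
    """Encode a RADIUS packet: code, id, length, 16-byte authenticator, then
    type/length/value attributes. The authenticator is zeroed: this model only
    looks at attributes, which is also all a persistence rule can look at."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value
                    for atype, value in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_avps(packet):
    """Return {attribute_type: raw_value}, rejecting length fields that do not
    fit the packet instead of reading past its end."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past end of packet")
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return avps


def persistence_key(packet):
    """What the LB should stick on: Calling-Station-Id (the endpoint MAC),
    falling back to Framed-IP-Address for packets that lack it."""
    avps = parse_avps(packet)
    if CALLING_STATION_ID in avps:
        return avps[CALLING_STATION_ID].decode("ascii").upper()
    if FRAMED_IP_ADDRESS in avps:
        return ".".join(str(b) for b in avps[FRAMED_IP_ADDRESS])
    raise ValueError("packet carries neither Calling-Station-Id nor Framed-IP-Address")


def sticky():
    """Persistent selector: hash the endpoint key, so Auth and Acct for one
    endpoint always reach the same PSN (the deck's second sample flow)."""
    def select(packet):
        digest = hashlib.sha256(persistence_key(packet).encode()).digest()
        return PSNS[int.from_bytes(digest[:4], "big") % len(PSNS)]
    return select


def round_robin():
    """Non-persistent selector: the deck's first sample flow, which sprays."""
    counter = itertools.count()
    return lambda packet: PSNS[next(counter) % len(PSNS)]


def endpoint_session(mac, ip, first_id):
    """Constructed Access-Request followed by Accounting-Start for one endpoint."""
    common = [(USER_NAME, b"user-" + mac.replace("-", "")[-4:].encode()),
              (CALLING_STATION_ID, mac.encode("ascii"))]
    auth = build_packet(ACCESS_REQUEST, first_id, common)
    acct = build_packet(ACCOUNTING_REQUEST, first_id + 1, common + [
        (FRAMED_IP_ADDRESS, bytes(int(octet) for octet in ip.split("."))),
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
    ])
    return [auth, acct]


def simulate(selector_factory):
    """Push two interleaved endpoint sessions through the VIP and record which
    PSNs each endpoint's packets landed on. More than one PSN per endpoint
    means its Auth and Acct were split: the 'sprayed' case."""
    a = endpoint_session("00-11-22-33-44-55", "10.1.10.21", first_id=1)
    b = endpoint_session("AA-BB-CC-DD-EE-FF", "10.1.10.22", first_id=10)
    select = selector_factory()
    landed = {}
    for packet in (a[0], b[0], a[1], b[1]):   # both auths, then both accts
        landed.setdefault(persistence_key(packet), set()).add(select(packet))
    return landed


if __name__ == "__main__":
    for name, factory in (("round-robin", round_robin), ("sticky", sticky)):
        for mac, psns in simulate(factory).items():
            print(f"{name:11} {mac}: {sorted(psns)}")
```

Run it and the round-robin case shows both endpoints split across two PSNs, which is exactly the ownership ping-pong the earlier replication slides describe; the sticky case pins each endpoint to one node. Keying on Calling-Station-Id is the choice that survives a change of client IP, which is why the deck pairs it with Framed-IP-Address rather than relying on IP alone.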
Profiling and Data Replication – After Tuning
Figure (not reproduced): PAN and two MnTs above Node Group = DC1-group and Node Group = DC2-group. The RADIUS Auth, RADIUS Accounting, DHCP 1, NetFlow and NMAP data for the endpoint now arrive at one PSN in DC1-group; far fewer ownership changes (#) and global replications.

Impact of Ownership Changes – After Tuning
Figure (not reproduced): a single PSN in DC1-group is the Owner of the endpoint; the other PSNs in DC1-group and DC2-group are not involved.
Advice: Sizing
802.1X requires authentication for encryption
• WPA2-PSK: the Pairwise Master Key (PMK) is derived from the Pre-Shared Key (PSK)
• 802.1X: the PMK is derived from the 802.1X (EAP) authentication

Endpoint Behavior
• Different endpoints behave differently on a network
• Because of this we need to consider the types of endpoints when sizing deployments
• Mobile (handheld) devices are the most demanding due to wireless/power restrictions
• Based on observations from many deployments, a 1x/2x/5x ratio is a good rule of thumb (mobile devices being the 5x)

Mobile devices typically have…
• Less RF output power
• Fewer/smaller antennas
• Lack of support for multiple bands, 2.4/5 GHz (some models)

As a result…
• Roam more often (up to 5x)
• Roam more aggressively
• Repeated sleep/wake cycles to conserve battery

Advice: Avoid Meltdowns
ISE Settings
• Enable EndPoint Attribute Filter
• Avoid Radius Flapping
Advice: Bugs!!!

CSCuu68490 - duplicate radius-acct update message sent while roaming
• If “Radius NAC” is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets (≈ 47 ms apart)
• These packets are unique (different RADIUS IDs) but contain the same information
• Currently resolved in 8.1.131.0+ and 8.2.100.0+ WLC code versions, and 8.0 MR3+

CSCux78389 - Radius Failover should failover both auth/acct server on WLAN
Diagram (not reproduced): client authentication with RADIUS Authentication going through one load balancer (ISE-PSN-1, ISE-PSN-2, ISE-PSN-3) and RADIUS Accounting through a second load balancer (ISE-PSN-4, ISE-PSN-5, ISE-PSN-6); when the WLAN fails over its authentication server, the accounting server should fail over with it.
Resolved: 8.0.140.0, 8.2.151.0, 8.3.111.0

CSCuz76370 - Purging of EP's dependency is on Oracle to determine EP Owner
Resolved: 1.4P9, 2.0.1P3, 2.1P1, 2.2

CSCvc52228 - ISE does not delete endpoint mapping in REDIS when endpoint group is deleted from GUI
Resolved: Currently not resolved

CSCve80868 - PAN Crashes because of OutOfMemory Error
Resolved: Currently not resolved

CSCvc74307 - ISE /var/cache/logwatch temp files are not removed
Resolved: Currently not resolved

CSCvc40801 - ISE MnT sluggishness and high I/O when integrated with Prime Infrastructure
Resolved: 2.0.1P3, 2.1P3, 2.2

CSCva56322 - ISE 2.1 "Internal Server Error" when accessing Workcenters > Identities
Resolved: Currently not resolved

Avoid Radius Flapping…
USE BEST PRACTICE!!!
Education – What we have learned

Education: High Authentication Latency
eduroam
• eduroam allows users from participating organizations to use their local credentials while visiting other eduroam locations to access the internet.
• eduroam is a “cloud based” RADIUS proxy. It acts as a federation point between education/research based entities and their RADIUS servers.
• eduroam’s RADIUS proxy is accessed via the internet.

Flow (diagram not reproduced): a visiting user with username jsmith@usau.edu authenticates locally; the request is proxied over the internet through eduroam to the home institution’s RADIUS server and the Access-Accept comes back the same way. High latency?

• Due to the high authentication latency sometimes associated with cloud based RADIUS servers, it may be necessary to adjust your RADIUS timers.
• If using a load balancer, create a separate VIP for eduroam (it can contain the same PSNs)
• If no load balancer, dedicate PSNs for eduroam (or other high latency SSIDs), if possible

Education: Students Converge at Lunch…
High Density
• Students’ roaming patterns, especially during meal times and events, can cause an increased load on your wireless and ISE infrastructure.
• Make sure that you have enough wireless density to handle this converged access.
• Distribute the load across multiple PSNs to avoid overwhelming a single server.

Education: User w/Multiple devices – PEAP Problem
Good reason to use EAP-TLS
• Students carry multiple devices
• PEAP-MSCHAPv2 as the 802.1X authentication method may cause AD lockouts if the password is not changed on all devices.
• Locked accounts generate help desk calls.
• A single device with an old password may cause repeated AD lockouts
Hospitals/Medical – Protecting the heart of your network

Hospital: Medical Devices
Securing and Profiling
• Most medical devices don’t support 802.1X
• To protect patient data, use WPA2-PSK with MAC filtering and profiling (Encrypt!)
• Use unique attributes to profile your medical devices
• Typical attributes that work well for medical devices are dhcp-class-identifier, dhcp-parameter-request-list and host-name

Hospital: Beware of Profiling Changes
Causes for change
• OUI information changes and Device Feed Service updates. Example: the 2014 ZIH Corp press release “Zebra Technologies Completes Acquisition of Motorola Solutions' Enterprise Business”; screenshots (not reproduced) show what this means for the OUI lookup of the same devices before and after the acquisition.
• Device OS/firmware updates (www.apple.com)
• Spoofed MAC addresses with new or different profiling attributes

Alternate Policy Match with Alarms
• It is possible to build a fallback policy below your original policy that relies on a static MAC whitelist (no profiling)
• This policy would catch any device that was in the configured whitelist and allow network access, simple right?
• You can then add an alarm to send an email whenever a device matches that policy. Currently we can enable this for a single policy only.
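To make the medical-device profiling advice and the whitelist fallback concrete, here is an added example (not code from the deck or from ISE itself). It models profiler rules the way ISE accumulates certainty, with each matching condition adding its certainty factor and a profile matching once the total reaches its minimum, and then evaluates the policy order the deck describes: profile-based permit first, then the static MAC whitelist that raises an alarm, then deny. The profile, attribute values, MAC addresses, thresholds and authorization names are all constructed for illustration. The third scenario is the caveat a practitioner should keep in mind: a device spoofing a whitelisted MAC is still permitted by the fallback, so the alarm is the only signal you get, which is why the deck lists spoofed MACs among the causes of profiling changes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One profiler condition: `attribute <op> value` adds `certainty` when true."""
    attribute: str
    op: str            # "equals" | "contains" | "startswith"
    value: str
    certainty: int


@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int
    rules: tuple


def rule_matches(rule, endpoint):
    actual = endpoint.get(rule.attribute, "")
    if rule.op == "equals":
        return actual == rule.value
    if rule.op == "contains":
        return rule.value in actual
    if rule.op == "startswith":
        return actual.startswith(rule.value)
    raise ValueError(f"unknown operator {rule.op}")


def certainty(profile, endpoint):
    """Sum the certainty factor of every matching rule."""
    return sum(r.certainty for r in profile.rules if rule_matches(r, endpoint))


def classify(profiles, endpoint):
    """Highest-scoring profile whose total reaches its minimum certainty, else None."""
    eligible = [(certainty(p, endpoint), p.name) for p in profiles
                if certainty(p, endpoint) >= p.min_certainty]
    return max(eligible)[1] if eligible else None


def authorize(endpoint, profiles, whitelist, alarms):
    """Policy set in the deck's order: profile rule, then the static-MAC fallback
    that raises an alarm, then deny. Returns (authorization, matched_on)."""
    profile = classify(profiles, endpoint)
    if profile is not None:
        return "Medical-Devices-Permit", profile
    mac = endpoint["mac"].upper()
    if mac in whitelist:
        alarms.append(f"{mac} permitted by static whitelist only; profile no longer matches "
                      f"(OUI={endpoint.get('OUI')!r}, class={endpoint.get('dhcp-class-identifier')!r})")
        return "Medical-Devices-Permit", "static-mac-whitelist"
    return "Deny-Access", None


# Constructed custom profile: weighted towards the DHCP attributes the deck
# recommends, so the OUI alone can never reach the minimum certainty.
INFUSION_PUMP = Profile("Medical-Infusion-Pump", min_certainty=30, rules=(
    Rule("OUI", "contains", "Motorola", 10),
    Rule("dhcp-class-identifier", "equals", "MedPump/2.1", 20),
    Rule("dhcp-parameter-request-list", "equals", "1, 3, 6, 15, 28", 10),
    Rule("host-name", "startswith", "PUMP-", 10),
))
PROFILES = (INFUSION_PUMP,)
WHITELIST = {"02:AB:CD:00:00:01"}   # constructed, locally administered MAC of a known pump

# Constructed endpoints. "OUI" holds the vendor name as the profiler sees it.
PUMP_BEFORE = {"mac": "02:ab:cd:00:00:01", "OUI": "Motorola Solutions Inc",
               "dhcp-class-identifier": "MedPump/2.1",
               "dhcp-parameter-request-list": "1, 3, 6, 15, 28", "host-name": "PUMP-ICU-07"}
# The same pump after a feed update renamed the OUI vendor and a firmware update
# changed the class identifier: two of the deck's "causes for change" at once.
PUMP_AFTER = dict(PUMP_BEFORE, OUI="Zebra Technologies Inc",
                  **{"dhcp-class-identifier": "MedPump/3.0"})
# A laptop spoofing the pump's MAC: entirely different DHCP attributes.
SPOOFED = {"mac": "02:ab:cd:00:00:01", "OUI": "Zebra Technologies Inc",
           "dhcp-class-identifier": "MSFT 5.0",
           "dhcp-parameter-request-list": "1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252",
           "host-name": "DESKTOP-7G2K1"}
UNKNOWN = {"mac": "10:20:30:40:50:60", "OUI": "Unknown", "host-name": "android-1f3c"}


if __name__ == "__main__":
    alarms = []
    for label, ep in (("before", PUMP_BEFORE), ("after update", PUMP_AFTER),
                      ("spoofed", SPOOFED), ("unknown", UNKNOWN)):
        print(f"{label:13} certainty={certainty(INFUSION_PUMP, ep):3} ->",
              authorize(ep, PROFILES, WHITELIST, alarms))
    print("\n".join(alarms))
```

The pump scores 50 before the changes and 20 afterwards, so it drops below the profile's minimum of 30 and is caught by the whitelist with an alarm. The spoofed laptop takes the same fallback path, which is the reason to treat every alarm from that rule as something to investigate rather than a routine notification.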
Hospital: Paging Dr. Ihateloggingin
Suggestions for better user experience
• Doctors by nature are usually very busy
and the last thing they want to do is to
spend time logging into a webportal or
changing a PEAP password.

• Use EAP-TLS

BRKSEC-2059 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
Hospital: Paging Dr. Ihateloggingin
Suggestions for better user experience
• Doctors by nature are usually very busy
and the last thing they want to do is to
spend time logging into a webportal or
changing a PEAP password.

• Use EAP-TLS

• A better option, if available would be to


use EAP-TLS and CWA-Chaining to a
Single Sign On (SSO) server. This
would allow the end user to leverage the
SSO token for other portals as well. Add
an AUP check rule to stay logged in.
BRKSEC-2059 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
Hospital: Nurse Carts/IP Phones
Advice on corporate devices
• Nurses typically use rolling computer carts for charting patient information.

• To ensure continuous connections for these devices, survey your wireless for Voice applications.

• For ease of use and manageability, use Active Directory Group Policy Objects (GPO) to manage the supplicants and certificates of AD joined devices.
Hospital: Medical NAC
Profiles custom built for medical devices
● Secure-access options for healthcare-specific devices

● Identification and classification of healthcare-specific devices (250+ devices)

● Profiling methods and best practices

● Segmentation of medical devices

Thanks Craig!
Public Transportation – Tips for the thrifty traveler
Airport: Hotspot setup with custom redirect
Using AP groups/names

• You can use ISE to target advertising to your clients

• AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location

• Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user.

• Create unique portal pages for each area. Advertisements can be built into the portal page or referenced from an external server.
Airport: Hotspot setup with custom redirect
Using MSE and ISE 2.0

• New to ISE 2.0, you can now leverage Mobility Services Engine (MSE) for physical location tracking

• Location information returned from the MSE can be used in the Authorization rule for directing clients to the portal serving their location.
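The AP-group slide and the MSE slide above describe one mechanism: an ordered authorization policy whose conditions read the client's location out of the RADIUS request and whose result names the portal to redirect to. The following Python is an added example written for this page, not ISE code and not from the session. It assumes the WLC has been configured to send the AP group name in Called-Station-Id instead of the default AP-MAC:SSID form (on AireOS that is the callStationIdType setting; verify on your own controller), that the MSE-derived location arrives as an attribute called here "MSE-Location" as a placeholder for whatever your integration exposes, and that the redirect ACL is named HOTSPOT-REDIRECT; the portal URLs and MAC addresses are constructed. It goes slightly beyond the slides by showing first-match rule ordering, where the precise MSE rules sit above the coarser AP-group rules, and by rejecting requests whose Calling-Station-Id is not a MAC.

```python
import re

# Portal registry: the redirect URL always comes from this table, never
# from anything the client or the controller sends. URLs are placeholders.
PORTALS = {
    "terminal-a": "https://portal.example.com/hotspot/terminal-a",
    "terminal-b": "https://portal.example.com/hotspot/terminal-b",
    "default": "https://portal.example.com/hotspot/default",
}
REDIRECT_ACL = "HOTSPOT-REDIRECT"  # assumed name of the redirect ACL on the WLC


def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return aa:bb:cc:dd:ee:ff, or None when the value is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ap_group_from_called_station(value):
    """Called-Station-Id is 'AP-MAC:SSID' by default; with the assumed
    controller setting it carries the AP group name instead. Return the
    group name, or None when the value is the MAC:SSID form. (A group name
    that happens to be exactly 12 hex characters would be misread as a MAC.)"""
    if not value:
        return None
    head = value.split(":", 1)[0]
    return None if normalize_mac(head) else value


def extract_facts(request):
    """Reduce a raw RADIUS attribute dict to the facts the rules test."""
    return {
        "mac": normalize_mac(request.get("Calling-Station-Id")),
        "ap_group": ap_group_from_called_station(request.get("Called-Station-Id")),
        # Assumed attribute name for the MSE-derived location (ISE 2.0 feature).
        "location": request.get("MSE-Location"),
    }


# Ordered rules, first match wins, like an ISE authorization policy.
# Precise MSE location rules sit above the coarser AP-group rules.
RULES = [
    ("Terminal-A-by-MSE", lambda f: f["location"] == "Terminal-A", "terminal-a"),
    ("Terminal-B-by-MSE", lambda f: f["location"] == "Terminal-B", "terminal-b"),
    ("Terminal-A-by-AP-group", lambda f: f["ap_group"] == "TERMINAL-A-APS", "terminal-a"),
    ("Terminal-B-by-AP-group", lambda f: f["ap_group"] == "TERMINAL-B-APS", "terminal-b"),
    ("Default-hotspot", lambda f: True, "default"),
]


def authorize(request):
    """Return the authorization result for one RADIUS request."""
    facts = extract_facts(request)
    if facts["mac"] is None:
        # Malformed Calling-Station-Id: reject rather than guess.
        return {"rule": None, "access": "reject", "reason": "bad Calling-Station-Id"}
    for name, condition, portal_key in RULES:
        if condition(facts):
            return {
                "rule": name,
                "access": "accept",
                "redirect_url": PORTALS[portal_key],
                "redirect_acl": REDIRECT_ACL,
            }
    return {"rule": None, "access": "reject", "reason": "no rule matched"}


# Constructed requests (not captured traffic); every value is made up.
SAMPLE_REQUESTS = [
    {"Calling-Station-Id": "00-11-22-33-44-55", "Called-Station-Id": "TERMINAL-A-APS"},
    {"Calling-Station-Id": "0011.2233.4466", "Called-Station-Id": "TERMINAL-B-APS",
     "MSE-Location": "Terminal-A"},  # MSE location outranks the AP group
    {"Calling-Station-Id": "00:11:22:33:44:77",
     "Called-Station-Id": "aa-bb-cc-dd-ee-ff:Airport-Free-WiFi"},  # default form
    {"Calling-Station-Id": "not-a-mac", "Called-Station-Id": "TERMINAL-A-APS"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(authorize(req))
```

The second sample request is the case to notice: its AP group says Terminal B but the MSE location says Terminal A, and because the MSE rules are ordered first the client is sent to the Terminal A portal. Whichever source you trust more for location belongs higher in the rule list.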
Soapbox: Buy Public Certificates
Stop teaching users to accept Man-in-the-middle attacks!

Conclusion
Review
• Public Environments can be challenging
• Avoid ISE “meltdowns”
• Keep up to date with versions and patches, be aware of software defects that might affect your environment
• Use advice in this guide to solve challenges in your environment
• Use Real Best Practice to ensure that you have a successful deployment.

Public ISE Community

• Public ISE Community: http://cs.co/ise-community
• Monitored and Responded to by TMEs on my Team
• Ask Questions There
• Get Answers by Cisco Experts & Partners
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

ISE and TrustSec in CL 2017
ISE / TrustSec Labs

ISE integration with Firepower using pxGrid protocol
LTRSEC-2002
Vibhor Amrodia, Aditya Ganjoo
Wed 8:00-12:00 PM, MGM Grand, Level 1, Room 104

Visibility Driven Secure Segmentation
LTRCRS-2006
Hariprasad Holla, Aaron Rohyans
Wed 01:00-05:00 PM, MGM Grand, Level 1, Room 115

Cisco SD-Access Hands-on Lab
LTRCRS-2810
Derek Huckaby, Larissa Overbey
Wed 01:00 PM, MGM L-1, 116 | Thu 08:00 PM, MGM L-1, 101
Demos

ISE – Secure Access Demo (📌 World-of-Solutions): Multiple ISE demos: ISE Visibility, Easy Connect, Posture, etc.
Network Segmentation Demo (📌 World-of-Solutions): Use of TrustSec to mitigate Wannacry kind of ransomware
Healthcare / Medical NAC Demo (📌 World-of-Solutions): ISE profiles for medical NAC, TrustSec segmentation, RTC
Network as a Sensor and Enforcer (📌 World-of-Solutions): ISE and Stealthwatch for visibility and control
Thank you
