BRKSEC-2430 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-2430
A little about me…
• Started as an early ISE 1.1 customer
• 10+ years of network & security experience
• Lots of paper: BS and MS in IT Security, 2x CCIEs (Data Center + Security), CISSP, and various other industry certifications
• Co-organizer of the largest Cisco Meetup study group – Routergods, and owner of the network-node.com blog
• ...Have a lot of cats…
Agenda
• Where To Start
• ISE Appliances & Deployment Options
• Network Devices
• Identity Sources
• Supplicants
• Profiling
• 802.1x Deployment Phases
• Enforcement
• Day 2 Operations
Deploying any network access control isn’t easy…
Planning is essential to any successful deployment.
Why isn’t there an easy button?
• Discovery
• Planning & Staging
• Often need to work with other teams in the organization:
  • Active Directory
  • PKI
  • Desktop Support
  • Virtualized environment
  • Etc.
• Layer 1 through 8
Defining your Security Policy
Why is your IT Security Policy important to ISE?
• ISE cannot write the organization’s security policy
• Know your security policy before you start deploying ISE
• Management Support
• Monitor and update policies
Understand the Business Objectives
What is the business trying to accomplish with ISE?
Where can ISE help achieve these objectives?
• Wired
• pxGrid and APIs
• Context Sharing (pxGrid)
• Device Administration
Agenda (section): ISE Appliances & Deployment Options
Let’s talk about ISE Personas…
• Policy Administration Node (PAN)
  - Max 2 in a deployment
  - Single pane of glass for ISE admin
  - Replication hub for all database config changes
Different PSN Services
• Session – RADIUS, Guest, Posture, MDM, BYOD/CA
• Profiling
• Threat-Centric NAC (TC-NAC)
• SGT Exchange Protocol (SXP)
• Device Admin (TACACS+)
• Passive Identity
Changing the Persona and Enabling Services
ISE Deployment Models
• Standalone/All Persona
• Hybrid
• Distributed
Important Scalability Numbers
Scaling ISE
ISE Deployment Models
Separate pxGrid nodes?

Deployment Type | Platform | Max Subscribers (Shared PSN/PXG) | Max Subscribers (Dedicated PSN/PXG)
Standalone/All Persona | 3515/3595 | 2 | N/A
PAN/MnT/PXG on same node + dedicated PSNs | 3515/3595 | 5 | 15
Dedicated – All personas on dedicated nodes | 3515 | - | 15
Dedicated – All personas on dedicated nodes | 3595 | - | 25
Other General Considerations
• Concurrently connected endpoints
• Redundancy & High Availability
• Scaling options
• Latency considerations
• 300ms between PAN and PSN
• QA-tested guardrail
ISE Node Communications
RADIUS & TACACS+ Deployment Options
Three deployment options:
• Separate ISE Cubes for RADIUS & TACACS+
• Mixed ISE cube with separate PSNs for RADIUS and TACACS+
• Mixed ISE cube where PSNs are not dedicated to either
When do we separate TACACS+ and RADIUS?
Keep the following in mind:
• How many network devices?
• Number of TACACS+ & RADIUS sessions
• Scripts?
• Network management tools?
• MnT is not taxed if both deployments are large or busy
• Potential for increased log retention on both deployments
Hardware Appliance or VM?
• Inter-team communication
• Follow the VM requirements:
• Sizing
• OVAs when possible
• Resource Reservations
• NO Snapshots
• Don’t reduce size of VMs
Understanding the ISE License Types
License Features
Features included by license type. License tiers (table columns): Base, Plus, Apex, Device Admin, and ISE Apex + AnyConnect Apex. Feature columns: RADIUS AAA / 802.1x; TrustSec security group tagging; Guest services; TACACS+; ANC/EPS rapid threat containment; pxGrid context sharing; MDM/EMM; Threat-Centric NAC; device profiling and feed service; BYOD with CA; Posture (endpoint compliance and remediation).

Benefit: Control all access from one place
• Guest – Provide unique guest permissions to visitors
• Secure access – Control user access and ensure device authentication
• Device Admin – Differentiate access for device administrators
• BYOD – Seamlessly onboard devices with the right access
Benefit: See and share rich user and device details
• Visibility – See when, where, and why users are on your network
• Integration – Share information with other products
• Compliance – Ensure that endpoints meet network standards
Benefit: Stop threats from getting in and spreading
• Segmentation – Limit exposure with pre-defined access segmentation
• Containment – Reduce risk with rapid threat containment
• Prevention – Prevent breaches at the endpoint level
(The check marks mapping each use case to its feature columns are not recoverable from the extracted table.)
Understanding how licensing works
• Endpoint licenses
• Concurrently connected endpoints
• Endpoint disconnects – license added back to store
• Device Admin
• Per PSN with Device Admin service enabled
• NOT per device count
Agenda (section): Network Devices
Network Device Discovery
• Support for RADIUS and/or TACACS+?
• Cisco device?
• Hardware Model
• IOS Version
• Count
Network Device Discovery (cont’d)
• Non-Cisco device?
• Vendor Name
• Hardware Model
• OS Version
• Vendor-Specific RADIUS dictionary needed?
• Support for RADIUS CoA or SNMP CoA?
Why is this so important?
Preparation will save you a lot of time and tears
• RADIUS Vendor Dictionaries
• Network Device Profiles Creation
• IOS Versions and Capabilities
• Hardware Limitations
• Protocol Support
Adding RADIUS Vendor Dictionaries
Creating a Network Device Profile for 3rd Party Vendors
Easy way to check hardware and OS Feature Support!
ISE Network Component Compatibility Matrix
Additional Tips
• Favorite study motto: Always Be Labbing!
• 3rd party device documentation
• Standardize! Standardize! Standardize!
• IOS versions
• AAA configuration
• Wireless configuration
• Profiling configuration
Agenda (section): Identity Sources
Identity Source support in ISE
• Active Directory
• LDAP
• ODBC
• RADIUS Token Servers
• RSA SecurID
• SAMLv2 Identity Provider
• Certificate Authentication Profiles for EAP-TLS
• Social Login
Integration with Identity Sources is Key
Get the teams that manage the identity source involved early…
• Active Directory?
• Multiple domains?
• Multiple forests?
• Version of AD?
Prepare the Certificates
• Server Certificate
• Public Certificate (Guest)
• Cert errors if self-signed
• EAP Certificate
• pxGrid Certificate
• Protip: EKU Server & Client Authentication
Sample User Certificate Template
Sample pxGrid Certificate Template
Add a Trusted Root Certificate in ISE
Getting a Certificate Signing Request
Agenda (section): Supplicants
Understand your Endpoints & Supplicants
• Windows 7, 8/8.1, and 10
• Native Supplicant
• AnyConnect Network Access Manager (NAM)
• Mac OS X
• Apple iOS
• Android
Windows 7, 8/8.1, and 10 – Native Supplicant
• Group Policy for:
• Supplicant configuration
• Pushing certificates
• Pre-configure SSIDs – better user experience
Windows 7, 8/8.1, and 10 – AnyConnect NAM
• Eliminates potential issues from drivers
• Standardization for Windows supplicants
• Options for more EAP-Types
• Supports EAP-Chaining (i.e. User + Computer certificate)
• AnyConnect NAM needs to be deployed – involves Desktop Support
• Caveats to be aware of:
  • AnyConnect Plus licenses
  • AnyConnect NAM only for Windows endpoints
Mac OS X Supplicant
• Version 10.8+ – 802.1X authentication process started automatically
• Pop-up appears on connect to network
• Zero-touch deployment if alright with pop-up
• Certificates:
  • Client Provisioning and BYOD configuration to install certificate
  • JAMF or another MDM to install the certificate and supplicant profile
Android and Apple iOS BYOD
• (Optional) Onboard through ISE for PEAP or EAP-TLS
• Apple iOS will install the supplicant profile during client provisioning
• Android devices are different:
  • Doesn’t trust apps installed from anywhere other than the app store by default
  • Download of Cisco Network Setup Assistant App from Google Play required
  • Allow the following URLs in your DNS ACL on the wireless controller:
    • android.clients.google.com
    • google.com
Agenda (section): Profiling
ISE Profiling
• Because MAC address alone is not enough
• Pre-loaded profiles cover the majority of endpoints
• For everything else: custom profiles
ISE Profiling
Visibility Data Sources
RADIUS Probe
• ISE can profile endpoints based on the RADIUS attributes collected from the RADIUS request/response messages from the RADIUS servers
• Network devices must be configured for AAA
• The following are the known attributes that are collected by the RADIUS probe:
• User-Name
• Framed-IP-Address
• Acct-Session-Time
• NAS-IP-Address
• Calling-Station-Id
• Acct-Terminate-Cause
• NAS-Port
• Acct-Session-Id
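As an added illustration of what the RADIUS probe actually receives, the following parser walks the attribute list of a RADIUS packet (RFC 2865/2866) and pulls out exactly the attributes listed above. This is example code written for this page, not Cisco's or ISE's implementation; the packet is a constructed sample (the NAD address 10.1.100.1, the username, port and session values are made up, and the MAC address reuses the one that appears in the critical-MAB configuration later in the deck).

```python
import struct
from ipaddress import IPv4Address

# Attribute type codes from RFC 2865/2866 for the attributes the RADIUS probe
# collects (the list on the slide above).
ATTR_NAMES = {
    1: "User-Name",
    4: "NAS-IP-Address",
    5: "NAS-Port",
    8: "Framed-IP-Address",
    31: "Calling-Station-Id",
    44: "Acct-Session-Id",
    46: "Acct-Session-Time",
    49: "Acct-Terminate-Cause",
}
IPADDR_TYPES = {4, 8}
INTEGER_TYPES = {5, 46, 49}
TEXT_TYPES = {1, 31, 44}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 4: "Accounting-Request"}


def decode_value(atype: int, value: bytes):
    """Decode an attribute value by its RFC data type; unknown types stay raw bytes."""
    if atype in IPADDR_TYPES:
        return str(IPv4Address(value))
    if atype in INTEGER_TYPES:
        return struct.unpack("!I", value)[0]
    if atype in TEXT_TYPES:
        return value.decode("utf-8", "replace")
    return value


def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the Type-Length-Value attribute list.

    The Length field is checked against the real packet size and every attribute
    length against the remaining bytes, so a malformed packet raises ValueError
    instead of being read past its end."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs = {}
    pos = 20  # code(1) + id(1) + length(2) + authenticator(16)
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs[ATTR_NAMES.get(atype, atype)] = decode_value(atype, packet[pos + 2:pos + alen])
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "attributes": attrs}


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_radius(packet)
        return True
    except (ValueError, struct.error):
        return False


def normalize_mac(station_id: str) -> str:
    """Calling-Station-Id arrives in whatever form the NAD vendor uses
    (00-0c-29-..., 000c.293c...., 00:0c:29:...); ISE keys endpoints on the MAC,
    so normalise to one form before matching or storing it."""
    hexdigits = "".join(c for c in station_id if c in "0123456789abcdefABCDEF")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {station_id!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (Length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_sample_accounting_request() -> bytes:
    """Constructed sample (not a capture): an Accounting-Request as a switch would
    send it, carrying every attribute the slide lists. The 16-byte authenticator is
    zeroed here; a real one is MD5 over the packet plus the shared secret, which is
    what lets ISE reject accounting not produced by the configured NAD."""
    attrs = b"".join([
        build_attr(1, b"jdoe"),
        build_attr(4, IPv4Address("10.1.100.1").packed),   # NAD address (constructed)
        build_attr(5, struct.pack("!I", 50101)),
        build_attr(8, IPv4Address("10.1.10.25").packed),   # endpoint address (constructed)
        build_attr(31, b"00-0C-29-3C-8D-CA"),
        build_attr(44, b"0000001A"),
        build_attr(46, struct.pack("!I", 120)),
        build_attr(49, struct.pack("!I", 1)),
    ])
    return struct.pack("!BBH", 4, 7, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    parsed = parse_radius(build_sample_accounting_request())
    for name, value in parsed["attributes"].items():
        print(f"{name:22} {value}")
    print("endpoint MAC:", normalize_mac(parsed["attributes"]["Calling-Station-Id"]))
```

The length checks matter more than they look: the probe runs on the PSN, the node that every NAD can reach, so a parser that trusts the Length byte of an attribute is the kind of thing that falls over on a single malformed accounting packet.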
DHCP Probe
• Simple method of getting DHCP traffic to ISE
• Requires configuration of NADs to relay DHCP packets to ISE.
• DHCP probe in ISE will collect DHCP data to use in profiling policy
• For WLCs disable DHCP proxy
• Can provide host-name, MAC address, parameter request list, requested address, etc.
Configuration Commands:
interface Vlan50
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.10
 ip helper-address 10.1.100.5 (For ISE)
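The helper-address configuration above delivers a copy of every DHCP packet from that SVI to the ISE PSN. The following added example (written for this page, not Cisco's or ISE's code) parses a relayed DHCPDISCOVER and pulls out the fields the probe uses: the client MAC, the relay address (giaddr, which the switch sets to the SVI address), host-name, class identifier, client identifier, parameter request list and requested address. The packet is a constructed sample; the dhcp-* attribute names for options other than host-name and dhcp-class-identifier follow ISE's naming convention by analogy.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"

# DHCP option codes mapped to the attribute names ISE exposes for profiling
# (host-name and dhcp-class-identifier are the ones the slides reference;
# the dhcp-* names for the rest follow the same convention).
OPTION_NAMES = {
    12: "host-name",
    50: "dhcp-requested-address",
    53: "dhcp-message-type",
    55: "dhcp-parameter-request-list",
    60: "dhcp-class-identifier",
    61: "dhcp-client-identifier",
}
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 8: "DHCPINFORM"}


def decode_option(code: int, value: bytes):
    if code in (12, 60):
        return value.decode("ascii", "replace")
    if code == 50:
        return ".".join(str(b) for b in value)
    if code == 53:
        return MESSAGE_TYPES.get(value[0], value[0])
    if code == 55:
        # The order of requested options is itself an OS fingerprint,
        # so keep it as an ordered, comma-separated list.
        return ", ".join(str(b) for b in value)
    if code == 61:
        return value.hex()
    return value


def parse_dhcp(packet: bytes) -> dict:
    """Extract the profiling-relevant fields from a relayed DHCP packet.

    Fixed BOOTP header (236 bytes), the magic cookie at offset 236, then
    Type-Length-Value options terminated by 255. Pad bytes (0) are skipped and
    every option length is checked against the packet, so a truncated relay
    packet raises ValueError rather than yielding half an attribute."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (short header or missing magic cookie)")
    hlen = packet[2]
    attrs = {
        # chaddr: the client MAC, the key ISE uses for the endpoint record
        "MAC": ":".join(f"{b:02x}" for b in packet[28:28 + hlen]),
        # giaddr: filled in by the relay (ip helper-address), i.e. the client's SVI
        "giaddr": ".".join(str(b) for b in packet[24:28]),
    }
    pos, ended = 240, False
    while pos < len(packet):
        code = packet[pos]
        if code == 0:
            pos += 1
            continue
        if code == 255:
            ended = True
            break
        if pos + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes but packet ends early")
        if code in OPTION_NAMES:
            attrs[OPTION_NAMES[code]] = decode_option(code, value)
        pos += 2 + length
    if not ended:
        raise ValueError("missing end option (255)")
    return attrs


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_dhcp(packet)
        return True
    except ValueError:
        return False


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER (not a capture) as ISE would receive it after the
    Vlan50 SVI 10.1.10.1 relays it: giaddr carries the SVI address and the options
    look like a Windows client (class identifier MSFT 5.0)."""
    mac = bytes.fromhex("000c293c8dca")
    header = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0x8000)  # op htype hlen hops xid secs flags
    header += bytes(4) + bytes(4) + bytes(4)       # ciaddr, yiaddr, siaddr
    header += bytes([10, 1, 10, 1])                # giaddr, set by the relay
    header += mac + bytes(10)                      # chaddr padded to 16 bytes
    header += bytes(64) + bytes(128)               # sname, file
    options = b"".join([
        bytes([53, 1, 1]),                                  # message type: DISCOVER
        bytes([61, 7, 1]) + mac,                            # client identifier
        bytes([50, 4, 10, 1, 10, 25]),                      # requested address
        bytes([12, 8]) + b"LAB-PC01",                       # host-name
        bytes([60, 8]) + b"MSFT 5.0",                       # class identifier
        bytes([55, 14, 1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
        bytes([255]),
    ])
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for k, v in parse_dhcp(build_sample_discover()).items():
        print(f"{k:28} {v}")
```

Every field here is client-supplied, which is the caveat behind the "MAC address alone is not enough" slide in the other direction: host-name and class identifier are easy for a host to set to anything, so profiler policies built on them should be corroborated by attributes the endpoint does not control (NAD, port, AD membership) before they drive privileged authorization.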
HTTP Probe
• User-agent is an HTTP request header that is sent from web browsers to web servers. The user-agent includes application, vendor, and OS information that can be used in profiling endpoints.
• User-agent attributes can be collected from web browser sessions redirected to ISE for existing services, such as:
  • Central Web Auth (CWA)
  • Device Registration WebAuth (DRW)
  • Native Supplicant Provisioning (NSP)
SPAN DHCP and HTTP Traffic to ISE
• Traffic is mirrored to an interface on the ISE policy services node
• Both SPAN and remote SPAN are supported
• Provides the same information as the previously mentioned DHCP and HTTP probes but is the least optimal way of sending this information to ISE
• Would not advise using this
DNS Probe
• DNS probe in the profiler does a reverse DNS lookup for IP addresses learnt by other means.
• Before a DNS lookup can be performed, one of the following probes must be started along with the DNS probe: DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP.
• You can create an endpoint profiling condition to validate the FQDN attribute and its value for profiling.
DNS Configured in ISE:
!
ip name-server 171.68.226.120
ip name-server 171.68.226.121
!
SNMP Probe
SNMP Query Probe
This probe collects details from network devices such as Interface, CDP, LLDP and ARP. ’Network devices’ in ISE must be configured for SNMP.
SNMP Trap Probe
The SNMP Trap probe receives info from the specific network access devices that support MAC notification, linkup, linkdown, and informs.
• Configured on a per-PSN basis under Administration>System>Deployment>PSN-Name>Profiling
• After enabling it on the PSN, configure the SNMP communities under the network access device in ISE under Administration>Network Resources>Network
NMAP Probe
• NMAP allows profiler to detect new endpoints through a subnet scan and classify endpoints based on their OS, OS version, and services
• Considered an “active” assessment mechanism since it communicates directly with the endpoint
• Scan can trigger dynamically based on policy or manually by an administrator.
• NMAP scans can gather:
  • OS detection using TCP/IP fingerprinting
  • SMB discovery – Profiling detailed Windows info including FQDN, OS version, Domain, Workgroup, Common Platform Enumeration (CPE), etc
  • SNMP Port
  • Common Ports
  • Service version information
  • Custom Ports
Netflow Probe
• NetFlow vendor specific attributes reveal device identity
• Flow reception on Port # 9996/UDP
• ISE profiler implements Cisco IOS NetFlow Version 9, while backward compatible to earlier versions
• Cisco IOS NetFlow Version 5 packets do not contain MAC addresses of endpoints.
• As a general rule, avoid this probe – only unique corner cases where this might be applicable
Active Directory Probe
• Increases OS fidelity through detailed info extracted via AD.
• Leverages AD Runtime Connector
• Attempts to fetch AD attributes once computer hostname learned from DHCP Probe and DNS Probe
• AD queries gated by:
  • Rescan interval (default 1 day)
  • Profiler activity for endpoint
• If AD probe enabled after endpoint learned and hostname acquired, then no AD query.
Simplify Profiling with “Device Sensor”
• Doesn’t require packet redirections (DHCP Helper) and SPAN sessions for profiling
• Highly scalable and efficient
• ISE runs only “RADIUS” probe
• Another reason to know what version of OS your switches are running
• Profiling based on:
  • CDP/LLDP
  • DHCP
  • HTTP (WLC only)
  • mDNS
  • H323
  • MSI-Proxy
Device Sensor for Wired
device-sensor filter-list dhcp list my_dhcp_list
 option name host-name
 option name class-identifier
 option name client-identifier
device-sensor filter-spec dhcp include list my_dhcp_list
3) Disable local analyzer if sending sensor updates to ISE (central analyzer)
no macro auto monitor
access-session template monitor
Wireless Device Sensor
• RADIUS Accounting
• HTTP
• DHCP
Profiler Feed Service
• Provides new and updated
• Ways to update:
• Manual
• Scheduled
• Downloaded for offline installation
• Updates MAC OUIs
Profiler Feed Service
Profiling Policies
What about Unknowns?
• There will be endpoints that don’t have pre-built profiles
• Endpoint profiles will show as “Unknown”
• View your unknown endpoints under Context Visibility>Endpoints
Custom Profiles
• Gather more information
• Create more traffic from the device
• Run a manual NMAP scan
• Enable more probes
Custom Profiles (Cont’d)
• Useful attributes to look for when creating custom endpoint
profiles:
• User-Agent
• dhcp-class-identifier
• host-name
• OUI
• IP
• operating-system
Creating a Custom Profile
• Navigate to Context Visibility>Endpoints and click on the MAC address of the endpoint.
Creating a Custom Profile (cont’d)
• (Optional) Run a manual NMAP scan against the endpoint by navigating to: Work Centers>Profiler>Manual Scans
Creating a Custom Profile (cont’d)
Navigate to Work Centers>Profiler>Policy Elements and click Add to add the attributes from the endpoint to the profiler conditions
Creating a Custom Profile (cont’d)
Navigate to Policy>Profiling>Profiling Policy and click Add to create a new profile policy based on the unique attributes you found
Best practice to start with Minimum Certainty Factor value of at least 1,000 for custom profiler policies
Creating a Custom Profile (cont’d)
Endpoint should show up under Context Visibility>Endpoints under the new profile
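The Minimum Certainty Factor is what keeps a custom policy from claiming an endpoint on a partial match. The following added example is written for this page and is not ISE's profiler code: it reduces the profiler to additive certainty factors per matching rule and a per-policy minimum, then applies two constructed policies (a generic Windows profile with low certainty values and a custom badge-reader profile with the 1,000 minimum recommended above) to four constructed endpoint attribute sets built from the attributes named on the Custom Profiles slides. Policy names, attribute values and certainty numbers are made up for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """One profiler condition: an endpoint attribute tested against a value."""
    attribute: str
    operator: str  # equals | contains | startswith | matches (regex)
    value: str

    def holds(self, endpoint: dict) -> bool:
        actual = endpoint.get(self.attribute)
        if actual is None:  # attribute never collected: the condition cannot match
            return False
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "contains":
            return self.value in actual
        if self.operator == "startswith":
            return actual.startswith(self.value)
        if self.operator == "matches":
            return re.search(self.value, actual) is not None
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass(frozen=True)
class Rule:
    """A rule contributes its certainty factor when all of its conditions hold."""
    conditions: tuple
    certainty: int


@dataclass(frozen=True)
class ProfilePolicy:
    name: str
    min_certainty: int  # Minimum Certainty Factor
    rules: tuple

    def score(self, endpoint: dict) -> int:
        return sum(r.certainty for r in self.rules if all(c.holds(endpoint) for c in r.conditions))


def explain(endpoint: dict, policies) -> dict:
    """Per-policy totals: the view you want when an endpoint sits in Unknown and
    you need to see which custom policy came close and which attribute is missing."""
    return {p.name: p.score(endpoint) for p in policies}


def classify(endpoint: dict, policies) -> tuple:
    """Assign the policy with the highest total that also meets its own Minimum
    Certainty Factor; if none does, the endpoint stays Unknown."""
    best = ("Unknown", 0)
    for policy in policies:
        total = policy.score(endpoint)
        if total >= policy.min_certainty and total > best[1]:
            best = (policy.name, total)
    return best


# Constructed policies. The first stands in for a pre-built, generic profile with
# low certainty values; the second is a custom policy built from attributes found
# on one endpoint, with the Minimum Certainty Factor of 1,000 recommended above.
POLICIES = (
    ProfilePolicy("Windows-Workstation", 10, (
        Rule((Condition("dhcp-class-identifier", "startswith", "MSFT"),), 10),
        Rule((Condition("User-Agent", "contains", "Windows"),), 10),
    )),
    ProfilePolicy("Acme-Badge-Reader", 1000, (
        Rule((Condition("OUI", "equals", "Acme Systems"),), 30),  # OUI alone is weak evidence
        Rule((Condition("host-name", "matches", r"^BADGE-RDR-\d+$"),), 500),
        Rule((Condition("dhcp-class-identifier", "equals", "ACME-BADGE/2.1"),), 500),
    )),
)

# Constructed endpoint attribute sets, as the probes would collect them.
BADGE_READER = {"OUI": "Acme Systems", "host-name": "BADGE-RDR-017",
                "dhcp-class-identifier": "ACME-BADGE/2.1"}
BADGE_READER_NO_DHCP = {"OUI": "Acme Systems", "host-name": "BADGE-RDR-018"}
WINDOWS_PC = {"dhcp-class-identifier": "MSFT 5.0",
              "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
# An Acme MAC prefix on a device whose DHCP stack talks like Windows: the OUI
# alone must not be enough to profile it as a badge reader.
ACME_OUI_WINDOWS = {"OUI": "Acme Systems", "dhcp-class-identifier": "MSFT 5.0"}

if __name__ == "__main__":
    samples = [("badge reader", BADGE_READER), ("badge reader, no DHCP yet", BADGE_READER_NO_DHCP),
               ("windows pc", WINDOWS_PC), ("acme OUI, windows stack", ACME_OUI_WINDOWS)]
    for label, endpoint in samples:
        print(f"{label:28} -> {classify(endpoint, POLICIES)}  {explain(endpoint, POLICIES)}")
```

Run as a script it prints each endpoint's assigned profile next to the per-policy totals. The second endpoint is the instructive one: it scores 530 on the badge-reader policy, well above a pre-built profile's threshold, yet stays Unknown because the custom policy's minimum is 1,000; once its DHCP class identifier is collected it crosses the line, which is the behaviour the 1,000 recommendation is buying you.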
Agenda (section): 802.1x Deployment Phases
Deploying 802.1X in Phases
Monitor Mode: Port open unconditionally
Low-Impact Mode: pre-authentication ACL permits only EAP, DHCP and DNS (permit eap dhcp dns / deny any); full access (permit ip any any) after authorization
Closed Mode: Only EAP allowed
Monitor Mode
• No impact to existing network
• Prepare for enforcement
• Visibility to:
  • Endpoints on network & their supplicant configuration
  • Passed/Failed 802.1x & MAB attempts
• To configure:
  • Enable 802.1X and MAB
  • Enable Open Access
  • Enable Multi-Auth host mode
  • No Authorization
Low Impact Mode
• Begin to control/differentiate access
• Minimize impact to existing network while retaining visibility of Monitor Mode
• Start from Monitor Mode
• Add ACLs, dACLs, Flex-auth, etc
• Limit number of devices connecting to ports
Closed Mode
• Not everyone goes to Closed Mode
• No access at all before authentication
• Rapid access for non-802.1x-capable corporate assets
• Logical isolation of traffic at the access layer
• Return to default “closed” access
• Implement identity-based access assignment
Utilizing Policy Sets with Modes
Agenda (section): Enforcement
Many Options for Enforcement
• Downloadable ACL (dACL)
• ACL
• SGT
• VLAN
• No east-west segmentation
• DHCP
• Voice Domain Permission
• Centralized Web Redirection (Guest, BYOD, Client provisioning, etc)
• Auto Smart Port
• Vulnerability scan
• Reauthentication
• MACSec Policy
• Network Edge Access Topology (NEAT)
• Local Web Authentication
• Interface Template
• Wireless and VPN ACLs
• AVC Profile Name
• Custom attributes
TrustSec for Segmentation
Traditional Segmentation (security policy based on topology; high cost and complex maintenance):
• DC servers behind a DC firewall / switch with static ACLs
• Enterprise backbone: routing, redundancy, DHCP scope, address, VLAN
• Aggregation layer: VACL
• Access layer: one VLAN per role (Non-Compliant / Quarantine VLAN, Voice VLAN, Employee Data VLAN, Supplier Guest VLAN, BYOD VLAN)
TrustSec (use existing topology and automate security policy to reduce OpEx):
• Micro/macro segmentation with central policy provisioning from ISE
• No topology change, no VLAN change
• Access layer: Voice and Data VLANs only; roles carried as tags (Employee Tag, Supplier Tag, Non-Compliant Tag) for Voice, Non-Compliant, Employee, Supplier and BYOD endpoints
What about limiting or allowing access if ISE becomes unavailable?
Inaccessible Authentication Bypass
Diagram: access VLAN and critical VLAN on the access switch; WAN / Internet path to the PSN, with the “WAN or PSN down” failure case.
Critical Auth for Data and Voice
Default Port ACL Issues with Critical VLAN
Limited Access Even After Authorization to New VLAN
• Data VLAN reassigned to critical auth VLAN, but new (or reinitialized) connections are still restricted by existing port ACL
Diagram: port Gi1/0/2 with access VLAN, critical VLAN and voice VLAN; WAN or PSN down.
Critical ACL using Service Policy Templates
Apply ACL, VLAN, or SGT on RADIUS Server Failure
• Critical Auth ACL applied on Server Down
Diagram: port Gi1/0/2 with access VLAN, critical VLAN and voice VLAN; WAN or PSN down; default ACL: only DHCP/DNS/PING/TFTP allowed.
Critical MAB – Local Authentication During Server Failure
username 000c293c8dca password 0 000c293c8dca
username 000c293c8dca aaa attribute list mab-local
!
aaa local authentication default authorization mab-local
aaa authorization credential-download mab-local local
!
aaa attribute list mab-local
 attribute type tunnel-medium-type all-802
 attribute type tunnel-private-group-id "150"
 attribute type tunnel-type vlan
 attribute type inacl "CRITICAL-V4"
!
policy-map type control subscriber ACCESS-POL
 ...
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authenticate using mab aaa authc-list mab-local authz-list mab-local
 ...
Diagram: endpoints 000c.293c.8dca and 000c.293c.331e (marked “?”) on the access switch; WAN to ISE down.
• Additional level of check to authorize hosts during a critical condition.
• EEM Scripts could be used for dynamic update of whitelist MAC addresses
Agenda (section): Day 2 Operations
Supporting ISE After Deployment
• Document, Document, Document!
• Policy Configuration
• Supplicant Configuration
• Certificate Information
• Network Access Devices
• Network Access Device Configuration Template
• Standardize
Supporting ISE After Deployment (Cont’d)
• Train Your Support
• Avoid being called for every issue
• Playbook for common issues
• Utilize built-in ISE roles for Helpdesk
Conclusion
Deploying any network access control isn’t easy…
Planning is essential to any successful deployment.
Helpful Links and Training
• Cisco ISE for BYOD and Secure Unified Access (2nd Edition) – https://tinyurl.com/ise-byod-book
• Cisco Security SISAS - https://tinyurl.com/ise-sisas-book
• Cisco ISE Communities - http://tinyurl.com/ise-communities
• Medical NAC 2.0 Profiles - https://tinyurl.com/ise-medical-nac-2
• ISE Automation and Control Profiles - https://tinyurl.com/ise-automation-library
• ISE Scalability Numbers - https://tinyurl.com/ise-scale
Helpful Links and Training
• ISE NAD Compatibility Matrix - https://tinyurl.com/ise-compatibility
• ISE Bandwidth Calculator - http://tinyurl.com/ise-bw-calc
• ISE Switch Configuration Guide - https://tinyurl.com/ise-switch-guide
• ISE WLC Configuration - https://tinyurl.com/ise-wlc-config
• ISE Loadbalancing Guides - https://tinyurl.com/ise-loadbalancing
Helpful Blogs
• Labminutes Videos - http://labminutes.com/video/sec/ISE
• Aaron Woland’s Blog Posts
• https://woland.com
• https://www.networkworld.com/author/Aaron-Woland/
• Brad Johnson’s ISE Support Blog - https://www.ise-support.com/
• My blog - https://www.network-node.com/
• Densemode.com’s series on PKI for Network Engineers
• PKI for Network Engineers Theory: https://tinyurl.com/pki-ne-1
• Diffie Hellman for people who suck at math: https://tinyurl.com/df-no-math
ISE Sessions @Live Barcelona 2019
TECSEC-3416
Walking on solid ISE: advanced use cases
and deployment best practices
Manfred Brabec,
Nicolas Darchis,
Francesca Martucci,
Remi Vacher,
Federico Ziliotto
Monday 08:30-18:45
Tuesday
Action Steps
Complete your online
session survey
• Please complete your Online Session
Survey after each session
• Complete 4 Session Surveys & the Overall
Conference Survey (available from
Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco
Events Mobile App or the Communication
Stations
Continue Your Education
Thank you
Appendix
Add a Trusted Root Certificate in ISE
Administration>System>Certificates>Certificate Management>Trusted Certificates
Adding RADIUS Vendor Dictionaries
Policy>Policy Elements>Dictionaries>Radius>RADIUS Vendors
Changing the Persona and Enabling Services
Administration>System>Deployment>ISE-Node
• Avoid overload of PSN services
• Some services should be dedicated to one or more PSNs
Creating a Network Device Profile for 3rd Party Vendors
Administration>Network Resources>Network Device Profiles
Sample pxGrid Certificate Template
• In Windows PKI, copy the included Web Server template
• Add Client Authentication to the Application Policies for the template
Getting a Certificate Signing Request
Administration>System>Certificates>Certificate Management>Certificate Signing Requests
Getting a Certificate Signing Request (cont’d)
Administration>System>Certificates>Certificate Management>Certificate Signing Requests
• Importing the new certificate into ISE
Profiler Feed Service
Administration>Feed Service>Profiler
Critical ACL using Service Policy Templates
Apply ACL, VLAN, or SGT on RADIUS Server Failure
• Critical Auth ACL applied on Server Down
Diagram: port Gi1/0/2 with access VLAN, critical VLAN and voice VLAN; WAN or PSN down.
Platform support: 2k/3k/4k: 15.2(1)E; 3k IOS-XE: 3.3.0SE; 4k: IOS-XE 3.5.0E; 6k: 15.2(1)SY

Critical ACL – Deny PCI networks; Permit Everything Else:
ip access-list extended ACL-CRITICAL
 remark Deny access to PCI zone scopes
 deny tcp any 172.16.8.0 255.255.240.0
 deny udp any 172.16.8.0 255.255.240.0
 deny ip any 192.168.0.0 255.255.0.0
 permit ip any any

Default ACL – Only DHCP/DNS/PING/TFTP allowed:
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp

policy-map type control subscriber ACCESS-POLICY
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 activate service-template CRITICAL-ACCESS
!
service-template CRITICAL-ACCESS
 access-group ACL-CRITICAL
!
service-template CRITICAL_AUTH_VLAN
 vlan 10
!
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD
 match result-type aaa-timeout
 match authorization-status unauthorized