Mukesh Chanderia

ISE

Updated: Aug 4, 2022

ISE Use Cases





1) Visibility:

Which users and devices are on the network, and where are they connected? Where are the phones, printers, desktops, etc.?

Profiling: An information-gathering service used for dynamic detection and classification of endpoints connected to the network, using the MAC address as the unique identifier.

ISE collects various attributes for each network endpoint, classifies it against prebuilt or user-defined conditions, and builds an internal endpoint database of profiles.

These profiles include mobile clients (iPads, Android tablets, Chromebooks, etc.), desktop operating systems (for example Windows, Mac OS X or Linux), and devices such as printers, phones and cameras.

Change of Authorization: Change of Authorization (CoA) is a method by which authorization changes can be performed dynamically after the device or user has been authenticated.

Example: Cisco Firepower detects that a particular host is infected; it can communicate this to ISE through the RADIUS protocol.

ISE then uses CoA to push the policy to the switch: the particular port is made to reauthenticate, or may be placed in a quarantine VLAN, and only once all parameters are satisfied is the host allowed to join the network.

Once classified, endpoints can be authorized to the network and granted access based on their profile. For example, endpoints that match the IP phone profile can be placed into a voice VLAN using MAC Authentication Bypass (MAB) as the authentication method.
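The CoA exchange described above relies on both sides sharing a RADIUS secret: the switch only acts on a CoA-Request whose Request Authenticator it can recompute, and ISE only trusts a CoA-ACK bound to the request it sent. The following is an added example (not code from these notes or from ISE) that builds and verifies both packets per RFC 5176, with a Cisco cisco-avpair VSA carrying a constructed reauthenticate command; the MAC address, identifier and secret are sample values.

```python
"""RADIUS Change of Authorization (CoA, RFC 5176) packet authenticators.

Added illustration (not part of the original notes, not ISE code): the
Request Authenticator is how a switch (NAD) knows a CoA-Request really came
from a server holding the shared secret, and the Response Authenticator is
how the server validates the switch's CoA-ACK/NAK. Sample values are constructed.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID, VENDOR_SPECIFIC = 31, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Encode a Cisco vendor-specific attribute (Vendor-Id 9, vendor type 1)."""
    vendor_payload = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_payload)


def _header_and_attrs(code: int, identifier: int, attrs: bytes) -> tuple:
    length = 20 + len(attrs)          # 4-byte header + 16-byte authenticator + attributes
    return struct.pack("!BBH", code, identifier, length), attrs


def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Server side: CoA-Request whose Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header, body = _header_and_attrs(COA_REQUEST, identifier, attrs)
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """NAD side: recompute the Request Authenticator and compare. A packet
    forged without the secret (or altered in transit) fails here."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != COA_REQUEST:
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(received, expected)


def build_coa_response(request: bytes, ack: bool, secret: bytes, attrs: bytes = b"") -> bytes:
    """NAD side: CoA-ACK/NAK whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    code = COA_ACK if ack else COA_NAK
    header, body = _header_and_attrs(code, request[1], attrs)
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_coa_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: the response must carry our identifier and be bound to
    our request's authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, received, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample exchange: the server asks the switch to reauthenticate one endpoint.
SECRET = b"Cisco123!"
REAUTH_ATTRS = (attr(CALLING_STATION_ID, b"00-11-22-33-44-55")
                + cisco_avpair("subscriber:command=reauthenticate"))


def sample_exchange() -> dict:
    request = build_coa_request(identifier=7, attrs=REAUTH_ATTRS, secret=SECRET)
    nad_accepts = verify_coa_request(request, SECRET)
    ack = build_coa_response(request, ack=nad_accepts, secret=SECRET)
    forged = build_coa_request(identifier=7, attrs=REAUTH_ATTRS, secret=b"wrong-secret")
    return {
        "request_len": len(request),
        "nad_accepts": nad_accepts,
        "nad_rejects_forged": not verify_coa_request(forged, SECRET),
        "ack_code": ack[0],
        "server_accepts_ack": verify_coa_response(ack, request, SECRET),
    }


if __name__ == "__main__":
    print(sample_exchange())
```

The comparison uses a constant-time compare, and the NAD checks the Length field against the datagram before hashing, which is the check that stops a truncated or padded packet from being accepted; MD5 here is the algorithm the RFC mandates, not a choice of this example.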


2) Compliance:

Deeper visibility and control over devices, achieved through posture.

Posture: Posture conditions are the set of rules in our security policy that define a compliant endpoint. They can be applied to a default or a custom profile.

Posture is used for compliance checks, health checks and the remediation service.

3) Control:

Enable secure access for wired, wireless and VPN users.

4) Device Admin:

Role-based network device administration over TACACS+: the AAA (Authentication, Authorization and Accounting) concept for secure login and control.

5) Guest & Secure Wi-Fi:

Manage guest and corporate wireless network access with ease.

Example: A receptionist can be assigned the sponsor portal to create guest usernames and passwords. The guest account must have a validity period as per requirement.

Note: Guest users will have access to the internet.

The corporate network may have multiple SSIDs, but user login can be restricted to a particular SSID for security purposes.

6) BYOD:

Users love to work on their own devices. Company policy may not allow access to social media on corporate systems, yet users are still allowed to open social media on their personal mobile or tablet.

Obviously, they might be allowed to connect to the Guest SSID from their personal device so that they can reach the internet.

In this case, either the user has to submit their mobile/tablet to IT, or they can self-onboard the device.

Onboarding depends on compliance and profiling.

To help users onboard a device, ISE can redirect them to a remediation portal where all compliance policies are listed and the user is asked to complete certain tasks before onboarding, e.g. update the antivirus, install a certain batch file, etc.

What does ISE do when it onboards a device?

After a device passes all required criteria, ISE pushes a certificate to the device before onboarding.

This certificate can be self-signed, issued by an internal CA (for example a Microsoft server with the CA role), or issued by an external CA such as GoDaddy.

Each device is valid for a certain time, and once the certificate is unassigned the device is de-onboarded automatically.

Does ISE authenticate each BYOD device every day? Not every day, but every time the user connects, the device has to pass through all ISE policies in order to join the network.

How does ISE control mobile/tablet apps?

MDM is an application used for deploying, securing, monitoring, integrating and managing mobile devices.

The MDM software is downloaded to the mobile device/tablet and can be integrated with ISE to control the device.

7) Segmentation: Software-defined segmentation without IP addresses or VLANs.

1) Authorization Policy: read-only access or read-write access, allow only show commands, etc.

2) VLAN Allocation: dynamic allocation.

3) DACLs: IP-based ACLs pushed to devices.

4) SGT (Security Group Tag): Example: a user on VLAN 12 with IP address 192.168.12.x should have access to the same resources (the same policy has to be applied) as a user on VLAN 21 with an IP of 192.168.21.x.


ISE Architecture

Type of Services

Profiling: Information gathering, which leads to asset gathering.

Posture: Compliance check / Health check / Remediation profile

SGT: Segmentation

RADIUS: AAA of the data plane

TACACS+: AAA of the management plane

Node

Physical

SNS 3500

SNS 3600

Virtual

VMware: ESXi; KVM: RHEL 7

Hyper-V: Evaluation / Small / Medium / Large

Node Type

Inline or Promiscuous

Inline: ISE blocks unwanted traffic itself; this is usually used in a non-Cisco environment.

Promiscuous: The switch enforces the policy on behalf of ISE.

Persona

PAN: Policy Administration Node

It is responsible for the GUI of ISE; without the GUI, configuration can't be added or modified.

MNT: Monitoring & Troubleshooting Node

It is used for logging and generating reports.

PSN: Policy Service Node

It is used for the RADIUS / TACACS+ service.

PXG: Platform Exchange Grid Node

It is responsible for communication between ISE and other devices (both Cisco and other vendors).

The maximum number of nodes in an ISE deployment is 56:

2 nodes for Primary and Secondary

Primary unit has PAN, MNT, PSN & PXG active

Secondary unit has PAN, MNT standby & PSN & PXG active

2 nodes for MNT

2 nodes for Inline Posture

50 nodes for PSN

2 nodes for PXG

The 50 PSN nodes are identical; configuration is done on the WLC / switches / routers to choose which one is primary and which is secondary.

In case you want to assign dedicated nodes for PXG, there can be at most 2, and in that case the maximum number of PSN nodes will be 48.



Cisco ISE Distributed System





License

Licenses are uploaded to the Primary Administration Node (PAN) and propagated to the other Cisco ISE nodes in the cluster.

Base License

It is a perpetual license, i.e. it never expires. It is required for both the data plane and the management plane.

So, if there are 900 users who are required to authenticate against ISE and there are 100 devices (routers, switches, firewalls, etc.), then the total base license requirement will be 1000.

Plus License

This is used for the data plane. It covers profiling, visibility and compliance.

It can be purchased as a subscription of one, three or five years.

It is required for BYOD functionality in ISE.

Apex License

It is used for data plane traffic. It covers posture.

It can be purchased as a subscription of one, three or five years.

If you are using Cisco AnyConnect, you will need an Apex user license in addition to the Cisco ISE Apex license.

It is required for third-party Mobile Device Management (MDM) integration with ISE.

Device Administration

It is used for the management plane.

The number of device administration licenses must equal the number of Policy Service Nodes with the TACACS+ persona enabled on them.

VM License (Small, Medium & Large)

Evaluation License

It is valid for 90 days and provides full ISE functionality for up to 100 devices.

ISE License Consumption

Licenses are purchased for the number of concurrent users, i.e. the number of users logged in at one time.

Example: If there are 3 shifts in the company and in each shift there are 30 employees, then ideally 30 licenses for 90 employees is enough.

The base license is consumed by any active session (data or management plane).

An endpoint always consumes a base license, but depending on the features it is using it can consume Apex and Plus licenses as well.

The endpoint must consume the Plus license before it consumes an Apex license.


DATA PLANE

1500 endpoints (including guests)

- AAA

- Posture

- Profiles

MGMT PLANE

- 40 switches (40 licenses)

- 20 APs: no license needed, because logging in to an AP isn't required.

- 1 WLC (1 license)

show application status ise

Application Server is running ---> the GUI will work

The nodes can be seen, and one promoted to primary, under Administration --> Deployment.

ISE Node Setup

PAN failover

Manual: Go to the secondary node's GUI and promote it to primary.

Automatic: It requires 3 nodes.

The third node can be a dedicated node with only the health-check service running on it, and no other persona (no PAN, no MNT, no PSN, no pxGrid).

OR

It can be enabled on any third node that may be serving any other persona.

An F5 load balancer in an active/passive setup can be used.



Identity Management

To obtain user information for authentication and authorization, Cisco ISE can connect to external identity sources such as:

- Microsoft Active Directory

- LDAP

- RADIUS token servers

- RSA SecurID servers

- Certificate authentication profiles for certificate-based authentication (also counted as external identity sources)

To join ISE to AD, it must have DNS and correct time setup.

Administration --> Identity Management --> External Identity Sources


TACACS+ vs RADIUS

Terminal Access Controller Access Control System Plus (TACACS+): TCP port 49

Remote Authentication Dial-In User Service (RADIUS): UDP ports

1812 - Authentication & Authorization

1813 - Accounting

Legacy RADIUS ports:

1645 - Authentication & Authorization

1646 - Accounting



We covered till now:

ISE configuration

ISE Redundancy

ISE External ID Service

ISE ID Source Sequence

ISE PSN

Enable Device Admin Service: TACACS+

Device Profile Service: RADIUS


ISE Network Design (NAD) on the basis of Policy Sets:

NAD --> Network Access Device

Policy Set

It works with conditions and allowed protocols.

TACACS+: Allows the user to change their own password.
: Authentication protocols are PAP & CHAP

RADIUS: You rely on the ISE admin to change the password.
: Authentication protocols are PAP, CHAP & EAP

Policy sets enable you to logically group specific authentication and authorization policies within the same container (by location or device type).

You can have several policy sets matching different conditions, such as policy sets based on location, device type, access type, etc.

Say, if the location is Delhi, use Policy Set 1.

If the device type is Router, use Policy Set 2.

If matching on access type, then if the device is coming from VPN/wired/wireless, use Policy Set 3.

When you install ISE, there is always one policy set defined, which is the default policy set per type.

Policy sets are of two types:

- Device Admin Policy Sets: management plane; the protocol used is TACACS+

Path: Work Center --> Device Administrator --> Device Admin Policy Sets

- Network Access Policy Sets: data plane; the protocol used is RADIUS

Path: Policy --> Policy Set

* A wireless device connected to a WLC with the MSE ("Mobile Service Engine") feature will reveal the user's location, i.e. building and floor, and then it's possible to block the user on the basis of building and floor.


Policy Set - Conditions

Cisco ISE allows you to create conditions as individual, reusable policy elements that can be referenced from other rule-based policies.

Conditions can be of two types:

- Simple Condition

Device type equals Router

Note: Location or access type could be used in place of device type.

- Compound Condition

A compound condition is made up of one or more simple conditions connected by the AND / OR operators.

Compound conditions are built on top of simple conditions.

Compound conditions can be used on the fly, or saved and reused in other rule-based policies.

Device: Model Name Equals Cat6880

AND

Device: Location Equals Udaipur

AND

Network Access: Use case equals Wired_Dot1x
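To make the matching rules concrete, here is an added example (my own illustration, not ISE code) of how an ordered list of policy sets, each guarded by a simple or compound condition and ending in a default set, selects a set for a request by first match. The attribute names mirror the conditions above; the policy sets, protocol names and request attributes are constructed, and it generalises the page's three examples (location, device type, access type) to nested AND/OR conditions.

```python
"""Policy-set matching with simple and compound conditions.

Added illustration (not ISE's code): models how a request's attributes
are matched first-match against an ordered list of policy sets, each
guarded by a simple condition or an AND/OR compound of them, with a
default set catching everything else. Attribute names mirror the notes
(Device:Location, Device:Model Name, Network Access:Use case); sample
requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

Request = Dict[str, str]


@dataclass(frozen=True)
class Simple:
    """A simple condition: one attribute compared with one operator."""
    attribute: str
    operator: str   # "equals" | "not_equals" | "starts_with"
    value: str

    def matches(self, req: Request) -> bool:
        actual = req.get(self.attribute)
        if actual is None:          # a missing attribute never matches
            return False
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "not_equals":
            return actual != self.value
        if self.operator == "starts_with":
            return actual.startswith(self.value)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass(frozen=True)
class Compound:
    """AND / OR of child conditions (children may themselves be compound)."""
    operator: str   # "AND" | "OR"
    children: tuple

    def matches(self, req: Request) -> bool:
        results = (c.matches(req) for c in self.children)
        return all(results) if self.operator == "AND" else any(results)


@dataclass(frozen=True)
class PolicySet:
    name: str
    condition: Optional[object]     # None = default set, matches everything
    allowed_protocols: str

    def matches(self, req: Request) -> bool:
        return self.condition is None or self.condition.matches(req)


def select_policy_set(policy_sets: List[PolicySet], req: Request) -> PolicySet:
    """First-match evaluation, top to bottom; the default set must be last."""
    for ps in policy_sets:
        if ps.matches(req):
            return ps
    raise LookupError("no default policy set defined")


# Constructed policy sets in the spirit of the notes: a compound rule for
# wired 802.1X on one model at one site, then location, device type, access type.
POLICY_SETS = [
    PolicySet("Udaipur_Cat6880_Wired_Dot1x",
              Compound("AND", (
                  Simple("Device:Model Name", "equals", "Cat6880"),
                  Simple("Device:Location", "equals", "Udaipur"),
                  Simple("Network Access:Use case", "equals", "Wired_Dot1x"),
              )),
              allowed_protocols="Default Network Access"),
    PolicySet("Delhi", Simple("Device:Location", "equals", "Delhi"),
              allowed_protocols="Default Network Access"),
    PolicySet("Routers", Simple("Device:Type", "equals", "Router"),
              allowed_protocols="Default Device Admin"),
    PolicySet("Remote_Access",
              Compound("OR", (
                  Simple("Network Access:Use case", "equals", "VPN"),
                  Simple("Network Access:Use case", "starts_with", "Wireless"),
              )),
              allowed_protocols="Default Network Access"),
    PolicySet("Default", None, allowed_protocols="Default Network Access"),
]


def classify(req: Request) -> str:
    """Name of the policy set a request lands in."""
    return select_policy_set(POLICY_SETS, req).name


if __name__ == "__main__":
    sample = {"Device:Location": "Udaipur", "Device:Model Name": "Cat6880",
              "Network Access:Use case": "Wired_Dot1x"}
    print(classify(sample))     # Udaipur_Cat6880_Wired_Dot1x
```

Because evaluation is first match, a router located in Delhi lands in the Delhi set, not the Routers set; ordering the sets is part of the policy, and a request carrying none of the expected attributes falls through to the default set rather than matching nothing.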



Work Center --> Device Administrator --> Policy Elements

Allowed Protocols

Allowed protocols define the set of protocols that Cisco ISE can use to communicate with the device that requests access to the network resources.

Policy --> Results --> Authentication --> Allowed Protocols

Work Center --> Device Administrator --> Policy Elements --> Results --> Allowed Protocols

Policy Set Hierarchy

Work Center --> Device Administrator --> Policy Elements

This determines the sequence of authentication.

Work Center --> Device Administrator --> Device Admin Policy Sets

There is a default authorization policy which says "Deny all".

We are going to create a custom authorization policy which says "permit all",

and also one for the helpdesk to run all show commands.

Work Center --> Device Administrator --> Policy Elements --> Results --> TACACS Command Sets

Command Sets Processing Order

1) Deny_Always

2) Follow the sequence

Wild Card use
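The processing order above (Deny_Always first, then the listed rules in sequence, then the set's default for anything unlisted) is easiest to see in code. This is an added example of that evaluation, not ISE's implementation: the command word is matched literally and the argument pattern is a regular expression, and the helpdesk and admin command sets below are constructed to show each step deciding a different command.

```python
"""TACACS+ command-set evaluation: Deny_Always first, then sequence, then default.

Added illustration (not ISE's code) of the processing order in the notes: a
command is refused if any rule marked Deny_Always matches, otherwise the rules
are checked in listed order and the first matching Permit/Deny decides; if
nothing matches, the set's "permit any command not listed" flag decides
(default deny). In this model the command word is matched exactly and the
argument pattern is a regular expression. Rules below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    grant: str        # "PERMIT" | "DENY" | "DENY_ALWAYS"
    command: str      # e.g. "show", or "*" for any command word
    arguments: str    # regular expression over the argument string; "" = any

    def matches(self, command: str, args: str) -> bool:
        if self.command != "*" and self.command != command:
            return False
        return self.arguments == "" or re.fullmatch(self.arguments, args) is not None


@dataclass(frozen=True)
class CommandSet:
    name: str
    rules: Tuple[Rule, ...]
    permit_unmatched: bool = False   # "Permit any command that is not listed"

    def authorize(self, line: str) -> bool:
        command, _, args = line.strip().partition(" ")
        args = args.strip()
        # Step 1: Deny_Always rules win regardless of their position in the list.
        if any(r.grant == "DENY_ALWAYS" and r.matches(command, args) for r in self.rules):
            return False
        # Step 2: remaining rules in listed order; the first match decides.
        for r in self.rules:
            if r.grant in ("PERMIT", "DENY") and r.matches(command, args):
                return r.grant == "PERMIT"
        # Step 3: nothing matched; fall back to the set's default.
        return self.permit_unmatched


# Constructed helpdesk set: every show command except the running
# configuration, plus ping/traceroute; "reload" is refused no matter what.
HELPDESK = CommandSet("HelpDesk_ShowOnly", (
    Rule("DENY_ALWAYS", "reload", ""),
    Rule("DENY", "show", r"running-config.*"),
    Rule("PERMIT", "show", ""),
    Rule("PERMIT", "ping", r".*"),
    Rule("PERMIT", "traceroute", r".*"),
))

# Constructed admin set: everything, yet Deny_Always still blocks scheduled reloads.
ADMIN = CommandSet("NetAdmin", (
    Rule("DENY_ALWAYS", "reload", r"in.*"),
    Rule("PERMIT", "*", r".*"),
), permit_unmatched=True)


def decisions(command_set: CommandSet, lines: List[str]) -> List[bool]:
    """Authorize each command line with the given set."""
    return [command_set.authorize(line) for line in lines]


if __name__ == "__main__":
    for cmd in ["show ip route", "show running-config", "reload", "configure terminal"]:
        print(f"{HELPDESK.name}: {cmd!r} -> {HELPDESK.authorize(cmd)}")
```

The wildcard is the regular expression on the argument side: "running-config.*" denies both "show running-config" and "show running-config interface ...", while the later unconditional "show" permit never gets a chance to override it because the deny sits earlier in the sequence.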




Shell Profile








Cisco IOS Local Privilege Levels (Without ISE)


These steps are used on the NAD (router, switch or firewall) when ISE isn't available.


Step 1: Enable a privilege level between 2 and 14

Sw> enable
Sw# configure terminal
Sw(config)# enable secret level 3 cisco123
Sw(config)# end
Sw# exit
Sw> enable 3
(It will ask for the level-3 password, and the prompt changes)
Sw#

Step 2: Assign the commands that may be run at privilege level 3

Sw> enable
Sw# configure terminal
Sw(config)# privilege exec level 3 show running-config

Now suppose we want users with privilege level 6 to be able to configure RIP.

We know that to configure RIP, users must be able to enter configuration mode (configure terminal).

Sw> enable
Sw# configure terminal
Sw(config)# privilege configure level 6 router rip

(privilege exec level 6 configure terminal) This command does not need to be assigned to level-6 users, as it will be available to them by default, since it has already been assigned to users with level 3.

Note: By default, only privilege levels 1 and 15 are active.
: When a command is assigned to a lower level, it is automatically allowed for all higher levels.


IOS/IOS-XE/IOS-XR (With ISE)

AUTHENTICATION

We need to do management plane authentication to enter the IOS shell.

The shell has LINES, which can be further divided into character mode (console & AUX) and packet mode (SNMP, SSH, Telnet).

The user is allowed to enter privilege level 15, but each and every command has to be validated by ISE.

Hence, the user can type all commands, but output will only be displayed for the commands allowed for that privilege level.

Note: SNMP credentials can be authenticated by ISE, but not on all versions.

* aaa new-model

aaa authentication A B C D

A = the event you want to authenticate, e.g. login/ppp

B = the name of the authentication rule (the default keyword or a custom string)

C = the keyword group (refers to either tacacs+ or radius)

D = the group name, i.e. the identity store pointer (local/none/enable/radius/tacacs+/custom_string)



aaa new-model

tacacs server PSN01
 address ipv4 192.168.1.151
 key cisco123*

tacacs server PSN02
 address ipv4 192.168.1.161
 key cisco123*

aaa group server tacacs+ TACAS-GROUP
 server name PSN02
 server name PSN01

aaa authentication login AuthC group TACAS-GROUP local

- password incorrect (no fallback to local, access will be denied)
- user not found (no fallback to local, access will be denied)
- server(s) not responding (fallback to local, authenticate from the local usernames/passwords)

aaa authentication login AuthC group TACAS-GROUP none

- password incorrect (no fallback, access will be denied)
- user not found (no fallback, access will be denied)
- server(s) not responding (do not authenticate, permit access)

aaa authentication login AuthC group tacacs+ local

group tacacs+ --> includes all the TACACS+ servers defined on the device

aaa authentication login AuthC group ISE-GROUP local
aaa authentication enable default group ISE-GROUP enable --> the enable password can be set from ISE (ISE-GROUP here is a server group defined the same way as TACAS-GROUP above)

line vty 0 4
 login authentication AuthC
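The three bullet lists above describe one rule: the method list moves to the next method only when the current one cannot answer, never when it answers with a reject. The following added example (my own model, not Cisco code) simulates "group TACAS-GROUP local" and "group TACAS-GROUP none" against a constructed server group and a constructed local user table, so the difference between the two fallbacks during an outage is visible.

```python
"""AAA login method-list semantics: "group X local" versus "group X none".

Added illustration (not Cisco code) of the fallback rules in the notes: IOS
moves to the next method only when the current one is unreachable (ERROR),
never when it answers with a FAIL (wrong password or unknown user). So with
"group TACAS-GROUP none" an outage permits everyone, while "group TACAS-GROUP
local" falls back to locally defined users. Server state and users are constructed.
"""
from typing import Callable, Dict, List

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]


class TacacsGroup:
    """Constructed stand-in for a TACACS+ server group: a user database plus
    an 'up' flag. ERROR means no server in the group answered."""

    def __init__(self, users: Dict[str, str], up: bool = True):
        self.users, self.up = users, up

    def __call__(self, user: str, password: str) -> str:
        if not self.up:
            return ERROR
        return PASS if self.users.get(user) == password else FAIL


def local(users: Dict[str, str]) -> Method:
    """'local' method: the device's own username/password table."""
    return lambda u, p: PASS if users.get(u) == p else FAIL


def none(_user: str, _password: str) -> str:
    """'none' method: no authentication, always succeeds."""
    return PASS


def authenticate(method_list: List[Method], user: str, password: str) -> str:
    """Walk the method list: PASS/FAIL are final; ERROR tries the next method.
    Returns "PASS", "FAIL", or "ERROR" if every method was unreachable."""
    for method in method_list:
        result = method(user, password)
        if result in (PASS, FAIL):
            return result
    return ERROR


# Constructed identity stores.
ISE_USERS = {"alice": "ise-pass"}
LOCAL_USERS = {"admin": "local-pass"}


def scenario(server_up: bool, fallback: str, user: str, password: str) -> str:
    """fallback is 'local' or 'none', mirroring the two method lists in the notes."""
    group = TacacsGroup(ISE_USERS, up=server_up)
    last = local(LOCAL_USERS) if fallback == "local" else none
    return authenticate([group, last], user, password)


if __name__ == "__main__":
    # Server up: a wrong password is a FAIL, no fallback even with 'none'.
    print(scenario(True, "none", "alice", "wrong"))         # FAIL
    # Server down with 'local': only the local admin gets in.
    print(scenario(False, "local", "admin", "local-pass"))  # PASS
    # Server down with 'none': anybody gets in.
    print(scenario(False, "none", "nobody", "anything"))    # PASS
```

The last case is the one to watch for in a review of device configs: "none" as the trailing method is only acceptable where losing the server must never lock out access and the line is otherwise protected (console), not on VTY lines.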


AUTHORIZATION

Step 1: Prepare ISE for authorization by making changes in the shell profile.

Step 2: Configure the switch to check authorization with ISE.

aaa authorization exec Delhi group ISE-GROUP local

line vty 0 4
 authorization exec Delhi

Now users will log in directly at privilege level 15.




CISCO ASA AUTHENTICATION CONFIGURATION

ASA

domain-name mukesh.com
crypto key generate rsa modulus 2048 noconfirm

enable password Abc123*
username admin password Abc123* privilege 15

ssh 192.168.0.0 255.255.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside

aaa-server TACAS-GROUP protocol tacacs+
aaa-server TACAS-GROUP (inside) host 192.168.1.171
 key Cisco123!

aaa authentication telnet console TACAS-GROUP LOCAL
aaa authentication ssh console TACAS-GROUP LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACAS-GROUP LOCAL


Nexus has an inbuilt profile for Nexus.

show role --> see all preconfigured roles

Nexus9k# show role name network-operator

Nexus9k# show role name network-admin

Nexus9k# show user-account

On the Nexus switch run the following commands:

feature tacacs+

username admin password cisco

tacacs-server host 192.168.168.168 key Cisco123! timeout 10
tacacs-server host 192.168.168.169 key Cisco123! timeout 10

aaa group server tacacs+ TACACS-GROUP
 server 192.168.168.168
 server 192.168.168.169
 deadtime 10
 use-vrf default
 source-interface ethernet 1/1

aaa authentication login ascii-authentication

aaa authentication login default group TACACS-GROUP local

aaa authentication login console local

There are two ways to do command authorization in NX-OS:

- Command Sets (in ISE, allocated by ISE)

- The following commands are needed on the NAD:

aaa authorization commands default group TACACS-GROUP local

aaa authorization config-commands default group TACACS-GROUP local

Note: Command authorization disables user role-based access control (RBAC), including the default roles in NX-OS.


Wireless Controller


Step 1: Configure AAA server in ISE



Step 2: Define Priority Order





Cisco Secure Firewall Management Center (formerly Firepower Management Center)

RADIUS is supported for external authentication, not TACACS+.

Define the user role as per the attributes returned by ISE.

Users have to be created in FMC; for the password they can be redirected to the RADIUS server.

ISE Configuration for FMC

Step 1: Add the device

Step 2: Create an authorization profile

Step 3: Create a policy set

Match the protocol as RADIUS

Let the allowed protocols be Default

Create an authorization profile

Define the RADIUS Class attribute and set the device role to Administrator

Add an authorization policy, as the default policy is "Deny All"

Add a new authorization policy

Add conditions to it by clicking "+"





NETWORK ACCESS USING ISE

Authentication based on:

1) user / group

2) MAC address

3) Web-based AAA (certificate linked to user/group)

vlan 15
 name Limited

ip access-list extended InternetOnly
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 (assuming your internal network is on VLAN 10)
 permit ip any any

interface vlan 15
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 ip access-group InternetOnly in

interface Gi0/1
 description # PC Connection #
 switchport mode access
 switchport access vlan 1
 ---extra ISE related config---

So even though the PC is connected to VLAN 1, on the basis of the ISE configuration VLAN 15 will be pushed to the PC.

Note: The Ethernet protocol 802.3 doesn't support any type of authentication. So we use 802.1X for authentication, which rides over 802.3.

Devices which do not support 802.1X, like printers, are addressed by using the MAC Authentication Bypass (MAB) feature. When MAB is enabled, the controller uses the MAC address as the client identity.

Web-based authentication is where the user is redirected to a captive portal so that they can enter their username and password.


Asymmetric Key or public/private key pair

crypto isakmp key cisco123 address --> This key is only used to authenticate the peer, not to encrypt data

crypto isakmp policy 1
 authentication pre-share
 group 2 --> Diffie-Hellman group used to generate the public & private key pair
 encryption 3des
 hash sha
 lifetime 86400

Note: 3DES, SHA-1 and DH group 2 are considered weak today; AES, SHA-2 and DH group 14 or higher are the current recommendation.

Note: A Subject Alternative Name (SAN) certificate is a digital certificate which allows multiple hostnames to be protected by a single certificate. A SAN certificate may also be called a Unified Communications Certificate (UCC).

Root Certificate: This is the self-signed certificate of the CA. It is used to identify the CA.

Identity/User/Client Certificate: This certificate is issued by the CA to its client devices.



Use Case: A and B want to communicate securely using PKI

Enrollment Process

A should generate a CSR.

a) Generate a public/private key pair
b) Provide DN information (CN, O, OU, L, P, C, etc.)
c) Submit the CSR to the CA, GoDaddy.
d) Receive the identity certificate signed by GoDaddy.
e) Configure the identity certificate for use on the respective device.
f) Download the GoDaddy root certificate.

B should generate a CSR.

a) Generate a public/private key pair
b) Provide DN information (CN, O, OU, L, P, C, etc.)
c) Submit the CSR to the CA, DigiCert.
d) Receive the identity certificate signed by DigiCert.
e) Configure the identity certificate for use on the respective device.
f) Download the DigiCert root certificate.

Verification Process: Mutual Authentication Case

Steps:

A sends its identity certificate to B for acceptance.

a1. B calculates the hash of the received certificate's content.
a2. B decrypts the signature using the public key of A's CA.
a3. If the calculated hash equals the hash value in the signature, then the certificate is validated by B.

Now B will start using the public key of A, obtained from the validated identity certificate.

B sends its identity certificate to A for acceptance.

a1. A calculates the hash of the received certificate's content.
a2. A decrypts the signature using the public key of B's CA.
a3. If the calculated hash equals the hash value in the signature, then the certificate is validated by A.

Now A will start using the public key of B, obtained from the validated identity certificate.

Note: Mutual authentication is optional. It's possible that the server need not verify the client.

Your browser will validate google.com's certificate, but the reverse isn't required.
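The a1-a3 steps above, together with step f) of enrollment (each side must hold the other side's CA root), can be walked through in code. This is an added example of my own, not from the notes: two CAs standing in for GoDaddy and DigiCert issue one certificate each, and the verifier hashes the content, recovers the hash from the signature with the issuing CA's public key and compares. The signature algorithm is a textbook RSA stand-in built on fixed Mersenne primes with no padding, chosen so the example runs deterministically with the standard library; it is there to show the verification logic, not to be reused as real cryptography, and every name and key is constructed.

```python
"""Certificate issuance and the a1-a3 verification steps with a textbook RSA stand-in.

Added illustration (not code from the notes): two CAs (standing in for GoDaddy
and DigiCert) each sign one identity certificate; the verifier hashes the
certificate content, "decrypts" the signature with the issuing CA's public
key and compares the two hashes, exactly the a1-a3 steps. The RSA here uses
fixed Mersenne primes and no padding, so it is a teaching stand-in for the
real signature algorithm, not usable cryptography. All names are constructed.
"""
import hashlib
import json
from typing import Dict, Tuple

E = 65537   # public exponent; coprime to p-1 for every Mersenne prime used below


def keypair(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return (public, private) = ((n, e), (n, d)) for the textbook RSA stand-in."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def content_hash(content: Dict[str, object], n: int) -> int:
    """Step a1: hash the certificate content (canonical JSON), reduced mod n
    so the stand-in RSA can sign it."""
    digest = hashlib.sha256(json.dumps(content, sort_keys=True).encode()).digest()
    return int.from_bytes(digest, "big") % n


def issue(ca_name: str, ca_private: Tuple[int, int],
          subject: str, subject_public: Tuple[int, int]) -> Dict:
    """The CA signs the hash of {subject, issuer, subject public key}."""
    n, d = ca_private
    content = {"subject": subject, "issuer": ca_name, "public_key": list(subject_public)}
    return {"content": content, "signature": pow(content_hash(content, n), d, n)}


def verify(cert: Dict, trust_store: Dict[str, Tuple[int, int]]) -> bool:
    """Steps a1-a3 plus the prerequisite from enrollment step f): the verifier
    must already hold the issuing CA's root (public key) in its trust store."""
    issuer = cert["content"]["issuer"]
    if issuer not in trust_store:
        return False                                    # unknown CA: cannot validate
    n, e = trust_store[issuer]
    calculated = content_hash(cert["content"], n)       # a1
    from_signature = pow(cert["signature"], e, n)       # a2
    return calculated == from_signature                 # a3


# Constructed PKI: two CAs and two devices, each on a different pair of
# Mersenne primes (2**61-1, 2**89-1, 2**107-1, 2**127-1 are all prime).
GODADDY_PUB, GODADDY_PRIV = keypair(2**61 - 1, 2**89 - 1)
DIGICERT_PUB, DIGICERT_PRIV = keypair(2**107 - 1, 2**127 - 1)
A_PUB, _A_PRIV = keypair(2**127 - 1, 2**61 - 1)
B_PUB, _B_PRIV = keypair(2**89 - 1, 2**107 - 1)

CERT_A = issue("GoDaddy", GODADDY_PRIV, "A", A_PUB)
CERT_B = issue("DigiCert", DIGICERT_PRIV, "B", B_PUB)


def mutual_authentication() -> Dict[str, bool]:
    """A trusts DigiCert (B's CA); B trusts GoDaddy (A's CA)."""
    a_trust = {"DigiCert": DIGICERT_PUB}
    b_trust = {"GoDaddy": GODADDY_PUB}
    tampered = {"content": dict(CERT_A["content"], subject="Mallory"),
                "signature": CERT_A["signature"]}
    return {
        "B_accepts_A": verify(CERT_A, b_trust),
        "A_accepts_B": verify(CERT_B, a_trust),
        "B_rejects_tampered_A": not verify(tampered, b_trust),
        "A_cannot_verify_A_without_GoDaddy_root": not verify(CERT_A, a_trust),
    }


if __name__ == "__main__":
    print(mutual_authentication())
```

The last result is the practical point of step f): A holds only DigiCert's root, so it could not validate its own GoDaddy-issued certificate, and a peer that has not imported the right root will fail validation even on a perfectly good certificate.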


802.1X Terminology

PPP has PAP/CHAP.

PPPoE: PPP over Ethernet.

The Extensible Authentication Protocol (EAP) rides over Ethernet.

The supplicant uses EAPOL or PPPoE to communicate with the authenticator.

The authenticator uses RADIUS to communicate with the authentication server (ISE/LDAP).

How to enable or disable EAP flavours in ISE?

You can do this in the Default Allowed Protocols section.







Cisco IOS NAD -- Dot1x Initialization

aaa new-model

radius server ISE
 address ipv4 192.168.1.171
 key Cisco123!

Change of Authorization command (optional):

aaa server radius dynamic-author
 client 192.168.1.171 server-key Cisco123!

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

dot1x system-auth-control



Start configuring ports on the switch

interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
 dot1x pae authenticator
 authentication port-control auto

authentication port-control options:
- auto: the port is authorized as per ISE
- force-authorized: data traffic is allowed without checking with ISE
- force-unauthorized: data flow is not allowed, even if ISE says it's good

Low Impact: DACLs are pushed by ISE, which override the existing ACL (if present)

ip access-group 101 in ---> it's present on the port and will be overridden by the DACL pushed from ISE

no authentication open ---> High Security (closed mode)

authentication open --> Monitor mode

mab --> enable MAB on the interface

authentication order mab dot1x --> try to authenticate the device by MAB first, and if that is not successful then try dot1x

authentication priority dot1x mab --> in case the device supports dot1x it will send an "EAPoL-Start" frame; if that is detected, dot1x will be used for authentication first and MAB later.

authentication host-mode single-host | multi-host | multi-auth | multi-domain

Sample Config

aaa new-model

radius server ISE
 address ipv4 192.168.0.1
 key Cisco123!

aaa server radius dynamic-author
 client 192.168.0.1 server-key Cisco123!

(plus the aaa authentication/authorization/accounting dot1x lines and dot1x system-auth-control from the initialization section above)

Switchport config

interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
 dot1x pae authenticator
 authentication port-control auto
 no authentication open
 mab
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication host-mode single-host


ISE configuration for MAB

Go to ID Groups (can be reached through multiple paths)

Work Centers --> Network Access --> Id Groups

Endpoint Identity Groups: collection of MAC addresses

User Identity Groups: collection of users

Step 1: Create a new group or use an existing one.

Let's say we want to add a new group to Endpoint Identity Groups named PRINTERS.

Step 2: Add an endpoint, which is the MAC address of the device.

Note: If you enable profiling, the endpoint is automatically added to the group.

Step 3:

Here we are pushing VLAN 110 from ISE to the switchport (it's optional).

show authentication sessions interface fa0/1


Wireless MAB

Step 1: Configure the WLC to talk to ISE

Step 2: Enable MAB on the WLC

Check the "MAC Filtering" box

Step 3: Allow ISE to use CoA (Change of Authorization)

ISE Configuration

Step 4: Create an authentication profile

Step 5: Create an authorization profile

Step 6: Create an authorization rule

How to control which SSID a client can connect to?

Change the authorization rules to match the VLAN ID.

Control Traffic by ACL

Step 1: Create the ACL on the WLC

Step 2: Add rules to the ACL, just as we do in a normal ACL

Step 3: Apply the ACL in the authorization policy when you push the VLAN

Step 4: You may apply this ACL on any WLAN manually through "Override Interface ACL" and selecting the ACL in the drop-down menu.

Step 5: Push the ACL through ISE (either this step or Step 4 has to be followed)

Step 6: Now go to the client to whom the above policy has been applied and you will find the ACL there.




DACLs

DACLs are used in "Low Impact" port control and are pushed to the switch.

Step 1: Create a downloadable ACL

Step 2: Link it with an authorization profile

Additionally, the following commands have to be configured on relatively older IOS NADs for DACLs to work:

ip device tracking

radius-server vsa send

PORTALS

Guest users will by default become part of a contractor group, which has different policies.

We may create our own group as well.

This "vlan-redirect" authorization profile redirects guest users to the captive portal.

The Hotspot profile redirects to the "Hotspot" guest portal.

The "redirect" ACL is created on the WLC.



ISE PROFILING

Step 1: Take the MAC address of the device and find out its OUI

Step 2: Set a condition to match the OUI

Step 3: Create a profiler policy

In the policy we set a condition that if the OUI matches, then the certainty factor is 10.

Note: Here we are creating an Endpoint ID Group along with the profiling policy.

So, while creating an authorization policy, we have the option to match either on the basis of the profiling policy or the Endpoint ID Group.

Note: Since the profiling feature has been used for the IoT sensor, it is going to consume a Plus license along with a base license.
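The three profiling steps above (extract the OUI, match it in a condition, add the condition's certainty to a policy that needs a minimum total) are shown below in an added example of my own, not ISE's profiler. It normalises the common MAC notations to an OUI, scores each profiler policy by summing the certainty of its matched conditions, and assigns the best policy only when that total reaches the policy's minimum certainty; the OUI values, the DHCP class hint and the policies are constructed sample data, not a vendor database.

```python
"""OUI-based endpoint profiling with certainty factors.

Added illustration (not ISE's profiler): each profiler policy lists
conditions with a certainty weight; an endpoint is assigned the policy whose
matched conditions sum to the highest total, provided that total reaches the
policy's minimum certainty. The OUI table and the DHCP hints are constructed
sample data, not a real vendor database.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def oui(mac: str) -> str:
    """Normalise 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' or 'AA:BB:...' to the
    first three octets, upper-case, colon separated."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))


@dataclass(frozen=True)
class Condition:
    attribute: str      # "OUI" or "dhcp-class-identifier" in this model
    value: str
    certainty: int


@dataclass(frozen=True)
class ProfilerPolicy:
    name: str
    minimum_certainty: int
    conditions: Tuple[Condition, ...]
    endpoint_group: str = ""     # the Endpoint ID Group created alongside the policy

    def score(self, endpoint: Dict[str, str]) -> int:
        """Sum the certainty of every condition the endpoint's attributes satisfy."""
        return sum(c.certainty for c in self.conditions
                   if endpoint.get(c.attribute) == c.value)


def profile(endpoint: Dict[str, str], policies: List[ProfilerPolicy]) -> Optional[str]:
    """Return the name of the best-scoring policy, or None if no policy
    reaches its minimum certainty (the endpoint stays 'Unknown')."""
    best: Tuple[int, Optional[str]] = (0, None)
    for policy in policies:
        total = policy.score(endpoint)
        if total >= policy.minimum_certainty and total > best[0]:
            best = (total, policy.name)
    return best[1]


def endpoint_from(mac: str, dhcp_class: str = "") -> Dict[str, str]:
    """Build the attribute set the profiler sees for one endpoint."""
    attrs = {"MAC": mac, "OUI": oui(mac)}
    if dhcp_class:
        attrs["dhcp-class-identifier"] = dhcp_class
    return attrs


# Constructed OUI values and policies (the OUIs are placeholders, not real vendors).
POLICIES = [
    ProfilerPolicy("IoT-Sensor", minimum_certainty=10,
                   conditions=(Condition("OUI", "AA:BB:CC", 10),),
                   endpoint_group="IoT-Sensors"),
    ProfilerPolicy("Office-Printer", minimum_certainty=20,
                   conditions=(Condition("OUI", "11:22:33", 10),
                               Condition("dhcp-class-identifier", "Printer-OS", 20)),
                   endpoint_group="PRINTERS"),
]


if __name__ == "__main__":
    print(profile(endpoint_from("aabb.cc01.0203"), POLICIES))                    # IoT-Sensor
    print(profile(endpoint_from("11-22-33-44-55-66"), POLICIES))                 # None
    print(profile(endpoint_from("11:22:33:44:55:66", "Printer-OS"), POLICIES))   # Office-Printer
```

The second policy shows why a single OUI condition with certainty 10 is a weak identity: a MAC address is trivially spoofable, so the printer policy demands a second, independent attribute before it reaches its minimum certainty, whereas the IoT policy above accepts the OUI alone, exactly as the notes configure it.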


Remote Access VPN Admission Control

Configuration to be done on the firewall:

aaa-server RADIUS-GROUP protocol radius
aaa-server RADIUS-GROUP (outside) host 192.168.1.1 key Cisco123!

tunnel-group AnyConnect-TG type remote-access

tunnel-group AnyConnect-TG general-attributes
 address-pool AnyConnect-Pool
 authentication-server-group RADIUS-GROUP
 default-group-policy AnyConnect-GP

tunnel-group AnyConnect-TG webvpn-attributes
 group-alias "IT staff" enable

Let's configure ISE for VPN authentication

Step 1: Create an authorization policy to match the group policy on the VPN

Note: In the WLC case, the access list ("Airespace ACL") was created on the WLC and only its name was configured in ISE, to push it to the client as per the authorization policy.

Similarly, the group policy is created locally on the ASA, and only its name will be put in ISE so that it can use AD credentials to allow users.

Step 1: Create an authentication profile

Step 2: Create an authorization profile

Step 3: Create a policy set




ISE PKI CERTIFICATES

In the case of an external CA, generate a CSR from ISE and submit the CSR to the CA.

The CA will issue an "identity certificate" to ISE.

Upload the "identity certificate" in ISE and select the role it is to be used for.

Also download the "Root Certificate" of the CA and upload it under trusted certificates.

On a Windows system you need to start the "Wired AutoConfig" service.

By default, there are just the Networking and Sharing tabs.

After starting the service, the "Authentication" tab will appear.

Now we can define an authorization profile with conditions such that if the user is coming from wired/wireless, a particular VLAN must be pushed from ISE.

Obviously, this isn't implemented in corporate networks.




TrustSec

SGT is Cisco's metadata, i.e. developed by Cisco. It uses 802.1AE.

The SGT is inserted by ISE on a per-user basis and flows to the firewall to implement SGACLs.

SXP Enablement in the Data Plane

BYOD (BRING YOUR OWN DEVICE)

A native supplicant will be pushed by ISE to do the complex configuration on the device, i.e. 802.1X.

For checking the posture of the device, MDM/EMM applications are installed on the device; these can integrate with ISE to check the device's posture.

It's very important, as the user can install applications which could be vulnerable and pose a security threat to the network.

My Devices Portal

ISE AUTOMATES THE BYOD WORKFLOW

An authorization profile is configured to push the native supplicant via the BYOD portal.

POSTURE

Posture and compliance are correlated.

An agent (Cisco AnyConnect) is pushed to the system, which validates all compliance policies (e.g. the firewall is on).

If the policies are matched then access is allowed; if not, the user is redirected to a remediation portal.

