top of page
Writer's pictureMukesh Chanderia

ISE

Updated: Aug 4, 2022

ISE Use Cases





1) Visibility:


What all users & devices are on the network and where are they connected. Where are phones, printers, Desktop etc.


Profiling: It is an information gathering service which is used for dynamic detection and classification of endpoints connected to the network using MAC addresses as the unique identifier.


ISE collects various attributes for each network endpoint to classify it to build an internal endpoint database it could be based on prebuilt or user-defined conditions & creates profiles.


These profiles include mobile clients (iPads, Android tablets, Chromebooks etc.), desktop operating systems (for example, Windows, Mac OS X or Linux), and devices such as printers, phones, cameras


Change of Authorization: Change of authorization (CoA) is a method by which authorization changes can be performed dynamically after the device or user is authenticated.


Example: Cisco Firepower detects that a particular host is infected then it could communicate this to ISE through Radius protocol.


ISE through COA push the policy to switch to put particular port to reauthenticate or may be put that port in quarantine vlan and once all parameters are satisfied then only allow to join the network.


Once classified, endpoints can be authorized to the network and granted access based on their profile. For example, endpoints that match the IP phone profile can be placed into a voice VLAN using MAC Authentication Bypass (MAB) as the authentication method.


2) Compliance:


Deeper visibility and control over devices. It is achieved through posture.


Posture: Posture conditions are the set of rules in our security policy that define a compliant endpoint. It can be applied to default or custom profile.


It is used for Compliance check, health check and Remediation service.


3) Control:


To enable Secure access on wired, wireless & VPN users.


4) Device Admin:


Role base network device administrator over TACAS+: AAA (Authentication, Authorization and Accounting) concept for secure login & control.


5) Guest & Secure Wi-Fi:


Manage Guest & Corporate Wireless Network Access with ease.


Example: Receptionist can be assigned sponsor portal to create Guest user and password. The user account must have validity as per requirement.


Note: Guest users will have access to the internet.

Corporate network may have multiple SSID but user login can be restricted on particular SSID for security purposes.

6) BYOD:


Users love to work on their own devices. May be company's policy doesn't allow to access social media on corporate systems but they still allow users to open social media on their personal mobile or tablet.

Obviously, they might be allowed to connect to Guest SSID from their personal device so they could connect to internet.

Now in this case either user have to submit their mobile/tablet to IT or they could self-board their device.


Onboarding will depend on Compliance and Profiling.

To help users to onboard device ISE can redirect towards remediation portal where all policies regarding compliance are listed and user is suggested to complete certain tasks to onboard device say update antivirus, install certain batch file etc.

What ISE do when it onboard a device?

After a device passes all required criteria, the ISE pushes a certificate to device before onboarding.

This certificate could be self-sign or CA authority internal like Microsoft Server assigned CA Role or external CA like GoDaddy.

Each device is valid for a certain time and once the certificate is unassigned it would be deboarded automatically.

Do ISE authenticate each BYOD every day? It's not every day but every time user connects to ISE it has to pass through all policies in order to connect to network.


How do ISE control Mobile/Tablet apps?

MDM is an application which could be used for deploying, securing, monitoring, integrating and managing mobile devices.


The MDM software that is downloaded to the mobile device/Tablet and can be integrated with ISE to control device.

7) Segmentation: Software defined segmentation without Ip or vlans.

1) Authorization Policy: Read Only Access or Read Write Access, allow to run only show command etc.

2) Vlan Allocation: Dynamic Allocation

3) DACLs: IP based ACLs to devices.

4) SGT: Security Group Tag: Example user with vlan 12 with ip address 192.168.12.x should have access to all resources (same policy has to be applied) which is access by user on vlan 21 which is having ip of 192.168.21.x


ISE Architecture




Type of Services


Profiling: Information Gathering which leads to asset gathering.

Posture: Compliance check / Health Check / Remediation Profile

SGT: Segmentation

Radius: AAA of Data Plane

Tacas : AAA of Management Plane



Node


Physical


SNS 3500

SNS 3600

Virtual

Vmware : Esxi KVM: RHEL 7

Hyper-V: Evaluation / Small / Medium / Large


Node Type


Inline or Promiscuous


Inline: ISE blocks unwanted traffic, It's usually in non cisco environment


Promiscuous: Switch push policy on behalf of ISE




Persona


PAN: Policy Administration Node

It is responsible for GUI of ISE and without GUI configuration can't be added or modified.


MNT: Monitoring & Troubleshooting Node

It is used for Logging & Generating Report


PSN: Policy Service Node:

It is used for Radius / Tacas service


PXG: Platform Exchange Grid Node

It is responsible for communication between ISE and other devices (Both Cisco & other Vendors)


Maximum Nodes in ISE deployment is 56


2 Nodes for Primary and Secondary

Primary unit has PAN, MNT, PSN & PXG active

Secondary unit has PAN, MNT standby & PSN & PXG as active

2 Nodes for MNT

2 Nodes for Inline Posture

50 nodes for PSN

2 nodes for PXG


50 PSN nodes are identical and configuration is done on WLC / Switches / Routers to choose which is primary and which is secondary.


In case you want to assign dedicated nodes for PXG then it could be max 2 & in that case max nodes for PSN will be 48



Cisco ISE Distributed System





License



Licenses are uploaded to the Primary Administrative Node (PAN) and propagated to other cisco ISE nodes in the cluster.


Base License


It is a perpetual license i.e. will never expire. It is required for both Data Plane & Management Plane.


So, if there are 900 users who are required to do authentication from ISE and there are 100 devices (router, switches, firewall etc.) then total base license requirement will be 1000.


Plus License


This is used for data planes. It consists of Profiling, visibility and compliance.

It can be purchased on the basis of subscription of one, three or five years.


It is required for BYOD for ISE functionality.


Apex License


It is used for Data Plane traffic. It is regarding Posture.

It can be purchased on the basis of subscription of one, three or five years.

If you are using cisco AnyConnect then you will need Apex user license in addition to Cisco ISE Apex License.


It is required for third party Mobile Device Management (MDM) integration with ISE.


Device Administration


It is used for management planes.

The number of device management licenses must be equal to the number of policy service nodes with TACAS persona enabled on them.


VM License (Small, Medium & Large)


Evaluation License


It's valid for 90 Days and has all full ISE functionality provided up to 100 devices.


ISE License Consumption


Purchased license for number of concurrent users i.e. the number of users logs at a time.


Example: If there are 3 shifts in the company and in each shift, there are 30 employees then ideally 30 licenses for 90 employees is good.


The base license is consumed for any active license (Data or management plane).


An endpoint will be going to consume base license but depending on feature it is using it can consume Apex & Plus license as well.


The endpoint must consume the PLUS license before it consumes an Apex license.


DATA PLANE


1500 endpoints (including Guest)

- AAA

- Posture

- Profiles


MGMT PLANE

- 40 Switches (40 licenses)

- 20 APs: No license needed because logging in AP isn't required.

- 1 WLC (1 license)


show application status?


Application Server is running ---> GUI will work


The number of nodes can be seen & promoted as primary configured for ISE as Administrator --> Deployment


ISE Node Setup


PAN failover


Manual: Go to secondary Node GUI and promote it as primary.


Automatic: It requires 3 nodes.


The third node can be dedicated node only having health check services running on it.

No other persona running on it (No PAN, No MNT, No PSN, No PXGRID)


OR


It can be enabled on any third node that may be serving any other persona.


F5 with active passive setup can be used.



Identity Management


To obtain user information for authentication and authorization Cisco ISE can connect with external identity sources such as


-Microsoft Active Directory

-LDAP

-Radius Token

-RSA SecureID servers

-External identity sources also include certificate authentication profiles for certificate-based authentications


To join ISE to AD, it must have DNS and correct time setup.


Administration --> Identity Management --> External Identity Sources


TACACS+ Vs RADIUS


Terminal Access Controller Access Control System (TACACS)


Remote Access Dial In User Service (RADIUS)





1812 - Authentication & Authorization

1813 - Accounting


1645 - Authentication & Authorization

1646 - Accounting



We covered till now


ISE configuration

ISE Redundancy

ISE External ID Service

ISE ID Source Sequence

ISE PSN

Enable Device Admin Service: Tacas

Device Profile Service: Radius


ISE Network Design (NAD) on the basis of Policy Set:


NAD --> Network Access Device


Policy Set


It works under conditions & allowed protocols.


TACACS+: Allows change in password to user

: Authentication protocols are PAP & CHAP


RADIUS: You rely on ISE admin to change password

: Authentication protocols are PAP, CHAP & EAP



Policy sets enable you to logically group specific authentication & authorization policies within the same container (location wise or device type).


You can have several policies sets matching different conditions such as policy sets based on location, device type & access type etc.


Say, if location is Delhi put Policy Set 1

If the device type is Router, then put policy Set 2

If access type then if device is coming from VPN/wired/wireless then set Policy 3


When you install ISE, there is always one policy set defined, which is the default policy set per type.


Policy sets are of two types:


- Device Admin Policy Sets: Data Plane & Protocol used is Radius


Path: Policy --> Policy Set


- Network Access Policy Sets: Management Plane & Protocol used is TACAS+


Path: Work Center --> Device Administrator --> Device Admin Policy Sets


* Wireless Device connected to WLC having MSE "Mobile Service Engine" feature will tell user location i.e. building & floor and then it's possible to block user on basis of building and floor.


Policy Set - Conditions


Cisco ISE allows you to create conditions as individual, reusable policy elements that can be referred to from other rule-based polices.


Conditions can be of two types:


- Simple Condition



Device type equals to Router


Note: There could location or access type could be used in place of Device


- Compound Condition


Compound condition is made up of one or more simple conditions that are connected by the AND, OR operator.


Compound conditions are built on top of simple conditions.


Compound conditions can also be used on a fly or saved and used in other rule-based policies.


Device: Model Name Equals Cat6880


AND


Device: Location Equals Udaipur


AND


Network Access: Use case equals Wired_Dot1x



Work Center --> Device Administrator --> Policy Elements




Allowed Protocols


Allowed protocols define the set of protocols that Cisco ISE can use to communicate with the device that requests access to the network resources.


Policy --> Results --> Authentication --> Allowed Protocols


Work Center --> Device Administrator --> Policy Elements --> Results --> Allowed Protocols





Policy Set Hierarchy






Work Center --> Device Administrator --> Policy Elements






Now this determines the sequence of authentication











Work Center --> Device Administrator --> Device Admin Policy Sets


There is default authorization policy which says Deny all


We are going to create a custom authorization policy which says "permit all"


and also, for helpdesk to run all show command


Work Center --> Device Administrator --> Policy Elements --> Result --> TACAS command sets




Commands Sets Processing Order


1) Deny_Always

2) Follow the Sequence





Wild Card use




Shell Profile








Cisco IOS Local Privilege Levels (Without ISE)


These steps are being used on NAD (Router, switch or firewall) when ISE isn't available.


Step 1: Enable Privilege level from 2-14


Sw>en

Sw # config t

Sw # enable secret level 3 cisco123

Sw# exit

Sw>enable 3

Will ask for password and prompt changes

Sw#


Step 2: Assign permissions to be run in privilege level 3


Sw>en

Sw# config t

# Privilege exec level 3 show running config


Now suppose we want users with privilege level 6 to configure rip


We know that for configuring rip users must be able to login in config terminal


Sw>en

Sw# config terminal

# Privilege exec level 6 router rip


(Privilege exec level 6 configures terminal) This command is not required to assign to level 6 user as it will available to it by default as it has been assigned to users with level 3



Note: By default, privilege level 1 and 15 are active.

: When any command is applied to a lower level then it is automatically allowed for all higher levels


IOS/IOS-XE/IOS-XR (With ISE)


AUTHENTICATION


We need to do management plane authentication to enter IOS shell.


Shell has LINES which can be further divided into Character (Console & AUX) Mode & Packet Mode (SNMP, ssh, telnet).


User is allowed to enter in privilege level 15 but each and every command has to be validated by ISE.


Hence, the user can type all commands but output will be displayed for only allowed commands as per privilege level.


Note: SNMP credentials can be authenticated by ISE but it's not for all versions.


*aaa new-model


aaa authentication A B C D


A = event you want to authenticate ex login/ppp


B = name of the authentication rule (default keyword/Custom_String)


C = Keyword group (refers to either tacas+ or radius)


D = group name Identitu Store Pointer (local/none/enable/radius/tacas/custom_string)



aaa new-model


tacas server PSN01

address ipv4 192.168.1.151

key cisco123*


tacas server PSN02

address ipv4 192.168.1.161

key cisco123*


aaa group server tacas TACAS-GROUP

server name PSN02

server name PSN01


aaa authentication login AuthC group TACAS-GROUP local


- password incorrect (no fallback to local, access will be denied)

- user not found (no fallback to local, access will be denied)

- server(s) not responding (fallback to local, authenticate from local username/passwords)


aaa authentication login AuthC group TACAS-GROUP none


- password incorrect (no fallback to local, access will be denied)

- user not found (no fallback to local, access will be denied)

- server(s) not responding (do not authenticate, permit access)


aaa authentication login AuthC group tacas+ local


tacas+ --> it will include all the tacas server defined



aaa authentication login AuthC group ISE-GROUP local

aaa authentication enable default group ISE-GROUP enable --> enable password can be set from ISE


line vty 0 4

login authentication AuthC


AUTHORIZATION


Step 1: Prepare ISE for authorization by making changes in shell profile




Step 2: Configure switch to check authorization from ISE


aaa authorization exec Delhi group ISE-GROUP local


line vty 0 4

authorization exec Delhi


Now users will directly login in privilege 15




CISCO ASA AUTHENTICATION CONFIGURATION


ASA


domain-name mukesh.com

crypto key generate rsa modules 2048 noconfirm


enable password Abc123*

username admin password Abc123* privilege 15


ssh 192.168.0.0 255.255.0.0 inside

telnet 192.168.0.0 255.255.0.0 inside


aaa-server TACAS-GROUP protocol TACAS+

aaa-server TACAS-GROUP (inside) host 192.168.1.171


key Cisco123!


aaa authentication telnet console TACAS-GROUP local

aaa authentication ssh console TACAS-GROUP local

aaa authentication serial console local

aaa authentication enable console TACAS-GROUP local


Nexus has an inbuilt profile for Nexus





show role to see all preconfigured roles


Nexus9k# show role name network-operator


Nexus9k# show role name network-admin


Nexus9k# show user-account






on Nexus switch run following commands


feature tacas+


username admin password cisco


tacas-server host 192.168.168.168 key Cisco123! timeout 10

tacas-server host 192.168.168.169 key Cisco123! timeout 10


aaa group server TACACS+ TACACS-GROUP


server 192.168.168.168

server 192.168.168.169


deadtime 10


use-vrf default


source-interface Ethernet 1/1


aaa authentication login ascii-authentication


aaa authentication login default group TACAS-GROUP local


aaa authentication login console local There are two ways for command authorization in NX-OS


-Command Sets (in ISE, Allocated by ISE)


-Following commands needed on NAD


aaa authorization commands default group TACAS-GROUP local


aaa authorization config-commands default group TACAS-GROUP local


Note: Command authorization disables user role-based authorization control (RBAC), including the default roles in NX-OS


Wireless Controller


Step 1: Configure AAA server in ISE



Step 2: Define Priority Order





Cisco Secure Firewall Management Center (formerly Firepower Management Center)


Radius is supported for external authentication & not TACAS +




Define the user role as per attributes returned by ISE





Users have to be created in FMS & for password they can be redirected to radius server.





ISE Configuration for FMS


Step 1: Add Device




Step 2: Create an authorization profile




Step 3: Create a Policy Set




Match Protocol as Radius




Let allowed Protocol be Default



Create an Authorization Profile




Define Radius Class and put device role as Administrator







Add authorization policy as default policy is to "Deny ALL"




Add new Authorization policy




Add Conditions to it by clicking "+"





NETWORK ACCESS USING ISE




Authentication based on


1) user / group

2) Mac address

3) Web based AAA (Certificate linked to user/group)


Vlan 15

name Limited


ip access extended InternetOnly

deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 (assuming your internal network is on vlan 10)

permit ip any any


interface vlan 15

ip add 192.168.1.1 255.255.255.0

no shut

ip access-group InternetOnly in


interface Gi0/1

Description # PC Connection #

switchport mode access

switchport access vlan 1

---extra ise related config---


And then even PC is connected to vlan 1 but on basis of ISE configuration vlan 15 will be pushed to PC.


Note: Ethernet protocol 802.3 doesn't support any type of authentication. So, we use 802.1x for authentication which rides over 802.3.


For devices which do not support 802.1x like printers are addressed by using the MAC authentication bypass (MAB) feature. When MAB is enabled, the controller uses the MAC address as the client identity.


Web Based Authentication is something in which the user is redirected towards Captive portal so that user can put his username and password.


Asymmetric Key or public/private key pair


crypto isakmp key cisco123 address --> This key is just to authenticate peer not to encrypt data


Crypto iskamp policy 1

authentication pre-share

group 2 --> Diffie–Hellman key to generate public & private key

enc 3des

hash sha

lifetime 86400


Note: A Subject Alternate Name (or SAN) certificate is a digital security certificate which allows multiple hostnames to be protected by a single certificate. A SAN certificate may also be called a Unified Communication Certificate (or UCC).


Root Certificate: These are self -signed certificate of CA.It is used to identify CA.


Identity/User/Client: This certificate has been issued by CA to its client devices.



Use Case : A and B want to communicate securely using PKI


Enrollment Process


A should generate CSR.


a) Generate Public Private Key Paie

b) Provide DN information (CN, O, OU, L, P, C etc)

c) Submit CSR to CA Go Daddy.

d) Receive Identity Certificate signed by Go Daddy.

e) configure identity certificate for use on respected device.

f) download Go Daddy root certificate.



B should generate CSR.


a) Generate Public Private Key Paie

b) Provide DN information (CN, O, OU, L, P, C etc)

c) Submit CSR to CA Digicert

d) Receive Identity Certificate signed by Digicert.

e) configure identity certificate for use on respected device.

f) download Digicert root certificate.



Verification Process ............ Mutual Authentication Case


Steps:


A sends its identity certificate to B for acceptance.

a1. B will calculate the hash of the A's receive certificate content.

a2. B will decrypt signature information using the Public Key of A's CA.

a3. If calculated hash = signature hash value, then the certificate is validated by B.


Now B will start using the public key of A received via validating identity certificate.



B sends its identity certificate to A for acceptance.

a1. A will calculate the hash of the B's receive certificate content.

a2. A will decrypt signature information using the Public Key of B's CA.

a3. If calculated hash = signature hash value, then the certificate is validated by A.


Now A will start using the public key of B received via validating identity certificate.


Note: Mutual authentication is optional. It's possible that the server need not verify the client.


Your browser will validate google.com cert but vice versa isn't required.


802.1x Terminology







PPP has PAP/CHAP


PPPoE : PPP over ethernet


Extensible Authentication Protocol (EAP) rides over ethernet.


Supplicant uses EAPOL or PPPoE to communicate with Authenticator.


Authenticator uses Radius to communicate to Authentication Server (ISE/LDAP)





How to enable disable EAP flavors in ISE?


You may do this in the Default allowed Protocol section.







Cisco IOS NAD -- Dot1x Initialization


aaa new-model


radius server ISE

address ipv4 192.168.1.171

key Cisco123!


Change of Authorization Command (optional)


aaa server radius dynamic-author

client 192.168.1.171 server-key Cisco123!



aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius


dot1x system-auth-control



aaa authentication dot1x default group radius


aaa authorization network default group radius


aaa accounting dot1x default start-stop group radius


dot1x system-auth-control



Start configuring ports on switch


interface gigabitethernet 1/0/1


switchport mode access

switchport access vlan 1

spanning-tree portfast


dot1x pae authenticator

authentication port-control auto (as per ISE)/ force-authorize (data traffic will allow without checking with ISE)/ force-unauthorize (the data flow won't be allowed evenif as per ISE it's good)


Low Impact: DACLs are pushed by ISE which override existing ACL (if present)


ip access-group 101 in ---> It's present on port & will be override by existing ACL


no authentication open ---> High Security


authentication open --> Monitor




mab --> To enable mab on interface


authentication order mab | dot1x --> Try to authenticate device by mab first and if not successful then try dot1x

authentication priority dot1x | mab --> Incase device supports dot1x then it will send "EAPoL start" frame & if that is detected then first dot1x will be used for authentication and later mab.


authentication host-mode single-host/multi-host/multi-auth/multi-domain


Sample Config


aaa new-model


radius server ISE

address ipv4 192.168.0.1

key Cisco123!


aaa server radius dynamic-author

client 192.168.0.1 server-key Cisco123!


switchport config


Interface fa0/1

switchport mode access

switchport access vlan 1

spanning-tree portfast


dot1x pae authenticator

authentication port-control auto


no authentication open


mab


authentication order mab dot1x

authentication priority dot1x mab


authentication host-mode single-host


ISE configuration for MAB


Go to ID Group (Can be reached through multiple paths)


Work Centers --> Network Access --> Id Groups


Endpoint Identity Groups: Collection of MAC addresses


User Identity Groups: Collection of users



Step 1: Create a new group or use existing ones.

Let's say we want to add a new group to Endpoint Identity Groups named PRINTERS


Step 2: Add an endpoint which is mac address of device.




Note: If you enable profiling then endpoint is automatically added in group


Step 3:



Here we are pushing vlan 110 from ISE to switchport (It's optional)


show authentication session interface fa0/1


Wireless MAB



Step 1: Configure WLC to talk to ISE


Step 2: Enable MAB in WLC


Check mark MAC filtering




Step 3: Allow ISE to use COA (Change of Authorization)








ISE Configuration


Step 4: Create an Authentication Profile




Step 5: Create an Authorization Profile


Step 6: Create Authorization Rule






How to Control which SSID client can connect?


Change Authorization Rules to match vlan ID




Control Traffic By ACL


Step 1: Create ACL on WLC



Step 2: Add Rules in ACL just we do in normal ACL


Step 3: Apply ACL in Authorization Policy when you push vlan




Step 4: You may apply this ACL on any of WVLAN manually through "Override Interface ACL" and selecting ACL in drop down menu.





Step 5: Push ACL through ISE (This step or Step 4 one has to be followed)




Step 6: Now go to client who has been applied above policy and you find ACL there




DACLs


DALC's are used in "Low Impact" port control & are pushed to switch.


Step 1: Create Downloadable ACL


Step 2: Link them with Authorization Profile




Additionally, commands to be configured on relatively older IOS NAD for DACL to work ip device tracking


radius-server vsa send



PORTALS


Guest users will by default become part of a contractor group which has different policies.


We may create our own group as well.








This "vlan-redirect" authorization profile is redirecting guest users towards captive portal.




Hotspot profile is redirecting towards "Hotspot" Guest portal.


The "redirect" ACL is created on WLC.



ISE PROFILING










Step 1: Go to the mac address of device and find out OUI


Step 2: Set condition to match OUI




Step 3: Create Profiler Policy


In Policy we set a condition that if OUI matches then set certainty factor as 10



Note: Here we are creating Endpoint ID Group along with Profiling Policy.


So, while creating an Authorization Policy we do have the option to match either on the basis of Profiling Policy or Endpoint ID Group.







Note: Since Profiling feature has been used for IoT sensor so it's going to consume plus license along with base license.


Remote Access VPN Admission control


Configuration to be done on Firewall


aaa-server RADIUS-GROUP protocol radius

aaa-server RADIUS-GROUP (outside) host 192.168.1.1 key Cisco123!


tunnel-group AnyConnect-TG type remote-access


tunnel-group AnyConnect-TG general-attiributes

address-pool AnyConnect-Pool

authentication-server-group RADIUS-GROUP

default-group-policy AnyConnect-GP


tunnel-group AnyConnect-TG webvpn-attributes

group-alias "IT staff" enable


Let's Configure ISE for VPN authentication


Step 1: Create an Authorization Policy to match group Policy on VPN



Note: In WLC access-list or "Aerospace ACL" was created in WLC and only its name was configured in ISE to push it to client as per authorization policy.


Similarly, Group Policy is being created locally in ASA & only its name will be put in ISE so that it can use AD credentials to allow users.




Step 1: Create Authentication Profile


Step 2: Create an Authorization Profile



Step 3: Create Policy set




ISE PKI CERTIFICATES




In the case of external CA, generate CSR from ISE. Submit this CSR to CA.

CA will issue an "identity certificate" to ISE.

Upload "identity certificate" in ISE and select for which role it has to be used.

Also download "Root Certificate" of CA Upload "Root Certificate" in trusted certificate.


In windows system you need to start "Wired Autoconfig" service.



By default,, there is just Networking & Sharing tab.




After starting the service "Authentication Tab" will appear.




Now we can define authorization profile with conditions that if user is coming from wired/wireless then particular vlan must be pushed from ISE.


Obviously, this isn't implemented in corporate networks.




Trust Sec





SGT is Cisco's Metadata i.e. developed by cisco. It uses 802.1ae.


SGT is inserted by ISE on user basis and that flows to firewall to implement SGACL


SXP Enablement in Data Plane








BYOD (BRING YOUR OWN DEVICE)




Native supplicant will be pushed by ISE to do complex configuration on device i.e., 802.1x


For checking posture of device MDM/EMM application are installed on device which can integrate with ISE to check posture of device.


It's very important as the user can install applications which could be vulnerable and cause security thread to the network.









My Device Portal





ISE AUTOMATES BYOD WORKFLOW




Authorization Profile configured to push native supplicant to BYOD portal




POSTURE


Posture and Compliance are co-related.


Agent (Cisco AnyConnect) is pushed in system who validates all compliance policies (Firewall is on).


If policies are matched then access is allowed and if not, the user is redirected towards a remediation portal.


74 views0 comments

Recent Posts

See All

Comments


bottom of page