topic Hello Sergio, in Network Access Control

Ask the Expert: Implementing and Troubleshooting Cisco Identity Services Engine (ISE)

Monica Lluis — Mon, 11 Mar 2019 06:17:31 GMT

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Service Engine (ISE) to Artem Tkachov and Wojciech Cecot.

Ask questions from Monday December 14 to Wednesday December 23rd , 2015

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources.

This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.

Artem and Wojciech will be helping you with all your queries on all of the above.

Artem Tkachov is a Customer Support Engineer in Cisco TAC Security team in Poland. He has been working with TAC for past 3 years and has 8 years of industry experience working with enterprise deployment and troubleshooting. His areas of expertise currently includes Firewalls, VPNs, AAA, 802.1X (MacSec/TrustSec), ISE (BYOD, HotSpot, etc.), ACS, as well as knowledge and in Routing and Switching, Service Provider, Data Center technologies. Artem holds CCIE certifications (# 39668) in Routing and Switching, Service Provider, Wireless, as well as CCNP in Security, JNCIS-SP, RHCSA, and ITIL certification.

Wojciech Cecot is a Customer Support Engineer in Cisco TAC Security team in Poland. He has been working with TAC since May 2014 and has 3 years of industry experience working with enterprise deployment and troubleshooting. His area of expertise covers ISE, TrustSec, BYOD, ACS 5.x, 802.1x. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He is graduated with a Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.

Find other https://supportforums.cisco.com/expert-corner/events.

Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question.

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

Hi guys,

John Ventura — Mon, 14 Dec 2015 15:17:16 GMT

Hi guys,

Is there any configuration guide regarding integration ISE 2.0 with 3rd party devices, like Aruba?

Thank you for your prompt response.

- John

I am researching utilizing

James Devan — Mon, 14 Dec 2015 18:32:16 GMT

I am researching utilizing 802.1X and ISE for both wired and wireless access. The wireless access seems fairly straightforward when paired with Meraki MDM. The wired access seems a little more daunting. I would plan on leveraging Active Directory for the majority of device authentication. What is the recommended practice for authenticating devices not associated with AD? I am referring to network printers, medical devices, IP cameras, WAPs, etc. Does the solution add a large amount of complexity and difficulty for management?

Hello John,

Artem Tkachov — Mon, 14 Dec 2015 23:00:44 GMT

Hello John,

Thank you for your question.

Indeed there are few guides for ISE 2.0 and Aruba integration, hence sharing the links below:

1. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200270-ISE-2-0-3rd-Party-integration-with-Aruba.html

2. http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf

Also, sharing link to ISE 2.0 release notes, which might be useful:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html

Thanks

/Artem

Hello James,

Artem Tkachov — Mon, 14 Dec 2015 23:39:16 GMT

Hello James,

Thank you for your question.

To find the best solution in your scenario, we would need definitely to know more about your network and requirements for dot1x integraton project you will have.

In general, majority of the devices you mentioned usually don't support dot1x/EAP authentication, hence most probably you will use MAB (mac address bypass) authentication method. Having said this, MAB method is not really secure and would require some work on authentication/authorization rules on ISE. Also, switch/interface configuration is important here, for example, if you don't use dot1x authentication on end device, better to keep mab related configuration only on switch interface level.

In your scenario you might consider to use profiling to have more granular access to your network.

Sharing with you "how to" guide for profiling:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf

In short, I wouldn't say it's extremely complex to implement, but would require a time to plan all components correctly.

Thanks

/Artem

Thank you very much!

James Devan — Mon, 14 Dec 2015 23:52:16 GMT

Thank you very much!

Hi Artem/Wojciech,

manjeetsing_thakur — Tue, 15 Dec 2015 11:11:29 GMT

Hi Artem/Wojciech,

I have few project related with ISE as I am working with channel partner, in beginning I struggled a lot as no proper training material, videos not there (Or I might not be able to find them). But when i started watching Videos on labminutes.com, I understood the config details etc. Still a lot there which I need to master.

May I know if Cisco has such video tutorials? or simple step by step config guides to deploy something like posture deployment, WSUS check etc?

I see many config guides on Cisco.com but none of them help with real life config and scenarios. They are all generic.

Thanks & Regards,

Manjeetsing

Hello Manjeetsing,

Wojciech Cecot — Tue, 15 Dec 2015 12:37:50 GMT

Hello Manjeetsing,

Thank you for that question.

Let me start with videos. Indeed there is such channel on youtube.com, it still under development however I could see many useful videos there already. Colleagues from US came up with that idea around 2 months ago and I can see that more and more videos related to ISE 2.0 are uploaded. Please take a look:

https://www.youtube.com/user/CiscoISE/videos

Regrading articles: ISE is quickly growing product, having many features and configuration strongly depends on particular deployment, however I could find article that should match your requirement: with posture/WSUS configuration:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119214-configure-ise-00.html

Hope that helps.

Thank you

Wojciech

Hi,In all what areas ISE and

susim — Tue, 15 Dec 2015 14:23:25 GMT

Hi,
In all what areas ISE and ASA can work together ?
How can maximum utilize for VPN ?
Thank you

Hello Sir/Madame

Wojciech Cecot — Tue, 15 Dec 2015 15:46:02 GMT

Hello Sir/Madame

Thank you for that question.

That is quite general one, let me try to answer it in the following way. We have:

--- TACACS+ for ASA administration (starting from ISE 2.0),
--- authentication of the VPN users,
--- VPN Posture, described in:
http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200271-ISE-2-0-and-AnyConnect-4-2-Posture-BitLo.html
--- TrustSec (we can assign SGT tags to the VPN users),
--- Certificate provisioning for VPN users --- SCEP functionality on ISE.

I might be missing something, however those are the most common use cases.

Thank you,

Wojciech

Hi,

jay.pandya1 — Tue, 15 Dec 2015 20:09:57 GMT

Hi,

Is there any way to give an ERS Admin access to the External RESTful API? Currently I am only able to access the "ActiveList" using Super Admin privileges.

Thanks

Hello Sir,

Artem Tkachov — Tue, 15 Dec 2015 22:29:50 GMT

Hello Sir,

Thank you for your question.

Unfortunately this is expected behavior. When authenticating external REST requests in addition to verifying admin user name and password, there will be a check that the admin role is SuperAdmin. This ensures that admins with lower permissions will not be able to issue REST requests.

We do have bug for this scenario --> CSCur87193. It's marked to be fixed in ISE 1.5 version.

As for now you have to use accounts from Super Admin group to be able to use External Restful API.

Thanks

/Artem

Thanks for the response. I

jay.pandya1 — Tue, 15 Dec 2015 23:59:09 GMT

Thanks for the response. I had another question. In the ISE documentation there is a mention of a response code returned by the External RESTful Services API called "429 Too many requests" which means too many simultaneous requests. Is there a particular number of simultaneous requests which would trigger this response code?

Thanks

Hello Sir,

Artem Tkachov — Wed, 16 Dec 2015 08:35:04 GMT

Hello Sir,

Thank you for this question.

The message you referring to might come from 2 different layers - application itself as well as transport/TCP layer. Since the newest ISE 2.0 is using Apache Tomcat Server 8.x, application configuration should be stored there. Sharing with you link where you can read more on Tomcat Server 8.x and default settings:

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

Unfortunately, this is very specific question and without engineering team looking into the source code I won't be able to fully answer this question. Because of that, if you still would like to have an answer to this question, I would encourage you to open a TAC case.

Hi,

stormfidus — Wed, 16 Dec 2015 11:37:20 GMT

Hi,

Is there any specific support or way to handle imaging/installation of pc's from Microsoft SCCM initiated with PXE boot ?

A way to allow the client to temporary get access to the required network resources during the installation, since the pc is not able to authenticate itself before it's fully installed.

Thanks.

Hello Sir/Madame,

Wojciech Cecot — Wed, 16 Dec 2015 12:48:12 GMT

Hello Sir/Madame,

Thank you for that questions. When PXE device is booting we could use MAB authentication and limit its access using dACL: to allow DHCP and access to MS server.

Once device will be fully installed, dot1x can take precedence (authentication priority dot1x mab) and machine will be securely authenticated with dot1x.

That is explained with the example in the guide below (Low-Impact Mode section):

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_24_low_impact_mode.pdf

Thank you

Wojciech

Hi Wojciech

stormfidus — Wed, 16 Dec 2015 12:58:46 GMT

Hi Wojciech

The current SCCM setup requires access to a lot of different resources during the install, which makes it almost impossible to get a full dACL configured to allow access,

So I was looking for if SCCM & ISE could exchange information, like when a PC is about to be installed the MAC address could be exchanged from SCCM to ISE allowing it full access to the network for a very limited amount of time, could something like this be possible ?

Thanks.

Hi,

Wojciech Cecot — Wed, 16 Dec 2015 14:01:19 GMT

Hi,

Well, I am afraid that will be not possible in the way that was described. ISE needs to know exactly what access should be allowed for the PXE process in order to send that to switch (VLAN or dACL). Another way could be to create some endpoint group for devices which will be allowed to access full resources. However that will require to manually add endpoint to that group and then either remove it or set some purge policy (like after one day endpoint will be removed from the PXE group and no longer will have full access).

Hope that clarifies your question.

Thank you,

Wojciech

Hi Guys,

Michael Harding — Wed, 16 Dec 2015 14:02:58 GMT

Hi Guys,

I wonder if you could share your experiences working with OSX and ISE and what is the best method for getting a working Posture/Dot1x setup in place when the workstation is joined to an active directory domain? I have had many issues with creating profiles for OSX etc and although I'm sure you may not want to go into the specifics of OSX profiles if you could give a general overview of the approach that has worked best in your experiences it would help me greatly!

Thanks in advance,

Mike

Hi Experts,

Csaba Nagy — Wed, 16 Dec 2015 14:16:18 GMT

Hi Experts,

Recently we've upgraded from ISE 1.1 to 1.3 and although we gained lots of useful features we have lost a very important one:
With v1.1 if we created a guest user with the sponsor portal and set up the account validity for 24 hours the clock started ticking whenever the user first logged into the network. With 1.3 this is not possible.
Does 1.4 or 2.0 support this feature or is there any patch that can be applied to the current version (1.3) to get this feature back?

Many thanks,
Csaba