<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cisco ise 1.2.1 patch 2 I'm in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570768#M72423</link>
    <description>&lt;P&gt;Cisco ise 1.2.1 patch 2&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm using sponsor portal and wondering if I can either eliminate the help link on the sponsor portal or modify the hyperlink to point to another document and not the default sponsor portal user guide that Cisco provides.&lt;BR /&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 30 Oct 2014 18:09:13 GMT</pubDate>
    <dc:creator>Trent Hurt</dc:creator>
    <dc:date>2014-10-30T18:09:13Z</dc:date>
    <item>
      <title>Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570763#M72413</link>
      <description>&lt;P&gt;&lt;IMG align="right" src="/legacyfs/online/styles/80x110/public/photo/expert/ate-logo_80x110-for-upload_v2_5.jpg " style="padding-left:8px;" /&gt;&lt;/P&gt;&lt;P&gt;Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size:16px;"&gt;&lt;SPAN style="color: rgb(255, 0, 0);"&gt;October 27, 2014 through November 7, 2014.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG align="left" alt="Cisco Expert, Craig Hyps" src="https://community.cisco.com/legacyfs/online/media/craig_hyps.png" style=" padding: 10px;" title="Cisco Expert, Craig Hyps" /&gt;&lt;/P&gt;&lt;P&gt;The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Craig Hyps&lt;/STRONG&gt; is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years of networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale, focused on the requirements of the largest ISE deployments.&lt;/P&gt;&lt;P&gt;Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.&amp;nbsp; He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.&amp;nbsp; Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.&lt;/P&gt;&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;Remember to use the rating system to let Craig know if you have received an adequate response.&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation in the Security community sub-community shortly after the event. &lt;STRONG&gt;This event lasts through November 7, 2014&lt;/STRONG&gt;. Visit this forum often to view responses to your questions and the questions of other community members.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;(Comments are now closed)&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 05:08:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570763#M72413</guid>
      <dc:creator>ciscomoderator</dc:creator>
      <dc:date>2019-03-11T05:08:21Z</dc:date>
    </item>
    <item>
      <title>hi Craig,We currently utilize</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570764#M72416</link>
      <description>&lt;P&gt;hi Craig,&lt;BR /&gt;We currently utilize Cisco NAC (Clean Access) to perform posture assessment, to make sure the endpoints have proper anti-virus software/definitions, and up-to-date Windows patches.&lt;/P&gt;&lt;P&gt;What's your take on posture assessment?&lt;BR /&gt;Is it still a good investment in today's environments?&lt;BR /&gt;We're torn between continuing to do posture, or only doing authentication when we migrate to ISE.&lt;BR /&gt;We think it's a good idea to do posture, but it's a hard sell to management because of the premium Cisco charges for Advanced/Apex-AC licenses, and the technical complexity it brings.&lt;/P&gt;&lt;P&gt;Does Cisco have more customers doing posture than those not doing posture?&lt;BR /&gt;If you had to guess, what's the percentage breakdown between the two, in general, and in higher education?&lt;BR /&gt;I'm guessing most Fed/SLED customers would want to do posture, but I'm interested in knowing what other colleges &amp;amp; universities are doing.&lt;/P&gt;&lt;P&gt;Thank you,&lt;BR /&gt;Kevin&lt;/P&gt;</description>
      <pubDate>Mon, 27 Oct 2014 17:55:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570764#M72416</guid>
      <dc:creator>huangedmc</dc:creator>
      <dc:date>2014-10-27T17:55:57Z</dc:date>
    </item>
    <item>
      <title>Hello Kevin,Whether posture</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570765#M72417</link>
      <description>&lt;P&gt;Hello Kevin,&lt;/P&gt;&lt;P&gt;Whether posture or any security control is a good investment is always a balance between security policy, risk, and the cost/impact to the organization of deploying such controls.&amp;nbsp; I will not attempt to answer that for your organization here, but will try to shed light on other facets of your query.&lt;/P&gt;&lt;P&gt;I do not have exact counts, but in my years working with both NAC Appliance and ISE, I would say most NAC customers deploy posture.&amp;nbsp; I would say less than half deploy posture with ISE, but realize that many have migrated from an AAA-only deployment, say CiscoSecure ACS, and many are green-field deployments where the customer starts with basic authentication and access enforcement and then builds upon that foundation with the more advanced functions of profiling and endpoint compliance.&lt;/P&gt;&lt;P&gt;Higher education is a unique vertical and the decision to perform posture or not is often rooted in the university's culture--some have the mantra that students shall have free access to all resources and do not mandate installation of any client software on student PCs; others treat the network as a privilege that is governed by specific terms of use, including the installation of a posture agent and software to help ensure the connected device is not a threat to other PCs or to the security and productivity of the university as a whole. Which camp your organization sits in will often dictate whether posture is deployed.&lt;/P&gt;&lt;P&gt;With the growing popularity of Bring Your Own Device (BYOD) in the broader market, endpoint compliance is becoming a more prominent requirement. Endpoint compliance incorporates both the traditional posture assessment functions attributed to PC desktops/laptops as well as the more recent Mobile Device Management (MDM) solutions with a primary focus on mobile devices. With users connecting from personal devices on which they have admin control, versus a managed endpoint that has been locked down with a corporate image, customers want to make sure there is a way to validate that the BYOD device meets some minimal compliance level.&lt;/P&gt;&lt;P&gt;Interestingly, Higher Ed was a BYOD environment many years before the term became popularized in corporate networks. However, the same security concerns exist, and the university culture and IT policy will dictate whether endpoint compliance is more important than unfettered student access from their personal devices.&lt;/P&gt;&lt;P&gt;Moving forward I see MDM usage increasing and general endpoint compliance treated simply as a super-set of these device assessment and remediation options.&amp;nbsp; In my opinion, basic posture/MDM makes perfect sense to improve the general security of the network and connected devices. I also agree that its use should not significantly impact user productivity. ISE 1.3, targeted for the end of this month, adds support for AnyConnect 4.0 as the posture agent.&amp;nbsp; This is a major step forward to integrate endpoint compliance and security functions into a single client and to improve the end user experience and administration across the entire organization.&lt;/P&gt;&lt;P&gt;I hope this answered your questions.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;</description>
      <pubDate>Tue, 28 Oct 2014 14:55:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570765#M72417</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2014-10-28T14:55:45Z</dc:date>
    </item>
    <item>
      <title>hi Craig,Thank you for the</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570766#M72421</link>
      <description>&lt;P&gt;hi Craig,&lt;BR /&gt;Thank you for the reply to my previous question.&lt;/P&gt;&lt;P&gt;As a higher education operator, we allow any anti-virus software as part of our posture assessment check.&lt;BR /&gt;So on our current Cisco NAC manager, under User Management / User Roles / Temporary Role / Host, there's a long list of URLs as "Allowed Host", where users can go to get their AV software installed/patched to be compliant.&lt;BR /&gt;For example: .mcafee.com, .symantec.com, .trendmicro.com, etc.&lt;/P&gt;&lt;P&gt;How can we migrate this function to ISE?&lt;BR /&gt;A few more recent platforms support DNS-based ACLs, but most of our Cat2K switches don't.&lt;BR /&gt;There are ~50 entries on that list.&lt;BR /&gt;Any way to support it on ISE w/o having to manage an ACL that's based on IPs?&lt;/P&gt;&lt;P&gt;Ditto for allowing access to Google Play to onboard Android devices.&lt;/P&gt;&lt;P&gt;Thx,&lt;BR /&gt;Kevin&lt;/P&gt;</description>
      <pubDate>Tue, 28 Oct 2014 21:38:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570766#M72421</guid>
      <dc:creator>huangedmc</dc:creator>
      <dc:date>2014-10-28T21:38:47Z</dc:date>
    </item>
    <item>
      <title>Kevin,NAC Appliance relies on</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570767#M72422</link>
      <description>&lt;P&gt;Kevin,&lt;/P&gt;&lt;P&gt;NAC Appliance relies on being an inline enforcement device to perform the DNS snooping function that allows the domain-based ACL policy enforcement.&lt;/P&gt;&lt;P&gt;ISE leverages the existing infrastructure to perform policy enforcement. This keeps your policy server or other overlay appliance out of the data path but consequently requires the access device or other upstream device to perform this function.&lt;/P&gt;&lt;P&gt;As you noted, WLC 7.6 added support for DNS ACLs to support this requirement for wireless clients during the URL redirection state when BYOD, MDM, and Posture integration are triggered. It is also possible to integrate with web security solutions like the WSA with transparent login such that specific networks can have access controlled based on domain name.&amp;nbsp; There are other options that rely on DNS tricks or other security devices that support host-based policies, including ASA, but the best solutions are those like WLC that dynamically allow access based on specific client DNS responses (similar in concept to what the NAC Appliance Server is doing).&lt;/P&gt;&lt;P&gt;For the 2960 switch that does not currently support DNS ACLs, I would consider an upstream web security solution that applies a transparent proxy with URL-based policy controls to users in a pre-compliance/quarantine VLAN/source network.&lt;/P&gt;&lt;P&gt;I double-checked with the switching product team and support for DNS ACLs is being considered but not yet committed, so be sure to work with your local Cisco sales team to add your name and business requirement to raise feature prioritization.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;</description>
      <pubDate>Wed, 29 Oct 2014 15:55:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570767#M72422</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2014-10-29T15:55:57Z</dc:date>
    </item>
    <item>
      <title>Cisco ise 1.2.1 patch 2 I'm</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570768#M72423</link>
      <description>&lt;P&gt;Cisco ise 1.2.1 patch 2&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm using sponsor portal and wondering if I can either eliminate the help link on the sponsor portal or modify the hyperlink to point to another document and not the default sponsor portal user guide that Cisco provides.&lt;BR /&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 30 Oct 2014 18:09:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570768#M72423</guid>
      <dc:creator>Trent Hurt</dc:creator>
      <dc:date>2014-10-30T18:09:13Z</dc:date>
    </item>
    <item>
      <title>Under ISE 1.2.x, you can only</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570769#M72424</link>
      <description>&lt;P&gt;Under ISE 1.2.x, you can only change the label under the Sponsor Language Template.&amp;nbsp; This option is intended to serve as a basic online user guide for the sponsor portal.&lt;/P&gt;&lt;P&gt;Sponsor Portal customization is very limited under ISE 1.2 and earlier versions.&amp;nbsp; However, under ISE 1.3, targeted to be released in the latter part of November 2014, you will have the ability to fully customize the Sponsor portal as well as other user-facing portals (except the Admin web interface).&lt;/P&gt;&lt;P&gt;By default, you will still have the Help button, which will link to the online documentation, but you can simply remove that label from the Admin UI and it will no longer appear.&amp;nbsp; By default, we will additionally display a Contact Support link next to the Help link.&amp;nbsp; This is fully customizable and provides a simple option to collect and report end user details to aid in troubleshooting.&amp;nbsp; Again, you will decide if you want this label/link to display in the portal, which support info is displayed, and other options such as custom links.&amp;nbsp; ISE 1.3 also supports multiple sponsor portals, so more than one portal can be created to serve different geographies or groups of sponsors.&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;</description>
      <pubDate>Thu, 30 Oct 2014 18:55:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570769#M72424</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2014-10-30T18:55:15Z</dc:date>
    </item>
    <item>
      <title>Can you change the sponsor</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570770#M72425</link>
      <description>&lt;P&gt;Can you change the sponsor portal default timeout value in 1.3?&amp;nbsp; In 1.2 it is 20 minutes but doesn't seem to be configurable.&lt;/P&gt;</description>
      <pubDate>Mon, 03 Nov 2014 15:14:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570770#M72425</guid>
      <dc:creator>Trent Hurt</dc:creator>
      <dc:date>2014-11-03T15:14:07Z</dc:date>
    </item>
    <item>
      <title>Yes, it is configurable in 1</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570771#M72426</link>
      <description>&lt;P&gt;Yes, it is configurable in 1.3.&amp;nbsp; This is covered in the ISE 1.3 Admin Guide documentation.&amp;nbsp; If not aware, ISE 1.3 was released on 11/01/14 and documentation posted to Cisco.com.&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011100.html#reference_5F10051EBA9046468988DCEB54C60853"&gt;Portal Settings for Sponsor Portals&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Idle timeout&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Enter the time in minutes that you want Cisco ISE to wait before it logs out the user if there is no activity in the portal. The valid range is from 1 to 30 minutes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;</description>
      <pubDate>Mon, 03 Nov 2014 15:40:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570771#M72426</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2014-11-03T15:40:19Z</dc:date>
    </item>
    <item>
      <title>Hello Craig, We are using ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570772#M72427</link>
      <description>&lt;P&gt;Hello Craig,&lt;/P&gt;&lt;P&gt;We are using ISE 1.2 for guest and BYOD with a certificate from an internal MS CA using NDES. We provide access to the corporate network via a standard SSID on our WLC using WPA2 Enterprise with an AD back-end.&lt;/P&gt;&lt;P&gt;We would like to move our corporate SSID over to ISE using some kind of certificate. How would we differentiate the cert issued for BYOD from the one for our new network? We would not want someone with a BYOD cert to gain access to our corporate network.&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Mon, 03 Nov 2014 20:06:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570772#M72427</guid>
      <dc:creator>sdoherty</dc:creator>
      <dc:date>2014-11-03T20:06:57Z</dc:date>
    </item>
    <item>
      <title>S Doherty,ISE 1.2 exposes a</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570773#M72428</link>
      <description>&lt;P&gt;S Doherty,&lt;/P&gt;&lt;P&gt;ISE 1.2 exposes a number of certificate attributes to the Authentication and Authorization Policy to validate that the issued certificate matches or does not match the specified criteria.&amp;nbsp; For example, you may wish to use Issuer CN or Issuer OU to distinguish between your BYOD certs and other corporate certs.&lt;/P&gt;&lt;P&gt;ISE 1.2.1 added a couple of new attributes to validate expiry.&amp;nbsp; The just released ISE 1.3 version exposes additional certificate attributes to the Auth Policy such as Key Usage/EKU.&amp;nbsp; ISE 1.3 attributes include the following:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Serial Number&lt;/LI&gt;&lt;LI&gt;Template Name&lt;/LI&gt;&lt;LI&gt;Is Expired&lt;/LI&gt;&lt;LI&gt;Days to Expiry&lt;/LI&gt;&lt;LI&gt;Key Usage&lt;/LI&gt;&lt;LI&gt;Extended Key Usage - Name&lt;/LI&gt;&lt;LI&gt;Extended Key Usage - OID&lt;/LI&gt;&lt;LI&gt;Issuer&lt;/LI&gt;&lt;LI&gt;Issuer - Common Name&lt;/LI&gt;&lt;LI&gt;Issuer - Country&lt;/LI&gt;&lt;LI&gt;Issuer - Domain Component&lt;/LI&gt;&lt;LI&gt;Issuer - Email&lt;/LI&gt;&lt;LI&gt;Issuer - Location&lt;/LI&gt;&lt;LI&gt;Issuer - Organization&lt;/LI&gt;&lt;LI&gt;Issuer - Organization Unit&lt;/LI&gt;&lt;LI&gt;Issuer - Serial Number&lt;/LI&gt;&lt;LI&gt;Issuer - State or Province&lt;/LI&gt;&lt;LI&gt;Issuer - Street Address&lt;/LI&gt;&lt;LI&gt;Issuer - User ID&lt;/LI&gt;&lt;LI&gt;Subject&lt;/LI&gt;&lt;LI&gt;Subject - Common Name&lt;/LI&gt;&lt;LI&gt;Subject - Country&lt;/LI&gt;&lt;LI&gt;Subject - Domain Component&lt;/LI&gt;&lt;LI&gt;Subject - Email&lt;/LI&gt;&lt;LI&gt;Subject - Location&lt;/LI&gt;&lt;LI&gt;Subject - Organization&lt;/LI&gt;&lt;LI&gt;Subject - Organization Unit&lt;/LI&gt;&lt;LI&gt;Subject - Serial Number&lt;/LI&gt;&lt;LI&gt;Subject - State or Province&lt;/LI&gt;&lt;LI&gt;Subject - Street Address&lt;/LI&gt;&lt;LI&gt;Subject - User ID&lt;/LI&gt;&lt;LI&gt;Subject Alternative Name&lt;/LI&gt;&lt;LI&gt;Subject Alternative Name - DNS&lt;/LI&gt;&lt;LI&gt;Subject Alternative Name - EMail&lt;/LI&gt;&lt;LI&gt;Subject Alternative Name - Other Name&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Note that ISE 1.3 also includes an embedded CA in case you want ISE to manage certs for BYOD.&amp;nbsp; It will allow BYOD certs to be issued by the embedded CA or by your private CA using SCEP based on matching conditions.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;</description>
      <pubDate>Mon, 03 Nov 2014 21:42:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570773#M72428</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2014-11-03T21:42:35Z</dc:date>
    </item>
    <item>
      <title>This command works without</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570774#M72429</link>
      <description>&lt;P&gt;This command works without any issues with ISE version 1.1 and 1.2:&lt;/P&gt;&lt;P&gt;ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However, it does NOT work in ISE version 1.3.&amp;nbsp; See below:&lt;/P&gt;&lt;P&gt;ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1&lt;BR /&gt;% Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.&lt;/P&gt;&lt;P&gt;% Error: Error adding static route.&lt;BR /&gt;ciscoisedev/admin(config)#&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any ideas why it is not working with version 1.3?&lt;/P&gt;</description>
      <pubDate>Tue, 04 Nov 2014 02:20:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570774#M72429</guid>
      <dc:creator>cciesec2011</dc:creator>
      <dc:date>2014-11-04T02:20:12Z</dc:date>
    </item>
    <item>
      <title>Craig,Is there a way to have</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570775#M72430</link>
      <description>&lt;P&gt;Craig,&lt;/P&gt;&lt;P&gt;Is there a way to have confidence that certificate authentication is being done by the device to which certificate was issued? We would like to avoid a certificate being installed on multiple machines.&lt;/P&gt;</description>
      <pubDate>Tue, 04 Nov 2014 13:32:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570775#M72430</guid>
      <dc:creator>mackleyl</dc:creator>
      <dc:date>2014-11-04T13:32:54Z</dc:date>
    </item>
    <item>
      <title>Hello Craig.I have some</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570776#M72431</link>
      <description>&lt;P&gt;Hello Craig.&lt;/P&gt;&lt;P&gt;I have some questions about ISE v1.3 if you don't mind.&lt;/P&gt;&lt;P&gt;I see that the guest part of ISE has been upgraded; is it now possible for a guest to send an SMS to a given phone number and get a login link in return?&lt;/P&gt;&lt;P&gt;If not, is it possible for a guest to self-register, and then receive a link they can click on, and be logged in? I mean so guests don't have to enter username and password at all, it is all embedded in the link?&lt;/P&gt;&lt;P&gt;We use NowSMS as SMS Gateway. Have you heard of it? Any pointers on how to configure ISE against it?&lt;/P&gt;&lt;P&gt;Will we see Norwegian language files for sponsor and guest portal? Can we make them ourselves?&lt;/P&gt;&lt;P&gt;Can we use phone number as username?&lt;/P&gt;&lt;P&gt;Where can I change what fields the sponsors have to fill out when making new guest accounts?&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Tue, 04 Nov 2014 14:28:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570776#M72431</guid>
      <dc:creator>dal</dc:creator>
      <dc:date>2014-11-04T14:28:14Z</dc:date>
    </item>
    <item>
      <title>For starters, there are basic</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570777#M72432</link>
      <description>&lt;P&gt;For starters, there are basic precautions that are possible outside of ISE, such as setting the issued certificate to be non-exportable.&amp;nbsp; That is not foolproof, but it will not make things so simple for the typical user.&lt;/P&gt;&lt;P&gt;For Windows PCs, there is also the option to have separate machine and user certificates. The AnyConnect supplicant can further enhance functionality by allowing separate identities to be chained together using EAP Chaining. This would allow, for example, validating the machine using a cert or even an AD machine account (not easily hacked) and then user auth to occur via a user cert.&lt;/P&gt;&lt;P&gt;For general OSes, one simple option is to issue a certificate with endpoint-identifiable information that can be verified during the authentication and authorization phase. For example, ISE BYOD allows certs to be issued whereby the MAC address of the registering client is captured during enrollment and automatically populated into the issued certificate's SAN field. If issuing client certificates using MDM, similar options exist to capture attributes from the client and populate cert fields.&lt;/P&gt;&lt;P&gt;During authentication/authorization, you can then compare the Calling-Station-ID (commonly the MAC address) of the client to the certificate field that is populated with the MAC address.&amp;nbsp; If using MDM, then it is possible to check if the mobile device is rooted/jailbroken, which may also indicate possible tampering with device credentials/certs.&lt;/P&gt;&lt;P&gt;We have also supported binary comparison during authentication, which basically compares the certificate issued to a user with the one they are presenting.&amp;nbsp; For example, if pushing certificates from an AD CA and AD has a copy of the issued cert, we will verify that the cert presented is the actual cert for that endpoint.&amp;nbsp; If a user has multiple machines, then the certs would be different, even if each is valid.&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;</description>
      <pubDate>Tue, 04 Nov 2014 20:04:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570777#M72432</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2014-11-04T20:04:43Z</dc:date>
    </item>
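The two replies above (the certificate attributes ISE exposes to the authorization policy, and comparing the Calling-Station-ID with the MAC that ISE BYOD writes into the SAN) describe policy logic without showing it. The following is an added example, not ISE code and not from anyone in this thread: a small Python model of those two checks, operating on the attribute names from the list above. Everything else is an assumption for illustration: the issuer OUs and template names, the SSID names, the clientAuth EKU OID as the required EKU, and the sample sessions and certificate attribute dicts, which are constructed here rather than real X.509 objects. The binary comparison against the copy of the cert held in AD is not modeled.

```python
"""Added example: authorization over ISE-exposed certificate attributes.
Demonstrates (1) separating BYOD and corporate certificate populations by
issuer OU / template / EKU and (2) binding a BYOD cert to the MAC that
enrolled it by comparing the SAN with the RADIUS Calling-Station-ID.
CA names, templates, SSIDs and sample data below are constructed."""
import re

# Assumed CA layout: one issuing CA and template per certificate population.
CORP_ISSUER_OU = "Corp Device CA"
CORP_TEMPLATE = "CorpWorkstation"
BYOD_ISSUER_OU = "BYOD CA"
BYOD_TEMPLATE = "BYODUser"
EKU_CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

# MAC spellings seen in Calling-Station-ID (varies by NAD) and in SAN fields.
_MAC_FORMS = (
    re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
               r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$"),
    re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$"),  # Cisco dotted
    re.compile(r"^([0-9a-f]{12})$"),
)


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.
    A raw string compare fails whenever the NAD and the CA disagree on
    separators, so both sides are normalized before comparison."""
    text = (value or "").strip().lower()
    for form in _MAC_FORMS:
        match = form.match(text)
        if match:
            return "".join(match.groups())
    return None


def classify_certificate(cert):
    """Return 'corporate', 'byod' or None from issuer OU, template and EKU.
    Expired certs and certs without clientAuth are rejected up front."""
    if cert.get("Is Expired", False):
        return None
    if EKU_CLIENT_AUTH_OID not in cert.get("Extended Key Usage - OID", ()):
        return None
    issuer_ou = cert.get("Issuer - Organization Unit", "")
    template = cert.get("Template Name", "")
    if issuer_ou == CORP_ISSUER_OU and template == CORP_TEMPLATE:
        return "corporate"
    if issuer_ou == BYOD_ISSUER_OU and template == BYOD_TEMPLATE:
        return "byod"
    return None


def san_matches_calling_station(cert, calling_station_id):
    """True if any SAN value is the MAC the client is authenticating from."""
    expected = normalize_mac(calling_station_id)
    if expected is None:
        return False
    sans = []
    for field in ("Subject Alternative Name",
                  "Subject Alternative Name - DNS",
                  "Subject Alternative Name - Other Name"):
        value = cert.get(field)
        if isinstance(value, str):
            sans.append(value)
        elif value:
            sans.extend(value)
    return any(normalize_mac(s) == expected for s in sans)


def authorize(session):
    """Decide one EAP-TLS session. session has ssid (assumed to be derived
    from Called-Station-ID), calling_station_id and cert. Returns (result, reason)."""
    cert = session["cert"]
    population = classify_certificate(cert)
    ssid = session["ssid"]
    if population is None:
        return ("DENY", "certificate not issued by a recognized CA/template")
    if ssid == "CORP-SECURE":
        if population == "corporate":
            return ("PERMIT_CORP", "corporate cert on corporate SSID")
        return ("DENY", "%s certificate is not valid for the corporate SSID" % population)
    if ssid == "BYOD":
        if population != "byod":
            return ("DENY", "only BYOD-enrolled certificates on the BYOD SSID")
        if not san_matches_calling_station(cert, session["calling_station_id"]):
            return ("DENY", "cert SAN MAC does not match Calling-Station-ID")
        return ("PERMIT_BYOD", "BYOD cert bound to this endpoint")
    return ("DENY", "unknown SSID %s" % ssid)


# Constructed sample certificates as attribute dicts (not real X.509 objects).
CORP_CERT = {
    "Issuer - Organization Unit": CORP_ISSUER_OU,
    "Template Name": CORP_TEMPLATE,
    "Extended Key Usage - OID": [EKU_CLIENT_AUTH_OID],
    "Subject - Common Name": "LAPTOP-4711.corp.example",
    "Is Expired": False,
}
BYOD_CERT = {
    "Issuer - Organization Unit": BYOD_ISSUER_OU,
    "Template Name": BYOD_TEMPLATE,
    "Extended Key Usage - OID": [EKU_CLIENT_AUTH_OID],
    "Subject - Common Name": "jdoe",
    "Subject Alternative Name": "00-11-22-33-44-55",  # MAC captured at enrollment
    "Is Expired": False,
}

# Constructed sessions: the NAD reports the MAC in Cisco dotted form.
SAMPLE_SESSIONS = {
    "corp_laptop": {"ssid": "CORP-SECURE", "calling_station_id": "a45e.60aa.bbcc", "cert": CORP_CERT},
    "byod_on_corp_ssid": {"ssid": "CORP-SECURE", "calling_station_id": "0011.2233.4455", "cert": BYOD_CERT},
    "byod_own_device": {"ssid": "BYOD", "calling_station_id": "0011.2233.4455", "cert": BYOD_CERT},
    "byod_cert_copied": {"ssid": "BYOD", "calling_station_id": "0011.2233.9999", "cert": BYOD_CERT},
}


def evaluate_samples():
    """Run every constructed session and return name: result."""
    return {name: authorize(session)[0] for name, session in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, session in SAMPLE_SESSIONS.items():
        print(name, authorize(session))
```

The "byod_cert_copied" session is the case asked about above: the same BYOD certificate presented from a second device fails because the SAN MAC no longer matches the Calling-Station-ID. In a real ISE policy the same checks are rule conditions on the listed attributes rather than Python, and the MAC-binding rule only makes sense for certificates whose SAN was populated at enrollment.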
    <item>
      <title>I am not really sure the</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570778#M72433</link>
      <description>&lt;P&gt;I am not really sure of the purpose of your static route to a loopback address in ISE 1.2. To answer the question on static route changes between ISE 1.2 and 1.3, the answer is YES.&lt;/P&gt;&lt;P&gt;Brief background on the situation...&lt;/P&gt;&lt;P&gt;With ISE 1.2 we added support for web services on different interfaces. This was a great option for customers that want to segregate user traffic from RADIUS and management traffic, but it created a challenge for path symmetry since the routing table was interface specific.&amp;nbsp; In other words, traffic received on a specific interface was not sent out the same interface by default, and trying to create subnet-specific routes is not feasible for most customers.&lt;/P&gt;&lt;P&gt;For reference, I touch on this use case in a Cisco Live session (BRKSEC-3699: Designing ISE for Scale &amp;amp; High Availability) posted &lt;U&gt;&lt;A href="https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78730&amp;amp;backBtn=true"&gt;here&lt;/A&gt;&lt;/U&gt;.&lt;BR /&gt;The workaround I propose is to source NAT traffic to the web-portal interface so that client https requests always exit the same interface on which they were received.&lt;/P&gt;&lt;P&gt;With ISE 1.3 we allow a default route per interface or subnet-specific routes for specific interfaces. As part of these enhancements, we verify that the next-hop address is in a valid subnet for one or more local interfaces. This would explain the error that you are seeing.&lt;/P&gt;&lt;P&gt;Hopefully this enhanced functionality addresses your requirements and the purpose of your original static route to a loopback address.&lt;/P&gt;&lt;P&gt;Regards,&lt;BR /&gt;Craig&lt;/P&gt;</description>
      <pubDate>Tue, 04 Nov 2014 22:13:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570778#M72433</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2014-11-04T22:13:37Z</dc:date>
    </item>
    <item>
      <title>No problem asking questions</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570779#M72434</link>
      <description>&lt;P&gt;No problem asking questions on ISE 1.3.&amp;nbsp; When asked for a topic for this event, we did not know that ISE 1.3 would be shipping yet, so I listed ISE 1.2 to avoid questions on pre-release code.&amp;nbsp; Now that it is shipping, ISE 1.3 questions are fair game.&lt;/P&gt;&lt;P&gt;1. SMS Notification: Yes, a guest can send an SMS to acquire credentials and this is admin configurable. They are automatically redirected to the login page from the web browser but will need to manually enter the credentials received via SMS. We hope to provide an update in an interim release that will offer a link with credentials that allows automatic login, but that did not make the first ISE 1.3 release.&lt;/P&gt;&lt;P&gt;2. Auto-Login Guest: When users self-register, YES, you can allow automatic login after they submit the requested information.&lt;/P&gt;&lt;P&gt;3. SMS Provider Support: ISE 1.3 comes preconfigured with a number of major SMS providers including both HTTPS and SMTP gateway support. NowSMS is not one of the preconfigured providers, but you can leverage one of the existing templates as a guide for populating the template for this provider.&lt;/P&gt;&lt;P&gt;4. Language Support: ISE 1.3 does not have Norwegian language support out-of-the-box, but the language files in ISE 1.3 make it much easier for customers to create and customize their own "templates", more similar to the way we support multiple language files with AnyConnect VPN.&amp;nbsp; You will be able to export the language file for the selected portal, copy the properties file for a supported language like English or German, make all changes to the properties file offline, and then import the language file back into ISE with the new properties entry.&lt;/P&gt;&lt;P&gt;5. Phone # as Username: There is an option to allow self-registered users to set a username. We also support an option to set a custom username via API, so you could create your own sponsor app to do this. For the standard sponsor portal, the username is either the email address or derived from first and last name, often with an additional numeric suffix to ensure uniqueness. Further testing would be required to see if custom CSS or JavaScript could accomplish a similar result from a sponsor portal.&lt;/P&gt;&lt;P&gt;6. Sponsor Fields: The fields that will be populated are configured under Sponsor Portal &amp;gt; Portal Page Customization. Select the page customization for Create Account for Known Guests. You will see a preview of the sponsor portal on the right side. Click the Settings option above the preview. Here you can select which fields are displayed and whether they are mandatory entry fields.&amp;nbsp; You can also configure specific attributes required for specific Guest Types.&amp;nbsp; These will be automatically added if you create a guest from that portal when that guest type is selected.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;</description>
      <pubDate>Wed, 05 Nov 2014 09:25:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570779#M72434</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2014-11-05T09:25:11Z</dc:date>
    </item>
    <item>
      <title>Hello again, and thank you</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570780#M72435</link>
      <description>&lt;P&gt;Hello again, and thank you for your answers.&lt;/P&gt;&lt;P&gt;1. Is this actually possible? A guest can send an SMS and get login credentials back? Without any web page involved before the actual login? Do you have an example for this?&lt;BR /&gt;I'm looking forward to the login link containing login credentials.&lt;/P&gt;&lt;P&gt;2. Very nice. Do you have any pointers where I can find that option?&lt;/P&gt;&lt;P&gt;3. I actually found this one out myself, and I now have NowSMS working as an SMS Gateway for ISE &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;4. Yeah, I downloaded a few of them and started the conversion. Exactly how many language files are there? Is there a way to download them all at once?&lt;/P&gt;&lt;P&gt;5. I'm not sure what you mean (There is an option to allow self-registered users to set username). Where can I do that?&lt;/P&gt;&lt;P&gt;6. Found it, thanks for that.&lt;/P&gt;&lt;P&gt;Thank you again.&lt;/P&gt;</description>
      <pubDate>Wed, 05 Nov 2014 19:20:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570780#M72435</guid>
      <dc:creator>dal</dc:creator>
      <dc:date>2014-11-05T19:20:07Z</dc:date>
    </item>
    <item>
      <title>1. Self registration flow</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570781#M72436</link>
      <description>&lt;P&gt;1. The self-registration flow starts with the user being redirected to a login web portal, selecting the option that they need to set up an account, and then completing the form. If the self-service portal is also configured to allow notification through SMS, then the user will be sent a text message with the login credentials that will be used at the login page.&lt;/P&gt;&lt;P&gt;Below is an example configuration for the self-service portal with SMS options enabled.&lt;IMG src="https://community.cisco.com/legacyfs/online/media/ise1.3_self-reg-page-settings.jpg" class="migrated-markup-image" /&gt;&lt;/P&gt;&lt;P&gt;If you do not want to automatically send credentials via email or SMS, you can set the option to have the user select whether they want credentials sent via email or SMS:&lt;/P&gt;&lt;P&gt;&lt;IMG src="https://community.cisco.com/legacyfs/online/media/ise1.3_self-reg-success-settings.jpg" class="migrated-markup-image" /&gt;&lt;/P&gt;&lt;P&gt;Under the Portal Customization, you can use the default notification or add your own text and variables. In the example below, I was using the optional access code, so I added that to the default SMS notification message:&lt;/P&gt;&lt;P&gt;&lt;IMG src="https://community.cisco.com/legacyfs/online/media/ise1.3_self-reg-sms-receipt.jpg" class="migrated-markup-image" /&gt;&lt;/P&gt;&lt;P&gt;2. See the second screenshot above where I highlighted the option "Allow guests to log in directly from the Self-Registration Success page" under the Self-Registration Success Settings.&lt;/P&gt;&lt;P&gt;4. Language files in 1.3.0 are portal specific. There is one language file per portal that can be exported as a zip and contains all supported languages under separate properties files. You can make changes to any of the default properties files or add a new one.&amp;nbsp; If you want changes to apply to multiple portals of the same type, then you will need to import the new zipped language file into each portal.&amp;nbsp;&lt;/P&gt;&lt;P&gt;5. Yes. 
For example, maybe the guest wants to use their phone number or other personal ID.&amp;nbsp; See the first screenshot where I highlighted the optional User name field under the Self-registration Page Settings.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;</description>
      <pubDate>Wed, 05 Nov 2014 21:13:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570781#M72436</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2014-11-05T21:13:48Z</dc:date>
    </item>
    <item>
      <title>Hi Craig,A customer of ours,</title>
      <link>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570782#M72437</link>
      <description>&lt;P&gt;Hi Craig,&lt;/P&gt;&lt;P&gt;A customer of ours, who intends to grow their deployment, wants to deploy F5 load balancing in front of their ISE deployment.&lt;/P&gt;&lt;P&gt;The broad question I have is: Is there any F5/ISE integration/best practice guide that can be used to ensure this deployment is successful?&lt;/P&gt;&lt;P&gt;The technical problem that we are running into is with traffic that was originated by the ISE PSN, or traffic from a client that addresses the ISE PSN directly instead of through the F5 VIP (such as guest portal traffic). Because the F5 is the PSN's default gateway for all traffic, OCSP traffic from ISE (10.10.10.10), for example, is getting sent through the F5 (10.10.10.253); however, the return traffic from the OCSP server is using the regular path to the ISE node, which is through the firewall (10.10.10.254). This causes the stateful firewall to reject this packet, and the conversation is broken.&lt;/P&gt;&lt;P&gt;Is the solution here simply to place the ISE nodes on an L3 segment with the F5 routing all traffic for that network? Or is there something else we can do here?&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;&lt;P&gt;Aaron&lt;/P&gt;</description>
      <pubDate>Wed, 05 Nov 2014 23:55:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ask-the-expert-ise-1-2-configuration-and-deployment-with-cisco/m-p/2570782#M72437</guid>
      <dc:creator>Aaron Blair</dc:creator>
      <dc:date>2014-11-05T23:55:06Z</dc:date>
    </item>
  </channel>
</rss>