Ask the Expert: BYOD with Identity Services Engine

ciscomoderator
Community Manager

Read the bio with Cisco Expert Bernardo Gaspar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various usage scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.

Bernardo Gaspar is a Customer Support Engineer at the Technical Assistance Center at Cisco Europe, specialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.

Remember to use the rating system to let Bernardo know if you have received an adequate response.

Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.

This event lasts through Friday July 12, 2013. Visit the community often to view responses to your questions and those of other community members.


Octavian Szolga
Level 4

Hello Bernardo,

Can you please detail how can one configure posture for remote access users using iPEP and an ASA that is providing RA VPN services, internet connectivity for internal users and resource publishing by using DMZ?

I'm asking this in the context in which the ASA has to send the traffic from RA VPN pool to inside network and only this traffic by the means of iPEP, and ASA does not support Policy Based Routing so that the routing decision to be made using the source IP address.

Any thoughts/ideas? Is there any Cisco technical support team/portal for cases like this one?

I've also written a fairly long post about this problem, but nobody had the pleasure or willingness to answer.

(https://supportforums.cisco.com/thread/2224538)

Hello Octavian,

If I understand correctly, your main challenge is how to separate in ASA the traffic that needs to be sent directly from the traffic that needs to flow through IPEP.

For this, I'd suggest to post your question in an ASA forum. The ASA is out of my area of expertise, I don't know if this is possible to achieve.

Thank you and best regards,

Bernardo

radu.ioncu
Level 1

Hello Bernardo,

I am having issues with the Cisco NAC Agent popping up in my current ISE deployment. ISE version is 1.1.3 patch 2, and the deployed NAC agent version is 4.9.0.51.

The Cisco NAC agent has no problem popping - no preconfigured XML file - up with PC's connected via both Wi-Fi (WLC 4400) and wired (CAT4500 15.0.2 - SGA6) on VLANs with DHCP turned on. When I connect the PC - wired - to a VLAN with no DHCP server configured and with a static IP address, the NAC Agent does not pop up, and the PC is stuck in the Posture_Discovery_AuthZ phase.

This happens on the same switch, on the same port with the same configuration - the only difference being the VLAN swap (works with DHCP VLAN, doesn't work with STATIC IP VLAN).

Are there any known caveats for NAC Agent popping up with PC's with Static IP's set?

Thanks!

Hello Radu,

I'm not aware of any caveats for NAC Agent with static IP address.

When the Agent starts, it tries to discover the policy node like this:

1. HTTP discovery probe on port 80 to discovery host, if one is configured.

2. HTTPS discovery probe on port 8905 to the discovery host, if one is configured.

3. HTTP discovery probe on port 80 to default gateway.

4. HTTPS reconnect probe on 8905 to previously contacted ISE policy node.

5. Repeat from 1.

As you don't have a discovery host configured, the first 2 steps are skipped. Then, the Agent should send the HTTP discovery probe on port 80 to the default gateway. This request should be redirected by the switch, with the redirect URL it receives from ISE.

I suggest checking:

  - client default gateway configuration

  - that the switch interface is getting the redirect URL

  - that the ACL redirects the HTTP traffic towards the ISE

Thank you and best regards,

Bernardo
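Bernardo's discovery sequence above, as an added simulation that is not Cisco's or the NAC Agent's own code: it builds the probe order from the agent's configuration and runs it against a constructed switch/ISE stand-in (the node name ise-psn1.example.com, the gateway address and the redirect flags are assumptions), showing that without a discovery host only a correctly redirected gateway probe can complete discovery.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Probe = Tuple[str, str, int]  # (scheme, host, port)

@dataclass
class AgentConfig:
    discovery_host: Optional[str]    # discovery host from the agent XML, None if not set
    default_gateway: str             # client's default gateway
    last_policy_node: Optional[str]  # ISE policy node reached in a previous session

def discovery_order(cfg: AgentConfig) -> List[Probe]:
    """Probes for one discovery cycle, in the order of steps 1-4 above."""
    probes: List[Probe] = []
    if cfg.discovery_host:                      # steps 1 and 2 need a discovery host
        probes.append(("http", cfg.discovery_host, 80))
        probes.append(("https", cfg.discovery_host, 8905))
    probes.append(("http", cfg.default_gateway, 80))  # step 3 is always attempted
    if cfg.last_policy_node:                    # step 4 needs a previously seen node
        probes.append(("https", cfg.last_policy_node, 8905))
    return probes

def discover(cfg: AgentConfig, send_probe: Callable[[str, str, int], Optional[str]],
             max_cycles: int = 3) -> Tuple[Optional[str], List[Probe]]:
    """Repeat the cycle (step 5) until a probe reaches a policy node.
    Returns (node, attempts); node is None when the agent stays in discovery."""
    attempts: List[Probe] = []
    for _ in range(max_cycles):
        for probe in discovery_order(cfg):
            attempts.append(probe)
            node = send_probe(*probe)
            if node:
                return node, attempts
    return None, attempts

def make_network(port_has_redirect_url: bool, acl_redirects_http: bool,
                 ise_node: str = "ise-psn1.example.com"):
    """Constructed stand-in for switch + ISE (hypothetical node name).
    HTTP/80 reaches ISE only when the port carries the redirect URL and the
    redirect ACL matches HTTP; HTTPS/8905 reaches a node only if aimed at it."""
    def send_probe(scheme: str, host: str, port: int) -> Optional[str]:
        if scheme == "https" and port == 8905 and host == ise_node:
            return ise_node
        if scheme == "http" and port == 80 and port_has_redirect_url and acl_redirects_http:
            return ise_node
        return None  # probe times out; the agent stays in Posture_Discovery
    return send_probe
```

Running `discover` with the redirect URL missing from the port, or with an ACL that does not match HTTP, reproduces the stuck-in-discovery symptom from the question.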

Hello Bernardo

1) What would you say is the best practice for configuring the "discovery host" in a distributed deployment? Would it be to put the IP addresses of every ISE PSN in the "discovery host" field, or to leave this field empty?

2) Is it possible to trigger the NAC agent immediately after computer authentication? Currently the NAC agent triggers only after user authentication, and for some endpoints it takes up to a minute for the NAC agent to pop up, which is very annoying for the user.

Best regards

Hello Eduardo,

1) What would you say is the best practice for configuring the "discovery host" in a distributed deployment? Would it be to put the IP addresses of every ISE PSN in the "discovery host" field, or to leave this field empty?

It depends. If you're talking about 802.1x you normally don't need to configure a discovery host. As part of the discovery process, the Agent will send an HTTP packet to its gateway.

If the redirection is properly configured and applied on the port, this request is redirected to the policy server which replies and initiates the posture assessment.

For VPN users with IPEP you need to enter only one discovery host. The recommendation is to NOT use ISE as a discovery host. Rather, it should be an IP/hostname that would trigger a redirection to the active policy node.

2) Is it possible to trigger the NAC agent immediately after computer authentication? Currently the NAC agent triggers only after user authentication, and for some endpoints it takes up to a minute for the NAC agent to pop up, which is very annoying for the user.

Not that I know of.

Thank you and best regards,

Bernardo

Hi Bernardo,

Thank you for the quick reply. After your answer, we realized that the issue wasn't related to DHCP, it was most likely a PC issue.

During the NAC Agent implementation, I have observed several cases of the NAC Agent not popping up, even though network configuration is OK (I always test with no Discovery Host configuration enabled - or I delete the .xml file). I have not been able to pinpoint the exact cause, though sometimes the NAC Agent does pop up if I restart PC's with the Ethernet cable connected.

We have also seen problems with users going from Wired to Wi-Fi and ending up stuck in Posture_Discovery phase. Do you have any insight into this issue, and why it seems to happen on a random basis? Would a NAC Agent update help with this issue? (currently running 4.9.0.51).

Thank you!

Hi Radu,

This would require analysis of the logs, I'd suggest opening a TAC case if the issue is persisting.

Thank you,

Bernardo

S M85
Level 4

I would like to know if NIC bonding is on the road map of ISE?

Hello Sander,

To the best of my knowledge, it's not on the roadmap yet. I'd advise to get in touch with your local Cisco account/sales team and ask for an enhancement.

Thank you and best regards,

Bernardo

S M85
Level 4

My customer is limited in his VM space. Although he would like to have an active/standby for his administration node, he doesn't need this for his logging. Is it recommended to roll this into production? With limited HDD space, what would be the recommended space (300 GB)?

             administration   monitoring    policy service
Machine VM   primary          Not enabled   enabled
Machine HW   secondary        primary       enabled

Hello Sander,

If I understand correctly, you want to run the primary administration node in a VM while having the secondary administration node + primary in an appliance. Your concern is how much disk space to allocate to the primary admin VM as you're limited to 300 GB.

Both servers will run as policy nodes.

Here you can find the recommended values for ISE VM Disk size, depending on their role:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_vmware.html#wp1110217

An admin role should have at least 200 GB, a policy node 100 GB, I'd go for the full 300 GB.

Thank you and best regards,

Bernardo

Hello Gaspar,

I have a few queries regarding ISE:

- Does ISE support a virtual environment?

- For a Virtual Desktop / Server, will ISE help with posture assessment and enforcement?

- If a new machine is connected to the network without any agent, what functions can ISE provide?

- How long will it take after installation of the Agent? Is it real time? Is it configurable?

- What type of notification can ISE provide in the case of no agent installed on the new machine?

- Asset classification will be based on what? Is it based on what we have configured, i.e. role, domain, IP etc.?

- Can ISE detect a rogue AP?

- Will ISE support virtual machines, e.g. a hypervisor?

- If a new network device, i.e. a switch, is installed in the network, will it automatically sync and begin working?

- Is ISE capable of integration with existing Symantec AV and SCCM products for compliance?

- If the agent is installed, is self-remediation possible?

- Number of endpoints supported by ISE?

- List of third-party end devices supported?

Regards

henrikj
Level 1

Hi Bernardo

While doing EAP chaining I change the VLAN when the user is posture compliant; works great...

But I also use roaming profiles.

So when I log off, the VLAN changes back to default immediately, and synchronization of the roaming profile fails because of the VLAN change.

I tried to set the "vlan detect interval" in the NAC Agent to 10 sec, but it didn't change anything.

Is it possible to have the switch or AnyConnect NAM client delay the VLAN change?

Regards Henrik

Hello Henrik,

This question is more regarding 802.1x on the switch or AC/NAM. ISE isn't involved in this process, all it does is pass the vlan id to the switch after the client authenticates ;-)

When the user logs off, as soon as the switch receives the EAPOL-Logoff it will set the vlan back to the default one. As you say, potentially delaying the logoff from AC/NAM until the roaming profile is saved might work, but I'm not aware of any way of achieving this.

A potential workaround is to allow the needed traffic to save the roaming profiles on the default vlan. But if the client isn't able to renew its IP address it would probably fail as well. Did you try this?

Regarding the vlan detect interval in the NAC Agent, it wouldn't delay the logoff process because:

1. NAC Agent doesn't participate in the 802.1x process, only in posture (vlan assignment, eap chaining - not part of the posture process)

2. This is a timer to set how often the NAC Agent searches for a network change, so it communicates with ISE using the correct IP address.

Thank you and best regards,

Bernardo