Ask the Expert: Implementing and Troubleshooting Cisco Identity Services Engine (ISE)

Monica Lluis
Level 9

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Services Engine (ISE) to Artem Tkachov and Wojciech Cecot.

Join the Discussion : Cisco Ask the Expert

Ask questions from Monday December 14 to Wednesday December 23rd, 2015

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources. 

This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.


Artem and Wojciech will be helping you with all your queries on all of the above.


Artem Tkachov is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC for the past 3 years and has 8 years of industry experience working with enterprise deployment and troubleshooting. His areas of expertise currently include Firewalls, VPNs, AAA, 802.1X (MACsec/TrustSec), ISE (BYOD, HotSpot, etc.), ACS, as well as knowledge of Routing and Switching, Service Provider and Data Center technologies. Artem holds CCIE certifications (#39668) in Routing and Switching, Service Provider and Wireless, as well as CCNP Security, JNCIS-SP, RHCSA and ITIL certifications.


Wojciech Cecot is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC since May 2014 and has 3 years of industry experience working with enterprise deployment and troubleshooting. His area of expertise covers ISE, TrustSec, BYOD, ACS 5.x and 802.1x. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He graduated with Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.


Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.

Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question. 

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions.


I hope you and your loved ones are safe and healthy
Monica Lluis
Community Manager Lead

John Ventura
Level 1

Hi guys,

Is there any configuration guide regarding integration ISE 2.0 with 3rd party devices, like Aruba?

Thank you for your prompt response.

- John

Hello John,

Thank you for your question.

Indeed there are a few guides for ISE 2.0 and Aruba integration; I am sharing the links below:

1. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200270-ISE-2-0-3rd-Party-integration-with-Aruba.html

2. http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf

Also, sharing a link to the ISE 2.0 release notes, which might be useful:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html

Thanks

/Artem

James Devan
Level 1

I am researching utilizing 802.1X and ISE for both wired and wireless access. The wireless access seems fairly straightforward when paired with Meraki MDM. The wired access seems a little more daunting. I would plan on leveraging Active Directory for the majority of device authentication. What is the recommended practice for authenticating devices not associated with AD? I am referring to network printers, medical devices, IP cameras, WAPs, etc. Does the solution add a large amount of complexity and difficulty for management? 

Hello James,

Thank you for your question.

To find the best solution in your scenario, we would definitely need to know more about your network and the requirements for the dot1x integration project you will have.

In general, the majority of the devices you mentioned usually don't support dot1x/EAP authentication, hence most probably you will use the MAB (MAC address bypass) authentication method. Having said this, the MAB method is not really secure and would require some work on the authentication/authorization rules on ISE. Also, the switch/interface configuration is important here; for example, if you don't use dot1x authentication on the end device, it is better to keep only MAB-related configuration on the switch interface level.

In your scenario you might consider using profiling to have more granular access to your network.

Sharing with you the "how to" guide for profiling:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf

In short, I wouldn't say it's extremely complex to implement, but it would require time to plan all components correctly.

Thanks

/Artem
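As an added illustration of the switch-side point in the answer above (this is example configuration written for this thread, not Artem's or Cisco's own text), the following Cisco IOS access-switch configuration puts a MAB-only port for a device that cannot do 802.1X next to a dot1x port with MAB fallback for an AD-joined workstation. Interface numbers, the access VLAN, the ISE address and the shared secret are assumed placeholders.

```cisco-ios
! Added example, not from the thread. ISE address, VLAN and ports are assumed.
! Global AAA: authenticate, authorize and account against ISE over RADIUS.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
dot1x system-auth-control
!
! Port for a printer / camera / medical device that has no supplicant:
! MAB only. No "dot1x pae authenticator" here, so the switch does not
! spend the EAP timeout cycle before falling back to MAB.
interface GigabitEthernet1/0/10
 description Printer - MAB only
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication order mab
 authentication priority mab
 mab
 spanning-tree portfast
!
! Port for an AD-joined workstation: try 802.1X first, fall back to MAB
! if the supplicant does not answer. Keep the EAP timer short so a
! non-dot1x device plugged in here is not left waiting for long.
interface GigabitEthernet1/0/11
 description Workstation - dot1x with MAB fallback
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! Verification: which method authenticated the session and which
! authorization result (VLAN, dACL, SGT) ISE returned.
! show authentication sessions interface GigabitEthernet1/0/10 details
```

Because MAB trusts only the source MAC, the ISE authorization rule for the MAB-only port should restrict the endpoint to what that device class needs (a dACL or VLAN, with profiling to confirm the device type) rather than granting full access.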

Thank you very much!

Hi Artem/Wojciech,

I have a few projects related to ISE as I am working with a channel partner. In the beginning I struggled a lot as there was no proper training material or videos (or I might not have been able to find them). But when I started watching videos on labminutes.com, I understood the config details etc. There is still a lot which I need to master.

May I know if Cisco has such video tutorials, or simple step-by-step config guides to deploy something like a posture deployment, WSUS check, etc.?

I see many config guides on Cisco.com but none of them help with real life config and scenarios. They are all generic.

Thanks & Regards,

Manjeetsing

Hello Manjeetsing,

Thank you for that question.

Let me start with videos. Indeed there is such a channel on youtube.com; it is still under development, however I could see many useful videos there already. Colleagues from the US came up with that idea around 2 months ago and I can see that more and more videos related to ISE 2.0 are being uploaded. Please take a look:

https://www.youtube.com/user/CiscoISE/videos

Regarding articles: ISE is a quickly growing product with many features, and configuration strongly depends on the particular deployment; however, I could find an article that should match your requirement with posture/WSUS configuration:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119214-configure-ise-00.html

Hope that helps.

Thank you

Wojciech

Manjeetsing,

If you're a Cisco Partner, please check out the video training on PEC.

There is a course to help prepare for the CCNP SISAS exam (which focuses primarily on ISE).

http://tools.cisco.com/pecx/login?URL=offeringDetail?offeringId=491927__1421978424455

(Your cisco.com ID must have partner level access.)

susim
Level 3

Hi,
In what areas can ISE and ASA work together?
How can it be utilized to the maximum for VPN?
Thank you

Hello Sir/Madam,

Thank you for that question.

That is quite a general one, so let me try to answer it in the following way. We have:

--- TACACS+ for ASA administration (starting from ISE 2.0),
--- authentication of the VPN users,
--- VPN Posture, described in:
http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200271-ISE-2-0-and-AnyConnect-4-2-Posture-BitLo.html
--- TrustSec (we can assign SGT tags to the VPN users),
--- Certificate provisioning for VPN users --- SCEP functionality on ISE.

I might be missing something, however those are the most common use cases.

Thank you,

Wojciech

jay.pandya1
Level 1

Hi, 

Is there any way to give an ERS Admin access to the External RESTful API? Currently I am only able to access the "ActiveList" using Super Admin privileges. 

Thanks

Hello Sir,

Thank you for your question.

Unfortunately this is expected behavior. When authenticating external REST requests, in addition to verifying the admin user name and password, there is a check that the admin role is SuperAdmin. This ensures that admins with lower permissions will not be able to issue REST requests.

We do have a bug for this scenario: CSCur87193. It is marked to be fixed in ISE version 1.5.

As for now you have to use accounts from the Super Admin group to be able to use the External RESTful API.

Thanks

/Artem

Thanks for the response. I had another question. In the ISE documentation there is a mention of a response code returned by the External RESTful Services API called "429 Too many requests" which means too many simultaneous requests. Is there a particular number of simultaneous requests which would trigger this response code? 

Thanks

Hello Sir,

Thank you for this question.

The message you are referring to might come from 2 different layers: the application itself as well as the transport/TCP layer. Since the newest ISE 2.0 is using Apache Tomcat Server 8.x, the application configuration should be stored there. Sharing with you a link where you can read more on Tomcat Server 8.x and its default settings:

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

Unfortunately, this is a very specific question and without the engineering team looking into the source code I won't be able to fully answer it. Because of that, if you would still like to have an answer to this question, I would encourage you to open a TAC case.