12-03-2015 02:37 PM - edited 03-10-2019 11:17 PM
Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Service Engine (ISE) to Artem Tkachov and Wojciech Cecot.
Ask questions from Monday, December 14 to Wednesday, December 23, 2015.
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources.
This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.
Artem and Wojciech will be helping you with all your queries on all of the above.
Artem Tkachov is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC for the past 3 years and has 8 years of industry experience working with enterprise deployment and troubleshooting. His areas of expertise currently include Firewalls, VPNs, AAA, 802.1X (MACsec/TrustSec), ISE (BYOD, HotSpot, etc.), ACS, as well as knowledge in Routing and Switching, Service Provider and Data Center technologies. Artem holds CCIE certifications (# 39668) in Routing and Switching, Service Provider and Wireless, as well as CCNP in Security, JNCIS-SP, RHCSA and ITIL certifications.
Wojciech Cecot is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC since May 2014 and has 3 years of industry experience working with enterprise deployment and troubleshooting. His area of expertise covers ISE, TrustSec, BYOD, ACS 5.x and 802.1X. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He graduated with Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.
Find other Ask the Expert events: https://supportforums.cisco.com/expert-corner/events.
Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question.
**Ratings Encourage Participation!**
Please be sure to rate the answers to questions.
12-16-2015 06:08 PM
Thanks for the reply.
I had another specific question regarding the External RESTful Services API. Is there any way to directly obtain session details via an IP address? I know that the documentation allows for NAS IP Address searching, but I want to search for an active session where the user has a particular IP address (not the NAS IP). Is there any way to do this?
Also, going back to the scenario where Super Admin rights are required to access the API - is there any way to secure the credentials of the Super Admin account in the HTTPS requests? It can be a big issue if these credentials are compromised because it gives total access. This would not be too big of an issue if the bug you mentioned was not present.
Thanks
12-17-2015 12:23 AM
Hello Sir,
I'm afraid it's not possible to check/search the session based on IP address.
Usually an end station/device is identified based on MAC address and/or ID number.
Please check the ERS page stored on ISE; this will give you an idea of which filters are supported and what kind of API call you need to make.
Link to ERS page:
https://<ISE IP address>:9060/ers/sdk
*Make sure you have enabled it first under: Administration --> System --> Settings --> ERS Settings
Regarding your second question.
Basic authentication adds a header to each request which contains a Base64-encoded username/password pair. However, it's a "simple" cipher and can be decoded in a simple way. But this will only be an issue when you do the API call using "HTTP"; if you use "HTTPS" it will be secured by SSL. So, use only "HTTPS" with your API calls.
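As an added illustration of the answer above (example code, not from the thread or from Cisco): a minimal ERS client that shows how trivially the Basic header decodes, refuses anything but https:// on port 9060, and verifies the ISE server certificate against a CA bundle, since TLS only protects the Super Admin credentials when the certificate is actually checked. The JSON Accept header, the `ca_bundle` file and the resource path passed to `ers_get` are assumptions.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlparse

ERS_PORT = 9060  # ERS listens on TCP 9060, as the /ers/sdk link in the thread shows


def basic_auth_header(username, password):
    """Build the Authorization header exactly as HTTP Basic auth sends it."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header):
    """Reverse the header: Base64 is encoding, not encryption, so anyone who
    captures it on a plain-HTTP call recovers the Super Admin credentials."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password


def check_ers_url(url):
    """Refuse anything that is not https:// on the ERS port, so the Basic
    header never leaves the client in clear text."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("ERS calls must use HTTPS, got %r" % parts.scheme)
    if parts.port != ERS_PORT:
        raise ValueError("ERS listens on %d, got %r" % (ERS_PORT, parts.port))
    return url


def ers_get(url, username, password, ca_bundle):
    """GET an ERS resource over verified TLS. HTTPS only protects the header
    if the server certificate is checked, so the ISE certificate (or its
    issuing CA) goes into ca_bundle instead of verification being disabled.
    Assumed: a JSON-capable ERS resource behind `url`."""
    check_ers_url(url)
    ctx = ssl.create_default_context(cafile=ca_bundle)  # chain + hostname check
    req = urllib.request.Request(url, headers={
        "Authorization": basic_auth_header(username, password),
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)
```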
12-16-2015 03:37 AM
Hi,
Is there any specific support or way to handle imaging/installation of PCs from Microsoft SCCM initiated with PXE boot?
A way to allow the client to temporarily get access to the required network resources during the installation, since the PC is not able to authenticate itself before it's fully installed.
Thanks.
12-16-2015 04:48 AM
Hello Sir/Madame,
Thank you for that question. When a PXE device is booting we could use MAB authentication and limit its access using a dACL to allow DHCP and access to the MS server.
Once the device is fully installed, dot1x can take precedence (authentication priority dot1x mab) and the machine will be securely authenticated with dot1x.
That is explained with the example in the guide below (Low-Impact Mode section):
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_24_low_impact_mode.pdf
Thank you
Wojciech
12-16-2015 04:58 AM
Hi Wojciech
The current SCCM setup requires access to a lot of different resources during the install, which makes it almost impossible to get a full dACL configured to allow access.
So I was looking into whether SCCM & ISE could exchange information, like when a PC is about to be installed the MAC address could be passed from SCCM to ISE, allowing it full access to the network for a very limited amount of time. Could something like this be possible?
Thanks.
12-16-2015 06:01 AM
Hi,
Well, I am afraid that will not be possible in the way that was described. ISE needs to know exactly what access should be allowed for the PXE process in order to send that to the switch (VLAN or dACL). Another way could be to create some endpoint group for devices which will be allowed to access full resources. However, that will require manually adding the endpoint to that group and then either removing it or setting some purge policy (e.g. after one day the endpoint will be removed from the PXE group and will no longer have full access).
Hope that clarifies your question.
Thank you,
Wojciech
12-16-2015 01:01 PM
It's possible to create an ADAM/LDS instance in your AD, where you can store MAC addresses for PXE use, and then have ISE look for MAB there. Your SCCM server can execute a PowerShell script when you choose a machine to PXE in the SCCM management system; this script should then create the MAC of the machine (which should be in the SCCM inventory already). Next time the machine reboots to load WinPE via PXE, it will fail dot1x, but then its MAC is in the LDS tree, and ISE can MAB-authenticate it. You of course also need a script that runs when the machine has been completely imaged, that removes the MAC address from the LDS tree again.
12-16-2015 06:02 AM
Hi Guys,
I wonder if you could share your experiences working with OSX and ISE and what is the best method for getting a working Posture/Dot1x setup in place when the workstation is joined to an Active Directory domain? I have had many issues with creating profiles for OSX etc., and although I'm sure you may not want to go into the specifics of OSX profiles, if you could give a general overview of the approach that has worked best in your experience it would help me greatly!
Thanks in advance,
Mike
12-16-2015 11:43 AM
Hello Michael,
Thank you for your question.
We have a few guides, following which you can set up everything for posture; sharing some of them with you:
1. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html
2. http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
3. https://supportforums.cisco.com/discussion/12446131/posture-mac-os-x
Needless to say, check "Posture Assessment Options" for Macintosh before the integration, to be sure that your posture scenario is supported.
From "real life", posture integration and posture issues really depend on specific project needs, and I'm not sure there is a best practice that we can share.
Thanks
/Artem
12-16-2015 06:16 AM
Hi Experts,
Recently we've upgraded from ISE 1.1 to 1.3 and although we gained lots of useful features we have lost a very important one:
With v1.1, if we created a guest user with the sponsor portal and set up the account validity for 24 hours, the clock started ticking whenever the user first logged into the network. With 1.3 this is not possible.
Does 1.4 or 2.0 support this feature or is there any patch that can be applied to the current version (1.3) to get this feature back?
Many thanks,
Csaba
12-16-2015 06:30 AM
Hello Csaba,
Thank you for that question. More and more customers are reporting willingness to have that feature back (FromFirstLogin), so for sure that is a hot topic.
There is already an enhancement request opened for that; you could subscribe and you will be notified if something changes in that matter:
https://tools.cisco.com/bugsearch/bug/CSCus05072/?reffering_site=dumpcr
I can see that there are plans to get that feature back to ISE next year.
Thank you,
Wojciech
12-16-2015 06:48 AM
Many thanks Wojciech for the prompt and detailed reply, it is very much appreciated!
12-16-2015 08:40 AM
Hello,
My question is regarding the integration between ISE and ASA VPN. Cisco ASA from version 9.2 is able to send to ISE some of the endpoint’s attributes via the RADIUS protocol (mdm-tlv=device-platform, mdm-tlv=device-type=, mdm-tlv=device-mac=, mdm-tlv=device-platform-version=, mdm-tlv=device-uid=). Based on those attributes we are able to create the authorization policy in Cisco ISE like: if mdm-tlv=device-platform EQUALS windows THEN xxxx. Yes, this could be nice, but it is not in the corporate environment.
Usually our customers want to have the possibility to establish a VPN connection only with corporate devices. For that purpose we can use the attribute mdm-tlv=device-mac. If we have a database of MAC addresses (wired, wifi) of corporate devices in some specific ISE group, like group name “VPN-ALLOW”, we are able to match the condition like “IF network-device-group EQUALS VPN-ALLOW THEN xxx”.
Yes, this is “more secure“, and we suppose that Cisco ISE works in this specific scenario like this:
Use the attribute mdm-tlv=device-mac and compare it with the internal DB of MAC addresses. If it matches, then assign this MAC address to the found internal Endpoint Group.
But still the most secure scenario should be using the attribute mdm-tlv=device-uid – a unique identification of every endpoint device. We thought to fill this attribute into Active Directory for every user (bind the domain user with his asset) and then ask in ISE – IF user attribute from AD EQUALS mdm-tlv=device-uid – THEN connect.
Unfortunately, this is not possible in ISE.
We can just create a condition like IF uid STARTS WITH abc... THEN connect – this is not a scalable solution at all (text comparison of the ASA attribute against predefined constants).
Will there be any improvement in the integration of ASA with ISE and checking the ASA attributes from ASA? Still, this solution is possible to implement on ASA via HostScan, DAP and LUA…
Or is there any way to use this scenario in a corporate environment?
Thank you
Tomas
12-17-2015 02:24 AM
Hello Tomas,
Thank you for this question.
In your scenario, in addition to HostScan/DAP/LUA or checking MAC addresses in the way you described, you might consider Posture with a Registry check action. On the ISE side you can create a specific registry condition, where you will be checking your domain name.
Unfortunately, the functionality that you are asking for is not available on ISE and I doubt I'll see it in the roadmap for ISE.
Thanks
/Artem
12-18-2015 08:07 AM
Thank you for your answer. If we summarize it: ASA with HostScan and LUA are "good tools" for checking the endpoint. The ASA attributes (sent via RADIUS to ISE), except the attribute mdm-tlv=device-mac=, are useless. Yes, a possible solution is the posture module of AnyConnect, but it is not scalable for external organizations which usually connect via VPN into the customer network.