Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

ciscomoderator
Community Manager

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.

October 27, 2014 through November 7, 2014.

Cisco Expert, Craig Hyps

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.

Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years of networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale, focused on the requirements of the largest ISE deployments.

Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.

Remember to use the rating system to let Craig know if you have received an adequate response.

Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.



40 Replies

huangedmc
Level 3

hi Craig,
We currently utilize Cisco NAC (Clean Access) to perform posture assessment, to make sure the endpoints have proper anti-virus software/definition, and up-to-date Windows patches.

What's your take on posture assessment?
Is it still a good investment in today's environments?
We're torn between continuing doing posture, or only doing authentication when we migrate to ISE.
We think it's a good idea to do posture, but it's a hard sale to management because of the premium Cisco charges for Advanced/Apex-AC licenses, and the technical complexity it brings.

Does Cisco have more customers doing posture than those not doing posture?
If you had to guess, what's the percentage breakdown between the two, in general, and in higher education?
I'm guessing most Fed/SLED customers would want to do posture, but I'm interested in knowing what other colleges & universities are doing.

Thank you,
Kevin

Hello Kevin,

Whether posture or any security control is a good investment is always a balance between security policy, risk, and the cost/impact to organization to deploy such controls.  I will not attempt to answer that for your organization here, but will try to shed light on other facets of your query.

I do not have exact counts, but in my years working with both NAC Appliance and ISE, I would say most NAC customers deploy posture. I would say less than half deploy posture with ISE, but realize that many have migrated from an AAA-only deployment, say CiscoSecure ACS, and many are green-field deployments where the customer starts with basic authentication and access enforcement and then builds upon that foundation with more advanced functions of profiling and endpoint compliance.

Higher education is a unique vertical and the decision to perform posture or not is often rooted in the university's culture: some have the mantra that students shall have free access to all resources and do not mandate installation of any client software on student PCs; others treat the network as a privilege that is governed by specific terms of use, including the installation of a posture agent and software to help ensure the connected device is not a threat to other PCs or to the security and productivity of the university as a whole. Which camp your organization sits in will often dictate whether posture is deployed.

With the growing popularity of Bring Your Own Device (BYOD) in the broader market, endpoint compliance is becoming a more prominent requirement. Endpoint compliance incorporates both the traditional posture assessment functions attributed to PC desktops/laptops as well as the more recent Mobile Device Management (MDM) solutions with a primary focus on mobile devices. With users connecting from personal devices where they have admin controls versus a managed endpoint that has been locked down with a corporate image, customers want to make sure there is a way to validate that the BYOD device meets some minimal compliance level.

Interestingly, Higher Ed has been a BYOD environment many years before the term became popularized in corporate networks. However, the same security concerns exist and the university culture and IT policy will dictate whether endpoint compliance is more important than unfettered student access from their personal devices.  

Moving forward I see MDM usage increasing and general endpoint compliance treated simply as a super-set of these device assessment and remediation options. In my opinion, basic posture/MDM makes perfect sense to improve the general security of the network and connected devices. I also agree that its use should not significantly impact user productivity. ISE 1.3, targeted for the end of this month, adds support for AnyConnect 4.0 as the posture agent. This is a major step forward to integrate endpoint compliance and security functions into a single client and to improve on the end user experience and administration across the entire organization.

I hope this answered your questions.

Regards,

Craig

Cisco ise 1.2.1 patch 2

I'm using sponsor portal and wondering if I can either eliminate the help link on the sponsor portal or modify the hyperlink to point to another document and not the default sponsor portal user guide that Cisco provides.

Under ISE 1.2.x, you can only change the label under the Sponsor Language Template.  This option is intended to serve as a basic online user guide for the sponsor portal.

Sponsor Portal customization is very limited under ISE 1.2 and earlier versions. However, under ISE 1.3, targeted to be released in the latter part of November 2014, you will have the ability to fully customize the Sponsor portal as well as other user-facing portals (except the Admin web interface).

By default, you will still have the Help button which will link to the online documentation, but you can simply remove that label from Admin UI and it will no longer appear.  By default, we will additionally display a Contact Support link next to the Help link.  This is fully customizable and provides a simple option to collect and report end user details to aid in troubleshooting.  Again, you will decide if you want this label/link to display in the portal, which support info is displayed, and other options such as custom links.  ISE 1.3 also supports multiple sponsor portals so more than one portal can be created to serve different geographies or groups of sponsors.

Hope this helps.

Regards,

Craig

Can you change the sponsor portal default timeout value in 1.3?  In 1.2 it is 20mins but doesn't seem to be configurable.

Yes, it is configurable in 1.3. This is covered in the ISE 1.3 Admin Guide documentation. If you are not aware, ISE 1.3 was released on 11/01/14 and the documentation posted to Cisco.com.

Portal Settings for Sponsor Portals

Idle timeout

Enter the time in minutes that you want Cisco ISE to wait before it logs out the user if there is no activity in the portal. The valid range is from 1 to 30 minutes.

Regards,

Craig

This command works without any issues with ISE version 1.1 and 1.2:

ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1

However, it does NOT work in ISE version 1.3.  See below:

ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
% Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.

% Error: Error adding static route.
ciscoisedev/admin(config)#

Any ideas why it is not working with version 1.3?

I am not really sure of the purpose of your static route to a loopback address in ISE 1.2. To answer the question on static route changes between ISE 1.2 and 1.3, the answer is YES.

Brief background on situation...

With ISE 1.2 we added support for web services on different interfaces. This was a great option for customers that want to segregate user traffic from RADIUS and management traffic, but it created a challenge for path symmetry since the routing table was not interface specific. In other words, traffic received on a specific interface was not sent out the same interface by default, and trying to create subnet-specific routes is not feasible for most customers.

For reference, I touch on this use case in a Cisco Live session (BRKSEC-3699: Designing ISE for Scale & High Availability) posted here.
The workaround I propose is to source NAT traffic to the web-portal interface so that client https requests always exit the same interface on which they were received.

With ISE 1.3 we allow a default route per interface or subnet-specific routes for specific interfaces. As part of these enhancements, we verify the next-hop address is in a valid subnet for one or more local interfaces. This would explain the error that you are seeing.

Hopefully this enhanced functionality addresses your requirements and the purpose for your original static route to a loopback address.

Regards,
Craig
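As an added illustration of the next-hop check described in this reply (example code written for this page, not ISE's implementation), the Go function below accepts a static route only when the gateway lies inside the subnet of a local interface and reports which interface would carry it, so the loopback gateway from the question fails exactly as in the quoted CLI output. The interface names and addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// Interface models one ISE node interface and its configured address; the
// names and addresses used below are constructed, not taken from a real node.
type Interface struct {
	Name string
	CIDR string
}

// ValidateStaticRoute models the ISE 1.3 behaviour the reply describes: the next hop
// must fall inside the subnet of a local interface, which then becomes the route's
// outgoing interface. A per-interface default route is simply the case
// dest=0.0.0.0 mask=0.0.0.0. It returns the outgoing interface name, or an error
// that mirrors the CLI warning quoted in the question.
func ValidateStaticRoute(dest, mask, gateway string, ifaces []Interface) (string, error) {
	if net.ParseIP(dest) == nil {
		return "", fmt.Errorf("invalid destination %q", dest)
	}
	// A nil or non-contiguous IPv4 mask reports 0 bits from Size().
	if _, bits := net.IPMask(net.ParseIP(mask).To4()).Size(); bits == 0 {
		return "", fmt.Errorf("invalid mask %q", mask)
	}
	gw := net.ParseIP(gateway)
	if gw == nil {
		return "", fmt.Errorf("invalid gateway %q", gateway)
	}
	for _, i := range ifaces {
		_, subnet, err := net.ParseCIDR(i.CIDR)
		if err != nil {
			return "", fmt.Errorf("interface %s has bad address %q: %v", i.Name, i.CIDR, err)
		}
		if subnet.Contains(gw) {
			return i.Name, nil
		}
	}
	return "", fmt.Errorf("could not find outgoing interface for gateway %s while trying to add the route", gateway)
}

func main() {
	ifaces := []Interface{{"GigabitEthernet 0", "10.1.1.5/24"}, {"GigabitEthernet 1", "192.168.50.5/24"}}
	// The loopback next hop from the question: no interface subnet contains 127.0.0.1.
	if _, err := ValidateStaticRoute("192.168.1.1", "255.255.255.255", "127.0.0.1", ifaces); err != nil {
		fmt.Println("% Error:", err)
	}
	// A default route for the web-portal interface only, as ISE 1.3 allows.
	out, _ := ValidateStaticRoute("0.0.0.0", "0.0.0.0", "192.168.50.1", ifaces)
	fmt.Println("default route via", out)
}
```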

huangedmc
Level 3

hi Craig,
Thank you for the reply to my previous question.

As a higher education operator, we allow any anti-virus software, as part of our posture assessment check.
So on our current Cisco NAC manager, under User Management / User Roles / Temporary Role / Host, there's a long list of URLs as "Allowed Host", where users can go to get their AV software installed/patched to be compliant.
For example: .mcafee.com, .symantec.com, .trendmicro.com, etc.

How can we migrate this function to ISE?
A few more recent platforms support DNS based ACL, but most of our Cat2K switches don't.
There are ~50 entries on that list.
Any way to support it on ISE w/o having to manage an ACL that's based on IP's?

Ditto for allowing access to Google Play to onboard Android devices.

Thx,
Kevin

Kevin,

NAC Appliance relies on being an inline enforcement device to perform the DNS snooping function that allows the domain-based ACL policy enforcement.

ISE leverages the existing infrastructure to perform policy enforcement. This keeps your policy server or other overlay appliance out of the data path but consequently requires the access device or other upstream device to perform this function.

As you noted, the WLC 7.6 added support for DNS ACLs to support this requirement for wireless clients during the URL redirection state when BYOD, MDM, and Posture integration are triggered. It is also possible to integrate with web security solutions like the WSA with transparent login such that specific networks can have access controlled based on domain name. There are other options that rely on DNS tricks or other security devices that support host-based policies, including ASA, but the best solutions are those like WLC that dynamically allow access based on specific client DNS responses (similar in concept to what NAC Appliance Server is doing).

For the 2960 switch that does not currently support DNS ACLs, I would consider an upstream web security solution that applies transparent proxy with URL-based policy controls to users in a pre-compliance/quarantine VLAN/source network.

I double-checked with the switching product team, and support for DNS ACLs is being considered but not yet committed, so be sure to work with your local Cisco sales team to add your name and business requirement to raise feature prioritization.

Regards,

Craig

sdoherty
Level 1

Hello Craig,

We are using ISE 1.2 for guest, and byod with a certificate from an internal MS CA using NDES. We provide access to the corporate network via a standard ssid on our WLC using WPA2 enterprise with an AD back-end.

We would like to move our corporate ssid over to ISE using some kind of certificate. How would we differentiate the CERT issued for the byod from the one for our new network? We would not want someone with a byod CERT to gain access to our corporate network.

Thank you

S Doherty,

ISE 1.2 exposes a number of certificate attributes to the Authentication and Authorization Policy to validate that the issued certificate matches or does not match the specified criteria.  For example, you may wish to use Issuer CN or Issuer OU to distinguish between your BYOD certs and other corporate certs.

ISE 1.2.1 added a couple of new attributes to validate expiry. The just released ISE 1.3 version exposes additional certificate attributes to the Auth Policy such as Key Usage/EKU. ISE 1.3 attributes include the following:

  • Serial Number
  • Template Name
  • Is Expired
  • Days to Expiry
  • Key Usage
  • Extended Key Usage - Name
  • Extended Key Usage - OID
  • Issuer
  • Issuer - Common Name
  • Issuer - Country
  • Issuer - Domain Component
  • Issuer - Email
  • Issuer - Location
  • Issuer - Organization
  • Issuer - Organization Unit
  • Issuer - Serial Number
  • Issuer - State or Province
  • Issuer - Street Address
  • Issuer - User ID
  • Subject
  • Subject - Common Name
  • Subject - Country
  • Subject - Domain Component
  • Subject - Email
  • Subject - Location
  • Subject - Organization
  • Subject - Organization Unit
  • Subject - Serial Number
  • Subject - State or Province
  • Subject - Street Address
  • Subject - User ID
  • Subject Alternative Name
  • Subject Alternative Name - DNS
  • Subject Alternative Name - EMail
  • Subject Alternative Name - Other Name

Note that ISE 1.3 also includes an embedded CA in case you want ISE to manage certs for BYOD.  It will allow BYOD certs to be issued by embedded CA or by your private CA using SCEP based on matching conditions.

Regards,

Craig

Hello again Craig and thank you for your answers!

To continue the discussion on using certificates and their fields, whether the Subject Name or SAN. I read on another post you mentioned byod and using the 'SAN radius:Calling-Station-ID' id field to authorize clients; this is how we do byod as well. The client sends this information in the radius flow; this is the documented method.

Now let's say you want to differentiate certs between byod and corporate. If you use another Certificate field, let's say AD/email, each user's email is different, so how do you set this up in an authorization policy? I guess I do not understand how the certificate actually functions. In this case would ISE do a call to AD to verify that what is being presented by the client certificate matches what is on the client's AD account? Does it just check to see if the certificate has an email address, or does it check the client's certificate against the CA certificate to see if the email addresses match?

Thank you!

For certificate-based auth, the client will send its certificate to ISE via RADIUS. In both the Authentication and Authorization phases, ISE can look at the certificate fields listed previously and match on specific values such as Issuer.

During Authorization, ISE can perform lookups based on the Identity specified in the Certificate Authentication Profile. For example, if Identity is based on Subject CN and the client certificate has CN set to 'user_xyz', then the PSN performs a lookup to the specified ID store using that identity. So if you have populated one of the supported fields for ISE policy matching, you could compare that field to the one configured in the user's AD account.

Example:

   Authorization Policy Rule = AD_User_Email_Match

   if CERTIFICATE:Subject - Email EQUALS AD1:mail then Permit_Access

In this example, the Certificate Auth Profile listed Subject CN as the field to use for Identity, and that field was employee1. During authorization, the PSN looks up employee1 in AD1 and compares the value in the actual certificate presented by the client to the mail attribute for this user in AD.

Hope that clarifies how certificate authorization is performed.

Regards,

Craig
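To make the two certificate replies above concrete (distinguishing BYOD from corporate certificates by Issuer CN, and the AD_User_Email_Match rule with Subject CN as the Certificate Authentication Profile identity), here is an added Go example that builds a test client certificate with the standard library and evaluates the rule against a constructed AD1 store. It is illustration code for this page, not ISE's own logic; the issuer names, identities and mail values are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1} // PKCS#9 emailAddress, shown by ISE as "Subject - Email"

// IssueTestCert stands in for the client certificate an endpoint presents over EAP-TLS. All values
// are constructed; a bare parent template gives the cert an Issuer distinct from its Subject.
func IssueTestCert(issuerCN, subjectCN, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: subjectCN, ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: email}}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SubjectEmail returns the "Subject - Email" attribute of a parsed certificate, or "" when absent.
func SubjectEmail(cert *x509.Certificate) string {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			return s
		}
	}
	return ""
}

// AuthorizeByEmailMatch evaluates "if CERTIFICATE:Subject - Email EQUALS AD1:mail then Permit_Access"
// with Subject CN as the Certificate Authentication Profile identity, after first gating on Issuer CN
// the way the earlier reply separates BYOD from corporate certs. ad maps identity to the AD1 mail attribute.
func AuthorizeByEmailMatch(cert *x509.Certificate, ad map[string]string, corpIssuerCN string) (string, string) {
	if cert.Issuer.CommonName != corpIssuerCN {
		return "Deny", "issuer " + cert.Issuer.CommonName + " is not the corporate CA"
	}
	identity := cert.Subject.CommonName
	if mail, known := ad[identity]; !known || SubjectEmail(cert) != mail {
		return "Deny", "Subject - Email does not equal AD1:mail for identity " + identity
	}
	return "Permit_Access", "Subject - Email equals AD1:mail for " + identity
}
```

An unknown identity and a mismatched email both fall through to the same Deny, so the second return value carries the reason a troubleshooter would look for in the live log.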