Cisco ISE Whitelists

mark373737
Level 1

Hi All,

I have to move from Monitor Mode for wired devices quicker than anticipated. I have policies tested/prepared for standard DOT1x laptops/desktops etc but not for all other legacy/non-standard MAB devices yet. So I have been asked to enable the policies I have tested, and below those but above the Default Policy create a catch-all policy to use a whitelist of all mac addresses currently known to the network.

The rationale is that it will prevent any new unauthorised device access and we will then get time to sort out proper policies for those currently connected. There is NO wired guest access service (Wireless is not under ISE control yet) and there is acceptance that this list might currently contain illegal devices. Here are the questions:

1. You can export from Administration\Identity Management\Identities\Endpoints all the MAC addresses ever known to ISE. This is a massive list in my case.

2. I can't see anywhere how to import them into a new whitelist other than individually per MAC address. Is there no way to do this?

3. If I get over that issue, can ISE Policy handle a whitelist of many thousands of devices?

4. We accept that in this interim period, management of that whitelist will be a royal pain in the neck!!

Many thanks in advance


Hi,

Yes, you can export all the MAC addresses ever known by your ISE, as long as you didn't purge, if so you'll only get the ones currently in the database.

I don't get your "new whitelist". If you import a bunch of mac addresses, all will go to the only endpoints database. If you want to separate the new ones from the old ones, then you'll have to play with endpoint groups. And of course, update your authorization rules accordingly.

For each ISE server, more than 2k authentications at the same time starts to be a problem; of course it will depend on the resources of each server. For the length of the endpoint database, I've seen only one ISE handling more than 20k endpoints without problem.

Cheers,

Thanks for the response Aaron,

I understand most of your replies and it is good news. However I am not clear on the Endpoints database. This is not a group in itself that I can refer to in a policy is it? 

And if I could refer to all the devices in the Endpoint database in a policy, I ONLY want those MAC addresses that are currently in there now... so for example I wouldn't want any new devices allowed if they connected tomorrow.

I presume all new devices would join that endpoint database, so I expected I would need to export all the current devices from the Endpoint database and import them into a newly created Whitelist and then refer to that Whitelist in a policy. Does that make sense?

Lastly, my endpoint database has over 50K entries! It is an 8 node deployment with 4 x PSNs. If I wanted to purge the Endpoint database and re-populate it again over a shorter period, how would I do that and what is the effect in Monitor mode of doing that?

Thanks

M

I meant that the endpoint database you have can be exported and purged, and then you can create a new endpoint group and import the old entries into it, using the csv template ISE provides. Then you can set a rule to match this endpoint group and authorize these as you want.

Once you have this done, you can then set a deny entry for anything new. You'll be locking out everything connected to the network and yet unknown for ISE.

50k endpoints for an 8 node deployment is not that much, so I would not expect any performance issues there. If you purge and settle the database in monitor mode, you'll have all the endpoints in the database anyways. I don't think the mode affects it. Endpoint gets populated with all the endpoints ever seen by ISE, no matter authorized or not.

Probably I'm not explaining this very well. In general terms you should be adding all your old endpoints to an endpoint group that will be referenced by a rule that will allow these. Then create a default rule denying access, so everything new will be locked out. All the new unallowed endpoints will appear in the endpoint database (but being denied); that's something we cannot change, at least in my experience.

Thanks again Aaron,

This makes sense but I have a few other questions. In 1.2 there is no purge option. I saw how to do it in 1.3 and that does not exist in 1.2. That should be resolved when we upgrade to 1.4 this week.

However there is also no way to import these MAC addresses into a whitelist except one at a time. I'm hoping that is also a 1.2 restriction. I can bulk export them from the endpoint table, but when I create my new whitelist, it only allows me to add them one at a time. It shows me a drop down list of every MAC address but you can tick one address at a time and you cannot do shift/select all. There is no import option.

I'm either looking in the wrong place or it does not exist as an option in 1.2.

Last point is that I think purging the endpoints would be a good idea, and letting it learn from scratch for a week to reduce the need for a 55K whitelist. If I do this during the working day, is there any effect on the users if they are all running in Monitor mode?

Thanks

M

Maybe you are looking at the wrong place. There has been purge since 1.2 as far as I can remember. Same for the endpoints import. Both options are there. I have no access right now to my ISEs so I cannot make a screenshot.

Only thing would be the endpoint profiling. ISE will have to do it again for every device.

Thanks Aaron,

Very odd. I have looked at endpoint purge documentation for 1.3 and I do not have the same option in 1.2. Perhaps something needs enabling first?

I do not have the following option in 1.2 (as mentioned in 1.3)

Administration > Identity Management > Settings > Endpoint Purge 

Likewise I do not have any Import option under Administration > Groups > Endpoint Identity Groups. I have added two screenshots of where I am looking...hopefully just in the wrong place!

Thanks

M

Unfortunately I don't have any ISE older than 1.3 in production or lab. I recall endpoint purge like we have in 1.3 was available in the 1.2 roadmap. But I don't remember the patch version it was.

Regarding the Import, attached screenshot for your reference. You have the option to import endpoints from a .csv file. Inside the file, one of the rows sets up the endpoint group it will have. You weren't looking in the right place imho.

Thanks Aaron,

Upgrading to 1.4 this weekend so will hopefully see the endpoint purge.

I think I get the import now. I export from the endpoint table to a .csv file, edit that file to add the whitelist group column, and then reimport it to the endpoint table, presumably getting the "overwrite existing entries" warning like you get with the Network Device import.

Thanks for your patience and advice. Much appreciated

M
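The export/edit/reimport step the thread settles on is easy to get wrong by hand on a 50K-row file (mixed MAC notations, duplicates, rows that are not MACs at all), so here is an added helper script, not from the thread or from Cisco, that stamps the whitelist endpoint group into an exported endpoints CSV. The column names `MACAddress` and `IdentityGroup`, the group name `Whitelist-Interim` and the sample rows are assumptions; compare the headers with the CSV template your own ISE offers on the import page before using the output.

```python
import csv
import io
import re

# Assumed column names modelled on the ISE endpoint CSV template; verify
# against the template downloaded from your own ISE before importing.
MAC_COL = "MACAddress"
GROUP_COL = "IdentityGroup"


def normalize_mac(raw):
    """Return a MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits.
    Accepts colon, dash and Cisco dotted (xxxx.xxxx.xxxx) notations."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw or "")
    if len(hexdigits) != 12:
        return None
    hexdigits = hexdigits.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_whitelist_rows(export_rows, group_name, exclude=frozenset()):
    """Keep one clean row per MAC, drop anything in `exclude` (MACs you already
    know should not be whitelisted), and set the endpoint group column."""
    seen, kept, rejected = set(), [], []
    for row in export_rows:
        mac = normalize_mac(row.get(MAC_COL))
        if mac is None:                     # unparsable row: report, don't import
            rejected.append(row.get(MAC_COL))
            continue
        if mac in seen or mac in exclude:   # duplicate notation or excluded
            continue
        seen.add(mac)
        kept.append({**row, MAC_COL: mac, GROUP_COL: group_name})
    return kept, rejected


def convert_csv(export_text, group_name, exclude=frozenset()):
    """Rewrite an ISE endpoint export as a CSV ready for the endpoint import."""
    reader = csv.DictReader(io.StringIO(export_text))
    rows, rejected = build_whitelist_rows(reader, group_name, exclude)
    fieldnames = list(reader.fieldnames or [])
    if GROUP_COL not in fieldnames:         # export without the group column
        fieldnames.append(GROUP_COL)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n",
                            extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue(), rejected


# Constructed sample export: same phone in two notations, a printer, a bad row.
SAMPLE_EXPORT = """MACAddress,EndPointPolicy,IdentityGroup,Description
00:11:22:33:44:55,Cisco-IP-Phone,Profiled,Phone on floor 2
0011.2233.4455,Cisco-IP-Phone,Profiled,duplicate in dotted form
aa-bb-cc-dd-ee-ff,Unknown,Unknown,Printer
not-a-mac,Unknown,Unknown,bad row
"""

if __name__ == "__main__":
    text, bad = convert_csv(SAMPLE_EXPORT, "Whitelist-Interim")
    print(text)
    print("rejected rows:", bad)
```

Review the rejected list before importing; a row ISE exported but this script cannot parse is worth a look rather than silently dropping.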