cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Cisco ISE overview and integration with Cisco DNA

1093
Views
20
Helpful
2
Comments
7o8X.gif

I'm going to talk today about cisco ISE ( identity service engine), and why cisco ISE is an important element that must run with cisco DNAC solution and how to integrate with DNA and retrieve the Policy and Security group tags.

-What is the Cisco ise? Cisco Ise is the centralization point to the policy engine that simplifies the delivery of highly secure to the network, The Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices.

NOTE: If you have a good context, then you can absolutely go give the right kind of role-based access policies on to the network.

network-security.jpg

 

-Cisco ISE performs the following functions (AAA)

        1- (A) Authentication: who are you

        2- (A) Authorization: what are you allowed to do

        3- (A) Accounting: what you have done in the network

 

NOTE: The role could be interacting with the network resources to know what is happening, Location tracking, time, ETC..., Role working through your active directory, your LDAP, anything else that could make up this role.

- Cisco ISE has four  personas:

         1- PAN (Policy administrator node) to provide the administrative services and manage the database.

         2- PSN (Policy service node) to carry the configuration that is pushed from the PANs and perform PassiveID, SXP, Device Admin, etc... 

         3- Pxgrid to integrate between ISE and third-party vendors, and other policy network system (ASA, FMC, DNAC,...

         4- MNT (Monitoring and troubleshooting) This is the log collector of the ISE deployment and stores all the log messages from your individual PAN and PSNs. The advanced monitoring and troubleshooting tools are built into it.

 

( ISE Deployment Models )

1- Standalone node: All services including PAN, PSN, MNT, Pxgrid Etc... run on the same node.

2- Distributed Node: Distribute the service PAN, PSN, MNT within multiple nodes.

3-Hybrid: share the administrator node or services node with the cloud solution.

 

( Cisco Secure Network Server. )

  • Cisco SNS 3415
  • Cisco SNS 3495
  • Cisco SNS 3515
  • Cisco SNS 3595
  • Cisco SNS-3615
  • Cisco SNS-3655

   Product specifications

Product Name

Secure Network Server 3615

Secure Network Server 3655

Secure Network Server 3695

Processor

1 – Intel Xeon

2.10 GHz 4110

1 – Intel Xeon

2.10 GHz 4116

1 – Intel Xeon

2.10 GHz 4116

Cores per processor

8

12

12

Memory

32 GB (2 x 16 GB)

96 GB (6 x 16 GB)

256 GB (8 x 32 GB)

Hard Disk

1 - 2.5-in.

600-GB 6Gb SAS 10K RPM

4 - 2.5-in.

600-GB 6Gb SAS 10K RPM

8 - 2.5-in.

600-GB 6Gb SAS 10K RPM

Hardware RAID

No

Level 10

Cisco 12G SAS Modular RAID Controller

Level 10

Cisco 12G SAS Modular RAID Controller

Network Interfaces

2 X 10Gbase-T

4 x 1GBase-T

2 X 10Gbase-T

4 x 1GBase-T

2 X 10Gbase-T

4 x 1GBase-T

Power Supplies

1 x 770W

2 x 770W

2 x 770W

 

Cisco ISE deployment steps  :

 

-Power up SNS and choose ( Cisco ISE installation keyboard / Monitor )

11.png

 

- Type “setup” at the login prompt and press Enter.


Hostname: Cisco ISE-Node01
IP Address: 192.168.100.100
Netmask: 255.255.255.0
Default Gateway: 192.168.100.1
DNS Domain: local study.com
Primary Name Server:100.100.100.50
Primary NTP Server:100.100.100.30
Time Zone: S
Default Username: admin
Password: xxxxxxxxxx      NOTE: It must not contain a Cisco character

after setup is done, you can start access through GUI with a default ise certificate.

12.png

NOTE: Through this command # show application status ise you can check the process of services such as ( Database listener, Database server, Application server, AD connector, EST services, Pxgrid Publisher, Passive ID Syslog services, Etc....

 

Cisco Ise certificates :

1- System certificate: which is associate with each individual node.

2- trust certificate: Which has authorized by cisco ise node.

3- OSCP certificate: This to check the certificate has been revoked.

4-Certificate periodic check: To check the certificate revocation.

5-CSR: Templet to creat signing request with the CA.

 

Integrate Cisco ISE with Active Directory  and retrieve the Groups :

Active1DD.jpg

Administrator---> Identity ---> external identity Group ---> choose AD from right list ---> connection ---> fill the name of domain controller ---> authentiacate through administrator username with fully priviledge ---> Join .

 

-Once the Active directory has successfully integrated,  start to retrieve the groups of the active directory with below steps :

Administrator---> Identity ---> external identity Group ---> choose AD from right list --->Group --->ADD ---> write domain name ---> write special group or ( * )to retrieve all AD groups ---> choose groups ---> OK

ADRet20202.JPG

NOTE: The groups are there a way to combine my AD groups with all the visibility information that I have from ISE? The location, the time, the date, and many other elements that ISE was known for in terms of visibility.

 

A quick overview of our network and how ISE fits in the enterprise network is where I have all my enterprise networks. My routers, my switches, my wireless LAN controller, anything that can authenticate or onboard our device on to the network. And with that said, on a real live network, you have multiple protocols that you work with.

 

For example,
You could use the map as authentication for devices that do not have any supplicant on them or maybe some old phones and some of this.
Or you could also use Dot1x, which is the most recommended and secure way to authenticate on the network.

Or you could use a combination of these.
For example, one of the things that are out in the field is called easy connect, what easy connect does is that it uses your MAC address for the authentication of devices onto the network, but after that, it uses ISE and the integration with the Active Directory to pull user identity.

Let's Jump to Our legend Cisco DNA-Center and how to integrate with cisco ISE, how ise will enforce the policy and  security group tag which is a key role of the game:

MICROSEGMENTATION-2.png

when the traffic comes into my network through my access infrastructure, goes anywhere in the network, I have a way to tag this traffic which is already pass authenticated level So when traffic comes in from Financial team, we're going to tag it Yellow, If traffic comes from a technical team, I'm going to tag it Green, If traffic comes from management, I'm going to tag it blue right?

And then, anywhere in the network within the SD-Access architecture, I have the ability to create that policy. So I can say, hey, My Financial team should not be talking to my technical team, but the Management team should talking to Financial team and technical team And that could be enforced on east/west on an access switch, north/south on any other element, you name it.

 

Integrate ISE and DNAC:

Connectivity-e1585326621811.jpgHow ISE and DNAC are integrated is via ERS and pxGrid. So how this works is the pxGrid functionality is used to read all of the data. The REST APIs, which is ERS, is being used to write all the data, So the reading of the data is DNAC reading these groups and policies from ISE, and DNAC can write those policies also to ISE and this will achieve through ERS, we can say It's a unidirectional relationship.

 

( Important notes )


NOTE-1: Should enable SSH services, when DNA Center and ISE are integrated there's an SSH session that's established. That SSH session is used to share the certificates. So ISE shares the certificates to DNA Center. DNA Center shares its certificate with ISE, So during their initial installation, you are able to enable SSH. So if you do not enable SSH during the initial installation, you will have to go to the CLI, to the command line, and type in "service sshd enable".

 

NOTE -2: There are multiple ports, and there's no way of configuring which specific port or choosing which specific port can be used. So just be sure that between ISE and DNAC that you allow these ports here.

 
NOTE -3:  The fully qualified domain name. That is the name that you need to use when you do the integration. So you cannot use just the hostname. It needs to be the fully qualified domain name and the reason is that this is actually the hostname that's in that certificate.

So the other services that you need to enable on ISE-- these are done after the installation is done, these are done in the GUI-- is you need to have policy service enabled. So you can have a standalone deployment that has your policy service, it has your administration, it has your pxGrid as well as SXP, or you can have multiple nodes.

 

113.JPG

 Few Steps to add cisco ISE  :

ISE01.JPG

System settings page in DNAC where we will add the AAA server. We click on an add AAA server and then we provide this information.

ISE02.JPG

 

ISE03.JPG
 

After This go to cisco ISE ---- > administrator ---> Pxgrid services ---- > All Clients ---- > check the pending request ( which is DNAC ) press approve .

 

pxGrid_ISE_and_FMC0028.jpg

wave me if you have any kind of comment and let's discuss ☺☺

Stay tuned for part ||

***** I hope that has been informative for you and thank you *****
Mohamed Alhenawy
CCIE#60453

Comments
Beginner

Thanks for sharing, It's great Post and great stuff for learning, Keep it up !!!

Thanks for sharing Mohamed. 

Content for Community-Ad