This post is going to be focused on the rest of the initial configurations that I like to tweak on ISE as I'm setting it up and that don't warrant their own post. I'll go through some of the optimizations and configurations I like to set as well as try to explain why I do so.
In my lab, I have only one ISE node so it also acts as my Policy Services Node (PSN) in my deployment. In production or in a network, you would typically want to configure what kind of profiling your PSNs will accept. ISE will give you the option to configure one or any of the following probes:
Each probe will provide additional information about an endpoint. In a production deployment, depending on how large and how distributed your ISE deployment is, you probably won't have every probe turned on, because you don't want to send a lot of profiling traffic over the WAN if it's not needed.
To enable an interface of your ISE PSN to accept probes, navigate to Administration>System>Deployment and click on the hostname of your PSN. Under the Edit Node window, navigate to the Profiling Configuration tab. Here you can check a box next to each probe type and choose an interface and port to accept these probes. Typically, I like to configure the following probes:
For more details about each type of probe and to determine which ones would be beneficial to your environment, click here.
After you have completed your profiling configuration on your nodes, click Save.
The next thing that you should be aware of is how to add patches to ISE. ISE patches are cumulative so the latest patch should include the fixes in previous patches. If there is a patch that you need to install from Cisco.com, navigate to Administration>System>Maintenance>Patch Management and install the patch. After a successful installation, ISE should restart its services and you should be able to re-login without issue.
If you would like to create or schedule regular backups with ISE, you first need to create a Repository. In the Administration>System>Maintenance>Repository page, click Add to create a new Repository. After you have created the Repository, you may create either an operational or configuration backup of ISE by navigating to Administration>System>Backup & Restore.
While it might not be important in a lab environment, most prefer to be able to login to the ISE admin portal using AD credentials instead of local credentials. In order to configure this, navigate to Administration>System>Admin Access>Authentication and in the Identity Source drop-down, choose your AD server and click Save.
Then navigate to Administration>System>Admin Access>Administrators>Admin Groups and choose to create a new group. Check the box for External and in the External Groups drop-down, choose the Domain Admins group (or whatever other group you prefer). Click Submit.
Navigate to Administration>System>Admin Access>Authorization>Policy and click the gear sign next to any policy and choose Insert Policy. Give the policy a friendly name. Under the Admin Group field, choose the admin group you just created and the appropriate permissions under the Permissions field. In my case, I'm giving the Domain Admins group access as a Super-Admin to give anyone part of that AD group full access to ISE:
After saving this RBAC policy, you can test it out by signing out of your ISE Admin portal and logging back in using the identity source. In the event that your AD server is not reachable, you can still login using the local login credentials by changing the identity source in the new Identity Source drop-down on the login page:
Another good thing to note is that there is a default Help-Desk Menu Access permission that gives read-only access to certain menus in ISE. To reduce the administrative overhead of ISE, I would consider it a best practice to give your help desk staff this permission and train them on how to read the RADIUS Livelog. That way your help desk could resolve issues like incorrect passwords or EAP timeouts without escalating them to your network or security team thinking there is an issue with ISE. It makes the day-to-day management of ISE easier and more seamless as well as creating a better user experience for all.
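To show what that help-desk triage of the RADIUS Livelog looks like in practice, here is an added example (my own, not part of the original post or Cisco's tooling). It parses a handful of constructed livelog-style records and sorts each failure into something the help desk can handle (wrong password, EAP timeout) versus something to escalate, and it also flags identities with repeated wrong-password failures, since those users are likely hitting an AD lockout rather than an ISE problem. The pipe-delimited record layout and the failure-reason codes and wording are assumptions modelled on the livelog; verify them against your own ISE version before relying on the patterns.

```python
"""Triage constructed ISE RADIUS Livelog records: help desk vs. escalation.

Added example, not from the original post. Record layout, reason codes and
reason text are assumptions modelled on the ISE livelog; verify locally.
"""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed sample records (not real ISE output), one per line:
# timestamp | status | identity | endpoint MAC | NAS | failure reason
SAMPLE_LIVELOG = """\
2016-03-01 09:01:12 | Fail | jdoe | 00:11:22:33:44:55 | sw-access-01 | 24408 User authentication against Active Directory failed since user has entered the wrong password
2016-03-01 09:01:40 | Fail | 00:aa:bb:cc:dd:ee | 00:aa:bb:cc:dd:ee | sw-access-01 | 5411 Supplicant stopped responding to ISE during EAP-TLS certificate exchange
2016-03-01 09:02:05 | Pass | asmith | 00:11:22:33:44:66 | sw-access-02 |
2016-03-01 09:02:30 | Fail | jdoe | 00:11:22:33:44:55 | sw-access-01 | 24408 User authentication against Active Directory failed since user has entered the wrong password
2016-03-01 09:03:10 | Fail | printer-07 | 00:de:ad:be:ef:01 | sw-access-03 | 15039 Rejected per authorization profile
2016-03-01 09:03:55 | Fail | jdoe | 00:11:22:33:44:55 | sw-access-01 | 24408 User authentication against Active Directory failed since user has entered the wrong password
2016-03-01 09:04:20 | Fail | host/lap42 | 00:11:22:33:44:77 | sw-access-02 | 12508 EAP-TLS handshake failed
"""


@dataclass
class Record:
    timestamp: str
    status: str
    identity: str
    mac: str
    nas: str
    reason: str


def parse_livelog(text):
    """Split the constructed pipe-delimited lines into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            raise ValueError(f"unexpected field count in line: {line!r}")
        records.append(Record(*fields))
    return records


# (pattern, category, owner): first match wins. Patterns are assumptions
# about the failure-reason wording; extend them for your environment.
TRIAGE_RULES = [
    (re.compile(r"wrong password", re.I), "wrong-password", "help-desk"),
    (re.compile(r"supplicant stopped responding|abandoned eap session", re.I),
     "eap-timeout", "help-desk"),
]


def triage(record):
    """Classify one record as (category, owner). Passes need no action."""
    if record.status.lower() == "pass":
        return ("ok", "none")
    for pattern, category, owner in TRIAGE_RULES:
        if pattern.search(record.reason):
            return (category, owner)
    # Anything else (authz rejects, cert/handshake problems) goes to the
    # network or security team, since it may be a policy or PKI issue.
    return ("other", "network-security")


def summarize(records, lockout_threshold=3):
    """Count records per (category, owner) and flag likely AD lockouts."""
    counts = Counter()
    wrong_pw_by_identity = Counter()
    for r in records:
        category, owner = triage(r)
        counts[(category, owner)] += 1
        if category == "wrong-password":
            wrong_pw_by_identity[r.identity] += 1
    likely_lockouts = sorted(
        ident for ident, n in wrong_pw_by_identity.items() if n >= lockout_threshold
    )
    return {"counts": dict(counts), "likely_lockouts": likely_lockouts}


if __name__ == "__main__":
    recs = parse_livelog(SAMPLE_LIVELOG)
    for r in recs:
        print(r.timestamp, r.identity, *triage(r))
    print(summarize(recs))
```

The point of the owner column is the hand-off the post describes: everything tagged help-desk can be closed by resetting a password or fixing the supplicant, while authorization rejects and TLS handshake failures are the ones worth escalating. The lockout threshold of three is an arbitrary default; match it to your AD account lockout policy.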
The next setting I would adjust in ISE is the Profiler setting. Navigate to Administration>System>Settings>Profiling and make sure that the CoA Type drop-down is set to Reauth. The profiler will implement the CoA in the following cases:
- Static assignment of an endpoint
- An exception action is configured (important for remediation tasks later)
- An endpoint is profiled for the first time
- An endpoint is deleted
- Profiles updated for the endpoint
One thing to note: You don't have to change this if you don't want to. You might not want this in a large environment.
I would also recommend changing the SNMP strings to something that makes more sense to you since the default is public which I assume no one is using in production (I hope!).
For the purposes of this lab, we won't enable the Endpoint Attribute Filter because it's not needed for a lab this small. In a production environment, you might want to filter certain attributes to save on performance:
Next, navigate to Administration>System>Settings>Protocols>RADIUS and uncheck the Suppress Anomalous Clients box. This option is useful for troubleshooting if needed later on:
For the sake of making it easier to build my policy sets and making it more logical, I like to enable Policy Sets. By default, this is disabled. Without it enabled, you have a page for Authentication Policy and another for Authorization Policy. You would have to create your rules for each in both those places and the logic to create policies gets a little trickier. With Policy Sets enabled, it gives you the ability to logically group authentication and authorization policies within the same logical identity. It also makes reading and troubleshooting the policy much easier. In this blog, I will be using Policy Sets. To enable this feature so you can follow along with my policy creation more easily, navigate to Administration>System>Settings>Policy Sets and choose the radio button for Enabled:
If you have a proxy server in your environment and ISE will need to pass through it to get to the internet, configure it by navigating to Administration>System>Settings>Proxy.
If you would like to configure ISE to send mail, configure the SMTP server by navigating to Administration>System>Settings>SMTP Server. ISE can use SMTP to send text messages and emails to guests to give them their credentials as well as to send alerts to the administrator.
To enable automatic updates for posture updates in ISE, navigate to Administration>System>Settings>Posture>Updates and check the box next to Automatically check for updates starting from initial delay and click Save. Optionally, you may manually start a download as well:
Optionally, if you would like to add an MSE instance to your ISE deployment so you can create policies based on location services, you may navigate to Administration>Network Resources>Location Services and click Add:
In order to continuously get updated profiles, I like to enable the Profiler Feed Service so I can regularly get downloads to any new profiles. To enable this service, navigate to Administration>Feed Service and check the box next to Enable Profiler Feed Service. Click Save when done:
Before I finish up this post, one awesome page I really like in ISE 2.0 that I would like to call attention to is the Endpoints page. This page will be really useful down the road while profiling or just checking what's on your network. In ISE 2.1, it's been replaced by Context Visibility which I have to admit is even better. In ISE 2.0, you can navigate there by going to Administration>Identity Management>Endpoints:
On the Endpoints page, you can click on the host to drill down to view the attribute information that was collected by ISE for this particular endpoint. Depending on the probes configured, this list could provide a lot of detail. If this is an endpoint that doesn't match a profile and you would like to create a profile, you would use the information from this attribute list to create a custom profile. We will drill down into profile configuration in a later post but I wanted to call attention to it here:
With that, I'm going to wrap up this blog post. Thanks for checking this page out and feel free to leave any comments!