07-17-2019 05:15 AM - edited 03-02-2021 02:47 PM
These are a few tips that will help you with your first deployment of ISE. For advanced tips, please read Advanced ISE tips to make your deployment easier.
During the ISE installation you are asked to enter a username and a password for the super user account. Once entered, the installation script creates one account for the ISE GUI and one for the CLI. However, these are not the same account; the script merely creates one of each with the same credentials. Once created, you have to manage them independently. Another difference is that the CLI account is specific to each node, whereas the GUI admin account is replicated to the secondary nodes (non-primary admin nodes) in a distributed deployment. One frequent issue new ISE administrators run into is the password expiry and lockout policy. The default password expiry is 45 days and the lockout timeout is 15 minutes, for both the CLI and the GUI. Imagine you are trying to troubleshoot an access issue and cannot log in to the UI because of the lockout policy. To avoid surprises, adjust these settings as needed. Here are the default settings as of ISE 2.6 on the CLI:
ise26/admin# show running-config
Generating configuration...
!
...
!
password-policy
  lower-case-required
  upper-case-required
  digit-required
  no-username
  no-previous-password
  password-expiration-enabled
  password-expiration-days 45
  password-expiration-warning 30
  min-password-length 4
  password-lock-enabled
  password-lock-timeout 15
  password-lock-retry-count 3
!
...
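As an added example (not from the original post), the following script parses the password-policy block out of an ISE "show running-config" dump and reports which numeric settings are still at the ISE 2.6 defaults quoted above, so you can see at a glance whether expiry and lockout were ever adjusted. The sample configuration is constructed; the block layout follows the output above.

```python
import re

# ISE 2.6 defaults as printed in the running-config above (days / minutes / count)
DEFAULTS = {
    "password-expiration-days": 45,
    "password-expiration-warning": 30,
    "min-password-length": 4,
    "password-lock-timeout": 15,
    "password-lock-retry-count": 3,
}

# Constructed sample: the defaults, except min-password-length was raised to 8
SAMPLE_CONFIG = """\
ise26/admin# show running-config
!
password-policy
  lower-case-required
  upper-case-required
  digit-required
  password-expiration-enabled
  password-expiration-days 45
  password-expiration-warning 30
  min-password-length 8
  password-lock-enabled
  password-lock-timeout 15
  password-lock-retry-count 3
!
"""

def parse_password_policy(config: str) -> dict:
    """Map each keyword inside the password-policy block to its int value, or True for flags."""
    policy, inside = {}, False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "password-policy":
            inside = True
            continue
        if inside and stripped.startswith("!"):
            break  # a bare "!" ends the block
        if inside and stripped:
            m = re.fullmatch(r"([a-z-]+)(?:\s+(\d+))?", stripped)
            if m:
                policy[m.group(1)] = int(m.group(2)) if m.group(2) else True
    return policy

def still_at_default(policy: dict) -> list:
    """Numeric settings never changed from the ISE 2.6 defaults, sorted by name."""
    return sorted(k for k, v in DEFAULTS.items() if policy.get(k) == v)
```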
The matching GUI admin settings can be found at Administration > System > Admin Access:
A few suggestions, depending on your security policy:
Lastly, in case you get locked out and need to reset the password for the admin account:
For more information, please read ISE Password Recovery Mechanisms.
Browser problems can manifest in many different ways, but typical symptoms include:
Make sure to check the compatibility documents and confirm that the browser is supported for the admin GUI.
ISE ships with most best-practice settings turned on by default. These settings ensure that ISE deployments can scale up to specification. Some of the settings turned on by default suppress repeated failed and repeated successful RADIUS requests. It is important to leave them on for any sizable deployment, but they can hamper visibility into issues while you are troubleshooting the initial ISE setup. For the initial install, follow these steps so you have visibility into all authentication requests that reach ISE, regardless of their status:
Note: Once the initial pilot stage is complete and the ISE policies have been validated, make sure to set these settings back to their defaults.
ISE releases and patches do not ship with the latest profiler feed. This means that newly introduced endpoints, such as new iOS or Android devices or even new Cisco APs, may not be profiled properly right after installation. The ISE profiler feed is enabled by default to fetch updates around 1 AM in the configured timezone of the admin node, which should help reduce unknown endpoints provided ISE can reach Cisco services over the Internet. Make sure to allow ISE access to the Internet so it can download the latest feed updates. Aside from the feed update, ISE also relies on the posture update for profiling web browser user-agent strings. Unlike the feed service, the posture update is not enabled by default. To configure the posture update behavior:
The best policy is one that is easy to read. Don't put all policy rules into a single policy set or the default policy set; it makes the policy conditions complex and hard to read. Use the following table as a template and customize it for your environment.
Policy Set Name | Description | Condition | Identity Store |
--- | --- | --- | --- |
WLAN_Employee | Employee SSID, match with SSID Name | RADIUS:Called-Station-ID(30) ENDS_WITH Employee & Wireless_802.1X | All_User_ID_Store |
WLAN_Guest | Guest SSID, match with SSID Name | RADIUS:Called-Station-ID(30) ENDS_WITH Guest | Internal Endpoints |
WLAN_PSK | PSK SSID, match with SSID Name | RADIUS:Called-Station-ID(30) ENDS_WITH PSK | Internal Endpoints |
Wired_MAB | Wired MAB | Wired_MAB | Internal Endpoints |
Wired_DOT1X | Wired 802.1X | Wired_802.1X | All_User_ID_Store |
VPN_Employee | Remote Access VPN for Employee | RADIUS:NAS-Port-Type(61) EQUALS Virtual & Cisco-VPN3000:CVPN/ASA/PIX7x-Tunnel-Group-Name(146) EQUALS Employee | All_User_ID_Store |
VPN_Vendor | Remote Access VPN for Vendor | RADIUS:NAS-Port-Type(61) EQUALS Virtual & Cisco-VPN3000:CVPN/ASA/PIX7x-Tunnel-Group-Name(146) EQUALS Vendor | All_User_ID_Store |
EST | Enrollment over Secure Transport authentication for Android BYOD flow | Network Access: Device IP address EQUALS 127.0.0.1 | All_User_ID_Store |
Note: I am listing wireless access first, as wireless endpoints tend to be chattier in terms of authentication than wired endpoints. For more information on the policy construct, please read ISE Authentication and Authorization Policy Reference.
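To show why the order and specificity of the rows above matter, here is a small model of policy-set selection, added as an example and not part of the original post. Policy sets are evaluated top to bottom and the first matching condition wins; the compound library conditions (Wireless_802.1X, Wired_MAB, Wired_802.1X) are modelled on their standard ISE definitions in terms of NAS-Port-Type and Service-Type (an assumption of this example), and the RADIUS requests are constructed.

```python
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]  # RADIUS attributes of one request, keyed by attribute name

# Library conditions, modelled on the standard ISE definitions (assumption, see lead-in)
def wireless_802_1x(r: Request) -> bool:
    return r.get("NAS-Port-Type") == "Wireless - IEEE 802.11" and r.get("Service-Type") == "Framed"

def wired_mab(r: Request) -> bool:
    return r.get("NAS-Port-Type") == "Ethernet" and r.get("Service-Type") == "Call Check"

def wired_802_1x(r: Request) -> bool:
    return r.get("NAS-Port-Type") == "Ethernet" and r.get("Service-Type") == "Framed"

def ssid_ends_with(suffix: str) -> Callable[[Request], bool]:
    # A WLC sends Called-Station-ID as "<AP-MAC>:<SSID>", so ENDS_WITH matches the SSID name
    return lambda r: r.get("Called-Station-ID", "").endswith(suffix)

def vpn_tunnel_group(name: str) -> Callable[[Request], bool]:
    return lambda r: r.get("NAS-Port-Type") == "Virtual" and r.get("Tunnel-Group-Name") == name

# (policy set name, condition, identity store), in the order of the table above
POLICY_SETS: List[Tuple[str, Callable[[Request], bool], str]] = [
    ("WLAN_Employee", lambda r: ssid_ends_with("Employee")(r) and wireless_802_1x(r), "All_User_ID_Store"),
    ("WLAN_Guest", ssid_ends_with("Guest"), "Internal Endpoints"),
    ("WLAN_PSK", ssid_ends_with("PSK"), "Internal Endpoints"),
    ("Wired_MAB", wired_mab, "Internal Endpoints"),
    ("Wired_DOT1X", wired_802_1x, "All_User_ID_Store"),
    ("VPN_Employee", vpn_tunnel_group("Employee"), "All_User_ID_Store"),
    ("VPN_Vendor", vpn_tunnel_group("Vendor"), "All_User_ID_Store"),
    ("EST", lambda r: r.get("Device-IP") == "127.0.0.1", "All_User_ID_Store"),
]

def select_policy_set(r: Request) -> Optional[Tuple[str, str]]:
    """First policy set (top to bottom) whose condition matches; None means the default set."""
    for name, cond, store in POLICY_SETS:
        if cond(r):
            return name, store
    return None

# Constructed sample requests
EMPLOYEE_WIFI = {"Called-Station-ID": "00-11-22-33-44-55:Employee",
                 "NAS-Port-Type": "Wireless - IEEE 802.11", "Service-Type": "Framed"}
GUEST_WIFI = {"Called-Station-ID": "00-11-22-33-44-55:Guest",
              "NAS-Port-Type": "Wireless - IEEE 802.11", "Service-Type": "Call Check"}
# MAB on the Employee SSID: fails the Wireless_802.1X half, so it falls to the default set
EMPLOYEE_MAB = dict(EMPLOYEE_WIFI, **{"Service-Type": "Call Check"})
```

The EMPLOYEE_MAB case is the one to watch for: a request that matches the SSID but not the access type silently lands in the default policy set, which is exactly the kind of catch-all the text advises against.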
Operations > RADIUS > Live Logs
The ISE Live Logs page is where you will spend most of your time in the ISE GUI. This is where all authentication events are presented in real time. There are three distinct statuses: Auth Passed, Auth Failed, and Session.
Status | Description |
--- | --- |
Auth Passed (Green check) | Some examples of this status: ISE sent back a RADIUS ACCESS-ACCEPT as a result of the policy, successful ISE WebAuth, successful CoA, successful PAC provisioning. |
Auth Failed (Red X) | Some examples of this status: ISE sent back a RADIUS ACCESS-REJECT as a result of the policy, failed ISE WebAuth, failed CoA, failed PAC provisioning, failures due to suppression settings, unknown NAD. |
Session (Blue i) | Accompanies 'Auth Passed' and means that, in addition to the successful authentication, ISE received a RADIUS Accounting Start. As ISE receives RADIUS interim accounting updates for the session, the session time is updated and the line item moves back to the top of the Live Log. |
Operations > RADIUS > Live Sessions
While the ISE Live Logs page provides events in real time, the Live Sessions page can be used to view the sessions that ISE is maintaining at a given point in time. As noted in the Live Logs section above, sessions are successful authentication events for which ISE received a RADIUS Accounting Start. You may be wondering what happens if ISE doesn't receive a RADIUS Accounting Start from the network device for a given session. Even then, ISE maintains the session, but for a shorter duration. The 'Started' status means ISE received the accompanying RADIUS Accounting Start, whereas 'Authenticated' means ISE received a RADIUS authentication request that was successfully authenticated, but no RADIUS Accounting Start followed. For authentications with a missing Accounting Start, ISE only maintains the session for 1 hour. When ISE isn't maintaining the session, you end up with endpoints on the network that are not visible to ISE as connected endpoints; as a result ISE cannot send a CoA, which may break many of the advanced ISE use cases. Another case of 'Authenticated' is where ISE is configured with Passive ID and/or Easy Connect. In these cases, ISE learned that an AD domain user was authenticated via WMI or the AD agent, but no RADIUS accounting was received for the same endpoint IP address. There are additional session statuses, and the following table summarizes them:
Session Status | Description |
--- | --- |
Authenticated | ISE accepted the session but did not receive an Accounting Start. Aside from misconfiguration, the typical reasons to see the Authenticated status are RADIUS keepalive requests or Passive ID without a matching MAB/802.1X session. If no Accounting Start message is received, the session is removed after 1 hour. |
Started | ISE received a RADIUS Accounting Start. Unless posture is used, most sessions should show up as Started. ISE requires an interim accounting message to be sent within 5 days; if not, the session is removed. |
Postured | The endpoint has been posture checked and is compliant using the AnyConnect posture module. This status does not apply to the temporal agent, which shows up as 'Started' even when compliant. |
Authenticating & Authorized | These are legacy statuses and should not show up in a properly configured ISE deployment. |
Terminated | ISE received a RADIUS Accounting Stop. Terminated sessions are removed from the table after 15 minutes. |
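A small model of the session lifecycle described in the table above, added as an example that is not part of the original post. The expiry timers come from the table (1 hour for Authenticated, 5 days for Started, 15 minutes for Terminated); it assumes each timer runs from the last RADIUS message seen for that session, models only the Authenticated, Started and Terminated states, and uses constructed MAC addresses and timestamps in seconds.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN, HOUR, DAY = 60, 3600, 86400
# How long a session survives in each state without a further RADIUS message
# (values from the table above; measuring from the last message is an assumption)
EXPIRY = {"Authenticated": 1 * HOUR, "Started": 5 * DAY, "Terminated": 15 * MIN}

@dataclass
class Session:
    mac: str
    status: str
    last_seen: float  # timestamp of the last RADIUS message that touched this session

class SessionTable:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def on_auth_passed(self, mac: str, now: float) -> None:
        # Successful RADIUS authentication with no accounting yet -> 'Authenticated'
        self.sessions[mac] = Session(mac, "Authenticated", now)

    def on_accounting(self, mac: str, kind: str, now: float) -> None:
        s = self.sessions.get(mac)
        if s is None:
            return  # accounting for an endpoint ISE never authenticated (or already expired)
        if kind == "Start":
            s.status = "Started"       # Authenticated -> Started
        elif kind == "Stop":
            s.status = "Terminated"    # any state -> Terminated
        s.last_seen = now              # Interim-Update only refreshes the 5-day timer

    def purge(self, now: float) -> List[str]:
        """Drop sessions whose state timer ran out; return the removed MACs."""
        gone = [m for m, s in self.sessions.items() if now - s.last_seen > EXPIRY[s.status]]
        for m in gone:
            del self.sessions[m]
        return gone

    def status(self, mac: str) -> Optional[str]:
        s = self.sessions.get(mac)
        return s.status if s else None

# Constructed walk-through: two endpoints authenticate, only one sends Accounting Start
table = SessionTable()
table.on_auth_passed("aa:bb:cc:00:00:01", 0)
table.on_auth_passed("aa:bb:cc:00:00:02", 0)
table.on_accounting("aa:bb:cc:00:00:01", "Start", 10)
```

Running purge() an hour later shows the silent endpoint dropped while the Started one persists, which is the visibility loss (and lost CoA ability) the text warns about.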