cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

Tips for New ISE administrators

1427
Views
20
Helpful
0
Comments

These are few tips that will help you with your first deployment of ISE. For advanced tips, please read Advanced ISE tips to make your deployment easier

 

Don’t get locked out of the system

During the ISE installation you are asked to enter a username and a password for the super user account. Once entered, the ISE installation script adds an account for the ISE GUI and the CLI. However, these two accounts are not the same account, the installation script is merely creating one of each with same credential during the installation. Once added, you will have to manage them independently. Another difference between the accounts is that the CLI account is specific to each node, whereas the GUI admin account is replicated to the secondary nodes (Non primary admin node) in a distributed deployment. One frequent issue new ISE administrators run into is with password expiry and the lock out policy. The default password expiry is set to 45 days and the lock out timeout is for 15 minutes for both the CLI and the GUI. Imagine you are trying to troubleshoot the access issue and you can’t login to the UI due to lock out policy. To avoid surprises, adjust these settings as needed. Here are the default settings as of ISE 2.6 on the CLI:

ise26/admin# show running-config
Generating configuration...
!
...
!
password-policy
lower-case-required
upper-case-required
digit-required
no-username
no-previous-password
password-expiration-enabled
password-expiration-days 45
password-expiration-warning 30
min-password-length 4
password-lock-enabled
password-lock-timeout 15
password-lock-retry-count 3
!
...

Matching GUI admin settings can be located at Administration > System > Admin Access:

  • Authentication > Password Policy
  • Authentication > Account Disable Policy
  • Authentication > Lock/Suspend Settings

Few suggestions depending on your security policy:

  • Create alternate super admin account for both CLI and GUI
  • Use longer password expiry period than default
  • Use shorter lock out period than default

Lastly, in case you get locked out and need to reset the password for the admin account.

  • GUI: run 'application reset-passwd ise admin' from the exec mode CLI
  • CLI: Use ISE install ISO disk or image to boot the system and select option 3 or 4 which reads 'System Utilities' or 'Recover administrator password' depending on the version of the boot image and follow the steps.

For more information please read ISE Password Recovery Mechanisms

 

Enable full visibility

ISE is shipped with most of best practices settings turned on by default. These settings ensure that ISE deployments can scale up to the specification. Some of the settings that are turned on by default are for suppressing repeated failed and repeated successful RADIUS requests. It is important to leave these settings on for any sizable deployment, but these settings could hamper visibility into the issues when you are trying to troubleshoot the initial ISE setup. For initial install, follow these steps so you have visibility into all the authentication requests that reaches ISE regardless of their status:

  1. Go to Administration > System > Settings
  2. On the left-hand-side of the screen, click Protocols > RADIUS
  3. Uncheck ‘Suppress repeated failed clients
  4. Uncheck ‘Suppress repeated successful authentications
  5. Check 'Disclose invalid usernames' (This setting reveals username for bad password events. Depending on the version of ISE and patch it may only be set temporarily)

Screen Shot 2019-07-17 at 7.14.03 AM.png

Note: Once the initial pilot stage is complete and ISE policies have been validated, make sure to turn these settings back to default

 

Creating first policy set

Best policy is one that is easy to read. Don’t put all policy rules into single or default policy set, it will make the policy conditions complex and hard to read. Use following table as template and customize it for your environment.

Policy Set Name Description Condition Identity Store
WLAN_Employee Employee SSID, match with SSID Name RADIUS:Called-Station-ID(30) ENDS_WITH Employee & Wireless_802.1X All_User_ID_Store
WLAN_Guest Guest SSID, match with SSID Name RADIUS:Called-Station-ID(30) ENDS_WITH Guest Internal Endpoints
WLAN_PSK PSK SSID, match with SSID Name RADIUS:Called-Station-ID(30) ENDS_WITH PSK Internal Endpoints
Wired_MAB Wired MAB Wired_MAB Internal Endpoints
Wired_DOT1X Wired 802.1X Wired_802.1X All_User_ID_Store
VPN_Employee Remote Access VPN for Employee RADIUS:NAS-Port-Type(61) EQUALS Virtual & Cisco-VPN3000:CVPN/ASA/PIX7x-Tunnel-Group-Name(146) EQUALS Employee All_User_ID_Store
VPN_Vendor Remote Access VPN for Vendor RADIUS:NAS-Port-Type(61) EQUALS Virtual & Cisco-VPN3000:CVPN/ASA/PIX7x-Tunnel-Group-Name(146) EQUALS Vendor All_User_ID_Store
EST Enrollment over Secure Transport authentication for Android BYOD flow Network Access: Device IP address EQUALS 127.0.0.1 All_User_ID_Store

Note: I am listing wireless access first as wireless endpoints tend to be chatty in terms of authentication compared to wired access. For more information on the policy construct please read ISE Authentication and Authorization Policy Reference

 

Understanding ISE Live Logs status

Operations > RADIUS > Live Logs

Screen Shot 2019-07-18 at 5.30.39 PM.png

ISE Live Logs page is where you will be spending most of your time within the ISE GUI. This is where all authentication events are presented in real time. There are 3 distinct status; Auth Passed, Auth Failed, and Session. 

Auth Passed (Green check) Some examples of such status: ISE sent back RADIUS ACCESS-ACCEPT as result of the policy, successful ISE WebAuth, successful CoA, successful PAC provisioning.
Auth Failed (Red X) Some examples of such status: ISE sent back RADIUS ACCESS-REJECT as result of policy, failed ISE WebAuth, failed CoA, failed PAC provisioning, due to suppression settings, unknown NAD.
Session (Blue i) Accompanied by ‘Auth Passed’ and it means in addition to Auth Passed, ISE received RADIUS Accounting Start. As ISE receives RADIUS accounting update for the session, the time for the session is updated via interim accounting update and the line item balloons up to the top of the Live Log.

 

Understanding ISE Live Sessions status

Operations > RADIUS > Live Sessions

Screen Shot 2019-07-18 at 5.07.10 PM.png

While ISE Live Logs page provide events in real time, Live Sessions page can be used to view sessions that ISE is maintaining at given point in time. As noted in the ISE Live Logs section above, sessions are successful authentication event that ISE received RADIUS accounting Start for. You may be wondering what happens if ISE doesn’t receive RADIUS accounting start from the network device for a give session? Even if ISE doesn’t receive RADIUS accounting start, ISE will maintain it, but for shorter duration. ‘Started’ status means ISE received accompanying RADIUS accounting start whereas ‘Authenticated’ status means ISE received RADIUS authentication request that was successfully authenticated, but there was no RADIUS accounting start. For authentications with missing RADIUS accounting start, ISE only maintains session for 1 hour. When ISE isn’t maintaining the session, you end up with endpoints on the network but is not visible to ISE as connected endpoint as such ISE cannot send CoA which may break many of the advanced ISE use cases. Another case of ‘Authenticated’ is where ISE is configured with passive ID and/or Easy Connect. In these cases, ISE learned that a AD domain user was authenticated via WMI or AD agent but there were no RADIUS accounting received related to the same endpoint IP address. There are additional session status and following table summarizes the different session status:

Authenticated ISE accepted the session, but did not receive accounting start. Aside from misconfiguration, typical reason to see Authenticated status is for RADIUS keepalive requests or passive ID without matching MAB/802.1X sessions. If no accounting start message is received, the session will be removed after 1 hour.
Started ISE received RADIUS accounting start. Unless posture is used, most of the sessions should show up as Started. ISE requires interim accounting message to be sent within 5 days, if not the session will be removed.
Postured The endpoint has been posture checked and compliant using the AnyConnect posture module. This status is not applicable for temporal agent which shows up as 'Started' even when compliant.
Authenticating & Authorized These are legacy status and should not show up on a properly configured ISE deployment.
Terminated ISE received RADIUS accounting stop. Terminated session will be removed from the table after 15 minutes.