ISE

  1. Personas
    1. PAN
    2. PSN
    3. MNT
    4. pxGrid
  2. Policy set
    1. Authentication policy
    2. Authorization policy
  3. Identity
    1. Identity sources
      1. Active Directory
  4. Profiling
  5. CoA
  6. Guest service
  7. Probes
  8. Wireless
    1. Mobility services engine (MSE)
  9. EAP chaining
  10. Certificate
  11. Posture
  12. Machine access restrictions (MAR)
  13. TC-NAC
  14. Passive authentication
  15. BYOD
  16. TACACS+

Personas

  • types
    1. PAN: administration
    2. PSN: policy service
    3. MNT: monitoring
    4. pxGrid
  • requirements: DNS A and PTR records for every node, certificates, NTP
  • roles
    1. standalone: all personas
    2. primary
    3. secondary
  • mode
    1. ISE node
    2. inline posture mode

PAN

  • failover is manual by default
  • automatic failover (ISE 2.x+) needs a health check node, which must be a non-PAN node that monitors the primary PAN
  • 2 units (primary and secondary)
  • primary PAN is the root CA of the internal ISE CA (self-signed root)
  • synchronizes the configuration DB to all other nodes
  • registers nodes and distributes configuration and certificate changes

PSN

  • profiling, WebAuth, posture, TC-NAC, SXP, pxGrid
  • redundancy
    • multiple PSNs: each configured as a separate RADIUS server (IP) on the NAD (IOS)
    • load balancer or anycast in front of the PSNs
    • node group
      • members exchange keepalives
      • on member failure another member issues CoA so URL-redirected sessions reauthenticate
      • direct replication between members (not via the PAN)
      • members should be in the same region (low latency)
  • issuing CA (subordinate to the PAN root)
  • up to 50 PSNs in one deployment (ISE cube)

MNT

  • 2 units
  • logs are sent to both nodes
  • autofailover, no DB sync

pxGrid

  • 2 units
  • requirements: PKI, FQDN for every node, NTP
  • components
    • subscriber: watches topic
    • publisher
    • controller: ISE
  • REST and WebSocket (pxGrid 2.0; pxGrid 1.0 used XMPP), JSON

Policy set

  • authC + authZ
  • protocol-based filtering (allowed protocols): CHAP, EAP-FAST, …

Authentication policy

  • identity source sequence: several DBs tried in order (e.g. AD + local)
  • failure types: authC failed, user not found, process failed
  • actions on failure: reject, drop (silent), continue (e.g. for WebAuth/MAB, so the session proceeds to authZ)

Authorization policy

  • types
    • standard: permanent
    • exceptions: temporary
      • global: to whole policy set
      • local: to parent only
  • enforcement:
    • dACL
    • VLAN
    • WebAuth
    • SGT
    • RADIUS VSA AV (e.g. MACsec)
  • uses RADIUS Accounting to track session activity
(config)# aaa accounting update newinfo periodic <minutes>

Identity

  • an endpoint belongs to exactly one endpoint identity group

Identity sources

  1. Microsoft Active Directory:
    • up to 50 join points (domains)
    • uses a connector that emulates a Windows host
  2. LDAP
  3. ODBC
  4. RADIUS token
  5. RSA SecurID
  6. SAML
    • ISE is SAML service provider only (e.g. portal login via an external IdP), not an IdP

Active Directory

  • requires time sync (e.g. NTP) and an account with rights to join the domain
  • manual group import
  • AD probe
    • alternative to EAP chaining for proving that a host is under corporate management
    • Windows, macOS
    • hostname-based (FQDN)
  • up to 50 join points (domains)
  • AD runtime connector (ADRT) emulates a Windows host and returns
    • AD-Host-Exists
    • AD-Join-Point
    • AD-Operating-System
    • AD-OS-Version
    • AD-Service-Pack

Profiling

  • based on policies and probes: data in the endpoint DB (MAC is the primary key; a probe supplying the IP to MAC mapping is needed before IP-based probes can contribute)
  • used in authZ
  • certainty factor (CF)
    • number
    • at least min CF must be met for profile to match
  • default: “unknown” in authZ
  • actions
    • increase CF
    • nmap (network scan)
    • exception action
      • disables engine-based check
      • static assignment
      • no reprofiling
  • a Cisco-provided profile (feed service) does not overwrite one modified by the administrator
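
How CF accumulation, the minimum CF threshold, parent/child profiles and static assignment interact, shown as an added Python example (not ISE code). Attribute names mirror ISE probe attributes (OUI, User-Agent, host-name, cdpCachePlatform); the profiles, weights and endpoint values are constructed for illustration and are not the real Cisco feed values.

```python
"""Certainty-factor profiling, an added example (not ISE code).

Each profile lists conditions on endpoint attributes; every condition that
matches adds its CF. A profile matches only when the accumulated CF reaches
its minimum CF and, for a child profile, only when the parent also matches.
The deepest, highest-scoring match wins; otherwise the endpoint stays
"Unknown". Profiles, weights and endpoints below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Condition:
    attribute: str   # endpoint attribute collected by a probe (OUI, User-Agent, ...)
    op: str          # "equals" | "contains" | "startswith"
    value: str
    cf: int          # certainty factor added when the condition matches

    def matches(self, endpoint: Dict[str, str]) -> bool:
        actual = endpoint.get(self.attribute)
        if actual is None:
            return False
        if self.op == "equals":
            return actual == self.value
        if self.op == "contains":
            return self.value in actual
        if self.op == "startswith":
            return actual.startswith(self.value)
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Profile:
    name: str
    min_cf: int
    conditions: List[Condition]
    parent: Optional[str] = None

    def score(self, endpoint: Dict[str, str]) -> int:
        return sum(c.cf for c in self.conditions if c.matches(endpoint))


def depth(profile: Profile, profiles: Dict[str, Profile]) -> int:
    d = 0
    while profile.parent is not None:
        profile = profiles[profile.parent]
        d += 1
    return d


def profile_matches(profile: Profile, endpoint: Dict[str, str], profiles: Dict[str, Profile]) -> bool:
    # A child profile can only match if its parent matches too.
    if profile.parent is not None and not profile_matches(profiles[profile.parent], endpoint, profiles):
        return False
    return profile.score(endpoint) >= profile.min_cf


def classify(endpoint: Dict[str, str], profiles: Dict[str, Profile]) -> Tuple[str, int]:
    """Return (profile name, total CF). Static assignments are never reprofiled."""
    if endpoint.get("StaticAssignment") == "true":
        return endpoint["EndPointPolicy"], 0
    best, best_key = ("Unknown", 0), (-1, -1)
    for p in profiles.values():
        if profile_matches(p, endpoint, profiles):
            key = (depth(p, profiles), p.score(endpoint))   # deeper first, then higher CF
            if key > best_key:
                best, best_key = (p.name, key[1]), key
    return best


# Constructed profile hierarchy and weights (not the real Cisco feed values).
PROFILES = {
    "Apple-Device": Profile("Apple-Device", 10, [
        Condition("OUI", "contains", "Apple", 10),
    ]),
    "Apple-iPhone": Profile("Apple-iPhone", 20, [
        Condition("User-Agent", "contains", "iPhone", 20),
        Condition("host-name", "startswith", "iPhone", 10),
    ], parent="Apple-Device"),
    "Cisco-IP-Phone": Profile("Cisco-IP-Phone", 10, [
        Condition("cdpCachePlatform", "contains", "Cisco IP Phone", 10),
        Condition("OUI", "contains", "Cisco", 5),
    ]),
}

if __name__ == "__main__":
    # Only the RADIUS probe has run: OUI from Calling-Station-Id, nothing more.
    print(classify({"OUI": "Apple, Inc."}, PROFILES))
    # HTTP and DHCP probes added User-Agent and host-name: the child profile now matches.
    print(classify({"OUI": "Apple, Inc.", "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0)",
                    "host-name": "iPhone-alice"}, PROFILES))
    # Spoofed User-Agent on a non-Apple OUI: the parent fails, so the child cannot match.
    print(classify({"OUI": "Samsung Electronics", "User-Agent": "iPhone"}, PROFILES))
```

The third call is the case to remember: a forged HTTP User-Agent alone does not promote an endpoint into a child profile, because the parent's OUI condition has to be met first; that is what makes the CF hierarchy more than a sum of weights.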

CoA

  • events
    1. for endpoint that is profiled for the first time
    2. endpoint removal
    3. authZ changed
  • off by default (global profiler CoA type is No CoA)
  • RADIUS CoA, UDP 3799 (RFC 5176 default); Cisco NADs listen on 1700 by default (aaa server radius dynamic-author), which is also the default CoA port in the ISE network device definition
  • actions:
    • port bounce
      • link down/up so the endpoint renews DHCP (e.g. after a VLAN change)
      • not performed if more than one MAC is known on the port (e.g. IP phone with a PC behind it)
    • reauth
      • same session ID
      • used e.g. on an IP phone port when a second MAC appears
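
What the PSN actually puts on the wire for the two actions above, as an added Python example (not ISE or Cisco code): an RFC 5176 CoA-Request carrying the Cisco AV pairs subscriber:command=reauthenticate (with the existing Acct-Session-Id, so the session ID is preserved) and subscriber:command=bounce-host-port, each protected by a Message-Authenticator and Request Authenticator the way the RFC specifies, plus the verification a NAD performs on receipt. The shared secret, session ID and MAC are constructed sample data; attribute numbers and AV pair strings are the standard ones.

```python
"""RFC 5176 CoA-Request builder and verifier, an added example (not ISE code).

Message-Authenticator is HMAC-MD5 over the packet with the Request Authenticator
and the attribute value both zeroed; the Request Authenticator is then
MD5(Code + ID + Length + 16 zero octets + attributes + shared secret).
Secret, session ID and MAC below are constructed sample data.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

CODE_DISCONNECT_REQUEST = 40
CODE_COA_REQUEST = 43
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # vendor type of Cisco-AVPair


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Encode Cisco-AVPair as a Vendor-Specific attribute (vendor id 9, type 1)."""
    value = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_request(code: int, identifier: int, attrs: List[bytes], secret: bytes) -> bytes:
    """Assemble a CoA/Disconnect request with both authenticators filled in."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed placeholder
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # Message-Authenticator: Request Authenticator and its own value are zero while hashing.
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Request Authenticator over the finished attributes plus the shared secret.
    request_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_auth + body


def parse_attrs(body: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset, value) for each attribute; reject malformed lengths."""
    out, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        out.append((atype, pos, body[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAD-side check: Request Authenticator and Message-Authenticator must both verify."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, request_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + bytes(16) + body + secret).digest(), request_auth):
        return False
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return False
    for atype, pos, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = body[:pos + 2] + bytes(16) + body[pos + 18:]
            expected = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # a request without Message-Authenticator is rejected


def cisco_avpairs(packet: bytes) -> List[str]:
    """Decode the Cisco-AVPair strings carried in a packet."""
    out = []
    for atype, _, value in parse_attrs(packet[20:]):
        if atype == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID) and value[4] == CISCO_AVPAIR:
            out.append(value[6:6 + value[5] - 2].decode())
    return out


def reauth_request(identifier: int, session_id: str, mac: str, secret: bytes) -> bytes:
    """CoA reauthenticate: the NAD re-runs authentication but keeps the existing session ID."""
    return build_request(CODE_COA_REQUEST, identifier, [
        attr(ATTR_ACCT_SESSION_ID, session_id.encode()),
        attr(ATTR_CALLING_STATION_ID, mac.encode()),
        cisco_avpair("subscriber:command=reauthenticate"),
        cisco_avpair("subscriber:reauthenticate-type=last"),
    ], secret)


def port_bounce_request(identifier: int, session_id: str, mac: str, secret: bytes) -> bytes:
    """CoA port bounce: link down/up so the endpoint renews DHCP in its new VLAN."""
    return build_request(CODE_COA_REQUEST, identifier, [
        attr(ATTR_ACCT_SESSION_ID, session_id.encode()),
        attr(ATTR_CALLING_STATION_ID, mac.encode()),
        cisco_avpair("subscriber:command=bounce-host-port"),
    ], secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = reauth_request(7, "0A0000010000001234ABCD", "00-11-22-33-44-55", secret)
    print(len(pkt), verify_request(pkt, secret), cisco_avpairs(pkt))
```

Note the two-step construction order: the HMAC has to be computed before the Request Authenticator because the latter covers the finished Message-Authenticator value. A NAD that only checks the Request Authenticator accepts any sender who knows the shared secret; the Message-Authenticator adds nothing against that attacker, but it does catch a proxy or middlebox that rewrites attributes.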

Guest service

  • web
    • LWA: local WebAuth
    • CWA: central WebAuth
    • requires HTTP(S) server enabled on the switch (ip http server / ip http secure-server) for the redirect
    • CWA advantages over LWA: central config, CoA, dACL, dynamic VLAN
  • portals
    • sponsor: sponsored account
    • self-registration
    • hotspot: no authC
  • authZ rule → authZ profile → redirection ACL + guest portal URL
  • after portal authC ISE sends CoA; on reauth the rule with condition Network Access:UseCase EQUALS Guest Flow matches
  • endpoint identity groups (HotSpot registers the MAC into one)
    • GuestEndPoints
    • GuestType_Daily
    • GuestType_Weekly
  • redirect ACL
    • must exclude DHCP, DNS, IP to ISE
    • IOS: permit ≡ redirect
    • WLC: deny ≡ redirect
  • Android
    • must reach Google Play (Network Setup Assistant download): allow it via DNS-based ACL on the WLC
  • iOS
    • requires Captive Network Assistant (CNA) bypass: the WLC answers the captive.apple.com probe as if Internet access were available, so the limited CNA mini-browser is not launched
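
The redirect ACL rules above (exclude DHCP, DNS and the PSN; IOS permit ≡ redirect, WLC deny ≡ redirect) are easy to get backwards when an ACL is copied between platforms. The following is an added Python example, not Cisco code: a first-match evaluator with the implicit deny, the platform-dependent interpretation, and a check that flags an ACL which would redirect the very traffic the portal flow depends on. Addresses, ports and ACL contents are constructed.

```python
"""Redirect ACL semantics on IOS vs WLC, an added example (not Cisco code).

The same entries mean opposite things: on an IOS switch a 'permit' entry
selects traffic for URL redirection and the implicit deny lets the rest
through; on an AireOS WLC 'permit' lets traffic through and everything
denied (including by the implicit deny) is redirected. check_redirect_acl()
flags an ACL that would redirect the DHCP, DNS or PSN traffic the client
needs in order to reach the portal at all. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" | "deny"
    proto: str             # "ip" | "udp" | "tcp"
    dst: str               # destination network in CIDR, or "any"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dport: int


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dst != "any" and ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == flow.dport


def first_match(acl: List[Ace], flow: Flow) -> str:
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"          # implicit deny at the end of every ACL


def is_redirected(acl: List[Ace], flow: Flow, platform: str) -> bool:
    action = first_match(acl, flow)
    if platform == "ios":
        return action == "permit"     # IOS: permit ≡ redirect
    if platform == "wlc":
        return action == "deny"       # WLC: deny ≡ redirect
    raise ValueError(f"unknown platform {platform!r}")


def essential_flows(psn_ip: str, dns_ip: str) -> Dict[str, Flow]:
    """Traffic that must never be redirected, or the portal flow cannot complete."""
    return {
        "DHCP": Flow("udp", "255.255.255.255", 67),
        "DNS": Flow("udp", dns_ip, 53),
        "PSN-portal": Flow("tcp", psn_ip, 8443),
    }


def check_redirect_acl(acl: List[Ace], platform: str, psn_ip: str, dns_ip: str) -> List[str]:
    """Return the names of essential flows the ACL would wrongly redirect."""
    return [name for name, flow in essential_flows(psn_ip, dns_ip).items()
            if is_redirected(acl, flow, platform)]


PSN, DNS = "10.1.1.10", "10.1.1.53"      # constructed addresses

# IOS style: deny what must pass untouched, permit (= redirect) web traffic.
IOS_REDIRECT_ACL = [
    Ace("deny", "udp", "any", 67), Ace("deny", "udp", "any", 68),
    Ace("deny", "udp", "any", 53), Ace("deny", "ip", f"{PSN}/32"),
    Ace("permit", "tcp", "any", 80), Ace("permit", "tcp", "any", 443),
]
# WLC style: permit what must pass; the implicit deny redirects everything else.
WLC_REDIRECT_ACL = [
    Ace("permit", "udp", "any", 67), Ace("permit", "udp", "any", 68),
    Ace("permit", "udp", "any", 53), Ace("permit", "ip", f"{PSN}/32"),
]

if __name__ == "__main__":
    web = Flow("tcp", "203.0.113.7", 80)
    print(is_redirected(IOS_REDIRECT_ACL, web, "ios"), is_redirected(WLC_REDIRECT_ACL, web, "wlc"))
    # Pasting the IOS ACL into a WLC inverts its meaning: the client can no longer
    # get an address, resolve names or reach the portal.
    print(check_redirect_acl(IOS_REDIRECT_ACL, "wlc", PSN, DNS))
    # The reverse mistake redirects the infrastructure traffic and leaves web traffic alone.
    print(check_redirect_acl(WLC_REDIRECT_ACL, "ios", PSN, DNS))
```

Both copy-paste mistakes fail the check, but they fail differently: the IOS ACL on a WLC redirects DHCP, DNS and the PSN while still redirecting web traffic, so the client sees a portal it can never finish; the WLC ACL on IOS redirects the infrastructure traffic and, because nothing is permitted for ports 80/443, never redirects a browser at all.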

Probes

  • types
    • RADIUS
      • AV pairs: Calling-Station-ID (MAC), Framed-IP-Address (IP to MAC mapping)
      • can trigger the SNMPQUERY probe
    • device sensor
      • via RADIUS Accounting
      • CDP, LLDP, DHCP (DHCP snooping DB)
    • SNMP sensor
      • trap: link up/down event
      • query: needed together with trap (a trap only triggers a query of the switch)
    • DHCP probe
      • OS fingerprint from DHCP options (dhcp-class-identifier, option 55 parameter request list); User-Agent belongs to the HTTP probe
      • fed via ip helper-address on the gateway (DHCP probe) or via SPAN (DHCPSPAN probe, higher load on the PSN); ip forward-protocol may need tuning
    • HTTP
      • OS discovery
      • passive: HTTP seen by ISE itself (e.g. captive portal hits) or via SPAN (ideally filtered to HTTP)
    • DNS
      • FQDN by IP
    • AD
      • whether under corporate management
      • ADRT on hostname (received from DHCP or DNS probe)
    • NetFlow
      • NetFlow v9
      • IoT
    • nmap
      • the only active probe
      • optional SMB discovery and McAfee ePolicy Orchestrator agent check
      • can run an SNMP query against the endpoint when UDP 161 is open
    • endpoint probe
      • uses WMI to check whether the user is still logged on (passive identity)
      • logoff detection
  • endpoint DB uses MAC as primary key
(config)# device-sensor accounting
(config)# device-sensor notify all-changes
; which fields to include: define a list per protocol (option/tlv entries under the list), then reference it
(config)# device-sensor filter-list {dhcp | cdp | lldp} list <LST>
(config)# device-sensor filter-spec {dhcp | cdp | lldp} include list <LST>

Wireless

  • MAC filtering on the WLAN for MAB and WebAuth
  • disable DHCP proxy on the WLC if the DHCP probe is used (use ip helper-address on the gateway SVI on the switch instead)

Mobility services engine (MSE)

  • tracks Wi-Fi client location to use it for authZ

EAP chaining

  • EAP-FAST + PAC (protected access credential, comparable to a PSK)
  • device and user authC in a single EAP session
  • Windows + AnyConnect NAM
  • phases
    1. PAC provisioning: anonymous (unauthenticated Diffie-Hellman) or authenticated (server certificate, PKI)
    2. TLS tunnel established using the PAC (client sends PAC-Opaque, tunnel keyed by the PAC-Key) or a server certificate
    3. inner authC: EAP-GTC, EAP-TLS, EAP-MSCHAPv2
  • condition: Network Access:EapChainingResult holds the combined result (e.g. User and machine both succeeded); Network Access:EapTunnel EQUALS EAP-FAST identifies the tunnel

Certificate

  • usages: one certificate can carry several usages (1:n)
    1. admin: mgmt
    2. EAP: TLS
    3. portal: BYOD
    4. pxGrid
    5. SAML: SSO with external provider
  • PAN ≡ root CA, PSN ≡ subordinate CA
  • ISE CA supports ECC

Posture

  • Apex license
  • HostScan: ASA VPN only
    • verifies AV, service pack, patches, services, watermark (a file or registry marker identifying a corporate asset)
  • posture trigger: the authZ policy references the posture status (Session:PostureStatus)
  • redirect URL
    • created by the PSN that processes the request
    • switch intercepts the TCP SYN, completes the handshake and replies with HTTP 302 Redirect
    • requires HTTP(S) server on the switch (ip http server / ip http secure-server) to redirect agent traffic
  • posture flow
    1. host connects to network
    2. host matches “posture-unknown” authZ policy
    3. host is allowed basic connectivity
    4. posture agent sends posture data to the PSN over TLS on TCP 8905
    5. ISE issues CoA, if necessary
  • ISE discovery by AnyConnect:
    • CallHomeList option in the AnyConnect ISE Posture profile
    • the profile is provisioned together with AnyConnect after URL redirect to the Client Provisioning portal
    • PSN list
    • discovery flow:
      1. HTTP GET /auth/ng-discovery to each PSN in CallHomeList (profile option)
      2. HTTP GET /auth/ng-discovery to the PSNs stored in ConnectionData.xml (previously used)
      3. HTTP GET /auth/discovery to the default gateway
      4. HTTP GET /auth/discovery to enroll.cisco.com
        • over VPN the FQDN must be routable through the tunnel so the redirect can be triggered
      5. HTTP GET /auth/discovery to DiscoveryHost
        • option in the AnyConnect profile
        • any IP/FQDN beyond the default gateway, so that the request hits the URL redirection to the Provisioning portal
        • not a PSN
      6. HTTP GET /auth/status to previously known PSN
  • posture profile must be downloaded from ISE, not created manually, because it carries ISE's public key
  • posture requirement: binds a condition to a remediation action
  • Posture policy:
    • all policy entries that match are processed (not first-match)
    • marks requirements as mandatory or optional

Machine access restrictions (MAR)

  • combines machine authC and user authC for authZ
  • caches MACs that passed machine authC and checks the user session against this cache at authZ (condition Network Access:WasMachineAuthenticated)
  • cache persistence ≡ survives reload
  • cache distribution ≡ cache replica to other PSN in node group

TC-NAC

  • Threat-Centric NAC: vulnerability scan results from Tenable, Qualys or Rapid7 feed authZ

Passive authentication

  • AD integration via WMI to learn user logins and their IPs from the DC security log: publisher/subscriber model
  • EasyConnect
    • authZ without 802.1x supplicant
    • MAB + passive identity
    • only for AD-joined hosts
    • based on user login events, not machine login
  • passive identity tracking in authZ profile
  • configuring WMI on the domain controller
    1. registry change
    2. DCOM permissions
    3. enable remote WMI access
    4. add the AD user to the groups Event Log Readers and Distributed COM Users
    5. firewall rules allowing ISE to reach the DC
  • logoff detection
    • sequence
      1. endpoint probe
      2. if WMI does not respond, ISE logs in to the endpoint with the AD admin credentials and enables WMI
      3. if endpoint is not in the network or another user is active – clear session
    • detects stale sessions (e.g. sleep in lieu of logoff)
    • refreshes reverse DNS every 4h

BYOD

  • OS:
    • Windows, macOS
      • agent-based provisioning (agent downloaded from the portal)
    • iOS
      • over-the-air (OTA) provision
      • checks Internet reachability via captive.apple.com; if that fails it launches the limited Captive Network Assistant (CNA) browser
    • Android
      • Cisco Network Setup Assistant from Google Play
  • provisioning
    • certificate installation
    • supplicant setup
    • native supplicant profile (NSP)
  • SCEP registration authority profile → certificate template → NSP → client provisioning rule ← provisioning agent

TACACS+

  • requires at least 100 Base licenses plus one Device Administration license per PSN running TACACS+