- Personas
- PAN
- PSN
- MNT
- pxGrid
- Policy set
- Authentication policy
- Authorization policy
- Identity
- Identity sources
- Active Directory
- Profiling
- CoA
- Guest service
- Probes
- Wireless
- Mobility services engine (MSE)
- EAP chaining
- Certificate
- Posture
- Machine access restrictions (MAR)
- TC-NAC
- Passive authentication
- BYOD
- TACACS+
Personas
- types
  - PAN: administration
  - PSN: policy service
  - MNT: monitoring
  - pxGrid
- requirements: DNS A, DNS PTR, certificates, NTP
- roles
  - standalone: all personas
  - primary
  - secondary
- mode
  - ISE node
  - inline posture mode
PAN
- manual failover only
- automatic failover – after signal from non-PAN health monitor unit
- 2 units
- root CA for self-signed certificates
- synchronizes DB between other nodes
- registers changes and certificates
PSN
- profiling, WebAuth, Posture, TC-NAC, SXP, pxGrid
- redundancy
  - different PSN: different IPs in IOS config
  - load-balancing, anycast
- node group
  - exchange keepalives
  - on failover – CoA for reauthC
  - direct DB replication
  - same georegion
- issuing CA
- up to 50 nodes in ISE cube
MNT
- 2 units
- logs are sent to both nodes
- autofailover, no DB sync
pxGrid
- 2 units
- requirements: PKI, FQDN for every node, NTP
- components
  - subscriber: watches topic
  - publisher
  - controller: ISE
- REST, WebSockets (pxGrid 2; legacy – XMPP), JSON
Policy set
- authC + authZ
- protocol-based filtering: CHAP, EAP-FAST, …
Authentication policy
- identity source sequence: several DBs (e.g. AD + local)
- failure: authC failed, user not found, process failed
- actions on fail: reject, drop (silent), continue (for WebAuth)
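An added example (not part of these notes) modelling how an authentication rule walks an identity source sequence and then applies its failure actions; the stores, users and MAC addresses are constructed for the example.

```python
# Added example, not from the notes: a model of how an authentication rule walks
# an identity source sequence and then applies its failure actions. A store that
# does not know the identity hands over to the next store; a wrong credential
# or a store error ends the sequence. The stores and users are constructed.

SUCCESS, AUTH_FAILED, USER_NOT_FOUND, PROCESS_FAILED = (
    "Success", "AuthFailed", "UserNotFound", "ProcessFailed")
ACTIONS = {"reject": "Access-Reject", "drop": "Drop", "continue": "Continue"}

def run_sequence(identity, stores):
    """Query stores in order; returns (store name or None, outcome)."""
    outcome = USER_NOT_FOUND
    for name, lookup in stores:
        outcome = lookup(identity)
        if outcome != USER_NOT_FOUND:       # only "user not found" moves on
            return name, outcome
    return None, outcome

def authenticate(identity, stores, on_fail):
    """Apply the rule's per-failure action; 'Continue' lets the request reach
    the authorization policy without a valid identity (used for WebAuth)."""
    store, outcome = run_sequence(identity, stores)
    if outcome == SUCCESS:
        return "Access-Accept", store
    return ACTIONS[on_fail[outcome]], store

# Constructed stores: Active Directory first, then the internal endpoint DB
def ad_store(identity):
    users = {"alice": "correct", "bob": "wrong-password"}   # constructed
    if identity not in users:
        return USER_NOT_FOUND
    return SUCCESS if users[identity] == "correct" else AUTH_FAILED

def internal_endpoints(identity):
    return SUCCESS if identity in {"00:11:22:33:44:55"} else USER_NOT_FOUND

def down_store(identity):
    return PROCESS_FAILED                 # store unreachable: process failed

AD_THEN_INTERNAL = [("AD", ad_store), ("Internal Endpoints", internal_endpoints)]
# 802.1X rule: every failure is a reject, a broken store is dropped silently
DOT1X_FAIL = {AUTH_FAILED: "reject", USER_NOT_FOUND: "reject", PROCESS_FAILED: "drop"}
# MAB rule feeding CWA: an unknown MAC continues to authorization for the redirect
MAB_FAIL = {AUTH_FAILED: "reject", USER_NOT_FOUND: "continue", PROCESS_FAILED: "drop"}
```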
Authorization policy
- types
  - standard: permanent
  - exceptions: temporary
    - global: to whole policy set
    - local: to parent only
- enforcement:
  - dACL
  - VLAN
  - WebAuth
  - SGT
  - RADIUS VSA AV (e.g. MACsec)
- uses RADIUS Accounting to track session activity
  (config)# aaa accounting update newinfo periodic <minutes>
Identity
- can be only in one identity group
Identity sources
- Microsoft Active Directory:
  - up to 50 domains
  - uses connector that emulates Windows host
- LDAP
- ODBC
- RADIUS token
- RSA SecurID
- SAML
  - service provider only (e.g. WebAuth), not IdP
Active Directory
- requires time match (e.g. NTP), super user account
- manual group import
- AD probe
  - alternative to EAP-chaining
  - Windows, MacOS
  - hostname-based (FQDN)
- up to 50 domains
- AD runtime connector (ADRT) emulates Windows host
  - AD-Host-Exists
  - AD-Join-Point
  - AD-Operating-System
  - AD-OS-Version
  - AD-Service-Pack
Profiling
- based on policy and probe: data from endpoint DB (MAC – key, probe needed for IP-MAC mapping)
- used in authZ
- certainty factor (CF)
  - number
  - at least min CF must be met for profile to match
  - default: “unknown” in authZ
- actions
  - increase CF
  - nmap (network scan)
  - exception action
- disables engine-based check
- static assignment
  - no reprofiling
- Cisco Provided profile does not overwrite Administrator modified
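An added example (not part of these notes) modelling profile selection by certainty factor: matched conditions add their CF, a policy applies only when its minimum CF is reached, and a statically assigned endpoint is never re-profiled. Policy names, attribute names and CF values are constructed.

```python
# Added example, not from the notes: a model of profile selection by certainty
# factor (CF). Each profiler policy carries conditions with a CF; the CFs of the
# conditions an endpoint satisfies are summed, and the policy matches only when
# the sum reaches its minimum CF, otherwise the endpoint stays "Unknown". A
# statically assigned endpoint is never re-profiled. Attribute names and CF
# values are constructed for the example.

from dataclasses import dataclass

@dataclass
class ProfilerPolicy:
    name: str
    min_cf: int
    conditions: list            # (attribute, expected value, CF) tuples

@dataclass
class Endpoint:
    mac: str                    # primary key of the endpoint DB
    attributes: dict            # attributes collected by probes
    static_profile: str = None  # "static assignment": disables reprofiling

def score(policy, attributes):
    """Sum the CF of every condition the probe data satisfies."""
    return sum(cf for attr, value, cf in policy.conditions
               if attributes.get(attr) == value)

def profile(endpoint, policies):
    """Return (profile name, CF): the highest-CF policy whose min CF is met,
    or ("Unknown", 0); a static assignment wins without re-profiling."""
    if endpoint.static_profile:
        return endpoint.static_profile, None
    best = ("Unknown", 0)
    for policy in policies:
        total = score(policy, endpoint.attributes)
        if total >= policy.min_cf and total > best[1]:
            best = (policy.name, total)
    return best

# Constructed policies: a CDP platform string is strong evidence for a phone,
# an OUI alone is too weak to classify a workstation
POLICIES = [
    ProfilerPolicy("Cisco-IP-Phone", 20, [
        ("cdpCachePlatform", "Cisco IP Phone", 20),
        ("dhcp-class-identifier", "Cisco Systems, Inc. IP Phone", 10)]),
    ProfilerPolicy("Windows-Workstation", 30, [
        ("OUI", "Intel Corporate", 10),
        ("dhcp-parameter-request-list", "1,3,6,15,31,33,43,44,46,47,121,249,252", 20),
        ("User-Agent", "Windows NT", 30)]),
]
```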
CoA
- events
  - for endpoint that is profiled for the first time
  - endpoint removal
  - authZ changed
- off default
- UDP 3799
- actions:
  - port bounce
    - not performed if several MACs are known through the port
  - reauth
    - same session ID
    - for IP phone when second MAC appears
Guest service
- web
  - LWA: local WebAuth
  - CWA: central WebAuth
    - requires HTTP(S) server to be enabled on switch to redirect
  - CWA vs LWA: central config, CoA, dACL, dynamic VLAN
- portals
  - sponsor: sponsored account
  - self-registration
  - hotspot: no authC
- authZ rule → profile → redirection ACL + guest portal URL
  - after authC – reauth and condition Network Access:UseCase = GuestFlow
- groups: needed for HotSpot
  - GuestEndPoints
  - GuestType_Daily
  - GuestType_Weekly
- redirect ACL
  - must exclude DHCP, DNS, IP to ISE
  - IOS: permit ≡ redirect
  - WLC: deny ≡ redirect
- Android
  - must have access to Google Play: via DNS-based ACL
- iOS
  - requires Captive Network Assistant bypass: pretends that there is Internet access
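An added example (not part of these notes) that checks a CWA redirect ACL against the two rules above: on IOS a permit ACE redirects while on the WLC a deny ACE redirects, and DHCP, DNS and traffic to ISE must never be redirected. The ACL text, addresses and ports are constructed; the parser handles only a small ACE subset.

```python
# Added example, not from the notes: a checker for a CWA redirect ACL. The notes
# state that on IOS a "permit" ACE means "redirect", on the WLC a "deny" ACE means
# "redirect", and that DHCP, DNS and traffic to ISE must never be redirected.
# The ACL text, addresses and ports below are constructed.

PORTS = {"bootps": 67, "domain": 53, "www": 80}

# IOS style: deny = leave alone, permit = send to the portal (constructed)
IOS_REDIRECT_ACL = """
deny udp any any eq bootps
deny udp any any eq domain
deny ip any host 10.0.0.10
permit tcp any any eq www
"""

def parse_acl(text):
    """Minimal ACE subset: <permit|deny> <proto> <src> <dst> [eq <port>],
    where src/dst is 'any' or 'host <ip>'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, i, addrs = t[0], t[1], 2, []
        for _ in range(2):                  # source, then destination
            if t[i] == "any":
                addrs.append(None)
                i += 1
            else:                           # 'host <ip>'
                addrs.append(t[i + 1])
                i += 2
        dport = int(PORTS.get(t[i + 1], t[i + 1])) if i < len(t) and t[i] == "eq" else None
        rules.append((action, proto, addrs[0], addrs[1], dport))
    return rules

def redirected(platform, rules, pkt):
    """First-match lookup; True if the flow is sent to the guest portal."""
    redirect_on = "permit" if platform == "ios" else "deny"
    for action, proto, src, dst, dport in rules:
        if proto in ("ip", pkt["proto"]) and src in (None, pkt["src"]) \
                and dst in (None, pkt["dst"]) and dport in (None, pkt["dport"]):
            return action == redirect_on
    return platform == "wlc"     # implicit deny: redirected on WLC, not on IOS

def unsafe_redirects(platform, rules, ise_ip, client="10.1.1.50"):
    """Flows that must bypass redirection but would be redirected by this ACL."""
    flows = {
        "DHCP": {"proto": "udp", "src": client, "dst": "255.255.255.255", "dport": 67},
        "DNS":  {"proto": "udp", "src": client, "dst": "10.0.0.53", "dport": 53},
        "ISE":  {"proto": "tcp", "src": client, "dst": ise_ip, "dport": 8443},
    }
    return [name for name, pkt in flows.items() if redirected(platform, rules, pkt)]
```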
Probes
- types
  - RADIUS
    - AV: Calling-Station-ID, Framed-IP-Addr
    - SNMPQUERY probe
  - device sensor
    - via RADIUS Accounting
    - CDP, LLDP, DHCP (DHCP snooping DB)
  - SNMP sensor
    - trap: link up/down event
    - query: mandatory for trap
  - DHCP probe
    - determines OS using User-Agent field
    - SPAN (more performance) or ip helper-address (tune ip forward-protocol)
  - HTTP
    - OS discovery
    - packet-based (e.g. captive portal) or SPAN (ideally filtered)
  - DNS
  - AD
    - whether under corporate management
    - ADRT on hostname (received from DHCP or DNS probe)
  - NetFlow
  - nmap
    - the only active probe
    - SMB protocol via McAfee ePolicy Orchestrator
    - SNMPQUERY probe
  - endpoint probe
    - uses WMI to check whether user is active
    - logoff detection
- endpoint DB uses MAC as primary key
(config)# device-sensor accounting
(config)# device-sensor notify all-changes
! which fields to include: one filter list per protocol (dhcp | cdp | lldp)
(config)# device-sensor filter-list dhcp list <LST>
(config-sensor-dhcplist)# option name <option-name>
(config)# device-sensor filter-spec dhcp include list <LST>
Wireless
- MAC filtering for MAC and WebAuth
- disable DHCP proxy on WLC if DHCP probe is used (ip helper-address on gateway on switch)
Mobility services engine (MSE)
- tracks Wi-Fi client location to use it for authZ
EAP chaining
- EAP-FAST + PAC (protected access credential, ~PSK)
- device + user authC
- Windows + AnyConnect NAM
- phases
  - auto PAC provision: anonymous (DH) or authenticated (PKI)
  - TLS tunnel using certificate that is received and encrypted with PAC
  - inner authC: EAP-GTC, TLS, MS-CHAP
- condition: Network Access:EAP-ChainingResult – authC result (Network Access:EAPTunnel = EAP-FAST)
Certificate
- functions: tied to single certificate, 1:n
  - admin: mgmt
  - EAP: TLS
  - portal: BYOD
  - pxGrid
  - SAML: SSO with external provider
- PAN ≡ CA, PSN ≡ subordinate CA
- ISE CA supports ECC
Posture
- Apex license
- HostScan: VPN only
- verifies AV, Service Pack, patch, services, watermark (≡ corporate asset)
- posture trigger – reference to posture status in authZ policy
- redirect URL
  - created by PSN that processes the request
  - switch intercepts TCP SYN, establishes session and replies with HTTP 302 Redirect
  - requires HTTP(S) server on switch to redirect traffic from agent
- posture flow
  - host connects to network
  - host matches “posture-unknown” authZ policy
  - host is allowed basic connectivity
  - Posture agent sends Posture data to ISE, TLS port 8905
  - ISE issues CoA, if necessary
- ISE discovery by AnyConnect:
  - CallHomeList option in AC profile
    - provisioned along with AC profile after URL redirect to Client Provisioning portal
    - PSN list
  - discovery flow:
    - HTTP GET /auth/ng-discovery to CallHomeList (profile option)
    - HTTP GET /auth/ng-discovery to ConnectionData.xml
    - HTTP GET /auth/discovery to default gateway
    - HTTP GET /auth/discovery to enroll.cisco.com
      - in case of VPN, FQDN must be routable through tunnel
    - HTTP GET /auth/discovery to DiscoveryHost
      - option in AC profile
      - any IP/FQDN beyond default gateway to trigger URL redirection to Provisioning portal
      - not PSN
    - HTTP GET /auth/status to previously known PSN
- Posture profile has to be downloaded from ISE, not created manually, because of PublicKey within profile
- Posture requirement: ties condition and remediation together
- Posture policy:
  - all policy entries that match are processed (not first-match)
  - marks requirements as mandatory or optional
Machine access restrictions (MAR)
- combines user authC and device authC for authZ
- tracks host MACs that passed authC, compares to this list on authZ (condition WasMachineAuthenticated)
- cache persistence ≡ survives reload
- cache distribution ≡ cache replica to other PSN in node group
TC-NAC
- vulnerability scan with Tenable, Qualys, Rapid7
Passive authentication
- AD integration using WMI to receive user IP: publisher/subscriber
- EasyConnect
  - authZ without 802.1x supplicant
  - MAB + passive identity
  - only for AD-joined hosts
  - user-login based (not device-login)
  - passive identity tracking in authZ profile
- config WMI process
  - Registry change
  - DCOM permit
  - WMI can be used remotely
  - add AD user to groups Event Log Reader and Distributed COM Users
  - FW settings to access ISE
- logoff detection
  - sequence
  - endpoint probe
    - if WMI does not respond, ISE tries to login with AD admin credentials and enable WMI
    - if endpoint is not in the network or another user is active – clear session
  - detects stale sessions (e.g. sleep in lieu of logoff)
  - refreshes reverse DNS every 4h
BYOD
- OS:
  - Windows, OS X
    - agent-based provision (agent received from portal)
  - iOS
    - over-the-air (OTA) provision
    - detects Internet connection if captive.apple.com is reachable; if not – launch captive network assistant (CNA), limited
  - Android
    - Cisco Network Setup Assistant from Google Play
- provisioning
  - certificate installation
  - supplicant setup
    - native supplicant profile (NSP)
- SCEP registration authority profile → certificate template → NSP → client provisioning rule ← provisioning agent
TACACS+
- requires at least 100 Base licenses + 1 Admin license per PSN with TACACS+