Cisco ISE Identity Services Engine Tutorial
The first question I am going to answer is: What is Cisco ISE and what does Cisco ISE do?
Cisco Identity Services Engine (ISE) is a server-based product, either a Cisco ISE appliance or a
virtual machine, that enables the creation and enforcement of access policies for endpoint
devices connected to a company's network.
In simple terms, you can control who can access your network and, once they are on it, what they can
get access to. It can authenticate wired, wireless and VPN users and can scale to millions of
endpoints. Based on many factors, including the validity of a certificate, MAC address or device
profiling, you can identify a machine and determine which VLAN that machine is placed into. Any
http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 1/16
3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics
devices that do not pass authorisation will be placed into a guest VLAN or denied access to the
network.
All this information is logged and you can instantly get a view of what is connected to your
network at any time.
ISE Nodes
The ISE solution is made up of a deployment of nodes with three different personas:
Depending on the size of your deployment, all three personas can be run on the same device or
spread across multiple devices for redundancy and scalability. Let's go through each persona
and explain its function.
The Policy Administration Node (PAN) is where the administrator logs in to configure policies and
make changes to the entire ISE system. Once configured on the PAN, the changes are pushed
out to the Policy Services Nodes. It handles all system-related configuration and can be
configured as standalone, primary or secondary.
The Monitoring Node (MnT) is where all the logs are collected and where report generation occurs.
Every event that occurs within the ISE topology is logged to the monitoring node; you can then
generate reports showing the current status of connected devices and unknown devices on
your network.
The Policy Services Node (PSN) is the contact point into the network. Each switch is configured to
query a RADIUS server to get the policy decision to apply to the network port; that RADIUS server is
the PSN. In larger deployments you use multiple PSNs to spread the load of all the network
requests. The PSN provides network access, posture, guest access, client provisioning, and
profiling services. There must be at least one PSN in a distributed setup.
pxGrid Node
The pxGrid framework is used to exchange context-sensitive information from the Cisco ISE
session directory. It allows the ISE system to pass data to other Cisco platforms and third-party
vendors. This information can then be used to invoke actions to quarantine users or
block access in response to network security events.
ISE Hardware
The Cisco Secure Network Server is based on the Cisco UCS C220 Rack Server and is
configured specifically to support the Cisco Identity Services Engine.
Note: The 3415 and 3495 Secure Network Servers are now end of life (EOL), and the last order date
for these appliances was October 7 2016. This post will be covering the latest hardware
now available, which is the 3515 and the 3595; the 3595 appliance is shown below.
Secure Network Server 3515 (for small and medium-sized deployments)
Secure Network Server 3595 (for large deployments; includes redundant hard disks and
power supplies)
                     3515       3595
Network Interfaces   6 x 1GB    6 x 1GB
Standalone Deployment
This consists of one node which runs all three personas. This is suitable for a small
deployment or lab solution.
If you run a standalone solution on your production network, you have no redundancy.
Distributed Deployment
Small Network Deployments
Medium Network Deployments
Large Network Deployments
The smallest distributed ISE deployment consists of two Cisco ISE nodes, with one node
functioning as the primary.
The primary node provides all the configuration, authentication and policy functions, and the
secondary node functions as a backup. The secondary supports the primary in the event of a
loss of connectivity between the network devices and the primary.
As the size of your network grows, or you want to expand your ISE topology, you need to start
adding more nodes, and with a medium-sized deployment you start dedicating nodes to logging
and administration. The medium-sized deployment consists of a primary and secondary
administration node and a primary and secondary monitoring node, alongside separate policy
service nodes.
and the load balancer will balance the RADIUS requests between all the PSNs. This is also very
beneficial when performing software upgrades, as a single PSN node can be removed from
service without any fear of a switch being configured to have it as its primary RADIUS server.
Having a single load balancer does introduce a potential single point of failure so it is highly
recommended to deploy two load balancers.
The large network deployment also uses a centralised, dedicated logging server: one node
set up specifically for logging. This would typically be an appliance with a lot of disk space. A
secondary logging appliance would also be configured, but in the first instance all logging
information will go to a central point.
With the large network deployment you have a dedicated primary PAN and a dedicated
secondary PAN, plus a primary and secondary MnT. All logging goes to the primary monitoring
appliance. The number of PSN nodes is scaled out depending on the number of devices on the
network. Typically allow 7,500 devices per PSN, plus 2 more PSNs for redundancy.
Due to the standard configuration on switches, where most RADIUS servers will be configured as
primary / secondary, there is a big potential for all devices to only talk to a single PSN, loading it
very heavily. To overcome this it is a best practice to introduce a load balancer, and ideally a
redundant pair, which will provide a single virtual IP for the RADIUS server.
The load balancers will distribute the requests across all the PSN nodes. This is also very
beneficial for software updates on the PSN nodes, which happen quite frequently: for a
software update you just take a single PSN node out of the cluster and perform the upgrade.
All administration is handled on the primary PAN and, in the event of a failure, would move over
to the secondary, which contains a replicated database.
Cisco ISE 2.2 is the current version at the time of writing and will be used for all information
below.
The Cisco ISE licensing model allows you to purchase licenses based on your enterprise needs.
There are two ways of consuming licenses: Traditional or Smart.
Licenses are counted against concurrent, active sessions. An active session is one for which a
RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.
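To make the session-based counting concrete, here is an added Python example (not from the original post) that replays a constructed set of RADIUS accounting records and reports the peak number of concurrent sessions, which is what base licenses are consumed against; the record field names and the sample data are assumptions.

```python
# Added example (not from the original post): counting concurrent active
# sessions the way the post describes ISE license consumption, from a
# constructed list of RADIUS Accounting records. Field names are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AcctRecord:
    timestamp: int      # seconds; constructed sample data
    status: str         # "Start", "Interim-Update" or "Stop"
    session_id: str     # Acct-Session-Id
    mac: str            # Calling-Station-Id


def peak_active_sessions(records):
    """Replay accounting records in time order and return
    (peak_concurrent, currently_active_session_ids).

    A session is active from its Accounting Start until its Accounting
    Stop. Interim-Updates do not change the count, and a Stop without a
    matching Start (or a duplicate Start) is ignored rather than
    corrupting the count."""
    active = set()
    peak = 0
    for rec in sorted(records, key=lambda r: r.timestamp):
        if rec.status == "Start":
            active.add(rec.session_id)
        elif rec.status == "Stop":
            active.discard(rec.session_id)
        peak = max(peak, len(active))
    return peak, active


# Constructed sample: three endpoints, one of which disconnects and
# returns, plus an orphan Stop for a session whose Start was never seen.
SAMPLE = [
    AcctRecord(100, "Start", "s1", "00:11:22:33:44:55"),
    AcctRecord(110, "Start", "s2", "00:11:22:33:44:66"),
    AcctRecord(120, "Interim-Update", "s1", "00:11:22:33:44:55"),
    AcctRecord(130, "Stop", "s9", "de:ad:be:ef:00:01"),    # orphan Stop
    AcctRecord(140, "Start", "s3", "00:11:22:33:44:77"),
    AcctRecord(150, "Stop", "s2", "00:11:22:33:44:66"),
    AcctRecord(160, "Start", "s4", "00:11:22:33:44:66"),   # same MAC, new session
]

if __name__ == "__main__":
    peak, active = peak_active_sessions(SAMPLE)
    print("peak concurrent sessions:", peak, "active now:", sorted(active))
```

Because the count is driven by accounting messages, a network device that never sends Accounting Stop leaves sessions counted as active until ISE times them out.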
Base License
The base license is a perpetual license and is the only requirement for AAA and IEEE 802.1X;
it also covers guest services and TrustSec. A base license is consumed for every active
device on the network.
Device Administration
A device administration license is required for TACACS+. It is a perpetual license, a
base license is required to install it, and you only require one
license per deployment.
Evaluation
An evaluation license covers 100 nodes and provides full Cisco ISE functionality for 90 days. All
Cisco ISE appliances are supplied with an evaluation license.
What is TrustSec?
The ultimate goal of TrustSec is to assign a tag, or Security Group Tag (SGT), to the user's or
device's traffic at the ingress point to the network, and then to apply restrictions or permit
the traffic at other parts of the network based on this tag.
Up until this point the de facto TACACS+ server was ACS, but with this feature now available in
ISE, the migration of TACACS+ services has enabled network engineers to centralise all
network authentications within one framework.
During this phase a lot of devices are normally discovered that the network administrator did
not even know were connected to the network.
That, though, is the whole point of NAC: to have a complete picture of all devices that are
connected to your network and to be in complete control of their access.
What is MAC Authentication Bypass?
MAC Authentication Bypass (MAB) is a way to whitelist certain network devices. If
you know the MAC address of a device that you know should get access to your network,
you can grant it access purely by its MAC address. This is used for devices that cannot have
certificates loaded on them or are hard to profile.
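As an added illustration of the authorisation outcomes described above (certificate, MAB whitelist, or guest VLAN), here is a Python example that is not from the original post; the VLAN numbers, the whitelist entries, the rule order and the function names are assumptions, and the MAC normalisation covers the differing address formats switches and ISE present.

```python
# Added example (not from the original post): a toy authorisation step that
# assigns a VLAN the way the post describes, from an 802.1X certificate
# result or a MAB whitelist, with a guest VLAN for anything that fails.
# VLAN numbers, whitelist entries and rule order are assumptions.
import re

CORP_VLAN = 10     # assumed: endpoints with a valid certificate
GUEST_VLAN = 999   # assumed: everything that does not pass authorisation


def normalise_mac(mac):
    """Return a MAC as lower-case 'aa:bb:cc:dd:ee:ff'.

    Switches and ISE can present the same address as aabb.ccdd.eeff,
    AA-BB-CC-DD-EE-FF or aa:bb:cc:dd:ee:ff; comparing raw strings against a
    whitelist is a common cause of MAB 'endpoint not found' failures."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed MAB whitelist (MAC -> VLAN) for devices that cannot hold a
# certificate, such as printers and phones, keyed on the normalised form.
MAB_WHITELIST = {
    normalise_mac("0011.2233.4455"): 20,     # printer VLAN (assumed)
    normalise_mac("00-11-22-33-44-66"): 30,  # IP phone VLAN (assumed)
}


def authorise(mac, dot1x_cert_valid=False):
    """Decide the VLAN for an endpoint.

    A valid 802.1X certificate wins; otherwise the endpoint falls back to
    MAB and must be on the whitelist; anything else lands in the guest VLAN.
    """
    if dot1x_cert_valid:
        return CORP_VLAN
    return MAB_WHITELIST.get(normalise_mac(mac), GUEST_VLAN)


if __name__ == "__main__":
    for sample in ("0011.2233.4455", "00:11:22:33:44:66", "AA-BB-CC-DD-EE-FF"):
        print(sample, "->", authorise(sample))
```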
I hope this information has been a benefit in starting to learn the concepts of the Cisco Identity
Services Engine. For more in-depth posts on configuring and deploying ISE, check out my
Cisco ISE Training pages.
You can read more about who Roger is here: About Roger (http://www.rogerperkin.co.uk/about/)
Comments
Ayele says
March 29, 2017 at 7:54 am (http://www.rogerperkin.co.uk/security/ise/cisco-ise-identity-services-engine-tutorial/#comment-39315)
It is really interesting and helpful. Thank you for taking the time to publish this