3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

Networking Tutorials
Cisco ISE Identity Services Engine Tutorial
The rst question I am going to answer is What is Cisco ISE and what does Cisco ISE do?

What is Cisco ISE?

2
Share

Cisco Identity Services Engine (ISE) is a server based product, either a Cisco ISE appliance or
Virtual Machine that enables the creation and enforcement of access polices for endpoint
devices connected to a companies network.

What does Cisco ISE do?

In simple terms you can control who can access your network and when they do what they can
get access to. It can authenticate wired, wireless and vpn users and can scale to millions of
endpoints. Based on many factors including the validity of a certicate, mac address or device
proling you can identify a machine and determine which vlan that machine is placed into. Any

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 1/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

proling you can identify a machine and determine which vlan that machine is placed into. Any
devices that do not pass authorisation will be placed into a guest vlan or denied access to the
network.

All this information is logged and you can instantly get a view of what is connected to your
network at any time.

ISE Nodes
The ISE solution is made up of a deployment of nodes with three different personas:

Policy Administration Node (PAN) 2

Share
Monitoring Node (MnT)
Policy Services Node (PAN)
1
pxGrid

1
Depending on the size of your deployment all three personas can be run on the same device or
spread across multiple devices for redundancy and scalability. Lets go through each persona
and explain their function.

Policy Administration Node (PAN)

The Policy Administration Node is where the administrator logs into to congure policies and
make changes to the entire ISE system. Once congured on the PAN the changes are pushed

out to the policy services nodes. It handles all system related congurations and can be
congured as standalone, primary or secondary.

Monitoring Node (MnT)

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 2/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

Monitoring Node (MnT)

TheMonitoring Node is where all the logs are collected and where report generation occurs.
Every event that occurs within the ISE topology is logged to the monitoring node you can then
generate reports showing the current status of connected devices and unknown devices on 2
Share
your network.

Policy Services Node (PSN)

1

ThePolicy Services Nodeis the contact point into the network. Each switch is congured to
query a radius server to get the policy decision to apply to the network port the radius server is
the PSN. In larger deployments you use multiple PSNs to spread the load of all the network
requests. The PSN providesnetwork access, posture, guest access, client provisioning, and
proling services. There must be at least one PSN in a distributed setup.

pxGrid Node

The pxGrid framework is used to exchange context-sensitive information from the CISCO ISE
session directory. It allows the ISE system to pass data to other Cisco platforms and third
party vendors. This information can then be used to invoke actions to quarantine users or
block access in response to network security events.

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 3/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

block access in response to network security events.

ISE Hardware
The Cisco Secure Network Server is based on the Cisco UCS C220 Rack Server and is
congured specically to support the Cisco Identity Services Engine.

Note:The 3415 and 3495 secure network servers are now end of life (eol) and the last date for
order for these appliances was October 7 2016. This post will be covering the latest hardware
now available which is the 3515 and the 3595 the 3595 appliance is shown below.

2
Share

Secure Network Server 3595

There are two versions of the hardware:

Secure Network Server 3515 (For small and medium sized deployments)
Secure Network Server 3595 (For large deployments includes redundant hard disks and
power supplies)

Hardware details taken fromcisco data sheet

(http://www.cisco.com/c/en/us/products/collateral/security/identity-services-
engine/data_sheet_c78-726524.html)

Secure Network Server 351

Product Name Secure Network Server 3595
5

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 4/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

1 Intel Xeon 2.40 GHz E5-26

Processor 1 Intel Xeon 2.60 GHz E5-2640
20

Cores per Proce

6 8
ssor

Memory 16 GB (2 x 8 GB) 64 GB (4 x 16 GB)

1 - 2.5-in. 600-GB 6Gb SAS 10

Hard Disk 4 - 2.5-in. 600-GB 6Gb SAS 10K RPM
K RPM
2
Share
Level 10 Cisco 12G SAS Modular RAID C
Hardware RAID No
ontroller 1

Network Interfa 1
6 x 1GB 6 x 1GB
ces

Power Supplies 1 x 770W 2 x 770W

Endpoints supported for different platforms

3515 3595

Endpoints supported in a standalone conguration 7,500 20,000

Endpoints supported per Policy Services Node 7,500 40,000

How Cisco ISE Works

ISE hastwo different deployment options Standalone and Distributed

Standalone Deployment

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 5/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

This consists of one node which runs all three personas. This is suitable for a small
deployment or lab solution.

If you ran a standalone solution on your production network you have no redundancy.

Distributed Deployment
Small Network Deployments
Medium Network Deployments
Large Network Deployments

Small Network Deployment 2

Share

The smallest distributed ISE deployment consists of two Cisco ISE nodes with one node
functioning as the primary. 1

1
The primary node provides all the conguration, authentication and policy functions and the
secondary node functions as a backup. The secondary supports the primary in the event of a
loss of connectivity between the network devices and the primary.

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 6/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

2
Share

Medium Network Deployment 1

As the size of your network grows or you want to expand your ISE topology you need to start
adding more nodes and with a medium sized deployment start dedicating nodes to logging 1
and administration. The medium sized deployment consists of a primary and secondary
administration node and a primary and secondary monitoring node, alongside separate policy
service nodes.

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 7/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

2
Share

Large Network Deployment

With a large network deployment you dedicate each node to a separate persona. So a separate
node (secure network server) for administration, monitoring and policy service. You should
also consider using load balancers in front of the PSN nodes.

As the number of PSN nodes increases it becomes more of an administrative overhead to

ensure even distribution of AAAclient conguration. i.e if you have 1000 switches each of
them will be congured to point to a specic primary and secondary radius server. If all
switches point to one radius server (a single PSN node then this single node will take all the
load and the other nodes will not be used. Putting a load balancer in front of the PSNs and
creating a Radius VIP will ensure all switches can be congured with a single Radius server

and the load balancer will balance the radius requests between all the PSNs. This is also very
benecial when performing software upgrades as a single PSN node can be removed from
service without any fear of a switch being congured to have it as its primary radius server.

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 8/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

Having a single load balancer does introduce a potential single point of failure so it is highly
recommended to deploy two load balancers.

The large network deploymentalso uses a centralised dedicated logging server. One node
setup specically for logging. This would typically be an appliance with a lot of disk space. A
secondary logging appliance would also be congured but in the rst instance all logging
information will go to a central point.

2
Share

With the large network deployment you have a dedicated Primary PAN and dedicated
secondary PAN. A Primary and Secondary MnT. All logging goes to the primary monitoring
appliance. The number of PSN nodes is scaled out depending on the number of devices on the
network. Typically allow 7,500 devices per PSN plus 2 more for redundancy.

Due the standard conguration on switches where most radius servers will be congured as
primary / secondary there is a big potential for all devices to only talk to a single PSN loading it
very heavily. To overcome this it is a best practice to introduce a load balancer and ideally a
redundant pair which will provide a single virtual IP for the Radius Server.

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 9/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

redundant pair which will provide a single virtual IP for the Radius Server.

The load balancers will load balance the requests to all the PSN nodes. This also is very
benecial for software updates on the PSN nodes which do happen quite frequently. For a
software update you just take a single PSN node out of the cluster and perform the upgrade.

All administration is handled on the primary PAN and in the event of a failure would move over
to the secondary which contains a replicated database.

Cisco ISE 2.2 is the current version at the time of writing and will be used for all information
below.
2
Share

Cisco ISE Licensing

1
I will try to simplify the license model below but all the information from Cisco can be found
here in the 2.1 admin guide license section
1
(http://www.cisco.com/c/en/us/td/docs/security/ise/2-
1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0110.html)

The Cisco ISE licensing model allows you to purchase licenee based on your enterprise needs.
There are two ways of consuming licenses. Traditional or Smart.

Traditional licensing is where you import a license onto the appliance

Smart licensing is where you manage a cisco account that holds all the information on
the license purchased for your deployment.

Licenses are counted against concurrent, active sessions. An active session is one for which a
RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.

The valid license options are:

ISE Base only

ISE Base and Plus
ISE Base and Apex
ISE Base, Plus, and Apex

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 10/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

ISE Base, Plus, and Apex

ISE Base, Plus, Apex and AnyConnect Apex

Base License
The base license is a perpetual license and is the only requirement for AAA and IEEE802.1x
and also covers guest services and Trustsec. A base license is consumed for every active
device on the network.

Base and Plus

A plus license is required for Bring Your Own Device (BYOD), Proling, Adaptive Network
2
Control (ANC) and PxGrid. A base license is required to install the plus license and the plusShare
license is a subscription for 1,3 or 5 years.
1

Base and Apex

1
The Apex license is the same as the plus license in that it is a 1,3,5 year subscription, requires
the base license but is used for Third Party Mobile Device Management & Posture Compliance.

Device Administration
There is a device administration license required for TACACS which is a perpetual license, a
base license is required to install the device administration license and you only require one
license per deployment.

Evaluation
An evaluation license covers 100 nodes and provide full Cisco ISE functionality for 90 days. All
Cisco ISE appliances are supplied with an evaluation license.

Cisco ISE Questions

WHAT IS TRUSTSEC?
The ultimate goal in idea of Trustec is to assign a TAG or Security Group Tag SGT to the users
or devices trafc at the ingress point to the network. And then to apply restrictions or permit
the trafc at other parts of the network based on this tag.

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 11/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

the trafc at other parts of the network based on this tag.

Simplify Network Segmentation with Cisco TrustSec

2
Share

DOES CISCO ISE SUPPORT TACACS?

As of version 2.0 (http://www.cisco.com/c/en/us/td/docs/security/ise/2-
0/release_notes/ise20_rn.html)Cisco ISE now supports TACACS+

Up until this point the defacto TACACs+ server was ACS, but with this feature now available in
ISEthe migration of TACACS+ services has enabled network engineers to centralise all
network authentications within one framework.

Device admin is not enabled by default, to enable it go to:

Administration / Deployment / Node Name / Enable Device Admin Service

This service should be enabled on the PSNs

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 12/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

WHAT IS CISCO ISE PROFILING?

The proling service allows the identity services engine to prole devices connected to the
network and give them an identity based on numerous factors. These devices can then be
granted access or denied access to the network based on the security policies. A typical
network deployment would start by putting ISE into monitor mode. In monitor mode no
enforcement takes place but the ISE administrator can start to see what devices are
connecting to the network and what identity it has been given.

During this phase a lot of devices are normally discovered that the network administrator did
not even know were connected to the network. 2
Share

That is though the whole point of NAC to have a complete picture of all devices that are
connected to your network and to be in complete control of their access. 1

1
What is Mac Authentication Bypass?
MAC Authentication Bypass (MAB) is a way to give a whitelist to certain network devices. If
you know the MAC address of a certain device you know should get access to your network
you can grant it access purely by its MAC address. This is used for devices that cannot have
certicates loaded on them or are hard to prole.

CISCO ISE VS ACS

I get a lot of questions about the differences between ISE and ACS. In simple terms ISE is the
next generation of network authentication and is so much more powerful than ACS. ACS is
used to authenticate users to network devices and for VPN sessions but it is not a NAC
solution. If you want to implement full network access control you need ISE.

The ofcial Cisco ISE pages on cisco.com

(http://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html)

I hope this information has been a benet to starting to learn the concepts of the Cisco Identity
Services Engine. For more in depth posts on conguring and deploying ISE Check out my
Cisco ISE Training pages.

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 13/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

Cisco ISE Ordering Guide

There is a very good PDF document entitled the Cisco ISE Ordering guide which can be
downloaded here (http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-
services-engine/guide_c07-656177.pdf)this steps you through all the appliances, licenses and
numbers required for placing an order for an ISE appliance.

There is a also a lot of learning material on this .Learning resources on cisco.com

(http://www.rogerperkin.co.uk/security/ise/cisco-ise-identity-services-engine-tutorial/)

2
Share

Roger Perkin - CCIE #50038 is based in the UK.

Read about Rogers' CCIE Journey here "My CCIE Journey."
(http://www.rogerperkin.co.uk/ccie/my-ccie-journey/)

You can read more about who Roger is here About Roger.
(http://www.rogerperkin.co.uk/about/)

Feel free to Send Roger a message here (http://www.rogerperkin.co.uk/contact/)

Follow Roger on Twitter (https://twitter.com/rogernperkin) -- Google Plus

(https://plus.google.com/u/0/+RogerPerkin/posts) and on Linkedin
(http://www.linkedin.com/in/rogerperkin)

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 14/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

Comments

Ayele says
March 29, 2017 at 7:54 am (http://www.rogerperkin.co.uk/security/ise/cisco-ise-identity-services-
engine-tutorial/#comment-39315)

It is really interesting and helpful. Thank you for taking the time to publish this

Reply (http://www.rogerperkin.co.uk/security/ise/cisco-ise-identity-services-engine-tutorial/?
replytocom=39315#respond) 2
Share

(http://www.rogerperkin.co.uk/ccie/the-ccie-blueprint-ebook/)

(http://www.rogerperkin.co.uk/ccie/the-ccie-blueprint-ebook/)

NETWORK ANSIBLE CCIE

ENGINEER
RESOURCES Cisco Router Backup with Are CCIE Bootcamps
Ansible Worth it?
Software Upgrade Guides (http://www.rogerperkin.c (http://www.rogerperkin.c
(http://www.rogerperkin.c o.uk/network- o.uk/ccie/are-ccie-
o.uk/software-upgrade- automation/ansible- bootcamps-worth-it/)
guides/) tutorial-network- Hi! My name is Roger and
Bluetooth Console Cable engineers/) Im the guy behind
(http://www.rogerperkin.c rogerperkin.co.uk. I
passed my CCIE in

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 15/16
 3/30/2017 CiscoISE>IdentityServicesEngineTutorial>StartingwiththeBasics

o.uk/network- Routing & Switching in

tools/airconsole-2-0- August 2015 and this blog
bluetooth-console-cable/) was setup to aid my
study. It is now the home
to my ramblings on all
things networking. More
About Roger
(http://www.rogerperkin.c
o.uk/about)

Disclaimer (http://www.rogerperkin.co.uk/disclaimer/) | Privacy Policy (http://www.rogerperkin.co.uk/privacy-policy/) |

Copyright rogerperkin.co.uk 2015 2
Share

http://www.rogerperkin.co.uk/security/ise/ciscoiseidentityservicesenginetutorial/ 16/16