BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec
(Mon 10:00 am + Thur 8:00 am)

Related sessions:
BRKSEC-2203 - Deploying TrustSec Security Group Tagging
BRKCRS-2891 - Enterprise Network Segmentation with Cisco TrustSec
BRKSEC-2026 - Network as a Sensor and Enforcer
BRKSEC-3690 - Advanced Security Group Tags: The Detailed Walk Through
Session times: (Wed 3:30pm) (Mon 1:00pm) (Mon 8:00am) (Thur 10:00am)
Important: Hidden Slide Alert
“Hear me now,
believe me later”
*400 +/- Slides in Reference PDF
Agenda
(Diagram: Identity and Context feeding Business-Relevant Policies in Cisco ISE, applied across Wired, Wireless and VPN)

Monitoring & Troubleshooting Node (MnT)
– Interface to reporting and logging
– Destination for syslog from other ISE nodes and NADs
pxGrid Controller (PXG)
– Facilitates sharing of information between network elements
Inline Posture Node (IPN)
– Enforces posture policy for legacy or 3rd-party NADs
ISE Policy Architecture (For Your Reference)

Policy Administration Node (PAN)
Writeable Access to the Database
• Interface to configure and view policies
• Responsible for policy sync across the deployment
(Diagram: PAN synchronizing policy to PSNs; PSN services shown as WebAuth, Posture/MDM, Client Provisioning and RADIUS/Profiling; NADs talk RADIUS to the PSN; external ID stores reached via AD/LDAP/RADIUS)

Policy Synchronization
(Diagram: policy sync from the PAN to each PSN)
Network Access Device (NAD)
Also Known as the ‘RADIUS Client’
• Major Secure Access component that enforces network policies.
• NAD sends request to the PSN for implementing authorization decisions for resources.
• Common enforcement mechanisms:
  • VLAN Assignment
  • dACLs
  • Security Group Access (SGA)
• Inline Enforcement:
  • Only needed in POSTURE use cases for NADs without RADIUS Change of Authorization and Sessionized URL Redirect support
  • Acts as a RADIUS Proxy in Bridged or Routed Gateway mode

Syslog
• Syslog from access devices is correlated with the user/device session on the PSN
• Syslog from the firewall is correlated with the guest access session
• Syslog from other ISE nodes is sent to the monitoring node (MnT) for reporting
ISE Platforms
• Single ISE node (Appliance or VM) can run PAN, MnT, PSN, and pxGrid roles simultaneously
(Diagram: ESXi virtual host running ISE nodes)

Monitoring and Troubleshooting Node
Monitoring and Troubleshooting Tools
• Dashboard, Session Management, Troubleshooting, Change of Authorization, CRUD
• Download debugs and support package
• Provide API for 3rd party applications
ISE Reporting

Putting It All Together…
(Diagram: Policy Sync between PAN and PSNs; RADIUS from NAD to PSN; syslog from PSNs and NADs to MnT)
Node Types
Policy Service Node (PSN)
PSN
– Makes policy decisions
Can run in a single host
– RADIUS server & provides endpoint/user services
Policy Administration Node (PAN)
PAN
– Interface to configure policies and manage ISE deployment
– Replication hub for all database config changes
Monitoring & Troubleshooting Node (MnT)
MnT
– Interface to reporting and logging
– Destination for syslog from other ISE nodes and NADs
PXG pxGrid Controller
– Facilitates sharing of information between network elements
PXG
pxGrid Node
For Your
Reference
ISE Design and Deployment Terms
• Persona Deployment
  Standalone = All personas (Admin/MnT/Policy Service) located on same node
  Distributed = Separation of one or more personas on different nodes
• Topological Deployment
  Centralized = All nodes located in the same LAN/campus network
  Distributed = One or more nodes located in different LANs/campus networks separated by a WAN
Basic 2-Node ISE Deployment (Redundant)
• Maximum endpoints – 10,000 (platform dependent—same as standalone)
• Redundant sizing – 10,000 (platform dependent—same as standalone)
(Diagram: two ISE nodes, each running PSN and PXG personas, serving the switches and 802.1X APs of Branch A and Branch B)
Distributed Persona Deployment
Admin + MnT on Same Appliance; Policy Service on Dedicated Appliance
• 2 x Admin+Monitor
• Max 5 PSNs
• Max endpoints – Platform dependent
  5,000 for 3355 or 3415 as PAN+MnT
  10,000 for 3395 or 3495 as PAN+MnT
Basic Distributed Deployment
Maximum Endpoints = 10,000 / Maximum 5 PSNs
(Diagram: Admin (P) + MnT (P) in Data Center A and Admin (S) + MnT (S) in DC B; a Policy Services cluster plus distributed Policy Services PSNs; HA Inline Posture Nodes for the non-CoA WLC and ASA VPN; AD/LDAP external ID/attribute stores; Branch A and Branch B switches and APs using 802.1X)
• Dedicated Management Appliances
  • Primary Admin / Primary MnT
  • Secondary MnT / Secondary Admin
• Dedicated Policy Service Nodes—Up to 5 PSNs
• No more than 10,000 Endpoints Supported
  • 3355/3415 as Admin/MnT = Max 5k endpoints
  • 3395/3495 as Admin/MnT = Max 10k endpoints
Distributed Persona Deployment
Dedicated Appliance for Each Persona: Administration, Monitoring, Policy Service
• 2 x Admin
• 2 x Monitoring
• Max 40 PSNs
• Max endpoints (Platform dependent)
(Diagram: dedicated PAN and MnT pairs across Data Center A and DC B; Policy Service clusters; HA Inline Posture Nodes for the non-CoA WLC and ASA VPN; AD/LDAP external ID/attribute stores; Branch A and Branch B switches and APs using 802.1X)
• Redundant, dedicated Administration and Monitoring nodes split across data centers (P=Primary / S=Secondary)
• Policy Service cluster for Wired/Wireless services at main campus
• Distributed Policy Service clusters for DR sites or larger campuses with higher-bandwidth, lower-latency interconnects.
• Centralized PSN clusters for remote Wired/Wireless branch devices
• VPN/Wireless (non-CoA) at main campus via HA Inline Posture nodes
Multi-Interface Routing
(Diagram: ISE nodes in Data Center A and DC B with separate interfaces toward the AD/LDAP external ID/attribute stores, DNS/NTP/SMTP services, and the WLCs, switches and 802.1X APs of Branch A and Branch B)
Sizing Guidance for ISE Nodes
Determining Minimum Appliance Quantity and Platform Type

Persona deployment: all personas running on single or redundant nodes
• Max nodes by type: 2 Admin+MnT+PSN nodes
• Max endpoints for entire deployment: 2k with ISE-33x5; 5k with SNS-3415; 10k with SNS-3495

Persona deployment: Administration and Monitoring co-located on single or redundant nodes; dedicated Policy Service nodes
• Max nodes by type: 2 Admin+MnT nodes; 5 Policy Service nodes
• Max endpoints for entire deployment: 5k with ISE-3355 or SNS-3415 for PAN+MnT; 10k with ISE-3395 or SNS-3495 for PAN+MnT

Persona deployment: dedicated Administration node(s), dedicated Monitoring node(s), dedicated Policy Service nodes
• Max nodes by type: 2 Admin nodes; 2 MnT nodes; 40 Policy Service nodes
• Max endpoints for entire deployment: 100k with ISE-3395 for PAN and MnT; 250k with SNS-3495 for PAN and MnT
Scaling by Deployment, Platform, and Persona
Max Concurrent Endpoint Counts by Deployment Model and Platform

Deployment Model | Platform | Max # Endpoints per Deployment | Max # Dedicated PSNs
Standalone (all personas on same node) (2 nodes redundant) | 33xx | 2,000 | 0
Standalone (all personas on same node) (2 nodes redundant) | 3415 | 5,000 | 0
Standalone (all personas on same node) (2 nodes redundant) | 3495 | 10,000 | 0
Admin + MnT on same node; Dedicated PSN (Minimum 4 nodes redundant) | 3355 as Admin+MnT | 5,000 | 5
Admin + MnT on same node; Dedicated PSN (Minimum 4 nodes redundant) | 3395 as Admin+MnT | 10,000 | 5
Admin + MnT on same node; Dedicated PSN (Minimum 4 nodes redundant) | 3415 as Admin+MnT | 5,000 | 5
Admin + MnT on same node; Dedicated PSN (Minimum 4 nodes redundant) | 3495 as Admin+MnT | 10,000 | 5
Dedicated Admin and MnT nodes (Minimum 6 nodes redundant) | 3395 as Admin and MnT | 100,000 | 40
Dedicated Admin and MnT nodes (Minimum 6 nodes redundant) | 3495 as Admin and MnT | 250,000 | 40

Platform comparison (fragment):
• Ethernet: 4 x Integrated Gigabit NICs on each hardware appliance; VMs can be configured with 1-4 NICs. Recommend allowing for 2 or more NICs.
• Redundant Power? No on one appliance platform, Yes on the other.
Sizing Production VMs to Physical Appliances
Summary
• Set Reservation to Minimum VM appliance specs to ensure required CPU resources are available and not shared with other VMs.
• Optionally set CPU allocation limit >= Min ISE VM specs to prevent over-allocation when actual CPU assigned exceeds ISE VM requirements.
• Similar settings apply to Max Allocation and Min Reservations for Memory.
VMware OVA Templates (New in ISE 1.3)
• Upper range sets # days MnT log retention
• Min recommended disk for MnT = 600GB
• Max hardware appliance disk size = 600GB
• Max virtual appliance disk size = 2TB

Persona | Disk (GB)
Standalone | 200+*
Administration Only | 200-300**
Monitoring Only | 200+*
Policy Service Only | 200
Admin + MnT | 200+*
Admin + MnT + PSN | 200+*
** Variations depend on where backups are saved or upgrade files staged (local or repository), debug, local logging, and data retention requirements.
MnT Node Log Storage Requirements
• Caching Disabled: Average Write ~ 25 MB/s
• Caching Enabled: Average Write ~ 300 MB/s (> 10x increase)

ISE Disk IO Performance Testing
Sample Tests Using Different RAID Config and Provisioning Options
• Read Performance roughly the same; Write Performance impacted by RAID config

VM Appliance Resource Validation Before Install
• Validate VM Readiness BEFORE Install & Deploy

VM Appliance Resource Validation During Install
• ISE 1.3 install will not even proceed without:
  • 4GB RAM
  • 2 CPU Cores
  • 100GB Disk
  • (EVAL settings)

VM Appliance Resource Validation After Install
• ISE continues to test I/O read/write performance on intervals
Large Deployments – Bandwidth and Latency
• Bandwidth most critical between:
  • PSNs and Primary PAN (DB Replication)
  • PSNs and MnT (Audit Logging)
• Latency most critical between PSNs and Primary PAN.
• 200ms max round-trip (RT) latency between any two nodes in ISE 1.2-1.4
• RADIUS generally requires much less bandwidth and is more tolerant of higher latencies – Actual requirements based on many factors including # endpoints, auth rate and protocols
(Diagram: PAN and MnT with many PSNs; RADIUS from WLC and Switch to the PSNs)
What if Distributed PSNs > 200ms RTT Latency?
Option #1: Deploy Separate ISE Instances (Per-Instance Latency < 200ms)
(Diagram: a site more than 200 ms from the central PAN/MnT gets its own PAN, MnT and PSNs; its WLCs and switches send RADIUS to the local PSNs)
Option #2: Centralize PSNs Where Latency < 200ms
(Diagram: PSNs stay at a location within 200 ms of the PAN; the remote switches send RADIUS across the WAN to those PSNs)
Deploy Local Standalone ISE Nodes as “Standby”
Local Standalone nodes can be deployed to remote locations to serve as local backups in case of WAN failure, but will not be synced to the centralized deployment.

Access Devices Fallback to Local PSNs on WAN Failure
• Access Devices point to local ISE nodes as tertiary RADIUS Servers.
• Backup nodes only used if WAN fails
• Standalone ISE Nodes can still log to centralized MnT nodes.
  -- Use TCP Syslog to buffer logs
ISE 1.2 Bandwidth Calculator Assumptions
• ISE Auth Suppression enabled
• Profiling Whitelist Filter enabled
• One node group per location
• Max round-trip latency between any two ISE 1.2/1.3/1.4 nodes is currently set at 200ms
• For Single-Site calculation, primary PAN and MnT nodes are deployed in primary DC to which bandwidth is calculated; For Multi-Site calculation, primary PAN is deployed in primary DC.
• Mobile endpoints authenticate/reauthenticate as frequently as 10/hr and refresh IP 1/hr
• Non-Mobile endpoints authenticate/reauthenticate no more than once per Reauth Interval and refresh IP address no more than once per DHCP renewal (1/2 Lease Period)
• Bandwidth required for NAD or Guest Activity logging is not included. These logging activities are highly variable and should be treated separately based on deployment requirements.
• Bandwidth required for general RADIUS auth and accounting traffic is not included. RADIUS traffic is generally less significant but actual requirement is highly contingent on multiple factors including total active endpoints, reauth intervals, and the authentication protocols used.
• Deployments where all ISE nodes are deployed in one location are not considered by this calculator. All nodes deployed in the same location are assumed to be connected by high-speed LAN links (Gigabit Ethernet or higher)
Scaling ISE Services
(Diagram: Network Access Devices sending RADIUS to a pool of PSNs acting as RADIUS Servers)

Auth Policy Optimization
Leverage Policy Sets to Organize and Scale Policy Processing
• Each Policy Set has a Condition, an Authentication policy and an Authorization policy
• Enable under Administration > System > Settings > Policy Sets

Search Speed Test
• Find the object where…
  • Total stars = 10
  • Total green stars = 4
  • Total red stars = 2
  • Outer shape = Red Circle

Auth Policy Optimization: Avoid Unnecessary External Store Lookups
• Policy Logic:
  o First Match, Top Down
  o Skip Rule on first negative condition match
• More specific rules generally at top
• Try to place more “popular” rules before less used rules.
AD Authentication Flow
(Diagram: a PSN asking “Which AD server should I connect to?” and deciding “I will connect with local AD server X!”; flow: Identity Rewrite (Optional) → AuthC Policy → Scope / AD Domain List (Optional) → AD Instance → Target AD (Optional))
Authentication Domains (Whitelisting)
• Enable r1.dom and disable the rest

Authentication Domains – Unusable Domains
• Domains that are unusable, e.g. 1-way trusts, are hidden automatically
• There’s an option to reveal these and see the reason

Run the AD Diagnostic Tool
Check AD Joins at Install & Periodically to Verify Potential AD Connectivity Issues
• DNS servers in ISE nodes must have all relevant AD records (A, PTR, SRV)
• Ensure NTP configured for all ISE nodes and AD servers
• Configure AD Sites and Services (with ISE machine accounts configured for relevant Sites)
Scaling Global Sponsor / MyDevices
Load Balancing simplifies and scales ISE Web Portal Services
(Diagram: DNS servers for DOMAIN = COMPANY.COM resolving the portal name to the load balancer VIP 10.3.0.100; PAN and MnT pairs; PSNs behind the load balancers: ISE-PSN-1 10.1.1.1, ISE-PSN-2 10.1.1.2, ISE-PSN-3 10.1.1.3, ISE-PSN-4 10.2.1.4, ISE-PSN-5 10.2.1.5, ISE-PSN-6 10.2.1.6, ISE-PSN-7 10.3.1.7, ISE-PSN-8 10.3.1.8, ISE-PSN-9 10.3.1.9)
• Guests auth with 802.1X using EAP methods like PEAP-MSCHAPv2 / EAP-GTC
• 802.1X auth performance generally much higher than web auth

CWA + DRW (1.2)
Live Log Output: 1 CWA; 2 CoA for CWA Success; 3 CoA for DRW Success
User Experience
+ Fully customizable portal per user group
+ Auto-population of MAC address in ID group
+ Selectable ID Group assignment per DRW policy
+ Portal customization allows device registration success and redirect to predefined URL in one step; User automatically redirected to pre-defined URL.
- No association of user to endpoint after initial authentication
- No automatic purge of registered device without ERS API.

CWA + NSP Device Registration
• Administration > System > Settings > Client Provisioning
• Flow: 1 CWA unknown endpoint; 2 Staff users redirected to NSP; 3 Registered device gains access
• If no matching policy, then continue with regular flow.
• Each Authorization Profile can reference a different customized web portal per group
Live Log Output: 1 CWA; 2 CoA for CWA Success; 3 CoA for NSP Success

CWA + NSP Device Registration (ISE 1.2)
User Experience
+ Custom portal per group
+ Option to limit devices per user
+ Auto-population of MAC address
+ Maps User to Endpoint and supports self-service
- NSP customization limited to portal themes (1.2 only)
- All devices mapped to one group (RegisteredDevices)
- User must manually navigate to original web page
- No automatic purge of registered device (ERS API)
Flow: CWA (Optional AUP) → Device Registration → Registration Success
Scaling Web Authentication (ISE 1.3)
“Remember Me” Guest Flows
• Device/user logs in to hotspot or credentialed portal
• For ISE 1.2, can “chain” CWA+DRW or NSP to auto-register web auth users, but no auto-purge

Endpoint Purging Examples
Matching Conditions
Purge by:
• # Days After Creation
• # Days Inactive
• Specified Date
• On Demand Purge
Scaling Posture & MDM
Posture Lease
• Once Compliant, user may leave/reconnect multiple times before re-posture (screenshot value: 7)

MDM Scalability and Survivability
What Happens When the MDM Server is Unreachable?
• All attributes retrieved & reachability determined by single API call on each new session.

Endpoint Attribute Filter
• Endpoint Attribute Filter – aka “Whitelist filter” (ISE 1.1.2 and above)
• Disabled by default. If enabled, only these attributes are collected or replicated.
• Administration > System > Settings > Profiling

Global Replication
(Diagram: PSN1 and PSN2 in the same node group; steps 4 and 9 are the PAN replicating over the Global Replication channel)
1. First profile attributes (RADIUS) received for an endpoint by PSN1 and saved in local DB.
2. New endpoint so PSN1 declares ownership to local node group over local cluster channel.
3. PSN1 syncs all attributes for endpoint to PAN; PAN creates endpoint in DB.
4. PAN replicates all attributes for the endpoint to all other nodes via Global Replication channel.
5. New profile attributes (DHCP) for same endpoint received by PSN2 in same node group.
6. PSN2 communicates with PSN1 over local cluster channel to determine if change to white list attribute. In this case, yes, so PSN2 requests all attributes for endpoint from PSN1.
7. PSN2 declares ownership change to local node group.
8. PSN2—did significant attribute change? Yes, since profile updated. PSN2 syncs all attributes to PAN.
9. PAN saves to central DB and replicates all attributes to all other secondary nodes in deployment over global channel.
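The nine-step flow above as an added, simplified simulation (not ISE code): it replays probe data for one endpoint arriving at two PSNs and counts messages on the local node-group channel versus the global PAN replication channel, with and without the attribute filter. The attribute sets, PSN names and event sequence are constructed assumptions.

```python
"""Simplified model of the profiler ownership and replication flow (added example,
not ISE code). It counts messages on the local node-group channel versus the global
PAN replication channel for one endpoint whose probe data reaches several PSNs."""
from collections import defaultdict

# Constructed attribute sets: WHITELIST approximates the profiler attribute filter,
# SIGNIFICANT the subset whose change updates the profile and must reach the PAN.
WHITELIST = {"OUI", "dhcp-class-identifier", "host-name"}
SIGNIFICANT = {"OUI", "dhcp-class-identifier"}


class Deployment:
    def __init__(self, node_groups, attribute_filter):
        # node_groups maps a node-group name to the PSNs that belong to it.
        self.group_of = {psn: g for g, psns in node_groups.items() for psn in psns}
        self.attribute_filter = attribute_filter
        self.owner = {}                  # endpoint MAC -> owning PSN
        self.attrs = defaultdict(dict)   # endpoint MAC -> attributes known deployment-wide
        self.local_msgs = 0              # node-group channel messages (TCP/7800 peer traffic)
        self.global_msgs = 0             # PAN replication messages (TCP/12001 tunnelled)

    def receive(self, psn, mac, attrs):
        """A PSN receives probe data for an endpoint; returns True if anything was synced."""
        if self.attribute_filter:
            attrs = {k: v for k, v in attrs.items() if k in WHITELIST}
        if not attrs:
            return False                 # filtered out: nothing stored, nothing replicated
        owner = self.owner.get(mac)
        if owner is None:
            # Steps 1-4: first sighting. Declare ownership to the node group (local),
            # sync to the PAN and let the PAN replicate to every node (global).
            self.owner[mac] = psn
            self.attrs[mac].update(attrs)
            self.local_msgs += 1
            self.global_msgs += 2
            return True
        changed = {k: v for k, v in attrs.items() if self.attrs[mac].get(k) != v}
        if not changed:
            return False                 # nothing new for classification
        if owner != psn:
            # Steps 5-7: fetch current attributes from the owner. Inside one node group
            # this is a request/reply on the local channel; across node groups it has
            # to go over the global channel. Then announce the ownership change.
            if self.group_of[owner] == self.group_of[psn]:
                self.local_msgs += 2
            else:
                self.global_msgs += 2
            self.owner[mac] = psn
            self.local_msgs += 1
        self.attrs[mac].update(changed)
        # Steps 8-9: only a significant change is synced to the PAN and replicated.
        if any(k in SIGNIFICANT for k in changed):
            self.global_msgs += 2
        return True


def simulate(node_groups, attribute_filter):
    """Replay a constructed sequence of probe events for one endpoint and return
    (local_msgs, global_msgs)."""
    d = Deployment(node_groups, attribute_filter)
    mac = "00:11:22:33:44:55"            # constructed endpoint MAC
    events = [
        # RADIUS probe on PSN1: OUI plus RADIUS-only attributes
        ("PSN1", {"OUI": "Apple, Inc.", "calling-station-id": mac, "nas-ip-address": "10.1.1.1"}),
        # DHCP probe (IP helper) lands on PSN2
        ("PSN2", {"dhcp-class-identifier": "MSFT 5.0", "host-name": "laptop-01"}),
        # RADIUS interim accounting on PSN1: no classification value
        ("PSN1", {"nas-port": "50101", "calling-station-id": mac}),
        # DHCP renew on PSN2: identical data
        ("PSN2", {"dhcp-class-identifier": "MSFT 5.0", "host-name": "laptop-01"}),
    ]
    for psn, attrs in events:
        d.receive(psn, mac, attrs)
    return d.local_msgs, d.global_msgs


if __name__ == "__main__":
    print("same node group, filter on :", simulate({"A": ["PSN1", "PSN2"]}, True))
    print("separate node groups, on   :", simulate({"A": ["PSN1"], "B": ["PSN2"]}, True))
    print("same node group, filter off:", simulate({"A": ["PSN1", "PSN2"]}, False))
```

With both PSNs in one node group the contention stays on the local channel, splitting them pushes it onto the global channel, and turning the filter off makes RADIUS accounting noise churn ownership.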
JGroups Overview
• Replication Cluster is a group with all nodes in the ISE deployment, i.e. PANs,
MnTs, and PSNs
• Mainly used for the replication of configuration and runtime data from Primary
PAN to all other nodes
• Also used by Profiler for fetching attributes from current owner and updating
endpoint ownership changes; for example, when node is not a node group
member or loses connection to its local node group.
• Uses TCP Hub and Spoke (Gossip Router) transport with Primary PAN as the
hub over port TCP/12001
• All nodes should have connectivity to TCP/12001 on both Primary and
Secondary PAN
ISE 1.2 Node Group/Local Cluster
• Node Groups use the following JGroup transports—all SSLv3 over TCP:
o TCP/7800 – TCPPING for JGroup Member Discovery
o TCP/7800 – JGroup Responses/Status, Ownership Changes, Endpoint Profile Attribute
Retrieval.
o TCP/7802 – Fast node failure detection.
• TCP connection is persistent but no data transferred in a ring configuration—PSN1 to PSN2, PSN2 to
PSN3, etc.
• When failure detected, JGroup Controller for Node Group communicates to MnT over HTTPS (TCP/443)
to relay node statuses (Up/Down). Also uses HTTP (TCP/443) to retrieve Posture Pending sessions from
MnT for failed node group member.
Inter-Node Communications (ISE 1.2)
(Diagram: JGroup connections of the global cluster tunnelled over TCP/12001 to the PAN; node group members PSN1-PSN3 peer over TCP/7800 with failure detection on TCP/7802)
*JGroups: Java toolkit for reliable multicast communications between group/cluster members.

ISE 1.3 Inter-Node Communications
Consolidated View for Database Operations
(Diagram: MnT (P) and MnT (S), PAN pair, NODE GROUP A (JGROUP A) with PSN1, PSN2 and PSN3; TCP/7800 JGroup Peer Communication; TCP/7802 JGroup Failure Detection; TCP/12001 JGroups Tunneled)

Local JGroups and Node Groups
• General classification data for given endpoint should stay local to node group = whitelist attributes
• Only certain critical data needs to be shared across entire deployment = significant attributes
• Each LB cluster should be a node group, but LB is NOT required for node groups.
• Node groups continue to provide original function of session recovery for failed PSN.
• Profiling sync leverages JGroup channel
• Node group members should have GE LAN connectivity (L2 or L3)
• ISE 1.3 no longer uses UDP multicast for JGroup—uses SSL only. (ISE 1.2 uses multicast with TTL=2; max 1 hop)
• Reduces sync updates even if different PSNs receive data – expect few whitelist changes and even fewer critical attribute changes.
(Diagram: Load Balancer in front of NODE GROUP A (JGROUP A) with PSN1-PSN3 on L2 or L3 LAN switching; a second node group with PSN3-PSN6; PAN and MnT pairs; TCP/7800 JGroup Peer Communication, TCP/7802 JGroup Failure Detection, TCP/12001 JGroups Tunneled)
Configuring Node Groups – ISE 1.2 Example
Recommended for ALL local PSNs!
1) Administration > System > Deployment
2) Assign name and available multicast address

ISE Profiling Best Practices (callouts)
DO send profile data to a single and same PSN or Node Group!
DO use Device Sensor!
DO enable the Profiler Attribute Filter!
ISE Profiling Best Practices
Whenever Possible…
• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
• Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
• For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or Profiling using…
• DHCP IP Helpers
• SNMP Traps
• DHCP/HTTP with ERSPAN (Requires validation)
• Ensure profile data for a given endpoint is sent to the same PSN
• Same issue as above, but not always possible across different probes
• Use node groups and ensure profile data for a given endpoint is sent to same node
group.
• Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.
• Avoid probes that collect the same endpoint attributes
• Example: Device Sensor + SNMP Query/IP Helper
• Enable Profiler Attribute Filter
ISE Profiling Best Practices
General Guidelines for Probes (callouts)
Do NOT enable all probes by default!
Avoid SPAN, SNMP Traps, and NetFlow probes!
ISE Profiling Best Practices
General Guidelines for Probes
• HTTP Probe:
• Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
• Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use intelligent
SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.
• DHCP Probe:
• Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!
• Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
• SNMP Probe:
• Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low
session/re-auth timers) or frequent interim accounting updates.
• For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.
• SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS auth.
• NetFlow Probe:
Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.
Profiling Case Study
“I applied the latest patch across all nodes (Admins, Monitors, PSNs). The VM portal page is now showing the cpu at about 5% and the network usage from ~50MB down to under a 1MB.”
ISE 1.1.1 Patch 2 initially helped, but… Never applied other best practice recommendations. DB eventually filled and purge issues resulted in DBs falling out of sync / disconnects.

Problem:
• Running ISE 1.1.1
• High node CPU and BW to Primary PAN
• Short-term Fix = Disable Profiling
(Diagram: a single core, then two cores, allocated to the ISE VMs; all profile data (traps, IP helper,…) sent to every PSN; profiling probes enabled on Gig0: DHCP, RADIUS, DNS, SNMPQUERY, SNMPTRAP, HTTP, DHCPSPAN)

Interim Solution:
• Added 2nd core and CPU dropped 33%
• Enable Whitelist Filter
• Applied 1.1.1 Patch 2 and CPU dropped 85+% and BW 98+%

Solution:
• Increase VM to specs (allocate eight cores to ISE VMs)
• LB profile data to single IP: send profile data (traps, IP helper,…) to the VIP address
• Enable whitelist filter
• Upgrade to 1.2.1/1.3
(Diagram: 802.1X devices w/CoA (C6500, C3750, WLC) → ACE VIP → Node Groups (x2) (N+1); ISE Policy)
Profiling Redundancy – Duplicating Profile Data
Different DHCP Addresses - Provides Redundancy but Leads to Contention for Ownership = Replication
• Common config is to duplicate IP helper data at each NAD to two different PSNs or PSN LB Clusters
• Different PSNs receive data
(Diagram: DC #1 Load Balancer PSN-CLUSTER1 (10.1.98.8) in front of PSN1 (10.1.99.5), PSN2 (10.1.99.6), PSN3 (10.1.99.7); DC #2 Load Balancer PSN-CLUSTER2 (10.2.100.2) in front of PSN1 (10.2.101.5), PSN2 (10.2.101.6), PSN3 (10.2.101.7); the user's DHCP Request arrives on int Vlan10 and is relayed to both clusters)

interface Vlan10
 ip helper-address <real_DHCP_Server>
 ip helper-address 10.1.98.8
 ip helper-address 10.2.100.2
Scaling Profiling and Replication
Single DHCP VIP Address using Anycast
- Limit Profile Data to a Single PSN and Node Group
• Different PSNs or Load Balancer VIPs host same target IP for DHCP profile data
• Routing metrics determine which PSN or LB VIP receives DHCP from NAD
(Diagram: DC #1 Load Balancer PSN-CLUSTER1 (10.1.98.8) in front of PSN1 (10.1.99.5), PSN2 (10.1.99.6), PSN3 (10.1.99.7); DC #2 Load Balancer PSN-CLUSTER2 also advertising 10.1.98.8 in front of PSN1 (10.2.101.5), PSN2 (10.2.101.6), PSN3 (10.2.101.7); the user's DHCP Request arrives on int Vlan10)

interface Vlan10
 ip helper-address <real_DHCP_Server>
 ip helper-address 10.1.98.8
Profiler Tuning for Polled SNMP Query Probe
• Set specific PSNs to periodically poll access devices for SNMP data.
• Choose PSN closest to access device.
(Diagram: PSN1 (Amer) and PSN2 (Asia); SNMP Polling set to Auto versus RADIUS from the switch)

Profiler Tuning for Polled SNMP Query Probe
• Disable/uncheck SNMP Settings: Disables all SNMP polling options [CSCur95329]
• Polling Interval
  1.2 Default: 3600 sec (1 hour)
  1.3 Default: 28,800 sec (8 hours) *Recommended minimum for all releases

(Diagram: EAP timeline between a PSN and a client on an SSID: First EAP Timeout 120sec, then retries every 30 seconds)
No Response Received From Client
• Supplicant List:
  • Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
• 5411 No response received during 120 seconds on last EAP message sent to the client
• This error has been seen at a number of Escalation customers
• Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.

Challenge: How to reduce the flood of log messages while increasing PSN and MnT capacity and tolerance
Getting More Information With Less Data
Scaling to Meet Current and Next Generation Logging Demands

Rate Limiting at Source
• Switch: Reauth period; Quiet-period 5 min; Held-period / Exclusion 5 min; reauth phones; quiet period; unknown users
• WLC: Quiet period; exclusion; roaming client supplicant; misbehaving supplicant
• LB: Heartbeat frequency; health probes

Filtering at Receiving Chain
• PSN: Detect and reject misbehaving clients; filter health probes from logging; reject bad supplicant
• MnT: Count and discard repeated events; Log Filter; count and discard untrusted events; count and discard repeats and unknown NAD events
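The "count and discard" and "reject misbehaving supplicant" filters above, as an added example that is not part of the original deck: a Python filter run over constructed log lines that reuse the 5411 message text from the slide. The line layout, MAC addresses and trusted NAD list are constructed assumptions, not the real ISE syslog format.

```python
"""Added example of a receiving-chain log filter (not ISE code): count and discard
repeated 5411 (EAP timeout) events per endpoint, flag endpoints that look like
misbehaving supplicants, and drop events from NADs that are not on the trusted list."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not the real ISE syslog layout). Endpoint ...:01 times out
# four times in two minutes and again 20 minutes later; 10.9.9.9 is not a known NAD.
SAMPLE_LOGS = """\
2015-06-01T10:00:01 ise-psn-1 5411 No response received during 120 seconds on last EAP message sent to the client mac=00:1A:11:AA:BB:01 nas=10.1.1.1
2015-06-01T10:00:31 ise-psn-1 5411 No response received during 120 seconds on last EAP message sent to the client mac=00:1A:11:AA:BB:01 nas=10.1.1.1
2015-06-01T10:01:01 ise-psn-1 5411 No response received during 120 seconds on last EAP message sent to the client mac=00:1A:11:AA:BB:01 nas=10.1.1.1
2015-06-01T10:01:31 ise-psn-1 5411 No response received during 120 seconds on last EAP message sent to the client mac=00:1A:11:AA:BB:01 nas=10.1.1.1
2015-06-01T10:02:00 ise-psn-2 5411 No response received during 120 seconds on last EAP message sent to the client mac=00:1A:11:AA:BB:02 nas=10.1.1.2
2015-06-01T10:02:30 ise-psn-2 5200 Authentication succeeded mac=00:1A:11:AA:BB:03 nas=10.1.1.2
2015-06-01T10:03:00 ise-psn-2 5411 No response received during 120 seconds on last EAP message sent to the client mac=00:1A:11:AA:BB:04 nas=10.9.9.9
2015-06-01T10:20:00 ise-psn-1 5411 No response received during 120 seconds on last EAP message sent to the client mac=00:1A:11:AA:BB:01 nas=10.1.1.1
"""
KNOWN_NADS = {"10.1.1.1", "10.1.1.2"}   # constructed list of trusted access devices

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<node>\S+) (?P<code>\d{4}) (?P<msg>.*?) "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) nas=(?P<nas>[\d.]+)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def filter_events(log_text, known_nads, window=timedelta(minutes=5), repeat_threshold=3):
    """Apply the receiving-chain filters and return kept events plus counters.

    - an event from a NAS address outside known_nads is counted and discarded
    - the first (code, mac) event opens a window; identical events inside the window
      are counted and discarded instead of being logged again
    - a MAC with repeat_threshold or more 5411 events inside one window is reported as
      a misbehaving supplicant, the candidate for rate limiting at the source
    """
    kept, stats = [], Counter()
    window_start = {}                    # (code, mac) -> start of the current window
    timeouts = defaultdict(list)         # mac -> timestamps of recent 5411 events
    misbehaving = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            stats["unparsed"] += 1
            continue
        if ev["nas"] not in known_nads:
            stats["untrusted_nad_discarded"] += 1
            continue
        key = (ev["code"], ev["mac"])
        start = window_start.get(key)
        if start is not None and ev["ts"] - start < window:
            stats["repeat_discarded"] += 1
        else:
            window_start[key] = ev["ts"]
            kept.append(ev)
            stats["kept"] += 1
        if ev["code"] == "5411":
            recent = [t for t in timeouts[ev["mac"]] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            timeouts[ev["mac"]] = recent
            if len(recent) >= repeat_threshold:
                misbehaving.add(ev["mac"])
    return {"kept": kept, "stats": dict(stats), "misbehaving": sorted(misbehaving)}


def run_sample():
    """Run the filter over the constructed sample with the constructed NAD list."""
    return filter_events(SAMPLE_LOGS, KNOWN_NADS)


if __name__ == "__main__":
    result = run_sample()
    print(result["stats"], result["misbehaving"])
```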
Tune NAD Configuration
Rate Limiting at Wireless Source

WLC – RADIUS Server Settings
• RADIUS Aggressive-Failover
  (Cisco Controller)>config radius aggressive-failover disable
  • If this is set to 'enable' (default), the WLC will failover to next server after 5 retransmissions for a given client.
  • Recommend disable to prevent single misbehaving client from failing over and disrupting other client sessions unless there are 3 consecutive tries for 3 different users (i.e. the radius-server is unresponsive for multiple users).
• In order to provide our customers with the most reliable Wireless LAN Controller software available, Cisco Wireless TAC is now offering TAC Recommended AireOS builds for 7.6 and 8.0. These "escalation" builds have several important bugfixes (beyond what is now available in CCO code) and have been operating in production at customer sites for several weeks. See the release notes for bugfix details.
• At present, the TAC Recommended AireOS builds are:
  • For AireOS 7.6 customers, 7.6.130.26 (Release Notes)
  • For AireOS 8.0 customers, 8.0.110.11. (Note that this build has many bugfixes beyond what the CCO 8.0.115.0 release has) (Release Notes)
• The TAC Recommended AireOS builds may be updated every week or two.
• The migration plan, from the TAC Recommended AireOS builds to CCO code, will be to the 8.0 MR2 release, planned for later this year. (Cisco does not plan to release another 7.6 maintenance build to CCO.) 8.0 MR2 is in beta now (see https://supportforums.cisco.com/document/12492986/80mr2-beta-availability), but does not yet have all of the applicable fixes.
• Cisco does not at present plan to post these builds to CCO. To request AireOS 7.6.130.26 and/or 8.0.110.11, open a Cisco TAC case on your Wireless LAN Controller contract.
Wireless Controllers Under Extreme Load (WLC 8.1)
• 5508 and WISM2: 8 queues per server (max 17 servers configurable)
• 8510/7510: 16 queues per server (max 17 servers configurable)
• For all platforms, each queue = 0-255 unique IDs. So total 256*8 = 2048 requests/server.
• Example using 5508/WISM2:
  • We will have unique source port per queue.
  • Total 8 unique source ports.
  • Queue is selected based on MAC address Hashing.
  (Table: for Server 1 and Server 2 alike, Queue 1 → src port 1, Queue 2 → src port 2, … Queue 8 → src port 8)
• Before 8.1, separate queues added for Auth and Accounting, but all servers share same two queues. (CSCud12582, CSCul96254)
• Related defects: CSCus51456, CSCur33085, CSCue37368, CSCuj88508
Q: 5508/WISM2 will have 8 queues per server. Are the 8 queues divided into 4 auth and 4 accounting?
A: It is not shared but separate 8 queues for accounting for 5508/WISM2
For Your
Wireless Best Practices Reference
Anchor Configurations
• RADIUS Accounting with Anchor Controllers
• Guest Anchors: Disable RADIUS Accounting on Guest Anchor WLAN (Enable on
Foreign Only)
• Campus Anchors: In campus roaming scenario where all controllers need to be
“primary” for same SSID, cannot disable RADIUS Accounting.
• Open SSIDs will always issue new session ID with RADIUS accounting update with new
ID, so the original connection is disconnected and the user is re-authenticated.
• CSCul83594 Sev6 - Session-id is not synchronized across mobility if the network is open
• CSCue50944 Sev6 - CWA Mobility Roam Fails to Foreign with MAC Filtering BYOD
Wireless Best Practices (For Your Reference)
Roaming Considerations
• Session IDs can change when roaming between controllers (L2 or L3 roaming); roaming
between APs on the same controller should be fine.
• Secure SSIDs (802.1X): L2/L3 roaming between controllers should be handled without
reauth—all roams are basically symmetric with tunnel back to foreign controller
• Open SSIDs (MAB, WebAuth):
• Avoid multiple controllers with open SSIDs – otherwise, will get new session ID (reauth) regardless of
L2 or L3 roam.
• Reauth any time the IP changes. For open SSID, it will always issue a new session ID.
• Options:
• Stateful Controller Switchover
• Deploy higher-capacity controllers instead of many smaller ones.
• 802.11r will work with 7.6 or 8.0 and can be applied to entire WLAN—simply not tested
under 7.6 so warning provided.
Tune NAD Configuration
Rate Limiting at Wired Source
(Diagram: switch as the source of reauthentication load from reauthenticating phones, the quiet period and unknown users; reauth period, quiet-period 5 min, held-period / exclusion 5 min.)
Wired (IOS / IOS-XE)
• RADIUS Interim Accounting: Use newinfo parameter with long interval (for example, 24-48 hrs), if
available. Otherwise, set 15 mins.
• 802.1X Timeouts
• held-period: Increase to 300+ sec
• quiet-period: Increase to 300+ sec
• ratelimit-period: Increase to 300+ sec
• Recommendation:
switch(config)# aaa accounting update [newinfo periodic 14400 | periodic 15]
• Reference:
• When the aaa accounting update command is activated, the Cisco IOS software issues interim
accounting records for all users on the system. If the keyword newinfo is used, interim accounting
records will be sent to the accounting server every time there is new accounting information to report.
• When used with the keyword periodic, interim accounting records are sent periodically as defined by
the argument number (in minutes). The interim accounting record contains all of the accounting
information recorded for that user up to the time the interim accounting record is sent.
• Jitter is used to provide an interval of time between records so that the AAA server does not get
overwhelmed by a constant stream of records. If certain applications require that periodic records be
sent at exact intervals, you should disable jitter by setting it to 0.
Caution: Using the aaa accounting update periodic command can cause heavy congestion when
many users are logged in to the network
Wired - 802.1X Timeout Settings (For Your Reference)
All IOS and IOS-XE Platforms
held-period seconds
Configures the time, in seconds, for which a supplicant will stay in the HELD state (that is, the
length of time it will wait before trying to send the credentials again after a failed attempt).
• The range is from 1 to 65535. The default is 60.
quiet-period seconds
Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
following a failed authentication exchange before trying to reauthenticate the client.
• For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
• For the Cisco 7600 series Switch, the range is from 0 to 65535. The default is 60.
ratelimit-period seconds
Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs
that send EAP-START packets that result in the wasting of switch processing power).
• The authenticator ignores EAPOL-Start packets from clients that have successfully
authenticated for the rate-limit period duration.
• The range is from 1 to 65535. By default, rate limiting is disabled.
Wired – Authentication Settings (For Your Reference)
Reduce the # Auths and ReAuths
• By default, IOS Switches and WLC validate health through active authentications.
• Optional: IOS can send separate RADIUS test probes via idle-time setting.
• Recommendation: Keep default interval = 60 minutes
• Older command syntax:
radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test username radtest ignore-acct-port idle-time 120 key cisco123
Policy > Policy Elements > Results > Authentication > Allowed Protocols
MnT Log Suppression and Smarter Logging
Drop and Count Duplicates / Provide Better Monitoring Tools
• Drop duplicates and increment counter in Live Log for “matching” passed authentications
• Display repeat counter to Live Sessions entries.
• Update session, but do not log RADIUS Accounting Interim Updates
• Log RADIUS Drops and EAP timeouts to separate table for reporting purposes and display as
counters on Live Log Dashboard along with Misconfigured Supplicants and NADs
• Alarm enhancements
• Revised guidance to limit syslog at the source.
• MnT storage allocation and data retention limits
• More aggressive purging
• Support larger VM disks to increase logging capacity and retention.
(Diagram, MnT: count and discard repeated events; count and discard untrusted events; count and discard repeats and unknown NAD events.)
MnT Noise Suppression
Suppress Successful Auths and Accounting
Administration > System > Settings > Protocols > RADIUS
CSCur42723: Original Range 1 – 30 seconds; New Range 1 sec – 1 day
• “Discard duplicate” logic not applicable to failed auths as these are not cached in session
• RADIUS Accounting (Interim) updates are dropped from storage, but do update session
Live Authentications and Sessions
Blue entry = Most current Live Sessions entry with repeated successful auth counter
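The suppression behaviour described above, modelled as an added example (not ISE code) over a constructed Live Log feed: repeated passed authentications inside the window are counted on the session rather than logged, failed auths are always logged, and interim accounting updates refresh the session without being stored.

```python
"""Added example (not ISE code): a model of MnT successful-auth suppression.

ISE caches a session per endpoint and, when the same endpoint passes
authentication again inside the suppression window, increments a repeat
counter on that session instead of writing another Live Log row. The
window is the RADIUS setting referenced above (range widened from 1-30 s
to 1 s - 1 day by CSCur42723). Failed auths are not cached in a session, so
they are never suppressed; RADIUS Accounting interim updates refresh the
session but are not stored. The events below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Session:
    mac: str
    nad_ip: str
    last_logged: float        # time of the last Live Log row written for this session
    repeat_count: int = 0     # repeated successful auths counted, not logged
    last_update: float = 0.0  # refreshed by accounting interim updates


@dataclass
class Suppressor:
    window: float  # seconds; successful auths closer together than this are duplicates
    sessions: Dict[Tuple[str, str], Session] = field(default_factory=dict)
    log_rows: List[dict] = field(default_factory=list)

    @staticmethod
    def key(ev: dict) -> Tuple[str, str]:
        # Calling-Station-Id case varies by NAD; upper-case so they compare equal
        return ev["mac"].upper(), ev["nad_ip"]

    def handle(self, ev: dict) -> str:
        k, t, kind = self.key(ev), ev["ts"], ev["type"]
        if kind == "AUTH_FAIL":
            self.log_rows.append(dict(ev))   # no session to cache against: always logged
            return "logged"
        if kind == "AUTH_PASS":
            s = self.sessions.get(k)
            if s is not None and t - s.last_logged < self.window:
                s.repeat_count += 1          # shown as the counter on the Live Sessions entry
                return "suppressed"
            if s is None:
                s = self.sessions[k] = Session(k[0], k[1], t)
            s.last_logged = t
            self.log_rows.append(dict(ev))
            return "logged"
        if kind == "ACCT_INTERIM":
            s = self.sessions.get(k)
            if s is None:
                return "dropped"             # nothing to update, nothing stored
            s.last_update = t
            return "session_updated"
        raise ValueError(f"unknown event type {kind}")

    def repeat_counter(self, mac: str, nad_ip: str) -> int:
        s = self.sessions.get((mac.upper(), nad_ip))
        return s.repeat_count if s else 0


# Constructed Live Log feed: an IP phone re-authenticating every minute on the
# same switch, an unknown user failing twice, and one interim accounting update.
PHONE = {"mac": "00:c0:ff:1a:2b:3c", "nad_ip": "10.1.50.2", "user": "phone1"}
SAMPLE_EVENTS = [
    dict(ts=0,    type="AUTH_PASS",    **PHONE),
    dict(ts=60,   type="AUTH_PASS",    **{**PHONE, "mac": "00:C0:FF:1A:2B:3C"}),
    dict(ts=120,  type="ACCT_INTERIM", **PHONE),
    dict(ts=180,  type="AUTH_PASS",    **PHONE),
    dict(ts=200,  type="AUTH_FAIL",    mac="00:11:22:33:44:55", nad_ip="10.1.50.2", user="bob"),
    dict(ts=230,  type="AUTH_FAIL",    mac="00:11:22:33:44:55", nad_ip="10.1.50.2", user="bob"),
    dict(ts=240,  type="AUTH_PASS",    **PHONE),
    dict(ts=3700, type="AUTH_PASS",    **PHONE),   # beyond a 1-hour window: logged again
]


def run(window: float) -> Tuple[Suppressor, List[str]]:
    """Replay the constructed feed through a suppressor with the given window."""
    sup = Suppressor(window)
    return sup, [sup.handle(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for window in (30, 3600):
        sup, outcomes = run(window)
        print(f"window={window}s: {len(sup.log_rows)} rows logged, "
              f"{outcomes.count('suppressed')} suppressed, "
              f"phone repeat counter={sup.repeat_counter(PHONE['mac'], PHONE['nad_ip'])}")
```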
Authentication Suppression
Enable/Disable
• Global Suppression Settings: Administration > System > Settings > Protocols > RADIUS
(Failed Auth Suppression, Successful Auth Suppression)
Caution: Do not disable suppression in deployments with very high auth rates.
It is highly recommended to keep Auth Suppression enabled to reduce MnT logging
• Selective Suppression using Collection Filters: Administration > System > Logging > Collection Filters
Configure specific traffic to bypass Successful Auth Suppression
Useful for troubleshooting authentication for a specific endpoint or group of endpoints, especially
in high auth environments where global suppression is always required.
Per-Endpoint Time-Constrained Suppression (New in ISE 1.3)
(Right-click option.)
• Sessions can have one of 6 states as shown in the Live Sessions drop-down.
• NAD START --> Authenticating
• NAD SUCCESS --> Authorized
• NAD FAIL / ACCT STOP / AUTH FAIL --> Terminated
• POSTURED --> Postured
• AUTH PASS --> Authenticated
• ACCT START / UPDATE --> Started
• Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that
meet any of the following criteria:
1. Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time
allotted in case of authentication retries)
2. Endpoint authenticated in last hour but no accounting start or update received
• Manual Purge via REST API: HTTP DELETE API can manually delete inactive sessions.
An example web utility that supports HTTP DELETE operation is cURL. It is a free 3rd-party
command line tool for transferring data with HTTP/HTTPS:
http://www.cisco.com/en/US/docs/security/ise/1.2/api_ref_guide/ise_api_ref_ch2.html#wp1072950
Live Authentications Log (For Your Reference)
(Diagram: dashboard counters for unknown users, WLC roaming and supplicant issues; syslog forwarder with filtering at the relay.)
NAD syslog configuration:
epm logging
logging origin-id                          # where origin-id = IP address A.B.C.D
logging source-interface <interface-id>    # where interface-id IP address = A.B.C.D
logging host <MNT1> transport udp port 20514
logging host <MNT2> transport udp port 20514  # Optional for redundancy, but not required for troubleshooting purposes
Guest Activity Logging (For Your Reference)
• Enable with purpose—only send logs of interest that will apply to guest sessions.
• ISE only parses log messages that include IP address of active guest account
• ASA Example:
• Create Service Policy to inspect HTTP traffic for guest subnet
• Filter messages ID # 304001: accessed URLs
• Log Filtering:
• If NAD supports, configure filters to limit logs only to those needed/usable by MnT.
• If unable to filter at NAD, use Syslog Relay to filter and forward desired messages.
• Total ~600K+ Profiled Endpoints in database; Max 60K+ Concurrent Endpoints Globally
* CVO is Cisco Virtual Office, or small office/home office
Correct as of 08 March 2015
Executive Summary
• Significant progress has been made in stabilizing ISE 1.2
• Replication is now working across the deployment w RADIUS probing and “stickiness”
• Next steps: Implement eng fix to enable accounting suppression
• Apply ISE SNMP fixes and enable SNMP polling – reduce traffic from CVO sites*
• Cisco IT to continue update network devices and endpoints to reduce “traffic”
• Resume production rollout (CVOs and wired devices)
• Post mortem to review lessons learned and “product enhancements”
Item | Owner | Impact
Configure ACE for accounting | Cisco IT | High – reduced accounting traffic from 6M to 3M txns per day
Implement eng fix to enable accounting suppression | BU | High – further reduction in accounting traffic
Remove “IP” as a significant attribute change | BU (design) | High – removed traffic from “noisy” endpoints
Implement WLC OS updates to fix duplicate accounting issue | Cisco IT | High – reduce traffic from wireless network accounting txns
Implement eng fix for SNMP polling | BU | High – reduce # of SNMP traffic to enable CVO
Impact of Config Changes and Engineering Fixes
Reduction of Transaction load on ISE IT Deployment (chart)
Cisco IT and the Identity Services Engine
A multiyear deployment journey
• WhitePaper: http://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/wp-en-02092015-identity-services-engine.html
• Attend CCSSEC-2002 Cisco IT – Identity Services Engine (ISE) Deployment and Best Practices
• Friday (6/11/15) 12:30 – 1:30 pm
• Presented by Bassem Khalifé, Cisco IT
High Availability
High Availability Agenda
• ISE Node Redundancy
• Administration Nodes
• Monitoring Nodes
• pxGrid Nodes
• Inline Posture Nodes
(Diagram: Admin user to the PAN; policy sync to the PSN (Policy Service Node); logging to the MnT pair.)
Note: Switchover is NOT immediate. Total time based on polling intervals and promotion time.
Expect ~ 30 minutes.
ISE Admin Failover (For Your Reference)
“Automated Promotion/Switchover”
• Monitor Process:
• Secondary node monitoring the health of the Primary PAN node is the Active monitor
• On Failure detection, Health Monitor for Primary PAN node initiates switchover by
sending request to the Secondary PAN to become new primary PAN
PAN Failover Scenario (For Your Reference)
Scenario 1
(Diagram: DC-1 hosts PAN-1 (Primary PAN) and MNT-1 (Secondary MnT); DC-2 hosts PAN-2 (Secondary PAN) and MNT-2 (Primary MnT), connected over the WAN; PSNs in each DC run the PAN Health Monitor.)
1. Primary PAN (PAN-1) down
2. Direct failover detection
• Secondary PAN (PAN-2) takes over
PAN Failover Scenario (For Your Reference)
Scenario 2
(Diagram: same topology; PSNs in each DC run the PAN Health Monitor.)
PAN Failover Configuration
Configuration using GUI only under Administration > System > Deployment > PAN Failover
Alarms in PAN Auto-Failover (For Your Reference)
(Diagram of MnT log sources: HTTP SPAN, DHCP SPAN/Helper/Proxy, NetFlow, SNMP Traps, RADIUS (not buffered); syslog (UDP/20514) and alarm-triggered syslog to External Log Targets: Syslog (UDP/20514).)
HA for Monitoring and Troubleshooting
Steady State Operation
• Maximum two MnT nodes per deployment
• Active / Active
• MnT nodes concurrently receive logging from PAN, PSN, IPN*, NAD, and ASA
• PAN retrieves log/report data from Primary MnT node when available
(Diagram: Admin user → PAN; PAN pulls MnT data from the Monitoring Node (Primary); PSN, NAD, ASA and IPN log to the Monitoring Nodes (Primary and Secondary).)
• Upon MnT node failure, PAN, PSN, NAD, and ASA continue to send logs to remaining MnT node;
IPN must be reconfigured to send logs to active MnT (only supports one log target).
• PAN auto-detects failure (down for > 5 min) and retrieves log/report data from Secondary MnT node.
• Default UDP-based audit logging does not buffer data when MnT is unavailable.
• TCP and Secure Syslog options can be used to buffer logs locally
• Note: Overall log performance will decrease if these acknowledged options are used.
HA for pxGrid
Steady State
• Maximum two pxGrid nodes per deployment
• Active / Standby
pxGrid Clients (Publishers):
PAN Publisher Topics:
• Controller Admin
• TrustSec/SGA
• Endpoint Profile
MnT Publisher Topics:
• Session Directory
• Identity Group
• ANC (EPS)
(Diagram: Primary/Secondary PAN and MnT publish to the Active pxGrid Controller (PXG) over TCP/12001 and TCP/5222; a Standby pxGrid Controller is present; the pxGrid Client (Subscriber) connects over TCP/5222.)
If active pxGrid Controller fails, clients automatically attempt connection to standby pxGrid controller.
pxGrid HA (For Your Reference)
Design Considerations
• Download Identity certs from the Primary and Secondary MnT nodes to pxGrid
clients and import both into the keystore.
• Specify the hostname of both pxGrid nodes in the pxGrid API.
Example:
./register.sh -keystoreFilename isekeyfile.jks -keystorePassword cisco123 -truststoreFilename rootfile.jks -truststorePassword cisco123 -hostname 10.0.1.33 10.0.2.79
• The pxGrid clients will register to both pxGrid nodes.
• If the pxGrid node registered to the primary goes down, the pxGrid client will
continue communication with the pxGrid registered to the secondary node.
HA for Inline Posture Node
ISE Inline VPN Example
VLANs:
• VLAN 11: (ASA VPN; Inline node untrusted)
• VLAN 12: (Inline node trusted)
• VLAN 13: (Inline Heartbeat Link)
• VLAN 14: (ASA Inside)
• VLAN 15: (Internal Network)
• ASA HA: A/S or VPN Cluster
• VPN Client HA: VPN to single ASA HA IP or VPN Cluster IP
(Diagram: VPN user over the Internet (ISP A / ISP B) → external router/switch → ASA pair (outside/inside) → ACTIVE and STANDBY IPNs, each with eth1 on VLAN 11 (untrusted), eth0 on VLAN 12 (trusted), eth2 heartbeat (HB) link on VLAN 13 with redundant links; L3 switch trunk carrying VLANs 11-15 to the internal network and PSN.)
• Maximum two IPNs per instance; multiple instances supported
• Active / Standby
New: ASA 9.2.1 supports native CoA and URL Redirection for ISE Posture Services—Inline Posture Node no longer required for remote access ASA VPN.
Inline Posture Node (For Your Reference)
Considerations
• HA link is used to exchange heartbeat messages to check the status of mutual peer
• Appliance eth2 and eth3 ports used for HA link
• Multiple HA links can be configured; as long as heartbeat messages are received over at least one HA
link, then peer is considered healthy.
• HA link is a dedicated, highly reliable Layer 2 connection between failover pairs; can be a LAN cable or
dedicated VLAN connection. (Ethernet ports auto-detect MDI/MDI-X, so crossover cable optional.)
• Inline Posture Node HA supports link detection to allow failover to occur if active Inline Posture Node
detects loss of network connectivity while Standby does not; prevents traffic black hole due to other
network failures.
• In case of failure, Standby Inline Posture Node assumes “ownership” of service IP and sends gratuitous
ARPs out each interface to notify gateways of change.
• HA failover is stateless, so all active sessions need to be re-authorized upon FO. Standby Inline
Posture Node will auto-fetch session state/policy as needed.
HA for Internal Certificate Authority
• Primary PAN is Root CA for ISE deployment
• May be Subordinate to external Root CA or Standalone Root.
• Promote Secondary after CA certs imported. Or… promote Secondary before.
(CLI output excerpt:)
The following 4 CA key pairs were imported:
Subject:CN=Certificate Services Root CA - cisco-lab-ise
Issuer:CN=Certificate Services Root CA - cisco-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
• System Certificates for all nodes can be centrally exported with private key pairs
from Primary PAN in case needed for Disaster Recovery.
OCSP Responder HA
• Each PSN runs OCSP responder.
• OCSP DB replicated so can point to any PSN, or LB PSN cluster for OCSP HA.
(Diagram: http://ocsp.company.com resolves to the load balancer VIP 10.1.98.8 in front of ISE-PSN-1 through ISE-PSN-3 @ 10.1.99.7.)
1. Authenticator resolves ocsp.company.com to VIP @ 10.1.98.8
2. OCSP request sent to http://ocsp.company.com:2560/ocsp @ 10.1.98.8
3. Load balancer forwards request to PSN-3 (OCSP Responder) @ 10.1.99.7
4. Authenticator receives OCSP response from PSN-3
SCEP Load Balancing for BYOD/NSP (ISE 1.2)
If Multiple SCEP CA Servers Defined…
(Diagram: Network Access Devices → ISE PSNs (RADIUS Servers).)
Configure Node Groups for LB Cluster
All PSNs in LB Cluster in Same Node Group
• Administration > System > Deployment
1) Create node group
2) Assign name (and multicast address if ISE 1.2)
(Screenshot: ISE-PAN-2, ISE-MNT-2 and ISE-PSN-3 @ 10.1.99.7 in the deployment.)
Traffic Flow—Fully Inline: Physical Separation
Physical Network Separation Using Separate LB Interfaces
• Load Balancer is directly inline between PSNs and rest of network.
• All traffic flows through Load Balancer including RADIUS, PAN/MnT, Profiling, Web Services, Management,
Feed Services, MDM, AD, LDAP…
Fully inline traffic flow recommended—physical or logical.
(Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → Network Switch (gateway 10.1.98.1) → Load Balancer with external interface 10.1.98.2 on VLAN 98 (External) and internal interface 10.1.99.1 on VLAN 99 (Internal) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7. ISE-PAN, ISE-MNT, DNS, AD, NTP, LDAP, External Logger, SMTP and MDM sit on the external side.)
Traffic Flow—Fully Inline: VLAN Separation
Logical Network Separation Using Single LB Interface and VLAN Trunking
• LB is directly inline between ISE PSNs and rest of network.
• All traffic flows through LB including RADIUS, PAN/MnT, Profiling, Web Services, Management,
Feed Services, MDM, AD, LDAP…
(Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → Network Switch (gateway 10.1.98.1) → Load Balancer (VIP: 10.1.98.8) attached over a single trunked interface carrying VLAN 98 (External, 10.1.98.2) and VLAN 99 (Internal, 10.1.99.1) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7. ISE-PAN, ISE-MNT, DNS, AD, NTP, LDAP, External Logger, SMTP and MDM sit on the external side.)
Partially Inline: Layer 2/Same VLAN (One PSN Interface)
Direct PSN Connections to LB and Rest of Network
• All inbound LB traffic such as RADIUS, Profiling, and directed Web Services sent to LB VIP.
• Other inbound non-LB traffic bypasses LB including redirected Web Services, PAN/MnT,
Management, Feed Services, MDM, AD, LDAP…
• All outbound traffic from PSNs sent to LB as DFGW.
(Diagram: NAD (NAS IP: 10.1.50.2) behind gateway 10.1.98.1; Load Balancer 10.1.98.2 with VIP 10.1.98.8; ISE-PSN-1 10.1.98.5, ISE-PSN-2 10.1.98.6, ISE-PSN-3 10.1.98.7, all on VLAN 98.)
DNS request sent to resolve service at single host FQDN ‘psn-cluster’
(Diagram: Access Device/User sends DNS Lookup = psn-cluster.company.com to the DNS Server; DNS Response = 10.1.98.8. Request to psn-cluster.company.com is sent to the Load Balancer Virtual IP Address (VIP) 10.1.98.8 (PSN-CLUSTER: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7); Response from ise-psn-3.company.com, i.e. received from real server ise-psn-3 @ 10.1.99.7.)
Load Balancing Policy Services
• RADIUS AAA Services
Packets sent to LB virtual IP are load-balanced to real PSN based on configured algorithm. Sticky algorithm determines
method to ensure same Policy Service node services same endpoint.
• Web Direct HTTP/S Services: Local WebAuth (LWA) / Sponsor / MyDevices Portal, OCSP
Single web portal domain name should resolve to LB virtual IP for http/s load balancing.
(Diagram: Access Device with `radius-server host 10.1.98.8` sends RADIUS AUTH and ACCTG requests to VIP 10.1.98.8 on the Load Balancer (PSN-CLUSTER: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7); AUTH and ACCTG responses come from 10.1.99.7.)
1. NAD has single RADIUS Server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP 10.1.98.8
3. Requests for same endpoint load balanced to same PSN via sticky based
on RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS Response received from real server ise-psn-3 @ 10.1.99.7
5. RADIUS Accounting sent to/from same PSN based on sticky
Load Balancer General RADIUS Guidelines (For Your Reference)
RADIUS Servers and Clients – Where Defined
• ISE Admin Node > Network Devices (RADIUS Clients)
• PSNs are RADIUS Servers for Health Probes. Example health monitor:
Name               PSN-Probe
Type               RADIUS
Interval           15
Timeout            46
User Name          radprobe
Password           cisco123
Alias Service Port 1812
• Load Balancer VIP is RADIUS Server (on the access device):
radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test username radtest ignore-acct-port key cisco123
(Diagram: User → Access Device (NAS IP: 10.1.50.2) → F5 LTM Load Balancer (VIP: 10.1.98.8, internal 10.1.99.1) → ISE-PSN-1, ISE-PSN-2, ISE-PSN-3; ISE-PAN-1 and ISE-MNT-1 on the external side.)
Add LB as NAD for RADIUS Health Monitoring (For Your Reference)
Administration > Network Resources > Network Devices
(Screenshot: F5 LTM Load Balancer at 10.1.99.1 added as a network device in front of ISE-PSN-1, ISE-PSN-2, ISE-PSN-3.)
Load Balancer Persistence (Stickiness) Guidelines
Persistence Attributes
• Common RADIUS Sticky Attributes
o Client Address: Calling-Station-ID (MAC Address=00:C0:FF:1A:2B:3C), Framed-IP-Address (IP Address=10.1.10.101)
o NAD Address: NAS-IP-Address, Source IP Address (10.1.50.2)
(Diagram: Device → NAD 10.1.50.2 → VIP 10.1.98.8 → ISE-PSN-1; Session: 00aa…99ff. Before/After views of persistence across VLAN 98 (10.1.98.0/24) and VLAN 99 (10.1.99.0/24) with ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7.)
(Diagram, URL-redirected web flow: RADIUS request to psn-cluster.company.com (Load Balancer VIP 10.1.98.8; PSN-CLUSTER: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7); RADIUS response from ise-psn-3.company.com; the user is redirected to https://ise-psn-3.company.com:8443/...; HTTPS response from ise-psn-3.company.com.)
(Diagram, sponsor portal without SAN: DNS Lookup = sponsor.company.com, DNS Response = 10.1.98.8; the user opens http://sponsor.company.com at the Load Balancer VIP 10.1.98.8 and is sent to https://sponsor.company.com:8443/sponsorportal on ISE-PSN-3 (10.1.99.7), whose ISE Certificate Subject = ise-psn-3.company.com.)
Name Mismatch!
Requested URL = sponsor.company.com
Certificate Subject = ise-psn-3.company.com
ISE Certificate with SAN
No Certificate Warning
(Diagram, same flow: ISE-PSN-3 presents an ISE Certificate with Subject = ise-psn.company.com and SAN = ise-psn-1.company.com, ise-psn-2.company.com, ise-psn-3.company.com, sponsor.company.com.)
Certificate OK!
Requested URL = sponsor.company.com
Certificate SAN = sponsor.company.com
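The hostname check behind the "Name Mismatch!" and "Certificate OK!" outcomes above, as an added example that is not ISE or load-balancer code; the certificates are constructed dicts in the shape Python's ssl.getpeercert() returns, and the wildcard handling goes beyond the slide's two cases.

```python
"""Added example (not ISE or load-balancer code): the hostname check a browser
applies to the sponsor portal above, which is why the certificate on every PSN
must carry the portal FQDN in its SAN.

The browser requested sponsor.company.com but the load balancer handed the
session to ISE-PSN-3, which presents its own certificate. RFC 6125 rules:
SAN dNSName entries are authoritative whenever any are present (the CN is
then ignored), the CN is consulted only when the certificate has no SAN
dNSName, comparison is case-insensitive, and a wildcard matches exactly one
leftmost label. The certificates below are constructed dicts in the shape
ssl.getpeercert() returns, not real certificates.
"""
from typing import Dict, List, Tuple


def dns_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for: SAN dNSName list, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' may only be the whole leftmost label of a
    name with at least two more labels (so *.com matches nothing)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert: Dict, requested: str) -> Tuple[bool, str]:
    """(ok, verdict) for the name the client typed versus the cert the real server sent."""
    names = dns_names(cert)
    for name in names:
        if name_matches(name, requested):
            return True, f"Certificate OK! Requested URL = {requested}, matched {name}"
    return False, f"Name Mismatch! Requested URL = {requested}, certificate names = {names}"


# Constructed: per-node certificate on ISE-PSN-3 with no SAN (the failing slide)
PSN3_CERT = {"subject": ((("commonName", "ise-psn-3.company.com"),),)}

# Constructed: one certificate installed on all PSNs, SAN covers node and portal names
SAN_CERT = {
    "subject": ((("commonName", "ise-psn.company.com"),),),
    "subjectAltName": (("DNS", "ise-psn-1.company.com"), ("DNS", "ise-psn-2.company.com"),
                       ("DNS", "ise-psn-3.company.com"), ("DNS", "sponsor.company.com")),
}

# Constructed trap: portal name only in the CN while a SAN exists, so the CN is ignored
CN_ONLY_TRAP_CERT = {
    "subject": ((("commonName", "sponsor.company.com"),),),
    "subjectAltName": (("DNS", "ise-psn-3.company.com"),),
}

if __name__ == "__main__":
    for label, cert in (("PSN3_CERT", PSN3_CERT), ("SAN_CERT", SAN_CERT),
                        ("CN_ONLY_TRAP_CERT", CN_ONLY_TRAP_CERT)):
        print(label, "->", check_hostname(cert, "sponsor.company.com")[1])
```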
Load Balancing Preparation
Configure DNS and Certificates
• Configure DNS entry for PSN cluster(s) and assign VIP IP address.
Example: psn-cluster.company.com
DNS SERVER: DOMAIN = COMPANY.COM
PSN-CLUSTER  IN A 10.1.98.8
SPONSOR      IN A 10.1.98.8
MYDEVICES    IN A 10.1.98.8
ISE-PSN-1    IN A 10.1.99.5
ISE-PSN-2    IN A 10.1.99.6
ISE-PSN-3    IN A 10.1.99.7
(Diagram: ise-psn.company.com; Load Balancer at .8 on 10.1.98.0/24 with gateway .1; ISE-PSN-1 .5, ISE-PSN-2 .6, ISE-PSN-3 .7, ISE-PSN-X .x; User on 10.1.10.0/24 via L3 Switch. Second view: the same PSNs with dedicated web interfaces on 10.1.91.0/24.)
Guest Portals
RADIUS session load-balanced to PSN @ 10.1.99.6
URL Redirect automatically includes FQDN/Interface IP of Web Portal interface for same PSN @
10.1.91.6: https://ise-psn-2-guest.company.com:8443/guestportal/Login...
Source NAT web traffic from user networks destined to PSN web interfaces @ 10.1.91.x; translate to 10.1.91.x
(or any address block that can be statically added to PSN route table)
Ensures all Web requests received by PSN web interface are returned out same interface.
SNAT on LB for Dedicated Web Interfaces (ISE 1.2)
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces
(Diagram: User B on 10.1.11.0/24 and User C on 10.1.12.0/24 (gateway .1 each), plus a VPN NAD, reach the Load Balancer (.1) in front of ISE-PSN-1 .5, ISE-PSN-2 .6, ISE-PSN-3 .7 and ISE-PSN-X .x on the dedicated web network 10.1.91.0/24.)
Direct-Access Portals:
Enable SNAT on Virtual Servers for ISE Sponsor, My Devices, and LWA portals.
CWA Example
DNS and Port Settings–Single Interface Enabled for Guest Portal
(Diagram: DHCP relay flow ending at PSN @ 10.1.99.7 (ISE-PSN-3).)
1. Client OS sends DHCP Request
2. Next hop router with IP Helper configured forwards DHCP request to
real DHCP server and to secondary entry = LB VIP
3. Real DHCP server responds and provides client a valid IP address
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on
source IP sticky (L3 gateway) or DHCP field parsed from request.
Load Balancing Simplifies Device Configuration
L3 Switch Example for DHCP Relay
• Before
!
interface Vlan10
 description EMPLOYEE
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.100   <--- Real DHCP Server
 ip helper-address 10.1.99.5      <--- ISE-PSN-1
 ip helper-address 10.1.99.6      <--- ISE-PSN-2
!
• After
!
interface Vlan10
 description EMPLOYEE
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.100   <--- Real DHCP Server
 ip helper-address 10.1.98.8      <--- LB VIP
!
Settings apply to each L3 interface servicing DHCP endpoints.
Load Balancing Simplifies Device Configuration
Switch Example for SNMP Traps (For Your Reference)
• Before
!
snmp-server trap-source GigabitEthernet1/0/24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.99.5 version 2c public mac-notification snmp
snmp-server host 10.1.99.6 version 2c public mac-notification snmp
snmp-server host 10.1.99.7 version 2c public mac-notification snmp
!
• After
!
snmp-server trap-source GigabitEthernet1/0/24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.98.8 version 2c public mac-notification snmp
!
Profiling Services using Load Balancers (For Your Reference)
Which PSN Service Processes Profile Data?
• Profiling Probes
The following profile data can be load balanced to PSN VIP but may not be processed by same PSN that
terminated RADIUS:
• DHCP IP Helper to DHCP probe
• NetFlow export to NetFlow Probe
• SNMP Traps
(Option to leverage Anycast to reduce log targets and facilitate HA)
• DNS Probe
Submitted by same PSN which obtains IP data for endpoint. Typically the same PSN that processes RADIUS,
DHCP, or SNMP Query Probe data.
• NMAP Probe
Submitted by same PSN which obtains data which matches profile rule condition.
(Diagram: Persistence Cache: 11:22:33:44:55:66 -> PSN-3; requests evenly distributed across real servers ise-psn-1, ise-psn-2, ise-psn-3; PSN 10.1.99.5.)
Live Log Output for Load Balanced Sessions (For Your Reference)
Real Transactions
(Screenshot: Live Log entries numbered 1-4.)
• CoA is sent from same PSN that is handling the auth session.
• dACL downloads are sent from switch itself without a Calling-Station-Id or Framed-IP-Address. Request can be
load balanced to any PSN. Not required to pull dACL from same PSN as auth.
ISE and Load Balancers (For Your Reference)
Failure Scenarios
• The VIP is the RADIUS Server, so if the entire VIP is down, then the NAD should fail over
to the secondary Data Center VIP (listed as the secondary RADIUS server on the NAD).
• Probes on the load balancers should ensure that RADIUS is responding as well as
HTTPS, at a minimum.
• Validate that RADIUS responds, not just that UDP/1812 & UDP/1813 are open
• Validate that HTTPS responds, not just that TCP/8443 is open
• Upon detection of failed node using probes (or node taken out of service), new requests
will be serviced by remaining nodes. Minimum N+1 redundancy recommended for node groups.
• Configure LB cluster as a node group.
• If node group member fails, then another node-group member will issue CoA-reauth for Posture
Pending sessions, forcing the sessions to begin again and not be hung.
• Note: Node groups do not require load balancers, but nodes still must meet IP multicast
requirements.
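What "validate that RADIUS responds, not just that UDP/1812 is open" means on the wire, as an added example that is not Cisco ACE or F5 code: it builds the PAP Access-Request a probe like `probe radius PSN-PROBE` (credentials radprobe/cisco123, secret cisco123, NAS IP 10.1.99.2) would send and verifies the reply's Response Authenticator; the reply is constructed locally and nothing is transmitted.

```python
"""Added example (not ACE/F5 code): what a real RADIUS health probe checks,
versus a bare "is UDP/1812 open" test.

A load balancer probe such as the ACE `probe radius PSN-PROBE` with
`credentials radprobe cisco123 secret cisco123` sends a PAP Access-Request
and expects an Access-Accept or Access-Reject whose Response Authenticator
verifies under the shared secret (RFC 2865 section 3). Either code proves
the PSN's RADIUS service is up and using the expected secret; an open UDP
port proves neither. The packet is built and parsed here without any
network I/O; the reply is constructed the way a live PSN would compute it.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, user: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = None):
    """Return (packet, request_authenticator) for a PAP probe like the ACE one above."""
    auth = authenticator or os.urandom(16)   # fresh random Request Authenticator per probe
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs, auth


def verify_response(reply: bytes, request_authenticator: bytes, secret: bytes, expected_id: int):
    """Return the reply's Code only if length, Identifier and Response Authenticator
    (MD5(Code+ID+Length+RequestAuth+Attributes+Secret)) all check out, else None."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != expected_id:
        return None
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        return None   # wrong shared secret, or a forged/corrupted reply
    return code


def probe_ok(reply: bytes, request_authenticator: bytes, secret: bytes, expected_id: int) -> bool:
    """Health check passes on Accept OR Reject: both prove RADIUS is answering."""
    return verify_response(reply, request_authenticator, secret, expected_id) in (ACCESS_ACCEPT, ACCESS_REJECT)


def make_reply(code: int, request: bytes, secret: bytes) -> bytes:
    """Constructed server reply with no attributes, as a live PSN would compute it."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


if __name__ == "__main__":
    secret = b"cisco123"
    pkt, req_auth = build_access_request(1, "radprobe", "cisco123", secret, "10.1.99.2")
    reply = make_reply(ACCESS_REJECT, pkt, secret)
    print("probe with correct secret:", probe_ok(reply, req_auth, secret, 1))
    print("probe with wrong secret:  ", probe_ok(reply, req_auth, b"wrong", 1))
```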
ISE and Load Balancers (For Your Reference)
General Guidelines
• Do not use Source NAT (SNAT) from access layer for RADIUS; SNAT optional for HTTP/S:
• ISE uses Layer 3 address to identify NAD, not NAS-IP-Address in RADIUS packet, so CoA fails.
• Each PSN must be reachable by the PAN / MNT directly without NAT.
• Each PSN must be reachable directly from client network for URL redirects (*Note sticky exception)
• Perform sticky (aka: persistence) based on Calling-Station-ID.
• Some load balancers support RADIUS Session ID; Others may be limited to Source IP (NAD IP).
• Optional “sticky buddies” (secondary attributes that persist different traffic to same PSN)
• *Framed-IP-Address if URL redirects must be sent through LB and not bypass LB.
• DHCP Requested IP Address to ensure DHCP Profile data hits same PSN that terminated RADIUS.
• VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
• Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
• If source NAT PSN-initiated CoA traffic, then can list single VIP in NAD CoA list.
• Load Balancers get listed as NADs in ISE so their test authentications may be answered.
Sample ACE Configuration (For Your Reference)
Sample ACE Configuration… (For Your Reference)
Health Probes and Real Servers
• Define TCP or HTTP/S probe to verify web services active on configured HTTPS ports.
(Simple example; HTTP/S probe recommended)
probe tcp 8443-PROBE
  port 8443
  interval 30
  passdetect interval 90
  connection term forced
  open 1
probe radius PSN-PROBE
  port 1812
  interval 10
  passdetect interval 90
  credentials radprobe cisco123 secret cisco123
  nas ip address 10.1.99.2
• Sample ping probe
probe icmp ping
  interval 15
  passdetect interval 60
• Optional ACL to define traffic permitted to/from each interface
access-list ALL line 1 extended permit ip any any
• Client-facing interface—includes general service policy for LB services
interface vlan 98
  description ACE
  ip address 10.1.98.2 255.255.255.0
  access-group input ALL
  service-policy input RAD-L4-POLICY
  no shutdown
• Server-facing interface
interface vlan 99
  description CLUSTER
  ip address 10.1.99.1 255.255.255.0
  alias 10.1.99.2 255.255.255.0
  mac-sticky enable
  no icmp-guard
  access-group input ALL
  no shutdown
• Default route pointing to upstream L3 switch.
ip route 10.1.0.0 255.255.0.0 10.1.98.1
Sample ACE Configuration… (For Your Reference)
Allow NAT of PSN CoA Requests
• Match traffic from PSNs to UDP/1700 (RADIUS CoA) and translate to PSN cluster VIP.
access-list NAT-COA line 5 extended permit udp 10.1.99.0 255.255.255.248 any eq 1700
class-map match-any NAT-CLASS
  2 match access-list NAT-COA
policy-map multi-match NAT-POLICY
  class NAT-CLASS
    nat dynamic 1 vlan 98
interface vlan 98
  nat-pool 1 10.1.98.10 10.1.98.10 netmask 255.255.255.255 pat
interface vlan 99
  service-policy input NAT-POLICY
(Diagram: CoA from ISE-PSN-1 with SRC=10.1.99.5 leaves the ACE LB with SRC=10.1.98.10; PSNs 10.1.99.5, 10.1.99.6, 10.1.99.7 … ISE-PSN-X 10.1.99.x.)
• Before
aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
 client 10.1.99.8 server-key cisco123
 client 10.1.99.9 server-key cisco123
 client 10.1.99.10 server-key cisco123
 <…one entry per PSN…>
• After
aaa server radius dynamic-author
 client 10.1.98.10 server-key cisco123
Sample ACE Configuration… (For Your Reference)
Allow Ping for ISE PSNs / UDP Connection Timer
• Allow ISE nodes to ping default gateway. Otherwise, install fails!
class-map type management match-any remote_access
  2 match protocol icmp any
Sample F5 LTM
Config
For Your
Reference
Forwarding Non-LB
Traffic
High-Level Load Balancing Diagram For Your
Reference
DNS
NTP
External SMTP
ISE-PAN-1 ISE-MNT-1 Logger MDM AD/LDAP
10.1.99.7
ISE-PSN-3
ISE-PAN-2 ISE-MNT-2
Non-LB Traffic that Requires IP Forwarding
Inter-node/Management/Repository/ID Stores/Feeds/Profiling/Redirected Web/RADIUS CoA
RADIUS Health Monitors
Load Balancer Probes Determine RADIUS Server Health Status
• Optional debug logging: enable for troubleshooting only, to reduce processing load
• Configurable persistence timeout based on media type
 o Wireless default = 1 hour
 o Wired default = 8 hours
RADIUS Persistence iRule Based on MAC
when CLIENT_DATA {
  # 0: No Debug Logging 1: Debug Logging
  set debug 0
  # Persist timeout (seconds), chosen by NAS-Port-Type (AVP 61); 19 = Wireless-802.11
  set nas_port_type [RADIUS::avp 61 "integer"]
  if {$nas_port_type equals "19"} {
    set persist_ttl 3600
    if {$debug} {set access_media "Wireless"}
  } else {
    set persist_ttl 28800
    if {$debug} {set access_media "Wired"}
  }
  # Persist on Calling-Station-Id (AVP 31) when present, else on NAS-IP-Address (AVP 4)
  if {[RADIUS::avp 31] ne ""} {
    set mac [RADIUS::avp 31 "string"]
    # Normalize MAC address to upper case
    set mac_up [string toupper $mac]
    persist uie $mac_up $persist_ttl
    if {$debug} {
      set target [persist lookup uie $mac_up]
      log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
    }
  } else {
    set nas_ip [RADIUS::avp 4 ip4]
    persist uie $nas_ip $persist_ttl
    if {$debug} {
      set target [persist lookup uie $nas_ip]
      log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
    }
  }
}
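Added example (not from the deck, F5 or Cisco): the iRule's persistence decision reproduced in Python on top of a minimal RADIUS attribute parser, so the key selection (MAC upper-cased, NAS-IP fallback) and TTL choice can be exercised offline on constructed Access-Request packets. All function names and the sample packets are this example's own.

```python
import struct

# RADIUS attribute type codes used by the iRule (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 4, 31, 61
WIRELESS_80211 = 19                    # NAS-Port-Type value the iRule tests for
ETHERNET = 15                          # NAS-Port-Type value for a wired port
WIRELESS_TTL, WIRED_TTL = 3600, 28800  # persist timeouts (seconds) from the iRule


def build_access_request(attrs, ident=1):
    """Constructed Access-Request (code 1) from (type, value-bytes) pairs;
    the 16-byte Request Authenticator is zeroed since nothing verifies it here."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + b"\x00" * 16 + body


def parse_avps(packet):
    """Return {attribute type: first value} after checking the length fields,
    so a truncated or padded datagram is rejected instead of misparsed."""
    if len(packet) < 20:
        raise ValueError("RADIUS header too short")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        avps.setdefault(t, packet[pos + 2:pos + l])  # keep first occurrence
        pos += l
    return avps


def persist_key(packet):
    """Same decision as the iRule: returns (persist key, ttl, media).
    Calling-Station-Id (AVP 31) upper-cased when present, otherwise the
    NAS-IP-Address (AVP 4); TTL chosen from NAS-Port-Type (AVP 61)."""
    avps = parse_avps(packet)
    port_type = struct.unpack("!I", avps.get(NAS_PORT_TYPE, b"\0\0\0\0"))[0]
    if port_type == WIRELESS_80211:
        ttl, media = WIRELESS_TTL, "Wireless"
    else:
        ttl, media = WIRED_TTL, "Wired"
    mac = avps.get(CALLING_STATION_ID, b"")
    if mac:
        return mac.decode("ascii").upper(), ttl, media
    nas_ip = ".".join(str(b) for b in avps[NAS_IP_ADDRESS])
    return nas_ip, ttl, media


def sample_wireless_request():
    """Constructed sample: wireless client carrying a Calling-Station-Id."""
    return build_access_request([
        (USER_NAME, b"employee1"),
        (NAS_IP_ADDRESS, bytes([10, 1, 98, 8])),
        (CALLING_STATION_ID, b"00:0c:29:3c:8d:ca"),
        (NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)),
    ])


def sample_wired_request_no_mac():
    """Constructed sample: wired request without AVP 31, forcing NAS-IP fallback."""
    return build_access_request([
        (USER_NAME, b"employee2"),
        (NAS_IP_ADDRESS, bytes([10, 1, 98, 8])),
        (NAS_PORT_TYPE, struct.pack("!I", ETHERNET)),
    ])
```

The NAS-IP fallback pins every MAC-less request from that NAD to a single PSN, which is why the iRule logs that branch at alert level.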
Configure Persistence Profile for RADIUS
Local Traffic > Profiles > Persistence
Server pool for RADIUS authentication:
• Load Balancing Method options: Least Connections (node); Least Connections (member)
• Server Port: 1812 or 1645
Configure Server Pool for RADIUS Accounting
Local Traffic > Pools > Pool List
• Load Balancing Method options: Least Connections (node); Least Connections (member); Fastest (application)
• Server Port: 1813 or 1646
Configure Virtual Server for RADIUS Auth (Properties)
Local Traffic > Virtual Servers > Virtual Server List
• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = RADIUS Virtual IP
• Service Port = 1812 or 1645
Configure Virtual Server for RADIUS Auth (Advanced)
Local Traffic > Virtual Servers
• Protocol = UDP
• Protocol Profile = udp or custom UDP profile
• RADIUS Profile = radiusLB or custom RADIUS profile
• Optional: Limit traffic to specific VLAN(s)
• SNAT = None
Configure Virtual Server for RADIUS Auth (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources
Configure SNAT Pool List for RADIUS CoA
Local Traffic > Address Translation > SNAT Pool List
Configure Virtual Server to SNAT RADIUS CoA (Advanced)
Local Traffic > Virtual Servers
• Protocol = UDP
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation = SNAT
• SNAT Pool = CoA SNAT Pool List
• Resources = None
Diagram components: iRule, Persistence Profile, Virtual Server, Pool List, Member Nodes
Configure UDP Profile for Profiling
Local Traffic > Profiles > Protocol > UDP
• Alternative to basic Source Address-based persistence
• Sample iRule based on client MAC address parsed from DHCP Request packets
• Allows DHCP for given endpoint to persist to same PSN serving RADIUS for same endpoint
• Recommend copy and paste working iRule into text area.
Optional: Configure Persistence Profile for Profiling
Local Traffic > Profiles > Persistence
Configure Member Nodes in DHCP Profiling Pool
Local Traffic > Pools > Members
• Load Balancing Method = Round Robin
• Server Port = 67 (DHCP Server)
Configure Server Pool for SNMP Trap Profiling
Local Traffic > Pools
• Same settings as DHCP Profiling Pool except members configured for UDP Port 162.
Configure Virtual Server for DHCP Profiling (Properties)
Local Traffic > Virtual Servers > Virtual Server List
• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Can be same as RADIUS Virtual IP or unique IP.
Configure Virtual Server for DHCP Profiling (Advanced)
Local Traffic > Virtual Servers
• Protocol = UDP
• Protocol Profile = udp or custom UDP profile
• Optional: Limit traffic to specific VLAN(s)
Configure Virtual Server for DHCP Profiling (Resources)
Local Traffic > Virtual Servers > Resources
• Default Pool = DHCP Profiling Pool
• Default Persistence Profile = Persistence Profile based on Source Address Affinity, OR DHCP persistence profile
• Fallback Persistence Profile:
 o DHCP iRule setting overrides value set here.
 o If not configured in iRule, set optional value here. Example: profiling_source_addr
• If persistence profile based on Source Address Affinity (source_addr), recommend creating a new profile to allow custom timers and “Match Across” settings.
Configure Virtual Server for SNMP Trap Profiling
Local Traffic > Virtual Servers
Diagram components: Persistence Profile, Virtual Server, Member Nodes
Configure HTTPS Health Monitor
Local Traffic > Monitors
Configure Persistence Profile for HTTPS
Local Traffic > Profiles > Persistence
Configure Member Nodes in Web Services Pool
Local Traffic > Pools > Pool List > Members
• Load Balancing Method options: Least Connections (node); Least Connections (member); Fastest (application)
• Server Port = 0 (all ports)
Configure Virtual Server for Web Portals (Properties)
Local Traffic > Virtual Servers > Virtual Server List
• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Web Portal Virtual IP
• Service Port = Web Portal Port configured in ISE (default 8443)
Configure Virtual Server for HTTPS Portals (Advanced)
Local Traffic > Virtual Servers
• Protocol = TCP
• Protocol Profile = tcp or custom TCP profile
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation (SNAT)
 • Single PSN interface: None
 • Dedicated PSN interface (ISE 1.2): Auto Map
 • Dedicated PSN interface (ISE 1.3): None or Auto Map
Configure Virtual Server for HTTPS Portals (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources
Provided a dedicated interface or LB VIPs are used, Anycast may be used for Profiling, Web Portals (Sponsor, Guest LWA, and MDP) and RADIUS AAA! Ex: 10.10.10.10 shared by ISE-PSN-1 and the other PSNs.
ISE Configuration for Anycast
On each PSN that will participate in Anycast…
1. Configure PSN probes to profile DHCP (IP Helper), SNMP Traps, or NetFlow on dedicated interface
2. From CLI, configure dedicated interface with same IP address on each PSN node.
ISE-PSN-1 Example:
ise-psn-1/admin# config t
ise-psn-1/admin(config)# int GigabitEthernet1
ise-psn-1/admin(config-GigabitEthernet)# ip address 10.10.10.10 255.255.255.0
ISE-PSN-2 Example:
ise-psn-2/admin# config t
ise-psn-2/admin(config)# int GigabitEthernet1
ise-psn-2/admin(config-GigabitEthernet)# ip address 10.10.10.10 255.255.255.0
Routing Configuration for Anycast
Sample Configuration
Diagram: User reaches PSN1 (10.1.2.3), PSN2 (10.4.5.6) or PSN3 (10.7.8.9) via routing to the shared Anycast address.
Diagram: RADIUS from User 1 and User 2 distributed by the NAD across PSN1 (10.1.2.3), PSN2 (10.4.5.6) and PSN3 (10.7.8.9).
• NAD controls the load distribution of AAA requests to all PSNs in RADIUS group without dedicated LB.
• Reasonable load distribution across all PSNs
cat3750x# test aaa group radius radtest cisco123 new users 4 count 50
AAA/SG/TEST: Sending 50 Access-Requests @ 10/sec, 0 Accounting-Requests @ 10/sec
NAD-Based RADIUS Redundancy (WLC)
Wireless LAN Controller
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml
HA/LB Summary Table
Comparison of Various HA/LB Methods
HA/LB Method | Where Configured? | Primary Use Cases | Pros | Cons
Local Load Balancers | Centrally using LB near PSN cluster | RADIUS, HTTP/S, Profiling | Large scaling, fast failover, better load distribution, in/out servicing, single IP | Higher cost and complexity
DNS/Global LB | Centrally using DNS | LWA / Sponsor / MDP Portals | Large scaling, better load distribution, in/out servicing, single URL | Somewhat higher cost and complexity
Anycast | Centrally using routing | Web Portals, Profiling | Lower cost, supports simple route-based distribution, in/out service, single IP | Higher complexity
NAD RADIUS Server List | Distributed in local NAD config | RADIUS | Low cost and complexity, deterministic distribution | Management of distributed lists, poor load distribution
IOS RADIUS LB | Distributed in local NAD config | RADIUS | Low cost and complexity, better per-NAD load distribution | Management of distributed lists
NAD Fallback and Recovery
Common Questions
Q: How does NAD detect failed RADIUS servers?
A: Test Probes and Test User accounts
Q: What is the default behavior when ALL RADIUS servers are down?
A: Unless using ‘authentication open’, no access is granted for unauthorized ports.
Q: Which fallback methods are available?
A: Critical Authentication VLAN for Data and Voice; Critical ACLs; EEM controls
Q: What is the impact of using VLAN-based fallback methods?
A: Users may still be blocked by port ACLs or may not get an IP if the VLAN changes
Q: Which recovery methods are available?
A: Reinitialize ports when a RADIUS server becomes available
NAD Fallback and Recovery
In example, servers are marked “dead” if no response in 60 seconds (1 transmit + 3 retransmits w/15 second timeout).
radius-server dead-criteria time 15 tries 3
 ! Conditions to mark server as “dead” (Ex: 60 sec.)
radius-server deadtime 2
 ! Minutes before retrying server marked as “dead”
authentication critical recovery delay 1000
 ! Throttle requests for critical ports once server “alive”
dot1x critical eapol
 ! Send EAPOL-Success when auth critical port
epm access-control open
 ! Permit access if no dACL returned with successful auth
radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test username radtest ignore-acct-port key cisco123
 ! RADIUS server definition including periodic test to detect server dead/alive:
 ! username ‘radtest’: Locally defined test user to auth
 ! idle-time: default = 60 = “Send test probe 1 per hour”
 ! ignore-acct-port: Test auth-port only
radius-server host 10.2.101.3 auth-port 1812 acct-port 1813 test username radtest ignore-acct-port key cisco123
 ! Fallback RADIUS server if primary server fails
NAD Fallback and Recovery
‘aaa radius group’ Example
Diagram (timeline): Retry after 15 sec Auth-Timeout; radius-server dead-criteria 15 tries 3; Dead after 15 sec Auth-Timeout; SERVER DEAD; 60 minute Idle-Time; Traffic permitted per RADIUS authorization; Recovery
• IOS Example: If goal is to validate backend ID store, then Auth Fail may not detect external ID store failure.
 Solution: Drop authentication requests when external ID store is down.
• Identity Server Sequence > Advanced Settings: Authentication Policy > ID Source custom processing based on authentication results
• If a valid user account is used, how to prevent unauthorized access using the probe account?
 If Auth Fail is treated as probe failure, then a valid account is needed in the ISE db or external store.
 • Match auth from probes to specific source/NDG, Service Type, or User Name.
 • Allow AuthN to succeed, but return AuthZ that denies access: Access-Accept with dACL = deny ip any any
Inaccessible Authentication Bypass (IAB)
Also Known As “Critical Auth VLAN” for Data
Diagram: port moves from Access VLAN to Critical VLAN when WAN / Internet or PSN is down
Sample Configuration
radius-server host 10.1.10.50 test username KeepAliveUser key cisco
radius-server dead-criteria time 15 tries 3
radius-server deadtime 1
interface GigabitEthernet1/13
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication order dot1x mab
 dot1x pae authenticator
 authentication port-control auto
 dot1x timeout tx-period 10
 dot1x max-req 2
 mab
 spanning-tree portfast
Critical Auth for Data
• Multi-Auth:
Router(config-if)# authentication event server dead action reinitialize vlan 10
Router(config-if)# authentication event server dead action authorize voice
Behavior: All existing data sessions re-authorized to VLAN 10; New sessions are authorized to VLAN 10
• Catalyst Switch Support:
Series | Multi-Auth w/VLAN | Critical Auth for Voice
2k/3k | 12.2(55)SE | 15.0(1)SE
4k | 15.0(2)SG, IOS XE 3.2.0SG | 15.0(2)SG, IOS XE 3.2.0SG
6k | 12.2(33)SXJ | 12.2(33)SXJ1
Default Port ACL Issues with No dACL Authorization
Limited Access If ISE Policy Fails to Return dACL!
• User authentication is successful, but the authorization profile does not include a dACL to permit access, so endpoint access is still restricted by the existing port ACL!
Diagram: EAP Request / RADIUS Access-Request; EAP Success / RADIUS Access-Accept with Authorization Profile = Employee, Access Type = Access-Accept; Auth Success, ALL traffic allowed? NO dACL!
epm access-control open
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport voice vlan 13
 ip access-group ACL-DEFAULT in
Insert at top of port ACL: permit ip any any
Catalyst Switch Support: 2k/3k: 12.2(55)SE; 4k: 12.2(54)G; 6k: 15.2(1)SY
Default Port ACL Issues with Critical VLAN
Limited Access Even After Authorization to New VLAN!
• Data VLAN reassigned to critical auth VLAN, but new (or reinitialized) connections are still restricted by existing port ACL!
Diagram: Gi1/0/2 moved to Critical VLAN (Voice VLAN unchanged) while WAN or PSN down; Default ACL still applied, so only DHCP/DNS/PING/TFTP allowed!
• One solution to dACL + Critical Auth VLAN issue is to simply remove the port ACL!
• No static port ACL required for dACLs in current 2k/3k/4k. (2k/3k: 12.2(55)SE; 4k: 12.2(54)G; 6k: 15.2(1)SY)
• Low Impact Mode Use Case:
 • Initial access permits all traffic
 • Pro: Immediately allows access to critical services for all endpoints including PXE and WoL devices
 • Con: Temporary window which allows any unauthenticated endpoint to get full access
Diagram: with ACL-DEFAULT applied, only DHCP/DNS/PING/TFTP allowed; with ACL-DEFAULT removed, all user traffic allowed
• EEM detects syslog message %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found and removes ACL-DEFAULT.
event manager applet remove-default-acl
 event syslog pattern "%RADIUS-4-RADIUS_DEAD" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "interface range gigabitEthernet 1/0/1 - 24"
 action 3.0 cli command "no ip access-group ACL-DEFAULT in"
 action 4.0 cli command "end"
• EEM detects syslog message %RADIUS-6-SERVERALIVE: Group radius: Radius server 10.1.98.8:1812,1813 is responding again (previously dead) and adds ACL-DEFAULT.
event manager applet add-default-acl
 event syslog pattern "%RADIUS-4-RADIUS_ALIVE" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t" pattern "CNTL/Z."
 action 2.0 cli command "interface range gigabitEthernet 1/0/1 - 24"
 action 3.0 cli command "ip access-group ACL-DEFAULT in"
 action 4.0 cli command "end"
EEM Example 2
Modify Port ACL Based on Route Tracking
Diagram: Gi1/0/2 in Critical VLAN (Voice VLAN unchanged) while WAN or PSN down. With the Default ACL, only DHCP/DNS/PING/TFTP allowed! With the Critical ACL: Deny PCI networks; Permit Everything Else!
policy-map type control subscriber ACCESS-POLICY
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 activate service-template CRITICAL-ACCESS
!
service-template CRITICAL-ACCESS
 access-group ACL-CRITICAL
!
service-template CRITICAL_AUTH_VLAN
 vlan 10
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
!
ip access-list extended ACL-CRITICAL
 remark Deny access to PCI zone scopes
 deny udp any 172.16.8.0 255.255.240.0
 deny icmp any 172.16.8.0 255.255.240.0
 deny ip any 192.168.0.0 255.255.0.0
 permit ip any any
Critical MAB
Local Authentication during Server failure
Diagram: endpoints 000c.293c.8dca and 000c.293c.331e on the access switch while the WAN path to the PSN is down
username 000c293c8dca password 0 000c293c8dca
username 000c293c8dca aaa attribute list mab-local
!
aaa local authentication default authorization mab-local
aaa authorization credential-download mab-local local
!
aaa attribute list mab-local
 attribute type tunnel-medium-type all-802
 attribute type tunnel-private-group-id "150"
 attribute type tunnel-type vlan
 attribute type inacl "CRITICAL-V4"
!
policy-map type control subscriber ACCESS-POL
 ...
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authenticate using mab aaa authc-list mab-local authz-list mab-local
 ...
• Profiling
 Is distributed Profiling required to support specific collection methods?
 Some profiling techniques like SPAN assume a specific PSN connection. If that particular PSN is not available, you will need to move SPAN to another PSN or else consider duplication of profiling data to more than one node.
 SNMP Poll Probe is not automatically reassigned; the failed PSN must be deregistered.
• LWA
 Access devices like WLC typically support the entry of only a single URL for LWA to an external server. DNS LB or Anycast may be an option. If not using LB, then the WLC URL may need to be changed if the target PSN is down.
Key Performance Metrics (KPM)
KPM in a Nutshell
What is KPM?
• KPM stands for Key Performance Metrics. These are the metrics collected from the MNT nodes about the Endpoints and their artifacts.
Benefits of KPM:
• There are two flavors captured in two separate spreadsheets.
• Endpoints Onboarding data: Measure key performance metrics about Endpoints, like Total, Active, Successful, Failures, Endpoints on-boarded/day
• Endpoints Transactional Load data: # RADIUS requests at a PSN level/hr, RADIUS requests to # Active EP ratio, how much of this data was persisted in the MNT table and how many records were suppressed (to determine the suppression ratio), the Avg and Max load on the PSN during that hour, the latency and Avg TPS.
Key Performance Metrics (KPM) New in ISE 1.4
# application configure ise (Option 12 and 13)
• Generate performance metrics:
 • Endpoints Onboarding
 • Endpoints Transactional Load
• Output files: KPM_TRX_LOAD_<DATE>.xls and KPM_ONBOARDING_RESULTS_<DATE>.xls
Exiting Large Scale / HA Design Matrix…
Okay to Unplug
ISE Scalability and High Availability
Summary Review
• Appliance selection and persona allocation impacts deployment size.
• VM appliances need to be configured per physical appliance sizing specs.
• Profiling scalability tied to DB replication—deploy node groups and optimize PSN
collection.
• Leverage ISE 1.2 noise suppression to increase auth capacity and reduce storage reqs.
• ISE 1.3 further enhances scalability with multi-AD and auto-device registration & purge.
• Admin, MnT, pxGrid, and IPN HA based on a Primary to Secondary node failover.
• Load balancers can offer higher scaling and redundancy for PSN clusters.
• Non-LB options include “smart” DNS, AnyCast, multiple RADIUS server definitions in the
access devices, and IOS RADIUS LB.
• Special consideration must be given to NAD fallback and recovery options when no
RADIUS servers are available including Critical Auth VLANs for data and voice.
• IBNS 2.0 and EEM offer advanced local intelligence in failover scenarios.
Solution Validation
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Questions ?
Thank you