Cisco Identity Services Engine (ISE) End-to-End Training

Presentation Transcript


  1. Cisco Identity Services Engine (ISE) End-to-End Training Kevin Sheahan, CCIE # 41349

  2. Agenda
     ISE Concepts
     • AAA
     • Radius
     • Use Cases / Restrictions
     • ISE Authentication Flow
     Network Access Device (NAD) Configuration
     • AAA
     • Radius
     • Interface Configuration
     • WLC
     ISE Configuration
     • Initialization/Preparation
     • Join ISE to Active Directory
     • Dynamic Profiling
     • Authentication
     • Authorization
     Troubleshooting with ISE Reports (other methods covered in the demonstration)
     *Great resource for learning Cisco ISE

  3. ISE Concepts
     AAA (Authentication, Authorization, Accounting): a security architecture through which an administrator configures network access policies and exports session information.
     Radius (Remote Authentication Dial In User Service): a client/server protocol whose authentication and authorization mechanisms let you meet security posture requirements in a granular fashion. ISE can use Cisco VSAs (Vendor Specific Attributes) to deliver proprietary capabilities when the NAD is a Cisco device that supports them.
     Use Cases: a popular BYOD (Bring Your Own Device) solution, but it is capable of much more. Not currently capable of TACACS+ (on the road map). The available feature set differs greatly depending on the license purchased.

  4. ISE Authentication Flow
     From this graphic, you can see that endpoints typically do not communicate directly with ISE. The main exception is when CWA (Central Web Authentication) is used as an authentication portal; ISE then acts as a web server that gives the user a way to enter their credentials. In other cases the endpoint and the authenticator (NAD) hold an EAPOL (Extensible Authentication Protocol over LAN) conversation. The authenticator translates the relevant information into RADIUS and exchanges the specifics with the ISE server. Depending on the authentication method, ISE consults internal and/or external identity sources to validate the credentials. Most devices support more than one authentication method, so you configure the NAD to prioritize them and ensure that endpoints/users authenticate in the most secure and reliable manner.

  5. NAD Configuration (IOS)
     Authentication, Authorization, Accounting

     aaa new-model
     !
     ! Creates an 802.1X port-based authentication method list
     aaa authentication dot1x default group radius
     !
     ! Required for VLAN/ACL assignment
     aaa authorization network default group radius
     !
     ! Authentication & authorization for webauth transactions
     aaa authorization auth-proxy default group radius
     !
     ! Enables accounting for 802.1X and MAB authentications
     aaa accounting dot1x default start-stop group radius
     !
     aaa session-id common
     !
     ! Update AAA accounting periodically every 5 minutes
     aaa accounting update periodic 5
     !
     aaa accounting system default start-stop group radius
     !
     ! Configure switch for ISE CoA (Change of Authorization)
     aaa server radius dynamic-author
      client 10.1.1.150 server-key cisco

     Remote Authentication Dial In User Service

     ! Include these attributes (Service-Type, Framed-IP-Address, Class) in access requests
     radius-server attribute 6 on-for-login-auth
     radius-server attribute 8 include-in-access-req
     radius-server attribute 25 access-request include
     ! Wait 3 x 30 seconds before marking server as dead
     radius-server dead-criteria time 30 tries 3
     !
     ! Use RFC-standard ports (1812/1813)
     radius-server host 10.1.1.150 auth-port 1812 acct-port 1813 test username test-radius key 0 cisco
     !
     radius-server vsa send accounting
     radius-server vsa send authentication
     !
     ! Send RADIUS requests from a specific VLAN interface
     ip radius source-interface Vlan100

     Interface Configuration

     interface GigabitEthernet1/0/x
      switchport mode access
      switchport access vlan <data>
      switchport voice vlan <voice>
      spanning-tree portfast
      ip access-group DEFAULT_ACL in
      authentication open
      authentication host-mode <IMPORTANT>
      authentication periodic
      authentication event fail action next-method
      authentication order mab dot1x
      authentication priority dot1x mab
      authentication violation restrict
      mab
      authentication port-control auto
      dot1x pae authenticator
      dot1x timeout tx-period 10

     Other Configurations for Typical Install

     ip device tracking
     ip device tracking probe use-svi
     dot1x system-auth-control
     ! <!! BE CAREFUL>
     ip dhcp snooping
     interface Vlan <id>
      ip helper-address <Cisco ISE IP>

     Important Notes
     There are too many configuration options for interfacing ISE with a Cisco IOS device for this to be a comprehensive training session, but it is important to know the capabilities and how to configure them. Everything on this slide can be considered a requirement for a typical ISE deployment. To learn about the many optional features and how to configure them, refer to the book as well as this Cisco Configuration Guide. ISE includes troubleshooting tools that check a switch for the appropriate configuration and report what is missing; the main one is found under Operations > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator.
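As an added example (not part of the deck and not ISE's own Evaluate Configuration Validator), the following Python script does offline what the validator mentioned above does on the box: it parses a switch running-config and reports which of the commands on this slide are missing, globally and per access port. The sample running-config, the `GigabitEthernet1/0/` access-port prefix and the chosen subsets of required commands are assumptions made here.

```python
# Added example (not from the deck, not ISE's Evaluate Configuration Validator).
# Global commands from the slide's AAA/RADIUS section (subset chosen here).
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa server radius dynamic-author",
]
# Per-port commands from the slide's interface template (subset chosen here).
REQUIRED_INTERFACE = [
    "authentication port-control auto",
    "authentication order mab dot1x",
    "mab",
    "dot1x pae authenticator",
]

def missing_commands(text, access_port_prefix="GigabitEthernet1/0/"):
    """Map 'global' and each access port to the required commands it lacks."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())  # indented sub-command
        else:
            current = None  # any other top-level line ends the interface block
            global_lines.append(raw.strip())
    report = {"global": [c for c in REQUIRED_GLOBAL if c not in global_lines]}
    for name, lines in interfaces.items():
        if name.startswith(access_port_prefix):  # only access ports get the template
            report[name] = [c for c in REQUIRED_INTERFACE if c not in lines]
    return report

# Constructed sample: the dynamic-author (CoA) line is missing globally and
# Gi1/0/2 lacks 'dot1x pae authenticator'; Vlan1 is not an access port.
SAMPLE_CONFIG = """aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication order mab dot1x
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 authentication port-control auto
 authentication order mab dot1x
 mab
interface Vlan1
 ip address 10.1.1.1 255.255.255.0"""
```

Feed it the output of `show running-config` to get a per-scope list of missing commands; an empty list means the port or the global section matches the template.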

  6. NAD Configuration (WLC)
     AAA/RADIUS (Security Tab Configuration): don't forget to add ISE as a RADIUS Accounting Server.
     WLAN Config (802.1x)

  7. NAD Configuration (WLC) Continued
     wACL (Wireless Access Control List)
     wACLs are tedious and unnecessarily complicated to configure correctly. As you may notice, the "inbound" or "outbound" direction is required whenever an access rule specifies anything in the source/destination IP fields or the source/destination port fields. The direction can be confusing until you get used to it: imagine yourself as the WLC facing the wireless client. "Inbound" is traffic from the wireless client, and "outbound" is traffic to the wireless client. The WLC does not inspect traffic or keep a dynamic connection table, so traffic must be explicitly allowed in both directions. Only when the access rule specifies "Any" in all fields may the "Any" direction be used.

  8. ISE Initialization & Preparation
     ADE-OS CLI Configuration
     The CLI is very straightforward. Like many other Cisco products, ISE is just an application that runs on ADE-OS. The OS configuration via the CLI is what you see below. There aren't many CLI considerations other than IP connectivity.
     ISE Application Status
     One of the more common ongoing uses of the CLI is to check the status of the ISE application. The application is known to take a very long time to start under certain conditions and will often stall indefinitely, requiring administrator intervention to recover.

  9. ISE Initialization & Preparation (contd.)
     Adding ISE to Microsoft Active Directory
     Adding ISE to AD requires time synchronization. It is common practice to simply use the AD server as the NTP server so that ISE keeps the same time as AD. This is because Kerberos, the authentication method used with Microsoft AD, is time-sensitive: if a different time source is used, the time difference may grow past the tolerated threshold and authentication will fail regardless of correct credentials. Once ISE is successfully connected to the AD server, you can choose whichever groups and attributes are needed to build authorization policies.

  10. ISE Initialization & Preparation (contd.)
     Dynamic Profiling (Advanced License required for a mixed deployment; Wireless License required for a wireless-only deployment)
     Probes can be enabled to give ISE the ability to dynamically maintain a list of endpoints along with important endpoint information such as type, model, location, address, etc. Each probe requires a corresponding NAD configuration in order to function: enabling the probe on ISE simply tells the ISE application to listen on a specific port, while the configuration on the NAD is what actually forwards the appropriate information to the ISE server. The only exception is the SNMP Query probe, where ISE itself issues the requests. Some probes have more ISE configuration options than others. All probes let you choose the interface on which ISE should listen for that probe's traffic, and some let you change the listening port from the default. Others, like the SNMPTRAP probe shown below, have a couple of sub-functions that may be enabled or disabled according to the information required. Again, the NAD must be configured to send the corresponding traffic (here, SNMP traps) to ISE, or the probe will not function.

  11. ISE Authentication
     Authentication Policy
     Under the "Policy" tab in the ISE menu you will find the authentication and authorization policies as well as the very important "Policy Elements" section. The authentication policy is typically configured as a rule-based, top-down structure that allows specific authentication protocols and forwards the received credentials to the configured identity store(s). We will dig into this during the video demonstration; there is too much here to include in the PPT.

  12. ISE Authorization
     Authorization Policy
     The authorization policy is typically configured as a rule-based, top-down structure that stops processing the request when the first rule is matched and forwards the resulting authorization profile to the NAD. The NAD then applies the authorization profile to the host/user session. We will dig into this during the video demonstration; there is too much here to include in the PPT. As you can see in the "Policy Elements > Results > Authorization" menu, authorization is much more granular in its policies than authentication.

  13. Troubleshooting
     Utilizing ISE Reports for Troubleshooting
     One of the most robust troubleshooting tools within ISE is not actually intended for troubleshooting. The ISE Reports engine gives an administrator visibility into virtually any authentication/authorization scenario, with verbose results available for each distinct session. ISE can be configured to summarize sessions of the same type/result to lessen the logging/storage burden; depending on the scenario, this may adversely affect troubleshooting. The Reports Selector can be found via "Operations > Reports". The best report for troubleshooting failed authentications and/or authorizations is under "ISE Reports > Auth Services Status > RADIUS Authentications". There are many filters you can apply to find specifically what you are looking for without sorting through pages of irrelevant results. Clicking the icon under the "Details" column opens a separate browser tab with the details of that particular session.

  14. Troubleshooting (contd.)
     Reviewing Details of an Authentication Failure
     Once you load the details page, you will see several sections containing the detailed processing that was completed for this failed authentication attempt. On this slide I'm unable to even scratch the surface of the details within that page; it will be covered in great detail in the video demonstration.

  15. Troubleshooting (contd.)
     For your reference, I have included one of the delivered ISE documents from a recent project, which outlines the steps necessary to use the ISE Reports engine for troubleshooting. There are many possible scenarios and conditions that may cause authentication and/or authorization to fail, so it is important to understand the vast amount of technical data on the details page. If you understand the technologies and how they interoperate within the many functions of Cisco ISE, the details page can be your one-stop shop for break/fix tickets.

  16. Thank you for taking the time to participate in this Cisco ISE End-to-End Training. While I hesitate to create a PowerPoint for any topic, it is necessary to understand what ISE is and how it brings multiple separate technologies together to perform its function(s). The book referenced on the second slide is an outstanding resource that covers all of the relevant technologies in sufficient depth to become ISE proficient. For your reference, demonstration videos will be created and posted online. Please do not hesitate to contact me directly with any technical questions or clarifications. Kevin Sheahan, CCIE # 41349
