
Published by Cisco Press (June 16, 2017) © 2017

Aaron Woland | Jamey Heary
    VitalSource eTextbook (Lifetime access)
    €55,99
    ISBN-13: 9780134586694

    Cisco ISE for BYOD and Secure Unified Access, 2nd edition

    Access details

    • Instant access once purchased
    • Fulfilled by VitalSource

    Features

    • Add notes and highlights
    • Search by keyword or page

    Language: English

    Product Information

    Fully updated: The complete guide to Cisco Identity Services Engine solutions


    Using Cisco Secure Access Architecture and Cisco Identity Services Engine, you can secure and gain control of access to your networks in a Bring Your Own Device (BYOD) world.


    This second edition of Cisco ISE for BYOD and Secure Unified Access contains more than eight brand-new chapters as well as extensively updated coverage of all the topics in the first edition, reflecting the latest technologies, features, and best practices of the ISE solution. It begins by reviewing today’s business case for identity solutions. Next, you walk through ISE foundational topics and ISE design. Then you explore how to build an access security policy using the building blocks of ISE. Next are the in-depth and advanced ISE configuration sections, followed by the troubleshooting and monitoring chapters. Finally, the book covers in depth the TACACS+ device administration solution, which is new both to ISE and to this second edition.


    With this book, you will gain an understanding of ISE configuration, such as identifying users, devices, and security posture; learn about Cisco Secure Access solutions; and master advanced techniques for securing access to networks, from dynamic segmentation to guest access and everything in between.


    Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors offer in-depth coverage of the complete lifecycle for all relevant ISE solutions, making this book a cornerstone resource whether you’re an architect, engineer, operator, or IT manager.


    • Review evolving security challenges associated with borderless networks, ubiquitous mobility, and consumerized IT

    • Understand Cisco Secure Access, the Identity Services Engine (ISE), and the building blocks of complete solutions

    • Design an ISE-enabled network, plan/distribute ISE functions, and prepare for rollout

    • Build context-aware security policies for network access, devices, accounting, and audit

    • Configure device profiles, visibility, endpoint posture assessments, and guest services

    • Implement secure guest lifecycle management, from WebAuth to sponsored guest access

    • Configure ISE, network access devices, and supplicants, step by step

    • Apply best practices to avoid the pitfalls of BYOD secure access

    • Set up efficient distributed ISE deployments

    • Provide remote access VPNs with ASA and Cisco ISE

    • Simplify administration with self-service onboarding and registration

    • Deploy security group access with Cisco TrustSec

    • Prepare for high availability and disaster scenarios

    • Implement passive identities via ISE-PIC and EZ Connect

    • Implement TACACS+ using ISE

    • Monitor, maintain, and troubleshoot ISE and your entire Secure Access system

    • Administer device AAA with Cisco IOS, WLC, and Nexus


    Introduction xxix

    Part I Identity-Enabled Network: Unite!

    Chapter 1 Regain Control of Your IT Security 1

    Security: Still a Weakest-Link Problem 2

    Cisco Identity Services Engine 3

    Sources for Providing Identity and Context Awareness 5

    Unleash the Power of Centralized Policy 6

    Summary 8

    Chapter 2 Fundamentals of AAA 9

    Triple-A 10

    Compare and Select AAA Options 10

        Device Administration 11

        Network Access 12

    TACACS+ 13

        TACACS+ Authentication Messages 14

        TACACS+ Authorization and Accounting Messages 15

    RADIUS 17

        AV Pairs 20

        Change of Authorization 20

    Comparing RADIUS and TACACS+ 21

    Summary 21

    Chapter 3 Introducing Cisco Identity Services Engine 23

    Architecture Approach to Centralized and Dynamic Network Security Policy Enforcement 23

    Cisco Identity Services Engine Features and Benefits 26

    ISE Platform Support and Compatibility 30

    Cisco Identity Services Engine Policy Construct 30

    ISE Authorization Rules 33

    Summary 34

    Part II The Blueprint, Designing an ISE-Enabled Network

    Chapter 4 The Building Blocks in an Identity Services Engine Design 35

    ISE Solution Components Explained 35

        Infrastructure Components 36

        Policy Components 42

        Endpoint Components 42

    ISE Personas 43

    ISE Licensing, Requirements, and Performance 45

        ISE Licensing 45

        ISE Requirements 46

        ISE Performance 47

    ISE Policy-Based Structure Explained 48

    Summary 49

    Chapter 5 Making Sense of the ISE Deployment Design Options 51

    Centralized Versus Distributed Deployment 52

        Centralized Deployment 52

        Distributed Deployment 55

    Summary 58

    Chapter 6 Quick Setup of an ISE Proof of Concept 59

    Deploy ISE for Wireless in 15 Minutes 59

        Wireless Setup Wizard Configuration 60

            Guest Self-Registration Wizard 61

            Secure Access Wizard 65

            Bring Your Own Device (BYOD) Wizard 67

    Deploy ISE to Gain Visibility in 15 Minutes 69

        Visibility Setup Wizard 69

            Configuring Cisco Switches to Send ISE Profiling Data 73

    Summary 75

    Part III The Foundation, Building a Context-Aware Security Policy

    Chapter 7 Building a Cisco ISE Network Access Security Policy 77

    Components of a Cisco ISE Network Access Security Policy 78

        Network Access Security Policy Checklist 79

        Involving the Right People in the Creation of the Network Access Security Policy 79

    Determining the High-Level Goals for Network Access Security 81

        Common High-Level Network Access Security Goals 82

        Network Access Security Policy Decision Matrix 84

    Defining the Security Domains 85

    Understanding and Defining ISE Authorization Rules 87

        Commonly Configured Rules and Their Purpose 88

    Establishing Acceptable Use Policies 89

    Host Security Posture Assessment Rules to Consider 91

        Sample NASP Format for Documenting ISE Posture Requirements 96

        Common Checks, Rules, and Requirements 97

        Method for Adding Posture Policy Rules 98

            Research and Information 98

            Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization 99

            Method for Determining What Posture Policy Rules a Particular Security Requirement Should Be Applied To 100

            Method for Deploying and Enforcing Security Requirements 101

    Defining Dynamic Network Access Privileges 102

        Enforcement Methods Available with ISE 102

        Commonly Used Network Access Policies 103

    Summary 105

    Chapter 8 Building a Device Security Policy 107

    ISE Device Profiling 107

        ISE Profiling Policies 109

        ISE Profiler Data Sources 110

        Using Device Profiles in Authorization Rules 111

    Threat-Centric NAC 111

        Using TC-NAC as Part of Your Incident Response Process 113

    Summary 116

    Chapter 9 Building an ISE Accounting and Auditing Policy 117

    Why You Need Accounting and Auditing for ISE 117

    Using PCI DSS as Your ISE Auditing Framework 118

        ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords 126

        ISE Policy for PCI 10.2 and 10.3: Audit Log Collection 128

        ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Audit Log Data 129

        ISE Policy for PCI 10.6: Review Audit Data Regularly 130

    Cisco ISE User Accounting 131

    Summary 132

    Part IV Let’s Configure!

    Chapter 10 Profiling Basics and Visibility 133

    Understanding Profiling Concepts 133

        ISE Profiler Work Center 137

            ISE Profiling Probes 137

            Probe Configuration 138

            DHCP and DHCPSPAN Probes 140

            RADIUS Probe 142

            Network Scan (NMAP) Probe 143

            DNS Probe 147

            SNMPQUERY and SNMPTRAP Probes 148

            Active Directory Probe 149

            HTTP Probe 150

            HTTP Profiling Without Probes 152

            NetFlow Probe 152

    Infrastructure Configuration 153

        DHCP Helper 153

        SPAN Configuration 156

        VLAN ACL Captures 157

        Device Sensor 157

        VMware Configurations to Allow Promiscuous Mode 159

    Profiling Policies 160

        Profiler Feed Service 160

            Configuring the Profiler Feed Service 160

            Verifying the Profiler Feed Service 162

            Offline Manual Update 164

        Endpoint Profile Policies 167

        Context Visibility 169

        Logical Profiles 178

    ISE Profiler and CoA 179

        Global CoA 180

        Per-Profile CoA 181

        Global Profiler Settings 182

            Configure SNMP Settings for Probes 182

            Endpoint Attribute Filtering 182

            NMAP Scan Subnet Exclusions 183

    Profiles in Authorization Policies 183

        Endpoint Identity Groups 183

        EndPointPolicy 187

        Importing Profiles 187

    Verifying Profiling 189

        The Dashboard 189

            Endpoints Dashboard 189

            Context Visibility 190

        Device Sensor Show Commands 191

    Triggered NetFlow: A Woland-Santuka Pro Tip 191

    Summary 194

    Chapter 11 Bootstrapping Network Access Devices 195

    Cisco Catalyst Switches 195

        Global Configuration Settings for Classic IOS and IOS 15.x Switches 196

            Configure Certificates on a Switch 196

            Enable the Switch HTTP/HTTPS Server 197

            Global AAA Commands 198

            Global RADIUS Commands 199

            Create Local Access Control Lists for Classic IOS and IOS 15.x 202

            Global 802.1X Commands 204

            Global Logging Commands (Optional) 204

            Global Profiling Commands 205

        Interface Configuration Settings for Classic IOS and IOS 15.x Switches 207

            Configure Interfaces as Switch Ports 208

            Configure Flexible Authentication and High Availability 208

            Configure Authentication Settings 211

            Configure Authentication Timers 212

            Apply the Initial ACL to the Port and Enable Authentication 213

        Configuration Settings for C3PL Switches 213

            Why Use C3PL? 213

            Global Configuration for C3PL 216

            Global RADIUS Commands for C3PL 217

            Configure Local ACLs and Local Service Templates 219

            Global 802.1X Commands 220

            C3PL Fundamentals 221

            Configure the C3PL Policies 222

    Cisco Wireless LAN Controllers 225

        AireOS Features and Version History 225

        Configure the AAA Servers 226

            Add the RADIUS Authentication Servers 226

            Add the RADIUS Accounting Servers 227

            Configure RADIUS Fallback (High Availability) 229

        Configure the Airespace ACLs 229

            Create the Web Authentication Redirection ACL 230

            Add Google URLs for ACL Bypass 231

        Create the Dynamic Interfaces for the Client VLANs 232

            Create the Employee Dynamic Interface 233

            Create the Guest Dynamic Interface 234

        Create the Wireless LANs 236

            Create the Guest WLAN 236

            Create the Corporate SSID 240

    Summary 245

    Chapter 12 Network Authorization Policy Elements 247

    ISE Authorization Policy Elements 247

    Authorization Results 251

        Configuring Authorization Downloadable ACLs 251

        Configuring Authorization Profiles 253

    Summary 256

    Chapter 13 Authentication and Authorization Policies 257

    Relationship Between Authentication and Authorization 257

        Enable Policy Sets 258

    Authentication Policy Goals 261

        Accept Only Allowed Protocols 261

        Route to the Correct Identity Store 261

        Validate the Identity 261

        Pass the Request to the Authorization Policy 262

    Understanding Authentication Policies 262

        Conditions 263

        Allowed Protocols 266

            Authentication Protocol Primer 268

        Identity Store 271

            Options 272

        Common Authentication Policy Examples 272

            Using the Wireless SSID 272

            Remote-Access VPN 277

            Alternative ID Stores Based on EAP Type 278

    Authorization Policies 280

        Goals of Authorization Policies 280

            Understanding Authorization Policies 280

            Role-Specific Authorization Rules 286

        Authorization Policy Example 286

            Employee and Corporate Machine Full-Access Rule 286

            Internet Only for Mobile Devices 288

            Employee Limited Access Rule 292

    Saving Attributes for Reuse 295

    Summary 297

    Chapter 14 Guest Lifecycle Management 299

    Overview of ISE Guest Services 301

    Hotspot Guest Portal Configuration 302

    Sponsored Guest Portal Configuration 304

        Create an Active Directory Identity Store 304

        Create ISE Guest Types 305

        Create Guest Sponsor Groups 307

    Authentication and Authorization Guest Policies 310

        Guest Pre-Authentication Authorization Policy 310

        Guest Post-Authentication Authorization Policy 312

    Guest Sponsor Portal Configuration 313

        Guest Portal Interface and IP Configuration 313

        Sponsor and Guest Portal Customization 313

            Sponsor Portal Behavior and Flow Settings 313

            Sponsor Portal Page Customization 315

            Guest Portal Behavior and Flow Settings 316

            Guest Portal Page Customization 317

            Creating Multiple Guest Portals 318

    Guest Sponsor Portal Usage 318

        Sponsor Portal Layout 319

        Creating Guest Accounts 320

        Managing Guest Accounts 320

    Configuration of Network Devices for Guest CWA 321

        Wired Switches 321

        Wireless LAN Controllers 322

    Summary 325

    Chapter 15 Client Posture Assessment 327

    ISE Posture Assessment Flow 329

    Configure Global Posture and Client Provisioning Settings 331

        Posture Client Provisioning Global Setup 331

        Posture Global Setup 335

            Posture General Settings 335

            Posture Reassessments 336

            Posture Updates 337

            Acceptable Use Policy Enforcement 338

    Configure the AnyConnect and NAC Client Provisioning Rules 339

        AnyConnect Agent with ISE Compliance Module 339

        AnyConnect Posture Profile Creation 340

        AnyConnect Configuration File Creation 341

        AnyConnect Client Provisioning Policy 343

    Configure the Client Provisioning Portal 343

    Configure Posture Elements 345

        Configure Posture Conditions 345

        Configure Posture Remediations 349

        Configure Posture Requirements 353

    Configure Posture Policy 355

    Configure Host Application Visibility and Context Collection (Optional) 357

    Enable Posture Client Provisioning and Assessment in Your ISE Authorization Policies 359

        Posture Client Provisioning 359

        Authorization Based On Posture Compliance 360

    Posture Reports and Troubleshooting 361

    Enable Posture Assessment in the Network 362

    Summary 363

    Chapter 16 Supplicant Configuration 365

    Comparison of Popular Supplicants 366

    Configuring Common Supplicants 367

        Mac OS X 10.8.2 Native Supplicant Configuration 367

        Windows GPO Configuration for Wired Supplicant 369

        Windows 7, 8/8.1, and 10 Native Supplicant Configuration 373

        Cisco AnyConnect Secure Mobility Client NAM 377

    Summary 382

    Chapter 17 BYOD: Self-Service Onboarding and Registration 383

    BYOD Challenges 384

    Onboarding Process 386

        BYOD Onboarding 386

            Dual SSID 387

            Single SSID 387

            Configuring NADs for Onboarding 388

            ISE Configuration for Onboarding 392

            End-User Experience 393

            Configuring ISE for Onboarding 408

            BYOD Onboarding Process Detailed 423

        MDM Onboarding 429

            Integration Points 430

            Configuring MDM Integration 431

            Configuring MDM Onboarding Policies 433

    The Opposite of BYOD: Identify Corporate Systems 435

    EAP Chaining 436

    Summary 437

    Chapter 18 Setting Up and Maintaining a Distributed ISE Deployment 439

    Configuring ISE Nodes in a Distributed Environment 439

        Make the Policy Administration Node a Primary Device 440

        Register an ISE Node to the Deployment 442

        Ensure the Persona of All Nodes Is Accurate 445

    Understanding the HA Options Available 446

        Primary and Secondary Nodes 446

            Monitoring & Troubleshooting Nodes 446

            Policy Administration Nodes 448

        Policy Service Nodes and Node Groups 450

            Create a Node Group 451

            Add the Policy Service Nodes to the Node Group 452

        Using Load Balancers 453

            General Guidelines 454

            Failure Scenarios 455

        Anycast HA for ISE PSNs 456

    Cisco IOS Load Balancing 459

    Maintaining ISE Deployments 460

        Patching ISE 460

        Backup and Restore 462

    Summary 463

    Chapter 19 Remote Access VPN and Cisco ISE 465

    Introduction to VPNs 465

    Client-Based Remote Access VPN 468

        Configuring a Client-Based RA-VPN on the Cisco ASA 469

            Download the Latest AnyConnect Headend Packages 470

            Prepare the Headend 471

            Add an AnyConnect Connection Profile 473

            Add the ISE PSNs to the AAA Server Group 478

            Add a Client Address Pool 481

            Perform Network Reachability Tasks 484

        Configure ISE for the ASA VPN 487

        Testing the Configuration 488

            Perform a Basic AAA Test 488

            Log In to the ASA Web Portal 490

            Connect to the VPN via AnyConnect 492

    Remote Access VPN and Posture 494

        RA-VPN with Posture Flows 495

            Adding the Access Control Lists to ISE and the ASA 496

            Adding Posture Policies to the VPN Policy Set 499

            Watching It Work 501

    Extending the ASA Remote Access VPN Capabilities 507

        Double Authentication 507

        Certificate-Based Authentication 509

            Provisioning Certificates 509

            Authenticating the VPN with Certificates 515

            Connecting to the VPN via CertProfile 518

    Summary 519

    Chapter 20 Deployment Phases 521

    Why Use a Phased Approach? 521

        A Phased Approach 523

        Authentication Open Versus Standard 802.1X 524

    Monitor Mode 526

        Prepare ISE for a Staged Deployment 527

            Create the Network Device Groups 528

            Create the Policy Sets 529

    Low-Impact Mode 530

    Closed Mode 532

    Transitioning from Monitor Mode to Your End State 534

    Wireless Networks 535

    Summary 535

    Part V Advanced Secure Access Features

    Chapter 21 Advanced Profiling Configuration 537

    Profiler Work Center 537

    Creating Custom Profiles for Unknown Endpoints 538

        Identifying Unique Values for an Unknown Device 539

        Collecting Information for Custom Profiles 541

        Creating Custom Profiler Conditions 542

        Creating Custom Profiler Policies 543

    Advanced NetFlow Probe Configuration 544

        Commonly Used NetFlow Attributes 546

        Example Profiler Policy Using NetFlow 546

        Designing for Efficient Collection of NetFlow Data 547

        Configuration of NetFlow on Cisco Devices 548

    Profiler CoA and Exceptions 550

        Types of CoA 551

        Creating Exceptions Actions 552

        Configuring CoA and Exceptions in Profiler Policies 552

    Profiler Monitoring and Reporting 553

    Summary 556

    Chapter 22 Cisco TrustSec AKA Security Group Access 557

    Ingress Access Control Challenges 558

        VLAN Assignment 558

        Ingress Access Control Lists 560

    What Is TrustSec? 562

        So, What Is a Security Group Tag? 562

            Defining the SGTs 564

            Classification 565

            Dynamically Assigning an SGT via 802.1X 566

            Manually Assigning an SGT at the Port 567

            Manually Binding IP Addresses to SGTs 568

            Access Layer Devices That Do Not Support SGTs 569

    Transport: SGT eXchange Protocol (SXP) 569

        SXP Design 570

            Configuring SXP on IOS Devices 572

            Configuring SXP on Wireless LAN Controllers 573

            Configuring SXP on Cisco ASA 576

            Configuring SXP on ISE 578

    Transport: pxGrid 579

    Transport: Native Tagging 580

        Configuring Native SGT Propagation (Tagging) 581

            Configuring SGT Propagation on Cisco IOS Switches 582

            Configuring SGT Propagation on a Catalyst 6500 584

            Configuring SGT Propagation on a Nexus Series Switch 586

    Enforcement 587

        Traffic Enforcement with SGACLs 588

            Creating TrustSec Matrices in ISE 590

        Traffic Enforcement with Security Group Firewalls 591

            Security Group Firewall on the ASA 591

            Security Group Firewall on the ISR and ASR 592

    Summary 592

    Chapter 23 Passive Identities, ISE-PIC, and EasyConnect 593

    Passive Authentication 594

    Identity Sharing 596

        Tenet 1: Learn 598

            Active Directory 598

            Syslog Sources 611

            REST API Sources 614

            Learning More Is Critical 615

        Tenet 2: Share 615

            pxGrid 616

            CDA-RADIUS 617

        Tenet 3: Use 617

            Integration Details 618

            Integration Summary 623

        Tenet 4: Update 623

            Logoff Detection with the Endpoint Probe 623

            WMI Update Events 625

            Session Timeouts 625

    ISE Passive Identity Connector 626

    EasyConnect 628

    Summary 630

    Chapter 24 ISE Ecosystems: The Platform eXchange Grid (pxGrid) 631

    The Many Integration Types of the Ecosystem 632

        MDM Integration 632

        Rapid Threat Containment 632

        Platform Exchange Grid 635

    pxGrid in Action 637

        Configuring ISE for pxGrid 639

        Configuring pxGrid Participants 642

            Configuring Firepower Management Center for pxGrid 642

            Configuring the Web Security Appliance for pxGrid 649

            Configuring Stealthwatch for pxGrid 652

    Summary 658

    Part VI Monitoring, Maintenance, and Troubleshooting for Network Access AAA

    Chapter 25 Understanding Monitoring, Reporting, and Alerting 659

    ISE Monitoring 660

        Cisco ISE Home Page 660

        Context Visibility Views 663

        RADIUS Live Logs and Live Sessions 666

        Global Search 667

        Monitoring Node in a Distributed Deployment 669

        Device Configuration for Monitoring 669

    ISE Reporting 670

        Data Repository Setup 671

    ISE Alarms 672

    Summary 672

    Chapter 26 Troubleshooting 673

    Diagnostic Tools 674

        RADIUS Authentication Troubleshooting 674

        Evaluate Configuration Validator 675

        TCP Dump 678

        Endpoint Debug 680

        Session Trace 682

    Troubleshooting Methodology 685

        Troubleshooting Authentication and Authorization 685

            Log Deduplication 686

            Active Troubleshooting 688

            Option 1: No Live Logs Entry Exists 689

            Option 2: An Entry Exists in the Live Logs 694

        General High-Level Troubleshooting Flowchart 697

        Troubleshooting WebAuth and URL Redirection 697

        Debug Situations: ISE Logs 701

            The Support Bundle 702

    Summary 703

    Chapter 27 Upgrading ISE 705

    The Upgrade Process 705

    Repositories 708

        Configuring a Repository 708

        Repository Types and Configuration 708

    Performing the Upgrade 714

    Command-Line Upgrade 718

    Summary 720

    Part VII Device Administration

    Chapter 28 Device Administration Fundamentals 721

    Device Administration in ISE 723

        Large Deployments 724

        Medium Deployments 725

        Small Deployments 726

    Enabling TACACS+ in ISE 726

    Network Devices 727

        Device Administration Global Settings 728

            Connection Settings 729

            Password Change Control 729

            Session Key Assignment 729

        Device Administration Work Center 730

            Overview 730

            Identities 731

            Network Resources 733

            Policy Elements 733

            Device Admin Policy Sets 736

            Reports 738

    Summary 738

    Chapter 29 Configuring Device Admin AAA with Cisco IOS 739

    Preparing ISE for Incoming AAA Requests 739

        Preparing the Policy Results 739

            Create the Authorization Results for Network Administrators 740

            Create the Authorization Results for Network Operators 742

            Create the Authorization Results for Security Administrators 743

            Create the Authorization Results for the Helpdesk 745

        Preparing the Policy Set 747

        Configuring the Network Access Device 749

    Time to Test 752

    Summary 758

    Chapter 30 Configuring Device Admin AAA with Cisco WLC 759

    Overview of WLC Device Admin AAA 759

    Configuring ISE and the WLC for Device Admin AAA 761

        Preparing ISE for WLC Device Admin AAA 761

            Prepare the Network Device 761

            Prepare the Policy Results 762

            Configure the Policy Set 766

        Adding ISE to the WLC TACACS+ Servers 768

    Testing and Troubleshooting 770

    Summary 775

    Chapter 31 Configuring Device Admin AAA with Cisco Nexus Switches 777

    Overview of NX-OS Device Admin AAA 777

    Configuring ISE and the Nexus for Device Admin AAA 778

        Preparing ISE for Nexus Device Admin AAA 778

            Prepare the Network Device 778

            Prepare the Policy Results 779

            Configure the Policy Set 782

        Preparing the Nexus Switch for TACACS+ with ISE 783

            Enable TACACS+ and Add ISE to NX-OS 784

    Summary 784

    Part VIII Appendixes

    Appendix A Sample User Community Deployment Messaging Material 785

    Sample Identity Services Engine Requirement Change Notification Email 785

    Sample Identity Services Engine Notice for a Bulletin Board or Poster 786

    Sample Identity Services Engine Letter to Students 788

    Appendix B Sample ISE Deployment Questionnaire 789

    Appendix C Sample Switch Configurations 793

    Catalyst 3000 Series, 12.2(55)SE 793

    Catalyst 3000 Series, 15.0(2)SE 796

    Catalyst 4500 Series, IOS-XE 3.3.0 / 15.1(1)SG 800

    Catalyst 6500 Series, 12.2(33)SXJ 804

    Appendix D The ISE CA and How Cert-Based Auth Works 807

    Certificate-Based Authentication 808

        Has the Digital Certificate Been Signed by a Trusted CA? 808

        Has the Certificate Expired? 810

        Has the Certificate Been Revoked? 811

        Has the Client Provided Proof of Possession? 813

        So, What Does Any of This Have to Do with Active Directory? 814

    ISE’s Internal Certificate Authority 815

        Why Put a CA into ISE? 815

        ISE CA PKI Hierarchy 815

            The Endpoint CA 818

            Reissuing CA Certificates 819

            Configuring ISE to be a Subordinate CA to an Existing PKI 820

        Backing Up the Certificates 823

        Issuing Certificates from the ISE CA 826


    9781587144738   TOC   5/26/2017
