Web Resources
- Cisco ISE resources - ISE Resources on Cisco's site
- ISE Getting Started page - Every resource needed to deploy ISE!
- Cisco Identity Services Engine (ISE) Set Up
- Cisco ISE 3rd party RADIUS Dictionaries - Dictionaries for 3rd party RADIUS servers
- Cisco ISE community - The Cisco ISE Community Homepage
- Cisco ISE Webinars - Upcoming and Recorded Webinars & Training Videos
- Cisco ISE Youtube Channel - ISE YouTube Channel
- Cisco ISE Product Information - Cisco Identity Services Engine (ISE) homepage
- On-Demand Library Guest talks - ISE videos for Cisco Live Events
- ISE Portal Builder - An online portal builder for ISE
- ISE Performance Scaling - Performance and Scalability Guide for Cisco Identity Services Engine
- Cisco ISE Guest & Web Authentication - Landing page for all things guest related
- ISE Security Ecosystem Integration Guides
- ISE Compatibility Guides
- ISE Design and Integration Guides
- ISE Licensing Guide
- Free 90 day ISE Evaluations
- ISE End of Life Notices
- ISE NAC Forum
Cisco ISE Webinars and Training Videos - 59 hours of ISE training!
Platforms
- AireOS
- Switching
- IOS-XE
- Meraki
- ISE Guest Access Prescriptive Deployment Guide
- How To: Integrate Meraki Networks with ISE
- ISE and Catalyst 9800 Series Integration Guide
- Does ISE Support My Network Access Device?
- Up to ~100 concurrent logins/web page requests per second per PSN
- 600 portals maximum
- Supports [location based portals](ISE and Location-Based Web Authentication Portals)
ISE Guest & Web Authentication
- Guest - Auto Login on Sponsor Approval
- Guest - Phone Number as a User ID with number validation
- Guest - Password Recovery
- Guest - Grace Access for sponsor approval. Up to 30 minute access BEFORE sponsor approves.
- Secure SMTP Support
Under Settings, Profiling, you can run NMAP scans from the profiling service.
NMAP: enter a comma-separated list of subnets or IPs to scan.
The field is cleared after the change is saved successfully.
- AMP - Advanced Malware Protection
- ANC - Adaptive Network Control (replacement for EPS)
- CTA - Cisco Threat Analytics
- IdP - Identity Provider (Okta, for example).
- RTC - Rapid Threat Containment
- SGT - Scalable (Security) Group Tag
- VA - Vulnerability Assessment (Qualys)
- WSA - Cisco Web Security Appliance - Context based Web Filtering
- Self Signed pxGrid Client and pxGrid ISE Node certificates
- CA Signed pxGrid Client and pxGrid ISE Node certificates
pxGrid is based on the IEEE XMPP protocol. You can develop your own in-house applications using the developer tools.
Developer tools
ISE & Infoblox - Use Adaptive Network Control (ANC) to share info with Infoblox
ISE & Checkpoint - Use ISE identity/device & TrustSec context
* Firewall
* Application control
* DLP
* URL Filtering
* antivirus
ISE & Stealthwatch - provides context to Stealthwatch using the pxGrid API. Not an automated response.
ISE & Splunk - uses syslog to provide contextual threat mitigation
- Industry Time to Detection (TTD) 100 - 200 days.
Rapid Threat Containment Overview
- Context Exchange (pxGrid / API / Syslog )
- ANC/EPS Mitigation - pxGrid gets policy from subscriber
- Threat Centric NAC - ISE has the policy, gets data from subscriber
EPS / ANC Mitigation actions
- Applying ANC via pxGrid reduces TTD to minutes instead of 100 days.
- Automated Response
- Deeper Analysis
- Sensors - AMP / NGIPS / ASA w Firepower
Threat Centric NAC
Requires ISE Apex License. Runs on PSN.
Collects contextual information and then makes a decision.
Supported Products
- Tenable
- Qualys
- Cisco Threat Analytics
- Rapid7
- Cisco AMP
What does it do?
- Creates ISE authorization policies based on threat and vulnerability attributes.
- Use some solution (Rapid7, Cisco AMP, Qualys, etc.) to detect that an endpoint is vulnerable, and let ISE know of the vulnerability.
- Will show compromised and vulnerable endpoints in ISE
In SDA (Software-Defined Access) ISE serves two broad functions:
- User/Device authentication
- Imposing Security Group Tags and enforcement policies (SGACLs)
TrustSec Troubleshooting Guide
DNA Center (DNAC) uses pxGrid to integrate with ISE. DNAC is a subscriber.
Licensing
- ISE Base
- ISE Plus
Requires External RESTful Services (ERS) on ISE. Go to "Administration, System, Settings, ERS Settings":
- ERS Setting for Primary Administration Node - Enable ERS for Read/Write
- ERS Settings for All Other Nodes - Enable ERS for Read
Go to "Administration, System, Deployment":
- Enable pxGrid
Go to "Administration, pxGrid Services":
- Verify that pxGrid shows connected at the bottom
Instructions for setting up Postman to invoke ERS:
Certificate requirements between ISE/DNAC
Cisco PKI
On the right side of the DNAC System 360 page select Tools, Log Explorer. Kibana will open; enter the following into the search field:
kubernetes.labels.serviceName:network-design-service OR kubernetes.labels.serviceName:identity-manager-pxgrid-service
Use these commands to display pxGrid and Network-Design logs from the DNAC CLI:
- $ magctl service logs -rf network-design - tails the network-design logs
- $ magctl service logs -rf pxgrid - tails the pxGrid logs
- $ magctl service logs -rf -t 500 network-design - shows the last 500 lines of the network-design logs
- $ magctl service logs -rf -t 500 pxgrid - shows the last 500 lines of the pxGrid logs
Go to Administration, System, Certificates, Trusted Certificates
- Verify that the DNAC certificate is listed and enabled.
Enable logs on the primary admin node and the pxGrid node. Go to Administration, System, Logging, Debug Log Configuration:
- REST API: ERS (Debug)
- Certificate Exchange Process: Infrastructure (Debug)
- Certificates: admin-ca (Debug) and ca-service (Debug)
- pxGrid Communication: pxgrid (Trace)
Go to Operations, Troubleshoot, Download Logs:
- ise-psc.log
- The integration goes offline since the ERS calls start to fail.
- One of the fixes being put in place is to have certificate-based authentication on TCP port 9062. Please make sure port 9062 is reachable from DNAC.
- The workaround for now is to go into DNAC > System Settings > check the radio button for ISE > Edit. Update the password and apply.
NOTE: Make sure the ISE CLI and GUI passwords are the same!
In order to download the new certificates from ISE, initiate the update workflow using the process below:
- DNAC > System Settings > Settings > check the radio button for ISE > Edit. Input the ISE password and apply.
Go to ISE Administration, pxGrid Services, All Clients:
- Delete the dna-sub
- restart the pxgrid service from DNAC
magctl service restart pxgrid
ISE gathers context from devices.
- Who
- What
- When
- Where
- How
- Application
- Threat
- Vulnerability
Context is used to populate scalable groups to be used for segmentation.
Data is communicated using:
- pxGrid
- REST API
- Syslog
between ISE and:
- DNA Center
- StealthWatch
- FirepowerServices
- 3rd party like Checkpoint, Rapid7, Qualys, etc.
Endpoints send interesting data that reveals their device identity. You need to subscribe to the profiling feed service to get updates from Cisco.
Discovery protocols
- Netflow
- DHCP
- DNS
- HTTP
- RADIUS
- NMAP
- SNMP
- AD
Device Sensors
- CDP
- LLDP
- DHCP
- HTTP
- H323
- SIP
- MDNS
Anyconnect
- ACIDEX
- Turn on RADIUS Accounting
- Do not turn on SNMP traps
- Use AD - a high-fidelity probe for OS, Service Pack and Version
- Leverage the HTTP probe for gathering OS-specific or platform information on mobile devices and laptops
- With AnyConnect, use ACIDEX to gather hardware and software information.
Platform Exchange Grid (pxGrid)
Publisher/Subscriber model
- Cisco ISE - Publisher and Subscriber
- Eco-Partner - Publisher and Subscriber
Cisco Industrial Network Director - IND
- Industrial Protocol support for automation asset discovery
- Security platform integration to protect the industrial network
- Plug and play server for zero touch switch commissioning
- Comprehensive network monitoring and lifecycle management
Protocols
- CIP
- Profinet
- Modbus
- OPC Unified Architecture (OPC-UA)
- BACnet
- Siemens S7
- Others
Cisco Industrial Network Director
IND uses pxGrid 2.0 - Web sockets over STOMP
Best Practices
- Probes on (2) PSNs for HA
- Each PSN becomes a pxGrid subscriber to the Endpoint Profile MetaData Topic.
- Requires RADIUS probe for MAC to IP binding
Deploying Cisco Industrial Network Director (IND) with Cisco ISE using pxGrid
Option 1 Device Registration Portal
- Endpoint group - Up to 999 devices
- 600 portals Supported
- Admin/User can register device
- Can use a custom portal on an external server, e.g. a Medical Device Registration Portal.
- Custom Portal uses REST API to communicate
Option 2
- Add Endpoints using File, LDAP, and REST API
- 10,000 devices per import
- No restrictions on Identity Group, Profile, Custom Attributes, etc.
For unknown devices
Context Visibility, Endpoints, Endpoint classification
Use the "Endpoint Profile" filter with "Unknown"
Option 3
- Create a custom Profile
ISE End Point Analysis Tool (EAT)
- Profile Creation and Management - Options to create & share profiles created by EAT
- Create, Open, and Customize reports
- Purge/Delete - Remove data locally stored on the client desktop
- Export CSV Report
- Download the EAT - Account creation required!
Review - How to profile Unknown Endpoints
- Whitelist (adding MAC addresses to Endpoint Groups)
- Register the devices using the Context Visibility UI
- Import the Endpoints - CSV, LDAP, REST API
- Use Device Registration Portal
- Custom Profiles
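Added example (not from these notes or from Cisco) of the "Import the Endpoints - REST API" route above: it validates a constructed CSV of MAC addresses, normalizes them to the colon-separated form ISE stores, builds one ERSEndPoint create body per device for static assignment to an Endpoint Identity Group, and only then posts to ERS. The ERS path, port 9060, the group ID, the credentials and the CSV rows are assumptions or placeholders.

```python
"""Bulk endpoint whitelisting via the ISE ERS API (added example).

Assumed: ERS on TCP 9060 at /ers/config/endpoint taking an "ERSEndPoint"
JSON object; GROUP-ID-PLACEHOLDER, credentials and CSV rows are constructed.
"""
import csv
import io
import re

# Constructed sample input (MAC formats deliberately mixed; last row is bad).
SAMPLE_CSV = """mac,description,groupId
00-11-22-33-44-55,Infusion pump 1,GROUP-ID-PLACEHOLDER
0011.2233.4466,Infusion pump 2,GROUP-ID-PLACEHOLDER
00:11:22:33:44:ZZ,Mistyped device,GROUP-ID-PLACEHOLDER
"""


def normalize_mac(raw: str) -> str:
    """Return MAC as AA:BB:CC:DD:EE:FF (the form ISE stores) or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_endpoint(mac: str, description: str, group_id: str) -> dict:
    """Body for POST /ers/config/endpoint: pin the endpoint to a group statically."""
    return {"ERSEndPoint": {"name": mac, "description": description, "mac": mac,
                            "groupId": group_id, "staticGroupAssignment": True,
                            "staticProfileAssignment": False}}


def load_endpoints(csv_text: str):
    """Parse the CSV; return (payloads, rejected) so bad rows never reach ISE."""
    payloads, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            mac = normalize_mac(row["mac"])
        except ValueError as exc:
            rejected.append((row["mac"], str(exc)))
            continue
        payloads.append(build_endpoint(mac, row["description"], row["groupId"]))
    return payloads, rejected


def post_endpoints(base_url: str, auth: tuple, payloads: list, ca_bundle: str):
    """One POST per endpoint; ERS returns 201 on create. Verify the ISE cert."""
    import requests  # imported lazily so the offline parts run without it
    hdrs = {"Accept": "application/json", "Content-Type": "application/json"}
    return [(b["ERSEndPoint"]["mac"],
             requests.post(f"{base_url}/ers/config/endpoint", json=b, headers=hdrs,
                           auth=auth, verify=ca_bundle, timeout=15).status_code)
            for b in payloads]


if __name__ == "__main__":
    ok, bad = load_endpoints(SAMPLE_CSV)
    print(f"{len(ok)} endpoints ready, {len(bad)} rejected: {bad}")
    # post_endpoints("https://ise-pan.example.net:9060", ("ers-admin", "pw"), ok, "ca.pem")
```

The ERS account used should be the read/write ERS admin from the ERS Settings step above, and the rejected list is worth logging so mistyped MACs are fixed rather than silently skipped.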
Impact of Endpoint Profiling Ownership Changes: when a device moves on the network, you end up with ownership contention.
What are we solving (ISE 2.7+)
Multiple PSNs receive endpoint information from the network, causing endpoint ownership changes that lead to contention.
How
- A PSN becomes the owner and announces ownership to the other PSNs. Probe updates are received from PSNs using secure APIs.
- Uses RabbitMQ, which enhances reliability and scale (10K to 200K).
- Blocks profile changes for manually updated endpoints.
Both are enabled by default!
Stopped at lesson 5 of Visibility and Profiling