Tutorial on Information Security Topics

Date posted: 26-Jul-2015
Uploaded by: cisco-russia
Page 1: Tutorial on Information Security Topics

Plus What’s New in ISE 1.4

Page 2

Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Agenda

• Introduction
• 1.3 Best Practices
  • Authentication
  • Profiling
  • Wireless/Wired
  • Cisco IT Case Study
  • Microsoft AD
  • Internal CA and Certificates
  • Guest
  • Posture
  • pxGrid
  • Serviceability
  • Virtual Appliance Deployments
• ATP Update
• ISE Services / Champions
• Licensing / ISE Express
• What’s New in ISE 1.4
• ISE Roadmap
• Summary

Page 3

Why we are here today

Identity Services Engine (ISE) is a core component of Cisco’s Identity and Policy Management solution to secure access for everything that connects to the network.

The focus of this session is to review ISE 1.3 deployment best practices and lessons learned and to provide an update on major feature enhancements in ISE 1.4. The session culminates in a roadmap briefing.

This session is targeted towards Systems and Field Engineers that have current experience in ISE configuration and deployment.

Page 4

Key Takeaways

At the end of the session, you should be able to:

• Implement ISE using best practices and leverage new techniques to optimize and manage its deployment.
• Design and deploy ISE for optimal scale, performance, and redundancy.
• List the new capabilities in ISE 1.4 and articulate their technical benefits to customers.
• Know where to go for more information and get help on ISE.

Page 5

Differentiators

In a world where any device, user, or application can connect to the network from anywhere at any time, customers are faced with the challenge of detecting all connections and applying business compliance policies that monitor and secure access to their organization’s critical resources and data. ISE collects data from multiple sources to deliver on this requirement while sharing this rich content with other systems to enhance overall visibility and security.

Differentiator: Endpoint visibility and access control across Wired, Wireless, VPN
  Major technical outcome: Single policy to manage all network access
  Major business outcome: Simplify operations while meeting organization compliance requirements.

Differentiator: Policy enforcement embedded into the network
  Major technical outcome: Security is enacted across existing traffic channels where most beneficial
  Major business outcome: Customers leverage the intelligence and investment in existing infrastructure

Differentiator: Context sharing
  Major technical outcome: Higher levels of security are gained through the sharing of rich contextual data across the entire system.
  Major business outcome: Customers gain significant benefit from leveraging the capabilities of existing IT spend.

Page 6

What role do these differentiators play in a “Threat-centric Security Model”?

Attack Continuum (diagram): BEFORE: Discover, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate.

Description: How does your solution address threats for our customers? Before: Identify and apply secure access policies to all connecting devices. During: Validate ongoing compliance and increase SIEM intel through context. After: Quarantine and remediation of offending and non-compliant users/devices.

Page 7

Top ISE Deep Dive Resources

Partner

• Tech Talks / Voice of Engineer – Security Deep Dive Series: https://communities.cisco.com/docs/DOC-30977

• Cisco Live Online (session content and VoDs): https://www.ciscolive.com/online/

Customer

• ISE Design Guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

Page 8

Page 9

Scaling Guest Authentications Using 802.1X

• Guests auth with 802.1X using EAP methods like PEAP-MSCHAPv2 / EAP-GTC

• 802.1X auth performance generally much higher than web auth

• ISE 1.2 Guest Role

• ISE 1.3 Guest Type

“Activated Guest” allows guest accounts to be used without ISE web auth portal

Note: AUP and PW change cannot be enforced since guest bypasses portal flow.

Optional: Redirect user to Hotspot for AUP only.

Page 10

Scaling Web Authentication (ISE 1.3)
“Remember Me” Guest Flows

• Device/user logs in to hotspot or credentialed portal
• MAC address automatically registered into GuestEndpoint group
• Authz policy for GuestEndpoint ID group grants access until device purged

For ISE 1.2, can “chain” CWA+DRW or NSP to auto-register web auth users, but no auto-purge

Page 11

Automated Device Registration and Purge (New in ISE 1.3; For Your Reference)

• Web authenticated users can be auto-registered and endpoints auto-purged.
• Allows re-auth to be reduced to one day, multiple days, weeks, etc.
• Improves web scaling and user experience

Page 12

Endpoint Purging (For Your Reference)

A purge rule combines matching conditions with a purge-by method: # days after creation, # days inactive, or a specified date.

Page 13

Endpoint Purging Examples (For Your Reference)

On-demand purge, plus rules that combine matching conditions with a purge-by method: # days after creation, # days inactive, or a specified date.
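The register, remember and purge behaviour of pages 10 to 13, as an added Python model (not ISE code): a portal login registers the MAC in the GuestEndpoint group, later sessions are authorized without the portal, and purge rules using the three purge-by methods (days after creation, days inactive, specified date) plus an on-demand purge remove the endpoints again. The class names, the "GuestAccess"/"Redirect-To-Portal" results, the rule values and the sample MACs are constructed for the illustration.

```python
"""Guest endpoint auto-registration and purge, modelled on the ISE 1.3 "Remember Me" flow.
Added illustration, not ISE code; all names, rule values and MAC addresses are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

GUEST_GROUP = "GuestEndpoint"


@dataclass
class Endpoint:
    mac: str
    group: str
    created: datetime
    last_seen: datetime
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class PurgeRule:
    """Matching condition plus exactly one purge-by method, as on the Endpoint Purging slide."""
    name: str
    condition: Callable[[Endpoint], bool]
    days_after_creation: Optional[int] = None
    days_inactive: Optional[int] = None
    specified_date: Optional[datetime] = None

    def matches(self, ep: Endpoint, now: datetime) -> bool:
        if not self.condition(ep):
            return False
        if self.days_after_creation is not None:
            return now - ep.created >= timedelta(days=self.days_after_creation)
        if self.days_inactive is not None:
            return now - ep.last_seen >= timedelta(days=self.days_inactive)
        if self.specified_date is not None:
            return now >= self.specified_date
        return False


class EndpointStore:
    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}

    def web_auth_success(self, mac: str, now: datetime, portal: str) -> Endpoint:
        """Hotspot or credentialed portal login: the MAC lands in the GuestEndpoint group."""
        ep = self.endpoints.get(mac)
        if ep is None:
            ep = Endpoint(mac, GUEST_GROUP, now, now, {"portal": portal})
            self.endpoints[mac] = ep
        else:
            ep.group, ep.last_seen = GUEST_GROUP, now
        return ep

    def authorize(self, mac: str, now: datetime) -> str:
        """Authz policy on the GuestEndpoint ID group: remembered devices skip the portal."""
        ep = self.endpoints.get(mac)
        if ep is not None and ep.group == GUEST_GROUP:
            ep.last_seen = now
            return "GuestAccess"
        return "Redirect-To-Portal"

    def purge(self, rules: List[PurgeRule], now: datetime) -> List[str]:
        """Removes every endpoint matched by any rule; returns the purged MACs."""
        purged = sorted(mac for mac, ep in self.endpoints.items()
                        if any(r.matches(ep, now) for r in rules))
        for mac in purged:
            del self.endpoints[mac]
        return purged


def scenario() -> dict:
    """Constructed walk-through: register, remembered, purged by inactivity, purged by age."""
    store, t0 = EndpointStore(), datetime(2015, 7, 1)

    def day(n: int) -> datetime:
        return t0 + timedelta(days=n)

    def is_guest(ep: Endpoint) -> bool:
        return ep.group == GUEST_GROUP

    rules = [PurgeRule("guests inactive 7 days", is_guest, days_inactive=7),
             PurgeRule("guests older than 30 days", is_guest, days_after_creation=30)]
    a, b, c = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
    out = {}
    store.web_auth_success(a, day(0), portal="hotspot")
    out["day1_known"] = store.authorize(a, day(1))        # remembered MAC: no portal
    out["day1_unknown"] = store.authorize(b, day(1))      # unknown MAC: still redirected
    store.web_auth_success(b, day(5), portal="credentialed")
    store.authorize(b, day(8))
    out["purge_day9"] = store.purge(rules, day(9))        # a: 8 days inactive
    out["day10_a"] = store.authorize(a, day(10))          # a must go through the portal again
    store.authorize(b, day(35))
    out["purge_day36"] = store.purge(rules, day(36))      # b: 31 days after creation
    store.web_auth_success(c, day(36), portal="hotspot")
    on_demand = PurgeRule("on demand", lambda ep: True, days_inactive=0)
    out["on_demand"] = store.purge([on_demand], day(36))  # c: purged immediately
    return out
```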

Page 14

Page 15

ISE Profiling Best Practices: Whenever Possible… (For Your Reference)

• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.

• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
  • Sending the same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.

• For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or Profiling using…
  • DHCP IP Helpers
  • SNMP Traps
  • DHCP/HTTP with ERSPAN (requires validation)

• Ensure profile data for a given endpoint is sent to the same PSN
  • Same issue as above, but not always possible across different probes

• Use node groups and ensure profile data for a given endpoint is sent to the same node group.
  • Node groups reduce inter-PSN communications and the need to replicate endpoint changes outside of the node group.

• Avoid probes that collect the same endpoint attributes
  • Example: Device Sensor + SNMP Query/IP Helper

• Enable Profiler Attribute Filter

Page 16

ISE Profiling Best Practices: General Guidelines for Probes (For Your Reference)

• HTTP Probe:
  • Use URL redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
  • Avoid SPAN. If used, look for key traffic chokepoints such as the Internet edge or WLC connection; use intelligent SPAN/tap options or VACL Capture to limit the amount of data sent to ISE. It is also difficult to provide HA for SPAN.

• DHCP Probe:
  • Use IP Helpers when possible—be aware that an L3 device serving DHCP will not relay DHCP for the same!
  • Avoid DHCP SPAN. If used, make sure the probe captures traffic to the central DHCP server. HA challenges.

• SNMP Probe:
  • Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low session/re-auth timers) or frequent interim accounting updates.
  • For polled SNMP queries, avoid short polling intervals. Be sure to set the optimal PSN for polling in the ISE NAD config.
  • SNMP Traps are primarily useful for non-RADIUS deployments like NAC Appliance—avoid SNMP Traps with RADIUS auth.

• NetFlow Probe:
  • Use only for specific use cases in centralized deployments—potential for high load on network devices and ISE.

Page 17

Profiler Tuning for Polled SNMP Query Probe

• Set specific PSNs to periodically poll access devices for SNMP data.
• Choose the PSN closest to the access device.

Diagram: a switch with RADIUS and automatic SNMP polling flows to PSN1 (Amer) and PSN2 (Asia).

Page 18

Profiler Tuning for Polled SNMP Query Probe

• Disable/uncheck SNMP Settings: disables all SNMP polling options [CSCur95329]
• Polling Interval
  • 1.2 default: 3600 sec (1 hour)
  • 1.3 default: 28,800 sec (8 hours), the recommended minimum
  • Setting of “0”: disables the periodic poll but allows triggered & NMAP queries [CSCur95329]
• Triggered query auto-suppressed for 24 hrs per endpoint

Polled Mode = “Catch All”

Page 19

Profiling Redundancy – Duplicating Profile Data
Sending Profile Data for the Same Endpoint to the Same Node Group / PSN

• Common config is to duplicate IP helper data at each NAD to two different PSNs or PSN LB clusters
• Different PSNs receive data and may contend for ownership—increases replication

Diagram: the user’s DHCP request on int Vlan10 is relayed to the real DHCP server and to both load-balanced clusters, PSN-CLUSTER1 (10.1.98.8) in DC #1 (PSN1 10.1.99.5, PSN2 10.1.99.6, PSN3 10.1.99.7) and PSN-CLUSTER2 (10.2.100.2) in DC #2 (PSN1 10.2.101.5, PSN2 10.2.101.6, PSN3 10.2.101.7). NAD configuration:

interface Vlan10
 ip helper-address <real_DHCP_Server>
 ip helper-address 10.1.98.8
 ip helper-address 10.2.100.2

Page 20

Scaling Profiling and Replication
Using Anycast to Limit Profile Data to a Single PSN and Node Group

• Load balancer VIPs host the same target IP for DHCP profile data
• Routing metrics determine which VIP receives DHCP from the NAD

Diagram: both load-balanced clusters, PSN-CLUSTER1 in DC #1 (PSN1 10.1.99.5, PSN2 10.1.99.6, PSN3 10.1.99.7) and PSN-CLUSTER2 in DC #2 (PSN1 10.2.101.5, PSN2 10.2.101.6, PSN3 10.2.101.7), use the same anycast VIP 10.1.98.8, so the user’s DHCP request on int Vlan10 reaches only one of them. NAD configuration:

interface Vlan10
 ip helper-address <real_DHCP_Server>
 ip helper-address 10.1.98.8

Page 21

Page 22

High-Level Load Balancing Diagram (For Your Reference)

Diagram: End user/device → Network Access Device (NAS IP: 10.1.50.2) → Load Balancer (LB: 10.1.99.1; VIP: 10.1.98.8 on VLAN 98, 10.1.98.0/24) → ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6), ISE-PSN-3 (10.1.99.7) on VLAN 99 (10.1.99.0/24). Also shown: ISE-PAN-1/ISE-MNT-1, ISE-PAN-2/ISE-MNT-2 and the external services (logger, AD/LDAP, DNS, NTP, SMTP, MDM).

Page 23

Traffic Flow—Fully Inline: Physical Separation
Physical Network Separation Using Separate LB Interfaces

• Load balancer is directly inline between PSNs and the rest of the network.
• All traffic flows through the load balancer including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP…

Diagram: VLAN 99 (internal: LB 10.1.99.1; ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7) and VLAN 98 (external: 10.1.98.1, 10.1.98.2) on separate LB interfaces; network switch, network access device (NAS IP: 10.1.50.2), end user/device; ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP, SMTP on the external side.

Fully inline traffic flow is recommended—physical or logical.

Page 24

Traffic Flow—Fully Inline: VLAN Separation
Logical Network Separation Using Single LB Interface and VLAN Trunking

• LB is directly inline between ISE PSNs and the rest of the network.
• All traffic flows through the LB including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP…

Diagram: one trunked LB interface carrying VLAN 99 (internal: 10.1.99.1; ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7) and VLAN 98 (external: 10.1.98.1, 10.1.98.2; VIP: 10.1.98.8); network switch, network access device (NAS IP: 10.1.50.2), end user/device; ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP, SMTP on the external side.

Page 25

Partially Inline: Layer 2/Same VLAN (One PSN Interface)
Direct PSN Connections to LB and Rest of Network

• All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LB VIP.
• Other inbound non-LB traffic bypasses the LB, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP…
• All outbound traffic from PSNs is sent to the LB as the default gateway (DFGW).
• LB must be configured to allow asymmetric traffic.

Diagram: a single VLAN 98 holding the L3 switch and load balancer (10.1.98.1, 10.1.98.2; VIP: 10.1.98.8) and ISE-PSN-1 10.1.98.5, ISE-PSN-2 10.1.98.6, ISE-PSN-3 10.1.98.7; network access device (NAS IP: 10.1.50.2), end user/device; ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP, SMTP.

Generally NOT RECOMMENDED due to traffic flow complexity—must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.

Page 26

Partially Inline: Layer 3/Different VLANs (One PSN Interface)
Direct PSN Connections to LB and Rest of Network (For Your Reference)

• All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LB VIP
• Other inbound non-LB traffic bypasses the LB, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP…
• All outbound traffic from PSNs is sent to the LB as the default gateway (DFGW).
• LB must be configured to allow asymmetric traffic

Diagram: VLAN 99 (internal: 10.1.99.1, 10.1.99.2; ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7) and VLAN 98 (external: 10.1.98.1, 10.1.98.2; VIP: 10.1.98.8), with the L3 switch and load balancer between them; network access device (NAS IP: 10.1.50.2), end user/device; ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP, SMTP.

Generally NOT RECOMMENDED due to traffic flow complexity—must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.

Page 27

Partially Inline: Multiple PSN Interfaces
Separate PSN Connections to LB and Rest of Network (For Your Reference)

• All LB traffic sent to LB VIP including RADIUS, Profiling (except SPAN data), and directed Web Services
• All traffic initiated by PSNs sent to LB as global default gateway
• Redirected Web Services traffic bypasses LB
• For ISE 1.2, recommend SNAT redirected HTTPS traffic at L3 switch
• ISE 1.3+ supports symmetric traffic responses (set default gateway per interface)

Diagram: VLAN 99 (internal: 10.1.99.1, 10.1.99.2; PSN interfaces 10.1.99.5, 10.1.99.6, 10.1.99.7), VLAN 98 (external: 10.1.98.1, 10.1.98.2; VIP: 10.1.98.8) and VLAN 91 (web portals: 10.1.91.1; second PSN interfaces 10.1.91.5, 10.1.91.6, 10.1.91.7); L3 switch, load balancer, ISE-PSN-1/2/3, network access device (NAS IP: 10.1.50.2), end user/device; ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP, SMTP.

Page 28

Fully Inline – Multiple PSN Interfaces
Network Separation Using Separate LB Interfaces (For Your Reference)

• All traffic sent to LB including RADIUS, Profiling (except SPAN data), and directed Web Services
• All traffic initiated by PSNs sent to LB as global default gateway
• LB sends Web Services traffic on separate PSN interface.
• For ISE 1.2 (and optionally 1.3), SNAT Web Services at LB
• ISE 1.3+ supports symmetric traffic responses (set default gateway per interface)

Diagram: VLAN 99 (internal: 10.1.99.1; PSN interfaces 10.1.99.5, 10.1.99.6, 10.1.99.7), VLAN 98 (external: 10.1.98.1, 10.1.98.2; VIP: 10.1.98.8) and VLAN 91 (web portals: 10.1.91.1; second PSN interfaces 10.1.91.5, 10.1.91.6, 10.1.91.7) on separate LB interfaces; L3 switch, ISE-PSN-1/2/3, network access device (NAS IP: 10.1.50.2), end user/device; ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP, SMTP.

Page 29

PSN Load Balancing Sample Topology and Flow (For Your Reference)

Topology: user → access device → load balancer (VIP: 10.1.98.8, PSN-CLUSTER, VLAN 98 10.1.98.0/24) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 (VLAN 99 10.1.99.0/24); DNS server.

Flow for a request for service at the single host ‘psn-cluster’:
1. DNS request sent to resolve the psn-cluster FQDN: DNS lookup = psn-cluster.company.com, DNS response = 10.1.98.8
2. Request to psn-cluster.company.com sent to the Virtual IP Address (VIP) 10.1.98.8
3. Response received from the real server ise-psn-3 (ise-psn-3.company.com) @ 10.1.99.7

Page 30

Load Balancing Policy Services

• RADIUS AAA Services

Packets sent to LB virtual IP are load-balanced to real PSN based on configured algorithm. Sticky algorithm determines method to ensure same Policy Service node services same endpoint.

• Web URL-Redirected Services: Posture (CPP) / Central WebAuth (CWA) / Native Supplicant Provisioning (NSP) / Hotspot / Device Registration WebAuth (DRW), Partner MDM.

No LB Required! PSN that terminates RADIUS returns URL Redirect with its own certificate CN name substituted for ‘ip’ variable in URL.

Exception cases: Want to obfuscate node names/IPs, use different cert, LB inspection, DMZ interfaces. Note: Since ISE requires HTTPS for web access, offload does not provide actual SSL perf increase.

• Web Direct HTTP/S Services: Local WebAuth (LWA) / Sponsor / MyDevices Portal, OCSP

Single web portal domain name should resolve to LB virtual IP for http/s load balancing.

• Profiling Services: DHCP Helper / SNMP Traps / Netflow / RADIUS

LB VIP is the target for one-way Profile Data (no response required). VIP can be same or different than one used by RADIUS LB; Real server interface can be same or different than one used by RADIUS


Page 31

Cisco and F5 Deployment Guide: ISE Load Balancing using BIG-IP: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP_DF.pdf

ISE How-To and Design Guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

Linked from F5 under Cisco Alliance page > White Papers: https://f5.com/solutions/technology-alliances/cisco

Page 32

Page 33

Sample Redirect ACLs for CWA (Review from 2012 VT!)

• ISE URL Redirect ACL: Cisco:cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT

• 2k/3k/4k Example:

ip access-list extended ACL-WEBAUTH-REDIRECT
 deny udp any eq bootpc any eq bootpc
 deny udp any any eq domain
 deny tcp any host <PSN1> eq 8443
 permit ip any any

Redirect ACL must be preconfigured and exist on the Catalyst switch or WLC.

The meaning of permit and deny differs by platform:

• Catalyst Switch (HTTP and HTTPS redirection): deny = Bypass Redirection; permit = Allow Redirection
• Cisco WLC (HTTP-only redirection): deny = Deny / Redirect if HTTP; permit = Allow / Bypass Redirection. Update: HTTPS redirect support added in 8.0MR1

• WLC Example:
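The two ACL semantics above, worked through as a small evaluator (added example, not Cisco or ISE code): it parses the 2k/3k/4k ACL, decides for a few constructed flows whether a Catalyst switch would intercept them, and shows that the same intent on a WLC needs the permit/deny sense inverted, with HTTPS only redirected from 8.0MR1. The page’s PSN1 address 10.1.99.5 stands in for <PSN1>, the client 10.1.50.20 and the destinations are constructed, and the modelled assumption that a Catalyst redirect ACL only intercepts TCP 80/443 is not stated on the slide.

```python
"""Redirect-ACL evaluator: Catalyst switch vs. WLC semantics for the CWA redirect ACL.
Added illustration, not Cisco or ISE code; flows and the client address are constructed."""
from collections import namedtuple
from typing import List

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
CATALYST_WEB_PORTS = {80, 443}   # assumption: the switch intercepts only web traffic
# The slide's 2k/3k/4k example, with the page's PSN1 address 10.1.99.5 in place of <PSN1>.
SAMPLE_ACL = """
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny udp any eq bootpc any eq bootpc
 deny udp any any eq domain
 deny tcp any host 10.1.99.5 eq 8443
 permit ip any any
"""

# src/dst None means "any"; sport/dport None means the ACE has no "eq" clause.
Ace = namedtuple("Ace", "action proto src sport dst dport")
Flow = namedtuple("Flow", "proto src sport dst dport")

def parse_ace(line: str) -> Ace:
    """Parses the 'action proto src [eq port] dst [eq port]' subset the slide uses."""
    toks, pos = line.split(), 2

    def take_addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return None
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address form in: {line}")

    def take_port():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return PORT_NAMES.get(toks[pos - 1]) or int(toks[pos - 1])
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(toks[0], toks[1], src, sport, dst, dport)

def parse_acl(text: str) -> List[Ace]:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    return [parse_ace(ln) for ln in lines if not ln.startswith("ip access-list")]

def first_match(acl: List[Ace], flow: Flow) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if ace.src not in (None, flow.src) or ace.dst not in (None, flow.dst):
            continue
        if ace.sport not in (None, flow.sport) or ace.dport not in (None, flow.dport):
            continue
        return ace.action
    return "deny"

def catalyst_outcome(acl: List[Ace], flow: Flow) -> str:
    """Catalyst: deny = bypass redirection, permit = allow redirection (of web traffic)."""
    if first_match(acl, flow) == "deny":
        return "forward"
    return "redirect" if flow.dport in CATALYST_WEB_PORTS else "forward"

def wlc_outcome(acl: List[Ace], flow: Flow, https_redirect: bool = False) -> str:
    """WLC: permit = allow / bypass redirection; deny = deny, except HTTP is redirected
    (HTTPS as well once the controller runs 8.0MR1 or later)."""
    if first_match(acl, flow) == "permit":
        return "forward"
    return "redirect" if flow.dport in ({80, 443} if https_redirect else {80}) else "drop"

def invert_for_wlc(acl: List[Ace]) -> List[Ace]:
    """Same intent on the WLC: every deny becomes permit and vice versa."""
    return [a._replace(action="deny" if a.action == "permit" else "permit") for a in acl]

# Constructed flows from a client (10.1.50.20) behind the NAS at 10.1.50.2 in the LB diagrams.
SAMPLE_FLOWS = {
    "dns": Flow("udp", "10.1.50.20", 51000, "10.1.10.53", 53),
    "http": Flow("tcp", "10.1.50.20", 40000, "203.0.113.10", 80),
    "https": Flow("tcp", "10.1.50.20", 40001, "203.0.113.10", 443),
    "portal": Flow("tcp", "10.1.50.20", 40002, "10.1.99.5", 8443),
    "ssh": Flow("tcp", "10.1.50.20", 40003, "203.0.113.10", 22),
}

def evaluate(acl_text: str = SAMPLE_ACL, flows=SAMPLE_FLOWS) -> dict:
    """Outcome per flow on a Catalyst (ACL as written) and on a WLC (ACL inverted)."""
    acl = parse_acl(acl_text)
    wlc_acl = invert_for_wlc(acl)
    return {name: {"catalyst": catalyst_outcome(acl, f),
                   "wlc_7x": wlc_outcome(wlc_acl, f),
                   "wlc_80mr1": wlc_outcome(wlc_acl, f, https_redirect=True)}
            for name, f in flows.items()}
```

Applying the switch ACL verbatim to a WLC drops the client’s DNS, which is the mistake the inverted meaning of deny causes in practice.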

Page 34

Authorization Profiles for BYOD (Review from 2012 VT!)
Single SSID: 802.1X Redirect to NSP Example

• Redirect ACL must be defined on WLC
• dACL only applies to wired users.
• Airespace ACL not required for URL redirected (Web Auth state) on WLC.

Page 35

URL Redirection and ACLs
FlexConnect Configuration

• ACL Redirection: When you need to configure redirection for a Flex config, do not send the Airespace ACL—only send the redirect ACL.
  • In a standard non-Flex config, the Airespace ACL is noise, but with a Flex AP config the Airespace ACL will cause the redirect to fail. If sent in RADIUS authorization, the AP will apply the Airespace ACL, not the redirect ACL.

• ACL Enforcement: When you need to send a Flex AP ACL, be sure to set the Airespace ACL and NOT set the redirection/redirect ACL.
  • Alternatively, set a VLAN ACL on the AP gateway rather than applying it to the AP itself.

• Reference: Airespace ACLs in WLC 7.5+ http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/ACL_WLC76.html

Page 36

Tune NAD Configuration
Rate Limiting at Wireless Source

Wireless (WLC)

• RADIUS Server Timeout: Increase from default of 2 to 5 sec
• RADIUS Aggressive-Failover: Disable aggressive failover
• RADIUS Interim Accounting: v7.6: Disable; v8.0: Enable with interval of 0. (Update auto-sent on DHCP lease or Device Sensor)
• Idle Timer: Increase to 1 hour (3600 sec)
• Session Timeout: Increase to 2+ hours (7200+ sec)
• Client Exclusion: Enable and set exclusion timeout to 180+ sec
• Roaming: Enable CCKM / SKC / 802.11r (when feasible)
• Bugfixes: Upgrade WLC software to address critical defects

Diagram (Noise Suppression: NAD): the WLC’s reauth period, quiet period (5 min) and held-period / client exclusion (5 min) suppress noise from misbehaving supplicants, roaming supplicants, unknown users and re-authenticating phones.

Page 37

Wireless Best Practices
Anchor Configurations (For Your Reference)

• RADIUS Accounting with Anchor Controllers
  • Guest Anchors: Disable RADIUS Accounting on Guest Anchor WLAN (enable on Foreign only)
  • Campus Anchors: In a campus roaming scenario where all controllers need to be “primary” for the same SSID, cannot disable RADIUS Accounting.
  • Open SSIDs will always issue a new session ID with the RADIUS accounting update with the new ID, so the original connection is disconnected and the user is re-authenticated.
  • CSCul83594 Sev6 - Session-id is not synchronized across mobility if the network is open
  • CSCue50944 Sev6 - CWA Mobility Roam Fails to Foreign with MAC Filtering BYOD

Page 38

Wireless Best Practices
Roaming Considerations (For Your Reference)

• Session IDs can change when roaming between controllers (L2 or L3 roaming); going between APs on the same controller should be fine.
• Secure SSIDs (802.1X): L2/L3 roaming between controllers should be handled without reauth—all roams are basically symmetric with a tunnel back to the foreign controller
• Open SSIDs (MAB, WebAuth):
  • Avoid multiple controllers with open SSIDs – otherwise, a new session ID (reauth) will be issued regardless of whether it is an L2 or L3 roam.
  • Reauth any time the IP changes. For an open SSID, a new session ID is always issued.
• Options:
  • Stateful Controller Switchover
  • Deploy higher-capacity controllers instead of many smaller ones.
  • 802.11r will work with 7.6 or 8.0 and can be applied to the entire WLAN—simply not tested under 7.6, so a warning is provided.

Page 39

RADIUS Accounting Update Behavior in WLC v7.x
Interim Update

• WLC 7.6:
  • Recommended setting: Disabled
  • Behavior: Only send update on IP address change
  • Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates.
  • Device Sensor updates not impacted

Page 40

RADIUS Accounting Update Behavior in WLC v8.x
Interim Update

• WLC 7.6:
  • Recommended setting: Disabled
  • Behavior: Only send update on IP address change
  • Device Sensor updates not impacted

• WLC 8.0:
  • Recommended setting: Enabled with Interval set to 0
  • Behavior: Only send update on IP address change
  • Device Sensor updates not impacted
  • Settings mapped correctly on upgrades

Page 41

Techzone Articles

• ISE/WLC Version, Caveat and Timer Guide https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/ISE-WLC-Version-Caveat-and-Timer-Guide/ta-p/608346

• Prevent Large-Scale Wireless RADIUS Network Melt Downs https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Prevent-Large-Scale-Wireless-RADIUS-Network-Melt-Downs/ta-p/712713#anc7

Page 42

Public Articles

• Prevent Large-Scale Wireless RADIUS Network Melt Downs http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html

Page 43

Which WLC Software Should My Customers Deploy?

• 7.6.130.0 (7.6 MR3) – Currently the most mature and reliable feature release for ISE.
• 8.0.110.0 (8.0 MR1) – Less mature but includes new feature support + some additional fixes.

Key Defects Fixed in AireOS 7.6 (CDETS: Title)

• CSCuh03648: WLC sends different Framed-IP-Address in accounting updates
• CSCui38627: BYOD Dual SSID flow broken: WLC sends session ID not created on that ISE
• CSCuh20269: WLC sends accupdates too frequently, indicates user roams to itself
• CSCue94442: WLC starts three authentications simultaneously for the same endpoint
• CSCue37405: Rate limit radius request when Radius server is overloaded
• CSCug36414: McAllen: PreAuth DNS based ACL enhancements - EDCS: 1241322
• CSCun62368: Radius NAC Client auth issues for 7.6
• CSCuo39416: 1131/1242 not forwarding CWA redirects on 7.6
• CSCug14713: WLC sends acct-update twice in the same millisecond
• CSCue49527: WLC should delete the session ID from PMK cache when client is removed
• CSCud12582: Processing AAA Error 'Out of Memory'

Be aware of CSCur20154: HA SSO pair memory leak

Page 44

TAC Recommended AireOS 7.6 and 8.0 - 2Q CY15

In order to provide our customers with the most reliable Wireless LAN Controller software available, Cisco Wireless TAC is now offering TAC Recommended AireOS builds for 7.6 and 8.0. These "escalation" builds have several important bugfixes (beyond what is now available in CCO code) and have been operating in production at customer sites for several weeks. See the release notes for bugfix details.

At present, the TAC Recommended AireOS builds are:

• For AireOS 7.6 customers, 7.6.130.26 Release Notes

• For AireOS 8.0 customers, 8.0.110.11. (Note that this build has many bugfixes beyond what the CCO 8.0.115.0 release has) Release Notes

The TAC Recommended AireOS builds may be updated every week or two.

The migration plan, from the TAC Recommended AireOS builds to CCO code, will be to the 8.0 MR2 release, planned for later this year. (Cisco does not plan to release another 7.6 maintenance build to CCO.) 8.0 MR2 is in beta now (see https://supportforums.cisco.com/document/12492986/80mr2-beta-availability), but does not yet have all of the applicable fixes.

Cisco does not at present plan to post these builds to CCO. To request AireOS 7.6.130.26 and/or 8.0.110.11, open a Cisco TAC case on your Wireless LAN Controller contract.

https://supportforums.cisco.com/document/12481821/tac-recommended-aireos-76-and-80-2q-cy15

Page 45

Page 46

Tune NAD Configuration
Rate Limiting at Wired Source

Wired (IOS / IOS-XE)

• RADIUS Interim Accounting: Use newinfo parameter with long interval (for example, 24-48 hrs), if available. Otherwise, set 15 mins
• 802.1X Timeouts
  • held-period: Increase to 300+ sec
  • quiet-period: Increase to 300+ sec
  • ratelimit-period: Increase to 300+ sec
• Inactivity Timer: Disable or increase to 1+ hours (3600+ sec)
• Session Timeout: Disable or increase to 2+ hours (7200+ sec)
• Reauth Timer: Disable or increase to 2+ hours (7200+ sec)
• Bugfixes: Upgrade software to address critical defects.

Diagram (Noise Suppression: NAD): the switch’s reauth period, quiet period (5 min) and held-period / exclusion (5 min) suppress noise from misbehaving supplicants, roaming supplicants, unknown users and re-authenticating phones.

Page 47: Текториал по тематике информационной безопасности

Cisco Confidential 47 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

PSN Filtering and Noise Suppression: Misconfigured Client Dynamic Detection and Suppression

Flag misbehaving supplicants when they fail authentication more than once per interval:

– Send an alarm with failure stats every interval.

– Stop sending logs for repeat auth failures for the same endpoint during the rejection interval.

– A successful auth clears the flag.

Reject matching requests during the interval:

– Match these attributes: Supplicant (Calling-Station-ID), NAS (NAS-IP-Address), Failure reason

– Excludes CoA messages / bad credentials

– The next request after the interval is fully processed.

Administration > System > Settings > Protocols > RADIUS

CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes (from 30 minutes)


MnT Noise Suppression: Suppress Successful Auths and Accounting (Noise Suppression: MnT)

Administration > System > Settings > Protocols > RADIUS

Suppression interval: original range 1 – 30 seconds; new range 1 sec – 1 day.

• Do not save repeated successful auth events to the DB (events will not display in the Live Auth log).

• Stop sending accounting logs for the same session during the interval.

• Detect and log NAS retransmission timeouts for auth steps that exceed the threshold. (Step latency is visible in Detailed Live Logs.)

CSCur42723: Allow 2 accounting updates, then suppress further updates that arrive within the interval (up to 24 hrs).
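The PSN rejection logic of the previous slide and the MnT suppression rules of this one are simulated together in the following added example. It is not ISE code: the interval values are assumptions standing in for the GUI settings (the rejection interval uses the 5-minute minimum mentioned above, the accounting window the 24-hour maximum), the event stream is constructed, and the exact point at which ISE starts rejecting (here: from the second failure inside the interval) is this model's simplification.

```python
"""Simulation of the PSN and MnT noise-suppression behaviour described on the
two slides above. Added example, not ISE code: interval values are assumptions
standing in for the GUI settings and the event stream is constructed."""
from dataclasses import dataclass

# Failure reasons the PSN never suppresses (slide: "Excludes CoA messages / bad credentials").
NOT_SUPPRESSED = {"bad credentials"}


@dataclass
class Stats:
    processed: int = 0   # RADIUS requests fully processed by the PSN
    rejected: int = 0    # repeat failures rejected during the rejection interval
    logged: int = 0      # events stored by MnT (visible in Live Log)
    suppressed: int = 0  # events MnT dropped as duplicates


class NoiseSuppressor:
    def __init__(self, reject_interval=300, success_interval=60,
                 acct_interval=86400, acct_allowed=2):
        self.reject_interval = reject_interval    # PSN "Request Rejection Interval" (assumed 5 min)
        self.success_interval = success_interval  # MnT repeated-success window (1 sec - 1 day)
        self.acct_interval = acct_interval        # MnT accounting window (up to 24 h)
        self.acct_allowed = acct_allowed          # accounting updates allowed per session per window
        self.flagged = {}       # (calling_station_id, nas_ip, reason) -> [first_seen, failures]
        self.last_success = {}  # (calling_station_id, nas_ip) -> timestamp
        self.acct_windows = {}  # session_id -> [window_start, updates]
        self.alarms = []        # (key, failures), one per elapsed interval
        self.stats = Stats()

    def auth_failure(self, ts, mac, nas_ip, reason):
        """PSN side: the first failure is processed and logged; repeats inside the
        interval are rejected without logging; the next one after it is processed."""
        if reason in NOT_SUPPRESSED:
            self.stats.processed += 1
            self.stats.logged += 1
            return "processed"
        key = (mac, nas_ip, reason)
        entry = self.flagged.get(key)
        if entry and ts - entry[0] < self.reject_interval:
            entry[1] += 1
            self.stats.rejected += 1
            return "rejected"
        if entry:
            # Interval elapsed: report the accumulated failure stats, then start a new interval.
            self.alarms.append((key, entry[1]))
        self.flagged[key] = [ts, 1]
        self.stats.processed += 1
        self.stats.logged += 1
        return "processed"

    def auth_success(self, ts, mac, nas_ip):
        """A successful auth clears the misbehaving flag; MnT stores it only if the
        previous success for the same endpoint is older than success_interval."""
        self.flagged = {k: v for k, v in self.flagged.items() if k[:2] != (mac, nas_ip)}
        self.stats.processed += 1
        last = self.last_success.get((mac, nas_ip))
        if last is not None and ts - last < self.success_interval:
            self.stats.suppressed += 1
            return "suppressed"
        self.last_success[(mac, nas_ip)] = ts
        self.stats.logged += 1
        return "logged"

    def accounting_update(self, ts, session_id):
        """MnT side: allow acct_allowed interim updates per session per window, drop the rest."""
        window = self.acct_windows.get(session_id)
        if window is None or ts - window[0] >= self.acct_interval:
            window = self.acct_windows[session_id] = [ts, 0]
        if window[1] >= self.acct_allowed:
            self.stats.suppressed += 1
            return "suppressed"
        window[1] += 1
        self.stats.logged += 1
        return "logged"


# Constructed event stream: (timestamp, kind, fields...)
EVENTS = [
    (0,   "fail", "00:11:22:33:44:55", "10.1.1.1", "EAP-TLS: certificate expired"),
    (30,  "fail", "00:11:22:33:44:55", "10.1.1.1", "EAP-TLS: certificate expired"),
    (60,  "fail", "00:11:22:33:44:55", "10.1.1.1", "EAP-TLS: certificate expired"),
    (90,  "fail", "aa:bb:cc:dd:ee:ff", "10.1.1.1", "bad credentials"),
    (120, "fail", "aa:bb:cc:dd:ee:ff", "10.1.1.1", "bad credentials"),
    (400, "fail", "00:11:22:33:44:55", "10.1.1.1", "EAP-TLS: certificate expired"),
    (410, "ok",   "00:11:22:33:44:55", "10.1.1.1"),
    (420, "ok",   "00:11:22:33:44:55", "10.1.1.1"),
    (500, "ok",   "00:11:22:33:44:55", "10.1.1.1"),
    (0,     "acct", "sess-1"),
    (100,   "acct", "sess-1"),
    (200,   "acct", "sess-1"),
    (86500, "acct", "sess-1"),
]


def run(events, suppressor=None):
    """Feed events through the suppressor; return (outcome list, suppressor)."""
    s = suppressor or NoiseSuppressor()
    outcomes = []
    for ev in events:
        if ev[1] == "fail":
            outcomes.append(s.auth_failure(ev[0], *ev[2:]))
        elif ev[1] == "ok":
            outcomes.append(s.auth_success(ev[0], *ev[2:]))
        else:
            outcomes.append(s.accounting_update(ev[0], ev[2]))
    return outcomes, s


if __name__ == "__main__":
    outcomes, s = run(EVENTS)
    print(outcomes)
    print(s.stats, s.alarms)
```

Note the asymmetry the slides describe: the user who mistypes a password is never rejected (bad credentials are excluded), while an endpoint with an expired certificate hammering the PSN is answered once per interval and reported once per interval with its failure count.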


Current Cisco IT ISE Production Deployment Metrics

Infrastructure (Production):
• Guest Services: ISE 1.2, P13; 9 VM servers in one dedicated deployment
• Production: ISE 1.2, P13; 29 VM servers in one global deployment
• Pre-Production: ISE 1.3, P1; 24 VM servers in one global deployment (migration ongoing)

Services:
• Guest services (ION) (440 sites, potential 136K users & 14K guests per week)
• 802.1X Wired Monitor Mode (192 devices, 83 sites)
• 802.1X Wireless Auth Mode (400 WLAN sites, 90K+ end-users, all IT-owned WLCs except a couple of sites)
• 802.1X Wireless Auth CVO* (~15K CVO sites, ~15K global users – 60% completion)
• Wireless Policy Enforcement (2 Extranet Partner sites in BGL; pilot mode)

Total of ~600K+ profiled endpoints in the database; max of 60K+ concurrent endpoints globally

*CVO is Cisco Virtual Office, or small office/home office

Correct as of 08 March 2015


Executive Summary

Significant progress has been made in stabilizing ISE 1.2

Replication is now working across the deployment with RADIUS probing and SNMP polling enabled

Next steps (*after shutdown):

• Apply ISE SNMP fixes and enable SNMP polling – reduce traffic from CVO sites*
• Cisco IT to continue updating network devices and endpoints to reduce "traffic"
• Resume production rollout (CVOs and wired devices)
• Post mortem to review lessons learned and "product enhancements"*

Item / Owner / Impact / Status:

• Configure ACE for accounting "stickiness" / Cisco IT / High – reduced accounting traffic from 6M to 3M txns per day / Done
• Implement eng fix to enable accounting suppression / SAMPG / High – further reduction in accounting traffic / Done
• Remove "IP" as a significant attribute / SAMPG (design change) / High – removed traffic from "noisy" endpoints / Done
• Implement WLC OS updates to fix duplicate accounting issue / Cisco IT / High – reduce traffic from wireless network accounting txns / 90% complete (12/17)
• Implement eng fix for SNMP polling / SAMPG / High – reduce # of SNMP traffic to enable CVO / TBD after shutdown


Impact of Config Changes and Engineering Fixes: Reduction of Transaction Load on the ISE IT Deployment (chart)


Cisco IT and the Identity Services Engine: A multiyear deployment journey

• WhitePaper: http://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/wp-en-02092015-identity-services-engine.html

• Attend the Cisco on Cisco session on Friday by Bassem Khalife

• Look for the Cisco IT Deployment Case Study session at Live San Diego!

PSOSEC 2001


Enable EAP Session Resume / Fast Reconnect

Major performance boost, but not a complete auth, so avoid an excessive timeout value.

(Screenshot options: Skip inner method; Cache TLS session; Cache TLS (TLS Handshake Only/Skip Cert))


Scaling AD Integration with Sites & Services

How do I ensure the local PSN is connecting to the local AD controller?

[Diagram: Without Sites & Services, the PSN in Site 'X' and the PSN in Site 'Y' each ask "Which AD server should I connect to?" (AD 'X' or AD 'Y'). Properly configured, the PSN in Site 'X' connects to local AD server X and the PSN in Site 'Y' connects to local AD server Y.]


AD Sites and Services

Links AD Domain Controllers to Client IP Networks

DNS and DC Locator Service work together to return list of “closest” Domain Controllers based on client Site (IP address)


Multi-Forest Active Directory Support (New in ISE 1.3)

Scales AD Integration through Multiple Join Points and Optimized Lookups

• Join up to 50 Forests or Domains without mutual trusts

• No need for a 2-way trust relationship between domains

• Advanced algorithms for dealing with identical usernames

• SID-Based Group Mapping

• PAP via MS-RPC

• Support for disjointed DNS namespace

[Diagram: ISE joined to domain-1.com, domain-2.com ... domain-n.com]


AD Authentication Flow

AuthC Policy to AD → Scope (Optional) → AD Instance → Domain List (Optional) → Identity Rewrite (Optional) → Target AD



Authentication Domains (Whitelisting)

• "Whitelist" only the domains of interest—those used for authentication!

• In this example, the join point can see many trusted domains but we only care about r1.dom: enable r1.dom and disable the rest.


Authentication Domains – Unusable Domains

• Domains that are unusable, e.g. 1-way trusts, are hidden automatically

• There's an option to reveal these and see the reason


Run the AD Diagnostic Tool

Check AD joins upon install and periodically to verify potential AD connectivity issues

• The DNS SRV errors can actually mean something else

• The response was too big…and was retried with TCP, etc.

• A sniffer can confirm

• AD Sites or DNS configuration changes are required to get that optimized


Validating DNS from ISE node CLI

• Checking SRV records for Global Controllers (GC)

psn/admin# nslookup _ldap._tcp.gc._msdcs.myADdomain.com querytype SRV

• Checking SRV records for Domain Controllers (DC)

psn/admin# nslookup _ldap._tcp.dc._msdcs.myADdomain.com querytype SRV

• More details on Microsoft AD DNS queries: https://technet.microsoft.com/en-us/library/cc959323.aspx
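What the two nslookup commands return can be checked offline against the best-practice requirement that every domain controller has A, PTR and SRV records. The script below is an added example, not ISE code: it parses SRV answers in the `name service = priority weight port target` format that a BIND-style nslookup prints, orders the targets the way a DC locator would (RFC 2782: lowest priority first, heavier weight preferred), and reports controllers whose forward or reverse records are missing. The nslookup output, domain name and record tables are constructed.

```python
"""Offline check of the DNS records an ISE node needs to find its domain
controllers: parse SRV answers as printed by the nslookup commands above, order
the targets per RFC 2782 (priority, then weight) and verify each target has the
A and PTR records the AD best practices call for. Added example, not ISE code;
the nslookup output and record tables are constructed."""
import re
from dataclasses import dataclass

SRV_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+service\s*=\s*(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_output(text):
    """Parse 'name service = priority weight port target' lines (BIND nslookup format)."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE_RE.match(line.strip())
        if m:
            records.append(SrvRecord(m.group("name"), int(m.group("prio")),
                                     int(m.group("weight")), int(m.group("port")),
                                     m.group("target").rstrip(".")))
    return records


def order_targets(records):
    """RFC 2782 order: lowest priority first; within a priority, heavier weights are
    preferred (a real resolver picks randomly in proportion to weight; this
    deterministic sort shows the preference)."""
    return [r.target for r in sorted(records, key=lambda r: (r.priority, -r.weight))]


def check_dc_records(records, a_records, ptr_records):
    """Return (target, problem) pairs for DCs missing forward or reverse records."""
    problems = []
    for r in records:
        ip = a_records.get(r.target)
        if ip is None:
            problems.append((r.target, "no A record"))
            continue
        if ptr_records.get(ip) != r.target:
            problems.append((r.target, f"no PTR record for {ip}"))
    return problems


# Constructed nslookup answer for _ldap._tcp.dc._msdcs.example.com plus the matching
# forward/reverse zones: dc-backup has no A record and dc2 has no PTR record.
SAMPLE_SRV_OUTPUT = """\
Server:   10.0.0.53
Address:  10.0.0.53#53

_ldap._tcp.dc._msdcs.example.com   service = 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com   service = 10 50 389 dc-backup.example.com.
_ldap._tcp.dc._msdcs.example.com   service = 0 200 389 dc2.example.com.
"""
A_RECORDS = {"dc1.example.com": "10.0.0.10", "dc2.example.com": "10.0.0.11"}
PTR_RECORDS = {"10.0.0.10": "dc1.example.com"}

if __name__ == "__main__":
    recs = parse_srv_output(SAMPLE_SRV_OUTPUT)
    print("preference order:", order_targets(recs))
    for target, problem in check_dc_records(recs, A_RECORDS, PTR_RECORDS):
        print(f"{target}: {problem}")
```

Run against real output, a controller reported with "no A record" is exactly the case where the DC locator falls back to another site, which is what the Sites and Services slides are trying to avoid.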


Debug Active Directory Log: Elevate to DEBUG log level (TRACE is overkill)


Getting AD Captures – Using Advanced Tuning (this will disable AD encryption temporarily)

We do not publish the available Advanced Tuning parameters, as they are expected to be used only under TAC guidance for exceptional issues.


AD Integration Best Practices

• DNS servers in ISE nodes must have all relevant AD records (A, PTR, SRV)

• Ensure NTP is configured for all ISE nodes and AD servers

• Configure AD Sites and Services (with ISE machine accounts configured for the relevant Sites)

• Configure Authentication Domains (whitelist the domains needed) (ISE 1.3)

• Use UPN/fully qualified usernames when possible to expedite user lookups

• Use AD indexed attributes* when possible to expedite attribute lookups

• Run Diagnostics from the ISE Admin interface to check for issues.

* Microsoft AD Indexed Attributes: http://msdn.microsoft.com/en-us/library/ms675095%28v=vs.85%29.aspx http://technet.microsoft.com/en-gb/library/aa995762%28v=exchg.65%29.aspx

Cisco Live Online: www.ciscolive.com/online: BRKSEC-2132 - What's New in ISE Active Directory Connector, presented by Chris Murray


Internal Certificate Authority: Why use ISE as a Certificate Authority?

• Microsoft Public Key Infrastructure via a 2003/2008 Enterprise Server can add significant complexity and expense to an ISE deployment.

Benefits of internal CA:

• Internal CA simplifies ISE deployment

• ISE can deliver certificates directly to endpoints

• No need to rely on integrating ISE to PKI for BYOD cert provisioning

• Internal CA can still work with existing PKI infrastructure

• Closed-loop BYOD solution

• Focused on BYOD and MDM use cases only, not a general-purpose CA


Configuring the Native Certificate Authority

• Enabled by default. Yes, that's really it! (So easy)


NSP Flow – Internal CA

[Diagram: Employee endpoint (iOS) on SSID = CORP ↔ PSN (RA) ↔ Internal CA]

1. Employee connects to SSID = CORP: RADIUS Access-Request / RADIUS Access-Accept.
2. CSR is generated on iOS; SCEP password = SessionID + Random Key (from ISE).
3. CSR sent to ISE PSN (RA) via SCEP; PSN validates the password challenge (session + random key).
4. CA selection: CPP Certificate Template = Internal, so the CSR is sent to the Internal CA.
5. User certificate issued: CN = AD UserName; SAN = values from template.
6. ISE sends the certificate to the endpoint, then sends the profile: signing certificate + user certificate, Wi-Fi profile with EAP-TLS configured.
7. CoA: ReAuth; the endpoint authenticates with EAP-TLS using the user cert.


NSP Flow – External CA

[Diagram: Employee endpoint (iOS) on SSID = CORP ↔ PSN (RA) ↔ external CA]

1. Employee connects to SSID = CORP: RADIUS Access-Request / RADIUS Access-Accept.
2. CSR is generated on iOS; SCEP password = SessionID + Random Key (from ISE).
3. CSR sent to ISE PSN (RA) via SCEP; PSN validates the password challenge (session + random key).
4. CA selection: CPP Certificate Template = External, so the PSN acts as SCEP proxy to the external certificate authority.
5. User certificate issued: CN = AD UserName; SAN = values from template.
6. ISE sends the certificate to the endpoint, then sends the profile: signing certificate + user certificate, Wi-Fi profile with EAP-TLS configured.
7. CoA: ReAuth; the endpoint authenticates with EAP-TLS using the user cert.


ISE CA: Multiple Personalities/Identities

• Root CA

• OCSP Server

• Subordinate CA

• Registration Authority


ISE Certificate Authority Architecture

[Diagram: Primary PAN = Primary ISE CA (Root CA); Standby PAN = another Root CA; each of the four PSNs runs a Subordinate CA, a SCEP RA and an OCSP Server.]

Root CA is used to sign the certificates for the Subordinate CAs. Subordinate CA signs the actual endpoint certs. Secondary PAN is another Root CA! Ensure you export from the Primary PAN and import on the Secondary.


Node Registration Process Overview

1. PSN is joined to the ISE deployment.
2. PAN tells the PSN to generate 3x CSRs (OCSP, Sub_CA_Endpoint, RA); the CSRs are generated on the PSN.
3. 3x CSRs sent to the Root CA (PAN).
4. 3x certificates issued: OCSP > Root; Sub_CA_EP > Root; RA > Root.

All PSNs are instructed by the PAN to generate the CSRs. PAN (Root CA) signs all three certs per node. Secondary PAN does not generate CSRs to the Root CA. MnT does not generate any CSRs to the Root CA.

Each PSN will get three certificates for CA functions:
• Subordinate CA – to sign endpoint certificates
• OCSP – to identify the node with the OCSP service
• Registration Authority (RA) – to identify the sub-CA when requesting certificates for endpoints.


Issue & Revoke Endpoint Certificates

• Lists all the endpoint certificates issued by the Internal CA.

• Status – Active, Revoked, Expired

• Quick overview of certificate details, including the template used

• Automatically revoked when an endpoint is marked as "Stolen"

• Certificates may be manually revoked

View Endpoint Certificate contents (screenshot)

Revoke certificates (screenshot)

Certificate Operations (Administration > System > Certificates > Certificate Signing Requests)

• Re-gen Root CA

• Make ISE a subordinate CA

• Renew OCSP Responder Certs

• Generate CSRs for certs used for: Portals, Admin, pxGrid, EAP


Re-generate the Root CA

• The entire certificate chain can be re-generated if needed.

• Old CA certificates remain in the Trust store to ensure authentication of previously provisioned endpoints works successfully.


ISE as an Intermediate CA

• ISE's internal CA can work seamlessly with an existing CA in your deployment.

• Just make it an intermediate CA (subordinate CA) to your existing CA.

• Create a CSR for the ISE node and get a certificate issued by the existing CA.


ISE as an Intermediate (Subordinate) CA

• Ensure that you get a certificate from your existing CA with key certificate signing capabilities (Sub_CA template).

• Ensure the existing Root CA has a tree size >= 3 (ISE is 2 tiers).


Certificate Revocation

• Online Certificate Status Protocol (OCSP)
  • Preferred method
  • Provides near real-time updates
  • Allows near real-time request
  • Think: policeman checking from a laptop in the squad car, with a live query into the DMV database.

• Certificate Revocation List (CRL)
  • A signed document published on a website
  • Periodically downloaded and stored locally
  • The server examines the CRL to see if the client's cert was revoked already.
  • Think: policeman having a list of suspended drivers in his squad car.

Note: ISE does not use the CRL field in the cert, only the local configuration.

Screenshots: Default Internal OCSP Configuration; OCSP Check; CA Server status

Native Supplicant Profile (screenshot: BYOD-NSP using certificate template TLS-template)


Certificate Template(s)

• Define Internal or External CA

• Set the key sizes

• SAN field options: MAC Address (no free-form adds)

• Set length of validity

(Screenshot: TLS-template)


ISE CA: Dual Root Phenomenon

[Diagram: P-PAN (Root CA) signed the Subordinate CA / SCEP RA certs of PSN 1-3; S-PAN was promoted and signed the Subordinate CA / SCEP RA certs of the 4th PSN.]

• The 4th PSN was added to the deployment while S-PAN was temporarily the root.

• Now it has a different chain of trust!


ISE CA: Dual Root Phenomenon (Single Chain of Trust)

[Diagram: after the export/import, the 4th PSN's Subordinate CA / SCEP RA certs chain to the same Root CA as PSN 1-3.]

• Export Root CA & import into S-PAN

• The 4th PSN was added to the deployment while S-PAN was temporarily the root.

• S-PAN has the same chain of trust

lab-ise/admin# application configure ise
Selection ISE configuration option
<Snip>
[7]Export Internal CA Store
[8]Import Internal CA Store
</Snip>
[12]Exit
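The dual-root problem is a chain-building failure: the 4th PSN's certificates chain to a root key that the rest of the deployment does not trust, even though every certificate is well formed. The following added example models that (it is not ISE code and does no real signature verification): certificates are linked by Subject/Authority Key Identifier, key identifiers are SHA-256 fingerprints of constructed key strings, and the hostnames and user name are placeholders. Before the export/import the S-PAN root has its own key pair and validation fails; after it, the S-PAN carries the P-PAN key pair and the same chain validates.

```python
"""Model of the 'dual root' situation above: certificates are linked by
Subject/Authority Key Identifier, and a chain is trusted only if it reaches a
root in the node's trust store. Added example, not ISE code: the key identifiers
are SHA-256 fingerprints of constructed key strings and stand in for real
signature verification."""
import hashlib
from dataclasses import dataclass


def key_id(public_key_material):
    return hashlib.sha256(public_key_material.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    subject_key_id: str    # identifies the key in this cert
    authority_key_id: str  # key that signed this cert (== subject_key_id for a self-signed root)

    @property
    def is_self_signed(self):
        return self.subject_key_id == self.authority_key_id


def build_chain(leaf, pool, max_depth=8):
    """Walk from the leaf up through the issuers found in pool (keyed by subject_key_id)."""
    chain = [leaf]
    while not chain[-1].is_self_signed and len(chain) < max_depth:
        issuer = pool.get(chain[-1].authority_key_id)
        if issuer is None:
            break
        chain.append(issuer)
    return chain


def is_trusted(leaf, pool, trust_store):
    """True if the chain ends at a self-signed cert present in trust_store (matched by key id)."""
    top = build_chain(leaf, pool)[-1]
    return top.is_self_signed and top.subject_key_id in {c.subject_key_id for c in trust_store}


def root(hostname, key_material):
    kid = key_id(key_material)
    cn = f"CN=Certificate Services Root CA - {hostname}"
    return Cert(cn, cn, kid, kid)


def sub_ca(hostname, signer):
    return Cert(f"CN=Certificate Services Endpoint Sub CA - {hostname}", signer.subject,
                key_id(f"{hostname}-subca-key"), signer.subject_key_id)


def endpoint_cert(user, signer):
    return Cert(f"CN={user}", signer.subject, key_id(f"{user}-key"), signer.subject_key_id)


def dual_root_scenario(ca_store_imported):
    """Return whether an endpoint cert issued through the 4th PSN validates against
    the trust store the other PSNs carry (the P-PAN root only). Hostnames and the
    user name are placeholders."""
    p_pan_root = root("p-pan", "p-pan-root-key")
    # S-PAN generated its own root when it was promoted; after an export/import of
    # the internal CA store it carries the P-PAN key pair instead.
    s_pan_root = p_pan_root if ca_store_imported else root("s-pan", "s-pan-root-key")
    psn4_sub_ca = sub_ca("psn4", s_pan_root)   # issued while S-PAN was primary
    leaf = endpoint_cert("employee1", psn4_sub_ca)
    pool = {c.subject_key_id: c for c in (p_pan_root, s_pan_root, psn4_sub_ca)}
    trust_store = [p_pan_root]
    return is_trusted(leaf, pool, trust_store)


if __name__ == "__main__":
    print("before export/import:", dual_root_scenario(False))  # different chain of trust
    print("after export/import: ", dual_root_scenario(True))   # single chain of trust
```

The point to notice is that nothing in the leaf or sub-CA certificate looks wrong on its own; only the key identifier of the root it chains to decides whether an EAP-TLS authentication against a PSN 1-3 succeeds.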


Export CA Certs

Exporting the CA certs to a repository: the export is an encrypted GPG bundle of four key pairs (Root CA, Sub CA, RA, OCSP).

Ise-pan1/admin# application configure ise
Selection ISE configuration option
<SNIP>
[7]Export Internal CA Store
[8]Import Internal CA Store
</SNIP>
[12]Exit
7
Export Repository Name: NAS
Enter encryption-key for export: ##########
Export on progress...............
The following 4 CA key pairs were exported to repository 'NAS' at 'ise_ca_key_pairs_of_atw-lab-ise':
Subject:CN=Certificate Services Root CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x10d18efb-92614084-895097f2-9885313b
ISE CA keys export completed successfully


Import of CA Certs

Always perform the certificate import to the secondary PAN: this ensures that the same PKI tree is always used.

ise-pan1/admin# application configure ise
Selection ISE configuration option
<SNIP>
[7]Export Internal CA Store
[8]Import Internal CA Store
</SNIP>
[12]Exit
8
Import Repository Name: NAS
Enter CA keys file name to import: ise_ca_key_pairs_of_atw-lab-ise
Enter encryption-key: ########
Import on progress...............
The following 4 CA key pairs were imported:
Subject:CN=Certificate Services Root CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x10d18efb-92614084-895097f2-9885313b
Stopping ISE Certificate Authority Service...
Starting ISE Certificate Authority Service...
ISE CA keys import completed successfully

• After an upgrade, immediately export/import the CA certs.

• If you want the original PPAN to stay Primary after the upgrade, promote the Secondary after the CA certs are imported.

• Or… promote the Secondary before the upgrade, upgrade ISE, and then export/import the CA certs


Deleting ISE CA Certs

• Under ISE 1.3, Delete will revoke the certificate from the CA
  • All endpoint certificates will now be invalid & rejected
  • Cannot undo

• Under ISE 1.4, separate options for Delete and Delete+Revoke.


What is an X.509 Certificate

• A certificate is a signed document…

• Think of it like a government form of identity

[Diagram: X.509 certificate fields – username, organization, location]


What is the Purpose of an X.509 Certificate?

• Provides an identity: who is the user, what is the endpoint, website identity

• Acts as a seed value for encryption


ISE and Certificates: Multiple Identities

[Diagram: ISE holds certificates for its Secure Web Server, Internal Communications, Root CA and Authentication Server identities.]

802.1X exchange (Supplicant – Layer 2 link – Authenticator – Layer 3 link – Authentication Server; the port stays unauthorized until the exchange completes):

EAPoL Start
EAP-Request/Identity
EAP-Response/Identity → RADIUS Access-Request
RADIUS Access-Challenge [AVP: EAP-Request PEAP] → EAP-Request/PEAP
EAP-Response/PEAP → RADIUS Access-Request [AVP: EAP-Response: PEAP]
(Multiple challenge-request exchanges possible)


Certificates and Web Portals

All web portals (Admin, WebAuth, MyDevices, Sponsor, CPP, etc.): Client/Browser → SSID → NAD → ISE

Step 1: Initiate request to establish an HTTPS tunnel with the portal (https://ISE/admin)

Step 2: Certificate sent to the browser

Step 3: User is prompted to accept the certificate. Once accepted, it is stored in the browser, keychain, or trusted store

Step 4: SSL tunnel is formed, encrypting the HTTP communications (HTTPS)


Certificates and EAP Communication

EAP connections (PEAP, FAST, EAP-TLS): Client/Supplicant → SSID → NAD → ISE

Step 1: Initiate request to establish a TLS tunnel with the authenticator

Step 2: Certificate sent to the supplicant

Step 3: User is prompted to accept the certificate. If accepted, it is stored in the Wi-Fi profile

Step 4: TLS tunnel is formed, EAP happens next


ISE Admin/EAP/Portal Certificate Examination

• Publicly signed certificate

• Purpose is for client and server auth

• SAN includes the wildcard and the CN (CN = ise.company.com; SAN = *.company.com, ise.company.com)

• Used for Admin, Portal and EAP. Any portal using the Portal-Tag "ISE Wildcard Cert" uses this cert.

(Screenshot: system certificates for ise.company.com and ise-lab.company.com)


ISE Root Certificate Examination

• Self-signed certificate (it's a Root Cert)

• Purpose is for cert signing / it is a CA

• The only way to access the Root Certificate is via the CLI:

ise/admin# application configure ise
Selection ISE configuration option
<Snip>
[7]Export Internal CA Store
[8]Import Internal CA Store
</Snip>
[12]Exit

(Screenshot: ise-ca, ise-ca-#0002)


Endpoint Certificate Examination

• Purpose is for client auth

• SAN includes the MAC address

• Signed by the ISE Sub-CA

(Screenshot: CN=employee1, issued by ise-ca)


Certificate Provisioning User Experience in ISE 1.0 – 1.2

For each node separately (Primary PAN, PSN #1, PSN #20, PSN #40 ...):

• Generate CSR for the node

• Bind CA-signed cert for the node


Centralized Certificate Management in 1.3

• Generate CSRs for ALL NODES at the Primary PAN

• Bind CA-signed certs for ALL NODES at the Primary PAN

• Manage System (Local) certs for ALL NODES at the Primary PAN

[Diagram: Primary PAN managing PSN #1, PSN #20, PSN #40]


Manage System Certificates

• Certificates used by: Admin, HTTPS Portals, pxGrid, EAP

• These are private/public key pairs – i.e. they identify ISE personalities

(Screenshot: ise.company.com with Portal-Tag "ISE Wildcard Cert"; ise-lab.company.com)


Certificates your ISE Deployment will "Trust"

• Trust for EAP, MDM, etc.

• These are copies of their public certs, i.e. they identify other systems


Trusted Certificates

• In 1.3, trusted certificates have a new "Trusted For" attribute.

• Security goal: to prevent the public certificates used for Cisco Services from being used internally.

• When importing a trust certificate, the user must specify what the certificate is trusted for.

• It is important to select at least one category, or the cert will not be used in any trust store.


System Certificate Roles – ISE 1.3

1.2 Role Name | 1.3 Role Name | How Many | May Use Wildcard (*) in Subject | May Use Wildcard (*) in SAN
HTTPS | Admin | 1 | Yes | Yes
EAP | EAP Authentication | 1 | No (1) | Yes
- | pxGrid | 1 | No | No
- | Portal | Many | Yes | Yes

(1) While ISE technically allows a wildcard in the CN, Microsoft supplicants will reject it, so it is never recommended.

• Admin cert is the server cert for the Admin Console

• pxGrid cert is the server cert for authenticating the ISE node to pxGrid clients

• Portal cert is a server cert associated with a particular ISE portal (Guest, Sponsor, My Devices, …)

• In a freshly installed node, the default self-signed cert has all four roles

Certificates for all roles are managed from the Primary PAN node.
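The role table lends itself to a pre-deployment check before certificates are bound: how many certificates may carry a role and where a wildcard is acceptable. The script below is an added example, not ISE code; the rule table is a transcription of the slide (including the footnote about Microsoft supplicants and a wildcard CN), and the certificate sets are constructed, the first one mirroring the wildcard certificate shown on the earlier "Certificate Examination" slide.

```python
"""Check a set of ISE system certificates against the role rules in the table
above (certificates per role, where a wildcard is allowed). Added example, not
ISE code; the certificates are constructed."""

# role -> (max certificates for the role, wildcard allowed in Subject CN, wildcard allowed in SAN)
ROLE_RULES = {
    "Admin": (1, True, True),
    "EAP Authentication": (1, False, True),   # footnote: Microsoft supplicants reject a wildcard CN
    "pxGrid": (1, False, False),
    "Portal": (None, True, True),             # "Many"
}


def check_system_certs(certs):
    """certs: list of dicts with keys cn, sans (list of str), roles (list of str).
    Returns a list of human-readable problems; an empty list means the set is valid."""
    problems = []
    per_role = {}
    for cert in certs:
        for role in cert["roles"]:
            if role not in ROLE_RULES:
                problems.append(f"{cert['cn']}: unknown role {role}")
                continue
            per_role.setdefault(role, []).append(cert["cn"])
            _, cn_wildcard_ok, san_wildcard_ok = ROLE_RULES[role]
            if cert["cn"].startswith("*") and not cn_wildcard_ok:
                problems.append(f"{cert['cn']}: wildcard CN not allowed for {role}")
            if any(san.startswith("*") for san in cert["sans"]) and not san_wildcard_ok:
                problems.append(f"{cert['cn']}: wildcard SAN not allowed for {role}")
    for role, holders in per_role.items():
        limit = ROLE_RULES[role][0]
        if limit is not None and len(holders) > limit:
            problems.append(f"{role}: {len(holders)} certificates assigned, maximum is {limit}")
    return problems


# Constructed certificates. The first mirrors the slide's wildcard cert: the CN is the
# node name and the wildcard lives only in the SAN, which every role but pxGrid accepts.
GOOD_CERTS = [
    {"cn": "ise.company.com", "sans": ["*.company.com", "ise.company.com"],
     "roles": ["Admin", "EAP Authentication", "Portal"]},
    {"cn": "ise.company.com", "sans": ["ise.company.com"], "roles": ["pxGrid"]},
]
BAD_CERTS = [
    {"cn": "*.company.com", "sans": ["*.company.com"], "roles": ["EAP Authentication", "pxGrid"]},
    {"cn": "ise-lab.company.com", "sans": [], "roles": ["Admin"]},
    {"cn": "ise.company.com", "sans": [], "roles": ["Admin"]},
]

if __name__ == "__main__":
    print(check_system_certs(GOOD_CERTS))  # no problems
    for problem in check_system_certs(BAD_CERTS):
        print(problem)
```

The second set shows the two failure modes worth catching early: a wildcard in the CN assigned to EAP or pxGrid, and two certificates competing for a single-holder role.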


ISE 1.3: Multiple Web Portals

• Each Portal Exists on ALL PSN’s

• Each Portal Requires a Certificate

• One Certificate per Interface > IP:Port

• Each PSN Could Have Unique Certificates (Identity)

Each Portal Could Use A Different Certificate

110

ISE PSN-1

ISE PSN-2

ISE PSN-3

Certificates

Page 111

Problem: Assign Certificate on All PSNs to Portal?

• New UI paradigm with ISE 1.3 is to keep all portal configuration together.
• Options:
  • Add complexity to the Portal Configuration page by choosing certificates on each node? What about large deployments (40 PSNs)?
  • Configure it entirely outside of the Portal Configuration screen?
  • Some way to combine?

[Figure: “How to assign at scale” – portal Hotspot-DRW would need PSN-1: Cert1, PSN-2: Cert2, PSN-3: Cert3]

Page 112

Solution: Portal (Certificate) Group Tag

• Portal Group Tag provides a solution to configure node-specific certificates for portal configuration by associating node certificates to a logical name.
• Referred to as Certificate Group Tag in 1.3 and Portal Group Tag in 1.4.

[Figure: Portal Group Tag “GuestPortalCerts” grouping the certificates of Node 1 (Pri Admin, MNT and PSN), Node 2 (Sec Admin, MNT and PSN) and Node 3 (PSN) under one logical name referenced by the portal configuration]

Page 113

ISE 1.4 Enhancement – Portal Tag “Where Used”

Page 114

Certificate Chains

• For scalability, X.509 Certificate Authorities may have a hierarchy
• ISE will present the full signing chain to the client during authentication
• Client must trust each CA within the chain

[Figure: chain Root CA -> Subordinate CA -> ISE cert (ise.company.com), shown as the Root, Sub and ISE certificates]

Page 115

Always Add the Root and Subordinate CAs

• Import all certificates in the chain, one at a time (individually, not as a single file), in PEM format!
• If you must use a PKCS chain, it needs to be in PEM format (not DER)

[Figure: Root CA, Subordinate CA and ISE cert (ise.company.com) imported individually]

Page 116–118

Joining an ISE Deployment

• In order to join an ISE node to an existing ISE deployment:
  • You must trust the PAN certificate on the Secondary node(s)
  • Secondary nodes must trust PAN certs
• Then you upgrade all certs:
  • Delete the old self-signed certificates from the System Certs
  • Delete the old self-signed certs from the Trusted Cert Store
• So, it is often easier to upgrade to a CA-signed and trusted cert before joining the deployment.

[Figure: “Mutual Trust Required” – PAN, PSN1 and PSN2, each node’s cert present in the others’ Trusted Certs store; the old self-signed PSN certs are then removed]

For Your Reference

Page 119

Simple URL for My Devices & Sponsor Portals

• In 1.3: Sponsor Portal and My Devices Portal accessed via a user-friendly URL and selectable port.
  • Ex: http://mydevices.company.com – automatic redirect to https://fqdn:port
• FQDN for URL must be added to DNS and resolve to the Policy Service node(s) used for Guest Services.
• Recommend populating the Subject Alternative Name (SAN) field of the PSN local cert with this alternative FQDN or a wildcard to avoid SSL cert warnings due to name mismatch.

[Figure: portal settings showing the friendly URL mydevices.company.com]

Page 120

ISE Certificate without SAN – Certificate Warning (Name Mismatch)

[Figure: sponsor browses to http://sponsor.company.com; DNS lookup = sponsor.company.com, DNS response = 10.1.99.5; a load balancer (100.1.98.8) fronts ISE-PSN-1 (100.1.99.5), ISE-PSN-2 (100.1.99.6) and ISE-PSN-3 (100.1.99.7); the browser is redirected to https://sponsor.company.com:8443/sponsorportal]

Name Mismatch! Requested URL = sponsor.company.com; Certificate Subject = ise-psn-3.company.com

For Your Reference

Page 121

ISE Certificate with SAN – No Certificate Warning

[Figure: same flow; sponsor browses to http://sponsor.company.com; DNS lookup = sponsor.company.com, DNS response = 10.1.99.5; load balancer (100.1.99.8) fronts ISE-PSN-1 (100.1.99.5), ISE-PSN-2 (100.1.99.6) and ISE-PSN-3 (100.1.99.7); the browser is redirected to https://sponsor.company.com:8443/sponsorportal]

Certificate OK! Requested URL = sponsor.company.com; Certificate SAN = sponsor.company.com

For Your Reference

Page 122

ISE Certificate with SAN – “Universal Certs”

• CN must also exist in SAN
• Other FQDNs or a wildcard as “DNS Names”
• IP address is also an option
• Universal cert options: UCC / Multi-SAN, or Wildcard SAN

[Figure: certificate for ise-psn.company.com (roles: ise-psn/Admin) with SAN DNS names ise-psn.company.com, mydevices.company.com and sponsor.company.com]

Page 123

“Traditional” Wildcard Certificates

• Wildcard certificates are used to identify any secure web site that is part of the domain:
  • Ex: *.domain.com works for:
    • www.domain.com
    • mydevices.domain.com
    • sponsor.domain.com
    • AnyThingIWant.domain.com
  • but != psn.[ise].domain.com: the position of the wildcard in the FQDN is fixed, it covers only the single leftmost label

[Figure: browser at https://ise-psn-1.company.com/admin/login.jsp accepting a *.company.com certificate served by each PSN]

For Your Reference

Page 124

Wildcard Certificates – Why use with ISE?

• Use of all portals and friendly URLs without certificate match errors.
• Most importantly: ability to host the exact same certificate on all ISE PSNs for EAP authentications.
• Why, you ask?

For Your Reference

Page 125

Clients Misbehave!

• Example education customer:
  • ONLY 6,000 endpoints (all BYOD style)
  • 10M auths / 9M failures in 24 hours!
  • 42 different failure scenarios – all related to clients dropping TLS (both PEAP and EAP-TLS).
  • Supplicant list: Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
• 5411 No response received during 120 seconds on last EAP message sent to the client
  • This error has been seen at a number of Escalation customers
  • Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.

For Your Reference

Page 126

Clients Misbehave: Apple Example

• Multiple PSNs
• Each cert signed by a trusted root
• Apple requires Accept on all certs!
• Results in 5411 / 30 sec retry

1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client roams
5. Authentication goes to ISE-2
6. Client prompts for Accept

[Figure: Apple iOS/MacOS client whose WiFi profile trusts ise-psn-1.domain.com, connecting via SSID/NAD to ISE-1 (ise-psn-1.domain.com) and ISE-2 (ise-psn-2.domain.com), both signed by the same Cert Authority]

Page 127

Solution: Common Cert, Wildcard in SAN

• A wildcard allows anything ending with the domain name.
• The same EXACT private/public key pair may be installed on all PSNs.

Page 128

Solution: Common Cert, Wildcard in SAN

• CN = ise-psn.domain.com
• SAN contains:
  • ise-psn.domain.com
  • *.domain.com, or
  • all PSN FQDNs
• Wildcard SAN support: comodo.com CA, SSL.com CA, Digicert.com CA, Symantec/Verisign CA, Microsoft 2008 CA
• Failed with GoDaddy CA: does not support * in SAN, only supports * in CN

1. Authentication goes to PSN-1
2. PSN-1 sends certificate
3. Client trusts PSN-1
4. Client roams
5. Authentication goes to PSN-2
6. Client already trusts cert

[Figure: same topology as the previous slide, but ISE-1 (ise-psn-1.domain.com) and ISE-2 (ise-psn-2.domain.com) now present the common ise-psn.domain.com certificate, which the WiFi profile already trusts]

Page 129

SSL Certificates for Internal Server Names

After November 1, 2015, certificates for internal names will no longer be trusted.

In November 2011, the CA/Browser Forum (CA/B) adopted Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates that took effect on July 1, 2012. These requirements state:

• CAs should notify applicants prior to issuance that use of certificates with a Subject Alternative Name (SAN) extension or a Subject Common Name field containing a reserved IP address or internal server name has been deprecated by the CA/B.
• CAs should not issue a certificate with an expiration date later than November 1, 2015 with a SAN or Subject Common Name field containing a reserved IP address or internal server name.

Source: Digicert – https://www.digicert.com/internal-names.htm

Page 130

Use Publicly-Signed Certs for Guest Portals!

• In 1.3, the HTTPS cert for Admin can be different from web portals
• Guest portals can use a different, public certificate
• Admin and internal employee portals (or EAP) can still use certs signed by a private CA.

[Figure: “Public Portal Certificate Group” – certs assigned to this group are signed by a 3rd-party CA. Redirection is based on the first service-enabled interface: if eth0, return the host FQDN; else return the interface IP.]

Page 131

CWA Example

• CWA Guest Portal access for ISE-PSN1 configured for eth1
• IP address for eth1 on ISE-PSN1 is 10.1.91.5
• Resulting URL redirect = ???

DNS and Port Settings – Single Interface Enabled for Guest Portal

ISE Node  IP Address  Interface
ISE-PSN1  10.1.99.5   # eth0
ISE-PSN1  10.1.91.5   # eth1
ISE-PSN1  10.1.92.5   # eth2
ISE-PSN1  10.1.93.5   # eth3

Resulting redirect: https://10.1.91.5:8443/... – I have a feeling this is going to end badly!

Page 132

CWA Example with FQDNs in SAN – URL Redirection Uses First Guest-Enabled Interface (eth1)

ISE-PSN1 interfaces: Admin/RADIUS eth0: 10.1.99.5; Guest eth1: 10.1.91.5; MyDevices eth2: 10.1.92.5; Sponsor eth3: 10.1.93.5

ISE Certificate: Subject = ise-psn1.company.com; SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com

1. RADIUS Authentication requests sent to ise-psn1 @ 10.1.99.5.
2. RADIUS Authorization received from ise-psn1 @ 10.1.99.5 with URL Redirect to https://10.1.91.5:8443/...
3. User sends web request directly to ise-psn1 @ 10.1.99.5.
4. User receives cert name mismatch warning.

Name Mismatch! Requested URL = 10.1.91.5; Certificate SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com

[Figure: User – Switch/Access Device – ISE-PSN1 flow, steps 1 to 4 as above; HTTPS response from 10.1.91.5]

Page 133

Interface Aliases – Specify an alternate hostname/FQDN for URL redirection (available in ISE 1.2)

• Aliases are assigned to interfaces using the ip host global config command in ADE-OS:

  (config)# ip host <interface_ip_address> <hostname|FQDN> <hostname|FQDN>

• Up to two values can be specified: hostname and/or FQDN. If a hostname is specified, the globally configured ip domain-name is appended for use in URL redirection. The FQDN can have a different domain than the global domain!
• GigabitEthernet1 (GE1) example:

  ise-psn1/admin(config)# ip host 10.1.91.5 ise-psn1-guest ise-psn1-guest.company.com

• Host entry for Gigabit Ethernet 0 (eth0) cannot be modified
• Use show run to view entries; use no ip host <ip_address> to remove an entry.
• A change in interface IP address or alias requires an application server restart.

Page 134

Interface Alias Example

• Interface eth1 enabled for Guest Portal
• ip host 10.1.91.5 ise-psn1-guest.company.com
• URL redirect = https://ise-psn1-guest.company.com:8443/...
• Guest DNS resolves FQDN to correct IP address

DNS and Port Settings – Single Interface Enabled for Guest

DNS SERVER DOMAIN = COMPANY.LOCAL
ISE-PSN1          IN A 10.1.99.5  # eth0
ISE-PSN1-MDP      IN A 10.1.92.5  # eth2
ISE-PSN1-SPONSOR  IN A 10.1.93.5  # eth3
ISE-PSN2          IN A 10.1.99.6  # eth0
ISE-PSN2-MDP      IN A 10.1.92.6  # eth2
ISE-PSN2-SPONSOR  IN A 10.1.93.6  # eth3
ISE-PSN3          IN A 10.1.99.7  # eth0
ISE-PSN3-MDP      IN A 10.1.92.7  # eth2
ISE-PSN3-SPONSOR  IN A 10.1.93.7  # eth3

DNS SERVER DOMAIN = COMPANY.COM
ISE-PSN1-GUEST    IN A 10.1.91.5  # eth1
ISE-PSN2-GUEST    IN A 10.1.91.6  # eth1
ISE-PSN3-GUEST    IN A 10.1.91.7  # eth1

Page 135

CWA Example using Interface Alias – URL Redirection Uses First Guest-Enabled Interface (eth1)

ISE-PSN1 interfaces: Admin/RADIUS eth0: 10.1.99.5; all web portals on eth1: 10.1.91.5, eth2: 10.1.92.5 and eth3: 10.1.93.5

ISE Certificate: Subject = ise-psn1.company.com; SAN = ise-psn1-guest.company.com

1. RADIUS Authentication requests sent to ise-psn1 @ 10.1.99.5.
2. RADIUS Authorization received from ise-psn1 @ 10.1.99.5 with URL Redirect to https://ise-psn1-guest:8443/...
3. DNS resolves alias FQDN ise-psn1-guest to 10.1.91.5 and sends web request to ise-psn1-guest @ 10.1.99.5.
4. No cert warning received since SAN contains interface alias FQDN.

Certificate OK! Requested URL = ise-psn1-guest.company.com; Certificate SAN = ise-psn1-guest.company.com

Could also use a wildcard SAN or UCC cert.

[Figure: User – Switch/Access Device – ISE-PSN1 flow, steps 1 to 4 as above; RADIUS authorization URL redirect = https://ise-psn1-guest.company.com:8443/...; HTTPS response from 10.1.91.5]
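The name-matching rule behind the “Name Mismatch” / “Certificate OK” slides (CN vs. SAN, single-label wildcard, IP literal in the URL) and the redirect-host selection behind the CWA examples (first guest-enabled interface, with and without an ip host alias), as an added example that is not Cisco’s code or part of the deck. The Cert class, the rule that an FQDN alias wins over a bare hostname, and every hostname and address are constructed for illustration.

```python
"""
Added example (not from the Cisco deck or ISE itself): hostname matching as a
browser performs it against an ISE portal certificate, plus the host ISE puts
in a CWA URL redirect for a guest-enabled interface. All values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Cert:
    """Minimal view of an ISE system certificate: subject CN plus SAN entries."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)   # SAN dNSName entries
    san_ip: List[str] = field(default_factory=list)    # SAN iPAddress entries


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name. A wildcard covers exactly one leftmost label, which
    is why *.domain.com covers sponsor.domain.com but not psn.ise.domain.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                       # ".domain.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]            # "sponsor" or "psn.ise"
    return bool(leftmost) and "." not in leftmost


def cert_matches(requested_host: str, cert: Cert) -> bool:
    """True when the host in the requested URL is covered by the certificate.
    If the cert carries any SAN entries only the SAN is consulted (the reason
    the deck says the CN must also exist in the SAN); otherwise the CN is used.
    An IP literal in the URL can only be satisfied by an iPAddress SAN."""
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns or cert.san_ip:
        return any(dns_name_matches(p, requested_host) for p in cert.san_dns)
    return dns_name_matches(cert.subject_cn, requested_host)


def redirect_host(interface: str, interface_ip: str, node_fqdn: str,
                  ip_domain_name: str, ip_host: Dict[str, List[str]]) -> str:
    """Host part of the CWA redirect URL for the first guest-enabled interface.
    eth0 -> node FQDN. Other interfaces -> interface IP, unless an
    'ip host <ip> <hostname|FQDN> ...' alias exists: an FQDN alias is used as
    is, a bare hostname gets the global ip domain-name appended. Preferring
    the FQDN when both are configured is an assumption of this example."""
    if interface == "eth0":
        return node_fqdn
    names = ip_host.get(interface_ip, [])
    if not names:
        return interface_ip
    fqdns = [n for n in names if "." in n]
    return fqdns[0] if fqdns else f"{names[0]}.{ip_domain_name}"


def cwa_redirect_ok(interface: str, interface_ip: str, node_fqdn: str,
                    ip_domain_name: str, ip_host: Dict[str, List[str]],
                    cert: Cert) -> bool:
    """Will the guest's browser accept the portal cert after the redirect?"""
    host = redirect_host(interface, interface_ip, node_fqdn, ip_domain_name, ip_host)
    return cert_matches(host, cert)


if __name__ == "__main__":
    # Constructed values mirroring the CWA examples: eth1 is the guest interface.
    psn1 = Cert("ise-psn1.company.com",
                san_dns=["ise-psn1.company.com", "sponsor.company.com",
                         "mydevices.company.com"])
    # No alias: the redirect carries the raw IP, which no dNSName SAN can match.
    print(cwa_redirect_ok("eth1", "10.1.91.5", "ise-psn1.company.com",
                          "company.com", {}, psn1))          # False
    # With an ip host alias and that FQDN added to the SAN the warning goes away.
    alias = {"10.1.91.5": ["ise-psn1-guest", "ise-psn1-guest.company.com"]}
    psn1.san_dns.append("ise-psn1-guest.company.com")
    print(cwa_redirect_ok("eth1", "10.1.91.5", "ise-psn1.company.com",
                          "company.com", alias, psn1))       # True
```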

Page 136

BYOD Fails if Admin & Portal Certs Different

• Problem statement:
  • CSCut36534 ISE 1.3 in BYOD provisions Admin cert instead of BYOD portal cert
  • CSCut30037 ISE should use portal certificate for provisioning (duplicate)
• Background: the ISE Admin (HTTPS) certificate of the PSN is used for:
  1. Responding to requests on HTTPS provisioning
  2. Signing the configuration profile for Apple iOS during BYOD onboarding
• Workaround: configure PSNs to use the same certificate for Admin and Provisioning portals

Page 137

BYOD Fails For “Unsupported Device”

• Problem statement: ISE relies on the Posture Feed to update information on client OS support based on browser user agent strings
• Solution: update Posture Feed information under Administration > System > Settings > Posture > Updates
• Notes:
  • BYOD is a Plus feature, but access to Posture updates is available without an Apex license.
  • Devices not supported for supplicant/cert provisioning can still be registered using BYOD if “Allow Network Access” is enabled under the Settings > Client Provisioning page.


Page 139

Original URL Redirect and HTTPS Redirection Support – WLC Status Update

• Both HTTPS Redirection and Original URL Redirect are fixed in WLC 8.0MR1, but for HTTPS only. Open defect for Original URL Redirect using HTTP.
• CSCur13703 Central Webauth with HTTPS redirect fails: fixes support for HTTPS redirection AND fixes URL Redirect for Original URL, but for HTTPS only.
• CSCur13713 CWA Original URL feature not working: outstanding defect for HTTP Original URL Redirect support.

[Figure: ISE Guest Portal setting]


Page 141

Which Portals Are Customizable? All except the Admin portal

Customization of portals is available for all end-user portals. Another way to say this is that any portal other than the administration portal can be customized with the concepts I’m about to show you. But wait! There’s more! Along with the customization of portals, you’ll be able to customize notifications in email, print and SMS format that are sent from ISE.

1. Guest
2. Sponsor
3. BYOD (Device Registration)
4. My Devices
5. Client Provisioning (Desktop Posture)
6. MDM (Mobile Device Management)
7. Blacklist

[Figure: customized notification example showing a guest’s credentials (username: trex42, password: littlearms)]

For Your Reference

Page 142

Portal Customization for Guest & Other User-Facing Pages

• Guest/Sponsor portals are configured under the Guest Work Center
• Other portals are configured here: Blacklist, BYOD (NSP), Client Provisioning (Posture), Partner MDM, My Devices
• Note: Admin portal is NOT customizable

Page 143

Portal Customization

• Portal changes are immediately reflected in the ISE Admin UI, including theme changes, logos, custom HTML, fields selected for use or display…
• Desktop and mobile preview options
• Don’t forget about the Settings option! It includes page-specific customization settings

Page 144

Settings Option in Customization – Sponsor Portal Example

The context of specific settings that affect sponsor users in the flow of the Sponsor portal is better set from the specific pages in Customization. Therefore, the admin must drill into Customization to locate certain important settings, such as:

• Required fields for creating users
• SMS providers available to sponsors
• Separate notifications for username and password

Page 145

Test Portal URLs – Launch portal in new window for testing

https://server.company.com:8443/sponsorportal/PortalSetup.action?portal=44d99ef0-ef7d-11e3-bc94-005056bf2f0a

Page 146

Logos, Banners, Titles, and Languages – Export/Import Properties File for Each Language

[Figure: Banners/Icons/Logos settings]

For Your Reference

Page 147

Customize Using Themes – Select Existing Theme

For Your Reference

Page 148

Portal Customization via Export/Import Theme CSS

Advanced customization by editing CSS themes using jQuery Mobile tools

For Your Reference

Page 149

The Mini Editor

The mini editor is a field available on almost every customizable page. It looks like a text area with basic word processing buttons at the top. It allows the administrator to create WYSIWYG text by typing and using the editor buttons at the top of the editor.

The editor has the ability to change the font, font size and color, and to add bold, italic, underline, bullets and links as if you were using a word processor.

Most pages will have an “Optional content” section at the top and the bottom of the page. This means that in addition to being able to edit everything that’s already visible on the page, admins have the ability to add content at the top and bottom with full WYSIWYG markup.

These sections are often used to provide custom instructional text to guests or sponsors right in their pages and can dramatically reduce training costs by eliminating the need for a separate training effort.

For Your Reference

Page 150

The Mini Editor – Variables

Customers will often want to add variable information to portal pages. Variables are text that looks like $some_variable_name$ in the mini editor and is replaced with an actual value when the page or notification is rendered to the end user.

You can pick from a list of available variables using the X button in the mini editor. Different variables are available on different pages. (You don’t know the first name of the user if they haven’t logged in yet.) In the depicted example, the text:

Welcome back $ui_first_name$! You have $ui_time_left$ before your network access is revoked and we unleash a giant serpent to chase you out of the building.

would be rendered for Harry Potter as:

Welcome back Harry! You have 7 hours, 24 minutes before your network access is revoked and we unleash a giant serpent to chase you out of the building.

For Your Reference

Page 151

The Mini Editor – HTML Source Mode

In addition to WYSIWYG editing capabilities, the mini editor also supports the ability to view and edit the HTML source of that content area.

This is a powerful tool for coders because they can enter their own CSS, JavaScript and HTML directly into content areas on any given page to do just about anything you’ve seen on the internet.

Clicking on the source button will toggle back and forth between the WYSIWYG and HTML source versions.

Using CSS it is possible to create conditional display logic on a portal page. For example, you can show a Boston skyline banner when a guest logs in from Boston and a Chicago skyline banner when a guest logs in from Chicago. While this is an advanced concept, it’s pretty concise CSS that makes it work. Details and examples are being added to the Guest Admin documentation.

• Make sure you click out of the HTML mode after you paste in your code, otherwise it will not save.
• Save the portal for changes to be seen in the portal test URL.
• Not all JavaScript changes are shown in the mini-preview.

For Your Reference

Page 152

Enabling JavaScript for Portal Customization

Administration > System > Admin Access > Settings > Portal Customization

For Your Reference

Page 153

Portal Customization Examples (Partner/Public)

• ISE How-To Guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

For Your Reference

Page 154

How Can Different Users Be Redirected to Different Portals?

• Initial auth examples: NDG Type, NDG Location, Access/Auth Method, WLAN, NAD, Source IP, Profile
• Post auth examples: the above plus other session attributes (for example, identity, AD group, guest role)

https://supportforums.cisco.com/document/12215996/ise-and-location-based-web-authentication-portals

Page 155

https://isepb.cisco.com

Page 156

ISE Portal Builder – Online Tool: isepb.cisco.com

For Your Reference

Page 157

ISE Portal Builder – Multiple Prebuilt Templates

Page 158

ISE Portal Builder – Customize > Export > Import > Done!

Page 159

ISE Portal Builder Usage Notes

• 100% online web-based tool
• Allows saving and sharing portals and portal content on the web.
• Available to Cisco, Partners, and Customers (requires registration)
• Extremely easy to use, with online help, FAQ, blog, demos and a contact link
• Not TAC supported; support is provided on a best-effort basis using the above tools.
• Firefox Uploader plugin simplifies import into ISE.
  • With the plugin loaded, Portal Builder automatically pops up a small window to import content when you add a portal in the ISE admin UI.
• Currently uses Posture File Remediation to store portal content. (Requires Adv/Apex to view)
• Do NOT click Save on the portal, or you lose the custom portal settings; the upload takes care of this.
• Do NOT make changes to these portals in the ISE Admin UI. Make changes in PB and re-import. If you need to make changes like FQDN or cert, then edit in ISE, Save, and reimport the PB portal.

Page 160

Migrating Custom Portals from ISE 1.2 to 1.3

On ISE upgrade…
• Previously customized HTML pages are copied in as an existing portal
• Pages that are migrated are not accessible for further edits
• No tools to export/import old HTML pages.
• To edit a custom portal that has been migrated will require the portal to be rebuilt.
• Portal Builder 1.2 files are not compatible with PB 1.3. No PB portal migration.


Page 162

Sponsor Groups – Define Privileges for Using Guest Type & Location

• Select Guest Types and Locations that can be used by this group of sponsors
• New pill box selector

Page 163

Guest Locations and SSIDs

• Locations = usable time zones (type to search the time zone list)
• Time zones impact Guest start/end times
• SET THESE UP FIRST!
• SSIDs are simply for Sponsor/Guest reference; SSID info can be included in guest notifications.

Page 164

Location Details – Select and Edit to replace

For Your Reference

Page 165

Sponsor Groups: Permissions

• Determine group permissions
• Limit bulk creation up to 10,000
• Sending SMS and API user are OFF by default
• Viewing Passwords also affects sending credentials

Page 166

Pre-ISE 1.3 Sponsor Auth

• Prior to ISE 1.3, Sponsor Group Policy was used to assign users to Sponsor Groups and assign sponsor privileges
• Multiple conditions supported in addition to group membership.

Page 167

Sponsor Groups: Membership

• No more Sponsor Group Policy; now just pick your member groups
• Identity groups (IDG) that map to AD/LDAP
• In ISE 1.3, Sponsor Group configuration is greatly simplified but limits assignment to group membership only.

Page 168

Challenge #1: How to Limit Sponsor Access Based on Secondary Attributes?

Solution: Configure ISE as an Authentication Source for Sponsors and define custom conditions that will either permit or deny sponsor access.

Configuration steps:
1. Define local ISE PSN(s) as a RADIUS Token Server
2. Add the ISE RADIUS Server to the Sponsor Auth Sequence
3. Add ISE PSN(s) as RADIUS Clients
4. Add Authorization Policy rules for Sponsor Auth

Page 169: Текториал по тематике информационной безопасности

Cisco Confidential 169 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Define Local ISE PSN(s) as RADIUS Token Server For Your

Reference

Page 170: Текториал по тематике информационной безопасности

Cisco Confidential 170 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Add ISE RADIUS Server to Sponsor Auth Sequence For Your

Reference

Page 171: Текториал по тематике информационной безопасности

Cisco Confidential 171 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Add ISE PSN(s) as RADIUS Clients For Your

Reference

Page 172: Текториал по тематике информационной безопасности

Cisco Confidential 172 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Define specific conditions to allow / deny sponsor access.

Permit_Access authorization will allow sponsor to successfully authenticate to Sponsor Portal

Deny_Access authorization will return Access-Reject and cause sponsor to fail portal authentication

Policy example matches requests where:

ISE is the RADIUS client

AD locale attribute matches City location defined under AD user properties.

Add Authorization Policy Rules for Sponsor Auth For Your

Reference

Page 173: Текториал по тематике информационной безопасности

Cisco Confidential 173 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Employee1 is AD user where City = Cleveland

Employee2 is AD user where City = San Jose

Live Authentications Log For Your

Reference

Page 174: Текториал по тематике информационной безопасности

Cisco Confidential 174 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Employee1 is allowed access to Sponsor Portal

Employee2 receives error regarding invalid credentials for portal access

Sponsor Portal User Experience For Your

Reference

Challenge #2: How to Map Sponsor Groups Based on Secondary Attributes?

Solution: Configure a separate LDAP ID Store that maps Group Names to secondary attributes rather than to AD/LDAP group membership.

Configuration Steps:

1. Define a new LDAP Identity Store in ISE with a custom schema
2. Add new Groups in the ISE LDAP Store as "pointer" objects
3. Update AD/LDAP user accounts with custom attribute values that map to the new group pointer objects
4. Add the new LDAP Store pointer groups to the ISE Sponsor Group configuration

Set New Group Attribute Values under AD/LDAP User

Verify the new user attributes in AD/LDAP from an LDAP browser: employee1 is mapped to Cleveland, employee2 is mapped to San Jose.

Create New LDAP Identity Store for Sponsor Auth in ISE

The Group Map Attribute is the user attribute that contains the group reference; `l` (LDAP locality name, the "City" field in AD) in this example.

Add New LDAP "Pointer" Groups to the ISE LDAP Store

• Manually enter the group names (do not fetch) to match the desired user attribute values.
• Groups do NOT need to exist in AD/LDAP; they are "pointers" only!

Add/Edit Sponsor Groups using the New LDAP Group Names

Guest Access > Configure > Sponsor Groups: add the LDAP "pointer" groups as Members (configured under the Sponsor Group settings).

• The value "San Jose" matches any AD/LDAP user with the city/locality attribute set to "San Jose" in their user record.
• The value "Cleveland" matches any AD/LDAP user with the city/locality attribute set to "Cleveland" in their user record.

Sponsor Portal User Experience

• Employee1 (mapped to Cleveland) only sees guests they created (currently 0).
• Employee2 (mapped to San Jose) is able to manage ALL accounts, including those created by other sponsors.
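The pointer-group mechanism above, as an added example that is not part of the Cisco deck: a small Python model of how ISE derives group membership from the LDAP store's Group Map Attribute (a user attribute value that equals a manually entered group name counts as membership) and how that result feeds the Sponsor Group lookup. The directory entries, DNs, group names and sponsor groups are constructed for illustration; the LDAP queries ISE itself issues are not reproduced.

```python
"""Added example (not from the Cisco deck): how ISE's LDAP "Group Map
Attribute" turns a user attribute value into a group membership, and how that
feeds the Sponsor Group lookup. All directory data below is constructed."""

from dataclasses import dataclass, field

# Constructed stand-in for an LDAP directory: DN -> attributes (multi-valued).
DIRECTORY = {
    "cn=employee1,ou=Users,dc=example,dc=com": {
        "sAMAccountName": ["employee1"],
        "memberOf": ["cn=Employees,ou=Groups,dc=example,dc=com"],
        "l": ["Cleveland"],
    },
    "cn=employee2,ou=Users,dc=example,dc=com": {
        "sAMAccountName": ["employee2"],
        "memberOf": ["cn=Employees,ou=Groups,dc=example,dc=com"],
        "l": ["San Jose"],
    },
    "cn=contractor1,ou=Users,dc=example,dc=com": {
        "sAMAccountName": ["contractor1"],
        "memberOf": ["cn=Employees,ou=Groups,dc=example,dc=com"],
        "l": ["Austin"],          # no pointer group configured for this value
    },
}


@dataclass
class LdapStore:
    """Mirrors the relevant ISE LDAP identity-store settings."""
    group_map_attribute: str                  # e.g. "l" (locality) or "memberOf"
    groups: set = field(default_factory=set)  # names typed in manually in ISE


@dataclass
class SponsorGroup:
    name: str
    member_groups: set
    manage_all_accounts: bool


def find_user(username):
    for dn, attrs in DIRECTORY.items():
        if username in attrs.get("sAMAccountName", []):
            return dn, attrs
    return None, None


def derive_groups(attrs, store):
    """Groups ISE derives for a user: every value of the group-map attribute
    that equals a group name configured in the store. The group need not
    exist in the directory; the configured name is only a "pointer"."""
    values = set(attrs.get(store.group_map_attribute, []))
    return values & store.groups


def resolve_sponsor_group(username, store, sponsor_groups):
    """First sponsor group whose member list intersects the derived groups.
    None means the sponsor portal login is rejected (no group, no sponsor)."""
    _, attrs = find_user(username)
    if attrs is None:
        return None
    groups = derive_groups(attrs, store)
    for sg in sponsor_groups:
        if groups & sg.member_groups:
            return sg
    return None


# Store configured as in Challenge #2: map on "l", pointer groups typed by hand.
POINTER_STORE = LdapStore("l", {"Cleveland", "San Jose"})
# Conventional store for comparison: map on memberOf (real AD groups).
MEMBEROF_STORE = LdapStore("memberOf", {"cn=Employees,ou=Groups,dc=example,dc=com"})

SPONSOR_GROUPS = [
    SponsorGroup("SanJose_AllAccounts", {"San Jose"}, manage_all_accounts=True),
    SponsorGroup("Cleveland_OwnAccounts", {"Cleveland"}, manage_all_accounts=False),
]

if __name__ == "__main__":
    for user in ("employee1", "employee2", "contractor1"):
        sg = resolve_sponsor_group(user, POINTER_STORE, SPONSOR_GROUPS)
        print(user, "->", sg.name if sg else "DENIED (no sponsor group)")
```

The check a practitioner should add: whoever can write the mapped attribute (`l` here) on a user object can make that user a sponsor, so the attribute must be protected in AD/LDAP as tightly as the group membership it replaces.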


NAC Agent Discovery – Sequential Probing

The most common way the posture agent discovers the PSN is via URL redirection.

NAC 4.9 Discovery Sequence:

1. HTTP discovery probe on port 80 to the discovery host (ISE with HTTP redirect)
2. HTTPS discovery probe on port 8905 to the discovery host, if configured (ISE and NAC Appliance)
3. HTTP discovery probe on port 80 to the default gateway (ISE with HTTP redirect)
4. HTTPS discovery probe on port 8905 to the default gateway (NAC Appliance)
5. L2 UDP SWISS discovery probe on port 8905 to the default gateway (NAC Appliance)
6. L3 UDP SWISS discovery probe on port 8906 to the discovery host, if configured (NAC Appliance)
7. HTTPS reconnect probe on port 8905 to the previously contacted FQDN: ISE PSN / NAC Server (ISE and NAC)
8. Repeat from step 1

NAC Agent Discovery Sequence as it pertains to ISE only:

1. HTTP discovery probe on port 80 to the discovery host, if configured (via HTTP redirect)
2. HTTPS discovery probe on port 8905 to the discovery host, if configured
3. HTTP discovery probe on port 80 to the default gateway (via HTTP redirect)
4. HTTPS reconnect probe on port 8905 to the previously contacted ISE Policy Service Node
5. Repeat from step 1

AnyConnect Discovery – Parallel Probing

AnyConnect probes all of its targets in parallel rather than in sequence:

• Default gateway of the primary interface (such as 10.86.116.1): probe /auth/discovery, redirection expected.
• Discovery Host, if set in the agent profile ISEPostureCFG.xml: probe /auth/discovery, redirection expected.
• enroll.cisco.com (hard coded): probe /auth/discovery, redirection expected.
• Previously connected headends, from ConnectionData.xml: no redirection expected.

The first three targets answer the question "Is the endpoint on the ISE network?" Example agent debug output:

[acise][debug][SwiftHttpRunner::startHttpDiscovery] [MSG_NS_INTERFACE_CHANGE(0x90a0004)], Start HTTP Discovery
[acise][debug][SwiftHttpRunner::addPreviouslyConnectedHeadendsToTargetList] Probe previous connected headend jiajlu-ise-nat.chaos.test.
[acise][debug][SwiftHttpRunner::collectTargets] Probe targets: 192.168.1.1 enroll.cisco.com 10.0.0.10 - Default route 192.168.1.1, #wifi=0, #nonWifi=2, wlanDot1x=-1, bestDefaultRouteIsWifi=0, #targets=4
[acise][debug][SwiftHttpRunner::probeTarget] Target 10.0.0.10, status is 1. failure
[acise][debug][SwiftHttpRunner::probeTarget] Target enroll.cisco.com, status is 0. success

Redirection is the ONLY supported method for initial discovery!

When Do I Need to Configure the Discovery Host?

• ISE Posture REQUIRES URL redirection for Client Provisioning and for posture agent discovery.
• The Discovery Host (DH) is a single target host/IP to which discovery packets are sent.
• Cases where a Discovery Host is needed or helpful to facilitate the URL redirection process:

IPN deployments
The NAD (default gateway) is unable to redirect. Packets sent to the DH are redirected by the Inline Posture Node (IPN) when they hit the IPN.

Split Tunnel RA VPN
With ASA 9.2.1+ deployments, the ASA can redirect when it is the default gateway. With split tunnelling, gateway discovery may fail and a DH is required so that the ASA intercepts the probe.

Minimize Redirection Impact
Redirect traffic to the DH only, to limit redirection to Client Provisioning / Posture rather than general access.

Browser Proxy Workaround
See "Discovery Host with Proxies".

Discovery Host for IPN Deployments

(Diagram: a VPN user behind an ASA reaches the Internal Network and a Protected Net/DMZ containing PSN, IPN and Server Farm.)

• Posture discovery sent to the default gateway: no URL redirection there, so the packet is dropped.
• Posture discovery sent to the Discovery Host: the IPN is in the packet path to the internal host, so the packet is redirected before it reaches the host.
• Potential DH targets for an IPN deployment: internal hosts whose path crosses the IPN.

Discovery Host for Split Tunnel VPN (ASA 9.2.1+ Example)

(Diagram: same topology without an IPN; the ASA performs the redirect.)

• Posture discovery to the default gateway (no split tunnel): the ASA redirects the discovery packet sent to the default gateway.
• Posture discovery to the default gateway (split tunnel): redirection fails, because the default gateway is the remote router, not the ASA.
• Posture discovery to the Discovery Host: the ASA is in the packet path to the internal host, so the packet is redirected before it reaches the host.
• Potential DH targets for an ASA deployment: internal hosts reached through the tunnel.

Discovery Host "Open Mode" (Minimize Redirection Impact)

• Redirect ACL example (only traffic to the DH address X.X.X.X is redirected; everything else forwards normally):

ip access-list extended ACL-POSTURE-REDIRECT
 permit ip any host X.X.X.X
 (deny ip any any)

• Endpoint with the NAC Agent pre-installed: set the Discovery Host to a universal DNS entry (e.g. dh.company.com) that resolves to X.X.X.X.
• Endpoint without an agent pre-installed: create a universal DNS entry (e.g. getagent.company.com) that resolves to X.X.X.X; browsing to it is what triggers the redirect to Client Provisioning.

Discovery Host with Proxies

• By default NAC Agent discovery uses port 80 (or 8905 for the DH), but the port can be overridden using the syntax DH:port.
• Proxy application on wired switches: exclude the PSN targets from the browser proxy configuration.
• Set the HTTP port on the switch to the proxy port, for example 8080 instead of the default port 80:

(config)# ip port-map http port 8080

• For the NAC Agent, set the DH port to the proxy port. Note: for AnyConnect, all discovery is on port 80 including the DH; the port option needs validation.
• The switch now redirects HTTP traffic sent to the proxy port.
• The proxy now works with CWA, but the posture agent does not use the browser proxy settings (CSCuj65787), so the DH port must be changed to allow redirection for both CWA and posture discovery packets.

Redirect ACL Best Practice (Wired)

• Defines the traffic to be redirected (permit) or to bypass redirection (deny).
• Configured on the switch, referenced from the ISE Authorization Profile.
• Posture example, but applies to all wired redirection.

Commonly seen redirect ACL:

ip access-list extended ACL-POSTURE-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny tcp any host <PSN_IP> eq 8443
 deny udp any host <PSN_IP> eq 8905
 deny tcp any host <PSN_IP> eq 8905
 deny tcp any host <Remediation_Server> eq www
 permit ip any any

• NOTE: You may often see ACLs that simply permit or deny all IP access to the PSN. This method works, although it is less restrictive.
• Problem: because of the final permit ip any any, ALL remaining traffic gets punted for redirection, not just HTTP/S. This can cause high CPU, especially on entry-level switches.

Recommended Redirect ACL (wired switch) - allows remediation and redirects ALL HTTP/S:

ip access-list extended ACL-POSTURE-REDIRECT
 deny tcp any host <Remediation_Server> eq www
 permit tcp any any eq www
 permit tcp any any eq 443

• Redirects only HTTP/S not destined for the remediation servers.
• The implicit deny all at the end of the ACL keeps everything else (DHCP, DNS, agent traffic to the PSN on 8443/8905, and all non-web protocols) out of the redirect path.
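To make the CPU point concrete, here is an added example (not from the deck) in Python: a first-match evaluator for the subset of IOS ACE syntax used above, run over both ACLs with a handful of constructed packets. In a redirect ACL a permit means "punt this flow for redirection" and a deny (explicit or the implicit deny at the end) means "forward normally". The PSN and remediation-server addresses are placeholders standing in for <PSN_IP> and <Remediation_Server>.

```python
"""Added example (not from the deck): first-match evaluation of the two
redirect ACLs, to show which packets the switch punts for URL redirection.
Addresses are constructed placeholders."""

import ipaddress
from dataclasses import dataclass

PSN_IP = "10.1.100.5"            # placeholder for <PSN_IP>
REMEDIATION = "10.1.100.20"      # placeholder for <Remediation_Server>
NAMED_PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    dst: str
    dport: int = 0
    sport: int = 0


def _port(tok):
    if tok.isdigit():
        return int(tok)
    if tok in NAMED_PORTS:
        return NAMED_PORTS[tok]
    raise ValueError(f"unknown port keyword: {tok}")


def parse_ace(line):
    """Parse the ACE subset used on the slides:
    <permit|deny> <proto> <src> [eq <p>] <dst> [eq <p>]
    where src/dst is 'any' or 'host A.B.C.D'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    rest = tokens[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return None
        if rest[0] == "host":
            addr = ipaddress.ip_address(rest[1])
            rest = rest[2:]
            return addr
        raise ValueError(f"unsupported address spec: {rest}")

    def take_port():
        nonlocal rest
        if rest and rest[0] == "eq":
            p = _port(rest[1])
            rest = rest[2:]
            return p
        return None

    src = take_addr()
    sport = take_port()
    dst = take_addr()
    dport = take_port()
    return (action, proto, src, sport, dst, dport)


def parse_acl(text):
    return [parse_ace(l.strip()) for l in text.strip().splitlines()
            if l.strip() and not l.strip().startswith("ip access-list")]


def is_redirected(acl, pkt):
    """First matching ACE decides; no match means implicit deny (not redirected)."""
    for action, proto, src, sport, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dst is not None and dst != ipaddress.ip_address(pkt.dst):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        return action == "permit"
    return False


# The commonly seen ACL: exempt a few flows, then permit ip any any.
ACL_PERMIT_ALL = parse_acl(f"""
ip access-list extended ACL-POSTURE-REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any host {PSN_IP} eq 8443
deny udp any host {PSN_IP} eq 8905
deny tcp any host {PSN_IP} eq 8905
deny tcp any host {REMEDIATION} eq www
permit ip any any
""")

# The recommended ACL: redirect only HTTP/S not destined for remediation.
ACL_HTTP_ONLY = parse_acl(f"""
ip access-list extended ACL-POSTURE-REDIRECT
deny tcp any host {REMEDIATION} eq www
permit tcp any any eq www
permit tcp any any eq 443
""")


def punted_counts(acl, packets):
    """How many of the sample flows the switch would punt under this ACL."""
    return sum(is_redirected(acl, p) for p in packets)


SAMPLE = [                                      # constructed traffic mix
    Packet("tcp", "93.184.216.34", 80),         # web: redirected by both
    Packet("tcp", "93.184.216.34", 443),        # HTTPS: redirected by both
    Packet("tcp", REMEDIATION, 80),             # remediation: never
    Packet("udp", "10.1.1.1", 53),              # DNS: never
    Packet("udp", PSN_IP, 8905),                # agent to PSN: never
    Packet("udp", "17.253.2.3", 123),           # NTP: punted by ACL 1 only
    Packet("tcp", "10.1.50.9", 445),            # SMB: punted by ACL 1 only
    Packet("icmp", "10.1.1.1"),                 # ping: punted by ACL 1 only
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "permit-all:", is_redirected(ACL_PERMIT_ALL, pkt),
              "http-only:", is_redirected(ACL_HTTP_ONLY, pkt))
```

Five of the eight sample flows are punted under the permit-all ACL and only two under the HTTP-only ACL; scaled to real traffic, that gap is the switch CPU the slide warns about.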


HA for pxGrid: Steady State

(Diagram: Primary PAN and Secondary PAN, Primary MnT and Secondary MnT, and two pxGrid nodes (PXG) acting as Active pxGrid Controller and Standby pxGrid Controller, with pxGrid clients as publishers and subscribers. Ports shown: TCP/5222 from clients to the controller, and TCP/12001 on the subscriber side.)

• pxGrid clients can be configured with up to 2 servers.
• Clients connect to the single active controller.
• Maximum two pxGrid nodes per deployment, Active / Standby.
• PAN publisher topics: Controller Admin, TrustSec/SGA, Endpoint Profile.
• MnT publisher topics: Session Directory, Identity Group, ANC (EPS).

HA for pxGrid: Failover and Recovery

If the active pxGrid controller fails, clients automatically attempt a connection to the standby controller (same topology and ports as in the steady-state diagram).

Important pxGrid Setup Notes

Certificates

• ISE 1.3: if using self-signed certificates (the default ISE-issued cert for pxGrid/Admin), the Primary PAN (PPAN) does not trust its own cert, so you need to export its self-signed cert and import it into the ISE trust store (fixed in ISE 1.4). If using CA-signed certs for pxGrid, import the CA cert into the trust store.
• ISE 1.4: you should only need to import the CA trust cert, or the self-signed certs of the other nodes, into the PPAN. Trust certs are replicated to the other nodes (pxGrid and PAN).
• Wildcard certs are not supported for pxGrid.

WSA Integration

• WSA 8.7: the pxGrid persona must be on the same node as MnT so that the WSA can use the REST API for its initial connection, after which it uses pxGrid. Target fix: WSA 8.8 or sooner.

Serviceability

Right-Click in Live Log and Live Sessions

• Adds Right-Click > Copy for the Endpoint ID and Identity fields in the Live Log.

Debug Endpoint

• Creates a debug file of all activity for all services related to that specific endpoint.
• Executes and is stored per PSN.
• Can be downloaded as separate files per PSN, or merged into a single file.

Exportable Policy

• Off-line examination of the configuration.
• Quick link to the Export page.

Per-Endpoint Time-Constrained Suppression

• Triggered by right-click on the endpoint.


Sizing Production VMs to Physical Appliances: Summary

Appliance used for sizing comparison | CPU cores | Clock rate (GHz) | Memory (GB) | Physical disk (GB)*
SNS Large (ISE-3495) | 8 | 2.4 | 32 | 600
SNS Small (ISE-3415) | 4 | 2.4 | 16 | 600
ISE Large (ISE-3395) | 8 | 2.0 | 4 | 600
ISE Medium (ISE-3355) | 4 | 2.0 | 4 | 600
ISE Small (ACS-1121/ISE-3315) | 4 | 2.66 | 4 | 500

* Actual disk requirement is dependent on the persona(s) deployed and other factors. See the slide on Disk Sizing.

Configuring CPUs in VMware

• Configure CPU based on cores (ESXi 4.1 and ESXi 5.x examples). If Hyper-Threading is enabled, the number of logical CPUs is effectively doubled, but the number of cores is the same; size on cores.

Setting CPU and Memory Allocations in VMware: Guest VM Resource Reservations and Limits

• CPU: optionally set the CPU allocation limit >= the minimum ISE VM spec, to prevent over-allocation when the actual CPU assigned exceeds the ISE VM requirements.
• Set the Reservation to the minimum VM appliance spec to ensure the required CPU resources are available and not shared with other VMs.
• Similar settings apply to the maximum allocation and minimum reservation for Memory.

ISE 1.3 VMware OVA Templates

• OVA templates map to the Small and Large hardware appliances:
  • EVAL (evaluation / lab testing)
  • SNS-3415 (Small)
  • SNS-3495 (Large)
• Simplifies VM deployment and ensures proper VMware settings.
• Presets (with reservations): vCPU cores, memory, disk storage, network interfaces.

ISE-1.3.x.x-Eval-100-endpoint.ova: 2 CPU cores, 4 GB RAM, 200 GB disk, 4 NICs
ISE-1.3.x.x-Virtual-SNS-3415.ova: 4 CPU cores, 16 GB RAM, 600 GB disk, 4 NICs
ISE-1.3.x.x-Virtual-SNS-3495.ova: 8 CPU cores, 32 GB RAM, 600 GB disk, 4 NICs

ISE Virtual OS and NIC Support: Today and Tomorrow

• ISE 1.3: VMware ESX 4.x, VMware ESX 5.x
• ISE 1.4: VMware ESX 5.x only
• ISE 2.0: VMware ESX 5.x, VMware ESX 6.x, KVM

Notes for ISO installs using a VMware virtual appliance:

• Choose Red Hat Linux 6 (64-bit) as the guest OS type.
• Manually enter the resource reservations.
• Choose either E1000 or VMXNET3 (default).
• ESX adapter ordering depends on the NIC type selected:

ADE-OS | ISE | E1000 adapter # | VMXNET3 adapter #
eth0 | GE0 | 1 | 4
eth1 | GE1 | 2 | 1
eth2 | GE2 | 3 | 2
eth3 | GE3 | 4 | 3

* Note: the ordering issue is not seen with fewer than 4 VM NICs. This is why the OVAs use E1000 NICs.

ISE VM Production Disk Size Requirements by Persona

Persona | Disk (GB)
Standalone | 200+*
Administration Only | 200-300**
Monitoring Only | 200+*
Policy Service Only | 200
Admin + MnT | 200+*
Admin + MnT + PSN | 200+*

* The upper range sets the number of days of MnT log retention; 500 GB minimum is recommended for production. Maximum hardware appliance disk size = 600 GB; maximum VM disk size = 2 TB.
** Variations depend on where backups are saved or upgrade files are staged (local or repository), debug, local logging, and data retention requirements.

MnT Node Log Storage Requirements: Days Retention Based on # Endpoints and Disk Size

Total endpoints | 200 GB | 400 GB | 600 GB | 1024 GB | 2048 GB (total disk space allocated to the MnT node)
10,000 | 126 | 252 | 378 | 645 | 1,289
20,000 | 63 | 126 | 189 | 323 | 645
30,000 | 42 | 84 | 126 | 215 | 430
40,000 | 32 | 63 | 95 | 162 | 323
50,000 | 26 | 51 | 76 | 129 | 258
100,000 | 13 | 26 | 38 | 65 | 129
150,000 | 9 | 17 | 26 | 43 | 86
200,000 | 7 | 13 | 19 | 33 | 65
250,000 | 6 | 11 | 16 | 26 | 52

VM Appliance Resource Validation Before Install

Validate VM readiness BEFORE install and deploy.

VM Appliance Resource Validation During Install

• The ISE 1.3 install will not even proceed without (the EVAL settings):
  • 4 GB RAM
  • 2 CPU cores
  • 100 GB disk

VM Appliance Resource Validation After Install

• ISE continues to test I/O read/write performance at intervals; an alarm is generated if the 24-hour average is below requirements.
• Example output:

ise-psn2/admin# show tech | begin "disk IO perf"
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 194 MB/second
Average I/O bandwidth reading from disk device: over 1024 MB/second
I/O bandwidth performance within supported guidelines
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 1.47342 s, 213 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 0.0504592 s, 6.2 GB/s


Current ISE VM Deployment Guidance

• Thin provisioning is officially supported in ISE 1.3.
• Hyper-Threading is not required, but can help TPS (transactions per second).
• I/O performance requirements:
  • Read: 300+ MB/sec
  • Write: 50+ MB/sec
• Recommended disk/controller:
  • 10k RPM+ disk drives
  • Caching RAID controller
  • RAID mirroring (RAID 5 has slower writes)
  • RAID performance levels: http://www.datarecovery.net/articles/raid-level-comparison.html
• ISE 1.4 removes storage restrictions. This means, for example, that VMFS is not required and NFS is allowed, provided the storage is supported by VMware and meets the ISE I/O performance requirements.
• Customers with VMware expertise may choose to disable resource reservations and over-subscribe, but do so at their own risk.
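As an added example (not from the deck), the following Python parses the `show tech | begin "disk IO perf"` block shown earlier and checks it against the I/O figures on this slide (read 300+ MB/sec, write 50+ MB/sec), taking the slower of the device-level and filesystem-level numbers for each direction. The sample text is the slide's own output pasted into a constructed string; the function and threshold names are this example's own.

```python
"""Added example (not from the deck): parse the ISE 'disk IO perf' block and
check it against the VM guidance thresholds (read 300+ MB/s, write 50+ MB/s).
The sample below reproduces the slide's output as a constructed string."""

import re

READ_MIN_MBPS = 300
WRITE_MIN_MBPS = 50

SAMPLE_SHOW_TECH = """\
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 194 MB/second
Average I/O bandwidth reading from disk device: over 1024 MB/second
I/O bandwidth performance within supported guidelines
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 1.47342 s, 213 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 0.0504592 s, 6.2 GB/s
"""

_UNIT = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0}
# Matches '194 MB/second', 'over 1024 MB/second', '213 MB/s', '6.2 GB/s'.
_RATE = re.compile(r"(?:over\s+)?(\d+(?:\.\d+)?)\s*([KMG]B)/s(?:econd)?", re.I)


def to_mbps(text):
    """Normalise a rate string from the ISE output to MB/s."""
    m = _RATE.search(text)
    if not m:
        raise ValueError(f"no rate found in: {text!r}")
    return float(m.group(1)) * _UNIT[m.group(2).upper()]


def parse_disk_io(output):
    """Return the four figures as MB/s: device write/read, filesystem write/read.
    The filesystem figures sit on the dd summary line that follows the label."""
    lines = [l.strip() for l in output.splitlines()]
    result = {}
    for i, line in enumerate(lines):
        if line.startswith("Average I/O bandwidth writing"):
            result["device_write"] = to_mbps(line)
        elif line.startswith("Average I/O bandwidth reading"):
            result["device_read"] = to_mbps(line)
        elif "filesystem test, writing" in line:
            result["fs_write"] = to_mbps(lines[i + 1])
        elif "filesystem read test, reading" in line:
            result["fs_read"] = to_mbps(lines[i + 1])
    missing = {"device_write", "device_read", "fs_write", "fs_read"} - set(result)
    if missing:
        raise ValueError(f"incomplete disk IO block, missing {sorted(missing)}")
    return result


def evaluate(figures, read_min=READ_MIN_MBPS, write_min=WRITE_MIN_MBPS):
    """Compare the slower figure of each pair against the thresholds.
    Returns a list of failure strings; empty means within guidance."""
    failures = []
    write = min(figures["device_write"], figures["fs_write"])
    read = min(figures["device_read"], figures["fs_read"])
    if write < write_min:
        failures.append(f"write {write:.0f} MB/s < {write_min} MB/s")
    if read < read_min:
        failures.append(f"read {read:.0f} MB/s < {read_min} MB/s")
    return failures


if __name__ == "__main__":
    figs = parse_disk_io(SAMPLE_SHOW_TECH)
    print(figs)
    print("within guidance" if not evaluate(figs) else evaluate(figs))
```

Note that "over 1024 MB/second" is a floor, not a measurement, so the read comparison is conservative; the write path is the one that usually fails on shared or RAID 5 storage, which is why the slower of the two write figures is the one compared.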

General ISE VM Configuration Guidelines

• Oversubscription of CPU, memory, or disk storage is NOT recommended: all VMs should have a 1:1 mapping between virtual hardware and physical hardware.
• CPU: map 1 VM vCPU core to 1 physical CPU core. Total CPU allocation should be based on physical CPU cores, not logical cores; if Hyper-Threading is enabled, vCPU allocation is still based on physical cores.
• Memory: the sum of VM vRAM may not exceed the total physical memory of the physical server. An additional 1 GB+ of physical RAM must be provisioned for VMware ESXi itself, to cover the ESXi overhead of running VMs (see the notes page for details).
• Disk: map 1 GB of VM vDisk to 1 GB of physical storage. Additional disk space may be required for VMware operations, including snapshots.

What's the Core Message to the Field?

ISE Express offers the same dynamic Guest features as the market-leading Cisco ISE in an entry-level bundle at an aggressive 70-80% discount over the competition.

Cisco ISE Base vs. Cisco ISE Express

| Cisco ISE Express | Cisco ISE Base
Features / Capabilities | Same | Guest Access; RADIUS/AAA
ATP required for initial sale?* | NO | YES
Platform included with licensing? | YES: bundle includes 1 ISE VM + 150 licenses | NO: purchase HW or VM and licensing
List price | $2,500 US | $6,990 US (ISE VM: $5,990 + Base: $1,000 for 200 licenses)

* NOTE: ATP certification or partner involvement is needed for additional ISE license sales.

Cisco ISE Express: Enterprise Guest for Less

Easy, affordable guest services now available: an entry-level bundle for the market-leading Cisco ISE.

• The Offer: one (1) ISE VM with ISE Base licenses for 150 endpoints, for a single-site deployment (non-distributed, no HA).
• The Features: Guest, RADIUS/AAA, unlimited custom portals with the ISE Portal Builder.
• The Price: $2,500 US.


ISE 1.4 Feature List

• Automatic Admin Node Switchover

• Certificate Management Enhancements

• FIPS Support

• Posture Enhancements

• AnyConnect AMP Enabler

• Multi-MDM Phase 1

• Off-Prem MDM On-boarding

• Guest Enhancements

• SAML SSO for Portals with OAM

• KPM Scripts

Automatic PAN Switchover

(Diagram: DC-1 hosts PAN-1 Primary, MNT-1 Primary and PSNs; DC-2 hosts PAN-2 Secondary, MNT-2 Secondary and PSNs, connected over the WAN. Each PAN has a PAN Health Monitor nearby; the PANs also have direct failover detection between them.)

1. Primary PAN (PAN-1) goes down, or its network link goes down.
2. If the Health Monitor is unable to reach PAN-1 but can reach PAN-2, it triggers failover.
3. Secondary PAN (PAN-2) is promoted by the Health Monitor.
4. PAN-2 becomes Primary and takes over PSN replication.

Note: Switchover is NOT immediate. Total time is based on the polling intervals and promotion time; expect about 30 minutes.

Don't forget: after switchover the admin must connect to PAN-2 for ISE management!

ISE Admin Failover (Automated Promotion/Switchover)

• Primary PAN and Secondary PAN can be in different subnets/locations.
• Secondary nodes close to the respective PANs act as their health monitors.
• Health Monitors:
  • Maximum 2; could be the same node (recommend 2 if available).
  • Requires a distributed deployment.
  • Can be any node other than an Admin node (i.e. not a node where the Admin persona is present).
  • Recommend node(s) close to the PAN being monitored, to differentiate between a local versus a broader network outage, but not on the SAME physical server if it is a virtual appliance.
• Monitor process:
  • The secondary node monitoring the health of the Primary PAN is the active monitor.
  • On failure detection, the Health Monitor for the Primary PAN initiates switchover by sending a request to the Secondary PAN to become the new Primary PAN.

PAN Failover Scenario 1

• Primary PAN (PAN-1) is down.
• Secondary PAN (PAN-2) takes over (same topology as the Automatic PAN Switchover diagram).

PAN Failover Scenario 2

• The connection between the Primary PAN and the Secondary PAN is down.
• The connection between the Primary PAN and its Health Monitor is up.
• Direct failover detection between the PANs would cause a false switchover, leaving two primaries with data out of sync.
• Using an external monitor avoids the false switchover: the monitor still reaches PAN-1, so no promotion is requested.

PAN Failover Scenario 3

• Connectivity between the data centers is down: a complete network split.
• This cannot be handled by PAN failover; PAN-1 is still healthy from its local monitor's point of view, while DC-2 has lost its PAN.
• Local WAN survivability is required.
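The three scenarios above, as an added example that is not from the deck: a Python model of the reachability decision a health monitor makes, compared with direct detection between the PANs. Node names, data-center membership and the reachability matrix are constructed; probe timers, the promotion request itself and the roughly 30 minute switchover time are not modelled.

```python
"""Added example (not from the deck): the reachability logic behind the three
PAN failover scenarios. Topology and node names are constructed."""

from dataclasses import dataclass, field


@dataclass
class Topology:
    """Which node can reach which. Links are symmetric; a node in `down` is
    unreachable from everyone; a pair in `cut_links` cannot talk directly."""
    down: set = field(default_factory=set)
    cut_links: set = field(default_factory=set)   # frozenset({a, b}) pairs

    def reachable(self, src, dst):
        if src in self.down or dst in self.down:
            return False
        return frozenset({src, dst}) not in self.cut_links


def direct_detection(topo, primary="PAN-1", secondary="PAN-2"):
    """Naive rule: the secondary promotes itself whenever it loses the primary.
    True means a switchover would happen (correct in S1, false in S2 and S3)."""
    return not topo.reachable(secondary, primary)


def monitor_decision(topo, monitor, primary="PAN-1", secondary="PAN-2"):
    """Health-monitor rule from the slides: promote only if the monitor has
    lost the primary AND can still reach the secondary. Returns 'promote',
    'no-action', or 'cannot-request' (primary gone, secondary unreachable)."""
    if topo.reachable(monitor, primary):
        return "no-action"
    if topo.reachable(monitor, secondary):
        return "promote"
    return "cannot-request"


DC1 = {"PAN-1", "MNT-1", "PSN-1"}
DC2 = {"PAN-2", "MNT-2", "PSN-2"}

# Scenario 1: PAN-1 is down. Both rules fail over; the monitor confirms it.
S1 = Topology(down={"PAN-1"})
# Scenario 2: only the PAN-1 <-> PAN-2 link is cut. Direct detection would
# promote PAN-2 (false switchover); the DC-1 monitor still sees PAN-1 healthy.
S2 = Topology(cut_links={frozenset({"PAN-1", "PAN-2"})})
# Scenario 3: complete split between DC-1 and DC-2. The DC-1 monitor takes no
# action, yet every node in DC-2 has lost the primary PAN.
S3 = Topology(cut_links={frozenset({a, b}) for a in DC1 for b in DC2})


def nodes_without_pan(topo, nodes, pans=("PAN-1",)):
    """Nodes that cannot reach any listed PAN (the replication they depend on)."""
    return sorted(n for n in nodes
                  if not any(topo.reachable(n, p) for p in pans))


def summarise(topo, monitor="MNT-1"):
    return {
        "direct": direct_detection(topo),
        "monitor": monitor_decision(topo, monitor),
        "orphaned": nodes_without_pan(topo, DC1 | DC2),
    }


if __name__ == "__main__":
    for name, topo in (("S1", S1), ("S2", S2), ("S3", S3)):
        print(name, summarise(topo))
```

The last assertion below is the reason behind the slide's placement advice: a monitor on the far side of the WAN from the primary reads a WAN split as a dead PAN-1 and would request a promotion while PAN-1 is still serving DC-1.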

Page 230: Текториал по тематике информационной безопасности

Cisco Confidential 230 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

PAN Failover Configuration

Configuration using GUI only under Administration > System > Deployment > PAN Failover

Page 231: Текториал по тематике информационной безопасности

Cisco Confidential 231 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Alarms in PAN Auto-Failover

Critical Alarms

• Health check node finds primary PAN down

• Health check node makes a promotion call to secondary PAN

• Health check node is not able to make promotion request to secondary PAN

• Secondary PAN rejects the promotion request made by the health check node

Warning Alarms

• Invalid auto-failover monitoring

– Mostly because health check node is out of sync

• PAN Auto-failover is disabled but primary PAN is receiving health check probes

• Primary PAN receives health probes from invalid health check node

• Secondary PAN info with the health check node is not correct

• Node receiving the health probe says it is not the correct primary PAN node

• No health-check probes received

– Primary PAN does not receive the health check probes though it is configured

• Promotion of secondary PAN is called by the health check node


PAN Auto-Failover Alarm Details

Drill down on a specific alarm to get detailed alarm information on a new page

For Your Reference


Certificate Management Enhancements

• Multiple certificate management enhancements to help simplify operations including:

• Certificate to portal correlation for admins

• Simplifying the deletion and replacement of certificates

• New “Multi-Use” certificate type (Admin, pxGrid, Portal, EAP)

• API for manual certificate provisioning for non-NSP supported BYOD devices (e.g. Linux PC).


System Certificate Page Showing Portal and Node Details

• An info ‘i’ icon is added next to the portal tag on the system certificates listing page.

• Hovering over the ‘i’ icon shows the portals and nodes information, if the tag is assigned to one or more portals.

• ‘none’ is shown when the tag is not associated with any portal

For Your Reference


CSR Generation: ‘Multi-Use’ usage

‘Multi-Use’ is a new usage added on the CSR page. This option is used in the following cases:

• A single certificate may be used for multiple services

• The user may not know, at the time of generating the CSR, which service(s) the certificate will be used for.

Note: Default option is ‘Multi-Use’


Certificate Bind Page: Ability to deselect Usage

A usage is selected during CSR generation. However, it can be deselected at the time of binding, in case something changed between CSR generation and certificate binding.

When the previously selected usage is deselected during bind, the certificate is bound with the ‘Not in use’ usage. The user may edit the certificate later to add the usage(s).

‘Allow Wildcard Certificate’ is selected during CSR generation for wildcard certificates, so it is not required to select this option again on the binding page. The ‘Allow Wildcard Certificate’ selection has been removed from the binding page.

‘Allow Wildcard Certificate’ selection removed

For Your Reference


Portal Tag Re-Assignment

• The user may assign an existing and/or in-use portal group tag to a portal certificate that is being added to the system by CSR & Bind, Import, or Generate Self-Signed Certificate.

• In Edit, the user may assign an existing and/or in-use portal group tag to a portal certificate only when the portal tag of the certificate being edited is not in use by any portal.

• When a tag re-assignment is submitted, a confirmation dialog showing the certificate name asks the user to confirm the change

• Once confirmed, the portals are restarted with the changed certificates

For Your Reference


Wildcard Certificate: Changes Replicated to All Copies

For Your Reference


ERS API for Issuing Endpoint Certificates

• Supports devices that cannot go through BYOD flow.

• REST API used to manually generate certificates

• Enable ERS for Read/Write under Administration > System > Settings

• Leverage ERS SDK for usage.

• Don’t forget the “Accept” header!


Authentication

• Basic Access Authentication

• RFC 2617

• https://www.base64encode.org/

• In: “bob:Lab123”

• Out: “Ym9iOkxhYjEyMw==” (the value used in the Authorization header of the curl command below)

• *NOTE: Most other ERS resources only allow operations by an ERS Admin or ERS Operator. The ERS API for certificate provisioning is open to ALL internal users, ALL AD users, and ALL LDAP users. The difference is that only ERS Admins can request a certificate for any CN; all other users must request a certificate with the CN equal to their own username. This is also true for guest users.

For Your Reference


Authentication – ERS Admin vs Normal User

• Putting any value into the CN is a security concern.

• CN MUST equal the requester’s username.

• Users with the “ERS Admin” role can request a certificate for any CN.

• “Validation Error - Illegal values: [The provided CN MUST match your User Name. Only ERS Admins can create certificates for any CN.]”

For Your Reference


Payload

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:endpointcert description="Created in ERS" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="cisco.com">
  <certTemplateName>EAP_Authentication_Certificate_Template</certTemplateName>
  <certificateRequest>
    <entry>
      <key>san</key>
      <value>11-22-33-44-55-66</value>
    </entry>
    <entry>
      <key>cn</key>
      <value>bob</value>
    </entry>
  </certificateRequest>
  <format>PKCS12_CHAIN</format>
  <password>Cisco123</password>
</ns3:endpointcert>

For Your Reference


REST Call (curl command)

• curl -X PUT -H "Authorization: Basic Ym9iOkxhYjEyMw==" \
    -H "Accept: application/vnd.com.cisco.ise.ca.endpointcert.1.0+xml; charset=utf-8" \
    -H "Content-Type: application/vnd.com.cisco.ise.ca.endpointcert.1.0+xml; charset=utf-8" \
    --data @payload -v https://172.21.77.91:9060/ers/config/endpointcert/certRequest > result.zip

• -X: This option specifies the HTTP method to use, this needs to be PUT.

• -H: This option specifies a header. You need Authorization, Accept, and Content-Type headers.

• --data: This option specifies the payload file to use; the @ prefix means a filename follows

• -v: This option specifies to give extra details in the output (verbose).

• result.zip: File containing the results. This should be a zip file with the certificates and keys, but it can also contain error messages if the request wasn’t successful.

For Your Reference
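An added example (not Cisco's ERS SDK code) that ties together the Basic-auth encoding, the payload and the curl headers from the preceding slides, and applies the CN rule the slides state. The host, user names and roles are constructed; the media type, URL path and payload layout are taken from the slides; nothing is sent on the network.

```python
"""Build the ERS endpoint-certificate request shown on the slides and apply
the CN rule the slides describe (illustration, not Cisco's ERS SDK).

ElementTree emits the namespace prefix as ns0 rather than the slide's ns3;
the namespace URI is what matters, so the XML is equivalent.
"""
import base64
import xml.etree.ElementTree as ET

MEDIA_TYPE = "application/vnd.com.cisco.ise.ca.endpointcert.1.0+xml; charset=utf-8"
NS = "cisco.com"                       # namespace of <endpointcert> on the slide
XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
CN_ERROR = ("Validation Error - Illegal values: [The provided CN MUST match your "
            "User Name. Only ERS Admins can create certificates for any CN.]")


def basic_auth_header(username, password):
    """RFC 2617 Basic credential: base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_payload(cn, san, pkcs12_password,
                  template="EAP_Authentication_Certificate_Template",
                  description="Created in ERS", fmt="PKCS12_CHAIN"):
    """Serialise the certRequest body; ElementTree escapes the values for us."""
    root = ET.Element(f"{{{NS}}}endpointcert", {"description": description})
    ET.SubElement(root, "certTemplateName").text = template
    req = ET.SubElement(root, "certificateRequest")
    for key, value in (("san", san), ("cn", cn)):
        entry = ET.SubElement(req, "entry")
        ET.SubElement(entry, "key").text = key
        ET.SubElement(entry, "value").text = value
    ET.SubElement(root, "format").text = fmt
    ET.SubElement(root, "password").text = pkcs12_password
    return XML_DECL + ET.tostring(root, encoding="unicode")


def build_request(username, password, cn, san, pkcs12_password, host, port=9060):
    """Everything the curl command on the slide sends, as a dict."""
    return {
        "method": "PUT",
        "url": f"https://{host}:{port}/ers/config/endpointcert/certRequest",
        "headers": {
            "Authorization": basic_auth_header(username, password),
            "Accept": MEDIA_TYPE,          # the header the slide says not to forget
            "Content-Type": MEDIA_TYPE,
        },
        "body": build_payload(cn, san, pkcs12_password),
    }


def requested_cn(payload_xml):
    """Pull the cn entry out of a certRequest body (None if absent)."""
    root = ET.fromstring(payload_xml.encode("utf-8"))
    for entry in root.iter("entry"):
        if entry.findtext("key") == "cn":
            return entry.findtext("value")
    return None


def check_cn_rule(requester, roles, payload_xml):
    """The rule the slides state: CN must equal the requester's username unless the
    requester holds the ERS Admin role. Returns (accepted, message)."""
    cn = requested_cn(payload_xml)
    if cn is None:
        return False, "certificateRequest has no cn entry"
    if "ERS Admin" in roles or cn == requester:
        return True, "accepted"
    return False, CN_ERROR


if __name__ == "__main__":
    req = build_request("bob", "Lab123", "bob", "11-22-33-44-55-66", "Cisco123",
                        "ise.example.test")       # constructed host
    print(req["headers"]["Authorization"])      # Basic Ym9iOkxhYjEyMw==
    print(check_cn_rule("bob", [], req["body"]))
    print(check_cn_rule("alice", [], req["body"]))
```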


CSR, Trust and System Certificate page: Multi-Delete

• The user may select and delete multiple CSRs on the CSR page, and multiple certificates on the Trust and System Certificate pages.

• The ‘Delete’ button is enabled when multiple CSRs or certificates are selected.

• Delete submit checks for certificates that are in use before deleting them.

• If one or more selected certificates is in use, an error message is displayed and no certificate is deleted.

• For a wildcard certificate, selecting any one copy of the wildcard certificate on any one node as part of a multi-delete deletes the copies of the same wildcard certificate on all nodes in the deployment.

• A confirmation dialog is shown for wildcard certificate deletion; the user must confirm it.

• An audit log entry is generated for the certificates deleted as part of the multi-delete.

For Your Reference


Government Certification Support

FIPS 140-2 Level 1 Support: Federal Information Processing Standard 140-2 is a United States government computer security standard for the use of cryptographic modules to collect, store, transfer, share and disseminate sensitive but unclassified information in government deployments (as well as regulated industries such as finance and health care)

USGv6 Certification: USGv6 is a technical standards profile developed by the US National Institute of Standards and Technology (NIST) for US Government (USG) acquisition of IPv6 hosts and routers, and a specification for network protection devices. This certification carries forward from ISE 1.3

Common Criteria and Unified Capabilities Approved Product List (UC APL): Cisco intends to pursue these certifications with a June submission of the first patch release to the Joint Interoperability Test Command (JITC) – (stretch for June)


Posture Enhancements: Mac OS Support Added for Custom Checks (File / Service / Application)

• File, Service (daemon), and Application (process) checks are now available for Mac OS.

• When Mac OSX is selected…

• File condition: the file path can start with home or root, followed by the path.

• Service condition: the service operator changes to loaded/unloaded.

• Operating system policy selector can select specific Mac OS versions.


Posture Enhancements

• File integrity check, already supported by AnyConnect (AC) and ASA HostScan.

• Supported for both Windows and Mac OS X.

• Adds a file type named CRC32

• Adds a “File CRC Data” text field to enter the CRC value.

CRC data inside File Condition


ISE Posture - Patch Management Support

Adds patch management conditions and remediation similar to AV/AS.

Supported for Windows and Mac OS

Remediation currently supported for Windows only.

Uses OPSWAT technology (like AV/AS posture) to allow AnyConnect to communicate with the local patch agent.

ISE does NOT communicate with the patch manager directly

Do not confuse this with MDM partner support, where ISE uses an API to talk to external servers.

The full list of applications supported by OPSWAT OESIS can be found at: https://www.opswat.com/products/oesis-framework/supported-applications#!product=patch-management

For Your Reference


ISE Posture – Patch Management Windows OS Example

Product Name and Version

Install is supported by default for all products; a product may optionally also support the “Enabled” or “Up to Date” checks

Min Version of compliance module that provides support


ISE Posture – Patch Management Mac OS Example


Patch Management

Windows and Mac OS X supported.

The list of vendors is loaded from the OPSWAT update. The selected list is updated according to the selected operating system.

• Is this patch installed?

• Is this patch enabled on the client?

• Is this patch up to date?

• Installed is always supported

• Enabled and Up-to-date are not supported by all products.

For Your Reference


Patch Management Remediation

Remediation type – same as AV and AS remediation.

Operating System – Windows only supported.

Vendor Name – list is loaded from the OPSWAT update.

Remediation options:

• Enabled

• Install missing patches

• Activate patch management software GUI

The product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option.


AnyConnect Configuration Profile for AMP Enabler

Client Provisioning: CP Resource Configuration with AnyConnect

• Facilitates client provisioning of the AMP client module.

• When adding a new AnyConnect configuration, you can select the AMP Enabler module and the AMP Enabler profile to use.

AMP Enabler


AMP Enabler Profile Page

ISE Posture services now support the download and provisioning of the AMP client module

The AMP Enabler profile is added under: “Policy -> Policy Elements -> Results -> CP -> Resources”

Supported on Windows and OS X. Installation location URLs should be updated with the location of the external hosting server.

The provided URLs must be trusted by ISE. The related certificate should be installed in ISE under Administration -> Certificates -> Trusted Certificates.


AMP Enabler Profile Page

AMP Enabler FA will be installed via AnyConnect

To configure AMP Enabler on ISE 1.4, add an AMP Enabler Profile in “Policy -> Policy Elements -> Results -> CP -> Resources”

The user can select install or uninstall.

The AMP Enabler profile can be configured from ISE 1.4 or from a local XML file. Either way, the generated XML is loaded to the client together with AnyConnect.

If install was selected, provide URLs for the Windows and Mac OS installers

The provided URLs must be trusted by ISE. The related certificate should be installed in ISE under Administration -> Certificates -> Trusted Certificates.

Three checkboxes control the installation configuration on the client.

For more information about the AMP Enabler use case, please contact the AnyConnect team.

For Your Reference


Multiple MDM Support

Multiple Partner MDM servers can be made active on ISE

Different MDM portals can be created for different MDM servers

Authorization profiles are used to route traffic to different portals.

One Authorization policy for un-enrolled devices required per MDM server

New MDM dictionary attributes are available – UDID, MEID, MDM Server Name

Note: In a brownfield environment, where devices are already enrolled in multiple MDMs and ISE is then deployed for network enforcement, ISE 1.4 does not support automatically detecting which MDM an endpoint belongs to, which may result in a re-enrollment process for the user. There are multiple workarounds, e.g. exporting MAC addresses from the MDM and importing them into ISE, etc …

This is not an issue for greenfield deployments.


Multiple MDM Support

Multiple MDM vendors can be added to ISE and used simultaneously in policy


MDM Authorization Profiles

Redirection authorization profile example for MobileIron and Meraki

MDM Server selection added to Authorization Profile


Multi MDM Policy Example

MDM enrollment and compliance example using multiple MDMs (Meraki policies shown)


New MDM dictionary attributes

UDID

MEID

MDM Server Name

MDM Dictionary Attributes

For Your Reference


Multiple MDM – Runtime

Periodic Jobs run for each active MDM server on PAP and PSNs

Heartbeat runs every 5 minutes

Compliance Check Verifier runs as per admin user configuration

Device Enrollment

Enrollment page redirecting to specific MDM server

Device query job every 2 minutes

API version switching

MDM vendors that support API v2 are switched from API v1 to API v2 on ISE

Endpoint Devices switched between vendors

Reports include LiveLogs, External MDM Report, RADIUS Authentications, Endpoints GUI

For Your Reference


In General

• Serviceability feature to test the APIs – the Test Connection button on MDM Settings tests the Get MDM Info API

– Refresh MDM Partner on the Endpoints GUI page tests the Get Device Info API

• MDM server Info and device attributes data logged at Trace level in ise-psc.log

• The heartbeat periodic job constantly monitors and reports MDM servers’ availability

• Endpoints GUI and other reports show MDM servers associated with the endpoints

• For endpoint enrollment issues:

– check the MDM vendor’s portal page for device status

– check if the ISE application has a valid session for this user

For Your Reference


MDM Serviceability - Get Device Info API

For Your Reference


MDM Onboarding Off-Premise Devices

Allows onboarding of mobile devices to partner MDM with AnyConnect VPN

Leverages AnyConnect Identity Extensions (ACIDEX) data sent to ASA from AC VPN then forwarded to ISE in RADIUS Accounting

Requires ASA 9.3.2 and AnyConnect 4.1 and above

AnyConnect 4.1 adds support for UDID, MEID, IMEI

AnyConnect 4.1 requires a minimum of Android 4.0+ and iOS 7.0+.

MDM Server needs to support MDM API version 2

Currently (as of 1.4 release time) supported only by Meraki

AirWatch, MobileIron to add support soon


Off-Prem Partner MDM Onboarding

Support onboarding of clients to a partner MDM when connecting over remote access VPN.

Requires AnyConnect and ASA to collect and transmit AnyConnect Identity Extensions (ACIDEX) attributes via RADIUS to ISE.

In the absence of a MAC address, ISE can now use the UDID (Apple iOS) or IMEI / MEID data (Android) to query the partner MDM server for enrollment and compliance status.

Windows, MacOS, and Android (connected over WiFi) can already be correlated using the MAC address with ISE 1.2 Patch 5, ASA 9.2.1, and AnyConnect 3.1MR5 (and above).

Additional iOS and Android support requires ASA 9.3.2 and AnyConnect 4.1.

AnyConnect 4.1 adds support for Apple iOS and Android (connected over broadband wireless)

For Your Reference


Sample ACIDEX Attributes Received by ISE from AC via ASA

[Screenshots of the received attributes for Android, iOS and Windows not reproduced]

For Your Reference


Guest Enhancements: Require an AUP every X hours

Use case

• A personal device is BYOD registered and using EAP-TLS

• The administrator requires an AUP every 72 hours for legal reasons

• The device is redirected to the hotspot portal to accept the AUP and update LastAUPAcceptanceHours

• The hotspot registers the device into the RegisteredDevices group


Guest Enhancements: Error on maximum connections exceeded

Use case

• A device is redirected to an error page after exceeding the maximum number of simultaneous logins

• An authorization policy keyed off the SessionsLimitExceeded attribute is required for the redirection

• The device is redirected to the same portal as the initial web auth; the portal has the intelligence to show the error page because this device has exceeded the count

• This only works for the web auth flow and does not work for authorization of the endpoint only, as such endpoints are not required to go through the portal. ISE only counts sessions in the web auth flow.


Guest Enhancements: Change guest type after account created

Use case

• Need to change the guest type after the account has been created

• This can be done by any sponsor; there is no setting under the sponsor group that restricts this

• A sponsor group can be restricted on which guest types a sponsor can use


Oracle Access Manager SAML SSO User Login for Sponsor, Guest, and Device Registration Portals

• ISE is the Service Provider. OAM is the ID Provider (IDP)

• The user connects to any end-user portal served by the IDP (e.g. Oracle WebLogic) interface and can then access any portal again using SSO. The SAML session is stored in a cookie on the end-user device

• When accessing ISE portals configured for SAML, built-in logic checks for the session cookie.

• If the cookie exists, then SSO!

• If no cookie exists, the user is redirected to the IDP for authentication. After SSO, the user flow continues as normal

• Supported with ISE Sponsored Guest, Sponsor, BYOD, and My Devices portals

• Supported Providers for ISE 1.4:

• Oracle Access Manager (OAM)

• Oracle Identity Federation (OIF)


SAML Flow

• In the diagram:

• ISE is the Service Provider for the different portals.

• Oracle OAM is the IDP

• A request is sent to the portal.

• If there is no cookie (SAML assertion) in the request, the user is redirected to the IDP for authentication

• After successful authentication to the IDP, the user is redirected back to the original portal with the assertion.

• ISE uses the ‘username’ assertion value for authorization against the AD/LDAP stores.

For Your Reference


SAML Flow

ISE 1.4 as a SAML Service Provider

For Your Reference


ISE SAML Configuration: Configuration Checklist (1 of 2)

• Import IDP’s cert or its CA signing certificate into ISE for mutual trust

• Export the IDP Metadata file from IDP

• Import the IDP Provider Config (Metadata) file into ISE

• Update logout settings if needed, but typically leave the IDP defaults

• Add IDP as the portal ID store (cannot be part of ID sequence)

For Your Reference


ISE SAML Configuration: Configuration Checklist (2 of 2)

• Export ISE Provider Metadata Info

• Import into IDP

• Must re-export and re-import this metadata for any of the following updates:

• Node is registered to deployment

• IP address change of one of the nodes in deployment

• Host name change of one of the nodes in the deployment

• Portal FQDN is set or modified

• Make sure ‘username’ assertion is defined in external IDP

• Username required for ISE AuthZ

For Your Reference


‘username’ Attribute Assertion

As part of the SAML Assertion (which is returned as the response from the IDP), ISE expects to receive the ‘username’ attribute assertion. The ‘username’ attribute assertion should provide the name of the user who authenticated, and it is shown in the ISE logs. The ‘username’ attribute assertion is mandatory and must be returned by the IDP.

For Your Reference
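An added illustration (not ISE's implementation) of the portal flow described in the SAML Flow slides and of the mandatory ‘username’ attribute assertion above: an existing session cookie gives SSO, otherwise the user is redirected to the IDP, and the returned assertion must carry ‘username’, which is then looked up in the directory for authorization. The cookie name, IDP URL, directory contents and the sample response are constructed; signature verification is deliberately out of scope here, and a real Service Provider must validate the assertion signature before trusting any attribute.

```python
"""Model of the ISE-as-SAML-SP portal flow from the slides (illustration only).

Assumptions (constructed, not from ISE): SESSION_COOKIE name, the IDP login
URL, the SPONSOR_DIRECTORY stand-in for AD/LDAP, and the unsigned sample
response. Signature validation is omitted on purpose; a real SP verifies the
assertion signature before reading attributes.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SESSION_COOKIE = "ise_portal_saml_session"            # assumed cookie name


def portal_access(cookies, idp_login_url):
    """('sso', session) when the SAML session cookie exists, else ('redirect', url)."""
    if SESSION_COOKIE in cookies:
        return "sso", cookies[SESSION_COOKIE]
    return "redirect", idp_login_url


def username_from_response(response_xml):
    """Extract the mandatory 'username' attribute assertion; raise if the IDP omitted it."""
    root = ET.fromstring(response_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == "username":
            value = attr.findtext(f"{{{SAML_NS}}}AttributeValue")
            if value:
                return value.strip()
    raise ValueError("IDP response carries no 'username' attribute assertion; "
                     "nothing to authorize against AD/LDAP")


def authorize(username, directory):
    """Authorization step: look the asserted username up in AD/LDAP (a dict here)."""
    groups = directory.get(username)
    if not groups:
        return {"result": "deny", "reason": "user not found in identity store"}
    return {"result": "permit", "groups": sorted(groups)}


def sample_response(with_username=True):
    """Constructed, unsigned IDP response for the demonstration only."""
    attribute = ""
    if with_username:
        attribute = ('<saml:Attribute Name="username">'
                     '<saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>')
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
            'ID="_r1" Version="2.0">'
            '<saml:Assertion ID="_a1" Version="2.0">'
            '<saml:Subject><saml:NameID>jdoe@idp.example.test</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{attribute}</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>')


SPONSOR_DIRECTORY = {"jdoe": {"Sponsors", "Employees"}}      # constructed LDAP stand-in


def sponsor_portal_login(cookies, response_xml=None,
                         idp_login_url="https://oam.example.test/login"):
    """Whole flow: cookie -> SSO; no cookie -> redirect; back from IDP -> authorize."""
    decision, detail = portal_access(cookies, idp_login_url)
    if decision == "sso":
        return {"step": "sso", "session": detail}
    if response_xml is None:
        return {"step": "redirect", "location": detail}
    user = username_from_response(response_xml)
    return {"step": "authorized", "username": user, **authorize(user, SPONSOR_DIRECTORY)}


if __name__ == "__main__":
    print(sponsor_portal_login({}))                          # first visit: redirect
    print(sponsor_portal_login({}, sample_response()))       # back from IDP: permit
    print(sponsor_portal_login({SESSION_COOKIE: "s1"}))      # later visit: SSO
```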


Oracle Access Manager SAML SSO

Portal Settings choose IDP as Authentication Method

Authz Policy using SAML IDP & LDAP

For Your Reference


Oracle Access Manager SAML SSO: Sponsored Guest Portal flow using test URL

[Two-step screenshot sequence not reproduced; step 2 is reflected in the authentication logs]

For Your Reference


Key Performance Metrics (KPM)

• Generate performance metrics:

• Endpoints Onboarding

• Endpoints Transactional Load

• Saves to local disk

• Can copy to repository for viewing

• Reports are suffixed with date parameter

• If run in same day, will overwrite

• Can be resource intensive on CPU/Memory, so advised to run during non-peak hours

# application configure ise (Option 12 and 13)


KPM in a Nutshell

What is KPM?

• KPM stands for Key Performance Metrics. These are the metrics collected from the MNT nodes about the endpoints and their artifacts

Benefits of KPM:

• There are two flavors, captured in two separate spreadsheets.

• Endpoints Onboarding data: measures key performance metrics about endpoints, such as Total, Active, Successful, Failures, and endpoints onboarded per day

• Endpoints Transactional Load data: number of RADIUS requests per PSN per hour, ratio of RADIUS requests to number of active endpoints, how much of this data was persisted in the MNT table and how many requests were suppressed (to determine the suppression ratio), the average and maximum load on the PSN during that hour, and the latency and average TPS.

For Your Reference


KPM Attributes

KPM OnBoarding Results:

• Total Endpoints : Total number of endpoints in the deployment

• Successful Endpoints : How many of them were onboarded successfully

• Failed Endpoints : How many failed to onboard

• New EP/day : New endpoints seen in the deployment for a given day

• Total Onboarded/day : Total endpoints onboarded for a given day

KPM Trx Load:

• Timestamp: Date/Time, This is an hourly window, extrapolated from the syslogs sent by the PSNs

• PSN name : Hostname of the PSN sending syslogs to the MNT collector

• Total Endpoints: Total number of endpoints in the deployment

• Active Endpoints: Active number of endpoints in the deployment for that hour.

• Radius Requests : Number of Radius requests sent by the PSNs for that hour.

• RR_AEP_ratio : Ratio of Radius Requests to the number of Active endpoints on an hourly basis. This will give the number of radius request an Active EP makes on an average.

• Logged_to_MNT/hr : Number of Radius Request persisted in the DB

• Noise/hr : Number of Radius Request suppressed, only the counter increases but the data is not persisted in the DB.

• Supression_hr % : % of suppression

• Avg_Load (avg) : Average load of the PSNs during that hourly window

• Max Load (avg): Max load of the PSNs during that hourly window

• Latency_per_request: Latency per radius request (average)

• Avg TPS : Average number of transactions per second on that PSN.

For Your Reference
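An added example (not ISE's KPM tool) that computes the KPM Trx Load columns defined above from per-request records. The record format is a simplified, constructed stand-in for the PSN syslogs the real tool extrapolates from (timestamp, PSN hostname, endpoint MAC, outcome, whether MnT persisted or suppressed it, latency in ms); the load samples are constructed as well.

```python
"""Compute KPM transactional-load rows from constructed records (illustration
only; the real KPM tool reads MnT data, and its record layout is not this one).
"""
from collections import defaultdict
from statistics import mean

# Constructed records: timestamp PSN MAC outcome persisted|suppressed latency_ms
SAMPLE_RECORDS = """\
2015-05-01T10:00:05 psn-1 00:11:22:33:44:01 passed persisted 12
2015-05-01T10:00:06 psn-1 00:11:22:33:44:01 passed suppressed 9
2015-05-01T10:04:10 psn-1 00:11:22:33:44:02 passed persisted 15
2015-05-01T10:07:33 psn-1 00:11:22:33:44:02 passed suppressed 8
2015-05-01T10:09:01 psn-1 00:11:22:33:44:03 failed persisted 40
2015-05-01T10:12:45 psn-1 00:11:22:33:44:01 passed suppressed 10
2015-05-01T10:13:00 psn-2 00:11:22:33:44:09 passed persisted 20
2015-05-01T10:50:00 psn-2 00:11:22:33:44:09 passed suppressed 6
"""

# Constructed PSN load samples per (PSN, hourly window).
SAMPLE_LOAD = {
    ("psn-1", "2015-05-01T10"): [0.8, 1.4, 2.2, 1.2],
    ("psn-2", "2015-05-01T10"): [0.3, 0.5],
}


def parse_records(text):
    """Parse the constructed record lines; the hour key is the timestamp cut at the hour."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, psn, mac, outcome, store, latency = line.split()
        rows.append({"hour": ts[:13], "psn": psn, "mac": mac, "outcome": outcome,
                     "persisted": store == "persisted", "latency": float(latency)})
    return rows


def kpm_trx_load(records_text, load_samples):
    """One row per (PSN, hour) using the column names of the KPM_TRX_LOAD sheet."""
    records = parse_records(records_text)
    total_endpoints = len({r["mac"] for r in records})       # deployment-wide count
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["psn"], r["hour"])].append(r)
    rows = []
    for (psn, hour), recs in sorted(buckets.items()):
        requests = len(recs)
        active = len({r["mac"] for r in recs})                # distinct endpoints that hour
        logged = sum(r["persisted"] for r in recs)            # persisted in the MnT DB
        noise = requests - logged                             # counted but not persisted
        load = load_samples.get((psn, hour), [])
        rows.append({
            "Timestamp": hour,
            "PSN name": psn,
            "Total Endpoints": total_endpoints,
            "Active Endpoints": active,
            "Radius Requests": requests,
            "RR_AEP_ratio": requests / active if active else 0.0,
            "Logged_to_MNT/hr": logged,
            "Noise/hr": noise,
            "Supression_hr %": 100.0 * noise / requests if requests else 0.0,  # slide's spelling
            "Avg_Load": mean(load) if load else None,
            "Max Load": max(load) if load else None,
            "Latency_per_request": mean(r["latency"] for r in recs),
            "Avg TPS": requests / 3600.0,
        })
    return rows


if __name__ == "__main__":
    for row in kpm_trx_load(SAMPLE_RECORDS, SAMPLE_LOAD):
        print(row)
```

A suppression percentage close to 100 with a high RR_AEP_ratio points at a few endpoints re-authenticating in a loop, which is the kind of load problem this sheet is meant to surface.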


Sample KPM Stats Output

• KPM_TRX_LOAD_<DATE>.xls

• KPM_ONBOARDING_RESULTS_<DATE>.xls

For Your Reference


But Wait! There’s More!

Other ISE 1.4 Enhancements

• MDM: Test Connection Button (MDM page)

• MDM: Refresh Endpoint Button (Endpoints page)

• MDM: Which Authorization Profiles use this server (MDM page)

• Profiler: Feed Test Button (Profiler Feed Services page)

• EPS is now rebranded as ANC


EPS is Now ANC

• Under ISE 1.3, Endpoint Protection Service (EPS) is used to quarantine endpoints based on MAC or IP address. System also supports partner APIs to perform remote quarantine actions.

• Under ISE 1.4, EPS is now Adaptive Network Control (ANC) to better reflect the broader application of services which may be applied to endpoints by ISE and partners via pxGrid.

For Your Reference


Profile Feed Test Button

• Used to test connection to feed service

• May require a proxy server to be set up

• Provides an error message if connection fails

• Error message provided by feed server

• Provides a success message when successful

• Administration > Feed Service > Profiler

For Your Reference


Differentiators Summary REQUIRED

Differentiator: Endpoint visibility and access control across Wired, Wireless, VPN
– Major Technical Outcome: Single policy to manage all network access
– Major Business Outcome: Simplify operations while meeting organization compliance requirements.

Differentiator: Policy Enforcement embedded into network
– Major Technical Outcome: Security is enacted across existing traffic channels where most beneficial
– Major Business Outcome: Customers leverage the intelligence and investment in existing infrastructure

Differentiator: Context Sharing
– Major Technical Outcome: Higher levels of security are gained through the sharing of rich contextual data across the entire system.
– Major Business Outcome: Customers gain significant benefit from leveraging the capabilities of existing IT spend.

In a world where any device, user, or application can connect to the network from anywhere at any time, customers are faced with the challenge of detecting all connections and applying business compliance policies that monitor and secure access to their organization’s critical resources and data. ISE collects data from multiple sources to deliver on this requirement while sharing this rich content with other systems to enhance overall visibility and security.


ISE/TrustSec Demonstration Options

Partners:

• ATP Resource Center: http://www.ciscosecurityatp.com

>> Includes links to the dCloud demo, POD links for ISE training, ISE NFR download links, the ISE Configured Limited Deployment (COLD) program, and ISE ATP lab demo equipment

Public:

• Video On Demand demos: http://www.cisco.com/c/en/us/products/security/identity-services-engine/ise_demos.html

• QuickStart demo series on the YouTube "CiscoISE" channel: https://www.youtube.com/user/CiscoISE

Page 288: Текториал по тематике информационной безопасности


Where To Go for Self Help

Partner:

• Tech Talks / Voice of Engineer – Security Deep Dive Series: https://communities.cisco.com/docs/DOC-30977

• ATP Resource Center: http://www.ciscosecurityatp.com

Customer:

• ISE Design Guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

• ISE collateral, links to docs, software and support options: http://www.cisco.com/go/ise

Page 289: Текториал по тематике информационной безопасности


Where To Go for Interactive Help

Partner:

• Your local Channel SE or the Cisco account SE team for the specific customer

• Cisco Communities > Partners > Security: https://communities.cisco.com/community/partner/security

• Until conversion to TSN: Sales Assistance Center (SAC), 24x7, all countries, all time zones

Email: [email protected]

Phone: +1-408-902-4872 (International), 800-225-0905 (US toll free)

Live Chat: http://tinyurl.com/sacise

Website: sac.cisco.com (Cisco internal)

Customer:

• Their local Cisco or ATP partner SE team

• Cisco Support Communities: supportforums.cisco.com

• TrustSec: cs-trustsec

• ACS: cs-ciscosecure

• Switch identity features: cs-ibns

• Wireless features: cs-wlan

Page 290: Текториал по тематике информационной безопасности

Thank You!


