Category: Security

Cisco ISE Part 10: Profiling and posture

11 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, the last post in the Cisco ISE blog post series: Profiling and posture. For both features is the Cisco ISE advanced license required.
Profiler is a functionality for discovering, locating and determing the capabilities of the attached endpoints. It will detect the network type and will authorize it.
A sensor in the network captures network packets by quering the NADs, it forwards the attributes to the analyzer. The analyzer checks the attributes using policies and identity groups. The results is stored in the ISE database with the corresponding device profile. The MAC address of the device will be linked to a existing endpoint identity group.
There are 9 availabled probes:

  • Netflow
  • DHCP
  • DHCP SPAN
  • HTTP
  • RADIUS
  • NMAP
  • DNS
  • SNMPQUERY
  • SNMPTRAP

Profiling uses CoA (change of authorization). There are 3 options:

  • No CoA: CoA is disabled
  • Port bounce: use this only of there is a single session on a switchport
  • Reauth: enforce reauthentication of a currently authenticated endpoint when it’s profiled

ISE creates three identity groups by default and two identity groups that are specific for Cisco IP phones. Creation of extra groups is optional.
An endpoint profiling policy contains a simple condition or a set of conditions (compound).
Configuring
Probe configuration
First, make sure the ISE appliance can SNMP to the switches (SNMPv2 or 3) with a read only community string. Also, configure a snmp trap destination to Cisco ISE policy node.

Switch(config)# snmp-server host 172.20.12.5 version 3 priv ISE
Switch(config)# snmp-server enable traps snmp linkdown linkup
Switch(config)# snmp-server enable traps mac-notification change move
On all interfaces:
Switch(config-if)# snmp trap mac-notification change added

For DHCP probing, configure an additional IP helper on the SVI to the policy node:

Switch(config-if)# ip helper-address 172.20.12.5

Cisco ISE configuration
Click Administration – System – Settings, click Profiling and configure the CoA.
profile5
Read more

Cisco ISE Part 9: Guest and web authentication

5 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 9: Guest and web authentication
Webauthentication can be used for guest access. It can also being used for a last resort for authentication of normal users if the 802.1x supplicant is not working. Access to this portal can be done by a remediation VLAN with limited access to resources. The portal is using HTTP and HTTPS,  because of limited access, the NAD (or WLC) will intercept the HTTP request and redirects it to the web portal.
There are two portals: Guest user portal is a portal the guest is using for logging in. The Sponsor portal is a portal being used by company employees for creating and managing guest accounts. The guest portal is customizable in available options for guest users.
To manage the RADIUS requests, the portal is installed on all required policy nodes. The configuration of the portal (and users) are replicated to all nodes. So, there is a central deployment.
You can configure multiple authorization sources in one rule. So, you can use one SSID for all used: internal production use, BYOD, Guest, etc. This is a nice feature of Cisco ISE.
Configuration
Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.
Edit the DefaultGuestPortal to your needs:

  • Password policies
  • Need of posture client
  • self service
  • device registration
  • DHCP settings
  • Policies
  • etc

guestportal1
guestportal2
Read more

Cisco ISE Part 8: Inline posture and VPN

Leave a comment

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 8: Inline posture and VPN
The fourth ISE node role is inline posture. This appliance can be placed in your network for devices which don’t support CoA (Change of authority). Cisco ASA doesn’t support CoA yet (but will come in the near future). This role is hardware appliance only, the VM is not supported.
This node is a gatekeeper that can enforce policies and handles CoA. After initial authentication of a client, the client still must go through posture assessment.
There are 3 possible modes:

  • Router mode: This is a L3 hop in your network. This node is default gateway for clients. Only static routes are available!
  • Bridge mode: is transparant in your network
  • Maintenance mode: takes node offline, traffic should be uninterupted, this is de default mode

Read more

Cisco ISE Part 7: Configuring wireless network devices

6 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 7: Configuring wireless network devices
Configuration
First, add the WLC as a radius client.
Click: Administration – Network Resources – Network Devices. Click Add and create a network device object.
Click Select Existing condition from library, select condition, navigate to Compound condition and select wireless_802.1x.
Click Select Network Access, Allowed Protocols – Default network access. Make sure PEAP is available in this network access rule.
For the authorization profiles, click Policy – Policy Elements – Results
Make sure you select the correct Airespace ACL name.
authprofile
Create an authorization policy that assigns the authorization profile. Click Policy – Authorization. Insert a new row.
Create a new rule, select the “wireless_802.1X” compound condition from the library. To check if the user is also a domain member, add another attribute. Click Select Attribute – <domain> – <usergroup>
 
Browse to the WLC webinterface.
Read more

Cisco ISE Part 6: Policy enforcement and MAB

9 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 6: Policy enforcement and MAB
Policy enforcement in Cisco ISE is based on authentication en authorization.
Some authentication protocols:

  • pap
  • chap
  • ms-chapv1/2
  • eap-md5
  • eap-tls
  • leap
  • peap
  • eap-fast

Authorization can exist of:

  • DACL
  • VLAN
  • webauth
  • smartport
  • MACsec
  • WLC ACL
  • NEAT
  • Filter-ID
  • reauth timer

Authentication policy: defines to protocols ISE is using to communicate with network devices
Policy: set of conditions
Condition: a rule with true of false as response
The result of an authentication policy is the identity method. It can be any one of the following:
Read more

Cisco ISE Part 5: Configuring wired network devices

10 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 5: Configuring wired network devices
First some terminology and guidelines:
Single host mode / Multi host mode. This defines 1 or multiple hosts on the switchport. Only the first device needs authentication.
Ports are authenticated first before any other traffic can pass.
802.1x is disabled in a SPAN port configuration, trunk ports, dynamic ports, dynamic access ports and etherchannels.
The windows client configuration can be pushed by a GPO. Configuration of this GPO is out of scope for this blog.
Configuration
First, add the RADIUS clients in the ISE deployment.
Click: Administration – Network Resources – Network Devices and click Add. Enter the requested information:
Radius client1
Radius client2
Read more

Cisco ISE Part 4: High availability

8 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, a short part post, part 4: High Availability
The admin and monitoring nodes are only available in Active/Standby
All configuration is done on the primary Admin node. All other nodes are managed by this node. In case  of a failure, the secondary admin node has the be manually promoted to primary (ISE 1.X).
Policy nodes can be clustered. Switches can use the cluster IP as radius server. The cluster will act like a load balancer.
Switches (NADs) can sent syslog messages (UDP 20514) to the monitor nodes. All logging is sent / replicated to both HA monitoring nodes.
First, a nodes has to get registered with the admin node. Requirement for this is a useraccount on the new node and prepared the trust list. Changing the secondary administration role is only possible by deregistering.
Registering of a node is certificate based:

  • Self signed
  • CA signed

Read more

Cisco ISE Part 3: Active directory

10 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 3: Active Directory
Microsoft Active directory is the mostly used directory. Cisco ISE can get membership in only 1 AD forest in ISE 1.1.x.
Check the following requirements:

  • Correctly configured NTP
  • Firewall ports: tcp: 389, 636, 445, 88, 3268, 3289, 464
  • Firewall ports: udp: 389, 123
  • All firewall ports are needed for the policy nodes
  • NAT is not supported!!

A local identity store is desired as a fallback in the event that the external identity store cannot be contacted. This is optional.
Local Identity
Click Administration – Identity management – Groups and click Add to add a new group. (Bulk import is available)
newidentitygroup
Under Administration – Identity management – identities – users, users can be created and linked to the usergroup.
Read more

Cisco ISE Part 2: Installation

3 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:

  • Part 1: introduction
  • Part 2: installation
  • Part 3: Active Directory
  • Part 4: High Availability
  • Part 5: Configuring wired network devices
  • Part 6: Policy enforcement and MAB
  • Part 7: Configuring wireless network devices
  • Part 8: Inline posture and VPN
  • Part 9: Guest and web authentication
  • Part 10: Profiling and posture

This week, part 2: installation.
Cisco ISE installation
After installation of the software, type “setup” in the username field on the console.
A wizard appears, complete this wizard with the following information:

  • Hostname
  • IP adress
  • Netmask
  • Default Gateway
  • DNS domain
  • Nameservers
  • NTP server
  • Timezone (try to use UTC)
  • Enter a useraccount for the first admin user
  • Enter the password for this user

Make sure the NTP server is correct and reachable, NTP is important for the ISE deployment.
During the wizard proces, enter a database password and a database user password.
After the wizard, it can take up to 30 minutes before the setup completes. So, grab a coffee or something.
Read more

Cisco ISE Part 1: introduction

6 comments

Cisco ISE is a identity management product of Cisco. In the upcoming weeks more blogposts about the configuration and implementation of Cisco ISE. See the Cisco website for more information about the use of this awesome product. Also, watch this youtube movie for a great introduction about the functionality.
The blogpost Agenda:

  • Part 1: introduction
  • Part 2: installation
  • Part 3: Active Directory
  • Part 4: High Availability
  • Part 5: Configuring wired network devices
  • Part 6: Policy enforcement and MAB
  • Part 7: Configuring wireless network devices
  • Part 8: Inline posture and VPN
  • Part 9: Guest and web authentication
  • Part 10: Profiling and posture

This week, part 1: a basic product introduction to ISE.
Introduction 
This information could be outdated, Cisco released new appliances!
There are 3 appliances available and a virtual machine based on VMware 4.x or 5.x.

  • Cisco ISE 3315
  • Cisco ISE 3355
  • Cisco ISE 3395
  • VM (specs based on physical hardware)

The ISE deployment is based on node roles. There are 4 node roles available:

  • Admin
  • Monitoring
  • Policy
  • Inline posture

The admin node is for central management of the ISE deployment. Most of the configuration will be done on this node.
The monitoring node collects all monitoring events about all authentication and authorization attempts.
The policy node is the node which communicates with the endpoints and makes decisions about authentication and authorization. This is your radius server.
The inline role is used with devices which don’t have support for CoA (change of authority). Most of the recent Cisco switches do have support for CoA. The inline appliance can only be a physical appliance and can be in routed or bridged mode. The table below shows the device compatibility:

Access switch Minimum OS MAB 802.1X Web auth CoA VLAN dACL
Catalyst 2940 IOS v12.1(22)EA1 Y Y Y
Catalyst 2950 IOS v12.1(22)EA1 Y Y
Catalyst 2955 IOS v12.2(22)EA1 Y Y
Catalyst 2960 IOS v12.2(52)EA1 Y Y Y Y Y Y
Catalyst 2970 IOS v12.2(25)EA1 Y Y Y
Catalyst 2975 IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3550 IOS v12.2(44)SE Y Y Y Y
Catalyst 3560-E IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3560-X IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3750 IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3750-E IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3750-Metro IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 3750-X IOS v12.2(52)SE Y Y Y Y Y Y
Catalyst 4500 IOS v12.2(54)SG Y Y Y Y Y Y
Catalyst 6500 IOS v12.2(33)SXJ Y Y Y Y Y Y
Catalust 4900 IOS v12.1(54)SG Y Y Y Y Y Y
Nexus 7000 NX-OS 5.0(2) Y
WLAN Controller  WLC 2100, 4400, 5500 7.0.116.0 Y Y Y Y Y
WISM 7.0.116.0 Y Y Y Y Y
WLC for ISR 7.0.116.0 Y Y Y Y Y
WLC for 3759 7.0.116.0 Y Y Y Y Y

Most features of Cisco ISE require CoA!
Cisco ISE appliance roles can be combined or used on a single appliance. This depends on the ISE design. More policy nodes in your network means bigger an more administrations and montoring nodes. See this chart. In de left colomn the amount of endpoints, in the top colomn the amount of policy nodes.
distribution
There is a maximum of 2 admin nodes (active/standby, not hot-standby)
There is a maximum of 2 monitoring nodes (active/standby or HA)
Licensing is based on concurrent endpoints and on features.
The wireless license contains base + advanced features but for wireless only!
ise license
Design
Some considerations for a ISE design:

  • Only 1 Microsoft Active Directory membership per ISE deployment (at this point, version 1.1.x)
  • Licensing is based on concurrent amount of endpoints
  • Endpoint is a authenticated device, like a PC, Phone, Printer, iPad, etc
  • Authentication of Microsoft AD, LDAP, EAP-TLS, Webbased authentication can be mixed.
  • Profiling (detecting device type) and posture (health of an endpoint) is advanced license only
  • Maximum of 2000 endpoints if you’re using 1 ISE appliance with all roles
  • Maximum of 4000 endpoints (non-redundant) if you’re using 2 ISE appliances with all roles

If you’re using seperate nodes for the policy role, this are the maximum supported endpoints:

  • 3315: 3000 endpoints
  • 3355: 6000 endpoints
  • 3395: 10.000 endpoints

When colocating admin and monitoring roles together, only 5 policy nodes in your deployment are supported!
When you’re using seperate admin and monitoring roles, both redundant, maximum 40 policy nodes are supported with a maximum of 100.000 endpoints.
These are some more limitations:

  • 100.000 endpoints per ISE domain (deployment)
  • Max 5 or 40 policy nodes
  • Unlimited inline posture nodes

Performance
Performance of the deployment according Cisco, in authentications per second:

  • PAP: 1431
  • EAP-MD5: 600
  • EAP-TLS: 335 internal, 124 LDAP
  • LEAP: 455
  • MSCHAPv1: 1064 internal, 361 AD
  • MSCHAPv2: 1316 internal, 277 AD
  • PEAP-MSCHAPv2: 181
  • PEAP-GTC: 196 AD, 188 LDAP
  • FAST-MSCHAPv2: 192
  • GAST-GTC: 222
  • Guest (Web auth): 17

Bandwidth requirements:

  • Policy services and monitoring: 1Mb/s
  • Admin and monitoring: 256Kb/s
  • Endpoints and policy: 125 Kb/s per endpoint
  • Redundant monitoring pair: 256 Kb/s
  • Admin and policy: 256Kb/s

I’ll start with the basic installation of the ISE software in part 2 of this Cisco ISE blog series.

1 2