Cisco ISE Part 10: Profiling and posture
This is a Cisco ISE blog post series with some how-tos for configuring an ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, the last post in the Cisco ISE blog post series: Profiling and posture. Both features require the Cisco ISE Advanced license.
The profiler discovers, locates and determines the capabilities of the endpoints attached to the network. It identifies the endpoint type, and that type can then be used in the authorization policy. Keep in mind that the attributes profiling relies on (MAC address, DHCP options, CDP/LLDP, HTTP user agent) are supplied by the endpoint itself and can be spoofed, so a profile gives weaker assurance than an 802.1X identity and should be treated that way in the authorization rules.
A sensor in the network captures network packets or queries the NADs, and forwards the collected attributes to the analyzer. The analyzer evaluates the attributes against the profiling policies and identity groups. The result is stored in the ISE database with the corresponding device profile, and the MAC address of the device is linked to an existing endpoint identity group.
There are 9 available probes:
- Netflow
- DHCP
- DHCP SPAN
- HTTP
- RADIUS
- NMAP
- DNS
- SNMPQUERY
- SNMPTRAP
Profiling uses CoA (change of authorization). There are 3 options:
- No CoA: CoA is disabled
- Port bounce: use this only if there is a single session on the switchport (bouncing a port with a phone and a PC behind it drops both)
- Reauth: enforce reauthentication of a currently authenticated endpoint when it’s profiled
ISE creates three endpoint identity groups by default and two identity groups that are specific to Cisco IP phones. Creating extra groups is optional.
An endpoint profiling policy contains a simple condition or a set of conditions (a compound condition), each with its own certainty factor.
Configuring
Probe configuration
First, make sure the ISE appliance can reach the switches over SNMP (SNMPv2c or SNMPv3) with a read-only community string or user; the SNMPQUERY probe only needs read access. Prefer SNMPv3 with authentication and privacy, because an SNMPv2c community string crosses the network in clear text. Also configure an SNMP trap destination pointing to the Cisco ISE policy node:
Switch(config)# snmp-server host 172.20.12.5 version 3 priv ISE
Switch(config)# snmp-server enable traps snmp linkdown linkup
Switch(config)# snmp-server enable traps mac-notification change move
On all access interfaces:
Switch(config-if)# snmp trap mac-notification change added
The mac-notification traps also need MAC notification enabled globally with "mac address-table notification change" (not shown in the original configuration).
For DHCP probing, configure an additional IP helper on the client VLAN's SVI that points to the policy node, so the switch forwards a copy of every DHCP request to ISE:
Switch(config-if)# ip helper-address 172.20.12.5
Cisco ISE configuration
Click Administration – System – Settings, click Profiling and configure the CoA.
Click Administration – System – Deployment – Deployment. Choose the node and click edit. Select the Profiling configuration tab. Enable and configure the probes as needed.
Next, click: Administration – Network resources – Network devices and edit your switch. Scroll down and check/edit the SNMP settings.
To create a new policy: Click Policy – Profiling, choose Profiling policies and click Create.
Enter a name, a minimum certainty factor and an exception action. Add the needed rules with their certainty factors: the factors of all matching rules are added up, and the endpoint only matches the policy when the total reaches the minimum.
To check the discovered endpoints, click Administration – Identity management – identities – endpoints.
Monitor the authentication by clicking Monitor – Authentications.
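The following is an added example, not code from the original post or from Cisco ISE. It models the two halves described above in one run: the DHCP probe (sensor) pulling attributes out of a DHCP DISCOVER that the IP helper forwards to ISE, and the analyzer adding up certainty factors per profiling policy against a minimum. The attribute names, the two policies, the OUI, the DHCP fingerprints and the three sample frames are all constructed assumptions for illustration; the third frame shows why a minimum certainty factor that one forgeable attribute can reach is a weak profile.

```python
"""Added example, not code from the original post or from Cisco ISE: a
simplified model of the DHCP probe (sensor) feeding the profiler's
certainty-factor (CF) evaluation (analyzer).  Attribute names, policies,
OUIs and DHCP fingerprints below are illustrative assumptions."""

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie


def opt(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value


def build_dhcp_discover(mac: bytes, options: bytes) -> bytes:
    """Construct a minimal DHCP DISCOVER (sample input, not a real capture)."""
    fixed = (bytes([1, 1, 6, 0])            # op, htype, hlen, hops
             + b"\x00" * 24                 # xid, secs, flags, 4 addresses
             + mac + b"\x00" * 10           # chaddr (16 bytes)
             + b"\x00" * 192)               # sname + file
    return fixed + DHCP_MAGIC + options + b"\xff"


def parse_dhcp(frame: bytes) -> dict:
    """Sensor side: pull the attributes the profiler uses out of a DHCP frame."""
    if len(frame) < 240 or frame[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = frame[2]
    mac = frame[28:28 + hlen].hex(":").upper()
    attrs = {"MACAddress": mac, "OUI": mac[:8]}
    i = 240
    while i < len(frame) and frame[i] != 255:        # 255 = end option
        if frame[i] == 0:                            # 0 = pad
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        value = frame[i + 2:i + 2 + length]
        i += 2 + length
        if code == 12:
            attrs["dhcp-host-name"] = value.decode(errors="replace")
        elif code == 60:
            attrs["dhcp-class-identifier"] = value.decode(errors="replace")
        elif code == 55:
            attrs["dhcp-parameter-request-list"] = ",".join(str(b) for b in value)
    return attrs


OPERATORS = {
    "equals": lambda have, want: have == want,
    "contains": lambda have, want: want in have,
    "starts_with": lambda have, want: have.startswith(want),
}

# Illustrative policies: each rule is ((attribute, operator, value), CF).
PROFILING_POLICIES = [
    {"name": "Cisco-IP-Phone", "min_cf": 20, "rules": [
        (("OUI", "equals", "00:1B:54"), 10),                        # assumed Cisco OUI
        (("dhcp-class-identifier", "contains", "Cisco Systems, Inc. IP Phone"), 20),
    ]},
    {"name": "Windows-Workstation", "min_cf": 20, "rules": [
        (("dhcp-class-identifier", "starts_with", "MSFT"), 10),
        (("dhcp-parameter-request-list", "equals",
          "1,3,6,15,31,33,43,44,46,47,119,121,249,252"), 20),        # assumed Windows PRL
    ]},
]
# Same policies with the minimum raised so one forgeable attribute is not enough.
HARDENED_POLICIES = [dict(p, min_cf=30) for p in PROFILING_POLICIES]


def evaluate_policy(policy: dict, attrs: dict) -> int:
    """Analyzer side: sum the CF of every rule whose condition matches."""
    total = 0
    for (attr, op, want), cf in policy["rules"]:
        have = attrs.get(attr)
        if have is not None and OPERATORS[op](have, want):
            total += cf
    return total


def profile_endpoint(attrs: dict, policies=PROFILING_POLICIES) -> tuple:
    """Assign the policy with the highest CF that reaches its minimum, else Unknown."""
    best = ("Unknown", 0)
    for policy in policies:
        cf = evaluate_policy(policy, attrs)
        if cf >= policy["min_cf"] and cf > best[1]:
            best = (policy["name"], cf)
    return best


# Constructed sample frames (assumed MACs and fingerprints).
WINDOWS_PRL = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
PHONE_FRAME = build_dhcp_discover(
    bytes.fromhex("001b54112233"),
    opt(53, b"\x01") + opt(12, b"SEP001B54112233")
    + opt(60, b"Cisco Systems, Inc. IP Phone CP-7962G"))
LAPTOP_FRAME = build_dhcp_discover(
    bytes.fromhex("3c970eaabbcc"),
    opt(53, b"\x01") + opt(12, b"LAPTOP-01") + opt(60, b"MSFT 5.0") + opt(55, WINDOWS_PRL))
# A laptop that spoofs only the phone's DHCP class identifier.
SPOOF_FRAME = build_dhcp_discover(
    bytes.fromhex("3c970eaabbcc"),
    opt(53, b"\x01") + opt(60, b"Cisco Systems, Inc. IP Phone CP-7962G"))

if __name__ == "__main__":
    for name, frame in [("phone", PHONE_FRAME), ("laptop", LAPTOP_FRAME), ("spoof", SPOOF_FRAME)]:
        attrs = parse_dhcp(frame)
        print(name, attrs["MACAddress"], profile_endpoint(attrs),
              profile_endpoint(attrs, HARDENED_POLICIES))
```

With the default minimum of 20 the spoofing laptop is profiled as a Cisco IP phone on the strength of a single DHCP option; with the minimum raised to 30 it stays Unknown while the genuine phone and the Windows laptop still match. When tuning real ISE policies, aim for a minimum that no single endpoint-supplied attribute can reach on its own.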
Appendix
If you want to use the IOS device sensor feature (switch running IOS 15.0 or newer), so that the switch itself collects DHCP and CDP attributes and sends them to ISE in RADIUS accounting, use the following configuration. It requires RADIUS accounting to ISE to be configured on the switch. The original capture defined the DHCP filter list but never applied it; the "device-sensor filter-spec dhcp" line below is added so that both lists are actually used.
Switch(config)# device-sensor filter-list dhcp list dhcp-list
Switch(config-sensor-dhcplist)# option name host-name
Switch(config-sensor-dhcplist)# option name all-subnets-local
Switch(config-sensor-dhcplist)# option name trailer-encapsulation
Switch(config-sensor-dhcplist)# exit
Switch(config)# device-sensor filter-spec dhcp include list dhcp-list
Switch(config)# device-sensor filter-list cdp list CDP_LIST
Switch(config-sensor-cdplist)# tlv name device-name
Switch(config-sensor-cdplist)# tlv name address-type
Switch(config-sensor-cdplist)# tlv name platform-type
Switch(config-sensor-cdplist)# tlv name power-type
Switch(config-sensor-cdplist)# tlv name external-port-id-type
Switch(config-sensor-cdplist)# exit
Switch(config)# device-sensor filter-spec cdp include list CDP_LIST
Switch(config)# device-sensor accounting
Switch(config)# device-sensor notify all-changes
Posture
Posture is used to check inside a host for an installed antivirus, firewall, registry keys and so on. A NAC agent on the host is needed for this.
There are 3 modes:
- Audit (audit only)
- Optional (client can ignore the result)
- Mandatory
The most common conditions:
- Windows update
- Antivirus application installed
- Antivirus definitions up to date
- Windows screensaver password
- Registry entry
The NAC agent uses the SWISS protocol (UDP/8905), so make sure the client can reach the policy node on UDP/8905. A client can download the NAC agent from ISE (it's read-only software). There are agents for Windows and Mac OS X, and a web agent.
The provisioning flow:
- Client provisioning
- Posture subscription and policy
- Authorization policy
Make sure the ISE appliance is up to date with the latest posture updates. You can download them from the Cisco website with a CCO account. These updates are a set of predefined checks, rules and antivirus support charts, and they can also be downloaded automatically. Check this under Administration – System – Settings – Posture – Updates.
This was a 10-part blog post series about Cisco ISE. I hope you liked it!
I have 4 PSNs running, Should I have an IP Helper entry for each one on the SVI?
One IP helper is enough, but for redundancy two IP helpers are recommended.
Hello Rob, thanks for posting such nice details. I want to deploy guest access in my network, hence I'm looking for a design guide for it. Do you have any idea if we can do a hands-on lab about this? I have Cisco partner-level access. Do you think it's available there? Can you please advise? I want to get some hands-on skills now, please.
Thanks!
If you have partner access on the Cisco website, you also have access to dCloud (dcloud.cisco.com). There is an ISE 2.0 for BYOD and Guest management lab.
Thanks mate! I did look into the dCloud lab; there is not much for us to configure, it's more a pre-configured lab made for demo purposes. I am thinking of a way we can create our own setup, or do you know if we can tune the dCloud lab? Have you done this lab in the past and do you have a lab manual? Thanks!
You can completely rebuild the dCloud lab to fit your needs. It's not required to follow the lab guide.
Try to get your hands on a 90-day evaluation license if you want to create your own lab. See: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html
Sorry mate! Do you know how we can rebuild the dCloud lab please? Let's say I want to test the BYOD feature; how can we achieve that? Thanks for your help.
Just reconfigure ISE in dCloud to fit your needs. The dCloud lab is yours and you can reconfigure, click on anything and change everything you want.
Hey mate, do you know how to configure the endpoint router in dCloud please? I want to test some features. I did go through the dCloud docs, however I didn't get much information. Thanks.
I suggest opening a support ticket at dCloud for these kinds of questions. That is what they are for 🙂
I meant to ask you how to get user devices for the testing, like a test machine?