
Walking on solid ISE
Advanced use cases and deployment best practices

Fay-Ann Lee, Technical Marketing Engineer
Nicolas Darchis, Technical Leader Customer Delivery
Tue Frei Noergaard, Technical Solutions Architect
Eugene Korneychuk, Technical Leader Customer Delivery
Manfred Brabec, Technical Solutions Architect

TECSEC-3416
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

TECSEC-3416 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introducing Cisco Identity Services Engine (ISE)

A centralized security solution that automates context-aware access to network resources and shares contextual data

[Diagram: Physical (Network, Door) or VM → Identity → Profiling and Posture → Role-Based Policy → Access Network Resources]
Context collected: Who, What, When, Where, How, Compliant
Access use cases: Traditional Network, Cisco TrustSec®, Guest Access, BYOD Access, Role-Based Access, Secure Access
Context shared via the ISE pxGrid Controller
Your Team

Fay-Ann Lee, Technical Marketing Engineer
Nicolas Darchis, Technical Leader Customer Delivery
Tue Frei Noergaard, Technical Solutions Architect
Eugene Korneychuk, Technical Leader Customer Delivery
Manfred Brabec, Technical Solutions Architect (CCIE Security #13180, CCDE #20130028)

CCIE Wireless #25344, CCIE Security #42039, CCIE Security #43253, CCIE Security #13180, CCDE #20130028
Agenda
• Morning:
  • Introduction
  • Designing ISE Architectures – Manfred
  • Deploying Visibility with Profiling – Tue
  • Coffee Break (10:30 – 10:45)
  • ISE in Wired Networks – Tue
  • ISE in VPN Networks – Eugene
• Lunch Break (12:45 – 14:15)
• Afternoon:
  • ISE in Wireless Networks – Nicolas
  • Endpoint and corporate device Compliance – Eugene
  • Teatime (16:15 – 16:30)
  • RADIUS Optimizations – Nicolas
  • IDFW/SGFW with FTD/FMC – Manfred
  • Group-based Policies/Microsegmentation Everywhere – Fay-Ann
  • Conclusion
Disclaimer(s)

• Thanks to feedback from past years, we changed approach this time…
• This is not a presentation on every ISE feature
• This is a technical seminar on use cases and best practices for ISE deployments
• It includes ISE features, but also configuration examples for other network components (load balancers, switches, WLC, FTD, Cisco DNA Center, etc.)
• We are assuming that you already know the basics on ISE and where to navigate for menus
For your reference

• There are slides in your PDF that will not be presented, or quickly presented
• They are valuable, but included only “For your reference”
And as every year at Cisco Live…
…we may keep hoping for a better lunch break
Use case: ISE-Cream, Inc.

• Cool worldwide company
• HQ in Reykjavik, in Iceland
• 3 major ice-cold datacenters in EMEAR, US, and APJC
• 183 stores – all connected with high speed, low latency MPLS
• 5 factory sites with ice makers and robots for packaging
• Warehouses with pick-by-voice headsets for factory employees
• 35.000 Icelanders (aka users)
• Approx. 100.000 devices
Designing ISE Architectures

Manfred Brabec
Technical Solutions Architect Cybersecurity (EMEAR)
CCIE Security #13180, CCDE #20130028

TECSEC-3416
Use case: ISE-Cream, Inc. – Design of a NAC solution
• ISE-Cream, Inc. tried to implement a NAC solution 10 years ago – and they failed
• A real NAC solution based on 802.1X is required – every solution based on sensors only is ruled out
• The solution needs to be highly scalable, because they plan major acquisitions and want to expand to UGC 2885
• They want to understand the requirements and how to best deploy the solution in their production environment
• Help is needed on solution sizing and how to best get started
Node Types

▪ Policy Service Node (PSN)
  – Makes policy decisions
  – RADIUS/TACACS+ server & provides endpoint/user services
▪ Policy Administration Node (PAN)
  – Interface to configure policies and manage ISE deployment
  – Replication hub for all database config changes
▪ Monitoring & Troubleshooting Node (MnT)
  – Interface to reporting and logging
  – Destination for syslog from other ISE nodes and optionally NADs
▪ pxGrid Controller (PXG)
  – Facilitates sharing of information between network elements

All personas can run on a single host.
Standalone Deployment
All Personas on a Single Node: PAN, PSN, MnT, PXG

Maximum sessions – ISE Node platform dependent:
  3515 = Max. 7.5k sessions
  3615 = Max. 10k sessions
  3595 = Max. 20k sessions
  3655 = Max. 25k sessions
  3695 = Max. 50k sessions

[Diagram: one ISE Node running Policy Administration Node, Monitoring and Troubleshooting Node, Policy Service Node and pxGrid Node]
Basic 2-Node ISE Deployment (Redundant)
• Maximum sessions – 50,000 (platform dependent – same as standalone)
• Redundant sizing – 50,000 (platform dependent – same as standalone)

[Diagram: two ISE Nodes – Primary Admin / Secondary Admin, Primary Monitoring / Secondary Monitoring, Primary pxGrid Controller / Secondary pxGrid Controller]
Hybrid-Distributed Deployment
PAN + MnT on Same Appliances; PSNs on Dedicated Appliances

• 2 x (Admin + Monitoring + pxGrid)
• Max. 5 Policy Service Nodes
• Optional: Dedicate 2 of the 5 for pxGrid
• Max. sessions – Platform dependent
  ➢ 7,500 for 3515 as PAN+MnT
  ➢ 10,000 for 3615 as PAN+MnT
  ➢ 20,000 for 3595 as PAN+MnT
  ➢ 25,000 for 3655 as PAN+MnT
  ➢ 50,000 for 3695 as PAN+MnT

[Diagram: 2 x PAN+MnT+PXG nodes; up to 5 PSNs]
Dedicated-Distributed Persona Deployment
Dedicated Appliances for Each Persona: PAN, MnT, PXG, PSN
• 2 x Admin and 2 x Monitoring and up to 4 x pxGrid (optional)
• Max. PSNs (Platform dependent)
  ➢ 50 using 3595/3655/3695 as PAN and MnT
• Max. sessions (Platform dependent)
  ➢ 500k using 3595/3655/3695 as PAN and MnT
  ➢ 2M using 3695 as PAN and MnT (802.1X/MAB only)

[Diagram: dedicated PAN, MnT and PXG nodes plus a pool of PSNs]
PSN Node Variations
▪ TACACS+ (T+PSN)
  – TACACS+ server only
  – Heavy usage of scripts or NMS
▪ TC-NAC (TCNPSN)
  – Higher number of TC-NAC adapters
  – More IRF TPS / VAF TPM
▪ Guest (GPSN)
  – Guest Portal only
  – Large Scale Guest Deployment
▪ Cisco TrustSec (CTSPSN)
  – RADIUS server, but used for TrustSec functions only
  – Avoid overwhelming RADIUS PSN when pushing policies
▪ Security Group eXchange Protocol (SXPSN)
  – Max. 4 pairs
  – 200 peers / pair
▪ PassiveID (PIDPSN)
  – IDFW operations
  – Min. 2 for redundancy
ISE Licensing
2.4+

• Base/Plus/Apex – Band
• Device Admin – Node
• Virtual Machine – Multiple Sizes (S, M, L), license key based
Base License consumption
Concurrent/Active sessions

• MnT receives:

  RADIUS Authentication passed   RADIUS Accounting Start   RADIUS Accounting Stop   Session cleared after
  Y                              Y                         Y                        Accounting Stop*
  Y                              Y                         N                        120 hours (5 days)
  Y                              N                         N                        1 hour
  N                              N                         N                        N/A

* Actual clearance might take up to 15 mins. after terminated
Sizing Guidance and VM Preparation

Scaling by Deployment/Platform/Persona
Max. Concurrent Session Counts by Deployment Model/Platform (36XX)

• By Deployment

  Deployment Model                          Platform               Max. Active Sessions per Deployment   Max. # Dedicated PSNs / PXGs   Min. # Nodes (no HA) / Max. # Nodes (w/ HA)
  Standalone (all personas on same node)    3615                   10,000                                0                              1 / 2
                                            3655                   25,000                                0                              1 / 2
                                            3695                   50,000                                0                              1 / 2
  Hybrid (PAN+MnT+PXG on same node;         3615 as PAN+MnT        10,000                                5 / 2*                         2 / 7
  dedicated PSN)                            3655 as PAN+MnT        25,000                                5 / 2*                         2 / 7
                                            3695 as PAN+MnT        50,000                                5 / 4*                         2 / 7
  Dedicated (dedicated PAN and MnT nodes)   3655 as PAN and MnT    500,000                               50 / 4                         3 / 58
                                            3695 as PAN & MnT      500k (2M RADIUS only)                 50 / 4                         3 / 58

  * Each dedicated pxGrid node reduces PSN count by 1 (Medium deployment only)

• By PSN (Max. Active Sessions != Max. Endpoints; ISE supports 2M Endpoints, 802.1X/MAB ONLY)

  Scaling per PSN                                   Platform   Max. Active Sessions per PSN
  Dedicated Policy nodes                            SNS-3615   10,000
  (Max. Sessions gated by Total Deployment Size)    SNS-3655   50,000
                                                    SNS-3695   100,000
Sizing Production VMs to Physical Appliances
Summary

  Appliance used for sizing comparison   CPU # Cores   CPU Clock Rate (GHz)*   Memory (GB)   Physical Disk (GB)**
  SNS-3515                               6             2.4                     16            600
  SNS-3595                               8             2.6                     64            1,200
  SNS-3615                               8             2.1                     32            600
  SNS-3655                               12            2.1                     96            1,200
  SNS-3695                               12            2.1                     256           1,200/2,400

* Minimum VM processor clock rate = 2.0GHz per core (same as OVA)
** Actual disk requirement is dependent on persona(s) deployed and other factors – See slide on Disk Sizing

Warning: # Cores not always = # Logical processors / vCPUs due to Hyper-Threading (HT) *REQUIRED*
ISE Platform Properties
Minimum VM Resource Allocation for SNS35xx/36xx

  Minimum CPUs   Minimum RAM   Minimum Disk   Platform Profile
  2              16GB          200GB          EVAL
  12             16GB          200GB          SNS_3515
  16             64GB          200GB          SNS_3595
  16             256GB         200GB          “Large MnT” <custom>
  16             32GB          200GB          SNS_3615
  24             96GB          200GB          SNS_3655
  24             256GB         200GB          SNS_3695

Least Common Denominator used to set platform; e.g.: 4 cores, 16 GB RAM = EVAL
Small – 3615 & 3515; Medium – 3655 & 3595; Large – 3695
SNS35xx/36xx platforms require HT!
Why Do I Care?
Because memory, max. sessions, and other table spaces are based on Persona and Platform Profile
ISE Platform Sizing
Verify what ISE is seeing

• CPU:
  ise-cream/admin# show cpu
  processor : 0
  model : Intel Core i7 (Nehalem Class Core i7)
  speed(MHz): 3600.000
  cache size: 4096 KB

  processor : 1
  model : Intel Core i7 (Nehalem Class Core i7)
  speed(MHz): 3600.000
  cache size: 4096 KB

  processor : 2

• Memory:
  ise-cream/admin# show mem
  total memory: 16266056 kB
  free memory: 507652 kB
  cached: 2205732 kB
  swap-cached: 8856 kB
ISE Platform Detection
Verify if ISE detects proper VM resource allocation

• From CLI (here the node is detected as the Small profile):
  ise-cream/admin# show tech | begin "ISE Profile"
  Displaying ISE Profile ...
  *****************************************
  Profile : ucsSmall
  *****************************************

• From Admin UI:
  Operations > Reports > Diagnostics > ISE Counters > [node] (Under ISE Profile column)
ISE VM Disk Storage Requirements
Minimum Disk Space by Persona for Production

• Upper range sets #days MnT log retention
• Hardware appliance disk size: 1.2TB (3595/3655), 2.4TB (3695)
• Max. virtual appliance disk size: 1.99TB (<2.6), 2.4TB (2.6+)

  Persona                 Disk (GB)
  Standalone              600
  PAN only                600*
  MnT only                600
  PSN only                200
  PXG only                200
  PAN+MnT (+PXG)          600
  PAN+MnT+PSN (+PXG)      600

* Additional disk space is required to store local debug logs, staging files, and to handle log data during upgrade, when the Primary Administration Node temporarily becomes a Monitoring Node
VM Disk Allocation
CSCvc57684 – Incorrect MnT allocations if setup with VM disk resized to larger without ISO re-image
• ISE installed with OVA sized to 200GB is often sufficient for PSNs or pxGrid nodes, but not MnT
• No auto-resize of ISE partitions when disk space added after initial software install
• Requires re-image using .iso
• Alternatively: Start with a larger OVA

[Diagram: ISE installed from a 200GB OVA; 400GB added to the VM disk is accessible to the VM, but not to ISE – total ISE disk size stays 200GB]
Misconception: Just get bigger tank and ISE will grow into it!
MnT Node Log Storage Requirements for RADIUS
Days Retention Based on # Endpoints and Disk Size (For your reference)

                    Total Disk Space Allocated to MnT Node
  Total Endpoints   200 GB   400 GB   600 GB   1024 GB   2048 GB
  5,000             504      1007     1510     2577      5154
  10,000            252      504      755      1289      2577
  25,000            101      202      302      516       1031
  50,000            51       101      151      258       516
  100,000           26       51       76       129       258
  150,000           17       34       51       86        172
  200,000           13       26       38       65        129
  250,000           11       21       31       52        104
  500,000           6        11       16       26        52

Assumptions:
• 10+ auths/day per endpoint
• Log suppression enabled

Based on 60% allocation of MnT disk to RADIUS logging
RADIUS and TACACS+
MnT Log Allocation

• Administration > System > Maintenance > Operational Data Purging
• Total Log Allocation: 60% of total disk allocated to both RADIUS and TACACS+ for logging
• Purge @ 80% (First In-First Out)
• Optional archive of CSV to repository (e.g. isev.ise-cream.inc)

Example from the UI (M&T_PRIMARY): RADIUS : 217 GB, Days : 24
Default Retention 30 days
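The retention table two slides back and the purge settings on this slide follow from the same arithmetic: 60% of the MnT disk is reserved for RADIUS/TACACS+ logs, and the oldest days are purged once that allocation reaches 80%. The following is an added example written for this page, not Cisco's sizing tool or anything shipped with ISE. It assumes a RADIUS log volume of 50 KiB per endpoint per day, a constant I derived by fitting the deck's table (every cell reproduces with it under the stated assumptions of 10+ auths/day and log suppression); treat it as a sanity check for sizing, not as a vendor number. The function and constant names are mine.

```python
from collections import deque

# Constructed assumption (not stated in the deck): RADIUS log volume per endpoint
# per day. 50 KiB/endpoint/day reproduces every cell of the deck's retention
# table under its stated assumptions (10+ auths/day per endpoint, suppression on).
LOG_KIB_PER_ENDPOINT_PER_DAY = 50
RADIUS_LOG_SHARE_PCT = 60   # deck: 60% of MnT disk allocated to RADIUS/TACACS+ logging
PURGE_AT_PCT = 80           # deck: purge when the allocation reaches 80%, oldest first
KIB_PER_GIB = 1024 * 1024


def radius_log_allocation_kib(mnt_disk_gib: int) -> int:
    """Share of the MnT disk reserved for RADIUS logging, in KiB (integer arithmetic)."""
    return mnt_disk_gib * KIB_PER_GIB * RADIUS_LOG_SHARE_PCT // 100


def daily_radius_log_kib(endpoints: int) -> int:
    """Constructed daily log volume for a population of endpoints, in KiB."""
    return endpoints * LOG_KIB_PER_ENDPOINT_PER_DAY


def radius_retention_days(mnt_disk_gib: int, endpoints: int) -> int:
    """Whole days of RADIUS logs the allocation can hold (rounded up, as the table does)."""
    if mnt_disk_gib <= 0 or endpoints <= 0:
        raise ValueError("disk size and endpoint count must be positive")
    allocation = radius_log_allocation_kib(mnt_disk_gib)
    daily = daily_radius_log_kib(endpoints)
    return -(-allocation // daily)   # ceiling division without floats


def smallest_mnt_disk_for(endpoints: int, target_days: int,
                          sizes=(200, 400, 600, 1024, 2048)):
    """Smallest disk (GiB) from the deck's columns that meets a retention target, else None."""
    for size in sizes:
        if radius_retention_days(size, endpoints) >= target_days:
            return size
    return None


def simulate_fifo_purge(mnt_disk_gib: int, endpoints: int, days: int) -> int:
    """Ingest `days` days of logs and purge oldest-first whenever the RADIUS
    allocation exceeds the purge threshold. Returns how many days stay on disk,
    i.e. the retention you actually get once purging is active."""
    allocation = radius_log_allocation_kib(mnt_disk_gib)
    threshold = allocation * PURGE_AT_PCT // 100
    daily = daily_radius_log_kib(endpoints)
    on_disk = deque()   # one (day, size) entry per retained day, oldest first
    used = 0
    for day in range(days):
        on_disk.append((day, daily))
        used += daily
        while used > threshold and on_disk:   # first in, first out
            _, oldest = on_disk.popleft()
            used -= oldest
    return len(on_disk)


if __name__ == "__main__":
    # 250,000 endpoints on a 600 GiB MnT: the table says 31 days of capacity,
    # but with purge at 80% the node settles at 24 days of history.
    print(radius_retention_days(600, 250_000))
    print(simulate_fifo_purge(600, 250_000, days=60))
    print(smallest_mnt_disk_for(250_000, target_days=30))
```

The gap between the capacity figure and the purge-steady-state figure is the practical point: the deck's "Default Retention 30 days" is only met on the 600 GB column for 250,000 endpoints if you read the table at 100% of the allocation, whereas the FIFO purge keeps about 80% of it.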
ISE VM Disk Provisioning Guidance
• Please – No Snapshots!
• Snapshots NOT supported; no option to pause database prior to snapshot
• VMotion supported but storage motion not QA tested
• Recommend avoid VMotion due to snapshot restrictions
• Thin Provisioning supported
• Thick Provisioning highly recommended (especially for PAN and MnT)
• No specific storage media and file system restrictions
• For example, VMFS is not required and NFS allowed provided storage is supported by VMware and meets ISE I/O performance requirements

I/O Performance Requirements:
  ➢ Read 300+ MB/sec
  ➢ Write 50+ MB/sec

Recommended disk/controller:
  ➢ 10k+ RPM disk drives
  ➢ Supercharge with SSDs!
  ➢ Caching RAID Controller
  ➢ RAID mirroring (slower writes using RAID 5)
ISE VM Provisioning Guidance

• Use resource reservations (built into OVAs)
• Do NOT oversubscribe!

Customers with VMware expertise may choose to disable resource reservations and over-subscribe, but do so at own risk
VM Appliance Resource Validation Before Install

Validate VM Readiness BEFORE Install & Deploy
VM Appliance Resource Validation After Install
ISE continues to test I/O read/write performance on 3-hour intervals

  ise-cream/admin# show tech | begin "disk IO perf"
  Measuring disk IO performance
  *****************************************
  Average I/O bandwidth writing to disk device: 194 MB/second
  Average I/O bandwidth reading from disk device: over 1024 MB/second
  I/O bandwidth performance within supported guidelines
  Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
  314572800 bytes (315 MB) copied, 1.47342 s, 213 MB/s
  Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
  314572800 bytes (315 MB) copied, 0.0504592 s, 6.2 GB/s

Alarm generated if 24-hr average below requirements
Large MnT – Fast Access to Logs and Reports

[Screenshots: Live Logs / Live Sessions; Reports]
Large MnT
For Any Deployment where High-Perf MnT Operations Required

• Virtual Appliance Only option
• Requires Large VM License
• 3695 appliance specs
  • 12 cores @ 2GHz min (24000+ MHz) = 24 logical processors
  • 256GB RAM
  • Up to 2.4TB* disk w/ fast I/O
• Fast I/O Recommendations:
  • Disk Drives (10k/15k RPM or SSD)
  • Fast RAID w/Caching (ex: RAID 10)
  • More disks (ex: 8 vs 4)

* CSCvb75235 – DOC ISE VM installation can't be done if disk is greater than or equals to 2048 GB or 2 TB, fixed in 2.6
Bandwidth and Latency

• Bandwidth most critical between:
  • PSNs and Primary PAN (DB Replication)
  • PSNs and MnT (Audit Logging)
• Latency most critical between PSNs and Primary PAN

[Diagram: PAN and MnT pair with distributed PSNs; WLC and Switch send RADIUS to the PSNs]

Max. 300ms round-trip (RT) latency between PSNs and Primary PAN
RADIUS generally requires much less bandwidth and is more tolerant of higher latencies – Actual requirements based on many factors including # endpoints, auth rate and protocols
What if Distributed PSNs > 300ms RT Latency?

[Diagram: PSN sites within < 300 ms of the PAN and PSN sites beyond > 300 ms]
Option #1: Deploy Separate ISE Instances
Per-Instance Latency < 300ms

[Diagram: each region beyond the > 300 ms boundary gets its own PAN/MnT pair with local PSNs; WLCs and switches send RADIUS to the PSNs of their own instance, keeping every PSN < 300 ms from its PAN]
Option #2: Centralize PSNs
Where Latency < 300ms

[Diagram: remote switches send RADIUS across the WAN to PSNs located within < 300 ms of the PAN; no PSNs beyond the > 300 ms boundary]
ISE Bandwidth Calculator
ISE 2.x

Note: Bandwidth required for RADIUS traffic is not included. Calculator is focused on inter-ISE node bandwidth requirements

Available to customers @ https://communities.cisco.com/docs/DOC-64317
High Availability (HA) & Scaling

• ISE Appliance Redundancy
• ISE Node Redundancy

High-Availability
Appliance Redundancy
In-Box High Availability

  Platform                SNS-3615 (36x5 Small)     SNS-3655 (36x5 Medium)                       SNS-3695 (36x5 Large)
  Drive Redundancy        No – (1) 600GB disk       Yes – (4) 600-GB                             Yes – (8) 600-GB
  Controller Redundancy   No                        Yes – Level 10, Cisco 12G SAS Modular RAID   Yes – Level 10, Cisco 12G SAS Modular RAID
  Ethernet Redundancy     Yes* – 2 X 10Gbase-T,     Yes* – 2 X 10Gbase-T,                        Yes* – 2 X 10Gbase-T,
                          4 x 1GBase-T,             4 x 1GBase-T,                                4 x 1GBase-T,
                          Up to 3 bonded NICs       Up to 3 bonded NICs                          Up to 3 bonded NICs
  Redundant Power         No (2nd PSU optional)     Yes                                          Yes
                          UCSC-PSU1-770W
NIC Teaming
Network Card Redundancy

• For Redundancy only – NOT for increasing bandwidth
• Up to (3) bonds
• Bonded Interfaces Preset (Non-configurable)

  Bond 0: GE0 Primary, GE1 Backup
  Bond 1: GE2 Primary, GE3 Backup
  Bond 2: GE4 Primary, GE5 Backup
Teamed Interfaces for Redundancy
When GE0 is down, GE1 takes over

• Both interfaces assume the same L2 address
• When GE0 fails, GE1 assumes the IP address and keeps the communications alive
• Based on Link State of the Primary Interface
• Every 100 milliseconds the link state of the Primary is inspected

[Diagram: GE0 and GE1 sharing the same MAC address]
NIC Teaming
NIC Teaming / Interface Bonding
• Configured using CLI only!
• GE0 + GE1 Bonding Example:
  admin(config-GigabitEthernet0)# backup interface GigabitEthernet 1

• Requires service restart – after restart, ISE recognizes bonded interfaces for Deployment and Profiling; Guest requires manual config of eligible interfaces
• ISE Appliance Redundancy
• ISE Node Redundancy

High-Availability

Admin Node HA and Synchronization
PAN Steady State Operation

• Changes made to Primary Administration DB are automatically synced to all nodes
• Maximum two PAN nodes per deployment
• Active / Standby

[Diagram: Admin User connects to Admin Node (Primary); Policy Sync flows from the Primary to Admin Node (Secondary), the PSNs, Monitoring Node (Primary), Monitoring Node (Secondary) and PXG]
Admin Node HA and Synchronization
Primary PAN Outage and Recovery
• Upon Primary PAN failure, admin user can connect to Secondary PAN and manually promote Secondary to Primary; new Primary syncs all new changes
• PSNs buffer endpoint updates if Primary PAN unavailable; buffered updates sent once PAN available
• Promoting Secondary Admin may take 10-15 minutes before process is complete
• New Guest Users or Registered Endpoints cannot be added/connect to network when Primary Administration node is unavailable!

[Diagram: Admin User connects to Admin Node (Secondary) after the Primary fails; Policy Sync then flows from the promoted node to the PSNs, Monitoring Node (Primary), Monitoring Node (Secondary) and PXG]
Policy Service Survivability when Admin Down/Unreachable
Which User Services Are Available if Primary Admin Node Is Unavailable? (For your reference)

• RADIUS Auth – Works: Y. Generally all RADIUS auth should continue provided access to ID stores
• Guest – Works: N. All existing guests can be authenticated, but new guests, self-registered guests, or guest flows relying on device registration will fail
• Profiler – Works: Y. Previously profiled endpoints can be authenticated with existing profile. New endpoints or updates to existing profile attributes received by owner should apply, but not profile data received by PSN in foreign node group
• Posture – Works: Y. Provisioning/Assessment works, but Posture Lease unable to fetch timer
• Device Reg – Works: N. Device Registration fails if unable to update endpoint record in central DB
• BYOD/NSP – Works: N. BYOD/NSP relies on device registration. Additionally, any provisioned certificate cannot be saved to database
• MDM – Works: N. MDM fails on update of endpoint record
• CA/Cert Services – Works: N. See BYOD/NSP use case; certificates can be issued but will not be saved and thus fail. OCSP functions using last replicated version of database
• pxGrid – Works: N. Clients that are already authorized for a topic and connected to controller will continue to operate, but new registrations and connections will fail
• TACACS+ – Works: Y. TACACS+ requests can be locally processed per ID store availability
Automatic PAN Switchover
Health Check Node

• Primary PAN (PAN-1) down or network link down
• If Health Check Node unable to reach PAN-1 but can reach PAN-2 → triggers failover
• Secondary PAN (PAN-2) is promoted by Health Check Node
• PAN-2 becomes Primary and takes over PSN replication

[Diagram: DC-1 with MnT-1 (Primary), PAN-1 (Primary) and the Primary PAN Health Check Node; DC-2 across the WAN with PAN-2 (Secondary), MnT-2 (Secondary) and the Secondary PAN Health Check Node]

Don’t forget, after switchover admin must connect to PAN-2 for ISE management!
Note: Switchover is NOT immediate – total time based on polling intervals and promotion time; Expect ~15 - 30 minutes
PAN Failover
Health Check Node Configuration
• Configuration using GUI only under Administration > System > Deployment > PAN Failover

Health Check Node CANNOT be a PAN !!
Requires Minimum of 3 nodes – 3rd node is independent observer
HA for Monitoring and Troubleshooting
Steady State Operation

• MnT nodes concurrently receive logging from PAN, PSN, NAD, and ASA/FTD
• PAN retrieves log/report data from Primary MnT node when available
• Maximum two MnT nodes per deployment
• Active / Active

[Diagram: NADs, PAN, PSNs, PXG and FW send Syslog (20514) to both Monitoring Node (Primary) and Monitoring Node (Secondary); the Admin User retrieves MnT data through the PAN]
Syslog from access devices are correlated with user/device session
Syslog from ISE nodes are sent for session tracking and reporting
Syslog from firewall (or other user logging device) is correlated with guest session for activity logging
HA for Monitoring and Troubleshooting
Primary MnT Outage and Recovery
• Upon MnT node failure, PAN, PSN, NAD, and ASA/FTD continue to send logs to remaining MnT node
• PAN auto-detects Active MnT failure and retrieves log/report data from Secondary MnT node
• Full failover to Secondary MnT may take from 5-15 min depending on type of failure

[Diagram: same topology with Monitoring Node (Primary) failed; all Syslog (20514) from NADs, PAN, PSNs, PXG and FW reaches only Monitoring Node (Secondary), from which the PAN serves MnT data to the Admin User]

• PSN logs are not locally buffered when MnT down unless use TCP/Secure Syslog
• Log DB is not synced between MnT nodes
• Upon return to service, recovered MnT node will not include data logged during outage
• Backup/Restore required to re-sync MnT database
Log Buffering
TCP and Secure Syslog Targets <2.6

• Default UDP-based audit logging does not buffer data when MnT is unavailable
• TCP and Secure Syslog options can be used to buffer logs locally
• Note: Overall log performance will decrease if you use these acknowledged options
RabbitMQ
A new type of architecture for ISE messaging services

• Move forward in terms of robustness, reliability, scalability and code quality
• Introduced in 2.6 for Secure Syslog (WAN survivability)
Syslogs over ISE Messaging
WAN survivability and securing Syslog using RabbitMQ

• Syslogs can use secure ISE Messaging instead of UDP
• Messages buffered on PSN while MnT is down
• MnT WAN Survivability period is ~2.5 hours (4GB queue limit)
• Disabled by default in ISE 2.6
• Enabled by default in ISE 2.7 (2.6p2)
HA for pxGrid v1
Steady State

• Max. two pxGrid v1 nodes per deployment (Active/Standby)
• pxGrid clients can be configured with up to 2 servers for redundancy
• Clients connect to single active controller for given domain

[Diagram: pxGrid Clients (Publishers) – Primary PAN, Primary MnT, Secondary PAN, Secondary MnT – publish to the Active pxGrid Controller (ports shown: TCP/12001, TCP/5222); a Standby pxGrid Controller waits; the pxGrid Client (Subscriber) connects to the Active controller over TCP/5222]

PAN Publisher Topics:
• TrustSec/SGA
• Endpoint Profile
• ANC (EPS)

MnT Publisher Topics:
• Session Directory
• Identity Group
HA for pxGrid v1
Failover and Recovery

• Max. two pxGrid v1 nodes per deployment (Active/Standby)
• If active pxGrid Controller fails, clients automatically attempt connection to standby controller

[Diagram: same publishers (Primary/Secondary PAN and MnT), topics and ports (TCP/12001, TCP/5222) as in the steady-state picture; the pxGrid Client (Subscriber) re-connects over TCP/5222 to the Standby controller once the Active one fails]

PAN Publisher Topics: TrustSec/SGA, Endpoint Profile, ANC (EPS)
MnT Publisher Topics: Session Directory, Identity Group
HA for pxGrid v2
Steady State

• Max. four pxGrid v2 nodes per deployment (All Active)
• pxGrid clients can be configured with multiple servers for redundancy
• Clients connect to single active controller for given domain

[Diagram: pxGrid Clients (Publishers) – Primary PAN, Primary MnT, Secondary PAN, Secondary MnT – publish to Active pxGrid Controller #1 and Active pxGrid Controller #2 (ports shown: TCP/12001, TCP/5222); pxGrid Client #1 and pxGrid Client #2 (Subscribers) connect over TCP/8910]

PAN Publisher Topics: TrustSec/SGA, Endpoint Profile, ANC (EPS)
MnT Publisher Topics: Session Directory, Identity Group
pxGrid scaling numbers
pxGrid Scaling per Dedicated pxGrid Node

  Platform   Max. pxGrid v1 Subscribers per pxGrid node   Max. pxGrid v2 Subscribers per pxGrid node
  3515       15                                           200
  3595       25                                           200
  3615       15*                                          220
  3655       25*                                          230
  3695       25*                                          250

Max. publish rate is dependent on total deployment type
Scaling ISE Services

• Policy and Service Scale
• MnT – Optimize Logging and Noise Suppression
• Load Balancing – Why and how?
• Load balancing with a load balancer
• Load balancing without load balancer
ISE Personas and Services
Enable Only What Is Needed !!

• ISE Personas:
  • PAN
  • MnT
  • PSN
  • PXG

• PSN Services (Session Services include base user services such as RADIUS, Guest, Posture, MDM, BYOD/CA):
  • Session
  • Profiling
  • TC-NAC services
  • ISE SXP
  • Device Admin (TACACS+)
  • Passive Identity (Easy Connect)

• Avoid unnecessary overload of PSN
• Some services should be dedicated to one or more PSNs
Search Speed Test

• Find the object where…
  • Total stars = 10
  • Total green stars = 4
  • Total red stars = 2
  • Outer shape = Red Triangle
Auth Policy Optimization
Bad Example

• Policy Logic:
  o First Match, Top Down
  o Skip Rule on first negative condition match
• More specific rules generally at top
• Try to place more “popular” rules before less used rules

Condition order in the bad example:
1. AD Groups
2. AD Attributes
3. MDM
4. Certificate
5. ID Group
6. SQL Attributes
7. Auth Method
8. Endpoint Profile
9. Location
Auth Policy Optimization
Better Example!

Block 1
  1. Location
  2. Auth Method
Block 2
  3. Endpoint Profile
Block 3
  4. AD Groups
  5. AD Attributes
  6. ID Group
  7. Certificate
Block 4
  8. SQL Attributes
  9. MDM
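To make the "first match, top down, skip rule on first negative condition" logic concrete, here is an added example written for this page; it is not ISE code and the rules, sessions and costs in it are constructed. It evaluates a small policy twice: once with conditions checked in the deck's bad order (external AD/SQL/MDM lookups first) and once with cheap locally-available attributes (Location, Auth Method, Endpoint Profile) first and the most-hit rules moved to the top. The per-condition costs are hypothetical relative weights, not measured numbers; the names COST, BAD_ORDER, HITS and SESSIONS are mine.

```python
from dataclasses import dataclass

# Hypothetical relative cost per condition type (constructed, not from the deck):
# attributes already in the RADIUS request or the local endpoint DB are cheap,
# anything needing an external identity-store round trip is expensive.
COST = {
    "Location": 1, "Auth Method": 1, "Endpoint Profile": 2, "ID Group": 3,
    "Certificate": 3, "AD Groups": 10, "AD Attributes": 10,
    "SQL Attributes": 10, "MDM": 15,
}
# The condition order the deck calls the "bad example".
BAD_ORDER = ["AD Groups", "AD Attributes", "MDM", "Certificate", "ID Group",
             "SQL Attributes", "Auth Method", "Endpoint Profile", "Location"]


@dataclass
class Rule:
    name: str
    conditions: dict   # attribute -> required value; all must match
    result: str


@dataclass
class Stats:
    lookups: int = 0   # conditions evaluated
    cost: int = 0      # weighted cost of those evaluations


def evaluate(policy, session, stats, order_key):
    """First match, top down. A rule is abandoned at its first failing condition,
    so the order in which a rule's conditions are checked decides how much work
    a non-matching rule costs. `order_key` sorts the conditions of each rule."""
    for rule in policy:
        matched = True
        for attr in sorted(rule.conditions, key=order_key):
            stats.lookups += 1
            stats.cost += COST[attr]
            if session.get(attr) != rule.conditions[attr]:
                matched = False
                break                      # skip rule on first negative condition
        if matched:
            return rule.result
    return "DenyAccess"                    # nothing matched: implicit default


# Constructed authorization rules for the ISE-Cream scenario.
RULES = [
    Rule("HQ-Employees", {"AD Groups": "Employees", "Location": "HQ",
                          "Auth Method": "EAP-TLS"}, "Employee_Access"),
    Rule("Store-POS", {"Endpoint Profile": "POS", "Location": "Store",
                       "Auth Method": "MAB"}, "POS_Access"),
    Rule("Factory-Robot", {"Endpoint Profile": "Robot", "Location": "Factory",
                           "Auth Method": "MAB"}, "Robot_Access"),
]
# Constructed hit counts from a previous reporting window ("popular" rules first).
HITS = {"Store-POS": 600, "Factory-Robot": 250, "HQ-Employees": 150}
# Constructed sessions, as the attributes a PSN would have resolved for each.
SESSIONS = [
    {"Location": "Store", "Auth Method": "MAB", "Endpoint Profile": "POS"},
    {"Location": "Factory", "Auth Method": "MAB", "Endpoint Profile": "Robot"},
    {"Location": "HQ", "Auth Method": "EAP-TLS", "AD Groups": "Employees"},
]


def run(policy, order_key):
    stats = Stats()
    results = [evaluate(policy, s, stats, order_key) for s in SESSIONS]
    return results, stats


def bad_policy():
    """Rules in authoring order, conditions checked expensive-first."""
    return run(RULES, BAD_ORDER.index)


def optimized_policy():
    """Most-hit rules first, conditions checked cheapest-first."""
    by_popularity = sorted(RULES, key=lambda r: HITS[r.name], reverse=True)
    return run(by_popularity, lambda a: (COST[a], a))


if __name__ == "__main__":
    for label, fn in (("bad", bad_policy), ("optimized", optimized_policy)):
        results, stats = fn()
        print(f"{label:9s} results={results} lookups={stats.lookups} cost={stats.cost}")
```

Both orderings return identical authorization results, and in this sample they even evaluate the same number of conditions; the difference is that the optimized order spends that work on cheap attributes and only reaches the AD lookup for the session that actually needs it, which is the point of the "better example" blocks.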
Dynamic Variable Substitution
Rule Reduction

• Match conditions to unique values stored per-User/Endpoint in internal or external ID stores (AD, LDAP, SQL, etc.)
• ISE supports custom User and Endpoint attributes
• Authorization Policy Conditions
• Authorization Profile Conditions

[Diagram: Authorization Policy and Authorization Profile conditions referencing an ID Store Attribute]
Auth Policy Scale

• Max. Policy Sets = 200


• Max. Authentication Rules = 1000
• Max. Authorization Rules = 3000
• Max. Authorization Profiles = 3200
• Max. User Identity Groups = 1000

TrustSec Scaling

• Max. Security Groups (SGs) = 10000


• Max. SGACLs = 1000
• Max. IP-SGT Static Bindings (over SSH) = 10000
• Max. NADs with TrustSec CoA (Standalone Deployment) = 100

ISE SXP HA
• ISE supports pairs of SXP PSNs (SXPSNs) where both nodes are configured for the same mappings and peers
• Each SXPSN in a pair processes and “speaks” the same bindings to the same peers
  - SXP Listeners receive duplicate bindings (not an issue)
• ISE supports four pairs of SXPSNs with bindings to different peers (which can be controlled via SXP Domains)
• SXP Domains provide horizontal scaling as well as control over which nodes get bindings. A binding that does not match a specific domain goes to the default domain; nodes not mapped to any domain are dropped
• Configure SXP under PSN services. A total of 8 PSNs can be configured with SXP (four pairs)
• No validation or hard limit on the number of PSNs configured for ISE SXP
SXPSN Scaling

Deployment Type      SXPSN Pairs     Max. SXP Peers   Max. ISE SXP Bindings
Standalone (Small)   0 (shared)      30               10,000
Hybrid (Medium)      0 (shared)      200              10,000
Hybrid (Medium)      1 (dedicated)   220              20,000
Distributed (Large)  1               200              350,000
Distributed (Large)  2               400              700,000
Distributed (Large)  3               600              1,050,000
Distributed (Large)  4               800              1,400,000

Maximum SXP bindings - platform dependent:
3515 = Max. 200k bindings
3615 = Max. 200k bindings
3595 = Max. 350k bindings
3655 = Max. 350k bindings

• SXP Domains allow the splitting of bindings across multiple SXPSNs
• Max. dynamic bindings limited by max. RADIUS session scale
Cisco Community Page on Sizing and Scalability
https://communities.cisco.com/docs/DOC-68347
Scaling ISE Services: MnT - Optimize Logging and Noise Suppression
The Fall-out from the Mobile Explosion and IoT
▪ Explosion in number and type of endpoints on the network
▪ High auth rates from mobile devices — many personal (unmanaged)
  – Short-lived connections: Continuous sleep/hibernation to conserve battery power, roaming, …
▪ Misbehaving supplicants: Unmanaged endpoints from numerous mobile vendors may be misconfigured, missing root CA certificates, or running less-than-optimal OS versions
▪ Misconfigured NADs — often timeouts too low & misbehaving clients go unchecked/not throttled
▪ Misconfigured Load Balancers — Suboptimal persistence and excessive RADIUS health probes
▪ Increased logging from Authentication, Profiling, NADs, Guest Activity, …
▪ End user behavior when above issues occur
▪ Bugs in client, NAD, or ISE

“5411 No response received during 120 seconds on last EAP message sent to the client”
Challenge: How to reduce the flood of log messages while increasing PSN and MnT capacity and tolerance
Getting More Information With Less Data
Scaling to Meet Current and Next Generation Logging Demands

Rate Limiting at Source (Switch / WLC / Load Balancer):
• Switch: Reauth period, Quiet-period 5 min, Held-period / Exclusion 5 min; reauth phones; quiet period for unknown users
• WLC: Quiet period, Client Exclusion for roaming and misbehaving supplicants
• Load Balancer: Heartbeat (health probe) frequency

Filtering at Receiving Chain (PSN -> MnT):
• PSN: Detect and reject misbehaving clients; Log Filter; reject bad supplicant; filter LB health probes from logging
• MnT: Count and discard repeated events; count and discard untrusted events; count and discard repeats and unknown NAD events
Ways to improve scaling at NADs
Covered in the Wireless and RADIUS sections

• Timers
• EAP Session Resume
• Fast Reconnect
• Stateless Session Resume

PSN Noise Suppression and Smarter Logging
How can PSN help out with better MnT logging & scaling?

• PSN Collection Filters
• PSN Misconfigured Client Dynamic Detection and Suppression
• PSN Accounting Flood Suppression
• Detect Slow Authentications
• Enhanced Handling for EAP sessions dropped by supplicant or Network Access Server (NAS)
• Failure Reason Message and Classification
• Identify RADIUS Request from Session Started on another PSN

PSN functions: detect and reject misbehaving clients, Log Filter, reject bad supplicant, filter health probes from logging
MnT Log Suppression and Smarter Logging
What could I do to improve MnT logging?

• Drop duplicates and increment counter in Live Log for “matching” passed authentications
• Display repeat counter to Live Sessions entries
• Update session, but do not log RADIUS Accounting Interim Updates
• Log RADIUS Drops and EAP timeouts to separate table for reporting purposes and display as counters on Live Log Dashboard along with Misconfigured Supplicants and NADs
• Alarm enhancements
• Revised guidance to limit syslog at the source
• MnT storage allocation and data retention limits
• More aggressive purging
• Allocate larger VM disks to increase logging capacity and retention

MnT functions: count and discard repeated events, count and discard untrusted events, count and discard repeats and unknown NAD events
PSN Collection Filters
Static Client Suppression

• PSN static filter based on a single attribute:
  • User Name
  • Policy Set Name
  • NAS IP Address
  • Device IP Address
  • MAC Address
• Filter Messages Based on Auth Result:
  • Filter All
  • Filter Passed
  • Filter Failed
  • Bypass Suppression
• Select Messages to Bypass Suppression for failed auth @PSN and successful auth @MnT
PSN Filtering and Noise Suppression
Dynamic Client Suppression
Administration > System > Settings > Protocols > RADIUS

Flag misconfigured supplicants for same auth failure within specified interval and stop logging to MnT
• Suppression Time Interval (Ts)

Send alarm with failure statistics
• Report Time Interval (Tr) (valid time ranges apply)

Each endpoint tracked by:
• Calling-Station-ID (MAC Address)
• NAS-IP-Address (NAD address)
• Failure reason

Including 2 failures above (repeated failed client)

Send immediate Access-Reject (do not even process request) IF:
1) Flagged for suppression
2) Fail auth total X times for same failure reason
• Rejection Time Interval (Tx)

Fully process next request after rejection period expires
Client Suppression and Reject Timers
Endpoint -> Access Device -> PSN -> MnT

Detection:
t = T0   802.1X Request (12321 Cert Rejected)       -> Failed Auth Log
t = T1   MAB Request (22056 Subject not found)      -> Failed Auth Log
t = T2   802.1X Request (12321 Cert Rejected)       -> Failed Auth Log; T2 < Ts: 2 failures! -> suppression starts
         (Ts = Suppression Time Interval)

Suppression:
t = T3   MAB Request                                -> not logged; Report 5434 to MnT
t = T4   802.1X Request                             -> not logged
t = T5   MAB Request                                -> after Tr: Report 5434 (Tr = Report Time Interval)
t = T6   802.1X Request                             -> not logged
t = T7   802.1X Request                             -> total 5 failures of same type! -> Reject; Report 5449

Rejection:
t = T8   Auth Request                               -> Access-Reject (not processed)
t = T9   Auth Request                               -> Access-Reject; after Tr: Report 5449
t = T10  Auth Request                               -> Access-Reject; Report 5449 (Tx = Rejection Time Interval)

Release (after Tx expires):
         Auth Request                               -> processed; Successful Auth Log
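The timeline above replayed in Python, as an added example (a constructed model of the slide's behaviour, not ISE code): failures are tracked per Calling-Station-ID, NAS-IP-Address and failure reason; the second same-reason failure inside Ts flags the client, reports go out every Tr, the X-th failure opens an Access-Reject window of Tx, and the first request after Tx is processed fully. The timer values, X = 5, the endpoint/NAD addresses and the action names are assumptions for the simulation; 5434 and 5449 are the report codes from the slide.

```python
"""Model of ISE dynamic client suppression and its Ts / Tr / Tx timers.
Constructed simulation of the behaviour shown on the slide, not ISE code;
5434 and 5449 are the report codes from the slide, other names are this example's own."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SuppressionConfig:
    ts: float          # Suppression Time Interval: repeated failures inside Ts flag the client
    tr: float          # Report Time Interval: how often a summary report goes to MnT
    tx: float          # Rejection Time Interval: how long Access-Reject is sent without processing
    reject_after: int  # X: same-reason failures before immediate Access-Reject


@dataclass
class FailureTrack:
    times: list = field(default_factory=list)   # failure timestamps for one (MAC, NAD, reason)
    suppressed: bool = False
    last_report: float = 0.0


@dataclass
class RejectState:
    until: float        # end of the Tx window
    last_report: float


class ClientSuppressor:
    def __init__(self, cfg: SuppressionConfig):
        self.cfg = cfg
        self.tracks: dict = {}    # (mac, nas_ip, reason) -> FailureTrack
        self.rejected: dict = {}  # (mac, nas_ip) -> RejectState

    def _clear(self, ep):
        self.tracks = {k: v for k, v in self.tracks.items() if k[:2] != ep}

    def request(self, t: float, mac: str, nas_ip: str, outcome: Optional[str]) -> list:
        """One RADIUS request at time t from (Calling-Station-ID, NAS-IP-Address).
        outcome is None if the PSN would pass it, else the failure reason code (e.g. "12321").
        Returns the actions the PSN takes, in order."""
        ep = (mac, nas_ip)
        actions = []
        rs = self.rejected.get(ep)
        if rs is not None:
            if t < rs.until:
                actions.append("ACCESS_REJECT")       # answered without processing the request
                if t - rs.last_report >= self.cfg.tr:
                    rs.last_report = t
                    actions.append("REPORT_5449")
                return actions
            del self.rejected[ep]                      # Tx expired: release and process fully
            self._clear(ep)
            actions.append("RELEASED")
        if outcome is None:
            self._clear(ep)                            # a pass resets the failure history
            actions.append("LOG_PASS")
            return actions
        track = self.tracks.setdefault(ep + (outcome,), FailureTrack())
        if not track.suppressed:
            track.times = [x for x in track.times if t - x < self.cfg.ts]  # only failures inside Ts count
        track.times.append(t)
        if not track.suppressed:
            actions.append("LOG_FAIL")                 # still logged to MnT before flagging
            if len(track.times) >= 2:                  # second same-reason failure inside Ts
                track.suppressed = True
                track.last_report = t
                actions.append("FLAGGED")
            return actions
        actions.append("SUPPRESSED")                   # counted, not logged
        if len(track.times) >= self.cfg.reject_after:
            self.rejected[ep] = RejectState(until=t + self.cfg.tx, last_report=t)
            actions += ["REJECT_START", "REPORT_5449"]
        elif t - track.last_report >= self.cfg.tr:
            track.last_report = t
            actions.append("REPORT_5434")
        return actions


def demo():
    """Replay the slide's timeline with constructed timer values (seconds) and X = 5."""
    cfg = SuppressionConfig(ts=60, tr=15, tx=60, reject_after=5)
    s = ClientSuppressor(cfg)
    mac, nad = "00:C0:FF:1A:2B:3C", "10.1.50.2"   # constructed endpoint and NAD
    events = [(0, "12321"), (10, "12321"), (20, "12321"), (30, "12321"), (40, "12321"),
              (50, None), (70, None), (110, None)]
    return [(t, s.request(t, mac, nad, o)) for t, o in events]


if __name__ == "__main__":
    for t, acts in demo():
        print(f"t={t:>3}s  {', '.join(acts)}")
```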
PSN Noise Suppression
Drop Excessive RADIUS Accounting Updates from “Misconfigured NADs”
Administration > System > Settings > Protocols > RADIUS

Allow 2 RADIUS Accounting Updates for same session in specified interval, then drop
MnT Noise Suppression
Suppress Storage of Repeated Successful Auth Events
Administration > System > Settings > Protocols > RADIUS

Suppress Successful Reports = Do not save repeated successful auth events (last 24 hours) for the same session to MnT DB

These events will not display in Live Authentications Log, but do increment Repeat Counter
MnT Noise Suppression
Suppress Storage of Repeated Successful Auth Events
Administration > System > Settings > Protocols > RADIUS

Step latency is visible in Live Logs details:

12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method
15041 Evaluating Identity Policy (Step latency=1048 ms)
15006 Matched Default Rule
15013 Selected Identity Source - Internal Users
24430 Authenticating user against Active Directory
24454 User authentication against Active Directory failed because of a timeout error (Step latency=30031 ms)
24210 Looking up User in Internal Users IDStore - test1
24212 Found User in Internal Users IDStore
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5411 Supplicant stopped responding to ISE (Step latency=120001 ms)

Detect NAD retransmission timeouts and Log auth steps > threshold
ISE Log Suppression
“Good”-put Versus “Bad”-put

Inputs to PSN:
• “Good” Auth Requests
• Incomplete Auth Requests
• “Bad” Auth Requests
• RADIUS Accounting updates (not IP change)

Outcomes (PSN -> MnT):
• RADIUS Accounting
• Rejected
• Successful Auth Suppressed
• Failed Auth Suppressed
• RADIUS Drops Suppressed
• Accounting Updates Suppressed
Visibility into Reject Endpoints!

Releasing Rejected Endpoints
Query/Release Rejected also available via ERS API!

No Log Suppression vs. With Log Suppression
Scaling ISE Services: Load Balancing – Why and how?
Load Balancing RADIUS, Web, and Profiling Services
• Policy Service nodes can be configured in a cluster behind a load balancer (LB)
• Access Devices send RADIUS and TACACS+ AAA requests to LB virtual IP
• N+1 node redundancy assumed to support total endpoints during:
  – Unexpected server outage
  – Scheduled maintenance
  – Scaling buffer
• HA for LB itself assumed

Network Access Devices / VPN -> Load Balancers (Virtual IP) -> PSNs (User Services)
Scaling ISE Services: Load balancing with a load balancer
Configure Node Groups for LB Cluster
Place all PSNs in LB Cluster in Same Node Group
• Administration > System > Deployment
  1) Create node group
  2) Assign name
  3) Add individual PSNs to node group
• Node group members can be L2 (recommended) or L3
• Node group members should assume high-speed (GE) LAN connectivity with minimal latency
• Multicast not required
High-Level Load Balancing Diagram

End User/Device -> Access Device (NAS IP: 10.1.50.2) -> Load Balancer (VIP: 10.1.98.8 on VLAN 98, 10.1.98.0/24; LB: 10.1.99.1 on VLAN 99, 10.1.99.0/24) -> PSNs
• ISE-PSN-1: 10.1.99.5
• ISE-PSN-2: 10.1.99.6
• ISE-PSN-3: 10.1.99.7
Also present: ISE-PAN-1, ISE-PAN-2, ISE-MnT-1, ISE-MnT-2, External Logger, DNS, NTP, AD, LDAP, SMTP, MDM
Load Balancing RADIUS
Sample Flow
VLAN 98 (10.1.98.0/24) | VLAN 99 (10.1.99.0/24)
User -> Access Device -> Load Balancer (VIP: 10.1.98.8) -> PSN-CLUSTER: ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6), ISE-PSN-3 (10.1.99.7)

radius-server host 10.1.98.8

1. NAD has single RADIUS Server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for same endpoint load balanced to same PSN via sticky based on RADIUS Calling-Station-ID and optionally Framed-IP-Address
4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)
5. RADIUS Accounting sent to/from same PSN based on sticky (RADIUS ACCTG request to 10.1.98.8, RADIUS ACCTG response from 10.1.98.8)
Allow Source NAT for PSN CoA Requests
Simplifying Switch CoA Configuration

• Match traffic from PSNs to UDP/1700 or UDP/3799 (RADIUS CoA) and translate to PSN cluster VIP
  (a CoA with SRC=10.1.99.5 from ISE-PSN-1 leaves the Load Balancer toward the Access Switch with SRC=10.1.98.8)
• Access switch config:

Before (one entry per PSN):
aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
 client 10.1.99.8 server-key cisco123
 client 10.1.99.9 server-key cisco123
 client 10.1.99.10 server-key cisco123
 <…one entry per PSN…>

After:
aaa server radius dynamic-author
 client 10.1.98.8 server-key cisco123
Load Balancer Persistence (Stickiness) Guidelines
Persistence Attributes
• Common RADIUS Sticky Attributes
  o Client Address
    ➢ Calling-Station-ID (e.g. MAC Address=00:C0:FF:1A:2B:3C)
    ➢ Framed-IP-Address (e.g. IP Address=10.1.10.101)
  o NAD Address
    ➢ NAS-IP-Address (e.g. 10.1.50.2)
    ➢ Source IP Address
  o Session ID
    ➢ RADIUS Session ID
    ➢ Cisco Audit Session ID (e.g. Session: 00aa…99ff)
  o Username (e.g. [email protected])

Access Device -> Load Balancer (VIP: 10.1.98.8) -> ISE-PSN-1 / ISE-PSN-2 / ISE-PSN-3

• Best Practice Recommendations (depends on LB support and design)
  1. Calling-Station-ID for persistence across NADs and sessions
  2. Source IP or NAS-IP-Address for persistence for all endpoints connected to same NAD
  3. Audit Session ID for persistence across re-authentications
LB Fragmentation and Reassembly
Be aware of load balancers that do not reassemble RADIUS fragments!
Also watch for fragmented packets that are too small. LBs have a minimum allowed fragment size and will drop smaller fragments!!!

• Example: EAP-TLS with large certificates
  IP RADIUS w/BigCert -> IP Fragment #1 (Calling-Station-ID + Certificate Part 1) and IP Fragment #2 (Certificate Part 2)
  – LB on Calling-Station-ID: Frag1 and Frag2 may be sent to different PSNs (no Calling-Station-ID in the RADIUS packet fragment #2)
  – LB on Source IP: both fragments reach the same PSN
• Need to address path fragmentation or persist on source IP
• ACE reassembles RADIUS packet
• F5 LTM reassembles packets by default except for FastL4 Protocol
  • Must be manually enabled under the FastL4 Protocol Profile
• Citrix NetScaler fragmentation defect — Resolved in NetScaler 10.5 Build 50.10
  • Issue ID 429415 addresses fragmentation and the reassembly of large/jumbo frames
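An added Python model (not from the slides) of the fragmentation problem above: a RADIUS Access-Request carrying a large EAP-Message is split into IP fragments, and only the first fragment contains the RADIUS header and the Calling-Station-ID attribute, so an LB that persists on Calling-Station-ID without reassembling has no key for the later fragments, whereas source-IP persistence keeps every fragment on one PSN. The PSN names, NAS address, MTU and attribute sizes are assumptions for the example.

```python
"""Why LB persistence on Calling-Station-ID breaks when RADIUS is IP-fragmented and the
load balancer does not reassemble. Constructed model: a RADIUS Access-Request carrying a
large EAP-Message (as with EAP-TLS and big certificates) is split into IP fragment payloads."""
from __future__ import annotations
import hashlib
import struct

PSNS = ["ise-psn-1", "ise-psn-2", "ise-psn-3"]   # real servers behind the VIP (constructed)
MTU_PAYLOAD = 1472                                # UDP bytes that fit one 1500-byte frame
CALLING_STATION_ID, EAP_MESSAGE = 31, 79          # RADIUS attribute types


def radius_attr(code: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type (1 byte), length incl. header (1 byte), value."""
    return struct.pack("BB", code, len(value) + 2) + value


def build_access_request(mac: str, eap_len: int) -> bytes:
    """Access-Request (code 1): Calling-Station-ID first, then EAP-Message chunks of up to
    253 bytes. The 16-byte authenticator is zeroed; only the framing matters here."""
    attrs = radius_attr(CALLING_STATION_ID, mac.encode())
    eap = b"\xAA" * eap_len                      # stands in for the certificate chain
    for off in range(0, len(eap), 253):
        attrs += radius_attr(EAP_MESSAGE, eap[off:off + 253])
    return struct.pack("!BBH", 1, 0x42, 20 + len(attrs)) + bytes(16) + attrs


def ip_fragments(udp_payload: bytes, mtu_payload: int = MTU_PAYLOAD) -> list[bytes]:
    """Split the datagram as IP would: the first fragment also carries the 8-byte UDP header,
    and every fragment but the last is a multiple of 8 bytes."""
    first = (mtu_payload - 8) // 8 * 8
    step = mtu_payload // 8 * 8
    frags = [udp_payload[:first]]
    frags += [udp_payload[i:i + step] for i in range(first, len(udp_payload), step)]
    return frags


def calling_station_id(fragment: bytes, is_first: bool) -> str | None:
    """Walk the RADIUS attribute list if this fragment starts with the RADIUS header."""
    if not is_first or len(fragment) < 20:
        return None                              # later fragments are opaque bytes to the LB
    i = 20
    while i + 2 <= len(fragment):
        code, length = fragment[i], fragment[i + 1]
        if length < 2 or i + length > len(fragment):
            break
        if code == CALLING_STATION_ID:
            return fragment[i + 2:i + length].decode()
        i += length
    return None


def pick(key: str, pool: list[str] = PSNS) -> str:
    """Deterministic persistence: the same key always maps to the same real server."""
    return pool[int(hashlib.sha256(key.encode()).hexdigest(), 16) % len(pool)]


def forward(fragments: list[bytes], src_ip: str, persistence: str, lb_reassembles: bool) -> list:
    """PSN chosen per forwarded unit; None means the LB found no key to persist on."""
    units = [b"".join(fragments)] if lb_reassembles else fragments
    chosen = []
    for n, unit in enumerate(units):
        key = src_ip if persistence == "source-ip" else calling_station_id(unit, n == 0)
        chosen.append(pick(key) if key else None)
    return chosen


if __name__ == "__main__":
    frags = ip_fragments(build_access_request("00:C0:FF:1A:2B:3C", 3000))
    print(len(frags), "fragments")
    print("Calling-Station-ID, no reassembly:", forward(frags, "10.1.50.2", "calling-station-id", False))
    print("Source IP, no reassembly:         ", forward(frags, "10.1.50.2", "source-ip", False))
```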
Vendor-Specific LB Configurations

• Cisco ACE
• Citrix NetScaler https://communities.cisco.com/docs/DOC-64434
• F5 LTM
• Cisco ITD (Note)

Scaling ISE Services: Load balancing without load balancer
Load Balancing Web Requests Using DNS
Client-Based Load Balancing/Distribution Based on DNS Response
• Examples:
  • Cisco Global Site Selector (GSS) / F5 BIG-IP GTM / Microsoft’s DNS Round-Robin feature
• Useful for web services that use static URLs including LWA, Sponsor, My Devices, OCSP

DNS SOA for company.com:
sponsor IN A 10.1.99.5
sponsor IN A 10.1.99.6
sponsor IN A 10.2.100.7
sponsor IN A 10.2.100.8

PSNs: 10.1.99.5, 10.1.99.6, 10.2.100.7, 10.2.100.8
Client 10.1.60.105 asks “What is IP address for sponsor.company.com?” and receives 10.1.99.5; client 10.2.5.221 asks the same question and receives 10.2.100.8
Using Anycast for ISE Redundancy
Profiling Example

Provided a dedicated interface or LB VIPs are used, Anycast may be used for Profiling, Web Portals (Sponsor, Guest LWA, and MDP) and RADIUS AAA!

NADs (ACCESS1, ACCESS2, ACCESS3) are configured with a single Anycast IP address, e.g. 10.10.10.10, which is configured on both ISE-PSN-1 and ISE-PSN-2.
ISE Configuration for Anycast
Anycast address should only be applied to ISE secondary interfaces, or LB VIP, but never to ISE GE0 management interface

On each PSN that will participate in Anycast…
1. Configure PSN probes to profile DHCP (IP Helper), SNMP Traps, or NetFlow on dedicated interface
2. From CLI, configure dedicated interface with same IP address on each PSN node

ISE-PSN-1 Example:
ise-psn-1/admin# config t
ise-psn-1/admin(config)# int GigabitEthernet1
ise-psn-1/admin(config-GigabitEthernet)# ip address 10.10.10.10 255.255.255.0

ISE-PSN-2 Example:
ise-psn-2/admin# config t
ise-psn-2/admin(config)# int GigabitEthernet1
ise-psn-2/admin(config-GigabitEthernet)# ip address 10.10.10.10 255.255.255.0
NAD-Based RADIUS Server Redundancy (IOS)
Multiple RADIUS Servers Defined in Access Device

• Configure Access Devices with multiple RADIUS Servers
• Fallback to secondary servers if primary fails

User -> NAD -> RADIUS Auth -> PSN1 (10.1.2.3), PSN2 (10.4.5.6), PSN3 (10.7.8.9)

radius-server host 10.1.2.3 auth-port 1812 acct-port 1813
radius-server host 10.4.5.6 auth-port 1812 acct-port 1813
radius-server host 10.7.8.9 auth-port 1812 acct-port 1813
NAD-Based TACACS+ Server Redundancy (IOS)
Multiple TACACS+ Servers Defined in Access Device

• Configure Access Devices with multiple TACACS+ Servers
• Fallback to secondary servers if primary fails

User -> NAD -> T+ Auth -> PSN1 (10.1.2.3), PSN2 (10.4.5.6), PSN3 (10.7.8.9)

tacacs-server host 10.1.2.3
tacacs-server host 10.4.5.6
tacacs-server host 10.7.8.9
IOS-Based RADIUS Server Load Balancing
Switch Dynamically Distributes Requests to Multiple RADIUS Servers

• RADIUS LB feature distributes batches of AAA transactions to servers within a group
• Each batch assigned to server with least number of outstanding transactions
• NAD controls the load distribution of AAA requests to all PSNs in RADIUS group without dedicated LB

User 1, User 2 -> NAD -> RADIUS -> PSN1 (10.1.2.3), PSN2 (10.4.5.6), PSN3 (10.7.8.9)

radius-server host 10.1.2.3 auth-port 1812 acct-port 1813
radius-server host 10.4.5.6 auth-port 1812 acct-port 1813
radius-server host 10.7.8.9 auth-port 1812 acct-port 1813
radius-server load-balance method least-outstanding batch-size 5
More info about scaling?
• Posture & MDM Scaling
• TACACS+ Scaling
• Guest and Web Auth Scaling
• Easy Connect
• Scaling AD

BRKSEC-3432 Advanced ISE – Architect, Design and Scale ISE for your production networks
Thursday 8:30 - 10:30
And remember…

• Choose the most appropriate ISE Deployment type
• Check ISE Virtual Appliances for proper resources and platform detection!
• Consider bandwidth and latency before designing your architecture
• Avoid excessive auth activity through proper NAD / supplicant tuning and Log Suppression
• Leverage load balancers for scale, high availability, and simplifying network config changes
• Be sure to have a local fallback plan on your network access devices
Deploying Visibility with Profiling

Tue Frei Noergaard
Technical Solutions Architect
CCIE Security #42039

Agenda
• What is profiling?
• Probes, probes and probes
• Profile policies
• Authorization profiles using Profiling
• Built-in Profiles and Feed Service
Use Case: ISE-Cream, Inc.
Profiling and Visibility
• Corporate devices – mainly laptops
• Factory devices – Siemens and Rockwell + misc.
• iPads used by management
• HP printers
• Cisco IP phones

GOALS:
• Choose the right profiling probes
• Use device type in authorization profiles
Profiling and probes
ISE data collection methods for Device profiling

ACTIVE PROBES: NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP, AD
DEVICE SENSOR (DS): CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS
ANYCONNECT: ACIDex

Endpoints send interesting data that reveal their device identity; Cisco ISE collects it through these probes and matches it against the profiles delivered by the Feed Service (Online/Offline).
Profiling Probes
RADIUS Probe

Common RADIUS Attributes (provide IP-MAC Bindings):
User-Name, Calling-Station-Id, Called-Station-Id, Framed-IP-Address, NAS-IP-Address, NAS-Port-Type, NAS-Port-Id, NAS-Identifier
NDGs: Device Type (NAD), Location (NAD); plus Authentication Policy, Authorization Policy

• MAC address -> OUI for NIC vendor classification
• RADIUS Accounting provides MAC:IP binding to support other probes that rely on IP address (DNS, NMAP, and HTTP)
• When using device sensor, profile information is sent via RADIUS from NAD
RADIUS Probe (For your reference)
Configuration (Access Switch / WLC -> ISE)

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
ip radius source-interface xxx
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host @PSN auth-port 1812 acct-port 1813 key xxx
radius-server vsa send accounting
radius-server vsa send authentication
RADIUS Probe
Example output
SNMP Probe

SNMP Trap Probe
▪ Alert ISE Profiling Services to the presence (connection or disconnection) of a network endpoint
▪ Trigger an SNMP Query probe
▪ Key attributes highlighted include EndPointSource, MACAddress, and OUI.

SNMP Query Probe
▪ This probe collects details from network devices such as Interface, CDP, LLDP and ARP
▪ ’Network devices’ in ISE must be configured for SNMP
▪ System Query (Polled) [Default 8 hours]
▪ Interface Query (Triggered) by a LinkUp/MAC Notification trap OR a RADIUS Accounting Start
▪ RADIUS Accounting Start also triggers the SNMP Query probe

Example: the Interface Query on Switch-1, Gi0/1 returns the phone ‘Vendor’ and ‘Model’
SNMP Probe (For your reference)
Configuration (WLC / access switch -> SNMP, CDP / LLDP -> ISE)

Sample access switch configuration for SNMP:
interface GigabitEthernet2/46
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
mac address-table notification change
mac address-table notification mac-move
! a read-only community is sufficient for the ISE SNMP Query probe
snmp-server community xxxxxx RW
snmp-server host @IP_ISE version 2c xxxxx
snmp-server trap-source <Management_Interface>
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host @PSN version 2c ciscoro

Queries following MIBs:
- system
- cdpCacheEntry
- cLApEntry (If device is WLC)
- lldpLocalSystemData
- lldpRemoteSystemsData
- cldcClientEntry (If device is WLC)

LinkUp/Mac Notification/RADIUS Acct Start event queries:
- interface data (ifIndex, ifDesc, etc)
- Port and Vlan data
- Session Data (if interface type is Ethernet)
- CDP data (if device is Cisco)
- LLDP data
SNMP Probe
Example output: device classification from CDP cache data on ISE
DHCP Probe

• Simple method of getting DHCP traffic to ISE
• Requires configuration of NADs to relay DHCP packets to ISE (IP helper-address)
• DHCP probe in ISE will collect DHCP data to use in profiling policy
• For WLCs disable DHCP proxy

DHCP attributes collected (the DHCP REQ from the endpoint is relayed to the DHCP Server and to ISE):
dhcp-class-identifier, dhcp-user-class-id, dhcp-client-identifier, dhcp-message-type, dhcp-parameters-request-list, dhcp-requested-address, host-name, domain-name
Callouts on the attribute list: some attributes can be customized on the OS, others are very specific for the OS; the probe also learns the MAC Address and the Endpoint IP Address
DHCP Probe
Configuration (Preferred Method): the NAD relays the DHCP-REQ to the DHCP Server and to the ISE PSN(s)

interface Vlan100
 ip helper-address @IP_DHCP_server
 ip helper-address @IP_PSN1
 ip helper-address @IP_PSN2
DHCP Probe
Example output

Profile condition: DHCP:dhcp-class-identifier CONTAINS Cisco Systems, Inc. IP Phone
HTTP Probe
Using URL redirection
Pre-Req: Need IP to MAC binding

• User-agent is an HTTP request header that is sent from web browsers to web servers
• It includes application, vendor, and OS information
• User-agent attributes can be collected from web browser sessions redirected to ISE for existing services, such as:
  ̶ Central WebAuth (CWA)
  ̶ Device Registration WebAuth (DRW)
  ̶ Native Supplicant Provisioning (NSP)

Endpoint -> Redirection (TCP/8443) -> ISE
HTTP Probe (For your reference)
Configuration – URL redirection on switch / WLC

Switch configuration commands:
ip http server
ip http secure-server
ip access-list extended REDIRECT-ACL
 deny tcp any host <PSN_IP_address>
 permit tcp any any eq http
 permit tcp any any eq https

WLC: Enable CoA support
HTTP Probe
Example output

Profile condition: User-Agent CONTAINS iPad
SPAN: DHCP and HTTP Probe
• Traffic is mirrored to an Interface on the ISE PSN
• Both SPAN and remote SPAN are supported
• Not an optimal way to send traffic to ISE
• DHCP SPAN probe can capture DHCP traffic from local subnet broadcasts.
• Captures HTTP User Agent and other HTTP attributes for packets on TCP/80 and TCP/8080
DNS Probe
Pre-Req: Need IP to MAC binding

• DNS probe in the profiler does a reverse DNS lookup (FQDN?) against the DNS Server for IP addresses learnt by other means
• Before a DNS lookup can be performed, one of the following probes must be started along with the DNS probe: DHCP, HTTP, RADIUS, or SNMP
• DNS Probe requires DNS reverse PTR records! DHCP clients will require DDNS to be configured and enabled on Servers
NMAP Probe
• Detects new endpoints through a subnet scan
• It can classify based on the operating system, OS version, and services
• Is the only “active” probe as it communicates directly with the endpoint

Subnet Scan (On demand); trigger scan for endpoints with OUI = Apple
The scan can trigger manually or dynamically based on policy

NMAP Probe (For your reference)
Configuration: Scan Options
NMAP Probe (For your reference)
Manual Scan Results

• I just ran a Manual NMAP scan. Now what? (Active Scan Indicator)
• What should I expect to see in the scan results?
  Endpoints included in last completed scan where one or more attributes are added or changed and can be correlated to endpoint in ISE database based on its MAC address

NMAP Probe (For your reference)
Automating Scans

Active scan is triggered by policy. If an Apple device is detected, then scan and report the OS version
Active Directory Probe

• Increases OS fidelity via info extracted from AD.
• Leverages AD Runtime Connector
• Attempts to fetch AD attributes from the Domain Controller once computer hostname learned from DHCP Probe and DNS Probe
• AD queries gated by:
  • Rescan interval (default 1 day)
  • Profiler activity for endpoint
NetFlow Probe
Collect NetFlow Export Data from NetFlow-Capable Device
• Key use cases for NetFlow Probe:
  • Capture flows to match traffic = SRC/DST IP/Port/Protocol
  • Classify general purpose hw/sw devices (e.g. healthcare equipment, devices w/embedded Linux)
• Potentially high volumes of data—limit use / filter when possible
• Recommend dedicated ISE interface
• Flexible NetFlow v9

ip flow-cache timeout active 1
mls netflow interface
mls flow ip interface-full
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export template timeout-rate 1
ip flow-export destination @ISE-PSN 9996
interface X (Routed port or VLAN interface)
 ip flow ingress
Device Sensor
Making profiling easier - raw data to ISE via RADIUS

• Switch (from IOS 15.0(2)SE): CDP, LLDP, DHCP and MAC are sent to ISE in RADIUS accounting
  device-sensor accounting
  device-sensor notify all-changes
• WLC (from AireOS 7.2): HTTP, DHCP and MAC are sent to ISE in RADIUS accounting
  WLANs > (SSID) > Advanced

Profiling based on
• MAC OUI
• CDP/LLDP
• DHCP
• HTTP (WLC only)
• mDNS
• H323
• MSI-Proxy (4k only)

Data From Device Sensor + Profile Conditions = PROFILED
Example: MAC OUI = Lexmark + DHCP Class ID Contains E260dn -> It’s a Lexmark E260n Printer
Device Sensor (for your reference)
Configuration on wired devices

[Figure: the endpoint authenticates via MAB or EAPoL; the switch gathers CDP, LLDP and DHCP data and forwards it to ISE in RADIUS Accounting]

ISE: enable the RADIUS probe

1) Filter DHCP, CDP, and LLDP options/TLVs
2) Enable sensor data to be sent in RADIUS Accounting, including all changes
3) Disable the local analyzer if sending sensor updates to ISE (central analyzer)

device-sensor filter-list cdp list my_cdp_list
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec cdp include list my_cdp_list

device-sensor filter-list lldp list my_lldp_list
 tlv name system-name
 tlv name system-description
device-sensor filter-spec lldp include list my_lldp_list

device-sensor filter-list dhcp list my_dhcp_list
 option name host-name
 option name class-identifier
 option name client-identifier
device-sensor filter-spec dhcp include list my_dhcp_list

device-sensor accounting
device-sensor notify all-changes

no macro auto monitor
access-session template monitor

Device Sensor (for your reference)
Supported switches/wireless controllers

Device Sensor supported:
• 9000 family running 16.5.1a (min. Network Essentials license)
• 2960X, -XR running IOS Release 15.0(2)EX1
• 3560/3750 running 15.0(1)SE1 (excludes LAN Base)
• 3560C/CG running 15.0(2)SE (excludes LAN Base)
• 3650, 3850 running 3.6.0E
• 4500, 4900 running 15.1(1)SG (excludes LAN Base)
• 4500 running IOS-XE 3.3.0SG (excludes LAN Base)
• 6500/6800 SUP2T running 15.2(1)SY
• Wireless Controllers running 7.2.110.0 (DHCP only)
• Wireless Controllers running 7.3.101.0 (DHCP/HTTP)
• WLC 5760 running 3.6+ (OUI/DHCP/HTTP)

Device Sensor not supported: 2960, 2960SF, 6500 SUP720

Check the release notes!

Verify Device Attributes

[Figure: in the endpoint details, navigate to Attributes and verify the endpoint source]

Probe Selection
Probe Selection at ISE-Cream, Inc.

Endpoint        | Probes                          | Attributes learned
Windows laptops | RADIUS + DNS + Active Directory | MAC address, FQDN, Windows version
Printers        | RADIUS + NMAP                   | Vendor ID, printer model
iPad            | RADIUS + HTTP                   | Vendor ID, OS version / device model
IP phone        | RADIUS with Device Sensor       | Vendor ID + CDP

Profiling Policies
Profiler Policy Overview

Probes -> Profiling Conditions -> Profiling Rules (Profiling Policies: CF + Exceptions + SCANs) -> Logical Profiles / Endpoint ID Groups -> AuthZ Policy

[Figure: the switch (CDP/LLDP/DHCP/MAC) and the WLC (HTTP/DHCP/MAC) feed probe data to ISE]

Example: if MAC OUI = Lexmark and the DHCP Class ID contains "E260dn", it's a Lexmark E260n printer

Profiler Policies

[Figure: profiler policy form showing the Parent Policy field; optional: select the option to create a matching Identity Group]

Builtin Profiles & Feed
Industrial and medical devices (IoT)

• Hospital medical devices: 250+ medical device profiles uploaded to the feed
• Factory industrial devices: profiles from Cisco Industrial Network Director (IND) and Cisco Cyber Vision

How many profiles can ISE handle?

• ISE supports a maximum of 2000 profiles
• Let's do the math:
  • ~600 base profiles
  • ~600 new feed profiles (2.4)
  • ~275 Medical NAC profiles
  • ~625 Automation & Control profiles
  ---------------------------------------------
  ~2100 profiles

There is no restriction on profile import, so check the number of profiles in the library before importing a large batch of new profiles.

How do I get more profiles into ISE?
Profiler Feed Best Practices

https://ise.cisco.com/partner/

• Test updates in a lab or other pre-staging environment before applying updates to production.
• Set up email notifications to be alerted of new OUI and profile updates (ISE 2.7).

Nobody knows my ISE-Cream making device?
Custom Profiles

What can I do when Cisco® ISE can't recognize and profile a specific type of endpoint (example: APC UPS)?

ISE does learn the OUI and possibly other information, which can be used to write a custom profile.

[Figure: endpoint attributes that can be used for writing custom profiling conditions]

Creating Custom Profiling Policies
Profile policy creation and endpoint assignment

Custom profiles created by customers and Cisco partners can be shared after publishing to Cisco Feed Services.

The profile will be distributed to all Cisco® ISE nodes; APC devices on the network will be profiled correctly.

Authorization Profiles w/ Profiling
Authorization based on device profile: it's that easy

Example: Identifying the Machine & User
• Objective: use profiling to differentiate between a corporate laptop and a non-corporate laptop
• User-only authentication will not allow a differentiated policy like the following:
  Corp laptop (Full Access) vs. Personal laptop (Limited Access)

Identifying the Machine AND the User
Real customer example: profiling based on a custom DHCP attribute

• The customer modified the DHCP ClassID on their domain computers.
• This provided a unique way to profile the device as a corporate asset.
• Manual configuration example:

C:\>ipconfig /setclassid "Local Area Connection" CorpXYZ

DHCP ClassId successfully modified for adapter "Local Area Connection"

• http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
• The profiler condition value must be expressed in hex or dec.
• GPO script configuration example:
1 - Create a GPO which has the necessary IPCONFIG command in a startup script
2 - Create a Domain Local group called something like 'Laptop Computer Accounts' and add all the laptop computer accounts
3 - Modify the GPO by removing 'Authenticated Users' from the permissions list
4 - Add the 'Laptop Computer Accounts' group to the permissions list and assign 'Read' and 'Apply Group Policy' permissions
5 - Link the GPO to the domain root (or the highest level OU which will encompass all computer accounts)

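The matching logic behind the profiler slides (certainty factors, parent policies, the Lexmark OUI + DHCP Class ID rule, and the hex-encoded CorpXYZ class ID condition), as an added Python example that is not ISE code and not part of the original deck; the policy names, CF values, the minimum certainty factor of 10 and the endpoint attribute names are assumptions.

```python
"""Toy ISE-style profiler: policies with certainty factors (CF) and parents.

A rule tests one endpoint attribute and adds its CF when it matches. A policy
matches when its total CF reaches its minimum; a child policy is evaluated only
after its parent matched, so the deepest match wins (Lexmark-Device -> E260n).
Added example, not ISE code; values below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Endpoint = Dict[str, str]      # attribute name -> value as reported by the probes
Condition = Callable[[Endpoint], bool]


@dataclass
class Rule:
    condition: Condition
    certainty: int             # CF added when the condition matches


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    min_certainty: int = 10    # assumed default minimum CF; set per policy in ISE
    parent: Optional[str] = None


def attr_contains(name: str, needle: str) -> Condition:
    return lambda ep: needle.lower() in ep.get(name, "").lower()


def attr_hex_equals(name: str, hex_value: str) -> Condition:
    """Compare the raw attribute bytes with a hex condition value (the slide
    notes the DHCP class-identifier condition must be given in hex or dec)."""
    return lambda ep: ep.get(name, "").encode("utf-8").hex() == hex_value.lower()


def dhcp_class_id_hex(text: str) -> str:
    """Hex form of a class ID string such as the 'CorpXYZ' set via ipconfig."""
    return text.encode("utf-8").hex()


def policy_score(policy: Policy, ep: Endpoint) -> int:
    """Total CF for an endpoint: every matching rule adds its certainty."""
    return sum(rule.certainty for rule in policy.rules if rule.condition(ep))


def profile_endpoint(policies: List[Policy], ep: Endpoint) -> str:
    """Walk the policy tree from the roots; return the deepest policy whose
    score reaches its minimum CF, or 'Unknown' when no root policy matches."""
    children: Dict[Optional[str], List[Policy]] = {}
    for policy in policies:
        children.setdefault(policy.parent, []).append(policy)
    best = "Unknown"
    frontier = children.get(None, [])
    while frontier:
        scored = [(policy_score(p, ep), p) for p in frontier]
        scored = [(s, p) for s, p in scored if s >= p.min_certainty]
        if not scored:
            break
        _, winner = max(scored, key=lambda pair: pair[0])
        best = winner.name
        frontier = children.get(winner.name, [])   # descend into child policies
    return best


# Constructed policies modelled on the slides (names and CF values are assumed).
EXAMPLE_POLICIES = [
    Policy("Lexmark-Device", [Rule(attr_contains("OUI", "Lexmark"), 10)]),
    Policy("Lexmark-E260n-Printer",
           [Rule(attr_contains("dhcp-class-identifier", "E260dn"), 20)],
           parent="Lexmark-Device"),
    Policy("Corporate-Asset",
           [Rule(attr_hex_equals("dhcp-class-identifier",
                                 dhcp_class_id_hex("CorpXYZ")), 30)]),
]

# Constructed endpoints as the RADIUS / Device Sensor probes might report them.
SAMPLE_ENDPOINTS = {
    "printer": {"MACAddress": "00:20:00:aa:bb:cc", "OUI": "Lexmark International Inc.",
                "dhcp-class-identifier": "Lexmark E260dn"},
    "corp-laptop": {"MACAddress": "d4:81:d7:11:22:33", "OUI": "Dell Inc.",
                    "dhcp-class-identifier": "CorpXYZ"},
    "byod-laptop": {"MACAddress": "d4:81:d7:44:55:66", "OUI": "Dell Inc.",
                    "dhcp-class-identifier": "MSFT 5.0"},
}


if __name__ == "__main__":
    for label, endpoint in SAMPLE_ENDPOINTS.items():
        print(f"{label:12s} -> {profile_endpoint(EXAMPLE_POLICIES, endpoint)}")
```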
ISE Profiling Best Practices

• Avoid SPAN probes
• Enable only required probes
• Create custom profiles when needed: IT'S FUN
• Use Device Sensor

Coffee Break
We'll start back at 10:45

ISE in wired networks

Tue Frei Noergaard
Technical Solutions Architect
CCIE Security #42039

Agenda (from less complex to more complex)
• AAA/RADIUS Overview
  Authentication/Authorization
  Change of Authorization (CoA)
  MAB
• 802.1X
  Deploying 802.1X in phases
  Active Directory integration
  EAP Chaining
• Identity Based Networking Services 2.0 (IBNS2)
  ISE config on switches: "New Style"

Use Case: ISE-Cream, Inc.
Wired infrastructure
• User and machine authentication: needs both credentials for identity firewalling and logging
• Phased approach for wired 802.1X deployment
  • 802.1X enabled devices
  • Non-802.1X devices (MAB)
• Needs "New Style" switch config to prepare for failure scenarios (IBNS2)

AAA/RADIUS Overview
Authentication, Authorization and Accounting

• Authentication (802.1X / MAB / WebAuth): tells who/what the endpoint is
• Authorization: defines what the user or endpoint has access to
• Accounting: logs who and/or what logged in where

RADIUS

• Authentication RFC 2865, Accounting RFC 2866
• UDP ports: Authentication 1812, Accounting 1813
• Cisco legacy ports 1645/1646
• Information transmitted via Attribute/Value Pairs

Message flow between the NAD and ISE:
  NAD -> ISE: Access-Request
  ISE -> NAD: Access-Challenge
  NAD -> ISE: Access-Request
  ISE -> NAD: Access-Accept / Access-Reject
  NAD -> ISE: Accounting-Request
  ISE -> NAD: Accounting-Response

Sample RADIUS Packet
[Figure: packet capture of a RADIUS packet showing its Attribute/Value Pairs]

Authentication
Authentication Rules Overview
Policy > (Policy Set) > Authentication

[Figure: authentication rule for 802.1X / MAB / WebAuth showing the Identity Source and the Identity Source Options]

Authentication Rule
Advanced options

• Reject: send 'Access-Reject' back to the NAD
• Continue: continue to authorization regardless of the authentication outcome
• Drop: do not respond to the NAD; the NAD will treat it as if the RADIUS server is dead
• Not all EAP types support the 'Continue' option
• Why would we want to 'Drop' when the process fails?
• Why would we want to 'Continue' when the user is not found?

Authentication Rule Option: Drop
When to drop a RADIUS request

[Figure: ISE at 1.1.1.1 says "I will pretend I am not available!"; the switch concludes "1.1.1.1 is down, let me try 2.2.2.2" and fails over to the second RADIUS server]

RADIUS global config on the switch:
radius-server host 1.1.1.1 key cisco123
radius-server host 2.2.2.2 key cisco123
radius-server deadtime ….

Identity Store Option: Continue
When to send 'Access-Accept' for an unknown MAB authentication?

Only works for PAP/ASCII, EAP-TLS and EAP-MD5. Other requests are rejected!

ACCESS-REJECT
• NAD controlled
• ISE sends Access-Reject to the NAD
• No-response VLAN (Guest VLAN)
• Lack of visibility from ISE
• CoA is not supported
• ACL for enforcement

ACCESS-ACCEPT
• RADIUS controlled
• ISE sends Access-Accept to the NAD
• Can assign dynamic VLAN, ACL or SGT
• User access visible from ISE
• Supports CoA operation
• Gather more information about the user/device
• Can redirect to a captive portal!

Identity Sources Overview
Which identity database do we use?

• Internal: internal DB
• RADIUS Token: RSA SecurID
• ODBC
• Active Directory
• External RADIUS (ACS parity, Eduroam etc.): supports prefix/suffix removal from the User ID
• LDAP
• Certificate Profile: can look up AD/LDAP, can look up CRL or OCSP
• RADIUS Server Sequence
• Identity Source Sequence

Enhanced SAML

• Cisco ISE is SAMLv2 compliant and supports all SAMLv2 compliant IdPs. The IdPs listed below have been tested with Cisco ISE:
  • Oracle Access Manager (OAM)
  • Oracle Identity Federation (OIF)
  • SecureAuth
  • PingOne
  • PingFederate
  • Azure Active Directory
  • Cisco DUO
• SAML SSO is supported in the Guest, Sponsor, My Devices, and Certificate Provisioning portals

Authorization
Policy > (Policy Set) > Authorization

Authorization (after 802.1X / MAB / WebAuth) defines what the user or endpoint has access to. An authorization rule consists of Conditions and Results.

Authorization Conditions

An AuthZ condition can be built from:
• External identity groups
• Directory attributes
• RADIUS & session attributes
• Posture state
• Profiled groups

Authorization Best Practices

• Order conditions so internal attributes are matched before external attributes
• Do not authorize MAC addresses against Active Directory
  • Why would this be a bad idea?
• Use Network Access:AuthenticationIdentityStore to reduce external ID store lookups
• Order rules from most used to least used

Policy Sets

• Group like rules by:
  Authentication type (dot1x/MAB)
  NAD type (Wired/Wireless/3rd party)
  Device dictionary (Device type/Location/sw)
• Improves rule readability
• Reduces configuration mistakes
• Improves rule processing

Authorization Profiles
Policy > Policy Elements > Results > Authorization

• With ACCESS-ACCEPT, the NAD applies the additional attributes
• With ACCESS-REJECT, NO attributes can be set

[Figure: authorization profile form with the often used attributes, any custom attributes, and a preview of the resulting attributes]

Useful RADIUS Attributes

• Dynamic VLAN & Downloadable ACL
• Voice VSA
• Switch VSA
• URL Redirect

ISE Downloadable ACL
Downloadable Access Control List (dACL)

[Figure: the dACL is defined in ISE with ACL syntax validation and pushed to the NAD via RADIUS]

ISE Downloadable ACL
Multi-auth on older Catalyst platforms (29xx, 3k)

SWITCH#sh authentication sessions interface gigabitEthernet 2/18 details
            Interface:  GigabitEthernet2/18
          MAC Address:  0080.64c5.7514
         IPv6 Address:  Unknown
         IPv4 Address:  10.45.133.26
            User-Name:  ISE-Cream\G.SVC.WYSE.Dot1x
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  43200s (server), Remaining: 26414s
       Timeout action:  Reauthenticate
      Restart timeout:  N/A
       Session Uptime:  16803s
    Common Session ID:  0A2D800B00064D0D9940C540
      Acct Session ID:  0x000B161A
               Handle:  0x96000B45
       Current Policy:  POLICY_Gi2/18

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
         Security Policy:  Should Secure
         Security Status:  Link Unsecure

Server Policies:
              ACS ACL:  xACSACLx-IP-DSV_Wired_DOT1x-5698999a

            Interface:  GigabitEthernet2/18
          MAC Address:  80e8.6f23.dbbc
         IPv6 Address:  Unknown
         IPv4 Address:  10.45.134.251
            User-Name:  80-E8-6F-23-DB-BC
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  43200s (server), Remaining: 42667s
       Timeout action:  Reauthenticate
      Restart timeout:  N/A
       Session Uptime:  566s
    Common Session ID:  0A2D800B0006058467510AC0
      Acct Session ID:  0x000ABA02
               Handle:  0x430009DB
       Current Policy:  POLICY_Gi2/18

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
         Security Policy:  Should Secure
         Security Status:  Link Unsecure

Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-508adc03

SWITCH#show ip access-lists interface gigabitEthernet 2/18
     permit ip host 10.45.134.251 any
     permit ip host 10.45.133.26 any

ISE Downloadable ACL
Multi-auth on Catalyst 9k

SWITCH#show authentication sessions interface gigabitEthernet 1/0/1 details
            Interface:  GigabitEthernet1/0/1
               IIF-ID:  0x198876D7
          MAC Address:  d481.d7f7.d016
         IPv6 Address:  Unknown
         IPv4 Address:  10.45.134.251
            User-Name:  host/W-B8105H2
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  43200s (server), Remaining: 42172s
       Timeout action:  Reauthenticate
    Common Session ID:  32802D0A0000001B2393726D
      Acct Session ID:  0x00000013
               Handle:  0x1c000011
       Current Policy:  POLICY_Gi1/0/1

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
         Security Policy:  Should Secure

Server Policies:
      Session-Timeout:  43200 sec
              ACS ACL:  xACSACLx-IP-PERMIT_TEST_SJE-5dfcaeef

            Interface:  GigabitEthernet1/0/1
               IIF-ID:  0x1A078851
          MAC Address:  e0d1.73e5.30d6
         IPv6 Address:  Unknown
         IPv4 Address:  10.45.155.43
            User-Name:  E0-D1-73-E5-30-D6
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  43200s (server), Remaining: 32357s
       Timeout action:  Reauthenticate
    Common Session ID:  32802D0A0000001022FD39F0
      Acct Session ID:  0x00000009
               Handle:  0x4e000006
       Current Policy:  POLICY_Gi1/0/1

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
         Security Policy:  Should Secure

Server Policies:
      Session-Timeout:  43200 sec
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-508adc03

SWITCH#show ip access-lists xACSACLx-IP-PERMIT_TEST_SJE-5dfcaeef
Extended IP access list xACSACLx-IP-PERMIT_TEST_SJE-5dfcaeef
    1 deny ip any host 80.344.69.193
    2 deny icmp any host 80.344.69.193
    3 permit tcp any host 10.46.100.20 eq ftp
    4 permit ip any any

SWITCH#show ip access-lists xACSACLx-IP-PERMIT_ALL_TRAFFIC-508adc03
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-508adc03
    1 permit ip any any

Authorization
Dynamic VLAN Assignment

[Figure: after MAB, ISE returns the VLAN ID to the switch in the RADIUS response]

Security Group Access
Cisco TrustSec

SGACL matrix:
Source \ Destination        | Production Servers (SGT=10) | Development Servers (SGT=4)
Employee (Managed asset)    | PERMIT                      | PERMIT
Employee (Registered BYOD)  | PERMIT                      | DENY

[Figure: a user on a BYOD device ("I am using a BYOD device") authenticates via 802.1X/MAB/WebAuth; ISE assigns SGT = 100 (BYOD); the SGACL permits the production server (SGT=10) and denies the development server (SGT=4)]

TrustSec
Assigning a Security Group Tag

TrustSec is part of the ISE Base License.

Authorization Policy Examples
Policy > (Policy Set) > Authorization
[Figure: example authorization policy rules]

Accounting

Accounting (after 802.1X / MAB / WebAuth) answers: who or what logged in when?
• Session keepalive
• Session teardown

Accounting Best Practices

• Ensure that start and stop accounting is configured
• Keep interim accounting to a minimum
• Cisco switches: CSCvg79644, use 16.9.3+

Secure Wired Access Prescriptive Deployment Guide:
https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Change of Authorization (CoA)
RADIUS Change of Authorization (CoA)

• The RADIUS protocol is initiated by the network device (NAD)
• Without CoA there is no way to change an authorization from ISE
• With CoA the network device listens to CoA requests from ISE (UDP 1700/3799): "Now I can control ports when I want to!"

(config)#aaa server radius dynamic-author
 client {PSN} server-key {RADIUS_KEY}

CoA actions:
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port

Example of RADIUS CoA followed by 802.1X (for your reference)

Supplicant <-- EAP over LAN (EAPoL), Layer 2 point-to-(multi)point --> Authenticator <-- RADIUS, Layer 3 link --> AuthC Server

Change of Authorization:
  AuthC Server -> Authenticator: RADIUS CoA-Request [VSA: subscriber: reauthenticate]
  Authenticator -> AuthC Server: RADIUS CoA-Ack

Re-Authentication:
  Authenticator -> Supplicant: EAPoL Request Identity
  Supplicant -> Authenticator: EAP-Response Identity: Alice
  Authenticator -> AuthC Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
  AuthC Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Authenticator -> Supplicant: EAP-Request: PEAP
  Supplicant -> Authenticator: EAP-Response: PEAP
  Authenticator -> AuthC Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
  (multiple Challenge-Request exchanges possible)

MAB
Authentication Basics: MAC Authentication Bypass
Non-802.1X-capable devices and no "user intelligence" behind

Endpoint 00.0a.95.7f.de.06 <--> Authenticator <--> RADIUS Server
  Authenticator -> Endpoint: EAPoL: EAP Request-Identity
  Authenticator -> Endpoint: EAPoL: EAP Request-Identity
  Authenticator -> Endpoint: EAPoL: EAP Request-Identity
  IEEE 802.1X times out, MAB starts
  (time until the endpoint sends its first packet after the IEEE 802.1X timeout)
  Endpoint -> Authenticator: any packet
  Authenticator -> RADIUS Server: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
  RADIUS Server -> Authenticator: RADIUS Access-Accept
  Network access granted

No defined standard for MAB. Variants:
• Service-Type = login
• Username = MAC
• Password = MAC / other
• Calling-Station-Id = MAC

RADIUS Attributes
Example for Cisco MAB

MAB as PAP
• still in use by some switches
• password = username

MAB as "Host Lookup"
• ISE optimization
• No need for fake passwords

The Service-Type differentiates a MAB request; NAS-Port-Type = Ethernet

[Figure: endpoints authenticate via 802.1X/MAB to the switch, which sends RADIUS to ISE]

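The attribute/value encoding behind the Sample RADIUS Packet, MAB and CoA slides, as an added Python example that is not part of the original deck and not ISE or IOS code: it builds the "host lookup" MAB Access-Request a switch sends (username = MAC, Service-Type = Call-Check, no password) and the CoA-Request that carries the subscriber reauthenticate VSA, then parses them and verifies the CoA authenticator the way a NAD must before acting on it. The audit-session-id AVP used to name the session, the shared secret and the session ID value are assumptions or taken from the slides.

```python
"""RADIUS Access-Request (MAB) and CoA-Request builder/parser.

Added example, not ISE code. Wire format per RFC 2865 (header, TLV attributes,
Vendor-Specific) and RFC 5176 (CoA-Request authenticator).
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, COA_REQUEST, COA_ACK = 1, 43, 44          # packet codes
USER_NAME, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 6, 26       # attribute types
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
SERVICE_TYPE_CALL_CHECK, SERVICE_TYPE_FRAMED = 10, 2      # Call-Check marks MAB
NAS_PORT_TYPE_ETHERNET = 15
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                      # cisco-avpair sub-attribute

Attribute = Tuple[int, bytes]


def avp(attr_type: int, value) -> bytes:
    """Encode one Type-Length-Value attribute; integers are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode("utf-8")
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute wrapping a cisco-avpair string."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text))


def build_packet(code: int, identifier: int, attrs: List[bytes], secret: bytes,
                 request_authenticator: Optional[bytes] = None) -> bytes:
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    if code == ACCESS_REQUEST:
        # Access-Request: 16 random bytes (RFC 2865); a caller may supply them.
        authenticator = request_authenticator or os.urandom(16)
    else:
        # CoA/Disconnect/Accounting: MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)
        authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_packet(data: bytes) -> Tuple[int, int, bytes, List[Attribute]]:
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("length field does not match packet")
    attrs: List[Attribute] = []
    pos = 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, data[4:20], attrs


def verify_request_authenticator(data: bytes, secret: bytes) -> bool:
    """NAD-side check that a CoA-Request came from a peer holding the secret."""
    expected = hashlib.md5(data[:4] + bytes(16) + data[20:] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])


def attr_value(attrs: List[Attribute], attr_type: int) -> Optional[bytes]:
    return next((value for atype, value in attrs if atype == attr_type), None)


def attr_int(attrs: List[Attribute], attr_type: int) -> Optional[int]:
    value = attr_value(attrs, attr_type)
    return struct.unpack("!I", value)[0] if value is not None else None


def mab_access_request(mac: str, identifier: int, secret: bytes) -> bytes:
    """MAB as "host lookup": username = MAC, Service-Type = Call-Check, no password."""
    octets = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    dashed = "-".join(octets[i:i + 2] for i in range(0, 12, 2)).upper()
    return build_packet(ACCESS_REQUEST, identifier, [
        avp(USER_NAME, octets),
        avp(SERVICE_TYPE, SERVICE_TYPE_CALL_CHECK),
        avp(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET),
        avp(CALLING_STATION_ID, dashed),
    ], secret)


def coa_reauth_request(audit_session_id: str, identifier: int, secret: bytes) -> bytes:
    """CoA-Request asking the NAD to re-authenticate one session; the session is
    named by its audit-session-id (assumed AVP name) and the action by the
    subscriber:command=reauthenticate VSA from the slide."""
    return build_packet(COA_REQUEST, identifier, [
        cisco_avpair("subscriber:command=reauthenticate"),
        cisco_avpair("audit-session-id=" + audit_session_id),
    ], secret)


if __name__ == "__main__":
    secret = b"cisco123"                     # constructed shared secret
    mab = mab_access_request("00.0a.95.7f.de.06", 7, secret)
    print("MAB attributes:", parse_packet(mab)[3])
    coa = coa_reauth_request("0A2D800B00064D0D9940C540", 9, secret)
    print("CoA authenticator valid:", verify_request_authenticator(coa, secret))
```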
Managing MAB Endpoints
Context Visibility -> Endpoints

• Manual input
• Manual import
  - File format: .CSV
  - LDAP
• Profiling (dynamic discovery)
• ERS API (REST over HTTPS)
  • CRUD (Create, Read, Update, Delete) operations on ISE resources including Internal Users, Internal Endpoints and Identity Groups (User and Endpoint)
  • Software Development Kit available: https://ISE:9060/ers/sdk

802.1X
Authentication Basics: 802.1X

Supplicant <-- EAP over LAN (EAPoL), Layer 2 point-to-(multi)point --> Authenticator <-- RADIUS, Layer 3 link --> AuthC Server

Beginning:
  Supplicant -> Authenticator: EAPoL Start
  Authenticator -> Supplicant: EAPoL Request Identity
  Supplicant -> Authenticator: EAP-Response Identity: Alice
  Authenticator -> AuthC Server: RADIUS Access-Request [AVP: EAP-Response: Alice]

Middle:
  AuthC Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Authenticator -> Supplicant: EAP-Request: PEAP
  Supplicant -> Authenticator: EAP-Response: PEAP
  Authenticator -> AuthC Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
  (multiple Challenge-Request exchanges possible)

End:
  AuthC Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
  Authenticator -> Supplicant: EAP Success

RADIUS Attributes
Example for 802.1X

• Username
• Service-Type = Framed
• NAS-Port-Type = Ethernet

[Figure: users authenticate via 802.1X to the switch, which sends RADIUS to ISE]

Supported EAP Methods

• Choose the best method based on security policy and device support
• The Windows native supplicant supports PEAP w/ EAP-MS-CHAPv2 and EAP-TLS
• Apple supports PEAP, EAP-FAST and EAP-TLS
• Android supports PEAP and EAP-TLS, with some EAP-FAST support
• LEAP and MD5 are included for legacy purposes
• TEAP support in ISE 2.7

[Figure: Allowed Protocols settings, including the option to support clients that do not support EAP-NAK]

Choosing Credentials for 802.1X

[Figure: a username/password (alice / c1sC0L1v) is validated against a directory, a certificate against a Certificate Authority, and a token against a token server]

Common types: passwords, certificates, tokens
Deciding factors: security policy, validation, distribution & maintenance

Deployment best practices:
• Reuse existing credentials
• Understand the limitations of existing systems

Deploying 802.1X
802.1X in Phases

Monitor Mode: the port is open unconditionally; passed or failed authentication makes no difference, traffic to the file servers, ISE and the campus network is always allowed.

Low-Impact Mode: before authentication a PRE-AUTH ACL (permit eap dhcp dns, deny any) limits access to ISE, DHCP and DNS servers; after authentication a PERMIT ACL (permit ip any any) allows access to the file servers and the campus network.

Closed Mode: before authentication only EAP is allowed; after authentication access to the file servers and the campus network is granted.

Monitor Mode

interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 10
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 authentication violation restrict

Basic .1X/MAB: traffic is always allowed, before and after authentication, irrespective of authentication status.

MONITOR MODE: GOALS
▪ No impact to existing network access
▪ See what is on the network, who has a supplicant, who has good credentials, who has bad credentials
▪ Deterrence through accountability

MONITOR MODE: CONFIGURATION
▪ Enable 802.1X and MAB
▪ Enable Open Access: all traffic in addition to EAP is allowed; like not having 802.1X enabled, except authentications still occur
▪ Enable Multi-Auth host mode
▪ No Authorization

Monitor Mode
Next steps

MONITOR MODE: NEXT STEPS
▪ Improve accuracy
▪ Evaluate remaining risk
▪ Leverage information
▪ Prepare for access control

[Figure: the authenticator reports known MACs, unknown MACs, .1X failures and .1X passes to ISE]

• RADIUS authentication & accounting logs
• Passed / failed 802.1X (Who has bad credentials? Misconfigurations?)
• Passed / failed MAB attempts (What don't I know?)

Low-Impact Mode

interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 10
 authentication host-mode multi-auth
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 authentication violation restrict

Pre-auth and post-auth access controlled by IP ACLs (from Monitor Mode to Low-Impact Mode).

LOW-IMPACT MODE: GOALS
▪ Begin to control/differentiate network access
▪ Minimize impact to existing network access
▪ Retain visibility of Monitor Mode
▪ "Low Impact" == no need to re-architect your network
▪ Keep existing VLAN design
▪ Minimize changes

LOW-IMPACT MODE: CONFIGURATION
▪ Start from Monitor Mode
▪ Add ACLs, dACLs and flex-auth
▪ Limit the number of devices connecting to a port
▪ Authorize phones with dACLs and the Voice VSA

Closed Mode

interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 10
 no authentication open
 authentication event fail authorize vlan 101
 authentication event no-resp authorize vlan 101
 authentication event server dead action authorize vlan 101
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timer tx-period 10

No access prior to authentication; specific access on authentication success.

CLOSED MODE: GOALS
▪ As per IEEE specification for 802.1X
▪ No access before authentication
▪ Rapid access for non-802.1X-capable corporate assets
▪ Logical isolation of traffic at the access edge (VLAN segmentation)

CLOSED MODE: CONFIGURATION
▪ Return to default "closed" access
▪ Timers or authentication order change
▪ Implement identity-based VLAN assignment

Deployment Modes (for your reference)
Summary

Monitor Mode
- Authentication without authorization
- No access control
- Extensive network visibility
- No impact to endpoints or network
- Monitor the network
- Evaluate risks, prepare for access control

Low-Impact Mode
- Default open + pre-auth ACL
- Differentiated access control using dynamic IPv4 ACLs
- No Layer-2 isolation (dynamic VLANs)
- Use downloadable ACLs if you have ACS / ISE

Closed Mode
- Default closed
- Differentiated access control using dynamic VLANs
- Logical isolation at L2
- No access for unauthorized endpoints
- Impacts to network and endpoints
- Use fewest VLANs possible

External Databases (Identity Sources)
RADIUS Proxy
Administration > Network Resources > External RADIUS Servers > RADIUS Server Sequences

• Attributes can be added/removed/substituted prior to being sent to the upstream RADIUS server
• Attributes can be added/removed/substituted prior to being sent back to the NAD
• Can also go through the normal Authorization rules before the final response

[Figure: NAD <-- RADIUS --> ISE <-- RADIUS --> external RADIUS server]

Certificate Authentication Profile

[Figure: Certificate Authentication Profile form]
• A domain suffix may be needed to differentiate for a further AD/LDAP lookup
• Identity Store: use this identity store (AD/LDAP) to find the user identity and, if configured, for the binary matching
• Pick any certificate attribute for matching a user in the selected (AD) identity store
• Binary comparison of the certificate against the one stored in the identity store

Certificate Authentication Profile (for your reference)
Example for "Certificate Attribute"

Certificate Authentication Profile (for your reference)
Example for "Any Subject or Alternative Name Attributes"

Certificate Expiration Management
[Figure: certificate expiration handling for Windows versus everything else]

Active Directory
Active Directory Integration

[Figure: the PAN and the Policy Service Nodes PSN01, PSN02 and PSN03 each connect to AD, and each appears as its own computer account under Domain Computers]

Each ISE node joins and queries AD separately, and has its own computer account in AD.

Multi-Forest Active Directory Support
Scales AD integration through multiple join points and optimized lookups

✓ Join up to 50 forests or domains without mutual trusts
✓ No need for a 2-way trust relationship between domains
✓ Advanced algorithms for dealing with identical usernames
✓ SID-based group mapping
✓ PAP via MS-RPC
✓ Support for disjointed DNS namespace

*All domains must be resolvable via a single DNS server by using forwarders or authoritative zones

[Figure: ISE joined to domain-1.com, domain-2.com ... domain-n.com]

AD Join Point

The join point is the (main) domain of your forest, from where we start.

The Scope Mode enables "groups" of join points to be used in AuthC policies.

Active Directory Integration Demo
MS AD Sites

[Figure: AD sites US, EMEA and APAC with domain controllers DC0 to DC5 and PSNs 1 to 7 placed per site]

• http://technet.microsoft.com/en-us/library/cc782048%28v=ws.10%29.aspx

AD Groups

Security Identifier (SID):
• New internal reference for groups to allow for faster lookup
• Needs to be updated in case of a group name swap/recreate and after an upgrade from 1.2

Identity Rewrite

1. Rewrite the identity
2. Use the rewritten identity as the account name
3. Authenticate the user/machine against the selected domains
4. Supported for EAP-TLS too

Putting it all together
Identity Resolution

AuthC Policy -> Scope (optional) -> Identity Rewrite (optional) -> AD Join Point -> Domain List (optional) -> Target AD

User & Machine Authentication
User and Machine Policies
I know who you are, but are you logging in from a corporate device?

• User identity ("Hi, I am jsmith and my password is *******")
  • Username/password credentials (802.1X or WebAuth)
  • User certificate (802.1X)
  • Corporate user or guest (non-employee)?
• Machine "identity" (00:11:22:AA:BB:CC)
  • MAC address?
  • Machine certificate?
  • AD machine password?
  • Corporate or personal device?
• How do I tie the two together in a single policy? User + Machine = Access Policy

EAP Chaining
Background (RFC 7170)

• With 802.1X there is no way to enforce that a corporate user uses a corporate asset to connect to the network: user authentication overrides machine authentication.
• AnyConnect allows correlating a corporate user's authentication with a corporate machine authentication. It involves AnyConnect licensing, only Windows is supported, plus lifecycle management and overhead.
• TEAP is the industry standard that allows the same functionality and more. Supported in ISE 2.7.

USE ISE EAP-FAST TODAY
TEAP Overview
TEAP (RFC 7170) is a STANDARD for a tunnelled EAP authentication method

So far Cisco supports:
• A full TLS handshake to build the tunnel
• User/machine authentication during tunnel building or inside the tunnel via client certificate, without running an inner method
• User/machine authentication in the inner method via username/password or certificate
• Inner methods EAP-MSCHAPv2, EAP-TLS
• Crypto-Binding

NO supplicant support today. Microsoft will add it in a future release*
TEAP Flow (diagram, for your reference)
EAP Chaining with EAP-FAST
With AnyConnect and ISE

Steps:
1. Machine authenticates
2. ISE issues Machine AuthZ PAC
3. User authenticates
4. ISE receives Machine PAC
5. ISE issues User AuthZ PAC

Authorization rules (Rule Name: Conditions → Permissions):
• IP Phones: if Cisco-IP-Phone → then Cisco_IP_Phone
• MachineAuth: if Domain Computers → then MachineAuth
• Employee: if Network Access:EAPChainingResult = User and machine succeeded → then Employee & …
• GUEST: if GUEST → then GUEST
• Default: if no matches → then WEBAUTH

Machine authentication exchange (supplicant Corp-Win7-1 → switch (NAD, SWITCHPORT) → ISE):
• Supplicant: EAPoL Start
• NAD → ISE: RADIUS Access-Request [EAP-Tunnel = FAST]
• ISE → NAD: RADIUS Access-Challenge; to the supplicant: EAP-Request:TLV [EAP-TLV = “Machine”]
• Supplicant: EAP-Response TLV = “Machine” [EAP-ID=Corp-Win7-1]; NAD → ISE: RADIUS Access-Request [EAP-TLV= “Machine”]
• ISE → NAD: RADIUS Access-Accept (Machine AuthZ PAC); supplicant: EAP Success

User authentication exchange (the supplicant now presents the Machine PAC):
• Supplicant: EAPoL Start
• NAD → ISE: RADIUS Access-Request [EAP-Tunnel = FAST] + PAC
• ISE → NAD: RADIUS Access-Challenge; to the supplicant: EAP-Request:TLV [EAP-TLV = “Machine”]
• Supplicant: EAP-Response TLV = “User” [EAP-ID=Employee1]; NAD → ISE: RADIUS Access-Request [EAP-TLV= “User”] + PAC
• ISE → NAD: RADIUS Access-Accept (User AuthZ PAC); supplicant: EAP Success

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-82_Deploy_EAP_Chaining.pdf
EAP Chaining Configuration
On Cisco ISE: Policy > Policy Elements > Results > Authentication > Allowed Protocols (screenshot)
On Cisco AnyConnect Secure Mobility Client 4.x (screenshots)
Dual-Authentication – Why?
What Identifies the Actual User?

• Today only Windows can perform Machine AND User authentication
• Chain together 802.1X with Centralized Web Authentication (CWA)
• Authorize based on BOTH authentications:
  • Use attributes from the 802.1X session
  • Use Windows AD / LDAP groups from the CWA session
  • The authorization rule can refer to 802.1X, CWA or both

(Picture: mobile device with certificate)
802.1X and CWA Chaining

Steps:
1. EAP-TLS Authentication
2. ISE sends Access-Accept w/ URL-Redirect
3. User enters Uname/PWD
4. ISE sends CoA-reauth
5. Supplicant responds with Cert
6. ISE sends Accept, dACL & SGT

Authorization rules (Rule Name: Conditions → Permissions):
• IP Phones: if Cisco-IP-Phone → then Cisco_IP_Phone
• Employee_CWA: if AD:ExternalGroup=Employees AND CWA:CWA_ExternalGroup=Employees → then Employee & SGT
• Employee_1X: if Network Access:EAPAuthentication = EAP-TLS → then Employee & CWAchain
• Default: if no matches → then WEBAUTH
Optional additional condition on Employee_CWA: RADIUS:User-Name == CWA_Username

Exchange (supplicant with certificate CN=employee1 → NAD (SWITCHPORT) → ISE):
• Steps 1–2: EAP-ID Response; RADIUS Access-Request [EAP-Protocol= “TLS”]; the certificate is valid, ISE session data: User Identity = employee1, User Group = employees; rule Employee_1X matches; RADIUS Access-Accept [AVP:url-redirect, dacl]
• Steps 3–4: the user enters username/password on the CWA portal; session data now also has CWA Identity = JoeUser, CWA Group = employees; RADIUS CoA [AVP:reauth]; EAP-ID Req to the supplicant
• Steps 5–6: EAP-ID Response; RADIUS Access-Request [EAP-Protocol= “TLS”]; the session data carries both the 802.1X and the CWA attributes; rule Employee_CWA matches; RADIUS Access-Accept [AVP: dacl + SGT]; Access-Granted
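Both rule tables, the EAP chaining one and the 802.1X + CWA one, are first-match policies over session attributes. The following added Python model (not the deck's or ISE's code) evaluates them the way the slides describe, including the optional RADIUS:User-Name == CWA_Username check. The session dicts are constructed; the attribute names follow the rule tables, while the keys used for the endpoint profile, the guest identity group and the CWA username are assumptions of this example.

```python
from typing import Callable, Dict, List, Sequence, Tuple

# A session is the bag of attributes ISE holds for one RADIUS session; the dicts
# below are constructed stand-ins. The attribute names follow the deck's rule
# tables; the profile, identity-group and CWA username keys are assumptions.
Session = Dict[str, object]
Rule = Tuple[str, Callable[[Session], bool], List[str]]

DEFAULT_RULE: Tuple[str, List[str]] = ("Default", ["WEBAUTH"])


def _groups(s: Session) -> Sequence[str]:
    return s.get("AD:ExternalGroups", ())  # type: ignore[return-value]


def is_cisco_ip_phone(s: Session) -> bool:
    return "Cisco-IP-Phone" in s.get("EndpointProfiles", ())  # type: ignore[operator]


# EAP chaining table: IP Phones / MachineAuth / Employee / GUEST, then Default
EAP_CHAINING_RULES: List[Rule] = [
    ("IP Phones", is_cisco_ip_phone, ["Cisco_IP_Phone"]),
    ("MachineAuth", lambda s: "Domain Computers" in _groups(s), ["MachineAuth"]),
    ("Employee", lambda s: s.get("Network Access:EAPChainingResult") == "User and machine succeeded", ["Employee"]),
    ("GUEST", lambda s: s.get("IdentityGroup") == "GUEST", ["GUEST"]),
]


def cwa_chaining_rules(require_same_user: bool) -> List[Rule]:
    """802.1X + CWA table. With require_same_user the optional check from the
    deck (RADIUS:User-Name == CWA_Username) is added to Employee_CWA."""
    def employee_cwa(s: Session) -> bool:
        ok = "Employees" in _groups(s) and s.get("CWA:CWA_ExternalGroup") == "Employees"
        if ok and require_same_user:
            radius_user = s.get("RADIUS:User-Name")
            # A missing attribute must fail the comparison, never pass it (None == None).
            ok = radius_user is not None and radius_user == s.get("CWA_Username")
        return ok

    return [
        ("IP Phones", is_cisco_ip_phone, ["Cisco_IP_Phone"]),
        ("Employee_CWA", employee_cwa, ["Employee", "SGT"]),
        ("Employee_1X", lambda s: s.get("Network Access:EAPAuthentication") == "EAP-TLS", ["Employee", "CWAchain"]),
    ]


def authorize(session: Session, rules: List[Rule]) -> Tuple[str, List[str]]:
    """First-match evaluation, top to bottom; Default applies when nothing matches."""
    for name, condition, permissions in rules:
        if condition(session):
            return name, permissions
    return DEFAULT_RULE


# Constructed sessions that walk through both slides
MACHINE_ONLY: Session = {"AD:ExternalGroups": ["Domain Computers"]}
CHAINED: Session = {"AD:ExternalGroups": ["Domain Users", "Employees"],
                    "Network Access:EAPChainingResult": "User and machine succeeded"}
CERT_ONLY: Session = {"Network Access:EAPAuthentication": "EAP-TLS",
                      "RADIUS:User-Name": "employee1", "AD:ExternalGroups": ["Employees"]}
AFTER_CWA_OTHER_USER: Session = {**CERT_ONLY, "CWA:CWA_ExternalGroup": "Employees", "CWA_Username": "JoeUser"}
AFTER_CWA_SAME_USER: Session = {**CERT_ONLY, "CWA:CWA_ExternalGroup": "Employees", "CWA_Username": "employee1"}
```

Two things the model makes visible. First, order matters in a first-match table: if the attribute checked by MachineAuth were also present on a fully chained session, that session would never reach the Employee rule, so verify which groups ISE attaches to a chained session before relying on this ordering. Second, the optional username check is what binds the certificate holder to the person who typed the CWA credentials: the session with CN=employee1 and a CWA login as JoeUser is redirected again instead of receiving the SGT.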
IBNS2
IBNS 2.0 Overview
Any Authentication with Any Authorization on Any media (Wired / Wireless)

Diagram (Access Session Manager): Class-maps, Parameter Map, Service Templates and the Policy-map (Identity Control Policy) feed the Authenticator (802.1X, MAB) and the VLAN Manager; the Authenticator talks RADIUS to the RADIUS Server; Interface Template(s) provide modular LAN configurations.

IBNS 2.0 Features:
• Critical ACL
• Intelligent Aging
• Critical MAB
• Enhanced CoA
• IPv6 WebAuth
• Concurrent Authentication
• Common Session-ID
• IPv6 Identity
• Differentiated Authentication
• Template-based AuthZ (interface templates)
• NEAT
Configuring IBNS (old style)
Global AAA & RADIUS configurations, then per-port configurations

The same block of interface commands is repeated on every physical interface:

switchport ...
dot1x pae ...
authentication ...
auth host-mode ...
auth port-control ...
auth event fail ...
auth event server ...
auth periodic ...
...

(Interface Config, repeated per physical interface)
Configuring IBNS 2.0
Global AAA & RADIUS configurations, templates and policies

• Class: defined under the ‘class-map’ command
• Identity Control Policy (EVENT → CLASS → ACTION, including ACTIVATE of a service template): defined under the ‘policy-map’ command; the policy is applied with the ‘service-policy’ command
• Service Template (Access VLAN, Voice VLAN, Access Control List): configured with the ‘service-template’ command
• Interface Template (switchport..., service-policy..., access-session...): configured with the ‘template’ command; the template is applied to ports with the ‘source template’ command

Applied to physical / CAPWAP interfaces
Understanding Events, Classes and Action
Your Everyday E-mail Policy Management

E-Mail Policy (aka Inbox Filtering)
• Event: E-Mail arrives
• Class: additional attributes
  • Sender is Wife
  • Mail is Spam
  • Mail is addressed to Mail List
• Action: result, based on Class
  • Wife: 1) Mark Urgent 2) Put in Inbox
  • Spam: 1) Mark as Spam 2) Delete
  • Marketing: 1) Put in Marketing Folder
From E-mail policy to Identity Control Policy
The concept still applies

Event → Class → Action:
• session-started → always → authenticate via 802.1X
• authentication-failure (FIRST match) → AAA-DOWN (do ALL) → Terminate 802.1X, authorize port
• authentication-failure → NO-RESPONSE → Assign Guest VLAN
• authentication-failure → DOT1X-FAIL → Assign Guest VLAN

IDENTITY CONTROL POLICY
policy-map type control subscriber POLICY-A
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x
 event authentication-failure match-first
  10 class AAA-DOWN do-all
   10 terminate dot1x
   20 authorize
  20 class DOT1X_NO_RESP do-until-failure
   10 activate service-template GUEST_VLAN
  30 class 1X-FAIL do-all
   10 activate service-template GUEST_VLAN
 ...
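The event/class/action semantics that make POLICY-A work are easy to get wrong, so here is an added Python model of them (not the deck's code and not how IOS implements it): match-first stops at the first class whose condition holds while match-all lets every matching class run, and within a class do-all runs every action while do-until-failure stops at the first action that fails. The class-map conditions are constructed flags standing in for the switch's built-in match criteria; the policy itself is POLICY-A from the slide.

```python
from typing import Callable, Dict, List, Tuple

# The session is a dict of flags plus an action log; every action returns True on
# success or False on failure, which is what do-until-failure reacts to. The
# class-map conditions are constructed stand-ins for the switch's built-in ones.
Session = Dict[str, object]
Action = Callable[[Session], bool]
Policy = Dict[str, Tuple[str, List[Tuple[str, str, List[Action]]]]]


def _log(s: Session, text: str) -> None:
    s.setdefault("log", []).append(text)  # type: ignore[union-attr]


def authenticate_using(method: str) -> Action:
    def act(s: Session) -> bool:
        _log(s, f"authenticate using {method}")
        return True
    return act


def terminate(method: str) -> Action:
    def act(s: Session) -> bool:
        _log(s, f"terminate {method}")
        return True
    return act


def authorize() -> Action:
    def act(s: Session) -> bool:
        _log(s, "authorize")
        return True
    return act


def activate_service_template(name: str) -> Action:
    def act(s: Session) -> bool:
        # Activating a template that is not defined on the box is a failing action.
        if name not in s.get("templates_defined", ()):  # type: ignore[operator]
            _log(s, f"activate service-template {name}: FAILED (not defined)")
            return False
        _log(s, f"activate service-template {name}")
        return True
    return act


CLASS_MAPS: Dict[str, Callable[[Session], bool]] = {
    "always": lambda s: True,
    "AAA-DOWN": lambda s: bool(s.get("aaa_server_down")),
    "DOT1X_NO_RESP": lambda s: bool(s.get("dot1x_no_response")),
    "1X-FAIL": lambda s: bool(s.get("dot1x_failed")),
}

# POLICY-A from the slide: event -> (match mode, [(class, action mode, actions)])
POLICY_A: Policy = {
    "session-started": ("match-all", [
        ("always", "do-until-failure", [authenticate_using("dot1x")]),
    ]),
    "authentication-failure": ("match-first", [
        ("AAA-DOWN", "do-all", [terminate("dot1x"), authorize()]),
        ("DOT1X_NO_RESP", "do-until-failure", [activate_service_template("GUEST_VLAN")]),
        ("1X-FAIL", "do-all", [activate_service_template("GUEST_VLAN")]),
    ]),
}


def run_event(policy: Policy, event: str, session: Session) -> List[str]:
    """Evaluate one event against the policy and return the ordered action log."""
    session["log"] = []
    match_mode, classes = policy[event]
    for class_name, action_mode, actions in classes:
        if not CLASS_MAPS[class_name](session):
            continue
        for action in actions:
            if not action(session) and action_mode == "do-until-failure":
                break
        if match_mode == "match-first":
            break
    return list(session["log"])  # type: ignore[arg-type]
```

The case to look at is a session where both AAA-DOWN and DOT1X_NO_RESP hold: because the event is match-first, the port is authorized by the AAA-DOWN class and the guest VLAN class never runs, which is the intended fail-open-only-when-the-server-is-gone behaviour.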
Templates
Dynamic Configuration Done the Right way

Configuration by Reference:
• Service templates
  - are dynamically assigned to a session
  - can be locally defined – or –
  - downloaded by RADIUS
• Interface templates
  - Cure for configuration bloat
  - Generic tool, not restricted to Session / Identity
  - Like Port Profiles on NX-OS

Diagram: Gi1/0/1, Gi1/0/2, Gi1/0/3 User Port; Gi1/0/4 Access Point
Service Template Example
Using a Critical Auth Example

service-template CRITICAL
 description allow all traffic
 access-group PERMIT-IPV4-ANY
 access-group PERMIT-IPV6-ANY
!

Available commands:
switch(config)#service-template CRITICAL
switch(config-service-template)#?
service-template configuration commands:
  absolute-timer    Absolute timeout value in seconds
  access-group      Access list to be applied
  description       Enter a description
  exit              Exit identity policy configuration submode
  inactivity-timer  Inactivity timeout value in seconds
  no                Negate a command or set its defaults
  redirect          Redirect clients to a particular location
  tag               tag name
  tunnel            tunnel for wired client access
  vlan              Vlan to be applied
  voice             Voice feature
switch(config-service-template)#

• Can be defined locally on the switch
• Can also be defined on the RADIUS server and downloaded dynamically as needed per authorization or during CoA
• Used as one of the Actions per Control-Policy or as part of the RADIUS Authorization (AV Pair)
• Templates via AAA can contain arbitrary AV Pairs
Applying a template
Similar to Applying a PORT ACL via filter-id

Flow (Endpoint → Switch → RADIUS Server):
1. Endpoint → Switch: EAPoL
2. Switch → RADIUS Server: Access-Request, username=jdoe
3. RADIUS Server → Switch: Access-Accept with AV-Pair “subscriber:service-name=TEMPLATE”
4. Switch: enforce the template DEFINED ON SWITCH:

service-template TEMPLATE
 access-group PERMIT-ANY
 vlan 100
 inactivity-timer 360

• Can also be triggered via RADIUS CoA
• Service-template activation can be a local Control Policy action
• If it doesn’t exist on the switch, it can be downloaded like a dACL
Service Template Download from AAA

ACS / any RADIUS Server:
• Incoming request tagged with cisco-av-pair=“download-request=service-template”
• Template-Name = Username
• Trivially pass authentication (username is the template name)
• Template content is defined by AV pairs returned in authorization rules

ISE:
• Template support is built-in
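The "trivially pass authentication" rule is the part of this mechanism that deserves care, so here is an added Python sketch (not the deck's, ISE's or ACS's code) of how a RADIUS server side can handle such a request: a request carrying the download marker is answered with the attributes of the template named in User-Name, an unknown template name is rejected, and every request without the marker still goes through credential verification. The template catalogue, its RADIUS attribute values and the user store are constructed for the example and are not the attribute set any particular switch expects.

```python
from typing import Callable, Dict, List

# Constructed catalogue of downloadable templates. The RADIUS attributes are
# illustrative choices for this example, not the attribute set a given switch expects.
SERVICE_TEMPLATES: Dict[str, List[str]] = {
    "CRITICAL": ["Filter-Id=PERMIT-ANY", "Tunnel-Type=VLAN",
                 "Tunnel-Medium-Type=IEEE-802", "Tunnel-Private-Group-Id=100"],
    "GUEST_VLAN": ["Tunnel-Type=VLAN", "Tunnel-Medium-Type=IEEE-802",
                   "Tunnel-Private-Group-Id=150"],
}

# The marker the deck names; the switch sends it in a cisco-av-pair of the request.
DOWNLOAD_MARKER = "download-request=service-template"

Request = Dict[str, object]
Response = Dict[str, object]


def is_template_download(request: Request) -> bool:
    avpairs = request.get("Cisco-AVPair", [])
    return DOWNLOAD_MARKER in avpairs  # type: ignore[operator]


def handle_access_request(request: Request, verify_credentials: Callable[[str, str], bool]) -> Response:
    """Server-side handling of one Access-Request. The 'trivially pass' rule is
    scoped to requests carrying the download marker; every other request goes
    through credential verification, so a user named like a template cannot
    obtain the template's attributes by name alone."""
    user = str(request.get("User-Name", ""))
    if is_template_download(request):
        attributes = SERVICE_TEMPLATES.get(user)
        if attributes is None:
            return {"code": "Access-Reject", "reason": f"unknown service template {user!r}"}
        return {"code": "Access-Accept", "attributes": list(attributes)}
    if verify_credentials(user, str(request.get("User-Password", ""))):
        return {"code": "Access-Accept", "attributes": []}
    return {"code": "Access-Reject", "reason": "credentials rejected"}


# Constructed user store standing in for the identity source
def demo_verify(user: str, password: str) -> bool:
    return {"jdoe": "s3cret"}.get(user) == password
```

When building this as an ISE or ACS authorization rule, put the download marker in the rule's condition, not just the username pattern; the third test below is the case a misconfigured rule would get wrong.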
Interface Templates
Interface configuration container

Switch(config)#template Corp-Default-Access
Switch(config-template)#?
Template configuration commands:
  aaa             Authentication, Authorization and Accounting.
  access-session  Access Session specific Interface Configuration Commands
  authentication  Auth Manager Interface Configuration Commands
  carrier-delay   Specify delay for interface transitions
  dampening       Enable event dampening
  default         Set a command to its defaults
  description     Interface specific description
  dot1x           Interface Config Commands for IEEE 802.1X
  exit            Exit from template configuration mode
  hold-queue      Set hold queue depth
  ip              IP template config
  keepalive       Enable keepalive
  load-interval   Specify interval for load calculation for an interface
  mab             MAC Authentication Bypass Interface Config Commands
  mls             mls interface commands
  no              Negate a command or set its defaults
  peer            Peer parameters for point to point interfaces
  priority-queue  Priority Queue
  queue-set       Choose a queue set for this queue
  radius-server   Modify RADIUS query parameters
  service-policy  Configure CPL Service Policy
  source          Get config from another source
  spanning-tree   Spanning Tree Subsystem
  srr-queue       Configure shaped round-robin transmit queues
  storm-control   storm configuration
  subscriber      Subscriber inactivity timeout value.
  switchport      Set switching mode characteristics

• Interface level commands available for templates in 15.2(2)E / 3.6.0.E
• Only these commands can be used in Interface Templates
• Other interface level commands are configured “the usual” way
Interface Template Example
Define and Source Templates

template Corp-Default-Access
 dot1x pae authenticator
 spanning-tree portfast
 switchport access vlan 100
 switchport mode access
 mab
 access-session port-control auto
 service-policy type control subscriber ACCESS-POLICY
!
interface GigabitEthernet0/1
 source template Corp-Default-Access
!
interface GigabitEthernet0/2
 source template Corp-Default-Access
!
interface GigabitEthernet0/3
 source template Corp-Default-Access
!
.
.
interface GigabitEthernet0/46
 source template Corp-Default-Access
!

• All interface level configuration can be contained within the interface template
• Applied on physical ports with the “source template” interface config command
• The running configuration doesn’t show all interface configs; use the “show derived-config” exec command:

Switch#show derived-config interface Gi 0/1
Building configuration...

Derived configuration : 234 bytes
!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 access-session port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 service-policy type control subscriber ACCESS-POLICY
Built-in Interface templates
Similar to AutoSmart Ports with added efficiency

switch#show template interface brief
Template-Name                   Source              Bound-to-Interface
-------------                   ------              ------------------
AP_INTERFACE_TEMPLATE           Built-in            No
Corp-Default-Access             User                Yes
DMP_INTERFACE_TEMPLATE          Built-in            No
IP_CAMERA_INTERFACE_TEMPLATE    Modified-Built-in   Yes
IP_PHONE_INTERFACE_TEMPLATE     Built-in            No
LAP_INTERFACE_TEMPLATE          Built-in            No
MSP_CAMERA_INTERFACE_TEMPLATE   Built-in            No
MSP_VC_INTERFACE_TEMPLATE       Built-in            No
PRINTER_INTERFACE_TEMPLATE      Built-in            No
ROUTER_INTERFACE_TEMPLATE       Built-in            No
SWITCH_INTERFACE_TEMPLATE       Built-in            No
TP_INTERFACE_TEMPLATE           Built-in            No

switch#show template interface source built-in AP_INTERFACE_TEMPLATE
Building configuration...
Template Name       : AP_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
mls qos trust cos
srr-queue bandwidth share 1 30 35 5
priority-queue out
!
end

• 11 Built-in Templates based on common end devices
• Similar to ASP built-in Macros
• Can be modified (shown as a Modified template)

Advantages over Auto Smart Ports:
• No changes to the running-config
• Compatible with Session Manager (PA-IBNS)
• Templates apply per port or per session
• Complete rollback and precedence management
Interface-template Authorization from RADIUS
“cisco-av-pair = interface-template-name=<template>”

• The template must be configured locally on the switch
• Works similar to the “Filter-ID” RADIUS attribute, authorizing a set of interface commands for a session (returned by ACS or ISE)
• On session termination, the interface configuration is reset to the static template sourced on the interface
Putting the Pieces Together
Policy Configuration Elements

aaa […]                                        • Global Configuration (AAA, 802.1X, CoA, ACLs, etc.)
radius […]
dot1x system-auth-control
ip access-list […]
ipv6 access-list […]
service-template […]                           • Service Template Configuration (optional)
service-template […]
class-map […]                                  • Global Policy Configuration (policy-map referencing class-maps)
class-map […]
policy-map […]
template […]                                   • Interface-template Configuration
 mab
 access-session port-control […]
 service-policy type control subscriber […]
interface range Gi 1/0/1 – 48                  • Per-Interface Configuration
 source template […]                           • References to other Policy Elements (static or dynamic)
IBNS (old-style) vs IBNS 2.0 (new-style) (comparison diagram)
Configuration Mode Display
Bridging the Gap between ‘Old World’ and ‘New World’

• Existing configurations ‘simply work’
• They are converted in the background to the new Policy Mode
• Use the CLI to change how the configuration is shown:

switch# authentication display ?
  legacy     Legacy configuration
  new-style  New style (c3pl) configuration

• If the configuration is changed in Policy Mode, or the switch is rebooted in Policy Mode, the change is non-reversible
• No IPv6 capable WebAuth in Old Style Mode
• The display setting is transient and ‘Exec mode’ only (it does not appear in the configuration)

Tip: Start with a known good configuration and see how changes in ‘legacy mode’ change the new configuration!
IBNS 2.0 features
Critical ACL
Scenarios today with Low Impact Mode

Before Authentication (PRE-AUTH-ACL on the port):
 Permit any (DHCP, DNS) to the Infra Servers
 Permit any DHCP
 Permit any DNS
 Deny any any
 Endpoint in the Default VLAN; the RADIUS Server (10.1.1.1) and the Protected Servers are not reachable
 Before authentication success, the endpoint has limited access to the network resources, defined by the PRE-AUTH-ACL on the port

Authentication Success (PRE-AUTH-ACL + dACL):
 Permit ip host 10.1.1.1 any
 Endpoint in the Default / Dynamic VLAN; Infra Servers, RADIUS Server and Protected Servers reachable
 On authentication success, the RADIUS server authorizes the endpoint with a dACL (permit ip any any) granting full access

AAA Server Unreachable (PRE-AUTH-ACL):
 Permit any (DHCP, DNS) to the Infra Servers
 Permit any DHCP
 Permit any DNS
 Deny any any
 Endpoint in the Critical VLAN; the RADIUS Server (10.1.1.1) is down and the Protected Servers stay blocked
 The endpoint may be authorized to a critical VLAN, but the PRE-AUTH-ACL on the port would still block the access during AAA outage*

* Critical authorization won’t apply to endpoints that were authorized by AAA server when it was reachable
Critical ACL
Configuration Example

Event → Class → Action:
• session-started → always → authenticate via 802.1X
• violation → always → restrict
• agent-found → always → authenticate via 802.1X
• authentication-failure (Match First) → AAA-DOWN (Do All) → activate service-template, authorize port, Terminate 1X & MAB
• authentication-failure → DOT1X-FAIL → authenticate via MAB

service-template CRITICAL
 access-group CRITICAL-V4
 access-group CRITICAL-V6
!
policy-map type control subscriber DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
 event authentication-failure match-first
  10 class AAA-DOWN do-all
   10 activate service-template CRITICAL
   20 authorize
   30 terminate dot1x
   40 terminate mab
  20 class 1X-FAIL do-all
   10 authenticate using mab
Critical MAB
Local Authentication during Server Failure

username 000c293c8dca password 0 000c293c8dca
username 000c293c8dca aaa attribute list mab-local
!
aaa local authentication default authorization mab-local
aaa authorization credential-download mab-local local
!
aaa attribute list mab-local
 attribute type tunnel-medium-type all-802
 attribute type tunnel-private-group-id "150"
 attribute type tunnel-type vlan
 attribute type inacl "CRITICAL-V4"
!
policy-map type control subscriber ACCESS-POL
 ...
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authenticate using mab aaa authc-list mab-local authz-list mab-local
 ...

Diagram: the RADIUS server is unreachable across the WAN; endpoint 000c.293c.8dca is in the local whitelist, endpoint 000c.293c.331e is not

▪ Additional level of check to authorize hosts during a critical condition
▪ EEM scripts could be used for dynamic update of whitelisted MAC addresses
▪ Sessions re-initialize once the server connectivity resumes.
Concurrent Authentication
Faster on-boarding of endpoints in to the network

Sequential Authentication:
authentication order dot1x mab
(diagram: .1x EAP, then CDP/DHCP, then EAP over RADIUS towards the Campus LAN)

Concurrent Authentication:
event session-started match-all
 10 class always do-until-failure
  10 authenticate using dot1x priority 10
  20 authenticate using mab priority 20
(diagram: .1x EAP and CDP/DHCP at the same time, EAP over RADIUS towards the Campus LAN)

• Faster on-boarding, good for delay sensitive endpoints
• An endpoint may be authenticated by both methods, but priority determines the ultimate authorization
• Additional load to the RADIUS server: multiple authentication requests hit the server for the same client
Differentiated Authentication
Authenticate different methods with different servers

aaa group server radius mab-servers
 server name ise01
!
aaa group server radius 1x-servers
 server name ise02
!
aaa authentication dot1x 1x-servers group 1x-servers
aaa authentication dot1x mab-servers group mab-servers
!
aaa authorization network 1x-servers group 1x-servers
aaa authorization network mab-servers group mab-servers
!
radius server ise02
 address ipv4 172.20.254.8 auth-port 1645 acct-port 1646
 key xxxxxx
!
radius server ise01
 address ipv4 172.20.254.4 auth-port 1645 acct-port 1646
 key xxxxxx
!
policy-map type control subscriber ent-access-pol
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list 1x-servers authz-list 1x-servers
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab aaa authc-list mab-servers authz-list mab-servers
 ......

Diagram: 802.1X endpoint on Gi1/0/1; one RADIUS server group points at ISE, the other at the legacy NAC server

Requirement: Authenticate 802.1X endpoints with the new RADIUS Server (ISE) and authenticate non-802.1X (MAB) devices with the legacy NAC infra
Intelligent Aging
Disconnect Indirectly connected endpoint sessions

Switch(config-if)#subscriber aging inactivity-timer 30 probe

Or

service-template IA-TIMER
 inactivity-timer 60 probe
!
policy-map type control sub ACCESS-POL
 ...
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template IA-TIMER
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 unauthorize
 ...

IP Device Tracking Table
----------------------------------------------
IP Address   MAC Address      VLAN  Intf
----------------------------------------------
10.1.1.1     000A.0001.0001   100   G1/1
10.1.2.1     0001.0001.0002   101   G1/2
10.1.3.1     000B.0001.000A   201   G1/2
10.1.2.2     0001.0001.0003   101   G1/3

Diagram: endpoints 000A.0001.0001 (indirectly connected host behind a 3rd party phone), 0001.0001.0002, 000B.0001.000A (printer) and 0001.0001.0003 (indirectly connected host behind a hub) on Gi1/1, Gi1/2 and Gi1/3, with the RADIUS server behind the switch. 3rd party IP phones do not have EAPoL Proxy Logoff capabilities.

Optional RADIUS attributes: Idle-Timeout (28) = 30, Termination-Action (29) = 0

▪ The inactivity timer is an indirect mechanism the switch uses to infer that an endpoint has disconnected.
▪ An expired inactivity timer cannot guarantee that an endpoint has disconnected. Devices such as a network printer that services occasional requests but is otherwise silent may have their session cleared, even though they are still connected.
▪ IBNS 2.0 enhances the ‘inactivity timer’ with ARP probes to ensure that an endpoint is indeed disconnected. ARP probes are sent based on ‘ip device tracking table’ data.
IPv6 Identity
With Identity-Policy, both IPv4 & IPv6 endpoints can be on-boarded consistently

!
ipv6 snooping policy v6-snoop
 trusted-port
!
vlan configuration 100-180
 ipv6 nd suppress
 ipv6 snooping
!
interface TenGig1/1/1
 description *** Uplink ***
 [ ... ]
 ipv6 snooping attach-policy v6-snoop
!
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 access-session port-control auto
 ipv6 traffic-filter IPV6-PRE-AUTH-ACL in
 dot1x pae authenticator
 spanning-tree portfast
 service-policy type control subscriber ACCESS-POL
!
service-template CRITICAL
 description allow all traffic
 access-group PERMIT-IPV4-ANY
 access-group PERMIT-IPV6-ANY
!

▪ IPv6 Pre-auth-acl limits IPv6 traffic prior to authentication
▪ Enable IPv6 Device Tracking
  ▪ Note: Define which VLANs to apply and also trust the uplink port
▪ The same identity control policy applies for both IPv4 & IPv6 clients
▪ Make the Identity Policy IPv6 aware
  ▪ The service-template provisions the IPv6 ACL for Post-Auth / Critical authorization purposes
Why use IBNS 2.0?

• IBNS 2.0 is flexible and extensible
• Service templates offer consistent on-box and centralized authorizations
• Interface templates keep your running-config light and clean
• It’s ready, backward compatible and offers seamless migration to ‘new-style’
• SDA configuration is based on IBNS 2.0 – be ready for the future
ISE-Cream, Inc.
Next steps…
I love ISE-Cream. I want some more

• 802.1X for corporate laptops
• MAB for printers, factory devices etc.
• EAP Chaining for laptops – combine user & machine authentication
• Use IBNS2 for ISE configuration on switches

(Photo: my son :))
ISE in VPN Networks

Eugene Korneychuk
CX Technical Leader (EMEA TAC)
CCIE Security #43253

Use-Case: ISE-Cream, Inc - VPN
• Firepower firewall running FTD 6.5
• Phase 1. Remote access users to be able to work from home; administrators should have the ability to disconnect the user at any point in time
• Phase 2. CISO requires MFA access for all remote use cases
• Phase 3. Compliance check of connected devices
Remote Access VPN

A remote-access VPN connection allows an individual user to connect to a private network from a remote location using a laptop or desktop computer connected to the Internet

(Diagram: VPN clients connecting over the Internet to the VPN gateway)
ISE-Cream Remote Access VPN Topology Phase 1
AnyConnect VPN Client → FTD → ISE

1. AnyConnect VPN connection initiated
2. FTD → ISE: RADIUS Authentication, Access-Request
3. ISE → FTD: RADIUS Authentication, Access-Accept
4. FTD → ISE: dACL Request, Access-Request
5. ISE → FTD: dACL Request, Access-Accept
6. AnyConnect VPN connection established
7. FTD → ISE: RADIUS Accounting, Accounting-Request
8. ISE → FTD: RADIUS Accounting, Accounting-Response
ISE-Cream RA VPN Phase 1. Requirements

• Dedicated IP address assignment based on user AD attribute
• Permissions assignment based on Active Directory Group (dACL)
• Ability to block the user at any point in time from Remote Access VPN

DEMO VPN Phase 1
AnyConnect MFA with Duo. Native MFA
AnyConnect VPN Client → Network Access Device → ISE → Duo Cloud

1. AnyConnect VPN connection initiated. The user is prompted with a username and 2 password fields (first factor and second factor authentication)
2. Primary RADIUS Authentication, Access-Request
3. Primary RADIUS Authentication, Access-Accept
4. Secondary authentication will be invoked only if the primary is successful. The secondary password field can be populated with “sms”, “phone” or “push”. The connection is using LDAPS, TCP port 636

During the LDAP authentication the following is seen:
• Device (ASA) authentication (LDAP bind) with the login DN and login password taken from the Duo settings (integration_key, secret_key)
• LDAP search with cn=username filter
• User authentication (LDAP bind); at this point Duo will parse the password and perform an API call to invoke the requested second factor
AnyConnect MFA with Duo. Native MFA
AnyConnect VPN Client → NAD → Duo Cloud

5. Duo services contact the mobile device to confirm second factor authentication. Depending on the secondary password, the Duo cloud will contact the phone:
• “sms”: the initial connection will fail and an SMS will be sent to the phone; upon reconnecting, the new code from the SMS should be entered
• “phone”: the connection will freeze until you receive a call and press any button on the call
• “push”: the connection will freeze until you receive a push notification in the Duo application and accept it
• Alternatively you can provide a one-time password from the Duo application
6. The mobile device replies to the second factor authentication request
7. Upon successful second factor authentication the Duo Cloud replies to the AC client (LDAP response). The connection is using LDAPS, TCP port 636
8. AnyConnect VPN connection established
ISE-Cream RA VPN Phase 2. Requirements

Users should be prompted with single username and password

2 Factor Authentication, with Push as a Second Factor

Permissions assignment based on Active Directory Group (dACL)

AnyConnect MFA with Duo
AnyConnect VPN Client, Network Device, ISE, Duo Authentication Proxy, AD, Duo Cloud

AnyConnect VPN connection initiated
RADIUS Authentication, Access-Request
RADIUS Proxy Authentication, Access-Request
Primary Authentication, LDAP

Depending on the authentication proxy server configuration from authproxy.cfg, primary authentication can be one of the following types:
ad_client - Active Directory Server (Using LDAP protocol for authentication)
radius_client – RADIUS Server using RADIUS as a protocol

AnyConnect MFA with Duo
AnyConnect VPN Client, Network Device, ISE, Duo Authentication Proxy, Duo Cloud, Phone

Secondary Authentication, connection is using tcp port 443
Duo services contacting mobile device to confirm second factor authentication
Mobile device replies to second factor authentication request
Upon successful second factor authentication Duo Cloud replies to the Duo Proxy. Connection is using tcp port 443
RADIUS Proxy Authentication, Access-Accept
RADIUS Authentication, Access-Accept
AnyConnect VPN connection established

DEMO VPN Phase 2
ISE-Cream RA VPN Phase 3. Requirements

Users should be able to access corporate resources only if they are Compliant. For the remote users Firewall should be always enabled

Keep 2 Factor Authentication, with Push as a Second Factor

What is Posture?

Posture defines the state of compliance with the company’s security policy

File Condition? USB? Latest Patch? Anti-Virus Software? Anti-Spyware Software? Firewall Software? Disk Encryption? Registry Entry?

DEMO VPN Phase 3
ISE and RA VPN. CoA Push

Original Authentication, Compliance State is Unknown.
1 Cisco-AVPair coa-push=true is sent in Access-Request
2 Live Session is created. Endpoint Profile is updated
3 CoA Push with Attributes included based on new Authorization Profile is sent
4 dACL download

ISE and RA VPN. Profiling based on ACIDex attributes

1 Original Profile is Unknown. Endpoint is seen for the first time
2 Profile is changed to Windows10-Workstation

ISE and IPsec
vs IPsec

Q1. Does ISE terminate IPsec tunnels?


Q2. Why do we need IPsec tunnels on ISE?

Use-Case: ISE-Cream, Inc. - VPN
• Firepower firewall running FTD 6.5
• Phase 1. Remote access users to be able to work from home, administrators should have an ability to disconnect the user at any point of time
• Phase 2. CISO requires MFA access for all remote use cases
• Phase 3. Compliance checking of connected devices
• Phase 4. Protect RADIUS Links with IPsec

ISE and IPsec
vs IPsec

             RADIUS                            TACACS+
Encryption   Encrypts only the Password Field  Encrypts the entire payload

RADIUS, TACACS+

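As an added example that is not part of the deck, the RFC 2865 section 5.2 User-Password hiding in Python, to show concretely what “encrypts only the Password Field” means on the wire and why the rest of the RADIUS exchange is worth an IPsec tunnel; the shared secret, Request Authenticator and credentials are constructed values, and the summary function is this example's own, not an ISE API.

```python
"""Added example (not from the TECSEC-3416 deck): how RADIUS protects the
User-Password attribute and nothing else, per RFC 2865 section 5.2.

The shared secret, Request Authenticator and password used here are
constructed sample values, not taken from any real deployment."""
import hashlib
import os


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a User-Password as a RADIUS client does (RFC 2865 section 5.2).

    The password is padded with NULs to a multiple of 16 octets, then each
    16-octet chunk is XORed with MD5(secret + previous_ciphertext_chunk),
    where the first "previous chunk" is the 16-octet Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk  # chaining: next keystream depends on this ciphertext
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the obfuscation as the RADIUS server does; strips NUL padding.

    Note the trade-off the RFC accepts: a password ending in NUL octets
    cannot be distinguished from its padding.
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request_summary(username: bytes, password: bytes, secret: bytes) -> dict:
    """Show what an on-path observer sees in an Access-Request without IPsec.

    User-Name, the Request Authenticator and every other attribute travel in
    clear; only User-Password is hidden, and only by an MD5 keystream
    derived from the shared secret (not by a cipher with a key exchange).
    """
    authenticator = os.urandom(16)  # random Request Authenticator, sent in clear
    return {
        "User-Name": username.decode(),                # visible on the wire
        "Request-Authenticator": authenticator.hex(),  # visible on the wire
        "User-Password": radius_hide_password(password, secret, authenticator).hex(),
        "protected_by": "MD5(shared secret || authenticator) XOR, not a cipher",
    }
```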
ISE and IPsec
vs IPsec

ISE and IPsec
vs IPsec

ISE and IPsec
vs IPsec

ISE (ADE-OS): Application, Tap-0, ESR (5921) with Eth0/0, Eth0/1, Eth0/2, ISE interfaces GE-0, GE-1, GE-2; IPsec Tunnel carrying RADIUS/TACACS+ to the Network Access Device

• Once encrypted packets are received by the GE-1 ISE interface, ESR (5921) intercepts them on the Eth0/0 interface.
• ESR decrypts them and, according to preconfigured NAT rules, performs address translation. Outgoing (towards NAD) RADIUS/TACACS+ packets are translated to the Ethernet0/0 interface address and encrypted afterwards.

ISE and IPsec
vs IPsec
ISE Configuration
Administration > System > Settings > Protocols > IPsec

ISE and IPsec
vs IPsec
ISE Verification
ISE22-2ek/admin# esr
% Entering ESR 5921 shell
% Cisco IOS Software, C5921 Software (C5921_I86-UNIVERSALK9-M), Version 15.5(2)T2, RELEASE SOFTWARE (fc3)
% Technical Support: http://www.cisco.com/techsupport
% Copyright (c) 1986-2015 Cisco Systems, Inc.
Press RETURN to get started, <CTRL-C> to exit
ise-esr5921>en
ise-esr5921#show crypto session
Crypto session current status

Interface: Virtual-Access2
Profile: default
Session status: UP-ACTIVE
Peer: 10.48.23.68 port 500
Session ID: 105
IKEv2 SA: local 10.48.17.87/500 remote 10.48.23.68/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

ISE and IPsec
vs IPsec
ISE Verification
ise-esr5921#sh crypto ipsec sa

interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 10.48.17.87
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.48.23.68 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
#pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.48.17.87, remote crypto endpt.: 10.48.23.68
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xB5153632(3038066226)
PFS (Y/N): N, DH group: none

ISE and IPsec
vs IPsec
ISE Verification

RADIUS, TACACS+

Lunch Break

We’ll start back at 14:15

ISE in Wireless Networks

Nicolas Darchis
CX Technical Leader (EMEA TAC)
CCIE Wireless #25344

Use Case: ISE-Cream, Inc. - Wireless
• Customer needs fast roaming – for users and warehouse devices
• Many different factory devices = non 802.1X needs to be connected
  Specific PSK for each device
  Based on factory plant, device type or AP location…
• Using Meraki MDM for mobile device management. Their CISO requires them to check compliance status before giving access to network
• Guest solution

“It’s the Wi-fi” problem #1

• Problem definition: ISE is getting a ton of authentication requests from wireless clients!
• Probable cause: “It’s the Wi-fi” according to 90% of the IT team
• We’re going to look at: roaming

802.1X Roaming
Wireless roaming: PSK concept

Connecting to a WPA2 PSK SSID is an 8-frame exchange (before actual data can be sent),
every time the client moves to another Access Point

Wireless roaming: 802.1X concept
Connecting to a WPA2 dot1x SSID means a lot more frames (and a RADIUS auth), every
time you roam, in most cases (i.e. when there is no fast roaming)

0.4s to 1.5s

Wireless roaming: concept

WPA2-dot1x roaming in an industrial/warehouse environment:
• Let’s say 1000 clients
• ISE can easily handle that right? What’s the max. a PSN can take?

Wireless roaming: concept

But those warehouse robots / employees on forklifts don’t have time to lose.
What if those clients authenticate every 10 seconds? That’s 6000 authentications per minute, 360 000 authentications per hour

• ISE last words:

Wireless Fast Secure roaming
The options

The ”everyone does their own thing”:
• WPA Sticky Key Caching (SKC)
• WPA Opportunistic Key Caching (OKC)
The standard:
• Fast Transition (FT/802.11r)
The ”let’s not talk about it too much anymore”:
• CCKM
The tricks

Wireless Fast Secure roaming
Sticky key caching

• Optional part of WPA2 certification. Implemented mostly by Apple iPhones
• 802.1X authentication occurs on initial connection, and upon further roaming events, except when the client roams BACK to an AP it previously connected to. It then skips the 802.1X and can derive a new encryption key based on the old one

Wireless Fast Secure roaming
Sticky key caching

• No FlexConnect support. No support on Wave 2 and Wi-Fi 6 APs (AP COS)
• Not enabled by default. config wlan security wpa wpa2 cache sticky enable <wlan_id>
• Does not scale. Only the last 8 APs of a client are kept

Conclusion: SKC is like a phone directory in 2019, you have to tell your kids what they were for because it’s not obvious to them
Wireless Fast Secure roaming
Opportunistic Key Caching

• Optional part of WPA2 certification. Implemented mostly by laptops.
• Caches one PMK
• Derives new keys out of it using the new AP MAC address
• Only 802.1X on the initial connection and then WPA 4-way handshakes from then on

Wireless Fast Secure roaming
Opportunistic Key Caching

• Automatically supported on WLC
• Flex and standalone mode supported
• Client support varies and is typically poorly documented
• Fast enough roaming, but not the fastest
• Conclusion: OKC is a free bonus. You don’t need to do anything and if it happens, you win a bit

Wireless Fast Secure roaming: early verdict ?

• Not a single widely supported standard for years

• Smartphones (and MacBooks) don’t have a proper fast roaming mechanism on WPA2/3

Wireless Fast Secure roaming
11r/ Fast Transition

• 802.11r (Fast Transition) has been standardized for years but didn’t get traction due
to lack of Wi-Fi Alliance certification. Things are slowly changing
• Goes further than CCKM and piggybacks the 4-way key handshake on the existing
802.11 authentication and association frame. Virtually no overhead
• 802.1X upon initial connection but then 802.1X is skipped upon every roaming event
(unless session times out)
• FT is available even for PSK SSID, in order to skip the 4-way handshake upon
roaming

Wireless Fast Secure roaming
11r/ Fast Transition (over-the-air)

Wireless Fast Secure roaming
over the DS Fast Transition

Wireless Fast Secure roaming
FT compatibility with clients ?

An SSID can offer both regular WPA2 and WPA2 with FT

Wireless Fast Secure roaming
FT: enabled + WPA2 dot1x

Non-FT clients can connect too. FT clients will benefit from fast roaming

Some older and poorly coded clients (IoT?) might freak out to see 2 key management methods

Conclusion: FT + dot1x is the best option … if your devices are OK with it

Wireless Fast Secure roaming
FT compatibility with clients ? Adaptive FT

Cisco also offers Adaptive FT for maximum compatibility

Wireless Fast Secure roaming
Adaptive FT

Apple iOS devices will benefit from FT on this SSID

Only iOS devices will benefit from FT. A Samsung phone supporting FT will believe the SSID does not support FT and will not use it

Adaptive FT is like a new Star Wars movie. It makes Star Wars fans happy while others just ignore it

Wireless Fast Secure roaming
Any band-aid when you can’t afford a proper fast roaming method?

• EAP session resume
• Fast reconnect
• ISE stateless session resume (i.e. TLS session tickets)

Wireless Fast Secure roaming
TLS (1.2) regular handshake parenthesis

Wireless Fast Secure roaming
TLS 1.2 session resumption (through session ID)

Wireless Fast Secure roaming
Any band-aid when you can’t afford a proper fast roaming method?

Cache TLS (TLS Handshake Only/Skip Cert)
Cache TLS session
Skip inner method
Note: Both Server and Client must be configured for Fast Reconnect
Win 7 Supplicant

Wireless Fast Secure roaming
Any band-aid when you can’t afford a proper fast roaming method?
• Session ticket extension per RFC 5077 [Transport Layer Security (TLS) Session Resumption without Server-Side State]
• ISE issues the TLS client a session ticket that can be presented to any PSN to shortcut the reauth process (Default = Disabled)
Allows resume with Load Balancers
Time until session ticket expires

Policy > Policy Elements > Results > Authentication > Allowed Protocols

Wireless Fast Secure roaming
What about WPA3?

• Let’s add 2 more frames to the mix!
• Here is a PSK (SAE) exchange:
• No FT as of now

Wireless Fast Secure roaming
What about WPA3 Enterprise?

• WPA3 Enterprise is exactly the same as WPA2 Enterprise!
• Except that PMF is required … and that the certification process is improved … and that weak ciphers are not allowed
• Optional new AKM (192 bits / AES-GCMP256) for which FT is not supported at this time. Strong security vs fast roaming

Wireless Fast Secure roaming
Other possibilities ?

• Easy Connect is a kind of replacement of WPS for IoT devices. Adoption yet to be
seen
• Enhanced Open is encryption on open authentication, so privacy but not security.
Definitely the future of guest SSIDs. No key hassle and all the privacy possible (no
one can find out your key and decrypt your traffic)

Wireless Fast Secure roaming
Roaming security key takeaways

• 11r / Fast Transition is the way to go, but adoption is not fully there yet
• Go for a regular dot1x and FT WPA2/WPA3 network at this time. Implement the
tricks to speed up EAP authentications. Adaptive is there in case of client issues
• Security goes through a solid infrastructure, PKI and password management. WPA2
is still fine at this time (add PMF to it !)

ISE-Cream, Inc. conclusion
So, what do we do ?
• Requirements are different per location: roaming is not as bad in
enterprise/office/shop environment compared to warehouses and factory
• We will go for dual SSID solution for dot1x
• ”ISE Cream” 5ghz only – WPA2/3 FT+dot1x. 802.11k/v. bold optimized settings
• “ISE Cream legacy” 2.4ghz only – Adaptive FT, regular dot1x. Conservative settings
• “ISE Cream IoT” PSK, dual band

ISE-Cream, Inc. conclusion
Supplicant choice
• AnyConnect NAM does not support any fast roaming method
• AnyConnect NAM does not support PMF at this point and therefore not WPA3

• Native supplicant will do a better job with 802.11 amendments (11r,11k,11v, …) due
to closer interaction with drivers

PSK and IoT devices
“It’s the Wi-fi” problem #2

• Problem definition: A large amount of industrial devices do not support dot1x
• Probable cause: industrial devices are programmed by old Unix hipsters from the 80s with no budget for the software part
• We’re going to look at: How to stay moderately secure while still using PSK

The best solution
WPA3 Easy Connect
The future is planned years ahead
• WPA Easy Connect (nothing to do with ISE Easy Connect) means every device will use a different encryption key
• A variety of onboarding mechanisms exist (QR code, Bluetooth provisioning, ...)
• Most secure method
• If you plan to purchase devices, make sure to look for this feature or push it with the vendors

• But that’s not going to help you right now …

MPSK
Multiple PSK, no verification of identity
• 5 PSKs supported per SSID
• Anyone can use any of the 5 keys
• Local authentication not supported
• Can scale if you can multiply the SSIDs

iPSK
“Basically I have to enter all my IoT devices’ MAC addresses in ISE right?”
Skeptical network admin

IPSK by OUI
As of AireOS 8.5

SSID “ISE Cream-IOT”, PSK = Std_Key
AP
Access-Request to ISE:
[30] Called-Station-Id = AP-Group-1
[31] Calling-Station-Id = aa:bb:cc:dd:ee:ff
[32] NAS-Identifier = Cisco Live
...
ISE returns:
cisco-av-pair = psk-mode=ascii
cisco-av-pair = psk=ISEISEBaby
...
Client PSK = ISEISEBaby

“Ok, but I’m stuck using MAC addresses still?”
Skeptical network admin

IPSK by profiled device type
As of AireOS 8.5

SSID “ISE Cream-IOT”, PSK = Std_Key
AP
Access-Request to ISE:
[30] Called-Station-Id = AP-Group-2
[31] Calling-Station-Id = 00:11:22:33:44:55
[32] NAS-Identifier = Cisco Live
...
First device: PSK = ISEISEBaby
Second device (different profiled device type): ISE returns
cisco-av-pair = psk-mode=ascii
cisco-av-pair = psk=LoveISEcream
...
Client PSK = LoveISEcream

“So MACs and profiled device type, that’s it?”
Skeptical network admin

IPSK by AP location
As of AireOS 8.5

AP (group1): SSID “ISE Cream-IOT”, PSK = Std_Key; client PSKs = ISEISEBaby, LoveICEcream
AP (group3): SSID “ISE Cream-IOT”, PSK = Std_Key; client PSK = StraciatellISE

Access-Request via AP (group3) to ISE:
[30] Called-Station-Id = AP-Group-3
[31] Calling-Station-Id = de:ad:be:ef:de:ad
[32] NAS-Identifier = Cisco Live
...
ISE returns:
cisco-av-pair = psk-mode=ascii
cisco-av-pair = psk=StraciatellISE
...

“Is that it? What about a use case?”
Nicolas Darchis

IPSK: use case
Your creativity (and requirements) are the limit

• By using mac address ranges or profiling data, you can assign an iPSK per type of industrial
device
• By using profiling data, you can assign an onboarding SSID key for iPads and make them go
through a BYOD+MDM process to onboard them on the dot1x SSID
• APs in the IT provisioning office, are assigned a dedicated key allowing them to connect
something to the network to test it out before provisioning it with the correct key

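As an added example that is not the deck's or ISE's code, here is a model of the iPSK authorization logic the three preceding slides and this use case describe: the PSK returned in cisco-av-pair is chosen from the MAC OUI in Calling-Station-Id, the profiled endpoint type, or the AP group in Called-Station-Id, first matching rule wins, and no match returns nothing rather than a shared fallback key. MACs, OUIs, AP group names, profile names and keys are constructed; the rule and request classes are this example's own.

```python
"""Added example (not the deck's or ISE's code): a model of the iPSK
authorization logic described on the slides. ISE picks the PSK returned in
cisco-av-pair from the MAC OUI, the profiled endpoint type, or the AP group
carried in Called-Station-Id. All MACs, OUIs, groups and keys are constructed."""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    calling_station_id: str            # [31] client MAC
    called_station_id: str             # [30] AP group name, as on the slides
    endpoint_profile: str = "Unknown"  # what ISE profiling assigned to the MAC


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff, and 3-octet OUIs."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) not in (6, 12):
        raise ValueError(f"not a MAC or OUI: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


@dataclass
class IpskRule:
    name: str
    psk: str
    ouis: set = field(default_factory=set)       # "aa:bb:cc" prefixes
    profiles: set = field(default_factory=set)   # profiled device types
    ap_groups: set = field(default_factory=set)  # Called-Station-Id values

    def matches(self, req: AccessRequest) -> bool:
        """Every non-empty condition must hold (AND), like one ISE authz rule."""
        mac = normalize_mac(req.calling_station_id)
        checks = []
        if self.ouis:
            checks.append(mac[:8] in {normalize_mac(o)[:8] for o in self.ouis})
        if self.profiles:
            checks.append(req.endpoint_profile in self.profiles)
        if self.ap_groups:
            checks.append(req.called_station_id in self.ap_groups)
        return bool(checks) and all(checks)


def authorize(req: AccessRequest, rules: list) -> list:
    """First matching rule wins; return the cisco-av-pairs ISE would send.

    No match returns an empty list: with MAC filtering on the SSID the WLC
    then rejects the client instead of handing out a shared key.
    """
    for rule in rules:
        if rule.matches(req):
            return ["psk-mode=ascii", f"psk={rule.psk}"]
    return []


# Constructed policy mirroring the slides: AP location, OUI, profile, and a
# combined OUI + AP-group rule. Order matters, most specific first.
POLICY = [
    IpskRule("IT provisioning office", "ProvisionISE", ap_groups={"AP-Group-IT"}),
    IpskRule("Factory scanners by OUI", "ISEISEBaby", ouis={"aa:bb:cc"}),
    IpskRule("Profiled iPads -> onboarding SSID key", "OnboardISE",
             profiles={"Apple-iPad"}),
    IpskRule("Group 3 warehouse robots", "StraciatellISE",
             ouis={"de:ad:be"}, ap_groups={"AP-Group-3"}),
]
```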
ISE Cream Inc. conclusion
So, what do we do on the WLC?
• ”ISE Cream” 5ghz only – WPA2/3 FT+dot1x. 802.11k/v. bold optimized settings
• “ISE Cream legacy” 2.4ghz only – Adaptive FT, regular dot1x. Conservative settings
• “ISE Cream IoT” PSK+MAC filtering, dual band. Can turn into CWA for BYOD provisioning or guest login

ISE Cream Inc. conclusion
So, what do we do on ISE ?

Certificate side note
iOS always asks trust confirmation even for a valid certificate

ISEcream.inc

“It’s the Wi-fi” problem #3

• Problem definition: We’ve heard of a web authentication SSID bringing a whole controller down
• Probable cause: HTTPS redirection
• We’re going to look at: Misunderstandings behind web authentication

Webauth
“But it’s always unencrypted right?”
“What’s up with captive bypass?”
“Why is HTTPS redirection killing my WLC?”
To PSK or not to PSK?
If you don’t believe in Enhanced Open Transition mode

• Q: Can I deploy PSK on top of web authentication?
  A: Yes…
• PSK + Local Web Authentication (LWA) has always been supported
  PSK + Central Web Authentication (CWA) is supported starting from AireOS 8.3
  Note: with PSK + CWA the WLC disconnects the client, irrespective of the CoA type (CSCvb10807)
• Always supported on C9800
• It is not much more secure than Open, since all users will share the same key
• The way forward is Enhanced Open. But not all clients support it yet

To PSK or not to PSK?
Enhanced Open

• Enhanced Open transition mode creates 2 SSIDs:
  • A hidden Enhanced Open SSID
  • A regularly broadcasted Open SSID carrying an IE that informs EO-supporting clients of the hidden EO SSID name
• Compatibility should be maximal. Only drawback is no encryption for older clients

Local Web Authentication (LWA)
AP-WLC, DHCP/DNS, RADIUS Server
Additionally: PSK / 802.1X

0 L2: PSK / 802.1X
1 L3: SSID with WebAuth
2 L3: Pre-webauth ACL
3 L3: Host Acquires IP Address, Triggers Session State
4 L7 Web Auth: Host Opens Browser, Login Page
5 Host Sends Login to VIP; WLC Queries AAA Server (or Int. DB); AAA Server Returns Policy; Server authorizes user
6 WLC Applies New WebAuth Policy (L3)

LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC

LWA for passthrough
AP-WLC, DHCP/DNS
Additionally: PSK

0 PSK
1 SSID with WebAuth
2 Pre-webauth ACL
3 Host Acquires IP Address, Triggers Session State
4 Web Auth: Host Opens Browser, AUP Page
Host Accepts
6 WLC lets traffic through

LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC

LWA and certificates
WLC’s internal portal

Client, AP, WLC: HTTPS request from the client, redirection from the WLC

Certificates for the Controller Web Authentication:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc20

Central Web Authentication (CWA)
AP-WLC, DHCP/DNS, ISE Server

1 Open SSID with MAC Filtering enabled
2 L2: First authentication session
3 L2: Central Web Auth. AuthC success; AuthZ for unknown MAC returned: Redirect/filter ACL, portal URL
4 L3: Host Acquires IP Address, Triggers Session State. Host Opens Browser – WLC redirects browser to ISE web page
5 L7: Login / AUP Page. Host Sends Username/Password or Accepts AUP
6 Web Auth Success results in CoA
7 L2: MAB re-auth. Session lookup – policy matched. Authorization ACL/SGT/timeout returned. Server authorizes user. MAB Success

CENTRAL because the redirection URL and the pre-webauth ACL are centrally configured on ISE and communicated to the WLC via RADIUS

Central Web Authentication (CWA)

Note: Portal bypass when you remember the MAC address is a convenience/performance thing, not a security measure. MACs can be easily impersonated!

Exhibit A: impersonation in action

CWA and certificates

AVPs:
url-redirect-acl
url-redirect

Client, AP, WLC, ISE: HTTPS request from the client, redirection from the WLC

Central Web Authentication on the WLC and ISE Configuration Example:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

LWA vs. CWA: main differences

• LWA happens at L3
• LWA needs to rely on IP/DNS high availability options
  WLC: Redirect to myPortal.com (10.0.0.200)

• CWA happens at L2 and L3, and then L2 again
• CWA can rely on RADIUS / ISE high availability options
  WLC: RADIUS servers list PSN 1, PSN 2, ... PSN N

The 9800 side note on WebAuth
• 9800s don’t require a virtual IP to be configured, but it’s way better to have one

Without Virtual IP, c9800 will spoof whatever IP the client was requesting. This will cause trouble for external redirect as well as certificate validation

The 9800 side note on WebAuth
• 9800s have IOS-XE style redirect ACLs, i.e. the opposite of AireOS
• They are punt ACLs which determine the traffic to be sent to the WLC CPU (for redirection) on permits. Denies allow the traffic through unredirected

Deny tcp any <ISE ip> eq port 8443
Permit any any eq www
(implicit deny)

But on APs, redirect ACLs are inverted like on AireOS …

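As an added example, not code from the deck or from Cisco, the same redirect ACL is evaluated under the C9800 punt convention and under the inverted AireOS/AP convention described above, to show why an ACL copied between the two behaves the opposite way; the ISE address is a documentation-range placeholder, and the Ace and Flow classes are this example's own.

```python
"""Added example (not the deck's or Cisco's code): evaluating a web-auth
redirect ACL under the two opposite conventions the slide contrasts.

On a C9800 the redirect ACL is a punt ACL: a matching permit sends the flow
to the WLC CPU for redirection, a deny (or the implicit deny at the end)
lets it through unredirected. On AireOS, and on the AP in FlexConnect, the
meaning is inverted. The ISE address below is a constructed placeholder."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip", "tcp" or "udp"
    dst: str = "any"                # "any" or a host/network in CIDR form
    dst_port: Optional[int] = None  # "eq <port>", None means any port


@dataclass
class Flow:
    proto: str
    dst_ip: str
    dst_port: int


def ace_matches(ace: Ace, flow: Flow) -> bool:
    """Protocol, destination address and destination port must all match."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dst != "any" and ip_address(flow.dst_ip) not in ip_network(ace.dst, strict=False):
        return False
    if ace.dst_port is not None and ace.dst_port != flow.dst_port:
        return False
    return True


def first_match(acl: List[Ace], flow: Flow) -> str:
    """First matching ACE wins; the implicit deny at the end applies otherwise."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


def redirect_decision(acl: List[Ace], flow: Flow, platform: str) -> str:
    """Return "redirect" or "passthrough" for the platform's convention."""
    action = first_match(acl, flow)
    if platform == "c9800":   # punt ACL: permit -> CPU -> redirect
        return "redirect" if action == "permit" else "passthrough"
    if platform == "aireos":  # inverted, as the slide says: deny -> redirect
        return "redirect" if action == "deny" else "passthrough"
    raise ValueError(f"unknown platform {platform!r}")


# Constructed C9800 redirect ACL with the shape shown on the slide:
#   deny   tcp any host <ISE ip> eq 8443  (portal traffic must not be redirected)
#   permit tcp any any eq www             (other port-80 traffic is punted)
#   implicit deny                         (everything else passes through)
ISE_IP = "192.0.2.10"  # documentation-range placeholder, not a real PSN
C9800_ACL = [
    Ace("deny", "tcp", f"{ISE_IP}/32", 8443),
    Ace("permit", "tcp", "any", 80),
]
```

Evaluating C9800_ACL with platform "aireos" shows what happens when the text is copied unchanged: portal traffic gets redirected and plain HTTP passes through, the reverse of the intent.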
HTTPS webauth redirection
i.e. Redirecting the client when it asks for an https website

HTTPS WebAuth redirection
i.e. Redirecting the client when it asks for an https website

Why is the whole concept a complete violation of the purpose of HTTPS?

Client to WLC: TCP SYN. DST = social network server ip
WLC to Client: TCP SYN-ACK. SRC = social network ip (spoofed)
WLC to Client: Server certificate (WLC certificate)
Client: “Not the certificate I was expecting!”

HTTPS WebAuth redirection
i.e. Redirecting the client when it asks for an https website

• On top of being security nonsense, redirecting a lot of HTTPS sessions is a huge burden to the WLC CPU
• Before AireOS 8.7, we are talking about 5 to 7 HTTPS redirections per second taking the CPU to 100%
• Since AireOS 8.7, over a hundred HTTPS redirections per second is supported (175 on 5520)
• 9800 appliances will do from around 100 client redirections per second
• Note: a smartphone doesn’t just send HTTPS requests from the browser. A lot of applications send HTTPS which the WLC has to redirect (even for “nothing”)

HTTPS WebAuth redirection
What’s the solution then?

• Modern OS (Windows 10, macOS, Android, iOS) all have a portal detection system
• It sends an HTTP test packet to a given test server and checks if the answer is a 200 OK or a 302 redirect (to a portal)

HTTP: can I reach this proprietary test URL?
HTTP 302: check the login page instead

HTTPS WebAuth redirection
The captive portal bypass story

• config network web-auth captive-bypass enable is made to force iPhone/iPad users to use a real browser instead of Apple CNA. This is for when CNA won’t work with your BYOD/registration login page

HTTPS WebAuth redirection
In detail: Windows 10

• Opens up your default browser for you

HTTPS WebAuth redirection
In detail: macOS

• Not Safari
• No particular issues

HTTPS WebAuth redirection
In detail: iOS

• Can be worked around by clicking cancel a few times

HTTPS WebAuth redirection
In detail: Android

• Click yourself window
• Can be worked around
• No particular issues

HTTPS WebAuth redirection
In detail: Firefox

HTTPS WebAuth redirection
In detail: Chrome

Guest portal conclusion

• No point in doing HTTPS redirection
• Rely on the pop-up!
• iOS users are still reporting the pop-up not showing up in recent iOS releases. Very intermittent and hard to troubleshoot

Endpoints and corporate
devices Compliance

Eugene Korneychuk
CX Technical Leader (EMEA TAC)
CCIE Security #43253

ISE Posture Components
ISE Node: PAN, MnT, PSN

Posture Service allows Cisco ISE to identify the state of clients as they authenticate to the network and to enforce compliance with policy

Network Access Devices enforce security policies on noncompliant endpoints by blocking network access to your protected network

The Posture Agents, which are installed on the clients, interact with the Posture Service to collect and forward client state information

How to deploy?
Posture Services can be deployed in 3 different modes:

Audit User is not notified of any failure results based on posture assessment policy

Optional User is notified of failure results and given the option to continue in order to
bypass the posture assessment policy
Mandatory User is notified of failure results and given a remediation timer to make
corrective action to comply with the posture assessment policy

TECSEC-3416 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 523
Posture Assessment with ISE – Simplified Flow
Participants: Client, Network Access Device, ISE

1. Authentication/Authorization, Access-Accept with Redirect ACL and URL
2. Client opens a web page; client is redirected to ISE
3. SSL connection to Redirect URL, port 8443; connection is protected by the Portal Certificate
4. User downloads Network Setup Assistant
5. Network Setup Assistant discovers ISE
6. AnyConnect Agent download and installation
7. AnyConnect discovers ISE
8. Compliance Check: SSL exchange on port 8905
9. CoA-Request, CoA-Ack
10. Authentication/Authorization, Access-Accept

Warning!
Technical Deep Dive on Posture Flow in the hidden slides
Disk Encryption Check (ISE 2.0, AnyConnect 4.2)
• Added in ISE 2.0
• Supported for both Windows and macOS Operating systems
• Message Only Remediation
• Encryption State Option supported for some Windows Vendors (Symantec, BitLocker)

Firewall Check (ISE 2.2, AnyConnect 4.4)
• Added in ISE 2.2
• Supported for both Windows and macOS Operating systems
• Enable Firewall Remediation

File Check
• Supported for both Windows and macOS Operating systems
• Predefined Conditions
• File Remediation
USB Check and Block (ISE 2.1, AnyConnect 4.3)

USB Checks are "Dynamic", i.e. enforced in real time, although the USB check can also be configured at the initial posture check or at Periodic Reassessment (PRA) checks

Pre-Canned Policy

USB Block
USB Check and Block supported for Windows only

Client will still be compliant but the USB port will be blocked
Patch Management Check (ISE 2.0, AnyConnect 4.2)
• Supported for both Windows and macOS Operating systems
• Uses OPSWAT, ISE doesn't talk to Patch Manager directly
• Remediation supported for Windows only

Check if Installed, Enabled and if latest Patches are installed
Installation is supported for all Vendors
May support Enabled and "Up to Date" checks

Patch Management Remediation (ISE 2.0, AnyConnect 4.2)
Product List will be updated based on selected Remediation Option

Windows Server Update Service (WSUS) Remediation
The pr_WSUSRule can be used as a placeholder condition (a dummy condition) in the posture requirement that specifies a WSUS remediation

Cisco Rules – Pre-configured Rules from Cisco (via Posture Update)
Severity Level – ISE instructs AC to check if selected Severity Level updates are installed
Microsoft Server – Microsoft Managed Server
Managed Server – Locally administered WSUS Server
Application Visibility (ISE 2.2, AnyConnect 4.4)
Monitor Installed and Running applications and display data in context directory

Application Visibility Facts (ISE 2.2, AnyConnect 4.4)

Continuous Monitoring
ISE is collecting endpoint data on Initial Posture Assessment and every 5 minutes by default

Application Data
ISE collects the following information about the endpoint:
• Application Name
• Version
• Vendor
• Processes (if running)
• Category
• Install Path

Application Visibility (ISE 2.2, AnyConnect 4.4)

Enforcement
Enforcement policy can be created to Uninstall or terminate all the processes of a particular Application

Application Enforcement
• At Initial Posture Assessment
• At Periodic Re-Assessment time
Use-Case: ISE-Cream, Inc. -
Endpoint and corporate device Compliance
For finance department users the following should be checked:
• Drive with Financial Data should be encrypted
• Windows Firewall should be enabled
• No Video Players are allowed at work
For guest users:
• Windows Firewall should be enabled

Demo

Posture Types
• AnyConnect with Posture Module
• AnyConnect in Stealth Mode
• Temporal Agent
AnyConnect Stealth mode (ISE 2.2, AnyConnect 4.4)

No Posture module, no popups are shown, no user intervention, but still compliant!

Supported in stealth mode:
• Create Anti-Malware Remediation
• Create Launch Program Remediation
• Create Patch Management Remediation
• Create USB Remediation
• Create Windows Server Update Services Remediation
• Create Windows Update Remediation

Not supported in stealth mode (these need user interaction):
• Manual Remediation
• Link Remediation
• File Remediation
• Windows Server Update Services (WSUS) Remediation (Remediation Type and Remediation Installation Wizard Interface Setting)
• Patch Management Remediation – Activate Patch Management Software GUI (Remediation Option)
• AUP Policy

AnyConnect Temporal Agent (ISE 2.3)
• Replaces NAC Web agent
• No Java / ActiveX
• Runs once then uninstalls
• Does not require admin privileges
• Same rich posture checks as AnyConnect
• Only manual remediation
• Downloaded via portal via URL re-direct, so options to integrate with Guest, BYOD, CWA, etc.

Demo

Configuring Provisioning and Posture
• Add AnyConnect Agent resources to ISE
• Add AnyConnect Configuration
• Configure Posture Condition & Remediation
• Configure Posture Policy
• Configure AnyConnect Posture Profile
• Configure Client Provisioning Policy
• Configure Posture Requirements
• Configure Authorization Rules
Posture Miscellaneous. Default Policies
Work Centers > Posture > Client Provisioning > Resources
Posture Resources available on ISE by default

Posture Miscellaneous. Default Policies
Work Centers > Posture > Client Provisioning
Default Client Provisioning Policy

Posture Miscellaneous. Default Policies (ISE 2.3)
Work Centers > Posture > Posture Policy

Default policies added for:
• Anti-Malware
• Firewall
• Application Visibility
• Hardware Attributes
• USB Block

Default policies added for:
• macOS, Windows All
• AnyConnect, Temporal Agent

Posture Miscellaneous. Default Policies
Work Centers > Posture > Policy Sets
• Redirect to Client Provisioning Portal
• Redirect after NonCompliance is detected
• Final Permit Rule
Posture Miscellaneous. Posture Lease
Work Centers > Posture > Settings > Posture > Posture General Settings

After posture is compliant once, there will be no posture assessment performed during the configured time

Posture Lease gives the benefits of faster network reconnect and enhanced user experience

Posture Miscellaneous. Posture Lease
Context Visibility > Endpoints

The posture expiration time is stored in the endpoint DB table
Posture expiry time can be viewed in the UI

EPOCH TIME: Number of milliseconds elapsed since January 1, 1970 (midnight UTC/GMT)
Epoch Time Converter: http://www.epochconverter.com/

Posture Miscellaneous. PRA
Work Centers > Posture > Settings > Reassessment Configurations
Configure Periodic Reassessment Interval
Configure PRA for specific groups
Posture Miscellaneous. Grace Period (ISE 2.4, AnyConnect 4.6)
Work Centers > Posture > Posture Policy
Work Centers > Posture > Settings > Posture General Settings

Configure Grace period: from 5 minutes to 30 days
Configure Last Known Good State Period: from 1 hour to 30 days

Posture Miscellaneous. Grace Period/Re-Scan (ISE 2.4, AnyConnect 4.6)
Work Centers > Posture > Posture Policy
Work Centers > Posture > Settings > Posture General Settings

Cisco ISE caches the results of posture assessment for a configurable amount of time. If a device is found to be noncompliant, Cisco ISE looks for the previously known good state in its cache and provides grace time for the device, during which the device is granted access to the network
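The lease, the cached last-known-good state and the grace period interact, and the expiry is stored as epoch milliseconds. The Python model below is an added example, not ISE code and not from this deck: it reduces the behaviour described on the lease and grace period slides to a small cache with a lease check, a grace window that is opened only from a still-valid good state, and an epoch-millisecond conversion. The class and method names and the timing knobs are assumptions; the value ranges are the ones quoted on the slides.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

MS_PER_MIN = 60_000
MS_PER_HOUR = 60 * MS_PER_MIN
MS_PER_DAY = 24 * MS_PER_HOUR


def epoch_ms_to_utc(epoch_ms: int) -> str:
    """Render an endpoint-DB style timestamp (milliseconds since 1970-01-01 00:00 UTC)."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


@dataclass
class PostureSettings:
    """Assumed knobs; the allowed ranges are the ones the slides quote."""
    lease_ms: int             # posture lease: no re-assessment while it lasts
    grace_ms: int             # grace period: 5 minutes .. 30 days
    last_known_good_ms: int   # how long a previous compliant result stays usable: 1 hour .. 30 days

    def __post_init__(self) -> None:
        if not 5 * MS_PER_MIN <= self.grace_ms <= 30 * MS_PER_DAY:
            raise ValueError("grace period must be between 5 minutes and 30 days")
        if not MS_PER_HOUR <= self.last_known_good_ms <= 30 * MS_PER_DAY:
            raise ValueError("last known good state period must be between 1 hour and 30 days")


@dataclass
class EndpointRecord:
    """Per-MAC state: last compliant result and, once opened, the end of the grace window."""
    last_compliant_ms: Optional[int] = None
    grace_until_ms: Optional[int] = None


@dataclass
class PostureCache:
    settings: PostureSettings
    endpoints: Dict[str, EndpointRecord] = field(default_factory=dict)

    def lease_expiry(self, mac: str) -> Optional[int]:
        """Epoch ms at which the lease ends, or None if the endpoint was never compliant."""
        rec = self.endpoints.get(mac)
        if rec is None or rec.last_compliant_ms is None:
            return None
        return rec.last_compliant_ms + self.settings.lease_ms

    def needs_assessment(self, mac: str, now_ms: int) -> bool:
        """Posture lease: once compliant, skip assessment until the lease expires."""
        expiry = self.lease_expiry(mac)
        return expiry is None or now_ms >= expiry

    def record_result(self, mac: str, compliant: bool, now_ms: int) -> str:
        """Apply an assessment result; returns 'compliant', 'grace' (noncompliant but a
        recent good state exists and the grace window is still open) or 'noncompliant'."""
        rec = self.endpoints.setdefault(mac, EndpointRecord())
        if compliant:
            rec.last_compliant_ms = now_ms
            rec.grace_until_ms = None          # a fresh good state re-arms the grace window
            return "compliant"
        good = rec.last_compliant_ms
        if good is not None and now_ms - good <= self.settings.last_known_good_ms:
            if rec.grace_until_ms is None:     # open the window on the first failure only
                rec.grace_until_ms = now_ms + self.settings.grace_ms
            if now_ms < rec.grace_until_ms:
                return "grace"
        return "noncompliant"


if __name__ == "__main__":
    cache = PostureCache(PostureSettings(7 * MS_PER_DAY, 2 * MS_PER_HOUR, 3 * MS_PER_DAY))
    t0 = 1_700_000_000_000                     # constructed timestamp
    print(epoch_ms_to_utc(t0), cache.record_result("00:11:22:33:44:55", True, t0))
    print("lease expires", epoch_ms_to_utc(cache.lease_expiry("00:11:22:33:44:55")))
    print(cache.record_result("00:11:22:33:44:55", False, t0 + MS_PER_DAY))
```

The model deliberately opens one grace window per good state: after the window closes, further noncompliant results stay noncompliant until the endpoint is compliant again.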
Posture Miscellaneous. Posture Updates
Work Centers > Posture > Settings > Software Updates > Posture Updates
• Includes predefined
  • Posture Conditions
  • Compound Posture Conditions
  • AV, AS and Anti-Malware for Windows and macOS
• Online or Offline Update

Information from the last successful update
Threat Centric NAC
Threat Centric Network Access Control (TC-NAC) feature enables you to create Authorization Policies based on the threat and vulnerability attributes from adapters.

Figure: endpoint context (Who, What, When, Where, How, Posture, Threat, Vulnerability) feeds Cisco ISE; the TC-NAC vendor of your choice supplies Vulnerability assessment (Vulnerability Scores) and Detected Threats; ISE takes the Access Policy Decision

Key Questions
What is threat (malware)?
Any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising

Key Questions
What is vulnerability?
A weakness which allows an attacker to reduce a system's information assurance

Key Questions
Why ISE?
ISE has the knowledge of endpoints across the network. ISE can change the privilege and context of an endpoint dynamically, notifying the network and other applications of the change so that access to resources can be restricted

Eco-partner of your choice – what is supported
Columns: Vulnerability Assessment, Threat Detection (partner logos in the original; only the text survives)
ISE 2.1 – Threat Detection: AMP for Endpoints
ISE 2.2 – Threat Detection: Cisco Cognitive Threat Analytics (CTA)
Key Questions
Threat Centric NAC – How to deploy?
Administration > System > Deployment > Edit Node
• TC-NAC requires Apex License
• One TC-NAC node per deployment
• One instance of VA adapter per vendor, multiple instances of FireAMP adapter
Threat Centric NAC with Qualys
Simplified Flow
Participants: Endpoint, Network Access Device, Admin Node, MnT Node, PSN with TC-NAC, Qualys Cloud, Qualys Guard

1. Client connects to the network: Authentication/Authorization Request
2. Authorization Policy is assigned by ISE
3. Syslog message with VA Scan attribute
4. MnT submits scan to TC-NAC node
5. ISE requests VA Scan
6. Qualys Guard scans the Endpoint for Vulnerabilities
7. Qualys Guard reports the results to Qualys Cloud
8. Qualys reports the CVSS score to ISE
9. PAN is updated with MAC, CVSS, QID
10. CoA is done based on scan results (Full Access / Quarantine)

Threat Centric NAC with Qualys
Visibility
• MAC Address
• Username
• IP Address
• QID
• Source
• Score

How to Configure TC-NAC with Qualys
See hidden slides with step by step instructions with screenshots from both ISE and Qualys
Threat Centric NAC with AMP – Simplified Flow
Participants: Endpoint with AMP connector installed, Network Access Device, Admin Node, MnT Node, PSN with TC-NAC

1. Client connects to the network: Authentication/Authorization Request
2. Authorization Policy is assigned by ISE
3. AMP connector establishes connection to AMP cloud
4. Malware detected on the endpoint. AMP connector reports the event to AMP Cloud
5. AMP Cloud reports an incident to ISE
6. PAN is updated with an Incident
7. CoA can be issued by ISE Administrator

Threat Centric NAC with AMP – Visibility
• Mac Address
• Username
• IP Address
• Threat Source
• Threat Severity

How to Configure TC-NAC with AMP
See hidden slides with step by step instructions with screenshots from both ISE and AMP

Teatime
We'll start back at 16:30

RADIUS Optimizations

Nicolas Darchis
CX Technical Leader (EMEA TAC)
CCIE Wireless #25344
"It's the Wi-Fi" problem #4

• Problem definition: We have a lot of traffic on ISE coming from the WLC and a lot of failed authentications with retries
• Probable cause: We probably haven't optimized the RADIUS settings
• We're going to look at: RADIUS best practices and differences between controllers
RADIUS attributes: AireOS vs 9800

RADIUS attributes: assigning "vlans"

AireOS:
  Tunnel-Private-Group-ID = 1:<vlan id>
  Tunnel-Type = 1:13
  Tunnel-Medium-Type = 1:6
  Airespace:Airespace-Interface-Name = <name of interface (group) on WLC>
  Fabric VNID: Airespace:Airespace-Interface-Name = <name of fabric interface on WLC>

9800:
  Tunnel-Private-Group-ID = 1:<vlan id or name>
  Tunnel-Type = 1:13
  Tunnel-Medium-Type = 1:6
  Airespace:Airespace-Interface-Name = <name of vlan (group) on WLC>
  Fabric VNID: Airespace:Airespace-Interface-Name = <name of fabric interface on WLC>

RADIUS attributes: assigning ACLs

AireOS:
  Redirect ACL: cisco-av-pair = url-redirect-acl=<acl name>; cisco-av-pair = url-redirect=<url>
  ACL Override: Airespace-ACL-Name = <acl name>
  Downloadable ACL: N/A

9800:
  Redirect ACL: cisco-av-pair = url-redirect-acl=<acl name>; cisco-av-pair = url-redirect=<url>
  ACL Override: Airespace-ACL-Name = <acl name>
  Downloadable ACL: dACL = <name of ISE ACL>
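An added example, not from the deck or from Cisco, that encodes and decodes exactly the attributes in the two tables, so the 1: tag prefix and the vendor-specific wrapping of the Airespace and cisco-av-pair entries are visible byte by byte. Attribute and vendor numbers are the published ones (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81, Vendor-Specific 26; Cisco vendor 9 with Cisco-AVPair sub-type 1; Airespace vendor 14179 with Airespace-Interface-Name 5 and Airespace-ACL-Name 6); the function names and the sample ACL and URL values are mine.

```python
import struct
from typing import List, Tuple

# Standard attribute numbers (RFC 2865 / RFC 2868) and the values used for VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type =  VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type = IEEE-802

# Vendor IDs and sub-attribute types for the WLC attributes in the tables above
VENDOR_CISCO = 9
CISCO_AVPAIR = 1
VENDOR_AIRESPACE = 14179
AIRESPACE_INTERFACE_NAME = 5
AIRESPACE_ACL_NAME = 6


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: tag byte then a 3-byte big-endian value (the '1:' in the table)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < (1 << 24):
        raise ValueError("tagged integer must fit in 24 bits")
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """RFC 2868 tagged string: tag byte then the text."""
    payload = bytes([tag]) + value.encode("utf-8")
    if len(payload) > 253:
        raise ValueError("attribute too long")
    return bytes([attr_type, 2 + len(payload)]) + payload


def vsa(vendor_id: int, vendor_type: int, value: str) -> bytes:
    """RFC 2865 Vendor-Specific attribute carrying a single string sub-attribute."""
    text = value.encode("utf-8")
    payload = struct.pack("!I", vendor_id) + bytes([vendor_type, 2 + len(text)]) + text
    if len(payload) > 253:
        raise ValueError("attribute too long")
    return bytes([VENDOR_SPECIFIC, 2 + len(payload)]) + payload


def vlan_assignment(vlan: str, tag: int = 1) -> bytes:
    """The three attributes from the VLAN table; AireOS needs a numeric VLAN id, 9800 also
    accepts a VLAN name, so the value is passed through as a string."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))


def url_redirect(acl_name: str, url: str) -> bytes:
    """Redirect ACL pair from the ACL table, as two cisco-av-pair VSAs."""
    return (vsa(VENDOR_CISCO, CISCO_AVPAIR, f"url-redirect-acl={acl_name}")
            + vsa(VENDOR_CISCO, CISCO_AVPAIR, f"url-redirect={url}"))


def airespace_interface(name: str) -> bytes:
    return vsa(VENDOR_AIRESPACE, AIRESPACE_INTERFACE_NAME, name)


def airespace_acl(name: str) -> bytes:
    return vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, name)


def decode(attrs: bytes) -> List[Tuple[str, str]]:
    """Walk an attribute list and render each entry the way the slide tables write them."""
    out: List[Tuple[str, str]] = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if atype == TUNNEL_TYPE else "Tunnel-Medium-Type"
            out.append((name, f"{body[0]}:{int.from_bytes(body[1:], 'big')}"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            out.append(("Tunnel-Private-Group-ID", f"{body[0]}:{body[1:].decode('utf-8')}"))
        elif atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            text = body[6:4 + vlen].decode("utf-8")
            names = {(VENDOR_CISCO, CISCO_AVPAIR): "cisco-av-pair",
                     (VENDOR_AIRESPACE, AIRESPACE_INTERFACE_NAME): "Airespace-Interface-Name",
                     (VENDOR_AIRESPACE, AIRESPACE_ACL_NAME): "Airespace-ACL-Name"}
            out.append((names.get((vendor, vtype), f"VSA({vendor}/{vtype})"), text))
        else:
            out.append((f"Attr({atype})", body.hex()))
        i += alen
    return out
```

Decoding a captured Access-Accept with this walker is a quick way to confirm which of the two controller dialects an ISE authorization profile is really sending.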
9800 RADIUS / TACACS+
Gotchas and did-you-knows

TACACS+
Admin management
• TACACS+ authorization works like for other IOS-XE platforms
• Web UI uses CLI commands in the background, so it's an all-or-nothing privilege level question. No possibility to restrict the view to certain menus
• LobbyAdmin user can be authenticated via TACACS+
• Automatic fallback in TACACS+, each request is attempted again on the primary server

RADIUS
Is RADIUS on 9800 the same as other IOS-XE platforms?
• 9800 has mostly the same RADIUS configuration (handled by common IOSd)
• However, the dot1x code was taken from IOSd and placed in the controller process. Each controller process does dot1x for its own clients

Use Case: ISE-Cream, Inc. -
RADIUS
• 802.1X must not introduce additional delay for users
• RADIUS optimizations
RADIUS optimizations: AireOS stats

show radius auth statistics
(GUI: Monitor > Statistics > RADIUS Servers)

Server Index..................................... 2
Server Address................................... 192.168.88.1
Msg Round Trip Time.............................. 3 (msec)
First Requests................................... 1256
Retry Requests................................... 5688
Accept Responses................................. 22
Reject Responses................................. 1
Challenge Responses.............................. 96
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 1
Timeout Requests................................. 6824
Unknowntype Msgs................................. 0
Other Drops...................................... 0

Look for:
• High retry/first requests ratio (10%)
• High reject/accept ratio
• High timeout/first requests ratio (5%)
RADIUS optimizations: 9800 stats (1/3)

show radius statistics

                               (auth)  (acct)  (all)
Maximum inQ length:            NA      NA      1
Maximum waitQ length:          NA      NA      1
Maximum doneQ length:          NA      NA      0
Total responses seen:          435     0       435
Packets with responses:        435     0       435
Packets without responses:     0       0       0
Access Rejects :               435
Average response delay(ms):    10      0       10
Maximum response delay(ms):    414     0       414
Number of Radius timeouts:     0       0       0
Duplicate ID detects:          0       0       0
Buffer Allocation Failures:    0       0       0
Maximum Buffer Size (bytes):   133     0       133
Malformed Responses :          0       0       0
Bad Authenticators :           0       0       0
Unknown Responses :            0       0       0

Look for:
• High reject/accept ratio
• High response delay
• RADIUS timeouts
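To make the "look for" cues on the AireOS and 9800 stats slides repeatable, here is an added Python checker (my code, not Cisco's) that parses both controller layouts and flags the ratios. The 10% and 5% thresholds are the ones on the AireOS slide; the reject/accept, reject-share and response-delay thresholds are assumptions, and the two sample outputs are constructed copies of what the slides show.

```python
import re
from typing import Dict, List

# Constructed sample, in the shape of the AireOS "show radius auth statistics" output
# on the slide (same counters as the slide).
AIREOS_SAMPLE = """\
Server Index..................................... 2
Server Address................................... 192.168.88.1
Msg Round Trip Time.............................. 3 (msec)
First Requests................................... 1256
Retry Requests................................... 5688
Accept Responses................................. 22
Reject Responses................................. 1
Challenge Responses.............................. 96
Pending Requests................................. 1
Timeout Requests................................. 6824
"""

# Constructed sample, in the shape of the 9800 "show radius statistics" table.
C9800_SAMPLE = """\
                               (auth)  (acct)  (all)
Total responses seen:          435     0       435
Packets with responses:        435     0       435
Access Rejects :               435
Average response delay(ms):    10      0       10
Maximum response delay(ms):    414     0       414
Number of Radius timeouts:     0       0       0
"""

AIREOS_LINE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.{2,}\s*(?P<val>\S+)")
C9800_LINE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<vals>.*)$")


def parse_aireos(text: str) -> Dict[str, int]:
    """Counter name -> value for the dotted AireOS layout; non-numeric rows are skipped."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = AIREOS_LINE.match(line)
        if m and m.group("val").isdigit():
            stats[m.group("key").strip()] = int(m.group("val"))
    return stats


def parse_9800(text: str) -> Dict[str, int]:
    """Counter name -> value of the first (auth) column for the 9800 layout."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = C9800_LINE.match(line.strip())
        if m:
            vals = m.group("vals").split()
            if vals and vals[0].isdigit():
                stats[m.group("key").strip()] = int(vals[0])
    return stats


def ratio(num: int, den: int) -> float:
    """num/den; a zero denominator counts as infinitely bad when num > 0, else 0.0."""
    if den == 0:
        return float("inf") if num > 0 else 0.0
    return num / den


def assess_aireos(stats: Dict[str, int], retry_max: float = 0.10,
                  timeout_max: float = 0.05, reject_max: float = 1.0) -> List[str]:
    """Slide cues: retry/first > 10%, timeout/first > 5%, high reject/accept.
    The slide gives no number for reject/accept; 1.0 is an assumed threshold."""
    findings: List[str] = []
    first = stats.get("First Requests", 0)
    r = ratio(stats.get("Retry Requests", 0), first)
    if r > retry_max:
        findings.append(f"retry/first requests ratio {r:.2f} > {retry_max:.0%}")
    t = ratio(stats.get("Timeout Requests", 0), first)
    if t > timeout_max:
        findings.append(f"timeout/first requests ratio {t:.2f} > {timeout_max:.0%}")
    rj = ratio(stats.get("Reject Responses", 0), stats.get("Accept Responses", 0))
    if rj > reject_max:
        findings.append(f"reject/accept ratio {rj:.2f} > {reject_max:.2f}")
    return findings


def assess_9800(stats: Dict[str, int], reject_share_max: float = 0.5,
                delay_max_ms: int = 100) -> List[str]:
    """Slide cues for the 9800: many rejects, high response delay, any timeouts. Both
    thresholds are assumptions; the table has no accept counter, so rejects are compared
    against all responses seen."""
    findings: List[str] = []
    share = ratio(stats.get("Access Rejects", 0), stats.get("Total responses seen", 0))
    if share > reject_share_max:
        findings.append(f"rejects are {share:.0%} of responses (> {reject_share_max:.0%})")
    delay = stats.get("Average response delay(ms)", 0)
    if delay > delay_max_ms:
        findings.append(f"average response delay {delay} ms > {delay_max_ms} ms")
    timeouts = stats.get("Number of Radius timeouts", 0)
    if timeouts:
        findings.append(f"{timeouts} RADIUS timeouts")
    return findings
```

Run against the slide's AireOS numbers it flags both the retry ratio (5688/1256) and the timeout ratio (6824/1256) while the reject/accept ratio (1/22) passes; the 9800 sample trips only on rejects.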
RADIUS optimizations: 9800 (2/3)

show aaa servers


RADIUS: id 1, priority 1, host 10.48.39.28, auth-port 1812, acct-port 1813, hostname nicoise
State: current UP, duration 1748417s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 1748417s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No

RADIUS optimizations: 9800 (3/3)
Authen: request 435, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 435, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 10ms
Transaction: success 435, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Author: (…)
Account: (…)
Elapsed time since counters last cleared: 2w6d5h40m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Requests per minute past 24 hours:
high - 5 hours, 39 minutes ago: 0
low - 5 hours, 39 minutes ago: 0
average: 0

RADIUS optimizations
Server not responding on a regular basis

• RADIUS server flapping means it is not responding to certain requests
• It is not necessarily about packet drops!

(AireOS) Trap logs:
0 Wed Aug 20 15:30:40 2014 RADIUS auth-server x.x.x.x:1812 available
1 Wed Aug 20 15:30:40 2014 RADIUS auth-server x.x.x.x:1812 available
2 Wed Aug 20 15:30:40 2014 RADIUS server x.x.x.x:1812 activated on WLAN 6
3 Wed Aug 20 15:30:40 2014 RADIUS server x.x.x.x:1812 deactivated on WLAN 6
4 Wed Aug 20 15:30:40 2014 RADIUS auth-server x.x.x.x:1812 unavailable
5 Wed Aug 20 15:30:40 2014 RADIUS server x.x.x.x:1812 failed to respond to request (ID 22) for client

(9800) show log:
2019-09-14 11:20:54 Local1.Warning xx.xx.xx.xx: 6w4d: %RADIUS-4-RADIUS_DEAD: RADIUS server xx.xx.xx.xx:1812,1813 is not responding.
2019-09-14 11:20:54 Local1.Warning xx.xx.xx.xx 18897: 6w4d: %RADIUS-4-RADIUS_ALIVE: RADIUS server xx.xx.xx.xx:1812,1813 has returned
RADIUS optimizations
Timeouts: RADIUS timeout

RADIUS server timeout >5 seconds

9800(config)#radius server RASERV-1
9800(conf-rad-server)#address ipv4 172.20.254.4 auth-port 1645 acct-port 1646
9800(conf-rad-server)#key cisco
9800(conf-rad-server)#timeout 5
9800(conf-rad-server)#retransmit 53

RADIUS optimizations
Timeouts: WLAN session timeout

WLAN session timeout in hours

RADIUS optimizations
Timeouts: Idle timeout

Idle timeout at 300 seconds, can be increased for dot1x WLANs

Idle timeout = "Hey, I haven't heard you speak, so I'm gonna ignore you until you say hi again"

RADIUS optimizations
Exclusion on WLC

WLAN client exclusion > 120 s

Security -> WPP -> Client exclusion

RADIUS optimizations
Exclusion on ISE

• Try to not send MAC authentications to AD
• Enable PEAP session resume and fast reconnect
• Disable unused EAP protocols
• Disable PEAP password retries
• Ensure latency to the backend authentication database is small
RADIUS optimizations
WLC EAP timers

People typically tweak these timers without having a clue
In all honesty, this even comes from TAC cases too …

AireOS:
  config advanced eap identity-request-timeout 3
  config advanced eap identity-request-retries 10
  config advanced eap request-timeout 3
  config advanced eap request-retries 10

9800:
  (config)#wireless security dot1x (…)

RADIUS optimizations
WLC RADIUS accounting

RADIUS accounting to be disabled on anchor WLC before 8.7 otherwise

RADIUS optimizations
WLC RADIUS accounting

Avoid configuring RADIUS interim update unless really needed. If so, set a timer of 0 second

9800(config)#aaa accounting update ?
  newinfo   Only send accounting update records when we have new acct info.
  periodic  Send accounting update records at regular intervals.
RADIUS optimizations
WLC RADIUS AireOS Fallback behavior

Fallback means falling back to the primary server after having used a backup server due to whatever issue
Passive: will regularly try the primary with the next user authentication
Active: will actively probe with a test authentication

config radius aggressive-failover disable means the WLC will wait to have no answers from RADIUS for 3 clients before declaring it dead

RADIUS optimizations
WLC 9800 RADIUS Fallback behavior

Passive mode is achieved through configured dead time and criteria:
  radius-server dead-criteria time <seconds> tries <number>
  radius-server deadtime <minutes>
You can verify with "show aaa dead-criteria radius <ip>"

You can also configure active probing with automate-tester username <user> in the radius server configuration
Load balancing is also possible with radius-server load-balance method least-outstanding, or load-balance method least-outstanding in the radius server group

RADIUS optimizations
WLC 9800 RADIUS profiling

Use RADIUS profiling to piggyback profiling data onto accounting

RADIUS optimizations
WLC AireOS RADIUS profiling

Use RADIUS profiling to piggyback profiling data onto accounting
IDFW/SGFW using FTD/FMC
Passive Identity (PassiveID)

Manfred Brabec
Technical Solutions Architect Cybersecurity (EMEAR)
CCIE Security #13180, CCDE #2013::28

Use Case: ISE-Cream, Inc. -
Rules based on Identities and Groups
• Need to be able to build policies based on identities
• Their 802.1X project is delayed, but they still want to start NOW
• There are concerns about the scalability of the solution which need to be addressed
• Even when using identities, their rule table will still be hard to manage, and the number of rules is much too high – a solution for this problem is expected
• Just more or less static usernames or groups are not enough – they want to replicate their business security policies within their Firewall- and Intrusion Policies
Context Sharing using Platform Exchange Grid (pxGrid)

pxGrid Advantages
• Single scalable framework – develop once instead of multiple APIs
• Bi-directional and secure – share and consume context
• Customize what gets shared and with whom
• Publisher and subscriber method

pxGrid is a Proposed Standard
RFC8600 (XMPP-Grid)
https://datatracker.ietf.org/doc/rfc8600/

pxGrid: Three Basic Components
Figure: ISE pxGrid Publisher -> ISE pxGrid Controller -> pxGrid Client / Subscriber (XMPP over TCP/5222 or REST-WS over TCP/8910)

pxGrid Controller - responsible for Control Plane:
✓ Establishing the "grid"
✓ Authenticating clients
✓ Authorizing what clients can do
✓ Maintaining directory of context information "topics" available

pxGrid Clients (Eco-Partner) - responsible for:
✓ Communicate with the Controller
✓ Subscribes to an appropriate "topic"
✓ Ad-hoc query to "topics"
✓ Filtering "topics" to exclude unwanted information
✓ Publishes information to a "topic" (if sharing)
pxGrid Scenarios

Context to Partner: Cisco ISE -> Eco-Partner (CONTEXT). ISE makes Customer IT Platforms User/Identity, Device and Network Aware
Enrich ISE Context: Eco-Partner -> Cisco ISE (CONTEXT). Enrich ISE context. Make ISE a better Policy Enforcement Platform
Threat Mitigation: Eco-Partner -> Cisco ISE (ACTION, MITIGATE). Enforce dynamic policies in the network based on Partner's request
Context Brokerage (pxGrid 2.0): Cisco ISE pxGrid <-> Eco-Partners. ISE brokers Customer's IT platforms to share data amongst themselves

pxGrid Publisher / Subscriber
• PAN and MnT node publish and subscribe topics of information
• Authenticates and authorizes pxGrid clients

Figure: pxGrid Pub/Sub – Publish/Subscribe topics; topics being published / subscribed by pxGrid node

Why Cisco pxGrid 2.0?
• No client SDK or language dependency (like Java and C libraries) ➔ Ease of adoption and less integration effort (clientless approach)
• More scalable, uses WebSockets (pub/sub), and REST API (for AuthC/AuthZ/control) over Simple Text Oriented Messaging Protocol (STOMP) 1.2
• Horizontal scalability of ISE pxGrid nodes (All Active)
• Provides the ability for ecosystem partners to publish attributes into ISE
• pxGrid 1.0 support and backward compatibility
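As an added illustration of the pxGrid 2.0 transport (my code, not Cisco's and not a pxGrid SDK), the block below builds and parses STOMP 1.2 frames, shows the CONNECT/SUBSCRIBE pair a subscriber sends once its WebSocket to the pubsub service is up, and feeds session-topic messages into an IP-to-user/SGT binding table of the kind an identity-aware firewall keeps. The topic name and the session JSON field names follow the shape of Cisco's public pxGrid 2.0 samples but are assumptions here; the sample messages are constructed.

```python
import json
from typing import Dict, List, Optional, Tuple

# Assumed topic name: a real client learns it from the ServiceLookup response.
SESSION_TOPIC = "/topic/com.cisco.ise.session"


def _escape(value: str) -> str:
    """STOMP 1.2 header escaping (backslash, newline, colon)."""
    return value.replace("\\", "\\\\").replace("\n", "\\n").replace(":", "\\c")


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "c": ":", "r": "\r", "\\": "\\"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def stomp_frame(command: str, headers: Dict[str, str], body: str = "") -> bytes:
    """Serialize a STOMP 1.2 frame: command, header lines, blank line, body, NUL."""
    lines = [command] + [f"{_escape(k)}:{_escape(v)}" for k, v in headers.items()]
    return ("\n".join(lines) + "\n\n" + body).encode("utf-8") + b"\x00"


def parse_stomp(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Inverse of stomp_frame; the first occurrence of a repeated header wins (per spec)."""
    if not raw.endswith(b"\x00"):
        raise ValueError("STOMP frame must end with NUL")
    head, _, body = raw[:-1].decode("utf-8").partition("\n\n")
    command, *header_lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers.setdefault(_unescape(key), _unescape(value))
    return command, headers, body


def subscribe_frames(topic: str, host: str, sub_id: str = "0") -> List[bytes]:
    """Frames a subscriber sends over the WebSocket (credentials travel on the HTTP upgrade)."""
    return [stomp_frame("CONNECT", {"accept-version": "1.2", "host": host}),
            stomp_frame("SUBSCRIBE", {"destination": topic, "id": sub_id})]


class BindingTable:
    """IP -> (user, MAC, SGT) table maintained from session topic messages: what an
    identity-aware firewall consults to match users and SGTs in traffic."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, Dict[str, Optional[str]]] = {}

    def apply(self, session: dict) -> None:
        ips = session.get("ipAddresses", [])
        if session.get("state") == "DISCONNECTED":
            for ip in ips:
                self.by_ip.pop(ip, None)
            return
        for ip in ips:
            self.by_ip[ip] = {"user": session.get("userName"), "mac": session.get("macAddress"),
                              "sgt": session.get("ctsSecurityGroup"), "state": session.get("state")}

    def handle_frame(self, raw: bytes) -> int:
        """Consume one MESSAGE frame on the session topic; returns the number of sessions in it."""
        command, headers, body = parse_stomp(raw)
        if command != "MESSAGE" or headers.get("destination") != SESSION_TOPIC:
            return 0
        sessions = json.loads(body).get("sessions", [])
        for session in sessions:
            self.apply(session)
        return len(sessions)

    def lookup(self, ip: str) -> Optional[Dict[str, Optional[str]]]:
        return self.by_ip.get(ip)


# Constructed messages in the shape of the session topic JSON (field names assumed).
SAMPLE_MESSAGE = stomp_frame(
    "MESSAGE", {"destination": SESSION_TOPIC, "subscription": "0", "message-id": "1"},
    json.dumps({"sessions": [
        {"state": "STARTED", "userName": "alice", "macAddress": "00:11:22:33:44:55",
         "ipAddresses": ["10.1.1.5"], "ctsSecurityGroup": "Employees"},
        {"state": "AUTHENTICATED", "userName": "bob", "macAddress": "66:77:88:99:aa:bb",
         "ipAddresses": ["10.1.1.6"]}]}))
SAMPLE_DISCONNECT = stomp_frame(
    "MESSAGE", {"destination": SESSION_TOPIC, "subscription": "0", "message-id": "2"},
    json.dumps({"sessions": [{"state": "DISCONNECTED", "userName": "alice",
                              "macAddress": "00:11:22:33:44:55", "ipAddresses": ["10.1.1.5"]}]}))
```

Header escaping matters because pxGrid destinations and user names can legitimately contain colons; the round trip in the test shows the frame survives them.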
Identity Firewall (IDFW) / Security Group Firewall (SGFW)

Firepower Identity Sources
Firepower Management Center (FMC)
• ISE
• ISE Passive Identity Connector (PIC)
• Terminal Services (TS) Agent

Firepower User Agent

ISE-PIC overview
• The Cisco ISE Passive Identity Connector (PIC) is a subset of functionality offered with Cisco Identity Service Engine
• Supports only PassiveID functionality (Cisco subscribers only)
• ISE-PIC provides 2 license models:
  • 3,000 bindings (PassiveID sessions)
  • 300,000 bindings (PassiveID sessions)
• Supports up to 100 DCs
• FMC allows 1 ISE-PIC connection that is HA-capable
• Upgradable to Full ISE when required
PassiveID Preparation
Obvious, but still a root cause for most issues with pxGrid

• make sure pxGrid and FMC name resolution is correct (DNS)
• make sure that there is a PTR entry for the DNS server
• use NTP
• check availability of required and correct Root Certificates
• check firewall rules between FMC and pxGrid Node
• make sure that there are no pending approvals in ISE pxGrid services
• make sure that ISE 2.6 Patch 1 or higher is installed (CSCvo75376, CSCvo66575)
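A pre-flight script for the DNS, PTR and firewall items on this checklist, added here as an example (not from the deck): it checks forward/reverse DNS consistency for the FMC and every pxGrid node and TCP reachability of the pxGrid ports (8910 and 5222, from the component diagram earlier in this section). The resolvers and connector are injectable so the logic can be exercised with the constructed lab data in the block; host names are placeholders, and NTP, certificates and the ISE patch level are not checked.

```python
import socket
from typing import Callable, Dict, List, Optional

Forward = Callable[[str], Optional[str]]   # hostname -> IPv4 address, or None
Reverse = Callable[[str], Optional[str]]   # IPv4 address -> hostname, or None
Connect = Callable[[str, int], bool]       # host, port -> reachable?

# Ports taken from the pxGrid component diagram earlier in the deck.
PXGRID_PORTS = {8910: "pxGrid REST/WebSocket control", 5222: "pxGrid XMPP"}


def dns_forward(hostname: str) -> Optional[str]:
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def dns_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_name_resolution(hostname: str, forward: Forward, reverse: Reverse) -> List[str]:
    """The A record must exist and the PTR of that address must name the same host; the
    slide lists broken name resolution as a frequent root cause of pxGrid trouble."""
    ip = forward(hostname)
    if ip is None:
        return [f"{hostname}: no A record"]
    ptr = reverse(ip)
    if ptr is None:
        return [f"{hostname}: {ip} has no PTR record"]
    if ptr.rstrip(".").lower() != hostname.lower():
        return [f"{hostname}: PTR for {ip} is {ptr}, expected {hostname}"]
    return []


def preflight(fmc_host: str, pxgrid_hosts: List[str], forward: Forward = dns_forward,
              reverse: Reverse = dns_reverse, connect: Connect = tcp_reachable) -> Dict[str, List[str]]:
    """Per-host list of problems: DNS consistency for the FMC and every pxGrid node, plus
    TCP reachability of the pxGrid ports from wherever this runs (ideally the FMC itself)."""
    report: Dict[str, List[str]] = {}
    for host in [fmc_host, *pxgrid_hosts]:
        report[host] = check_name_resolution(host, forward, reverse)
    for host in pxgrid_hosts:
        for port, label in PXGRID_PORTS.items():
            if not connect(host, port):
                report[host].append(f"TCP {port} ({label}) not reachable")
    return report


# Constructed lab data so the checks can be exercised without network access.
LAB_FORWARD = {"fmc.example.com": "10.0.0.10", "ise-pxgrid.example.com": "10.0.0.20",
               "ise-bad.example.com": "10.0.0.30"}
LAB_REVERSE = {"10.0.0.10": "fmc.example.com", "10.0.0.20": "ise-pxgrid.example.com",
               "10.0.0.30": "other.example.com"}


def lab_connect(host: str, port: int) -> bool:
    """Pretend firewall: 8910 is blocked towards ise-bad.example.com, everything else open."""
    return not (host == "ise-bad.example.com" and port == 8910)


if __name__ == "__main__":
    for host, problems in preflight("fmc.example.com", ["ise-pxgrid.example.com", "ise-bad.example.com"],
                                    LAB_FORWARD.get, LAB_REVERSE.get, lab_connect).items():
        print(host, "OK" if not problems else problems)
```

Against real infrastructure, call preflight() with the defaults and it uses the system resolver and real TCP connects.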
ISE-PIC installation
• Supports virtual machines only (based on the physical appliance specifications)
• Setup similar to ISE deployment (same hypervisors)
• up to two ISE-PIC nodes
• Includes 90 days eval license

Don't forget resource reservations!
ISE-PIC Standalone Deployment

• Uses internal CA by default
• No service modification

[Diagram: a single ISE-PIC node]

Maximum bindings, platform dependent:
  3515 = Max. 100k bindings
  3615 = Max. 100k bindings
  3595 = Max. 300k bindings
  3655 = Max. 300k bindings
  3695 = Max. 300k bindings

ISE-PIC High Availability (HA) Deployment

• Second node adds HA only (manual P-PAN promotion)
• No distributed deployment

[Diagram: two ISE-PIC nodes in HA; Primary Admin with Primary pxGrid Controller, Secondary Admin with Secondary pxGrid Controller]

ISE Passive Identity Service

Maximum bindings, platform dependent:
  3515 = Max. 100k bindings
  3615 = Max. 100k bindings
  3595 = Max. 500k bindings
  3655 = Max. 500k bindings
  3695 = Max. 500k bindings

* Max. 1M PassiveID sessions per deployment

Identity Mapping Capabilities
ISE vs. ISE-PIC

Capability                         ISE-PIC   ISE
User via PassiveID                 √         √
User via 802.1X/MAB/WebAuth        -         √
Device Type (Endpoint Profile)     -         √
Location IP (Endpoint Location)    -         √
TrustSec SGT (SXP Topic)           -         √

Identity Mapping Capabilities
FMC Realms

• A realm is required to support IDFW functions
• AD or LDAP are the only supported identity stores for a realm
  • OpenLDAP is not supported for ISE/ISE-PIC data retrieval; it is supported for captive portal data retrieval only
• Multiple realms in an Identity Policy (passive) are supported using different network matching criteria
  • Realms with no distinguishing factor always match the first rule in the Identity Policy
• SXP Topic pxGrid subscription does NOT require a realm (i.e. no AD dependency)

Identity Mapping Capabilities
FMC/FTD

• Firepower maintains tables of network addresses to users/SGTs, and of users to the groups used in policy
  • If a user’s network or group is not in those tables, we will not match that user or group in traffic
• Identity is shared across all devices connected to the same FMC
• FMC currently supports up to 64,000 active user sessions across all devices
  • Limited by device memory; higher scales on larger platforms are planned for future releases
  • User sessions and other metadata bindings from ISE (SGT, endpoint profile, location) all apply towards the same limit
• A maximum of 2000 SGs is currently supported by FMC
• FTD reads SGTs inline, directly from the network without a lookup (i.e. you can insert FTD anywhere in TrustSec designs)

Destination Security Group Tags (DGTs)

• Access Control Policy rules can use both Source SGTs and Destination SGTs as rule matching criteria
• Unlike source SGTs, DGTs are never embedded in frames
• DGTs can be learned out of band: FMC uses pxGrid to learn IP-to-SGT mappings from ISE via the Security Group Tag eXchange Protocol (SXP) Topic

Ethernet frame:          DMAC | SMAC | 802.1Q | CMD | ETYPE | PAYLOAD | CRC

Cisco MetaData (0x8909): CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
                                                                          (16-bit Source SGT value)

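Worked example (added here; it is not code from the deck or from Cisco): a small Python parser for the frame layout above. It builds a constructed frame carrying an 802.1Q tag and a CMD header, then extracts the 16-bit source SGT the way an inline-capable device would before a policy lookup. The slide gives only the order of the CMD fields; the field widths used here (1-byte version, 1-byte length counted in 4-byte words, 2-byte option type 0x0001 for the SGT option, 2-byte SGT value) are assumptions made for this example, as is the handling of "other CMD options" as opaque 4-byte units.

```python
import struct

# Ethertypes as shown on the slide.  The per-field widths of the CMD header
# (1-byte version, 1-byte length in 4-byte words, 2-byte option type,
# 2-byte SGT value) are this example's assumption, not stated on the slide.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909
CMD_VERSION = 1
CMD_OPT_SGT = 0x0001   # assumed option-type code for the SGT option


def build_frame(dmac, smac, ethertype=0x0800, vlan=None, sgt=None, payload=b""):
    """Build a constructed Ethernet frame with optional 802.1Q tag and CMD header.

    DMAC | SMAC | [802.1Q] | [CMD] | ETYPE | PAYLOAD   (CRC omitted)
    """
    frame = bytes.fromhex(dmac.replace(":", "")) + bytes.fromhex(smac.replace(":", ""))
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    if sgt is not None:
        # CMD EtherType | Version | Length (one 4-byte option) | SGT Opt Type | SGT Value
        frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, CMD_OPT_SGT, sgt)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return {"vlan", "sgt", "ethertype", "payload"}; vlan/sgt are None when absent.

    Raises ValueError on a malformed CMD header rather than guessing an SGT,
    because a guessed tag would silently select the wrong policy cell.
    """
    if len(frame) < 14:
        raise ValueError("frame too short")
    off = 12
    vlan = sgt = None
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if etype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack_from("!H", frame, off)
        vlan = tci & 0x0FFF
        off += 2
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
    if etype == ETHERTYPE_CMD:
        version, length = struct.unpack_from("!BB", frame, off)
        if version != CMD_VERSION:
            raise ValueError("unsupported CMD version %d" % version)
        off += 2
        opt_end = off + length * 4          # options area, in 4-byte words (assumption)
        if opt_end + 2 > len(frame):
            raise ValueError("CMD length exceeds frame")
        # Only the SGT option is decoded; other CMD options are skipped as opaque 4-byte units.
        p = off
        while p + 4 <= opt_end:
            opt_type, opt_val = struct.unpack_from("!HH", frame, p)
            if opt_type == CMD_OPT_SGT:
                sgt = opt_val
                break
            p += 4
        off = opt_end
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
    return {"vlan": vlan, "sgt": sgt, "ethertype": etype, "payload": frame[off:]}


if __name__ == "__main__":
    f = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", vlan=10, sgt=5, payload=b"\x45")
    print(parse_frame(f))
```

Note that only the source SGT travels in the frame; a destination SGT is never carried inline and has to come from an out-of-band binding, which is exactly why FMC subscribes to the SXP topic.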
SGT Classification
FTD Binding Source Priority

1. RA VPN via AAA
2. Trusted SGT value from inline SGT (CMD) in the tagged packet
3. Host SXP Mapping via pxGrid
4. Subnet SXP Mapping via pxGrid

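Worked example (added here, not Cisco's implementation): a toy resolver that applies the four-level priority above to decide which SGT a source address gets. It also covers the "Longest Match" point made later in the deck for overlapping subnet bindings. Assumptions beyond the slide: among subnet mappings the most specific prefix wins, an inline CMD tag is honoured only when the ingress interface trusts it, and the sample bindings in demo_resolver() are constructed.

```python
import ipaddress

# Binding sources in the priority order the slide lists for FTD.
PRIORITY = ("ravpn_aaa", "inline_cmd", "sxp_host", "sxp_subnet")


class FtdSgtResolver:
    """Toy model (not Cisco's code) of how a firewall picks the source SGT of a packet.

    A higher-priority source wins even when a lower one also has an answer;
    among subnet mappings the longest prefix wins (assumption for this example).
    """

    def __init__(self):
        self.ravpn = {}          # ip -> sgt, learned from AAA for RA VPN sessions
        self.sxp_hosts = {}      # ip -> sgt, /32 bindings from the pxGrid SXP topic
        self.sxp_subnets = []    # (ip_network, sgt) bindings from the SXP topic

    def add_ravpn(self, ip, sgt):
        self.ravpn[str(ipaddress.ip_address(ip))] = sgt

    def add_sxp(self, prefix, sgt):
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen == net.max_prefixlen:
            self.sxp_hosts[str(net.network_address)] = sgt
        else:
            self.sxp_subnets.append((net, sgt))

    def resolve(self, src_ip, inline_sgt=None, inline_trusted=False):
        """Return (sgt, source) or (None, None) when nothing matches."""
        ip = ipaddress.ip_address(src_ip)
        key = str(ip)
        if key in self.ravpn:
            return self.ravpn[key], "ravpn_aaa"
        # An inline CMD tag counts only when the ingress side is configured to
        # trust it; an untrusted tag is ignored rather than honoured.
        if inline_sgt is not None and inline_trusted:
            return inline_sgt, "inline_cmd"
        if key in self.sxp_hosts:
            return self.sxp_hosts[key], "sxp_host"
        best = None
        for net, sgt in self.sxp_subnets:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        if best:
            return best[1], "sxp_subnet"
        return None, None


def demo_resolver():
    """Constructed sample bindings (not from a real deployment)."""
    r = FtdSgtResolver()
    r.add_ravpn("10.9.9.9", 7)            # remote-access VPN user, SGT from AAA
    r.add_sxp("10.1.10.100/32", 5)        # host binding published by ISE over pxGrid
    r.add_sxp("10.1.0.0/16", 3)           # coarse subnet binding
    r.add_sxp("10.1.10.0/24", 4)          # more specific subnet binding
    return r


if __name__ == "__main__":
    r = demo_resolver()
    for ip in ("10.9.9.9", "10.1.10.100", "10.1.10.7", "10.1.99.7", "192.0.2.1"):
        print(ip, r.resolve(ip))
```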
FMC pxGrid Connection Overview
pxGrid 1.0

[Diagram: FMC and FTD connecting to the ISE PAN, MnT and PSN (PassiveID), to AD, and to TSA/VDI sources. Port labels recovered from the diagram: TCP/135 Read Security Event Log (WMI/RPC); TCP/443 REST (HTTPS); TCP/389 (636) User and Group Download, LDAP(S); TCP/8905 PSN PassiveID Agent; TCP/5222 Subscribe/Notify (XMPP) between the PAN pxGrid Provider (GCL) and the FMC Consumer (GCL); TCP/8910 PXG Bulk Downloads (RabbitMQ) from MnT; TCP/8305 sftunnel between FMC and FTD. Other labels: AD API, ADI, Network traffic-based detection (FTD Core).]

Subscribed Topics:
  AdaptiveNetworkControl
  EndpointProfileMetaData
  EndpointProtectionService
  SessionDirectory
  TrustSecMetaData

ISE Components
PassiveID & SXP

[Diagram: inputs to ISE / ISE-PIC on the left, the PassiveID processing pipeline in the middle, publication on the right]
• Inputs to ISE / ISE-PIC: AD via WMI (WinRM) and PIC-Agent (TCP/445 towards AD), Syslog, Kerberos SPAN (Endpoint Probe), REST API
• PassiveID pipeline: Normalization, Group Lookups, Merging, Publishing, Verification (the Endpoint Probe asks "Same user? Still there?")
• Publication: pxGrid Pub/Sub Bus for ISE incremental updates and MnT bulk download to FMC; SXP peers on TCP/64999; FMC to FTD on TCP/8305
• Identity providers and SXP peers reach FTD via FMC

Direct DC monitoring
WMI

[Diagram: ISE / ISE-PIC monitors DC1, DC2 and DC3 directly over WMI]

DC monitoring using agents
PIC Agent

[Diagram: agents on DC1, DC2 and DC3 send Agent Notifications to ISE / ISE-PIC; DC4 is read over WMI by an agent on a Member server, which also sends Agent Notifications]

Event Forwarding to a designated DC
Windows Event Collector (WEC)

[Diagram: odd DCs (DC1, DC3, DC5, ...) push events with WEF to DC101 (WEC1); even DCs (DC2, DC4, DC6, ...) push events with WEF to DC102 (WEC2); agents on the two collectors send Agent Notifications to ISE / ISE-PIC]

FMC pxGrid Configuration

[Screenshot: the FMC ISE identity source configuration page with these fields:]
• Primary pxGrid node
• Root CA Certificate of the pxGrid nodes* (CA trusted by ISE)
• Root CA Certificate of the MnT nodes* (CA trusted by FMC)
• FMC Certificate (without EKU values, or with the clientAuth EKU) for pxGrid authentication (the cert must be trusted on ISE)
• Subscriptions: the Session Directory topic for user sessions, and the SXP topic, which contains just SXP mappings

* You may use the same Root CA for the pxGrid Server and the MnT Server CA

pxGrid Test Success

With two configured pxGrid nodes on FMC, one would display Failure

FMC Subscription Test (test button)

FMC has subscribed to pxGrid Topics
• Authenticates to the ISE pxGrid node using certificates (self-signed or CA-signed)

[Screenshot: ISE pxGrid client list showing the FMC client and the topics FMC has subscribed to]

Publish SXP bindings
ISE

Required to publish static IP-SGT mappings

Add SXP Device
ISE requires at least one SXP device to publish mappings
• Not a real SXP connection (dummy); can be any IP
• ISE is the SPEAKER
• No password required

User Session Timeout
ISE

User Session Timeout
FMC

Set to the same timeout as configured on ISE

Mapping Filter
ISE

• Incoming from AD
• Based on blacklisting
• Username or IPv4 (CIDR)
• Username accepts the asterisk (*) wildcard character

Network Filter
FMC

• Incoming from pxGrid
• Based on whitelisting
• IPv4 (CIDR) only
• Comma separated
• Session Directory only (not applicable for the SXP topic)

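Worked example (added here; not code from ISE or FMC): the two filters above modelled in Python and chained in the order they run, the ISE-side blacklist before publication and the FMC-side whitelist on what arrives over the Session Directory topic. The session records, the blocked list and the allowed CIDRs are constructed for the example; the only wildcard honoured in usernames is the asterisk, as the slide states, so other regex characters are treated literally.

```python
import ipaddress
import re

# Constructed PassiveID sessions (not real data), as ISE would learn them from AD.
SESSIONS = [
    {"user": "ise-cream\\alice", "ip": "10.1.10.100"},
    {"user": "ise-cream\\svc_backup", "ip": "10.1.10.200"},
    {"user": "ise-cream\\bob", "ip": "10.2.20.15"},
    {"user": "ise-cream\\svc_scanner", "ip": "192.168.50.9"},
    {"user": "ise-cream\\carol", "ip": "10.1.10.2"},
]


def _looks_like_ipv4(rule):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?", rule) is not None


def _username_matches(pattern, user):
    # Only '*' is a wildcard (per the slide); everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, user, re.IGNORECASE) is not None


def ise_mapping_filter(sessions, blocked):
    """ISE side: blacklist.  A session is dropped if any rule matches its
    username (with '*' wildcard) or its IPv4 address (host or CIDR)."""
    nets, patterns = [], []
    for rule in blocked:
        if _looks_like_ipv4(rule):
            nets.append(ipaddress.ip_network(rule, strict=False))   # bare host -> /32
        else:
            patterns.append(rule)
    kept = []
    for s in sessions:
        ip = ipaddress.ip_address(s["ip"])
        if any(ip in n for n in nets):
            continue
        if any(_username_matches(p, s["user"]) for p in patterns):
            continue
        kept.append(s)
    return kept


def fmc_network_filter(sessions, allowed_csv):
    """FMC side: whitelist on the Session Directory feed only (the SXP topic is
    not filtered).  Only sessions inside one of the comma-separated IPv4 CIDRs
    are kept; an empty filter keeps everything."""
    nets = [ipaddress.ip_network(x.strip(), strict=False)
            for x in allowed_csv.split(",") if x.strip()]
    if not nets:
        return list(sessions)
    return [s for s in sessions if any(ipaddress.ip_address(s["ip"]) in n for n in nets)]


def pipeline(sessions, blocked, allowed_csv):
    """Apply the ISE blacklist first (it runs before pxGrid publication),
    then the FMC whitelist; return the usernames FMC ends up mapping."""
    return [s["user"] for s in fmc_network_filter(ise_mapping_filter(sessions, blocked), allowed_csv)]


if __name__ == "__main__":
    blocked = ["*svc_*", "192.168.50.0/24", "10.1.10.2"]
    print(pipeline(SESSIONS, blocked, "10.1.0.0/16,10.2.0.0/16"))
```

Service accounts are the usual reason for the username wildcard: a backup or scanner account logging on to many hosts would otherwise overwrite the real user's IP-to-user binding.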
PassiveID Live Sessions
ISE

• Shows PassiveID service components that are not filtered out by Mapping Filters

Obtain Session Information via pxGrid
FMC User Activity

• ISE User Session Information

Create Access Control Rules with ISE Criteria
FMC

[Screenshot: FMC access control rule editor; select an SGT from Available Metadata and add it to Source or Destination]

FMC Health Modules
ISE Connection Status Monitor

FMC Health Modules
Realm

ISE-Cream Recommendations for IDFW/SGFW
FMC

• Set a network filter for the Session Directory subscription from ISE
• Lower the number of user groups used in policies
• Segment devices to different FMCs for higher scaling
• Leverage the SXP Topic for full TrustSec Source/Destination SGT enforcement
• Disable the SXP or Session Directory subscription from ISE if not needed

Group-Based Policies
TrustSec

Fay-Ann Lee
Technical Marketing Engineer

Use Case: ISE-Cream, Inc. -
TrustSec
• Policies on infrastructure and firewalls should reflect the business security policy
• Audits always take too much time and are very cost intensive; the solution should help reduce audit time as well as audit costs
• The current network is too flat; we need to be able to microsegment everywhere
• The OT environment needs to be segmented as well

Agenda

• Introduction
• Group-Based Policy Fundamentals
  • Classification
  • Enforcement
  • Propagation
• One Little Tag, so Many Uses
• Getting Started With Policies
• Managing Policies and Changes

Presentation Decode

• SGT = Security Group Tag, Scalable Group Tag or Stiff Gin & Tonic (the Security Group and Scalable Group icons are used interchangeably)
• Group-Based Policy Enforcement
• ISE SXP

Why: Simplifying Security Policy

[Slide image: dozens of scattered "ip access-list" entries]

Can you see the business intent here?

Using Context to Show Intent

Poor context awareness (Without ISE)   |        | Rich context awareness (With ISE)
IP ADDRESS: 192.168.2.101              | WHO    | Bob (Employee)
Unknown                                | WHAT   | Apple iPad/iOS/11.0.1
Unknown                                | WHEN   | 10:30 AM PST
Unknown                                | WHERE  | Floor-1, San Jose, Building 19
Unknown                                | HOW    | Wireless
Unknown                                | APPS   | Firefox, MS Word, AnyConnect
Unknown                                | SPEC   | Serial number, CPU, memory
Access to any device/user              | RESULT | Authorized network access

Logical Groupings to Denote Segmentation Goals
Abstracts individual network-element configuration

[Diagram of logical groups:]
• SGT_Contractor: Contractor 1, 2, 3, 4, 5
• SGT_Building Management: Temperature Device 1, 2, 3 (50°); Surveillance Device 1, 2, 3
• SGT_Employee: Employee 1, 2, 3, 4
• SGT_FinanceServer: Fin 1, 2, 3, 4
• SGT_Printers: Printer 1, 2, 3

Sample Policies for ISE-Cream, Inc.

[Diagram: intent-based segmentation between the groups Internet, Guests, Internal Services, IoT Devices and Employees]

Intent-Based Segmentation
Articulating Intent with SGTs

Corporate Policy: Employees have web access to Production Servers

Traditional Segmentation Policy

Switch-1#show ip access-list
Extended IP access list CorpPolicy
10 permit tcp 10.1.100.0 0.0.0.255 172.16.100.0 0.0.0.255 eq 80
20 permit tcp 10.1.100.0 0.0.0.255 172.16.100.0 0.0.0.255 eq 443
30 permit tcp 10.2.101.0 0.0.0.255 172.16.100.0 0.0.0.255 eq 80
40 permit tcp 10.2.101.0 0.0.0.255 172.16.100.0 0.0.0.255 eq 443

Group-Based Segmentation Policy

Switch-1# show cts role-based permissions
IPv4…Role-based permissions from 10:Employees to 100:ProdServers: Web_Only-10

Enabling Consistent Policies Across the
Enterprise
[Diagram: Common Policy Groups shared between Identity Services Engine / Cisco DNA Center (Campus & Branch Networks), Security Apps (ASA, FTD, WSA) and APIC-DC, the controller for ACI (ACI DC/Cloud)]

Intent-Based Segmentation

Group-Based Policies Benefits

1. Simplify Policy
   Simplify policy management of access control
   Consistent policy results from end to end

2. Reduce Opex
   Minimize time to deploy & implement changes
   Decrease complexity leading to fewer errors

3. Regulatory Compliance
   Segmentation for scope reduction
   Protect sensitive information from other connected devices

4. Monitoring and Troubleshooting
   Analyze with business relevance
   Troubleshoot based on Intent

Group-Based Segmentation Concepts
[Diagram: ISE (Directory) classifies users and devices at the source switch and servers at the DC switch (destination); group information is shared (propagation) and enforcement happens on the DC switch]

• Classify systems/users based on context (user role, device, location etc.)
• Context or role expressed as a Security Group
• Firewalls, routers and switches use Security Groups to make filtering decisions
• Classify once; reuse the Security Group anywhere on the network

Groups in ISE

• 17 pre-defined groups
• “Learn” new groups via REST or pxGrid integration (e.g. Cisco DNA Center, Cisco APIC-DC, etc.)
• Create groups locally

Getting Group Information to Network Devices

Cisco Switches, Routers, Wireless LAN Controller
• Network device authentication (NDAC) to establish a PAC file for secure communication
• Request via secured RADIUS to retrieve environment-data (SGTs & associated timers)
• Request via secured RADIUS to retrieve SGACLs

Cisco Adaptive Security Appliance (ASA)
• Pre-shared key to create the PAC file for secure communication
• Request environment-data via secured RADIUS

Cisco Firepower Threat Defense (FTD), Web Security Appliance (WSA)
• pxGrid integration

Getting Group Info to Network Devices (New)
Pre-ISE 2.7:
• RADIUS (UDP)-based policy request / policy download
• Large numbers of responses from devices
• Bulk changes fragmented over multiple packets
• Uses the PAC process with TLS 1.0

ISE 2.7+:
• TLS 1.2 server with REST/JSON API on ISE; TLS 1.2 client with JSON parsing on the device (IOS XE 17.1.1 / 16.12.2)
• Reliable transport
• No PAC requirement
• Future versions to provide additional assurance capabilities

Group Information in Devices

• Group info appears in network devices as “Environment Data”

IOS#show cts environment-data
CTS Environment Data
====================
Security Group Name Table:
0001-85 :
0-01:Unknown
2-00:TrustSec_Devices
4-01:Employees
5-01:Contractors
6-01:CUCM_Servers
8-01:Developers
10-de:Production_Users
11-01:Prod_Svrs

Classifying Endpoints and Networks

[Diagram: Campus Access (802.1X/MAB via WLC and access switches) uses dynamic classification; Distribution, Core, Enterprise Backbone, DC Core and DC Access (Firewall, Hypervisor SW) use static classification: L3 Interface (SVI) to SGT, VLAN to SGT, Subnet to SGT]

Static Classifications
Can use ISE or CLI for these

• IP to SGT mapping:       cts role-based sgt-map <ip address> sgt <SGT_value>
• Subnet to SGT mapping:   cts role-based sgt-map <ip address/nn> sgt <SGT_value>
• VLAN to SGT mapping:     cts role-based sgt-map vlan-list <VLAN> sgt <SGT_value>
  • Often used when AAA is unreachable: ‘critical vlan’ + VLAN-SGT
  • Method relies on IP Device Tracking
• Port to SGT mapping:     (config-if-cts-manual)# policy static sgt <SGT_value>
  • Method relies on IP Device Tracking

Service templates can also assign a static SGT in fallback conditions

Static Classifications

Mappings propagated over SXP from ISE to SXP devices (covered later)

FQDN Classifications

Dynamic Classification and SGT Assignment via ISE

Context => Security Group

Dynamic Classification with 802.1X
[Diagram: Supplicant (MAC 00:00:00:AB:CD:EF), Switch and RADIUS (any); EAPoL/EAP transaction at Layer 2 between supplicant and switch, RADIUS transaction at Layer 3 between switch and RADIUS]

1. Authentication and Policy Evaluation (SGT 0 before authorization). The authorization result binds the authorized MAC 00:00:00:AB:CD:EF to SGT = 5:
   cisco-av-pair=cts:security-group-tag=0005-01
2. DHCP: the endpoint receives the lease 10.1.10.100/24

Dynamic Classification with 802.1X (continued)

3. ARP probe / IP Device Tracking creates the binding 00:00:00:AB:CD:EF = 10.1.10.100/24, so SRC 10.1.10.100 = SGT 5

Switch#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address    Security Group       Source
=============================================
10.1.10.1     3:TrustSec_Devices   INTERNAL
10.1.10.100   5:Employee           LOCAL

Local policy defines fallback SGT assignment

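Worked example (added here; not code from the deck or from Cisco): parsers for the three artefacts that appear in the classification slides, the cisco-av-pair returned by RADIUS, the Security Group Name Table from show cts environment-data, and the IP-SGT binding table from show cts role-based sgt-map. A small check then cross-references bindings against environment data, which is how stale or inconsistent group names show up during troubleshooting. The sample outputs are constructed in the format the slides show (including a deliberately mismatched entry); the SGT and generation in the av-pair are decoded as hex, which is an assumption taken from the 0005-01 and 10-de notations on the slides.

```python
import re

# Constructed outputs in the formats the slides show (not captured from a real switch).
ENV_DATA = """IOS#show cts environment-data
CTS Environment Data
====================
Security Group Name Table:
0001-85 :
0-01:Unknown
2-00:TrustSec_Devices
4-01:Employees
5-01:Contractors
10-de:Production_Users
"""

SGT_MAP = """Switch#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address Security Group Source
=============================================
10.1.10.1 3:TrustSec_Devices INTERNAL
10.1.10.100 5:Employee LOCAL
10.1.10.150 4:Employees SXP
"""

ENV_RE = re.compile(r"^\s*(\d+)-([0-9a-fA-F]{2}):(\S+)\s*$")
BIND_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+(\d+):(\S+)\s+(\S+)\s*$")
AVPAIR_RE = re.compile(r"cts:security-group-tag=([0-9a-fA-F]{4})-([0-9a-fA-F]{2})")


def parse_environment_data(text):
    """Map SGT number -> (name, generation) from the Security Group Name Table.
    The number before the dash is decimal; the generation after it is hex (assumption)."""
    table = {}
    for line in text.splitlines():
        m = ENV_RE.match(line)
        if m:
            table[int(m.group(1))] = (m.group(3), int(m.group(2), 16))
    return table


def parse_sgt_bindings(text):
    """Return [(ip_or_prefix, sgt, name, source)] from 'show cts role-based sgt-map'."""
    out = []
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return out


def parse_sgt_avpair(avpair):
    """Decode the RADIUS attribute value 'cts:security-group-tag=SGT-GEN' (hex) -> (sgt, gen)."""
    m = AVPAIR_RE.search(avpair)
    if not m:
        raise ValueError("no cts:security-group-tag in %r" % avpair)
    return int(m.group(1), 16), int(m.group(2), 16)


def find_stale_bindings(bindings, env):
    """Bindings whose SGT number is unknown to, or named differently from, the
    environment data: a sign the switch has not refreshed env-data since the
    group was renamed or created on ISE."""
    stale = []
    for ip, sgt, name, _source in bindings:
        if sgt not in env or env[sgt][0] != name:
            stale.append((ip, sgt, name))
    return stale


if __name__ == "__main__":
    env = parse_environment_data(ENV_DATA)
    bindings = parse_sgt_bindings(SGT_MAP)
    print(parse_sgt_avpair("cisco-av-pair=cts:security-group-tag=0005-01"))
    print(find_stale_bindings(bindings, env))
```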
Classifying Extranet Connections
• Route Prefix Monitoring on a specific Layer 3 interface mapping to an SGT
• Can apply to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface

[Diagram: DC Access switch VSS-1; Joint Ventures connect on g3/0/1 and send route updates for 17.1.1.0/24; Business Partners connect on g3/0/2 and send route updates for 43.1.1.0/24 and 49.1.1.0/24]

cts role-based sgt-map interface GigabitEthernet 3/0/1 sgt 8
cts role-based sgt-map interface GigabitEthernet 3/0/2 sgt 9

VSS-1#show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address    SGT  Source
========================================
11.1.1.2      2    INTERNAL
12.1.1.2      2    INTERNAL
13.1.1.2      2    INTERNAL
17.1.1.0/24   8    L3IF
43.1.1.0/24   9    L3IF
49.1.1.0/24   9    L3IF

Static and Dynamic Classification in Action

5000 branches with up to 4 subnets each = 20,000 subnets defined in FW rules

[Diagram: Branch Office (Voice, Data, BYOD) connected over the Enterprise WAN to the Data Center]
• Existing network has 4 subnets/VLANs per branch. No use of 802.1X
• Extensive IP-based rules in DC firewalls

Policy Goal: Simplify. Filter branch traffic to Data Center resources

Simplified Firewall Rules and Policies

[Diagram: Branch Office with the VLANs voice, data and byod connected over the Enterprise WAN to the Data Center]

Destination Classification (L3 Interface-SGT maps in the Data Center):
  Database   10.1.200.100   SGT 20
  App Svr    10.2.200.100   SGT 30
  Comm Svr   10.3.200.100   SGT 40

Source Classification (same SGTs in every branch office):
  VLAN:servers  -> SGT:servers
  VLAN:voice    -> SGT:voice
  VLAN:data     -> S SGT:data
  VLAN:byod     -> SGT:byod

Overlaying Dynamic Classification

[Diagram: the same branch / Data Center topology; Database 10.1.200.100 SGT 20, App Svr 10.2.200.100 SGT 30, Comm Svr 10.3.200.100 SGT 40; Employee and BYOD endpoints in the branch]

• L3 Interface-SGT maps still in place: coarse-grained roles from VLAN
• Enable 802.1X, MAB, or Web Authentication: fine-grained roles from authentication
• Bindings from SXP take priority over static SGTs (‘Longest Match’)

Net Result: 10-20 groups instead of 20,000 subnets, add/remove branches w/o FW changes

SGACL Policy Enforcement

[Diagram: user 10.1.10.220 authenticates and is classified as Employee (5); traffic crosses the Enterprise Backbone to the servers Web_Dir 10.1.100.52 (SGT 20) and CRM 10.1.200.100 (SGT 30); the enforcing switch does a FIB lookup and finds destination MAC/port SGT 20 for DST 10.1.100.52]

Destination Classification:
  Web_Dir: SGT 20
  CRM: SGT 30

SRC\DST        Web_Dir (20)   CRM (30)
Employee (5)   SGACL-A        SGACL-B
BYOD (7)       Deny           Deny

ISE Policy Matrix (SGACL)
Centralized policy for switches, routers, WLCs and APs

[Screenshot: ISE TrustSec policy matrix; the SGACL shown:]
permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log

Dynamic Policy Download

• New User/Device/Server provisioned
• Switches request policies for the assets they protect (e.g. Prod_Server SGT=7, Dev_Server SGT=10)
• Policies downloaded & applied dynamically
• Result: All controls centrally managed
  • Security policies de-coupled from network topology
  • No switch-specific security configs needed
  • One place to audit network-wide policies

Switches pull down only the policies they need

CoA Push from PSN

• From ISE 2.4+ the network administrator can push (CoA) changes from a PSN
• Provides an option to pick the PSN from which the network device receives the updates
• Improves performance in large-scale deployments

CTS Server List for SGACL Download
• A Server List needs to be defined in ISE in case of multiple PSNs
• The switch requests the policy from the first server (PSN) for the SGT it protects
• Falls back to the next server when the first one goes down
• The default server list will only have the Primary PAN name and address

Verify SGACL Policy on IOS Switch
Switch#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 3 to group 5:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 5:
        ALLOW_HTTP_HTTPS-20
IPv4 Role-based permissions from group 3 to group 20:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 6:
        Deny IP-00
IPv4 Role-based permissions from group 3 to group 7:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 7:
        Permit IP-00

• SGACL policies could be statically defined on the NAD
• The SGACL mapping policy should match the one on ISE
• SGACL policies coming from ISE have precedence over static ones

Verifying SGACL Drops

• Use show cts role-based counters to show traffic dropped by SGACL

Switch#show cts role-based counters
Role-based IPv4 counters
From To SW-Denied HW-Denied SW-Permitted HW_Paermitted
* * 0 0 48002 369314
3 20 53499 53471 0 0
4 5 0 0 0 3777
3 6 0 0 0 53350
4 6 3773 3773 0 0
3 7 0 0 0 0
4 7 0 0 0 0

• This show command displays the content stats of RBACL enforcement. Separate counters are displayed for HW- and SW-switched packets. The user can specify the source SGT using the “from” clause and the destination SGT using the “to” clause
• Most SGACL filtering is done in HW. The SW counter increments only if the packet needs to be punted to SW (e.g. the TCAM is full, or the packet is marked to be logged)

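Worked example (added here; not code from the deck or from Cisco): a parser for the counter table above that turns it into something a monitoring job can act on: which SGT pairs are dropping, how much of the traffic is being punted to software, and the drop delta between two snapshots. The sample output is constructed in the slide's format with the last column header spelled HW-Permitted; the row pattern keys on column position, not on the header text, so either spelling parses.

```python
import re

# Constructed output in the format shown on the slide (header spelling normalised).
COUNTERS = """Switch#show cts role-based counters
Role-based IPv4 counters
From    To      SW-Denied       HW-Denied       SW-Permitted    HW-Permitted
*       *       0               0               48002           369314
3       20      53499           53471           0               0
4       5       0               0               0               3777
3       6       0               0               0               53350
4       6       3773            3773            0               0
3       7       0               0               0               0
4       7       0               0               0               0
"""

ROW_RE = re.compile(r"^\s*(\*|\d+)\s+(\*|\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_counters(text):
    """Return {(src, dst): {"sw_denied", "hw_denied", "sw_permitted", "hw_permitted"}}.
    The default-policy row keeps '*' as a string; SGT numbers become ints."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        src = m.group(1) if m.group(1) == "*" else int(m.group(1))
        dst = m.group(2) if m.group(2) == "*" else int(m.group(2))
        sw_d, hw_d, sw_p, hw_p = (int(x) for x in m.groups()[2:])
        rows[(src, dst)] = {"sw_denied": sw_d, "hw_denied": hw_d,
                            "sw_permitted": sw_p, "hw_permitted": hw_p}
    return rows


def denied_pairs(rows):
    """SGT pairs with any drops (SW + HW denied), most-dropped first: the matrix
    cells to look at when an application stops working after a policy push."""
    pairs = [(k, v["sw_denied"] + v["hw_denied"])
             for k, v in rows.items() if v["sw_denied"] + v["hw_denied"] > 0]
    return sorted(pairs, key=lambda kv: kv[1], reverse=True)


def punted_ratio(rows):
    """Share of all counted packets handled in software; a high value points at
    TCAM exhaustion or heavy use of 'log' in SGACLs, both described on the slide."""
    sw = sum(v["sw_denied"] + v["sw_permitted"] for v in rows.values())
    hw = sum(v["hw_denied"] + v["hw_permitted"] for v in rows.values())
    return sw / (sw + hw) if sw + hw else 0.0


def drop_delta(before, after):
    """Drop increase per pair between two snapshots of the same command."""
    out = {}
    for k, v in after.items():
        b = before.get(k, {"sw_denied": 0, "hw_denied": 0})
        d = (v["sw_denied"] + v["hw_denied"]) - (b["sw_denied"] + b["hw_denied"])
        if d > 0:
            out[k] = d
    return out


if __name__ == "__main__":
    rows = parse_counters(COUNTERS)
    print(denied_pairs(rows))
    print("punted to SW: %.1f%%" % (100 * punted_ratio(rows)))
```

Run the command twice a few minutes apart and feed both outputs to drop_delta(); a pair that keeps growing while users complain is a far better lead than the absolute totals, which include drops from long before the current change.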
Propagation Methods
Inline Methods
• Ethernet Inline Tagging (EtherType 0x8909): 16-bit SGT encapsulated within the Cisco Meta Data (CMD) payload
• IPsec / L3 Crypto: Cisco Meta Data (CMD) uses protocol 99, and is inserted at the beginning of the ESP/AH payload
• LISP: SGT (16 bit) insertion in the Nonce field (24 bit)
• VXLAN: SGT (16 bit) inserted into the Segment ID of the VXLAN header

SGT Exchange Protocol (SXP)
• IP-to-SGT binding exchange over 64999/TCP
• Cisco ISE can be an SXP speaker / listener

[Diagram: switches tag inline over Ethernet and routers over IPsec; an access switch (SXP speaker) sends the binding 10.1.10.220 = SGT 5 to a router (SXP listener, SXP aggregation), which also learns 10.2.15.220 = SGT 5 from another switch and forwards both bindings to an ASA]

Branch Example with Inline WAN

ISRG2/4000
Voice
BYOD 5
Corporate
Laptop Data Center
SGT over
BYOD GET-VPN, DM-
ISRG2/4000
VPN,
Voice
IPsec VPN
BYOD 5 OTP
Corporate
Laptop ASR1000

BYOD

Voice BYOD 5

Corporate ISRG2/4000
Laptop

BYOD

TECSEC-3416 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 832
Branch Example with SXP
North-South Enforcement

[Diagram: three branches (Voice, Corporate Laptop, BYOD at 172.16.101.10, 172.16.102.10 and 172.16.103.10) send SXP over the Enterprise WAN to an ASR1000 at the Data Center edge; the mappings from the branches are stored in memory on the ASR1000:]
  IP Address      SGT
  172.16.101.10   BYOD
  172.16.102.10   BYOD
  172.16.103.10   BYOD

Branch Example with SXP
East-West Enforcement
SXP Hierarchical Model

[Diagram: Wired Deploy and Wireless Deploy; access switches and WLCs are SXP advertisers, Distribution 1 and 2 are collectors; RADIUS reaches ISE via an F5 Virtual IP]

Generating SGT Bindings Directly from ISE

• RADIUS-based classifications will create IP-SGT mappings to SXP peers
• IP-SGT generated with a 3rd-party access layer using RADIUS accounting
• Share IP-SGT over SXP
• ISE “Session” info available via pxGrid
• pxGrid clients can subscribe for SGT info/bindings
• Bindings received over SXP can also be published via pxGrid

ISE SXP

Segmentation with ISE SXP Domains
[Diagram: Branch1 (router 1.1.1.1; Voice, Corporate Laptop, BYOD 172.16.102.10) and Branch2 (router 2.2.2.2; Voice, Corporate Laptop, BYOD 172.16.103.10)]

SXP Mappings
IP Address      SGT   Learned By   SXP Domain
172.16.102.10   5     Session      Branch1
172.16.103.10   5     Session      Branch2

SXP Devices
Name      IP Address   Peer Role   SXP Domain
Branch1   1.1.1.1      Listener    Branch2
Branch2   2.2.2.2      Listener    Branch1

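Worked example (added here; not ISE code): a small model of ISE SXP domains built from the two tables above. It answers the question the slide poses, which bindings each configured peer receives, and also covers the earlier "Add SXP Device" point that ISE needs at least one SXP peer before it can publish anything. The data classes, the rule that a peer only receives mappings from its own domain, and the behaviour of learn_from_speaker() (bindings from a speaking peer land in that peer's domain) are this example's assumptions; the two tables are copied from the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    ip: str          # host address or CIDR
    sgt: int
    learned_by: str  # "Session" (RADIUS/PassiveID), "Static", "SXP", ...
    domain: str      # SXP domain the mapping belongs to


@dataclass(frozen=True)
class SxpDevice:
    name: str
    ip: str
    peer_role: str   # the peer's role as seen from ISE: "Listener", "Speaker" or "Both"
    domain: str


# Constructed from the two tables on the slide.
MAPPINGS = [
    Mapping("172.16.102.10", 5, "Session", "Branch1"),
    Mapping("172.16.103.10", 5, "Session", "Branch2"),
]
DEVICES = [
    SxpDevice("Branch1", "1.1.1.1", "Listener", "Branch2"),
    SxpDevice("Branch2", "2.2.2.2", "Listener", "Branch1"),
]


def bindings_for(device, mappings):
    """Bindings ISE (as speaker) sends to this peer: only mappings in the
    peer's SXP domain, and only if the peer actually listens."""
    if device.peer_role not in ("Listener", "Both"):
        return []
    return sorted((m.ip, m.sgt) for m in mappings if m.domain == device.domain)


def publish_all(devices, mappings):
    """What every configured peer receives; mirrors the slide's note that ISE
    needs at least one SXP device before it can publish mappings."""
    if not any(d.peer_role in ("Listener", "Both") for d in devices):
        raise RuntimeError("no SXP listener configured; ISE has nothing to publish to")
    return {d.name: bindings_for(d, mappings) for d in devices}


def learn_from_speaker(device, received, mappings):
    """Bindings received from a speaking peer enter that peer's domain only,
    so peers in other domains never see them (assumption for this example)."""
    if device.peer_role not in ("Speaker", "Both"):
        raise ValueError("%s is not a speaker" % device.name)
    return mappings + [Mapping(ip, sgt, "SXP", device.domain) for ip, sgt in received]


if __name__ == "__main__":
    for name, b in publish_all(DEVICES, MAPPINGS).items():
        print(name, b)
```

Note the cross-over in the slide's tables: the device called Branch1 sits in SXP domain Branch2 and therefore receives the Branch2 mapping, not its own. Domains are the filter; device names are labels.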
Branch Example Revisited

[Diagram: Branch Office endpoints Voice, Employee 10.1.10.100 (SGT 5) and BYOD connected over the Enterprise WAN to the Data Center servers Database 10.1.200.100 (SGT 20), App Svr 10.2.200.100 (SGT 30) and Comm Svr 10.3.200.100 (SGT 40)]

1. Enable authentication (802.1X, Easy Connect, Web Authentication)
2. ISE sends the binding over SXP: 10.1.10.100 = SGT 5
3. Data Center side: servers classified as SGT 20, 30 and 40

Branch Example with SXP
• East-West Enforcement

[Diagram: Wired Deploy and Wireless Deploy; Distribution 1 and 2, Access; RADIUS reaches ISE via an F5 Virtual IP]

Branch Example with SXP (Option 1)
• East-West Enforcement
SXP Hierarchical Model

[Diagram: the same topology; access switches and WLCs are SXP advertisers, distribution switches are collectors]

Branch Example with SXP (Option 2)
• East-West Enforcement

[Diagram: the same topology with dedicated SXP PSN nodes per deployment and bidirectional SXP sharing between them]

Centralized SSID Switch Based Enforcement
Apply user-user policies as defined in ISE on traffic from the WLC

Any AP and 2500, 5500, WiSM2, 8500 Controllers

[Diagram: the WLC sends SXP to the switch; enforcement is applied on Vlan 2]

interface Vlan2
 ip local-proxy-arp
 ip route-cache same-interface
!
cts role-based enforcement
cts role-based enforcement vlan-list 2

Dynamic Segmentation on Access Points
• Needs WLC 8540 or 5520 Version 8.4
• AP Models: 2800, 3700, 3800, 1850, 1830, 1700, 2700 (AKA Wave 1 and Wave 2 APs)
• Works for centrally switched SSIDs and FlexConnect SSIDs
• Can use inline tagging and SXPv4 for propagation to upstream devices

[Diagram: two Employee clients (SGT=4) on an AP; the SGACL for Source Employees (4) to Destination Employees (4) is Anti_Malware and is applied on the AP]

Micro-Segmentation-Blocking Lateral Movement
[Diagram: Employee to Employee and Employee to Non-Compliant traffic blocked]

• SGT dynamically assigned or statically mapped to a VLAN
• SGACL applied statically via CLI or dynamically downloaded from ISE
• Lateral Movement and Privilege Escalation blocked

Block Lateral Movement SGACL:
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123

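Worked example (added here; not code from the deck, ISE or IOS): an SGACL parser and evaluator that serves both the ISE policy matrix shown under "SGACL Policy Enforcement" and "ISE Policy Matrix (SGACL)" and the lateral-movement SGACL above. It parses the ACE syntax the slides use (permit/deny, protocol, optional src/dst with eq or range, named ports, trailing log), evaluates a flow against a matrix cell, and falls back to the matrix default when no ACE in the cell matches. That fall-through, first-match-wins ordering and the named-port table are this example's assumptions; the ACL lines themselves are copied from the slides.

```python
# Constructed SGACLs, taken from the two ACLs shown on the slides.
PROD_ACL = """permit tcp dst eq 443 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log"""

BLOCK_LATERAL = """deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 445
deny tcp src dst eq 22
deny tcp src dst eq www"""

# Named ports as they appear in the slide's ACL (assumed mapping).
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}


def _port(tok):
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    if tok.isdigit():
        return int(tok)
    raise ValueError("unknown port %r" % tok)


def parse_sgacl(text):
    """Parse SGACL ACEs into dicts: action, proto, src/dst port ranges, log."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] == "remark":
            continue
        ace = {"action": toks[0], "proto": toks[1], "src": None, "dst": None,
               "log": toks[-1] == "log"}
        body = toks[2:-1] if ace["log"] else toks[2:]
        side, i = None, 0
        while i < len(body):
            t = body[i]
            if t in ("src", "dst"):
                side = t                      # 'src' with no operator means any port
            elif t in ("eq", "range") and side is None:
                raise ValueError("port operator without src/dst in %r" % line)
            elif t == "eq":
                p = _port(body[i + 1]); ace[side] = (p, p); i += 1
            elif t == "range":
                ace[side] = (_port(body[i + 1]), _port(body[i + 2])); i += 2
            else:
                raise ValueError("unsupported token %r in %r" % (t, line))
            i += 1
        aces.append(ace)
    return aces


def evaluate_sgacl(aces, proto, sport=None, dport=None, implicit="permit"):
    """First matching ACE wins; returns (action, log).  'implicit' is the result
    when nothing matches and is a parameter because that depends on platform:
    end every production SGACL with an explicit 'permit ip' or 'deny ip'."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] and not (sport is not None and ace["src"][0] <= sport <= ace["src"][1]):
            continue
        if ace["dst"] and not (dport is not None and ace["dst"][0] <= dport <= ace["dst"][1]):
            continue
        return ace["action"], ace["log"]
    return implicit, False


class PolicyMatrix:
    """ISE-style matrix: (src_sgt, dst_sgt) -> ordered SGACL names, plus a default."""

    def __init__(self, sgacls, default="permit"):
        self.sgacls = {name: parse_sgacl(text) for name, text in sgacls.items()}
        self.sgacls["Permit IP"] = parse_sgacl("permit ip")
        self.sgacls["Deny IP"] = parse_sgacl("deny ip")
        self.cells = {}
        self.default = default

    def set_cell(self, src, dst, *names):
        self.cells[(src, dst)] = list(names)

    def decide(self, src, dst, proto, sport=None, dport=None):
        """Return (action, sgacl_name); name is None when the matrix default applied."""
        names = self.cells.get((src, dst))
        if names is None:
            return self.default, None
        for name in names:                    # SGACLs in a cell are evaluated in order
            action, _log = evaluate_sgacl(self.sgacls[name], proto, sport, dport, implicit=None)
            if action is not None:
                return action, name
        return self.default, None             # no ACE matched: fall through (assumption)


if __name__ == "__main__":
    m = PolicyMatrix({"Web_Only": PROD_ACL, "Block_Lateral": BLOCK_LATERAL})
    m.set_cell(5, 20, "Web_Only"); m.set_cell(7, 20, "Deny IP"); m.set_cell(4, 4, "Block_Lateral")
    print(m.decide(5, 20, "tcp", 51000, 443), m.decide(4, 4, "tcp", 40000, 3389))
```

The lateral-movement cell only lists denies, so everything else between two Employees is left to the fall-through; that is the point of the slide, but it is also why the evaluator insists on an explicit trailing ACE for anything that is meant to be a whitelist.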
Path Selection Based on SGT
Available in ASR1000, CSR1000v, ISR4000, ASA

Security Example
✓ Redirect traffic from malware-infected hosts
  • Contain threats
  • Pass traffic through centralized analysis and inspection functions

Other Examples
✓ Map different user groups to different WAN services
  • Segment in a site with TrustSec
  • SGT routes traffic to the correct WAN/VRF

[Diagram: SGT-based Policy-based Routing and VRF selection based on SGT; User B (Suspicious), User A (Employee) and User C (Guest, VRF-GUEST) are routed to different Enterprise WAN paths]

Quality of Service Based on SGT
ASR1000, ISR4000

• Provides QoS service levels on a per user-group basis {Platinum users, Gold users, Silver users}
• User groups can be defined based upon contextual information, e.g.:
  Employee with corporate device → Premium Group (Employee)
  Partners → Gold Group (Partners)
  Guest users → Silver Group (Guests)
• Prioritizes applications (Voice, Video, Office) within each user group for allocation of bandwidth and other QoS policies

(diagram: WAN-1 on Gig 0/1, 100 Mbps link rate; one CIR level per SGT (Employee, Partners, Guest) above Best Effort)
Simplifying WSA Policies with SGTs
Context ISE shares with the Web Security Appliance over pxGrid:
  Who: Doctor / What: Laptop / Where: Office → Doctor
  Who: Doctor / What: iPad / Where: Office → BYOD
  Who: Guest / What: iPad / Where: Office → Guest

(diagram: endpoints → Enterprise Backbone → Web Security Appliance → Internet; ISE ↔ WSA via pxGrid)

WSA access policies keyed on the group:
Order  Group            Protocols and User Agents  URL Filtering          Applications                    Objects           Anti-Malware and Reputation
1      Doctors          (global policy)            Block: 1, Monitor: 78  Block: 10, Monitor: 367         (global policy)   (global policy)
2      BYOD             (global policy)            Block: 1, Monitor: 78  Block: 10, Monitor: 367         (global policy)   (global policy)
3      Guests           (global policy)            Block: 1, Monitor: 78  Block: 10, Monitor: 367         (global policy)   (global policy)
       Global Policies  No blocked items           Monitor: 79            Monitor: 367                    No Blocked Items  Web Reputation: Enabled; Anti-Malware Scanning: Enabled
Rapid Threat Containment: FTD
• Threat from Joe's device detected by FTD on the path to Business Data / App / Storage
• Assign SGT for quarantine or additional inspection, based on indicators of compromise
• Invoke different segmentation, firewall and IPS policies

(diagram: Corp Network, Corporate VN; Joe (Employee SGT) and Mary (Finance SGT); Joe moved to Quarantine)
Rapid Threat Containment: Stealthwatch
• Stealthwatch detects a flow anomaly from Mary's device (flows toward INET and Business Data / App / Storage)
• Assign SGT for quarantine or additional inspection, triggered by Stealthwatch behaviour modelling and applied through ISE
• Invoke different segmentation, firewall and IPS policies

(diagram: Corp Network, Corporate VN; Joe (Employee SGT), Mary (Finance SGT) moved to Quarantine; Stealthwatch → ISE)
Security Groups Provisioned in ACI
• ISE dynamically provisions Security Groups in the ACI fabric through APIC
• Security Groups are represented as External EPGs

(diagram: Group-Based Policy domain (ISE) ↔ ACI (APIC))
SGT Info Used in ACI Policies
TrustSec Policy Domain (ISE) ↔ ACI Policy Domain (APIC)

Controller layer:
• ISE exchanges: SGT name = Auditor, SGT binding = 10.1.10.220
• ISE retrieves: EPG name = PCI EPG, EPG binding = 10.1.100.52

Network layer:
• Auditor (10.1.10.220) → Enterprise Backbone → ACI Border Leaf (N9K) → ACI Spine (N9K) → PCI EPG (10.1.100.52)
• Packet: SRC 10.1.10.220, DST 10.1.100.52, enforced in the fabric
• TrustSec groups available in ACI policies
Sharing Application Context to Group-Based Policies
• ISE dynamically learns internal EPGs and VM bindings (VM1 ... VM1000) from the ACI fabric through APIC
• Group-Based Policies controlling access to ACI data centers

(diagram: SGT Domain ↔ ACI Fabric)
ACI EPG Info Used in Group-Based Policies
TrustSec Policy Domain (ISE) ↔ ACI Policy Domain (APIC)

Controller layer:
• ISE retrieves: EPG name = PCI EPG, endpoint = 10.1.100.52
• Retrieved groups: Auditor, PCI EPG
• Propagated with SXP: Auditor = 10.1.10.220, PCI EPG = 10.1.100.52

Network layer:
• Auditor (10.1.10.220) → Enterprise Backbone → ACI Border Leaf (N9K) → ACI Spine (N9K) → PCI EPG (10.1.100.52)
• Plain Ethernet (no CMD) between the backbone and the ACI border leaf; SGT optional
• Endpoint Groups available in TrustSec policies
Agenda

• Introduction
• Group-Based Policy Fundamentals
• Classification
• Enforcement
• Propagation

• One Little Tag, so Many Uses


• Getting Started With Policies
• Managing Policies and Changes

Getting Started

Identify assets to protect (e.g., your Crown Jewels):
• Cardholder data
• Medical records
• Intellectual Property
• Prod vs Dev separation
• Vulnerable systems
• Protect employees from lateral movement of threats

Map assets to policy groups:
• Users/Devices: define dynamic SGT classification based on context
• Protected Apps/Resources: define DC resources; learn from ACI DC; learn from Cloud

Policy Enforcement:
• Define how groups can interact
• DC segmentation (DC virtual/physical switches or virtual/physical firewalls)
• Enforcement automatically on Edge Nodes for E-W control
• User to DC access control
• Choose other enforcement points based on the use case (identify capable switches or firewalls in the path)
Typical Policy Starting Points / Use-Cases

Start small → select 1 use-case → prove value & provide operational understanding

Use-case examples                          Value or operational understanding
Reducing IP access list complexity         Reduce errors & human resource impact
Reducing and simplifying firewall rules    Reduce errors & human resource impact
Segregating user groups                    Reduce lateral movement
Segregating IoT devices                    Protecting vulnerable systems
Reducing compliance scope                  PCI, HIPAA
Controlling access to Crown Jewels         IP protection, export controls, Prod / Dev segregation, etc.
Understanding Traffic Flows
Policy modeling options:
• SGACL Monitor Mode
• Log Permit SGACLs
• Cisco Stealthwatch (NetFlow)
  • SGT included in flow records
  • Stealthwatch 7.0 consumes SGT from pxGrid

(diagram: observed flows between Users (User1, User2, Admin), Devices (Device1, Device2, Device3) and Apps/Services (App1, App2, Billing, AD Server, Network Services))
Modelling Policies with Syslog

User authenticated and classified as Employee (5).
Destination classification: Web_Dir = SGT 20, CRM = SGT 30.

Flows: SRC 10.1.10.220 (SGT 5) → DST 10.1.100.52 (Web_Dir, SGT 20); SRC 10.1.10.220 (SGT 5) → DST 10.1.200.100 (CRM, SGT 30)

Matrix during modelling (every cell logs its hits):
SRC \ DST      Web_Dir (20)     CRM (30)
Employee (5)   Permit IP log    Permit IP log
BYOD (7)       Permit IP log    Permit IP log
Visibility Through NetFlow

NetFlow provides
• A trace of every conversation in your network
• The ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• The ability to find north-south as well as east-west communication
• Lightweight visibility compared to SPAN-based traffic analysis
• Indications of Compromise (IOC)

Example flow record (10.1.8.3 → 172.168.134.2):
SOURCE ADDRESS              10.1.8.3
DESTINATION ADDRESS         172.168.134.2
SOURCE PORT                 47321
DESTINATION PORT            443
INTERFACE                   Gi0/0/0
IP TOS                      0x00
FLOW CTS SOURCE GROUP TAG   41
IP PROTOCOL                 6
NEXT HOP                    172.168.25.1
TCP FLAGS                   0x1A
: :
APPLICATION NAME            NBAR SECURE-HTTP
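As an added example (not Cisco code and not from the deck), the script below turns the two modelling sources described on the preceding slides, SGACL hit syslog from cells set to "Permit IP log" and NetFlow records that carry the source Security Group Tag, into one source-SGT/destination-SGT table and proposes a least-privilege SGACL per cell from it. Every input is constructed: the syslog lines imitate the key='value' layout of the IOS RBM-6-SGACLHIT message, the NetFlow records are shown already decoded with the field names from the flow-record slide, and the IP-to-SGT bindings stand in for what SXP would distribute; the destination SGT is resolved from those bindings because the exporter here carries only the source tag.

```python
"""Derive candidate SGACLs from observed traffic.

Added example for this page, not Cisco code and not from the TECSEC-3416 deck.
It consumes two of the policy-modelling sources the deck lists: SGACL hit
syslog from a cell configured with 'Permit IP log', and NetFlow records that
carry the source Security Group Tag. Both feed one (source SGT, destination
SGT) -> {service: hits} table, from which a least-privilege SGACL per cell is
proposed. All input is constructed: the syslog lines imitate the key='value'
layout of the IOS RBM-6-SGACLHIT message, and the NetFlow records are shown
already decoded, with field names taken from the deck's flow-record slide.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, Optional, Tuple

Cell = Tuple[int, int]
Observation = Tuple[Cell, str, Optional[int], int]   # cell, proto, dport, hits

# IP-to-SGT bindings (constructed), the kind SXP distributes; used to resolve
# the destination SGT when a flow record carries only the source tag.
BINDINGS = {"10.1.100.52": 20, "10.1.200.100": 30}   # Web_Dir, CRM

SYSLOG = """\
%RBM-6-SGACLHIT: ingress_interface='Gi1/0/1' sgacl_name='Permit_IP_log' action='Permit' protocol='tcp' src-ip='10.1.10.220' src-port='51022' dest-ip='10.1.100.52' dest-port='443' sgt='5' dgt='20' logging_interval_hits='12'
%RBM-6-SGACLHIT: ingress_interface='Gi1/0/1' sgacl_name='Permit_IP_log' action='Permit' protocol='tcp' src-ip='10.1.10.220' src-port='51023' dest-ip='10.1.200.100' dest-port='8443' sgt='5' dgt='30' logging_interval_hits='3'
%RBM-6-SGACLHIT: ingress_interface='Gi1/0/7' sgacl_name='Permit_IP_log' action='Permit' protocol='tcp' src-ip='10.1.10.77' src-port='40001' dest-ip='10.1.100.52' dest-port='3389' sgt='7' dgt='20' logging_interval_hits='1'
"""

NETFLOW = [
    {"SOURCE ADDRESS": "10.1.10.220", "DESTINATION ADDRESS": "10.1.100.52",
     "DESTINATION PORT": 443, "IP PROTOCOL": 6, "FLOW CTS SOURCE GROUP TAG": 5},
    {"SOURCE ADDRESS": "10.1.10.220", "DESTINATION ADDRESS": "10.1.200.100",
     "DESTINATION PORT": 8443, "IP PROTOCOL": 6, "FLOW CTS SOURCE GROUP TAG": 5},
    {"SOURCE ADDRESS": "10.1.10.77", "DESTINATION ADDRESS": "10.1.200.100",
     "DESTINATION PORT": 53, "IP PROTOCOL": 17, "FLOW CTS SOURCE GROUP TAG": 7},
]

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
KV = re.compile(r"(\S+?)='([^']*)'")   # key='value' pairs of the syslog line


def flows_from_syslog(text: str) -> Iterator[Observation]:
    """Yield one observation per SGACLHIT line; hits come from the interval counter."""
    for line in text.splitlines():
        if "SGACLHIT" not in line:
            continue
        f = dict(KV.findall(line))
        proto = f["protocol"]
        dport = int(f["dest-port"]) if proto in ("tcp", "udp") else None
        yield (int(f["sgt"]), int(f["dgt"])), proto, dport, int(f.get("logging_interval_hits", 1))


def flows_from_netflow(records: Iterable[dict], bindings=BINDINGS) -> Iterator[Observation]:
    """Yield observations from decoded records; destinations without a binding map to SGT 0."""
    for r in records:
        proto = PROTO_NAMES.get(r["IP PROTOCOL"], str(r["IP PROTOCOL"]))
        dport = r.get("DESTINATION PORT") if proto in ("tcp", "udp") else None
        yield (r["FLOW CTS SOURCE GROUP TAG"], bindings.get(r["DESTINATION ADDRESS"], 0)), proto, dport, 1


def build_matrix(*sources: Iterable[Observation]) -> Dict[Cell, Counter]:
    """Merge every source into {(sgt, dgt): Counter({(proto, dport): hits})}."""
    matrix: Dict[Cell, Counter] = defaultdict(Counter)
    for source in sources:
        for cell, proto, dport, hits in source:
            matrix[cell][(proto, dport)] += hits
    return matrix


def propose_sgacl(matrix: Dict[Cell, Counter], cell: Cell, min_hits: int = 1) -> str:
    """Least-privilege SGACL for one cell, busiest service first, closed with deny ip log.

    Services seen fewer than min_hits times are dropped so that a single
    stray RDP attempt does not become a permanent permit.
    """
    seen = matrix.get(cell, Counter())
    ordered = sorted(seen.items(), key=lambda kv: (-kv[1], kv[0][0], kv[0][1] or 0))
    lines = []
    for (proto, dport), hits in ordered:
        if hits < min_hits:
            continue
        lines.append(f"permit {proto} dst eq {dport}" if dport is not None else f"permit {proto}")
    lines.append("deny ip log")
    return "\n".join(lines)
```

Run it over a syslog export and a collector dump taken during the monitor period, then raise min_hits to the noise floor you see; every proposed permit still needs a human review, because the table records what happened during the observation window, not what should be allowed.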
Policy Traffic Monitoring in Stealthwatch
• Who, What, Where, When, plus more context: the Security Group
• Highly scalable (enterprise class) collection
• High compression => long-term storage
• Months of data retention
Model Policy in Stealthwatch
• Generate a security event when a flow condition based on the SGT value is seen
Enabling Policies
Egress enforcement
▪ Security Group ACL

(diagram: Users/Endpoints on the Campus Network → PCI Server, Production Server, Development Server)

Monitor Mode (access port configuration):
  authentication port-control auto
  authentication open
  dot1x pae authenticator

SRC \ DST       PCI Server (111)   Dev Server (222)
Dev User (8)    Deny all           Permit all
PCI User (10)   Permit all         Permit all
Unknown (0)     Deny all           Permit all

• Users connect to the network, are authorised passively, and an SGT is assigned
• Traffic traverses the network to the data center enforcement points
• Enforcement may be enabled gradually per source/destination pair

With "authentication open", an endpoint that fails or never attempts 802.1X still passes traffic; it carries no SGT and is evaluated in the Unknown (0) row, which is why that row is modelled explicitly.
Policy Management Functions in ISE
• Apply changes
• Can show the policy in a simpler tabular view for adds, moves and changes
• Anything without an SGT assignment is treated as the Unknown SGT
• Blank cells get the 'Default SGACL'
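As an added example (not Cisco code and not from the deck), the following models the matrix semantics stated on this slide and on the earlier micro-segmentation and Enabling Policies slides: the Unknown (0) row for unclassified endpoints, the default SGACL for blank cells, and first-match ACE evaluation inside a cell. The ports and SGT numbers are the slides' own; the "src dst" placeholders are accepted but ignored, and the fall-through from a cell whose ACEs do not match to the matrix default is an assumption of this model, not a statement about platform behaviour.

```python
"""Evaluate flows against a TrustSec policy matrix.

Added example for this page, not Cisco code and not from the TECSEC-3416 deck.
It parses the SGACL syntax shown on the slides and applies the matrix rules the
slides state: no SGT means the Unknown (0) row, blank cells get the default
SGACL. A flow matching no ACE in its cell is handed to the matrix default too;
that fall-through is a modelling assumption, so in production end every cell
with an explicit Permit IP or Deny IP instead of relying on it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}
UNKNOWN_SGT = 0


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    dport: Optional[int]  # None = any destination port
    log: bool             # trailing "log": hit is reported via syslog
    text: str             # original line, quoted in the reason string


def parse_ace(line: str) -> Ace:
    """Parse one ACE, e.g. 'deny tcp src dst eq 3389' or 'permit ip log'."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    log = tokens[-1] == "log"
    if log:
        tokens = tokens[:-1]
    dport = None
    if "eq" in tokens:                      # 'src dst' are placeholders on the slide
        name = tokens[tokens.index("eq") + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(tokens[0], tokens[1], dport, log, line.strip())


def parse_sgacl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


@dataclass
class Matrix:
    cells: Dict[Tuple[int, int], List[Ace]] = field(default_factory=dict)
    # Blank cells get the default SGACL; Permit IP until you change it.
    default: List[Ace] = field(default_factory=lambda: parse_sgacl("permit ip"))

    def add_cell(self, sgt: int, dgt: int, sgacl: str) -> None:
        self.cells[(sgt, dgt)] = parse_sgacl(sgacl)


@dataclass(frozen=True)
class Flow:
    sgt: Optional[int]    # None = endpoint never classified
    dgt: Optional[int]
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def first_match(aces: List[Ace], flow: Flow) -> Optional[Ace]:
    for ace in aces:
        if ace.proto in ("ip", flow.proto) and ace.dport in (None, flow.dport):
            return ace
    return None


def evaluate(matrix: Matrix, flow: Flow) -> Tuple[str, str, bool]:
    """Return (action, reason, logged) for one flow."""
    sgt = UNKNOWN_SGT if flow.sgt is None else flow.sgt
    dgt = UNKNOWN_SGT if flow.dgt is None else flow.dgt
    cell = matrix.cells.get((sgt, dgt))
    if cell is not None:
        ace = first_match(cell, flow)
        if ace is not None:
            return ace.action, f"cell ({sgt},{dgt}): {ace.text}", ace.log
    ace = first_match(matrix.default, flow)
    if ace is None:  # only if the default itself lacks a catch-all
        return "deny", "matrix default has no matching ACE", False
    return ace.action, f"matrix default: {ace.text}", ace.log


# The deck's "Block Lateral Movement" SGACL for Employees (4) -> Employees (4);
# the order of the denies does not matter because every ACE is a deny.
BLOCK_LATERAL_MOVEMENT = "\n".join(
    ["deny icmp", "deny udp src dst eq domain", "deny udp src dst eq snmp"]
    + [f"deny tcp src dst eq {p}" for p in (3389, 1433, 1521, 445, 137, 138, 139,
                                             "telnet", "www", 443, 22, "pop3", 123)]
)


def build_deck_matrix() -> Matrix:
    """Cells shown on the slides: micro-segmentation plus the DC egress matrix."""
    m = Matrix()
    m.add_cell(4, 4, BLOCK_LATERAL_MOVEMENT)
    m.add_cell(8, 111, "deny ip")      # Dev User -> PCI Server: Deny all
    m.add_cell(10, 111, "permit ip")   # PCI User -> PCI Server: Permit all
    m.add_cell(0, 111, "deny ip")      # Unknown  -> PCI Server: Deny all
    for src in (8, 10, 0):             # all rows -> Dev Server: Permit all, logged
        m.add_cell(src, 222, "permit ip log")
    return m
```

The reason string tells you which cell and which ACE decided a flow, which is the question you end up asking when a matrix has dozens of rows; evaluate() returning "matrix default" for a flow you expected a cell to handle is the sign that the cell needs its own catch-all.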
Advanced Policy Management in ISE
Matrix workflow options:
• Default setting (a single matrix)
• Up to 5 separate matrices
• Or a single staging matrix merged with the production matrix upon approval
Advanced Policy Management in ISE
• Change approval before deploy is possible
• Can discard changes at any time
• Choose where you want to apply changes
• View the delta
Using Multiple Policy Matrices
• Different policy matrices for different purposes
  • Geographic operations
  • Different types of site
  • Different policies for different threat states
• Move network devices from one policy matrix to another as required
Policy Deployment Validation

TrustSec Verification Details Report

TrustSec Policy Download Report
Walking on solid ISE
Advanced use cases and deployment best practices
TECSEC-3416

Topics covered: Solid ISE; Endpoint Compliance; ISE in Wired Networks; ISE in VPN Networks; TrustSec (Group-based Policies); IDFW/SGFW using FMC/FTD; Deploying Visibility; Designing ISE Architectures; ISE in Wireless Networks; RADIUS Optimizations
ISE Diagonal Learning Map
• BRKSEC-3229 / Friday 9h00: ISE under magnifying glass. How to troubleshoot ISE
• BRKSEC-3690 / Thursday 11h15: Advanced Security Group Tags: The Detailed Walk Through
• BRKSEC-1003 / Wednesday 16h45: Cisco Platform Exchange Grid (pxGrid) Inside Out
• BRKSEC-2140 / Friday 9h00: 2 birds with 1 stone: Duo integration with Cisco ISE and Firewall solutions
• BRKSEC-2025 / Wednesday 8h30: Integrating Security Solutions with Software Defined Access Campus Networks
• BRKSEC-3432 / Thursday 8h30: Advanced ISE Architect, Design and Scale ISE for your production networks
• TECSEC-3416 / Monday 8h30: Walking on solid ISE: advanced use cases and deployment best practices
• BRKSEC-2111 / Wednesday 14h45: Visibility and Segmentation: First steps to secure Industrial Networks
• BRKSEC-2430 / Tuesday 14h30: ISE Deployment Staging and Planning
Firepower Diagonal Learning Map
(session code, time and title as on the slide; sessions are spread over Monday to Friday)
• TECSEC-2600 (for beginners) / Monday 8h30: Next Generation Firewall Platforms and Integrations
• TECSEC-3004 (for existing customers) / Monday 8h30: Troubleshooting Firepower Threat Defense like a TAC Engineer
• BRKSEC-2034 / 14h45: Cloud Management of Firepower and ASA with Cisco Defense Orchestrator
• BRKSEC-3629 / 14h45: Designing IPsec VPNs with Firepower Threat Defense integration for Scale and High Availability
• BRKSEC-2056 / 9h45: Threat Centric Network Security
• PSOSEC-4905 / 13h30: The Future of the Firewall
• BRKSEC-3035 / 8h30: Firepower Platforms Deep Dive
• BRKSEC-3093 / 14h45: ARM yourself using NGFWv in Azure
• BRKSEC-3328 / 11h00: Making Firepower Management Center (FMC) Do More
• BRKSEC-3300 / 9h00: Advanced IPS Deployment with Firepower NGFW
• BRKSEC-2348 / 17h00: Deploying AC with FP – posture & MFA
• BRKSEC-2140 / 9h00: 2 birds with 1 stone: Duo integration with Cisco ISE and Firewall solutions
• BRKSEC-2020 / 11h00: Deploying FP Tips and Tricks
• BRKSEC-3455 / 11h15: Dissecting Firepower NGFW: Architecture and Troubleshooting
• BRKSEC-2494 / 8h30: Maximizing Threat Efficacy & Perf
• BRKSEC-3032 / 11h30: Firepower NGFW Clustering Deep Dive
• BRKSEC-2663 / 16h45: DDoS Mitigation: Introducing Radware Deployment
• BRKSEC-3063 / 14h30: Decrypting the Internet with Firepower!
ISE Support Options
Public:
• http://cs.co/ise-resources
• http://cs.co/ise-community
Partner/Sales:
• http://cs.co/selling-ise
• http://cs.co/spa-community
It’s never too late for some reference guides
Set Up Cisco ISE in a Distributed Environment (v2.7)
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_admin_guide_27/b_ise_admin_guide_27_chapter_011.html
ISE Profiling Design Guide
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
Configuring IEEE 802.1X Port-Based Authentication (Cisco Catalyst Switches)
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/sec/b_169_sec_9300_cg/configuring_ieee_802_1x_port_based_authentication.html
Central Web Authentication on the WLC and ISE Configuration Example
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
ISE and Catalyst 9800 series integration guide
https://community.cisco.com/t5/security-documents/ise-and-catalyst-9800-series-integration-guide/ta-p/3753060
Cisco ISE BYOD Prescriptive Deployment Guide
https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867
Cisco TrustSec Design Guides
https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/design-guide-listing.html
Software-Defined Access for Distributed Campus Deployment Guide
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/SD-Access-Distributed-Campus-Deployment-Guide-2019JUL.html
Cisco Wireless LAN Controller Software Technical References
https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-technical-reference-list.html
Cisco Meraki EMM Integration with Cisco Identity Service Engine
https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/4561-docs-security/6189/1/How-To_68_MDM_Meraki.pdf
ISE Posture Prescriptive Deployment Guide
https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
ISE Security Ecosystem Integration Guides
https://community.cisco.com/t5/security-documents/ise-security-ecosystem-integration-guides/ta-p/3621164
It’s never too late to read a book
CCIE Wireless v3 Study Guide
http://www.ciscopress.com/store/ccie-wireless-v3-study-guide-9781587206207
Cisco ISE for BYOD and Secure Unified Access
http://www.ciscopress.com/store/cisco-ise-for-byod-and-secure-unified-access-9780134586663
And for some other additional “education”
Paella:
• Bodega La Puntual: https://goo.gl/maps/BDoDFAgyAaw
• El Xampanyet: https://goo.gl/maps/TCkrTvUafz12
• Bodega La Tinaja: https://goo.gl/maps/ruCiByNBZ1U2
• Flax&Kale: https://goo.gl/maps/BeGdzCQfQ1J2
• Bilbao Berria: https://goo.gl/maps/JKh5bMNp8Zw
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education
• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
