Presentation ISEcisco

Cisco Identity Services Engine (ISE) provides a comprehensive zero-trust approach for securing access across users, devices, and applications in the workplace. ISE offers visibility into the network and users, segmentation to shrink trust zones and grant least privilege access, and containment to automatically isolate infected endpoints. ISE provides identity and access management, including authentication of users, devices, and things, as well as authorization options to enable secure access control through technologies like 802.1X, MAB, VPN, and SAML. Customers purchase ISE for capabilities like device administration, secure access control, guest access management, asset visibility, compliance and posture checking, and context exchange through its open pxGrid ecosystem.


Cisco Identity Services Engine (ISE)

Balancing Business Objectives and Providing Protection with Zero-Trust in The Workplace
Mohamed RAHMOUNI
Cisco Systems Engineer
25 May 2021
Cisco Secure Zero Trust
A comprehensive approach to securing all access across your people,
applications, and environments.

Workforce: Ensure only the right users and secure devices can access applications.
Workplace: Secure all user and device connections across your network, including IoT.
Workloads: Secure all connections within your apps, across multi-cloud.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The Foundations of Zero Trust in Your Workplace

Visibility: Grant the right level of network access to users across domains.
Segmentation: Shrink zones of trust and grant access based on least privilege.
Containment: Automate containment of infected endpoints and revoke network access.

ISE Provides Zero Trust for the Workplace
Enterprise Security (diagram: ISE at the centre, with Cisco DNA Center alongside)

Endpoints
• Users
• Devices
• Things

Network Devices
• Switches
• WLCs / APs
• VPN

Cisco ISE
• Standalone ISE
• Multi-node ISE
• VM/Appliance

Identity Services
• Azure/AD/LDAP
• MDM
• SAML/MFA

Security Services
• Cloud Analytics
• Secure Firewall
• Partners

ISE Secure Access Control Options
Native Supplicants | Cisco AnyConnect
SAML IdPs / Single Sign-On: Azure Active Directory
APIs
Scale: Up to 2,000,000 concurrent sessions | Up to 100K Network Devices | 300K Internal Users | Up to 50 distinct AD domain support

Enterprise Network access methods into ISE: 802.1X, WebAuth, VPN, MAB
Credentials: Certificate based Auth, Passwords/Tokens
Certificate Authorities: SCEP/CRL, Built-in CA
External Identity Stores: Azure Active Directory, Active Directory, LDAP/SQL, SQL Server, PostgreSQL, OAuth:ROPC

Authentication Methods
Passive Identity
• MAC Authentication Bypass
• Easy Connect ®
Active Identity
• IEEE 802.1X
• Web Authentication
  – Central WebAuth
  – Local WebAuth

Authorization Options
• Downloadable / Named ACL
• Airespace ACL
• VLAN Assignment
• Security Group Tags
• URL-Redirection
• Port Configuration: ASP Macro / Interface-Template

Why Customers Buy ISE
TACACS+ Device Administration: Migrating from Cisco Secure ACS or building a new Device Administration Policy Server, this allows for secure, identity-based access to the network devices.

Secure Access: Allow wired, wireless, or VPN access to network resources based upon the identity of the user and/or endpoint. Use RADIUS with 802.1X, MAB, Easy Connect, or Passive ID.

Guest Access: Differentiate between Corporate and Guest users and devices. Choose from Hotspot, Self-Registered Guest, and Sponsored Guest access options.

Asset Visibility: Use the probes in ISE and Cisco network devices to classify endpoints and authorize them appropriately with Device Profiling. Automate access for many different IoT devices.

Compliance & Posture: Use agentless posture, AnyConnect, MDM, or EMM to check endpoints to verify compliance with policies (Patches, AV, AM, USB, etc.) before allowing network access.

Context Exchange: ISE pxGrid is an ecosystem that allows any application or vendor to integrate with ISE for endpoint identity and context to increase Network Visibility and facilitate automated Enforcement.

Segmentation: Group-based Policy allows for segmentation of the network through the use of Scalable Group Tags (SGT) and Scalable Group ACLs (SGACL) instead of VLAN/ACL segmentation.

Cisco SDA/DNAC: ISE integrates with DNA Center to automate the network fabric and enforces the policies throughout the entire network infrastructure using Software-Defined Access (SDA).

BYOD: Allow employees to use their own devices to access network resources by registering their device and downloading certificates for authentication through a simple onboarding process.

Threat Containment: Using a Threat Analysis tool, such as Cisco Cognitive Threat Analytics, to grade an endpoint's threat score and allow network access based upon the results.

Device Administration with TACACS+

Diagram: Network Admins and Help desk Admins reach network devices over SSH, Telnet or Serial, with ISE acting as the TACACS+ device-administration server.

ISE and Duo Integration for MFA

Diagram: users reach the on-premise ISE through different network devices; Duo supplies the 2nd factor via the Duo Auth Proxy and the Duo Cloud Service, and Microsoft Active Directory holds the primary identities.
• John (Contractors) connected via Switch-SJC01
• Bob (Guest) connected via "CORP" AP-SJC03
• Alice (Employees) connected via SJC-VPN-2

A Typical Customer Journey
Not a standard or recommended approach
Each use case may be the end goal

Use cases, in the order customers typically adopt them:
• Wireless (Visibility): Start with Secure Wireless; non-disruptive due to SSIDs
• Guest: Customer / Corporate / BYOD
• Wired (Visibility): Secure Wired Access; 802.1X / MAB (with Profiling)
• Posture: See Apps & HW inventory; Enforce system compliance
• Segmentation: Use SGTs for segmentation; Enforce Group based policies
• RTC: Integrate with eco-system partners; Contain threats

Guest Solution Overview

• 1 million supported Guest accounts
• Guest account notification options: EMAIL, PRINT, SMS
• Portal language customization
• Social Media Login support
• Manage guest accounts via REST API

The 3 types of guest access
• Hotspot: Immediate, un-credentialed Internet access
• Self Registered: Self-registration by guests; Sponsors may approve access
• Sponsored Guest Access: Authorized sponsors create account and share credentials

ISE BYOD Solution
Diagram: BYOD devices are onboarded with Single / Dual SSID provisioning, a Native supplicant and certificate provisioning, and the ISE internal CA issues the BYOD certificates; access to Corporate versus Public resources is granted based on MDM policy.

Device Support (iDevice, Android, macOS, Windows, ChromeOS): support for single / dual SSID provisioning, native supplicant and certificate provisioning, and EMM/MDM integrations differs per platform.

EMM: Enterprise Mobility Management | MDM: Mobile Device Management
https://cisco.com/go/csta
Endpoint Profiling
The profiling service in Cisco ISE identifies the devices that connect to your network

ISE Data Collection Methods for Device Profiling
• Active Probes: Netflow | DHCP | DNS | HTTP | RADIUS | NMAP | SNMP | AD
• Device Sensor (DS): CDP | LLDP | DHCP | HTTP | H323 | SIP | MDNS
• AnyConnect Identity Extensions (ACIDex)
• Feed Service (Online/Offline)

Endpoints send interesting data that reveals their device type; the Device Sensor on the network device and ACIDex in AnyConnect forward it to ISE.

Profiling Packages and Integrations
• Medical Devices Library: 250+ Medical device profiles (Hospital)
• IOT Building & Automation
• Industrial Devices: Cisco Industrial Network Director (IND) in the Factory, integrated with ISE via pxGrid
• Cisco AI Endpoint Analytics: profiles IOT devices and sends endpoint labels via pxGrid to ISE for authorization

https://community.cisco.com/t5/tag/ise-endpoint-profile/tg-p/board-id/4561-docs-security
Cisco AI Endpoint Analytics and ISE
Diagram: Cisco DNA Center with Endpoint Analytics (DNAC+EA) shows device classification results associated with endpoints and passes the classifications as context to the Cisco ISE policy. Telemetry sources: NBAR telemetry (SD-AVC Agent) from Catalyst 9000 switches and the Wireless LAN Controller, and a Traffic Telemetry Appliance (TTA) fed by SPAN at the Distribution Layer for legacy Cisco switches and 3rd-party devices.

Create ISE Custom profile using EA attributes
ISE UI: Work Centers > Profiler > Profiling Policies

Warning: If you do not include the MAC address, ISE will apply the change to all IP Phones. Do not enable the policy until you test it in production. Add IP Phones behind Network Devices by adding specific Network Devices or Network Device Groups in the Authorization policy.

Active versus Passive Identity
Passive Identity flow (Jim)
1 MAB
2 Limited access
3 DOMAIN\Jim (AD Login)
4 Active Directory reports "Jim Logged in" to ISE
5 Full Access

Active Identity flow (Alice)
1 802.1X
2 Auth Req: ISE asks Active Directory "Alice?" and gets Yes
3 Full Access

Active Identity: IP to User mapping between ISE and the client via 802.1X, Web authentication, Remote access VPN, etc. with RADIUS.
Passive Identity: IP to User mapping via passive means like AD Eventing API, WMI events, AD Agents, Syslog, SPAN sessions and more.

Make it easy with ‘Easy Connect’
Identity based network access without 802.1X
Flow (Enterprise Network with AD Domain Controller, DHCP, DNS and NTP; no 802.1X on the endpoint):
• Bob's endpoint authenticates with MAB: identity UNKNOWN, so the policy grants LIMITED ACCESS
• Bob logs in to AD as DOMAIN\bob
• ISE retrieves the user-ID and the user's AD membership
• EMPLOYEES matches FULL ACCESS, and ISE sends CoA: Full Access

Immediate value: Leverage existing infrastructure
Increased visibility: into active network sessions
Flexible deployment: Co-operates with other auth methods

Group Based Policy Simplifies Segmentation
Traditional Segmentation (Enterprise)
• Security Policy based on Topology; high cost and complex maintenance
• Per-role VLANs at the Access Layer (Non-Compliant/Quarantine, Voice, Employee/Data, Supplier/Guest, BYOD), each tied to Static ACLs, Routing, Redundancy, VACLs, a DHCP Scope and Addressing across the Backbone and Aggregation Layer

TrustSec Micro/Macro Segmentation (Enterprise and DC Servers)
• Use existing topology and automate security policy to reduce OpEx
• Central Policy Provisioning from ISE: No Topology Change, No VLAN Change
• ISE Policy assigns an Employee Tag, Supplier Tag and Non-Compliant Tag; the Access Layer still carries Voice, Non-Compliant, Employee, Supplier and BYOD endpoints on Voice and Data VLANs

Non-Fabric Group-Based Policy Enforcement

deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
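The SGACL above is the per-cell policy that replaces VLAN/ACL segmentation. As an added example (not Cisco's code), the following Python models how such an SGACL is evaluated for a flow classified by source and destination SGT; the Servers tag, the policy matrix and the trailing catch-all "permit ip" are assumptions, while Employee = SGT-10 and Contractor = SGT-20 come from the deck.

```python
"""Added example (not Cisco's code): a minimal model of TrustSec group-based
enforcement. A flow is classified by source and destination Scalable Group
Tag (SGT); the SGACL bound to that cell is evaluated top-down, first match
wins. ACE syntax follows the slide; SGT numbers and the matrix are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23}  # keywords in the ACEs

@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "icmp", "tcp" or "udp"
    dst_port: Optional[int]  # None means any destination port

def parse_ace(line: str) -> Ace:
    """Parse one entry such as 'deny tcp src dst eq 3389' or 'deny icmp'."""
    tok = line.split()
    if tok[0] not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    port = None
    if "eq" in tok:                      # destination-port qualifier
        p = tok[tok.index("eq") + 1]
        port = int(p) if p.isdigit() else PORT_NAMES[p]
    return Ace(tok[0], tok[1], port)

@dataclass(frozen=True)
class Flow:
    src_sgt: int
    dst_sgt: int
    proto: str
    dst_port: Optional[int] = None

def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    return ace.dst_port is None or ace.dst_port == flow.dst_port

# The slide's SGACL entries, in order.
SLIDE_SGACL = [
    "deny icmp", "deny udp src dst eq domain", "deny tcp src dst eq 3389",
    "deny tcp src dst eq 1433", "deny tcp src dst eq 1521",
    "deny tcp src dst eq 445", "deny tcp src dst eq 137",
    "deny tcp src dst eq 138", "deny tcp src dst eq 139",
    "deny udp src dst eq snmp", "deny tcp src dst eq telnet",
]

# SGT values reuse the deck's Employee = SGT-10 / Contractor = SGT-20; the
# Servers tag and the cells are constructed. Assumption: each SGACL ends with an
# explicit catch-all "permit ip", and cells with no SGACL get the default action.
EMPLOYEE, CONTRACTOR, SERVERS = 10, 20, 30
PERMIT_IP = Ace("permit", "ip", None)
MATRIX: Dict[Tuple[int, int], List[Ace]] = {
    (CONTRACTOR, SERVERS): [parse_ace(a) for a in SLIDE_SGACL] + [PERMIT_IP],
    (EMPLOYEE, SERVERS): [PERMIT_IP],
}

def evaluate(flow: Flow, matrix=MATRIX, default: str = "deny") -> str:
    """Return the action of the first ACE that matches the flow in its cell."""
    for ace in matrix.get((flow.src_sgt, flow.dst_sgt), []):
        if ace_matches(ace, flow):
            return ace.action
    return default
```

Because the decision keys on the tag pair rather than on addresses, the same SGACL applies wherever a Contractor endpoint appears in the topology.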

Context Build, Summarize, Exchange
Visibility and Access Control: ISE builds context and applies access control restrictions to users and devices.
Context Reuse: that context is consumed by eco-system partners for analysis & control.

Context sources: Threat Intelligence, System managers, Directory Services, Mobility Services Engine, Mobile Device Managers, Vulnerability Scanners
Context ISE holds per endpoint: Who, What, When, How, Where, Posture, Threat + Vulnerability, Scalable Group
Exchange channels: pxGrid, REST API, Syslog
Consumers: Secure Network Analytics, Secure Firewall, DNAC, 3rd Party Partners

Context Sharing with pxGrid
Eco-system partnership to enrich, exchange context and enact

• Context to Partner (Cisco ISE sends CONTEXT to the Eco-Partner): ISE makes Customer IT Platforms User/Identity, Device and Network Aware
• Enrich ISE Context (the Eco-Partner sends CONTEXT to Cisco ISE): Enrich ISE context. Make ISE a better Policy Enforcement Platform
• Threat Mitigation (the Eco-Partner sends an ACTION to Cisco ISE, which MITIGATEs): Enforce dynamic policies into the network based on Partner's request
• Context Brokerage (ISE 2.2+; Eco-Partners exchange context through Cisco ISE): ISE brokers Customer's IT platforms to share data amongst themselves

Posture & Compliance MDM Attributes
Posture sources feeding ISE: Agentless, AnyConnect, EMM/MDM

Authorization Policy example:
IF JailBroken is No AND PinLock is Yes THEN Compliant

MDM Attributes available to ISE: ActivityType, AdminAction, AdminActionUUID, AnyConnectVersion, DaysSinceLastCheckin, DetailedInfo, DeviceID, DeviceName, DeviceType, DiskEncryption, EndPointMatchedProfile, FailureReason, IdentityGroup, IMEI, IpAddress, JailBroken, LastCheckInTimeStamp, MacAddress, Manufacturer, MDMCompliantStatus, MDMFailureReason, MDMServerName, MEID, Model, OperatingSystem, PhoneNumber, PinLock, PolicyMatched, RegisterStatus, SerialNumber, ServerType, SessionId, UDID, UserName, UserNotified

https://cisco.com/go/csta
Cisco AnyConnect
A Suite of Security Service Enablement Modules

• VPN Module (Core)
• Network Access Manager (NAM)
• Web Security (CWS)
• Posture
• Umbrella Module
• HostScan (aka: ASA posture) (No UI)
• Network Visibility Module (NVM) (No UI)
• AMP Enabler Module
• Diagnostics and Reporting Tool (DART)
Agentless Posture 3.0

Diagram: an Employee endpoint connects via 802.1X / MAB with Posture Status Unknown; ISE runs the agentless posture check over PowerShell / SSH and the Posture Status becomes Compliant.

Endpoint Scripts 3.0

Diagram: ISE runs endpoint scripts (.ps1 / .sh) on endpoints over PowerShell / SSH+cURL+Bash.

Threat Visibility Rapid Threat Containment (RTC)
Flow: AMP on Endpoint notifies the cloud (1, 2); the threat from Jim's device is reported to Cisco ISE (3); ISE moves Jim from Full Access to Quarantine (5) while Harry and Alice keep Full Access.

Vulnerability Assessment (Threat-Centric NAC)
Flow: Jim connects and gets Full Access (1); Cisco ISE asks the On-prem Scanner to scan Jim's endpoint (2); the scanner scans (3) and returns the scan report (4); the result is CVSS=10 (5); ISE moves Jim to Quarantine (6) while Harry and Alice keep Full Access.

Authorization Policy
If CVSS is Greater than 5 = true, then Quarantine
CVSS: Common Vulnerability Scoring System
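As an added example (not Cisco's code) covering both this slide's condition and the Posture & Compliance slide's "IF JailBroken is No AND PinLock is Yes THEN Compliant", the following Python evaluates such conditions as an ordered, first-match authorization policy over endpoint context; the rule ordering, the default result and the sample endpoints are assumptions.

```python
"""Added example (not Cisco's code): the deck's two authorization conditions,
  slide 22: IF JailBroken is No AND PinLock is Yes THEN Compliant
  slide 27: If CVSS is Greater than 5, then Quarantine
evaluated as an ordered, first-match rule set over endpoint context. Attribute
names follow the MDM attribute list; endpoints and rule order are assumed."""
from typing import Callable, Dict, List, NamedTuple, Tuple

Ctx = Dict[str, object]   # attributes ISE holds for one session/endpoint

class Rule(NamedTuple):
    name: str
    condition: Callable[[Ctx], bool]
    result: str           # authorization result to apply

def mdm_compliant(ctx: Ctx) -> bool:
    """Slide 22 condition, using the MDM attribute names verbatim."""
    return ctx.get("JailBroken") == "No" and ctx.get("PinLock") == "Yes"

def cvss_above(threshold: float) -> Callable[[Ctx], bool]:
    """Slide 27 condition: the scanner's CVSS score is published into context
    by Threat-Centric NAC; an endpoint that was never scanned has no score."""
    def cond(ctx: Ctx) -> bool:
        score = ctx.get("CVSS")
        return score is not None and float(score) > threshold
    return cond

# Assumption: rules are evaluated top-down and the first match wins, so the
# quarantine rule is placed before the compliance rule on purpose.
POLICY: List[Rule] = [
    Rule("Vulnerable endpoint", cvss_above(5), "Quarantine"),
    Rule("MDM compliant", mdm_compliant, "Compliant"),
    Rule("Default", lambda ctx: True, "LimitedAccess"),
]

def authorize(ctx: Ctx, policy: List[Rule] = POLICY) -> str:
    """Return the result of the first rule whose condition holds."""
    for rule in policy:
        if rule.condition(ctx):
            return rule.result
    raise RuntimeError("no rule matched; keep a default rule at the end")

def reauthorize(ctx: Ctx, previous: str) -> Tuple[str, bool]:
    """Re-evaluate a live session, e.g. after a scan report arrives. A changed
    result is what a RADIUS Change of Authorization (CoA) would push to the
    network device, as in the deck's quarantine flows."""
    current = authorize(ctx)
    return current, current != previous

# Constructed sample contexts (not real endpoints).
JIM = {"UserName": "jim", "JailBroken": "No", "PinLock": "Yes", "CVSS": 10}
ALICE = {"UserName": "alice", "JailBroken": "No", "PinLock": "Yes"}
BOB = {"UserName": "bob", "JailBroken": "Yes", "PinLock": "Yes", "CVSS": 3.1}
```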

Cisco Security Technical Alliance Partners
September 2020

https://www.cisco.com/go/csta
ISE REST APIs
http://cs.co/ise-api

ISE Architecture
Standalone ISE: Single Node (Virtual/Appliance)
• Up to 20,000 concurrent endpoints (3500 series)
• Up to 50,000 concurrent endpoints (3600 series)

Distributed ISE: Multiple Nodes (Virtual/Appliance)
• Up to 500,000 concurrent endpoints (3500 series)
• Up to 2,000,000 concurrent endpoints (3600 series)

Node personas
Policy Administration Node (PAN)
• Single pane of glass for ISE admin
• Replication hub for all config changes
Monitoring & Troubleshooting Node (MnT)
• Reporting and logging node
• Syslog collector from ISE Nodes
Policy Services Node (PSN)
• Makes policy decisions
• RADIUS / TACACS+ Servers
pxGrid Controller
• Facilitates sharing of context

http://cs.co/ise-scale
ISE Node Personas… Explained
Diagram, per persona:
• PSN: its IP address* is the AAA (RADIUS server) address configured on the network devices; operates RADIUS, TACACS+, Profiling, etc.
• PAN: Admin interface; DNAC Automation via REST; Config Sync to the PSNs. Authorization Policy examples: If Employee then VLAN-100; If Contractor then SGT-20; If Things then ACL-300
• MNT: receives the Logs; the SIEM consumes them and can issue an ANC action
• ISE-PXG (Optional): Context (pxGrid) to the Partner Eco System (SIEM, MDM, NBA, IPS, IPAM, etc.). Exchange Topics: TrustSecMetaData (SGT Name: Employee = SGT-10; SGT Name: Contractor = SGT-20; ...), SessionDirectory (Bob with Win10 on CorpSSID)

*PSNs can optionally be behind a load-balancer and can be accessed via Load Balancer Virtual IP address (VIPs)
ISE Deployment Scale 2.6+
Same for physical and virtual deployments; compatible with load balancers

• Lab and Evaluation: 100 Endpoints
• Small HA Deployment: 2 x (PAN+MNT+PSN); Up to 20,000 Endpoints (3500) / Up to 50,000 Endpoints (3600)
• Medium Multi-node Deployment: 2 x (PAN+MNT+PXG), <= 6 PSN; Up to 20,000 Endpoints (3500) / Up to 50,000 Endpoints (3600)
• Large Deployment: 2 PAN, 2 MNT, <= 50 PSNs + <= 4 PXGs; Up to 500,000 Endpoints (3500) / Up to 2,000,000 Endpoints (3600)

http://cs.co/ise-scale
ISE Fully Distributed Architecture
• Centralize in DCs… or Distribute PSNs across Geographies
• DC1: Primary PAN & MNT; DC2: Secondary PAN & MNT
• Greater than 5 PSNs
• Separate PAN and MNTs
• 50 PSN max per deployment
• 300 ms delay between PAN and other ISE nodes
• Co-locate PSNs with AD

ISE 3.0 Supported Platforms

Cisco ISE runs on Cisco SNS appliances, on any server as a virtual machine (including Hyper-V), and in AWS | Azure.

Appliances (Standalone Sessions | PSN Sessions | Processor | Cores | Memory | Disk | RAID | Network Interfaces)
• SNS-3615: 10,000 | 10,000 | 1 x Intel Xeon 2.10 GHz 4110 | 8 | 32 GB (2 x 16 GB) | 1 (600 GB) | No | 2x10Gbase-T, 4x1GBase-T
• SNS-3655: 25,000 | 50,000 | 1 x Intel Xeon 2.10 GHz 4116 | 12 | 96 GB (6 x 16 GB) | 4 (600 GB) | 10 | 2x10Gbase-T, 4x1GBase-T
• SNS-3695: 50,000 | 100,000 | 1 x Intel Xeon 2.10 GHz 4116 | 12 | 256 GB (8 x 32 GB) | 8 (600 GB) | 10 | 2x10Gbase-T, 4x1GBase-T
EOL appliances:
• SNS-3515: 7,500 | 7,500 | 1 x Intel Xeon 2.40 GHz E5-2620 | 6 | 16 GB (2 x 8 GB) | 1 (600 GB) | No | 6x1GBase-T
• SNS-3595: 20,000 | 40,000 | 1 x Intel Xeon 2.60 GHz E5-2640 | 8 | 64 GB (4 x 16 GB) | 4 (600 GB) | 10 | 6x1GBase-T

ISE 3.0 Features (look at the ISE 3.0 What's New presentation for further details!)
• Platform Support
• New Interface Look and Feel
• SAML SSO with Azure AD
• 802.1X with Azure AD
• ODBC Multiple Attributes Lookup
• Debug Wizard
• Posture AV/AM Minimum Version
• TCP Dump Improvements
• Certificate Pinning for Multiple CAs
• Open TAC Cases from ISE
• License Changes
• Health Checks
• Make a Wish
• PassiveID with Windows Eventing APIs
• Device Identifier Changes for Windows Devices
• Baselines Policies with Microsoft SCCM
• Posture Session Status Sharing
• Windows & macOS Agentless Posture
• Endpoint Visibility with Custom Scripts
ISE Customer Resources
• Resources: http://cs.co/ise-resources
• Community: http://cs.co/ise-community
• YouTube Channel: http://cs.co/ise-videos
• Evaluations: http://cs.co/ise-eval
• Integration Guides: http://cs.co/ise-guides
• Compatibility Guides: http://cs.co/ise-compatibility
• Licensing Guide: http://cs.co/ise-licensing
Next steps
‣ Schedule a full demo

‣ Visit cisco.com/go/ise

‣ Book time on dCloud
