
Version 4.1 - 5.6 Cisco Identity Services Engine (ISE) Part 1

INE has an "ISE Primer" course along with multiple videos on ISE and its configuration. However, nothing compares to actually sitting down and reading the "Cisco ISE for BYOD and Secure Unified Access" book. Yes, it's about 700 pages - but there's no better way to really wrap your head around this material.

At a high level, three component groups make up the ISE solution:
* Infrastructure components - switches, WLCs, routers and firewalls
* Policy components - on ISE itself
* Endpoint components - 802.1X Supplicant/Agent, Cisco NAC Agent

ISE Personas
+ Administration - only one node (or an HA pair) [PAN]
+ Policy Service - one or more [PSN]
+ Monitoring - at most two [MnT]

ISE also has two node types: ISE node and Inline Posture Node (IPN). Only the ISE node type can be configured with the above personas. The IPN must be a dedicated node and cannot assume any of the personas.

There are three license types: Base, Advanced and Wireless. Base covers Authentication/Authorization, Guest Provisioning and MACsec Link Encryption Policies; everything else requires the Advanced license.

ISE is based on policies. The following policy rule types can be called within an ISE policy set:
- Authentication Policy
- Authorization Policy
- Profiling Policy
- Device Posture Policy
- Client Provisioning Policy
- Security Group Access Policy
- Guest Policy

Monitor Mode performs authentication but permits all access, even for endpoints that fail authentication. This gives you an audit period in which to fix issues before actually moving to Low-Impact Mode or Closed Mode (High-Security Mode).

Probes are configured on the PSN where appropriate. There are 8 different probes:

- HTTP
- DHCP
- NetFlow
- RADIUS
- Network Scan (NMAP)
- DNS
- SNMP
- IOS Device Sensor

Through the process of profiling, an endpoint transitions from the Unknown group to a more specific profile. When the profile changes, a CoA lets ISE push a new authorization to the endpoint's session.

CoA Message Types
# CoA-DM (Disconnect Message)
# CoA-Reauth
# CoA-Terminate
# CoA-PortBounce
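As an added example (not code from the book or this post), the following Python models the two steps just described: certainty-based profiling, where an endpoint stays in Unknown until a profile's minimum certainty is reached, and the RFC 5176 CoA-Request (or Disconnect-Request for CoA-DM) that ISE sends when the profile changes. It also includes the NAD-side check that recomputes the Request Authenticator and drops a CoA sent with the wrong shared secret, which is the reason shared-secret hygiene between ISE and the NADs matters. The profile names, conditions and point values are constructed; the packet codes, the Cisco vendor ID and the subscriber:command AVPair strings are the real ones. CoA-Terminate is not modeled.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the RADIUS/Cisco attribute numbers used below
# (real values from the RFC and the IANA registry).
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# Cisco-AVPair commands carried in a CoA-Request for the CoA types above.
# CoA-DM needs no AVPair: it is its own packet code (Disconnect-Request).
COA_COMMANDS = {
    "CoA-Reauth": "subscriber:command=reauthenticate",
    "CoA-PortBounce": "subscriber:command=bounce-host-port",
}

# Constructed profiling policies (hypothetical names, conditions and points).
# Each matching probe attribute adds certainty; a profile is assigned only
# once the endpoint's total reaches that profile's minimum certainty.
PROFILES = {
    "Cisco-IP-Phone": {
        "min_certainty": 30,
        "conditions": {
            ("oui", "00:1b:54"): 10,                                # RADIUS probe (MAC OUI)
            ("dhcp_class_id", "Cisco Systems, Inc. IP Phone"): 20,  # DHCP probe
            ("cdp_platform", "Cisco IP Phone"): 30,                 # IOS Device Sensor
        },
    },
    "Windows-Workstation": {
        "min_certainty": 30,
        "conditions": {
            ("dhcp_class_id", "MSFT 5.0"): 10,
            ("http_user_agent", "Windows NT"): 20,                  # HTTP probe
            ("nmap_os", "Windows"): 30,                             # Network Scan probe
        },
    },
}


def profile_endpoint(attrs):
    """Return (profile, certainty) for the attributes collected so far.
    The endpoint stays 'Unknown' until some profile's minimum is reached."""
    best, best_score = "Unknown", 0
    for name, policy in PROFILES.items():
        score = sum(pts for (key, want), pts in policy["conditions"].items()
                    if want in attrs.get(key, ""))
        if score >= policy["min_certainty"] and score > best_score:
            best, best_score = name, score
    return best, best_score


def encode_attr(attr_type, value):
    """RADIUS TLV: type, length (including the 2-byte header), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def encode_cisco_avpair(text):
    """Vendor-Specific attribute wrapping a Cisco-AVPair sub-attribute."""
    sub = encode_attr(CISCO_AVPAIR, text.encode())
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa(coa_type, identifier, mac, secret):
    """Build the CoA-Request (or Disconnect-Request for CoA-DM) for one session.
    RFC 5176 Request Authenticator = MD5(Code+ID+Length+16 zero bytes+attrs+secret)."""
    if coa_type == "CoA-DM":
        code, attrs = DISCONNECT_REQUEST, b""
    else:
        code, attrs = COA_REQUEST, encode_cisco_avpair(COA_COMMANDS[coa_type])
    attrs = encode_attr(ATTR_CALLING_STATION_ID, mac.encode()) + attrs
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa(packet, secret):
    """NAD-side check: recompute the Request Authenticator with the shared
    secret and drop the packet if it does not match (wrong secret or tampered)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def on_probe_update(old_profile, attrs, identifier, mac, secret, coa_type="CoA-Reauth"):
    """Re-profile after new probe data; a CoA is emitted only if the profile changed."""
    new_profile, certainty = profile_endpoint(attrs)
    packet = None
    if new_profile != old_profile:
        packet = build_coa(coa_type, identifier, mac, secret)
    return new_profile, certainty, packet
```

Feed `on_probe_update` the attributes as each probe learns them: a MAC OUI alone is not enough certainty, so the endpoint stays Unknown and no CoA is sent; once the DHCP probe adds the class identifier the phone profile is reached and a single CoA-Reauth packet is produced. A NAD that calls `verify_coa` with its own copy of the shared secret accepts that packet and rejects one built with a different secret or modified in transit.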

You have to enable the HTTP/S server on the switches so that they can perform Centralized Web Auth or Device Registration Portal redirects; it is also used to redirect the Posture agent's traffic to the PSN. Now this is going to freak out the Network Engineers and your InfoSec team. To decouple the HTTP/S server from management of the switch (and lower everyone's blood pressure), you need to issue two commands:

ip http active-session-modules none
ip http secure-active-session-modules none

I found this to be a very important point, though I'm not sure whether the exam question writers will consider it important.
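As an added example (not from the book or this post), a small Python audit that reads running-config text and reports whether the HTTP/S servers are enabled for ISE redirects and whether the two decoupling commands above are present; when they are missing, the management web modules are still reachable on every switch that has the server turned on. The config excerpts are constructed samples; the command strings are the real IOS ones.

```python
# Constructed sample running-config excerpts (not taken from any real device).
RISKY_CONFIG = """\
hostname access-sw1
ip http server
ip http secure-server
ip http authentication aaa
"""

DECOUPLED_CONFIG = """\
hostname access-sw2
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
ip http authentication aaa
"""

NO_HTTP_CONFIG = """\
hostname core-sw1
no ip http server
no ip http secure-server
"""

# For each server, the line that turns it on and the line that stops it from
# serving the management web modules while still allowing ISE redirects.
SERVERS = {
    "http": ("ip http server", "ip http active-session-modules none"),
    "https": ("ip http secure-server", "ip http secure-active-session-modules none"),
}


def audit_http_redirect(config):
    """Report which HTTP/S servers are on and which still expose management.
    Lines are compared whole, so 'no ip http server' does not count as enabled."""
    lines = {line.strip() for line in config.splitlines()}
    enabled = [name for name, (on, _) in SERVERS.items() if on in lines]
    exposed = [name for name, (on, decouple) in SERVERS.items()
               if on in lines and decouple not in lines]
    return {
        "enabled": enabled,
        "management_exposed": exposed,
        # servers are on for CWA/DRW/posture redirects and management is decoupled
        "redirect_ready": bool(enabled) and not exposed,
    }


def remediation(config):
    """Commands still missing to decouple every enabled server from management."""
    lines = {line.strip() for line in config.splitlines()}
    return [decouple for on, decouple in SERVERS.values()
            if on in lines and decouple not in lines]
```

Run `audit_http_redirect` over a collected set of configs before the Low-Impact or Closed Mode cutover: a switch with `redirect_ready` false either cannot redirect at all (no server) or redirects while still exposing the management web UI, and `remediation` gives the exact lines to push to the latter group.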

NAD syslog messages collected and used by ISE:
