
Brksec 2660


ISE Planning, Staging and Deployment

Francesca Martucci
Technical Solutions Architect, Cybersecurity EMEA

BRKSEC-2660

“A goal without a plan is just a wish”
Antoine de Saint-Exupéry

BRKSEC-2660 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Deploying any network access control solution is crucial, but it isn’t easy….

What needs to be included in my planning?

• Business objectives
• Use cases
• Architecture
• Growth plan
• Backup plan
• Test environment
• Management support
• Other teams’ points of contact
• End user involvement
• 802.1x configuration method
• Network Devices capabilities
• NAD OS upgrade
• Integration
• CMDB
• AD groups
• Password or Certificates
• Supplicant configuration
• Endpoint discovery
• Custom profiles
• Posture policies
• Policy sets
• Segmentation

Deploying any network access control solution is crucial, but it isn’t easy….

Proper planning is essential to a successful deployment.

Who am I?

Technical Solutions Architect, Cyber Security EMEA

At Cisco for 24 years... and in 3 countries

Main interests:
• Policy and Access
• Segmentation
• Industrial Security

Cisco ISE High Level Design

• Business Objectives
• Environment (Network Device vendor, supplicants, PKI)
• Scenarios & Use Cases (Posture, BYOD, Device Administration)
• Policy Details (External Identity Sources, what type of posture, what type of BYOD)
• Operations & Management
• Scale & High Availability

Agenda

• Where To Start: planning
• ISE Deployment Options
• Certificates
• Network Devices
• Supplicants
• Profiling
• Policies optimization
• Create your own lab
• 802.1x Deployment Modes

What not to expect:

• Specific ISE use cases and their implementation
• Detailed configuration guidelines
• Troubleshooting information
• Licensing

What are your business priorities?

• Device Administration
• Secure Access
• Guest Access
• Asset Visibility
• Compliance & Posture
• ISE Context Exchange
• Segmentation
• Cisco SDA/DNAC
• BYOD
• Threat Containment

What is the business trying to accomplish with ISE?
Profiling is critical with today’s IoT proliferation.
From where do you want to start?
Do you need a BYOD policy?
Which use cases could be considered for the future?

Defining your Security Policy

What is an IT security policy?

“It identifies the rules and procedures for all the individuals accessing and using an organization’s IT assets and resources.”

Everyone Has Different Needs

Government | Financials | Healthcare | Retail | Education | Transportation | Services | Utilities | Technology | Manufacturing

Example of your ISE policy planning

Endpoint Type   | Authentication     | Identity Store    | Network Access     | Enforcement   | Staging / Provisioning
Corp PC         | 802.1X – Cert      | ISE Cert Store    | Full Access        | VLAN CORP     | Physical Staging Port
Guests          | WebAuth            | ISE Guest DB      | Internet-Only      | VLAN Guest    | Manual Connect, Sponsored account
Access Point    | 802.1X – User/Pass | ISE User DB       | Trunk              | Trunk         | AP Provisioning
AP Provisioning | MAB                | ISE MAC Whitelist | WLC-Only           | VLAN AP       | ISE Profiling
Printers        | MAB                | ISE MAC Whitelist | Print Servers-Only | VLAN Printers | ISE Profiling

Endpoint Team | Network Team | Security Team

Remember: do not think only about the positive outcome. What if a corporate PC certificate has expired?

Interoperation with other teams

• Management buy-in is critical to have support for your decisions
• Get the right contacts in the other teams ahead of time
• Monitor and update policies with your IT Security Policy

Get management support → Write policies → Implement policies → Monitor policies

Understand Your Needs and Use cases

Objectives / Risk / Priorities
• Brand Trust
• Customer/Patient Data
• Hospitality: Fast & Easy
• IT/OT Segmentation
• Protect Intellectual Property

Environment
• Wired / Wireless / VPN
• Multi-Vendor
• Hardware & Software
• Network Device Capabilities

Scaling
• Concurrent Active Endpoints
• Scale Horizontally
• Scale Vertically
• Geography

Management & Operations
• Top Down / Bottom Up?
• Org(s) / Regions / Departments
• Collaboration or Siloes
• Scheduling Config Changes
• Tooling & Automation

ISE Personas

Policy Administration Node (PAN)
• Administrative GUI
• Policy configuration
• Policy replication
• Centralized Guest database
• Centralized BYOD database
• Configuration REST APIs

Monitoring & Troubleshooting Node (MNT)
• Receives logs from all nodes
• Handles remote logging targets
• Generates summary Dashboard Views
• Performs scheduled reports
• Handles reporting and API queries

Policy Service Node (PSN)
• TACACS requests
• RADIUS requests
• Endpoint profiling probes
• Identity store queries
• Hosts Guest/BYOD portals
• MDM/Posture queries
• TC-NAC & SXP services

Platform Exchange Grid Node (PXG)
• Runs pxGrid controller
• Authorizes pxGrid Pubs/Subs
• Publishes pxGrid topics to subscribers
• Handles ANC/EPS requests
• REST APIs

ISE Node Personas… Explained

Admin → PAN: configure RADIUS, TACACS+, Profiling, etc.
PAN → PSN: Config Sync
PSN: AAA RADIUS server (ISE PSN IP address*)
PSN → MNT: Logs
PSN → PXG (optional): Context
PXG ↔ Partner Eco System (SIEM, MDM, NBA, IPS, IPAM, etc.): Context (pxGrid)

Authorization Policy UI (PAN):
If Employee then VLAN-100
If Contractor then SGT-20
If Things then ACL-300

Exchange Topics (PXG):
TrustSecMetaData
  SGT Name: Employee = SGT-10
  SGT Name: Contractor = SGT-20
  ...
SessionDirectory
  Bob with Win10 on CorpSSID

*PSNs can optionally be behind a load-balancer and can be accessed via Load Balancer Virtual IP address (VIPs)
ANC = Adaptive Network Control

ISE Architecture

Standalone ISE

Distributed ISE
• Policy Administration Node (PAN): max 2 in a deployment
• Monitoring & Troubleshooting Node (MnT): max 2 in a deployment
• Policy Services Node (PSN): max 50 in a deployment
• pxGrid Controller: max 4 in a deployment

ISE Distributed Deployment Scale
Same for physical and virtual deployments
Compatible with load balancers

Deployment size                   | Nodes                                  | 3700 appliances           | 3600 appliances
Standalone (for Lab and Evaluation) |                                      | 100 Endpoints             | 100 Endpoints
Small HA Deployment               | 2 x (PAN+MNT+PSN)                      | Up to 50,000 Endpoints    | Up to 50,000 Endpoints
Medium Multi-node Deployment      | 2 x (PAN+MNT+PXG), <= 6 PSN            | Up to 150,000 Endpoints   |
Large Deployment (3.0+)           | 2 PAN, 2 MNT, <= 50 PSNs + <= 4 PXGs   | Up to 2,000,000 Endpoints | Up to 2,000,000 Endpoints

http://cs.co/ise-scale

ISE Fully Distributed Architecture
Centralize in DCs… or Distribute PSNs across Geographies

DC1: Primary PAN & MNT
DC2: Secondary PAN & MNT

• Latency should be 300ms round trip between PAN and PSN
• Bandwidth most critical between:
  • PSNs and Primary PAN (DB Replication)
  • PSNs and MnT (Audit Logging)
• Co-locate PSNs with AD

Maximum Concurrent Active Endpoints

• One endpoint is a unique MAC address
• ISE Licensing is counted by active endpoint sessions
• RADIUS Accounting defines session Start & Stop events
• Sessions Start upon RADIUS Authorization
• Sessions Stop upon:
  • Disconnect
  • Session Expiration
  • Idle Timeout

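The session rules above decide what "concurrent active endpoints" means when you size a deployment. The following Python script is an added example, not code from the deck or from Cisco: it replays a constructed RADIUS accounting log (Start / Interim-Update / Stop per Calling-Station-Id), applies the stop conditions from the slide (disconnect, session expiration, idle timeout; the two timer values are assumptions, not ISE or NAD defaults), normalises the different MAC spellings NADs send so one endpoint is counted once, and reports the peak number of simultaneous sessions.

```python
"""Peak concurrent active endpoints from RADIUS accounting.

Added example; it is not code from the BRKSEC-2660 deck or from Cisco. It
applies the session rules stated on the slide (one endpoint = one MAC, a
session starts with authorization/Accounting-Start and stops on disconnect,
session expiration or idle timeout) to a constructed accounting log, so the
peak value can be compared with the platform scale figures.
"""
from dataclasses import dataclass

# Timer values are assumptions for this example, not ISE or NAD defaults.
IDLE_TIMEOUT = 600       # seconds without an accounting update
SESSION_TIMEOUT = 3600   # absolute session lifetime in seconds


@dataclass
class AcctEvent:
    ts: int        # event time, epoch seconds
    mac: str       # Calling-Station-Id, in whatever format the NAD sends it
    status: str    # Acct-Status-Type: "Start", "Interim-Update" or "Stop"


def norm_mac(mac):
    """Fold aa-bb-cc-dd-ee-ff / aabb.ccdd.eeff / AA:BB:... into one form so
    the same endpoint is never counted twice."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _expire(sessions, now, idle_timeout, session_timeout):
    """Drop sessions that exceeded the idle or absolute timeout before `now`."""
    for mac in list(sessions):
        start, last_seen = sessions[mac]
        if now - last_seen > idle_timeout or now - start > session_timeout:
            del sessions[mac]


def active_endpoints(events, idle_timeout=IDLE_TIMEOUT, session_timeout=SESSION_TIMEOUT):
    """Replay accounting events in time order.

    Returns (peak_concurrent, timeline, still_active): timeline is a list of
    (ts, active_count) after each event, still_active the set of MACs with a
    live session after the last event.
    """
    sessions = {}            # mac -> (start_ts, last_seen_ts)
    timeline = []
    peak = 0
    for ev in sorted(events, key=lambda e: e.ts):
        _expire(sessions, ev.ts, idle_timeout, session_timeout)
        mac = norm_mac(ev.mac)
        if ev.status == "Start":
            sessions[mac] = (ev.ts, ev.ts)       # re-auth of a known MAC restarts it
        elif ev.status == "Interim-Update":
            start = sessions.get(mac, (ev.ts, ev.ts))[0]
            sessions[mac] = (start, ev.ts)       # refresh the idle timer
        elif ev.status == "Stop":
            sessions.pop(mac, None)              # disconnect
        else:
            raise ValueError(f"unknown Acct-Status-Type {ev.status!r}")
        peak = max(peak, len(sessions))
        timeline.append((ev.ts, len(sessions)))
    return peak, timeline, set(sessions)


# Constructed accounting log; three NAD spellings of MAC addresses on purpose.
SAMPLE_EVENTS = [
    AcctEvent(0,   "AA-BB-CC-DD-EE-01", "Start"),
    AcctEvent(10,  "aabb.ccdd.ee02",    "Start"),
    AcctEvent(20,  "aa:bb:cc:dd:ee:03", "Start"),
    AcctEvent(30,  "AA-BB-CC-DD-EE-02", "Stop"),            # same endpoint as aabb.ccdd.ee02
    AcctEvent(100, "aabb.ccdd.ee01",    "Interim-Update"),  # extends ee:01's idle expiry to t=700
    AcctEvent(800, "aa:bb:cc:dd:ee:04", "Start"),           # by now ee:01 and ee:03 are idle
]

if __name__ == "__main__":
    peak, timeline, active = active_endpoints(SAMPLE_EVENTS)
    print("peak concurrent endpoints:", peak)
    print("timeline:", timeline)
    print("still active:", sorted(active))
```

Feeding a day of real accounting exports through `active_endpoints` gives the peak to compare against the per-PSN figures on the scale slides; the MAC normalisation matters because a switch and a WLC rarely send Calling-Station-Id in the same format.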
ISE Nodes – Mix and Match

Physical Appliances: SNS-3715, SNS-3755, SNS-3795, SNS-3615, SNS-3655, SNS-3695
Virtual Machines
Cloud Instances

Reminders

ISE platforms across releases 2.7, 3.0, 3.1, 3.2, 3.3:
• SNS 3515 (EOL)
• SNS 3595
• SNS 3615
• SNS 3655 (EOL)
• SNS 3695
• SNS 3715
• SNS 3755
• SNS 3795
• Traditional VM
• AWS
• Azure & OCI

ISE Performance & Scale

• Deployment Architectures: S / M / L
• Maximum Concurrent Active Sessions
• Deployment Scale Limits
• Protocol Performance
• Scenario Performance
• PxGrid and SXP scaling
• Network Device maximum numbers

Platform              | Concurrent active endpoints supported by a dedicated PSN (Cisco ISE node has only PSN persona) | Concurrent active endpoints supported by a shared PSN (Cisco ISE node has multiple personas)
Extra Small (VM only) | 12,000  | unsupported
SNS 3615              | 25,000  | 12,500
SNS 3715              | 50,000  | 25,000
SNS 3655              | 50,000  | 25,000
SNS 3755              | 100,000 | 50,000
SNS 3695              | 100,000 | 50,000
SNS 3795              | 100,000 | 50,000

cs.co/ise-scale – go to the page to check for current numbers

TACACS+ Deployment Models
Separating RADIUS & TACACS+ ISE Cubes?

There are three different options:
• Separate ISE cubes (one for RADIUS, one for TACACS+)
• Mixed ISE cube with separate PSNs
• Mixed ISE cube with shared PSNs

• Scalability is transactions per second (TPS)
• Authentication or also Commands Authorization?
• Do you use scripts?

ISE Certificates

❑ System Certificates
• Identifies a Cisco ISE node & services
• Specific to the node
• Can manage all nodes’ system certs from PPAN

❑ Trusted Certificates (list of CAs)
• Trusts for the identities of entities interacting with ISE
• Replicated to all the nodes in deployment

❑ ISE Issued Certificates
• Internal CA service
• Issues and manages certificates for endpoints, pxGrid and ISE messaging

Different ISE System certificates

Parties: Endpoint (Supplicant/Client) – Network Device (Authenticator) – AAA Server (Authentication Server) – Identity and Security Services

✅ EAP Authentication: 802.1X / RADIUS / VPN, EAP Tunnel between supplicant and ISE
✅ BYOD: HTTPS / TLS
✅ RADIUS DTLS: TLS Tunnel between network device and ISE
✅ ISE Admin (GUI plus Node communication): HTTPS / TLS
✅ Portals: HTTPS / TLS
✅ SAML (<SAML>): HTTPS / TLS
✅ pxGrid: HTTPS / TLS
✅ SCEP: HTTPS / TLS to the CA

Systems and Trusted Certificates

• Which ISE role is using the certificate
• Self signed certificate
• Each ISE node has its own System Certificate Store
• To install certificate

ISE 3.3.0: Controlled Application Restart

Up to ISE 3.2 a new ISE admin certificate requires a reboot of all the nodes, without any control.

From ISE 3.3, the reboot can be scheduled for each node.

The reboot must take place within 15 days.

PxGrid Certificate

The pxGrid certificate is built with both the Client Authentication and Server Authentication extensions.

You need to create your own template and use it for the Signing Request.

Network Device discovery/capabilities

• Hardware model
• IOS version
• Count
• OS Version and capabilities
• Hardware limitations

Legend:
√ : Fully supported
X : Not supported
! : Limited support, some functionalities are not supported

cs.co/nad-capabilities
Refer to Cisco Compatibility Matrix

Does ISE Support my third-party Network device?
Does my third-party Network Device Support ISE?

Check for Advanced capabilities support:
• CoA (RADIUS or SNMP)
• URL Redirection

Might need to:
• Import a Vendor Specific Dictionary
• Create Network Device Profile

From the Network Component Compatibility, Release 3.3
https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/compatibility_doc/b_ise_sdt_33.html

Third party Device support

Default Network Device Groups (NDGs)

Default NDGs: Type of access, Location, Use Case, Organization, Vendor
Maximum 6 Levels
Create Your Own Root NDGs

Additional Tips

• Always Test before implementing!
• Standardize! Standardize! Standardize!
  ▪ IOS versions
  ▪ AAA configuration
  ▪ Wireless configuration
  ▪ Profiling configuration
• 3rd party device documentation

Endpoints: Native 802.1X Supplicants

wpa_supplicant

NAME
       wpa_supplicant - Wi-Fi Protected Access client and IEEE 802.1X supplicant

SYNOPSIS
       wpa_supplicant [ -BddfhKLqqsTtuvW ] [ -iifname ] [ -cconfig file ] [ -Ddriver ] [ -PPID_file ] [ -foutput file ]

OVERVIEW
       Wireless networks do not require physical access to the network equipment in the same way as wired networks. This makes it easier for unauthorized users to passively monitor a network and capture all transmitted frames. In addition, unauthorized use of the network is much

Windows 7, 8/8.1, and 10 – Native Supplicant

• Now you can do TEAP directly in Windows for Chaining (Windows 10 build 2004 and ISE 2.7 Patch 2)
• Involve the Active Directory Team
• Group Policy for:
  o Supplicant configuration
  o Pushing certificates
  o Pre-configure SSIDs – better user experience

Endpoints: Everything Else

Endpoint Profiling
Identifies dynamically the devices that connect to your network

ISE Data Collection Methods for Device Profiling
• Active Probes: Netflow | DHCP | DNS | HTTP | RADIUS | NMAP | SNMP | AD
• DS (Device Sensor): CDP | LLDP | DHCP | HTTP | H323 | SIP | MDNS
• Cisco Secure Client (formerly AnyConnect): ACIDex
• Feed Service (Online/Offline)

Endpoints send interesting data that reveals their device type.

Effect of RADIUS Probe

OUI = Vendor ID, IP = xx.xx.xx.xx → vendor
OUI = Cisco, IP = xx.xx.xx.xx → Cisco Device
OUI = HP, IP = xx.xx.xx.xx → HP Device
OUI = Apple, IP = xx.xx.xx.xx → Apple Device

Effect of SNMP Probe

OUI = Random, IP = xx.xx.xx.xx → Unknown
OUI = Cisco, IP = xx.xx.xx.xx, CDP:cdpCachePlatform = Cisco IP Phone 9971 → Cisco IP Phone 9971
OUI = HP, IP = xx.xx.xx.xx → HP Device
OUI = Apple, IP = xx.xx.xx.xx → Apple Device

Effect of DHCP Probe

OUI = Random, IP = xx.xx.xx.xx, dhcp-class-identifier CONTAINS MSFT → Microsoft Workstation
OUI = Cisco, IP = xx.xx.xx.xx, CDP:cdpCachePlatform = Cisco IP Phone 9971, DHCP:dhcp-class-identifier CONTAINS CP-9971 → Cisco IP Phone 9971
OUI = HP, IP = xx.xx.xx.xx, DHCP:dhcp-class-identifier CONTAINS LaserJet → HP Printer
OUI = Apple, IP = xx.xx.xx.xx, DHCP:dhcp-parameter-request-list EQUALS 1, 3, 6, 15, 119, 252 → Apple Device

Effect of HTTP Probe

OUI = Random, IP = xx.xx.xx.xx, dhcp-class-identifier CONTAINS MSFT, IP:User-Agent CONTAINS Windows NT 10.0 → Windows10-Workstation
OUI = Cisco, IP = xx.xx.xx.xx, CDP:cdpCachePlatform = Cisco IP Phone 9971, DHCP:dhcp-class-identifier CONTAINS CP-9971 → Cisco IP Phone 9971
OUI = HP, IP = xx.xx.xx.xx, DHCP:dhcp-class-identifier CONTAINS LaserJet → HP Printer
OUI = Apple, IP = xx.xx.xx.xx, DHCP:dhcp-parameter-request-list EQUALS 1, 3, 6, 15, 119, 252, IP:User-Agent CONTAINS iPad → Apple iDevice

Effect of NMAP Probe

OUI = Random, IP = xx.xx.xx.xx, dhcp-class-identifier CONTAINS MSFT, IP:User-Agent CONTAINS Windows NT 10.0, FQDN=test-laptop1.zero0k.org, NMAP:SMB.operating-system CONTAINS Windows 10 → Windows10-Workstation
OUI = Cisco, IP = xx.xx.xx.xx, CDP:cdpCachePlatform = Cisco IP Phone 9971, DHCP:dhcp-class-identifier CONTAINS CP-9971, FQDN=test-phone1.zero0k.org → Cisco IP Phone 9971
OUI = HP, IP = xx.xx.xx.xx, DHCP:dhcp-class-identifier CONTAINS LaserJet, FQDN=test-printer1.zero0k.org, NMAP:hrDeviceDescr CONTAINS HP LaserJet P4015 → HP Printer
OUI = Apple, IP = xx.xx.xx.xx, IP:User-Agent CONTAINS iPad, FQDN=test-ipad1.zero0k.org → Apple iPad

Effect of AD Probe

OUI = Random, IP = xx.xx.xx.xx, dhcp-class-identifier CONTAINS MSFT, IP:User-Agent CONTAINS Windows NT 10.0, FQDN=test-laptop1.zero0k.org, NMAP:SMB.operating-system CONTAINS Windows 10, AD-OS = Windows 10 → Windows10-Workstation
OUI = Cisco, IP = xx.xx.xx.xx, CDP:cdpCachePlatform = Cisco IP Phone 9971, DHCP:dhcp-class-identifier CONTAINS CP-9971, FQDN=test-phone1.zero0k.org → Cisco IP Phone 9971
OUI = HP, IP = xx.xx.xx.xx, DHCP:dhcp-class-identifier CONTAINS LaserJet, FQDN=test-printer1.zero0k.org, SNMP:hrDeviceDescr CONTAINS HP LaserJet P4015 → HP LaserJet P4015
OUI = Apple, IP = xx.xx.xx.xx, IP:User-Agent CONTAINS iPad, FQDN=test-ipad1.zero0k.org → Apple iPad

PxGrid Probe Context-in

CyberVision (Cisco EA): PROFINET, Modbus, CIP, … → PLC, IO, DRIVE, CONTROLLER → pxGrid → ISE

1. Profiling tool classifies the devices.
2. The attributes are then sent to ISE via pxGrid.
3. ISE populates the custom attributes with the ones received via the profiling pxGrid probe.

Device Sensor to scale attribute collection

Network devices send attributes via RADIUS accounting to ISE to optimize collection.

Attributes used:
• MAC OUI
• CDP/LLDP
• DHCP
• HTTP (WLC only)
• mDNS, H323, MSI-Proxy (4k only)

Sources:
• Switches (from IOS 15.0(2)SE): CDP, LLDP, DHCP, MAC
• Meraki MS390 (MS Switches only): CDP+LLDP
• WLC (from AirOS 7.2): HTTP, DHCP, MAC

ISE 3.3: Wi-Fi Edge Analytics

Model = Galaxy S1, OUI = Samsung → Samsung Galaxy S1
Model = iPad, OUI = Apple → Apple iPad
Model = MacBook, OUI = Apple → Apple MacBook

Apple, Samsung, and Intel devices are sharing rich data with the WLCs. With Catalyst 9800 WLCs (IOS-XE 17.10) you can now pass those attributes to ISE within RADIUS accounting.

Disable the ISE Profiling Endpoint Attribute Filter to use WiFi Device Analytics attributes in policies.

ISE profiles definition

Endpoint → ISE, Certainty Factor:
• DHCP Class-ID: MSFT → +10
• HTTP User Agent: Windows → +10
• NMAP OS: Microsoft Windows → +10

Profile conditions:
DHCP:dhcp-class-identifier CONTAINS MSFT
DHCP:dhcp-class-identifier CONTAINS MS-UC-Client
IP:User-Agent CONTAINS Windows
NMAP:operating-system CONTAINS Microsoft Windows

ISE 3.3: Multi-Factor Classification on ISE

Profiles are now made up of four factors (delivered through the Feed Service, Online/Offline):
• MFC-Manufacturer
• MFC-Endpoint Type
• MFC-Model
• MFC-OS

MFC-Manufacturer | MFC-EndpointType | MFC-Model         | MFC-OS
Cisco            | IP-Phone         | IP Phone 7980 Pro | IOS
Arlo             | Camera           | Wireless Cam      | Linux
Apple            | Laptop           | MacBook Pro       | macOS 12.0.1
Lenovo           | Laptop           | Thinkpad 540      | Windows Enterprise

ISE 3.3: AI Proposed Profiling Policies

Data Forwarded to Cloud: all data on endpoints (profiled & unknown) is forwarded to the ML engine.
ML Groups Endpoints: ML groups endpoints into clusters based on identical attribute data.
Labels Assigned: users assign labels to unknown clusters or accept recommendations (e.g. “These are Meraki cameras”, “Bosch Coffee Machine?”).

ML Cloud
• Must forward endpoint attributes to ML cloud (available 3.2p1)
• Air gapped environments not supported

ISE Feed service Updates

• Feed service updates MAC OUIs
• Feed service provides new and updated profiles
• Be careful when applying profile updates: check they do not interfere with the profiles you have been using and your policies
• You will still have unknowns. For everything else: custom profiles

Create custom profiles

• Gather more information
  ▪ Create more traffic from the device
  ▪ Run an NMAP scan
  ▪ Enable more probes
• Find attributes or combinations of attributes unique to the device type
• Focus on:
  ▪ Attributes found every time the endpoint connects
  ▪ Attributes found very early after the endpoint connects

Profiles Precedence

Existing Cisco Provided Profile: CF = 30
New Custom Profile: CF >= 30?

Custom profiles’ CF should be higher than the ones provided by Cisco (in general a low number). Try to put custom profiles above 100.

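The probe slides, the "ISE profiles definition" slide and the precedence rule above all describe one mechanism: conditions on collected attributes each add a certainty factor, a profile applies once its total reaches its minimum CF, and the highest total wins. The Python below is an added example, not Cisco's profiler or code from the deck. Its profiles and CF values are constructed to mirror the slides (the attribute names DHCP:dhcp-class-identifier, IP:User-Agent, NMAP:SMB.operating-system, AD-OS and OUI are taken from them; the "Custom-HP-Plotter" profile and its DHCP:host-name condition are assumptions), and `probe_progression` replays how the classification changes as each probe contributes attributes.

```python
"""Certainty-factor profile matching, in the style of the ISE profiler.

Added example, not the deck's or Cisco's code. Each profile is a set of
conditions on collected endpoint attributes (names follow the slides). Every
matching condition adds its certainty factor (CF); a profile applies once its
total reaches the profile's minimum CF, and the highest total wins. Profiles
and CF values are constructed; the custom "plotter" profile is an assumption
used to show why a custom profile needs a CF above what the Cisco-provided
profiles can reach.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str      # e.g. "DHCP:dhcp-class-identifier"
    op: str             # "CONTAINS" or "EQUALS"
    value: str
    cf: int = 10        # certainty factor contributed when the condition matches

    def matches(self, attrs):
        actual = attrs.get(self.attribute)
        if actual is None:            # no probe has collected this attribute yet
            return False
        actual, wanted = str(actual).lower(), self.value.lower()
        if self.op == "CONTAINS":
            return wanted in actual
        if self.op == "EQUALS":
            return actual.strip() == wanted.strip()
        raise ValueError(f"unsupported operator {self.op!r}")


@dataclass(frozen=True)
class Profile:
    name: str
    min_cf: int                 # minimum certainty factor for the profile to apply
    conditions: tuple

    def score(self, attrs):
        return sum(c.cf for c in self.conditions if c.matches(attrs))


def classify(attrs, profiles):
    """Return (profile_name, total_cf); ('Unknown', 0) when nothing applies.
    On equal totals the profile listed first is kept."""
    best = ("Unknown", 0)
    for p in profiles:
        total = p.score(attrs)
        if total >= p.min_cf and total > best[1]:
            best = (p.name, total)
    return best


C = Condition
CISCO_PROFILES = (                      # constructed stand-ins for Cisco-provided profiles
    Profile("Microsoft-Workstation", 10, (
        C("DHCP:dhcp-class-identifier", "CONTAINS", "MSFT"),
        C("DHCP:dhcp-class-identifier", "CONTAINS", "MS-UC-Client"),
        C("IP:User-Agent", "CONTAINS", "Windows"),
        C("NMAP:operating-system", "CONTAINS", "Microsoft Windows"),
    )),
    Profile("Windows10-Workstation", 40, (
        C("IP:User-Agent", "CONTAINS", "Windows NT 10.0", 20),
        C("NMAP:SMB.operating-system", "CONTAINS", "Windows 10", 20),
        C("AD-OS", "EQUALS", "Windows 10", 20),
    )),
    Profile("HP-Device", 10, (C("OUI", "EQUALS", "HP"),)),
    Profile("HP-Printer", 30, (
        C("OUI", "EQUALS", "HP"),
        C("DHCP:dhcp-class-identifier", "CONTAINS", "LaserJet", 20),
    )),
)
# Custom profile with CF above 100, as the "Profiles Precedence" slide advises.
CUSTOM_PROFILES = (
    Profile("Custom-HP-Plotter", 110, (
        C("OUI", "EQUALS", "HP"),
        C("DHCP:dhcp-class-identifier", "CONTAINS", "LaserJet", 20),
        C("DHCP:host-name", "CONTAINS", "plotter", 100),   # hypothetical attribute
    )),
)
PROFILES = CISCO_PROFILES + CUSTOM_PROFILES


def probe_progression(stages, profiles=PROFILES):
    """Classify after each probe adds attributes, as on the 'Effect of ... Probe' slides."""
    attrs, history = {}, []
    for new_attrs in stages:
        attrs.update(new_attrs)
        history.append(classify(attrs, profiles))
    return history


if __name__ == "__main__":
    for step in probe_progression([
        {"OUI": "HP"},                                                     # RADIUS probe
        {"DHCP:dhcp-class-identifier": "Hewlett-Packard LaserJet P4015"},  # DHCP probe
        {"DHCP:host-name": "plotter-3"},                                   # constructed
    ]):
        print(step)
```

A custom profile whose conditions sum to the same 30 as the Cisco-provided HP-Printer profile never wins the tie (`classify` keeps the first profile at equal totals), which is the situation the precedence slide warns about; lifting the custom total above 100 makes the outcome independent of how the Cisco profiles evolve with feed updates.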
Using device profiles and logical profiles in ISE

Turning Probes Into Profiles, Profiles Into Protection

Attributes (examples: DHCP-Class-Identifier | MAC OUI | ACIDEX Device Platform | User Agent)
↓
Profiles (Cisco provided | AI Proposed | Wifi edge analytics | Admin created | Integrations)
↓
AuthZ (ISE Authorization Policies)
↓
Segmentation

Behavioral vs Organizational Endpoint Information

Behavioral
• Probes and profiling
• Device Sensor
• pxGrid Context-In

Organizational
• Endpoint Custom Attributes
• Context Visibility Input (GUI/CSV)
• Custom Attributes and endpoint REST API (JSON)
• External Databases (CMDBs)
• Active Directory / LDAP
• pxGrid Direct (ServiceNow, etc.)

Common Uses
Attribute Name | Type
Created        | Date
Expires        | Date
Owner          | String
Department     | String
iPSK           | String

Cisco ISE pxGrid Direct for CMDBs (ISE 3.2)

Cisco ISE → GET REST API Request → External Database (e.g., ServiceNow CMDB). The admin can specify APIs to any REST compatible server.
Server Response (JSON) → ISE Endpoint DB → ISE Auth Policy (If … Then, VLAN: …)

Server Response (JSON):
{
  "result": [
    {
      "sys_import_state_comment": "",
      "template_import_log": "",
      "sys_updated_on": "2022-05-17 10:53:53",
      "sys_class_name": "EDDA_Demo",
      "sys_target_sys_id": "",
      "sys_id": "00021059db6b01101f0f174b13961900",
      "sys_updated_by": "aacook",
      "sys_created_on": "2022-05-17 10:53:53",
      "sys_import_set": "ISET0011307",
      "sys_transform_map": "",
      "sys_created_by": "aacook",
      "sys_import_row": "34,285",
      "u_account_name": "Holly.Allen@example.org",
      "u_macaddress": "05:0e:33:f3:2b:03",
      "sys_row_error": "",
      "group_tag": "cts:security-group-tag=2774-000",
      "sys_target_table": "",
      "sys_mod_count": "0",
      "u_hostname": "black.williams.com",
      "import_set_run": "",
      "sys_tags": "",
      "u_community_group": "Administration",
      "sys_import_state": "Pending",
      "u_config_item": "SNtoDataMartHolly.Allen",
      "u_sync": "",
      "u_ci_status": "Operational",
      "u_host_name": "black.williams.com"
    },{ ⋯ }
  ]
}

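To show what the "Server Response (JSON) → ISE Endpoint DB → ISE Auth Policy" arrow involves, here is an added Python example; it is not the pxGrid Direct connector, Cisco's code, or code from the deck. It parses a response shaped like the one on the slide (the record set is constructed: the first row reuses the slide's fields, the other two rows are made up to exercise a different MAC spelling and a row without a usable MAC), indexes the rows by normalised MAC address, and then answers the "If … Then" question an authorization rule would ask. Decoding `group_tag` as the RADIUS `cts:security-group-tag=<hex SGT>-<generation>` form is an assumption of this example.

```python
"""Mapping a pxGrid Direct (CMDB) response onto ISE endpoint attributes.

Added example, not Cisco's or the deck's code and not the pxGrid Direct
connector itself. It parses a ServiceNow-style JSON response like the one on
the slide, keys the records by normalised MAC address, and answers the
"If ... Then VLAN/SGT" question an authorization rule would ask.
"""
import json

# Constructed response: the first row mirrors the slide, the other two are made up.
SAMPLE_RESPONSE = """
{
  "result": [
    {
      "sys_id": "00021059db6b01101f0f174b13961900",
      "u_account_name": "Holly.Allen@example.org",
      "u_macaddress": "05:0e:33:f3:2b:03",
      "group_tag": "cts:security-group-tag=2774-000",
      "u_hostname": "black.williams.com",
      "u_community_group": "Administration",
      "u_ci_status": "Operational"
    },
    {
      "sys_id": "constructed-row-2",
      "u_account_name": "Sam.Ng@example.org",
      "u_macaddress": "05-0E-33-F3-2B-04",
      "group_tag": "cts:security-group-tag=0010-000",
      "u_hostname": "old-kiosk.example.org",
      "u_community_group": "Retail",
      "u_ci_status": "Retired"
    },
    {
      "sys_id": "constructed-row-3",
      "u_account_name": "",
      "u_macaddress": "",
      "group_tag": "",
      "u_hostname": "unnamed",
      "u_community_group": "",
      "u_ci_status": "Pending"
    }
  ]
}
"""


def norm_mac(mac):
    """Fold aa-bb-cc-dd-ee-ff / aabb.ccdd.eeff / AA:BB:... into aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_sgt(group_tag):
    """'cts:security-group-tag=2774-000' -> 10100 (hex SGT before the '-'); None if absent/invalid.
    The encoding is assumed to be the RADIUS cts:security-group-tag form."""
    if not group_tag or "=" not in group_tag:
        return None
    value = group_tag.split("=", 1)[1]
    try:
        return int(value.split("-", 1)[0], 16)
    except ValueError:
        return None


def build_directory(response_text):
    """Index us-able CMDB rows by MAC. Returns (directory, skipped_sys_ids);
    rows without a valid MAC can never match a session and are skipped."""
    directory, skipped = {}, []
    for row in json.loads(response_text)["result"]:
        try:
            mac = norm_mac(row.get("u_macaddress", ""))
        except ValueError:
            skipped.append(row.get("sys_id"))
            continue
        directory[mac] = {
            "account": row.get("u_account_name", ""),
            "hostname": row.get("u_hostname", ""),
            "community_group": row.get("u_community_group", ""),
            "ci_status": row.get("u_ci_status", ""),
            "sgt": parse_sgt(row.get("group_tag", "")),
        }
    return directory, skipped


def authorize(calling_station_id, directory):
    """Policy sketch: a CI must be known and Operational to receive its CMDB SGT.
    Returns {'action', 'sgt', 'reason'}; sgt is None when no tag is assigned."""
    rec = directory.get(norm_mac(calling_station_id))
    if rec is None:
        return {"action": "deny", "sgt": None, "reason": "not in CMDB"}
    if rec["ci_status"] != "Operational":
        return {"action": "quarantine", "sgt": None, "reason": f"CI status {rec['ci_status']}"}
    return {"action": "permit", "sgt": rec["sgt"], "reason": f"{rec['community_group']} CI"}


if __name__ == "__main__":
    directory, skipped = build_directory(SAMPLE_RESPONSE)
    print("indexed:", sorted(directory), "skipped:", skipped)
    print(authorize("050E.33F3.2B03", directory))
```

The two checks that matter operationally are visible in the output: rows whose MAC cannot be normalised are reported rather than silently dropped, and a CI whose status is not Operational is kept out of the permit path even though it carries a group tag.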
Make use of Policy Sets

Split policy sets by: Organizations, Type, Location, Vendor/Model, Medium (e.g. Wireless), RADIUS

Conditions simplification

• Pre-set Dictionary Conditions are easy to read and intuitive
• Custom created Conditions often are not as intuitive
• Use Compound Conditions for custom ones

Dynamic Variable Substitution

• Match conditions to unique values stored per User/Endpoint in internal or external ID stores (AD, LDAP, SQL, etc.)
• ISE supports custom User and Endpoint attributes

ID Store Attribute

Speed Test

Is the image matching the condition set?
• Total stars = 10
• Total Green stars = 4
• Total red stars = 2
• Outer shape = Red triangle

Auth Policy Optimization

Policy Logic:
o First Match, Top Down
o Skip Rule on first negative condition match

😩 Order:
1. AD Groups
2. AD Attributes
3. MDM
4. Certificate
5. ID Group
6. SQL Attributes
7. Auth Method
8. Endpoint Profile
9. Location

😁 Order:
• Local conditions should be put before external ones
• External lookups should go at the end, as they take more time

Block 1: 1. Location, 2. Auth Method
Block 2: 3. Endpoint Profile
Block 3: 4. AD Groups, 5. AD Attributes
Block 4: 6. ID Group, 7. Certificate, 8. SQL Attributes, 9. MDM

AD Policy rule optimization example

Most Specific (top):
ELT CxO: AD1·ExternalGroups EQUALS domain.com/users/IT AND AD1·ExternalGroups EQUALS domain.com/users/Domain Power Users AND AD1·ExternalGroups EQUALS domain.com/users/Leadership AND AD1·ExternalGroups EQUALS domain.com/users/ELT CxO
IT Staff: AD1·ExternalGroups EQUALS domain.com/users/IT AND AD1·ExternalGroups EQUALS domain.com/users/Domain Power Users
Human Resources: AD1·ExternalGroups EQUALS domain.com/users/HR
Everyone Else: AD1·ExternalGroups EQUALS domain.com/users/Domain Users
Least Specific (bottom)

• Granular policies (most restrictive and with higher level of access) should go first.
• Default/high-level policies go at the bottom.

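The two optimization slides above make claims that are easy to check with a small model: first match top down, skip a rule at its first failing condition, put local conditions before external lookups, and order AD rules from most to least specific. The Python below is an added example, not Cisco's policy engine or code from the deck. It evaluates ordered rules the way the slide describes and counts how many external (AD/SQL/MDM) lookups a request triggers; the rules, the constructed requests and the group names are built around the AD example on the slide, and counting one lookup per external condition evaluated is a simplification of this model, not a statement about ISE caching.

```python
"""First-match policy evaluation and the cost of rule ordering.

Added example, not Cisco's or the deck's code. It models the slide's policy
logic (first match, top down; a rule is skipped at its first failing
condition) and counts the external lookups (AD, SQL, MDM) a request causes,
so the two orderings on the slides can be compared. Rules, requests and group
names are constructed; one lookup per external condition evaluated is a
simplification of this model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cond:
    attribute: str           # e.g. "Location", "AuthMethod", "AD1:ExternalGroups"
    value: str
    external: bool = False   # True when evaluating it needs an AD/SQL/MDM query


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple        # evaluated left to right, all must hold (AND)
    result: str


def evaluate(rules, request):
    """First match, top down. Returns (rule_name, result, external_lookups).
    Request attributes are single values or sets (e.g. the AD groups)."""
    lookups = 0
    for rule in rules:
        for cond in rule.conditions:
            if cond.external:
                lookups += 1
            actual = request.get(cond.attribute)
            values = actual if isinstance(actual, (set, frozenset, list, tuple)) else {actual}
            if cond.value not in values:
                break                    # skip rule on first negative condition
        else:
            return rule.name, rule.result, lookups
    return "Default", "DenyAccess", lookups


def local_conditions_first(rules):
    """Reorder each rule's conditions so local checks run before external ones
    (stable: relative order within each class is kept)."""
    return [Rule(r.name, tuple(sorted(r.conditions, key=lambda c: c.external)), r.result)
            for r in rules]


G = "AD1:ExternalGroups"


def grp(name):
    return Cond(G, f"domain.com/users/{name}", external=True)


# The slide's AD example, most specific rule first.
AD_RULES = [
    Rule("ELT CxO", (grp("IT"), grp("Domain Power Users"), grp("Leadership"), grp("ELT CxO")), "SGT-Exec"),
    Rule("IT Staff", (grp("IT"), grp("Domain Power Users")), "SGT-IT"),
    Rule("Human Resources", (grp("HR"),), "SGT-HR"),
    Rule("Everyone Else", (grp("Domain Users"),), "SGT-Employee"),
]

# Rules written with the external AD check first (the "before" ordering).
UNOPTIMIZED_RULES = [
    Rule("Employees", (grp("Domain Users"), Cond("AuthMethod", "EAP-TLS"), Cond("Location", "Campus")), "PermitAccess"),
    Rule("Printers", (Cond("EndpointProfile", "HP-Printer"), Cond("AuthMethod", "MAB"), Cond("Location", "Campus")), "Printer-VLAN"),
]

# Constructed requests.
EXEC_USER = {"Location": "Campus", "AuthMethod": "EAP-TLS", G: {
    "domain.com/users/IT", "domain.com/users/Domain Power Users",
    "domain.com/users/Leadership", "domain.com/users/ELT CxO", "domain.com/users/Domain Users"}}
CONTRACTOR = {"Location": "Campus", "AuthMethod": "PEAP", "EndpointProfile": "Windows10-Workstation",
              G: {"domain.com/users/Domain Users"}}
PRINTER = {"Location": "Campus", "AuthMethod": "MAB", "EndpointProfile": "HP-Printer"}

if __name__ == "__main__":
    print("specific first:", evaluate(AD_RULES, EXEC_USER))
    print("least specific first:", evaluate(list(reversed(AD_RULES)), EXEC_USER))
    for name, req in (("contractor", CONTRACTOR), ("printer", PRINTER)):
        print(name, "before:", evaluate(UNOPTIMIZED_RULES, req),
              "after:", evaluate(local_conditions_first(UNOPTIMIZED_RULES), req))
```

Two things fall out of running it: with the AD rules reversed, the executive user silently lands in "Everyone Else" because Domain Users matches first, and a contractor whose authentication method already disqualifies the rule still costs an AD lookup until the local condition is moved ahead of the group check.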
Who Needs an ISE Lab? You do!

Partners, Customers: with every Standalone installation:
• 90-day Evaluation license
• For 100 endpoints
• All Cisco ISE features
• 1 TACACS+ license

You can set up a limited deployment and test all the required features in your environment.

ISE Lifecycle Orchestration & Policy Management

Zero Touch Deployment | Patch Installation | License Management | Certificate Management | Configuration Management | Policy Management | Operations Automation

ISE 3.1 Patch 1 or later; Python, Ansible, VSCode

#YAML
network_device:
- name: lab-mr46-1
  description: ''
  profileName: Cisco
  authenticationSettings:
    dtlsRequired: false
    enableKeyWrap: false
    enableMultiSecret: 'false'
    keyEncryptionKey: ''
    keyInputFormat: ASCII

github.com/CiscoISE

ISE Deployment and Operational Lifecycle

Provision: VPC(s), Networks, VPNs, ISE Nodes, Load Balancers, …
Deploy: Enable APIs, Repositories, Roles, Services, Patch + Hotpatches, Licensing, …
Configure: Identity Stores, Network Devices, Policy Sets, Endpoints, Certificates, Portals, …
Operate: Manage Endpoints, Reporting, Performance, pxGrid / Events, Backup/Restore, Patch, …
Extend: …
Destroy: Terminate, …

ISE Eternal Evaluation
https://github.com/1homas/ISE_Ansible_Sandbox
Cisco ISE playbooks and roles for ISE automated deployment and configuration in labs and demos, beginning with the ISE Eternal Evaluation (ISEEE).

iseee.yaml
• iseee.ssh.yaml
• iseee.provision.yaml
• iseee.facts.yaml
• iseee.patch.yaml
• iseee.deploy.yaml
• iseee.certificates.yaml
• iseee.licensing.yaml
• iseee.configure.yaml
• iseee.backup.yaml
• iseee.restore.yaml
• iseee.extend.yaml
• iseee.password_reset.yaml
• iseee.destroy.yaml
How to test your lab?

Using real devices (the ones you will use in production) is always best, especially if you test use cases like posture/profiling.

BUT…

Sometimes simulation tools are useful (policy match, or simulating a large number of devices).

Try the Session Trace Test tool in ISE.
Agenda
• Where To Start: planning
• ISE Deployment Options
• Certificates
• Network Devices
• Supplicants
• Profiling
• Policies optimization
• Create your own lab
• 802.1x Deployment Modes
Deployment Modes

Monitor Mode (Visibility)
  Port open unconditionally: pass or failed authentication makes no difference to access (File Servers, ISE, DHCP, DNS all reachable on the campus network).
  No impact to existing network.

Low-Impact Mode (Visibility and Control)
  Before authentication: PREAUTH ACL (permit eap dhcp dns; deny any), so only ISE, DHCP and DNS are reachable.
  After authentication: PERMIT ACL (permit ip any any).
  Begin to control and differentiate access.

Closed Mode (Visibility and Control)
  Before authentication: only EAP allowed.
  After authentication: File Servers and the campus network are reachable.
  • No access at all before authentication.
  • Not everyone needs Closed Mode.
Utilizing Policy Sets with Modes
• When deploying, leverage Network Device Groups
• Move devices in and out as the deployment progresses
Day 2 Operations

User involvement: user communication before and after the ISE rollout.
Supporting ISE After Deployment

• Train your support with a playbook for common issues
• Document as much as possible!
  ✓ Policy Configuration
  ✓ Supplicant Configuration
  ✓ Network Access Devices
• Many document templates available on ISE Communities
Wrap up

Deploying any network access control solution is crucial, but it isn't easy….

Proper planning is essential to any successful deployment.
ISE learning map

Learn how Cisco ISE will help you implement Network Access Control in your campus. Sessions will cover how to plan and deploy, how to leverage the new cloud capabilities, best practices and other topics.
Cisco ISE Resources

• Consolidated list of resources: cs.co/ise-resources
• Community Q&A: cs.co/ise-community
• Recorded webinars and other videos: cs.co/ise-videos
• Integration Guides: cs.co/ise-guides
• Licensing Guide: cs.co/ise-licensing
Ask The Community
cs.co/ise-community

How to Ask the Community for Help
• The Community is not TAC
• No comment on roadmaps or fixes
• New features and feedback
• Provide details:
  • Goal/Scenario?
  • NAD hardware & software?
  • Endpoint OS(es)?
  • Browser(s)?
  • Reproducibility (expected vs actual)
  • Pictures and video!
Thank you