Cisco ISE Video Guide to Installation and Configuration
Submitted by admin on Wed, 09/25/2013 - 22:23
Cisco Identity Services Engine (ISE) has been drawing a lot of attention in recent years. It is the product released by Cisco to promote identity-based network access security. The product is by no means a standalone solution but merely a component of an architecture that requires the collaboration of multiple network entities as a whole.
Since you are reading this article, I assume you are either starting to take an interest in ISE or have already embarked upon an ISE implementation, whether in a lab or in production. Learning the ISE web interface and configuration is certainly not enough to be successful with this product. You will also need to be familiar with the other enabling technologies that work closely with Cisco ISE to produce a solution. These include switches and wireless LAN controllers, RADIUS, Active Directory, digital certificates and PKI, and your client devices such as Windows, Macintosh, and supported smartphones, to name a few. Unless you possess all of these skills, it is likely that multiple engineers will be engaged on a project. This is not to mention that any one of these moving parts can break and bring the whole system down, and troubleshooting the issue can be that much more challenging.
Lab Minutes has produced an extensive video library on Cisco ISE with the intention of helping all of our audience make their ISE implementation process smoother. Whether you are studying for a certification or want to learn as part of your job, our videos can provide you with enough information to at least get you started on the technology, if not more. These videos are essentially an elaborate Cisco ISE training course where you can watch the step-by-step configuration as it is demonstrated in each lab.
This article serves as a guide to your journey of learning and configuring Cisco Identity Services Engine. We will guide you on how you can best utilize the videos that have been made available on our website to maximize your learning experience. Links to relevant videos are provided under each section. All of our videos were created primarily on Cisco ISE version 1.1.2. For additional licensing information, please consult the Cisco ISE licensing and ordering guide and the Cisco ISE datasheet.
Before you can begin the installation, you want to make sure that you are in possession of all the hardware you need. A basic setup usually includes a Cisco switch, a Wireless LAN Controller, a Windows Domain Controller or LDAP server, a DNS server, and a Certificate Authority server with SCEP capability. Do not forget to check all of these components against the ISE hardware compatibility matrix and make sure they are supported. You should also have an ESXi server if you plan to use the VM version, or otherwise ISE appliances.
Our first video shows you how to install ISE on a VM. The process is very much applicable if you own an appliance; you just skip the VM creation steps.
With a fresh install of the ISE node(s), if you plan to deploy only a single standalone node, you can skip this step. Otherwise, you will need to register all secondary nodes to the primary and adjust each node persona according to your distributed deployment design. Here you have the option of using self-signed or CA-signed certificates, with CA-signed certificates being preferred for scalability.
- SEC0030 - ISE 1.1 Node Registration with Self-Signed Certificate
- SEC0031 - ISE 1.1 Node Registration with CA-Signed Certificate
Now, let’s familiarize ourselves with the ISE GUI and perform basic configuration along the way with this video.
Every authentication system requires a user database, and unless you plan to exclusively use the ISE local identity store, you need to integrate ISE with an external identity store of your choice. The two most popular options are Microsoft Active Directory and LDAP, although ISE can also authenticate against an RSA token server or another RADIUS server.
- SEC0033 - ISE 1.1 AD Integration and Identity Source Sequence
- SEC0034 - ISE 1.1 LDAP Integration and Identity Source Sequence
An identity-based 802.1X authentication system relies heavily on the participation of the Network Access Device (NAD), aka the authenticator, to relay authentication information between the user requesting network access, aka the supplicant, and ISE, aka the authentication server, as well as to enforce network access restrictions as part of the authorization result. Having the NAD configured appropriately is one of the crucial steps that eliminates a lot of issues you might otherwise run into later on. Here we show recommended configurations on a Cisco switch and WLC.
- SEC0038 - ISE 1.1 802.1X Switch & WLC Recommended Config (Part 1)
- SEC0039 - ISE 1.1 802.1X Switch & WLC Recommended Config (Part 2)
Another essential component in an ISE solution is a Certificate Authority (CA) server. Many organizations prefer to have the server in-house for manageability and cost reasons. One of the most popular CA servers is Windows Server, specifically Windows 2008, which is what is shown in the videos. To clarify, this server is primarily used to issue client certificates as part of EAP-TLS authentication, whether for corporate 802.1X or BYOD device onboarding, which we will look at later. Here are videos that will help you get your Windows 2008 Enterprise CA up and running.
- SEC0009 - Windows 2008 Enterprise CA SCEP Installation
- SEC0011 - Windows 2008 CA SCEP Auto-Enrollment Options
- SEC0029 - Windows 2008 CA User and Computer Certificate Auto-Enrollment
Important!! Although you can use the internal CA server to sign the ISE certificate, it is recommended to have it signed by a trusted third-party CA. By doing this, you can ensure that the ISE certificate will always be trusted by all client devices and avoid authentication failures caused by clients rejecting the server certificate, especially when you deal with non-corporate and guest devices that you have no control over.
Now that you have the system prepped, from this point on we will look at ISE configuration focusing on each supported feature and use case. You can skip to the section that contains the feature you plan to implement.
1. Device Administration
Unlike Cisco Secure Access Control System (ACS), ISE still does not support TACACS+ as of ISE 1.2. The only option available, in case you have decided to replace your existing ACS server with ISE, is to use RADIUS. Here we show the AAA configuration on network devices as well as the configuration on ISE to support device admin authentication and return the user privilege level.
- SEC0035 - ISE 1.1 Device Admin RADIUS Authentication
- SEC0036 - ISE 1.1 Device Admin RADIUS Authorization
2. Device Profiling
One of ISE's selling points is its ability to identify the type of client device, information you can use to build policies and enforce network access restrictions. This is done through a series of probes. With a combination of MAC Authentication Bypass (MAB) and profiling policies, you will be able to allow devices incapable of 802.1X to access the network, as shown in these videos.
- SEC0040 - ISE 1.1 Profiling, Probing, and MAC Authentication Bypass (Part 1)
- SEC0041 - ISE 1.1 Profiling, Probing, and MAC Authentication Bypass (Part 2)
3. Corporate Wired and Wireless 802.1X (Native Supplicant)
One of the most common features implemented on ISE is 802.1X authentication for corporate devices. Here we discuss the two most popular authentication protocols: PEAP (username/password based) and EAP-TLS (certificate based). Our demonstrations are only applicable to Windows computers, but you can make it work on Macintosh. As a side note, this feature can also be implemented on Cisco ACS, so it is nothing unique to ISE.
- SEC0043 - ISE 1.1 Wired 802.1X and Machine Authentication with PEAP
- SEC0044 - ISE 1.1 Wireless 802.1X and Machine Authentication with PEAP
- SEC0045 - ISE 1.1 Wired 802.1X and Machine Authentication with EAP-TLS
- SEC0046 - ISE 1.1 Wireless 802.1X and Machine Authentication with EAP-TLS
We have also included how to use GPO to distribute network settings to Windows clients, for those network engineers out there who may not know too much about GPO. :-)
4. Corporate Wired and Wireless 802.1X (Cisco AnyConnect)
As discussed in the videos, if you want to enforce Machine Access Restriction (MAR), or in other words, you want to make sure users can access the corporate network only from a corporate-owned (i.e. domain-joined) computer, there is a major flaw in using the Windows native supplicant: user and computer authentication occur independently, and the machine cache on ISE can potentially be lost. Cisco AnyConnect with EAP Chaining solves this issue, and these videos will show you how.
- SEC0048 - ISE 1.1 User and Machine Authentication with EAP Chaining (Part 1)
- SEC0049 - ISE 1.1 User and Machine Authentication with EAP Chaining (Part 2)
5. Corporate iPhone
Unlike a Windows computer, which you can identify as a corporate-owned device by checking its domain membership, an iPhone requires a different strategy. Here we offer a possible solution: installing an identity certificate on the iPhone using the iPhone Configuration Utility and SCEP. The same concept can be applied to other mobile devices; the only difference is the process of getting a certificate onto those devices.
6. Bring Your Own Device (BYOD)
Another ISE selling point is its ability to support BYOD. These videos show you different device onboarding scenarios for both wired and wireless, with two options for wireless (single and dual SSID), covering Windows computers, iPhone and Android. You will get to watch the whole configuration as well as the start-to-finish onboarding process.
- SEC0050 - ISE 1.1 BYOD (Part 1) - Wired 802.1X Onboarding
- SEC0051 - ISE 1.1 BYOD (Part 2) - Wireless Onboarding Single SSID
- SEC0052 - ISE 1.1 BYOD (Part 3) - Wireless Onboarding Single SSID Testing
- SEC0053 - ISE 1.1 BYOD (Part 4) - Wireless Onboarding Dual SSID
- SEC0054 - ISE 1.1 BYOD (Part 5) - Wireless Onboarding Dual SSID Testing
7. Posture Assessment
This is one of the most desired features in IT security for many organizations, yet its high impact on the user experience is often overlooked. Not only will users have to wait a few seconds after login for the NAC agent to complete an assessment before getting full network access, they potentially also have to deal with a remediation process if their computers are found to be out of compliance. If you are considering this feature, you should review these videos thoroughly and make sure you understand the whole process and its ramifications for the user experience. Here we discuss both versions of the agent: the NAC agent for corporate-owned computers, and the Web agent for guest access.
- SEC0055 - ISE 1.1 Posture Assessment with NAC Agent (Part 1)
- SEC0056 - ISE 1.1 Posture Assessment with NAC Agent (Part 2)
- SEC0057 - ISE 1.1 Posture Assessment with Web Agent
8. Guest Access
Similar to the guest portal on a Cisco wireless LAN controller, ISE can be used to host a guest login page that supports either the default Cisco portal or a fully custom portal. ISE also introduces the concept of a sponsor, which allows anyone with the appropriate privilege, controlled by sponsor policy, to create a guest account. It is also possible to allow guests to create their own accounts, provided the required information is gathered. All of these guest access features are discussed in these videos.
9. Security Group Access (SGA)
ISE plays a major role in the Cisco TrustSec architecture on the authentication front for both users and network devices joining a TrustSec domain. It controls the dynamic assignment of Security Group Tags (SGT) as well as determining the level of access based on SGACLs. Although these videos do not deal with a complete TrustSec domain, they demonstrate the use of the SXP protocol to exchange SGT-to-IP mapping information between devices across a network that is incapable of TrustSec, and to enforce access policy on an ASA. This should give you enough information to get your feet wet in the technology.
- SEC0062 - ISE 1.1 Security Group Access (SGA) with ASA 9.1 TrustSec (Part 1)
- SEC0063 - ISE 1.1 Security Group Access (SGA) with ASA 9.1 TrustSec (Part 2)
If you are not familiar with Cisco TrustSec, we have an introduction video that will help you obtain a basic understanding.
Finally, the last two videos show you maintenance tasks that you will most likely need to perform during the lifetime of your ISE implementation. Regular configuration and report backups are always recommended so you are prepared for any disaster. From time to time, you might also need to install a patch when you run into documented issues, so it is helpful to know how that is done as well.
Hopefully, after reviewing these videos, you have more or less become familiar with and feel more comfortable working on Cisco Identity Services Engine. If you have any questions, feel free to post them under the corresponding video page or on the Lab Minutes forum. We will be releasing a similar article on Cisco ISE 1.2, so keep your eyes on our website or sign up for our newsletter to be the first to know.
Update: Cisco ISE 1.2 Video Guide to Installation and Configuration is posted.