Cisco ISE 1.2 Video Guide to Installation and Configuration
Submitted by admin on Tue, 03/04/2014 - 22:18
Since the release of Cisco Identity Services Engine (ISE) versions 1.0 and 1.1, many early adopters have been looking forward to ISE 1.2, especially for its enhancements and new features. Now that it is here, ISE 1.2 certainly shows a big improvement over its predecessors in terms of scalability (max 250,000 endpoints in a 44 node deployment), functionality, and reliability, not to mention support for a 64-bit operating system and the new SNS-3400 hardware appliances.
If you are reading this article, you have probably had some experience with the previous version of ISE and are wondering what ISE 1.2 has to offer. If not, we recommend that you review our Cisco ISE 1.1 Video Guide to Installation and Configuration to get up to speed on the fundamentals of this product. Since ISE 1.2 primarily adds features and functionality, while the majority of configuration concepts remain the same, it only makes sense for us to create a video series that reflects those changes. For a comprehensive lab video tutorial on ISE 1.1, you can visit the ISE video pages for online viewing or purchase our lab videos for download.
This article will guide you through the ISE 1.2 videos Lab Minutes has created to help you understand not only what features are available but, most importantly, how to configure them. If you have been following our ISE 1.1 video series, you should already be familiar with the lab setup and layout. For more information on the product, please consult the Cisco ISE 1.2 Release Notes.
At this point, we should have two types of users: those who are looking to begin with a fresh installation, and those who already have a pre-1.2 install and are looking to upgrade. Let's first take care of the former.
Our first video starts on a drawing board. Planning is critical to a successful ISE deployment, and you want to make sure you come up with an appropriate design to support a potentially growing environment. This video takes you through sizing strategies, including the different deployment models, and how to decide on the number of nodes, appliance model, or VM specification. Even though we already had an installation video for ISE 1.1, the VM now has to be created differently to support the 64-bit OS, so the installation process is repeated in this video.
Even in an upgrade situation, it might not be a bad idea to take another look at your current deployment and make sure that what you originally deployed follows the Cisco recommended design, and that you are not running into scalability issues. So you might still want to review the first half of this video, because if you happen to need to make architectural changes, now is the time to do it.
- SEC0106 - ISE 1.2 VMware Sizing and Installation (Part 1)
- SEC0106 - ISE 1.2 VMware Sizing and Installation (Part 2)
Upgrading might sound simple, but you definitely still want to become familiar with the process and understand some of the ramifications before pulling the trigger. This video demonstrates an upgrade process and shows you what to expect before and after the upgrade. Although this is for a standalone node, the same procedures apply to a multiple-node deployment, except for a few extra steps to break up the node connections and the order of execution. Consult the Cisco ISE 1.2 upgrade guide for more detail.
Now that you have either a fresh install or have successfully upgraded to ISE 1.2 (congratulations, by the way :-) ), it is time to review what is new in this release. We will go through the release notes together in this video, look at each feature one by one, and locate it on the web interface (where applicable). You will find that the web interface is, for the most part, identical to ISE 1.1, so you should feel right at home. One new feature in particular I want to mention is Policy Set. You might find this helpful for putting some hierarchy into policy configuration, similar to ACS 5.x, instead of a flat policy table. If you like it, enable it now or you will find yourself configuring your policies twice.
1. Wildcard Certificate
ISE 1.1 requires each node to have a unique certificate. ISE 1.2 eliminates this requirement by allowing a single certificate to be shared among nodes in the form of a wildcard certificate. This video shows you how to properly generate the CSR for a wildcard certificate, and we will try to install it on two different nodes and see how it actually works.
2. Endpoint Protection Service (EPS)
EPS has been around since ISE 1.1 and is probably one of the lesser-known features. The feature basically allows you to remove a device from the network, both wired and wireless, by quarantining its MAC address and preventing it from reconnecting by failing all future authentications. You will get to see this in action in this video.
- SEC0110 - ISE 1.2 Endpoint Protection Service (EPS) (Part 1)
- SEC0110 - ISE 1.2 Endpoint Protection Service (EPS) (Part 2)
3. AnyConnect VPN
Another common use case for ISE is as a RADIUS authentication and authorization server for remote VPN access. This is not specific to ISE 1.2, or actually to ISE at all, as you can achieve the same thing with ACS or any RADIUS server. But as more people migrate to ISE for their RADIUS server, we figured we should create a video to help those who need it. We will perform basic RADIUS AAA, with the Class attribute returned to place the user under the appropriate group-policy.
- SEC0111 - ISE 1.2 AnyConnect VPN RADIUS Authentication and Authorization (Part 1)
- SEC0111 - ISE 1.2 AnyConnect VPN RADIUS Authentication and Authorization (Part 2)
If you have wireless access points in FlexConnect mode and wish to enforce an ACL beyond 'permit all', this is the video for you. We will discuss how the named ACL is not supported and what an alternative would be to achieve the same level of security.
- ISE 1.2 Wireless 802.1X Authorization with FlexConnect (Part 1)
- ISE 1.2 Wireless 802.1X Authorization with FlexConnect (Part 2)
Since we have had an in-depth discussion and configuration of BYOD in the ISE 1.1 video series, this video is almost a repeat, showing you the configuration steps and some of the web portals that have been revamped in ISE 1.2. We will go through a start-to-finish configuration to implement BYOD wireless onboarding with a single SSID, including testing with a Windows computer, iPhone and Android.
- SEC0113 - ISE 1.2 BYOD Wireless Onboarding Single SSID (Part 1)
- SEC0113 - ISE 1.2 BYOD Wireless Onboarding Single SSID (Part 2)
- SEC0113 - ISE 1.2 BYOD Wireless Onboarding Single SSID (Part 3)
6. MDM Integration
Another long-awaited feature is MDM integration. You will see how you can leverage device posture information from an MDM to determine the level of access a device should have on your wireless LAN. We will go through the complete life cycle of a device being onboarded to ISE, registered to the MDM, posture assessed, remediated if non-compliant, and finally allowed access to the network. Our demonstration includes iPhone and Android with a MobileIron MDM server.
- SEC0114 - ISE 1.2 BYOD MDM Integration (Part 1)
- SEC0114 - ISE 1.2 BYOD MDM Integration (Part 2)
- SEC0114 - ISE 1.2 BYOD MDM Integration (Part 3)
7. Guest Customized Portal
Not everyone likes to use the Cisco default login portal in production, and some would like it to look just like their company website. This video takes you above and beyond changing the logo or background color to a fully customized set of portals. We will dig deep into the HTML code that will make your guest portals look exactly the way you would like them to. A background in basic HTML coding would definitely help here.
- SEC0115 - ISE 1.2 Wireless Guest with HTML Customized Portal (Part 1)
- SEC0115 - ISE 1.2 Wireless Guest with HTML Customized Portal (Part 2)
That is pretty much it for our ISE 1.2 video series. This might not be as long as the last one, but we hope that you have learnt as much. If you have any questions, feel free to post them under the corresponding video page or on the Lab Minutes forum. When the next version of ISE is released, there will be another video series, so be sure to sign up on our website and for the newsletter to be the first to know.