Cisco ISE 1.2 Video Guide to Installation and Configuration

Video Guide

At this point, we should have type of users; those that are looking to begin with a fresh installation and those that are already in possession of the pre-1.2 install and looking to upgrade. Let’s first take care of the former. 

 

Our first video starts on a drawing board. Planning is very critical to a successful ISE deployment and you want to make sure to come up with an appropriate design to support a potentially growing environment. This video takes you through sizing strategies, including the different deployment models, and how to decide on number of nodes, appliance model, or VM specification. Even though we already had an installation video for ISE 1.1, since the VM has to be created differently now to support 64-bit OS, the installation process is repeated in this video.

 

Even in an upgrade situation, it might not be such a bad idea to take another look at your current deployment and make sure what you have deployed originally follows Cisco recommended design, or that you are not running into issue with scalability. So you might still want to review the first half of this video because if you happen to need to make changes architecturally, here is the time to it.

Upgrading might sound simple, but you still definitely want to become familiar with the process and understand some of the ramifications before pulling that trigger. This video demonstrates an upgrade process and will show you what to expect before and after the upgrade. Although, this is for a standalone node, the same procedures apply to a multiple-node deployment except for few extra steps to break up the nodes connections and the order of execution. Consult Cisco ISE 1.2 upgrade guide for more detail.

Now that you have either a fresh install or have successfully upgraded to ISE 1.2 (congratulation by the way :-) ), it is time to review what is new in this release. We will go through the release note together in this video and look at each feature one-by-one and locate them on the web interface (where applicable). You will find that the web interface, for the most part, is identical to ISE 1.1 so you should feel right at home. One new feature in particular I want to mention is Policy Set. You might find this helpful in putting some hierarchies into policy configuration, similarly to ACS5.x, instead of a flat policy table. If you like it, enable it now or you will find yourselves configuring your policies twice.

Feature Videos

1. Wildcard Certificate

ISE 1.1 requires each node to have a unique certificate. ISE 1.2 eliminates this by allowing a single certificate to be shared among nodes in a form of wildcard certificate. This video shows you how to properly generate the CSR for a wildcard certificate and we will try to install it on two different nodes and see how it actually works.

2. Endpoint Protection Service (EPS)

EPS has been around since ISE 1.1 and is probably one of less known features. The feature basically allows you to remove a device from network, both wired, and wireless, by quarantining its MAC address and preventing it from reconnecting by failing all future authentications. You will get to see this in action in this video.

3. AnyConnect VPN

Another most commonly use case for ISE is RADIUS authentication and authorization server for remote VPN access. Although this is not specific to ISE 1.2, or actually to ISE at all as you can achieve the same thing with ACS or any RADIUS servers. But as more people migrate to ISE for their RADIUS server, we figure that we should create a video for this to help those that need it. We will perform basic RADIUS AAA with class-attribute returned to place user under appropriate group-policy.

4. FlexConnect

If you have wireless access points in FlexConnect mode and wish to enforce ACL beyond ‘permit all’, this is the video for you. We will discuss how the name ACL is not supported and what would be an alternative to achieve the same level of security.

5. BYOD

Since we have had an in depth discussion and configuration on BYOD in ISE 1.1 video series, this video is almost a repeat to show you the configuration steps and some of the web portal that have been revamped in ISE 1.2. We will go through start-to-finish configuration to implement BYOD wireless onboarding with single SSID, including testing of Widows computer, iPhone and Android.

6. MDM Integration

Another long-waited feature is MDM integration. You will see how you can leverage device posture information from a MDM to determine the level of access a device should have on your wireless LAN. We will go through a complete life-cycle of a device being on-boarded to ISE, registered to MDM, posture assessed, remediated if non-compliant, and finally allowed access to network. Our demonstration includes iPhone and Android with MobileIron MDM server.

7. Guest Customized Portal

Not everyone likes to use Cisco default login portal in the production, and some would like to have it look just like to their company website. This video takes you above and beyond changing logo or background color to a fully customized set of portals. We will dig deep into the HTML code that will make your guest portals look that exact same way you would like it to be. A background on basic HTML coding would definitely help here.

That is pretty much it for our ISE 1.2 video series. This might not be as long as the last one but we hope that you have learnt as much. If you have any question, feel free to post them under the corresponding video page or Lab Minutes forum. When the next version of ISE is released, there will be another video series so be sure to sign up on our website and the newsletter to be the first one to know.