Cisco ISE for BYOD and Secure Unified Access, 2nd edition
Published by Cisco Press (June 16, 2017) © 2017
- Aaron Woland
- Jamey Heary
Price Reduced From: $72.95 AUD
This product is expected to ship within 5-7 business days for Australian customers.
This edition of Cisco ISE for BYOD and Secure Unified Access contains more than eight brand-new chapters as well as extensively updated coverage of all the previous topics in the first edition book to reflect the latest technologies, features, and best practices of the ISE solution. It begins by reviewing today’s business case for identity solutions. Next, you walk through ISE foundational topics and ISE design. Then you explore how to build an access security policy using the building blocks of ISE. Next are the in-depth and advanced ISE configuration sections, followed by the troubleshooting and monitoring chapters. Finally, we go in depth on the new TACACS+ device administration solution that is new to ISE and to this second edition.
With this book, you will gain an understanding of ISE configuration, such as identifying users, devices, and security posture; learn about Cisco Secure Access solutions; and master advanced techniques for securing access to networks, from dynamic segmentation to guest access and everything in between.
The full text downloaded to your computer
With eBooks you can:
- search for key concepts, words and phrases
- make highlights and notes as you study
- share your notes with friends
eBooks are downloaded to your computer and accessible either offline through the Bookshelf (available as a free download), available online and also via the iPad and Android apps.
Upon purchase, you'll gain instant access to this eBook.
Time limit
The eBooks products do not have an expiry date. You will continue to access your digital ebook products whilst you have your Bookshelf installed.
Introduction xxix
Part I Identity-Enabled Network: Unite!
Chapter 1 Regain Control of Your IT Security 1
Security: Still a Weakest-Link Problem 2
Cisco Identity Services Engine 3
Sources for Providing Identity and Context Awareness 5
Unleash the Power of Centralized Policy 6
Summary 8
Chapter 2 Fundamentals of AAA 9
Triple-A 10
Compare and Select AAA Options 10
   Device Administration 11
   Network Access 12
TACACS+ 13
   TACACS+ Authentication Messages 14
   TACACS+ Authorization and Accounting Messages 15
RADIUS 17
   AV Pairs 20
   Change of Authorization 20
Comparing RADIUS and TACACS+ 21
Summary 21
Chapter 3 Introducing Cisco Identity Services Engine 23
Architecture Approach to Centralized and Dynamic Network Security Policy Enforcement 23
Cisco Identity Services Engine Features and Benefits 26
ISE Platform Support and Compatibility 30
Cisco Identity Services Engine Policy Construct 30
ISE Authorization Rules 33
Summary 34
Part II The Blueprint, Designing an ISE-Enabled Network
Chapter 4 The Building Blocks in an Identity Services Engine Design 35
ISE Solution Components Explained 35
   Infrastructure Components 36
   Policy Components 42
   Endpoint Components 42
ISE Personas 43
ISE Licensing, Requirements, and Performance 45
   ISE Licensing 45
   ISE Requirements 46
   ISE Performance 47
ISE Policy-Based Structure Explained 48
Summary 49
Chapter 5 Making Sense of the ISE Deployment Design Options 51
Centralized Versus Distributed Deployment 52
   Centralized Deployment 52
   Distributed Deployment 55
Summary 58
Chapter 6 Quick Setup of an ISE Proof of Concept 59
Deploy ISE for Wireless in 15 Minutes 59
   Wireless Setup Wizard Configuration 60
       Guest Self-Registration Wizard 61
       Secure Access Wizard 65
       Bring Your Own Device (BYOD) Wizard 67
Deploy ISE to Gain Visibility in 15 Minutes 69
   Visibility Setup Wizard 69
       Configuring Cisco Switches to Send ISE Profiling Data 73
Summary 75
Part III The Foundation, Building a Context-Aware Security Policy
Chapter 7 Building a Cisco ISE Network Access Security Policy 77
Components of a Cisco ISE Network Access Security Policy 78
   Network Access Security Policy Checklist 79
   Involving the Right People in the Creation of the Network Access Security Policy 79
Determining the High-Level Goals for Network Access Security 81
   Common High-Level Network Access Security Goals 82
   Network Access Security Policy Decision Matrix 84
Defining the Security Domains 85
Understanding and Defining ISE Authorization Rules 87
   Commonly Configured Rules and Their Purpose 88
Establishing Acceptable Use Policies 89
Host Security Posture Assessment Rules to Consider 91
   Sample NASP Format for Documenting ISE Posture Requirements 96
   Common Checks, Rules, and Requirements 97
   Method for Adding Posture Policy Rules 98
       Research and Information 98
       Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization 99
       Method for Determining What Posture Policy Rules a Particular Security Requirement Should Be Applied To 100
       Method for Deploying and Enforcing Security Requirements 101
Defining Dynamic Network Access Privileges 102
   Enforcement Methods Available with ISE 102
   Commonly Used Network Access Policies 103
Summary 105
Chapter 8 Building a Device Security Policy 107
ISE Device Profiling 107
   ISE Profiling Policies 109
   ISE Profiler Data Sources 110
   Using Device Profiles in Authorization Rules 111
Threat-Centric NAC 111
   Using TC-NAC as Part of Your Incident Response Process 113
Summary 116
Chapter 9 Building an ISE Accounting and Auditing Policy 117
Why You Need Accounting and Auditing for ISE 117
Using PCI DSS as Your ISE Auditing Framework 118
   ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords 126
   ISE Policy for PCI 10.2 and 10.3: Audit Log Collection 128
   ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Audit Log Data 129
   ISE Policy for PCI 10.6: Review Audit Data Regularly 130
Cisco ISE User Accounting 131
Summary 132
Part IV Let’s Configure!
Chapter 10 Profiling Basics and Visibility 133
Understanding Profiling Concepts 133
   ISE Profiler Work Center 137
       ISE Profiling Probes 137
       Probe Configuration 138
       DHCP and DHCPSPAN Probes 140
       RADIUS Probe 142
       Network Scan (NMAP) Probe 143
       DNS Probe 147
       SNMPQUERY and SNMPTRAP Probes 148
       Active Directory Probe 149
       HTTP Probe 150
       HTTP Profiling Without Probes 152
       NetFlow Probe 152
Infrastructure Configuration 153
   DHCP Helper 153
   SPAN Configuration 156
   VLAN ACL Captures 157
   Device Sensor 157
   VMware Configurations to Allow Promiscuous Mode 159
Profiling Policies 160
   Profiler Feed Service 160
       Configuring the Profiler Feed Service 160
       Verifying the Profiler Feed Service 162
       Offline Manual Update 164
   Endpoint Profile Policies 167
   Context Visibility 169
   Logical Profiles 178
ISE Profiler and CoA 179
   Global CoA 180
   Per-Profile CoA 181
   Global Profiler Settings 182
       Configure SNMP Settings for Probes 182
       Endpoint Attribute Filtering 182
       NMAP Scan Subnet Exclusions 183
Profiles in Authorization Policies 183
   Endpoint Identity Groups 183
   EndPointPolicy 187
   Importing Profiles 187
Verifying Profiling 189
   The Dashboard 189
       Endpoints Dashboard 189
       Context Visibility 190
   Device Sensor Show Commands 191
Triggered NetFlow: A Woland-Santuka Pro Tip 191
Summary 194
Chapter 11 Bootstrapping Network Access Devices 195
Cisco Catalyst Switches 195
   Global Configuration Settings for Classic IOS and IOS 15.x Switches 196
       Configure Certificates on a Switch 196
       Enable the Switch HTTP/HTTPS Server 197
       Global AAA Commands 198
       Global RADIUS Commands 199
       Create Local Access Control Lists for Classic IOS and IOS 15.x 202
       Global 802.1X Commands 204
       Global Logging Commands (Optional) 204
       Global Profiling Commands 205
   Interface Configuration Settings for Classic IOS and IOS 15.x Switches 207
       Configure Interfaces as Switch Ports 208
       Configure Flexible Authentication and High Availability 208
       Configure Authentication Settings 211
       Configure Authentication Timers 212
       Apply the Initial ACL to the Port and Enable Authentication 213
   Configuration Settings for C3PL Switches 213
       Why Use C3PL? 213
       Global Configuration for C3PL 216
       Global RADIUS Commands for C3PL 217
       Configure Local ACLs and Local Service Templates 219
       Global 802.1X Commands 220
       C3PL Fundamentals 221
       Configure the C3PL Policies 222
Cisco Wireless LAN Controllers 225
   AireOS Features and Version History 225
   Configure the AAA Servers 226
       Add the RADIUS Authentication Servers 226
       Add the RADIUS Accounting Servers 227
       Configure RADIUS Fallback (High Availability) 229
   Configure the Airespace ACLs 229
       Create the Web Authentication Redirection ACL 230
       Add Google URLs for ACL Bypass 231
   Create the Dynamic Interfaces for the Client VLANs 232
       Create the Employee Dynamic Interface 233
       Create the Guest Dynamic Interface 234
   Create the Wireless LANs 236
       Create the Guest WLAN 236
       Create the Corporate SSID 240
Summary 245
Chapter 12 Network Authorization Policy Elements 247
ISE Authorization Policy Elements 247
Authorization Results 251
   Configuring Authorization Downloadable ACLs 251
   Configuring Authorization Profiles 253
Summary 256
Chapter 13 Authentication and Authorization Policies 257
Relationship Between Authentication and Authorization 257
   Enable Policy Sets 258
Authentication Policy Goals 261
   Accept Only Allowed Protocols 261
   Route to the Correct Identity Store 261
   Validate the Identity 261
   Pass the Request to the Authorization Policy 262
Understanding Authentication Policies 262
   Conditions 263
   Allowed Protocols 266
       Authentication Protocol Primer 268
   Identity Store 271
       Options 272
   Common Authentication Policy Examples 272
       Using the Wireless SSID 272
       Remote-Access VPN 277
       Alternative ID Stores Based on EAP Type 278
Authorization Policies 280
   Goals of Authorization Policies 280
       Understanding Authorization Policies 280
       Role-Specific Authorization Rules 286
   Authorization Policy Example 286
       Employee and Corporate Machine Full-Access Rule 286
       Internet Only for Mobile Devices 288
       Employee Limited Access Rule 292
Saving Attributes for Reuse 295
Summary 297
Chapter 14 Guest Lifecycle Management 299
Overview of ISE Guest Services 301
Hotspot Guest Portal Configuration 302
Sponsored Guest Portal Configuration 304
   Create an Active Directory Identity Store 304
   Create ISE Guest Types 305
   Create Guest Sponsor Groups 307
Authentication and Authorization Guest Policies 310
   Guest Pre-Authentication Authorization Policy 310
   Guest Post-Authentication Authorization Policy 312
Guest Sponsor Portal Configuration 313
   Guest Portal Interface and IP Configuration 313
   Sponsor and Guest Portal Customization 313
       Sponsor Portal Behavior and Flow Settings 313
       Sponsor Portal Page Customization 315
       Guest Portal Behavior and Flow Settings 316
       Guest Portal Page Customization 317
       Creating Multiple Guest Portals 318
Guest Sponsor Portal Usage 318
   Sponsor Portal Layout 319
   Creating Guest Accounts 320
   Managing Guest Accounts 320
Configuration of Network Devices for Guest CWA 321
   Wired Switches 321
   Wireless LAN Controllers 322
Summary 325
Chapter 15 Client Posture Assessment 327
ISE Posture Assessment Flow 329
Configure Global Posture and Client Provisioning Settings 331
   Posture Client Provisioning Global Setup 331
   Posture Global Setup 335
       Posture General Settings 335
       Posture Reassessments 336
       Posture Updates 337
       Acceptable Use Policy Enforcement 338
Configure the AnyConnect and NAC Client Provisioning Rules 339
   AnyConnect Agent with ISE Compliance Module 339
   AnyConnect Posture Profile Creation 340
   AnyConnect Configuration File Creation 341
   AnyConnect Client Provisioning Policy 343
Configure the Client Provisioning Portal 343
Configure Posture Elements 345
   Configure Posture Conditions 345
   Configure Posture Remediations 349
   Configure Posture Requirements 353
Configure Posture Policy 355
Configure Host Application Visibility and Context Collection (Optional) 357
Enable Posture Client Provisioning and Assessment in Your ISE Authorization Policies 359
   Posture Client Provisioning 359
   Authorization Based On Posture Compliance 360
Posture Reports and Troubleshooting 361
Enable Posture Assessment in the Network 362
Summary 363
Chapter 16 Supplicant Configuration 365
Comparison of Popular Supplicants 366
Configuring Common Supplicants 367
   Mac OS X 10.8.2 Native Supplicant Configuration 367
   Windows GPO Configuration for Wired Supplicant 369
   Windows 7, 8/8.1, and 10 Native Supplicant Configuration 373
   Cisco AnyConnect Secure Mobility Client NAM 377
Summary 382
Chapter 17 BYOD: Self-Service Onboarding and Registration 383
BYOD Challenges 384
Onboarding Process 386
   BYOD Onboarding 386
       Dual SSID 387
       Single SSID 387
       Configuring NADs for Onboarding 388
       ISE Configuration for Onboarding 392
       End-User Experience 393
       Configuring ISE for Onboarding 408
       BYOD Onboarding Process Detailed 423
   MDM Onboarding 429
       Integration Points 430
       Configuring MDM Integration 431
       Configuring MDM Onboarding Policies 433
The Opposite of BYOD: Identify Corporate Systems 435
EAP Chaining 436
Summary 437
Chapter 18 Setting Up and Maintaining a Distributed ISE Deployment 439
Configuring ISE Nodes in a Distributed Environment 439
   Make the Policy Administration Node a Primary Device 440
   Register an ISE Node to the Deployment 442
   Ensure the Persona of All Nodes Is Accurate 445
Understanding the HA Options Available 446
   Primary and Secondary Nodes 446
       Monitoring & Troubleshooting Nodes 446
       Policy Administration Nodes 448
   Policy Service Nodes and Node Groups 450
       Create a Node Group 451
       Add the Policy Service Nodes to the Node Group 452
   Using Load Balancers 453
       General Guidelines 454
       Failure Scenarios 455
   Anycast HA for ISE PSNs 456
Cisco IOS Load Balancing 459
Maintaining ISE Deployments 460
   Patching ISE 460
   Backup and Restore 462
Summary 463
Chapter 19 Remote Access VPN and Cisco ISE 465
Introduction to VPNs 465
Client-Based Remote Access VPN 468
   Configuring a Client-Based RA-VPN on the Cisco ASA 469
       Download the Latest AnyConnect Headend Packages 470
       Prepare the Headend 471
       Add an AnyConnect Connection Profile 473
       Add the ISE PSNs to the AAA Server Group 478
       Add a Client Address Pool 481
       Perform Network Reachability Tasks 484
   Configure ISE for the ASA VPN 487
   Testing the Configuration 488
       Perform a Basic AAA Test 488
       Log In to the ASA Web Portal 490
       Connect to the VPN via AnyConnect 492
Remote Access VPN and Posture 494
   RA-VPN with Posture Flows 495
       Adding the Access Control Lists to ISE and the ASA 496
       Adding Posture Policies to the VPN Policy Set 499
       Watching It Work 501
Extending the ASA Remote Access VPN Capabilities 507
   Double Authentication 507
   Certificate-Based Authentication 509
       Provisioning Certificates 509
       Authenticating the VPN with Certificates 515
       Connecting to the VPN via CertProfile 518
Summary 519
Chapter 20 Deployment Phases 521
Why Use a Phased Approach? 521
   A Phased Approach 523
   Authentication Open Versus Standard 802.1X 524
Monitor Mode 526
   Prepare ISE for a Staged Deployment 527
       Create the Network Device Groups 528
       Create the Policy Sets 529
Low-Impact Mode 530
Closed Mode 532
Transitioning from Monitor Mode to Your End State 534
Wireless Networks 535
Summary 535
Part V Advanced Secure Access Features
Chapter 21 Advanced Profiling Configuration 537
Profiler Work Center 537
Creating Custom Profiles for Unknown Endpoints 538
   Identifying Unique Values for an Unknown Device 539
   Collecting Information for Custom Profiles 541
   Creating Custom Profiler Conditions 542
   Creating Custom Profiler Policies 543
Advanced NetFlow Probe Configuration 544
   Commonly Used NetFlow Attributes 546
   Example Profiler Policy Using NetFlow 546
   Designing for Efficient Collection of NetFlow Data 547
   Configuration of NetFlow on Cisco Devices 548
Profiler CoA and Exceptions 550
   Types of CoA 551
   Creating Exceptions Actions 552
   Configuring CoA and Exceptions in Profiler Policies 552
Profiler Monitoring and Reporting 553
Summary 556
Chapter 22 Cisco TrustSec AKA Security Group Access 557
Ingress Access Control Challenges 558
   VLAN Assignment 558
   Ingress Access Control Lists 560
What Is TrustSec? 562
   So, What Is a Security Group Tag? 562
       Defining the SGTs 564
       Classification 565
       Dynamically Assigning an SGT via 802.1X 566
       Manually Assigning an SGT at the Port 567
       Manually Binding IP Addresses to SGTs 568
       Access Layer Devices That Do Not Support SGTs 569
Transport: SGT eXchange Protocol (SXP) 569
   SXP Design 570
       Configuring SXP on IOS Devices 572
       Configuring SXP on Wireless LAN Controllers 573
       Configuring SXP on Cisco ASA 576
       Configuring SXP on ISE 578
Transport: pxGrid 579
Transport: Native Tagging 580
   Configuring Native SGT Propagation (Tagging) 581
       Configuring SGT Propagation on Cisco IOS Switches 582
       Configuring SGT Propagation on a Catalyst 6500 584
       Configuring SGT Propagation on a Nexus Series Switch 586
Enforcement 587
   Traffic Enforcement with SGACLs 588
       Creating TrustSec Matrices in ISE 590
   Traffic Enforcement with Security Group Firewalls 591
       Security Group Firewall on the ASA 591
       Security Group Firewall on the ISR and ASR 592
Summary 592
Chapter 23 Passive Identities, ISE-PIC, and EasyConnect 593
Passive Authentication 594
Identity Sharing 596
   Tenet 1: Learn 598
       Active Directory 598
       Syslog Sources 611
       REST API Sources 614
       Learning More Is Critical 615
   Tenet 2: Share 615
       pxGrid 616
       CDA-RADIUS 617
   Tenet 3: Use 617
       Integration Details 618
       Integration Summary 623
   Tenet 4: Update 623
       Logoff Detection with the Endpoint Probe 623
       WMI Update Events 625
       Session Timeouts 625
ISE Passive Identity Connector 626
EasyConnect 628
Summary 630
Chapter 24 ISE Ecosystems: The Platform eXchange Grid (pxGrid) 631
The Many Integration Types of the Ecosystem 632
   MDM Integration 632
   Rapid Threat Containment 632
   Platform Exchange Grid 635
pxGrid in Action 637
   Configuring ISE for pxGrid 639
   Configuring pxGrid Participants 642
       Configuring Firepower Management Center for pxGrid 642
       Configuring the Web Security Appliance for pxGrid 649
       Configuring Stealthwatch for pxGrid 652
Summary 658
Part VI Monitoring, Maintenance, and Troubleshooting for Network Access AAA
Chapter 25 Understanding Monitoring, Reporting, and Alerting 659
ISE Monitoring 660
   Cisco ISE Home Page 660
   Context Visibility Views 663
   RADIUS Live Logs and Live Sessions 666
   Global Search 667
   Monitoring Node in a Distributed Deployment 669
   Device Configuration for Monitoring 669
ISE Reporting 670
   Data Repository Setup 671
ISE Alarms 672
Summary 672
Chapter 26 Troubleshooting 673
Diagnostic Tools 674
   RADIUS Authentication Troubleshooting 674
   Evaluate Configuration Validator 675
   TCP Dump 678
   Endpoint Debug 680
   Session Trace 682
Troubleshooting Methodology 685
   Troubleshooting Authentication and Authorization 685
       Log Deduplication 686
       Active Troubleshooting 688
       Option 1: No Live Logs Entry Exists 689
       Option 2: An Entry Exists in the Live Logs 694
   General High-Level Troubleshooting Flowchart 697
   Troubleshooting WebAuth and URL Redirection 697
   Debug Situations: ISE Logs 701
       The Support Bundle 702
Summary 703
Chapter 27 Upgrading ISE 705
The Upgrade Process 705
Repositories 708
   Configuring a Repository 708
   Repository Types and Configuration 708
Performing the Upgrade 714
Command-Line Upgrade 718
Summary 720
Part VII Device Administration
Chapter 28 Device Administration Fundamentals 721
Device Administration in ISE 723
   Large Deployments 724
   Medium Deployments 725
   Small Deployments 726
Enabling TACACS+ in ISE 726
Network Devices 727
   Device Administration Global Settings 728
       Connection Settings 729
       Password Change Control 729
       Session Key Assignment 729
   Device Administration Work Center 730
       Overview 730
       Identities 731
       Network Resources 733
       Policy Elements 733
       Device Admin Policy Sets 736
       Reports 738
Summary 738
Chapter 29 Configuring Device Admin AAA with Cisco IOS 739
Preparing ISE for Incoming AAA Requests 739
   Preparing the Policy Results 739
       Create the Authorization Results for Network Administrators 740
       Create the Authorization Results for Network Operators 742
       Create the Authorization Results for Security Administrators 743
       Create the Authorization Results for the Helpdesk 745
   Preparing the Policy Set 747
   Configuring the Network Access Device 749
Time to Test 752
Summary 758
Chapter 30 Configuring Device Admin AAA with Cisco WLC 759
Overview of WLC Device Admin AAA 759
Configuring ISE and the WLC for Device Admin AAA 761
   Preparing ISE for WLC Device Admin AAA 761
       Prepare the Network Device 761
       Prepare the Policy Results 762
       Configure the Policy Set 766
   Adding ISE to the WLC TACACS+ Servers 768
Testing and Troubleshooting 770
Summary 775
Chapter 31 Configuring Device Admin AAA with Cisco Nexus Switches 777
Overview of NX-OS Device Admin AAA 777
Configuring ISE and the Nexus for Device Admin AAA 778
   Preparing ISE for Nexus Device Admin AAA 778
       Prepare the Network Device 778
       Prepare the Policy Results 779
       Configure the Policy Set 782
   Preparing the Nexus Switch for TACACS+ with ISE 783
       Enable TACACS+ and Add ISE to NX-OS 784
Summary 784
Part VIII Appendixes
Appendix A Sample User Community Deployment Messaging Material 785
Sample Identity Services Engine Requirement Change Notification Email 785
Sample Identity Services Engine Notice for a Bulletin Board or Poster 786
Sample Identity Services Engine Letter to Students 788
Appendix B Sample ISE Deployment Questionnaire 789
Appendix C Sample Switch Configurations 793
Catalyst 3000 Series, 12.2(55)SE 793
Catalyst 3000 Series, 15.0(2)SE 796
Catalyst 4500 Series, IOS-XE 3.3.0 / 15.1(1)SG 800
Catalyst 6500 Series, 12.2(33)SXJ 804
Appendix D The ISE CA and How Cert-Based Auth Works 807
Certificate-Based Authentication 808
   Has the Digital Certificate Been Signed by a Trusted CA? 808
   Has the Certificate Expired? 810
   Has the Certificate Been Revoked? 811
   Has the Client Provided Proof of Possession? 813
   So, What Does Any of This Have to Do with Active Directory? 814
ISE’s Internal Certificate Authority 815
   Why Put a CA into ISE? 815
   ISE CA PKI Hierarchy 815
       The Endpoint CA 818
       Reissuing CA Certificates 819
       Configuring ISE to be a Subordinate CA to an Existing PKI 820
   Backing Up the Certificates 823
   Issuing Certificates from the ISE CA 826
Â
Â
9781587144738Â Â TOCÂ Â 5/26/2017
Â
Need help? Get in touch