Cisco ISE ANC

The video looks at the Adaptive Network Control (ANC) feature on Cisco ISE 2.0 and how it can be used to quarantine endpoint devices, similarly to its legacy feature called Endpoint Protection Service (EPS). This lab exercise includes creating and testing ANC policies with various types of actions.

There you go - AMP is now integrated and you can quarantine and unquarantine based on the alerts you received from AMP. I went through probably a bit more of the extra detail, like setting up the ANC policy or the SOCKS proxy, but I wanted to give you guys a good overview on how to set it up from scratch in a lab or even in production in the event you are putting ISE behind a proxy.

Now, take selective mitigation actions based on the severity of the threat using ISE ANC (Adaptive Network Control) policies. TrustSec Security Group Tags (SGTs) can now be pulled from ISE and are mapped to IP addresses, which provides the ability to implement more efficient network segmentation by using SGTs to create Custom Security Events.

Cisco Identity Services Engine (ISE) is a server-based product, either a Cisco ISE appliance or a virtual machine, that enables the creation and enforcement of access policies for endpoint devices connected to a company's network.

Be sure to check out Part 1 for Base licenses and Part 2 for Plus licenses.

What functionality is included in Apex licenses?

  • 3rd party mobile device management (MDM) integration
  • Posture assessment/compliance
  • Threat Centric Network Access Control (TC-NAC)

What functionality is included in the Device Administration license?

The Device Administration license has one function: Enable the TACACS+ server functions. That’s it. Pretty simple. If you want to use ISE as a TACACS+ server, this is the license you need.

What is involved with each Apex license function?

Posture assessment is an extra layer of security. You can utilize a persistent agent like AnyConnect (with the ISE posture module) or a dissolvable agent to perform checks against a Windows or Mac client to verify they meet certain requirements. An example of the compliance requirements that can be checked are:

  • Specific antivirus program is installed, running, and updated
  • USB drive plugged in (Windows only)
  • Windows registry entries
  • Windows service status

Cisco ISE does not have posture clients available for mobile devices running Android and iOS. That’s where MDM integration comes into play. ISE can force mobile devices to register with your company’s MDM. If it’s already registered, ISE can check with the MDM to verify it meets all of the requirements set in your MDM. MDM integration is not only for Android and iOS devices. Any device managed by an MDM like Mac OS X and JAMF can be checked by ISE for MDM compliance. ISE integrates with several 3rd party MDM servers. The list of compatible MDM servers for ISE 2.3 can be found here.

TC-NAC is yet another layer of security for your network devices. It allows ISE to react to threat and vulnerability notifications from several vulnerability scanners. ISE can take action, like quarantining, via ANC to minimize the risk from that device being on the network when a threat notification is received. This feature is huge if you have a lot of IoT devices because those devices rarely value security. Cisco ISE 2.3 supports the following vulnerability scanners:

  • SourceFire FireAMP
  • Cognitive Threat Analytics (CTA) adapter
  • Qualys
  • Rapid7 Nexpose
  • Tenable Security Center

Note: TC-NAC should only be enabled on a dedicated PSN and only the TC-NAC persona should be enabled. Only one node can have TC-NAC enabled.

How are Apex licenses consumed?

Apex licenses are consumed along with Base licenses any time an authorization rule is based on the following conditions:

  • Posture assessment is utilized against an endpoint
  • An authorization rule triggers a TC-NAC event (scanning, quarantining, etc.)
  • An endpoint is verified against an MDM for compliance

How many Apex licenses do I need?

You will need enough Apex licenses to cover any of the above consumption scenarios. The number of Apex licenses must be less than or equal to the number of Base licenses. Let’s assume you have 10k endpoints (workstations, printers, APs, etc.) but only want to run posture assessment against 2k workstations. You would only need 2k Apex licenses.

One thing to remember is that the ISE Apex license does not cover licensing for using AnyConnect as the posture enforcement agent for Windows and Mac endpoints. You will also need AnyConnect Apex licenses for every endpoint.

How are Device Administration licenses consumed and how many do I need?

You only need one (1)! There is no consumption outside of enabling the TACACS+ server functions. Once you add the Device Administration license, you can enable device administration on all of your PSNs if you wanted to. But don’t do that. Plan your deployment properly so you’re not overwhelming your PSN between RADIUS authentications and TACACS+ authentications.

The first question I am going to answer in this Cisco ISE tutorial is:
“What is Cisco ISE and what does Cisco ISE do?”

What is Cisco ISE used for?

Cisco Identity Services Engine (ISE) is a server-based product, either a Cisco ISE appliance or a virtual machine, that enables the creation and enforcement of access policies for endpoint devices connected to a company's network.

In this Cisco ISE overview we are going to cover all the basic concepts, so that by the end of the post you will be able to explain them.

Some people think it is Cisco ICE because that is how it’s pronounced, but the correct acronym is ISE – Identity Services Engine.

What can you do with Cisco ISE?

In simple terms you can control who can access your network and, when they do, what they can get access to. It can authenticate wired, wireless and VPN users and can scale to millions of endpoints. Based on many factors, including the validity of a certificate, MAC address or device profiling, you can identify a machine and determine which VLAN that machine is placed into. Any devices that do not pass authorisation will be placed into a guest VLAN or denied access to the network.

All this information is logged and you can instantly get a view of what is connected to your network at any time.

ISE Nodes

The ISE solution is made up of a deployment of nodes with three different ISE personas:

  • Policy Administration Node (PAN)
  • Monitoring Node (MnT)
  • Policy Services Node (PSN)
  • pxGrid

Depending on the size of your deployment, all three personas can be run on the same device or spread across multiple devices for redundancy and scalability. Let's go through each persona and explain its function.

Policy Administration Node (PAN)


The Policy Administration Node is where the administrator logs in to configure policies and make changes to the entire ISE system. Once configured on the PAN, the changes are pushed out to the policy services nodes. It handles all system-related configurations and can be configured as standalone, primary or secondary.

Monitoring Node (MnT)


The Monitoring Node is where all the logs are collected and where report generation occurs. Every event that occurs within the ISE topology is logged to the monitoring node. You can then generate reports showing the current status of connected devices and unknown devices on your network.

Policy Services Node (PSN)


The Policy Services Node is the contact point into the network. Each switch is configured to query a RADIUS server to get the policy decision to apply to the network port; that RADIUS server is the PSN. In larger deployments you use multiple PSNs to spread the load of all the network requests. The PSN provides network access, posture, guest access, client provisioning, and profiling services. There must be at least one PSN in a distributed setup.

pxGrid Node

The pxGrid framework is used to exchange context-sensitive information from the Cisco ISE session directory. It allows the ISE system to pass data to other Cisco platforms and third-party vendors. This information can then be used to invoke actions to quarantine users or block access in response to network security events.

ISE Hardware

The Cisco Secure Network Server is based on the Cisco UCS C220 Rack Server and is configured specifically to support the Cisco Identity Services Engine.

Cisco ISE End of Life

Note: The 3415 and 3495 secure network servers are now end of life (EOL) and the last date to order these appliances was October 7 2016. This post will be covering the latest hardware now available, which is the 3515 and the 3595 – the 3595 appliance is shown below.


Secure Network Server 3595

There are two versions of the hardware:

  • Secure Network Server 3515 (For small and medium sized deployments)
  • Secure Network Server 3595 (For large deployments – includes redundant hard disks and power supplies)

Hardware details taken from cisco data sheet

Endpoints supported for different platforms

How Cisco ISE Works – Cisco ISE Deployment options

ISE has two different deployment options – Standalone and Distributed

Standalone Deployment

This consists of one node which runs all three personas. This is suitable for a small deployment or lab solution.

If you run a standalone solution on your production network you have no redundancy.

Distributed Deployment

  • Small Network Deployments
  • Medium Network Deployments
  • Large Network Deployments

Small Network Deployment

The smallest distributed ISE deployment consists of two Cisco ISE nodes with one node functioning as the primary.

The primary node provides all the configuration, authentication and policy functions and the secondary node functions as a backup. The secondary supports the primary in the event of a loss of connectivity between the network devices and the primary.

Medium Network Deployment

As the size of your network grows or you want to expand your ISE topology you need to start adding more nodes and with a medium sized deployment start dedicating nodes to logging and administration. The medium sized deployment consists of a primary and secondary administration node and a primary and secondary monitoring node, alongside separate policy service nodes.

Large Network Deployment

With a large network deployment you dedicate each node to a separate persona. So a separate node (secure network server) for administration, monitoring and policy service. You should also consider using load balancers in front of the PSN nodes.

As the number of PSN nodes increases, it becomes more of an administrative overhead to ensure even distribution of AAA client configuration. For example, if you have 1000 switches, each of them will be configured to point to a specific primary and secondary RADIUS server. If all switches point to one RADIUS server (a single PSN node), then this single node will take all the load and the other nodes will not be used. Putting a load balancer in front of the PSNs and creating a RADIUS VIP will ensure all switches can be configured with a single RADIUS server, and the load balancer will balance the RADIUS requests between all the PSNs. This is also very beneficial when performing software upgrades, as a single PSN node can be removed from service without any fear of a switch being configured to have it as its primary RADIUS server.

Having a single load balancer does introduce a potential single point of failure so it is highly recommended to deploy two load balancers.

The large network deployment also uses a centralised dedicated logging server. One node setup specifically for logging. This would typically be an appliance with a lot of disk space. A secondary logging appliance would also be configured but in the first instance all logging information will go to a central point.

With the large network deployment you have a dedicated Primary PAN and dedicated secondary PAN. A Primary and Secondary MnT. All logging goes to the primary monitoring appliance. The number of PSN nodes is scaled out depending on the number of devices on the network. Typically allow 7,500 devices per PSN plus 2 more for redundancy.

Due to the standard configuration on switches, where most RADIUS servers will be configured as primary / secondary, there is a big potential for all devices to only talk to a single PSN, loading it very heavily. To overcome this it is a best practice to introduce a load balancer, and ideally a redundant pair, which will provide a single virtual IP for the RADIUS server.

The load balancers will load balance the requests to all the PSN nodes. This also is very beneficial for software updates on the PSN nodes which do happen quite frequently. For a software update you just take a single PSN node out of the cluster and perform the upgrade.

All administration is handled on the primary PAN and in the event of a failure would move over to the secondary which contains a replicated database.

Cisco ISE 2.2 is the current version at the time of writing and will be used for all information below.

Cisco ISE Licensing

I will try to simplify the license model below but all the information from Cisco can be found here in the 2.1 admin guide license section.

The Cisco ISE licensing model allows you to purchase licenses based on your enterprise needs. There are two ways of consuming licenses: Traditional or Smart.

  • Traditional licensing is where you import a license onto the appliance
  • Smart licensing is where you manage a Cisco account that holds all the information on the licenses purchased for your deployment.

Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.
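
The counting rule above, combined with the Apex consumption and "Apex must not exceed Base" rules earlier on this page, as an added example (not code from Cisco or from the original post). The event tuple layout, the uses_apex flag and both function names are assumptions made for illustration, and the sample events are constructed.

```python
# Added example: peak concurrent license consumption from RADIUS accounting.
# Event layout and the uses_apex flag are assumptions, not an ISE export format.

# Constructed sample events: (timestamp, acct_status, session_id, uses_apex)
EVENTS = [
    (100, "Start", "s1", True),    # workstation hitting a posture rule
    (105, "Start", "s2", False),   # printer, Base only
    (110, "Start", "s3", True),
    (112, "Start", "s3", True),    # retransmitted Start, must not count twice
    (120, "Stop",  "s1", True),
    (125, "Stop",  "s9", False),   # Stop with no matching Start
    (130, "Start", "s4", False),
    (140, "Start", "s5", True),    # no Stop seen yet: still active
]


def peak_license_usage(events):
    """Return (peak_base, peak_apex) concurrent sessions over the stream."""
    active = {}                    # session_id -> uses_apex
    peak_base = peak_apex = 0
    for _ts, status, session_id, uses_apex in sorted(events, key=lambda e: e[0]):
        if status == "Start":
            active[session_id] = uses_apex      # duplicate Start overwrites
        elif status == "Stop":
            active.pop(session_id, None)        # unknown session: ignore
        # Every active session consumes Base; flagged ones also consume Apex.
        peak_base = max(peak_base, len(active))
        peak_apex = max(peak_apex, sum(active.values()))
    return peak_base, peak_apex


def entitlement_problems(peak_base, peak_apex, base_owned, apex_owned):
    """List the ways the owned licenses fail to cover the observed peaks."""
    problems = []
    if apex_owned > base_owned:
        problems.append("Apex count exceeds Base count")
    if peak_base > base_owned:
        problems.append(f"Base short by {peak_base - base_owned}")
    if peak_apex > apex_owned:
        problems.append(f"Apex short by {peak_apex - apex_owned}")
    return problems


if __name__ == "__main__":
    base, apex = peak_license_usage(EVENTS)
    print("peak Base:", base, "peak Apex:", apex)
    print(entitlement_problems(base, apex, base_owned=3, apex_owned=5))
```

Sizing from the peak rather than from the total number of known endpoints matches the way consumption is described here: only sessions that are active at the same moment count.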

The valid license options are:

  • ISE Base only
  • ISE Base and Plus
  • ISE Base and Apex
  • ISE Base, Plus, and Apex
  • ISE Base, Plus, Apex and AnyConnect Apex

Base License

The base license is a perpetual license and is the only requirement for AAA and IEEE 802.1X. It also covers guest services and TrustSec. A base license is consumed for every active device on the network.

Base and Plus

A plus license is required for Bring Your Own Device (BYOD), Profiling, Adaptive Network Control (ANC) and pxGrid. A base license is required to install the plus license, and the plus license is a subscription for 1, 3 or 5 years.

Base and Apex

The Apex license is the same as the plus license in that it is a 1, 3 or 5 year subscription and requires the base license, but it is used for Third Party Mobile Device Management & Posture Compliance.

Device Administration

There is a device administration license required for TACACS, which is a perpetual license. A base license is required to install the device administration license and you only require one license per deployment.

Evaluation

An evaluation license covers 100 nodes and provides full Cisco ISE functionality for 90 days. All Cisco ISE appliances are supplied with an evaluation license.

ISE upgrade

At some point in time when you run Cisco ISE you will have to perform a software upgrade. Check out my comprehensive guide here to walk you through this process.

Cisco ISE Questions

What is Trustsec?

The ultimate goal of TrustSec is to assign a tag, or Security Group Tag (SGT), to the user's or device's traffic at the ingress point to the network, and then to restrict or permit the traffic at other parts of the network based on this tag.

Does Cisco ISE support Tacacs?

As of version 2.0, Cisco ISE supports TACACS+.

Up until this point the de facto TACACS+ server was ACS, but with this feature now available in ISE, the migration of TACACS+ services has enabled network engineers to centralise all network authentications within one framework.

Device admin is not enabled by default; to enable it go to:

Administration / Deployment / Node Name / Enable Device Admin Service

This service should be enabled on the PSNs.

What is Cisco ISE Profiling?

The profiling service allows the Identity Services Engine to profile devices connected to the network and give them an identity based on numerous factors. These devices can then be granted access or denied access to the network based on the security policies. A typical network deployment would start by putting ISE into monitor mode. In monitor mode no enforcement takes place, but the ISE administrator can start to see what devices are connecting to the network and what identity each has been given.

During this phase a lot of devices are normally discovered that the network administrator did not even know were connected to the network.

That, though, is the whole point of NAC: to have a complete picture of all devices that are connected to your network and to be in complete control of their access.

What is Mac Authentication Bypass?

MAC Authentication Bypass (MAB) is a way to whitelist certain network devices. If you know the MAC address of a device that should get access to your network, you can grant it access purely by its MAC address. This is used for devices that cannot have certificates loaded on them or are hard to profile.

How to change the IP address on ISE after installation

application stop ise

configure

interface GigabitEthernet 0

ip address <new ip address> <netmask>

ISE will then restart all the services

Verify all the services are running with – show application status ise

To save the ISE config enter the command

write mem

Cisco ISE vs ACS

I get a lot of questions about the differences between ISE and ACS. In simple terms ISE is the next generation of network authentication and is so much more powerful than ACS. ACS is used to authenticate users to network devices and for VPN sessions but it is not a NAC solution. If you want to implement full network access control you need ISE.

The official Cisco ISE pages on cisco.com

I hope this information has been a benefit to starting to learn the concepts of the Cisco Identity Services Engine. For more in depth posts on configuring and deploying ISE – Check out my Cisco ISE Training pages.

If you are looking for ISE training videos I can highly recommend Katherine Mcnamara’s site
https://www.network-node.com/video-training

Cisco ISE Ordering Guide

There is a very good PDF document entitled the Cisco ISE Ordering Guide which can be downloaded here. It steps you through all the appliances, licenses and numbers required for placing an order for an ISE appliance.

What is Cisco ISE?

Cisco Identity Services Engine (ISE) is a server-based product, either a Cisco ISE appliance or a virtual machine, that enables the creation and enforcement of access policies for endpoint devices connected to a company's network.

What is ISE?

ISE stands for Identity Services Engine and is Cisco’s flagship security product for network access control.

How does Cisco ISE work?

Every time a user or device wants to connect to the network, either wired or wireless, the device or user is validated to check if it’s permitted on the network. ISE can also posture devices and, based on a profile, allow or deny them access to the network.

There is also a lot of learning material on this: Learning resources on cisco.com
