
Advanced ISE Services, Tips & Tricks

BRKSEC-3697

Craig Hyps (chyps@cisco.com)
Senior Technical Marketing Engineer

Session Abstract
Cisco's Identity Services Engine (ISE) delivers context-based access control for
every endpoint that connects to your network. This advanced session will focus on
the advanced services of ISE, successful deployment strategies, integration with
Cisco as well as third party network infrastructure, as well as deployment tips and
tricks.

We will examine best practices for Bring Your Own Device (BYOD) deployments
with the most common mobile platforms, including multiple tiers of registered
devices. We will perform a detailed examination of certificate usage including
integration of ISE with your enterprise certificate authority (CA), endpoint
certificate usage, and wildcard certificates. There will be a detailed examination of
guest life-cycle management, including self-service and sponsored guest access
models. Lastly, attendees will be introduced to troubleshooting and serviceability
tips.

BRKSEC-3697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Live Melbourne: ISE and TrustSec Sessions
BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Fri 2:00pm)
BRKSEC-3699 Designing ISE for Scale & High Availability (Fri 8:45am)
BRKSEC-2690 Deploying Security Group Tags (Wed 2:30pm)
BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (Fri 8:45am)
BRKSEC-2044 Building an Enterprise Access Control Architecture Using ISE & TrustSec (Thurs 8:30am)
BRKSEC-1011 Written to Realised Security Policy (Thurs 2:45pm)
BRKSEC-2691 IBNS 2.0: New-style 802.1X and more (Thurs 4:30pm)
DEVNET-1618 Cisco pxGrid: A New Architecture for Security Platform Integration (Thurs 2:00pm)

Important: Hidden Slide Alert
Look for the "For Your Reference" symbol in your PDFs.
There is a tremendous amount of hidden content for you to use later!
200 +/- slides in the PDF

Agenda
Introduction
Certificates, Certificates, Certificates
BYOD Best Practices
Integrating with Cisco and Non-Cisco
ISE in a Security EcoSystem
Serviceability & Troubleshooting
Staged Deployments (Time Permitting)
Conclusion

ISE and Certificate Usage

Certificates
What is an X.509 Certificate?
A certificate is a signed document. Think of it like a government form of identity: an X.509 certificate carries identity fields such as username, organization and location.

Certificates
What is the purpose of an X.509 Certificate?
Provides an identity: who is the user, what is the endpoint, what is the website's identity.
Acts as a seed value for encryption.

Certificates
ISE and Certificates: Multiple Identities
ISE presents a different certificate identity for each role: Authentication Server (EAP), Secure Web Server (portals), Root CA, and Internal Communications.

802.1X/EAP flow between Supplicant (Layer 2 link), Authenticator and Authentication Server (Layer 3 link):
1. EAPoL Start (port unauthorized)
2. EAP-Request/Identity
3. EAP-Response/Identity, forwarded as RADIUS Access-Request
4. RADIUS Access-Challenge [AVP: EAP-Request PEAP], delivered to the supplicant as EAP-Request/PEAP
5. EAP-Response/PEAP, forwarded as RADIUS Access-Request [AVP: EAP-Response: PEAP]
Multiple Challenge-Request exchanges possible.

Certificates
Certificates and Web Portals
All web portals (Admin, WebAuth, MyDevices, Sponsor, CPP, etc.)
Flow: Client/Browser -> NAD (SSID) -> ISE
Step 1: Initiate request to establish HTTPS tunnel with portal (https://ISE/admin)
Step 2: Certificate sent to browser
Step 3: User is prompted to accept certificate. Once accepted, it is stored in browser, keychain, or trusted store
Step 4: SSL tunnel is formed, encrypting the HTTP communications (HTTPS)

Certificates
Certificates and EAP Communication
EAP connections (PEAP, FAST, EAP-TLS)
Flow: Client/Supplicant -> NAD (SSID) -> ISE
Step 1: Initiate request to establish TLS tunnel with authenticator
Step 2: Certificate sent to supplicant
Step 3: User is prompted to accept certificate. If accepted, it is stored in the WiFi profile
Step 4: TLS tunnel is formed, EAP happens next

Certificates
ISE Admin/EAP/Portal Certificate Examination
Example: ise.company.com (ISE Wildcard Cert, Portal-Tag); a lab node uses ise-lab.company.com.
Used for Admin, Portal and EAP.
Any portal using the Portal-Tag uses this cert.
Publicly signed certificate.
Purpose is for Client and Server Auth.
SAN includes the wildcard (*.company.com) and the CN (ise.company.com).

Certificates
ISE Root Certificate Examination
The CLI is the only way to access the Root Certificate:
ise/admin# application configure ise
Selection ISE configuration option
<Snip>
[7]Export Internal CA Store
[8]Import Internal CA Store
</Snip>
[12]Exit

Root certificate ise-ca (the subordinate certificate ise-ca-#0002 chains to it):
Self-signed certificate (it's a Root Cert)
Purpose is for Cert Signing / it is a CA

Certificates
Endpoint Certificate Examination
Example endpoint certificate: CN=employee1, issued by ise-ca
Signed by ISE Sub-CA
Purpose is for Client Auth
SAN includes MAC Address

Certificates
Certificate Provisioning User Experience in ISE 1.0 - 1.2
Each node is handled individually:
Generate CSR for Primary PAN; bind CA-signed cert for Primary PAN
Generate CSR for PSN #1; bind CA-signed cert for PSN #1
Generate CSR for PSN #20; bind CA-signed cert for PSN #20
Generate CSR for PSN #40; bind CA-signed cert for PSN #40

Certificates
Centralized Certificate Management in 1.3
Generate CSRs for ALL NODES at the Primary PAN
Bind CA-signed certs for ALL NODES at the Primary PAN
Manage System (Local) certs for ALL NODES at the Primary PAN
(Nodes shown: Primary PAN, PSN #1, PSN #20, PSN #40)

Certificates
Manage System Certificates
Certificates used by: Admin, HTTPS Portals, pxGrid, EAP
These are private/public key pairs, i.e. they identify ISE personalities.
(Example: ISE Wildcard Cert with Portal-Tag for ise.company.com; ise-lab.company.com)

Certificates
Certificates your ISE Deployment will Trust
Trust for EAP, MDM, etc.
These are copies of their public certs, i.e. they identify other systems.

Certificates

Trusted Certificates
In 1.3, trusted certificates have a new Trusted For attribute.
Security Goal: To prevent the public certificates used for Cisco Services from being
used internally.
When importing a trust certificate, the user must specify what the certificate is
trusted for.
It is important to select at least one category, or the cert will not be used in any
trust store.

Certificates
System Certificate Roles in ISE 1.3

1.2 Role Name   1.3 Role Name        How Many   May Use Wildcard (*) in SAN   May Use Wildcard (*) in Subject
HTTPS           Admin                1          Yes                           Yes
EAP             EAP Authentication   1          Yes                           No (1)
-               pxGrid               1          No                            No
-               Portal               Many       Yes                           Yes

Admin cert is the server cert for the Admin Console.
pxGrid cert is the server cert for authenticating the ISE node to pxGrid clients.
Portal cert is a server cert associated with a particular ISE portal (Guest, Sponsor, My Devices, ...).
In a freshly installed node, the default self-signed cert has all four roles.
Certificates for all roles are managed from the Primary PAN node.
(1) While ISE technically allows a wildcard in the CN, Microsoft supplicants will reject it, so it is never recommended.

Certificates
ISE 1.3: Multiple Web Portals
Each portal could use a different certificate.
Each portal exists on ALL PSNs (ISE PSN-1, PSN-2, PSN-3).
Each portal requires a certificate.
One certificate per Interface > IP:Port.
Each PSN could have unique certificates (identity).

Certificates
Problem: Assign Certificate on All PSNs to Portal?
How to assign at scale? The new UI paradigm with ISE 1.3 is to keep all portal configuration together (e.g. the Hotspot-DRW portal page).
Options:
Add complexity to the portal configuration page by choosing certificates on each node (PSN-1: Cert1, PSN-2: Cert2, PSN-3: Cert3, ...)? What about large deployments (40 PSNs)?
Configure it entirely outside of the portal configuration screen?
Some way to combine?

Certificates
Solution: Certificate Group Tag
Certificate Group Tag provides a solution to configure node-specific certificates for portal configuration by associating node certificates to a logical name.
Example: Node 1 (Pri Admin, M&T and PSN), Node 2 (Sec Admin, M&T and PSN) and Node 3 (PSN) each contribute their certificate to the Group Tag "GuestPortalCerts" (grouping certificates to a logical name); the Portal Configuration then references the tag.

Certificates
Certificate Chains
For scalability, X.509 Certificate Authorities may have a hierarchy: Root CA -> Subordinate CA -> ise.company.com cert.
ISE will present the full signing chain (Root, Sub, ISE) to the client during authentication.
Client must trust each CA within the chain.

Certificates
Always Add the Root and Subordinate CAs
Import all certificates in the chain, one at a time: Root CA, Subordinate CA(s), then the ISE cert (ise.company.com).
If you must use a PKCS chain, it needs to be in PEM format (not DER).

Certificates
PEM versus DER
(Slide shows the same root.cer in PEM encoding and in DER encoding.)

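As an added example (standard-library Python, not code from the session or from Cisco), the following tells a PEM bundle from a DER file, converts DER to PEM, and splits a PEM chain into its individual certificates so Root CA, Subordinate CA and server cert can be imported one at a time; the sample DER blobs are constructed minimal ASN.1 SEQUENCEs, not real certificates, and the function names are my own.

```python
import base64
import re
import textwrap
from typing import List

# Constructed samples: minimal DER SEQUENCEs, NOT real certificates. They only
# exercise the encoding detection and conversion logic below.
SAMPLE_DER = bytes.fromhex("3009020101020102020103")   # SEQUENCE { INT 1, INT 2, INT 3 }
SAMPLE_DER_2 = bytes.fromhex("3003020105")             # SEQUENCE { INT 5 }

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def is_pem(data: bytes) -> bool:
    """PEM is base64 text between BEGIN/END armour lines; DER is raw binary."""
    return b"-----BEGIN " in data


def der_length_ok(der: bytes) -> bool:
    """Cheap DER sanity check: a leading SEQUENCE tag (0x30) whose encoded
    length accounts for the whole buffer. Catches truncated files and text
    that is neither PEM nor DER."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length (< 128 bytes)
        header, length = 2, first
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Decode a single PEM certificate back to DER."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(re.sub(r"\s+", "", match.group(1)))


def split_pem_chain(text: str) -> List[str]:
    """Return every certificate in a PEM bundle as its own PEM string, in file
    order, so Root CA, Subordinate CA and server cert can be imported one at a
    time rather than as a single chain file."""
    return [der_to_pem(base64.b64decode(re.sub(r"\s+", "", m.group(1))))
            for m in PEM_BLOCK.finditer(text)]


def normalize_to_pem(data: bytes) -> List[str]:
    """Accept a PEM bundle or a single DER file and return a list of PEM certs,
    rejecting input that is neither."""
    if is_pem(data):
        return split_pem_chain(data.decode("ascii"))
    if not der_length_ok(data):
        raise ValueError("input is neither PEM nor a well-formed DER SEQUENCE")
    return [der_to_pem(data)]


# Constructed two-certificate bundle built from the samples above.
SAMPLE_BUNDLE = (der_to_pem(SAMPLE_DER) + der_to_pem(SAMPLE_DER_2)).encode("ascii")

if __name__ == "__main__":
    for i, cert in enumerate(normalize_to_pem(SAMPLE_BUNDLE), 1):
        print(f"--- certificate {i} ---\n{cert}")
```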
Certificates
Joining an ISE Deployment
Mutual trust required. In order to join an ISE node to an existing ISE deployment:
You must trust the PAN certificate on the secondary node(s) (PSN1, PSN2).
Secondary nodes must trust PAN certs (each side's Trusted Certs store holds the other's certificate).
Then you upgrade all certs:
Delete the old self-signed certificates from the System Certs.
Delete the old self-signed certs from the Trusted Cert Store.
So, it is often easier to upgrade to a CA-signed & trusted cert before joining the deployment.

Certificates
Simple URL for My Devices & Sponsor Portals
In 1.3: Sponsor Portal and My Devices Portal are accessed via a user-friendly URL and selectable port. Ex: http://mydevices.company.com
Automatic redirect to https://fqdn:port
FQDN for the URL must be added to DNS and resolve to the Policy Service node(s) used for Guest Services.
Recommend populating the Subject Alternative Name (SAN) field of the PSN local cert with this alternative FQDN or a wildcard to avoid SSL cert warnings due to name mismatch.

Certificates
ISE Certificate without SAN
Certificate Warning - Name Mismatch
Topology: Sponsor browser -> DNS Server -> Load Balancer (100.1.98.8) -> ISE-PSN-1 (100.1.99.5), ISE-PSN-2 (100.1.99.6), ISE-PSN-3 (100.1.99.7)
1. Sponsor opens http://sponsor.company.com; DNS lookup = sponsor.company.com, DNS response = 10.1.99.5
2. Browser is redirected to https://sponsor.company.com:8443/sponsorportal, which the load balancer sends to ISE-PSN-3
3. Name Mismatch! Requested URL = sponsor.company.com; Certificate Subject = ise-psn-3.company.com

Certificates
ISE Certificate with SAN
No Certificate Warning
Topology: Sponsor browser -> DNS Server -> Load Balancer (100.1.99.8) -> ISE-PSN-1 (100.1.99.5), ISE-PSN-2 (100.1.99.6), ISE-PSN-3 (100.1.99.7)
1. Sponsor opens http://sponsor.company.com; DNS lookup = sponsor.company.com, DNS response = 10.1.99.5
2. Browser is redirected to https://sponsor.company.com:8443/sponsorportal, which the load balancer sends to ISE-PSN-3
3. Certificate OK! Requested URL = sponsor.company.com; Certificate SAN = sponsor.company.com

Certificates
ISE Certificate with SAN
CN must also exist in SAN.
Example: CN = ise-psn.company.com (the ise-psn Admin node name); SAN = ise-psn.company.com plus the other FQDNs as DNS names, e.g. mydevices.company.com and sponsor.company.com. An IP address is also an option.

Certificates
Traditional Wildcard Certificates
Wildcard certificates are used to identify any secure web site that is part of the domain, e.g. *.company.com covers https://ise-psn-1.company.com/admin/login.jsp.
*.domain.com works for:
www.domain.com
mydevices.domain.com
sponsor.domain.com
AnyThingIWant.domain.com
*.domain.com != psn.[ise].domain.com: the wildcard's position in the FQDN is fixed.

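The name-mismatch, SAN and wildcard rules from the last few slides, as an added Python example (standard library only, not code from the session or from Cisco): it implements single-label wildcard matching and SAN-first name checking, then replays the slide scenarios (sponsor portal without and with SAN, wildcard against a one-label and a two-label name, CWA redirect to an interface IP). The hostnames and addresses are the slides' own; the function names are my own.

```python
import ipaddress
from typing import Dict, List, Tuple


def wildcard_match(pattern: str, host: str) -> bool:
    """DNS-name matching as the slides describe it: '*' may stand only for the
    single leftmost label, so *.domain.com covers sponsor.domain.com but not
    psn.ise.domain.com (the wildcard's position in the FQDN is fixed)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Only a whole leftmost label may be '*', and a bare '*.com' is not accepted.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def name_matches(requested: str, subject_cn: str,
                 san_dns: List[str], san_ip: List[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for the name the browser or supplicant asked for.
    Clients check the SAN and ignore the CN whenever a SAN is present, which
    is why the CN must also be listed in the SAN; an IP-literal URL (e.g. a
    redirect to https://10.1.91.5:8443/...) can only match an IP-address SAN."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(x) == ip for x in san_ip):
            return True, f"Certificate OK: IP SAN matches {requested}"
        return False, f"Name mismatch: requested URL = {requested}, no matching IP SAN"
    if san_dns or san_ip:
        for name in san_dns:
            if wildcard_match(name, requested):
                return True, f"Certificate OK: SAN {name} matches {requested}"
        return False, (f"Name mismatch: requested URL = {requested}, "
                       f"certificate SAN = {', '.join(san_dns) or '(none)'}")
    # Legacy fallback: no SAN at all, so the Subject CN is all there is to check.
    if wildcard_match(subject_cn, requested):
        return True, f"Certificate OK (CN only): {subject_cn} matches {requested}"
    return False, (f"Name mismatch: requested URL = {requested}, "
                   f"certificate Subject = {subject_cn}")


def check_scenarios() -> Dict[str, bool]:
    """Replay the name-matching situations from the slides (inputs constructed
    from the slide examples) and report which ones a client would accept."""
    portal_san = ["ise-psn-3.company.com", "sponsor.company.com"]
    wildcard_san = ["ise-psn.company.com", "*.company.com"]
    psn1_san = ["ise-psn1.company.com", "sponsor.company.com", "mydevices.company.com"]
    cases = {
        # Sponsor portal via the load balancer; the cert has a Subject only
        "without_san": ("sponsor.company.com", "ise-psn-3.company.com", [], []),
        # Same, but the friendly URL was added to the SAN
        "with_san": ("sponsor.company.com", "ise-psn-3.company.com", portal_san, []),
        # A wildcard SAN covers a one-label friendly name...
        "wildcard_one_label": ("mydevices.company.com", "ise-psn.company.com", wildcard_san, []),
        # ...but not a name with an extra label in front
        "wildcard_two_labels": ("psn.ise.company.com", "ise-psn.company.com", wildcard_san, []),
        # CWA redirect to the raw eth1 address with an FQDN-only SAN
        "ip_redirect_fqdn_san": ("10.1.91.5", "ise-psn1.company.com", psn1_san, []),
        # Same redirect once the interface IP is in the SAN
        "ip_redirect_ip_san": ("10.1.91.5", "ise-psn1.company.com", psn1_san, ["10.1.91.5"]),
        # CN present but forgotten in the SAN
        "cn_not_in_san": ("ise-psn.company.com", "ise-psn.company.com", ["sponsor.company.com"], []),
    }
    return {name: name_matches(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, ok in check_scenarios().items():
        print(f"{name:22s} {'OK' if ok else 'NAME MISMATCH'}")
```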
Certificates
Wildcard Certificates: Why use with ISE?
Use of all portals & friendly URLs without certificate match errors.
Most importantly: the ability to host the exact same certificate on all ISE PSNs for EAP authentications.
Why, you ask?

Certificates
Clients Misbehave!
Example education customer:
ONLY 6,000 endpoints (all BYOD style)
10M auths / 9M failures in 24 hours!
42 different failure scenarios, all related to clients dropping TLS (both PEAP & EAP-TLS).

Supplicant list:
Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N

5411 No response received during 120 seconds on last EAP message sent to the client
This error has been seen at a number of escalation customers.
Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.

Certificates

Recreating the Issue

Certificates
Clients Misbehave: Apple Example
Multiple PSNs: ISE-1 (ise-psn-1.domain.com) and ISE-2 (ise-psn-2.domain.com), each cert signed by a trusted root (Cert Authority).
Apple requires Accept on all certs! Results in 5411 / 30sec retry.
1. Authentication goes to ISE-1 (via the NAD / SSID)
2. ISE-1 sends certificate
3. Client trusts ISE-1 (stored in the Apple iOS & MacOS WiFi profile)
4. Client roams
5. Authentication goes to ISE-2
6. Client prompts for Accept

Certificates
Solution: Common Cert, Wildcard in SAN
Wildcard allows anything ending with the domain name.
The same EXACT private/public key may be installed on all PSNs.

Certificates
Solution: Common Cert, Wildcard in SAN
CN = ise-psn.domain.com; SAN contains ise-psn.domain.com and *.domain.com, or all PSN FQDNs (ise-psn-1.domain.com on ISE-1, ise-psn-2.domain.com on ISE-2).
Wildcard SAN support: comodo.com CA, SSL.com CA, Digicert.com CA, Symantec/Verisign CA, Microsoft 2008 CA.
Failed with GoDaddy CA: they do not support * in SAN, only * in CN.
1. Authentication goes to PSN-1 (via the NAD / SSID)
2. PSN-1 sends certificate
3. Client trusts PSN-1 (stored in the Apple iOS & MacOS WiFi profile)
4. Client roams
5. Authentication goes to PSN-2
6. Client already trusts cert

Certificates
SSL Certificates for Internal Server Names
After November 1, 2015, certificates for internal names will no longer be trusted.
In November 2011, the CA/Browser Forum (CA/B) adopted Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates that took effect on July 1, 2012. These requirements state:
CAs should notify applicants prior to issuance that use of certificates with a Subject Alternative Name (SAN) extension or a Subject Common Name field containing a reserved IP address or internal server name has been deprecated by the CA/B.
CAs should not issue a certificate with an expiration date later than November 1, 2015 with a SAN or Subject Common Name field containing a reserved IP address or internal server name.
Source: Digicert https://www.digicert.com/internal-names.htm

Certificates
Use Publicly-Signed Certs for Guest Portals!
In 1.3, the HTTPS cert for Admin can be different from the web portals.
Guest portals can use a different, public certificate: a Public Portal Certificate Group whose certs are signed by a 3rd-party CA.
Admin and internal employee portals (or EAP) can still use certs signed by a private CA.
Redirection is based on the first service-enabled interface: if eth0, return the host FQDN; else return the interface IP.

Certificates
CWA Example
DNS and Port Settings: single interface enabled for Guest Portal.
CWA Guest Portal access for ISE-PSN1 configured for eth1.
IP address for eth1 on ISE-PSN1 is 10.1.91.5.

ISE Node   IP Address   Interface
ISE-PSN1   10.1.99.5    eth0
ISE-PSN1   10.1.91.5    eth1
ISE-PSN1   10.1.92.5    eth2
ISE-PSN1   10.1.93.5    eth3

I have a feeling this is going to end badly!
Resulting URL redirect = ??? https://10.1.91.5:8443/...

Certificates
CWA Example with FQDNs in SAN
URL redirection uses the first guest-enabled interface (eth1).
ISE-PSN1 interfaces: eth0 10.1.99.5 (Admin/RADIUS, PSN), eth1 10.1.91.5 (Guest), eth2 10.1.92.5 (MyDevices), eth3 10.1.93.5 (Sponsor).
ISE certificate: Subject = ise-psn1.company.com; SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com
1. RADIUS authentication requests sent to ise-psn1 @ 10.1.99.5.
2. RADIUS authorization received from ise-psn1 @ 10.1.99.5 with URL redirect to https://10.1.91.5:8443/...
3. User sends web request directly to ise-psn1 @ 10.1.99.5; HTTPS response from 10.1.91.5.
4. User receives cert name mismatch warning.
Name Mismatch! Requested URL = 10.1.91.5; Certificate SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com

Certificates
Interface Aliases Available in ISE 1.2
Specify an alternate hostname/FQDN for URL redirection.
Aliases are assigned to interfaces using the ip host global config command in ADE-OS:
(config)# ip host <interface_ip_address> <hostname|FQDN> <hostname|FQDN>
Up to two values can be specified: hostname and/or FQDN. If you specify a hostname, the globally configured ip domain-name is appended for use in URL redirection. The FQDN can have a different domain than the global domain!
GigabitEthernet1 (GE1) example:
ise-psn1/admin(config)# ip host 10.1.91.5 ise-psn1-guest ise-psn1-guest.company.com
The host entry for Gigabit Ethernet 0 (eth0) cannot be modified.
Use show run to view entries; use no ip host <ip_address> to remove an entry.
A change in interface IP address or alias requires an application server restart.

Certificates
Interface Alias Example
DNS and Port Settings: single interface (eth1) enabled for Guest Portal.
ip host 10.1.91.5 ise-psn1-guest.company.com
URL redirect = https://ise-psn1-guest.company.com:8443/...
Guest DNS resolves the FQDN to the correct IP address.

DNS SERVER, DOMAIN = COMPANY.LOCAL
ISE-PSN1 IN A 10.1.99.5 # eth0
ISE-PSN2 IN A 10.1.99.6 # eth0
ISE-PSN3 IN A 10.1.99.7 # eth0

DNS SERVER, DOMAIN = COMPANY.COM
ISE-PSN1-GUEST IN A 10.1.91.5 # eth1
ISE-PSN1-MDP IN A 10.1.92.5 # eth2
ISE-PSN1-SPONSOR IN A 10.1.93.5 # eth3
ISE-PSN2-GUEST IN A 10.1.91.6 # eth1
ISE-PSN2-MDP IN A 10.1.92.6 # eth2
ISE-PSN2-SPONSOR IN A 10.1.93.6 # eth3
ISE-PSN3-GUEST IN A 10.1.91.7 # eth1
ISE-PSN3-MDP IN A 10.1.92.7 # eth2
ISE-PSN3-SPONSOR IN A 10.1.93.7 # eth3

Certificates
CWA Example using Interface Alias
URL redirection uses the first guest-enabled interface (eth1).
ISE-PSN1 interfaces: eth0 10.1.99.5 (Admin/RADIUS, PSN); eth1 10.1.91.5, eth2 10.1.92.5 and eth3 10.1.93.5 (all web portals).
ISE certificate: Subject = ise-psn1.company.com; SAN = ise-psn1-guest.company.com
1. RADIUS authentication requests sent to ise-psn1 @ 10.1.99.5.
2. RADIUS authorization received from ise-psn1 @ 10.1.99.5 with URL redirect to https://ise-psn1-guest:8443/...
3. DNS resolves alias FQDN ise-psn1-guest to 10.1.91.5 and sends web request to ise-psn1-guest @ 10.1.99.5; HTTPS response from 10.1.91.5.
4. No cert warning received since the SAN contains the interface alias FQDN.
RADIUS authorization: URL redirect = https://ise-psn1-guest.company.com:8443/...
Certificate OK! Requested URL = ise-psn1-guest.company.com; Certificate SAN = ise-psn1-guest.company.com
Could also use a wildcard SAN or UCC cert.

Internal CA Details
Certificate Authority

Internal Certificate Authority


Why use ISE as a Certificate Authority?
Microsoft Public Key Infrastructure via a 2003/2008 Enterprise Server can add
significant complexity and expense to an ISE deployment.
Benefits of internal CA:
Internal CA simplifies ISE deployment
ISE can deliver certificates directly to endpoints
No need to rely on integrating ISE to PKI for BYOD Cert provisioning
Internal CA can still work with existing PKI Infrastructure
Closed Loop BYOD Solution
Focused on BYOD and MDM use-cases only, not a general purpose CA

Certificate Authority
Configuring the Native Certificate Authority
Yes, that's really it! So easy.
Enabled by default.

Certificate Authority
NSP Flow: Internal CA
Participants: Employee endpoint on SSID = CORP, PSN (acting as RA), Internal CA.
1. ISE sends profile to endpoint: Wi-Fi profile with EAP-TLS configured; SCEP password = SessionID + Random.
2. CSR is generated on iOS; password = SessionID + Random Key (from ISE).
3. CSR sent to ISE PSN (RA) via SCEP; PSN validates the password challenge (session + random key).
4. CA selection: CPP Certificate Template = Internal, so the CSR is sent to the Internal CA.
5. User certificate issued: CN = AD UserName, SAN = values from template. Certificate sent to ISE.
6. ISE sends certificate to endpoint: signing certificate + user certificate, Wi-Fi profile with EAP-TLS configured.
7. CoA: ReAuth. EAP-TLS with user cert: RADIUS Access-Request, RADIUS Access-Accept.

Certificate Authority
NSP Flow: External CA
Participants: Employee endpoint on SSID = CORP, PSN (acting as RA), External CA.
1. ISE sends profile to endpoint: Wi-Fi profile with EAP-TLS configured; SCEP password = SessionID + Random.
2. CSR is generated on iOS; password = SessionID + Random Key (from ISE).
3. CSR sent to ISE PSN (RA) via SCEP; PSN validates the password challenge (session + random key).
4. CA selection: CPP Certificate Template = External, so the PSN acts as SCEP proxy to the external cert authority.
5. User certificate issued: CN = AD UserName, SAN = values from template. Certificate sent to ISE.
6. ISE sends certificate to endpoint: signing certificate + user certificate, Wi-Fi profile with EAP-TLS configured.
7. CoA: ReAuth. EAP-TLS with user cert: RADIUS Access-Request, RADIUS Access-Accept.

Certificate Authority
ISE CA: Multiple Personalities/Identities
Root CA, Subordinate CA, OCSP Server, Registration Authority

Certificate Authority
ISE Certificate Authority Architecture
Root CA: the ISE CA Root CA on the Primary PAN is used to sign the certificates for the Subordinate CAs.
Subordinate CA: each PSN runs a Subordinate CA and SCEP RA; the Subordinate CA signs the actual endpoint certs.
The Secondary (Standby) PAN is another Root CA! Ensure you export from the Primary PAN and import on the Secondary.

Certificate Authority
Node Registration Process Overview
Each PSN will get three certificates for CA functions:
Subordinate CA: to sign endpoint certificates
OCSP: to identify the node with the OCSP service
Registration Authority (RA): to identify the sub-CA when requesting certificates for endpoints
All PSNs are instructed by the PAN to generate the CSRs; the PAN (Root CA) signs all three certs per node.
The Secondary PAN does not generate CSRs to the Root CA. MnT does not generate any CSRs to the Root CA.
Flow between PSN and PAN:
1. PSN is joined to the ISE deployment
2. PAN tells PSN to generate 3x CSRs (OCSP, Sub_CA_Endpoint, RA)
3. CSRs are generated on the PSN: OCSP, Sub_CA_Endpoint, Registration Authority
4. 3x CSRs sent to the Root CA
5. 3x certificates returned: OCSP > Root; Sub_CA_EP > Root; RA > Root

Certificate Authority
Issue & Revoke Endpoint Certificates
Lists all the endpoint certificates issued by the Internal CA.
Status: Active, Revoked, Expired
Quick overview of certificate details, including the template used
Automatically revoked when an endpoint is marked as Stolen
Certificates may be manually revoked

Certificate Authority
View Endpoint Certificate contents
Revoke certificates
(Screenshot slides.)

Certificate Authority
Re-generate the Root CA
The entire certificate chain can be re-generated if needed.
Old CA certificates remain in the Trust store to ensure authentication of previously provisioned endpoints continues to work.

Certificate Authority
ISE as an Intermediate CA
ISE's internal CA can work seamlessly with an existing CA in your deployment.
Just make it an intermediate CA (subordinate CA) to your existing CA.
Create a CSR for the ISE node and get a certificate issued by the existing CA.

Certificate Authority
ISE as an Intermediate CA
Ensure that you get a certificate from your existing CA with key certificate signing capabilities (Sub_CA template).
Ensure the existing Root CA has a tree size >= 3 (ISE is 2 tiers).

Certificate Authority
Certificate Revocation

Online Certificate Status Protocol (OCSP):
Preferred method
Provides near real-time updates
Allows near real-time request
Think: a policeman checking from the laptop in his squad car, with a live query into the DMV database.

Certificate Revocation List (CRL):
A signed document published on a website
Periodically downloaded and stored locally
The server examines the CRL to see if the client's cert was revoked already.
Think: a policeman having a list of suspended drivers in his squad car.
Note: ISE does not use the CRL field in the cert, only the local configuration.

Certificate Authority
Default Internal OCSP Configuration
OCSP Check
CA Server status
(Screenshot slides.)

Certificate Authority
Export CA Certs
Exporting the CA certs to a repository. The export is an encrypted GPG bundle holding four key pairs: Root CA, Sub CA, RA and OCSP.
Ise-pan1/admin# application configure ise
Selection ISE configuration option
<SNIP>
[7]Export Internal CA Store
[8]Import Internal CA Store
</SNIP>
[12]Exit
7
Export Repository Name: NAS
Enter encryption-key for export: ##########
Export on progress...............
The following 4 CA key pairs were exported to repository 'NAS' at
'ise_ca_key_pairs_of_atw-lab-ise':
Subject:CN=Certificate Services Root CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef

Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0

Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17

Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x10d18efb-92614084-895097f2-9885313b

ISE CA keys export completed successfully

Certificate Authority
Import of CA Certs
Always perform the certificate import to the secondary PAN. This ensures that the same PKI tree is always used.
ise-pan1/admin# application configure ise
Selection ISE configuration option
<SNIP>
[7]Export Internal CA Store
[8]Import Internal CA Store
</SNIP>
[12]Exit
8
Import Repository Name: NAS
Enter CA keys file name to import: ise_ca_key_pairs_of_atw-lab-ise
Enter encryption-key: ########
Import on progress...............
The following 4 CA key pairs were imported:
Subject:CN=Certificate Services Root CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef

Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0

Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17

Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x10d18efb-92614084-895097f2-9885313b

Stopping ISE Certificate Authority Service...
Starting ISE Certificate Authority Service...
ISE CA keys import completed successfully

Certificate Authority

Native Supplicant Profile

(Screenshot: the BYOD-NSP native supplicant profile references the certificate template TLS-template.)
Certificate Authority

Certificate Template(s)

Screenshot of the TLS-template certificate template. Per template you:
Define Internal or External CA
Set the key sizes
Choose the SAN field options: MAC Address (no free-form additions)
Set the length of validity
Certificate Authority

Other Factoids (For Your Reference)

No temporary revocations (a revoked certificate cannot be un-revoked); use the Blacklist instead.
ISE does not publish a CRL; OCSP only.
ISE does not currently use the CRL distribution points listed in endpoint certs; ISE uses the manually configured CRL distribution point.
Cannot selectively enable/disable the CA service on PSNs. All or nothing.
When a cert is issued from a PSN, it is subordinate to the PAN.
Certificate Authority

ISE CA: Dual Root Phenomenon

Different Chain of Trust: the S-PAN was promoted and temporarily became the root, and a 4th PSN was added to the deployment while the S-PAN was the root. That PSN's Subordinate CA and SCEP RA now chain to a different root than the three PSNs that chain to the P-PAN: a different chain of trust.

(Diagram: PAN with three PSNs, each with Subordinate CA and SCEP RA, plus the promoted S-PAN with a fourth PSN.)
Certificate Authority

ISE CA: Dual Root Phenomenon

Single Chain of Trust: export the Root CA from the P-PAN and import it into the S-PAN. The S-PAN then has the same chain of trust, and a 4th PSN added while the S-PAN is temporarily the root still chains to the same root as the other PSNs (Subordinate CA / SCEP RA on each PSN).

atw-lab-ise/admin# application configure ise

Selection ISE configuration option
<Snip>
[7]Export Internal CA Store
[8]Import Internal CA Store
</Snip>
[12]Exit
Certificate Authority

Do Not Delete ISE CA Certs

Deleting a CA certificate revokes it from the CA. All endpoint certificates issued under it become invalid and are rejected. This cannot be undone.
Agenda
Introduction
Certificates, Certificates, Certificates
BYOD Best Practices
Integrating with Cisco and Non-Cisco
ISE in a Security EcoSystem
Serviceability & Troubleshooting
Staged Deployments (Time Permitting)
Conclusion

BYOD in Practice
BYOD

Walk Through BYOD Onboarding (For Your Reference)

Out of the box flow walks users through onboarding.
Fully customizable user experience with Themes.
My Devices gives end users control to add and manage their devices.
Mobile and desktop ready out of the box.
BYOD

Java-Less Provisioning

(Screenshots: the supplicant provisioning wizard downloads as a DMG; double-click to run the app.)
BYOD
Native Supplicant Provisioning (iOS use-case) (For Your Reference)

Participants: Employee (iOS device), PSN (ISE / SCEP Proxy), RegisteredDevices, CA / SCEP Server.

Device Registration
1. Device joins SSID = BYOD-Open (CWA); the session is in the CENTRAL_WEB_AUTH state.
2. HTTPS to the NSP Portal.
3. ISE sends its CA certificate to the endpoint so the device trusts it for OTA.
4. User clicks Register.
5. ISE sends the Profile Service to iOS (Encrypted Profile Service: https://ISE:8905/auth/OTAMobileConfig?sessionID).

Device Enrollment
6. The CSR is generated on iOS and sent to ISE.
7. ISE proxies SCEP to the MS Cert Authority; the Device Certificate is issued with
   CN = 74ba333ef6548dfc82054d0c7fec36e6ddddcbf1#employee1
   SAN = 00-0a-95-7f-de-06
8. Certificate sent to ISE; ISE sends the Device Certificate to iOS.

Device Provisioning
9. A second CSR is sent to ISE; SCEP to the MS Cert Authority; the User Certificate is issued with
   CN = Employee
   SAN = 00-0a-95-7f-de-06
10. ISE sends the User Certificate to iOS; Signing Cert + User Cert: the Wi-Fi Profile is installed with EAP-TLS configured.
11. Device connects to SSID = CTS-CORP using EAP-TLS; Access-Accept; session in the RUN state.
BYOD
NSP (Android use-case) (For Your Reference)

Participants: Employee (Android device), Wireless Controller, PSN (ISE / SCEP Proxy), RegisteredDevices, CA / SCEP Server, Google Play.

Device Registration
1. Device joins SSID = BYOD-Open; CWA Redirect with Redirect ACL = CWA; session in the CENTRAL_WEB_AUTH state.
2. User opens browser; redirect to ISE for CWA; CWA login.
3. CWA login successful; redirect to the NSP Portal; user clicks Register.
4. CoA to WLC; new Access-Request; NSP Redirect with Redirect ACL = ALLOW_GOOGLE; session in the SUPPLICANT_PROVISIONING state.

Download SPW
5. Browser is redirected to http://play.google.com (Session:DeviceOS=Android).
6. User downloads the Supplicant Provisioning Wizard (SPW) app from the Google Play store, installs it and launches it.

Device Provisioning
7. The app sends a request to http://DFG/auth/discovery (redirect discovery to ISE).
8. ISE sends the Device BYOD_Profile to the Android device.
9. CSR sent to ISE; SCEP to the MS Cert Authority; User Cert issued with CN = Employee, SAN = 00-0a-95-7f-de-06; certificate sent to ISE; ISE sends the User Certificate to the Android device.
10. Device connects to SSID = CTS-CORP using EAP-TLS; Access-Accept; session in the RUN state.

Sample WLC ACL: ALLOW_GOOGLE
permit udp any any dns
permit tcp any <ISE_PSN>
deny ip any <internal_network>
permit tcp any 74.125.0.0 255.255.0.0
permit tcp any 173.194.0.0 255.255.0.0
permit tcp any 206.111.0.0 255.255.0.0
deny ip any any
BYOD

Refresher: Native Supplicant Provisioning Flow

Single-SSID Flow (diagram):
AuthZ Policy -> AuthZ Result: Redirect to NSP Portal
Client Provisioning Policies for OS Type -> NSA app or iOS OTA process (next slide)

Refresher: Native Supplicant Provisioning Flow (continued)

NSA app or Apple OTA -> Certificate Template + Native Supplicant Profile -> SCEP certificate provisioning and Native Supplicant Profile pushed to the device
BYOD
New: Windows & iOS Settings in NSP

(Screenshot: the TLS-Profile native supplicant profile with the new Windows and iOS settings, referencing certificate template TLS-template.)
BYOD

Renewing Certificates (ISE 1.2.1)

Before expiry: renewal works on iOS, Android, Windows and Mac OSX.
After expiry: renewal works on iOS, Android and Mac OSX. On Windows the supplicant will not use an expired cert, so renewal after expiry does not work there (see the next two slides).
BYOD

Allowing Expired Certificates

Option to allow expired certs for:
Pure EAP-TLS
EAP-TLS as an inner method

BYOD

Redirect Expired Certs

(Screenshot: authorization policy that redirects endpoints presenting an expired certificate.)
BYOD

BYOD Security Practices from the Field

If you can, create an Identity Group for your corporate-owned devices.
May be populated by .CSV import or REST API.
Uses the Endpoint ID Group for what it was designed to do: MAC address management.

Provision different certificates for corporate-owned assets.
Available in 1.3+, or if you use MDM to distribute the certificates.

Don't trust ONLY the certificate.
A certificate technically authenticates only the device, not the user.
The Opposite of BYOD: How to differentiate corporate provisioned devices?

Corporate versus Personal Assets: provide differentiated access for IT-managed systems.

Decision flow from the slide (Start Here):
Registered Employee? If not, Guest? If neither: Access-Reject.
Registered Employee and endpoint matches BYOD-Device: Internet Only.
Registered Employee and endpoint matches Workstation_Corp: Access-Accept (Endpoint = Corp device, User = Employee).
BYOD

Identifying Corporate Assets using Profiler (For Your Reference)

Using profiling attributes based on RADIUS, DNS and DHCP. Multiple probes or probe attributes can produce the required attribute values:

Probe    Attribute
DHCP     Hostname (12) = jsmith-win7
RADIUS   AD Domain = mycompany.com (EAP-ID = Uname/PW)
DHCP     Client FQDN (81) = jsmith.win7.mycompany.com
DNS      FQDN = jsmith.win7.mycompany.com

Switch configuration feeding the RADIUS and DHCP probes:
radius-server host @IP_ISE key xxxx
ip device tracking
interface Vlan20
 ip helper-address @IP DHCP server
 ip helper-address @IP_ISE
BYOD

Identifying Corporate Assets using Profiler (For Your Reference)

Custom profile Workstation_Corp:
Duplicate the Workstation profile.
Add a rule that matches any (OR) of these conditions against mycompany.com:
DNS FQDN
DHCP client-fqdn
DHCP domain-name
Increase CF by 20.
Minimum CF = 30.
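To make the certainty-factor arithmetic of the Workstation_Corp profile concrete, here is an added Python model written for this page (it is not ISE's profiler code). It uses constructed probe data modelled on the jsmith-win7 example, assumes a simplified Workstation parent rule keyed on the Windows DHCP vendor class, and the attribute key names are assumptions.

```python
# Toy model of the Workstation_Corp profiler rule (added example, not ISE code).
# Attribute key names and the Workstation base rule are assumptions for the demo.

CORP_DOMAIN = "mycompany.com"

# The three attributes the profile ORs together, as named on the slide.
DOMAIN_ATTRIBUTES = ("dns-fqdn", "dhcp-client-fqdn", "dhcp-domain-name")


def in_corp_domain(value, domain=CORP_DOMAIN):
    """True only if value is the domain or a label-aligned subdomain of it.

    A plain endswith() test would accept "mycompany.com.evil.org" or
    "notmycompany.com", so the comparison is done on whole DNS labels.
    """
    labels = value.lower().rstrip(".").split(".")
    want = domain.lower().split(".")
    return len(labels) >= len(want) and labels[-len(want):] == want


def corp_domain_rule(attrs):
    """OR of DNS FQDN, DHCP client-fqdn and DHCP domain-name against mycompany.com."""
    return any(in_corp_domain(attrs[k]) for k in DOMAIN_ATTRIBUTES if attrs.get(k))


def windows_rule(attrs):
    """Stand-in for the parent Workstation profile's rule (assumed: Windows DHCP vendor class)."""
    return attrs.get("dhcp-class-identifier", "").startswith("MSFT")


# (name, minimum CF, [(rule, CF increment), ...]); Workstation_Corp duplicates
# Workstation and adds the +20 domain rule with a minimum CF of 30, per the slide.
PROFILES = [
    ("Workstation_Corp", 30, [(windows_rule, 10), (corp_domain_rule, 20)]),
    ("Workstation", 10, [(windows_rule, 10)]),
]


def certainty(rules, attrs):
    """Certainty factor: sum of the increments of every rule that matches."""
    return sum(cf for rule, cf in rules if rule(attrs))


def classify(attrs):
    """Return the profile with the highest CF whose minimum is met, else 'Unknown'."""
    best_name, best_cf = "Unknown", -1
    for name, min_cf, rules in PROFILES:
        cf = certainty(rules, attrs)
        if cf >= min_cf and cf > best_cf:
            best_name, best_cf = name, cf
    return best_name


if __name__ == "__main__":
    # Constructed probe data, modelled on the jsmith-win7 example above.
    corp_laptop = {"dhcp-class-identifier": "MSFT 5.0",
                   "dhcp-hostname": "jsmith-win7",
                   "dns-fqdn": "jsmith.win7.mycompany.com"}
    home_laptop = {"dhcp-class-identifier": "MSFT 5.0",
                   "dhcp-domain-name": "home.lan"}
    lookalike = {"dhcp-class-identifier": "MSFT 5.0",
                 "dhcp-domain-name": "mycompany.com.evil.org"}
    for ep in (corp_laptop, home_laptop, lookalike):
        print(classify(ep))
```

DHCP hostname, client FQDN and domain name are supplied by the endpoint itself, which is why the slide treats the match as a +20 increment rather than proof of ownership; the label-aligned comparison in `in_corp_domain` is the minimum needed so a look-alike domain does not collect the bonus.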
BYOD

Identifying the Machine AND the User (For Your Reference)

Real customer example: custom DHCP attribute and use of Profiler. The class ID set below is sent by the client in its DHCP requests and can be matched by a profiler rule.

C:\>ipconfig /setclassid "Local Area Connection" CorpXYZ
Windows IP Configuration
DHCP ClassId successfully modified for adapter "Local Area Connection"

http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
BYOD

Identifying Corporate Assets using Posture (For Your Reference)

Check for the domain attribute: ISE Posture checks the Windows registry for the domain value, e.g. mycompany.com.

BYOD

Identifying Corporate Assets using Posture (For Your Reference)

Check for unique corp attributes: ISE Posture checks the registry for pre-populated or unique entries.
Example: check for key Terces with value YNAPMOC under HKLM\SOFTWARE\Microsoft\Bmurc\Daerb\

Optional checks:
Files unique to the corporate image
Applications/services specific to the organization's SOE (Standard Operating Environment)

Such markers raise confidence but are not secrets: a user with local admin rights can replicate registry keys or files on a personal machine, so combine them with other signals.
BYOD
Client Identity Certificates (For Your Reference)

Non-exportable certificate (private key)
The assumption is that the certificate is locked to the trusted device.
Determined/knowledgeable users can often find ways to export it.

Server side: Windows CA Server > MMC > Certificate Templates: the template does not allow the private key to be exported.
Client side: Windows Client > User Certificate Store: if the user attempts to export the certificate, they are not given the option to export the private key (required for import into another client).
BYOD

Identifying the Machine AND the USER


Machine Access Restrictions (MAR)
MAR provides a mechanism for the RADIUS server to search the previous
authentications and look for a machine-authentication with the same Calling-
Station-ID.
This means the machine must authenticate before the user.
i.e. Must log out, not use hibernate, etc.
See the reference slides for more possible limitations.

BRKSEC-3697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
BYOD

Machine Access Restrictions (MAR)

Rule Name     Conditions                                       Permissions
IP Phones     if Cisco-IP-Phone                                then Cisco_IP_Phone
MachineAuth   if Domain Computers                              then MachineAuth
Employee      if Employee & WasMachineAuthenticated = true     then Employee
GUEST         if GUEST                                         then GUEST
Default       if no matches                                    then WEBAUTH

Step 1: machine authentication (NAD switchport to PSN)
RADIUS Access-Request [EAP-ID=CorpXP-1]
Matched Rule = MachineAuth
RADIUS Access-Accept [cisco-av-pair] = dACL=Permit-All
MAR Cache: Calling-Station-ID 00:11:22:33:44:55 Passed

BYOD

Machine Access Restrictions (MAR)

Step 2: user authentication from the same endpoint
EAPoL Start
RADIUS Access-Request [EAP-ID = Employee1]
MAR Cache lookup: Calling-Station-ID 00:11:22:33:44:55 Passed
Matched Rule = Employee
RADIUS Access-Accept [cisco-av-pair] = dACL=Permit-All
BYOD

Machine Access Restrictions (MAR)


Potential Issues with MAR
Wired/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine
and user authentication; MAC address will change when laptop moves from wired to
wireless breaking the MAR linkage.
Machine state caching: The state cache of previous machine authentications is
neither persistent across PSN reboots nor replicated amongst PSN nodes
Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode
and then moves to a different location, or comes back into the office the following
day, where machine auth cache is not present in new RADIUS server or has timed
out.
Spoofing: Linkage between user authentication and machine authentication is tied to
MAC address only. It is possible for endpoint to pass user authentication only using
MAC address of previously machine-authenticated endpoint.

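The four limitations listed above all come from the same design: the only link between the machine authentication and the user authentication is a per-PSN cache keyed on Calling-Station-ID. The Python simulation below is an added example written for this page (not ISE code) that reproduces the happy path and each failure mode; the cache layout, TTL and rule names are assumptions.

```python
# Simulation of Machine Access Restrictions (MAR) and its failure modes
# (added example, not ISE code). The cache layout, TTL and rule names are assumptions.

MAR_TTL = 8 * 3600  # assumed cache lifetime in seconds (ISE's is configurable)


class PSN:
    """One Policy Service Node with its own, non-replicated MAR cache."""

    def __init__(self, name):
        self.name = name
        self.mar_cache = {}  # Calling-Station-ID (MAC) -> expiry timestamp

    def authorize(self, calling_station_id, identity, now):
        """Return the matched rule for a successful authentication from this MAC.

        identity: 'host/NAME' marks a machine authentication (Domain Computers);
        anything else is a user authentication whose credentials already passed.
        """
        mac = calling_station_id.lower()
        if identity.lower().startswith("host/"):
            self.mar_cache[mac] = now + MAR_TTL      # record 'Passed' for this MAC
            return "MachineAuth"
        expiry = self.mar_cache.get(mac)
        if expiry is not None and now < expiry:
            return "Employee"                         # WasMachineAuthenticated = true
        return "WEBAUTH"                              # default rule: no linked machine auth


def happy_path():
    """Machine then user, same MAC, same PSN, within the TTL."""
    psn = PSN("psn1")
    r1 = psn.authorize("00:11:22:33:44:55", "host/CorpXP-1", now=0)
    r2 = psn.authorize("00:11:22:33:44:55", "Employee1", now=60)
    return [r1, r2]


def wired_to_wifi():
    """Machine auth on the wired NIC, user auth after roaming to the Wi-Fi NIC (new MAC)."""
    psn = PSN("psn1")
    psn.authorize("00:11:22:33:44:55", "host/CorpXP-1", now=0)
    return psn.authorize("00:11:22:33:44:66", "Employee1", now=60)


def psn_failover():
    """Machine auth served by psn1; the user auth lands on psn2 (cache not replicated)."""
    psn1, psn2 = PSN("psn1"), PSN("psn2")
    psn1.authorize("00:11:22:33:44:55", "host/CorpXP-1", now=0)
    return psn2.authorize("00:11:22:33:44:55", "Employee1", now=60)


def next_morning():
    """Laptop resumed from hibernate the next day: no fresh machine auth, cache expired."""
    psn = PSN("psn1")
    psn.authorize("00:11:22:33:44:55", "host/CorpXP-1", now=0)
    return psn.authorize("00:11:22:33:44:55", "Employee1", now=MAR_TTL + 1)


def mac_spoof():
    """Attacker clones a MAC that passed machine auth and supplies only valid user credentials."""
    psn = PSN("psn1")
    psn.authorize("00:11:22:33:44:55", "host/CorpXP-1", now=0)
    # The attacker's own device never did a machine auth, yet the linkage is MAC-only.
    return psn.authorize("00:11:22:33:44:55", "contractor7", now=120)


if __name__ == "__main__":
    print(happy_path(), wired_to_wifi(), psn_failover(), next_morning(), mac_spoof())
```

The last case is the spoofing point from the slide: MAR raises the bar but binds user to machine by MAC address only, so it is not a device-identity control. EAP-Chaining (next slides) carries both credentials inside one tunneled EAP exchange instead of correlating them afterwards.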
BYOD

Identifying the Machine AND the User


The Next Chapter of Authentication: EAP-Chaining
The IETF working group has published the standard on Tunneled EAP (TEAP), RFC 7170: http://www.rfc-editor.org/rfc/rfc7170.txt
Next-generation EAP method that provides all the benefits of current EAP types and also provides EAP-Chaining.
Cisco has done it before TEAP is ready: EAP-FASTv2 with AnyConnect 3.1 and Identity Services Engine 1.1.1 (1.1 Minor Release).
BYOD

EAP-Chaining with AnyConnect 3.1.1 and ISE 1.1.1

Rule Name     Conditions                                                                  Permissions
IP Phones     if Cisco-IP-Phone                                                           then Cisco_IP_Phone
MachineAuth   if Domain Computers                                                         then MachineAuth
Employee      if Employee & Network Access:EAPChainingResult = User and machine succeeded  then Employee
GUEST         if GUEST                                                                    then GUEST
Default       if no matches                                                               then WEBAUTH

1. Machine authenticates.
2. ISE issues a Machine AuthZ PAC.

Exchange (NAD switchport to PSN):
EAPoL Start
RADIUS Access-Request [EAP-Tunnel = FAST]
RADIUS Access-Challenge [EAP-TLV = Machine]  ->  EAP-Request:TLV
EAP-Response TLV = Machine [EAP-ID=Corp-Win7-1]  ->  RADIUS Access-Request [EAP-TLV= Machine]
RADIUS Access-Accept (Machine PAC)  ->  EAP Success

BYOD

EAP-Chaining with AnyConnect 3.1.1 and ISE 1.1.1 (continued)

3. User authenticates.
4. ISE receives the Machine PAC.
5. ISE issues a User AuthZ PAC.

Exchange:
EAPoL Start
RADIUS Access-Request [EAP-Tunnel = FAST] (Machine PAC presented)
RADIUS Access-Challenge [EAP-TLV = Machine]  ->  EAP-Request:TLV
EAP-Response TLV = User [EAP-ID=Employee1]  ->  RADIUS Access-Request [EAP-TLV= User]
RADIUS Access-Accept (User PAC)  ->  EAP Success; EAPChainingResult = User and machine succeeded
BYOD

EAP-Chaining FAQ (For Your Reference)

Q: I use MSChapV2 today, can I use that with EAP-Chaining?
A: TEAP & EAP-FAST are tunneled EAP methodologies; you may use whichever inner methods you would like, as long as both the supplicant and RADIUS server support the protocol(s), e.g. EAP-TLS, EAP-MSChapV2, EAP-GTC.
Q: What supplicants support EAP-Chaining today?
A: Today, only Cisco AnyConnect NAM has support, through EAP-FASTv2. Please talk to your OS vendors about supporting TEAP in their native supplicants!
Q: Can I chain certificates with username/passwords?
A: Yes! You may mix and match the machine and user credential types however you see fit, e.g. Machine Certificates + User Certificates, Machine Certificates + Username/Passwords, or Machine Passwords + Username/Passwords, etc.
BYOD

Identifying the Machine AND the User

What to do when EAP-Chaining is not available?
There are many needs to determine the Machine AND the User.
Windows is the only current OS that can run EAP-Chaining (with AnyConnect). What about iOS or Android based tablets?

Chain together 802.1X with Centralized Web Authentication (CWA):
Validate the device using the certificate issued to it for the user during onboarding.
Validate the actual user with username/password, smartcard or another method that authenticates the user.

BYOD

Mobile Device w/ Certificate: What Identifies the Actual User?

(Diagram: a mobile device with a certificate. The certificate proves which device is connecting, not who is holding it.)
802.1X and CWA Chaining

Rule Name      Conditions                                                          Permissions
IP Phones      if Cisco-IP-Phone                                                   then Cisco_IP_Phone
Employee_CWA   if AD:ExternalGroup=Employees AND CWA:CWA_ExternalGroup=Employees   then Employee & SGT
Employee_1X    if Employee & Network Access:EAPAuthentication = EAP-TLS            then CWAchain
Default        if no matches                                                       then WEBAUTH

1. EAP-TLS authentication.
2. ISE sends Access-Accept w/ URL-Redirect.

Exchange (NAD switchport to PSN):
EAP-ID Response [EAP-Protocol= TLS]  ->  RADIUS Access-Request
PSN: CN=employee1 || Cert is Valid; matched rule Employee_1X
Session Data: User Identity = employee1, User Group = employees
RADIUS Access-Accept [AVP:url-redirect, dacl]

802.1X and CWA Chaining (continued)

3. User enters username/password in the CWA portal (BobSmith / xxxxxxxxx).
4. ISE sends CoA-reauth.

RADIUS CoA [AVP:reauth]  ->  NAD sends EAP-ID Req to the supplicant
Session Data: User Identity = employee1, User Group = employees, CWA Identity = BobSmith, CWA Group = employees

802.1X and CWA Chaining (continued)

5. Supplicant responds with its certificate.
6. ISE sends Accept with dACL & SGT.

EAP-ID Response [EAP-Protocol= TLS]  ->  RADIUS Access-Request
PSN: CN=employee1 || Cert is Valid; matched rule Employee_CWA (both the AD group and the CWA group are Employees)
Session Data: User Identity = employee1, User Group = employees, CWA Identity = BobSmith, CWA Group = employees
RADIUS Access-Accept [AVP: dacl + SGT]
Access-Granted
BYOD

Following the Flow (Live Log screenshots)
1. Initial EAP-TLS auth: redirection to the CWA portal.
2. WebAuth from the user, followed by the CoA. The CWA username is not required to be different from the certificate identity.
3. Final auth with the full result: final authorization.
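The three passes above (EAP-TLS with redirect, portal login plus CoA, EAP-TLS re-evaluated with the CWA identity in the same session) are easy to get wrong in a rule table, so here is an added Python walk-through written for this page (not ISE code). It keeps the slide's rule names and the employee1 / BobSmith identities; the session store, the first-match evaluation and the directory data are constructed simplifications.

```python
# Two-stage authorization chaining EAP-TLS with Centralized Web Authentication
# (added example, not ISE code). The session store, first-match evaluation and the
# constructed directory data below are simplifications; rule names follow the slide.

# Constructed directory: group membership and portal passwords for the demo.
AD_GROUP = {"employee1": "Employees", "BobSmith": "Employees", "guest7": "Guests"}
AD_PASSWORD = {"BobSmith": "xxxxxxxxx", "guest7": "guestpw"}


def authorize(session):
    """First-match evaluation of the slide's rule table; returns the permission result."""
    if session.get("device_profile") == "Cisco-IP-Phone":
        return "Cisco_IP_Phone"
    ad_group = AD_GROUP.get(session.get("user_identity"))
    # Employee_CWA: both the certificate identity and the portal identity are Employees.
    if ad_group == "Employees" and session.get("cwa_group") == "Employees":
        return "Employee & SGT"
    # Employee_1X: valid EAP-TLS from an employee cert -> restricted access + URL-Redirect.
    if ad_group == "Employees" and session.get("eap_authentication") == "EAP-TLS":
        return "CWAchain"
    return "WEBAUTH"


def eap_tls(session, cert_cn, cert_valid):
    """802.1X leg: the supplicant presents its certificate (initial auth and CoA re-auth)."""
    if not cert_valid:
        return "Access-Reject"
    session["user_identity"] = cert_cn           # identity taken from the certificate CN
    session["eap_authentication"] = "EAP-TLS"
    return authorize(session)


def cwa_login(session, username, password):
    """Portal leg: on success, record the CWA identity and group in the same session."""
    if AD_PASSWORD.get(username) != password:
        return False
    session["cwa_identity"] = username
    session["cwa_group"] = AD_GROUP.get(username)
    return True


def chained_flow(cert_cn, cert_valid, username, password):
    """Run the whole exchange and return the authorization result of each pass."""
    session = {}
    first = eap_tls(session, cert_cn, cert_valid)         # 1-2: EAP-TLS, Accept + url-redirect
    if first != "CWAchain":
        return [first]
    if not cwa_login(session, username, password):        # 3: user enters credentials
        return [first, "CWA login failed"]
    # 4-6: CoA-reauth; the supplicant answers with the same cert and ISE re-evaluates.
    return [first, eap_tls(session, cert_cn, cert_valid)]


if __name__ == "__main__":
    print(chained_flow("employee1", True, "BobSmith", "xxxxxxxxx"))  # full access
    print(chained_flow("employee1", True, "guest7", "guestpw"))      # cert alone is not enough
```

The second run is the point of the design: a device certificate that has been copied to another device, or a corporate tablet picked up by someone who is not an employee, only ever reaches the CWAchain result. The redirect dACL for that result must therefore allow nothing beyond DNS and the portal.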
Non-Cisco NAD Integration
Deployment

ISE and Endpoint Lookup

ISE maintains separate User and Endpoint stores.
The User store may be queried at any time.
By default the Endpoint store may only be accessed if the incoming request was identified as MAB (Service-Type = Call-Check).
For MAB, ISE also ignores the username/password fields and uses the Calling-Station-ID (MAC address of the endpoint).

Why? Security! Before this, malicious users were able to put a MAC address into the username & password fields of WebAuth (or, on non-Cisco switches, even in the supplicant identity) and be authorized as that endpoint.
Deployment

Why Restrict MAB to Calling-Station-ID?

RADIUS Access-Request with uname: 11:22:33:44:55:66 | pwd 11:22:33:44:55:66
If the Internal IDs are a mix of Users & Endpoints and the lookup is keyed on the username, a user typing a known endpoint's MAC address as username and password is matched against the endpoint 11:22:33:44:55:66.
Note: it is possible to configure a supplicant to do the same thing!

Deployment

Cisco MAB (MAC Authentication Bypass)

With Cisco MAB the RADIUS Access-Request carries Service-Type = Call-Check (= MAB) and Calling-Station-ID = MAC; the lookup goes to the Endpoints store, never the Users store.
Deployment

3rd-Party Devices and MAB

Many 3rd parties use Service-Type = Login for 802.1X, MAB and Cisco WebAuth.
Some 3rd parties do not populate Calling-Station-ID with the MAC address.
With ISE 1.2, MAB can work with different Service-Type, Calling-Station-ID and password settings (Allowed Protocols, screenshot).
Recommendation: keep as many checkboxes enabled as possible for increased security.
Deployment

Set up a Policy Set for 3rd Party NADs

Create a separate Policy Set for 3rd-party devices to keep a clean policy table and separate unrelated policy results.
Use Network Device Groups to make the distinction.
Deployment

Example: Nortel & Alcatel Authentication Policy

Network Device Group = Nortel
For better security, lock PAP & CHAP into MAB lookups (Internal Endpoints).
All other authentications are sent to an Identity Sequence (Internal Users > Guest > AD).
Deployment

Example: Rest of 3rd Party Authentication Policy

Network Device Group = Third Party
For better security, lock PAP & CHAP into MAB lookups (Internal Endpoints).
All other authentications are sent to an Identity Sequence (Internal Users > Guest > AD).
Deny non-matches.
Deployment

Third Party Vendors VSA Attributes

You may import other RADIUS dictionaries into ISE:
Policy > Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors
Dictionaries in FreeRADIUS format will work.

Deployment

Authorization Profiles for Third Party

Go to Advanced Attribute Settings to use the 3rd-party dictionaries.
Deployment

3rd-Party MAB Configuration Examples (For Your Reference)

Alcatel Switch: uncheck both Calling-Station-ID & Password.
  To set VLAN:
  Tunnel-Medium-Type = IEEE-802
  Tunnel-Type = VLAN
  Tunnel-Private-Group-ID = 100
Avaya (Nortel) Switch: uncheck both Calling-Station-ID & Password.
Juniper EX Switch: leave Calling-Station-ID & Password checked.
HP (H3C) Switch: uncheck Calling-Station-ID, leave Password checked.
RuggedCom Switch: uncheck Calling-Station-ID, leave Password checked.
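The "Why Restrict MAB to Calling-Station-ID?" slides and the per-vendor checkbox table above describe the same gate from two sides. The Python model below is an added example written for this page (not ISE code) that shows how a host lookup is keyed, how each relaxed setting widens it, and why a MAC typed into the WebAuth username field is rejected under the Cisco defaults but accepted as the endpoint under the Alcatel/Avaya settings. The Service-Type values accepted per vendor profile and the exact checkbox semantics are assumptions; the stores and requests are constructed.

```python
# How a MAB (host lookup) is gated on RADIUS attributes, and what the per-vendor
# checkbox settings above change (added example, not ISE code). The Service-Type
# values accepted per vendor and the exact checkbox semantics are assumptions.

import re
from dataclasses import dataclass

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return the 12 hex digits of a MAC written in any common notation, or None."""
    cleaned = re.sub(r"[.:\-\s]", "", str(value or "")).lower()
    return cleaned if _MAC_RE.match(cleaned) else None


@dataclass(frozen=True)
class HostLookupSettings:
    service_types: frozenset          # Service-Type values treated as a host lookup
    check_calling_station_id: bool    # User-Name must equal Calling-Station-Id
    check_password: bool              # User-Password must also equal the MAC


# Cisco defaults: only Call-Check is MAB, and both checks stay on.
CISCO = HostLookupSettings(frozenset({"Call-Check"}), True, True)
# Third-party profiles as listed on the slide; Service-Type=Login is assumed for them.
JUNIPER_EX = HostLookupSettings(frozenset({"Login", "Call-Check"}), True, True)
HP_H3C = RUGGEDCOM = HostLookupSettings(frozenset({"Login", "Call-Check"}), False, True)
ALCATEL = AVAYA_NORTEL = HostLookupSettings(frozenset({"Login", "Call-Check"}), False, False)


def host_lookup_key(req, settings):
    """Return the MAC to look up in the Endpoint store, or None if this is not MAB."""
    if req.get("Service-Type") not in settings.service_types:
        return None
    user_mac = normalize_mac(req.get("User-Name"))
    csid_mac = normalize_mac(req.get("Calling-Station-Id"))
    if settings.check_calling_station_id:
        if csid_mac is None or user_mac != csid_mac:
            return None
        key = csid_mac
    else:
        key = user_mac                  # NAD did not populate Calling-Station-Id usefully
    if key is None:
        return None
    if settings.check_password and normalize_mac(req.get("User-Password")) != key:
        return None
    return key


def authenticate(req, settings, endpoints, users):
    """Route the request to the Endpoint store (MAB) or the User store, never both."""
    key = host_lookup_key(req, settings)
    if key is not None:
        return ("endpoint", key) if key in endpoints else ("reject", key)
    user = req.get("User-Name")
    if users.get(user) is not None and users[user] == req.get("User-Password"):
        return ("user", user)
    return ("reject", user)


# Constructed stores: one whitelisted printer MAC and one internal user.
ENDPOINTS = {"112233445566"}
USERS = {"jsmith": "s3cret"}

# Constructed requests.
CISCO_MAB = {"Service-Type": "Call-Check", "User-Name": "11-22-33-44-55-66",
             "User-Password": "11-22-33-44-55-66", "Calling-Station-Id": "11-22-33-44-55-66"}
# WebAuth from an attacker's laptop that typed the printer's MAC as username and password.
SPOOF_ATTEMPT = {"Service-Type": "Login", "User-Name": "11:22:33:44:55:66",
                 "User-Password": "11:22:33:44:55:66", "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"}

if __name__ == "__main__":
    print(authenticate(CISCO_MAB, CISCO, ENDPOINTS, USERS))          # ('endpoint', ...)
    print(authenticate(SPOOF_ATTEMPT, CISCO, ENDPOINTS, USERS))      # rejected: not MAB
    print(authenticate(SPOOF_ATTEMPT, ALCATEL, ENDPOINTS, USERS))    # accepted as the printer
```

Unchecking Calling-Station-ID is what reopens the MAC-in-username hole; the password check alone does not close it, because the attacker controls that field too (the HP/RuggedCom settings also accept the spoof). That is why the slide says to keep as many checkboxes enabled as the NAD allows, and why the relaxed settings belong in a policy set scoped to the 3rd-party Network Device Group so Cisco NADs keep the strict defaults.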
BYOD Onboarding for 3rd Party NADs
Deployment
Using a Cisco Catalyst Switch as Inline PEP

Caution: each switch will vary in the resource limits that impact scaling. In general, limit endpoint sessions per port to a few.

Topology: 3rd-party NAD (open SSID) -> Catalyst switch (port configured as access port + multi-auth) -> PSN.

1. Join the open SSID. The Catalyst port sees the MAC and sends RADIUS Access-Request [USER=1122.3344.5566] (MAB).
2. Browse: RADIUS Access-Accept [cisco-av-pair] = url-redirect; the HTTP request is redirected to the PSN.
3. WebAuth (CWA): submit credentials.
4. NSP: native supplicant provisioning process.
5. Join the corp SSID: 802.1X devices are authorized to a different VLAN / port (Dot1X).
Deployment
Using a Cisco Catalyst Switch as Inline PEP (For Your Reference)

Guest variant of the same flow:
1. Join the open SSID; RADIUS Access-Request [USER=1122.3344.5566] (MAB) from the Catalyst access port (multi-auth).
2. Browse: RADIUS Access-Accept [cisco-av-pair] = url-redirect; HTTP request redirected to the PSN.
3. WebAuth (CWA): submit credentials.
4. Guest access: RADIUS CoA - reauth; RADIUS Access-Request [USER=1122.3344.5566]; RADIUS Access-Accept [cisco-av-pair] = dACL=inetOnly; guest access granted.
Deployment
Details on 3rd Party On-Boarding Process (For Your Reference)

interface X
 description For 3rd Party OnBoarding
 switchport access vlan 41
 switchport mode access
 switchport voice vlan 99
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 2274
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 spanning-tree portfast
 ip dhcp snooping information option allow-untrusted
end

Slide callouts:
authentication open + host-mode multi-auth: to authenticate virtually unlimited endpoints behind the 3rd-party NAD.
authentication order mab dot1x: since 99.9999% of sessions are MAB, try MAB first.
Will clear the mac-address after 5 minutes.
Enables provisioning from the CWA flow.
Deployment

3rd Party Onboarding, WLC Configuration (For Your Reference)

(Screenshots: dedicated physical port on the WLC; open WLAN.)
Deployment

Inline Posture Node (For Your Reference)

A special ISE node deployed behind a RADIUS NAD for POSTURE ONLY.

VPN example: VPN User -> Internet -> 3rd-party VPN headend -> eth1 ISE Inline Posture Node eth0 -> L3 Switch -> Trusted Network, with a Policy Services Node doing 1) RADIUS auth for the VPN headend and 2) auth/posture for the Inline Posture Node.

Wireless example (entry point for third-party wireless): Wireless User -> AP -> Wireless Controller -> eth1 ISE Inline Posture Node eth0 -> L3 Switch -> wired network, with a Policy Services Node doing 1) 802.1X auth for the WLC and 2) auth/posture for the Inline Posture Node.

IPN provides key functions to support posture behind 3rd-party access devices:
RADIUS proxy
URL redirection for client provisioning, discovery and posture assessment
dACLs for traffic enforcement
CoA to apply a new access policy after a posture state change
ISE in a Security EcoSystem
Using ISE in a Security EcoSystem

(Diagram: endpoints, access, distribution, edge and data center across branch, campus, mobile provider, guest and Internet, with threats such as a bad USB. ISE shares context over pxGrid and EPS, with Lancope StealthWatch consuming NetFlow.)
SourceFire Nation Remediation Plugins

Modules are BETA: community supported, not TAC supported.
https://supportforums.cisco.com/community/12226126/sourcefire-api#quicktabs-community_activity=1

Add the Remediation Module to FireSIGHT (screenshot).

FireSIGHT to ISE Remediation Explained
The Remediation API supports programmatic responses to Correlation Rules in FireSIGHT Management Center.
The ISE Remediation Module is uploaded to the FireSIGHT Management Center.
The user defines rules on one or more triggering conditions, i.e. malware, IPS, connection, application events etc.
Multiple actions can be configured to initiate different responses from ISE; quarantining or disconnecting the user are among the possible actions (ISE Dynamic Network Control).
Module download here: ISE 1.2 Rem Module
Splunk ISE App
http://apps.splunk.com/app/1589

Lancope StealthWatch

Monitor Mode (open mode, multi-auth): unobstructed access, no impact on productivity, profiling and posture assessment, gain visibility.
ISE sends the authenticated session table to the StealthWatch Management Console via syslog; the console maintains a historical session table, correlates NetFlow to username and builds user-centric reports.
Serviceability: ISE 1.3

Serviceability user stories:
To make ISE easier to troubleshoot
To make ISE easier to deploy
To make ISE easier to use
Serviceability

Tree View (screenshots): AuthC Protocols and Identity Store shown as a tree.
Serviceability

Filters in Live Log & Live Sessions: at long last, regex in filters.

Serviceability

Right-click in Live Log & Live Sessions: adds Right-Click > Copy for the Endpoint ID & Identity fields in Live Log.
Serviceability

Debug Endpoint
Creates a debug file of all activity for all services related to that specific endpoint.
Executes and is stored per PSN.
Can be downloaded as separate files per PSN, or merged as a single file.

Serviceability

Off-Line Examination of Configuration
Exportable policy; quick link to the export page. Exports as XML.
Serviceability

VMWare OVA Templates!


Finally! We have supported OVA Templates
Ensures customers will not mis-configure their VMWare settings
Preset: Reservations, vCPUs, Storage
Based on following Specs:
ISE-1.3.x.x-Eval-100-endpoint.ova:
4 CPU cores
4 GB RAM
200 GB disk
4 NICs

ISE-1.3.x.x-Virtual-SNS-3415.ova: ISE-1.3.x.x-Virtual-SNS-3495.ova:
4 CPU cores 8 CPU cores
16 GB RAM 32 GB RAM
600 GB disk 600 GB disk
4 NICs 4 NICs

BRKSEC-3697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 151
Serviceability: Tabular View of Processes (For Your Reference)
Policy Tips & Tricks: Combining AND with OR in AuthZ Policies
Cannot mix?? (screenshot of the rule editor)
Advanced Editing: the Advanced Editor (screenshot)
Advanced Editing: Simple Conditions (screenshot)
Staged Deployments
Phased Deployments: Monitor Mode Policies

BE CAREFUL
Monitor Mode needs to keep Authorization Results simple:
Access-Accept / Reject
For phones, also needs: Voice Domain
Local authorizations still possible (be careful):

Good for Monitor Mode:
interface X
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 11
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication violation restrict

Dangerous for Monitor Mode:
interface X
 authentication event fail action authorize vlan 4096
 authentication event server dead action reinitialize vlan 11
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication violation restrict
Phased Deployments: Moving from Monitor to Low-Impact Mode

Monitor Mode

Switchport config (NAD):
interface GigabitEthernet1/0/1
 authentication open
 mab
 dot1x pae authenticator

Authorization policy (PSN):
Rule Name    Conditions                 Permissions
IP Phones    if Cisco-IP-Phone          then Cisco_IP_Phone
BYOD         if BYOD and Employee       then Employee
Non_AuthZ    if i-device or Android     then GUEST
Contractor   if Contractor              then Contractor
Employee     if Employee                then Employee
Default      If no matches              then Deny Access

Flow: endpoint with no supplicant -> NAD sends RADIUS Access-Request [AVP: 00.0a.95.7f.de.06] -> PSN: MAC address is unknown, continue to AuthZ table, matched rule = Default -> RADIUS Access-Reject.
Phased Deployments: Moving from Monitor to Low-Impact

Low-Impact

Switchport config (NAD):
interface GigabitEthernet1/0/1
 authentication open
 mab
 dot1x pae authenticator
 ip access-group ACL-DEFAULT in

Authorization policy (PSN):
Rule Name    Conditions                 Permissions
IP Phones    if Cisco-IP-Phone          then Cisco_IP_Phone
BYOD         if BYOD and Employee       then Employee
Non_AuthZ    if i-device or Android     then GUEST
Contractor   if Contractor              then Contractor
Employee     if Employee                then Employee
Default      If no matches              then WEBAUTH

Flow: endpoint with no supplicant -> NAD sends RADIUS Access-Request [AVP: 00.0a.95.7f.de.06] -> PSN: MAC address is unknown, continue to AuthZ table, matched rule = Default -> RADIUS Access-Accept [AVP: url-redirect, dacl].
Phased Deployments: Network Device Groups

Creation of many: how to organize them and why to use them.
A little up-front work can really help you get specific in your policies.
Organize by:
Device Type: Wired / Wireless / Firewall / VPN, OEAP / CVO
Place in Network: Access-Layer / Data Center
Geographic Location
Phased Deployments: Moving from Monitor to Low-Impact

Low-Impact: An Entire Switch at a Time
Create a Network Device Group for all switches that will use Low-Impact.
Phased Deployments: Moving from Monitor to Low-Impact (For Your Reference)

Low-Impact: An Entire Switch at a Time

Switchport config (NAD):
interface GigabitEthernet1/0/1
 authentication open
 mab
 dot1x pae authenticator
 ip access-group ACL-DEFAULT in

Authorization policy (PSN):
Rule Name    Conditions                                Permissions
IP Phones    if Cisco-IP-Phone                         then Cisco_IP_Phone
BYOD         if BYOD and Employee                      then Employee
Non_AuthZ    if i-device or Android                    then GUEST
Contractor   if Contractor                             then Contractor
Employee     if Employee                               then Employee
Conf_Rooms   if DEVICE:Stage EQUALS Stage#LowImpact    then WEBAUTH
Default      If no matches                             then Deny Access

Flow: endpoint with no supplicant -> NAD sends RADIUS Access-Request [AVP: 00.0a.95.7f.de.06] -> PSN: MAC address is unknown, continue to AuthZ table, matched rule = Conf_Rooms -> RADIUS Access-Accept [AVP: url-redirect, dacl].
All other switches will still be in Monitor Mode!
Phased Deployments: ISE 1.2: Policy Sets (ISE 1.2+, For Your Reference)

Separate set of policies for each mode of deployment: an Authentication Policy and an Authorization Policy per policy set.
Phased Deployments: Moving from Monitor to Low-Impact (For Your Reference)

Specifying NAD + Interfaces in AuthZ Policy
When you are willing to enable it a switch at a time, it's easy.
Most want to enable it a port at a time (conference rooms only, for example).
How can we identify which port(s) should be treated differently?
We can build a static list of switches and their ports.
Requires 1 AuthZ rule line per switch.
Phased Deployments: Moving from Monitor to Low-Impact

mab eap: Trick of the Trade
What is mab eap?
An option of the MAB configuration that uses EAP-MD5 to transmit the MAB data.
Behavior with ISE will be the same.
We can use this as a differentiator for ports that should be in Low-Impact.

C3750X(config-if)#mab ?
  eap  Use EAP authentication for MAC Auth Bypass
  <cr>
C3750X(config-if)#mab eap
C3750X(config-if)#description Conference Room B

Available with ISE 1.1+ (*6500 added support in SXJ4)
Phased Deployments: Moving from Monitor to Low-Impact

MAB EAP: Trick of the Trade
Policy > Policy Elements > Authentication > Results > Allowed Protocols:
Allow EAP-MD5; Detect EAP-MD5 as Host Lookup.
Note: Best practice is to never modify default objects.
Phased Deployments: Moving from Monitor to Low-Impact

MAB EAP: Trick of the Trade

Switchport config (NAD):
interface GigabitEthernet1/0/1
 authentication open
 mab eap
 dot1x pae authenticator
 ip access-group ACL-DEFAULT in

Authorization policy (PSN):
Rule Name    Conditions                                              Permissions
IP Phones    if Cisco-IP-Phone                                       then Cisco_IP_Phone
BYOD         if BYOD and Employee                                    then Employee
Non_AuthZ    if i-device or Android                                  then GUEST
Contractor   if Contractor                                           then Contractor
Employee     if Employee                                             then Employee
Conf_Rooms   if Network Access:EapAuthentication EQUALS EAP-MD5      then WEBAUTH
Default      If no matches                                           then Deny Access

Flow: endpoint with no supplicant -> NAD sends RADIUS Access-Request [AVP: 00.0a.95.7f.de.06] -> PSN: MAC address is unknown, continue to AuthZ table, matched rule = Conf_Rooms -> RADIUS Access-Accept [AVP: url-redirect, dacl].
All other switches will still be in Monitor Mode!

MAB EAP: Trick of the Trade (screenshot of the resulting policy)
Phased Deployments: Packet Capture (For Your Reference)

Comparing MAB to MAB EAP: packet captures of a MAB exchange and a MAB EAP exchange, side by side (screenshots).
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete Overall Event Survey + 5 Session Evaluations:
Directly from your mobile device on the Cisco Live Mobile App
By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm

Learn online with Cisco Live!
Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com
Recommended Reading
http://amzn.com/1587143259

Questions ?

Additional Reference Slides
Agenda
Introduction
Certificates, Certificates, Certificates
BYOD Best Practices
Integrating with Cisco and Non-Cisco
Multi-Join Active Directory
Serviceability & Troubleshooting
Staged Deployments (Time Permitting)
Conclusion

Multi-Join AD Connector
Multi-AD: ISE 1.3 Multi-AD Enhancement

Multiple Un-trusted AD Forests:
Ability to join up to 50 un-trusted Active Directory forests/domains. (Not required to be untrusted.)
Domain Diagnostic:
A new utility that can be run either prior to joining a domain or subsequent to this action to determine whether there are any environmental issues related to the domain.
Test Authentication:
Allows an authentication for a specific user to be directed to a specific node and returns the result together with authorization-related information such as groups and attributes.
Username Lookup:
Ability for an administrator to look up all group memberships and attributes of a user from AD, without requiring the user's password. Similar to the authorization-only test in the ASA.
SID Based Group Mapping:
Group-related policy functionality will be modified so that it is based on the SIDs (Security Identifiers) of the group and not simply the textual group name as was done previously. This has significant performance advantages.
Key Terminology
AD Instance: ISE joined to an AD domain (e.g., cisco.com). May join up to 50.
Scope: a group or subset of your AD instances. Useful as a shortcut in policies.
Authentication Domain List: a whitelist of domains within an AD instance. Used to limit which domain(s) to use.
Multi-AD: Terminology Illustrated

Diagram: the cisco.com AD instance (forest) containing the domains aspac.cisco.com, emea.cisco.com, emerging.cisco.com and na.cisco.com, with the ise1 node joined as ise1.aspac.cisco.com and as ise1.na.cisco.com.
- In ISE 1.2, we called this tree an AD connector.
- In ISE 1.3, each tree would be referred to as an AD Instance.
- ISE 1.3 supports up to 50 AD Instances.
- Here we have the ise1 node joined to the aspac.cisco.com domain within the cisco.com AD Instance.
- The same ISE node can connect to the same AD multiple times as long as the domain is different.
- Here we have the ise1 node also joined to the na.cisco.com domain.
Multi-AD: Terminology Continued

Diagram: five AD instances configured on the ISE: acs.com (with the domains amer.acs.com, brazil.south.amer.acs.com, oceania.acs.com, australia.oceania.acs.com and canberra.australia.oceania.acs.com), Company-B.com, Company-C.com, Company-D.com and Company-E.com. The "All AD Instances" scope covers all five; Scope A covers three of them.
1.3 AD Instance == 1.2 AD

Scope defines selected instances. Here we have 3 AD instances for Scope A out of 5 AD instances configured on the ISE.

Domain Whitelist defines domains within the AD instance to be used for authentication. Here we have 2 domains to be used for authentication out of 5 domains found within the acs.com AD instance.
Multi-AD: AD Authentication Flow

AuthC Policy -> Scope (Optional) -> AD Instance -> AD Domain List (Optional) -> Identity Rewrite (Optional) -> to Target AD
Multi-AD: Authentication Policy
An individual AD Instance can be selected.
Scopes can be selected. (All_AD_Instances is a synthetic scope created automatically to select all configured AD instances.)
Multi-AD: AD Authentication Flow - Scope

AuthC Policy -> Scope (Optional) -> AD Instance -> AD Domain List (Optional) -> Identity Rewrite (Optional) -> to Target AD

- Scopes allow a single policy to be written.
- Scopes also allow multiple AD instances to be selected without having to look up against all configured AD instances.
- A single AD instance can be part of multiple scopes at the same time.
Multi-AD: Scope Management (For Your Reference)

ISE installs in single-scope mode, where all AD instances are part of a single scope.
Adding a scope enables multi-scope mode and moves all of the AD instances into the automatically created Default_Scope.
You may always delete all other scopes and return to single-scope mode.
Multi-AD: Scope Fun Facts (For Your Reference)

Scopes can (and usually do) contain > 1 AD instance.
The lookup fans out from a scope, evaluating each instance until it has all the results, then decides if the result is OK (e.g., a unique username).
It may stop prematurely if it hits a stopper, i.e. > 1 users with the same name and password == ambiguous.
Scopes can be used in ID sequences.
You can put > 1 scope in an ID sequence, but it is not recommended: it is not as efficient as creating one scope with all the relevant AD instances and calling into AD once.
Multi-AD: AD Authentication Flow - AD Instance

AuthC Policy -> Scope (Optional) -> AD Instance -> AD Domain List (Optional) -> Identity Rewrite (Optional) -> to Target AD

AD Instance is the domain the ISE node is part of.
With ISE 1.3, ISE can be part of 50 domains.
Multi-AD: AD Instance Fun Facts

1.3 can be joined to 50 different un-trusted ADs, usually separate forests.
Fun fact: you can join the same forest more than once.
In some cases it is useful to bypass a permission issue, e.g. one caused by a 1-way trust: you can join either side of the trust, thereby seeing domains on both sides.
Have used this trick at a customer site to get around an issue.
Multi-AD: Configuring AD Instance (For Your Reference)

Admin account requirement

Permission for Join Operations
- Search Active Directory (to see if the ISE machine account already exists)
- Add workstation to domain (if it does not already exist)
- Set attributes on the new machine account (OS type and version optional)
Permission for Leave Operations
- Search Active Directory (to see if the ISE machine account already exists)
- Remove workstation from domain
Permission for the Resulting Machine Account
- Ability to change its own password
- Read the user/machine objects relevant to the customer's needs
- Query the Active Directory schema to learn about namespaces
Multi-AD: Configuring AD Instance (For Your Reference)

DNS Requirement
- DNS should be able to resolve AD nodes for both forward & reverse.
- Note: for Kerberos referrals to work properly, it is usually necessary to make sure the DNS server can resolve (both forward and backward) the machine names for ISE, i.e. DNS records should be created for these ISE-generated machine accounts.
- DNS should be able to resolve the A & SRV records of all AD servers consistently.
Multi-AD: Configuring AD Instance (For Your Reference)

An OU can be specified during the domain join process (screenshot).
Multi-AD: DC Selection Process (For Your Reference)

1. Acts like any other AD-joined PC, and follows that process much more closely than ever before.
2. Does leverage AD Sites & Services to leverage the best DC.
3. Sends CLDAP ping requests to domain controllers according to the priorities in the SRV record and processes only the first response, if any. Note: the CLDAP response contains the DC site and the Client site (i.e. the site to which the ISE machine is assigned).
4. If the DC site and the Client site are the same, then the response originator (i.e. the DC) is selected.
5. If the DC site and the Client site are not the same, then the AD Connector performs a DNS SRV query scoped to the discovered Client site, gets the list of domain controllers serving the client site, sends CLDAP ping requests to these domain controllers and processes only the first response, if any. The response originator (i.e. the DC) is selected. Note: if no DC serves the client's site, or no DC is currently available in the site, then the DC detected in #2 is selected.
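The site-aware selection in steps 3 to 5 above, written out as a small model. This is an added example and not ISE's AD connector code: the SRV lookup and the CLDAP ping are in-memory stand-ins, and the record and reply structures are assumptions of the model.

```python
"""Model of the site-aware DC selection steps on this slide. Constructed example,
not ISE code: SRV lookups and CLDAP pings are replaced by in-memory stand-ins."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV record. site=None is the domain-wide record set;
    a site name models the site-scoped _ldap._tcp.<site>._sites record set."""
    target: str
    priority: int
    site: Optional[str] = None


@dataclass(frozen=True)
class CldapReply:
    """What a DC returns to a CLDAP ping: its own site and the client's site."""
    dc: str
    dc_site: str
    client_site: str


def srv_lookup(records: List[SrvRecord], site: Optional[str] = None) -> List[str]:
    """Targets of the matching record set, lowest priority value first (steps 3 and 5)."""
    matching = [r for r in records if r.site == site]
    return [r.target for r in sorted(matching, key=lambda r: r.priority)]


def cldap_ping(dcs: List[str], replies: Dict[str, CldapReply]) -> Optional[CldapReply]:
    """Ping in priority order and process only the first response.
    A DC absent from `replies` is modelled as down or not answering."""
    for dc in dcs:
        if dc in replies:
            return replies[dc]
    return None


def select_dc(records: List[SrvRecord], replies: Dict[str, CldapReply]) -> Optional[str]:
    """Steps 3 to 5 from the slide: prefer a DC in the client's own site and fall
    back to the first domain-wide responder when the site has no reachable DC."""
    first = cldap_ping(srv_lookup(records), replies)
    if first is None:
        return None                                      # nothing answered at all
    if first.dc_site == first.client_site:               # step 4: same site, take it
        return first.dc
    site_dcs = srv_lookup(records, site=first.client_site)   # step 5: site-scoped SRV
    local = cldap_ping(site_dcs, replies)
    return local.dc if local is not None else first.dc       # fallback from the note
```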
Multi-AD: Network Ports (For Your Reference)

Protocol             Port (remote-local)   Exposure         Authenticated                      Notes
DNS (TCP/UDP)        53                    Network Infra    No                                 May use DNSSEC
MSRPC                445                   Network Infra    Yes
Kerberos (TCP/UDP)   88                    Network infra    Yes (Kerberos)                     MS AD/KDC
Kpasswd              464                   Network infra    No
LDAP (TCP/UDP)       389                   Network infra    Yes
NTP                  123                   Network infra    No
IPC                  80                    ISE internode    Yes, using creds from RBAC system  ISE REST Library
Multi-AD: AD Authentication Flow - Authentication Domains

Whitelist of domains within an AD instance.
Used to limit which domain(s) to perform lookups against.
The default setting is not to use the domain list (i.e., All).

AuthC Policy -> Scope (Optional) -> AD Instance -> AD Domain List (Optional) -> Identity Rewrite (Optional) -> to Target AD
Multi-AD: Authentication Domains
- This is a whitelist of AD domains that ISE should use.
- These domains are the Trusted Domains as defined by Microsoft AD.
- By default, the page will be set to permit authentication to all Trusted Domains, in which case the table is ignored.
Multi-AD: AD Authentication Flow - ID Rewrite

AuthC Policy -> Scope (Optional) -> AD Instance -> AD Domain List (Optional) -> Identity Rewrite (Optional) -> to Target AD

Identity Rewrite allows the username to be manipulated before being sent to AD for authentication.
ID Rewrite rules are applicable per AD instance.
Multi-AD: Identity Re-Write Fun Facts (For Your Reference)

Can re-write from EAP-TLS as well.
Already used to work with mis-provisioned certificates.
We collate all identity attributes, whether from the inner EAP method, from candidate certificate fields, etc., and offer them to rewrite.
Multi-AD: SID Based Group Mapping (screenshot)
Multi-AD: Test Authentication
Can run from scope level, or from an AD instance.
Different authentication types.
The ISE node can be selected to run the test auth.
Can provide group & attribute details if the options are selected.
Multi-AD: Domain Diagnostics
Can run from scope level, or from an AD instance.
Domain Diagnostics, continued (For Your Reference): screenshots of the diagnostic results.
Multi-AD: Certificate (EAP-TLS) Smart Search (screenshot)

Smart Search Fun Facts (For Your Reference)
You can have a mix of TLS certs with the identity in different X509 fields; ISE will figure it out.
Even if usernames are ambiguous, say two johnsmith from an acquisition, if the client certs are in AD it will auto-magically use them to rule out the ambiguity.
Multi-AD: Identity Resolution (For Your Reference)

What to do with usernames without domain markup

Note about Ambiguous Identity (For Your Reference)

SAM Names:
- If the identity is a SAM name (username or machine name without any domain markup), we will search the forest of each join point (once) looking for the identity. If there is one (unique) match, we determine their domain / unique name and continue the AAA flow.
- If the SAM name is not unique and we are using a password-less protocol like EAP-TLS, we have no other criteria to locate the right user, so we fail with an Ambiguous Identity error.
- If we are using a password-based protocol like (EAP)PAP/MSCHAP, then we continue to check the passwords. If there is only one account with the supplied password, we have a unique match and can continue the AAA flow. However, if there is more than one account with the same password, we fail with an Ambiguous Identity error.
Multi-AD: Note about Ambiguous Identity (For Your Reference)

Avoiding Issues
- The customer should be encouraged to use UPNs or FQDN host identities if they hit ambiguity errors frequently. In some cases, it will be the only way to resolve their issue. In others, it may be sufficient to guarantee that the users have unique passwords and the hunting algorithm will work, although it will be more efficient and lead to fewer password lockout issues if unique identities are used in the first place.

Note about Ambiguous Identity, continued (For Your Reference)

Uniqueness Enforcement
- Unqualified identities can result in non-unique user or machine identities, which would lead to potentially incorrect policy being returned if we do not catch them. Therefore, we must verify that an identity is unique and, if it is not, the authentication must fail with an ambiguous username error.
- This has performance implications because we need to search each of our join points' forests for a possible match to the unqualified identity. Therefore, customers should be encouraged to use qualified identities in the first place to avoid the performance hit.
- A secondary issue is what happens if a domain is unavailable while we are resolving an ambiguous username. We cannot know for certain whether the identity is unique (it could exist in the domain that is unavailable).
- If SAM names must be used, the Authentication Domains feature should be used to define the account domains that really matter. This will limit the search scope to just those and ignore errors from domains outside of the Authentication Domain list.
Multi-AD: Other Details (For Your Reference)

Rediscovery Frequency: The discovery process should run at startup and at no more than 24-hour intervals. If possible, Active Directory notifications should be employed to trigger rediscovery only when needed, e.g. if a new UPN or domain is created.
Supported Group Types: Due to the complexity of resolving Domain Local Groups efficiently at runtime, they will not be supported in this release. All other group types (Universal, Global, Builtin) will be supported.
GUI-based advanced tuning (only with TAC supervision!!!):
- Preferred DCs
- Preferred GCs
- DC Failover parameters
- Timeouts
Multi-AD: Advanced Tuning (For Your Reference)

Should only be performed under TAC supervision!!!!
Multi-AD: Caveats (For Your Reference)

When using UPN usernames, the UPN suffix or AD domain suffix must be unique.
When using a NetBIOS domain prefix in identities, the NetBIOS domain must be unique.
When using machine authentication with a fully qualified machine name, e.g. host/machine.domain.com, the DNS domain (domain.com) must be unique.
If not using any domain markup in identities, i.e. using SAM names, they should be unique to improve performance. They must be unique if using password-less protocols such as EAP-TLS. The {username, password} combination must be unique if using a password-based protocol.
The DNS names (forward lookup, such as A and SRV records) of Active Directory servers must be unique and lead to consistent results.
The IP addresses (reverse lookup) of servers used by the AD connector must be unique and lead to consistent results.
Multi-AD: Supported Username Format (For Your Reference)

User Principal Name (aka UPN)
Example: chyps@cisco.com

Alternative UPN
Example: chyps@alt.upn

NetBIOS prefixed name
Examples: CISCO\chyps and CISCO\machine$

SAM name
Examples: chyps and machine$

Host/ prefix, unqualified machine
Example: host/machine

Host/ prefix, fully qualified machine
Example: host/machine.cisco.com
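The username formats listed above, together with the SAM-name hunting and Authentication Domains rules from the ambiguous-identity slides, as one worked model. This is an added example, not ISE code: the join points, accounts and clear-text passwords are constructed in-memory stand-ins for the forests ISE would search, and the behaviour when an in-scope domain is unreachable is an assumption of the model (the slides only say uniqueness cannot then be known).

```python
"""Model of the identity handling described on the username-format and ambiguous-
identity slides. Constructed example, not ISE code: the join points, accounts and
passwords below are in-memory stand-ins for the AD forests ISE would search."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    kind: str              # upn | netbios | sam | host_unqualified | host_fqdn
    name: str              # SAM account name; machine accounts carry the trailing $
    domain: Optional[str]  # domain markup carried by the identity, if any


def parse_identity(raw: str) -> Identity:
    """Classify an identity into the formats listed on the slide."""
    if raw.startswith("host/"):                      # machine identities
        host = raw[len("host/"):]
        if "." in host:                              # host/machine.cisco.com
            hostname, dns_domain = host.split(".", 1)
            return Identity("host_fqdn", hostname + "$", dns_domain.lower())
        return Identity("host_unqualified", host + "$", None)
    if "\\" in raw:                                  # CISCO\chyps, CISCO\machine$
        netbios, name = raw.split("\\", 1)
        return Identity("netbios", name, netbios.upper())
    if "@" in raw:                                   # chyps@cisco.com, chyps@alt.upn
        name, suffix = raw.rsplit("@", 1)
        return Identity("upn", name, suffix.lower())
    return Identity("sam", raw, None)                # chyps, machine$: no markup


class AmbiguousIdentity(Exception):
    """More than one account matched and nothing is left to tell them apart."""


class DomainUnavailable(Exception):
    """An in-scope domain was unreachable, so uniqueness cannot be proven."""


@dataclass
class JoinPoint:
    """One AD instance: the forest ISE is joined to and the domains visible in it.
    Passwords are clear text only because this is a model; the real check is a
    Kerberos or MSCHAP exchange with the domain."""
    forest: str
    domains: Dict[str, Dict[str, str]]                  # dns domain -> {sam: password}
    unavailable: Set[str] = field(default_factory=set)  # domains currently down


def resolve_sam(sam: str, join_points: List[JoinPoint], password: Optional[str] = None,
                auth_domains: Optional[Set[str]] = None) -> Optional[Tuple[str, str]]:
    """Hunt a SAM name across every join point once, as the ambiguity slides describe.

    password=None models a password-less protocol such as EAP-TLS.
    auth_domains=None models the default (all trusted domains); otherwise only the
    whitelisted domains are searched and problems elsewhere are ignored.
    Returns (forest, domain) for a unique match, None when no account matched.
    """
    candidates: List[Tuple[str, str, str]] = []
    for jp in join_points:
        for domain, accounts in jp.domains.items():
            if auth_domains is not None and domain not in auth_domains:
                continue                             # outside the whitelist: skip
            if domain in jp.unavailable:
                # Assumption of this model: the identity might exist in the domain
                # that is down, so its uniqueness cannot be established.
                raise DomainUnavailable(f"{domain} unreachable while resolving {sam}")
            if sam in accounts:
                candidates.append((jp.forest, domain, accounts[sam]))

    if not candidates:
        return None                                  # unknown user or machine
    if len(candidates) == 1:
        return candidates[0][:2]                     # unique: continue the AAA flow
    if password is None:
        raise AmbiguousIdentity(f"{sam} found in {len(candidates)} domains")
    # Password-based protocol: the password is the only remaining discriminator.
    matched = [c for c in candidates if c[2] == password]
    if len(matched) == 1:
        return matched[0][:2]
    if not matched:
        return None                                  # wrong password everywhere
    raise AmbiguousIdentity(f"{sam}: {len(matched)} accounts share this password")
```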
