
Cisco dCloud

Cisco Identity Services Engine 2.6 v1 – Instant Demo


Last Updated: 21-NOVEMBER-2019

About This Demonstration


This guide for the preconfigured demonstration includes:

• About this Demonstration

• Requirements

• About this Solution

• Get Started

• Scenario 1. Network Visibility

• Scenario 2. Search for a User or Endpoint

• Scenario 3. What are the Unknown Endpoints on my Network?

• Scenario 4. View Live Authentications

• Scenario 5. Network Device Management

• Scenario 6. ISE Authentication and Authorization Policy

• Scenario 7. Scalable Group Tags (SGTs) and Software Defined Access (SDA)

• Summary

Limitations
Certain features of ISE 2.6 are not possible because the demonstration uses simulated traffic rather than real endpoints and users:

• BYOD registered endpoints and certificate provisioning

• EMM/MDM Compliance and Posture workflows

• Security integrations for threat assessments

Customization Options
This is a Read-Only demo to prevent configuration changes that would break future demo options.

You are highly encouraged to explore the ISE interface and features beyond the scripted demos contained here.

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 17

Requirements
The table below outlines the requirements for this preconfigured demonstration.
Required:

• A computer with a browser supported by the ISE Admin interface:
◦ Mozilla Firefox 6x and earlier versions
◦ Google Chrome 7x and earlier versions
◦ Microsoft Internet Explorer 10.x and 11.x

Optional:

• Adobe Flash Player (required only for the Search Endpoints feature)

About This Solution


Cisco’s Identity Services Engine (ISE) simplifies the delivery of a single policy for wired, wireless and VPN secure access control
across multivendor networks. With far-reaching, intelligent sensor and profiling capabilities, Cisco ISE can reach deep into the
network to deliver superior visibility into who and what is accessing enterprise networks. ISE enables you to see who and what is
on your network, to share that context across network solutions, and to stop and contain threats by dynamically controlling
network access.

ISE can be used to provide the following capabilities for customers:

For more information, you are encouraged to visit:

• ISE Product Page: http://cisco.com/go/ise

• ISE Resources: http://cs.co/ise-resources

• ISE Public Community: http://cs.co/ise-community

• ISE Sales Community: http://cs.co/selling-ise

• ISE Demos: http://cs.co/selling-ise-demos


• ISE Sales Training: http://cs.co/selling-ise-training

• ISE Videos (YouTube): http://cs.co/ise-videos

• ISE Licensing: http://cs.co/ise-licensing


Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

2. Click Catalog, search for “ise” and select Instant Demo from the side bar to filter your options.

3. Click the appropriate View button to launch the Instant Demo.

4. You should automatically be logged in to the ISE Instant Demo as user amdemo1.

It may take up to 30 seconds for the ISE dashboard to appear, depending on the demo load.


Scenario 1. Network Visibility


The first step to securing any network is to understand what exists. Once you understand this, you can take steps to further
educate yourself or your team in order to make informed decisions about what you should do next.

Steps
1. After launching the ISE Instant demo, you will be presented with the login banner reminding you that you have Read-Only
access. Simply Accept and Close the dialog.

2. When we first log in to the system we are presented with the ISE Home > Summary dashboard, which has metrics for the
total number of unique endpoints ISE has ever seen, how many of those are currently Active on the network, and how many
are Guests.

3. Next, review the Summary panels to see the percentage breakdowns of Authentications, Network Devices and Endpoints.

4. Hover over the donut wedges and labels to see the count of each category or type.


5. Use the tabs within the panels to pivot to different views of the same information.

6. If you see anything interesting, like an unexpected Entertainment Device, and want to know the specifics such as What and
Where they are, click on the donut wedges or categories to drill down and filter on the Details behind the summary data:

7. There are other Dashboard tabs for Endpoints, Guests, Vulnerability, and Threat.

But remember that Vulnerability and Threat dashboards will NOT be populated because the Instant demo does not have these
security integrations. You may still want to show these to your customers and discuss how integrating ISE with these types of
security products could let them see these devices and even Quarantine them with Rapid Threat Containment.

Using these dashboard views, you can get a baseline understanding of your network in terms of seeing both Who and What is
Where on the network. Once you have this level of visibility, you can begin to make educated policy decisions about unexpected
devices, unregistered assets, potential risks and the need for segmentation.


Scenario 2. Search for a User or Endpoint

NOTE: This feature still requires Adobe Flash in ISE 2.6. If you do not have Flash, or do not want to install it, you will want to skip
this Scenario.

One of the most common tasks that administrators or helpdesk personnel need is the ability to quickly find and troubleshoot a
particular user or endpoint on the network. ISE has a convenient Search feature to do this.

Steps
1. ISE provides an extremely simple Search interface from the menu bar.

2. You only need to enter a minimum of three (3) characters to quickly find matching Usernames, MAC addresses or IP addresses.

3. Search for a string like ‘cda’ above and you should see several matches for both MAC addresses and Users that you can
select and begin to see matching endpoints, connectivity status, and even what kinds of policies and authorizations were
recently applied.


4. Bring up the search field again and search for the user Thomas. If the user thomas was calling the Help Desk to find out why
his iPhone was not getting onto the network, you could filter on the Failed attempts and see the most recent Failure Reason
was a Wrong Password!

5. The list of endpoints associated with his username would even show which one(s) had the problem and that he may need to
change any stored passwords on that device.


6. Instant access to all of this relevant information as a result of a quick Search and a few clicks!


Scenario 3. What are the Unknown Endpoints on my Network?

Steps
1. Everyone wants to know if there are Unknown Endpoints connected to their network right now. These unknown endpoints
may simply be the result of previously overlooked and unregistered assets or potential threats attached to your network.

2. To see the complete inventory of endpoints that the system knows about, simply navigate to Context Visibility > Endpoints.

3. On the Authentications panel, select the Identity Group tab to see the breakdown by groups including Unknown
endpoints! Hover on the Unknown donut slice to see the total count of Unknown endpoints.

4. Click on the Unknown donut slice to filter all endpoints for just the Unknowns.

NOTE: You may need to scroll right to see that the assigned Authorization Profile was most likely the Default, because the
devices did not match any of the existing policy rules and should therefore have little to no access.


5. Click on the MAC address to drill down and get all known attributes about the endpoint including the OUI vendor to begin the
process of registration, classification or investigation:


Scenario 4. View Live Authentications


ISE allows you to view live authentications to your network in real time using the Live Log capability. This lets you not only see
who and what is coming in, but also drill down to understand how and why if something is failing or unexpected.

1. In ISE, navigate to Operations > RADIUS > Live Logs:

2. You can adjust the update frequency, number of records and window that you view:

NOTE: setting the update frequency too low can make it difficult to filter items due to the screen refreshes.

3. Notice all of the details about When, What, Who, Where and How subjects were authenticated to the network!

4. If you want to know Why something matched a specific Authentication or Authorization Policy, simply click on the
Authentication Details icon to get the Overview, Authentication Details, Attributes, Authorization Result and view
the Steps that ISE completed when evaluating its policies. This can be extremely helpful for troubleshooting!

5. If you wonder why a particular user or endpoint failed, click on the details and ISE should tell you the reason and what
resolution you can take to fix it.


Scenario 5. Network Device Management


1. In ISE, navigate to Administration > Network Resources > Network Devices to view all of the network devices that ISE
knows about:

2. By default, network access devices (NADs) are listed by name, but you can change the sort order by clicking on any
column title. Typically, NAD attributes such as IP address, Profile (vendor, hardware, software), Location (theater, city,
building, floor, etc.) or Type (switch, wireless, VPN, etc.) are important for helping to define custom authentication and
authorization policies that apply to specific hardware functionality, government regulations, or access methods.

3. You can even export all of them to a CSV file using the Export > Export All option:

4. If you click on a network device name, you can see all of the configurable Network Device Profile and Protocol options.

NOTE: the Network Device Groups cannot be viewed in Read-Only Admin mode.

5. Alternatively, if you want to see all of the endpoints connected through a specific network device, go to Context Visibility >
Network Devices and you can browse who or what is connected to which ports!


Scenario 6. ISE Authentication and Authorization Policy


In ISE 2.6, all policies were converted to Policy Sets because this is a more scalable and efficient way to build large numbers of
policies. Drill down into the ISE authentication and authorization policies for examples of many common policies, how Scalable
Group Tags (SGTs) are assigned and how many Hits they have in the hit counter.

1. In ISE, navigate to Policy > Policy Sets to see all policy sets. We only use the Default policy set for this demo to keep things
simple!

2. Click on the View arrow for the Default policy set to see its Authentication policies and Authorization policies.

3. Authentication Policies can be made very granular with Conditions, down to a specific user or endpoint! They are generally
used to filter authentications by NAD profile (hardware functionality), access method (wired, wireless, VPN),
authentication type (802.1X, MAB), authentication protocol (PEAP-MSCHAPv2, EAP-TLS), or Identity Store (internal, AD,
token, etc.).

4. Review some of the Authorization Profiles to understand how the NAD attributes, Authentication method, Identity groups,
endpoint attributes and other information can all be tied together to result in a specific Authorization Profile. IoT endpoints
like surveillance cameras:

Employees in Active Directory:

And note the Default authorization if there are no other policy matches:
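To make the first-match evaluation of an authorization policy concrete, here is an added example (not code from the demo or from ISE itself) that models a policy set as an ordered rule list with a per-rule hit counter and a Default catch-all. The rule names, conditions, profile names and SGT names are constructed for illustration and are not the demo's configuration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Session:
    """Attributes ISE would have for one RADIUS session (constructed model)."""
    auth_type: str                  # "802.1X" or "MAB"
    access_method: str              # "Wired", "Wireless" or "VPN"
    identity_group: str             # endpoint identity group from profiling
    ad_groups: Tuple[str, ...] = ()  # AD memberships, empty for MAB endpoints

@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str                    # Authorization Profile applied on match
    sgt: Optional[str] = None       # Scalable Group Tag assigned, if any
    hits: int = 0                   # the hit counter shown in the policy set

def build_policy() -> List[Rule]:
    """Constructed rules in the spirit of the three the demo shows."""
    return [
        Rule("IoT Cameras",
             lambda s: s.auth_type == "MAB"
             and s.identity_group == "Surveillance-Cameras",
             "Camera_Access", sgt="IoT_Cameras"),
        Rule("AD Employees",
             lambda s: s.auth_type == "802.1X" and "Employees" in s.ad_groups,
             "PermitAccess", sgt="Employees"),
        # Last rule is the Default: it matches everything that fell through.
        Rule("Default", lambda s: True, "DenyAccess"),
    ]

def authorize(rules: List[Rule], session: Session):
    """First matching rule wins; its hit counter is incremented."""
    for rule in rules:
        if rule.condition(session):
            rule.hits += 1
            return rule.name, rule.profile, rule.sgt
    raise RuntimeError("policy set has no catch-all rule")
```

An Unknown endpoint (MAB, no profiled group) lands on the Default rule, which is exactly what Scenario 3 tells you to look for in the Authorization Profile column.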


Scenario 7. Scalable Group Tags (SGTs) and Software Defined Access (SDA)
In the ISE Policy Sets you could see Scalable Group Tags (SGTs) being assigned to specific users or endpoints. To understand
how these tags relate to each other, you need to see the TrustSec Matrix. This will show how you can limit malware outbreaks
with a single SGACL.

1. In ISE, navigate to Work Centers > TrustSec > Components to see the list of configured Scalable Group Tags (SGTs).

2. Each SGT has a Name and Number (0-65535) representing a group of users or endpoints. By default ISE has 18 SGTs
defined and this demo has 21 SGTs defined.

3. In the side menu, choose Security Group ACLs to view all configured SGACLs. We have only defined one SGACL called
BlockMalware which blocks the typical ports (SMB/445) used for spreading malware such as WannaCry.

4. Click on the BlockMalware SGACL name if you want to see the complete ACL list. Notice that it is agnostic of IPv4 or IPv6
addresses which makes it topology-independent and far more efficient and scalable than traditional IP-based ACLs.


5. Navigate to Work Centers > TrustSec > TrustSec Policy to see the TrustSec Matrix. The matrix is a scrollable matrix of cells
representing Contracts (SGACLs) between the Source (rows) and Destination (columns) tags where they intersect. The
matrix is a logical and compact way to express port-based access between these groups.

6. Configured SGACLs, like our BlockMalware, are represented with the blue cell color. The default catch-all rules are shown in
green for Permit IP and red for Deny IP. This gives you a quick visual assessment of what access is granularly configured,
completely allowed, or completely blocked.

7. To edit a Contract, click on the cell, then click on the pencil icon in the upper right corner of the cell. You can see Permit All
and Deny All in the Final Catch-All Rules.

NOTE: You will not be able to save any changes because this is a Read-Only administrative login!
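The following added example (not code from the demo or from ISE) models the matrix lookup described in steps 3 to 6: a cell keyed by source and destination SGT holds a contract (an SGACL), and a catch-all of Permit IP or Deny IP applies where no contract is configured. The SGT numbers, the shape of the BlockMalware ACL and the ACE tuple format are constructed assumptions, not the demo's actual configuration.

```python
from typing import Dict, List, Optional, Tuple

# One ACE: (action, protocol, destination port); port None means any port,
# protocol "ip" means any protocol. Note there is no IP address field at all.
ACE = Tuple[str, str, Optional[int]]

# Constructed SGACL in the spirit of BlockMalware: deny SMB on TCP/445,
# permit everything else. Because it names no addresses it applies unchanged
# to IPv4 and IPv6 flows, which is the topology independence step 4 points out.
BLOCK_MALWARE: List[ACE] = [
    ("deny", "tcp", 445),
    ("permit", "ip", None),
]

# SGT name -> number (0-65535). Numbers are constructed for this example.
SGT = {"Employees": 4, "IoT_Cameras": 20}

# Matrix cells: (source SGT, destination SGT) -> contract. Cells with no entry
# fall back to the catch-all rule.
MATRIX: Dict[Tuple[int, int], List[ACE]] = {
    (SGT["Employees"], SGT["Employees"]): BLOCK_MALWARE,
}

def evaluate(src_sgt: int, dst_sgt: int, proto: str, dst_port: int,
             matrix: Dict[Tuple[int, int], List[ACE]] = MATRIX,
             catch_all: str = "permit") -> str:
    """Return 'permit' or 'deny' for a flow between two tags.

    Only the tags and the L4 header are consulted; IP addresses never enter
    the decision. catch_all is 'permit' for Permit IP (green cells) or 'deny'
    for Deny IP (red cells).
    """
    contract = matrix.get((src_sgt, dst_sgt))
    if contract is None:
        return catch_all
    for action, ace_proto, ace_port in contract:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return action          # first matching ACE wins
    return catch_all           # contract exhausted without a match
```

Running a hypothetical lateral SMB flow between two Employee endpoints through evaluate() returns "deny" while HTTPS between the same tags returns "permit", which is the single-SGACL containment the scenario describes.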


Summary
ISE helps you get answers to Who, What, Where, When, Why and How a user or endpoint got access to your network. You can
manage access for any kind of network device, whether Wired, Wireless or VPN, and with any hardware that can talk RADIUS. ISE
policy creation can be as simple or as granular as you need it to be and scales to hundreds of policies. Finally, ISE allows you to
use group-based policy with contracts to create and enforce a simpler, more efficient access control policy in our intent-based
networking future!

