CCIE Security Notes: ISE 2.1 Notes

RADIUS Live Log

  • Settings remembered per user
  • All fields hide-able
  • All fields sortable
  • Right-click copy
  • Ctrl-F searching
  • Powerful filters:
    • Filter on most fields
    • Can perform complex filtering
    • Save filters
  • Target icons for actions on Live Log & Live Sessions:

Expanded Work Centers

Context Visibility

  • Provides better visibility into the different users and endpoints connected to the network, with as much information as possible, through a simple, flexible and highly consumable interface. Combines the value of the rich live log and reports into a common view.
    • Find endpoints with compliance issues or behavior anomalies - better enterprise security and more automated mitigation activities
    • ISE collects information about the different users and endpoints connected to a network
    • The new Context Visibility provides the administrator with a more holistic view of the network. A new interactive UI allows quick sorting and filtering of context information such as Endpoints, Users, Compliance and more, and then shows the associated data right on the page
    • Context Visibility provides a quick and easy way to understand the various users and endpoints on your network. It starts with an overview of the ISE deployment, providing administrators with selectable dashlets. Administrators can click on the dashlets to get detailed drill-downs with additional graphs and tabular data.
    • Stores the current state of all endpoints.

Customizable Dashboards and Wizards

  • See the data you want to see in one place
  • Framework supports dashboard customizations and user preferences
  • Custom tabs – Add/remove/rename tabs
  • User controls what to view – Add/remove/rename dashlets
  • Control layout – Ordering dashlets, select from layout templates
  • Drag & drop of dashlets
  • Export – Excel and PDF
  • Sample dashlets:
  • Visibility Wizard:
    • Setup ISE to start collecting endpoint information from a network
    • Configure the network access devices - e.g. SPAN configuration, IP helper, etc.
    • Allows IP ranges to discover NADs
    • Wizard would enable the following probes: HTTP probe, DHCP probe, and SNMP probe

Diagnostics

  • Per Process/Thread visibility with show application status ise
  • show cpu usage
  • SNMP traps adopted into ISE 2.1. These are similar to the traps on ACS 5.7
    • Cold start – sent while the SNMP daemon is re-initializing
    • Linkup – during Ethernet interface up
    • Link down – during Ethernet interface down
    • Authentication failure – in case of community string mismatch
    • Process Start
    • Process Stop
    • Execution Failed – if the process status goes from the “monitored” state to the “Execution Failed” state, ISE will send a trap
    • Does not exist – there is a process status “Does not exist”; if the process status goes from the “monitored” state to the “Does not exist” state, ISE will send a trap
    • Disk utilization – disk utilization threshold limits are added with the CARS CLI command below; for ISE process status there is no separate CLI command. If an SNMP server host is configured, that IP is used to send the trap
  • Dashlets with key events above the Live Log
  • Debug Endpoint
    • Creates a debug file of all activity for all services related to that specific endpoint
    • Executed and stored per PSN
    • Can be downloaded as separate files per PSN
    • Or merged as a single file
  • Bypass suppression from the Live Log so that all activity for the endpoint will show in the Live Log
  • Predefined Smart-Defaults & Policies:
  • Time-based support bundles:
  • Set logging levels to default:
  • Test repository from GUI:
  • Test Button for Feed Service:
  • Certificate Details:

pxGrid Certificates Through the Provisioning Portal

  1. Required 2-Way Trust Between Controller & pxGrid Clients
  2. IF Bulk Downloads THEN 2-Way Trust Client-to-Client
  3. In Other Words, A Full MESH of Trusts
  • With pxGrid certificates, you have an instant full mesh of trust since:
    • Uses a single Certificate Authority
    • Each pxGrid participant trusts that Certificate Authority
    • Each pxGrid client uses a ‘pxGrid’ certificate from that CA
    • Controller still authorizes the communication

  • With the Cert Portal:
    • Can do CSRs one at a time, but Bulk Download works well, too.
    • Protip: Don’t bother with CSRs – just generate certificate pairs from the Portal.
    • Best Practice, Follow an Order of Operations:
      • Don’t enable pxGrid until all nodes have a pxGrid certificate.
      • Wait for all the services to come up on the 1st PSN before you enable pxGrid on the 2nd PSN

To configure the Cert portal:

  • Edit the Certificate Provisioning Portal
  • Setup the portal:
    • Must choose an authorized group for login to the portal
    • Must specify a friendly name for the portal, and it must have name resolution
    • Must select the pxGrid template as being available from the portal
  • Create a Network User - will be used as an admin user in the next step
  • Make an admin user from the network user:
  • Add the user to the Super Admin Group - only the Super Admin & ERS Admin roles can issue pxGrid certs:
  • Login to the Certificate Provisioning Portal - generate bulk certs with the pxGrid template - prefer to use a pxGrid prefix in the CN - 1 per ISE node:
  • Download the certificates
  • Extract the ZIP file - there are key-pairs per node + ISE CA Roots + ISE Admin Roots - all PEM encoded:
  • Import the cert pairs for each node - 1 at a time, for pxGrid usage - rinse/repeat per ISE node:
  • Delete the old, self-signed certificate for cleanliness:
  • After the ISE nodes have all their pxGrid certificates, it’s time to enable pxGrid
  • Enable pxGrid on the first PSN under Administration>System>Deployment:
  • To ensure a predictable & successful deployment, the order of operations should be followed:
    • Don’t enable pxGrid until all nodes have a pxGrid certificate.
    • Wait for all the services to come up on the 1st PSN before you enable pxGrid on the 2nd PSN
  • After enabling pxGrid - services will start - after the services start, PAN & MnT will automatically publish topics:
  • Enable pxGrid on the second PSN

Device Administration

  • New TACACS+ profile types:
  • New WLC TACACS+ profile types:
    • Shows you WLC debug data:
    • Pre-built TACACS+ profiles for the WLC:
  • Selectable default network device so you can choose RADIUS, TACACS+ or both
  • Improved shared secret handling - allows the admin to set a grace period for old shared secrets, and allows ISE to change the shared secrets of large device pools over time
  • Configure default retirement time:
  • Centralized control of TACACS+ services:
    • Within the Work Center
    • Control centrally
    • Configure ports - up to 4 ports
      • tcp/49
      • tcp/>1024
  • Deny All Shell profile - ability to send a “Fail” when authentication passed

NIC Bonding

  • NIC Bonding
  • Used for HA/redundancy for network connectivity
    • ISE physical interface failure
    • Loss of switch port connectivity (switch goes down, etc.)
    • Note: not for NIC teaming/port channels
  • Bonding pairs are set - up to 6 interfaces for ISE 2.1 - bonds/backup interfaces are pre-chosen & unchangeable
  • When Gig0 is down, Gig1 takes over
    • Both interfaces assume the same L2 address
    • When Gig0 fails, Gig1 assumes the IP address and keeps the communications alive
    • Based on the link state of the primary interface
  • Configured at the CLI - add the backup to the primary interface configuration:
  • ISE updates the configuration pages - per-node configurations are updated. Multi-node configurations allow configuration:
  • Disable bonded interfaces using the no backup interface <interface> command

ODBC Support

  • ODBC Authentication 
    • Use ODBC as an external DB store in ISE
    • Support for MAB authentication, LEAP, CHAP, EAP-MD5, MSCHAPv1/v2, EAP-MSCHAPv2(PEAP/EAP-FAST), EAP-TLS
  • ODBC Authorization 
    • Stored procedure for DB lookup and authorization (Radius-accept)
    • Ability to retrieve groups and user attributes and store as template
    • Ability to translate groups to be used in policies 
    • Ability to translate attributes to ISE attributes via GUI
  • Extends ISE’s external ID sources to include other databases
  • ODBC Support:
    • ODBC supported DBMS in ISE 2.1:
      • Oracle Database
      • Microsoft SQL Server
      • MySQL
      • PostgreSQL
      • Sybase
      • SAP ASE
      • SAP SQL Anywhere
  • ODBC Authentication protocols supported in ISE 2.1:
    • Non-EAP
      • ASCII/PAP
      • CHAP
      • MS-CHAP v.1
      • MS-CHAP v.2
    • EAP
      • LEAP
      • EAP-MD5
      • EAP-TLS
      • PEAP (EAP-GTC)
      • PEAP (EAP-MSCHAPv2)
      • EAP-FAST
      • EAP-TTLS -- (added in ISE 2.0)

Threat-Centric NAC

  • Allows threat-centric Network Access Control via ISE policy for vulnerability and threat detection, utilizing Cisco Advanced Malware Protection pushing high-fidelity Indications of Compromise (IoC) to ISE. This allows ISE to change the privilege and context of an endpoint dynamically, notifying the network and other applications of the change so that access to resources can be restricted
  • Correlating threat and vulnerability information to reduce time to remediation with ISE network fabric visibility and control
  • Discover vulnerable embedded IoT devices
  • Automated containment of vulnerable endpoints based on CVE score
  • Immediate action on prioritized vulnerabilities to maximize SOC resources
  • Vulnerability - the security assessment service leverages industry standards for vulnerabilities and threats. Vulnerable endpoints are identified based on CVSS scores
  • Threat - endpoints based on incidents and indicators
  • Example: Threat Centric NAC with Qualys Overview
  • TC-NAC Components
    • The Qualys cloud platform can be accessed using a browser. Qualys provides vulnerability assessment capabilities. Different cloud platform URLs are provided based on location
    • Qualys scanners (scanner appliances or virtual scanners on ESX) are deployed with access to the networks where the endpoints that need to be scanned are located, and they communicate directly (or via proxy) with the Qualys cloud platform
    • All actions, including checking scan results and triggering a scan using a specified appliance, are done from the Qualys cloud platform through a browser or the REST API (as is the case with ISE). The actual scan is performed by the specified scanner appliance
  • Note the following regarding configuration at the Qualys cloud platform:
    • Enable CVSS Scoring at Vulnerability Management>Reports>Setup>CVSS>Enable CVSS Scoring
    • Ensure that the user credentials used in the adapter configuration have manager privileges
    • Ensure that the IP addresses/subnets of endpoints requiring Vulnerability Assessment are added to Qualys at Vulnerability Management>Assets>Host Assets>New>IP Tracked Hosts
  • Threat-Centric NAC Summary -
    • Ability to trigger vulnerability assessment checks
    • Trigger an on-demand scan if required
    • Consume these results to generate normalized results and CVSS scores for vulnerability assessment
    • ISE has the ability to evaluate and change network access again using authorization policies
    • Threat Centric NAC is a service in ISE
  • Configuring Threat-Centric NAC with Qualys
    • Step 1: Add the third-party vendor under Administration>Threat Centric NAC>Third Party Vendors
    • Adapter for Threat Centric NAC: ISE provides the ability for partners to leverage plugin adapters which can communicate with their ecosystems and provide ISE with results
    • Step 2.1: Configure the Adapter
    • Step 2.2: Map the Scanner:
    • Step 2.3: Configure the Adapter Settings
    • Step 2.4: Configure On-Demand Settings for the Adapter
    • The Scanner should be active
    • Step 3: Define policy: Policy>Policy Elements>Results>Authorization>Authorization Profile
  • Threat Centric NAC in ISE consists of the following:
    • Trigger a vulnerability results check when certain conditions are matched in authorization policies, and continue to allow regular network access based on the policy match
    • Execute the vulnerability assessment result check and, when required, an on-demand scan using the configured vulnerability assessment vendor ecosystems
    • Fetch results from the vendor and extract CVSS scores and CVE IDs
    • Trigger a Change of Authorization (CoA) when a certain degree of vulnerability (expressed in terms of STIX attributes such as CVSS Score) is matched, so that, based on authorization policy conditions which use these attributes, the devices can be quarantined or given limited network access.
  • On-Demand SCAN: when does ISE trigger?
    • When an endpoint connects to the network and ISE does not know its vulnerability status. This will especially be the case for endpoints connecting to the network for the first time
    • When endpoints connect to the network after an extended period of inactivity
    • When an endpoint connects and its compliance state is unknown/non-compliant, or a connected endpoint’s compliance state becomes non-compliant. The source of truth for this is the device manager.
    • When the time since a connected endpoint was last managed exceeds a certain interval. Again, the source of truth is the device manager
    • When the time since a connected endpoint was last checked for vulnerabilities exceeds a certain interval
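
The on-demand scan triggers and the CVSS-driven CoA decision above, modelled as an added Python example (not ISE, Qualys or adapter code). The endpoint fields, the vendor result format, the intervals (the notes only say "a certain interval"), the 7.0 quarantine threshold and the profile names are assumptions; the CVE identifiers are placeholders.

```python
"""Constructed model of the ISE 2.1 Threat-Centric NAC decisions described above.
Not ISE or Qualys code: the endpoint fields, the vendor result format, the
intervals and the CVSS threshold are assumptions used for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed intervals; the notes only say "exceeds a certain interval".
INACTIVITY_INTERVAL = timedelta(days=30)
MANAGED_RECHECK_INTERVAL = timedelta(days=1)
VULN_RECHECK_INTERVAL = timedelta(days=7)
QUARANTINE_CVSS = 7.0  # assumed authorization-policy condition on CVSS Score

@dataclass
class Endpoint:
    mac: str
    last_seen: Optional[datetime] = None       # None: first time on the network
    compliance: str = "unknown"                # reported by the device manager
    last_managed: Optional[datetime] = None    # source of truth: device manager
    last_vuln_check: Optional[datetime] = None
    max_cvss: Optional[float] = None           # STIX-style attribute ISE keeps
    cve_ids: list = field(default_factory=list)

def on_demand_scan_reason(ep: Endpoint, now: datetime) -> Optional[str]:
    """Why ISE would trigger an on-demand scan now, or None if it would not.
    The checks mirror the five trigger conditions listed in the notes."""
    if ep.last_vuln_check is None:
        return "vulnerability status unknown"
    if ep.last_seen is not None and now - ep.last_seen > INACTIVITY_INTERVAL:
        return "reconnect after extended inactivity"
    if ep.compliance != "compliant":
        return "compliance state " + ep.compliance
    if ep.last_managed is None or now - ep.last_managed > MANAGED_RECHECK_INTERVAL:
        return "last managed time exceeds interval"
    if now - ep.last_vuln_check > VULN_RECHECK_INTERVAL:
        return "last vulnerability check exceeds interval"
    return None

def ingest_scan_results(ep: Endpoint, results: list, now: datetime) -> float:
    """Normalize adapter output into the CVE IDs and max CVSS score ISE stores.
    `results` is a constructed list of {"cve": ..., "cvss": ...} dicts."""
    ep.cve_ids = [r["cve"] for r in results]
    ep.max_cvss = max((float(r["cvss"]) for r in results), default=0.0)
    ep.last_vuln_check = now
    return ep.max_cvss

def authorize(ep: Endpoint, current_profile: str) -> Tuple[str, bool]:
    """Evaluate the assumed CVSS condition; return the authorization profile
    and whether a CoA must be sent because the profile changed."""
    if ep.max_cvss is not None and ep.max_cvss >= QUARANTINE_CVSS:
        profile = "QUARANTINE"          # limited network access
    else:
        profile = "PERMIT_ACCESS"
    return profile, profile != current_profile

def run_demo() -> Tuple[Optional[str], float, Tuple[str, bool]]:
    """Constructed walk-through: a first-time endpoint is scanned, the vendor
    reports one critical finding and ISE quarantines it with a CoA.
    The CVE identifiers below are placeholders, not real advisories."""
    now = datetime(2024, 1, 1, 9, 0)
    ep = Endpoint(mac="00:11:22:33:44:55")
    reason = on_demand_scan_reason(ep, now)
    score = ingest_scan_results(ep, [{"cve": "CVE-0000-0001", "cvss": "9.8"},
                                     {"cve": "CVE-0000-0002", "cvss": "4.3"}], now)
    return reason, score, authorize(ep, "PERMIT_ACCESS")

def healthy_endpoint_reason() -> Optional[str]:
    """Constructed counter-case: compliant, recently managed and recently checked."""
    now = datetime(2024, 1, 1, 9, 0)
    ep = Endpoint(mac="66:77:88:99:aa:bb", last_seen=now - timedelta(hours=1),
                  compliance="compliant", last_managed=now - timedelta(hours=2),
                  last_vuln_check=now - timedelta(days=2))
    return on_demand_scan_reason(ep, now)
```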

 

Debugging Logs:

BYOD Enhancements

  • BYOD Enhancements
    • Key Highlights
      • Enhanced Admin BYOD workflow
      • Chromebook on-boarding
      • Enrollment over Secure Transport (EST) support
      • Pre-canned policies
  • BYOD is all pre-configured - just enable the policies
  • What needs to be done? 
    • Just enable authorization policies - you are done with the BYOD config
  • BYOD pre-configured elements (starting in ISE 2.0)
    • Internal CA server and certificate provisioning
    • Provisioning policies for different PC and mobile endpoints 
    • BYOD authorization profiles for on-boarding and blacklisting
    • External ID stores, e.g. Active Directory, for BYOD authentication and the My Devices Portal
  • BYOD authorization policies that are pre-defined:
  • Internal CA: pre-configured enhanced CA, multiple certificate templates
  • Client Provisioning: BYOD Enhancements - pre-defined client provisioning policies
  • Client provisioning resources: BYOD enhancements
  • Pre-configured SSID for BYOD

Posture Enhancements

  • Key Highlights 
    • Enhanced Admin Posture workflow
    • USB mass storage check and remediation 
    • Posture reporting for failure reasons
    • Anti-malware checks
  • Posture Workflow
    • For ease of configuration
    • All tasks easily achievable following simple easy steps
  • Three steps to configure posture
  • ISE also has some checks which are not part of libraries but will be supported as V3, V4 or “Any Version value”, e.g.
    • File Check
    • Service Check
    • Application check, etc.
  • Upgrade is supported to ISE 2.1 from previous versions
  • USB Condition and Remediation -
    • USB checks are “Dynamic”, aka real-time enforced, although the USB check could be configured at the initial posture check or Passive Reassessment checks (PRA)
    • AnyConnect 4.3 enforces the Disk Encryption Policy
  • Message TEXT available to notify users:
  • Reporting: USB Condition and Remediation - reports are available for USB checks

Guest Enhancements

  • Guest Enhancements -
    • Guest Key Highlights
      • Integration with more SAML providers for web portals.
      • Guest Portal allows credential and SAML SSO login options.
      • Usability improvements (e.g. From First Login, etc.)
      • Sponsor Approval Pending accounts filtered view
      • Proxy support for HTTP API (SMS)
      • NIC Teaming
  • Proxy support for HTTP API (SMS message transmission): Administration>System>Settings>Proxy
  • From First-Login Guest type - Work Centers>Guest>Configure>Guest Type
  • Benefits:
    • Allows creation of an account that may be used for X amount of hours
    • Sponsors can pre-print vouchers with credentials ahead of time
  • From First-Login Guest Type
    • Account Creation
      • Sponsor Portal>Create Accounts
      • Select the From First Login guest type
      • Notice there is no start/stop time; instead you enter how many days (or hours)
    • Account Creation - Account Information:
      • Start/end timestamps are not set until after the first login (when the account is activated)
      • The time-left number is the time the account can remain inactive before it is moved to the expired state and then purged by the normal purge policy
      • Account duration (how long it was created for, e.g. 8 hrs or 1 day) - missing
  • List display behavior - Sponsor Portal managed account list
    • Expiration column is empty until the user logs in
    • Time-left number is the time the account can remain inactive before it is moved to the expired state and then purged by the normal purge policy
    • After the user logs in:
      • Account will be set with an expiration and will behave exactly like a regular guest
      • All GUI indications of the guest user will be the same as a regular guest (except for the guest type)
  • Work Centers>Guest Access Settings>Guest Account Purge Policy
    • First Login Guest accounts are moved to Expired after N days as configured (90 days)
    • Purge of these expired guests occurs as per the scheduled purge policy specified for any expired guest accounts (every 15 days)
  • NIC Interface Teaming (Bonding)
    • Used for redundancy, no aggregation of bandwidth
    • Simple primary/backup config
    • Each PSN will have its own configuration (via the CLI)
    • Portal selects the ports it will use across all PSNs (depending on the PSN config)
    • Understand: interface selections for a portal apply to all PSNs in a deployment
    • Perfectly valid to select Eth0/Eth1 AND Bond0
    • When a physical interface pair is bonded, the portal listens on the IP address of the even-numbered interface, i.e. Eth0, Eth2, or Eth4
    • On a PSN where Eth0/Eth1 are bonded, the settings shown above indicate that the PSN will not listen on the Eth0 IP address since Bond0 is not selected. The selection of Eth0 alone has no effect when Eth0 is part of a bonded pair
  • Updated SAML Support - integration with more providers and more generic support
    • Guest, Sponsor and My Devices Portals
    • Oracle (supported since 1.4)
    • SAML SSO with PingOne (Cloud), PingFederate (CPE), Azure AD, SecureAuth
    • Support generic SAML SSO as a standard (SAML2)
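
The From First Login account lifecycle described in this section (empty start/end until the first login, a time-left window for unused accounts, expiry and scheduled purge), modelled as an added Python example that is not ISE code. Field and state names are assumptions; the 90-day expiry of never-used accounts and the 15-day purge schedule are the values the notes give.

```python
"""Constructed model of the From First Login guest account lifecycle described
above. Not ISE code: field and state names are assumptions; the 90-day expiry
of never-used accounts and the 15-day purge schedule are the values the notes give."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

UNUSED_EXPIRY = timedelta(days=90)      # never-logged-in accounts expire after N days
PURGE_INTERVAL = timedelta(days=15)     # scheduled purge of expired guest accounts

@dataclass
class FirstLoginGuest:
    username: str
    duration: timedelta                 # entered at creation: N hours or days
    created: datetime
    start: Optional[datetime] = None    # both stay empty until the first login
    end: Optional[datetime] = None
    state: str = "created"              # created -> active -> expired (then purged)

    def time_left(self, now: datetime) -> Optional[timedelta]:
        """Inactivity time left before an unused account expires; None once the
        account is activated, after which it behaves like a regular guest."""
        if self.start is not None:
            return None
        return max(self.created + UNUSED_EXPIRY - now, timedelta(0))

    def refresh(self, now: datetime) -> str:
        """Expire the account when its unused window or its active window ends."""
        if self.state == "created" and now - self.created >= UNUSED_EXPIRY:
            self.state = "expired"
        elif self.state == "active" and self.end is not None and now >= self.end:
            self.state = "expired"
        return self.state

    def first_login(self, now: datetime) -> bool:
        """Activate the account: only now are the start/end stamps set."""
        if self.refresh(now) != "created":
            return False                # already activated, or expired unused
        self.start, self.end = now, now + self.duration
        self.state = "active"
        return True

def run_purge(accounts: List[FirstLoginGuest], now: datetime,
              last_purge: datetime) -> List[FirstLoginGuest]:
    """Drop expired accounts, but only when the scheduled purge is due."""
    for acct in accounts:
        acct.refresh(now)
    if now - last_purge < PURGE_INTERVAL:
        return accounts
    return [a for a in accounts if a.state != "expired"]

def run_demo() -> dict:
    """Constructed walk-through with two pre-printed voucher accounts."""
    created = datetime(2024, 1, 1, 8, 0)
    used = FirstLoginGuest("voucher-01", timedelta(hours=8), created)
    unused = FirstLoginGuest("voucher-02", timedelta(days=1), created)
    activated = used.first_login(datetime(2024, 1, 10, 9, 0))       # end: 17:00
    again = used.first_login(datetime(2024, 1, 10, 10, 0))          # already active
    days_left = unused.time_left(datetime(2024, 1, 10, 8, 0)).days  # 81 of 90
    later = datetime(2024, 4, 15, 8, 0)                             # day 105
    remaining = run_purge([used, unused], later, last_purge=later - PURGE_INTERVAL)
    return {"activated": activated, "relogin": again, "used_end_hour": used.end.hour,
            "unused_days_left": days_left, "used_state": used.state,
            "unused_state": unused.state, "remaining": len(remaining)}
```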

 

ISE Requirements

  • ISE Virtual OS and NIC support -
    • ISE 2.0/2.1
      • VMware ESXi 5.x
      • VMware ESXi 6.x
      • KVM
  • Notes for VMware Virtual Appliance installs using the ISO image (OVA recommended):
    • Choose Red Hat Linux 7 (64-bit) (ISE 2.0.1+)
    • Manually enter resource reservations
  • Virtual Network Interfaces
    • Choose either E1000 or VMXNET3 (default)
    • ISE 2.0 supports up to (6) Network Adapters
    • ESX Adapter Ordering Based on NIC Selection:

      ADE-OS   ISE   E1000   VMXNET3
      eth0     GE0   1       4
      eth1     GE1   2       1
      eth2     GE2   3       2
      eth3     GE3   4       3
      eth4     GE4   5       5
      eth5     GE5   6       6

Profiling Enhancements

  • Profiler UX Changes
  • New Work Center “houses” virtually all pages related to Profiler configuration
  • Offline Feed Service Updates -
    • If there is no internet access in a highly secured deployment, there is the offline profiler feed
  • HTTP Probe - User Agent White Listing
    • Key benefits of HTTP User Agents
      • User agents can tell us the difference between the various Windows versions, Android, Linux, Mac OS, and iOS device types, sometimes delivering OS and version details not available from other profile attributes
  • HTTP Profiling Fidelity
    • Key pitfalls of HTTP User Agents
      • Due to the many thousands of web-enabled applications, most user agents are benign or provide little or no value for profiling
      • More problematic, these benign values cause profiles to flip from a valid classification to Unknown or a less accurate profile, often breaking policies based on profiling
    • Create a Black List of “Bad User Agent Strings” (User Agents to Ignore)
    • Static Black List
      • Only updated by enhancement requests or CDETS
      • Updates applied to the next ISE release or possibly a patch
    • Due to the thousands of current benign agents and the continuously growing list of web-enabled apps, maintaining a static filter list is a race no one can win. The HTTP profiler feature is often seen as suitable for visibility, not for policy enforcement
  • Agent White Listing and Ignored Tracking:
    • This prevents profile flipping from bogus user agents and reduces database replication due to profile changes
    • Or add a secondary attribute to the endpoint that tracks “Ignored-User-Agent”
    • ISE continues to provide visibility into new user agents, but the value used for profiling is the current User-Agent attribute and is restricted to the white list
    • Creating a new user agent condition based on a string automatically updates the white list
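
The white-list plus Ignored-User-Agent behaviour described above, with the older static black list beside it for contrast, as an added Python example that is not ISE code. The white-list patterns, profile names and the EndPointPolicy field are assumptions; User-Agent and Ignored-User-Agent are the attribute names the notes mention.

```python
"""Constructed model of the user-agent white list and Ignored-User-Agent
tracking described above. Not ISE code: the white-list patterns, profile
names and the EndPointPolicy field are assumptions; User-Agent and
Ignored-User-Agent are the attribute names the notes mention."""
import re
from typing import Dict, List, Optional

# Assumed white list, seeded from the user-agent conditions an admin defines.
WHITE_LIST: Dict[str, str] = {
    r"Windows NT 10\.0": "Windows10-Workstation",
    r"Android": "Android",
    r"iPhone OS": "Apple-iPhone",
}

def add_user_agent_condition(pattern: str, profile: str) -> None:
    """A new user-agent condition based on a string extends the white list."""
    WHITE_LIST[pattern] = profile

def classify(user_agent: str) -> Optional[str]:
    """Profile for a white-listed agent, None for anything else."""
    for pattern, profile in WHITE_LIST.items():
        if re.search(pattern, user_agent):
            return profile
    return None

def observe_http(endpoint: Dict[str, object], user_agent: str) -> bool:
    """Apply a sniffed User-Agent to an endpoint record (white-list mode).
    Returns True when the profile changed, i.e. when a profile-change
    replication would occur; unknown agents are recorded, not applied."""
    profile = classify(user_agent)
    if profile is None:
        ignored = endpoint.setdefault("Ignored-User-Agent", [])
        if user_agent not in ignored:
            ignored.append(user_agent)        # visibility only, no profile flip
        return False
    changed = endpoint.get("EndPointPolicy") != profile
    endpoint["User-Agent"] = user_agent
    endpoint["EndPointPolicy"] = profile
    return changed

def observe_http_static(endpoint: Dict[str, object], user_agent: str,
                        black_list: List[str]) -> bool:
    """The static black-list approach for contrast: an agent not on the ignore
    list is trusted, so an unseen benign agent flips the profile to Unknown."""
    if any(bad in user_agent for bad in black_list):
        return False
    profile = classify(user_agent) or "Unknown"
    changed = endpoint.get("EndPointPolicy") != profile
    endpoint["User-Agent"] = user_agent
    endpoint["EndPointPolicy"] = profile
    return changed

def run_demo():
    """Constructed walk-through: a Windows 10 PC later sends traffic from an
    updater whose agent string is on no list. Same traffic, both modes."""
    pc_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    app_agent = "ExampleUpdater/3.1"                       # constructed agent
    black_list = ["KnownBadAgent/"]                        # constructed entry
    wl_ep = {"MACAddress": "aa:bb:cc:dd:ee:01", "EndPointPolicy": "Unknown"}
    wl_flips = [observe_http(wl_ep, pc_agent), observe_http(wl_ep, app_agent)]
    bl_ep = {"MACAddress": "aa:bb:cc:dd:ee:02", "EndPointPolicy": "Unknown"}
    bl_flips = [observe_http_static(bl_ep, pc_agent, black_list),
                observe_http_static(bl_ep, app_agent, black_list)]
    return wl_ep, wl_flips, bl_ep, bl_flips
```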
  • NMAP Probe Enhancement -
    • Revamped manual scan page with reusable templates
    • Ping check
    • Custom ports
    • Banner/service info
    • ePO check
    • SMB discovery
  • Manual NMAP Scan - Work Centers>Profiler>Manual Scans
  • Manual NMAP Scan Results - Work Centers>Profiler>Manual Scans (or Administration>Identity Management>Identities)
    • After running a manual NMAP scan:
      • Endpoints included in the last completed scan where one or more attributes are added or changed and can be correlated to an endpoint in the ISE database based on its MAC address
    • If you’re not seeing all endpoints (or any endpoints) under the latest scan results, be aware of what will not be shown in scan results:
      • Prior scan results (scan results before the last completed scan)
        • Results are for the LAST manual NMAP scan operation only, across all PSNs
      • Endpoints without an IP-to-MAC binding
        • If data cannot be correlated to an endpoint in the ISE database, results will be dropped
      • Unchanged endpoints
        • Endpoints where NMAP results are the same as the current endpoint data are not displayed
  • NMAP Scan Actions - used in profiler policies (triggered scans) or manual scans
  • Triggered NMAP scan using template - Policy > Profiling > Profiling Policies (or Work Centers > Profiler > Profiling Policies)
  • Enhanced NMAP Probe
    • Custom ports, service info, ePO check
  • AD Probe - Administration > System > Deployment > (node) > Profiling Configuration - or - Work Centers > Profiler > Node Config > Deployment > (node) > Profiler Config
    • Increases OS fidelity through detailed info extracted via AD
    • Distinguishes corporate from non-corporate endpoints -> Is the device a corp asset?
    • Leverages the AD Runtime Connector
    • Attempts a fetch of AD attributes once the computer hostname is learned from:
      • DHCP Probe
      • DNS Probe
    • AD queries gated by:
      • Rescan interval (default 1 day)
      • Profiler activity for the endpoint
    • Note: if the AD probe is enabled after the endpoint is learned and the hostname acquired, then no AD query
  • Conditions and attributes:
    • Endpoint custom attributes - Administration > Identity Management > Settings
  • Once defined, custom attributes can be set using:
    • Admin UI
    • File import
    • LDAP import
    • ERS API
  • Expose NDGs as profiler conditions:

PassiveID (Very different in this version vs ISE 2.2)

  • Simplifies network authorization without requiring 802.1X on the endpoints. Active Directory logins are used to map user information to network connections, which is then used for authorizing users on the network even when ISE is not involved in the user authentication process. PassiveID can be used as a backup authentication method or as a way to add a second level of identity. Powered by PassiveID
  • What’s easy about it?
    • NO supplicant required to implement this technology!
    • NO PKI/cert requirements!
    • Leverages existing AD logins (and ticket renewals!) to provide identity to network connections
    • Visibility mode only needs RADIUS Accounting or Device Sensor on the switch
    • Enforcement mode requires only basic MAB/802.1X config on the switch
    • AD lookups and authorization based on AD login identity without requiring 802.1X / WebAuth for user identity, so more transparent to the client
    • Simple integration with pxGrid for publishing session info related to Identity Mapping and PassiveID
    • Seamless integration with TrustSec via ISE SXP for AD-authenticated sessions
  • Passive Identity Caching:
    • Once a Passive Identity is learned, it can be reused for new auth sessions until the cache expires (session aging time)
    • Once RADIUS info is merged, ISE updates the Passive ID entry with the MAC address and endpoint profile, if available. MAC/IP address and profile are retained for the lifetime of the Identity Cache.
    • If the user disconnects from the network, PassiveID reauthorizes the same user based on MAC address even if the IP address changes - no additional AD login required.
    • If a new login or Kerberos ticket renewal event occurs, the Passive Identity mapping is updated with the IP address and a CoA is sent.
  • PassiveID - Authorization Profile
  • Authorization Policy - add conditions based on PassiveID
  • PassiveID Monitoring - enable useful attributes in the Live/Session Log

SNMP CoA Support

  • SNMP CoA
    • ISE 2.1 adds SNMP CoA support—session disconnection / re-authentication using SNMP.
    • Device must support it using standard MIBs or Vendor-specific MIBs
  • Configuring SNMP CoA (NAD Page) - Administration>Network Resources>Network Devices
    • Use SNMP Settings under NAD Configuration page to configure SNMP for specific device
  • Configure SNMP CoA (NAD Profile) - Administration>Network Resources>Network Device Profiles
  • CoA Commands using SNMP