Inside Cisco IT:
How Cisco Deployed Cisco Identity Services Engine (ISE) and TrustSec
Throughout the Enterprise
David Iacobacci
Bassem Khalife
BRKCOC-2018
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCOC-2018
Cisco Spark spaces will be available until July 3, 2017.
Agenda
• Introduction
• Large Enterprise ISE Deployment
• Network Security That Follows You
• Managing a Critical Global Security Service
• Evolving to Deliver Advanced Capabilities
• Q&A
Related ISE Sessions
BRKSEC-3699: Designing ISE for Scale and High Availability
BRKSEC-3697: Advanced ISE Services, Tips and Tricks
BRKSEC-2059: Deploying ISE in a Dynamic Environment
BRKSEC-2051: It's all about Securing the Endpoint!
LTRSEC-2002: ISE Integration with Firepower using pxGrid Protocol
BRKSEC-2695: Building an Enterprise Access Control Architecture using ISE and TrustSec
TECSEC-3672: Identity Services Engine 2.2 Best Practices
BRKSEC-3014: Security Monitoring with Stealthwatch: The detailed walkthrough
BRKSEC-2026: Building Network Security Policy Through Data Intelligence
BRKSEC-2047: Operationalizing Advanced Threat Solutions
Inside Cisco IT Sessions
BRKCOC-2018: Inside Cisco IT: How Cisco Deployed ISE and TrustSec Throughout the Enterprise (this session)
BRKCOC-2006: ACI & Tetration Analytics
BRKCOC-2019: Leveraging Cisco WAAS to Improve Network Performance
BRKCOC-2016: Containers on Enterprise Compute and Networks
BRKCOC-2014: Increasing the Speed of Business using AppDynamics
BRKCOC-2012: A Day in the Life of a Network Engineer - Day 2 with ACI
BRKCOC-2023: Security Overview - Making it Work
BRKCOC-2013: Embedding Collaboration in Business Workflows using Cisco Spark
BRKCOC-2021: DNA and the Next Generation Network
BRKCOC-2017: Using Machine Learning Technologies to Drive Digital Transformation
“No person shall be held to answer …
nor shall be compelled …
to be a witness against himself …”
The Cisco IT ISE Deployment Story (Attendees)
(Bar chart: attendance of this session at each Cisco Live, with the ISE release Cisco IT was running at the time)
Cisco Live          Attendees   ISE release
CL San Diego 2015   92          ISE 1.2
CL Berlin 2016      166         ISE 1.3
CL Vegas 2016       182         ISE 1.4
CL Berlin 2017      225         ISE 2.1
CL Vegas 2017       276         ISE 2.1 => ISE 2.3
Next: ?
Feedback For Speakers…
Expected a more technical integration guide
Hoped for more technical details
Nice to see Cisco has same issues as us with its products and features
Excellent useful information for ISE deployment
The best session I've attended. The best speaker ...
The Lunch Preparations was going on and it was very loud
Little Cold in the Room
The sound was not great
Lots of outside noise. Thin walls
Large Enterprise ISE Deployment
What is Identity Services Engine (ISE)?
A centralized security solution that automates context-aware access to network resources and shares contextual data.
(Diagram) Access policy for network resources, Traditional and Cisco TrustSec:
• BYOD Access
• Threat Containment
• Guest Access
• Role-Based Access
• Identity Profiling and Posture
ISE is the network "door" (physical or VM). The ISE pxGrid Controller shares context: Who, What, When, Where, How, Compliant, Threat, Vulnerability.
Defending Cisco: What We Must Protect
~130K Workforce
92 Countries (~500 Sites)
~3M IP Addresses
215K Infra Devices
275K Total Hosts
2500+ IT Applications
26K Remote Office Connections (CVO)
16 major Internet connections
~47 TB bandwidth used daily
1350 Labs
195+ Acquisitions
300 partner extranet connections
500 Cloud ASPs
WebEx, Meraki, OpenDNS and Growing Portfolio of Offers
Cisco IT Network Security Requirements
Visibility + Attribution
Control
Consistency
Centralization
Automation
Simplification
Integration
Real-Time Defense
Seamless Connectivity and Integrated Security
(Diagram) Identity Services Engine at the center, integrated with:
• Wireless Devices, Wired Network Devices, Home Access (CVO), AnyConnect VPN, Adaptive Security Appliance
• Umbrella, AMP For Endpoints, AMP For Network, AMP Threat-Grid, WSA, ESA, FireSight, StealthWatch
• Device Management
• Cisco Core Network
ISE Deployment Ecosystem: Building Blocks
• ISE (Logical Layer)
• ISE (Physical Layer): ISE Appliance OR VM (Fabric, Compute, Storage)
• Network: DNS, NTP, SFTP, Load Balancers
• Network Access Devices
• Endpoints: Devices, Users & Supplicants
• Enterprise Monitoring: HTTP(S), RADIUS, PEAP, EAP-FAST, EAP-TLS
• Integrations: User Provisioning, Mobile Device Management, Network Device Provisioning, ISE Policy Management, Active Directory, Call Manager, Data Analysis (Syslog)
• Operating cycle: Quality, MAP, Monitor, Prevent, Act
ISE Program Management Structure
• ISE Program Management
• Network Infra & Services: Network Access & Platform Mgmt, NW Ops
• IT Mobility Services: Device Management & Posture Compliance
• Architecture & Design: Security Services & ISE Architecture
• Infra Security Services: ISE Deployment & Operations
• ISE BU & TAC: ISE Best Practices, Cisco-on-Cisco, Config Optimization
• InfoSec: Security Policies, Quarantine, Trusted Services
• Directory Services (AD)
• DC & Hosting Services (VMs)
Sample ISE Basic Deployment Roadmap
Phases 1 through 5, then Completion. Version milestones: ISE 1.2 Install (Foundation) -> ISE 1.3 Upgrade -> ISE 1.4 Upgrade -> ISE 2.1 Upgrade -> ISE 2.3 Upgrade; each upgrade is followed by apply patches, fine tune, optimize.
Foundation work: Infra Design, Proof of Concepts, Data Analysis
Deployment tracks (Network, Guest, Wireless, Monitor, VPN, Wired, 802.1x Authentication), roughly in order:
• Wireless (WLAN) Auth Deployment
• Guest Access
• CVO (Home Office) Wireless Auth
• VPN Auth
• CVO Wired Auth
• Endpoint Analysis: Wired dot1x Monitor Mode & Profiling
• Wired 802.1X Monitor Mode Deployment
• Limited Sites Wired Auth
• Global Wired Auth Enforcement
• Quarantine/Remediation
• Posture Assessment (DM)
• Posture Enforcement (ISE)
• Security Group Tagging (SGT)
• pxGrid Integration (Advanced Capabilities)
Cisco IT ISE Production Deployment Metrics
Internet Only: ISE 1.2, 8 VMs, 2 DCs
Corporate Access (WLAN, CVO, VPN, LAN): ISE 2.1, 24 VMs, 8 DCs
1.5 Million active profiled "Endpoints"; Max ~450K Concurrent "Endpoints"
• 27K CVO; ~60K EP
• 580 WLC; ~200K EP
• 70 ASA; ~90K EP
• 2K SW; ~200K EP
• 8 Sites; ~8K EP
• ~14K Guest/Week, Central Web Auth (CWA)
Cisco IT ISE Global Deployment (WLAN, VPN, LAN)
(Map) Legend: ISE PSNs Data Center (8); Network Devices (sites/cities); Auth traffic to ISE PSNs
Single Global ISE Deployment (WLAN, CVO, LAN, VPN)
• 24 ISE Nodes: 20 PSNs across 8 DCs (Node Groups): AER, RTP, ALN, MTV, SNG, TYO, HKG, BGL
• Primary ISE PAN/M&T and Secondary ISE PAN/M&T
Cisco IT ISE Global Deployment (All Network Devices)
(Map) How many?
Authentication Statistics (24 hours)
Load Balancing Dashboard
(Dashboard) Authentication, Accounting, and Profiling events over 24 hours.
ISE Deployment High Availability Architecture: Original Design
• PSNs at MTV, RTP and ALN, each data center behind its own VIPs (MTV-VIPs, RTP-VIPs, ALN-VIPs)
• NADs configured with Primary and Secondary RADIUS servers by proximity (HA NAD Configuration)
• Modularity: one VIP per service (MTV-WLAN, MTV-LAN, MTV-VPN, MTV-CVO)
• PPAN -> SPAN automatic failover (MTV, ALN); PMnT and SMnT likewise
ISE Product Evolution: HA SLB Configuration
• Load balancer user-probe per AuthVIP by service: Is the PSN authenticating?
• Interval = 10 sec
• Down Time = 30 sec
• Retries = 3
• Pool members PSN1, PSN2, PSN3
Why Use Load Balancers?
• Ease of global configuration
• Overcome device limits for AAA servers
• Ease of migration, cluster split. No need to change thousands of network devices
(Diagram) Request for service at a single host name, 'psn-cluster'
1. The access device sends a DNS request to resolve the psn-cluster.company.com FQDN
2. DNS Response = 10.1.98.10, the VIP on VLAN 98 (10.1.98.0/24)
3. Request sent to the Virtual IP Address (VIP) 10.1.98.10 (PSN-CLUSTER on the LB)
4. The LB forwards to one real server on VLAN 99 (10.1.99.0/24): ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7
5. Response received from real server ise-psn-3 @ 10.1.99.7
Consideration When Using Load Balancers
• CoA traffic has to be NAT'ed from PSN to client by the load balancer
• Be careful what other traffic sits on udp/1700; you may catch it
• Your LB may not behave as you expect... test
(Diagram) CoA from ISE-PSN-1 leaves with SRC=10.1.99.5; after the SLB NATs it, the NAD sees SRC=10.1.98.10 (the VIP)
Before: one dynamic-author client entry per PSN
aaa server radius dynamic-author
client 10.1.99.5 server-key cisco123
client 10.1.99.6 server-key cisco123
client 10.1.99.7 server-key cisco123
client 10.1.99.8 server-key cisco123
client 10.1.99.9 server-key cisco123
client 10.1.99.10 server-key cisco123
<...one entry per PSN...>
After: a single entry for the VIP
aaa server radius dynamic-author
client 10.1.98.10 server-key cisco123
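The NAT requirement above fails silently if it is missed: after the "After" change the NAD only trusts CoA from the VIP, so a CoA that still arrives from a PSN's real address is dropped and the session is never bounced. The following Python is an added example, not code from the deck or from Cisco. It parses a dynamic-author block in the IOS form shown above (constructed sample configs; the shared key, PSN addresses and VIP are the slide's placeholder values) and reports which PSNs' CoA a NAD would reject, with and without the load balancer translating the CoA source to the VIP.

```python
import ipaddress
import re

# Constructed sample NAD configs in the shape of the slide's "Before" and "After"
# 'aaa server radius dynamic-author' blocks; the shared key is a placeholder.
NAD_CONFIG_BEFORE = """\
aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
!
"""

NAD_CONFIG_AFTER = """\
aaa server radius dynamic-author
 client 10.1.98.10 server-key cisco123
!
"""

# Real PSN addresses and the load-balancer VIP from the slide.
PSN_IPS = ["10.1.99.5", "10.1.99.6", "10.1.99.7"]
VIP = "10.1.98.10"

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s+server-key\s+(\S+)\s*$")


def parse_dynamic_author_clients(config: str) -> dict:
    """Return {client_ip: server_key} from the 'aaa server radius dynamic-author' block."""
    clients = {}
    in_block = False
    for line in config.splitlines():
        if line.strip().startswith("aaa server radius dynamic-author"):
            in_block = True
            continue
        if not in_block:
            continue
        m = CLIENT_RE.match(line)
        if m:
            clients[ipaddress.ip_address(m.group(1))] = m.group(2)
        elif line.strip() and not line[0].isspace():
            in_block = False  # the next top-level command ends the sub-mode
    return clients


def coa_accepted(config: str, coa_src_ip: str, coa_key: str) -> bool:
    """A NAD only honours a CoA-Request from a configured dynamic-author client
    whose source address and shared key both match."""
    clients = parse_dynamic_author_clients(config)
    key = clients.get(ipaddress.ip_address(coa_src_ip))
    return key is not None and key == coa_key


def coa_source_seen_by_nad(psn_ip: str, vip: str, lb_snats_coa: bool) -> str:
    """Source address the NAD sees: the PSN's real IP unless the LB SNATs CoA to the VIP."""
    return vip if lb_snats_coa else psn_ip


def dropped_coa_sources(config: str, psn_ips, vip: str, lb_snats_coa: bool, key: str) -> list:
    """PSNs whose CoA would be silently dropped by a NAD running this config."""
    return [
        psn for psn in psn_ips
        if not coa_accepted(config, coa_source_seen_by_nad(psn, vip, lb_snats_coa), key)
    ]
```

Run `dropped_coa_sources(NAD_CONFIG_AFTER, PSN_IPS, VIP, False, "cisco123")` to see the failure mode: with the VIP-only config and no source NAT on the LB, every PSN's CoA is rejected; with `lb_snats_coa=True` the list is empty.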
Guest Access Deployment (ION)
Guest Account Creation:
• Sponsor Portal (GSS) at internet.cisco.com: ion-mtv-sponsor (Primary) and ion-aer-sponsor (Secondary), behind ION LB VIPs
• Visitor Management Tool (API Integration) used by Lobby Ambassadors (Physical & Virtual): integration with reception
Guest Portal Authentication (wireless access and wired access):
• NADs AMER -> ion-mtv-guest
• NADs EMEA/APJC -> ion-aer-guest
Nodes: MTV hosts the PAN (PPAN alias) and MnT with two PSNs; AER hosts the Secondary PAN and MnT with two PSNs; both sites sit behind ION LB VIPs
Cisco IT ISE Guest Network
Top 4 cities by number of guest authentications over a 7-day period: 6,379; 3,583; 2,232; 2,107
Identity, Device & Location Drive Access Permission
The Policy Decision Point combines identity (e.g. Manager, IT Analyst, Engineer), device and location:
• Full access, no restrictions: fully compliant trusted devices
• Limited Access: devices with some Trusted Device elements
• Internet Only Access: devices that don't meet the Trusted Device Standard
Network Security That Follows You
Areas of Focus:
• Wired 802.1x
• Identity Based Differentiated Access
• Posture Based Differentiated Access
Monitor Mode: Authentication without Enforcement
RADIUS Authentication & Accounting Logs:
• Passed / Failed 802.1X (Who has bad credentials? Misconfigurations?)
• Passed / Failed MAB attempts (What don't I know?)
MONITOR MODE
• Prepares for Enforcement Mode
• Evaluates Remaining Risk
• Provides Baseline
(Diagram) The NAD reports to ISE: .1X-Pass, Known MAC, Unknown MAC, .1X Failures
IBNS 2.0 Concurrent Authentication: Faster on-boarding of endpoints into the network
Sequential Authentication (Campus LAN): .1x first, then MAB
authentication order dot1x mab
Concurrent Authentication (Campus LAN): EAP and CDP/DHCP run in parallel and both reach the RADIUS server
event session-started match-all
 10 class always do-until-failure
  10 authenticate using dot1x priority 10
  20 authenticate using mab priority 20
• Faster on-boarding, good for delay sensitive endpoints.
• An endpoint may be authenticated by both methods, but priority determines the ultimate authorization.
• Additional load to RADIUS Server: multiple authentication requests hit the server for the same client
• Configuration simplified with modular policy and interface templates
IBNS 2.0 Fine Tuning
• Devices w/o supplicants & minimal traffic: configure switch ports to initiate EAP transactions, "access-session control-direction in"
• Dot1x timer adjustments: modify defaults per best practices, e.g. "dot1x timeout quiet-period 300"
• Apple Thunderbolt ethernet adapter: additional EAP session initiated. Resolved: ISE 2.1 patch 2. (CSCva74189 / CSCuz17763)
Wired Auth 802.1x Learning
Communicate!
Implement!
Empower!
Think User-Experience
Wired Connection Authentication
Port ACL (before authentication): Permit DNS, DHCP, NTP
Access-Request (802.1x & MAB)
Successful auth: Access-Accept with dACL defined on ISE (Permit IP any) -> Permit Access
Failed auth: Access-Accept (Restricted): access restricted by a dACL defined on ISE (Permit DNS, TCP 80/443, ICMP, & redirect traffic) plus a URL-Redirect with a Redirect ACL (called by ISE) that denies redirect for: Laptop builds, Support portal, PWD Reset
Redirect ACLs Dependent Upon Device Profile
• Redirect-ACLs have a size limitation, same as dACLs & per-user ACLs: Max 4000 ASCII characters
• Same ACL For All Endpoint Types (Windows, Cisco Linux, Others) vs. ACL By Endpoint Type, Profiling Based (Windows, Cisco Linux, Others)
To Improve Profiling
• Started with device-sensor using CDP
• Added DHCP and LLDP device-sensor
• Note: when CDP & LLDP are concurrently enabled, some older UCV 89xx & 9xxxx phones with firmware > 9.2.1 reboot. Simple workaround: disable LLDP on the phone
Minimizing Service Disruptions
(Diagram)
• Regular AuthC via automate-tester: an Access-Reject alone means the service disruption is NOT detected
• Synthetic AuthC with a test user: an Access-Reject for the known-good test user means the service disruption IS detected
• EEM then temporarily allows access; when AuthC is restored (Access-Accept), EEM restores enforcement
EEM script provides assurance
End-to-end test of the authentication process. If authentication fails:
1. Inserts "deny ip any any" at line 1 of the port ACL
2. Records which switch ports are configured with dot1x: "sh run | i interface GigabitEthernet|dot1x timeout"
3. Removes commands under the Interface template: "no dot1x pae authenticator", "no mab" ...
Upon successful authentication:
• 802.1x restored
• Users/devices must re-authenticate
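Both the load balancer's user-probe (Interval 10 sec, Down Time 30 sec, Retries 3) and the EEM synthetic AuthC described here rest on the same idea: a full RADIUS Access-Request for a known test user, where only a verified Access-Accept counts as the PSN being healthy. The Python below is an added example, not the deck's or Cisco IT's code. It builds a PAP Access-Request per RFC 2865, checks the Response Authenticator so a spoofed or wrong-secret reply is not mistaken for a healthy PSN, and tracks probe state with the slide's retry values. The PSN stand-in, test user name, password and shared secret are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(atype: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: type (1 byte), length including header (1 byte), value.
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute TLVs after the 20-byte header; later duplicates win."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: 16-byte blocks XORed with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, nas_id, authenticator=None) -> bytes:
    """Probe side: PAP Access-Request for the synthetic test user."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request, response, secret):
    """Probe side: return the response code only if ID, length and authenticator check out."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def simulate_psn(request, secret, users) -> bytes:
    """Stand-in for a PSN (constructed for the demo): Accept iff the PAP credentials match."""
    attrs = parse_attrs(request)
    name = attrs.get(ATTR_USER_NAME, b"")
    pw = pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = name in users and hmac.compare_digest(users[name], pw)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


class PsnProbe:
    """Health-check state matching the slide's probe: 10 s interval, 3 retries, 30 s down time.
    Only a verified Access-Accept for the test user counts as 'authenticating'."""

    def __init__(self, retries=3, interval=10, down_time=30):
        self.retries, self.interval, self.down_time = retries, interval, down_time
        self.failures, self.up = 0, True

    def record(self, result_code) -> bool:
        if result_code == ACCESS_ACCEPT:
            self.failures, self.up = 0, True
        else:  # Reject, timeout (None) or a reply with a bad authenticator
            self.failures += 1
            if self.failures >= self.retries:
                self.up = False
        return self.up

    def next_probe_in(self) -> int:
        return self.interval if self.up else self.down_time
```

The probe treats an Access-Reject, a timeout and a reply that fails authenticator verification identically: three in a row mark the PSN down, and one verified Access-Accept brings it back. In production the request would go out over UDP/1812 to the AuthVIP instead of `simulate_psn`, and the test user should be a dedicated account with no network privileges of its own.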
Identity Based Differentiated Access
Identity Software Defined Segmentation Use Cases
Use cases: Divestiture, IoT, Partners, Development
Benefits:
• Maintain existing network topologies
• Simple, cost effective
• Centralize policy management
• Consistent, faster deployments
• Quicker response to threats
Divestiture Use Case
Initiative: to divest assets including employees and properties
Objective: to create logical separation & provide secure access in a shared workspace
Solution: TrustSec with SGTs dynamically assigned based on user group membership
Example: DC Access Control with TrustSec
(Diagram) User groups Voice, Employee, Suppliers, Guest, Quarantine carry the Employee Tag, Supplier Tag, Guest Tag and Quarantine Tag. Access Layer (Building 3 WLAN Data VLAN; Main Building Data VLAN with Voice, Employee, Quarantine) -> Campus Core -> Data Center Firewall -> Data Center
Access Layer:
• SGT assignment
• Policy creation
• Policy deployment
• IP-SGT mapping
Enforcement: Data Center Firewall
IP-SGT Mapping
Static Assignment (server subnets mapped to SGTs):
• Engr. App1 (1000): 10.10.0.0/16, 10.20.0.0/15, 10.30.96.0/20, 10.40.0.0/14
• (1001): 10.3.5.0/28, 10.70.24.0/28, 10.80.64.0/28, 10.90.32.0/28
• DNS (1003): 10.6.7.0/29, 10.60.24.0/29
• AD (1009): 10.50.1.0/28, 10.100.2.0/29
cts role-based sgt-map 10.10.0.0/16 sgt 1000
cts role-based sgt-map 10.3.5.0/28 sgt 1001
cts role-based sgt-map 10.6.7.0/29 sgt 1003
cts role-based sgt-map 10.50.1.0/28 sgt 1009
Dynamic Assignment (tag assigned by ISE at authentication, based on profiling): Cisco (1), Technicolor (2), Printer (3)
Policy Matrix (rows: Source SGT; columns: Destination SGT; "O" = no specific SGACL, default policy applies; "SGACL" = an SGACL is assigned)
Source SGT \ Destination SGT | Engineering App (1000) | Mail (1001) | MDM (1002) | DNS (1003) | Unknown (1005) | Cisco Employee (1) | Technicolor Emp. (2) | Partner A (3)
Technicolor Emp. (2)         | O                      | SGACL       | SGACL      | SGACL      | SGACL          | O                  | SGACL                | O
Partner A (3)                | O                      | O           | SGACL      | SGACL      | O              | O                  | O                    | SGACL
Untrusted (1666)             | O                      | O           | O          | O          | O              | O                  | O                    | O
Example cell: Source SGT Technicolor Emp. (2) -> Destination SGT DNS (1003): SGACLs UDP_53, TCP_53
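The IP-SGT mappings and the policy matrix above together determine what an enforcement point does with a packet: classify source and destination into SGTs, look up the matrix cell, evaluate its SGACL. The Python below is an added example, not the deck's or Cisco's code. It parses cts role-based sgt-map lines in the form shown on the IP-SGT Mapping slide, prefers ISE-assigned dynamic host mappings over static subnet mappings (longest prefix wins among static entries), and evaluates the one cell the slide spells out, Technicolor Emp. (2) to DNS (1003) with UDP_53 and TCP_53. The sample hosts (192.0.2.x), the explicit catch-all deny appended to that cell, and the treatment of "O" cells as default-permit are assumptions of the example, not facts from the slide.

```python
import ipaddress
import re

# Static IP-SGT mappings in the 'cts role-based sgt-map' form from the IP-SGT Mapping slide.
STATIC_SGT_MAP_CONFIG = """
cts role-based sgt-map 10.10.0.0/16 sgt 1000
cts role-based sgt-map 10.3.5.0/28 sgt 1001
cts role-based sgt-map 10.6.7.0/29 sgt 1003
cts role-based sgt-map 10.50.1.0/28 sgt 1009
"""

# Dynamic mappings, i.e. host tags ISE assigned at authentication (constructed sample hosts).
DYNAMIC_SGT_MAP = {
    ipaddress.ip_address("192.0.2.10"): 2,     # Technicolor Emp.
    ipaddress.ip_address("192.0.2.20"): 3,     # Partner A
    ipaddress.ip_address("192.0.2.30"): 1666,  # Untrusted
}
UNKNOWN_SGT = 1005  # the matrix on the slide labels SGT 1005 "Unknown"

# SGACLs as ordered (protocol, destination port, action) entries. Only the cell the slide
# spells out, Technicolor Emp. (2) -> DNS (1003), is populated; an explicit catch-all deny
# is appended (assumption) so the outcome does not depend on platform defaults.
SGACLS = {
    "UDP_53": [("udp", 53, "permit")],
    "TCP_53": [("tcp", 53, "permit")],
    "DENY_IP": [("ip", None, "deny")],
}
POLICY_MATRIX = {
    (2, 1003): ["UDP_53", "TCP_53", "DENY_IP"],
}
DEFAULT_ACTION = "permit"  # assumed meaning of the matrix's "O" cells; use "deny" for a default-deny matrix

SGT_MAP_RE = re.compile(r"cts role-based sgt-map (\S+) sgt (\d+)")


def parse_sgt_maps(config):
    """Parse 'cts role-based sgt-map <prefix> sgt <n>' lines into (network, sgt) pairs."""
    return [(ipaddress.ip_network(net), int(sgt)) for net, sgt in SGT_MAP_RE.findall(config)]


def sgt_for_ip(ip, static_maps, dynamic_maps):
    """Dynamic host mapping wins; otherwise longest-prefix match over static subnet mappings."""
    addr = ipaddress.ip_address(ip)
    if addr in dynamic_maps:
        return dynamic_maps[addr]
    best = None
    for net, sgt in static_maps:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else UNKNOWN_SGT


def evaluate_sgacl(names, proto, dport):
    """First matching ACE decides; 'ip' matches any protocol, port None matches any port."""
    for name in names:
        for ace_proto, ace_port, action in SGACLS[name]:
            if ace_proto in ("ip", proto) and ace_port in (None, dport):
                return action
    return DEFAULT_ACTION  # only reached when no catch-all entry was attached


def decide(src_ip, dst_ip, proto, dport, static_maps=None, dynamic_maps=DYNAMIC_SGT_MAP):
    """Classify both ends, look up the matrix cell and return (src_sgt, dst_sgt, action)."""
    if static_maps is None:
        static_maps = parse_sgt_maps(STATIC_SGT_MAP_CONFIG)
    src_sgt = sgt_for_ip(src_ip, static_maps, dynamic_maps)
    dst_sgt = sgt_for_ip(dst_ip, static_maps, dynamic_maps)
    names = POLICY_MATRIX.get((src_sgt, dst_sgt))
    action = DEFAULT_ACTION if names is None else evaluate_sgacl(names, proto, dport)
    return src_sgt, dst_sgt, action
```

`decide("192.0.2.10", "10.6.7.3", "udp", 53)` resolves the source to SGT 2 from the dynamic table and the destination to DNS (1003) from the static subnet, then permits on UDP_53; the same pair on tcp/443 falls through to the catch-all deny. Note that the result for a Partner A host depends entirely on DEFAULT_ACTION, which is exactly why the "O" cells of a matrix deserve as much review as the named SGACLs.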
Where to Enforce Policy
IT Objective:
• Enforce as close to the user as possible
• Ideally on the access switches and WLCs
Challenge:
• 3850 has a Destination SGT limit of 255
• 4510 could not enforce policies for destination subnets, only hosts
• ASAs configured to support Remote Access VPN (AnyConnect) could not enforce TrustSec policies
Solution: Enforce at 1st Hop Router
Dynamically assigned SGTs (e.g. Cisco, Technicolor) are propagated from the access switch/WLC (SXP Speaker) to the first-hop router, the policy enforcement point (PEP), which acts as SXP Listener
SXP = Security Group Exchange Protocol
Putting It All Together
A. Configure SXP Speaker - Listener pairs on access switches/WLC & first-hop router
B. Configure ISE with SG, SGT, SG ACLs, TrustSec policies & IP-SGT mapping
(Diagram) ISE supplies SGTs and policies; SXP carries the IP-SGT mapping to the enforcement point
Differentiated Access For AnyConnect VPN
Problem:
• Different VPN solutions for different user communities
• Overhead of HW and management
Solution:
• Use consolidated VPN clusters
• Tag traffic and enforce policies as required
• Allows greater resiliency and availability
Before TrustSec: separate clusters for Employee, High Risk, Partner
After TrustSec: Employee, Partner and High Risk on a Single Cluster
Posture Based Differentiated Access
What is 'Posture'? How are we approaching it?
Posture defines the state of compliance with the company's security policy (e.g. Anti-Virus?)
Assessment: Posture Conditions
• Anti-Malware Condition
• Anti-Spyware Condition
• Anti-Virus Condition
• Application Condition
• Compound Condition
• Disk Encryption Condition
• File Condition
• Patch Management Condition
• Registry Condition
• Service Condition
• USB Condition
Enforcement: Posture status determines the level of access a device is granted
AnyConnect Posture For Desktop
AnyConnect Posture Scan:
• Managed Windows Device? ISE Registry Condition: Cisco IT SCCM Server
• Managed Mac Device? ISE File Condition: Cisco IT Casper Server
• ISE Service Condition: MDM Agent Service is running
Conditions Pass -> Internal Network & Internet
Conditions Fail -> Remediation & Internet only
Desktop Device Enrollment (Unknown Device)
1. Device is unknown: internal access restricted to enrollment
2. ISE instructs the NAD to redirect the device (URL redirect) to its AnyConnect portal
3. AnyConnect posture agent downloaded & installed on the device
4. AnyConnect sends posture status to ISE
Mobile Device Posture
Trusted Device requirements: Registration, Anti-Malware, Encryption, Minimum OS, Not Rooted, Passcode enabled, Inventory available
The MDM holds Configuration & Policy plus Status and Inventory; ISE checks it via the MDM-ISE API:
• Daily inventory (every day)
• MDM Compliance Job (every x hours): get all non compliant devices
• When a device connects: is the device compliant?
Authorization for ManagedBy: MDM
• And Compliant -> Internal Network & Internet
• And NOT Compliant -> Remediation & Internet
Mobile Device ISE Policy Set And Enrollment
Device Enrollment: the device enrolls with the DMs; an enrollment job runs every 10 mins, detects new devices, and updates the ManagedBy custom attribute in ISE (if the device is not found, it creates a new device)
ISE vs MDM Deployment
Many to One Relationship: ISE nodes in AER, RTP, ALN, MTV, SNG, TYO, HKG and BGL all query a single MDM Server
Posture Based Differentiated Access Enforcement
(Diagram) ISE assigns a tag based on device posture (COMPLIANT = SGT 20, Non-COMPLIANT = SGT 21) and sends the IP <-> SGT mapping & policy matrix to the NAD enforcement point, which grants access based on the policy matrix from ISE:
• COMPLIANT (20) -> Internal Network & Internet
• Non-COMPLIANT (21) -> Remediation & Internet
IP <-> SGT Mapping Via SSH
(Diagram) The ISE PAN (Speaker) pushes the mapping over SSH to the NAD enforcement point (Listener): a static connection
IP <-> SGT Mapping Via SXP
(Diagram) ISE PSN 1, ISE PSN 2 and ISE PSN 3 (Speakers) send the mapping over SXP to the NAD enforcement point (Listener): a dynamic connection
Tip 1: SXP pushes IP-SGT mapping immediately upon configuration
Tip 2: IP-SGT mapping is lost if the SXP connection drops!
Best Of Both Alternatives: SXP Reflectors
Hybrid IP <-> SGT mapping via SSH and SXP: ISE (Speaker) -> Reflectors (Listener toward ISE, Speaker toward the network) -> Enforcement Point (Listener)
Managing a Critical Global Security Service
Lessons From Deployment Challenges
Scaling ISE for large scale distributed deployments:
• Don't let replication or misconfiguration become an issue for authentication
• Tuning the "deployment" (ISE, NADs, and Endpoints):
  • RADIUS Accounting
  • Profiling
  • Authentication(s)
  • Latency & Distributed Replication
  • Failover & Redundancy
• Tuning the "environment":
  • Load Balancers
  • Active Directory
Active Directory Dedicated Infra For ISE
Before:
• Highly recommended by the BU
• Highly avoided by the teams
• Highly costly, causing few outages
After:
• Better fine-tuning to suit ISE requirements
• Better, and faster, troubleshooting
• Better monitoring for preventative measures
(Diagram) A dedicated Active Directory serving ISE (Logical Layer), Network Access Devices, and Endpoints: Devices, Users & Supplicants
ISE Deployment Failover Architecture (Target)
NADs (Wireless, Wired, CVO, VPN) are configured with six RADIUS servers, numbered 1 through 6 across ISE-MTV, ISE-ALN, ISE-RTP, ISE-DR-MTV, ISE-DR-ALN and ISE-DR-RTP
ISE Primary Cluster - US Sites: PSNs behind ISE-MTV-VIP, ISE-ALN-VIP and ISE-RTP-VIP, using the US AD DCs, Main Forest
ISE Disaster Recovery Cluster - US Sites: PSNs behind DR-MTV-VIP, DR-ALN-VIP and DR-RTP-VIP, using the US AD DCs, Failover Forest
• Automatic ISE VIP Failover
• Manual AD Forest Failover
ISE Services Failover (Target)
Wired Auth and Wireless Auth -> ISE Primary Cluster (Primary AD) -> ISE Failover Cluster (Backup AD) -> Fail-Open Access (IBNS 2.0 EEM)
ISE Deployment: Monitoring & Troubleshooting
Deployment Health Monitoring (Preventive -> Predictive -> Protective):
• Basic Reporting: ISE Out-of-Box Dashboard, Alarms & Alerts
• Drill-down troubleshooting: transaction focused, step-by-step breakdown
• Dependency Monitoring: ISE, AD, DNS, NTP, Filer
• ISE Infra Monitors: VMs, LB VIPs, Resource Utilization
• ISE Protocol Monitors: RADIUS, HTTPS, PEAP, EAP
• Enterprise Monitors: SNMP based, Integrated Monitoring
• Event Correlation: ISE, NADs, DM, AD
• Early detection of potential issues: pattern analysis, benchmark comparative analysis
• Enhanced Reporting: Splunk data analytics, pro-active alerting
Splunk Dashboards To Monitor ISE
Splunk Dashboards To Monitor ISE (continued)
Anomaly Detection With IQR (Interquartile Range)
• Splunk monitoring detects “anomalies”:
• New type of syslog events
• Sudden surge or drop in number of events
• Email alert sent to Admin(s)
• Admin clicks on link to open Splunk dashboard
• Active alerts displayed; further investigation to assess severity
• Preventative actions taken
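As an added example (not the deck's Splunk search or Cisco IT's code), the Python below does what the two detection bullets describe, on constructed data: it derives Tukey fences from a baseline of hourly event counts (Q1 - 1.5*IQR, Q3 + 1.5*IQR) to flag a surge or drop, and diffs the CISE_* categories in current syslog lines against the baseline to report new event types. The syslog lines and hourly counts are constructed samples in the shape of ISE syslog, not real data.

```python
import re
from collections import Counter

# Constructed sample ISE syslog lines (shape only, not real log data). ISE prefixes each
# message with a category such as CISE_Passed_Authentications or CISE_Failed_Attempts.
BASELINE_LINES = [
    "<181>Jun  1 10:00:01 ise-psn-1 CISE_Passed_Authentications 0000000001 1 0 ...",
    "<181>Jun  1 10:00:02 ise-psn-1 CISE_Failed_Attempts 0000000002 1 0 ...",
    "<181>Jun  1 10:00:03 ise-psn-2 CISE_RADIUS_Accounting 0000000003 1 0 ...",
]
CURRENT_LINES = [
    "<181>Jun  2 10:00:01 ise-psn-1 CISE_Passed_Authentications 0000000010 1 0 ...",
    "<181>Jun  2 10:00:02 ise-psn-3 CISE_Profiler 0000000011 1 0 ...",
]
# Constructed hourly counts of one event category over the previous day.
BASELINE_HOURLY = [980, 1010, 995, 1005, 990, 1020, 1000, 985]

CATEGORY_RE = re.compile(r"\b(CISE_[A-Za-z_]+)\b")


def event_categories(lines) -> Counter:
    """Count syslog lines per CISE_* category; lines without a category are ignored."""
    found = (CATEGORY_RE.search(line) for line in lines)
    return Counter(m.group(1) for m in found if m)


def new_event_types(baseline_lines, current_lines) -> list:
    """Categories seen now but never in the baseline: the slide's 'new type of syslog events'."""
    return sorted(set(event_categories(current_lines)) - set(event_categories(baseline_lines)))


def _median(values):
    s = sorted(values)
    n, mid = len(s), len(s) // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2


def iqr_bounds(samples, k=1.5):
    """Tukey fences: Q1/Q3 are the medians of the lower/upper halves (the overall median is
    excluded from both halves when the sample count is odd)."""
    s = sorted(samples)
    half = len(s) // 2
    q1, q3 = _median(s[:half]), _median(s[-half:])
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def classify_count(baseline, current, k=1.5) -> str:
    """'surge' above the upper fence, 'drop' below the lower fence, else 'normal'."""
    lo, hi = iqr_bounds(baseline, k)
    if current > hi:
        return "surge"
    if current < lo:
        return "drop"
    return "normal"


def anomalies(baseline_lines, current_lines, baseline_hourly, current_count) -> dict:
    """What the alert e-mail would carry: new categories plus the volume verdict and fences."""
    return {
        "new_types": new_event_types(baseline_lines, current_lines),
        "volume": classify_count(baseline_hourly, current_count),
        "fences": iqr_bounds(baseline_hourly),
    }
```

With the constructed baseline the fences come out at 957.5 and 1037.5, so an hour with 1,500 events is a surge and one with 400 is a drop, while a single new category such as CISE_Profiler appearing in the current window is reported regardless of volume. Keep the baseline per category and per hour of day; a single global window would hide the diurnal pattern of authentications.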
Splunk Custom Dashboards For Troubleshooting
Beware of Misbehaving Endpoints
Over 800K Failed Attempts per day from only 3 misconfigured IP Phones
Restricted Access Enforcement Reporting
Collaboration Device Landscape
Device      802.1x support               Certificate   Authentication methods
7960^       Yes                          LSC           LSC, MAB
79XX        Yes                          MIC, LSC      LSC, MIC, MAB
88XX        Yes                          MIC, LSC      EAP-TLS, EAP-FAST, MAB
99XX        Yes                          MIC, LSC      MIC, LSC
DX650       Yes                          MIC, LSC      LSC, MIC, MAB
EX-Series*  Yes, not centrally managed   CA-Signed     EAP-TLS, PEAP, MAB
S-Series*   Yes, not centrally managed   CA-Signed     EAP-TLS, PEAP, MAB
C-Series*   Yes, not centrally managed   CA-Signed     EAP-TLS, PEAP, MAB
MXP*        Yes, not centrally managed   CA-Signed     EAP-TLS, PEAP, MAB
CTS         No                           No            MAB
TX          No                           No            MAB
VG310       No                           No            MAB
New Endpoints Connecting To The Network
(Map dashboard)
MDM Data Integration in Splunk
Testing High Availability When 1 DC Fails
Modular Virtual IP Address by Service
(Diagram) DC1_Dep1: three PSNs serving the WLC via iseDC1-prd-wlan, the Switch via iseDC1-prd-lan and the ASA (VPN) via iseDC1-prd-vpn. DC1_Dep2: three further PSNs to which any of those VIPs can be repointed.
Solution used for a controlled product upgrade, or the eventual need to split the deployment.
Change done on the load balancer. No need to change the Network Device configuration.
Evolving to Deliver Advanced Capabilities
Unified Threat Response by Sharing Contextual Data: Cisco Platform Exchange Grid (pxGrid)
(Diagram) Context (Who, What, When, Where, How) flows between the Cisco Network, ISE, the pxGrid Controller and the Cisco and Partner Ecosystem:
1. Cisco ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct Cisco ISE to rapidly contain threats
5. Cisco ISE uses partner data to update context and refine access policy
Context-Aware Security: Bridging The Gap...
(Diagram)
• Network Security (Cisco ISE) has Network Context: WHO, WHAT, HOW, WHERE, WHEN
• Application Security on its own has only Limited Context
• A Connector to the Context-Aware App, via ISE pxGrid, shares the network context with application security
• Additional sources of context: MDMs (AFARIA, CASPER, SCCM)
• Result: Network + App Security Context (WHO, WHAT, HOW, WHERE, WHEN): Device Context (WHAT), User Context (WHO), Other Context (HOW, WHERE, WHEN), Risk Context (Vulnerability, Threat)
• Rich Context gives Better Security (Layered Sec, Elevated Auth), Better User Experience (Zero Sign-On Experience), Flexible & Granular Access Policies
Service Oriented Orchestration
                  ACI        TrustSec   IOS
Service Grouping  EPG        SGT        Object Group
Access Control    Contract   SGACL      ACL
Each layer carries IPv4 and IPv6.
• Change ipv4/6 hosts once
• Change service port information once
TrustSec and ACI Integration
In Conclusion...
• Scaling, sizing, and operating your deployment
• Cross functional teams for success
• Dependencies and business value
• Ecosystem enabling greater reach
• Security is a business enabler
• Speed and automation critical to meeting challenges
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you