
Advanced ISE Services, Tips & Tricks
BRKSEC-3697

Aaron T. Woland, CCIE #20113
Principal Engineer, Advanced Threat Security
loxx@cisco.com
@AaronWoland

http://www.networkworld.com/blog/secure-network-access/
http://cs.co/ise-community
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Sarcasm

“If we can’t laugh at ourselves, then we cannot laugh at anything at all”
Disclaimer

Multiple Sessions to Choose From:

For Your Reference

Craig Hyps, Principal Engineer, will continue the Advanced ISE Session in 2018
Help me Reach my Dream of 5.0
Please Fill Out The Survey!

Look for me in 2018: Advanced Security Integrations, Tips & Tricks
Important: Hidden Slide Alert

Look for this “For Your Reference” symbol in your PDFs.

There is a tremendous amount of hidden content for you to use later!

For Your Reference

~300 Slides in PDF
NEW Content

Watch Recordings of Prior Sessions

Cisco Spark
Questions?
Use Cisco Spark to chat with the
speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until July 3, 2017.

cs.co/ciscolivebot#BRKSEC-3697
Roadmap and Futures

Everything
You Want

ISE 1.0

Agenda
• Introduction
• ISE as Center of Security EcoSystem
• Context Sharing w/ pxGrid
• RTC and TC-NAC
• Passive vs. Active Identities
• Passive ID Enhancements in ISE 2.2
• The Future of Secure Network Access
• Conclusion

A Security EcoSystem is a Complex Living Thing
Ecosystems

Using ISE in a Security EcoSystem

[Diagram: ISE and pxGrid at the center of the network, from Endpoints through Access, Distribution and Edge to Branch, Campus, Data Center, Mobile Provider, Guest and Internet; integrated elements include EPS, FMC, Stealthwatch and NetFlow, and threats such as a bad USB device.]
Ecosystems
Incident Response challenge
Contextual awareness key to security event prioritization and response

[Diagram: a security event / potential breach raises a chain of questions, each answered from a different screen: associate user to event (IAM), associate user to authorization (AAA logs), check endpoint posture, where is it on the network?, what kind of device is it?, how do I mitigate? (NAC)]

MANY SCREENS | DATA EXPLOSION | MISSING LINKS | EXPENSIVE FIX
Ecosystems

“a real platform is something that somebody else can develop code for, somebody else can integrate with in a fundamental way….”
Marty Roesch, Cisco Security VP, @ RSA Conference 2016

https://youtu.be/pafHZmWWGo8
Ecosystems

Integrating the traditional way

[Diagram: each product has something to share and something it needs; proprietary APIs aren’t the solution]
• I have reputation info! I need threat data…
• I have application info! I need location & auth-group…
• I have sec events! I need reputation…
• I have NBAR info! I need identity…
• I have NetFlow! I need entitlement…
• I have location! I need identity…
• I have threat data! I need reputation…
• I have MDM info! I need location…
• I have firewall logs! I need identity…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
Ecosystems

The problem!

TRADITIONAL APIs – One Integration at a Time
• Single-purpose function = need for many APIs/dev (and lots of testing)
• Not configurable = too much/little info for interface systems (scale issues)
• Pre-defined data exchange = wait until next release if you need a change
• Polling architecture = can’t scale beyond 1 or 2 system integrations
• Security can be “loose”

[Same “I have… / I need…” diagram as the previous slide, with the note that proprietary APIs aren’t the solution]
Ecosystems

Cisco Identity Services Engine (ISE) pxGrid
Open* Sharing to Get Answers Faster; Control to Stop Threats

[Diagram: ISE at the hub of the grid, with partner systems around it]
• Any-any sharing: Publish, Subscribe
• ISE sharing: Identity context, ISE network control, Adaptive network control
• Partner examples: “I have location! I need app and identity…”, “I have application info! I need location and device type”, “I have identity and device! I need geo-location and MDM…”, “I have sec events! I need identity and device…”, “I have MDM info! I need location…”

* IETF Standards Track: Managed Incident Lightweight Exchange (MILE)
* IETF Standards Track: Security Automation & Continuous Monitoring (SACM)
Ecosystems

Cisco Platform Exchange Grid (pxGrid) (For Your Reference)
Enable Unified Threat Response by Sharing Contextual Data

[Diagram: Cisco ISE, the pxGrid Controller, the Cisco and Partner Ecosystem and the Cisco Network exchanging context (Who, What, When, Where, How)]
1. Cisco® ISE collects contextual data from network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Ecosystems

pxGrid enables these 4 scenarios

1. CONTEXT TO PARTNER (Cisco ISE → Eco-Partner, context): ISE makes Customer IT Platforms User/Identity, Device and Network Aware
2. ENRICH ISE CONTEXT (Eco-Partner → Cisco ISE, context): Enrich ISE context. Make ISE a better Policy Enforcement Platform
3. THREAT MITIGATION (Eco-Partner → Cisco ISE, action → mitigate): Enforce dynamic policies in the network based on Partner’s request
4. CONTEXT BROKERAGE (ISE 2.2; Eco-Partners ↔ pxGrid): ISE brokers Customer’s IT platforms to share data amongst themselves
~10min
Agenda
• Introduction
• ISE as Center of Security EcoSystem
• Context Sharing w/ pxGrid
• RTC and TC-NAC
• Passive vs. Active Identities
• Passive ID Enhancements in ISE 2.2
• The Future of Secure Network Access
• Conclusion

Context Sharing

platform exchange Grid (pxGrid)

• Publish & Subscribe Bus
• Not API Driven
• Can point to REST / other API where needed, etc.
• Strong Authorization
Context Sharing

pxGrid components

[Diagram: pxGrid Publisher and pxGrid Subscriber both connect to the pxGrid Controller over TLS / 5222 and HTTP / 443]

Listens on ports:
• TCP/7400: Connection from internal processes
• TCP/5222: Accepts connection from pxGrid Clients
• TCP/1521: Accepts connections to DB from XCP
• TCP/694: Heartbeat traffic between pxGrid nodes
Context Sharing

pxGrid Controller (For Your Reference)

• Password authentication support from ISE 2.1 (discussed later)
• Client connection can be auto approved or can be set to manual approval

[Screenshot: pxGrid Controller with the pxGrid service running. The auto-approval checkbox is a very important setting: if checked, any client with a valid cert connects to the grid.]
Context Sharing

pxGrid Publisher / Subscriber (For Your Reference)

• PAN and MnT node publish and subscribe topics of information
• Authenticates and authorizes pxGrid clients

[Screenshot: pxGrid ISE nodes and the topics they publish / subscribe]
Context Sharing

Publish or subscribe specific topics

• ISE nodes can publish specific topics or subscribe to specific topics.

[Screenshot: topics being published / subscribed by pxGrid node]
Context Sharing

Capabilities or Topics (For Your Reference)

• GridControllerAdminService (INTERNAL): provides pxGrid services to subscriber
• Core: provides pxGrid client the capability to query all the registered capabilities on the ISE pxGrid node
• AdaptiveNetworkControl: provides enhanced pxGrid ANC mitigation capabilities to subscriber
• EndpointProfileMetaData: provides pxGrid clients with available device information from ISE.
• EndpointProtectionService: provides compatible EPS/ANC pxGrid mitigation actions from ISE 1.3/1.4.
• TrustSecMetaData: provides pxGrid clients with exposed security group tag (SGT) information
• IdentityGroup: provides pxGrid clients with Identity Group information that may not be available via 802.1X authentications
• SessionDirectory: provides pxGrid clients with ISE published session information, or available session objects.

https://communities.cisco.com/docs/DOC-68291
Context Sharing

pxGrid Clients authenticate and subscribe to the Grid

• Authenticates to ISE pxGrid node using self-signed or CA-signed certificates
• Subscribe or direct queries
• Communicate TCP/5222 to ISE pxGrid node

[Screenshot: pxGrid Subscriber view showing the topics FMC is subscribed to]
Context Sharing

Subscription and Groups

[Diagram: pxGrid Subscriber connecting to the pxGrid Controller]
• SUBSCRIBE: What you can subscribe to / what you are capable of? E.g.: AdaptiveNetworkControl, SessionDirectory, TrustSecMetaData
• GROUP: What are you authorized for? E.g.: Session, ANC
Context Sharing

pxGrid Client Groups (For Your Reference)

• pxGrid uses group-based authorization.
• When a client connects for the first time, the client is associated with a group.

• Basic: provides ISE pxGrid node connectivity. No session data
• Session: members can subscribe to session notification, query session info, download bulk session data.
• ANC: Adaptive Network Control, access to ’exception policy’
• EPS: earlier version of ANC (used by Splunk, Lancope, FireSIGHT Management Center 5.4)
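The group-based authorization on this slide, together with the controller’s auto-approval setting and the capability list earlier in this section, as an added example that is not part of the session or of Cisco ISE. Group names (Basic, Session, ANC, EPS) and capability names come from the deck; the capability-to-group mapping, the class and method names, and the FMC/Splunk sample clients are assumptions made for illustration, not ISE’s real tables or API.

```python
# Added example for this section (not from the session or from Cisco ISE):
# a small model of the controller-side checks the slides describe, i.e.
# certificate authentication first, then group-based authorization per
# capability. Group and capability names come from the deck; the mapping
# of capability -> required group and every class/method name here are
# assumptions made for illustration, not ISE's real tables or API.
from dataclasses import dataclass, field

# Assumed mapping: which client group is needed to use each capability.
# Basic gives connectivity and capability discovery (Core) but no session data.
REQUIRED_GROUP = {
    "Core": "Basic",
    "SessionDirectory": "Session",
    "TrustSecMetaData": "Session",
    "IdentityGroup": "Session",
    "EndpointProfileMetaData": "Session",
    "AdaptiveNetworkControl": "ANC",
    "EndpointProtectionService": "EPS",
}


@dataclass
class Client:
    name: str
    cert_trusted: bool                     # did the TLS handshake chain to a trusted CA?
    groups: set = field(default_factory=set)
    approved: bool = False


class Controller:
    """Authentication (certificate) and authorization (group) are separate steps."""

    def __init__(self, auto_approve):
        # The "very important setting": with auto-approve on, any client that
        # presents a trusted certificate is admitted without an admin decision.
        self.auto_approve = auto_approve
        self.clients = {}

    def connect(self, client):
        if not client.cert_trusted:
            return "rejected: certificate not trusted"
        client.groups.add("Basic")           # first connection lands in Basic
        client.approved = self.auto_approve  # otherwise an admin must approve
        self.clients[client.name] = client
        return "approved" if client.approved else "pending approval"

    def approve(self, name, *groups):
        """Admin action: approve a pending client and grant it extra groups."""
        client = self.clients[name]
        client.approved = True
        client.groups.update(groups)

    def authorize(self, name, capability):
        """May this client subscribe to or query the capability?"""
        client = self.clients.get(name)
        if client is None or not client.approved:
            return False                     # unknown, rejected or still pending
        needed = REQUIRED_GROUP.get(capability)
        if needed is None:
            return False                     # capability not registered on the grid
        return needed in client.groups


def demo():
    """Walk an FMC-like client through connect -> approve -> subscribe."""
    ctl = Controller(auto_approve=True)
    fmc = Client("FMC", cert_trusted=True)
    out = {"connect": ctl.connect(fmc)}
    out["core_before"] = ctl.authorize("FMC", "Core")
    out["session_before"] = ctl.authorize("FMC", "SessionDirectory")
    ctl.approve("FMC", "Session", "ANC")     # admin grants the extra groups
    out["session_after"] = ctl.authorize("FMC", "SessionDirectory")
    out["anc_after"] = ctl.authorize("FMC", "AdaptiveNetworkControl")
    out["eps_after"] = ctl.authorize("FMC", "EndpointProtectionService")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take away is the split the slides draw: a valid certificate only gets a client onto the grid (and, with auto-approve on, it gets there without anyone looking), while Session data, ANC and EPS each require an explicit group grant from the controller.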
Context Sharing

The Grid controller authorizes exchange (For Your Reference)

[Sequence diagram: Publisher (GCL Client) – pxGrid Controller (XCP Server) – Subscriber (GCL Client)]
CONTROL
1. Publisher authenticates; controller allows pxGrid control communication, checks status and account
2. Subscriber authenticates; controller allows pxGrid control communication, checks status and account
3. Controller authorizes Publisher to topic sequence; adds Publisher to topic
4. Controller authorizes Subscriber to topic sequence; adds Subscriber to topic
INFRA
5. Publish Message to Topic; Publish Success
6. Published Message to Subscriber; Subscribe Success
7. Publisher Capability & JID Query; Publisher JID
8. XMPP: Bulk Download Query
9. Bulk Data Stream Over REST API
Context Sharing

pxGrid authentication

CERTIFICATES
• Self-signed pxGrid Client and pxGrid ISE Node certificates
  How-to: https://communities.cisco.com/docs/DOC-68286
• CA signed pxGrid Client and pxGrid ISE Node certificates (*Best Practice)
  How-to: https://communities.cisco.com/docs/DOC-68287

PASSWORDS
• New* in ISE 2.1. No clients yet.
  Release Notes: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html#pgfId-678203
Context Sharing

Example pxGrid Integration: InfoBlox

Context Sharing
pxGrid Bulk Downloads (peer-to-peer)

[Diagram: FMC, Controller and MnT]
1. FMC: I need Bulk Session Data
2. Controller: Get it From MnT
3. Direct Data Transfer between FMC and MnT
Context Sharing

pxGrid Topic Extensibility

Topic | Publisher | Subscribers
Session_Directory | MnT | Splunk, FMC, WSA, ISE Admin
Vulnerable Hosts | Rapid7 |

[Diagram: Rapid7 registers a new topic with the Controller]
1. Req: Add New Topic: “Vulnerable Hosts”
3. Publish Topic
4. Announce: New Topic Available
Context Sharing

pxGrid Topic Extensibility

Topic | Publisher | Subscribers
Session_Directory | MnT | Splunk, FMC, WSA, ISE Admin
Vulnerable Hosts | Rapid7 | FMC

[Diagram: FMC subscribes to the new topic through the Controller]
1. Subscribe Vulnerable Hosts
2. Direct Transfer
Context Sharing

For Your Reference

CAVEATS
• pxGrid clients must be updated to understand the topic Schema by the vendor
• Currently no existing topics known – there are a few in the works
• Remember: pxGrid clients must trust each other’s certificates for bulk downloads, not just the ISE (pxGrid controller)
Context Sharing

#1 complaint about pxGrid integration:

Certificates. Customers, Partners, other BU’s all confused by the Certificate usages w/ pxGrid.
It Does not need to be complicated!

Simplify it with the CA in 2.1+
Even better in ISE 2.2
Context Sharing

So, How do we “Certificate-ify” pxGrid?

1. Required 2-Way Trust Between Controller & pxGrid Clients
2. IF Bulk Downloads THEN 2-Way Trust Client-to-Client
3. In Other Words: A Full MESH (“MESS”) of Trusts

[Diagram: FMC, Controller and MnT each trusting the others’ certificates]
Context Sharing

Pro Tip: Use A Common CA

Context Sharing

So, How do we “Certificate-ify” pxGrid?

1. Use a Single Certificate Authority
2. Each pxGrid Participant Trust That Certificate Authority
3. Each pxGrid Client use a ‘pxGrid’ Certificate from that CA
4. *Controller Must still Authorize the Communication

Instant Full Mesh Trust!

[Diagram: the ISE 2.1 CA issues X.509 pxGrid certificates to FMC, the Controller and MnT]
Context Sharing

CA signed pxGrid certificate

Special cert template with EKU for both client and server authentication

[Diagram: one Root CA issues certificates to the Grid Controller (ISE) and the Grid Client; each holds its own public/private key pair and has the Root CA in its Trusted Certificates]
Context Sharing

ISE 2.2+ - pxGrid Certs added to pxGrid UI

Within pxGrid UI: No Longer Have to Create Portal / Add Portal User, Etc.

Generate Certificates
• With or W/O CSR
• Bulk Certs w/ CSV
• Download Root PKCS12

Certificate Formats
• Only Encrypted Options
• All Include Root Certs
• PEM or PKCS12
Context Sharing

Generating Cert/Key-Pairs From pxGrid UI (*Trick of the Trade)

Friendly CN: Make it something that is unique – like prefix pxGrid

Cert Template: Hard-Coded to use the pxGrid Template. Client + Server EKU’s

Real FQDN in SAN: Ensure the Real FQDN and IP Address are in SAN, just in-case.
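The certificate properties this slide calls for (client + server EKUs, real FQDN and IP in the SAN, a pxGrid-prefixed CN) and the common-CA tip from the previous slides, as an added openssl walkthrough that is not from the session or from Cisco. It builds one common CA, issues a pxGrid-style certificate from it, issues a server-only certificate as the weak counterpart, and runs the checks an engineer should run on any certificate before enrolling a pxGrid client. The CA name, the FQDN pxgrid-fmc.example.com, the address 10.1.1.5 and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example for this section (not from the session or from Cisco): one
# common CA, a pxGrid-style certificate with BOTH EKUs and FQDN + IP in the
# SAN, a server-only certificate as the weak counterpart, and a checker.
# All names and addresses here are constructed. Requires the openssl CLI.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_CN="Constructed-Common-CA"           # the one CA every pxGrid participant trusts
CLIENT_FQDN="pxgrid-fmc.example.com"    # assumed client FQDN
CLIENT_IP="10.1.1.5"                    # assumed client IP

# Self-signed root for the common CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$CA_CN" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# make_cert <basename> <EKU list>: issue a cert from the common CA.
# "serverAuth, clientAuth" is what the pxGrid template gives you; "serverAuth"
# alone is the weak variant that works as a TLS server but fails as a pxGrid client.
make_cert() {
  name="$1"; eku="$2"
  cat > "$WORK/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$CLIENT_FQDN, IP:$CLIENT_IP
EOF
  # Friendly CN with a pxGrid prefix, as the slide suggests; the real FQDN lives in the SAN.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pxGrid-$CLIENT_FQDN" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# check_pxgrid_cert <cert.pem>: returns 0 only if the cert chains to the common
# CA, carries both EKUs, and has the FQDN and the IP in its SAN.
check_pxgrid_cert() {
  cert="$1"
  openssl verify -CAfile "$WORK/ca.pem" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to the common CA"; return 1; }
  text="$(openssl x509 -in "$cert" -noout -text)"
  echo "$text" | grep -q "TLS Web Server Authentication" \
    || { echo "FAIL: $cert has no serverAuth EKU"; return 1; }
  echo "$text" | grep -q "TLS Web Client Authentication" \
    || { echo "FAIL: $cert has no clientAuth EKU"; return 1; }
  echo "$text" | grep -q "DNS:$CLIENT_FQDN" \
    || { echo "FAIL: $cert is missing the FQDN in its SAN"; return 1; }
  echo "$text" | grep -q "IP Address:$CLIENT_IP" \
    || { echo "FAIL: $cert is missing the IP in its SAN"; return 1; }
  echo "OK: $cert is usable as both a pxGrid client and server certificate"
}

make_ca
make_cert pxgrid "serverAuth, clientAuth"
make_cert weak "serverAuth"
check_pxgrid_cert "$WORK/pxgrid.pem"
check_pxgrid_cert "$WORK/weak.pem" || true   # expected to fail: clientAuth missing
```

Run the checker against the PEM file from the ZIP the pxGrid UI hands you (after decrypting the key is not needed for these checks) with the common CA’s root in place of the constructed one; a certificate that fails the clientAuth or SAN line is the usual reason a client passes the controller’s TLS test yet still fails at bulk download or authorization time. Note that passing these checks only makes the certificate usable: the controller must still approve the client and put it in the right group.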
Context Sharing

Contents of Resulting ZIP File

• Root & Sub CA Certificates
• Signed Certificate
• Encrypted Private Key
Note from the Trenches:
Certificate Complexity You MIGHT Run Into (ISE 1.3, ISE 1.4, ISE 2.0, ISE 2.1). Fixed in 2.2
Context Sharing

pxGrid Certificates & Bulk Download

• ISE 2.2+ there is ONE pxGrid Certificate per ISE node
• Prior to 2.2:
  • pxGrid Certificate used for pxGrid comms
  • Data Xfer used the Admin Cert
  • Problem: Which Signing CA do I trust? All pxGrid Tests Succeeded..

[Diagram, labelled “pxGrid: ISE 2.2+”: FMC to Controller over pxGrid TCP/5233 uses the pxGrid cert (X.509); FMC to MnT REST transfer over TCP/8910 uses the Admin cert (X.509)]
Context Sharing

pxGrid Certificates & Bulk Download

• ISE 2.2+ there is ONE pxGrid Certificate per ISE node
• Prior to 2.2:
  • pxGrid Certificate used for pxGrid comms
  • Data Xfer used the Admin Cert
  • Problem: Which Signing CA do I trust? All pxGrid Tests Succeeded..

[Diagram, labelled “pxGrid: ISE <= 2.1”: FMC to Controller over pxGrid TCP/5233 uses the pxGrid cert (X.509); FMC to MnT REST transfer over TCP/8910 uses the pxGrid cert (X.509)]
For Your Reference: Step-by-Step Configuration of pxGrid, Cert Portal, Firepower Manager, & WSA Integration in Hidden Slides

~10min
Agenda
• Introduction
• ISE as Center of Security EcoSystem
• Context Sharing w/ pxGrid
• RTC and TC-NAC
• Passive vs. Active Identities
• Passive ID Enhancements in ISE 2.2
• The Future of Secure Network Access
• Conclusion

Vocabulary Level Set (Here’s Those TLA’s) (For Your Reference)

• Quarantine – a term that seems to mean something different to everyone you speak to
• Endpoint Protection Services (EPS) – Added in ISE 1.2. Advertised in 1.3 w/ pxGrid.
  • Can assign an endpoint to Quarantine only.
  • Used with or Without pxGrid
• Adaptive Network Control (ANC) – EPS renamed to ANC in 1.4. New ANC Functionality added in 2.0.
  • Create ANC “classifications” (aka: name spaces) – and endpoints can be assigned to those classifications.
  • Quarantine, Kick_off_Network, Investigate, Nuke_From_Orbit, etc.
  • Used with or without pxGrid in v2.2+.
• Rapid Threat Containment (RTC) – the “solution level” of integrating products together that use ANC or EPS
• Change of Authorization (CoA) – The ability to dynamically change the level of access an endpoint has on the network.
• TrustSec – A simple Tag that represents the full context of an endpoint/user – yet powerful.
Vocabulary Level Set (Here’s Those FLA’s) (For Your Reference)

• Platform eXchange Grid (pxGrid) – A communication bus (not an API) designed to rapidly share security data at large scale, without the pains of a point-API or being application specific.
  • Uses a Publish/Subscribe (Pub/Sub) model to share information.
  • Has Central, Proxy, and Broker mechanisms.
• Structured Threat Information Expression (STIX) – A language used to share Cyber Threat Intelligence (CTI), aka: threat data.
  • It’s a format, not a transport protocol. It requires something like TAXII or pxGrid to carry it between consumers and producers of the STIX data.
• Trusted Automated eXchange of Intelligence Information (TAXII) – Protocol used to exchange CTI over secure communication (HTTPS).
  • Designed specifically to carry STIX CTI.
  • Follows a Publish / Subscribe (pub/sub) model, similar to pxGrid – but Central model only.
• Common Vulnerability Scoring System (CVSS) – Open standard for assessing the severity of computer vulnerabilities.
Threat Containment

EPS / ANC Mitigation Actions (For Your Reference)

ANC Mitigation Actions

EPS RESTful API (Available in ISE 1.2+):
• Quarantine
• Unquarantine
• Shutdown

ANC 1.0 (legacy EPS) (Available in pxGrid starting in ISE 1.3+):
• Quarantine
• Unquarantine
• Port Bounce
• Terminate
• Shutdown
• Re-Authenticate

ANC 2.0 (enhanced EPS) (Available in pxGrid & ANC API, ISE 2.1): Includes legacy EPS functionality
• Apply Endpoint Policy by MAC or IP
• Clear Endpoint Policy by MAC or IP
• Get Endpoint By IP
• Create/Update/Delete Policy
• Get Policy By Name
• Get All Policies
• Get Endpoints By MAC
• Get All Endpoints
• Get Endpoint by Policy
Note: The remediation and provisioning actions have been deprecated in ISE 2.1
Threat Centric NAC
(TC-NAC)
TC-NAC

Attack Vectors In the News

2016 Verizon Breach Report
• “Older Vulnerabilities are still heavily targeted”
• “All the patching is for naught, if we aren’t patching the right things”

2017 Cisco Annual Cybersecurity Report
• “Threats specifically seek vulnerable browsers and plugins.”
• “Adversaries See Opportunity in Unpatched Software”
TC-NAC

Threat Centric NAC

Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.

• Complements Posture: vulnerability data tells endpoint’s posture from the outside
• Expanded control driven by threat intelligence and vulnerability assessment data
• Faster response with automated, real-time policy updates based on vulnerability data and threat metrics

[Diagram: Create ISE authorization policies based on the threat and vulnerability attributes. AMP supplies threat events, threat notifications and IOC; Qualys supplies vulnerability assessments and CVSS. Together with context (Who, What, When, Where, How), posture, threat and vulnerability feed the Network Access Policy for endpoints.]

Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)
TC-NAC

Threat Centric NAC explained (For Your Reference)
Reduce vulnerabilities, contain threats

[Diagram]
1. Malware infection: “Threat detected” by Cisco AMP (IOC)
2. Malware scans for vulnerable endpoints
3. Vulnerability detected: vulnerability scan (CVSS) identifies the vulnerable host
4. Infection spread: Quarantine and Remediate; Segment

Compromised endpoints spread malware by exploiting known vulnerabilities in the network. Flag compromised and vulnerable hosts and limit access to remediation.
Most endpoint AMP deployed in ‘visibility only’ mode

Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC) | Advanced Malware Protection (AMP)
TC-NAC
Threat Centric NAC
Pick Vulnerability assessment vendor of your choice (ISE 2.2)

• In ISE 2.2+, TC-NAC supports Tenable, Cisco Cognitive Threat Analytics (CTA) and Rapid7.
• A standard “listener” will be supported for threats using the STIX framework for automatic quarantining of critically infected endpoints.

[Diagram: ISE sends a scan request to the scanner and receives vulnerability scans with a CVSS score; Cisco CTA delivers threats via STIX]
TC-NAC

TC-NAC service on ISE (For Your Reference)

[Diagram: PAN, MnT and PSN; context attributes flow to the PAN]
• Threat Centric NAC attributes appear in the Policy Administration Node.
• TC-NAC service runs in the ‘Policy Services Node’ when enabled.
• Requires ISE Apex license
TC-NAC

Enabling TC-NAC (For Your Reference)

PSN: Administration > System > Deployment

ise-2/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
VA Database                            running          9715
VA Service                             running          10108

Vulnerability Assessment (VA) service to request scan service

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
TC-NAC Docker Service                  running          6681
TC-NAC MongoDB Container               running          7058
TC-NAC RabbitMQ Container              running          7393
TC-NAC Core Engine Container           running          8991

Service disabled by default. Core Engine responsible for handling threat based authorizations
TC-NAC

TC NAC configuration (For Your Reference)

Administration > Threat Centric NAC > Third Party Vendors

After the TC-NAC service is enabled, either one or both of the services can be configured depending on the need.
TC-NAC

Vulnerability based access control (For Your Reference)

High-level flow

[Diagram: Endpoint, Network Access Device, Cisco ISE 2.1, Qualys ScanGuard]
1. Endpoint connects to the network
2. Initial limited Authorization (VA-Scan)
3. ISE requests a VA scan for Endpoint
4. Qualys scans the Endpoint for Vulnerabilities
5. Qualys reports the CVSS score
6. CoA based on scan status (Full Access / Quarantine)
TC-NAC

‘Vulnerability’ based access control

[Sequence diagram: Endpoint, Network Device, MnT, PSN (TC-NAC), PAN, Vuln Scanner]
1. Device connects to the network: Authentication Request
2. Limited Access + ‘VA Scan’ flag
3. Syslog: Event Log
4. Scan request for endpoint IP address; TC-NAC queues requests; vulnerability scanning
5. Endpoint’s CVSS (Vulnerability Score) returned; vulnerability attributes
6. CoA: Change of Authorization (Full or Quarantine access)
TC-NAC

‘Vulnerable Endpoints’
Based on Common Vulnerability Scoring System (CVSS)


QID-90043 - SMB Signing Disabled or SMB Signing Not Required


QID-95001 - X-Window Sniffing
QID-38170 - SSL Certificate - Subject Common Name Does Not Match Server FQDN
QID-38173 - SSL Certificate - Signature Verification Failed Vulnerability
QID-38601 - SSL/TLS use of weak RC4 cipher
QID-90882 - Windows Remote Desktop Protocol Weak Encryption Method Allowed

TC-NAC

Configuration (For Your Reference)

Administration > Threat Centric NAC > Third Party Vendors

• ISE talks to Qualys cloud system over REST APIs
• Default scanner PSN will use
• Qualys API host address
• Qualys account credentials
TC-NAC

PSN to (local) Scanner mapping (For Your Reference)

Administration > Threat Centric NAC > Third Party Vendors

[Screenshot: ISE PSNs mapped to Qualys Scanners (virtual machines or appliance): sbg-bgla-pdp01 → SJ-4, npf-sjca-pdp01 → SJ-3, npf-sjca-pdp02 → SJ-2]
TC-NAC

Qualys adapter flow (For Your Reference)

[Flowchart: Qualys Adapter (Docker instance)]
1. Check last SCAN results (using IP Address). SCAN results carry: IP Address, Vulnerabilities (QID), Last SCAN time, MAC Address (maybe as a QID)
2. IS Last Scan time < Specified Interval?
   • NO: Trigger SCAN to GET results (from the originating PSN)
   • YES: Optional: IS MAC Address = Requested MAC?
     • YES: reuse MAC address, Vulnerabilities (QIDs), CVSS Scores
     • NO: Trigger SCAN
3. MAC address and High CVSS go to the TC-NAC Core Engine for ANC policy
TC-NAC

For Your Reference

When does ISE request an on-demand scan

• When an endpoint connects to the network and Identity Services Engine does not know its vulnerability status. This will especially be the case for endpoints connecting to the network for the first time.
• When endpoints connect to the network after an extended period of inactivity
• When an endpoint connects and its compliance state is unknown/non-compliant, or a connected endpoint’s compliance state becomes non-compliant. The source of truth for this is the device manager.
• When the time a connected endpoint was last managed exceeds a certain interval. Again, the source of truth for this is the device manager.
• When the time a connected endpoint was last checked for vulnerability exceeds a certain interval.
TC-NAC

Timer configurations (For Your Reference)

Administration > Threat Centric NAC > Third Party Vendors

Last scan result checks: New MAC with old IP should be subject to scan

Scan timers: By default ‘256’ max IPs submitted to scanner per PSN
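The scan-request logic spread across the last three slides (the Qualys adapter’s last-result and MAC checks, the on-demand scan triggers, and the per-PSN cap of 256 IPs per submission), combined into one added example that is not part of the session or of ISE. It covers the first-time, stale-result, new-MAC-with-old-IP and compliance-state triggers; the inactivity and last-managed timers are left out. The data classes, field names, the 48-hour interval and the sample endpoints are constructed for illustration.

```python
# Added example for this section (not from the session or from ISE): a small
# scheduler applying the decision rules on the slides (reuse a recent result,
# rescan after the interval, the "new MAC with old IP" check, unknown or
# non-compliant state from the device manager) and batching the IPs that
# need scanning into submissions capped at the deck's default of 256 per PSN.
# Data types, field names and the sample data are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_IPS_PER_SUBMISSION = 256   # default per-PSN cap from the timer slide


@dataclass
class LastScan:
    ip: str
    mac: str
    scanned_at: datetime
    max_cvss: float


@dataclass
class Endpoint:
    ip: str
    mac: str
    compliance: str = "unknown"   # "compliant" | "non-compliant" | "unknown" (device manager)


def needs_scan(ep: Endpoint, last: Optional[LastScan], now: datetime,
               interval: timedelta, check_mac: bool = True) -> Tuple[bool, str]:
    """Decide whether ISE should ask the scanner for a fresh result for this endpoint."""
    if last is None:
        return True, "no previous result for this IP"
    if check_mac and last.mac.lower() != ep.mac.lower():
        return True, "new MAC with old IP"           # the optional MAC check
    if now - last.scanned_at >= interval:
        return True, "last scan older than the scan interval"
    if ep.compliance != "compliant":
        return True, "compliance state is %s" % ep.compliance
    return False, "recent result is reusable"


def build_submissions(endpoints: List[Endpoint], results: Dict[str, LastScan],
                      now: datetime, interval: timedelta,
                      max_ips: int = MAX_IPS_PER_SUBMISSION) -> List[List[str]]:
    """Queue the IPs that need a scan and split them into scanner submissions."""
    queued: List[str] = []
    for ep in endpoints:
        must, _ = needs_scan(ep, results.get(ep.ip), now, interval)
        if must and ep.ip not in queued:             # de-duplicate repeat requests
            queued.append(ep.ip)
    return [queued[i:i + max_ips] for i in range(0, len(queued), max_ips)]


def sample_decisions() -> Dict[str, str]:
    """Constructed scenario: four endpoints checked against a 48-hour interval."""
    now = datetime(2017, 6, 1, 12, 0)
    interval = timedelta(hours=48)
    results = {
        "10.0.0.10": LastScan("10.0.0.10", "aa:bb:cc:00:00:10", now - timedelta(hours=2), 3.1),
        "10.0.0.11": LastScan("10.0.0.11", "aa:bb:cc:00:00:11", now - timedelta(hours=72), 9.8),
        "10.0.0.12": LastScan("10.0.0.12", "aa:bb:cc:00:00:12", now - timedelta(hours=1), 0.0),
    }
    endpoints = [
        Endpoint("10.0.0.10", "aa:bb:cc:00:00:10", "compliant"),   # fresh result, same MAC
        Endpoint("10.0.0.11", "aa:bb:cc:00:00:11", "compliant"),   # result older than 48h
        Endpoint("10.0.0.12", "aa:bb:cc:00:00:99", "compliant"),   # IP reused by a new MAC
        Endpoint("10.0.0.13", "aa:bb:cc:00:00:13"),                # never scanned
    ]
    return {ep.ip: needs_scan(ep, results.get(ep.ip), now, interval)[1] for ep in endpoints}


def submission_sizes(n_endpoints: int) -> List[int]:
    """Sizes of the submissions produced when n never-scanned endpoints appear at once."""
    now = datetime(2017, 6, 1)
    eps = [Endpoint("10.1.%d.%d" % (i // 256, i % 256), "00:00:00:00:00:01")
           for i in range(n_endpoints)]
    return [len(b) for b in build_submissions(eps, {}, now, timedelta(hours=48))]


if __name__ == "__main__":
    for ip, reason in sample_decisions().items():
        print(ip, "->", reason)
    print("submission sizes for 300 new endpoints:", submission_sizes(300))
```

The MAC comparison is what turns the “new MAC with old IP” checkbox into a real decision: without it a freshly connected device inheriting a recently scanned DHCP address would silently inherit that address’s clean result.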
TC-NAC

Authorization Profile (For Your Reference)

Limited initial access. Scan for vulnerability every 48 hours.
TC-NAC

Authorization Policy (For Your Reference)

Authorization policy for ‘vulnerability’: Initial ‘limited access’ + Vulnerability Scan
TC-NAC

‘Threat’ based access control

[Sequence diagram: Endpoint w/ AMP, Network Device, MnT, PSN (TC-NAC), PAN, AMP Cloud]
1. AMP Adapter (once configured) subscribes to the events from AMP Cloud
2. Session: Endpoint authorized for full access
3. AMP reports the event; AMP notifies incident (Incidents & Indicators), e.g.:
   "1107296280": {
     "name": "Suspicious Download",
     "desc": "A suspicious file was downloaded.",
     "Likely_Impact": "High"
   },
4. Change of Authorization (Quarantine access); or Manual CoA
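The two attribute families that feed ISE authorization in TC-NAC, vulnerability (the CVSS score from the earlier flow) and threat (the AMP incident on this slide), as an added first-match policy evaluation that is not part of the session or of ISE. The incident payload is the one printed on the slide; the rule order, the CVSS v2 qualitative ranges used for the threshold, and the result names are assumptions made for illustration.

```python
# Added example for this section (not from the session or from ISE): first-match
# rule evaluation over the two TC-NAC attribute families the deck describes,
# vulnerability (CVSS score) and threat (incident "Likely_Impact"). The incident
# payload is the one shown on the slide; the rule order, the severity ranges
# and the result names are assumptions for illustration.
import json
from typing import List, Optional, Tuple

# Sample incident payload as printed on the slide (keyed by incident id).
AMP_INCIDENTS_JSON = """{
  "1107296280": {
    "name": "Suspicious Download",
    "desc": "A suspicious file was downloaded.",
    "Likely_Impact": "High"
  }
}"""

Incident = Tuple[str, str, str]   # (incident_id, name, likely_impact)


def parse_amp_incidents(payload: str) -> List[Incident]:
    """Extract (id, name, Likely_Impact) from an AMP-style incident payload."""
    data = json.loads(payload)
    return [(iid, inc.get("name", ""), inc.get("Likely_Impact", "Unknown"))
            for iid, inc in data.items()]


def cvss_qualitative(score: float) -> str:
    """CVSS v2 qualitative ranges: 0-3.9 Low, 4.0-6.9 Medium, 7.0-10.0 High."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def authorize(max_cvss: Optional[float], incidents: List[Incident]) -> Tuple[str, str]:
    """First-match policy over threat and vulnerability attributes.

    Returns (authorization_result, matched_rule). Threat incidents arrive in
    real time, so a High-impact incident is checked first. Vulnerability data
    is NOT real time: an endpoint with no result yet is not quarantined; as in
    the deck's policy example it gets limited access plus the VA-scan flag.
    """
    if any(impact == "High" for _, _, impact in incidents):
        return "Quarantine", "threat: Likely_Impact High -> CoA quarantine"
    if max_cvss is not None and cvss_qualitative(max_cvss) == "High":
        return "Quarantine", "vulnerability: CVSS %.1f is High -> CoA quarantine" % max_cvss
    if max_cvss is None:
        return "Limited_Access_VA_Scan", "no vulnerability result yet -> limited access + VA scan"
    return "Full_Access", "CVSS %.1f is %s" % (max_cvss, cvss_qualitative(max_cvss))


if __name__ == "__main__":
    incidents = parse_amp_incidents(AMP_INCIDENTS_JSON)
    print(incidents)
    print(authorize(2.0, incidents))    # incident wins despite a low CVSS
    print(authorize(9.8, []))           # high CVSS alone triggers quarantine
    print(authorize(None, []))          # unknown: limited access + scan
    print(authorize(5.5, []))           # medium: full access
```

Keeping the threat rule above the vulnerability rule matters because the two data sources have different freshness: an incident from AMP describes something happening now, while a CVSS score describes the state at the last scan, which the timer slides show can be up to the configured interval old.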
TC-NAC

‘Compromised Endpoints’
Based on Incidents and Indicators

Structured Threat Information Expression (STIX) format
TC-NAC

TC-NAC with AMP configuration

Administration > Threat Centric NAC > Third Party Vendors

Pretty identical configuration for most deployments*

*Pitfall: AMP connector requires direct Internet Connectivity or SOCKS proxy (port 1080). Standard HTTP Proxy will not work.
TC-NAC

For Your Reference

TC-NAC with AMP configuration

Administration > Threat Centric NAC > Third Party Vendors

Can filter event type.
TC-NAC

Manual Quarantine

Remember: YOU create these. There are no “default” ANC Policies (aka: classifications)
TC-NAC

Threat Centric NAC Summary

• Ability to trigger vulnerability assessment checks
• Trigger on-demand scan if required.
• Consume these results to generate normalized results in Structured Threat Information Expression (STIX) format and CVSS scores for vulnerability assessment.
• ISE has the ability to evaluate and change network access again using authorization policies.
• When using vulnerability assessment results in network access policies, Identity Services Engine takes the approach of “innocent until proven guilty”, since the data is NOT real time.
Rapid Threat Containment

Threat Containment

Rapid Threat Containment with Firepower Management Center and ISE

• Fully Supported on FMC 5.4 and ISE 1.3+
• Loads as a Remediation Module on FMC
• Uses pxGrid + Endpoint Protection Services (EPS)
• Note: ANC is the Next Gen version of the older EPS
• EPS functions are still there for Backward Compatibility
• Remediation Module takes the Remediation Action via the EPS call through pxGrid
Threat Containment

Remediation Module from Talos Labs (For Your Reference)
Threat Containment

Remediation Options (For Your Reference)
• Quarantine - quarantines an endpoint based on source IP address
• portBounce - temporarily bounces the endpoint or host port
• Terminate - terminates the end-user session
• Shutdown - initiates a host port shutdown; this will insert a “shutdown” command on the switch port configuration
• reAuthenticate - re-authenticates the end-user
• UnQuarantine - unquarantines the endpoint
Threat Containment

AMP <-> ISE TC-NAC Integration

• Limitation: Manual Remediation only.
• To Automate: Use Firepower Management Center*
  • Correlation Rule: Malware Event Occurred
  • Then Use the ISE Remediation Module (Rapid Threat Containment)

*Trick of the Trade
Threat Containment

FMC Correlation Rule

Malware Events
• Network
• Endpoint
• Retrospection

Threat Containment

FMC Correlation Rule

Endpoint Malware: General Event from AMP for Endpoints Cloud

Threat Containment

FMC Correlation Rule

Endpoint Malware: Specific Events from AMP for Endpoints Cloud

Threat Containment

The Remediation

Quarantine: Remediation that triggers EPS Quarantine via pxGrid
Threat Containment

Rapid Threat Containment with Firepower Management Center and ISE

Components: WWW, Controller, MnT, NGFW, FMC, i-Net

1. Security Events / IOCs Reported (NGFW to FMC)
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth
4. Endpoint Assigned Quarantine + CoA-Reauth Sent
Threat Containment

RTC with AMP, FMC and ISE

Components: WWW, Controller, MnT, NGFW, FMC, i-Net

1. Threat / IOCs Reported (AMP to FMC)
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth
4. Endpoint Assigned Quarantine + CoA-Reauth Sent
Threat Containment

RTC w/ Stealthwatch & ISE

Components: WWW, Controller, NGFW, Flow Collector, FMC, i-Net

1. SW is Analyzing Flows from Flow Collector
2. SW is Also Merging Identity Data from ISE
3. Admin is Alerted of Suspicious Behavior
4. Admin Initiates Endpoint Quarantine (EPS over pxGrid)
5. Endpoint Assigned Quarantine + CoA-Reauth Sent
6. New Traffic Rules apply to the new state of the endpoint
   6a. Could Deny Access (ingress)
   6b. Could Filter it within network (egress)
Threat Containment

What if I want ANC without pxGrid?

• I’m glad you asked… Beginning with ISE 2.1, ANC is available via the ERS REST API: https://ISE:9060/ers/sdk

Step 1: ANC Policy: learn which policies exist

Step 2: ANC Endpoint: assign the Policy to an Endpoint
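The two ERS steps above, as an added Python example (not from the deck and not Cisco's code): list the ANC policies, then apply one to an endpoint's MAC. The resource paths /ers/config/ancpolicy and /ers/config/ancendpoint/apply are taken from the ERS SDK the slide points to and are assumptions of this example, as are the host, credentials, MAC and policy name; the HTTP transport is injectable so the logic can be exercised without an ISE.

```python
"""Added example, not from the deck: drive ISE ANC through the ERS REST API.

Assumptions: the paths /ers/config/ancpolicy (step 1) and
/ers/config/ancendpoint/apply (step 2) come from the ERS SDK
(https://ISE:9060/ers/sdk); ISE_HOST, ERS_USER, ERS_PASS, the MAC and the
policy name are placeholders.
"""
import base64
import json
import re
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

ISE_HOST = "ise.example.com"   # placeholder: ISE PAN with ERS enabled
ERS_PORT = 9060                # ERS port from the slide
ERS_USER = "ers-admin"         # placeholder: account with ERS admin rights
ERS_PASS = "<password>"        # placeholder

# Transport signature: (method, url, headers, body) -> (http_status, body_bytes).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def ers_headers(user: str, password: str) -> Dict[str, str]:
    """ERS wants HTTP Basic auth plus explicit JSON Accept/Content-Type headers."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"Basic {token}",
    }


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport. TLS verification stays on: import the CA of the ISE admin cert."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status, resp.read()


def normalize_mac(mac: str) -> str:
    """ISE keys endpoints as AA:BB:CC:DD:EE:FF; accept 'aabb.ccdd.eeff' or dashes too."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def list_anc_policies(host: str, headers: Dict[str, str], send: Transport) -> List[str]:
    """Step 1 (ANC Policy): learn which ANC policies exist. You create these;
    an empty list means no classification has been defined on ISE yet."""
    url = f"https://{host}:{ERS_PORT}/ers/config/ancpolicy"
    status, body = send("GET", url, headers, None)
    if status != 200:
        raise RuntimeError(f"ancpolicy GET failed with HTTP {status}")
    result = json.loads(body)["SearchResult"]
    return [res["name"] for res in result.get("resources", [])]


def apply_anc_policy(host: str, headers: Dict[str, str], send: Transport,
                     mac: str, policy: str) -> bool:
    """Step 2 (ANC Endpoint): bind the policy to the endpoint; ISE then sends the CoA.
    Assumption: ERS answers 204 No Content on success."""
    payload = {"OperationAdditionalData": {"additionalData": [
        {"name": "macAddress", "value": normalize_mac(mac)},
        {"name": "policyName", "value": policy},
    ]}}
    url = f"https://{host}:{ERS_PORT}/ers/config/ancendpoint/apply"
    status, _ = send("PUT", url, headers, json.dumps(payload).encode())
    return status == 204


def quarantine_endpoint(host: str, headers: Dict[str, str], send: Transport,
                        mac: str, policy: str = "Quarantine") -> bool:
    """Step 1 then step 2, refusing to PUT a policy name ISE does not know:
    a typo would otherwise fail late with an opaque ERS error."""
    known = list_anc_policies(host, headers, send)
    if policy not in known:
        raise ValueError(f"ANC policy {policy!r} not defined on ISE; existing: {known}")
    return apply_anc_policy(host, headers, send, mac, policy)


if __name__ == "__main__":
    hdrs = ers_headers(ERS_USER, ERS_PASS)
    print(quarantine_endpoint(ISE_HOST, hdrs, urllib_transport, "00:11:22:33:44:55"))
```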
Threat Containment

What if I want ANC without pxGrid?

Operations > ANC
Threat Containment

Pro Tip. Key Point: the RTC action does not have to be “Kick off Network” only. It can Allow Limited Access & Inspect More.
Threat Containment

Example: Quarantine Endpoint

Conditions: EPS is Quarantine OR ANC is Quarantine
Results: Limited Access + Quarantine Tag
Threat Containment

Example: Trigger Vuln Scan & SSL Decrypt

Conditions: CTA Course of Action = Monitoring OR ANC = Investigate
Results: Limited Access + Vuln Scan + Investigate SGT
Threat Containment

Automate AMP Remediation in ISE via FMC

• FMC can Assign the endpoint to “Quarantine”
• Instead of Kicking Off Net:
  • Triggers a Vulnerability Scan
  • After FMC Quarantine and Vulnerability Scan “agree”, then Kick from Network
  • -Or- After FMC Quarantine and CTA “agree”, then Kick from Network
Threat Containment

1. FMC Quarantine = Vuln Scan & SSL Decrypt

Conditions: EPS is Quarantine OR ANC is Investigate
Results: Limited Access + Vuln Scan + Investigate SGT
Threat Containment

2. Quarantine + CVSS = DeathToMing

Conditions: (EPS is Quarantine OR ANC is Investigate) AND (CVSS > 7 OR CTA Action = Eradicate)
Results: Blacklist
Threat Containment

Pro Tip: Use TrustSec Tags for This

Threat Containment

Assign Tag on Ingress, Apply Policy Everywhere
Threat Containment

Assign Tag on Ingress, Apply Policy Everywhere

W3C Logs from the web gateway feed Cognitive Threat Analytics.

Apply Policy Based on SGT (policy set A):
• Decrypt SSL
• Filter URLs
• Deny Apps
• Scan for Malware
• Route to DLP

Apply Policy Based on SGT (policy set B):
• No SSL Decrypt
• Filter URLs
• Permit Apps
• Scan for Malware

Endpoint contexts carried by the tag:
• Who: Doctor; What: Desktop w/ AMP; Where: Office
• Who: Doctor; What: Desktop, Vulnerable; Where: Branch
Threat Containment

One Little Tag, so Many Uses

• Influence Path through Network (PBR)
• Influence QoS of traffic
• SGT can trigger enabling certain port configuration on the access switch.
• Determine if Traffic Needs to be Inspected Further
  • I.e.: Sending to an IPS module or Firepower Services
• Specify the Policy Applied at the Web Gateway
• Determine the (simplified) Firewall Policy
• Block East-West Traffic (peer-to-peer)
~10min
Agenda
• Introduction
• ISE as Center of Security EcoSystem
• Context Sharing w/ pxGrid
• RTC and TC-NAC
• Passive vs. Active Identities
• Passive ID Enhancements in ISE 2.2
• The Future of Secure Network Access
• Conclusion

Passive ID

Motivation: Identity is Critical to All Security Solutions

Problem: Each SBG Product has its own Method / Technology to provide Identity
• Vast feature / functionality discrepancies
• Impacting Customer Satisfaction

Solution: Single product / one implementation across SBG
• Best features of each solution / eliminate missing capabilities
• Leverage existing expertise / componentry for time to market
• Systems approach increasing cross-product integration.
What is Passive Identity?

Passive ID

Passive vs Active Identity / Authentication

• Most of SBG’s competitors and many SBG products use Passive Authentication to provide user identity.
• Passive is “asking” Microsoft AD to please tell our product the username & IP address of users who authenticate to AD. I.e.: it’s all hearsay.
  • Example: CDA leveraging Windows Management Instrumentation (WMI) to inform it when a user authenticates and what their IP is.
• Active authentication is learning it from the endpoint/user directly.
  • Example: aawoland@cisco.com has authenticated to the wireless network “Blizzard”. Cisco ISE was the authentication server & learned directly from Aaron.
• Active is more reliable and works for all devices/users, not just AD managed systems.
Passive ID

Active Authentication

Data Center: AD, CA (X.509), NGFW. Endpoint to ISE: 802.1X (part of WPA2) / EAP; network device to ISE: RADIUS.

• Credentials provided directly to ISE via EAP (802.1X)
• ISE Validates Credentials Against ID Store
• ISE Providing Authorization Results
Passive ID

Passive Authentication

Data Center: AD, NGFW, ISE. Endpoint to AD: AD Login / Kerberos.

• Credentials not provided directly by user/endpoint
• ISE “trusts” the source that user auth succeeded
• ISE pulls groups and attributes from ID store
Passive ID

What Exists in SBG Today for “Passive-Identity”? (For Your Reference)

FirePOWER Solutions: Source Fire User Agent (SFUA) [MS-AD Only]
• Limited to 5 DC’s per FMC
• No Multi-forest support
• DCOM access required
• Registry hacks prevent adoption
• No way to see Logoff’s
• No way to check if endpoint no longer on network

Content Security (WSA): Cisco Directory Agent (CDA) / pxGrid w/ ISE
• Favorite of customers for WSA Identity
• FREE - some key bugs prevent adoption
• Plans to EoL CDA or roll into ISE
• Requirement to deploy ISE for a NGFW Sale leads to countless losses: Need FREE tool

Cisco ISE: Built-in PBIS for Active-Auth, WMI type solution for Passive-Auth.
• Joins 50 Domains, Queries 2000.
• Huge investment right now in Passive as a complement to Active

ASA (Classic): Context Directory Agent (CDA)
• Favorite of customers for ASA Identity
• FREE - some key bugs prevent adoption
• Plans to EoL CDA or roll into ISE

CWS: CWS Connector / ISR Connector w/ CDA
• CDA has been quite successful
• Registry hacks prevent adoption
• No way to see Logoff’s
• No way to check if endpoint no longer on network

OpenDNS: Agent Sends to Virtual Appliance
• Sends full LDIF export to Cloud

Stealthwatch: Were OEM’ing A10 ID Broker. Log-scraping with NXLog.
• Note: More duplication of efforts
ISE 2.2 Introduces Major Enhancements to PassiveID Capabilities

Passive ID

Passive ID Enhancements at a Glance

• Designed to be the Single ID Solution for ALL Cisco Security Portfolio
  • Best of All Existing Solutions
  • True Single Source of Identity
  • No Longer Need Separate Connection to AD, LDAP, etc.
• New Features & Sources
  • Agents, WMI, Syslog, REST
  • Remotely Check with Endpoints
    • Is Endpoint Still on Network?
    • Is User Still Logged In?
  • Scale to 100’s of DC’s
• Passive Identity Sharing via pxGrid with BASE License
Passive ID

Why customers buy ISE

• Passive ID: Identity sharing with partner eco-system to provide a single source of truth that provides actionable intelligence for better partner solution effectiveness.
• Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
• Guest Access: Fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage guest user experience.
• Access Control: Consistent access control into wired, wireless and VPN networks. 802.1X, MAC, Web Authentication and Easy Connect for admission control.
• BYOD Access: Simplified BYOD management with built-in CA and 3rd party MDM integration for onboarding and self-service of personal mobile devices.
• Segmentation: Topology independent software-defined segmentation policy to contain network threats by using Cisco TrustSec technology.
• Context Sharing: Context sharing with partner eco-system to provide a single source of user and device details for better partner solution effectiveness.
• Threat Control: Security ecosystem partners from a broad variety of technology areas integrate with ISE to take network mitigation and investigation actions in response to security events.
• Device Admin: Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices.
Passive ID

Introducing the ISE-PIC Form-Factor

• Same PassiveID Capabilities of its big brother, ISE.
  • All the passive sources, and sharing capabilities of pxGrid
  • Just in a new, smaller packaging and license
• Very Low Cost
• Passive Identity Only
  • No Authorization. No Policies.
• Everything in one Virtual Appliance (2 for redundancy)
• Simple to Install and Use
• Upgrade to full ISE with Simple License
Passive ID

Vision

Sources and consumers around the ISE or PIC Session Directory: ASA, Cloud Web Security (CWS / ISR Connector), OpenDNS (OpenDNS VA), APIC-DC, APIC-EM, SSX CON, Stealthwatch, FMC, Terminal Services Agent, AD (Syslog & REST), WWW.

Context Attributes Needed:
• Username
• AD Domain Name
• Assigned SGT
• Users’ DN
• Certificate Attribs & Template ID
• AD Group Membership (?)
• Endpoint Profile
• ISE ID Groups (User / Endpoint)
• AD Attributes
• MDM Management Info (Which MDM & State)
• MSE Location
• NDG Location
• Express Raw EPG?
• LDAP / ODBC
• NSX Group Scraping?
• SAML
• (may have to allow SmartSearch Editing)
Passive ID

Input to ISE-PIC / ISE: Kerberos (SPAN), WMI, ISE-PIC Agent, Syslog (custom parsers), REST API, Endpoint Probe (Same User? Still There?). Sources: AD, apps, almost anything.

Output from ISE or PIC: pxGrid Pub/Sub Bus to consumers such as FMC and WWW (web security).
Passive ID

Four Tenets of a Complete Solution

• Learn: Build Binding Table; Multiple Methods
• Share: Pub/Sub; pxGrid; CDA-RADIUS
• Update: Verify Endpoint; Inform of Changes
• Use: Management Interfaces; Caching
Passive ID

For ISE to Build the Bindings of Users and IPs

Learn: Active Directory
• Windows Management Instrumentation (WMI)
  • Active Directory Pub/Sub Messaging
  • ISE Subscribes to Certain Security Events, AD Informs ISE of Events
• ISE-PIC Agent
  • Native Windows Application
  • Load on Domain Controller or Member Server
• SPAN
  • Passively Monitor Kerberos Exchanges and Build Table of Bindings
Passive ID

For ISE to Build the Bindings of Users and IPs

Learn: Syslog Sources
• Custom Parsers w/ Easy Automatic Builder Tool
• Source Types:
  • AAA Servers (ISE, ACS)
  • VPN (F5 VPN, ASA VPN, Nortel VPN), Web Security Appliances (BlueCoat)
  • IP Address Managers (InfoBlox, BlueCat, AD, dhcpd)
    • Provides L2 to L3 Binding Data & DHCP leases used to identify logoff

Learn: REST API Sources
• Terminal Services Agent
  • Same Agent used by Firepower Management Center
  • Citrix and MS Terminal Servers
  • Binds users to IP and source port-range
• Generic API Sources
  • Guest Solutions, Badging Systems and Custom Integrations
Passive ID

Sharing of WHO is on the Network and their IP Address

Share: Platform eXchange Grid (pxGrid)
• Pub/Sub Communication Bus
• Same pxGrid Topics for ISE and ISE-PIC
• Support for 20 Subscribers at FCS
• Simplified Registration / Configuration in ISE & ISE-PIC (v2.2+)
  • Easier Certificate Usages
  • Username / Password / Token Assertion

Share: CDA-RADIUS Interface (Not in FCS Code)
• Legacy Interface used by ASA Classic, CWS and Older WSA Code
• Will be available shortly after ISE 2.2 FCS
  • Maybe in 2.2 Patch 1 (TBD)
Passive ID

Management (Metadata) APIs are Required

Use
• It’s not enough to receive the IP to User Bindings from pxGrid
• The Consumers’ Management Application must know what groups / users exist to build the policies.
• The Management App must know how to tie back the usernames received from pxGrid to the usernames pulled from the Single Source of Truth
• ISE & ISE-PIC can provide that information to the subscribers, but the management apps have to be updated to use ISE as that source of truth.

Simply Put: What’s needed is Policy Authoring and binding of what is configured in the Policy to the information that is received from pxGrid.
Passive ID

Use: Stealthwatch
• Stealthwatch 6.9 uses ISE 2.2 as the Single-Source-of-Truth
  • SW 6.9 will work with ISE 1.3 to 2.1, but less data will be available.
  • Endpoint Protection Services (EPS) works as always
• Stealthwatch 6.8 is the last version of Stealthwatch that should use the syslog method of ISE integration
• Upgrades from 6.8 to 6.9:
  • If pxGrid was configured in 6.8, it will continue to function
  • If syslog only, you will need to reconfigure the ISE connection
• SW adds pxGrid session data to User Table and Flow Attribution
  • No separate Management/Metadata API Required
Passive ID

Use: Firepower Management Center
• Firepower 6.1 & 6.2 are still using their existing “Realms” for the MetaData
  • Configured under System > Integrations > Realms
  • LDAP configuration to Pick Interesting Users and Groups for Access Policies
  • Future Versions could use ISE, and it is a Roadmap Item
• Users and Groups selected from Realms are bound to session data sent via pxGrid
  • Matching entries are added to Identity Cache and sent to Firepower Appliances
• Firepower 6.2 has newer pxGrid libraries
  • Enhanced error-handling
  • Multi-threaded
Passive ID

Use: Web Security Appliance (WSA)
• WSA has CDA-RADIUS interface for CDA Integration
• WSA also has pxGrid interface for SGT-Based Policies
  • No TrustSec with ISE-PIC
  • User-Specific Policies would be necessary with ISE-PIC
  • No Group-Based Policies available in WSA w/ pxGrid today
• When CDA-RADIUS Interface ships for ISE-PIC, could integrate WSA that way.
• Roadmap Item for WSA for full pxGrid Support
  • WSA would use Realms for Metadata
  • Then Binds the pxGrid or CDA-RADIUS data to the selections from the Realms
Passive ID

Identify Changes

Update
• Logoff Detection
  • Endpoint Probe uses WMI to remotely verify endpoint and user are still there.
  • DHCP lease expirations indicate to clear session
  • Remove session from Syslog provider
  • TS Agent removes session
• WMI Update Events
  • Can renew session
  • Can show logoff, and expire the session
• Session Timeouts
  • Purge of inactive sessions
  • Configurable 1-24 hours
A Day in the Life of ID Sharing with Stealthwatch

Passive ID

A Day in the Life of PassiveID w/ Stealthwatch

Participants: User, DHCP, AD, ISE / PIC, Stealthwatch

LEARN
• User joins the network: DHCP Request; DHCP IP Address Assignment
• (Optional) Syslog from DHCP: L2/L3 Binding Added to Session Directory
• Kerberos: User Authenticates to Active Directory
• WMI or Agent Notification: Username:IP_Address Added to Session Directory
• Lookup: Groups & Attribs for User; Groups & Attribs Added to Session Directory

SHARE
• pxGrid: Notify
• pxGrid: Get Info

USE
• Merge ID info into Stealthwatch User Table & Flow Attribution

UPDATE
• Endpoint Probe: WMI: Who is Current User
• Lease Expiration: (Optional) Syslog; Delete Session
• pxGrid: Notify
• Update ID in the Stealthwatch User Table & Flow Attribution
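The LEARN and UPDATE steps of the sequence above, together with the earlier Learn slides (WMI events 4768/4770, DHCP syslog bindings, the endpoint probe and the 1-24 hour purge), as an added Python model that is not from the deck and not Cisco's code: a minimal session directory fed with constructed 4768/4770 event records, a constructed DHCP binding and constructed probe answers. Field names follow the Windows Security event schema; times are seconds on an arbitrary clock.

```python
"""Added example, not from the deck: a minimal PassiveID-style session directory.

Inputs are constructed: Windows Security events 4768 (TGT request) and 4770
(TGT renewal) as ISE would learn them over WMI or the agent, a DHCP lease
binding as a syslog parser would deliver it, and endpoint-probe answers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

KERB_TGT_REQUEST, KERB_TGT_RENEWAL = 4768, 4770   # the two events ISE subscribes to
KERB_SUCCESS = "0x0"                               # Status of a successful TGT request


def client_ip(raw: str) -> str:
    """4768/4770 log the client as an IPv4-mapped IPv6 literal, e.g. ::ffff:10.1.20.7."""
    return raw[7:] if raw.lower().startswith("::ffff:") else raw


@dataclass
class Session:
    ip: str
    user: Optional[str] = None        # None until a Kerberos event binds a user
    domain: Optional[str] = None
    mac: Optional[str] = None         # L2/L3 binding from the DHCP syslog source
    lease_end: Optional[float] = None
    last_seen: float = 0.0


class SessionDirectory:
    def __init__(self, purge_after: float = 3600.0):
        # Inactive-session purge is configurable 1-24 hours on ISE; 1 hour here.
        self.purge_after = purge_after
        self.by_ip: Dict[str, Session] = {}

    def _touch(self, ip: str, now: float) -> Session:
        s = self.by_ip.setdefault(ip, Session(ip=ip))
        s.last_seen = now
        return s

    # LEARN
    def learn_dhcp(self, ip: str, mac: str, lease_end: float, now: float) -> None:
        """IPAM / dhcpd syslog gives the L2/L3 binding and the lease to expire on."""
        s = self._touch(ip, now)
        s.mac, s.lease_end = mac.upper(), lease_end

    def learn_kerberos(self, event: Dict[str, str], now: float) -> Optional[Session]:
        """Bind user to IP from a successful 4768; a 4770 renewal just refreshes it."""
        if event.get("Status") != KERB_SUCCESS:
            return None                    # failed pre-auth etc.: no binding
        if int(event["EventID"]) not in (KERB_TGT_REQUEST, KERB_TGT_RENEWAL):
            return None
        user = event["TargetUserName"]
        if user.endswith("$"):
            return None                    # machine accounts get TGTs too; not a user login
        s = self._touch(client_ip(event["IpAddress"]), now)
        s.user, s.domain = user, event["TargetDomainName"]
        return s

    # UPDATE
    def probe_result(self, ip: str, current_user: Optional[str], now: float) -> None:
        """Endpoint Probe (WMI 'who is the current user'): confirm, replace or clear."""
        if current_user is None:
            self.by_ip.pop(ip, None)       # nobody logged in any more: delete session
        elif ip in self.by_ip:
            self._touch(ip, now).user = current_user

    def expire(self, now: float) -> List[str]:
        """Delete sessions whose DHCP lease ended or that sat idle past the purge window."""
        gone = [ip for ip, s in self.by_ip.items()
                if (s.lease_end is not None and now >= s.lease_end)
                or now - s.last_seen >= self.purge_after]
        for ip in gone:
            del self.by_ip[ip]
        return gone

    # SHARE / USE
    def lookup(self, ip: str) -> Optional[str]:
        """What a pxGrid subscriber (Stealthwatch, FMC) needs: DOMAIN\\user for an IP."""
        s = self.by_ip.get(ip)
        return f"{s.domain}\\{s.user}" if s and s.user else None
```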
Passive ID

A Day in the Life of PassiveID w/ FMC

Participants: User, Firepower, FMC, ISE / PIC, DHCP, AD

USE
• Realms: Lookup Users and Groups (FMC to AD)
• Build Access Policy: Group | Dest IP | Permit/Deny

LEARN
• User joins the network: DHCP Request; DHCP IP Address Assignment
• (Optional) Syslog from DHCP: L2/L3 Binding Added to Session Directory
• Kerberos: User Authenticates to Active Directory
• WMI or Agent Notification: Username:IP_Address Added to Session Directory
• Lookup: Groups & Attributes for User; Groups & Attribs Added to Session Directory

SHARE
• pxGrid: Notify
• pxGrid: Get Info

USE
• Update Access Lists: Group is substituted by Source IP (Src IP | Dest IP | Permit/Deny); Update ACL / Cache

UPDATE
• Endpoint Probe: WMI: Who is Current User
• Lease Expiration: (Optional) Syslog; Delete Session
• pxGrid: Notify
Drill Down into Identity Providers for ISE and PIC

Windows Management Instrumentation (WMI)

Passive ID

Past (CDA and ISE) vs ISE 2.2 & ISE-PIC

• CDA and ISE ≤ 2.1:
  • Config AD and PassiveID DCs in separate places
  • Enter each PassiveID DC manually
  • Registry Hacks on the DCs
  • ~10 Pages of Instructions
• ≥ ISE 2.2:
  • One Place for Active Directory config
  • Automagically lists eligible DC’s
  • Simple as clicking “Config WMI”
  • Interesting AD groups
  • Setup Wizard
  • Can Leverage Agent (See Agent Section)
Passive ID

Windows Management Instrumentation (WMI)

• Remotely Connects to DC’s Leveraging WMI
• Acts like a Pub/Sub communication:
  • ISE-PIC subscribes to certain events
  • WMI alerts ISE-PIC when those events occur
  • 4768 (Kerberos Ticket Granting) & 4770 (Kerberos Ticket Renewal)
• Entries in the Session Directory Expire per the Purge configuration (1-24 hours)
  • If nothing new has been learned / updated
Passive ID

PassiveID Integrated with Active Directory

Join AD in ISE-PIC

Join AD in PIC Continued…: “Store Credentials”

Configure PassiveID in PIC

Configure PassiveID in PIC Continued…: Lists All the DC’s in Domain

Configure WMI in PIC
• Output file /opt/CSCOcpm/logs/ad_agent.log

Test Connection
Passive ID

Working with WMI

• Windows Management Instrumentation is a core Windows management technology
• WMI allows you to manage both local and remote computers
• Does not require installation of an agent in the domain
• Connectivity requirements for a successful WMI connection must be met
  • The ‘Config WMI’ will do it for you
Passive ID

What ‘Config WMI’ Does

• Need 5 things:
  1. Registry Changes
  2. Permissions to use DCOM
  3. Permissions to use WMI Remotely
  4. Access to Read the Security Event Log of the Active Directory Domain Controller
  5. Windows Firewall must allow traffic from / to ISE-PIC
Passive ID

1. Registry Changes (For Your Reference)

• Creating Keys that Add the ID of WBEM Client
  • 76A64158-CB41-11D1-8B02-00600806D9B6
• Add key in 2 locations
  • HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
  • HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
• Listing the ID as a valid App for DCOM
Passive ID

2. Permissions to Use DCOM (For Your Reference)

• User (Domain admin or special user) needs Local and Remote Access
• Dcomcnfg (for example, add DCOM permission for the user shelisha)
Passive ID

3. Permissions to use WMI Remotely (For Your Reference)

• The Active Directory users do not have the Execute Methods and Remote Enable permissions by default. These can be granted by using wmimgmt.msc
  • Allow Execute Methods and Remote Enable
Passive ID

4. Access to Read the Security Event Logs and Distributed COM Users (For Your Reference)

• Add user to 2 groups
  • Event Log Readers group
  • Distributed COM Users group
• Can be configured via the GUI
Passive ID

5. Windows Firewall must allow traffic from / to ISE (For Your Reference)

• Allow traffic from the Windows server to ISE-PIC:
  netsh advfirewall firewall add rule name="Firewall Off ISE-PIC IP" dir=in action=allow protocol=ANY remoteip=<ise-pic-IP>
• It can also be configured via the GUI
Passive ID

NTLM for Authentication

• The Active Directory user used by ISE-PIC can be authenticated either by NT LAN Manager (NTLM) v1 or v2.
• You need to verify that the Active Directory NTLM settings are aligned with the ISE-PIC NTLM settings to ensure a successfully authenticated connection between ISE-PIC and the Active Directory Domain Controller.
Passive ID

PassiveID Settings

Passive ID

Limitations / Etc.
• Can only monitor DC’s in Domains that are Joined Directly
  • i.e.: A Join Point must Exist
• Configuration needs to be per domain controller (on all DCs)
• Uses DCOM (WMI is DCOM Based)
• 100 Monitored DC’s
• Supported Windows versions
  • 2003 and above
  • ‘Config WMI’ only works on 2008 and above
Passive ID

Store Credentials
• Join Creds will be stored encrypted
• Endpoint probe cannot work without it
  • Needs the Admin credentials to enter the endpoint
• Will be used for PassiveID monitored DCs
  • If not checked, then credentials will have to be entered separately for each monitored DC
• Cannot be unchecked in ISE-PIC
Passive ID

Leveraging AD for PassiveID

• Retrieve from AD for every passive identity learned
  • UPN: user@domain
  • DN: CN=Administrator,CN=Users,DC=demo,DC=local
  • Interesting AD groups
• Works for all providers, not just WMI
Passive ID

PassiveID Wizard
• Simple and Easy way to configure AD for PassiveID
• Enter Active Directory and Credentials
• Select interesting AD groups
• Choose DCs to monitor
• Start wizard from two places

Passive ID

ISE-PIC Dashboard

• Monitor the DCs’ connection status

ISE-PIC Agent
Passive ID

ISE-PIC Agent
• Currently, the Agent comes when you Install ISE-PIC, or Upgrade to ISE 2.2.
• Upgrade and Download Agent from Agents tab in UI
• Manually Install or Push from ISE!! Yes, I said Push from ISE
• Native, 32-bit Application
• Agent Requires .Net 4.0 or Above
• Can be installed on Member Server or DC

Passive ID

ISE-PIC & the Agent Communication


• The Agent is the client; it needs to know which server to connect to
  • When pushing from ISE-PIC, it is configured automagically
  • For a manual installation, the admin must tell the Agent which nodes to speak with
• There is NO User Interface for the Agent
  • The admin must create the nodes file
• The Agent can send mappings to more than one ISE-PIC Node – HA
  • Mapping & Configuration are exchanged with only 1 node at a time
  • If an error is received, it moves to the next node in the list

Passive ID

ISE-PIC & the Agent Communication


• 10-second polling, which doubles as the keep-alive
  • Config is provided from ISE-PIC to the Agent during that poll
  • Immediate updates when there is a change
• Every minute the Agent sends the status of the DC connection to ISE-PIC
• Mappings are sent immediately

Passive ID

Push Installation from ISE-PIC


• When deploying from ISE-PIC:
  • Builds the nodes file automatically, including all Passive Nodes from the ISE / PIC Deployment
  • The nodes file is stored in the Agent root folder
  • Leverages ISEExec to run the installation
  • Copies the MSI from ISE to %SYSTEMROOT%
  • Executes the MSI

Passive ID

Deploying Agent from ISE-PIC

Passive ID

Manually Register a Manually Deployed Agent

Passive ID

Agent Is Running

Passive ID

Agent Directory

Passive ID

Agent Nodes File


• Contains the list of ISE-PIC nodes
  • The Agent communicates with one node at a time
  • If an error is received, it moves to the next node in the list
• For Manual Installs: you must put the PIC Nodes in the nodes file
• Read at startup

Passive ID

Agent Config File

• Change logging level
• Change log file size
• Change number of files

Passive ID

Agent Log File

Passive ID
Binding Monitored DC to an Agent

Passive ID

DC is monitored by Agent

Passive ID

Uninstall
• EASY!

Passive ID

Considerations and Limitations


• The Agent can monitor more than one DC
• Reverse lookup
  • Ensure you have configured reverse lookup from the Agent’s IP to hostname on the relevant DNS server(s) used by ISE-PIC
• The Agent uses native Windows APIs
  • The Agent still uses WMI
  • Becoming a “Windows Approved Server”, so it doesn’t need registry hacks
  • If Domain Admin, you don’t need any other changes to Windows AD
• No UI at all
• The Agent runs as a Windows Service
• Manual removal
• When changing the PassiveID nodes, you must manually change the nodes file
  • Must restart the Agent when changing the nodes file – because it’s read at startup

Passive ID

Log Forwarding to Increase Scale

Design Tip (diagram; only partially recoverable from the extraction): DC1 through DC6 forward their event logs to a member server running the Agent, and ISE monitors that forwarding target (“Monitored”) instead of every DC.
https://blogs.technet.microsoft.com/wincat/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows/
Kerberos Sniffing via SPAN
Passive ID

SPAN Configuration
• Make sure Passive Identity Service is enabled:

Administration -> Deployment -> General Settings

Enable Passive Identity Service checkbox

Passive ID

SPAN Configuration
• A list of nodes and interfaces will be displayed, but only for those running the PassiveID Service
• Pick the Node, and then the interface. PassiveID must be running as a prerequisite
• Work Center -> PassiveID -> Providers -> SPAN

Passive ID

Network Configuration
• Configure the switch to SPAN the network traffic from AD
  • Or create a VACL that sends only Kerberos traffic into the SPAN port
• Configure a dedicated port on ISE for SPAN (use this interface only for SPAN traffic)

For Your Reference

REST API Provider
Passive ID

For Your Reference
REST API Provider

• Designed for the Terminal Services Agent (TS-Agent)


• Also usable by any custom integration
  • Customers can integrate their IT environment to share identity information with ISE-PIC, and this information will then be shared with the subscribers
• Not part of ERS
  • Runs as a separate process
  • Port 9094
• The REST API framework implements certificate-based authentication, and the user identity information is delivered to ISE-PIC over a secure socket layer (SSL) in JSON format

Passive ID

For Your Reference
REST API Provider

• API provider enables you to interface with network applications such as the
TS-Agent on a Citrix server, where all users have the same IP address but are
assigned unique ports.

Passive ID

For Your Reference
REST API Provider flow

• For client authentication, ISE-PIC requires an authentication token
  • The initially configured username and password credentials are mandatory
  • This token will be used for all future communication
• Add identity – POST request
  • JSON format with the identity information
  • The response contains the userID
• Remove identity – DELETE request
  • Carries the userID to remove
• All APIs can be found in the Admin Guide

Passive ID

For Your Reference
Configure

Passive ID

For Your Reference
REST API Provider

• API IDs will not be joined to EasyConnect
• Reverse lookup
  • Ensure you have configured reverse lookup from the REST client’s IP to hostname on the relevant DNS server(s) used by ISE-PIC
  • Can configure the client with IP instead of hostname
• High Availability – redundancy is to send requests to 2 nodes
  • But this sends every request twice and adds noise
  • Or use Anycast to do it cheaply
  • Or use a Load Balancer

Syslog Provider
Passive ID

Identity Syslog Sources


• Define syslog clients in order to receive and parse syslog messages
• Configure
  • Host / IP
  • Connection type
    • UDP – port 40514
    • TCP – port 11468
  • Template
  • Default Domain
    • If the domain is not identified in the syslog message for the specific user, this default domain is automatically assigned to the user, in order to ensure that all users are assigned a domain.

Passive ID

Identity Syslog Sources


• Could have any source (theoretically)
• The log message must include:
  • Mapping operation
    • New Mapping (Mandatory)
    • Remove Mapping
  • Data
    • IP Address (Mandatory)
    • Username (Mandatory, unless DHCP)
    • Domain (Optional)
      » Will use the Default Domain if the Domain is not included
    • MAC Address (Optional)

Passive ID

Example: paste the syslog here and it will show you the identified data, as a validation of the parser

Passive ID

Built-In
• Large list of pre-existing templates / parsers

Passive ID

DHCP Syslogs
• DHCP Syslogs from IPAM Providers
• Used for L2<>L3 Bindings (MAC to IP)
• Will not be presented by themselves in the Session Table
• Identity is the Key (Identity Connector)
• Will be merged to an existing session with Identity (based on IP)
• Used for Lease Renewal & Lease Expiration updates
• Expired DHCP Lease will Remove Session from Sessions Table

Passive ID

Details
• Syslog ID’s will not Be joined to EasyConnect
• The syslog service matches the host name from the message to that
which the administrator previously defined in the GUI in order to
identify the correct client template
• Ensure you have configured reverse lookup from the syslog client’s IP to
hostname for the relevant DNS server/s from ISE-PIC side
• Can configure with hostname instead of IP

Passive ID

Details
• High Availability – redundancy is to send syslogs to 2 nodes
  • But this sends every log twice and adds noise
  • Or use Anycast to do it cheaply
  • Or use a Load Balancer
• Not part of MnT syslog parsing
  • Runs as a separate process
  • Different ports

Passive ID

ISE & ACS Details

Flow for a syslog message received in PIC:
1. Is it a 5200 / 3000 / 3001 / 3002 message? No: drop message.
2. Has a Session Id? No: drop message.
3. Branch on the message code:
   • 5200: cache the message based on session id and wait for 3000 / 3002
   • 3001: remove mapping
   • 3000 / 3002: has a 5200 with the same session id arrived before?
     • Yes: contains a domain name? Yes: override the domain. Then, mapping exists? No: create mapping. Yes: update mapping.
     • No: (outcome not recoverable from the extracted diagram)

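The flow above, together with the mandatory fields and Default Domain rule from the Identity Syslog Sources slides, as runnable code. This is an added example, not Cisco's implementation: the message codes, the wait-for-accounting rule, the domain override and the default-domain fallback come from the deck; the line layout, field names, DEFAULT_DOMAIN and the sample messages are constructed, and dropping accounting that has no prior 5200 is an assumption.

```python
import re
from dataclasses import dataclass, field

HANDLED_CODES = {"5200", "3000", "3001", "3002"}
DEFAULT_DOMAIN = "demo.local"   # assumption: the Default Domain set on the syslog source

# Constructed line layout "<pri>Mon DD HH:MM:SS host CODE Name key=value, key=value ...".
# Real ISE/ACS syslogs are richer and are parsed by the PIC templates, not by this regex.
_CODE_RE = re.compile(r"^<\d+>(?:\S+ ){4}(\d{4}) ")
_FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")


@dataclass
class PicState:
    cache: dict = field(default_factory=dict)     # session id -> fields of the cached 5200
    mappings: dict = field(default_factory=dict)  # session id -> {"user", "domain", "ip"}


def parse_line(line):
    """Return (message code, {field: value}); code is None when the line has no 4-digit code."""
    m = _CODE_RE.match(line)
    if not m:
        return None, {}
    return m.group(1), dict(_FIELD_RE.findall(line))


def handle(state, line):
    """Apply one syslog line to the state and return what the flow did with it."""
    code, f = parse_line(line)
    if code not in HANDLED_CODES:
        return "drop"                      # not a 5200 / 3000 / 3001 / 3002 message
    sid = f.get("SessionId")
    if not sid:
        return "drop"                      # no session id
    if code == "5200":                     # passed authentication: cache, wait for accounting
        state.cache[sid] = f
        return "cached"
    if code == "3001":                     # accounting stop: remove the mapping
        state.cache.pop(sid, None)
        return "removed" if state.mappings.pop(sid, None) is not None else "no-mapping"
    auth = state.cache.get(sid)            # 3000 / 3002: accounting start or interim update
    if auth is None:
        return "drop"  # assumption: the diagram shows no path for accounting without a prior 5200
    # The accounting message overrides the domain when it carries one; otherwise keep the
    # domain from the 5200, and fall back to the default domain so every user has one.
    mapping = {
        "user": auth.get("User"),
        "ip": f.get("IP") or auth.get("IP"),
        "domain": f.get("Domain") or auth.get("Domain") or DEFAULT_DOMAIN,
    }
    action = "updated" if sid in state.mappings else "created"
    state.mappings[sid] = mapping
    return action


def process(lines):
    """Run a batch of lines through a fresh state; returns (actions, state)."""
    state = PicState()
    return [handle(state, ln) for ln in lines], state


# Constructed sample messages (not real ISE output).
SAMPLE = [
    "<181>Jan 10 12:00:00 ise01 5200 Passed-Authentication SessionId=0A000001, User=jdoe, Domain=corp.example",
    "<181>Jan 10 12:00:01 ise01 3000 Radius-Accounting-Start SessionId=0A000001, IP=10.56.15.20",
    "<181>Jan 10 12:05:00 ise01 3002 Radius-Accounting-Interim SessionId=0A000001, IP=10.56.15.20, Domain=lab.example",
    "<181>Jan 10 12:05:30 ise01 3000 Radius-Accounting-Start SessionId=0A000002, IP=10.56.15.21",
    "<181>Jan 10 12:06:00 ise01 5200 Passed-Authentication SessionId=0A000004, User=asmith",
    "<181>Jan 10 12:06:01 ise01 3000 Radius-Accounting-Start SessionId=0A000004, IP=10.56.14.7",
    "<181>Jan 10 13:00:00 ise01 3001 Radius-Accounting-Stop SessionId=0A000001",
    "<181>Jan 10 13:00:01 ise01 5400 Failed-Attempt SessionId=0A000005, User=bad",
]

if __name__ == "__main__":
    actions, final = process(SAMPLE)
    for line, act in zip(SAMPLE, actions):
        print(f"{line.split()[4]} -> {act}")
    print("mappings left:", final.mappings)
```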
Endpoint Probe (aka: “Is the user still there”)
Passive ID

Endpoint Probe
• Is the user still there:
• Endpoint is reachable
• Same User is still Logged on
• Requires Administrative Privilege on Endpoint
• Domain Admins Group
• Uses the Stored Credentials from the Join Point
• Will not work without those

Passive ID

Endpoint Probe – Active Directory


• Windows Only
• Saved Domain Admin Creds will be Used

Passive ID

Endpoint Probe flow


• Runs every 4 hours (not configurable)
• Tries WMI for the Endpoint first
  • Easier & faster
• If WMI fails, then ISEExec will be run
  • Queries the Endpoint for the User
  • Enables WMI for next time
• Also retrieves
  • MAC address
  • OS type (Endpoint profile)
• Reverse lookup is mandatory – translate the IP to a hostname

Passive ID

Endpoint Probe session


• Tracking the Identity Session
  • If the endpoint is unreachable – no update
  • If the same user is logged in – update the session with new info (MAC, OS type, last seen)
  • Otherwise, remove the session
• The Endpoint Probe is also used in conjunction with EasyConnect
  • When the user is no longer there, a CoA is sent to the NAD to end the Network Session

Passive ID

Endpoint Probe Configuration – ISE Only

• Designed for Scale
• Only in ISE
• PSNs configured to “Own” subnets
  • Similar to AD Sites & Services
  • Configure the closest PSN to do the probing
  • If a subnet does not exist here it will not be queried
• Comma-separated subnets
  • 10.56.15.0/24,10.56.14.0/24

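An added example (not ISE's own code) of the subnet-ownership lookup described above: given each PSN's comma-separated subnet string, it decides which PSN probes a session's IP and which sessions will never be queried because no configured subnet covers them. The PSN names, the subnets other than the slide's two, and the most-specific-subnet tie-break for overlapping entries are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed configuration: PSN name -> the comma-separated subnet string from the UI.
PROBE_OWNERSHIP = {
    "psn-sjc": "10.56.15.0/24,10.56.14.0/24",
    "psn-rtp": "10.60.0.0/16",
    "psn-rtp-dc": "10.60.5.0/24",   # nested inside psn-rtp's /16
}


def parse_ownership(cfg):
    """Turn the UI strings into {psn: [IPv4Network, ...]}.

    strict=True rejects host bits set in the prefix (e.g. 10.56.15.1/24), so a typo in the
    UI string surfaces here instead of silently leaving those sessions unprobed.
    """
    table = {}
    for psn, subnets in cfg.items():
        table[psn] = [ipaddress.ip_network(s.strip(), strict=True)
                      for s in subnets.split(",") if s.strip()]
    return table


def owning_psn(table, ip):
    """Return the PSN that probes `ip`, or None when no configured subnet covers it.

    Assumption (not stated on the slide): when subnets overlap, the most specific one wins,
    the way AD Sites & Services resolves nested subnets.
    """
    addr = ipaddress.ip_address(ip)
    best_psn, best_len = None, -1
    for psn, nets in table.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_psn, best_len = psn, net.prefixlen
    return best_psn


def plan_probes(cfg, session_ips):
    """Group session IPs by the PSN that will probe them; 'unprobed' holds uncovered IPs."""
    table = parse_ownership(cfg)
    plan = defaultdict(list)
    for ip in session_ips:
        plan[owning_psn(table, ip) or "unprobed"].append(ip)
    return dict(plan)


if __name__ == "__main__":
    # Constructed passive-session IPs, as they would sit in the session table.
    sessions = ["10.56.15.20", "10.56.14.7", "10.60.5.9", "10.60.7.1", "192.168.1.5"]
    for psn, ips in plan_probes(PROBE_OWNERSHIP, sessions).items():
        print(f"{psn}: {', '.join(ips)}")
```

The "unprobed" bucket is the one to watch in an audit: a session there keeps its passive identity until something else removes it, because no PSN will ever ask whether the user is still logged on.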
Passive ID

Endpoint Probe – Manual Check


• Query endpoint on demand

For Your Reference

Mapping Filters
Passive ID

For Your Reference
Mapping Filters

• Prevents Passive Sessions from Being Created & Shared


• Ex: Admin remotely logging into computer to solve problem

Deploying ISE-PIC
Passive ID

It’s the same code!

Different License

Separate ISOs & OVAs for Tracking Purposes

Passive ID

ISE-PIC Platforms
• Install Choices:
• 3315 and 3595 Virtual Appliances
• Standard ISE .ISO / .OVA
• ISE-PIC .ISO & .OVA
• Hardware Shipping with PIC Pre-Installed is on Roadmap

Passive ID

Deployment
• Max of 2 nodes in a deployment
• The Secondary node is for High Availability only
  • In case of Primary failure, all features will still run on the Secondary except the UI
  • Only manual promotion to Primary will enable the UI
• You cannot change the services running on a PIC persona
  • But you can change Primary / Secondary

Passive ID

Simplified Deployment Process


• Much easier to register the Secondary Node
  • No longer need to deal with bi-directional certificate trusts
  • No need to “Make Primary” before joining them together
  • No selection of Personas or Services
  • Prompts on the Primary to trust the Secondary certificate
• The new, simple method is not available on ISE
  • Only ISE-PIC

Passive ID

Simple

Passive ID

Enable PassiveID in ISE node

• Will enable all passive identity providers
• Same functionality as ISE-PIC

Licensing and Upgrade To Full Blown ISE
Passive ID

Licensing
• ISE-PIC installs with a 90-Day PIC License
• Enables PassiveID Functions
• Limited UI
• pxGrid for Cisco Consumers Only
• CA for pxGrid Only
• No Portals, No Guest
• No RADIUS or TACACS+
• No Profiling, No BYOD
• No Authentication. No EasyConnect.
• No TrustSec. No Authorization of any kind.
• No 802.1x

Passive ID

Licensing
• Each perpetual license is uploaded to a single ISE-PIC node and a separate
license is required for the second node, if you have two nodes in the deployment
• Generate a separate license for each UDI and then add the licenses to each
node separately
• After you install Cisco ISE-PIC and initially configure the appliance as the
primary node, you must obtain a license for Cisco ISE-PIC and then register that
license
• Register all licenses via the primary and secondary node hardware UID

Passive ID

Upgrading to ISE
• Step 1: Install an Upgrade License
• Converts the low-cost PIC VM to a full-cost ISE VM
• Step 2: Install BASE license
• Now a full-blown ISE install
• Step 3: Shake your head in amazement. That is really all it takes.

Passive ID

Upgrading to ISE
• When upgrading from ISE-PIC to the base license for ISE, ISE continues to offer
all features that were available to you in ISE-PIC prior to upgrade and you will
not need to re-configure any settings that you had already configured
• You can perform the full upgrade process by first installing the ISE-PIC Upgrade
License on the node and then:
• Adding the upgraded ISE-PIC node to an existing ISE deployment
• The node receives the deployment’s configuration
• Installing at least a Base license
• Once you upgrade to a full ISE deployment, you cannot roll back to the previous
ISE-PIC installation

Passive ID

Licensing

ISE-PIC           Limited pxGrid, CA (pxGrid), Limited GUI, PassiveID, etc.
Upgrade License   Used to allow the Base License to install
Base License      RADIUS RUNTIME, Active Authentications, etc.
Plus License      Full pxGrid + Profiling + etc.

For Your Reference

Comparison Tables
Passive ID

ISE vs. PIC vs. CDA Comparison Summary

Authentication & Authorization Types   Full ISE   ISE-PIC   CDA   SFUA
Authorization Policies                 Yes        –         –     –
TrustSec                               Yes        –         –     –
Network Access AAA w/ RADIUS           Yes        –         –     –
Device Admin AAA w/ TACACS+            Yes        –         –     –
BYOD                                   Yes        –         –     –
GUEST                                  Yes        –         –     –
Posture                                Yes        –         –     –
Attributes from AD                     Yes        –         –     –
Passive ID

ISE vs. PIC vs. CDA Comparison Summary

Passive Auth Details             Full ISE    ISE-PIC     CDA   SFUA
# of Domain Controllers          100         100         80    5 / 25**
# of Subscribers                 20          20          –     5 FMCs
WMI (Agentless)                  Yes         Yes         Yes   –
Windows Server Agent Available   Yes         Yes         –     Yes
DCOM Required                    No (SPAN)   No (SPAN)   Yes   Yes
Easy Connect                     Yes         –           –     –
Kerberos sniffing w/ SPAN        Yes         Yes         –     –
Passive ID

ISE vs. PIC vs. CDA Comparison Summary

Passive Auth Continued        Full ISE   ISE-PIC                  CDA   SFUA
Endpoint Probe                Yes        Yes                      –     Yes
Syslog ID Sources             Yes        Yes                      –     –
DHCP Sources (Validation)     Yes        Yes                      –     –

pxGrid                        Full ISE   ISE-PIC                  CDA   SFUA
pxGrid Controller             Yes        Cisco Subscribers Only   –     –
pxGrid Topic Extensibility    Yes        –                        –     –
pxGrid on Dedicated Node(s)   Yes        –                        –     –
Passive ID

ISE vs. PIC vs. CDA Comparison Summary

Certificate Authority (CA)               Full ISE   ISE-PIC   CDA   SFUA
pxGrid Certificate Templates             Yes        Yes       –     –
Endpoint CA                              Yes        –         –     –
Enrollment over Secure Transport (EST)   Yes        –         –     –
SCEP                                     Yes        –         –     –
Other Certificate Templates              Yes        –         –     –
Passive ID

ISE vs. PIC vs. CDA Comparison Summary

Visibility & Context   Full ISE   ISE-PIC   CDA   SFUA
Context Visibility     Yes        –         –     –
Profiling              Yes        –         –     –
Reports                Yes        Yes       ?     ?
Send Syslogs           Yes        No        –     –
Passive ID

What Merges with Easy Connect?

Provider            Merges with Easy Connect?
WMI                 Yes
ISE-PIC Agent       No
Endpoint Probe      Yes
Syslog (Identity)   No
Syslog (DHCP)       No
SPAN (Kerberos)     No
API Provider        No

~10min
Agenda
• Introduction
• ISE as Center of Security EcoSystem
• Context Sharing w/ pxGrid
• RTC and TC-NAC
• Passive vs. Active Identities
• Passive ID Enhancements in ISE 2.2
• The Future of Secure Network Access
• Conclusion

The Future of Secure Network Access
TEAP

Problems we Face Today w/ Secure Network Access

What Certificates do I Trust For EAP?

How can I easily get a Certificate onto my Systems

Easily Renew My Certificates

Identify Computer and User

TEAP

TEAP vs. Other EAP Types

Columns: EAP-TEAP (RFC-7170) | EAP-FASTv2 (Proprietary) | EAP-TTLS (RFC-5281) | EAP-PEAP
Rows:
• Certificate Provisioning in-band
• Distribute EAP Server Trust-List
• User + Machine EAP Chaining
• Posture Transport in-band (PT-TLS or PT-EAP)
• Certificate Renewals in-band
• Fast Reconnect w/ Server
• Fast Reconnect w/ PAC File
(The per-cell check marks were graphics and did not survive extraction.)
TEAP

Real World Issues TEAP Would Help With


Example education customer:
• ONLY 6,000 Endpoints (all BYOD style)
• 10M Auths / 9M Failures in 24 hours!
• 42 different failure scenarios – all related to clients dropping TLS (both PEAP & EAP-TLS).

Supplicant list:
• Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N

5411 No response received during 120 seconds on last EAP message sent to the client
• This error has been seen at a number of Escalation customers
• Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.

TEAP

Recreating the Issue


Yes, my Wife was Absolutely THRILLED that this was completed in the kitchen!!

TEAP

Recreating the Issue


Cisco Cius Android 2.2.2 / Kernel 2.6.31.6-mrst
iPad1 iOS 5.1.1 (9B206)
Galaxy Player Android 2.3.5 / Kernel 2.6.35.7
iPad2 iOS 6.0.1 (10A523)
Galaxy TAB 10.1 Android 4.0.4 / Kernel 3.1.10
iPad Mini iOS 6.1.2 (10B146)
Galaxy Tab 2 Android 4.1.1 / Kernel 3.0.31
iPhone 4 iOS 6.0 (10A403)
Acer A110 Tab Android 4.1.2 / Kernel 3.1.10
iPhone 5 iOS 6.1.3 (10B329)
Google Nexus7 Android 4.2.2 / Kernel 3.1.10-g05b777c
Nook HD Nook 2.1.0
iPod Touch 1Gen iOS 3.1.3 (7E18)

MacBook Pro 17 OSX 10.7.5


MacBook Air OSX 10.8.2 (12C30006)
Kindle Fire HD Version 7.3.0_user_3013320
Microsoft Surface WindowsRT
Win7 Native Windows7 Ultimate ServicePack1
WinXP Native WindowsXP SP3
Windows 8 Native Windows 8 Native Supplicant

TEAP

Clients Misbehave: Apple Example

• Multiple PSNs: ISE-1 (ise1.ise.local) and ISE-2 (ise2.ise.local)
• Each cert signed by a Trusted Root (Cert Authority)
• Apple requires Accept on all certs!
• Results in 5411 / 30sec retry

Apple iOS & MacOS WiFi Profile, connecting through the NAD / SSID:
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client roams
5. Authentication goes to ISE-2
6. Client prompts for Accept
TEAP

WorkAround: Common Cert, Wildcard in SAN


Allows anything ending with the Domain Name.
The same EXACT Private / Public Key may be installed on all PSNs.

TEAP

Workaround: Common Cert, Wildcard in SAN

• CN=psn.ise.local
• SAN contains all PSN FQDNs (psn.ise.local, *.ise.local)
• The same psn.ise.local certificate, signed by the Cert Authority, is installed on ISE-1 and ISE-2
• Tested and works with: comodo.com CA, SSL.com CA, Microsoft 2008 CA
• Failed with: GoDaddy CA -- they don’t like * in SAN, and they don’t like non-* in CN

Apple iOS & MacOS WiFi Profile, connecting through the NAD / SSID:
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client roams
5. Authentication goes to ISE-2
6. Client already trusts the cert
TEAP

Added RADIUS Server, Your Network + MDM

Scenario 1 (RADIUS Servers A, B, C):
1. MDM pushes Network Config + EAP Certs
2. Joins Network
3. EAP Authentication ✓
Managed Endpoint is pre-populated with Network Configs and the List of EAP Certs to Trust.

Scenario 2 (RADIUS Servers A, B, C, D, E, F):
1. MDM updates the List of EAP Certs
2. Joins Network
3. EAP Authentication ✓
Managed Endpoints can be updated early to be ready for new RADIUS servers.

TEAP

Added RADIUS Server – Not Your Network

Scenario 1 (RADIUS Servers A, B, C):
1. Joins Network; First Certificate Not Trusted
2. Manually Accepts New Server
3. On-Board provides all RADIUS EAP Certs
4. EAP Authentication ✓
Contractor goes to work at Customer, and on-boards. Is given the certificate of the RADIUS Server(s).

Scenario 2 (RADIUS Servers A, B, C, D, E, F):
1. Joins Network
2. EAP to New RADIUS Server
3. X – authentication fails
When Servers are Added or Changed in the Environment, the Endpoint doesn’t get the new Certs. Connection Fails.

TEAP

Workaround: Common Cert, Wildcard in SAN

• Breaks accepted security practices
  • Loading the same private key on multiple RADIUS servers
  • Leverages wildcard values
  • Security practices dictate: unique certificates for each unique endpoint
• How to get multiple RADIUS servers’ certificates trusted on the endpoint?
  • Adding new servers
  • Different locations

TEAP
TEAP Solution to the EAP Server Cert Problem

Participants: Endpoint, Wi-Fi, Auth Servers, ID Repository
1. Association Request to WPA2 Protected Wi-Fi
2. EAPoL ID-Req
3. TLS Tunnel Establishment
4. EAP-TEAP: MSCHAPv2 username / password -> RADIUS Access-Request -> Authenticate Uname/Pwd against the ID Repository -> ACCEPT | REJECT
5. EAP-TEAP: EAP Server Trust List, Req Certificate (in the RADIUS Access-Accept) -> Endpoint updates its Cert Trust List
6. EAP-TEAP: EST Certificate Enrollment Request
7. EAP-TEAP: EST CSR Response
8. RADIUS CoA, then EAPoL ID-Req
9. 802.1x auth (EAP-TEAP: TLS Inner Method w/ device Certificate) -> validate device certificate

TEAP Handles:
• Certificate Renewal
• Updating the List of Trusted EAP Servers
TEAP

Identifying the Machine AND the User


The next chapter of authentication: EAP-Chaining

• Is this a corporate Asset (Machine Credential)


• Is this a valid & authorized employee? (User Credential)
• Cisco did it YEARS before TEAP was/is adopted
• EAP-FASTv2
• AnyConnect 3.1+
• Identity Services Engine 1.1.1+
• **Adopted & in Production at Organizations World-Wide!
• Only True Chain of Machine + User

TEAP

EAP-Chaining
With AnyConnect 3.1.1 and ISE 1.1.1

1. Machine Authenticates
2. ISE Issues Machine AuthZ PAC

Authorization rules (Rule Name: if Conditions then Permissions):
• IP Phones: if Cisco-IP-Phone then Cisco_IP_Phone
• MachineAuth: if Domain Computers then MachineAuth
• Employee: if Network Access:EAPChainingResult = User and machine succeeded then Employee
• GUEST: if GUEST then GUEST
• Default: if no matches, then WEBAUTH

Exchange (Endpoint <-> NAD switchport <-> PSN):
• EAPoL Start
• RADIUS Access-Request [EAP-Tunnel = FAST]
• EAP-Request:TLV [EAP-TLV = “Machine”] (RADIUS Access-Challenge)
• EAP-Response TLV = “Machine” [EAP-ID=Corp-Win7-1] -> RADIUS Access-Request [EAP-TLV = “Machine”]
• RADIUS Access-Accept (Machine AuthZ PAC issued) -> EAP Success
TEAP

EAP-Chaining
With AnyConnect 3.1.1 and ISE 1.1.1

3. User Authenticates
4. ISE receives Machine PAC
5. ISE issues User AuthZ PAC

Authorization rules: the same table as the previous slide (IP Phones, MachineAuth, Employee with Network Access:EAPChainingResult = User and machine succeeded, GUEST, Default -> WEBAUTH).

Exchange (Endpoint <-> NAD switchport <-> PSN):
• EAPoL Start
• RADIUS Access-Request [EAP-Tunnel = FAST]
• EAP-Request:TLV [EAP-TLV = “Machine”] (RADIUS Access-Challenge)
• EAP-Response TLV = “User” [EAP-ID=Employee1], presenting the Machine PAC -> RADIUS Access-Request [EAP-TLV = “User”]
• RADIUS Access-Accept (User AuthZ PAC issued) -> EAP Success
TEAP

For Your Reference
EAP-Chaining FAQ

Q: I use MSChapV2 today, can I use that with EAP-Chaining?
A: TEAP & EAP-FAST are tunneled EAP methodologies; you may use whichever inner methods you would like, as long as both the supplicant and RADIUS server support the protocol(s). I.e.: EAP-TLS, EAP-MSChapV2, EAP-GTC.

Q: What Supplicants Support EAP-Chaining Today?
A: Today, only Cisco AnyConnect NAM has support, through EAP-FASTv2. Please talk to your OS Vendors about supporting TEAP in their native supplicants!

Q: Can I chain certificates with username/passwords?
A: Yes! You may mix and match the machine and user credential types however you see fit. I.e.: Machine Certificates + User Certificates, or Machine Certificates + Username/Passwords, or Machine Passwords + Username/Passwords, etc.

Complete Your Online
Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Cisco Spark
Ask Questions, Get Answers, Continue the Experience

Use Cisco Spark to communicate with the Speaker and fellow participants after the session

Download the Cisco Spark app from iTunes or Google Play

1. Go to the Cisco Live Berlin 2017 Mobile app
2. Find this session
3. Click the Spark button under Speakers in the session description
4. Enter the room, room name = BRKSEC-3697
5. Join the conversation!

The Spark Room will be open for 2 weeks after Cisco Live

Shameless Plug

Recommended Reading
Buy our books, help us afford more beer!

http://amzn.com/1587144263

http://a.co/5h1W1zK
http://a.co/iir9D6E

Please Fill Out The Survey!

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you
For Your Reference

Step-by-Step Configuration of pxGrid, Cert Portal, Firepower Manager, Stealthwatch & WSA Integration
Context Sharing

For Your Reference

Deployment Notes
• Can do CSR’s one at a time, but Bulk Download works well, too.
• Pro Tip: Don’t bother with CSR’s – just generate certificate pairs from the
Portal.
• Best Practice, Follow an Order of Operations:
• Don’t enable pxGrid until all nodes have a pxGrid certificate.
• Wait for all the services to come up on 1st PSN before you enable pxGrid on the 2nd
PSN

Context Sharing

Edit the Certificate Provisioning Portal
Context Sharing

Setup the Portal
Context Sharing

Create a Network User
This will be used as an Admin User in the next step. Must match the Group chosen on the last slide.
Context Sharing

Make an Admin User from the Network User
Context Sharing

Add User to Super Admin Group
Only Super Admin & ERS Admin Roles can Issue pxGrid Certs
Context Sharing

Login to the Certificate Provisioning Portal
https://certs246.securitydemo.net
Context Sharing

Login to the Certificate Provisioning Portal
Generate Bulk Certs w/ pxGrid Template. Prefer to use a pxGrid Prefix in CN. 1 per ISE Node
Context Sharing

Download the Certificates
Context Sharing

Extract the Zip File
There are Key-Pairs per node + ISE CA Roots + ISE Admin Roots – All PEM Encoded
• ISE CA Certificates
• One Cert + Key Per Node
• ISE Admin Root Certificates (can Ignore)
Context Sharing

Import the Cert Pairs for Each Node
1 at a time, for pxGrid Usage. Rinse / Repeat per ISE node
Context Sharing

Delete the old, Self-Signed Cert
For Cleanliness
Now that all the ISE Nodes have their pxGrid Certificates: It’s time to enable pxGrid
Context Sharing

Enable pxGrid on the First PSN
Admin > System > Deployment

Best Practice: To ensure a predictable & successful deployment, the order of operations should be followed.
• Don’t enable pxGrid until all nodes have a pxGrid certificate.
• Wait for all the services to come up on the 1st PSN before you enable pxGrid on the 2nd PSN.
Context Sharing

After Enabling pxGrid – Services will Start
After Services Start, PAN & MnT will Automatically Publish Topics
Context Sharing

Enable pxGrid on the Second PSN
Admin > System > Deployment

Best Practice: To ensure a predictable & successful deployment, the order of operations should be followed.
• Don’t enable pxGrid until all nodes have a pxGrid certificate.
• Wait for all the services to come up on the 1st PSN before you enable pxGrid on the 2nd PSN.
Configuring Stealthwatch 6.9 with ISE-PIC / ISE
Context Sharing

Step 1 – Download System Certificate from ISE

ISE PIC: Certificate Management > System Certificates

Select the Certificate Issued by Certificate Services Endpoint Sub CA – ise-pic-4 and select Export

Select Export Certificate Only

A .pem file is downloaded to the system

Note: You may need to unblock pop-up menus for the download
Context Sharing

Step 2 – Gen PKCS12 Bundle Certificates on ISE / PIC

ISE: Work Centers > PassiveID > Subscribers > Certificates
PIC: Subscribers > Certificates

The Common Name will be used to name the exported file and used in the certificate. It is recommended to use the Fully Qualified Domain Name for this field.

Select PKCS12 format

This password will be requested when uploading to the Stealthwatch SMC

A .zip file will be created. Unzip this file to access the .p12 file.
Note: You may need to unblock pop-up menus for the download
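Between unzipping the bulk download (the "Extract the Zip File" slide) and handing a PKCS12 bundle to a subscriber such as the Stealthwatch SMC (Step 2 above), it pays to check the material offline rather than discover a mismatch when the subscriber fails to connect. The script below is an added example and is not code from the session or from Cisco: it mints a throwaway root and node certificate to stand in for the ISE CA output, then runs the checks a practitioner would run on the real files (private key matches the certificate, certificate chains to the ISE CA root from the same zip, CN carries the chosen pxGrid prefix, both TLS EKUs present) and bundles the pair as a password-protected .p12 that it immediately re-opens. The file names, the `pxgrid-` prefix, the hostname and the password are constructed assumptions; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the session deck: sanity-check a pxGrid certificate
# and key extracted from the ISE Certificate Provisioning Portal zip, then
# bundle them as PKCS12 with a known password before uploading to a subscriber.
# Needs only the openssl CLI. Every file name and hostname here is an assumption.
set -e
WORK="${WORK:-$(mktemp -d)}"

# --- Constructed stand-in for the portal download --------------------------
# The real zip holds one PEM cert + key per ISE node plus the ISE CA roots.
# We mint a throwaway root and one node certificate so the checks run offline.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed ISE Root CA" \
    -keyout "$WORK/ise-root.key" -out "$WORK/ise-root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=pxgrid-psn1.example.test" \
    -keyout "$WORK/psn1.key" -out "$WORK/psn1.csr" 2>/dev/null
  # A pxGrid endpoint acts as both TLS server and TLS client, so the issuing
  # template must grant both EKUs (general pxGrid requirement, not on the slide).
  printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:pxgrid-psn1.example.test\n' \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/psn1.csr" -CA "$WORK/ise-root.pem" \
    -CAkey "$WORK/ise-root.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ext.cnf" -out "$WORK/psn1.pem" 2>/dev/null
}

# 1. Does the private key belong to the certificate? Compare public-key hashes.
key_matches_cert() {            # usage: key_matches_cert cert.pem key.pem
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ] && echo match || echo MISMATCH
}

# 2. Does the certificate chain to the ISE CA root shipped in the same zip?
chains_to_root() {              # usage: chains_to_root cert.pem root.pem
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# 3. Does the CN carry the agreed pxGrid prefix (one certificate per ISE node)?
cn_has_prefix() {               # usage: cn_has_prefix cert.pem prefix
  cn=$(openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  case "$cn" in "$2"*) echo ok ;; *) echo FAIL ;; esac
}

# 4. Are both TLS EKUs present? pxGrid needs server and client authentication.
has_both_ekus() {               # usage: has_both_ekus cert.pem
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in
    *"TLS Web Server Authentication"*"TLS Web Client Authentication"*|\
    *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) echo ok ;;
    *) echo FAIL ;;
  esac
}

# 5. Bundle cert + key (+ issuing root) as PKCS12 under the password the SMC
#    upload will ask for, then prove the bundle opens with that password.
build_p12() {                   # usage: build_p12 cert.pem key.pem root.pem out.p12 password
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name "$(basename "$1" .pem)" -out "$4" -passout "pass:$5" 2>/dev/null
  if openssl pkcs12 -in "$4" -passin "pass:$5" -nokeys -noout 2>/dev/null; then
    echo ok; else echo FAIL; fi
}

# Stand-alone run: build the fixture and print one line per check.
make_fixture
echo "key/cert:  $(key_matches_cert "$WORK/psn1.pem" "$WORK/psn1.key")"
echo "chain:     $(chains_to_root "$WORK/psn1.pem" "$WORK/ise-root.pem")"
echo "cn prefix: $(cn_has_prefix "$WORK/psn1.pem" pxgrid-)"
echo "ekus:      $(has_both_ekus "$WORK/psn1.pem")"
echo "pkcs12:    $(build_p12 "$WORK/psn1.pem" "$WORK/psn1.key" "$WORK/ise-root.pem" "$WORK/psn1.p12" 'Constructed-Pass1')"
```

On a real deployment, point the functions at the per-node cert and key and at the ISE CA root from the zip instead of the fixture. The EKU check reflects the general pxGrid requirement that the certificate serve both the client and the server role, which is also what an MS CA pxGrid template (final slide) has to grant; the deck itself does not spell it out. OpenSSL 3 writes PKCS12 bundles with its modern default ciphers; if an appliance refuses such a bundle, regenerating it with the `-legacy` option is the usual workaround.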
Context Sharing

Step 3 – Navigate to Administer Appliance

Select the Administer Appliance Menu from the Global Settings icon. The Admin screen will appear in a separate tab of your browser
Context Sharing

Step 4 – Upload the Certificate Authority Certificate

SW (Admin Appliance): Configuration > Certificate Authority Certificates

Upload the .pem file previously downloaded from ISE and select Add Certificate. The Certificate will then appear in the records displayed at the top of the screen.
Context Sharing

Step 5 – Upload SSL Client Cert in Stealthwatch

SW (Admin Appliance): Configuration > SSL Certificate

IMPORTANT: Scroll to the Upload PKCS12 Bundle section to create a friendly name, add the password and upload the .p12 file.
Context Sharing

Step 6 – Complete ISE Configuration Setup

SW: Deploy > Cisco ISE Configuration

The Cluster Name will be used to refer to the ISE Cluster in the Stealthwatch UI

The Friendly Name for the uploaded .p12 Certificate file will be available here

A Primary pxGrid Node is required for the configuration. A secondary pxGrid Node can be added for High Availability

The User Name will appear as the Subscriber’s Client Name in ISE. The connection cannot be finalized until this Client is accepted on ISE

Save the configuration to send the information necessary to create and accept the Subscriber in ISE.
Context Sharing

Step 7 – Accept the Subscriber in ISE

ISE-PIC: Subscribers > Clients
ISE: Administration > pxGrid Services

Select the Subscriber’s Client name and select the “Approve” option
Context Sharing

Step 8 – Refresh Config Page and Confirm Connectivity

SW: Deploy > Cisco ISE Configuration

The connection status shows green when Stealthwatch and ISE are communicating. If yellow, hover over the status indicator for more information
FMC Configuration Example
Context Sharing

Configuring the FMC
Use the ISE Root CA for the pxGrid servers & the MnT Server
• Primary pxGrid PSN
• 2ndary pxGrid PSN
• ISE Root CA Certificate
Context Sharing

Add the ISE Root CA to FMC
Assign Root CA Cert to pxGrid Server CA and MNT Server CA
Context Sharing

Add the pxGrid Certificate for the FMC
Just like the ones for the ISE Nodes
Context Sharing

Success
firesightisetest-sourcefire3d = The Test Subscription (test button)
iseagent-sourcefire3d = The FMC’s production Connection
WSA Configuration Example
Context Sharing

WSA Configuration - Part 1/3
Use the ISE Root CA Cert for Both pxGrid Nodes
• Primary pxGrid PSN
• 2ndary pxGrid PSN
• ISE Root CA Certificate
Context Sharing

WSA Configuration - Part 2/3
Use the same ISE Root CA Cert for Both Monitoring Nodes
• ISE Root CA Certificate
Context Sharing

WSA Configuration - Part 3/3
Install the WSA’s pxGrid Cert & Key from the ISE CA
Don’t Test until after Submit
Context Sharing

Success
The WSA Subscribes to both Session Directory & TrustSecMetaData Topics
-pxgrid_client = The WSA’s production Connection
-Test_client = The WSA’s Test Connection
Context Sharing

pxGrid Certificate Template (MS Cert Authority)