
IDENTITY SERVICES ENGINE

(ISE)
INTRODUCTION
What is the ISE?

ISE is a software/hardware appliance that authenticates and authorizes the
users and devices connected to a network.

It is a centralized authentication service, similar to Cisco's earlier
AAA server, ACS.

Deploying an ACS or ISE server in the network is part of Cisco's TrustSec
model.
TrustSec Solution Overview
• TrustSec helps secure networks by enforcing identity-based access policies.
• It answers the following questions about each connection:
  – Who? (which user or device is connecting)
  – What? (what it may access)
  – Where? (where it connects from)
  – How? (by which method it connected and authenticated)
The Pillars
• Authentication
  – 802.1X
  – MAB (MAC Authentication Bypass)
  – Web authentication
• Authorization
  – VLAN assignment
  – DACL (downloadable ACL)
AAA

Authentication – Who can access?

Authorization – What can the user access or do?

Accounting – What did the user do while logged in?

AAA centralizes the management of login, privilege level, and the record of
what users do once they log in to a device.
So why did Cisco come up with ISE when ACS could already do the job?
ISE

ISE was first released in mid-July 2011.

ISE was released to provide more advanced and more flexible policy
definition.

At the time of its release it was the only product that could identify which
devices were connected to a network.

ACS and the other vendors' products could only authenticate and authorize a
user or device; they could not identify the type of device and apply policy
based on that.
HOW ISE Identifies

Example
The need to identify devices: BYOD

In today's world of electronics, organizations have a BYOD (Bring Your Own
Device) policy.

BYOD is a strategy to boost employee productivity: employees use a platform
of their own choosing and connect it to the corporate network in order to
reach network resources.

The days when employees used only their corporate laptops to access the
network are gone.

As a network administrator this creates many challenges: you are granting
access to more platforms, and therefore exposing the network to more OS
vulnerabilities that could be used to compromise it.
Merits of ISE over ACS

ISE can identify which devices are connected to the network.

ISE can recognize the OS of a connected endpoint and apply policy based on
it.

ISE supports posture assessment.

ISE can also restrict access based on where the user connects from.
The ISE server is not designed to be the box where usernames, passwords and
other credentials are stored. ISE is not a database server; it is an
authentication and authorization engine, a policy decision engine.
Credentials and other authentication material such as usernames and
passwords, certificates, MAC addresses or OTP secrets are typically kept in
an external identity store, not on ISE itself.

ISE is primarily used for defining and storing policies.

What are policies?
Policies are if-then statements: if a set of conditions about the session
matches, then a result (permit or deny, VLAN, DACL, ...) is applied.
DIRECTORY SERVERS

Generally, organizations do not keep all the credentials on the ISE but
integrate the ISE with an external directory server.

What is a directory server?
A directory server is a database of identity information. Attributes such as
first name, last name, email address, username, password, login time, logout
time etc. are stored here.

1> Microsoft's directory server is Active Directory (AD)
2> LDAP (Lightweight Directory Access Protocol) is the open standard
   protocol; OpenLDAP is the common open-source implementation
3> Oracle Directory Server (formerly Sun Directory Server)
• A username in AD must be predefined for ISE to use when joining the domain
• The ISE admin user performing the join must have the "Super Admin" or
  "System Admin" role
• AD cannot reside behind a NAT device
• Once ISE has joined the AD domain we can use ISE to configure and
  retrieve AD groups.
  – These groups can be used as authorization policy conditions
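To make the "policies are if-then statements" idea and the use of AD groups as authorization conditions concrete, here is an added example of a first-match authorization policy evaluator in Python. It is illustrative code written for this page, not ISE's own implementation; the session attribute names (auth_method, ad_groups, device_profile), the group and profile names, and the VLAN/DACL results are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Attributes ISE would have gathered about one session: the authentication
# method, AD group membership from the directory, and the profiled device
# type. Attribute and group names here are assumed for the example.
Session = Dict[str, object]


@dataclass(frozen=True)
class Result:
    """The 'then' part: permit or reject, plus optional enforcement data."""
    access: str                   # "accept" or "reject"
    vlan: Optional[str] = None    # dynamic VLAN pushed to the switch
    dacl: Optional[str] = None    # name of a downloadable ACL


@dataclass(frozen=True)
class Rule:
    """One if/then statement of the policy."""
    name: str
    condition: Callable[[Session], bool]
    result: Result


def in_group(session: Session, group: str) -> bool:
    return group in session.get("ad_groups", [])


# An ordered policy: rules are tried top to bottom and the first match wins,
# so the most specific rules go first and the catch-all deny goes last.
POLICY: List[Rule] = [
    Rule("Corp-Workstation",
         lambda s: s.get("auth_method") == "802.1X"
         and in_group(s, "Domain Users")
         and s.get("device_profile") == "Windows-Workstation",
         Result("accept", vlan="10", dacl="PERMIT_ALL")),
    Rule("BYOD-Employee",
         lambda s: s.get("auth_method") == "802.1X"
         and in_group(s, "Domain Users"),
         Result("accept", vlan="20", dacl="INTERNET_ONLY")),
    Rule("IP-Phone-MAB",
         lambda s: s.get("auth_method") == "MAB"
         and s.get("device_profile") == "Cisco-IP-Phone",
         Result("accept", vlan="30", dacl="VOICE_ONLY")),
    Rule("Default-Deny", lambda s: True, Result("reject")),
]


def authorize(session: Session, policy: List[Rule] = POLICY) -> Tuple[str, Result]:
    """Evaluate the ordered rule list; return the matched rule name and result."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    # Only reachable with a policy that lacks a catch-all rule: fail closed.
    return "Implicit-Deny", Result("reject")


if __name__ == "__main__":
    # Constructed sessions, not real ISE data.
    sessions = {
        "laptop": {"auth_method": "802.1X", "ad_groups": ["Domain Users"],
                   "device_profile": "Windows-Workstation"},
        "phone":  {"auth_method": "802.1X", "ad_groups": ["Domain Users"],
                   "device_profile": "Apple-iPhone"},
        "voip":   {"auth_method": "MAB", "device_profile": "Cisco-IP-Phone"},
        # A MAB session that merely profiles like a workstation: no 802.1X
        # credential was presented, so it must not reach the employee VLAN.
        "spoof":  {"auth_method": "MAB", "device_profile": "Windows-Workstation"},
    }
    for name, s in sessions.items():
        print(name, authorize(s))
```

Two things the example shows that the slides only state: rule order matters (BYOD-Employee is a superset of Corp-Workstation, so it has to come after it), and the employee VLANs are only reachable through 802.1X. MAB proves nothing more than a MAC address, which is trivial to spoof, so the "spoof" session lands on Default-Deny even though profiling calls it a workstation.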

ISE runs only on RADIUS today; TACACS+ support was announced for a later
release (it arrived with ISE 2.0).

Cisco's ACS has reached its EOL/EOS.
RADIUS

RADIUS (Remote Authentication Dial-In User Service)

Runs over UDP on the following ports:
1> 1645 and 1646 ------- Legacy ports
   1645 ----- Authentication & Authorization
   1646 ----- Accounting

Because port 1645 conflicted with the "datametrics" service (RFC 2865,
section 3), IANA assigned another pair of ports:

2> 1812 and 1813
   1812 ----- Authentication & Authorization
   1813 ----- Accounting

Described in RFCs 2865 (authentication/authorization) and 2866 (accounting).


CHANGE OF AUTHORIZATION

RADIUS CoA provides a mechanism to change the attributes of a session after
it has been authenticated. When the policy for a user or user group changes,
the AAA server (Cisco Secure ACS or ISE) sends RADIUS CoA packets to the
network device to re-initialize authentication and apply the new policy.
Cisco software supports the RADIUS Change of Authorization (CoA) extensions,
which are used in a push model: the external AAA server initiates the
request and the network device must listen for it, the reverse of normal
RADIUS, where the network device is the client.

Port used for CoA on Cisco devices is UDP 1700 (the IANA-assigned port in the
RFC is 3799).

Described in RFC 3576 (since obsoleted by RFC 5176).
CoA can do the following:

 - Session reauthentication
 - Session termination
 - Session termination with port shutdown
LISTENING PORTS

ISE and ACS accept RADIUS on both port pairs, 1645 & 1646 and 1812 & 1813.
CoA on 1700 goes the other way: the server sends it and the network device
listens.

Default ports on the network devices:

Router IOS 12.x releases --- 1645/1646 by default

Catalyst switch IOS before 12.2(55) --- 1645/1646

Router IOS 15 and above --- 1812/1813 by default

Catalyst switch IOS 12.2(55) and above --- 1812/1813

Check which pair a device uses and set the server's auth/acct ports
explicitly in its RADIUS server definition, so that both ends agree.
RADIUS PACKET EXCHANGE
RADIUS PACKET
CODE FIELD
One byte giving the packet type: 1 Access-Request, 2 Access-Accept,
3 Access-Reject, 4 Accounting-Request, 5 Accounting-Response,
11 Access-Challenge. CoA (RFC 5176) adds 40/41/42 Disconnect-Request/ACK/NAK
and 43/44/45 CoA-Request/ACK/NAK.
PACKET IDENTIFIER

The identifier is a one-byte field that ties a reply to its request.

The network device (RADIUS client) sets it in the request, and the server
copies the same value into its reply, so the client can match each response
to the request that is still outstanding.

The client increments the identifier for each new request and wraps around
after 255; a retransmission of the same request keeps the same value. It is
a per-client counter, not a per-user one: the value a given user's first
request carries depends on what the device has already sent.
Header Explanation
LENGTH FIELD:
Two bytes giving the total length of the RADIUS packet (header plus
attributes): minimum 20, maximum 4096. Bytes beyond the Length are ignored
and a packet shorter than its Length is dropped.

AUTHENTICATOR FIELD:
16 bytes (128 bits).
In an Access-Request it is the Request Authenticator, a random value chosen
by the client. The password is not stored here: the User-Password attribute
is obfuscated by XOR with MD5(shared secret + Request Authenticator).
In a reply it is the Response Authenticator,
MD5(Code + Identifier + Length + Request Authenticator + Attributes + shared
secret), which lets the client check that the reply came from a server that
knows the shared secret and that the attributes were not altered in transit.
ATTRIBUTE VALUE PAIR (AVP)

AVPs carry the information on which authentication and authorization
decisions are made.

An AVP is additional information sent by a RADIUS client to a RADIUS server
or vice versa, encoded as Type (1 byte), Length (1 byte) and Value.
TWO TYPES OF AVP

1. Standard IETF RADIUS attributes

AVP Number <1> User-Name (plain text)
AVP Number <2> User-Password (obfuscated with the shared secret; never sent in clear)
AVP Number <64> Tunnel-Type (13 = VLAN)
AVP Number <65> Tunnel-Medium-Type (6 = IEEE-802)
AVP Number <81> Tunnel-Private-Group-ID (the VLAN ID or name)
  64, 65 and 81 together perform dynamic VLAN assignment (RFC 2868)
Complete list
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html#wpxref1037589

2. Vendor Specific Attributes (AVP number 26, carrying a vendor ID)

For example Cisco's cisco-av-pair (vendor ID 9), which carries the privilege
level (shell:priv-lvl=15) and the downloadable ACL reference
(ACS:CiscoSecure-Defined-ACL=...).
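An added Python example of the packet exchange described above: the header fields (code, identifier, length, authenticator), the User-Password obfuscation of RFC 2865 section 5.2, the Response Authenticator check the client performs on an Access-Accept, the RFC 2868 VLAN triplet (64/65/81), and a server-initiated CoA-Request as in the CHANGE OF AUTHORIZATION section. This is illustrative code written for this page, not ISE, IOS or any RADIUS library; the shared secret, NAS address, username, password, session ID and VLAN are constructed values, and no socket is opened.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Tuple

# Packet codes (RFC 2865 / RFC 5176) and the IETF attribute numbers used below
ACCESS_REQUEST, ACCESS_ACCEPT, COA_REQUEST = 1, 2, 43
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 2, 4, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

AVPs = List[Tuple[int, bytes]]

def encode_avps(avps: AVPs) -> bytes:
    """Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    out = b""
    for t, v in avps:
        if len(v) > 253:
            raise ValueError("AVP value exceeds 253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_avps(data: bytes) -> AVPs:
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed AVP")
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps

def build_packet(code: int, ident: int, authenticator: bytes, avps: AVPs) -> bytes:
    body = encode_avps(avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, avps), enforcing the Length rules."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > 4096 or length > len(pkt):
        raise ValueError("bad Length field")
    return code, ident, pkt[4:20], decode_avps(pkt[20:length])

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of 5.2. Trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, req_auth: bytes,
                           avps: AVPs, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret). For a
    CoA/Disconnect request (RFC 5176) req_auth is 16 zero bytes."""
    body = encode_avps(avps)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def access_request(ident: int, username: str, password: str, secret: bytes,
                   nas_ip: str = "10.0.0.1") -> Tuple[bytes, bytes]:
    """NAS side. Returns the packet and the random Request Authenticator that
    the NAS must keep in order to check the reply."""
    req_auth = os.urandom(16)
    avps = [(USER_NAME, username.encode()),
            (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
            (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, avps), req_auth

def access_accept_vlan(ident: int, req_auth: bytes, vlan: str, secret: bytes) -> bytes:
    """Server side: Access-Accept carrying the RFC 2868 VLAN triplet (tag 0)."""
    avps = [(TUNNEL_TYPE, struct.pack("!I", 13)),        # 13 = VLAN
            (TUNNEL_MEDIUM_TYPE, struct.pack("!I", 6)),  # 6 = IEEE-802
            (TUNNEL_PRIVATE_GROUP_ID, vlan.encode())]
    auth = response_authenticator(ACCESS_ACCEPT, ident, req_auth, avps, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, avps)

def verify_reply(pkt: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust the reply only if its authenticator checks out."""
    code, ident, auth, avps = parse_packet(pkt)
    return hmac.compare_digest(
        auth, response_authenticator(code, ident, req_auth, avps, secret))

def assigned_vlan(pkt: bytes) -> str:
    _, _, _, avps = parse_packet(pkt)
    return next(v for t, v in avps if t == TUNNEL_PRIVATE_GROUP_ID).decode()

def coa_request(ident: int, session_id: str, secret: bytes) -> bytes:
    """Server-initiated CoA-Request (push model). The server is the sender, so
    there is no Request Authenticator to chain from; RFC 5176 hashes over 16
    zero bytes instead. The device uses Acct-Session-Id to find the session."""
    avps = [(ACCT_SESSION_ID, session_id.encode())]
    auth = response_authenticator(COA_REQUEST, ident, b"\x00" * 16, avps, secret)
    return build_packet(COA_REQUEST, ident, auth, avps)
```

The check in verify_reply is the only thing standing between a switch and a spoofed Access-Accept: without the shared secret an attacker on the path cannot produce a matching Response Authenticator, and changing a single byte of the VLAN value breaks it. It also shows why the secret must be strong: the password hiding is MD5 of the secret keyed by a value that travels in clear, so a weak secret can be brute-forced from one captured exchange.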
CISCO ISE PRODUCT LINE
ISE 3315/3355/3395 [EOL/EOS] ($14,000 to $20,000)
3395
------- 600 GB hard disk
------- 16 GB RAM
------- 2 quad-core processors
Cisco Secure Network Server (SNS) 3415/3495 (cost $22,990)
------- 1 TB hard disk
------- 32 GB to 64 GB RAM
------- up to 4 quad-core processors
VM [1.0MR2/1.1.1/1.1.2/1.1.3/1.1.4]
ISE Software Engines
• Several software engines that interact with one another:
  – External Identity Source
    • Provides identity attributes (e.g. AD group membership) about a user or a device
  – Administration Node (PAN)
    • User interface and licensing control
  – Policy Service Node (PSN)
    • Makes the decisions
  – Network Device (switch, wireless controller, VPN headend)
    • Queries the Policy Service Node and enforces what it says
  – Monitoring Node (MnT)
    • Logging and reporting data


ISE LICENSING

Base license
* AAA
* Guest provisioning (for guest wireless networks)

Advanced license (Base +)
* Profiling - a series of steps to understand which devices are connected
  to a given network
* Posture - checking endpoint compliance and setting limits on which
  devices may connect to the network
* Self-registration (BYOD device registration)

Evaluation - Base + Advanced (90 days)
Only 100 endpoints

Endpoint-count licenses
(100, 500, 1000, 2000, 5000 ... 100000, 250000)
CLI access
• Username "admin"
• Password defined during setup
• Feels like the Cisco IOS CLI:
  – show run
  – show version
  – show inventory
  – show interface
  – show application status ise
GUI access
• Default credentials: admin/cisco (change them immediately after install)
• The GUI admin password can be reset from the CLI
• Requires Flash (older releases)
• Certificates are verified: the browser checks the admin portal's
  certificate, so replace the self-signed one with a CA-signed certificate
• Initial tasks might include:
  – CA configuration, licensing, adding network devices, admin user
    configuration and NTP/name-server
Types of deployment

1> Standalone
2> Distributed
Installation
(hands-on)
