
Cisco Identity Services Engine Demo Zone Guide

First Published: 2021-08-11

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2021 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 Scenarios

Network Visibility
View Live Authentications
ISE Authentication and Authorization Policy

CHAPTER 1
Scenarios
• Network Visibility
• View Live Authentications
• ISE Authentication and Authorization Policy

Network Visibility
The first step to securing any network is to understand what exists. Once you understand this, you can take
steps to further educate yourself or your team in order to make informed decisions about what you should do
next.
When we first log in to the system, we are presented with the ISE Home > Summary dashboard, which has
metrics for the Total number of unique endpoints ISE has ever seen, how many of those are currently Active
on the network, and how many are Guests.


Figure 1: ISE Home Summary Dashboard

Procedure

Step 1 Review the Summary panels to see the percentage breakdowns of Authentications, Network Devices and
Endpoints.


Example:

Step 2 Hover over the donut wedges and labels to see the count of each category or type.
Example:


Step 3 Use the tabs within the panels to pivot to different views of the same information.
Example:


Step 4 To view additional details about any of the sections of the graphic, click on the donut wedges or categories
to drill down and filter on the details behind the summary data. A new tab will open with the filtered results.
Close the tab when you are finished viewing the data.
Example:


Step 5 View the Endpoints, Guests, Vulnerability, and Threat tabs.


Example:

Remember that Vulnerability and Threat dashboards will NOT be populated because the Instant demo does
not have these security integrations. You may still want to show these to your customers and discuss how
integrating ISE with these types of security products could let them see these devices and even Quarantine
them with Rapid Threat Containment.

Using these dashboard views, you can get a baseline understanding of your network in terms of being able to
see both Who and What is Where on the network. Once you have this level of visibility, you can begin to make
educated policy decisions about unexpected devices, unregistered assets, potential risks and the need for
segmentation.


View Live Authentications


ISE allows you to view live authentications to your network in real time using the Live Log capability. This
allows you not only to see who and what is coming in, but also to drill down to understand how and why
something is failing or unexpected.

Procedure

Step 1 In ISE, navigate to Operations > RADIUS > Live Logs.


Example:

Step 2 You can adjust the update frequency, number of records and window that you view.
Example:

Note: Setting the update frequency too low can make it difficult to filter items due to the screen refreshes.

Step 3 Notice all of the details about When, What, Who, Where and How subjects were authenticated to the network.
Example:


Step 4 If you want to know Why something matched a specific Authentication or Authorization Policy, simply click
on the Authentication Details icon to get the Overview, Authentication Details, Attributes, Authorization
Result and then view the Steps that ISE completed when evaluating its policies.
This can be helpful for troubleshooting.
Example:


ISE Authentication and Authorization Policy


In ISE 3.0, all policies were converted to Policy Sets because this is a more scalable and efficient way to build
large numbers of policies. Drill down into the ISE authentication and authorization policies for examples of
many common policies, how Scalable Group Tags (SGTs) are assigned and how many Hits they have in the
hit counter.


Procedure

Step 1 In ISE, navigate to Policy > Policy Sets to see all policy sets.
Step 2 Click on the View arrow for the Default policy set to see its Authentication and Authorization policies.

Step 3 Authentication Policies can be made very granular with Conditions, down to a specific user or endpoint.
They are generally used to filter authentications by NAD profiles (hardware functionality), access methods
(wired, wireless, VPN), authentication types (802.1X, MAB), authentication protocols (PEAP-MSCHAPv2,
EAP-TLS), or Identity Stores (internal, AD, token, etc.).
Example:


Step 4 Review some of the Authorization Profiles to understand how the NAD attributes, Authentication method,
Identity groups, endpoint attributes and other information can all be tied together to result in a specific
Authorization Profile.
Example:
IoT endpoints like surveillance cameras:

Employees in Active Directory:


And note the Default authorization if there are no other policy matches:
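
A simplified model of how conditions on session attributes resolve to an Authorization Profile, with the Default rule and hit counter from the steps above. This is an added example, not part of the Cisco guide and not ISE's own code; it assumes top-down, first-match evaluation, and every rule, profile, SGT and attribute name is constructed.

```python
# Added example: a simplified model of policy evaluation, not ISE's own code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    conditions: dict            # attribute -> required value; all must match
    profile: str                # authorization profile returned on a match
    sgt: Optional[str] = None   # Scalable Group Tag assigned on a match
    hits: int = 0               # per-rule hit counter
    def matches(self, session: dict) -> bool:
        return all(session.get(k) == v for k, v in self.conditions.items())

class PolicySet:
    def __init__(self, rules, default):
        self.rules, self.default = rules, default
    def authorize(self, session: dict) -> Rule:
        # Assumption: top-down evaluation, first match wins, else Default.
        hit = next((r for r in self.rules if r.matches(session)), self.default)
        hit.hits += 1
        return hit
    def zero_hit_rules(self):
        # Rules that never matched: review candidates (unused or shadowed).
        return [r.name for r in self.rules if r.hits == 0]

def build_policy() -> PolicySet:
    # Rule, profile and SGT names are constructed for illustration.
    rules = [
        Rule("Cameras", {"auth_type": "MAB", "endpoint_profile": "IP-Camera"},
             "Camera_Access", "Cameras"),
        Rule("Employees", {"auth_type": "802.1X", "ad_group": "Employees"},
             "Employee_Access", "Employees"),
        Rule("Contractors", {"auth_type": "802.1X", "ad_group": "Contractors"},
             "Contractor_Access", "Contractors"),
    ]
    return PolicySet(rules, Rule("Default", {}, "DenyAccess"))

# Constructed sessions: attributes an authentication might carry.
SESSIONS = [
    {"auth_type": "MAB", "method": "wired", "endpoint_profile": "IP-Camera"},
    {"auth_type": "802.1X", "protocol": "EAP-TLS", "ad_group": "Employees"},
    {"auth_type": "MAB", "method": "wireless", "endpoint_profile": "Unknown"},
]

def run():
    policy = build_policy()
    results = [(r.name, r.profile, r.sgt) for r in map(policy.authorize, SESSIONS)]
    return results, policy.zero_hit_rules(), policy.default.hits
```

A rule that still shows zero hits after a representative period is either unused or shadowed by a broader rule above it, which is what makes the hit counter useful when reviewing a policy set.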
