
Cisco Identity Services Engine (ISE)
Balancing Business Objectives and Providing Protection with Zero-Trust in The Workplace
Cisco Secure Zero Trust
A comprehensive approach to securing all access across your people, applications, and environments.

• Workforce: Ensure only the right users and secure devices can access applications.
• Workplace: Secure all user and device connections across your network, including IoT.
• Workloads: Secure all connections within your apps, across multi-cloud.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The Foundations of Zero Trust in Your Workplace

• Visibility: Grant the right level of network access to users across domains.
• Segmentation: Shrink zones of trust and grant access based on least privilege.
• Containment: Automate containment of infected endpoints and revoke network access.
ISE Provides Zero Trust for the Workplace
Enterprise Security

• Endpoints: Users, Devices, Things
• Network Devices: Switches, WLCs / APs, VPN
• Cisco ISE: Standalone ISE, Multi-node ISE, VM/Appliance; integrates with Cisco DNA Center
• Identity Services: Azure/AD/LDAP, MDM, SAML/MFA
• Security Services: Cloud Analytics, Secure Firewall, Partners
ISE Secure Access Control Options

Scale: 2,000,000 concurrent sessions | Up to 100K Network Devices | 300K Internal Users | Up to 50 distinct AD domain support

• Endpoints: Native Supplicants | Cisco AnyConnect; Certificate based Auth; Passwords/Tokens
• Enterprise Network: 802.1X, WebAuth, MAB, VPN
• Single Sign-On: SAML IdPs (Azure Active Directory)
• APIs
• Certificate Authorities: SCEP/CRL; ISE Built-in CA
• External Identity Stores: Azure Active Directory (OAuth:ROPC), Active Directory, LDAP/SQL, SQL Server, PostgreSQL

Authentication Methods
• MAC Authentication Bypass
• Easy Connect (Passive Identity)
• IEEE 802.1X
• Web Authentication (Active Identity): Central WebAuth, Local WebAuth

Authorization Options
• Downloadable / Named ACL
• Airespace ACL
• VLAN Assignment
• Security Group Tags
• URL-Redirection
• Port Configuration: ASP Macro / Interface-Template
Why Customers Buy ISE

• TACACS+ Device Administration: Migrating from Cisco Secure ACS or building a new Device Administration Policy Server, this allows for secure, identity-based access to the network devices.
• Secure Access: Allow wired, wireless, or VPN access to network resources based upon the identity of the user and/or endpoint. Use RADIUS with 802.1X, MAB, Easy Connect, or Passive ID.
• Guest Access: Differentiate between Corporate and Guest users and devices. Choose from Hotspot, Self-Registered Guest, and Sponsored Guest access options.
• Asset Visibility: Use the probes in ISE and Cisco network devices to classify endpoints and authorize them appropriately with Device Profiling. Automate access for many different IoT devices.
• Compliance & Posture: Use agentless posture, AnyConnect, MDM, or EMM to check endpoints and verify compliance with policies (Patches, AV, AM, USB, etc.) before allowing network access.
• Context Exchange: ISE pxGrid is an ecosystem that allows any application or vendor to integrate with ISE for endpoint identity and context, to increase Network Visibility and facilitate automated Enforcement.
• Segmentation: Group-based Policy allows for segmentation of the network through the use of Scalable Group Tags (SGT) and Scalable Group ACLs (SGACL) instead of VLAN/ACL segmentation.
• Cisco SDA/DNAC: ISE integrates with DNA Center to automate the network fabric and enforces the policies throughout the entire network infrastructure using Software-Defined Access (SDA).
• BYOD: Allow employees to use their own devices to access network resources by registering their device and downloading certificates for authentication through a simple onboarding process.
• Threat Containment: Use a Threat Analysis tool, such as Cisco Cognitive Threat Analytics, to grade an endpoint's threat score and allow network access based upon the results.
Device Administration with TACACS+
[Figure: a Network Admin and a Help desk Admin reach network devices over SSH, Telnet, or Serial, with TACACS+ device administration by ISE.]
A Typical Customer Journey
Not a standard or recommended approach; each use case may be the end goal.

• Wireless: Customer starts with wireless; non-disruptive due to SSIDs
• Guest: Corporate Guest, BYOD
• Wired: Secure Wired Access; 802.1X / MAB (with Profiling)
• Visibility: See Apps & HW inventory
• Posture: Enforce system compliance
• Segmentation: Use SGTs for segmentation; enforce Group based policies
• RTC: Integrate with eco-system partners; contain threats
Guest Solution Overview

• # of supported Guest accounts: 1 million
• Guest account notification options: EMAIL, PRINT, SMS
• Portal language customization
• Social Media Login support
• Manage guest accounts via REST API

The 3 types of guest access
• Hotspot: Immediate, un-credentialed Internet access
• Self Registered: Self-registration by guests; Sponsors may approve access
• Sponsored Guest Access: Authorized sponsors create account and share credentials
ISE BYOD Solution

Device Support
• iDevice, Android, macOS, Windows, ChromeOS
• Single / Dual SSID provisioning
• Native supplicant & cert provisioning
• ISE internal CA for BYOD certificates

EMM/MDM Integrations
• Access based on MDM policy
[Figure: matrix of Public vs. Corporate Devices against Resources]

EMM: Enterprise Mobility Management | MDM: Mobile Device Management
https://cisco.com/go/csta
Endpoint Profiling
The profiling service in Cisco ISE identifies the devices that connect to your network.

ISE Data Collection Methods for Device Profiling
• Active Probes: Netflow | DHCP | DNS | HTTP | RADIUS | NMAP | SNMP | AD
• Device Sensor (DS): CDP | LLDP | DHCP | HTTP | H323 | SIP | MDNS
• AnyConnect: ACIDex
• Feed Service (Online/Offline)

Endpoints send interesting data that reveal their device type.
AnyConnect Identity Extensions (ACIDex) | Device Sensor (DS)
Profiling Packages and Integrations

• Medical Devices Library: 250+ Medical device profiles (Hospital)
• IOT Building & Automation
• Cisco Industrial Network Director (IND): Industrial Devices (Factory)
• Cisco AI Endpoint Analytics: Profiles IOT devices and sends endpoint labels via pxGrid to ISE for authorization

Integrations feed endpoint data to ISE via pxGrid.
https://community.cisco.com/t5/tag/ise-endpoint-profile/tg-p/board-id/4561-docs-security
Cisco AI Endpoint Analytics and ISE

• Cisco DNAC + Endpoint Analytics (EA) shows device classification results associated with endpoints in the Web Interface.
• Classifications are shared as Context with Cisco ISE for Policy.
• Telemetry sources: Catalyst 9000 NBAR Telemetry (SD-AVC Agent); Traffic Telemetry Appliance (TTA) fed by SPAN from the Distribution Layer for Legacy Cisco Switches / 3rd party devices; Wireless LAN Controller.
Group Based Policy Simplifies Segmentation

Traditional Segmentation
• Enterprise Backbone, Aggregation Layer and Access Layer, with a VLAN per role (Non-Compliant, Voice, Employee, Supplier, BYOD, Quarantine, Data, Guest)
• Static ACL, Routing, Redundancy, DHCP Scope, Address, VLAN, VACL
• Security Policy based on Topology
• High cost and complex maintenance

TrustSec (Micro/Macro Segmentation)
• Central Policy Provisioning from ISE: Employee Tag, Supplier Tag, Non-Compliant Tag
• No Topology Change, No VLAN Change (Access Layer, Enterprise Backbone, DC Servers unchanged)
• Use existing topology and automate security policy to reduce OpEx
Non-Fabric Group-Based Policy Enforcement

SGACL example:
    deny icmp
    deny udp src dst eq domain
    deny tcp src dst eq 3389
    deny tcp src dst eq 1433
    deny tcp src dst eq 1521
    deny tcp src dst eq 445
    deny tcp src dst eq 137
    deny tcp src dst eq 138
    deny tcp src dst eq 139
    deny udp src dst eq snmp
    deny tcp src dst eq telnet
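The SGACL on this slide is a list of access control entries evaluated top down, first match wins. The Python below is an added example (not Cisco code and not from the deck): it parses entries in the syntax the slide uses and evaluates sample flows against them, which is a quick way to review what a segmentation policy actually blocks before it is pushed to the network. The trailing "permit ip" catch-all, the named-port table, and the flows checked are assumptions made for this example; the default action for an SGACL with no catch-all is taken from the TrustSec matrix in ISE, which the example models with a "default" parameter.

```python
# Added example (not from the Cisco deck): parse and evaluate an SGACL in
# the "permit|deny <proto> [src [eq P]] [dst [eq P]]" form shown on the slide.
from dataclasses import dataclass
from typing import Optional

# Port names Cisco ACL syntax accepts in place of numbers (subset; assumption).
NAMED_PORTS = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "ssh": 22}

# The slide's SGACL, with a "permit ip" catch-all appended for this example.
SGACL_TEXT = """\
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
permit ip
"""


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    protocol: str             # "ip", "tcp", "udp", "icmp", ...
    src_port: Optional[int]   # None means any
    dst_port: Optional[int]   # None means any


def _port_value(token: str) -> int:
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def parse_ace(line: str) -> Ace:
    """Parse one entry; a bare 'src' or 'dst' means any port on that side."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an SGACL entry: {line!r}")
    action, protocol = tokens[0], tokens[1]
    ports = {"src": None, "dst": None}
    i = 2
    while i < len(tokens):
        side = tokens[i]
        if side not in ports:
            raise ValueError(f"unexpected token {side!r} in {line!r}")
        if i + 2 < len(tokens) and tokens[i + 1] == "eq":
            ports[side] = _port_value(tokens[i + 2])
            i += 3
        else:
            i += 1
    return Ace(action, protocol, ports["src"], ports["dst"])


def parse_sgacl(text: str) -> list:
    """Parse all non-empty, non-comment lines into ACEs, keeping their order."""
    return [parse_ace(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def evaluate(acl, protocol, src_port=None, dst_port=None, default="permit"):
    """Return the action of the first matching ACE; 'default' models the
    TrustSec matrix default used when no entry matches (assumed permit)."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return default


def blocked_ports(acl, protocol):
    """Destination ports denied for a protocol, for policy review."""
    return sorted(a.dst_port for a in acl
                  if a.action == "deny" and a.protocol == protocol
                  and a.dst_port is not None)


if __name__ == "__main__":
    acl = parse_sgacl(SGACL_TEXT)
    for proto, port in (("tcp", 3389), ("tcp", 443), ("udp", 53), ("icmp", None)):
        print(proto, port, "->", evaluate(acl, proto, dst_port=port))
    print("tcp ports denied:", blocked_ports(acl, "tcp"))
```

Running the module prints the verdict for a handful of constructed flows; RDP (3389), DNS (53) and ICMP are denied, HTTPS (443) falls through to the catch-all. The parser is deliberately strict: any token other than src, dst, or an "eq <port>" pair raises, so a mistyped entry is caught when the policy is reviewed rather than silently matching everything.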
Context Build, Summarize, Exchange

Visibility and Access Control: ISE builds context and applies access control restrictions to users and devices.
• Context sources: Threat Intelligence, Mobility Services Engine, System managers, Mobile Device Managers, Directory Services, Vulnerability Scanners
• Context dimensions: Who, What, When, How, Where, Posture, Threat, Vulnerability, Scalable Group, Endpoints

Context Reuse: context is consumed by eco-system partners for analysis & control.
• Exchange channels: pxGrid, REST API, Syslog
• Consumers: Secure Network Analytics, Secure Firewall, DNAC, 3rd Party Partners
Posture & Compliance

Posture sources: Agentless, AnyConnect, EMM/MDM

Authorization Policy example:
    IF JailBroken is No AND PinLock is Yes THEN Compliant

MDM Attributes
ActivityType, AdminAction, AdminActionUUID, AnyConnectVersion, DaysSinceLastCheckin, DetailedInfo, DeviceID, DeviceName, DeviceType, DiskEncryption, EndPointMatchedProfile, FailureReason, IdentityGroup, IMEI, IpAddress, JailBroken, LastCheckInTimeStamp, MacAddress, Manufacturer, MDMCompliantStatus, MDMFailureReason, MDMServerName, MEID, Model, OperatingSystem, PhoneNumber, PinLock, PolicyMatched, RegisterStatus, SerialNumber, ServerType, SessionId, UDID, UserName, UserNotified

https://cisco.com/go/csta
Cisco AnyConnect
A Suite of Security Service Enablement Modules

• VPN Module (Core)
• Network Access Manager (NAM)
• Web Security (CWS)
• Posture
• Umbrella Module
• HostScan (aka: ASA posture) (No UI)
• Network Visibility Module (NVM) (No UI)
• AMP Enabler Module
• Diagnostics and Reporting Tool (DART)
Agentless Posture 3.0
[Figure: an Employee endpoint authenticates with 802.1X / MAB; ISE assesses it over PowerShell / SSH and records a Posture Status of Compliant or Unknown.]
Threat Visibility: Rapid Threat Containment (RTC)
[Figure: numbered flow between endpoints Jim, Harry and Alice and Cisco ISE. Step 2: AMP on Endpoint notifies the cloud; step 3: threat from Jim's device; steps 1, 4 and 5 unlabeled.]
Vulnerability Assessment (Threat-Centric NAC)
[Figure: Jim's endpoint and Cisco ISE (step 1); ISE requests "Scan Jim's Endpoint" (2); the On-prem Scanner scans (3) and returns a Scan report (4) with CVSS=10 (5); step 6 unlabeled. Harry and Alice are also connected.]

Authorization Policy
    If CVSS is Greater than 5 = true, then Quarantine

CVSS: Common Vulnerability Scoring System
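The two policy fragments on the Posture & Compliance slide ("IF JailBroken is No AND PinLock is Yes THEN Compliant") and on this slide ("If CVSS is Greater than 5, then Quarantine") are both authorization rules evaluated top down with first match winning, which is how an ISE authorization policy behaves. The Python below is an added example, not Cisco code and not from the deck, that models both rules in one policy over a session context carrying MDM attributes and a vulnerability score. The rule order, the "DenyAccess" default, the attribute spellings for the values ("No"/"Yes"), and the three session contexts named after the endpoints in the figures are constructed for this example.

```python
# Added example (not from the Cisco deck): first-match authorization policy
# over session context, modelling the MDM and CVSS rules shown on the slides.
from dataclasses import dataclass
from typing import Any, Callable, Mapping

Context = Mapping[str, Any]
Condition = Callable[[Context], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Condition
    result: str          # authorization result, e.g. "Quarantine"


def cvss_above(threshold: float) -> Condition:
    """'CVSS is Greater than <threshold>'. A missing score never matches."""
    def check(ctx: Context) -> bool:
        score = ctx.get("CVSS")
        return score is not None and float(score) > threshold
    return check


def mdm_attr_is(name: str, value: str) -> Condition:
    """Equality on an MDM attribute such as JailBroken or PinLock (case-insensitive)."""
    return lambda ctx: str(ctx.get(name, "")).lower() == value.lower()


def all_of(*conds: Condition) -> Condition:
    return lambda ctx: all(c(ctx) for c in conds)


# Order matters: the vulnerability rule sits above the compliance rule so a
# CVSS=10 endpoint is quarantined even when its MDM attributes look healthy.
POLICY = [
    Rule("Vulnerable endpoint", cvss_above(5), "Quarantine"),
    Rule("MDM compliant",
         all_of(mdm_attr_is("JailBroken", "No"), mdm_attr_is("PinLock", "Yes")),
         "Compliant"),
]
DEFAULT_RESULT = "DenyAccess"   # assumed default rule for this example


def authorize(policy, ctx: Context, default: str = DEFAULT_RESULT):
    """Return (rule name, result) of the first matching rule, else the default."""
    for rule in policy:
        if rule.matches(ctx):
            return rule.name, rule.result
    return "Default", default


# Constructed session contexts named after the endpoints in the slide figures.
SESSIONS = {
    "Jim":   {"UserName": "jim",   "JailBroken": "No",  "PinLock": "Yes", "CVSS": 10},
    "Alice": {"UserName": "alice", "JailBroken": "No",  "PinLock": "Yes", "CVSS": 3.1},
    "Harry": {"UserName": "harry", "JailBroken": "Yes", "PinLock": "Yes"},
}


def authorize_all(sessions=SESSIONS):
    """Map each session name to its authorization result."""
    return {who: authorize(POLICY, ctx)[1] for who, ctx in sessions.items()}


if __name__ == "__main__":
    for who, ctx in SESSIONS.items():
        print(who, "->", authorize(POLICY, ctx))
```

Jim is quarantined by the first rule despite passing the MDM checks, Alice is marked Compliant, and Harry's jailbroken device falls through to the default. The "greater than" comparison is kept strict, so a score of exactly 5 does not quarantine, matching the slide's wording; a missing CVSS value is treated as "not scanned" rather than as zero, which is the safer reading when a scanner has not reported yet.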
ISE REST APIs
http://cs.co/ise-api
ISE Architecture

Standalone ISE: Single Node (Virtual/Appliance)
• 3500: Up to 20,000 concurrent endpoints
• 3600: Up to 50,000 concurrent endpoints

Distributed ISE: Multiple Nodes (Virtual/Appliance)
• Policy Administration Node (PAN): Single pane of glass for ISE admin; Replication hub for all config changes
• Monitoring & Troubleshooting Node (MnT): Reporting and logging node; Syslog collector from ISE Nodes
• Policy Services Node (PSN): Makes policy decisions; RADIUS / TACACS+ Servers
• pxGrid Controller: Facilitates sharing of context
• 3500: Up to 500,000 concurrent endpoints
• 3600: Up to 2,000,000 concurrent endpoints

http://cs.co/ise-scale
ISE Node Personas… Explained

• PAN (Admin): Config Sync to the other nodes; DNAC Automation via REST
• PSN: operates RADIUS, TACACS+, Profiling, etc.; the ISE PSN IP address* is the AAA RADIUS server configured on network devices
  Authorization Policy examples:
    If Employee then VLAN-100
    If Contractor then SGT-20
    If Things then ACL-300
• MNT: Logs
• ISE-PXG (Optional): exchanges Context (pxGrid) with the Partner Eco System (SIEM, MDM, NBA, IPS, IPAM, etc.) and receives ANC actions
  Exchange Topics:
    TrustSecMetaData: SGT Name: Employee = SGT-10; SGT Name: Contractor = SGT-20
    SessionDirectory: Bob with Win10 on CorpSSID
    ...

*PSNs can optionally be behind a load-balancer and can be accessed via Load Balancer Virtual IP address (VIPs)
ISE Customer Resources
• Resources: http://cs.co/ise-resources
• Community: http://cs.co/ise-community
• YouTube Channel: http://cs.co/ise-videos
• Evaluations: http://cs.co/ise-eval
• Integration Guides: http://cs.co/ise-guides
• Compatibility Guides: http://cs.co/ise-compatibility
• Licensing Guide: http://cs.co/ise-licensing