Preparing the Identity Services Engine (ISE) for SD-Access (For Customers) (CUST-SDA-ISE) v1.0
DNA Center
Design > Policy > Provision > Assurance
Assurance (Visibility)
Controller
ISE
Cisco ISE
Context-aware policy service; controls access and threats across wired, wireless and VPN networks
CA server for BYOD devices
pxGrid and APIs (exchange data with other systems) - ISE and DNA-C
Cisco AnyConnect
Supplicant, provides posture and much more
Visibility
Visibility Setup Wizard
Posture
Profiling
online/offline feed services in cloud to recognize different devices (signatures)
Active probes: NetFlow, DHCP (MAC OUI, DHCP class id), DNS, HTTP (WLC only), RADIUS, NMAP, SNMP
Device sensor - from Cisco devices/infrastructure: CDP, LLDP, DHCP, HTTP, H323, SIP, mDNS
ACIDex (AnyConnect agent)
AAA
Authentications:
MAB (MAC) - passive - when no supplicant is available (cameras)
802.1X - active
Webauth - active
802.1x
[EAP]
Supplicant (supports EAP packets) >> network device - authenticator (supports RADIUS) >> ISE (supports RADIUS) >> AD
EAP - secures the credentials (password / token / cert) - L2
Network device (authenticator) sends the credentials as a RADIUS packet to ISE
Identity stores
LDAP / AD / SQL servers / RSA IDs
SAML IDP (ID providers like Azure AD, Oracle)
Authorizations
Dynamic VLANs, ACLs, SGTags, URL-redirect, port config macros
Granting SGTags = Host Onboarding
- DACL (Downloadable ACL) - wired
- Named ACL (Wired + Wireless)
Dynamic VLANs
Security Group Tags - TrustSec
Change of Authorization (CoA) - adapt policy to changes in endpoint state (context)
Session ID - generated by the authenticator - a different unique session per endpoint on the same port (multi-auth)
Guest Access
Hotspot (no registration, policy acceptance only)
Self-Sponsored (self registration, sponsor may approve)
Sponsor Guest Access
BYOD
works on wired and wireless devices
register a personal device
report and block access from a device if it is stolen
Base license vs Base Plus license (full automation of the process: cert installation, management, native supplicant config)
MDM
Dual SSID - 1 for the onboarding process
ISE can recognize corporate employees vs guest users by the corporate credentials used on the BYOD welcome portal
ISE can install a cert, profile and supplicant on the BYOD device
TrustSec
Microsegmentation
Detect malware and automatically or manually assign a Quarantine tag (RTC - Rapid Threat Containment)
Classify & Mark Traffic (employee or guest? personal or private? Tag it!). Manually, or ISE can take the decision automatically - the tagging itself is done by the switch
CONTEXT - Host Onboarding / User / Device auth
Dynamic (ISE): 802.1X / VPN auth (supplicant), Web auth / MAC Auth Bypass
IP Device Tracking - the switch tracks the IP and adds tag XX; it also informs (speaker) other switches (listeners). ISE may be a speaker as well.
Static: IP address / VLAN / subnet / L2 interface / L3 interface / Virtual port profile (Nexus)...
Propagation
Inline SGT tagging (data plane) - if the device supports SGT in ASIC
SXP (control plane) - shared between devices that don't have an SGT-capable ASIC (e.g. 3rd-party switches). The SGT is not added to the L2 frame.
SGACL (Contract) - IP address agnostic (ACLs consist only of ports/protocols), for example:
permit udp dst eq 53
or
permit udp src eq 68 dst eq 67
DEFCON - stop traffic in case of compromise (reclassify all and block)
Enforce
Policy Matrix (src-dst and action)
Micro and Macro Segmentation
Macro - limited segmentation via Virtual Networks (VNET/VLANs) - via external firewall
Micro - full segmentation
SGTs
Contract = SGACL
Dictionary (ISE vs DNA-Center):
SGT :: SG (scalable groups)
TrustSec Matrix / SGACL :: Group-Based Access Control Policy / Contracts
AuthC & AuthZ Policies :: Access Policies (Host Onboarding)
TrustSec Policy :: Access Control Policies
DNA-C and ISE Integrations
Communication Channels
SSH to establish the trust relationship - exchange certificates (22/tcp) -> to ISE
REST (to program ISE) (443/tcp) -> to ISE
pxGrid - Context and TrustSec metadata - SGT, SGACLs, Matrix (5222, 7400, 8910, 12001/tcp) -> to DNA-C (both ways)
pxGrid - clients (DNA-C) subscribe to topics:
SessionDirectory (logs, auths) - context of user devices
TrustSecMetadata - policies
High Availability
Deployments
PSN - Policy Service Nodes (ISE nodes) - AAA
makes policy decisions
RADIUS/TACACS servers
can be behind LB as vIP
PAN - Policy Administration Node (write policies, add switches) - pushes to PSNs
Single pane of glass for ISE admin
Replication hub for all database config changes
MnT - Monitoring and Troubleshooting Node (logging)
reporting and logging node
Syslog collector from ISE nodes
pxGrid Controller - facilitates sharing of context (send once to all in group/subscribers)
ISE - 20k devices per single ISE
multiple ISEs - 500k devices
ISE Models
3515 - up to 7,500 endpoints
3595 - up to 20,000 endpoints
Distributed Persona
50 x 3595 PSNs - 500k active sessions, 1.5 M endpoints
Fully Distributed deployment
50 PSNs