CCIE Security: Theory – Section 5.6 – ISE

5.6 Cisco Identity Services Engine (ISE)

ISE is a massive topic. This is only touching the tip of the iceberg.

Info comes from here: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide.html.

Combines AAA into one appliance
Enforces endpoint compliance through provisioning, including 802.1X
Security Group Access (SGA) through use of Security Group Tags (SGTs) and Security Group Access Control Lists (SGACL).
User authentication supports PAP, CHAP, PEAP and EAP w/ RADIUS
Supports 802.1X, MAB, & browser based authentication
Policy sets – group sets of authentication and authorisation policies.
FIPS 140-2 implementation – supported, but means EAP-MD5, LEAP and PAP are disabled when in FIPS-mode. FIPS mode automatically disabled PAP and CHAP & guest login.
 
Client Posture assessment:
Cisco NAC Web Agent – temporal agent
Cisco NAC agent – persistent
Service – specific feature that a persona provides (i.e. network access, profiler, posture, security group access, monitoring and troubleshooting)
Node – individual instance that runs ISE software.
Persona – determine the services provided by a node
Deployment model – determines if deployment is distributed, standalone, or HA
Different “personas” – Administration, Monitoring and Policy Service, inline posture.
Flexible deployment:
Primary and secondary administration nodes for HA – like ASA Active/Standby
Pair of monitoring for auto failover
One or more policy service nodes for session failover
Pair of inline posture nodes for HA

ISE Services:

Network Access:

Profiler:

Discover, locates and determines capabilities of attached endpoints.
Components:
  • Sensor – contains a number of probes. Capture network packets by querying network access devices – forwards the attributes and their values to the analyser
  • Probe manager – provides support to profiler service. controls probes, start/stop collecting. Event manage within the sensor allows communication of the events between probes in the probe manager.
  • Forwarder – stores endpoints into ISE database along w/ attributes, notifies analyser of new endpoints detected on your network. classifies endpoints to the endpoint identify groups and stores endpoints w/ match profile in database
  • Analyzer – evaluates using the configured policies and identity groups to match attributes and their attribute values collected, classifies endpoints to the specified group and stores endpoints w/ matched profile in ISE database

 

Probes:
NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, DNS & SNMP Query & Trap probes.

Posture:

Does not support fast user switching.
Components:
Posture Administration Service – provides back-end support for posture specific custom conditions & remediation actions
Posture Run-time Services – encapsulates the SWISS protocol and all interactions between NAC agents & Cisco ISE server.
SWISS protocol – stateless request-response protocol allowing NAC agents running on managed clients to discover the IE server & to retrieve configuration & operational information. ANC agent uses UDP/8905. NAC agent tunnels all the requests over HTTPS.
Custom Permissions for Posture:
Unknown – no matching posture policy – then may be set to unknown.
Compliant – matching posture policy – therefore compliant
Noncompliant – matching policy – but fails to meet the mandatory requirements during posture assessment.
 
Security Group Access – SGA solution establishes clouds to trusted network devices to build secure networks. Each device in SGA cloud is authenticated by its peers. Communication between devices secured w/ encryption, message integrity checks & data-path replay protection mechanisms.
SGA uses device & user identity obtained during authentication to classify packets. Classification is maintained by tagging packets as they enter the SGA network. Tag is called Security Group Tag (SGT).
Features:
Network Device Admission Control (NDAC) – NDAC uses 802.1x & EAP-FAST. Successful & authentication and authorisation in NDAC process results in Security Association Protocol.
Endpoint Admission Control (EAC) – authentication process end endpoint user or device. Typically happens at access level switch. Successful authenticator and authorisation in EAC process results in SGT assignment to user or device. Includes
802.1X
MAB
WebAuth
Security Group – (SG) – grouping of users, endpoint devices, resources that share access control policies.
Security Group Tag (SGT) – SGA service assigns each security group a unique 16-bit security group number. Can reserve a range of SGTs for SGT-to-IP mapping.
Security Group Access Control List (SGACL) – control access and permissions on the SGTs that are assigned
Security Exchange Protocol (SXP) – protocol developed for SGA service to propagate IP-to-SGT biding table across network devices that do not have SGT-capable hardware to support hardware that supports SGT/AGACL
Environment Data download – SGA device obtains environment data from ISE -contains
Server Lists, Device SG, Expiry timeout
SGT Reservation – reserve a range of SGTs to enable IP to SGT mapping
IP-to-SGT mapping – bind endpoint IP to SGT and provision it to an GA-capable device. 1.2 supports 1000 IP-to-SGT mappings
Identity-to-port mapping – method for switch to define identity on a port to which endpoint is connected
Components required for SGA:
  • User Identity Repository
  • DHCP Service
  • DNS Service
  • Certificate Authority Service
  • Target Servers
  • Endpoint PC