
Saturday, January 2, 2016

ISE: Identity Services Engine


Cisco ISE (Identity Services Engine) is a comprehensive network access control and policy enforcement solution developed by Cisco Systems. It provides centralized authentication, authorization, and accounting (AAA) services for network devices and endpoints, allowing organizations to enforce security policies and control access to their networks.

Key features and capabilities of Cisco ISE include:

1. **Authentication and Authorization**: Cisco ISE authenticates users and devices attempting to connect to the network, verifying their identities and determining their access privileges based on predefined security policies. It supports various authentication methods, including 802.1X, MAC Authentication Bypass (MAB), and web authentication.

2. **Policy Enforcement**: Cisco ISE enforces network access policies dynamically, applying role-based access control (RBAC) and security policies based on user identity, device type, location, and other contextual attributes. The authorization result is pushed to the access device as, for example, a VLAN assignment, a downloadable ACL (dACL) or a security group tag (SGT), giving granular control over access to network resources.

3. **Device Profiling and Compliance**: Cisco ISE profiles endpoints connecting to the network, identifying and classifying them by characteristics such as operating system and device type, gathered from probes like DHCP, HTTP, SNMP and RADIUS. Combined with posture assessment, it can determine whether an endpoint complies with security policy and quarantine non-compliant devices to protect the network.

4. **Guest Access Management**: Cisco ISE provides capabilities for managing guest access to the network, allowing organizations to securely onboard guests, visitors, and contractors while enforcing appropriate access controls and security policies. It supports self-service guest registration, sponsored guest access, and captive portal authentication.

5. **Endpoint Compliance and Remediation**: Cisco ISE integrates with endpoint security solutions to assess the security posture of endpoints and enforce compliance with security policies. It can identify security threats, such as malware infections or policy violations, and trigger automated remediation actions to mitigate risks and enforce security controls.

6. **Integration with Network Infrastructure**: Cisco ISE integrates with Cisco network infrastructure components, including switches, routers, wireless LAN controllers (WLCs), and VPN gateways. It talks to network devices over RADIUS (and, from ISE 2.0 onward, TACACS+ for device administration) and uses SAML for single sign-on to its portals.

7. **Centralized Management and Reporting**: Cisco ISE provides a centralized management interface for configuring, monitoring, and managing network access policies and security settings across distributed network environments. It offers comprehensive reporting and auditing capabilities to track access events, policy violations, and compliance status.

Overall, Cisco ISE is designed to enhance network security, streamline access control processes, and ensure compliance with regulatory requirements by providing a comprehensive identity-based approach to network access control and policy enforcement. It is widely used by organizations of all sizes and industries to secure their networks and protect against security threats.

802.1X terminology:
1. Authenticator: the network access device, i.e. a switch, or a wireless LAN controller managing access points.
The authenticator requests the credentials from the endpoint and relays them to the authentication server.

2. Back-end authentication server: evaluates the credentials.
This can be ACS or ISE.

The protocol spoken between the authenticator and the authentication server is RADIUS. With ACS you can use TACACS+ or RADIUS, but ISE 1.2.x supports only RADIUS (TACACS+ device administration arrived in ISE 2.0).

3. Supplicant: runs on the PC/device.
It can be built into the operating system. The supplicant supplies the credentials to the authenticator (over EAPOL on the wire or wireless link).

Options for installing ISE in a virtualized environment:
It can be installed on:
VMware Workstation 10
an ESXi host

Verify RADIUS:
Connect to the IP address of the ISE server in a browser:
https://192.168.1.117/
Provide the admin username and password.
Create a network device group to hold our network access devices (NADs), i.e. the switch:
Add -> Nuglab-Vegas (group)
Then add the switch as a network device in that group. The RADIUS shared secret entered here must be the same one configured on the switch below.
Name: SW-1
IP address: 192.168.1.121
Ping from the switch to ISE to verify reachability.

To verify, let's create one end-user account in the local (internal) identity store of the ISE server:
Administration -> Identity Management -> Identities -> Users -> Add
Username: Bob
Password: (set one here; it is what the test command on the switch will send)

Switch config (entered in global configuration mode):
SW# configure terminal
SW(config)# enable secret Nugget!23
SW(config)# aaa new-model
! login to the switch itself still uses the enable secret, not RADIUS
SW(config)# aaa authentication login default enable
! define ISE as a RADIUS server; the key must match the NAD entry created in ISE
SW(config)# radius server ISE
SW(config-radius-server)# address ipv4 192.168.1.117 auth-port 1812 acct-port 1813
SW(config-radius-server)# key Nugget!23
SW(config-radius-server)# exit

SW(config)# aaa group server radius ISE-group
SW(config-sg-radius)# server name ISE
SW(config-sg-radius)# exit

SW(config)# radius-server vsa send authentication
SW(config)# radius-server vsa send accounting

SW(config)# ip device tracking
SW(config)# end

Note: RADIUS runs over UDP at L4 (authentication on port 1812 and accounting on 1813 by default; older deployments use 1645/1646). The keyword is acct-port, not acc-port.
vsa stands for vendor-specific attributes; sending them lets ISE return Cisco AV-pairs such as downloadable ACLs in its authorization results.

Now test basic RADIUS service between the switch and the AAA server (ISE), watching the exchange with debug:

SW# debug radius
SW# test aaa group ISE-group bob Nugget!23 new-code

On success IOS reports "User successfully authenticated"; a wrong password or a shared-secret mismatch shows up as a reject or a timeout in the debug output. Turn the debug off again when you are done.










