In this video, we’ll walk though the configuration on ISE to support remote access VPN
ISE Custom Profiles: Can't See The Forest From The Trees
When it comes to profiling endpoints, I’ve noticed that even some of the more ISE-focused engineers even see it as something that’s magical and vague that happens behind the scenes. This is not specific to ISE either. I don’t think I’ve ever seen a network access control product that has 100% profiling fidelity or as granular as a customer might expect it to be. I would say that the built-in profiles for ISE probably identifies 90% of endpoints from at least a high level. The purpose of this blog post is to help remove some of that “behind-the-scenes” magic for you so you can making profiling work for you.
ISE Custom Profile Github
ISE Profiling Deep-Dive
Vendor Specific RADIUS Dictionaries for ISE
I took some time to import and update quite a bit of RADIUS vendor dictionaries for 3rd party vendors into ISE. I grabbed this information from various community and open source sites but I obviously can't test it against every vendor out there since I don't have a selection of 140+ 3rd party NADs sitting in my lab. After I imported them to ISE, I exported them and have uploaded them here.
ISE WLC ACL Configs Through the CLI
ISE C3PL Switch Configuration
In this blog post, I'm going to go over a different way to configure your switch for ISE called Cisco Common Classification Policy Language (C3PL). I have known about this configuration for awhile but I will admit that I didn't really try to learn it until recent. If you read the IBNS 2.0 deployment guide here, it's pretty intimidating guide at a whopping 65 pages long and reads like a typical manual. I ended up reading Jamey Heary and Aaron Woland's Cisco ISE for BYOD Second Edition and they broke it down beautifully in 4 pages which made me go "Team C3PL."
ISE Design - Going Above The Configuration
ISE 2.3 - What's New?
ISE 2.3 - New Policy Sets
In this blog post, I'm going to go over the new policy sets in ISE 2.3. A lot of people have come to me and said they were worried about having to learn the new policy sets. Well, I have good news for you: While there are some enhancements, it's not really as initimating or new as you think. Are there enhancements? Sure! But it doesn't mean you have to re-learn the whole thing if you don't want to.
ISE 2.3 - Passive ID & EasyConnect Enhancements
In this post, I'm going to review the PassiveID features of ISE that are new as of ISE 2.2 and 2.3. In this particular post, I'll be doing it all from ISE 2.3 but bear in mind that you can do all this from ISE 2.3 as well. In ISE 2.0, there was a feature added called EasyConnect which utilized WMI logs from the Active Directory Domain Controller to check for login events. Based on those login events, ISE would make a decision to grant access. This allowed ISE to grant network access beyond the typical 802.1x and profiling methods. This functioned well but required a LOT of backend work to prepare Active Directory to share the WMI logs and if you read my earlier post here, you will see what I mean The creators of ISE decided to revamp this process and create a better way to do this in ISE 2.2 and later.
CCIE Security Notes: ISE 2.1 Notes
ISE 2.1 - Switch and Wireless Controller TrustSec Configuration
In this blog post, I'll go through the configuration for TrustSec and SXP for both my Catalyst 3650 switch and wireless controller. I'll walk through the configuration, create the SXP connection, and verify. After that, I'll test out a policy by connecting a client to the switch, watching the tag be applied on ingress and the policy applied.
ISE 2.1 - TrustSec Overview and ISE Configuration
In this blog post, we're going to go over the configuration of TrustSec in ISE 2.1. This configuration also applies to ISE 2.0 as well for the most part. While TrustSec is not a required configuration for a secure ISE deployment, it definitely has some great advantages. It's a security architecture utilizing security group tags (SGTs) that allows that network to enforce access control policy, reduce ACL complexity, and can be utilized for policy in other security devices which I will go into further in later blog posts when I go over pxGrid on different systems.
ISE 2.1 - Configuration of AMP & ISE Integration
This post is going to go over the integration of ISE 2.1 and AMP for Endpoints. ISE 2.1 introduces the concept of a "Threat Centric NAC" which allows you to configure vulnerabiltiy and threat adapters to send high fidelity Indicators of Compromise (IoC), Threat Detected events, and CVSS scores to ISE so that threat-centric access policies can be created to change the privilege of the endpoint accordingly.
ISE 2.1 Just Released
ISE 2.0 - Profiling
In a perfect world, you could authenticate your hosts onto the network with either dot1x or going through a guest portal but the reality is that not every device connected to your network will have the ability to navigate the guest flow or utilize dot1x. Unfortunately, most of us don't live in a perfect world and have to connect devices to our networks such as phones, IP cameras, printers, badge readers, access points, etc so for that reason, profiling comes in. What ISE will do is gather a series of attributes from the NADs that the endpoints are connected to and based on those collections of attributes, ISE is able to make a determination of what kind of device that endpoint is
ISE 2.0 - Hotspot Policy
In this post, I'm going to configure Hotspot access. Hotspot access is a little different than regular guest access in ISE. The use case for Hotspot is where you might want to allow guests to access the internet without issuing them credentials or directly identifying them but still have some level of control. An example of this is if you own a chain of retail stores and you want to give your customers guest access to the internet and you don't want them to have to self-register or disclose information about their identity. Hotspot would be the solution to provide access. With Hotspot access, you can have a branded portal for marketing reasons, have the user accept an AUP for legal reasons, redirect them to your company's page or maybe a webpage with the latest deals/coupons, and you can even have them enter an access code that you have displayed in this location to reduce random connections to the network from users not location in the establishment.
ISE 2.0 - Guest Policy
In this post, I'm going to create my guest wireless policy. Guest access is typically what you think of when you visit a company, connect to the wireless and then get a splash page to enter some sort of credentials you were either provided or you self-register to get your own credentials. I'm going to create a basic guest wireless policy but I'll walk you through some of the different options you can use with this policy if you want to play around with this in your own lab or you're looking to deploy this in your production network.
ISE 2.0 - MDM Configuration
In this guide, I'm going to walk through MDM integration with ISE. MDM is used to deploying, securing, monitoring, integrating and managing mobile devices in the workplace. The MDM software that is download to the mobile device can control the distribution of application and patches as well as control data and configuration on the endpoint.