Studying, Labbing, and Implementing Cisco ISE

This isn't really certification-specific so I thought I'd drop it in here. I have been put into an interesting position at work. We were supposed to deploy ISE last year but that got held up when he hit a bug code in the XE IOS that caused some issues with dACLs that would eventually freeze the switches and make us hard reload them daily. Since the bug fix wasn't out, we ended up rolling back ISE for the rest of the year except on wireless.

It's a little less than a year later and the architect that was in charge of ISE is gone. I've been now tasked with designing ISE to fit the needs of my enterprise, creating a project plan for implementation, and implementing it in a phased approach using our corporate office as the pilot site (starting slowly) and then rolling it out to out branch offices throughout the US.

It's been really interesting studying and working with ISE. As I research it, I'm finding that despite the growing demand for ISE, there is a general lack of training and experts on it in the field. I think 90% of networking people have no idea what ISE is so I figured I'd jump on here and explain some things, provide some solid training resources, and give some ideas for labbing for anyone who is interested. Maybe if there is interest, I'll also update this thread on general things I'm experiencing as I'm deploying it and some tips on implementation.

What is ISE?

Well... if you read the Cisco definition, it's "a security policy management and control platform" which is pretty damn generic sounding. In truth, its does lot. From profiling, posturing, AAA services, etc.It's fairly new technology that was first introduced in 2010 I believe and it was sort of the child of a similar but less robust Cisco product. It allows you to enforce policies and dynamically adjust access on wireless, wired, and VPN based on many different policies. For example, you can push out certificates via GPO and create a policy in ISE where if someone plugs into a wired connection and their computer does not have the certificate, they will be given internet-only access or you can deny them access altogether. You can also use it for your ACS functions. Unfortunately with ISE, Cisco used RADIUS instead of TACACS because they went for standardization. The licensing in ISE functions more as user licenses instead of device licensing so you can manage 10000 switches using RADIUS and the only licenses you use is when an admin logs into the switch. Since the licenses are reused, the license is re-added once the admin logs out of the switch. You can also have ISE posture clients based on system requirements and security. You can have ISE dynamically switch the VLAN of a port depending on the kind of device plugged in. For example, ISE can identify that you just plugged a Telepresence unit into port Fa1/0/1 and based on the policies you defined, it will dynamically switch the VLAN to the Telepresence VLAN. You can also define different security policies per site.

I'm sort of glossing over concepts but you get the general idea. There are plenty of regulated industries that will have a use for ISE such as financial, medical, etc. If you want to read more into the features of ISE, check out Cisco's page:
Cisco Identity Services Engine (ISE) - Cisco Systems

Are there any ISE-specific certifications?
Not that I've seen but if someone finds something, please correct me. I know that it's been added to the CCIE Security track so if you're heading that route, it might be good to jump onboard with studying for ISE.

What are some good training resources for ISE?
Last year when I first was introduced to ISE, there wasn't much besides the Cisco manual for the product which wasn't that exciting of a read. Thankfully, a bit has changed since them. I would highly recommend the following book by James Heary:
Cisco ISE for BYOD and Secure Unified Access: Jamey Heary, Aaron Woland: 9781587143250: Amazon.com: Books
I've been reading through it and it's great. Not only does it provide technical details but it gives you a good overview of the business case for ISE and planning and deployment ideas.

Lab Minutes has some amazing free videos on ISE. I highly recommend them. Not only does the trainer seem to have a solid understanding of ISE but he really goes into it in his videos. Here's the link:
Video: Security - ISE | Lab Minutes

There is an INE ISE Primer but in my opinion, it was bad. The trainer really kept getting stuck on technical parts of ISE and he didn't really seem like he knew what he was doing. It's only about 5 hours long but it definitely wasn't as good as Lab Minutes which is free.

There is also a Cisco Partner ISE training. I'm heading to that at the end of the month so I'll write a review on it if anyone is interested or works at a company that will pay for it. If you do consider Cisco training, I recommend going to the 1.2 SISE class. The 1.1 version is still around but 1.2 is probably more applicable anyways for new deployments and just general training.

How do I try out ISE or lab it?

That's the fun part. You have to get your hands on an ISE iso. I downloaded easily enough with my CCO but I don't know if everyone has access to it or not. I would reach out to your Cisco rep if your company has one and explain that your company is interested in ISE and would like an ISO to lab it. Usually they're more than willing to help you out if you're considering purchasing a product.

ISE is pretty resource intensive so you need to have a pretty powerful machine to run it on. It needs at least a dual-core x64 processor, 4GBs of RAM, and 100GB of HD space. It also should run on VMWare. I've tried it in Virtual box or with less than the recommended specs and it refused to install. To get a really good lab going, you need to run two ISE VMs (One for the Admin/Monitoring node and one for the Policy Services node). You also need an NTP server available at the time of installation - there will be lots of issues if ISE cannot reach an NTP server and to fix those issues, you might need to completely reinstall ISE. You can work a little magic with regedit to modify Server 2008 for NTP or you can just aim ISE to a switch that's attached to the computer. I would also recommend installing a Windows 7 VM and Window Server 2008 Active Directory/DNS/CA VM.

So with four VMs going for a good sized lab, you'll need about 24GB RAM to give your computer a little buffer and about 400GB HD space. Right now I have all the VMs running on my computer and it's clocking along at 16GB RAM utilization at any given time but the PC is still running great.

I recommend connecting a physical switch that is ISE compatible to the computer. I have a 3750 running 15.X code connected to the NIC on my PC. That way I can start enforcing polices using the switch.

After everything was installed, I bridged my Win 7 VM with my WiFi card in the PC, installed log me in on both the VM and my PC, configured my PC to never turn off, and WALLAH! I now have a Cisco ISE sandbox that I can access remotely.

Anyways, I hope this was useful for some of you. If any of you are interested in ISE, I'll keep this thread going with my tales of woe and triumph as I roll this thing out to an international enterprise in the next couple of months. Maybe I'll even open up my sandbox to some people who are interested or share some times. Let me know.

Find more posts tagged with

Comments

googol

I am in a new role for my new job, shifting to the networking and security side full time for now and also have discussed ISE for future budget. I enjoyed your writeup and definitely would love to hear more. Ours won't be as complicated as yours, but not sure if it is the right fit, but will have to check the $$ and effort to set it up, but once its setup and configured, sounds like automation until new devices appear. Thanks again, appreciate it.

santaowns

Thanks iris you rock. Always quality posts from you.

shodown

Good luck I will be following this. ISE has caused a lot of pain please be careful, and have fall back plans when you cut things over. I watched a guy lose his job at a ISE install we did after he was fooling around with it after it was installed.

Iristheangel

Ironically, Shodown, we had the opposite issue at our enterprise. ISE was deployed for just WiFi after the XE dACL bug issue and no one touched it for about 6 months. The network architect who owned it left and I took ownership of it last month. I tried to login to the Admin node and couldn't get in. Both primary and secondary Admin nodes were behaving funny when I tried logging in and I couldn't even get into the CLI for the primary.

We were running the 1.1.3 code and no one touched it much since install. I put in a change order to do a console-level password reset and patch it last weekend. I ended up completing the password reset and I still couldn't get into the CLI of the primary. It was giving me an error that there wasn't enough memory to launch the CLI. I reviewed the bugs for that code and it ended up being an issue with that code. The bug involved the Monitoring node not dumping historical data when the HD got full and locking out everyone who tried to get in. Since the Admin and Monitoring node were on the same VM, buh bye node! Thankfully, Policy Service Nodes (the ones that actually authenticate people and gives them access) continue to operate without an Admin node as long as their not interrupted or as long as you don't need to provision new devices (more of a wired thing).

On top of that all, the ftp repository was full that ISE was backing up to so we didn't have any backups since ISE was put into production. If the secondary Admin node had filled up, we literally would have been starting from scratch!

I ended up failing over to the secondary Admin node and had to completely reformat the primary node and rejoining it to the domain. The Policy Service nodes also hit a bug that corrupted the certificate store. Since the PSNs use the cert for encrypting replication and TAC and I couldn't delete the corrupt certs, I ended up having to reformat them as well and rejoin the fresh nodes to the domain. After that was completed, I patched everything up to the latest for 1.1 which fixes all those issues.

If someone had logged into ISE often or just patched it as needed, we would have avoided ISE eating 12 hours of my weekend. But if that guy you were talking about was doing more than just updating and he was actually changing or influencing policy for his own enjoyment or education on a production system, he's a moron then and probably deserved to lose his job.

Well... I'm really excited to take ownership of ISE. I know a lot of companies that are foaming at the mouth for more ISE experts so I'm hoping that single-handedly deploying ISE in an enterprise with over 100 locations will be a good boost of the resume. In a lot of ways, I'm feeling like this is going to be like a greenfield deployment. The former architect didn't really build a design that was scalable and since I want to deploy the latest code (1.2), I'll need to build new VMs for it anyways since I need new VMs provisioned with 64-bit processors. I'll create separate dedicated resources for the Admin, Monitoring and PSN nodes and load them up with a ton more memory. I'm going to also try to pitch a combination of VM and appliances for the design so we're not completely dependent on our VM environment.

Ok... I'll end my nerdy rant. Can you all tell I'm pretty excited for this? LoL

shodown

Yes your very excited and your ISE talk was over my head,lol.

DevilWAH

I have played with ACS before and that was so simple to manage. ISE on the other hand is a bit more involved. I just upgraded ours to 1.3, ask you cisco rep as they should be able to get you 1.3 rather than 1.2 even with a full CCO access when i got hold of 1.3 I had to go though my cisco contact. I am about to start hitting it hard over then next month. Really just looking at the Base licence features, but have a few 100 advanced licences as well so I can play with that to

Mainly using it for port and wireless based authentication, but will also be looking at device admin control.

One thing I really want to get head around is CWA or central web access for visitor/guest wireless and wired access with accounting. Was sitting with out support team and you can do some neat stuff with it if you want to play about.

Also plays nicely with prime so you can see all the authentication and access attempts from prime with out having to log on to the ISE server its self once its set up.

I am in the nice position of having had it to play with for last few months, and have a week of consultancy with a engineer from our support company who I have worked with for a few years now who will go over all the config and prime integration with me. Basically getting a experienced network engineer who has a lot of real world experience with it to cast his eye over my attempt and give me a list of suggested improvements.

One thing I have found with both Prime and ISE is there is not a great deal of material around you do have to go looking. But its great fun to set up, and allows you to start being so dynamic with devices and users. Some thing feels so much safer about applying policies on the physical switch port a PC is connected to, to be able to control access precisely to the network based on user/machine/OS and software. Different user logs in, new policy applied. but move the same device and same PC to new location and some access with out any config...

One thing worth looking at is if you want IP phones to use a licence or not? you can have it so that if you run the PC through the phone, that once the PC authenticates it allows the voice vlan as well. If you have a lot of phones and you are OK with it this can save a packet in licence costs.

Oh and TACACS is on the road map, was talking to one of the engineers about this recently and all ACS functions will be added over time. TACACS was great for administration control, you could really control and monitor administration. Great if you have junior admins you want to access devices but stop them doing and damage.

Iristheangel

I'll have to hit up my Cisco SE for 1.3. Thanks for the tip!

I haven't played with Prime yet. I'll look into that as well.

I'll probably do something similar to what you're doing by getting a seasoned ISE engineer from a VAR to look over my shoulder while I'm doing the design and implementation in our corporate office and then I'll do our remote sites and offices by myself.

Good tip about the license! I'll look into that. The crummy part is trying to get the end users to daisy-chain the phone and computer. They usually just ignore IT communication and keep doing what they do. I don't have the bandwidth to go check 1000+ people's physical connections but I can try.

TACACS would be a great addition. We're currently using it through our ACS server but we're not using it in any granular sort of way so in reality, we could use RADIUS and wouldn't have to make any adjustments to our enterprise

DevilWAH

When I ran ACS and TACAS to be honest I only had 3 profiles

1. mMy GOD profile

2. Standard Admins
3. Basic Show commands and allow interface state to be changed and vlan assigned.

One thing to be carefully if you do have some daisy chain the phones it to make sure the phone can authenticate if the PC is switched off! So if only the phone is on it takes once licence, then once the PC is switched on it re authentic the port using a new licence but freeing up the one the phone was using

I do like Prime, possible an over kill for my company, but really good for getting an over view, also has a nice provisioning feature, plug a switch in to the network, Prime will see it and deliver a default config to at least get it talking. You can then apply templates as you wish. My favourite thing is that once I have tested a deployment on say a 2960c, I have and access layer group set up with mutiply models of devices. I can simply create a template that only apply to 2960c for the new change. and have it automatic deploy to the access group, where it only deploys to that model. once I have tested it on another model, just open the template, tick the box for the new model and it goes away and applies it to them to... Makes keeping config in sync so much simpler.

union122

Great Write up. Thank You, I am hoping to deploy ISE with AirWatch for an MDM Wireless project at work. This will
help a great deal with getting started.

Iristheangel

Very nice, union! You'll like ISE. I would highly highly highly recommend beefing up your computer and building your own sandbox to play with at first. It's a lot easier to absorb the basic ISE concepts if you have a non-production network to play with.

@DevilWAH - I think I can do the switch auto-provisioning with Solarwinds as my TFTP server as well and push config updates using SNMP. I was looking through the Cisco configuration guide for DHCP Autoconfiguration for the 2960S and thinking about testing that out with the next site I deploy. I have about 15 sites this year that I'm doing a network refresh and redesign for as part of a WiFi upgrade and there's currently over 100 switches sitting in my storage room waiting for me to configure. Trying to simplify that a bit more.

DevilWAH

you can use solar winds, quite a few others as well, you can do scripted templates and or templates that apply differently to different devices. there's a whole scripting language with in the template design if you wish to use it. I sue to use Kiwikat tools years back and for basic stuff it was great.

An new part of prime allows you to auto provision from a mobile device, so you set up the device on prime and down load the configs to a laptop, then when you go to the remote site if you don't have connectivity, (new site no active devices). you then just attach the device to the lapop tap in the right code and its done. You can even use it on an Iphone, something flash about deploying a full config to a switch from a ipad using a 4 digit code.

I just purchased a few 2960c switches for play, been using them a lot in our small offices, there great little compact devices (8 or 12 port) passively cooled and silent, so I have one on my desk for testing ISE and other things. if you can afford £300 I suggest getting on. the run the full IOS and you can even get a 3650C version is having L3 is important.

kj0

Just put this up on my blog's Twitter and facebook page. Very good write up.

Keep up the great work Iris.

JustFred

Thanks for sharing Iris, sounds quite interesting. I'm going to look into it deeply

Iristheangel

Just thought I'd throw a quick update on here. I've been labbing ISE for the last couple of days and pretty happy with my progress. Using just the Labminute videos, I have both ISE nodes replicating using a certificate I generated from the CA VM I created. I also have the Meraki AP my boss let me borrow for labbing purposes running through it for authentication and I have my switches in my home lab using ISE for Radius authentication. I've integrated it with my AD server so all authentication requests are going through there first but I have been playing around with local accounts on ISE as well.

Here's a nice visual:

I could basically administer to ISE before this and I understand the base concepts of deployment but it's pretty exciting to be building it from scratch before I have to do it in production next month!

ISECapture.jpg

Iristheangel

I started my SISE class today. First day was all slides. No labbing at all. It was all stuff I learned already through the LabMinutes free videos. Tomorrow we start labbing so I'm hopeful that we start to move into material I haven't seen before. We'll see. I'll probably post a review at the end of the class on Friday or Saturday.

There's an associated exam that I can take based on the materials in the class (500-254) and since my company is paying for it, I scheduled it for this weekend as sort of a challenge for myself. If I pass, I don't get a certification but it's still nice to say I could pass it.

DevilWAH

I been playing with my ISE quite a bit lately. We are not planning to use the profiling / posturing advanced features at the moment, although I did look at them a bit. I did find you could use Regex in condition statements that is nice

the only thing I haven't completely finished setting up if the web-portal for guests, I have the basic portal configured, but looking to implemented one with a bit more logic to it so users can choose if they are staff or guests. So if you are staff you can use your username/password. and if you are a guest visiting site you just have to enter name/company/email and chose if you want to receive company news etc. But external identity sources and proxying to remote radius servers is all working good

Over all I like ISE, took a few days to get my head round the parts as not always is it clear what fits with what. But once I did I find it easy to build up the rules.

I might have to look up that SISE course sounds interesting as there little official training out there for it.

Iristheangel

My company paid for this course. If I had to pay for it out of pocket, I'd definitely say it wasn't worth the $4K but with someone else's money? Sure. It's some nice practice.

If you don't want to spend the week in training or money on a course, I'd say you can get more out of the BYOD book, the Labminutes videos and a home lab combined.

RouteMyPacket

My client site here is now on 1.2.0.899, upgraded a few months back. Looks like I am now officially one of three Engineers that make up our ISE practice now. Woo!

I have been around ISE for 1.5yrs probably now, first time was leveraging it for WLAN and Guest Services but now the full monty, wired/wireless. It is a beast and I can honestly say I don't "know" it in and out..I can manage it and troubleshoot dot1x pretty good but looks like I will be getting intimate with it now. Excited to say the least.

Looks like Cisco want to merge ACS into ISE at 2.0 last I heard?

As far as the guy who messed with the ISE installation and got canned. lol Man, do not play with ISE, it's not a toy..you change anything and issues can go through the roof..profiling, provisioning, posture...oh lordy that guy went full retard. Never go full retard man!

Iristheangel

I did hear from one of my friends that work at Cisco that they're looking to replace ACS fully with ISE in the next couple years. You can currently use ISE for ACS functions. It just uses RADIUS instead of TACACS. Supposedly TACACS is on the roadmap for release 2.0 but until it's released, who knows...

I have my equipment in my home lab set up to use ISE for AAA but haven't rolled it out in our enterprise yet. I'll probably introduce that side-by-side with our general ISE rollout.

Iristheangel

So today is the last day of my ISE class. I have to say I'm not really satisfied with it and VERY glad that I didn't pay for this with my own money. It's not the content itself that is bad, it's actually pretty awesome but we didn't get to any of the good stuff.
Before the class began, I received 2 large student guides in the mail and a lab guide. The student guides comprised of the slides and explanations for them broken down in the various days. The lab guide was also broken down into 5 days as well. Well... We're on day 5 and we're doing day 2's slides and labs in the class. We've also had various issues where we didn't have the passwords for various pieces of the lab or the lab wasn't set up how it was supposed to be in the book so it threw everything off.

I have the feeling this class was supposed to be 10 days long based on the number of slides and content combined with the amount and detail of the labs but I suspect the Cisco learning partners decided to turn it into a 5 day class to be cheaper. So that part sort of sucks so I have been studying for 8 hours a day after the class and using the lab remotely at night to keep up to where we're "supposed" to be at.

It is what it is but I want to do some more extensive labbing. My home lab is pretty similar to the SISE class lab but the only thing I'm lacking at this point is a WLC. I'm looking on ebay and thinking I'll pick up a 2504 for $600 (ouch!) unless anyone here is selling one for cheaper or know a different place I can buy one from. The LAPs I can borrow from my company without an issue, it's just the WLC that's going to be pricey.

Since I've been reading and labbing heavily after each class, I'm going to go for the 500-254 exam anyways tomorrow. It's not really a certification exam but it's the closest they have to ISE-certified right now and work is paying for it. *shrug*

DevilWAH

Over the last few weeks I have been getting in to ISE a lot more, what I have discovered is that out Certserver and infrastructure was set up by some one who had know idea what they where doing! Which basicly means i need to strip it out and re-implement it on the live network.

On the ISE side though its all good

I do think some of the policy elements are not clear and the GUI needs a bit more work to become really slick. However once you get it I find its really nice and modular to set up.

As far as integration in to prime it seems more of just the reporting side, but this is still useful as I can see from Prime how devices have authenticated and get and idea if there are any issues with out having to log in to ISE to.

Hope you have got some good out of the course, I wish I got to play with more of the profiling and posturing side of ISE, at the moment we are only using the base licences for about 99% of things. In the lab I have played around with it a bit but sadly not in the live network. The last thing I need to really get my head around is customizing the captive portal for guest wireless. I want to see if I can do some nice active web site for our visitors and staff to use.

DevilWAH

Question have you tried using ISE as a Radius proxy client?

So the situation is one of my users is at a remote company who we are partnered with for wireless access.

When my user joins there wireless network, there WLC sends a radius request to there NAC server, this in turn then proxies the request to My ISE which should authenticate the client and return a result to there NAC server to allow or disallow access.

At the moment it works fine if one of there employees is on my site, ISE proxies the request to there home server and all works as expected. But the other way around I see the proxy request coming from there server through the firewall, but no sign of them on ISE. I know they are going out the right interface with the correct IP address towards it, but then they get lost?

so question is how can i get ISE to behave as the client in a Radius Proxy set up?

Cheers

DevilWAH

Hi,

OK I got another questions about this.

Using Basic licences (no profiling) I want to assign a user to a vlan based on the machine they authenticate from.

So in ISE you can set up a rule that says

1 - if machine authenticated put in vlan X

2 - if user is authenticated and machine was authenticated already (user logs on to a machine that has already authenticated with machine name) put in to vlan Y

3 - OR if user is authenticated and in AD group A put in VLan Z

But I want to say

1 - if user is authenticated and machine is in AD group A put in VLAN X

2 - if user is authenticated and machine is in AD group B put in VLAN Y

Simple really

Vusa

Great work Iris l have seen two customers that have ISE Implemented l will say not upto the level that ISE can do, l am labbing ISE and l have being involved in these Implementations plaining to do it full time.

Vusa

l am looking forward to ISE version 1.3 with new features since the company l work for they have multiple domains

Vusa

DevilWAH is version 1.3 released...wow

Vusa

Guys how can you block internal users not to use Guest wireless to browser internet with ISE?

abehola

Hey Iris, nice piece here. I guess I'm coming to the dance late but could you kindly give any update from your implementation as I just took over a project on ISE as just like you the previous resource left and its now dumped on my laps to run with and the little I've been able to gather here has gone a long way in preparing me so you'd agree it's only natural to ask that you kindly give further updates on your implementation so as to learn more.

Iristheangel

Vusa wrote: »

Guys how can you block internal users not to use Guest wireless to browser internet with ISE?

Easiest way to do this is to uncheck the box under the Guest portal that allows employees to login to the Guest Portal and use Sponsor Portals to create guest accounts. Restrict access to who can access the Sponsor Portal and create guest accounts

Iristheangel

abehola wrote: »

Hey Iris, nice piece here. I guess I'm coming to the dance late but could you kindly give any update from your implementation as I just took over a project on ISE as just like you the previous resource left and its now dumped on my laps to run with and the little I've been able to gather here has gone a long way in preparing me so you'd agree it's only natural to ask that you kindly give further updates on your implementation so as to learn more.

LoL. I actually have a server sitting next to me right now running ISE 1.4 (Had to downgrade from ISE 2.0 for POC reasons *sniff*) with Pxgrid integration across Lancope, WSA, Firepower and controlling wireless and wired access. I tend to favor PEAP-EAP-TLS for my corp devices and I have Guest Access provided through Sponsor Portals. I haven't had much need to play around with or configure posturing yet. I'm about to run out of the house but let me give you a bit of a **** on here when I get back and hopefully that gives you some ideas on how to successfully implement ISE.