
Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps


Fri, 11/07/2014 - 14:08
ciscomoderator Oct 26th, 2014

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.

October 27, 2014 through November 7, 2014.

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.

Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years of networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale, focused on the requirements of the largest ISE deployments.

Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.

Remember to use the rating system to let Craig know if you have received an adequate response.

Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.


Please submit your questions on the discussion.

Cisco Ask the Expert

Monday, October 27th, 2014 6:45 AM PDT to Saturday, November 8th, 2014 6:45 PM PST
Rasika Nayanajith Fri, 10/31/2014 - 14:14

Hi Craig,

Some time back you were talking about a validated design document on how to set up ISE behind F5 for RADIUS load-balancing. Has this document been published?

Regards

Rasika

Craig Hyps Mon, 11/03/2014 - 16:15

Rasika,

Many apologies for the delayed response. I was just informed by the program manager of this outstanding question and for some reason did not receive an automatic notification. In any case, let me get to your question.

The good news is YES, I have written an ISE-F5 Load Balancing Deployment Guide. I am working closely with F5 to release it as a joint paper to ensure both parties are in agreement with best practice guidance and recommendations. The document will cover load balancing for ISE RADIUS, Profiling, and Web Services.

I am in the process of finalizing some key items with the F5 team before submitting the document to corporate editing. I am not sure of the exact timeline for final release but hope it will be in the next few weeks. I am also working with the F5 team to host partner and customer webinars that cover the integration details.

Regards,
Craig

Rasika Nayanajith Mon, 11/03/2014 - 18:28

Hi Craig,

Thanks for the response, Craig; the delayed response is fine.

It is very good to see documentation coming on this. I look forward to seeing it.

By the way, there is no option to rate your response individually.

Thanks again

Rasika

Craig Hyps Tue, 11/04/2014 - 14:14

You would need to join the discussion and post questions there to rate responses. There is currently a limitation that you cannot specify a rating if you post a question under the event. This may also explain why I did not receive notification of your postings to this page.

/Craig

Rasika Nayanajith Mon, 11/03/2014 - 18:45

Hi Craig,

I know this session is about ISE 1.2.

Since 1.3 has already been released, what is your view on moving to 1.3? Is there any improvement in scalability figures on 1.3 compared to 1.2?

NB: We are on 1.2.1 and have had to restart PSN nodes from time to time (e.g. CSCur43427), so we are thinking about moving onto 1.3 given the status of 1.2.

Rasika

Craig Hyps Tue, 11/04/2014 - 14:02

Rasika,

ISE 1.3 questions are fair game as it was not expected to be released before the end of this particular Ask the Expert event.

There are no specific changes to sizing guidance in ISE 1.3 compared to 1.2. One exception is that we did increase the number of guest accounts from 100k to 1M.

The addition of auto-registration and purging for guest flows can certainly be leveraged to scale web auth services. Using these features, users are not required to continually perform a new web auth upon every reconnect for the specified interval, and successive authentications are treated as basic MAB auth, which has very high performance.

Similarly, there is an option to bypass posture upon reauth for a set interval that improves the connection speed for end users.

From a stability perspective, there were a number of enhancements added in ISE 1.2.1 that are incorporated into ISE 1.3. For example, there are additional database sanity checks added to 1.2.1. There were also some index rebuilding options added to keep system indexes "fresh" and improve responsiveness. You can see some of these options from the CLI under 'app config ise'.

Specific defects like the one encountered are exception cases that need to be addressed on a case-by-case basis and not to be treated as a general scaling metric for the release.

Regards,

Craig

grabonlee Thu, 11/06/2014 - 03:36

Hi Craig,

I want to create authorisation rules based on location and assign a VLAN through authorisation profile. What is the best method?

For example, IP phones attached to different wired closets with a named VLAN (Voice_Vlan) but different VLAN IDs.

Do I,

1. Create a single rule and use the authorisation policy with the named VLAN, but have the wired closets on different VTP domains, so that once the rule matches, the IP phone in building A gets VLAN 10, building B gets VLAN 20 and so on.

2. Create a nested or inner rule within a single rule based on location and assign different authorisation profiles that have the VLAN IDs and not the name. If so, please could you describe how to create the inner rules.

Thanks for your help.

Craig Hyps Thu, 11/06/2014 - 07:48

Below is copy of my response to same question posted under the discussion section of this event...

My first recommendation is to authorize based on VLAN Name and/or VLAN Group Name. Note that names are case sensitive. This allows you to assign users to the same functional VLAN even if the numbers are not consistent across network devices.

For switches that support VLAN Group Name, it allows for an even higher level of abstraction to assign users to one of many VLANs that are associated to the same group/function. An example would be a switch where you run out of address space and need to allocate another VLAN to extend the address space into a different subnet. For wireless, you can assign VLAN by number, but also by Interface Name or Interface Group Name.

The above would be my first recommendation but does require validation that your naming is consistent across the network. If for some reason you are unable to facilitate the use of VLAN Names or Group Names (for example, unable to get consistent naming in place), then option 2 is valid as well, albeit not as efficient.

You would not need to nest Authorization Policy rules. You can simply have consecutive rules with varying conditions to match on things like Network Device Group (NDG) name, then assign the appropriate location-specific Authorization Profile. Optionally, you could have separate Policy Sets based on NDG location.

For reference, I posted a separate guide to the support forum that highlights a similar configuration for the purpose of returning different authorizations for different web authentication portals based on location here.

Regards,

Craig
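As an added illustration of the naming-consistency check Craig recommends (example code, not from the thread or from Cisco): a Python script that parses constructed 'show vlan brief' output from three hypothetical switches and reports where a VLAN name resolves to an ID on every switch, where it exists only with different letter case (ISE name matching is case sensitive), and where a location-specific Authorization Profile returning a VLAN ID would be needed instead.

```python
import re

# Constructed 'show vlan brief' output from three hypothetical switches
# (sample data for this example only, not from the original thread).
SHOW_VLAN_BRIEF = {
    "bldgA-closet1": """
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------
10   Voice_Vlan                       active    Gi1/0/2, Gi1/0/3
""",
    "bldgB-closet1": """
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------
20   Voice_Vlan                       active    Gi1/0/2
""",
    "bldgC-closet1": """
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------
30   VOICE_VLAN                       active    Gi1/0/2
""",
}

# One VLAN row: id, name, status (the header and dashed rows do not match).
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)", re.MULTILINE)

def parse_vlans(output):
    """Return {vlan_name: vlan_id} for the active VLANs in one switch's output."""
    return {name: int(vid) for vid, name, status in VLAN_ROW.findall(output)
            if status == "active"}

def resolve_vlan_name(name, outputs):
    """Per switch, the VLAN ID an exact (case-sensitive, as ISE matches) name
    resolves to, or None when the switch has no VLAN of that exact name."""
    return {host: parse_vlans(out).get(name) for host, out in outputs.items()}

def case_mismatches(name, outputs):
    """Switches where the name exists only with different letter case; these
    look right to a human but will not match the Authorization Profile."""
    hits = []
    for host, out in outputs.items():
        vlans = parse_vlans(out)
        if name not in vlans and any(n.lower() == name.lower() for n in vlans):
            hits.append(host)
    return sorted(hits)

def needs_id_based_profile(name, outputs):
    """Switches that would need a location-specific Authorization Profile
    returning a VLAN ID, because name-based assignment cannot work there."""
    return sorted(h for h, v in resolve_vlan_name(name, outputs).items() if v is None)
```

Run the same check against the real 'show vlan brief' output of every closet switch before switching the Authorization Profile to a VLAN Name; any switch listed by needs_id_based_profile is one where option 2 (NDG-matched rules with VLAN IDs) still applies.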
