Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.

October 27, 2014 through November 7, 2014.

Cisco Expert, Craig Hyps

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.

Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years of networking and security experience. Craig is defining Cisco's next generation Identity Services Engine (ISE), and concurrently serves as the Product Owner for ISE Performance and Scale, focused on the requirements of the largest ISE deployments.

Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.

Remember to use the rating system to let Craig know if you have received an adequate response.

Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation in the Security sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

(Comments are now closed)

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hello Kevin,Whether posture

Hello Kevin,

Whether posture or any security control is a good investment is always a balance between security policy, risk, and the cost/impact to organization to deploy such controls.  I will not attempt to answer that for your organization here, but will try to shed light on other facets of your query.

I do not have exact counts, but in my years working with both NAC Appliance and ISE, I would say most NAC customers deploy posture.  I would say less than half deploy posture with ISE, but realize that many have migrated from a AAA-only deployment, say CiscoSecure ACS, and many are green-field deployments where customer starts with basic authentication and access enforcement and then builds upon that foundation with more advanced functions of profiling and endpoint compliance.

Higher education is a unique vertical and the decision to perform posture or not is often rooted in the university's culture--some have the mantra that students shall have free access to all resources and do not mandate installation of any client software on student PCs; others treat the network as a privilege that is governed by specific terms of use including the installation of posture agent and software to help ensure the connected device is not a threat to other PCs or to the security and productivity of university as a whole. Depending on which camp your organization sits will often dictate whether posture is deployed.

With the growing popularity of Bring Your Own Device (BYOD) in the broader market, endpoint compliance is becoming a more prominent requirement. Endpoint compliance incorporates both the traditional posture assessment functions attributed to PC desktops/laptops as well as the more recent Mobile Device Management (MDM) solutions with a primary focus on mobile devices. With users connecting from personal devices where they have admin controls versus a managed endpoint that has been locked down with a corporate image, customers want to make sure there is a way to validate that the BYOD device meets some minimal compliance level.

Interestingly, Higher Ed has been a BYOD environment many years before the term became popularized in corporate networks. However, the same security concerns exist and the university culture and IT policy will dictate whether endpoint compliance is more important than unfettered student access from their personal devices.  

Moving forward I see MDM usage increasing and general endpoint compliance treated simply as a super-set of these device assessment and remediation options.  In my opinion, basic posture/MDM makes perfect sense to improve the general security of network and connected devices. I also agree that its use not significantly impact user productivity. ISE 1.3 targeted for end of this month adds support for AnyConnect 4.0 as the posture agent.  This is a major step forward to integrate endpoint compliance and security functions into single client and to improve on the end user experience and administration across the entire organization.

I hope this answered your questions.

Regards,

Craig

40 REPLIES
New Member

hi Craig,
We currently utilize Cisco NAC (Clean Access) to perform posture assessment, to make sure the endpoints have proper anti-virus software/definition, and up-to-date Windows patches.

What's your take on posture assessment?
Is it still a good investment in today's environments?
We're torn between continuing doing posture, or only doing authentication when we migrate to ISE.
We think it's a good idea to do posture, but it's a hard sell to management because of the premium Cisco charges for Advanced/Apex-AC licenses, and the technical complexity it brings.

Does Cisco have more customers doing posture than those not doing posture?
If you had to guess, what's the percentage breakdown between the two, in general, and in higher education?
I'm guessing most Fed/SLED customers would want to do posture, but I'm interested in knowing what other colleges & universities are doing.

Thank you,
Kevin

Cisco Employee

Hello Kevin,

Whether posture or any security control is a good investment is always a balance between security policy, risk, and the cost/impact to the organization to deploy such controls.  I will not attempt to answer that for your organization here, but will try to shed light on other facets of your query.

I do not have exact counts, but in my years working with both NAC Appliance and ISE, I would say most NAC customers deploy posture.  I would say less than half deploy posture with ISE, but realize that many have migrated from an AAA-only deployment, say CiscoSecure ACS, and many are green-field deployments where the customer starts with basic authentication and access enforcement and then builds upon that foundation with more advanced functions of profiling and endpoint compliance.

Higher education is a unique vertical and the decision to perform posture or not is often rooted in the university's culture--some have the mantra that students shall have free access to all resources and do not mandate installation of any client software on student PCs; others treat the network as a privilege that is governed by specific terms of use including the installation of a posture agent and software to help ensure the connected device is not a threat to other PCs or to the security and productivity of the university as a whole. Which camp your organization sits in will often dictate whether posture is deployed.

With the growing popularity of Bring Your Own Device (BYOD) in the broader market, endpoint compliance is becoming a more prominent requirement. Endpoint compliance incorporates both the traditional posture assessment functions attributed to PC desktops/laptops as well as the more recent Mobile Device Management (MDM) solutions with a primary focus on mobile devices. With users connecting from personal devices where they have admin controls versus a managed endpoint that has been locked down with a corporate image, customers want to make sure there is a way to validate that the BYOD device meets some minimal compliance level.

Interestingly, Higher Ed has been a BYOD environment many years before the term became popularized in corporate networks. However, the same security concerns exist and the university culture and IT policy will dictate whether endpoint compliance is more important than unfettered student access from their personal devices.  

Moving forward I see MDM usage increasing and general endpoint compliance treated simply as a super-set of these device assessment and remediation options.  In my opinion, basic posture/MDM makes perfect sense to improve the general security of the network and connected devices. I also agree that its use does not significantly impact user productivity. ISE 1.3, targeted for the end of this month, adds support for AnyConnect 4.0 as the posture agent.  This is a major step forward to integrate endpoint compliance and security functions into a single client and to improve on the end user experience and administration across the entire organization.

I hope this answered your questions.

Regards,

Craig

New Member

Cisco ise 1.2.1 patch 2

I'm using sponsor portal and wondering if I can either eliminate the help link on the sponsor portal or modify the hyperlink to point to another document and not the default sponsor portal user guide that Cisco provides.

Cisco Employee

Under ISE 1.2.x, you can only change the label under the Sponsor Language Template.  This option is intended to serve as a basic online user guide for the sponsor portal.

Sponsor Portal customization is very limited under ISE 1.2 and earlier versions.  However, under ISE 1.3 targeted to be released in latter part of November 2014, you will have the ability to fully customize the Sponsor portal as well as other user-facing portals (except Admin web interface).

By default, you will still have the Help button which will link to the online documentation, but you can simply remove that label from Admin UI and it will no longer appear.  By default, we will additionally display a Contact Support link next to the Help link.  This is fully customizable and provides a simple option to collect and report end user details to aid in troubleshooting.  Again, you will decide if you want this label/link to display in the portal, which support info is displayed, and other options such as custom links.  ISE 1.3 also supports multiple sponsor portals so more than one portal can be created to serve different geographies or groups of sponsors.

Hope this helps.

Regards,

Craig

New Member

Can you change the sponsor portal default timeout value in 1.3?  In 1.2 it is 20 mins but doesn't seem to be configurable.

Cisco Employee

Yes, it is configurable in 1.3.  This is covered in the ISE 1.3 Admin Guide documentation.  If not aware, ISE 1.3 was released on 11/01/14 and documentation posted to Cisco.com.

Portal Settings for Sponsor Portals

Idle timeout

Enter the time in minutes that you want Cisco ISE to wait before it logs out the user if there is no activity in the portal. The valid range is from 1 to 30 minutes.


Regards,

Craig

New Member

This command works without any issues with ISE version 1.1 and 1.2:

ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1


However, it does NOT work in ISE version 1.3.  See below:

ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
% Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.

% Error: Error adding static route.
ciscoisedev/admin(config)#


Any ideas why it is not working with version 1.3?

Cisco Employee

I am not really sure the purpose of your static route to a loopback address in ISE 1.2. To answer the question on static route changes between ISE 1.2 and 1.3, the answer is YES. 

Brief background on situation...

With ISE 1.2 we added support for web services on different interfaces. This was a great option for customers that want to segregate user traffic from RADIUS and management traffic, but it created a challenge for path symmetry since the routing table was not interface specific.  In other words, traffic received on a specific interface was not sent out the same interface by default, and trying to create subnet-specific routes is not feasible for most customers. 

For reference, I touch on this use case in a Cisco Live session (BRKSEC-3699: Designing ISE for Scale & High Availability) posted here.
The workaround I propose is to source NAT traffic to the web-portal interface so that client https requests always exit the same interface on which received.

With ISE 1.3 we allow a default route per interface or subnet-specific routes for specific interfaces. As part of these enhancements, we verify the next-hop address is in a valid subnet for one or more local interfaces. This would explain the error that you are seeing.

Hopefully this enhanced functionality addresses your requirements and the purpose for your original static route to a loopback address.

Regards,
Craig
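
As an added illustration of the next-hop check Craig describes (this is not ISE's own code, and the interface names and prefixes are constructed sample data), the following Go program rejects a static route whose gateway is not on-link with any configured interface, which is the situation behind the "Could not find outgoing interface for gateway 127.0.0.1" warning above. The loopback interface is assumed not to count as a candidate outgoing interface.

```go
package main

import (
	"fmt"
	"net"
)

// Interface models one appliance interface with the prefixes configured on it
// (constructed sample data, not read from a real ISE node).
type Interface struct {
	Name    string
	Subnets []*net.IPNet
}

// outgoingInterface returns the interface whose directly connected subnet
// contains the gateway. A gateway that is not on-link with any interface is
// rejected, which is the check ISE 1.3 performs before installing the route.
func outgoingInterface(ifaces []Interface, gateway string) (string, error) {
	gw := net.ParseIP(gateway)
	if gw == nil {
		return "", fmt.Errorf("invalid gateway address %q", gateway)
	}
	for _, itf := range ifaces {
		for _, n := range itf.Subnets {
			if n.Contains(gw) {
				return itf.Name, nil
			}
		}
	}
	return "", fmt.Errorf("could not find outgoing interface for gateway %s while trying to add the route", gateway)
}

// mustCIDR parses "addr/len" into its network prefix, panicking on bad input.
func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// sampleInterfaces returns a constructed two-interface layout: one for
// management/RADIUS and one for web portals, as in the split described above.
func sampleInterfaces() []Interface {
	return []Interface{
		{Name: "GigabitEthernet 0", Subnets: []*net.IPNet{mustCIDR("10.10.10.10/24")}},
		{Name: "GigabitEthernet 1", Subnets: []*net.IPNet{mustCIDR("192.168.50.5/24")}},
	}
}

func main() {
	ifaces := sampleInterfaces()
	for _, gw := range []string{"10.10.10.254", "192.168.50.1", "127.0.0.1"} {
		itf, err := outgoingInterface(ifaces, gw)
		if err != nil {
			fmt.Printf("%% Warning: %v\n", err)
			continue
		}
		fmt.Printf("route via %s exits %s\n", gw, itf)
	}
}
```

Running it prints the two on-link gateways with their exit interfaces and a warning for the loopback next hop, matching the behaviour reported for ISE 1.3.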

New Member

hi Craig,
Thank you for the reply to my previous question.

As a higher education operator, we allow any anti-virus software, as part of our posture assessment check.
So on our current Cisco NAC manager, under User Management / User Roles / Temporary Role / Host, there's a long list of URLs as "Allowed Host", where users can go to get their AV software installed/patched to be compliant.
For example: .mcafee.com, .symantec.com, .trendmicro.com, etc.

How can we migrate this function to ISE?
A few more recent platforms support DNS based ACL, but most of our Cat2K switches don't.
There are ~50 entries on that list.
Any way to support it on ISE w/o having to manage an ACL that's based on IPs?

Ditto for allowing access to Google Play to onboard Android devices.

Thx,
Kevin

Cisco Employee

Kevin,

NAC Appliance relies on being an inline enforcement device to perform the DNS snooping function that allows the domain-based ACL policy enforcement.

ISE leverages the existing infrastructure to perform policy enforcement. This keeps your policy server or other overlay appliance out of the data path but consequently requires the access device or other upstream device to perform this function.

As you noted, WLC 7.6 added support for DNS ACLs to support this requirement for wireless clients during the URL redirection state when BYOD, MDM, and Posture integration are triggered. It is also possible to integrate with web security solutions like the WSA with transparent login such that specific networks can have access controlled based on domain name.  There are other options that rely on DNS tricks or other security devices that support host-based policies including ASA, but the best solutions are those like WLC that dynamically allow access based on specific client DNS responses (similar in concept to what NAC Appliance Server is doing).

For the 2960 switch that does not currently support DNS ACLs, I would consider an upstream web security solution that applies transparent proxy with URL-based policy controls to users in a pre-compliance/quarantine VLAN/source network.

I double-checked with switching product team and support for DNS ACLs is being considered but not yet committed, so be sure to work with local Cisco sales team to add your name and business requirement to raise feature prioritization.

Regards,

Craig

New Member

Hello Craig,

We are using ISE 1.2 for guest and BYOD with a certificate from an internal MS CA using NDES. We provide access to the corporate network via a standard SSID on our WLC using WPA2 Enterprise with an AD back-end.

We would like to move our corporate SSID over to ISE using some kind of certificate.  How would we differentiate the cert issued for BYOD from the one for our new network?  We would not want someone with a BYOD cert to gain access to our corporate network.

Thank you

Cisco Employee

S Doherty,

ISE 1.2 exposes a number of certificate attributes to the Authentication and Authorization Policy to validate that the issued certificate matches or does not match the specified criteria.  For example, you may wish to use Issuer CN or Issuer OU to distinguish between your BYOD certs and other corporate certs.

ISE 1.2.1 added a couple new attributes to validate expiry.  The just released ISE 1.3 version exposes additional certificate attributes to the Auth Policy such as Key Usage/EKU.  ISE 1.3 attributes include the following:

  • Serial Number
  • Template Name
  • Is Expired
  • Days to Expiry
  • Key Usage
  • Extended Key Usage - Name
  • Extended Key Usage - OID
  • Issuer
  • Issuer - Common Name
  • Issuer - Country
  • Issuer - Domain Component
  • Issuer - Email
  • Issuer - Location
  • Issuer - Organization
  • Issuer - Organization Unit
  • Issuer - Serial Number
  • Issuer - State or Province
  • Issuer - Street Address
  • Issuer - User ID
  • Subject
  • Subject - Common Name
  • Subject - Country
  • Subject - Domain Component
  • Subject - Email
  • Subject - Location
  • Subject - Organization
  • Subject - Organization Unit
  • Subject - Serial Number
  • Subject - State or Province
  • Subject - Street Address
  • Subject - User ID
  • Subject Alternative Name
  • Subject Alternative Name - DNS
  • Subject Alternative Name - EMail
  • Subject Alternative Name - Other Name

Note that ISE 1.3 also includes an embedded CA in case you want ISE to manage certs for BYOD.  It will allow BYOD certs to be issued by embedded CA or by your private CA using SCEP based on matching conditions.

Regards,

Craig

New Member

Hello again Craig and thank you for your answers!

To continue the discussion on using certificates and their fields whether the Subject Name or SAN.  I read on another post you mentioned byod and using the 'SAN radius:Calling-Station-ID' id field to authorize clients - this is how we do byod as well.  The client sends this information in the radius flow - this is the documented method.

Now let's say you want to differentiate certs between BYOD and corporate. If you use another certificate field, let's say AD/email, each user's email is different, so how do you set this up in an authorization policy?  I guess I do not understand how the certificate actually functions.  In this case would ISE do a call to AD to verify that what is being presented by the client certificate matches what is on the client's AD account?  Does it just check to see if the certificate has an email address, or does it check the client's certificate against the CA certificate to see if the email addresses match?

Thank you!

Cisco Employee

For certificate-based auth, the client will send its certificate to ISE via RADIUS. In both the Authentication and Authorization phases, ISE can look at the certificate fields listed previously and match on specific values such as Issuer.

During Authorization, ISE can perform lookups based on the Identity specified in the Certificate Authentication Profile. For example, if Identity is based on Subject CN and the client certificate has CN set to 'user_xyz', then the PSN performs a lookup to the specified ID store using that identity.  So if you have populated one of the supported fields for ISE policy matching, you could compare that field to the one configured in the user's AD account. 

Example:

   Authorization Policy Rule = AD_User_Email_Match

   if CERTIFICATE:Subject - Email EQUALS AD1:mail then Permit_Access

In this example, the Certificate Auth Profile listed Subject CN as the field to use for Identity and that field was employee1. During authorization, PSN looks up employee1 in AD1 and will compare the value in actual certificate presented by client to the mail attribute for this user in AD.

Hope that clarifies how certificate authorization is performed.

Regards,

Craig

New Member

Craig,

Is there a way to have confidence that certificate authentication is being done by the device to which certificate was issued? We would like to avoid a certificate being installed on multiple machines.

Cisco Employee

For starters, there are basic precautions that are possible outside of ISE such as setting the issued certificate to be non-exportable.  That is not fool-proof, but will not make things so simple for the typical user.

For Windows PCs, there is also the option to have separate machine and user certificates. The AnyConnect supplicant can further enhance functionality by allowing separate identities to be chained together using EAP Chaining. This would allow, for example, validating the machine using a cert or even the AD machine account (not easily hacked) and then user auth to occur via a user cert.

For general OSes, one simple option is to issue certificate with endpoint identifiable information that can be verified during authentication and authorization phase. For example, ISE BYOD allows certs to be issued whereby the MAC address of the registering client is captured during enrollment and automatically populated into the issued certificate's SAN field. If issuing client certificates using MDM, similar options exist to capture attributes from client and populate cert fields.

During authentication/authorization, you can then compare the Calling-Station-ID (commonly the MAC Address) of the client to the certificate field that is populated with the MAC Address.  If using MDM, then it is possible to check if the mobile device is rooted/jailbroken, which may also indicate possible tampering with device credentials/certs.

We have also supported binary comparison during authentication, which basically compares the certificate issued to a user with the one they are presenting.  For example, if pushing certificates from AD CA and AD has a copy of the issued cert, we will compare that the cert presented is the actual cert for that endpoint.  If the user has multiple machines, then the certs would be different, even if each is valid.

Hope that helps.

Craig
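
The two replies above (distinguishing BYOD from corporate certs by Issuer attributes and comparing a certificate field to the AD mail attribute, then binding a BYOD cert to the enrolling device's MAC address and checking it against Calling-Station-ID) can be exercised end to end in Go's standard library. The program below is an added example, not ISE code or Cisco's policy engine: it generates a "BYOD" and a "Corporate" CA in memory, issues one client cert from each, and evaluates an ordered rule set in the spirit of Craig's AD_User_Email_Match example. Assumptions to note: the MAC is carried as a dNSName SAN entry and the email as a SAN rfc822Name (real enrollment flows may use other SAN types), the directory lookup is a constructed map standing in for AD, and all names, MACs and OUs are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl under parent with parentKey; a nil parent yields a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func template(subject pkix.Name, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// caTemplate puts the distinguishing value in Issuer OU, as Craig suggests.
func caTemplate(ou string, serial int64) *x509.Certificate {
	t := template(pkix.Name{OrganizationalUnit: []string{ou}, CommonName: ou + " Root"}, serial)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return t
}

// clientTemplate builds a client-auth cert; a non-empty mac lands in the SAN,
// modelling the enrollment-time device binding described above (assumed encoding).
func clientTemplate(cn, email, mac string, serial int64) *x509.Certificate {
	t := template(pkix.Name{CommonName: cn}, serial)
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	t.EmailAddresses = []string{email}
	if mac != "" {
		t.DNSNames = []string{mac}
	}
	return t
}

// directory stands in for the AD identity store (constructed): Subject CN -> mail.
var directory = map[string]string{"employee1": "employee1@example.edu"}

// Request is what the policy sees for one EAP-TLS session (constructed values).
type Request struct {
	CallingStationID string // client MAC as reported by the access device
	Cert             *x509.Certificate
}

// authorize: chain validation first (authentication), then Issuer OU picks the
// branch, then the branch-specific comparison decides the authorization result.
func authorize(roots *x509.CertPool, req Request) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := req.Cert.Verify(opts); err != nil {
		return "Deny", err
	}
	switch strings.Join(req.Cert.Issuer.OrganizationalUnit, ",") {
	case "BYOD":
		for _, san := range req.Cert.DNSNames {
			if strings.EqualFold(san, req.CallingStationID) {
				return "BYOD_Internet_Only", nil
			}
		}
		return "Deny", errors.New("BYOD cert presented from a MAC other than the enrolled one")
	case "Corporate":
		mail, ok := directory[req.Cert.Subject.CommonName]
		for _, e := range req.Cert.EmailAddresses {
			if ok && strings.EqualFold(e, mail) {
				return "Permit_Access", nil
			}
		}
		return "Deny", errors.New("cert email does not match AD mail attribute for identity")
	}
	return "Deny", errors.New("unrecognised issuer")
}

// scenario builds both CAs and one client cert from each; returns the trust pool and certs.
func scenario() (*x509.CertPool, *x509.Certificate, *x509.Certificate) {
	byodCA, byodKey := issue(caTemplate("BYOD", 1), nil, nil)
	corpCA, corpKey := issue(caTemplate("Corporate", 2), nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(byodCA)
	pool.AddCert(corpCA)
	byod, _ := issue(clientTemplate("employee1", "employee1@example.edu", "00-11-22-33-44-55", 10), byodCA, byodKey)
	corp, _ := issue(clientTemplate("employee1", "employee1@example.edu", "", 11), corpCA, corpKey)
	return pool, byod, corp
}

func main() {
	pool, byod, corp := scenario()
	for _, r := range []Request{{"00-11-22-33-44-55", byod}, {"AA-BB-CC-DD-EE-FF", byod}, {"AA-BB-CC-DD-EE-FF", corp}} {
		result, err := authorize(pool, r)
		fmt.Printf("%s issuer=%v -> %s (%v)\n", r.CallingStationID, r.Cert.Issuer.OrganizationalUnit, result, err)
	}
}
```

The second request in main is the case the question asks about: the same BYOD certificate copied to a machine with a different MAC is denied even though it chains correctly, while the corporate cert is accepted only because its email matches the directory entry for its CN. A certificate whose Issuer OU merely reads "Corporate" but chains to an untrusted CA never reaches the OU switch, because Verify fails first.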

dal
New Member

Hello Craig.

I have some questions about ISE v1.3 if you don't mind.

I see that the guest part of ISE has been upgraded. Is it now possible for a guest to send an SMS to a given phone number and get a login link in return?

If not, is it possible for a guest to self register, and then receive a link they can click on and be logged in? I mean so guests don't have to enter username and password at all; it is all embedded in the link?

We use NowSMS as SMS Gateway. Have you heard of it? Any pointers on how to configure ISE against it?

Will we see Norwegian language files for the sponsor and guest portals? Do we make them ourselves?

Can we use phone number as username?

Where can I change what fields the sponsors have to fill out when making new guest accounts?

Thank you.

Cisco Employee

No problem asking questions on ISE 1.3.  When asked for topic for this event, we did not know that ISE 1.3 would be shipping yet, so I listed ISE 1.2 to avoid questions on pre-release code.  Now that it is shipping, ISE 1.3 questions are fair game.

1. SMS Notification: Yes, a guest can send SMS to acquire credentials and this is admin configurable. They automatically are redirected to the login page from web browser but will need to manually enter the credentials received via SMS. We hope to provide update in interim release that will offer link with credentials that allows automatic login, but that did not make the first ISE 1.3 release.

2. Auto-Login Guest: When users self-register, YES, you can allow automatic login after they submit the requested information.

3. SMS Provider Support: ISE 1.3 comes preconfigured with a number of major SMS providers including both HTTPS and SMTP gateway support. NowSMS is not one of the preconfigured providers, but you can leverage one of the existing templates as a guide for populating the template for this provider.

4. Language Support: ISE 1.3 does not have Norwegian language support out-of-the-box, but the language files in ISE 1.3 make it much easier for customers to create and customize their own "templates", more similar to the way we support multiple language files with AnyConnect VPN.  You will be able to export the language file for selected portal, copy the properties file for supported language like English or German, make all changes to properties file offline, and then import the language file back into ISE with new properties entry.

5. Phone # as Username: There is an option to allow self-registered users to set username. We also support option to set custom username via API so you could create your own sponsor app to do this. For standard sponsor portal, the username is either the email address or derived from first and last name, often with additional numeric suffix to ensure uniqueness. Further testing would be required to see if custom CSS or Javascript could accomplish similar result from a sponsor portal.

6. Sponsor Fields: The fields that will be populated are configured under the Sponsor Portal > Portal Page Customization. Select the Page customization for Create Account for Known Guests. You will see a Preview of the sponsor portal on the right side. Click the Settings option above the preview. Here you can select which fields are displayed and whether they are mandatory entry fields.  You can also configure specific attributes required for specific Guest Types.  These will be automatically added if you create a guest from that portal when that guest type is selected.

Regards,

Craig

dal
New Member

Hello again, and thank you for your answers.

1. This is actually possible? A guest can send an SMS and get login credentials back? Without any web page involved before the actual login? Do you have an example for this?
I'm looking forward to the login link containing login credentials.

2. Very nice. Do you have any pointers where I can find that option?

3. I actually found this one out myself, and I now have NowSMS working as SMS Gateway for ISE :)

4. Yeah, I downloaded a few of them and started the conversion. Exactly how many language files are there? Is there a way to download them all at once?

5. I'm not sure what you mean (There is an option to allow self-registered users to set username). Where can I do that?

6. Found it, thanks for that.

Thank you again.

Cisco Employee

1. Self registration flow starts with user being redirected to a login web portal, selecting option that they need to setup an account, and then completing form. If self-service portal is also configured to allow notification through SMS, then user will be sent text message with login credentials that will be used at login page.

Below is an example configuration for the self-service portal with SMS options enabled.

If you do not want to automatically send credentials via email or SMS, you can set the option to have the user select whether they want credentials sent via email or SMS:

Under the Portal Customization, you can use default notification or add your own text and variables. In below example, I was using the optional access code, so added that to the default SMS notification message:

2. See second screenshot above where I highlighted option "Allow guests to log in directly from the Self-Registration Success page" under the Self-Registration Success Settings.

4. Language files in 1.3.0 are portal specific. There is one language file per portal that can be exported as a zip and contains all supported languages under separate properties files. You can make changes to any of the default properties files or add a new one.  If you want changes to apply to multiple portals of the same type, then you will need to import new zipped language file into each portal. 

5. Yes. For example, maybe the guest wants to use their phone number or other personal ID.  See first screenshot where I highlighted the optional User name field under the  Self-registration Page Settings.

Regards,

Craig

dal
New Member

Hello, and thank you again for your answers.

1. This is not what I meant. I was hoping there was a way for the guest to send an SMS to acquire login credentials, not going via the web page first.

Like sending an SMS with a code word, i.e. GUEST first name last name, and getting a response with an auto generated username (or phone number as username) and a password. And to top it all off, a link containing the login credentials :)

4. Ok, but let's say I have 1 portal for each type (1 guest portal, 1 sponsor portal, 1 self registration portal, etc) How many language files do I end up with then? Or do they all use the same language file? Or should I say language template?

But I have trouble making the portal work.

The self registration works fine, sending credentials with SMS works fine, and login works fine.

I'm getting a message saying: Success, you now have Internet access through this network.

But after this, whenever I try to go to any web site, I get redirected back to the Guest Portal..

I'm guessing it has something to do with the fact that we use Aerohive for WiFi.

Doesn't ISE need to send some "message" back to the access point, telling the access point that access is granted?

If so, what kind of message is that? And how to make an Authorization Result with it?

Two more things:

What exactly are the URL's for the sponsor and guest portals? The only way I have found to access them is via the setup page and portal test URL

When will Anyconnect 4 be released?

Thanks again.

Cisco Employee

1. Guests cannot send SMS to ISE and have it parse info to generate guest account. You could however have user send SMS to an external application that is able to process the data and use the Guest API in ISE 1.3 to create the account and automatically send SMS notification to the guest. 

4. By default, there is one language file per portal type that contains all of the text for that specific portal. For example, there is one language file for guest portals, one for Sponsor portals, one for My Devices, etc. If you were to have three portals of different types, then you would have three different language files.  You can export the language files in your current portals and see this first-hand.

Regarding authorization issue, you need to review ISE Live Authentications log under Operations > Authentications and look for the events for user in question. Verify that ISE is matching proper policy rule and returning the expected RADIUS authorization attributes to your wireless device.

Since you mention a 3rd-party wireless device, this will be Local Web Authentication (LWA) versus Central Web Authentication (CWA), where ISE sends CoA after web auth. You should see a basic PAP request from the access device where it submits the guest credentials and ISE returns a specific authorization. In LWA, redirection does not come from the PSN, but from your local access device. The Success message indicates authentication was successful, but you need to review the Live Log to determine which authorization was returned.

For CWA, it is not necessary to know actual portal location since ISE returns specific location automatically. For LWA, you need to enter a static URL destination. The syntax for portal under ISE 1.3 would be:

https://<psn_fqdn>:<port>/portal/PortalSetup.action?portal=<portal_name>

where:

   <psn_fqdn> resolves to a specific PSN or load-balanced server
   <port> is 8443 by default
   <portal_name> is the exact name assigned to the portal, including spaces. You may need to add Unicode equivalents for spaces and special characters depending on your access device.

For Sponsor Portal, the best method is to use the simple URL (ISE 1.2) or the FQDN setting under the portal config. This allows you to configure DNS with this simple FQDN and have it resolve to desired destination.

 

Regarding AC 4.0, I cannot provide information on future release dates in this forum. Please contact your local Cisco account team for information on future releases.

Regards,
Craig
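The LWA portal URL syntax above, as an added example that is not part of the thread or of Cisco ISE: a builder that percent-encodes the portal name (spaces and special characters) and a checker that validates a URL already typed into an access device. Host and portal names are constructed placeholders.

```python
# Added example, not Cisco ISE code: build and validate the static LWA portal
# URL https://<psn_fqdn>:<port>/portal/PortalSetup.action?portal=<portal_name>.
import re
from urllib.parse import parse_qs, quote, urlsplit

PORTAL_PATH = "/portal/PortalSetup.action"

def build_portal_url(psn_fqdn: str, portal_name: str, port: int = 8443) -> str:
    """Return the portal URL with the portal name safely percent-encoded."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", psn_fqdn):
        raise ValueError("psn_fqdn must be a bare host name, not a URL")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if not portal_name:
        raise ValueError("portal name must not be empty")
    # safe='' also encodes '/', '&' and '=' which would otherwise break the query
    encoded = quote(portal_name, safe="")
    return f"https://{psn_fqdn}:{port}{PORTAL_PATH}?portal={encoded}"

def parse_portal_url(url: str) -> dict:
    """Check a configured URL against the expected syntax; decode the portal name.

    Returns {"host", "port", "portal"} or raises ValueError describing the defect.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("portal URL must use https")
    if parts.path != PORTAL_PATH:
        raise ValueError(f"unexpected path {parts.path!r}")
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes %20 etc.
    if list(query) != ["portal"] or len(query["portal"]) != 1:
        raise ValueError("query must contain exactly one portal=<name>")
    return {"host": parts.hostname, "port": parts.port or 8443,
            "portal": query["portal"][0]}

if __name__ == "__main__":
    # Constructed values: a PSN host name and a portal name containing spaces.
    url = build_portal_url("psn1.example.com", "Guest Portal (default)")
    print(url)
    print(parse_portal_url(url))
```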

New Member


Hi Craig,

A customer of ours, which is intending to grow their deployment, wants to deploy F5 load balancing in front of their ISE deployment.

The broad question I have is: Is there any F5/ISE integration/best practice guide that can be used to ensure this deployment is successful?

The technical problem that we are running in to is with traffic that was originated by the ISE PSN, or traffic from a client that addresses the ISE PSN directly instead of through the F5 VIP (such as guest portal traffic). Because the F5 is the PSN's default gateway for all traffic, OCSP traffic from ISE (10.10.10.10) for example, is getting sent through the F5 (10.10.10.253), however the return traffic from the OCSP server is using the regular path to the ISE node, which is through the firewall (10.10.10.254). This causes the stateful firewall to reject this packet, and the conversation is broken.

Is the solution here simply to place the ISE nodes on a L3 segment with the F5 routing all traffic for that network? Or is there something else we can do here?

Thank you,

Aaron

Cisco Employee


Aaron,

Yes, there is an F5/ISE LB Deployment and Best Practices Guide that is almost ready for release. Please see my response to a similar question on the main page of this event here. (Search on F5.)

Current best practice guidance is to ensure the F5 LTM is fully inline with traffic and using IP Forwarding servers to address non-LB traffic.  There are cases where some traffic may bypass F5 and I cover this in my guide, but most LB flows like RADIUS should always be fully inline.

Technically there are ways to make some flows bypass the F5 LB, but my focus for this first revision of the guide is to advocate proven, working configurations that have successful deployments around them.  There are so many variables when traffic is asymmetric and difficult to capture.  I am hoping to have a larger deployment base with these variations before promoting them as best practice. 

In your case you mention issues with asymmetric flows through firewall.  There are methods to address asymmetry through a firewall which are independent of the topic of load balancing.  You could create a static route to OCSP server that points to firewall, but my recommendation is to start with fully inline--either physically or logically inline--to help ensure success.

Since you mention "a customer of ours", it sounds like you may be a Cisco partner. If so, please reach out to your Cisco Security Channels SE for information on an upcoming webinar I will be delivering with F5 team next month on this very topic.

Regards,
Craig
 

Bronze


Hi Craig,

I want to create authorisation rules based on location and assign a VLAN through authorisation profile. What is the best method?

For example, IP phones attached to different wired closets with named vlan (Voice_Vlan) but different vlan IDs. 

 

Do I,

1. Create a single rule and use the authorisation policy with the named VLAN, but have the wired closets on different VTP domains, so that once the rule matches, an IP phone in building A gets VLAN 10, building B gets VLAN 20 and so on.

 

2. Create a nested or inner rule within a single rule based on location and assign different authorisation profiles that have the VLAN IDs and not name. If so, please could you describe how to create the inner rules.

 

Thanks for your help.

Cisco Employee


My first recommendation is to authorize based on VLAN Name and/or VLAN Group Name.  Note that names are case sensitive. This allows you to assign users to same functional VLAN even if the numbers are not consistent across network devices.

For switches that support VLAN Group Name, it allows for an even higher level of abstraction to assign users to one of many VLANs that are associated to the same group/function. An example would be a switch where you run out of address space and need to allocate another VLAN to extend the address space into a different subnet. For wireless, you can assign VLAN by number, but also by Interface Name or Interface Group Name.

The above would be my first recommendation but does require validation that your naming is consistent across the network. If for some reason you are unable to facilitate the use of VLAN Names or Group Names (for example, unable to get consistent naming in place), then option 2 is valid as well, albeit not as efficient.

You would not need to nest Authorization Policy rules. You can simply have consecutive rules with varying conditions to match on things like Network Device Group (NDG) name, then assign the appropriate location-specific Authorization Profile.  Optionally, you could have separate Policy Sets based on NDG location.

For reference, I posted a separate guide to the support forum that highlights a similar configuration for the purpose of returning different authorizations for different web authentication portals based on location here.

Regards,

Craig

Bronze


Hi Craig,

Thanks for the quick response. My naming convention will be consistent, so I will use the first option, which would be to have a single authorization rule for each category of user/device and assign a profile with the VLAN name. Please could you confirm if the VTP domain must be different or can be the same across wiring closets, but the mode will be Transparent.

Another question I have is regarding device provisioning with PEAP only no SCEP and no device registration. I understand that the authentication would be through Wired or Wireless MAB, but I want the Authorisation rule to match the profile for self-provisioning. I already have my default rule Authorisation rule as Web_Auth.

So would my authz rule be:

If Wireless_MAB or Wired_MAB and Network Access: AuthenticationMethod = MSCHAPv2 then Self_Provisioning_profile. Should there be any other differentiating condition so that other MAB devices don't match this rule?

Do I place this before rule for 802.1X devices that are configured properly and don't require provisioning or after?

Lastly for wired devices, do I still need to configure Guest Portal?

Thanks a lot

 

 

Cisco Employee


The use of VTP has no relevance on the authorization. VTP essentially controls how VLANs are auto-populated.

Regarding the second question, you mention that you want to use device provisioning but not for device registration and no SCEP. I interpret your request to mean that you want to provision the supplicant on user devices for 802.1X using PEAP-MSCHAPv2. Based on this premise... let me clarify that device registration is a prerequisite for supplicant provisioning, which is part of the BYOD flow. This is not a big issue and actually a good thing. For each user provisioned you will see that user's identity defined as the PortalUser for the endpoint. The endpoint will also show that it has been registered and users will be able to manage their registered devices and do things like report lost or stolen.

The typical flow would be to start with Central Web Auth. You have the option to enable Supplicant Provisioning for all non-Guest users by a config setting in the portal. This may work fine if you want to provision all employees hitting that CWA portal, but I generally recommend using the web authentication result to perform a lookup to the ID store and determine if that user should be placed into the provisioning flow.

In the below example, the user hits CWA by default.  Based on their identity captured from CWA, I send specific users (members of the AD group "employee") through supplicant provisioning.

Other CWA users like guests, or other non-AD users, could match a less specific policy below the one that matches the more specific conditions for employee. The Guest Flow condition basically matches users that just completed a successful web auth and are going through reauthentication after CoA.

Hope this answers your question.

Craig
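The rule ordering Craig describes (specific employee rule above the less specific Guest Flow rule, CWA redirect as the default), as an added example that is not part of the thread or of Cisco ISE: a first-match evaluator over constructed session attributes, with a deliberately misordered rule list to show why order matters. Rule, group and profile names are placeholders.

```python
# Added example, constructed for this thread, not Cisco ISE code: a first-match
# authorization policy evaluator. A real policy would carry 802.1X rules above
# these; only the CWA / provisioning part of the flow is modelled here.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Session:
    """Constructed stand-in for the attributes ISE sees on a request."""
    auth_method: str                    # "MAB" or "dot1x" (constructed values)
    guest_flow: bool = False            # True on the reauth after web auth + CoA
    ad_groups: frozenset = frozenset()  # groups resolved for the PortalUser

Rule = Tuple[str, Callable[[Session], bool], str]   # (name, condition, profile)

# Ordered as described in the answer: the most specific condition first.
RULES: List[Rule] = [
    ("Employee_Provisioning",
     lambda s: s.guest_flow and "employee" in s.ad_groups, "NSP_Onboard"),
    ("Guest_Access", lambda s: s.guest_flow, "Guest_Internet"),
    ("Default_CWA", lambda s: s.auth_method == "MAB", "CWA_Redirect"),
]

def authorize(session: Session, rules: List[Rule] = RULES) -> str:
    """Return the profile of the first rule whose condition matches (top down)."""
    for _name, condition, profile in rules:
        if condition(session):
            return profile
    return "DenyAccess"   # nothing matched: the implicit deny at the bottom

def misordered_rules() -> List[Rule]:
    """Guest rule above the employee rule: employees never reach provisioning."""
    return [RULES[1], RULES[0], RULES[2]]

if __name__ == "__main__":
    unknown = Session("MAB")                      # first contact, no web auth yet
    employee = Session("MAB", guest_flow=True, ad_groups=frozenset({"employee"}))
    guest = Session("MAB", guest_flow=True)
    print(authorize(unknown), authorize(employee), authorize(guest))
    print("misordered:", authorize(employee, misordered_rules()))
```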

Bronze


Hello,

Please what do you mean by "I generally recommend using the web authentication result to perform lookup to ID store and determine if that user should be placed into provisioning flow".

 

My use case is this:

An AD and Non-AD user (Identity store through radius proxy) without 802.1X setup properly will use Supplicant provisioning. I am not differentiating between Employee BYOD or a non-employee as long as they fall into the ID stores I mentioned above. The default rule which is WebAuth is just for users without matching Authz rule to provide AD credential and gain limited access. 

Also, in the Multi-portal configuration menu, Device registration is not checked. Must this be checked, as you mentioned that it's a prerequisite?

I appreciate your help.

 

Thanks
