ISE

=Identity Services Engine=

CCIE Security ISE Primer :: ISE Configuration - http://www.youtube.com/watch?v=GXZRAKw2qLQ
CCIE Security ISE Primer :: Policy Enforcement; Wired Authentication - http://www.youtube.com/watch?v=xzsSlJcXCuY

User Guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_user_guide.html
Install Guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ig.pdf
ISE 1.1.4 Software: http://software.cisco.com/download/release.html?mdfid=283801620&release=1.1.2&atcFlag=N&dwldImageGuid=A3E8FFE0FCAC9E30518299EB0B9C8865D5D1CA90&softwareid=283802505&dwnld=true

CLI Access

 * Username "admin"
 * Password defined during setup
 * Feels like Cisco CLI
 * show run
 * show version
 * show inventory
 * show interface
 * show application status ise

GUI Access

 * Default credentials
 * admin/cisco
 * Can be controlled via CLI
 * Requires Flash
 * Certificates are verified
 * Configured here: CA configuration, licensing, adding network devices, admin user configuration and NTP
 * The default certificate is not trusted because it is self-signed

ISE Licensing

 * Installing a License
 * Removing a License
 * Administration Tab

Network Devices

 * NADs are AAA Clients
 * An AAA client that is not listed in ISE cannot use ISE services
 * Devices are matched by IP address and must present the correct shared secret
 * If no matching device is defined, ISE falls back to the default network device

Policy Enforcement
Administration > Identity Management > External Identity Sources - add an identity source such as Active Directory or LDAP. Save the configuration and join, entering credentials to authenticate. ISE joins as a normal user; no extended privileges or special admin role are needed.

Once connected to AD, go to the 'Groups' tab and pull the entries down in the "Select Directory Groups" area. Enter the domain and "*" as the filter to return everything. Here you select the groups used for policy enforcement.

You can retrieve a user's AD attributes by entering the user name and pulling them. These attributes can then be used in policy enforcement conditions.

Classification and Policy Enforcement

Allowed Protocols - the authentication protocols ISE will use when communicating with network devices:
 * PAP
 * PEAP
 * MS-CHAPv2
 * EAP-MD5
 * EAP-TLS
 * EAP-FAST
 * PEAP-TLS

Conditions
 * Attributes are compared to their values
 * Authentication policies can define what the value should or should not be
 * Based on evaluation, the authentication attempt may be performed or not

Authentication consists of a network access service and an identity source
 * The network access service is either an allowed protocols service or a proxy service that forwards to an external RADIUS server
 * The identity source defines where ISE should look when verifying credentials provided by a user or machine

Policy Enforcement with Simple Policy
 * Statically define the allowed protocols and the identity source or identity source sequence
 * No conditions are defined
 * It is assumed all conditions have been met

You can set policy enforcement to either Simple Policy or Rule-Based Policy. If you switch from rule-based to simple, you will lose all of your rule-based policies!

Policy Enforcement with Rule-Based Policy
 * Cover a wider set of variables, giving more options for how to treat the network traffic
 * Example: if Wired 802.1X, then use Default Network Access to define the allowed protocols and authenticate against the hq.ine.com AD database
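To tie the Network Devices, Conditions and Simple/Rule-Based Policy notes together, here is an added toy model (not Cisco code) of how ISE picks an allowed-protocols service and identity source for a RADIUS request. Default Network Access, hq.ine.com, the Wired 802.1X rule and the default network device come from the notes; all IPs, secrets, the sample request and the "Host Lookup" protocol set are constructed.

```python
"""Toy model of ISE authentication policy evaluation (added example, not Cisco code).
Default Network Access, hq.ine.com, the Wired 802.1X rule and the default network
device come from the notes; every sample value and the 'Host Lookup' set are constructed."""
import hmac
# Network Devices keyed by IP; '*' models the "default network device" used when
# the requesting IP is not listed.
NETWORK_DEVICES = {
    "10.1.1.1": {"name": "sw1", "secret": "sw1-secret"},
    "*": {"name": "default-nad", "secret": "default-secret"},
}
# Allowed Protocols services ('Host Lookup' is a constructed, narrow set).
ALLOWED_PROTOCOLS = {
    "Default Network Access": {"PAP", "PEAP", "MS-CHAPv2", "EAP-MD5",
                               "EAP-TLS", "EAP-FAST", "PEAP-TLS"},
    "Host Lookup": {"PAP"},
}

# Conditions compare RADIUS attributes to expected values.
def wired_8021x(req):
    return req["NAS-Port-Type"] == "Ethernet" and req["Service-Type"] == "Framed"
def wired_mab(req):
    return req["NAS-Port-Type"] == "Ethernet" and req["Service-Type"] == "Call Check"

# Rule-based policy: (rule, condition, allowed-protocols service, identity source),
# evaluated top-down. The unconditional last rule is what a Simple Policy amounts
# to: fixed protocols and identity source, all conditions assumed met.
RULES = [
    ("Wired 802.1X", wired_8021x, "Default Network Access", "hq.ine.com"),
    ("Wired MAB", wired_mab, "Host Lookup", "Internal Endpoints"),
    ("Default", lambda req: True, "Default Network Access", "Internal Users"),
]

def lookup_nad(ip, secret):
    """Find the NAD by IP (default device if unlisted) and check its shared secret."""
    nad = NETWORK_DEVICES.get(ip, NETWORK_DEVICES["*"])
    return nad["name"] if hmac.compare_digest(nad["secret"], secret) else None

def evaluate(req):
    """Return (matched rule, identity source) or ('REJECT', reason)."""
    if lookup_nad(req["NAS-IP-Address"], req["shared_secret"]) is None:
        return ("REJECT", "shared secret mismatch")  # RADIUS silently drops these
    for name, cond, service, id_source in RULES:
        if cond(req):
            if req["protocol"] not in ALLOWED_PROTOCOLS[service]:
                return ("REJECT", f"{req['protocol']} not allowed by {service}")
            return (name, id_source)

# Constructed sample: wired 802.1X PEAP request from sw1.
SAMPLE = {"NAS-IP-Address": "10.1.1.1", "shared_secret": "sw1-secret",
          "NAS-Port-Type": "Ethernet", "Service-Type": "Framed", "protocol": "PEAP"}
```

Changing the sample's NAS-IP-Address to an unlisted address still authenticates when the default device's secret is supplied, and a MAB request carrying PEAP is rejected by the narrower allowed-protocols service.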

Commands

Show the applications running on the ISE platform:
  show application status ise

Define an FTP repository that ISE can fetch files from (the repository name is a placeholder; "plain" or "hash" selects how the password is entered):
  repository <name>
    url ftp://ftp.hq.ine.com
    user anonymous password plain cisco@ise

Show the files in the specified repository:
  show repository <name>

Stop the ISE application (start it again with "application start ise" to complete a restart):
  application stop ise

Configure a DNS server:
  ip name-server x.x.x.x

Test a user against the RADIUS server, run from the IOS switch acting as the NAD:
  test aaa group radius <username> <password> new-code

Some debugs, also on the switch:
  debug aaa authentication
  debug radius authentication