The first question I am going to answer is “What is Cisco ISE and what does Cisco ISE do?
What is Cisco ISE?
Cisco Identity Services Engine (ISE) is a server based product, either a Cisco ISE appliance or Virtual Machine that enables the creation and enforcement of access polices for endpoint devices connected to a companies network.
What does Cisco ISE do?
In simple terms you can control who can access your network and when they do what they can get access to. It can authenticate wired, wireless and vpn users and can scale to millions of endpoints. Based on many factors including the validity of a certificate, mac address or device profiling you can identify a machine and determine which vlan that machine is placed into. Any devices that do not pass authorisation will be placed into a guest vlan or denied access to the network.
All this information is logged and you can instantly get a view of what is connected to your network at any time.
The ISE solution is made up of a deployment of nodes with three different personas:
- Policy Administration Node (PAN)
- Monitoring Node (MnT)
- Policy Services Node (PAN)
Depending on the size of your deployment all three personas can be run on the same device or spread across multiple devices for redundancy and scalability. Lets go through each persona and explain their function.
Policy Administration Node (PAN)
The Policy Administration Node is where the administrator logs into to configure policies and make changes to the entire ISE system. Once configured on the PAN the changes are pushed out to the policy services nodes. It handles all system related configurations and can be configured as standalone, primary or secondary.
Monitoring Node (MnT)
The Monitoring Node is where all the logs are collected and where report generation occurs. Every event that occurs within the ISE topology is logged to the monitoring node you can then generate reports showing the current status of connected devices and unknown devices on your network.
Policy Services Node (PSN)
The Policy Services Node is the contact point into the network. Each switch is configured to query a radius server to get the policy decision to apply to the network port the radius server is the PSN. In larger deployments you use multiple PSN’s to spread the load of all the network requests. The PSN provides network access, posture, guest access, client provisioning, and profiling services. There must be at least one PSN in a distributed setup.
The pxGrid framework is used to exchange context-sensitive information from the CISCO ISE session directory. It allows the ISE system to pass data to other Cisco platforms and third party vendors. This information can then be used to invoke actions to quarantine users or block access in response to network security events.
The Cisco Secure Network Server is based on the Cisco UCS C220 Rack Server and is configured specifically to support the Cisco Identity Services Engine.
Note: The 3415 and 3495 secure network servers are now end of life (eol) and the last date for order for these appliances was October 7 2016. This post will be covering the latest hardware now available which is the 3515 and the 3595 – the 3595 appliance is shown below.
Secure Network Server 3595
There are two versions of the hardware:
- Secure Network Server 3515 (For small and medium sized deployments)
- Secure Network Server 3595 (For large deployments – includes redundant hard disks and power supplies)
Hardware details taken from cisco data sheet
|Product Name||Secure Network Server 3515||Secure Network Server 3595|
|Processor||1 – Intel Xeon 2.40 GHz E5-2620||1 – Intel Xeon 2.60 GHz E5-2640|
|Cores per Processor||6||8|
|Memory||16 GB (2 x 8 GB)||64 GB (4 x 16 GB)|
|Hard Disk||1 - 2.5-in. 600-GB 6Gb SAS 10K RPM||4 - 2.5-in. 600-GB 6Gb SAS 10K RPM|
|Hardware RAID||No||Level 10 Cisco 12G SAS Modular RAID Controller|
|Network Interfaces||6 x 1GB||6 x 1GB|
|Power Supplies||1 x 770W||2 x 770W|
Endpoints supported for different platforms
|Endpoints supported in a standalone configuration||7,500||20,000|
|Endpoints supported per Policy Services Node||7,500||40,000|
How Cisco ISE Works
ISE has two different deployment options – Standalone and Distributed
This consists of one node which runs all three personas. This is suitable for a small deployment or lab solution.
If you ran a standalone solution on your production network you have no redundancy.
- Small Network Deployments
- Medium Network Deployments
- Large Network Deployments
Small Network Deployment
The smallest distributed ISE deployment consists of two Cisco ISE nodes with one node functioning as the primary.
The primary node provides all the configuration, authentication and policy functions and the secondary node functions as a backup. The secondary supports the primary in the event of a loss of connectivity between the network devices and the primary.
Medium Network Deployment
As the size of your network grows or you want to expand your ISE topology you need to start adding more nodes and with a medium sized deployment start dedicating nodes to logging and administration. The medium sized deployment consists of a primary and secondary administration node and a primary and secondary monitoring node, alongside separate policy service nodes.
Large Network Deployment
With a large network deployment you dedicate each node to a separate persona. So a separate node (secure network server) for administration, monitoring and policy service. You should also consider using load balancers in front of the PSN nodes.
As the number of PSN nodes increases it becomes more of an administrative overhead to ensure even distribution of AAA client configuration. i.e if you have 1000 switches each of them will be configured to point to a specific primary and secondary radius server. If all switches point to one radius server (a single PSN node then this single node will take all the load and the other nodes will not be used. Putting a load balancer in front of the PSNs and creating a Radius VIP will ensure all switches can be configured with a single Radius server and the load balancer will balance the radius requests between all the PSN’s. This is also very beneficial when performing software upgrades as a single PSN node can be removed from service without any fear of a switch being configured to have it as it’s primary radius server.
Having a single load balancer does introduce a potential single point of failure so it is highly recommended to deploy two load balancers.
The large network deployment also uses a centralised dedicated logging server. One node setup specifically for logging. This would typically be an appliance with a lot of disk space. A secondary logging appliance would also be configured but in the first instance all logging information will go to a central point.
With the large network deployment you have a dedicated Primary PAN and dedicated secondary PAN. A Primary and Secondary MnT. All logging goes to the primary monitoring appliance. The number of PSN nodes is scaled out depending on the number of devices on the network. Typically allow 7,500 devices per PSN plus 2 more for redundancy.
Due the standard configuration on switches where most radius servers will be configured as primary / secondary there is a big potential for all devices to only talk to a single PSN loading it very heavily. To overcome this it is a best practice to introduce a load balancer and ideally a redundant pair which will provide a single virtual IP for the Radius Server.
The load balancers will load balance the requests to all the PSN nodes. This also is very beneficial for software updates on the PSN nodes which do happen quite frequently. For a software update you just take a single PSN node out of the cluster and perform the upgrade.
All administration is handled on the primary PAN and in the event of a failure would move over to the secondary which contains a replicated database.
Cisco ISE 2.2 is the current version at the time of writing and will be used for all information below.
Cisco ISE Licensing
I will try to simplify the license model below but all the information from Cisco can be found here in the 2.1 admin guide license section
The Cisco ISE licensing model allows you to purchase licenee based on your enterprise needs. There are two ways of consuming licenses. Traditional or Smart.
- Traditional licensing is where you import a license onto the appliance
- Smart licensing is where you manage a cisco account that holds all the information on the license purchased for your deployment.
Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.
The valid license options are:
- ISE Base only
- ISE Base and Plus
- ISE Base and Apex
- ISE Base, Plus, and Apex
- ISE Base, Plus, Apex and AnyConnect Apex
The base license is a perpetual license and is the only requirement for AAA and IEEE802.1x and also covers guest services and Trustsec. A base license is consumed for every active device on the network.
Base and Plus
A plus license is required for Bring Your Own Device (BYOD), Profiling, Adaptive Network Control (ANC) and PxGrid. A base license is required to install the plus license and the plus license is a subscription for 1,3 or 5 years.
Base and Apex
The Apex license is the same as the plus license in that it is a 1,3,5 year subscription, requires the base license but is used for Third Party Mobile Device Management & Posture Compliance.
There is a device administration license required for TACACS which is a perpetual license, a base license is required to install the device administration license and you only require one license per deployment.
An evaluation license covers 100 nodes and provide full Cisco ISE functionality for 90 days. All Cisco ISE appliances are supplied with an evaluation license.
Cisco ISE Questions
What is Trustsec?
The ultimate goal in idea of Trustec is to assign a TAG or Security Group Tag SGT to the users or devices traffic at the ingress point to the network. And then to apply restrictions or permit the traffic at other parts of the network based on this tag.
Does Cisco ISE support Tacacs?
As of version 2.0 Cisco ISE now supports TACACS+
Up until this point the defacto TACACs+ server was ACS, but with this feature now available in ISE the migration of TACACS+ services has enabled network engineers to centralise all network authentications within one framework.
Device admin is not enabled by default, to enable it go to:
Administration / Deployment / Node Name / Enable Device Admin Service
This service should be enabled on the PSNs
What is Cisco ISE Profiling?
The profiling service allows the identity services engine to profile devices connected to the network and give them an identity based on numerous factors. These devices can then be granted access or denied access to the network based on the security policies. A typical network deployment would start by putting ISE into monitor mode. In monitor mode no enforcement takes place but the ISE administrator can start to see what devices are connecting to the network and what identity it has been given.
During this phase a lot of devices are normally discovered that the network administrator did not even know were connected to the network.
That is though the whole point of NAC to have a complete picture of all devices that are connected to your network and to be in complete control of their access.
What is Mac Authentication Bypass?
MAC Authentication Bypass (MAB) is a way to give a whitelist to certain network devices. If you know the MAC address of a certain device you know should get access to your network you can grant it access purely by it’s MAC address. This is used for devices that cannot have certificates loaded on them or are hard to profile.
How to change the IP address on ISE after installation
application stop ise
interface GigabitEthernet 0
ip add <new ip address>
ISE will then restart all the services
Verify all the services are running with – show application status ise
To save the ISE config enter the command
Cisco ISE vs ACS
I get a lot of questions about the differences between ISE and ACS. In simple terms ISE is the next generation of network authentication and is so much more powerful than ACS. ACS is used to authenticate users to network devices and for VPN sessions but it is not a NAC solution. If you want to implement full network access control you need ISE.
The official Cisco ISE pages on cisco.com
I hope this information has been a benefit to starting to learn the concepts of the Cisco Identity Services Engine. For more in depth posts on configuring and deploying ISE – Check out my Cisco ISE Training pages.
Cisco ISE Ordering Guide
There is a very good PDF document entitled the Cisco ISE Ordering guide which can be downloaded here this steps you through all the appliances, licenses and numbers required for placing an order for an ISE appliance.
There is a also a lot of learning material on this .Learning resources on cisco.com