Saturday, October 6, 2018

Cisco Identity Services Engine (ISE) - part 1

The main purpose of ISE is to 'Reduce The Attack Surface By Controlling Network Access'.
 
  • Cisco ISE profiles endpoints and identifies users. Based on the contextual data collected, ISE builds role-based access control (RBAC) policy.
  • Cisco ISE uses Cisco TrustSec technology, embedded in Cisco routers and switches, to enforce policy throughout the network.
  • If an endpoint is compromised, ISE can be notified and change the access policy to contain or quarantine the threat.


ISE is deployed as an appliance or runs on a virtual machine (VM). At the time of writing Cisco ISE has reached version 2.4. In this post I will cover basic setup and integration with AD.



Basic Initialisation steps

Once the ISE VM is deployed you are presented with the following CLI prompt:

For basic setup the following information will be required:
Hostname, IP address, subnet mask, default gateway, domain name, NTP server, DNS server, SSH enablement, admin access credentials.

Once completed, HTTPS access will be possible via the management IP address.

At this point base policy configuration can be applied. Generally this will be local ISE users, network device setup with a shared secret between ISE and each network device, AD authentication for centralised authentication, Identity Source Sequences for authorization, and the ISE topology (standalone or distributed).



Add users
Administration -> Identities -> Add user
Administration -> Identities -> Groups -> Add group
Administration -> Identities -> Groups -> Add user to group

Add network devices
Administration -> Network Resources -> Network Devices -> Add {switch name}
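
The switch side of the "Add network devices" step, as an added example that is not from the original post: a Cisco IOS RADIUS client configuration pointing at ISE, using the same shared secret entered in ISE, plus a dynamic-authorization (CoA) client so ISE can change a session's access when an endpoint is quarantined. The ISE address 10.0.0.10, the interface names and the placeholder secret are assumptions, not values from the post.

```text
! Assumed: ISE Policy Service Node at 10.0.0.10, switch mgmt SVI Vlan10.
! Replace CHANGE-ME with the secret configured in ISE for this switch.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key CHANGE-ME
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
! Send 802.1X / MAB authentication, authorization and accounting to ISE
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Accept RADIUS Change of Authorization from ISE (needed for quarantine)
aaa server radius dynamic-author
 client 10.0.0.10 server-key CHANGE-ME
 auth-type any
!
! Vendor-specific attributes carry the ISE authorization result (e.g. dACL)
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
! Mark ISE dead after 3 failed tries, retry after 15 minutes
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
ip radius source-interface Vlan10
!
dot1x system-auth-control
!
! Example access port: 802.1X first, MAB fallback, one session per MAC
interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
```

The IP address, mask and shared secret entered under Network Devices in ISE must match the `address ipv4` and `key` lines above, otherwise authentications fail with a shared-secret mismatch in ISE's RADIUS live logs.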

Make ISE primary
Administration -> Deployment -> {ise hostname} -> Make Primary

Add AD authentication
Administration -> External Identity Sources -> Active Directory


Now test the LDAP connection.

Create Identity Source Sequence
Policy -> Authentication -> Add new identity source sequence



