The main purpose of ISE is to 'Reduce The Attack Surface By Controlling Network Access'.
- Cisco ISE profiles endpoints and identifies users. Based on the contextual data collected, ISE creates role-based access control (RBAC) policy.
- Cisco ISE uses Cisco TrustSec technology, embedded in Cisco routers and switches, to enforce policy throughout the network.
- If an endpoint is compromised, ISE can be notified and change the access policy to contain or quarantine the threat.
ISE is deployed as an appliance or runs on a virtual machine (VM). At the time of writing Cisco ISE has reached version 2.4. In this post I will cover basic setup and integration with AD.
Basic Initialisation steps
Once the ISE VM is deployed you are presented with the following CLI prompt.
For basic setup the following information will be required: hostname, IP address, subnet mask, default gateway, domain name, NTP server, DNS server, SSH enablement, and admin access credentials.
Once completed, HTTPS access will be possible via the management IP address.
At this point base policy configuration can be applied. Generally this will be local ISE users, network device setup with a shared secret between ISE and each network device, AD authentication for centralised authentication, Identity Source Sequences for authorization, and ISE topology (standalone or distributed).
Add users
- Admin -> Identities -> add user
- Admin -> Identities -> Groups -> add group
- Admin -> Identities -> Groups -> add user to group

Add network devices
- Admin -> Network Resources -> Network Devices -> add {switch name}

Make ISE primary
- Admin -> Deployment -> {ise hostname} -> make primary

Add AD authentication
- Admin -> External Identity Sources -> Active Directory
- Now test LDAP connection

Create Identity Source Sequence
- Policy -> Authentication -> add new identity source sequence
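The ISE side of the "Add network devices" step has a switch side too: the network device must point at ISE as its RADIUS server with the same shared secret, and must accept Change of Authorization (CoA) from ISE if the quarantine behaviour mentioned at the top of the post is wanted. The following IOS configuration is an added example and is not from the post; the ISE node address 192.0.2.10 and the key value are placeholders to be replaced with your own ISE node IP and the secret entered under Admin -> Network Resources -> Network Devices.

```cisco
! Added example (not from the post): IOS switch-side AAA configuration pointing
! at a single ISE policy node. 192.0.2.10 and the key are placeholders.
aaa new-model
!
! Define the ISE node as a RADIUS server. The key must match the shared secret
! configured for this switch in ISE exactly, or every request will be rejected.
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
! Send 802.1X authentication, network authorization and accounting to ISE.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Accept CoA from the ISE node so a compromised endpoint can be re-authorized
! or quarantined without waiting for its session to expire. Only the listed
! client with the correct server-key may send CoA.
aaa server radius dynamic-author
 client 192.0.2.10 server-key REPLACE-WITH-SHARED-SECRET
!
! Send Cisco vendor-specific attributes so ISE authorization results
! (downloadable ACL, VLAN, SGT) are applied on the port.
radius-server vsa send authentication
radius-server vsa send accounting
!
! Enable 802.1X globally; per-port settings are applied separately.
dot1x system-auth-control
```

Once both sides are configured, `test aaa group ISE-GROUP <ad-user> <password> new-code` run from the switch exercises the RADIUS exchange end to end, which checks the shared secret and, once the AD join and Identity Source Sequence are in place, the AD-backed authentication as well. The corresponding attempt appears in ISE under Operations -> RADIUS Live Logs, which is where a secret mismatch or an unknown network device will show up.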