Scribd
Upload
74 views

Identity Services Engine (ISE)

The document provides an overview of Cisco Identity Services Engine (ISE). ISE is a centralized authentication, authorization, and profiling solution. It authenticates and authorizes users and devices connecting to a network, and can identify device types to apply appropriate policies. ISE goes beyond traditional AAA solutions by profiling endpoints and enforcing adaptive network access policies based on device posture and security profile. The document compares ISE to Cisco's previous ACS solution, outlines ISE's components and licensing options, and describes how it integrates with directory servers and uses RADIUS to authenticate and authorize network access.

Uploaded by

Vk V
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
74 views

Identity Services Engine (ISE)

The document provides an overview of Cisco Identity Services Engine (ISE). ISE is a centralized authentication, authorization, and profiling solution. It authenticates and authorizes users and devices connecting to a network, and can identify device types to apply appropriate policies. ISE goes beyond traditional AAA solutions by profiling endpoints and enforcing adaptive network access policies based on device posture and security profile. The document compares ISE to Cisco's previous ACS solution, outlines ISE's components and licensing options, and describes how it integrates with directory servers and uses RADIUS to authenticate and authorize network access.

Uploaded by

Vk V
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 33

IDENTITY SERVICES ENGINE

(ISE)
INTRODUCTION
What is the ISE?

It is a software/Hardware capable of
authenticating and authorizing users and devices
that are connected to a network.

It is a centralized based authentication process
similar to the Cisco’s AAA/ACS

The model of deploying an ACS or ISE server in the
network is said to be a part of Cisco’s Trust Sec
Model
TrustSec Solution Overview
•TrustSec helps secure networks by enforcing
identity-based access policies.
• Provides the following:
–Who?
–What?
–Where?
–How?
TrustSec Solution Overview
The Pillars
• Authentication
– 802.1x
– MAB
– Web
• Authorization
– VLAN
– DACL
AAA

Authentication – Who can access ?

Authorization – What the user can access or do?

Accounting – What the user did when logged in

AAA is used to centralize the management of Login,


Privilege level and keeping track of what users are
doing once they login to a device
So why did Cisco come up with ISE
when ACS could do the job?
ISE

ISE came out in the mid July 2011

ISE was released to develop more advancements and
flexibility on any sort of policy definition

During the time of its release it is the only device that could
identify what are the devices that are connected to a
network

Where as no other ACS or other vendors were able to do the


same , they could only authenticate and authorize any
user/device , it was not able to identify the type of device and
apply policy based on that.
HOW ISE Identifies

Example
Need OF identifying Devices :BYOD

In this modern world of electronics, Organizations have a
policy of BYOD

BYOD is a strategy in order to boost employees productivity
of using any platform of their own trust and connect to the
very network in order to gain access to the network
resources.

Those days have gone were employees use their cooperate
laptops to get access to the network.

As an network administrator you will have lot of
challenges, since you will be giving access to more
platforms more OS vulnerabilities to compromise your
very network itself.
Merits of ISE over ACS

ISE could identify what are the devices that are
connected to a network

ISE can understand the OS connected to an
network and apply policies based on it.

ISE supports Posturing

ISE can also state limitations as to where the user
connects from
ISE server is not designed to be a box where usernames and
passwords are stored or where all the credentials are stored.
The ISE is not a database server, it is a Authentication and
Authorization Engine, it is a policy decision engine. Typically
one would store not only username and passwords or any
authentication details like certificates, mac-address or OTP
authentication.

ISE is primarily used defining and storing policies.

What are Policies?
Policies are If and Then statements
DIRECTORY SERVERS

Generally in Organizations you don’t give all the credentials on an ISE,
but will always integrate the ISE with an extended directory server


What is a Directory Server?
Directory Servers is a database of all sorts of storage information.
Credentials like first name, last name, email address, username, password,
login time, logout time etc. are stored here.

1> Microsoft Directory Server is named as Active Directory


2> Open Source is LDAP (Lightweight Directory Access Protocol)
3> Oracle Directory Server is named as Sun Directory
DIRECTORY SERVERS
•A Username in AD should be predefined for ISE
•The ISE User Role must be “super admin” or
“system admin”
•AD can not reside behind a NAT device
•Once we join the AD Domain we can use ISE
to configure and retrieve AD Groups.
–These groups can be used for authorization policy
conditions

ISE runs only on radius, but later this
year ISE will be introduced with
TACACS+.

Cisco’s ACS has reach its EOL/EOS.

ISE runs on radius only as of today.
RADIUS

RADIUS (Remote Authentication Dial-In User Service)

Runs on the following UDP port
1> 1645 and 1646 -------Legacy Ports
1645-----For Authentication & Authorization
1646-----For Accounting

Since the above ports were used by the protocol siteline, IANA made an
another set of ports

2>1812 and 1813


1812------- For Authentication & Authorization
1813-------For Accounting

Described in RFC’s 2865,2866


CHANGE OF AUTHORIZATION

RADIUS CoA provides a mechanism to change the attributes of a certain
session after it is authenticated. When there is a change in policy for a
user or user group , administrators can send the RADIUS CoA packets
from the AAA server such as Cisco Secure ACS to reinitialize
authentication and apply the new policies.
The Cisco software supports the RADIUS Change of Authorization (CoA)
extensions that are typically used in a pushed model and allow for the
dynamic reconfiguring of sessions from external AAA servers.

Port used for CoA is 1700

Described in RFC 3576
COA can do the following

 Session reauthentication

 Session termination

 Session termination with port shutdown
LISTENING PORTS

ISE and ACS listen on all the ports 1645 & 1646
1812 & 1813
1700


Router IOS version below 14---1645/46 by default

Switch CAT OS version below 12.2(55)---1645/46

Router IOS version 15 and above---1812/13 by default

Switch CAT OS version 12.2(55) and above--1812/13
RADIUS PACKET EXCHANGE
RADIUS PACKET
CODE FIELD
PACKET IDENTIFIER

Packet identifier is used to track one unique set of
authentication and authorizations

Every set of authentication and authorization will be
identified with a unique packet identifier

When ever a user tries to connect to the radius server
(network) for the first time , the packet identifier field will
have a value zero, the reply packet from the server will have
the same value in the field

After which when ever the user tries to connect again to the
network the packet identifier field values keeps
incrementing by one.
Header Explanation
LENGTH FIELD:
It indicates the length of the RADIUS packet.

AUTHENTICATOR FIELD:
Its 128 Bits in length
MD5 Hash
Password is encrypted here and stored here
ATTRIBUTE VALUE PAIR (AVP)

It indicates how authentication and authorization can be done or
performed

AVP are additional information that is applied by a radius client to a
radius server or vice versa
TWO TYPES OF AVP

1. Standard IETF Radius


AVP Number <1>Username - (Plain Text)
AVP Number <2>Password- - (Encrypted)
AVP Number <64>Dynamic VLAN assignment
AVP Number <65> Priv-level can be downloaded from the server
AVP Number <81> Downloadable ACLS (DACLs)
Complete list
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html#wpxref1037589

2. Vendor Specific Attributes


For example Privilege level
CISCO ISE PRODUCT LINE
CISCO ISE PRODUCT LINE
ISE – 3315/3355/3395 [EOL/EOS] ($ 14000 to 20,000)
3395
-------600GB Hard disk
-------16GB RAM
-------2 Quadcore Processors
Cisco Secure network server
3415/3495 (cost – $22,990)
-------1TB Hard disk
-------32GB to 64GB RAM
-------Can support up to 4 Quadcore Processors
VM [1.0MR2/1.1.1/1.1.2/1.1.3/1.1.4]
ISE Software Engines
• Several Software Engines That Interact With One Another
–External Identity Source
• Retrieves Policies or Policy Information about a user or a device

–Administration Node

•User Interface and Licensing Control

–Policy Server Node

•Makes the decisions

–Network Device

•Queries the Policy Server Node and enforces what it says

–Monitoring Node

• Logging and Reporting Data


ISE LICENSING

Base Licensing
* AAA
*Guest Provisioning (For guest based wireless networks)

Advance Licensing-Base+
* Profiling-Series of steps in order to understand devices
connected to any given network
* Posturing-Understanding or setting limitations as to what devices
can connect to a network
* Self-Registering

Evaluation-Base+Advance (90 days)
Only 100 endpoints

End Point specific –Specific license
(100,500,1000,2000,5000……….100000,250000)
CLI access
•Username “admin”
•Password defined during setup
•Feels like Cisco CLI
–show run
–show version
–show inventory
–show interface
–show application status ise
GUI access
•Default Credentials:
–admin/cisco

•Can be controlled via CLI


•Requires Flash
•Certificates are verified
• Initial Tasks might include
–CA Configuration, Licensing, Adding Network Devices,
Admin User Configuration and NTP/Name-Server
Types of deployment

1>Standalone
2>Distributed
Installation
In Practical

You might also like