Cisco ISE: Introduction, requirements, installation. Part 1

1. Introduction

Every company, even the smallest one, needs authentication, authorization and accounting of users (the AAA protocol family). At the initial stage, AAA is handled well enough by protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and devices grows, so does the list of tasks: full visibility of hosts and BYOD devices, multi-factor authentication, a multi-level access policy, and much more.

The NAC (Network Access Control) class of solutions is well suited to such tasks. In this series of articles on Cisco ISE (Identity Services Engine), a NAC solution that provides context-aware user access control to the internal network, we will take a detailed look at the architecture, initialization, configuration and licensing of the product.

Let me briefly remind you that Cisco ISE allows you to:

  • Quickly and easily create guest access in a dedicated WLAN;

  • Detect BYOD devices (for example, employees' home PCs brought to work);

  • Centralize and apply security policies to domain and non-domain users using SGT security group tags (TrustSec technology);

  • Check computers for the presence of specific installed software and for compliance with standards (posturing);

  • Classify and profile endpoints and network devices;

  • Provide visibility into endpoints;

  • Pass user logon/logoff events and user identities to an NGFW so that it can build a user-based policy;

  • Natively integrate with Cisco StealthWatch and quarantine suspicious hosts involved in security incidents;

  • And the other standard AAA server features.

Colleagues in the industry have already written about Cisco ISE, so I also recommend reading "Cisco ISE Implementation Practice" and "How to prepare for a Cisco ISE implementation".

2. Architecture

There are 4 entities (nodes) in the Identity Services Engine architecture: the Policy Administration Node, the Policy Service Node, the Monitoring Node, and the PxGrid Node. Cisco ISE can be deployed as a standalone or a distributed installation. In the Standalone option, all entities are located on the same virtual machine or physical server (Secure Network Server, SNS), whereas in the Distributed option the nodes are spread across different devices.

Policy Administration Node (PAN) is a mandatory node that allows you to perform all administrative operations on the Cisco ISE. It handles all AAA-related system configurations. In a distributed configuration (nodes can be installed as separate virtual machines), you can have a maximum of two PANs for fault tolerance - Active / Standby mode.

Policy Service Node (PSN) is a mandatory node that provides network access, posture, guest access, client provisioning, and profiling. The PSN evaluates the policy and enforces it. Typically, multiple PSNs are installed, especially in a distributed configuration, for redundancy and load distribution. Naturally, these nodes are placed in different network segments so that authenticated and authorized access is never interrupted, even for a second.

Monitoring Node (MnT) is a mandatory node that stores event logs, logs of other nodes and policies on the network. The MnT node provides advanced monitoring and troubleshooting tools, collects and correlates various data, and provides meaningful reports. Cisco ISE allows you to have a maximum of two MnT nodes, thereby forming fault tolerance - Active / Standby mode. However, the logs are collected by both nodes, both active and passive.

PxGrid Node (PXG) is a node that uses the PxGrid protocol and provides communication between other devices that support PxGrid.

PxGrid is a protocol that integrates IT and information security products from different vendors: monitoring systems, intrusion detection and prevention systems, security policy management platforms, and many other solutions. Cisco PxGrid allows context to be exchanged unidirectionally or bidirectionally with many platforms without the need for an API, which makes it possible to use TrustSec (SGT tags), to change and apply ANC (Adaptive Network Control) policy, and to perform profiling, that is, to determine the device model, OS, location, and more.

In a high availability configuration, PxGrid nodes replicate information between nodes via the PAN. If the PAN is down, the PxGrid node stops authenticating, authorizing, and accounting for users.

Below is a schematic representation of the operation of various Cisco ISE entities in a corporate network.

Figure 1. Cisco ISE Architecture

3. Requirements

Like most modern solutions, Cisco ISE can be deployed either virtually or physically as a dedicated server.

Physical appliances with Cisco ISE software installed are called SNS (Secure Network Server). They come in three models: SNS-3615, SNS-3655 and SNS-3695 for small, medium and large businesses. Table 1 summarizes information from the SNS datasheet.

Table 1. Comparison table of SNS for different scales

| Parameter | SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
|---|---|---|---|
| Number of endpoints supported in a Standalone installation | 10000 | 25000 | 50000 |
| Number of endpoints supported per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | No | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T |

For virtual deployments, the VMware ESXi (minimum virtual hardware version 11, ESXi 6.0), Microsoft Hyper-V, and Linux KVM (RHEL 7.0) hypervisors are supported. Resources should be about the same as in the table above, or more. The minimum requirements for a small-business virtual machine, however, are: 2 CPUs at 2.0 GHz or higher, 16 GB RAM and 200 GB HDD.
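To turn the node-role rules from section 2 and the endpoint figures from Table 1 into a pre-deployment check, here is an added example (not Cisco tooling and not part of the original article). The plan format, the `SNS-xxxx` model keys and the "survive the loss of one PSN" (N+1) capacity rule are my assumptions.

```python
"""Sanity-check a planned Cisco ISE deployment against the architecture
rules in section 2 and the endpoint capacities in Table 1 (added example)."""
from collections import Counter

# Endpoints supported per PSN in a distributed deployment (Table 1).
PSN_CAPACITY = {"SNS-3615": 10_000, "SNS-3655": 25_000, "SNS-3695": 100_000}
# Endpoints supported when all roles share one appliance (Table 1, Standalone).
STANDALONE_CAPACITY = {"SNS-3615": 10_000, "SNS-3655": 25_000, "SNS-3695": 50_000}


def check_deployment(nodes, endpoints):
    """nodes: list of {"name", "model", "roles"} dicts (assumed plan format).
    Returns a list of findings; an empty list means the plan passes."""
    findings = []
    role_count = Counter()
    for n in nodes:
        role_count.update(n["roles"])
    # PAN, PSN and MnT are mandatory; PxGrid is optional.
    for role in ("PAN", "PSN", "MnT"):
        if role_count[role] == 0:
            findings.append(f"no {role} node: {role} is mandatory")
    # At most two PANs and two MnTs (Active/Standby pairs).
    for role in ("PAN", "MnT"):
        if role_count[role] > 2:
            findings.append(f"{role_count[role]} {role} nodes: maximum is 2")
    # PxGrid replicates through the PAN and stops working without one.
    if role_count["PxGrid"] and role_count["PAN"] == 0:
        findings.append("PxGrid node without a PAN cannot operate")
    # Capacity: standalone limit, or PSN capacity with the largest PSN lost (N+1, assumed).
    if len(nodes) == 1:
        limit = STANDALONE_CAPACITY[nodes[0]["model"]]
        if endpoints > limit:
            findings.append(f"standalone {nodes[0]['model']} supports {limit} endpoints, need {endpoints}")
    else:
        psn_caps = sorted(PSN_CAPACITY[n["model"]] for n in nodes if "PSN" in n["roles"])
        usable = sum(psn_caps[:-1])  # worst case: the biggest PSN is down
        if endpoints > usable:
            findings.append(f"PSN capacity with one PSN lost is {usable}, need {endpoints}")
    return findings


# Constructed plan: PAN+MnT pair plus two medium PSNs, sized for 30k endpoints.
PLAN = [
    {"name": "ise-pan1", "model": "SNS-3655", "roles": {"PAN", "MnT"}},
    {"name": "ise-pan2", "model": "SNS-3655", "roles": {"PAN", "MnT"}},
    {"name": "ise-psn1", "model": "SNS-3655", "roles": {"PSN"}},
    {"name": "ise-psn2", "model": "SNS-3655", "roles": {"PSN"}},
]
if __name__ == "__main__":
    print(check_deployment(PLAN, 30_000))
```

For the constructed plan the check reports that two SNS-3655 PSNs only cover 25000 endpoints once one of them is lost, so a third PSN (or a larger model) is needed for 30000 endpoints.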

For the remaining Cisco ISE deployment details, contact us or refer to resource #1 and resource #2.

4. Installation

Like most other Cisco products, ISE can be tested in several ways:

  • dCloud, a cloud service with pre-installed lab topologies (requires a Cisco account);

  • GVE request, a request for specific software from the Cisco site (a method for partners). You create a case with a typical description such as: Product type [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x8664];

  • Pilot project: contact any authorized partner for a free pilot project.

1) If you requested an ISO file rather than an OVA template, then after creating the virtual machine you will see a console prompt where ISE asks you to choose an installation option. Instead of a username and password, type "setup" at this prompt.

Note: if you deployed ISE from an OVA template, the login credentials are admin/MyIseYPass2 (this and more is stated in the official guide).

Figure 2. Installing Cisco ISE

2) Then fill in the required fields, such as the IP address, DNS, NTP and others.

Figure 3. Cisco ISE initialization

3) After that, the device reboots, and you can connect via the web interface to the IP address set earlier.

Figure 4. Cisco ISE Web Interface

4) In the Administration > System > Deployment tab you can choose which nodes (entities) are enabled on a particular device. The PxGrid node is enabled here as well.

Figure 5. Cisco ISE Entity Management

5) Then, in the Administration > System > Admin Access > Authentication tab, I recommend configuring the password policy, the authentication method (certificate or password), account expiration, and the other settings.

Figure 6. Authentication type setting

Figure 7. Password policy settings

Figure 8. Configuring account disabling after the expiration period

Figure 9. Setting up account lockout

6) In the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.

Figure 10. Creating a Local Cisco ISE Administrator

7) The new administrator can be added to a new group or to one of the predefined groups. Administrator groups are managed in the same panel, in the Admin Groups tab. Table 2 summarizes the ISE administrator groups, their rights and roles.

Table 2. Cisco ISE Administrator Groups, Access Levels, Permissions, and Restrictions

| Admin group name | Permissions | Restrictions |
|---|---|---|
| Customization Admin | Configuration of the guest and sponsor portals, their administration and customization | Cannot change policies or view reports |
| Helpdesk Admin | Can view the main dashboard, all reports, alarms and troubleshooting flows | Cannot modify, create, or delete reports, alarms, or authentication logs |
| Identity Admin | Management of users, privileges and roles; can view logs, reports and alarms | Cannot change policies or perform tasks at the OS level |
| MnT Admin | Full monitoring, reporting, alarm and log management | Cannot change any policies |
| Network Device Admin | Can create and modify ISE objects, view logs, reports and the main dashboard | Cannot change policies or perform tasks at the OS level |
| Policy Admin | Full management of all policies, profiles and settings, viewing of reports | Cannot configure credentials or ISE objects |
| RBAC Admin | All settings in the Operations tab, ANC policy configuration, report management | Cannot change policies other than ANC or perform tasks at the OS level |
| Super Admin | Rights to all settings, reporting and management; can delete and change administrator credentials | Cannot edit or remove other profiles from the Super Admin group |
| System Admin | All settings in the Operations tab, management of system settings and ANC policy, viewing of reports | Cannot change policies other than ANC or perform tasks at the OS level |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only for authorization and management of local users, hosts and security groups (SG) |
| External RESTful Services (ERS) Operator | Read permissions for the Cisco ISE REST API | Only for authorization and management of local users, hosts and security groups (SG) |

Figure 11. Cisco ISE Admin Predefined Groups

8) Optionally, in the Authorization > Permissions > RBAC Policy tab you can edit the rights of the predefined administrator groups.

Figure 12. Managing Cisco ISE Administrator Predefined Profile Privileges

9) In the Administration > System > Settings tab all system settings are available (DNS, NTP, SMTP and others). You can fill them in here if you skipped them during the initial initialization of the device.

5. Conclusion

This concludes the first article. We discussed the effectiveness of the Cisco ISE NAC solution, its architecture, minimum requirements and deployment options, and initial installation.

In the next article, we will look at creating accounts, integrating with Microsoft Active Directory, and creating guest access.

If you have questions about this topic or need help testing the product, please contact us via the link.

Stay tuned for updates in our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: habr.com