This is a Cisco ISE blog post series with some how-to's for configuring an ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, the last post in the Cisco ISE blog post series: Profiling and posture. Both features require the Cisco ISE Advanced license.
Profiler is a functionality for discovering, locating and determining the capabilities of the attached endpoints. It detects the type of endpoint on the network and authorizes it accordingly.
A sensor in the network captures network packets by querying the NADs and forwards the attributes to the analyzer. The analyzer checks the attributes against the profiling policies and identity groups. The result is stored in the ISE database with the corresponding device profile, and the MAC address of the device is linked to an existing endpoint identity group.
There are 9 available probes:
- Netflow
- DHCP
- DHCP SPAN
- HTTP
- RADIUS
- NMAP
- DNS
- SNMPQUERY
- SNMPTRAP
Note: the ISE Profiler does not clear or remove previously learned attributes. The current logic is to add or overwrite attributes, but never to delete attributes it has not collected again. As an example, if a client sends DHCP attributes 1 and 2 and later sends attribute 2 (with a different value) and attribute 3, ISE merges them into attribute 1 (original value) + attribute 2 (updated value) + attribute 3 (initial value).
Profiling uses CoA (change of authorization). There are 3 options:
- No CoA: CoA is disabled
- Port bounce: use this only if there is a single session on a switchport
- Reauth: enforce reauthentication of a currently authenticated endpoint when it is profiled
ISE creates three identity groups by default and two identity groups that are specific for Cisco IP phones. Creation of extra groups is optional.
An endpoint profiling policy contains a simple condition or a set of conditions (compound).
Configuring
Probe configuration
First, make sure the ISE appliance can poll the switches via SNMP (SNMPv2c or SNMPv3) with a read-only community string. Also configure an SNMP trap destination pointing to the Cisco ISE Policy Service node.
For DHCP probing, configure an additional IP helper on the SVI pointing to the Policy Service node:
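The switch-side configuration for the SNMPQUERY, SNMPTRAP and DHCP probes described above, written as an added example (this is not the original post's screenshot or configuration). The ISE node address 10.10.10.5, the DHCP server 10.10.10.20, the community string PROFILER-RO, the ACL name ISE-SNMP and the SVI Vlan10 are placeholders you replace with your own values:

```cisco
! Placeholders: 10.10.10.5 = ISE Policy Service node, 10.10.10.20 = real DHCP server,
! PROFILER-RO = read-only community, ISE-SNMP = ACL name, Vlan10 = access VLAN SVI.
!
! Only the ISE node may query SNMP on this switch.
ip access-list standard ISE-SNMP
 permit host 10.10.10.5
!
! Read-only community bound to the ACL; ISE needs read access only to poll the switch.
snmp-server community PROFILER-RO RO ISE-SNMP
!
! Link and MAC-notification traps to the ISE node, so new endpoints are learned immediately
! instead of at the next SNMP poll interval.
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.10.10.5 version 2c PROFILER-RO
!
! Generate MAC-notification traps when addresses are learned or moved.
mac address-table notification change
mac address-table notification mac-move
!
! Additional IP helper on the SVI: the DHCP discover/request is also relayed to ISE for
! the DHCP probe. Keep the real DHCP server first; ISE only parses the packet, it never answers.
interface Vlan10
 ip helper-address 10.10.10.20
 ip helper-address 10.10.10.5
```

Where the switch supports it, prefer an SNMPv3 user with authentication and privacy over the SNMPv2c community shown here.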
Cisco ISE configuration
Click Administration – System – Settings, click Profiling and configure the CoA.
Click Administration – System – Deployment – Deployment. Choose the node and click edit. Select the Profiling configuration tab. Enable and configure the probes as needed.
Next, click: Administration – Network resources – Network devices and edit your switch. Scroll down and check/edit the SNMP settings.
To create a new policy: Click Policy – Profiling, choose Profiling policies and click Create.
Enter a name, a minimum certainty factor and an exception action. Apply the needed rules with their certainty factors.
To check the discovered endpoints, click Administration – Identity management – identities – endpoints.
Monitor the authentication by clicking Monitor – Authentications.
Appendix
If you want to use IOS probing with a switch on IOS 15.0 or newer, use the following configuration:
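An added example of the IOS Device Sensor configuration this section refers to (it is not the original post's configuration). With Device Sensor the switch collects CDP, LLDP and DHCP attributes itself and forwards them to ISE in RADIUS accounting, so no SPAN session is needed for these probes. The filter-list names DS-CDP, DS-LLDP and DS-DHCP are assumptions, and the RADIUS server group is assumed to be the default group:

```cisco
! Device Sensor, IOS 15.0(2)SE and newer. List names DS-CDP, DS-LLDP, DS-DHCP are placeholders.
!
! CDP: device name and platform are enough to profile Cisco IP phones and access points.
device-sensor filter-list cdp list DS-CDP
 tlv name device-name
 tlv name platform-type
!
! LLDP: the same two attributes from non-Cisco endpoints.
device-sensor filter-list lldp list DS-LLDP
 tlv name system-name
 tlv name system-description
!
! DHCP: hostname, vendor class and client identifier are the options the ISE DHCP probe uses most.
device-sensor filter-list dhcp list DS-DHCP
 option name host-name
 option name class-identifier
 option name client-identifier
!
! Send only the listed attributes (include lists) rather than everything the switch sees.
device-sensor filter-spec cdp include list DS-CDP
device-sensor filter-spec lldp include list DS-LLDP
device-sensor filter-spec dhcp include list DS-DHCP
!
! Forward the collected attributes in RADIUS accounting and re-send on every change;
! without notify all-changes ISE only sees them at the next reauthentication.
device-sensor accounting
device-sensor notify all-changes
!
! Accounting must actually reach ISE, with Cisco vendor-specific attributes enabled.
aaa accounting dot1x default start-stop group radius
radius-server vsa send accounting
```

After applying this, the Administration – Identity management – identities – endpoints page should show CDP, LLDP and DHCP attributes for endpoints on this switch without any SNMP or helper configuration for those probes.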
Posture
Posture is used to check inside a host for an installed antivirus, firewall, registry keys and so on. A NAC agent is needed for this.
There are 3 modes:
- Audit (audit only)
- Optional (client can ignore the result)
- Mandatory
The most common conditions:
- Windows update
- Antivirus application
- Antivirus definitions
- Windows screensaver password
- Registry entry
The NAC agent uses the SWISS protocol (UDP/8905). Make sure the client can connect to the Policy Service node on UDP/8905. A client can download the NAC agent (it's read-only software). There are agents for Windows and Mac OS X, and a web agent.
The provisioning flow:
- Client provisioning
- Posture subscription and policy
- Authorization policy
Make sure the ISE appliance is up to date with the latest posture files. You can download these from the Cisco website with a CCO account. The updates are a set of predefined checks, rules and antivirus support charts, and they can be downloaded automatically. Check this by clicking Administration – System – Settings – Posture – Updates.
This was a 10-part blog post series about Cisco ISE. Hope you liked it!