TAC ISE best practices
Serhii Kucherenko, Customer Support Engineer, AAA team, Krakow
Quick start
1. Wired and Wireless dot1x best practices.
2. Redirected flows recommendations.
3. Upgrade to ISE 2.0, TAC recommendations.
4. MDM authorization policies configuration with different ISE versions.
Wired and Wireless dot1x best practices.
Wired dot1x in a high-availability world
It is all about time: understanding the EAP and RADIUS timers on the NAD and on the supplicant is critical when we talk about ISE PSN high availability.
The timers involved (supplicant ↔ NAD switchport: EAP; NAD ↔ PSN: RADIUS):
• eap tx-period – how long the NAD waits for a response from the client
• eap retries – how many times the NAD retries before moving to the next method
• radius timeout – how long the NAD waits for a response from the AAA server
• radius retransmit – how many times the NAD retries before moving to the next AAA server
The supplicant is often a black box for us from the timers perspective.
Let's look at potential problems
The best way to understand any best practice is to think about what may go wrong here.
Sequence diagram (supplicant, NAD switchport, RADIUS servers PSN1 and PSN2):
1. The NAD sends an EAP Identity request; the supplicant starts a new session and returns an EAP Identity response.
2. The NAD sends an Access-Request to PSN1 and starts the RADIUS timeout; no reply, so it retransmits until the retries limit is reached.
3. The NAD sends an Access-Request to PSN2 and starts the RADIUS timeout again; PSN2 eventually answers with an Access-Challenge.
4. By then the supplicant's session timeout has expired, so the Access-Challenge arrives too late and the cycle starts over: EAP Identity request, new session, EAP Identity response, Access-Request, ...
How to avoid this?
• Correct client-side EAP timers – the preferred method; it lets us avoid overly aggressive RADIUS timers.
• Decreasing RADIUS timers – the Windows 7 supplicant is able to continue the session on the next available PSN with RADIUS timers of 4*3 (timeout 4, retransmit 3). For deployments with 10k+ endpoints a 5 s* RADIUS timeout is preferred.
* – default value.
AnyConnect NAM: 30 seconds EAP session timeout, two times more than the default switch RADIUS timeout (3*5).
Radius Server dead detection
Allows the switch to skip querying an AAA server for a specified amount of time if the RADIUS dead criteria are met.
Diagram (NAD switchport, PSN1, PSN2): consecutive Access-Requests to PSN1 time out; once the number of failed requests (qty = X) detected during period Y meets the dead criteria, the dead interval is enabled for PSN1 and the NAD sends its Access-Requests to PSN2.
Radius Server dead detection considerations
• Should always be enabled.
• Two commands only:
Without specifying deadtime the server won't be marked as dead at all (default deadtime = 0).
Using RADIUS server dead detection is extremely important when the supplicant timers cannot be changed; it also helps to minimize the time to connect when the primary AAA server is unavailable.
Radius Server automated tester
Diagram (NAD switchport, PSN1, PSN2): the NAD sends a test Access-Request to each RADIUS server and expects an Access-Accept or Access-Reject; a probe that gets no answer counts towards the dead criteria of that server.
Can be used together with RADIUS server dead detection to correctly identify an outage even during periods of authentication inactivity.
Radius Server automated tester: avoiding noise
To avoid authentication "noise" in Live Authentications/reports, a Collection Filter in the ISE logging configuration can be used.
A filter may be created to suppress logging for a specific username (the automated tester user).
Radius Server automated tester and dead time
Let's assume the following timers/retry counts are configured:
radius timeout – 4 (5-7)
radius retransmit – 3 (3-5)
dead-criteria time – 60 (120)
dead-criteria tries – 3 (5-15)
automated tester idle-time – 5
These timers should be good enough to detect a server outage during both working and non-working hours. Also, 4/3 for RADIUS timeout/retries allows the Windows supplicant to switch over during the first authentication attempt.
Values in parentheses are recommended for big deployments.
Diagram (NAD switchport → PSN1): the automated tester wakes up after the 5 min idle time and sends three Access-Requests 4 s apart; all of them fail, so the dead criteria are met (failed requests qty = 3, detected during 60 s).
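The failover and dead-detection arithmetic from the slides above, as an added example that is not code from the deck: it parses a constructed IOS-style RADIUS snippet (the `radius-server dead-criteria`, `deadtime` and `automate-tester` commands are standard IOS, the values and server names are made up), computes how long the NAD stays on a dead PSN before moving on, compares that with a supplicant's EAP session timeout, and replays the automated-tester scenario to find the moment the dead criteria fire. Failover time follows the deck's own counting (timeout × retransmit); the dead criteria follow IOS semantics (both `tries` consecutive timeouts and `time` seconds since the last valid reply).

```python
"""RADIUS failover and dead-detection arithmetic from the slides above.

Added example, not code from the deck. The IOS-style config text is constructed.
Failover time follows the deck's counting (radius timeout x retransmit, the "3*5"
on the AnyConnect slide). Dead criteria follow IOS semantics: a server is marked
dead once `tries` consecutive requests timed out AND `time` seconds passed since
its last valid reply.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed snippet in the shape of `show running-config | section radius`.
SAMPLE_CONFIG = """
radius-server timeout 4
radius-server retransmit 3
radius-server dead-criteria time 60 tries 3
radius-server deadtime 15
radius server PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 automate-tester username radius-probe idle-time 5
radius server PSN2
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
"""

@dataclass
class RadiusTimers:
    timeout: int = 5          # seconds per attempt (IOS default)
    retransmit: int = 3       # attempts before moving to the next server
    dead_time: int = 0        # dead-criteria time, seconds
    dead_tries: int = 0       # dead-criteria tries
    deadtime_min: int = 0     # radius-server deadtime, minutes (0 = never dead)
    tester_idle_min: Optional[int] = None  # automate-tester idle-time, minutes

def parse_radius_config(text: str) -> RadiusTimers:
    """Pull the timers the deck discusses out of IOS-style config lines."""
    t = RadiusTimers()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"radius-server timeout (\d+)", line):
            t.timeout = int(m.group(1))
        elif m := re.fullmatch(r"radius-server retransmit (\d+)", line):
            t.retransmit = int(m.group(1))
        elif m := re.fullmatch(r"radius-server dead-criteria time (\d+) tries (\d+)", line):
            t.dead_time, t.dead_tries = int(m.group(1)), int(m.group(2))
        elif m := re.fullmatch(r"radius-server deadtime (\d+)", line):
            t.deadtime_min = int(m.group(1))
        elif m := re.match(r"automate-tester username \S+ idle-time (\d+)", line):
            t.tester_idle_min = int(m.group(1))
    return t

def failover_seconds(t: RadiusTimers) -> int:
    """Seconds the NAD spends on an unresponsive PSN before trying the next one."""
    return t.timeout * t.retransmit

def supplicant_survives(t: RadiusTimers, eap_session_timeout: int) -> bool:
    """Is the supplicant still waiting when the NAD finally reaches the next PSN?"""
    return eap_session_timeout > failover_seconds(t)

def marked_dead_at(t: RadiusTimers, failures: List[int], last_good: int) -> Optional[int]:
    """Time (s) at which the server is declared dead, given the timestamps of
    consecutive request timeouts and of the last valid reply; None if never."""
    if t.deadtime_min == 0 or t.dead_tries == 0:
        return None  # dead detection not configured: the server is never skipped
    for streak, ts in enumerate(failures, start=1):
        if streak >= t.dead_tries and ts - last_good >= t.dead_time:
            return ts
    return None

def dead_until(t: RadiusTimers, dead_at: int) -> int:
    """End of the dead interval, after which the server is queried again."""
    return dead_at + t.deadtime_min * 60

def audit(t: RadiusTimers) -> List[str]:
    """The deck's dead-detection checklist applied to the parsed timers."""
    issues = []
    if t.deadtime_min == 0:
        issues.append("deadtime is 0: server will never be marked dead")
    if t.dead_tries == 0 or t.dead_time == 0:
        issues.append("dead-criteria not configured")
    if t.tester_idle_min is None:
        issues.append("no automate-tester: outage goes unnoticed while nobody authenticates")
    return issues

def probe_scenario(t: RadiusTimers) -> Optional[int]:
    """Slide scenario: last good probe reply at t=0, PSN1 dies, the tester wakes
    after idle-time and its request times out `retransmit` times, `timeout` s apart."""
    wake = (t.tester_idle_min or 0) * 60
    failures = [wake + t.timeout * (i + 1) for i in range(t.retransmit)]
    return marked_dead_at(t, failures, last_good=0)

if __name__ == "__main__":
    timers = parse_radius_config(SAMPLE_CONFIG)
    print("failover after", failover_seconds(timers), "s; NAM 30 s survives:",
          supplicant_survives(timers, 30))
    dead = probe_scenario(timers)
    print("PSN1 dead at", dead, "s, retried at", dead_until(timers, dead), "s")
    print("audit:", audit(timers) or "ok")
```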
Other wired dot1x best practices
• held-period – how long the switch should not accept EAP frames from the supplicant after a failed attempt. Helps to avoid authentication flooding from misconfigured supplicants. Recommended value = 300 seconds
• quiet-period – how long the switch should not start querying the supplicant for authentication after a failed attempt. Recommended value = 300 seconds
Other wired dot1x best practices (continued)
• Inactivity Timer – how many seconds of client inactivity the switch allows before a re-authentication attempt. Recommended value = disabled; the only exception is a supplicant connected behind a non-Cisco IP phone.
• Re-authentication – after what amount of time the client needs to be re-authenticated (defined locally on the switch or pushed from the AAA server). Recommended value = 10 hours, except when a shorter value is required by security policy
Wireless world: AAA server aggressive failover
By default the WLC will go to the next server after 5 retransmissions for a single client.
One misbehaving client may cause the entire WLAN to switch over to the next RADIUS server.
With aggressive failover disabled, 3 consecutive requests for 3 clients need to fail before switching to the next AAA server.
Diagram (WLC, PSN): EAP Identity response → Access-Request; the PSN sends an Access-Challenge and awaits the next data. The client starts a new session and sends another EAP Identity response; the resulting Access-Request is ignored by the PSN because the previous one is still in progress, and each such retry counts towards failover.
Wireless world: AAA server high availability
Three possible modes:
• Off (default) – the first server in the SSID settings is used until it is marked as unresponsive. After the first server is marked "unresponsive" the WLC uses the next server and won't return to the previous one.
• Passive – after the first server is marked as unresponsive it is moved to the dead server list for a predefined amount of time (default 300 s); after the dead timer expires this server is retried by the WLC.
• Active – a kind of automated tester. The WLC marks the server as dead and, after the dead timer expires, tries to query this server with a probe username.
Wireless world: AAA server high availability (continued)
Passive or Active mode is recommended. In scenarios where the MAR cache is in use, it protects from a huge number of failed authentications at switch-over time.
Machine authentication is normally triggered at reboot or at a user logoff/login event. In case of a short PSN outage in the middle of the day, all subsequent user authentications will fail against the new PSN.
Radius servers configuration recommendations
• Server timeout – recommended value between 5-10 seconds. Avoid the default 2 s, it is too aggressive
• RFC 3576 – enables CoA support for this server. For ISE keep it always enabled
WLAN configuration recommendations
Use the same server for Authentication and Accounting. This ensures that a single PSN is the exclusive holder of the session/endpoint data, so Accounting Start/Stop/Update won't trigger an endpoint ownership change.
WLAN configuration recommendations (continued)
• AAA Override – allows applying the authorization attributes returned by the server
• Session Timeout – 10 hours is the recommended value
• Client Exclusion – ignore client authentication attempts after a failed one. Recommended value is 180 seconds
• NAC State – enables CoA support for the WLAN
ISE side best practices – Suppression
Suppression for anomalous clients and for logging should always be enabled.
• Anomalous client suppression – send an Access-Reject to the client immediately (during the reject interval) if two or more unsuccessful attempts with the same scenario are detected from the same client during the detection interval
• Log suppression – log only the first successful authentication for a client; for all subsequent authentications only the authentication count is updated.
Suppression may be disabled per endpoint for troubleshooting purposes.
Suppression should never be disabled globally because of the performance degradation; the only reason to disable suppression globally for a short time is a critical intermittent issue.
Disabling Suppression
ISE side best practices – Policy sets
Using policy sets makes the policy selection process much more efficient: there is no need to do a policy lookup over the entire policy list, since the lookup is always localized inside the selected policy set.
How to organize your policies:
• Based on authentication type (dot1x/MAB)
• Based on NAD type (Wireless/Wired/3rd party)
• Based on the Device dictionary (Device Type/Location/Software)
Redirected flows recommendations.
What is a redirected flow?
Any kind of service provided by ISE to an end client where redirection of the client or a client application to one of the ISE portals is required.
List of redirected flows:
• Guest authentication
• BYOD onboarding
• Posture
• MDM
Redirect general logic
If an authorization profile with a redirect action is selected, ISE returns as the result of authentication an Access-Accept message with two specific AV pairs:
• url-redirect-acl – the name of an ACL that must exist locally on the NAD; this ACL instructs the NAD which traffic should be redirected to ISE (only http/https can be redirected) and which traffic should cross the NAD without redirection
• url-redirect – normally the PSN FQDN (the client needs to be able to resolve it) + portal id + session id
When the client initiates an http session, the NAD intercepts it and returns the url-redirect as the new page location.
Redirect best practices: Wired
• http server – enabled; the default port 80 should be used except when a proxy is involved
• IPDT – enabled; IP device tracking is a critical component for applying ACLs (required for multi-domain and multi-auth)
• SVI in the client subnet – otherwise the traffic flow between client and switch needs to be planned very carefully
• DACL and redirect ACL – the recommendation is to apply only the Redirect ACL. The DACL & Redirect ACL combination behaves differently on different platforms. The Redirect ACL provides a sufficient level of security, as traffic will be either redirected, permitted or dropped
Redirect best practices: Wireless
• AAA override enabled – this allows the WLC to apply the Redirect ACL and Redirect URL to the client
• NAC = Radius NAC – without this option CoA won't be supported for the WLAN, which prevents applying the redirect attributes
• Redirect ACL/Airespace ACL – the same recommendation as for switches: the protection provided by the redirect ACL is enough
Short term guest access best practices
Typical requirement – redirect the user to the guest portal to provide credentials each time the device disconnects
• Session timeout – the authorization profile applied to the guest user after CoA contains a session timeout. This causes the user to disconnect from the WLC, and a new MAB request is sent to ISE
• Session attributes – attributes like User Identity Group/Guest Flow belong to the session. After the endpoint disconnects the session attributes are cleared. Losing these attributes forces ISE to select the policy with redirect.
Long term guest access best practices
Typical requirement – the user should be redirected to the guest portal at the time of first connection. After this, redirect should not happen for X days
• Guest device registration – configured under the guest portal. The guest device will be assigned to a specific endpoint identity group (the group name needs to be configured under the corresponding Guest Type)
• Endpoint-based policy – the endpoint identity group can be used as the condition for the guest access policy after portal authentication. Session attributes should not be used there
This approach is the most effective from the resource usage perspective
Admin certificate and redirect (BYOD use case)
For BYOD and Posture flows, the software provided to the end client by ISE establishes a connection to the PSN over TCP port 8905
• BYOD – this port is used for certificate provisioning
• Posture – this port is used for the posture requirements push / posture report retrieval
For connections over port 8905 ISE always uses the Admin certificate
Diagram (client → PSN psn1.xyz.com): the connection to the MyDevices portal presents the Portal certificate (issuer VeriSign); the client checks "Do I trust VeriSign?" and "Do the CN/SAN match the FQDN?". The connection on port 8905 presents the Admin certificate (issuer ca.xyz.com). This normally does not cause any issues, except …
Admin certificate, redirect and two interfaces (BYOD use case)
Diagram (PSN with two interfaces: G0 = psn1.xyz.com, G1 = guest1.xyz.com). Portal certificate: CN = guest1.xyz.com, issuer VeriSign. Admin certificate: CN = psn1.xyz.com, issuer ca.xyz.com. Access-Request → Access-Accept with url=guest1.xyz.com. The connection to the MyDevices portal passes both checks ("Do I trust VeriSign?", "Do the CN/SAN match the FQDN?"), but on the port 8905 connection the CN from the certificate doesn't match the FQDN.
Recommendation – add the FQDN of the second interface as a SAN to the Admin certificate
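The check the client performs on the 8905 connection, as an added example (not code from the deck): does the Admin certificate's CN/SAN cover the FQDN the client connected to? The names are the deck's (psn1.xyz.com, guest1.xyz.com); the matching rules are the usual RFC 6125 ones, a wildcard stands for exactly one leftmost label and, when a SAN list is present, modern clients ignore the CN.

```python
"""Hostname coverage check for the two-interface BYOD case above.

Added example, not from the deck. Certificate names are the deck's; the matching
rules are RFC 6125: whole-label wildcard only, CN ignored when a SAN is present.
"""
from typing import List


def name_matches(presented: str, fqdn: str) -> bool:
    """Case-insensitive DNS-ID match; '*' may stand for one whole leftmost label."""
    presented, fqdn = presented.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not presented.startswith("*."):
        return presented == fqdn
    p_labels, f_labels = presented.split(".")[1:], fqdn.split(".")
    # a wildcard must leave at least two fixed labels (no "*.com") and match one label
    return len(p_labels) >= 2 and len(f_labels) == len(p_labels) + 1 and f_labels[1:] == p_labels


def uncovered_fqdns(cn: str, sans: List[str], fqdns: List[str]) -> List[str]:
    """FQDNs a client would reject: checked against the SAN list if present, else CN."""
    names = sans if sans else [cn]
    return [f for f in fqdns if not any(name_matches(n, f) for n in names)]


# Interfaces of the PSN in the deck's diagram
INTERFACE_FQDNS = ["psn1.xyz.com", "guest1.xyz.com"]

# Before: Admin cert CN=psn1.xyz.com, no SAN -> the 8905 connection to guest1 fails
BEFORE = uncovered_fqdns("psn1.xyz.com", [], INTERFACE_FQDNS)
# After the recommendation: second interface FQDN added as SAN
AFTER = uncovered_fqdns("psn1.xyz.com", ["psn1.xyz.com", "guest1.xyz.com"], INTERFACE_FQDNS)
# Pitfall: a SAN list that omits the CN value means the CN no longer counts
CN_LEFT_OUT = uncovered_fqdns("psn1.xyz.com", ["guest1.xyz.com"], INTERFACE_FQDNS)
```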
Redirection to static FQDN
Misunderstanding this option is a common reason for guest/BYOD/posture redirect issues in distributed deployments.
Diagram, what customers expect: two PSNs (G0 interfaces 10.1.1.10 and 10.1.1.20) and a DNS A record byod.xyz.com resolving to both addresses. Access-Request → Access-Accept with url=byod.xyz.com; the client resolves byod.xyz.com, gets 10.1.1.20 and connects to the MyDevices portal there.
When should this option be used? Only when the PSNs are located behind a load balancer and RADIUS and SSL session binding is configured on the LB.
Upgrade to ISE 2.0, TAC recommendations.
Upgrade drivers
1. Bug fixes – a fix for the bug affecting you exists in 2.0
2. New features needed:
• TACACS+ Device Administration
• Third-Party Device Support
• TrustSec Dashboard, Matrix Enhancements, Work Center, Support for SXP
• Location Based Authorization
• Support for EAP-TTLS Protocol
• KVM Hypervisor Support
• Cisco ISE Telemetry
Upgrade preparation tasks
1. Backup collection – both configuration and operational backups need to be collected
2. Certificate backup – export the certificates with private keys from your ISE nodes to a secure location. During the export process the certificate roles need to be documented
3. Upgrade path discovery – can I upgrade directly? If not, what should be done?
New ISE version testing
1. Create two VMs – install a clean ISE 2.0 on these VMs, restore your current backup and build a distributed deployment (each ISE installation comes with a 90-day trial license)
2. Prepare the testing scope – one test SSID, one test switch; ensure that all flows you are using work as expected
3. Read the upgrade guide carefully to avoid problems
Start the actual upgrade
MDM authorization policies configuration with different ISE versions.
ISE 1.3 MDM
• Single MDM server support – the administrator could define multiple MDM servers in the configuration, but only one server can be active
• Redirection to the MDM portal is not a "must" – actual redirection may be used only for "new" endpoints which have not been registered on the MDM server. Because of this, many customers don't have redirect policies at all.
Diagram: an endpoint already registered to the MDM server connects to the network; the PSN queries the MDM server and gets Registered/Compliant.
MDM ISE 1.4 and higher enhancements
• Multi MDM support – the administrator can select which MDM server should be used in the authorization profile
• Endpoint attribute MDM Server – as a result of multi MDM support, ISE needs to know which MDM server to query for each endpoint. To store this information a new attribute was added to the endpoint attribute list
MDM redirect is a "must" starting from ISE 1.4
How to specify which MDM server the redirect should go to – AD group/SSID or any other significant attribute may be used for MDM server selection
Diagram: an endpoint registered to the MDM server connects to the network; it is unknown to ISE, so the policy selection is "Redirect to Meraki MDM"; ISE writes Meraki as the MDM server to the endpoint, queries the MDM server and gets Registered/Compliant.
ISE MDM best practices
• At least two MDM authorization policies –
1. Lower policy for MDM redirect. Prior to ISE 1.4 you can avoid this policy if all endpoints are onboarded externally, but to avoid problems after upgrade it is highly recommended to have this policy in all ISE versions.
2. Upper policy for Compliant/Registered devices
• Compound condition for endpoint deletion detection – when an endpoint is deleted from the MDM server, ISE gets an empty message as the API response. If the endpoint was previously marked as compliant, ISE will reuse this information. Registration status is never reused.
Useful links
• Demystifying RADIUS Server Configurations
• TECSEC-3672 - Identity Services Engine 1.3 Best Practices
• ISE Traffic Redirection on the Catalyst 3750 Series Switch
• BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment
• Configure the RADIUS Server Fallback Feature on Wireless LAN Controllers
• Wired 802.1X Deployment Guide
• Cisco Identity Services Engine Upgrade Guide, Release 2.0
• Cisco CLI Analyzer
Customer Support Engineer AAA team Krakow TAC best practices
Customer Support Engineer AAA team Krakow TAC best practices

More Related Content

What's hot

Cisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Canada
 
CCNP Switching Chapter 4
CCNP Switching Chapter 4CCNP Switching Chapter 4
CCNP Switching Chapter 4Chaing Ravuth
 
Issues of OpenStack multi-region mode
Issues of OpenStack multi-region modeIssues of OpenStack multi-region mode
Issues of OpenStack multi-region modeJoe Huang
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USAJose Liste
 
DEM14 Extending the Cisco SD-WAN Fabric to the AWS Cloud
DEM14 Extending the Cisco SD-WAN Fabric to the AWS CloudDEM14 Extending the Cisco SD-WAN Fabric to the AWS Cloud
DEM14 Extending the Cisco SD-WAN Fabric to the AWS CloudAmazon Web Services
 
Introduction to nexux from zero to Hero
Introduction to nexux  from zero to HeroIntroduction to nexux  from zero to Hero
Introduction to nexux from zero to HeroDhruv Sharma
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authenticationAlberto Rivai
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka SecurityDataWorks Summit
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
OpenStack Neutron Tutorial
OpenStack Neutron TutorialOpenStack Neutron Tutorial
OpenStack Neutron Tutorialmestery
 
Introduction To OpenStack
Introduction To OpenStackIntroduction To OpenStack
Introduction To OpenStackHaim Ateya
 
Five common customer use cases for Virtual SAN - VMworld US / 2015
Five common customer use cases for Virtual SAN - VMworld US / 2015Five common customer use cases for Virtual SAN - VMworld US / 2015
Five common customer use cases for Virtual SAN - VMworld US / 2015Duncan Epping
 
Introduction to Software Defined WANs
Introduction to Software Defined WANsIntroduction to Software Defined WANs
Introduction to Software Defined WANsAPNIC
 
Vxlan control plane and routing
Vxlan control plane and routingVxlan control plane and routing
Vxlan control plane and routingWilfredzeng
 
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveMichal Rostecki
 
OpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release NotesOpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release NotesGerryJamisola1
 

What's hot (20)

Cisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network Intuitive
 
CCNP Switching Chapter 4
CCNP Switching Chapter 4CCNP Switching Chapter 4
CCNP Switching Chapter 4
 
Issues of OpenStack multi-region mode
Issues of OpenStack multi-region modeIssues of OpenStack multi-region mode
Issues of OpenStack multi-region mode
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
 
DEM14 Extending the Cisco SD-WAN Fabric to the AWS Cloud
DEM14 Extending the Cisco SD-WAN Fabric to the AWS CloudDEM14 Extending the Cisco SD-WAN Fabric to the AWS Cloud
DEM14 Extending the Cisco SD-WAN Fabric to the AWS Cloud
 
ACI Hands-on Lab
ACI Hands-on LabACI Hands-on Lab
ACI Hands-on Lab
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
 
Introduction to nexux from zero to Hero
Introduction to nexux  from zero to HeroIntroduction to nexux  from zero to Hero
Introduction to nexux from zero to Hero
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authentication
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka Security
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
OpenStack Neutron Tutorial
OpenStack Neutron TutorialOpenStack Neutron Tutorial
OpenStack Neutron Tutorial
 
Introduction To OpenStack
Introduction To OpenStackIntroduction To OpenStack
Introduction To OpenStack
 
Five common customer use cases for Virtual SAN - VMworld US / 2015
Five common customer use cases for Virtual SAN - VMworld US / 2015Five common customer use cases for Virtual SAN - VMworld US / 2015
Five common customer use cases for Virtual SAN - VMworld US / 2015
 
EMEA Airheads- Switch stacking_ ArubaOS Switch
EMEA Airheads- Switch stacking_ ArubaOS SwitchEMEA Airheads- Switch stacking_ ArubaOS Switch
EMEA Airheads- Switch stacking_ ArubaOS Switch
 
Introduction to Software Defined WANs
Introduction to Software Defined WANsIntroduction to Software Defined WANs
Introduction to Software Defined WANs
 
Vxlan control plane and routing
Vxlan control plane and routingVxlan control plane and routing
Vxlan control plane and routing
 
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep Dive
 
Vpc notes
Vpc notesVpc notes
Vpc notes
 
OpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release NotesOpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release Notes
 

Viewers also liked

Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and UpdateCisco Canada
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISECisco Canada
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)Robb Boyd
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE Mahzad Zahedi
 
Ise 1 2-bdm-v4
Ise 1 2-bdm-v4Ise 1 2-bdm-v4
Ise 1 2-bdm-v4Danny Liu
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAAdkaya
 
How to See the Light in Others
How to See the Light in OthersHow to See the Light in Others
How to See the Light in OthersBruce Kasanoff
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0 Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0 solarisyougood
 
Wireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best PracticesWireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best PracticesCisco Mobility
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkVolker Hirsch
 

Viewers also liked (12)

Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and Update
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE
 
Ise 1 2-bdm-v4
Ise 1 2-bdm-v4Ise 1 2-bdm-v4
Ise 1 2-bdm-v4
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshell
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAA
 
How to See the Light in Others
How to See the Light in OthersHow to See the Light in Others
How to See the Light in Others
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0 Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0
 
Wireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best PracticesWireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best Practices
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of Work
 

Similar to Customer Support Engineer AAA team Krakow TAC best practices

Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Cisco Russia
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotikAdi Utami
 
Routing host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamRouting host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamKarri Huhtanen
 
Let's keep it simple and streaming
Let's keep it simple and streamingLet's keep it simple and streaming
Let's keep it simple and streamingTimothy Spann
 
Let's keep it simple and streaming.pdf
Let's keep it simple and streaming.pdfLet's keep it simple and streaming.pdf
Let's keep it simple and streaming.pdfVMware Tanzu
 
LTM essentials
LTM essentialsLTM essentials
LTM essentialsbharadwajv
 
EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...
EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...
EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...Aruba, a Hewlett Packard Enterprise company
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)rinnocente
 
Cert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdfCert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdfAllen Kuo
 
Radius client
Radius clientRadius client
Radius clientdhenis1
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)Karri Huhtanen
 
PowerPoint Presentation
PowerPoint PresentationPowerPoint Presentation
PowerPoint Presentationwebhostingguy
 

Similar to Customer Support Engineer AAA team Krakow TAC best practices (20)

Adapting to evolving user, security, and business needs with aruba clear pass
Adapting to evolving user, security, and business needs with aruba clear passAdapting to evolving user, security, and business needs with aruba clear pass
Adapting to evolving user, security, and business needs with aruba clear pass
 
Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotik
 
Wireless LAN Design Fundamentals in the Campus
Wireless LAN Design Fundamentals in the CampusWireless LAN Design Fundamentals in the Campus
Wireless LAN Design Fundamentals in the Campus
 
Breakout - Airheads Macau 2013 - Top 10 Tips from Aruba TAC
Breakout - Airheads Macau 2013 - Top 10 Tips from Aruba TAC Breakout - Airheads Macau 2013 - Top 10 Tips from Aruba TAC
Breakout - Airheads Macau 2013 - Top 10 Tips from Aruba TAC
 
cudbardbell-freetheradius
cudbardbell-freetheradiuscudbardbell-freetheradius
cudbardbell-freetheradius
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
 
Routing host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamRouting host certificates in eduroam/govroam
Routing host certificates in eduroam/govroam
 
Let's keep it simple and streaming
Let's keep it simple and streamingLet's keep it simple and streaming
Let's keep it simple and streaming
 
Let's keep it simple and streaming.pdf
Let's keep it simple and streaming.pdfLet's keep it simple and streaming.pdf
Let's keep it simple and streaming.pdf
 
LTM essentials
LTM essentialsLTM essentials
LTM essentials
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA Implementation
 
EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...
EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...
EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...
 
117641 config-asa-00
117641 config-asa-00117641 config-asa-00
117641 config-asa-00
 
117641 config-asa-00
117641 config-asa-00117641 config-asa-00
117641 config-asa-00
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)
 
Cert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdfCert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdf
 
Radius client
Radius clientRadius client
Radius client
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)
 
PowerPoint Presentation
PowerPoint PresentationPowerPoint Presentation
PowerPoint Presentation
 

Customer Support Engineer AAA team Krakow TAC best practices

  • 7. RADIUS server dead detection. Lets the switch skip querying a RADIUS server for a specified amount of time (the deadtime) once the dead criteria are met. (Diagram: the switchport sends Access-Requests to PSN1 and gets no reply; after X failed requests detected within Y seconds the server is marked dead and the dead interval starts, so requests go straight to PSN2.)
  • 8. RADIUS server dead detection considerations
    - Should always be enabled.
    - Two commands only: the dead criteria (time and tries) and the deadtime. Without a deadtime the server is never marked dead at all; the default deadtime is 0.
    - Dead detection is extremely important when the supplicant timers cannot be changed, and it also minimises the time to connect while the primary AAA server is unavailable.
  • 9. RADIUS server automated tester. The switch periodically sends a test Access-Request to each server; an answer (Access-Accept or Access-Reject, either one proves the server is alive) or the lack of one is counted against the dead criteria. Used together with dead detection it identifies an outage even during periods of authentication inactivity. (Diagram: test Access-Requests from the switchport to PSN1 and PSN2, answered with Access-Accept/Access-Reject, each counted toward the dead criteria.)
  • 10. RADIUS server automated tester: avoiding noise. To keep the tester's authentications out of Live Authentications and reports, use a Collection Filter in the ISE logging configuration. Create a filter that suppresses logging for the specific username used by the automated tester.
  • 11. RADIUS server automated tester and dead time. Assume the following timers and retry counts are configured (values in parentheses are recommended for big deployments):
    - radius timeout – 4 s (5-7 s)
    - radius retransmit – 3 (3-5)
    - dead-criteria time – 60 s (120 s)
    - dead-criteria tries – 3 (5-15)
    - automated tester idle-time – 5 min
    These values are good enough to detect a server outage during both working and non-working hours. A 4 s timeout with 3 retransmits also lets the Windows supplicant switch over to the next PSN during the first authentication attempt, because 4 × 3 = 12 s stays well inside its 30 s EAP session timeout. (Diagram: the automated tester wakes up every 5 min and sends an Access-Request, retransmitted at 4 s intervals; 3 failed requests detected within 60 s mark the server dead.)
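The switch-side configuration described on slides 7 to 11, as an added example that is not part of the original presentation. It uses Catalyst IOS 15.x name-based RADIUS server syntax; the server names PSN1/PSN2, the addresses 10.1.1.10/10.1.1.20, the shared secret and the probe username ise-probe are placeholders to replace with your own values.

```cisco
! Added example, not from the original slides. Names, addresses, the
! shared secret and the probe username are placeholders.
!
! Dead detection (slides 7-8): a server is marked dead after 3 unanswered
! requests seen within 60 s, and is then skipped for 15 minutes.
! Both commands are needed: with the default deadtime of 0 the server is
! never marked dead at all.
radius-server dead-criteria time 60 tries 3
radius-server deadtime 15
!
! Per-server timers (slide 11): timeout 4 s, 3 retransmits. The whole
! wait for one server (4 x 3 = 12 s) stays inside the Windows supplicant's
! 30 s EAP session timeout, so the client survives the move to PSN2 on
! its first authentication attempt.
! The automated tester (slide 9) sends a test Access-Request with the
! probe username after 5 minutes of idle time; an Access-Reject counts
! as "alive" just like an Access-Accept. Add a Collection Filter for
! ise-probe on ISE (slide 10) to keep these out of Live Authentications.
radius server PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key ISE-SHARED-SECRET
 timeout 4
 retransmit 3
 automate-tester username ise-probe idle-time 5
!
radius server PSN2
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
 key ISE-SHARED-SECRET
 timeout 4
 retransmit 3
 automate-tester username ise-probe idle-time 5
!
aaa group server radius ISE-PSN
 server name PSN1
 server name PSN2
!
aaa authentication dot1x default group ISE-PSN
aaa authorization network default group ISE-PSN
aaa accounting dot1x default start-stop group ISE-PSN
!
! Check: "show aaa servers" reports the state (UP/DEAD) and the
! dead-detection counters for each server.
show aaa servers
show radius server-group all
```

For the large deployments mentioned on slide 11, the parenthesised values (5-7 s timeout, 3-5 retransmits, dead-criteria 120 s with 5-15 tries) replace the numbers above; the structure of the configuration does not change.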
  • 12. Other wired dot1x best practices
    - held-period – how long the switch does not accept EAP frames from the supplicant after a failed attempt. Helps avoid authentication flooding from misconfigured supplicants. Recommended value: 300 seconds.
    - quiet-period – how long the switch waits before it starts querying the supplicant again after a failed attempt. Recommended value: 300 seconds.
  • 13. Other wired dot1x best practices (continued)
    - Inactivity timer – how many seconds of client inactivity the switch allows before it clears the session and re-authenticates. Recommended value: disabled; the only exception is a supplicant connected behind a non-Cisco IP phone.
    - Re-authentication – after how long a client must be re-authenticated (defined locally on the switch, or pushed from the AAA server as Session-Timeout). Recommended value: 10 hours, unless the security policy requires a shorter value.
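An access-port configuration for the timers on slides 12 and 13, added here as an example and not taken from the original presentation. The interface name is a placeholder; the tx-period and max-reauth-req values are an assumption (common values for an ISE deployment), since the slides name those EAP timers on slide 4 without giving numbers.

```cisco
! Added example, not from the original slides. The interface and the
! values marked "assumed" are placeholders.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Re-authentication (slide 13): honour the Session-Timeout pushed by
 ! ISE (10 h in the authorization profile) rather than a local timer.
 authentication periodic
 authentication timer reauthenticate server
 ! Inactivity timer (slide 13): not configured, i.e. disabled. Only a
 ! port with a supplicant behind a non-Cisco IP phone would get
 ! "authentication timer inactivity <seconds>".
 mab
 dot1x pae authenticator
 ! quiet-period (slide 12): 300 s before the switch re-engages a
 ! supplicant that just failed, limiting authentication flooding.
 dot1x timeout quiet-period 300
 ! EAP timers from slide 4 (assumed values): wait 10 s for the
 ! supplicant's reply and retry twice before falling back to MAB.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Check the effective timers and the method state on the port.
show authentication sessions interface GigabitEthernet1/0/1 details
show dot1x interface GigabitEthernet1/0/1 details
```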
  • 14. Wireless world: AAA server aggressive failover. By default the WLC moves to the next server after 5 retransmissions for a single client, so one misbehaving client can cause the entire WLC/WLAN to switch over to the next RADIUS server. With aggressive failover disabled, 3 consecutive requests for 3 different clients have to fail before the WLC switches to the next AAA server. (Diagram: the client sends an EAP Identity response, the WLC sends an Access-Request and the PSN answers with an Access-Challenge and waits for the next data; the client then starts a new session and sends another Identity response, the WLC's new Access-Request is ignored because the previous exchange is still in progress, and the WLC retries and counts the failures.)
  • 15. Wireless world: AAA server high availability. Three possible modes:
    - Off (default) – the first server in the SSID settings is used until it is marked unresponsive. The WLC then uses the next server and does not return to the previous one.
    - Passive – once the first server is marked unresponsive it is moved to the dead server list for a predefined time (default 300 s); when the dead timer expires the WLC retries the server.
    - Active – the WLC equivalent of the automated tester. The server is marked dead and, after the dead timer expires, the WLC probes it with a test username before putting it back in use.
  • 16. Wireless world: AAA server high availability (continued). Passive or Active mode is recommended. When a MAR (Machine Access Restriction) cache is in use, this protects against a huge number of failed authentications at switch-over time: machine authentication is normally triggered only on reboot or on a user logoff/login event, so after a short PSN outage in the middle of the day every subsequent user authentication would fail against the new PSN, which holds no MAR cache entry for those endpoints.
  • 17. RADIUS server configuration recommendations (WLC)
    - Server timeout – recommended value between 5 and 10 seconds. Avoid the default 2 s; it is too aggressive.
    - RFC 3576 – enables CoA support for this server. For ISE keep it always enabled.
  • 18. WLAN configuration recommendations. Use the same server for authentication and accounting. This ensures that a single PSN is the exclusive holder of the session/endpoint data, so Accounting Start/Stop/Update messages do not trigger an endpoint ownership change.
  • 19. WLAN configuration recommendations (continued)
    - AAA Override – allows the authorization attributes returned by the server to be applied.
    - Session Timeout – 10 hours is the recommended value.
    - Client Exclusion – ignore a client's authentication attempts after a failed one. Recommended value: 180 seconds.
    - NAC State – enables CoA support for the WLAN.
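The AireOS WLC CLI equivalent of slides 14 to 19, added as an example; it is not part of the original presentation, which shows the GUI. Server indexes 1 and 2, WLAN ID 1, the addresses, the shared secret and the probe username ise-probe are placeholders.

```cisco
! Added example, not from the original slides. Indexes, addresses,
! secret and probe username are placeholders.
!
! RADIUS servers (slide 17): 5 s timeout instead of the 2 s default,
! CoA (RFC 3576) enabled for every ISE server.
config radius auth add 1 10.1.1.10 1812 ascii ISE-SHARED-SECRET
config radius auth add 2 10.1.1.20 1812 ascii ISE-SHARED-SECRET
config radius auth retransmit-timeout 1 5
config radius auth retransmit-timeout 2 5
config radius auth rfc3576 enable 1
config radius auth rfc3576 enable 2
config radius acct add 1 10.1.1.10 1813 ascii ISE-SHARED-SECRET
config radius acct add 2 10.1.1.20 1813 ascii ISE-SHARED-SECRET
!
! Aggressive failover (slide 14): disabled, so a single misbehaving
! client cannot move the whole controller to the next server.
config radius aggressive-failover disable
!
! Server fallback (slide 15): active mode; a server marked dead is
! probed with the test username every 300 s and reinstated when it
! answers. "passive" would simply retry it after the timer instead.
config radius fallback-test mode active
config radius fallback-test username ise-probe
config radius fallback-test interval 300
!
! WLAN (slides 18-19). Authentication and accounting use the same
! server list in the same order, so one PSN owns the session. The WLAN
! must be disabled while these settings are changed.
config wlan disable 1
config wlan radius_server auth add 1 1
config wlan radius_server auth add 1 2
config wlan radius_server acct add 1 1
config wlan radius_server acct add 1 2
config wlan aaa-override enable 1
config wlan nac radius enable 1
config wlan session-timeout 1 36000
config wlan exclusionlist 1 180
config wlan enable 1
!
! Check server state and WLAN settings.
show radius summary
show wlan 1
```

The probe username used by the fallback test should also get a Collection Filter on ISE (slide 10), for the same reason as the switch automated tester.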
  • 20. ISE side best practices: suppression. Suppression of anomalous clients and of logging should always be enabled.
    - Anomalous client suppression – if two or more unsuccessful attempts with the same scenario are detected from the same client during the detection interval, ISE sends Access-Reject to that client immediately for the duration of the reject interval.
    - Log suppression – only the first successful authentication of a client is logged; for subsequent successful authentications only the authentication counter is updated.
  • 21. Disabling suppression. Suppression can be disabled per endpoint for troubleshooting. It should never be disabled globally because of the performance degradation; the only reason for a short global disable is a critical intermittent issue.
  • 22. ISE side best practices: policy sets. Policy sets make policy selection much more efficient: there is no need to look up the entire policy list, the lookup is always localised inside the selected policy set. How to organise your policy sets:
    - based on authentication type (dot1x/MAB)
    - based on NAD type (wireless/wired/3rd party)
    - based on the Device dictionary (Device Type/Location/Software)
  • 24. What is a redirected flow. Any service ISE provides to an end client where the client (or a client application) has to be redirected to one of the ISE portals. List of redirected flows:
    - Guest authentication
    - BYOD onboarding
    - Posture
    - MDM
  • 25. Redirect general logic. When an authorization profile with a redirect action is selected, ISE returns an Access-Accept containing two specific AV pairs:
    - url-redirect-acl – the name of an ACL that must exist locally on the NAD. This ACL tells the NAD which traffic to redirect to ISE (only HTTP/HTTPS can be redirected) and which traffic crosses the NAD without redirection.
    - url-redirect – normally the PSN FQDN (the client must be able to resolve it) plus the portal ID and the session ID.
    When the client opens an HTTP session the NAD intercepts it and returns the url-redirect value as the new page location.
  • 26. Redirect best practices: wired
    - HTTP server – enabled; the default port 80 should be used unless a proxy is involved.
    - IPDT – enabled; IP device tracking is a critical component for applying ACLs (required for multi-domain and multi-auth).
    - SVI in the client subnet – otherwise the traffic flow between client and switch has to be planned very carefully.
    - DACL and redirect ACL – the recommendation is to apply only the redirect ACL. The combination of DACL and redirect ACL behaves differently on different platforms, and the redirect ACL alone provides enough security, since traffic is either redirected, permitted or dropped.
  • 27. Redirect best practices: wireless
    - AAA override enabled – allows the WLC to apply the redirect ACL and redirect URL to the client.
    - NAC = Radius NAC – without this option CoA is not supported on the WLAN, which prevents the redirect attributes from being applied.
    - Redirect ACL / Airespace ACL – the same recommendation as for switches: the protection provided by the redirect ACL is enough.
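The wired redirect prerequisites and redirect ACL from slides 25 and 26, as an added example that is not from the original presentation. The ACL name ISE-REDIRECT and the PSN addresses are placeholders; the ACL name must match the url-redirect-acl value returned by the ISE authorization profile. One caveat worth knowing for slide 27: on the WLC the Airespace ACL used as redirect ACL has the opposite sense, permit lines pass through without redirection and deny lines are redirected, so the same exemptions become permit entries there.

```cisco
! Added example, not from the original slides. ACL name and PSN
! addresses are placeholders; the name must match what the ISE
! authorization profile returns in cisco-av-pair "url-redirect-acl=".
!
! Slide 26: the switch has to terminate HTTP(S) to intercept the
! client's request and answer with the url-redirect location.
ip http server
ip http secure-server
!
! Slide 26: IP device tracking, so the switch knows the client IP to
! which the redirect ACL is bound (IOS 15.x syntax; IOS-XE uses a
! "device-tracking policy" instead).
ip device tracking
!
! Slide 25: the redirect ACL. On a Catalyst switch "permit" means
! "intercept and redirect", "deny" means "pass through untouched";
! anything unmatched is simply not redirected. DNS, DHCP and the PSNs
! themselves must be exempt so the client can resolve the PSN FQDN and
! reach the portal (8443) and the 8905 BYOD/posture connection directly.
ip access-list extended ISE-REDIRECT
 remark do not redirect DHCP and DNS
 deny   udp any any eq bootps
 deny   udp any any eq domain
 remark do not redirect traffic to the PSNs
 deny   ip any host 10.1.1.10
 deny   ip any host 10.1.1.20
 remark redirect all other web traffic to the ISE portal
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Following slide 26, no DACL is applied together with it: the
! authorization profile in ISE carries only the redirect ACL name
! and the redirect URL.
!
! Check: the session should list the URL-Redirect-ACL and the
! URL-Redirect (PSN FQDN, portal and session id) returned by ISE.
show authentication sessions interface GigabitEthernet1/0/1 details
show ip access-lists ISE-REDIRECT
```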
  • 28. Short-term guest access best practices. Typical requirement: redirect the user to the guest portal for credentials every time the device disconnects.
    - Session timeout – the authorization profile applied to the guest user after CoA contains a session timeout. When it expires the user is disconnected from the WLC and a new MAB request is sent to ISE.
    - Session attributes – attributes such as User Identity Group and Guest Flow belong to the session. When the endpoint disconnects the session attributes are cleared, and losing them forces ISE to select the policy with the redirect again.
  • 29. Long-term guest access best practices. Typical requirement: the user is redirected to the guest portal on first connect; after that no redirect should happen for X days.
    - Guest device registration – configured under the guest portal. The guest device is assigned to a specific endpoint identity group (the group name is configured under the corresponding Guest Type).
    - Endpoint-based policy – the endpoint identity group is used as the condition of the guest access policy after portal authentication. Session attributes should not be used there.
    This approach is the most efficient from a resource usage perspective.
  • 30. Admin certificate and redirect (BYOD use case). For BYOD and posture flows the software ISE delivers to the client connects to the PSN over TCP port 8905:
    - BYOD – the port is used for certificate provisioning.
    - Posture – the port is used to push the posture requirements and retrieve the posture report.
    For connections on port 8905 ISE always presents the Admin certificate. (Diagram: the client connects to the My Devices portal on psn1.xyz.com, which presents the Portal certificate issued by VeriSign, and checks "do I trust VeriSign?" and "does the CN/SAN match the FQDN?"; the connection to port 8905 is answered with the Admin certificate issued by ca.xyz.com.) Normally this does not cause any issues, except ...
  • 31. Admin certificate, redirect and two interfaces (BYOD use case). (Diagram: the PSN psn1.xyz.com has two interfaces, G0 and G1, with G1 named guest1.xyz.com. The Portal certificate has CN=guest1.xyz.com, issuer VeriSign; the Admin certificate has CN=psn1.xyz.com, issuer ca.xyz.com. After Access-Request/Access-Accept the client is sent to url=guest1.xyz.com and connects to the My Devices portal, checking "do I trust VeriSign?" and "does the CN/SAN match the FQDN?". On the connection to port 8905 the CN of the Admin certificate does not match the FQDN guest1.xyz.com.) Recommendation: add the FQDN of the second interface as a SAN to the Admin certificate.
  • 32. Redirection to a static FQDN. Misunderstanding this option is a common reason for guest/BYOD/posture redirect issues in distributed deployments. (Diagram of what customers expect: two PSNs, G0 10.1.1.10 and G0 10.1.1.20, and a DNS A record byod.xyz.com for 10.1.1.10 and 10.1.1.20; the first PSN answers the Access-Request with Access-Accept url=byod.xyz.com, the client resolves byod.xyz.com to 10.1.1.20 and connects to the My Devices portal on the other PSN, which does not hold the session.) When this option should be used: only when the PSNs sit behind a load balancer and the load balancer is configured with RADIUS and SSL session binding (persistence), so that the portal connection lands on the same PSN that handled the RADIUS session.
  • 33. Upgrade to ISE 2.0, TAC recommendations.
  • 34. Upgrade drivers
    1. Bug fixes – the fix for a bug affecting you exists in 2.0.
    2. New features needed:
      - TACACS+ Device Administration
      - Third-Party Device Support
      - TrustSec Dashboard, Matrix Enhancements, Work Center, Support for SXP
      - Location Based Authorization
      - Support for the EAP-TTLS protocol
      - KVM Hypervisor Support
      - Cisco ISE Telemetry
  • 35. Upgrade preparation tasks
    1. Backup collection – both the configuration and the operational backup must be collected.
    2. Certificate backup – export the certificates with their private keys from each ISE node to a secured location. Document the role of each certificate (e.g. Admin or Portal) during the export.
    3. Upgrade path discovery – can I upgrade directly, and if not, what has to be done first?
  • 36. New ISE version testing
    1. Create two VMs, install a clean ISE 2.0 on them, restore your current backup and build a distributed deployment (each ISE installation comes with a 90-day trial license).
    2. Prepare the testing scope: one test SSID and one test switch; ensure that every flow you use works as expected.
    3. Read the upgrade guide carefully to avoid problems.
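The ISE CLI side of steps 1 of slide 35 and slide 36, as an added example that is not part of the original presentation: taking both backups on the production Primary Admin Node and restoring the configuration backup on the first clean ISE 2.0 test VM. The repository name, URL, credentials, encryption key and the placeholder for the backup file name are assumptions; the certificate export of slide 35 (step 2) is done in the admin GUI and is not shown.

```cisco
! Added example, not from the original slides. Repository name, URL,
! credentials and the encryption key are placeholders; the backup file
! name is read from "show repository" after the backup completes.
!
! On the production Primary Admin Node: define a repository and take
! both backups (slide 35, step 1).
ise/admin# configure terminal
ise/admin(config)# repository BACKUP-REPO
ise/admin(config-Repository)# url ftp://10.1.1.100/ise-backups
ise/admin(config-Repository)# user backupuser password plain BackupP@ss
ise/admin(config-Repository)# exit
ise/admin(config)# exit
ise/admin# backup pre-upgrade repository BACKUP-REPO ise-config encryption-key plain Enc-Key-123
ise/admin# backup pre-upgrade repository BACKUP-REPO ise-operational encryption-key plain Enc-Key-123
ise/admin# show repository BACKUP-REPO
!
! On the first clean ISE 2.0 test VM (slide 36, step 1): point it at the
! same repository and restore the configuration backup. The second VM is
! then registered to it from the GUI to form the test deployment.
ise20-test/admin# configure terminal
ise20-test/admin(config)# repository BACKUP-REPO
ise20-test/admin(config-Repository)# url ftp://10.1.1.100/ise-backups
ise20-test/admin(config-Repository)# user backupuser password plain BackupP@ss
ise20-test/admin(config-Repository)# exit
ise20-test/admin(config)# exit
ise20-test/admin# restore <config-backup-file-from-show-repository> repository BACKUP-REPO encryption-key plain Enc-Key-123
ise20-test/admin# show application status ise
```

Keep the encryption key with the backup documentation: a backup that cannot be decrypted is as useless as no backup when the upgrade has to be rolled back.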
  • 40. MDM authorization policies configuration with different ISE versions.
  • 41. ISE 1.3 MDM
    - Single MDM server support – the administrator can define multiple MDM servers in the configuration, but only one can be active.
    - Redirection to the MDM portal is not a "must" – the actual redirect is only needed for "new" endpoints that have not yet been registered on the MDM server. Because of this many customers have no redirect policies at all. (Diagram: an endpoint already registered on the MDM server connects to the network; the PSN queries the MDM server and gets Registered/Compliant back.)
  • 42. MDM enhancements in ISE 1.4 and higher
    - Multi-MDM support – the administrator selects in the authorization profile which MDM server should be used.
    - Endpoint attribute MDM Server – with multiple MDM servers ISE has to know which server to query for each endpoint, so a new attribute storing this information was added to the endpoint attribute list.
    MDM redirect is a "must" starting from ISE 1.4, because the MDM server attribute is written to the endpoint as part of the redirect flow. To decide which MDM server a redirect should go to, use an AD group, the SSID or any other significant attribute as the server selection condition. (Diagram: an endpoint registered on the MDM server but unknown to ISE connects to the network; policy selection = redirect to Meraki MDM; ISE writes Meraki as the MDM server to the endpoint; only then is the MDM server queried and Registered/Compliant returned.)
  • 43. ISE MDM best practices
    - At least two MDM authorization policies:
      1. A lower policy for the MDM redirect. Before ISE 1.4 you can do without it if all endpoints are onboarded externally, but to avoid problems after an upgrade it is highly recommended to have this policy in all ISE versions.
      2. An upper policy for Compliant/Registered devices.
    - A compound condition for detecting endpoint deletion. When an endpoint is deleted from the MDM server, ISE gets an empty message as the API response. If the endpoint was previously marked compliant, ISE reuses that information; the registration status is never reused. The condition should therefore check both the registration status and the compliance status, not compliance alone.
  • 44. Useful links
    - Demystifying RADIUS Server Configurations
    - TECSEC-3672 - Identity Services Engine 1.3 Best Practices
    - ISE Traffic Redirection on the Catalyst 3750 Series Switch
    - BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment
    - Configure the RADIUS Server Fallback Feature on Wireless LAN Controllers
    - Wired 802.1X Deployment Guide
    - Cisco Identity Services Engine Upgrade Guide, Release 2.0
    - Cisco CLI Analyzer