Brksec 3697 PDF

Advanced ISE Services,
Tips & Tricks

Aaron T. Woland, CCIE #20113
Principal Engineer, Security Business Group
BRKSEC-3697
Please Participate in Poll While we Wait
Pollev.com/(cisco30)
22333
(cisco30)
<your response>
Web voting Text voting

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
This is a Deep Dive. It may get Intense!
- Gny. Sgt. Hartman - Full Metal Jacket, 1987
*Balance of Technical Bits & Bytes Without “Brain-Frying”

Sarcasm
“If we can’t laugh

at ourselves,
Then we cannot
laugh at anything
at all”
BRKSEC-3697 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Aaron Woland, CCIE# 20113
Principal Engineer
Security Business Group
loxx@cisco.com
@AaronWoland
http://www.networkworld.com/blog/secure-network-access/
Disclaimer
Please Fill Out The Survey!
Cisco ISE & TrustSec Sessions: Building Blocks
BRKSEC-2045 -
BRKCOC-2015 BRKSEC-3697
BRKSEC-3699 Mobile Devices and
Cisco IT's Assured Advanced ISE
Designing ISE for BYOD Security -
Network Access: (ISE) Services, Tips and
Scale & High Deployment and Best
Deployment and Best Tricks
Availability Practices
Practices (Wed 8:00am)…
(Thurs 8:00 am) (Mon 4:00pm)
(Thurs 10:30am). (Thurs 8:00am)…
(Tue 4:00pm)
PSOSEC-2009- ISE 2.0 BRKSEC-2695 - Building an BRKSEC-2059 Deploying

& 2.1 Features Enterprise Access Control ISE in a Dynamic Public
(Tue 12:30 pm + Wed Architecture using ISE and TrustSec Environment
10:30 am) (Mon 1:30 pm + Wed 8:00 am) (Thurs 8:00 am)
BRKCRS 1449 BRKCRS-2893 BRKSEC-2203 BRKSEC-3690 BRKSEC-2026 -

Enabling Security Choice of Deploying TrustSec Advanced Security Building Network
Everywhere on Segmentation and Security Group Group Tags: The Security Policy:
Enterprise Group-based Tagging Detailed Walk Through Data
Networks Policies (Tue 1:30pm) Through (Wed Intelligence
(Mon 4:00pm) (Thurs 8:00am) 1:30pm) (Thurs 1:00pm)
Multiple Sessions to Choose From:
Important: Hidden Slide Alert
Look for this “For Your Reference”

Symbol in your PDF’s
There is a tremendous amount of

hidden content, for you to use later!
ForYour
For Your
Reference
Reference
**~100 Slides in PDF
Lots of NEW Content
Watch Recordings of Prior Sessions
Roadmap and Futures
Everything
You Want
ISE 1.0
Roadmap and Futures
Agenda
• Introduction
• Certificates, Certificates, Certificates
• BYOD in Practice
• Integrating with Cisco and Non-Cisco
• Active Directory Best Practices (Limited)
• Serviceability & Troubleshooting
• Upgrade Tips from the Field
• Conclusion
ISE and Certificate Usage
Your Feedback is Heard!
• Other Resources:
• http://www.networkworld.com/blog/secure-network-
access/
• Books: http://amzn.com/1587144263
• My Previous Cisco Live Sessions: http://ciscolive.com
• Public ISE Community: http://cs.co/ise-community
Certificates
ForYour
For Your
What is an X.509 Certificate Reference

Reference
• A Certificate is a signed document…

• Think of it like a government form of
identity
X.509
username
organization
location
Certificates
ForYour
For Your
What is the purpose of an X.509 Certificate? Reference

Reference
Provides an
Identity
Who is What is WebSite

…
user endpoint Identity
Contains the Public Key for Encryption
Certificates
ForYour
For Your
Other Usages of X.509 Certificates Reference

Reference
Key Usages
Extended Key Usages (EKUs)
Server Client Key Cert …

Auth Auth Signing
Certificates
ISE and Certificates: Multiple Identities ForYour

For Your
Reference
Reference
Authentication Server
Layer 2 Layer 3
Link Link
Authentication
Supplicant Authenticator Server
Start
EAPoL Start
EAP-Request/Identity
Port Unauthorized
Secure
EAP-Response/Identity
Web Server
RADIUS Access Request
EAP-Request/PEAP RADIUS Access-Challenge

Multiple
Middle [AVP: EAP-Request PEAP] Challenge-
EAP-Response/PEAP Request
RADIUS Access Request Exchanges
[AVP: EAP-Response: PEAP]
Possible
Root CA
Internal
Communications BRKSEC-3697 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Certificates
Managing Local Certificates ForYour

For Your
Reference
Reference
ISE 1.0-1.2
PSN #1
• Generate CSR for PSN #1
• Bind CA-signed cert for PSN #1
• Generate CSR PAN’s

PSN #20
for PAN/MnT MnT’s • Generate CSR for PSN #20
• Bind CA-signed cert • Bind CA-signed cert for PSN #20
for PAN/MnT
• Generate CSR for

PSN #40
PSN #40 • Bind CA-signed cert
for PSN #40
Certificates
Centralized Certificate Management in 1.3+

PSN #1
Primary
PSN #20
• Generate CSRs for ALL NODES PAN
at Primary PAN
• Bind CA-signed certs for ALL NODES at
Primary PAN
• Manage System (Local) certs for ALL
NODES at primary PAN PSN #40
Certificates
Manage System Certificates ForYour

For Your
Reference
Reference
• Certificates used by: Admin, HTTPS Portals, pxGrid, EAP
• These are Private/Public Key Pairs – i.e.: They Identify ISE Personalities
Certificates
Certificates your ISE Cube will “Trust” ForYour

For Your
Reference
Reference
• Trust for EAP, MDM, etc.

• These are copies of their Public Certs. I.e.: They Identify Other Systems
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Certificates
ForYour
For Your
Trusted Certificates Reference

Reference
• In 1.3+, trusted certificates have a new “Trusted For” attribute.

• Security Goal: to prevent the public certificates used for Cisco Services from being
used internally.
• When importing a trust certificate, the user must specify what the certificate is
trusted for.
• It is important to select at least one category, or the cert will not be used in any
trust store.
Certificates
System Certificate Roles – ISE 1.3+ ForYour

For Your
Reference
Reference
1.2 Role Name 1.3 Role Name How Many May Use Wildcard May use Wildcard
(*) in SAN (*) in Subject
HTTPS Admin 1 Yes Yes
EAP EAP Authentication 1 Yes No1

- pxGrid 1 No No
- Portal Many Yes Yes
• ‘Admin’ cert is the server cert for the Admin Console
• ‘pxGrid’ cert is the server cert for authenticating the ISE node to pxGrid clients
• ‘Portal’ cert is a server cert associated with a particular ISE portal (Guest, Sponsor,
My Devices, …)
• In a freshly installed node, the default self-signed cert has all four roles
Certificates for all roles are managed from the Primary PAN node.
1 While ISE technically allows wildcard in the CN, Microsoft supplicants will reject, so never recommended
Certificates
ISE 1.3: Multiple Web Portals ForYour

For Your
Reference
Reference
Each Portal Could Use A Different Certificate

• Each Portal Exists
on ALL PSN’s
ISE PSN-1
• Each Portal
Requires a
Certificate
ISE PSN-2
• One Certificate per
Interface > IP:Port
ISE PSN-3
• Each PSN Could
Have Unique
Certificates
(Identity)
Certificates
Problem: Assign Certificate on All PSNs to Portal?

How To Assign “At Scale” ForYour
For Your
Reference
Reference
• New UI Paradigm with ISE 1.3 is to

Keep All Portal Configuration
Together.
• Options:
• Add complexity to the Portal
Configuration Page by Choosing
Certificates on Each Node?
• What about Large Deployments (40 PSNs)?
• Configure it entirely outside of the Portal
Configuration screen?
• Some way to combine?
X
PSN-1: Cert1
PSN-2: Cert2
PSN-3: Cert3
Certificates
ForYour
For Your
Solution: Portal Certificate Group Tag Reference

Reference
• Portal Certificate Group Tag provides a solution to configure node-specific

certificates for Portal configuration by associating node certificates to a logical
name.
Node 1 – Pri Admin, M&T and PSN Portal Configuration
Group Tag
Node 2 – Sec Admin, M&T and PSN
GuestPortalCerts
(Grouping Certificates to a
Node 3 - PSN Logical Name)
Certificates
ForYour
For Your
Reference
Reference
• For Scalability, X.509 Certificate
Certificate Chains Authorities may have hierarchy
• ISE will present full signing chain to
Root CA client during authentication
• Client must trust each CA within the chain
Subordinate
CA
Cert
Root  Sub  ISE
Certificates
Pro Tip: Always Add the Root & Sub CA’s

• Import All Certificates in Trust Path, One at-a-Time
Root CA
Subordinate CA
Subordinate CA
ISE Cert
If you must use a PKCS chain, it needs to be in PEM format (not DER)
Certificates
PEM versus DER

PEM Encoded DER Encoded
Convert DER to PEM: openssl x509 -inform der –in DER.cer -out NewFile.pem
Certificates
Joining an ISE Cube: Mutual Trust Required ForYour

For Your
Reference
Reference
• In order to join an ISE node to an

existing ISE Cube:
• You must trust the PAN Cert on the
2ndary node(s) PSN1
• And vice-versa. PAN
PSN2
PAN PSN PSN
Trusted Certs Trusted Certs

Certificates

For Your
Reference
Reference

existing ISE Cube:
2ndary node(s) PSN1
• Then you upgrade all Certs PSN2

• Delete the old Self-Signed Certificates
from the System Certs
• Delete the old Self-Signed Certs from
the Trusted Cert Store
X X
PSN
Trusted Certs
PSN
Certificates

For Your
Reference
Reference

existing ISE Cube:
2ndary node(s) PSN1
• Then you upgrade all Certs PSN2

• Delete the old Self-Signed Certificates
from the System Certs
• Delete the old Self-Signed Certs from
the Trusted Cert Store
• So, it’s often easiest to upgrade to a
CA-Signed & Trusted Cert Before
Joining the Cube.
Certificates
Simple URL for My Devices & Sponsor Portals

• In 1.3+: Sponsor Portal and My
Devices Portal must be accessed via
a user-friendly URL and selectable
port.
• Ex: http://mydevices.company.com
Automatic redirect to https://fqdn:port
• FQDN for URL must be added to DNS
and resolve to the Policy Service
node(s) used for Guest Services.
• Recommend populating Subject
Alternative Name (SAN) field of PSN
local cert with this alternative FQDN or
Wildcard to avoid SSL cert warnings
due to name mismatch.
Certificates
ISE Certificate without SAN

Certificate Warning - Name Mismatch
http://sponsor.company.com DNS Lookup = sponsor.company.com
DNS Response = 10.1.99.5 100.1.100.5

DNS
Server ISE-PSN-1
SPONSOR http://sponsor.company.com
100.1.100.6
https://sponsor.company.com:8443/sponsorportal
Load Balancer ISE-PSN-2
100.1.99.5
100.1.100.7
Name Mismatch!
Requested URL = sponsor.company.com ISE-PSN-3
Certificate Subject = ise-psn-3.company.com
Certificates
ISE Certificate with SAN

No Certificate Warning
http://sponsor.company.com DNS Lookup = sponsor.company.com
DNS Response = 10.1.99.5 100.1.100.5

DNS
Server ISE-PSN-1
SPONSOR http://sponsor.company.com
100.1.100.6
https://sponsor.company.com:8443/sponsorportal
Load Balancer ISE-PSN-2
100.1.99.5
Certificate OK! 100.1.100.7

Requested URL = sponsor.company.com
Certificate SAN = sponsor.company.com ISE-PSN-3
Certificates
ISE Certificate with SAN
CN must also exist in SAN
Other FQDNs as “DNS

Names”
IP Address is also option
Certificates
“Traditional” Wildcard Certificates

• Wildcard Certificates are used
to identify any secure web site
that is part of the domain:
• e.g.: *.woland.com works for:
• www.woland.com
• mydevices.woland.com
• sponsor.woland.com
• AnyThingIWant.woland.com
!= psn.[ise].woland.com
Position in FQDN is fixed
Certificates
Wildcard Certificates – Why use with ISE?
Use of all portals & friendly URL’s without Certificate

Match Errors.
Most Importantly: Ability to host the exact same certificate

on all ISE PSNs for EAP authentications
• Why, you ask?.......
Certificates
Clients Misbehave!
Example education customer:
• ONLY 6,000 Endpoints (all BYOD style)
• 10M Auths / 9M Failures in a 24 hours!
• 42 Different Failure Scenarios – all related to
clients dropping TLS (both PEAP & EAP-TLS).
Supplicant List:
• Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo,
Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
5411 No response received during 120 seconds on last EAP message sent to the client
• This error has been seen at a number of Escalation customers
• Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.
Certificates
Recreating the Issue

Yes, my Wife
was
Absolutely
THRILLED
That this was
completed
In the
kitchen!!

Certificates
Recreating the Issue

Cisco Cius Android 2.2.2 / Kernel 2.6.31.6-mrst
Galaxy Player Android 2.3.5 / Kernel 2.6.35.7 iPad1 iOS 5.1.1 (9B206)
Galaxy TAB 10.1 Android 4.0.4 / Kernel 3.1.10 iPad2 iOS 6.0.1 (10A523)
Galaxy Tab 2 Android 4.1.1 / Kernel 3.0.31 iPad Mini iOS 6.1.2 (10B146)
Acer A110 Tab Android 4.1.2 / Kernel 3.1.10 iPhone 4 iOS 6.0 (10A403)
Google Nexus7 Android 4.2.2 / Kernel 3.1.10-g05b777c iPhone 5 iOS 6.1.3 (10B329)
iPod Touch 1Gen iOS 3.1.3 (7E18) Nook HD Nook 2.1.0
MacBook Pro 17 OSX 10.7.5

MacBook Air OSX 10.8.2 (12C30006)
Kindle Fire HD Version 7.3.0_user_3013320
Microsoft Surface WindowsRT
Win7 Native Windows7 Ultimate ServicePack1
WinXP Native WindowsXP SP3
Windows 8 Native Windows 8 Native Supplicant
Certificates
Clients Misbehave: Apple Example

• Multiple PSNs
ISE-1 ISE-2 • Each Cert signed by Trusted Root
• Apple Requires Accept on all certs!
• Results in 5411 / 30sec retry
ise1.ise.local ise2.ise.local
Cert Authority
1 5
NAD
SSID
1. Authentication goes to ISE-1

2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client Roams
Apple iOS & MacOS 6. Client Prompts for Accept
WiFi Profile © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Certificates
Solution: Common Cert, Wildcard in SAN

Allows anything
ending with
The Domain
Name.
-
Same EXACT Priv
/ Pub Key
May be installed
on all PSNs
Certificates
Coining a New Term
Certificates
Solution: Common Cert, Wildcard in SAN

• CN= psn.ise.local
ISE-1 ISE-2 • SAN contains all PSN FQDNs
psn.ise.local
*.ise.local
psn.ise.local
• Tested and works with:
Cert Authority psn.ise.local
comodo.com CA
SSL.com CA
Microsoft 2008 CA
1 5
• Failed with: GoDaddy CA
NAD -- they don’t like * in SAN
SSID -- they don’t like non-* in CN

2. ISE-1 sends certificate
Already Trusted 3. Client trusts ISE-1
4. Client Roams
6. Client Already Trusts Cert
Apple iOS & MacOS
WiFi Profile © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Certificates
1.4+ Certificate Management Improvements ForYour

For Your
Reference
Reference
• ‘Multi-Use’ usage in CSR Generation

• Ability to deselect the usage in Certificate Bind page
• Removal of ‘Allow Wildcard Certificate’ in Certificate Bind page
• Portal Tag re-assignment
• Multi Delete in CSR, Trust and System Certificate pages
• Enhanced delete error messages in Trust and Portal Certificates
• Wildcard Certificate changes replicated in a deployment
• Showing Portals and Nodes details in System Certificate Listing
• Showing Portals details in CSR, Import, Bind and Edit Certificate pages
• System Certificates Listing: ‘Not in Use’ for ‘Used By’ instead of ‘Unknown’
Certificates
Pro Tip: Don’t use Internal Domains Anymore

After November 1, 2015 Certificates for Internal Names Will No Longer Be
Trusted
In November 2011, the CA/Browser Forum (CA/B) adopted Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates that took effect on July 1, 2012.
These requirements state:
CAs should notify applicants prior to issuance that use of certificates with a Subject
Alternative Name (SAN) extension or a Subject Common Name field containing a reserved
IP address or internal server name has been deprecated by the CA/B
CAs should not issue a certificate with an expiration date later than November 1, 2015 with a
SAN or Subject Common Name field containing a reserved IP address or internal server
Name
Source: Digicert – https://www.digicert.com/internal-names.htm
Certificates
Pro Tip: Don’t use Internal Domains Anymore

After November 1, 2015 Certificates for Internal Names Will No Longer Be
Trusted
In November 2011, the CA/Browser Forum (CA/B) adopted Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates that took effect on July 1, 2012.
These requirements state:
ISE.LOCAL
CAs should notify applicants prior to issuance that use of certificates with a Subject
ISE.INTERNAL
Alternative Name (SAN) extension or a Subject Common Name field containing a reserved
IP address or internal server name has been deprecated by the CA/B
CAs should not issue a certificate with an expiration date later than November 1, 2015 with a
SAN or Subject Common Name field containing a reserved IP address or internal server
Name
Certificates
SSL Certificates for Internal Server Names
• An internal name is a domain or IP address that is part of a private network. Common

examples of internal names are:
• Any server name with a non-public domain name suffix. For example, psn.ise.local or
server1.ise.internal.
• NetBIOS names or short hostnames, anything without a public domain. For example,
Web1, ExchCAS1, or Frodo.
• Any IPv4 address in the RFC 1918 range.
• Any IPv6 address in the RFC 4193 range.
Certificates
Apple OS’s and ”Internal Domain Names”
/etc/hosts
1. psn.ise.local 10.1.100.1
DNS
2.
DNS Servers
Apple iOS & MacOS
Bonjour!
Internal CA
Certificate Authority
Internal Certificate Authority ForYour

For Your
Reference
Reference
Why use ISE as a Certificate Authority?

• Microsoft Public Key Infrastructure via a 2003/2008 Enterprise Server can add
significant complexity and expense to an ISE deployment.
Benefits of internal CA:
• Internal CA simplifies ISE deployment
• ISE can deliver certificates directly to endpoints
• No need to rely on integrating ISE to PKI for BYOD Cert provisioning
• Internal CA can still work with existing PKI Infrastructure
• Closed Loop BYOD Solution
• Focused on BYOD and MDM use-cases only, not a general purpose CA
Configuring the Native Certificate Authority ForYour

For Your
Reference
Reference
• Yes, that’s really it!

 So easy
Enabled by Default
NSP Flow – Internal CA Certificate Authority
PSN ForYour
For Your
SSID = CORP Reference
Reference
RA CA
Employee
PSN
Signing Certificate + User Certificate:

ISE sends Profile to Endpoint Wi-Fi Profile with EAP-TLS configured
SCEP Password = SessionID + Random
CSR is Generated on iOS

Password = SessionID + Random Key (from ISE)
CSR sent to ISE PSN (RA) via SCEP Validate Password Challenge
(session + random key)
CA Selection
CPP Certificate Template = Internal
User Certificate Issued:

Sent to Internal CA
CN = AD UserName
Certificate sent to ISE SAN = Values from Template
ISE sends Certificate to Endpoint

Wi-Fi Profile with EAP-TLS configured
CoA: ReAuth
EAP-TLS: User Cert
RADIUS Access-Request
RADIUS Access-Accept
NSP Flow – External CA Certificate Authority
PSN ForYour
For Your
SSID = CORP Reference
Reference
RA CA
Employee
PSN

ISE sends Profile to Endpoint Wi-Fi Profile with EAP-TLS configured
SCEP Password = SessionID + Random
CSR is Generated on iOS

Password = SessionID + Random Key (from ISE)
CSR sent to ISE PSN (RA) via SCEP Validate Password Challenge
(session + random key)
User Certificate Issued:
CA Selection CN = AD UserName
CPP Certificate Template = External SAN = Values from Template
SCEP Proxy to External Cert Authority
ISE sends Certificate to Endpoint Certificate sent to ISE

Wi-Fi Profile with EAP-TLS configured
CoA: ReAuth
EAP-TLS: User Cert
ISE CA: Multiple Personalities/Identities
Root CA Subordinate CA
OCSP Server Registration Authority
Root CA is Used to
ISE Certificate Authority Architecture Sign the certificates
for the Subordinate
CA’s.
Primary PAN Subordinate CA

Standby PAN ISE CA Root CA signs the Actual
Endpoint Certs
Secondary PAN is
another Root CA!
PSN PSN PSN PSN
Ensure you export
Primary PAN and
Subordinate CA Subordinate CA Subordinate CA Subordinate CA import on
SCEP RA SCEP RA SCEP RA SCEP RA Secondary
OCSP OCSP OCSP OCSP
Issue & Revoke Endpoint Certificates Certificate Authority
 Lists all the endpoint certificates issued by the Internal CA.

 Status – Active, Revoked, Expired
 Quick Overview of certificate details, Including the Template Used ForYour
For Your
Reference
Reference
 Automatically Revoked when an Endpoint is marked as “Lost”

 Certificates may be Manually Revoked
Node registration process Overview
Each PSN will get three certificates for CA functions: All PSNs are
• Subordinate CA – To sign endpoint certificates instructed by PAN to
• OCSP – To identify node with OCSP service Generate the CSR’s
• Registration Authority (RA) – To identify sub-ca when
requesting certificates for endpoints.
PAN (Root CA)
signs all three certs
PSN PAN
per-node
PSN is Joined to ISE Cube
Secondary PAN
PAN tells PSN to Generate 3x CSR’s (OCSP, Sub_CA_Endpoint, RA) does not generate
CSR’s are Generated on PSN
OCSP, Sub_CA_Endpoint, Registration Authority
CSR’s to Root CA
3x CSR’s sent to Root CA
MnT does not
3x Certificates: OCSP > Root; Sub_CA_EP > Root; RA > Root
generate any CSRs
to Root CA
ISE 1.3/1.4 Device w/ Cert Issued By ISE
Traffic is Still ISE Cube

Flowing Until
Next Re-Auth
PSN-1
MnT
NGFW
PSN-2
PAN
i-Net
Admin Revokes
Certificate
ISE Admin
ISE 2.0+ Device w/ a Cert Issued By ISE

2. If Cert has
Active Session, ISE Cube
Send CoA
PSN-1
MnT
NGFW
PSN-2
PAN
i-Net
1. Admin Revokes
Certificate
ISE Admin
ISE 2.0 Device w/ a Cert Issued By ISE

2. If Cert has
Active Session, ISE Cube
Send CoA
X PSN-1
MnT
NGFW
PSN-2
PAN
i-Net
ISE Admin
CoA-Terminate after Certificate revocation ForYour

For Your
Reference
Reference
• When an internal CA issued endpoint certificate is revoked, If there is an

endpoint using that particular certificate, currently on the network, then ISE
should send a CoA-Terminate to remove those from the network
• ISE will query MNT for all the active sessions based on the certificate serial
number and issue CoA on all the active sessions
• After the CoA-Terminate issuance, endpoint will be disconnected from the
network and prohibited from connecting back to the network using the revoked
endpoint certificate
• If there are no active sessions for the corresponding endpoint certificate then
no CoA will be issued.
Endpoint Certificate Revocation ForYour

For Your
Reference
Reference
Re-generate the Root CA ForYour
For Your
Reference
Reference
• The Entire certificate chain can be re-generated if needed.

• Old CA certificates remain in the Trust store to ensure
authentication of previously provisioned endpoints work
successfully.
ISE as an Intermediate CA ForYour
For Your
Reference
Reference
• ISE’s internal CA can work seamlessly with an existing CA in your deployment.

• Just make it an intermediate CA (sub-ordinate CA) to your existing CA.
• Create a CSR for the ISE node and get a certificate issued by the existing CA.
ForYour
For Your
ISE as an Intermediate CA Reference
Reference
Ensure that you get

a certificate from
your existing CA
with Key Certificate
signing capabilities
(Sub_CA Template)
Ensure the Existing

Root CA has a Tree
Size >= 3
(ISE is 2-tiers)
ForYour
For Your
Reference
Certificate Revocation Reference
• Online Certificate Status

Protocol (OCSP)
• Certificate Revocation List
(CRL)
ForYour
For Your
Reference
Reference
• Preferred method • A signed document published on

website
• Provides near real-time updates
• Periodically downloaded and stored
• Allows near real-time request locally
• The server examines the CRL to
• Think: Policeman checking from see if the client’s cert was revoked
laptop in squad-car, with live query already.
into DMV Database.
• Think: Policeman having a list of
suspended drivers in his squad car.
Note: ISE does not use the CRL field
in the cert, only the local configuration.
Default Internal OCSP Configuration ForYour

For Your
Reference
Reference
ForYour
For Your
OCSP Check Reference

Reference
ForYour
For Your
CA Server status Reference

Reference
Export CA Certs – ISE 1.3 – 1.4 ForYour

For Your
Reference
Reference
atw-lab-ise/admin# application configure ise
Selection ISE configuration option

<SNIP>
[7]Export Internal CA Store Root CA
[8]Import Internal CA Store
</SNIP>
Exporting the CA
[12]Exit
7 Certs to a
Export Repository Name: NAS
Enter encryption-key for export: ########## Sub CA Repository
Export on progress...............
The following 4 CA key pairs were exported to repository 'NAS' at

'ise_ca_key_pairs_of_atw-lab-ise':
Subject:CN=Certificate Services Root CA - atw-lab-ise
Will be an
Issuer:CN=Certificate Services Root CA - atw-lab-ise RA
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef Encrypted GPG
Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Bundle
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
OCSP
Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Four Key Pairs
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
Subject:CN=Certificate Services OCSP Responder - atw-lab-ise

Serial#:0x10d18efb-92614084-895097f2-9885313b
ISE CA keys export completed successfully
Import of CA Certs – ISE 1.3 – 1.4 ForYour

For Your
Reference
Reference
atw-lab-ise/admin# application configure ise

<SNIP>
[7]Export Internal CA Store
</SNIP>
[12]Exit
8
Import Repository Name: NAS
Always perform the
Enter CA keys file name to import: ise_ca_key_pairs_of_atw-lab-ise
Enter encryption-key: ######## certificate import to
Import on progress...............
the secondary PAN
The following 4 CA key pairs were imported:
Subject:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef Ensures that the
Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise same PKI Tree is
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
always used
Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
Subject:CN=Certificate Services OCSP Responder - atw-lab-ise

Serial#:0x10d18efb-92614084-895097f2-9885313b
Stopping ISE Certificate Authority Service...

Starting ISE Certificate Authority Service...
ISE CA keys import completed successfully
Native Supplicant Profile ForYour

For Your
Reference
Reference
Certificate Template(s)
• Define Internal or
External CA
• Set the Key Sizes
• SAN Field Options:
• MAC Address
• No Free-Form Adds..
• Set length of validity
ForYour
For Your
Reference
Reference
ForYour
For Your
Other Factoids Reference

Reference
• No temporary revocations (cannot un-revoke)

• Use Blacklist instead
• ISE does not publish a CRL, OCSP only
• ISE does not use the CRL distributions listed in endpoint Certs, it uses the
manual configured CRL distribution point
• Cannot selectively enable/disable CA service on PSNs. All or nothing.
• When issuing cert from PSN, it will be subordinate to the PAN
ISE CA: Dual Root Phenomenon

Different Chain of Trust
Promoted P-PAN PAN

S-PAN • The 4th PSN added
to Cube while S-PAN
temporarily the root.
• Now is a different
chain of trust!
PSN PSN PSN
Subordinate CA Subordinate CA Subordinate CA Subordinate CA

SCEP RA SCEP RA SCEP RA SCEP RA
OCSP OCSP OCSP
ISE CA: Dual Root Phenomenon

Single Chain of Trust
• Export Root CA &
Import into S-PAN
Promoted P-PAN PAN • The 4th PSN added

S-PAN
to Cube while S-PAN
temporarily the root.
• S-PAN has same

Chain of Trust
PSN PSN PSN PSN
Subordinate CA Subordinate CA Subordinate CA Subordinate CA

SCEP RA SCEP RA SCEP RA SCEP RA atw-lab-ise/admin# application configure ise
OCSP OCSP OCSP OCSP
<Snip>
[7]Export Internal CA Store
</Snip>
© 2016 [12]Exit
Cisco and/or its affiliates. All rights reserved. Cisco Public
CA Hierarchy in 2.0+
• A new certificate type called

NODE_CA has been introduced
- ROOT_CA – The Root CA for the entire
ISE PKI Hierarchy
- NODE_CA – Responsible for issuing the
subordinate EP_CA certificate and the
OCSP certificate
- EP_CA – Responsible for issuing the
Endpoints their identity and device
certificates
- OCSP – Responsible for signing the
OCSP responses
- EP_RA – Registration Authority for SCEP
to external CA’s
CA Hierarchy in 2.0+
• Multi Node Deployment with 2 PANs and a Single PSN
P-PAN
S-PAN
PSN1 PSN2 PSN3
• The NODE_CA on the Primary and Secondary PAN are signed by the ROOT_CA on the
Primary PAN
• The NODE_CA on the Primary PAN is also responsible for signing the EP_CA and
OCSP certificate for the PSNs
When does CA Hierarchy switch from 2 Roots to 1 Root?
 Fresh Install:
 Single Root Hierarchy for all New Installs.
 Upgrade:
 No changes on Upgrade
 To switch to the Single Root Hierarchy:
 Administration > System > Certificate > Certificate Signing Requests > Replace
ISE Root CA
 Note: If after an upgrade, the administrator does not trigger the “Replace ISE Root
CA” operation then any new PSN registering into the deployment will get its EP_CA
and OCSP certificates signed by the ROOT CA on the Primary PAN.
 This behavior is the same as 1.3/1.4
Example of Exported Keys ForYour

For Your
Reference
Reference
The following 5 CA key pairs were exported to repository 'disk' at 'ise_ca_key_pairs_of_atw-ise242':

Subject:CN=Certificate Services Root CA - atw-ise242
Issuer:CN=Certificate Services Root CA - atw-ise242
Serial#:0x06c4fb0a-812b4f07-8fc3361a-2c57ae24
Subject:CN=Certificate Services Node CA - atw-ise242

Issuer:CN=Certificate Services Root CA - atw-ise242
Serial#:0x7386ba45-9d754b69-9c82f764-d3263ca7
Subject:CN=Certificate Services Endpoint Sub CA - atw-ise242

Issuer:CN=Certificate Services Node CA - atw-ise242
Serial#:0x793e7b17-a0ec40e7-9bfc47f0-974fc909
Subject:CN=Certificate Services Endpoint RA - atw-ise242

Issuer:CN=Certificate Services Endpoint Sub CA - atw-ise242
Serial#:0x7e3c09ba-9168441f-a16f219f-6e62cbca
Subject:CN=Certificate Services OCSP Responder - atw-ise242

Issuer:CN=Certificate Services Node CA - atw-ise242
Serial#:0x08fcc154-b8414b25-a50ca00d-13994488
ISE CA keys export completed successfully
Do Not Delete ISE CA Certs

• Will Revoke the Certificate from CA
• All Endpoint Certificates will now be
Invalid & Rejected
• Cannot Undo
pxGrid & Grid Certificate Tips
Example pxGrid Integration: InfoBlox
Deployment
1. I need
pxGrid Bulk Downloads Bulk Session
(peer-to-peer) WWW
Data
2. Get it
From MnT
3. Direct
Data Transfer
FMC
Controller
MnT
Deployment
pxGrid Topic Extensibility WWW
Topic Publisher Subscribers
Session_Directory MnT Splunk, FMC, WSA ISE Admin
Vulnerable Hosts Rapid7
Controller
FMC
1. Req: Add New

Topic: 4. Announce:
“Vulnerable New Topic
Hosts” Available
MnT
3. Publish Topic
Deployment
pxGrid Topic Extensibility WWW
Topic Publisher Subscribers
Session_Directory MnT Splunk, FMC, WSA ISE Admin
Vulnerable Hosts Rapid7 FMC
FMC
Controller
1. Subscribe
Vulnerable
Hosts
2. Direct
MnT
Transfer
Deployment
CAVEATS ForYour
For Your
Reference
Reference
 pxGrid clients must be updated to understand the topic

Schema by the vendor
 Currently no existing topics known – there are a few in the
works
 Remember: pxGrid clients must trust each other’s
certificates for bulk downloads, not just the ISE (pxGrid
controller)
#1 complaint about pxGrid integration:
Certificates. Customers, Partners, other
BU’s all confused by the Certificate
usages w/ pxGrid.
It Does not need to be

complicated!
Simplify it with the CA in 2.1+
So, How to we “Certificate-ify” pxGrid?
WWW
1. Required 2-Way Trust Between

Controller & pxGrid Clients
2. IF Bulk Downloads THEN 2-Way
Trust Client-to-Client
3. In Other Words: A Full MESH
(“MESS”) of Trusts Controller
FMC
MnT
So, How to we “Certificate-ify” pxGrid?
WWW
1. Use a Single Certificate Authority

2. Each pxGrid Participant Trust That
3. Each pxGrid Client use a ‘pxGrid’
Certificate from that CA
FMC
Controller
4. *Controller Must still Authorize the

Communication
Instant Full Mesh Trust!
X.509
X.509
X.509
X.509X.509
pxGrid
pxGrid
pxGrid
pxGrid
X.509
pxGrid pxGrid
MnT
ISE 2.1 CA
ForYour
For Your
Reference
Reference
Step-by-Step Configuration of
pxGrid, Cert Portal, Firepower
Manager, & WSA Integration in
Hidden Slides
Deployment Notes ForYour
For Your
Reference
Reference
 Can do CSR’s one at a time, but Bulk Download works well, too.
 Pro Tip: Don’t bother with CSR’s – just generate certificate pairs from
the Portal.
 Best Practice, Follow an Order of Operations:
 Don’t enable pxGrid until all nodes have a pxGrid certificate.
 Wait for all the services to come up on 1st PSN before you enable pxGrid on
the 2nd PSN
Edit the Certificate Provisioning Portal ForYour
For Your
Reference
Reference
Setup the Portal ForYour
For Your
Reference
Reference
Create a Network User ForYour
Your
For
Reference
This will be used as an Admin User in Next Step Reference
Must Match Chosen

Group on Last Slide
Make an Admin User from the Network User
ForYour
For Your
Reference
Reference
Add User to Super Admin Group ForYour
Your
For
Reference
Only Super Admin & ERS Admin Roles can Issue pxGrid Certs Reference
Login to the Certificate Provisioning Portal
https://certs246.securitydemo.net
Login to the Certificate Provisioning Portal
Generate Bulk Certs w/ pxGrid Template. Prefer to use a pxGrid Prefix in CN. 1 per ISE Node
Download the Certificates
Extract the Zip File
There are Key-Pairs per node + ISE CA Roots + ISE Admin Roots – All PEM Encoded
ISE CA Certificates
One Cert + Key Per Node
ISE Admin Root Certificates (can Ignore)

Import the Cert Pairs for Each Node ForYour
For Your
Reference
Reference
1 at a time, for pxGrid Usage Rinse / Repeat

Per ISE node
Delete the old, Self-Signed Cert ForYour
For Your
Reference
Reference
For Cleanliness
ForYour
For Your
Reference
Reference
Now that all the ISE Nodes have

their pxGrid Certificates: It’s
time to enable pxGrid
Enable pxGrid on the First PSN ForYour
For Your
Reference
Reference
Admin > System > Deployment Best Practice: To

ensure a predictable
& successful
deployment, the
order of operations
should be followed.
Don’t enable pxGrid

until all nodes have
a pxGrid certificate.
Wait for all the

services to come up
on 1st PSN before
you enable pxGrid
on the 2nd PSN
After Enabling pxGrid – Services will Start ForYour
For Your
Reference
Reference
After Services Start PAN & MnT will Automatically Publish Topics
Enable pxGrid on the Second PSN ForYour
For Your
Reference
Reference
Admin > System > Deployment Best Practice: To

ensure a predictable
& successful
deployment, the
order of operations
should be followed.
Don’t enable pxGrid

until all nodes have
a pxGrid certificate.
Wait for all the

services to come up
on 1st PSN before
you enable pxGrid
on the 2nd PSN
ForYour
For Your
Reference
Reference
FMC Configuration Example

Configuring the FMC ForYour
For Your
Reference
Reference
Use the ISE Root CA for the pxGrid servers & the MnT Server
Primary pxGrid PSN
2ndary pxGrid PSN
ISE Root CA Certificate
Add the ISE Root CA to FMC ForYour
For Your
Reference
Reference
Assign Root CA Cert to pxGrid Server CA and MNT Server CA
Add the pxGrid Certificate for the FMC ForYour
For Your
Reference
Reference
Just like the ones for the ISE Nodes
ForYour
Your
Success
For
Reference
Reference
firesightisetest-sourcefire3d =
The Test Subscription (test button)
iseagent-sourcefire3d =
The FMC’s production Connection
ForYour
For Your
Reference
Reference
WSA Configuration Example

WSA Configuration - Part 1/3 ForYour
For Your
Reference
Reference
Use the ISE Root CA Cert for Both pxGrid Nodes
Primary pxGrid PSN
2ndary pxGrid PSN

For Your
Reference
Reference
Use the same ISE Root CA Cert for Both Monitoring Nodes
For Your
Reference
Reference
Install the WSA’s pxGrid Cert & Key from the ISE CA
X Don’t Test until

after Submit
Success ForYour
For Your
Reference
Reference
The WSA Subscribes to both

Session Directory &
TrustSecMetaData Topics
-pxgrid_client =
The WSA’s production Connection
-Test_client =
The WSA’s Test Connection
Deployment
pxGrid Certificate Template (MS Cert Authority) ForYour

For Your
Reference
Reference
“Fire & ISE”
Deployment
Rapid Threat Containment with Firepower Management Center and ISE

• Uses pxGrid + Endpoint
Fully Supported Protection Services (EPS)
• Note: ANC is Next Gen
on FMC 5.4 and version of the older EPS
• EPS functions are still there
ISE 1.3+ for Backward Compatibility
Loads as a • Remediation Module Takes

Remediation Action via the EPS call through
pxGrid
Module on FMC
Deployment
Remediation Module from Talos Labs ForYour

For Your
Reference
Reference
Deployment
ForYour
For Your
Reference
Reference
Remediation Options
• Quarantine- quarantines an endpoint based on
source ip address
• portBounce- temporarily bounces the endpoint or
host port
• Terminate- terminates the end-user session
• Shutdown- initiates a host port shutdown, this will
insert a “shutdown” command on the switch port
configuration
• reAuthenticate- reAuthenticates the end-user
• UnQuarantine- unquarantines the endpoint
Deployment
Rapid Threat Containment with Firepower

Management Center and ISE
WWW
Controller MnT
3. pxGrid EPS
1. Security Action: Quarantine
Events / IOCs + Re-Auth
NGFW Reported
2. Correlation
FMC
Rules Trigger
i-Net Remediation Action
Deployment
Rapid Threat Containment with Firepower

Management Center and ISE
WWW
4. Endpoint
Assigned Quarantine
+ CoA-Reauth Sent
Controller MnT
NGFW
FMC
i-Net
Agenda
• Introduction
• Active Directory Best Practices
• Conclusion
BYOD in Practice
BYOD
BYOD Security Practices from the Field

If you can, Create an Identity Group for your Corporate
Owned Devices.
• May be populated by .CSV import, or REST API
• Uses the Endpoint ID Group for what it was designed to do: MAC Address
Management
Provision Different Certificates for Corporate Owned Assets
• Available 1.3+, or if you use MDM to distribute the certificates
Don’t Trust ONLY the Certificate
• That is technically only authenticating the device, not the user
BYOD
Android-M (Marshmallow Release) CSCuw03007

Problem: Marshmallow Removes
• x Ability for Apps to Read the Endpoint’s MAC address
• x Update Existing Wi-Fi Network Configuration (that was not created by itself).
Network Setup Assistant App needs these permissions for BYOD onboarding
• The MAC address is used while requesting for a certificate (via SCEP)
• Ability to overwrite an existing network is required since the network being provisioned
could exist on the device already (eg: Single SSID flow).
Result: Broken BYOD Onboarding for Android-M
Cough,
Cough
BYOD
Solution
• NSA App 1.2.47+ uses MAC in Profile instead

of Reading it From Device
• NSA Prompts to Delete/Forget the WiFi

Network via “overlay” message
BYOD
ForYour
For Your
Reference
Reference
BYOD
ForYour
For Your
Reference
MDM Integration Tips – Things to Know

Reference
• ISE caches previous MDM state to grant access at Auth time

• A few seconds later: ISE does a look-up via MDM API.
• If there is any change, ISE issues a COA.
• Multiple MDM rely on MDM redirects to find the correct MDM Server
• ISE 1.4 cannot perform a MDM API look-up with a new device without MDM
redirect.
• ISE can on-board Brown Field devices, no need to on-board devices
again
• Again, relies on the MDM redirect
The Opposite of BYOD:
How to differentiate corporate provisioned devices?
BYOD
Corporate Assets ForYour

For Your
Reference
Reference
Provide differentiated access for IT-managed systems.

Start Here
Registered
Employee No No
GUEST
Yes Access-Reject
Yes
Domain
Member No
?
YES
Access-Accept
Internet Only
BYOD
Identifying the Machine AND the USER

Machine Access Restrictions (MAR)
• MAR provides a mechanism for the RADIUS server to search the previous
authentications and look for a machine-authentication with the same Calling-
Station-ID.
• This means the machine must do authenticate before the user.
• i.e. Must log out, not use hibernate, etc….
• See the reference slides for more possible limitations.
BYOD

Rule Name Conditions Permissions
MAR Cache
IP Phones if Cisco-IP-Phone then Cisco_IP_Phone
Calling-Station-ID 00:11:22:33:44:55 – Passed
MachineAuth if Domain Computers then MachineAuth
Employee &
Employee if WasMachineAuthenticated = then Employee
true
GUEST if GUEST then GUEST
Default If no matches, then WEBAUTH
NAD
SWITCHPORT
PSN
[EAP-ID=CorpXP-1] Matched Rule = MachineAuth
[cisco-av-pair] = dACL=Permit-All
BYOD

Rule Name Conditions Permissions
MAR Cache
Calling-Station-ID 00:11:22:33:44:55 – Passed
MachineAuth if Domain Computers then MachineAUth
Employee &
Employee if WasMachineAuthenticated = then Employee
true
NAD
SWITCHPORT
PSN
EAPoL Start Matched Rule = Employee

[EAP-ID = Employee1]
[cisco-av-pair] = dACL=Permit-All
BYOD
Machine Access Restrictions (MAR) ForYour

For Your
Reference
Reference
Potential Issues with MAR
• Potential Issues with MAR:

• Wired/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine and
user authentication; MAC address will change when laptop moves from wired to
wireless breaking the MAR linkage.
• Machine state caching: The state cache of previous machine authentications is
neither persistent across ACS/ISE reboots nor replicated amongst ACS/ISE instances
• Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode
and then moves to a different location, or comes back into the office the following day,
where machine auth cache is not present in new RADIUS server or has timed out.
BYOD
Machine Access Restrictions (MAR) ForYour

For Your
Reference
Reference
Potential Issues with MAR
• Spoofing: Linkage between user authentication and machine authentication is

tied to MAC address only. It is possible for endpoint to pass user
authentication only using MAC address of previously machine-authenticated
endpoint.
• MAR description (from ACS guide):

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_ser
ver_for_windows/4.2/user/guide/UsrDb.html#wp354105
BYOD
Identifying the Machine AND the User ForYour

For Your
Reference
Reference
Real Customer Example: Custom DHCP Attribute & use of Profiler
C:\>ipconfig /setclassid "Local Area

Connection" CorpXYZ
Windows XP IP Configuration
DHCP ClassId successfully modified for adapter"Local Area Connection"
http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
BYOD
Identifying the Machine AND the User

The next chapter of authentication: EAP-Chaining
• RFC-7170: Tunneled EAP (TEAP).

• Next-Generation EAP method that provides all benefits of current EAP Types.
• Also provides EAP-Chaining.
• http://www.rfc-editor.org/rfc/rfc7170.txt
• Cisco did it YEARS before TEAP was/is adopted

• EAP-FASTv2
• AnyConnect 3.1+
• Identity Services Engine 1.1.1+
• **Adopted & in Production at Organizations World-Wide!
• Only True Chain of Machine + User
BYOD
EAP-Chaining Rule Name Conditions Permissions
With AnyConnect 3.1.1 and ISE 1.1.1 IP Phones if Cisco-IP-Phone then Cisco_IP_Phone
MachineAuth Domain Computers MachineAuth

1. Machine Authenticates if then
Employee &
2. ISE Issues Machine Employee if
Network
then Employee
Access:EAPChainingResult =
AuthZ PAC User and machine suceeded
NAD
SWITCHPORT
PSN
EAPoL Start
[EAP-Tunnel = FAST]
EAP-Request:TLV RADIUS Access-Challenge
[EAP-TLV = “Machine”]
EAP-Response RADIUS Access-Request
TLV = “Machine” [EAP-TLV= “Machine”]
[EAP-ID=Corp-Win7-1] PAC
EAP Success
BYOD
EAP-Chaining Rule Name Conditions Permissions
With AnyConnect 3.1.1 and ISE 1.1.1 IP Phones if Cisco-IP-Phone then Cisco_IP_Phone
3. User Authenticates MachineAuth if Domain Computers then MachineAuth
4. ISE receives Machine PAC Employee &

Network
Employee if then Employee
5. ISE issues User AuthZ PAC Access:EAPChainingResult =
User and machine suceeded
NAD
SWITCHPORT
PSN
PAC
EAPoL Start
[EAP-Tunnel = FAST]
EAP-Request:TLV RADIUS Access-Challenge
PAC
[EAP-TLV = “Machine”]
EAP-Response RADIUS Access-Request
TLV = “User” [EAP-TLV= “User”]
[EAP-ID=Employee1] PAC
EAP Success
BYOD
ForYour
For Your
EAP-Chaining FAQ Reference

Reference
Q: I use MSChapV2 today, can I use that with EAP-Chaining?

A: TEAP & EAP-FAST are tunneled EAP methodologies, you may use whichever
inner-methods you would like, as long as both the supplicant and RADIUS sever
support the protocol(s). I.e.: EAP-TLS, EAP-MSChapV2, EAP-GTC.
Q: What Supplicants Support EAP-Chaining Today?
A: Today, only Cisco AnyConnect NAM has support through EAP-FASTv2.
Please talk to your OS Vendors about supporting TEAP in their native supplicants!
Q: Can I chain certificates with username/pwd’s?
A: Yes! You may mix and match the machine and user credential types however
you see fit. I.e.: Machine Certificates + User Certificates, or Machine Certificates
+ Username/PWDs, or Machine Passwords + Username/PWDs, etc.
BYOD
Identifying the Machine AND the User

What to do when EAP-Chaining is not Available?
• There are many needs to determine Machine AND the User
• Windows is the only current OS that can run EAP-Chaining (with AnyConnect)
• What about iOS or Android based Tablets?
• Chain together 802.1X with Centralized Web Authentication (CWA)

• Can validate the device using a user-issued certificates
• Will validate the ‘actual user’ with username/password or smartcard or other method
that validates the user
BYOD
Mobile Device w/ Certificate

What Identifies the Actual User?
Mobile Device
w/ Certificate
BYOD
802.1X and CWA Chaining Rule Name Conditions Permissions

AD:ExternalGroup=Employees
AND
Employee_CWA if then Employee & SGT
CWA:CWA_ExternalGroup=
Employees
1. EAP-TLS Authentication
Employee &
2. ISE Sends Access- Employee_1X if Network Access: then CWAchain
EAPAuthentication = EAP-TLS
Accept w/ URL-Redirect
NAD
SWITCHPORT
PSN
CN=employee1 || Cert is Valid
EAP-ID Response RADIUS Access-Request Session Data

[EAP-Protocol= “TLS”]
User Identity = employee1
[AVP:url-redirect, dacl]
User Group = employees
BYOD

AND
Employees
3. User Enters Uname/PWD
Employee &
4. ISE Sends CoA-reauth Employee_1X if Network Access: then CWAchain
BobSmith
xxxxxxxxx
NAD
SWITCHPORT
PSN
Session Data
RADIUS CoA
EAP-ID Req
[AVP:reauth]
CWA Identity = BobSmith

CWA Group = employees
BYOD
Following the Flow 1. Initial EAP-TLS Auth

ForYour
For Your
Reference
Reference
Redirection to CWA Portal
BYOD

AND
Employees
3. User Enters Uname/PWD
Employee &
4. ISE Sends CoA-reauth Employee_1X if Network Access: then CWAchain
5. Supplicant Responds with Cert
6. ISE sends Accept, dACL & SGT
NAD CN=employee1 || Cert is Valid

SWITCHPORT
PSN
EAP-ID Response RADIUS Access-Request Session Data

[EAP-Protocol= “TLS”]
[AVP: dacl + SGT]
Access-Granted
CWA Identity = BobSmith
CWA Group = employees
BYOD
Following the Flow 2. WebAuth from User

ForYour
For Your
Reference
Reference
CoA
Not Required to be Different Username

BYOD
Following the Flow 3. Final Auth with Full Result

ForYour
For Your
Reference
Reference
Final Authorization
BYOD
See NW Blog for More on User vs. Machine
Agenda
• Introduction
• Conclusion
Non-Cisco NAD Integration
Session IDs and Sessionization
Deployment
Cisco Session ID
Also Known as Audit Session ID or CPM Session ID
C0A8013C00000618B3C1CAFB
NAS IP Address Session Count Time Stamp
• 96 bits / 12-bytes (Concatenation of three 32-bit fields)

• Audit Session ID is created when NAD sends RADIUS authentication request to
the RADIUS server
• Used for correlation of events (i.e.: RADIUS + HT
• Used for Change of Authorization (CoA)
Cisco Session ID Deployment
• Glue That Binds Client Session to Access Device and ISE

• Can persist across multiple RADIUS Access Requests and reauth events.
NAD: “show authentication session”
About that Which

ISE: Detailed Authentication Report
session… one???
RADIUS
Browser: URL-redirect for Web Auth

https://ise14.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&portal=&action=cwa
Deployment
Cisco Session ID vs ACS Session ID ForYour

For Your
Reference
Reference
• Cisco Session ID – Also known as CPM or Audit Session ID. Can persist across
multiple RADIUS Access Requests and reauth events.
• AcsSessionID is a legacy session ID – Lifetime is from the first Access-Request
until Access-Accept/Access-Reject. AcsSessionID is constructed from ISE node
unique prefix and a counter.
Deployment
Cisco Session ID vs IETF RADIUS Accounting
Session ID cat3750x#sh auth sess int gi1/0/9 det
Interface: GigabitEthernet1/0/9
ForYour
For Your
Reference
Reference
MAC Address: 0050.56a0.0b3a

IPv6 Address: Unknown
• Cisco Session ID IPv4 Address: 10.1.10.101
• EDCS-509295 User-Name: 00-50-56-A0-0B-3A
Status: Authorized
• 12 bytes Domain: DATA
Oper host mode: single-host
• Can traverse multiple IETF
Oper control dir: both
Acct-Session-Id’s Session timeout: N/A
Common Session ID: 0A010A010000009751894E3B
• IETF Acct Session ID Acct Session ID: 0x000000A6
Handle: 0x4900006F
• RFC 2866 Current Policy: POLICY_Gi1/0/9
https://tools.ietf.org/html/rfc2866#section-5.5
• >= 3 Octets/Bytes Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority
• Unique per RADIUS 150)
Accounting Start->Stop Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
• ISE supports BOTH since ACS ACL: xACSACLx-IP-AD_LOGIN_ACCESS-55f5cb00
1.0FCS Method status list:

Method State © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Deployment
Cisco Session-ID for 3rd Party NADs 2.0+
• A Synthesized Cisco Session-ID is Created when NAD does not send Cisco-AV-
Pair:Audit-Session-ID
• 24-Byte ASCII String
A45E60EB9A450033AC108601
Calling-Station- NAS- NAS-IP-Addr
ID Port attr(4)
attr(31) attr(5)
Change of Authorization
Deployment
• RFC 3576 (Cisco, Microsoft)

defined “Dynamic Authorization”
commonly known as Change of
Authorization (CoA). Updated in
RFC 5176 (Cisco, MS, RSA).
• Finally have the ability for a Policy
Change of Server to initiate communication
into the Network Device.
Authorization (CoA) • Previously, RADIUS only allowed
flows from the NAD  Policy
Server.
• Only 1 useful CoA Message Type
• CoA-Disconnect Message (CoA-
DM)
Advanced CoAs
• Cisco Advanced CoA’s (+/- 3 years before these are
standards)
• Reauth
• Quarantine
• Terminate with Port Shut Down
• Port Bounce (Helps tremendously with Non-802.1X
devices)
• SAnet Session Query
Deployment
What would happen with only CoA-DM Messaging

Step 1: AuthC to SSID Corp
Step 2: AuthZ Result = Quarantine Endpoint Posture
Step 3: NAC Posture Communication 00-00-0C-00-00-01 compliant

unknown
Step 4: CoA-DM
Step 5: Disconnected from SSID
CoA-DM
Policy
802.1X Authentication Corp
X AP
CAPWAP
WLC
Internet-Only
Traffic Flow
RFC 5176 (Obsoletes RFC 3576) Deployment
ForYour
For Your
Dynamic Authorization Extensions to RADIUS Reference
Reference
• Disconnect Message (DM)

• Also known as “Packet of Disconnect (PoD)” or “CoA Session Terminate”
• Terminate user session(s) on a NAS and discard all associated session context.
Disconnect-Request
Disconnect-ACK/NAK
• Change-of-Authorization (CoA) Messages

• Also known as “Authorize Only” or “CoA Push”
• CoA-Request packets contain information for dynamically changing session authorizations.
CoA-Request
CoA-ACK/NAK
RFC 5176 Deployment
ForYour
For Your
2.1. Disconnect Messages (DMs) s Reference
Reference
A Disconnect-Request packet is sent by the Dynamic Authorization Client in order to terminate user session(s) on a NAS
and discard all associated session context. The Disconnect-Request packet is sent to UDP port 3799, and identifies the NAS
as well as the user session(s) to be terminated by inclusion of the identification attributes described in Section 3.
The NAS responds to a Disconnect-Request packet sent by a Dynamic Authorization Client with a Disconnect-ACK if all
associated session context is discarded and the user session(s) are no longer connected, or a Disconnect-NAK, if the NAS
was unable to disconnect one or more sessions and discard all associated session context. A Disconnect- ACK MAY contain
the Acct-Terminate-Cause (49) Attribute [RFC2866] with the value set to 6 for Admin-Reset.
RFC 5176 Deployment
ForYour
For Your
Reference
Reference
2.2. Change-of-Authorization (CoA) Messages
CoA-Request packets contain information for dynamically changing session authorizations. Typically, this is used to change
data filters. The data filters can be of either the ingress or egress kind, and are sent in addition to the identification attributes
as described in Section 3. The port used and packet format (described in Section 2.3) are the same as those for Disconnect-
Request packets.
The following attributes MAY be sent in a CoA-Request:
Filter-ID (11) - Indicates the name of a data filter list to be applied for the session(s) that the identification attributes map to.
NAS-Filter-Rule (92) - Provides a filter list to be applied for the session(s) that the identification attributes map to [RFC4849].
The NAS responds to a CoA-Request sent by a Dynamic Authorization Client with a CoA-ACK if the NAS is able to
successfully change the authorizations for the user session(s), or a CoA-NAK if the CoA- Request is unsuccessful. A NAS
MUST respond to a CoA-Request including a Service-Type Attribute with an unsupported value with a CoA-NAK; an Error-
Cause Attribute with value "Unsupported Service" SHOULD be included.
CoA Examples Deployment
Cisco Wireless Example
Aruba Wireless Example
ForYour
For Your
RFC 5176 “CoA Push”

Reference
Reference
• Example shows Authorization Result “pushed” to NAD as part of CoA, not a

result of Reauth.
URL Redirection
Deployment
• URL Redirection has

become a key technology for
the seamless integration of
multiple services with the
strong authentication
capabilities of 802.1X and
URL Redirection as the flexible authentications of
a RADIUS RADIUS.
Authorization
• This has been critical to
successfully creating and
maintaining a positive end-
user experience.
Deployment
Dynamic URL Redirection

• Dynamic redirection instructs endpoint to “Come back to me — the RADIUS
session owner — and here is the Session ID to include in request”
• URL Redirection includes PSN-specific…
• FQDN • Portal • Flow Type (CWA, CPP, etc)
• SessionID • Port Number
Deployment
Where URL Redirection is Used

• Posture Discovery
• NAC Agents (any vendor) have a need to “find” the NAC Server to communicate
posture
• There is also the complication of what to do when no agent is installed
• Need to
• Captive Portal
• The URL Redirection with Session Awareness is critical to a successful transition of
states (change of authorizations) during web logins and authentications
• Device Registration / Onboarding
• Mobile Device Management Integration
• Supplicant & Certificate Provisioning
Deployment
URL Redirection
Cisco found it was CRITICIAL to customer success to accomplish at L2 Edge
Deployment
In-Efficient at Scale w/o Sessionization
Radius Server-Farm 1 Radius Server-Farm 2
X
802.1X Authentication Must have profiling replicated
To the box making the decision
Network Device Before the decision is made
How busy are boxes?
Will replication happen fast enough?
Too many unknowns!!!!
Deployment
Efficiency w/ URL-Redir & Sessionization
Radius Server-Farm 1 Radius Server-Farm 2
Posture/Profiling is sent to
802.1X Authentication The PSN that owns the login
Automatically no replication
Race-conditions exists & no
Network Device
Replication needed.
MAC Authentication Bypass (MAB)
MAB is NOT A
STANDARD!
Deployment
ISE and Endpoint Lookup

• ISE maintains a separate User and Endpoint
“store”.
• User store may be queried at any time.
• By default: endpoint store may only be accessed if

the incoming request was identified as a MAB.
(Service-Type = Call-Check)
• ISE also ignores the u-name/pwd fields, but uses the
calling-station-id (mac-address of the endpoint)
• Why?
• Security! Before this, malicious users would be able to put
a mac-address into the username & password fields of
WebAuth (or non-Cisco switches even in the supplicant
identity).
Deployment
Why Restrict MAB to Calling-Station-ID?

uname: 11:22:33:44:55:66 | pwd 11:22:33:44:55:66
Internal ID’s
Mix of Users &
Endpoints
11:22:33:44:55:66
11:22:33:44:55:66
Note: Possible to configure

supplicant for same thing!
Deployment
Cisco MAB – MAC Authentication Bypass

Users Endpoints
= MAB
= MAC
Deployment
ForYour
For Your
MAB Compatibility Settings Reference

Reference
• ISE 1.2 included changes for Non-Cisco device (3rd Party MAB) handling
• Relevant for PAP, CHAP and EAP-MD5
• Identity (User-Name) = MAC Address
• Check Password
• Checking of the trivial MAB password authenticates the sending network device where
Password = User-Name = MAC address
• Check Calling-Station-Id equals MAC address.
• When Calling-Station-Id is being sent, keep this check enabled as an extra safeguard.
Deployment
MAB Settings Reference ForYour

For Your
Reference
Reference
Process Host Lookup Used for mac-auth bypass of Cisco devices. Will allow User-Name
lookup of a MAC address in the endpoints store. It will also check that
RADIUS:
• Calling-Station-Id equals MAC address
• Service-type equals Call-Check
Detect <protocol> as Host Used for mac-auth bypass of non-Cisco devices. Will allow User-Name
Lookup lookup of a MAC address in the endpoints store.
Check Password Checking of the trivial MAB password authenticates the sending
network device. Disabling this setting is not recommended.
Password format The default setting “%User-Name%” uses the MAC address in the
User-Name, as the password to check. Only modify if the network
device adds other characters to the password, e.g. “.%User-Name%.”
shows the User-Name with periods (full stops) on either side.
Check Calling-Station-Id When Calling-Station-Id is being sent, keep this check enabled as an
equals MAC address extra safeguard.
Deployment
ISE 1.2-1.4 Method for 3rd Party MAB

• Many 3rd parties use Service-Type
= Login for 802.1X, MAB and Cisco
WebAuth
• Some 3rd Parties do not populate
Calling-Station-ID with MAC
address.
• With ISE 1.2, MAB can work with
different Service-Type, Calling- 3rd Party
Station-ID values, and “password”
settings.
Recommendation is to keep as many checkboxes

enabled as possible for increased security
Deployment
Setup a Policy Set for 3rd Party NADs
Create a separate Policy Set for 3rd

Party devices – to keep a clean
policy table and separate unrelated
policy results
Use Network Device Groups to

make the distinction
3rd Party MAB Authentication Policy Deployment
ISE 1.2-1.4 Example
Deny non-matches
Network Device Group =

“Third Party”
For “better” security, lock PAP &

CHAP into MAB lookups
(Internal Endpoints)
All other authentications are sent to

an Identity Sequence
(Internal Users > Guest > AD)
Deployment
Third Party Vendors VSA Attributes

Available Since ISE 1.0
• You may import other RADIUS Dictionaries into ISE:
Policy > Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors
FreeRADIUS
dictionaries work
https://github.com/FreeRADIUS/freeradius-server/tree/master/share
Deployment
Authorization Profiles for Third Party ForYour

For Your
Reference
Reference
Go to “Advanced
Attribute Settings” to
use the 3rd Party
Dictionaries
MAB and VSA Support Matrix All data subject to vendor hardware/software
versions!
ForYour
For Your
Service- CID = Reference
Reference
Vendor PW=UN? ACL VLAN Redirect CoA
Type MAC?
Alcatel Wired Call-Check N Y (CHAP) None Alcatel-Lucent:Alcatel-Auth-Group Dynamic N
Alcatel Wired Call-Check Y Y Filter-Id = Universal IETF Dynamic Y (3576)

(OmniSwitch docs) Network Profile (UNP) (Alcatel-Redirect-URL)
Aruba Wireless Login Y (PAP) N Aruba:Aruba-User-Role Aruba:Aruba-User-Vlan Static Y (3576)
Aruba Wireless Call-Check Y N Aruba:Aruba-User-Role Aruba:Aruba-User-Vlan Static Y (3576)

(6.4.2.5+)
Avaya/Nortel Wired Login N N ? IETF ? ?
Cisco Wired Call-Check Y N dACL/Filter-Id/inacl IETF Dynamic Y
(Nas-Filter-Rule?) (3576/Cisco)
Cisco Wireless Call-Check Y N Airespace:Airespace- IETF / Airespace-Wlan-Id Dynamic Y
ACL-Name (3576/Cisco)
HP (ProCurve) Wired Framed / ?/Y ?/Y Filter-Id / Nas-Filter- IETF Static Y (3576)
Call-Check (CHAP) (CHAP) Rule
HP (H3C) Wired Call-Check N(CHAP) Y (CHAP) None IETF None Y (3576)
(Y-PAP) (N-PAP) (Filter-Id) (Static but unworthy)
HP (H3C) Wireless Call-Check Y (PAP) N None IETF Dynamic Y (3576)

Juniper EX Wired Login Y Y IETF Filter-Id IETF Static Y (3576)
Motorola Wireless Framed Y (PAP) N None IETF Dynamic Y
(3576/Cisco)
Ruckus Wireless Framed Y (PAP) N None IETF
© 2016 None Y (3576)
Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE 2.0+ & 3rd Party NADs
How Does Cisco Deviate from Standards? Deployment
ForYour
For Your
Reference
Reference
• Session ID -> IETF RADIUS Accounting Session ID (RFC 2866)
• Cisco supports both RFC 2866 and Cisco Audit Session ID
• URL Redirection/Captive Portal -> NO STANDARD, BUT…
• ISE 2.0 supports specific vendor implementations of URL Redirection
• Different Methods used by Cisco and 3rd-party vendors:
• Redirect as a RADIUS Authorization (Cisco, Motorola)
• Local NAD Redirect (Cisco-LWA, Aruba, HP, others)
• L3/Inline device (Cisco NAC Appliance, WSA, IOS/ASA Auth Proxy, IPN)
• DHCP/DNS sinkholes (PacketFence)
• CoA -> IETF RADIUS CoA (RFC 3576 -> 5176)

• Cisco CoA “pre-standard” before 2.0. ISE 2.0 adds support for RFC 5176 and
configurable CoA port
• Note that many Cisco NADs already support RFC 3576 / 5176)
• MAB -> NO STANDARD, BUT…

• ISE 1.2 supports different vendor implementations of MAB
• ISE 2.0 includes pre-built profiles for different vendor implementations of MAB
Deployment
How Does ISE 2.0 Deviate from Standards? ForYour

For Your
Reference
Reference
Feature/Function Cisco Compliance with Standard

IETF RADIUS AAA Yes
3rd-Party RADIUS Dictionaries Yes
(ISE 2.0 includes many 3rd-party dictionaries out-of-the-box)
IETF RADIUS Session ID Yes
IETF RADIUS CoA Yes
(ISE 2.0 adds RFC 5176 support)
IEEE 802.1X Yes
URL Redirection / Captive Portal No Standard
(ISE 2.0 Phase 1 supports specific vendor implementations)
MAC Authentication / MAC Auth No Standard
Bypass (MAB) (ISE 1.2 supports different vendor implementations)
NAD Profiles
Deployment
3rd Party Work Flow ForYour

For Your
Reference
Reference
NAD Profile
Dynamic MAB VLAN
ACL
Smart Policy Eval
URL Redirect
Attribute Aliasing COA
Deployment
3rd Party Work Flow • Lookup NAD profile

for access device
• Dynamically match
auth flow (MAB,
PSN
802.1X, Web Auth)
• Match conditions on
NAD Profile user-friendly names
(attribute aliases).
• Smart policy applies
policy according to
Common or Vendor- NAD’s capabilities
Specific permissions:
• VLAN
• ACL
• URL-Redirect
• CoA
Network Device Profiles Deployment
Ready-to-Use 3rd-Party Packages
Create new profiles “from scratch” or duplicate existing

Import/Export simplifies sharing of custom profiles
NAD Profiles Deployment
Protocols and Dictionaries
• Define Protocols
and Services
supported by NADs
using this profile
• Specify Vendor and
select all relevant
dictionaries
• IETF RADIUS
dictionary included
by default
• Optionally change
icon associated to
vendor/profile.
NAD Profiles Deployment
Templates Define NAD Characteristics, Capabilities and Feature Support
RADIUS Attributes that Define MAB/1X/Web Flows

Attribute Aliases
MAB Lookup Settings
RADIUS Authorization Attributes – VLAN / ACL
CoA Type, Port, Timers for Disconnect/Reauth/Push
URL Redirect Type (Static/Dynamic) and URI Format
Generate new policy elements based on profile
Summary of Feature Support
3rd-Party NADs – Supported Features Deployment
ForYour
For Your
Features Vary By Vendor, Platform, and Versions ! Reference
Reference
• AAA  Posture
• 802.1X (since 1.0)
 BYOD
• MAB (since 1.2.)
• LWA to local portal (since 1.0)  Device registration
• CoA  Supplicant Provisioning
• Profiling (with CoA)  Certificate Provisioning
• Guest  Self-Service device management

• Hotspot (MyDevices)
• Central Web Authentication (CWA)  Single/Dual SSID
• Sponsored guest flow
• Self-Registration guest flow  TrustSec
• ISE hosted portals  Dynamic SGT and SXP Listener
Deployment
2.0 Vendor Test Results ForYour

For Your
Reference
Reference
Supported / Validated use cases

Vendor Verified Series Tested Model / CoA Profiler Posture Guest
Firmware /BYOD
Aruba Wireless 7000, InstantAP 7005-US/6.4.1.0 ✔ ✔ ✔ ✔
Motorola Wireless RFS 4000 Wing v5.5 ✔ ✔ ✔ ✔
HP Wireless 830 (H3C) 8P/3507P35 ✔ ✔ ✔ ✔
HP Wired HP 5500 HI Switch A5500-24G-4SFP
✔ ✖ ✖ ✖
Series (H3C) HI/5.20.99
HP Wired HP 3800 Switch 3800-24G-POE-2SFP
Series (ProCurve) (J9573A) ✖ ✖ ✖ ✖
KA.15.16.000. 6
Brocade Wired ICX 6610 24/08.0.20aT7f3 ✔ ✔ ✖ ✖
Ruckus Wireless ZD1200 9.9.0.0 build 205 ✔ ✔ ✖ ✖
Additional 3rd party NAD Support: ✔ Requires Requires Requires
CoA CoA & url- CoA & url-
 Requires identification of device properties/capabilities and to creation of a support redirect redirect
custom NAD profile in ISE. More detailed guide to be published. support support
ISE 2.1 – DNS Sinkhole for NADs
that Don’t Support the URL Redirect
Deployment
ISE 2.1 Adds DNS Sink-Hole Mechanism

• DNS and DHCP Services Added to ISE
• Initial Authentication (MAB or Dot1X) Lands in “Auth VLAN”
• DHCP from ISE
• Assigns ISE as DNS Server
• ISE Resolves Every DNS Request w/ It’s own IP Address
• HTTP/S Requests Sent to ISE
• ISE Redirects to CWA/BYOD/etc. Portal
• RADIUS or SNMP CoA Used to Change VLAN to Final / Correct VLAN

• Corporate DHCP Assigns True IP & DNS Server
Auth VLAN Flow Deployment
PSN Corp
Guest DHCP/ Portals /
DNS RADIUS
NAD
PSN
Connected
MAB or 802.1X RADIUS Authentication ISE stores the Web Portal
Details on the User’s
Authentication Unknown Endpoint Session in Session Cache.
phase
RADIUS: Access-Accept
Auth VLAN Applied
Auth VLAN
Limited Access
DHCP Discover
Assign IP Address.
DHCP Add to DHCP Binding Table
phase DNS = ISE PSN Itself
DHCP Offer: IP Address & Options Assigned by ISE
DNS DNS Query: www.bing.com

Address = External Domain
phase Respond with ISE IP Address
DNS Response: ISE PSN IP Address
HTTP/S Get – ISE PSN IP address

Auth VLAN Flow – Con’t Deployment
PSN Corp
Guest DHCP/ Portals /
DNS RADIUS
NAD
PSN
HTTP/S Get – ISE PSN IP address Lookup IP in DHCP Bind

Lookup MAC by IP
Session Lookup SessionID by MAC
Lookup & Portal is Part of Session
HTTP 302 Page Moved: Redirect to Guest Portal URL
Redirection
Web Authentication Process Guest User Authorized

Add info to Session
Send CoA
RADIUS or SNMP Change of Authorization (CoA)
RADIUS Account-Request (Stop) Session-Stitch Timer

Begins
CWA / Guest
Flow MAB or 802.1X RADIUS Authentication
Authorization Policy Lookup
Final AuthZ Profile Identified
RADIUS: Access-Accept
Final VLAN Applied
Guest VLAN
Normal Guest Access
HTTP/S Get – ISE PSN IP address
Meraki Wireless
Integration Update
No Longer a
“3rd-Party NAD”!
Deployment
Old New ForYour
For Your
ISE
Reference
Reference
Feature
Support
 Wireless
Platforms Only!
 Available for
beta Now!
 Please request
from your
Meraki SE/
support team
Deployment
So Which Flows are Supported?

• Basic and Advanced Guest
• HotSpot
• Self-Registration
• Sponsored
• BYOD
• Posture
• MDM
• Essentially anything requiring URL Redirection with ISE
Deployment
CWA Support in Meraki

• CWA Requires:
• RADIUS CoA
• URL-Redirect
MAB
• SSID Types:
• Wireless MAB 802.1X
• Wireless 802.1X
• Select ISE for Splash page
Specify ISE Auth

and Redirection
Deployment
CWA Support in Meraki

• What about the Redirect ACL?
• Not needed!
• Meraki will ignore the attribute from ISE
• Configure “Walled Garden“ in Meraki
Wireless clients will have

access to these servers
before authentication
Deployment
ForYour
For Your
What About ISE Configuration? Reference

Reference
• Use Cisco NAD Profile

• Redirect ACL ignored
• Static URL not required
• Can use default ISE conditions in Auth Policy
Deployment
Meraki Integration
Resources
• Integrating Meraki Networks with
Cisco Identity Services Engine:
http://www.cisco.com/c/dam/en/us/td/docs/sec
urity/ise/how_to/HowTo-86-
Integrating_Meraki_Networks.pdf
• ISE/TrustSec How-To Guides:

http://www.cisco.com/c/en/us/support/security/i
dentity-services-engine/products-
implementation-design-guides-list.html
• Put your untrusted clients on ISE

(Meraki Blog Post):
https://meraki.cisco.com/blog/2016/04/put-
your-untrusted-clients-on-ise/
Agenda
• Introduction
• Conclusion
BRKSEC-2132 What's
new in ISE Active
Directory connector
Active Directory Best Practices

Thanks to: Christopher Murray
Active Directory
What would make your life easier? BRKSEC-2132 What's

new in ISE Active
Directory connector
• Having worked on 100’s of cases
• Majority of AD ones were environment
• I was thinking what would be the best
piece of advice?
• AD and its dependencies are complex with

many variables…
Agenda
• Introduction
• Conclusion
Serviceability: ISE 1.3+
Serviceability
Serviceability User Stories
To make ISE easier to troubleshoot
To make ISE easier to deploy
To make ISE easier to use

Our Goal… Always:
Serviceability
See NW Blog for More Serviceability
Serviceability
ForYour
For Your
Tree View Reference

Reference
AuthC
Protocols
Identity
Store
Serviceability
ForYour
For Your
Tree View Reference

Reference
AuthC
Protocols
Serviceability
Filters in Live Log & Live Sessions ForYour

For Your
Reference
Reference
At Long Last! Regex in Filters
Serviceability
Right Click in Live Log & Live Sessions ForYour

For Your
Reference
Reference
Adds Right-Click > Copy for the Endpoint ID & Identity Fields in Live Log
Serviceability
Debug Endpoint
• Creates debug file of all
activity for all services
related to that specific
endpoint
• Executes and stored per
PSN
• Can be downloaded as
separate files per-PSN
• Or Merged as a single file
Serviceability
Bypass Suppression From Live-Log
• Ensures that all Activity

for Endpoint shows in
Live Log
• Removes Endpoint from
“Reject Anomalous
Endpoints” Conviction
• SOOOO USEFUL!!
Serviceability
Off-Line Examination of Configuration ForYour

For Your
Reference
Reference
Exportable Policy
Quick Link to
Export Page
Serviceability
ForYour
For Your
Exports as XML Reference

Reference
Serviceability
VMWare OVA Templates!

• MisConfigured VMWare is Root Cause of WAY Too Many TAC Cases
• We have supported OVA Templates
• Ensures customers will not mis-configure their VMWare settings
• Preset: Reservations, vCPU’s, Storage
BRKSEC-3699 BRKSEC-2059 Deploying

Designing ISE for ISE in a Dynamic Public
Scale & High Environment
Availability (Thurs 8:00 am)
(Thurs 8:00 am)
Serviceability
Set Logging Levels to Default ForYour

For Your
Reference
Reference
Serviceability
Test Repository from GUI ForYour

For Your
Reference
Reference
Serviceability
Test Button for Feed Service ForYour

For Your
Reference
Reference
Serviceability
Certificate Details
See Complete Chain
Certificate Status
Scroll Through Details
Serviceability
Certificate View showing incomplete trust chain
Serviceability
Certificate View showing certificate expiration warning
Serviceability
Cisco
Support Tunnels
Customer Location
s.tunnels.ironport.com
Bastion
Internet
Internal
tunnels.ironport.com
Enable Tunnel SSH to Tunnels Server
Set Key
SSH Tunnel established to Cisco Datacenter
Establishes
Session
SSH and Port Forwarding for HTTPS

ISE Admin TAC Engineer
Serviceability
Support Bundle Encryption w/ Cisco PKI

Enables Faster Automation for TAC Case Diagnostics
• TAC has Automation Tooling in Place
• Enables Faster Root Cause Analysis
• Identifies Many Common Issues & Provides Suggestions for Remediation
• Problem: Customers can Pick their Own Encryption Key

• Often do not Tell TAC, or Forget the Key
• So, the Bundle Cannot be Decrypted
• Days of Wasted Time
• Resolution: Use Cisco PKI to Encrypt the Bundle Instead

• Can only be Decrypted by Cisco
Serviceability

Enables Faster Automation for TAC Case Diagnostics
Customer Location
Internet
TAC Automation
Server
Create the
Bundle Customer Uploads the Bundle to the TAC Case
Bundle is Automatically
Decrypted and Analyzed
The Automation Tool Does it’s

Job, No Human Interaction
Needed
ISE Admin
Serviceability
Agenda
• Introduction
• Conclusion
Upgrade Tips from the Field
Jesse Dubois Vivek Santuka
TAC - Leader Field Engineer
Upgrade
Upgrade Tips from the Field
Test in Lab First
Only Upgrade What you Must
Reinstall the Rest

Test in a Lab First
Backup / Restore to a “Test” Node
Verify the Upgrade
Can Do Outside of Change Window
Upgrade
Upgrading ISE to 1.4

• Cisco ISE, Release 1.2 patch 14 or later
• Cisco ISE, Release 1.2.1 patch 5 or later
• Cisco ISE, Release 1.3 or later
PAN PAN
PAN1 PAN2
MnT MnT
MNT1 MNT2
PSN PSN PSNs**
Upgrade
Step 1: Upgrade S-PAN First, then S-MnT

New 1.4.0
Existing “Cube” Cube
PAN PAN
PAN2
PAN1 PAN2
MnT MnT
MNT2
MNT1 MNT2
PSN PSN PSNs**
Optional
Upgrade
Step 2: Install Patch on PAN & MnT + TEST

New 1.4
Existing “Cube” Patched Cube
PAN
PAN2
PAN1
MnT
MNT2
MNT1
PSN PSN PSNs**
TEST, TEST, TEST
Upgrade
Do your Post Upgrade Procedures from Install Doc

http://www.cisco.com/c/en/us/td/docs/security/ise/1-
3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_13_chapter
_0100.html
Upgrade
Step 3: Install ISE 1.4 Cleanly on PSN2

1.4 Standalones New 1.4
PAN
PAN2
PAN1
MnT
MNT2
MNT1 Install Patch
Before you Join
PSN PSNs** To Cube
*Don’t allow PSN2 to receive RADIUS yet

Upgrade
Step 4: Join the PSN to the new Cube

PAN
PAN2
PAN1
MnT
MNT2
MNT1
PSN PSNs**
*Join PSN to Domain after it joins the Cube

Upgrade
Step 5: Join the PSN to the new Cube

PAN
PAN2
PAN1
MnT
Install Patch1
MNT2
Before you Join
MNT1
To Cube
PSN PSNs**
*Don’t allow PSN1 to receive RADIUS yet BRKSEC-3697 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 261
Upgrade
Guest Upgrade/Migration
Upgrade
FOR YOUR REFERENCE

Upgrade/Migration Experience
• HTML/CSS/Logos are copied to the upgraded portal directory

• Images: /portals/<portal_id>/images
• CSS: /portals/<portal_id>/custom
• HTML: /portals/<portal_id>/custom
• References within HTML files have to be updated to new directory
structure
• If problem with migration due to advanced customization or referencing
another flow or file path then will need to build a new portal in 1.3
Upgrade
Upgrade/Migration Experience – Migrated Portal
Upgrade
Upgrade/Migration Experience FOR YOUR REFERENCE
• Previous customized HTML pages are copied in as an existing portal

• Pages that are migrated are not accessible for further edits
• Outside of upgrade process, no tools to export/import old HTML pages
• To edit an HTML portal that has been migrated, you will need to be
rebuild into new portal and format (read-only)
Upgrade
Best Practice for 1.2.x (or below)

• Create brand-new Portals in 1.3+
• Cut over the redirect to the new portal when ready
• Nuke the older portals from orbit
Upgrade
FOR YOUR REFERENCE

Key Migration Concepts
1. Not all 1.2 values have an equivalent setting in 1.3
2. New 1.3 items that don’t have a 1.2 equivalent will be set to default values
3. 1.3 Guest Types ~= 1.2 Guest Roles + 1.2 Time Profiles
4. AD Sponsor Group members mapped to 1.3 GUID after admin rejoins AD
5. Guest User Time Zones are input to 1.3 Global Location Settings
6. No 1.2 SSID information is ported to 1.3
7. 1.3 Password Policies have separate lower and upper Alphabetic options
8. Optional Data fields under Guest Details Policy migrated to Global Custom Fields
9. Authorization Profiles: url-redirect format changed (hotspot)
10. Authorization Policy: Addition of new Guest Type Identity Groups for existing Identity
Group for a policy
ISE 2.0+
Better
Upgrades!
Upgrade
New Upgrade
Upgrade
New Upgrade
Upgrade
New Upgrade
Upgrade
New Upgrade
Upgrade
New Upgrade
Pro Tip:
Combining AND & OR
Policy Tips & Tricks
Combining AND with OR in AuthZ Policies
Cannot
Mix??

Advanced Editing
Advanced Editor

Advanced Editing
Simple Conditions
Pro Tip:
WLC Best Practices
Tips & Tricks
Network Device Versions
• TAC Recommended AireOS

https://supportforums.cisco.com/document/12481821/tac-
recommended-aireos
• Switches
• Use ISE compatibility matrix along with recommended CCO switch versions.
• http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-
device-support-tables-list.html
BRKSEC-2059 Deploying
ISE in a Dynamic Public
< Excellent Detail on
Environment the Wireless Settings
(Thurs 8:00 am) Best Practices
Tips & Tricks
WLC Recommended Configuration ForYour

For Your
Reference
Reference
 Do not configure interim accounting to ISE servers

 Interim accounting set by default when needed by ISE
 Increases load with no added benefit
 Pre 8.0 leave the interim accounting setting disabled
 Post 8.0 check the interim accounting box with a timer of 0 seconds
 Use public certificates on ISE and WLC Virtual IP to reduce client messaging.
 When using an Anchor/Foreign Setup do not configure AAA on the Anchor
Controller.
BRKSEC-2059 Deploying
ISE in a Dynamic Public
< Excellent Detail on
Environment the Wireless Settings
(Thurs 8:00 am) Best Practices
Tips & Tricks
Recommended WLC Timers ForYour

For Your
Reference
Reference
 Idle timeout: Leave global at 300 seconds, Open networks 300 seconds, Dot1x
networks 3600s can be used
 Client Exclusions: Enable them and set for 180 seconds
 Session Timeout: Set it per security policy preferably 7200+ seconds
 Aggressive Failover: Disabling reduces load on ISE but can increase failover times
 Configure Fast Secure Roaming to reduce RADIUS load during roam
 Advanced EAP Timers:
 config advanced eap identity-request-timeout 3
 config advanced eap identity-request-retries 10
 config advanced eap request-timeout 3
 config advanced eap request-retries 10
Agenda
• Introduction
• Staged Deployments (Time Permitting)
• Conclusion
Public ISE Community
• Public ISE Community: http://cs.co/ise-community

• Monitored and Responded to by TME’s on my Team
• Ask Questions There
• Get Answers by Cisco Experts & Partners
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Shameless Plug
Recommended Reading
• Buy our book, help us afford more beer!
http://amzn.com/1587144263 http://amzn.com/1587143259
Security Joins the Customer Connection Program
Customer User Group Program
19,000+
Members
• Who can join: Cisco customers, service Strong
providers, solution partners and training partners
• Private online community to connect with Join in World of Solutions
peers & Cisco’s Security product teams
Security zone  Customer Connection stand
• Monthly technical & roadmap briefings via
WebEx  Learn about CCP and Join
 New member thank-you gift*
• Opportunities to influence product direction  Customer Connection Member badge ribbon
• Local in-person meet ups starting Fall 2016

Join Online
• New member thank you gift*
& badge ribbon www.cisco.com/go/ccp
when you join in the Cisco Security booth
Come to Security zone to get your new member gift*
• Other CCP tracks: Collaboration & Enterprise and ribbon
Networks
* While supplies last
Please Fill Out The Survey!
Complete Your Online Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 Amazon gift card.
• Complete your session surveys
through the Cisco Live mobile
app or from the Session Catalog
on CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available

for viewing on-demand after the event at
CiscoLive.com/Online
Please join us for the Service Provider Innovation Talk featuring:
Yvette Kanouff | Senior Vice President and General Manager, SP Business
Joe Cozzolino | Senior Vice President, Cisco Services
Thursday, July 14th, 2016

11:30 am - 12:30 pm, In the Oceanside A room
What to expect from this innovation talk

• Insights on market trends and forecasts
• Preview of key technologies and capabilities
• Innovative demonstrations of the latest and greatest products
• Better understanding of how Cisco can help you succeed
Register to attend the session live now or

watch the broadcast on cisco.com
Thank you

Brksec 3697 PDF

Uploaded by

Copyright:

Available Formats

Brksec 3697 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brksec 3697 PDF

Uploaded by

Copyright:

Available Formats

Advanced ISE Services,

Tips & Tricks

Web voting Text voting

- Gny. Sgt. Hartman - Full Metal Jacket, 1987

*Balance of Technical Bits & Bytes Without “Brain-Frying”

“If we can’t laugh

PSOSEC-2009- ISE 2.0 BRKSEC-2695 - Building an BRKSEC-2059 Deploying

BRKCRS 1449 BRKCRS-2893 BRKSEC-2203 BRKSEC-3690 BRKSEC-2026 -

Look for this “For Your Reference”

There is a tremendous amount of

**~100 Slides in PDF

What is an X.509 Certificate Reference

• A Certificate is a signed document…

What is the purpose of an X.509 Certificate? Reference

Who is What is WebSite

Contains the Public Key for Encryption

Other Usages of X.509 Certificates Reference

Server Client Key Cert …

ISE and Certificates: Multiple Identities ForYour

EAP-Request/PEAP RADIUS Access-Challenge

Managing Local Certificates ForYour

• Generate CSR PAN’s

• Generate CSR for

Centralized Certificate Management in 1.3+

Manage System Certificates ForYour

Certificates your ISE Cube will “Trust” ForYour

• Trust for EAP, MDM, etc.

Trusted Certificates Reference

• In 1.3+, trusted certificates have a new “Trusted For” attribute.

System Certificate Roles – ISE 1.3+ ForYour

EAP EAP Authentication 1 Yes No1

• ‘Admin’ cert is the server cert for the Admin Console

ISE 1.3: Multiple Web Portals ForYour

Each Portal Could Use A Different Certificate

Problem: Assign Certificate on All PSNs to Portal?

• New UI Paradigm with ISE 1.3 is to

Solution: Portal Certificate Group Tag Reference

• Portal Certificate Group Tag provides a solution to configure node-specific

Node 1 – Pri Admin, M&T and PSN Portal Configuration

Root  Sub  ISE

Pro Tip: Always Add the Root & Sub CA’s

PEM versus DER

Joining an ISE Cube: Mutual Trust Required ForYour

• In order to join an ISE node to an

PAN PSN PSN

Trusted Certs Trusted Certs

Joining an ISE Cube: Mutual Trust Required ForYour

• In order to join an ISE node to an

• Then you upgrade all Certs PSN2

Joining an ISE Cube: Mutual Trust Required ForYour

• In order to join an ISE node to an

• Then you upgrade all Certs PSN2

Simple URL for My Devices & Sponsor Portals

ISE Certificate without SAN

http://sponsor.company.com DNS Lookup = sponsor.company.com

DNS Response = 10.1.99.5 100.1.100.5

ISE Certificate with SAN

http://sponsor.company.com DNS Lookup = sponsor.company.com

DNS Response = 10.1.99.5 100.1.100.5