ISE_Training

Ise pdf

Uploaded by

Kamalika Bhowmik

ISE Training

Cisco TAC BN Team Liu Yang


Why Migrate to ISE

• Existing ACS customers who require posture, profiling or guest services
• Existing NAC customers looking for 802.1X port-level controls and advanced authorization controls (e.g. SGA)
• Existing NAC Profiler customers who require additional capacity

Migration Offer

• NAC 3315/55/95 and ACS 1121 appliances can be reimaged to support ISE. Older appliances (NAC 33x0 platforms, NAC 3140 and ACS 1120) cannot. Customers with these older appliances qualify for discounted appliance migration SKUs (and yes, they get to keep their older appliances).
• Existing ACS and NGS customers are entitled to any number of Base Migration Licenses (50% discount over the list price of Base Licenses).
• Existing NAC and NAC Profiler customers are entitled to an Advanced Migration License (3 YR) based on the total number of NAC and/or Profiler Licenses, at $0.
• Existing support contracts transition to an ISE support contract, prorated.
Physical Appliance SKUs
• ISE-3315-M-K9
• ISE-3395-M-K9
• ISE-3355-M-K9

Virtual Appliance (VM) SKUs
• ISE-VM-M-K9=
• ISE-5VM-M-K9=
• ISE-10VM-K9=

VMware ISE-VM-K9 requirements
• CPU—Intel Dual-Core; 2.13 GHz or faster
• Memory—4 GB RAM
• Hard Disks (minimum allocated memory):
  – Stand-alone—200 GB
  – Administration—200 GB
  – Policy Service and Monitoring—200 GB
  – Monitoring—200 GB
  – Policy Service—60 GB
  – For an evaluation or production version, the minimum disk space is 60 GB.
  Note: Cisco does not recommend allocating more than 600 GB maximum space for any node.
• NIC—1 GB NIC interface required (you can install up to 4 NICs)
• Supported VMware versions include:
  – ESX 4.x
  – ESXi 4.x
  – ESXi 5
ISE Packaging and Licensing

ISE Base License
• Base Feature Set
• Perpetual Licensing
• Authentication / Authorization
• Guest Provisioning
• Link Encryption Policies

ISE Advanced License
• Advanced Feature Set
• 3 / 5 Year Term Licensing
• Device Profiling
• Host Posture
• Security Group Access

Appliance Platforms
Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance

Note: Advanced License does not include Base

ISE Wireless License

Wireless Package: Policy for Wireless Endpoints, 5 Yr Term Licensing

Base features included
• Authentication / Authorization
• Guest Provisioning
• Link Encryption Policies

Advanced features included
• Device Profiling
• Host Posture
• Security Group Access

Platforms
Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
Advanced + Base License
• Default Customer Offer
• Common policy across Wired, Wireless, and VPN
• Advanced capabilities

Wireless License
• Customer wants base and advanced functionality only for wireless endpoints
• Looking for lower cost solution

Base License
• Customer wants basic authentication
• Customer wants only “Base” features

http://wwwin-tools.cisco.com/SWIFT/SLT/viewIntPubKeyGen.do?subGroup=POSITRONFEAT&keytype=PUBLICINTERNAL

Description | Maximum
Max Concurrent Endpoints per ISE Instance | 100,000
Max Policy Service Nodes per ISE Instance | 40 (Currently Tested)
Max Inline Posture Service Nodes per ISE Instance | No Hard Limit
3315 Policy Service Node Running All Services* | 3,000 Devices
3355 Policy Service Node Running All Services* | 6,000 Devices
3395 Policy Service Node Running All Services* | 10,000 Devices
VM Running All Services (Same Spec as 3395) | 10,000 Devices
Single Server Running Admin/Policy Services/Monitoring Nodes | 2,000 Devices

* Potentially higher without Posture/Profiling

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
• The first step in the ACS policy flow was Access Service selection, or RADIUS Proxy Service, using the “Service Selection Policy”
• Each service has a protocols configuration and a set of policies (e.g. Identity and Authorization)
• Session processing happens within the scope of the selected Access Service and according to that service's configuration

[Diagram: ACS policy flow. The Service Selection Policy (SSP) sends a request either to RADIUS Proxy Servers or to one of Access Service 1 … Access Service N. Each Access Service holds its own Identity Policy, Group Mapping Policy, in some services an External Policy Check, and an Authorization Policy.]

• No more Access Services
• Global Authentication Policy (one set of rules)
• The authentication policy contains two phases:
  1. Protocols Selection – selection of the allowed protocols for the session
  2. Identity Selection – selection of the Identity Source (along with the advanced processing options)
  An outer set of rules selects the allowed protocols, and under each outer rule there is an additional set of inner rules for Identity Source selection
• Global Authorization Policy (one set of rules)

[Diagram: ISE policy flow. Within the Authentication Policy, Protocols Selection sends a request either to RADIUS Proxy Servers or to one of several Identity Selection rule sets (Identity Selection … Identity Selection); successful authentication is followed by the single global Authorization Policy.]
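The two-phase flow above, as an added example that is not code from the Cisco deck: a simplified Python model with first-match semantics, where an outer rule selects the allowed protocols, its inner rules select the identity source, and one global authorization policy runs after authentication. The rule names, the request attributes (`nas_type`, `protocol`, `user`), and the two identity stores are constructed for illustration and are not ISE's real data model or API.

```python
# Added example, not Cisco code: a simplified first-match model of the ISE-style
# policy flow (protocol selection -> identity selection -> global authorization).
# Rule names, request attributes and the identity stores are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Request = Dict[str, str]               # RADIUS-derived attributes, e.g. {"nas_type": "wireless"}
Condition = Callable[[Request], bool]


@dataclass
class IdentityRule:
    """Inner rule: selects the identity source for the session."""
    name: str
    condition: Condition
    identity_source: str


@dataclass
class ProtocolRule:
    """Outer rule: selects the allowed protocols and owns a set of inner rules."""
    name: str
    condition: Condition
    allowed_protocols: Set[str]
    identity_rules: List[IdentityRule] = field(default_factory=list)
    default_identity_source: str = "Internal Users"


@dataclass
class AuthzRule:
    """Rule of the single, global authorization policy."""
    name: str
    condition: Condition
    result: str


@dataclass
class Decision:
    protocol_rule: Optional[str] = None
    identity_source: Optional[str] = None
    group: Optional[str] = None
    result: str = "Reject"
    trace: List[str] = field(default_factory=list)


# Constructed identity stores (user -> group); real sources would be AD, LDAP, etc.
IDENTITY_STORES: Dict[str, Dict[str, str]] = {
    "AD_b.com": {"alice": "Employees", "bob": "Contractors"},
    "Internal Users": {"guest1": "Guests"},
}


def first_match(rules, request):
    """First-match semantics: the first rule whose condition holds wins."""
    return next((r for r in rules if r.condition(request)), None)


def evaluate(request: Request, protocol_rules: List[ProtocolRule],
             authz_rules: List[AuthzRule], default_result: str = "DenyAccess") -> Decision:
    d = Decision()
    # Phase 1: protocol selection (outer rules).
    outer = first_match(protocol_rules, request)
    if outer is None:
        d.trace.append("no protocol rule matched; session rejected")
        return d
    d.protocol_rule = outer.name
    proto = request.get("protocol", "")
    if proto not in outer.allowed_protocols:
        d.trace.append(f"{outer.name}: protocol {proto!r} not allowed; session rejected")
        return d
    # Phase 2: identity source selection (inner rules under the matched outer rule).
    inner = first_match(outer.identity_rules, request)
    d.identity_source = inner.identity_source if inner else outer.default_identity_source
    d.trace.append(f"{outer.name}: identity source {d.identity_source!r} "
                   f"({inner.name if inner else 'default inner rule'})")
    user = request.get("user", "")
    group = IDENTITY_STORES.get(d.identity_source, {}).get(user)
    if group is None:
        d.trace.append(f"user {user!r} not found in {d.identity_source!r}; session rejected")
        return d
    d.group = group
    # Global authorization policy, evaluated on the request plus the resolved group.
    authz = first_match(authz_rules, dict(request, group=group))
    d.result = authz.result if authz else default_result
    d.trace.append(f"authorization: {authz.name if authz else 'default'} -> {d.result}")
    return d


# Constructed policy: one outer rule per access medium, an inner rule for guest accounts.
PROTOCOL_RULES = [
    ProtocolRule("Wireless_Dot1X", lambda r: r.get("nas_type") == "wireless",
                 {"PEAP-MSCHAPv2", "EAP-TLS"},
                 [IdentityRule("Guest_Accounts",
                               lambda r: r.get("user", "").startswith("guest"),
                               "Internal Users")],
                 default_identity_source="AD_b.com"),
    ProtocolRule("Wired_Dot1X", lambda r: r.get("nas_type") == "wired",
                 {"PEAP-MSCHAPv2", "EAP-TLS", "EAP-MD5"},
                 default_identity_source="AD_b.com"),
]
AUTHZ_RULES = [
    AuthzRule("Employees_Full", lambda r: r["group"] == "Employees", "PermitAccess"),
    AuthzRule("Contractors_Restricted", lambda r: r["group"] == "Contractors", "Contractor_VLAN"),
    AuthzRule("Guests_Portal", lambda r: r["group"] == "Guests", "Guest_Portal"),
]


def decide(request: Request) -> Decision:
    return evaluate(request, PROTOCOL_RULES, AUTHZ_RULES)


if __name__ == "__main__":
    for req in ({"nas_type": "wireless", "protocol": "EAP-TLS", "user": "alice"},
                {"nas_type": "wireless", "protocol": "EAP-MD5", "user": "alice"},
                {"nas_type": "vpn", "protocol": "PAP", "user": "alice"}):
        d = decide(req)
        print(req, "->", d.result, "|", "; ".join(d.trace))
```

The `trace` list mirrors what you would look for in the rule-evaluation logs: which outer rule matched, which identity source was chosen, and which authorization rule fired. A request whose protocol is outside the matched outer rule's allowed set, or whose user is absent from the selected store, never reaches authorization, which is why a missing outer rule for a new access medium (the `vpn` request above) shows up as a reject rather than a fall-through to the default authorization result.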

[Diagram: lab topology with hosts 10.75.61.250, 10.75.61.220 and 10.75.61.249]

1. ISE 10.75.61.250
   SSH username: admin, password: Payton123
   GUI username: admin, password: Cisco123
2. AD b.com 10.75.61.220
   RDP username: administrator, password: Cisco123
3. DOT1X client Win7
   On 10.75.61.200, username: administrator, password: CisCo@123
   VMware favorites: TestPCWIN7245-ISE-Training
4. C3750 console 10.75.60.10 : 2029
   telnet 10.75.61.249, username: cisco, password: cisco

• For expert debug details, the following debug logs can help developers with troubleshooting:
• prrt.log replaces acs-runtime.log from ACS – it has the same messages (without the rule engine)
• ise-psc.log (component epm-pip) provides details on rule evaluation
• ise-prrt.log provides details on the runtime JNI
• catalina.out can provide details about errors in the initial policy configuration (less relevant for runtime)

