- Hey, welcome back. Sean Barnin
at LookingPoint. We help IT
organizations make decisions
across collaboration,
security and networking.
Today we are going to
be talking about ISE.
What it is, how you implement
it, and things to consider.
And this is the Tech Talk.
(upbeat techno music)
- We're back, and I am
here with my man, Dominic.
And we are talking about ISE.
Hey Dom, thanks for being here.
- Thanks for having me Sean.
- So let's start out, what is ISE?
- ISE is a network
admission control product.
It helps secure your
access networks in the same
kind of way that you'd want to secure your
perimeter network traditionally.
- And so if I was a customer
and I'm thinking about
securing my network even more I guess.
- [Dominic] Sure.
- What are some of the
benefits I get with ISE?
- ISE can authenticate everything
attaching to your network.
Your wired network, your wireless network,
your VPN access points.
So it gives you that
assurance that all the devices
on your network should be there, for one.
And then secondarily, you can go further
and you can inspect
what software is running
on those endpoints.
See what kind of endpoints they are.
And give you that visibility and control
over your access network.
- And so things like, if
I have a mobile device,
laptop, phones.
- Sure, yeah I mean you may
want your mobile devices
only to get out to the internet when they
attach to your corporate network.
Whereas your computers,
your domain join machines,
you want them to have full access.
You may want your HR
Department to have access
to some accounting servers that you don't
want your development
team to have access to.
So ISE will help you
institute those kind of
policies on your network.
- So policy enforcement, authentication,
identifying devices,
and controlling access.
- That's what it does.
- Okay. Beautiful.
So if I'm a customer, or I'm
just looking to implement
this technology, what
are some of the things I
should consider before implementing.
What are the things, is there readiness?
- Yeah, certainly there is readiness.
So ISE works hand in hand with
your network infrastructure.
Particularly, your wireless
system and your network
access switches.
So you want to make sure you're running a
recent-ish...
At this point in time, we
don't run into many customers
who don't have a network
infrastructure that's ready
to accept an application like ISE.
But there are some basic
things you want to check out
if you're still running some old,
like Cisco 3560 switches,
those gen-one 3750 switches,
you might want to take a closer look
at compatibility.
- So one of the things
we want to do in this
Tech Talk is cover ISE, what it is,
why you want it,
and talk about a basic
architecture, and things like,
if I was going to implement it, what that
architecture would look like.
So we can draw it up
here on the white board.
- Sure.
- And maybe step through
a couple scenarios.
- Sure, sounds good.
- All right, let's draw it up.
- Draw it up.
(slow techno music)
- So this is a diagram
that kind of illustrates
802.1X architecture within ISE.
ISE serves as your RADIUS
server in this picture here.
And you've got your access
networks that are hosted by
your wired switches.
These would be in your IDFs.
And then you might have
a wireless controller,
or these can be access
points if you're running
an autonomous wireless system.
And over here on the left hand side,
we have our end points that
are connecting to the network.
Here, we have a computer,
printer, and IP phone.
Some things we commonly
see on access networks.
So, one of the fundamental
use cases for ISE
is authentication to the network.
So we want to make sure that
the computers, printers,
and phones in this case,
are valid end points
that we want to connect to the network.
In order to authenticate
them, we use 802.1X.
So the endpoints talk
to the switches using
a protocol called EAP; we'll
forget about the details
for a second.
The switches proxy that
authentication information
to your RADIUS servers.
So ISE could live in a data
center across the WAN,
or you could put it local to
where your access networks
are at.
It doesn't matter.
RADIUS is a routed protocol, right?
So, these access switches and controllers
They're going to take those
credentials sent by your
end points connecting to the network.
They're going to forward them to ISE.
ISE is going to use a
robust policy engine,
to make a decision on
whether or not the end point
should get access to the network,
or a limited set of access to the network.
And for that purpose,
ISE integrates with identity stores.
So this most commonly is
Microsoft Active Directory.
Most of our customers
already have a pretty robust
security group architecture there.
All their users, when they get
onboarded, get put in the
appropriate groups.
ISE can leverage all of
that existing directory
structure to make decisions
about what devices
should be allowed on the network
and what level of access they
should get to that network.
- So let me ask you a question.
So these devices, the
switches, and the end points
will typically be in the same site, right?
- Correct.
- But, and I think you mentioned this,
ISE or RADIUS is a routed protocol,
so the ISE authentication
servers could be back in
a data center, or centrally managed
where you could have remote
offices with switches
and access points in the office.
These devices are
obviously in that office.
But they can still authenticate
back centrally to a
single ISE instance or
maybe a couple data centers.
- Absolutely.
- Okay, and then you mentioned
once they're authenticated,
what are some of the things
that we can do from an ISE
perspective?
Because you mentioned, limiting
access and things like that.
How does that work?
- There are a number of ways it can work.
It could be as simple as
ISE looks at what Active
Directory group you belong to.
And we can write a policy that says,
"this Active Directory
group gets this level of
access to the network".
We can use more advanced
techniques, like profiling.
ISE will take in metadata
about the endpoints
connecting to the network,
using attributes the endpoints
send in their DHCP requests,
using CDP information off the switches,
LLDP information off the switches.
And we'll attempt to
profile a device into being
a Windows 10 computer, being
a printer, a Ricoh printer.
And then you can write policies that say
"devices that look like a Ricoh printer
get this level of network access."
- It essentially makes the
network smarter by leveraging
some of the things the devices
share with the network,
and then we write policy around it.
- Yeah, and when we think about it,
there's so much information
that the network has access
to, that we just haven't used.
It's just been discarded.
ISE makes use of all that information
to determine what policy and what level
of access we want you
to have to the network.
- This is a great high level overview.
What's under the hood?
When we push policy to a switch,
is it using an ACL,
how does that get done?
Or is there multiple ways?
- Multiple ways of doing it,
and that is where the
generation of equipment
you have at your access
network plays a role.
The make and model play a role.
It can be as simple as
ISE instructing the switch
to put users on a different VLAN.
That's kind of the base case.
Any switch that supports 802.1X
will support a VLAN change.
And in that scenario the
access control will be
on the SVI on the network
that VLAN belongs to.
The ACL will be on the SVI.
More often we'll be pushing
policy down to the port
that the end points connecting to, right?
That's where we get
into micro-segmentation.
Micro-segmentation can
be done with an ACL,
so we just push your
standard, classic, ACL.
But instead of applying
it centrally to the
core switch on the VLAN,
we're going to apply
it to the port that the
end points are connecting to.
- Got it.
So you can have everyone
on the same VLAN,
but have different levels
of access to the network
based on the way they
were authenticated on ISE.
- Right, right.
One of the other ways
you can enforce policy
on the network is assigning tags.
Again, everyone can be
connected to the same VLAN;
instead of pushing an
ACL down to the port,
we're just going to push
a tag down to the port.
We're going to say the endpoint
connecting to this port
is in group one.
All right.
And we write a policy on ISE that says
"group one is allowed
to talk to group two,
using these ports and protocols."
No IP addresses at all,
anywhere in our policies.
So we use these tags to filter access.
Cisco refers to that as
their TrustSec architecture.
- Is that better because
its more scalable?
- Yeah, its easier to manage at scale
because we're no longer
dealing with specific
IP addresses per site, right?
One of the problems that
TrustSec was aiming to solve
was access list sprawl, right?
You turn up a new site
or a new data center,
now it has this new IP
range associated to it.
Now I've got to go back
through the whole enterprise
and I've got to update all
of my ACLs with the
information about this new IP range.
TrustSec solves that by
classifying things into groups.
We don't care about
the IP address anymore.
If you look, historically
IP address was just meant
to provide your location
on the network, right?
And where you can be
reached on the network.
We've overloaded the IP
address with your security
context as well, right?
Now your IP address is not
just where you're located
on the network,
but its also what you are
allowed to do on the network.
TrustSec kind of separates
that security context
from the IP address and puts
it into its own paradigm
using these security group tags.
- Got it.
So it's kind of separating
where you are from who you are.
- Exactly.
- Okay, great.
So now we covered the high
level ISE architecture,
how it works.
What about just covering
what a small deployment
would look like, maybe a
redundant small deployment?
We could go through something like that.
- Sure, let's draw it up.
- All right.
(calming music)
- All right, your ISE appliance can be,
you can have a single
ISE appliance to perform
network access control
for your entire network.
The limiting factor there
would be redundancy, right?
If that ISE appliance goes down,
your network access control
can be affected, right?
You can either fail open or fail closed.
That being said,
one ISE node can service your deployment.
And each ISE node runs
three distinct fundamental services.
So there's the PAN role,
Primary Administration Node.
That's where I'm going to
log in and do all of my
configuration as the
administrator to the system.
I am just interacting with this
service that ISE provides.
ISE also has a role called
monitoring and troubleshooting.
So this is the log collector, right?
So all of the authentications
that get processed
by ISE.
Everything that ISE does
results in a log that gets
sent to the ISE server
that is running the monitoring role.
If I'm logging into the PAN
and I'm looking through the logs,
the PAN is actually pulling
the log from the MnT service
on that node.
And then the workhorse of the ISE deployment
is the PSN.
That's the Policy Service persona.
This is the service that runs RADIUS
on those nodes.
In that previous diagram
where we were looking
at the network switches and
the wireless controllers
integrating with ISE through RADIUS,
This is the service that
they're integrating with.
- So the IP address of the ISE server that
is running this node
is where I point RADIUS
for those devices for authentication.
- You got it.
- So in a small deployment
at limited scale,
you can get away with one
node running all three
of these roles.
In Cisco's terminology they
call them personas, right?
So I may use that word interchangeably.
And then for redundancy,
you can add a second one
of these nodes, right?
And that would constitute
a small ISE deployment.
- Now how do they replicate information,
how does that work?
Is there a database sync?
- Exactly.
The database synchronization
occurs between
the ISE nodes, right?
And that all happens behind the scenes,
after you join the ISE
nodes to a deployment.
You really don't have to
worry about that anymore.
All of the policy that
you configure on the PAN,
over here,
gets replicated down to the PSNs.
In this case it's all one box,
so there is no real need for replication.
But when you have these
two nodes over here,
anything that you do on the
Primary Admin Node will
get replicated over
to your second node.
All of your policy configuration is
done from one place,
No matter how large
your ISE deployment is.
- And so when you point
your devices to the PSN,
it sounds like, also,
you could scale this out
and have multiple PSNs,
and maybe at a location,
those devices locally
could point to a local PSN.
- Yeah, good point.
Let's look at a larger ISE deployment.
See how these roles would separate.
(upbeat music)
So here we're looking at
a larger ISE deployment.
In this model, we distribute
those three core services
onto dedicated appliances, right?
So it's still all part of
the same ISE deployment,
and I'm still managing
the entire deployment from
the Primary Administration Node.
This is a little confusing,
this says PAN over here.
It's actually the Secondary
Administration Nodes,
in active standby.
So if the Primary Administration
Node were to fail,
the Secondary gets promoted.
And that's where you can log in and
do all your config changes.
So a common architecture that
we see for a large deployment
is we put our PAN and MnT nodes at
two different geo-locations
in the customer's network,
for fault tolerance reasons,
disaster recovery reasons.
And then the Policy Service Nodes,
these can be deployed anywhere
in the network, right?
These can be local to the site,
if you want to have local
authentication services.
You can have some deployed
at your data centers
to provide central
authentication services.
That's really where the
art of designing your
ISE system comes into play.
This solution can scale up to have fifty
dedicated Policy Service Nodes.
What that means in the end,
I think right now the current
scale is, ISE can support
somewhere along the lines
of five hundred thousand
endpoints connected
to a single deployment,
which really covers the use case for
most organizations.
- Some questions.
So all three
of these nodes are in
Data Center one,
and these three are in Data Center two.
Primary management is
through this PAN node.
Now if this PAN node fails,
is it a different IP
address to access that one?
- Yes, so all of these components in the
environment have their own IP addresses.
So if that PAN were to fail,
the ISE deployment doesn't go down, right?
So these nodes can be offline, right?
All of those nodes can be offline.
It's these nodes that
are the ones providing
the authentication at run
time when a device connects
to the network and we
need to authenticate that
endpoint and push down its policy.
These are the critical components.
So we'll have our network
devices down here.
And we'll point them to
Redundant Policy Service Nodes.
And there is really no limit on how many
Policy Service Nodes we can
configure on these guys.
Typically we'll see two or three done,
across a couple different locations.
As long as these nodes are up,
these nodes integrate
directly with those ID stores,
so like Microsoft Active Directory,
so we can perform
authentication to the network,
even in this situation
where our back-end servers,
if you want to call the PANs
and MnTs that, are down.
- So you mentioned these are appliances;
are these running on VMware,
or some hypervisor?
- Sure, yeah. You could run on a
physical appliance if you want to.
Cisco sells a hardware
appliance that you can
install and run ISE on.
Or you can run them on Hyper-V.
You can run them on VMware.
You can run them on KVM.
- All right, cool.
We pretty much covered
the basics of ISE,
so like why you would want it,
what it is,
some implementation approaches,
and how you can scale out the architecture.
- Yeah.
- Well cool. I really
appreciate you being here today.
And thanks for taking us
through ISE and the basics.
And obviously you've written
a lot of blog articles
about this, and you go
into a lot more detail
around authentication,
which has been awesome.
- Yeah, check those out.
- Cool. All right. Well
thanks for watching today.
If you want any more information about ISE,
or maybe just implementation guides,
You can check out lookingpoint.com
and check out our blog.
Dom's done a great job putting
together a whole ISE series.
So check it out there.
And then also, make sure you like
and subscribe so you get
all of our content as we release it.
And we'll see you on the next Tech Talk.
Thanks for watching.
(upbeat music)
