ISE 2.6 Policy Sets & Using Network Device Groups

Captions
Thank you for tuning in. I created a bunch of these ISE videos a couple of years ago when I was building out my lab. It's been a while since I added to these videos; I was pretty busy with work and studying for my CCIE Security. I've received some requests to create some new videos since then, and I needed to rebuild certain parts of my lab anyway, so I'm using this as an opportunity to record some videos as I go. By no means is this supposed to be a fully professional video series; this is just me explaining some of the things I do in production and in my lab as I go, and showing the configuration of certain parts of ISE and other things. I fully plan on creating some videos about different things I do in ISE: some of the updated UI information, NetFlow, Stealthwatch, Splunk, some IPS tuning, VPN configuration, and maybe Meraki and ISE as I go. So expect some more videos from me over the next few weeks to a month. I'll publish them on my YouTube channel and my blog, but just bear that in mind as I go.

One of the biggest requests I've received in probably the last year: as of ISE 2.3 there's a big UI change in the policy sets. It is and it isn't a big change. It looks very different, but a lot of the same things you could do with the old policy sets are still there, and I'll walk through and show you in this video some of the things I do as far as using policy sets, and also go through the new policy sets UI with you.

So the first thing we're going to dig into is the network device groups and how I use them for defining which policy I'm going to be using. Let me whiteboard this really quickly for you. Let's say you have two policy sets with the same authorization and authentication rules on both sides, and the only difference between these two policy sets is that one will have the default rule at the very end as permit access. That might be while you're sitting there defining your policy, or trying to figure it out and move into more of a closed mode; you have a policy set like that. Then over on the other one is a default rule of deny access if it doesn't match anything else: no access. So maybe as you're refining your policy and you're starting to deploy ISE, this is going to be what you use for everything, but eventually you're going to want to move over to this, and you're not going to want to move everything over overnight. So how do you move one network device or switch at a time? That's where I would use network device groups to define that. So maybe I'll have this policy set saying, if the network access device is in this group, it'll fall under this policy set; but if I move the network access device to the other group, it'll fall into policy set two. That's what I'm going to go through and show you how to configure in this video, and as we're doing it we're also going to hit the new policy sets.

So let's go to our configuration and create our network device groups. You'll notice that it's under Administration > Network Resources > Network Device Groups. Right now, from my previous videos, I have a location network device group and what type of devices they are. Now we're going to create a new one. You can name it whatever you want; you could name it "pink fluffy bunnies", but that probably wouldn't be very professional. You can do anything as long as it's something you can use in a policy. So I'm going to create a root group of Mode, and very simply I'm going to put two network device groups underneath it: one's just going to be Open and one's going to be Closed, and I'll show you how we would create these policy sets. And then the other one is going to be Closed.

So here are our two network device groups. Now if we go over to Administration > Network Resources > Network Devices, we're going to put our switches into Open first; that's just how I'm going to start it out. Let's say that switch two is over there as well.

This is a new version of ISE; I'm actually on ISE 2.6. If anyone's been a long-time ISE user, you'll notice that the last time I did videos they were on ISE 2.2; the policy sets looked a bit different, as I've stated before. And we went from 2.4 to 2.6, so you're probably wondering where 2.5 went. Well, there's a standard convention inside and outside of Cisco that even-numbered releases of ISE are considered long-term releases, and my understanding is that the ISE business unit wanted the next version of ISE to be a long-lasting version. So instead of doing 2.5 and confusing people, they decided to call it 2.6, which would be an even number, but of course that confuses people because they're wondering if they missed a version. So what I'm configuring today is nothing but ISE 2.6; just bear that in mind.

So I'm going to go over to the policy sets and now we're going to start creating policies. Let's dig into this. I have a single endpoint out there configured for 802.1X, but I haven't configured any policy sets because this is a fresh install of ISE. So I'm going to create a new policy set right now. If you notice, these policy sets look very, very different from the old policy sets, but the logic is pretty much the same. So I'm going to pull up a picture of what the old policy sets looked like; just give me a moment to illustrate here really quickly. What you see right here is actually what we are doing right here inside of the new policy sets; instead of configuring the actual rules on the left of the screen and having the policy sets displayed on the right, it's just got its own screen now. So just like the old policy sets, you could actually create the policy set here, define what would be the conditions to meet this policy set, and then start configuring underneath. It's just a little separate now. I don't know why they changed that, but we're going to walk our way through this.

So this is going to be the "Security Demo Wired Open" policy set, and for the conditions for this policy set to be used, I'm just going to be using attributes based off of network device groups. So let's call this: Device Type is going to be Switches, because this is wired; we're going to click New again, and the Device Location is going to be my Security Demo Lab. Now you might want to use a different location if you have different policy sets by geolocation. When you add the network devices to ISE, you can basically tag them with their own network device groups showing what location, region, city or even office they're in. If you have to make those policies that different and that granular, this is a way to use that to make sure the correct policy set is hit. Then we're going to create another condition, and that's where we're going to do our Mode that we were talking about before. So this is going to be a Mode of Open, and I'm just going to use the allowed protocols of Default Network Access and click Save. So now, in order for this policy set to be hit, essentially what has to happen is that it needs to be a network device that's inside the network device groups of Switches, Security Demo Lab and Open. If those three conditions are not hit, then it's essentially not going to use this policy set.

One thing you'll also notice with the new policy sets is you can do AND/OR statements; you can have a bunch of AND statements and then add an OR at the very end. You can also set it to "is not". So let's say you want to create a policy that's basically "it can be everything except for this"; instead of having it define a bunch of different attributes, you can just say "is not this" and then go ahead and use this policy set.

So in order to get to the actual policy set configuration, we just click on that right arrow and we're brought into it. In the later versions of ISE, I think it's 2.4 and beyond, they got rid of everything Flash, so it's very snazzy. I like it for the fact that I can search for stuff a lot faster. In the older versions of ISE, if you needed to search for an attribute, you could type it in and start trying to find something, but it sat and waited for a long time. In this version you can see here that it came up right away. It's pretty snazzy and quick, and that's what I like about it; it doesn't take too long to search for a policy condition anymore. Some people don't really like it because it looks different, and I will admit that one of the things I found kind of annoying is that if you had policy sets before you upgraded to ISE 2.3, let's say you had one like my old one where I had different authentication methods in the same policy, where it's MAB and dot1x, it would break it out into two different policy sets upon upgrade. But after it's upgraded, or if you're installing a fresh ISE version, you can still do the same thing you did before, and I'm going to show you how I do that.

So in this case I'm going to create two authentication policy rules. The first one is just going to be for wired 802.1X, so let's create that: Wired. There's already a rule in here for Wired_802.1X that's created as a default library condition. If you want to see what that means, you can go over to the "i" and it says basically Normalised Radius·RadiusFlowType EQUALS Wired802_1x. We're going to use that based off of our Security Demo AD; if that user's not found, I'm just going to have it continue to the next method. Then I'm going to do a rule below, which is MAB, and I'm going to use the built-in Wired_MAB rule, throw that over there, and as you can see here it's Normalised Radius·RadiusFlowType EQUALS WiredMAB. Same thing, but instead of Internal Users it's Internal Endpoints, something that's been seen, and if the user's not found I'm going to have that continue to the next one. So I'm just going to minimize this really quickly.

If you've followed along with my old videos or looked at my blog, you'll notice that I defined these authentication rules a little bit further: I put things like Authentication Method EQUALS PKI, and the certificate Subject Alternative Name would have "securitydemo" in it. You can't do that in the authentication policy anymore. You'll notice that's one of those things where it just doesn't allow you to add that condition, but you can put it in the authorization rule. So let's see: Network Access, and you notice here you don't see an Authentication Method anymore. So you're probably saying, "but what if I want to make sure that's something that's checked?" Not a problem, you can still use that; it's just going to be under the authorization rule. That threw me off at first when I did it too, so I'll show you in just a few minutes how we do that.

Now, the authorization policy exceptions. A local exception might be something where, even if they match this criteria, let's say we're using Threat-Centric NAC for example, or if there's something that's quarantined. Maybe I want to say that it doesn't matter if they were already authenticated and they met these other conditions: if their CVSS score is something less than five, for example, we're still going to make sure that they don't have unrestricted access, even if they normally would have. So in that case I would have a rule like this just for this area. So I'll just say... nope, I probably didn't mean to do that... Qualys-based score of less than five, and then I'll have something saying only give them guest internet access, because we don't want them to have full access to the rest of our network if they've authenticated but they're possibly compromised. I would have something like guest access here, so I'll just say Internet Access; I think I have a guest ACL, yep, right there. So that's a way of having a local exception for the wired policy where, if anyone gets on but the scanner determined that they're a potentially vulnerable endpoint, then even if they're authenticated and they've hit another authorization rule, it doesn't matter: until that's resolved, they're only going to get internet access, to potentially prevent them from compromising your network. Now, if it's a local exception, it only counts for that local policy set. If you wanted a global exception that's spread out against every policy set you have, that's where you would do a policy set or an authorization rule here. I'm going to delete this because I don't have this connected to a vulnerability scanner yet; that's another video I actually plan on doing, but I'm just making you aware of that.

So I'm going to create some very basic authorization policy rules. Let's start with Add a new rule, Insert a new row above. This is going to be an administrator policy. Remember before I said that you couldn't do this in the authentication rules, but you can do it in the authorization rules; that's where we're going to create this. I'm going to first start with what I normally put, so I'm going to do EAP tunnel, since I have this configured for PEAP EAP-TLS like in my previous videos. I'm just going to put those basic EAP tunnels: PEAP, and then EAP authentication is EAP-TLS. I'm also going to make sure that it's looking at which AD group this user is in, so it's External Groups: the member is a member of the Administrators group. Next we're going to do Network Access Authentication Method EQUALS PKI, like I used to put in the authentication policy; now I'm using it in the authorization policy. So in order to meet this authorization rule, it needs to be authenticating through PKI using PEAP EAP-TLS, and the user must be a member of the Administrators group. I'm going to use that policy as it is, and I'm going to define that the profile should be Admin Access. Now, for the sake of speed, I'll just Duplicate Below and change a couple of things: Employee Access, and that's going to be changing it from Administrators to Employees, and the authorization result it'll use is going to be my Employee Access. Actually, Vendor below, same thing. Last but not least, I'll have my computer-only one, because if no one's logged into the computer I still want it to have access to certain things; for example, I want that computer to be able to update, to have just enough access to do GPO updates, maybe certificate updates, and if we're pushing patches in the middle of the night I want it to still have access to that. Now, the default rule I was talking about before: I'm going to change that to Permit Access, so if that endpoint doesn't meet any of these things it will still be permitted access. It's kind of a fail-open, or testing-open, sort of way of testing an ISE policy set.

Now going back to policy sets really quickly: if I wanted to create a second policy set that would have the default of closed, I'm going to just rename that, and the only difference here is Mode Closed, and click Save. Going over here, the only thing I'll change under here is we're not going to permit access anymore; we're going to deny access as the default rule. So let's take a quick look to see what my one 802.1X endpoint is authenticating to, whether it's going towards Security Demo Wired Closed or Security Demo Wired Open. Since we have both switch one and switch two configured for Open mode, it should be hitting Open, but let's double check. Yep, as you can see here, that one 802.1X endpoint that I have is configured to hit Open. So I'm going to change this really quickly. Let's say we've gotten to the point where we've tested all of our network policies or security policies, and we've decided we want to start enforcing this a little bit more; we want to make sure that the default rule is closed. All I would have to do to essentially make sure that this is only hitting one switch at a time, as we're rolling this out slowly, is go over to switch two, which my 802.1X endpoint is connected to. I'm just going to make sure that the mode is switched over to Closed, and that will force it to go to the new policy set that we created, because, as you remember, if we go to policy sets, the only difference between these two to hit one or the other is that it has to essentially be either in Closed or Open mode. Since we just changed that, the next time that endpoint reauthenticates it would hit the new policy set. I'm going to force it to reauthenticate right now by just doing a simple shut / no shut of the port, and let's take a look at RADIUS Live Logs to see what happens here. So refresh: yep, as you can see here, now it's hitting the Closed policy set.
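As an added example (not from the video), the one-switch-at-a-time cutover described above can be driven through ISE's ERS REST API instead of the Network Devices page: the function below moves a network device from the Open to the Closed child of the Mode root group while leaving its Location and Device Type tags untouched, so the only policy-set condition that changes is Mode. The sample ERS payload is constructed, and the `Mode#Mode#Open` path string, the host name, the device id and the credentials are assumptions.

```python
import base64
import copy
import json
import urllib.request

# Constructed sample of what ERS returns for GET /ers/config/networkdevice/{id}.
# Field names follow the ERS NetworkDevice resource; the "Mode#Mode#Open" path
# string for the custom root group "Mode" is an assumption about ERS rendering.
SAMPLE_DEVICE = {
    "NetworkDevice": {
        "id": "00000000-0000-0000-0000-000000000002",  # placeholder id
        "name": "switch2",
        "NetworkDeviceIPList": [{"ipaddress": "192.0.2.12", "mask": 32}],
        "NetworkDeviceGroupList": [
            "Location#All Locations#Security Demo Lab",
            "Device Type#All Device Types#Switches",
            "Mode#Mode#Open",
        ],
    }
}

def mode_of(device):
    """Return the Mode leaf ("Open"/"Closed") the device is tagged with, or None."""
    for group in device["NetworkDevice"]["NetworkDeviceGroupList"]:
        if group.split("#")[0] == "Mode":
            return group.split("#")[-1]
    return None

def move_to_mode(device, new_mode):
    """Copy of the ERS payload with the Mode tag replaced; Location and Device
    Type tags are kept so the policy set's other conditions still match."""
    if new_mode not in ("Open", "Closed"):
        raise ValueError("new_mode must be Open or Closed")
    updated = copy.deepcopy(device)  # never mutate the caller's object
    kept = [g for g in updated["NetworkDevice"]["NetworkDeviceGroupList"]
            if g.split("#")[0] != "Mode"]  # drop any existing Mode tag
    updated["NetworkDevice"]["NetworkDeviceGroupList"] = kept + [f"Mode#Mode#{new_mode}"]
    return updated

def ers_put(base_url, user, password, device):
    """PUT the full resource back to ERS (TCP 9060, basic auth); returns HTTP status."""
    url = f"{base_url}/ers/config/networkdevice/{device['NetworkDevice']['id']}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(device).encode(), method="PUT",
                                 headers={"Content-Type": "application/json",
                                          "Accept": "application/json",
                                          "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    closed = move_to_mode(SAMPLE_DEVICE, "Closed")
    print(json.dumps(closed, indent=2))  # review, then push it with ers_put(...)
    # ers_put("https://ise.example.invalid:9060", "ersadmin", "password", closed)
```

After the PUT, bounce the port (shut / no shut) as in the video and confirm in RADIUS Live Logs that the endpoint now lands in the Closed policy set before moving the next switch.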
Info
Channel: Katherine McNamara
Views: 31,450
Keywords: ISE, Identity Services Engine, ISE 2.6, Cisco, Security
Id: gEnWHS8nBZ4
Length: 20min 41sec (1241 seconds)
Published: Sun Mar 17 2019