- Hey, welcome back. Sean Barnin at LookingPoint. We help IT organizations make decisions throughout collaboration, security and networking. Today we are going to be talking about ISE: what it is, how you implement it, and things to consider. And this is the Tech Talk.

(upbeat techno music)

- We're back, and I am here with my man, Dominic. And we are talking about ISE. Hey Dom, thanks for being here.

- Thanks for having me, Sean.

- So let's start out. What is ISE?

- ISE is a network admission control product. It helps secure your access networks in the same kind of way that you'd want to secure your perimeter network traditionally.

- And so if I was a customer and I'm thinking about securing my network even more, I guess.

- [Dominic] Sure.

- What are some of the benefits I get with ISE?

- ISE can authenticate everything attaching to your network: your wired network, your wireless network, your VPN access points. So it gives you that assurance that all the devices on your network should be there, for one. And then secondarily, you can go further and you can inspect what software is running on those endpoints, see what kind of endpoints they are, and give you that visibility and control over your access network.

- And so things like, if I have a mobile device, laptops, phones.

- Sure, yeah. I mean, you may want your mobile devices only to get out to the internet when they attach to your corporate network, whereas your computers, your domain-joined machines, you want them to have full access. You may want your HR department to have access to some accounting servers that you don't want your development team to have access to. So ISE will help you institute those kinds of policies on your network.

- So policy enforcement, authentication, identifying devices, and controlling access.

- That's what it does.

- Okay. Beautiful. So if I'm a customer, or I'm just looking to implement this technology, what are some of the things I should consider before implementing? What are the things, is there readiness?

- Yeah, certainly there is readiness. So ISE works hand in hand with your network infrastructure, particularly your wireless system and your network access switches. So you want to make sure you're running a recent-ish. At this point in time, we don't run into many customers who don't have a network infrastructure that's ready to accept an application like ISE. But there are some basic things you want to check out if you're still running some old, like Cisco 3560 switches, those gen one 3750 switches. You might want to take a closer look at compatibility.

- So one of the things we want to do in this Tech Talk is cover ISE, what it is, why you want it, is talk about a basic architecture and things like, if I was going to implement it, what that architecture would look like. So we can draw it up here on the whiteboard.

- Sure.

- And maybe step through a couple scenarios.

- Sure, sounds good.

- All right, let's draw it up.

- Draw it up.

(slow techno music)

- So this is a diagram that kind of illustrates 802.1X architecture within ISE. ISE serves as your RADIUS server in this picture here. And you've got your access networks that are hosted by your wired switches. These would be in your IDFs. And then you might have a wireless controller, or these can be access points if you're running an autonomous wireless system. And over here on the left-hand side, we have our endpoints that are connecting to the network. Here we have a computer, printer, and IP phone, some things we commonly see on access networks. So one of the fundamental use cases for ISE is authentication to the network. So we want to make sure that the computers, printers, and phones in this case are valid endpoints that we want to connect to the network. In order to authenticate them, we use 802.1X. So the endpoints talk to the switches using a protocol called EAP; we'll forget about the details for a second. The switches proxy that authentication information to your RADIUS servers. So ISE could live in a data center across the WAN, you could put it local to where your access networks are at. It doesn't matter. RADIUS is a routed protocol, right? So these access switches and controllers, they're going to take those credentials sent by your endpoints connecting to the network. They're going to forward them to ISE. ISE is going to use a robust policy engine to make a decision on whether or not the endpoint should get access to the network, or a limited set of access to the network. And for that purpose, ISE integrates with identity stores. So this most commonly is Microsoft Active Directory. Most of our customers already have a pretty robust security group architecture there. All their users, when they get onboarded, get put in the appropriate groups. ISE can leverage all of that existing directory structure to make decisions about what devices should be allowed on the network and what level of access they should get to that network.

- So let me ask you a question. So these devices, the switches and the endpoints, will typically be in the same site, right?

- Correct.

- But, and I think you mentioned this, ISE or RADIUS is a routed protocol, so the ISE authentication servers could be back in a data center, or centrally managed, where you could have remote offices with switches and access points in the office. These devices are obviously in that office, but they can still authenticate back centrally to a single ISE instance or maybe a couple data centers.

- Absolutely.

- Okay, and then you mentioned once they're authenticated, what are some of the things that we can do from an ISE perspective? Because you mentioned limiting access and things like that. How does that work?

- There are a number of ways it can work. It could be as simple as ISE looks at what Active Directory group you belong to, and we can write a policy that says, "This Active Directory group gets this level of access to the network." We can use more advanced techniques, like profiling. ISE will take in metadata about the endpoints connecting to the network, using attributes the endpoints send in their DHCP request, using CDP information off the switches, LLDP information off the switches. And we'll attempt to profile a device into being a Windows 10 computer, being a printer, a Ricoh printer. And then you can write policies that say, "Devices that look like a Ricoh printer get this level of network access."

- It essentially makes the network smarter by leveraging some of the things the devices share with the network, and then we write policy around it.

- Yeah, and when we think about it, there's so much information that the network has access to that we just haven't used. It's just been discarded. ISE makes use of all that information to determine what policy and what level of access we want you to have to the network.

- This is a great high-level overview. What's under the hood? When we push policy to a switch, is it using an ACL? How does that get done? Or are there multiple ways?

- Multiple ways of doing it, and that is where the generation of equipment you have at your access network plays a role. The make and model play a role. It can be as simple as ISE instructing the switch to put users on a different VLAN. That's kind of the base case. Any switch that supports 802.1X will support a VLAN change. And in that scenario the access control will be on the SVI on the network that VLAN belongs to. The ACL will be on the SVI. More often we'll be pushing policy down to the port that the endpoint's connecting to, right? That's where we get into micro-segmentation. Micro-segmentation can be done with an ACL, so we just push your standard, classic ACL. But instead of applying it centrally to the core switch on the VLAN, we're going to apply it to the port that the endpoints are connecting to.

- Got it. So you can have everyone on the same VLAN, but have different levels of access to the network based on the way they were authenticated on ISE.

- Right, right. One of the other ways you can enforce policy on the network is assigning. Again, everyone can be connected to the same VLAN. Instead of pushing an ACL down to the port, we're just going to push a tag down to the port. We're going to say the endpoint connecting to this port is in group one. All right. And we write a policy on ISE that says, "Group one is allowed to talk to group two, using these ports and protocols." No IP addresses at all, anywhere in our policies. So we use these tags to filter access. Cisco refers to that as their TrustSec architecture.

- Is that better because it's more scalable?

- Yeah, it's easier to manage at scale because we're no longer dealing with specific IP addresses per site, right? One of the problems that TrustSec was aiming to solve was access list sprawl, right? You turn up a new site or a new data center, now it has this new IP range associated to it. Now I've got to go back through the whole enterprise and I've got to update all of my ACLs with the information about this new IP range. TrustSec solves that by classifying things into groups. We don't care about the IP address anymore. If you look, historically the IP address was just meant to provide your location on the network, right? And where you can be reached on the network. We've overloaded the IP address with your security context as well, right? Now your IP address is not just where you're located on the network, but it's also what you are allowed to do on the network. TrustSec kind of separates that security context from the IP address and puts it into its own paradigm using these security group tags.

- Got it. So it's kind of separating where you are from who you are.

- Exactly.

- Okay, great. So now we've covered the high-level ISE architecture, how it works. What about just covering what a small deployment would look like, maybe a redundant small deployment? We could go through something like that.

- Sure, let's draw it up.

- All right.

(calming music)

- All right, your ISE appliance can be, you can have a single ISE appliance to perform network access control for your entire network. The limiting factor there would be redundancy, right? If that ISE appliance goes down, your network access control can be affected, right? You can either fail open or fail closed. That being said, one ISE node can service your deployment. And each ISE node runs three distinct fundamental services. So there's the PAN role, Primary Administration Node. That's where I'm going to log in and do all of my configuration as the administrator to the system. I am just interacting with this, this service that ISE provides. ISE also has a role called Monitoring and Troubleshooting. So this is the log collector, right? So all of the authentications that get processed by ISE, everything that ISE does, results in a log that gets sent to the ISE server that is running the monitoring role. If I'm logging into the PAN and I'm looking through the logs, the PAN is actually pulling the log from the MNT service on that node. And then the workhorse of the ISE deployment is the PSN. That's the Policy Services Persona. This is the service that runs RADIUS on those nodes. In that previous diagram where we were looking at the network switches and the wireless controllers integrating with ISE through RADIUS, this is the service that they're integrating with.

- So the IP address of the ISE server that is running this node is where I point RADIUS for those devices for authentication.

- You got it.

- So in a small deployment at limited scale, you can get away with one node running all three of these roles. And in Cisco's terminology they call them personas, right? So I may say that word interchangeably. And then for redundancy, you can add a second one of these nodes, right? And that would constitute a small ISE deployment.

- Now how do they replicate information? How does that work? Is there a database sync?

- Exactly. The database synchronization occurs between the ISE nodes, right? And that all happens behind the scenes after you join the ISE nodes to a deployment. You really don't have to worry about that anymore. All of the policy that you configure on the PAN over here gets replicated down to the PSNs. In this case it's all one box, so there is no real need for replication. But when you have these two nodes over here, anything that you do on the Primary Admin Node will get replicated over to your second node. All of your policy configuration is done from one place, no matter how large your ISE deployment is.

- And so when you point your devices to the PSN, it sounds like also you could scale this out and have multiple PSNs, and maybe at a location those devices locally could point to a local PSN.

- Yeah, good point. Let's look at a larger ISE deployment. See how these roles would separate.

(upbeat music)

So here we're looking at a larger ISE deployment. In this model, we distribute those three core services onto dedicated appliances, right? So it's still all part of the same ISE deployment, and I'm still managing the entire deployment from the Primary Administration Node. This is a little confusing, this says PAN over here. It's actually the Secondary Administration Node, in active standby. So if the Primary Administration Node were to fail, the Secondary is promoted. And that's where you can log in and do all your config changes. So a common architecture that we see for a large deployment is we put our PAN and MNT nodes at two different geo locations in the customer's network, for fault tolerance reasons, disaster recovery reasons. And then the Policy Service Nodes, these can be deployed anywhere in the network, right? These can be local to the site, if you want to have local authentication services. You can have some deployed at your data centers to provide central authentication services. That's really where the art of designing your ISE system comes into play. This solution can scale up to have fifty dedicated Policy Service Nodes. What that means in the end, I think right now the current scale is ISE can support somewhere along the lines of five hundred thousand endpoints connected to a single deployment, which really covers the use case for most organizations.

- Some questions. So all three of these nodes are in Data Center one. These three are in Data Center two. Primary management is through this PAN node. Now if this PAN node fails, is it a different IP address to access that one?

- Yes, so all of these components in the environment have their own IP addresses. So if that PAN were to fail, the ISE deployment doesn't go down, right? So these nodes can be offline, right? All of those nodes can be offline. It's these nodes that are the ones providing the authentication at run time when a device connects to the network and we need to authenticate that endpoint, push down its policy. These are critical components to be. So we'll have our network devices down here, and we'll point them to redundant Policy Service Nodes. And there is really no limit on how many Policy Service Nodes we can configure on these guys. Typically we'll see two or three done, across a couple different locations. As long as these nodes are up, these nodes integrate directly with those ID stores, so like Microsoft Active Directory. So we can perform authentication to the network, even in this situation where our back-end server, if you want to call the PANs and MNTs that, are down.

- So you mentioned these are appliances. Are these running on VMware, or some hypervisor?

- Sure, yeah. You could run on a physical appliance if you want to. Cisco sells a hardware appliance that you can install and run ISE on. Or you can run them on Hyper-V. You can run them on VMware. You can run them on KVM.

- All right, cool. We pretty much covered the beginning in ISE, so like why you would want it, what it is, some implementation approaches, and how you can scale out the architecture.

- Yeah.

- Well, cool. I really appreciate you being here today. And thanks for taking us through ISE and the basics. And obviously you've written a lot of blog articles about this, and you go into a lot more detail around authentication, which has been awesome.

- Yeah, check those out.

- Cool. All right. Well, thanks for watching today. If you want any more information about ISE, or maybe just implementation guides, you can check out lookingpoint.com and check out our blog. Dom's done a great job putting together a whole ISE series. So check it out there. And then also, make sure you like and subscribe so you get all of our content as we release it. And we'll see you on the next Tech Talk. Thanks for watching.

(upbeat music)