What is Cisco Identity Services Engine (ISE)?

Captions
- Hey, welcome back. Sean Barnin at LookingPoint. We help IT organizations make decisions throughout collaboration, security and networking. Today we are going to be talking about ISE. What it is, how you implement it, and things to consider. And this is the Tech Talk. (upbeat techno music)
- We're back, and I am here with my man, Dominic. And we are talking about ISE. Hey Dom, thanks for being here.
- Thanks for having me, Sean.
- So let's start out, what is ISE?
- ISE is a network admission control product. It helps secure your access networks in the same kind of way that you'd want to secure your perimeter network traditionally.
- And so if I was a customer and I'm thinking about securing my network even more, I guess.
- [Dominic] Sure.
- What are some of the benefits I get with ISE?
- ISE can authenticate everything attaching to your network. Your wired network, your wireless network, your VPN access points. So it gives you that assurance that all the devices on your network should be there, for one. And then secondarily, you can go further and you can inspect what software is running on those endpoints. See what kind of endpoints they are. And give you that visibility and control over your access network.
- And so things like, if I have a mobile device, laptop, phones.
- Sure, yeah, I mean you may want your mobile devices only to get out to the internet when they attach to your corporate network. Whereas your computers, your domain-joined machines, you want them to have full access. You may want your HR department to have access to some accounting servers that you don't want your development team to have access to. So ISE will help you institute those kinds of policies on your network.
- So policy enforcement, authentication, identifying devices, and controlling access.
- That's what it does.
- Okay. Beautiful. So if I'm a customer, or I'm just looking to implement this technology, what are some of the things I should consider before implementing? What are the things, is there readiness?
- Yeah, certainly there is readiness. So ISE works hand in hand with your network infrastructure. Particularly your wireless system and your network access switches. So you want to make sure you're running a recent-ish. At this point in time, we don't run into many customers who don't have a network infrastructure that's ready to accept an application like ISE. But there are some basic things you want to check out if you're still running some old, like Cisco 3560 switches. Those gen one 3750 switches. You might want to take a closer look at compatibility.
- So one of the things we want to do in this Tech Talk is cover ISE, what it is, why you want it. Is talk about a basic architecture and things like if I was going to implement it, what that architecture would look like. So we can draw it up here on the whiteboard.
- Sure.
- And maybe step through a couple scenarios.
- Sure, sounds good.
- All right, let's draw it up.
- Draw it up. (slow techno music)
- So this is a diagram that kind of illustrates 802.1X architecture within ISE. ISE serves as your RADIUS server in this picture here. And you've got your access networks that are hosted by your wired switches. These would be in your IDFs. And then you might have a wireless controller, or these can be access points if you're running an autonomous wireless system. And over here on the left-hand side, we have our endpoints that are connecting to the network. Here we have a computer, printer, and IP phone. Some things we commonly see on access networks. So one of the fundamental use cases for ISE is authentication to the network. So we want to make sure that the computers, printers, and phones in this case are valid endpoints that we want to connect to the network. In order to authenticate them, we use 802.1X. So the endpoints talk to the switches using a protocol called EAP, we'll forget about the details for a second. The switches proxy that authentication information to your RADIUS servers. So ISE could live in a data center across the WAN, you could put it local to where your access networks are at. It doesn't matter. RADIUS is a routed protocol, right? So these access switches and controllers, they're going to take those credentials sent by your endpoints connecting to the network. They're going to forward them to ISE. ISE is going to use a robust policy engine to make a decision on whether or not the endpoint should get access to the network, or a limited set of access to the network. And for that purpose, ISE integrates with identity stores. So this most commonly is Microsoft Active Directory. Most of our customers already have a pretty robust security group architecture there. All their users, when they get onboarded, get put in the appropriate groups. ISE can leverage all of that existing directory structure to make decisions about what devices should be allowed on the network and what level of access they should get to that network.
- So let me ask you a question. So these devices, the switches and the endpoints, will typically be in the same site, right?
- Correct.
- But, and I think you mentioned this, ISE or RADIUS is a routed protocol, so the ISE authentication servers could be back in a data center, or centrally managed, where you could have remote offices with switches and access points in the office. These devices are obviously in that office. But they can still authenticate back centrally to a single ISE instance or maybe a couple data centers.
- Absolutely.
- Okay, and then you mentioned once they're authenticated, what are some of the things that we can do from an ISE perspective? Because you mentioned limiting access and things like that. How does that work?
- There are a number of ways it can work. It could be as simple as ISE looks at what Active Directory group you belong to. And we can write a policy that says, "this Active Directory group gets this level of access to the network." We can use more advanced techniques, like profiling. ISE will take in metadata about the endpoints connecting to the network. Using attributes the endpoints send in their DHCP request, using CDP information off the switches, LLDP information off the switches. And we'll attempt to profile a device into being a Windows 10 computer, being a printer, a Ricoh printer. And then you can write policies that say "devices that look like a Ricoh printer get this level of network access."
- It essentially makes the network smarter by leveraging some of the things the devices share with the network, and then we write policy around it.
- Yeah, and when we think about it, there's so much information that the network has access to that we just haven't used. It's just been discarded. ISE makes use of all that information to determine what policy and what level of access we want you to have to the network.
- This is a great high-level overview. What's under the hood? When we push policy to a switch, is it using an ACL, how does that get done? Or are there multiple ways?
- Multiple ways of doing it, and that is where the generation of equipment you have at your access network plays a role. The make and model play a role. It can be as simple as ISE instructing the switch to put users on a different VLAN. That's kind of the base case. Any switch that supports 802.1X will support a VLAN change. And in that scenario the access control will be on the SVI on the network that VLAN belongs to. The ACL will be on the SVI. More often we'll be pushing policy down to the port that the endpoint's connecting to, right? That's where we get into micro-segmentation. Micro-segmentation can be done with an ACL, so we just push your standard, classic ACL. But instead of applying it centrally to the core switch on the VLAN, we're going to apply it to the port that the endpoints are connecting to.
- Got it. So you can have everyone on the same VLAN, but have different levels of access to the network based on the way they were authenticated on ISE.
- Right, right. One of the other ways you can enforce policy on the network is assigning. Again, everyone can be connected to the same VLAN, instead of pushing an ACL down to the port. We're just going to push a tag down to the port. We're going to say the endpoint connecting to this port is in group one. All right. And we write a policy on ISE that says "group one is allowed to talk to group two, using these ports and protocols." No IP addresses at all, anywhere in our policies. So we use these tags to filter access. Cisco refers to that as their TrustSec architecture.
- Is that better because it's more scalable?
- Yeah, it's easier to manage at scale because we're no longer dealing with specific IP addresses per site, right? One of the problems that TrustSec was aiming to solve was access list sprawl, right? You turn up a new site or a new data center, now it has this new IP range associated to it. Now I've got to go back through the whole enterprise and I've got to update all of my ACLs with the information about this new IP range. TrustSec solves that by classifying things into groups. We don't care about the IP address anymore. If you look historically, the IP address was just meant to provide your location on the network, right? And where you can be reached on the network. We've overloaded the IP address with your security context as well, right? Now your IP address is not just where you're located on the network, but it's also what you are allowed to do on the network. TrustSec kind of separates that security context from the IP address and puts it into its own paradigm using these security group tags.
- Got it. So it's kind of separating where you are from who you are.
- Exactly.
- Okay, great. So now we've covered the high-level ISE architecture, how it works. What about just covering what a small deployment would look like, maybe a redundant small deployment. We could go through something like that.
- Sure, let's draw it up.
- All right. (calming music)
- All right, your ISE appliance can be, you can have a single ISE appliance to perform network access control for your entire network. The limiting factor there would be redundancy, right? If that ISE appliance goes down, your network access control can be affected, right? You can either fail open or fail closed. That being said, one ISE node can service your deployment. And each ISE node runs three distinct fundamental services. So there's the PAN role, Primary Administration Node. That's where I'm going to log in and do all of my configuration as the administrator to the system. I am just interacting with this service that ISE provides. ISE also has a role called Monitoring and Troubleshooting. So this is the log collector, right? So all of the authentications that get processed by ISE, everything that ISE does, results in a log that gets sent to the ISE server that is running the monitoring role. If I'm logging into the PAN and I'm looking through the logs, the PAN is actually pulling the log from the MNT service on that node. And then the workhorse of the ISE deployment is the PSN. That's the Policy Services Persona. This is the service that runs RADIUS on those nodes. In that previous diagram where we were looking at the network switches and the wireless controllers integrating with ISE through RADIUS, this is the service that they're integrating with.
- So the IP address of the ISE server that is running this node is where I point RADIUS for those devices for authentication.
- You got it.
- So in a small deployment at limited scale, you can get away with one node running all three of these roles. And in Cisco's terminology they call them personas, right? So I may say that word interchangeably. And then for redundancy, you can add a second one of these nodes, right? And that would constitute a small ISE deployment.
- Now how do they replicate information, how does that work? Is there a database sync?
- Exactly. The database synchronization occurs between the ISE nodes, right? And that all happens behind the scenes after you join the ISE nodes to a deployment. You really don't have to worry about that anymore. All of the policy that you configure on the PAN over here gets replicated down to the PSNs. In this case it's all one box, so there is no real need for replication. But when you have these two nodes over here, anything that you do on the Primary Admin Node will get replicated over to your second node. All of your policy configuration's done from one place, no matter how large your ISE deployment is.
- And so when you point your devices to the PSN, it sounds like also you could scale this out and have multiple PSNs, and maybe at a location those devices locally could point to a local PSN.
- Yeah, good point. Let's look at a larger ISE deployment. See how these roles would separate. (upbeat music) So here we're looking at a larger ISE deployment. In this model, we distribute those three core services onto dedicated appliances, right? So it's still all part of the same ISE deployment, and I'm still managing the entire deployment from the Primary Administration Node. This is a little confusing, this says PAN over here. It's actually the Secondary Administration Node, in active standby. So if the Primary Administration Node were to fail, the Secondary gets promoted. And that's where you can log in and do all your config changes. So a common architecture that we see for a large deployment is we put our PAN and MNT nodes at two different geo locations in the customer's network. For fault tolerance reasons. Disaster recovery reasons. And then the Policy Service Nodes, these can be deployed anywhere in the network, right? These can be local to the site, if you want to have local authentication services. You can have some deployed at your data centers to provide central authentication services. That's really where the art of designing your ISE system comes into play. This solution can scale up to have fifty dedicated Policy Service Nodes. What that means in the end, I think right now the current scale is ISE can support somewhere along the lines of five hundred thousand endpoints connected to a single deployment. Which really covers the use case for most organizations.
- Some questions. So all three of these nodes are in Data Center one. These three are in Data Center two. Primary management is through this PAN node. Now if this PAN node fails, is it a different IP address to access that one?
- Yes, so all of these components in the environment have their own IP addresses. So if that PAN were to fail, the ISE deployment doesn't go down, right? So these nodes can be offline, right? All of those nodes can be offline. It's these nodes that are the ones providing the authentication at run time when a device connects to the network and we need to authenticate that endpoint, push down its policy. These are critical components to be. So we'll have our network devices down here. And we'll point them to redundant Policy Service Nodes. And there is really no limit on how many Policy Service Nodes we can configure on these guys. Typically we'll see two or three done. Across a couple different locations. As long as these nodes are up, these nodes integrate directly with those ID stores. So like Microsoft Active Directory. So we can perform authentication to the network, even in this situation where our back-end servers, if you want to call the PANs and MNTs that, are down.
- So you mentioned these are appliances, these are running on VMware, or some hypervisor?
- Sure, yeah. You could run on a physical appliance if you want to. Cisco sells a hardware appliance that you can install and run ISE on. Or you can run them on Hyper-V. You can run them on VMware. You can run them on KVM.
- All right, cool. We pretty much covered the beginning in ISE, so like why you would want it, what it is, some implementation approaches, and how you can scale out the architecture.
- Yeah.
- Well cool. I really appreciate you being here today. And thanks for taking us through ISE and the basics. And obviously you've written a lot of blog articles about this, and you go into a lot more detail around authentication, which has been awesome.
- Yeah, check those out.
- Cool. All right. Well thanks for watching today. If you want any more information about ISE, or maybe just implementation guides, you can check out lookingpoint.com and check out our blog. Dom's done a great job putting together a whole ISE series. So check it out there. And then also, make sure you like and subscribe so you get all of our content as we release it. And we'll see you on the next Tech Talk. Thanks for watching. (upbeat music)
Info
Channel: LookingPoint, Inc.
Views: 19,146
Rating: 4.852941 out of 5
Keywords: Cisco, Cisco ISE, Identity Services Engine, Security, LookingPoint, LP, Tech Talk, Technology, ISE
Id: 20ivU_n_iJ8
Channel Id: undefined
Length: 17min 13sec (1033 seconds)
Published: Tue Nov 26 2019