Isa Deployment

Deployment Checklists

Based on your answers to the questions in the Planning Checklist above, complete the following
Deployment Checklist forms. These tables will be valuable references to field engineers to expedite
initial configurations in Cisco ISE and network devices.

Network Services
Document all the basic network services and the hosts that provide them in your network. This will
aid you in the creation of access control list (ACL) exceptions and ISE service configuration.

| Role | DNS Names | Network Address(es) | Protocol | Details |
|---|---|---|---|---|
| CA Server(s) | | | | |
| DNS Server(s) | | | UDP:53 | |
| DHCP Server(s) | | | | |
| NTP Server(s) | | | UDP:123 | |
| FTP Servers | | | TCP:21 | username:password |
| Proxy Servers (to Internet) | | | HTTP/S:# | username:password |
| TFTP/PXE Boot Servers | | | UDP:69 | username:password |
| Syslog Servers | | | UDP:514 | username:password |
| Identity Store: Active Directory | | | | username:password |
| Identity Store: LDAP | | | | |
| Identity Store: OTP | | | | |
| ISE Admin Node | | | HTTP (TCP:80), HTTPS (TCP:443) | CLI: admin: cisco; Web: admin: cisco; RADIUS Key: |
| ISE Policy Service Node | | | HTTP (TCP:80), HTTPS (TCP:443), RADIUS (UDP:1812), RADIUS (UDP:1813), CoA: 1700 & 3799 | CLI: admin: cisco; Web: admin: cisco; RADIUS Key: |
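The Network Services table exists so that the field engineer can write the ACL exceptions (pre-authentication and redirect ACLs on the switch) without guessing ports. The following is an added example, not part of the original checklist: it takes a filled-in subset of the table and emits Cisco IOS extended-ACL lines for a switch-side exception ACL. The host addresses are constructed placeholders, the ACL name is arbitrary, and only TCP/UDP entries are handled; the RADIUS ports of the Policy Service Node are deliberately left out because that traffic flows from the network device to ISE, not from the endpoint, so it does not belong in an endpoint-facing exception ACL.

```python
# Added example (not from the original checklist): build a switch-side exception
# ACL from entries recorded in the Network Services table.
# Addresses below are constructed placeholders, not values from the document.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class NetworkService:
    role: str
    addresses: List[str]   # host addresses, or "any" for services reached by broadcast
    ports: List[str]       # protocol:port entries as written in the table, e.g. "UDP:53"


# Constructed sample, filled in the way the table asks for.
SERVICES: List[NetworkService] = [
    NetworkService("DNS Server(s)", ["10.0.0.53"], ["UDP:53"]),
    # DHCP DISCOVER is broadcast before the client has an address, so the
    # destination must be "any" (bootps) rather than the server's host address.
    NetworkService("DHCP Server(s)", ["any"], ["UDP:67"]),
    NetworkService("NTP Server(s)", ["10.0.0.123"], ["UDP:123"]),
    # Only the portal/web ports of the PSN are endpoint-facing; RADIUS 1812/1813
    # is switch-to-ISE traffic and is not an endpoint exception.
    NetworkService("ISE Policy Service Node", ["10.0.1.10", "10.0.1.11"],
                   ["TCP:80", "TCP:443"]),
]


def parse_port(spec: str) -> Tuple[str, int]:
    """Parse a table entry such as 'UDP:53' into ('udp', 53).

    Raises ValueError for anything that is not a TCP/UDP port, so that a
    free-form entry like 'HTTP/S:#' is caught before it reaches a switch."""
    proto, sep, port = spec.partition(":")
    proto = proto.strip().lower()
    if not sep or proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol/port entry: {spec!r}")
    number = int(port)           # int() raises ValueError on '#' or empty text
    if not 0 < number < 65536:
        raise ValueError(f"port out of range: {spec!r}")
    return proto, number


def is_valid_port_spec(spec: str) -> bool:
    """True when the entry can be turned into an ACL line as-is."""
    try:
        parse_port(spec)
    except ValueError:
        return False
    return True


def destination(addr: str) -> str:
    return "any" if addr == "any" else f"host {addr}"


def acl_lines(name: str, services: List[NetworkService]) -> List[str]:
    """Return IOS extended-ACL lines: a remark per role, one permit per
    (host, protocol, port), and an explicit trailing deny."""
    lines = [f"ip access-list extended {name}"]
    for svc in services:
        lines.append(f" remark {svc.role}")
        for addr in svc.addresses:
            for spec in svc.ports:
                proto, port = parse_port(spec)
                lines.append(f" permit {proto} any {destination(addr)} eq {port}")
    lines.append(" deny ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(acl_lines("ACL-PREAUTH", SERVICES)))
```

The trailing explicit deny is there so the ACL's intent is visible in `show ip access-lists` hit counters; the implicit deny at the end of an IOS ACL gives no counter. Entries the parser rejects should be resolved in the table (real protocol and port) rather than special-cased in the script.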

Digital Certificates

Create and use CA-signed certificates for your TrustSec infrastructure to minimize long-term
problems due to untrusted, self-signed certificates.

| Component | FQDN | Org Unit | Org | City | State | Country (2 letter) | Key Size (max) | Cert Format |
|---|---|---|---|---|---|---|---|---|
| Certificate Authority | | | | | | | | |
| ISE Admin #1 | | | | | | | | |
| ISE Admin #2 | | | | | | | | |
| ISE PSN #1 | | | | | | | | |
| ISE PSN #2 | | | | | | | | |

Network Devices
Use the Network Devices List to document each type of network access device in your network by
model, supervisor (if appropriate), and software version. It is highly recommended that you upgrade
all switches to the latest validated software version in the ISE Compatibility Guides and TrustSec
Platform Support Matrix to avoid feature and behavioral inconsistencies. Each network device IP
address must be added to ISE unless you use wildcard entries.

| Model | Cisco IOS® Software Version | Management IP Address | Management DNS Name |
|---|---|---|---|
| | | | |

Security Policy
Describe your major network access scenarios and how you will use contextual, network-based
attributes to enforce secure access. Consider scenarios such as user versus endpoint authentication,
managed endpoint posture, unmanaged endpoint identification, role-based identification and
segmentation (employees, contractors, guests, and so on), or location-based differentiation. These
unique authorization states will map directly to your final ISE authorization rules and policies.
Below are some pseudo-policy examples.

| Scenario Name | Conditions (Who, What, When, Where, How) | Authorization Result |
|---|---|---|
| Corporate Workstation | Active Directory Domain Computers | Workstation_Access |
| Phones | Profiled IP Phones | Voice_Network |
| Printers | Profiled Printers | Printer_Network |
| Employee | AD Employees | Employee_Access |
| BYOD | AD Employees & Registered Device | Internet_Only |
| Guest | Guest SSID & Sponsored Guest | Internet_Only |
| Default | - | Guest_Redirect |

Enforcement States
Identify the specific RADIUS authorization attributes for each unique authorization state you
identified in your Authorization Policy. This will help you understand the subtle differences
between each enforcement state and identify the number of unique ACLs or Scalable Group Tags
that you must create.

| Authorization Profiles | RADIUS Attributes |
|---|---|
| Workstation_Access | VLAN: Data; dACL: ACL-WORKSTATIONS; Session Timeout: 86400 (24 hours) |
| Voice_Network | Voice VLAN Permission: Yes; Session Timeout: 86400 (24 hours) |
| Printer_Network | VLAN: Data; dACL: ACL-PRINT-SERVERS; Session Timeout: 86400 (24 hours) |
| Employee_Access | VLAN: Data; dACL: ACL-EMPLOYEE-ACCESS; Session Timeout: 28800 (8 hours) |
| Internet_Only | VLAN: Data; dACL: ACL-INTERNET-ONLY; Session Timeout: 28800 (8 hours) |
| Guest_Redirect | URL-Redirect: ACL-CENTRAL-WEBAUTH; URL-Redirect-ACL: ACL-URL-GUEST-REDIRECT; Session Timeout: 600 (10 minutes) |
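The Security Policy table and the Enforcement States table together describe what ISE actually does at authorization time: rules are evaluated top-down and the first match selects an authorization profile, whose RADIUS attributes are then returned to the network device. The following is an added example (not part of the original checklist) that models both tables as a first-match policy and renders the attributes of the selected profile. The session attribute names (`ad_group`, `endpoint_profile`, `byod_registered`, `ssid`, `guest_type`) and the endpoint profile names are assumptions made for the example; the profile values are copied from the Enforcement States table as written. One point goes beyond the table: BYOD is placed above Employee, because its condition (AD employee and registered device) is a superset of the Employee condition, and in the table's listing order a first-match engine would never reach it. The `coverage_report` helper shows how to find such shadowed rules with a set of sample sessions.

```python
# Added example (not from the original checklist): first-match evaluation of the
# pseudo-policy against session attributes, returning the RADIUS attributes listed
# for the matching authorization profile. Session keys, endpoint profile names and
# the BYOD-before-Employee ordering are assumptions made for this example.
from typing import Callable, Dict, List, Tuple

Session = Dict[str, object]
Attributes = Dict[str, object]

# Authorization profiles and attributes as recorded in the Enforcement States table.
PROFILES: Dict[str, Attributes] = {
    "Workstation_Access": {"vlan": "Data", "dacl": "ACL-WORKSTATIONS", "session_timeout": 86400},
    "Voice_Network": {"voice_vlan_permission": True, "session_timeout": 86400},
    "Printer_Network": {"vlan": "Data", "dacl": "ACL-PRINT-SERVERS", "session_timeout": 86400},
    "Employee_Access": {"vlan": "Data", "dacl": "ACL-EMPLOYEE-ACCESS", "session_timeout": 28800},
    "Internet_Only": {"vlan": "Data", "dacl": "ACL-INTERNET-ONLY", "session_timeout": 28800},
    "Guest_Redirect": {"url_redirect": "ACL-CENTRAL-WEBAUTH",
                       "url_redirect_acl": "ACL-URL-GUEST-REDIRECT", "session_timeout": 600},
}

# Rules are evaluated top-down and the first match wins, as in the ISE authorization
# policy. BYOD sits above Employee because its condition includes Employee's;
# in the table's listing order it would be shadowed and never match.
RULES: List[Tuple[str, Callable[[Session], bool], str]] = [
    ("Corporate Workstation", lambda s: s.get("ad_group") == "Domain Computers", "Workstation_Access"),
    ("Phones", lambda s: s.get("endpoint_profile") == "Cisco-IP-Phone", "Voice_Network"),
    ("Printers", lambda s: s.get("endpoint_profile") == "Printer", "Printer_Network"),
    ("BYOD", lambda s: s.get("ad_group") == "Employees" and bool(s.get("byod_registered")), "Internet_Only"),
    ("Employee", lambda s: s.get("ad_group") == "Employees", "Employee_Access"),
    ("Guest", lambda s: s.get("ssid") == "Guest" and s.get("guest_type") == "Sponsored", "Internet_Only"),
    ("Default", lambda s: True, "Guest_Redirect"),
]


def authorize(session: Session) -> Tuple[str, str, Attributes]:
    """Return (scenario name, authorization profile, attributes) for the first matching rule."""
    for scenario, condition, profile in RULES:
        if condition(session):
            return scenario, profile, dict(PROFILES[profile])
    raise RuntimeError("no rule matched; the policy must end with a catch-all Default rule")


def to_radius_avpairs(attrs: Attributes) -> List[str]:
    """Render the profile as the RADIUS attributes the network device would receive.

    Assumption: the dACL is shown by name only; ISE appends a version suffix to the
    #ACSACL#-IP- name when it provisions the ACL, which is omitted here."""
    out: List[str] = []
    if "vlan" in attrs:
        out += ["Tunnel-Type=VLAN", "Tunnel-Medium-Type=IEEE-802",
                f"Tunnel-Private-Group-ID={attrs['vlan']}"]
    if attrs.get("voice_vlan_permission"):
        out.append("cisco-av-pair=device-traffic-class=voice")
    if "dacl" in attrs:
        out.append(f"cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-{attrs['dacl']}")
    if "url_redirect_acl" in attrs:
        out.append(f"cisco-av-pair=url-redirect-acl={attrs['url_redirect_acl']}")
    if "url_redirect" in attrs:
        out.append(f"cisco-av-pair=url-redirect={attrs['url_redirect']}")
    out.append(f"Session-Timeout={attrs['session_timeout']}")
    return out


def coverage_report(sessions: List[Session]) -> Dict[str, int]:
    """Count rule hits over sample sessions. A rule with zero hits across a
    representative sample is usually shadowed by an earlier, broader rule."""
    hits = {name: 0 for name, _, _ in RULES}
    for s in sessions:
        hits[authorize(s)[0]] += 1
    return hits


# Constructed sample sessions, one per intended scenario (printers left out on purpose).
SAMPLE_SESSIONS: List[Session] = [
    {"ad_group": "Domain Computers"},
    {"endpoint_profile": "Cisco-IP-Phone"},
    {"ad_group": "Employees", "byod_registered": True},
    {"ad_group": "Employees"},
    {"ssid": "Guest", "guest_type": "Sponsored"},
    {},
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        scenario, profile, attrs = authorize(s)
        print(f"{scenario:22} -> {profile:20} {to_radius_avpairs(attrs)}")
    print(coverage_report(SAMPLE_SESSIONS))
```

Swapping the BYOD and Employee rules back into the table's order and re-running `coverage_report` shows BYOD dropping to zero hits, which is the same check worth running against the real policy with the Test Scenarios list before deploying at scale.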

Endpoints
In the Endpoint Details table, specify how all the various network endpoints will be authenticated
when TrustSec is enabled. Possible authentication methods include 802.1X, MAB, and web
authentication.

| Endpoint | Authentication Method | Notes |
|---|---|---|
| Windows XP SP# (native supplicant) | | |
| Windows Vista SP# (native supplicant) | | |
| Windows 7 (native supplicant) | | |
| Windows 7 (AnyConnect®) | | |
| Windows XP SP3 | | |
| Apple Mac OS X 10.7.x (native supplicant) | | |
| Linux | | |
| Apple iOS devices | | |
| Android devices | | |
| Cisco IP Phones | | |
| Cisco Access Point | | |
| Printers | | |
| Guests | | |
| PXE Boot | | |

Test Scenarios
Based on your desired security policy, anticipated endpoints, and enforcement states, create a list of
scenarios to test in your lab or small proof of concept deployment before deploying at scale. Table 7
lists some suggested scenarios to get you started.
| Scenario | Result (Pass/Fail) | Comments |
|---|---|---|
| MAB | | |
| Phone | | |
| Printer | | |
| Other | | |
| IOT: Camera | | |
| MAB+Profiling | | |
| User Authentication to Active Directory Domain | | |
| Single Sign-On (SSO): Username/Password | | |
| Windows Machine Authentication (Wired) | | |
| 802.1X Windows Native Supplicant Machine Authentication using PEAP-MSCHAPv2 | | |
| 802.1X Windows Native Supplicant Machine Authentication using EAP-TLS | | |
| 802.1X Windows Native Supplicant Machine Authentication on Docking Station | | |
| 802.1X Windows Native Supplicant Machine Authentication behind IP Phone | | |
| 802.1X Windows Native Supplicant Machine Authentication in VM on PC in Docking Station behind IP Phone | | |
| 802.1X Windows Native Supplicant Machine Authentication after Sleep/Hibernation | | |
| Windows User Authentication (Wired) | | |
| 802.1X Windows Native Supplicant Username+Password (PEAP-MSCHAPv2) | | |
| 802.1X Windows Native Supplicant User Certificate (EAP-TLS) | | |
| 802.1X Windows Native Supplicant User Authentication: Not domain-joined | | |
| 802.1X Windows Native Supplicant User Authentication: Domain-joined | | |
| 802.1X Windows Native Supplicant User Authentication on Docking Station | | |
| 802.1X Windows Native Supplicant User Authentication behind IP Phone | | |
| 802.1X Windows Native Supplicant User Authentication in VM on PC in Docking Station behind IP Phone | | |
| 802.1X Windows Native Machine Authentication after Sleep/Hibernation | | |
| Remote Desktop Protocol (RDP) Login with Windows Native Supplicant | | |
| Windows with AnyConnect (Wired and/or Wireless) | | |
| 802.1X AnyConnect NAM using PEAP-MSCHAPv2 | | |
| 802.1X AnyConnect NAM using EAP-TLS | | |
| 802.1X AnyConnect NAM EAP Chaining Machine (EAP-FAST: Certificate) | | |
| 802.1X AnyConnect NAM EAP Chaining User (EAP-FAST: Username) | | |
| 802.1X AnyConnect NAM EAP Chaining Both (EAP-FAST: Machine Certificate + Username) | | |
| Easy Connect | | |
| 802.1X + Passive-ID - Post | | |
| 802.1X + Passive-ID - Post | | |
| Easy Connect - Post | | |
| Wireless | | |
| 802.1X iOS | | |
| 802.1X Android | | |
| 802.1X Other Mobile OS | | |
| 802.1X BYOD post-onboarding using EAP-TLS | | |
| 802.1X Anonymous | | |
| Guest Access (Wired and/or Wireless) | | |
| Guest: Hotspot (with/out Passcode, AUP, etc.) | | |
| Guest: Registration & Login | | |
| Guest: Sponsor User Creation | | |
| Guest: Sponsored User Login | | |
| WebAuth: Employee login with AD | | |
| CWA Chaining (Cert) Initial WebAuth pending | | |
| CWA Chaining (Cert) | | |
| CWA Chaining (Username) WebAuth pending | | |
| CWA Chaining (Username) | | |
| Posture | | |
| EAP Chaining Both (Machine cert + username) Posture pending | | |
| EAP Chaining Both (Machine cert + username) Posture compliant | | |
| VPN | | |
| AnyConnect SSL VPN Username+Password | | |
| AnyConnect SSL VPN Certificate | | |
