BRKSEC-2347

Summary: The document outlines best practices and strategies for deploying Cisco Identity Services Engine (ISE), emphasizing the importance of simplifying and optimizing deployments to reduce administrative burdens. It covers foundational steps, node types, licensing, and a phased approach to implementation, including monitoring and low-impact modes for wired access. Additionally, it provides recommendations for scaling, managing certificates, and ensuring high availability in ISE deployments.

ISE Deployment

Improvements Tips and Tricks

Katherine McNamara – Technical Solutions Architect

BRKSEC-2347

#CiscoLive https://ciscolive.ciscoevents.com/
#CiscoLive BRKSEC-2347 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Where to Start
• Laying the Foundation
• A Phased Approach
• Tuning Policy Sets
• The Power of Profiling
• Integrations
• Post-Deployment
• Conclusion
A little about me…
• Started as an early ISE 1.1 customer
• 15+ years of network & security experience
• Lots of paper: BS and MS in IT Security, 2x CCIE (Data Center + Security), CISSP, and various other industry certifications
• Co-authored the recent Cisco Press SISE book
• Co-organizer of the largest Cisco Meetup study group (Routergods) and owner of the network-node blog
Where to Start

Simplifying and optimizing your deployment is how you lower the administrative burden of managing ISE.
The Swiss Army Knife of Network Access Control
• TACACS+ Device Administration: Migrating from Cisco Secure ACS or building a new Device Administration policy server, this allows secure, identity-based access to the network devices themselves.
• Secure Access: Allow wired, wireless, or VPN access to network resources based upon the identity of the user and/or endpoint. Use RADIUS with 802.1X, MAB, Easy Connect, or Passive ID.
• Guest Access: Differentiate between corporate and guest users and devices. Choose from Hotspot, Self-Registered Guest, and Sponsored Guest access options.
• Asset Visibility: Use the probes in ISE and Cisco network devices to classify endpoints and authorize them appropriately with Device Profiling. Automate access for many different IoT devices.
• Compliance & Posture: Use agentless posture, Cisco Secure Client, MDM, or EMM to check endpoints and verify compliance with policies (patches, AV, AM, USB, etc.) before allowing network access.
• Context Exchange: ISE pxGrid is an ecosystem that allows any application or vendor to integrate with ISE for endpoint identity and context, increasing network visibility and enabling automated enforcement.
• Segmentation: Group-based policy allows segmentation of the network through Security Group Tags (SGT) and Security Group ACLs (SGACL) instead of VLAN/ACL segmentation.
• Cisco SDA/DNAC: ISE integrates with DNA Center to automate the network fabric and enforce policy throughout the entire network infrastructure using Software-Defined Access (SDA).
• BYOD: Allow employees to use their own devices to access network resources by registering the device and downloading certificates for authentication through a simple onboarding process.
• Threat Containment: Use a threat analysis tool, such as Cisco Cognitive Threat Analytics, to grade an endpoint's threat score and allow network access based upon the result.
Where To Start…
• Define your business and security objectives
• What is it that you want ISE to do for you?
• Determine which teams will be needed
• Virtualization team?
• Desktop support?
• PKI?
• etc
• Collaborate with those teams at the beginning of the project
• Get management buy-in early

Laying the Foundation

Let's Talk about ISE Personas…
• Policy Administration Node (PAN), max 2 in a deployment
  - Single pane of glass for ISE administration
  - Replication hub for all database configuration changes
• Monitoring and Troubleshooting Node (MnT), max 2 in a deployment
  - Reporting and logging node
  - Syslog collector for the ISE nodes
• Policy Service Node (PSN), max 50 in a deployment
  - Makes policy decisions
  - RADIUS/TACACS+ server
• pxGrid Controller, max 4 in a deployment
  - Facilitates sharing of context
ISE Deployment Scale
• Lab and Evaluation: 100 endpoints
• Small HA Deployment: 2 x (PAN+MNT+PSN); up to 50,000 endpoints on 3600-series appliances, up to 100,000 on 3700-series appliances
• Medium Multi-node Deployment: 2 x (PAN+MNT+PXG) plus up to 6 PSNs
• Large Deployment: 2 PAN, 2 MNT, up to 50 PSNs plus up to 4 pxGrid nodes; up to 2,000,000 endpoints (3600 and 3700 series)
ISE Node Types
• Physical Appliances: SNS-3795, SNS-3755, SNS-3715, SNS-3695, SNS-3655, SNS-3615, SNS-3595
• Virtual Machines
• Cloud Instances (marked "Future" on the slide)
Expanding Your ISE Deployment…

Adding an ISE Node

Changing the Persona
Recommendations
• Make your life easier: Use load balancers
• Easier to add PSNs
• Easier to upgrade
• Failover is more seamless
• Scale up as you grow
• VMs or appliances? Same specs!
• Device Admin? Think about separate PSNs for TACACS+
• Use the ISE Scalability Guide as a reference

Licensing
• Endpoint licenses are based on concurrently connected endpoints only
• Endpoint licenses are term-based
• Endpoint licenses do not include Secure Client/AnyConnect licenses
• Other license types:
  • Virtual Machine licenses
  • Device Admin licenses
Certificates
• ISE's EAP certificate is only for ISE to identify/authenticate itself to the endpoint
• ISE can accept certificate-based authentication from endpoints whose certificates were issued by various Root CAs: a BYOD PKI vendor for BYOD devices, the corporate CA for employee machines, a manufacturer CA for IP phones
[Figure: EAP exchanges between ISE and a BYOD device, an employee endpoint and an IP phone; a second figure shows ISE trusting the BYOD PKI vendor CA alongside the other issuing CAs]
Certificates
• Pre-load trusted root certificates – including potentially:
• Manufacturer certificates for phones, printers, etc
• Internal PKI root certificate
• etc
• “Trust for client authentication and Syslog”

Reduce Chaos and Unpredictability
• As best as you can: Standardize! Standardize! Standardize!
• Switch IOS Versions
• Wireless Controller Versions
• Switch and Wireless Configuration Templates
• Check the versions and capabilities against the ISE Network
Component Capability Releases
• If possible, validated OS versions
• Enable SMTP for alerts, warnings of certificates expiring, etc

Reduce Chaos and Unpredictability
• Create and deploy Active Directory GPO
• Seamless native supplicant configuration for user
• Seamless wired-to-wireless transition
• Endpoint and Trusted Root Certificates
• Use SCCM or software delivery package if needed for Secure Client
• Utilize the 90 day VM evaluation – Lab It Up

Lab It Up!

A Phased Approach
A Phased Approach to ISE…
• VPN:
• Create a test VPN profile
• Migrate the profile to production after testing
• Wireless:
• Create a test SSID
• Migrate the profile to production after testing
• But what about wired?

Wired Phases
• Monitor Mode: the port is open unconditionally. Passed and failed authentications alike reach the campus network (file, DHCP and DNS servers); ISE only observes.
• Low-Impact Mode: before authentication a PREAUTH ACL on the port (conceptually "permit eap dhcp dns / deny any") lets through only what an endpoint needs to get authenticated and addressed; after authentication a PERMIT ACL ("permit ip any any", normally delivered by ISE as a dACL) opens the port.
• Closed Mode: before authentication only EAP is allowed; after authentication the endpoint receives its authorized access.
Monitor Mode
• No impact to existing network
• Prepare for enforcement
• Visibility to:
• Endpoints on network & their supplicant configuration
• Passed/Failed 802.1x & MAB attempts
• To configure:
• Enable 802.1X and MAB
• Enable Open Access
• Enable Multi-Auth host mode

Low Impact Mode
• Begin to control/differentiate access
• Minimize impact to existing network while
retaining visibility of Monitor Mode
• Start from Monitor Mode
• Add ACLs, dACLs, Flex-auth, etc
• Limit number of devices connecting to
ports

Closed Mode
• Not everyone goes to Closed Mode
• No access at all before authentication
• Rapid access for non-802.1x-capable corporate
assets
• Logical isolation of traffic at the access layer
• Return to default “closed” access
• Implement identity-based access assignment

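The three wired phases above as one access port's configuration, written in the IBNS 1.0 (legacy-style) syntax the deck calls the out-of-box style. This is an added example, not configuration from the slides: the interface name, VLAN numbers, timers and the ACL name are assumptions. Note that EAPOL is a Layer 2 protocol and is never blocked by an IP port ACL, so the slide's "permit eap" is implicit in the PREAUTH ACL.

```ios
! ---- Monitor Mode: authentication runs, but the port is open whatever the result ----
! (assumed interface GigabitEthernet1/0/10, data VLAN 100, voice VLAN 200)
interface GigabitEthernet1/0/10
 description MONITOR-MODE
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! ---- Low-Impact Mode: still "open", but a pre-auth port ACL limits traffic until ISE
! ---- returns a dACL; one data + one voice device per port, and restrict on violation
ip access-list extended PREAUTH-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny ip any any
!
interface GigabitEthernet1/0/10
 description LOW-IMPACT-MODE
 ip access-group PREAUTH-ACL in
 authentication host-mode multi-domain
 authentication violation restrict
!
! ---- Closed Mode: drop "authentication open"; nothing but EAPOL passes before authorization
! ---- (the port ACL can stay: it is irrelevant before auth and replaced per session by the dACL after)
interface GigabitEthernet1/0/10
 description CLOSED-MODE
 no authentication open
```

Moving a port from one phase to the next is therefore a one- or two-line change per interface, which is what makes the switch-by-switch progression through Network Device Groups practical. Verify the state of a port with `show authentication sessions interface GigabitEthernet1/0/10 details`: in Monitor Mode failed sessions still show the port as open, in Low-Impact Mode the applied ACL (port ACL or dACL) is listed per session.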
More on Wired Access…
• Start as much as you can in Monitor Mode
  • Gathers contextual information about endpoints
  • Find the "Unknown" endpoints
  • See which endpoints would have failed AuthC/AuthZ
• Build and test your policies in Monitor Mode
  • Note: a Monitor Mode port still applies whatever authorization result ISE returns (dACL, VLAN, etc.), so a policy that returns anything other than plain access silently moves that port into low-impact behaviour; keep results to PermitAccess until you intend to enforce
• Utilize Network Device Groups to make policy easier
  • Move switch-by-switch into Low-Impact Mode this way
Monitor Mode for Policy Rules

Creating and Applying Network Device Groups

Policy Set Example – Monitor vs Low-Impact

Moving from Monitor to Low-Impact Mode
Wired – High Availability
• More PSNs (up to 50)
• Failover to another PSN: initial delay (RADIUS deadtime)
• Failover to another PSN via a load balancer
• Local PSN deployed to critical sites
• Switch configuration:
  • IBNS 1.0 pros:
    • Fail open / VLAN / voice authorization
    • Reauthorize once a RADIUS server is available again
  • IBNS 1.0 cons:
    • Not very dynamic
Wired – High Availability
• Switch configuration:
  • IBNS 2.0 pros:
    • Fail open / ACL / ACL with conditions / SGT / VLAN / voice authorization, etc.: any number of options and conditions
    • Extremely dynamic
  • IBNS 2.0 cons:
    • More complicated to configure
• IBNS 1.0 is the "out-of-box" configuration style
• A switch can be converted to IBNS 2.0 with a single command:
    authentication display new-style
• Warning: once new-style configuration has been entered and saved there is no way back to legacy style short of wiping and rebuilding the switch configuration
IBNS 1.0: Inaccessible Authentication Bypass
• Switch detects the PSN is unavailable
• Enables the port in the critical VLAN
• Existing sessions retain their authorization status
• Recovery action can re-initialize the port when AAA returns
• The critical data VLAN can be anything:
  • Same as the default access VLAN
  • Same as the guest/auth-fail VLAN
  • A new VLAN

  authentication event server dead action authorize vlan 100
  authentication event server alive action reinitialize
  authentication event server dead action authorize voice    ! critical voice VLAN
IBNS 1.0: Critical Auth for Data and Voice

IBNS 1.0: Default Port ACL Issues with Critical VLAN
Limited Access Even After Authorization to New VLAN
• Data VLAN reassigned to critical auth VLAN, but new (or reinitialized) connections are still
restricted by existing port ACL

IBNS 2.0: Authorize Port if AAA Down
• Event: Session started
  • Attempt to authenticate using 802.1x until failure
• Event: Authentication failure
  • If AAA is completely down: stop 802.1x and authorize the port
  • If there is no response from the supplicant (AAA not down), authorize to the guest VLAN
  • If 802.1x authentication fails, authorize to the guest VLAN

  interface g1/0/1
   dot1x pae authenticator
   spanning-tree portfast
   switchport access vlan 100
   switchport mode access
   mab
   access-session port-control auto
   service-policy type control subscriber POLICY-A

  policy-map type control subscriber POLICY-A
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x
   event authentication-failure match-first
    10 class AAA-DOWN do-all
     10 terminate dot1x
     20 authorize
    20 class DOT1X_NO_RESP do-until-failure
     10 activate service-template GUEST_VLAN
    30 class 1X-FAIL do-all
     10 activate service-template GUEST_VLAN
IBNS 2.0: Assign Critical ACL if AAA down
• Event: Session started
  • Attempt to authenticate using 802.1x until failure
• Event: Authentication failure
  • If AAA is down, do the following:
    • Authorize the port
    • Activate service-template CRITICAL on the port, which consists of a local ACL named "ACL-CRITICAL"
    • Terminate 802.1x authentication

  interface g1/0/1
   dot1x pae authenticator
   spanning-tree portfast
   switchport access vlan 100
   switchport mode access
   mab
   access-session port-control auto
   service-policy type control subscriber POLICY-B

  policy-map type control subscriber POLICY-B
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x
   event authentication-failure match-all
    10 class AAA-DOWN do-all
     10 authorize
     20 activate service-template CRITICAL
     30 terminate dot1x

  service-template CRITICAL
   access-group ACL-CRITICAL

  ip access-list extended ACL-CRITICAL
   permit udp any eq bootpc any eq bootps
   permit udp any any eq domain
IBNS 2.0: Assign VLAN if AAA down
• Event: Session started
  • Attempt to authenticate using 802.1x until failure
• Event: Authentication failure
  • If AAA is down, do the following:
    • Authorize the port
    • Activate service-template CRITICAL on the port, which consists of VLAN 110
    • Terminate 802.1x authentication

  interface g1/0/1
   dot1x pae authenticator
   spanning-tree portfast
   switchport access vlan 100
   switchport mode access
   mab
   access-session port-control auto
   service-policy type control subscriber POLICY-B

  policy-map type control subscriber POLICY-B
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x
   event authentication-failure match-all
    10 class AAA-DOWN do-all
     10 authorize
     20 activate service-template CRITICAL
     30 terminate dot1x

  service-template CRITICAL
   vlan 110
IBNS 2.0: Assign Voice VLAN if AAA down
• Event: Session started
  • Attempt to authenticate using 802.1x until failure
• Event: Authentication failure
  • If AAA is down, do the following:
    • Authorize the port
    • Activate service-template CRITICAL, which authorizes the voice VLAN (the port must have a switchport voice vlan configured for this to take effect)
    • Terminate 802.1x authentication

  interface g1/0/1
   dot1x pae authenticator
   spanning-tree portfast
   switchport access vlan 100
   switchport mode access
   mab
   access-session port-control auto
   service-policy type control subscriber POLICY-B

  policy-map type control subscriber POLICY-B
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x
   event authentication-failure match-all
    10 class AAA-DOWN do-all
     10 authorize
     20 activate service-template CRITICAL
     30 terminate dot1x

  service-template CRITICAL
   voice vlan
IBNS 2.0: Assign SGT if AAA down
• Event: Session started
  • Attempt to authenticate using 802.1x until failure
• Event: Authentication failure
  • If AAA is down, do the following:
    • Authorize the port
    • Activate service-template CRITICAL, which assigns SGT 10 to the endpoint
    • Terminate 802.1x authentication

  interface g1/0/1
   dot1x pae authenticator
   spanning-tree portfast
   switchport access vlan 100
   switchport mode access
   mab
   access-session port-control auto
   service-policy type control subscriber POLICY-B

  policy-map type control subscriber POLICY-B
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x
   event authentication-failure match-all
    10 class AAA-DOWN do-all
     10 authorize
     20 activate service-template CRITICAL
     30 terminate dot1x

  service-template CRITICAL
   sgt 10
IBNS 2.0: Assign CRITICAL ACL, Voice VLAN, SGT and VLAN if AAA down
• Event: Session started
  • Attempt to authenticate using 802.1x until failure
• Event: Authentication failure
  • If AAA is down, do the following:
    • Authorize the port
    • Activate service-template CRITICAL on the port, which consists of a local ACL named "ACL-CRITICAL", VLAN 110, the voice VLAN and SGT 10
    • Terminate 802.1x authentication

  interface g1/0/1
   dot1x pae authenticator
   spanning-tree portfast
   switchport access vlan 100
   switchport mode access
   mab
   access-session port-control auto
   service-policy type control subscriber POLICY-B

  policy-map type control subscriber POLICY-B
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x
   event authentication-failure match-all
    10 class AAA-DOWN do-all
     10 authorize
     20 activate service-template CRITICAL
     30 terminate dot1x

  service-template CRITICAL
   access-group ACL-CRITICAL
   vlan 110
   voice vlan
   sgt 10

  ip access-list extended ACL-CRITICAL
   permit udp any eq bootpc any eq bootps
   permit udp any any eq domain
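Two things the IBNS 2.0 slides rely on but do not show: how the switch decides that AAA is "down" (the RADIUS dead criteria and deadtime behind the "initial delay" on the Wired High Availability slide) and the class maps that POLICY-A/POLICY-B reference by name. The configuration below is an added example, not taken from the deck: PSN addresses, server and group names, the probe user, the guest VLAN number and the CoA configuration are assumptions, and the class-map names are chosen to match the slides (Cisco's built-in templates use names such as AAA_SVR_DOWN_UNAUTHD_HOST and DOT1X_FAILED for the same matches).

```ios
! ---- RADIUS dead detection (assumed PSN addresses 10.1.1.10 / 10.1.1.11) ----
radius server ISE-PSN-1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 automate-tester username ise-probe probe-on
 key <Shared-Secret>
!
radius server ISE-PSN-2
 address ipv4 10.1.1.11 auth-port 1812 acct-port 1813
 automate-tester username ise-probe probe-on
 key <Shared-Secret>
!
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! A server is marked dead after 3 unanswered requests within 10 seconds and stays dead
! for 15 minutes; only then does the switch evaluate the AAA-DOWN class below.
! "probe-on" sends a test Access-Request while the server is dead so it is revived early;
! ISE answers the probe with an Access-Reject, which still counts as proof of life, so expect
! those rejects for ise-probe in the ISE live log.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
! Accept Change of Authorization from the PSNs so a recovered ISE can reauthorize sessions
aaa server radius dynamic-author
 client 10.1.1.10 server-key <Shared-Secret>
 client 10.1.1.11 server-key <Shared-Secret>
!
! ---- Class maps referenced by POLICY-A / POLICY-B on the slides ----
class-map type control subscriber match-all AAA-DOWN
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all 1X-FAIL
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all IN_CRITICAL_AUTH
 match activated-service-template CRITICAL
!
! Guest VLAN template used by POLICY-A (assumed VLAN 900)
service-template GUEST_VLAN
 vlan 900
!
! ---- Recovery: when a PSN comes back, tear down critical-auth sessions so they re-authenticate ----
policy-map type control subscriber POLICY-B
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
```

Dead-criteria and deadtime are global, so tune them once and test by blocking UDP/1812 to a PSN in the lab: `show aaa servers` shows the server state flip to DEAD, and `show access-session interface g1/0/1 details` then shows the CRITICAL template on new sessions. Without the `aaa-available` event, endpoints authorized under CRITICAL keep that authorization until they reauthenticate or the port bounces, even after ISE is back.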
Authentication
• Multiple authentication methods
  • 802.1x
    • Multiple 802.1X EAP methods simultaneously:
      • TEAP with EAP-TLS for corporate endpoints
      • EAP-TLS for supported printers and phones
      • PEAP-MSCHAPv2 for BYOD
  • Easy Connect
    • User authentication without 802.1x
  • Web Auth
  • MAB
Allowed Protocols
• ISE gives many options…
• Most common allowed protocols:
• Process Host Lookup
• EAP-TLS
• PEAP-MSCHAPv2
• PEAP-EAP-TLS
• EAP-TEAP

Azure AD/Entra ID Support (EAP-TTLS and EAP-TLS currently supported)
EAP-TLS flow:
1. Client presents its certificate. The UPN must be in the certificate; optionally a GUID in the certificate identifies the device to Intune.
2. ISE verifies the certificate comes from a trusted certificate authority.
3. ISE extracts the UPN and requests the user groups/attributes from Entra ID over the REST ID connector ("User groups and attributes?").
4. Entra ID returns the user groups/attributes to ISE.
5. (Optional) ISE extracts the GUID and requests the compliance status from Intune ("Compliant?").
6. (Optional) Intune returns the compliant status for the endpoint.
7. ISE authorizes the endpoint and grants access to the network.
Easy Connect
1. Endpoint initially connects to the network.
2. Endpoint authenticates via MAB.
3. Endpoint is granted access to basic services to allow AD login (authorization: AD Login Only).
4. User logs into the computer with their AD credentials, which are authenticated against Active Directory.
5. Credentials authenticate successfully and the login succeeds.
6. ISE receives the login event from Active Directory with the username and the address of the endpoint; ISE binds this to the existing MAB session to determine the new authorization.
7. ISE issues a CoA (Change of Authorization) to the NAD.
8. ISE grants the endpoint full access.
Example of Easy Connect AD Only ACL
(dACL content as returned by ISE for the "AD Login Only" authorization; <AD-DC> is each domain controller)

  permit udp any eq bootpc any eq bootps         ! DHCP
  permit udp any any eq domain                    ! DNS
  permit icmp any any
  permit tcp any host <AD-DC> eq 88               ! Kerberos
  permit udp any host <AD-DC> eq 88
  permit udp any host <AD-DC> eq ntp              ! time sync (Kerberos clock skew)
  permit tcp any host <AD-DC> eq 135              ! RPC endpoint mapper
  permit udp any host <AD-DC> eq netbios-ns
  permit tcp any host <AD-DC> eq 139              ! NetBIOS session
  permit tcp any host <AD-DC> eq 389              ! LDAP
  permit udp any host <AD-DC> eq 389
  permit tcp any host <AD-DC> eq 445              ! SMB (GPO, SYSVOL)
  permit tcp any host <AD-DC> eq 636              ! LDAPS
  permit udp any host <AD-DC> eq 636
  permit tcp any host <AD-DC> eq 1025             ! RPC ports as listed on the slide
  permit tcp any host <AD-DC> eq 1026
Migrating to 802.1x? Make it easier with Easy Connect
Phased Posturing – Client Provisioning
• Determines which posture agent type is delivered
• Can be scoped to a test subset of endpoints based on:
  • Endpoint Identity Groups
  • Access method
  • User identity
  • etc.
• Create a client provisioning policy for a test group first
• After testing, move the policy to production
Client Provisioning – Creating a Test Policy

Phased Posturing – Posture Policy
• Determines which requirements will be checked
• Conditions can be applied similar to the Client Provisioning policy
• Requirements may be added over time
• Requirements have three modes:
• Mandatory
• Optional
• Audit

Posture Policy – Creating a Test Policy

Tuning Policy Sets
Policy Logic
• All policies in ISE follow the same logic:
  if {condition} then {result}
• Think about it in non-technical terms:
  • If {the user is in the marketing department} then {let them on the network}
  • If {the user is using their laptop from home} then {only give them internet access}
• Think about what you are trying to achieve in non-technical terms first, then create the policy in ISE using technical conditions/results that accomplish it
• Similar to an ACL: first matched rule wins
Policy Conditions
• AND – both conditions MUST match
  • "SSID is Corp-WiFi AND the endpoint is authenticating with wireless 802.1X"
Policy Conditions
• OR – At least one of the conditions must match
• “Endpoint must be authenticating on the wired network with 802.1x OR MAB”

Policy Conditions
• NOT – This condition must NOT be met
• “Endpoint should NOT be an Apple device”

Policy Conditions
• Combine them to create the conditions required to meet your business use case:
  • "The endpoint's user and machine must have both successfully authenticated AND the user must be part of the Corporate OR Enterprise AD groups and they should NOT be trying to connect to a network device in San Francisco"
A little history lesson…

Introduced in ISE 1.3: Policy Sets
• Groups of authentication and authorization policies to manage network access control
• Create segmented authentication and authorization rules for specific use cases, locations, NAD types, authentication methods, and much more
• No more single running list of authentication/authorization rules to manage and troubleshoot
• Reduces the fault surface if there is a misconfiguration
Policy Set Flow
1. A RADIUS packet arrives from a NAD in the SJC01 group. Condition: NAD is in the SJC01 group and the request is part of windows-dot1x-azure. Result: the first policy set that matches checks its allowed protocols and processes the packet.
2. Authentication policy. Condition: the RADIUS packet has an EAP tunnel of EAP-TTLS. Result: credentials are authenticated against Azure AD.
3. After successful authentication the authorization policy is evaluated next. Condition: the user is part of the Azure AD EmployeeGroup. Result: the endpoint is granted full access.
Grouping Policy Sets
There is more than one way to make an omelette!
• Many ways to overcomplicate, but many ways to simplify
• Embrace the KISS principle!
• Commonly two trains of thought:
  1. Policy Sets based on device type, location, and/or SSID:
     • Network Device Group: Switches, Wireless Controller, VPN
     • (Optional) Network Device Group Location: HQ
     • (Optional) SSID: Corp-Guest
  2. Policy Sets based on use case:
     • Use case: Wired 802.1x, Wireless 802.1x, Wired MAB, Wireless MAB, etc.
     • (Optional) Network Device Group Location: HQ
     • (Optional) SSID: Corp-Guest
Policy Sets – Option 1 Example

Policy Sets – Option 2 Example
The Power of Profiling
Endpoint Profiling – Visibility Data Sources
The profiling service in Cisco ISE identifies the devices that connect to your network.

ISE data collection methods for device profiling:
• Active probes: NetFlow | DHCP | DNS | HTTP | RADIUS | NMAP | SNMP | AD
• Device Sensor (DS): CDP | LLDP | DHCP | HTTP | H323 | SIP | mDNS
• Cisco Secure Client (formerly AnyConnect): ACIDex (Cisco Secure Client Identity Extensions)
• Feed Service (online/offline) delivers profile updates to ISE

Endpoints send interesting data that reveals their device type; the Device Sensor on the network device and ACIDex on the client forward it to ISE.
ISE Profiling Probes
• RADIUS
  • Collects session attributes as well as the CDP, LLDP, DHCP, HTTP and mDNS data forwarded by the IOS Device Sensor
• SNMP Query and Traps
  • Collects information such as interface, CDP, LLDP, ARP, link-up, link-down and MAC notifications
• DHCP
  • Listens for DHCP packets
• DNS
  • Performs a reverse DNS lookup to learn the endpoint's FQDN
• HTTP
  • Receives and parses HTTP packets to discover the User-Agent
ISE Profiling Probes
• Netflow
• Collects Netflow packets – Don’t use this one!

• Active Directory
• Queries AD for Windows information

• NMAP
• Scans endpoints for open ports, service information, and OS

• pxGrid
• Fetches attributes of MAC or IP address of a subscriber

• AnyConnect ACIDEX
• Provides ACIDEX information to ISE over RADIUS – device public MAC and device
platform
RADIUS Probe Sample Configuration

  aaa authentication dot1x default group ise-group
  aaa authorization network default group ise-group
  aaa accounting dot1x default start-stop group ise-group
  aaa accounting update newinfo periodic 2880
  !
  radius server ise
   address ipv4 <ISE-PSN-IP> auth-port 1812 acct-port 1813
   key <Shared-Secret>
  !
  aaa group server radius ise-group
   server name ise
  !
  ip radius source-interface <Interface>
  !
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server vsa send accounting
  radius-server vsa send authentication
SNMP Probe Sample Configuration

  ! Traps to ISE (SNMP trap probe)
  interface <interface>
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
  !
  mac address-table notification change
  mac address-table notification mac-move
  !
  snmp-server trap-source <interface>
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host <ISE-PSN-IP> version 2c <string>
  !
  ! Read-only community for the SNMP query probe, plus CDP/LLDP so the query returns neighbour data
  snmp-server community <string> RO
  cdp run
  !
  interface <interface>
   cdp enable
  !
  lldp run
  !
  interface <interface>
   lldp receive
   lldp transmit
HTTP Probe Sample Configuration
ip http server
ip http secure-server
!
ip access-list extended REDIRECT-ACL
 deny ip any host <ISE-PSN-IP>
 permit tcp any any eq http
 permit tcp any any eq https
DHCP Probe Sample Configuration
interface vlan 30
 ip helper-address <PSN-IP-Address>
Device Sensor for Wired

1) Filter DHCP, CDP, and LLDP options/TLVs

2) Enable sensor data to be sent in RADIUS Accounting, including all changes
   device-sensor accounting
   device-sensor notify all-changes

3) Disable the local analyzer if sending sensor updates to ISE (central analyzer)
   no macro auto monitor
   access-session template monitor
Device Sensor for WLCs
• Per-WLAN enable/disable of device profiling
• DHCP (WLC 7.2.110.0): Hostname, Class ID
• HTTP/Both (WLC 7.3): User Agent
• FlexConnect with Central Switching supported
Device Sensor for Catalyst 9800s
Configuration > Tags & Profiles > Policy
Enabling Probes on ISE

Profiling Logic

Profile Hierarchy
Profile: Cisco-Device
 Minimum Certainty Factor: 10
 NMAP Action: OS-scan
 15 Rules, must match 1-2 rules
  Profile: Cisco-Access-Point (child of Cisco-Device)
   Minimum Certainty Factor: 10
   6 Rules, must match at least 1 rule
    Profile: Cisco-AP-Aironet-1040 (child of Cisco-Access-Point)
     Minimum Certainty Factor: 30
     4 Rules, must match at least 1 rule

In order to be profiled as a Cisco-AP-Aironet-1040, the endpoint must match 3-4 unique rules in total, based on the default policies built into ISE.
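As an added example (not from the presentation and not ISE code), the following Python models the hierarchy above: a child profile is only evaluated once its parent has reached its minimum certainty factor, and a custom profile with a high minimum certainty (the 500+ the talk recommends) outranks a built-in sibling when it matches. The rule attributes, certainty values and endpoint data are constructed to mirror the slide, not copied from ISE's built-in policies.

```python
"""Toy model of ISE's hierarchical profiling decision.

Added example, not ISE code.  A child profile is only evaluated once its
parent has reached its minimum certainty factor (CF), every profile must reach
its own minimum, and among matching siblings the highest score wins.  Rule
attributes and CF values are constructed to mirror the slide; they are not
ISE's built-in policy.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    attribute: str   # endpoint attribute, e.g. "cdpCachePlatform"
    contains: str    # case-insensitive substring test, like ISE's CONTAINS
    certainty: int   # CF contributed when the rule matches


@dataclass
class Profile:
    name: str
    min_certainty: int
    rules: list
    parent: Optional[str] = None   # None = top of the hierarchy


def score(profile, attrs):
    """Sum the CF of every rule whose substring appears in the endpoint attribute."""
    total = 0
    for rule in profile.rules:
        if rule.contains.lower() in attrs.get(rule.attribute, "").lower():
            total += rule.certainty
    return total


def classify(profiles, attrs):
    """Return the matched profile chain, root first; [] means Unknown."""
    chain = []
    parent = None
    while True:
        # Only the children of the last matched profile are candidates.
        matched = []
        for p in profiles:
            if p.parent == parent:
                s = score(p, attrs)
                if s >= p.min_certainty:
                    matched.append((s, p.name))
        if not matched:
            return chain
        _, parent = max(matched)   # highest score among matching siblings
        chain.append(parent)


# Constructed policy mirroring the slide's Cisco-Device > Cisco-Access-Point >
# Cisco-AP-Aironet-1040 chain, plus one custom profile built the way the talk
# recommends (minimum CF of 500, well above the built-ins).
PROFILES = [
    Profile("Cisco-Device", 10, [
        Rule("OUI", "Cisco", 10),
        Rule("cdpCachePlatform", "cisco", 5),
    ]),
    Profile("Cisco-Access-Point", 10, [
        Rule("cdpCachePlatform", "AIR-", 10),
        Rule("cdpCacheDeviceId", "AP", 5),
    ], parent="Cisco-Device"),
    Profile("Cisco-AP-Aironet-1040", 30, [
        Rule("cdpCachePlatform", "AIR-CAP104", 30),
    ], parent="Cisco-Access-Point"),
    Profile("Custom-Lobby-AP", 500, [
        Rule("cdpCacheDeviceId", "lobby", 500),
    ], parent="Cisco-Access-Point"),
]

# Constructed attribute sets, as the RADIUS/SNMP probes would collect them.
AP_1040 = {
    "OUI": "Cisco Systems, Inc",
    "cdpCachePlatform": "cisco AIR-CAP1042N-A-K9",
    "cdpCacheDeviceId": "AP1042-floor2",
}
LOBBY_AP = dict(AP_1040, cdpCacheDeviceId="AP1042-lobby")
NON_CISCO = {"OUI": "Apple, Inc."}

if __name__ == "__main__":
    for label, ep in [("AP", AP_1040), ("lobby AP", LOBBY_AP), ("other", NON_CISCO)]:
        print(label, " > ".join(classify(PROFILES, ep)) or "Unknown")
```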

Profile Packages and Integrations
(Figure: profile packages and pxGrid integrations. Medical Devices (Hospital): 250+ medical device profiles, delivered as an XML library. IOT Building & Automation Library: XML profile library. Industrial Devices (Factory): Cisco CyberVision, and Cisco AI Endpoint Analytics, profile IOT devices and send endpoint labels via pxGrid to ISE for authorization.)
Creating Custom Profiles
• Sometimes we need to create custom endpoint profiles
• The GUI does not make it easy to view collective attributes across many endpoints
• Sadly, the ISE Endpoint Analytics Tool is no longer supported after ISE 2.6
• How do we make it easier to create custom profiles?
• Answer: Endpoint export to CSV from the CLI!

• Best practices:
• Utilize hierarchical profiles if needed
• Minimum certainty factor should be higher than pre-built profiles (aim for 500+)
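Added example (not the presentation's or ISE's code): once endpoints are exported to CSV, a short script can find the attributes a group of unknown endpoints has in common and turn them into candidate conditions for a custom profile with a minimum certainty factor of 500. The CSV columns below are constructed to resemble an export using the profiling attribute names from this talk; the real export layout may differ.

```python
"""Turn an ISE endpoint CSV export into custom-profile candidates.

Added example, not ISE code.  Groups endpoints by OUI and reports the
attribute values shared by (almost) every member of a group; those shared
values are the conditions worth putting in a custom profile.  The CSV below
is constructed: column names follow the profiling attributes named in this
talk, but the real export layout may differ.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed export: four badge readers from one vendor plus one unrelated device.
SAMPLE_CSV = """\
MACAddress,OUI,dhcp-class-identifier,dhcp-parameter-request-list,host-name,User-Agent,EndPointPolicy
00:11:22:aa:00:01,ExampleBadgeCo,udhcp 1.24.2,"1,3,6,12,15,28",reader-01,,Unknown
00:11:22:aa:00:02,ExampleBadgeCo,udhcp 1.24.2,"1,3,6,12,15,28",reader-02,,Unknown
00:11:22:aa:00:03,ExampleBadgeCo,udhcp 1.24.2,"1,3,6,12,15,28",reader-03,,Unknown
00:11:22:aa:00:04,ExampleBadgeCo,udhcp 1.24.2,"1,3,6,12,15,28",reader-04,Mozilla/5.0 (X11),Unknown
3c:5a:b4:00:00:01,ExampleTVCo,dhcpcd-6.8.2,"1,3,6,12,15,28,42",living-room-tv,,Unknown
"""

MIN_ENDPOINTS = 2   # groups smaller than this are too small to generalise from
MIN_SHARE = 0.9     # a value must appear on at least 90% of the group's endpoints
IGNORE = {"MACAddress", "EndPointPolicy"}   # per-device identity / current result


def load_endpoints(text):
    """Parse the export; quoted fields such as the parameter request list stay intact."""
    return list(csv.DictReader(io.StringIO(text)))


def common_attributes(endpoints, group_key="OUI"):
    """Per group with >= MIN_ENDPOINTS members, return {attribute: value} for
    values present on at least MIN_SHARE of the members.  Per-device values
    (host-name) and one-off noise (a single User-Agent) drop out naturally."""
    groups = defaultdict(list)
    for ep in endpoints:
        groups[ep[group_key]].append(ep)
    shared_by_group = {}
    for key, members in groups.items():
        if len(members) < MIN_ENDPOINTS:
            continue
        shared = {}
        for attr in members[0]:
            if attr in IGNORE or attr == group_key:
                continue
            values = Counter(ep[attr] for ep in members if ep[attr])
            if not values:
                continue   # attribute never collected for this group
            value, count = values.most_common(1)[0]
            if count / len(members) >= MIN_SHARE:
                shared[attr] = value
        shared_by_group[key] = shared
    return shared_by_group


def suggest_profile(name, group_key, group_value, shared, min_certainty=500):
    """Render the shared values as ISE-style profile conditions.  The minimum
    certainty defaults to 500 so the custom profile outranks built-in ones."""
    conditions = [f"{group_key} EQUALS {group_value}"]
    conditions += [f"{attr} EQUALS {value}" for attr, value in shared.items()]
    return {"profile": name, "min_certainty": min_certainty, "conditions": conditions}


if __name__ == "__main__":
    for oui, shared in common_attributes(load_endpoints(SAMPLE_CSV)).items():
        print(suggest_profile(f"Custom-{oui}", "OUI", oui, shared))
```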

Creating Custom Profiles – Get All Endpoints

Creating Custom Hierarchical Profiles
Profiling Attributes
• OUI
• FQDN
• DHCP client-identifier
• DHCP class-identifier
• DHCP parameter-request-list
• DHCP host-name
• AD host-exists
• AD operating-system
• HTTP User-Agent
• CDP Cache Platform
• CDP System Name
• LLDP System Name
• LLDP System Description
• SNMP information
Cisco AI Analytics
(Figure: Cisco AI Endpoint Analytics architecture. Endpoint Analytics in Cisco Catalyst Center shows device classification results associated with endpoints; classifications and context are shared with Cisco ISE (ISE policy, Cisco ISE web interface). Telemetry sources: Catalyst 9000 switches running NBAR (SD-AVC Agent), the Wireless LAN Controller, and, for legacy Cisco switches / 3rd party devices, a SPAN from the distribution layer to a Telemetry Traffic Appliance (TTA).)
Cisco AI Endpoint Analytics
(Figure: the ML workflow; the clustering, rule creation and active learning steps are done in the ML cloud.)
• Clustering: ML groups different endpoints into clusters based on attribute data (unknown ISE endpoints plotted by Attribute A and Attribute B form Cluster 1 and Cluster 2)
• Endpoint Labeling: the system recommends labels, or the customer can teach the ML what to label the endpoints in a cluster ("These are Bosch Coffee Machines")
• Rule Creation: creates a rule that uniquely groups together endpoint clusters
• Active Learning: ML learns new labels and validates existing labels
• New Labels: Bosch = Coffee Machine, Arlo Pro = Wireless Cam
• Label Validation: Apple Watch, Cisco IP Phone 7980
AI Endpoint Analytics on ISE

Integrations
Platform Exchange Grid (pxGrid)
• Open and scalable Security Product Integration Framework (SPIF) that allows for bi-directional any-to-any partner platform integration
• Introduced in ISE 1.3
• Integrations with 100+ Cisco and non-Cisco products
• Reduces silos by integrating your security architecture together to share context, respond to threats, and ingest information
• Tons of guides on integrations at cs.co/ise-guides
• But also check out developer.cisco.com/site/pxgrid
On-Prem pxGrid Integration

1. Both ISE and the pxGrid client need to have an identity (pxGrid) certificate issued from a Root CA the other trusts. Note: the certificate EKU must have Client and Server Authentication
2. The pxGrid client is configured with the IP addresses of ISE's pxGrid nodes
3. The pxGrid client initiates the connection to ISE and authenticates itself with its identity (pxGrid) certificate
4. ISE will authenticate itself back to the client with its own pxGrid certificate
5. ISE should now list the pxGrid client in the pxGrid dashboard and share session context with the client by default. In the pxGrid dashboard, this client can also be assigned additional permissions by being added to pxGrid groups such as ANC

Note: Password-based pxGrid authentication is available but rarely used
pxGrid Cloud Integration
(Figure: pxGrid Cloud flow. ISE connects to dna.cisco.com; a partner registers its app in the App Store; the customer subscribes to the app's offer, then activates and launches the app.)
Context Sharing with pxGrid
Ecosystem partnership to enrich and exchange context, and to enact

• Context to Partner (Cisco ISE sends CONTEXT to the Eco-Partner): ISE makes the customer's IT platforms user/identity, device and network aware
• Enrich ISE Context (the Eco-Partner sends CONTEXT to Cisco ISE): enrich ISE context; make ISE a better policy enforcement platform
• Threat Mitigation (the Eco-Partner sends an ACTION to Cisco ISE, which MITIGATES): enforce dynamic policies into the network based on the partner's request
• Context Brokerage (ISE 2.2+): ISE brokers the customer's IT platforms to share data amongst themselves
PxGrid/ANC Policies in ISE

Other pxGrid Use-Case Examples
• Secure Firewall
• Share IP-to-Username binding, SGT, and profile information with Secure Firewall
• Create ACPs in Firepower based on profile, identity/AD Group, and SGT
• Quarantine endpoints from ISE based on detections from Secure Firewall

• Secure Network Analytics (SNA)
• Shares IP-to-Username binding, SGT, and profile information with SNA
• Create network-based detection policies in SNA that will quarantine an endpoint or change its access level through ISE
• And much more…
pxGrid Integration Tips
• Start with integrating to share context out:
• Gives information to a pxGrid subscriber such as username-to-IP binding, profile, SGT, etc.

• (Optional) Migrate data in for richer profiling:
• Custom third-party attributes don't build the profiles themselves
• You will still need to build profiles
• Leverage AI Analytics to help

• Rapid Threat Containment:
• Automates the change of access based on a trigger from a pxGrid subscriber
• Start with the "low hanging fruit" – you don't need to quarantine everything
Threat-Centric NAC (TC-NAC)
• Integrates with third-party vulnerability scanners such as Qualys, Rapid7, and Tenable
• Trigger an endpoint scan
• Ingest vulnerability information into ISE
• Integrates with Cisco Secure Endpoint and Cognitive Threat Analytics
• Ingests threat information about an endpoint
• Contextual information is stored under endpoint attributes, and Context Visibility dashboards give an overview of the data
Vulnerability Assessment with Threat-Centric NAC
(Figure: on-prem scanner flow. 1) Jim's endpoint connects through Cisco ISE; 2) ISE requests a scan of Jim's endpoint; 3) the on-prem scanner scans it; 4) the scan report is returned to ISE; 5) ISE records CVSS=10 against the endpoint; 6) the authorization policy is applied to Jim's endpoint. Harry and Alice are other users on the same ISE.)
Authorization Policy: If CVSS is greater than 5 = true, then Quarantine
CVSS: Common Vulnerability Scoring System
MDM Integrations
• Integrates with many third-party MDM vendors
• Onboard endpoints to MDM through ISE
• Control and visibility into non-corporate and mobile devices
• MDM posture checks in ISE authorization rules
MDM Integration Example

ISE APIs and Automation
(Figure: Postman / REST clients call the ISE OpenAPIs; API resources shown include internaluser, certificate, sgt, sgacl, endpoint, policy, identitygroup, node, portal, activedirectory, and guestuser.)
Integration Example: Catalyst Center and ISE
• Catalyst Center supercharges AI Analytics
• Granular profile recommendations utilizing telemetry and DPI

• Zero trust: Trust Score
• Score based on:
• Change in profile label
• Traffic pattern anomaly
• Unauthorized ports and weak credentials
• and more
• Quarantine low-scoring endpoints via ISE integration

• Configure TrustSec SGACLs and policy utilizing historic traffic patterns
Catalyst Center Trust Score and Spoofing Detection

Catalyst Center AI Endpoints Telemetry

TrustSec Policies with Catalyst Center Integration
Post-Deployment
Supporting your ISE Deployment
• Document, Document, Document!
• Policy Configuration
• Supplicant Configuration
• Certificate Information
• Network Access Devices
• Network Access Device Configuration

• Standardize the above configurations
Supporting your ISE Deployment
• ISE Version
• Patch Regularly
• If possible, wait until patch is 1-2 weeks old
• Upgrade when necessary
• End of Support
• Necessary feature
• Preferably upgrade to gold star

• Backup Schedule
• Operational Backup – Occasionally
• Configuration Backup - Regularly

Supporting your ISE Deployment
• Utilize the built-in ISE roles for Helpdesk, NOC, etc.
• Train your support staff
• Avoid being called for every issue
• Playbook for common issues for:
• NOC
• Helpdesk

• Know the tools you have to troubleshoot and monitor your deployment
• Create your playbook for your support staff with these tools
• Hidden troubleshooting slides in this presentation for the playbook
Troubleshooting Endpoint Issues
• ISE –
• Operations>RADIUS>Live Logs - Click the Details for the failed authentication
• Operations>Troubleshooting> Diagnostic Tools>Endpoint Debug – Add MAC address
and start debug

• Endpoint –
• Check the supplicant configuration for the endpoint
• Check that all necessary certificates are installed on the endpoint
• Check the OS version
• Check if User, Computer or User and Computer authentication is picked
• For wired access, ensure that the Wired AutoConfig service is turned on
• Check if endpoint is joined to AD domain or BYOD onboarded

Troubleshoot Network Access Device Issues
• ISE –
• Administration>Network Resources>Network Devices – Check to see if the NAD exists and the shared secret matches
• Operations>RADIUS>Live Logs – Check for alerts for Misconfigured Network Devices and RADIUS drops

• Network Access Device –
• Check OS version/model – Are similar NADs working with the same OS/model?
• Check configuration – Is it running the same template as others with the same OS/model?
• Are only some endpoints on the device failing? Check to see if CoA is working
• Debug commands
• RADIUS/TACACS source interface defined?
Debugging Switches for ISE/CTS Issues
• General CTS:
• debug cts all
• debug cts condition level detail
• debug cts messages
• debug cts packets
• PAC Failure:
• debug cts provision events
• debug cts provision packet
• debug cts ifc events
• AAA:
• debug radius
• debug radius all
• debug cts aaa
• debug cts ifc events
• debug eap events
• debug eap errors
• debug authen event
• debug authen error
• debug dot1x all
• debug authen feature all
• debug mab all
• CTS Auth:
• debug cts authen details
• debug cts auth
• debug dot1x events
• debug dot1x packets
• debug dot1x errors
• debug cts ifc events
• CTS Policy download:
• debug cts author event
• debug cts author
• debug cts author aaa
• debug cts aaa
• debug cts ifc events
Debugging Switches for ISE/CTS Issues
• CTS Policy Install:
• debug cts author event
• debug cts autho
• debug cts author aaa
• debug cts author rbacl
• debug rbm
• debug rbm policy
• debug rbm binding
• debug rbm api
• debug rbm platform
• debug rbm bindings
• debug cts ifc events
• CTS Env Data:
• debug cts environment-data all
• debug cts env
• debug cts aaa
• debug radius
• debug cts ifc events
• debug cts authe
• debug cts autho
• CTS L3IF & Mapping:
• debug cts ifc events
• debug cts sgt-map
• CTS SAP:
• debug cts sap events
• debug cts ifc events
• debug cts errors
• debug cts sap packets
• debug macsec events
• debug cts sap pakdump
• debug cts dp info
• debug cts dp error
• debug macsec
• debug cts sap
• CTS Cache:
• debug cts cache
Debugging Switches for ISE/CTS Issues
• CTS HW Path:
• debug platform cts dp api
• debug platform cts dp event
• debug platform cts dp error
• debug platform cts dp redundancy
• CTS HA/Sync:
• debug cts ha core
• debug cts ha config
• debug cts ha infra details
• debug cts err
• debug cts ifc ev
• debug cts cluster
• debug cts ha
• CTS SGT Cache:
• debug rbm bindings
• debug rbm api
• debug fm rbacl caching packets
• debug fm rbacl caching events
• debug fm rbacl all
• debug fm rbacl monitoring
• debug cts sgt-caching
• SXP:
• debug cts sxp connection
• debug cts sxp errors
• debug cts sxp all
• debug cts sxp
• debug cts sxp internal
• debug cts sxp mdb
• debug cts sxp message
• debug ip tcp trans
• debug ip tcp packet
• IPv6:
• debug ipv6 snooping binding
• debug ipv6 snooping fsm
• debug epm all
• debug epm events session
• debug epm plugin cts error
• debug epm plugin cts event
• debug rbm all
Debugging Switches for ISE/CTS Issues
• CoA:
• debug cts coa event
• debug aaa coa
• debug radius dynamic-authorization
• NX-OS Specific:
• show tech-support cts
• show tech-support forward l3 unicast detail
• show tech module <mod #>
• show tech-support routing ip unicast

Troubleshoot Network Access Device Issues
Operations>RADIUS>Live Logs – Check Misconfigured Network Devices

Troubleshooting Network Issues
• Check bandwidth utilization
• Check interfaces for dropped packets
• Check QoS – is RADIUS being prioritized?
• IP connectivity
• Traceroute
• Packet filtering?
• To/from the NADs and the ISE PSNs
• Ports allowed? 1812/UDP, 1813/UDP, 1700/UDP, etc.
Network Ports open for ISE

Troubleshooting ISE Issues
• Check ISE health
• RADIUS latency?
• RADIUS packets on other PSNs?
• Check load guidelines
• ISE replication occurring?

• Certificates
• Any expired certificates?
• Missing trusted CAs?

Troubleshooting ISE Issues
Dashboard – Check Authentication Latency per ISE Node

Troubleshooting ISE Issues
Administration>System>Deployment – Check Node Status for replication issues

Troubleshooting ISE Issues
Administration>System>Certificates>System Certificates – Check system certificates

Troubleshooting ISE Issues
Administration>System>Certificates>Trusted Certificates – Check Trusted Certificates

Troubleshooting ISE Issues
Administration>Deployment – Check Node Status for replication issues

Troubleshooting ISE Issues
Operations>System 360>Monitoring – ISE Node Health Monitoring

Troubleshooting ISE Issues
Administration>Network Resources>Network Devices – Check to see if the NAD exists

Troubleshooting ISE Issues
Operations>System 360>Log Analytics – ISE Node, RADIUS, and TACACS Health

Troubleshooting ISE Issues
Operations>Troubleshooting>Diagnostic Tools>RADIUS Authentication Troubleshooting – Troubleshoot RADIUS Authentications

Troubleshooting ISE Issues
Operations>Troubleshooting>Diagnostic Tools>Posture Troubleshooting – Troubleshoot Posture Events

Troubleshooting ISE Issues
Operations>Troubleshooting>Diagnostic Tools>Agentless Posture Troubleshooting – Troubleshoot Agentless Posture Events

Troubleshooting ISE Issues
Operations>Troubleshooting>Diagnostic Tools>TCP Dump – Troubleshoot the traffic a PSN is receiving

Troubleshooting ISE Issues
Operations>Troubleshooting>Diagnostic Tools>Session Trace – Test the policy flows in a predictable way without needing real traffic from a real device

Troubleshooting ISE Issues – Policy Troubleshooting 1
Operations>RADIUS>Live Logs – Check the AuthC/AuthZ policy and rules the endpoint hits

Troubleshooting ISE Issues – Policy Troubleshooting 2
Operations>RADIUS>Live Logs – Click Details for the endpoint

Troubleshooting ISE Issues – Policy Troubleshooting 3
Detail: Check Steps on the right side to see authentication details

Troubleshooting ISE Issues – Policy Troubleshooting 4
Policy>Policy Sets – Check Conditions compared to authentication details

Troubleshooting ISE Issues – Policy Troubleshooting 5
Check Policy Set conditions against the previously checked Authentication Detail

Troubleshooting ISE Issues – Policy Troubleshooting 6
Check Policy Set conditions against the previously checked Authentication Detail
Conclusion
Simplifying and optimizing your deployment is how you can lower the administrative burden of managing ISE
Helpful Links and Training
• CiscoPress SISE Book - https://tinyurl.com/ciscopress-sise
• ISE Scalability Guide - https://tinyurl.com/ise-scale
• ISE Load Balancing Guides - https://tinyurl.com/ise-loadbalancing
• ISE NAD Compatibility Matrix - https://tinyurl.com/ise-compatibility
• ISE Mega-list of Integration/Configuration Guides - https://cs.co/ise-guides
• Cisco Security Technical Alliance Partners - https://cisco.com/go/csta
• Deploy ISE in Cloud - https://tinyurl.com/ise-cloud
• ISE APIs and Automation - https://github.com/CiscoISE

Helpful Links and Training
• ISE Switch Deployment Guide - https://tinyurl.com/ise-switch-guide
• ISE WLC Deployment Guide - https://tinyurl.com/ise-wlc-config
• ISE Catalyst 9800 Wireless Guide - https://tinyurl.com/ISE-9800-Guide
• Profile Packs:
• Medical NAC 2.0 Profiles - https://tinyurl.com/ise-medical-nac-2
• Automation and Control Profiles - https://tinyurl.com/ise-automation-library
• Industrial Network Director IoT Profiles - https://tinyurl.com/ind-profiles
• Windows-Embedded IoT Profiles - https://tinyurl.com/windows-embedded
• ISE Licensing - https://cs.co/ise-licensing

Helpful Links and Training
• TrustSec Troubleshooting Guide - https://tinyurl.com/TS-Troubleshooting
• ISE Webinars - https://cs.co/ise-webinars
• ISE Community - https://cs.co/ise-community
• Cisco's ISE YouTube Channel - https://cs.co/ise-videos

Helpful Links and Training
• Network-Node Blog – https://www.network-node.com
• My ISE Videos - https://tinyurl.com/KM-ISE-Videos
• Labminutes ISE Configuration Videos - https://tinyurl.com/LM-ISE
• Aaron Woland's ISE Blog Posts – https://tinyurl.com/Woland-ISE
• Brad Johnson's ISE Support Blog - https://www.ise-support.com
• Steve McNutt's Blog –
• PKI for Network Engineers - https://tinyurl.com/PKI-for-NE
• ISE Posts - https://tinyurl.com/McNutt-ISE
Complete Your Session Evaluations

Complete a minimum of 4 session surveys and the Overall Event Survey to be entered in a drawing to win 1 of 5 full conference passes to Cisco Live 2025.

Earn 100 points per survey completed and compete on the Cisco Live Challenge leaderboard.

Level up and earn exclusive prizes!

Complete your surveys in the Cisco Live mobile app.

Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Thank you

#CiscoLive