Cisco+300 715 ISE - 002

The document provides information about Cisco's SISE certification, including the value of Cisco certifications, an overview of the CCNP Security certification, and how Cisco's certification program is evolving. Key points include consolidating certifications into five technology tracks, requiring two exams for the CCNP, and introducing concentration exams and badges to recognize skills and experience.

Uploaded by Cafu
Copyright © All Rights Reserved

SISE Certification

300-715 SISE Certification

• Value of the Cisco Certification Brand
• Evolution of Cisco Certifications
• Preparing for the CCNP Security exams
• CCNP Security SCOR
• Sample exam questions
Certified employees are valued assets

• Increased performance of certified employees
• 99% of organizations use certifications to make hiring decisions
• +59% higher quality of service
• +42% better selection of technology solutions
• +41% more efficient operations
Today’s certification portfolio (Entry → Associate → Professional → Expert → Architect)

• Architect: CCAr
• Cloud: CCNA Cloud → CCNP Cloud
• Collaboration: CCNA Collaboration → CCNP Collaboration → CCIE Collaboration
• Cybersecurity Operations: CCNA CyberOps
• Data Center: CCNA Data Center → CCNP Data Center → CCIE Data Center
• Design: CCENT → CCDA → CCDP → CCDE
• Industrial / IoT: CCNA Industrial
• Routing & Switching: CCENT → CCNA Routing & Switching → CCNP Routing & Switching → CCIE Routing & Switching
• Security: CCENT → CCNA Security → CCNP Security → CCIE Security
• Service Provider: CCNA SP → CCNP SP → CCIE SP
• Wireless: CCENT → CCNA Wireless → CCNP Wireless → CCIE Wireless

Other Certifications
• Certified Technician: Collaboration, Data Center, Internet of Things, Network Programmability
• Technical Specialists: Operating System Software, Security, Service Provider
• Digital Transformation Specialists: Business Architecture, Customer Success
• AppDynamics ACIP
Tomorrow’s certification portfolio (Associate → Professional → Expert)

• Associate: CCNA
• Enterprise: CCNP Enterprise → CCIE Enterprise Infrastructure or CCIE Enterprise Wireless
• Service Provider: CCNP Service Provider → CCIE Service Provider
• Data Center: CCNP Data Center → CCIE Data Center
• Collaboration: CCNP Collaboration → CCIE Collaboration
• Security: CCNP Security → CCIE Security

How our program is evolving

Technology | Core (Exam 1) | Concentration or Lab (Exam 2)
Enterprise | Core | Choose your concentration / Take the lab (choose between 2 labs)
Security | Core | Choose your concentration / Take the lab
Service Provider | Core | Choose your concentration / Take the lab
Collaboration | Core | Choose your concentration / Take the lab
Data Center | Core | Choose your concentration / Take the lab

Single Exam (network foundation exam): Covers key components like IP fundamentals, network access, IP connectivity, automation, security.
Concentration Exam: Choose one concentration exam in your technology. Concentration covers products, solutions, and/or roles.
Lab: Choose one, 8hr lab focusing on full lifecycle. Lab exam covers design, deploy, automate, operate, and optimize.
Cisco Enterprise certification track

CCNP: Professional Level (Certified Professional). 1 technology core & 1 concentration exam, in any order, but from the same track.
CCIE: Expert Level (Certified Expert). 1 technology core & 1 lab in the same track.

Tracks: Enterprise, Security, Service Provider, Collaboration, Data Center

Enterprise concentration exam options:
• Advanced Routing and Services
• Implementing Wireless Networks
• Implementing Cisco SD-WAN Solutions
• Designing Wireless Networks
• Designing Cisco Enterprise Networks
• Automating and Programming Cisco Enterprise Solutions

Enterprise lab options:
• CCIE Enterprise Wireless Lab Exam
• CCIE Enterprise Infrastructure Lab Exam
CCNP R&S, Wireless, CCDP - Today vs 2.0

Today:
• 300-101 ROUTE
• 300-115 SWITCH
• 300-135 TSHOOT
• 300-320 ARCH
• 300-360 WIDESIGN
• 300-365 WIDEPLOY
• 300-370 WITSHOOT
• 300-375 WISECURE

February 24, 2020:
• 300-401 Enterprise Core (Mandatory)
• Choose 1 concentration:
  • 300-410 Advanced Routing
  • 300-415 SD-WAN
  • 300-420 Enterprise Design
  • 300-425 Wireless Design
  • 300-430 Wireless Implement
  • 300-435 Enterprise Automation
We redesigned CCNP to meet your needs
Summary

Five technology tracks: Enterprise, Service Provider, Data Center, Collaboration, Security

Two exams and you’re certified, one core and one concentration exam

Choose the concentration exam based on your interests and needs

No prerequisites for either exam

Core exams also apply to CCIE and cover implementation of key technologies

New continuing education options meet recertification requirements


Guiding Principles

• Everyone has a Home
• Everyone Gains
• Everyone Maintains their Certification
• Everyone is Awarded Badges
We provide recognition as you learn

For | You get
Passing any written, proctored exam | Cisco Certified Specialist
Passing the CCNA exam | Cisco Certified Network Associate
Passing one core exam and one concentration exam in the same technology | Cisco Certified Network Professional
Passing one core exam and the corresponding lab in the same technology | Cisco Certified Internetwork Expert
Personalized credential dashboard

Certifications: Enterprise
Badges: Enterprise SD-WAN, Enterprise Design, Advanced Routing, Enterprise Automation
Skills: BGP, Device Security, Diagnostics, EIGRP, Fundamental Routing Concepts, Encryption, LAN Switching, IPv4 and IPv6 Addressing, Layer 2 Multicast, Network Services, Network Security
CCNP Security (in-flight migration)

Today | February 24, 2020
300-101 ROUTE + 300-115 SWITCH | Credit: 300-401 Enterprise Core Badge
300-135 TSHOOT | Credit: 300-410 Adv Routing Badge
300-320 ARCH | Credit: 300-420 Design Badge
300-370 WITSHOOT, 300-375 WISECURE, 300-365 WIDEPLOY | 300-430 Wireless Implement Badge
CCNP Enterprise (current certification holders)

Today | February 24, 2020 (earn)
CCNP RS | 300-401 Enterprise Core Badge, 300-410 Adv Routing Badge
CCNP Wireless | 300-401 Enterprise Core Badge, 300-425 Wireless Design Badge, 300-430 Wireless Implement Badge
CCDP | 300-401 Enterprise Core Badge, 300-420 Enterprise Design Badge
Describe Cisco Security

This exam tests a candidate's knowledge of Cisco Identity Services Engine, including architecture and deployment, policy enforcement, Web Auth and guest services, profiler, BYOD, endpoint compliance, and network access device administration. The course Implementing and Configuring Cisco Identity Services Engine helps candidates prepare for this exam.
https://learningnetwork.cisco.com/s/sise-exam-topics
1.0 Architecture and Deployment

1.1 Configuring Personas
1.2 Describe deployment options

Before getting into the details of configuration and deployment options, let's get familiar with ISE as an appliance, its purpose and the associated terminology; we will be discussing and referencing all of these throughout the course.
ISE (Identity Services Engine)

ISE is a necessary security platform in the IT infrastructure of any growing organization, irrespective of sector: healthcare, banking, manufacturing, IT, etc.

Almost every organization relies deeply on, and is inclined towards, digitalization, IoT, BYOD and more. With this evolution comes an exponential expansion of endpoint devices that want to join the network. This explosion of new additions adds agility and flexibility and produces significant value for customers.

HOWEVER, it has raised the challenges and complexity for the IT team, because you need a framework that can track and identify the endpoints and accordingly authenticate, authorize and profile them correctly on the network, in order to deliver a secure platform.
ISE (Identity Services Engine)

Before ISE, Cisco developed several engines to meet new and growing demands, for example the well-known ACS, Cisco Clean Access, and NAC for guest and profiling. They all served well, but deploying and managing them separately is not scalable and is a tedious job.

ISE is a platform that has merged their functionality along with many new features. Increasing complexity also requires a different approach to both managing and securing the evolving enterprise network.

Cisco ISE is a context-aware policy service to control access and threats across wired, wireless and VPN networks.
ISE Roles and Duties (diagram)

Context gathered by Cisco ISE: WHO, WHAT, WHEN, WHERE, HOW, HEALTH, THREATS (CVSS)
Partner ecosystem (SIEM, MDM, NBA, IPS, IPAM, etc.) integrated via pxGrid & APIs
Access policy for endpoints and for the network, across wired, wireless and VPN
Role-based Access Control | Guest Access | BYOD | Secure Access
ISE Benefits

• Greater visibility and accurate IoT and endpoint identification
• Deploy a robust guest and BYOD experience
• Creates and enables Zero Trust Workplace secure network access across wireless, wired and VPN infrastructure
• Scalable segmentation that eliminates unauthorized communications
• ISE can track and secure 2 million concurrent endpoint sessions

A few well-known features and services that ISE delivers in infrastructure services are as follows:
Why customers buy ISE?

Access Control: Consistent access control into wired, wireless and VPN networks. 802.1X, MAC, Web Authentication and Easy Connect for admission control.
Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
Guest Access: Fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
BYOD Access: Simplified BYOD management with built-in CA and 3rd party MDM integration for onboarding and self-service of personal mobile devices.
Segmentation: Topology-independent software-defined segmentation policy to contain network threats by using Cisco TrustSec technology.
Threat Control: Context sharing with the partner ecosystem to improve their overall efficacy and accelerate time to containment of network threats.
Device Admin: Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices.
Managing policy based on ‘Trust’
Connecting Trusted Devices to Trusted Services (diagram)

Cisco Identity Services Engine evaluates context (User-Groups, Device-type, Location, Posture, Time, Threats, Behavior, Vulnerability) and maps requesters (Trusted Asset, Trusted User, Partners) to trusted and non-trusted apps/services, on-premises (Server A, Server B) and in the cloud (Cloud App A, Cloud App B), through a permit/deny matrix.

Outcomes: Software-Defined Segmentation, Location-Free App/Service Access, Improved Visibility and Decision, Service Access & Entitlement
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE Architecture majorly consists of the components below:

• Node
• Personas
• Node Type: PSN, PAN, MnT, PXG
• Service
• Network Resources
• Endpoints
• Roles
ISE Terminologies

Node: A node is an individual physical or virtual ISE appliance. Cisco ISE is available as an appliance and also as software (OVA file) that can be run on VMware.

Personas: Determine the services provided by a node. A Cisco ISE node can assume any or all of the following personas:
• Administration = PAN
• Policy Service = PSN
• Monitoring = MnT
• pxGrid = PXG

STANDALONE ISE vs MULTI-NODE ISE (diagram)

Policy Service Node (PSN)
- Makes policy decisions
- RADIUS / TACACS+ servers
Policy Administration Node (PAN)
- Single pane of glass for ISE admin
- Replication hub for all database config changes
Monitoring and Troubleshooting Node (MnT)
- Reporting and logging node
- Syslog collector for ISE nodes
pxGrid Controller
- Facilitates sharing of context
Policy Service Node (PSN)
RADIUS/TACACS+ Server for the Network Devices

• Per policy decision, responsible for:
  • Network access (AAA/RADIUS services)
  • Device Admin (TACACS+)
  • Posture / MDM
  • BYOD / MDM services
  • Guest access (web portals)
  • Client Provisioning
  • Profiling
  • Web Auth
• Directly communicates with external identity stores (AD/LDAP/ODBC/RADIUS) for user authentication
• Provides GUI for sponsors, agent download, guest access, device registration, and device onboarding
• Each ISE deployment must have one or more PSNs (max 50)

Diagram: NAD ↔ (RADIUS/TACACS+/Profiling) ↔ PSN ↔ External ID Store (AD/LDAP/ODBC/RADIUS)
Policy Administration Node (PAN)
Writeable Access to the Database

• Interface to configure and view policies
• Responsible for policy sync across all PSNs and the secondary PAN
• Provides:
  • Licensing
  • Admin authentication & authorization
  • Admin audit
• Each ISE deployment must have at least one PAN
• Only 1x Primary and 1x Secondary (Backup) PAN possible

Diagram: Administration (PAN) ↔ External ID Store (AD/LDAP)
Policy Synchronization

• Changes made via the Primary PAN database are automatically synced to the Secondary PAN and all PSNs.
• Examples of such changes: guest account creation, device profile update.

Diagram: Admin User → Policy Change → PAN (Primary) → Policy Sync → PAN (Secondary) and every PSN
Network Access Device (NAD)
Also known as the ‘RADIUS Client’ (or ‘TACACS+ Client’)

• Major Secure Access component that enforces network policies.
• The NAD sends requests to the PSN for implementing authorization decisions for resources.
• Common enforcement mechanisms:
  • VLAN Assignment/VRF
  • dACLs & named ACLs
  • Scalable Group Tags (SGT)
• Basic NAD types (including 3rd party):
  • Cisco Catalyst Switches
  • Cisco Wireless LAN Controllers
  • Cisco ASA & FTD for VPN
pxGrid Controller (PXG)
Context Data Sharing

• Enabled as the pxGrid persona
• Max 2 nodes
• Control plane to register Publisher/Subscriber topics
• Authorizes and sets up pxGrid client communications
• pxGrid clients subscribe to published topics of interest
• ISE 1.X: ISE is the only controller and publisher; 2.0 supports other publishers; 2.4 supports ISE as a subscriber (Profiler probe)
• MnT publishes the Session Directory
Monitoring and Troubleshooting Node (MnT)
Logging and Reporting

• The MnT node receives logging from PAN, PSN and NAD (RADIUS & TACACS)
• Each ISE deployment must have at least one MnT
• Max 1x Primary and 1x Secondary (Backup) MnT possible

Diagram: syslog from access devices is correlated with the user/device session; syslog from the firewall is correlated with the guest access session; syslog from the other ISE nodes (PAN, PSN) is sent to the monitoring node for reporting.

Monitoring and Troubleshooting Node: Smart Dashboard (PAN, MnT)
ISE Node Personas: Functional Roles and chronology

Policy Administration Node (PAN): All management UI activities; synchronizing all ISE nodes
Policy Service Node (PSN): RADIUS, Profiling, Web Auth, Posture, Sponsor Portal, Client Provisioning
Monitoring and Troubleshooting (MnT): Logging and reporting data
Network Access Device (NAD): Access-layer devices; enforcement point for all policy

Flow:
1. Admin user configures policy on the PAN; all policy is synchronized from PAN to PSNs
2. User connects to the NAD; RADIUS from NAD to Policy Service Node
3. PSN queries AD directly
4. RADIUS from PSN to NAD with enforcement result
5. RADIUS Accounting
6. Logging to MnT
Service: A service is a specific feature that a persona provides, such as network access, profiler, posture, security group access, monitoring and troubleshooting, etc.

Network Resources: ISE can be leveraged as a medium to define and categorize network devices, network device groups, RADIUS and MDM servers, etc.

Endpoints: Network-capable devices that connect to the network; they can be PCs/laptops, phones, printers, fax machines, etc.

Role: Determines if a node is a standalone, primary, or secondary node and applies only to Administration and Monitoring nodes.

If all personas are running on the same appliance or VM instance then it is an ISE standalone node.

Roles can be assigned to ISE nodes in a distributed design to tackle failures and accomplish redundancy. We will discuss these in detail in the upcoming deployment sections.
Architecture: Putting It All Together…

NAD (Network Access Device): Access-layer devices; enforcement point for all policy
MnT (Monitoring and Troubleshooting Node): Logging and reporting data
PSN (Policy Service Node): The “Work-Horse”: RADIUS, Profiling, WebAuth, Posture, Sponsor Portal, Client Provisioning
PAN (Policy Administration Node): All management UI activities & synchronizing all ISE nodes
PXG (Platform eXchange Grid Node): Share context in/out

Flows: RADIUS from NAD to PSN; RADIUS response from PSN to NAD; RADIUS Accounting; PSN queries the external database directly; Policy Sync and Config from PAN; Syslog to MnT; sessions published to PXG.
1.2 Describe deployment options

Standalone Deployment: All personas reside on a single appliance; it has 2 variants:
• Standalone ISE Node Deployment
• Standalone ISE Node (Redundant) Deployment
Distributed Deployment: One or more personas are distributed to different ISE nodes:
• Hybrid-Distributed Deployment
• Dedicated-Distributed Persona Deployment
• Fully Dedicated-Distributed Deployment

Example:

Suppose you have a Global Operations Center and the network infrastructure has 20 switches of 48 ports to accommodate wired connections like PCs, thin clients etc. Assume 1000 users and 50 guest users every day.

Access Switch Ports + (Users x 2) + Guests = RADIUS Sessions
(20 x 48 = 960) + (1000 x 2 = 2000) + (50) = 3010 sessions

Based on this number and the future hiring strategy, the Network Admin and solution architect can make the call on ISE model selection. In the coming slides we will be discussing ISE deployment and its models in detail.
Standalone Deployment
All Personas on a Single Node: PAN, PSN, MnT, pxGrid

Maximum sessions as per ISE platform:
• 5,000 for 3415
• 10,000 for 3615
• 20,000 for 3595
• 25,000 for 3655
• 50,000 for 3695

BRKSEC-3699 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE Standalone (Redundant)

• Maximum sessions – 50,000
• Redundant sizing – 50,000
• Only 3415 and 3515 session limit is 20,000. They are EOL/EOS now

Diagram: Primary and Secondary nodes, each running PAN, MnT, PSN and PXG
ISE Standalone (Redundant) continued
Maximum Sessions = 50,000 (platform dependent)

• All services run on both ISE nodes
• Set one for Primary Admin / Primary MnT
• Set the other for Secondary Admin / Primary MnT
• Max sessions is platform dependent:
  • 3415 = Max 5k sessions (EOL/EOS)
  • 3515 = Max 7.5k sessions (EOL/EOS)
  • 3615 = Max 10k sessions
  • 3595 = Max 20k sessions
  • 3655 = Max 25k sessions
  • 3695 = Max 50k sessions

Diagram: Node 1 = Admin (P), MnT (P), PSN, PXG; Node 2 = Admin (S), MnT (RO), PSN, PXG; both query AD/LDAP (External ID/Attribute Store); NADs at Campus A (ASA VPN w/ CoA, WLC 802.1X, switch 802.1X, AP) and at Branch A and Branch B (switch 802.1X, AP)
Hybrid-Distributed Deployment
(Admin | MnT) on the same appliance; PSN on dedicated appliances

• 2 (PAN | MnT) + PXG
• Max 5 PSNs
• Optional: dedicate 2 of the 5 for pxGrid
• Platform-supported max sessions:
  • 5,000 for 3415 PAN + MnT (EOL/EOS)
  • 7,500 for 3515 PAN + MnT (EOL/EOS)
  • 10,000 for 3615 PAN + MnT
  • 20,000 for 3595 PAN + MnT
  • 25,000 for 3655 PAN + MnT
  • 50,000 for 3695 PAN + MnT

Diagram: two PAN+MnT nodes, PXG, and up to five PSNs
Basic Hybrid-Distributed Deployment
Maximum Sessions = 50,000 | Maximum 5 PSNs

• Dedicated Management Appliances
  • Primary Admin / Primary MnT
  • Secondary MnT / Secondary Admin
• Dedicated Policy Service Nodes: up to 5 PSNs
• No more than 50,000 sessions supported
  • 3615 = Max 10k sessions
  • 3595 = Max 20k sessions
  • 3655 = Max 25k sessions
  • 3695 = Max 50k sessions

Diagram: DC-A hosts Admin (P) / MnT (P), DC B hosts Admin (S) / MnT (S); a distributed Policy Services cluster of PSNs queries AD/LDAP (External ID/Attribute Store) in each DC; NADs: ASA VPN w/ CoA, WLC 802.1X, switches and APs at the campus and at Branch A and Branch B
Dedicated-Distributed Persona Deployment
Dedicated Appliance for Each Persona: Admin, Monitoring, pxGrid, Policy

• 2 PAN and 2 MnT and up to 4 PXG (optional)
• Max PSNs (platform dependent):
  • 40 using 3495 as PAN and MnT
  • 50 using 3595/3655/3695 as PAN and MnT
• Max sessions (platform dependent):
  • 250k using 3495 as PAN and MnT
  • 500k using 3595/3655/3695 as PAN and MnT
Fully Dedicated-Distributed Deployment
Maximum Sessions = 500,000 | Maximum 50 PSNs

• Redundant, dedicated PAN and MnT split across DCs
• Policy Service cluster for Wired/Wireless services at main campus
• Distributed Policy Service clusters for DR sites or larger campuses with higher-bandwidth, lower-latency interconnects.
• Centralized PSN clusters for remote Wired/Wireless branch devices
• VPN/Wireless (non-CoA) at main campus via HA Inline Posture nodes

Diagram: Data Center A hosts Admin (P), Monitor (P), pxGrid (P) and a Policy Services cluster; DC B hosts Admin (S), Monitor (S), pxGrid (S) and a distributed Policy Services cluster; each DC has its own AD/LDAP (External ID/Attribute Store); NADs: ASA VPN w/ CoA, WLC 802.1X, switches and APs at the campus and at Branch A and Branch B
Scaling RADIUS, Web, Profiling, and TACACS with Load-Balancing

• Policy Service nodes can be configured in a cluster behind a load balancer (LB).
• Access devices send RADIUS and TACACS+ AAA requests to the LB virtual IP.
• Load balancing is covered under the High Availability section.

Diagram: NAD → Virtual IP on the Load Balancers → PSNs
Sizing and Specification Guideline

ISE node sizing selection is very significant; generally, once deployed successfully, you don’t have to touch it.

Secondly, its role is critical and has many dependencies, and if you want to re-size and re-image things then you need to have redundant nodes.

Each persona role is unique and different, hence sizing and scaling also vary. Memory, max sessions, and other table spaces are based on persona and platform profile.
ISE 2.4 Scaling by Deployment/Platform/Persona – (3515 and 3595)
• Deployment: 1. Standalone, 2. Distributed and 3. Dedicated

Deployment Model | Platform | Max Active Sessions per Deployment | Max # Dedicated PSNs / PXGs | Min # Nodes (no HA) / Max # Nodes (w/ HA)
Standalone (all personas on same node) | 3515 | 7,500 | 0 | 1 / 2
Standalone (all personas on same node) | 3595 | 20,000 | 0 | 1 / 2
Hybrid (PAN+MnT+PXG on same node; dedicated PSN) | 3515 as PAN+MnT | 7,500 | 5 / 2* | 2 / 7
Hybrid (PAN+MnT+PXG on same node; dedicated PSN) | 3595 as PAN+MnT | 20,000 | 5 / 2* | 2 / 7
Dedicated (dedicated PAN and MnT nodes) | 3595 as PAN and MnT | 500,000 | 50 / 2 | 3 / 58
Dedicated Large (dedicated PAN and MnT nodes) | 3595 as PAN and MnT | 500,000 | 50 / 4 | 3 / 58

Scaling per PSN (dedicated Policy nodes; max sessions gated by total deployment size):
Platform | Max Active Sessions per PSN
SNS-3515 | 7,500
SNS-3595 | 40,000
Max Active Sessions = Max Endpoints; ISE 2.1+ supports 1.5M endpoints
Scaling by Deployment/Platform/Persona (3615-3655-3695)
Max Concurrent Session Counts by Deployment Model/Platform, ISE 2.6
• Deployment: 1. Standalone, 2. Distributed and 3. Dedicated

Deployment Model | Platform | Max Active Sessions per Deployment | Max # Dedicated PSNs / PXGs | Min # Nodes (no HA) / Max # Nodes (w/ HA)
Standalone (all personas on same node) | 3615 | 10,000 | 0 | 1 / 2
Standalone (all personas on same node) | 3655 | 25,000 | 0 | 1 / 2
Standalone (all personas on same node) | 3695 | 50,000 | 0 | 1 / 2
Hybrid (PAN+MnT+PXG on same node; dedicated PSN) | 3615 as PAN+MnT | 10,000 | 5 / 2* | 2 / 7
Hybrid (PAN+MnT+PXG on same node; dedicated PSN) | 3655 as PAN+MnT | 25,000 | 5 / 2* | 2 / 7
Hybrid (PAN+MnT+PXG on same node; dedicated PSN) | 3695 as PAN+MnT | 50,000 | 5 / 4* | 2 / 7
Dedicated (dedicated PAN and MnT nodes) | 3655 as PAN and MnT | 500,000 | 50 / 4 | 3 / 58
Dedicated (dedicated PAN and MnT nodes) | 3695 as PAN & MnT | 500k (2M RADIUS only) | 50 / 4 | 3 / 58

By PSN (dedicated Policy nodes; max sessions gated by total deployment size):
Platform | Max Active Sessions per PSN
SNS-3615 | 10,000
SNS-3655 | 50,000
SNS-3695 | 100,000
Max Active Sessions = Max Endpoints; ISE 2.6+ supports 2M endpoints
What are sessions? And their significance in the ISE world.

Sessions: A session begins when a user logs in to or accesses a particular computer or service. It ends when the user logs out of the service or shuts down the computer.

The sessions we will refer to throughout the course are RADIUS sessions. They are significant because the session count is the deciding factor in finalizing the size of the nodes and the deployment type.

The formula that is referred to and well known in the industry is:

Access Switch Ports + (Users x 2) + Guests = RADIUS Sessions

• Access Switch Ports: 802.1X-enabled switch ports in the wired network
• Users x 2: 802.1X-enabled users in the wireless network, assuming 2 mobile devices per user
• Guests: expected guest user count
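The session formula above and the worked 3010-session example from the deployment-options slide, carried through to platform selection against the ISE 2.6 scaling tables quoted earlier, as an added Python example that is not part of the original deck or a Cisco tool: it computes the RADIUS session count, then picks the smallest deployment model and SNS-36x5 platform whose per-deployment and per-PSN limits hold it. The function names, the growth factor and the N+1 PSN assumption are this example's own.

```python
"""Constructed ISE sizing helper: an added example, not Cisco's sizing tool.

It applies the RADIUS-session formula from the slides and checks the result
against the ISE 2.6 per-deployment and per-PSN session limits quoted on this
page for the SNS-36x5 platforms. Function and field names are this example's own.
"""
from dataclasses import dataclass
from math import ceil
from typing import Optional

# Max active sessions per deployment, standalone or hybrid (set by the PAN+MnT box).
PAN_MNT_SESSIONS = {"SNS-3615": 10_000, "SNS-3655": 25_000, "SNS-3695": 50_000}
DEDICATED_SESSIONS = 500_000            # 3655/3695 as dedicated PAN and MnT
# Max active sessions per dedicated PSN (ISE 2.6 "By PSN" table on this page).
PSN_SESSIONS = {"SNS-3615": 10_000, "SNS-3655": 50_000, "SNS-3695": 100_000}
MAX_PSNS = {"hybrid": 5, "dedicated": 50}


def radius_sessions(access_ports: int, users: int, guests: int,
                    devices_per_user: int = 2) -> int:
    """Access Switch Ports + (Users x devices_per_user) + Guests."""
    if min(access_ports, users, guests, devices_per_user) < 0:
        raise ValueError("counts must be non-negative")
    return access_ports + users * devices_per_user + guests


@dataclass(frozen=True)
class Sizing:
    model: str                   # "standalone", "hybrid" or "dedicated"
    pan_mnt_platform: str        # appliance hosting PAN and MnT
    psn_platform: Optional[str]  # None when the PSN runs on the PAN+MnT node
    psn_count: int               # dedicated PSNs, 0 for standalone
    max_sessions: int            # ceiling of the chosen deployment


def size_deployment(sessions: int, growth: float = 1.0, separate_psns: bool = False,
                    psn_platform: str = "SNS-3615", redundant_psn: bool = True) -> Sizing:
    """Pick the smallest deployment from this page's 2.6 tables that holds `sessions`.

    growth        multiplies the session count to leave headroom for future hiring.
    separate_psns True forces the hybrid model (dedicated PSNs) even when standalone fits.
    redundant_psn adds one PSN so a single PSN failure does not drop capacity
                  (an assumption of this example, not a figure from the slides).
    """
    required = ceil(sessions * growth)
    if required <= 0:
        raise ValueError("session count must be positive")
    if psn_platform not in PSN_SESSIONS:
        raise ValueError(f"unknown PSN platform {psn_platform!r}")

    def psns_needed(model: str) -> int:
        count = ceil(required / PSN_SESSIONS[psn_platform]) + (1 if redundant_psn else 0)
        if count > MAX_PSNS[model]:
            raise ValueError(f"{count} x {psn_platform} PSNs exceed the {MAX_PSNS[model]} "
                             f"allowed in a {model} deployment; pick a larger PSN platform")
        return count

    # Standalone and hybrid share one ceiling per platform (10k / 25k / 50k).
    for platform, cap in PAN_MNT_SESSIONS.items():
        if required <= cap:
            if not separate_psns:
                return Sizing("standalone", platform, None, 0, cap)
            return Sizing("hybrid", platform, psn_platform, psns_needed("hybrid"), cap)

    if required <= DEDICATED_SESSIONS:
        # Dedicated PAN and MnT: the slides list both 3655 and 3695 at 500k sessions.
        return Sizing("dedicated", "SNS-3655", psn_platform,
                      psns_needed("dedicated"), DEDICATED_SESSIONS)

    raise ValueError(f"{required} sessions exceed the 500,000 single-deployment limit")


if __name__ == "__main__":
    # Worked example from the slides: 20 x 48-port switches, 1000 users, 50 guests.
    total = radius_sessions(access_ports=20 * 48, users=1000, guests=50)
    print(total, size_deployment(total))                        # 3010 sessions
    print(size_deployment(total, growth=4.0, separate_psns=True))
```

Undersizing is what the later slides warn about (sessions purged, "insufficient resources" alarms), so run the growth factor over the hiring plan rather than today's head count.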
Sizing Production VMs to Physical Appliances (OLD – FOR REFERENCE)

Appliance used for sizing comparison | CPU # Cores | CPU Clock Rate (GHz)* | Memory (GB) | Physical Disk (GB)**
SNS-3415 | 4 | 2.4 | 16 | 600
SNS-3495 | 8 | 2.4 | 32 | 600
SNS-3515 | 6 | 2.3 | 16 | 600
SNS-3595 | 8 | 2.6 | 64 | 1,200
* Minimum VM processor clock rate = 2.0GHz per core (same as OVA).
** Actual disk requirement is dependent on persona(s) deployed and other factors. See slide on Disk Sizing.
Warning: # Cores not always = # Logical processors / vCPUs due to Hyper-Threading
Sizing Production VMs to Physical Appliances
Summary

Appliance used for sizing comparison | CPU # Cores | CPU Clock Rate (GHz)* | Memory (GB) | Physical Disk (GB)**
SNS-3515 | 6 | 2.4 | 16 | 600
SNS-3595 | 8 | 2.6 | 64 | 1,200
SNS-3615 | 8 | 2.1 | 32 | 600
SNS-3655 | 12 | 2.1 | 96 | 1,200
SNS-3695 | 12 | 2.1 | 256 | 1,200/2,400
* Minimum VM processor clock rate = 2.0GHz per core (same as OVA).
** Actual disk requirement is dependent on persona(s) deployed and other factors. See slide on Disk Sizing.
Warning: # Cores not always = # Logical processors / vCPUs due to Hyper-Threading
*REQUIRED*
Appliance Hardware Specifications 36xx
Basis for Virtual Appliance Sizing and Redundancy – supports ISE 2.4+

Platform | SNS-3615 (36x5 Small) | SNS-3655 (36x5 Medium) | SNS-3695 (36x5 Large)
Processor | Intel Xeon CPU 4410 @ 2.10 GHz (8 total cores) | Intel Xeon CPU 4416 @ 2.10 GHz (12 total cores) | Intel Xeon CPU 4416 @ 2.10 GHz (12 total cores)
Memory | 32 GB | 96 GB | 256 GB
Hard disk | 1 x 600-GB, 6Gb 10k SAS HDD (600 GB total disk space) | 4 x 600-GB, 6Gb 10k SAS HDDs (1200 GB total disk space) | 8 x 600-GB, 6Gb 10k SAS HDDs (2400 GB total disk space)
RAID | No | Level 10 | Level 10
Ethernet NICs | 2x 10Gbase-T, 4x 1GBase-T | 2x 10Gbase-T, 4x 1GBase-T | 2x 10Gbase-T, 4x 1GBase-T
Redundant Power? | 1x 770W (Optional: UCSC-PSU1-770W) | 2x 770W | 2x 770W
Source: BRKSEC-3432
Appliance Hardware Specifications 34/35xx
Basis for Virtual Appliance Sizing and Redundancy - 35xx required for 2.4
SNS-3500 Series
• ISE SNS Appliance Specifications

Platform | SNS-3415 (34x5 Small) | SNS-3495 (34x5 Large) | SNS-3515 (35x5 Small) | SNS-3595 (35x5 Medium)
Processor | 1 x QuadCore Intel Xeon CPU E5-2609 @ 2.40 GHz (4 total cores) | 2 x QuadCore Intel Xeon CPU E5-2609 @ 2.40 GHz (8 total cores) | 1 x 6-Core Intel Xeon CPU E5-2620 @ 2.30 GHz (6 total cores) | 1 x 8-Core Intel Xeon CPU E5-2640 @ 2.60 GHz + 20MB Cache (8 total cores)
Memory | 16 GB | 32 GB | 16 GB | 64 GB
Hard disk | 1 x 600-GB 10k SAS HDD (600 GB total disk space) | 2 x 600-GB 10k SAS HDDs (600 GB total disk space) | 1 x 600-GB 10k SAS HDD (600 GB total disk space) | 4 x 600-GB 10k SAS HDDs (1.2 TB total disk space)
RAID | No | Yes (RAID 1) | No (1GB FBWC Controller Cache) | Yes (RAID 10) (1GB FBWC Cache)
Ethernet NICs | 4x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs | 2 x Integrated GE Ports + 4x mLOM GE Ports (6 total LAN ports) | 2 x Integrated GE Ports + 4x mLOM GE Ports (6 total LAN ports)
Redundant Power? | PSU optional | Yes | PSU optional | –
ISE VM Disk Storage Requirements
Minimum Disk Sizes by Persona

• Upper range sets # days of MnT log retention
• Min recommended disk for MnT = 600GB
• Max hardware appliance disk size = 1.2TB
• Max virtual appliance disk size = 2TB
  CSCvb75235 - DOC ISE VM installation can't be done if disk is greater than or equal to 2048 GB or 2 TB

Persona | Disk (GB)
Standalone | 200+*
PAN | 200-300**
MnT | 200+*
PSN | 200
PAN + MnT | 200+*
PAN + MnT + PSN | 200+*

** Variations depend on where backups are saved or upgrade files staged (local or repository), debug, local logging, and data retention requirements.
Introducing “Super” MnT
High Speed Performance

• ISE 2.4 Virtual Appliance only option
• Requires Large VM License
• 3595 specs + 256 GB (3695 appliance/VM in 2.6)
• 8 cores @ 2GHz min (16000+ MHz) = 16 logical processors
• 256GB RAM
• Up to 2TB* disk w/ fast I/O
• Fast I/O Recommendations:
  • Disk Drives (10k/15k RPM or SSD)
  • Fast RAID w/ Caching (ex: RAID 10)
  • More disks (ex: 8 vs 4)
* CSCvb75235 - DOC ISE VM installation can't be done if disk is greater than or equal to 2048 GB or 2 TB; fixed in 2.6
ISE 2.4 MnT Vertical Scaling Enhancements
Benefits on ALL ISE platforms

Faster Live Log Access
• Run session directory tables from pinned memory
• Tables optimized for faster queries

Faster Report & Export Performance
• Report-related tables pinned into memory for faster retrieval.
• Optimize tables based on platform capabilities.

Collector Throughput Improvement
• Added multithreaded processing capability to the collector.
• Increased collector socket buffer size to avoid packet drops.

Major Data Reduction
• Remove detailed BLOB data > 7 days old (beyond 2.3 reductions)
• Database optimizations resulting in up to 80% efficiencies
ISE 2.4 MnT+ Fast Access to Logs and Reports

Live Logs / Live Sessions and Reports:
• Firstly: fast scanning
• Secondly: instant results
• Finally: reduced waiting time during troubleshooting and instant logs
ISE 2.4 Super MnT
Scale Test Results/Observations

Scenario | Results (256GB RAM + 4 HDDs) | Results (256GB RAM + 8 HDDs) | Performance Gain
Live Log: initial load of live log page | 30 Sec | 10 Sec | 67%
Live Log: show 100 records within last 3 hours | 20 Sec | 5 Sec | 75%
Live Log with Filters: Identity (Scale) | 55 Sec | 25 Sec | 55%
Live Log with Filters: Network device name | 40 Sec | 15 Sec | 63%
Reports: single session, Today, launch | 42 Sec | 5 Sec | 88%
Reports: single session, 30 Days, launch | 180 Sec | 75 Sec | 58%

ISE VM Disk Provisioning Guidance

• Please! No Snapshots! Nodes will hang and cause outages.
• Snapshots NOT supported; there is no option to quiesce the database prior to a snapshot.
• VMotion supported, but storage motion not QA tested.
• Recommend avoiding VMotion due to snapshot restrictions.
• Thin Provisioning supported
• Thick Provisioning highly recommended, especially for PAN and MnT
• No specific storage media and file system restrictions. For example, VMFS is not required and NFS is allowed, provided the storage is supported by VMware and meets ISE IO performance requirements.

IO Performance Requirements:
➢ Read 300+ MB/sec
➢ Write 50+ MB/sec

Recommended disk/controller:
➢ 10k RPM+ disk drives
➢ Supercharge with SSD!
➢ Caching RAID Controller
➢ RAID mirroring
➢ Slower writes using RAID 5*

* RAID performance levels:
http://www.datarecovery.net/articles/raid-level-comparison.html
http://docs.oracle.com/cd/E19658-01/820-4708-13/appendixa.html
Configuring CPUs in VMware

• ESXi 5.x example
• ESXi 6.x example
Configure CPU based on cores. If HT is enabled, logical CPUs are effectively doubled, but the # of physical cores is the same.
Setting Memory Allocations in VMware
Guest VM Resource Reservations and Limits

• CPU example: Set Reservation to the minimum VM appliance specs to ensure the required CPU resources are available and not shared with other VMs. Optionally set a CPU allocation limit >= Min ISE VM specs to prevent over-allocation when the actual CPU assigned exceeds ISE VM requirements.
• Memory example: Similar settings apply to Max Allocation and Min Reservations for Memory.

Setting CPU and Memory Allocations in VMware
Guest VM Resource Reservations and Limits

• Set Reservation to the minimum VM appliance specs to ensure the required CPU resources are available and not shared with other VMs.
• Similar settings apply to Max Allocation and Min Reservations for Memory.
• “All Locked” is optional. It allows the VM to automatically adjust reservations to the Memory allocation setting. Otherwise, changes to memory allocation require manual adjustment of reservations.
ISE VM Provisioning Guidance
• Use reservations (built into the OVAs)
• Do not oversubscribe!
• Customers with VMware expertise may choose to disable resource reservations and over-subscribe, but don't do that.
On-boarding ISE node guidelines:
Cisco Identity Services Engine (ISE) can be installed on Cisco SNS (Secure Network Server) hardware appliances or as a virtual appliance.

To achieve performance, stability and scalability comparable to the Cisco ISE hardware appliance, the virtual machine must be allocated system resources equivalent to the physical appliance, as discussed in the previous slides.

Correct sizing plays a pivotal role here. If the sizing standards are not followed, ISE services and functions become erratic and unstable: for example, sudden purging of MAC addresses from active sessions, or "insufficient resources" alarms on the dashboard. Refer to the previous slides for details, and check Cisco's recommendations for any new updates.
ISE Hypervisor Support
• ISE 1.0+: VMware ESXi 5.x / 6.x
• ISE 2.0+: KVM on RHEL 7.0 or Ubuntu 14.04 LTS
• ISE 2.2+: Microsoft Hyper-V on Windows Server 2012 R2 or later
Check for the latest updates from Cisco before selection and deployment, e.g.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide26/b_ise_InstallationGuide_26_chapter_01.html
Once the ISE version, model, patch level, sizing and scaling are finalised and we have decided to install ISE on a VM, the next step is to gather the configuration details and have them ready before the node installation:

Hostname
IP address and subnet mask
Default gateway
DNS domain (suffix)
Name server (up to 3)
System time zone
NTP server (up to 3)
SSH (enable/disable)
Admin username/password
For our example, we are going to cover ISE installation on a VMware virtual machine for reference.

Cisco has packaged the recommended virtual machine compute/storage combinations into unique OVA files to make things easy for us and to avoid unsupported virtual machine configurations:

https://software.cisco.com/download/home/283801620/type/283802505/release/2.4.0

Select the package as per the deployment plan and persona (the latest patches are recommended) and download the OVA file.

Login to VMware vSphere -> Select host -> Deploy OVF Template
ISE Setup Wizard

After the virtual machine image is deployed, we have some initial configuration to perform in the setup wizard. This setup is done in the VMware console.

The first time an ISE node is powered on after installation, it will prompt you to run 'setup'.

Initial Wizard Setup

After entering 'setup', we need to feed ISE the details gathered above to complete the installation.

ISE will then perform tests such as pings to the gateway, DNS and NTP. If everything succeeds, ISE proceeds to install.

ISE installation generally takes 30-40 minutes on average, as many processes need to come up. Keep an eye on the ISE application status (show application status ise); it should turn to "running". Once this is accomplished, ISE is ready for GUI access; the credentials are the username and password used in the initial wizard configuration.
Configuring Personas:
This is a straightforward, few-clicks task and not at all tedious or complex. We have discussed the various personas in previous slides, hence not going into them again.

In a standalone deployment, a single node acts as PAN, PSN and MnT. You cannot edit the personas or services of a standalone Cisco ISE node.

However, when ISE nodes are deployed for high availability, the framework is distributed. ISE node personas are configured in a primary/secondary (PAN and MnT) or active/active (PSN) fashion.

After the ISE node is operational:
A newly onboarded standalone node has all three personas by default; we need to modify the personas of the standalone node so that the nodes take primary/secondary roles in the cluster. Below is the snip.

Below is an example of a newly turned-up ISE node.

https://ise-pan-1 >> Administration >> Deployment

Configuring ISE Personas
Enable only what is needed!
A newly onboarded standalone node has all three personas by default; we need to modify the personas of the standalone node to take primary/secondary roles in the cluster.

• ISE personas:
  • PAN
  • MnT
  • PSN
  • pxGrid

• PSN services:
  • Session
  • Profiling
  • TC-NAC
  • ISE SXP
  • Device Admin (TACACS+)
  • Passive Identity (Easy Connect)
ISE registration for a cluster/cube in a distributed design

To bring ISE nodes together in a redundant cluster (cube), there are a few prerequisites:

ISE nodes must be added to DNS and must resolve each other, forward and reverse. This is an easy task.

The ISE admin node must have certificate trust with all the other nodes. We will cover this from the ISE perspective.
A certificate is a signed document, issued by a trusted source to prove identity; real-world analogues are passports, UPI and ID cards.

ISE uses PKI (Public Key Infrastructure) to secure the communication in its framework for multiple purposes. For example, certificates are used to identify Cisco ISE to an endpoint, for inter-node communication, and to secure the communication between an endpoint and the Cisco ISE node.

PKI relies on X.509 digital certificates for encryption/decryption and authentication.
What is an X.509 Certificate?
• A certificate is a signed document...
  – Think of it like a government-issued form of identity: it carries a username (or device name), an organization and a location.

What is the purpose of an X.509 Certificate?
• Provides an identity: who is the user, what is the endpoint, which website this is.
• Contains the public key for encryption.

Other usages of X.509 certificates
• Key Usages
• Extended Key Usages (EKUs): Server Auth, Client Auth, Key/Cert Signing, ...
ISE Certificate Use
• ISE node registration
• pxGrid communication
• EAP authentication
• Admin portal
• End user portals
• Interfacing with 3rd-party APIs
• Posture
• Secure syslog (optional)
• Secure LDAP (optional)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Certificates are used for all HTTPS communication and for Extensible Authentication Protocol (EAP) communication.

ISE is a next-generation product that is operated heavily through a GUI over HTTPS in the browser. For example, the PAN administration portal is accessed via the browser, and likewise there are the web-auth (CWA) portal, the sponsor portal for guests, etc. All of these HTTPS-based interactions rely on certificates for secure communication.

Certificates are needed for all types of EAP communication (EAP-TLS, PEAP, EAP-FAST). EAP is the framework within which wired/wireless endpoints talk to the servers (PSNs) for AAA/RADIUS.
Certificate Usage
In a world of mobile devices, bring-your-own-device IT models and networks without borders, certificates are fast becoming a common form of identification.
The most difficult concept for many to understand is the concept of the public certificate vs. the private key (loosely called the "private certificate"). Certificates are part of public-key cryptography, or asymmetric encryption.
Asymmetric means that the two communicating devices each encrypt and decrypt the data with different keys. The term "key" is sometimes thrown around and interchanged with the term "certificate", but they are distinct: the certificate carries the public key, while the private key is held only by the certificate's subject.
Public Key: The public key is contained in the public certificate, and in most cases may be given to anyone in the world with whom you will communicate.

Private Key: The private key should rarely, if ever, leave the end-system. It represents the identity of that particular system; if it is exposed and used by another entity, that entity can now impersonate your identity.
Items that are encrypted using your public key may only be decrypted with your private key.

If endpoint C uses endpoint A's public key to encrypt some data, it can only be decrypted by endpoint A.

Similarly, if B uses C's public key to encrypt data, that data may only be decrypted with C's private key.

A certificate is meant to represent you, and prove you are who you say you are.
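The behaviour described above, run through with the openssl CLI: data encrypted to A's public key is recovered only with A's private key, C's private key fails, and a signature made with A's private key (the thing a certificate binds to a name) verifies with A's public key. This is an added example, not code from the original slides or from Cisco; the party names A and C, the 2048-bit RSA keys, OAEP padding and the message text are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original slides): two RSA key pairs stand in for
# endpoint A and endpoint C. Only the holder of a private key can decrypt what
# was encrypted to the matching public key, or produce a signature that the
# public key verifies. Key size, padding and file names are demo assumptions.
set -e
WORK=$(mktemp -d); cd "$WORK"

# keypair <name>: the private key stays in <name>.key, the shareable half goes to <name>.pub
keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl pkey -in "$1.key" -pubout -out "$1.pub"
}
keypair A; keypair C

# encrypt_for <party> <infile> <outfile>: anyone holding the public key can do this
encrypt_for() {
  openssl pkeyutl -encrypt -pubin -inkey "$1.pub" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}
# decrypt_as <party> <infile>: prints the plaintext; fails (non-zero) with the wrong private key
decrypt_as() {
  openssl pkeyutl -decrypt -inkey "$1.key" -in "$2" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 2>/dev/null
}
# sign_as <party> <file> <sigfile> / verify_from <party> <file> <sigfile>:
# a signature from the private key proves who holds it; verification needs only the public key
sign_as()     { openssl dgst -sha256 -sign "$1.key" -out "$3" "$2"; }
verify_from() { openssl dgst -sha256 -verify "$1.pub" -signature "$3" "$2" >/dev/null 2>&1; }

# Constructed message from C to A.
printf 'RADIUS shared secret rotation due Friday' > msg.txt
encrypt_for A msg.txt msg.enc
decrypt_as A msg.enc > by_A.txt                      # works: A holds A.key
if decrypt_as C msg.enc > by_C.txt; then
  echo "unexpected: C decrypted A's data"
else
  echo "C cannot decrypt data encrypted to A's public key"
fi
sign_as A msg.txt msg.sig
verify_from A msg.txt msg.sig && echo "signature verified with A's public key"
verify_from C msg.txt msg.sig || echo "C's public key does not verify A's signature"
```

Run it with sh. The decrypt with C's key fails inside openssl's OAEP padding check rather than producing garbage, which is the property that makes "only A can read this" enforceable rather than merely likely.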
Examples of different certificates and what services they may secure
Here are examples of what the certificates in the above diagram are being used for:
Both PSNs' admin certificates are being used to secure not only their communication with the PAN, but also the guest portal for CWA.
The sponsor portal is being protected with a certificate with sponsor.securitydemo.net in the certificate subject. The same certificate is being used for the sponsor portal on both PSN1 and PSN2.
PSN1 and PSN2 are each using their own EAP certificate for securing EAP communications.
The PAN is using its admin certificate to protect both the administrative communication to the PSNs and the administrative GUI.

These are just a few examples to try and solidify your understanding of where certificates are being used.
More about Certificate…
Certificate Hierarchy
From the Admin portal, you can view the certificate hierarchy or the certificate trust chain of
all endpoint, system, and trusted certificates. The certificate hierarchy includes the certificate,
all intermediate Certificate Authority (CA) certificates, and the root certificate.
The certificate hierarchy appears at the top of the certificate. Click any of the certificates in
the hierarchy to view its details. The self-signed certificate does not have any hierarchy or
trust chain.

In the certificate listing pages, you will see one of the following icons in the Status column:
Green icon—Indicates a valid certificate (valid trust chain)
Red icon—Indicates an error (for example, trust certificate missing or expired)
Yellow icon—Warns that a certificate is about to expire and prompts renewal
Cisco ISE provides the Admin Portal to manage the following two categories of X.509
certificates:
System certificates—These are server certificates that identify a Cisco ISE node to client
applications. Every Cisco ISE node has its own system certificates, each of which are
stored on the node along with the corresponding private key.
Trusted certificates—These are certificate authority (CA) certificates used to establish trust
for the public keys received from users and devices. The Trusted Certificates Store also
contains certificates that are distributed by the Simple Certificate Enrolment Protocol
(SCEP), which enables registration of mobile devices into the enterprise network.
Certificates in the Trusted Certificates Store are managed on the Primary Administration Node (PAN) and are automatically replicated to all other nodes in a Cisco ISE deployment.
In a distributed deployment, you therefore import a trusted certificate only into the certificate trust list (CTL) of the PAN; the certificate is then replicated to the secondary nodes.
Managing Local Certificates
ISE 1.0-1.2 (EOL/EOS): per-node certificate management
• PAN/MnT: generate CSR for PAN/MnT, bind CA-signed cert for PAN/MnT
• PSN #1: generate CSR for PSN #1, bind CA-signed cert for PSN #1
• PSN #20: generate CSR for PSN #20, bind CA-signed cert for PSN #20
• PSN #40: generate CSR for PSN #40, bind CA-signed cert for PSN #40
(and so on, one node at a time, on each node)

Centralized Certificate Management in 1.3+
At the Primary PAN, for ALL nodes (PSN #1 ... PSN #20 ... PSN #40):
• Generate CSRs for all nodes
• Bind CA-signed certs for all nodes
• Manage system (local) certs for all nodes
Certificates your ISE cube will "trust"
• Trust for EAP, MDM, etc.
• These are copies of their public certs, i.e. they identify other systems.

Trusted Certificates
• In 1.3+, trusted certificates have a new "Trusted For" attribute.
• Security goal: to prevent the public certificates used for Cisco services from being used internally.
• When importing a trusted certificate, the user must specify what the certificate is trusted for.
• It is important to select at least one category, or the cert will not be used in any trust store.
Certificate Chains
• For scalability, X.509 Certificate Authorities may have a hierarchy: Root CA -> Subordinate CA -> ISE.
• ISE will present the full signing chain to the client during authentication.
• The client must trust each CA within the chain.
ISE as Root CA

• The entire certificate chain can be re-generated if needed.
• Old CA certificates remain in the trust store to ensure that authentication of previously provisioned endpoints continues to work.
ISE Certificate Authority (CA) Architecture
• The Root CA is used to sign the certificates for the subordinate CAs.
• A subordinate CA signs the actual endpoint certs.
• The secondary PAN is another root CA! Ensure you export the CA certificates and keys from the primary PAN and import them on the secondary.
ISE as an Intermediate/Subordinate CA

• ISE's internal CA can work seamlessly with an existing CA in your deployment.
• Just make it an intermediate CA (subordinate CA) to your existing CA.
• Create a CSR for the ISE node and get a certificate issued by the existing CA.
ISE Subordinate Certificate Authority (CA)
Configuring ISE to be a subordinate CA to an existing PKI

When considering the depth of a PKI tree (also known as branches), you must remember that ISE's CA by itself is three branches deep on its own.

Many enterprise CAs allow the administrator to limit the depth of the PKI tree, so an adjustment to the policy may be required before you can sign ISE's certificate with the existing PKI.

The CSR generated at ISE is exported to a Microsoft CA
Example: the certificate portal on a Microsoft CA signing the intermediate CA CSR that was exported from ISE.

Ensure the existing Root CA has a tree size >= 3 (ISE is 2 tiers).
Certificate Revocation
Certificates normally come with a validity period, and sometimes you have to revoke certs before they expire. There can be many reasons, for example:

• Details need to be modified/added
• Private keys got compromised
• New CA contract
• Certificates got stolen from the CA

Hence revoking certs in a timely manner is as important as publishing them.
There are two ways to accomplish it in ISE; in reality there are three, but ISE supports two:

1) OCSP (Online Certificate Status Protocol), the preferred one
2) CRL (Certificate Revocation List)
3) OCSP stapling: the most efficient way, but not yet supported in ISE
OCSP
• Preferred method
• Provides near real-time updates
• Allows a near real-time request per certificate
• Think: a policeman checking from a laptop in the squad car, with a live query into the DMV database.

CRL
• A signed document published on a website
• Periodically downloaded and stored locally
• The server examines the CRL to see if the client's cert was already revoked.
• Think: a policeman having a list of suspended drivers in his squad car.

Note: ISE does not use the CRL field (CRL Distribution Point) in the certificate.
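The chain, path-length and revocation behaviour from the preceding slides (Certificate Chains, ISE as a subordinate CA, OCSP vs CRL, plus the EKU slide earlier), worked through with the openssl CLI, which is also the tool you would use to inspect a CSR exported from ISE or the certificate a CA hands back. This is an added example, not code from the original slides or from Cisco: the CA names, the hostnames ise-psn-1.example.net and ise-psn-2.example.net, the "openssl ca" database layout, and the choice of pathlen:1 versus pathlen:2 on the enterprise issuing CA are assumptions for the demo. The example places two ISE CA tiers (node CA, endpoint sub CA) below the signing CA, as the slide's "2 tiers" remark describes; how many tiers a given ISE version actually creates should be checked in its CA hierarchy before choosing the value.

```shell
#!/bin/sh
# Added example, not from the original slides or from Cisco: a throw-away PKI
# built with the openssl CLI in the slides' Root -> Subordinate -> ISE shape.
# Every CA name, hostname (ise-psn-1.example.net ...) and serial is constructed
# for the demo; nothing here is an ISE default.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

ca_ext() {  # ca_ext <extfile> [pathlen]: extensions for a CA certificate
  printf 'basicConstraints=critical,CA:TRUE%s\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\n' \
    "${2:+,pathlen:$2}" > "$1"
}
# Extensions for an ISE system certificate: server and client EKU plus a DNS SAN.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n%s\n%s\n' \
  'extendedKeyUsage=serverAuth,clientAuth' 'subjectAltName=DNS:ise-psn-1.example.net' > leaf.ext

mkcert() {  # mkcert <name> <subject> <extfile> [issuer]  -> <name>.key and <name>.pem
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then  # no issuer: self-signed root CA
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -extfile "$3" -out "$1.pem" 2>/dev/null
  else                  # what the enterprise CA does with a CSR exported from ISE
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial -days 365 \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

# 1. Root -> Sub -> ISE, as on the "Certificate Chains" slide.
ca_ext root.ext; ca_ext sub.ext 0
mkcert root '/CN=Example Root CA' root.ext
mkcert sub  '/CN=Example Sub CA'  sub.ext root
mkcert ise  '/CN=ise-psn-1.example.net' leaf.ext sub
mkcert ise2 '/CN=ise-psn-2.example.net' leaf.ext sub

verify_leaf() {  # verify_leaf <trusted CA file> <leaf> [file of untrusted intermediates]
  if [ -n "$3" ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; fi
}
has_eku() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }  # has_eku <cert> <EKU name as printed>

# 2. Path length. The enterprise issuing CA can cap the CA tiers below it. With
#    two ISE CA tiers (node CA, endpoint sub CA) under the signer, pathlen:1 on
#    the issuer breaks endpoint validation and pathlen:2 allows it.
build_tree() {  # build_tree <prefix> <issuing-CA pathlen>
  ca_ext "$1-issuer.ext" "$2"; ca_ext "$1-tier.ext"
  mkcert "$1-root"   "/CN=$1 Enterprise Root CA"    root.ext
  mkcert "$1-issuer" "/CN=$1 Enterprise Issuing CA" "$1-issuer.ext" "$1-root"
  mkcert "$1-node"   "/CN=$1 ISE Node CA"           "$1-tier.ext"   "$1-issuer"
  mkcert "$1-epsub"  "/CN=$1 ISE Endpoint Sub CA"   "$1-tier.ext"   "$1-node"
  mkcert "$1-ep"     "/CN=endpoint.$1.example.net"  leaf.ext        "$1-epsub"
  cat "$1-issuer.pem" "$1-node.pem" "$1-epsub.pem" > "$1-untrusted.pem"
}
build_tree deep 2
build_tree shallow 1

# 3. Revocation. "openssl ca" keeps the database that both the CRL and the OCSP
#    responder are generated from; ise-psn-1's private key is treated as compromised.
cat > sub.cnf <<'EOF'
[ ca ]
default_ca = sub
[ sub ]
database         = index.txt
serial           = serial
certificate      = sub.pem
private_key      = sub.key
default_md       = sha256
default_crl_days = 7
EOF
: > index.txt; printf '01\n' > serial
openssl ca -config sub.cnf -revoke ise.pem 2>/dev/null
openssl ca -config sub.cnf -gencrl -out sub.crl 2>/dev/null
cat root.pem sub.pem > chain.pem

crl_status() {  # crl_status <cert>: "ok" or "revoked" according to the downloaded CRL
  if openssl verify -CAfile chain.pem -CRLfile sub.crl -crl_check "$1" >/dev/null 2>&1
  then echo ok; else echo revoked; fi
}
ocsp_status() {  # ocsp_status <cert>: "good", "revoked" or "unknown" from the responder
  openssl ocsp -issuer sub.pem -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1   # client builds the request
  openssl ocsp -index index.txt -CA sub.pem -rsigner sub.pem -rkey sub.key -noverify \
    -reqin req.der -respout resp.der >/dev/null 2>&1                                    # responder answers from its DB
  openssl ocsp -respin resp.der -issuer sub.pem -cert "$1" -no_nonce \
    -CAfile root.pem -VAfile sub.pem 2>/dev/null | sed -n "s|^$1: ||p"                 # client verifies and reads status
}

echo "ISE cert EKU includes serverAuth:     $(has_eku ise.pem 'TLS Web Server Authentication' && echo yes || echo no)"
echo "root trusted, intermediate presented: $(verify_leaf root.pem ise.pem sub.pem && echo valid || echo invalid)"
echo "root trusted, intermediate missing:   $(verify_leaf root.pem ise.pem && echo valid || echo invalid)"
echo "issuer pathlen:2 above 2 ISE tiers:   $(verify_leaf deep-root.pem deep-ep.pem deep-untrusted.pem && echo valid || echo invalid)"
echo "issuer pathlen:1 above 2 ISE tiers:   $(verify_leaf shallow-root.pem shallow-ep.pem shallow-untrusted.pem && echo valid || echo invalid)"
echo "CRL:  ise-psn-1=$(crl_status ise.pem) ise-psn-2=$(crl_status ise2.pem)"
echo "OCSP: ise-psn-1=$(ocsp_status ise.pem) ise-psn-2=$(ocsp_status ise2.pem)"
```

Run it with sh. Two things the run makes visible that the slides only state: a client that trusts the root but is not sent the intermediate rejects the ISE certificate, which is why ISE presents the whole chain during EAP; and the OCSP responder answers "unknown" for ise-psn-2 because that certificate was never entered in the responder's database, while the CRL check passes it, so the two mechanisms can disagree about certificates the responder has never seen.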
