ISE 2.0 Initial Configuration - Finishing Touches

This post is going to be focused on the rest of the initial configurations that I like to tweak on ISE as I'm setting it up and that don't warrant their own post. 

In my lab, I have only one ISE node, so it runs all the ISE personas on the same VM and acts as the Policy Services Node (PSN). In a production deployment you would typically decide which profiling probes each PSN accepts. ISE lets you enable any combination of the following probes:

  • Netflow Probe
  • DHCP Probe
  • DHCP SPAN Probe
  • HTTP Probe
  • RADIUS Probe
  • DNS Probe
  • SNMP Query Probe
  • SNMP Trap Probe
  • Active Directory Probe (New in ISE 2.1)

Each probe contributes additional attributes about an endpoint. In a production deployment you probably won't turn every probe on, because several probes report overlapping information and collecting it twice adds load on the PSN for little gain. We will get to that in later posts. 

To enable an interface of your ISE PSN to accept probes, navigate to Administration>System>Deployment and click on the hostname of your PSN. Under the Edit Node window, navigate to the Profiling Configuration tab. Here you can check a box next to each probe type and choose the interface and port on which it listens. Typically, I like to configure the following probes:

  • DHCP - Listens for DHCP packets relayed to the PSN by an ip helper-address on the switch or router SVI (add the PSN next to the real DHCP server), and parses options such as the host name, class identifier and parameter request list into endpoint attributes. 
  • HTTP - Uses the identification string (the User-Agent header) that a browser sends to its peer, which typically identifies the browser, application type, operating system, software vendor and software revision. This adds further context for profiling the endpoint. 
  • RADIUS - Collects attributes from RADIUS authentication and accounting such as NAS-IP-Address, NAS-Port, Calling-Station-ID, Acct-Session-ID, Framed-IP-Address, Acct-Session-Time, and Acct-Terminate-Cause; the accounting attributes only arrive if RADIUS accounting is enabled on the NAD. I would say that this one is important to always have enabled. 
  • DNS - Performs a reverse lookup on the endpoint's IP address (learned from another probe) to obtain its FQDN. The FQDN is added to the endpoint's attribute list, where endpoint profiling policies can evaluate it. 
  • SNMP Query - Polls your Network Access Devices (NADs) over SNMP: a triggered query when a link-up or new-MAC notification arrives (collecting, for example, CDP and ARP data), plus a periodic system query of each switch, once an hour by default.
  • SNMP Trap - Lets the PSN receive traps and informs (MAC notification, linkup, linkdown) from NADs that support them. The trap only tells the PSN that something changed; to collect the details you must enable SNMP Query as well. This is important for learning promptly when ports go up and down and endpoints connect and disconnect in your network.
  • Active Directory Probe (Only in ISE 2.1 and later) - Improves the fidelity of OS information for Windows endpoints, since Active Directory records the OS version and service pack level of AD-joined computers. The AD probe retrieves this information directly through the AD runtime connector, which makes it a highly reliable source of client OS information, and it needs the endpoint's host name (learned by the DHCP or DNS probe) to look the computer up. It can also help you distinguish between corporate and non-corporate assets. 
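To make the DHCP probe concrete, here is an added example (not code from the original post, and not ISE code) that builds a constructed DHCPDISCOVER the way a switch SVI would relay it to the PSN and pulls out the fields the profiler turns into endpoint attributes. The attribute names mirror ISE's own (host-name, dhcp-class-identifier, dhcp-parameter-request-list); the MAC address, host name and IP addresses are made up for the example.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 8: "DHCPINFORM"}

# DHCP option code -> the endpoint attribute name ISE's profiler derives from it
OPTION_ATTRS = {
    12: "host-name", 50: "dhcp-requested-address", 53: "dhcp-message-type",
    55: "dhcp-parameter-request-list", 60: "dhcp-class-identifier", 61: "dhcp-client-identifier",
}


def build_dhcp(op, chaddr, giaddr, options):
    """Build a BOOTP/DHCP datagram: RFC 2131 fixed fields, magic cookie, options, end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 1, 0x3903F326, 0, 0x8000,       # Ethernet, hops=1 (relayed)
                        bytes(4), bytes(4), bytes(4),              # ciaddr, yiaddr, siaddr
                        IPv4Address(giaddr).packed,                # giaddr = relaying SVI
                        chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    opt_bytes = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return fixed + MAGIC_COOKIE + opt_bytes + b"\xff"


def parse_options(payload):
    """Return {code: raw value} for the option section; skip pad (0), stop at end (255)."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    idx, opts = 240, {}
    while idx < len(payload):
        code = payload[idx]
        if code == 255:
            break
        if code == 0:
            idx += 1
            continue
        length = payload[idx + 1]
        opts[code] = payload[idx + 2:idx + 2 + length]
        idx += 2 + length
    return opts


def profile_attributes(payload):
    """What the DHCP probe sees: the client MAC, the relay that forwarded it, and the options."""
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]
    attrs = {
        "MACAddress": ":".join(f"{b:02x}" for b in chaddr),
        "giaddr": str(IPv4Address(payload[24:28])),   # the ip helper-address source
    }
    for code, val in parse_options(payload).items():
        name = OPTION_ATTRS.get(code)
        if name is None:
            continue
        if code == 55:                      # fingerprint: the order of requested options
            attrs[name] = ",".join(str(b) for b in val)
        elif code == 53:
            attrs[name] = MSG_TYPES.get(val[0], str(val[0]))
        elif code == 50:
            attrs[name] = str(IPv4Address(val))
        elif code == 61:
            attrs[name] = val.hex(":")
        else:
            attrs[name] = val.decode(errors="replace")
    return attrs


def sample_discover():
    """Constructed Windows-style DHCPDISCOVER relayed by a switch SVI at 10.1.20.1."""
    mac = bytes.fromhex("001122334455")
    return build_dhcp(1, mac, "10.1.20.1", [
        (53, b"\x01"),
        (61, b"\x01" + mac),
        (12, b"LAB-PC01"),
        (60, b"MSFT 5.0"),   # built-in Windows policies match dhcp-class-identifier CONTAINS MSFT
        (55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])),
    ])


if __name__ == "__main__":
    for k, v in profile_attributes(sample_discover()).items():
        print(f"{k}: {v}")
```

The parameter request list (option 55) is worth a look in the output: its exact order is what separates, say, one Windows release from another, which is why a custom profile built from the Endpoints page attribute list usually keys on it together with the class identifier.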

For more details about each type of probe, and to determine which ones would be beneficial in your environment, see the profiling chapter of the Cisco ISE Administrator Guide.

After you have completed your profiling configuration on your nodes, click Save.

The next thing that you should be aware of is how to add patches to ISE. ISE patches are cumulative, so the latest patch includes the fixes from all previous patches. Verify the bundle's checksum against the value published on Cisco.com before you install it. Then navigate to Administration>System>Maintenance>Patch Management on the primary PAN and install the patch; ISE applies it to every node in the deployment and restarts the services on each node in turn. After a successful installation you should be able to log back in without issue, and show version on the CLI lists the installed patches.

If you would like to create or schedule regular backups with ISE, you first need to create a Repository. In the Administration>System>Maintenance>Repository page, click Add to create a new Repository. After you have created the Repository, you may create or schedule either an operational or a configuration backup of ISE by navigating to Administration>System>Backup & Restore. You must supply an encryption key for the backup; keep it somewhere safe, because a configuration backup holds your entire configuration (RADIUS shared secrets included) and cannot be restored without it. 

 

Another important thing to note is that by default, ISE uses a Cisco-branded page for the Guest, Sponsor, Hotspot and other portals. You have the option to upload your own CSS, but if you're anything like me, you probably aren't the best with web page design. Cisco made it really easy to create custom, branded portal pages very quickly: if you open Cisco's ISE Portal Builder and sign in with your Cisco CCO ID, you can create a customized page for each ISE portal within minutes. To upload it to ISE, you need to install the Firefox plugin following the instructions on that page, and in your ISE GUI you need to enable portal customization with HTML and JavaScript. To do so, navigate to Administration>System>Admin Access>Settings>Portal Customization, select the radio button Enable Portal Customization with HTML and JavaScript, and click Save. Keep in mind that this setting is off by default for a reason: once it is on, anyone with rights to edit a portal can put arbitrary script into pages served to your guests, so limit portal editing to admins you trust.

 

While it might not be important in a lab environment, most people prefer to log in to the ISE admin portal with AD credentials instead of local credentials. To configure this, navigate to Administration>System>Admin Access>Authentication, choose your AD join point in the Identity Source drop-down, and click Save.

Then navigate to Administration>System>Admin Access>Administrators>Admin Groups and create a new group. Check the box for External and, in the External Groups drop-down, choose the Domain Admins group (or whatever other group you prefer; a dedicated AD group for ISE administrators keeps the Super Admin role narrower than Domain Admins, which is a much larger population). Click Submit.

Navigate to Administration>System>Admin Access>Authorization>Policy, click the gear icon next to any policy and choose Insert Policy. Give the policy a friendly name. In the Admin Group field, choose the group you just created, and in the Permissions field choose the appropriate permissions. In my case, I'm giving the Domain Admins group access as a Super Admin to give anyone in that AD group full access to ISE:

After saving this RBAC policy, you can test it by signing out of the ISE admin portal and logging back in with the external identity source. If your AD server is not reachable, you can still log in with the local credentials by changing the identity source in the new Identity Source drop-down on the login page:

Another good thing to note is that there is a default Help-Desk Menu Access permission that gives read-only access to certain menus in ISE. To reduce the administrative overhead of ISE, I would consider it a best practice to give your help desk staff this permission and train them to read the RADIUS Live Log. That way the help desk can resolve issues like incorrect passwords or EAP timeouts without escalating to your network or security team under the impression that ISE itself is broken. It makes the day-to-day management of ISE easier and more seamless, and creates a better user experience for everyone.

 

The next setting I would adjust in ISE is the Profiler setting. Navigate to Administration>System>Settings>Profiling and make sure that the CoA Type drop-down is set to Reauth (the other choices are No CoA and Port Bounce). The profiler issues a CoA in the following cases:

  • Static assignment of an endpoint
  • An exception action is configured (important for remediation tasks later)
  • An endpoint is profiled for the first time
  • An endpoint is deleted
  • Profiles updated for the endpoint

One thing to note: you don't have to change this if you don't want to. In a large environment you might not want it, because every profile change then forces that endpoint to reauthenticate, and a burst of profile changes means a burst of CoAs and reauthentications across your switches.
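The RADIUS probe attributes listed earlier and the profiler CoA both travel in plain RADIUS packets, so here is an added example (not code from the original post, and not ISE code) that encodes and parses them. It builds a constructed Accounting-Request Interim-Update carrying the attributes the RADIUS probe records, verifies its Request Authenticator against the shared secret the way the server does before it accepts the packet, and builds the CoA-Request that a Reauth produces for a Cisco IOS switch (Cisco-AVPair subscriber:command=reauthenticate). The IP addresses, MAC, session ID and shared secret are constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed shared secret for the lab switch; ISE holds the real one per network device.
SECRET = b"ise-shared-secret"

CODE_ACCT_REQUEST = 4    # RFC 2866
CODE_COA_REQUEST = 43    # RFC 5176
CISCO_VENDOR_ID = 9

ATTR_NAMES = {
    4: "NAS-IP-Address", 5: "NAS-Port", 8: "Framed-IP-Address", 26: "Vendor-Specific",
    31: "Calling-Station-Id", 40: "Acct-Status-Type", 44: "Acct-Session-Id",
    46: "Acct-Session-Time", 49: "Acct-Terminate-Cause",
}
INT_ATTRS = {5, 40, 46, 49}
IP_ATTRS = {4, 8}


def avp(attr_type, value):
    """Encode one attribute TLV: Type(1) Length(1) Value."""
    if attr_type in INT_ATTRS:
        value = struct.pack("!I", value)
    elif attr_type in IP_ATTRS:
        value = IPv4Address(value).packed
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific(26) carrying a Cisco-AVPair (vendor 9, vendor-type 1)."""
    sub = struct.pack("!BB", 1, 2 + len(text)) + text.encode()
    return avp(26, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_packet(code, identifier, attrs, secret):
    """Accounting-Request and CoA-Request use the same Request Authenticator:
    MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_packet(packet, secret):
    """Recompute the authenticator. A NAD configured with the wrong shared secret,
    or a spoofed packet, fails here and is silently dropped before profiling sees it."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    code, _, length = struct.unpack("!BBH", header)
    if code not in (CODE_ACCT_REQUEST, CODE_COA_REQUEST) or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(packet):
    """Walk the TLVs and decode the attributes the RADIUS probe records."""
    body, i, out = packet[20:], 0, {}
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        v = body[i + 2:i + length]
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t in INT_ATTRS:
            out[name] = struct.unpack("!I", v)[0]
        elif t in IP_ATTRS:
            out[name] = str(IPv4Address(v))
        elif t == 26:   # Vendor-Id(4) + vendor-type(1) + vendor-length(1) + value
            vendor = struct.unpack("!I", v[:4])[0]
            out.setdefault(name, []).append((vendor, v[6:].decode(errors="replace")))
        else:
            out[name] = v.decode(errors="replace")
        i += length
    return out


def sample_interim_update():
    """Constructed Interim-Update (Acct-Status-Type 3) from a switch at 10.1.10.2."""
    attrs = [
        avp(4, "10.1.10.2"), avp(5, 50101), avp(31, "00-11-22-33-44-55"),
        avp(8, "10.1.20.77"), avp(44, "000000A1"), avp(40, 3), avp(46, 600),
    ]
    return build_packet(CODE_ACCT_REQUEST, 7, attrs, SECRET)


def coa_reauth(calling_station_id, nas_ip):
    """Profiler CoA 'Reauth' as Cisco IOS understands it: identify the session by
    Calling-Station-Id, then carry the command in a Cisco-AVPair."""
    attrs = [avp(31, calling_station_id), avp(4, nas_ip),
             cisco_avpair("subscriber:command=reauthenticate")]
    return build_packet(CODE_COA_REQUEST, 1, attrs, SECRET)


if __name__ == "__main__":
    pkt = sample_interim_update()
    print("accounting authenticator valid:", verify_packet(pkt, SECRET))
    print(parse_attributes(pkt))
    print(parse_attributes(coa_reauth("00-11-22-33-44-55", "10.1.10.2")))
```

Two things to take away: the attributes the live log shows for a session are exactly these TLVs, and the shared secret is the only thing authenticating them, which is why a wrong secret on a new switch shows up as accounting that never appears in ISE rather than as an error.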

I would also recommend changing the SNMP community strings to something that makes more sense to you, since the default is public, which I assume no one is using in production (I hope!). The community string is the only thing authenticating the PSN's SNMP queries to your switches, so where your NADs support it, define them in ISE with SNMPv3 and authentication and privacy instead.

For the purposes of this lab, we won't enable the Endpoint Attribute Filter, because it's not needed for a lab this small. In a production environment you may want to filter attributes that your profiling policies never use, to reduce the load on the profiler and the database:

 

Next, navigate to Administration>System>Settings>Protocols>RADIUS and uncheck the Suppress Anomalous Clients box. This is useful for troubleshooting later on, because with suppression off every failed attempt from a misbehaving client shows up in the live log. In production, turn suppression back on: it exists to keep a looping supplicant from flooding the live log and the monitoring node with repeated failures:

 

For the sake of making it easier to build my policy sets and making them more logical, I like to enable Policy Sets. By default, this is disabled. Without it enabled, you have one page for Authentication Policy and another for Authorization Policy; you have to create your rules in both places, and the logic to build policies gets a little trickier. With Policy Sets enabled, you can logically group the authentication and authorization policies for one use case inside the same policy set. It also makes reading and troubleshooting the policy much easier. It's my personal philosophy to ALWAYS turn on Policy Sets. Friends don't let friends configure ISE without Policy Sets turned on. :)

To enable this feature, so you can follow along with my policy creation more easily, navigate to Administration>System>Settings>Policy Sets and choose the radio button for Enabled:

 

If you have a proxy server in your environment and ISE will need to pass through it to get to the internet, configure it by navigating to Administration>System>Settings>Proxy

If you would like to configure ISE to send mail, configure the SMTP server by navigating to Administration>System>Settings>SMTP Server. ISE uses SMTP to send guests their credentials by e-mail or text notification and to send alarm notifications to the administrator. 

To enable automatic download of the Client Provisioning feed, ISE must have access to the internet (directly or through the proxy configured above), and you must enable it by navigating to Administration>System>Settings>Client Provisioning and choosing Enable in the Enable Automatic Download drop-down:

 

To enable automatic updates for posture updates in ISE, navigate to Administration>System>Settings>Posture>Updates and check the box next to Automatically check for updates starting from initial delay and click Save. Optionally, you may manually start a download as well:

 

Optionally, if you would like to add an MSE instance to your ISE deployment so you can create policies based on location services, you may navigate to Administration>Network Resources>Location Services and click Add:

 

In order to continuously get updated profiles, I like to enable the Profiler Feed Service so I can regularly get downloads to any new profiles. To enable this service, navigate to Administration>Feed Service and check the box next to Enable Profiler Feed Service. Click Save when done:

 

Before I finish up this post, one awesome page I really like in ISE 2.0 that I would like to call attention to is the Endpoints page. This page will be really useful down the road while profiling or just checking what's on your network. You can navigate there by going to Administration>Identity Management>Endpoints:

On the Endpoints page, you can click on a host to drill down into the attribute information that ISE collected for that particular endpoint. Depending on the probes configured, this list can provide a lot of detail. If this is an endpoint that doesn't match a profile and you would like to create one, you would use the information from this attribute list to build a custom profile. We will drill down into profile configuration in a later post, but I wanted to call attention to it here:

In ISE 2.1, this page is replaced with the dashboards and Context Visibility which is even better in my honest opinion and gives you a lot more that you can track with. ISE 2.1 also gives you the ability to create custom dashboards as well which is pretty useful for different levels of access like Helpdesk or just having the information you want to see immediately available in a format that makes sense to you. 

With that, I'm going to wrap up this blog post. Thanks for checking this page out and feel free to leave any comments!