ISE 2.0 Initial Configuration - Creating Certificate Authentication Profiles

In this next post, we are going to create the Certificate Authentication Profiles. This profile is necessary for our authentication methods that we will create in later posts. Since we will be using an EAP certificate-based authentication method in our policy, ISE will compare the certificate received from a client with the one in the server to verify the authenticity of a user or computer. This is considered a much more secure method than the traditional username and password method. 

ISE 2.0 Initial Configuration - Adding Certificates to ISE

Certificates are crucial to the operation of Identity Services Engine. Some of the uses that ISE has for certificates include the following: dot1x authentication, pxGrid communication, adding and communicating with new ISE nodes, BYOD, etc. Unless you are using a single ISE node on the network with only a Guest portal and basic profiling, this is going to be a post that you'll want to follow along with as much as possible.

ISE 2.0 Initial Configuration - Bootstrapping and Joining to AD Domain

Now that we have Active Directory configured, we're going to start setting up ISE. I'm going to walk through basic bootstrapping of ISE and how to join it to the Active Directory domain in this post. I'm using ISE 2.0 in my lab, which is the latest version of ISE as of this post, but the process for bootstrapping and joining to an Active Directory domain remains unchanged from previous versions.

Server 2012 Configuration - pxGrid Identity Mapping/PassiveID Settings

When configuring ISE pxGrid integration with Active Directory, there are certain audit settings and permissions that need to be set in order to allow the information to pass to ISE. If you've ever configured Cisco Context Directory Agent, you're about to receive a blast from the past. This is because the settings and permissions are exactly the same.

Server 2012 Configuration - Group Policy Creation

This is where we're going to create our group policy to push down to our clients. The idea of pushing the settings down to users via GPO is to make security mandatory but also try to make it as transparent to a user as possible. Little things such as pushing the dot1x SSID information and enabling the users to auto-connect to the SSID when in range go a long way toward a good user experience. Likewise, having your users automatically be enrolled with a user certificate and their NIC card settings automatically configured increases the transparency of ISE from a user perspective. Ideally, the users should never know ISE is there authenticating and authorizing their corporate computers and acting as the gatekeeper between them and the rest of the network UNLESS a policy is violated somehow.

Server 2012 Configuration - Certificate Templates

Certificate Templates will play a big role in ISE and pxGrid integration in our lab and most likely in any production rollout of ISE. While recent versions of ISE do support using ISE as a certificate authority, most implementations of ISE that I've seen leverage an Active Directory Certificate Authority. In later blog posts, I might end up going through a lot of these same steps using the ISE CA instead, but I'd rather cover what's going to be used in the majority of implementations first.

Server 2012 Configuration - Adding and Configuring Roles

If you're implementing any of this in production, you probably have a domain controller and Certificate Authority in place already. Depending on what you plan on using ISE for though, there are settings that you might need to adjust. Since this is a lab environment that I'm setting up, I'm going to make an assumption that you might be setting up a lab as well and walk you through some of the things I do as I'm setting it up.