Deploying ISE in a Dynamic Public Environment
Clark Gambrel, CCIE #18179
Technical Leader, Engineering, Core Software Group
BRKSEC-2059
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment
Take the hassle out of your ISE deployment!
K.I.T.T.
Know ISE Through Training
Abstract
Managing a secure, yet flexible network in today's public access environments can be very challenging. Public access networks in areas like universities, hospitals and airports host a broad array of devices, both privately owned and corporately managed. With the increasing importance of the Internet of Things, the variety of devices that need to connect to these public networks is rapidly increasing. Cisco Identity Services Engine (ISE) plays an integral role in controlling the access to these dynamic public networks. This session will share lessons learned (best practice) from an ISE escalation engineer in troubleshooting complex customer environments.
Introduction
Clark Gambrel, CCIE #18179
Technical Leader – Engineering
Core Software Group
@ClarkGambrel
KENTUCKY
Kentucky is known for…
Ich bin ein “Redneck“
Agenda
• Introduction
• Public environments, Why are they so challenging?
• Advice – Words to live by in any environment (Best Practice!)
• Education – What we have learned
• Hospitals/Medical – Protecting the heart of your network
• Public Transportation – Tips for the thrifty traveler
• Conclusion
Please Fill Out The Survey!
ISE & Software Defined Segmentation Sessions
• BRKSEC-2059 (2h) – Deploying ISE in a Dynamic Public Environment – Fri 24-Feb 11:30 (You are here)
• BRKSEC-2203 (90m) – Enabling Software-Defined Segmentation with TrustSec – Tue 21 Feb 16:45
• BRKSEC-2344 (2h) – Device Administration with TACACS+ using Identity Services Engine 2.X – Tue 21 Feb 14:15
• BRKSEC-3690 (2h) – Advanced Security Group Tags: The Detailed Walk Through – Wed 22 Feb 09:00
• BRKSEC-3697 (2h) – Advanced ISE Services, Tips and Tricks – Thu 23 Feb 09:00
• BRKSEC-3699 (2h) – Designing ISE for Scale & High Availability – Fri 24 Feb 09:00
• TECSEC-2222 (4h) – Securing Networks with Cisco Trustsec
• TECSEC-2404 (8h) – ACI Security
• TECSEC-2672 (8h) – Intermediate - Network Access Control with ISE (Identity Services Engine)
• BRKSEC-3014 (2h) – Security Monitoring with StealthWatch: The detailed walkthrough – Wed 22 Feb 09:00

Labs & Lunch and Learn Sessions
• LABSEC-1007 (45m) – AnyConnect (4.2) Posture with Identity Services Engine (ISE) 2.1
• LABSEC-1300 (30m) – Configuring and troubleshooting TACACS+ in ISE 2.1 with Nx-OS devices, IOS and WLC
• LABSEC-2004 (30m) – Dot1x: Troubleshooting tips and tricks
• LALSEC-2003 – Lunch and Learn - Cisco Identity Services Engine (ISE) – Tue 21 Feb
• LALSEC-2006 – Lunch and Learn - Network as a Sensor/Enforcer – Wed 22 Feb
• LTRSEC-3400 (4h) – ISE Troubleshooting LAB – Tue 21 Feb 14:15
• LTRSEC-2800 (90m) – Integrating TrustSec and ACI Together – Thurs 23 Feb 14:00
Public environments, Why are they so challenging?
• On average each person carries 2.9 devices
• Each year new devices are introduced
• Devices add new technology enhancements, e.g. TLS versions, mini browsers
• Device behavior differs from one OS version to the next
• Devices are mostly unmanaged
• End users have different levels of knowledge when it comes to configuring their own devices
• Users expect a simple experience, similar to home use
• Lots of configuration parameters on ISE/Wireless Controller; which are correct?
Advice – Words to live by in any environment (Best Practice)
Inter-Node Communications – Radius Flapping can be a real mess!
Diagram: two PANs, two MnTs and six PSNs (PSN1–PSN6) split across NODE GROUP A (JGROUP A) and NODE GROUP B (JGROUP B), connected over L2 or L3; a WLC sends RADIUS to the PSNs.
• Profiling sync leverages JGroup channels
• All replication outside node group must traverse PAN, including Ownership Change!
• If Local JGroup fails, then nodes fall back to Global JGroup communication channel.
PSN5 says “I own this mac address”
PSN3 says “Ok PSN5 owns this mac address”
Inter-Node Communications – Radius Flapping can be a real mess! (continued)
Diagram: the same two node groups (JGROUP A and JGROUP B), PANs, MnTs and WLC, now with RADIUS flapping between PSN3 and PSN5.
• Ok, now Radius flapping occurs.
• This could be due to timeouts received to WLC or due to the “Radius NAC” accounting bug
• This will also happen if a PSN receives profiling information for an endpoint that it doesn’t own
PSN5 says “Ok PSN3 owns this mac address”
PSN3 says “I own this mac address”
Profiling and Data Replication – Before Tuning
Diagram: PSNs in Node Group = DC1-group and Node Group = DC2-group, with a PAN and two MnT nodes; numbered flows (1–5) show RADIUS Auth, RADIUS Acctng, DHCP 1, DHCP 2, NMAP and NetFlow probe data arriving at different PSNs, each triggering an Ownership Change and Global Replication through the PAN.
Impact of Ownership Changes – Before Tuning
Diagram: the same two node groups (Node Group = DC1-group, Node Group = DC2-group); RADIUS Auth, RADIUS Acctng, DHCP 1, DHCP 2, NMAP and NetFlow data for one endpoint arrive at different PSNs, and each receiving PSN first has to ask “Owner?”.
Advice: Timers
Advice: Timers – WLC: Radius
• Default timer value of 2 seconds is too short
• During busy times, authentication latency may increase and exceed the default value
• Use best practice value between 5-10 seconds, typically
• Use timers appropriate to the environment (tune for your environment)
• Some remote/cloud based RADIUS servers may have higher authentication latency and require some tweaking.
Advice: Timers – WLC: Radius - Continued
• Setting timers too long and the client might restart its session; retries from the RADIUS server will be dropped
• Avoid unnecessary RADIUS server flaps with timers that are too short
• RADIUS flapping can have some major impacts on an ISE deployment
Advice: Timers - Radius
Typically 5-10 seconds
Usually matches Auth server timeout value
Advice: Timers – WLC: Radius - Continued
• Make sure that Aggressive Failover is disabled in the command line of the WLC
This can have a big impact on ISE and Wireless Auths in general
(Cisco Controller) >config radius aggressive-failover disable
Advice: Timers - WLANs
• Increase Session Timeout to 2+ hours (7200+ sec), if Enabled (recommended). This can also be sent as a Radius attribute in ISE under the AuthZ Profile
• Increase Client Exclusion to 180+ seconds (3+ mins)
• For 802.1X SSIDs, increase Client Idle Timeout to 1 hour (3600 sec)
• For Guest/Hotspot SSIDs, leave this low (300 sec) to free up resources (http redirect sessions) for clients that have disconnected
Advice: Timers - WLANs – Interim Update
• WLC 7.6:
  • Recommended setting: Disabled
  • Behavior: Only send update on IP address change
  • Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates.
  • Device Sensor updates not impacted
• WLC 8.0:
  • Recommended setting: Enabled with Interval set to 0
  • Behavior: Only send update on IP address change
  • Device Sensor updates not impacted
  • Settings mapped correctly on upgrades
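As an added example (not from the deck or Cisco), the timer advice above turned into a small audit that flags a controller still running defaults: RADIUS timeout outside 5-10 s (too short flaps, too long drops retries), aggressive failover left on, the version-dependent Interim Update rule, and the per-SSID session, exclusion and idle timers. The settings dict layout, field names and the sample controller are constructed assumptions; only the thresholds come from the slides.

```python
"""Audit WLC / WLAN timers against the BRKSEC-2059 recommendations.
Constructed example: the input layout is an assumption, not WLC output."""

# Best-practice values from the deck (seconds)
RADIUS_TIMEOUT_RANGE = (5, 10)   # default 2 s is too short; too long is also bad
SESSION_TIMEOUT_MIN = 7200       # 2+ hours, when session timeout is enabled
CLIENT_EXCLUSION_MIN = 180       # 3+ minutes
IDLE_TIMEOUT_DOT1X_MIN = 3600    # 1 hour for 802.1X SSIDs
IDLE_TIMEOUT_GUEST_MAX = 300     # keep low on guest/hotspot SSIDs


def audit_radius_servers(servers):
    """servers: list of {'host': str, 'timeout': int}. Flags both ends of the
    range: too short causes RADIUS server flaps, too long lets the client
    restart its session while the server's retries are dropped."""
    lo, hi = RADIUS_TIMEOUT_RANGE
    findings = []
    for s in servers:
        if s["timeout"] < lo:
            findings.append(f"radius {s['host']}: timeout {s['timeout']}s too short, use {lo}-{hi}s")
        elif s["timeout"] > hi:
            findings.append(f"radius {s['host']}: timeout {s['timeout']}s too long, use {lo}-{hi}s")
    return findings


def audit_wlan(w):
    """w: {'ssid', 'kind': 'dot1x'|'guest', 'session_timeout' (0 = disabled),
    'client_exclusion', 'idle_timeout'}. Idle timeout is judged per SSID kind."""
    f = []
    ssid = w["ssid"]
    if w["session_timeout"] and w["session_timeout"] < SESSION_TIMEOUT_MIN:
        f.append(f"wlan {ssid}: session timeout {w['session_timeout']}s, raise to {SESSION_TIMEOUT_MIN}+s")
    if w["client_exclusion"] < CLIENT_EXCLUSION_MIN:
        f.append(f"wlan {ssid}: client exclusion {w['client_exclusion']}s, raise to {CLIENT_EXCLUSION_MIN}+s")
    if w["kind"] == "dot1x" and w["idle_timeout"] < IDLE_TIMEOUT_DOT1X_MIN:
        f.append(f"wlan {ssid}: 802.1X idle timeout {w['idle_timeout']}s, raise to {IDLE_TIMEOUT_DOT1X_MIN}s")
    if w["kind"] == "guest" and w["idle_timeout"] > IDLE_TIMEOUT_GUEST_MAX:
        f.append(f"wlan {ssid}: guest idle timeout {w['idle_timeout']}s, keep at {IDLE_TIMEOUT_GUEST_MAX}s to free redirect sessions")
    return f


def audit_interim_update(version, interim):
    """interim: {'enabled': bool, 'interval': int}. WLC 7.6 -> Disabled;
    WLC 8.0 -> Enabled with interval 0 (update only on IP address change).
    Treating every release below 8.0 like 7.6 is an assumption of this example."""
    major = tuple(int(x) for x in version.split(".")[:2])
    if major < (8, 0):
        if interim["enabled"]:
            return [f"wlc {version}: interim update should be Disabled"]
    elif not interim["enabled"] or interim["interval"] != 0:
        return [f"wlc {version}: interim update should be Enabled with interval 0"]
    return []


def audit_wlc(wlc):
    """Run every check over one controller description; return all findings."""
    findings = []
    if wlc["aggressive_failover"]:
        findings.append("wlc: aggressive failover enabled; run 'config radius aggressive-failover disable'")
    findings += audit_radius_servers(wlc["radius_servers"])
    findings += audit_interim_update(wlc["version"], wlc["interim_update"])
    for w in wlc["wlans"]:
        findings += audit_wlan(w)
    return findings


# Constructed sample: an 8.0 controller still on most defaults
SAMPLE_WLC = {
    "version": "8.0.140.0",
    "aggressive_failover": True,
    "interim_update": {"enabled": True, "interval": 600},
    "radius_servers": [{"host": "10.1.98.8", "timeout": 2}],
    "wlans": [
        {"ssid": "corp-dot1x", "kind": "dot1x", "session_timeout": 1800,
         "client_exclusion": 60, "idle_timeout": 300},
        {"ssid": "guest", "kind": "guest", "session_timeout": 0,
         "client_exclusion": 180, "idle_timeout": 3600},
    ],
}

if __name__ == "__main__":
    for line in audit_wlc(SAMPLE_WLC):
        print(line)
```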
Advice: VM Resources – Reservations
• To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance.
Specifications listed in ISE 1.3+ Installation Guide
Specifications listed in ISE 2.0.1+ Installation Guide
• In 1.3 we added OVA Templates for deploying SNS-3415 and SNS-3495 equivalent hardware. That has been expanded to include the SNS-3515 and SNS-3595 platforms as well.
• It is highly recommended that you use these templates!
Advice: VM Resources – Reservations
• Admin and MnT nodes rely heavily on disk usage (read/writes).
• Deploying ISE in VMware environments where shared disk storage is utilized may not give like disk performance when compared to physical appliances
• Increasing the number of disk shares that a node is allocated can in most cases increase performance of the node.
Advice: VM Resources – Reservations - Before & After Chart
Advice: VM Resources – Reservations – Before & After Graph
Advice: VM Settings
• Snapshots are not supported!
Advice: Avoid Meltdowns – ISE Settings
• Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications (Administration > Settings > Protocols > Radius)
• Only use the profiling probes/information that you need. Don’t have information overload. Avoid probes that use SPAN. Start with Radius only first. Use device sensors in network access devices (Administration > Deployment > Profiling)
• Enable EndPoint Attribute Filter (Administration > Settings > Profiling)
Load Balancing RADIUS – Sample Flow (round-robin, no persistence)
(Diagram: the Access Device on VLAN 98 (10.1.98.0/24) sends RADIUS AUTH and ACCTG requests to the Load Balancer VIP 10.1.98.8 (PSN-CLUSTER) and receives the responses from 10.1.98.8; the real servers ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6 and ISE-PSN-3 10.1.99.7 sit on VLAN 99 (10.1.99.0/24). NAD configuration: radius-server host 10.1.98.8)
1. NAD has single RADIUS Server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for same endpoint load balanced to different PSN because round-robin (RR) load balancing is used without persistence (sticky).
4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)
5. RADIUS Accounting sent to/from different PSN based on RR and no sticky

Load Balancing RADIUS – Sample Flow (with sticky persistence)
(Diagram: same topology as above: Access Device on VLAN 98, Load Balancer VIP 10.1.98.8 for PSN-CLUSTER, real servers ISE-PSN-1/2/3 at 10.1.99.5/6/7 on VLAN 99)
1. NAD has single RADIUS Server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for same endpoint load balanced to same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)
5. RADIUS Accounting sent to/from same PSN based on sticky
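As an added example (not code from the deck or from Cisco), the Python below simulates the two flows above: it parses constructed RADIUS Access-Request and Accounting-Request packets for one endpoint and dispatches them to the three PSNs from the diagram, first with plain round-robin and then with persistence keyed on Calling-Station-Id (falling back to Framed-IP-Address when the MAC is absent, an assumption made here, not a statement of how any particular load balancer keys its table). The packet builder, attribute values and pool order are constructed for the example.

```python
"""Added example: RADIUS load balancing with and without endpoint persistence.

Packet layout follows RFC 2865/2866: code(1) id(1) length(2) authenticator(16)
followed by attributes as type(1) length(1) value TLVs.  Only what is needed
to extract the persistence key is implemented.
"""
import struct
from itertools import cycle

ACCESS_REQUEST = 1          # RFC 2865 packet code
ACCOUNTING_REQUEST = 4      # RFC 2866 packet code
FRAMED_IP_ADDRESS = 8       # RFC 2865 attribute type
CALLING_STATION_ID = 31     # RFC 2865 attribute type

# Real servers behind the VIP 10.1.98.8, in the order the LB rotates through them
PSN_POOL = ["10.1.99.5", "10.1.99.6", "10.1.99.7"]


def build_packet(code, ident, attrs):
    """Serialise a RADIUS packet; the Request Authenticator is zeroed (unused here)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


def parse_packet(raw):
    """Return (code, id, {attr_type: value}) and reject malformed length fields."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = raw[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs


def persistence_key(attrs):
    """Sticky key: Calling-Station-Id first, Framed-IP-Address as fallback (assumption)."""
    return attrs.get(CALLING_STATION_ID) or attrs.get(FRAMED_IP_ADDRESS) or b""


class RoundRobinLB:
    """Slide 61: every request, auth or accounting, goes to the next PSN."""
    def __init__(self, pool):
        self._next = cycle(pool)

    def pick(self, attrs):
        return next(self._next)


class StickyLB(RoundRobinLB):
    """Slide 62: the first request for an endpoint picks a PSN; later ones reuse it."""
    def __init__(self, pool):
        super().__init__(pool)
        self.table = {}

    def pick(self, attrs):
        key = persistence_key(attrs)
        if not key:                      # nothing to key on: plain round-robin
            return next(self._next)
        if key not in self.table:
            self.table[key] = next(self._next)
        return self.table[key]


def dispatch(lb, packets):
    """Return the real PSN chosen for each packet, in order."""
    return [lb.pick(parse_packet(p)[2]) for p in packets]


# Constructed session for one endpoint: auth carries only the MAC, accounting
# carries MAC and the client's Framed-IP-Address (10.1.50.20, constructed).
MAC = b"00-11-22-33-44-55"
SESSION = [
    build_packet(ACCESS_REQUEST, 1, [(CALLING_STATION_ID, MAC)]),
    build_packet(ACCOUNTING_REQUEST, 2, [(CALLING_STATION_ID, MAC),
                                         (FRAMED_IP_ADDRESS, bytes([10, 1, 50, 20]))]),
]


def compare():
    """(round-robin choices, sticky choices) for the same two-packet session."""
    return dispatch(RoundRobinLB(PSN_POOL), SESSION), dispatch(StickyLB(PSN_POOL), SESSION)


if __name__ == "__main__":
    rr, sticky = compare()
    print("round-robin:", rr)   # auth and accounting land on different PSNs
    print("sticky:     ", sticky)
```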
Profiling and Data Replication – After Tuning
(Diagram: PAN and two MnT nodes; PSNs split into Node Group = DC1-group and Node Group = DC2-group; probe inputs RADIUS Auth, RADIUS Acctng, DHCP, NMAP and NetFlow. Annotations: 1 – #Ownership Change, 2 – Global Replication)

Impact of Ownership Changes – After Tuning
(Diagram: PSNs in Node Group = DC1-group and Node Group = DC2-group; probe inputs NetFlow, RADIUS Auth, RADIUS Acctng, DHCP and NMAP; the endpoint Owner PSN is marked)
Advice: Avoid Meltdowns – ISE Settings
• Enable EndPoint Attribute Filter
• Avoid Radius Flapping
Advice: Bugs!!!
Advice: Bugs
• If “Radius NAC” is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets
• These packets are unique (different radius IDs) but contain the same information
• Currently resolved in 8.1.131.0+ and 8.2.100.0+ WLC code versions. 8.0 MR3+
CSCuu68490 - duplicate radius-acct update message sent while roaming
(Packet capture: the two accounting updates arrive ≈ 47ms apart, with different IDs but the same data)
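Added example, not from the deck or from Cisco: a small detector that flags the CSCuu68490 symptom in accounting data, that is, two Interim-Updates for one session that differ only in RADIUS packet ID and arrive within a short window, and counts them per NAS so the affected WLCs can be matched against the fixed code versions above. The log lines are constructed in a simplified key=value format (not real ISE output), and the one-second window is an assumption.

```python
"""Added example: find duplicate RADIUS accounting Interim-Updates in a log."""
from datetime import datetime, timedelta
import hashlib

# Constructed sample (not ISE log format): ids 141/142 are the roam twins 47 ms
# apart, 143 is a legitimate later update, 144 is an unrelated client.
SAMPLE_LOG = """\
2017-02-01T10:00:00.000 RadiusPacketId=141 NAS-IP-Address=10.1.10.5 Acct-Status-Type=Interim-Update Acct-Session-Id=58912ab0-0007 Calling-Station-ID=00-11-22-33-44-55 Framed-IP-Address=10.1.50.20 Acct-Input-Octets=10240 Acct-Output-Octets=20480
2017-02-01T10:00:00.047 RadiusPacketId=142 NAS-IP-Address=10.1.10.5 Acct-Status-Type=Interim-Update Acct-Session-Id=58912ab0-0007 Calling-Station-ID=00-11-22-33-44-55 Framed-IP-Address=10.1.50.20 Acct-Input-Octets=10240 Acct-Output-Octets=20480
2017-02-01T10:10:00.000 RadiusPacketId=143 NAS-IP-Address=10.1.10.5 Acct-Status-Type=Interim-Update Acct-Session-Id=58912ab0-0007 Calling-Station-ID=00-11-22-33-44-55 Framed-IP-Address=10.1.50.20 Acct-Input-Octets=30720 Acct-Output-Octets=40960
2017-02-01T10:10:00.030 RadiusPacketId=144 NAS-IP-Address=10.1.10.5 Acct-Status-Type=Interim-Update Acct-Session-Id=58912ab1-0003 Calling-Station-ID=66-77-88-99-AA-BB Framed-IP-Address=10.1.50.21 Acct-Input-Octets=512 Acct-Output-Octets=1024
"""

IGNORED = {"RadiusPacketId"}        # the only field that differs between the twins
DEFAULT_WINDOW = timedelta(seconds=1)   # assumption: twins arrive well under 1 s apart


def parse_line(line):
    """Split '<iso-timestamp> k=v k=v ...' into (datetime, {k: v})."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S.%f")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields


def fingerprint(fields):
    """Hash of every attribute except the packet id, in canonical order."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k not in IGNORED)
    return hashlib.sha256(canon.encode()).hexdigest()


def find_duplicate_updates(log_text, window=DEFAULT_WINDOW):
    """Return [(dup_id, original_id, gap_ms)] for Interim-Updates whose content
    equals an earlier update seen within `window`."""
    last_seen = {}                  # fingerprint -> (timestamp, packet id)
    dups = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("Acct-Status-Type") != "Interim-Update":
            continue                # Start/Stop records are out of scope here
        fp = fingerprint(f)
        prev = last_seen.get(fp)
        if prev and ts - prev[0] <= window:
            gap_ms = (ts - prev[0]) // timedelta(milliseconds=1)
            dups.append((f["RadiusPacketId"], prev[1], gap_ms))
        last_seen[fp] = (ts, f["RadiusPacketId"])
    return dups


def duplicates_per_nas(log_text, window=DEFAULT_WINDOW):
    """Count flagged duplicates per NAS-IP-Address (which WLCs show the bug)."""
    dup_ids = {d[0] for d in find_duplicate_updates(log_text, window)}
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            _, f = parse_line(line)
            if f["RadiusPacketId"] in dup_ids:
                counts[f["NAS-IP-Address"]] = counts.get(f["NAS-IP-Address"], 0) + 1
    return counts


if __name__ == "__main__":
    print(find_duplicate_updates(SAMPLE_LOG))   # [('142', '141', 47)]
    print(duplicates_per_nas(SAMPLE_LOG))       # {'10.1.10.5': 1}
```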
Advice: Bugs
• CSCuz76370 - Purging of EP's dependency is on Oracle to determine EP Owner
• CSCvc52228 - ISE does not delete endpoint mapping in REDIS when endpoint group is deleted from GUI
• CSCvc40801 - ISE MnT sluggishness and high I/O when integrated with Prime Infrastructure
Avoid Radius Flapping…
USE BEST PRACTICE!!!
Education – What we have learned
Education: High Authentication Latency – eduroam
• eduroam allows users from participating organizations to use their local credentials while visiting other eduroam locations to access the internet.
• eduroam is a “cloud based” Radius proxy. It acts as a federation point between education/research based entities and their Radius servers.
• eduroam’s Radius proxy is accessed via the internet.
Education: High Authentication Latency – eduroam
(Diagram: a user with username [email protected] authenticates through the eduroam Radius proxy; the Radius Accept comes back, but with high latency)
Education: High Authentication Latency – eduroam
• Due to the high authentication latency sometimes associated with cloud based radius servers, it may be necessary to adjust your radius timers.
• If using a load balancer, create a separate VIP for eduroam (can contain the same PSNs)
• If no load balancer, dedicate PSNs for eduroam (or other high latency SSIDs), if possible
Education: Students Converge at Lunch… – High Density
• Students’ roaming patterns, especially during meal times and events, can cause an increased load on your wireless and ISE infrastructure.
• Make sure that you have enough wireless density to handle this converged access.
• Distribute the load across multiple PSNs to avoid overwhelming a single server.
Education: User w/Multiple devices – PEAP Problem – Good reason to use EAP-TLS
• Students carry multiple devices
• PEAP-MSChapV2 as 802.1X Authentication Method may cause AD lockouts if not changed on all devices.
• Locked accounts generate Help desk calls.
• A single device with old password may cause repeated AD lockouts
Hospitals/Medical – Protecting the heart of your network
Hospital: Medical Devices – Securing and Profiling
• Most medical devices don’t support 802.1X
• To protect patient data, use WPA2-PSK with Mac Filtering and Profiling (Encrypt!)
• Use unique attributes to profile your medical devices
• Typical attributes that work well for medical devices are dhcp-class-identifier, dhcp-parameter-request-list and host-name
Hospital: Beware of Profiling Changes – Causes for change
• OUI information changes and Device Feed Service updates.
(Example on the slides: “Zebra Technologies Completes Acquisition of Motorola Solutions' Enterprise Business”, Press Releases 2014, with the OUI now registered to ZIH Corp. What this means… OUI lookup before the acquisition vs. after the acquisition.)
• Device OS/Firmware updates (example: www.apple.com)
• Spoofed MAC Addresses with new or different profiling attributes
Hospital: Beware of Profiling Changes – Alternate Policy Match with Alarms
• It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling)
• This policy would catch any device that was in the configured whitelist and allow network access, simple right?
• You can then add an alarm to send an email, whenever a device matches that policy. Currently we can enable for a single policy only.
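Added example (not the deck's or ISE's code) covering both the profiling attributes recommended for medical devices and the fallback whitelist policy above: a toy profiler scores endpoints on dhcp-class-identifier, dhcp-parameter-request-list and host-name, falls back to a static MAC whitelist when no profile reaches its minimum certainty, and records an alarm each time the fallback is what granted access, so a device whose fingerprint changed after a firmware update is noticed rather than silently admitted. Profile names, rule patterns, certainty factors, MACs and DHCP values are all constructed.

```python
"""Added example: profile-then-whitelist policy with an alarm on fallback matches."""
import re

# Constructed profiling policy: each rule is (attribute, pattern, certainty factor);
# a profile matches when the summed factors reach its minimum certainty.
PROFILES = {
    "Infusion-Pump-Model-X": {
        "min_certainty": 30,
        "rules": [
            ("dhcp-class-identifier", re.compile(r"^InfusionPump-X"), 20),
            ("dhcp-parameter-request-list", re.compile(r"^1,3,6,15,44$"), 10),
            ("host-name", re.compile(r"^PUMP-\d{4}$", re.I), 10),
        ],
    },
    "Patient-Monitor-Y": {
        "min_certainty": 30,
        "rules": [
            ("dhcp-class-identifier", re.compile(r"Monitor-Y"), 20),
            ("dhcp-parameter-request-list", re.compile(r"^1,3,6,12,15,28$"), 10),
            ("host-name", re.compile(r"^MON-\d{3}$", re.I), 10),
        ],
    },
}

STATIC_MAC_WHITELIST = {"00-11-22-33-44-55", "AA-BB-CC-DD-EE-01"}   # constructed


def normalise_mac(mac):
    """Compare MACs regardless of separator or case."""
    return re.sub(r"[^0-9A-F]", "", mac.upper())


WHITELIST = {normalise_mac(m) for m in STATIC_MAC_WHITELIST}


def score(endpoint):
    """Return {profile: certainty} by summing the factor of every matching rule."""
    out = {}
    for name, policy in PROFILES.items():
        total = 0
        for attr, pattern, factor in policy["rules"]:
            if pattern.search(endpoint.get(attr, "")):
                total += factor
        out[name] = total
    return out


def classify(endpoint, alarms):
    """Top-down evaluation: profile match, then static whitelist, else deny.
    `alarms` collects the events the fallback rule should e-mail about."""
    scores = score(endpoint)
    best = max(scores, key=scores.get)
    if scores[best] >= PROFILES[best]["min_certainty"]:
        return ("profiled", best)
    if normalise_mac(endpoint["mac"]) in WHITELIST:
        alarms.append(f"fallback whitelist matched {endpoint['mac']} "
                      f"(best profile {best}={scores[best]}); check for profiling changes")
        return ("whitelist", None)
    return ("deny", None)


# Constructed endpoints: one profiles cleanly, one changed its DHCP fingerprint
# after a firmware update and is only admitted by the whitelist, one is unknown.
ENDPOINTS = [
    {"mac": "00:11:22:33:44:55", "dhcp-class-identifier": "InfusionPump-X v2",
     "dhcp-parameter-request-list": "1,3,6,15,44", "host-name": "PUMP-0042"},
    {"mac": "aa:bb:cc:dd:ee:01", "dhcp-class-identifier": "MonitorY-NG",
     "dhcp-parameter-request-list": "1,3,6,12,15,28,42", "host-name": "MON-017"},
    {"mac": "de:ad:be:ef:00:01", "dhcp-class-identifier": "android-dhcp-7.0",
     "dhcp-parameter-request-list": "1,3,6,15,26,28,51,58,59,43", "host-name": "phone"},
]


def run(endpoints=ENDPOINTS):
    """Return (decisions, alarms) for a list of endpoints."""
    alarms = []
    return [classify(e, alarms) for e in endpoints], alarms


if __name__ == "__main__":
    decisions, alarms = run()
    for ep, d in zip(ENDPOINTS, decisions):
        print(ep["mac"], d)
    print("\n".join(alarms))
```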
Hospital: Paging Dr. Ihateloggingin – Suggestions for better user experience
• Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a webportal or changing a PEAP password.
• Use EAP-TLS
• A better option, if available, would be to use EAP-TLS and CWA-Chaining to a Single Sign On (SSO) server. This would allow the end user to leverage the SSO token for other portals as well. Add an AUP check rule to stay logged in.
Hospital: Nurse Carts/IP Phones – Advice on corporate devices
• Nurses typically use rolling computer carts for charting patient information.
• To ensure continuous connections for these devices, survey your wireless for Voice applications.
• For ease of use and manageability, use Active Directory Group Policy Objects (GPO) to manage the supplicants and certificates of AD joined devices.
Hospital: Medical NAC – Profiles custom built for medical devices
● Secure-access options for healthcare-specific devices
● Identification and classification of healthcare-specific devices (250+ devices)
● Profiling methods and best practices
● Segmentation of medical devices
Thanks Craig!
Public Transportation – Tips for the thrifty traveler
Airport: Hotspot setup with custom redirect – Using AP groups/names
• You can use ISE to target advertising to your clients
• AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location
• Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user.
• Create unique portal pages for each area. Advertisements can be built into the portal page or referenced from an external server.
Airport: Hotspot setup with custom redirect – Using MSE and ISE 2.0
• New to ISE 2.0, you can now leverage Mobility Services Engine (MSE) for physical location tracking
• Location information returned from the MSE can be used in the Authorization rule for directing clients to the portal serving their location.
Soapbox: Buy Public Certificates – Stop teaching users to accept Man-in-the-middle attacks!
Conclusion
Conclusion – Review
• Public Environments can be challenging
• Avoid ISE “meltdowns”
• Keep up to date with versions and patches, be aware of software defects that might affect your environment
• Use advice in this guide to solve challenges in your environment
• Use Real Best Practice to ensure that you have a successful deployment.
Public ISE Community
• Public ISE Community: http://cs.co/ise-community
• Monitored and responded to by TMEs on my team
• Ask questions there
• Get answers from Cisco experts & partners
Security Joins the Customer Connection Program – Customer User Group Program
19,000+ Members Strong
• Who can join: Cisco customers, service providers, solution partners and training partners
• Private online community to connect with peers & Cisco’s Security product teams
• Monthly technical & roadmap briefings via WebEx
• Opportunities to influence product direction
• Local in-person meet ups starting Fall 2016
• New member thank you gift* & badge ribbon when you join in the Cisco Security booth
• Other CCP tracks: Collaboration & Enterprise Networks
Join in World of Solutions: Security zone Customer Connection stand – learn about CCP and join; new member thank-you gift*; Customer Connection Member badge ribbon
Join Online: www.cisco.com/go/ccp
Come to Security zone to get your new member gift* and ribbon
* While supplies last
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Q & A
Thank You