Cisco Day 2016
20.4.2016
Hotel Mons
Wednesday
Why Identity is so important? - Identity Services Engine update
György Ács
IT Security Consulting Systems Engineer, ISE Champion
20 April 2016
Agenda
• Best Practices, Tips and Tricks on these selected topics:
– Hardware, infrastructure review
– Authentication and Authorization Policies
– Certificates
– Guest, Profiling, Posture
– pxGrid, Fire & ISE
– TACACS+
– REST API
Hardware, infrastructure review
Determining Minimum Appliance Quantity and Platform Type
Scaling by Deployment/Platform/Persona
• All Personas (PAN, MnT, PSN) running on single or redundant nodes
– Max nodes by type: 2 Admin+MnT+PSN nodes
– Max endpoints for entire deployment: 5k with SNS-3415, 7.5k with SNS-3515, 10k with SNS-3495, 20k with SNS-3595
• Administration and Monitoring (PAN+MnT) co-located on single or redundant nodes, dedicated Policy Service nodes
– Max nodes by type: 2 Admin+MnT nodes, 5 Policy Service nodes
– Max endpoints for entire deployment: 5k with SNS-3415 PAN+MnT, 7.5k with SNS-3515 PAN+MnT, 10k with SNS-3495 PAN+MnT, 20k with SNS-3595 PAN+MnT
• Dedicated Administration node(s), dedicated Monitoring node(s), dedicated Policy Service nodes
– Max nodes by type: 2 Admin nodes, 2 MnT nodes, 40 Policy Service nodes (3495s) or 50 Policy Service nodes (3595s)
– Max endpoints for entire deployment: 250k with SNS-3495 for PAN and MnT, 500k with SNS-3595 for PAN and MnT
Note: Max Endpoints = Max Active Sessions; ISE supports 1M Endpoints in DB
Policy Service Node Sizing
• Max Endpoints Per Appliance for Dedicated PSN
• Physical and Virtual Appliance Guidance
Form Factor / Platform Size / Appliance / Maximum Endpoints:
– Physical, Small: SNS-3415, 5,000
– Physical, Large: SNS-3495, 20,000
– Physical, Small (New): SNS-3515 *, 7,500
– Physical, Large (New): SNS-3595 *, 40,000
– Virtual, S/L: VM, *5,000-40,000
* Under ISE 2.0.x, scaling for Small & Large 35x5 appliance same as Small & Large 34x5 appliance.
General VM appliance sizing guidance:
1) Select physical appliance that meets required persona and scaling requirements
2) Configure VM to match or exceed the ISE physical appliance specifications
ISE VM Provisioning & Disk IO Guidance
• VMotion officially supported in ISE 1.2
• Thin Provisioning officially supported in ISE 1.3 (recommend Thick Provisioning for MnT)
• Hyper-Threading not required, but can increase TPS
• IO Performance Requirements:
– Read 300+ MB/sec
– Write 50+ MB/sec
• Recommended disk/controller:
– 10k RPM+ disk drives
– Caching RAID Controller
– RAID mirroring (Slower writes using RAID 5*)
*RAID performance levels: http://www.datarecovery.net/articles/raid-level-comparison.html
http://docs.oracle.com/cd/E19658-01/820-4708-13/appendixa.html
• Starting in ISE 1.3: No more storage media and file system restrictions. For example, VMFS is not required and NFS is allowed provided storage is supported by VMware and meets ISE IO performance requirements.
• Customers with VMware expertise may choose to disable resource reservations and over-subscribe, but do so at own risk.
ISE Bandwidth Calculator (Multi-Site)
Now available to customers @ https://communities.cisco.com/docs/DOC-64317
Note: Bandwidth required for RADIUS traffic is not included. Calculator is focused on inter-ISE node bandwidth requirements.
Location Based Authorization
• Authorize User Access to the Network Based on Their Location
• ISE 2.0 + MSE 8.0 (UI to Configure MSE)
• Location Data: Campus:Building:Floor:Zone
Tracking Location in Authorization Policy
• Limit Location Tracking to Critical Locations and Resource Access
• Track Movement of the endpoint after authentication using MAC address
• Query MSE every 5 minutes to verify current location.
– If no change, do nothing
– If change, update endpoint info and issue CoA.
• Best Practice: Do NOT track every session!
– Limit tracking to critical access based on location.
– Excessive tracking can lead to lookup failures. (Max 150 TPS)
Authentication, Authorization Policies Optimization
Search Speed Test
• Find the object where…
– Total stars = 10
– Total green stars = 4
– Total red stars = 2
– Outer shape = Red Circle
AuthZ Policy Optimization
• Avoid Unnecessary External Store Lookups
• Example of a Poor Rule: Employee_MDM – All lookups to External Policy and ID Stores performed first, then local profile match!
• Policy Logic:
– First Match, Top Down
– Skip Rule on first negative condition match
• More specific rules generally at top
• Try to place more “popular” rules before less used rules.
AuthZ Policy Optimization (Good Examples)
• Rule Sequence and Condition Order is Important!
• Example #1: Employee
1. Endpoint ID Group
2. Authenticated using AD?
3. Auth method/protocol
4. AD Group Lookup
• Example #2: Employee_CWA
1. Location (Network Device Group)
2. Web Authenticated?
3. Authenticated via LDAP Store?
4. LDAP Attribute Comparison
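A toy evaluator for the rule-ordering point above, added here as an example (it is not ISE code, and its condition names are descriptive labels rather than ISE dictionary attributes): the same Employee_MDM rule is evaluated first-match, top-down, stopping at the first failing condition, once in the slide's poor order and once with the cheap local checks first, and the number of external-store lookups is counted over four constructed sessions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, object]


@dataclass
class Condition:
    name: str
    test: Callable[[Session], bool]
    external: bool = False       # True = needs an AD/LDAP/MDM round trip


@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # ANDed, evaluated left to right
    result: str


@dataclass
class Policy:
    rules: List[Rule]            # evaluated top down, first match wins
    external_lookups: int = 0    # cost counter for the demo

    def evaluate(self, session: Session) -> str:
        for rule in self.rules:
            matched = True
            for cond in rule.conditions:
                if cond.external:
                    self.external_lookups += 1
                if not cond.test(session):
                    matched = False  # skip rule on first negative condition
                    break
            if matched:
                return rule.result
        return "DenyAccess"          # implicit default rule


# Condition factories. Local ones read data ISE already holds for the session;
# external ones stand in for a lookup against an identity store or MDM server.
# The names are descriptive labels, not ISE dictionary attributes.
def endpoint_group(name: str) -> Condition:
    return Condition(f"Endpoint ID Group = {name}",
                     lambda s: s["endpoint_group"] == name)

def id_store(name: str) -> Condition:
    return Condition(f"Authenticated via {name}", lambda s: s["id_store"] == name)

def eap_method(name: str) -> Condition:
    return Condition(f"EAP method = {name}", lambda s: s["eap"] == name)

def ad_group(name: str) -> Condition:
    return Condition(f"AD group lookup: {name}",
                     lambda s: name in s["ad_groups"], external=True)

def mdm_registered() -> Condition:
    return Condition("MDM registered?", lambda s: s["mdm_registered"],
                     external=True)


# The slide's poor rule: external lookups first, local profile match last.
POOR = Policy([Rule("Employee_MDM",
                    [ad_group("Domain Users"), mdm_registered(),
                     endpoint_group("Workstation")], "PermitAccess")])

# The same rule ordered as recommended: cheap local checks first.
GOOD = Policy([Rule("Employee_MDM",
                    [endpoint_group("Workstation"), id_store("AD1"),
                     eap_method("EAP-TLS"), ad_group("Domain Users"),
                     mdm_registered()], "PermitAccess")])

# Constructed sample sessions: one corporate laptop and three devices that a
# local check alone could have ruled out.
SESSIONS: List[Session] = [
    {"endpoint_group": "Printer", "id_store": "Internal Endpoints", "eap": "",
     "ad_groups": [], "mdm_registered": False},
    {"endpoint_group": "GuestEndpoints", "id_store": "Guest", "eap": "",
     "ad_groups": [], "mdm_registered": False},
    {"endpoint_group": "Workstation", "id_store": "AD1", "eap": "EAP-TLS",
     "ad_groups": ["Domain Users"], "mdm_registered": True},
    {"endpoint_group": "Apple-iPhone", "id_store": "AD1", "eap": "PEAP",
     "ad_groups": ["Domain Users"], "mdm_registered": False},
]


def run(policy: Policy, sessions: List[Session]) -> Tuple[List[str], int]:
    """Evaluate every session; return the decisions and the external-lookup cost."""
    policy.external_lookups = 0
    return [policy.evaluate(s) for s in sessions], policy.external_lookups


if __name__ == "__main__":
    for label, policy in (("poor order", POOR), ("good order", GOOD)):
        decisions, cost = run(policy, SESSIONS)
        print(f"{label}: {decisions}, external lookups = {cost}")
```

Both orderings return the same decisions, but the poor order spends six external lookups on the four sessions where the recommended order spends two, all of them on the one session that actually matches.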
AD Integration Best Practices (from 1.3)
• DNS servers in ISE nodes must have all relevant AD records (A, PTR, SRV)
• Ensure NTP configured for all ISE nodes and AD servers
• Configure AD Sites and Services (with ISE machine accounts configured for relevant Sites)
• Configure Authentication Domains (Whitelist domains used) (ISE 1.3)
• Use UPN/fully qualified usernames when possible to expedite user lookups
• Use AD indexed attributes* when possible to expedite attribute lookups
• Run Diagnostics from ISE Admin interface to check for issues.
* Microsoft AD Indexed Attributes: http://msdn.microsoft.com/en-us/library/ms675095%28v=vs.85%29.aspx http://technet.microsoft.com/en-gb/library/aa995762%28v=exchg.65%29.aspx
Authorization Policies Pro Tip: Combining AND & OR
Combining AND with OR in AuthZ Policies
• Simple Conditions: Cannot Mix??
• Advanced Editing: Advanced Editor
Certificates
Pro Tip: Always Add the Root & Sub CA’s
• Import All Certificates in Trust Path, One at-a-Time
– Root CA
– Subordinate CA
– ISE Cert
• If you must use a PKCS chain, it needs to be in PEM format (not DER)
Simple URL for My Devices & Sponsor Portals
• In 1.3+: Sponsor Portal and My Devices Portal must be accessed via a user-friendly URL and selectable port.
• Ex: http://mydevices.company.com – Automatic redirect to https://fqdn:port
• FQDN for URL must be added to DNS and resolve to the Policy Service node(s) used for Guest Services.
• Recommend populating Subject Alternative Name (SAN) field of PSN local cert with this alternative FQDN or Wildcard to avoid SSL cert warnings due to name mismatch.
Certificate Warning - Name Mismatch: ISE Certificate without SAN
• Sponsor browses to http://sponsor.company.com
• DNS Lookup = sponsor.company.com; DNS Response = 10.1.99.5 (Load Balancer 100.1.99.5 in front of ISE-PSN-1 100.1.100.5, ISE-PSN-2 100.1.100.6, ISE-PSN-3 100.1.100.7)
• Redirect to https://sponsor.company.com:8443/sponsorportal
• Name Mismatch! Requested URL = sponsor.company.com, Certificate Subject = ise-psn-3.company.com
No Certificate Warning: ISE Certificate with SAN
• Same flow: http://sponsor.company.com, DNS Response = 10.1.99.5, redirect to https://sponsor.company.com:8443/sponsorportal
• Certificate OK! Requested URL = sponsor.company.com, Certificate SAN = sponsor.company.com
ISE Certificate with SAN
• CN must also exist in SAN
• Other FQDNs as “DNS Names”
• IP Address is also an option
“Traditional” Wildcard Certificates
• Wildcard Certificates are used to identify any secure web site that is part of the domain:
• e.g.: *.woland.com works for:
– www.woland.com
– mydevices.woland.com
– sponsor.woland.com
– AnyThingIWant.woland.com
• != psn.[ise].woland.com – Position in FQDN is fixed
Wildcard Certificates – Why use with ISE?
• Use of all portals & friendly URL’s without Certificate Match Errors.
• Most Importantly: Ability to host the exact same certificate on all ISE PSNs for EAP authentications
• Why, you ask?.......
Clients Misbehave!
• Example education customer:
– ONLY 6,000 Endpoints (all BYOD style)
– 10M Auths / 9M Failures in 24 hours!
– 42 Different Failure Scenarios – all related to clients dropping TLS (both PEAP & EAP-TLS).
• Supplicant List:
– Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
• 5411 No response received during 120 seconds on last EAP message sent to the client
– This error has been seen at a number of Escalation customers
– Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.
Recreating the Issue
Clients Misbehave: Apple Example
• Apple iOS & MacOS client with one WiFi Profile for the SSID, a NAD, and two PSNs (ISE-1 with cert ise1.ise.local, ISE-2 with cert ise2.ise.local, both issued by the Cert Authority)
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client Roams
5. Authentication goes to ISE-2
6. Client Prompts for Accept
• Multiple PSNs
• Each Cert signed by Trusted Root
• Apple Requires Accept on all certs!
• Results in 5411 / 30sec retry
Solution: Common Cert, Wildcard in SAN
• Allows anything ending with The Domain Name.
• Same EXACT Priv / Pub Key May be installed on all PSNs
Coining a New Term
Solution: Common Cert, Wildcard in SAN
• Apple iOS & MacOS client with one WiFi Profile for the SSID, a NAD, and two PSNs (ISE-1 and ISE-2) both presenting the same cert psn.ise.local issued by the Cert Authority
• CN= psn.ise.local
• SAN contains all PSN FQDNs: psn.ise.local, *.ise.local
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client Roams
5. Authentication goes to ISE-2
6. Client Already Trusts Cert
• Tested and works with: comodo.com CA, SSL.com CA, Microsoft 2008 CA
• Failed with: GoDaddy CA -- they don’t like * in SAN -- they don’t like non-* in CN
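A name-matching check for the certificate scenarios above (the name-mismatch and SAN slides, the fixed wildcard position, and the common psn.ise.local cert with *.ise.local in its SAN), added as an example that is not from the deck or from ISE; the matching rules are those of RFC 6125, and the host names and addresses are the deck's constructed ones.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """The identity fields of a server certificate that matter for name checks."""
    cn: str
    san_dns: List[str] = field(default_factory=list)   # SAN "DNS Name" entries
    san_ip: List[str] = field(default_factory=list)    # SAN "IP Address" entries


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, and a wildcard is accepted
    only as the entire left-most label, where it covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False          # "psn*.x.com", "*.com", "*" in a later label: reject
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(cert: Cert, requested: str) -> bool:
    """Would a client accept `cert` for the host part of the requested URL?"""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:        # an IP literal only matches iPAddress SAN entries
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns:          # once a SAN is present, modern clients ignore the CN
        return any(_dns_name_matches(p, requested) for p in cert.san_dns)
    return _dns_name_matches(cert.cn, requested)


def san_warnings(cert: Cert) -> List[str]:
    """The deck's two rules: the CN must also be listed in the SAN, and a
    wildcard may only sit in the left-most label."""
    problems = []
    if cert.san_dns and cert.cn.lower() not in {s.lower() for s in cert.san_dns}:
        problems.append(f"CN {cert.cn} is not listed in the SAN DNS Names")
    for name in [cert.cn] + cert.san_dns:
        if "*" in name and not (name.startswith("*.") and "*" not in name[1:]):
            problems.append(f"malformed wildcard {name}")
    return problems


# Constructed certificates mirroring the deck's three scenarios.
PSN_NO_SAN = Cert(cn="ise-psn-3.company.com")
PSN_WITH_SAN = Cert(cn="ise-psn-3.company.com",
                    san_dns=["ise-psn-3.company.com", "sponsor.company.com",
                             "mydevices.company.com"])
COMMON_WILDCARD = Cert(cn="psn.ise.local", san_dns=["psn.ise.local", "*.ise.local"])

if __name__ == "__main__":
    for cert, host in ((PSN_NO_SAN, "sponsor.company.com"),
                       (PSN_WITH_SAN, "sponsor.company.com"),
                       (COMMON_WILDCARD, "ise2.ise.local"),
                       (COMMON_WILDCARD, "psn.sub.ise.local")):
        print(f"{host:22s} vs CN={cert.cn:22s} SAN={cert.san_dns} "
              f"-> {'OK' if cert_matches(cert, host) else 'NAME MISMATCH'}")
```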
Scaling Guest
Scaling Web Authentication – “Remember Me” Guest Flows
• Device/user logs in to hotspot or credentialed portal
• MAC address automatically registered into GuestEndpoint group
• Authz policy for GuestEndpoint ID Group grants access until device purged
• Prior to ISE 1.3, can “chain” CWA+DRW or NSP to auto-register web auth users, but no auto-purge
Endpoint Purging Examples
• On Demand Purge
• Matching Conditions – Purge by: # Days After Creation, # Days Inactive, Specified Date
Best Practices for Profiling
ISE Profiling Best Practices – Whenever Possible…
• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
– Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
– For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using…
– DHCP IP Helpers
– SNMP Traps
– DHCP/HTTP with ERSPAN (Requires validation)
• Ensure profile data for a given endpoint is sent to the same PSN
– Same issue as above, but not always possible across different probes
• Use node groups and ensure profile data for a given endpoint is sent to same node group.
– Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.
• Avoid probes that collect the same endpoint attributes
– Example: Device Sensor + SNMP Query/IP Helper
• Enable Profiler Attribute Filter
Do NOT send profile data to multiple PSNs !
DO send profile data to single and same PSN or Node Group !
DO use Device Sensor !
DO enable the Profiler Attribute Filter !
ISE Profiling Best Practices – General Guidelines for Probes
• HTTP Probe:
– Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
– Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use intelligent SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.
• DHCP Probe:
– Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!
– Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
• SNMP Probe:
– Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low session/re-auth timers) or frequent interim accounting updates.
– For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.
– SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS auth.
• NetFlow Probe:
– Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.
Do NOT enable all probes by default !
Avoid SPAN, SNMP Traps, and NetFlow probes !
Best Practices for Posture
Posture Lease
• Once Compliant, user may leave/reconnect multiple times before re-posture
MDM Scalability and Survivability
What Happens When the MDM Server is Unreachable?
• Scalability ≈ 30 Calls per second per PSN.
– Cloud-Based deployment typically built for scale and redundancy
– Premise-Based deployment may leverage load balancing
• For cloud-based solutions, Internet bandwidth and latency must be considered.
• ISE 1.4+ supports multiple MDM servers – could be same or different vendors.
• Authorization permissions can be set based on MDM connectivity status:
– MDM:MDMServerReachable Equals UnReachable
– MDM:MDMServerReachable Equals Reachable
– All attributes retrieved & reachability determined by single API call on each new session.
pxGrid
pxGrid Bulk Downloads (peer-to-peer)
Participants: pxGrid Controller (ISE Node), MnT (ISE Node), subscribers FMC, Splunk, WWW
1. I need Bulk Session Data
2. Get it From MnT
3. Direct Data Transfer
pxGrid Topic Extensibility
Topic / Publisher / Subscribers:
– Session_Directory / MnT / Splunk, FMC, WSA
1. Req: Add New Topic: “Vulnerable Hosts” (Rapid7 to ISE Admin)
3. Publish Topic
4. Announce: New Topic Available
– Vulnerable Hosts / Rapid7 / (none yet)
Then:
– Vulnerable Hosts / Rapid7 / FMC
1. Subscribe Vulnerable Hosts
2. Direct Transfer
How do we “Certificate-ify” This Scenario?
1. Use a Single Certificate Authority
2. Each pxGrid Participant Trust That Certificate Authority
3. Each pxGrid Client use a ‘pxGrid’ Certificate from that CA
4. *Controller Must still Authorize the Communication
pxGrid Cert = Client Auth Policy + Server Auth Policy (an X.509 pxGrid cert on every participant)
Instant Full Mesh Trust!
ISE and Fire
Rapid Threat Containment with Firepower Management Center and ISE
• Fully Supported on FMC 5.4 and ISE 1.3+
– Uses pxGrid + Endpoint Protection Services (EPS)
• Note: ANC is Next Gen version of the older EPS
• EPS functions are still there for Backward Compatibility
• Loads as a Remediation Module on FMC
– Remediation Module Takes Action via the EPS call through pxGrid
Rapid Threat Containment with Firepower Management Center and ISE (flow)
Participants: NGFW at the i-Net edge, FMC, pxGrid Controller, MnT, WWW
1. Security Events / IOCs Reported
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth
4. Endpoint Assigned Quarantine + CoA-Reauth Sent
Cisco StealthWatch: System Overview (Earlier: Lancope)
• Network Devices export NetFlow / NBAR / NSEL
• StealthWatch FlowSensor: Generate NetFlow from SPAN for Non-NetFlow Capable Devices
• StealthWatch FlowCollector: Collect and analyze; Up to 4,000 sources; Up to 240,000 FPS sustained
• StealthWatch Management Console (SMC): Management and reporting; Up to 25 FlowCollectors; Up to 6 million FPS globally
Network as a Sensor:
Cisco StealthWatch
pxGrid
Real-time visibility at all network layers • Data Intelligence throughout network • Assets discovery • Network profile • Security policy monitoring • Anomaly detection • Accelerated incident response
Cisco ISE
Mitigation Action
Context Information NetFlow
ISE pxgrid for Remediation
Page 54
Device Admin: TACACS+
Page 55
A long time ago in a development lab far, far away…
Page 57
AuthC Once + AuthZ Many (TACACS+)
Authentication (AuthC): SSH to network device
  START (authentication) – user trying to connect
  REPLY (authentication) – request username
  CONTINUE (authentication) – username
  REPLY (authentication) – request password
  CONTINUE (authentication) – password
  REPLY (authentication) – Pass
  → Authentication is complete
Shell AuthZ:
  REQUEST (authorization) – service = shell
  RESPONSE (authorization) – PASS_ADD
  → EXEC is authorized
  REQUEST (accounting) – START / RESPONSE – SUCCESS
Command AuthZ (user types: # show run):
  REQUEST (authorization) – service = command
  RESPONSE (authorization) – PASS_ADD
  → Command is authorized
  REQUEST (accounting) – CONTINUE / RESPONSE – SUCCESS
Page 58
ISE Deployment Node Configuration
• Policy Service Node for protocol processing
  – Session Services (e.g. Network Access / RADIUS): on by default
  – Device Admin Service (e.g. TACACS+): MUST BE ENABLED FOR DEVICE ADMINISTRATION!!
Page 59
Some Device Admin Best Practices: USE NDGs!
• Different Policy Sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of the device
Page 60
Device Administration Policy Set
• Policy Set ordered list: provides both management AND execution order
• Condition for Policy Set: how the Policy Set is engaged
• Policy Set
Page 61
Use Policy Sets Based on Device Type (e.g. Cisco IOS Switches, Airespace WLCs)
Page 62
Best Practices for Policy Set Organization
• Optimal size mix for Policy Set breakdown in ISE 2.0:
  – 6-10 Policy Sets
  – 60-100 rules
• Divide the complete policy into robust silos representing use cases, e.g.:
  – By Device Type
  – By Region
Page 63
ISE Authorization Processing
Policy Set Selection → Identity Selection → Authorization Policy Evaluation (Command Set or Profile) → Reply
Page 64
TACACS+ example: Wireless LAN Controllers
TACACS+ example:
Cisco IOS
![Page 66: Cisco Day 2016 20.4.2016 Hotel Mons Wednesday · Caching RAID Controller RAID mirroring ... Search Speed Test ... • Policy Logic: o First Match, Top Down o Skip Rule on first negative](https://reader033.fdocuments.in/reader033/viewer/2022042108/5e889fe4bf28cd219b7636d4/html5/thumbnails/66.jpg)
Page 66
Best Practice: Use Prefixes for Your Results
• Results are often specific to the NAD type.
  – Different results for AirOS than for IOS than for NX-OS.
• Results are not differentiated in the GUI by default.
Page 67
T+ Command Sets: Wildcard vs. Regex
Page 68
Command Sets May Be Stacked!
• A Permit below will take priority over a Deny above.
• Except with a Deny_Always.
Example stacked command sets (as shown on the slide):
  IOS-SecOps-NoConfig: Deny_Always "Config *"; Permit everything else
  IOS-PermitAllCommands: Permit "*"
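To make the stacking rule concrete, here is an added example (my own code, not Cisco's and not from the deck) that models how the verdicts of several command sets assigned to one session combine: a Deny_Always in any set wins, otherwise a Permit in any set wins, otherwise the command is denied. It assumes, as the "Wildcard vs. Regex" slide title suggests, that the command field is a wildcard and the arguments field is a regular expression, and that a set can carry a "Permit everything else" flag; the set names and rules are constructed from the slide, with "Config *" rendered as the wildcard "config*" so it matches the expanded "configure terminal".

```python
import fnmatch
import re

# Grant values as on the slide; the combination semantics below are my
# model of the behaviour the slide describes (assumption, not Cisco code).
PERMIT, DENY, DENY_ALWAYS = "PERMIT", "DENY", "DENY_ALWAYS"

def rule_matches(rule, command, arguments):
    """A rule is (grant, command_wildcard, arguments_regex).
    Assumption: command is matched as a wildcard, arguments as a regex,
    both case-insensitively."""
    grant, cmd_pat, args_pat = rule
    return (fnmatch.fnmatchcase(command.lower(), cmd_pat.lower())
            and re.fullmatch(args_pat, arguments, re.IGNORECASE) is not None)

def evaluate_set(rules, permit_unmatched, command, arguments):
    """First matching rule in a set decides; 'Permit everything else'
    turns an unmatched command into PERMIT instead of DENY."""
    for rule in rules:
        if rule_matches(rule, command, arguments):
            return rule[0]
    return PERMIT if permit_unmatched else DENY

def authorize(stacked_sets, command_line):
    """Combine the verdicts of all command sets stacked on the session:
    DENY_ALWAYS anywhere -> deny; else PERMIT anywhere -> permit; else deny."""
    command, _, arguments = command_line.strip().partition(" ")
    verdicts = [evaluate_set(rules, permit_unmatched, command, arguments)
                for rules, permit_unmatched in stacked_sets]
    if DENY_ALWAYS in verdicts:
        return DENY
    return PERMIT if PERMIT in verdicts else DENY

# Command sets constructed from the slide: (rules, permit_everything_else)
IOS_SECOPS_NOCONFIG = ([(DENY_ALWAYS, "config*", ".*")], True)
IOS_PERMIT_ALL = ([(PERMIT, "*", ".*")], False)
# Hypothetical extra set with a plain Deny, to show that a Permit in
# another stacked set overrides it (unlike Deny_Always).
IOS_NO_RELOAD = ([(DENY, "reload", ".*")], True)

if __name__ == "__main__":
    session_sets = [IOS_SECOPS_NOCONFIG, IOS_PERMIT_ALL]
    for cmd in ("show running-config", "configure terminal", "reload"):
        print(f"{cmd!r:28} -> {authorize(session_sets, cmd)}")
```

Running the block shows "configure terminal" denied despite the blanket Permit in the second set, which is exactly the Deny_Always exception the slide calls out.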
Page 69
REST API
Page 70
ISE REST API: ERS (External RESTful Services)
• Session API (from the MnT node)
• REST API (ERS):
  – from ISE 1.0.4
  – ISE 1.3: added Guest
  – ISE 2.0: added TrustSec (SGT, SXP, SGACL), internal users
• Default: ERS is NOT enabled
• XML based, e.g.:

```xml
<activeSession>
  <user_name>sfadmin</user_name>
  <calling_station_id>sfadmin-10.1.1.66</calling_station_id>
  <framed_ip_address>10.1.1.66</framed_ip_address>
</activeSession>
```

Supported resources:
• End points
• End point identity groups
• Guest users
• Identity groups
• Internal users
• Portals
• Profiler policies
• Network devices
• Network device groups
• Security groups
Currently: no authentication / authorization policies
Page 71
Enable ERS and Add ERS Admin User
• Admin or Operator, based on the READ/WRITE rights:
  – Admin: full access to all ERS API requests such as GET, POST, DELETE, PUT
  – Operator: read-only access to the ERS API, only GET
Page 72
GET internal users
Page 73
Summary
• Best Practices, Tips and Tricks on these selected topics:
  • Hardware, infrastructure review
  • Authentication and Authorization Policies
  • Guest, Profiling, Posture
  • Certificates
  • pxGrid, Fire & ISE
  • TACACS+
  • REST API
Page 74
Questions?