Cisco Identity Services Engine 2.7 v1 Instant Demo · 2020. 2. 14. · Cisco Identity Services...



Cisco dCloud

dCloud: The Cisco Demo Cloud

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 17

Cisco Identity Services Engine 2.7 v1 – Instant Demo

Last Updated: 17-January-2020

About This Demonstration

This guide for the preconfigured demonstration includes:

• About this Demonstration

• Requirements

• About this Solution

• Get Started

• Scenario 1. Network Visibility

• Scenario 2. Search for a User or Endpoint

• Scenario 3. What are the Unknown Endpoints on my Network?

• Scenario 4. View Live Authentications

• Scenario 5. Network Device Management

• Scenario 6. ISE Authentication and Authorization Policy

• Scenario 7. Scalable Group Tags (SGTs) and Software Defined Access (SDA)

• Summary

Limitations

Certain features of ISE 2.7 are not possible because the demonstration uses simulated traffic rather than real endpoints and users:

• BYOD registered endpoints and certificate provisioning

• EMM/MDM Compliance and Posture workflows

• Security integrations for threat assessments

Customization Options

This is a Read-Only demo to prevent configuration changes that would break future demo options.

You are highly encouraged to explore the ISE interface and features beyond the scripted demos contained here.


Requirements

The table below outlines the requirements for this preconfigured demonstration.

Required:

• A computer with ISE Admin interface supported browsers:

◦ Mozilla Firefox 6x and earlier versions

◦ Google Chrome 7x and earlier versions

◦ Microsoft Internet Explorer 10.x and 11.x

Optional: (none listed)

About This Solution

Cisco’s Identity Services Engine (ISE) simplifies the delivery of a single policy for wired, wireless and VPN secure access control across multivendor networks. With far-reaching, intelligent sensor and profiling capabilities, Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing enterprise networks. ISE enables you to see who and what is on your network, and to share that context across network solutions, while stopping and containing threats by dynamically controlling network access.

ISE can be used to provide the following capabilities for customers:

For more information, you are encouraged to visit:

• ISE Product Page: http://cisco.com/go/ise

• ISE Resources: http://cs.co/ise-resources

• ISE Public Community: http://cs.co/ise-community

• ISE Sales Community: http://cs.co/selling-ise

• ISE Demos: http://cs.co/selling-ise-demos


• ISE Sales Training: http://cs.co/selling-ise-training

• ISE Videos (YouTube): http://cs.co/ise-videos

• ISE Licensing: http://cs.co/ise-licensing


Get Started

BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

2. Click Catalog, search for “ise” and select Instant Demo from the side bar to filter your options.

3. Click the appropriate View button to launch the Instant Demo.

4. You should automatically be logged in to the ISE Instant Demo as user amdemo1.

It may take up to 30 seconds for the ISE dashboard to appear, depending on the demo load.


Scenario 1. Network Visibility

The first step to securing any network is to understand what exists. Once you understand this, you can take steps to further educate yourself or your team in order to make informed decisions about what you should do next.

Steps

1. After launching the ISE Instant Demo, you will be presented with the login banner reminding you that you have Read-Only access. Simply Accept and Close the dialog.

2. When we first log in to the system, we are presented with the ISE Home > Summary dashboard, which has metrics for the total number of unique endpoints ISE has ever seen, how many of those are currently Active on the network and how many are Guests.

3. Next, review the Summary panels to see the percentage breakdowns of Authentications, Network Devices and Endpoints.

4. Hover over the donut wedges and labels to see the count of each category or type.


5. Use the tabs within the panels to pivot to different views of the same information.

6. If you see anything interesting – like an unexpected Entertainment Device – and want to know the specifics, such as What and Where they are, click on the donut wedges or categories to drill down and Filter on the Details behind the summary data:

7. There are other Dashboard tabs for Endpoints, Guests, Vulnerability, and Threat. But remember that the Vulnerability and Threat dashboards will NOT be populated because the Instant Demo does not have these security integrations. You may still want to show these to your customers and discuss how integrating ISE with these types of security products could let them see these devices and even Quarantine them with Rapid Threat Containment.

Using these dashboard views, you can get a baseline understanding of your network in terms of being able to see both Who and What is Where on the network. Once you have this level of visibility, you can begin to make educated policy decisions about unexpected devices, unregistered assets, potential risks and the need for segmentation.


Scenario 2. Search for a User or Endpoint

One of the most common tasks that administrators or helpdesk personnel need is the ability to quickly find and troubleshoot a particular user or endpoint on the network. ISE has a convenient Search feature to do this.

Steps

1. ISE provides an extremely simple Search interface from the menu bar.

2. You need to enter only three (3) characters to quickly find matching Usernames, MAC addresses or IP addresses.

3. Search for a string like ‘cda’ in the search field and you should see several matches for both MAC addresses and Users that you can select to see matching endpoints, connectivity status, and even what kinds of policies and authorizations were recently applied.

4. Bring up the search field again and search for the user Thomas. If the user thomas was calling the Help Desk to find out why his iPhone was not getting onto the network, you could filter on the Failed attempts and see that the most recent Failure Reason was a Wrong Password!


5. The list of endpoints associated with his username would even show which one(s) had the problem, and that he may need to change any stored passwords on that device.


6. Instant access to all of this relevant information as a result of a quick Search and a few clicks!


Scenario 3. What are the Unknown Endpoints on my Network?

Steps

1. Everyone wants to know if there are Unknown Endpoints connected to their network right now. These unknown endpoints may simply be the result of previously overlooked and unregistered assets, or they may be potential threats attached to your network.

2. To see the complete inventory of endpoints that the system knows about, simply navigate to Context Visibility > Endpoints.

3. On the Authentications panel, select the Identity Group tab to see the breakdown by groups, including Unknown endpoints! Hover on the Unknown donut slice to see the total count of Unknown endpoints.

4. Click on the Unknown donut slice to filter all endpoints for just the Unknowns.

NOTE: You may need to scroll right to see that the assigned Authorization Profile was most likely the Default, because the devices did not match any of the existing policy rules and should have little to no access.


5. Click on the MAC address to drill down and get all known attributes about the endpoint, including the OUI vendor, to begin the process of registration, classification or investigation:


Scenario 4. View Live Authentications

ISE allows you to view live authentications to your network in real time using the Live Log capability. This allows you not only to see who and what is coming in, but also to drill down to understand how and why if something is failing or unexpected.

1. In ISE, navigate to Operations > RADIUS > Live Logs:

2. You can adjust the update frequency, number of records and window that you view:

NOTE: setting the update frequency too low can make it difficult to filter items due to the screen refreshes.

3. Notice all of the details about When, What, Who, Where and How subjects were authenticated to the network!

4. If you want to know Why something matched a specific Authentication or Authorization Policy, simply click on the Authentication Details icon ( ) to get the Overview, Authentication Details, Attributes and Authorization Result, and to view the Steps that ISE completed when evaluating its policies. This can be extremely helpful for troubleshooting!

5. If you wonder why a particular user or endpoint failed ( ), click on the details and ISE should tell you the reason and what resolution you can take to fix it.


Scenario 5. Network Device Management

1. In ISE, navigate to Administration > Network Resources > Network Devices to view all of the network devices that ISE knows about:

2. By default, network access devices – or NADs – are listed by name, but you can change the sort order by clicking on any column title. Typically, NAD attributes such as IP address, Profile (vendor, hardware, software), Location (theater, city, building, floor, etc.) or Type (switch, wireless, VPN, etc.) are important for helping to define custom authentication and authorization policies that apply to specific hardware functionality, government regulations, or access methods.

3. You can even Export all of them to a CSV file using the Export > Export All option:

4. If you click on a network device name, you can see all of the configurable Network Device Profile and Protocol options.

NOTE: the Network Device Groups cannot be viewed in Read-Only Admin mode.

5. Alternatively, if you want to see all of the endpoints connected through a specific network device, go to Context Visibility > Network Devices and you can browse who or what is connected to which ports!


Scenario 6. ISE Authentication and Authorization Policy

In ISE 2.7, all policies were converted to Policy Sets because this is a more scalable and efficient way to build large numbers of policies. Drill down into the ISE authentication and authorization policies for examples of many common policies, how Scalable Group Tags (SGTs) are assigned and how many Hits they have in the hit counter.

1. In ISE, navigate to Policy > Policy Sets to see all policy sets. We only use the Default policy set for this demo to keep things simple!

2. Click on the View arrow ( ) for the Default policy set to see its Authentication policies and Authorization policies.

3. Authentication Policies can be made very granular with Conditions – down to a specific user or endpoint! They are generally used to filter authentications by NAD profiles (hardware functionality), access methods (wired, wireless, VPN), authentication types (802.1X, MAB), authentication protocols (PEAP-MSCHAPv2, EAP-TLS), or Identity Stores (internal, AD, token, etc.).

4. Review some of the Authorization Profiles to understand how the NAD attributes, Authentication method, Identity groups, endpoint attributes and other information can all be tied together to result in a specific Authorization Profile. IoT endpoints like surveillance cameras:

Employees in Active Directory:

And note the Default authorization if there are no other policy matches:
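The rule evaluation this scenario walks through, as an added Python example that is not part of the dCloud guide or of ISE itself: an ordered policy set whose rules map session attributes to an Authorization Profile and SGT, a Default rule for sessions that match nothing, and a Hits counter per rule. The rule names, attribute keys, profile names and sample sessions are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Attributes ISE knows about a session at authorization time: NAD attributes,
# access method, authentication type and protocol, identity group, endpoint profile.
Session = Dict[str, str]
Decision = Tuple[str, str, Optional[str]]  # (matched rule, Authorization Profile, SGT)

@dataclass
class AuthzRule:
    name: str
    condition: Callable[[Session], bool]  # the rule's conditions folded into one predicate
    profile: str                          # Authorization Profile returned on a match
    sgt: Optional[str] = None             # Scalable Group Tag assigned on a match
    hits: int = 0                         # the Hits counter shown beside each rule

@dataclass
class PolicySet:
    name: str
    rules: List[AuthzRule] = field(default_factory=list)
    # Constructed Default rule: a session that matches nothing lands here.
    default: AuthzRule = field(default_factory=lambda: AuthzRule(
        "Default", lambda s: True, "DenyAccess"))

    def authorize(self, session: Session) -> Decision:
        """Rules are evaluated top-down; the first match wins, otherwise Default."""
        for rule in self.rules:
            if rule.condition(session):
                rule.hits += 1
                return rule.name, rule.profile, rule.sgt
        self.default.hits += 1
        return self.default.name, self.default.profile, self.default.sgt

    def hit_counts(self) -> Dict[str, int]:
        return {r.name: r.hits for r in self.rules + [self.default]}

# Constructed policy set mirroring the guide's examples: IoT cameras and AD employees.
DEFAULT_SET = PolicySet("Default", rules=[
    AuthzRule("IoT_Surveillance_Cameras",
              lambda s: s.get("auth_type") == "MAB"
              and s.get("endpoint_profile") == "Surveillance-Camera",
              profile="Cameras_Only", sgt="Cameras"),
    AuthzRule("AD_Employees",
              lambda s: s.get("auth_type") == "802.1X"
              and s.get("protocol") in ("PEAP-MSCHAPv2", "EAP-TLS")
              and s.get("identity_group") == "AD:Domain Users",
              profile="Employee_Access", sgt="Employees"),
])

# Constructed sessions: a camera, an employee laptop, and an endpoint that matches
# nothing (which is how the guide's Unknown endpoints end up on the Default rule).
SAMPLE_SESSIONS: List[Session] = [
    {"auth_type": "MAB", "endpoint_profile": "Surveillance-Camera", "access": "wired"},
    {"auth_type": "802.1X", "protocol": "EAP-TLS", "identity_group": "AD:Domain Users",
     "access": "wireless"},
    {"auth_type": "MAB", "endpoint_profile": "Unknown", "access": "wired"},
]

def authorize_all(policy_set: PolicySet, sessions: List[Session]) -> List[Decision]:
    """Authorize each session in turn and return the decisions (hit counters update)."""
    return [policy_set.authorize(s) for s in sessions]
```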


Scenario 7. Scalable Group Tags (SGTs) and Software Defined Access (SDA)

In the ISE Policy Sets you could see Scalable Group Tags (SGTs) being assigned to specific users or endpoints. To understand how these tags relate to each other, you need to see the TrustSec Matrix. This will show how you can limit malware outbreaks with a single SGACL.

1. In ISE, navigate to Work Centers > TrustSec > Components to see the list of configured Scalable Group Tags (SGTs).

2. Each SGT has a Name and Number (0-65535) representing a group of users or endpoints. By default ISE has 18 SGTs defined, and this demo has 21 SGTs defined.

3. In the side menu, choose Security Group ACLs to view all configured SGACLs. We have defined only one SGACL, called BlockMalware, which blocks the typical ports (SMB/445) used for spreading malware such as WannaCry.

4. Click on the BlockMalware SGACL name if you want to see the complete ACL list. Notice that it is agnostic of IPv4 or IPv6 addresses, which makes it topology-independent and far more efficient and scalable than traditional IP-based ACLs.


5. Navigate to Work Centers > TrustSec > TrustSec Policy to see the TrustSec Matrix. The matrix is a scrollable grid of cells representing Contracts (SGACLs) between the Source (rows) and Destination (columns) tags where they intersect. The matrix is a logical and compact way to express port-based access between these groups.

6. Configured SGACLs – like our BlockMalware – are represented with a blue cell color. The default catch-all rules are shown in green for Permit IP and red for Deny IP. This gives you a quick visual assessment of what access is granularly configured, completely allowed or completely blocked.

7. To edit a Contract, click on the cell, then click on the pencil ( ) in the upper right corner of the cell. You can see Permit All and Deny All in the Final Catch-All Rules.

NOTE: You will not be able to save any changes because this is a Read-Only administrative login!
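The matrix evaluation described in steps 2 to 7, as an added Python model that is not the guide's or ISE's own code: SGTs carry a number in the 0-65535 range, an SGACL such as BlockMalware is a short list of entries with a final catch-all, and a matrix cell keyed on (source tag, destination tag) decides a flow from tags, protocol and port alone. The tag numbers, the extra DenyGuests contract and the matrix layout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class SGT:
    name: str
    number: int  # Scalable Group Tags are numbered 0-65535

    def __post_init__(self):
        if not 0 <= self.number <= 65535:
            raise ValueError(f"SGT number out of range: {self.number}")

@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", or "ip" for any protocol
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, protocol: str, dst_port: int) -> bool:
        proto_ok = self.protocol == "ip" or self.protocol == protocol
        return proto_ok and (self.dst_port is None or self.dst_port == dst_port)

@dataclass(frozen=True)
class SGACL:
    name: str
    entries: Tuple[ACE, ...]         # checked top-down, first match wins
    final_catch_all: str = "permit"  # the Permit All / Deny All final rule

    def decide(self, protocol: str, dst_port: int) -> str:
        for ace in self.entries:
            if ace.matches(protocol, dst_port):
                return ace.action
        return self.final_catch_all

# Constructed SGACL modelled on the guide's BlockMalware: deny SMB/445, permit the rest.
BLOCK_MALWARE = SGACL("BlockMalware", (ACE("deny", "tcp", 445),), final_catch_all="permit")

class TrustSecMatrix:
    """Cells map (source SGT, destination SGT) to a contract; unconfigured cells
    fall back to the matrix default, Permit IP (green) or Deny IP (red)."""
    def __init__(self, default: str = "permit"):
        self.default = default
        self.cells: Dict[Tuple[int, int], SGACL] = {}

    def set_contract(self, src: SGT, dst: SGT, contract: SGACL) -> None:
        self.cells[(src.number, dst.number)] = contract

    def evaluate(self, src: SGT, dst: SGT, protocol: str, dst_port: int) -> Tuple[str, str]:
        """Return (contract name, decision). Only tags, protocol and port are consulted;
        no IPv4/IPv6 address appears, which is what makes the policy topology-independent."""
        contract = self.cells.get((src.number, dst.number))
        if contract is None:
            return ("Permit IP" if self.default == "permit" else "Deny IP"), self.default
        return contract.name, contract.decide(protocol, dst_port)

    def cell_color(self, src: SGT, dst: SGT) -> str:  # blue = SGACL, green/red = catch-all
        if (src.number, dst.number) in self.cells:
            return "blue"
        return "green" if self.default == "permit" else "red"

# Constructed tags and matrix; cells without a contract inherit the Permit IP default.
EMPLOYEES, GUESTS, SERVERS = SGT("Employees", 4), SGT("Guests", 6), SGT("Servers", 11)
MATRIX = TrustSecMatrix(default="permit")
MATRIX.set_contract(EMPLOYEES, EMPLOYEES, BLOCK_MALWARE)
MATRIX.set_contract(GUESTS, SERVERS, SGACL("DenyGuests", (), final_catch_all="deny"))
```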


Summary

ISE helps you get answers to Who, What, Where, When, Why and How a user or endpoint got access to your network. You can manage access for any kind of network device, whether Wired, Wireless or VPN, and with any hardware that can talk RADIUS. ISE policy creation can be as simple or as granular as you need it to be, and it scales to hundreds of policies. Finally, ISE allows you to use group-based policy with contracts to create and enforce a simpler, more efficient access control policy in our intent-based networking future!
