dokucama

This is an old revision of the document!

---

CISCO ISE
Note that Cisco ISE (Identity Services Engine) is a RADIUS/TACACS+ Server + policy engine

• https://www.youtube.com/watch?v=ANbCfegrq9Y
• http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac05hostscanposture.html

The posture services workflow is comprised of three main configuration sections:

• Client provisioning
• Posture policy
• Authorization policy

The posture policy defines the set of requirements for an endpoint to be deemed compliant based upon file presence, registry key, process, application, Windows, and anti−virus (AV)/anti−spyware (AS) checks and rules. Posture policy is applied to endpoints based upon a defined set of conditions such as user identity and client OS type. The compliance (posture) status of an endpoint can be:

• Unknown: No data was collected in order to determine posture state.
• Noncompliant: A posture assessment was performed, and one or more requirements failed.
• Compliant: The endpoint is compliant with all mandatory requirements.

---

TO CREATE A NEW POLICY:

Add the device we want to be Authorised with ISE:

Admin. > Network Devices > Add

Policy sets: They have all the policy type. Authoriz and Authentication

Create the Authorization profile:

Policy > Policy Elements > Results > Authorization > Authorization profiles

Add the corresponding authorization and authentication policies:

Policy > Policy Sets

VPN posture completed and testing done to complete TSHOOT:

updated the security policy before doing so (gpupdate /force) on each machine

PROFILING

POSTURING

---

ISE NODES TYPES AND ROLES

• Node type:
  • Admin (PAN)
  • Policy Service (PSN): handles traffic between network devices and ISE (its IP is used aS RADIUS for devices).
• Roles:
  • Primary
  • Secondary

In order to access the nodes simply browse to node using https. Active Directory account can be used for login.
For the PAN nodes, the concept of primary/secondary must be understood purely from the user management interface point of view. Operationally, the secondary node does exactly the same as the primary one. The only difference is that the primary one allows the user to access all the management features (like logging or policy configuration)

---

PAN FAILOVER
Cisco advises to have PAN failover disabled.
If one of the ISE PAN nodes fails and we want to have admin features available in the healthy one, we manually promote the secondary to primary: to do so, we log into the UI of the secondary node. Promote to primary takes 10-15 mins and implies restarting services in both nodes. There's no impact in end users, just the Admin UIs get momentary unreachable.

---

RAISE TAC CASE:

• Operations > Troubleshoot > Download Logs and under Appliance node list select the ISE node you have issues with > 'Support Bundle' tab
• tick: debug logs ; local logs ; mon and reporting logs ; system logs ; from date to date
• encryption : public key enc

---

CLI:

show version    # to check version and patch number
show disks
show application status ise    # application server must be in 'running' state