Cisco ISE for Beginners - What It Is and What It Does
Cisco Identity Services Engine (ISE) is a tool that many Network and Security Engineers come across in their work. If you're new to it or haven't used it yet, this blog post is for you. We'll talk about what Cisco ISE is and what it does. We'll look at its uses, like 802.1X/NAC, TACACS+, and Guest Access. We'll also mention Profiling and Posturing. By the end, you'll have a clear understanding of Cisco ISE and its role in the network world. Let's get started.
What is Cisco ISE?
With so many technical articles out there about Cisco ISE, many of which delve deep into technical specifics or lean heavily on marketing language, it's essential to have a clear, straightforward understanding. Imagine the realm of cars for a moment. While there are many models and makes, a Ferrari is known for its exceptional performance and features. Similarly, Cisco ISE can be thought of as the "Ferrari" of RADIUS/TACACS+ servers.
At its core, Cisco ISE is all about the three A's: Authentication, Authorization, and Accounting. Whether you're looking to authenticate users on WiFi, give specific access to network equipment, or manage logins for guests on a portal, Cisco ISE has got you covered. It's flexible, capable, and ready to handle most network security tasks you throw at it.
Real World Example
Imagine a large company with thousands of employees and contractors. You need a way to authenticate everyone and provide them with the appropriate network access. Cisco ISE excels in this area, especially with its support for 802.1X. Employees on corporate devices can auto-join the wireless network, while guests have various options for access, ranging from simple captive portals to more complex self-registration or sponsor systems.
Cisco ISE is equally adept with wired 802.1X. It can assign users/devices to the right VLAN based on AD groups and enforce ACLs automatically. For example, IT staff can be placed on a specific VLAN with full network access, while Sales staff are on another VLAN with restricted access. No matter where they plug in, their access is consistent. For devices that cannot do 802.1X, ISE can identify (profile) device types such as printers, security cameras, IoT devices, phones, or access points and assign them to appropriate VLANs.
Additionally, ISE can check devices for compliance with security policies before allowing network access. This process, known as posturing, ensures that devices, especially those with full network access, have the necessary security measures like updated antivirus, device encryption and active firewalls.
Picture an employee arriving at the office. They open their laptop in the canteen, and it automatically connects to the wireless network. This connection process isn't just about getting online; Cisco ISE is working in the background. It checks the employee's credentials and group membership in Active Directory. Based on this information, the employee gets the appropriate level of network access. So, if they're part of the IT department, they might have broader access compared to someone in a different department.
Now, when this employee walks to their desk and plugs into a wired port, the same process kicks in. The moment they connect, ISE authenticates and authorizes the session. Again, the employee is granted access levels appropriate to their role and group. ISE can even push an Access Control List (ACL) directly to the switch port. This means the network can dynamically adjust access permissions based on who's connecting, ensuring security and appropriate access at all times, regardless of location.
Device Administration (TACACS+)
Now, let's dive into Device Administration using TACACS+, a crucial aspect for network engineers managing numerous network devices like routers, switches, firewalls, or load balancers. It's impractical, and frankly impossible, to manage local user accounts on each device. This approach simply doesn't scale well for large networks.
In an ideal setup, we want to use Active Directory (AD) credentials to log into these devices. However, we also need to ensure that different users get varying access levels depending on their role. This is where TACACS+ becomes invaluable. It's specifically designed for this purpose.
Cisco ISE isn't limited to functioning as just a RADIUS server; it also serves as a TACACS+ server. This means we can direct all our network devices to authenticate, authorize, and account (AAA) through ISE. So, when a user attempts to log into a switch, for instance, the switch communicates with ISE to verify if the user is allowed to log in and, if so, determine the level of access they should have.
For example, we can configure rules such that Network Engineers have the ability to run almost all commands, except ones like 'reload', while interns or junior engineers are restricted to running only 'show' commands. ISE authorizes each command entered at the CLI. If an intern tries to execute 'conf terminal', the command authorization process will block it.
This functionality offers a clear picture of how TACACS+ in Cisco ISE enhances security and control over network device administration, tailoring access to the specific roles of users within the organization.
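As an added example, not taken from the original post, this is the IOS-side AAA configuration that sends logins and every CLI command to ISE for TACACS+ authorization and accounting, followed by a sketch of the two ISE command sets the paragraph above describes. The ISE address, shared secret, source interface and local fallback account are assumed placeholders.

```cisco
! Assumed values: ISE PSN at 10.0.0.10 with the Device Administration
! (TACACS+) service enabled.
aaa new-model
!
tacacs server ISE-PSN-1
 address ipv4 10.0.0.10
 key <TACACS-SHARED-SECRET>
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
!
! Login and enable are checked by ISE; the 'local'/'enable' fallback is only
! consulted when no ISE server answers, not when ISE rejects the user.
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization exec default group ISE-TACACS local if-authenticated
! Every command at privilege 1 and 15 is sent to ISE before it runs.
aaa authorization commands 1 default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
! Config-mode commands are authorized too (on by default once command
! authorization exists; stated explicitly so nobody can quietly turn it off).
aaa authorization config-commands
! Accounting gives ISE a per-user audit trail of who ran what, and when.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
ip tacacs source-interface Loopback0
! Break-glass account, usable only when ISE is unreachable.
username breakglass privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
line vty 0 15
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting commands 15 default
 transport input ssh
!
! ISE side (Work Centers > Device Administration > Policy Elements > Results >
! TACACS Command Sets), written out as the rules ISE would hold:
!   NetEng-CmdSet: "Permit any command that is not listed below" = checked
!                  DENY    reload   (any arguments)
!   Intern-CmdSet: "Permit any command that is not listed below" = unchecked
!                  PERMIT  show     .*
! The matching TACACS Profiles set privilege 15 for engineers and 1 for
! interns, so 'conf terminal' from an intern is refused by ISE.
```

Test the policy with `test aaa group ISE-TACACS <user> <password> legacy` on the switch, and then watch Operations > TACACS > Live Logs in ISE to see each command authorization as a separate entry.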
Guest Access
Moving on to Guest Access, it's vital for a company to provide WiFi not only for its employees but also for guests and the personal devices of employees. Using a Pre-Shared Key (PSK) for this purpose isn't ideal due to weaker security and the risk of PSKs falling into the wrong hands.
Captive Portals emerge as the best option for guest access. When someone tries to connect to the WiFi, they're greeted with a login page. You can set up different policies for different types of users. For instance, employees with personal devices can still use their AD credentials to access the guest WiFi, but they'll be placed on a completely isolated guest network that provides only Internet access, ensuring security and separation from the main corporate network.
For non-employees, Cisco ISE offers various flexible options. One approach is to allow guests to create their own accounts for WiFi access. Another more controlled method involves assigning sponsors, like receptionists or security personnel, who create accounts for guests. This ensures that random individuals can't just walk in and access the Internet, adding an extra layer of security and control over who gets access to the company's Guest WiFi.
Profiling and Posturing
Now, let's explore two more important features of Cisco ISE: Profiling and Posturing.
Profiling refers to the process used by ISE to identify the types of devices connecting to the network. It's not just about granting access; it's about understanding what's gaining access. For instance, ISE employs various methods to differentiate between an IP phone, a CCTV camera, a printer, and other devices. This identification is crucial for applying appropriate policies and ensuring that each type of device receives the correct level of network access and privileges.
Posturing, on the other hand, is about ensuring that devices comply with your network's security policies. With Posturing, ISE can check if devices accessing the network are up to date with the latest software, have antivirus programs running, or have encrypted disks. If a device doesn't meet these criteria, ISE doesn't necessarily block access outright. Instead, it can provide limited access or guide the device through a remediation process to resolve the issues. This ensures that only secure, compliant devices have full access to the network, while others are either restricted or brought up to compliance.
Further Reading on Cisco ISE
Before we close off, it's important to note that Cisco ISE has a lot more to offer than what we've covered in this post. The capabilities and features of ISE extend far beyond these basics. However, for someone who's new to Cisco ISE, this overview should provide a solid starting point and a clear understanding of its core functionalities and how it can be a game-changer in managing network access and security.
I've written a series of blog posts on Cisco ISE that cover 802.1X and TACACS+. Feel free to check it out below.