How Does XtendISE Help with 802.1X Management in ISE?
XtendISE is a simple web application connected to your Cisco ISE. It helps with everyday routine tasks and common challenges related to 802.1X without the need to train everyone in Cisco ISE. XtendISE can help you manage MAC addresses and troubleshoot 802.1X authentications. It also helps with managing the 802.1X configuration on switches and validating that they are configured as intended.
All these features save time for us Network Engineers and help us do our job efficiently, because we do not waste time on routine tasks. They also increase network security, because they make sure that the network is configured correctly.
What Company Is XtendISE Intended For?
XtendISE is suitable for a company of any size with Cisco ISE and Cisco network devices. However, medium or large companies will get more out of XtendISE features because they are more likely to be affected by the problems mentioned above.
XtendISE helps the Helpdesk or IT Support in the following ways:
- They get easy-to-use MAC address management and troubleshooting
- They save time and there is no need for extra knowledge of ISE
- They can manage switch port configurations
- They do not need direct access to network switches or ISE
XtendISE also helps Network Engineers with switch port configuration management. Typically, you would configure each switch port with 802.1X configuration, which is a tedious task, but XtendISE simplifies this with interface templates.
XtendISE Dashboards and Reports
The dashboard in ISE can be overwhelming at times, and while more valuable information is often found in reports, it requires deeper knowledge to understand. We may also need to combine multiple reports to get the results we need.
XtendISE provides useful, easy-to-read widgets with graphs, tables, and data to help network engineers identify problematic endpoints and various authentication issues directly on the dashboard. Network engineers do not have to dive into complex ISE reports; they have everything they need directly on the XtendISE dashboard.
MAC Address Management
If you work in an 802.1X environment, you know that not all devices, such as printers, CCTV cameras, and televisions, support 802.1X. We rely on MAC Authentication Bypass (MAB) to allow these devices access to our network.
Typically, if a device doesn’t support 802.1X, we get the MAC address of the device and add it to a specific group in ISE. Since network engineers manage ISE, it becomes our responsibility, and again, it can be tedious. We could give helpdesk access to ISE, but we want to ensure we only grant necessary permissions and only allow access to specific groups.
XtendISE addresses these issues by acting as an external MAC address database for ISE. It allows you to manage the MAC database and perform basic tasks like adding, editing, or removing an endpoint (MAC address), and the whole process is greatly simplified to save time. Every administrator can also be authorized to only work with certain MAC address groups based on Active Directory groups. This increases security because it integrates role-based access control. This feature is excellent for helpdesk and site administrators to perform routine tasks without accessing ISE directly.
ISE Troubleshooting with XtendISE
Along with MAC address management, troubleshooting is a fundamental routine task that every administrator must perform to check whether a device was authenticated and why. In ISE, we typically use Live Log that shows the authentication events for the past 24 hours to quickly check the device’s authentication activity. However, the Live Log in ISE can be complex and slow at times.
The Live Log also provides only half the information; the other half is on the switch. Often, we have to log into the switch to see the authentication status from the switch’s point of view.
XtendISE greatly simplifies the Live Log; it contains only the information needed to quickly identify failing authentications. The XtendISE Live Log provides authentication information from both ISE and network switches in one place, via the SSH connector. Right from XtendISE, you can run show commands directly on the switches and view the output. You can also bounce a port directly from XtendISE.
Compliance Module
Every network contains hundreds or thousands of switch interfaces, making it difficult to keep them all correctly configured and free of misconfigurations. Troubleshooting, switch replacements, configuration errors, or mistakes during 802.1X deployment can lead to situations where some switch interfaces do not have the correct 802.1X configuration, creating security vulnerabilities in the network.
In every network, there are switch interfaces that a customer may choose not to include in 802.1X for various reasons (e.g., a director does not want this in his office). These interfaces should be noted as exceptions and periodically reevaluated to confirm if the exception is still valid.
XtendISE can serve as a comprehensive auditing and configuration management tool that periodically scans and audits switch configurations to ensure they meet the customer’s standards. It scans all ISE-configured network switches daily to validate their configurations. XtendISE highlights switch interfaces that are missing 802.1X configurations (thus are unsecured) or are missing specific commands. Administrators can fix configurations directly from XtendISE with just a few clicks.
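The kind of audit described above can be sketched in a few lines. This is an added example, not XtendISE code: it parses a constructed IOS running-config excerpt, flags access ports that lack commands from an assumed baseline, and keeps documented exceptions visible so they can be reevaluated. The `REQUIRED` list, the sample config, and the function names are assumptions.

```python
import re

# Assumed baseline (real IOS interface commands; the required set is local policy).
REQUIRED = ("authentication port-control auto", "mab", "dot1x pae authenticator")

# Constructed sample running-config excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description Director office
 switchport mode access
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to the set of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit(config, exceptions=()):
    """Return access ports missing baseline commands; exceptions stay listed."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        missing = [c for c in REQUIRED if c not in cmds]
        if "switchport mode access" in cmds and missing:  # trunks are skipped
            findings[name] = {"missing": missing, "exception": name in exceptions}
    return findings
```

Calling `audit(SAMPLE_CONFIG, exceptions={"GigabitEthernet1/0/3"})` reports port 2 as missing `mab` and port 3 as a documented exception that still lacks all three commands.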
Intelligent VLANs
The Intelligent VLANs feature addresses two common issues in networks with 802.1X and dynamic VLAN assignment (where a VLAN is assigned to a device after it is authenticated).
First, some devices (IoT devices, for example) are silent: they do not send any data until they are contacted. This makes it difficult to authenticate them using their MAC address (MAB method). Second, it can be a challenge to wake up computers remotely (Wake on LAN) in networks with 802.1X. The WoL system remembers the last VLAN assigned during authentication, but when the PC is turned off, it reverts to the VLAN configured on the switch interface, which may differ, causing the WoL system to attempt to wake the PC in an incorrect VLAN.
XtendISE uses a clever VLAN configuration on switch interfaces to ensure consistency with the VLAN assigned by ISE, effectively solving both problems. XtendISE monitors authentication logs and dynamically configures the access VLAN on a switch interface when a monitored device connects. If a device disconnects, it maintains the VLAN configuration for a specific period of time.
Do You Want to Try XtendISE?
If you’re interested in trying XtendISE in your environment or want to learn more about the product, feel free to reach out to our team; they’ll be happy to assist you. If you have any questions, please let me know in the comments.
You can try the full trial version of the application for one month.