XtendISE Key Features - Simplifying Cisco ISE Management


XtendISE is a user-friendly web application integrated with Cisco ISE and designed to simplify daily tasks and common challenges related to 802.1X without requiring extensive training on Cisco ISE. XtendISE helps manage MAC addresses, troubleshoot 802.1X authentication issues, and simplify the management of switch 802.1X configurations. It also validates configurations to ensure they are set up correctly and as intended.

We covered the basics of XtendISE in a previous article linked below. In this blog post, we will explore in detail three key features that XtendISE offers.

  • MAC address management
  • Enhanced Troubleshooting Capabilities
  • Configuration and Auditing of the network access devices
How XtendISE Helps with 802.1X Management in ISE?
XtendISE is a simple web application connected to your Cisco ISE, which helps with everyday routine tasks and common challenges related to 802.1X without the need to train everyone in Cisco ISE.
💡 Disclaimer - XtendISE sponsors my blog, and this is a sponsored post. However, I had the final say on the content and personally liked their product.

MAC Address Management

Typically, when a device doesn’t support 802.1X, we collect its MAC address and add it to a specific group in ISE. This process can be time-consuming, especially with hundreds of devices on the network that don’t support 802.1X and need to be added to and managed in ISE.

While we could grant helpdesk staff access to ISE, we prefer to restrict their permissions to only what's necessary, ensuring access is limited to specific groups. XtendISE addresses these challenges, simplifying the workload for network engineers.

  • A simple and user-friendly form to add a new MAC address with just a few clicks.
  • Automatic deletion of time-based MAC address records from ISE upon expiration.
  • Granular Role-Based Access Control (RBAC) to provide users with only the necessary privileges.
  • Bulk import capability via file upload or web form.
  • MAC address localization on the network.

Add New Endpoint

Adding a new MAC address is quick and straightforward. Users can manage only the groups they are authorized to access. With no unnecessary steps, MAC addresses can be added in seconds, saving valuable time for IT staff.

Time-Based MAC Address Records

For scenarios where network access is needed only for a specific period, XtendISE provides an option to set an Endpoint Validity field. Once the specified time expires, the MAC address record is automatically deleted, preventing the device from accessing the network. Additionally, email notifications can be enabled to alert users before the MAC address is removed from the system.

Role-Based Access Control

XtendISE also provides granular control over access to Endpoint Groups by leveraging Active Directory membership for its users. Each Endpoint Group can be uniquely configured, allowing only specific user groups to manage it. This approach enhances control over user access while improving the user experience by ensuring users are not overwhelmed with groups they are not authorized to manage.

Bulk Import of Endpoints

If you need to add multiple MAC addresses to ISE, XtendISE offers a convenient bulk import feature. You can import data from a standard CSV file or input MAC addresses in text form, adding them to ISE with just a few clicks. This feature is particularly useful in scenarios where a large number of devices need to be onboarded quickly and efficiently.

Localize MAC

XtendISE can pinpoint where a device is connected within the network using its MAC address, IP address, or name. This feature is especially valuable in large environments where quick device localization is critical.

Enhanced Troubleshooting Capabilities

In any 802.1X-enabled environment, troubleshooting is a routine and often time-consuming task for network administrators, especially when addressing authentication failures.

In ISE, the Live Log provides a 24-hour view of authentication events, helping administrators check device authentication activity. However, the Live Log in ISE can sometimes be slow and complex. Additionally, it only provides partial information; the rest often requires logging into the switch to view the authentication status from the switch's perspective.

XtendISE addresses these challenges by enabling users to fully troubleshoot and monitor 802.1X-enabled environments without direct access to ISE or switches.

  • A simplified and responsive Live Log for quick access to authentication events.
  • An SSH connector to send predefined commands directly to the switch for real-time status updates.

XtendISE LiveLog

XtendISE simplifies the Live Log by focusing on the essential information needed to quickly identify failing authentications. It avoids overwhelming users with unnecessary details, highlighting only the key parameters related to authentication. For more in-depth troubleshooting, users can also drill down into the details of an authentication session.

SSH Connector

XtendISE can directly connect to switches or WLCs and execute predefined commands. This feature is accessible from the Live Log, allowing commands to be sent via SSH to the switch or WLC where the end device is connected.

This functionality helps troubleshooting by eliminating the need for users to manually connect to the switch or WLC to run commands. Additionally, XtendISE ensures that users have no direct access to the switch or WLC while still enabling effective troubleshooting in an 802.1X environment.

Configuration and Validation

Implementing 802.1X in a network is a time-consuming task, requiring every access port to be configured to enforce 802.1X authentication. Once this tedious process is complete, the real challenge begins: maintaining the network configuration to align with organizational standards and ensure security.

XtendISE supports network engineers throughout this process by allowing users to configure ports based on predefined templates directly within the application. After the configuration is applied, XtendISE periodically evaluates the configuration of every switch and port in the network to ensure compliance with the predefined templates and maintain security.

  • The ability to configure ports using predefined templates.
  • Periodic evaluation of port configurations across all switches in the network.

Template Definition

The first step is defining templates for configuring and evaluating switch ports. The logic is straightforward: the configuration on a port is checked against every command in the template, and the port’s status is assessed as Compliant, Partially Compliant, or Non-Compliant, based on the template criteria.

Configuration Validation

Every switch registered in Cisco ISE as a Network Access Device (NAD) is synchronized with XtendISE, and its configuration is validated. If all ports on a switch comply with the predefined template, the switch is marked as Compliant. However, if even a single port is identified as Non-Compliant, the entire switch is flagged as Non-Compliant.

If we drill down into the details of a switch, we can view information for each port, including its configuration, authenticated devices, the template that matches the port's configuration, and the result of the validation check.

Specific ports can be marked as "Exceptions" or "Bypass," which effectively skips the evaluation process for those ports. This allows the switch to be marked as Compliant, even if certain ports do not conform to the standard. Additionally, exceptions can be exported and validated periodically to ensure consistency and maintain security standards.
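The validation logic described above, sketched as an added example (not XtendISE's code and not part of the original post). The template commands, the sample config, the reading of Partially Compliant as "some but not all template commands present", and the rule that a Partially Compliant port also keeps the switch from being Compliant are assumptions.

```python
import re

# Assumed template: commands every 802.1X access port must carry.
TEMPLATE = ("switchport mode access", "authentication port-control auto",
            "dot1x pae authenticator", "mab")

# Constructed running-config excerpt, not taken from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
!
interface GigabitEthernet1/0/2
 switchport mode access
 mab
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: set of commands configured under it}."""
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # "!" or a global line closes the block
    return ports

def port_status(commands, template=TEMPLATE):
    hits = sum(cmd in commands for cmd in template)
    if hits == len(template):
        return "Compliant"
    return "Partially Compliant" if hits else "Non-Compliant"

def audit_switch(config, exceptions=frozenset()):
    """Return (switch verdict, per-port results); exception ports are skipped."""
    ports = {name: "Exception" if name in exceptions else port_status(cmds)
             for name, cmds in parse_interfaces(config).items()}
    # Assumption: any evaluated port short of Compliant fails the switch.
    ok = all(s == "Compliant" for s in ports.values() if s != "Exception")
    return ("Compliant" if ok else "Non-Compliant"), ports
```

Calling `audit_switch(SAMPLE_CONFIG)` returns a Non-Compliant verdict with one port in each state; passing the second and third interfaces as exceptions yields Compliant, which is why the exception list itself deserves periodic review.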

In Configuration mode, XtendISE users can select templates to apply, configure descriptions and VLANs, and push the configuration directly to the switch. Multiple ports can be configured simultaneously, which is particularly helpful during the implementation phase or when applying global configuration changes across the environment. To prevent potential network disruptions, sensitive ports can be marked as "Protected Interfaces," restricting regular XtendISE users from making changes to them.

Closing Up

XtendISE simplifies the management and troubleshooting of 802.1X environments, saving time and reducing complexity for network engineers. Its user-friendly features make it an excellent tool for maintaining secure and compliant networks.

If you like what you’ve seen and want to learn more, feel free to reach out to the friendly team for assistance.

Do You Want to Try XtendISE?

You can try the full trial version of the application for one month.

Written by
Suresh Vina
Tech enthusiast sharing Networking, Cloud & Automation insights. Join me in a welcoming space to learn & grow with simplicity and practicality.