Network access control with Cisco's Identity Services Engine

The Magic Gate

Architecture as a Function of Network Size

Architectures differ depending on the size and geographical arrangement of the corporate or government network. On small networks, standalone deployment comes into play, which means you have a redundant pair of ISE nodes on which all personas run. All settings are replicated to the second node. AAA requests always reach the primary node through network components. The secondary is therefore available as a fail-safe and normally has up-to-date data.

Split deployment means two servers on which all personas run. The AAA requests from switches, routers, and firewalls are distributed across the two nodes for load-balancing purposes. The question is whether you prefer load balancing or deterministic behavior with a clear-cut distribution of roles.

For a medium-sized deployment, AAA requests are processed on dedicated policy services nodes. Logging is handled by two centralized nodes that only support central administration and logging. The policy service persona is disabled on the two central servers. For large deployments, redundant load balancers can be deployed upstream of the policy service nodes to distribute the load.

As an indication of the maximum number of parallel sessions, consider Cisco's three physical platforms. For simplicity's sake, I am showing the numbers for standalone deployments. A maximum of 10,000 sessions is supported on the SNS 3615, with 25,000 on the SNS 3655 and 50,000 on the SNS 3695.


The ISE licensing model changed fundamentally in version 3.0 (currently 3.1; see the "New Features in Versions 3.0 and 3.1" box). Cisco offers three different license subscriptions for the NAC features: Essentials, Advantage, and Premier. These subscriptions are based on other platforms (e.g., switches). Each model has a possible term of one, three, or five years. Even the small Essentials license includes authentication based on legacy 802.1X, including MACSec encryption; MAC authentication bypass; guest portal solutions; and API access for monitoring and create, read, update, and delete (CRUD) operations. Even a passive ID feature is on board – but only if the recipient of the information provided is a Cisco model. If a third-party system is used, an Advantage license must be in place.

New Features in Versions 3.0 and 3.1

For administrators who already use ISE, some new features were introduced in version 3.0, such as a debug wizard that can be used for error analysis on ISE nodes. For organizations that use Security Assertion Markup Language (SAML) as an authentication service, multifactor authentication and a SAML-based admin login to ISE are now available. Also, a new ISE API gateway bundles API requests centrally and forwards them in line with a stored ruleset. The Passive Identity service now also supports the Microsoft Remote Procedure Call (MSRPC) protocol, and an on-demand health check of all nodes in the ISE is present. Additionally, a bidirectional posture flow is now available, which means the AnyConnect Secure Mobility client proactively queries ISE for its posture status to avoid mistakenly remaining in restricted mode.

Since version 3.1, when connecting to an Active Directory, you have the option of specifying a list of preferred domain controllers, which provides a clear sequence in the event of a failure. The new differentiated upgrade is also interesting. A split upgrade lets you select the nodes individually for which an upgrade will be performed, which means ISE services can remain active for users and administrators; however, it takes more time. A full upgrade means that all nodes are upgraded in parallel, which translates to service downtime, but it is faster. Last but not least, you now have zero-touch provisioning of ISE virtual machines.

The Advantage license includes all the features of Essentials and adds the option of provisioning bring-your-own-device (BYOD) devices with an integrated certification authority (CA). On top of this, you have the option of using the My Devices portal, through which users can provision and manage their devices for authentication themselves and also lock them (e.g., in case of theft). TrustSec and profiling, features that I present later, are also available from this level. If you want to go one step further and trigger actions as a function of the collected profiling data, such as isolating a host from the rest of the network if an infection is detected, you need the Premier license, which also makes the integration of mobile device management an option.

Administrators who want to use Terminal Access Controller Access-Control System Plus (TACACS+) with ISE can get a device administration license. This license is perpetual, but it must be in place for each ISE server with an active TACACS+ role; the number of managed network components is irrelevant. The same model is used for the IPsec license, which supports IPsec encryption for up to 150 network components per Policy Services node. This arrangement provides better protection for the data transferred during the AAA processes.

Licensing is handled by the Smart Licensing feature, which matches numbers against a Cisco license server. Support for an on-premises smart licensing server was introduced in ISE version 3.0 patch 2. The advantage is that only this server needs to be able to communicate directly with the Cisco license server in the cloud and not the ISE itself.

AAA Interfaces

The ISE provides various interfaces for AAA. TACACS+ is usually used to control administrative access and command authorization for network components. Introduced in version 2.0, this licensed function, known as Device Administration, provides a way of structuring a very granular authorization and role concept.

Command sets can be used to control exactly which command-line interface (CLI) commands are available to individual users and user groups on a group of network components. The authorization for each command is checked on the ISE, and the command is then allowed or denied. However, the routers and switches must be configured accordingly for this to work.

ISE offers numerous ways initially to authenticate end devices or users. The most important authentication framework for enterprise networks is IEEE 802.1X. ISE supports a variety of protocols, including Extensible Authentication Protocol/Transport Layer Security (EAP-TLS), EAP/Tunneled TLS (EAP-TTLS), and Protected EAP/Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2), and therefore allows for a high level of flexibility to support different types of devices.

It should be mentioned that IEEE 802.1X now also has known attack vectors, which can be addressed by adding MACSec: On top of authenticating the end device, the user, or both, MACSec encrypts the link between the end device and the switch. However, this requires a MACSec supplicant such as the Cisco AnyConnect Secure Mobility Client on the end device; this function does not currently exist for printers or phones.

For end devices that do not support 802.1X, the far less secure MAC authentication bypass (MAB; i.e., authentication on the basis of the device's MAC address) can of course be used. Because this address is often printed on the device and is easy to spoof, admins really need to ask themselves whether they still want to use this method. If MAB is the lowest common denominator, profiling can be used as an additional factor, which brings further attributes into the authentication and authorization decision. For example, parts of the content of the device's DHCP requests can be matched against the expected device profile, raising the bar for a potential attacker. Combining this profiling information with lower value authentication methods such as MAB therefore gives you a more reliable basis for an authorization decision.
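The following is an added illustration of the idea above (example code written for this article, not ISE's own logic): a MAB-style lookup on the MAC address only identifies the claimed vendor, and the device's DHCP vendor class (option 60) and parameter request list (option 55) must agree with the expected profile before full access is granted. The OUI table, fingerprints and endpoint records are constructed placeholders, not real vendor assignments.

```python
import re

# Constructed OUI -> vendor table (placeholder prefixes, not real IEEE assignments).
OUI_VENDORS = {
    "00:11:22": "AcmePrint",
    "aa:bb:cc": "AcmePhone",
}

# Constructed profiling policy: what a device of this vendor is expected to send in
# its DHCP requests (option 60 vendor class, option 55 parameter request list).
EXPECTED_DHCP = {
    "AcmePrint": {"vendor_class": "AcmePrinter", "param_list": (1, 3, 6, 15, 44)},
    "AcmePhone": {"vendor_class": "AcmePhone-IP", "param_list": (1, 3, 6, 42, 66, 150)},
}


def normalize_mac(mac):
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or colon form; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def authorize(mac, dhcp_attrs):
    """Return (result, reason) for an endpoint seen via MAB.

    dhcp_attrs is None until the profiler has seen a DHCP request from the endpoint;
    until then, and whenever the fingerprint disagrees with the vendor claimed by the
    MAC address, only the restricted profile is granted.
    """
    mac = normalize_mac(mac)
    vendor = OUI_VENDORS.get(mac[:8])  # first three octets = OUI
    if vendor is None:
        return "DENY", "unknown OUI"
    expected = EXPECTED_DHCP[vendor]
    if dhcp_attrs is None:
        return "RESTRICTED", f"{vendor}: MAB only, no profiling data yet"
    if dhcp_attrs.get("vendor_class") != expected["vendor_class"]:
        return "RESTRICTED", f"{vendor}: DHCP vendor class mismatch"
    if tuple(dhcp_attrs.get("param_list", ())) != expected["param_list"]:
        return "RESTRICTED", f"{vendor}: DHCP parameter request list mismatch"
    return "PERMIT", f"{vendor}: MAC address and DHCP profile agree"


if __name__ == "__main__":
    # Constructed sample endpoints: a genuine printer, and a host using a printer's MAC
    # address whose DHCP fingerprint looks like an ordinary workstation.
    print(authorize("00-11-22-33-44-55", {"vendor_class": "AcmePrinter", "param_list": [1, 3, 6, 15, 44]}))
    print(authorize("00-11-22-33-44-55", {"vendor_class": "MSFT 5.0", "param_list": [1, 3, 6, 15, 31, 33]}))
```

A real profiler would feed many more attributes (CDP/LLDP, HTTP user agent, NMAP results) into the same decision; the point is that the MAC address alone never unlocks the full-access profile.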

Another interesting approach is the fairly new Passive Identity [3] feature. Instead of the terminal device or user actively authenticating against ISE by 802.1X, MAB, or web authentication, ISE obtains the username and IP address from external sources (e.g., Active Directory) and makes this information available with pxGrid so that it can be used, for example, on firewalls.

If you want to go a bit further and control access to the network on the basis of dynamic client properties, such as the patch level, antivirus software, or indicators of potential malware (e.g., certain signatures or registry keys), you can use the Posture feature. It can grant temporary restricted access so that the client can return to the required state (e.g., by updating its virus signatures). A change of authorization (CoA) is then used to replace the restricted access with the access actually required. ISE sends this CoA to the active network component, which requires appropriate configuration on that component.
