Network access control with Cisco's Identity Services Engine

The Magic Gate

Integrating Guest Devices

In addition to their own devices, most companies also need to integrate guest devices or support BYOD. For onboarding these devices, you need web portals like those used by public hotspots in train stations or other public places. The portals can also be used for wired guest networks.

ISE offers three approaches for guest portals. First is the simple hotspot portal, wherein you redirect the guest to a portal on the basis of parameters transferred by ISE to switches or WLAN controllers. The portal prompts for confirmation of the terms of use before access is granted (Figure 3). This privacy-friendly variant has no record of the name, cell phone number, or email address to determine the originator in the event of a violation of the terms of use.

Figure 3: Example of a guest portal with a prompt to confirm the terms of use. A preview is available in the right pane.

If you want a little more control over access and want to allow tracking but don't want the overhead of additional staff to manage user accounts, you can use a self-registration portal. Users first need to register in compliance with the attributes required by the administrator, such as first and last name, email address, or mobile phone number.

If you prefer to keep full control, you can make use of a "sponsor portal," which means that guests are issued vouchers by internal staff. Guests need the generated credentials on the vouchers to be able to log in with a username and password on the authentication page provided by ISE for access to the guest network. Internal users are routed to a separate web-based portal where they can authenticate (e.g., with the internal Active Directory) and be authorized as a function of their group memberships.

In addition to the guest portals, however, you can implement onboarding of other terminal devices through a portal that pushes WLAN profiles or certificates to the devices. Another option is a blacklist portal, to which users of blocked devices are redirected. A notice about the blocking is then displayed by the portal. All portals can be adapted to match the corporate design with an integrated WYSIWYG editor.

Configuration, Logging, Reporting

The web graphical user interface (GUI) is primarily used as the configuration interface in everyday practice and involves no dedicated administration software. The initial configuration takes place at the command line, where parameters like the IP address or network time protocol server are stored. An SSH-based CLI is also present that can be used to query service status, troubleshooting, backups, or updates. The structure is based on routers and switches, so you have an EXEC mode and a configuration mode. Additionally, various APIs connect to your management systems or integrate scripts. If, for example, you want to assign client groups automatically or read, create, change, or delete network components, you can use the external RESTful services (ERS) API.

Logging is a central component of any NAC solution, and ISE initially offers comprehensive retrospective reporting for this purpose. Reports can also be exported regularly. Admins can evaluate RADIUS and TACACS reports at various levels of detail with filters for certain network components, the authentication status, or individual hosts by specifying certain time intervals. Guest data evaluations are also no problem.

ISE also offers live reporting to gather information about current authentications and authorizations at short intervals (Figure 4). This feature has proven to be very useful in practice, and the statistics provide a good starting point in the event of mis-authentication. An overview of live sessions can be used to terminate or re-authenticate sessions.

Figure 4: The masked MAC addresses, usernames, and IP addresses are visible in four live sessions in the display and can be terminated or re-authenticated there.

Cisco developed its TrustSec technology to apply appropriate policies consistently for authorized and prohibited communication relationships throughout the network on the basis of access controls and without a dependency on the IP address. This proprietary process uses what are known as security group tags to control authorizations on this basis. This abstraction makes it possible to control clearly who is allowed to communicate with whom according to a communication matrix, with groups such as Development, Finance, or HR. However, this means having TrustSec support on the components involved, such as the switches, routers, and firewalls.

Troubleshooting, Backup, and Patching

One decisive strength of the ISE is its wide range of troubleshooting options. The first thing to mention here is the clear-cut live log, which gives you a great overview very quickly, thanks to filters per column. This option is available for both RADIUS and, if the appropriate license is in place, TACACS+. If you want to perform analysis at the package level, you can create a TCP Dump with corresponding filters from the Cisco ISE dashboard; also, a configuration validation tool for the active network component and endpoint debugging is available. On the standard dashboard, indicators for more serious alerts are directly visible, such as high authentication latency, unknown active network components, or replication problems.

On-going and configuration backups can be scheduled (daily, weekly, monthly) or pushed to external targets as needed. Note that the backup does not include certificates. Any backup of the certificates must be dedicated. Backup targets can be network file sharing (NFS) or Secure File Transfer Protocol (SFTP) servers.

On the basis of menu and data access permissions, there can be a rights and roles model for managing the server itself. The menu permissions support showing and hiding complete menus and submenus, which allows first-level support to have a view filtered to pertinent and required data. Data access permissions grant control over individual elements, such as end device groups or specific user groups.

In current versions of ISE, patches and updates can be made both on the command line and from the web-based GUI. The ability to roll back patches is interesting if problems occur. However, access to patches and updates means subscribing to the vendor's support service.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=