ISE Identity Service Engine

Transcription

1 CVP ISE Identity Service Engine Cisco Validated Profile (CVP) Series 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10

2 Contents 1. Profile introduction Deployment profile Topology diagram Hardware profile Test environment Use case scenarios Test methodology Use cases System upgrade Access control Security compliance Endpoint segmentation and device administration Operation Context and visibility System resiliency and robustness Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 10

3 1. Profile introduction The Cisco Identity Services Engine (ISE) is a distributed identity and security policy management platform that Gathers, controls, and tracks enterprise users and devices to connect networks and access network applications based on rich and advanced criteria, such as user types, roles, and authentication methods; discovered devices, types, and locations; device compliance level and mitigation path; and vulnerability scores Provides network access control policies and device administration control to network policy enforcers such as access switches, Wireless LAN Controllers (WLCs) and VPN gateways Shares real-time contextual information with advanced security systems such as Next-Generation Firewalls (NGFW), StealthWatch, and Cisco Web Security Appliance (WSA) This document focuses on the validation of generic profiles of ISE deployments in the enterprise market segment. Following are some of the key considerations for validating ISE deployment profiles: Table 1. Profile areas Upgrade Profile feature summary Features and use cases Upgrade from previous releases and patches with customer configurations and databases, upgrade for different deployment sizes, backup and restore Access control Compliance Segmentation Operation Visibility System resiliency Dot1x, MAB, VPN, ACL, profiling, external identity stores, certificates, device onboarding and provisioning, Bring-Your-Own-Device (BYOD), Guest, Easy Connect, user-roaming, endpoint session reevaluation, Threat-Centric Network Access Control (NAC) Posture, Mobile Device Management (MDM) TrustSec classification, propagation, policy distribution, network-device administration, Cisco DNA Center integration License, certificates, logging, feed updates, purging, network settings, disk management, diagnostic tools, reports Context, endpoint visibility Failover of ISE nodes, failure of network-services reachability, failure of network connections, negative and bulk transactions 2. Deployment profile 2.1. Topology diagram Figure 1 shows the topology that is used for validating the generic ISE deployment profile. Disclaimer: The network devices and ISE platforms and their respective network connections shown in the topology are mainly to facilitate this profile validation, and the actual deployment could vary based on specific customer requirements. The Compatibility Matrix at and will provide the complete and latest view of the supported platforms and software versions from Cisco and third parties, and the endpoint devices. Based on research, customer feedback, and configuration samples, this profile is designed with a deployment topology that is generic and can easily be modified to fit any specific deployment scenario. More specifically, multiple ISE PAN and MnT nodes are deployed across two data centers while others are deployed at multiple sites. The campus site has typical 3-tier networks (access, distribution, and core) Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 10

4 Figure 1. Distributed ISE deployment 2.2. Hardware profile Table 2 defines the set of relevant hardware, servers (including Cisco Secure Network Servers (SNS) for ISE, test equipment, and endpoints shown in Figure 1 that are used to complete the end-to-end deployment. The ISE deployments in our testbeds have 6 to 20 ISE appliances, including both virtual-machine-based and hardware appliances. Table 2. Hardware profile Devices Software versions Description SNS-3595-K9 ISE 2.4 ISE Primary Administration Node (HW, VM) SNS-3595-K9 ISE 2.4 ISE Secondary Administration node (HW, VM) SNS-3595-K9 ISE 2.4 ISE Primary Monitoring Node (HW, VM) SNS-3595-K9 ISE 2.4 ISE Secondary Monitoring Node (HW, VM) SNS-3515-K9 ISE 2.4 ISE Active Cisco pxgrid Node (HW, VM) SNS-3515-K9 ISE 2.4 ISE Standby pxgrid Node (HW, VM) F5 Load Balancer Load balancer from F5 Cisco Catalyst C2960-CX 15.2(2)E8 Access switch Cisco Catalyst C3750-X 15.0(2)SE5 Access switch Cisco Catalyst C3850-XS 3.6.8, b & Access switch 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 10

5 Devices Software versions Description Cisco C ES & a Access switch Cisco 8540 Wireless LAN Controller, Cisco Virtual Wireless LAN Controller (vwlc) 8.5, 8.7 Wireless LAN controllers Cisco Nexus (3)D1(1) Cisco Nexus 7700 core switch with M3 linecards for TrustSec Cisco ASR / Cisco ISR , Border routers for TrustSec solution Cisco AP Access points Cisco ASA 5500-X VPN access Cisco Firepower Management Center / Firepower Threat Defense Next-Generation Firewall (NGF) in data center Cisco IND Cisco Industrial Network Director Cisco WSA Cisco Web Security Appliance in data center Cisco DNA Center 1.1, 1.2 Cisco Digital Network Architecture (Cisco DNA) automation application Cloud services: security Cloud services: management Virtual machines Servers Endpoints Android: 6.0 ios: 7 MacBook Pro: 10.x For threat detection: Cisco Cognitive Threat Analytics (CTA), Qualys Mobile Device Management (MDM): Meraki, MobileIron Hosted on Cisco UCS ESXi for DNS server, DHCP servers, Active Directory Domain Controllers, SQL servers, Oracle Database, PostgreSQL, Sybase, MySQL, RSA, SecureAuth, PingFederate server, Oracle Access Manager, Oracle Identity Federation, Syslog servers, StealthWatch, Win2016 Active Directory IP phones, mobile phones, laptops, printers Virtual machines Clients Win10 and CentOS( ) Endpoint and transaction simulators to generate load 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 10

6 2.3 Test environment Table 3 lists the scale for each respective use case in this profile. Disclaimer: The table below captures a sample set of scale values used in one of the use cases in a 6-node deployment. Please refer to the appropriate Cisco documentation / Datasheets ( for comprehensive scale and performance data for the supported deployment size. Table 3. Use-case scales exampled in this profile Use cases Wired dot1x and MAB (MAC Authentication Bypass) Wireless dot1x and MAB BYOD Guest self-registration Guest sponsored Posture Endpoint profiling DHCP Endpoint profiling DNS Endpoint profiling SNMP TRAP Endpoint profiling HTTP Endpoint profiling RADIUS Scale 20,000 endpoints 10,000 endpoints 10,000 endpoints 10,000 endpoints 10,000 endpoints 5000 endpoints 2000 endpoints 2000 endpoints 2000 endpoints 3000 endpoints 3000 endpoints 3. Use case scenarios 3.1. Test methodology The use cases listed in Table 4, below, are executed using the topology defined in Figure 1 with the test environment shown in Table 3. To validate a new release, the test topology is upgraded with the new software images and the existing configuration that comprises the use cases, authentication and authorization policies, and relevant traffic profiles. The addition of new use cases acquired from the field or from customer deployments will be added on top of the existing configuration. During each use-case execution, deployment would be monitored closely across the devices for any relevant system events, errors, alarms, notifications, and endpoint visibility. With respect to the longevity for this profile setup, the following would be monitored during the validation phase: CPU and memory, disk usage, endpoint purging, expired certificates, backup tasks, scheduled reports, regular feed updates, and license usage. Furthermore, to test the robustness of the software release and platform under test, typical networks and service transaction events would be triggered during the use-case execution process Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 10

7 3.2. Use cases Table 4 describes the use cases that were executed for this profile. These use cases are divided into buckets of technology areas so that the complete coverage of the deployment scenarios can be seen. Use cases continuously evolve based on feedback from the field. These technology buckets are composed of System upgrade, Access control (of end-to-end flows), Security compliance, Endpoint segmentation and device administration, Operation (including administration), Context and visibility, and System resiliency and robustness. Table 4. List of use cases No. Focus area Use cases System upgrade 1 Installation and upgrade Network administrator should be able to perform: URT: Upgrade Readiness Tool Upgrade system and upgrade paths from previous releases and patches with customer configurations and databases to current releases Upgrade for different deployment sizes Add and remove nodes Backup and restore FIPS mode Access control 2 Dot1x and MAB flows: wired and wireless Corporate users and endpoints network access control: dot1x, MAB, ACL, IPv4 and IPv6 Multiple external identity stores (AD forest, LDAP, ODBC, internal users) Endpoints: IP phones, Windows (and domain login), MacOS, shared access port, multi-interfaces Authentication methods: certificates, PEAP MS-CHAP2, PEAP-GTC, EAP-TLS, EAP-TTLS, EAP- FAST, EAP chaining, MAR, RADIUS proxy, RADIUS over IPSEC, two shared secrets with NAD, external load balancer and load balancing on NAD For wired ports, single-host, multi-host, multi-auth and multi-domains Endpoint profiling: DNS, DHCP, HTTP, SNMP, TRAP, RADIUS, AD, NMAP CoA: RADIUS, SNMP ANC IPv4 and IPv6 endpoints, IPv4 and IPv6 RADIUS communication Roaming: for wired, different ports, for wireless, different AP / WLC/flex-connect that go to different or same PSN group, location-based authorizations, endpoint disconnect, endpoint sleep 3 BYOD flows End users bring their own devices to the corporate network: Multiple external identity stores, SSO with SAML ID providers ios, Android, and Windows devices Single SSID and dual SSID, internal and external CA chains for portals, multiple wireless profiles, move between wired and wireless connections Device registration (including out-of-band registration) and onboarding and profiling, client provisioning, wireless BYOD flows, endpoint visibility Device roaming, device missing and blacklisting, EAP-TLS certificate expiration and renewal 4 Guest flows Network admin needs to provide temporary network access to guest users: Identity stores: internal, external AD, ODBC, social login, Kerberos SSO for sponsor portals Guest device onboarding and endpoint visibility: Windows, MacOS, Android devices Guest hotspot (with access code), self-registration, sponsored guest flows, portal certificates, SMS / notification Guest BYOD, single sign-on with SAML ID providers Device roaming, guest account expiration and time restriction, Max guest devices Guest endpoint visibility, profiling, and purging 5 VPN access Cisco AnyConnect VPN access: Internal and external CA, active directory as identity store VPN session on BYOD devices 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 7 of 10

8 No. Focus area Use cases 6 Easy Connect Easy Connect for Windows domain users: Security compliance MAB Session on / off Windows Domain login / logoff 7 Posture flows End user devices need to be compliant with corporate security policy to be granted full access: 8 Mobile-device compliance Define posture conditions based on application, file conditions, disk encryption, malware presence, USB condition, anti-malware, firewall settings E2E posture flows and respective posture agents: dot1x, VPN sessions, guest flows, BYOD flows Endpoint posture changes and remediation: online and offline Posture periodic reassessment and graceful period for noncompliant devices Posture reports Define mobile-device compliance policies from multiple MDM vendors: PIN lock, OS Versions, etc. Guest flow with BYOD and MDM MDM for BYOD flows, VPN flows 9 Cisco Threat Centric Network Access Control Dynamic access control, based on Threat CVSS score and threat- detected events from multiple threat detection services for dot1x, MAB, guest, BYOD, posture, and VPN flows Endpoint session and CVSS score reevaluation, disabling, deletion Adaptive network access control, quarantine, Cisco Rapid Threat Containment (RTC) Endpoint segmentation and device administration 10 Device administration TACACS+ based admin authentication along with AD and LDAP (IPv4 and IPv6 for TACACS communications) 11 Cisco DNA Center integration TrustSec Segmentation environment data Integration with Cisco DNA Center automation: Trust between Cisco DNA Center and distributed ISE deployment (certificate-based), NAD discovery, AAA configuration on NAD, SG policies and policy change from Cisco DNA Center into ISE Complete end-to-end policy enforcement tested by Cisco DNA Center automation solution 12 TrustSec TrustSec classification for dot1x, MAB, guest flows, BYOD flows, Posture flows, and VPN flows Operation Propagation: SXP, SSH for both IPv4 and IPv6 SGT mappings Policy distribution: SGACL downloads to network devices and verification Integration with NGFW FMC/FTD for SGT-based NGFW rules and enforcement Integration with ACI to map between EPG and SGT 13 Administration and operation With the deployment under the load with dot1x, MAB, guest, BYOD, and Posture flows: Validate legacy and Cisco Smart license counts and move between them Certificates, feed updates, diagnostic tools Logging, purging, disk management Network settings: firewall between ISE nodes, WAN links between ISE nodes, ISE node NIC teaming, ISE node NIC IPv4 and IPv6 settings Reports Context and visibility 14 Contextual information ISE shares contextual information about endpoints and user sessions (via pxgrid v1 and v2) with external products for dot1x, MAB, guest, BYOD, Posture flows, and VPN flows: Integration with FMC/FTD and passive identity for user identity based NGFW enforcement Integration with StealthWatch for mapping application flows to user identities and SG groups Integration with WSA Endpoint quarantine and scan 15 IND integration Integration with Cisco Industrial Network Director: Endpoint discovery and profiling based on information provided by IND Downloading of endpoints in bulk from IND Purging of endpoints Visibility of newly profiled endpoints 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 8 of 10

9 No. Focus area Use cases System resiliency and robustness 16 Failure triggers Verify system level resiliency under the load with the following events for existing dot1x, MAB, guest, BYOD, Posture flows: 17 Configuration change triggers 18 Bulk/duplicate transactions Connectivity Failures between switching ports and ISE node interfaces; NIC bonding Link for endpoint access flaps Link between NAD and ISE flaps Links within distributed ISE deployment flaps: within PSN groups, between PSN and MnT, between PAN and PSN, between PAN and MnT, between primary and secondary PAN, between pxgrid and other nodes, between load balancer and PSN, etc. Network access devices reboot Power outages Fuzzing traffic Latency Node failures: PAN, MnT, PSN (within a group and across groups), pxgrid nodes and SXP failovers External services failures and flaps (for example, Syslog server down, AD down, DNS down, SMTP server down, SMS server down, NTP server unreachable, MDM unreachable, SXP peers unreachable) Failovers of external components: LDAP failover, AD domain controller failovers. Configuration changes impact on end-to-end flows and portals, pxgrid, ISE nodes inter-communication, EAP-TLS: External devices (such as MDM servers, OCSP responders, NAD with DTLS, etc.): expired certificates, including deletion and replacement Policy changes: for example, stricter compliance requirements or certificate attributes based authorization Certificate chains: broken chains, wild card certificates, renewal Network change: the firewall blocks certain ports that are used for ISE nodes inter-communication, WAN bandwidth is throttled between ISE nodes Delay between NAD and ISE PSN that forces NAD retransmissions Delay between PSN and identity stores Not enough license counts to serve all flows Verify that the system holds good and recovers to working condition after the following events are triggered: Duplicates certificates, key size, bulk certificates, bulk-certificate revocation list download, bulk OCSP requests Duplicate and bulk RADIUS (without DTLS) packets, etc. TrustSec SG policy changes Bulk SNMP queries NMAP scanning AD probe scanning Bulk Syslog messages to MnT node Bulk IP-SGT mappings from and to SXP peers 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 9 of 10

10 ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, DESIGNS ) IN THIS MANUAL ARE PRESENTED AS IS, WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO. Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Printed in USA C / Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 10 of 10