Cisco Day Hotel Mons Wednesday


Cisco Day 2016 20.4.2016 Hotel Mons Wednesday

Why is Identity so important? Identity Services Engine update. György Ács, IT Security Consulting Systems Engineer, ISE Champion, 20 April 2016

Agenda: Best Practices, Tips and Tricks on these selected topics:
- Hardware, infrastructure review
- Authentication and Authorization Policies
- Certificates
- Guest, Profiling, Posture
- pxGrid, Fire & ISE
- TACACS+
- REST API

Hardware, infrastructure review

Scaling by Deployment/Platform/Persona: Determining Minimum Appliance Quantity and Platform Type

Persona deployment: All personas running on single or redundant nodes
  Max nodes by type: 2 Admin+MnT+PSN nodes
  Max endpoints for entire deployment: 5k with SNS-3415; 7.5k with SNS-3515; 10k with SNS-3495; 20k with SNS-3595

Persona deployment: Administration and Monitoring colocated on single or redundant nodes, dedicated Policy Service nodes
  Max nodes by type: 2 Admin+MnT nodes, 5 Policy Service nodes
  Max endpoints for entire deployment: 5k with SNS-3415 PAN+MnT; 7.5k with SNS-3515 PAN+MnT; 10k with SNS-3495 PAN+MnT; 20k with SNS-3595 PAN+MnT

Persona deployment: Dedicated Administration node(s), dedicated Monitoring node(s), dedicated Policy Service nodes
  Max nodes by type: 2 Admin nodes, 2 MnT nodes, 40 Policy Service nodes (3495s) or 50 Policy Service nodes (3595s)
  Max endpoints for entire deployment: 250k with SNS-3495 for PAN and MnT; 500k with SNS-3595 for PAN and MnT

Note: Max Endpoints = Max Active Sessions; ISE supports 1M endpoints in the database.

Policy Service Node Sizing: Physical and Virtual Appliance Guidance. Max endpoints per appliance for a dedicated PSN:

  Form factor   Platform size   Appliance    Maximum endpoints
  Physical      Small           SNS-3415     5,000
  Physical      Large           SNS-3495     20,000
  Physical      Small (New)     SNS-3515 *   7,500
  Physical      Large (New)     SNS-3595 *   40,000
  Virtual       S/L             VM *         5,000-40,000

* Under ISE 2.0.x, scaling for the Small & Large 35x5 appliances is the same as for the Small & Large 34x5 appliances.

General VM appliance sizing guidance:
1) Select the physical appliance that meets the required persona and scaling requirements.
2) Configure the VM to match or exceed the ISE physical appliance specifications.

ISE VM Provisioning & Disk IO Guidance
- VMotion officially supported in ISE 1.2
- Thin Provisioning officially supported in ISE 1.3 (recommend Thick Provisioning for MnT)
- Hyper-Threading not required, but can increase TPS
- IO performance requirements: Read 300+ MB/sec, Write 50+ MB/sec
- Recommended disk/controller: 10k RPM+ disk drives, caching RAID controller, RAID mirroring (slower writes using RAID 5*)
- Starting in ISE 1.3: no more storage media and file system restrictions. For example, VMFS is not required and NFS is allowed, provided the storage is supported by VMware and meets the ISE IO performance requirements.
- Customers with VMware expertise may choose to disable resource reservations and over-subscribe, but do so at their own risk.
* RAID performance levels: http://www.datarecovery.net/articles/raid-level-comparison.html and http://docs.oracle.com/cd/e19658-01/820-4708-13/appendixa.html

ISE Bandwidth Calculator (Multi-Site). Note: the bandwidth required for RADIUS traffic is not included; the calculator is focused on inter-ISE-node bandwidth requirements. Now available to customers at https://communities.cisco.com/docs/doc-64317

Location Based Authorization: Authorize User Access to the Network Based on Their Location. UI to configure MSE (MSE 8.0, ISE 2.0). Location data is expressed as Campus:Building:Floor:Zone.

Tracking Location in Authorization Policy: Limit Location Tracking to Critical Locations and Resource Access
- Track movement of the endpoint after authentication using the MAC address
- Query MSE every 5 minutes to verify the current location. If no change, do nothing. If changed, update the endpoint info and issue CoA.
- Best Practice: Do NOT track every session! Limit tracking to critical access based on location. Excessive tracking can lead to lookup failures (max 150 TPS).

Authentication, Authorization Policies Optimization

Search Speed Test: find the object where Total stars = 10, Total green stars = 4, Total red stars = 2, Outer shape = Red Circle

AuthZ Policy Optimization: Avoid Unnecessary External Store Lookups
Policy logic:
- First match, top down
- Skip rule on first negative condition match
- More specific rules generally at the top
- Try to place more popular rules before less used rules
Example of a poor rule: Employee_MDM, where all lookups to external policy and ID stores are performed first, and only then the local profile match!

AuthZ Policy Optimization (Good Examples). Rule sequence and condition order is important!
Example #1: Employee
1. Endpoint ID Group
2. Authenticated using AD?
3. Auth method/protocol
4. AD Group Lookup
Example #2: Employee_CWA
1. Location (Network Device Group)
2. Web Authenticated?
3. Authenticated via LDAP Store?
4. LDAP Attribute Comparison
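To make the ordering rule concrete, here is an added Python model (not code from the slides or from ISE) of first-match, top-down evaluation in which a rule is abandoned at its first failing condition. The sessions, the rule definitions and the split into "local" versus "external" (AD/MDM) conditions are constructed for the example; it counts how many external lookups the poor Employee_MDM ordering costs compared with the reordered rule that checks the endpoint ID group and ID store first.

```python
"""
Model of ISE-style authorization rule evaluation: first match, top down,
each rule's conditions checked left to right, the rule skipped at the first
condition that fails. Sessions, rules and lookup kinds are constructed; the
point is that condition order decides how many external AD/MDM lookups run
for sessions the rule will never match.
"""
from collections import Counter

# A condition is (lookup kind, predicate). "local" conditions use data ISE
# already holds (endpoint group, ID store used); the others model a round
# trip to AD or an MDM server and are counted when they run.
def endpoint_group_is(group):
    return ("local", lambda s: s["endpoint_group"] == group)

def authenticated_via(store):
    return ("local", lambda s: s["id_store"] == store)

def ad_group_lookup(group):
    return ("external:AD", lambda s: group in s["ad_groups"])

def mdm_registered():
    return ("external:MDM", lambda s: s["mdm_registered"])

def evaluate(rules, session, counter):
    """Return the first rule whose conditions all pass, else 'Default'."""
    for name, conditions in rules:
        matched = True
        for kind, check in conditions:
            if kind != "local":
                counter[kind] += 1          # an external lookup happened
            if not check(session):
                matched = False
                break                       # skip rule on first negative condition
        if matched:
            return name
    return "Default"

def run(rules, sessions):
    """Evaluate every session; return (results, external lookups by kind)."""
    counter = Counter()
    results = [evaluate(rules, s, counter) for s in sessions]
    return results, counter

# "Poor" rule from the slide: external stores are consulted before the
# local profile match, so every guest session costs an MDM round trip.
POOR_RULES = [
    ("Employee_MDM", [mdm_registered(), ad_group_lookup("Employees"),
                      endpoint_group_is("Corporate")]),
]

# Reordered along the lines of the "good" example: cheap local checks first,
# so non-corporate sessions are dropped before any external store is touched.
GOOD_RULES = [
    ("Employee_MDM", [endpoint_group_is("Corporate"), authenticated_via("AD"),
                      ad_group_lookup("Employees"), mdm_registered()]),
]

# Constructed sessions: 3 corporate laptops, 7 guest devices.
CORP = {"endpoint_group": "Corporate", "id_store": "AD",
        "ad_groups": {"Employees"}, "mdm_registered": True}
GUEST = {"endpoint_group": "GuestEndpoints", "id_store": "Internal",
         "ad_groups": set(), "mdm_registered": False}
SESSIONS = [dict(CORP) for _ in range(3)] + [dict(GUEST) for _ in range(7)]

if __name__ == "__main__":
    for label, rules in (("poor", POOR_RULES), ("good", GOOD_RULES)):
        results, cost = run(rules, SESSIONS)
        print(label, results.count("Employee_MDM"), "matches;", dict(cost))
```

Both orderings produce the same authorization result for every session; the poor ordering simply pays ten MDM lookups where the reordered rule pays three, which is the whole argument for putting local conditions first.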

AD Integration Best Practices (from 1.3)
- DNS servers used by ISE nodes must have all relevant AD records (A, PTR, SRV)
- Ensure NTP is configured for all ISE nodes and AD servers
- Configure AD Sites and Services (with ISE machine accounts configured for the relevant Sites)
- Configure Authentication Domains (whitelist the domains used) (ISE 1.3)
- Use UPN/fully qualified usernames when possible to expedite user lookups
- Use AD indexed attributes* when possible to expedite attribute lookups
- Run Diagnostics from the ISE Admin interface to check for issues
* Microsoft AD Indexed Attributes: http://msdn.microsoft.com/en-us/library/ms675095%28v=vs.85%29.aspx and http://technet.microsoft.com/en-gb/library/aa995762%28v=exchg.65%29.aspx

Authorization Policies Pro Tip: Combining AND & OR

Combining AND with OR in AuthZ Policies Cannot Mix??

Combining AND with OR in AuthZ Policies Advanced Editing Advanced Editor

Combining AND with OR in AuthZ Policies Advanced Editing Simple Conditions

Certificates

Pro Tip: Always Add the Root & Sub CAs. Import all certificates in the trust path, one at a time: Root CA, Subordinate CA, Subordinate CA, ISE cert. If you must use a PKCS chain, it needs to be in PEM format (not DER).
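As an added helper for this tip (my own code, not from the slides or from ISE), the script below takes a chain file, detects whether it is PEM or a single DER certificate, and splits it into individual PEM certificates ready to be imported one at a time. It deliberately does no X.509 parsing, so it runs with the standard library only; the assumption is that a DER file holds exactly one certificate and that a PEM bundle may hold several.

```python
"""
Split a certificate chain into individual PEM certificates for one-at-a-time
import. PEM bundles are split on their BEGIN/END markers; a bare DER file is
treated as a single certificate and re-encoded as PEM. No X.509 fields are
inspected, so ordering root -> sub CA -> leaf is still the operator's job.
"""
import base64
import re
import sys
import textwrap

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (64-column base64)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def split_chain(data: bytes) -> list:
    """Return the certificates in `data` as a list of PEM strings."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        # Normalise each PEM block (strip stray whitespace, re-wrap).
        return [to_pem(base64.b64decode(b"".join(b.split()))) for b in blocks]
    if data[:1] == b"\x30":
        # DER SEQUENCE tag: assume a single binary certificate.
        return [to_pem(data)]
    raise ValueError("input is neither a PEM bundle nor a DER certificate")

def chain_report(data: bytes) -> str:
    """Human-readable summary: how many certs and in which input format."""
    fmt = "PEM" if PEM_BLOCK.search(data) else "DER"
    return f"{fmt} input, {len(split_chain(data))} certificate(s) to import"

if __name__ == "__main__":
    # Usage: python split_chain.py chain.pem  -> writes cert-1.pem, cert-2.pem, ...
    raw = open(sys.argv[1], "rb").read()
    print(chain_report(raw))
    for i, pem in enumerate(split_chain(raw), start=1):
        with open(f"cert-{i}.pem", "w") as out:
            out.write(pem)
```

Run it against the chain you were handed before opening the ISE trust store: if it reports DER, convert first; if it reports more certificates than you expected, the bundle probably already contains the leaf, which belongs under System Certificates, not in the trusted CA list.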

Simple URL for My Devices & Sponsor Portals. In 1.3+, the Sponsor Portal and My Devices Portal must be accessed via a user-friendly URL and a selectable port. Ex: http://mydevices.company.com, with automatic redirect to https://fqdn:port. The FQDN for the URL must be added to DNS and resolve to the Policy Service node(s) used for Guest Services. Recommend populating the Subject Alternative Name (SAN) field of the PSN local cert with this alternative FQDN, or a wildcard, to avoid SSL cert warnings due to name mismatch.

ISE Certificate without SAN: Certificate Warning, Name Mismatch. The sponsor browses to http://sponsor.company.com; the DNS lookup for sponsor.company.com returns 10.1.99.5 (the Load Balancer, drawn as 100.1.99.5 in front of ISE-PSN-1 100.1.100.5, ISE-PSN-2 100.1.100.6 and ISE-PSN-3 100.1.100.7), and the request is redirected to https://sponsor.company.com:8443/sponsorportal. Name mismatch! Requested URL = sponsor.company.com, certificate subject = ise-psn-3.company.com.

ISE Certificate with SAN: No Certificate Warning. Same flow: the sponsor browses to http://sponsor.company.com, DNS returns 10.1.99.5 (the Load Balancer, drawn as 100.1.99.5 in front of ISE-PSN-1 100.1.100.5, ISE-PSN-2 100.1.100.6 and ISE-PSN-3 100.1.100.7), and the request is redirected to https://sponsor.company.com:8443/sponsorportal. Certificate OK! Requested URL = sponsor.company.com, certificate SAN = sponsor.company.com.

ISE Certificate with SAN: the CN must also exist in the SAN; other FQDNs go in as DNS Names; an IP address is also an option.

Traditional Wildcard Certificates. Wildcard certificates are used to identify any secure web site that is part of the domain. E.g. *.woland.com works for www.woland.com, mydevices.woland.com, sponsor.woland.com, AnyThingIWant.woland.com, but not for psn.[ise].woland.com: the wildcard's position in the FQDN is fixed and covers a single label.

Wildcard Certificates: Why use them with ISE? Use of all portals & friendly URLs without certificate match errors. Most importantly: the ability to host the exact same certificate on all ISE PSNs for EAP authentications. Why, you ask?...

Clients Misbehave! Example education customer: ONLY 6,000 endpoints (all BYOD style); 10M auths / 9M failures in 24 hours! 42 different failure scenarios, all related to clients dropping TLS (both PEAP & EAP-TLS). Supplicant list: Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N.
Error 5411 "No response received during 120 seconds on last EAP message sent to the client": this error has been seen at a number of Escalation customers and is typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.

Recreating the Issue

Clients Misbehave: Apple Example. Multiple PSNs (ISE-1 = ise1.ise.local, ISE-2 = ise2.ise.local), each cert signed by a trusted root Cert Authority. Apple requires Accept on all certs! Results in 5411 / 30sec retry. Apple iOS & MacOS WiFi Profile, one SSID, one NAD:
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client roams
5. Authentication goes to ISE-2
6. Client prompts for Accept

Solution: Common Cert, Wildcard in SAN. Allows anything ending with the domain name. The same EXACT private/public key pair may be installed on all PSNs.

Coining a New Term

Solution: Common Cert, Wildcard in SAN. One cert from the Cert Authority with CN = psn.ise.local and a SAN containing all PSN FQDNs plus psn.ise.local and *.ise.local, installed on both ISE-1 and ISE-2 as psn.ise.local.
Tested and works with: comodo.com CA, SSL.com CA, Microsoft 2008 CA. Failed with: GoDaddy CA -- they don't like * in the SAN, and they don't like a non-* in the CN.
Apple iOS & MacOS WiFi Profile, one SSID, one NAD, cert already trusted:
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client roams
5. Authentication goes to ISE-2
6. Client already trusts cert
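The four certificate scenarios above (the name-mismatch warning without a SAN, the clean match with a SAN, the fixed-position wildcard, and the common PSN cert with every PSN FQDN plus a wildcard in its SAN) all come down to one matching rule. The Python below is an added example, not code from the slides, from ISE or from any browser; certificate identities are constructed dicts rather than parsed X.509, and the matching rule it implements (SAN entries only when a SAN is present, a wildcard standing for exactly one leftmost label) is the one the slides rely on.

```python
"""
Hostname-to-certificate matching as the slides describe it: a name is
accepted only if it appears in the SAN (the CN alone no longer counts once
a SAN is present), and a wildcard stands for exactly one label at the left.
Certificates here are constructed dicts so the example needs no crypto lib.
"""

def name_matches(pattern, hostname):
    """Match one DNS SAN entry (exact or leftmost-label wildcard) to a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # *.woland.com covers www.woland.com but neither psn.ise.woland.com nor
    # woland.com itself: the wildcard replaces exactly one label.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_matches(cert, hostname):
    """True when a client will accept `cert` for `hostname`.

    cert = {"cn": ..., "san": [dNSName, ...]}. When a SAN is present only its
    entries are consulted, which is why the CN must also be listed in the SAN.
    """
    names = cert.get("san") or [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)

def sponsor_portal_warning(cert, url_host="sponsor.company.com"):
    """Warning text a sponsor would see, or None when the certificate is fine."""
    if cert_matches(cert, url_host):
        return None
    return f"Name mismatch: requested {url_host}, certificate subject {cert['cn']}"

# Constructed certificates mirroring the slides' scenarios.
PSN3_NO_SAN = {"cn": "ise-psn-3.company.com", "san": []}
PSN3_WITH_SAN = {"cn": "ise-psn-3.company.com",
                 "san": ["ise-psn-3.company.com", "sponsor.company.com",
                         "mydevices.company.com"]}
WILDCARD_ONLY = {"cn": "*.woland.com", "san": ["*.woland.com"]}
COMMON_PSN_CERT = {"cn": "psn.ise.local",
                   "san": ["psn.ise.local", "ise1.ise.local", "ise2.ise.local",
                           "*.ise.local"]}

if __name__ == "__main__":
    for label, cert in (("without SAN", PSN3_NO_SAN), ("with SAN", PSN3_WITH_SAN)):
        print(label, "->", sponsor_portal_warning(cert) or "Certificate OK")
    for host in ("www.woland.com", "psn.ise.woland.com", "woland.com"):
        print(host, "matches *.woland.com:", cert_matches(WILDCARD_ONLY, host))
    print("roaming client sees ise2.ise.local:",
          cert_matches(COMMON_PSN_CERT, "ise2.ise.local"))
```

Run the same checks against your own PSN certificates before a roll-out: every friendly portal URL and every PSN FQDN a supplicant might be sent to should return True, and the CN should be one of the SAN entries rather than relied on by itself.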

Scaling Guest

Scaling Web Authentication: Remember Me Guest Flows
- Device/user logs in to a hotspot or credentialed portal
- MAC address is automatically registered into the GuestEndpoint group
- Prior to ISE 1.3, CWA+DRW or NSP could be chained to auto-register web auth users, but with no auto-purge
- Authz policy for the GuestEndpoint ID Group grants access until the device is purged

Endpoint Purging Examples. Matching conditions, purge by: # days after creation, # days inactive, specified date. On-demand purge is also available.
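The purge conditions above are what actually bounds the lifetime of a "Remember Me" guest device. The Python below is an added example (not ISE's purge engine and not code from the slides) that evaluates the three rule types from the slide over constructed endpoint records; the group names, dates and MAC addresses are all placeholders.

```python
"""
Endpoint purge rule evaluation: a device keeps matching the GuestEndpoint
authorization rule until a purge rule removes it from its identity group.
The three conditions modelled are the ones on the slide (days after
creation, days inactive, specified date). Endpoints and rules are constructed.
"""
from datetime import date

def endpoint_due_for_purge(endpoint, rule, today):
    """True when the endpoint is in the rule's group and the condition is met."""
    if endpoint["group"] != rule["group"]:
        return False
    kind = rule["purge_by"]
    if kind == "days_after_creation":
        return (today - endpoint["created"]).days >= rule["days"]
    if kind == "days_inactive":
        return (today - endpoint["last_seen"]).days >= rule["days"]
    if kind == "specified_date":
        return today >= rule["date"]
    raise ValueError(f"unknown purge condition: {kind}")

def select_for_purge(endpoints, rules, today):
    """MAC addresses that at least one rule marks for purge, sorted."""
    return sorted(ep["mac"] for ep in endpoints
                  if any(endpoint_due_for_purge(ep, r, today) for r in rules))

# Constructed purge rules: guests go 30 days after registration, registered
# BYOD devices after 90 days without a session, lab devices on a fixed date.
RULES = [
    {"group": "GuestEndpoints", "purge_by": "days_after_creation", "days": 30},
    {"group": "RegisteredDevices", "purge_by": "days_inactive", "days": 90},
    {"group": "LabDevices", "purge_by": "specified_date", "date": date(2016, 5, 1)},
]

# Constructed endpoint records (placeholder MACs).
ENDPOINTS = [
    {"mac": "00:11:22:33:44:01", "group": "GuestEndpoints",
     "created": date(2016, 3, 1), "last_seen": date(2016, 4, 19)},
    {"mac": "00:11:22:33:44:02", "group": "GuestEndpoints",
     "created": date(2016, 4, 10), "last_seen": date(2016, 4, 19)},
    {"mac": "00:11:22:33:44:03", "group": "RegisteredDevices",
     "created": date(2015, 6, 1), "last_seen": date(2016, 1, 1)},
    {"mac": "00:11:22:33:44:04", "group": "RegisteredDevices",
     "created": date(2015, 6, 1), "last_seen": date(2016, 4, 1)},
    {"mac": "00:11:22:33:44:05", "group": "LabDevices",
     "created": date(2016, 1, 1), "last_seen": date(2016, 4, 19)},
]

if __name__ == "__main__":
    for today in (date(2016, 4, 20), date(2016, 5, 1)):
        print(today, "->", select_for_purge(ENDPOINTS, RULES, today))
```

The rule worth noticing is "days inactive": a guest that keeps coming back never ages out under that condition, so a deployment that wants a hard cap on guest lifetime needs the "days after creation" form.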

Best Practices for Profiling

ISE Profiling Best Practices
- DO use Device Sensor! Whenever possible, use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
- Do NOT send profile data to multiple PSNs! Ensure profile data for a given endpoint is sent to a single PSN (or a maximum of 2). Sending the same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
- DO send profile data to a single and the same PSN or Node Group! For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or for profiling using DHCP IP Helpers, SNMP Traps, and DHCP/HTTP with ERSPAN (requires validation).
- Ensure profile data for a given endpoint is sent to the same PSN. Same issue as above, but not always possible across different probes.
- Use node groups and ensure profile data for a given endpoint is sent to the same node group. Node Groups reduce inter-PSN communications and the need to replicate endpoint changes outside of the node group.
- Avoid probes that collect the same endpoint attributes. Example: Device Sensor + SNMP Query/IP Helper.
- DO enable the Profiler Attribute Filter!

ISE Profiling Best Practices: General Guidelines for Probes. Do NOT enable all probes by default!
- HTTP Probe: Use URL redirects instead of SPAN to centralize collection and reduce the traffic load related to SPAN/RSPAN. Avoid SPAN. If used, look for key traffic chokepoints such as the Internet edge or the WLC connection; use intelligent SPAN/tap options or VACL Capture to limit the amount of data sent to ISE. It is also difficult to provide HA for SPAN.
- DHCP Probe: Use IP Helpers when possible, but be aware that an L3 device serving DHCP will not relay DHCP for the same! Avoid DHCP SPAN. If used, make sure the probe captures traffic to the central DHCP Server. HA challenges.
- SNMP Probe: Avoid SPAN, SNMP Traps, and NetFlow probes! Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low session/re-auth timers) or frequent interim accounting updates. For polled SNMP queries, avoid short polling intervals. Be sure to set the optimal PSN for polling in the ISE NAD config. SNMP Traps are primarily useful for non-RADIUS deployments like NAC Appliance; avoid SNMP Traps with RADIUS auth.
- NetFlow Probe: Use only for specific use cases in centralized deployments. Potential for high load on network devices and ISE.

Best Practices for Posture

Posture Lease: once compliant, a user may leave/reconnect multiple times before re-posture.

MDM Scalability and Survivability: What Happens When the MDM Server is Unreachable?
- Scalability: 30 calls per second per PSN.
- Cloud-based deployments are typically built for scale and redundancy; for cloud-based solutions, Internet bandwidth and latency must be considered.
- Premise-based deployments may leverage load balancing.
- ISE 1.4+ supports multiple MDM servers, which could be from the same or different vendors.
- Authorization permissions can be set based on MDM connectivity status: MDM:MDMServerReachable Equals UnReachable, or MDM:MDMServerReachable Equals Reachable.
- All attributes are retrieved, and reachability determined, by a single API call on each new session.

pxgrid

pxGrid Bulk Downloads (peer-to-peer). Participants: pxGrid Controller (on the ISE node), MnT, Splunk, FMC, WWW.
1. Subscriber (e.g. Splunk) to Controller: I need Bulk Session Data
2. Controller: Get it from MnT
3. Direct data transfer from MnT to the subscriber

pxGrid Topic Extensibility. Existing topic: Session_Directory, publisher MnT, subscribers Splunk, FMC, WSA. New topic: Vulnerable Hosts, publisher Rapid7.
1. Rapid7 to Controller, request: Add New Topic: Vulnerable Hosts
3. Rapid7 publishes the topic
4. Controller announces: New Topic Available

pxGrid Topic Extensibility (continued). Topic Vulnerable Hosts, publisher Rapid7, subscriber FMC.
1. FMC subscribes to Vulnerable Hosts via the Controller
2. Direct transfer from Rapid7 to FMC

How do we certificate-ify this scenario?
1. Use a single Certificate Authority
2. Each pxGrid participant trusts that Certificate Authority
3. Each pxGrid client uses a pxGrid certificate from that CA
4. *The Controller must still authorize the communication
pxGrid cert = X.509 certificate carrying both the Client Auth policy and the Server Auth policy. Result: instant full-mesh trust between Controller, MnT, FMC, Splunk and WWW.

ISE and Fire

Rapid Threat Containment with Firepower Management Center and ISE
- Fully supported on FMC 5.4 and ISE 1.3+
- Uses pxGrid + Endpoint Protection Services (EPS). Note: ANC is the next-gen version of the older EPS; the EPS functions are still there for backward compatibility.
- Loads as a Remediation Module on FMC; the Remediation Module takes action via the EPS call through pxGrid.

Rapid Threat Containment flow (FMC, pxGrid Controller, MnT, NGFW, Internet):
1. Security events / IOCs reported to FMC
2. Correlation rules trigger a remediation action
3. pxGrid EPS action: Quarantine + Re-Auth

4. Endpoint assigned Quarantine, CoA-Reauth sent

Cisco StealthWatch: System Overview (earlier: Lancope)
- StealthWatch FlowSensor: generates NetFlow for non-NetFlow-capable devices from a SPAN feed
- StealthWatch FlowCollector: collects and analyzes NetFlow / NBAR / NSEL from network devices; up to 4,000 sources, up to 240,000 FPS sustained
- StealthWatch Management Console (SMC): management and reporting; up to 25 FlowCollectors, up to 6 million FPS globally

Network as a Sensor: Cisco StealthWatch. Context information comes from Cisco ISE via pxGrid; mitigation action goes back through ISE pxGrid for remediation.
- Real-time visibility at all network layers
- Data intelligence throughout the network
- Asset discovery
- Network profile
- Security policy monitoring
- Anomaly detection
- Accelerated incident response

Device Admin TACACS+

A long time ago in a development lab far, far away

AuthC Once + AuthZ Many (TACACS+). The user SSHes to the network device; the device then exchanges the following with ISE:
Authentication (user trying to connect):
- START (authentication)
- REPLY (authentication): request username
- CONTINUE (authentication): username
- REPLY (authentication): request password
- CONTINUE (authentication): password
- REPLY (authentication): Pass. Authentication is complete.
Shell AuthZ (EXEC is authorized):
- REQUEST (authorization): service = shell
- RESPONSE (authorization): PASS_ADD
- REQUEST (accounting): START / RESPONSE: SUCCESS
Command AuthZ, e.g. "# show run" (command is authorized):
- REQUEST (authorization): service = command
- RESPONSE (authorization): PASS_ADD
- REQUEST (accounting): CONTINUE / RESPONSE: SUCCESS

ISE Deployment Node Configuration: Policy Service Node for Protocol Processing. Session Services (e.g. Network Access/RADIUS) are on by default. The Device Admin Service (e.g. TACACS+) MUST BE ENABLED FOR DEVICE ADMINISTRATION!!

Some Device Admin Best Practices: USE NDGs (Network Device Groups)! Different policy sets for IOS than for AireSpace OS; different for security apps than for routers; different for ASA; differentiate based on the location of the device.

Device Administration Policy Set. The Policy Set Ordered List provides both the management AND the execution order; the Policy Set Condition is how a policy set is engaged.

Use Policy Sets Based on Device Type: Cisco IOS Switches, Airespace WLCs

Best Practices for Policy Sets Organization. Optimal size mix for the policy set breakdown in ISE 2.0: 6-10 policy sets, 60-100 rules. Divide the complete policy into robust silos representing use cases, e.g. by device type, by region.

ISE Authorization Processing: Policy Set Selection -> Identity Selection -> Authorization Policy Evaluation (Command Set or Profile) -> Reply

TACACS+ example: Wireless LAN Controllers

TACACS+ example: Cisco IOS

Best Practice: Use Prefixes for Your Results. Results are often specific to the NAD type: different results for AirOS than for IOS than for NX-OS. Results are not differentiated in the GUI by default.

T+ Command Sets: Wildcard vs. Regex

Command Sets May Be Stacked! A Permit below will take priority over a Deny above, except with a Deny_Always.
IOS-SecOps-NoConfig: Deny_Always "config *"; Permit everything else
IOS-PermitAllCommands: Permit "*"
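To see how the stacking rule and the wildcard-versus-regex distinction play out, here is an added Python evaluator (my own illustration, not ISE's implementation and not code from the slides). Two assumptions are built in and labelled in the code: the command name is matched as a wildcard and the arguments as a regular expression, and within one command set the first matching line decides that set's verdict. Across stacked sets it applies the slide's rule: any Deny_Always match denies, otherwise any Permit wins, otherwise the command is denied.

```python
"""
Stacked TACACS+ command set evaluation as described on the slide.
Assumptions (mine, not ISE documentation): command names are matched as
wildcards (fnmatch), arguments as regular expressions, and within a single
command set the first matching line gives that set's verdict. Across the
stack: Deny_Always anywhere -> DENY; else Permit anywhere -> PERMIT; else DENY.
"""
import fnmatch
import re

# A command set is an ordered list of (grant, command pattern, argument regex).
IOS_SECOPS_NOCONFIG = [("DENY_ALWAYS", "config*", ".*"),   # "Config *" on the slide
                       ("PERMIT", "*", ".*")]              # permit everything else
IOS_PERMITALLCOMMANDS = [("PERMIT", "*", ".*")]
IOS_NODEBUG = [("DENY", "debug", ".*")]                    # constructed: plain Deny
IOS_SHOW_ROUTES = [("PERMIT", "show", r"ip route( .*)?")]  # constructed: regex args

def line_matches(line, command, args):
    _grant, cmd_pattern, arg_regex = line
    return (fnmatch.fnmatchcase(command, cmd_pattern)
            and re.fullmatch(arg_regex, args) is not None)

def set_verdict(command_set, command, args):
    """First matching line decides: PERMIT, DENY, DENY_ALWAYS, or None (no opinion)."""
    for line in command_set:
        if line_matches(line, command, args):
            return line[0]
    return None

def evaluate(stacked_sets, command_line):
    """Apply the slide's stacking rule to a full command line."""
    command, _, args = command_line.strip().partition(" ")
    verdicts = [v for cs in stacked_sets
                if (v := set_verdict(cs, command, args)) is not None]
    if "DENY_ALWAYS" in verdicts:
        return "DENY"          # Deny_Always cannot be overridden by a Permit below
    if "PERMIT" in verdicts:
        return "PERMIT"        # a Permit below beats a plain Deny above
    return "DENY"              # nothing permitted it

if __name__ == "__main__":
    for stack, cmd in [([IOS_SECOPS_NOCONFIG], "show run"),
                       ([IOS_SECOPS_NOCONFIG, IOS_PERMITALLCOMMANDS], "configure terminal"),
                       ([IOS_NODEBUG, IOS_PERMITALLCOMMANDS], "debug ip packet"),
                       ([IOS_SHOW_ROUTES], "show ip route 10.0.0.0"),
                       ([IOS_SHOW_ROUTES], "show version")]:
        print(f"{cmd!r}: {evaluate(stack, cmd)}")
```

The practical lesson from the third case is the one the slide warns about: a plain Deny in a restrictive set is silently undone as soon as a permissive set is stacked beneath it, so anything that must never be overridden has to be a Deny_Always.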

REST API

ISE REST API
- ERS: External RESTful Services
- Session API (from the MnT node)
- REST API available from ISE 1.0.4; ISE 1.3 added Guest; ISE 2.0 added TrustSec (SGT, SXP, SGACL) and internal users
- Default: ERS is not enabled
- XML based
- Supported resources: endpoints, endpoint identity groups, guest users, identity groups, internal users, portals, profiler policies, network devices, network device groups, security groups
- Currently: no authentication/authorization policies
Example active session record from the Session API:
  <activesession>
    <user_name>sfadmin</user_name>
    <calling_station_id>sfadmin-10.1.1.66</calling_station_id>
    <framed_ip_address>10.1.1.66</framed_ip_address>
  </activesession>

Enable ERS and Add an ERS Admin User. Admin or operator, based on the READ/WRITE rights. Admin: full access to all ERS API requests such as GET, POST, DELETE, PUT. Operator: read-only access to the ERS API, only GET.

GET internal users
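As an added client skeleton for the two interfaces on these slides (my own code, not from the slides and not an official ISE SDK), the Python below parses the <activesession> record shown above and builds an ERS request for the internal users resource with HTTP Basic auth, checking the call against the admin/operator split first. The host name, the ERS port 9060 and the /ers/config/<resource> path are assumptions from my own knowledge of ISE rather than values on the slides, and the request is built but not sent, so the example runs offline.

```python
"""
Minimal ISE API client pieces: parse a Session API <activesession> record
and build an ERS request. Assumed (not from the slides): ERS listens on
HTTPS port 9060 under /ers/config/<resource>; the host name is a placeholder.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# The session record exactly as shown on the slide.
SAMPLE_SESSION_XML = """<activesession>
<user_name>sfadmin</user_name>
<calling_station_id>sfadmin-10.1.1.66</calling_station_id>
<framed_ip_address>10.1.1.66</framed_ip_address>
</activesession>"""

def parse_active_session(xml_text):
    """Flatten one <activesession> element into a dict of its child fields."""
    root = ET.fromstring(xml_text)
    if root.tag != "activesession":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return {child.tag: (child.text or "").strip() for child in root}

def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

ERS_ROLE_METHODS = {            # from the slide: admin read/write, operator read-only
    "admin": {"GET", "POST", "PUT", "DELETE"},
    "operator": {"GET"},
}

def role_allows(role, method):
    """Check a planned ERS call against the ERS user's role before sending it."""
    return method in ERS_ROLE_METHODS.get(role, set())

def ers_request(host, user, password, resource, method="GET", role="operator"):
    """Build (do not send) an ERS request; refuses calls the role cannot make."""
    if not role_allows(role, method):
        raise PermissionError(f"ERS {role} user may not use {method}")
    req = urllib.request.Request(f"https://{host}:9060/ers/config/{resource}",
                                 method=method)
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/xml")   # ERS on the slide is XML based
    return req

if __name__ == "__main__":
    print(parse_active_session(SAMPLE_SESSION_XML))
    # "GET internal users" with a read-only ERS operator (placeholder credentials):
    req = ers_request("ise-pan.example.com", "ers-operator", "PLACEHOLDER",
                      "internaluser")
    print(req.get_method(), req.full_url)
    # To actually send it: urllib.request.urlopen(req).read()
```

Keeping the read-only operator account for scripts that only collect data, and reserving the ERS admin for the few that create or delete objects, is the cheapest way to make sure a leaked monitoring credential cannot rewrite your network device inventory.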

Summary: Best Practices, Tips and Tricks on these selected topics:
- Hardware, infrastructure review
- Authentication and Authorization Policies
- Guest, Profiling, Posture
- Certificates
- pxGrid, Fire & ISE
- TACACS+
- REST API

Questions?