Jeremy Wood

Chapter 8 – ISE Profiling

This chapter will take you through the configuration of the profiling subsystem that can be used to provide extra context to make AuthZ decisions. We’ll cover recommended settings for different NAD types to account for feature support within different platforms and best practices for those features. The inner workings of profiling “certainty” will be covered as well as child policies, custom profiling, and example AuthZ rules.

Chapter 5 – Authentication

This chapter will focus on the authentication portion of ISE starting off with configuring the protocols used within the authentication policy and then moving into recommended changes that should be made to the default policy. PAC provisioning options for EAP-FAST are covered as well as setting up certificates/trusts for EAP-TLS.

Chapter 6 – Authorization

This chapter will discuss the authorization (AuthZ) portion of ISE which is used to assign network access permissions to clients based on a set of criteria. We’ll talk about recommended ways to format and order rules so that clients go through the policy in the intended order. For wired connections we’ll cover topics such as overriding VLANs, applying dACLs, and assigning voice domain access to phones; wireless connections will cover overriding airspace interfaces and applying airspace ACLs and finally VPN connections will cover applying dACLs and overriding group policies for remote access.

Network Access Device Configuration

This chapter will cover the configuration of the network devices that will talk to ISE to grant network access. We’ll start off going over the ISE features that are supported by the most commonly deployed platforms and then move into recommended setup for wired and wireless devices. At the end of the chapter you should have all your network devices properly configured to support ISE/802.1x.

ISE Policy Design Practices

This chapter will cover policy design within ISE and is the cumulative effect of information presented in previous chapters along with the introduction to the following two chapters concentrating on bringing everything together. We’ll go over scenarios that businesses are facing, why ISE is different in what it provides, and start steering toward the end goal. We focus on Bring Your Own Device (BYOD) descriptions but in doing so we will differentiate it from normal corporate device access.

Chapter 10 – Deployment Strategies

This chapter will cover methods for taking a non-ISE network and starting from the ground up to deploy ISE throughout your organization. Since the process can be complex and/or organization like to divide the process between wired and wireless, each media type is covered individually using best practices for the different media types. We start with wired first, covering the pilot phase and moving from there to monitoring, low impact, and then fully enforcing authentication. A similar process is covered for wireless but adjusted to take into account that wireless typically already has 802.1x built-in/enabled.

ISE Portals and Guest Access

This chapter will cover guest access with ISE as well as the different types of portals used by ISE. We start with an overview of the portal types, their possible use cases, and a list of pros/cons for each case. From there we’ll move on to configuration examples of each guest portal type and some recommendations for each one. Finally we’ll go over common methods of portal customization and some of the more common guest access scenarios and their matching portal types.

ISE Clustering and Basic Setup

This chapter talks about cluster sizing and hardware requirements as well as basic installation steps. Secure Sockets Layer (SSL) certificate setup for the cluster will be discussed in depth because it’s a critical component of the product and will impact end users if done incorrectly. We’ll also talk about the different licensing levels of Identity Services Engine (ISE) and what each one provides as well as migration paths between license levels.

Chapter 3 – Authentication Methods

This chapter provides an overview of the different options available for authenticating users/endpoints in ISE as well as pros/cons and important considerations for each different method. Each method also includes a step-by-step description of the process to aid in troubleshooting and give readers a clearer understanding of what ISE is doing.

Chapter 4 – Policy Elements

This chapter provides an overview of the different components that are used to build rules within ISE before diving into each component’s dedicated chapter. Dictionaries and conditions will be described and broken down so the reader understands the basics before moving on. Results for each separate component of ISE will be described if applicable.