3P ISE Study Deployment


ISE Design, Deploy & Best Practices
BRKSEC-2091

Pavan Gupta – Technical Marketing Engineer
Cisco Webex App

Questions? Use Cisco Webex App to chat with the speaker after the session.

How
1 Find this BRKSEC-2091 in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 9, 2023.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2091

#CiscoLive BRKSEC-2091 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
A Word About Myself

Pavan Gupta
• 10+ years of experience in Network & Security
• Different roles in the ISE team
• Been with the ISE team from the beginning
• 2+ years in the TME role
Zero Trust principles
‣ Never assume trust
‣ Always verify
‣ Enforce least privilege

Cisco Secure Zero Trust
A comprehensive approach to securing all access across your people, applications, and environments.

Workforce: Ensure only the right users and secure devices can access applications.
Workplace: Secure all user and device connections across your network, including IoT.
Workloads: Secure all connections within your apps, across multi-cloud.
ISE Releases at a Glance
Legend: Latest | Suggested | Future Release | EOL/EOS

Release timeline (release: month on the chart's time axis)
2.0: Jan 2015
2.1: May 2016
2.2: Jan 2017
2.3: Jul 2017
2.4: Mar 2018
2.6: Feb 2019
2.7: Nov 2019
3.0: Sep 2020
3.1: Aug 2021
3.2: Oct 2022
3.3: Jul 2023
Why ISE?

Enhanced UX: The ISE 3.X UI navigation and UX were revamped. The navigation is aligned with other Cisco products to give the same kind of experience across all Cisco products.

Device Administration (TACACS+): Whether migrating from Cisco Secure ACS or building a new Device Administration Policy Server, this allows for secure, identity-based access to the network devices.

Secure Access: Allow wired, wireless, or VPN access to network resources based upon the identity of the user and/or endpoint. Use RADIUS with 802.1X, MAB, Easy Connect, or Passive ID.

Guest Access: Differentiate between corporate and guest users and devices. Choose from Hotspot, Self-Registered Guest, and Sponsored Guest access options.

Asset Visibility: Use the probes in ISE and Cisco network devices to classify endpoints and authorize them appropriately with Device Profiling. Automate access for many different IoT devices.

Compliance & Posture: Use agentless posture, AnyConnect, MDM, or EMM to check endpoints and verify compliance with policies (patches, AV, AM, USB, etc.) before allowing network access.

Context Exchange: pxGrid is an ecosystem that allows any application or vendor to integrate with ISE for endpoint identity and context, to increase network visibility and facilitate automated enforcement.

Segmentation: Group-based Policy allows for segmentation of the network through the use of Scalable Group Tags (SGT) and Scalable Group ACLs (SGACL) instead of VLAN/ACL segmentation.

Cisco SDA/DNAC: ISE integrates with DNA Center to automate the network fabric and enforce the policies throughout the entire network infrastructure using Software-Defined Access (SDA).

BYOD: Allow employees to use their own devices to access network resources by registering their device and downloading certificates for authentication through a simple onboarding process.

Threat Containment: Use a threat analysis tool, such as Cisco Cognitive Threat Analytics, to grade an endpoint's threat score and allow network access based upon the results.

Enhanced Reporting: Finally, ISE provides enhanced in-house reporting capabilities for better operations and reporting. Cisco ISE provides log analytics and infrastructure monitoring, and you can connect to the operational DB and create your own dashboards.
Cisco ISE Deployment
Deploying any Network Access Control requires proper design, planning and a phased approach.

ISE Deployment
Supported Platforms
ISE 3.X Platforms – At a Glance

Appliance
  3.0: Cisco SNS 3515 (EOL), Cisco SNS 3595, Cisco SNS 3615, Cisco SNS 3655, Cisco SNS 3695
  3.1: Cisco SNS 3515 (EOL), Cisco SNS 3595 (EOL), Cisco SNS 3615 / 3715, Cisco SNS 3655 / 3755, Cisco SNS 3695 / 3795
  3.2: Cisco SNS 3515 (EOL), Cisco SNS 3595 (EOL), Cisco SNS 3615 / 3715, Cisco SNS 3655 / 3755, Cisco SNS 3695 / 3795
  (chart annotations: P6 beside the SNS 3515 EOL marker, P2 beside the SNS 3595)
Virtual
  3.0, 3.1, 3.2: Hyper-V; AWS | Azure
Cloud
  3.1: Natively in AWS
  3.2: Natively in AWS, natively in Azure, natively in OCI
Free, 90-day ISE Evaluation License
• 100 x Essentials, Advantage, Premier
• Device Admin Appliance License: 1 x TACACS+
Poll (join at slido.com #BRKSEC-2091): Which ISE Version are you using?

ISE Deployment
Personas
ISE Personas

Policy Administration Node (PAN) – max 2
• Administrative GUI
• Policy configuration
• Policy replication
• Deployment management
• Configuration REST APIs

Monitoring & Troubleshooting Node (MNT) – max 2
• Receives logs from all nodes
• Handles remote logging targets
• Generates summary dashboard views
• Performs scheduled reports
• Handles reporting and operations

Policy Service Node (PSN) – max 50
• TACACS requests
• RADIUS requests
• Endpoint profiling probes
• Identity store queries
• Hosts Guest/BYOD/CP portals
• MDM/Posture queries
• TC-NAC & SXP services

Platform Exchange Grid Node (PXG) – max 4
• Runs pxGrid controller
• Authorizes pxGrid Pubs/Subs
• Publishes pxGrid topics to subscribers
• Handles ANC/EPS requests
• REST APIs
ISE Deployment
Models

ISE Deployment Scale
Number of endpoints supported, by deployment size (cs.co/ise-scale):
• Lab and Evaluation: 1 x (PAN + MNT + PSN + PXG)
• Small: 2 x (PAN + MNT + PSN)
• Medium: 2 x (PAN + MNT + PXG), <= 6 PSN
• Large: 2 PAN, 2 MNT, <= 50 PSNs + <= 4 PXGs
ISE Deployment
Standalone

ISE Deployment – Standalone
A single ISE node (demos & testing!)

ISE Deployment
Small

ISE Deployment – Small
2 x (PAN+MNT+PSN+PXG) + 1 x PSN/PXG
ISE Small Deployment Scale
cs.co/ise-scale

Deployment scale by PAN/MnT platform:
Deployment   SNS 3615   SNS 3715   SNS 3595   SNS 3655   SNS 3755   SNS 3695   SNS 3795
Small        10,000     25,000     20,000     25,000     50,000     50,000     50,000
ISE Deployment
Configuring ISE Small Deployment – Primary Node

Configuring ISE Small Deployment
Primary node: Primary PAN (PPAN) + Secondary MnT (SMNT)
Secondary node: Secondary PAN (SPAN) + Primary MnT (PMNT)
Third node: PSN/PXG
ISE Deployment
Medium

ISE Deployment: Medium
2 x (PAN+MNT+PXG), <= 6 PSN

ISE Medium Deployment Scale
cs.co/ise-scale

Deployment scale by PAN/MnT platform:
Deployment   SNS 3615   SNS 3715   SNS 3595   SNS 3655   SNS 3755   SNS 3695   SNS 3795
Medium       10,000     75,000     20,000     25,000     150,000    50,000     150,000
ISE Medium Deployment
Small to Medium Deployment Transition

From Small to Medium: 2 x (PAN+MNT+PXG), <= 6 PSN, reached by adding PSNs step by step (shown in three stages on the slides).
ISE Medium Deployment – Models
2 x (PAN+MNT+PXG), <= 6 PSN, with the PSNs spread across regions (Region A and Region B; or Regions A, B and C).
ISE Deployment
Large

ISE Deployment: Large
2 PAN, 2 MNT, <= 50 PSNs + <= 4 PXGs
ISE Large Deployment Scale
2 PAN, 2 MNT, <= 50 PSNs + <= 4 PXGs
cs.co/ise-scale

Deployment scale by PAN/MnT platform:
Deployment   SNS 3615      SNS 3715      SNS 3595   SNS 3655   SNS 3755   SNS 3695    SNS 3795
Large        Unsupported   Unsupported   500,000    500,000    750,000    2,000,000   2,000,000
ISE Deployment Scale
Number of endpoints supported, by deployment (cs.co/ise-scale)
Small HA Deployment | Medium Deployment | Large Deployment (2 PAN, 2 MNT, <= 50 PSNs + <= 4 PXGs)

Deployment   SNS 3615      SNS 3715      SNS 3595   SNS 3655   SNS 3755   SNS 3695    SNS 3795
Small        10,000        25,000        20,000     25,000     50,000     50,000      50,000
Medium       10,000        75,000        20,000     25,000     150,000    50,000      150,000
Large        Unsupported   Unsupported   500,000    500,000    750,000    2,000,000   2,000,000
ISE Deployment
Centralized or Distributed

Large Deployment: Centralized or Distributed
DC1: Primary PAN & MNT   DC2: Secondary PAN & MNT
• Separate PAN and MNT nodes
• Max 50 PSN+PXG per deployment
• Max 300 ms latency between PAN and other ISE nodes (not NADs)
• Co-locate PSNs with AD or other dependencies
ISE Deployment
Services

ISE Node Services

PAN (Admin): configure RADIUS, TACACS+, profiling, etc.; config sync to the PSNs. Authorization policy UI, for example:
  If Employee then VLAN-100
  If Contractor then SGT-20
  If Things then ACL-300
PSN: AAA RADIUS server for the network devices (ISE PSN IP address* = AAA RADIUS server); queries external ID stores; sends logs to MNT and context to PXG.
MNT: collects the logs; forwards to SIEM.
PXG (optional): context exchange (pxGrid) with the partner eco-system (SIEM, MDM, NBA, IPS, IPAM, etc.). Exchange topics, for example:
  TrustSecMetaData: SGT Name: Employee = SGT-10; SGT Name: Contractor = SGT-20
  SessionDirectory: Bob with Win10 on CorpSSID

*PSNs can optionally be behind a load balancer and be accessed via the load balancer's virtual IP addresses (VIPs).
ISE Deployment
Automation

ISE Policy Management & Lifecycle Orchestration (3.1)
ISE zero-touch provisioning and lifecycle management via APIs:
1. Zero Touch Provisioning
2. Patch/Hot-patch installation
3. Certificate Management
4. Deployment Automation
5. Policy Management
6. License Management
7. Configuration Backup and Restore
Items marked P1 on the slide require ISE 3.1 Patch 1 (P1 = ISE 3.1 Patch 1).

cs.co/ise-webinars   cs.co/ise-videos
Cisco ISE Design
• Considerations & Approach
• NDGs & NADs
• Certificates
• Network Access
• Guest
• BYOD
• Profiling
• Compliance
Poll (join at slido.com #BRKSEC-2091): Which Cisco ISE Services do you use?

ISE Design
Considerations & Approach
ISE Capabilities
Device Administration, Secure Access, Guest Access, Asset Visibility, Compliance & Posture, Context Exchange, Segmentation, Cisco SDA/DNAC, BYOD, Threat Containment, Enhanced Reporting

Everyone Has Different Needs
Government, Financials, Healthcare, Retail, Education, Transportation, Services, Utilities, Technology, Manufacturing
Cisco ISE High Level Design (HLD)
cs.co/ise-hld
• Business Objectives
• Environment
• Scenarios
• Policy Details
• Operations & Management
• Scale & High Availability
A Typical Customer Journey
No standard or required approach – each use case may be the end goal.

Use cases, in the order customers typically adopt them: Wireless, Guest, Wired, Posture, Segmentation, RTC
• Wireless: customer starts with corporate wireless; non-disruptive due to SSIDs; BYOD
• Guest: secure wireless access (visibility)
• Wired: 802.1X / MAB (with Profiling) (visibility)
• Posture: see apps & HW inventory; enforce system compliance
• Segmentation: use SGTs for segmentation; enforce group-based policies
• RTC: integrate with eco-system partners; contain threats
ISE Design
NDGs & NADs
Default Network Device Groups (NDGs)
Default NDGs

Organizing Your Network Devices by Groups
• Network Access Type: Wired, Wireless, VPN, Branch
• Location: Theaters, Country, City, Building / Floor / Room
• Organization: Regions, Line of Business, Departments, IT / OT
• Vendor / Model: Cisco (Catalyst, Meraki), Aruba, Juniper
ISE Design
Certificates
ISE Certificate Architecture
ISE certificates secure the connections to and from: CWA (Guest), NSP (BYOD), CPP (Posture), Sponsor/MyDevices portals, 802.1X, Admin, pxGrid clients, Azure Directory, Feed Server, MDM, Log Server.

ISE Certificates
ISE Design
Network Access
Access Control Context
Who … is requesting access?
What … is their role, profile, compliance?
Where … are they attempting access from?
When … are they allowed access?
Why … are they allowed access?
How … much access are they allowed?
Policy Set Conditions

• Organization: Regions, Line of Business, Departments, IT / OT
• Location: Theaters, Country, City, Building/Floor/Room, HQ, Branch
• Vendor: Cisco Catalyst, Cisco Meraki, Aruba; Vendor Specific Attributes
• Type: Flow-Type, SSID, Calling-Station-ID
• RADIUS: NAS-IP-Address, NAS-ID, NAS-Port-ID
• Medium: NAS-Port-Type, Service-Type; Wired, Wireless, VPN
• Other attributes: SSID, WLAN ID, NAS-Port-ID, Access point, Interface, Access-hours, Tunnel-Group-name, Client-type
Example ISE Policy Sets

ISE Policy Evaluation

How a PSN handles a RADIUS Access-Request:
1. NAD evaluation: the request is matched against the configured network devices. If it cannot be matched, the request is dropped and MnT records:
   11007 Could not locate Network Device or AAA Client
   5405 RADIUS Request dropped
   5413 RADIUS Accounting-Request dropped
2. Policy set evaluation: the policy set is selected based on a conditions match (pass); otherwise the evaluation fails.
3. Within the matched policy set, authentication and authorization run; ISE then sends a RADIUS Access-Accept (here built from the authorization profile Employee) or a RADIUS Access-Reject.

Access-Request as decoded in the packet capture:
RADIUS Protocol
  Code: Access-Request (1)
  Packet identifier: 0x0 (0)
  Length: 153
  Authenticator: 29eb293b3a40ea740a8fd33bdb18f1d7
  Attribute Value Pairs
    AVP: t=User-Name(1) l=8 val=pavan
    AVP: t=NAS-IP-Address(4) l=6 val=6.86.227.108
    AVP: t=Calling-Station-Id(31) l=19 val=02-00-00-00-00-01
    AVP: t=Called-Station-Id(30) l=27 val=2C-3F-0B-56-E3-6C:
    AVP: t=Framed-MTU(12) l=6 val=1400
    AVP: t=NAS-Port-Type(61) l=6 val=Wireless-802.11(19)
    AVP: t=Service-Type(6) l=6 val=Framed(2)
    AVP: t=Connect-Info(77) l=24 val=CONNECT 11Mbps 802.11b
    AVP: t=EAP-Message(79) l=13 Last Segment[1]
    AVP: t=Message-Authenticator(80) l=18 val=26f047af6a9a82279dfd6d19b477c31b

Access-Accept sent in response (response to the request in frame 34891; time from request: 0.011658000 seconds):
RADIUS Protocol
  Code: Access-Accept (2)
  Packet identifier: 0xd (13)
  Length: 428
  Authenticator: 66403608336c3e77859116d46cd0d65f
  Attribute Value Pairs
    AVP: t=User-Name(1) l=8 val=pavan
    AVP: t=Class(25) l=75 val=434143533a6336313238353162724344a2f7767443633147…
    AVP: t=Session-Timeout(27) l=6 val=1800
    AVP: t=Termination-Action(29) l=6 val=RADIUS-Request(1)
    AVP: t=Tunnel-Type(64) l=6 Tag=0x01 val=VLAN(13)
    AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x01 val=IEEE-802(6)
    AVP: t=EAP-Message(79) l=6 Last Segment[1]
    AVP: t=Message-Authenticator(80) l=18 val=1cb417480820021d54882fcaea90308c
    AVP: t=Tunnel-Private-Group-Id(81) l=7 Tag=0x01 val=DATA
    AVP: t=Vendor-Specific(26) l=36 vnd=ciscoSystems(9)
      Type: 26
      Length: 36
      Vendor ID: ciscoSystems (9)
      VSA: t=Cisco-AVPair(1) l=30 val=linksec-policy=should-secure
    AVP: t=Vendor-Specific(26) l=80 vnd=ciscoSystems(9)
      Type: 26
      Length: 80
      Vendor ID: ciscoSystems (9)
      VSA: t=Cisco-AVPair(1) l=74 val=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3
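The decision points in the flow above (locate the NAD or drop, validate the request, pick a policy set from its conditions, answer with the authorization result as tagged tunnel attributes) carried through in code, together with the Policy Set Conditions slide, whose toy policy set here keys on NAS-Port-Type and the user identity. This is an added example written for this page; it is not Cisco code and not how ISE is implemented. The shared secret, NAD table, identity store, policy rule and the 192.0.2.10 address are constructed stand-ins; the attribute numbers and the Message-Authenticator and Response Authenticator constructions are those of RFC 2865, RFC 2868 and RFC 3579.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865, RFC 2868 (tunnel attributes) and RFC 3579 (Message-Authenticator).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 4, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
WIRELESS_80211 = (19).to_bytes(4, "big")  # NAS-Port-Type value seen in the slide's capture

# Constructed stand-ins for ISE's network device list and identity store (not real data).
NAD_IP = bytes([192, 0, 2, 10])                # 192.0.2.10, documentation range
NADS = {NAD_IP: b"constructed-shared-secret"}  # NAS-IP-Address -> shared secret
EMPLOYEES = {"pavan"}

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the length octet includes the 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(blob):
    """Parse RADIUS TLVs into [(type, value, offset)], refusing lengths that overrun or fail to advance."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, l = blob[i], blob[i + 1]
        if l < 2 or i + l > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (l, i))
        attrs.append((t, blob[i + 2:i + l], i))
        i += l
    return attrs

def build_access_request(secret, ident, attrs):
    """NAD side: random Request Authenticator; Message-Authenticator = HMAC-MD5 over the packet with
    its own value zeroed, appended as the last attribute (RFC 3579 section 3.2)."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def message_authenticator_ok(secret, pkt):
    """PSN side: zero the received Message-Authenticator, recompute, compare in constant time."""
    for t, v, off in decode_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            start = 20 + off + 2
            zeroed = pkt[:start] + b"\x00" * 16 + pkt[start + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False  # EAP requests must carry it; treat absence as a failed check

def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag octet plus a 3-octet value, hence l=6 on the slide."""
    return bytes([tag]) + value.to_bytes(3, "big")

def authorize(attrs):
    """Toy policy set for the slide's 'If Employee then VLAN' rule; returns (code, reply attributes)."""
    a = {t: v for t, v, _ in attrs}
    user = a.get(USER_NAME, b"").decode("utf-8", "replace")
    if a.get(NAS_PORT_TYPE) == WIRELESS_80211 and user in EMPLOYEES:
        return ACCESS_ACCEPT, [
            (TUNNEL_TYPE, tagged_int(1, 13)),              # VLAN(13)
            (TUNNEL_MEDIUM_TYPE, tagged_int(1, 6)),        # IEEE-802(6)
            (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"DATA"),  # tag + VLAN name, l=7 as in the capture
        ]
    return ACCESS_REJECT, []

def build_response(secret, request, code, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def response_ok(secret, request, response):
    """NAD side: verify the Response Authenticator before honouring an Accept."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def handle_request(pkt):
    """The slide's PSN flow: check the header, locate the NAD (unknown -> drop, cf. 11007/5405),
    verify the Message-Authenticator (bad -> drop), evaluate policy, answer. None means dropped."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    attrs = decode_attrs(pkt[20:])
    nas_ip = next((v for t, v, _ in attrs if t == NAS_IP_ADDRESS), None)
    secret = NADS.get(nas_ip)
    if secret is None or not message_authenticator_ok(secret, pkt):
        return None
    code, reply = authorize(attrs)
    return build_response(secret, pkt, code, reply)

def demo(user="pavan"):
    """Constructed wireless request round trip; returns the RADIUS code of the answer (None = dropped)."""
    req = build_access_request(NADS[NAD_IP], 13, [(USER_NAME, user.encode()), (NAS_IP_ADDRESS, NAD_IP),
                                                  (NAS_PORT_TYPE, WIRELESS_80211)])
    resp = handle_request(req)
    return None if resp is None else (resp[0] if response_ok(NADS[NAD_IP], req, resp) else None)
```

`demo()` returns 2 (Access-Accept, carrying Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802 and Tunnel-Private-Group-Id DATA as in the capture) and `demo("visitor")` returns 3 (Access-Reject). A request from a NAS-IP-Address that is not in the NAD table, or whose Message-Authenticator does not verify against that NAD's shared secret, is dropped without reaching policy evaluation, which is the behaviour behind the 11007 and 5405 messages on the slide; the constant-time compare and the length checks in `decode_attrs` are the two defensive details a RADIUS receiver should never skip.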
Authentication and Authorization
Resources: Protected Servers | Shared Services | Public Network
Network access for Employee and Contractor identities (e.g. alice / *****)
Authentication – Who are you?   Authorization – What can you do?
Enforce Trust-Based Access: Authorization
Beyond RADIUS Access-Accept / Access-Reject

Catalyst
• VLANs: e.g. Printers on VLAN 5, Guest, Employee on VLAN 4
• ACLs: Downloadable ACL (wired), Named ACL (wired + wireless), e.g. permit ip any any
• Cisco Group-Based Policy: Security Group Tags, 16-bit SGT assignment and SGT-based access control, per port / per domain / per MAC (cs.co/trustsec-compatibility)

Meraki
• Dynamic VLANs: e.g. Printers on VLAN 5, Guest, Employee on VLAN 4
• ACLs: Named ACLs, DNS Named/Group ACLs
ISE Design
Other Factors

ISE Compatibility
cs.co/ise-compatibility
RFC 2865: RADIUS
RFC 2866: Accounting
RFC 3579: EAP Support
RFC 5176: CoA Support

Cisco ISE supports protocol standards like RADIUS, its associated RFC standards, and TACACS+. For more information, see the ISE Community Resources.

Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior for standards-based authentication.

Cisco ISE interoperates fully with third-party TACACS+ client devices that adhere to the governing protocols. Support for TACACS+ functions depends on the device-specific implementation.
ISE Design
Guest
Guest Solution Overview
• 1 million supported guest accounts
• Guest account notification options: EMAIL, PRINT, SMS
• Portal language customization
• Social media login support
• Manage guest accounts via REST API

The 3 types of guest access
• Hotspot: immediate, un-credentialed Internet access
• Self Registered: self-registration by guests; sponsors may approve access
• Sponsored Guest Access: authorized sponsors create the account and share credentials
ISE Design
BYOD
ISE BYOD Solution
• Device support: iDevice, Android, macOS, Windows, ChromeOS
• EMM/MDM integrations: access based on MDM policy
• Single / dual SSID provisioning
• Native supplicant & certificate provisioning
• ISE internal CA for BYOD certificates
• Public vs. corporate resources and devices (per-OS support matrix on the slide)
EMM: Enterprise Mobility Management | MDM: Mobile Device Management
cisco.com/go/csta
ISE Design
Profiling
Endpoint Profiling
The profiling service in Cisco ISE identifies the devices that connect to your network.

ISE data collection methods for device profiling:
• Active probes: NetFlow | DHCP | DNS | HTTP | RADIUS | NMAP | SNMP | AD
• Device Sensor (DS): CDP | LLDP | DHCP | HTTP | H323 | SIP | MDNS
• Cisco Secure Client (formerly AnyConnect): ACIDex (Cisco Secure Client Identity Extensions)

Endpoints send interesting data that reveal their device type; profile updates come from the Feed Service (online/offline).
Profiling Packages and Integrations
• Medical devices library (hospital): 250+ medical device profiles (XML)
• IOT, Building & Automation
• Industrial devices (factory): Cisco Cyber Vision sends endpoint context to ISE via pxGrid
• Cisco AI Endpoint Analytics: profiles IOT devices and sends endpoint labels via pxGrid to ISE for authorization
https://community.cisco.com/t5/tag/ise-endpoint-profile/tg-p/board-id/4561-docs-security
Cisco AI Endpoint Analytics and ISE
Cisco DNA Center with Endpoint Analytics shows device classification results associated with endpoints; the classifications are shared as context with ISE for policy (visible in the Cisco ISE web interface).
Telemetry sources: Catalyst 9000 (NBAR telemetry, SD-AVC agent), Wireless LAN Controller, and the Telemetry Traffic Appliance (TTA) fed by a SPAN at the distribution layer for legacy Cisco switches / 3rd-party devices.
ISE Design
Compliance
Agent Types
• Persistent agent, installed and running as a service in the background: AnyConnect/Secure Client
• No UI/user interaction required: AnyConnect Stealth
• Temporary agent: AnyConnect Temporal
• Agentless
Agent & Agentless Posture Options
Legend: ✅ Supported | ❗ Limitations | ❌ Not Supported
Column groups: AnyConnect | AC Stealth | Temporal | Agentless (nine result columns in the chart, several per agent type)

Capability                     Results, left to right
Anti-Malware Checks            ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅
Firewall Installation Checks   ✅ ✅ ❌ ✅ ✅ ✅ ✅ ✅ ✅
Application Inventory          ✅ ✅ ❌ ✅ ✅ ✅ ✅ ✅ ✅
Hardware Inventory             ✅ ✅ ❌ ✅ ✅ ✅ ✅ ✅ ✅
Process Checks                 ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅
Dictionary Conditions          ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅
Application Checks             ✅ ✅ ❌ ✅ ✅ ✅ ✅ ✅ ✅
File Checks                    ✅ ✅ ❗ ✅ ✅ ✅ ✅ ❗ ✅
Service Checks                 ✅ ✅ ❌ ✅ ✅ ✅ ❗ ✅ ❗
Disk Encryption                ✅ ✅ ❌ ✅ ✅ ❗ ❗ ❗ ❗
Patch Management               ✅ ✅ ❗ ✅ ✅ ❗ ❗ ❗ ❗
Registry Checks                ✅ N/A N/A ✅ N/A ✅ N/A ❗ N/A
USB Checks                     ✅ ❌ ❌ ✅ ❌ ✅ ❌ ✅ ❌
WSUS remediation (legacy)      ✅ N/A N/A ✅ N/A ❌ ❌ ❌ ❌
Remediation                    Auto, Manual | Partial | Partial | Part Auto | Partial | Text | Text | ❌ | ❌
Reassessment                   ✅ ✅ ✅ ✅ ✅ ❌ ❌ ❌ ❌
Posture Deployment Options
Legend: ✅ Supported | ❗ Limitations | ❌ Not Supported
The same capability matrix as above, annotated along three dimensions: Visibility, Experience (Time), and Security (Protection). One Application Inventory cell is marked ✅(Effort).
Posture/MDM Compliance

Authorization policy example (ISE):
  IF JailBroken is No AND PinLock is Yes THEN Compliant

MDM attributes available to the authorization policy:
ActivityType, AdminAction, AdminActionUUID, AnyConnectVersion, DaysSinceLastCheckin, DetailedInfo, DeviceID, DeviceName, DeviceType, DiskEncryption, EndPointMatchedProfile, FailureReason, IdentityGroup, IMEI, IpAddress, JailBroken, LastCheckInTimeStamp, MacAddress, Manufacturer, MDMCompliantStatus, MDMFailureReason, MDMServerName, MEID, Model, OperatingSystem, PhoneNumber, PinLock, PolicyMatched, RegisterStatus, SerialNumber, ServerType, SessionId, UDID, UserName, UserNotified

cisco.com/go/csta
Continuous Trust Verification: TC-NAC
• Tenable, Rapid 7, Qualys, AMP: scans for threat and vulnerability; ISE evaluates endpoint health and compliance
• EMM/UEM integration (user: John Doe)
• ISE shares endpoint and segmentation data with pxGrid partners:
  - NGFW
  - Secure Network Analytics: analyzes endpoint behavior and detects threats
  - Firepower Threat Defense: inspects and filters traffic, detects threats, segments the network
  - Tetration: monitors application/process flows, identifies threats, segments the network
  - Other pxGrid eco-system partners
ISE Design
Integrations

Cisco Security Technical Alliance Partners (September 2020)
https://cisco.com/go/csta

Cisco ISE Best Practices

Cisco ISE Best Practices
Recommended Release & Patches
ISE Recommended Release & Patches
3.0 (EOL) | 3.1 | 3.2 (Latest)
Apply the latest patches.
cs.co/ise-software   cs.co/ise-eol   cs.co/ise-rn
Cisco ISE Best Practices
Performance and Scale Considerations

Shared vs Dedicated ISE Persona: performance is higher with dedicated personas than with shared ones.
Shared vs Dedicated ISE PSN: performance increases if dedicated.

Steady State versus Peak Demand
• You have a mix of static endpoints and mobile endpoints
• Some endpoints are always on, with long (8+ hours) session expirations
• Mobile endpoints hibernate & roam, causing a 3-10X+ larger load
• Misconfigured devices can have a 100-1000X larger than average auth load
Cisco ISE Best Practices
3rd Party NADs

ISE Compatibility (cs.co/ise-compatibility): see the ISE Compatibility slide under ISE Design, Other Factors.
Cisco ISE Best Practices
Policies

Policies
• Deny access to unknown endpoints in a closed environment
• Provide the highest privileges based on granular policies
• Provide least privileges for general access

Cisco ISE Best Practices
Operations

Optimization

• Enable to Suppress Repeated AAA Records

Optimization

• Enable to Identify Misconfigured Supplicants
• Enable to Suppress Repeated Failed Endpoints
• Rejects Repeated Failed Endpoints

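The three optimization settings above decide which RADIUS authentication records are worth keeping and which endpoints are worth rejecting outright. The following added example, written for this page and not ISE's implementation nor code from the presentation, models that logic over constructed sample records: repeated successes from one endpoint are collapsed to one record per interval, an endpoint that fails repeatedly inside a short window is flagged as a misconfigured supplicant, and further attempts from it are rejected (or, with rejection switched off, simply not logged) for a report interval. All thresholds, MAC addresses and timestamps are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class SuppressionPolicy:
    """Knobs modelled on the three settings on the slide; every default is an assumption."""
    success_interval: timedelta = timedelta(hours=1)           # one PASS record per endpoint per interval
    failure_threshold: int = 3                                 # failures inside failure_window -> misconfigured
    failure_window: timedelta = timedelta(minutes=5)
    failure_report_interval: timedelta = timedelta(minutes=1)  # how long further attempts are held back
    reject_repeated_failures: bool = True                      # reject (True) or merely not log (False)


@dataclass
class Verdict:
    ts: datetime
    mac: str
    result: str    # PASS or FAIL as the authentication would have ended
    action: str    # LOG | SUPPRESS | FLAG | REJECT


class AuthLogSuppressor:
    def __init__(self, policy: SuppressionPolicy):
        self.policy = policy
        self.last_logged_success: Dict[str, datetime] = {}
        self.failures: Dict[str, List[datetime]] = defaultdict(list)
        self.held_until: Dict[str, datetime] = {}
        self.misconfigured: Set[str] = set()

    def process(self, ts: datetime, mac: str, result: str) -> Verdict:
        p = self.policy
        held = self.held_until.get(mac)
        if held is not None and ts < held:
            if p.reject_repeated_failures:
                return Verdict(ts, mac, result, "REJECT")   # request dropped, nothing evaluated
            if result == "FAIL":
                return Verdict(ts, mac, result, "SUPPRESS")  # evaluated, but not written again
        if result == "PASS":
            self.failures.pop(mac, None)                     # a success clears the failure history
            last = self.last_logged_success.get(mac)
            if last is not None and ts - last < p.success_interval:
                return Verdict(ts, mac, result, "SUPPRESS")  # repeated successful auth
            self.last_logged_success[mac] = ts
            return Verdict(ts, mac, result, "LOG")
        # FAIL: keep a sliding window of recent failures for this endpoint
        window = self.failures[mac]
        window.append(ts)
        cutoff = ts - p.failure_window
        window[:] = [t for t in window if t >= cutoff]
        if len(window) >= p.failure_threshold:
            self.misconfigured.add(mac)
            self.held_until[mac] = ts + p.failure_report_interval
            window.clear()
            return Verdict(ts, mac, result, "FLAG")          # reported once per report interval
        return Verdict(ts, mac, result, "LOG")


# Constructed sample records, not real ISE logs: (timestamp, endpoint MAC, would-be result)
MAC_STATIC, MAC_BROKEN, MAC_OCCASIONAL = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SAMPLE_AUTHS = [
    ("2023-06-05T08:00:00", MAC_STATIC, "PASS"),      # always-on endpoint re-authenticating
    ("2023-06-05T08:00:30", MAC_STATIC, "PASS"),
    ("2023-06-05T08:30:00", MAC_STATIC, "PASS"),
    ("2023-06-05T09:00:00", MAC_STATIC, "PASS"),      # interval elapsed, logged again
    ("2023-06-05T08:00:05", MAC_BROKEN, "FAIL"),      # supplicant with bad credentials looping
    ("2023-06-05T08:00:06", MAC_BROKEN, "FAIL"),
    ("2023-06-05T08:00:07", MAC_BROKEN, "FAIL"),
    ("2023-06-05T08:00:08", MAC_BROKEN, "FAIL"),
    ("2023-06-05T08:00:40", MAC_BROKEN, "FAIL"),
    ("2023-06-05T08:02:00", MAC_BROKEN, "FAIL"),      # report interval over, counting restarts
    ("2023-06-05T08:00:10", MAC_OCCASIONAL, "FAIL"),  # two failures far apart: not misconfigured
    ("2023-06-05T08:10:10", MAC_OCCASIONAL, "FAIL"),
]


def process_records(records, policy: SuppressionPolicy):
    """Replay records in time order; return the verdicts and the suppressor state."""
    suppressor = AuthLogSuppressor(policy)
    parsed = sorted((datetime.fromisoformat(t), mac, res) for t, mac, res in records)
    verdicts = [suppressor.process(ts, mac, res) for ts, mac, res in parsed]
    return verdicts, suppressor


def summarize(verdicts) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for v in verdicts:
        counts[v.action] += 1
    return dict(counts)


if __name__ == "__main__":
    verdicts, state = process_records(SAMPLE_AUTHS, SuppressionPolicy())
    print(summarize(verdicts), "misconfigured:", sorted(state.misconfigured))
```

Twelve authentications produce seven stored records, and the looping supplicant is identified after its third failure and then rejected rather than evaluated; the endpoint with two failures ten minutes apart is never flagged, which is the reason for bounding the failure count by a time window rather than counting failures for ever.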
Schedule Your Backup Regularly

Operational Data Purging

• By default, the data retention period is 30 days
• Adjust with caution, based on disk space availability
• Export old data to external repositories before it gets purged

RADIUS Logs Data Retention (ISE 3.2)
cs.co/ise-resources

Retention in days by number of endpoints and disk size:

No. of Endpoints   300 GB   600 GB   1024 GB   2048 GB
5,000                 504     1510      2577      5154
10,000                252      755      1289      2577
25,000                101      302       516      1031
50,000                 51      151       258       516
100,000                26       76       129       258
150,000                17       51        86       172
200,000                13       38        65       129
250,000                11       31        52       104
500,000                 6       16        26        52

*The numbers are based on the following assumptions: ten or more authentications per day per endpoint, with logging suppression enabled.

TACACS Logs Data Retention (ISE 3.2)
cs.co/ise-resources

Retention in days by number of authentications and disk size:

No. of Authc   300 GB   600 GB   1024 GB   2048 GB
100            12,583   37,749    64,425   128,850
500             2,517    7,550    12,885    25,770
1,000           1,259    3,775     6,443    12,885
5,000             252      755     1,289     2,577
10,000            126      378       645     1,289
25,000             51      151       258       516
50,000             26       76       129       258
75,000             17       51        86       172
100,000            13       38        65       129

*Assumption: the script runs against all NADs, 4 sessions per day, and 5 commands per session.

Endpoint Purge Policies

• Configure policies for the endpoints that you don't want to purge, e.g., BYOD
• Configure policies for the endpoints that you want to purge, e.g., Guest, inactive endpoints
• Schedule the purge policies

Cisco ISE Best Practices
Device Administration - RADIUS & TACACS

RADIUS & TACACS Deployment Options

[Diagram: three deployment layouts, each drawn as PSNs labelled RADIUS, TACACS or RADIUS/TACACS]

• Separate ISE cubes for RADIUS & TACACS (one cube with RADIUS-only PSNs, one cube with TACACS-only PSNs)
• Mixed ISE cube with separate PSNs for RADIUS and TACACS+
• Mixed ISE cube where PSNs are not dedicated to either (every PSN serves RADIUS/TACACS)

When do we separate TACACS+ and RADIUS?

[Diagram: the same three layouts, separate cubes, mixed cube with dedicated PSNs, mixed cube with shared PSNs]

1. How many network devices?
2. Number of TACACS+ & RADIUS sessions
3. Scripts?
4. Network management tools
5. Increased log retention on both deployments
6. Per-PSN utilization and load

What features would you like to see in ISE future releases?
Join at slido.com #BRKSEC-2091

Fill out your session surveys!

Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!

Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education

• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

References

• ISE YouTube Channel
cs.co/ise-videos
• ISE Resources
cs.co/ise-resources
• ISE Webinars
cs.co/ise-webinars
• ISE Community
cs.co/ise-community
• ISE Integration Guides
cs.co/ise-guides
• Network Access Device Capabilities
cs.co/nad-capabilities
• ISE
• ISE Licensing & Evaluations
cs.co/ise-licensing

Thank you

Gamify your Cisco Live experience!
Get points for attending this session!

How:
1 Open the Cisco Events App.
2 Click on 'Cisco Live Challenge' in the side menu.
3 Click on View Your Badges at the top.
4 Click the + at the bottom of the screen and scan the QR code: