ISE High Level Design (HLD) - Cisco Community

This document provides a template for creating a high level design (HLD) for an Identity Services Engine (ISE) deployment. The template includes sections for business objectives, physical network topology, identity sources, user groups, network devices, and other relevant details. Completing this template helps plan and design the ISE deployment to meet specific business needs.

Uploaded by

Eider Diaz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (1 vote)
1K views

ISE High Level Design (HLD) - Cisco Community

This document provides a template for creating a high level design (HLD) for an Identity Services Engine (ISE) deployment. The template includes sections for business objectives, physical network topology, identity sources, user groups, network devices, and other relevant details. Completing this template helps plan and design the ISE deployment to meet specific business needs.

Uploaded by

Eider Diaz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 20

Community
 English
FIND A COMMUNITY Cisco Register feedback
Login
Community

This board
 Options

Search Security Documents 

Cisco /  Technology and /  /  Security


Community Support Security Documents /  ISE High Level Design (HLD)

ISE High Level Design (HLD)

thomas

05-07-2018 09:40 AM
Edited On: 03-05-2019 08:09 AM

Instructions
Introduction
Business Objectives
Business Objectives
Environment
Physical Network Topology
Identity Sources
User Groups
Network Devices
Endpoints
ISE Cube
Device Administration (TACACS+)
Visibility
Secure Access
Wireless
Wired
VPN
Guest
HotSpot
Self-Registered
Sponsored
API
BYOD
Integration
Context Sharing
Threat Mitigation
APIs
Compliance
Segmentation
Containment
Operations & Management
Scale & High Availability
Policy Details
Resources

Instructions
1. Make a copy of this document. For an offline/printed copy of this document, simply choose Options > Printer Friendly Page. You may then Print or Print to PDF or copy and paste to Word or any other document format you like.
2. Delete anything that does not pertain to your deployment
3. Fill in the rest with the appropriate details
4. Make it happen
5. Post any questions you have to the ISE Community

Introduction

An ISE High Level Design (HLD) is recommended to assist you with the design and planning of your ISE deployment. Having a clearly written security policy, whether aspirational or active, is the first step in assessing, planning and deploying network access security. Without this, it is hard to break down the deployment into phases by location or capabilities. When seeking outside help, the HLD saves a great deal of time in educating other teams, partners, Cisco Sales representatives, Technical Assistance Center (TAC) representatives or even the ISE product and engineering teams. Clearly stating the desired solution capabilities, hardware and software environment and integrations quickly allows people to understand what you want and how to configure or troubleshoot it.

Business Objectives

Identify the Customer Business Objectives that ISE must solve. Typically this involves regulations and compliance or identified security threats and risks to the smooth operation of the business or brand. But it also involves mitigating risks with controlled network access for everyday IT processes. This is how you begin to craft your network access control policy. The more specific you can be, the better.

Consider the following example business objectives that must translate into access control policy:

- We want to provide sponsored guest access to our visitors
- All network device administration commands must be authorized and logged for potential audit
- We want to identify all endpoints on our network so we can begin to apply access control policies
- We do not want our employees' personal devices on our corporate network
- We want our employees to use any device they want, but we want to manage it to ensure it and any information on it is properly secured
- Printers should only talk to print servers
- We need to be able to re-image our workstations over the network via PXE
- We must comply with [PCI, HIPAA, etc.] regulation
- All Windows devices must be patched within the last 30 days to minimize known vulnerabilities
- We want to automatically quarantine endpoints when [Stealthwatch, AMP, etc.] detects malicious behavior

Business Objectives
1.
2.
3.
4.
5.

Environment
 

Physical Network Topology


<Insert image of your proposed ISE deployment here>

Identity Sources
List all of the products that ISE will need to integrate with or control. Please note any known issues or concerns with their behavior or capabilities.

Note: Cisco strongly recommends that a server certificate signed by an in-house CA or other 3rd party Root CA be used for ISE. Self-signed server certificates should not be used for production deployments.

| Scenario (one line per device to be validated) | Vendor / Version | Count | Note |
| --- | --- | --- | --- |
| Identity Sources | | | |
| Certificate Authorities (CA): How will ISE integrate with a 3rd party CA? Will ISE be issuing certificates for BYOD? Utilize the web based CA portal on ISE? Utilize the API for certificate management? Utilize AnyConnect/ASA for SCEP enrollment? | Microsoft | # | |
| Active Directory: How many AD domains / forests are to be integrated? ISE requires AD forest DNS to be consolidated into central DNS servers; what method is used to consolidate DNS information for the separate AD forests? What version of AD is in use? Are there any Read-Only domains in place? AD Sites & Services is recommended for ISE in all forests. | | | |
| LDAP | | # | |
| Token | | # | |
| SAML | | # | |
| ODBC | | # | |
| Social Login | Facebook? | # | |

User Groups
Identify the specific user groups that will require differentiated access and for which scenarios.

| Scenario (one line per device to be validated) | Notes |
| --- | --- |
| Groups | |
| | |
| | |

Network Devices
Provide the general switch/controller model numbers/platforms deployed and the Cisco IOS and AireOS software versions to be deployed to support the ISE design. Please use the ISE Compatibility Guides to see our latest list of validated products and protocols. If you still don't believe that ISE supports heterogeneous networks and can support your network devices, please read Does ISE Support My Network Access Device?

| Vendor | Hardware Model @ Software Version | Count | Notes |
| --- | --- | --- | --- |
| Wired | | | |
| Cisco | 9300 @ 15.x.x | # | |
| Wireless | | | |
| Cisco | WLC xxxx @ 8.x | # | |
| Cisco | Meraki xxxx | | |
| Aruba | @ 7.x | | |
| VPN | | | |
| Cisco | ASA 55xx @ x.x | # | |

Endpoints
List all of the unique endpoint types you expect to find and apply policy to in your deployment. Provide an approximate number of each if possible.

Note: For domain joined Windows machines to function properly, machine authentication is recommended. Performing user-only authentication may break critical functions such as machine GPO and other background services such as backup and software push.

Note: State whether the deployment is using machine or user authentication, or both. If both machine and user authentication are planned, are Machine Access Restrictions (MAR) planned? If so, review the Appendix information on MAR caveats. For machine / user authentication details, please refer to 802.1X Authenticated Wired and Wireless Access.

| Endpoints (one line per endpoint to be validated) | Vendor | Hardware Model @ Software Version | Estimated Count | Notes |
| --- | --- | --- | --- | --- |
| Workstations | | | | |
| | Microsoft | Windows XP | # | |
| | Microsoft | Windows 7.x | # | |
| | Microsoft | Windows 8.x | # | |
| | Microsoft | Windows 10 | # | |
| | Microsoft | Windows Embedded | # | |
| | Apple | MacOS 10.13 | # | |
| Chromebook | | | | |
| Linux | | Linux | # | |
| VDI | | | | |
| Mobile Devices | | | | |
| | Apple | iOS 11.x | | |
| | Android | Android 8.x | | |
| | Android | Android 7.x | | |
| | Android | Android 6.x | | |
| Office | | | | |
| Access Points | Cisco | | # | |
| IP Phones | Cisco | 7xxx | # | |
| Printers | | | # | |
| IOT | | | | |
| Cameras | | | # | |
| Lighting | | | # | |
| Badging | | | # | |
| HVAC | | | # | |
| Medical | | | # | |
| Manufacturing | | | # | |
| SCADA | | | # | |
| Others | | | # | |
| Approximate Total | | | ### | |

ISE Cube
List all of the nodes in your ISE deployment.

When deploying VMs:

- The VM host should be sized comparably with the ISE hardware appliance(s)
- The resources need to be reserved for each ISE node and cannot be shared among different ISE nodes or other guest VMs on the host.
- Hard disks with 10K or higher RPM are required. Average IO Write performance for the disk should be higher than 300MB/sec and IO Write performance should be higher than 50MB/sec. Please make sure to reserve the RAM and CPU cycles for the ISE node deployed as a VM.
- If the disk size needs to be resized, the node will need to be re-imaged from the ISO

| Host Name (FQDN) | Persona | IP Address | VM/HW | Size | Storage |
| --- | --- | --- | --- | --- | --- |
| ise1.example.com | PAN+MnT | | VM | 3595 | 600GB |
| | | | | | |
| | | | | | |

Device Administration (TACACS+)
Differentiated access for network device administrators

Scenarios (✓ Done / Notes)
- SuperAdmin
- Script
- Read-Only Admin

Visibility
See what, when, where and how users and endpoints are on your network.

In the table below, list the primary endpoint devices (one per row) that need to be profiled.

Identify the primary device types to be profiled:
- Which probes/protocols will be used to collect the required data? Leverage Device Sensor to collect endpoint attributes whenever possible and SNMP for other network devices. Uncommon devices may require collecting additional protocol attributes to classify the endpoint properly.
  - ISE Probes: AD, DHCP, DNS, HTTP, NMAP, RADIUS, SNMP, Netflow
  - Device Sensor: CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS
  - AnyConnect: ACIDex
- What is the endpoint attribute data required to classify each device type?
- Is profiling for visibility only or for use in authorization policy?
- For Visibility with SPAN/RSPAN, use a dedicated interface on the ISE PSN for the DHCP SPAN or HTTP SPAN probe.
- If RSPAN or Netflow is to be used: does the infrastructure support these technologies? A dedicated interface should be used on the Policy Service Node for the DHCP SPAN or HTTP SPAN probe. Is there sufficient bandwidth between the source SPAN/Netflow exporter and the ISE Policy Service Node used for profiling?

Scenarios (✓ Done / Notes)
- Enable Profiling Feed Service or retrieve offline update
- Create Custom Endpoint Profiles for _____ Devices
- Create Endpoint Purge Policies
- Move profiled endpoints to static MAC-based endpoint lists and do not use endpoint profiles in authorization rules if you want to minimize Plus License consumption

Secure Access
Control authenticated endpoint & user access

Scenarios (✓ Done / Notes)

Wireless
- Wireless 802.1X User Authentication & Authorization: Show Successful Login and Role-Based Access
- Wireless Machine Authentication and Authorization: use digital certificate for Corporate device
- Individual Pre-Shared Key (iPSK)
- Static Endpoint MAC Whitelisting: allow non-authenticating (no 802.1X) endpoints with MAB
- Wireless user with Passive Identity (No 802.1x)
- eduroam

Wired (see the ISE Wired Access Deployment Guide)
- Static Endpoint MAC Whitelisting: allow non-authenticating (no 802.1X) endpoints with MAB
- Static Endpoint MAC Blacklisting: block non-authenticating endpoints with MAB
- Dynamic Endpoint Profiling and Authorization: List each endpoint profile and the desired authorization
- Easy Connect: Wired user with Passive Identity (No 802.1X supplicant)
- Wired Web Authentication (No 802.1X Supplicant. For Guest or Employees)
- EAP-Chaining: Wired machine+user authentication using EAP-FAST with AnyConnect
- Wired Machine Authentication and Authorization: use digital certificate for Corporate device
- Wired User 802.1X Authentication: Show Successful Login and Role-Based Access
- Wired WebAuth Login: Show Login With No Supplicant
- Wired Authentication (user or machine) & Authorization on a Docking Station
- Wired Authentication for a user via a Windows Remote Desktop Protocol (RDP) Session
- Wired Authentication for Multi-User devices (Nurses Station, Call Center, etc.)
- Wired Authentication (user or machine) & Authorization on a Docking Station Behind IP-Phone
- Wired Authentication with Two-Factor Authentication (2FA)

VPN
- VPN Authentication and Authorization with Username:Password: Show Successful Login and Role-Based Access
- VPN Authentication and Authorization with Token/2FA: Show Successful Login and Role-Based Access
- VPN Access Attempt, Revoked Certificate (Testing OCSP)

Guest
Internet access for visitors. Generally, you should only implement one type of Guest network.

Scenarios (✓ Done / Notes)

HotSpot
- Customize Portal
  - Behavior: Acceptable Usage Policy (AUP), Password, Auto-Login, Success URL, etc.
  - Presentation: Logo, Colors, Fonts
- Demonstrate Hotspot with desired flow

Self-Registered
- Create desired Guest Types
- Demonstrate Self-Service Guest registration

Sponsored
- Customize Sponsor Portal Flow and Presentation
- Create Sponsor Groups
- Demonstrate Sponsor Portal (sponsored Guest access)
- Login with Sponsored Guest Credentials
- Concurrent Guest Logins

API
- Guest API integration with external application(s)

BYOD
Onboard & differentiate personal & corporate devices. Consider the following topics when determining your scenarios:

- Is it Single SSID or Dual SSID?
- Will Android be in the BYOD design? If so, please provide details of the provisioning authorization profile
- What devices will and will not be provisioned?
- What supplicant will be used? Native or AnyConnect or Other?
- What access will unsupported devices get? (i.e. Blackberry, Windows phones, Chromebooks)
- Will EMM/MDM be integrated with the BYOD design? If so, please provide details of the MDM policy below in the Authorization Policy section and whether or not redirection will be used for MDM agent installation

Scenarios (✓ Done / Notes)

Device Registration
- Single SSID: Unregistered devices are redirected to a WebAuth portal and respective users
- Dual SSID: Unregistered devices are redirected to a WebAuth portal and respective users

Certificate Provisioning
- BYOD: Onboarding, Certificate Provisioning with Internal or External CA
- Certificate Expiration with Internal or External CA
- Certificate Renewal 2-4 weeks before Certificate Expiration

Device Management
- Certificate Revocation by Administrator
- End-User self management, Device Lost; Blacklist endpoint
- End-User self management, Device Stolen; revoke Certificate

Integration
Share contextual information with other products

Scenarios (✓ Done / Notes)

Context Sharing
- Demonstrate pxGrid integration with SIEM
- Share identity context with StealthWatch via pxGrid
- Cisco Industrial Network Director shares IOTAsset topic with ISE
- ISE brokers pxGrid topic sharing among partners
- ...

Threat Mitigation
- Rapid Threat Containment (RTC)
- Threat-Centric NAC Integration with Vulnerability Scanner or AMP
- ...

APIs
- Integrate Guest Management workflow from another application
- Integrate DNA Center with ISE for Access Control Policy and software-defined Segmentation with TrustSec
- Integrate network management tool for adding/updating/removing network devices, endpoints, etc.
- ...

Compliance
Ensure that endpoints meet security standards.

Review the list of currently supported packages for Windows and MacOSX.

Scenarios (✓ Done / Notes)

Agent-less
- Posture Windows with Temporal Agent
- Posture MacOS with Temporal Agent

Agent-based
- Non-Compliant endpoints are quarantined and redirected to provision AnyConnect and the Posture Module via ISE
- Non-Compliant endpoints are quarantined and redirected until provisioned by [WSUS, etc.]
- Compliant endpoints are properly authorized on the network

Enterprise Mobility Management (EMM) / Mobile Device Management (MDM)
- Integrate ISE with EMM/MDM vendor(s)
- Non-Compliant endpoints are quarantined and redirected until provisioned by [WSUS, etc.]
- Compliant endpoints are properly authorized on the network

Posture Policies
Describe posture policy requirements for endpoint compliance. This may include many areas such as asset checking, application and services checking, and antivirus and antispyware checks, as well as customized checks for specific use cases. Describe remediation plans and include remediation servers that need to be integrated into the design.

| Rule Name | OS (Windows/MacOSX) | Conditions | Posture Agent | Checks | Remediation | Enforcement (Audit/Opt/Mandatory) | When Assessed (Login/PRA/Both) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Employee_AV | Windows XP/7 | AD group=Employee | NAC Agent | AV Rule: for Microsoft Windows Security Essentials 2.x | Live update (Automatic) | Mandatory | Both |
| Employee_Asset | Windows XP/7 | AD group=Employee | NAC Agent | Custom registry check for Windows | Link redirect to policy page (Manual) | Mandatory | Login |
| Contractor_AV | Windows ALL | ID Group=Contractor | Web Agent | AV_Rule: Any AV w/current signatures | Local Message regarding AV Policy | Mandatory | Login |

Client Provisioning Policies

Describe Client Provisioning policy requirements for posture and native supplicant provisioning.

| Rule Name | Identity Groups | Operating Systems | Other Conditions | Results |
| --- | --- | --- | --- | --- |
| Apple | Any | MAC OSX or Apple iOS | | Native Supplicant: EAP-TLS, SSID |
| Windows | Any | Windows All | | Agent: NAC Agent; Native Supplicant: PEAP-MSCHAPv2, SSID |
| Android | Any | Android | | Native Supplicant: EAP-TLS, SSID |

Segmentation
Limit exposure with pre-defined access segmentation

Scenarios (✓ Done / Notes)

Classification
- Dynamically classify endpoints with SGTs via MAB (static or profiled, e.g. IOT)
- Dynamically classify endpoints with SGTs via 802.1X Machine Authentication
- Dynamically classify users with SGTs via 802.1X Authentication
- Dynamically classify users with SGTs via Easy Connect (MAB+Passive Identity)
- Dynamically classify users with SGTs using WebAuth (e.g. Guests)
- Statically classify traffic by VLAN
- Statically classify traffic by Subnet
- Statically classify traffic by L2 Interface
- Statically classify traffic by L3 Port
- Statically classify traffic by VM (port profile)

East-West Segmentation
- Malware blocking between Employees
- Virtual machines in the data center

Firewall Rule Reduction
- Use group-based policies to reduce firewall rules by eliminating the need to specify IPv4/IPv6 addresses

User to Data Center
- Use group-based policy to enforce access to resources in the data center

Containment
Reduce risk with rapid threat containment.

Scenarios (✓ Done / Notes)
- Scenario 1
- Scenario 2
- Scenario 3

Operations & Management
List the day-to-day operations you anticipate needing to do.

Scenarios (✓ Done / Notes)

Monitoring
- Real-Time Event Log (Live Log)
- Illustrate the Live Log Authentication Details
- Debug Endpoint (Working across entire ISE deployment)
- TCP Dump from Central Location
- Troubleshooting Active Directory - Basic and Detailed
- Policy Export
- Suppression Bypass
- Collection Filters
- NAD Syslog Correlation in Reports
- Time-Range Bound Support Bundles
- Guest Activity Monitoring

Management
- Create a Wildcard Certificate for an ISE deployment
- Centralized, Encrypted Backup
- Create and run Scheduled or On-Demand Backups
- RBAC, with predefined roles, customize, add and remove options, Help desk accounts, super user account.
- Centralized Monitoring of All ISE Nodes
- Simultaneous Admin Users Logged in & working with ISE
- Enable and use External RESTful Services (ERS) APIs
- Demonstrate the Upgrading of ISE Nodes with Zero Down Time

 
Scale & High Availability
List the scale and HA scenarios you want to test.

Scenarios (✓ Done / Notes)

ISE Cube
- Multi-Forest AD Join
- Multi-AD within Single Forest Joins
- Policy Admin Node (PAN) Down
- Policy Service Node (PSN) Down

Survivability & High Availability
- Identity Store (AD) Down/Unavailable
- Remote Site WAN Link Down
- Reinitialization once WAN is back up
- Fail Open
- Fail Half-Open (Critical ACL)
- Fail Closed

Policy Details
List all security policies that are needed to implement the business requirements described above.

Authentication Policy
For each use case (wired, wireless, VPN), describe the authentication policies that will be implemented for all users and endpoints whether managed or unmanaged.

| Rule Name | Condition | Allowed Protocols | ID Store / ID Sequence |
| --- | --- | --- | --- |
| Device Access | Wired_MAB | Default Network Access | Internal EndPoints |
| 802.1X Access | Wired_802.1X | Default Network Access | AD_then_Local |
| VPN | NAS-Port-Type = Virtual | Default Network Access | AD |
| | | | |
| Default | - | Default Network Access | Internal Users |

Authorization Policy
For each use case (wired, wireless, VPN), describe the authorization policies that will be implemented for all users and endpoints whether managed or unmanaged.

| Rule Name | Identity Groups | Other Conditions | Permissions |
| --- | --- | --- | --- |
| BYOD Unknown | Unknown | Mobile Devices Logical Group; EAP Tunnel = PEAP; EAP Type = MSCHAPv2 | NSP dACL; NSP Redirect |
| BYOD Registered | Registered | EAP Type = EAP-TLS; SAN = Calling-Station-ID | Registered dACL |
| IP_Phones | Cisco-IP-Phones | - | Voice VLAN; Authz VVID |
| Printers | Managed-Printers | - | Printer VLAN |
| Cameras | Managed-Cameras | - | Camera VLAN |
| Workstation_Access | Any | Domain PC | AD Access dACL |
| User_Role_1_Access | Any | Domain Member Role1 | Role1 dACL |
| User_Role_2_Access | Any | Domain Member Role2 | Role2 dACL |
| | | | |
| Guest_Access | Guest | - | Internet Only dACL |
| Default | - | - | Web Auth |
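As an added example (not code from the template, from Cisco or from ISE itself), here is a first-match evaluator over the two rule tables above, showing how rule order and the catch-all Default decide the outcome, including the case of a BYOD certificate presented from a MAC other than the one in its SAN. The request attribute names ("Service-Type", "Cert-SAN", "Logical-Profile") and the modelling of Wired_MAB / Wired_802.1X as attribute pairs are assumptions made for this illustration.

```python
"""Added example, not part of the HLD template or an ISE component: a
first-match evaluator for the Authentication and Authorization tables,
to show how rule order and the catch-all Default decide the outcome.
Rule names, conditions and results come from the page; the request
attribute names (e.g. "Service-Type", "Cert-SAN") are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]
Cond = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    condition: Cond
    result: str


def first_match(rules: List[Rule], req: Request) -> Rule:
    """ISE walks a rule table top to bottom and stops at the first hit,
    so the Default row must be last and must always match."""
    for rule in rules:
        if rule.condition(req):
            return rule
    raise ValueError("rule table has no matching Default rule")


def attr_is(key: str, value: str) -> Cond:
    return lambda r: r.get(key) == value


def all_of(*conds: Cond) -> Cond:
    return lambda r: all(c(r) for c in conds)


ANY: Cond = lambda r: True

# Authentication policy (which identity store is consulted). Modelling
# Wired_MAB / Wired_802.1X as NAS-Port-Type + Service-Type pairs is an
# assumption made here, not ISE's own compound condition definition.
WIRED_MAB = all_of(attr_is("NAS-Port-Type", "Ethernet"), attr_is("Service-Type", "Call Check"))
WIRED_DOT1X = all_of(attr_is("NAS-Port-Type", "Ethernet"), attr_is("Service-Type", "Framed"))

AUTHENTICATION = [
    Rule("Device Access", WIRED_MAB, "Internal EndPoints"),
    Rule("802.1X Access", WIRED_DOT1X, "AD_then_Local"),
    Rule("VPN", attr_is("NAS-Port-Type", "Virtual"), "AD"),
    Rule("Default", ANY, "Internal Users"),
]


def san_matches_mac(r: Request) -> bool:
    """'SAN = Calling-Station-ID': the BYOD certificate's SAN must equal the
    MAC the request came from, so a cert copied to another device misses."""
    san = r.get("Cert-SAN", "").lower()
    return bool(san) and san == r.get("Calling-Station-ID", "").lower()


# Authorization policy (what the endpoint is permitted to do), a subset of
# the table's rows; "Mobile Devices Logical Group" is modelled as the
# assumed "Logical-Profile" attribute.
AUTHORIZATION = [
    Rule("BYOD Unknown", all_of(attr_is("Identity-Group", "Unknown"),
                                attr_is("Logical-Profile", "Mobile Devices"),
                                attr_is("EAP-Tunnel", "PEAP"),
                                attr_is("EAP-Type", "MSCHAPv2")), "NSP dACL + NSP Redirect"),
    Rule("BYOD Registered", all_of(attr_is("Identity-Group", "Registered"),
                                   attr_is("EAP-Type", "EAP-TLS"),
                                   san_matches_mac), "Registered dACL"),
    Rule("IP_Phones", attr_is("Identity-Group", "Cisco-IP-Phones"), "Voice VLAN + Authz VVID"),
    Rule("Guest_Access", attr_is("Identity-Group", "Guest"), "Internet Only dACL"),
    Rule("Default", ANY, "Web Auth"),
]


def authenticate(req: Request) -> str:
    return first_match(AUTHENTICATION, req).result


def authorize(req: Request) -> str:
    return first_match(AUTHORIZATION, req).result
```

A registered device whose certificate SAN does not match the Calling-Station-ID falls past the BYOD Registered row and lands on Default (Web Auth), which is the behaviour the SAN condition is there to produce.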

Resources

- ISE Performance & Scale
- ISE Bill of Materials (BOM) Tool (https://sambt.cisco.com) is available to assist with creating BoMs

Tags: checklist deployment design hld ise outline plan planning pov scenarios test-plan testing
