Availability
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco ISE & TrustSec Sessions: Building Blocks
BRKSEC-2045 -
BRKCOC-2015 BRKSEC-3697
BRKSEC-3699 Mobile Devices and
Cisco IT's Assured Advanced ISE
Designing ISE for BYOD Security -
Network Access: (ISE) Services, Tips and
Scale & High Deployment and Best
Deployment and Best Tricks
Availability Practices
Practices (Wed 8:00am)…
(Thurs 8:00am) (Mon 4:00pm)
(Thurs 10:30am) . (Thurs 8:00am) …
(Tue 4:00pm)
Available on ciscolive.com
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Hear Me Now, Believe Me Later”
Source: “Pumping Up with Hans & Franz" - Saturday Night Live (1987-1991)
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Agenda
PAN
Policy Administration Node (PAN)
– Interface to configure policies and manage ISE deployment
– Replication hub for all database config changes
MnT
Monitoring & Troubleshooting Node (MnT)
– Interface to reporting and logging
– Destination for syslog from other ISE nodes and optionally NADs
PXG pxGrid Controller
– Facilitates sharing of information between network elements
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Standalone Deployment
All Personas on a Single Node: PAN, PSN, MnT, pxGrid
• Maximum endpoints – Platform dependent
• 5,000 for 3415
• 7,500 for 3515
ISE Node
• 10,000 for 3495
PAN
• 20,000 for 3595 Policy Administration Node
MnT
Monitoring and Troubleshooting Node
PSN
Policy Service Node
PXG
pxGrid Node
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Basic 2-Node ISE Deployment (Redundant)
• Maximum endpoints – 20,000 (platform dependent—same as standalone)
• Redundant sizing – 20,000 (platform dependent—same as standalone)
ISE Node ISE Node
PSN PSN
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Basic 2-Node ISE Deployment (Redundant)
Maximum Endpoints = 20,000 (Platform dependent)
Branch A Branch B
Switch Switch
AP 802.1X AP 802.1X
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Distributed Persona Deployment
Admin + MnT on Same Appliance; Policy Service on Dedicated Appliance
PAN PAN
MnT MnT
• 2 x Admin+Monitor
• Max 5 PSNs
• Max endpoints – Platform dependent PSN
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Basic Distributed Deployment
Maximum Endpoints = 20,000 / Maximum 5 PSNs
Admin (P) Admin (S) Policy Services
MnT (P) MnT (S) Cluster Distributed
Policy Services
PSN PSN PSN
PSN PSN
AD/LDAP
(External ID/ AD/LDAP
Attribute Store) (External ID/
Data DC B Attribute Store)
Center A
WLC
ASA VPN 802.1X
w/ CoA
Switch
802.1X AP
WLC
802.1X Switch
AP 802.1X •Dedicated Management Appliances
•Primary Admin / Primary MnT
Branch B •Secondary MnT / Secondary Admin
Branch A
•Dedicated Policy Service Nodes—Up to 5 PSNs
Switch
802.1X
Switch •No more than 20,000 Endpoints Supported
802.1X
AP AP •3515 as Admin/MnT = Max 7.5k endpoints
•3595 as Admin/MnT = Max 20k endpoints
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Distributed Persona Deployment
Dedicated Appliance for Each Persona: Admin, Monitoring, pxGrid, Policy Service
• 2 x Admin and 2 x Monitoring Optional
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Fully Distributed Deployment
Maximum Endpoints = 500,000 / Maximum 50 PSNs
AD/LDAP
(External ID/ AD/LDAP
Attribute Store) (External ID/
Data DC B Attribute Store)
Center A
WLC
ASA VPN 802.1X
w/ CoA
Switch
802.1X AP
WLC
802.1X Switch
802.1X
AP
•Redundant, dedicated Administration and Monitoring nodes split
across data centers (P=Primary / S=Secondary)
Branch A Branch B •Policy Service cluster for Wired/Wireless services at main campus
•Distributed Policy Service clusters for DR sites or larger campuses
with higher-bandwidth, lower-latency interconnects.
AP
Switch
802.1X AP
Switch •Centralized PSN clusters for remote Wired/Wireless branch devices
802.1X
•VPN/Wireless (non-CoA) at main campus via HA Inline Posture nodes
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Sizing Guidance for ISE Nodes
34xx/35xx Scaling by Deployment/Platform/Persona
ISE 2.1 Max Concurrent Session Counts by Deployment Model and Platform
Max Active Sessions per Max # Dedicated
Deployment Model Platform
Deployment PSNs
3415 5,000 0
Standalone (all personas on
3495 10,000 0
same node)
(2 nodes redundant) 3515 7,500 0
3595 20,000 0
3415 as Admin+MNT 5,000 5
Admin + MnT on same node;
3495 as Admin+MNT 10,000 5
Dedicated PSN
(Minimum 4 nodes redundant) 3515 as Admin+MNT 7,500 5
3595 as Admin+MNT 20,000 5
Dedicated Admin and MnT nodes 3495 as Admin and MNT 250,000 40
(Minimum 6 nodes redundant) 3595 as Admin and MNT 500,000 50
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Policy Service Node Sizing
Physical and Virtual Appliance Guidance
• Max Endpoints Per Appliance for Dedicated PSN
Form Platform Size Appliance Maximum
General VM appliance
Factor Endpoints
sizing guidance:
Small SNS-3415 5,000
Large SNS-3495 20,000
Physical 1) Select physical
Small (New) SNS-3515 * 7,500 appliance that meets
Large (New) SNS-3595 * 40,000 required persona and
Virtual S/L VM *5,000-40,000 scaling requirements
2) Configure VM to match
* Under ISE 2.0.1, scaling for Small & Large 35x5 or exceed the ISE
appliance same as Small & Large 34x5 appliance. physical appliance
specifications
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Appliance Hardware Specifications
Basis for VMware Appliance Sizing and Redundancy
New SNS-3500 Series
• ISE SNS Appliance Specifications
SNS-3415 SNS-3495 SNS-3515 SNS-3595
Platform
(34x5 Small) (34x5 Large) (35x5 Small) (35x5 Large)
Processor 1 x QuadCore 2 x QuadCore 1 x 6-Core 1 x 8-Core
Intel Xeon CPU E5-2609 Intel Xeon CPU E5-2609 Intel Xeon CPU E5-2620 Intel Xeon CPU E5-2640
@ 2.40 GHz @ 2.40 GHz @ 2.30 GHz @ 2.60 GHz+20MB Cache
(4 total cores) (8 total cores) (6 total cores) (8 total cores)
Memory 16 GB 32 GB 16 GB 64 GB
Hard disk 1 x 600-GB 10k SAS HDD 2 x 600-GB 10k SAS HDDs 1 x 600-GB 10k SAS HDD 4 x 600-GB 10k SAS HDDs
(600 GB total disk space) (600 GB total disk space) (600 GB total disk space) (1.2 TB total disk space)
RAID No (1GB FBWC Yes (RAID 10)
No Yes (RAID 1)
Controller Cache) (1GB FBWC Cache)
Ethernet 2 x Integrated GE Ports 2 x Integrated GE Ports
NICs 4x Integrated Gigabit NICs 4 x Integrated Gigabit NICs 4x mLOM GE Ports 4x mLOM GE Ports
(6 total LAN ports) (6 total LAN ports)
Redundant
No (2nd PSU optional) Yes No (2nd PSU optional) Yes
Power?
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Sizing Production VMs to Physical Appliances
Summary
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
• “Mini” OVA for eval/lab testing up to 100 Endpoints
(no reservations)
ISE 2.1 OVA Templates • All 3xx5 templates reserve CPU and Memory
• OVA not recommended for MnT nodes
Summary • Min 600+ GB recommended for MnT (up to 2TB)
30,000 Assumptions:
40,000 32 63 95 162 323 • 10+ auths/day
26 51 76 129 258 per endpoint
50,000
13 26 38 65 129 • Logging
100,000 suppression
150,000 9 17 26 43 86 enabled
200,000 7 13 19 33 65
250,000 6 11 16 26 52
PSN PSN
PSN PSN PSN PSN
PSN PSN PSN PSN
PSN PSN PSN PSN
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
What if Distributed PSNs > 300ms RTT Latency?
< 200 ms
> 200 ms
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Option #1: Deploy Separate ISE Instances
Per-Instance Latency < 300ms
RADIUS
PAN MnT
PSN PSN
< 200 ms PSN PSN
> 200 ms WLC Switch
WLC Switch 32
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Option #2: Centralize PSNs Where Latency < 300ms
RADIUS
Switch
RADIUS
< 200 ms
> 200 ms
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
ISE Bandwidth Calculator (Multi-Site)
• ISE Personas:
• PAN
• MNT
• PSN
• pxGrid
• PSN Services
• Session • Avoid unnecessary
• Profiling overload of PSN
• TC-NAC services
• ISE SXP
• Device Admin • Some services
(TACACS+) should be dedicated
• Passive Identity to one/two PSNs
(Easy Connect)
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
ISE Personas and Services
Maximum Personas and PSN nodes running service
Maximum
Persona / Service Comments
Nodes
PAN 2 Admin UI restricts to 2
MnT 2 Admin UI restricts to 2
pxGrid 2 Admin UI restricts to 2
PSN 50
Session 50
Profiling 50 Typically enabled w/Session
TC-NAC 1 Admin UI restricts to 1
ISE SXP 4 2 SXPSN pairs
Device Admin 50 Typically 2 sufficient
Passive Identity Multiple Max 2 recommended
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Scaling RADIUS, Web, Profiling, and TACACS+ w/LB
• Policy Service nodes can be configured in a cluster behind a load balancer (LB).
• Access Devices send RADIUS and TACACS+ AAA requests to LB virtual IP.
PSNs
PSN
PSN PSN PSN PSN PSN PSN PSN PSN
(RADIUS
Servers)
Network
Access
Devices
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Auth Policy Optimization
Leverage Policy Sets to Organize and Scale Policy Processing
Policy Set
Condition
Authentication
Authorization
Policy
Sets
Administration > System > Settings > Policy Sets
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Search Speed Test
• Find the object where…
• Total stars = 10
• Total green stars = 4
• Total red stars = 2
• Outer shape = Red Circle
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Auth Policy Optimization • Policy Logic:
Avoid Unnecessary External Store Lookups o First Match, Top Down
o Skip Rule on first negative
condition match
• More specific rules generally at top
• Try to place more “popular” rules
before less used rules.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Auth Policy Optimization
Rule Sequence and Condition Order is Important!
Example #1: Employee Example #2: Employee_CWA
1. Endpoint ID Group 1. Location (Network Device Group)
2. Authenticated using AD? 2. Web Authenticated?
3. Auth method/protocol 3. Authenticated via LDAP Store?
4. AD Group Lookup 4. LDAP Attribute Comparison
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Enable EAP Session Resume / Fast Reconnect
Major performance boost, but not complete auth so avoid excessive timeout value
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Scaling AD Integration
Scaling AD Integration w/ Sites & Services
How do I ensure Local PSN is connecting to Local AD controller?
Which AD
server should
I connect to?
I will connect
Which AD with local AD
server should server X!
AD ‘X’ AD ‘X’
I connect to?
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Authentication Domains (Whitelisting)
Enable r1.dom
And disable the rest
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Load Balancing
LDAP Servers
Lookup1
Lookup2 = ldap.company.com
10.1.95.7
Response = 10.1.95.6
10.1.95.5
15 minute reconnect timer
ldap1.company.com
LDAP Query to 10.1.95.7
10.1.95.6
PSN
10.1.95.6
10.1.95.6
LDAP Response from 10.1.95.7
ldap2.company.com
10.1.95.7
ldap3.company.com
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
BRKSEC-2132 What’s new in ISE
AD Integration Best Practices Active Directory Connector
(Cisco Live Online) by Chris Murray
• DNS servers in ISE nodes must have all relevant AD records (A, PTR, SRV)
• Ensure NTP configured for all ISE nodes and AD servers
• Configure AD Sites and Services
(with ISE machine accounts configured for relevant Sites)
Publish Session
AD Logins Topic to pxGrid
PSN
SXP PXG
Cisco ASA
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Easy Connect ISE Session Directory
MAC IP Uname Profile Method Source SGT
Consuming Both AD and RADIUS Logins Identity
1.2.3.4 chyps
Mapping
Windows Event log
Identity
2.3.4.5 imbashir
IP Address Username Mapping
1.2.3.4 imbashir 22:33:44: Samsung
3.4.5.6 hslai dot1x RADIUS 10
55:66:77 Galaxy
2.3.4.5 chyps
33:44:55:
5.6.7.8 zsariedd Apple-iPad mab RADIUS 20
66:77:88
44:55:66: Apple-
6.7.8.9 awoland dot1x RADIUS 10
77:88:99 anything
AD Logins WMI
AD Logins
PSN MnT
IdMap RADIUS Logins
SXP
Publish Session
Update SXP peers Topic to pxGrid
with SGT mappings
from RADIUS PXG
Cisco ASA
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Easy Connect Enforcement ISE Session Directory
MAC IP Uname Profile Method Source SGT
Merging RADIUS Identity with AD Login Identity 00:11:22: Windows7- Dot1x Identity
Id Map-
1.2.3.4 chyps 10
33:44:55 WS +PsvID Mapping
RADIUS
• Merge active RADIUS Windows Event log 11:22:33: Windows MAB Identity
Id Map-
2.3.4.5 imbashir 30
IP Address Username 44:55:66 10 +PsvID Mapping
RADIUS
Identity with passive AD
22:33:44: Samsung
Identity 1.2.3.4 imbashir
55:66:77
3.4.5.6 hslai
Galaxy
dot1x RADIUS 10
2.3.4.5 chyps 33:44:55:
• AuthZ = RADIUS + PassiveID 66:77:88
5.6.7.8 zsariedd Apple-iPad mab RADIUS 20
44:55:66: Apple-
6.7.8.9 awoland dot1x RADIUS 10
77:88:99 anything
Calling ID:
00:11:22:33:44:55
00:11:22:33:44:55 Framed IP: 1.2.3.4
AD Logins WMI
AD Logins
PSN MnT
IdMa RADIUS Logins
SXP p
MnT MnT
DNS Servers ISE-PSN-1 10.1.1.1
PAN PAN
ISE-PSN-2 10.1.1.2
ISE-PSN-3 10.1.1.3
ISE-PSN-4 10.2.1.4
ISE-PSN-5 10.2.1.5
ISE-PSN-6 10.2.1.6
PSN PSN PSN ISE-PSN-7 10.3.1.7
PSN PSN PSN
ISE-PSN-8 10.3.1.8
ISE-PSN-9 10.3.1.9
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Scaling Guest Authentications Using 802.1X
“Activated Guest” allows guest accounts to be used without ISE web auth portal
• Guests auth with 802.1X using EAP methods like PEAP-MSCHAPv2 / EAP-GTC
• 802.1X auth performance generally much higher than web auth
Note: AUP and Password Change cannot be enforced since guest bypasses portal flow.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Scaling Web Authentication
“Remember Me” Guest Flows
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Automated Device Registration and Purge
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Endpoint Purging
Matching Conditions
Purge by:
# Days After
Creation
# Days Inactive
Specified Date
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Endpoint Purging Examples
Matching Conditions
Purge by:
# Days After
Creation
# Days Inactive
Specified Date
On Demand Purge BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Location Services Scaling
Location Based Authorization
Authorize User Access to the Network Based on Their Location
ISE 2.0
UI to Configure MSE
MSE 8.0
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Tracking Location in Authorization Policy
Limit Location Tracking to Critical Locations and Resource Access
• Track Movement of the endpoint after authentication using MAC address
• Query MSE every 5 minutes
to verify current location.
• If no change, do nothing
• If change, update endpoint
info and issue CoA.
• Best Practice: Do NOT
track every session!
• Limit tracking to critical access
based on location.
• Excessive tracking can lead
to lookup failures. (Max 150 TPS)
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Scaling Posture & MDM
Posture Lease
Once Compliant, user may leave/reconnect multiple times before re-posture
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
MDM Scalability and Survivability
What Happens When the MDM Server is Unreachable?
• ISE 1.4+ supports multiple MDM servers – could be same or different vendors.
• All attributes retrieved & reachability determined by single API call on each new session.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
BRKSEC-2060
Device Administration with TACACS+ using Identity Services Engine
(Monday 8:00am) by Gennady Yakubovich
ISE Deployment
PSN-1
PAN
MNT
PSN-2
RAD
RADIUS & T+
T+
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Design #2 – RADIUS & T+ Use Dedicated PSNs
ISE Deployment
PSN-1
PSN-3
PSN-5
PAN
PSN-2 MNT
PSN-4
PSN-6
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Design #3 – Separate Deployments for RAD & T+
Dev Admin Only
PSN-1
PSN-3 MNT
PSN-5
PAN
RADIUS Only
PSN-2
PSN-4 MNT
PSN-6
T+ TACACS+ Only
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
RADIUS Only PSNs
Administration > System > Deployment > [ISE node]
TACACS+ Disabled
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
TACACS+ Only PSNs
Administration > System > Deployment > [ISE node]
Disable Network
Access Services
Device Admin = T+
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Options for Deploying Device Admin
https://communities.cisco.com/docs/DOC-63930
Separate Deployment Separate PSNs Mixed PSNs
Priorities
- According to Policy and
Business Goals
RADIUS TACACS RADIUS TACACS RADIUS/ TACACS
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
TACACS+ Multi-Service Scaling (RADIUS and T+)
Max Concurrent TACACS+ TPS by Deployment Model and Platform
Max # Max RADIUS Sessions Max TACACS+
Deployment Model Platform
Dedicated PSNs per Deployment TPS
3415 0 5,000 50
Standalone (all personas on
3495 0 10,000 50
same node)
(2 nodes redundant) 3515 0 7,500 50
3595 0 20,000 50
3415 as Admin+MNT * 5 / 3+2 5,000 100 / 500
Admin + MnT on same node;
3495 as Admin+MNT * 5 / 3+2 10,000 100 / 1,000
Dedicated PSN
(Minimum 4 nodes redundant) 3515 as Admin+MNT * 5 / 3+2 7,500 ** 100 / 1,000
3595 as Admin+MNT * 5 / 3+2 20,000 ** 100 / 1,500
Dedicated Admin and MnT nodes 3495 as Admin and MNT * 40 / 38+2 250,000 1,000 / 2,000
(Minimum 6 nodes redundant) 3595 as Admin and MNT * 50 / 48+2 500,000 ** 1,000 / 3,000
Max RADIUS Sessions Max TACACS+
Scaling per PSN Platform per PSN TPS
SNS-3415 5,000 500
Dedicated Policy nodes
SNS-3495 20,000 1,000
(Max Sessions Gated by
Deployment Maximums) SNS-3515 7,500 ** 1,000
SNS-3595 40,000 ** 1,500
* Device Admin service enabled on same PSNs also used for RADIUS OR Split RADIUS and T+ PSNs
76
** Under ISE 2.0.x, scaling for Small and Large 35x5 applianceBRKSEC-3699
same as ©Small andits affiliates.
2016 Cisco and/or Large 34x5
All rights reserved.appliance.
Cisco Public 76
TACACS+ Multi-Service Scaling (TACACS+ Only)
Max Concurrent TACACS+ TPS by Deployment Model and Platform
Max # Max RADIUS Sessions Max TACACS+
Deployment Model Platform
Dedicated PSNs per Deployment TPS
3415 0 N/A 500
Standalone (all personas on
3495 0 N/A 1,000
same node)
(2 nodes redundant) 3515 0 N/A 1,000
3595 0 N/A 1,500
3415 as Admin+MNT * 5 (2 rec.) N/A 2,500 (1,000)
Admin + MnT on same node;
3495 as Admin+MNT * 5 (2 rec.) N/A 5,000 (2,000)
Dedicated PSN
(Minimum 4 nodes redundant) 3515 as Admin+MNT * 5 (2 rec.) N/A 5,000 (2,000)
3595 as Admin+MNT * 5 (2 rec.) N/A ** 7,500 (3,000)
Dedicated Admin and MnT nodes 3495 as Admin and MNT * 40 (2 rec.) N/A ** 20,000 (2,000)
(Minimum 6 nodes redundant) 3595 as Admin and MNT * 50 (2 rec.) N/A ** 25,000 (3,000)
Max RADIUS Sessions Max TACACS+
Scaling per PSN Platform per PSN TPS
SNS-3415 N/A 500
Dedicated Policy nodes
SNS-3495 N/A 1,000
(Max Sessions Gated by
Deployment Maximums) SNS-3515 N/A * 1,000
SNS-3595 N/A * 1,500
* Device Admin service can be enabled on each PSN; minimally 2 for redundancy, but 2 often sufficient.
77
** Currently exceeds max log capacity for MNT. BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
TACACS+ MnT Scaling For Your
Reference
Human Versus Automated Device Administration
• Consider the “average” size syslog from TACACS+ based on following guidance:
Each TACACS+ Session Each Command Authorization (per session)
Authentication: 2kB Command authorization: 2kB
Session authorization: 2kB Command accounting : 1kB
Session accounting: 1kB
1 <1 <1 150 < 1MB <1 <1 650 1MB <1 <1 1.2k 2MB
5 <1 <1 750 1MB <1 <1 3.3k 4MB <1 <1 5.8k 9MB
10 <1 <1 1.5k 3MB <1 <1 6.5k 8MB <1 1 11.5k 17MB
Human
25 <1 <1 3.8k 7MB <1 1 16.3k 19MB <1 2 28.8k 43MB
50 <1 1 7.5k 13MB <1 2 32.5k 37MB 1 4 57.5k 86MB
100 <1 1 15k 25MB 1 4 65k 73MB 2 8 115k 171MB
# NADs Based on 4 Scripted Sessions per Day
500 <1 5 6k 10MB <1 22 26k 30MB 1 38 46k 70MB
Script Admin
1 <1 <1 150 < 1MB <1 <1 650 1MB <1 <1 1.2k 2MB
5 <1 <1 750 1MB <1 <1 3.3k 4MB <1 <1 5.8k 9MB
10 <1 <1 1.5k 3MB <1 <1 6.5k 8MB <1 1 11.5k 17MB
25 <1 <1 3.8k 7MB <1 1 16.3k 19MB <1 2 28.8k 43MB
50 <1 1 7.5k 13MB <1 2 32.5k 37MB 1 4 57.5k 86MB
100 <1 1 15k 25MB 1 4 65k 73MB 2 8 115k 171MB
# NADs Based on 4 Scripted Sessions per Day
500 <1 5 6k 10MB <1 22 26k 30MB 1 38 46k 70MB
Admin
ScriptAdmin
20,000 3 200 240k 400MB 12 867 1.04M 1.2GB 21 1.5k 1.84M 2.7GB
30,000 5 300 480k 600MB 18 1.3k 1.56M 1.7GB 32 2.3k 2.76M 4.0GB
50,000 7 500 600k 1GB 30 2.2k 2.6M 2.9GB 53 3.8k 4.6M 6.7GB
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Scaling Profiling and Database
Replication
Endpoint Attribute Filter and Whitelist Attributes
Reduces Data Collection and Replication to Subset of Profile-Specific Attributes
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Whitelist Attributes vs Significant Attributes
Sampling of All Endpoint Attributes
PolicyVersion UseCase ifDescr L4_DST_PORT mdns_VSM_txt_identifier
host-name
OUI UserType ifIndex L4_SRC_PORT sipDeviceName
domain-name
EndPointMACAddress
MatchedPolicy ExternalGroups Whitelist Attributes
GroupsOrAttributesProcessFailure ifOperStatus
cdpCacheAddress
dhcp-class-identifier
dhcp-client-identifier
LAST_SWITCHED
OUTPUT_SNMP
sipDeviceVendor
sipDeviceVersion
EndPointMatchedProfile Called-Station-ID cdpCacheCapabilities PROTOCOL device-platform
dhcp-message-type MDMPinLockSet SRC_MASK
EndPointPolicy Calling-Station-ID 161-udp cdpCacheDeviceId FirstCollection dhcp-parameter-request-list device-platform-version
Total Certainty Factor DestinationIPAddress AAA-Server cdpCachePlatform FQDN MDMProvider
dhcp-requested-address SRC_TOS device-type
DestinationPort AD-Host-Exists
EndPointProfilerServer cdpCacheVersion
AC_User_Agent Framed-IP-Addressdhcp-user-class-idMDMSerialNumberTCP_FLAGS
Device IP Address lldpSystemDescriptionhost-name AD-Join-Point
EndPointSource AUPAccepted dhcp-vendor-classMDMServerReachable SRC_VLAN
StaticAssignment MACAddress lldpSystemName AD-Operating-System
BYODRegistration hrDeviceDescr flags MDMUpdateTime DST_VLAN AD-OS-Version
StaticGroupAssignment MessageCode lldpCapabilitiesMapSupported giaddr IN_SRC_MAC
NADAddress CacheUpdateTime
lldpChassisId
IdentityGroup NADAddress AD-Service-Pack
UpdateTime OUT_DST_MAC
Description NAS-IP-Address Calling-Station-ID
cLApIfMacAddress IdentityGroupID hlen NAS-IP-Address MAX_TTL iotAssetDeviceType
hops
IdentityGroup NAS-Port cdpCacheAddress
cLApName IdentityStoreGUIDhtype NAS-Port-Id MIN_TTL iotAssetProductCode
ElapsedDays NAS-Port-Id cLApNameServerAddress
cdpCacheCapabilities IdentityStoreNameip NAS-Port-Type dst_as iotAssetProductName
InactiveDays NAS-Port-Type cLApSshEnable NmapScanCount src_as iotAssetRetrievedFrom
cdpCacheDeviceId ifIndex op
NetworkDeviceGroups NetworkDeviceName cLApTelnetEnable count iotAssetSerialNumber
cdpCachePlatform ip secs NmapSubnetScanID iotAssetTrustLevel
Location RequestLatency cLApTertiaryControllerAddress yiaddr flow_sequence
Device Type
IdentityAccessRestricted
Service-Type
Timestamp
cdpCacheVersion L4_DST_PORT
cLApTertiaryControllerAddressType
Expiration Date LastNmapScanTime
CertificatecLApUpTime
sysName
sysDescr
operating-system
OS Version Significant Attributes
source_id
sys_uptime
iotAssetVendorID
80-tcp
IdentityStoreName User-Name CertificatecLApWipsEnable
Issue Date lldpCacheCapabilities
sysContact
OUI unix_secs 110-tcp
ADDomain Egress-VLANID
Egress-VLAN-Name
cldcAssociationMode
Certificate Issuer Name lldpCapabilitiesMapSupported
sysLocation PhoneID MACADDRESS
version 135-tcp
139-tcp
AuthState cldcClientAccessVLAN
Certificate Serial Number lldpSystemDescription
hrDeviceDescr PhoneIDType MDMServerName
ISEPolicySetName Airespace-Wlan-Id
ciaddr
cldcClientIPAddress MACAddress LastNmapScanTime PolicyVersion MATCHEDVALUE
MDMUdid 143-tcp
IdentityPolicyMatchedRule Device Port cldcClientStatus MDMImei 443-tcp
EapTunnel CreateTime BYODRegistration
MatchedPolicy NmapScanCount PortalUser ENDPOINTPOLICY 445-tcp
AllowedProtocolMatchedRule MDMMeid
SelectedAccessService Framed-IP-Address Description MatchedPolicyID operating-system PostureApplicablePreviousDeviceR
DeviceRegistrationStatus MDMManufacturer 515-tcp
SelectedAuthenticationIdentityStores NAS-Identifier DestinationIPAddress
PortalUser
CLASS_ID
MDMCompliant DIRECTION ENDPOINTPOLICYVERSION
egistrationStatus MDMModel 3306-tcp
RadiusPacketType AUPAccepted MDMCompliantFailureReason Product 3389-tcp
AuthenticationIdentityStore
AuthenticationMethod Vlan
Device Identifier
LastAUPAcceptanceHoursMDMDiskEncrypted
DST_MASK STATICASSIGNMENT
MDMOSVersion
MDMPhoneNumber
RegistrationTimeStamp 5900-tcp
Device Name FIRST_SWITCHED
8080-tcp
AuthorizationPolicyMatchedRule
SelectedAuthorizationProfiles
VlanName
cafSessionAuthUserName
PostureAssessmentStatus
DeviceRegistrationStatus
FQDN
MDMEnrolled FLOW_SAMPLER_ID STATICGROUPASSIGNMENT
StaticAssignment MDMSerialNumber
MDMCompliant 9100-tcp
dhcp-class-identifier MDMImei FragmentOffset StaticGroupAssignment
CPMSessionID cafSessionAuthVlan
cafSessionAuthorizedBy
OpenSSLErrorMessage
dhcp-requested-address MDMJailBroken INPUT_SNMP sysDescr
NMAPSUBNETSCANID
MDMJailBroken 53-udp
67-udp
AAA-Server OpenSSLErrorStack IN_BYTES MDMPinLockSet
OriginalUserName cafSessionDomain EndPointPolicy
User-Agent MDMManufacturer IN_PKTS
TimeToProfile PORTALUSER
MDMDiskEncrypted 68-udp
DetailedInfo cafSessionStatus attribute-52
EndPointPolicyID MDMModel Total Certainty Factor
h323DeviceName 123-udp
OUT_BYTES
EapAuthentication dot1dBasePort attribute-53
EndPointProfilerServer MDMOSVersion IPV4_DST_ADDRUpdateTime DEVICEREGISTRATIONSTATUS
h323DeviceVendor 135-udp
NasRetransmissionTimeout dot1xAuthAuthControlledPortControl chaddr h323DeviceVersion 137-udp
EndPointSource MDMPhoneNumber IPV4_NEXT_HOPUser-Agent
TotalFailedAttempts dot1xAuthAuthControlledPortStatus ciaddr mdns_VSM_class_identifier 138-udp
IPV4_SRC_ADDR
TotalFailedTime dot1xAuthSessionUserName client-fqdn mdns_VSM_srv_identifier 139-udp
IPV4_IDENT
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Inter-Node Communications
JGroup Connections – Global Cluster TCP/12001 JGroups Tunneled
PSN3
*JGroups: Java toolkit for reliable multicast
communications
BRKSEC-3699 between
© 2016 Cisco group/cluster
and/or its affiliates. members.
All rights reserved. Cisco Public 85
Inter-Node Communications TCP/7800 JGroup Peer Communication
TCP/7802 JGroup Failure Detection
Local JGroups and Node Groups TCP/12001 JGroups Tunneled
MnT MnT
PAN PAN
PSN PSN
PSN3 PSN6
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Node Groups and Session Recovery
Dynamic Clean Up for Orphaned URL-Redirected Sessions
JGroup “Master”
CoA Session
Terminate
PSN PSN
PSN1 PSN2
RADIUS
Portal Redirect PSN
to PSN3
PSN3
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
ISE 2.1 Node Communications DNS: tcp-udp/53
NTP: udp/123
Repository: FTP, SFTP, NFS,
HTTP, HTTPS
For Your
Reference
pxGrid (Bulk Download): tcp/8910 File Copy: FTP, SCP, SFTP, TFTP
pxGrid: tcp/5222
pxGrid Client
Syslog: udp/20514, tcp/1468
PXG MnT Secure Syslog: tcp/6514
pxGrid: tcp/5222
Email/ NetFlow for TS: udp/9993
SMS
Gateways SMTP: RADIUS Auth: udp/1645,1812 NADs
Logging RADIUS Acct: udp/1646,1813
tcp/25
HTTPS: tcp/443 RADIUS CoA: udp/1700,3799
HTTPS; tcp/443
Syslog: udp/20514, tcp/1468 TACACS+: tcp/49
Syslog: udp/20514, tcp/1468
Secure Syslog: tcp/6514 WebAuth: tcp:443,8443
Secure Syslog: tcp/6514
CoA (REST API): udp/1700 OCSP: tcp/2560
pxGrid: tcp/5222 Oracle DB (Secure JDBC): tcp/1528
SMTP: tcp/25 SNMP: udp/161
JGroups: tcp/12001 JGroups: tcp/12001 (MnT to PAN)
(PPAN: email SNMP Trap: udp/162
expiry notifiy) NetFlow: udp/9996
TS CoA: udp/1700 DHCP:udp/67, udp/68
DHCPv6: udp/547
PAN HTTPS: tcp/443 SPAN:tcp/80,8080
Syslog: udp/20514, tcp/1468 PSN
JGroups: tcp/12001 (PSN to PAN) SXP: tcp/64999
Secure Syslog: tcp/6514
CoA (Admin/Guest Limit): udp/1700 SCEP: tcp/9090
SNMP Traps: udp/162
Query Attributes
MDM API: tcp/XXX LDAP: tcp-udp/389, tcp/3268 Inter-Node Communications
GUI: tcp/80,443 SMB:tcp/445
KDC:tcp-udp/88 Admin(P) - Admin(S): tcp/443,
Posture Updates/Smart SSH: tcp/22 Guest: tcp/8443
MDM Partner KPASS: tcp/464 tcp/12001(JGroups)
Licensing: tcp/443 Sponsor (PSN): tcp/8443 Discovery: tcp/8443, tcp/8905
Profiler Feed: tcp/8443 SNMP: udp/161 Agent Install: tcp/8443 SCEP: tcp/80, tcp/443 Monitor(P) - Monitor(S): tcp/443, udp/20514
REST API (MnT): tcp/443 NAC Agent: tcp/8905; udp/8905 NTP: udp/123
OCSP: tcp/80
PIP (Syslog)
ERS API: tcp/9060 PRA/KA: tcp/8905
CRL: tcp/80, tcp/443, tcp/389 Policy - Policy: tcp/7800, tcp/7802 (Node
Cloud Services
Admin->Sponsor: ODBC (configurable): Groups/JGroups); tcp/443 (PSN-SXPSN),
Cisco.com/Perfigo.com
tcp/9002 Microsoft SQL: tcp/1433 udp/1700 (Proxy CoA)
Profiler Feed Service
MDM & App Stores Sybase: tcp/2638
PortgreSQL: tcp/5432 pxGrid - pxGrid: tcp/5222
Push Notification
Admin /Sponsor Endpoint Oracle: tcp/1512
TC-NAC: tcp/443
BRKSEC-3699 WMI: tcp/135, tcp/5985, tcp/5986
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
ISE Profiling Best Practices
Whenever Possible…
• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
•
Do NOT send profile data to multiple PSNs !
Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
• For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using…
• DHCP IP Helpers
• SNMP Traps
• DHCP/HTTP with ERSPAN (Requires validation)
•
DO send profile data to single and same PSN or Node
Ensure profile data for a given endpoint is sent to the same PSN
• Group ! above, but not always possible across different probes
Same issue as
• Use node groups and ensure profile data for a given endpoint is sent to same node
DO use Device Sensor !
group.
• Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.
• DO probes
Avoid enable
thatthe Profiler
collect the same Attribute Filter
endpoint attributes !
• Example: Device Sensor + SNMP Query/IP Helper
• Enable Profiler Attribute Filter
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
ISE Profiling Best Practices
General Guidelines for Probes
• HTTP Probe:
• Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
• Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use intelligent
SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.
• DHCP Probe:
• Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!
•
Do NOT enable all probes by default !
Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
• Avoid
SNMP SPAN,
Probe: SNMP Traps, and NetFlow probes !
• Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low
session/re-auth timers) or frequent interim accounting updates.
• For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.
• SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS auth.
• NetFlow Probe:
Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
Profiling Redundancy – Duplicating Profile Data
Different DHCP Addresses
- Provides Redundancy but Leads to Contention for Ownership = Replication
• Common config is to duplicate IP helper
PSN
data at each NAD to two different PSNs or PSN-CLUSTER1 PSN1 (10.1.99.5)
PSN LB Clusters (10.1.98.8)
DC #1 PSN
PSN2 (10.1.99.6)
• Different PSNs receive data
Load PSN PSN3 (10.1.99.7)
Balancer
int Vlan10
DHCP Request PSN
PSN1 (10.2.101.5)
PSN-CLUSTER2
User (10.2.100.2)
PSN PSN2 (10.2.101.6)
DC #2
Load PSN PSN3 (10.2.101.7)
interface Vlan10
Balancer
ip helper-address <real_DHCP_Server>
ip helper-address 10.1.98.8
Note: LB depicted, but NOT required
ip helper-address 10.2.100.2 BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
Scaling Profiling and Replication
Single DHCP VIP Address using Anycast
- Limit Profile Data to a Single PSN and Node Group
• Different PSNs or Load Balancer VIPs host
PSN
same target IP for DHCP profile data PSN-CLUSTER1 PSN1 (10.1.99.5)
(10.1.98.8)
• Routing metrics determine which PSN DC #1 PSN
PSN2 (10.1.99.6)
or LB VIP receives DHCP from NAD
Load PSN PSN3 (10.1.99.7)
Balancer
int Vlan10
DHCP Request PSN
PSN1 (10.2.101.5)
User PSN-CLUSTER2
(10.1.98.8)
PSN PSN2 (10.2.101.6)
DC #2
interface Vlan10 Load PSN PSN3 (10.2.101.7)
ip helper-address <real_DHCP_Server> Balancer
ip helper-address 10.1.98.8
Note: LB depicted, but NOT required
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Profiler Tuning for Polled SNMP Query Probe
• Set specific PSNs to
periodically poll
access devices for
SNMP data.
• Choose PSN closest
to access device.
PSN PSN2
(Asia)
PSN1 SNMP Polling
(Amer) (Auto) PSN
RADIUS
Switch
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
Profiler Tuning for Polled SNMP Query Probe
Disable/uncheck SNMP Settings: Disables
all SNMP polling options [CSCur95329]
• Polling Interval
1.2 Default: 3600 sec
(1 hour)
1.3 Default: 28,800 sec
(8 hours) *Recommend
minimum for all releases
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Profiling and Data Replication PAN
MnT
Ownership
# Change
Global
Replication
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
Impact of Ownership Changes
Before Tuning
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Profiling and Data Replication PAN
MnT
DHCP 1
RADIUS Auth
RADIUS Acctng NetFlow
NMAP
Ownership
# Change
Global
Replication
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Impact of Ownership Changes
After Tuning
Owner
Node Group = DC1-group Node Group = DC2-group
DHCP 1
RADIUS Auth
RADIUS Acctng NetFlow
NMAP
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
Scaling MnT (Optimize Logging
and Noise Suppression)
When the Levee Breaks…
PSN
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
The Fall Out From the Mobile Explosion and IoT
Explosion in number and type of endpoints on the network.
High auth rates from mobile devices—many personal (unmanaged).
– Short-lived connections: Continuous sleep/hibernation to conserve battery power, roaming, …
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 101
A Few Bad Apples Can Spoil the Whole Bunch
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
Clients Misbehave!
• Example education customer:
• ONLY 6,000 Endpoints (all BYOD style)
• 10M Auths / 9M Failures in a 24 hours!
• 42 Different Failure Scenarios – all related to
clients dropping TLS (both PEAP & EAP-TLS).
• Supplicant List:
• Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo,
Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
• 5411 No response received during 120 seconds on last EAP message sent to the client
• This error has been seen at a number of Escalation customers
• Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
Challenge: How to reduce
the flood of log messages
while increasing PSN and
MNT capacity and tolerance
PSN
MnT
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
Getting More Information With Less Data
Scaling to Meet Current and Next Generation Logging Demands
Rate Limiting at Source Filtering at Receiving Chain
Reauth period Heartbeat Detect and reject Count and discard
Quiet-period 5 min frequency misbehaving clients repeated events
Held-period / Exclusion 5 min
Log Filter Count and discard
Switch untrusted events
Reauth phones
Quiet LB PSN MNT
period
Unknown users
Quiet WLC LB Health
Period probes Filter health
Reject
bad probes from
Roaming Client supplicant logging
supplicant Exclusion Count and
discard
repeats and
unknown NAD
events
Misbehaving
supplicant BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Tune NAD Configuration BRKSEC-2059 Deploying ISE in a
Dynamic Public Environment
Rate Limiting at Wireless Source (Thursday 8:00am) by Clark Gambrel
Some fixes require escalation build. Contact TAC to obtain access to escalation builds.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
TAC Recommended AireOS Builds
https://www.cisco.com/c/en/us/support/docs/wireless/
wireless-lan-controller-software/200046-TAC-Recommended-AireOS.html
• Recommended Releases: This document describes the way in which the customers can find the most
reliable Wireless LAN Controller software available. The Cisco Wireless TAC (Technical Assistance
Center) recommends AireOS builds from each train of released AireOS software. These
recommendations may be updated on a weekly basis.
• Escalation Builds: In some cases, the TAC recommended build may be an "escalation" build. Such
builds are not available on CCO (Cisco.com), but have important bugfixes (beyond what is available in
CCO code), and will have been operating in production at customer sites for several weeks. Such
builds are fully Business Unit (BU) and TAC supported.
• To request a TAC recommended escalation build, open a Cisco TAC case on your Wireless LAN
Controller contract.
• AireOS 7.6: TAC does not recommend any 7.6 CCO release, and Cisco does not plan to release any
more 7.6 maintenance releases on CCO.
• AireOS 8.0: TAC recommends 8.0.133.0 or 8.0.135.0 (latest CCO release AKA 8.0MR3).
• AireOS 8.1/8.2: TAC recommends 8.1.131.0 or 8.2.100.0 for deployments that require new features or
hardware support, such as 5520 & 8540 controllers, 1800 Series Access Points, Airtime Fairness, etc.;
8.2.100.0 is recommended for Mobility Express.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
Wireless Controllers Under Extreme Load (WLC 8.1)
• 5508 and WISM2
• 8 queues per server (max 17 servers configurable) Server 1 Server2
Queue 1 src port 1 src port 1
• 8510/7510 Queue 2 src port 2 src port 2
• 16 queues per server (max 17 servers configurable) Queue 3 src port 3 src port 3
Queue 4 src port 4 src port 4
• For all platforms, each queue = 0-255 unique IDs. Queue 5 src port 5 src port 5
So total 256*8 = 2048 requests/server. Queue 6 src port 6 src port 6
Queue 7 src port 7 src port 7
• Example using 5508/WISM2 :
Queue 8 src port 8 src port 8
• We will have unique source port per queue.
• Total 8 unique source ports. Related defects:
CSCus51456,CSCur33085
• Queue is selected based on MAC address Hashing. CSCue37368, CSCuj88508
Before 8.1, separate queues added for Auth and Accounting, but all servers share same two queues.
(CSCud12582, CSCul96254)
In 8.1, queues are not divvied or shared between Auth and Accounting–both will have separate queues
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
Tune NAD Configuration
Rate Limiting at Wired Source
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 113
PSN - Collection Filters
Static Client Suppression
Administration > System > Logging > Collection Filters
• PSN static filter based on
single attribute:
• User Name
• Policy Set Name
• NAS-IP-Address
• Device-IP-Address
• MAC (Calling-Station-ID)
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 114
PSN Filtering and Noise Suppression
Misconfigured Client Dynamic Detection and Suppression
Administration > System > Settings > Protocols > RADIUS
Flag misbehaving supplicants when
fail auth more than once per Detection Interval
– Alarm sent inc. failure stats each Report Interval
– Stop sending logs for repeat auth failures
for same endpoint during Rejection Interval.
– Successful auth clears flag
Once flagged, if fail auth 5 more times of same
failure reason Access-Reject
– Match these • Calling-Station-ID (MAC Addr)
attributes: • NAS-IP-Address (NAD)
• Failure reason
– Excludes CoA messages / bad credentials
– Next request after interval is fully processed.
CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes (from 30 minutes)
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 115
MnT Log Suppression and Smarter Logging
Drop and Count Duplicates / Provide Better Monitoring Tools
• Drop duplicates and increment counter in Live Log for “matching” passed
authentications Count and discard
• Display repeat counter to Live Sessions entries. repeated events
• Update session, but do not log RADIUS Accounting Interim Updates Count and discard
untrusted events
• Log RADIUS Drops and EAP timeouts to separate table for reporting
purposes and display as counters on Live Log Dashboard along with
Misconfigured Supplicants and NADs MNT
• Alarm enhancements
• Revised guidance to limit syslog at the source.
• MnT storage allocation and data retention limits
• More aggressive purging Count and discard
repeats and unknown
• Support larger VM disks to increase logging capacity and retention. NAD events
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 116
MnT Noise Suppression
Suppress Successful Auths and Accounting
Blue entry = Most current Live Sessions entry with repeated successful auth counter
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 118
Authentication Suppression
Enable/Disable
• Global Suppression Settings: Administration > System > Settings > Protocols > RADIUS
Failed Auth Suppression Successful Auth Suppression
Caution: Do not disable suppression in deployments with very high auth rates.
It is highly recommended to keep Auth Suppression enabled to reduce MnT logging
• Selective Suppression using Collection Filters: Administration > System > Logging >
Collection Filters
Configure specific traffic to bypass
Successful Auth Suppression
Useful for troubleshooting authentication for a
specific endpoint or group of endpoints, especially
in high auth environments where global suppression
is always required.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 119
Per-Endpoint Time-Constrained Suppression New in ISE 1.3
Right
Click
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 120
Minimize Syslog Load on MNT
Disable NAD Logging and Filter Guest Activity Logging
Guest Activity: Log only if required.
Rate Limiting at Source Filter and send only relevant logs
Disable NAD Logging unless
required for troubleshooting
Filter Syslog
at Source
switch
Reauth phones
LB PSN MNT
Unknown users
wlc
Roaming
supplicant Syslog
Forwarder
* Filter at Relay
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 122
High Availability
High Availability Agenda
• ISE Appliance Redundancy
• ISE Node Redundancy
• Administration Nodes
• Monitoring Nodes
• pxGrid Nodes
Ethernet
Yes* Yes* Yes* Yes*
4 GE NICs = 4 GE NICs = 6 GE NICs = 6 GE NICs =
Redundancy
Up to 2 bonded NICs Up to 2 bonded NICs Up to 3 bonded NICs Up to 3 bonded NICs
Redundant
No No
Power
(2nd PSU optional) Yes (2nd PSU optional) Yes
UCSC-PSU-650W UCSC-PSU1-770W
* ISE 2.1 introduces NIC Teaming support for High Availability only (not active/active)
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 126
NIC Redundancy Update
NIC Teaming / Interface Bonding
• For Redundancy only – NOT a Performance and Scale feature in 2.1.
• Allows one interface to serve as a hot backup for another primary interface.
• Up to (3) bonds in ISE 2.1. [Up to (6) Network Interfaces supported in ISE 2.0]
• NIC Teaming pairs specific interfaces into Bonded interfaces
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 127
Bonding Pairs are Set
Bonds/Backup Interfaces are Preset and Non-Configurable
GE0 Primary
Bond 0
GE1 Backup GE4
Bond 2
GE5
GE2 Primary
Bond 1
GE3 Backup
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 128
Bonded Interfaces for Redundancy
When GE0 is Down, GE1 Takes Over
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 129
NIC Teaming
NIC Teaming / Interface Bonding
• Configured using CLI only!
• GE0 + GE1 Bonding Example:
admin(config-GigabitEthernet0)# backup interface GigabitEthernet 1
• Requires service restart. After restart, ISE recognizes bonded interfaces for
Deployment and Profiling ; Guest requires manual config of eligible interfaces.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 130
For Your
Reference
Virtual Appliance High Availability
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 131
ISE Node/Persona Redundancy
• Maximum two PAN
Administration HA and Synchronization nodes per deployment
• Active / Standby
PAN Steady State Operation
• Changes made to Primary Administration DB are automatically synced to all nodes.
Admin
PSN
User Policy Policy Service Node
Logging
Sync
MnT MnT
Note: Switchover is NOT immediate. Total time based on polling intervals and promotion time.
Expect ~ 15 - 30 minutes. BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 136
PAN Failover
Configuration
• Configuration using GUI only under Administration > System > Deployment > PAN Failover
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 137
HA for Monitoring and Troubleshooting • Maximum two MnT
nodes per deployment
Steady State Operation • Active / Active
• MnT nodes concurrently receive logging from PAN, PSN, IPN*, NAD, and ASA
• PAN retrieves log/report data from Primary MnT node when available
Monitoring
Node (Primary) PAN MnT data
Admin
MnT
User
Monitoring
Node (Secondary)
• Upon MnT node failure, PAN, PSN, NAD, and ASA continue to send logs to remaining MnT node;
• PAN auto-detects Active MnT failure and retrieves log/report data from Secondary MnT node.
• Full failover to Secondary MnT may take from 5-15 min depending on type of failure.
• Default UDP-based
audit logging does not
buffer data when MnT
is unavailable.
• TCP and Secure
Syslog options can be
used to buffer logs
locally
• Note: Overall log
performance will
decrease if use these
acknowledged options.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 140
• Maximum two pxGrid
HA for pxGrid pxGrid
Clients nodes per deployment
(Publishers) • Active / Standby
Steady State
Primary Primary Secondary Secondary
PAN MnT PAN MnT
PAN Publisher Topics: PAN MnT PAN MnT
• Controller Admin
• TrustSec/SGA
• Endpoint Profile
TCP/12001
TCP/5222
TCP/5222
MnT Publisher Topics:
• Session Directory
• Identity Group Active PXG
Standby
PXG
• ANC (EPS) pxGrid pxGrid
Controller Controller
If active pxGrid
Controller fails, clients
automatically attempt
connection to standby TCP/5222
pxGrid
controller. Client
(Subscriber)
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 142
BRKSEC-3697 Advanced ISE Services, Tips and Tricks
(Wednesday and Thursday 8:00am) by Aaron Woland
ISE PSNs
PSN
PSN PSN PSN PSN PSN PSN PSN PSN
(RADIUS
Servers)
Network
Access
Devices
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 145
Configure Node Groups for LB Cluster
All PSNs in LB Cluster in Same Node Group
• Administration > System > Deployment
2) Assign name (and multicast address if ISE 1.2)
1) Create node group
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 146
Traffic Flow—Fully Inline: Physical Separation
Physical Network Separation Using Separate LB Interfaces Fully Inline Traffic Flow
recommended—
• Load Balancer is directly inline between PSNs and rest of network. physical or logical
• All traffic flows through Load Balancer including RADIUS,
PAN/MnT,Profiling, Web Services, Management, 10.1.99.5
Feed Services, MDM, AD, LDAP… VLAN 98 VLAN 99
(External) (Internal) ISE-PSN-1
Network
Switch
NAS IP: 10.1.50.2
10.1.98.1 10.1.98.2 10.1.99.1
10.1.99.6
Network Access ISE-PSN-2
Device Load
End User/Device
Balancer
DNS AD 10.1.99.7
External NTP LDAP
ISE-PAN ISE-MNT Logger SMTP ISE-PSN-3
MDM
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 147
Traffic Flow—Fully Inline: VLAN Separation
Logical Network Separation Using Single LB Interface and VLAN Trunking
Load Balancer
• LB is directly inline between ISE PSNs
and rest of network. VIP: 10.1.98.8
10.1.98.2 10.1.99.1
• All traffic flows through LB including RADIUS, 10.1.99.5
VLAN 98 VLAN 99
PAN/MnT, Profiling, Web Services, Management, (External) (Internal)
ISE-PSN-1
Feed Services, MDM, AD, LDAP… 10.1.98.1
NAS IP: 10.1.50.2
10.1.99.6
Network Access ISE-PSN-2
End User/Device Device Network
Switch
DNS AD 10.1.99.7
External NTP LDAP
ISE-PAN ISE-MNT Logger ISE-PSN-3
SMTP MDM
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 148
Partially Inline: Layer 2/Same VLAN (One PSN Interface)
Direct PSN Connections to LB and Rest of Network
Load Balancer
10.1.98.2
• All inbound LB traffic such RADIUS, Profiling,
and directed Web Services sent to LB VIP. 10.1.98.5
VIP: 10.1.98.8
• Other inbound non-LB traffic bypasses LB ISE-PSN-1
including redirected Web Services, PAN/MnT, VLAN 98
Management, Feed Services, MDM, AD, LDAP… 10.1.98.6
• All outbound traffic from PSNs NAS IP: 10.1.50.2 10.1.98.1 ISE-PSN-2
sent to LB as DFGW. 10.1.98.7
• Web Services:
• URL-Redirected: Posture (CPP) / Central WebAuth (CWA) / Native Supplicant Provisioning (NSP) /
Hotspot / Device Registration WebAuth (DRW), Partner MDM.
No LB Required! PSN that terminates RADIUS returns URL Redirect with its own certificate CN name substituted for ‘ip’
variable in URL.
Direct HTTP/S: Local WebAuth (LWA) / Sponsor / MyDevices Portal, OCSP
Single web portal domain name should resolve to LB virtual IP for http/s load balancing.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 150
Load Balancing
RADIUS
Load Balancing RADIUS
Sample Flow
VLAN 98 (10.1.98.0/24) VLAN 99 (10.1.99.0/24)
PSN
10.1.99.5
1 radius-server host 10.1.98.8
ISE-PSN-1
2 AUTH request
RADIUS ACCTG requesttoto10.1.98.8
10.1.98.8 Load Balancer
PSN
10.1.99.6
AUTH response
RADIUS ACCTG from
response 10.1.98.8
from 10.1.98.8
Access VIP: 10.1.98.8 ISE-PSN-2
User
4 5
Device PSN-CLUSTER
PSN
1. NAD has single RADIUS Server defined (10.1.98.8) 10.1.99.7
2. RADIUS Auth requests sent to VIP @ 10.1.98.8 3
3. Requests for same endpoint load balanced to same PSN via sticky based on ISE-PSN-3
RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS response received from VIP @ 10.1.98.8
(originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)
5. RADIUS Accounting sent to/from same PSN based on sticky
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 152
Load Balancer Persistence (Stickiness) Guidelines
Persistence Attributes
• Common RADIUS Sticky Attributes
o Client Address
Calling-Station-ID MAC Address=00:C0:FF:1A:2B:3C
IP Address=10.1.10.101 PSN
Framed-IP-Address
Device
o NAD Address ISE-PSN-1
10.1.50.2 VIP: 10.1.98.8
NAS-IP-Address
Session: 00aa…99ff
Source IP Address PSN
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 154
LB Fragmentation and Reassembly
Be aware of load balancers that do not reassemble RADIUS fragments!
Also watch for fragmented packets that are too small. LBs have min allowed frag size and will drop !!!
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 157
Allow NAT for PSN CoA Requests
Simplifying Switch CoA Configuration
• Before: • After
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 159
NAT Guidelines for ISE RADIUS Load Balancing
To NAT or Not To NAT?
ISE-PAN-1 ISE-MNT-1 No NAT
That is the Question!
PAN MnT
PSN
10.1.99.5
VLAN 98 VLAN 99
(10.1.98.0/24) (10.1.99.0/24)
ISE-PSN-1
ISE-PSN-1
Load Balancer
1 RADIUS request to psn-vip.company.com
PSN
10.1.99.6
RADIUS response from psn-vip.company.com
3
Access VIP: 10.1.98.8 ISE-PSN-2
Device https://ise-psn-3.company.com:8443/... PSN-CLUSTER
User
2
5 HTTPS response from ise-psn-3.company.com PSN
10.1.99.7
https://sponsor.company.com ISE-PSN-1
DNS
http://sponsor.company.com DNS Lookup = sponsor.company.com Server
PSN
DNS Response = 10.1.98.8 10.1.99.5
ISE-PSN-1
10.1.98.8
SPONSOR http://sponsor.company.com
PSN
10.1.99.6
https://sponsor.company.com:8443/sponsorportal
ISE Certificate Load ISE-PSN-2
Balancer
Subject =
ise-psn-3.company.com
PSN
Name Mismatch! 10.1.99.7
Requested URL = sponsor.company.com
Certificate Subject = ise-psn-3.company.com ISE-PSN-3
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 164
ISE Certificate with SAN
No Certificate Warning
DNS
http://sponsor.company.com DNS Lookup = sponsor.company.com Server
PSN
DNS Response = 10.1.98.8 10.1.99.5
ISE-PSN-1
10.1.98.8
SPONSOR http://sponsor.company.com
PSN
10.1.99.6
https://sponsor.company.com:8443/sponsorportal
Load ISE-PSN-2
ISE Certificate
Balancer
Subject =
ise-psn.company.com
PSN
SAN= Certificate OK! 10.1.99.7
ise-psn-1.company.com Requested URL = sponsor.company.com
ise-psn-2.company.com Certificate SAN = sponsor.company.com ISE-PSN-3
ise-psn-3.company.com
sponsor.company.com
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 165
“Universal Certs”
UCC or Wildcard SAN Certificates
ise-psn.company.com
L3 Switch
10.1.98.0/24 .5 .6 .7 .x
.1 .8 .1
PSN PSN PSN PSN
User
10.1.91.0/24
RADIUS session load-balanced to PSN @ 10.1.99.6 Guest Portals
URL Redirect automatically includes FQDN/Interface IP of Web Portal interface for same PSN @
10.1.91.6: https://ise-psn-2-guest.company.com:8443/guestportal/Login...
Source NAT web traffic from user networks destined to PSN web interfaces @ 10.1.91.x; translate to 10.1.91.x
(or any address block that can be statically added to PSN route table)
Ensures all Web requests received by PSN web interface are returned out same interface.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 167
Dedicated Web Interfaces under ISE 1.3+
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces
10.1.11.0/24 Load
.1 Balancer ISE-PSN-1 ISE-PSN-2 ISE-PSN-3 ISE-PSN-X
.1
User B .5 .6 .7 .x
10.1.12.0/24
10.1.91.0/24
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 168
Dedicated Web Interfaces under ISE 1.3+
Symmetric Traffic Flows
• Configure default routes for each interface to support symmetric return traffic
ise13-psn-x/admin# config t
Enter configuration commands, one per line. End with CNTL/Z.
ise13-psn-x/admin(config)# ip route 0.0.0.0 0.0.0.0 gateway 10.1.91.1
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 169
SSL Certificates for Internal Server Names
After November 1, 2015 Certificates for Internal Names Will No Longer Be
Trusted
In November 2011, the CA/Browser Forum (CA/B) adopted Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates that took effect on July 1, 2012.
These requirements state:
CAs should notify applicants prior to issuance that use of certificates with a Subject
Alternative Name (SAN) extension or a Subject Common Name field containing a reserved
IP address or internal server name has been deprecated by the CA/B
CAs should not issue a certificate with an expiration date later than November 1, 2015 with a
SAN or Subject Common Name field containing a reserved IP address or internal server
Name
Source: Digicert – https://www.digicert.com/internal-names.htm
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 170
Use Publicly-Signed Certs for Guest Portals!
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 171
Interface Alias Example
DNS and Port Settings – Single Interface Enabled for Guest
Azure Example
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 174
Load Balancing SAML
Flow
• SAML IDP sends requests to LB
• LB forwards request to some
PSN in LB pool
• PSN reads
“SAML Relay State”
• If intended
target, then
process request
• If NOT intended
target, redirect
user to correct PSN
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 175
Load Balancing
ISE Profiling Services
Load Balancing Profiling Services
Sample Flow
4 PSN
10.1.99.7
1. Client OS sends DHCP Request
2. Next hop router with IP Helper configured forwards DHCP request to ISE-PSN-3
real DHCP server and to secondary entry = LB VIP
3. Real DHCP server responds and provide client a valid IP address
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on
source IP stick (L3 gateway) or DHCP field parsed from request.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 177
Load Balancing Simplifies Device Configuration
L3 Switch Example for DHCP Relay
• Before !
interface Vlan10
description EMPLOYEE
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.100 <--- Real DHCP Server
ip helper-address 10.1.99.5 <--- ISE-PSN-1
ip helper-address 10.1.99.6 <--- ISE-PSN-2
Settings
! apply to each
L3 interface
servicing
• After !
DHCP
interface Vlan10
description EMPLOYEE endpoints
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.100 <--- Real DHCP Server
ip helper-address 10.1.98.8 <--- LB VIP
!
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 178
Load Balancing Sticky Guidelines
Ensure DHCP and RADIUS for a Given Endpoint Use Same PSN
Persistence Cache:
11:22:33:44:55:66 -> PSN-3 PSN
10.1.99.5
PSN
10.1.99.5
1 tacacs-server host 10.1.98.18
ISE-PSN-1
2 TACACS+ Session
TACACS+ AUTHZ request to 10.1.98.18 Load Balancer
Session ACCTG
AUTHC
PSN
10.1.99.6
TACACS+
TACACS+ Session
TACACS+Session AUTHC
SessionAUTHZ reply
ACCTGreply from
replyfrom 10.1.98.18
from10.1.98.18
10.1.98.18
Access VIP: 10.1.98.18 ISE-PSN-2
Net Admin
4 5
Device ISE-CLUSTER
PSN
1. NAD has single TACACS+ Server defined (10.1.98.18) 10.1.99.7
2. TACACS+ Session Authentication requests sent to VIP @ 10.1.98.18 3
3. Requests from same Admin user load balanced to same PSN via sticky based on ISE-PSN-3
Source IP (NAD IP Address)
4. TACACS+ response received from VIP @ 10.1.98.18
(originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)
5. TACACS+ Session Authorization & Accounting sent to/from same PSN per sticky
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 181
No session like RADIUS, so T+ requests
Load Balancing TACACS+ can go to different PSNs, but recommend
stick to same PSN for logging/trouble-
Command Authorization and Accounting
shooting and for single connect mode.
VLAN 98 (10.1.98.0/24) VLAN 99 (10.1.99.0/24)
PSN
10.1.99.5
1 tacacs-server host 10.1.98.18
ISE-PSN-1
2 TACACS+ CMD#2
CMD#1 AUTHZ
ACCTG request
request to 10.1.98.18 Load Balancer
to 10.1.98.18
PSN
10.1.99.6
TACACS+ CMD#2
TACACS+ CMD#2 AUTHZ reply from 10.1.98.18
CMD#1 ACCTG
CMD#1
Access VIP: 10.1.98.18 ISE-PSN-2
Net Admin
4 5
Device ISE-CLUSTER
PSN
1. Once Session Authenticated, Command Authorization/Accounting can begin. 10.1.99.7
2. TACACS+ Command Authorization request sent to VIP @ 10.1.98.18 3
3. Requests from same Admin user load balanced to same PSN via sticky based on ISE-PSN-3
Source IP (NAD IP Address)
4. TACACS+ response received from VIP @ 10.1.98.18
(originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)
5. TACACS+ Command Accounting sent to/from same PSN per sticky
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 182
Load Balancing TACACS+ For Your
Reference
General Recommendations
• Load Balance based on TCP/49.
• Source NAT (SNAT) can be used – No CoA like RADIUS
• Recommend LB inline with TACACS traffic, else need to address TCP asymmetry.
• Without SNAT, make sure PSNs set default gateway to LB internal interface IP.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 183
PSN HA Without Load Balancers
How can my
company get HA and
scalability without
load balancers?
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 185
Load Balancing Web Requests Using DNS
Client-Based Load Balancing/Distribution Based on DNS Response
• Examples:
Cisco Global Site Selector (GSS) / F5 BIG-IP GTM / Microsoft’s DNS Round-Robin feature
• Useful for web services that use static URLs including LWA, Sponsor, My Devices, OCSP.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 186
Using Anycast for ISE Redundancy
Profiling Example
Provided dedicated
User interface or LB VIPs
used, Anycast may
be used for Profiling,
PSN
Web Portals
(Sponsor, Guest
LWA, and MDP) and
ISE-PSN-1
RADIUS AAA!
Ex: 10.10.10.10
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 187
ISE Configuration for Anycast
On each PSN that will participate in Anycast…
1. Configure PSN probes to profile
DHCP (IP Helper), SNMP Traps, or NetFlow
on dedicated interface
2. From CLI, configure dedicated interface with
same IP address on each PSN node.
ISE-PSN-1 Example:
#ise-psn-1/admin# config t
#ise-psn-1/admin (config)# int GigabitEthernet1
#ise-psn-1/admin (config-GigabitEthernet)# ip address 10.10.10.10 255.255.255.0
ISE-PSN-2 Example:
#ise-psn-1/admin# config t
#ise-psn-1/admin (config)# int GigabitEthernet1
#ise-psn-1/admin (config-GigabitEthernet)# ip address 10.10.10.10 255.255.255.0
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 188
NAD-Based RADIUS Server Redundancy (IOS)
Multiple RADIUS Servers Defined in Access Device
PSN
PSN2 (10.4.5.6)
User
PSN
PSN3 (10.7.8.9)
PSN
PSN2 (10.4.5.6)
User
PSN
PSN3 (10.7.8.9)
PSN
RADIUS PSN1 (10.1.2.3)
NAD controls the load
User 1 distribution of AAA
PSN
PSN2 (10.4.5.6) requests to all PSNs
in RADIUS group
without dedicated LB.
PSN
PSN3 (10.7.8.9)
User 2
Reasonable load
distribution across all PSNs
cat3750x# test aaa group radius radtest cisco123 new users 4 count 50
AAA/SG/TEST: Sending 50 Access-Requests @ 10/sec, 0 Accounting-Requests @ 10/sec
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 192
NAD-Based RADIUS Redundancy (WLC)
Wireless LAN Controller
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 193
NAD Fallback and Recovery
Inaccessible Authentication Bypass (IAB)
Also Known As “Critical Auth VLAN” for Data
Access VLAN
Critical VLAN WAN or PSN Down
PSN
WAN / Internet
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 196
Default Port ACL Issues with Critical VLAN
Limited Access Even After Authorization to New VLAN!
• Data VLAN reassigned to critical auth VLAN, but new (or reinitialized) connections are still
restricted by existing port ACL!
Access
Critical VLAN Voice VLAN WAN or PSN Down
Gi1/0/2
PSN
Default ACL
Only DHCP/DNS/PING/TFTP allowed !
https://supportforums.cisco.com/document/117596/cisco-eem-basic-overview-and-sample-configurations
https://supportforums.cisco.com/document/48891/cisco-eem-best-practices
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 198
Critical ACL using Service Policy Templates
Apply ACL, VLAN, or SGT on RADIUS Server Failure!
• Critical Auth ACL applied on Server Down
Access
Critical VLAN Voice VLAN WAN or PSN Down
Gi1/0/2
PSN
Default ACL
Only DHCP/DNS/PING/TFTP allowed !
Access
Critical VLAN Voice VLAN WAN or PSN Down
Gi1/0/2
PSN
Critical
Default ACL
Deny PCI networks; Permit Everything
Only DHCP/DNS/PING/TFTP allowed ! Else !
policy-map type control subscriber ACCESS-POLICY
event authentication-failure match-first ip access-list extended ACL-CRITICAL ACL-DEFAULT
10 class AAA_SVR_DOWN_UNAUTHD do-until-failure
permit udp
remark Deny any accesseq bootpc to PCI any zone eq bootps
scopes
10 activate service-template CRITICAL_AUTH_VLAN
20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE permittcp
deny udp any any any eq domain
172.16.8.0 255.255.240.0
30 activate service-template CRITICAL-ACCESS permitudp
deny icmp any any any
172.16.8.0 255.255.240.0
service-template CRITICAL-ACCESS permitipudp
deny anyany any eq tftp
192.168.0.0 255.255.0.0
access-group ACL-CRITICAL permit ip any any
!
service-template CRITICAL_AUTH_VLAN
vlan 10
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 200
Exiting Large Scale / HA Design Matrix…
Okay to Unplug
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 201
ISE Scalability and High Availability
• Summary Review
• Appliance selection and persona allocation impacts deployment size.
• VM appliances need to be configured per physical appliance sizing specs.
• Profiling scalability tied to DB replication—deploy node groups and optimize PSN collection.
• Leverage noise suppression to increase auth capacity and reduce storage reqs.
• ISE enhances scalability with multi-AD and auto-device registration & purge.
• Admin, MnT, and pxGrid based on a Primary to Secondary node failover.
• Load balancers can offer higher scaling and redundancy for PSN clusters.
• Non-LB options include “smart” DNS, AnyCast, multiple RADIUS server definitions in the
access devices, and IOS RADIUS LB.
• Special consideration must be given to NAD fallback and recovery options when no
RADIUS servers are available including Critical Auth VLANs for data and voice.
• IBNS 2.0 and EEM offer advanced local intelligence in failover scenarios.
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 202
Cisco Community Page on Sizing and Scalability
https://communities.cisco.com/docs/DOC-68347
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 203
Cisco and F5 Deployment Guide:
ISE Load Balancing using BIG-IP:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/
how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-
ISE_Load_Balancing_Using_BIG-IP.pdf
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 204
Security Joins the Customer Connection Program
Customer User Group Program
19,000+
Members
• Who can join: Cisco customers, service Strong
providers, solution partners and training partners
• Private online community to connect with Join in World of Solutions
peers & Cisco’s Security product teams
Security zone Customer Connection stand
• Monthly technical & roadmap briefings via
WebEx Learn about CCP and Join
New member thank-you gift*
• Opportunities to influence product direction Customer Connection Member badge ribbon
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 206
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
BRKSEC-3699 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 207
Thank you