Initial Cisco ISE Configuration

This post will describe the basic steps in order to install Cisco ISE 2.4 from ISO image, build a cluster and integrate with Active Directory.

  • Initial ISE Configuration
    • Installing ISE 2.4 from ISO image file
    • Initial configuration from CLI
  • Certificates
    • Admin and EAP Authentication Certificates
  • Deployment Roles
    • Minimum 1 x PAN (Policy Administration Node), 1 MnT (Management) and 1 x PSN (Policy Service Node)
    • Valid DNS entry for each ISE nodes
    • Valid certificates (Admin for establishing a secure connection for build the cluster)
  • External Identity Source Integration
    • Integration with Active Directory
  • Network Access Devices
  • Policy Sets

Continue reading “Initial Cisco ISE Configuration”

Advertisements

Allow ICMP/Traceroute through Cisco ASA

By default the ASA does permit ICMP replies TO any ASA interface, but does not
permit ICMP THROUGH the ASA. In other words you need to specifically configure the ASA to permit the ICMP replies. This can be achieved in 2 ways, either by enabling icmp inspection or by configuring an ACL inbound on the outside interface, permitting echo-reply.

From an LAN switch on the inside of the ASA we ping a device on the outside, with no specific configuration this should fail.


Continue reading “Allow ICMP/Traceroute through Cisco ASA”

ISE Dynamic Variables

Using Cisco ISE you can apply variables such Downloadable ACL (DACL) or VLAN from an External Identity Source (e.g Active Directory) and apply these values during authorization. For example instead of defining multiple authorization rules such as – If AD:ExternalGroup membership equals “GroupName” then assign static attributes”DACL_1″ and “VLAN_1”.


The same can be achieved by extracting the attributes from an External Identity Source such as AD, resulting in 1 authorization rule instead of multiple.


Continue reading “ISE Dynamic Variables”

FTD VPN with Certificate authentication

Using certificates to authenticate VPN peers is the most scalable authentication method. As of FTD 6.2.2 certificate enrolment is either via SCEP or manually using PKCS12. When using SCEP the FTD must have direct communication with the SCEP server in order to request the certificate, this may not be possible if the FTD is already deployed onsite. This leaves a PKCS12 file to import the signed certificate; this is a manual process, access to the console via SSH is all that is required.

This post will describe how to create a Certificate Template on a Windows CA, how to generate a certificate private key, csr and PKCS12 file and how to configure the VPN on the FMC.

Continue reading “FTD VPN with Certificate authentication”

FTD registration with FMC

If using the Cisco Firepower Management Center (FMC) to manage sensors such as the FTD, secure communication must be established between the FMC and the FTD. A registration key is defined on the FTD via the CLI, the device is then added within the FMC, specifying the same registration key entered on the CLI of the FTD. If successful secure connectivity between the 2 devices is established, the registration key is no longer used from this point on. This post will describe the steps to setup connectivity between the FTD and FMC, as well as some basic troubleshooting steps.

Configuration

Step 1 – Define the Manager and Registration Key on the FTD

On the CLI of the FTD enter the command configure manager add

 

 
Step 2 – Configure the Device on the FMC

  • Navigate to Devices > Device Management
  • Click Add > Add Device
  • Configure the FTD IP address, Display Name, Registration Key (the same key configured on the CLI of the FTD), select ACP and Smart Licensing options


  • Finally click the Register button

If successful, the device will be added to the FMC, ready to be configured for use.
Continue reading “FTD registration with FMC”

MACsec with Cisco AnyConnect and ISE

MACsec provides secure communication on wired networks; it encrypts each packet on the wire so that communication cannot be monitored. There are 2 deployment types:- User facing/downlink MACsec or switch-to-switch MACsec.

When using downlink MACsec a supplicant that supports 802.1x with MACsec is required, Cisco AnyConnect version 3.0+ supports this functionality. When AnyConnect is configured with MACsec it authenticates the user/computer using 802.1x and then encrypts all traffic using MACsec that is sent to the directly attached Access Layer switch. Once the packet has been received by the Access Layer switch the packet is decrypted, this allows the possibility to apply QoS polices or monitor with Netflow. The switch could then route packet in clear text or if switch-to-switch MACsec is enabled re-encrypt the traffic.

Switch-to-Switch MACsec secures the packets on a hop by hop basis, decrypting and encrypting on each network device (meaning all traffic inside the switches are in clear text). The MACsec sessions are completely independent as they are routed through the network.

Continue reading “MACsec with Cisco AnyConnect and ISE”

Cisco ISE pxGrid integration with Firepower

Cisco ISE and Firepower can exchange attributes such as TrustSec SGT (Security Group Tag), endpoint profile information and IP address via pxGrid. These attributes can then be used in Firepower Access Control Policies to permit/deny access as required. In addition, this integration can also be used to quarantine users/hosts in the event the user performs a malicious activity. When Firepower detects the malicious activity this will match a correlation rule on the FMC, which instructs ISE to perform a remediation action such as sending a CoA (Change of Authorization) and quarantining the user by apply a DACL and/or applying a new SGT.

This post will describe how to configure the pxGrid integration between the FMC and ISE, it is assume that you already have a working ISE environment with users/computers authenticating using dot1x and a working Firepower FMC/FTD environment.

Refer to these previous ISE posts on how to configure ISE, dot1x authentication and more information about configuring TrustSec.

The following software versions were used:-

  • Firepower Management Centre 6.2.2.2
  • Firepower Threat Defence Virtual 6.2.2.2
  • Identity Services Engine 2.4
  • Windows Server 2008 R2 (Domain Controller and PKI)
  • Windows 7 Enterprise

Continue reading “Cisco ISE pxGrid integration with Firepower”