Endpoint Security Yogurt

test aaa group radius user it1 cisco new-code

ISE Policies: Authentication, Authorization, Profiling, Posture, Client Provisioning, SGA

Policy Elements: Dictionaries, Conditions, Results

If Condition Then Result

Dictionary is a predefined set of conditions <-> result

ISA Authentication

Authentication Policy

Types

• Simple
• Rule Based

Components:

• Description
• Condition – Simple or Compound – Based on the dictionary
• Result – Allowed EAP Protocols
• Result – ID Sources to be used
• Action Options – [Reject/drop/continue] depending on type of results (user not found, authentication failed, process failed,…)

External authentication:

• Version 1.2 supports only 1 AD and many LDAPs
• Version 1.3 supports up to 50 ADs

ISE PSNs need to be joined to the Active Directory, so it will relay on DNS and local Domain Controllers depending on the Site configuration.

ISA Authorization

Top-Down list of rules.

• Description
• Condition ID Source (users or endpoints)
• Condition Attribute (posture, groups,…)
• Permissions – Authorization Profile dACLs VLANs SGA

Default rule allows all access.

Downloadable ACLs

 Cisco TrustSec (CTS)

Security Group Access – Security Group Tagging

Cisco Proprietary

Tags are added after the 802.1Q information in the Ethernet frame.

Network Access Device will tag the L2 packets from the endpoint based on the ISE authorization policy. The tags will be used in Security Group ACLs around the network to allow or block access to the resources.

• Classification: at ingress, dynamic (802.1x, MAB, Web Authentication) or static (based on IP, subnet, VLAN)
• Transport: SGT is propagated via inline tagging or SXP
• Enforcement: Policy is applied via SGACL or SGFW

SXP – Secure Exchange Protocol (TCP). It’s used when middle devices don’t support SGT. A tunnel is created between SGT supported devices bypassing the non supported device.

• SXP Speaker
• SXP Listener

Cisco TrustSec switch configuration:

radius server ISE-PAC

endpoint security checklist     endpoint security console



	

		

			

				
TAGS
				

				
				
	

	
	


		

		
CATEGORIES