300-208 SISAS – What Is Cisco ISE?

In my earlier post about the Cisco 300-208 SISAS (Implementing Cisco Secure Access Solutions) exam, I gave a brief overview of the exam and listed the exam topics as laid out by the Cisco Learning Community.  However, I felt that these largely boil down to a few key concepts related to Cisco ISE (Identity Services Engine):

  1. Understand what ISE is.
  2. Understand why you might use ISE in a wired or wireless network.
  3. Understand what ISE does at a protocol level.
  4. Understand how ISE interacts with Network Access Devices and other systems.
  5. Understand how to configure ISE and the Network Access Devices.

This post will deal with Concept 1, Understand what Cisco ISE is.


A Little History

Before you can really understand what ISE is, I feel that you need to know where it came from.  Cisco’s NAC (Network Access Control) offerings have been fairly scattershot over the years.  They even tried unsuccessfully to market their own meaning of NAC for several years, attempting to sell their services as Network Admission Control.  Thankfully, they’ve given in and joined the rest of us in Network Access Control land.

Cisco ACS (Access Control Server) was the direct predecessor to ISE, and still exists today.  It provides RADIUS and TACACS services, and is able to integrate with central Identity Stores such as Active Directory or any other LDAP-speaking directory.  This means that you would often find ACS in an enterprise network serving to authenticate VPN and wireless users, or to control administrative access to network devices.  Over time ACS evolved, as most Cisco applications have, from something you installed on top of Windows to a full-blown Linux-based appliance (as of ACS 5.0 in 2009).  The common “appliance” model in use today means that without a little (non-Cisco-approved) tinkering you don’t have access to the Linux guts of Cisco ACS, or ISE for that matter; you are simply presented with an application.

At the same time that ACS was growing and advancing in capabilities, BYOD burst onto the market and a new market grew up around servers and services to manage and administer user Identity on the network.  Cisco saw an opportunity to forklift the capabilities of ACS into a new product targeted directly at the “new” Identity Management market, not just traditional “access control”.  They took the underlying operating system from ACS, a RHEL/CentOS-based distribution that they call ADE-OS (Application Deployment Engine), and added a few new capabilities and features to the application.  This creation is what we know today as Cisco ISE.  Essentially, you can think of ISE as ACS version 6.0.

The only thing left out of ISE (until the recent release of Cisco ISE v2.0) was TACACS, as it was intended that you still purchase ACS to control network device administrative access.  For the purposes of the 300-208 SISAS exam today, you can consider TACACS to be out of scope for ISE, and to be the sole purview of ACS, although you still have to understand TACACS for the exam.

What Is Identity Management?

A full discussion of what Identity and Identity Management are could take up many pages and posts (see Wikipedia); however, for the purposes of the 300-208 SISAS exam it can be summed up as follows, from the Official Cert Guide:

An identity is a representation of who a user or device is. Cisco ISE uses an endpoint’s MAC address to uniquely identify that endpoint. A username is one method of uniquely identifying an end user. Although SSIDs and IP addresses can be used as conditions or attributes in ISE policies, they are not identities.

Woland, Aaron; Redmon, Kevin (2015-04-27). CCNP Security SISAS 300-208 Official Cert Guide (Certification Guide) (Kindle Locations 13023-13026). Cisco Press. Kindle Edition.

An Identity Management system can then be defined as a way to keep track of Identity information for many users or devices, as well as the associated Authentication and Authorization information for those entities.  This is precisely what Cisco ISE is and does.  It provides all manner of services related to managing who users and devices are, and what network resources they may access.  Cisco ISE does not directly stop an entity from accessing a portion of the network (there are sometimes Inline Policy Nodes, but they are not common).  The Network Access Devices themselves handle the heavy lifting of granting/denying access by utilizing IEEE 802.1x, which I will discuss in a subsequent post.  ISE simply provides a centralized location to set policy and gather reporting, and then interacts with the NAD via RADIUS.
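To make the Cert Guide's distinction concrete, here is a small Python model of the ISE/NAD split described above.  It is an added illustration, not code from the post or from Cisco: the identity stores and the policy table are constructed, and the assumption that a NAD carries the endpoint MAC in Calling-Station-Id and the SSID in Called-Station-Id (as "AP-MAC:SSID") is common NAD behaviour that the post itself does not state.

```python
import re

# Constructed stand-ins for what ISE would look up in AD / its endpoint
# database (assumption: not taken from the post).
KNOWN_USERS = {"alice": "employees"}
KNOWN_ENDPOINTS = {"00:11:22:33:44:55": "corp-laptop"}


def normalize_mac(raw):
    """NADs send the MAC in several shapes ('00-11-22-33-44-55', '0011.2233.4455');
    canonicalise it so the endpoint identity compares equal regardless of format."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def split_request(attrs):
    """Separate identities from conditions, per the Cert Guide definition.
    Attribute names are RFC 2865 names.  User-Name and the MAC are identities;
    the SSID and the IP address are only conditions and are kept apart."""
    identities = {}
    if "User-Name" in attrs:
        identities["user"] = attrs["User-Name"]
    if "Calling-Station-Id" in attrs:
        identities["endpoint"] = normalize_mac(attrs["Calling-Station-Id"])
    called = attrs.get("Called-Station-Id", "")  # assumed shape: "<AP-MAC>:<SSID>"
    conditions = {
        "ssid": called.split(":", 1)[1] if ":" in called else None,
        "ip": attrs.get("Framed-IP-Address"),
    }
    return identities, conditions


def authorize(attrs):
    """The ISE-side decision.  It only returns a verdict for the RADIUS reply;
    the NAD, not this function, actually opens or closes the port."""
    identities, conditions = split_request(attrs)
    group = KNOWN_USERS.get(identities.get("user"))
    device = KNOWN_ENDPOINTS.get(identities.get("endpoint"))
    # Constructed policy: employees on corporate laptops get the employee VLAN,
    # except on the guest SSID, where the SSID condition overrides.
    if group == "employees" and device == "corp-laptop" and conditions["ssid"] != "Guest":
        return {"code": "Access-Accept", "vlan": "employee"}
    if device == "corp-laptop" and "user" not in identities:
        # Known endpoint but no user identity: the MAC alone authorised it.
        return {"code": "Access-Accept", "vlan": "device"}
    return {"code": "Access-Reject", "vlan": None}
```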

In the next post I will delve into Concept 2, the Whys surrounding Cisco ISE, as well as give a few example use cases.

300-208 SISAS – How to Tackle the Beast

The best way to finish something is to begin it.  So I decided I would begin my prep for the 300-208 SISAS (Implementing Cisco Secure Access Solutions) exam by laying out my personal study plan against the exam topics, found here on the Cisco Learning Community.

The exam topics are broken into five broad categories, and Cisco also gives a general indication of what percentage of the exam is on each topic:

1.0 Identity Management/Secure Access – 33%
2.0 Threat Defense – 10%
3.0 Troubleshooting, Monitoring and Reporting Tools – 7%
4.0 Threat Defense Architectures – 17%
5.0 Identity Management Architectures – 33%

Each of those broad topics has several sub-categories; 1.0 Identity Management/Secure Access, for example, is broken down into over 60 sub-sections.  This depth of expected knowledge can seem quite daunting at first, especially given the vague nature of some of the topics.  However, I’ve found that the exam really breaks down into 5 key areas, all of which are focused primarily on Cisco ISE (Identity Services Engine):

  1. Understand what ISE is.
  2. Understand why you might use ISE in a wired or wireless network.
  3. Understand what ISE does at a protocol level.
  4. Understand how ISE interacts with Network Access Devices and other systems.
  5. Understand how to configure ISE and the Network Access Devices.

This is why my primary focus in these exam preparations is getting hands-on with Cisco ISE.  I have been spending at least 10 minutes per night getting familiar with both the GUI itself and the operations that ISE can do.  10 minutes may not seem like much, but getting any hands-on time with a complex system matters.  You have to keep yourself sharp and fresh when preparing for an exam, especially if, as in my current job, you do not interact with ISE at all on a day-to-day basis.

In the next few posts I’ll dig further into each of these 5 key areas, as well as discuss how to set up an ISE test lab for yourself and talk through some of the scenarios I’m using for my lab.


CCNP Security – Halfway There

I am halfway towards my CCNP Security, and am finally gearing up to finish it.  When I completed the 642-618 FIREWALL and 642-648 VPN exams in the beginning of 2014, I was promptly sidetracked with the little things in life.  (Such as moving across the country, starting a new job, and finishing my BSIT at WGU.)  Knowing that the old CCNP Security exams had cycled out in April of 2014, I used Cisco’s CCNP Security Migration Path tool to validate that I was left with these two exams:

  • 300-207 SITCS (Implementing Cisco Threat Control Solutions)
  • 300-208 SISAS (Implementing Cisco Secure Access Solutions)

I am starting first with the 300-208 SISAS exam as it covers a range of topics, such as 802.1x, Cisco ISE, and RADIUS, that I am very familiar with.  However, from everything I’ve read, it goes into great depth on the minutiae of the ISE interface.  As I haven’t touched ISE in a production environment in over a year now, I’ve been spending time most evenings in my lab spinning up and down many different scenarios.

My lab for this study is entirely virtual, and is really a dry run for building my CCIE Security lab.  It currently consists of the following, largely coordinated and controlled via GNS3:

  • ISE 1.2 – VMware Fusion on my MacBook
  • ACS 5.6 – VMware Fusion on my MacBook
  • CentOS test boxes (x2) – VMware Fusion on my MacBook
  • IOU L2 Image (x2) – Rackspace Cloud Server
  • IOU L3 Image (x6) – Rackspace Cloud Server
  • ASA 8.4 (x2) – QEMU on a Rackspace Cloud Server

In the weeks to come I’ll be posting more about my exam preparations, including lab scenarios and links.  This is mostly for myself, but if anyone else gets some use out of it too, even better.