TRANSCRIPT
Inside Cisco IT:
How Cisco IT Deploy ISE and TrustSec Throughout the Enterprise
Donald Gunn – Program Manager IT, Cisco
Adam Cobbsky – Senior Engineer IT, Cisco
BRKCOC-2279
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How: cs.co/ciscolivebot#BRKCOC-2279
Related ISE Sessions
• Designing ISE for Scale & High Availability [BRKSEC-3699]
• Deploying ISE in a Dynamic Environment [BRKSEC-2059]
• ISE under magnifying glass. How to troubleshoot ISE [BRKSEC-3229]
• Let's get practical with your network security by using Cisco Identity Services Engine (Cisco ISE) [BRKSEC-2464]
• Advanced Security Integration, Tips & Tricks [BRKSEC-3557]
Agenda
• Defending the Enterprise
• Addressing the Challenge
• Guest Access
• Production System Architecture
• Increasing Security Step by Step
• Enforcement
• Identity Based Differentiated Access
• Posture Based Differentiated Access
• Q&A
Cisco at a Glance (data as of January 2018)
• 72,354 employees; 434 offices; 94 countries
• 133,361 connected stakeholders; 192,770 connected user devices
• 10,690 UCS servers; 76,136 virtual machines; 87 PB overall usable storage; 28.1 MW data center capacity
• 6,243 routers; 8,415 LAN switches; 468 WLCs
• 7.6 billion DNS requests per day; 47 TB daily bandwidth usage; 500+ cloud ASPs; 100 services
• Global distribution of IT staff: SJC 45%, India 21%, RTP 14%, EU/EM 7%, AP Other 7%, AM Other 6%
Cisco IT Network Security Requirements
Visibility + Attribution
Control
Consistency
Centralization
Automation
Simplification
Integration
Real-Time Defense
What is Identity Services Engine (ISE)?
A centralized security solution that enables context-aware access control and shares contextual data.
• Traditional access policy for network resources, extended with Cisco TrustSec®
• Use cases: BYOD access, guest access, role-based access, identity profiling and posture, threat containment
• Context ISE gathers and shares over pxGrid to decide who gets through the network "door": who, what, when, where, how, compliant, threat, vulnerability
Cisco IT ISE Production Deployment Metrics
Guest Net (Internet): ISE 1.2, 8 VMs, 2 DCs; ~14K guests/day via Central Web Auth (CWA)
Corporate Access (WLAN, CVO, VPN, LAN): ISE 2.1, 24 VMs, 8 DCs
• 1.5 million active profiled "endpoints"; max ~450K concurrent "endpoints"
• 26K CVO x 2; ~60K endpoints
• 468 WLCs; ~200K endpoints
• 70 ASAs; ~90K endpoints
• 2K switches; ~200K endpoints
• 25 sites; ~50K endpoints
Seamless Connectivity and Integrated Security
Figure: ISE at the centre of the Cisco core network, integrated with wireless devices, wired network devices, home access (CVO), the Adaptive Security Appliance, AnyConnect (VPN, Umbrella, AMP for Endpoints), WSA/ESA, AMP for Network, AMP Threat Grid, FireSight, StealthWatch, Umbrella and device management.
ISE As a Data Provider - Spark Board Locations
ISE Program Management Structure
• ISE Program Management
• Desktop & Mobility Services: device management, posture compliance, user experience
• ISE Architecture & Design: security model and ISE architecture
• Network Infra & Security Services: access, platform management, deployment and operations
• ISE BU & TAC: ISE best practices, config optimization, support
• InfoSec: security policies, quarantine
• Directory Services (AD)
• DC & Hosting Services (VMs)
Sample ISE Basic Deployment Roadmap
Phases 1 to 5 through completion (the slide's timeline; exact phase boundaries are not recoverable from the extracted text):
• Platform: Foundation / ISE 1.2 install -> ISE 1.3 upgrade -> ISE 1.4 upgrade -> ISE 2.1 upgrade, with patches, fine tuning and optimization between upgrades
• Infra: design, proofs of concept, data analysis
• Network: guest, wireless, monitor
• Guest Access
• Wireless (WLAN) auth deployment; CVO (home office) wireless auth
• VPN auth; CVO wired auth
• Wired: endpoint analysis (wired dot1x monitor mode and profiling); wired 802.1X monitor mode deployment; limited sites wired auth; global wired auth enforcement
• Advanced capabilities: quarantine/remediation, posture assessment (DM), posture enforcement (ISE), Security Group Tagging (SGT), pxGrid integration
Guest Access Deployment (ION)
• Sponsor portal (GSS, internet.cisco.com) for guest account creation; lobby ambassadors (physical and virtual) and a Visitor Management Tool integrated via API (integration with reception) also create guest accounts
• Guest portal authentication for wireless and wired access: NADs in AMER use the MTV PSNs, NADs in EMEA/APJC use the AER PSNs
• Primary PAN (alias PPAN) and MnT at MTV; secondary PAN and MnT at AER
• ION load-balancer VIPs per site and service: ion-mtv-sponsor / ion-aer-sponsor (account creation), ion-mtv-guest / ion-aer-guest (authentication)
Cisco IT ISE Guest Network
Top 4 cities by number of guest authentications on a typical business day: 6,379; 3,583; 2,232; 2,107 (city names appear only in the figure).
Single Global ISE Deployment (WLAN, CVO, LAN, VPN)
• 24 ISE nodes: 20 PSNs across 8 data centers (node groups), plus primary and secondary PAN/M&T
• Data centers: AER, RTP, ALN, SNG, TYO, HKG, BGL, MTV
Cisco IT ISE Global Deployment (WLAN, VPN, LAN): ISE PSNs in 8 data centers serving network devices across sites/cities (map in the original slide).
Authentication Statistics (24 hours)
ISE Deployment High Availability Architecture
• Modularity: per-site load-balancer VIPs (MTV-VIPs, RTP-VIPs, ALN-VIPs) in front of PSNs, one VIP per service (MTV-WLAN, MTV-LAN, MTV-VPN, MTV-CVO)
• HA NAD configuration: primary and secondary RADIUS servers chosen by NAD proximity
• PPAN/SPAN and PMnT/SMnT split across MTV and ALN; automatic primary -> secondary failover
• HA SLB configuration: the load balancer runs a user probe against each PSN ("Is PSN authenticating?") with interval 10 s, retries 3, down time 30 s
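The load balancer's user probe does more than ping the PSN: it sends a real RADIUS Access-Request for a test user and expects an Access-Accept, so a PSN that is up but can no longer authenticate (for example because its AD join is broken) is also pulled from the VIP. The block below is an added example, not Cisco IT's or the load-balancer vendor's code: it builds the RFC 2865 Access-Request (PAP, with an RFC 2869 Message-Authenticator), validates the Response Authenticator of the reply, and tracks PSN state with the slide's interval/retries/down-time values. The PSN reply is constructed locally so the example runs offline; the shared secret, probe user, NAS identifier and the use of PAP are assumptions.

```python
"""RADIUS user-probe for a PSN pool, added example (not Cisco IT's code). It
builds an RFC 2865 Access-Request for a test user (PAP), validates the reply's
Response Authenticator, and tracks PSN health the way the slide's LB probe does
(interval 10 s, retries 3, down time 30 s). The 'PSN' reply is constructed
locally so it runs offline; host names, secret and credentials are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_ID, ATTR_MSG_AUTH = 1, 2, 32, 80


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def decrypt_password(secret: bytes, authenticator: bytes, cipher: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], digest))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, user, password, nas_id, authenticator=None):
    """Access-Request with User-Name, User-Password, NAS-Identifier and a
    Message-Authenticator (RFC 2869: HMAC-MD5 over the packet with the MA zeroed)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_password(secret, authenticator, password.encode()))
             + _attr(ATTR_NAS_ID, nas_id.encode())
             + _attr(ATTR_MSG_AUTH, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, authenticator   # MA value is the last 16 bytes


def build_response(secret, code, request, attrs=b""):
    """What a PSN sends back; constructed here to keep the demo offline.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """Return the response code, or None if the ID or authenticator does not
    match (a spoofed or corrupted reply counts as a probe failure)."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None


class PsnProbe:
    """LB-style health state: down after `retries` consecutive failed probes,
    held down for `down_time` seconds, then the next good probe brings it back."""

    def __init__(self, name, interval=10, retries=3, down_time=30):
        self.name, self.interval, self.retries, self.down_time = name, interval, retries, down_time
        self.failures, self.up, self.down_until = 0, True, 0.0

    def observe(self, now, code):
        """code is ACCESS_ACCEPT on success; a reject (e.g. AD broken behind a
        healthy PSN), a bad authenticator or a timeout (None) all count as failures."""
        if not self.up and now < self.down_until:
            return False                      # still in hold-down
        if code == ACCESS_ACCEPT:
            self.failures, self.up = 0, True
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.up, self.down_until = False, now + self.down_time
        return self.up


def run_demo():
    secret = b"probe-shared-secret"                      # assumption
    req, _ = build_access_request(secret, 7, "svc-ise-probe", "Pr0be!", "lb-mtv-1")
    good = verify_response(secret, req, build_response(secret, ACCESS_ACCEPT, req))
    probe = PsnProbe("ise-psn-1")
    # constructed timeline: one good probe, three failures, a reply during hold-down, recovery
    events = [(0, good), (10, ACCESS_REJECT), (20, None), (30, ACCESS_REJECT),
              (40, ACCESS_ACCEPT), (70, ACCESS_ACCEPT)]
    return [(t, probe.observe(t, code)) for t, code in events]


if __name__ == "__main__":
    print(run_demo())
```

The probe user should be a dedicated, least-privileged account that no authorization rule maps to real network access, since its password sits in the load-balancer configuration; the Message-Authenticator matters because without it an Access-Request carries no integrity protection beyond the User-Password field.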
We Recommend You Use Load Balancers
• Ease of global configuration
• Overcome device limits for AAA servers
• Ease of migration and cluster split: no need to change thousands of network devices
How a request reaches a PSN through the LB (VIP on VLAN 98, 10.1.98.0/24; real servers on VLAN 99, 10.1.99.0/24):
1. The access device sends a DNS request to resolve the psn-cluster FQDN; the lookup for psn-cluster.company.com returns 10.1.98.10 (the VIP)
2. The request is sent to the virtual IP address 10.1.98.10 (PSN-CLUSTER)
3. The LB forwards it to one of the real servers ISE-PSN-1/2/3 at 10.1.99.5/6/7
4. The response is received from the real server that handled it, e.g. ise-psn-3.company.com @ 10.1.99.7
Load Balancing Dashboard
Authentication, Accounting, and Profiling events over 24 hours.
Consideration When Using Load Balancers
RADIUS Change of Authorization (CoA) is sent by the individual PSN, so the NAD must accept CoA from every PSN's real address (CoA SRC=10.1.99.5, .6, .7 ...) unless CoA from the PSNs is passed through the SLB so that it arrives from the VIP (CoA SRC=10.1.98.10).
Before (one entry per PSN):
aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
 client 10.1.99.8 server-key cisco123
 client 10.1.99.9 server-key cisco123
 client 10.1.99.10 server-key cisco123
 <...one entry per PSN...>
After (CoA arrives from the VIP):
aaa server radius dynamic-author
 client 10.1.98.10 server-key cisco123
First Steps
In the Lab
Wired 802.1x
Identity Based Differentiated Access
Posture Based Differentiated Access
When You First Enable ISE
802.1X Wired - Monitor Mode
Monitor mode is AuthC without enforcement: it prepares for enforcement mode, evaluates the remaining risk and provides a baseline. Every session the NAD reports to ISE falls into one of: .1X pass, known MAC, unknown MAC, .1X failure.
RADIUS authentication and accounting logs show:
• Passed / failed 802.1X (who has bad credentials? misconfigurations?)
• Passed / failed MAB attempts (what don't I know?)
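The two questions on the slide are answered from the same logs, and the useful third output of monitor mode is the list of endpoints that would be cut off the day enforcement is enabled. The script below is an added example, not Cisco IT's tooling: it parses a handful of constructed RADIUS authentication records (a simplified key=value layout, not the exact ISE syslog format; the failure reason codes mirror the ISE ones for wrong password, 24408, and subject not found in the identity store, 22056), counts passed/failed by method, lists users with repeated dot1x failures, and reports MAB fall-back MACs that ISE does not know, grouped by OUI for the device teams.

```python
"""Monitor-mode triage over RADIUS authentication logs, added example (not
Cisco IT's tooling). From passed/failed 802.1X and MAB records it reports which
users keep failing dot1x (bad credentials or a misconfigured supplicant), which
MACs fall back to MAB and are unknown to ISE (what don't I know?), and the
endpoints that would be denied if enforcement were switched on today. The log
lines are constructed in a simplified key=value layout, not the exact ISE
syslog format."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
5200 Passed-Authentication UserName=alice Calling-Station-ID=00:50:56:AA:01:01 NAS-IP-Address=10.1.1.1 NAS-Port-Id=Gi1/0/5 AuthenticationMethod=dot1x
5400 Failed-Attempt UserName=bob Calling-Station-ID=00:50:56:AA:01:02 NAS-IP-Address=10.1.1.1 NAS-Port-Id=Gi1/0/6 AuthenticationMethod=dot1x FailureReason=24408
5400 Failed-Attempt UserName=00:1E:8C:BB:02:03 Calling-Station-ID=00:1E:8C:BB:02:03 NAS-IP-Address=10.1.1.2 NAS-Port-Id=Gi1/0/1 AuthenticationMethod=mab FailureReason=22056
5200 Passed-Authentication UserName=00:0B:82:CC:03:04 Calling-Station-ID=00:0B:82:CC:03:04 NAS-IP-Address=10.1.1.2 NAS-Port-Id=Gi1/0/2 AuthenticationMethod=mab
5400 Failed-Attempt UserName=bob Calling-Station-ID=00:50:56:AA:01:02 NAS-IP-Address=10.1.1.1 NAS-Port-Id=Gi1/0/6 AuthenticationMethod=dot1x FailureReason=24408
5400 Failed-Attempt UserName=00:50:56:AA:01:02 Calling-Station-ID=00:50:56:AA:01:02 NAS-IP-Address=10.1.1.1 NAS-Port-Id=Gi1/0/6 AuthenticationMethod=mab FailureReason=22056
"""

KV = re.compile(r"(\S+?)=(\S+)")


def parse_line(line):
    """'<code> <event> k=v k=v ...' -> dict; returns None for lines that don't fit."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    rec = {"code": parts[0], "event": parts[1]}
    rec.update(KV.findall(parts[2]))
    rec["passed"] = rec["event"].startswith("Passed")
    return rec


def triage(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    summary = defaultdict(Counter)      # method -> {passed, failed}
    bad_creds = Counter()               # dot1x failures per user
    unknown = {}                        # MAC -> (NAD, port) for failed MAB (ISE has no record of it)
    passed_macs = set()
    for r in records:
        method = r.get("AuthenticationMethod", "unknown")
        mac = r.get("Calling-Station-ID", "").lower()
        summary[method]["passed" if r["passed"] else "failed"] += 1
        if r["passed"]:
            passed_macs.add(mac)
        elif method == "dot1x":
            bad_creds[r.get("UserName", "?")] += 1
        elif method == "mab":
            unknown[mac] = (r.get("NAS-IP-Address"), r.get("NAS-Port-Id"))
    # Remaining risk: a MAC that never passed either method is what enforcement would cut off.
    would_be_denied = sorted(m for m in unknown if m not in passed_macs)
    return {
        "summary": {m: dict(c) for m, c in summary.items()},
        "bad_creds": dict(bad_creds),
        "would_be_denied": {m: unknown[m] for m in would_be_denied},
        "by_oui": dict(Counter(m[:8] for m in would_be_denied)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

In the constructed sample, bob's laptop fails dot1x twice with a wrong password and then fails MAB because the MAC is not in any endpoint group, so it appears under would_be_denied together with the unknown 00:1E:8C device on switch 10.1.1.2; those are the cases to resolve with the device teams before switching to enforcement.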
IBNS 2.0 Concurrent Authentication: Faster On-boarding of Endpoints into the Network
• You configure IBNS 2.0 using the Cisco Common Classification Policy Language (C3PL)
• Faster on-boarding; good for delay-sensitive endpoints
• An endpoint may be authenticated by both methods, but priority determines the ultimate authorization
• Cost: additional load on the RADIUS server, since two authentication requests are sent for the same client
Flex Auth - sequential authentication (campus LAN): dot1x first, MAB only after dot1x has failed or timed out
 authentication order dot1x mab
IBNS 2.0 - concurrent authentication (campus LAN): EAP and MAB (the MAC learned from the endpoint's first frames, e.g. CDP/DHCP) start at the same time, so both produce RADIUS requests
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
IBNS 2.0 Fine Tuning
• MAB devices (without supplicants) and minimal traffic: configure switch ports to initiate EAP transactions
 access-session control-direction in
• Dot1x timer adjustments: modify the defaults per best practices, e.g.
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 5
 dot1x timeout ratelimit-period 300
• Apple Thunderbolt Ethernet adapter: dot1x authentication is not automatically initiated. Resolved by changing the network profile from System to User type.
Wired 802.1x Auth Learning
• Start with Monitor Mode
• Communicate !
• Evaluate – employee feedback
• Work with device teams ahead of enforcement
• Think User-Experience
Wired Connection Authentication
The Access-Request (802.1X and MAB) leads to one of three outcomes:
• Permit access: Access-Accept with a dACL defined on ISE: permit ip any
• Restricted access: Access-Accept (Restricted) with a dACL defined on ISE that permits DNS, TCP 80/443, ICMP and the redirect traffic, plus a URL-Redirect. The redirect ACL (called by ISE) carries deny entries for laptop builds, the support portal and password reset, so traffic to those destinations is exempt from redirection.
• Failed auth: no Access-Accept; the static port ACL still permits DNS, DHCP, NTP
MAB Devices - Recommendations
• Manually add them to an ISE identity group
• Create an automated request process
• Enable probes / device sensors
• Enable profiling
• Be aware of challenges and monitor inconsistencies
• Create your own custom profiles: standard naming, OUI data
• Note: when CDP and LLDP are concurrently enabled, some older UCV 89xx and 9xxxx phones with firmware > 9.2.1 reboot. Simple workaround: disable LLDP on the phone.
Minimizing Service Disruption - Wired
An EEM applet on the switch runs a synthetic AuthC (automate-tester with a test user) through ISE against Active Directory:
• Access-Reject on the synthetic test: service disruption detected -> EEM temporarily allows access
• Access-Accept: service disruption not detected, or service restored -> EEM restores AuthC
EEM script provides assurance: an end-to-end test of the authentication process.
If authentication fails:
1. Inserts "permit ip any any" as line 1 in the port ACL
2. Records which switch ports are configured with dot1x: "sh run | i interface GigabitEthernet|dot1x timeout"
3. Removes the commands under the interface template: "no dot1x pae authenticator", "no mab" ...
Upon successful authentication: 802.1X is restored and users/devices must re-authenticate.
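The subtle part of the procedure is step 2: the restore must act on the ports recorded at fail time, not on a fresh parse, because the fail-open step has already removed the dot1x and mab lines. The block below is an added example, not Cisco IT's applet: it parses a constructed running-config, records the 802.1X ports, and generates the fail-open and restore command sets described above. The port ACL name PORT-ACL and the config sample are assumptions, and the ACL is assumed to be a named extended ACL so that sequence 1 can be inserted and later removed.

```python
"""Fail-open helper for the EEM procedure above, added example (not Cisco IT's
applet). Given 'show running-config' text it records which ports carry 802.1X
config (step 2), emits the fail-open commands (steps 1 and 3), and emits the
restore commands from the recorded port list. PORT-ACL and the sample config
are assumptions."""

SAMPLE_RUN = """\
interface GigabitEthernet1/0/1
 description user port
 switchport access vlan 10
 ip access-group PORT-ACL in
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet1/0/2
 description uplink
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 ip access-group PORT-ACL in
 authentication port-control auto
 dot1x pae authenticator
!
end
"""


def parse_interfaces(show_run):
    """{interface name: [stripped config lines]} from running-config text."""
    blocks, current = {}, None
    for raw in show_run.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line.startswith(" "):
            current = None                     # end of the interface block
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def dot1x_ports(show_run):
    """Step 2: the ports whose interface config includes 802.1X."""
    return sorted(name for name, lines in parse_interfaces(show_run).items()
                  if "dot1x pae authenticator" in lines)


def fail_open_commands(show_run, port_acl="PORT-ACL"):
    """Steps 1 and 3: open the port ACL, then strip dot1x/mab from every
    recorded port. Returns (recorded ports, commands) so the port list can be
    kept for the restore step."""
    ports = dot1x_ports(show_run)
    cmds = [f"ip access-list extended {port_acl}", " 1 permit ip any any"]
    for p in ports:
        cmds += [f"interface {p}", " no dot1x pae authenticator", " no mab"]
    return ports, cmds


def restore_commands(recorded_run, ports, port_acl="PORT-ACL"):
    """Restore from the config recorded at fail time, not a fresh parse (the
    fail-open step already removed the lines). Only re-add mab where it was."""
    blocks = parse_interfaces(recorded_run)
    cmds = [f"ip access-list extended {port_acl}", " no 1"]
    for p in ports:
        cmds += [f"interface {p}", " dot1x pae authenticator"]
        if "mab" in blocks.get(p, []):
            cmds.append(" mab")
    return cmds


if __name__ == "__main__":
    ports, open_cmds = fail_open_commands(SAMPLE_RUN)
    print("\n".join(open_cmds))
    print("\n".join(restore_commands(SAMPLE_RUN, ports)))
```

The uplink (GigabitEthernet1/0/2) is untouched in both directions; re-adding "dot1x pae authenticator" forces the re-authentication the slide mentions.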
OnBoarding IoT Devices
IoT devices: franking machines, coffee machines, building management (BMS), ...
Access levels, based on the endpoint identity group: Internet-only access; appropriate access; full access (no restrictions)
Provisioning via a web tool with an API to ISE:
• Auto approval for Internet
• InfoSec approval for internal access (full/appropriate)
ACLs Dependent Upon Device Profile
• Redirect ACLs have the same size limitation as dACLs and per-user ACLs: max 4000 ASCII characters (switch), max 64 lines (WLC). This becomes more apparent when we consider remediation.
• ACL by endpoint type, profiling based: separate ACLs for Windows, Cisco, Linux and others.
Software Defined Segmentation Use Cases
Divestiture, IoT, Partners, Development
Benefits:
• Maintain existing network topologies
• Simple, cost effective
• Centralize policy management
• Consistent, faster deployments
• Quicker response to threats
IP-SGT (TrustSec)
Static - destination SGT assigned by IP-to-SGT mapping:
• Engr. App. (1000): 10.10.0.0/16, 10.20.0.0/15, 10.30.96.0/20, 10.40.0.0/14
• Mail (1001): 10.3.5.0/28, 10.70.24.0/28, 10.80.64.0/28, 10.90.32.0/28
• DNS (1003): 10.6.7.0/29, 10.60.24.0/29
• AD (1009): 10.50.1.0/28, 10.100.2.0/29
cts role-based sgt-map 10.10.0.0/16 sgt 1000
cts role-based sgt-map 10.3.5.0/28 sgt 1001
cts role-based sgt-map 10.6.7.0/29 sgt 1003
cts role-based sgt-map 10.50.1.0/28 sgt 1009
Dynamic - source SGT assigned by ISE at authentication, from AD group or profiling: Cisco Employee (1), Divestiture Employee (2), Printer (3)
Policy Matrix
Rows: source SGT (dynamic); columns: destination SGT (static). "SGACL" means a security group ACL is applied to that source/destination pair; "O" is how the other cell icon was extracted.

Source SGT (dynamic)  | Engineering App (1000) | Mail (1001) | MDM (1002) | DNS (1003) | Unknown (1005) | Cisco Employee (1) | Divestiture Emp. (2) | Partner (3)
Divestiture Emp. (2)  | O                      | SGACL       | SGACL      | SGACL      | SGACL          | O                  | SGACL                | O
Partner (3)           | O                      | O           | SGACL      | SGACL      | O              | O                  | O                    | SGACL
Untrusted (1810)      | O                      | O           | O          | O          | O              | O                  | O                    | O
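A flow is authorized in two steps: both addresses are resolved to SGTs (the source from the dynamic binding ISE created at authentication, the destination usually from a static subnet mapping, longest prefix winning when mappings overlap), then the source/destination cell of the matrix selects the SGACL. The block below is an added example, not Cisco IT's code and not how a switch ASIC implements it: it uses the IP-SGT mappings and matrix cells from the two slides above. The slide names every applied SGACL simply "SGACL", so one hypothetical body serves all of them; cells extracted as "O" fall through to a default_action you choose; session bindings are constructed; unmapped addresses are reported with the slide's Unknown tag (1005), whereas on real TrustSec hardware unmapped traffic carries SGT 0.

```python
"""Policy lookup for the IP-SGT mappings and matrix above, added example (not
Cisco IT's code). Dynamic /32 bindings learned at authentication win over the
static subnet mappings (longest prefix otherwise); the matrix cell then selects
the SGACL. "SGACL" bodies and the "O" default are assumptions."""
import ipaddress

STATIC_IP_SGT = {   # static destination mappings listed on the IP-SGT slide
    "10.10.0.0/16": 1000, "10.20.0.0/15": 1000, "10.30.96.0/20": 1000, "10.40.0.0/14": 1000,
    "10.3.5.0/28": 1001, "10.70.24.0/28": 1001, "10.80.64.0/28": 1001, "10.90.32.0/28": 1001,
    "10.6.7.0/29": 1003, "10.60.24.0/29": 1003,
    "10.50.1.0/28": 1009, "10.100.2.0/29": 1009,
}
UNKNOWN_SGT = 1005   # the slide's Unknown column; real hardware uses SGT 0 for unmapped traffic

DEST = [1000, 1001, 1002, 1003, 1005, 1, 2, 3]          # matrix columns, slide order
MATRIX = {  # source SGT -> {destination SGT: cell as extracted from the slide}
    2:    dict(zip(DEST, ["O", "SGACL", "SGACL", "SGACL", "SGACL", "O", "SGACL", "O"])),
    3:    dict(zip(DEST, ["O", "O", "SGACL", "SGACL", "O", "O", "O", "SGACL"])),
    1810: dict(zip(DEST, ["O"] * 8)),
}
SGACLS = {  # hypothetical SGACL body: (action, protocol, destination port); implicit deny at the end
    "SGACL": [("permit", "tcp", 443), ("permit", "tcp", 25), ("permit", "udp", 53)],
}


def ip_to_sgt(ip, dynamic=None):
    """Dynamic host bindings (RADIUS/SXP, /32) first, then the longest static prefix."""
    if dynamic and ip in dynamic:
        return dynamic[ip]
    addr, best = ipaddress.ip_address(ip), None
    for prefix, sgt in STATIC_IP_SGT.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else UNKNOWN_SGT


def decide(src_ip, dst_ip, proto, dport, dynamic, default_action="deny"):
    """Return (source SGT, destination SGT, action) for one flow."""
    src, dst = ip_to_sgt(src_ip, dynamic), ip_to_sgt(dst_ip, dynamic)
    cell = MATRIX.get(src, {}).get(dst, "O")
    if cell == "O":
        return src, dst, default_action
    for action, p, port in SGACLS[cell]:
        if p in ("ip", proto) and (port is None or port == dport):
            return src, dst, action
    return src, dst, "deny"                # implicit deny at the end of the SGACL


if __name__ == "__main__":
    bindings = {"10.5.5.10": 2, "10.5.5.20": 3, "10.5.5.30": 1810}   # constructed session bindings
    for flow in [("10.5.5.10", "10.3.5.7", "tcp", 443), ("10.5.5.20", "10.6.7.2", "udp", 53),
                 ("10.5.5.20", "10.6.7.2", "tcp", 22), ("10.5.5.30", "10.10.1.1", "tcp", 443)]:
        print(flow, "->", decide(*flow, bindings))
```

The divestiture employee's SSH attempt to a DNS server is denied by the SGACL even though the cell is populated, while an Untrusted (1810) source never reaches an SGACL at all and gets whatever the matrix default is; that default is the setting to verify on the enforcement device before trusting the matrix.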
Example: DC Access Control with TrustSec
Figure: users and devices on voice, wireless and wired access (voice, employee, suppliers, guest, quarantine) are tagged at the access layer (Employee, Supplier, Guest and Quarantine tags), traverse the campus core and reach the data center through the data center firewall, where policy is enforced per tag.
Enforcement steps: IP-SGT mapping, policy creation, policy enforcement, policy deployment
Where to Enforce Policy
IT objective: enforce as close to the user as possible, ideally on the access switches and WLCs.
Challenges:
• WLC 64-line ACL limit
• 3850 has a limit of 255 destination SGTs
• 4510 could not enforce policies for destination subnets, only hosts
• ASAs configured to support Remote Access VPN (AnyConnect) could not enforce TrustSec policies
Solution: Install SXP and Enforce at 1st Hop Router
• SXP = SGT Exchange Protocol
• Dynamically assigned SGTs (IP-SGT bindings carried by SXP) and SGACLs (downloaded from ISE) propagated to the policy enforcement point (PEP)
Figure: NADs (SXP speakers) send the IP-SGT bindings of their authenticated users (e.g. a Cisco user and a Technicolor partner user, tagged from AD group membership) to the first-hop router (SXP listener, enforcement point), which grants access based on the policy matrix from ISE.
Posture Based Differentiated Access Enforcement
ISE assigns the tag based on device posture and sends the IP <-> SGT mapping and policy matrix to the NAD / enforcement point, which grants access per the matrix:
• COMPLIANT (tag 20): internal network and Internet
• Non-COMPLIANT (tag 21): remediation and Internet
Differentiated Access For AnyConnect VPN
Problem:
• Different VPN solutions for different user communities
• Overhead of hardware and management
Solution:
• Use consolidated VPN clusters
• Tag traffic and enforce policies as required
• Allows greater resiliency and availability
Before TrustSec: separate clusters for Employee, High Risk and Partner. With TrustSec: a single cluster serving Employee, Partner and High Risk, differentiated by tag.
Configuring SXP IP <-> SGT Mapping Via SSH
The ISE PAN pushes the IP-SGT mapping to the NAD / policy enforcement point over SSH (static connection); ISE is the speaker, the NAD the listener.
IP <-> SGT Mapping Via SXP
ISE PSN 1, 2 and 3 act as SXP speakers and the NAD / policy enforcement point as listener (dynamic connection).
• Tip 1: SXP pushes the IP-SGT mapping immediately upon configuration
• Tip 2: the IP-SGT mapping is lost if the SXP connection drops!
Best Of Both Alternatives - SXP Reflectors
Hybrid IP <-> SGT mapping via SSH and SXP: ISE speaks to SXP reflectors (listeners), which in turn speak to the enforcement point (listener).
What is Posture?
• Posture: the security configuration of the device
• Assessment: measure and check it against company requirements
• Device Manager
Guiding Principles
• Enablement
• Minimise impact
• Remediation is key
• Expect complexity
Trusted Device Standard
• Device to user attribution
• Encryption (Cisco Data)
• 6 character PIN / password
• 10 Minute Auto screen lock (Max)
• Jailbreak / Rooted device detection
• Approved Anti-malware
• Minimum OS version
• Software patching within 4 weeks.
• Remote Wipe for proprietary data
• Hardware/Software Inventory
Policy Mapping
Trusted Device Standard items map either to ISE posture conditions checked by AnyConnect or to device management checks:
• ISE / AnyConnect posture condition types: anti-malware, anti-spyware, anti-virus, application, compound, disk encryption, file, patch management, registry, service, USB, Windows update
• Trusted Device Standard items: device to user attribution; encryption (Cisco data); 6 character PIN / password; 10 minute auto screen lock (max); jailbreak / rooted device detection; approved anti-malware; minimum OS version; software patching within 4 weeks; remote wipe for proprietary data; hardware/software inventory
• Device Management answers: is the device under company management?
Issues for Posture - Desktop Example
Detection of the management agent after device start-up: power on -> Windows startup -> the AnyConnect posture check runs before the SCCM service is up -> "SCCM Service not detected. NOT COMPLIANT!"
Issues for Posture - Wired MAC address
Mobile Device Posture
Device management pushes security policies to the device and reads back status and inventory. ISE asks "Managed? Compliant?" and fetches all non-compliant devices; remediation processes handle them. Devices are either actively managed or not actively managed (Internet only).
ISE vs MDM Deployment
Many-to-one relationship: the ISE nodes at AER, RTP, ALN, MTV, SNG, TYO, HKG and BGL all query a single MDM server.
Managing Scale
Same flow as mobile device posture (policies pushed, status and inventory read, "Managed? Compliant?", get all non-compliant devices, remediation processes, actively managed vs not actively managed with Internet only), with two additions shown in the build slides:
• An enrollment job detects new devices
• A managed device is indicated by setting a custom attribute in ISE
User Remediation Issues to Consider
When a device is not compliant and has restricted access:
• Is the device management system accessible?
• How to enrol a new device in management?
• How to re-image a device?
• How does a user remediate a restricted device?
• How does a user get access after remediation?
• How to re-initiate a posture check?
• How do you ensure the change is recognised immediately?
Evolving Our Capabilities - Future State?
Device management holds a device identity store keyed by a unique device ID (123XXX). ISE queries it for device ID and status (123XXX + Status) and uses the answer in the authorisation / access decision.
ISE Deployment Takeaways
• Focus on user experience first not technical capabilities
• Consider each platform type separately
• Phase your deployment - learn small and scale quickly.
• Speed and automation are critical to meeting challenges
• Work closely with your device teams
• Don’t forget remediation
Come talk to our Cisco IT Experts! Cisco on Cisco will have 5 demo booths placed around the Cisco Campus showcasing how Cisco IT designs, deploys, and manages our own solutions. Through these IT success stories you'll see how Cisco solutions are driving transformational business benefits.
Demo booths in the World of Solutions: Collaboration, AppDynamics, ACI & TA, NSO, vBranch
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions