Cisco ISE Fundamentals

ISE or ICE? Haha... well, it's just for fun.


Okay, before we talk about ISE, let's review one of the security functions we call triple A.

AAA Services

The first A stands for Authentication
The question it answers: Who are you?
– Verifying the identity of the user or of the endpoint
– Options: username/password, certificates, etc.

The second A stands for Authorization
The question it answers: What are you allowed to do?
– Determining the access level of the authenticated user or endpoint

Two parts:
– Network Access Control
VLAN, ACL, encryption, SGT (Security Group Tag)

– Network Device Administration
privilege level
command sets

And the third A is Accounting
The question it answers: What did you do? This is the auditing part: recording the user's sessions and activity so they can be tracked later.

Cisco ISE
ISE stands for Identity Services Engine. With Cisco ISE we can enforce centralized network access policies for devices connecting over wired, wireless and VPN. ISE supports both AAA protocols, RADIUS and TACACS+, so it can provide AAA services for network access control (NAC) as well as for network device administration. Prior to Cisco ISE 2.0 only RADIUS was supported; TACACS+ (and with it device administration) was added in ISE 2.0.

[Diagram ise1-1: components of an ISE deployment]

Let me break down the components of an ISE deployment.
ISE (the authentication server)
NAD, Network Access Device (the authenticator, e.g. a switch or a WLC)
Supplicant (the endpoint software that provides the credentials)
ID store (ISE's internal user database or an external identity store)

If you take a look at the above diagram, you can see that RADIUS runs between the authenticator (NAD) and the authentication server (ISE), while EAPoL (EAP over LAN) runs between the supplicant and the authenticator. The NAD does not interpret the EAP conversation itself; it relays the EAP messages between the two legs, carrying them inside RADIUS toward ISE.

Note:
RADIUS runs over UDP (port 1812 for authentication/authorization and 1813 for accounting) and hides only the User-Password attribute, using an MD5-based keystream derived from the shared secret; every other attribute, the username included, travels in cleartext. Remember also that RADIUS combines authentication and authorization in one exchange: the Access-Accept carries the authorization result (VLAN, ACL, etc.). TACACS+ runs over TCP port 49, obfuscates the entire packet body (only the 12-byte header is cleartext) and keeps authentication, authorization and accounting as separate exchanges, which is why it fits device administration with per-command authorization. Both protocols depend entirely on the shared secret, so use a long random secret and keep NAD-to-ISE traffic on a protected management network.
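To make the contrast in the note concrete, here is an added example, not code from the original post or from Cisco: it implements the RFC 2865 User-Password hiding used by RADIUS and the RFC 8907 body obfuscation used by TACACS+ in Python, builds one packet of each, and checks which bytes remain readable on the wire. The shared secret, username, password, NAS address and session id are constructed sample values.

```python
"""Added example (not from the original post): what each AAA protocol actually
hides on the wire. RADIUS (RFC 2865) obfuscates only the User-Password
attribute; TACACS+ (RFC 8907) obfuscates the whole body behind a cleartext
12-byte header. All secrets and identities below are constructed samples."""
import hashlib
import os
import struct

SECRET = b"ise-shared-secret"   # assumption: the NAD <-> ISE shared secret

# ---- RADIUS (UDP/1812): only the User-Password attribute is hidden ----
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block 0 with
    MD5(secret + RequestAuthenticator) and each later block with
    MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password, i.e. what the server does."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user: bytes, password: bytes, secret: bytes,
                         ident: int = 0x2A, request_auth=None) -> bytes:
    """Access-Request: Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (radius_attr(ATTR_USER_NAME, user)
             + radius_attr(ATTR_USER_PASSWORD, radius_hide_password(password, secret, request_auth))
             + radius_attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1])))   # constructed NAD address
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


# ---- TACACS+ (TCP/49): the whole body is hidden, the header is not ----
TAC_PLUS_AUTHEN = 1


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: pseudo_pad = MD5(session_id + key + version + seq_no), then
    MD5(session_id + key + version + seq_no + previous digest) until the pad covers the body."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                  ptype: int = TAC_PLUS_AUTHEN, version: int = 0xC0) -> bytes:
    """Header (cleartext): version, type, seq_no, flags, session_id, length; body XORed with the pad."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    obfuscated = bytes(a ^ b for a, b in zip(body, pad))
    return struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body)) + obfuscated


def tacacs_open(packet: bytes, key: bytes) -> bytes:
    """Recover the body of a TACACS+ packet given the shared key."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    return bytes(a ^ b for a, b in zip(body, tacacs_pad(session_id, key, version, seq_no, length)))


if __name__ == "__main__":
    req = build_access_request(b"alice", b"Pa55w0rd!", SECRET)
    print("RADIUS username readable on the wire:", b"alice" in req)
    print("RADIUS password readable on the wire:", b"Pa55w0rd!" in req)
    tac = tacacs_packet(b"alice\x00Pa55w0rd!", SECRET, session_id=0x12345678)
    print("TACACS+ username readable on the wire:", b"alice" in tac)
    print("TACACS+ header still readable (type, seq_no):", tac[1], tac[2])
```

Note that both keystreams are plain MD5 over the shared secret: whoever can sniff the traffic and guess the secret can recover everything, which is the reason for the management-network advice in the note above.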

So how do they work together? Here is a diagram to walk through.

[Diagram ise1-2: 802.1X/EAP flow between supplicant, NAD and ISE, using PEAP]

EAPoL (802.1X) is only the delivery mechanism; the EAP type (e.g. PEAP with MS-CHAPv2 or EAP-TLS) provides the actual authentication method, and the supplicant and ISE negotiate which type to use via EAP-Request/Response messages before any credentials are exchanged. The above diagram uses PEAP as an example. I will discuss EAP types in more detail later.
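To show the split between the EAPoL delivery layer and the EAP type, here is an added example (not code from the original post or from Cisco) that builds and decodes the first frames of an 802.1X session in Python: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, the server's EAP-Request proposing a method, and the supplicant's Nak when it wants a different one. The frames, identities and method choices are constructed samples; PEAP (type 25) and EAP-TLS (type 13) are the IANA-assigned EAP type numbers.

```python
"""Added example (not from the original post): EAPoL is only framing, the EAP
Type byte selects the method. Frames below are constructed samples."""
import struct

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2          # EAPoL Packet Type
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP Code
EAP_IDENTITY, EAP_NAK, EAP_TLS, EAP_PEAP, EAP_MSCHAPV2 = 1, 3, 13, 25, 26
EAP_TYPE_NAMES = {EAP_IDENTITY: "Identity", EAP_NAK: "Nak", EAP_TLS: "EAP-TLS",
                  EAP_PEAP: "PEAP", EAP_MSCHAPV2: "EAP-MSCHAPv2"}


def eapol(ptype: int, body: bytes = b"", version: int = 2) -> bytes:
    """EAPoL header (802.1X): Protocol Version, Packet Type, Body Length, then the body."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


def eap(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """EAP packet: Code, Identifier, Length, then Type + Type-Data for
    Request/Response (Success/Failure carry no Type byte)."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse(frame: bytes) -> dict:
    """Decode one EAPoL frame (without the Ethernet header) into its fields."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    info = {"eapol_version": version, "eapol_type": ptype}
    if ptype != EAPOL_EAP_PACKET:
        names = {EAPOL_START: "EAPOL-Start", EAPOL_LOGOFF: "EAPOL-Logoff"}
        info["eapol_type_name"] = names.get(ptype, "other")
        return info
    body = frame[4:4 + length]
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    info.update(eap_code=code, eap_id=ident)
    if code in (EAP_REQUEST, EAP_RESPONSE):
        eap_type = body[4]
        info["eap_type"] = eap_type
        info["eap_type_name"] = EAP_TYPE_NAMES.get(eap_type, "type %d" % eap_type)
        info["type_data"] = body[5:eap_len]
    return info


def exchange(identity: bytes, offered_type: int, wanted_type: int):
    """Constructed start of an 802.1X session up to method negotiation.
    The NAD relays the EAP packets to/from ISE; only the EAPoL leg is shown."""
    frames = [
        ("supplicant -> NAD", eapol(EAPOL_START)),
        ("NAD -> supplicant", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_IDENTITY))),
        ("supplicant -> NAD", eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 1, EAP_IDENTITY, identity))),
        ("NAD -> supplicant", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 2, offered_type))),
    ]
    if offered_type != wanted_type:
        # Nak: the supplicant rejects the offered type and lists the one it wants.
        frames.append(("supplicant -> NAD",
                       eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 2, EAP_NAK, bytes([wanted_type])))))
    return frames


def identity_on_wire(frames) -> bytes:
    """The EAP-Response/Identity is sent before any tunnel exists, so whatever
    the supplicant puts there is visible to anyone on the segment."""
    for _, frame in frames:
        p = parse(frame)
        if p.get("eap_code") == EAP_RESPONSE and p.get("eap_type") == EAP_IDENTITY:
            return p["type_data"]
    return b""


if __name__ == "__main__":
    for who, frame in exchange(b"anonymous", EAP_PEAP, EAP_TLS):   # constructed sample
        print(who, parse(frame))
```

The visible outer identity is the reason PEAP deployments typically send a generic outer identity (as in the sample) and keep the real username inside the TLS tunnel; with EAP-TLS the certificate, not the identity string, is what ISE authenticates.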
