Cisco CCNP Security 300-715 SISE – ISE Profiler

  1. Introducing Cisco ISE Profiler

The Cisco Identity Services Engine (ISE) Profiler service is used to identify, locate and determine the capabilities of endpoints or identities which exist in the network. This is important in order to determine the appropriate network access allowed for particular device types. To accomplish this task, the Cisco ISE profiler function uses a sensor which relies on various probes to collect information from the endpoints. The sensor then forwards the collected data to the profiler analyzer within Cisco ISE.

The analyzer uses the information and classifies the endpoints based on associated policies and identity groups. Cisco ISE has preconfigured default policies which can be used for classification. However, custom endpoint profiling policies can also be created. The Cisco ISE probes can be enabled and disabled in the GUI. By default, the DHCP, RADIUS, NMAP, SNMP Query and Active Directory probes are enabled. Let’s take a closer look at the various probes when using RADIUS for authentication. The RADIUS probe can collect various RADIUS attributes received from the NAD which can be useful for profiling the endpoints.

The switch and wireless controller device sensors are used to gather raw endpoint data using protocols such as CDP, LLDP, DHCP snooping and HTTP; the device sensor feature is available on both IOS devices and wireless LAN controllers. The SNMP Trap probe receives information from specific network access devices, or NADs, when certain traps are received, which can also trigger the SNMP Query probe to obtain additional information. The DHCP probe, when enabled, allows the Cisco ISE profiling service to profile endpoints based only on new requests and is generally used for third-party NADs. The DNS probe allows the profiler to look up an endpoint to obtain the fully qualified domain name of the device.

With the HTTP probe, the profiler can capture the web browser information from the User-Agent attribute along with other attributes from the request messages. The NetFlow probe can collect NetFlow version 9 attributes from NetFlow-enabled NADs. Cisco ISE also enables you to detect devices in a subnet using the NMAP security scanner probe. The Active Directory probe retrieves information using the AD runtime connector to provide a highly reliable source of client OS information. Finally, a pxGrid probe has been introduced for the integration with Internet of Things, or IoT, and other systems for sharing endpoint context. Using the Cisco ISE Profiler service with its various sensor probes is extremely helpful for regulating network access and further assigning network authorization.

  2. Introducing Cisco ISE Profiler 2

Profiling policies configured in Cisco Identity Services Engine are used to profile network devices after they’ve been identified using the various probes to analyze endpoint characteristics. After information is collected by the sensor probes, it is sent to the analyzer on Cisco ISE, where the attributes are processed via a profiling policy in order to find a matching profile. The profiling policies categorize the endpoints into endpoint identity groups. Cisco ISE can then grant permission to the endpoints to authorize access to resources in the network based on the results of the policy evaluation. Let’s look at an example of a user connecting to the network using an iPad.

The Cisco ISE probes collect the information about the device, including the DHCP hostname attribute, which happens to contain the value iPad. Of the many predefined profiling conditions in Cisco ISE, two of them match the string iPad. Both of these conditions also happen to be used in one of the many predefined profiler policies in Cisco ISE. Each matched condition increases the certainty factor by a value of 20 that the device is an iPad. In this example, the minimum certainty factor is 20 and the second condition is a match. Therefore, the device is determined to be an iPad.

The Cisco ISE profiler can be used with or without Change of Authorization, or CoA, which is disabled by default. When CoA is enabled in Cisco ISE, the profiling service has more control over endpoints that have been authenticated. Using a CoA request message, the profiler service can push customized authorization policies to the Network Access Device, or NAD, where the device connection originated. The authorization change instructs the NAD to apply the adjusted policy. There are two options to choose from when you decide to enable CoA: port bounce, which is used if the switch port exists with only one session, and reauth. If the port exists with multiple sessions, then the reauth option should be used. Reauth is used to enforce authentication of an already authenticated endpoint when it is profiled. Next, Cisco ISE uses endpoint identity groups to categorize the discovered devices.

A device can only belong to one identity group, although custom endpoint identity groups can be configured. Cisco ISE contains default identity groups, which include the following. The RegisteredDevices group includes the endpoints added by an employee through a device registration portal. They are statically assigned and cannot be dynamically reassigned to other groups. The GuestEndpoints group contains the endpoints which are used by guest users that have successfully joined a network via a hotspot or credentialed guest portal. The Blacklist group contains endpoints that have been statically assigned in order to block them from accessing the network. The Profiled group includes endpoints that have been profiled by Cisco ISE, and it has multiple associated endpoint identity groups. Lastly, the Unknown group contains endpoints that do not match a profile.
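As an added example that is not part of the course material or of ISE itself, here is a small Python model of the flow described in the last few sections: probe attributes are matched against profiling policy conditions that each add to a certainty factor, the endpoint is placed in an identity group (static groups are left alone), and the CoA type sent to the NAD (port bounce versus reauth) is chosen the way the text describes. The policy names, attribute names and certainty weights are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the profiler flow described above (not ISE code):
# conditions add certainty, a profile is assigned once the total reaches the
# policy's minimum, and a CoA may follow. Names and weights are assumptions.
# A condition is (attribute name, substring to look for, certainty added).
@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int
    conditions: list

# Two constructed policies; the iPad one mirrors the text: two conditions
# match the string "iPad", each worth 20, with a minimum certainty of 20.
POLICIES = [
    ProfilingPolicy("Apple-iPad", 20, [
        ("dhcp-host-name", "ipad", 20),
        ("User-Agent", "ipad", 20),
    ]),
    ProfilingPolicy("Apple-Device", 10, [
        ("OUI", "apple", 10),
    ]),
]

# Endpoints in these groups were assigned statically and are never reprofiled.
STATIC_GROUPS = {"RegisteredDevices", "Blacklist"}


def certainty(policy, attrs):
    """Sum the certainty of every condition the collected attributes satisfy."""
    return sum(weight for attr, needle, weight in policy.conditions
               if needle in str(attrs.get(attr, "")).lower())


def profile_endpoint(attrs, current_group="Unknown"):
    """Return (endpoint profile, identity group) for one endpoint."""
    if current_group in STATIC_GROUPS:
        return None, current_group
    best = max(POLICIES, key=lambda p: certainty(p, attrs))
    if certainty(best, attrs) >= best.min_certainty:
        return best.name, "Profiled"
    return None, "Unknown"


def coa_action(old_profile, new_profile, coa_type, sessions_on_port):
    """Pick the CoA the profiler would send to the NAD after profiling.

    coa_type is the global profiler setting ("No CoA", "Port Bounce" or
    "Reauth"). Only the First Time Profile event (Unknown to a profile) is
    modelled, with its exception action set to Force CoA as in the lab.
    """
    if coa_type == "No CoA" or old_profile is not None or new_profile is None:
        return None
    # Port bounce only suits a port carrying a single session; with several
    # sessions, reauth avoids disrupting the other endpoints on that port.
    if coa_type == "Port Bounce" and sessions_on_port > 1:
        return "Reauth"
    return coa_type


if __name__ == "__main__":
    # Constructed attributes, as the RADIUS and DHCP probes might collect them.
    attrs = {"dhcp-host-name": "Johns-iPad", "OUI": "Apple, Inc."}
    profile, group = profile_endpoint(attrs)
    print(profile, group, coa_action(None, profile, "Port Bounce", 1))
```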

  3. Introducing Cisco ISE Profiler 3

Now let’s explore how to manage a profiler configuration in Cisco Identity Services Engine. After you log into Cisco ISE, you can access various Work Center menus from the homepage. First, to get to the Profiler Work Center menu, navigate to Work Centers, then Profiler, and the Overview page is automatically displayed. It illustrates an overview of the profiler, which includes preparation steps, defining endpoint groups, policies and endpoint access, as well as auditing and troubleshooting the configurations. The Profiler Work Center is designed to help you prepare network devices for profiling, configure Active Directory settings, enable the profiling service, configure the profiling feed service, and check or change the profiler configuration settings.

From the Work Center screen, you can choose other options such as Endpoint Classification, where you are taken to a centralized monitoring tool for the endpoint profiles, categories and network devices. On this screen, there are dashboards that display information about the network. This includes endpoints by type or endpoint profiles, endpoint categories by OUIs, OS types or identity groups, and network devices based on location, type and device name. Another example is choosing Profiling Policies from the Profiler Work Center menu. This page displays Cisco-provided endpoint profiling policies with their names, type, description and status as to whether they are enabled or not.

Here you can create your own profiling policies to organize endpoints based upon an organization’s specific needs. For example, let’s say the company prefers specific tablets to be used in the network. A local profile called Approved Tablets could be created and the desired endpoint identity groups assigned as members. In this example, we are including Apple iPad and Microsoft Surface tablets. Then, by navigating to Work Centers, then Network Access, and choosing Policy Sets, an authorization policy could be created that includes the custom profile you just created, named Approved Tablets.

  4. Lab Demo: Configure Profiling

To start, from the ISE dashboard, we’ll navigate to Work Centers, Profiler and then Overview to view the required configuration steps that we need to be able to enable and configure the profiler service. Here we see three primary steps, Prepare, Define, and Go Live and Monitor, with substeps listed below them. Under Prepare, the Network Devices and Active Directory configurations have already been accomplished in previous labs. However, there is some preparation required before we can enable the profiler service. Since I’m already under Work Centers and Profiler, I’ll navigate to Endpoint Classification at the top of the page here. Optionally, I could have also reached this page via Context Visibility, Endpoints and then Endpoint Classification. On this page, I see a list of three endpoints. I can click on the gear icon to determine which columns show, and in which order they show, in this list. For a large list of endpoints, I could also use the filter option. Here, I can either perform a quick filter or I can perform an advanced filter to limit what shows on the list. With my list of only three endpoints, I’m not too concerned about filtering the list. However, I could choose to sort this list based on any of these column headers in either ascending or descending order. I’m looking for my iPad, so I’ll find the device that has an OUI of Apple, Inc. Clicking on the MAC address of my iPad opens another page. In this screen, we have tabs for Applications, Attributes, Authentication, Threats, and Vulnerabilities. To see more information around those topics, we’ll click on Attributes. Here we see a list of all the attributes that ISE knows for this device. For example, note that the Airespace WLAN ID that this device is on is 1. We also see that the authentication status is passed and that the authorization policy matched is the Wireless Employee Access policy. Scrolling down a bit, we can see that the Endpoint Policy is set to Unknown.
We also see the endpoint profiler server is our ISE server, and that our endpoint source is the RADIUS probe. The framed IP address is the IP address of the device itself, ten ten two. As we can see, there are many more attributes which may be useful for us to review when we’re looking at this device for troubleshooting or security purposes. We’ll scroll back up to the top of the list and click on Endpoints to return to the endpoints list. Next, we’ll return to the console of the iPad itself. I’ll click on Settings and then look at the Wi-Fi parameters for the iPad. Here I see that the iPad is currently connected to the WPA2-E SSID for my pod, which happens to be Pod 20. I’ll click on the blue information icon to the right of the SSID name, and then I’ll click on Forget This Network to remove the information that the iPad has about the SSID. As a result of my actions, the iPad is now trying to connect to the 20 guest SSID, because that’s the next network that it knows about. I’ll turn off Wi-Fi altogether and then close the console to my iPad. Back in the list of endpoints, I will click on the checkbox to select the iPad endpoint, and then I’ll click the trashcan to delete it from ISE. From the dropdown menu, I’ll click on Selected to delete only the endpoints that I have selected. Finally, I’ll confirm the deletion. Now I see that one endpoint has been deleted successfully and it no longer appears in the list.

Next, I’ll click on the tab to return to the profiler Overview. Underneath the Prepare step, I’ll click on the Deployment link. This will take me to the same page I could have reached if I had gone to Administration, System and then Deployment. Underneath Deployment and then Deployment Nodes, I will click on the hyperlink that has the name of my ISE server, in this case ISE one. Near the bottom of the page that’s displayed, I’ll click on the checkbox to enable the profiling service.

Note that now that I’ve checked the service, I have a new tab next to General Settings at the top of the page, Profiling Configuration. Clicking this tab shows me all of the specific probes that are enabled by default to allow profiling. I see one method of profiling is via DHCP probes. Another method that’s already selected is via RADIUS probes. Scrolling down, I can also see that Network Scan probes are allowed for profiling. And by scrolling down to the very bottom of the page, I can also see that SNMP Query and Active Directory probes are also allowed for profiling.

By scrolling back up towards the middle of this page, I can see that HTTP is currently not enabled for profiling. We’ll click on the checkbox to enable it. After that, we’ll scroll all the way back up and then return to General Settings by clicking on that tab. Then I’ll scroll down to the very bottom of this page and click on Save to save my changes. Because I’ve made changes to the Policy Service persona, I receive a text box telling me that my update was successful, but that the system will restart and that the restart may take up to ten minutes. I’ll click on OK to accept this information and to initiate the restart. I’ll monitor the progress of this restart by opening up a PuTTY session to the ISE console.

I’ve already logged on to the ISE server, but I will use the show application status ise command to continue to monitor the ISE processes. The process that I’m most concerned about at the moment is the Application Server process, which is third in the list. Note that it is currently shown in a state of not running. I’ll pause the video and then return once some progress has been made. While the video was paused, I reissued this command a few times and now the Application Server process shows as initializing. I’ve continued to wait for this process to be fully started up, and I will pause the video again until there’s further progress. It’s now been about ten minutes since the system restarted, and now the Application Server process shows as running. I’m now ready to return to the web console for the ISE server.

  5. Lab Demo: Configure Feed Services

Hello. In this video, we will walk through the steps needed to configure the feed service in Cisco ISE so that we can retrieve new and updated endpoint profiling policies. These new and updated policies will be received from a designated Cisco feed server via a subscription from our ISE server. Once our feed service is configured and enabled, we’ll then force a manual update from the feed service. We will start from the main ISE dashboard by navigating to Work Centers, then to Feeds under Profiler. Another way of going to this page would be to navigate to Administration and then to Feed Service under Profiler. On this page, we will verify that the checkbox to enable online subscription update has been checked. Note that the system will automatically check for updates on a daily basis. I can set the time for when that check will occur. It is currently set to run at 100 and 06:00 a.m. UTC.

We want the administrator to be notified when the feed downloads occur, so we’ll check this box to do so, and then we will type in an email address for the notifications to be sent to. In my example, I will use admin@demo.local as the email address. Note that for this email notification, or any ISE email notification, to work, we need to configure an SMTP server on our ISE server. We already have an SMTP server configured on our system. I could have tested the feed service connection without entering an email address for notifications, but I will go back and test it now by clicking on the Test button. My test was successful.

If for some reason the feed service connection were to fail, perhaps due to firewalls or some other issue, I can do a manual update, where I would download an update file from Cisco and manually load it into the system. To perform that action, I would click on the Offline Manual Update tab. From this tab, I can use the link to log in and register with the Cisco feed server. I’ll then be able to download the update file from Cisco. Once it’s downloaded, I would then use the Browse button to select the downloaded file and then click the Apply Update button here to apply the changes in the downloaded update file to my ISE server database.

I’ll return to the Online Subscription Update tab and then scroll to the bottom of the page to save my settings. To force an immediate update, I will scroll back up and click on the Update Now button. I see another popup window telling me that all endpoints will be reprofiled and that the process may increase the system load and also change the authorization policy for some endpoints. I’ll click on Yes to confirm that I want to continue the process. Finally, I’ll see a server response message at the bottom right of the window telling me that the feed service update was successfully started. We will not wait for the process to finish, as it will take a significant amount of time to complete. I can verify the successes or failures of the feed service by reviewing received emails in the admin@demo.local email account, or by scrolling to the bottom of the page to the Latest Update section.

  6. NAD Configuration for Profiling

Hello. In this video we’ll walk through the steps needed to modify the Network Access Device, or NAD, definition for profiling in Cisco ISE. We’ll start from the main ISE dashboard by navigating to Work Centers, then to Network Resources under Network Access. The Network Devices tab is already selected in the left pane. Another way of getting to this page would be to navigate to Administration and then to Network Devices under Network Resources. On this page we see two network devices listed, the 3K access switch and the virtual WLC. We will start by clicking on the 3K access switch to edit its settings. One method of profiling devices is by SNMP, so we will configure the SNMP settings on the 3K access switch. We’ll start by scrolling down the page and then clicking the checkbox next to SNMP Settings. That will cause the SNMP Settings section to be expanded to allow us to configure our settings. The first setting is the SNMP version.

We will select 2c from the drop-down list. After that, we’ll set the SNMP Read Only, or RO, community to be ISE is cool. The characters are hidden as I type, but I can click the Show button to verify that I typed the community value correctly. SNMP version 2c does not require username security levels, authorization settings, or privacy settings, so we’ll move down to the polling interval and set that to be more frequent than 28,800 seconds, which is equal to once every 8 hours. We’ll change the polling interval to be 600 seconds, which is equal to once every ten minutes. Finally, we’ll disable the link trap query and the MAC trap query. We’ll leave Originating Policy Services Node at Auto, since we have only a single ISE node in our lab.

I’ll do a quick check on my settings and then click Save to save these new settings. Once I see that the save was successful, I’ll scroll back to the top of the page and then click the Network Devices list link to return to the list. From here, I’ll click on the virtual WLC and follow the same steps as before to configure it with the same SNMP settings. Now that my two NADs are configured with SNMP, I’ll modify the ISE profiler to use the same SNMP values. I’ll do that by navigating to Work Centers and then Settings under Profiler. I could have also reached the same page by navigating to Administration and then Settings under System in that menu. First I’ll set the RADIUS Change of Authorization, or CoA, type from No CoA to Reauth by selecting that from the drop-down list of choices.

This setting will enforce authentication of an already authenticated endpoint when it is profiled. After that I’ll change the custom SNMP community string from its current value of public to be ISE is cool. I need to type that value once and then confirm it by typing it a second time. After that, I’ll verify that the endpoint attribute filter is not enabled. Enabling the endpoint attribute filter causes the Cisco ISE profiler to keep only significant attributes, which are only those attributes used by the Cisco ISE system or those used specifically in an endpoint profiling policy or rule, and to discard all other attributes.

Again, I’ll verify my settings and then click on Save to make them permanent. Our final step for this video is to verify the profiler exception action. To do that, I will navigate to Work Centers and then Policy Elements under Profiler. Once on that page, I’ll click on Exception Actions in the left navigation pane. From this list, I’m interested in First Time Profile, which is when an endpoint profile changes from Unknown and is profiled for the first time. Here I’ll verify that the CoA action is set to Force CoA. This means that a RADIUS CoA is issued when an endpoint is profiled in Cisco ISE for the first time.