The document provides best practices for Cisco Identity Services Engine (ISE) configurations. It discusses recommendations for wired and wireless dot1x configurations, redirected flows, upgrading to ISE 2.0, and configuring mobile device management (MDM) authorization policies across different ISE versions. Key recommendations include enabling radius server dead detection, using policy sets to optimize policy lookups, and configuring separate authorization policies for MDM redirection and registered devices.
2. Quick start
1. Wired and Wireless dot1x best practices.
2. Redirected flows recommendations.
3. Upgrade to ISE 2.0, TAC recommendations.
4. MDM authorization policies configuration with different ISE versions.
4. Wired dot1x high availability world
Time, it is all about the time – understanding the EAP and RADIUS timers on the NAD and on the supplicant is critical when we're talking about ISE PSN high availability.
[Diagram: supplicant – NAD (switchport) – PSN. EAP timers apply between supplicant and NAD, RADIUS timers between NAD and PSN.]
eap tx-period – how long the NAD waits for a response from the client
eap retries – how many times the NAD retries before moving to the next method
radius timeout – how long the NAD waits for a response from the AAA server
radius retransmit – how many times the NAD retries before moving to the next AAA server
The supplicant is often a black box for us from a timers perspective.
5. Let's look at potential problems
The best way to understand any best practice is to think about what can go wrong here.
[Sequence diagram: supplicant – NAD (switchport) – RADIUS server PSN1 – RADIUS server PSN2. The NAD sends an EAP Identity request; the supplicant starts a new session and answers with an EAP Identity response. The NAD sends an Access-Request to PSN1 and starts the RADIUS timeout; with no answer it retransmits until the retries limit is reached, then sends the Access-Request to PSN2 and starts the RADIUS timeout again. By the time PSN2 answers with an Access-Challenge the supplicant's session timeout has already expired, so it starts a new session from the next EAP Identity request and the cycle repeats.]
6. How to avoid this?
Correct client side EAP timers – the preferred method; it allows us to avoid too aggressive RADIUS timers.
Decreasing RADIUS timers – the Windows 7 supplicant is able to continue the session on the next available PSN with the following RADIUS timers: 4*3 (timeout 4 s, retransmit 3)
For deployments with 10k+ endpoints the 5 s* RADIUS timeout is preferred
* – default value.
[AnyConnect NAM profile screenshot: 30 seconds EAP session timeout, 2 times more than the default switch RADIUS timeout (3*5)]
7. Radius Server dead detection
Allows the switch to skip querying an AAA server for a specified amount of time if the RADIUS dead criteria are met.
[Diagram: NAD (switchport) – RADIUS server PSN1 – RADIUS server PSN2. Access-Requests to PSN1 go unanswered; once the failed request quantity X is detected during period Y, PSN1 is marked dead, the dead interval is enabled and the NAD queries PSN2.]
8. Radius Server dead detection considerations
Should always be enabled.
Two commands only: dead-criteria and deadtime.
Without specifying deadtime the server won't be marked as dead at all (default deadtime = 0).
Using RADIUS server dead detection is extremely important when supplicant timers cannot be changed; it also helps to minimize the time to connect when the primary AAA server is unavailable.
9. Radius Server automated tester
[Diagram: NAD (switchport) sends a Test Access-Request to each of RADIUS server PSN1 and PSN2 and receives an Access-Accept/Access-Reject; unanswered test requests are counted towards the dead criteria.]
Might be used together with RADIUS Server Dead Detection to correctly identify an outage even during periods of authentication inactivity.
10. Radius Server automated tester avoiding noise
To avoid receiving authentication "noise" in live authentications/reports, a Collection Filter in the ISE logging configuration can be used.
A filter may be created to suppress logging for a specific username (the automated tester user).
11. Radius Server automated tester and dead time
Let's assume that the following timers/retry counts were configured:
radius timeout – 4 (5-7)
radius retransmit – 3 (3-5)
dead-criteria time – 60 (120)
dead-criteria tries – 3 (5-15)
automated tester idle-time – 5
The specified timers should be good enough for detecting a server outage during both working and non-working hours. Also, 4/3 for radius timeout/retries allows the Windows supplicant to switch over during the first authentication attempt.
Values in parentheses are recommended for big deployments.
[Diagram: NAD (switchport) – PSN. The automated tester wakes up after 5 min; three Access-Requests 4 s apart go unanswered; failed request qty=3 detected during=60s, so the server is marked dead.]
12. Other wired dot1x best practices
held-period – for how long the switch should not accept EAP frames from the supplicant after a failed attempt. Helps to avoid authentication flooding from misconfigured supplicants.
Recommended value = 300 seconds
quiet-period – for how long the switch should not start querying the supplicant for authentication after a failed attempt.
Recommended value = 300 seconds
13. Other wired dot1x best practices (continued)
Inactivity Timer – how many seconds of inactivity the switch will allow for a client before a re-authentication attempt
Recommended value = disabled; the only exception is when the supplicant is connected behind a non-Cisco IP phone.
Re-authentication – after what amount of time the client needs to be re-authenticated (defined locally on the switch, or pushed from the AAA server)
Recommended value = 10 hours, except when a shorter value is required by security policy
14. Wireless world AAA server aggressive failover
By default the WLC will go to the next server after 5 retransmissions for 'a client'
One misbehaving client may cause the entire WLAN to switch over to the next RADIUS server
With aggressive failover disabled, 3 consecutive requests for 3 clients need to fail before switching to the next AAA server
[Diagram: client – WLC – PSN. EAP Identity response → Access-Request; the PSN sends an Access-Challenge and awaits the next data. The client starts a new session and sends another EAP Identity response → Access-Request; the PSN ignores it because the previous one is still in progress, and the WLC counts these as retries.]
15. Wireless world AAA server High Availability
Three possible modes:
Off (Default) – the first server in the SSID settings is in use until it is marked as unresponsive. After the first server is marked as "unresponsive" the WLC will use the next server and won't return to the previous one.
Passive – after the first server is marked as unresponsive it is moved to the dead server list for a predefined amount of time (default is 300s); after the dead timer expires this server will be retried by the WLC.
Active – a kind of automated tester. The WLC marks the server as dead and after the dead timer expires will try to query this server with a probe username.
16. Wireless world AAA server High Availability (continued)
Passive or Active mechanisms are recommended. In scenarios where the MAR cache is in use they protect from a huge quantity of failed authentications at the time of switch-over.
Machine authentication is normally triggered at the time of a reboot or a user logoff/login event. In case of a short PSN outage in the middle of the day all subsequent user authentications will fail against the new PSN.
17. Radius servers configuration recommendations
Server timeout – recommended value between 5-10 seconds. Avoid using the default 2s, it is too aggressive
RFC 3576 – enable CoA support for this server. For ISE keep it always enabled
18. WLAN configuration recommendations
Use the same server for Authentication and Accounting
This will ensure that a single PSN will be the exclusive holder of the session/endpoint data
Accounting Start/Stop/Update won't trigger an endpoint ownership change
19. WLAN configuration recommendations (continued)
AAA Override – allows applying the authorization attributes returned by the server
Session Timeout – 10 hours is the recommended value
Client Exclusion – ignore client authentication attempts after a failed one. Recommended value is 180 seconds
NAC State – enable CoA support for the WLAN
20. ISE side best practices - Suppression
Suppression for anomalous clients and for logging should always be enabled.
Anomalous client suppression – send an Access-Reject to the client immediately (during the reject interval) if two or more unsuccessful attempts with the same scenario are detected from the same client during the detection interval
Log suppression – log only the first successful authentication for a client; for all subsequent authentications only the authentication count will be updated.
21. Suppression might be disabled per endpoint for troubleshooting purposes.
Suppression should never be disabled globally due to performance degradation. The only reason for a short-time global disabling of suppression might be a critical intermittent issue.
[Screenshot: Disabling Suppression]
22. ISE side best practices – Policy sets
Using policy sets makes the policy selection process much more effective. There is no need to do a policy lookup over the entire policy list; the lookup is always localized inside the selected policy set.
How to organize your policies:
Based on authentication type (dot1x/MAB)
Based on NAD type (Wireless/Wired/3rd Party)
Based on Device dictionary (Device Type/Location/Software)
24. What is a redirected flow.
Any kind of service provided by ISE to an end client where redirection of the client or client application to one of the ISE portals is required
List of redirected flows:
Guest authentication
BYOD onboarding
Posture
MDM
25. Redirect general logic
As a result of authentication ISE returns an Access-Accept message with two specific AV pairs if an Authorization profile with a redirect action is selected:
url-redirect-acl – name of an ACL that should exist locally on the NAD; this ACL instructs the NAD which traffic should be redirected to ISE (only http/https can be redirected) and which traffic should cross the NAD without redirection
url-redirect – normally the PSN FQDN (the client needs to be able to resolve it) + portal id + session id
When the client initiates an http session the NAD intercepts it and returns the url-redirect as the new page location
26. Redirect best practices Wired
http server – enabled; the default port 80 should be used except when a proxy is involved
IPDT – enabled; IP device tracking is a critical component for applying ACLs (required for multi-domain and multi-auth)
SVI in the client subnet – otherwise the traffic flow between client and switch needs to be planned very carefully
DACL and redirect ACL – the recommendation is to apply only the Redirect ACL. The DACL & Redirect ACL combination behaves differently on different platforms. The Redirect ACL provides a sufficient level of security as traffic will be either redirected, permitted or dropped
27. Redirect best practices Wireless
AAA override enabled – this will allow the WLC to apply the Redirect ACL and Redirect URL to the client
NAC=Radius NAC – without this option CoA won't be supported for the WLAN, and this will prevent applying the redirect attributes
Redirect ACL/Airespace ACL – the same recommendation as for switches. The protection provided by the redirect ACL is enough
28. Short term guest access best practices
Typical requirement – redirect the user to the guest portal each time the device disconnects, to provide credentials
Session timeout – the authorization profile applied to the guest user after CoA contains a session timeout. This will cause the user to disconnect from the WLC and a new MAB request will be sent to ISE
Session Attributes – attributes like User Identity Group/Guest Flow belong to the session. After the endpoint disconnects the session attributes are cleared. Losing these attributes forces ISE to select the policy with redirect.
29. Long term guest access best practices
Typical requirement – the user should be redirected to the guest portal at the time of first connect. After this the redirect should not happen for X days
Guest device registration – configured under the guest portal. The guest device will be assigned to a specific endpoint identity group (the group name needs to be configured under the corresponding Guest Type)
Endpoint based policy – the endpoint identity group can be used as a condition for the guest access policy after portal authentication. Session attributes should not be used there
This approach is the most effective from a resource usage perspective
30. Admin certificate and redirect (BYOD use case)
For BYOD and Posture flows the software provided to the end client by ISE establishes a connection to the PSN over TCP port 8905
BYOD – this port is in use for certificate provisioning
Posture – this port is in use for the posture requirements push / posture report retrieval
For the connection over port 8905 ISE is always using the Admin certificate
[Diagram: client – PSN psn1.xyz.com. The connection to the My Devices portal presents the Portal Certificate (issuer VeriSign); the client checks "Do I trust VeriSign?" and "Do CN/SAN match the FQDN?". The connection on 8905 presents the Admin Certificate (issuer ca.xyz.com).]
This is not causing any issues normally except …
31. Admin certificate, redirect and two interfaces (BYOD use case)
[Diagram: PSN psn1.xyz.com with interfaces G0 and G1, the second one reachable as guest1.xyz.com. Portal Certificate: CN=guest1.xyz.com, issuer VeriSign. Admin Certificate: CN=psn1.xyz.com, issuer ca.xyz.com. Access-Request → Access-Accept with url=guest1.xyz.com. Connection to the My Devices portal: "Do I trust VeriSign?" and "Do CN/SAN match the FQDN?" both pass. Connection on 8905: the CN from the certificate doesn't match the FQDN.]
Recommendation – add the FQDN of the second interface as a SAN to the Admin certificate
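The client-side name check from slide 31, as an added example that is not part of the deck: the portal and the TCP 8905 session both go to guest1.xyz.com but present different certificates, and only adding guest1.xyz.com as a SAN to the Admin certificate makes the second check pass. Names are the deck's; the matching rules (SAN dNSNames override the CN, one leftmost wildcard label) follow RFC 6125, and issuer trust is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertNames:
    cn: str             # subject Common Name
    sans: tuple = ()    # dNSName entries of the Subject Alternative Name extension


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or a single '*' as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        return h.split(".", 1)[1:] == [p[2:]]   # '*.xyz.com' matches 'a.xyz.com', not 'xyz.com'
    return False


def cert_matches_fqdn(cert: CertNames, fqdn: str) -> bool:
    """True if a client connecting to `fqdn` accepts the certificate's names.
    Once any dNSName SAN is present the CN is ignored, as current clients do."""
    names = cert.sans if cert.sans else (cert.cn,)
    return any(_name_matches(n, fqdn) for n in names)


def redirect_flow_name_checks(portal: CertNames, admin: CertNames, redirect_fqdn: str) -> dict:
    """Slide 31: the portal session and the TCP 8905 session both go to the redirect FQDN
    (the second interface) but present different certificates; each gets its own name check."""
    return {"portal": cert_matches_fqdn(portal, redirect_fqdn),
            "tcp8905": cert_matches_fqdn(admin, redirect_fqdn)}


# Names from the deck; issuer trust (VeriSign vs. ca.xyz.com) is a separate check not modelled here.
PORTAL_CERT = CertNames(cn="guest1.xyz.com")
ADMIN_CERT = CertNames(cn="psn1.xyz.com")
ADMIN_CERT_WITH_SAN = CertNames(cn="psn1.xyz.com", sans=("psn1.xyz.com", "guest1.xyz.com"))

if __name__ == "__main__":
    print("before:", redirect_flow_name_checks(PORTAL_CERT, ADMIN_CERT, "guest1.xyz.com"))
    print("after: ", redirect_flow_name_checks(PORTAL_CERT, ADMIN_CERT_WITH_SAN, "guest1.xyz.com"))
```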
32. Redirection to static FQDN
Misunderstanding of this option is a common reason for guest/BYOD/posture redirect issues in a distributed deployment
[Diagram: what customers expect. Two PSNs, G0 10.1.1.10 and G0 10.1.1.20; DNS A=byod.xyz.com → 10.1.1.10, 10.1.1.20. Access-Request → Access-Accept with url=byod.xyz.com; the client asks DNS for byod.xyz.com, gets 10.1.1.20 and connects to the My Devices portal there.]
When this option should be used – only when the PSNs are located behind a LB and RADIUS and SSL session binding is configured on the LB
34. Upgrade drivers
1. Bug fixes – a fix for the affecting bug exists in 2.0
2. New features needed:
TACACS+ Device Administration
Third-Party Device Support
TrustSec Dashboard, Matrix Enhancements, Work Center, Support for SXP
Location Based Authorization
Support for EAP-TTLS Protocol
KVM Hypervisor Support
Cisco ISE Telemetry
35. Upgrade preparation tasks
1. Backup collection – both configuration and operational backups need to be collected
2. Certificate backup – export certificates with private keys from your ISE nodes to a secured location. During the export process the certificate roles need to be documented
3. Upgrade path discovery – can I upgrade directly? If not, what should be done?
36. New ISE version testing
1. Create two VMs – install a clean version of ISE 2.0 on these VMs, restore your current backup and build a distributed deployment (each ISE installation is supplied with a 90 day trial license)
2. Prepare the testing scope – one test SSID, one test switch; ensure that all flows that you're using work as expected
3. Read the upgrade guide carefully to avoid problems
41. ISE 1.3 MDM
Single MDM server support – the administrator could define multiple MDM servers in the configuration but only one server can be active
Redirection to the MDM portal is not a "must" – actual redirection may be used only for "new" endpoints which have not been registered on the MDM server. Due to this multiple customers don't have redirect policies at all.
[Diagram: an endpoint registered to the MDM server connects to the network; the PSN queries the MDM server and receives Registered/Compliant.]
42. MDM ISE 1.4 and higher enhancements
Multi MDM support – the administrator can select which MDM server should be used in the authorization profile
Endpoint attribute MDM Server – as a result of multi MDM support ISE should know which MDM server needs to be queried for each endpoint. To allow storing this information a new attribute has been added to the endpoint attribute list
MDM redirect is a "must" starting from ISE 1.4
How to specify to which MDM server the redirect should be done – AD group/SSID, or any other significant attribute may be used for MDM server selection
[Diagram: an endpoint registered to the MDM server connects to the network; it is unknown to ISE, so policy selection = redirect to Meraki MDM; ISE writes Meraki as the MDM server to the endpoint, then queries the MDM server and receives Registered/Compliant.]
43. ISE MDM best practices
At least two MDM authorization policies –
1. Lower policy for MDM redirect. Prior to ISE 1.4 you can avoid using this policy if all endpoints are externally onboarded, but to avoid problems after upgrade it is highly recommended to have this policy in all ISE versions.
2. Upper policy for Compliant/Registered devices
Compound condition for endpoint deletion detection
When an endpoint is deleted from the MDM server ISE gets an empty message as the API response. If the endpoint was previously marked as compliant ISE will reuse this information. The registration status is never reused.
44. Useful links
Demystifying RADIUS Server Configurations
TECSEC-3672 - Identity Services Engine 1.3 Best Practices
ISE Traffic Redirection on the Catalyst 3750 Series Switch
BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment
Configure the RADIUS Server Fallback Feature on Wireless LAN Controllers
Wired 802.1X Deployment Guide
Cisco Identity Services Engine Upgrade Guide, Release 2.0
Cisco CLI Analyzer