Cisco ISE Configuration for Third-Party Plug-in
Policy Enforcer's Cisco ISE Connector communicates with the Cisco Identity Services Engine server using the Cisco ISE API. As part of threat remediation, Policy Enforcer's Connector uses enforcement profiles. This section provides information for configuring Cisco ISE so that Policy Enforcer can invoke the appropriate enforcement profiles.

As part of the configuration, on Cisco ISE you will create two enforcement profiles, one for quarantine and one for terminate. Then you will use them in the Cisco ISE enforcement policy. Once Cisco ISE is configured, you will configure a Cisco ISE Connector on Policy Enforcer.

On Cisco ISE you will configure the following:

  • Change policy modes

  • Create an API client

  • Configure network profiles

  • Add a custom attribute

  • Configure authorization profiles

  • Set an authorization policy

On Cisco ISE, the Simple Mode policy model is selected by default. To create an API client, Policy Sets mode must be enabled.

  • Navigate to Administration > System > Settings > Policy Sets and Enable Policy Sets mode.

    You are prompted to log in again after changing the mode.

    Figure 1: Cisco ISE: Enable Policy Sets Mode
    Cisco Identity Services Engine interface showing Policy Sets configuration with Enabled option selected. Save and Reset buttons are visible.

Create an API Client:

  1. Using the Cisco ISE web UI, create an Admin User by navigating to Administration > System > Admin Access > Administrator > Admin User.
  2. Create an Admin User and assign it to the following Admin Groups: ERS Admin, MnT Admin.

    Make note of the username and password. You will need them when you configure the connector portion in Policy Enforcer later on.

    Figure 2: Cisco ISE: Create Admin User and Assign to Admin Groups
    Cisco ISE admin interface showing Administrators section under Admin Access. Lists admin accounts, statuses, roles, groups, and action buttons.

Enable the External RESTful Services API (ERS) for the Administration Node:

  1. Navigate to Administration > System > Settings > ERS Settings and select Enable ERS for Read/Write.
  2. Click Save.
    Figure 3: Cisco ISE: Enable ERS
    Cisco ISE ERS Settings page showing API configuration options, including enabling or disabling ERS and save or reset buttons.

Configure network profiles:

Devices managed by ISE must support RADIUS CoA and have the proper network profiles assigned to handle the CoA commands sent by the ISE server:

  1. Navigate to Administration > Network Resources > Network Device Profiles and verify the existing network device profile list.

    If you are creating a new profile, proceed to the next step for information.

    Figure 4: Cisco ISE: Network Device Profiles List
    Cisco Identity Services Engine ISE Network Device Profiles interface showing a table of profiles with names, descriptions, vendors, and sources, plus action buttons for managing profiles.
  2. If you are configuring a new profile, you must minimally set the following:
    • Enable RADIUS and add a corresponding dictionary in the supported protocol list.

      Figure 5: Cisco ISE: Network Device Profile, Enable RADIUS
      Cisco ISE Network Device Profile page showing a Juniper profile with RADIUS enabled, TACACS+ and TrustSec disabled.
    • Enable and configure the Change of Authorization (CoA) according to the figure below.

      Figure 6: Cisco ISE: Configure Change of Authorization (CoA)
      Configuration interface for Change of Authorization settings with RADIUS selected, port 3799, 5-second timeout, 2 retries, Message-Authenticator off.
    • Configure the Disconnect and Re-authenticate operations with the proper RADIUS attributes and vendor-specific attributes (VSAs) so that the standard disconnect and re-authenticate operations are handled. Below is a sample configuration for Juniper EX devices.

      Figure 7: Sample Configuration for Juniper EX
      Configuration interface for managing RADIUS attributes and actions including Disconnect, Re-authenticate, and CoA Push options for network access control.

Configure a custom attribute:

  1. Navigate to Administration > Identity Management > Settings > Endpoint Custom Attribute and add attribute sdsnEpStatus with type string.
    Figure 8: Cisco ISE: Add Attribute sdsnEpStatus
    Cisco ISE interface showing Endpoint Custom Attributes page under Administration. Features navigation bar, predefined endpoint attributes, and options to add custom attributes with Reset and Save buttons.
  2. Verify the attribute under Policy > Policy Elements > Dictionaries > System > Endpoints.
    Figure 9: Cisco ISE: Verify Attribute
    Cisco ISE interface showing Policy Elements Dictionaries configuration with EndPoints dictionary selected and its attributes listed.
  3. Navigate to Policy > Policy Elements > Conditions > Authorization > Simple Conditions. There, add authorization simple conditions that use the sdsnEpStatus attribute you created.

    In the screen below, three conditions are created using the sdsnEpStatus attribute. The condition names do not need to be the same as in the screen here, but the expressions must match. These conditions are used in Policy Sets to handle threat remediation for managed endpoints, as described later in the Policy Sets setting section. Only the sdsnEpStatus-blocked and sdsnEpStatus-quarantine conditions are used there; sdsnEpStatus-healthy is created for completeness and can be ignored for now.

    Figure 10: Cisco ISE: Configure Simple Conditions, Match Expression
    Cisco ISE Policy Elements screen showing Authorization Simple Condition named sdsnEpStatus-blocked with EndPoints sdsnEpStatus attribute, Equals operator, and blocked value.
    Figure 11: Cisco ISE: Configure Simple Conditions, Match Expression
    Cisco ISE Policy Elements screen showing Authorization Simple Condition: Name sdsnEpStatus-quarantine with attribute EndPoints:sdsnEpStatus equals quarantine.
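To show how the attribute and conditions above fit together, here is an added Python example (not Policy Enforcer's own connector code) of the ERS calls that set sdsnEpStatus on an endpoint, which is what lets the simple conditions match and ISE send CoA. It assumes ERS is enabled for Read/Write with an account in the ERS Admin group, the default ERS port 9060, and a hypothetical host name ise.example.internal.

```python
import base64
import json
from urllib import request

ISE_HOST = "ise.example.internal"  # hypothetical ISE Policy Administration Node
ERS_PORT = 9060                    # default ERS port
# Exact strings the simple conditions compare against (Figures 10 and 11).
STATUS_VALUES = ("healthy", "quarantine", "blocked")


def ers_headers(username, password):
    """ERS uses HTTP basic auth with JSON request and response bodies."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": f"Basic {token}"}


def endpoint_search_url(mac):
    """Look an endpoint up by MAC; the search returns its id, not the full object."""
    return f"https://{ISE_HOST}:{ERS_PORT}/ers/config/endpoint?filter=mac.EQ.{mac}"


def endpoint_id_from_search(body):
    """Pull the endpoint id out of an ERS SearchResult; None if the MAC is unknown."""
    resources = json.loads(body).get("SearchResult", {}).get("resources", [])
    return resources[0]["id"] if resources else None


def status_update_payload(status):
    """PUT body that carries the custom attribute the authorization conditions read."""
    if status not in STATUS_VALUES:
        # A typo here would silently match none of the authorization conditions.
        raise ValueError(f"unknown sdsnEpStatus value: {status!r}")
    return {"ERSEndPoint": {"customAttributes": {
        "customAttributes": {"sdsnEpStatus": status}}}}


def set_endpoint_status(mac, status, username, password, urlopen=request.urlopen):
    """Search, then PUT; the matching Local Exception rule then triggers CoA."""
    headers = ers_headers(username, password)
    with urlopen(request.Request(endpoint_search_url(mac), headers=headers)) as resp:
        endpoint_id = endpoint_id_from_search(resp.read())
    if endpoint_id is None:
        raise LookupError(f"no ISE endpoint with MAC {mac}")
    url = f"https://{ISE_HOST}:{ERS_PORT}/ers/config/endpoint/{endpoint_id}"
    req = request.Request(url, data=json.dumps(status_update_payload(status)).encode(),
                          headers=headers, method="PUT")
    with urlopen(req) as resp:
        return resp.status  # 200 on success
```

Setting the value back to "healthy" (or clearing it) after remediation is what lets the endpoint fall through to the regular authorization rules again.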

Configure permission/authorization profiles:

You can create the authorization profiles corresponding to the “block” and “quarantine” actions as fits your needs. In the sample configuration provided here, the block action denies all access to the network, and the quarantine profile moves the endpoint to another designated VLAN.

  1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.

    Refer to the figures below for sample configurations.

    Figure 12: Cisco ISE: Configure Authorization Profiles
    Cisco ISE interface showing Standard Authorization Profiles under Policy Elements with options to Edit, Add, Duplicate, or Delete profiles.
    Figure 13: Cisco ISE: Configure Authorization Profiles
    Cisco ISE Authorization Profile for quarantined endpoints: sdsn_quarantine_profile. Access type is ACCESS_ACCEPT. Network Device Profile set to Any. No ACL or VLAN applied. RADIUS attributes configured with Acct-Interim-Interval 60, Tunnel-Medium-Type 802, Tunnel-Private-Group-ID 200, Tunnel-Type VLAN.
    Note

    For blocking a host, the default ‘DenyAccess’ profile is used.

Set the authorization policy:

  1. Create two rules as Local Exceptions, applying the conditions and authorization/permission profiles you created in the previous steps. The names may differ, but these two rules must be at the top of the Exception list.

    Refer to the figure below for a sample configuration.

    Figure 14: Cisco ISE: Local Exception Rules, Example
    Cisco ISE Policy Sets page showing the Default policy set with Authorization Rules like Wireless Black List Default and Profiled Cisco IP Phones.
    Note

    Find this under Policy > Policy Sets > Authorization Policy.

  2. Proceed to Creating a Policy Enforcer Connector for Third-Party Switches to finish the configuration with Policy Enforcer.