
Test RADIUS authentication from the switch against ISE (IOS exec command; username it1, password cisco as the test credentials, new-code selects the newer AAA test code path):

test aaa group radius it1 cisco new-code

ISE Policies: Authentication, Authorization, Profiling, Posture, Client Provisioning, SGA

Policy Elements: Dictionaries, Conditions, Results

If Condition Then Result

A dictionary is a predefined set of attributes (for example RADIUS, Network Access, Identity Group, Active Directory, or profiler attributes) that conditions reference. A condition is an expression over those attributes, and a result is what a matched rule returns: for authentication, the identity source and allowed protocols; for authorization, an authorization profile (VLAN, dACL, SGT, redirect) or a deny.

ISE Authentication

Authentication Policy

Types

Components:

External authentication:

ISE PSNs must be joined to Active Directory, so AD authentication relies on DNS (SRV records for the domain) and on the domain controllers that AD Sites and Services maps to the PSN's site; a PSN whose site resolves to distant or unreachable DCs will authenticate slowly or fail.

ISE Authorization

Top-down, first-match list of rules.

The out-of-the-box default rule is PermitAccess, so any session that matches no explicit rule is permitted; change it to DenyAccess once the explicit rules cover the expected endpoints.

Downloadable ACLs (dACLs): per-session IP ACLs defined on ISE and returned to the NAD in the authorization result as a RADIUS vendor-specific attribute. The switch applies them to the authenticated session, so it must learn the endpoint IP (device tracking) and must send/accept VSAs.

Cisco TrustSec (CTS)

Security Group Access – Security Group Tagging

Cisco Proprietary

The SGT is carried in a Cisco MetaData (CMD) header inserted after the 802.1Q information in the Ethernet frame; both ends of the link must support it, otherwise the tag is dropped on that hop.

The Network Access Device assigns the SGT returned in the ISE authorization result to the endpoint's session and tags its L2 frames with it. Security Group ACLs (SGACLs) elsewhere in the network match on source and destination SGT to allow or block access to resources; enforcement happens at egress on the device that knows the destination tag.

SXP – SGT Exchange Protocol (TCP port 64999, MD5-authenticated). It is used when intermediate devices cannot carry inline SGTs. Instead of tagging frames, a speaker sends its IP-to-SGT bindings over a TCP session to a listener that does support SGTs, so the enforcement point can re-attach the tag and apply SGACLs even though the tag was lost on the non-supporting hops.

Cisco TrustSec switch configuration (NAD side), starting with the RADIUS server definition that also carries the PAC provisioning key:

radius server ISE-PAC
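A fuller NAD configuration, as an added example (constructed for these notes, not taken from the original page or from Cisco documentation): a Catalyst IOS-XE switch doing 802.1X against ISE, accepting dACLs and SGTs in the authorization result, enforcing SGACLs, and speaking SXP to a peer that cannot receive inline tags. The addresses 10.1.1.10 (ISE PSN), 10.1.1.1 (this switch), 10.1.2.1 (SXP peer), the list/group names and all keys are placeholders.

```cisco
! --- AAA towards ISE ---
aaa new-model
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
! separate authorization list referenced by "cts authorization list" below
aaa authorization network CTS-LIST group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
radius server ISE-PAC
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key ISE-shared-secret
 ! PAC provisioning key: must match the CTS password set for this NAD in ISE
 pac key CTS-pac-key
!
aaa group server radius ISE-GROUP
 server name ISE-PAC
!
! VSAs carry the dACL name and the SGT; without these the switch ignores them
radius-server vsa send authentication
radius-server vsa send accounting
! dACLs are applied to the endpoint IP, so the switch must learn it
! (newer IOS-XE releases use "device-tracking" policies instead)
ip device tracking
dot1x system-auth-control
!
! --- TrustSec: download environment data / SGACLs via CTS-LIST, enforce by SGT ---
cts authorization list CTS-LIST
cts role-based enforcement
cts role-based enforcement vlan-list 10-20
!
! --- SXP: advertise IP-to-SGT bindings learned here to an enforcement point
!     that sits behind non-CTS hops, so it can still apply SGACLs ---
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password SXP-secret
cts sxp connection peer 10.1.2.1 password default mode local speaker
!
! --- access port ---
interface GigabitEthernet1/0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 mab
!
! --- verification ---
! show cts pacs                      (PAC obtained from ISE)
! show cts environment-data          (SGT names downloaded from ISE)
! show cts role-based permissions    (SGACLs currently enforced)
! show cts sxp connections           (SXP session state "On")
! show authentication sessions interface Gi1/0/1 details  (dACL and SGT on the session)
```

If "show cts pacs" is empty, the PAC key in the radius server block does not match the CTS password in ISE's network device entry, and no environment data or SGACLs will be downloaded regardless of the rest of the configuration.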
