Wednesday, August 10, 2022

Cisco ISE Certificate and Licensing Overview and Installation

Cisco ISE Certificate

  • A certificate is an electronic document that identifies an individual, a server, a company, or another entity, and associates that entity with a public key. 
  • Certificates can be self-signed or digitally signed by an external CA. A self-signed certificate is signed by its creator; a CA-signed digital certificate is considered the industry standard and is more secure than a self-signed certificate.
  • Certificates are used in a network to provide secure access. Certificates identify a Cisco ISE node to an endpoint and secure the communication between that endpoint and the Cisco ISE node.

Cisco ISE uses certificates for:

  • Communication between Cisco ISE nodes.
  • Communication between Cisco ISE and external servers such as the syslog and feed servers.
  • Communication between Cisco ISE and end user portals such as guest, sponsor, and BYOD portals.

Cisco ISE relies on public key infrastructure (PKI) to provide secure communication with both endpoints and administrators and between Cisco ISE nodes in a multinode deployment. PKI relies on X.509 digital certificates to transfer public keys for encryption and decryption of messages, and to verify the authenticity of other certificates representing users and devices. Through the Cisco ISE administration portal, you can manage two categories of X.509 certificates:

  • System Certificates: These are server certificates that identify a Cisco ISE node to client applications. Every Cisco ISE node has its own system certificates that are stored on the node along with the corresponding private keys.
  • Trusted Certificates: These are CA certificates that are used to establish trust for the public keys that are received from users and devices. The Trusted Certificates store also contains certificates that are distributed by the Simple Certificate Enrolment Protocol (SCEP), which enables the registration of mobile devices into the enterprise network. Trusted certificates are managed on the primary PAN and are automatically replicated to all the other nodes in a Cisco ISE deployment.

In a distributed deployment, you must import the certificate only into the Certificate Trust List (CTL) of the PAN. The certificate gets replicated to the secondary nodes.

To ensure certificate authentication in Cisco ISE is not impacted by minor differences in certificate-driven verification functions, use lowercase hostnames for all Cisco ISE nodes that are deployed in a network.

Note: Cisco ISE cannot import more than one certificate with the same private key. If the certificate is renewed and imported without changing the private key, then the existing certificate is replaced with the imported certificate.

ISE System Certificates

When you import a certificate into Cisco ISE, specify the purpose for which the certificate is to be used. Choose Administration > System > Certificates > System Certificates and click Import.
Choose one or more of the following uses:

Admin: For internode communication and authenticating the administration portal.

  • The Admin certificate is a server certificate used to authenticate and secure communication with the ISE Admin portal. It is also used to establish the trust relationship and secure communication between ISE nodes in a multi-node deployment.
  • Whenever you browse to the ISE GUI from an endpoint, ISE, like any other HTTPS server, presents its certificate to the client browser. If the client trusts the certificate, a TLS/SSL tunnel is formed, and the client then sends the login credentials and further requests/responses through the established tunnel. If the client does not trust the certificate, the browser displays a warning which in most cases lets the user accept the risk and proceed to establish communication with the server. If the client does not trust the certificate and is not willing to accept the risk, the HTTPS connection to ISE is terminated.

EAP Authentication: For TLS-based EAP authentication.

  • The EAP authentication certificate is a server certificate used for the SSL/TLS tunnelling that EAP protocols need for secure credential exchange.
  • EAP protocols use TLS for secure credential exchange between a dot1x endpoint (supplicant) and the RADIUS/AAA server. If the endpoint trusts the RADIUS server certificate (the ISE EAP Authentication certificate), a TLS tunnel is established between the dot1x endpoint and ISE and is then used for the credential exchange. If the server certificate is not trusted by the client/supplicant/endpoint, no TLS tunnel is formed with ISE, so the client credentials are never sent and the dot1x authentication fails.

RADIUS DTLS (RADIUS Datagram Transport Layer Security): For RADIUS DTLS server authentication.

  • The RADIUS DTLS certificate is a server certificate used for RADIUS DTLS authentication. RADIUS DTLS is used for encrypting RADIUS traffic between a Network Access Device (NAD) and the RADIUS DTLS server (ISE).
  • Examples of Network Access Devices are access switches, Wireless LAN Controllers (WLC), and remote access VPN servers.

Portal: For communicating with all Cisco ISE end-user portals.

  • The Portal certificate is the server certificate used to secure communication with all Cisco ISE web or end-user portals.
  • Examples of end-user portals are the Guest or Central Web Authentication (CWA) portal, the sponsor portal, the My Devices portal, and so on.

SAML (Security Assertion Markup Language): For verifying that the SAML responses are being received from the correct identity provider.

  • SAML certificate is used to secure communication between ISE and SAML identity provider (IdP).
  • SAML is an open standard for exchanging authentication and authorization data between an identity provider and a service provider (i.e., ISE).
  • A certificate designated for SAML use cannot be used for any other service such as EAP authentication, portal, Admin, etc.

pxGrid: For communicating with the pxGrid controller.

  • pxGrid certificate is a client and server certificate used for establishing secure communication between pxGrid client and server.

Certificate Installation

  1. Generate a Certificate Signing Request (CSR).
  2. Submit the CSR to the root CA server for signing.
  3. Download the signed certificate.
  4. Download the root CA certificate.
  5. Install the root CA certificate into the ISE trusted certificate store.
  6. Bind the CA-signed certificate to the generated CSR on ISE.
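As an added example (not from the original post or from Cisco), the script below reproduces the six steps with a throwaway lab CA using plain openssl, then runs the three checks worth doing before step 6: the signed certificate chains to the root you will put in the trusted store, its public key matches the private key of the CSR it is about to be bound to (the usual cause of a failed bind), and the CN is lowercase as recommended above. The CA name and hostname are constructed.

```shell
#!/bin/sh
# Added example: lab stand-in for CSR -> CA sign -> trust root -> bind.
# All names (lab-root-ca, ise-psn1.example.com) are constructed values.
set -e

# Build a throwaway root CA, an ISE node key + CSR, and a CA-signed certificate.
make_lab_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # Root CA (self-signed); its cert is what goes into the ISE trusted store (step 5).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -subj "/CN=lab-root-ca" 2>/dev/null
  # Step 1: CSR; the private key never leaves the node.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/node.key" \
    -out "$dir/node.csr" -subj "/CN=$host" 2>/dev/null
  # Steps 2-3: the CA signs the CSR and returns the certificate.
  openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -out "$dir/node.crt" 2>/dev/null
}

# Pre-bind checks: the cert chains to the trusted root, its public key matches
# the private key of the CSR it will be bound to, and the CN is lowercase.
# Prints OK, or the name of the first failing check (and returns non-zero).
check_bind() {
  dir="$1"; key="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/node.crt" >/dev/null 2>&1 \
    || { echo "CHAIN_FAIL"; return 1; }
  cert_pub=$(openssl x509 -in "$dir/node.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || { echo "KEY_MISMATCH"; return 1; }
  cn=$(openssl x509 -in "$dir/node.crt" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$(printf '%s' "$cn" | tr 'A-Z' 'a-z')" ] \
    || { echo "UPPERCASE_CN"; return 1; }
  echo "OK"
}

# Demo: a correctly issued certificate passes all three checks.
demo_dir=$(mktemp -d)
make_lab_pki "$demo_dir" ise-psn1.example.com
check_bind "$demo_dir" "$demo_dir/node.key"    # OK
rm -rf "$demo_dir"
```

In production the CSR and key are generated on the ISE node itself; only the check_bind logic applies there, pointed at the downloaded certificate and the root CA certificate.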

Cisco ISE Licensing

The Cisco ISE licensing model allows you to purchase licenses based on your enterprise needs. There are two ways of consuming licenses: traditional or smart.

  • Traditional licensing is where you import a license onto the appliance.
  • Smart licensing is where you manage a Cisco account that holds all the information on the licenses purchased for your deployment.

Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start has been received but a RADIUS Accounting Stop has not yet been received.
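To make the counting rule concrete, here is an added example (not from the original post) that walks a constructed RADIUS accounting log and reports how many sessions are active now and the peak concurrency, which is the number the licenses are counted against. The log line format, session IDs and usernames are constructed; only Start and Stop change the count, a duplicate Start is not double-counted, and a Stop with no matching Start is ignored.

```shell
#!/bin/sh
# Added example: count concurrent active sessions the way the license rule
# describes: a session is active from its Accounting Start until its Stop.
set -e

# Reads accounting lines on stdin; prints "active=<now> peak=<high-water mark>".
peak_sessions() {
  awk '
    # Pull the Acct-Session-Id value out of a line, or "" if absent.
    function sid(   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, "Acct-Session-Id=") == 1) return substr($i, 17)
      return ""
    }
    /Acct-Status-Type=Start/ {
      id = sid()
      if (id != "" && !(id in active)) {   # duplicate Start is not double-counted
        active[id] = 1; n++
        if (n > peak) peak = n
      }
    }
    /Acct-Status-Type=Stop/ {
      id = sid()
      if (id in active) { delete active[id]; n-- }   # Stop without Start is ignored
    }
    END { printf "active=%d peak=%d\n", n, peak }
  '
}

# Constructed sample: four endpoints, one Interim-Update, one stray Stop, one duplicate Start.
ISE_ACCT_SAMPLE='2022-08-10T09:00:01 Acct-Status-Type=Start Acct-Session-Id=0A01 User-Name=host/pc1
2022-08-10T09:00:05 Acct-Status-Type=Start Acct-Session-Id=0A02 User-Name=printer-7
2022-08-10T09:00:09 Acct-Status-Type=Interim-Update Acct-Session-Id=0A01 User-Name=host/pc1
2022-08-10T09:01:00 Acct-Status-Type=Start Acct-Session-Id=0A03 User-Name=phone-3
2022-08-10T09:02:00 Acct-Status-Type=Stop Acct-Session-Id=0A02 User-Name=printer-7
2022-08-10T09:03:00 Acct-Status-Type=Start Acct-Session-Id=0A04 User-Name=cam-12
2022-08-10T09:03:30 Acct-Status-Type=Stop Acct-Session-Id=0A09 User-Name=unknown
2022-08-10T09:04:00 Acct-Status-Type=Start Acct-Session-Id=0A01 User-Name=host/pc1
2022-08-10T09:05:00 Acct-Status-Type=Stop Acct-Session-Id=0A01 User-Name=host/pc1'

printf '%s\n' "$ISE_ACCT_SAMPLE" | peak_sessions    # active=2 peak=3
```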
The valid license options are:

ISE Base only: The base license is a perpetual license and is the only requirement for AAA and IEEE 802.1X; it also covers guest services and TrustSec. A base license is consumed for every active device on the network.

Features supported in Cisco ISE Base License

  • Basic RADIUS authentication, authorisation, and accounting, including 802.1x, MAC Authentication Bypass
  • Web authentication (local, central, device registration)
  • MACsec (all)
  • SSO, SAML, ODBC – based authentication
  • Guest portal and sponsor services
  • Representational state transfer (monitoring) APIs
  • External RESTful services (CRUD)-capable APIs
  • Security group tagging (Cisco TrustSec SGT)
  • PassiveID (Cisco Subscribers)

ISE Base and Plus: A Plus license is required for Bring Your Own Device (BYOD), profiling, Adaptive Network Control (ANC) and pxGrid. A base license is required to install the Plus license, and the Plus license is a subscription for 1, 3 or 5 years.

Features supported in Cisco ISE Plus License

  • Passive ID (Non-Cisco Subscribers)
  • Profiling
  • Profiler feed service
  • Device registration (My Devices portal) and provisioning for Bring Your Own Device (BYOD) with built-in Certificate Authority (CA)
  • Context sharing pxGrid
  • Endpoint Protection Services (EPS)
  • TrustSec – ACI Integration
  • Location based integration using CMX/MSE
  • Rapid Threat Containment (RTC) (using ANC and pxGrid)

ISE Base and Apex: The Apex license is like the Plus license in that it is a 1, 3 or 5 year subscription and requires the base license, but it is used for third-party Mobile Device Management and posture compliance.

Features supported in Cisco ISE Apex License

  • Posture (endpoint compliance and remediation)

ISE Base, Plus, and Apex
ISE Base, Plus, Apex and AnyConnect Apex

Note:

What is Trustsec?
The idea of TrustSec is to assign a tag, a Security Group Tag (SGT), to a user's or device's traffic at the ingress point to the network, and then to permit or restrict the traffic at other parts of the network based on this tag.

What is Mac Authentication Bypass?
MAC Authentication Bypass (MAB) is a way to whitelist certain network devices. If you know the MAC address of a device that should get access to your network, you can grant it access purely by its MAC address. This is used for devices that cannot have certificates loaded on them or are hard to profile.

What is Cisco ISE Profiling?
The profiling service allows the Identity Services Engine to profile devices connected to the network and give them an identity based on numerous factors. These devices can then be granted or denied access to the network based on the security policies. A typical network deployment starts by putting ISE into monitor mode. In monitor mode no enforcement takes place, but the ISE administrator can start to see what devices are connecting to the network and what identity each has been given.
During this phase, a lot of devices are normally discovered that the network administrator did not even know were connected to the network.
