1. Introduction
, , ( ). , RADIUS, TACACS+ DIAMETER. , : BYOD , , .
NAC (Network Access Control) - . , Cisco ISE (Identity Services Engine) - NAC , , , .
, Cisco ISE :
WLAN;
BYOD (, , );
SGT ( TrustSec);
(posturing);
;
;
logon/logoff , (identity) NGFW user-based ;
.
Cisco ISE , : Cisco ISE, Cisco ISE.
2.
Identity Services Engine 4 (): (Policy Administration Node), (Policy Service Node), (Monitoring Node) PxGrid (PxGrid Node). Cisco ISE (standalone) (distributed) . Standalone (Secure Network Servers - SNS), Distributed - .
Policy Administration Node (PAN) - , Cisco ISE. , . ( ) PAN - Active/Standby .
Policy Service Node (PSN) - , , , , . PSN . , PSN , , . , , .
Monitoring Node (MnT) - , , . MnT , , . Cisco ISE MnT , - Active/Standby . , , , .
PxGrid Node (PXG) - , PxGrid , PxGrid.
PxGrid - , - - : , , . Cisco PxGrid API, TrustSec (SGT ), ANC (Adaptive Network Control) , - , , .
PxGrid PAN. , PAN , PxGrid , .
Cisco ISE .
3.
Cisco ISE , .
Cisco ISE SNS (Secure Network Server). : SNS-3615, SNS-3655 SNS-3695 , . 1 SNS.
1. SNS
| SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
Standalone | 10000 | 25000 | 50000 |
PSN | 10000 | 25000 | 100000 |
CPU (Intel Xeon 2.10 ) | 8 | 12 | 12 |
RAM | 32 (2 x 16 ) | 96 (6 x 16 ) | 256 (16 x 16 ) |
HDD | 1 600 | 4 600 | 8 600 |
Hardware RAID | RAID 10, RAID | RAID 10, RAID | |
| 2 10Gbase-T 4 1Gbase-T | 2 10Gbase-T 4 1Gbase-T | 2 10Gbase-T 4 1Gbase-T |
, VMware ESXi ( VMware 11 ESXi 6.0), Microsoft Hyper-V Linux KVM (RHEL 7.0). , , . , : 2 CPU 2.0 , 16 RAM 200 HDD.
4.
Cisco, ISE :
dcloud – ( Cisco);
GVE request – Cisco ( ). : Product type [ISE], ISE Software [ise-2.7.0.356.SPA.x86_64], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x86_64];
1) , ISO , OVA , , ISE . "setup"!
: ISE OVA , admin / MyIseYPass2 ( ).
2) , IP-, DNS, NTP .
3) , - IP-.
4) Administration > System > Deployment , () . PxGrid .
5) Administration > System > Admin Access > Authentication , ( ), .
6) Administration > System > Admin Access > Administrators > Admin Users > Add .
7) . Admin Groups. 2 ISE, .
2. Cisco ISE, ,
| ||
Customization Admin | , , | , |
Helpdesk Admin | , , | , , |
Identity Admin | , , , | , |
MnT Admin | , , , |
|
Network Device Admin | , ISE, , , | , |
Policy Admin | , , , | , ISE |
RBAC Admin | Operations, ANC , | ANC , |
Super Admin | , , | , Super Admin |
System Admin | Operations, , ANC, | ANC , |
External RESTful Services (ERS) Admin | REST API Cisco ISE | , , (SG) |
External RESTful Services (ERS) Operator | REST API Cisco ISE | , , (SG) |
8) Authorization > Permissions > RBAC Policy .
9) Administration > System > Settings (DNS, NTP, SMTP ). , .
5.
. NAC Cisco ISE, , , .
, Microsoft Active Directory, .