ISE basic installation and configuration. Part 1

Ok since I have to do some activity on ISE I think would be nice to write a little journal that can be also used as a quick guideline.

ISE is the acronym for Identity Service Engine, an identity policy manager released by cisco, now in version 1.1 available also on cisco cco website.

It comes in different format, as appliances or as virtual machine on VMware, as well as as upgrade to other cisco engine.

I will not look at the other release I will play a bit with the appliance.

The Software Upgrade

First of all I have had to upgrade it to the latest release (1.1)

to do so you need an mastered ISO image of the software to put inside the ISE DVD reader. as simple as at, turn on the appliance and let the fun begin.

to connect to the appliance you have to use a serial connection (usual 8N1), of course since the serial port is not more available on most of our laptop (nor in mine) you will need an use-serial adapter.

Second advise, if you have a standard cisco serial cable you also need an adapter since the serial interface on ISE is the standard 9 pin interface.

so take a look at the front of the appliance:

here you can find:

1 Front USB port 1

2 Front USB port 2

3 Hard disk drive (HDD) bay 0

4 HDD bay 1

5 CD-ROM/DVD drive

It should not be hard for you to find the dvd bay where put the mastered dvd isn’t it?

Talking about led references is not the issue here but yes there are also some led blinking

On the rear panel we find:

1 AC Power supply cable socket

2 NIC 3 (eth2) add-on card

3 NIC 4 (eth3) add-on card

4 Serial port

5 Video port

6 NIC 2 (eth1) Gigabit Ethernet interface

7 NIC 1 (eth0) Gigabit Ethernet interface

8 Rear USB port 4

9 Rear USB port 3

so I used my serial connection and putty instead of monitor and keyboard, just because it would be easier .

After you installed the correct release the system will shut down and turn on again, please remember to remove the dvd otherwise you will start again the cycle of installation.

NOTE: I made a scratch installation of the appliance, and not the upgrade one. if you have an ISE with rules and other stuffs on would be better to run the upgrade iso dvd also available on cisco CCO website.

The First installation:

Now we can run the CLI wizard in order to make the first installation:

the data required will be

Hostname Must be not exceed 19 characters. Valid characters include
alphanumeric (A-Z, a-z, 0-9), hyphen (-), with a requirement that the
first character must be an alphabetic character.

(eth0) Ethernet interface address Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.

Netmask Must be a valid IPv4 netmask.

Default gateway Must be a valid IPv4 address for the default gateway.

DNS domain name Cannot be an IP address. Valid characters include ASCII characters,
any numbers, hyphen (-), and period (.).

Primary name server Must be a valid IPv4 address for the primary name server.

Add/Edit another name server Must be a valid IPv4 address for an additional name server. (Optional) Allows you to configure multiple Name servers. To do so, enter y to continue.

Primary NTP server Must be a valid IPv4 address or hostname of an NTP server. (example:clock.nist.gov)

Add/Edit another NTP server Must be a valid NTP domain. (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

System Time Zone Must be a valid time zone. For details, see Cisco Identity Services
Engine CLI Reference Guide, Release 1.0.4, which provides a list of time zones that Cisco ISE supports. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones.

Note: Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.

Username Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be from 3 to 8 characters in length, and be composed of valid alphanumeric
characters (A-Z, a-z, or 0-9).

Password Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9).

Database Administrator Password Identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also include underscore (_) and pound (#) keys.

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them by using the same entry. After you configure this password, Cisco ISE uses it “internally”; that is, you do not have to enter it when logging into the system.

Database User Password Identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also includes underscore (_) and pound (#) keys.

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them using the same entry. After you configure this password, Cisco ISE
uses it “internally”; that is, you do not have to enter it when logging into the system.

 

The wizard will perform the required operations creating the database and the needed object. Some reboot are needed so be patient.

At the end you should be able to see something like a prompt requiring your username and password.

I use always user admin (lazy one ) . just to check if everything goes smoothly check ISE status with:

ise-server/admin# show application status ise

you should see something like:

ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#

next post will cover the User interface and go through the rest of the installation process…

NOTE: do not forget that for the installation you need a (better if) gigabit switch port (no trunk or whatsoever) and an IP able to access the internet and reach dns and ntp otherwise you will fail the installation

Related articles

• ISE basic installation and configuration. Part 1 (aitechupdate.wordpress.com)
• ISE basic installation and configuration. Part 2 (aitechupdate.wordpress.com)
• Network Time Protocol daemon (wiki.archlinux.org)
• Time Settings on Cisco Devices using NTP (learnnetworkingwithme.wordpress.com)
• Demystifying Time in your Domain (robsilver.org)
• How to setup NTP on Windows Server 2008 (michaeljlynch.wordpress.com)
• quick review of NTP, DHCP, Syslog (ccarunas.wordpress.com)
• Setting up NTP on Server 2008 (skavenger0.wordpress.com)
• A New Slim 1U Rackmount Dual Time Server from Galleon Systems (prweb.com)
• What has two cable modems and a GPS receiver? (rachelbythebay.com)

ISE basic installation and configuration. Part 1

Ok since I have to do some activity on ISE I think would be nice to write a little journal that can be also used as a quick guideline.

ISE is the acronym for Identity Service Engine, an identity policy manager released by cisco, now in version 1.1 available also on cisco cco website.

It comes in different format, as appliances or as virtual machine on VMware, as well as as upgrade to other cisco engine.

I will not look at the other release I will play a bit with the appliance.

The Software Upgrade

First of all I have had to upgrade it to the latest release (1.1)

to do so you need an mastered ISO image of the software to put inside the ISE DVD reader. as simple as at, turn on the appliance and let the fun begin.

to connect to the appliance you have to use a serial connection (usual 8N1), of course since the serial port is not more available on most of our laptop (nor in mine) you will need an use-serial adapter.

Second advise, if you have a standard cisco serial cable you also need an adapter since the serial interface on ISE is the standard 9 pin interface.

so take a look at the front of the appliance:

here you can find:

1 Front USB port 1

2 Front USB port 2

3 Hard disk drive (HDD) bay 0

4 HDD bay 1

5 CD-ROM/DVD drive

It should not be hard for you to find the dvd bay where put the mastered dvd isn’t it?

Talking about led references is not the issue here but yes there are also some led blinking

On the rear panel we find:

1 AC Power supply cable socket

2 NIC 3 (eth2) add-on card

3 NIC 4 (eth3) add-on card

4 Serial port

5 Video port

6 NIC 2 (eth1) Gigabit Ethernet interface

7 NIC 1 (eth0) Gigabit Ethernet interface

8 Rear USB port 4

9 Rear USB port 3

so I used my serial connection and putty instead of monitor and keyboard, just because it would be easier .

After you installed the correct release the system will shut down and turn on again, please remember to remove the dvd otherwise you will start again the cycle of installation.

NOTE: I made a scratch installation of the appliance, and not the upgrade one. if you have an ISE with rules and other stuffs on would be better to run the upgrade iso dvd also available on cisco CCO website.

The First installation:

Now we can run the CLI wizard in order to make the first installation:

the data required will be

Hostname Must be not exceed 19 characters. Valid characters include
alphanumeric (A-Z, a-z, 0-9), hyphen (-), with a requirement that the
first character must be an alphabetic character.

(eth0) Ethernet interface address Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.

Netmask Must be a valid IPv4 netmask.

Default gateway Must be a valid IPv4 address for the default gateway.

DNS domain name Cannot be an IP address. Valid characters include ASCII characters,
any numbers, hyphen (-), and period (.).

Primary name server Must be a valid IPv4 address for the primary name server.

Add/Edit another name server Must be a valid IPv4 address for an additional name server. (Optional) Allows you to configure multiple Name servers. To do so, enter y to continue.

Primary NTP server Must be a valid IPv4 address or hostname of an NTP server. (example:clock.nist.gov)

Add/Edit another NTP server Must be a valid NTP domain. (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

System Time Zone Must be a valid time zone. For details, see Cisco Identity Services
Engine CLI Reference Guide, Release 1.0.4, which provides a list of time zones that Cisco ISE supports. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones.

Note: Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.

Username Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be from 3 to 8 characters in length, and be composed of valid alphanumeric
characters (A-Z, a-z, or 0-9).

Password Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9).

Database Administrator Password Identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also include underscore (_) and pound (#) keys.

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them by using the same entry. After you configure this password, Cisco ISE uses it “internally”; that is, you do not have to enter it when logging into the system.

Database User Password Identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also includes underscore (_) and pound (#) keys.

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them using the same entry. After you configure this password, Cisco ISE
uses it “internally”; that is, you do not have to enter it when logging into the system.

 

The wizard will perform the required operations creating the database and the needed object. Some reboot are needed so be patient.

At the end you should be able to see something like a prompt requiring your username and password.

I use always user admin (lazy one ) . just to check if everything goes smoothly check ISE status with:

ise-server/admin# show application status ise

you should see something like:

ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#

next post will cover the User interface and go through the rest of the installation process…

NOTE: do not forget that for the installation you need a (better if) gigabit switch port (no trunk or whatsoever) and an IP able to access the internet and reach dns and ntp otherwise you will fail the installation

Related articles

• ISE basic installation and configuration. Part 1 (aitechupdate.wordpress.com)
• ISE basic installation and configuration. Part 2 (aitechupdate.wordpress.com)
• Network Time Protocol daemon (wiki.archlinux.org)
• Time Settings on Cisco Devices using NTP (learnnetworkingwithme.wordpress.com)
• Demystifying Time in your Domain (robsilver.org)
• How to setup NTP on Windows Server 2008 (michaeljlynch.wordpress.com)
• quick review of NTP, DHCP, Syslog (ccarunas.wordpress.com)
• Setting up NTP on Server 2008 (skavenger0.wordpress.com)
• A New Slim 1U Rackmount Dual Time Server from Galleon Systems (prweb.com)
• What has two cable modems and a GPS receiver? (rachelbythebay.com)

Surviving Tips:Performance e DNS

Tra le cose piu spesso trascurate per quello che riguarda security e prestazioni, vi e’ sempre la struttura DNS.

I DNS sono un elemento fondamentale per garantire prestazioni sia per quello che concerne il trasferimento delle mail sia per quello che concerne la navigazione Web.

Anche utilizzando un SMTP Gateway o un Proxy non si puo’ prescidere dalle performance di un buon servizio di DNS. Paradossalmente poi in caso di uso di proxy un pessimo DNS puo’ dare origine ad una serie disparata di errori che, nei fatti, renderebbero la navigazione piu problematica e la use experience piu dura rispetto alla navigazione senza proxy.

Cerchiamo di capire a cosa serve e perche’ il servizio DNS e’ cosi importante, e come questo si integra nei servizi IronPort.

Come tutti sappiamo il servizio DNS (Domani Name System) serve per tradurre un nome nel relativo indirizzo IP.

da Wikipedia:

Domain Name System (spesso indicato con DNS) è un servizio utilizzato per la risoluzione di nomi di host in indirizzi IP e viceversa. Il servizio è realizzato tramite un database distribuito, costituito dai server DNS.

Il nome DNS denota anche il protocollo che regola il funzionamento del servizio, i programmi che lo implementano, i server su cui questi girano, l’insieme di questi server che cooperano per fornire il servizio.

I nomi DNS, o “nomi di dominio”, sono una delle caratteristiche più visibili diInternet.

C’è confusione in merito alla definizione dell’acronimo: la S spesso viene interpretata come service, ma la definizione corretta è system.

L’operazione di convertire un nome in un indirizzo è detta risoluzione DNS, convertire un indirizzo IP in nome è detto risoluzione inversa.

la struttura dei domini e’ ad albero, si parte dalla root (.) per poi creare DNS autoritativi sulle classiche zone .com, .net, .tv, .tel etc etc etc.

Vi rimando a Wikipedia per approfondire la questione. e per riferimento potete usare i seguenti link:

• DNS Security Extensions (DNSSEC)
• root-servers.org
• RFC 882
• RFC 883
• RFC 1034
• RFC 1035

 

Quando si crea un dominio si deve installare un DNS server che sia autoritativo per il proprio dominio, questa operazione viene fatta o in casa o dal providr che offre connettivita’.

Il DNS vienie quindi usato per offrire la risoluzione di nomi Host in IP, il problema e’ che tale risoluzione non e’ detto che sia veloce. tutti hanno sperimentato quanto possa durare la propagazione di un nome su internet (2448 ore) e tutti hanno sicuramente provato la lentezza derivante ad una cattiva risoluzione DNS, anche se spesso si attribuisce la lentezza di servizi e browsing a cause diverse.

Le soluzioni IronPort (ma non solo) usano pesantemente i servizi DNS in quanto questi sono essenziali per la corretta delivery dei servizi di Email e Web Browsing, inoltre il protocollo DNS viene utilizzato anche per interrogare Senderbase, lo scopo e’ quello di utilizzare un protocollo veloce, leggero, con una struttura ridondata.

Purtroppo la tendenza riguardo i DNS in italia e’ spesso quella di trascurarne l’importanza e la sicurezza, e questo si traduce nella cattiva abitudine di utilizzare il DNS come servizio secondario su macchine non sufficientemente performanti o, peggio, fare riferimento a DNS generici offerti piu o meno pubbicamente dai providers.

Questa cattiva abitudine porta spesso, come conseguenza, ad avere un calo sensibile di performance che viene, erroneamente, attribuita alle cause piu disparate.

Il problema

Sebbene sia necessario consentire la risoluzione pubblica ai domini su cui si ha autorita’ questo non significa necessariamente che dobbiamo porre in DMZ il nostro DNS principale.

Esistono diverse tecnologie che ci consentono di esporre solo la porzione di zona che siamo vincolati (o ci serve) esporre, tipicamente si espone su un DNS apposito in DMZ la porzione di zona interessata, che verra’ utilizzata su internet per poter permettere la risoluzione degli host esposti.

il problema nasce dal fatto che oltre ad esporre contenuti (la risoluzione degli host dei domini di cui si ha autorita’) il servizio DNS viene utilizzato anche da sorgenti interne ed in DMZ che richiedono o possono richiedere:

1) la risoluzione di host in domini pubblici non gestiti da voi

2) la risoluzione di host in domni privati che on e’ il caso di esporre pubblicamente (si pensi, ad esempio, alle esigenze di Active Directory).

Come gestire questa cosa?

Buona norma implementativa, sia che abbiate o meno un DNS autoritativo pubblico, e’ quella di mettere in DMZ un sistema ridondato di DNS Cache Only.

A questi DNS potrebbero puntare sia le macchine in DMZ che, eventualmente, le macchine interne che cercando di fare risoluzione.

Questo semplice accorgimento consente di effettuare una ottimizzazione sensibile in termini di latenze prestazionali legate ai DNS worldwide.

Innanzi tutto un chache only e’ molto facile da gestire, un minimo di hardening e’ ovviamente consigliabile, ma la cosa interessante e’ che, se si sfruttano anche meccanismi di virtualizzazione, la messa i opera in caso di problemi di tale oggetto e’ estremamente rapida.

L’uso di un cache only in DMZ vi consente, inoltre, di abbassare il rischio di DNS poisoning, infatti risulta ovvio che tale DNS e’ meno esposto sia di un autoritativo che di un DNS di un provider.

Un altro vantaggio di un DNS in casa di tipo cache only e’ anche legato al fatto che in cache potete mettere solo quello che effettivamente vi interessa, gestendo opportunamente TTL potete quindi ottimizzare pesantemente le risposte.

Sempre in termini di vantaggi vi e’ anche un evidente guadagno in termini di velocita’ di risposta alle query dovuto alla vicinanza del DNS cache server ai vostri client. Il vantaggio si sente, ovviamente, sia in termni di performance sulla DMZ che in termini di performance sulla LAN interna.

Il Dilemma di Active Directory e dei domini .local

Una delle osservazioni piu comuni cui vado incontro e’ legata alla considerazione che in ambiente AD esiste gia’ (ed e’ obbligatorio) un servizio DNS.

Active Directory, infatti, demanda alla risoluzione DNS la risoluzione dei nomi HOST e dei servizi, e quindi e’ un requisito fondamentale per la sua installazione. Ovviamente Microsoft offre un DNS integrato alla sua soluzione che serve a coprire egregiamente questa esigenza, offrendo anche, oltre alla integrazione in AD, il supporto dinamico di registrazione dei nomi e la capacita’ di rispondere a chiamate DNS standard.

Il risultato e’ che spesso ci si trova di fronte a realta’ in cui il dominio AD ha una estensione pubblica (.COM, .IT….)

Va da se che questa e’ una situazione poco gradevole in termni di security, in quanto nel caso, ad esempio, si forzi la sicurezza del DNS autoritativo si viene a conoscere l’intero indirizzamento delle macchine in AD. Non parliamo poi della sua diretta esposizione in DMZ (magari anche come global catalog….)

Una situazione piu prudente e’ quella di demandare al DNS interno di AD la gestione di un dominio non pubblico (.LOCAL, .BOH, .FATEVOI) e quindi non esporre semplicemente tale zona alla risoluzione su internet.

Nel caso le macchine interne debbano risolvere sia domini esterni che domini inetrni si pone allor ail problema di come configurare la cosa.

Dal punto di vista Ironpor il supporto dello split dns risolve il problema in maniera semplice ed efficace.

La idea di base e’ quella di puntare, per la risoluzione di un dominio pubblico generico, ad un DNS pubblico (o direttamente ai Root Server, in questo caso i Gateway Ironport si comportano come DNS chache only server, che pero’ accettano solo se stessi come client DNS), e per i domini privati a DNS opportunamente configurati per accettar query solo da un numero definito di macchine in DMZ (non aprite la porta a chiunque, MAI).

Nel caso abbiate soluzioni che non gestiscano lo split dns e’ possibile intervenire con DNS configurati in maniera ibrida (cache, forwarder….) in maniera che la risoluzione interna ed esterna sia possibile per le macchine che lo richiedano.

DNS cache Sempre e dovunque

In realta’ l’uso del DNS cache sarebbe da consigliare sempre e comunque, persino per l’uso domestico. Provate ad installare sulle vostre macchine un DNS service (si trovano free o opensource per qualsiasi piattaforma) e vedete se ci sono differenze rispetto all’appoggiarvi al DNS del vostro provider.

ciao

Antonio

Related articles

• How to install OpenDNS in Windows (or other DNS server services) [Tip]
• DNS Tunnelling
• Monitoring Home Web Traffic With A Local DNS Proxy
• Resolving an IP address from DNS in C#