Cisco Identity Services Engine (ISE)

This section covers Cisco Identity Services Engine (ISE) and Dynamic Access Policies (DAP) in the context of network access control, particularly as they relate to the ASA LDAP authentication and group policy implementation discussed earlier. I’ll explain what Cisco ISE is and how it can enhance the setup, and what DAP is and how it can be explored as an alternative or complementary approach to LDAP attribute mapping on a Cisco ASA. I’ll also provide a critical perspective on their use in real-world scenarios, building on the TechCorp case study.


What is Cisco ISE?

Overview

Cisco Identity Services Engine (ISE) is a comprehensive network access control (NAC) and identity management platform that provides centralized policy enforcement for wired, wireless, and VPN connections. It’s designed to secure enterprise networks by authenticating and authorizing users and devices, ensuring they comply with security policies before granting access. ISE integrates with various identity sources (like Active Directory) and network devices (like Cisco ASA, switches, and wireless controllers) to enforce granular access policies.

Key Features of Cisco ISE

  1. Authentication and Authorization:
  • Supports multiple protocols: RADIUS, TACACS+, LDAP, SAML, and more.
  • Authenticates users against AD, LDAP, or internal databases, and authorizes access based on roles, groups, or device attributes.
  2. Posture Assessment:
  • Checks device compliance (e.g., antivirus installed, OS updates applied) before granting access, and can reassess periodically while the session is up.
  • Can quarantine non-compliant devices or redirect them to a remediation portal.
  3. Profiling:
  • Identifies and classifies devices on the network (e.g., laptops, IoT devices) using attributes like MAC address OUI, DHCP fingerprinting, or HTTP User-Agent headers.
  4. Guest Access:
  • Provides a self-service portal for guest users, with customizable access policies (e.g., time-limited access).
  5. Policy Enforcement:
  • Enforces policies via downloadable Access Control Lists (dACLs), VLAN assignment, or Security Group Tags (SGTs) in a Cisco TrustSec environment.
  6. Integration with Cisco ASA:
  • Acts as a RADIUS server for ASA VPN authentication and authorization, returning the group policy (and optionally a dACL) in the Access-Accept, which allows more advanced policy enforcement than LDAP alone.

How Cisco ISE Enhances the TechCorp Scenario

In the TechCorp case study, the ASA uses LDAP to authenticate VPN users against AD and assign group policies based on group membership (VPN_Employees or VPN_Contractors). While this works, it has limitations: the LDAP attribute map reads the user’s memberOf attribute, which lists only direct memberships, so nested groups are never seen, and the mapping itself is a flat group-to-policy lookup. Cisco ISE can enhance this setup by acting as a RADIUS server between the ASA and AD, providing more granular control and additional security features.
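The nested-group limitation is easy to state and easy to get wrong in a policy review, so here is a small model of it. This is an added example, not code from the page or from Cisco: a constructed TechCorp directory in which IT_Staff (an assumed group) is nested inside VPN_Employees, evaluated once the way the ASA’s memberOf-based attribute map sees it and once with the recursive membership resolution that ISE performs. The user and group DNs are assumptions.

```python
"""Added example (not from the page or from Cisco): why a memberOf-based LDAP
attribute map misses nested groups, and what a recursive lookup sees instead.
The directory is constructed for the TechCorp case; DNs, users and the
IT_Staff group are assumptions."""

BASE = "OU=Groups,DC=techcorp,DC=local"
VPN_EMPLOYEES = f"CN=VPN_Employees,{BASE}"
VPN_CONTRACTORS = f"CN=VPN_Contractors,{BASE}"
IT_STAFF = f"CN=IT_Staff,{BASE}"          # nested inside VPN_Employees (assumed)

# memberOf as AD returns it: only DIRECT memberships, for users and for groups.
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=techcorp,DC=local":   {"memberOf": [VPN_EMPLOYEES]},
    "CN=jsmith,OU=Users,DC=techcorp,DC=local": {"memberOf": [IT_STAFF]},
    "CN=jblack,OU=Users,DC=techcorp,DC=local": {"memberOf": [VPN_CONTRACTORS]},
    IT_STAFF:        {"memberOf": [VPN_EMPLOYEES]},
    VPN_EMPLOYEES:   {"memberOf": []},
    VPN_CONTRACTORS: {"memberOf": []},
}

# Ordered like an ASA ldap attribute-map: the first group with a mapping wins.
GROUP_POLICY_MAP = [
    (VPN_EMPLOYEES, "Employee_Policy"),
    (VPN_CONTRACTORS, "Contractor_Policy"),
]
DEFAULT_GROUP_POLICY = "NoAccess"   # the tunnel-group default-group-policy


def direct_groups(dn):
    """What the ASA's LDAP attribute map sees: the memberOf values on the object."""
    return set(DIRECTORY.get(dn, {}).get("memberOf", []))


def effective_groups(dn):
    """Transitive closure over memberOf: what ISE resolves, and what one AD query
    with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) returns.
    The visited set guards against circular group nesting."""
    seen, todo = set(), list(direct_groups(dn))
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(direct_groups(group))
    return seen


def assign_group_policy(groups):
    for group_dn, policy in GROUP_POLICY_MAP:
        if group_dn in groups:
            return policy
    return DEFAULT_GROUP_POLICY


def asa_ldap_mapping(dn):
    """Group policy the ASA LDAP attribute map would assign (direct groups only)."""
    return assign_group_policy(direct_groups(dn))


def ise_style_mapping(dn):
    """Group policy an ISE rule on 'member of VPN_Employees' would assign."""
    return assign_group_policy(effective_groups(dn))


if __name__ == "__main__":
    for user in ("jdoe", "jsmith", "jblack"):
        dn = f"CN={user},OU=Users,DC=techcorp,DC=local"
        print(f"{user:8s} ASA/LDAP: {asa_ldap_mapping(dn):18s} ISE: {ise_style_mapping(dn)}")
```

The point to take from it: jsmith, who is only in IT_Staff, silently lands in NoAccess on the ASA, and the LDAP server never reports an error, because from AD’s point of view the query succeeded. That failure is closed rather than open here only because the tunnel group’s default is NoAccess; with a permissive default the same blind spot would hand out the wrong policy instead.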

  1. Setup with Cisco ISE:
  • ISE Configuration:
    • Add the ASA as a Network Access Device (NAD) in ISE under Administration > Network Devices, with the same RADIUS shared secret you configure on the ASA.
    • Join ISE to AD (Administration > Identity Management > External Identity Sources > Active Directory) and retrieve the AD groups (VPN_Employees, VPN_Contractors) you want available in policy.
    • Create an authentication policy that sends VPN requests to AD (for example, match Radius:NAS-Port-Type = Virtual, which the ASA sets for remote access VPN, and use the AD identity source).
    • Create authorization policies:
      • Rule 1: If the user is in VPN_Employees, return an authorization profile that sets the group policy to Employee_Policy.
      • Rule 2: If the user is in VPN_Contractors, return an authorization profile that sets the group policy to Contractor_Policy.
      • Default Rule: Deny access.
    • The group policy travels in the Access-Accept either as the IETF Class attribute with the value OU=Employee_Policy; or as the Cisco ASA vendor-specific attribute Group-Policy (vendor ID 3076, attribute 25); the ASA honors both.
  • ASA Configuration:
    • Replace the LDAP server group with a RADIUS server group pointing to ISE (the key below is a placeholder; use a long random secret in production):
      aaa-server ISE_RADIUS protocol radius
      aaa-server ISE_RADIUS (inside) host 192.168.1.20
       key SharedSecret123!
      tunnel-group VPN_Tunnel general-attributes
       authentication-server-group ISE_RADIUS
       default-group-policy NoAccess
    • The ASA applies the group policy named in the RADIUS response. A user ISE accepts without returning a group policy falls into the tunnel group’s default-group-policy, so NoAccess stays as the default; a user ISE rejects is not connected at all.
  2. Benefits for TechCorp:
  • Granular Policies: ISE can enforce policies based on more than just group membership. For example, it can check if a user’s device is corporate-owned (via profiling) or compliant (via posture assessment) before granting access.
  • Nested Group Support: The ASA’s LDAP map reads the user’s memberOf attribute, which lists only direct memberships; ISE resolves membership recursively, so TechCorp can nest groups (e.g., IT_Staff inside VPN_Employees) and still match on VPN_Employees.
  • Posture Assessment: ISE can ensure VPN users have up-to-date antivirus software, adding an extra layer of security.
  • Centralized Management: ISE provides a single dashboard to manage policies across all network access methods (VPN, wired, wireless), simplifying administration as TechCorp grows.
  • Scalability: ISE can handle thousands of users and devices, making it suitable for future expansion.
  3. Challenges:
  • Complexity: ISE is more complex to set up than LDAP on the ASA, requiring additional infrastructure (e.g., an ISE server or VM) and expertise.
  • Cost: ISE licensing is per endpoint and tiered (Essentials, Advantage, Premier in current releases); posture assessment sits in the top tier, so the feature that most justifies ISE here is also the most expensive one.
  • Performance and Availability: ISE adds a hop (ASA → ISE → AD). The added latency is small; the bigger issue is a new single point of failure. TechCorp would need to size the ISE VM to Cisco’s published minimums (which are well above what a 500-user load suggests) and ideally deploy two Policy Service Nodes so the ASA has a second RADIUS host to fail over to.
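To make the RADIUS side of this concrete, and to give a way to check what ISE actually returns when a `debug radius` or packet capture is in hand, here is an added example that is not code from the page or from Cisco. It builds the Access-Accept ISE would send for an employee and decodes it the way the ASA has to: verify the Response Authenticator against the shared secret, then pull the group policy from either the IETF Class attribute (`OU=<name>;`) or the Cisco ASA vendor-specific attribute Group-Policy (vendor 3076, type 25). The identifier, request authenticator and shared secret are constructed locally; the preference for the VSA over Class when both are present is this example’s choice, not documented ASA precedence.

```python
"""Added example (not from the page, not Cisco code): build and decode the
RADIUS Access-Accept that carries an ASA group policy, with the RFC 2865
Response Authenticator check that makes the shared secret matter."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS = 25            # IETF RADIUS attribute 25, Class
ATTR_VSA = 26              # IETF RADIUS attribute 26, Vendor-Specific
CISCO_ASA_VENDOR = 3076    # vendor ID used by the ASA VPN attributes
ASA_VSA_GROUP_POLICY = 25  # Cisco ASA VSA "Group-Policy"


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (incl. header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_asa_vsa(vsa_type, value):
    """Vendor-Specific (26) wrapping vendor-id 3076 plus one vendor attribute."""
    return avp(ATTR_VSA, struct.pack("!I", CISCO_ASA_VENDOR) + avp(vsa_type, value))


def build_access_accept(identifier, request_auth, secret, attrs):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(data):
    """Walk a TLV attribute list, refusing lengths that run past the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def verify_response(packet, request_auth, secret):
    """True only if the reply was produced with our shared secret for our request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def _policy_name(raw):
    """'OU=Employee_Policy;' -> 'Employee_Policy'; bare names pass through."""
    text = raw.decode("utf-8", errors="replace").strip().rstrip(";")
    return text[3:] if text.upper().startswith("OU=") else text


def group_policy_from_accept(packet, request_auth, secret):
    """Group policy the ASA would apply, or None if the Accept names none
    (the tunnel-group default-group-policy then applies)."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    if packet[0] != ACCESS_ACCEPT:
        return None
    from_class = None
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == ATTR_VSA and len(value) >= 6 and \
                struct.unpack("!I", value[:4])[0] == CISCO_ASA_VENDOR:
            for vsa_type, vsa_value in parse_attributes(value[4:]):
                if vsa_type == ASA_VSA_GROUP_POLICY:
                    return _policy_name(vsa_value)   # explicit form; preferred here
        elif attr_type == ATTR_CLASS and from_class is None and value.upper().startswith(b"OU="):
            from_class = _policy_name(value)          # Class counts only in OU=<name>; form
    return from_class


if __name__ == "__main__":
    secret = b"SharedSecret123!"    # the aaa-server key from the config above (placeholder)
    req_auth = os.urandom(16)       # in practice copied from the ASA's Access-Request
    reply = build_access_accept(7, req_auth, secret,
                                [avp(ATTR_CLASS, b"OU=Employee_Policy;")])
    print(group_policy_from_accept(reply, req_auth, secret))
```

Two things worth noticing when reading captures with this: a reply built with a different secret fails `verify_response` and the ASA would likewise discard it, and an Accept with no OU= Class and no Group-Policy VSA returns None, which on the ASA means the tunnel group’s default-group-policy (NoAccess in this design), not a failed login.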

What is Dynamic Access Policies (DAP) and How to Explore It?

Overview of DAP

Dynamic Access Policies (DAP) is a feature on Cisco ASA (and Firepower Threat Defense) that provides finer-grained access control for remote access VPN users. Unlike LDAP attribute mapping, which assigns a group policy based solely on AD group membership, DAP evaluates AAA attributes (what the LDAP or RADIUS server returned) and endpoint attributes (what HostScan reported about the client) at connection time, selects every DAP record whose criteria hold, and applies the aggregate of those records on top of the group policy. DAP is configured on the ASA and can be used with or without Cisco ISE, making it a flexible alternative for TechCorp.

Key Features of DAP

  1. Multi-Attribute Evaluation:
  • DAP can evaluate AAA attributes (e.g., LDAP memberOf, RADIUS attributes), endpoint attributes collected by HostScan (e.g., OS type and version, presence of a file, process, registry key or certificate, antivirus or personal firewall), and client attributes such as the AnyConnect/Secure Client version and platform.
  2. Dynamic Policy Assignment:
  • Based on the evaluation, DAP can let the session continue with additional restrictions (network ACLs, webvpn settings and other attributes that override the group policy), quarantine it, or terminate it with a message to the user.
  3. Integration with Authentication:
  • DAP runs after authentication and after the group policy has been assigned (by LDAP mapping or RADIUS), so it complements existing setups rather than replacing them; a DAP record does not itself select the group policy.
  4. Granular Control:
  • DAP can enforce complex conditions, such as “Allow access only if the user is in VPN_Employees AND the device is running Windows 11 AND HostScan reports a running antivirus.”

Exploring DAP in the TechCorp Scenario

TechCorp can explore DAP as an alternative or complement to LDAP attribute mapping, especially if they want more control without deploying Cisco ISE.

  1. Enable DAP on the ASA:
  • DAP is configured via the Cisco Adaptive Security Device Manager (ASDM). The selection criteria of a record can only be edited there, so ASDM is the practical tool for DAP; the CLI shows only the resulting actions.
  • In ASDM:
    • Go to Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies.
    • A default record, DfltAccessPolicy, always exists and cannot be deleted; it applies only when no other record matches.
    • For endpoint checks (OS, antivirus, files, processes) enable HostScan on the HostScan image page under Configuration > Remote Access VPN; without it, endpoint attributes are never populated and records that depend on them never match.
  2. Create DAP Policies:
  • Policy for Employees:
    • Name: DAP_Employees.
    • Priority: 10 (used only to order attributes when several records match).
    • Conditions (all must hold):
      • AAA Attribute: LDAP memberOf = CN=VPN_Employees,OU=Groups,DC=techcorp,DC=local.
      • Endpoint Attribute: Operating System is Windows (populated by HostScan).
    • Action: Continue. The session keeps Employee_Policy, already assigned by the LDAP attribute map; if TechCorp wants a tighter ACL for DAP-matched employees, attach it here as a Network ACL.
  • Policy for Contractors:
    • Name: DAP_Contractors.
    • Priority: 5.
    • Conditions (all must hold):
      • AAA Attribute: LDAP memberOf = CN=VPN_Contractors,OU=Groups,DC=techcorp,DC=local.
      • Endpoint Attribute: Operating System is Windows or macOS.
    • Action: Continue. The session keeps Contractor_Policy from the LDAP map.
  • Default Policy:
    • Name: DfltAccessPolicy (the built-in record).
    • Conditions: None; it applies to any session that matched no other record, which here includes a contractor on Linux and an employee whose client delivered no HostScan data.
    • Action: Terminate (denies access).
    • User Message: “Access denied: You are not in an authorized VPN group.”
  • Every record is evaluated and all matching records are selected; if any selected record says Terminate, the session ends regardless of what the others say. Keep that in mind before adding a broad Terminate record.
  3. CLI Configuration (Alternative to ASDM):
    Only the result side of a DAP record lives in the running configuration; the selection criteria (memberOf, OS) are written by ASDM to dap.xml on flash and cannot be entered from the CLI. After building the policies above in ASDM, the running configuration shows:
   dynamic-access-policy-record DfltAccessPolicy
    action terminate
    user-message "Access denied: You are not in an authorized VPN group."

   dynamic-access-policy-record DAP_Employees
    action continue
    priority 10

   dynamic-access-policy-record DAP_Contractors
    action continue
    priority 5
  4. Test DAP Policies:
  • Test with the same users as before (jdoe, jsmith, jblack), and also with a client that has HostScan disabled, to confirm the fallback is the terminate record rather than an unrestricted session.
  • Use the ASA’s DAP debug commands to verify:
    debug dap trace
    debug dap errors
    The trace prints the attributes DAP received for the session (e.g., aaa.ldap.memberOf and endpoint.os.version) followed by the selected records (e.g., “Selected DAPs: DAP_Employees”), which shows both which record matched and why. Turn debugging off afterwards with undebug all.
  • Check the VPN session:
    show vpn-sessiondb detail anyconnect filter name jdoe
    Confirm the expected group policy (Employee_Policy) and the network ACL, if any, are applied.
  5. Enhance DAP with Additional Conditions:
    TechCorp can explore more advanced DAP rules, such as:
  • Time-Based Access: DAP has no time-of-day criterion of its own, but a network ACL attached to the record can reference an ASA time-range, which limits what contractors can reach outside business hours (the session itself still connects; outside the range the ACE is inactive and the ACL’s implicit deny applies):
    time-range Business_Hours
     periodic weekdays 9:00 to 17:00
    access-list CONTRACTOR_HOURS extended permit ip any any time-range Business_Hours
    dynamic-access-policy-record DAP_Contractors
     network-acl CONTRACTOR_HOURS
  • Device Posture: With HostScan enabled, add an Anti-Virus or Personal Firewall endpoint attribute to DAP_Employees so that a machine with no running antivirus falls through to the terminate record.
  • Geo-Restriction: The ASA has no built-in GeoIP database, so denying by country requires an upstream device or feed that does geolocation; DAP alone cannot express it.
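Before trusting the records above in production, it helps to run the selection logic on paper. The following is an added example, not ASA code and not from the page: a small model of how the ASA selects and aggregates DAP records, loaded with the two TechCorp records and the default. Each record is evaluated independently; every record whose criteria all hold is selected; if none is, DfltAccessPolicy applies; a Terminate in any selected record ends the session; otherwise the selected records’ network ACLs are aggregated in priority order. The sessions, ACL names (EMPLOYEE_ACL, CONTRACTOR_ACL) and the OS strings are constructed, and OS matching by prefix is a simplification of HostScan’s reported version.

```python
"""Added example (not from the page, not ASA code): a model of DAP record
selection and aggregation, used to dry-run the TechCorp records including
the two cases that fall through to DfltAccessPolicy."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DapRecord:
    name: str
    action: str = "continue"              # "continue" or "terminate"
    priority: int = 0                     # higher first when aggregating attributes
    member_of: frozenset = frozenset()    # aaa.ldap.memberOf must contain one of these
    os_in: frozenset = frozenset()        # endpoint.os.version must start with one of these
    network_acl: Optional[str] = None     # ACL applied when this record is selected
    user_message: str = ""

    def matches(self, session):
        """All configured criteria must hold (AND). A record with no criteria
        matches every session, exactly like an empty record in ASDM."""
        if self.member_of and not (self.member_of & set(session.get("aaa.ldap.memberOf", []))):
            return False
        # Endpoint attributes exist only when HostScan reported them; an absent
        # attribute never matches, so a client without HostScan cannot select a
        # record that carries an OS check.
        os_name = session.get("endpoint.os.version")
        if self.os_in and not (os_name and any(os_name.startswith(p) for p in self.os_in)):
            return False
        return True


BASE_DN = "OU=Groups,DC=techcorp,DC=local"

DFLT_ACCESS_POLICY = DapRecord(
    "DfltAccessPolicy", action="terminate",
    user_message="Access denied: You are not in an authorized VPN group.")

RECORDS = [
    DapRecord("DAP_Employees", priority=10,
              member_of=frozenset({f"CN=VPN_Employees,{BASE_DN}"}),
              os_in=frozenset({"Windows"}), network_acl="EMPLOYEE_ACL"),
    DapRecord("DAP_Contractors", priority=5,
              member_of=frozenset({f"CN=VPN_Contractors,{BASE_DN}"}),
              os_in=frozenset({"Windows", "Mac OS X"}), network_acl="CONTRACTOR_ACL"),
]


def evaluate(session, records=RECORDS, default=DFLT_ACCESS_POLICY):
    """Return the aggregate DAP decision for one session."""
    selected = [r for r in records if r.matches(session)]
    if not selected:
        selected = [default]                      # default applies only when nothing matched
    if any(r.action == "terminate" for r in selected):
        message = " ".join(r.user_message for r in selected
                           if r.action == "terminate" and r.user_message)
        return {"action": "terminate", "records": [r.name for r in selected],
                "acls": [], "message": message}
    ordered = sorted(selected, key=lambda r: r.priority, reverse=True)
    return {"action": "continue", "records": [r.name for r in ordered],
            "acls": [r.network_acl for r in ordered if r.network_acl], "message": ""}


# Constructed sessions: what DAP would see after authentication.
SAMPLE_SESSIONS = {
    "jdoe (employee, Windows 11)": {
        "aaa.ldap.memberOf": [f"CN=VPN_Employees,{BASE_DN}"],
        "endpoint.os.version": "Windows 11"},
    "jblack (contractor, macOS)": {
        "aaa.ldap.memberOf": [f"CN=VPN_Contractors,{BASE_DN}"],
        "endpoint.os.version": "Mac OS X 14"},
    "contractor on Linux": {
        "aaa.ldap.memberOf": [f"CN=VPN_Contractors,{BASE_DN}"],
        "endpoint.os.version": "Linux"},
    "employee without HostScan": {
        "aaa.ldap.memberOf": [f"CN=VPN_Employees,{BASE_DN}"]},
}

if __name__ == "__main__":
    for label, session in SAMPLE_SESSIONS.items():
        result = evaluate(session)
        print(f"{label:30s} -> {result['action']:9s} {result['records']} {result['acls']}")
```

The two fall-through cases are the ones to watch: the Linux contractor is denied by design, but the employee without HostScan is denied by accident of the OS check, and a help-desk ticket about it will not mention DAP. If that is not the intended outcome, drop the OS criterion from DAP_Employees or add a record for that case rather than loosening the default.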

Benefits of DAP for TechCorp

  • More Granular Control: DAP allows TechCorp to enforce policies based on multiple criteria (e.g., group membership AND device type), which LDAP attribute mapping can’t do.
  • No Additional Infrastructure: Unlike ISE, DAP is a native ASA feature and needs no extra server. Endpoint checks do depend on HostScan, which historically required the higher AnyConnect license tier, so confirm licensing before relying on them.
  • Flexibility: DAP can terminate connections, apply ACLs, or redirect users to a portal, offering more options than static group policy assignment.
  • Complementary to LDAP: TechCorp can keep their LDAP authentication setup and use DAP for additional policy enforcement.

Challenges with DAP

  • Complexity: DAP policies can become complex to manage, especially with many conditions. Because all matching records are aggregated and any Terminate wins, TechCorp must document the records and their priorities carefully to avoid surprises.
  • Performance Impact: Evaluating DAP conditions for each connection adds negligible latency on any current ASA; the real capacity question is the platform’s licensed VPN peer limit, which should be checked against the 500-user population.
  • Limited Posture Assessment: DAP sees only what HostScan reports at connect time (OS, antivirus or firewall presence, files, processes, registry keys). It has no remediation portal, no periodic reassessment during the session, and none of the patch-level or MDM checks ISE offers.

Critical Evaluation: ISE vs. DAP in the TechCorp Scenario

Cisco ISE

  • Strengths:
  • Centralized policy management across all network access methods (VPN, wired, wireless).
  • Advanced features like posture assessment, profiling, and guest access.
  • Full support for nested AD groups and complex authorization rules.
  • Scalable for large enterprises with thousands of users.
  • Weaknesses:
  • High cost: licensing is per endpoint and tiered (Essentials, Advantage, Premier in current releases), with posture assessment in the top tier.
  • Requires additional infrastructure and expertise to deploy.
  • Potential latency due to the extra hop (ASA → ISE → AD).
  • Best For: Organizations like TechCorp that plan to grow significantly or need advanced features (e.g., posture assessment, BYOD support). However, for a 500-user company, the cost and complexity might outweigh the benefits unless they need ISE for other use cases (e.g., wireless authentication).

DAP

  • Strengths:
  • Native to the ASA, requiring no additional infrastructure (endpoint checks need HostScan, which may affect licensing).
  • More flexible than LDAP attribute mapping, allowing multi-attribute policies.
  • Easy to implement for small to medium-sized environments like TechCorp.
  • Can be used alongside LDAP or ISE for layered policy enforcement.
  • Weaknesses:
  • Limited to the ASA’s capabilities: endpoint checks are whatever HostScan reports at connect time, with no remediation or periodic reassessment.
  • Managing complex DAP policies can be error-prone without careful documentation.
  • Doesn’t scale as well as ISE for large, multi-device environments.
  • Best For: TechCorp’s current needs, as it provides sufficient control without the overhead of ISE. It’s a good starting point, and they can transition to ISE later if needed.

Recommendation for TechCorp

Given TechCorp’s size (500 users) and relatively straightforward requirements (group-based VPN access control), DAP is the better immediate choice. It leverages their existing ASA infrastructure, avoids the cost and complexity of ISE, and provides the additional control they need (e.g., OS-based policies). However, if TechCorp anticipates significant growth, needs posture assessment, or wants to manage other access methods (e.g., wireless), investing in Cisco ISE would be a strategic long-term decision. They could start with DAP now and integrate ISE later, using DAP for specific ASA policies and ISE for broader network access control.

Critical Perspective

Both ISE and DAP address limitations of the LDAP attribute mapping approach, but they come with trade-offs. ISE’s cost and complexity can be overkill for smaller organizations, and its reliance on RADIUS introduces a dependency on network stability—if the ISE server goes down, VPN access could be disrupted unless a fallback is configured. DAP, while simpler, lacks the depth of ISE’s features, particularly for device profiling and posture assessment, which are increasingly critical in 2025 as cyber threats evolve (e.g., ensuring devices aren’t compromised before granting access). Additionally, both solutions require careful policy design to avoid unintended access (e.g., overly permissive rules). TechCorp should also consider the broader security landscape—neither ISE nor DAP addresses threats like phishing or malware on user devices, so they should complement this setup with endpoint protection (e.g., Cisco Secure Endpoint) and user training.


Conclusion

Cisco ISE is a powerful NAC platform that enhances the TechCorp scenario by providing centralized, granular policy enforcement, posture assessment, and scalability, but it’s complex and costly. DAP, a native ASA feature, offers a simpler, cost-effective way to achieve more dynamic access control than LDAP attribute mapping, making it a better fit for TechCorp’s current needs. Exploring DAP allows TechCorp to implement multi-attribute policies (e.g., group membership plus OS type) without additional infrastructure, while keeping the door open for ISE in the future.
