
Cisco FirePOWER and ISE Integration



Hi habr! Starting with FirePOWER version 6.0.0.0, FirePOWER can be integrated with Cisco ISE, the corporate server for centralized authentication and authorization. In this article we will briefly look at what the Cisco FirePOWER connection to ISE provides and how this connection is configured.

What is FirePOWER

What is Cisco ISE
This is described in sufficient detail on Habrahabr in Cisco's corporate blog.
There is also a thorough article by a Cisco engineer describing how to use Cisco ISE and the TrustSec architecture.

FirePOWER integration with ISE provides, first of all, a new way to obtain user identity data. Prior to FirePOWER version 6.0.0.0, user authentication was passive. This means that somewhere in the network an agent had to be installed, either on a domain-joined computer or directly on the Active Directory (AD) server. This agent monitors the AD logs for user login/logoff events and passes the matching IP address and user account to FirePOWER. The latest incarnation of this agent, inherited from Sourcefire, is called the Cisco FirePOWER User Agent.
Passive Authentication Agents
Cisco inherited the Sourcefire User Agent, which integrates with the Defense Center management system (FireSIGHT). Incidentally, the current name of the FirePOWER management system is FirePOWER Management Center (abbreviated FMC), and the agent is called the Cisco FirePOWER User Agent.

Prior to this, Cisco had its own agent options: the Cisco Active Directory Agent (AD Agent), managed from the command line, and a later GUI solution, the Context Directory Agent (CDA). These solutions could be used to get Identity Firewall functionality on a Cisco ASA device. That is, on a Cisco ASA it was possible to create access lists based not on IP addresses but on AD accounts. CDA could also be used with the Cisco ASA CX solution (no longer sold, in favor of ASA + FirePOWER), with the Cisco WSA web proxy, and with the Cisco ISE authentication and authorization server.

The advantage of using an agent for user authentication is that the authentication process is completely transparent. In other words, the user experience for the end user does not change at all when authentication is implemented on a network gateway. However, this method has several disadvantages. The obvious one lies in the approach itself: you need to install additional software that must monitor the AD logs around the clock. If for some reason the AD logs are not available, the user will not be authorized on the network device. Incorrect access rights are also possible. For example, if a PC was disconnected from the network at the moment a user logged in, then in theory a new user could obtain the access rights of the previous user of that PC when the PC is connected back to the network some time later.

Another approach is active authentication, which requires no agent but asks users to enter their credentials themselves when prompted. The disadvantage of this method is obvious.

Active FirePOWER authentication was also introduced with the release of version 6.0.0.0.

Using Cisco ISE to identify users on FirePOWER solves the problems inherent in both agent-based passive authentication and active authentication. As its definition implies, Cisco ISE is a centralized system for authenticating and authorizing users when they connect to the network. As soon as a user successfully passes authentication and authorization and gains network access, Cisco ISE holds full information about that user, including the user's IP address and account. This information is all that needs to be passed to FirePOWER, more specifically to the FirePOWER Management Center, which can then map the IP address of a network transaction to a user account and apply the configured access policies.

But the functionality of Cisco ISE is not limited to authenticating and authorizing users on the network. Cisco ISE can profile user devices, i.e. determine which device is connected to a specific port on a specific switch. Device information includes the manufacturer, OS version, device type (mobile/stationary), etc. This information can also be passed to FirePOWER, which makes it possible to configure different access rules for different types of devices, for example stricter restrictions for Android and iOS than for Microsoft workstations. An example of a rule based on device type is shown below:



In addition to profiling, Cisco ISE allows you to implement the Cisco TrustSec architecture. Very briefly, Cisco TrustSec differentiates network access by tags called Security Group Tags (SGT). The tag is an arbitrary number from 1 to 65535 carried inside the Ethernet frame. Accordingly, the devices through which SGT-tagged frames pass must support the TrustSec architecture. Where they do not, the tag information for a network transaction can be transmitted via the Security Group Tag Exchange Protocol (SXP). Upon successful completion of authentication and authorization, the user is assigned a tag that determines their access to network resources. The SGT description, tag assignment, and tag-based access rules (SGT ACLs) are configured in Cisco ISE. Starting with FirePOWER version 6.0.0.0, SGT tags can be used in FirePOWER access policies. An example of a rule with an SGT tag is shown below:



The last ISE attribute that can be used in FirePOWER access policies in version 6.0.0.0 is Location IP. This attribute is the IP address of the network device that authenticated the user through Cisco ISE. Consequently, you can create different access rules for the same user depending on the network device they are connected to (a switch or a WiFi access point; a switch in the head office or a switch in a remote branch; or, for example, a user connecting remotely via AnyConnect).

Before proceeding to the configuration of the FirePOWER connection with Cisco ISE, let's summarize. Integrating FirePOWER and Cisco ISE gives us the following benefits:
  1. There is no need to use the Cisco FirePOWER User Agent to authenticate users, and no need for active authentication. All user authentication and authorization on the network is handled by Cisco ISE.
  2. More accurate user identification on FirePOWER compared to using the Cisco FirePOWER User Agent.
  3. The following Cisco ISE attributes become usable:
    • The results of Cisco ISE profiling can be used in FirePOWER access rules.
    • TrustSec tags (SGT) can be used in FirePOWER access rules.
    • The IP address of the authorizing network device can be used in FirePOWER access rules.


Configuring FirePOWER Communication with Cisco ISE

The configuration below is for FirePOWER Management Center version 6.0.1 and Cisco ISE version 2.0.0.306. As mentioned earlier, Cisco ISE stores detailed information about users authorized on the network. The main task is to pass the necessary information to FirePOWER.

Traditionally, when one system must communicate with another, custom or proprietary APIs (Application Programming Interfaces) are used. Cisco offers its own technology through which various Cisco products interact with each other and with systems from other vendors. The technology is called the Cisco Platform Exchange Grid (pxGrid). It offers a common language for exchanging information between different systems, for example FirePOWER, ISE, WSA, Cyber Threat Defense (CTD), etc.

The core component of pxGrid is Cisco ISE. Other external systems act as clients or agents within pxGrid and subscribe to Cisco ISE to receive or publish information. Once external systems have joined pxGrid by registering with Cisco ISE, they can exchange information with each other using common methods. Registration of external systems with Cisco ISE in pxGrid is done using digital certificates. To use pxGrid on Cisco ISE, a PLUS license is required.

Let's move on to the settings, starting with Cisco ISE.

1. Activate pxGrid Persona on Cisco ISE.

Administration tab -> System -> Deployment.



Choose an ISE server and click on its name. Tick the pxGrid checkbox:



Click Save.

2. Obtain a digital certificate for pxGrid. The pxGrid service requires an extended key usage (EKU) covering both server authentication and client authentication. Therefore, the certificate used for standard ISE tasks (EAP Authentication, Admin portals, User Portals) is not suitable for pxGrid. A separate certificate for pxGrid must be generated and signed by the corporate certificate authority (hereinafter the corporate CA). To do this, go to the Administration -> System -> Certificates tab and select Certificate Signing Requests in the menu on the left:



Click Generate Certificate Signing Request (CSR) and fill in the required fields. An example is shown in the image below:



Click Generate and export the resulting CSR. Now we go to the corporate CA and sign the CSR. I won't go into detail here; I'll just insert screenshots:









The signed certificate has been received. Back in ISE, we bind the certificate to the CSR:





Now ISE has the required certificate for pxGrid:



3. Clients connected via pxGrid can be checked on the Administration -> pxGrid Services tab. Here we enable the “Enable Auto Registration” setting:



ISE is configured. Now let's move on to the pxGrid settings on FirePOWER.

4. Go to the System -> Integration -> Identity Sources tab and select Identity Services Engine as the source of identity information:



5. Fill in the required fields. You must specify the IP address or hostname of the ISE server:



6. Specify the “pxGrid Server CA” and “MNT Server CA” certificates. The corporate CA root certificate can be used for both:



7. Specify the “FMC Server Certificate” certificate and key. This is the certificate the FirePOWER Management Center presents to Cisco ISE when connecting to pxGrid. To obtain it, generate a CSR on FirePOWER, sign it on the corporate CA, and upload the signed certificate to FirePOWER. The key pair and CSR are generated from the FMC command line using the openssl utility:



I used the following parameter string to create a CSR and Private Key:

openssl req -batch -new -newkey rsa:2048 -nodes -keyout fp.key -subj '/C=RU/ST=Moscow/L=Moscow/O=CBS/OU=Computers/emailAddress=uskov@cbs.ru/CN=fmc/CN=cbs/CN=com/CN=ru' -out fp.csr

Next, the CSR needs to be signed by the corporate CA. The procedure is exactly the same as obtaining the pxGrid certificate for ISE. Then import the signed certificate into the FirePOWER Management Center: Objects tab -> Object Management -> PKI -> Internal Certs:
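The certificate step above (generating the FMC CSR and signing it on the corporate CA) together with the EKU requirement from step 2, as an added example that is not code from the article: a shell script that uses a throwaway local CA in place of the corporate CA, signs the CSR once with a server-only template and once with serverAuth plus clientAuth, and checks which result pxGrid would accept. It assumes only the openssl CLI; the names Demo Corp and fmc.demo.example are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: build a pxGrid-style certificate with a
# throwaway CA (a stand-in for the corporate CA) and check that it carries both
# EKUs that pxGrid needs. Assumes the openssl CLI (1.1.1 or later) is installed.
set -eu

WORK="${TMPDIR:-/tmp}/pxgrid-cert-demo"
mkdir -p "$WORK"

# Throwaway "corporate CA", constructed for this demo only.
make_demo_ca() {
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj '/C=XX/O=Demo Corp/CN=Demo Corporate CA' 2>/dev/null
}

# Key pair and CSR for the FMC, the same shape as the article's openssl req line
# (hostname fmc.demo.example is a placeholder).
make_fmc_csr() {
  openssl req -batch -new -newkey rsa:2048 -nodes -keyout "$WORK/fp.key" \
    -subj '/C=XX/O=Demo Corp/CN=fmc.demo.example' -out "$WORK/fp.csr" 2>/dev/null
}

# Sign the CSR with a given extendedKeyUsage list ($1) into cert file ($2).
# A corporate CA template for pxGrid must include serverAuth AND clientAuth.
sign_with_eku() {
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:fmc.demo.example\n' "$1" > "$WORK/ext.cnf"
  openssl x509 -req -days 365 -in "$WORK/fp.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -out "$2" 2>/dev/null
}

# The check to run before importing a cert into ISE or FMC: returns 0 only if
# the certificate's EKU covers both TLS server and TLS client authentication.
has_pxgrid_eku() {
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication'
}

make_demo_ca
make_fmc_csr
sign_with_eku serverAuth            "$WORK/fmc-serveronly.crt"  # like a web-server-only template
sign_with_eku serverAuth,clientAuth "$WORK/fmc-pxgrid.crt"      # what pxGrid needs

for c in fmc-serveronly fmc-pxgrid; do
  if has_pxgrid_eku "$WORK/$c.crt"; then echo "$c: OK for pxGrid"; else echo "$c: NOT suitable for pxGrid"; fi
done
```

The same has_pxgrid_eku check can be pointed at the certificate your corporate CA actually returns before you bind it to the ISE CSR or import it as the FMC Internal Cert.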



Click Add Internal Cert and select the signed certificate and the private key:



The “FMC Server Certificate” certificate and key are ready. Go back to the System -> Integration -> Identity Sources tab, select Identity Services Engine, and specify the “FMC Server Certificate”:



8. In the same menu, click Test. A “Success” window should appear:



9. Do not forget to click Save in the upper right corner:



10. Back in ISE, check the Administration -> pxGrid Services tab. The new pxGrid clients are listed:



Let's verify that the configured solution works. Cisco ISE is configured to authenticate a wired test network segment; Cisco ISE policy settings are outside the scope of this note. Connect a laptop to the wired network; as the supplicant we use Cisco AnyConnect Network Access Manager (NAM):



In the ISE logs, check Radius Livelog (Operations tab -> RADIUS Livelog):



Authentication was successful. Now let's check User Activity for FirePOWER (Analysis tab -> Users -> User Activity):



If you scroll the User Activity output to the right, you can see that the FirePOWER Management Center received additional attributes from ISE: Security Group Tag, Endpoint Profile and Endpoint Location:



This concludes the description of the integration of ISE and FirePOWER. I hope this material will be useful to readers.

If you are interested in this topic, you are welcome to join us: Cisco ISE, Cisco FirePOWER.

Source: https://habr.com/ru/post/304302/
