ISE TME Thomas Howard shows how to use Configuration Management Databases with ISE for authorization rules and profiles.
Topics:
00:00 Intro & Agenda
00:48 ISE User Endpoint Custom Attributes Webinar: • ISE Custom User & Endp...
01:08 Why Custom Attributes?
02:38 ISE Endpoint Custom Attributes
03:14 Configuration Management Databases (CMDBs) and Configuration Items (CIs)
06:16 Cisco IT Device Registration Example
08:25 Poll: What CMDBs do you have that you want to integrate with ISE?
09:31 ServiceNow CMDB JSON Data Example
11:16 ISE 3.2 pxGrid Direct Feature Overview and Controlled Introduction
14:24 Demo: ISE pxGrid Direct in ISE 3.3
15:20 Demo: Create a pxGrid Direct Connector for a CMDB
18:55 Demo: CMDB as an ISE Data Dictionary
20:18 Demo: Context Visibility - pxGrid Direct Endpoints for CMDB CIs
21:28 Demo: ISE Authorization Profiles using CMDB Attributes for iPSK values
22:22 Demo: ISE Authorization Rules using CMDB Attributes
23:52 Demo: IoT MAB authentication of an IoT endpoint in the iPSK CMDB using EAPTest
26:46 Demo: ISE Configuration Change Audit Report for CMDBs
27:23 Demo: Live updates of Context Visibility - pxGrid Direct Endpoints for CMDB_100K
28:33 pxGrid Direct Scale
30:57 Internal vs External Databases Comparison for Custom Attributes
32:20 pxGrid Direct Connector REST API: cs.co/ise-api
32:48 Demo: ISE 3.2 Patch 2 importing 1 million Configuration Items
ISE 3.2 Patch 2 is available at cs.co/ise-software
36:36 Question: What if a MAC address is already added to the Unknown Endpoint Group? It depends on your policy sets and rule order.
37:48 Question: Will we get any alert or alarm if the CMDB did not import correctly? No alarm but it is recorded in the Audit Log.
39:36 Question: How is the attribute conflict handled with multiple CMDBs? Each CMDB is a separate, independent dictionary.
43:03 Question: If we purge the endpoints, should we exclude those from the CMDB? No, there is no exclusion for CMDB.
45:06 Question: Are there any conditions that can be used to only pull certain endpoints into the local CMDB? No, you pull the entire table.
47:34 Question: Do we expect many devices could be deleted in ISE or is it tracking only devices learned from the connector? ISE tracks all devices requesting network access. The CMDB is a reference for correlating known endpoint data.
49:53 Question: Can we search by CMDB fields in LiveLogs? No, not today in LiveLogs or Search.