Transcript for:
ISE Setup and Operations Overview

Hi everyone, I'm Thomas Howard. I'm one of the Identity Services Engine Technical Marketing Engineers here at Cisco, and I'm excited to talk to you about some initial ISE setup and operations. So, lots of different things we're going to cover today. I'm going to try and go through basically what I think everyone should go through, maybe like literally the first hour of setting up your ISE node, trying to go through and get things set up the way you think you might use it. I'm not actually going to do any authentications per se, but just kind of all the settings and things you need to go through, and kind of figure out where things are kept so that you can get it set up operationally and ready to run and actually start doing some authentications and things. So we're going to cover all of these things here today. And before that, I wanted to go over the demo environment that I'm going to be using, because I actually have very, very few slides today. I'm actually going to spend almost the entire time live in a demo, and hopefully things are going to go well for us as we do that. So I'm sitting here at home. I have my home network, and I'm able to access ISE out in our Cisco demo cloud, or dCloud, we call it. And I have access to the virtual wireless controller sitting out in dCloud. It can connect to my access point here in my office. I have the ability to access these through a NAT port, so I can actually do these demos without a VPN as well. I could directly connect to them and see the GUI and actually perform RADIUS-based authentications through that NAT port. And I say this because we also have the ability to use Meraki access points from anywhere in the world. Being controlled by the Meraki cloud, it can actually send requests into ISE and get authentications done that way. And we're actually going to see one of those happen tonight as part of our testing.
And then, you know, almost every customer for ISE has Microsoft's Active Directory in order to authenticate their users and associate them with different groups and allow us to make authorization decisions based on those groups. So we have that available to us. We're going to be configuring that. And then, you know, I can use all these different endpoints and things to actually test everything I do. So this is how I actually run all of my labs. I also use Amazon Web Services with ISE, so I can test things there as well. But this is the basic setup. And many of you, if you've been watching the webinars, know that we have been doing a lot of things with REST APIs, automation, Ansible, Terraform, things like that. So we actually have a Linux box out there so we can install anything we need to do that kind of automation as well. And I mention all of this partly to kind of let you visualize how I'm doing this demo or what I'm trying to set up ISE to do, but also because I know we have a lot of partners that watch these webinars, and I wanted them to know that this is something that's available to you to reserve in dCloud right now. And I wanted to also let you know that dCloud has recently added a feature so that Cisco partners and employees can authorize customers to play with this same dCloud environment. Now, you've got to provide all the gear in your home and everything to connect into the ISE or the virtual controller, things like that. But the ISE, the AD, the Linux box, all that's available to you in dCloud. And we also have another one available to you in Cisco's DevNet. We actually have some automation labs and sandboxes there for you to play with as well. So if you're looking for a way to try ISE and play with it, we have a couple of options available for you.
And I will also mention that if you just take ISE and you install it onto a virtual machine or onto an appliance that you have, or if you instantiate it in Amazon Web Services today, you get a free 90-day evaluation or trial licenses with 100 Premier licenses and a device admin appliance license. So if you want to be able to play with these things, just like I'm doing here today, you can install it and start playing with it. Use it in your lab as a test setup. So if you wanted to basically do everything I'm doing but in your lab, just install it, and you can go through all of this. And I always recommend customers doing that so that you have an opportunity to build policies, test them, try out integrations before actually putting it into your production network. You can test your scenarios and things like that. It's always a really good idea. So with that, it's time to start our demo. So if we start off in ISE, if we go ahead and log in, one of the first things that you would want to do, maybe for your first one, I mean, if you just installed, you should know what version it is. But we actually have this About ISE and Server menu item here. And you can see that I'm running version 3.1, which is our latest and our current suggested release for ISE. You can also see that we've installed patch number one on this, which is the very latest patch. One of the things that is good is that we always recommend that you keep up with the latest patches, because they have fixes and some security improvements. And speaking of security and patches, we recently released one for the Log4j vulnerability, and so I'm actually going to show you how to install that tonight. I want everybody to make sure that you know basically how to install patches using repositories, keeping up on all patches. So I'm going to show you how to do that. But I just thought, you know, let's start out, let you know what I'm running.
And you can see some of the other information here: that we have a standalone node. It's just a single ISE node. It's not in a deployment with any other nodes. And you can see the default services that I'm running right here. So the other thing that I will share with you is if you go up here, you will also notice we have this little Make a Wish button. And if you click on that, you can actually submit feedback to our team. So if you're trying something out and it's not working right, or you wish it had a feature that it doesn't have that you can't find, go ahead and tell us what it is. We'd love to hear from you. And our product managers can hopefully put it in our roadmap to give it to you. So with that, where I want to spend my time today is mostly over here in this Administration menu, and we're going to start under Deployment. Because when you first bring up a node, you know, you've got a brand new ISE node, and if you look in your deployment over here, we only have the one ISE node. If you had multiple ISE nodes in the deployment, you would see a list of all your nodes over here, but we just have the one. So let's go drill down into that, and you can see that currently it's just standalone. That's the default, the way that it comes up. If you were going to start making a highly available ISE deployment with a primary and a secondary MnT, you'd probably go ahead and mark this as a primary, and then you would begin to register the other nodes to it. I'm not going to do that today because I don't want to have to spend the time waiting for it to restart. I don't want to waste your time waiting for that. But do know that it does a restart if you do that. It takes a few minutes for it to come back up. So you can see we have the different services available. We're going to run this as an administration node, monitoring, PSN. All these services are going to be combined together. And I'm actually going to go ahead and enable the device administration service.
This is just a little warning that lets you know that TACACS and RADIUS are older protocols. They are not encrypted natively. They're pretty wide open. And so if you do run RADIUS over your network, you may want to encrypt it even within your own network. And if you run it across any cloud services or you think you want to run it over the open internet, you definitely need to do a DTLS secure tunnel or something like that to secure your traffic. So just keep that in mind that these protocols, these authentication protocols, ironically are insecure because they're much older and they just never added that on. You have the option to do it with something like DTLS, but that's something for another day. I'm not going to enable pxGrid, although you could run all these on the same node. But what I am going to do is come up to the profiling configuration and take a look at the different probes that are here. Now, by default, some of these are already turned on. DHCP is a really popular one. We get a lot of good information out of that when we want to profile endpoints. HTTP is another one I encourage you to turn on. This allows you to get the HTTP user agent information whenever a host connects to one of the ISE web portals. So that's a good thing to have. And then if you want to go ahead and turn on DNS, that's a good thing. ISE can actually do a DNS lookup and see if perhaps the endpoint that just connected and was assigned an IP address, if that's kind of a statically assigned IP address from your DHCP server, then we might know the specific fully qualified domain name from it and give us a little bit more information about that in our profiles. And other than that, you're pretty much ready to go. There isn't anything else to select by default, I don't think. So we can just save this, and that should be all there is to do in the Deployment menu for right now. So the next one, obviously, would be Licensing.
Now, this node, because it's in our demo cloud, has already been licensed. So I'm not going to spend too much time in here. But just notice, as soon as we turned on that device admin service, that it immediately consumed one of those device administration appliance licenses. And once we started to do authentications on the network, it would start to consume additional licenses as well. That's as far as I'm going to go into licensing here today. We have a whole other webinar that we did maybe about six to eight months ago on ISE smart licensing. If that's something that you want to know more about, then I highly encourage you to go into our ISE webinars page or our ISE videos page on YouTube. And you can take a look at that webinar and watch it and come up to speed on how we do ISE licensing, especially if you're going to be migrating from ISE 2.x into ISE 3.x with the smart licensing. So the next thing is Certificates. And you can see this node already has some certificates provisioned to it, again, because it's part of the demo. But don't worry, you have an opportunity to learn all about certificates, as Rigo said, coming up this Friday in the webinar we're doing with Pavan called Managing Digital Certificates with ISE. So he is going to go through everything. He's going to cover everything in this page. So if you want to know more about digital certificates, how they work in ISE, all that good stuff, I highly encourage you to join that webinar later this week. All right, so then where I want to start really is with the logs. So nothing really to see here on these basic logs; keep this menu the same. But I want to start with syslogs. So we have the ability to add one or more remote syslog targets in ISE, and so I'm going to go ahead and do that, because I have a syslog server that I've set up on my Windows Active Directory box. So I'm going to go ahead and I want to set up a... We have a choice, actually, of different syslog servers.
We can do the old-school UDP, a newer, more reliable TCP, or actually a secure syslog where it's TCP plus encryption. I didn't get the license. I just used the free Kiwi syslog server, so I can't do the secure syslog. So I'm just going to do the TCP for a little bit more reliability. You do whatever works for you. And then I'm just going to say this is my TCP syslog server, and it's at this IP address. And, oh, Thomas needs to actually put periods, not commas. There we go. And then whenever you change the different syslog target type, it will change the port. If you use UDP, it's port 514. The TCP uses 1468, and I think the secure one uses yet another port, 20-something, I forget what it is. The facility code is basically the severity level that we use, and local6 is the default, kind of an informational level. I mean, you just leave it there. The one thing you probably would want to change is the maximum length. So we can send a lot of different messages from ISE, and some of them can be quite lengthy when it comes to the authentication messages and the data we give you. So I'm going to go ahead and use 8192. I want to maximize all of that data that we get out of ISE for those messages. I do want to see some alarms go to my syslog server. Complying with RFC 3164 just means that none of the characters are escaped, and there it goes. It'll tell you, you know, characters will be escaped there. And then the greatest thing about using the TCP syslog is that you get this buffer, right? So if for some reason your connection to your syslog server goes down, we have the ability to buffer the logs, and we're going to buffer it up to 100 megabytes of logs. And the amount of time that lasts really is determined by how active your PSN nodes are, how many authentications they're doing, and how big those logs are. So all of the ISE PSNs will send their logs directly to the syslog server. And we're just going to hit submit. Yeah, so it's not secure.
I know that, but it's going to be TCP, so at least it's reliable. So we're going to do that. And now that we've got our syslog server configured, we need to go into our logging categories. And we have all these different categories that we can potentially configure. And the way this works is we pick a category, and then we have one or more targets, one or more servers, that we can assign it to. And you saw that ISE has a bunch of local targets on its own. So this is all basically within the ISE distributed deployment; it has its own set of servers and collectors that it uses. So what we're going to do is basically add the new server that we just defined to these, and the way we do that is we come in here and we choose our server and we move it over and say, yeah, we want to get that category of logs sent to us. So that's what I'm doing, and so I'm going to pick this for several logs. And did I just do passed? No, okay, do passed authentications. I might do one more, and AAA. Yeah, let's get some AAA diagnostics in there. That's got to be good. And one, oh, actually, one more for good measure: administrator authentications. I want to see when I log in and out of ISE as well. Okay. All right, so we've got all those things checked off, and you can see over here basically what we did is our TCP syslog server got added, so it should now begin to receive those log messages. Okay. And so if we go over to our server, okay, oh look, check it out, it's already getting logs. So just the fact that we were making changes, configuration changes. It says, yep, configuration changed. It was user admin. We changed these different categories, and those are exactly the categories you just saw me do. Now, what's more interesting is if we actually did an authentication, right? So what does an authentication look like? And for that, we're going to switch over, and we're going to try to do an authentication with Meraki. This is why I have Meraki over here. Okay, so this is my Meraki dashboard.
I told you that I have Catalyst APs here in my home office as well as the Meraki APs. So what I'm going to do is I'm going to go in to edit the settings for my ISECorp SSID. And inside of there, they make it really easy to do a test. And so I've already pre-configured my ISE RADIUS server IP address and the pre-shared secret that I want to use, and now I just need to test it. So I'm going to try out thomas and my password, and this is totally going to fail. And the reason why is because we have not configured any Meraki network devices, any Catalyst network devices, no network devices, right? So the fact that it hasn't even been configured means that ISE is going to deny it. But that's okay, because all we want to do is we just want to test the syslogs and see that the thing is working. So sometimes you just need to test it just to see that things are connected and talking to each other. And that should be fine. So it's trying and retrying. Okay, there we go. APs failed. All right, that's cool. Let's go back over. And look at that. We now have our logs. And so you can see that we have a couple of different logs here where it tried to do a RADIUS authentication and it failed and the request was dropped. And then it says, you get another one up here that says the network access server conducted several failed authentications of the same scenario. So basically it retried, right? It tried, it failed authentication, it tried again. So it's just letting us know that it keeps trying it again and again. And then you also get a message here that, look, hey, we got an unknown network access device. We've never seen this before. So maybe it's misconfigured, and now you get another syslog about it being misconfigured. So our alarms are definitely working. This is fantastic. It's exactly what we wanted. So it's that easy to configure your syslogs with ISE and do a quick test on it. All right. So that's the syslog stuff.
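An added example, not part of the webinar or of ISE's own software: a small Python parser and checker for the kind of syslog lines the TCP target configured above would receive, flagging the two conditions the demo produced (a RADIUS request dropped because the network device is unknown, message 5405, and repeated failed authentications from one NAS, message 5435). The line layout (PRI, timestamp, host, logging category, message sequence number, segment count, segment index, then the body with the message code) is an assumption modelled on ISE's remote syslog format, and every sample line is constructed rather than captured; one message is split across two segments to show why the maximum-length setting matters.

```python
"""Parse ISE-style remote syslog lines and flag the two conditions seen in
the demo: RADIUS requests dropped because the network device is unknown
(message 5405) and repeated failed authentications from one NAS (5435).
Added example; the line layout is an assumption modelled on ISE's format and
every sample line below is constructed."""
import re
from collections import Counter, defaultdict

UNKNOWN_NAD = 5405        # RADIUS request dropped (device not defined in ISE)
REPEATED_FAILURES = 5435  # NAS conducted several failed authentication attempts

# Constructed sample lines.  Fields after the hostname are assumed to be:
# logging category, message sequence number, total segments, segment index,
# then the body.  The third message is split across two segments to show
# how a message longer than the configured maximum length is reassembled.
SAMPLE_LINES = [
    "<181>Jan 26 19:02:11 ise01 CISE_Failed_Attempts 0000000101 1 0 "
    "2022-01-26 19:02:11.412 +00:00 0000004521 5405 NOTICE Failed-Attempt: "
    "RADIUS Request dropped, Device IP Address=192.0.2.10, UserName=thomas, "
    "FailureReason=11007 Could not locate Network Device or AAA Client,",
    "<181>Jan 26 19:02:14 ise01 CISE_Failed_Attempts 0000000102 1 0 "
    "2022-01-26 19:02:14.021 +00:00 0000004522 5405 NOTICE Failed-Attempt: "
    "RADIUS Request dropped, Device IP Address=192.0.2.10, UserName=thomas, "
    "FailureReason=11007 Could not locate Network Device or AAA Client,",
    "<182>Jan 26 19:02:20 ise01 CISE_Alarm 0000000103 2 0 "
    "2022-01-26 19:02:20.500 +00:00 0000004523 5435 INFO Alarm: NAS conducted "
    "several failed authentication attempts of the same scenario,",
    # Second segment: same sequence number, index 1; the body continues after
    # one separating space, so the body itself starts with a space.
    "<182>Jan 26 19:02:20 ise01 CISE_Alarm 0000000103 2 1  "
    "Device IP Address=192.0.2.10, Count=3,",
]

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<category>\S+) (?P<seq>\d+) (?P<total>\d+) "
    r"(?P<index>\d+) (?P<body>.*)$"
)
BODY_RE = re.compile(
    r"^(?P<date>\S+ \S+ \S+) (?P<msgid>\d+) (?P<code>\d+) "
    r"(?P<severity>\w+) (?P<text>.*)$"
)


def reassemble(lines):
    """Join multi-segment messages keyed on (host, sequence number).

    Yields (header fields, complete body).  A message whose segments have not
    all arrived is skipped rather than parsed as a truncated message."""
    segments = defaultdict(dict)
    order = []
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an ISE-style line; ignore
        h = m.groupdict()
        key = (h["host"], h["seq"])
        if key not in segments:
            order.append((key, h))
        segments[key][int(h["index"])] = h["body"]
    for key, h in order:
        total = int(h["total"])
        if len(segments[key]) != total:
            continue
        yield h, "".join(segments[key][i] for i in range(total))


def parse_message(header, body):
    """Split a reassembled body into code, severity, title and key=value fields."""
    m = BODY_RE.match(body)
    if not m:
        return None
    b = m.groupdict()
    # Free text up to the first ", " is the message title; the rest is a
    # comma-separated list of key=value attributes with a trailing comma.
    title, _, attrs = b["text"].partition(", ")
    fields = {}
    for item in attrs.split(", "):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip().rstrip(",")
    pri = int(header["pri"])
    return {
        "host": header["host"],
        "category": header["category"],
        "facility": pri // 8,          # 22 == local6, the default in the demo
        "syslog_severity": pri % 8,
        "code": int(b["code"]),
        "severity": b["severity"],
        "title": title.rstrip(","),
        "fields": fields,
    }


def review(lines):
    """Return (parsed messages, findings) for a batch of syslog lines."""
    msgs = [parse_message(h, body) for h, body in reassemble(lines)]
    msgs = [m for m in msgs if m]
    findings = []
    dropped_per_nad = Counter()
    for m in msgs:
        nad = m["fields"].get("Device IP Address", "unknown")
        if m["code"] == UNKNOWN_NAD:
            dropped_per_nad[nad] += 1
        elif m["code"] == REPEATED_FAILURES:
            count = m["fields"].get("Count", "?")
            findings.append(f"{nad}: NAS conducted repeated failed "
                            f"authentications (count={count})")
    for nad, n in dropped_per_nad.items():
        findings.append(f"{nad}: {n} RADIUS request(s) dropped, "
                        f"device not defined in ISE")
    return msgs, findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LINES)[1]:
        print(finding)
```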
If you want to know what some of these messages are, if you see one of the messages, you can go ahead and you can come down here and you can filter on them. In fact, if I... sorry, I'm going to flip back and look at what was the actual number. Okay, so I had a 5405 was the message ID, and 5435 was the message ID. So if I come back in and I filter on message 5405, there it is, RADIUS request dropped, right? Because it didn't know our network access device. And then 5435, NAS conducted several failed authentication attempts. Okay, so that's exactly what we saw there. So this is just a message catalog. I get questions about this regularly: hey, do you have a list of all the different messages that ISE will send to my syslog server? Yes, we do. And if you want to export them, you just click right there and you can download the CSV file with all those messages. Okay. Now, the last thing that I want to show you here with the logs is collection filters. You have the ability to filter out certain syslogs based on certain criteria. So if you are getting an excessive number of messages from a particular user, or on a policy set name, you don't care, you don't want to hear from it, or a particular NAS that's causing problems or something, you can filter these things out by going ahead and setting a value and then saying what log you want to filter. And again, that will block it so that you don't get those sent to your syslog servers. So that's an option for you. I'm not going to configure anything here. I don't think you need to by default. I just wanted to show you that that was an option. So next, let's get into patching and repositories. This is all considered maintenance of your ISE server. So you can see that we already have patch one installed. I told you about that. The way that we typically install patches is through repositories. So we're going to add a repository. The first one I like to add is called the local disk. This can actually be extremely convenient.
I'm going to show you why here in a second. So I just used local disk, root path, very simple. Submit that. There we go. I also have an FTP server sitting out here, so I'm going to set up my FTP server repository. And notice that we have lots of different options for you. We just did the local disk. I'm going to do FTP, but you also have the options for SFTP, TFTP, also HTTP and HTTPS. Those are very convenient sometimes. If I haven't set up the FTP server and I just want to go straight from my personal computer over VPN, I can actually just set up a quick Python web server on my computer, grab my IP address, do a quick repository configuration, and I can, you know, serve up some files over HTTP. It's simple enough, right? So we're going to do FTP on this one, and again, we're going to be going to my Active Directory server where I have the FTP server set up. So there, the path, I always use the root, and then my username is simply ise and my password. Okay, I want to set that up. All right, so we've got two repositories set up. That was pretty quick and painless. The next thing is we're actually going to go down into local disk management. So if you have more than one ISE node, you would see all the different nodes here, and you could quickly go through and you could manage the files on that. So you can see previously we uploaded the patch bundle number one, and we were able to patch the system through here. So it's very easy to come in, perform an upload, and I'm actually going to submit the hot patch for the Log4j vulnerability. I'm going to upload that right now, and we're going to apply it a little bit later. I'm not going to do it right now because if I did, it would restart the ISE box, and that would just be dead time for 10 minutes, and I don't want to bore you waiting for that. So we're going to wait until the very end of our webinar for that. So we have just installed our patch.
It's not installed, but it's uploaded, I should say, in our local repository. We're going to come back to that, but I just wanted to show you that real quick. So I'm just kind of working across the screen here. The other thing I will show you is operational data purging. So if you ever want to see how much space your logs are using in your ISE node, you can come in here, you can take a look, and you can see what the relative size is for RADIUS and TACACS. You can purge them based on a timeline. Now, depending upon how active your ISE deployment is, you may be able to store 30, 60, 90, 120, maybe more days' worth of logs. And so you may want to, you know, change these numbers to be longer than 30 days. And so I'll leave that up to you, whatever you think the right number is. The other thing you can do is, before you purge, you may actually want to export those logs to keep them for a longer term. So if you know that you're going to fill up your disk within 30 days, you may want to export them and start fresh. And so you can do that by exporting them to one of your repositories, right? And you can encrypt them and all that good stuff. So that may be an option for you. So I'm not going to do anything here. I just wanted to show you that option before we move on to the next thing, which is going to be upgrade. Now, this is a fresh install. It's on 3.1, patch one. It's got the latest stuff, so we don't need to do an upgrade. I just wanted to show you the screen because we're just working left to right. Nothing to do here, so we're going to keep going for now. Health checks. This is something that we started doing back in ISE 2.x. We had it as a separate tool called the URT, the Upgrade Readiness Tool. And in 3.x, we actually incorporated it. And so now all you have to do is come over here, trigger the health checks, and it's going to run through and check for all these things to see if there's any problems.
Typically, we use this before we do an upgrade, but you can run it at any time, just like I did. Sometimes, you know, your digital certificates will expire in your trusted store, or maybe your own system certificates, and it'll tell you that you've got a problem. Sometimes there may be other issues, and so we're still running the check here. Okay, so all the services are running. We're all good. So health checks are complete. So if we were going to do an upgrade, we could go ahead and do that right now. The other thing that's interesting is you can actually download the report. I guess it's going to open it with Visual Studio Code. Let me see if I download it. It actually provides some pretty interesting data. Let me see if I can bring this over and show you really quick. This is what it looks like if I open it up. And you can just see basically, what is it checking when it does these things? What kind of things is it looking for? It does things like disk throughput, disk I/O, checks for deployment validations, FQDNs, DNS resolvability, all this kind of stuff. So it's fascinating to look through and see what it's checking for. It's just a general good thing to be looking at. You can run it at any time.
Just to see, you know, how your nodes are doing. If you had some problems, you were wondering if maybe something else is screwed up, you can try to run it and see if there's any problems, maybe call TAC, have them take a look at it. But that's health checks. Definitely run it before your upgrades. Next is backup and restore. So I always recommend doing a backup and restore. You can do either configuration or operational, which has your logs in it. Configuration's much lighter. This is the minimum one that you want to do, and I'm going to go ahead and configure one right now. And for that, I'm just going to say this is my first backup, and I'm not going to fill up my own local disk. I want to use that FTP server for this. I'm going to specify my password. And note that it doesn't back up your certificates, so that's a totally separate thing that you will need to do. Always store your certificates in a safe place. And there we go. So it's going to start backing up to our FTP server, which is sitting out here. And so over here, oh, here he is over here. All right. Oh, there he goes. He's going right now. So he's already doing stuff. So there's our FTP server. It's progressing right now. And if I go back, okay, so it's taking all the files, basically zipping them up, compressing them, all that good stuff, and it's going to transfer them over. Typically, I've seen it's around 200 megabytes. That's the size I get whenever I do it. So that's one way to do it. You can also do scheduled backups. I highly recommend you do a scheduled backup, probably once a week. I don't know how active you are. Maybe when you're first playing with ISE, you're doing lots of changes. You want to do it more frequently, maybe once a day. But it all depends on how active you are, how many changes you're making, how many backups you want to do. So I can't show you that right now. I should have shown you before I did the backup, sorry.
But it's pretty straightforward to set a schedule. And your backups will just magically run. Set it to run, you know, in the middle of the night so that it doesn't impact performance during the day. So there's that. The next thing, this is where it starts to get interesting, and we start talking about administrative access. So the reason I did this is because the number one thing that we get that causes customers problems is this little checkbox down here for password lifetime. It's currently turned off because it's the number one thing. It's the first thing I do. I've already turned it off for this demo. I do not want this password to expire for this demo. But if you just did a brand new install, this box is checked. And what that says is 45 days after you install, if you didn't know that this was checked, and this was a secure default that we put on there, you're going to get a little surprised when you try to log into ISE and it says your password's expired, you need to go reset your password. And it's extremely annoying. And so this is like the number one thing to go do. Otherwise, if you want to have your local password stored here, you want to change it, do a password rotation every 45, 30 days, whatever your number is, go for it. But I just turn it off. I'm extremely annoyed by it. I know a lot of other customers are as well. In fact, what we've done is...
We have, I don't know if you guys have seen up here, we have this interactive help that we put up here, and it's actually one of the first tasks that we do. So let me show you. If I go back to my dashboard, if you haven't run any of these little tasks that we put up in here for you, it's actually pretty cool. I recommend you try it. So we have it right there. One of the very first things when you onboard is disable that 45-day password. So it will actually guide you through. So, okay, yeah, let's disable that password timeout. This is going to take us there, tell us where to go, guide us through, and it looks like it's already been disabled, right? We went through that. But otherwise, it would show us: go click, turn this button off, and then we would click save, and then we wouldn't have any surprises in 45 days, right, getting locked out of our account. So that's something important that I wanted to let you know about. Account Disable Policy. Again, these are all about secure defaults, right? ISE is a security product. We want to have secure defaults. So if you want to disable any accounts that you have, if people don't log in after a certain period of time, they're inactive, you can go ahead and disable them. And you can also suspend accounts. So if you happen to have somebody that's trying to do a brute force password attack on your ISE box and trying to get in, you can actually take three failures and then suspend it for 15 minutes. Now they've got to wait 15 minutes before they can try to authenticate again. So that's a good thing that's on by default. I recommend keeping that one. So these are some different settings you can use. The next one is under authorization, for permissions. This is all about the role-based access control policy inside of ISE. And the way that we do this is with...
...controlling access by the menus, how you get to the data, and then the actual data that you can read in there. So these are the different menus that we've defined and the different types of data that we've defined, and you can put these things together. If you look at our administrators... sorry, it was actually our RBAC policy right here. This is how we combine these roles and permissions together to define what each individual type of administrator in ISE can do. And so I'm actually going to try and show you that down here with just the default groups that we have inside of ISE. So these are the default groups. We've tried to come up with different roles that we think would be typical. So we have things like, we'll start at the top here, ERS admin and ERS operator. ERS is our External RESTful Services. That's basically our REST APIs. And so the ERS admin can do read and write operations with the REST APIs, and the ERS operator can only read. So it's read-only permissions for the APIs. Then we have a help desk admin. They can go look at the Operations tab. They can run live logs, run reports, but they can't look at policy. They can't look at the network devices. They can't change anything there. Really, really basic. And then likewise with the network device admin, this is the person that goes in and adds, updates, changes the network devices, but they're not in charge of security policy, right? So they're not supposed to be doing anything there. Then there's a policy admin. Maybe you have a security person that comes in and they need to be able to change the policies. You don't want them updating the network devices. Their job is just to deal with the security policy. So you can let them change the policy, but not the network devices, right? So you've got all these different roles you can configure. And, of course, the super admin is the one that does it all. That's our default admin that we have in here.
So what I want to do is, rather than having to create... you could come in here and create individual users, right? Maybe we want to give Rego, make him one of our admins. We can go ahead and specify a password for him. And then down here at the bottom, we could go ahead and choose what kind of admin we want to make Rego. Now, if you have a fairly large company, it doesn't make sense to go allocate individual accounts and passwords when you probably already have an Active Directory or a SAML server or something like that. So it makes a lot more sense to just reuse those accounts. So that's what we're going to do. ISE supports either Active Directory or we can do SAML-based access. I'm going to show you Active Directory because that's what I have ready to go here. So I want to show you how to connect up your Active Directory. And I'm going to use this little interactive help again. I'm going to onboard, and I'm going to join ISE to a Microsoft Active Directory server. So it's going to guide us through the process here, how we add our ISE to the Active Directory domain. So I'm going to do that, put it there, and I'm kind of skipping ahead of what the thing's telling me to do, but if you didn't know how to do this, it would just guide you through the process. Then, yeah, we do want to join all the ISE nodes. We only have one node, but we're going to join all of them. And after we put our password and username in, we can submit that, and we should get, yeah, we've joined the domain. So ISE is now part of the domain. And click close. And we've successfully added ourselves to the domain. Yay, cool. So that's how that little interactive help tool can work. So we've got other things that you can do in here for adding devices and creating repositories like we've already done, right, adding users. So if you're new to ISE and you want to learn some things, there's some great things, some great little skills you can learn right here.
It will guide you through the whole process. Next thing is, now that we've joined the domain, the reason we've done it is because Active Directory has a bunch of groups that it puts all of its users into, and that's how we can control access or privileges to our network. And that's what we're going to do. So let's add groups from our directory. And if I just retrieve the groups, I'm going to get a whole bunch. And if you have a really large organization, you may have thousands or tens of thousands of groups. I only have 141, which is still a lot, right? In fact, where is it? There's Domain... It's kind of hard to find them sometimes. There are just so many. So it's easier just to search. I did find Domain Admin, Domain Computers, Domain Users, maybe Employees. Those might be some common ones that we would use in doing authentications with our authorization policies in the network access rules. So I'm going to go ahead and use those for right now. But the real reason I came here, right, was for the ISE administrators. So I actually want to add groups, and I actually created them. I created ISE administrator groups that map directly to those groups that we just saw. So if you filter on that name, check it out: ERS Admin, ERS Operator, Help Desk Admin. These all look familiar, right? Network Device Admin. So I'm going to choose all of these, and I want to add them to my shortlist of groups. Cool. So now that I have done that, let's make sure I saved it. Okay, yeah, we're all good. So now that I have these groups, this is my short list of groups in Active Directory that I can now use in my ISE policies. So if we go back to our admin access for administrators and we look at the admin groups... Oh, sorry, I missed one thing. First, you have to go back up to Authentication, and notice we can do password or certs, or we can use an identity source. So we're normally doing internal users, right, like the admin. We're going to use AD now. So let's save that.
You still have the option to use the internal users, but now we can go into the groups, and we can map these groups to Active Directory groups. And so, if I had a Help Desk Admin, I would say I want to map it to an external group. And so if I come over here and I look for my help desk admin, there it is. I could add an additional group potentially, if I want to add more than one of those groups. And then I come down and save that. Cool. And then I want to add another one for my Network Device Admin. Let's map them to... find my network device admin. There they are. And of course, I'm probably going to have my Super Admins. Map that to an external group. Where are my super admins? Where are they? Super Admins, right there. Okay, so we've done three. That should be good enough. Just wanted to give you some variety. All right, now that I've done that, let's go back to those admin groups and take a look. So what we've done is we have mapped to external Active Directory groups. So if you look here, you can see we have just one group that we've matched, right, for our Help Desk Admin. And we've done it for Network Device Admins, and we've done it for Super Admins. You don't have to do them all, only the ones you want. And if you have multiple groups that would fit, you can use those, however you do it in your Active Directory. So let's test it. So I'm going to go... let's pretend I'm a network device admin. I'm going to log out of ISE. Check it out: identity source is Active Directory now. We can always still log in as internal, but now I'm going to log in as network device admin, and my password, and let's see if this works. All right. Big deal, Thomas. What's different? Doesn't look like anything's changed, but check this out. Oh, I'm missing my Policy menu. That's gone, and if I go under Administration, I only have access to my Network Resources now, because I'm a network device admin, so I only get to play with the network devices.
I still get to look at some live logs and things like that, but I don't have access to change policies. And look, even Work Centers, right? I'm totally limited in what I can do, to basically just troubleshooting and reports. That's all I get. So that's pretty cool. So that's how you can change people's access to ISE for role-based access control. And, oh, I'm going to need to log out of here, because I can't do anything to keep showing you guys stuff in the Administration menu. So I have to log out. And what I'm going to do now is I'm going to be Thomas, the super admin. I'm not going to be a regular admin. I'm just going to be Thomas now. I can just use my regular Active Directory username and password, log in, and hopefully, because I'm a super admin, I should have all my menus back now. Oh good, there's Policy. Okay, there we go. All my menus are back. That's what I needed.

So with that, I can actually go in and finish up any other settings. My access settings... oh, this is a cool one. If you want to do little banners in your GUI or whatever, you can do that, right? Tell people whenever they log into ISE, tell them to have a nice day, right? We can do that. And one's a pre-login banner, before you log in, and one's after you log in. So if you want to leave a message for somebody, you can do it this way. Same thing with the CLI. So we can actually leave a fun little... maybe some ASCII art or something for our CLI logins to ISE whenever we SSH into the terminal, because we're going to do that in a little bit here. So we can save that. There we go. All right. We'll check that out a little bit later. But anyway, we've got some ASCII art banners here. So the last menu... Oh, wait, I think I have Sessions. Okay, there we go. A couple more security settings. So idle timeout: maybe 60 minutes is too long to leave your web browser open unattended. So it might be a good idea to log out of ISE within 10 minutes instead if you're idle.
And if you look at session info, you can actually see who you are, or how many people are logged in right now. So you can see I'm Thomas. I just logged in. So that's admin access. And now we get into some other interesting settings. Client provisioning isn't something I think you're going to do day one. You can use it for profiling or for BYOD, but we're not going to get into that right now. FIPS mode: if you are a government customer or you have a need for really strong security, you can go ahead and enable FIPS mode. Basically what it does is it turns off certain protocols or ciphers that are not strong enough to meet the FIPS criteria, the Federal Information Processing Standard criteria. So it's just going to disable those things. So be careful before you turn it on. Know what you're going to lose when you do that. So be aware of that. Then other security settings are for other protocols and ciphers, such as TLS. So TLS 1.0 is pretty old; you probably should not be doing it. So let's turn that off. If I were to do that, though, it would try to restart. It's going to restart. I thought it was going to restart my server. I don't want to do it, because I don't want to restart the server right now. And again, that would take too long and ruin our demo. But these are some things you can choose to turn on or off. So take a look through there. See if there's anything that you don't want to allow. Alarm settings: you can actually configure different alarms. If you want to go in and change threshold levels for when it sends alarms, you can come through and do that. So there are lots of alarms to choose from. Go ahead and scroll through there, see if there's anything you want to do. Posture, that's more advanced. We're not going to cover that. Profiling, that's something that you would do on day one, because as endpoints start to connect to your network, you do want to profile them. I think these are all good settings, and I probably wouldn't touch anything here.
So just know that it's there. Don't do anything with it just yet. Protocols: more interesting settings. So if you want to do things like session resume, that can potentially speed up things in your network. So you might want to just come through and enable session resume on these things for the different protocols. PEAP has session resume and a fast reconnect option, so go ahead and save that. If you're using TTLS, you may want to do it there as well. Then we've got some interesting RADIUS settings. This particular tab is a bit advanced. I wouldn't do anything with this, but know that it's here. If you get certain clients trying to authenticate and they're failing a lot, or just causing a ridiculous number of failures and logs, you can suppress them, basically turn them off for a period of time. This can be really, really helpful to kind of ignore things for a while. So that's an option for you. I wouldn't do anything there on day one. And if for some reason you wanted to change your RADIUS authentication and authorization ports that we use, you could do that here. If you want to make it security by obscurity, you can do that. Otherwise, I don't recommend changing these. You want to stay with the standard ports that network devices know to talk RADIUS and TACACS on. DTLS: this is another option to secure your traffic with RADIUS and TACACS. You can actually use DTLS tunnels between your network devices and ISE. Don't do anything here. Just keep it standard, my recommendation. And then some other things: you may need to configure a proxy for ISE to communicate out to the internet. You may need to do this so that it can get...
the client provisioning packages, so that it can get profiling updates, so that it can get posture updates. You may need to configure this proxy for your lab, so if you do, this is your option to go ahead and configure it. And then the other thing I want to just show you guys real quick: SMTP server. You're going to want to configure this if you actually want to get messages sent out to your guests. You're going to need to configure an SMTP server. I'm probably not going to go through and do this due to the time, but know that we do it. And then, of course, you're probably going to have to use some kind of username/password authentication to do it. So we have the option to do this. You must configure this if you actually want to have ISE send email notifications to you or your guests. So keep that in mind. SMS gateway, if you want to do that for guests, that's located here as well. System time: we recommend keeping this to basically just UTC if you have a large worldwide deployment. If you're only in a single time zone, you have a smaller company, then maybe you want to keep it in one of your local time zones. But otherwise, we recommend keeping it at UTC and not changing it. NTP servers: you know, if you need some... was it pool.ntp.org, or the NIST one, time.nist.gov? That's what it is. I can't talk and type at the same time, right? So if you wanted to add some NTP servers, you can use those. And then I love using the APIs, so that's the next thing I'm going to do, is go into API settings, and I want to enable these. This will let us do, like I said, the External RESTful Services, ERS, and our newer Open APIs that we have. Real quick, we can turn those things on, and then we're going to be able to do our patch. Max sessions: we have the ability to control the maximum number of sessions for your local users in ISE. You cannot control Active Directory groups; you can only control local groups in ISE. So keep that in mind if you want to do max sessions. And then these other things, Light Data
Distribution: don't touch this. This is a great optimization that we added, I think back in like ISE 2.6. So don't touch this. Leave it alone unless you know what you're doing. Interactive Help: this lets you turn off interactive help if you don't like it for some reason. So that pretty much takes us through the entire administration setup.

So what I want to do now... my goal was to show you how to do patching with our Log4j hotfix, and I wanted to do it through automation. I wanted to, like, run a script and show you guys how that works. So the way I want to do this is I'm going to go over here to my terminal, and I want to go ahead and SSH into my ISE box as admin. And I just want to show you the patch. You can actually get this in the GUI, to see if a hot patch was applied. So that's what I'm going into this ISE for. Okay, cool. So, "have a nice day." So that's that banner that we configured previously. So that's working. That's good. All right, now if we want to do these patches, what we do is we could run this command, okay: show logging application hot patch. And basically nothing came back. That means that no hot patches have been applied to this release and normal patch. So that means that it's probably a good idea to go ahead and apply our Log4j hotfix on this ISE node. So what you could do... I'm going to show you the command to do that. If you wanted to apply your hotfix, it would look like this. I'm not going to hit Enter, because I actually want to do it using an API command. So I just want you to know that would be the command that we'd use if we were going to do it that way. I don't want to use this. I just want to backtrack on that. I just want to exit out of here. And when I exit out, there we go. We're good. So now I want to run the patch command using curl. I'm actually going to invoke the REST API to install the patch using curl. So that command looks like this. I know you guys don't want to see me type it, so I'm just going to paste it in here real quick.
So what we're doing is we're running curl. Don't care about security; I want to see the output. I'm using... this is my username and password. So there's my super secure Cisco password I've been using all day long here today. And then I'm telling it that I'm going to accept JSON, and I'm going to send some JSON. This is the URL, the REST API endpoint that I'm going to be querying. It's the hotpatch install endpoint. And I'm installing this hotpatch that is in this repository, local disk, which you saw me configure. And now what I can do is hit Enter. All right. And like that: "hotpatch install task initiated. Take a look at the Task Service API to get the status." So I've got the task status command sitting right here. I'm going to go ahead and grab that. I'm going to put it here, paste it, and I've got to use that task ID to get the specific status of that task. Basically, I just do it like that and hit Enter. Okay, so our patch install is in progress right now. So it's going to take, you know, a few minutes for this whole thing to go through, for the ISE node to restart, and then we'll get a final status. I did it this way because I wanted to show you that we actually have the ability to completely automate this using REST APIs. And if you had... you know, if you only have a few ISE nodes, doing it through the local disk on the command line is very simple, very easy to do. But if you had 50 nodes, how cool would it be to have that external repository and upload it once there, and then you just run these commands to all 50 ISE nodes and it just does the hotpatch install, right, all through a script. So I wanted to let you know that that was a possibility. We've done a lot of really cool things with ISE APIs and how we can help manage your deployments. So that's really it. That's everything I wanted to show you guys today when it comes to managing your ISE nodes. So with that... Rego... Oh, it's caught on air, because my node's actually installing the hot patches.
Nothing to see here until it restarts. So, Rigo, what's going on with our questions? Are we all good there?

All right. Thank you, Thomas. Yeah, I think we are good to go with the questions. I just had a look at our Q&A panel here, and, yeah, we have no more outstanding questions. Our panelists have addressed all of those for our audience, so I think we're all set on that end.

Okay, let me go through a couple more slides real quick, and then we'll let you wrap up. So I did talk about automation. I just wanted to give this little slide to you all to let you see all the things that we can do with respect to configuration, automation, getting your ISE nodes set up initially. So we have a lot of new things that we've done in ISE 3.1 with deployment, licensing, certificates, hot patch, repositories, all this, backup/restore. We've done all this in ISE 3.1. So once you get to that version, you can look forward to being able to do these kinds of automations. Not everything I showed you today can be automated with APIs. So I put those in that hot pink color to let you know that those can't be done. Even some of the settings: we have a few settings there, but a lot of them are still missing. So we're still working on improving those. But a lot of the things that I think you'd want from day-to-day operational management, and even deployment, upgrade, patching, things like that, you can totally do with APIs today. And I want to remind you that we have an amazing community. Make sure that if you have troubleshooting questions or you want to know how to fix something, make sure you provide the necessary details so that our awesome partners and other customers in the community can help you answer your question. If you aren't very specific, they can't be very specific with their answers. So it helps to provide details. And then finally, these are the resources that hopefully Rego's already left you with. And I have a few more here that I want to share with you.
Some of the things that I didn't have time to go over today that some of you may want to know, like maybe you want to use an AWS S3 bucket as a repository, or maybe you want to do SFTP, or maybe you want to do SAML single sign-on with Azure AD for your ISE admins rather than an Active Directory. So we support all those things, and we have guides out there for you if you do an internet search for them. And with that, I think we don't have any more questions. And so I thank you for joining.
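The two API calls Thomas drives by hand in the demo above, the hotpatch install followed by polling the Task Service API with the task ID it returns, as an added Python example. This is not Cisco's code and not the curl command from the webinar. The endpoint paths (/api/v1/hotpatch/install and /api/v1/task/{id}), the request fields hotpatchName and repositoryName, the response layout, and the IN_PROGRESS status value are assumptions taken from the ISE 3.1 Open API documentation rather than from the transcript; confirm them against the API docs served by your own node. Two things differ from the curl one-liner on purpose: the node's certificate is verified against a CA bundle instead of being ignored, and the admin credentials come from environment variables rather than the command line, so the "super secure" password does not land in shell history or the process list of whatever host runs the automation. Without ISE_HOST set, the script runs against a constructed fake node so it can be tried offline, including the connection errors you see while the node restarts mid-install.

```python
"""Install an ISE hotpatch through the Open API and poll the task to completion.
Added example, not Cisco's code. Endpoint paths, JSON field names and the
IN_PROGRESS status are assumptions from the ISE 3.1 Open API docs; confirm them
against the API documentation your own node serves."""
import base64
import json
import os
import ssl
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Transport used below: fetch(url, body) -> response text; body=None means GET.
Fetcher = Callable[[str, Optional[bytes]], str]

def basic_auth_header(user: str, password: str) -> str:
    """Authorization value, the same thing curl -u builds."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def https_fetcher(user: str, password: str, cafile: str) -> Fetcher:
    """HTTPS transport that verifies the node's cert against cafile (the CA that
    issued the ISE admin certificate) instead of disabling checks like curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)

    def fetch(url: str, body: Optional[bytes] = None) -> str:
        req = urllib.request.Request(url, data=body, method="POST" if body else "GET")
        req.add_header("Accept", "application/json")
        req.add_header("Content-Type", "application/json")
        req.add_header("Authorization", basic_auth_header(user, password))
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return resp.read().decode()
    return fetch

def hotpatch_install_body(hotpatch_name: str, repo_name: str) -> bytes:
    """Body for POST /api/v1/hotpatch/install (assumed field names)."""
    return json.dumps({"hotpatchName": hotpatch_name, "repositoryName": repo_name}).encode()

def task_id_from_install(doc: str) -> str:
    """Task id from the install response, assumed to sit under "response" -> "id"."""
    data = json.loads(doc)
    task_id = data.get("response", data).get("id")
    if not task_id:
        raise ValueError(f"no task id in install response: {doc!r}")
    return task_id

def install_hotpatch(fetch: Fetcher, host: str, hotpatch_name: str, repo_name: str) -> str:
    url = f"https://{host}/api/v1/hotpatch/install"
    return task_id_from_install(fetch(url, hotpatch_install_body(hotpatch_name, repo_name)))

def poll_task(fetch: Fetcher, host: str, task_id: str, interval: float = 10,
              max_wait: float = 1800, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """GET /api/v1/task/{id} until executionStatus leaves IN_PROGRESS. Connection
    errors (the node reboots during a hotpatch) are treated as transient; HTTP
    errors such as 401 are not. Gives up with TimeoutError after max_wait seconds."""
    url = f"https://{host}/api/v1/task/{task_id}"
    waited = 0.0
    while True:
        try:
            task = json.loads(fetch(url, None))
        except urllib.error.HTTPError:
            raise
        except OSError as exc:  # connection refused/reset while the node restarts
            status = f"unreachable ({type(exc).__name__})"
        else:
            task = task.get("response", task)
            status = task.get("executionStatus")
            if status is None:
                raise ValueError(f"task {task_id}: no executionStatus in {task!r}")
            if status != "IN_PROGRESS":
                return task
        if waited >= max_wait:
            raise TimeoutError(f"task {task_id} still {status} after {max_wait:.0f}s")
        sleep(interval)
        waited += interval

def fake_fetcher(steps: List[str]) -> Fetcher:
    """Constructed offline stand-in for a node: answers the install call with a
    task id, then returns one entry of steps per poll ("DOWN" simulates a reboot)."""
    remaining = list(steps)

    def fetch(url: str, body: Optional[bytes] = None) -> str:
        if url.endswith("/hotpatch/install"):
            return json.dumps({"response": {"id": "task-0001", "message": "task initiated"}})
        step = remaining.pop(0) if len(remaining) > 1 else remaining[0]
        if step == "DOWN":
            raise ConnectionRefusedError("constructed: node is restarting")
        return json.dumps({"response": {"id": "task-0001", "executionStatus": step}})
    return fetch

if __name__ == "__main__":
    host = os.environ.get("ISE_HOST")
    if host:  # real node: secrets and CA bundle come from the environment, not argv
        fetch = https_fetcher(os.environ["ISE_USER"], os.environ["ISE_PASS"], os.environ["ISE_CA"])
        sleep = time.sleep
    else:     # offline demo against the constructed fake node (placeholder hostname)
        host, sleep = "ise.example.invalid", (lambda _s: None)
        fetch = fake_fetcher(["IN_PROGRESS", "DOWN", "COMPLETED_WITH_SUCCESS"])
    task_id = install_hotpatch(fetch, host, os.environ.get("HOTPATCH", "<hotpatch-bundle-name>"),
                               os.environ.get("REPO", "localdisk"))
    print(poll_task(fetch, host, task_id, sleep=sleep)["executionStatus"])
```

To run it against a real node, export ISE_HOST, ISE_USER, ISE_PASS, ISE_CA (a PEM bundle containing the CA that issued the node's admin certificate), HOTPATCH (the bundle name as it appears in the repository) and REPO (the repository name configured earlier; the demo used the local disk one). Because every call goes through the fetch callable, the same install-then-poll loop can be run across many nodes by handing it a different host each time, which is the 50-node case Thomas describes; the max_wait cap is what keeps a node that never comes back from stalling the whole run.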