<!DOCTYPE html> <html xmlns:fb="//www.facebook.com/2008/fbml" xmlns:og="//opengraphprotocol.org/schema/" lang="en" xml:lang="en" class="no-touch no-js"> <head> <meta charset="utf-8"> <meta name="HandheldFriendly" content="True" /> <meta name="MobileOptimized" content="320" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="rei" content="3/2/2022 10.39am est" /> <script type="text/javascript" src="/content/dam/cdc/j/cdcrSwitch.js"></script> <script type="text/javascript"> if (typeof cdc === "undefined"){ cdc = {}; } cdc.localizedLang="en/us"; if (window.cdcext === undefined) { window.cdcext = {}; } cdcext.customEnvironment = "prod"; if (window.cdclocale === undefined) { window.cdclocale = {}; } cdclocale.locale = cdc.localizedLang=="en/us"?"en_us":cdc.localizedLang; </script> <script src="/c/dam/cdc/t/ctm-core.js"></script> <script> window['adrum-start-time'] = new Date().getTime(); window.environ = "prod" ; </script> <script> if (window.cpe === undefined) { window.cpe = {}; } cpe.accountName = "prod"; cpe.config = ["cinf","dsc","pps"]; cpe.hideMethod = "elements"; window.targetGlobalSettings = JSON.parse('{\x22timeout\x22:4000}'); window.targetPageParamsAll = () => JSON.parse('{\x22entity\x22:\x22{\\\x22id\\\x22:\\\x221678313172526654\\\x22,\\\x22categoryId\\\x22:\\\x22NetworkingSolutions,Solutions,Networking Solutions Island of Content Event\\\x22}\x22}'); const bullseyeLibrary = `/etc.clientlibs/cisco-cdc/clientlibs/clientlib-external/resources/external/bullseye.js`; import(bullseyeLibrary); </script> <script src="/etc.clientlibs/cisco-cdc/clientlibs/clientlib-external/resources/regional-mbox/regional-mbox.js"></script> <title>Solutions - Zero Trust: Network and Cloud Security Design Guide - Cisco</title> <meta name="format-detection" content="telephone=no"> <meta http-equiv="Content-type" content="text/html;charset=UTF-8" /> <meta name="description" content="This design guide provides deployment guidance for the Network and 
Cloud Security pillar of the Cisco Zero Trust Architecture. This document brings together a solution that includes: Cisco Catalyst 9300, Cisco Identity Services Engine (ISE), Cisco Secure Firewall, Cisco Secure Network Analytics and Cisco Telemetry Broker." /> <meta name="title" content="Solutions - Zero Trust: Network and Cloud Security Design Guide" /> <meta name="documentId" content="1674503952792282" /> <meta name="templateName" content="eot-toc" /> <meta property="fb:app_id" content="156494687694418" /> <meta name="ioContentSource" content="WEM" /> <meta name="concept" content="Solutions" /> <meta name="docType" content="Networking Solutions Island of Content Event" /> <meta name="iaPath" content="cisco.com#Networking Solutions#Solutions" /> <meta name="contentType" content="cisco.com#US#preSales" /> <meta name="locale" content="US" /> <meta name="language" content="en" /> <meta name="country" content="US" /> <meta name="CCID_Page" content="cc001777" /> <meta name="date" content="Wed Mar 08 14:05:46 PST 2023" /> <meta name="accessLevel" content="Customer" /> <meta name="accessLevel" content="Guest" /> <meta name="accessLevel" content="Partner" /> <meta name="entitlementExpression" content="contains( &quot;0,1,2,3,4,7&quot; , $profileField[3] )" /> <meta property="og:site_name" content="Cisco" /> <meta property="og:type" content="website" /> <meta property="og:title" content="Solutions - Zero Trust: Network and Cloud Security Design Guide" /> <meta property="og:description" content="This design guide provides deployment guidance for the Network and Cloud Security pillar of the Cisco Zero Trust Architecture. This document brings together a solution that includes: Cisco Catalyst 9300, Cisco Identity Services Engine (ISE), Cisco Secure Firewall, Cisco Secure Network Analytics and Cisco Telemetry Broker." 
/> <meta property="og:image" content="https://www.cisco.com/web/fw/i/logo-open-graph.gif" /> <meta property="og:url" content="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.html" /> <link rel="canonical" href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.html"/> <script src="/etc.clientlibs/clientlibs/granite/jquery.min.js"></script> <script src="/etc.clientlibs/clientlibs/granite/utils.min.js"></script> <script src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.js"></script> <script src="/etc.clientlibs/foundation/clientlibs/jquery.min.js"></script> <script src="/etc.clientlibs/foundation/clientlibs/shared.min.js"></script> <script src="/etc.clientlibs/cq/personalization/clientlib/underscore.min.js"></script> <script src="/etc.clientlibs/cq/personalization/clientlib/personalization/kernel.min.js"></script> <script src="/etc.clientlibs/cq/personalization/clientlib/personalization/kernel.min.js"></script> <script type="text/javascript"> $CQ(function() { CQ_Analytics.SegmentMgr.loadSegments("\/etc\/segmentation"); CQ_Analytics.ClientContextUtils.init("\/c\/dnc\/etc\/clientcontext\/default", "\/content\/en\/us\/solutions\/collateral\/enterprise\/design\u002Dzone\u002Dsecurity\/zt\u002Dnetwork\u002Dcloud\u002Ddg"); }); </script> <link rel="stylesheet" href="/etc/designs/cdc/clientlibs/responsive/css/cisco-sans.min.css" type="text/css"> <script src="/etc/designs/cdc/clientlibs/responsive/js/foundation.min.js"></script> <link rel="stylesheet" href="/etc/designs/cdc/clientlibs/responsive/css/responsive.min.css" type="text/css"> <script> sessionStorage.setItem("logOutIntermediateMessage", 'You are being logged out.'); </script> <!-- Custom JSON LD For Products Type --> <script type="application/ld+json"> [ { "@context": "http://www.schema.org", "@type": "WebPage", "name": "Zero Trust: Network and Cloud Security Design Guide", "url": 
"https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.html", "description": "This design guide provides deployment guidance for the Network and Cloud Security pillar of the Cisco Zero Trust Architecture. This document brings together a solution that includes: Cisco Catalyst 9300, Cisco Identity Services Engine (ISE), Cisco Secure Firewall, Cisco Secure Network Analytics and Cisco Telemetry Broker.", "publisher": { "@type": "Corporation", "name": "Cisco" } }] </script> <!-- End Custom JSON LD For Products Type --> <!-- Video JSON LD --> <!-- End Video JSON LD --> <script>!function(e){var n="https://s.go-mpulse.net/boomerang/";if("False"=="True")e.BOOMR_config=e.BOOMR_config||{},e.BOOMR_config.PageParams=e.BOOMR_config.PageParams||{},e.BOOMR_config.PageParams.pci=!0,n="https://s2.go-mpulse.net/boomerang/";if(window.BOOMR_API_key="GKZXC-NS3SU-A7VFH-HKBHM-U7LKH",function(){function e(){if(!o){var e=document.createElement("script");e.id="boomr-scr-as",e.src=window.BOOMR.url,e.async=!0,i.parentNode.appendChild(e),o=!0}}function t(e){o=!0;var n,t,a,r,d=document,O=window;if(window.BOOMR.snippetMethod=e?"if":"i",t=function(e,n){var t=d.createElement("script");t.id=n||"boomr-if-as",t.src=window.BOOMR.url,BOOMR_lstart=(new Date).getTime(),e=e||d.body,e.appendChild(t)},!window.addEventListener&&window.attachEvent&&navigator.userAgent.match(/MSIE [67]\./))return window.BOOMR.snippetMethod="s",void t(i.parentNode,"boomr-async");a=document.createElement("IFRAME"),a.src="about:blank",a.title="",a.role="presentation",a.loading="eager",r=(a.frameElement||a).style,r.width=0,r.height=0,r.border=0,r.display="none",i.parentNode.appendChild(a);try{O=a.contentWindow,d=O.document.open()}catch(_){n=document.domain,a.src="javascript:var d=document.open();d.domain='"+n+"';void(0);",O=a.contentWindow,d=O.document.open()}if(n)d._boomrl=function(){this.domain=n,t()},d.write("<bo"+"dy onload='document._boomrl();'>");else 
if(O._boomrl=function(){t()},O.addEventListener)O.addEventListener("load",O._boomrl,!1);else if(O.attachEvent)O.attachEvent("onload",O._boomrl);d.close()}function a(e){window.BOOMR_onload=e&&e.timeStamp||(new Date).getTime()}if(!window.BOOMR||!window.BOOMR.version&&!window.BOOMR.snippetExecuted){window.BOOMR=window.BOOMR||{},window.BOOMR.snippetStart=(new Date).getTime(),window.BOOMR.snippetExecuted=!0,window.BOOMR.snippetVersion=12,window.BOOMR.url=n+"GKZXC-NS3SU-A7VFH-HKBHM-U7LKH";var i=document.currentScript||document.getElementsByTagName("script")[0],o=!1,r=document.createElement("link");if(r.relList&&"function"==typeof r.relList.supports&&r.relList.supports("preload")&&"as"in r)window.BOOMR.snippetMethod="p",r.href=window.BOOMR.url,r.rel="preload",r.as="script",r.addEventListener("load",e),r.addEventListener("error",function(){t(!0)}),setTimeout(function(){if(!o)t(!0)},3e3),BOOMR_lstart=(new Date).getTime(),i.parentNode.appendChild(r);else t(!1);if(window.addEventListener)window.addEventListener("load",a,!1);else if(window.attachEvent)window.attachEvent("onload",a)}}(),"".length>0)if(e&&"performance"in e&&e.performance&&"function"==typeof e.performance.setResourceTimingBufferSize)e.performance.setResourceTimingBufferSize();!function(){if(BOOMR=e.BOOMR||{},BOOMR.plugins=BOOMR.plugins||{},!BOOMR.plugins.AK){var 
n=""=="true"?1:0,t="",a="bdpnbeqxgy4r2z5te6ha-f-8b20021cb-clientnsv4-s.akamaihd.net",i="false"=="true"?2:1,o={"ak.v":"39","ak.cp":"61004","ak.ai":parseInt("271834",10),"ak.ol":"0","ak.cr":3,"ak.ipv":4,"ak.proto":"http/1.1","ak.rid":"19db5ddf","ak.r":37669,"ak.a2":n,"ak.m":"dsca","ak.n":"essl","ak.bpcip":"8.222.208.0","ak.cport":53234,"ak.gh":"23.53.33.124","ak.quicv":"","ak.tlsv":"tls1.2","ak.0rtt":"","ak.0rtt.ed":"","ak.csrc":"-","ak.acc":"reno","ak.t":"1739794318","ak.ak":"hOBiQwZUYzCg5VSAfCLimQ==ZvtpX6kBH9ahG+vn6uUcxkwE0Xee0DI6YnodllHABBimh4M4zSOEGPMgi3MlEEGGRgRaA2Wi+EmhIDk5rskZsZGT90xDtPA5IbgDsD6qP0V8zl70v9nQ7hHIUs2R/iKS6enNKgyR5gkM9ja9URSeCi7w2kug/ssi7Vu0BY1bhNdkQ4AbHVURFlyxWHQ8Nef+BD0txYiqZ0Qy+aRuFbirODkFhGf8dYecC8hVWofozOE7OUzW2s7fmsZ87CqgBkdp7J/F+eHQxMbVcjs5ZIZItGxIAuGTheIyXGiIJFx02WfnyxWS/+5h1Zy9btCTxQbC36Y0+H0ioWNyIlnY/YpqMOPkTVnL3ghPZRyRVPa0n2Prxcv1mk5tD5Iarbq2k8yyiN7OCYH2cjtNtOjb9Q3jtZ87k/fYgYRD+3+kALNLynE=","ak.pv":"521","ak.dpoabenc":"","ak.tf":i};if(""!==t)o["ak.ruds"]=t;var r={i:!1,av:function(n){var t="http.initiator";if(n&&(!n[t]||"spa_hard"===n[t]))o["ak.feo"]=void 0!==e.aFeoApplied?1:0,BOOMR.addVar(o)},rv:function(){var e=["ak.bpcip","ak.cport","ak.cr","ak.csrc","ak.gh","ak.ipv","ak.m","ak.n","ak.ol","ak.proto","ak.quicv","ak.tlsv","ak.0rtt","ak.0rtt.ed","ak.r","ak.acc","ak.t","ak.tf"];BOOMR.removeVar(e)}};BOOMR.plugins.AK={akVars:o,akDNSPreFetchDomain:a,init:function(){if(!r.i){var e=BOOMR.subscribe;e("before_beacon",r.av,null,null),e("onbeacon",r.rv,null,null),r.i=!0}return this},is_complete:function(){return!0}}}}()}(window);</script></head> <body id="wcq" class=" fw-res cdc-eot cdc-eot-toc cdc-transform networking-solutions-island-of-content-event "> <div id="fw-skiplinks"> <ul class="container"> <li><a id="skiplink-content" href="#fw-content">Skip to content</a></li> <li><a id="skiplink-search" href="#">Skip to search</a></li> <li><a id="skiplink-footer" href="#fw-footer-v2" class="last">Skip to footer</a></li> </ul> </div> <script 
type="module" src="/site/web-components/us/en/cdc-header.js"></script> <cdc-header></cdc-header> <nav class="fw-c-header__seo-links" aria-hidden="true" style="display:none"> <ul> <li><a tabindex="-1" href="https://www.cisco.com/site/us/en/index.html">Cisco.com Worldwide</a></li> <li><a tabindex="-1" href="/c/en/us/products/index.html">Products and Services</a></li> <li><a tabindex="-1" href="https://www.cisco.com/site/us/en/solutions/index.html">Solutions</a></li> <li><a tabindex="-1" href="/c/en/us/support/index.html">Support</a></li> <li><a tabindex="-1" href="/c/en/us/training-events.html">Learn</a></li> <li><a tabindex="-1" href="//www.cisco.com/c/en/us/about/sitemap.html">Explore Cisco</a></li> <li><a tabindex="-1" href="/c/en/us/buy.html">How to Buy</a></li> <li><a tabindex="-1" href="https://www.cisco.com/site/us/en/partners/index.html?dtid=odicdc001129">Partners Home</a></li> <li><a tabindex="-1" href="https://www.cisco.com/site/us/en/partners/cisco-partner-program/index.html?ccid=cc000864&dtid=odiprc001129">Partner Program</a></li> <li><a tabindex="-1" href="https://www.cisco.com/site/us/en/partners/support-help/index.html">Support</a></li> <li><a tabindex="-1" href="https://www.cisco.com/site/us/en/partners/tools/index.html?dtid=odiprc001129">Tools</a></li> <li><a tabindex="-1" href="https://locatr.cloudapps.cisco.com/WWChannels/LOCATR/pf/index.jsp#/">Find a Cisco Partner</a></li> <li><a tabindex="-1" href="https://www.cisco.com/site/us/en/partners/connect-with-a-partner/index.html?ccid=cc000864&dtid=odiprc001129">Meet our Partners</a></li> <li><a tabindex="-1" href="https://www.cisco.com/site/us/en/partners/index.html?dtid=odicdc001129">Become a Cisco Partner</a></li> </ul> </nav> <div id="fw-content" class="container grid"> <div class="row full" data-owner="ID"> <div class="col full "> <nav id="fw-breadcrumb" class="data-based" aria-label="breadcrumbs" data-owner="ID"> <ul itemscope itemtype="//schema.org/BreadcrumbList"> <li aria-hidden="true"><a 
href='#' class="skip"><span></span></a></li> <li itemprop='itemListElement' itemscope itemtype='//schema.org/ListItem'><a itemprop='item' href='/c/en/us/solutions/index.html'><span itemprop='name'>Solutions</span><meta itemprop='position' content='1' /></a><span class='caret'></span></li> </ul> </nav> <script> /* Breadcrumb helpers. This script sits on a single line, so every comment in it is a block comment: a "//" line comment would swallow all of the code that follows it on the line. */ if (window.cdc === undefined) { window.cdc = {}; } /* cdc.breadcrumb keeps a deep clone of the #fw-breadcrumb nav. appendClone() inserts that clone as the first child of the first .dmc-mq marquee's ".frame .inset" when no #fw-breadcrumb is left in the document; it reads this.clone, so it must be invoked as a method of the returned object. */ if (cdc.breadcrumb === undefined) { cdc.breadcrumb = (function () { let clone = document.querySelector('#fw-breadcrumb').cloneNode(true); let appendClone = function () { let hasBreadcrumb = document.querySelector('#fw-breadcrumb') !== null, firstMarquee = document.querySelectorAll('.dmc-mq')[0]; if (!hasBreadcrumb && firstMarquee !== undefined) { firstMarquee.querySelector('.frame .inset').insertBefore(this.clone, firstMarquee.querySelector('.frame .inset').firstElementChild); } }; return { clone: clone, appendClone: appendClone } }()); } /* DE380224: for every <a itemprop="item"> whose resolved href still contains the percent-encoded placeholder "%3Clocale%3E", substitute "language/locale" for en + us and "language_locale" otherwise. Both values are read from this page's own meta[name="locale"] and meta[name="language"] content, not from the URL or from user input. The original "//DE380224" line comment is kept as a block comment so that the loop below is not commented out. */ var anchorChild = document.getElementsByTagName("a"); for(var i=0; i<anchorChild.length; i++){ if(anchorChild[i].getAttribute("itemprop")=="item") { if ( anchorChild[i].href.includes("%3Clocale%3E") ){ let anchorChildHREF = anchorChild[i].href; let docLocale = document.querySelector('meta[name="locale"]').getAttribute('content'); let docLanguage = document.querySelector('meta[name="language"]').getAttribute('content'); var docSeparator; if ((docLocale.toLowerCase() == "us") && (docLanguage.toLowerCase() == "en")) { docSeparator="/"; } else { docSeparator="_"; } let anchorURLReplace = docLanguage.toLowerCase() + docSeparator + docLocale.toLowerCase(); anchorChildHREF = anchorChildHREF.replace("%3Clocale%3E", anchorURLReplace); anchorChild[i].setAttribute('href', anchorChildHREF); } } } </script> <h1 id="fw-pagetitle" class="" data-owner="ID">Zero Trust: Network and Cloud Security Design Guide</h1> </div> </div> <!--googleon: index--><!--googleon: snippet--> <script type="text/javascript"> /* initialize dictionary for i18n (block comment on purpose: the pagelanguage assignment continues on this same line and must not be commented out) */ var pagelanguage = 
"en_us".replace("_","-"); var pagelocale = pagelanguage; Granite.I18n.setLocale(pagelocale.toLowerCase()); Granite.I18n.setUrlPrefix("/etc/designs/cdc/fw/w/responsive_components/eot/i18n/"); Granite.I18n.setUrlSuffix(".1.json"); cdc.util.ensureNamespace("cdc.rc"); cdc.rc.isEotToc = true; </script> <div class="row full blowout"> <div class="col full"> </div> </div> <div class="row full"> <div class="col full top docId"> <script> if (typeof(cdc) == "undefined") cdc={}; if (typeof(cdc.translations) == "undefined") cdc.translations={}; </script> <div class="docHeaderComponent base-blowout"> <div class="linksRow"> <div class="toolbar"> <div class="noprint" id="saveModule"> <script type="text/javascript"> cdc.util.ensureNamespace("cdc.rc.savedoc"); cdc.rc.savedoc.isLoggedIn = false; cdc.rc.savedoc.save = "Save"; cdc.rc.savedoc.saved = "Saved"; </script> <button class="save" aria-expanded="false" aria-label="Save"> <label>Save</label> </button> </div> <div class="saveDocumentMessage login cdc-expandPanel" role="region" aria-live="polite"> <a href="/c/login/index.html?referer=/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.html">Log in</a> to Save Content </div> <!-- Translation Selector --> <!-- The Translation Selector is used on EOT and Books pages. If a page has a locale of en_US, it provides a list of available translations; if it is a translated page (non-English locale), it provides the link to the English locale. 
--> <div class="noprint downloadDocument"><button type="button" class="view-download-list-link anchor" aria-expanded="false"><div class="toolbarIcon downloadIcon"></div><label class="iconLabel">Download</label></button></div> <div class="noprint printDocument js-only"><button type="button" class="anchor printPage" aria-label="Print"><div class="toolbarIcon printIcon"></div><label class="iconLabel">Print</label></button></div> </div> </div> <!-- Translation selector: the list of available languages for EOT pages is built here. The JavaScript requires the <ul id="translationsList"> </ul> element to be present. --> <script language="javascript"> /* Translation data for the selector. The map is stored as a plain string (not parsed here; presumably consumed by the translation-selector script) and the page locale is set next to it. Block comment on purpose: this script is on a single line, and the original "//" comment hid the cdc.translations.locale assignment. */ cdc.translations.map = "{en-us=https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.html, x-default=https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.html}";/* storing the map for use in the JS */ cdc.translations.locale="en_us"; </script> <div class="availableLanguagesList"> <h3>Available Languages</h3> <ul id="translationsList"> </ul> </div> <div id="download-list-container" class="noprint panelRow" role="region" aria-live="polite"> <div class='download-list' aria-label="Download Options"> <h3>Download Options</h3> <ul> <li> <div class="fileText"> <a href="/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.pdf" class="download-pdf"><div class="fileIcon pdfIcon"></div>PDF</a> <span class="docSize">(30.0 MB)</span> <br /> <span class="description">View with Adobe Reader on a variety of devices</span> </div> </li> </ul> </div> </div> <div class="infobarClearFix"> <div class="infobar"> <div class="updatedDate"><span>Updated:</span>March 9, 2023</div> </div> </div> </div> <script> /* On an EOT TOC page that contains a .DocumentHistory element, show the "see revisions" link and, for viewports of at least 768px, the bullet following the updated date; otherwise hide the bullet. The callback continues on the next line. */ jQuery(document).ready(function(){ if(jQuery("body").hasClass("cdc-eot-toc") && jQuery(".cdc-eot-toc").find(".DocumentHistory").length > 0){ jQuery(".cdc-eot-toc .seeRevisions").show(); if(jQuery(window).width() >= 768){ jQuery(".cdc-eot-toc 
.updatedDate").nextAll(".bullet").show(); } }else{ jQuery(".cdc-eot-toc .infobar .bullet").hide(); jQuery(".cdc-eot-toc .seeRevisions"); jQuery(".cdc-eot-toc .updatedDate"); } }) </script> <div class="disclaimers marketing"> <div class="disclaimerButtons"> <div class="aboutBias"> <button aria-expanded="false" >Bias-Free Language</button> </div> </div> <div class="biasfreeContent panel"> <h3>Bias-Free Language</h3> <p>The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. <a href="https://www.cisco.com/c/en/us/about/social-justice/inclusive-language-policy.html">Learn more</a> about how Cisco is using Inclusive Language.</p> </div> </div><!-- disclaimers --> <div id="luh-holder" class="dmc-inpage-nav noprint"> <link rel="stylesheet" href="/etc/designs/cdc/dmr/mbox/mbox.min.css" type="text/css"> <div class="dmc-mbox " data-version="DM:components/target/mbox:V1.5.1"> <div class="mboxDefault"> <link rel="stylesheet" href="/etc/designs/cdc/dmr/section/clientLib.min.css" type="text/css"> <section class="dmc-section" id="section-geo-luh" data-config-metrics-group="Section" data-config-metrics-title="section-geo-luh" data-version="DM:components/section/section-container:V1.1.1"> <link rel="stylesheet" href="/etc/designs/cdc/dmr/text/base-v2.min.css" type="text/css"> <link rel="stylesheet" href="/etc/designs/cdc/dmr/letushelp/clientLib-v2.min.css" type="text/css"> <link rel="stylesheet" href="/etc/designs/cdc/dmr/libs/base.min.css" type="text/css"> <script 
src="/etc/designs/cdc/dmr/libs/base.min.js"></script> <link rel="stylesheet" href="/etc/designs/cdc/dmr/icons/dm-font-icons.min.css" type="text/css"> <script src="/etc/designs/cdc/dmr/libs/a11y/a11y-menu.min.js" defer></script><script src="/etc/designs/cdc/dmr/letushelp/clientLib-v2.min.js" defer></script> <!-- DM:components/letushelp/letushelp-eot:V4.1.4 --> <div class="dm0 dmc-letushelp-eot floating compact thmd-1" data-config-metrics-group="sm_luh"> <button class="btn" alt="Contact Cisco" title="Contact Cisco" id="luhrr-menubutton" aria-controls="inner-menu" aria-haspopup="true"> <div class="btn-icn anm"> <span class="luh-icn"> <i class="dmi-audio-phone"></i> </span> <span class="luh-icn"> <i class="dmi-app-tools"></i> </span> <span class="luh-icn"> <i class="dmi-audio-headset"></i> </span> <span class="luh-icn"> <i class="dmi-app-chats"></i> </span> </div> <span class="pri-4 btn-txt">Contact Cisco</span> </button> <ul class="no-bullets" id="inner-menu" tabindex="-1" role="menu" aria-label="Contact Cisco"> <li class="hd"> <span class="pri-4 txt">Contact Cisco</span> <button class="cls" data-config-metrics-item="close : sm_luh"> <span class="luh-icn"> <i class="dmi-app-exit"></i> </span> </button> </li> <li class="c2c-no-margin"> <script> var cocoaBotTranslateObject={"Cisco_Proactive_Chat_Intro":"Welcome to Cisco!","Cisco_Chat_Now":"Chat with Sales","Cisco_Proactive_Chat_Content":"How can I help you?","Cisco_Proactive_Chat_Decline_Title":"Decline the chat invitation","Cisco_Proactive_Chat_Metrics_Group":"pop up chat","Cisco_Proactive_Chat_Decline":"No Thanks","Cisco_Proactive_Chat_Intro_Title":"Cisco:","Cisco_Proactive_Chat_Accept_Metrics_Item":"accept the chat invitation","Cisco_Proactive_Chat_Decline_Metrics_Item":"decline the chat invitation","Cisco_Proactive_Chat_Title":"Chat live with a Cisco representative","Cisco_Proactive_Chat_Accept_Title":"Accept the chat invitation","Cisco_Proactive_Chat_Accept":"Chat Now"}; </script> <script type="text/javascript" 
src="/c/dam/cdc/j/chatbot/chatbot.js"></script> <span class="luh-icn"> <i class="dmi-app-chats"></i> </span> <div class="ancr"> <div id="nhbtn" data-metrics-title="right rail" class="c2c-component"> </div> </div> </li> <li class="lnk1"> <span class="luh-icn"> <i class="dmi-audio-headset"></i> </span> <div class="ancr"> <a href="https://www.cisco.com/site/us/en/about/contact-cisco/index.html?linkclickid=luh-contactus">Get a call from Sales</a> </div> </li> <li class="luh-num"> <span class="luh-icn"> <i class="dmi-audio-phone"></i> </span> <div class="ancr"> Call Sales: <a href="tel:18005536387"> 1-800-553-6387 </a> <br> US/CAN | 5am-5pm PT </div> </li> <li class="lastlnk1"> <span class="luh-icn"> <i class="dmi-app-tools"></i> </span> <div class="ancr"> <a href="//www.cisco.com/c/en/us/support/index.html">Product / Technical Support</a> </div> </li> <li class="lastlnk2"> <span class="luh-icn"> <i class="dmi-status-certified"></i> </span> <div class="ancr"> <a href="https://www.cisco.com/site/us/en/learn/training-certifications/index.html">Training & Certification</a> </div> </li> </ul> </div> </section> </div> <script type="text/javascript"> // Use the additional parameters, if provided. 
mboxCreate('us_luhfloaty','type=default'); </script> </div> </div> </div> </div> <div class="row wide-narrow flip cdc-eot-toc-banner"> <div class="col wide"> <div class="defaultBrandImage"></div> <div data-version="DM:components/dgbanner/banner-mbox:V1.5.1"> <div class="mboxDefault"></div> <script type="text/javascript"> var test=""; if(test!=undefined && test.trim().length>0){ mboxCreate('en-us_dg_large_eot','type=default',''); }else{ mboxCreate('en-us_dg_large_eot','type=default'); } </script> </div> <script src="/etc/designs/cdc/dmr/libs/u.min.js"></script> <script src="/etc/designs/cdc/dmr/libs/nmsp.min.js"></script> <script src="/etc/designs/cdc/dmr/libs/log.min.js"></script> <script src="/etc/designs/cdc/dmr/libs/metrics.min.js"></script> <!-- DM:components/html/htmlblob:V1.2.6 --> <style> /*First Level Bullet*/ .cdc-eot-toc #eot-doc-wrapper p.pBulletCMT{ text-indent: -16px !important; } .cdc-eot-toc #eot-doc-wrapper p.pBullet2CMT { text-indent: -29px !important; } .CellBullet2{ padding-left:15px; margin-top: -5pt; !important; } #eot-doc-wrapper img{ height: 100%; } thead tr{ border: 1px solid white; text-align: block; } thead td{ border: 1px solid white !important; text-align: center !important; } tbody tr{ border: 1px solid lightgrey; } tbody td{ border: 1px solid lightgrey !important; background-color: #ffffff; } td *{ vertical-align: middle !important; text-align: block !important; } tr *{ vertical-align: middle !important; text-align: block !important; } #eot-doc-wrapper p.pToC_Subhead1 a{ font-size: 24px !important; font-weight: bold !important; } .cdc-eot-toc #eot-doc-wrapper .pBody { text-align: justify; } #eot-doc-wrapper p.pToC_Subhead1 a{ font-size: 22px !important; font-weight: bold!important; } #eot-doc-wrapper p.pToC_Subhead2 a{ font-size: 22px !important; font-weight: bold !important; } p.pToC_Subhead2 { font-size: 22px !important; font-weight: bold !important; } #eot-doc-wrapper p.pToC_Subhead1 { font-size: 22px !important; font-weight: 
bold!important; } .cdc-eot-toc #eot-doc-wrapper p.pSubhead2CMT a{ font-size: 22px !important; font-weight: bold!important; } .cdc-eot-toc #eot-doc-wrapper p.pSubhead2CMT { font-size: 22px !important; font-weight: bold!important; } </style> <div id="overDocWrapper" class="doctool noprint"> <script type="text/javascript"> /* Document-tool setup. Once the DOM is ready, the fat footer inside #fw-content is marked noprint. Then the cdc.rac namespace is guarded and, if a getOverrideConfig hook already exists, it is called with ratingsOnly=false. NOTE(review): when the hook is undefined it is assigned an empty object rather than a function, so any later cdc.rac.getOverrideConfig(...) call would fail; confirm this is intended. All comments here are block comments because the script is on one line: the original "//var configData" line comment would have commented out the rest of the script and left the else block unterminated. */ $( document ).ready(function() { var fwt_element = $("#fw-content").find(".fwt-fatfooter"); fwt_element.addClass("noprint"); }); if (window.cdc === undefined) { window.cdc = {}; } if (cdc.rac === undefined) { cdc.rac = {}; } if (cdc.rac.getOverrideConfig === undefined) { cdc.rac.getOverrideConfig = {}; } else { /* var configData = { "ratingsOnly": false, "objId":31, "source":"dummy source" }; */ var configData = { "ratingsOnly": false}; cdc.rac.getOverrideConfig(configData); } </script> <script> /* Guard the cdc and cdc.translations namespaces used by the translation selector below. */ if (typeof(cdc) == "undefined") cdc={}; if (typeof(cdc.translations) == "undefined") cdc.translations={}; </script> <div class="docHeaderComponent base-blowout"> <div class="linksRow"> <div class="toolbar"> <div class="noprint" id="saveModule"> <script type="text/javascript"> /* State and labels for the Save button; this page renders with the user logged out. */ cdc.util.ensureNamespace("cdc.rc.savedoc"); cdc.rc.savedoc.isLoggedIn = false; cdc.rc.savedoc.save = "Save"; cdc.rc.savedoc.saved = "Saved"; </script> <button class="save" aria-expanded="false" aria-label="Save"> <label>Save</label> </button> </div> <div class="saveDocumentMessage login cdc-expandPanel" role="region" aria-live="polite"> <a href="/c/login/index.html?referer=/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.html">Log in</a> to Save Content </div> <!-- Translation Selector --> <!-- The Translation Selector is used on EOT and Books pages. If a page has a locale of en_US, it provides a list of available translations; if it is a translated page (non-English locale), it provides the link to the English locale. 
--> <div class="noprint downloadDocument"><button type="button" class="view-download-list-link anchor" aria-expanded="false"><div class="toolbarIcon downloadIcon"></div><label class="iconLabel">Download</label></button></div> <div class="noprint printDocument js-only"><button type="button" class="anchor printPage" aria-label="Print"><div class="toolbarIcon printIcon"></div><label class="iconLabel">Print</label></button></div> </div> </div> <!-- Translation selector: the list of available languages for EOT pages is built here. The JavaScript requires the <ul id="translationsList"> </ul> element to be present. --> <script language="javascript"> /* Translation data for the selector. The map is stored as a plain string (not parsed here; presumably consumed by the translation-selector script) and the page locale is set next to it. Block comment on purpose: this script is on a single line, and the original "//" comment hid the cdc.translations.locale assignment. */ cdc.translations.map = "{en-us=https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.html, x-default=https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.html}";/* storing the map for use in the JS */ cdc.translations.locale="en_us"; </script> <div class="availableLanguagesList"> <h3>Available Languages</h3> <ul id="translationsList"> </ul> </div> <div id="download-list-container" class="noprint panelRow" role="region" aria-live="polite"> <div class='download-list' aria-label="Download Options"> <h3>Download Options</h3> <ul> <li> <div class="fileText"> <a href="/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.pdf" class="download-pdf"><div class="fileIcon pdfIcon"></div>PDF</a> <span class="docSize">(30.0 MB)</span> <br /> <span class="description">View with Adobe Reader on a variety of devices</span> </div> </li> </ul> </div> </div> <div class="infobarClearFix"> <div class="infobar"> <div class="updatedDate"><span>Updated:</span>March 9, 2023</div> </div> </div> </div> <script> /* On an EOT TOC page that contains a .DocumentHistory element, show the "see revisions" link and, for viewports of at least 768px, the bullet following the updated date; otherwise hide the bullet. The callback continues on the next line. */ jQuery(document).ready(function(){ if(jQuery("body").hasClass("cdc-eot-toc") && jQuery(".cdc-eot-toc").find(".DocumentHistory").length > 0){ jQuery(".cdc-eot-toc .seeRevisions").show(); if(jQuery(window).width() >= 768){ jQuery(".cdc-eot-toc 
.updatedDate").nextAll(".bullet").show(); } }else{ jQuery(".cdc-eot-toc .infobar .bullet").hide(); jQuery(".cdc-eot-toc .seeRevisions"); jQuery(".cdc-eot-toc .updatedDate"); } }) </script> </div> </div> <div class="col narrow sticky noprint"> <span id="tocTop"></span> <section id="eotTocNav"> <div id="navWrapper"> </div> <div id="tocSearch"></div> <div id="eotListWrapper" data-config-metrics-group="Table of Contents"> <script type="text/javascript"> cdc.util.ensureNamespace("cdc.rc"); cdc.rc.toctitle = "Table of Contents"; </script> <h4 id="eotTocToc">Table of Contents</h4> <ul> <li><a class="head1" href="#Introduction" title="Introduction">Introduction</a></li> <li><a class="head1" href="#Scope" title="Scope">Scope</a> <ul> <li><a class="head2" href="#ZeroTrustCompanionDocuments" title="ZeroTrustCompanionDocuments">Zero Trust Companion Documents</a></li> <li><a class="head2" href="#ZeroTrustSecurityFrameworkMap" title="ZeroTrustSecurityFrameworkMap">Zero Trust Security Framework Map</a></li></ul> <li><a class="head1" href="#SolutionOverview" title="SolutionOverview">Solution Overview</a> <ul> <li><a class="head2" href="#EstablishTrust" title="EstablishTrust">Establish Trust</a></li> <li><a class="head2" href="#EnforceTrustBasedAccess" title="EnforceTrustBasedAccess">Enforce Trust-Based Access</a></li> <li><a class="head2" href="#ContinuouslyVerifyTrust" title="ContinuouslyVerifyTrust">Continuously Verify Trust</a></li> <li><a class="head2" href="#RespondtoChangeinTrust" title="RespondtoChangeinTrust">Respond to Change in Trust</a></li></ul> <li><a class="head1" href="#ZeroTrustNetworkandCloudSecurityBusinessFlows" title="ZeroTrustNetworkandCloudSecurityBusinessFlows">Zero Trust: Network and Cloud Security Business Flows</a></li> <li><a class="head1" href="#ProductOverview" title="ProductOverview">Product Overview</a> <ul> <li><a class="head2" href="#CiscoCatalyst9000Series" title="CiscoCatalyst9000Series">Cisco Catalyst 9000 Series</a> <ul> <li><a class="head3" 
href="#8021X" title="8021X">802.1X</a></li> <li><a class="head3" href="#Netflow" title="Netflow">Netflow</a></li> <li><a class="head3" href="#SXP" title="SXP">SXP</a></li> <li><a class="head3" href="#TrustSec" title="TrustSec">TrustSec</a></li></ul> <li><a class="head2" href="#CiscoISE" title="CiscoISE">Cisco ISE</a> <ul> <li><a class="head3" href="#8021XAuthenticationandAuthorization" title="8021XAuthenticationandAuthorization">802.1X Authentication and Authorization</a></li> <li><a class="head3" href="#ActiveDirectoryIntegrationwithPassiveID" title="ActiveDirectoryIntegrationwithPassiveID">Active Directory Integration with PassiveID</a></li> <li><a class="head3" href="#ChangeofAuthorizationCoA" title="ChangeofAuthorizationCoA">Change of Authorization (CoA)</a></li> <li><a class="head3" href="#pxGrid" title="pxGrid">pxGrid</a></li> <li><a class="head3" href="#TrustSec" title="TrustSec">TrustSec</a></li></ul> <li><a class="head2" href="#CiscoSecureFirewall" title="CiscoSecureFirewall">Cisco Secure Firewall</a> <ul> <li><a class="head3" href="#ApplicationVisibilityandControl" title="ApplicationVisibilityandControl">Application Visibility and Control</a></li> <li><a class="head3" href="#DynamicSGT" title="DynamicSGT">Dynamic SGT</a></li> <li><a class="head3" href="#IntrusionPrevention" title="IntrusionPrevention">Intrusion Prevention</a></li> <li><a class="head3" href="#Netflow" title="Netflow">Netflow</a></li> <li><a class="head3" href="#NetworkAntiMalware" title="NetworkAntiMalware">Network Anti-Malware</a></li> <li><a class="head3" href="#pxGrid" title="pxGrid">pxGrid</a></li> <li><a class="head3" href="#SXP" title="SXP">SXP</a></li> <li><a class="head3" href="#URLControl" title="URLControl">URL Control</a></li></ul> <li><a class="head2" href="#CiscoSecureNetworkAnalytics" title="CiscoSecureNetworkAnalytics">Cisco Secure Network Analytics</a> <ul> <li><a class="head3" href="#AdaptiveNetworkControlANC" title="AdaptiveNetworkControlANC">Adaptive Network Control 
(ANC)</a></li> <li><a class="head3" href="#pxGrid" title="pxGrid">pxGrid</a></li></ul> <li><a class="head2" href="#CiscoTelemetryBrokerCTB" title="CiscoTelemetryBrokerCTB">Cisco Telemetry Broker (CTB)</a> <ul> <li><a class="head3" href="#Netflow" title="Netflow">Netflow</a></li></ul> </li></ul> <li><a class="head1" href="#ZeroTrustDesign" title="ZeroTrustDesign">Zero Trust Design</a> <ul> <li><a class="head2" href="#BranchEmployeeTrustedDevice" title="BranchEmployeeTrustedDevice">Branch – Employee, Trusted Device</a> <ul> <li><a class="head3" href="#PrivateApplicationPrivateDC" title="PrivateApplicationPrivateDC">Private Application (Private DC)</a></li></ul> <li><a class="head2" href="#BranchContractorUntrustedDevice" title="BranchContractorUntrustedDevice">Branch – Contractor, Untrusted Device</a> <ul> <li><a class="head3" href="#PrivateApplicationPrivateDC" title="PrivateApplicationPrivateDC">Private Application (Private DC)</a></li></ul> <li><a class="head2" href="#BranchGuestUser" title="BranchGuestUser">Branch – Guest User</a> <ul> <li><a class="head3" href="#Internet" title="Internet">Internet</a></li></ul> </li></ul> <li><a class="head1" href="#AdditionalGuidesandResources" title="AdditionalGuidesandResources">Additional Guides and Resources</a> <ul> <li><a class="head2" href="#PortsandProtocols" title="PortsandProtocols">Ports and Protocols</a></li> <li><a class="head2" href="#GuestWirelessConfiguration" title="GuestWirelessConfiguration">Guest Wireless Configuration</a></li></ul> <li><a class="head1" href="#OverviewofIntegrations" title="OverviewofIntegrations">Overview of Integrations</a></li> <li><a class="head1" href="#ZeroTrustNetworkandCloudSecurityDeployment" title="ZeroTrustNetworkandCloudSecurityDeployment">Zero Trust: Network and Cloud Security Deployment</a> <ul> <li><a class="head2" href="#IntegrateISEwithActiveDirectory" title="IntegrateISEwithActiveDirectory">Integrate ISE with Active Directory</a> <ul> <li><a class="head3" 
href="#ISEandADPrerequisites" title="ISEandADPrerequisites">ISE and AD: Prerequisites</a></li> <li><a class="head3" href="#ISEJointheADDomain" title="ISEJointheADDomain">ISE: Join the AD Domain</a></li> <li><a class="head3" href="#ISEImportActiveDirectoryGroups" title="ISEImportActiveDirectoryGroups">ISE: Import Active Directory Groups</a></li></ul> <li><a class="head2" href="#ConfigurePassiveID" title="ConfigurePassiveID">Configure PassiveID</a> <ul> <li><a class="head3" href="#ISEEnablePassiveIdentityandpxGridServicesonthePolicyServerPSN" title="ISEEnablePassiveIdentityandpxGridServicesonthePolicyServerPSN">ISE: Enable Passive Identity and pxGrid Services on the Policy Server (PSN)</a></li> <li><a class="head3" href="#ISEAddDomainControllers" title="ISEAddDomainControllers">ISE: Add Domain Controllers</a></li> <li><a class="head3" href="#ISEConfigureMicrosoftRemoteProcedureCallMSRPCforPassiveID" title="ISEConfigureMicrosoftRemoteProcedureCallMSRPCforPassiveID">ISE: Configure Microsoft Remote Procedure Call (MSRPC) for PassiveID</a></li> <li><a class="head3" href="#ISEMapDomainControllerswithMSRPCAgents" title="ISEMapDomainControllerswithMSRPCAgents">ISE: Map Domain Controllers with MSRPC Agents</a></li> <li><a class="head3" href="#ISEValidatethePassiveIDDeployment" title="ISEValidatethePassiveIDDeployment">ISE: Validate the PassiveID Deployment</a></li></ul> <li><a class="head2" href="#pxGridConfigurationandIntegration" title="pxGridConfigurationandIntegration">pxGrid Configuration and Integration</a> <ul> <li><a class="head3" href="#ISEVerifypxGridisEnabled" title="ISEVerifypxGridisEnabled">ISE: Verify pxGrid is Enabled</a></li> <li><a class="head3" href="#ISEConfigureSubscriberSettings" title="ISEConfigureSubscriberSettings">ISE: Configure Subscriber Settings</a></li> <li><a class="head3" href="#CertificateRequirementsforpxGridSubscribers" title="CertificateRequirementsforpxGridSubscribers">Certificate Requirements for pxGrid Subscribers</a></li> <li><a 
class="head3" href="#ISEIdentifythePrimaryMonitoringMnTNode" title="ISEIdentifythePrimaryMonitoringMnTNode">ISE: Identify the Primary Monitoring (MnT) Node</a></li> <li><a class="head3" href="#ISEReviewCertificateDetails" title="ISEReviewCertificateDetails">ISE: Review Certificate Details</a></li> <li><a class="head3" href="#pxGridClientCertificateMethodology" title="pxGridClientCertificateMethodology">pxGrid Client Certificate Methodology</a></li> <li><a class="head3" href="#ISEModifytheISEpxGridCertificateTemplate" title="ISEModifytheISEpxGridCertificateTemplate">ISE: Modify the ISE pxGrid Certificate Template</a></li> <li><a class="head3" href="#ISEGeneratepxGridClientCertificateforSecureFirewall" title="ISEGeneratepxGridClientCertificateforSecureFirewall">ISE: Generate pxGrid Client Certificate for Secure Firewall</a></li> <li><a class="head3" href="#SecureFirewallInstallpxGridClientCertificate" title="SecureFirewallInstallpxGridClientCertificate">Secure Firewall: Install pxGrid Client Certificate</a></li> <li><a class="head3" href="#ISEImportSecureFirewallpxGridClientCertificateCA" title="ISEImportSecureFirewallpxGridClientCertificateCA">ISE: Import Secure Firewall pxGrid Client Certificate CA</a></li> <li><a class="head3" href="#SecureFirewallAddtheRootCertificatefortheISEMnTServerandpxGridCertstotheFMCTrustStore" title="SecureFirewallAddtheRootCertificatefortheISEMnTServerandpxGridCertstotheFMCTrustStore">Secure Firewall: Add the Root Certificate for the ISE MnT Server and pxGrid Certs to the FMC Trust Store</a></li> <li><a class="head3" href="#SecureFirewallConfigureISEasanIdentitySource" title="SecureFirewallConfigureISEasanIdentitySource">Secure Firewall: Configure ISE as an Identity Source</a></li> <li><a class="head3" href="#SecureFirewallVerifyISESubscriberData" title="SecureFirewallVerifyISESubscriberData">Secure Firewall: Verify ISE Subscriber Data</a></li> <li><a class="head3" href="#SecureNetworkAnalyticsConfigurepxGridIntegration" 
title="SecureNetworkAnalyticsConfigurepxGridIntegration">Secure Network Analytics: Configure pxGrid Integration</a></li> <li><a class="head3" href="#ActiveDirectoryandSecureAnalyticsExportCARootCertificate" title="ActiveDirectoryandSecureAnalyticsExportCARootCertificate">Active Directory and Secure Analytics: Export CA Root Certificate</a></li> <li><a class="head3" href="#SecureAnalyticsImportRootCACertificateintotheTrustStore" title="SecureAnalyticsImportRootCACertificateintotheTrustStore">Secure Analytics: Import Root CA Certificate into the Trust Store</a></li> <li><a class="head3" href="#SecureAnalyticsandActiveDirectoryGenerateandSignapxGridClientCertificate" title="SecureAnalyticsandActiveDirectoryGenerateandSignapxGridClientCertificate">Secure Analytics and Active Directory: Generate and Sign a pxGrid Client Certificate</a></li> <li><a class="head3" href="#SecureAnalyticsandISEConfigurepxGridandANC" title="SecureAnalyticsandISEConfigurepxGridandANC">Secure Analytics and ISE: Configure pxGrid and ANC</a></li></ul> <li><a class="head2" href="#AdaptiveNetworkControlConfiguration" title="AdaptiveNetworkControlConfiguration">Adaptive Network Control Configuration</a> <ul> <li><a class="head3" href="#ISEAddSecureAnalyticstoAdaptiveNetworkControlANCClientGroup" title="ISEAddSecureAnalyticstoAdaptiveNetworkControlANCClientGroup">ISE: Add Secure Analytics to Adaptive Network Control (ANC) Client Group</a></li> <li><a class="head3" href="#ISEConfigureANCPolicyList" title="ISEConfigureANCPolicyList">ISE: Configure ANC Policy List</a></li> <li><a class="head3" href="#ISEAddANCPolicytoISEAuthorizationPolicy" title="ISEAddANCPolicytoISEAuthorizationPolicy">ISE: Add ANC Policy to ISE Authorization Policy</a></li></ul> <li><a class="head2" href="#ConfigureNetflow" title="ConfigureNetflow">Configure Netflow</a> <ul> <li><a class="head3" href="#SwitchConfigureNetflow" title="SwitchConfigureNetflow">Switch: Configure Netflow</a></li> <li><a class="head3" 
href="#SecureFirewallConfigureNetflow" title="SecureFirewallConfigureNetflow">Secure Firewall: Configure Netflow</a></li> <li><a class="head3" href="#CTBManagerVerifyNetflowSources" title="CTBManagerVerifyNetflowSources">CTB Manager: Verify Netflow Sources</a></li> <li><a class="head3" href="#CTBManagerConfigureNetflowDestinations" title="CTBManagerConfigureNetflowDestinations">CTB Manager: Configure Netflow Destinations</a></li> <li><a class="head3" href="#SecureAnalyticsValidateFlowData" title="SecureAnalyticsValidateFlowData">Secure Analytics: Validate Flow Data</a></li></ul> <li><a class="head2" href="#ConfigureTrustSec" title="ConfigureTrustSec">Configure TrustSec</a> <ul> <li><a class="head3" href="#ISEAddSwitchesasNetworkDevices" title="ISEAddSwitchesasNetworkDevices">ISE: Add Switches as Network Devices</a></li> <li><a class="head3" href="#ISEAssignTrustSecSwitchestoTrustSecSecurityGroup" title="ISEAssignTrustSecSwitchestoTrustSecSecurityGroup">ISE: Assign TrustSec Switches to TrustSec Security Group</a></li> <li><a class="head3" href="#ISEDisableProtectedAccessCredentialPACOptional" title="ISEDisableProtectedAccessCredentialPACOptional">ISE: Disable Protected Access Credential (PAC) (Optional)</a></li> <li><a class="head3" href="#SwitchConfigureAAA" title="SwitchConfigureAAA">Switch: Configure AAA</a></li> <li><a class="head3" href="#SwitchConfigureLocalAuthenticationOptional" title="SwitchConfigureLocalAuthenticationOptional">Switch: Configure Local Authentication (Optional)</a></li> <li><a class="head3" href="#SwitchEnableTrustSec" title="SwitchEnableTrustSec">Switch: Enable TrustSec</a></li> <li><a class="head3" href="#SwitchandISEVerifyingSuccessfulTrustSecConnection" title="SwitchandISEVerifyingSuccessfulTrustSecConnection">Switch and ISE: Verifying Successful TrustSec Connection</a></li></ul> <li><a class="head2" href="#ConfigureSXP" title="ConfigureSXP">Configure SXP</a> <ul> <li><a class="head3" href="#ISEConfirmSXPServiceisEnabled" 
title="ISEConfirmSXPServiceisEnabled">ISE: Confirm SXP Service is Enabled</a></li> <li><a class="head3" href="#ISEConfigureSXPSettings" title="ISEConfigureSXPSettings">ISE: Configure SXP Settings</a></li> <li><a class="head3" href="#ISECreateSXPDomains" title="ISECreateSXPDomains">ISE: Create SXP Domains</a></li> <li><a class="head3" href="#ISEConfigureSXPDevices" title="ISEConfigureSXPDevices">ISE: Configure SXP Devices</a></li> <li><a class="head3" href="#SwitchConfigureSXP" title="SwitchConfigureSXP">Switch: Configure SXP</a></li> <li><a class="head3" href="#FirewallConfirmSXPConfiguration" title="FirewallConfirmSXPConfiguration">Firewall: Confirm SXP Configuration</a></li></ul> <li><a class="head2" href="#Configure8021X" title="Configure8021X">Configure 802.1X</a> <ul> <li><a class="head3" href="#SwitchConfigure8021X" title="SwitchConfigure8021X">Switch: Configure 802.1X</a></li></ul> <li><a class="head2" href="#ConfigureISESecurityGroupsandStaticMapping" title="ConfigureISESecurityGroupsandStaticMapping">Configure ISE Security Groups and Static Mapping</a> <ul> <li><a class="head3" href="#ISEConfigureSecurityGroups" title="ISEConfigureSecurityGroups">ISE: Configure Security Groups</a></li> <li><a class="head3" href="#SwitchValidation" title="SwitchValidation">Switch: Validation</a></li> <li><a class="head3" href="#ISEConfigureSecurityGroupStaticMapping" title="ISEConfigureSecurityGroupStaticMapping">ISE: Configure Security Group Static Mapping</a></li></ul> <li><a class="head2" href="#ConfigureTrustSecSGACLs" title="ConfigureTrustSecSGACLs">Configure TrustSec SGACLs</a> <ul> <li><a class="head3" href="#SwitchConfigureCTSRoleBasedEnforcement" title="SwitchConfigureCTSRoleBasedEnforcement">Switch: Configure CTS Role-Based Enforcement</a></li> <li><a class="head3" href="#ISEConfigureSecurityGroupACLs" title="ISEConfigureSecurityGroupACLs">ISE: Configure Security Group ACLs</a></li> <li><a class="head3" href="#ISEConfigureTrustSecMatrix" 
title="ISEConfigureTrustSecMatrix">ISE: Configure TrustSec Matrix</a></li></ul> <li><a class="head2" href="#ISEAuthenticationandAuthorizationPolicyPreparation" title="ISEAuthenticationandAuthorizationPolicyPreparation">ISE Authentication and Authorization Policy Preparation</a> <ul> <li><a class="head3" href="#ISEConfigureEAPCertificate" title="ISEConfigureEAPCertificate">ISE: Configure EAP Certificate</a></li> <li><a class="head3" href="#ISEConfigureEAPChainingSettings" title="ISEConfigureEAPChainingSettings">ISE: Configure EAP Chaining Settings</a></li> <li><a class="head3" href="#ISEVerifyCertificateAuthenticationProfileSettings" title="ISEVerifyCertificateAuthenticationProfileSettings">ISE: Verify Certificate Authentication Profile Settings</a></li> <li><a class="head3" href="#WindowsConfirmMachineAuthCertificateDetails" title="WindowsConfirmMachineAuthCertificateDetails">Windows: Confirm Machine Auth Certificate Details</a></li> <li><a class="head3" href="#ISEConfigureTrustedCertificatesforClientAuthentication" title="ISEConfigureTrustedCertificatesforClientAuthentication">ISE: Configure Trusted Certificates for Client Authentication</a></li> <li><a class="head3" href="#ISEConfirmMachineAuthenticationisEnabled" title="ISEConfirmMachineAuthenticationisEnabled">ISE: Confirm Machine Authentication is Enabled</a></li></ul> <li><a class="head2" href="#ConfigureISEPolicySets" title="ConfigureISEPolicySets">Configure ISE Policy Sets</a> <ul> <li><a class="head3" href="#ISECreateNewPolicy" title="ISECreateNewPolicy">ISE: Create New Policy</a></li> <li><a class="head3" href="#ISECreateAuthenticationPolicyRules" title="ISECreateAuthenticationPolicyRules">ISE: Create Authentication Policy Rules</a></li> <li><a class="head3" href="#ISECreateAuthorizationPolicyRules" title="ISECreateAuthorizationPolicyRules">ISE: Create Authorization Policy Rules</a></li> <li><a class="head3" href="#ISEEnableGuestWirelessRules" title="ISEEnableGuestWirelessRules">ISE: Enable Guest Wireless 
Rules</a></li></ul> <li><a class="head2" href="#SecureFirewallAccessControlwithDynamicSGT" title="SecureFirewallAccessControlwithDynamicSGT">Secure Firewall Access Control with Dynamic SGT</a> <ul> <li><a class="head3" href="#SecureFirewallCreateAccessControlPolicy" title="SecureFirewallCreateAccessControlPolicy">Secure Firewall: Create Access Control Policy</a></li> <li><a class="head3" href="#SecureFirewallRuleCreationWalkthrough" title="SecureFirewallRuleCreationWalkthrough">Secure Firewall: Rule Creation Walkthrough</a></li> <li><a class="head3" href="#SecureFirewallCompleteAccessControlPolicyRuleCreation" title="SecureFirewallCompleteAccessControlPolicyRuleCreation">Secure Firewall: Complete Access Control Policy Rule Creation</a></li></ul> </li></ul> <li><a class="head1" href="#ValidationTests" title="ValidationTests">Validation Tests</a> <ul> <li><a class="head2" href="#ISEValidateMachineandUser8021XAuthenticationandAuthorization" title="ISEValidateMachineandUser8021XAuthenticationandAuthorization">ISE: Validate Machine and User 802.1X Authentication and Authorization</a> <ul> <li><a class="head3" href="#MachineAuthenticationandAuthorization" title="MachineAuthenticationandAuthorization">Machine Authentication and Authorization</a></li> <li><a class="head3" href="#MachineUserAuthenticationandAuthorization" title="MachineUserAuthenticationandAuthorization">Machine + User Authentication and Authorization</a></li></ul> <li><a class="head2" href="#SecureFirewallValidateAccessControlwithSGTs" title="SecureFirewallValidateAccessControlwithSGTs">Secure Firewall: Validate Access Control with SGTs</a></li> <li><a class="head2" href="#ISEandSecureAnalyticsValidateUserQuarantine" title="ISEandSecureAnalyticsValidateUserQuarantine">ISE and Secure Analytics: Validate User Quarantine</a></li></ul> <li><a class="head1" href="#Appendix" title="Appendix">Appendix</a> <ul> <li><a class="head2" href="#AppendixAAcronymsDefined" title="AppendixAAcronymsDefined">Appendix A – 
Acronyms Defined</a></li> <li><a class="head2" href="#AppendixBSoftwareVersions" title="AppendixBSoftwareVersions">Appendix B – Software Versions</a></li> <li><a class="head2" href="#AppendixCSecureMalwareAnalyticsIntegration" title="AppendixCSecureMalwareAnalyticsIntegration">Appendix C – Secure Malware Analytics Integration</a> <ul> <li><a class="head3" href="#CreateaFilePolicy" title="CreateaFilePolicy">Create a File Policy</a></li> <li><a class="head3" href="#AssociateFMCtoSecureMalwareAnalyticsCloud" title="AssociateFMCtoSecureMalwareAnalyticsCloud">Associate FMC to Secure Malware Analytics Cloud</a></li></ul> <li><a class="head2" href="#AppendixDReferences" title="AppendixDReferences">Appendix D – References</a></li> <li><a class="head2" href="#AppendixEFeedback" title="AppendixEFeedback">Appendix E - Feedback</a></ul> </div> <!--<div id="eotTocSearch"></div> <div id="eotTocToc"></div> --> <script type="text/javascript"> cdc.util.ensureNamespace("cdc.rc.innerSearch"); cdc.rc.innerSearch.hintText = "Search"; cdc.util.ensureNamespace("cdc.rc.tableOfContents"); cdc.rc.tableOfContents.label = "Table of Contents"; </script> </section> </div> </div> <div class="row narrow-wide"> <!--style below is added to fix DE297691:TOC Headings are not clickable in Firefox/Edge Browsers --> <div class="col narrow noprint" style="position: relative;z-index: -1;"> </div> <div class="col wide document"> <div id="eot-doc-wrapper"> <html> <head> </head> <body> <code><script type="text/javascript"></script> <link rel="stylesheet" href="wemdcmt.css"/> <link rel="stylesheet" href="/etc/designs/cdc/transformation/wemdcmt.css"/></code> <div
class="WordSection1"> <p class="pBody"> </p> <p class="pToC_Subhead1" style="page-break-before:always"><a name="_Toc128645162"></a><a name="_Toc125461614">Introduction</a></p> <p class="pBody">The security industry is currently blessed with an abundance of Zero Trust frameworks and guidance. This guide seeks to contribute to the conversation by outlining a framework of capabilities that are necessary for the implementation of Zero Trust in any network, and then providing specific design and configuration examples for achieving a strong Zero Trust posture. The Zero Trust framework used throughout this guide is built on the four Key Zero Trust Strengths shown below.</p> <p class="pBody"><img width="1045" height="437" id="Picture 309628630" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_0.jpg" alt="Cisco Zero Trust Framework: the four Key Zero Trust Strengths"/></p> <div class=" pDefault"> <span style="font-family:'Times New Roman',serif">Figure 1. <span style="font:7.0pt 'Times New Roman'"> </span></span>Cisco Zero Trust Framework </div> <p class="pBody">These four strengths can be mapped to broad general controls. To start, we can Establish Trust by having strong device posture and effective user authentication. We can Enforce Trust-Based Access by utilizing Role Based Access Control (RBAC) to provide Least Privilege access to users, machines, and applications. We can Continuously Verify Trust by having end-to-end network visibility and monitoring of each connection across the network, and by persistently validating the posture of connected endpoints.
We can Respond to Change in Trust by building the capability to restrict or revoke access for any network-connected user or device based on malicious activity or degradation in trust.</p> <p class="pBody">The broad capabilities in the last paragraph are a scale, just like Zero Trust is a scale—we don’t have an on/off switch for something like RBAC, but rather a layered approach that can bring us closer to the ideal that is Zero Trust. An entry-level RBAC solution could entail assigning all end users to specific Active Directory (AD) groups that cover their roles and access needs in accordance with a Least Privilege philosophy. The capabilities to achieve this entry-level RBAC solution could include requiring AD login to access the network, and then restricting access at platform or application login based on the AD group of the user. A stronger solution could validate user identity and machine posture upon login and then utilize TrustSec and Dynamic Security Group Tags (SGTs) to enforce least privilege at the network level, restricting user and group connectivity to only the IPs, applications, URLs, and ports necessary. Adding network access control to an RBAC solution brings several benefits that move us closer to that Zero Trust ideal: we restrict the connectivity of any potential insider threats or compromised users, limiting their ability to scan, footprint, fingerprint, or otherwise perform reconnaissance against the network; we limit the exposure of internal systems that could have known or unknown security vulnerabilities that allow unauthenticated access; we reduce the risk of an unauthorized user accessing a system with compromised break-glass (static admin credentials used for emergency access) or other local credentials.
These capabilities don’t lessen the need for strong patch management or secure storage of break-glass accounts, but they do remove implicit trust that can be abused and bring us closer to Zero Trust.</p> <p class="pBody">In the Solution Overview section of this guide, we’ll utilize the four Key Zero Trust Strengths to review scenarios like the RBAC example in the last paragraph. We’ll establish what a strong security baseline should be for each Key Strength and specify the platforms and capabilities necessary to bring each Key Strength closer to a Zero Trust ideal. The four Zero Trust Key Strengths will then be combined into an overall Zero Trust design, and extensive configuration examples will be given for implementation guidance.</p> <p class="pToC_Subhead1" style="page-break-before:always"><a name="_Toc123930166"></a><a name="_Toc128645163"></a><a name="_Toc125461615"></a><a name="_Toc123930164">Scope</a></p> <p class="pBody"><a name="_In_Scope"></a><b>In Scope</b></p> <p class="pBody">The Cisco Zero Trust: Network and Cloud Security design guide covers the following platforms and features:</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Cisco Catalyst 9300 Switch</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Netflow</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>TrustSec</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>802.1X</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman"">
</span></span>SXP</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Cisco Identity Services Engine (ISE)</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Active Directory Integration with PassiveID</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Dynamic Security Group Tag (SGT)</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>pxGrid</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>TrustSec</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>802.1X Authentication and Authorization</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>ISE Profiling</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Cisco Secure Firewall</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Application Visibility &amp; Control (AVC)</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Dynamic SGT</p> <p
class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Intrusion Prevention (IPS)</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Netflow Configuration</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Network Anti-Malware</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>URL Filtering</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Application Filtering</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Next Gen Firewall (NGFW) Rules</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>pxGrid Integration</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Secure Malware Analytics Integration</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";color:#595959;position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span><span style="color:#595959">Cisco Secure Network Analytics (formerly Stealthwatch)</span></p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Adaptive Network Control (ANC)</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>pxGrid Integration</p> <p class="pBulletCMT" style="font-style: normal;
font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Cisco Telemetry Broker</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Netflow Source and Destination Configuration</p> <p class="pBody"><b>Out of Scope</b></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>SD-WAN configuration is covered in our SASE guides for <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/sase-meraki-cvd.html">Meraki</a> and <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/sase-viptela-cvd.html">Viptela</a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Router configuration</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Wireless Access Point and WLC configuration</p> <p class="pBulletCMT" style="font-style: normal; 
font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Guest Portal</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>VPN</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>MacOS devices</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Windows 8 and earlier devices</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>DNA Center is planned for the next revision</p> <p class="pToC_Subhead2"><a name="_Toc128645164"></a><a name="_Toc125461616">Zero Trust Companion Documents</a></p> <p class="pBody">While the number of Zero Trust capabilities and controls we can implement in the 
network and cloud is extensive, it is only one component necessary for a full approach to Zero Trust. This Zero Trust guide for Network and Cloud Security is presented as one part in a series that also covers Zero Trust capabilities for Users, Devices, and Applications. To help understand the architecture, Cisco has broken it down into three pillars:</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span><b>User and Device Security:</b> making sure users and devices can be trusted as they access systems, regardless of location</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span><b>Network and Cloud Security:</b> protect all network resources on-prem and in the cloud, and ensure secure access for all connecting users</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span><b>Application and Data Security:</b> preventing unauthorized access within application environments irrespective of where they are hosted</p> <p class="pBody"> </p> <p class="pBody">The three guides complement each other and provide multiple integration points. 
For example, device management capabilities covered in the User and Device guide provide AnyConnect clients and profile configuration that are used to perform 802.1X authentication against ISE in this guide. The User and Device guide also covers remote clientless access to application resources within the network. Integration points between the guides are noted in the sections where they occur, along with hyperlinks to the relevant sections in the other guides.</p> <p class="pToC_Subhead2"><a name="_Toc128645165"></a><a name="_Toc125461617"></a><a name="_Toc123930167">Zero Trust Security Framework Map</a></p> <p class="pBody">The following table shows how common Zero Trust Frameworks map to the Cisco Zero Trust Framework.</p> <div> <table border="1" cellpadding="6" cellspacing="0" width="100%" bordercolor="#ADADAD"> <thead> <tr valign="top" align="left"> <td> <p class="Cellhead1">Cisco</p> </td> <td> <p class="Cellhead1">NIST Cyber Security Framework </p> </td> <td> <p class="Cellhead1">CISA </p> </td> <td> <p class="Cellhead1">Common </p> </td> </tr> </thead> <tbody> <tr valign="top" align="left"> <td rowspan="2"> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">User and Device Security</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">User</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Identity</p> </td> <td rowspan="5"> <p 
class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Visibility & Analytics</p> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Automation & Orchestration Governance</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Devices</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Device</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Network and Cloud Security</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Networks/Hybrid Multi-Cloud</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; 
text-indent: 0pt; text-transform: none">Network/ Environment</p> </td> </tr> <tr valign="top" align="left"> <td rowspan="2"> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Application and Data Security</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Application</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Application Workload</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Data</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Data</p> </td> </tr> </tbody> </table> </div> <p class="pBody">For additional information, please refer to the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-frameworks.html">Zero Trust Frameworks</a> document. 
</p> <p class="pToC_Subhead1"><a name="_Toc128645166"></a><a name="_Toc125461618"></a><a name="_Toc123930168"></a><a name="_Toc98245085"></a><a name="_Toc83125678"></a><a name="_Toc82683295">Solution Overview</a></p> <p class="pBody"><a name="_Toc98245086"></a><a name="_Toc83125679"></a><a name="_Toc82683296">As covered in the introduction, Cisco has created a set of four Key Zero Trust Strengths as a model for evaluating Zero Trust capabilities:</a></p> <p class="pBody"><img border="0" width="1043" height="225" id="Picture 309628075" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_1.png" alt="Graphical user interface, textDescription automatically generated"/></p> <p class="pBody">This guide uses the four Key Zero Trust Strengths as a framework to build out a solution for securing network and cloud environments using the systems and capabilities listed in the <a href="#_In_Scope">In Scope</a> section.</p> <p class="pToC_Subhead2"><a name="_Toc128645167"></a><a name="_Toc125461619"></a><a name="_Toc123930169">Establish Trust</a></p> <p class="pBody">Establishing Trust serves as a checkpoint when determining whether a user should be allowed access to the network, and the information gathered during this step is used to facilitate the next Key, Enforcing Trust-Based Access. As with all elements of Zero Trust, this area is a matter of degrees. Enforcing authentication at all network access points is the foundation. For the authentication itself, using static credentials to establish trust falls short of many frameworks, except for break-glass scenarios. Utilizing external authentication and an identity store like AD is an improvement. Adding multi-factor authentication (MFA) is an additional safeguard against lost or compromised external auth credentials that is increasingly seen as a required security guidance. 
Adding machine authentication using client certificates provides validation of the device alongside the user. Verifying the health and security status of the device adds an additional check that the device is not only known but also in an acceptable security state. </p> <p class="pBody">The authentication standard covered in this guide involves 802.1X authentication using an encrypted EAP-FAST connection that performs a client auth certificate check against the endpoint followed by an AD login. Based on the results of the two checks—client certificate and AD login—a Dynamic SGT is assigned to the user which is then used to enforce trust-based access, as covered in the next section. </p> <p class="pBody">The <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-user-device-dg.html">Cisco Zero Trust: User and Device Security Design Guide</a> covers additional layers of Establishing Trust for endpoints, including the following:</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>MFA with Duo</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Deployment of Duo Device Health Monitoring</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span 
style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Deployment of certificates via Meraki Mobile Device Management (MDM)</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Deployment of AnyConnect, Network Access Manager (NAM), and associated profiles via Meraki MDM</p> <p class="pToC_Subhead2"><a name="_Toc128645168"></a><a name="_Toc125461620"></a><a name="_Toc123930170">Enforce Trust-Based Access</a></p> <p class="pBody">After a user and machine have been securely authenticated to the network, the user should only be permitted to access the minimum resources needed to perform their job functions. The general principles supporting Enforce Trust-Based Access are RBAC—assigning access based on user role(s)—and Least Privilege—restricting all access that is not necessary for a given user. </p> <p class="pBody">It is common to enforce RBAC and Least Privilege upon login. For example, if a user attempts to access a switch, they could be prompted for a MFA login that would only succeed if valid credentials were presented and a check of the user against a Network Admins or Network Operations Center (NOC) AD group was also successful. Upon successful login, a user associated with either the Network Admins or NOC AD group could be assigned access to specific commands using TACACS. </p> <p class="pBody">If we add network security capabilities to the example, we can utilize TrustSec and Dynamic SGT to prevent any users who are <i>not </i>members of the Network Admin and NOC AD groups from even connecting to the switch for a login attempt. 
This additional layer of security can prevent an unauthorized and unauthenticated user from leveraging a vulnerability to harm a system, and mitigates the risk that compromised break-glass credentials could be exploited for access, to give just two examples.
The assignment of multiple SGTs to one Authorization attempt is currently a roadmap feature for ISE.
In addition, Secure Firewall performs Intrusion Detection and Malware Inspection on allowed connections.</p> <p class="pBody">The <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-user-device-dg.html">Cisco Zero Trust: User and Device Security Design Guide</a> covers additional layers of Enforcing Trust-Based Access:</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Monitoring of endpoint posture using the Duo Health Application</p> <p class="pToC_Subhead2"><a name="_Toc128645170"></a><a name="_Toc125461622"></a><a name="_Toc123930172">Respond to Change in Trust</a></p> <p class="pBody">The security mechanisms covered in the prior sections raise significant barriers against a potential breach or compromise of the network, but modern security best practices recommend assuming that breaches are not only possible but have already occurred. Any viable Zero Trust design requires the capability to revoke access for suspicious or malicious actors.</p> <p class="pBody">This design utilizes the ANC feature within Secure Analytics to assign a Quarantine SGT to suspicious or malicious hosts. ISE will receive the Quarantine designation from Secure Analytics, then leverage Change of Authorization ICoA) to force a re-authentication of the user. 
Upon reauthentication, ISE will match the host to an Authorization rule that denies access at the TrustSec access switch (alternatively, a Quarantine SGT can be assigned to still permit some restricted access).</p> <p class="pBody">Secure Firewall also inspects traffic for Intrusion events or Malware and can automatically terminate a previously allowed connection if subsequent malicious activity is detected.</p> <p class="pToC_Subhead1"><a name="_Toc128645171"></a><a name="_Toc125461623"></a><a name="_Toc123930173">Zero Trust: Network and Cloud Security Business Flows</a> </p> <p class="pBody">The <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-arch-guide.html">Cisco Zero Trust Architecture Guide</a> introduced the concept of SAFE business flows. Cisco SAFE uses the concept of business flows to simplify the analysis and identification of threats, risks, and policy requirements for effective security. This enables the selection of specific capabilities necessary to secure each business flow. 
</p> <p class="pBody">This design guide addresses the Zero Trust Network and Cloud Security aspects of the following business flows: </p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>An on-prem employee with a trusted device at a branch office accessing a private application </p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>An on-prem contractor with an untrusted device at a branch office accessing a private application </p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>An on-prem guest with an untrusted device at a branch office accessing a public website on the Internet </p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>A remote employee with a trusted device accessing a private application</p> <p class="pBody"> </p> <p class="pBody"><img border="0" width="1044" height="485" id="Picture 309628079" 
src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_2.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <div class=" pDefault"> Figure 2. <span style="font:7.0pt "Times New Roman""> </span>Zero Trust Network and Cloud Security Business Flows </div> <p class="pBody"> </p> <p class="pBody">Not all business flows have the same requirements. Some use cases have a smaller attack surface and therefore require less security to be applied. Other use cases have more severe attack vectors and require additional security controls. Evaluating the business flow by analyzing the attack surfaces provides the information needed to determine and apply the correct capabilities for effective flow specific security. This process also allows for the application of capabilities to address risk and administrate policy requirements. In the following figure, the yellow security capabilities are covered within this Zero Trust for Network and Cloud Security design guide, while the green security capabilities are covered in the existing <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-user-device-dg.html">Zero Trust: User and Device Security Design Guide</a> and the blue security capabilities in the upcoming Zero Trust for Application and Data Security design guide. </p> <p class="pBody"><img border="0" width="1033" height="582" id="Picture 16" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_3.png" alt="TimelineDescription automatically generated"/></p> <div class=" pDefault"> Figure 3. 
<span style="font:7.0pt "Times New Roman""> </span>Zero Trust Network and Cloud Security Business Flows with required capabilities </div> <p class="pToC_Subhead1"><a name="_Toc128645172"></a><a name="_Toc125461624"></a><a name="_Toc123930174"></a><a name="_Product_Overview"></a>Product Overview</p> <p class="pBody">This Cisco Validated Design guide covers the following platforms for Zero Trust Network and Cloud Security: </p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Cisco Catalyst 9000 Series Switch</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Cisco ISE</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Cisco Secure Firewall</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Cisco Secure Network Analytics</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: 
normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Cisco Telemetry Broker</p> <p class="pBody">Short descriptions of each product and an outline of features deployed in the <a href="#_Zero_Trust_Network">Zero Trust Network and Cloud Security Deployment</a> <a name="_Int_WlADAYtX">section</a> of this guide <a name="_Int_spbuiu1s">are</a> given in the following sections. All the products have many other functionality areas that are beneficial or necessary to many customers, but only features explicitly deployed in this guide are listed in this section.</p> <p class="pToC_Subhead2"><a name="_Toc128645173"></a><a name="_Toc125461625"></a><a name="_Toc123930175">Cisco Catalyst 9000 Series</a></p> <p class="pBody">The Catalyst 9300 serves as the access switch for the deployment, functioning as both a TrustSec and 802.1X enforcement point. The switch performs an integral role in authentication, access control, monitoring, and enforcement. </p> <p class="pToC_Subhead3"><a name="_Toc128645174"></a><a name="_Toc125461626"></a><a name="_Toc123930176">802.1X</a></p> <p class="pBody">The Catalyst 9300 serves as the wired 802.1X enforcement point for the network. The switch integrates with ISE to force Authentication and Authorization checks before network access is granted. If an endpoint exhibits suspicious or malicious activity, the switch can send a CoA to force the endpoint to reauthenticate, at which point the endpoint can be quarantined or receive restricted access based on a new evaluation of the device posture against the ISE AA policies.</p> <p class="pToC_Subhead3"><a name="_Toc128645175"></a><a name="_Toc125461627"></a><a name="_Toc123930177">Netflow</a></p> <p class="pBody">The Catalyst 9300 generates Netflow logs based on the traffic that passes through it. 
The Netflow logs can then be used for end-to-end connectivity troubleshooting and threat monitoring. The Catalyst 9300 serves as one of many Netflow collection points throughout the network. The Netflow data sent by the Catalyst 9300 and other platforms is aggregated via Cisco Telemetry Broker and then fed to Secure Network Analytics for end-to-end traffic visibility and heuristic analysis.</p> <p class="pToC_Subhead3"><a name="_Toc128645176"></a><a name="_Toc125461628"></a><a name="_Toc123930178">SXP</a></p> <p class="pBody">The Catalyst 9300 receives static destination SGTs from ISE via SXP. This configuration allows SGACLs (Security Group Access Control Lists) to be distributed to the TrustSec enforcement capable switch closest to the traffic destination, allowing for scaling of SGACLs across large environments without exhausting switch resources.</p> <p class="pToC_Subhead3"><a name="_Toc128645177"></a><a name="_Toc125461629"></a><a name="_Toc123930179">TrustSec</a></p> <p class="pBody">The Catalyst 9300 serves as part of an end-to-end TrustSec network. The switch attaches dynamic source SGTs to all frames originating from 802.1X authenticated endpoints, which can be used by both TrustSec enforcement switches and Secure Firewall for RBAC. Micro-segmentation is accomplished through source and destination SGTs and the TrustSec Matrix in ISE. 
For more information on TrustSec terminology, definitions, and capabilities, please see the <a href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16/sec-usr-cts-xe-16-book/sec-usr-cts-xe-16-book_chapter_01101.html">Cisco TrustSec Configuration Guide</a>.</p> <p class="pToC_Subhead2"><a name="_Toc128645178"></a><a name="_Toc125461630"></a><a name="_Toc123930180">Cisco ISE</a></p> <p class="pBody">Cisco ISE is the linchpin for the deployment, serving as the backbone of AA for the network alongside Microsoft Active Directory, acting as a configuration hub and distribution point for TrustSec static SGTs and SGACLs, and functioning as an intermediary for revoking network access for end hosts utilizing pxGrid and CoA.</p> <p class="pToC_Subhead3"><a name="_Toc128645179"></a><a name="_Toc125461631"></a><a name="_Toc123930181">802.1X Authentication and Authorization</a></p> <p class="pBody">ISE receives 802.1X login attempts from access switches and evaluates them against Authentication and Authorization policies. Both machine and user logins are covered in this guide.</p> <p class="pToC_Subhead3"><a name="_Toc128645180"></a><a name="_Toc125461632"></a><a name="_Toc123930182">Active Directory Integration with PassiveID</a></p> <p class="pBody">ISE is joined to the AD domain to retrieve AD group information and to send AD login requests to Active Directory as part of the Authorization process. PassiveID is leveraged to distribute user to IP maps for AD authentications that don’t pass through ISE (such as VPN-less connections like DNG) to Secure Firewall and Secure Analytics.</p> <p class="pToC_Subhead3"><a name="_Toc128645181"></a><a name="_Toc125461633"></a><a name="_Toc123930183">Change of Authorization (CoA)</a></p> <p class="pBody">ISE can send a CoA request to an access switch to force a user to reauthenticate. 
If the user’s posture has degraded or they have been quarantined, their access will be restricted accordingly upon reauthentication.</p> <p class="pToC_Subhead3"><a name="_Toc128645182"></a><a name="_Toc125461634"></a><a name="_Toc123930184">pxGrid</a></p> <p class="pBody">ISE integrates with Secure Firewall and Secure Network Analytics via pxGrid, sending destination SGTs to Secure Firewall, and user to IP maps to both devices. ISE also receives quarantine requests from Secure Analytics over pxGrid.</p> <p class="pToC_Subhead3"><a name="_Toc128645183"></a><a name="_Toc125461635"></a><a name="_Toc123930185">TrustSec</a></p> <p class="pBody">When users are evaluated against the ISE Authentication and Authorization policies as part of the 802.1X login process, ISE will assign a dynamic source SGT to the user based on the matched Authorization rule. ISE also serves as the configuration point for static SGT assignments for devices that do not authenticate and <a name="_Int_6kUgkhjE">distributes</a> those SGT assignments to switches and firewalls throughout the network. Finally, configuration of SGACLs is performed in ISE via the TrustSec Matrix, with SGACLs distributed through SXP.</p> <p class="pToC_Subhead2"><a name="_Toc128645184"></a><a name="_Toc125461636"></a><a name="_Toc123930186">Cisco Secure Firewall</a></p> <p class="pBody">Cisco Secure Firewall acts as an enforcer of RBAC, combining its extensive Next Gen Firewall (NGFW) capabilities with the clear user and device tracking provided by the ISE and TrustSec network. Cisco Secure Firewall is deployed alongside the Firewall Management Center (FMC). Configuration examples in this guide are performed on the FMC, which in turn pushes configurations and integration resources to firewalls throughout the network. 
</p> <p class="pToC_Subhead3"><a name="_Toc128645185"></a><a name="_Toc125461637"></a><a name="_Toc123930187">Application Visibility and Control</a></p> <p class="pBody">Secure Firewall performs deep packet inspection to detect the network activity of layer 7 applications. This allows for strong control of network sessions where both the port and application must match an expected value for a session to be allowed.</p> <p class="pToC_Subhead3"><a name="_Toc128645186"></a><a name="_Toc125461638"></a><a name="_Toc123930188">Dynamic SGT</a></p> <p class="pBody">Secure Firewall can import Security Group lists from ISE, eliminating the need for <a name="_Int_CR1PoTOh">firewall</a> side group configuration and allowing ISE to act as <a name="_Int_3FClPQda">a single source</a> of truth for user and device groupings for the network. As users connect to resources in the local network and in the cloud, Secure Firewall can act on the Source and Destination SGT criteria in its Access Control Policy (ACP) to allow or block traffic based on the Source SGTs attached by the TrustSec network and the static Destination SGT mappings received from ISE via SXP.</p> <p class="pToC_Subhead3"><a name="_Toc128645187"></a><a name="_Toc125461639"></a><a name="_Toc123930189">Intrusion Prevention</a></p> <p class="pBody">After a session is allowed by the Secure Firewall ACP, each subsequent packet in the session can be subjected to intrusion inspection. 
If a session packet matches an intrusion rule set to block, the firewall will block the offending packet and any additional packets in the session will be block listed.</p> <p class="pToC_Subhead3"><a name="_Toc128645188"></a><a name="_Toc125461640"></a><a name="_Toc123930190">Netflow</a></p> <p class="pBody">Secure Firewall generates Netflow data that is aggregated by the Cisco Telemetry Broker and sent to Secure Network Analytics for heuristic analysis.</p> <p class="pToC_Subhead3"><a name="_Toc128645189"></a><a name="_Toc125461641"></a><a name="_Toc123930191">Network Anti-Malware</a></p> <p class="pBody">After a session is allowed by the Secure Firewall ACP, each subsequent packet in the session can be subjected to malware inspection. Packets that are part of a file transfer are stored in memory and reassembled when the final file-packet reaches the firewall. If the file matches a known malicious hash or fails a Threat Grid sandbox analysis, the file can be blocked.</p> <p class="pToC_Subhead3"><a name="_Toc128645190"></a><a name="_Toc125461642"></a><a name="_Toc123930192">pxGrid</a></p> <p class="pBody">pxGrid serves as the communication channel with ISE. 
In this guide, it is used for receiving Security Groups and user to IP mappings from ISE.</p> <p class="pToC_Subhead3"><a name="_Toc128645191"></a><a name="_Toc125461643"></a><a name="_Toc123930193">SXP</a></p> <p class="pBody">SXP is used to distribute Destination SGTs to the Secure Firewall from ISE.</p> <p class="pToC_Subhead3"><a name="_Toc128645192"></a><a name="_Toc125461644"></a><a name="_Toc123930194">URL Control</a></p> <p class="pBody">Secure Firewall can restrict access based on specific URLs or URL categories.</p> <p class="pToC_Subhead2"><a name="_Toc128645193"></a><a name="_Toc125461645"></a><a name="_Toc123930195">Cisco Secure Network Analytics</a></p> <p class="pBody">Cisco Secure Network Analytics performs extensive monitoring of network traffic using data collected from Netflow devices across the network. Secure Analytics performs heuristic inspection of encrypted and unencrypted flows, acting as a complement to the string based IPS detection of Secure Firewall. In this guide, Secure Network Analytics is deployed as two devices, a Flow Collector and a Management Center. Configuration examples in this guide are performed via the Management Center.</p> <p class="pToC_Subhead3"><a name="_Toc128645194"></a><a name="_Toc125461646"></a><a name="_Toc123930196">Adaptive Network Control (ANC)</a></p> <p class="pBody">Security Operations Center (SOC) analysts can respond to Secure Network Analytics alerts by issuing a quarantine action against a host using ANC. Once the quarantine action is initiated, Secure Network Analytics communicates the action to ISE over the pxGrid channel. ISE then sends a CoA request to the appropriate access switch, which forces a reauthentication of the host. When the host reauthenticates, it is matched to an ANC quarantine rule within the ISE Authorization policy. 
Quarantine designations can also be lifted from Secure Network Analytics.</p> <p class="pToC_Subhead3"><a name="_Toc128645195"></a><a name="_Toc125461647"></a><a name="_Toc123930197">pxGrid</a></p> <p class="pBody">pxGrid serves as the communication channel between ISE and Secure Network Analytics. User-to-IP maps <a name="_Int_XOZZIvhZ">are</a> transmitted from ISE to Secure Network Analytics, and quarantine designations are transmitted from ANC to ISE.</p> <p class="pToC_Subhead2"><a name="_Toc128645196"></a><a name="_Toc125461648"></a><a name="_Toc123930198">Cisco Telemetry Broker (CTB)</a></p> <p class="pBody">Telemetry Broker functions as a Netflow aggregation tool. It allows for the deployment or replacement of Netflow ingestors without reconfiguring Netflow sources to point to the new destination. For example, CTB can be deployed to collect all Netflow data in a network and send it (filtered or unfiltered) to a SIEM; if a competing SIEM were being evaluated, CTB could easily be configured to send the same Netflow data to both the new SIEM and the existing SIEM, without time-consuming reconfiguration of Netflow source devices. In this guide, CTB is deployed as two devices, a Node and a Manager. 
Configurations shown are for the Manager.</p> <p class="pToC_Subhead3"><a name="_Toc128645197"></a><a name="_Toc125461649"></a><a name="_Toc123930199">Netflow</a></p> <p class="pBody">In this deployment, Telemetry Broker receives Netflow data from the Catalyst switch and Secure Firewall and dispenses the Netflow data to the Secure Analytics Flow Collector.</p> <p class="pToC_Subhead1"><a name="_Toc128645198"></a><a name="_Toc125461650"></a><a name="_Toc123930200"></a><a name="_Toc98245099"></a><a name="_Toc83125680"></a><a name="_Toc82683297"></a><a name="_Zero_Trust_Design"></a>Zero Trust Design</p> <p class="pBody"><img border="0" width="1045" height="999" id="Picture 309628081" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_4.png" alt="DiagramDescription automatically generated"/></p> <div class=" pDefault"> Figure 4. <span style="font:7.0pt "Times New Roman""> </span>Cisco Zero Trust Design </div> <p class="pBody"> </p> <p class="pToC_Subhead2"><a name="_Toc98245115"></a><a name="_Toc83125699"></a><a name="_Toc82683316"></a><a name="_Toc128645199"></a><a name="_Toc125461651"></a><a name="_Toc123930201">Branch – Employee, Trusted Device</a></p> <p class="pBody">The employee’s device is provisioned with AnyConnect and NAM as covered in the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-user-device-dg.html">Zero Trust: User and Device Security Design Guide</a>. A local client authentication certificate is provisioned to the endpoint via Active Directory (AD) Group Policy Object (GPO). </p> <p class="pToC_Subhead3"><a name="_Toc128645200"></a><a name="_Toc125461652"></a><a name="_Toc123930202">Private Application (Private DC)</a></p> <p class="pBody"><b>Login Procedures and Network Access</b></p> <p class="pBody">The employee connects a computer to the network via a wired ethernet port at the branch. 
The ethernet port is connected to a TrustSec capable access switch. Upon connection, power on, or user sign-on, the NAM installation on the endpoint attempts an 802.1X machine authentication to the switch using an encrypted EAP-FAST connection. </p> <p class="pBody"><img border="0" width="460" height="380" id="Picture 309628617" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_5.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 5. <span style="font:7.0pt "Times New Roman""> </span>Employee to Access Switch using EAP-FAST </div> <p class="pBody"> </p> <p class="pBody">The access switch receives the 802.1X request and transmits it to ISE for processing. The connection is permitted by the Branch <a name="_Int_khScgm4b">firewall</a>, transmitted across the SD-WAN, and permitted again at the Datacenter boundary <a name="_Int_O5l8lbRP">firewall</a>. The Core/Distribution switches act as TrustSec Passthrough devices (not TrustSec Enforcement) and forward the connection. The Datacenter Access Switch permits the connection through its TrustSec SGACL, as configured in the TrustSec Matrix.</p> <p class="pBody"><img border="0" width="1046" height="693" id="Picture 309628635" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_6.png" alt="DiagramDescription automatically generated"/></p> <div class=" pDefault"> Figure 6. <span style="font:7.0pt "Times New Roman""> </span>Branch Access Switch sends Employee’s 802.1X request to ISE </div> <p class="pBody"> </p> <p class="pBody">ISE matches the machine authentication request against its AA policies. During the AA process, the endpoint checks the EAP server certificate presented by ISE and verifies that the ISE EAP certificate matches a trusted certificate in the NAM configuration. 
ISE also prompts the endpoint to provide a machine auth certificate. Both certificate checks succeed, and the endpoint passes AA. ISE assigns a dynamic SGT based on the machine authentication, then returns the AA verdict to the switch along with the SGT assignment (the SGT will restrict the connectivity of the endpoint until it passes user authentication). The return connection is permitted by the Branch and Datacenter access switch SGACLs and allowed as stateful response traffic through the firewalls.</p> <p class="pBody">When the user attempts to access the computer, the user is presented with a prompt to enter their AD credentials. NAM initiates a new 802.1X request that uses EAP-Chaining to submit both machine and AD credentials as part of a single authorization request. The switch forwards the 802.1X request to ISE. The connection is permitted through the firewall, SD-WAN, and Datacenter access switch infrastructure as in the prior 802.1X machine authentication connection. ISE processes the 802.1X request, new checks are made against the machine and server certificate, and ISE forwards the AD credentials to a Domain Controller (DC) for validation. </p> <p class="pBody"><img border="0" width="1045" height="364" id="Picture 309628641" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_7.png" alt="A picture containing timelineDescription automatically generated"/></p> <div class=" pDefault"> Figure 7. <span style="font:7.0pt "Times New Roman""> </span>ISE forwards Active Directory Credentials to Domain Controller for validation </div> <p class="pBody"> </p> <p class="pBody">The DC returns authentication success to ISE. ISE also checks what AD group(s) the user belongs to and confirms the Employee group. 
ISE combines the Employee group membership with the validated user and machine authentication to match the 802.1X attempt against an Authorization rule for Employee Trusted Device. The rule has an associated Dynamic SGT named Employee_Trusted_Device, and both the AA result and the SGT assignment are sent to the Branch access switch. Return traffic is allowed as in the prior 802.1X connection. The switch will then append the Employee_Trusted_Device source SGT to all frames originating from the end host.</p> <p class="pBody"><b>Distribution of Destination SGTs and SGACLs via SXP</b></p> <p class="pBody">After logging on, the employee attempts to access an on-premises private application hosted at the datacenter. The private application is accessed via URL, with the URL resolving to a cluster of application servers with a static SGT assignment of DC_Application_Servers. This static SGT was previously distributed from ISE to the FMC via SXP. The FMC then distributed the static SGT to the firewalls across the network.</p> <p class="pBody"><img border="0" width="1046" height="678" id="Picture 309628637" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_8.png" alt="DiagramDescription automatically generated"/></p> <div class="pDefault"> Figure 8. 
<span style="font:7.0pt "Times New Roman""> </span>ISE sends static SGTs to the FMC, which distributes the SGTs to the FTDs </div> <p class="pBody"> </p> <p class="pBody">ISE has also distributed the DC_Application_Servers static SGT to the TrustSec enforcement switches throughout the network, also via SXP.</p> <p class="pBody"><img border="0" width="1045" height="673" id="Picture 309628656" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_9.png" alt="Diagram, timelineDescription automatically generated"/></p> <div class=" pDefault"> Figure 9. <span style="font:7.0pt "Times New Roman""> </span>ISE sends SGTs to enforcement switches via SXP </div> <p class="pBody"> </p> <p class="pBody">Lastly, ISE has distributed the SGACLs associated with the DC_Application_Servers to the TrustSec switch closest to the application servers (it is best practice that each switch maintains the SGACLs only for connected and closest devices to keep rule tables lean in large environments). The SGACLs are configured via the TrustSec Matrix in ISE.</p> <p class="pBody"><img border="0" width="1045" height="363" id="Picture 309628624" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_10.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 10. <span style="font:7.0pt "Times New Roman""> </span>ISE sends SGACL to DC Application Switch </div> <p class="pBody"> </p> <p class="pBody"><b>Employee to Application Server Connection</b></p> <p class="pBody">The employee initiates an HTTPS connection to the Private Application. The branch access switch receives the employee to application server connection first and appends the Employee_Trusted_Device source SGT to the frame. 
The branch access switch checks both the source SGT assigned to the user and the destination SGT mapped to the destination IP against its SGACL. </p> <p class="pBody"><img border="0" width="460" height="325" id="Picture 309628625" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_11.png" alt="Shape, polygonDescription automatically generated"/></p> <div class="pDefault"> Figure 11. <span style="font:7.0pt 'Times New Roman'"> </span>Employee initiates HTTPS connection to private application </div> <p class="pBody"> </p> <p class="pBody">Because the branch access switch is not the closest TrustSec device to the destination SGT, it has not received SGACL assignments for that SGT via SXP; it therefore forwards the packet to the next hop, the Secure Firewall. </p> <p class="pBody"><img border="0" width="460" height="330" id="Picture 309628626" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_12.png" alt="Shape, polygonDescription automatically generated"/></p> <div class="pDefault"> Figure 12. <span style="font:7.0pt 'Times New Roman'"> </span>Access switch forwards packet to next hop </div> <p class="pBody"> </p> <p class="pBody">Secure Firewall evaluates the connection against its Access Control Policy using the source SGT, destination SGT, URL, application, destination port, and source and destination zones. All criteria match an allow rule permitting access to the private application. Secure Firewall allows the connection and flags the allowed packet and all subsequent packets in the connection for Intrusion and Malware inspection. Secure Firewall then sends the allowed connection to the SD-WAN router. 
</p> <p class="pBody"><img border="0" width="460" height="330" id="Picture 309628628" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_13.png" alt="Shape, polygonDescription automatically generated"/></p> <div class=" pDefault"> Figure 13. <span style="font:7.0pt "Times New Roman""> </span>Secure Firewall sends allowed connection to Branch SD-WAN Router </div> <p class="pBody"> </p> <p class="pBody">The SD-WAN router permits the connection and uses TrustSec Passthrough to preserve the source SGT across the IPSec tunnel between sites. The SD-WAN router routes the connection across the SD-WAN to the datacenter. (In a deployment without SD-WAN, SXP can be used to re-attach the SGT at the datacenter.)</p> <p class="pBody"><img border="0" width="1046" height="675" id="Picture 309628629" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_14.png" alt="DiagramDescription automatically generated"/></p> <div class=" pDefault"> Figure 14. <span style="font:7.0pt "Times New Roman""> </span>Branch SD-WAN Router permits connection to DC SD-WAN Router </div> <p class="pBody"> </p> <p class="pBody">The datacenter SD-WAN router receives the connection from the branch SD-WAN router and routes it to the boundary firewall.</p> <p class="pBody"><img border="0" width="700" height="284" id="Picture 309628631" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_15.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 15. 
<span style="font:7.0pt "Times New Roman""> </span>Data Center SD-WAN Router sends connection to Secure Firewall </div> <p class="pBody"> </p> <p class="pBody">The boundary firewall permits the connection based on the same criteria used by the branch firewall and forwards the connection to the core switch infrastructure. </p> <p class="pBody"><img border="0" width="700" height="284" id="Picture 309628632" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_16.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 16. <span style="font:7.0pt "Times New Roman""> </span>Boundary Firewall forwards connection to Core switch infrastructure </div> <p class="pBody"> </p> <p class="pBody">The core switch infrastructure does not enforce TrustSec Inline Tagging, but uses TrustSec passthrough to deliver the packet with attached source SGT to the access switch in the network's Applications segment. </p> <p class="pBody"><img border="0" width="700" height="284" id="Picture 309628633" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_17.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 17. <span style="font:7.0pt "Times New Roman""> </span>Core infrastructure sends connection to DC enforcement switch </div> <p class="pBody"> </p> <p class="pBody">The access switch evaluates the source SGT and destination SGT against its SGACL. Because the access switch in the Applications segment of the network is the closest TrustSec device to the application servers, it has received SGACL rules for the destination SGT. 
The SGACL permits the connection, and the packet successfully reaches its destination, the private application server.</p> <p class="pBody"><img border="0" width="700" height="284" id="Picture 309628634" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_18.png" alt="Related image, diagram or screenshot"/></p> <div class="pDefault"> Figure 18. <span style="font:7.0pt 'Times New Roman'"> </span>Data Center access switch permits the connection as it is allowed in the SGACL </div> <p class="pBody"> </p> <p class="pBody"><b>Netflow Collection</b></p> <p class="pBody">The routers, firewalls, and switches all generate a Netflow record of the connection and send Netflow data to the datacenter CTB node. </p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt 'Times New Roman'"> </span></span></b>Where Netflow is collected is a design decision. Collecting at every hop gives platforms like Secure Analytics more point-to-point visibility, whereas collecting only at the devices closest to the source and destination reduces log storage requirements.</p> <p class="pBody"><img border="0" width="1045" height="674" id="Picture 309628639" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_19.png" alt="Related image, diagram or screenshot"/></p> <div class="pDefault"> Figure 19. <span style="font:7.0pt 'Times New Roman'"> </span>All Network devices are configured to send Netflow to Cisco Telemetry Broker </div> <p class="pBody"> </p> <p class="pBody">CTB aggregates the Netflow data and sends it to a Secure Network Analytics Flow Collector for analysis and session tracking. 
</p> <p class="pBody"><img border="0" width="1045" height="363" id="Picture 309628640" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_20.png" alt="TimelineDescription automatically generated with medium confidence"/></p> <div class="pDefault"> Figure 20. <span style="font:7.0pt 'Times New Roman'"> </span>CTB aggregates Netflow traffic and sends it to Secure Network Analytics </div> <p class="pBody"> </p> <p class="pBody">Secure Network Analytics collects the flow data and generates flow events.</p> <p class="pBody"><b>Monitoring of Allowed Connections</b></p> <p class="pBody">As additional packets are sent over the allowed connection, the data for each packet is added to end-of-session logging for Secure Firewall and sent to Secure Analytics through additional Netflow logs. Each additional packet is also subjected to Intrusion Prevention and Malware blocking, depending on protocol. If an intrusion event or malware is detected by the Secure Firewall, the connection is terminated, and an event is generated. </p> <p class="pBody">If Secure Network Analytics detects malicious activity over the session, it will generate an alert based on the activity observed. If the malicious activity warrants a response action, the SOC can use the ANC feature of Secure Network Analytics to send a quarantine request to ISE.</p> <p class="pBody"><img border="0" width="1046" height="363" id="Picture 309628643" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_21.png" alt="TimelineDescription automatically generated with low confidence"/></p> <div class="pDefault"> Figure 21. 
<span style="font:7.0pt "Times New Roman""> </span>Secure Network Analytics sends quarantine request to ISE </div> <p class="pBody"> </p> <p class="pBody">ISE receives the quarantine request and sends a CoA request to the access switch of the target host. </p> <p class="pBody"><img border="0" width="1034" height="671" id="Picture 309628644" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_22.png" alt="DiagramDescription automatically generated"/></p> <div class=" pDefault"> Figure 22. <span style="font:7.0pt "Times New Roman""> </span>ISE sends Change of Authorization request to Branch Access Switch </div> <p class="pBody"> </p> <p class="pBody">The switch performs the CoA against the host, forcing the host to reauthenticate via 802.1X. </p> <p class="pBody"><img border="0" width="460" height="346" id="Picture 309628645" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_23.png" alt="Shape, polygonDescription automatically generated"/></p> <div class=" pDefault"> Figure 23. <span style="font:7.0pt "Times New Roman""> </span>Branch Access Switch forces Employee’s host to reauthenticate </div> <p class="pBody"> </p> <p class="pBody">When the host reauthenticates, the ANC assignment matches the reauthentication attempt against a Quarantine rule in the ISE Authorization policy, with a result of Deny Access. </p> <p class="pBody"><img border="0" width="1046" height="675" id="Picture 309628646" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_24.png" alt="DiagramDescription automatically generated"/></p> <div class=" pDefault"> Figure 24. <span style="font:7.0pt "Times New Roman""> </span>CoA forces the host to reauthenticate via 802.1x. 
A quarantine rule is matched in ISE </div> <p class="pBody"> </p> <p class="pBody">The switch blocks all network access for the host until the quarantine is lifted and the host completes a successful 802.1X user authentication.</p> <p class="pBody"><img border="0" width="460" height="369" id="Picture 309628647" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_25.png" alt="Shape, polygonDescription automatically generated"/></p> <div class="pDefault"> Figure 25. <span style="font:7.0pt 'Times New Roman'"> </span>Branch access switch blocks network access for Employee </div> <p class="pBody"> </p> <p class="pBody">Additional security for the user-to-private-application connection is covered in the companion Zero Trust guides. For Duo MFA on the user-to-application connection, please see the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-user-device-dg.html">Zero Trust: User and Device Security Design Guide</a>. For security specific to the application, please see the upcoming Zero Trust: Application Security Design Guide.</p> <p class="pToC_Subhead2"><a name="_Toc128645201"></a><a name="_Toc125461653"></a><a name="_Toc123930203">Branch – Contractor, Untrusted Device</a></p> <p class="pBody">Depending on the organization's security policy, the contractor’s device may or may not be provisioned with all of the same applications as an employee’s device. In this example, no applications are installed on the contractor’s device, and it is considered untrusted. However, the device has been joined to the AD domain and configured for 802.1X. 
While the Contractor with Untrusted Device has different application access than the Employee with Trusted Device, the methodology for validating the user and device and then granting access to a permitted application is the same as in the prior section.</p> <p class="pToC_Subhead3"><a name="_Toc128645202"></a><a name="_Toc125461654"></a><a name="_Toc123930204">Private Application (Private DC)</a></p> <p class="pBody"><b>Login Procedures and Network Access</b></p> <p class="pBody">The contractor connects a computer to the network via a wired ethernet port at the branch. The ethernet port is connected to a TrustSec capable access switch. When the user attempts to access the computer, the user is presented with a prompt to enter their AD credentials. The AD credentials are sent to the switch as part of an 802.1X request.</p> <p class="pBody"><img border="0" width="460" height="389" id="Picture 309628648" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_26.png" alt="Shape, polygonDescription automatically generated"/></p> <div class=" pDefault"> Figure 26. <span style="font:7.0pt "Times New Roman""> </span>Contractor to Access Switch using 802.1X </div> <p class="pBody"> </p> <p class="pBody">The switch receives the 802.1X request and transmits it to ISE for processing. The connection is permitted by the Branch firewall, transmitted across the SD-WAN, and permitted again at the Datacenter boundary firewall. The Core/Distribution switches act as TrustSec Passthrough devices (not TrustSec Enforcement) and forward the connection. 
The Datacenter Access Switch permits the connection through its TrustSec SGACL, as configured in the TrustSec Matrix.</p> <p class="pBody"><img border="0" width="1046" height="698" id="Picture 309628649" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_27.png" alt="DiagramDescription automatically generated"/></p> <div class="pDefault"> Figure 27. <span style="font:7.0pt 'Times New Roman'"> </span>Branch Access Switch sends Contractor’s 802.1X request to ISE </div> <p class="pBody"> </p> <p class="pBody">ISE processes the 802.1X request and forwards the AD credentials to a Domain Controller for validation. </p> <p class="pBody"><img border="0" width="1044" height="363" id="Picture 309628650" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_28.png" alt="A picture containing timelineDescription automatically generated"/></p> <div class="pDefault"> Figure 28. <span style="font:7.0pt 'Times New Roman'"> </span>ISE forwards AD Credentials to Domain Controller for validation </div> <p class="pBody"> </p> <p class="pBody">The Domain Controller returns an authentication success to ISE. ISE also checks what AD group(s) the user belongs to and confirms the Contractor group. While the user has successfully authenticated against AD, they have not presented a certificate for machine authentication. ISE combines the Contractor group membership, the AD authentication success, and the machine authentication failure to match the 802.1X attempt against an Authorization rule for Contractor Untrusted Device. The rule has an associated Dynamic SGT named Contractor_Untrusted_Device, and both the AA result and the SGT assignment are sent to the Branch access switch. The return connection is permitted by the Branch and Datacenter access switch SGACLs and allowed statefully as response traffic through the firewalls. 
The switch will then append the Contractor_Untrusted_Device source SGT to all frames originating from the end host.</p> <p class="pBody"><b>Distribution of Destination SGTs and SGACLs via SXP</b></p> <p class="pBody">After logging on, the contractor attempts to access an on-premises private application hosted at the datacenter. The private application is accessed via URL, with the URL resolving to a cluster of application servers with a static SGT assignment of DC_Application_Servers. This static SGT was previously distributed from ISE to the FMC via SXP. The FMC then distributed the static SGT to the firewalls across the network.</p> <p class="pBody"><img border="0" width="1046" height="674" id="Picture 309628654" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_29.png" alt="DiagramDescription automatically generated"/></p> <div class=" pDefault"> Figure 29. <span style="font:7.0pt "Times New Roman""> </span>ISE sends static SGTs to the FMC, which distributes the SGTs to the FTDs </div> <p class="pBody"> </p> <p class="pBody">ISE has also distributed the DC_Application_Servers static SGT to the TrustSec enforcement switches throughout the network, also via SXP.</p> <p class="pBody"><img border="0" width="1045" height="674" id="Picture 22" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_30.png" alt="DiagramDescription automatically generated"/></p> <div class=" pDefault"> Figure 30. 
<span style="font:7.0pt "Times New Roman""> </span>ISE sends SGTs to enforcement access switches via SXP </div> <p class="pBody"> </p> <p class="pBody">Lastly, ISE has distributed the SGACLs associated with the DC_Application_Servers to the TrustSec switch closest to the application servers (it is best practice that each switch maintains the SGACLs only for connected and closest devices to keep rule tables lean in large environments). The SGACLs are configured via the TrustSec Matrix in ISE.</p> <p class="pBody"><img border="0" width="1045" height="363" id="Picture 309628653" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_31.png" alt="TimelineDescription automatically generated"/></p> <div class=" pDefault"> Figure 31. <span style="font:7.0pt "Times New Roman""> </span>ISE sends SGACL to DC Application Switch </div> <p class="pBody"> </p> <p class="pBody"><b>Contractor to Application Server Connection</b></p> <p class="pBody">The contractor initiates an HTTPS connection to the Private Application. The branch access switch receives the contractor to application server connection first and appends the Contractor_Untrusted_Device source SGT to the frame. The branch access switch checks both the source SGT assigned to the user and the destination SGT mapped to the destination IP against its SGACL. </p> <p class="pBody"><img border="0" width="460" height="358" id="Picture 309628657" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_32.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 32. 
<span style="font:7.0pt "Times New Roman""> </span>Contractor initiates HTTPS connections to private application </div> <p class="pBody"> </p> <p class="pBody">The access switch is not closest to the destination SGT and so has not received SGACL assignments for the destination SGT via SXP, so the access switch forwards the packet to the next hop, the Secure Firewall. </p> <p class="pBody"><img border="0" width="460" height="360" id="Picture 309628658" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_33.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 33. <span style="font:7.0pt "Times New Roman""> </span>Access switch forwards packet to next hop </div> <p class="pBody"> </p> <p class="pBody">Secure Firewall evaluates the connection against its Access Control Policy using the source SGT, destination SGT, URL, application, destination port, and source and destination zones. All criteria match an allow rule permitting access to the private application. Secure Firewall allows the connection and flags the allowed packet and all subsequent packets in the connection for Intrusion and Malware inspection. Secure Firewall then sends the allowed connection to the SD-WAN router. </p> <p class="pBody"><img border="0" width="460" height="357" id="Picture 309628659" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_34.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 34. <span style="font:7.0pt "Times New Roman""> </span>Secure Firewall sends allowed connection to Branch SD-WAN Router </div> <p class="pBody"> </p> <p class="pBody">The SD-WAN router permits the connection and uses TrustSec Passthrough to preserve the source SGT across the IPSec tunnel between sites. 
The SD-WAN router routes the connection across the SD-WAN to the datacenter. </p> <p class="pBody"><img border="0" width="1046" height="674" id="Picture 309628660" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_35.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 35. <span style="font:7.0pt "Times New Roman""> </span>Branch SD-WAN Router permits connection to DC SD-WAN Router </div> <p class="pBody"> </p> <p class="pBody">The datacenter SD-WAN router receives the connection from the branch SD-WAN router and routes it to the boundary firewall.</p> <p class="pBody"><img border="0" width="700" height="284" id="Picture 309628661" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_15.png" alt="Funnel chartDescription automatically generated with low confidence"/></p> <div class=" pDefault"> Figure 36. <span style="font:7.0pt "Times New Roman""> </span>Data Center SD-WAN Router sends connection to Secure Firewall </div> <p class="pBody"> </p> <p class="pBody">The boundary firewall permits the connection based on the same criteria used by the branch firewall and forwards the connection to the core switch infrastructure. </p> <p class="pBody"><img border="0" width="700" height="284" id="Picture 309628662" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_16.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 37. 
<span style="font:7.0pt "Times New Roman""> </span>Boundary Firewall forwards connection to Core switch infrastructure </div> <p class="pBody"> </p> <p class="pBody">The core switch infrastructure does not enforce TrustSec Inline Tagging, but uses TrustSec passthrough to deliver the packet with attached source SGT to the access switch in the network's Applications segment. </p> <p class="pBody"><img border="0" width="700" height="284" id="Picture 309628663" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_17.png" alt="Timeline, TeamsDescription automatically generated"/></p> <div class=" pDefault"> Figure 38. <span style="font:7.0pt "Times New Roman""> </span>Core infrastructure sends connection to DC enforcement switch </div> <p class="pBody"> </p> <p class="pBody">The access switch evaluates the source SGT and destination SGT against its SGACL. Because the access switch in the Applications segment of the network is the closest TrustSec device to the application servers, it has received SGACL rules for the destination SGT. The SGACL permits the connection, and the packet successfully reaches its destination of the private application server.</p> <p class="pBody"><img border="0" width="700" height="284" id="Picture 309628664" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_18.png" alt="TimelineDescription automatically generated with low confidence"/></p> <div class=" pDefault"> Figure 39. 
<span style="font:7.0pt "Times New Roman""> </span>DC access switch permits the connection as it is allowed in the SGACL </div> <p class="pBody"> </p> <p class="pBody"><b>Netflow Collection</b></p> <p class="pBody">The routers, firewalls, and switches all generate a Netflow record of the connection and send Netflow data to the datacenter CTB node.</p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>The granularity of Netflow data can be a question of design. Collecting at every point delivers more point-to-point visibility for platforms like Secure Analytics. However, only collecting Netflow closest to the source and destination reduces log storage requirements.</p> <p class="pBody"> </p> <p class="pBody"><img border="0" width="1046" height="676" id="Picture 309628666" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_36.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 40. <span style="font:7.0pt "Times New Roman""> </span>All Network devices are configured to send Netflow to Cisco Telemetry Broker </div> <p class="pBody"> </p> <p class="pBody">CTB aggregates the Netflow data and sends it to a Secure Network Analytics Flow Collector for analysis and session tracking. </p> <p class="pBody"><img border="0" width="1044" height="362" id="Picture 309628667" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_37.png" alt="TimelineDescription automatically generated with medium confidence"/></p> <div class=" pDefault"> Figure 41. 
<span style="font:7.0pt "Times New Roman""> </span>CTB aggregates Netflow traffic and sends to Secure Network Analytics </div> <p class="pBody"> </p> <p class="pBody">Secure Network Analytics collects the flow data and generates flow events.</p> <p class="pBody"><b>Monitoring of Allowed Connections</b></p> <p class="pBody">As additional packets are sent over the allowed connection, the data for each packet is added to end of session logging for Secure Firewall and sent to Secure Analytics through additional Netflow logs. Each additional packet is also subjected to Intrusion Protection and Malware blocking, depending on protocol. If an intrusion event or malware is detected by the Secure Firewall, the connection is terminated, and an event is generated. </p> <p class="pBody">If Secure Network Analytics detects malicious activity over the session, it will generate an alert based on the activity observed. If the malicious activity warrants a response action, the SOC can use the ANC feature of Secure Network Analytics to send a quarantine request to ISE.</p> <p class="pBody"><img border="0" width="1046" height="363" id="Picture 309628671" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_38.png" alt="TimelineDescription automatically generated with low confidence"/></p> <div class=" pDefault"> Figure 42. <span style="font:7.0pt "Times New Roman""> </span>Secure Network Analytics sends quarantine request to ISE </div> <p class="pBody"> </p> <p class="pBody">ISE receives the quarantine request and sends a CoA request to the access switch of the target host. </p> <p class="pBody"><img border="0" width="1046" height="677" id="Picture 23" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_39.png" alt="DiagramDescription automatically generated"/></p> <div class=" pDefault"> Figure 43. 
<span style="font:7.0pt "Times New Roman""> </span>ISE sends Change of Authorization request to Branch Access Switch </div> <p class="pBody"> </p> <p class="pBody">The switch performs the CoA against the host, forcing the host to re-authenticate via 802.1X. </p> <p class="pBody"><img border="0" width="460" height="342" id="Picture 309628258" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_40.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 44. <span style="font:7.0pt "Times New Roman""> </span>Branch Access Switch forces Contractor’s host to reauthenticate </div> <p class="pBody"> </p> <p class="pBody">When the host reauthenticates, the ANC assignment matches the reauthentication attempt against a Quarantine rule in the ISE Authorization policy, with a result of Deny Access. </p> <p class="pBody"><img border="0" width="1046" height="676" id="Picture 309628259" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_41.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 45. <span style="font:7.0pt "Times New Roman""> </span>CoA forces the host to reauthenticate via 802.1x. A quarantine rule is matched in ISE </div> <p class="pBody"> </p> <p class="pBody">The switch blocks all network access for the host until the quarantine is lifted and the host completes a successful 802.1X user authentication.</p> <p class="pBody"><img border="0" width="460" height="327" id="Picture 309628260" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_42.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 46. 
<span style="font:7.0pt "Times New Roman""> </span>Branch access switch blocks network access for Contractor </div> <p class="pBody"> </p> <p class="pBody">Additional security for the user to private application is provided in the companion Zero Trust guides. For Duo MFA for the user to application connection, please see the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-user-device-dg.html">Zero Trust: User and Device Security Design Guide</a>. For security specific to the application, please see the upcoming Zero Trust: Application Security Design Guide.</p> <p class="pToC_Subhead2"><a name="_Toc128645203"></a><a name="_Toc125461655"></a><a name="_Toc123930205">Branch – Guest User</a></p> <p class="pBody">The guest user has a BYOD with no organization-controlled software or trusted certificates.</p> <p class="pToC_Subhead3"><a name="_Toc128645204"></a><a name="_Toc125461656"></a><a name="_Toc123930206">Internet</a></p> <p class="pBody"><b>Login Procedures and Network Access</b></p> <p class="pBody">The guest user attempts a connection to an open Guest WI-FI SSID. The wireless access point (WAP) that hosts the SSID forwards the connection request to a Wireless LAN Controller (WLC).</p> <p class="pBody"><img border="0" width="460" height="325" id="Picture 309628277" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_43.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 47. <span style="font:7.0pt "Times New Roman""> </span>Branch Guest to WLC </div> <p class="pBody"> </p> <p class="pBody">The WLC in turn forwards the connection request to ISE. 
</p> <p class="pBody"><img border="0" width="1046" height="695" id="Picture 309628283" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_44.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 48. <span style="font:7.0pt "Times New Roman""> </span>Branch WLC sends connection request to ISE </div> <p class="pBody"> </p> <p class="pBody">ISE authenticates the connection against its AA policies, returning a URL redirect and URL redirect ACL to the WLC. The guest user receives the URL redirect, which sends them to the ISE guest access portal. The guest user performs the Register for Guest Access action and creates an account, after which they are assigned a username and password, then prompted to log in. After the guest successfully logs in to the ISE guest portal, ISE sends a CoA to the WLC. </p> <p class="pBody"><img border="0" width="1046" height="676" id="Picture 309628369" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_45.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 49. <span style="font:7.0pt "Times New Roman""> </span>Branch Guest is sent URL redirect to the ISE guest portal for registration </div> <p class="pBody"> </p> <p class="pBody">The WLC responds to the CoA by prompting the user to re-authenticate using their new credentials.</p> <p class="pBody"><img border="0" width="460" height="337" id="Picture 309628371" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_46.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 50. 
<span style="font:7.0pt "Times New Roman""> </span>Branch Access WLC prompts the user to authenticate with new credentials </div> <p class="pBody"> </p> <p class="pBody">The user reauthentication is sent to ISE. </p> <p class="pBody"><img border="0" width="1046" height="695" id="Picture 309628373" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_44.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 51. <span style="font:7.0pt "Times New Roman""> </span>Branch Guest is reauthenticated by ISE </div> <p class="pBody"> </p> <p class="pBody">ISE matches the access request against an Authorization rule that assigns the Guest SGT and returns the access result and the SGT to the WLC. </p> <p class="pBody"><img border="0" width="1046" height="676" id="Picture 309628374" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_45.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 52. <span style="font:7.0pt "Times New Roman""> </span>ISE sends Guest authorization SGT and access to the Branch WLC </div> <p class="pBody"> </p> <p class="pBody"> </p> <p class="pBody">The WLC will then append the Guest SGT to each frame generated by the guest user.</p> <p class="pBody"><b>Guest to Internet Connection</b></p> <p class="pBody">The guest user then attempts to access the internet. The destination public IP in the connection matches the Unknown static SGT (best practice for SGACL configuration has been followed with all internal subnets mapped to SGACLs, with the Unknown SGT used as a catch all for IP spaces outside the network). The WLC permits the connection as traffic to the Unknown SGT is not blocked by SGACL. 
</p> <p class="pBody"><img border="0" width="460" height="348" id="Picture 309628375" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_47.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 53. <span style="font:7.0pt "Times New Roman""> </span>Branch Guest initiates connection to Internet starting with WLC </div> <p class="pBody"> </p> <p class="pBody">The connection is sent to the Secure Firewall, where it is evaluated against the Access Control Policy. </p> <p class="pBody"><img border="0" width="460" height="345" id="Picture 309628381" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_48.png" alt="Shape, polygonDescription automatically generated"/></p> <div class=" pDefault"> Figure 54. <span style="font:7.0pt "Times New Roman""> </span>Branch Secure Firewall determines if policy allows guest to access Internet </div> <p class="pBody"> </p> <p class="pBody">Secure Firewall evaluates the connection using the source SGT, destination SGT, and source and destination zones. All criteria match an allow rule permitting the Guest SGT to connect to the Unknown SGT from a guest wireless zone to an outside zone. Secure Firewall allows the connection and flags the allowed packet and all subsequent packets in the connection for Intrusion inspection to mitigate the risk of outbound attacks launched by a guest to an internet target from the company public IP space.</p> <p class="pBody"><img border="0" width="460" height="347" id="Picture 309628390" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_49.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 55. 
<span style="font:7.0pt "Times New Roman""> </span>Branch Secure Firewall allows connection to Internet </div> <p class="pBody"> </p> <p class="pBody">The SD-WAN router receives the connection from the firewall outside zone and routes the connection to the internet.</p> <p class="pBody"><img border="0" width="460" height="271" id="Picture 309628396" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_50.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 56. <span style="font:7.0pt "Times New Roman""> </span>Branch SD-WAN Router sends connection to Internet </div> <p class="pBody"> </p> <p class="pBody">The switch, firewall, and router all generate a Netflow record of the packet and send the Netflow to a CTB node at the datacenter over the SD-WAN connection. </p> <p class="pBody"><img border="0" width="1046" height="673" id="Picture 309628409" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_51.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 57. <span style="font:7.0pt "Times New Roman""> </span>Branch network devices all send Netflow to the Cisco Telemetry Broker </div> <p class="pBody"> </p> <p class="pBody">CTB aggregates the Netflow records and sends it to a Secure Network Analytics Flow Collector for analysis and session tracking. </p> <p class="pBody"><img border="0" width="1044" height="362" id="Picture 309628440" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_52.png" alt="TimelineDescription automatically generated with medium confidence"/></p> <div class=" pDefault"> Figure 58. 
<span style="font:7.0pt "Times New Roman""> </span>Cisco Telemetry Broker sends aggregated Netflow records to Secure Network Analytics </div> <p class="pBody"> </p> <p class="pBody">Secure Network Analytics collects the flow data and generates flow events.</p> <p class="pBody"><b>Monitoring of Allowed Connections</b></p> <p class="pBody">As additional packets are sent over the allowed connection, the data for each packet is added to end of session logging for Secure Firewall and sent to Secure Analytics through additional Netflow logs. Each additional packet is also subjected to Intrusion inspection, depending on protocol. If an Intrusion event is detected by the Secure Firewall, the connection is terminated, and an event is generated. </p> <p class="pBody">If Secure Network Analytics detects malicious activity over the session, it will generate an alert based on the activity observed. If the malicious activity warrants a response action, the SOC can use the ANC feature of Secure Network Analytics to quarantine the host through its integration with ISE.</p> <p class="pBody"><img border="0" width="1068" height="371" id="Picture 309628451" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_53.png" alt="TimelineDescription automatically generated with low confidence"/></p> <div class=" pDefault"> Figure 59. <span style="font:7.0pt "Times New Roman""> </span>Secure Network Analytics alerts ISE to quarantine the host </div> <p class="pBody"> </p> <p class="pBody">After the SOC initiates the ANC quarantine action, Secure Analytics will transmit the request to ISE. ISE will then force a CoA request for the associated host. 
</p> <p class="pBody"><img border="0" width="1046" height="678" id="Picture 309628453" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_54.png" alt="DiagramDescription automatically generated"/></p> <div class=" pDefault"> Figure 60. <span style="font:7.0pt "Times New Roman""> </span>ISE sends a CoA to Branch WLC to quarantine host </div> <p class="pBody"> </p> <p class="pBody">The WLC performs the CoA against the host, forcing the host to re-authenticate. </p> <p class="pBody"><img border="0" width="460" height="337" id="Picture 309628457" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_55.png" alt="Shape, polygonDescription automatically generated"/></p> <div class=" pDefault"> Figure 61. <span style="font:7.0pt "Times New Roman""> </span>Branch WLC initiates the Change of Authorization (CoA) of the Guest’s Untrusted device </div> <p class="pBody"> </p> <p class="pBody">When the host reauthenticates, the ANC assignment matches the reauthentication attempt to a Quarantine rule in the ISE Authorization policy, with a result of Deny Access. </p> <p class="pBody"><img border="0" width="1046" height="678" id="Picture 309628458" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_56.png" alt="Related image, diagram or screenshot"/></p> <div class=" pDefault"> Figure 62. 
<span style="font:7.0pt "Times New Roman""> </span>Branch Guest reauthenticates and matches a Quarantine rule </div> <p class="pBody"> </p> <p class="pBody">The switch blocks all network access for the host until the quarantine is lifted and the host completes a successful authentication.</p> <p class="pBody"><img border="0" width="460" height="339" id="Picture 309628459" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_57.png" alt="Shape, polygonDescription automatically generated"/><a name="_Zero_Trust_Network"></a></p> <div class=" pDefault"> Figure 63. <span style="font:7.0pt "Times New Roman""> </span>Branch Guest access is blocked, no network access </div> <p class="pBody"> </p> <p class="pToC_Subhead1"><a name="_Toc128645205"></a><a name="_Toc125461657"></a><a name="_Toc123930207">Additional Guides and Resources</a></p> <p class="pToC_Subhead2"><a name="_Toc128645206"></a><a name="_Toc125461658"></a><a name="_Toc123930208">Ports and Protocols</a></p> <p class="pBody">The Firewall Access Control and TrustSec SGACL configuration sections of this guide focus on the Employee, Contractor, and Guest connections covered in the prior <a href="#_Zero_Trust_Design">Zero Trust Design</a> section. However, additional connections must be allowed for the different integrations covered in the Deployment section, depending on network topology. For a list of ports required for RADIUS (used in this guide for 802.1X), pxGrid, CoA, SXP, PassiveID (the AD Agent is deployed in this guide), and TrustSec, please see the <a href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_7.pdf">Cisco ISE Ports Reference</a> guide. ISE will initiate outbound LDAP, SMB, and KDC connections to AD, which are also covered in the ISE Ports Reference guide. 
Lastly, Netflow connections between multiple platforms are covered in the Deployment section; the default Netflow port is UDP 2055.</p> <p class="pToC_Subhead2"><a name="_Toc128645207"></a><a name="_Toc125461659"></a><a name="_Toc123930209">Guest Wireless Configuration</a></p> <p class="pBody">This guide covers the handling of Guest connections through the ISE AA policies, the TrustSec Matrix, and Secure Firewall rules utilizing Dynamic and Static SGTs. For comprehensive guidance on setup and configuration of a Guest Wireless deployment, please see the <a href="https://community.cisco.com/t5/security-knowledge-base/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475">ISE Guest Access Prescriptive Deployment Guide</a>.</p> <p class="pToC_Subhead1"><a name="_Toc128645208"></a><a name="_Toc125461660"></a><a name="_Toc123930210"></a><a name="_Zero_Trust_Network_1"></a>Overview of Integrations</p> <p class="pBody">The Zero Trust Network and Cloud Security Deployment section covers many different product configurations, and it may be helpful for some users to review dependencies between the different configuration topics. 
A high-level overview of how the different configurations support and integrate with each other is provided below.
none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>User to IP mappings are transmitted from ISE to Secure Firewall and Secure Network Analytics. These user to IP maps come directly from ISE for 802.1X logins and from the PassiveID for AD logins that do not go through ISE (the VPN-less connection through the DNG)</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Secure Network Analytics uses the Adaptive Network Control Configuration to send quarantine requests to ISE over the pxGrid channel</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>The Configure ISE Security Groups and Static Mapping section covers creation of new Security Groups which are sent to Secure Firewall via pxGrid. 
The Security Groups are used in Secure Firewall policy creation in the Secure Firewall Access Control with Dynamic SGT section</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>pxGrid Configuration and Integration can be found in the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html">SAFE Certificate Management Design Guide</a>.</p> <p class="pBody"><a name="_Toc123930214"><b>Adaptive Network Control Configuration</b></a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Secure Network Analytics will use the pxGrid channel created in the pxGrid Configuration and Integration section to send host quarantine designations to ISE via ANC</p> <p class="pBody"><a name="_Toc123930215"><b>Configure Netflow</b></a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>The Netflow logs generated and transmitted to Secure Network Analytics in the Configure Netflow section form the basis for the security events used to make ANC quarantine designations</p> <p class="pBody"><a name="_Toc123930216"><b>Configure TrustSec</b></a></p> <p 
class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>The Configure ISE Security Groups and Static Mapping section sets the Security Groups that will be used for TrustSec SGTs</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>The Configure TrustSec SGACLs section sets access control that is enforced by TrustSec access switches</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Source SGTs are assigned on 802.1X login (Configure 802.1X) via Authorization rules from the Configure ISE Policy Sets section. The source SGTs are then attached to host frames by TrustSec switches and used for TrustSec enforcement</p> <p class="pBody"><a name="_Toc123930217"><b>Configure SXP</b></a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>ISE uses SXP to assign destination SGTs to the TrustSec switch closest to the destination host. 
The TrustSec switches then retrieve the SGACLs (Configure TrustSec SGACLs) that apply to the destination SGTs</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>ISE uses SXP to distribute the static IP to Security Group mappings to the FMC, which are necessary for the Secure Firewall Access Control with Dynamic SGT section</p> <p class="pBody"><a name="_Toc123930218"><b>Configure 802.1X</b></a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>802.1X logins require ISE to perform user and machine checks against AD (Integrate ISE with Active Directory)</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>802.1X logins are evaluated against AA rules from the Configure ISE Policy Sets section</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>ISE assigns SGTs upon 802.1X Authorization that are drawn from 
Security Groups in the Configure ISE Security Groups and Static Mapping section</p> <p class="pBody"><a name="_Toc123930219"><b>Configure ISE Security Groups and Static Mapping</b></a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Security Groups are used to assign SGTs upon 802.1X login</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Security Groups are distributed to firewalls and TrustSec switches via the Configure SXP section</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Security Groups are used to build SGACLs in the Configure TrustSec SGACLs section</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Security Groups are used for the SGT assignments in the Configure ISE Policy Sets section</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: 
normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Security Groups are used as rule criteria in the Secure Firewall Access Control with Dynamic SGT section</p> <p class="pBody"><a name="_Toc123930220"><b>Configure TrustSec SGACLs</b></a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>SGACLs are used by TrustSec switches (Configure TrustSec) to enforce network-based access control</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>SGACLs are created using the groups from the Configure ISE Security Groups and Static Mapping section</p> <p class="pBody"><a name="_Toc123930221"><b>ISE Authentication and Authorization Policy Preparation</b></a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>This section sets certificates and configurations that are necessary for 802.1X login and for the Configure ISE Policy Sets section</p> <p class="pBody"><a name="_Toc123930222"><b>Configure ISE Policy 
Sets</b></a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>ISE policies use groups from the Configure ISE Security Groups and Static Mapping section</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>802.1X logins are evaluated against the Authentication and Authorization policies configured in this section</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>The Authorization policy configured in this section assigns SGTs that are used by the switches in the Configure TrustSec section and by the Secure Firewall Access Control with Dynamic SGT section</p> <p class="pBody"><a name="_Toc123930223"><b>Secure Firewall Access Control with Dynamic SGT</b></a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>This section uses Security Groups from the Configure ISE Security Groups and Static Mapping section</p> 
<p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>This section receives static IP to Security Group maps from ISE via the Configure SXP section that are used for destination SGTs in the Access Control policy</p> <p class="pToC_Subhead1"><a name="_Toc128645209"></a><a name="_Toc125461661"></a><a name="_Toc123930224">Zero Trust</a>: Network and Cloud Security Deployment</p> <p class="pBody">This deployment section can be followed linearly to accomplish the capabilities outlined in the <a href="#_Zero_Trust_Design">Zero Trust Design</a> section. Required platforms and platform capabilities are listed in the <a href="#_Product_Overview">Product Overview</a> section. An outline of how the configurations in the following subsections interact with each other is included in the preceding Overview of Integrations section.</p> <p class="pToC_Subhead2"><a name="_Toc128645210"></a><a name="_Toc125461662"></a><a name="_Toc123930225">Integrate ISE with Active Directory</a></p> <p class="pBody">ISE leverages Active Directory (AD) for multiple methods of authentication, including the 802.1X configuration in this guide. Groups imported from AD will also be used later in the authentication and authorization (AA) rules for 802.1X. AD is also used to retrieve user to IP mappings for PassiveID.</p> <p class="pToC_Subhead3"><a name="_Toc128645211"></a><a name="_Toc125461663"></a><a name="_Toc123930226">ISE and AD: Prerequisites</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Before integrating AD with ISE, confirm that you have admin access available for both AD and ISE, and then perform the following checks.</p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Verify the clocks of the AD server and ISE are synced, preferably via a common NTP server. The time for an ISE node can be verified with the show clock command:</p> <p class="pBody"><img border="0" width="388" height="51" id="Picture 309628243" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_58.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>On the AD server, click the time and date on the right side of the task bar to see the current time in seconds.</p> <p class="pBody"><img border="0" width="326" height="368" id="Picture 309628225" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_59.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>From the ISE CLI, confirm DNS name resolution for the AD server via the nslookup command:</p> <p class="pBody"><img border="0" width="1044" height="408" id="Picture 18" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_60.png" alt="TextDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645212"></a><a name="_Toc125461664"></a><a name="_Toc123930227"></a><a name="_ISE:_Join_the"></a>ISE: Join the AD Domain</p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>From the ISE GUI, click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628262" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> Identity Management <span style="font-family:Wingdings">à</span> External Identity Sources. </p> <p class="pBody"><img border="0" width="131" height="29" id="Picture 204" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_62.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody"><img border="0" width="1043" height="608" id="Picture 205" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_63.png" alt="Graphical user interface, textDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click on Active Directory.</p> <p class="pBody"><img border="0" width="1044" height="259" id="Picture 309628278" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_64.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Add button.</p> <p class="pBody"><img border="0" width="1043" height="216" id="Picture 309628281" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_65.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. 
<span style="font:7.0pt "Times New Roman""> </span></b>Enter a name for the Join Point and specify the domain of the target AD server. Click the Submit button.</p> <p class="pBody"><img border="0" width="1044" height="440" id="Picture 192" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_66.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>A prompt appears asking whether to join immediately. Click Yes. Note: if you accidentally click No, the domain can be joined from the Connection page.</p> <p class="pBody"><img border="0" width="460" height="188" id="Picture 196" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_67.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Enter an AD administrator username and password. ISE recommends checking the Store Credentials box. Click OK.</p> <p class="pBody"><img border="0" width="672" height="404" id="Picture 46" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_68.png" alt="Graphical user interface, textDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>If everything is in order, ISE will join the domain. Click Close. 
</p> <p class="pBody"><img border="0" width="736" height="492" id="Picture 309628033" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_69.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645213"></a><a name="_Toc125461665"></a><a name="_Toc123930228">ISE: Import Active Directory Groups</a></p> <p class="pBody">Active Directory groups will be needed for Authentication and Authorization policy rules in a later section, and it makes sense to import them here.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the last screen in the prior section, click the Groups tab (or navigate to Administration <span style="font-family:Wingdings">à</span> External Identity Management <span style="font-family:Wingdings">à</span> External Identity Sources <span style="font-family:Wingdings">à</span> Active Directory <span style="font-family:Wingdings">à</span> edit <span style="font-family:Wingdings">à</span> select the Groups tab). Click Add, then click Select Groups from Directory.</p> <p class="pBody"><img border="0" width="1043" height="259" id="Picture 212" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_70.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>The domain will auto-populate. 
Enter any desired filter criteria or leave the default asterisks and click the Retrieve Groups option.</p> <p class="pBody"><img border="0" width="1044" height="307" id="Picture 309628098" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_71.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Select the desired groups and click the OK button. Note: if 100 groups were retrieved then the list may be truncated. Filter the search if the needed groups are not in the list. For this example, we’ll retrieve groups associated with Employees, Contractors, Guests, and a Computers group that will be used later for machine authentication.</p> <p class="pBody"><img border="0" width="1043" height="286" id="Picture 309628426" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_72.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>The retrieved AD groups are displayed. Click Save.</p> <p class="pBody"><img border="0" width="1043" height="438" id="Picture 213" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_73.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645214"></a><a name="_Toc125461666"></a><a name="_Toc123930229">Configure PassiveID</a></p> <p class="pBody">PassiveID can be used to collect AD logins that do not pass through ISE and redistribute them to security platforms like Secure Analytics and Secure Firewall. 
As covered in the introduction, a key recommendation is to have end-to-end 802.1X and TrustSec across the network. When this is in place, all initial user connections to the network will be forwarded from a TrustSec-capable device to ISE for authentication, rendering PassiveID unnecessary. However, the reality of modern networks is that other types of connections—such as VPN-less—still traverse the network and use AD-based authentication that does not go through ISE. One example of this is the DNG reverse proxy covered in the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-user-device-dg.html">Cisco Zero Trust: User and Device Security Design Guide</a>, which provides strong security for access to internet-facing resources. Another example is network segments that are not yet TrustSec-capable. In such cases, PassiveID can serve as a valuable source of supplementary data, allowing additional tracking of user activity in centralized monitoring tools such as Secure Analytics. However, PassiveID cannot provide the strong access control and remediation capabilities of 802.1X and TrustSec, and both should be used wherever possible.</p> <p class="pBody">If PassiveID is not desired for deployment, skip to the pxGrid Configuration and Integration section.</p> <p class="pToC_Subhead3"><a name="_Toc128645215"></a><a name="_Toc125461667"></a><a name="_Toc123930230">ISE: Enable Passive Identity and pxGrid Services on the Policy Server (PSN)</a></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>From the ISE GUI, click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628245" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_74.jpg" alt="page21image42869280"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> System <span style="font-family:Wingdings">à</span> Deployment.</p> <p class="pBody">Select the PSN that will be connecting to AD then click Edit.</p> <p class="pBody"><img border="0" width="1044" height="349" id="Picture 309628250" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_75.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Scroll down and check the box next to Enable Passive Identity Service. While you’re here, you can also verify that SXP and pxGrid are enabled since they will be used in later sections. Click Save.</p> <p class="pBody"><img border="0" width="1043" height="462" id="Picture 236" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_76.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645216"></a><a name="_Toc125461668"></a><a name="_Toc123930231">ISE: Add Domain Controllers</a></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 197" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Work Centers <span style="font-family:Wingdings">à</span> PassiveID <span style="font-family:Wingdings">à</span> Providers.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Select Active Directory from the left menu and check the box next to the Join Point created previously. Click Edit.</p> <p class="pBody"><img border="0" width="940" height="340" id="Picture 309628036" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_77.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Review the connection details and confirm the Status is Operational. Click the PassiveID tab.</p> <p class="pBody"><img border="0" width="796" height="422" id="Picture 207" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_78.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Add DCs link.</p> <p class="pBody"><img border="0" width="1044" height="331" id="Picture 209" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_79.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. 
<span style="font:7.0pt "Times New Roman""> </span></b>Check the box next to each DC you would like to add to the join point for monitoring, and then click the OK button.</p> <p class="pBody"><img border="0" width="866" height="398" id="Picture 309628040" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_80.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pBody">The PassiveID page should now display the added DCs.</p> <p class="pBody"><img border="0" width="1043" height="467" id="Picture 127" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_81.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645217"></a><a name="_Toc125461669"></a><a name="_Toc123930232">ISE: Configure Microsoft Remote Procedure Call (MSRPC) for PassiveID</a></p> <p class="pBody">ISE 3.0 and above supports MSRPC for Passive Identity. Note that while Windows Management Instrumentation (WMI) can still be used, the Windows DCOM Server Security hardening described in <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414">CVE-2021-26414</a> introduces complications for WMI-based collection. This guide will use an agent and MSRPC as the Passive Identity source. Note that this requires the installation of an agent on the Domain Controller(s).</p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628034" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Work Centers <span style="font-family:Wingdings">à</span> PassiveID <span style="font-family:Wingdings">à</span> Providers.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Agents tab, then click Add.</p> <p class="pBody"><img border="0" width="1044" height="284" id="Picture 214" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_82.png" alt="Graphical user interface, text, application, websiteDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Select Deploy New Agent and populate the FQDN, AD admin username and password, set MS-RPC as the protocol, and specify High Availability settings (a Primary + Secondary is recommended if a suitable AD deployment is available). Click Deploy.</p> <p class="pBody"><img border="0" width="862" height="808" id="Picture 309628054" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_83.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody"><img border="0" width="884" height="264" id="Picture 309628056" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_84.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pBody">The new agent is shown after successful deploy. 
The prior steps can be repeated to deploy a secondary agent, if desired (when selecting the Secondary agent option, an additional field will populate to specify the primary agent). </p> <p class="pBody"><img border="0" width="1044" height="314" id="Picture 216" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_85.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645218"></a><a name="_Toc125461670"></a><a name="_Toc123930233">ISE: Map Domain Controllers with MSRPC Agents</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the prior section, click Active Directory (or navigate to Work Centers <span style="font-family:Wingdings">à</span> PassiveID <span style="font-family:Wingdings">à</span> Providers <span style="font-family:Wingdings">à</span> Active Directory). The domain that was joined previously should be visible. Select the Join Point and click Edit.</p> <p class="pBody"><img border="0" width="1038" height="298" id="Picture 219" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_86.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click the PassiveID tab.</p> <p class="pBody"><img border="0" width="1044" height="163" id="Picture 220" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_87.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>This deployment has a primary and a secondary DC. 
In this example, we select the primary DC added in the prior section and click Use Existing Agent.</p> <p class="pBody"><img border="0" width="1044" height="415" id="Picture 222" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_88.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Select the primary DC agent and click OK. </p> <p class="pBody"><img border="0" width="864" height="392" id="Picture 309628064" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_89.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pBody">Repeat the process to associate the secondary agent with the secondary DC, if applicable. </p> <p class="pToC_Subhead3"><a name="_Toc128645219"></a><a name="_Toc125461671"></a><a name="_Toc123930234">ISE: Validate the PassiveID Deployment</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>To verify the DC providers and agents from the PassiveID Work Center, <span style="color:#595959">click on </span>Overview <span style="font-family:Wingdings">à</span> Dashboard. Provider and Agent counts should match the prior configuration.</p> <p class="pBody"><img border="0" width="1043" height="266" id="Picture 309628065" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_90.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>User to IP associations can be viewed either from Work Centers <span style="font-family:Wingdings">à</span> PassiveID <span style="font-family:Wingdings">à</span> Overview <span style="font-family:Wingdings">à</span> Live Sessions or via Operations <span style="font-family:Wingdings">à</span> RADIUS <span style="font-family:Wingdings">à</span> Live Sessions.</p> <p class="pBody"><img border="0" width="702" height="306" id="Picture 309628066" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_91.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">The Live Sessions page shows active user to IP mappings. Note that you’ll need a successful user authentication to one of the monitored DCs before entries will populate. </p> <p class="pBody"><img border="0" width="1044" height="368" id="Picture 227" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_92.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645220"></a><a name="_Toc125461672"></a><a name="_Toc123930235"></a><a name="_pxGrid_Configuration_and"></a>pxGrid Configuration and Integration</p> <p class="pBody">For this design, pxGrid functions as the communication channel between ISE and Secure Firewall, and between ISE and Secure Network Analytics. pxGrid is used to transmit user to IP mappings from ISE to pxGrid clients, and for ISE to receive quarantine designations that ISE can then use to revoke network access via connected switches. Quarantine functionality for one pxGrid client, Secure Network Analytics, is covered in the <a href="#_Adaptive_Network_Control">Adaptive Network Control</a> section. 
</p> <p class="pToC_Subhead3"><a name="_Toc128645221"></a><a name="_Toc125461673"></a><a name="_Toc123930236">ISE: Verify pxGrid is Enabled</a></p> <p class="pBody">Steps to enable pxGrid were covered in the PassiveID section. </p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>To confirm the settings, click the Menu icon (<img border="0" width="19" height="12" id="Picture 239" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) <a name="_Int_QtBjS2OM">and</a> navigate to Administration <span style="font-family:Wingdings">à</span> System <span style="font-family:Wingdings">à</span> Deployment.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Check the box next to the relevant node(s) and then click Edit.</p> <p class="pBody"><img border="0" width="1044" height="349" id="Picture 244" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_75.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Scroll down and verify that pxGrid is enabled, then click Save if changes were made.</p> <p class="pBody"><img border="0" width="1043" height="462" id="Picture 240" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_93.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645222"></a><a name="_Toc125461674"></a><a name="_Toc123930237">ISE: Configure Subscriber Settings</a></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 246" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> pxGrid Services <span style="font-family:Wingdings">à</span> Settings.</p> <p class="pBody"><img border="0" width="1044" height="409" id="Picture 104" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_94.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pBody">The settings page offers two options: (1) automatically approve new clients that present a pxGrid certificate trusted by ISE, or (2) manually approve accounts based on username and password. This guide uses the manual (password) option. The automatic option can be selected for ease of use, but be aware of what it grants: any client presenting a certificate that chains to a CA trusted by ISE is admitted without an administrator reviewing the request, and pxGrid subscribers receive user-to-IP session data (and, for some clients, can trigger quarantine actions). Manual approval gives you the opportunity to confirm that each new subscriber is a system you expect before it is granted that access. </p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Select an option then click Save.</p> <p class="pToC_Subhead3"><a name="_Toc128645223">Certificate Requirements for pxGrid Subscribers</a></p> <p class="pBody">Secure Firewall Management Center (FMC) and Secure Network Analytics have different requirements for the pxGrid connection.</p> <p class="MsoListParagraphCxSpFirst" style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:#58595B">·<span style="font:7.0pt "Times New Roman""> </span></span><span style="font-size:10.0pt;font-family:"CiscoSansTT","sans-serif";color:#58595B">The FMC requires an FMC client certificate + private key pair for the connection from the FMC to ISE, and the client certificate must be signed by a root CA that is trusted within ISE. 
In addition, the FMC must have the root certificate(s) used to sign the ISE pxGrid certificate and the ISE MnT server certificate. The ISE pxGrid certificate and the ISE MnT server certificates cannot be self-signed.</span></p> <p class="MsoListParagraphCxSpLast" style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:#58595B">·<span style="font:7.0pt "Times New Roman""> </span></span><span style="font-size:10.0pt;font-family:"CiscoSansTT","sans-serif";color:#58595B">Secure Network Analytics requires a client certificate for the connection to ISE, signed by a root CA that is trusted within ISE for authentication.</span></p> <p class="pBody">The certificates to collect for the above connections can vary depending on ISE deployment and ISE certificate configuration. This section will cover certificate identification steps for building the pxGrid connection. Steps for installing pxGrid client certificates created through both ISE and AD are included in this section. Steps for creating and installing CA signed certs and creating CA templates for client and server auth certificates in Active Directory are included in the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html">SAFE Certificate Management Design Guide</a>.</p> <p class="pToC_Subhead3"><a name="_Toc128645224">ISE: Identify the Primary Monitoring (MnT) Node</a> </p> <p class="pBody">MnT node configuration can vary by ISE deployment. To verify which node has MnT functionality, perform the following steps.</p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="18" height="12" id="Picture 5" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_95.jpg" alt="page51image131180496"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> System <span style="font-family:Wingdings">à</span> Deployment.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Expand the dropdown arrow next to Deployment and review the available nodes. Click on the available nodes and verify which one has the primary Monitoring role, as shown below.</p> <p class="pBody"><img border="0" width="1044" height="775" id="Picture 12" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_96.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645225"></a><a name="_Toc125461676"></a><a name="_Toc123930239"></a><a name="_Generate_pxGrid_Certificates"></a>ISE: Review Certificate Details</p> <p class="pBody">The steps for meeting the pxGrid certificate requirements in the prior section will vary depending on the ISE deployment and the certificates in use. This section covers how to review the certificates deployed; steps to export certificates for different deployment scenarios are covered in the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html">SAFE Certificate Management Design Guide</a>.</p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="18" height="12" id="Picture 215" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_97.jpg" alt="page51image131180496"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> System <span style="font-family:Wingdings">à</span> Certificates.</p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Identify the Admin certificate issued to the primary MnT node and the pxGrid certificate via the Used By column. </p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>The certificates are both on the same ISE node in this example, but they could be on separate nodes depending on the deployment. </p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>The default starting configuration for ISE will assign multiple areas of functionality to a single certificate.</p> <p class="pBody"><img border="0" width="1044" height="522" id="Picture 252" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_98.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>After identifying the Admin certificate for the MnT server and the pxGrid certificate, confirm whether the Issued To and Issued By fields are different. 
If the Issued To and Issued By fields are different for a certificate, then the certificate was signed by a CA and is not self-signed (reminder that a self-signed certificate cannot be used for the FMC connection). In the example below, both certificates have been issued to the ISE node by an external CA.</p> <p class="pBody"><img border="0" width="1044" height="348" id="Picture 254" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_99.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>If needed, select a certificate and click the View or Export options to see additional details on the certificate.</p> <p class="pBody"><b><img border="0" width="738" height="336" id="Picture 309628334" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_100.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></b></p> <p class="pBody">The certificate example below shows the root certificate at the top of the hierarchy. 
This root certificate corresponds to the Issued By column in the prior screenshots, and the second entry corresponds to the Issued To column in the prior screenshots.</p> <p class="pBody"><img border="0" width="326" height="504" id="Picture 309628336" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_101.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pBody">The root certificate highlighted in red above (and appearing in the Issued By columns for both certificates in the prior screenshots) needs to be exported for the Secure Firewall pxGrid connection.</p> <p class="pBody">In this example the root certificate for both the Admin and pxGrid certificates is the same, so we only need to export one root certificate instead of two (if the Admin and pxGrid certificates were signed by different root certificates then we would need to export both). The root certificate in the Issued By column could belong to an external CA or to the ISE internal CA. Note that the example hierarchy above has only two entries (root and ISE certificate); if your deployment's certificate hierarchy shows one or more intermediate CAs between the root and the ISE certificate, the Issued By column names the intermediate CA rather than the root, so you will likely need to export the intermediate certificate(s) as well as the root so the FMC can validate the ISE certificates end to end.</p> <p class="pBody">The companion <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html">SAFE Certificate Management Design Guide</a> has procedures for certificate management of different deployment scenarios. 
For steps to retrieve a root certificate from an AD server CA, please see the section <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html#ActiveDirectoryCertificateAuthorityExportaRootCertificate">Active Directory Certificate Authority: Export a Root Certificate</a>.</p> <p class="pBody">For steps to retrieve an ISE root certificate, please see the section <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html#ISEExportanISERootCertificate">ISE: Export an ISE Root Certificate</a>.</p> <p class="pBody">If the Issued To and Issued By fields are the same for either certificate, then the certificate is self-signed; the pxGrid integration with Secure Firewall will fail if either certificate is self-signed. If it is necessary to import externally signed certificates into ISE to replace self-signed certificates, please see the sections starting with <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html#ISEGenerateCertificateSigningRequestforthepxGridRole">ISE: Generate Certificate Signing Request for the pxGrid Role</a> and ending with the section <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html#ISEBindCertificatestoCSRRequestsandAssignCertstoRoles">ISE: Bind Certificates to CSR Requests and Assign Certs to Roles</a>.</p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Once the root certificate for the MnT Server and pxGrid certificates have been obtained, save them in an accessible folder. 
Procedures for generating and importing the client certificates for Secure Firewall and Secure Network Analytics are covered in the following sections.</p> <p class="pToC_Subhead3"><a name="_Toc128645226"></a><a name="_Toc125461677"></a><a name="_Toc123930240"></a><a name="_Generate_Client_Certificates"></a>pxGrid Client Certificate Methodology</p> <p class="pBody">In addition to the root certificate(s) covered in the prior section, Secure Firewall and Secure Network Analytics both require client certificates for the pxGrid connection. The sections following this one detail two methods for generating and installing the pxGrid client certificate. </p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>For Secure Firewall, methodology is provided for creating a pxGrid client certificate template in ISE, and using the template to create a pxGrid client certificate signed by an ISE CA. 
</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Some users will prefer to generate a Certificate Signing Request (CSR) via OpenSSL and sign with an external CA; if you’re one of them, skip ahead to the <a href="#_Secure_Firewall:_Install">Secure Firewall: Install pxGrid Client Certificate</a> section.</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>For Secure Network Analytics, methodology is provided to generate a CSR within Secure Network Analytics and then create a certificate using the CSR via an Active Directory CA. </p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>This method is recommended to ensure the CSR is generated with the specific fields required by Secure Network Analytics. An external CA is also recommended to ease future maintenance of the Secure Network Analytics Trust Store.</p> <p class="pToC_Subhead3"><a name="_Toc128645227"></a><a name="_Toc125461678"></a><a name="_Toc123930241"></a><a name="_Export_Root_Certificate"></a><a name="_Export_an_ISE"></a>ISE: Modify the ISE pxGrid Certificate Template</p> <p class="pBody">ISE has a built-in portal that can be used for generating ISE CA signed certificates for pxGrid clients. While this section can be ignored for users who prefer to generate CSRs via OpenSSL, it is worth filling out the template for any user who will use ISE to create pxGrid client certificates on an ongoing basis.</p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>In the Cisco ISE GUI, click the Menu icon (<img border="0" width="18" height="12" id="Picture 208" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_97.jpg" alt="page51image131180496"/>) and choose Administration <span style="font-family:Wingdings">à</span> System <span style="font-family:Wingdings">à</span> Certificates.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>On the left menu, expand Certificate Authority and then click Certificate Templates.</p> <p class="pBody"><img border="0" width="1043" height="359" id="Picture 309628462" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_102.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Check the box next to pxGrid_Certificate_Template and then click Edit.</p> <p class="pBody"><img border="0" width="1044" height="520" id="Picture 199" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_103.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Fill in the certificate details as applicable and change the Key Size and Valid Period if desired. If you change these values, keep the key size at 2048 bits or larger and choose a validity period that matches your organization's certificate-rotation policy; every pxGrid client certificate issued from this template will carry the values set here. 
Click Save when finished.</p> <p class="pBody"><img border="0" width="1044" height="619" id="Picture 309628460" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_104.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pBody">The template will be used in the next section.</p> <p class="pToC_Subhead3"><a name="_Toc128645228"></a><a name="_Toc125461679"></a><a name="_Toc123930242"></a><a name="_Generate_pxGrid_Client"></a><a name="_ISE:_Generate_pxGrid"></a>ISE: Generate pxGrid Client Certificate for Secure Firewall</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>In the Cisco ISE GUI, click the Menu icon (<img border="0" width="18" height="12" id="Picture 202" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_97.jpg" alt="page51image131180496"/>) and choose Administration <span style="font-family:Wingdings">à</span> pxGrid Services <span style="font-family:Wingdings">à</span> Client Management.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Select Certificates from the left menu.</p> <p class="pBody"><img border="0" width="1044" height="221" id="Picture 309628461" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_105.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Populate all the required fields and Subject Alternative Name (SAN) entries for the client device, if desired. The example below specifies the Common Name (CN), Fully Qualified Domain Name (FQDN), and SAN field entries for a FMC. 
The ‘I want to’ field is set to generate a certificate without a CSR, but this field also has an option to import a previously generated CSR file. Note that the pxGrid Certificate Template configured in the last section is used here. Finally, the option to generate the certificate in PKCS8 PEM format has been selected. This will generate a group of certificates and a key in a format that can be uploaded to the FMC. </p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>Record the password set on this form. It protects the exported private key and must be entered when the key file is imported into the FMC later. </p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Click Create.</p> <p class="pBody"><img border="0" width="1044" height="716" id="Picture 210" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_106.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pBody">The files will download as a zip folder. Because the zip contains the client's private key, treat it as sensitive material: store it in a controlled location and delete any local copies once the key has been imported into the FMC. </p> <p class="pBody"><img border="0" width="1044" height="113" id="Picture 211" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_107.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">Extracting the zip file will display a certificate, four ISE chain certificates, and a key. 
The highlighted certs and key can be used to add ISE as an identity source in the FMC.</p> <p class="pBody"><img border="0" width="1044" height="246" id="Picture 309628128" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_108.png" alt="TableDescription automatically generated"/></p> <p class="pBody">The first highlighted entry is the root certificate (note the RootCA text) that ISE used to sign the generated pxGrid client certificate. The second highlighted entry is the pxGrid client certificate itself. The last highlighted entry is the key associated with the pxGrid client certificate.</p> <p class="pToC_Subhead3"><a name="_Toc128645229"></a><a name="_Toc125461680"></a><a name="_Toc123930243"></a><a name="_Import_ISE_Certificates"></a><a name="_Install_pxGrid_Client"></a><a name="_Secure_Firewall:_Install"></a>Secure Firewall: Install pxGrid Client Certificate</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>In the FMC GUI, navigate to Objects <span style="font-family:Wingdings">à</span> Object Management.</p> <p class="pBody"><img border="0" width="1043" height="118" id="Picture 150" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_109.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Expand the dropdown for PKI in the left side menu, then click Internal Certs. Click the Add Internal Cert button.</p> <p class="pBody"><img border="0" width="1043" height="672" id="Picture 309628130" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_110.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>Enter a name for the new internal cert and upload the certificate file and associated private key file generated in the prior section (<a href="#_ISE:_Generate_pxGrid">Generate pxGrid Client Certificate for Secure Firewall</a>). Check the Encrypted box and enter the password set during the .pvk file's creation. Remove any text that appears before the BEGIN line or after the END line for either file (the Save option will be greyed out if there is any text before the BEGIN line or after the END line). Click Save.</p> <p class="pBody"><img border="0" width="652" height="542" id="Picture 155" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_111.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Confirm the new certificate is added.</p> <p class="pBody"><img border="0" width="918" height="790" id="Picture 157" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_112.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645230"></a><a name="_Toc125461681"></a><a name="_Toc123930244">ISE: Import Secure Firewall pxGrid Client Certificate CA</a></p> <p class="pBody">This step is not necessary if the pxGrid client certificate was generated by ISE (as it was in the prior sections, in which case the CA is already trusted by ISE), or if the CA that signed the pxGrid client cert is already imported into ISE as a trusted CA. 
If neither of those scenarios apply, acquire the root certificate for the pxGrid client certificate and follow the steps in the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html#ISEAddanExternalCertificatetotheTrustedCertificateStore">ISE: Add an External Certificate to the Trusted Certificate Store</a> section.</p> <p class="pToC_Subhead3"><a name="_Toc128645231"></a><a name="_Toc125461682"></a><a name="_Toc123930245"></a><a name="_Add_the_Root"></a><a name="_Secure_Firewall:_Add"></a>Secure Firewall: Add the Root Certificate for the ISE MnT Server and pxGrid Certs to the FMC Trust Store</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Return to the FMC Objects page and click on the Trusted CAs section under PKI, then click the Add Trusted CA button.</p> <p class="pBody"><img border="0" width="1044" height="567" id="Picture 309628149" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_113.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Enter a name for the certificate, then upload the root certificate (or certificates) collected in the <a href="#_Generate_pxGrid_Client">Generate pxGrid Client Certificate for Secure Firewall</a> section. The uploaded certificate(s) must be the root certificate(s) used to sign the ISE MnT Server and pxGrid certificates. Click Save.</p> <p class="pBody"><img border="0" width="626" height="536" id="Picture 309628151" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_114.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>If desired, search for the uploaded certificate to confirm successful upload.</p> <p class="pBody"><img border="0" width="1043" height="567" id="Picture 309628152" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_115.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645232"></a><a name="_Toc125461683"></a><a name="_Toc123930246"></a><a name="_Secure_Firewall:_Configure"></a>Secure Firewall: Configure ISE as an Identity Source</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the FMC, navigate to Integration <span style="font-family:Wingdings">à</span> Other Integrations.</p> <p class="pBody"><img border="0" width="1043" height="148" id="Picture 113" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_116.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click on Identity Sources, then select the Identity Services Engine radio button.</p> <p class="pBody"><img border="0" width="1044" height="279" id="Picture 309628153" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_117.png" alt="Graphical user interface, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Enter the IP or hostname of the primary ISE pxGrid node, and the secondary pxGrid node if applicable. 
For the pxGrid Client Certificate, select the certificate uploaded in the <a href="#_Import_ISE_Certificates">Install pxGrid Client Certificate</a> section. For the MnT Server CA and pxGrid Server CA, select the certificate(s) uploaded in the <a href="#_Secure_Firewall:_Add">Add the Root Certificate for the ISE MnT Server and pxGrid Certs to the FMC Trust Store</a> section. Ensure that Session Directory Topic and SXP Topic are selected. Click the Test button to verify connectivity.</p> <p class="pBody"><img border="0" width="1043" height="699" id="Picture 309628155" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_118.png" alt="Graphical user interface, text, emailDescription automatically generated"/></p> <p class="pBody">The Test output will show success or failure for the pxGrid connection. The example below shows a connection failure; however, expanding the Additional Logs drop-down shows that the connection failed because the Subscriber request is pending approval in ISE (this error will not occur if Subscriber requests are automatically approved in ISE).</p> <p class="pBody"><img border="0" width="430" height="380" id="Picture 309628157" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_119.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">The Test connection can also fail if the FMC does not have a route to ISE, if DNS name resolution for the ISE node fails, if ISE services are not running, or if any of the three certificates (pxGrid Client Certificate, MnT Server CA, or pxGrid Server CA) is incorrect. For the error above, we only need to approve the Subscriber request in ISE. </p> <p class="pStep1CMT"><b>Step 4. 
<span style="font:7.0pt "Times New Roman""> </span></b>If approval is needed, return to the ISE GUI, click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628463" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Work Centers <span style="font-family:Wingdings">à</span> PassiveID <span style="font-family:Wingdings">à</span> Subscribers.</p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Click on Clients. There should be a Pending request from the FMC.</p> <p class="pBody"><img border="0" width="1043" height="479" id="Picture 309628159" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_120.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Check the box next to the pending entry and then click Approve. Note: this approval is only for the test connection. The FMC will generate a separate request for the saved config.</p> <p class="pBody"><img border="0" width="1043" height="473" id="Picture 309628160" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_121.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>A prompt appears asking for confirmation. 
Click OK.</p> <p class="pBody"><img border="0" width="434" height="258" id="Picture 309628161" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_122.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Verify the Status changes to Enabled.</p> <p class="pBody"><img border="0" width="1044" height="480" id="Picture 309628162" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_123.png" alt="Graphical user interface, text, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt "Times New Roman""> </span></b>Return to the FMC and run the Test again.</p> <p class="pBody"><img border="0" width="1043" height="699" id="Picture 309628163" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_118.png" alt="Graphical user interface, text, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 10. <span style="font:7.0pt "Times New Roman""> </span></b>Status should show Success. If it does not, click the Additional Logs dropdown to troubleshoot.</p> <p class="pBody"><img border="0" width="432" height="268" id="Picture 309628164" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_124.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 11. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click OK, then click the Save button to submit the configuration.</p> <p class="pBody"><img border="0" width="1043" height="298" id="Picture 309628165" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_125.png" alt="Graphical user interface, textDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 12. <span style="font:7.0pt "Times New Roman""> </span></b>The saved configuration will also need approval as a Subscriber in ISE. If manual approval is needed, return to the ISE GUI, and navigate to Work Centers <span style="font-family:Wingdings">à</span> PassiveID <span style="font-family:Wingdings">à</span> Subscribers.</p> <p class="pStep1CMT"><b>Step 13. <span style="font:7.0pt "Times New Roman""> </span></b>Click on Clients. There should be a new Pending request from the FMC.</p> <p class="pBody"><img border="0" width="1043" height="514" id="Picture 309628171" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_126.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 14. <span style="font:7.0pt "Times New Roman""> </span></b>Check the box next to the pending entry and then click Approve. </p> <p class="pBody"><img border="0" width="1043" height="507" id="Picture 309628173" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_127.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 15. <span style="font:7.0pt "Times New Roman""> </span></b>A prompt appears asking for confirmation. 
Click OK.</p> <p class="pBody"><img border="0" width="434" height="258" id="Picture 309628169" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_122.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 16. <span style="font:7.0pt "Times New Roman""> </span></b>Verify the status changes to Enabled.</p> <p class="pBody"><img border="0" width="1043" height="516" id="Picture 309628174" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_128.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645233"></a><a name="_Toc125461684"></a><a name="_Toc123930247">Secure Firewall: Verify ISE Subscriber Data</a></p> <p class="pBody">Now that Secure Firewall is configured as an ISE Subscriber, the FMC will receive ISE Security Groups for use in Dynamic SGT and user session information that provides user to IP mapping.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>In the FMC, navigate to Policies <span style="font-family:Wingdings">à</span> Access Control.</p> <p class="pBody"><img border="0" width="758" height="134" id="Picture 309628175" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_129.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the pencil icon to edit the applied policy or create a new one.</p> <p class="pBody"><img border="0" width="1043" height="170" id="Picture 309628176" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_130.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Add Rule button.</p> <p class="pBody"><img border="0" width="1043" height="168" id="Picture 309628177" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_131.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Click on Dynamic Attributes.</p> <p class="pBody"><img border="0" width="1044" height="574" id="Picture 309628179" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_132.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the dropdown arrow underneath Available Attributes, then select Security Group Tag.</p> <p class="pBody"><img border="0" width="1044" height="605" id="Picture 309628181" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_133.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The Available Attributes list will display groups retrieved from ISE that can be used for dynamic SGT.</p> <p class="pBody"><img border="0" width="1044" height="801" id="Picture 309628182" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_134.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645234"></a><a name="_Toc125461685"></a><a name="_Toc123930248">Secure Network Analytics: Configure pxGrid Integration</a></p> <p class="pBody">This section will create a client certificate that the SMC will use to connect to ISE. While a Secure Network Analytics deployment will run fine with default self-signed certificates, external CA signed certificates are recommended as a best practice and are required for advanced security features such as FIPS. 
This guide will cover the import of a root CA certificate into the Secure Analytics Trust Store and the creation of an externally signed pxGrid client certificate.</p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>It is possible to use ISE as a CA for this process if another external CA is not available, but a domain-wide CA is recommended.</p> <p class="pToC_Subhead3"><a name="_Toc128645235"></a><a name="_Toc125461686"></a><a name="_Toc123930249"></a><a name="_Active_Directory_and"></a>Active Directory and Secure Analytics: Export CA Root Certificate</p> <p class="pBody">You should already have the CA root certificate from a prior step, but if not, retrieve it now. </p> <p class="pBody">To export a root certificate from an Active Directory CA, access the CA server by appending /certsrv/ to the AD server hostname, e.g.</p> <p class="MsoListParagraphCxSpFirst" style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:#58595B">·<span style="font:7.0pt "Times New Roman""> </span></span><span style="font-size:10.0pt;font-family:"CiscoSansTT","sans-serif";color:#58595B">adserver.example.com</span></p> <p class="MsoListParagraphCxSpLast" style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:#58595B">·<span style="font:7.0pt "Times New Roman""> </span></span><span style="font-size:10.0pt;font-family:"CiscoSansTT","sans-serif";color:#58595B">adserver.example.com/certsrv/</span></p> <p class="pBody"> </p> <p class="pBody"><img border="0" width="1044" height="344" id="Picture 309628186" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_135.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Download a CA certificate, certificate chain, or CRL option.</p> <p class="pBody"><img border="0" width="1044" height="344" id="Picture 309628187" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_136.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Set the encoding method if desired, then click Download CA certificate.</p> <p class="pBody"><img border="0" width="1044" height="649" id="Picture 309628188" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_137.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645236"></a><a name="_Toc125461687"></a><a name="_Toc123930250">Secure Analytics: Import Root CA Certificate into the Trust Store</a></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>This section will result in an appliance reboot. If necessary, schedule a change window before performing these steps.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the SMC GUI, click the gear icon and select Central Management.</p> <p class="pBody"><img border="0" width="1043" height="74" id="Picture 309628183" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_138.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Identify the primary Manager, click the ellipsis, and select Edit Appliance Configuration.</p> <p class="pBody"><img border="0" width="1043" height="333" id="Picture 309628184" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_139.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click the General tab and scroll down to the Trust Store. Click Add New.</p> <p class="pBody"><img border="0" width="1042" height="382" id="Picture 309628185" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_140.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Enter a friendly name for the certificate, select the root CA certificate file, then click Add Certificate.</p> <p class="pBody"><img border="0" width="1044" height="149" id="Picture 309628189" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_141.png" alt="Graphical user interface, application, websiteDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>The new certificate will immediately appear in the Trust Store. 
Click Apply Settings.</p> <p class="pBody"><img border="0" width="1042" height="355" id="Picture 309628190" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_142.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Note the reboot warning, then click Apply Changes again if the change can proceed. </p> <p class="pBody"><img border="0" width="658" height="322" id="Picture 309628191" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_143.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Wait for Appliance Status to change from Config Changes Pending to Up before proceeding.</p> <p class="pBody"><img border="0" width="1043" height="381" id="Picture 309628192" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_144.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pBody"> </p> <p class="pBody"><img border="0" width="1043" height="387" id="Picture 309628193" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_145.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pBody">While not required, it is recommended to import the root certificate into the Trust Stores of the other Secure Analytics appliances for future use.</p> <p class="pToC_Subhead3"><a name="_Toc128645237"></a><a name="_Toc125461688"></a><a name="_Toc123930251">Secure Analytics and Active 
Directory: Generate and Sign a pxGrid Client Certificate</a></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>This section uses an AD CA certificate template with the Client Authentication and Server Authentication fields. If you don’t have one already, please see the section <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html#ActiveDirectoryCreateaClientandServerAuthenticationTemplate">Active Directory: Create a Client and Server Authentication Template</a> before proceeding.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the SMC GUI, click the gear icon and select Central Management.</p> <p class="pBody"><img border="0" width="1043" height="74" id="Picture 309628194" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_146.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Identify the primary Manager, click the ellipses, and select Edit Appliance Configuration.</p> <p class="pBody"><img border="0" width="1043" height="333" id="Picture 309628195" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_147.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>From the Appliance tab, scroll down to the Additional SSL/TLS Client Identities section, then click Add New.</p> <p class="pBody"><img border="0" width="1043" height="585" id="Picture 309628196" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_148.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Select the radio button for Yes to generate a CSR, then click Next.</p> <p class="pBody"><img border="0" width="1042" height="136" id="Picture 309628197" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_149.png" alt="A picture containing graphical user interfaceDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Select an RSA Key Length and fill in certificate details as desired. Click Generate CSR.</p> <p class="pBody"><img border="0" width="1043" height="296" id="Picture 309628198" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_150.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. 
<span style="font:7.0pt "Times New Roman""> </span></b>When the generation process completes, click the Download CSR button, and save the file.</p> <p class="pBody"><img border="0" width="1043" height="143" id="Picture 309628199" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_151.png" alt="Graphical user interface, application, websiteDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Access the CA server and click on Request a certificate.</p> <p class="pBody"><img border="0" width="1042" height="348" id="Picture 309628200" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_152.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Select the advanced certificate request option.</p> <p class="pBody"><img border="0" width="648" height="256" id="Picture 309628201" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_153.png" alt="TextDescription automatically generated"/></p> <p class="pBody">The advanced certificate request page prompts for entry of a CSR in text format.</p> <p class="pBody"><img border="0" width="648" height="631" id="Picture 309628202" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_154.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. 
<span style="font:7.0pt "Times New Roman""> </span></b>Locate the CSR file to upload and open with a text editor (right-click the CSR file and select ‘Open with…’ if the CSR is not associated with a text editor by default).</p> <p class="pBody"><img border="0" width="1044" height="203" id="Picture 309628207" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_155.png" alt="Graphical user interfaceDescription automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 10. <span style="font:7.0pt "Times New Roman""> </span></b>Copy the entire block of text starting with the BEGIN line and ending with the END line.</p> <p class="pBody"><img border="0" width="530" height="1006" id="Picture 309628208" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_156.png" alt="Background patternDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 11. <span style="font:7.0pt "Times New Roman""> </span></b>Return to the CA server and paste the copied text into the Request field. The certificate must be generated with Client Authentication and Server Authentication fields. If needed, create a suitable template using the steps in the <a href="#_Active_Directory:_Create">Create a Client and Server Authentication Template</a> section. Click Submit.</p> <p class="pBody"><img border="0" width="648" height="633" id="Picture 309628209" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_157.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 12. <span style="font:7.0pt "Times New Roman""> </span></b>Select Base 64 encoded and click Download certificate. 
It is recommended to give the certificate a clear name that describes its device and purpose.</p> <p class="pBody"><img border="0" width="648" height="287" id="Picture 309628206" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_158.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 13. <span style="font:7.0pt "Times New Roman""> </span></b>Return to the Additional SSL/TLS Client Identities for the SMC. Enter a friendly name for the certificate, choose the file, and click Add Client Identity.</p> <p class="pBody"><img border="0" width="1042" height="542" id="Picture 309628210" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_159.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 14. <span style="font:7.0pt "Times New Roman""> </span></b>The new identity will appear. Click Apply Settings.</p> <p class="pBody"><img border="0" width="1042" height="585" id="Picture 309628211" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_160.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 15. <span style="font:7.0pt "Times New Roman""> </span></b>Click Apply Changes.</p> <p class="pBody"><img border="0" width="648" height="317" id="Picture 309628212" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_161.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 16. 
<span style="font:7.0pt "Times New Roman""> </span></b>Wait for Appliance Status to change from Config Changes Pending to Up.</p> <p class="pBody"><img border="0" width="1043" height="381" id="Picture 309628213" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_144.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pBody"> </p> <p class="pBody"><img border="0" width="1043" height="387" id="Picture 309628214" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_145.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645238"></a><a name="_Toc125461689"></a><a name="_Toc123930252">Secure Analytics and ISE: Configure pxGrid and ANC</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the SMC, click on Deploy <span style="font-family:Wingdings">à</span> Cisco ISE Configuration.</p> <p class="pBody"><img border="0" width="1043" height="146" id="Picture 309628216" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_162.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click the ‘Add new configuration’ button.</p> <p class="pBody"><img border="0" width="1042" height="138" id="Picture 309628217" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_163.png" alt="A picture containing timelineDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>Under Certificate, select the certificate that was added in the prior section. Enter IP or host information for the pxGrid node(s) and name the cluster and client. Under Integrated Product, select the Cisco ISE radio button and check the boxes for Adaptive Network Control, Static SGT Classifications, and Sessions. If desired, check the box for Track sessions derived from machine authentication. Click Save.</p> <p class="pBody"><img border="0" width="1043" height="438" id="Picture 309628464" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_164.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Review Status. The Status will show as yellow if the client request is pending approval in ISE.</p> <p class="pBody"><img border="0" width="1043" height="233" id="Picture 309628219" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_165.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>In ISE, navigate to Administration <span style="font-family:Wingdings">à</span> pxGrid Services <span style="font-family:Wingdings">à</span> Client Management.</p> <p class="pBody"><img border="0" width="1043" height="166" id="Picture 309628220" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_166.png" alt="A screenshot of a computerDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>A new client for the SMC should be visible. 
In this example, the client is pending approval.</p> <p class="pBody"><img border="0" width="1043" height="553" id="Picture 309628221" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_167.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Select the SMC client request and click Approve.</p> <p class="pBody"><img border="0" width="1043" height="557" id="Picture 309628222" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_168.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Verify the client is enabled.</p> <p class="pBody"><img border="0" width="1043" height="547" id="Picture 309628223" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_169.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt "Times New Roman""> </span></b>Return to the SMC and click refresh.</p> <p class="pBody"><img border="0" width="1043" height="242" id="Picture 309628224" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_170.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 10. 
<span style="font:7.0pt "Times New Roman""> </span></b>Client status should turn to green, confirming successful integration.</p> <p class="pBody"><img border="0" width="1043" height="240" id="Picture 309628226" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_171.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645239"></a><a name="_Toc125461690"></a><a name="_Toc123930253"></a><a name="_Adaptive_Network_Control"></a>Adaptive Network Control Configuration</p> <p class="pBody">The pxGrid communication channel between Secure Analytics and ISE was configured in the prior section with the ANC feature. Additional ISE side configuration is necessary to fully utilize the ANC functionality. The configuration is covered in the following sections.</p> <p class="pToC_Subhead3"><a name="_Toc128645240"></a><a name="_Toc125461691"></a><a name="_Toc123930254">ISE: Add Secure Analytics to Adaptive Network Control (ANC) Client Group</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628465" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> pxGrid Services <span style="font-family:Wingdings">à</span> Client Management.</p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Check the box next to the SMC client added previously and then click Edit.</p> <p class="pBody"><img border="0" width="1043" height="555" id="Picture 309628229" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_172.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click the drop-down arrow for Client Groups and select ANC. Click Save.</p> <p class="pBody"><img border="0" width="1043" height="864" id="Picture 309628231" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_173.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>ANC will now appear under the Client Groups column for the SMC.</p> <p class="pBody"><img border="0" width="1043" height="560" id="Picture 309628232" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_174.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645241"></a><a name="_Toc125461692"></a><a name="_Toc123930255">ISE: Configure ANC Policy List</a></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628466" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Operations <span style="font-family:Wingdings">à</span> Adaptive Network Control.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Add button.</p> <p class="pBody"><img border="0" width="1043" height="321" id="Picture 309628235" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_175.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Name the Policy List and add QUARANTINE under actions. Note: it is recommended to name this policy ‘Quarantine’; there are several steps involved in tying the action to the network isolation outcome. Click Submit.</p> <p class="pBody"><img border="0" width="404" height="440" id="Picture 309628237" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_176.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. 
<span style="font:7.0pt "Times New Roman""> </span></b>The Policy Name and ANC Action will populate.</p> <p class="pBody"><img border="0" width="1044" height="357" id="Picture 309628266" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_177.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645242"></a><a name="_Toc125461693"></a><a name="_Toc123930256">ISE: Add ANC Policy to ISE Authorization Policy</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Navigate to Policy <span style="font-family:Wingdings">à</span> Policy Sets.</p> <p class="pBody"><img border="0" width="830" height="176" id="Picture 309628241" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_178.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">Click on > to view the desired policy.</p> <p class="pBody"><img border="0" width="1044" height="184" id="Picture 309628242" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_179.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>The ANC policies can be added to either the Authorization Policy Local or Global exceptions. This guide uses the Global example. 
Click the > icon to expand Global Exceptions, then click the + button to add a new rule.</p> <p class="pBody"><img border="0" width="1044" height="563" id="Picture 309628248" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_180.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Give the rule a name (once again, Quarantine is recommended) and then click the + icon in the middle of the rule to open the Conditions Studio.</p> <p class="pBody"><img border="0" width="1043" height="671" id="Picture 309628249" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_181.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Click the top line that has the text ‘Click to add an attribute’. Search ‘anc’ in the Attribute Column and click on ANCPolicy.</p> <p class="pBody"><img border="0" width="1" height="1" id="Picture 309628252" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_182.png" alt="Related image, diagram or screenshot"/> <img border="0" width="1043" height="462" id="Picture 309628253" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_183.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Leave the first value as Equals, click the second dropdown arrow, and select Quarantine. 
Click the Use button.</p> <p class="pBody"><img border="0" width="1043" height="1088" id="Picture 309628267" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_184.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Finally, click the dropdown under Profiles and associate the Quarantine action with the DenyAccess profile. Note: some deployments may prefer not to deny all access with the Quarantine action. If that is the case, the profile can be set to PermitAccess (or another profile) and a Quarantine SGT assigned. Click Save.</p> <p class="pBody"><img border="0" width="1043" height="453" id="Picture 309628264" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_185.png" alt="Graphical user interface, application, email, TeamsDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645243"></a><a name="_Toc125461694"></a><a name="_Toc123930257">Configure Netflow</a></p> <p class="pBody">Netflow serves as a monitoring backbone for network traffic. A well-designed Netflow architecture can provide data on the origination and termination of every network connection, along with capturing data at intermediary points in the traffic path. This connection data can be used both for connectivity troubleshooting and Secure Analytics. In this guide we’ll aggregate Netflow logs from a switch and firewall into the Cisco Telemetry Broker, then send Netflow data from CTB to Secure Network Analytics for heuristic security analysis.</p> <p class="pBody">This guide demonstrates Netflow configuration for the Secure Firewall and Catalyst 9300 platforms. 
</p> <p class="pToC_Subhead3"><a name="_Toc128645244"></a><a name="_Toc125461695"></a><a name="_Toc123930258">Switch: Configure Netflow</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the GUI, navigate to Configuration <span style="font-family:Wingdings">à</span> Services <span style="font-family:Wingdings">à</span> Netflow.</p> <p class="pBody"><img border="0" width="684" height="434" id="Picture 2" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_186.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Add button.</p> <p class="pBody"><img border="0" width="576" height="170" id="Picture 8" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_187.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Since we intend to use this Netflow for Secure Analytics, we’ll use the StealthWatch Netflow Template. Enter the IP of the Telemetry Broker Node’s telemetry interface (the CTB node has two interfaces, one for management and one to receive telemetry data), the standard Netflow port of 2055, specify an Export Interface for the switch, and select a Sampling Method. For this example we’re using Full Netflow, but we could change this to Deterministic or Random for a heavily utilized switch. 
Select all interfaces for which Netflow should be collected and click Apply to Device.</p> <p class="pBody"><img border="0" width="744" height="690" id="Picture 309628467" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_188.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Confirm the details for the new Netflow config.</p> <p class="pBody"><img border="0" width="1044" height="127" id="Picture 309628469" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_189.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>To review or save the added running-config, click the Save Configuration icon.</p> <p class="pBody"><img border="0" width="524" height="80" id="Picture 56" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_190.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Show Diff button to review configuration changes made since the last time running-config was copied to startup.</p> <p class="pBody"><img border="0" width="496" height="146" id="Picture 57" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_191.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. 
<span style="font:7.0pt "Times New Roman""> </span></b>Scroll down and review config additions listed in green.</p> <p class="pBody"><img border="0" width="1044" height="501" id="Picture 309628470" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_192.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody"><img border="0" width="1044" height="350" id="Picture 309628476" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_193.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>When satisfied, click Apply to Device to copy the running-config to startup-config.</p> <p class="pToC_Subhead3"><a name="_Toc128645245"></a><a name="_Toc125461696"></a><a name="_Toc123930259">Secure Firewall: Configure Netflow</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Navigate to Objects <span style="font-family:Wingdings">à</span> Object Management.</p> <p class="pBody"><img border="0" width="1045" height="177" id="Picture 69" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_194.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Select FlexConfig <span style="font-family:Wingdings">à</span> Text Objects from the left menu.</p> <p class="pBody"><img border="0" width="1043" height="399" id="Picture 309628045" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_195.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Enter the word ‘netflow’ in the search bar and click the pencil icon to edit the netflow_Destination object.</p> <p class="pBody"><img border="0" width="1043" height="150" id="Picture 309628082" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_196.png" alt="Graphical user interface, text, application, email, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Set the count to 3, specify the interface that will send Netflow data, and set the IP address and port for the Netflow collector. In this example, Netflow is sent from a data interface for a management network to the Cisco Telemetry Broker node telemetry interface over the default Netflow port of 2055. Click Save.</p> <p class="pBody"><img border="0" width="536" height="644" id="Picture 309628063" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_197.png" alt="Graphical user interface, text, applicationDescription automatically generated"/> </p> <p class="pStep1CMT"><b>Step 5. 
<span style="font:7.0pt "Times New Roman""> </span></b>Navigate to Devices <span style="font-family:Wingdings">à</span> FlexConfig.</p> <p class="pBody"><img border="0" width="866" height="270" id="Picture 70" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_198.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Click the New Policy button in the upper right.</p> <p class="pBody"><img border="0" width="410" height="124" id="Picture 309628086" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_199.png" alt="Graphical user interfaceDescription automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Set a name and add the target device to the policy. Click Save</p> <p class="pBody"><img border="0" width="688" height="596" id="Picture 309628087" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_200.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>From the left side menu, select Netflow_Add_Destination and Netflow_Set_Parameters, then use the > button to append them to the FlexConfig.</p> <p class="pBody"><img border="0" width="1044" height="1172" id="Picture 309628088" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_201.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click Save, then Deploy.</p> <p class="pBody"><img border="0" width="1044" height="437" id="Picture 309628090" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_202.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 10. <span style="font:7.0pt "Times New Roman""> </span></b>Click to deploy changes.</p> <p class="pBody"><img border="0" width="648" height="109" id="Picture 309628091" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_203.png" alt="A picture containing chartDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 11. <span style="font:7.0pt "Times New Roman""> </span></b>A validation warning appears when deploying a FlexConfig policy. Click on it to review the message.</p> <p class="pBody"><img border="0" width="648" height="104" id="Picture 309628092" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_204.png" alt="Graphical user interface, applicationDescription automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 12. <span style="font:7.0pt "Times New Roman""> </span></b>Review the message about FlexConfig validation, then click Proceed with Deploy when ready.</p> <p class="pBody"><img border="0" width="648" height="314" id="Picture 309628093" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_205.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 13. 
<span style="font:7.0pt 'Times New Roman'"> </span></b>Confirm successful deployment.</p> <p class="pBody"><img border="0" width="648" height="101" id="Picture 309628094" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_206.png" alt="A picture containing graphical user interfaceDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 14. <span style="font:7.0pt 'Times New Roman'"> </span></b>FlexConfig is intended as a one-time change, so the FlexConfig objects should be removed from the FlexConfig policy after they have been applied. This also frees the generic objects to be modified and applied to other firewalls, as needed. Return to the FlexConfig policy and click the trash icons to remove the Netflow_Add_Destination and Netflow_Set_Parameters objects.</p> <p class="pBody"><img border="0" width="1044" height="418" id="Picture 309628344" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_207.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt 'Times New Roman'"> </span></span></b>Removing the objects from the policy does not overwrite or remove the configuration that was previously applied to the device.</p> <p class="pStep1CMT"><b>Step 15. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click Save, then Deploy the changes again.</p> <p class="pBody"><img border="0" width="1043" height="422" id="Picture 309628345" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_208.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>If there is ever a need to clear the applied Flex Config objects, use the Netflow_Clear_Parameters and Netflow_Delete_Destination objects on the left side menu.</p> <p class="pBody"><img border="0" width="396" height="405" id="Picture 309628346" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_209.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645246"></a><a name="_Toc125461697"></a><a name="_Toc123930260">CTB Manager: Verify Netflow Sources</a></p> <p class="pBody">In the prior sections, the Secure Firewall and Catalyst switch were configured to send Netflow data to the CTB Node telemetry interface. 
These flows can be verified from the Sources tab of the CTB Manager.</p> <p class="pBody"><img border="0" width="1044" height="478" id="Picture 309628077" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_210.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">Confirm all configured Netflow sources have the green check mark and show Active status in the CTB Manager, then continue to the next section.</p> <p class="pToC_Subhead3"><a name="_Toc128645247"></a><a name="_Toc125461698"></a><a name="_Toc123930261">CTB Manager: Configure Netflow Destinations</a></p> <p class="pBody">CTB is now aggregating Netflow data from two devices. The first destination for that Netflow will be the Secure Network Analytics Netflow Collector.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>In the CTB Manager GUI, navigate to Destinations, click the Add Destination button, and select UDP Destination.</p> <p class="pBody"><img border="0" width="1043" height="498" id="Picture 60" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_211.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Enter a name for the Netflow destination, set the IP for the Secure Analytics Flow Collector, and set the default Netflow port of 2055. Leave the option to Check Destination Reachability checked so that CTB can verify that the destination is reachable. 
Click Save.</p> <p class="pBody"><img border="0" width="552" height="434" id="Picture 61" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_212.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt 'Times New Roman'"> </span></b>With the Netflow destination added, a rule must be configured that specifies which sources' Netflow data is forwarded to that destination. First, verify that CTB can reach the Netflow destination by confirming the green Reachable indicator highlighted below. If the destination is reachable, click Add Rule.</p> <p class="pBody"><img border="0" width="1044" height="209" id="Picture 63" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_213.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt 'Times New Roman'"> </span></b>Set the receiving port to the Netflow default of 2055. For the ‘Include sources in these subnets’ field, enter subnets that include the hosts that are sending Netflow data to the CTB (in this example, the Secure Firewall and Catalyst switch). The subnets specified can either be broad, to capture an entire network site, or limited to specific hosts. 
Click Save.</p> <p class="pBody"><img border="0" width="502" height="380" id="Picture 309628478" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_214.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The destination and the rule have now been created.</p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt 'Times New Roman'"> </span></span></b>The destination IP and port (the Secure Analytics Flow Collector) are listed in the top left, and the rule for Netflow sources is in the lower left; the rule also shows the number of sources currently matching it (here, the switch and the firewall).</p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt 'Times New Roman'"> </span></b>Confirm that the Sent Rate (the blue line) begins populating after the rule is created.</p> <p class="pBody"><img border="0" width="1" height="1" id="Picture 309628083" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_215.png" alt="Related image, diagram or screenshot"/> <img border="0" width="1" height="1" id="Picture 309628084" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_215.png" alt="Related image, diagram or screenshot"/> <img border="0" width="1044" height="283" id="Picture 309628050" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_216.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645248"></a><a name="_Toc125461699"></a><a name="_Toc123930262"></a><a name="_Configure_pxGrid_for"></a>Secure Analytics: Validate Flow Data</p> <p 
class="pBody">In the previous section, the CTB Manager showed that the Secure Analytics Flow Collector is reachable and that flow data is being sent to it.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt 'Times New Roman'"> </span></b>To confirm that flow data is being received, connect to the Secure Analytics Manager and navigate to Dashboards → Network Security.</p> <p class="pBody"><img border="0" width="1044" height="141" id="Picture 309628078" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_217.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pBody">The Network Security page has a Flow Collection Trend chart that displays flows per second.</p> <p class="pBody"><img border="0" width="1043" height="929" id="Picture 309628089" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_218.png" alt="Graphical user interface, application, tableDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt 'Times New Roman'"> </span></b>Confirm that the flows per second value is greater than 0.</p> <p class="pToC_Subhead2"><a name="_Toc128645249"></a><a name="_Toc125461700"></a><a name="_Toc123930263">Configure TrustSec</a></p> <p class="pBody"><b>ISE: Create TrustSec AAA Server</b></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628479" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Work Centers <span style="font-family:Wingdings">à</span> TrustSec <span style="font-family:Wingdings">à</span> Components.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Expand the Trustsec Servers dropdown arrow, then click on Trustsec AAA Servers.</p> <p class="pBody"><img border="0" width="1044" height="353" id="Picture 50" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_219.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click on an existing AAA server to confirm details or click the Add button to create one.</p> <p class="pBody"><img border="0" width="1044" height="344" id="Picture 51" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_220.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. 
<span style="font:7.0pt "Times New Roman""> </span></b>Set a name, specify the IP of the ISE node that will serve as the TrustSec AAA server (this will probably be the primary node, and some deployments will want to configure multiple nodes), set the port to 1812, then click Save.</p> <p class="pBody"><img border="0" width="1044" height="329" id="Picture 52" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_221.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645250"></a><a name="_Toc125461701"></a><a name="_Toc123930264"></a><a name="_ISE:_Add_Switches"></a>ISE: Add Switches as Network Devices</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628672" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> Network Resources <span style="font-family:Wingdings">à</span> Network Devices.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Add button (or select an existing switch and click Edit).</p> <p class="pBody"><img border="0" width="1043" height="302" id="Picture 309628273" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_222.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>Enter a name, set the IP address of the interface or VLAN that will connect to Cisco ISE, select Cisco as the Device Profile, set model and software information if desired, and set Location, IPSEC, and Device Type values.</p> <p class="pBody"><img border="0" width="1042" height="975" id="Picture 309628311" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_223.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>New locations and device types can be created by clicking the dropdown arrows and then clicking the gear icon, as shown below.</p> <p class="pBody"><img border="0" width="1044" height="189" id="Picture 309628132" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_224.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Check the box for RADIUS Authentication Settings and expand the dropdown arrow.</p> <p class="pBody"><img border="0" width="1042" height="853" id="Picture 309628320" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_225.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Enter a Shared Secret and record it for later use, as it will be needed for the switch side configuration. Leave the CoA Port with the default value of 1700. 
DTLS can be configured for additional security if desired, and KeyWrap should be used for FIPS deployments.</p> <p class="pBody"><img border="0" width="1042" height="1113" id="Picture 309628043" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_226.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Collapse the RADIUS dropdown and check the box next to Advanced TrustSec Settings, then click the dropdown arrow to expand the settings.</p> <p class="pBody"><img border="0" width="1043" height="255" id="Picture 309628047" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_227.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Check the box for “Use Device ID for TrustSec Identification”, set a Device ID (the example below uses the Device Name), and create a password for the device authentication to ISE. Again, record the password for the later switch configuration.</p> <p class="pBody"><img border="0" width="1043" height="348" id="Picture 309628285" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_228.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Scroll down and check the box for ‘Other TrustSec devices to trust this device’. 
Also check the box for ‘Send configuration changes to device’ and select the radio button for CoA.</p> <p class="pBody"><img border="0" width="1043" height="821" id="Picture 309628286" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_229.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt "Times New Roman""> </span></b>Scroll further down and check the box for ‘Include this device when deploying Security Group Tag Mapping Updates’. Set an EXEC Mode username and password that can access the switch, then click Submit. </p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>It is recommended to use a service account for this connection in production networks.</p> <p class="pBody"><img border="0" width="1043" height="690" id="Picture 3" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_230.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 10. <span style="font:7.0pt "Times New Roman""> </span></b>Confirm the new entry populates.</p> <p class="pBody"><img border="0" width="1042" height="328" id="Picture 309628324" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_231.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 11. 
<span style="font:7.0pt "Times New Roman""> </span></b>Repeat the above steps to add additional switches.</p> <p class="pToC_Subhead3"><a name="_Toc128645251"></a><a name="_Toc125461702"></a><a name="_Toc123930265">ISE: Assign TrustSec Switches to TrustSec Security Group</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628673" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Work Centers <span style="font-family:Wingdings">à</span> TrustSec <span style="font-family:Wingdings">à</span> TrustSec Policy.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click on Network Device Authorization.</p> <p class="pBody"><img border="0" width="1044" height="364" id="Picture 309628291" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_232.png" alt="Graphical user interface, applicationDescription automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>On the Default Rule, click the dropdown arrow near Edit and select ‘Insert new row above’.</p> <p class="pBody"><img border="0" width="1043" height="279" id="Picture 309628292" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_233.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. 
<span style="font:7.0pt "Times New Roman""> </span></b>Set the Security Group to TrustSec_Devices, change the name if desired, click the dropdown arrow under Conditions and select Create New Condition.</p> <p class="pBody"><img border="0" width="1044" height="384" id="Picture 309628294" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_234.png" alt="Graphical user interface, textDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Set the Condition to Device Type, leave the Expression on Equals, and select the switch device type configured previously.</p> <p class="pBody"><img border="0" width="1043" height="448" id="Picture 309628293" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_235.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>In this example all devices of type switch are added to the TrustSec_Devices Security Group.</p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Additional criteria can be set as needed by clicking the gear icon and selecting ‘Add Attribute/Value’ to create another condition.</p> <p class="pBody"><img border="0" width="1043" height="481" id="Picture 309628295" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_236.png" alt="Graphical user interfaceDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Click the main page to collapse the Condition window. 
If the Default rule is set to the TrustSec_Devices Security Group, set the rule to Unknown. Click Save.</p> <p class="pBody"><img border="0" width="1044" height="501" id="Picture 309628296" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_237.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645252"></a><a name="_Toc125461703"></a><a name="_Toc123930266">ISE: Disable Protected Access Credential (PAC) (Optional)</a></p> <p class="pBody">PAC provisioning can fail and remain in a hung state if an invalid device ID is provided. As a workaround to this failure point, the PAC feature can be disabled. See ‘Restrictions for Cisco TrustSec’ in the <a href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-6/configuration_guide/cts/b_176_cts_9300_cg/cisco_trustsec_overview.html">Cisco TrustSec Configuration Guide</a>.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628674" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> System <span style="font-family:Wingdings">à</span> Settings.</p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>On the left side menu, click the dropdown for Protocols, click the dropdown for EAP-FAST, and click EAP FAST Settings.</p> <p class="pBody"><img border="0" width="1044" height="405" id="Picture 309628675" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_238.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>If desired, set a recognizable value for the Authority Identity Info Description, tick the box for ‘Enable PAC-less Session Resume’, then click Save.</p> <p class="pBody"><img border="0" width="1044" height="344" id="Picture 15" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_239.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645253"></a><a name="_Toc125461704"></a><a name="_Toc123930267"></a><a name="_Switch:_Configure_AAA"></a>Switch: Configure AAA</p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>This section configures the switch to authenticate via AAA, which can change the local authentication configuration used for CLI access to the switch. It is recommended to save the configuration and keep a separate SSH session open before starting this configuration from the GUI, so that CLI access is retained if the change removes local login. Optional steps for re-enabling local CLI access are provided at the end of this section.</p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Navigate to Configuration <span style="font-family:Wingdings">à</span> Security <span style="font-family:Wingdings">à</span> AAA.</p> <p class="pBody"><img border="0" width="648" height="263" id="Picture 111" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_240.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click the AAA Wizard button.</p> <p class="pBody"><img border="0" width="648" height="263" id="Picture 112" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_241.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Populate the ISE server details and tick the box for PAC Key. Enter the PAC Key and CoA Server Keys (these must both match the key configured for the switch in ISE under Administration <span style="font-family:Wingdings">à</span> Network Resources <span style="font-family:Wingdings">à</span> Network Devices <span style="font-family:Wingdings">à</span> Add/Edit Device <span style="font-family:Wingdings">à</span> RADIUS Authentication Settings <span style="font-family:Wingdings">à</span> Shared Secret in the <a href="#_ISE:_Add_Switches">ISE: Add Switches as Network Devices</a> section). Ensure RADIUS is checked in the upper left and Support for CoA is enabled. 
Click Next.</p> <p class="pBody"><img border="0" width="1044" height="589" id="Picture 153" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_242.png" alt="Graphical user interfaceDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Enter a name for the RADIUS group and add the RADIUS server configured on the prior page to the Assigned Servers box. Click Next.</p> <p class="pBody"><img border="0" width="1044" height="691" id="Picture 115" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_243.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>We’ll now create a series of mappings for the RADIUS server. From the Authentication tab, set the Type to dot1x and add the group created on the prior page to the Assigned Server Groups box. <b>Note:</b> do not click Apply to Device until all three AAA sections are completed.</p> <p class="pBody"><img border="0" width="1044" height="635" id="Picture 156" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_244.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Authorization tab, set the Type to network, and add the zt-ise-group to Assigned Server Groups.</p> <p class="pBody"><img border="0" width="1044" height="673" id="Picture 144" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_245.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Accounting tab, select identity as the Type, set the zt-ise-group to the Assigned Server Groups, enter a name, and click Apply to Device.</p> <p class="pBody"><img border="0" width="1" height="1" id="Picture 125" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_246.png" alt="Related image, diagram or screenshot"/> <img border="0" width="1042" height="547" id="Picture 30" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_247.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. 
<span style="font:7.0pt "Times New Roman""> </span></b>The configuration changes can be confirmed by clicking on the save icon in the top right and then the Show Diff button.</p> <p class="pBody"><img border="0" width="648" height="81" id="Picture 14" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_248.png" alt="Graphical user interface, application, WordDescription automatically generated"/></p> <p class="pBody"><img border="0" width="648" height="188" id="Picture 26" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_249.png" alt="Graphical user interface, application, WordDescription automatically generated"/></p> <p class="pBody">The above configuration adds the following lines to running-config.</p> <p class="pBody">AAA configuration is replaced.</p> <p class="pBody"><img border="0" width="1043" height="298" id="Picture 31" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_250.png" alt="Graphical user interface, application, tableDescription automatically generated"/></p> <p class="pBody">RADIUS server is configured, and PAC key is set.</p> <p class="pBody"><img border="0" width="1043" height="111" id="Picture 28" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_251.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">Local login is disabled.</p> <p class="pBody"><img border="0" width="1043" height="131" id="Picture 53" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_252.png" alt="Graphical user interfaceDescription automatically generated with medium confidence"/></p> <p class="pBody">Below are 
notes on the functionality of each command.</p> <p class="pBody"><span style="font-size:7.5pt">aaa new-model – Create a new AAA instance.</span></p> <p class="pBody"><span style="font-size:7.5pt">aaa group server radius zt-ise-group – Create a group of RADIUS servers.</span></p> <p class="pBody"><span style="font-size:7.5pt">server name zt-ise – Assign a previously created RADIUS server to the group.</span></p> <p class="pBody"><span style="font-size:7.5pt">deadtime 5 – marks the RADIUS server as dead if 5 minutes pass without communication from the RADIUS server.</span></p> <p class="pBody"><span style="font-size:7.5pt">aaa authentication dot1x default group zt-ise-group – Assigns the created zt-ise-group as the authentication method for 802.1X ports.</span></p> <p class="pBody"><span style="font-size:7.5pt">aaa authorization network default group zt-ise-group – Specifies the authorization RADIUS server group for all network related service requests.</span></p> <p class="pBody"><span style="font-size:7.5pt">aaa accounting identity default start-stop group zt-ise-group – Configures the switch to send AAA Accounting logs to the configured RADIUS group when an 802.1X session begins or ends.</span></p> <p class="pBody"><span style="font-size:7.5pt">radius server zt-ise – Create a new RADIUS server.</span></p> <p class="pBody"><span style="font-size:7.5pt">address ipv4 10.0.4.17 auth-port 1812 acct-port 1813 – Specifies the IP address of the RADIUS server and the UDP port numbers for Authentication (auth-port) and Accounting (acct-port).</span></p> <p class="pBody"><span style="font-size:7.5pt">pac key Admin123 – Sets the PAC key used to retrieve the PAC from the RADIUS server. Admin123 is only an example value; the key must match the RADIUS Shared Secret configured for this switch in ISE.</span></p> <p class="pBody"><span style="font-size:7.5pt">Below are the commands in a format that can be pasted into the CLI (replace radiusSecretKey with the Shared Secret configured for this switch in ISE, and 10.0.4.17 with the IP address of the ISE node):</span></p> <p class="pBody"><span style="font-size:7.5pt">conf t</span></p> <p class="pBody"><span style="font-size:7.5pt">aaa new-model</span></p> <p class="pBody"><span style="font-size:7.5pt">radius 
server zt-ise</span></p> <p class="pBody"><span style="font-size:7.5pt">address ipv4 10.0.4.17 auth-port 1812 acct-port 1813</span></p> <p class="pBody"><span style="font-size:7.5pt">pac key radiusSecretKey</span></p> <p class="pBody"><span style="font-size:7.5pt">exit </span></p> <p class="pBody"><span style="font-size:7.5pt">aaa group server radius zt-ise-group</span></p> <p class="pBody"><span style="font-size:7.5pt">server name zt-ise</span></p> <p class="pBody"><span style="font-size:7.5pt">exit</span></p> <p class="pBody"><span style="font-size:7.5pt">aaa server radius dynamic-author</span></p> <p class="pBody"><span style="font-size:7.5pt">client 10.0.4.17 server-key radiusSecretKey</span></p> <p class="pBody"><span style="font-size:7.5pt">exit</span></p> <p class="pBody"><span style="font-size:7.5pt">aaa authentication dot1x default group zt-ise-group</span></p> <p class="pBody"><span style="font-size:7.5pt">aaa authorization network default group zt-ise-group</span></p> <p class="pBody"><span style="font-size:7.5pt">aaa accounting identity default start-stop group zt-ise-group</span></p> <p class="pBody"><span style="font-size:7.5pt">end</span></p> <p class="pToC_Subhead3"><a name="_Toc128645254"></a><a name="_Toc125461705"></a><a name="_Toc123930268">Switch: Configure Local Authentication (Optional)</a></p> <p class="pBody">The configuration in the prior section set up AAA, which automatically disables local authentication on the VTY lines. This section can optionally be used to re-enable local CLI access after configuring AAA. </p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>In a production environment it is preferable that all CLI access use TACACS+, with static local credentials reserved for break-glass scenarios. </p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>From the switch GUI, navigate to Configuration <span style="font-family:Wingdings">à</span> Security <span style="font-family:Wingdings">à</span> AAA.</p> <p class="pBody"><img border="0" width="662" height="276" id="Picture 309628058" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_253.png" alt="A screenshot of a computerDescription automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click on AAA Method List, select Authorization, then click the Add button.</p> <p class="pBody"><img border="0" width="648" height="260" id="Picture 309628074" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_254.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>Leave the name as default, set Type to exec, set Group Type to local, and click the Apply to Device button.</p> <p class="pBody"><img border="0" width="1044" height="609" id="Picture 77" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_255.png" alt="Graphical user interfaceDescription automatically generated"/></p> <p class="pBody">The above configuration adds the following config to running-config.</p> <p class="pBody"><img border="0" width="1043" height="20" id="Picture 83" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_256.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">The above in text form.</p> <p class="pBody">aaa authorization exec default local</p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Use an SSH client to test a known local account and verify access.</p> <p class="pBody"><img border="0" width="648" height="155" id="Picture 82" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_257.png" alt="TextDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645255"></a><a name="_Toc125461706"></a><a name="_Toc123930269"></a><a name="_Switch:_Enable_TrustSec"></a>Switch: Enable TrustSec</p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Navigate to Configuration <span style="font-family:Wingdings">à</span> Security <span style="font-family:Wingdings">à</span> Trustsec.</p> <p class="pBody"><img border="0" width="648" height="210" id="Picture 309628270" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_258.png" alt="Graphical user interface, applicationDescription automatically generated"/><a name="_Configure_pxGrid_for_1"></a></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click Modify next to CTS Credentials. </p> <p class="pBody"><img border="0" width="1044" height="251" id="Picture 29" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_259.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Enter the CTS Device ID and the password from the Device Authentication Settings configured previously in ISE [under Administration <span style="font-family:Wingdings">à</span> Network Resources <span style="font-family:Wingdings">à</span> Network Devices <span style="font-family:Wingdings">à</span> Add/edit device <span style="font-family:Wingdings">à</span> Advanced TrustSec Settings <span style="font-family:Wingdings">à</span> Device Authentication Settings (as covered in the <a href="#_ISE:_Add_Switches">ISE: Add Switches as Network Devices</a> section)]. 
Click Apply.</p> <p class="pBody"><img border="0" width="1043" height="158" id="Picture 35" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_260.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Click on Add AAA Method List.</p> <p class="pBody"><img border="0" width="1043" height="390" id="Picture 17" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_261.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Give the RADIUS server a name, enter the IP address of the ISE node, and create names for the RADIUS Server Group and Method List Name. For the PAC Key, enter the RADIUS Shared Secret configured previously in ISE under Administration <span style="font-family:Wingdings">à</span> Network Resources <span style="font-family:Wingdings">à</span> Network Devices <span style="font-family:Wingdings">à</span> Add device <span style="font-family:Wingdings">à</span> RADIUS Authentication Settings <span style="font-family:Wingdings">à</span> Shared Secret. Click Apply to Device.</p> <p class="pBody"><img border="0" width="1044" height="569" id="Picture 309628135" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_262.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>The list name configured in the prior step will now populate in the CTS Authorization List dropdown. 
Click Apply.</p> <p class="pBody"><img border="0" width="1042" height="223" id="Picture 24" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_263.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Click the floppy disk icon in the top right to review the applied configuration.</p> <p class="pBody"><img border="0" width="648" height="99" id="Picture 309628676" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_264.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">Click on Show Diff.</p> <p class="pBody"><img border="0" width="648" height="191" id="Picture 309628677" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_265.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">Review the modified running configuration and note that local login configuration may have been removed. It is recommended to verify successful SSH authentication before saving the config to startup. 
</p> <p class="pBody">AAA auth object cts-list is added under the AAA config.</p> <p class="pBody"><img border="0" width="1043" height="19" id="Picture 309628139" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_266.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">The cts-list is defined.</p> <p class="pBody"><img border="0" width="1043" height="20" id="Picture 59" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_267.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">Below is the applied configuration in text form:</p> <p class="pBody">aaa authorization network cts-list group zt-ise-group</p> <p class="pBody">cts authorization list cts-list</p> <p class="pToC_Subhead3"><a name="_Toc128645256"></a><a name="_Toc125461707"></a><a name="_Toc123930270">Switch and ISE: Verifying Successful TrustSec Connection</a></p> <p class="pBody">The configuration in the prior section will cause the switch to initiate a connection to ISE for TrustSec authentication. Successful authentication can be verified via the CLI or ISE logs.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the switch CLI, run the following command:</p> <p class="pStep1CMT" style="margin-left:.1in;text-indent:0in"># show cts pacs</p> <p class="pBody">If the switch to ISE connection was successful, then the PAC will be displayed.</p> <p class="pBody"><img border="0" width="720" height="238" id="Picture 309628055" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_268.png" alt="TextDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>In addition to the PAC, also verify the CTS environment data via the following command:</p> <p class="pStep1CMT" style="margin-left:.1in;text-indent:0in"># show cts environment-data</p> <p class="pBody">The output should show information from ISE, including the Security Group Name Table.</p> <p class="pBody"><img border="0" width="720" height="616" id="Picture 309628057" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_269.png" alt="TextDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>If the PAC or environment data is not available on the switch, access the ISE GUI and check the RADIUS Live Logs via Operations <span style="font-family:Wingdings">à</span> RADIUS <span style="font-family:Wingdings">à</span> Live Logs.</p> <p class="pBody"><img border="0" width="720" height="211" id="Picture 309628068" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_270.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">There should be successful authentication logs from the configured switch, as shown below.</p> <p class="pBody"><img border="0" width="1044" height="677" id="Picture 309628061" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_271.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">Drilling down on the logs will show that the PAC was successfully provisioned.</p> <p class="pBody"><img border="0" width="1043" height="302" id="Picture 309628070" 
src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_272.png" alt="Graphical user interface, application, WordDescription automatically generated"/></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>After the switch registers to ISE for TrustSec, ISE will attempt to send a Dynamic Authorization connection to the switch over UDP port 1700. This will fail as shown in the screenshots below until 802.1X is configured on the switch, which we will configure in a later section.</p> <p class="pBody"><img border="0" width="1044" height="800" id="Picture 309628071" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_273.png" alt="Graphical user interface, text, emailDescription automatically generated"/></p> <p class="pBody"> </p> <p class="pBody"><img border="0" width="1044" height="528" id="Picture 309628072" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_274.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645257"></a><a name="_Toc125461708"></a><a name="_Toc123930271">Configure SXP</a></p> <p class="pBody">SXP is used to deliver SGT mappings to different areas of the network. SXP can be used to bridge gaps in the network left by devices that are not TrustSec compatible (either for enforcement or passthrough) and can also be used to send specific static SGTs to only the switches that need them for destination SGT enforcement—a must to conserve memory for TrustSec devices in large networks with many IP to SGT maps and SGACLs. 
</p> <p class="pBody">For this guide, SXP is used to deliver static SGT assignments to the Secure Firewall for enforcement. SXP is also used to segment SGACLs into different SGT Domains for the Branch and Data Center switches. In this example, ISE serves the role as speaker for all devices, with the switch and firewall acting as receivers.</p> <p class="pToC_Subhead3"><a name="_Toc128645258"></a><a name="_Toc125461709"></a><a name="_Toc123930272">ISE: Confirm SXP Service is Enabled</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628678" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> System <span style="font-family:Wingdings">à</span> Deployment.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Select a node that will be serving as SXP speaker, then click Edit.</p> <p class="pBody"><img border="0" width="1044" height="356" id="Picture 309628353" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_275.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Scroll down and confirm that SXP is enabled. 
If configuration changes are made, click Save in the lower right.</p> <p class="pBody"><img border="0" width="1044" height="1100" id="Picture 309628354" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_276.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Repeat the above steps for any other ISE nodes that will serve as SXP speakers.</p> <p class="pToC_Subhead3"><a name="_Toc128645259"></a><a name="_Toc125461710"></a><a name="_Toc123930273"></a><a name="_ISE:_Configure_SXP"></a>ISE: Configure SXP Settings</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628679" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Work Centers <span style="font-family:Wingdings">à</span> TrustSec <span style="font-family:Wingdings">à</span> Settings.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click on SXP Settings.</p> <p class="pBody"><img border="0" width="1043" height="243" id="Picture 309628329" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_277.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt 'Times New Roman'"> </span></b>Check the box for ‘Publish SXP bindings on PxGrid’, set a global SXP password and record it securely (it is required for the switch configuration in the next section), then click Save.</p> <p class="pBody"><img border="0" width="1042" height="998" id="Picture 309628331" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_278.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645260"></a><a name="_Toc125461711"></a><a name="_Toc123930274">ISE: Create SXP Domains</a></p> <p class="pBody">SXP domains serve two purposes in this design: (1) they push Destination SGT mappings to the FMC-managed firewalls across the network, and (2) they push static SGT mappings to the TrustSec access switch closest to the end device that the SGT is mapped to. </p> <p class="pBody">For the primary traffic path example used in this guide there are three groups of endpoints, two of which are statically mapped: (1) the user (employee or contractor) endpoint that initiates a connection to the application server; (2) the application server that receives the connection from the user endpoint; and (3) the DNS server that resolves the lookup for the application server URL on behalf of the user endpoint. </p> <p class="pBody">The user endpoint is dynamically assigned an SGT upon 802.1X authentication, at which point the authenticating switch (in this example, the branch switch) will see whatever SGT the user was assigned as a connected Security Group. 
The application server and DNS server are both virtual machines that do not authenticate to the TrustSec network, so they must be statically mapped to a Security Group (this is covered in the next section) and manually associated with their nearest access switch; for the application server this is the DC application switch, and for the DNS server this is the DC management switch. </p> <p class="pBody">Once a static destination Security Group has been assigned to a switch, ISE will also distribute it to the FMC which we registered via pxGrid earlier in this guide, and the FMC will in turn distribute the static IP to Security Group map to its firewalls. Destination Security Groups are not pushed to the FMC unless their associated SXP domain is associated with at least one SXP device.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the TrustSec Work Center, click on SXP then click on Assign SXP Domain.</p> <p class="pBody"><img border="0" width="1044" height="287" id="Picture 309628337" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_279.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click on Create New SXP Domain.</p> <p class="pBody"><img border="0" width="720" height="230" id="Picture 309628338" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_280.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Enter a name for the SXP domain, then click create. 
For this example, we’ll create an SXP domain for the application servers in the data center.</p> <p class="pBody"><img border="0" width="720" height="364" id="Picture 309628358" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_281.png" alt="Graphical user interface, websiteDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Repeat the above steps to create SXP domains for different areas of the network. For this example, we’ll create a second SXP domain for the DC management network. This will cover Security Group assignments for all three devices in our workflow (endpoint, DNS server, application server), as the endpoint SGT is dynamically assigned. When finished, click Close.</p> <p class="pBody"><img border="0" width="720" height="370" id="Picture 309628359" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_282.png" alt="A picture containing timelineDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645261"></a><a name="_Toc125461712"></a><a name="_Toc123930275">ISE: Configure SXP Devices</a></p> <p class="pBody">We’ll now add TrustSec switches as SXP devices and associate them with the applicable SXP domains. For this example, the datacenter access switch closest to the application servers will be associated with the DC Application Servers domain, and the datacenter access switch closest to the DNS server will be associated with the DC Management domain.</p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>From the SXP section of the TrustSec Work Center, click on Add.</p> <p class="pBody"><img border="0" width="1044" height="288" id="Picture 309628335" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_283.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Enter a name for the switch and set an IP address; set the Peer Role (here it is set as a Listener to ISE, but it can also be set to Both if the switch will perform a speaker function to other switches); specify one of the SXP domains configured in the prior section; leave the password type as default to use the password configured in the TrustSec SXP settings (note: you don’t enter a password on this screen when selecting default); click Save.</p> <p class="pBody"><img border="0" width="1043" height="1162" id="Picture 309628360" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_284.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Review the saved configuration and note that the status shows OFF. </p> <p class="pBody"><img border="0" width="1043" height="312" id="Picture 309628361" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_285.png" alt="Graphical user interface, textDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>The switch will reach an ON status after the configuration in the next section. Repeat the above steps to add additional switches and associate them to SXP domains. 
For this example, we’ll add a second switch associated with the DC Management domain.</p> <p class="pBody"><img border="0" width="1042" height="355" id="Picture 309628362" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_286.png" alt="Graphical user interface, text, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645262"></a><a name="_Toc125461713"></a><a name="_Toc123930276">Switch: Configure SXP</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Navigate to Configuration <span style="font-family:Wingdings">à</span> Security <span style="font-family:Wingdings">à</span> TrustSec.</p> <p class="pBody"><img border="0" width="1044" height="434" id="Picture 309628332" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_287.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click on SXP.</p> <p class="pBody"><img border="0" width="1043" height="211" id="Picture 309628333" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_288.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Set SXP Status to Enabled, enter the IP of the switch interface or VLAN that will connect to ISE, and enter the password that was configured in the ISE SXP settings in the <a href="#_ISE:_Configure_SXP">Configure SXP Settings</a> section. 
Click Apply in the top right, then click the Add button beneath Peer Connections.</p> <p class="pBody"><img border="0" width="1044" height="246" id="Picture 309628349" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_289.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Set the Mode to listener (or both, if this switch will also function as a speaker), set the Peer IP to the IP of the ISE node, set the Source IP that the switch will use to connect to ISE, and leave the password as default to use the password configured in the last screenshot. Set a VRF if applicable, then click Apply to Device.</p> <p class="pBody"><img border="0" width="720" height="325" id="Picture 309628682" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_290.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>To review or save the added running-config, click the Save Configuration icon.</p> <p class="pBody"><img border="0" width="720" height="110" id="Picture 309628680" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_291.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Show Diff button to review configuration changes made since the last time <a name="_Int_IGFAJFXq">running-config</a> was copied to startup.</p> <p class="pBody"><img border="0" width="720" height="212" id="Picture 309628681" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_292.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The above adds the following configuration to running-config.</p> <p class="pBody"><img border="0" width="1043" height="91" id="Picture 309628684" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_293.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>To save the running-config to startup-config, click Apply to Device.</p> <p class="pToC_Subhead3"><a name="_Toc128645263"></a><a name="_Toc125461714"></a><a name="_Toc123930277">Firewall: Confirm SXP Configuration</a></p> <p class="pBody">This step was already covered in the prior <a href="#_Secure_Firewall:_Configure">pxGrid</a> configuration section. </p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>To verify the configuration, navigate to Integration <span style="font-family:Wingdings">à</span> Other Integrations from the FMC.</p> <p class="pBody"><img border="0" width="1042" height="150" id="Picture 309628325" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_294.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click on Identity Sources.</p> <p class="pBody"><img border="0" width="1044" height="118" id="Picture 309628326" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_295.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Confirm that SXP topic is checked under the Identity Services Engine configuration.</p> <p class="pBody"><img border="0" width="1044" height="719" id="Picture 309628327" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_296.png" alt="Graphical user interface, text, emailDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645264"></a><a name="_Toc125461715"></a><a name="_Toc123930278">Configure 802.1X</a></p> <p class="pToC_Subhead3"><a name="_Toc128645265"></a><a name="_Toc125461716"></a><a name="_Toc123930279">Switch: Configure 802.1X</a></p> <p class="pBody">The Authentication and Authorization servers necessary for 802.1X were configured in the prior <a href="#_Switch:_Configure_AAA">Configure AAA</a> section. </p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>With the AAA configuration in place, navigate to Configuration <span style="font-family:Wingdings">à</span> Interface <span style="font-family:Wingdings">à</span> Ethernet to configure interfaces.</p> <p class="pBody"><img border="0" width="720" height="472" id="Picture 309628073" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_297.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt 'Times New Roman'"> </span></b>Click a single interface, or select multiple interfaces and click the Multi Port Configuration button (note: Multi Port Configuration resets the selected interfaces to their default configuration and is best used for initial setup). For this example, we will modify the Te1/0/1 interface. </p> <p class="pBody"><img border="0" width="1044" height="175" id="Picture 81" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_298.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt 'Times New Roman'"> </span></b>Click Advanced.</p> <p class="pBody"><img border="0" width="720" height="331" id="Picture 78" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_299.png" alt="Graphical user interfaceDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt 'Times New Roman'"> </span></b>Scroll down to the 802.1X Configuration section. In the example below, Authenticator Enabled configures the port for 802.1X and sets it to Access Port; Access-Session is set to closed, so no traffic is permitted on the port before authentication succeeds; Authentication Order is set to use dot1x only, without MAB as a fallback option; Port Mode is set to Auto, which enables 802.1X authentication and keeps the port closed until an authentication succeeds; Host Mode is set to allow only a single host to access the port at any given time; finally, IP Device Tracking is set to enabled in order to maintain a table of the IP and MAC addresses that access the port. 
After setting the config, click Update & Apply to Device.</p> <p class="pBody"><img border="0" width="1044" height="1303" id="Picture 79" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_300.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>We also need to enable 802.1X globally, which can only be done via command entry. To run the command from the GUI, navigate to Administration <span style="font-family:Wingdings">à</span> Command Line Interface.</p> <p class="pBody"><img border="0" width="720" height="502" id="Picture 309628178" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_301.png" alt="A screenshot of a computerDescription automatically generated with low confidence"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Select the Configure radio button and enter the following configuration to globally enable Dot1x: dot1x system-auth-control</p> <p class="pStep1CMT"><b>Step 7. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Run Command button.</p> <p class="pBody"><img border="0" width="1044" height="361" id="Picture 309628203" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_302.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The above configuration adds the following lines in green to running-config.</p> <p class="pBody"><b><img border="0" width="1043" height="18" id="Picture 309628180" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_303.png" alt="Related image, diagram or screenshot"/></b></p> <p class="pBody"><b><img border="0" width="1043" height="74" id="Picture 88" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_304.png" alt="Related image, diagram or screenshot"/></b></p> <p class="pBody"><b><img border="0" width="1043" height="207" id="Picture 93" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_305.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></b></p> <p class="pToC_Subhead2"><a name="_Toc128645266"></a><a name="_Toc125461717"></a><a name="_Toc123930280"></a><a name="_Configure_ISE_Security"></a>Configure ISE Security Groups and Static Mapping</p> <p class="pBody">We’ll now configure the ISE Security Groups (SGs) that will be used for the TrustSec Matrix, 802.1X, ISE AA policies, and Secure Firewall source and destination SGTs. 
These groups will form the backbone of the RBAC configuration in the remainder of the guide.</p> <p class="pToC_Subhead3"><a name="_Toc128645267"></a><a name="_Toc125461718"></a><a name="_Toc123930281">ISE: Configure Security Groups</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the Cisco ISE GUI, click the Menu and choose Work Centers <span style="font-family:Wingdings">à</span> TrustSec <span style="font-family:Wingdings">à</span> Components.</p> <p class="pBody"><img border="0" width="131" height="29" id="Picture 9" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_62.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody"><img border="0" width="1044" height="243" id="Picture 309628051" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_306.png" alt="A screenshot of a computerDescription automatically generated with medium confidence"/></p> <p class="pBody">The Components page should open with the Security Groups tab selected. </p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>ISE has default groups for Contractors, Employees, and Guests.</p> <p class="pBody"><img border="0" width="1043" height="623" id="Picture 309628276" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_307.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">To give more granular control of user access and improve device validation, we’ll create Trusted and Untrusted groups for employees and contractors. 
We’ll also create a Machine Security Group that allows restricted access for devices that pass machine authentication but have not yet passed user authentication, and a Guest_Registration Security Group to cover the initial guest to ISE connection that occurs during guest registration, but before the Guest SGT is assigned. We’ll also create static destination SGs for ISE, DNS servers, and application servers. </p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Add button.</p> <p class="pBody"><img border="0" width="1043" height="623" id="Picture 309628095" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_308.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Name the group Employee_Trusted_Device, select an Icon, and enter a Description if desired. Click Submit at the bottom of the page. </p> <p class="pBody"><img border="0" width="1043" height="628" id="Picture 64" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_309.png" alt="Graphical user interface, text, application, WordDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Repeat the steps to create trusted and untrusted groups for employees and contractors.</p> <p class="pBody"><img border="0" width="1043" height="659" id="Picture 309628355" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_310.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. 
<span style="font:7.0pt "Times New Roman""> </span></b>Create an additional SGT for machine authentication. </p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>The NAM endpoint deployment will attempt an initial machine authentication, at which point we can assign an SGT. If a user then attempts a user login using the same endpoint, they will be assigned one of the Contractor or Employee SGTs based on the results of their combined machine and user auth.</p> <p class="pBody"><img border="0" width="1043" height="545" id="Picture 309628246" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_311.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Create SGTs for Guest_Registration and ISE, which will give us a cleaner <a name="_Int_nOKPOY0t">firewall</a> rule for the initial guest redirect to ISE during guest registration. SGs for Guest_Registration, the default Guests <a name="_Int_1onbTfQR">SG</a>, ISE, and Machine_Authenticated are shown below.</p> <p class="pBody"><img border="0" width="1043" height="466" id="Picture 309628205" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_312.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Create an SGT to statically assign to our application servers, which will be the destination used in Dynamic SGT connection testing, and to our DNS servers, which will be needed to resolve the URLs associated with the application servers. 
</p> <p class="pStep1CMT"> Repeat the Add steps to create a DC_Application_Servers group and a DC_DNS_Servers group (the DC naming convention reflects that both resources are in the datacenter for this example).</p> <p class="pBody"><img border="0" width="1043" height="590" id="Picture 309628356" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_313.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Push the updated groups to connected devices.</p> <p class="pBody"><img border="0" width="1044" height="284" id="Picture 67" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_314.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645268"></a><a name="_Toc125461719"></a><a name="_Toc123930282">Switch: Validation</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>To confirm the security groups have been populated to the switches, run the <code>show cts environment-data</code> command.</p> <p class="pBody"><img border="0" width="723" height="648" id="Picture 309628215" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_315.png" alt="TextDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>If the expected security groups have not synced yet, run the following command to prompt the switch to retrieve the security groups from ISE:</p> <p class="pBody"># cts refresh environment-data</p> <p class="pToC_Subhead3"><a name="_Toc128645269"></a><a name="_Toc125461720"></a><a name="_Toc123930283">ISE: Configure Security Group Static Mapping</a></p> <p class="pBody">The application servers configured in the last section have a reserved pool of IP addresses, which we can statically map now. In addition, the ISE servers needed for Guest registration and the DNS servers needed to resolve the hostnames of the applications have static IP assignments. </p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the IP SGT Static Mapping tab, then click Add.</p> <p class="pBody"><img border="0" width="1043" height="280" id="Picture 309628280" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_316.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Specify the IP address(es), leave the radio selection on Map to SGT Individually, select the DC_Application_Servers SGT, send the mapping to the DC Application Servers SXP domain, and select TrustSec devices to deploy the mapping to. Click Save. </p> <p class="pBody"><img border="0" width="1043" height="768" id="Picture 309628032" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_317.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>Repeat the steps to add the DNS servers.</p> <p class="pBody"><img border="0" width="1043" height="767" id="Picture 309628042" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_318.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Repeat the steps to add static mappings for ISE. Review the mapping details, then click Deploy.</p> <p class="pBody"><img border="0" width="1043" height="359" id="Picture 130" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_319.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Confirm the applicable switches are checked, then click Apply.</p> <p class="pBody"><img border="0" width="792" height="340" id="Picture 85" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_320.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Click OK at the warning.</p> <p class="pBody"><img border="0" width="576" height="143" id="Picture 86" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_321.png" alt="A picture containing textDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. 
<span style="font:7.0pt "Times New Roman""> </span></b>Confirm successful mappings, then click Close.</p> <p class="pBody"><img border="0" width="792" height="401" id="Picture 87" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_322.png" alt="Graphical user interface, application, WordDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645270"></a><a name="_Toc125461721"></a><a name="_Toc123930284">Configure TrustSec SGACLs</a></p> <p class="pBody">The example flows we covered at the start of this document include employees and contractors accessing private applications, and guest users accessing the internet. The employee and contractor connections will both be made over HTTPS and require an internal DNS resolution. Prospective guest users will also need to make an initial connection to the ISE Guest Registration portal to complete registration before accessing the internet. In this section we’ll add basic rules to allow the necessary HTTPS, DNS, guest portal, and internet connectivity, and set an implicit deny for all other connections. </p> <p class="pToC_Subhead3"><a name="_Toc128645271"></a><a name="_Toc125461722"></a><a name="_Toc123930285">Switch: Configure CTS Role-Based Enforcement</a></p> <p class="pBody">In addition to the prior TrustSec configuration, there is an additional configuration necessary for the switch to receive and enforce SGACLs. </p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the GUI, navigate to Configuration <span style="font-family:Wingdings">à</span> TrustSec.</p> <p class="pBody"><img border="0" width="720" height="298" id="Picture 183" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_323.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click on CTS Policies.</p> <p class="pBody"><img border="0" width="792" height="214" id="Picture 188" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_324.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Enter the VLAN associated with the SGACL (note: this can be set to include all VLANs on the CLI, if needed) and toggle the Global setting to Enabled. Click Apply.</p> <p class="pBody"><img border="0" width="1044" height="228" id="Picture 309628302" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_325.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Click the save icon to review the configuration change details.</p> <p class="pBody"><img border="0" width="576" height="77" id="Picture 309628238" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_326.png" alt="Graphical user interface, application, WordDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click Show Diff.</p> <p class="pBody"><img border="0" width="576" height="166" id="Picture 309628239" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_327.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pBody">The above config applies the following change to the backend.</p> <p class="pBody"><img border="0" width="1043" height="37" id="Picture 309628301" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_328.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Click Apply to Device to copy the running-config to startup-config.</p> <p class="pBody"><img border="0" width="1043" height="42" id="Picture 309628257" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_329.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">Note: it’s also possible to configure TrustSec switches in a monitor only mode to verify connections are permitted and denied as expected. For configuration steps, please see the <a href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-9/configuration_guide/cts/b_179_cts_9300_cg/configuring_security_group_acl_policies.html#task_q42_rpl_2gb">Cisco TrustSec Configuration Guide</a>.</p> <p class="pToC_Subhead3"><a name="_Toc128645272"></a><a name="_Toc125461723"></a><a name="_Toc123930286">ISE: Configure Security Group ACLs</a></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Navigate to Work Centers <span style="font-family:Wingdings">à</span> TrustSec <span style="font-family:Wingdings">à</span> Components.</p> <p class="pBody"><img border="0" width="1043" height="196" id="Picture 137" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_330.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>On the left side, click on Security Group ACLs.</p> <p class="pBody"><img border="0" width="1044" height="206" id="Picture 139" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_331.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Add button.</p> <p class="pBody"><img border="0" width="1044" height="258" id="Picture 97" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_332.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Create a basic rule to allow an outbound HTTPS connection. Name the rule Permit_HTTPS_Request and enter ‘permit tcp dst eq 443’ for the rule content. 
Click Submit.</p> <p class="pBody"><img border="0" width="1044" height="423" id="Picture 109" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_333.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>SGACLs are not stateful, so <a name="_Int_xLjUWbEV">we’ll</a> also need a rule to allow the return traffic. Because the response rule matches on source port alone, a new connection initiated from source port 443 would also match it; connection direction is enforced by the stateful firewall, not by the SGACL. </p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Click Add again to create an ACL for the return traffic.</p> <p class="pBody"><img border="0" width="1043" height="329" id="Picture 110" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_334.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Name this rule Permit_HTTPS_Response and give it criteria ‘permit tcp src eq 443’. Click Submit.</p> <p class="pBody"><img border="0" width="1043" height="420" id="Picture 117" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_335.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click Add again.</p> <p class="pBody"><img border="0" width="1043" height="385" id="Picture 55" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_336.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Name the rule Permit_DNS_Request and add ‘permit udp dst eq 53’ in the content area. Click Submit.</p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>DNS can also use TCP for requests or responses that exceed the UDP message size limit; while this <a name="_Int_nfwMgpRN">isn’t</a> common, DNS over TCP can also be allowed here if desired. </p> <p class="pBody"><img border="0" width="1043" height="421" id="Picture 62" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_337.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt "Times New Roman""> </span></b>Click Add again and create a rule titled Permit_DNS_Response with content ‘permit udp src eq 53’. Click Submit.</p> <p class="pBody"><img border="0" width="1044" height="426" id="Picture 309628041" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_338.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 10. 
<span style="font:7.0pt "Times New Roman""> </span></b>Confirm the created rules appear, then click on TrustSec Policy.</p> <p class="pBody"><img border="0" width="1043" height="460" id="Picture 309628046" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_339.png" alt="Graphical user interface, text, applicationDescription automatically generated"/> </p> <p class="pToC_Subhead3"><a name="_Toc128645273"></a><a name="_Toc125461724"></a><a name="_Toc123930287">ISE: Configure TrustSec Matrix</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From the TrustSec Policy page, click Matrix.</p> <p class="pBody"><img border="0" width="1044" height="218" id="Picture 135" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_340.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>It can save time to create a custom view with only groups we will be modifying. Click the dropdown on the right side and select ‘Create custom view’.</p> <p class="pBody"><img border="0" width="1043" height="160" id="Picture 140" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_341.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Give the view a name and add the Security Groups created previously to both Source and Destination. Choose Name in the Sort Matrix By dropdown. 
Click Save.</p> <p class="pBody"><img border="0" width="504" height="563" id="Picture 176" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_342.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>The custom view will load automatically and can be selected from the right dropdown. Click the box for source Contractor_Trusted_Device and destination DC_Application_Servers, then click the pencil icon to edit.</p> <p class="pBody"><img border="0" width="1044" height="215" id="Picture 143" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_343.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Set the ACL to Permit_HTTPS_Request, then click Save. 
</p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>In this example we leave the Catch All rule set to None for the rules and rely on a Default Deny for the policy, but the Catch All rule can be configured by rule if preferred.</p> <p class="pBody"><img border="0" width="576" height="506" id="Picture 147" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_344.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The matrix updates the cell with a blue color and the text of the applied ACL.</p> <p class="pBody"><img border="0" width="576" height="334" id="Picture 149" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_345.png" alt="Graphical user interfaceDescription automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Repeat the steps to allow HTTPS requests for all four contractor and employee Security Groups.</p> <p class="pBody"><img border="0" width="576" height="648" id="Picture 168" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_346.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 7. 
<span style="font:7.0pt "Times New Roman""> </span></b>Permit DNS requests from the four employee and contractor Security Groups to the DC_DNS_Servers Security Group.</p> <p class="pBody"><img border="0" width="720" height="648" id="Picture 169" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_347.png" alt="Graphical user interface, tableDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Allow the return traffic for the HTTPS and DNS requests. These connections will have the DNS and Application servers as the source, the employee and contractor groups as the destination, and use the Permit_DNS_Response and Permit_HTTPS_Response ACLs.</p> <p class="pBody"><img border="0" width="1044" height="535" id="Picture 175" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_348.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt "Times New Roman""> </span></b>Permit the Guest_Registration Security Group to connect to the ISE Security Group over HTTPS and permit the HTTPS Response from ISE to Guest_Registration.</p> <p class="pBody"><img border="0" width="1043" height="505" id="Picture 179" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_349.png" alt="Application, table, timelineDescription automatically generated"/></p> <p class="pBody">Allow the Guests and Machine_Authenticated Security Groups to access the Unknown Security Group. Rather than map all public IP space to an Internet Security Group, common practice is to map all internal IP space to Security Groups and then use the Unknown Security Group to represent ‘not internal’. </p> <p class="pStep1CMT"><b>Step 10. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the cell for Guests to Unknown, then click the pencil to edit.</p> <p class="pBody"><img border="0" width="1043" height="378" id="Picture 182" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_350.png" alt="Application, table, timelineDescription automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 11. <span style="font:7.0pt "Times New Roman""> </span></b>Set the Final Catch All Rule to Permit IP, then click Save.</p> <p class="pBody"><img border="0" width="648" height="569" id="Picture 185" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_351.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 12. <span style="font:7.0pt "Times New Roman""> </span></b>Repeat the process to permit traffic from the Machine_Authenticated Security Group to the Unknown Security Group and permit the return traffic from Unknown to Guests and Machine_Authenticated.</p> <p class="pBody"><img border="0" width="1043" height="423" id="Picture 187" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_352.png" alt="Application, table, timelineDescription automatically generated"/></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>Although the Matrix allows all traffic from Unknown IPs to Guest and Machine_Authenticated SGTs, stateful firewalls will deny any inbound connections to the Guest and Machine_Authenticated Security Groups. Only return traffic to outbound connections will be permitted by the firewall.</p> <p class="pStep1CMT"><b>Step 13. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click on the Default link and set the default SGACL to Deny_IP_Log. Click Deploy.</p> <p class="pBody"><img border="0" width="1044" height="479" id="Picture 191" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_353.png" alt="TimelineDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645274"></a><a name="_Toc125461725"></a><a name="_Toc123930288">ISE Authentication and Authorization Policy Preparation</a></p> <p class="pBody">In addition to the ISE Profile checks, we will also perform both user and machine authentication for each 802.1X connection. Combining user and machine authentication requires EAP Chaining, which <a name="_Int_vuOSshkt">we’ll</a> accomplish using the AnyConnect NAM and EAP-FAST.</p> <p class="pBody">Our AA configuration will leverage several certificates and endpoint configurations, specifically:</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>A CA signed ISE certificate used for EAP connections. This will serve the function of server validation for the endpoint. Configuration is given in this section. </p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>The EAP certificate must be trusted by the endpoint. 
Steps to upload the certificate to the NAM profile configuration and distribute via Meraki MDM are provided in the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-user-device-dg.html">Zero Trust User and Device</a> guide.</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Trusted devices have a CA signed client authentication certificate installed. </p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>Steps to distribute machine certificates via <a name="_Int_BQlQCHwU">GPO</a> from an Active Directory CA are provided in the companion Certificate Guide under the section <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html#ActiveDirectoryDistributeMachineCertificatesviaGroupPolicyObject">Active Directory: Distribute Machine Certificates via Group Policy Object</a>.</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>ISE must trust the root and any intermediary certificates in the client auth certificate chain on the endpoint. These will be used to validate the client certificate during EAP-FAST negotiation. 
Configuration is given in this section.</p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span>Trusted devices have the NAM AnyConnect module installed with a profile that specifies server and client certificate validation. The NAM and profile settings are provisioned via Meraki MDM as covered in the Zero Trust: User and Device Security Design Guide.</p> <p class="pBullet2CMT"><span style="font-family:"Courier New"">o<span style="font:7.0pt "Times New Roman""> </span></span>The NAM configuration will supersede any existing 802.1X configuration on the endpoint. NAM will initiate 802.1X connections using EAP-FAST.</p> <p class="pToC_Subhead3"><a name="_Toc128645275"></a><a name="_Toc125461726"></a><a name="_Toc123930289">ISE: Configure EAP Certificate</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Navigate to Administration <span style="font-family:Wingdings">à</span> System <span style="font-family:Wingdings">à</span> Certificates.</p> <p class="pBody"><img border="0" width="1043" height="265" id="Picture 309628389" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_354.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click on Certificate Signing Requests.</p> <p class="pBody"><img border="0" width="1043" height="272" id="Picture 309628392" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_355.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click on the Generate Certificate Signing Requests button.</p> <p class="pBody"><img border="0" width="1043" height="273" id="Picture 309628393" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_356.png" alt="Graphical user interface, text, application, websiteDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Set the Usage to EAP Authentication and select the node(s) to generate the CSR for. Set Subject, SAN, and Key settings. Click the Generate button.</p> <p class="pBody"><img border="0" width="1044" height="768" id="Picture 309628394" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_357.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pBody"> </p> <p class="pBody"><img border="0" width="1044" height="699" id="Picture 309628395" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_358.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the Export button and save the CSR.</p> <p class="pBody"><img border="0" width="575" height="224" id="Picture 309628397" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_359.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pBody"> </p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Use a CA server to generate a Base 64 encoded certificate in a format that will be accepted by ISE, such as .cer. For a Windows CA, the Web Server template is adequate, because it includes the Server Authentication extended key usage that supplicants expect when validating the EAP server certificate; a template without that EKU will be rejected by endpoints configured for server certificate validation. For full certificate generation procedures using a Windows CA, please refer to the <a href="#_Create_Certificates_from">Create Certificates from CSRs using an AD Certificate Authority</a> section in the Appendix.</p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Return to the Certificate Signing Requests page in ISE. Check the box next to the CSR request, then click Bind Certificate.</p> <p class="pBody"><img border="0" width="1044" height="408" id="Picture 309628400" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_360.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 8. 
<span style="font:7.0pt "Times New Roman""> </span></b>Upload the certificate file retrieved from Active Directory, set a Friendly Name, confirm the EAP Authentication box is checked, then click Submit.</p> <p class="pBody"><img border="0" width="1043" height="280" id="Picture 309628401" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_361.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt "Times New Roman""> </span></b>A prompt will appear if there is a prior EAP certificate (ISE generates a default self-signed certificate, which this certificate will replace for EAP connections). Click Yes to replace the prior certificate.</p> <p class="pBody"><img border="0" width="576" height="242" id="Picture 309628402" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_362.png" alt="Graphical user interface, application, websiteDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 10. <span style="font:7.0pt "Times New Roman""> </span></b>To verify certificate install, click on the System Certificates link.</p> <p class="pBody"><img border="0" width="1043" height="188" id="Picture 309628404" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_363.png" alt="Graphical user interface, text, application, websiteDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 11. 
<span style="font:7.0pt "Times New Roman""> </span></b>Confirm the uploaded certificate is associated with EAP Authentication.</p> <p class="pBody"><img border="0" width="1043" height="629" id="Picture 309628405" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_364.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645276"></a><a name="_Toc125461727"></a><a name="_Toc123930290">ISE: Configure EAP Chaining Settings</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628685" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Policy <span style="font-family:Wingdings">à</span> Policy Elements <span style="font-family:Wingdings">à</span> Results.</p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>From Authentication <span style="font-family:Wingdings">à</span> Allowed Protocols, click on Default Network Access.</p> <p class="pBody"><img border="0" width="864" height="295" id="Picture 309628447" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_365.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">Scroll down to the EAP-FAST section and verify the following settings are enabled. At a minimum, the EAP-TLS inner method and EAP Chaining must be allowed here: the Authentication and Authorization rules created later in this guide match on EapAuthentication equal to EAP-TLS and on EapChainingResult, so if either option is disabled, trusted endpoints will fail to match those rules.</p> <p class="pBody"><img border="0" width="865" height="556" id="Picture 309628448" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_366.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Scroll down and click Save when finished.</p> <p class="pToC_Subhead3"><a name="_Toc128645277"></a><a name="_Toc125461728"></a><a name="_Toc123930291">ISE: Verify Certificate Authentication Profile Settings</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628686" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Work Centers <span style="font-family:Wingdings">à</span> Network Access <span style="font-family:Wingdings">à</span> Ext Identity Sources.</p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click on Preloaded_Certificate_Profile.</p> <p class="pBody"><img border="0" width="1043" height="332" id="Picture 309628450" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_367.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Verify that the Certificate Attribute is set to the Subject Common Name. Click Save when finished.</p> <p class="pBody"><img border="0" width="1043" height="495" id="Picture 309628455" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_368.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Identities tab, then click Identity Source Sequences. Edit All_User_ID_Stores.</p> <p class="pBody"><img border="0" width="1043" height="345" id="Picture 309628452" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_369.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Confirm that the Preloaded_Certificate_Profile configured in the prior step is selected for Certificate Based Authentication. 
Click Save.</p> <p class="pBody"><img border="0" width="1043" height="678" id="Picture 309628454" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_370.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645278"></a><a name="_Toc125461729"></a><a name="_Toc123930292">Windows: Confirm Machine Auth Certificate Details</a></p> <p class="pBody">Instructions for deploying certificates for machine authentication via Group Policy Object (GPO) are given in the companion Certificate Guide under the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html#ActiveDirectoryDistributeMachineCertificatesviaGroupPolicyObject">Active Directory: Distribute Machine Certificates via Group Policy Object</a> section. Steps to verify the location and details of a machine certificate are given below.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>From a Windows workstation, search for the term ‘cert’ and select the ‘Manage computer certificates’ entry to review local certificates that apply to all users on the endpoint.</p> <p class="pBody"><img border="0" width="432" height="922" id="Picture 309628442" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_371.png" alt="A picture containing textDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click the dropdown arrow next to Personal, then click the Certificates subfolder. Any certificates in the folder appear in the right window pane. Note that the certificate is personalized for the specific endpoint it is installed on (in this example, computer name J0PDU4H). 
Double click the certificate to open it.</p> <p class="pBody"><img border="0" width="720" height="208" id="Picture 309628443" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_372.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Details tab and then scroll down and click on Enhanced Key Usage. Verify there is an entry for Client Authentication.</p> <p class="pBody"><img border="0" width="576" height="450" id="Picture 309628444" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_373.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Click on the Certification Path tab and review the certificate chain details. Click OK when finished.</p> <p class="pBody"><img border="0" width="504" height="645" id="Picture 309628445" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_374.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">In this case our certificate is signed by only a root CA, which was already added to the ISE Trusted Certificates store in a prior section. For steps to export an AD root certificate (or intermediary certificate) and add it to the ISE Trusted Certificates store, see the <a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html#ActiveDirectoryDistributeMachineCertificatesviaGroupPolicyObject">Export a Root Certificate</a> section in the companion Certificate Guide. 
</p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Continue to the next section for steps to verify the certificates in the ISE Trusted Certificates store and configure them for client authentication.</p> <p class="pToC_Subhead3"><a name="_Toc128645279"></a><a name="_Toc125461730"></a><a name="_Toc123930293">ISE: Configure Trusted Certificates for Client Authentication</a></p> <p class="pBody">With the NAM profile configuration set in the Zero Trust User and Device guide, each endpoint will present a client certificate during 802.1X machine authentication. For ISE to accept the client certificate presented by an endpoint, the root and any intermediate certificates in the client certificate chain must be set to trust for client authentication within ISE. Enable this trust only for the internal CA(s) that actually issue endpoint certificates: marking a widely used or public CA as trusted for client authentication would allow any certificate issued by that CA to satisfy the certificate check, not just those issued to your managed endpoints.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628687" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Administration <span style="font-family:Wingdings">à</span> System <span style="font-family:Wingdings">à</span> Certificates.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Click on Trusted Certificates.</p> <p class="pBody"><img border="0" width="1043" height="217" id="Picture 100" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_375.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>Select the root certificate that signed the client certificate used by the endpoint then click Edit.</p> <p class="pBody"><img border="0" width="1044" height="742" id="Picture 309628100" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_376.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Check the box for ‘Trust for client authentication and Syslog’, then click Save.</p> <p class="pBody"><img border="0" width="1042" height="684" id="Picture 309628104" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_377.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Repeat the process above for any intermediate CAs in the client certificate chain. </p> <p class="pToC_Subhead3"><a name="_Toc128645280"></a><a name="_Toc125461731"></a><a name="_Toc123930294">ISE: Confirm Machine Authentication is Enabled</a></p> <p class="pBody">Machine Authentication must be enabled for ISE to validate the endpoint based on the client certificate.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628688" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Work Centers <span style="font-family:Wingdings">à</span> Network Access <span style="font-family:Wingdings">à</span> Ext Id Sources.</p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Select an Active Directory instance.</p> <p class="pBody"><img border="0" width="1044" height="309" id="Picture 309628407" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_378.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click Advanced Settings.</p> <p class="pBody"><img border="0" width="1044" height="301" id="Picture 309628408" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_379.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Confirm that Enable Machine Authentication is checked.</p> <p class="pBody"><img border="0" width="1044" height="373" id="Picture 309628456" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_380.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>Machine Access Restrictions (MAR) is not needed for this configuration because EAP-FAST with EAP chaining performs the user authentication and the machine authentication together in the same 802.1X session; this allows ISE to reliably authorize the user based on both results, even if there is not a machine authentication cached via MAR within the Aging Time window. MAR-based designs, by contrast, depend on that cache and can fail or grant access incorrectly when the cache entry has aged out.</p> <p class="pToC_Subhead2"><a name="_Toc128645281"></a><a name="_Toc125461732"></a><a name="_Toc123930295">Configure ISE Policy Sets</a></p> <p class="pBody">Configure the Authentication and 
Authorization rules that will be used to provide AA for 802.1X connections (configured in the next section), and assign dynamic SGTs to permitted 802.1X connections for enforcement via Secure Firewall and SGACLs. </p> <p class="pToC_Subhead3"><a name="_Toc128645282"></a><a name="_Toc125461733"></a><a name="_Toc123930296">ISE: Create New Policy</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Menu icon (<img border="0" width="19" height="12" id="Picture 309628689" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_61.jpg" alt="page21image42869280"/>) and navigate to Policy <span style="font-family:Wingdings">à</span> Policy Sets.</p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Edit an existing policy or click the + icon to create a new one.</p> <p class="pBody"><img border="0" width="1043" height="177" id="Picture 309628411" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_381.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Name the policy and set the Allowed Protocols to Default Network Access, then click the + icon.</p> <p class="pBody"><img border="0" width="1043" height="173" id="Picture 309628413" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_382.png" alt="Graphical user interface, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. 
<span style="font:7.0pt "Times New Roman""> </span></b>Drag the Wired_802.1X library condition to the NEW | AND | OR box.</p> <p class="pBody"><img border="0" width="1042" height="538" id="Picture 309628414" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_383.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Drag the Wireless_802.1X library condition to the NEW | AND | OR box.</p> <p class="pBody"><img border="0" width="1042" height="533" id="Picture 309628415" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_384.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Set the condition to OR. If desired, mouse over the Wired_802.1X and Wireless_802.1X and click edit to change the premade conditions to their expanded format.</p> <p class="pBody"><img border="0" width="1043" height="390" id="Picture 309628416" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_385.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The expanded conditions are shown below for reference (the behavior will be the same regardless of whether they are expanded). 
Click Use at the bottom of the page.</p> <p class="pBody"><img border="0" width="1043" height="1091" id="Picture 309628417" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_386.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Click Save.</p> <p class="pBody"><img border="0" width="1044" height="170" id="Picture 309628418" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_387.png" alt="Graphical user interface, text, application, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Click on the > icon for the new policy.</p> <p class="pBody"><img border="0" width="1044" height="170" id="Picture 309628419" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_388.png" alt="Graphical user interface, text, application, TeamsDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645283"></a><a name="_Toc125461734"></a><a name="_Toc123930297">ISE: Create Authentication Policy Rules</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Expand the Authentication Policy, then click the + icon.</p> <p class="pBody"><img border="0" width="1043" height="547" id="Picture 309628420" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_389.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>Name the rule and set the Use column to All_User_ID_Stores (other options can be selected with more narrow criteria, if desired). Click the + icon to set conditions.</p> <p class="pBody"><img border="0" width="1044" height="348" id="Picture 65" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_390.png" alt="Graphical user interface, text, application, email, TeamsDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click to add an attribute.</p> <p class="pBody"><img border="0" width="1043" height="248" id="Picture 48" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_391.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Select Protocol (highlighted in blue), set the Dictionary to Network Access, and select the EapAuthentication attribute.</p> <p class="pBody"><img border="0" width="648" height="314" id="Picture 309628608" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_392.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. 
<span style="font:7.0pt "Times New Roman""> </span></b>With the Network Access-EapAuthentication criteria set, click the drop-down and select EAP-TLS (this will match our NAM configuration for machine and user auth).</p> <p class="pBody"><img border="0" width="864" height="384" id="Picture 309628609" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_393.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Click the New option.</p> <p class="pBody"><img border="0" width="1043" height="319" id="Picture 309628610" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_394.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Click to add an attribute.</p> <p class="pBody"><img border="0" width="1044" height="460" id="Picture 309628611" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_395.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>As with the prior step, set the Dictionary to Network Access and the Attribute to EapAuthentication.</p> <p class="pBody"><img border="0" width="648" height="314" id="Picture 309628612" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_392.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. 
<span style="font:7.0pt "Times New Roman""> </span></b>Set the condition to OR and select EAP-MSCHAPv2 for this EapAuthentication (this will allow untrusted devices that do not have the NAM installed to pass Authentication, while still rejecting weaker methods). Because EAP-MSCHAPv2 relies on the surrounding TLS tunnel for confidentiality, it should only be permitted as an inner method inside a tunneled protocol (for example PEAP), and the supplicants on those untrusted endpoints should still validate the ISE EAP server certificate; otherwise the MSCHAPv2 exchange can be captured by a rogue authenticator and subjected to offline cracking of the user credential.</p> <p class="pBody"><img border="0" width="1043" height="464" id="Picture 309628613" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_396.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 10. <span style="font:7.0pt "Times New Roman""> </span></b>Scroll down to the bottom of the page and click Use. Verify the rule details and set the Default rule to DenyAccess, so that any authentication attempt that does not use one of the two explicitly allowed EAP methods is rejected rather than falling through. Click Save.</p> <p class="pBody"><img border="0" width="1042" height="411" id="Picture 309628615" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_397.png" alt="Graphical user interface, text, application, email, TeamsDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645284"></a><a name="_Toc125461735"></a><a name="_Toc123930298"></a><a name="_ISE:_Create_Authorization"></a>ISE: Create Authorization Policy Rules</p> <p class="pBody">Expand the Authorization Policy – Global Exceptions section and note that there is a default rule from the ANC Policy that sets a Quarantine match to Deny Access. This is the mechanism that will block endpoints that are quarantined in Secure Analytics using the ANC feature.</p> <p class="pBody"><img border="0" width="1042" height="374" id="Picture 309628424" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_398.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>Expand the Authorization Policy and click the + icon to create a new rule.</p> <p class="pBody"><img border="0" width="1043" height="727" id="Picture 309628619" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_399.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Name the rule and click the + icon under the Conditions column to modify the rule criteria.</p> <p class="pBody"><img border="0" width="864" height="291" id="Picture 309628622" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_400.png" alt="Graphical user interface, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click to add an attribute.</p> <p class="pBody"><img border="0" width="1043" height="251" id="Picture 309628620" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_401.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Select the Protocol set, select Network Access under Dictionary, then click the EapTunnel attribute.</p> <p class="pBody"><img border="0" width="648" height="355" id="Picture 309628623" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_402.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click the dropdown and select EAP-FAST. This will match the 802.1X connection initiated by the NAM installation.</p> <p class="pBody"><img border="0" width="864" height="273" id="Picture 309628627" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_403.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Click on NEW.</p> <p class="pBody"><img border="0" width="1043" height="319" id="Picture 309628636" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_404.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Click to add an attribute.</p> <p class="pBody"><img border="0" width="1043" height="468" id="Picture 309628638" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_405.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Select Protocol, filter the Dictionary by Network Access, and click on EapChainingResult.</p> <p class="pBody"><img border="0" width="648" height="366" id="Picture 309628642" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_406.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt "Times New Roman""> </span></b>Click the drop-down and select ‘User and machine both succeeded’. 
This will restrict rule matches to only 802.1X attempts that submit both a machine and user auth and pass both.</p> <p class="pBody"><img border="0" width="1044" height="505" id="Picture 309628651" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_407.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 10. <span style="font:7.0pt "Times New Roman""> </span></b>Click New again.</p> <p class="pBody"><img border="0" width="1043" height="463" id="Picture 309628652" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_408.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 11. <span style="font:7.0pt "Times New Roman""> </span></b>Select the Identity category and click on the AD join point under Dictionary and ExternalGroups as the Attribute.</p> <p class="pBody"><img border="0" width="648" height="297" id="Picture 309628665" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_409.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 12. <span style="font:7.0pt "Times New Roman""> </span></b>Click the drop-down and select the Employee group.</p> <p class="pBody"><img border="0" width="1044" height="605" id="Picture 309628668" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_410.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 13. <span style="font:7.0pt "Times New Roman""> </span></b>Scroll down and click Use. Verify the Conditions, set the Profile to PermitAccess, and set the Security Group to Employee_Trusted_Device. 
Finally, click the gear icon and select ‘Duplicate below’.</p> <p class="pBody"><img border="0" width="1043" height="264" id="Picture 309628669" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_411.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 14. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Conditions of the duplicate rule to edit.</p> <p class="pBody"><img border="0" width="1044" height="388" id="Picture 309628670" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_412.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 15. <span style="font:7.0pt "Times New Roman""> </span></b>Click the x to remove the Employees group.</p> <p class="pBody"><img border="0" width="1044" height="567" id="Picture 309628227" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_413.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 16. <span style="font:7.0pt "Times New Roman""> </span></b>Click the drop-down and select the Contractors group. This will perform a Trusted Device check against users in the Contractor group.</p> <p class="pBody"><img border="0" width="1043" height="566" id="Picture 309628236" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_414.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 17. <span style="font:7.0pt "Times New Roman""> </span></b>Scroll down and click Use. Change the rule name to Contractor Trusted Device and change the Security Group to Contractor_Trusted_Device. 
Click Save.</p> <p class="pBody"><img border="0" width="1044" height="346" id="Picture 309628240" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_415.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 18. <span style="font:7.0pt "Times New Roman""> </span></b>Create two new rules that use only the AD group criteria and assign the Untrusted SGTs to Employees and Contractors. These should be placed below the Trusted rules so that users are evaluated against the Trusted rules first, then fall through to the Untrusted rules if they fail the Trusted rule checks.</p> <p class="pBody"><img border="0" width="1043" height="335" id="Picture 309628244" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_416.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 19. <span style="font:7.0pt "Times New Roman""> </span></b>Create a new rule for the Machine authentication. This will be the same format as the Untrusted Device rules, but it will perform a check against an AD group for computers rather than users. </p> <p class="pBody">The final policy configuration is shown below. Note that the policy order should be Trusted Devices at the top and Machine Authentication at the bottom. Because ISE policies are evaluated top to bottom, this allows us to match a login to a Trusted User if that criterion is met, then an Untrusted User if that criterion is met, and then finally a Machine Authentication if no user login is provided. If the login attempt is not from a user or machine in an accepted AD group, then the Default of DenyAccess is applied. </p> <p class="pStep1CMT"><b>Step 20. 
<span style="font:7.0pt "Times New Roman""> </span></b>After reviewing the policy details, click Save.</p> <p class="pBody"><img border="0" width="1043" height="442" id="Picture 309628265" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_417.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645285"></a><a name="_Toc125461736"></a><a name="_Toc123930299"></a><a name="_ISE:_Enable_Guest"></a>ISE: Enable Guest Wireless Rules</p> <p class="pBody">The Default policy has two rules for Guest Wireless access that we’ll use, with one modification. </p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Return to the Policy Sets page and view the Default policy.</p> <p class="pBody"><img border="0" width="1043" height="205" id="Picture 128" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_418.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Expand the Authorization Policy and locate the rules for Wi-Fi_Guest_Access and Wi-Fi_Redirect_to_Guest_Login. Enable both rules and set the Security Group for Wi-Fi_Redirect_to_Guest_Login to Guest_Registration.</p> <p class="pBody"><img border="0" width="1044" height="262" id="Picture 129" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_419.png" alt="Graphical user interface, applicationDescription automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 3. 
<span style="font:7.0pt "Times New Roman""> </span></b>Click Save when finished.</p> <p class="pToC_Subhead2"><a name="_Toc98245154"></a><a name="_Toc83125716"></a><a name="_Toc82683333"></a><a name="_Toc128645286"></a><a name="_Toc125461737"></a><a name="_Toc123930300"></a><a name="_Secure_Firewall:_Access"></a>Secure Firewall Access Control with Dynamic SGT</p> <p class="pBody">We previously configured Secure Firewall to receive Dynamic SGT information from ISE via pxGrid, and to receive destination SGT mappings via SXP domain. Now that we have end users successfully authenticating via 802.1X and receiving SGT assignments upon login, we can use both source and destination SGT assignments in Secure Firewall rules. The example rules given below are for outbound connections leaving a branch without a local DNS or ISE server destined for applications hosted at a data center over SD-WAN.</p> <p class="pBody">We’ll create rules to allow the following connections.</p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">1.<span style="font:7.0pt "Times New Roman""> </span>Employees with the Trusted Device SGT can connect to an internal case portal. 
Because the portal contains sensitive customer information, only users with trusted devices are allowed access.</p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">2.<span style="font:7.0pt "Times New Roman""> </span>Users with the Contractor Untrusted Device SGT can connect to an internal Sock Shop app that offers premium, discounted socks to users regardless of device trust.</p> <p class="pBody" style="margin-left:.25in"><img border="0" width="1043" height="588" id="Picture 118" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_420.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">3.<span style="font:7.0pt "Times New Roman""> </span>Allow guests to access the internet regardless of device trust.</p> <p class="pBody">Supplementary rules to permit DNS resolution for the internal apps and to allow prospective guest users to access an ISE registration portal are also covered. </p> <p class="pBody">While these rules are intentionally overfitted to their respective allowed users, they serve as clear examples of applying least privilege to different connections. The example rules below are all configured with an allow by exception, deny by default philosophy.</p> <p class="pToC_Subhead3"><a name="_Toc128645287"></a><a name="_Toc125461738"></a><a name="_Toc123930301">Secure Firewall: Create Access Control Policy</a> </p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>From the FMC GUI, navigate to Policies <span style="font-family:Wingdings">à</span> Access Control.</p> <p class="pBody"><img border="0" width="1044" height="213" id="Picture 21" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_421.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Either edit a currently applied policy or click the New Policy button to create one.</p> <p class="pBody"><img border="0" width="648" height="149" id="Picture 309628234" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_422.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Enter a name for the policy and assign a Secure Firewall device as the target using the Add to Policy button. As a best practice this guide uses the ‘Block all traffic’ option as the Default Action, meaning that any traffic that is not allowed by a rule will be blocked (implicit deny, permit by exception). Click Save.</p> <p class="pBody"><img border="0" width="648" height="785" id="Picture 309628230" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_423.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645288"></a><a name="_Toc125461739"></a><a name="_Toc123930302">Secure Firewall: Rule Creation Walkthrough</a></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt "Times New Roman""> </span></b>From the edited or newly created policy, click the Add Rule button. Note that the following screenshots use the new <a name="_Int_WaoSdvGT">UI</a> layout set by the toggle switch highlighted below.</p> <p class="pBody"><img border="0" width="576" height="267" id="Picture 119" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_424.png" alt="Graphical user interface, text, application, chat or text messageDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt "Times New Roman""> </span></b>Enter a name for the rule and select where in the policy to Insert it. </p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>On the left side, set the action to Allow so that matching connections will be permitted with subsequent inspection. </p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Set the Intrusion Policy (the default Balanced policy is shown below).</p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Set a default or custom Variable Set.</p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Select a File Policy (for steps to create a file policy and integrate it with Secure Malware Analytics Cloud, please see Appendix D).</p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>It is recommended to enable beginning of connection logging for initial testing, after which logging can be switched to end of connection to collect more connection details. Alternatively, both beginning and end of connection logging can be enabled if storage of duplicate logs is not a concern. </p> <p class="pStep1CMT"><b>Step 8. 
<span style="font:7.0pt "Times New Roman""> </span></b>Finally, click the middle of the page to add object and group criteria.</p> <p class="pBody"><img border="0" width="1044" height="507" id="Picture 181" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_425.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">The Network page loads first by default. We can follow two different philosophies for networks when using SGTs:</p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">1.<span style="font:7.0pt "Times New Roman""> </span>Specify network criteria in addition to SGTs for <a name="_Int_7Vra01iB">firewall</a> policy auditing purposes</p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">2.<span style="font:7.0pt "Times New Roman""> </span>Utilize SGTs exclusively to reduce network object maintenance and overhead across the <a name="_Int_xrgePrgc">firewall</a> deployment</p> <p class="pBody">For this example, we will supplement our SGT criteria by also adding a source object that defines the host subnet allocated to user endpoints. The effect of this is an AND condition—the <a name="_Int_VxG7m0Bs">firewall</a> rule will match a session that is sourced from an IP within the host subnet AND which also has a designated SGT attached to the packet, confirming a successful auth and device validation. We’ll leave the destination network blank and rely strictly on destination SGT attributes from ISE to reduce IP groups maintenance and use ISE as a single source of truth.</p> <p class="pBody">The screenshot below shows the action of searching for a premade network range object and adding it as Source criteria. </p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt "Times New Roman""> </span></b>Alternatively, new objects can be created by clicking the Create Network Object link in the lower left. 
When finished, click the Zone tab.</p> <p class="pBody"><img border="0" width="1044" height="521" id="Picture 309628275" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_426.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">Security Zones are mapped to <a name="_Int_EX4kbqMD">firewall</a> interfaces and serve as a mechanism to specify traffic flow for a rule. </p> <p class="pStep1CMT"><b>Step 10. <span style="font:7.0pt "Times New Roman""> </span></b>In this example, we want to allow end users to connect to the data center over SD-WAN, so we will set the Workstations Security Zone (which is connected to the access switch) as the source, and the SD-WAN Security Zone (which is connected to the edge router) as the destination. </p> <p class="pStep1CMT"><b>Step 11. <span style="font:7.0pt "Times New Roman""> </span></b>When finished, click on the Port tab.</p> <p class="pBody"><img border="0" width="1043" height="519" id="Picture 309628282" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_427.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 12. <span style="font:7.0pt "Times New Roman""> </span></b>Search for 443 and add the HTTPS TCP/443 object as a destination port (or use the Create Port Object link in the lower left, if needed). The source port for HTTPS connections is drawn from the ephemeral port range, and these are typically left as ‘any’ criteria in practice. However, a port range of 1024-65535 can be added for the Source port if desired. </p> <p class="pStep1CMT"><b>Step 13. <span style="font:7.0pt "Times New Roman""> </span></b>When finished, click on App. 
</p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>HTTPS destination ports other than 443 can also be added here, such as 8443.</p> <p class="pBody"><img border="0" width="1044" height="519" id="Picture 309628289" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_428.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 14. <span style="font:7.0pt "Times New Roman""> </span></b>From the Application page, search for HTTPS and add the HTTPS application to the Destination column. </p> <p class="pStep1CMT"><b>Step 15. <span style="font:7.0pt "Times New Roman""> </span></b>When finished, click on the URL tab. </p> <p class="pNoteCMT" style="margin-left:0in;text-indent:0in"><b><span style="font-size:9.0pt">Note: <span style="font:7.0pt "Times New Roman""> </span></span></b>While there is some redundancy to specifying destination port 443 and HTTPS application detection in the same rule, there are some beneficial security outcomes in doing so. Specifying only port 443 will allow protocols other than HTTPS to match the rule and be allowed, which isn’t our intent here. Alternatively, specifying only HTTPS with no destination port also has a drawback. Application detection typically relies on a unique packet or string for identification, and for a TCP session this will occur at least after the three-way handshake and perhaps even later in the session. 
Specifying both 443 and HTTPS application tells the <a name="_Int_1ZbNyubG">firewall</a> to only wait for HTTPS application detection for sessions that have destination port 443, and to deny the session if the port 443 connection turns out to be something other than HTTPS (for an HTTPS session the earliest that application detection can occur is on the 4<sup>th</sup> packet, the Client Hello).</p> <p class="pBody"><img border="0" width="1044" height="519" id="Picture 309628330" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_429.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 16. <span style="font:7.0pt "Times New Roman""> </span></b>From the URL page, enter the URL and click the Add URL button to add it to the Destination column (or use an object, if preferred). The example below shows a case portal address. URL matching is done via string match, and we want to be as specific as possible without leaving out any wanted matches. For example, if we wanted to match both HTTPS and HTTP, we could remove the https:// from the start of the URL string, but that isn’t our intent here. When finished, click on the Dynamic Attributes tab.</p> <p class="pBody"><img border="0" width="1043" height="520" id="Picture 309628340" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_430.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 17. <span style="font:7.0pt "Times New Roman""> </span></b>Use the search bar to find the Dynamic SGTs from ISE and add them to the Source and Destination columns. For this example, we use source of Employee_Trusted_Device and Destination of DC_Application_Servers. 
When finished, click Apply.</p> <p class="pBody"><img border="0" width="1044" height="521" id="Picture 309628341" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_431.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 18. <span style="font:7.0pt "Times New Roman""> </span></b>Review the rule, then click Save.</p> <p class="pBody"><img border="0" width="1043" height="164" id="Picture 309628342" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_432.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645289"></a><a name="_Toc125461740"></a><a name="_Toc123930303">Secure Firewall: Complete Access Control Policy Rule Creation</a></p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt "Times New Roman""> </span></b>Click Add Rule to configure additional rules and click Save when finished. 
Complete criteria for each rule are shown below.</p> <p class="pBody"><img border="0" width="1044" height="228" id="Picture 132" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_433.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">Notes on the criteria used in each of the above rules:</p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">1.<span style="font:7.0pt "Times New Roman""> </span>Configuration and logic of the first rule were given in the prior section</p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">2.<span style="font:7.0pt "Times New Roman""> </span>The second rule allows users who were assigned the Contractor_Untrusted_Device SGT during the ISE AA process to access a sock-shop URL hosted by the application servers mapped to the DC_Application_Servers SGT. This rule is very similar to rule 1, with the only differences being selection of a different source SGT and destination URL.</p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">3.<span style="font:7.0pt "Times New Roman""> </span>The third rule permits users assigned the Guests SGT during the ISE AA process to access destinations that have the Unknown SGT, which will match any IP space not used by the internal network. Zones are used to force the traffic path of Guest_Wireless to Internet—while the configuration is not shown in this guide, the separation of an Outside <a name="_Int_kcHnEOoX">firewall</a> interface into internet and SD-WAN Security Zones could be accomplished via a logical sub-interface and separate VRF, with corresponding sub-interface and VRF on the edge router. Alternatively, both SD-WAN and internet traffic can be sent to a single edge router interface, with routing decisions left to the router. 
The rest of the rule is left intentionally broad, as the goal is to provide general web access to guest users without restriction. However, the Intrusion Policy has been enabled to provide some visibility and protection against the possibility of users launching malicious activity from the company IP space. The File policy has been disabled to reduce <a name="_Int_p3y9Pi7U">firewall</a> resource overhead on guest connections.</p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">4.<span style="font:7.0pt "Times New Roman""> </span>The fourth rule allows the four Contractor and Employee SGTs to access internal DNS servers over TCP and UDP ports. This rule allows end users to perform name resolution for the URLs allowed in rules one and two. As with rules one and two, a destination SGT is specified, in this case corresponding to the DC_DNS_Servers static SGT assignment performed in the <a href="#_Configure_ISE_Security">Configure ISE Security Groups and Static Mapping</a> section.</p> <p class="pBody" style="margin-left:.5in;text-indent:-.25in">5.<span style="font:7.0pt "Times New Roman""> </span>The fifth rule permits a prospective guest user to connect to ISE and complete the Guest Portal process. The allowed URL is in the default format used by the Cisco_WebAuth profile, which was used in the <a href="#_ISE:_Enable_Guest">ISE: Enable Guest Wireless Rules</a> section. Because the connection is HTTPS, matching port and application criteria are used. Note that decryption capabilities are needed to match on the path beyond the URL (e.g. /portal/gateway).</p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt "Times New Roman""> </span></b>With the policy saved, click Deploy.</p> <p class="pBody"><img border="0" width="432" height="64" id="Picture 309628268" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_434.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt "Times New Roman""> </span></b>Click the Deploy button for the <a name="_Int_CDh7giHX">firewall</a> associated with the saved Access Control Policy from this section.</p> <p class="pBody"><img border="0" width="648" height="108" id="Picture 309628269" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_435.png" alt="A picture containing graphical user interfaceDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt "Times New Roman""> </span></b>Verify that the Deployment completes successfully.</p> <p class="pBody"><img border="0" width="792" height="203" id="Picture 309628274" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_436.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pToC_Subhead1"><a name="_Toc128645290"></a><a name="_Toc125461741"></a><a name="_Toc123930304">Validation Tests</a></p> <p class="pBody">Validation and verification steps are given throughout this guide for individual sections and configurations. 
The tests below incorporate multiple areas of integration and should be performed when all areas of configuration are complete.</p> <p class="pToC_Subhead2"><a name="_Toc128645291"></a><a name="_Toc125461742"></a><a name="_Toc123930305">ISE: Validate Machine and User 802.1X Authentication and Authorization</a></p> <p class="pBody">In the <a href="#_ISE:_Create_Authorization">ISE Authorization Policy</a> section we created five rules to track AA for Employees, Contractors, and device posture. We’ll test the most complex sequence of Machine AA <span style="font-family:Wingdings">à</span> Trusted Employee/Contractor + Machine AA in this section.</p> <p class="pBody">To start, we want to force a new Machine AA attempt from a Trusted device. The easiest way to force a new Machine AA attempt is to have the user sign out and then sign back in again (note: a user resuming a locked session won’t trigger a new Machine AA attempt). After the endpoint signs on, from ISE navigate to Operations <span style="font-family:Wingdings">à</span> RADIUS <span style="font-family:Wingdings">à</span> Live Logs.</p> <p class="pBody"><img border="0" width="720" height="215" id="Picture 309628271" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_437.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">ISE RADIUS logs show a sequence of machine auth (host/Desktop in the screenshot below) followed by machine + user auth (lee,host/Desktop in the screenshot below), both from the same Endpoint ID. 
Click the view icon under the Details column to view the machine auth report.</p> <p class="pBody"><img border="0" width="1044" height="581" id="Picture 309628085" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_438.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645292"></a><a name="_Toc125461743"></a><a name="_Toc123930306">Machine Authentication and Authorization</a></p> <p class="pBody">The Overview section of the report shows the username as the desktop name of the endpoint, which is expected for machine authentication.</p> <p class="pBody"><img border="0" width="504" height="126" id="Picture 66" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_439.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">The Username field in the above screenshot matches the name of the issued computer certificate on the endpoint.</p> <p class="pBody"><img border="0" width="792" height="226" id="Picture 68" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_440.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The Authentication and Authorization fields in the overview section also match the expected AA policy rules we configured previously, with result of Permit Access.</p> <p class="pBody"><img border="0" width="576" height="343" id="Picture 71" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_441.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">Reviewing the 
Authentication Details section of the report, we can see that the Authentication Protocol is the EAP-FAST configured on the NAM install, and the Machine_Authenticated SGT has been assigned.</p> <p class="pBody"><img border="0" width="432" height="499" id="Picture 73" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_442.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The Other Attributes section shows an EapChainingResult of ‘User failed and machine succeeded’—this is expected, as the host has submitted machine credentials via certificate but no user credentials. We also see that matched AD group is the Computers group, not a user group.</p> <p class="pBody"><img border="0" width="648" height="286" id="Picture 74" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_443.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">Going through a few points of the Steps section of the report, after initial EAP-FAST and TLS negotiation we see EAP chaining begin for the user type, which the client rejects and prompts for machine type instead.</p> <p class="pBody"><img border="0" width="504" height="460" id="Picture 75" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_444.png" alt="Graphical user interface, applicationDescription automatically generated with medium confidence"/></p> <p class="pBody">Later logs show the extraction and evaluation of the client certificate.</p> <p class="pBody"><img border="0" width="504" height="915" id="Picture 76" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_445.png" 
alt="TextDescription automatically generated"/></p> <p class="pBody">A check of the machine is also performed against Active Directory, which succeeds.</p> <p class="pBody"><img border="0" width="504" height="469" id="Picture 309628105" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_446.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">Return to the Live Log page and drill down on the user + machine log.</p> <p class="pBody"><img border="0" width="1044" height="581" id="Picture 126" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_447.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pToC_Subhead3"><a name="_Toc128645293"></a><a name="_Toc125461744"></a><a name="_Toc123930307">Machine + User Authentication and Authorization</a></p> <p class="pBody">The Overview section is similar to the machine auth results, with two notable differences—the username (lee) appears before the host details, and the Authorization Policy match is the Employee Trusted Device rule.</p> <p class="pBody"><img border="0" width="576" height="329" id="Picture 309628118" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_448.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">In the Authentication Details, we see that both EAP-TLS and EAP-MSCHAPv2 were used as inner methods by EAP-FAST, and the assigned SGT is Employee_Trusted_Device.</p> <p class="pBody"><img border="0" width="576" height="562" id="Picture 309628129" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_449.png" alt="Graphical user interface, applicationDescription automatically 
generated"/></p> <p class="pBody">Reviewing additional Authentication Details, we see that the EapChainingResult is now successful for both user and machine, and AD queries were performed for both the user and machine.</p> <p class="pBody"><img border="0" width="576" height="555" id="Picture 309628133" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_450.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">Reviewing the Steps section, the client this time proceeds with the user auth rather than suggesting machine auth; the user auth succeeds.</p> <p class="pBody"><img border="0" width="576" height="1118" id="Picture 309628154" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_451.png" alt="Graphical user interfaceDescription automatically generated with medium confidence"/></p> <p class="pBody">A check of the machine against AD is then performed.</p> <p class="pBody"><img border="0" width="576" height="532" id="Picture 309628150" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_452.png" alt="Graphical user interface, textDescription automatically generated with medium confidence"/></p> <p class="pToC_Subhead2"><a name="_Toc128645294"></a><a name="_Toc125461745"></a><a name="_Toc123930308">Secure Firewall: Validate Access Control with SGTs</a></p> <p class="pBody">With the rules configured and successfully applied, use an endpoint to generate traffic that matches one of the allow rules. 
Once the traffic has been generated, navigate to Analysis → Connections → Events, then click on Edit Search.</p> <p class="pBody"><img border="0" width="720" height="218" id="Picture 309628364" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_453.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">For this example, we’ll search for a DNS query to our caseportal.lab1six1.com application server. Click the Networking category on the left side, enter search criteria in the DNS Query field, then click Search.</p> <p class="pBody"><img border="0" width="1044" height="130" id="Picture 309628365" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_454.png" alt="Background patternDescription automatically generated with medium confidence"/></p> <p class="pBody">The default search results show us most of the fields we’d expect for this connection. Note that there are two connection events, one that has a Last Packet field and another that only has a First Packet field. These two events appear because we checked both the beginning and ending Connection Event logging options. 
In this case, the beginning log was generated when the DNS request was seen, then the ending log was generated after the DNS response was seen and Secure Firewall detected that the DNS session was complete.</p> <p class="pBody">Click on Table View of Connection Events for more details.</p> <p class="pBody"><img border="0" width="1042" height="379" id="Picture 309628368" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_455.png" alt="Graphical user interface, text, application, emailDescription automatically generated"/></p> <p class="pBody">The Table View of Connection Events has many columns. We only need some of them to confirm a solid match of our expected Access Rule, and it can be helpful to collapse those useful columns into one view. Click the ‘x’ on any column, then uncheck any columns that are not needed. Click Apply. Note: disabling columns is a temporary change and will reset when the FMC session ends.</p> <p class="pBody"><img border="0" width="576" height="584" id="Picture 309628370" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_456.png" alt="Graphical user interfaceDescription automatically generated"/></p> <p class="pBody">From the Table View we can confirm that the traffic matched the previously configured DNS rule, that the DNS Application was successfully detected for the port 53 traffic, and that the Source and Destination SGTs are both correct for the flow. 
Also note that our End of Connection event has an additional Responder Packet and associated Responder Bytes—by waiting until the end of the connection (DNS Request + DNS Response) to generate an event, additional packet information was collected.</p> <p class="pBody"> </p> <p class="pBody"><img border="0" width="1044" height="231" id="Picture 309628372" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_457.png" alt="Graphical user interface, application, tableDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645295"></a><a name="_Toc125461746"></a><a name="_Toc123930309">ISE and Secure Analytics: Validate User Quarantine</a></p> <p class="pBody">We can test a quarantine block by manually setting an authenticated user to quarantine in Secure Analytics and then re-attempting a connection.</p> <p class="pStep1CMT"><b>Step 1. <span style="font:7.0pt 'Times New Roman'"> </span></b>From Secure Analytics, navigate to Analyze → Flow Search.</p> <p class="pBody"><img border="0" width="1043" height="117" id="Picture 309628376" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_458.png" alt="Related image, diagram or screenshot"/></p> <p class="pBody">The ANC quarantine action is performed from the host page, so we’ll search for the source IP seen in the last section. </p> <p class="pStep1CMT"><b>Step 2. 
<span style="font:7.0pt 'Times New Roman'"> </span></b>Enter the IP address, change the time window if necessary, then click Search.</p> <p class="pBody"><img border="0" width="1044" height="304" id="Picture 309628377" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_459.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt 'Times New Roman'"> </span></b>Click the IP address in any flow event.</p> <p class="pBody"><img border="0" width="1043" height="507" id="Picture 309628378" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_460.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt 'Times New Roman'"> </span></b>Scroll down the page to verify the target user is still logged into the host, then click Edit next to ISE ANC Policy.</p> <p class="pBody"><img border="0" width="504" height="883" id="Picture 309628379" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_461.png" alt="Graphical user interfaceDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt 'Times New Roman'"> </span></b>Reconfirm the username, select Quarantine from the ANC Policy dropdown, then click Save.</p> <p class="pBody"><img border="0" width="432" height="1370" id="Picture 309628380" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_462.png" alt="A picture containing shapeDescription automatically generated"/></p> <p class="pBody">Generate some traffic on the quarantined user’s endpoint. 
The expected result is that all traffic fails. </p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt 'Times New Roman'"> </span></b>From ISE, navigate to Operations → RADIUS → Live Logs.</p> <p class="pBody"><img border="0" width="720" height="257" id="Picture 309628382" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_463.png" alt="A screenshot of a computerDescription automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt 'Times New Roman'"> </span></b>Confirm an auth event for the quarantined user with the result DenyAccess. Click on the details option.</p> <p class="pBody"><img border="0" width="1043" height="419" id="Picture 309628618" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_464.png" alt="Graphical user interface, text, application, websiteDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt 'Times New Roman'"> </span></b>Review the Overview details. 
The connection should match the ANC Quarantine rule, which has the result DenyAccess.</p> <p class="pBody"><img border="0" width="576" height="341" id="Picture 309628621" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_465.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">The Steps section provides a detailed breakdown of the ANC evaluation.</p> <p class="pBody"><img border="0" width="418" height="200" id="Picture 309628204" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_466.png" alt="TextDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt 'Times New Roman'"> </span></b>Return to Secure Analytics. To restore access to the quarantined user, navigate to Monitor → ISE ANC Assignments.</p> <p class="pBody"><img border="0" width="719" height="175" id="Picture 309628386" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_467.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 10. <span style="font:7.0pt 'Times New Roman'"> </span></b>Click the ellipsis underneath the Assign ANC Policy column and select None.</p> <p class="pBody"><img border="0" width="1044" height="231" id="Picture 309628387" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_468.png" alt="Graphical user interface, application, websiteDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 11. 
<span style="font:7.0pt 'Times New Roman'"> </span></b>Reload the page and confirm that the quarantine entry is removed.</p> <p class="pBody"><img border="0" width="1043" height="325" id="Picture 309628388" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_469.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The method of quarantine used in this guide results in an 802.1X attempt with a result of DenyAccess, so there is no active 802.1X session for the host after the quarantine is removed. In Operations → RADIUS → Live Sessions, ISE will show the Session Status as Terminated.</p> <p class="pBody"><img border="0" width="1044" height="381" id="Picture 309628614" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_470.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">There are no CoA actions available for a terminated session.</p> <p class="pBody"><img border="0" width="1044" height="394" id="Picture 309628616" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_471.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pBody">The end user will need to initiate a new login event to restore access.</p> <p class="pToC_Subhead1"><a name="_Toc128645296"></a><a name="_Toc125461747"></a><a name="_Toc123930310">Appendix</a><a name="_Create_Externally_Signed"></a></p> <p class="pToC_Subhead2"><a name="_Toc128645297"></a><a name="_Toc125461748"></a><a name="_Toc123930311">Appendix A – Acronyms Defined</a></p> <div> <table border="1" cellpadding="6" cellspacing="0" 
width="100%" bordercolor="#ADADAD"> <thead> <tr valign="top" align="left"> <td> <p class="Cellhead1">Acronym</p> </td> <td> <p class="Cellhead1">Definition</p> </td> </tr> </thead> <tbody> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">ACP</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Access Control Policy</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">AVC</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Application Visibility and Control</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">BYOD</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Bring Your Own Device</p> </td> </tr> <tr 
valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">CA</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Certificate Authority</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">CN</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Common Name</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">CoA</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Change of Authorization</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; 
text-decoration: none; text-indent: 0pt; text-transform: none">CSR</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Certificate Signing Request</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">CTB</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Cisco Telemetry Broker</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">CTS</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Cisco TrustSec</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">DC</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; 
margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Data Center</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">DNG</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Duo Network Gateway</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">DNS</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Domain Name System</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">FMC</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Firewall Management Center</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" 
style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">FQDN</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Fully Qualified Domain Name</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none"><a name="_Int_0t3kKmTU">FTD</a></p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Firepower Threat Defense</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">GUI</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Graphical User Interface</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; 
text-decoration: none; text-indent: 0pt; text-transform: none">HTTPS</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Hypertext Transfer Protocol Secure</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">ISE</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Identity Services Engine</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">MAR</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Machine Access Restriction</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">MDM</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; 
margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Mobile Device Management</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">MFA</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Multi-Factor Authentication</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">MnT</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">ISE node with Monitoring designation</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">MSRPC</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Microsoft Remote Procedure 
Call</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">NGFW</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Next-Generation Firewall</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">OS</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Operating System</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">PAC</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Protected Access Credential</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; 
margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">RADIUS</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Remote Authentication Dial-In User Service</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">RBAC</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Role Based Access Control</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">SAN</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Subject Alternative Name</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">SD-WAN</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; 
font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Software Defined Wide Area Network</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">SOC</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Security Operations Center</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">SG</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Security Group </p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">SGT</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: 
none">Security Group Tag</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">SGACL</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Security Group Access Control List</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">SXP</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">SGT Exchange Protocol</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">TLS</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Transport Layer Security</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; 
margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">URL</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Uniform Resource Locator</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">WMI</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Windows Management Instrumentation</p> </td> </tr> </tbody> </table> </div> <p class="pToC_Subhead2"><a name="_Toc128645298"></a><a name="_Toc125461749"></a><a name="_Toc123930312">Appendix B – Software Versions</a></p> <div> <table border="1" cellpadding="6" cellspacing="0" width="100%" bordercolor="#ADADAD"> <thead> <tr valign="top" align="left"> <td> <p class="Cellhead1">Product</p> </td> <td> <p class="Cellhead1">Platform</p> </td> <td> <p class="Cellhead1">Version</p> </td> </tr> </thead> <tbody> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Cisco Catalyst 9300</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 
3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Hardware Switch</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">17.9.1</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Cisco Identity Services Engine</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Virtual Machine</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">3.1</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Cisco Firepower Threat Defense 4140</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Hardware Firewall</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; 
margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">7.2</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Cisco Secure Firewall Management Center</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Virtual Machine</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">7.2</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Cisco Secure Network Analytics Flow Collector</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Virtual Machine</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">7.4</p> </td> </tr> <tr valign="top" 
align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Cisco Secure Network Analytics Management Center</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Virtual Machine</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">7.4</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Cisco Telemetry Broker Manager</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Virtual Machine</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">1.2.3</p> </td> </tr> <tr valign="top" align="left"> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; 
text-decoration: none; text-indent: 0pt; text-transform: none">Cisco Telemetry Broker Node</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">Virtual Machine</p> </td> <td> <p class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 3pt; margin-left: 3pt; margin-right: 3pt; margin-top: 3pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none">1.2.3</p> </td> </tr> </tbody> </table> </div> <p class="pToC_Subhead2"><a name="_Toc128645299"></a><a name="_Toc125461750"></a><a name="_Toc123930313"></a><a name="_Appendix_C_-"></a><a name="_Trust_an_AD"></a><a name="_Active_Directory_Certificate"></a><a name="_ISE:_Add_an"></a><a name="_Active_Directory:_Create"></a><a name="_Generate_CSRs_in"></a><a name="_ISE:_Generate_Certificate"></a><a name="_Create_Certificates_from"></a><a name="_ISE:_Bind_Certificates"></a><a name="_ISE_Client_Provisioning"></a><a name="_Windows:_Create_and"></a><a name="_Active_Directory:_Distribute"></a><a name="_Configure_TrustSec_SGACLs"></a><a name="_Appendix_D_–"></a>Appendix C – Secure Malware Analytics Integration</p> <p class="pBody">Secure Malware Analytics is a cloud and on-prem malware sandbox that performs dynamic analysis on submitted files. In this guide, we configure Secure Firewall to automatically send files to Secure Malware Analytics for sandbox analysis. Note: these steps require a Secure Malware Analytics cloud account. Because the cloud sandbox is used, any file selected for dynamic analysis is uploaded outside your network, so confirm this is acceptable under your data-handling requirements before enabling it.</p> <p class="pToC_Subhead3"><a name="_Toc128645300"></a><a name="_Toc125461751"></a><a name="_Toc123930314">Create a File Policy</a></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt 'Times New Roman'"> </span></b>Navigate to Policies → Malware &amp; File.</p> <p class="pBody"><img border="0" width="1043" height="261" id="Picture 136" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_472.png" alt="Graphical user interface, text, application. Description automatically generated"/></p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt 'Times New Roman'"> </span></b>Click on New File Policy.</p> <p class="pBody"><img border="0" width="1044" height="97" id="Picture 148" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_473.png" alt="Related image, diagram or screenshot"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt 'Times New Roman'"> </span></b>Enter a name for the File Policy, and a description if desired. Click Save.</p> <p class="pBody"><img border="0" width="432" height="340" id="Picture 151" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_474.png" alt="Graphical user interface, text, application. Description automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. <span style="font:7.0pt 'Times New Roman'"> </span></b>Click on Add Rule.</p> <p class="pBody"><img border="0" width="1043" height="217" id="Picture 154" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_475.png" alt="Graphical user interface, text, application. Description automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt 'Times New Roman'"> </span></b>Set the Action to Block Malware, which will block the final packet of an identified malware file, resulting in transfer failure. 
</p> <p class="pStep1CMT"><b>Step 6. <span style="font:7.0pt "Times New Roman""> </span></b>Check the box for Dynamic Analysis so that eligible files can be submitted to Secure Malware Analytics for further analysis. </p> <p class="pStep1CMT"><b>Step 7. <span style="font:7.0pt "Times New Roman""> </span></b>Add file categories for malware inspection—for this example, we’ve added the file types that are eligible for Dynamic Analysis. Set the other options as desired. </p> <p class="pStep1CMT"><b>Step 8. <span style="font:7.0pt "Times New Roman""> </span></b>Click Save.</p> <p class="pBody"><img border="0" width="1043" height="712" id="Picture 160" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_476.png" alt="Graphical user interface, applicationDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 9. <span style="font:7.0pt "Times New Roman""> </span></b>Click Save again to save the File Policy.</p> <p class="pBody"><img border="0" width="1044" height="239" id="Picture 161" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_477.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">The File Policy will be associated to an Access Control Policy in the Creating Access Control Policies section.</p> <p class="pToC_Subhead3"><a name="_Toc128645301"></a><a name="_Toc125461752"></a><a name="_Toc123930315">Associate FMC to Secure Malware Analytics Cloud</a></p> <p class="pStep1CMT"><b>Step 1. 
<span style="font:7.0pt 'Times New Roman'"> </span></b>Navigate to <a name="_Int_dLp8SO5E">AMP</a> → Dynamic Analysis Connections.</p> <p class="pBody"><img border="0" width="1044" height="141" id="Picture 162" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_478.png" alt="A picture containing timeline. Description automatically generated"/></p> <p class="pBody">The cloud connection to Secure Malware Analytics is preconfigured, but you’ll need to associate it with a cloud account to view details of sandbox analysis in the Malware Analytics cloud portal. </p> <p class="pStep1CMT"><b>Step 2. <span style="font:7.0pt 'Times New Roman'"> </span></b>Click the Associate button (chain icon) on the right side.</p> <p class="pBody"><img border="0" width="1043" height="144" id="Picture 163" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_479.png" alt="Graphical user interface. Description automatically generated with medium confidence"/></p> <p class="pStep1CMT"><b>Step 3. <span style="font:7.0pt 'Times New Roman'"> </span></b>Click Yes on the prompt.</p> <p class="pBody"><img border="0" width="432" height="318" id="Picture 164" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_480.png" alt="Graphical user interface, text, application, chat or text message. Description automatically generated"/></p> <p class="pStep1CMT"><b>Step 4. 
<span style="font:7.0pt "Times New Roman""> </span></b>Enter credentials for the online portal and click Log In.</p> <p class="pBody"><img border="0" width="1043" height="615" id="Picture 165" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_481.png" alt="Graphical user interfaceDescription automatically generated"/></p> <p class="pStep1CMT"><b>Step 5. <span style="font:7.0pt "Times New Roman""> </span></b>Click the green Submit button to associate (scroll to the right to see the full association ID).</p> <p class="pBody"><img border="0" width="1043" height="542" id="Picture 166" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_482.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pBody">Association may take up to 24 hours for the public cloud.</p> <p class="pBody"><img border="0" width="1043" height="470" id="Picture 167" src="/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/zt-network-cloud-dg.docx/_jcr_content/renditions/zt-network-cloud-dg_483.png" alt="Graphical user interface, text, applicationDescription automatically generated"/></p> <p class="pToC_Subhead2"><a name="_Toc128645302"></a><a name="_Toc125461753"></a><a name="_Toc123930316"></a><a name="_Toc115036732">Appendix D – References</a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><a name="_Hlk100565292"><span class="MsoHyperlink"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";color:#58595B;position:relative;top:-.5pt;text-decoration:none">●<span style="font:7.0pt "Times New Roman""> </span></span></span></a><a 
href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-arch-guide.html">Cisco Zero Trust Architecture Guide</a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span class="MsoHyperlink"><span style="font-size:7.0pt;font-family:'Arial','sans-serif';color:#58595B;position:relative;top:-.5pt;text-decoration:none">●<span style="font:7.0pt 'Times New Roman'"> </span></span></span><a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-frameworks.html">Zero Trust Frameworks Guide</a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span class="MsoHyperlink"><span style="font-size:7.0pt;font-family:'Arial','sans-serif';color:#58595B;position:relative;top:-.5pt;text-decoration:none">●<span style="font:7.0pt 'Times New Roman'"> </span></span></span><a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-user-device-dg.html">Cisco Zero Trust: User and Device Security Design Guide</a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span class="MsoHyperlink"><span style="font-size:7.0pt;font-family:'Arial','sans-serif';color:#58595B;position:relative;top:-.5pt;text-decoration:none">●<span style="font:7.0pt 'Times New Roman'"> </span></span></span><a href="https://www.cisco.com/go/safe">Cisco SAFE</a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"><span 
style="font-size:7.0pt;font-family:"Arial","sans-serif";position:relative;top:-.5pt">●<span style="font:7.0pt "Times New Roman""> </span></span><a href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/safe-ops-dg-mgmt-certs.html">Cisco SAFE Certificate Management Design Guide</a></p> <p class="pBulletCMT" style="font-style: normal; font-variant: normal; font-weight: normal;margin-bottom: 3pt; margin-right: 0pt; margin-top: 0pt; text-decoration: none; text-transform: none"> </p> <p class="pToC_Subhead2"><a name="_Toc128645303"></a><a name="_Toc125461754"></a><a name="_Toc123930317"></a><a name="_Toc115036733"></a><a name="_Toc86448807"></a><a name="_Toc86357858">Appendix E - Feedback</a></p> <p class="pBody">If you have feedback on this design guide or any of the Cisco Security design guides, please send an email to <a href="mailto:ask-security-cvd@cisco.com">ask-security-cvd@cisco.com</a><span class="MsoHyperlink">.</span></p> </div> </body> </html>