ISE Authorization Methods - Basic

ISE authorization rules processing order:
- Takes place only after successful authentication
- Match condition (identity store type, profiling, etc.)
- Assign authorization profile
- By default rules are scanned sequentially, but this can be changed to "Multiple Matched Rules applied"
- Typical use case: when you create one rule per role (e.g. AD_DACL, NETWORK_DACL, SERVERS_DACL, etc.). In this case a network engineer can get both AD_DACL and NETWORK_DACL
- Another option is to configure one DACL for network users, another DACL for server users, etc.
- It's independent of the authentication type (MAB, Dot1x or CWA)
Authorization options:
- VLAN Assignment: you can assign a Data VLAN and/or allow Voice VLAN access
- Data VLAN: it will override the locally configured VLAN on the switch port. The VLAN is provided to the NAD using the VSA Tunnel-Private-Group-ID. If no dVLAN is configured, the static switchport VLAN will be used
- Voice VLAN: it will grant IP Phones access to connect to the n…

How ISE Profiling Works?

ISE Profiling is the service used to identify the type of endpoints connected to the network.
- The ISE Profiling service should be enabled to probe for endpoint attributes
- The attributes requested depend on the type of probes enabled (for example, the DHCP probe will request dhcp-class-identifier, the HTTP probe will request user-agent, etc.)
- Attributes gathered from probes are matched against profiling policies
- A profiling policy is made of a set of rules
- Each rule matches a condition and assigns a certainty factor (CF)
- The Certainty Factor (CF) is a weight that defines how relevant this condition is in deciding the final endpoint profile
- The SUM of matched CFs should be greater than or equal to the minimum CF configured in the Profiling Policy to profile the endpoint
- In case the endpoint matches more than one profiling policy, the highest CF_SUM decides the final endpoint profile
- Once a Profiling Policy is matched, it can trigger e…

Change of Authorization

Radius Change of Authorization (CoA) Access-Request was introduced in order for ISE to issue a new authorization policy to the endpoint based on CoA triggers:
1. Endpoint authenticated
2. Initial Authorization Policy pushed to the switch (endpoint not yet profiled)
3. Profiling data received and endpoint profile selected
4. ISE triggers CoA for the endpoint to reauthenticate (this is subject to the configured CoA Type)
5. Final Authorization Policy pushed to the switch based on the endpoint profile (during the reauthentication process)
The following scenarios trigger CoA:
- Endpoint profiled for the 1st time
- Endpoint statically assigned to a device identity group
- Endpoint removed from the ISE database
- Endpoint dynamically changes identity group membership
- Manual CoA from Context Visibility > Endpoints > Change Authorization

Enable ISE SSH Access

If you missed enabling SSH access during the initial setup of ISE, you can enable it from the console by entering the command:
service sshd enable

How to find Unassigned Media Resource (No MRG)

To look at media resources and the allocated MRGs, use this SQL query:
run sql select as mrg, as resource from mediaresourcegroup mrg inner join mediaresourcegroupmember mgm on mgm.fkmediaresourcegroup=mrg.pkid inner join device d on mgm.fkdevice=d.pkid
To filter for a specific site:
run sql select as mrg, as resource from mediaresourcegroup mrg inner join mediaresourcegroupmember mgm on mgm.fkmediaresourcegroup=mrg.pkid inner join device d on mgm.fkdevice=d.pkid where like '%AD1%' or like '%A01%'

Use this CLI command to find media resources in the default MRG (not assigned to any created MRG).

admin:run sql select as resource from device as d full outer join mediaresourcegroupmember as mgm on mgm.fkdevice=d.pkid where and mgm.pkid is NULL
resource
===========
AD1MTP-G711
AD1XCODER
To look for a specific device type such as MTP:
admin:run sql select as resource from device as d full outer join mediaresourcegroupmember a…

Bandwidth and Storage Requirements for Voice and Screen Recording in a Contact Center

We have recently been asked by a contact center to calculate the local network bandwidth and the HDD storage needed for implementing the PhoneUP Voice and Screen Recording solution for 300 agent seats.
Imagine 300 simultaneous audio/video streams recorded 18 hours a day (the agent utilization rate is 75%) 7 days a week and then stored for 1 year. Let’s neglect the voice part as the major load on both the LAN and the HDD storage is produced by the video (screen) recording.
Well... the most used screen resolution is 1366x768 (per w3schools), which roughly corresponds to the 720p movie format. And as we all know, the file size per hour of a 720p movie is about 2Gb. With this in mind, thinking about 300 video streams recorded 18x7 could make your hair stand on end. But it's not that bad.
Let's examine the parameters which influence the size of a screen recording video and how they can be optimized in the case of agent screen recording.
1. The codec. PhoneUP uses H.264 and here's the first major sa…

AnyConnect VPN DTLS vs TLS

DTLS is used for delay-sensitive applications (voice and video) as it is UDP based, while TLS is TCP based. DTLS is supported for AnyConnect VPN, not in IKEv2.
How does it work?
- The SSL-Tunnel is the TCP tunnel that is first created to the ASA
- When it is fully established, the client will then try to negotiate a UDP DTLS-Tunnel
- During DTLS negotiation, traffic will be passing over the TLS tunnel
- When the DTLS-Tunnel is fully established, all data now moves to the DTLS-tunnel and the SSL-tunnel is only used for occasional control channel traffic
- In case of failure in establishing the DTLS Tunnel, traffic will continue passing over the TLS tunnel
- After DTLS is established, in the event of a failure in the DTLS Tunnel, traffic will pass over the TLS tunnel until the DTLS tunnel is reestablished
How is data forwarded?
For each packet there is a part of the AnyConnect client code which decides whether to send the packet over TLS or DTLS. If the DTLS tunnel is established, …