IoT Security Integration Guide
    : Set up Cisco ISE to Identify IoT Devices
    Focus
    Download PDF
    Focus
    1. Home
    2. IoT
    3. IoT Security Integration Guide
    4. Network Access Control
    5. Set up Cisco ISE to Identify IoT Devices
    Download PDF

    IoT Security Integration Guide

    Set up Cisco ISE to Identify IoT Devices

    Table of Contents

    Set up Cisco ISE to Identify IoT Devices

    Integrate IoT Security with Cisco ISE to identify IoT devices for VLAN segmentation.
    To send IoT device data to ISE, configure the following on your Cisco ISE system:
    • Enable External RESTful Services (ERS) with read/write permission
    • Create an ERS admin user account that the XSOAR engine will use to authenticate itself to ISE when sending it data
    • Create custom endpoint attributes for the IoT device data IoT Security sends
    Cisco ISE configuration instructions are based on Cisco Identity Services Engine version 2.4.
    1. Enable External RESTful Services.
      Log in to the Cisco Identity Services Engine management interface, click
      Administration
      System
      Settings
      ERS Settings
      , select
      Enable ERS for Read/Write
       in the ERS Setting for Primary Administration Node section, and then click
      Save
      .
      The setting in ERS Setting for All Other Nodes is not relevant to IoT Security integration.
    2. Create an ERS admin account.
      1. Click
        Administration
        System
        Admin Access
        Administrators
        Admin Users
         and then click
        Add
        Create an Admin User
        .
      2. Enter the following on the New Administrator page and leave the other settings as they are:
        Name
        : Enter a name for the admin user account. This is the account that the XSOAR engine will use when making an HTTPS connection to the Cisco ISE system.
        Status
        :
        Enabled
        Password
         and
        Re-Enter Password
        : Enter a password for the admin user account.
        Admin Groups
        :
        ERS Admin
         (This is a predefined admin group.)
      3. Submit
         the configuration.
    3. Create custom IoT Security attributes.
      1. Click
        Administration
        Identity Management
        Settings
        Endpoint Custom Attributes
        , enter
        PanwIoTProfile
         in the Attribute name field, choose
        String
         from the Type drop-down list, and then click
        Save
        .
        If you want to enter a different attribute name for the profile here, change the attribute name for the profile in Cortex XSOAR so they match each other. Similarly, if you customize any other attribute names in ISE, change the default names for their corresponding attributes in XSOAR. The attribute names are editable in the incremental and bulk export job settings for Cisco ISE in the Cortex XSOAR module. See Configure IoT Security and Cortex XSOAR.
      2. Add the more endpoint custom attributes, such as the following:
        PanwIoTProfile, PanwIoTIP, PanwIoTCategory, PanwIoTRiskScore, PanwIoTConfidence, PanwIoTTag, PanwIoTHostname, PanwIoTOS, PanwIoTModel, PanwIoTVendor, PanwIoTSerial, PanwIoTEPP, PanwIoTInternetAccess, PanwIoTAET
      3. Continue adding more custom endpoint attributes to ISE with names that match the attributes that IoT Security sends through Cortex XSOAR.
      4. When done,
        Save
         the configuration.

    Example: Assign VLANs by Device Type

    Segmenting, or microsegmenting, your network into VLANs by device type creates barriers that can thwart intruders from moving laterally and slow down their reconnaissance efforts, giving yourself more time to discover and respond to the intrusion. IoT Security can assist in microsegmentation by coordinating with Cisco ISE. IoT Security formulates IoT device profiles and then shares them with ISE so that it can assign devices to VLANs based on these profiles.
    1. Download a list of IoT device profiles.
      1. In the IoT Security profile, click
        Profiles
        , optionally apply filters to display the device profiles you want to use, select them all by selecting the check box in the heading column, and then click
        Download
        .
      2. Save the downloaded .csv file and open it so you can copy IoT device profile names and paste them into the Cisco ISE interface.
    2. Log in to Cisco ISE and create a condition for an exception rule.
      1. Click
        Policy
        Policy Elements
        Conditions
        Library Conditions
        , enter the following in Editor:
        Click to add an attribute
        :
        Endpoints
        PanwIoTProfile
        Operator
        :
        Equals
        Attribute value
        : Paste the IoT device profile name.
      2. Save
         the configuration.
      3. In the Save condition dialog box, select
        Save as a new Library Condition
        , paste the profile name in the Condition Name field, and then
        Save
         the condition.
        The name of a library condition can contain letters, numbers, hyphens, underscores, periods, and spaces. If the IoT device profile name has any other characters such as parentheses, either remove or replace them with characters that are supported.
      4. Repeat these steps for all the other IoT device profiles.
    3. Create authorization profiles that allow IoT devices to access the network, permit them to send and receive network traffic, and associate their device profiles with unique VLAN IDs.
      1. Click
        Policy
        Policy Elements
        Results
        Authorization
        Authorization Profiles
         and then click
        Add
        .
      2. Enter settings like those described below and leave the other settings at their default values:
        Name
        : Enter a name for the authorization profile; for example,
        Crestron Touch Screen Device
        .
        Access Type
        :
        ACCESS_ACCEPT
        DACL Name
        :
        PERMIT_ALL_TRAFFIC
        VLAN
        : (select); Tag ID: 1;
        ID/Name
        :
        2001
        , where 2001 is the ID number of the VLAN to which you want to assign all Crestron touch screen devices.
      3. Submit
         the settings.
      4. Repeat these steps to create authorization profiles that assign each IoT device profile to a unique VLAN.
    4. Create authorization policy exception rules to assign devices to VLANs based on IoT device profile data.
      1. Click
        Policy
        Policy Sets
         and then click the
        Arrow
         icon (
        >
         ) to modify your existing policy set.
      2. Expand
        Authorization Policy - Local Exceptions
        , click the
        Plus
         icon (
        +
         ) to add an exception rule, and then click the
        Plus
         icon (
        +
         ) to add a condition.
      3. Click-drag one of the conditions you created from the Library into the Editor and then click
        Use
        .
      4. In Results-Profiles, choose the authorization profile you created for this condition.
      5. Repeat these steps to add more exception rules. When devices with these IoT device profiles join the network and request access permission from Cisco ISE, ISE will automatically assign them to appropriate VLANs.
      6. When done,
        Save
         the configuration.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.