Building an Enterprise
Access Control
Architecture Using ISE
and TrustSec
•
This session will focus on ISE use cases including
Visibility, Guest Access, 802.1X & MAB, Compliance
(Posture & MDM Integration), BYOD, Device
Administration, and TrustSec. The session will also cover
integration with 3rd party NAD, pxGrid, SXP, and other
newly introduced features in ISE 2.0. The session will
start with basic use cases using 802.1X/MAB and
progress into advanced use case whereby providing
overview of ISE & TrustSec.
•
ISE Primer
•Visibility
•Guest Access
•Secure
Access
•BYOD
Agenda
•Compliance
•TrustSec
•Device Administration
•Additional Features
•
3
rdParty NAD Support
• Gain visibility into who and what is on your network • Grant access on a “need to
know” basis
• Get better forensics and prepare for the next attack by sharing information with ecosystem partners
Context Enhances Protection Across the Attack Continuum
BEFORE
• Provide threat context to behavioral analysis
• Contain through network elements and security ecosystem
DURING AFTER
ISE
Network Resources
Role-Based Access
Introducing Cisco Identity Services Engine
A centralised security solution that automates context-aware access tonetwork resources and shares contextual data
Network Door Identity Profiling and Posture Who What When Where How Compliant Context
Traditional Cisco TrustSec®
Role-Based Policy Access
Physical or VM Guest Access BYOD Access Secure Access ISE pxGrid Controller
The Different Ways Customers Use ISE
Guest Access Management
Easily provide visitors secure guest Internet access
BYOD and Enterprise Mobility
Seamlessly classify & securely onboard devices with the right levels of access
Secure Access across the Entire Network
Streamline enterprise network access policy over wired, wireless, & VPN
Software-Defined Segmentation with Cisco TrustSec®
Simplify Network Segmentation and Enforcement to Contain Network Threats
Visibility & Context Sharing with pxGrid
Share endpoint and user context to Cisco and 3rd party system
Network Device Administration
ISE Nodes and Personas
ISE ISE
Policy Service Monitoring
Admin Inline Posture
Persona—one or more of: • Administration • Monitoring • Policy service • pxGrid
Single ISE node (appliance or VM)
Single inline posture node (appliance only)
What is the ISE 2.0 feature to replace
Extensive Context Awareness
Make Fully Informed Decisions with Rich
Contextual Awareness
Poor Context Awareness
Context: Bob IP address 192.168.1.51 Who Tablet Unknown What
Building 200, first floor Unknown
Where
11:00 a.m. EST on April 10 Unknown
When
Wireless Unknown
How
The right user, on the right device, from the right place is granted the right access
Any user, any device, anywhere gets on the network
Enabling Visibility Inside Your Network
192.168.19.3 10.85.232.4 10.4.51.5 192.168.132.99 10.43.223.221 10.200.21.110 10.51.51.0/24 10.51.52.0/24 10.51.53.0/24 InternetCryptic network addresses that may change constantly
Difficult to manage policy without any context
Many Different Visibility Variables
Trust Gradient •Authentication •Certificate •Managed/Unmanaged •Compliance/Posture Threat/Risk •Threat score •Fidelity Reach•What services can be accessed
•What other entities can be impacted
Behaviour
•Historical versus active. Now or before •Was I doing the
expected or unexpected Users •Role •Permissions/rights •Importance Devices •Ownership – managed or unmanaged •Type of device •Function •Applications Connectivity •Medium (Wired/Wireless/VPN) •NAD/NAD Details •State (active session)
Location •Physical •Logical Time •Time of Day •Day of week •Connection duration
Cisco Confidential 15 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Visibility Technologies
ISE Description
Technology and Use Cases
Profiling Technology Device Identification by Cisco ISE
SIEM -- Threat Detection with a Netflow Analyser
SIEM and threat detection analyses network traffic and tells ISE to take action
NaaS/ NaaE Network as a Sensor Network as an Enforcer
Rapid Threat Containment
Firepower and Identity Services Engine
ISE can take action on Threats detected by Source Fire
The Architecture PxGrid - SACM
(Security Automation and Continuous Monitoring)
Cisco pxGrid provides a unified framework that enables ecosystem partners to integrate.
Recap - Profiling Technology
How Do We Classify a Device?
• Profiling uses signatures (similar to IPS)
• Probes are used to collect endpoint data
RADIUS DHCP DNS HTTP SNMP Query NetFlow DHCPSPAN SNMP Trap NMAP DEVICE PROFILING FEED SERVICE
Better with Cisco Router and Switches
Device Sensor
• The Network IS the Collector!
• Automatic discovery for most common devices (printers, phones, Cisco devices)
• Collects the data at point closest to endpoint
• Topology independent
• Profiling based on:
• CDP/LLDP
• DHCP
• HTTP (WLC only)
• mDNS, H323,
MSI-Proxy (4k only)
Device Sensor Distributed Probes
ISE
Device Sensor Support 3k/4k/WLC
CDP/LLDP/DHCP DHCP HTTP
CDP/LLDP/DHCP/CDP/LLDP/DHCP
http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/compatibility/ise_sdt.html
IPv6 Device Sensor
IPv6 Device Sensor is supported
DHCP SENSOR
RADIUS HTTP SENSOR
•
RADIUS
i.e. Framed-IPv6-Address accounting
• HTTP sensor – e.g. REMOTE_HOST, REMOTE_ADDR
Quiz : Which probe is hacker-proof?
SIEM - Threat Detection with a Netflow Analyser
NetFlow Analyser
Cisco® ISE provides context:
Identity, device type, posture, authorisation level, and location
SIEM and threat detection analyses network traffic and tells ISE to take action,
Correlate Identity & Device To Security Events
“This breach event is 10.1.10.55
“…and it is connected to router 10.100.1.4
“…and the endpoint is 10.100.14.2
Take Network Mitigation Action
“This breach event is associated with
Allan
“…and it is from Allan’s Microsoft Workstation
connected to router
“…and Allan is connected to HR Server (and
shouldn’t be)
I need session information to correlate to users
See How Endpoints Act On The Network With Better
Visibility
Network as a Sensor
• Cisco ISE
• Cisco Networking Portfolio • Cisco NetFlow
• Lancope StealthWatch
ADMIN ZONE ENTERPRISE ZONE POS ZONE VENDOR ZONE
And Make Visibility Actionable Through Segmentation
And Automation
Network as an Enforcer
• Cisco ISE
• Cisco Networking Portfolio • Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
EMPLOYEE ZONE
DEV ZONE
Rapid Threat Containment with Firepower
Management Centre and ISE
FW Policy Server ISE 1.3+ Contractor Portal Corp Network
Source Destination Action
IP SGT IP SGT Service Action
Any SGT_Contractor_Clients Any Contractor_Portal HTTPS Allow
Any SGT_Infected Any Internet Any Deny
Event: Suspicious Source IP: 10.10.10.10/32 Response: Quarantine OS Type:Windows 8 User: Brad AD Group: Contractor
Asset Registration: Yes
MAC Address: 00:0C:29:45:6E:12
Policy Mapping SGT: SGT_Infected
pxGrid: ANC Quarantine: 10.10.10.10
FMC 5.4 Set SGT to Suspicious Contractor Compromised Endpoint 10.10.10.10
Fully Supported on FMC 5.4 and ISE 1.3+
Uses pxGrid + Endpoint Protection Services (EPS)
Note: ANC is Next Gen version of the older EPS
Just in case you didn’t have enough acronyms in your soup
EPS functions are still there for Backward Compatibility
Loads as a Remediation Module on FMC
Remediation Module Takes Action via the EPS call through pxGrid
Rapid Threat Containment with Firepower
Management Centre and ISE
For Your Reference For Your Reference
Context is the Currency of the Solution Integration Realm
…But It’s Not Easy To ExecuteI have NBAR info!
I need identity…
I have firewall logs!
I need identity…
I have sec events!
I need reputation…
I have NetFlow!
I need entitlement…
I have MDM info!
I need location…
I have app inventory info!
I need posture…
I have identity & device-type!
I need app inventory & vulnerability…
I have threat data!
I need reputation… I have location! I need identity… But Integration Burden is on IT Departments We Need to Share Context & Take Network Actions
I have reputation info!
I need threat data…
I have application info!
I need location & auth-group…
Enable Unified Threat Response By Sharing Contextual Data
Cisco Platform Exchange Grid (pxGrid)
Cisco and Partner Ecosystem When Where Who How What 3 2 1 ISE 4 5 Cisco Network pxGrid controller
ISE collects contextual data from network 1
Contextual data is shared via pxGrid technology
2
Partners use ISE data to quickly identify and classify threats 3 Partners take remediation actions through ISE 4
ISE fine tunes access policies with security event data
5
Vulnerability Assessment Packet Capture & Forensics SIEM & Threat Defense
IAM & SSO
pxGrid
SECURITY THRU INTEGRATION
pxGrid – Industry Adoption Critical Mass
June ’15: 18 Partner Platforms and 9 Technology Areas
Nov ’15: 25 Partners anticipated with Firewall integration
Net/App Performance
IoT Secutity
Access Control Web Access
Cloud Access Security
?
e.g. Ping Identity, NetiIQ, SecureAuth
e.g. Emulex
e.g. SkyHigh, Elastica e.g. Splunk
e.g.
LancopeLogrhythm, NetIQ, FortScale
e.g. Cisco ISE e.g. Cisco WSA
e.g. Cisco FireSIGHT Management Centre
e.g. Tenable, Rabid 7
pxGrid-Enabled Partners:
• Cloud: Elastica, SkyHigh Networks
• Net/App: LiveAction, Savvius
• SIEM/TD: Splunk, Lancope, NetIQ,
LogRhythm, FortScale, Rapid7 • IAM: Ping, NetIQ, SecureAuth • Vulnerability: Rapid7, Tenable
• IoT Security: Bayshore Networks
• P-Cap/Forensics: Emulex
• Cisco: WSA, Sourcefire FireSIGHT
Other ISE Partners:
• SIEM/TD: ArcSight, IBM QRadar,
Tibco LogLogic, Symantec
• MDM/EMM: Cisco Meraki, MobileIron,
AirWatch, Symantec, Citrix, IBM, Good, SAP, Tangoe, JAMF, Globo, Absolute & more …..
Improve Guest Experiences Without
Compromising Security
Guest Guest Guest Sponsor Internet Internet Internet and Network Immediate, Uncredentialed Internet Access with Hotspot Simple Self-RegistrationRole-Based Access with Employee Sponsorship
ISE Built-in Portal Customisation?
Create Accounts Print Email SMS Mobile and Desktop Portals Notifications Approved! credentials username: trex42 password: littlearmsWhich Portals Are Customisable
All Except The Admin Portal
1. Guest2. Sponsor
3. BYOD (Device Registration) 4. My Devices
5. Client Provisioning (Desktop Posture) 6. MDM (Mobile Device Management) 7. Blacklist
• 17 languages • All portal support
(hotspot, self
Access your portals to manage and share
Choose from Pre-Built Portal Layouts
Supports all languages (plus RTL – Arabic & Hebrew) Supports all portal types
ISE Express offers the
same
dynamic Guest
features of the
market-leading Cisco ISE
in an
entry-level bundle
at an aggressive
70-80% discount
over the
competition.
Features / Capabilities?
Platform Included w/Licensing?
List Price?
Cisco ISE Base vs. Cisco ISE Express
Same
YES – Bundle includes 1
ISE VM + 150 Licenses
$2,500 US
Cisco ISE Express
Guest Access; RADIUS/AAA
NO – Purchase HW or VM
and licensing
$6,990 US
(ISE VM:$5,990 + Base: $1,000, for 200 licenses)
Where Can I Get ISE Express
Download
http://cisco.com/go/iseexpress
Install guide
http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html
Guest and Web Authentication
ISE Express Installation Guide for ISE 1.4 for Wireless Guest
Access (PDF - 3 MB)
For Your Reference For Your Reference
What’s New
ISE Express Installation Wizard
Free, downloadable application
Simplifies ISE and wireless controller installation
Provisions Hotspot, Self-Registered or Sponsor services
Modifies guest portals with logo and colours
Go to ISE Cisco Software Download
Demo
ISE Express Wizard
• Can be used on Any flavor of ISE running 1.4p3 and above
• Windows & MacOSX
• May work on existing setup but only supported on newly setup environment
• Prerequisite:
• IP Connectivity to ISE and WLC from the PC
• DHCP and user interfaces are preconfigured
• DNS for ISE and FQDN alias is already created
During the Wizard operation, the WLC was rebooted. What command required
Secure Access Use Cases
Good
• Mac Authentication
Bypass (MAB)
• Whitelist
• Central Web
Authentication
(CWA)
• No supplicant
Better
• Roll out 802.1x in
Phases (Monitor
Mode)
Best
• 802.1x (Low
Impact, Closed
Mode)
• Certificates
• EAP etc..
• Supplicant on
endpoint
• Switch
configuration
ISE is a Standards-Based AAA Server
Access Control System Must Support All Connection Methods
ISE Policy Server
VPN
Cisco Prime
Wired
Wireless
VPN
Supports Cisco and 3rd-Party solutions via
standard RADIUS, 802.1X, EAP, and VPN Protocols .. more to come …
RADIUS
802.1X = EAPoLAN
802.1X = EAPoLAN
Building the Architecture in Phases
47
Access-Prevention Technology
– A Monitor Mode is necessary
– Must have ways to implement and see who will succeed and who will fail
Determine why, and then remediate before taking 802.1X into a stronger enforcement mode.
Solution = Phased Approach to Deployment:
Monitor Mode
Low Impact Mode
Closed Mode
What part of the network does phased
Monitor Mode
A Process, Not Just a Command
48
SWITCHPORT
KRB5 HTTP
TFTP
DHCP
EAPoL Permit All
SWITCHPORT
KRB5 HTTP
TFTP
DHCP
EAPoL Permit All
Traffic always allowed
Pre-AuthC Post-AuthC
interface GigabitEthernet1/0/1 authentication host-mode multi-auth authentication open
authentication port-control auto mab
dot1x pae authenticator
Interface Config • Enables 802.1X authentication on the switch,
but even failed authentication will gain access • Allows network admins to see who would have
failed, and fix it, before causing a Denial of
Service
AuthC = Authentication AuthZ = Authorisation
Low-Impact Mode
If Authentication Is Valid, Then Specific Access!
49 SWITCHPORT KRB5 HTTP TFTP DHCP EAPoL SWITCHPORT KRB5 HTTP RDP DHCP EAPoL Role-Based ACL Permit Some Pre-AuthC Post-AuthC SGT
• Limited access prior to authentication • AuthC success = Role-specific access
• dVLAN Assignment/ dACLs
• Secure Group Access
• Still allows for pre-AuthC access for Thin Clients, WoL & PXE boot devices, etc…
interface GigabitEthernet1/0/1 authentication host-mode multi-auth
authentication open
authentication port-control auto mab
dot1x pae authenticator
ip access-group default-ACL in Interface Config Can dACL enforce L3 traffic on switches without L3 interface? What is the switch feature that finds IP address on a L2 switch?
Closed Mode
No Access Prior to Login, Then Specific Access!
50
• Default 802.1X behaviour
• No access at all prior to AuthC
• Still use all AuthZ enforcement types • dACL, dVLAN, SGA
• Must take considerations for Thin Clients, WoL, PXE devices, etc…
interface GigabitEthernet1/0/1 authentication host-mode multi-auth
authentication port-control auto mab
dot1x pae authenticator Interface Config SWITCHPORT DHCP TFTP KRB5 HTTP EAPoL SWITCHPORT KRB5 HTTP EAPoL DHCP TFTP Pre-AuthC Post-AuthC Permit
EAP Permit All
Role-Based ACL
- or -
ISE Deployment for Wired Networks
Phased Deployment
51
Monitor Mode
Low-Impact Mode
Closed Mode
What could beISE Deployment for Wired Networks
Phased Deployment
52
Monitor Mode
Low-Impact Mode
Closed Mode
- dVLAN will be used for Authorization
- Fail-Open in legacy
environment is required
- Want phased deployment; Monitor -> Low-Impact mode - WoL and/or PXE Boot will
be used
What is the issue with
Fail-Open in Low-Impact Mode?
Monitor mode process
Address risks before enforcement
Monitor
ISE Logs
Address
supplicant
issues
Add new
profiles
Update
MAB list
Advance to Low-Impact
Authentication
should have high
% of success rate
ISE Deployment Assistant
Go to ISE Cisco Software Download on CCO
Internal Employee Intranet
www
Enable Faster and Easier Device Onboarding
Without Any IT Support
Confidential HR Records
?
Device Profiling
Employee
Simplified Device Management from Self-Service Portal
Automated Authentication and Access to Business Assets Rapid Device Identification with
Out-of-the-Box Profiles
Supports 1M Registered Endpoints and 250K ACTIVE, Concurrent Endpoints
Streamlining BYOD and Enterprise Mobility
Reducing the Complexity of Managing BYOD and Device Onboarding
Integrated Native Certificate Authority for Devices
Customisable Branded Experiences
Easy User Onboarding with Self-Service Device Portals
Improved Device Recognition Desktop
& Mobile Ready!
Single Versus Dual SSID Provisioning
• Single SSID
• Start with 802.1X on one SSID using PEAP
• End on same SSID with 802.1X using EAP-TLS
• Dual SSID
• Start with CWA on one SSID
• End on different SSID with 802.1X using PEAP or EAP-TLS
SSID = BYOD-Open (MAB / CWA) SSID = BYOD-Closed (802.1X) WLAN Profile SSID = BYOD-Closed PEAP or EAP-TLS (Certificate=MyCert) SSID = BYOD-Closed (802.1X) WLAN Profile SSID = BYOD-Closed EAP-TLS Certificate=MyCert Which flow provides better user experience?
Onboarding Personal Devices
Registration, Certificate and Supplicant Provisioning
Device Onboarding Certificate Provisioning Supplicant Provisioning Self-Service Model iOS Android Windows MAC OS MyDevices Portal
Provisions device Certificates.
‒ Based on Employee-ID & Device-ID.
Provisions Native Supplicants:
‒ Windows: XP, Vista, 7, 8, 8.1, 10
‒ Mac: OS X 10.6, 10.7, 10.8, 10.9, 10.10. 10.11
‒ iOS: 4, 5, 6, 7, 8, 9
‒ Android – 2.2 and above
‒ 802.1X + EAP-TLS, PEAP & EAP-FAST
Employee Self-Service Portal
‒ Lost Devices are Blacklisted
What Makes a BYOD Policy?
Sample Complete BYOD Policy
Internet Only
Employee Guest
Access-Reject
i-Device Registered?
Access-Accept MAC address lookup to AD/LDAP
Profiling Posture
Machine certificates
Non-exportable user certificate Machine auth with PEAP-MSCHAPv2’ EAP chaining Y N N Y Y N
Works Comments Before Expiry iOS Android Windows MAC-OSX After Expiry iOS Android
Windows Supplicant will not use an expired cert
MAC-OSX Not tested yet
Certificate Renewals
Redirect Expired Certs
Everything Else Windows
ISE CA: Dual Root Phenomenon
PSN PSN PSN P-PAN PAN S-PAN Subordinate CA SCEP RA Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Promoted • The 4th PSN added to Cube while S-PAN temporarily the root.• Now is a different chain of trust! Different Chain of Trust
ISE CA: Dual Root Phenomenon
PSN PSN PSN P-PAN PAN S-PAN PSN Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Promoted• Export Root CA & Import into S-PAN
• The 4th PSN added to Cube while S-PAN temporarily the root.
• S-PAN has same Chain of Trust
atw-lab-ise/admin# application configure ise Selection ISE configuration option
<Snip>
[7]Export Internal CA Store [8]Import Internal CA Store </Snip>
[12]Exit
Single Chain of Trust
•
A new certificate type called
NODE_CA has been introduced
- ROOT_CA – The Root CA for the entire
ISE PKI Hierarchy
- NODE_CA – Responsible for issuing the
subordinate EP_CA certificate and the OCSP certificate
- EP_CA – Responsible for issuing the
Endpoints their identity and device certificates
- OCSP – Responsible for signing the
OCSP responses
- EP_RA – Registration Authority for SCEP
to external CA’s
CA Hierarchy in 2.0
• Multi Node Deployment with 2 PANs and a Single PSN
• The NODE_CA on the Primary and Secondary PAN are signed by the ROOT_CA on the Primary PAN
• The NODE_CA on the Primary PAN is also responsible for signing the EP_CA and OCSP certificate for the PSNs
CA Hierarchy in 2.0
P-PAN
S-PAN
PSN1 PSN2 PSN3
Revoke Certificates from ISE
Automatically Revoked when an Endpoint is marked as “Stolen”
Certificates may be Manually Revoked
ISE is OCSP Responder for cert validation – no CRL Lists !
What is the difference between device LOST &
STOLEN from the ISE perspective?
In ISE 1.4, added the Certificate provisioning API.
Now, in 2.0 – we have a customisable portal.
Customise it to look like the guest portals
Configure which templates may be used like you would sponsor groups to a
portal page..
What Is the Cisco ISE Posture Service?
ISE Node
PSN MnT PAN
Posture Service
in ISE allows you to check the state
(posture) for ALL the endpoints that are connecting to your
ISE-enabled network.
The
Posture Agents
, which are installed on the clients,
interact with the Posture Service to enforce security
policies on all the endpoints that attempt to gain access to
your protected network.
Posture Agents enforce security policies on noncompliant endpoints by blocking network access to your protected network.
Posture Assessment
Does the Device Meet Security Requirements?
•
Posture
= The state-of-compliance with the company’s security policy.
•
Extends the user / system Identity to include Posture Status.
Posture
Microsoft Updates
Antivirus/
Antispyware
Misc
Service Packs Hotfixes OS/Browser versionsInstallation/Signatures File data
Services
Applications / Processes Registry Keys
Patch Management
Disk Encryption
What is the main difference between Profiling
Posture Enhancements
Mac OSx Support Added for Custom Checks: File / Service / Application / Disk Encryption
• File, Service (daemon, User Agent), and
Application (process) checks
• File condition, file path can have home or root follow with path.
• SHA 256 Check
• Property List (plist) Check
Posture Enhancements -
OSx Daemon Check
• A daemon is a program that runs in
the background as part of the overall system (not tied to user)
• A user agent is a process that runs in the background on behalf of a
particular user.
• ISE 2.0 supports feature to check user
Disk Encryption
• Based on Opswat OESIS library, which is the same library we use for antivirus, antispyware and patch management applications.
• Administrator would be able to Import the new disk encryption support chart from the update server
• Checks can be based on
• Installation of specified disk encryption application.
ISE Posture – Disk Encryption State
Posture for all Devices
Desktop Posture vs Mobile Posture
Focused on Mobile Devices Posture ONLY Requires devices to comply with MDM policy PINLock, JailBroken, APP check and More …
ISE + MDM
Together
Mobile Posture
SOLUTION
Desktop Compliance checks for Windows and OSx Variety of Checks ranging from OS, Hotfix, AV / AS, Patch Management and More…
ISE can enforce
Network Access based on Compliance
Desktop Posture
ISE can enforce
Multiple MDM Support
New MDM dictionary attributes UDID MEID MDM Server Name
MDM Dictionary Attributes
MDM Authorisation Profiles
Redirection authorisation profile example for
MobileIron and Meraki
MDM Server Selection added to Authorisation Profile
Sample Authorisation Policy
Combining BYOD + MDM
85
If Employee but not registered with ISE, (Endpoints: BYODRegistration EQUALS No), then start NSP flow
If Employee and registered with ISE (Endpoints: BYODRegistration EQUALS Yes), then start MDM flow
MDM Flow
86
ISE Policy Server
VPN
If MDM Registration Status EQUALS UnRegistered, then Redirect to MDM for Enrollment
If MDM Compliance Status EQUALS NonCompliant, then Redirect to MDM for Compliance
Authentication
MDM Compliance Status != Compliant Redirect to ISE landing page for MDM
enrollment or compliance status
https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=mdm
MDM API
Connect to WLAN=Corp
Redirect browser to ISE
Cloud MDM Google
MDM Remediation
87
ISE Policy Server
VPN
CoA allows re-authentication to
be processed based on new endpoint identity context (MDM enrollment/compliance status).
ReAuth
MDM Status = Compliant
Remove Redirection and apply access permissions for compliant endpoints
CoA
MDM Agents downloaded directly from MDM
Server or Internet App Stores
Periodic recheck via API; CoA if not compliant
ASA
MDM API
Cloud MDM
ReAuth after Comply
Policy and Segmentation
Voice Data Suppliers Guest
Quarantine
Access Layer Aggregation Layer
VLAN Addressing DHCP Scope Redundancy Routing Static Filtering
Simple Segmentation with 2 VLANsMore Policies using more VLANs
Design needs to be replicated to multiple locations, buildings, floors
• Simplicity: consistent policy enforcement on all networks • Agility: reduce attack surface,
keep pace with business • Ready: secure, comply today
Software-Defined Segmentation with Cisco
TrustSec/ SGT
Campus & DC
Segmentation
User to DC
Access Control
How TrustSec/ SGT is used today
Server Segmentation Application Protection Secure Contractor Access BYOD Security Machine-Machine Control Threat Defence Fast Server Provisioning Firewall Rule Reduction
PCI & PHI Compliance Network & Role
Segmentation with Security Group
Data Centre Firewall
Voice Data Suppliers Guest Quarantine
Retaining initial VLAN/Subnet Design Regardless of topology or location,
policy (Security Group Tag) stays with users, devices, and servers
Access Layer Data Tag Supplier Tag Guest Tag Quarantine Tag Aggregation Layer DC-RTP (VDI) Production Servers DC-MTV (SRV1) DC-MTV (SAP1) DC-RTP (SCM2) Destination
Enforcing Policy Downstream
Context Telemetry: • Manager • Windows PC • Compliant Cisco ISE Timecard application server Credit Card transaction server Firewall EnforcementClassify Mark, Propagate, Enforce
• IP Precedence and DiffServ code points • 802.1Q User Priority • MPLS VPN • TrustSec Classify & Mark Enforce Propagation
Dynamic Classification
Static Classification
• IP Address • VLANs • Subnets • L2 Interface • L3 Interface• Virtual Port Profile • Layer 2 Port Lookup
Pre-fix learning
Common Classification for Mobile Devices
Common Classification for Servers, Topology-based policy, etc.
802.1X/ RAS VPN Authentication
MAC Auth Bypass
Web Authentication
SGT
Classification Summary
SGT Assignment
SGT to Port Profile
Nexus 1000v version 2.1
Dynamic Classification Process in Detail
Layer 2
Supplicant
Switch / WLC
ISE
Layer 3
EAP Transaction
Authorisation
DHCP
EAPoL Transaction RADIUS Transaction
SGT Authenticated Authorised
0
EvaluationPolicy DHCP Lease: 10.1.10.100/24ARP Probe IP Device
Tracking Authorised MAC: 00:00:00:AB:CD:EF SGT = 5 Binding: 00:00:00:AB:CD:EF = 10.1.10.100/24 1 2 3 SRC: 10.1.10.1= SGT 5 00:00:00:AB:CD:EF cisco-av-pair=cts:security-group-tag=0005-01
Make sure that IP
Device Tracking
is TURNED ON
3560X#show cts role-based sgt-map all details Active IP-SGT Bindings Information
IP Address Security Group Source
============================================= 10.1.10.1 3:SGA_Device INTERNAL 10.1.10.100 5:Employee LOCAL
DC Access WLC FW Inline SGT Tagging CMD Field ASIC ASIC Optionally Encrypted SXP SRC: 10.1.100.98 IP Address SGT SRC 10.1.100.98 50 Local Hypervisor SW
SXP IP-SGT Binding Table
ASIC
L2 Ethernet Frame SRC: 10.1.100.98 (No CMD)
Inline Tagging (data plane):
If Device supports SGT in its ASIC
SXP (control plane): Shared between devices that do not have SGT-capable hardware
IP Address SGT 10.1.100.98 50
Campus Access Distribution Core DC Core EOR
SXP
Enterprise Backbone
How is the SGT Classification Shared?
Propagation
Traditional TrustSec Tag Assignment & SXP
Propagation
Access Switch Router DC FW DC Switch HR ServersEnforcement Fin Servers
ISE Directory
Classification
User / Endpoint
ISE as SXP Speaker
Access Switch Router DC FW DC Switch HR Servers Fin Servers ISE Directory Classification User / Endpoint SXP Tag IP Addr 5 10.10.10.10 5 Fin Servers 10 HR Servers Propagation Enforcement SXP PropagationDoes Access Switch need to understand TrustSec?
Cat3750X Cat6500 Nexus 2248
WLC5508 ASA5585 Enterprise
Backbone
Nexus 2248 Cat6500 Nexus 7000 Nexus 5500
End user authenticated
Classified as Employee (5) FIB Lookup
Destination MAC/Port SGT 20 DST: 10.1.100.52 SGT: 20 ISE SRC: 10.1.10.220 5 SRC:10.1.10.220 DST: 10.1.100.52 SGT: 5 DST: 10.1.200.100 SGT: 30 Web_Dir CRM SRC\DST Web_Dir (20) CRM (30) Employee (5) SGACL-A SGACL-B
BYOD (7) Deny Deny
Destination Classification
Web_Dir: SGT 20 CRM: SGT 30
How is Policy Enforced with SGACL
SGACL Policy on ISE for Switches
2 1
Security Group Based Access Control for Firewalls
Security Group Firewall (SGFW)
115
Source Tags Destination Tags
SXP Capability in ISE 2.0
Routers ISE DC Firewall Application Servers Wireless (ANY) Switch (ANY) DC Switch Application Servers MSFT Active Directory 802.1X Network 8 SGT 7 SGT• Propagate SGTs from ISE directly to Enforcement devices (SXP Speaker) • Access layer device does not need SGT understanding for this User-DC
use-case
• ISE can learn about DC/network SGTs as an SXP Listener
SXP 10SGT
For Your Reference For Your Reference
Anatomy of a Typical Device Administration
Session with TACACS+
• TACACS+ Separates
Authentication, Authorisation and Accounting
• Flexible and extensible
• TCP for more reliable accounting
• Built-in Goodies such as User Change Password
Refresh on a Typical TACACS+ Session
• Two Main Authorisation
stages
• SESSION:
What can user do during this session?
• COMMAND:
Can the user perform this command?
Which TCP port does T+ listen on as default?
TACACS+ Authorisation: Protocol Level
• Authorisation is a single request/response: Header + Attributes
• Result is FAIL, PASS_ADD, PASS_REPLACE
• Fail: Request is not Permitted
• PASS_ADD: The permissions asked for are valid, but the operation must also apply these extra attributes (Response Profile)
• PASS_REPLACE: The request is permitted, but with this alternative attribute profile
Device ISE Type Author user admin rem_add r office Result PASS_AD D priv-lvl 15
Introducing
The ISE Device Administration Work Centre
• Starting point for all TACACS+ Activities in ISE • One exception in ISE 2.0
• Policy Service Node for Protocol Processing
• Session Services (e.g. Network Access/RADIUS) On by default
• Device Admin Service (e.g. TACACS+)
MUST BE ENABLED
FOR DEVICE ADMINISTRATION!!
142
ISE Deployment Node
Supported Migration paths using Migration Tools
Path Segments Tools
ACS 4.x to ISE ACS 4.x -> ACS 5.6 ACS 4 Migration Tool
ACS 5.6 -> ISE ACS 5 Migration Tool
ACS 5.0 – ACS 5.4 to ISE ACS 5.x -> ACS 5.6 ACS 4 Migration Tool
ACS 5.6 -> ISE ACS 5 Migration Tool
ACS 5.5 - ACS 5.6 to ISE ACS 5.5 - ACS 5.6 to ISE ACS 5 Migration Tool
Device Administration ACS 5 to ISE Feature Map
ISE Element ACS 5 Element Caveats
Internal Users/Groups Internal Users/Groups
Network Devices/NDG Network Devices/NDG
-Default Network Device Default Network Device ISE must have RADIUS enabled.
Shell Profiles TACACS Profiles Name Conflicts (shared namespace in ISE)
Command Sets TACACS Command Sets Name Conflicts (shared namespace in ISE)
External Proxy Servers TACACS Proxy Servers
-Proxy Service TACACS Proxy Sequence+
Device Admin Policy Set
-Device Admin Service Device Admin Policy Set Policy Model differences, Group map Policy
ACS 4.x vs. ACS 5.x vs. ISE 2.0
Migration Best Practices
• Follow recommendations from Migration tool Reports
• Rename ACS objects using ISE legal chars
• Move Group Map Policy to Authorisation
• Consider ACS 5 to ISE migration as opportunity to review and refresh Policy
• Especially if Migrating from ACS 4
147
• ISE currently supports 30k NAD vs. ACS which supports 100k!
• TACACS+ over IPv6 is not supported on ISE 2.0
• For complete list of comparison go to:
3
rdParty Device (NAD) Support
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD (on top of the already-working 802.1x) with Network
Access Devices (NADs) manufactured by non-Cisco third party
The Recipe – Key Ingredients
Session ID
URL Redirect
Cisco Session ID & Redirect
NAD: “show authentication session”
ISE: Detailed Authentication Report
https://ise14.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&portal=&action=cwa
Browser: URL-redirect for Web Auth
C0A8013C00000618B3C1CAFB
My 3rd Party NAD does not have a Session ID ??
ISE 2.0 can Generate a “Synthesised” Cisco Session ID
C0A8013C00000618B3C1CAFB
Step 4: Apply Base64 encoding to the session ID
Step 1:
Concatenate RADIUS attributes: Resulting value is a 24-byte ASCII string Calling-Station-ID (31), NAS-Port (5), NAS-IP-Address (4)
Step 2: Encryption key using a SHA256:
Hash of RADIUS KeyWrap key/Shared secret + NAD Profile ID
Step 3: Calculate the encrypted session ID:
HMAC-SHA256 of string in step 1 and key from step 2
Step 5:
Prepend the value with ISE node IP address in hexadecimal ASCII format.
• Type: None / Static / Dynamic
• None– NAD does not have usable redirection
method
• Static – NAD requires ISE generated URL to be
applied to local device config
• Dynamic – NAD can receive redirect via RADIUS
authorisation
URL Parameter Names • Defines the format of
vendor redirect
• Allows ISE to parse needed information from redirected requests
URL Redirection
What is Change of Authorisation (CoA)
The EndPoint needs a new Policy ( ISE 2.0 = RFC 3576 & RFC 5176)
Example Cisco CoA operations
Terminate session
Terminate session with port bounce
Re-authenticate session
Disable host port
Session Query
– For Active Services – For Complete Identity – Service Specific
Service Activate
Service De-activate
Service Query
CoA options are NAD-specific
COA Ports
Port 1700, type = Cisco COA
RFC 5176
What is Change of Authorisation (CoA)
The EndPoint needs a new Policy (RFC 3576 & RFC 5176)
• Disconnect Message (DM)
• Also known as “Packet of Disconnect (PoD)” or “CoA Session Terminate”
• Terminate user session(s) on a NAS and discard all associated session context.
• Change-of-Authorisation (CoA) Messages
• Also known as “Authorise Only” or “CoA Push”
• CoA-Request packets contain information for dynamically changing session authorisations.
Disconnect-Request
Disconnect-ACK/NAK
CoA-Request
My 3rd Party NAD does not support COA ReAuth/ COA Push
ISE 2.0 can perform “COA Stiching”
Web Auth: Enter Credentials
Full Access
PSN
CWA Success
CoA Terminate
New Auth Request
Employee Access
Hold session open for 20 seconds Matching request received < 20 sec;
return policy for employee user Session 002 Session 001 Accntg Stop 1 2 3 4 5 6
3
rd-Party NADs – Supported Features
• AAA
• 802.1X (since 1.0) • MAB (since 1.2.)
• LWA to local portal (since 1.0)
• CoA
• Profiling (with CoA)
• Guest
• Hotspot
• Central Web Authentication (CWA)
• Sponsored guest flow
• Self-Registration guest flow
• ISE hosted portals
Features Vary By Vendor, Platform, and Versions!
Posture
BYOD
Device registration
Supplicant Provisioning
Certificate Provisioning
Self-Service device management (MyDevices)
Single/Dual SSID
TrustSec
Wait There’s More!!!
MAB and 3rd-Party
3rd-Party RADIUS Dictionary
ISE 2.0 Smart Configuration
• NAD Profiles
• Smart Conditions
• Authorisation Profiles
• Authorisation Policy
Adding 3
rd-Party NADS
• Administration > Network Resource > Network Devices
• Be sure to set the Device Profile correctly !!
• Enter Network Device Type and Location info to facilitate policy management
Network Access Device Configuration
Optional:
Override default CoA Port per NAD
Current Vendor Test Results
Vendor Verified Series Tested Model / Firmware
Supported / Validated use cases
CoA Profiler Posture Guest
/BYOD
Aruba Wireless 7000, InstantAP 7005-US/6.4.1.0 ✔ ✔ ✔ ✔
Motorola Wireless RFS 4000 Wing v5.5 ✔ ✔ ✔ ✔
HP Wireless 830 (H3C) 8P/3507P35 ✔ ✔ ✔ ✔ HP Wired HP 5500 HI Switch Series (H3C) A5500-24G-4SFP HI/5.20.99 ✔ ✖ ✖ ✖ HP Wired HP 3800 Switch Series (ProCurve) 3800-24G-POE-2SFP (J9573A) KA.15.16.000. 6 ✖ ✖ ✖ ✖
Brocade Wired ICX 6610 24/08.0.20aT7f3 ✔ ✔ ✖ ✖
Ruckus Wireless ZD1200 9.9.0.0 build 205 ✔ ✔ ✖ ✖
Additional 3rdparty NAD Support:
Requires identification of device properties/capabilities and to creation of a custom NAD profile in ISE. More detailed guide to be published.
✔ Requires CoA support
Requires CoA & url-redirect support
Requires CoA & url-redirect support
Location Based Authorisation
Authorise User Access To The Network Based On Their Location
ISE 2.0
MSE 8.0
UI to Configure MSE
I have Location Data
Enhance Control With Location-based Authorisation
Location-based authorisation
Admin defines location hierarchy and grants users specific access rights based on their location.
Benefits
What’s new for ISE 2.0?
The integration of Cisco Mobility Services Engine (MSE) allows administrators to leverage ISE to authorise network access based on user location.
Enhanced policy enforcement
with automated location check and reauthorisation
Simplified management
by configuring authorisation with ISE management tools
Granular control
of network access with
location-based authorisation for individual users
Capabilities
• Enables configuration of location hierarchy across all location entities • Applies MSE location attributes in authorisation policy
• Checks MSE periodically for location changes (5 mins), one way communication from ISE to MSE. • Reauthorises access based on new location (i.e. if the location changes apply COA)
• Requires a PLUS license in ISE
With The Integration Of Cisco Mobility Services Engine (MSE)
Lobby Patient room Lab ER Doctor No access to patient data Access to patient data No access to patient data Access to patient data Patient data Patient data access locations Patient room ER Lab Lobby Location • Physical • Logical
Complete Your Online Session Evaluation
Learn online with Cisco Live!
Visit us online after the conference for full access to session videos and presentations.
www.CiscoLiveAPAC.com
Give us your feedback and receive a
Cisco 2016 T-Shirt
by completing the
Overall Event Survey and 5 Session
Evaluations.
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site
http://showcase.genie-connect.com/ciscolivemelbourne2016/
– Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected Friday 11 March
at Registration