• No results found

Building an Enterprise Access Control Architecture Using ISE and TrustSec. Hosuk Won, Technical Marketing Engineer

N/A
N/A
Protected

Academic year: 2021

Share "Building an Enterprise Access Control Architecture Using ISE and TrustSec. Hosuk Won, Technical Marketing Engineer"

Copied!
130
0
0

Loading.... (view fulltext now)

Full text

(1)
(2)

Building an Enterprise

Access Control

Architecture Using ISE

and TrustSec

(3)
(4)

This session will focus on ISE use cases including

Visibility, Guest Access, 802.1X & MAB, Compliance

(Posture & MDM Integration), BYOD, Device

Administration, and TrustSec. The session will also cover

integration with 3rd party NAD, pxGrid, SXP, and other

newly introduced features in ISE 2.0. The session will

start with basic use cases using 802.1X/MAB and

progress into advanced use case whereby providing

overview of ISE & TrustSec.

(5)

ISE Primer

Visibility

Guest Access

Secure

Access

BYOD

Agenda

Compliance

TrustSec

Device Administration

Additional Features

3

rd

Party NAD Support

(6)
(7)

• Gain visibility into who and what is on your network • Grant access on a “need to

know” basis

• Get better forensics and prepare for the next attack by sharing information with ecosystem partners

Context Enhances Protection Across the Attack Continuum

BEFORE

• Provide threat context to behavioral analysis

• Contain through network elements and security ecosystem

DURING AFTER

ISE

(8)

Network Resources

Role-Based Access

Introducing Cisco Identity Services Engine

A centralised security solution that automates context-aware access to

network resources and shares contextual data

Network Door Identity Profiling and Posture Who What When Where How CompliantContext

Traditional Cisco TrustSec®

Role-Based Policy Access

Physical or VM Guest Access BYOD Access Secure Access ISE pxGrid Controller

(9)

The Different Ways Customers Use ISE

Guest Access Management

Easily provide visitors secure guest Internet access

BYOD and Enterprise Mobility

Seamlessly classify & securely onboard devices with the right levels of access

Secure Access across the Entire Network

Streamline enterprise network access policy over wired, wireless, & VPN

Software-Defined Segmentation with Cisco TrustSec®

Simplify Network Segmentation and Enforcement to Contain Network Threats

Visibility & Context Sharing with pxGrid

Share endpoint and user context to Cisco and 3rd party system

Network Device Administration

(10)

ISE Nodes and Personas

ISE ISE

Policy Service Monitoring

Admin Inline Posture

Persona—one or more of: • Administration • Monitoring • Policy service • pxGrid

Single ISE node (appliance or VM)

Single inline posture node (appliance only)

What is the ISE 2.0 feature to replace

(11)
(12)

Extensive Context Awareness

Make Fully Informed Decisions with Rich

Contextual Awareness

Poor Context Awareness

Context: Bob IP address 192.168.1.51 Who Tablet Unknown What

Building 200, first floor Unknown

Where

11:00 a.m. EST on April 10 Unknown

When

Wireless Unknown

How

The right user, on the right device, from the right place is granted the right access

Any user, any device, anywhere gets on the network

(13)

Enabling Visibility Inside Your Network

192.168.19.3 10.85.232.4 10.4.51.5 192.168.132.99 10.43.223.221 10.200.21.110 10.51.51.0/24 10.51.52.0/24 10.51.53.0/24 Internet

Cryptic network addresses that may change constantly

Difficult to manage policy without any context

(14)

Many Different Visibility Variables

Trust Gradient •Authentication •Certificate •Managed/Unmanaged •Compliance/Posture Threat/Risk •Threat score •Fidelity Reach

•What services can be accessed

•What other entities can be impacted

Behaviour

•Historical versus active. Now or before •Was I doing the

expected or unexpected Users •Role •Permissions/rights •Importance Devices •Ownership – managed or unmanaged •Type of device •Function •Applications Connectivity •Medium (Wired/Wireless/VPN) •NAD/NAD Details •State (active session)

Location •Physical •Logical Time •Time of Day •Day of week •Connection duration

(15)

Cisco Confidential 15 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Visibility Technologies

ISE Description

Technology and Use Cases

Profiling Technology Device Identification by Cisco ISE

SIEM -- Threat Detection with a Netflow Analyser

SIEM and threat detection analyses network traffic and tells ISE to take action

NaaS/ NaaE Network as a Sensor Network as an Enforcer

Rapid Threat Containment

Firepower and Identity Services Engine

ISE can take action on Threats detected by Source Fire

The Architecture PxGrid - SACM

(Security Automation and Continuous Monitoring)

Cisco pxGrid provides a unified framework that enables ecosystem partners to integrate.

(16)

Recap - Profiling Technology

How Do We Classify a Device?

• Profiling uses signatures (similar to IPS)

• Probes are used to collect endpoint data

RADIUS DHCP DNS HTTP SNMP Query NetFlow DHCPSPAN SNMP Trap NMAP DEVICE PROFILING FEED SERVICE

(17)

Better with Cisco Router and Switches

Device Sensor

• The Network IS the Collector!

• Automatic discovery for most common devices (printers, phones, Cisco devices)

• Collects the data at point closest to endpoint

• Topology independent

• Profiling based on:

• CDP/LLDP

• DHCP

• HTTP (WLC only)

• mDNS, H323,

MSI-Proxy (4k only)

Device Sensor Distributed Probes

ISE

Device Sensor Support 3k/4k/WLC

CDP/LLDP/DHCP DHCP HTTP

CDP/LLDP/DHCP/CDP/LLDP/DHCP

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/compatibility/ise_sdt.html

(18)

IPv6 Device Sensor

IPv6 Device Sensor is supported

DHCP SENSOR

RADIUS HTTP SENSOR

RADIUS

i.e. Framed-IPv6-Address accounting

HTTP sensor – e.g. REMOTE_HOST, REMOTE_ADDR

(19)

Quiz : Which probe is hacker-proof?

(20)

SIEM - Threat Detection with a Netflow Analyser

NetFlow Analyser

Cisco® ISE provides context:

Identity, device type, posture, authorisation level, and location

SIEM and threat detection analyses network traffic and tells ISE to take action,

Correlate Identity & Device To Security Events

“This breach event is 10.1.10.55

“…and it is connected to router 10.100.1.4

“…and the endpoint is 10.100.14.2

Take Network Mitigation Action

“This breach event is associated with

Allan

“…and it is from Allan’s Microsoft Workstation

connected to router

“…and Allan is connected to HR Server (and

shouldn’t be)

I need session information to correlate to users

(21)

See How Endpoints Act On The Network With Better

Visibility

Network as a Sensor

• Cisco ISE

• Cisco Networking Portfolio • Cisco NetFlow

• Lancope StealthWatch

(22)

ADMIN ZONE ENTERPRISE ZONE POS ZONE VENDOR ZONE

And Make Visibility Actionable Through Segmentation

And Automation

Network as an Enforcer

• Cisco ISE

• Cisco Networking Portfolio • Cisco NetFlow

• Lancope StealthWatch

• Cisco TrustSec Software-Defined Segmentation

EMPLOYEE ZONE

DEV ZONE

(23)

Rapid Threat Containment with Firepower

Management Centre and ISE

FW Policy Server ISE 1.3+ Contractor Portal Corp Network

Source Destination Action

IP SGT IP SGT Service Action

Any SGT_Contractor_Clients Any Contractor_Portal HTTPS Allow

Any SGT_Infected Any Internet Any Deny

Event: Suspicious Source IP: 10.10.10.10/32 Response: Quarantine OS Type:Windows 8 User: Brad AD Group: Contractor

Asset Registration: Yes

MAC Address: 00:0C:29:45:6E:12

Policy Mapping SGT: SGT_Infected

pxGrid: ANC Quarantine: 10.10.10.10

FMC 5.4 Set SGT to Suspicious Contractor Compromised Endpoint 10.10.10.10

(24)

Fully Supported on FMC 5.4 and ISE 1.3+

 Uses pxGrid + Endpoint Protection Services (EPS)

 Note: ANC is Next Gen version of the older EPS

 Just in case you didn’t have enough acronyms in your soup

 EPS functions are still there for Backward Compatibility

Loads as a Remediation Module on FMC

 Remediation Module Takes Action via the EPS call through pxGrid

Rapid Threat Containment with Firepower

Management Centre and ISE

For Your Reference For Your Reference

(25)

Context is the Currency of the Solution Integration Realm

…But It’s Not Easy To Execute

I have NBAR info!

I need identity…

I have firewall logs!

I need identity…

I have sec events!

I need reputation…

I have NetFlow!

I need entitlement…

I have MDM info!

I need location…

I have app inventory info!

I need posture…

I have identity & device-type!

I need app inventory & vulnerability…

I have threat data!

I need reputation… I have location! I need identity… But Integration Burden is on IT Departments We Need to Share Context & Take Network Actions

I have reputation info!

I need threat data…

I have application info!

I need location & auth-group…

(26)

Enable Unified Threat Response By Sharing Contextual Data

Cisco Platform Exchange Grid (pxGrid)

Cisco and Partner Ecosystem When Where Who How What 3 2 1 ISE 4 5 Cisco Network pxGrid controller

ISE collects contextual data from network 1

Contextual data is shared via pxGrid technology

2

Partners use ISE data to quickly identify and classify threats 3 Partners take remediation actions through ISE 4

ISE fine tunes access policies with security event data

5

(27)

Vulnerability Assessment Packet Capture & Forensics SIEM & Threat Defense

IAM & SSO

pxGrid

SECURITY THRU INTEGRATION

pxGrid – Industry Adoption Critical Mass

June ’15: 18 Partner Platforms and 9 Technology Areas

Nov ’15: 25 Partners anticipated with Firewall integration

Net/App Performance

IoT Secutity

Access Control Web Access

Cloud Access Security

?

e.g. Ping Identity, NetiIQ, SecureAuth

e.g. Emulex

e.g. SkyHigh, Elastica e.g. Splunk

e.g.

LancopeLogrhythm, NetIQ, FortScale

e.g. Cisco ISE e.g. Cisco WSA

e.g. Cisco FireSIGHT Management Centre

e.g. Tenable, Rabid 7

pxGrid-Enabled Partners:

Cloud: Elastica, SkyHigh Networks

Net/App: LiveAction, Savvius

SIEM/TD: Splunk, Lancope, NetIQ,

LogRhythm, FortScale, Rapid7 • IAM: Ping, NetIQ, SecureAuth • Vulnerability: Rapid7, Tenable

IoT Security: Bayshore Networks

P-Cap/Forensics: Emulex

Cisco: WSA, Sourcefire FireSIGHT

Other ISE Partners:

SIEM/TD: ArcSight, IBM QRadar,

Tibco LogLogic, Symantec

MDM/EMM: Cisco Meraki, MobileIron,

AirWatch, Symantec, Citrix, IBM, Good, SAP, Tangoe, JAMF, Globo, Absolute & more …..

(28)
(29)

Improve Guest Experiences Without

Compromising Security

Guest Guest Guest Sponsor Internet Internet Internet and Network Immediate, Uncredentialed Internet Access with Hotspot Simple Self-Registration

Role-Based Access with Employee Sponsorship

(30)

ISE Built-in Portal Customisation?

Create Accounts Print Email SMS Mobile and Desktop Portals Notifications Approved! credentials username: trex42 password: littlearms
(31)

Which Portals Are Customisable

All Except The Admin Portal

1. Guest

2. Sponsor

3. BYOD (Device Registration) 4. My Devices

5. Client Provisioning (Desktop Posture) 6. MDM (Mobile Device Management) 7. Blacklist

(32)

• 17 languages • All portal support

(hotspot, self

(33)

Access your portals to manage and share

Choose from Pre-Built Portal Layouts

(34)

Supports all languages (plus RTL – Arabic & Hebrew) Supports all portal types

(35)

ISE Express offers the

same

dynamic Guest

features of the

market-leading Cisco ISE

in an

entry-level bundle

at an aggressive

70-80% discount

over the

competition.

(36)

Features / Capabilities?

Platform Included w/Licensing?

List Price?

Cisco ISE Base vs. Cisco ISE Express

 Same

 YES – Bundle includes 1

ISE VM + 150 Licenses

 $2,500 US

Cisco ISE Express

 Guest Access; RADIUS/AAA

 NO – Purchase HW or VM

and licensing

 $6,990 US

(ISE VM:$5,990 + Base: $1,000, for 200 licenses)

(37)

Where Can I Get ISE Express

Download

http://cisco.com/go/iseexpress

Install guide

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

Guest and Web Authentication

ISE Express Installation Guide for ISE 1.4 for Wireless Guest

Access (PDF - 3 MB)

For Your Reference For Your Reference

(38)

What’s New

ISE Express Installation Wizard

 Free, downloadable application

 Simplifies ISE and wireless controller installation

 Provisions Hotspot, Self-Registered or Sponsor services

 Modifies guest portals with logo and colours

 Go to ISE Cisco Software Download

(39)

Demo

(40)
(41)

ISE Express Wizard

• Can be used on Any flavor of ISE running 1.4p3 and above

• Windows & MacOSX

• May work on existing setup but only supported on newly setup environment

• Prerequisite:

• IP Connectivity to ISE and WLC from the PC

• DHCP and user interfaces are preconfigured

• DNS for ISE and FQDN alias is already created

During the Wizard operation, the WLC was rebooted. What command required

(42)
(43)

Secure Access Use Cases

Good

• Mac Authentication

Bypass (MAB)

• Whitelist

• Central Web

Authentication

(CWA)

• No supplicant

Better

• Roll out 802.1x in

Phases (Monitor

Mode)

Best

• 802.1x (Low

Impact, Closed

Mode)

• Certificates

• EAP etc..

• Supplicant on

endpoint

• Switch

configuration

(44)

ISE is a Standards-Based AAA Server

Access Control System Must Support All Connection Methods

ISE Policy Server

VPN

Cisco Prime

Wired

Wireless

VPN

Supports Cisco and 3rd-Party solutions via

standard RADIUS, 802.1X, EAP, and VPN Protocols .. more to come …

RADIUS

802.1X = EAPoLAN

802.1X = EAPoLAN

(45)

Building the Architecture in Phases

47

 Access-Prevention Technology

– A Monitor Mode is necessary

– Must have ways to implement and see who will succeed and who will fail

 Determine why, and then remediate before taking 802.1X into a stronger enforcement mode.

 Solution = Phased Approach to Deployment:

Monitor Mode

Low Impact Mode

Closed Mode

What part of the network does phased

(46)

Monitor Mode

A Process, Not Just a Command

48

SWITCHPORT

KRB5 HTTP

TFTP

DHCP

EAPoL Permit All

SWITCHPORT

KRB5 HTTP

TFTP

DHCP

EAPoL Permit All

Traffic always allowed

Pre-AuthC Post-AuthC

interface GigabitEthernet1/0/1 authentication host-mode multi-auth authentication open

authentication port-control auto mab

dot1x pae authenticator

Interface Config • Enables 802.1X authentication on the switch,

but even failed authentication will gain access • Allows network admins to see who would have

failed, and fix it, before causing a Denial of

Service 

AuthC = Authentication AuthZ = Authorisation

(47)

Low-Impact Mode

If Authentication Is Valid, Then Specific Access!

49 SWITCHPORT KRB5 HTTP TFTP DHCP EAPoL SWITCHPORT KRB5 HTTP RDP DHCP EAPoL Role-Based ACL Permit Some Pre-AuthC Post-AuthC SGT

• Limited access prior to authentication • AuthC success = Role-specific access

• dVLAN Assignment/ dACLs

• Secure Group Access

• Still allows for pre-AuthC access for Thin Clients, WoL & PXE boot devices, etc…

interface GigabitEthernet1/0/1 authentication host-mode multi-auth

authentication open

authentication port-control auto mab

dot1x pae authenticator

ip access-group default-ACL in Interface Config Can dACL enforce L3 traffic on switches without L3 interface? What is the switch feature that finds IP address on a L2 switch?

(48)

Closed Mode

No Access Prior to Login, Then Specific Access!

50

• Default 802.1X behaviour

• No access at all prior to AuthC

• Still use all AuthZ enforcement types • dACL, dVLAN, SGA

• Must take considerations for Thin Clients, WoL, PXE devices, etc…

interface GigabitEthernet1/0/1 authentication host-mode multi-auth

authentication port-control auto mab

dot1x pae authenticator Interface Config SWITCHPORT DHCP TFTP KRB5 HTTP EAPoL SWITCHPORT KRB5 HTTP EAPoL DHCP TFTP Pre-AuthC Post-AuthC Permit

EAP Permit All

Role-Based ACL

- or -

(49)

ISE Deployment for Wired Networks

Phased Deployment

51

Monitor Mode

Low-Impact Mode

Closed Mode

What could be
(50)

ISE Deployment for Wired Networks

Phased Deployment

52

Monitor Mode

Low-Impact Mode

Closed Mode

- dVLAN will be used for Authorization

- Fail-Open in legacy

environment is required

- Want phased deployment; Monitor -> Low-Impact mode - WoL and/or PXE Boot will

be used

What is the issue with

Fail-Open in Low-Impact Mode?

(51)

Monitor mode process

Address risks before enforcement

Monitor

ISE Logs

Address

supplicant

issues

Add new

profiles

Update

MAB list

Advance to Low-Impact

Authentication

should have high

% of success rate

(52)

ISE Deployment Assistant

Go to ISE Cisco Software Download on CCO

(53)
(54)

Internal Employee Intranet

www

Enable Faster and Easier Device Onboarding

Without Any IT Support

Confidential HR Records

?

Device Profiling

Employee

Simplified Device Management from Self-Service Portal

Automated Authentication and Access to Business Assets Rapid Device Identification with

Out-of-the-Box Profiles

(55)

Supports 1M Registered Endpoints and 250K ACTIVE, Concurrent Endpoints

Streamlining BYOD and Enterprise Mobility

Reducing the Complexity of Managing BYOD and Device Onboarding

Integrated Native Certificate Authority for Devices

Customisable Branded Experiences

Easy User Onboarding with Self-Service Device Portals

Improved Device Recognition Desktop

& Mobile Ready!

(56)

Single Versus Dual SSID Provisioning

• Single SSID

• Start with 802.1X on one SSID using PEAP

• End on same SSID with 802.1X using EAP-TLS

• Dual SSID

• Start with CWA on one SSID

• End on different SSID with 802.1X using PEAP or EAP-TLS

SSID = BYOD-Open (MAB / CWA) SSID = BYOD-Closed (802.1X) WLAN Profile SSID = BYOD-Closed PEAP or EAP-TLS (Certificate=MyCert) SSID = BYOD-Closed (802.1X) WLAN Profile SSID = BYOD-Closed EAP-TLS Certificate=MyCert Which flow provides better user experience?

(57)

Onboarding Personal Devices

Registration, Certificate and Supplicant Provisioning

Device Onboarding Certificate Provisioning Supplicant Provisioning Self-Service Model iOS Android Windows MAC OS MyDevices Portal

 Provisions device Certificates.

‒ Based on Employee-ID & Device-ID.

 Provisions Native Supplicants:

‒ Windows: XP, Vista, 7, 8, 8.1, 10

‒ Mac: OS X 10.6, 10.7, 10.8, 10.9, 10.10. 10.11

‒ iOS: 4, 5, 6, 7, 8, 9

‒ Android – 2.2 and above

‒ 802.1X + EAP-TLS, PEAP & EAP-FAST

 Employee Self-Service Portal

‒ Lost Devices are Blacklisted

(58)

What Makes a BYOD Policy?

Sample Complete BYOD Policy

Internet Only

Employee Guest

Access-Reject

i-Device Registered?

Access-Accept MAC address lookup to AD/LDAP

Profiling Posture

Machine certificates

Non-exportable user certificate Machine auth with PEAP-MSCHAPv2’ EAP chaining Y N N Y Y N

(59)

Works Comments Before Expiry iOS Android Windows MAC-OSX After Expiry iOS Android

Windows Supplicant will not use an expired cert

MAC-OSX Not tested yet

Certificate Renewals

(60)

Redirect Expired Certs

Everything Else Windows

(61)

ISE CA: Dual Root Phenomenon

PSN PSN PSN P-PAN PAN S-PAN Subordinate CA SCEP RA Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Promoted • The 4th PSN added to Cube while S-PAN temporarily the root.

• Now is a different chain of trust! Different Chain of Trust

(62)

ISE CA: Dual Root Phenomenon

PSN PSN PSN P-PAN PAN S-PAN PSN Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Subordinate CA SCEP RA OCSP Promoted

• Export Root CA & Import into S-PAN

• The 4th PSN added to Cube while S-PAN temporarily the root.

• S-PAN has same Chain of Trust

atw-lab-ise/admin# application configure ise Selection ISE configuration option

<Snip>

[7]Export Internal CA Store [8]Import Internal CA Store </Snip>

[12]Exit

Single Chain of Trust

(63)

A new certificate type called

NODE_CA has been introduced

- ROOT_CA – The Root CA for the entire

ISE PKI Hierarchy

- NODE_CA – Responsible for issuing the

subordinate EP_CA certificate and the OCSP certificate

- EP_CA – Responsible for issuing the

Endpoints their identity and device certificates

- OCSP – Responsible for signing the

OCSP responses

- EP_RA – Registration Authority for SCEP

to external CA’s

CA Hierarchy in 2.0

(64)

• Multi Node Deployment with 2 PANs and a Single PSN

• The NODE_CA on the Primary and Secondary PAN are signed by the ROOT_CA on the Primary PAN

• The NODE_CA on the Primary PAN is also responsible for signing the EP_CA and OCSP certificate for the PSNs

CA Hierarchy in 2.0

P-PAN

S-PAN

PSN1 PSN2 PSN3

(65)
(66)

Revoke Certificates from ISE

 Automatically Revoked when an Endpoint is marked as “Stolen”

 Certificates may be Manually Revoked

ISE is OCSP Responder for cert validation – no CRL Lists !

What is the difference between device LOST &

STOLEN from the ISE perspective?

(67)

In ISE 1.4, added the Certificate provisioning API.

Now, in 2.0 – we have a customisable portal.

 Customise it to look like the guest portals

 Configure which templates may be used like you would sponsor groups to a

portal page..

(68)
(69)

What Is the Cisco ISE Posture Service?

ISE Node

PSN MnT PAN

Posture Service

in ISE allows you to check the state

(posture) for ALL the endpoints that are connecting to your

ISE-enabled network.

The

Posture Agents

, which are installed on the clients,

interact with the Posture Service to enforce security

policies on all the endpoints that attempt to gain access to

your protected network.

Posture Agents enforce security policies on noncompliant endpoints by blocking network access to your protected network.

(70)

Posture Assessment

Does the Device Meet Security Requirements?

Posture

= The state-of-compliance with the company’s security policy.

Extends the user / system Identity to include Posture Status.

Posture

Microsoft Updates

Antivirus/

Antispyware

Misc

Service Packs Hotfixes OS/Browser versions

Installation/Signatures File data

Services

Applications / Processes Registry Keys

Patch Management

Disk Encryption

What is the main difference between Profiling

(71)

Posture Enhancements

Mac OSx Support Added for Custom Checks: File / Service / Application / Disk Encryption

• File, Service (daemon, User Agent), and

Application (process) checks

• File condition, file path can have home or root follow with path.

• SHA 256 Check

• Property List (plist) Check

(72)

Posture Enhancements -

OSx Daemon Check

• A daemon is a program that runs in

the background as part of the overall system (not tied to user)

• A user agent is a process that runs in the background on behalf of a

particular user.

• ISE 2.0 supports feature to check user

(73)

Disk Encryption

• Based on Opswat OESIS library, which is the same library we use for antivirus, antispyware and patch management applications.

• Administrator would be able to Import the new disk encryption support chart from the update server

• Checks can be based on

• Installation of specified disk encryption application.

(74)
(75)

ISE Posture – Disk Encryption State

(76)

Posture for all Devices

Desktop Posture vs Mobile Posture

Focused on Mobile Devices Posture ONLY Requires devices to comply with MDM policy PINLock, JailBroken, APP check and More …

ISE + MDM

Together

Mobile Posture

SOLUTION

Desktop Compliance checks for Windows and OSx Variety of Checks ranging from OS, Hotfix, AV / AS, Patch Management and More…

ISE can enforce

Network Access based on Compliance

Desktop Posture

ISE can enforce

(77)

Multiple MDM Support

(78)

New MDM dictionary attributes  UDID  MEID  MDM Server Name

MDM Dictionary Attributes

(79)

MDM Authorisation Profiles

Redirection authorisation profile example for

MobileIron and Meraki

MDM Server Selection added to Authorisation Profile

(80)

Sample Authorisation Policy

Combining BYOD + MDM

85

If Employee but not registered with ISE, (Endpoints: BYODRegistration EQUALS No), then start NSP flow

If Employee and registered with ISE (Endpoints: BYODRegistration EQUALS Yes), then start MDM flow

(81)

MDM Flow

86

ISE Policy Server

VPN

 If MDM Registration Status EQUALS UnRegistered, then Redirect to MDM for Enrollment

 If MDM Compliance Status EQUALS NonCompliant, then Redirect to MDM for Compliance

Authentication

MDM Compliance Status != Compliant Redirect to ISE landing page for MDM

enrollment or compliance status

https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=mdm

MDM API

Connect to WLAN=Corp

Redirect browser to ISE

Cloud MDM Google

(82)

MDM Remediation

87

ISE Policy Server

VPN

 CoA allows re-authentication to

be processed based on new endpoint identity context (MDM enrollment/compliance status).

ReAuth

MDM Status = Compliant

Remove Redirection and apply access permissions for compliant endpoints

CoA

 MDM Agents downloaded directly from MDM

Server or Internet App Stores

 Periodic recheck via API; CoA if not compliant

ASA

MDM API

Cloud MDM

ReAuth after Comply

(83)
(84)

Policy and Segmentation

Voice Data Suppliers Guest

Quarantine

Access Layer Aggregation Layer

VLAN Addressing DHCP Scope Redundancy Routing Static Filtering

Simple Segmentation with 2 VLANsMore Policies using more VLANs

Design needs to be replicated to multiple locations, buildings, floors

(85)

• Simplicity: consistent policy enforcement on all networks • Agility: reduce attack surface,

keep pace with business • Ready: secure, comply today

Software-Defined Segmentation with Cisco

TrustSec/ SGT

(86)

Campus & DC

Segmentation

User to DC

Access Control

How TrustSec/ SGT is used today

Server Segmentation Application Protection Secure Contractor Access BYOD Security Machine-Machine Control Threat Defence Fast Server Provisioning Firewall Rule Reduction

PCI & PHI Compliance Network & Role

(87)

Segmentation with Security Group

Data Centre Firewall

Voice Data Suppliers Guest Quarantine

Retaining initial VLAN/Subnet Design Regardless of topology or location,

policy (Security Group Tag) stays with users, devices, and servers

Access Layer Data Tag Supplier Tag Guest Tag Quarantine Tag Aggregation Layer DC-RTP (VDI) Production Servers DC-MTV (SRV1) DC-MTV (SAP1) DC-RTP (SCM2) Destination

(88)

Enforcing Policy Downstream

Context Telemetry:ManagerWindows PCCompliant Cisco ISE Timecard application server Credit Card transaction server Firewall Enforcement

Classify Mark, Propagate, Enforce

• IP Precedence and DiffServ code points • 802.1Q User Priority • MPLS VPN • TrustSec Classify & Mark Enforce Propagation

(89)

Dynamic Classification

Static Classification

• IP Address • VLANs • Subnets • L2 Interface • L3 Interface

• Virtual Port Profile • Layer 2 Port Lookup

Pre-fix learning

Common Classification for Mobile Devices

Common Classification for Servers, Topology-based policy, etc.

802.1X/ RAS VPN Authentication

MAC Auth Bypass

Web Authentication

SGT

Classification Summary

SGT Assignment

(90)

SGT to Port Profile

Nexus 1000v version 2.1

(91)

Dynamic Classification Process in Detail

Layer 2

Supplicant

Switch / WLC

ISE

Layer 3

EAP Transaction

Authorisation

DHCP

EAPoL Transaction RADIUS Transaction

SGT Authenticated Authorised

0

EvaluationPolicy DHCP Lease: 10.1.10.100/24

ARP Probe IP Device

Tracking Authorised MAC: 00:00:00:AB:CD:EF SGT = 5 Binding: 00:00:00:AB:CD:EF = 10.1.10.100/24 1 2 3 SRC: 10.1.10.1= SGT 5 00:00:00:AB:CD:EF cisco-av-pair=cts:security-group-tag=0005-01

Make sure that IP

Device Tracking

is TURNED ON

3560X#show cts role-based sgt-map all details Active IP-SGT Bindings Information

IP Address Security Group Source

============================================= 10.1.10.1 3:SGA_Device INTERNAL 10.1.10.100 5:Employee LOCAL

(92)

DC Access WLC FW Inline SGT Tagging CMD Field ASIC ASIC Optionally Encrypted SXP SRC: 10.1.100.98 IP Address SGT SRC 10.1.100.98 50 Local Hypervisor SW

SXP IP-SGT Binding Table

ASIC

L2 Ethernet Frame SRC: 10.1.100.98 (No CMD)

Inline Tagging (data plane):

If Device supports SGT in its ASIC

SXP (control plane): Shared between devices that do not have SGT-capable hardware

IP Address SGT 10.1.100.98 50

Campus Access Distribution Core DC Core EOR

SXP

Enterprise Backbone

How is the SGT Classification Shared?

Propagation

(93)

Traditional TrustSec Tag Assignment & SXP

Propagation

Access Switch Router DC FW DC Switch HR Servers

Enforcement Fin Servers

ISE Directory

Classification

User / Endpoint

(94)

ISE as SXP Speaker

Access Switch Router DC FW DC Switch HR Servers Fin Servers ISE Directory Classification User / Endpoint SXP Tag IP Addr 5 10.10.10.10 5 Fin Servers 10 HR Servers Propagation Enforcement SXP Propagation

Does Access Switch need to understand TrustSec?

(95)

Cat3750X Cat6500 Nexus 2248

WLC5508 ASA5585 Enterprise

Backbone

Nexus 2248 Cat6500 Nexus 7000 Nexus 5500

End user authenticated

Classified as Employee (5) FIB Lookup

Destination MAC/Port SGT 20 DST: 10.1.100.52 SGT: 20 ISE SRC: 10.1.10.220 5 SRC:10.1.10.220 DST: 10.1.100.52 SGT: 5 DST: 10.1.200.100 SGT: 30 Web_Dir CRM SRC\DST Web_Dir (20) CRM (30) Employee (5) SGACL-A SGACL-B

BYOD (7) Deny Deny

Destination Classification

Web_Dir: SGT 20 CRM: SGT 30

How is Policy Enforced with SGACL

(96)

SGACL Policy on ISE for Switches

2 1

(97)

Security Group Based Access Control for Firewalls

Security Group Firewall (SGFW)

115

Source Tags Destination Tags

(98)
(99)
(100)
(101)

SXP Capability in ISE 2.0

Routers ISE DC Firewall Application Servers Wireless (ANY) Switch (ANY) DC Switch Application Servers MSFT Active Directory 802.1X Network 8 SGT 7 SGT

• Propagate SGTs from ISE directly to Enforcement devices (SXP Speaker) • Access layer device does not need SGT understanding for this User-DC

use-case

• ISE can learn about DC/network SGTs as an SXP Listener

SXP 10SGT

For Your Reference For Your Reference

(102)
(103)

Anatomy of a Typical Device Administration

Session with TACACS+

• TACACS+ Separates

Authentication, Authorisation and Accounting

• Flexible and extensible

• TCP for more reliable accounting

• Built-in Goodies such as User Change Password

(104)

Refresh on a Typical TACACS+ Session

• Two Main Authorisation

stages

• SESSION:

What can user do during this session?

• COMMAND:

Can the user perform this command?

Which TCP port does T+ listen on as default?

(105)

TACACS+ Authorisation: Protocol Level

• Authorisation is a single request/response: Header + Attributes

• Result is FAIL, PASS_ADD, PASS_REPLACE

• Fail: Request is not Permitted

• PASS_ADD: The permissions asked for are valid, but the operation must also apply these extra attributes (Response Profile)

• PASS_REPLACE: The request is permitted, but with this alternative attribute profile

Device ISE Type Author user admin rem_add r office Result PASS_AD D priv-lvl 15

(106)

Introducing

The ISE Device Administration Work Centre

• Starting point for all TACACS+ Activities in ISE • One exception in ISE 2.0

(107)

• Policy Service Node for Protocol Processing

• Session Services (e.g. Network Access/RADIUS) On by default

• Device Admin Service (e.g. TACACS+)

MUST BE ENABLED

FOR DEVICE ADMINISTRATION!!

142

ISE Deployment Node

(108)

Supported Migration paths using Migration Tools

Path Segments Tools

ACS 4.x to ISE ACS 4.x -> ACS 5.6 ACS 4 Migration Tool

ACS 5.6 -> ISE ACS 5 Migration Tool

ACS 5.0 – ACS 5.4 to ISE ACS 5.x -> ACS 5.6 ACS 4 Migration Tool

ACS 5.6 -> ISE ACS 5 Migration Tool

ACS 5.5 - ACS 5.6 to ISE ACS 5.5 - ACS 5.6 to ISE ACS 5 Migration Tool

(109)

Device Administration ACS 5 to ISE Feature Map

ISE Element ACS 5 Element Caveats

Internal Users/Groups Internal Users/Groups

Network Devices/NDG Network Devices/NDG

-Default Network Device Default Network Device ISE must have RADIUS enabled.

Shell Profiles TACACS Profiles Name Conflicts (shared namespace in ISE)

Command Sets TACACS Command Sets Name Conflicts (shared namespace in ISE)

External Proxy Servers TACACS Proxy Servers

-Proxy Service TACACS Proxy Sequence+

Device Admin Policy Set

-Device Admin Service Device Admin Policy Set Policy Model differences, Group map Policy

(110)

ACS 4.x vs. ACS 5.x vs. ISE 2.0

(111)

Migration Best Practices

• Follow recommendations from Migration tool Reports

• Rename ACS objects using ISE legal chars

• Move Group Map Policy to Authorisation

• Consider ACS 5 to ISE migration as opportunity to review and refresh Policy

• Especially if Migrating from ACS 4

147

ISE currently supports 30k NAD vs. ACS which supports 100k!

TACACS+ over IPv6 is not supported on ISE 2.0

For complete list of comparison go to:

(112)
(113)

3

rd

Party Device (NAD) Support

Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD (on top of the already-working 802.1x) with Network

Access Devices (NADs) manufactured by non-Cisco third party

(114)

The Recipe – Key Ingredients

Session ID

URL Redirect

(115)

Cisco Session ID & Redirect

NAD: “show authentication session”

ISE: Detailed Authentication Report

https://ise14.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&portal=&action=cwa

Browser: URL-redirect for Web Auth

C0A8013C00000618B3C1CAFB

(116)

My 3rd Party NAD does not have a Session ID ??

ISE 2.0 can Generate a “Synthesised” Cisco Session ID

C0A8013C00000618B3C1CAFB

Step 4: Apply Base64 encoding to the session ID

Step 1:

Concatenate RADIUS attributes: Resulting value is a 24-byte ASCII string Calling-Station-ID (31), NAS-Port (5), NAS-IP-Address (4)

Step 2: Encryption key using a SHA256:

Hash of RADIUS KeyWrap key/Shared secret + NAD Profile ID

Step 3: Calculate the encrypted session ID:

HMAC-SHA256 of string in step 1 and key from step 2

Step 5:

Prepend the value with ISE node IP address in hexadecimal ASCII format.

(117)

Type: None / Static / Dynamic

• None– NAD does not have usable redirection

method

• Static – NAD requires ISE generated URL to be

applied to local device config

• Dynamic – NAD can receive redirect via RADIUS

authorisation

URL Parameter Names • Defines the format of

vendor redirect

• Allows ISE to parse needed information from redirected requests

URL Redirection

(118)

What is Change of Authorisation (CoA)

The EndPoint needs a new Policy ( ISE 2.0 = RFC 3576 & RFC 5176)

Example Cisco CoA operations

 Terminate session

 Terminate session with port bounce

 Re-authenticate session

 Disable host port

 Session Query

– For Active Services – For Complete Identity – Service Specific

 Service Activate

 Service De-activate

 Service Query

CoA options are NAD-specific

COA Ports

Port 1700, type = Cisco COA

(119)

RFC 5176

What is Change of Authorisation (CoA)

The EndPoint needs a new Policy (RFC 3576 & RFC 5176)

Disconnect Message (DM)

• Also known as “Packet of Disconnect (PoD)” or “CoA Session Terminate”

• Terminate user session(s) on a NAS and discard all associated session context.

Change-of-Authorisation (CoA) Messages

• Also known as “Authorise Only” or “CoA Push”

• CoA-Request packets contain information for dynamically changing session authorisations.

Disconnect-Request

Disconnect-ACK/NAK

CoA-Request

(120)

My 3rd Party NAD does not support COA ReAuth/ COA Push

ISE 2.0 can perform “COA Stiching”

Web Auth: Enter Credentials

Full Access

PSN

CWA Success

CoA Terminate

New Auth Request

Employee Access

Hold session open for 20 seconds Matching request received < 20 sec;

return policy for employee user Session 002 Session 001 Accntg Stop 1 2 3 4 5 6

(121)

3

rd

-Party NADs – Supported Features

• AAA

• 802.1X (since 1.0) • MAB (since 1.2.)

• LWA to local portal (since 1.0)

• CoA

• Profiling (with CoA)

• Guest

• Hotspot

• Central Web Authentication (CWA)

• Sponsored guest flow

• Self-Registration guest flow

• ISE hosted portals

Features Vary By Vendor, Platform, and Versions!

 Posture

 BYOD

 Device registration

 Supplicant Provisioning

 Certificate Provisioning

 Self-Service device management (MyDevices)

 Single/Dual SSID

 TrustSec

(122)

Wait There’s More!!!

MAB and 3rd-Party

3rd-Party RADIUS Dictionary

ISE 2.0 Smart Configuration

• NAD Profiles

• Smart Conditions

• Authorisation Profiles

• Authorisation Policy

(123)

Adding 3

rd

-Party NADS

• Administration > Network Resource > Network Devices

• Be sure to set the Device Profile correctly !!

• Enter Network Device Type and Location info to facilitate policy management

Network Access Device Configuration

Optional:

Override default CoA Port per NAD

(124)

Current Vendor Test Results

Vendor Verified Series Tested Model / Firmware

Supported / Validated use cases

CoA Profiler Posture Guest

/BYOD

Aruba Wireless 7000, InstantAP 7005-US/6.4.1.0 ✔ ✔ ✔ ✔

Motorola Wireless RFS 4000 Wing v5.5

HP Wireless 830 (H3C) 8P/3507P35 ✔ ✔ ✔ ✔ HP Wired HP 5500 HI Switch Series (H3C) A5500-24G-4SFP HI/5.20.99 ✔ ✖ ✖ ✖ HP Wired HP 3800 Switch Series (ProCurve) 3800-24G-POE-2SFP (J9573A) KA.15.16.000. 6 ✖ ✖ ✖ ✖

Brocade Wired ICX 6610 24/08.0.20aT7f3 ✔ ✔ ✖ ✖

Ruckus Wireless ZD1200 9.9.0.0 build 205 ✔ ✔ ✖ ✖

Additional 3rdparty NAD Support:

 Requires identification of device properties/capabilities and to creation of a custom NAD profile in ISE. More detailed guide to be published.

✔ Requires CoA support

Requires CoA & url-redirect support

Requires CoA & url-redirect support

(125)

Location Based Authorisation

Authorise User Access To The Network Based On Their Location

ISE 2.0

MSE 8.0

UI to Configure MSE

I have Location Data

(126)

Enhance Control With Location-based Authorisation

Location-based authorisation

Admin defines location hierarchy and grants users specific access rights based on their location.

Benefits

What’s new for ISE 2.0?

The integration of Cisco Mobility Services Engine (MSE) allows administrators to leverage ISE to authorise network access based on user location.

Enhanced policy enforcement

with automated location check and reauthorisation

Simplified management

by configuring authorisation with ISE management tools

Granular control

of network access with

location-based authorisation for individual users

Capabilities

• Enables configuration of location hierarchy across all location entities • Applies MSE location attributes in authorisation policy

• Checks MSE periodically for location changes (5 mins), one way communication from ISE to MSE. • Reauthorises access based on new location (i.e. if the location changes apply COA)

• Requires a PLUS license in ISE

With The Integration Of Cisco Mobility Services Engine (MSE)

Lobby Patient room Lab ER Doctor No access to patient data Access to patient data No access to patient data Access to patient data Patient data Patient data access locations Patient room ER Lab Lobby Location • Physical • Logical

(127)
(128)

Complete Your Online Session Evaluation

Learn online with Cisco Live!

Visit us online after the conference for full access to session videos and presentations.

www.CiscoLiveAPAC.com

Give us your feedback and receive a

Cisco 2016 T-Shirt

by completing the

Overall Event Survey and 5 Session

Evaluations.

– Directly from your mobile device on the Cisco Live Mobile App

– By visiting the Cisco Live Mobile Site

http://showcase.genie-connect.com/ciscolivemelbourne2016/

– Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected Friday 11 March

at Registration

(129)
(130)
http://cisco.com/go/iseexpress http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html ISE Express Installation Guide for ISE 1.4 for Wireless Guest ISE Cisco Software Download www.CiscoLiveAPAC.com http://showcase.genie-connect.com/ciscolivemelbourne2016/

References

Related documents