Building an Enterprise Access Control Architecture Using ISE and TrustSec. Hosuk Won, Technical Marketing Engineer

2 Building an Enterprise Access Control Architecture Using ISE and TrustSec Hosuk Won, Technical Marketing Engineer

3 Recent Accolade

4 Session Abstract BRKSEC-2044
This session will focus on ISE use cases including Visibility, Guest Access, 802.1X & MAB, Compliance (Posture & MDM Integration), BYOD, Device Administration, and TrustSec. The session will also cover integration with 3rd-party NADs, pxgrid, SXP, and other newly introduced features in ISE 2.0. The session will start with basic use cases using 802.1X/MAB and progress into advanced use cases, providing an overview of ISE & TrustSec.

5 Agenda
- ISE Primer
- Visibility
- Guest Access
- Secure Access
- BYOD
- Compliance
- TrustSec
- Device Administration
- Additional Features: 3rd Party NAD Support, Location Based Authorisation

6 ISE Primer

7 Context Enhances Protection Across the Attack Continuum
ISE context (Who, What, When, Where, How) applied across the attack continuum (BEFORE, DURING, AFTER):
- Gain visibility into who and what is on your network
- Grant access on a need-to-know basis
- Provide threat context to behavioral analysis
- Contain through network elements and security ecosystem
- Get better forensics and prepare for the next attack by sharing information with ecosystem partners

8 Introducing Cisco Identity Services Engine
A centralised security solution that automates context-aware access to network resources and shares contextual data.
(Diagram: ISE, physical or VM, with identity, profiling and posture feeding role-based policy; context of Who, What, When, Where, How; use cases Guest Access, BYOD Access, Role-Based Access, Compliant Secure Access; pxgrid controller; traditional network and Cisco TrustSec network door to network resources)

9 The Different Ways Customers Use ISE
- Guest Access Management: easily provide visitors secure guest Internet access
- BYOD and Enterprise Mobility: seamlessly classify & securely onboard devices with the right levels of access
- Secure Access across the Entire Network: streamline enterprise network access policy over wired, wireless & VPN
- Software-Defined Segmentation with Cisco TrustSec: simplify network segmentation and enforcement to contain network threats
- Visibility & Context Sharing with pxgrid: share endpoint and user context with Cisco and 3rd-party systems
- Network Device Administration: device administration and network access on a single platform

10 ISE Nodes and Personas
Persona: one or more of Administration, Monitoring, Policy Service, pxgrid
Single ISE node (appliance or VM); single Inline Posture node (appliance only)
Question: What is the ISE 2.0 feature to replace the IPN (Inline Posture Node) function?

11 Visibility

12 Make Fully Informed Decisions with Rich Contextual Awareness
Context | Poor Context Awareness | Extensive Context Awareness
Who | IP address | Bob
What | Unknown | Tablet
Where | Unknown | Building 200, first floor
When | Unknown | 11:00 a.m. EST on April 10
How | Unknown | Wireless
Result | Any user, any device, anywhere gets on the network | The right user, on the right device, from the right place is granted the right access

13 Enabling Visibility Inside Your Network
Cryptic network addresses that may change constantly; difficult to manage policy without any context.
(Diagram: IP addresses on the internal network and the Internet)

14 Many Different Visibility Variables
- Users: Role; Permissions/rights; Importance
- Devices: Ownership (managed or unmanaged); Type of device; Function; Applications
- Connectivity: Medium (Wired/Wireless/VPN); NAD/NAD details; State (active session)
- Location: Physical; Logical
- Time: Time of day; Day of week; Connection duration
- Trust Gradient / Threat-Risk: Authentication; Certificate; Managed/Unmanaged; Compliance/Posture; Threat score; Fidelity
- Reach: What services can be accessed; What other entities can be impacted
- Behaviour: Historical versus active (now or before); Was I doing the expected or unexpected?

15 Visibility Technologies
Technology | Description
ISE Profiling Technology | Device identification by Cisco ISE
SIEM - Threat Detection with a Netflow Analyser | SIEM and threat detection analyses network traffic and tells ISE to take action
NaaS / NaaE | Network as a Sensor / Network as an Enforcer
Rapid Threat Containment: Firepower and Identity Services Engine, The Architecture | ISE can take action on threats detected by Sourcefire
pxgrid - SACM (Security Automation and Continuous Monitoring) | Cisco pxgrid provides a unified framework that enables ecosystem partners to integrate
Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15

16 Recap - Profiling Technology: How Do We Classify a Device?
Profiling uses signatures (similar to IPS). Device Profiling Feed Service.
Probes are used to collect endpoint data: DHCP, HTTP, SNMP Query, RADIUS, SNMP Trap, DHCP SPAN, DNS, NMAP, NetFlow

17 Better with Cisco Routers and Switches: Device Sensor
The Network IS the Collector!
- Automatic discovery for most common devices (printers, phones, Cisco devices)
- Collects the data at the point closest to the endpoint
- Topology independent
- Profiling based on: CDP/LLDP; DHCP; HTTP (WLC only); mDNS, H323, MSI-Proxy (4k only)
(Diagram: Device Sensor support on 3k/4k switches and WLC, distributed probes forwarding CDP/LLDP/DHCP and HTTP data to ISE)

18 IPv6 Device Sensor
IPv6 Device Sensor is supported:
- RADIUS sensor, i.e. Framed-IPv6-Address in accounting
- HTTP sensor, e.g. REMOTE_HOST, REMOTE_ADDR
- DHCP sensor: DHCPv6 options

19 Quiz: Which probe is hacker-proof? HTTP, DHCP, CDP, RADIUS

20 SIEM - Threat Detection with a Netflow Analyser
Cisco ISE provides context: identity, device type, posture, authorisation level, and location. SIEM and threat detection analyses network traffic and tells ISE to take action.
NetFlow Analyser: "I need session information to correlate to users."
Flow: Correlate Identity & Device to Security Events; Take Network Mitigation Action.
Example: this breach event is associated with Allan; Allan's Microsoft workstation is connected to a router, and the endpoint is connected to the HR Server (and shouldn't be).

21 See How Endpoints Act On The Network With Better Visibility: Network as a Sensor
(Diagram: Cisco ISE, Cisco Networking Portfolio, Cisco NetFlow, Lancope StealthWatch, Data)

22 And Make Visibility Actionable Through Segmentation And Automation: Network as an Enforcer
(Diagram: Cisco ISE, Cisco Networking Portfolio, Cisco NetFlow, Lancope StealthWatch, Cisco TrustSec Software-Defined Segmentation; zones: Vendor, Admin, POS, Dev, Employee, Enterprise)

23 Rapid Threat Containment with Firepower Management Centre and ISE
Firewall policy (FMC 5.4 with policy server ISE 1.3+):
Source IP | Source SGT | Destination IP | Destination SGT | Service | Action
Any | SGT_Contractor_Clients | Any | Contractor_Portal | HTTPS | Allow
Any | SGT_Infected | Any | Internet | Any | Deny
Event flow: Event: Suspicious, Source IP: /32, Response: Quarantine -> pxgrid ANC Quarantine -> endpoint (OS Type: Windows 8, User: Brad, AD Group: Contractor, Asset Registration: Yes, MAC Address: 00:0C:29:45:6E:12) -> Policy Mapping: SGT: SGT_Infected (set SGT to Suspicious)
(Diagram: contractor with compromised endpoint on the corp network, contractor portal behind the FW)

24 Rapid Threat Containment with Firepower Management Centre and ISE: For Your Reference
- Fully supported on FMC 5.4 and ISE 1.3+
- Uses pxgrid + Endpoint Protection Services (EPS). Note: ANC is the next-gen version of the older EPS (just in case you didn't have enough acronyms in your soup); EPS functions are still there for backward compatibility
- Loads as a Remediation Module on FMC; the Remediation Module takes action via the EPS call through pxgrid

25 Context is the Currency of the Solution Integration Realm, But It's Not Easy To Execute
We need to share context & take network actions, but the integration burden is on IT departments. Each system has some context and needs more:
- I have reputation info! I need threat data
- I have sec events! I need reputation
- I have NetFlow! I need entitlement
- I have threat data! I need reputation
- I have application info! I need location & auth-group
- I have NBAR info! I need identity
- I have location! I need identity
- I have MDM info! I need location
- I have firewall logs! I need identity
- I have app inventory info! I need posture
- I have identity & device-type! I need app inventory & vulnerability

26 Enable Unified Threat Response By Sharing Contextual Data: Cisco Platform Exchange Grid (pxgrid)
1. ISE collects contextual data (Who, What, When, Where, How) from the network
2. Contextual data is shared via pxgrid technology (pxgrid controller)
3. Partners use ISE data to quickly identify and classify threats
4. Partners take remediation actions through ISE
5. ISE fine-tunes access policies with security event data
(Diagram: Cisco Network, ISE, Cisco and Partner Ecosystem)

27 pxgrid Industry Adoption: Critical Mass
June 15: 18 Partner Platforms and 9 Technology Areas. Nov 15: 25 Partners anticipated, with Firewall integration. Security thru integration.
pxgrid-enabled partners by technology area:
- IAM & SSO: Ping Identity, NetIQ, SecureAuth
- SIEM & Threat Defence: Splunk, Lancope, LogRhythm, NetIQ, FortScale, ArcSight, IBM QRadar, Tibco LogLogic, Symantec
- Vulnerability Assessment: Tenable, Rapid7
- Cloud Security: Elastica, SkyHigh Networks
- Net/App Performance: LiveAction, Savvius
- MDM/EMM: Cisco Meraki, MobileIron, AirWatch, Symantec, Citrix, IBM, Good, SAP, Tangoe, JAMF, Globo, Absolute & more
- IoT Security: Bayshore Networks
- Packet Capture & Forensics: Emulex
- Cisco: ISE (Access Control), WSA (Web Access), Sourcefire FireSIGHT Management Centre (Threat Defence)

28 Guest Access

29 Improve Guest Experiences Without Compromising Security
- Hotspot: immediate, uncredentialed Internet access (Guest -> Internet)
- Self-Registration: simple self-registration (Guest -> Internet)
- Sponsored: role-based access with employee sponsorship (Sponsor approves Guest -> Internet and Network)

30 ISE Built-in Portal Customisation
Notifications (Approved! credentials username: trex42 password: littlearms), Create Accounts, Print, SMS; mobile and desktop portals

31 Which Portals Are Customisable? All Except The Admin Portal
1. Guest
2. Sponsor
3. BYOD (Device Registration)
4. My Devices
5. Client Provisioning (Desktop Posture)
6. MDM (Mobile Device Management)
7. Blacklist
8. Certificate Provisioning Portal

32 17 languages; all portals supported (hotspot, self-registered, BYOD, ...)

33 Access your portals to manage and share; choose from pre-built portal layouts

34 Supports all portal types Supports all languages (plus RTL Arabic & Hebrew)

35 ISE Express offers the same dynamic Guest features of the market-leading Cisco ISE in an entry-level bundle at an aggressive 70-80% discount over the competition.

36 Cisco ISE Base vs. Cisco ISE Express
 | Cisco ISE Base | Cisco ISE Express
Features / Capabilities | Guest Access; RADIUS/AAA | Same platform
Included w/ licensing? | NO: purchase HW or VM and licensing | YES: bundle includes 1 ISE VM + licenses
List Price | $6,990 US (ISE VM: $5,990 + Base: $1,000, for 200 licenses) | $2,500 US

37 Where Can I Get ISE Express? For Your Reference
Download the install guide: Guest and Web Authentication, ISE Express Installation Guide for ISE 1.4 for Wireless Guest Access (PDF - 3 MB)

38 What's New: ISE Express Installation Wizard
- Free, downloadable application
- Simplifies ISE and wireless controller installation
- Provisions Hotspot, Self-Registered or Sponsor services
- Modifies guest portals with logo and colours
Go to ISE Cisco Software Download on CCO

39 Demo ISE Express Wizard

41 ISE Express Wizard
- Can be used on any flavor of ISE running 1.4p3 and above
- Windows & Mac OS X
- May work on an existing setup, but only supported on a newly set up environment
- Prerequisites: IP connectivity to ISE and WLC from the PC; DHCP and user interfaces are preconfigured; DNS for ISE and FQDN alias is already created
Question: During the wizard operation, the WLC was rebooted. What command required the reboot?

42 Secure Access

43 Secure Access Use Cases
Good: MAC Authentication Bypass (MAB), Whitelist, Central Web Authentication (CWA); no supplicant
Better: roll out 802.1X in phases (Monitor Mode)
Best: 802.1X (Low Impact, Closed Mode), certificates, EAP etc.; supplicant on endpoint, switch configuration

44 ISE is a Standards-Based AAA Server
An access control system must support all connection methods: Wired 802.1X = EAPoLAN; Wireless 802.1X = EAPoLAN; VPN = SSL / IPsec. Supports Cisco and 3rd-party solutions via standard RADIUS, 802.1X, EAP, and VPN protocols... more to come.
(Diagram: NADs -> RADIUS -> ISE Policy Server; Cisco Prime)

45 Building the Architecture in Phases
802.1X is an access-prevention technology, so a Monitor Mode is necessary: must have ways to implement and see who will succeed and who will fail, determine why, and then remediate before taking 802.1X into a stronger enforcement mode.
Solution = Phased Approach to Deployment: Monitor Mode -> Low Impact Mode -> Closed Mode
Question: What part of the network does phased deployment apply to?

46 Monitor Mode: A Process, Not Just a Command
Interface config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
- Enables 802.1X authentication on the switch, but even failed authentication will gain access
- Allows network admins to see who would have failed, and fix it, before causing a Denial of Service
Pre-AuthC: Permit All (DHCP, TFTP, KRB5, HTTP, EAPoL). Post-AuthC: Permit All. Traffic always allowed.
AuthC = Authentication, AuthZ = Authorisation

47 Low-Impact Mode: If Authentication Is Valid, Then Specific Access!
Interface config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     ip access-group default-acl in
- Limited access prior to authentication
- AuthC success = role-specific access: dVLAN assignment / dACLs / Secure Group Access
- Still allows pre-AuthC access for Thin Clients, WoL & PXE boot devices, etc.
Pre-AuthC: Permit Some (DHCP, KRB5, EAPoL, TFTP, HTTP). Post-AuthC: Role-Based ACL / SGT (DHCP, KRB5, EAPoL, RDP, HTTP).
Questions: Can a dACL enforce L3 traffic on switches without an L3 interface? What is the switch feature that finds the IP address on an L2 switch?

48 Closed Mode: No Access Prior to Login, Then Specific Access!
Interface config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication port-control auto
     mab
     dot1x pae authenticator
- Default 802.1X behaviour: no access at all prior to AuthC
- Still uses all AuthZ enforcement types: dACL, dVLAN, SGA
- Must take considerations for Thin Clients, WoL, PXE devices, etc.
Pre-AuthC: Permit EAP only (DHCP, KRB5, TFTP, HTTP blocked). Post-AuthC: Permit All, or Role-Based ACL / SGT (DHCP, KRB5, EAPoL, TFTP, HTTP).

49 ISE Deployment for Wired Networks: Phased Deployment
Monitor Mode -> Low-Impact Mode -> Closed Mode
Question: What could be the challenge?

50 ISE Deployment for Wired Networks: Phased Deployment
Low-Impact Mode:
- Want phased deployment; Monitor -> Low-Impact mode
- WoL and/or PXE Boot will be used
Closed Mode:
- dVLAN will be used for Authorization
- Fail-Open in legacy environment is required
Question: What is the issue with Fail-Open in Low-Impact Mode?

51 Monitor Mode Process: Address Risks Before Enforcement
Cycle: Update MAB list -> Monitor ISE logs -> Add new profiles -> Address supplicant issues -> Advance to Low-Impact
Authentication should have a high success rate (%)

52 ISE Deployment Assistant: go to ISE Cisco Software Download on CCO

53 BYOD

54 Enable Faster and Easier Device Onboarding Without Any IT Support
- Rapid device identification with out-of-the-box profiles (Device Profiling)
- Simplified device management from a self-service portal
- Automated authentication and access to business assets
(Diagram: Employee, IT Staff, Internal Employee accessing Confidential HR Records, Intranet, www)

55 Streamlining BYOD and Enterprise Mobility: Reducing the Complexity of Managing BYOD and Device Onboarding
- Improved device recognition
- Integrated native Certificate Authority for devices
- Desktop & mobile ready! Customisable branded experiences
- Easy user onboarding with self-service device portals
- Comprehensive device security with posture and EMM
- Supports 1M registered endpoints and 250K ACTIVE, concurrent endpoints

56 Single Versus Dual SSID Provisioning
Single SSID: start with 802.1X on one SSID using PEAP (SSID = BYOD-Closed, 802.1X); end on the same SSID with 802.1X using EAP-TLS (WLAN Profile: SSID = BYOD-Closed, EAP-TLS, Certificate=MyCert)
Dual SSID: start with CWA on one SSID (SSID = BYOD-Open, MAB / CWA); end on a different SSID with 802.1X using PEAP or EAP-TLS (WLAN Profile: SSID = BYOD-Closed, PEAP or EAP-TLS (Certificate=MyCert))
Question: Which flow provides the better user experience?

57 Onboarding Personal Devices: Registration, Certificate and Supplicant Provisioning
- MyDevices Portal: employee self-service portal; lost devices are blacklisted; the self-service model reduces IT burden
- Certificate Provisioning: provisions device certificates based on Employee-ID & Device-ID
- Supplicant Provisioning: provisions native supplicants for 802.1X + EAP-TLS, PEAP & EAP-FAST on Windows XP, Vista, 7, 8, 8.1, 10; Mac OS X 10.6, 10.7, 10.8, 10.9; iOS 4, 5, 6, 7, 8, 9; Android 2.2 and above

58 What Makes a BYOD Policy? Sample Complete BYOD Policy
(Flowchart: decisions Employee? (N -> Guest), i-device?, Registered?; outcomes Access-Accept, Internet Only, Access-Reject)
Policy ingredients: MAC address lookup to AD/LDAP; Profiling; Posture; Machine certificates; Non-exportable user certificate; Machine auth with PEAP-MSCHAPv2; EAP chaining

59 Certificate Renewals
Before expiry: iOS, Android, Windows, Mac OS X. After expiry: iOS, Android, Windows, Mac OS X.
Comments: the supplicant will not use an expired cert; not tested yet.

60 Redirect Expired Certs Windows Everything Else

61 Certificate Authority, ISE CA: Dual Root Phenomenon, Different Chain of Trust
The 4th PSN is added to the cube while the promoted S-PAN is temporarily the root; that PSN now has a different chain of trust!
(Diagram: P-PAN, promoted S-PAN, PSNs each holding Subordinate CA, SCEP RA and OCSP)

62 Certificate Authority, ISE CA: Dual Root Phenomenon, Single Chain of Trust
Export the Root CA and import it into the S-PAN, so the S-PAN has the same chain of trust; the 4th PSN added to the cube while S-PAN is temporarily the root then gets the same chain.
(Diagram: P-PAN, promoted S-PAN, four PSNs each holding Subordinate CA, SCEP RA and OCSP)
CLI:
    atw-lab-ise/admin# application configure ise
    Selection ISE configuration option
    <Snip>
    [7]Export Internal CA Store
    [8]Import Internal CA Store
    </Snip>
    [12]Exit

63 CA Hierarchy in 2.0: Certificate Authority
A new certificate type called NODE_CA has been introduced.
- ROOT_CA: the root CA for the entire ISE PKI hierarchy
- NODE_CA: responsible for issuing the subordinate EP_CA certificate and the OCSP certificate
- EP_CA: responsible for issuing the endpoints their identity and device certificates
- OCSP: responsible for signing the OCSP responses
- EP_RA: Registration Authority for SCEP to external CAs

64 CA Hierarchy in 2.0: Certificate Authority
Multi Node Deployment with 2 PANs and a Single PSN (diagram: P-PAN, S-PAN, PSN1, PSN2, PSN3)
- The NODE_CA on the Primary and Secondary PAN are signed by the ROOT_CA on the Primary PAN
- The NODE_CA on the Primary PAN is also responsible for signing the EP_CA and OCSP certificates for the PSNs

65 Native Supplicant Profile

66 Revoke Certificates from ISE
- Automatically revoked when an endpoint is marked as Stolen
- Certificates may be manually revoked
- ISE is the OCSP responder for cert validation: no CRL lists!
Question: What is the difference between device LOST & STOLEN from the ISE perspective?

67 Certificate Provisioning Portal
In ISE 1.4 the Certificate Provisioning API was added. Now, in 2.0, we have a customisable portal: customise it to look like the guest portals, and configure which templates may be used, like you would assign sponsor groups to a portal page.

68 Compliance

69 What Is the Cisco ISE Posture Service?
The Posture Service in ISE allows you to check the state (posture) of ALL the endpoints that are connecting to your ISE-enabled network. The Posture Agents, which are installed on the clients, interact with the Posture Service to enforce security policies on all the endpoints that attempt to gain access to your protected network. Posture Agents enforce security policies on noncompliant endpoints by blocking network access to your protected network.
(Diagram: ISE node personas PAN, MnT, PSN)
Must have Apex licensing enabled on your ISE devices.

70 Posture Assessment: Does the Device Meet Security Requirements?
Posture = the state of compliance with the company's security policy. It extends the user / system identity to include posture status.
Checks: Microsoft Updates (Service Packs, Hotfixes, OS/Browser versions); Antivirus/Antispyware (Installation/Signatures); Misc (File data, Services, Applications/Processes, Registry Keys, Patch Management, Disk Encryption)
Question: What is the main difference between Profiling & Posture?

71 Posture Enhancements: Mac OS X Support
Added for custom checks: File / Service / Application / Disk Encryption
- File, Service (daemon, user agent), and Application (process) checks
- File condition: the file path can have home or root followed by the path
- SHA-256 check
- Property List (plist) check
NOTE: Disk Encryption is new for ISE 2.0

72 Posture Enhancements - OS X Daemon Check
A daemon is a program that runs in the background as part of the overall system (not tied to a user). A user agent is a process that runs in the background on behalf of a particular user. ISE 2.0 supports checking the user agent as well as the daemon.

73 Disk Encryption
Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications. The administrator would be able to import the new disk encryption support chart from the update server. Checks can be based on installation of a specified disk encryption application, and on disk encryption state.

74 Windows: ISE Posture Disk Encryption

75 ISE Posture Disk Encryption State Location?

76 Posture for all Devices: Desktop Posture vs Mobile Posture
Desktop Posture: compliance checks for Windows and OS X; a variety of checks ranging from OS, Hotfix, AV / AS, Patch Management and more; ISE can enforce network access based on compliance.
Mobile Posture: focused on mobile devices; posture ONLY requires devices to comply with MDM policy (PIN lock, jailbroken, app check and more); ISE can enforce network access based on MDM compliance.
SOLUTION: ISE + MDM together.

77 Multiple MDM Support Multiple MDM Vendors Can Be Added To ISE And Used Simultaneously In Policy

78 MDM Dictionary Attributes: new MDM dictionary attributes UDID, MEID, MDM Server Name

79 MDM Authorisation Profiles: redirection authorisation profile example for MobileIron and Meraki; MDM Server Selection added to the Authorisation Profile

80 Sample Authorisation Policy Combining BYOD + MDM
- If Employee but not registered with ISE (Endpoints:BYODRegistration EQUALS No), then start the NSP flow
- If Employee and registered with ISE (Endpoints:BYODRegistration EQUALS Yes), then start the MDM flow

81 MDM Flow
- If MDM Registration Status EQUALS UnRegistered, then redirect to MDM for enrollment
- If MDM Compliance Status EQUALS NonCompliant, then redirect to MDM for compliance
Flow: connect to WLAN=Corp (or VPN) -> authentication -> ISE Policy Server queries the Cloud MDM via the MDM API -> MDM Compliance Status != Compliant -> redirect browser to the ISE landing page for MDM enrollment or compliance status (agent from Google Play/AppStore)

82 MDM Remediation
CoA allows re-authentication to be processed based on new endpoint identity context (MDM enrollment/compliance status).
- ReAuth after Comply
- MDM agents downloaded directly from the MDM server or Internet app stores
- Periodic recheck via API; CoA if not compliant
Flow: ISE Policy Server <-> MDM API (Cloud MDM); MDM Status = Compliant -> CoA ReAuth -> remove redirection and apply access permissions for compliant endpoints (Compliant = Full Access; VPN via ASA)

83 TrustSec

84 Policy and Segmentation
Design needs to be replicated to multiple locations, buildings, floors: ACLs, VLANs, addressing, DHCP scopes, redundancy, routing and static filtering at the aggregation and access layers (Quarantine, Voice, Data, Suppliers, Guest). Simple segmentation with 2 VLANs; more policies using more VLANs.

85 Software-Defined Segmentation with Cisco TrustSec / SGT
- Simplicity: consistent policy enforcement on all networks
- Agility: reduce attack surface, keep pace with business
- Ready: secure, comply today

86 How TrustSec / SGT is used today
User to DC Access Control; Network & Role Segmentation; BYOD Security; Application Protection; Secure Contractor Access; PCI & PHI Compliance; Campus & DC Segmentation; Server Segmentation; Firewall Rule Reduction; Fast Server Provisioning; Threat Defence; Machine-to-Machine Control

87 Segmentation with Security Group
Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers, retaining the initial VLAN/subnet design.
(Diagram: data centre firewall, aggregation layer, access layer; production servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI); destination tags Data, Supplier, Guest, Quarantine; access VLANs Voice, Data, Suppliers, Guest, Quarantine)

88 Enforcing Policy Downstream
Classify & Mark -> Propagate -> Enforce: the same pattern as IP Precedence and DiffServ code points, 802.1Q User Priority and MPLS VPN, now applied by TrustSec.
(Diagram: context telemetry (Manager, Windows PC, Compliant) classified and marked at the access switch, propagated via Cisco ISE, enforced at the firewall in front of the Timecard application server and the Credit Card transaction server)

89 Classification Summary: SGT Assignment
Dynamic classification (common classification for mobile devices): 802.1X, MAC Auth Bypass, Web Authentication, RAS VPN authentication
Static classification (common classification for servers, topology-based policy, etc.): IP address, VLANs, subnets, L2 interface, L3 interface, Virtual Port Profile, Layer 2 port lookup, prefix learning

90 SGT to Port Profile Classification Nexus 1000v version 2.1

91 Dynamic Classification Process in Detail
Supplicant (MAC 00:00:00:AB:CD:EF) <-> Switch / WLC <-> ISE
1. Layer 2: EAPoL transaction between supplicant and switch; the EAP transaction is carried to ISE in the RADIUS transaction; ISE performs policy evaluation and returns the authorisation cisco-av-pair=cts:security-group-tag= ; the switch records Authenticated / Authorised MAC 00:00:00:AB:CD:EF, SGT = 5
2. Layer 3: DHCP lease ( /24); IP Device Tracking (ARP probe) learns the endpoint IP. Make sure that IP Device Tracking is TURNED ON.
3. Classification: SGT binding 00:00:00:AB:CD:EF = /24, so the frame source IP maps to the SGT
Switch verification:
    X#show cts role-based sgt-map all details
    Active IP-SGT Bindings Information
    IP Address  Security Group  Source
    =============================================
                :SGA_Device     INTERNAL
                :Employee       LOCAL

92 How is the SGT Classification Shared? Propagation
- Inline SGT tagging (data plane): if the device supports SGT in its ASIC, the SGT is carried in the CMD field of the L2 Ethernet frame (optionally encrypted)
- SXP propagation (control plane): IP-to-SGT bindings shared between devices that do not have SGT-capable hardware, held in an IP Address | SGT | Source table (source Local or SXP)
(Diagram: campus access, distribution and core; enterprise backbone; DC core, EOR, DC access; hypervisor switch, WLC and FW; a frame from the WLC leaves with no CMD and is tagged inline where the hardware supports it)

93 Traditional TrustSec Tag Assignment & SXP Propagation
(Diagram: User / Endpoint -> Access Switch (classification via ISE and Directory) -> Router -> DC FW -> DC Switch (enforcement) -> Fin Servers, HR Servers; SXP propagation along the path)

94 ISE as SXP Speaker
ISE propagates the IP-to-SGT bindings over SXP (table Tag | IP Addr: Fin Servers 10; HR Servers) directly to the enforcement points.
(Diagram: User / Endpoint -> Access Switch -> Router -> DC FW -> DC Switch -> Fin Servers, HR Servers; ISE with Directory doing classification and acting as SXP speaker)
Question: Does the Access Switch need to understand TrustSec?

95 How is Policy Enforced with SGACL: Enforcement
End user authenticated and classified as Employee (5). Destination classification: Web_Dir = SGT 20, CRM = SGT 30. At the enforcement point a FIB lookup on the destination MAC/port yields the destination SGT (20), and the SGACL for the (source SGT, destination SGT) cell is applied.
(Diagram: Cat3750X and WLC5508 at the edge, Cat6500 pair, Nexus 7000, ASA5585, Nexus 5500, Nexus 2248 across the enterprise backbone; frame SRC: SGT 5 -> DST: Web_Dir SGT 20 / CRM SGT 30)
SGACL matrix:
SRC \ DST | Web_Dir (20) | CRM (30)
Employee (5) | SGACL-A | SGACL-B
BYOD (7) | Deny | Deny
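The classify-then-matrix logic of the slide above, written out as an added Python example (not Cisco or ISE code). The SGT numbers, names and matrix cells are the slide's; the IP bindings, the contents of SGACL-A and SGACL-B, and the default-permit fallback for unclassified traffic are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# IP-to-SGT binding table, as a switch shows it with
# "show cts role-based sgt-map all details". Addresses are constructed.
# LOCAL = learned on this switch via IP Device Tracking,
# SXP   = received from an SXP speaker for hosts this switch never saw.
BINDINGS: List[Tuple[str, int, str]] = [
    ("10.1.10.0/24", 5, "LOCAL"),   # Employee endpoints
    ("10.1.20.0/24", 7, "LOCAL"),   # BYOD endpoints
    ("10.2.0.10/32", 20, "SXP"),    # Web_Dir server
    ("10.2.0.20/32", 30, "SXP"),    # CRM server
]

SGT_NAMES = {5: "Employee", 7: "BYOD", 20: "Web_Dir", 30: "CRM"}

# The SGACL matrix from the slide: (source SGT, destination SGT) -> cell.
MATRIX = {
    (5, 20): "SGACL-A",
    (5, 30): "SGACL-B",
    (7, 20): "Deny",
    (7, 30): "Deny",
}

# Constructed SGACL contents: ordered (protocol, destination port, permit?)
# entries evaluated top-down like ACEs; "ip" with no port matches anything.
SGACLS = {
    "SGACL-A": [("tcp", 443, True), ("tcp", 80, True), ("ip", None, False)],
    "SGACL-B": [("tcp", 8443, True), ("ip", None, False)],
    "Deny": [("ip", None, False)],
}


def lookup_sgt(ip: str) -> Optional[int]:
    """Longest-prefix match of an address against the binding table.

    None means the host has no binding, which is what an enforcement point
    sees for traffic from an unclassified endpoint.
    """
    addr = ipaddress.IPv4Address(ip)
    best_net, best_sgt = None, None
    for prefix, sgt, _source in BINDINGS:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_sgt = net, sgt
    return best_sgt


def evaluate_sgacl(name: str, proto: str, dport: Optional[int]) -> bool:
    """First matching entry wins; no match means implicit deny."""
    for ace_proto, ace_port, permit in SGACLS[name]:
        if ace_proto == "ip" or (ace_proto == proto and (ace_port is None or ace_port == dport)):
            return permit
    return False


def enforce(src_ip: str, dst_ip: str, proto: str, dport: Optional[int],
            default_permit: bool = True) -> Tuple[str, str]:
    """Decide a flow the way a TrustSec enforcement point does.

    1. Classify both ends through the binding table, not the IP itself.
    2. Find the matrix cell for (source SGT, destination SGT).
    3. Evaluate the SGACL in that cell.
    Unknown tags or an empty cell fall back to the platform default
    (assumed permit here). Returns (decision, SGACL name or "default").
    """
    src_sgt, dst_sgt = lookup_sgt(src_ip), lookup_sgt(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return ("permit" if default_permit else "deny", "default")
    cell = MATRIX.get((src_sgt, dst_sgt))
    if cell is None:
        return ("permit" if default_permit else "deny", "default")
    return ("permit" if evaluate_sgacl(cell, proto, dport) else "deny", cell)


if __name__ == "__main__":
    for flow in [("10.1.10.5", "10.2.0.10", "tcp", 443),   # Employee -> Web_Dir
                 ("10.1.10.5", "10.2.0.20", "tcp", 443),   # Employee -> CRM, wrong port
                 ("10.1.20.9", "10.2.0.10", "tcp", 443),   # BYOD -> Web_Dir
                 ("10.9.9.9", "10.2.0.10", "tcp", 443)]:   # unclassified source
        src, dst = flow[0], flow[1]
        print(f"{src} ({SGT_NAMES.get(lookup_sgt(src), 'unknown')}) -> "
              f"{dst} ({SGT_NAMES.get(lookup_sgt(dst), 'unknown')}): {enforce(*flow)}")
```

Moving a server to another subnet only changes its binding, not the matrix, which is the topology-independence the slide claims; the unclassified case shows why the default cell matters as much as the explicit ones.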

96 SGACL Policy on ISE for Switches (screenshot)

97 Enforcement: Security Group Based Access Control for Firewalls
Security Group Firewall (SGFW): rules written on Source Tags and Destination Tags

98 New TrustSec Dashboard & WorkCentre

99 Improved Matrix, Colour Coded + Condensed

100 Improved Matrix, Colour Coded + Condensed

101 SXP Capability in ISE 2.0: For Your Reference
- Propagate SGTs from ISE directly to enforcement devices (SXP Speaker)
- The access layer device does not need SGT understanding for this User-to-DC use case
- ISE can learn about DC/network SGTs as an SXP Listener
(Diagram: 802.1X users on any switch or wireless network; routers; DC firewall and DC switch; MSFT Active Directory SGT 10; application servers SGT 8 and SGT 7)

102 Device Administration

103 Anatomy of a Typical Device Administration Session with TACACS+
TACACS+ separates Authentication, Authorisation and Accounting; flexible and extensible; TCP for more reliable accounting; built-in goodies such as User Change Password.

104 Refresh on a Typical TACACS+ Session
Two main authorisation stages: SESSION: what can the user do during this session? COMMAND: can the user perform this command?
Question: Which TCP port does T+ listen on by default?

105 TACACS+ Authorisation: Protocol Level
Authorisation is a single request/response: Header + Attributes.
Example: the device sends attributes such as user (admin), rem_addr and device type (office); ISE returns the result priv-lvl 15 with status PASS_ADD.
Result is FAIL, PASS_ADD, or PASS_REPLACE:
- FAIL: the request is not permitted
- PASS_ADD: the permissions asked for are valid, but the operation must also apply these extra attributes (Response Profile)
- PASS_REPLACE: the request is permitted, but with this alternative attribute profile

106 Introducing The ISE Device Administration Work Centre: the starting point for all TACACS+ activities in ISE (one exception in ISE 2.0)

107 ISE Deployment Node Configuration
Policy Service Node for protocol processing: Session Services (e.g. Network Access/RADIUS) are on by default; the Device Admin Service (e.g. TACACS+) MUST BE ENABLED FOR DEVICE ADMINISTRATION!!

108 Supported Migration Paths Using Migration Tools
Path | Segments | Tools
ACS 4.x to ISE | ACS 4.x -> ACS 5.6 | ACS 4 Migration Tool
 | ACS 5.6 -> ISE | ACS 5 Migration Tool
ACS 5.0 - ACS 5.4 to ISE | ACS 5.x -> ACS 5.6 | ACS 4 Migration Tool
 | ACS 5.6 -> ISE | ACS 5 Migration Tool
ACS 5.6 to ISE | ACS 5.6 -> ISE | ACS 5 Migration Tool
Consider options carefully, especially if migrating from ACS 4.

109 Device Administration: ACS 5 to ISE Feature Map
ACS 5 Element | ISE Element | Caveats
Internal Users/Groups | Internal Users/Groups | -
Network Devices/NDG | Network Devices/NDG | -
Default Network Device | Default Network Device | ISE must have RADIUS enabled
Shell Profiles | TACACS Profiles | Name conflicts (shared namespace in ISE)
Command Sets | TACACS Command Sets | Name conflicts (shared namespace in ISE)
External Proxy Servers | TACACS Proxy Servers | -
Proxy Service | TACACS Proxy Sequence + Device Admin Policy Set | -
Device Admin Service | Device Admin Policy Set | Policy model differences, Group Map Policy
TACACS+ Settings | TACACS Global Settings | -

110 ACS 4.x vs. ACS 5.x vs. ISE 2.0

111 Migration Best Practices
- Follow recommendations from the Migration Tool reports
- Rename ACS objects using ISE legal characters
- Move Group Map Policy to Authorisation
- Consider the ACS 5 to ISE migration an opportunity to review and refresh policy, especially if migrating from ACS 4
- ISE currently supports 30k NADs vs. ACS which supports 100k!
- TACACS+ over IPv6 is not supported on ISE 2.0
For the complete list of comparisons go to:

112 Additional Features

113 3rd Party Device (NAD) Support
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD (on top of the already-working 802.1X) with Network Access Devices (NADs) manufactured by non-Cisco third-party vendors.

114 The Recipe: Key Ingredients are Session ID, URL Redirect and CoA

115 Cisco Session ID & Redirect: C0A8013C B3C1CAFB = NAS IP Address | Session Count | Time Stamp. The same session ID is visible on the NAD (show authentication session), in ISE (Detailed Authentication Report) and in the browser (URL-redirect for Web Auth).

116 My 3rd-Party NAD does not have a Session ID?? ISE 2.0 can generate a Synthesised Cisco Session ID. Step 1: Concatenate the RADIUS attributes Calling-Station-ID (31), NAS-Port (5) and NAS-IP-Address (4); the resulting value is a 24-byte ASCII string. Step 2: Derive the encryption key using SHA256: hash of the RADIUS KeyWrap key/shared secret + NAD Profile ID. Step 3: Calculate the encrypted session ID: HMAC-SHA256 of the string from step 1 under the key from step 2 (C0A8013C B3C1CAFB). Step 4: Apply Base64 encoding to the session ID. Step 5: Prepend the value with the ISE node IP address in hexadecimal ASCII format.
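To make the two session-ID slides above concrete, here is an added example (not Cisco's or ISE's code) that decodes the three fields of a Cisco audit-session-id and builds a synthesised session ID for a NAD that sends none, following the five steps listed. The NAS IP / session count / timestamp layout and the step order are from the slides; the back-to-back concatenation of the three attributes, plain string concatenation of secret and profile ID in the key derivation, and every sample value are assumptions or constructed.

```python
"""Cisco audit-session-id decoding plus an ISE 2.0-style synthesised session ID.

Added example, not Cisco's or ISE's code. The 8-hex-digit NAS IP / session count /
timestamp layout and the five synthesis steps follow the slides; the attribute
concatenation order, the use of plain concatenation in the key derivation and all
sample values are assumptions or constructed.
"""
import base64
import hashlib
import hmac
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def ip_to_hex(ip: str) -> str:
    """'192.168.1.60' -> 'C0A8013C': an IPv4 address as 8 upper-case hex digits."""
    return f"{int(ipaddress.IPv4Address(ip)):08X}"


def looks_like_cisco_session_id(session_id: str) -> bool:
    """Cisco NADs emit 24 hex digits: NAS IP (8) | session count (8) | timestamp (8)."""
    return len(session_id) == 24 and all(c in HEX_DIGITS for c in session_id)


def decode_cisco_session_id(session_id: str) -> dict:
    """Split a Cisco session ID into its fields, as seen in 'show authentication session'
    on the NAD and in the ISE detailed authentication report."""
    if not looks_like_cisco_session_id(session_id):
        raise ValueError("expected a 24-hex-digit Cisco session ID")
    return {
        "nas_ip": str(ipaddress.IPv4Address(int(session_id[0:8], 16))),
        "session_count": int(session_id[8:16], 16),
        "timestamp": int(session_id[16:24], 16),  # raw field value; no epoch encoding assumed
    }


def synthesise_session_id(calling_station_id: str, nas_port: int, nas_ip_address: str,
                          shared_secret: str, nad_profile_id: str, ise_node_ip: str) -> str:
    """Build a session ID for a third-party NAD that sends none, following the slide's steps."""
    # Step 1: concatenate Calling-Station-ID (31), NAS-Port (5), NAS-IP-Address (4).
    # Joining them back to back with no separator is an assumption.
    attrs = f"{calling_station_id}{nas_port}{nas_ip_address}".encode()
    # Step 2: key = SHA-256 over the RADIUS shared secret and the NAD profile ID.
    key = hashlib.sha256((shared_secret + nad_profile_id).encode()).digest()
    # Step 3: HMAC-SHA256 of the attribute string under that key.
    mac = hmac.new(key, attrs, hashlib.sha256).digest()
    # Step 4: Base64-encode the MAC.
    encoded = base64.b64encode(mac).decode()
    # Step 5: prepend the ISE node IP in hexadecimal ASCII, mirroring the Cisco prefix.
    return ip_to_hex(ise_node_ip) + encoded


if __name__ == "__main__":
    # Constructed sample values.
    print(decode_cisco_session_id("C0A8013C" + "0000001B" + "5F000000"))
    print(synthesise_session_id("00:11:22:33:44:55", 1, "10.1.1.2",
                                "constructed-secret", "AcmeSwitchProfile", "10.0.0.5"))
```

Because the key is derived from the shared secret, a NAD or client cannot predict or forge another endpoint's synthesised ID; the ISE-node prefix keeps IDs from different PSNs from colliding, just as the NAS IP prefix does for native Cisco session IDs.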

117 URL Redirection: Static URL, Dynamic URL and URL Format. Type: None / Static / Dynamic. None: the NAD has no usable redirection method. Static: the NAD requires the ISE-generated URL to be applied in the local device config. Dynamic: the NAD can receive the redirect via RADIUS authorisation. URL Parameter Names: defines the format of the vendor redirect and allows ISE to parse the needed information from redirected requests.

118 What is Change of Authorisation (CoA)? The EndPoint needs a new Policy (ISE 2.0 = RFC 3576 & RFC 5176). CoA Ports: Port 1700, type = Cisco CoA; Port 3799, type = RFC 5176. Example Cisco CoA operations: Terminate session; Terminate session with port bounce; Re-authenticate session; Disable host port; Session Query (for active services, for complete identity, service-specific); Activate Service; De-activate Service; Service Query. CoA options are NAD-specific.

119 What is Change of Authorisation (CoA)? The EndPoint needs a new Policy (RFC 3576 & RFC 5176). Disconnect Message (DM), RFC 5176: also known as Packet of Disconnect (PoD) or CoA Session Terminate; terminates user session(s) on a NAS and discards all associated session context. Exchange: Disconnect-Request, Disconnect-ACK/NAK. Change-of-Authorisation (CoA) Messages: also known as Authorise Only or CoA Push; CoA-Request packets contain information for dynamically changing session authorisations. Exchange: CoA-Request, CoA-ACK/NAK.
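The two exchanges on the CoA slides are short RADIUS packets, and the security of the whole mechanism rests on the NAD checking the Request Authenticator before it tears down or changes a session. The following added example (not ISE or any NAD vendor's code) builds Disconnect-Request and CoA-Request packets the way RFC 5176 specifies, and shows the NAD-side handling: verify, look up Acct-Session-Id, ACK or NAK with Error-Cause 503. Packet codes, ports, attribute types and the authenticator rules are from RFC 5176 and RFC 2866; the shared secret, session IDs and session table are constructed.

```python
"""RFC 5176 Disconnect-Request / CoA-Request packets: building them and, on the NAD
side, verifying them before acting.

Added example, not ISE or NAD code. Packet codes, ports and the authenticator
rules come from RFC 5176 (which reuses the RFC 2866 accounting authenticator);
the shared secret, session IDs and session table are constructed.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
RFC5176_PORT, CISCO_COA_PORT = 3799, 1700   # the two CoA port conventions from the slide

USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101   # RADIUS attribute types
ERR_SESSION_CONTEXT_NOT_FOUND = b"\x00\x00\x01\xf7"    # Error-Cause 503, RFC 5176


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS type-length-value attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLV attributes; reject truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """NAD-side check. A request whose authenticator does not match the shared secret
    is silently discarded (RFC 5176), so a spoofed disconnect cannot drop a session."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(request, code, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(request, response, secret):
    """Server-side check that an ACK/NAK really came from the NAD holding the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def nad_handle(packet, secret, sessions):
    """Minimal NAD handler: verify, look up Acct-Session-Id, then terminate (DM) or
    mark for re-authorisation (CoA); NAK with Error-Cause 503 for unknown sessions."""
    if not verify_request(packet, secret):
        return None                                   # silently discard
    code = packet[0]
    attrs = dict(decode_attrs(packet[20:]))
    sid = attrs.get(ACCT_SESSION_ID, b"").decode(errors="replace")
    if sid not in sessions:
        nak = DISCONNECT_NAK if code == DISCONNECT_REQUEST else COA_NAK
        return build_response(packet, nak, [(ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND)], secret)
    if code == DISCONNECT_REQUEST:
        del sessions[sid]                             # tear down and discard session context
        return build_response(packet, DISCONNECT_ACK, [], secret)
    sessions[sid] = "reauthorise"                     # CoA push: apply the new authorisation
    return build_response(packet, COA_ACK, [], secret)
```

The authenticator is keyed only by the shared secret, which is why CoA traffic should be restricted to the ISE PSN addresses on the NAD and why a weak or widely shared secret turns CoA into a denial-of-service surface for every session on that NAD.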

120 My 3rd-Party NAD does not support CoA ReAuth/CoA Push? ISE 2.0 can perform CoA Stitching: 1. Web Auth: enter credentials. 2. PSN: CWA success. 3. CoA Terminate. 4. Session 001 Accounting Stop; hold the session open for 20 seconds. 5. New Auth Request (Session 002). 6. Matching request received < 20 sec; return the policy for the employee user (Full Access / Employee Access).
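The stitching sequence above is a small state machine keyed on the endpoint and a hold timer. As an added example (not ISE code), this models it so the 20-second window and its failure mode are explicit: a matching request inside the window inherits the policy earned by the web auth, a late or unknown request falls back to the portal redirect, and the held result is consumed once. The six steps and the 20-second hold are from the slide; the endpoint table keyed by MAC and the timestamps are constructed.

```python
"""CoA stitching: what ISE 2.0 does for a NAD that cannot re-authenticate a session
after Central Web Authentication.

Added example, not ISE code. The six steps and the 20-second hold come from the
slide; the endpoint table keyed by MAC and all timestamps are constructed.
"""

HOLD_SECONDS = 20


class CoAStitcher:
    def __init__(self, hold_seconds=HOLD_SECONDS):
        self.hold = hold_seconds
        self.pending = {}   # mac -> {"policy": earned policy, "since": time held from}

    def on_cwa_success(self, mac, session_id, policy, now):
        """Steps 1-3: web auth succeeded, but the NAD supports neither CoA ReAuth nor
        CoA Push, so the only usable CoA is Terminate. Remember the policy earned."""
        self.pending[mac] = {"policy": policy, "since": now}
        return ("CoA-Terminate", session_id)

    def on_accounting_stop(self, mac, now):
        """Step 4: the NAD reports the old session gone; hold its result for HOLD_SECONDS."""
        if mac in self.pending:
            self.pending[mac]["since"] = now

    def on_auth_request(self, mac, now, default_policy="CWA-Redirect"):
        """Steps 5-6: a fresh request from the same endpoint inside the window gets the
        policy earned by the web auth; anything later starts over at the portal."""
        entry = self.pending.pop(mac, None)   # consumed on first use, matched or not
        if entry is None:
            return default_policy
        if now - entry["since"] < self.hold:
            return entry["policy"]
        return default_policy


if __name__ == "__main__":
    s = CoAStitcher()
    print(s.on_cwa_success("00:11:22:33:44:55", "001", "Employee Access", now=100))
    s.on_accounting_stop("00:11:22:33:44:55", now=101)
    print(s.on_auth_request("00:11:22:33:44:55", now=110))   # inside the 20 s window
```

Keying on the MAC means the window is also the exposure: an endpoint that spoofs the just-terminated MAC within those 20 seconds would inherit the policy, which is one reason the hold is kept short and why this path is only used for NADs with no real CoA support.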

121 3rd-Party NADs Supported Features (features vary by vendor, platform and version!). AAA: 802.1X (since 1.0), MAB (since 1.2), LWA to local portal (since 1.0), CoA. Profiling (with CoA). Guest: Hotspot, Central Web Authentication (CWA), Sponsored guest flow, Self-Registration guest flow, ISE-hosted portals. Posture. BYOD: Device registration, Supplicant Provisioning, Certificate Provisioning, Self-Service device management (MyDevices), Single/Dual SSID. TrustSec: Dynamic SGT and SXP Listener.

122 Wait, There's More!!! MAB and 3rd-Party; 3rd-Party RADIUS Dictionary; ISE 2.0 Smart Configuration: NAD Profiles, Smart Conditions, Authorisation Profiles, Authorisation Policy.

123 Adding 3rd-Party NADs: Network Access Device Configuration (Administration > Network Resource > Network Devices). Be sure to set the Device Profile correctly!! Enter Network Device Type and Location info to facilitate policy management. Optional: override the default CoA port per NAD.

124 Current Vendor Test Results Vendor Verified Series Tested Model / Firmware Supported / Validated use cases CoA Profiler Posture Guest /BYOD Aruba Wireless 7000, InstantAP 7005-US/ Motorola Wireless RFS 4000 Wing v5.5 HP Wireless 830 (H3C) 8P/3507P35 HP Wired HP Wired HP 5500 HI Switch Series (H3C) HP 3800 Switch Series (ProCurve) A G-4SFP HI/ G-POE-2SFP (J9573A) KA Brocade Wired ICX / aT7f3 Ruckus Wireless ZD build 205 Additional 3rd-party NAD Support: requires identification of device properties/capabilities and the creation of a custom NAD profile in ISE. A more detailed guide is to be published. Profiler requires CoA support; Posture requires CoA & URL-redirect support; Guest/BYOD requires CoA & URL-redirect support.

125 Location Based Authorisation: Authorise User Access To The Network Based On Their Location. ISE 2.0 UI to configure MSE; MSE 8.0: "I have Location Data" (Campus:Building:Floor:Zone).

126 Enhance Control With Location-based Authorisation With The Integration Of Cisco Mobility Services Engine (MSE). What's new for ISE 2.0? The integration of Cisco Mobility Services Engine (MSE) allows administrators to leverage ISE to authorise network access based on user location. Benefits: Granular control of network access with location-based authorisation for individual users; enhanced policy enforcement with automated location check and reauthorisation; simplified management by configuring authorisation with ISE management tools. Example (Doctor and patient data access locations): the admin defines a location hierarchy (Physical/Logical: Lobby, Lab, Patient room, ER) and grants users specific access rights based on their location: Lobby, no access to patient data; Lab, no access to patient data; Patient room, access to patient data; ER, access to patient data. Capabilities: Enables configuration of a location hierarchy across all location entities; applies MSE location attributes in authorisation policy; checks MSE periodically for location changes (5 mins), one-way communication from ISE to MSE; reauthorises access based on the new location (i.e. if the location changes, apply CoA). Requires a PLUS license in ISE.

127 Q & A

128 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected Friday 11 March at Registration Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.

129 Thank you

130


More information

Symantec VIP Integration with ISE

Symantec VIP Integration with ISE Symantec VIP Integration with ISE Table of Contents Overview... 3 Symantec VIP... 3 Cisco Identity Services Engine (ISE)... 3 Cisco Centralized Web Authentication... 4 VIP in Action... 4 ISE Configuration...

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

Bring Your Own Design: Implemen4ng BYOD Without Going Broke or Crazy. Eric Stresen- Reuter Technical Director Ruckus Wireless

Bring Your Own Design: Implemen4ng BYOD Without Going Broke or Crazy. Eric Stresen- Reuter Technical Director Ruckus Wireless Bring Your Own Design: Implemen4ng BYOD Without Going Broke or Crazy Eric Stresen- Reuter Technical Director Ruckus Wireless Bring Your Own Design SIMPLIFYING BYOD WITH RUCKUS RUCKUS WIRELESS PROPRIETARY

More information

Configuration Guide BES12. Version 12.1

Configuration Guide BES12. Version 12.1 Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...

More information

ClearPass Policy Manager

ClearPass Policy Manager Manager The most comprehensive network access policy enforcement platform for BYOD Key features Unsurpassed multivendor wireless and wired interoperability Built-in guest, profiling, network access control

More information

About the VM-Series Firewall

About the VM-Series Firewall About the VM-Series Firewall Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 http://www.paloaltonetworks.com/contact/contact/

More information

What We Do: Simplify Enterprise Mobility

What We Do: Simplify Enterprise Mobility What We Do: Simplify Enterprise Mobility AirWatch by VMware is the global leader in enterprise-grade mobility solutions across every device, every operating system and every mobile deployment. Our scalable

More information

Introduction to the EIS Guide

Introduction to the EIS Guide Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

More information

Windows Phone 8.1 in the Enterprise

Windows Phone 8.1 in the Enterprise Windows Phone 8.1 in the Enterprise Version 1.4 MobileIron 415 East Middlefield Road Mountain View, CA 94043 USA Tel. +1.650.919.8100 Fax +1.650.919.8006 [email protected] Introduction 3 Why Windows

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

ClearPass Policy Manager

ClearPass Policy Manager ClearPass Policy Manager V2 October 2013 Introduction With the release of ClearPass Policy Manager 6.2.0 in July 2013 we have continued to build on our previous industry leading functionality, now with

More information

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco Secure Access into Industrial Automation and Systems Industry Best Practice and Trends Serhii Konovalov Venkat Pothamsetty Cisco Vendor offers a remote firmware update and PLC programming. Contractor asks

More information

CCNA Security. IINS v2.0 Implementing Cisco IOS Network Security (640-554)

CCNA Security. IINS v2.0 Implementing Cisco IOS Network Security (640-554) CCNA Security Öngereksinimler: CCNA http://www.cliguru.com/ccna Kurs Tanımı: CCNA Security network'ün temellerini anlamış olan katılımcılara network güvenliği hakkında temel bilgi sağlamaya yönelik hazırlanmış

More information

Cisco Certified Security Professional (CCSP)

Cisco Certified Security Professional (CCSP) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Security Professional (CCSP) Program Summary This instructor- led program with a combination

More information

x900 Switch Access Requestor

x900 Switch Access Requestor Network Security Solutions Implementing Network Access Control (NAC) Tested Solution: Protecting your network with Microsoft Network Access Protection (NAP) and Switches Today s networks increasingly require

More information

CT5760 Controller and Catalyst 3850 Switch Configuration Example

CT5760 Controller and Catalyst 3850 Switch Configuration Example CT5760 Controller and Catalyst 3850 Switch Configuration Example Document ID: 116342 Contributed by Antoine KMEID and Serge Yasmine, Cisco TAC Engineers. Aug 13, 2013 Contents Introduction Prerequisites

More information

Network Security Solutions Implementing Network Access Control (NAC)

Network Security Solutions Implementing Network Access Control (NAC) Network Security Solutions Implementing Network Access Control (NAC) Tested Solution: Protecting a network with Sophos NAC Advanced and Switches Sophos NAC Advanced is a sophisticated Network Access Control

More information

NAC Guest. Lab Exercises

NAC Guest. Lab Exercises NAC Guest Lab Exercises November 25 th, 2008 2 Table of Contents Introduction... 3 Logical Topology... 4 Exercise 1 Verify Initial Connectivity... 6 Exercise 2 Provision Contractor VPN Access... 7 Exercise

More information

Manage Log Collection. Panorama Administrator s Guide. Version 7.0

Manage Log Collection. Panorama Administrator s Guide. Version 7.0 Manage Log Collection Panorama Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:[email protected]

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:[email protected] What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

Configuring Infoblox DHCP

Configuring Infoblox DHCP Copyright 2008 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in retrieval system, or transmitted, in any form or by any means electronic, mechanical, photocopying,

More information