Bezpečný přístup ve WLAN

Transcription

1 Cisco Expo 2012 Bezpečný přístup ve WLAN T-SECA5 Jaroslav Čížek, Cisco Cisco Expo 2012 Cisco and/or its affiliates. All rights reserved. 1

2 TrustSec, ISE, SGT, BYOD WLAN (& WIRED) 802.1X with Cisco ISE WLAN (& WIRED) Guest Access with Cisco ISE - Guest Access Needs - Managing and Provisioning Guest Accounts - Guest Portal - Guest Access Deployment - Monitoring Summary Anotace: Zabezpečení přístupu do sítě by mělo být řešeno univerzálně pro LAN i WLAN. Jak lze využít centralizovaných nástrojů ISE pro aplikaci bezpečnostních politik na bezdrátové síti pro trvalé i dočasné přístupy. 2

3 Brief summary of previous sessions 3

4 TrustSec, ISE, SGT, BYOD WLAN (& WIRED) 802.1X with Cisco ISE WLAN (& WIRED) Guest Access with Cisco ISE - Guest Access Needs - Managing and Provisioning Guest Accounts - Guest Portal - Guest Access Deployment - Monitoring Summary Anotace: Zabezpečení přístupu do sítě by mělo být řešeno univerzálně pro LAN i WLAN. Jak lze využít centralizovaných nástrojů ISE pro aplikaci bezpečnostních politik na bezdrátové síti pro trvalé i dočasné přístupy. 4

5 Identifying a User or Endpoint Active Directory, Generic LDAP, PKI User AND/OR Machine EAPoL RADIUS ISE RADIUS, e.g. Safeword Token Server local DB user1 C#2!ç@_E( RSA SecureID User/Password Certificate Token Identity Source Sequences Backend Database 5

6 Port-Based Access Control Using Authentication Layer 2 Point-to-Point Layer 3 Link Supplicant EAP over LAN (EAPoL) Authenticator RADIUS Auth Server ISE / ACS Beginning EAPoL Start EAPoL Request Identity EAP-Response Identity: Alice RADIUS Access Request [AVP: EAP-Response: Alice] Middle EAP-Response: PEAP EAP-Request: PEAP RADIUS Access Request [AVP: EAP-Response: PEAP] RADIUS Access-Challenge [AVP: EAP-Request PEAP] Multiple Challenge- Request Exchanges Possible End EAP Success RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dacl-n] 802.1X (EAPOL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms. When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or PEAP, which defines how the authentication takes place. 6

7 RFC 3576 (obsolete) and 5176 Layer 2 Point-to-Point Layer 3 Link Supplicant EAP over LAN (EAPoL) Authenticator RADIUS Auth Server Initial Authentication EAP Success RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dacl-n] RADIUS CoA-Request Change of Authorization [VSA: subscriber: reauthenticate] RADIUS CoA-Ack EAPoL Request Identity EAP-Response Identity: Alice RADIUS Access Request [AVP: EAP-Response: Alice] Re- Authentication EAP-Response: PEAP EAP-Request: PEAP RADIUS Access-Challenge RADIUS Access Request [AVP: EAP-Response: PEAP] [AVP: EAP-Request PEAP] Multiple Challenge- Request Exchanges Possible 7

8 Configuration 8

9 Default Network Access: Policy > Policy Elements > Results > Authentication 9

10 Policy -> Authorization 10

11 Switch WLC ISE 1.1 Best Practice: Use RADIUS Attributes to Set VLAN (IETF Attributes) Use same IETF attributes to set VLAN for wired and wireless WLC Interfaces/ VLAN Name must match Tunnel-Private-Grp-Id 3560X#sh vlan Case Sensitive on Switch, but not WLC VLAN Name Status default active 2 Engineering active 3 Marketing active... 11

12 Use VSA to Enforce ACL Name on WLC WLC Switch VSA Attribute IETF Attribute ACL Name Must match ACL can be pre-configured or downloaded dynamically ACL must be preconfigured 12

13 Allow ISE to Actively Enforce Policy Over Connected Endpoints aaa server radius dynamic-author client server-key xxxxxxx CoA is triggered dynamically when a scenario is matched : - Endpoint is profiled for the 1 st time. - Endpoint is statically assigned with a new Policy - Endpoint is deleted from ISE DB. CoA 13

14 TrustSec, ISE, SGT, BYOD WLAN (& WIRED) 802.1X with Cisco ISE WLAN (& WIRED) Guest Access with Cisco ISE - Guest Access Needs - Managing and Provisioning Guest Accounts - Guest Portal - Guest Access Deployment - Monitoring Summary Anotace: Zabezpečení přístupu do sítě by mělo být řešeno univerzálně pro LAN i WLAN. Jak lze využít centralizovaných nástrojů ISE pro aplikaci bezpečnostních politik na bezdrátové síti pro trvalé i dočasné přístupy. 14

15 The company needs to provide guest access for visitors, both for the wired and wireless infrastructure. Particular restrictions need to be assigned to guest contractors, with access to specific resources only WLC Wireless APs Guest authentication portal Internet LAN switches 15

16 Redirection of the guest Web session to ISE guest portal for authentication ISE Policy server Access authorized for guest user WLC Open SSID «guest» with Web authentication switches Guest account needs to be created: via a sponsor or self service Guest user 16

17 Internal DB Identity Service Engine Guest DB External DB Database Static entries Bulk import Enabled / disabled Created by sponsors (bulk option) Guest self service Restricted access duration LDAP / AD Managed externally Enabled/disabled 17

18 If Need for Different Policies Based on User Role Guest Internet access only Created by any user Limited connection time: ½ day, one day Contractor Internet access Created by select users Access to selected resources Longer connection time: one week, one month 18

19 Identity Service Engine External Database External groups mapped in ISE Multiple groups can be created in ISE Each group can contain: Guest users (created by Sponsor and Self-service) Internal users (created by Administrators) Mapping example for AD Those groups can be used in different authorization rules to differentiate network access 19

20 Two ways to populate ISE Internal guest DB: Self-Service Option on ISE Guest Portal Sponsoring via ISE Sponsor Portal 20

21 21

22 Customizable sponsor pages Sponsor privileges tied to defined sponsor policy Roles sponsor can create Time profiles can be assigned Management of other guest accounts Single or bulk account creation 22

23 Customizable fields Define if mandatory or optional can add up to 5 other custom attributes Guest roles and time profiles Pre-defined by admin 23

24 Username configuration Created from first & last name or Password configuration Generated automatically Configurable password complexity 24

25 Sponsor Will Have Three Ways to Inform Guest 1. Printing the details 2. Sending the details via 3. Sending the details via SMS 25

26 Sponsor AllAccounts Sponsor OwnAccounts Can create user in groups: contractor and guest Can use time profiles up to one week Can see all accounts in group Can create user in group guest only Can use time profiles up to one day Cannot do bulk creation 26

27 27

28 The sponsor account can be a Local ISE user LDAP user Active Directory user DB checking order can be configured via Identity Source Sequence in ISE In above example we interrogate the ISE DB first and then the AD 28

29 You can map any group: internal, AD, LDAP to a sponsor privilege group All users mapped to that group will log in with similar sponsor privileges as defined in the selected sponsor group Map internal groups to sponsor privilege groups Map internal groups Map AD groups 29

30 30

31 Several Languages are Supported Natively in ISE 1.1 All guest user pages are translated: Authentication page Acceptable usage policy Success/failure page 31

32 Portal allowing users to register their own devices Access can be granted to guest, employees, students 32

33 Multiple portal might be needed based on: Location / country When several organizational entities Type of device: WLC, switches For local language support ISE allows for : Portals customization Simultaneous use of several portals for user authentication Default portal Sample customized portal 33

34 Deployment Considerations Web Authentication is only for users (not devices) Browser required Manual entry of username/password Network equipment must intercept http request and redirect to guest portal for authentication 2 ways to enforce on the network equipment (WLC, switches) Local Web Auth (LWA) Web auth done on the network device (web-auth feature on devices) No CoA support Authorization only with ACLs Central Web Auth (CWA) Web auth configuration pushed centrally CoA support (for posture, profiling, ) Authorization can use VLAN or ACLs 34

35 X Timeout 802.1X Failure MAB Failure Switch / AP-WLC DHCP/DNS ISE Server 1 Open SSID With web auth 2 Port Enabled, ACL Applied 3 Host Acquires IP Address, Triggers Session State 4 Host Opens Browser Login Page Host Sends Password 5 Switch Queries AAA Server AAA Server Returns Policy Server authorizes user 6 Switch Applies New ACL Policy 35

36 LWA requires local configuration on each: Switch Wireless LAN controller WLC Extra method: web authentication No change possible until re-authentication: posture, profiling Central Web Authentication (CWA) with ISE was created by Cisco to improve deployment Switch ISE 36

37 1 Switch configured for 802.1X / MAB only Switch / AP-WLC DHCP/DNS ISE Server 1 Open SSID for guest on WLC 2 First authentication session 3 AuthC success; AuthZ for unknown user returned: Redirect /filteracl, portal URL 4 Host Acquires IP Address, Triggers Session State 5 Host Opens Browser Switch redirects browser to ISE CWA page Host Sends Username/Password Login Page AUP process, if configured 6 Web Auth Success results in CoA 7 MAB re-auth MAC Success Session lookup policy matched Authorization dacl/vlan returned. Server authorizes user 37

38 No extra local method like web authentication VLAN assignment is also supported Centralization and dynamic push of configuration Portal URL Filtering and redirection ACL until guest authentication occurs Support for posture and profiling Catalyst 2960 (LAN Base) & 3560/3750: 12.2(55)SE3 Catalyst 4500 Series : 15.0(2)SG1 Sup 7E: CoA not currently supported Catalyst 6500 Series: 12.2(33)SXI7 Wireless LAN Controller (WLC/WiSM): (CoA on 802.1X SSID only) 7.2 (CoA on Guest SSID) 38

39 Shows guest URL activity when Firewall syslogs sent to ISE 39

40 Send syslogs to ISE M&T UDP port Filter messages ID # : accessed URLs 40

41 ASA to Send HTTP Create Service Policy in ASA to inspect HTTP traffic for guest subnet ISE shows accessed URLs in reports 41

42 TrustSec, ISE, SGT, BYOD WLAN & WIRED 802.1X with Cisco ISE WLAN & WIRED Guest Access with Cisco ISE - Guest Access Needs - Managing and Provisioning Guest Accounts - Guest Portal - Guest Access Deployment - Monitoring Summary Anotace: Zabezpečení přístupu do sítě by mělo být řešeno univerzálně pro LAN i WLAN. Jak lze využít centralizovaných nástrojů ISE pro aplikaci bezpečnostních politik na bezdrátové síti pro trvalé i dočasné přístupy. 42

43 Device Profiling Dynamic Policy Wireless Device State Employees (Company Asset) ISE Full Access VLAN Corporate Machine +/- Corp User Employee (Personal Laptop) Non-Corporate Machine with Employee User Logged In Employee (ipad) Employee User via WPA Authentication + Device = ipad Contractors Contractor Account Guest Laptop/Tablet/Phone WAP WLC W I R E D N E T W O R K Restricted VLAN Web Apps Only + Internet Contractor VLAN Internet Only Guest Account 43

44 Component of Cisco s TrustSec architecture: Wired & Wireless solutions Architecture testing and validation (CVD) Flexible solution Account creation Guest authentication portals, customization Integrated & scalable guest access solution Guest / Posture / Profiling Configuration / Monitoring 44

45 Cisco ISE Cisco TrustSec Cisco TrustSec 2.0 Product Bulletin (supported SW version table) bulletin_c html BYOD nified_access/byodwp.html Wireless 45

46 Twitter Talk2Cisco SMS Zveme Vás na Ptali jste se v sále LEO 2.den 16:30 17:00 46

47 T-SECA5 Prosíme, ohodnoťte tuto přednášku. 47

48