Designing Unified Guest Access, Wired and Wireless BRKEWN-2016
- Emory Shelton
- 8 years ago
Slide 2: Designing Unified Guest Access, Wired and Wireless (BRKEWN-2016)

Slide 3: Agenda
- Overview: Guest Access as a Supplementary User Authentication
- Wireless Guest Access Control & Path Isolation
- Wired Guest Access Control & Path Isolation
- Guest Authentication Portal
- Guest Provisioning
- Monitoring & Reporting

Slide 4: Guest Access Overview
Slide 5: Evolution of Network Access
- Age of the Borderless Network: access is decided on Health, Location, Time, Access Method...
- Mobile Workers, Personal Devices, VPN, Hotspot
[Diagram: branch and campus networks reaching Internal Resources and the Internet, with employees (Sales, Finance) on managed desktops, printers (Payroll, Sales), security systems, an IP camera, a game console, a contractor, guest and employee wireless, and VPN users]
Slide 6: Context-Based Access (Who = User Identity)
- Known/Managed Users (long-term). Examples: Employees/Staff, Faculty/Students, Extended Access Partners/Contractors. Primary auth methods: 802.1X or agent-based. Considerations: identity stores, EAP types and supplicant.
- Unknown/Unmanaged Users (temporary or infrequent access). Examples: Guests, Visitors, Short-term Partners/Contractors. Primary auth method: Web authentication. Considerations: web redirection and authentication portals, guest provisioning and identity stores.
Slide 7: Corporate vs Guests
[Diagram: Employee (1) EAP authentication over CAPWAP to ISE, (2) Accept with VLAN 30, reaching Corporate Resources on VLAN 30; Guest Device (3) Web Auth, (4) Accept with GUEST ACL, reaching the Internet on VLAN 50 over an 802.1Q trunk]
- Users with corporate devices and their AD user ID can be assigned to the Employee VLAN
- Guests authenticate via Web Auth and are assigned a GUEST-ACL on the Guest VLAN
Slide 8: Requirements for Secure Guest Access (Technical, Usability, Monitoring)
- No access until authorized
- Guest traffic should be segregated from the internal network
- Web-based authentication
- Full auditing of location, MAC, IP address, username
- Overlay onto the existing enterprise network
- Bandwidth and QoS management
- No laptop reconfiguration, no client software required; plug & play
- Splash screens and web content can differ by location
- Easy administration by non-IT staff
- Guest network must be free or cost-effective and non-disruptive
- Mandatory acceptance of a disclaimer or Acceptable Use Policy (AUP) before access is granted
- Logging and monitoring
- Must not require guest desktop software or configuration
Slide 9: Guest Access Components
[Diagram: Guest with customizable login page and credentials; sponsored guest access with flexible guest policies; NAC Guest Server providing centralized web page management, centralized accounting and parity for wired/wireless; ACS 5.1 with 802.1X/MAB compatibility, flexible access policies and integrated access authentication; Employee credentials from the enterprise directory / existing credential stores]

Slide 10: Wireless Guest Access Control & Path Isolation
Slide 11: Access Control, End-to-End Wireless Traffic Isolation
- The fact: traffic isolation achieved via LWAPP/CAPWAP is valid from the AP to the WLAN Controller
- The challenge: how to provide end-to-end wireless guest traffic isolation, allowing Internet access but preventing any other communication?
[Diagram: LWAPP/CAPWAP APs tunneling to the controller]

Slide 12: Path Isolation, Why Do We Need It for Guest Access?
- Extend logical traffic isolation end-to-end over the L3 network domain
- Separate and differentiate guest traffic from corporate internal traffic (security policies, QoS, bandwidth, etc.)
- Securely transport guest traffic across the internal network infrastructure to the DMZ
Slide 13: Guest Access Control, Cisco WLAN Controller Deployments
- The LWAPP/CAPWAP tunnel is a Layer 2 tunnel (it encapsulates the original Ethernet frame)
- The same LWAPP/CAPWAP tunnel carries data traffic of different SSIDs
- Control and data traffic are tunneled to the controller via LWAPP/CAPWAP: data uses UDP 12222/5247, control uses UDP 12223/5246
- Data traffic is bridged by the WLAN controller onto a unique VLAN corresponding to each SSID
- Traffic isolation provided by VLANs is valid up to the switch where the controller is connected
- LWAPP: Lightweight Access Point Protocol; CAPWAP: Control And Provisioning of Wireless Access Points
[Diagram: APs with Guest and Employee SSIDs tunneling over LWAPP/CAPWAP through the campus core to a WiSM/WLAN controller and the wireless VLANs]
Slide 14: Solution #1: Path Isolation using EoIP, WLAN Controller Deployments with EoIP Tunnel
- Up to 71 EoIP tunnels logically segment and transport guest traffic between remote and anchor controllers
- Other traffic (employee, for example) is still locally bridged at the remote controller on the corresponding VLAN
- No need to define the guest VLANs on the switches connected to the remote controllers
- The original guest Ethernet frame is maintained across the LWAPP/CAPWAP and EoIP tunnels
- Redundant EoIP tunnels to the anchor WLC
- 2100/2500 series and WLCM models cannot terminate EoIP connections (no anchor role) or support IPsec-encrypted tunnels on the remote WLC
[Diagram: guests on CAPWAP APs to the Wireless LAN Controller, EoIP guest tunnel to the DMZ/anchor wireless controller behind a Cisco ASA firewall, then the Internet]
Slide 15: Guest Network Redundancy Using EoIP
- Pings (data path) functionality: anchor WLC reachability is determined by the foreign WLC sending pings at configurable intervals to see if the anchor WLC is alive
- Once an anchor WLC failure is detected, a DEAUTH is sent to the client; the remote WLC keeps monitoring the anchor WLC
- Under normal conditions a round-robin scheme balances clients between anchor WLCs
[Diagram: foreign controller F1 with primary and redundant EtherIP guest tunnels to anchor controllers A1 and A2 (management interfaces, guest VLAN x/24), secure and guest paths through the campus core and wireless VLANs to the Internet]
Slide 16: Implementing Guest Path Isolation Using WLC, Building the EoIP Tunnel
1. Specify a mobility group for each WLC
2. Open ports for: inter-controller tunneled client data, inter-controller control traffic, the EoIP tunnel protocol, other ports as required
3. Create the Guest VLAN on the anchor controller(s)
4. Create identical WLANs on the remote and anchor controllers
5. Configure the mobility groups and add the MAC address and IP address of the remote WLC
6. Create the mobility anchor for the guest WLAN
7. Modify the timers in the WLCs
8. Check the status of the mobility anchors for the WLAN
Slide 17: Guest Path Isolation, Remote Controller Configuration: anchor and remote WLCs are configured in different mobility groups

Slide 18: Anchor and Remote Controller Configuration: configure the guest WLANs on the remote and anchor controllers; configure the guest VLAN on the anchor WLC

Slide 19: Anchor and Remote Controller Configuration: configure the mobility groups and add the MAC address and IP address of the remote WLCs (anchor and remote views)

Slide 20: Remote Controller Configuration: create the mobility anchor for the guest WLAN on the remote WLCs

Slide 21: Anchor Controller Configuration: create the mobility anchor for the guest WLAN on the anchor WLC

Slide 22: Anchor Controller: modify the timers and DSCP on the anchor WLCs; check the status of the mobility anchors for the WLAN
Slide 23: Guest Path Isolation, Firewall Ports and Protocols
Open ports in both directions for:
- EoIP packets: IP protocol 97
- Mobility UDP port (must be open!)
- Inter-controller CAPWAP (rel 5.0, 6.0, 7.0+) data/control traffic: UDP 5247/5246
- Inter-controller LWAPP (before rel 5.0) data/control traffic: UDP 12222/12223
Do NOT open! Optional management/operational protocols:
- SSH/Telnet: TCP port 22/23
- TFTP: UDP port 69
- NTP: UDP port 123
- SNMP: UDP ports 161 (gets and sets) and 162 (traps)
- HTTPS/HTTP: TCP port 443/80
- Syslog: TCP port 514
- RADIUS Auth/Account: UDP port 1812 and
Slide 24: Solution #2: Guest Path Isolation using VRF, Campus Virtualization
- Virtual Routing/Forwarding (VRF), or VRF-lite, is the L3 virtualization used in Enterprise Campus networks
- Guest isolation is done by dedicated VRF instances
[Diagram: Guest VRF, Employee VRF and Global routing tables on logical or physical L3 interfaces, interconnected via 802.1q, GRE, MPLS/LSP, physical interfaces or others]

Slide 25: Guest Path Isolation using VRF, WLC and VRF Virtualization
- LWAPP/CAPWAP path isolation at the access layer
- L2 path isolation between the WLC and the default gateway
- L3 VRF isolation from the WLC to the firewall guest DMZ interface
[Diagram: guests on CAPWAP to the Wireless LAN Controller on an isolated L2 VLAN, Guest VRF across L3 switches in the corporate access layer and intranet, inside Guest VRF to the Cisco ASA firewall, outside Guest DMZ to the Internet; guest provisioning shown alongside]
Slide 26: Wireless Guest Access Deployment Options Summary
Options compared: (A) Cisco Unified Wireless, no DMZ controller; (B) Cisco Unified Wireless with VRF, no DMZ controller; (C) Cisco Unified Wireless with a DMZ (anchor) controller over EoIP. Each has NCS on the LAN and Internet access.
- Provisioning portal: A Yes, B Yes, C Yes
- User login portal: A Yes, B Yes, C Yes
- Traffic segmentation: A VLANs through the network, B VRF through the network, C Yes (tunnels or VLANs)
- User policy management: A Yes, B Yes, C Yes
- Reporting: A Yes, B Yes, C Yes
- Overall functionality: A Medium, B High, C High
- Overall design complexity: A Medium, B High, C Low

Slide 27: Wired Guest Access Control & Path Isolation
Slide 28: Unified Wired and Wireless Deployment, Wired Guest Access
- Controller software version 4.2 and above provides one unified solution for both wired and wireless guest access
- Allows organizations to leverage existing wireless infrastructure to provide guest access on the LAN
- A universal provisioning interface and captive portal provide ease of guest user provisioning and consistent network access
- Enables common guest user policies for both wired and wireless network access

Slide 29: Guest Access for Wired LAN Overview
- Wireless LAN Controllers version 4.2 and above offer Wired Guest Access
- The wired guest VLAN must be L2 adjacent to the WLC
- The wired guest VLAN can be the fallback VLAN for 802.1X/EAP authentication on the switch
- Supported on WLC-4400, 5500 series, Catalyst 3750 Wireless and Catalyst 6500 with WiSM
[Diagram: wired client on a Layer 2 switch, EtherIP guest tunnel alongside CAPWAP and the wireless VLANs through the campus core to the Internet]
Slide 30: WLC Wired Guest Access with EoIP, Wired Guest Access by Wireless LAN Controllers
- Wired guest ports are provided in a designated location and plugged into an access switch
- The configuration on the access switch puts these ports into the wired guest Layer 2 VLAN
- On a single WLAN controller, the guest VLAN is trunked into the WLC
- In a multi-controller deployment with auto-anchor mode, the guest VLAN is trunked into the foreign controller and then tunneled to the DMZ anchor controller
[Diagram: wired and wireless guests on an isolated L2 VLAN to the Wireless LAN Controller, EoIP tunnel to the DMZ/anchor Wireless LAN Controller behind a Cisco ASA firewall, then the Internet; corporate intranet alongside]
Slide 31: Wired Guest Access Deployment Steps
- Create a dynamic interface as Guest LAN; this is the ingress interface
- DHCP server information is not required on the ingress interface
- DHCP server information is required on the egress dynamic interface

Slide 32: Wired Guest Access Configuration: create the wired WLAN as Guest LAN type

Slide 33: Wired Guest Access Configuration, assign the ingress and egress interfaces: the ingress interface is the wired guest LAN; the egress interface can be the management interface or any dynamic interface

Slide 34: Wireless and Wired Guest Configuration: wireless and wired guest WLANs
Slide 35: Wired Guest Access
The wired guest access enforcement point can be delivered in two different locations:
- Web Authentication on Catalyst switches
- Wired Guest Access feature on Wireless LAN Controllers
- Wired Guest Access with NAC server and manager
[Diagram: wired guest with Catalyst or NAC authentication as the enforcement point (802.1X guest VLAN failover, L3 path isolation) versus WLC wired guest on an open guest VLAN (L2 path isolation)]

Slide 36: Wired Guest L3 Path Isolation with VRF
- Access using VLAN isolation
- Web authentication by Catalyst switches
- Wired guest isolation with VRF for L3 isolation
[Diagram: wired guest on an isolated L2 VLAN in the corporate access layer, Guest VRF on L3 switches across the corporate intranet, inside Guest VRF to the Cisco ASA firewall, outside Guest DMZ to the Internet; guest provisioning shown alongside]
Slide 37: WLC Wired Guest Access Deployment Considerations
- Five Guest-LANs for wired guest access are supported
- The admin can create wired guest VLANs on the WLC and associate them with the guest LAN
- Web-auth is the default security on a wired guest LAN, but open and web pass-through can also be used
- No L2 security such as 802.1X is supported
- Multicast and broadcast traffic are dropped on wired guest VLANs to reduce the load on the overall network
- Wired guest access is supported on a single guest WLC or in an anchor/foreign guest WLC scenario

Slide 38: Architecture Summary
- Wireless is the preferred guest access technology because it provides no physical connectivity to the corporate network
- Wired guest access can be delivered by Catalyst switches or the Wireless LAN Controller
- An anchor controller in the DMZ allows full path isolation from the access point to the DMZ
- VRF can be used for L3 guest isolation
- The Cisco ASA firewall provides Internet access security and advanced security features for guest control

Slide 39: Guest Services Portal
Slide 40: When to Use Web-Authentication?
- 802.1X: managed 802.1X devices, known users
- MAB (MAC address bypass): managed devices
- Web Auth: users without 802.1X devices, users with bad credentials
- Web Auth is a supplementary authentication method, most useful when users can't perform or pass 802.1X
- Primary use case: guest access; secondary use case: employee who fails 802.1X
[Diagram: employee with SSC authenticating via 802.1X; employee with bad credential and guest falling back to Web Auth]

Slide 41: Guest Authentication Portal
The wireless & wired guest authentication portal is available in 4 modes:
- Internal (default web authentication pages)
- Customized (downloaded customized web pages)
- External using ISE Guest Server
- External (redirected to an external server)
Slide 42: Wireless Guest Authentication Portal, Internal Web Portal
- The wireless guest user associates to the guest SSID and initiates a browser connection to any website
- The web login page is displayed: fixed welcome text and login credentials

Slide 43: Wireless Guest Authentication Portal, Customizable Web Portal
- Create your own guest access portal web pages
- Upload the customized web page to the WLC
- Configure the WLC to use the customizable web portal
- A customized WebAuth bundle up to 5 MB in size can contain 22 login pages (16 WLANs, 5 wired LANs and 1 global), 22 login failure pages (WLC 5.0 and up) and 22 login success pages (WLC 5.0 and up)

Slide 44: Wireless Guest Authentication Portal, External Web Portal
- Set in WLC > Security > WebAuth > Login, or override at the guest WLAN
- Option to use a pre-auth ACL
Slide 45: Wired Guest Authentication Portal, Catalyst Switches Internal Web Portal
- Wired auth-proxy banner: configurable welcome text from the IOS configuration, followed by the login credentials
    (config)#ip admission auth-proxy-banner http ^C Here is what the auth-proxy-banner looks like ^C

Slide 46: Wired Guest Authentication Portal, Catalyst Switches Customizable Web Portal
- Configurable HTML pages on bootflash: 4 pages (login, success, expired, failure), 8 KB max each
- Images must be embedded or external
- Completely customizable
    (config)#ip admission proxy http login expired page file bootflash:expired.html
    (config)#ip admission proxy http login page file bootflash:login.html
    (config)#ip admission proxy http success page file bootflash:success.html
    (config)#ip admission proxy http failure page file bootflash:fail.html
Slide 47: Centralized Wireless & Wired Guest Portal, ISE Guest Server
- Multi-function standalone/distributed appliance
- Customizable multi-portal hosting
- Sponsored guest access: provisioning, verification, management

Slide 48: Wireless Guest Centralized Login Page
1) The administrator creates the WLAN login page on ISE
2) The wireless guest opens a web browser
3) Web traffic is intercepted by the Wireless LAN Controller and redirected to the Guest Server
4) The Guest Server returns the centralized login page
[Diagram: AP, WLC performing the redirect, ISE]

Slide 49: Wired Guest Looks Exactly the Same as Wireless
1) The administrator creates the wired login page on ISE
2) The wired guest opens a web browser
3) Web traffic is intercepted by the switch and redirected to the Guest Server
4) The Guest Server returns the centralized login page
[Diagram: switch performing the redirect, ISE]

Slide 50: Authentication and Authorization Still Local
1) The administrator creates the wired login page on ISE
2) The wired guest opens a web browser
3) Web traffic is intercepted by the switch and redirected to the Guest Server
4) The Guest Server returns the centralized login page
5) The guest submits credentials to the switch (POST to switch: username, password)
6) The switch authenticates the credentials and controls access
[Diagram: switch handling authentication and access control, ISE serving the page]

Slide 51: Guest Services Provisioning
Slide 52: Requirements for Guest Provisioning
- Might be performed by a non-IT user
- Must deliver basic features, but might also require advanced features: duration, start/end time, bulk provisioning, ...
- Provisioning strategies: lobby ambassador, employees

Slide 53: Multiple Guest Provisioning Services
The Cisco Guest Access Solution supports several provisioning tools, with different feature richness:
- Basic provisioning: Cisco Wireless LAN Controller (included in the Cisco Wireless LAN Solution)
- Advanced provisioning: Cisco Prime Network Control System and Cisco Identity Services Engine (additional Cisco products)
- Customized provisioning: dedicated provisioning customer server (customer development)

Slide 54: Guest Provisioning Service: WLC (Cisco Wireless LAN Controller)
- Lobby Ambassador accounts can be created directly on Wireless LAN Controllers
- Lobby Ambassadors have limited guest features and must create the user directly on the WLC: create guest users (up to 2048 entries), set a time limitation (up to 35 weeks), set the guest SSID, set the QoS profile
Slide 55: Guest Provisioning Service, Create the Lobby Admin in WLC: the lobby administrator can be created directly in the WLC

Slide 56: Local WLC Guest Management: create a guest with time and WLAN profile; the password is created quickly; guest web login
Slide 57: Guest Provisioning Service: NCS (Cisco Prime Network Control System)
- NCS offers specific Lobby Ambassador access for guest management only
- Lobby Ambassador accounts can be created directly on NCS, or be defined on external RADIUS/TACACS+ servers
- Lobby Ambassadors on NCS can create guest accounts with advanced features such as: start/end time and date, duration, bulk provisioning, QoS profiles, access based on WLC, access points or location

Slide 58: Guest Provisioning Service, Lobby Ambassador Feature in NCS: associate the lobby admin with profile- and location-specific information

Slide 59: Guest Provisioning Service, Add a Guest User with NCS

Slide 60: Guest Provisioning Service, Print/Details of Guest User

Slide 61: Guest Provisioning Service, Schedule a Guest User

Slide 62: Cisco TrustSec Guest Services
Slide 63: Context Awareness: ISE Guest Management
ISE Guest Service for managing guests (guest policy, web authentication, wireless or wired access, Internet-only access for guests):
- Provision: guest accounts via the Sponsor Portal
- Manage: sponsor privileges, guest accounts and policies, guest portal
- Notify: guests of account details by print, email or SMS
- Report: on all aspects of guest accounts
Slide 64: Cisco ISE Guest Server, ISE Configuration
1. The IT administrator configures ISE: sponsor or lobby admin access rights; add the WLC in ISE; configure security/policy rules
2. The IT admin configures the WLC to use Cisco ISE: define the guest SSID; associate ISE as RADIUS server
[Diagram: IT admin (network/solution management), guest (visitor, contractor, customer), lobby ambassador and employee sponsor on the corporate network; ISE Guest Server with lobby ambassador portal, guest account database and monitoring & reporting; Wireless LAN Controller as policy enforcement point with the guest web portal; Internet]

Slide 65: ISE Sponsored Guests, Sponsor Portal
- Customizable web portal for sponsors as well
- Authenticate sponsors with corporate credentials: local database, Active Directory, LDAP, RADIUS, Kerberos

Slide 66: Guest Portal Localization
- Several languages are supported natively in ISE 1.1
- All guest user pages are translated: authentication page, acceptable use policy, success/failure page
Slide 67: Cisco ISE Guest Server, Guest User Creation
1. The sponsor (lobby ambassador or employee) creates the guest account through the dedicated ISE server
2. Credentials are delivered to the guest by print, email or SMS
3. The guest authenticates on the guest portal
4. RADIUS request from the WLC to the Cisco ISE server
5. RADIUS response with policies (session timeout, ...)
6. RADIUS accounting with session information (time, login, IP, MAC, ...)
7. Traffic can go through
[Diagram: guest (visitor, contractor, customer), Wireless LAN Controller (policy enforcement, guest web portal), ISE Guest Server (lobby ambassador portal, guest account database, monitoring & reporting) on the corporate network, with the numbered RADIUS request/accounting flows and the Internet]
Slide 68: ISE Sponsored Guest
1. The guest is redirected (URL-REDIRECT) to the ISE guest portal when the browser is launched
2. The guest enters the credentials created by the sponsor
3. The account is verified at the ISE decision point against the guest user identity store

Slide 69: ISE Self-Registration
4. The guest is redirected again to log in with the auto-generated username/password
5. The guest is provisioned with an authorization policy for web access only
6. The account is monitored via the time profile settings
Slide 70: ISE Guest User Portal Settings
Guest portals define what guest users are allowed to do:
- Guests can change their password
- Guests change their password at first login
- Guests can be allowed to download the posture client
- Guests can do self-service
- Guests can be allowed to do device registration

Slide 71: Cisco ISE Guest Server, Sponsor Authentication: local account/AD; assign a user/group to Sponsor; integrate with Active Directory; order priority sequence AD > Internal

Slide 72: Cisco ISE Guest Server, Guest Portal Customization: multi-portal policies, username policy, password policy, localization, time profiles

Slide 73: Cisco ISE Guest Server, Sponsor Portal

Slide 74: Cisco ISE Guest Server, Sponsor Guest Account Creation: create/view/modify guest accounts; personal settings; tools to manage guest accounts (email/print/SMS)
Slide 75: Web Authentication
- Something must intercept browser requests to provide a captive portal and/or redirection to a local or remote web auth portal
- Access devices/gateways: wired switch, wireless controller
- Inline security devices/appliances: dedicated NAC appliance, firewalls, web security gateways
- ISE provides: a centralized and customizable web authentication portal; both employee and guest auth supported; tunable username and password policies; print, email and SMS guest notifications

Slide 76: Web Auth and Guest Access, Wireless Considerations
- WLC 7.0 supports LWA; 7.2 adds CWA support
- ISE Guest Services requires account activation; the initial web auth must be against the ISE guest portal (LWA or CWA). As a result:
- ISE must be the web auth portal for LWA; there is no support for hosting the guest portal on the WLC
- For anchor controller deployments, a pinhole is required through the DMZ firewall back to the ISE PSN on tcp/8443 from the guest IP address pool
Slide 77: Web Auth and Guest Access, LWA vs CWA
- CWA piggybacks on the MAB authentication policy rule. Configure: If User Not Found = Continue (default: Reject)
- Reject: if the MAC address lookup fails, reject the request and send an Access-Reject
- Continue: if the MAC address lookup returns no result, continue the process and move on to authorization
Slide 78: URL Redirection Example: TCP Traffic Flow for Login Page
1. The user opens a browser: TCP port 80 SYN from the host toward the requested destination
2. SYN-ACK: the access switch responds with the source IP of the requested destination; the host completes the handshake with ACK
3. HTTP GET from the host
4. The switch answers with a redirect to the HTTP login page
5. Username and password are sent to the login page (HTTP GET)
[Diagram: host on the access VLAN exchanging the above with the access switch]
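The slide above shows the redirect at the packet level. The following added example (not code from the deck, nor from any Cisco product) shows the HTTP half of that exchange: given the guest's intercepted GET, an interceptor builds the 302 that sends the browser to the login page and carries the originally requested URL along so the guest can be returned to it after authentication. The portal URL, parameter name `redirect` and the captured request are constructed assumptions; the interceptor's layer-3 spoofing of the destination address is outside what this code models.

```python
"""Added example: build the captive-portal 302 for an intercepted HTTP GET.
The login page URL and the sample request are constructed, not taken from
the deck; the 'redirect' query parameter name is an assumption."""
from urllib.parse import urlencode

LOGIN_PAGE = "https://portal.example.net/login.html"   # constructed portal URL


def parse_request(raw: bytes):
    """Parse request line and headers of an HTTP/1.x request.
    Returns (method, target, version, headers) with lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def original_url(target: str, headers: dict) -> str:
    """Rebuild the URL the guest asked for. Proxy-style absolute targets are
    used as-is; otherwise Host + path. The Host value is a client-controlled
    string, so it is only ever placed inside a percent-encoded query value."""
    if target.startswith("http://") or target.startswith("https://"):
        return target
    return f"http://{headers['host']}{target}"


def build_redirect(raw: bytes, login_page: str = LOGIN_PAGE) -> bytes:
    """Answer the intercepted GET with a 302 to the portal. Anything that is
    not a GET carrying a Host header gets a 400, since there is no page to
    return the guest to afterwards."""
    try:
        method, target, _version, headers = parse_request(raw)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    if method != "GET" or "host" not in headers:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    # urlencode percent-encodes the original URL, so no '&', '"' or CR/LF from
    # the client can reach the Location header or the HTML body unescaped.
    location = f"{login_page}?{urlencode({'redirect': original_url(target, headers)})}"
    body = (f'<html><body>Redirecting to <a href="{location}">login</a>'
            f"</body></html>").encode()
    head = (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\n"
            f"Cache-Control: no-store\r\nConnection: close\r\n\r\n")
    return head.encode() + body


def location_of(response: bytes) -> str:
    """Extract the Location header from a response built above (for checks)."""
    for line in response.split(b"\r\n\r\n", 1)[0].split(b"\r\n"):
        if line.lower().startswith(b"location:"):
            return line.split(b":", 1)[1].strip().decode()
    return ""


if __name__ == "__main__":
    # Constructed capture of a guest's first request.
    request = (b"GET /news/index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: guest-browser\r\n\r\n")
    print(build_redirect(request).decode())
```

`Cache-Control: no-store` and `Connection: close` matter in practice: a cached 302 would keep sending the guest to the portal after authentication, and closing the spoofed connection avoids the browser reusing it for a later request to the real destination.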
Slide 79: URL Redirection, Central Web Auth, Client Provisioning, Posture
- Redirect URL: for CWA, client provisioning and posture, the URL value is returned as a Cisco AV-pair RADIUS attribute. Ex: cisco:cisco-av-pair=url-redirect=
- Redirect ACL: access devices must be locally configured with an ACL that specifies the traffic to be permitted (= redirected) or denied (= bypass redirection). The ACL value is returned as a named ACL on the NAD. Ex: cisco:cisco-av-pair=url-redirect-acl=acl-posture-redirect. ACL entries define traffic subject to redirection (permit) and traffic that bypasses redirection (deny)
- Port ACL: the ACL applied to the port (default ACL, dACL, named ACL) that defines the traffic allowed through the port prior to redirection

Slide 80: Guest Access with Anchor Controller
- The firewall must allow tcp/8443 from the guest IP pool to the ISE PSN
[Diagram: Cisco Wireless LAN Controller, DMZ WLAN anchor controller, ISE Policy Services]

Slide 81: FlexConnect and External WebAuth
- ISE for external webauth with FlexConnect central authentication and local switching
- The guest client is provided with a URL/ACL permitting access to ISE
- The client does webauth with ISE
- The guest moves to local switching
[Diagram: branch over the WAN; RADIUS auth, URL/ACL, webauth and VLAN assignment]
Slide 82: Wireless 802.1X Configuration, URL Redirect ACL (simple): permit ping and DNS anywhere, and IP to ISE; optionally include access to remediation servers

Slide 83: Wireless 802.1X Configuration, URL Redirect ACL (detailed): permit ping anywhere, DNS to the name server, and TCP/8443 (optionally TCP/8080), TCP/8905 and UDP/8905 to ISE

Slide 84: Common URLs for Redirection
- URL redirect for Central Web Auth: Cisco:cisco-av-pair=url-redirect=
- URL redirect for client provisioning and posture: Cisco:cisco-av-pair=url-redirect=
- URL redirect ACL: Cisco:cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT
- LWA URL for the default ISE guest portal:
- LWA URL for a custom ISE guest portal:
- CWA URL redirect for a custom ISE guest portal: Cisco:cisco-av-pair=url-redirect= =SessionIdValue&action=cwa
Slide 85: Guest Monitoring, Reporting and Troubleshooting

Slide 86: Live Guest Verification, ISE: the Monitor > Operations > Authentications window shows all authentications including guests; identity and authorization can be found for guests

Slide 87: Guest Monitoring, NCS: the Monitor > Clients and Users window shows all authentications including guests; identity and authorization can be found for guests

Slide 88: Guest Monitoring, ISE: the Monitor > Operations > Authentications window shows all authentications including guests; identity and authorization can be found for guests
Slide 89: Aggregation of Guest Information
ISE aggregates guest reporting information:
- From the WLC (RADIUS accounting): login, start/stop time, MAC address, source IP address
- From the ASA (syslog): destination IP address/ports, URL logging, ...
[Diagram: wireless guest via the Wireless LAN Controller and the DMZ/anchor Wireless LAN Controller through the Cisco ASA firewall to the Internet; ASA syslog and WLC RADIUS feeding the ISE guest server on the corporate intranet]
ASA configuration shown on the slide:
    ntp server
    policy-map global_policy
     class inspection_default
      inspect http
    !
    service-policy global_policy global
    logging enable
    logging timestamp
    logging list WebLogging message
    logging trap WebLogging
    logging facility 21
    logging host inside
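The slide lists the two sources but not how they are joined. The following added example (not from the deck, and not ISE's own logic) does the correlation a defender actually wants: each ASA connection event is attributed to the guest username whose accounting session owned that source address at that moment, and guest-pool traffic with no live session is flagged. The accounting records, the guest pool 10.10.50.0/24 and the syslog lines are constructed sample data; the lines follow the shape of ASA message 302013 ("Built ... TCP connection") with a timestamp prefix, and the parser identifies the guest side as whichever endpoint falls in the pool rather than relying on the inbound/outbound wording.

```python
"""Added example: attribute ASA connection syslog to guest usernames using WLC
RADIUS accounting sessions. All data below is constructed sample input."""
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

GUEST_POOL = ip_network("10.10.50.0/24")   # constructed guest address pool


@dataclass
class Session:
    user: str
    mac: str
    ip: str
    start: datetime
    stop: Optional[datetime]   # None while the session is still open


# Constructed accounting data, as parsed from RADIUS Acct-Start/Acct-Stop
# (User-Name, Calling-Station-Id, Framed-IP-Address, timestamps). Note the
# address is reused by a second guest later in the day.
SESSIONS = [
    Session("visitor01", "00:11:22:33:44:55", "10.10.50.23",
            datetime(2013, 2, 10, 9, 0, 0), datetime(2013, 2, 10, 9, 30, 0)),
    Session("visitor02", "66:77:88:99:aa:bb", "10.10.50.23",
            datetime(2013, 2, 10, 10, 0, 0), None),
]

# Constructed ASA lines in the shape of %ASA-6-302013.
SYSLOG = """\
Feb 10 2013 09:15:02 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.10.50.23/51234 (192.0.2.1/51234)
Feb 10 2013 09:45:10 %ASA-6-302013: Built outbound TCP connection 4720 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.10.50.23/51300 (192.0.2.1/51300)
Feb 10 2013 10:05:00 %ASA-6-302013: Built outbound TCP connection 4801 for outside:203.0.113.9/22 (203.0.113.9/22) to inside:10.10.50.23/51400 (192.0.2.1/51400)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) %ASA-6-302013: Built \w+ TCP connection \d+ "
    r"for \w+:(?P<a>[\d.]+)/(?P<ap>\d+) \([^)]*\) to \w+:(?P<b>[\d.]+)/(?P<bp>\d+)")


def parse_connection(line):
    """Return (timestamp, guest_ip, peer_ip, peer_port), or None if the line is
    not a 302013 event or neither endpoint is in the guest pool."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    ends = [(m["a"], int(m["ap"])), (m["b"], int(m["bp"]))]
    for i, (addr, _) in enumerate(ends):
        if ip_address(addr) in GUEST_POOL:
            peer_ip, peer_port = ends[1 - i]
            return ts, addr, peer_ip, peer_port
    return None


def session_for(ip, ts, sessions=SESSIONS):
    """Accounting session that owned `ip` at time `ts`, or None."""
    for s in sessions:
        if s.ip == ip and s.start <= ts and (s.stop is None or ts <= s.stop):
            return s
    return None


def attribute(syslog=SYSLOG, sessions=SESSIONS):
    """Group connections by guest username. 'UNATTRIBUTED' collects traffic from
    a guest-pool address with no live accounting session, which is the case a
    defender should look at first (stale session, missing accounting, or a
    device on the guest VLAN that never authenticated)."""
    report = {}
    for line in syslog.splitlines():
        parsed = parse_connection(line)
        if parsed is None:
            continue
        ts, guest_ip, peer_ip, peer_port = parsed
        s = session_for(guest_ip, ts, sessions)
        key = f"{s.user} ({s.mac})" if s else "UNATTRIBUTED"
        report.setdefault(key, []).append((ts.isoformat(), guest_ip, peer_ip, peer_port))
    return report


if __name__ == "__main__":
    for who, conns in attribute().items():
        print(who)
        for conn in conns:
            print("   ", *conn)
```

The 09:45 event lands in UNATTRIBUTED because visitor01's session stopped at 09:30 and visitor02's had not started; joining on address alone would have blamed one of them. Accounting start/stop times and the address reuse inherent in a guest pool are why the time window, not just the IP, has to be part of the join.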
Slide 90: Guest Activity Reporting, ISE: guest reports, drill down to guest detail

Slide 91: Guest Activity Reporting, NCS: customized profile and scheduling, variable reporting periods

Slide 92: Cisco TrustSec Guest Posture
Slide 93: Posture Assessment Leveraging the NAC Agent
- Additional information is learned through posture. Posture = the state of compliance with the company's security policy: Is the system running the current Windows patches? Anti-virus installed and up to date? Anti-spyware installed and up to date?
- Now the user/system identity can be extended to include the posture status
- What can be checked? AV/AS, registry, files, application/process, Windows updates, WSUS and more
- If not compliant: auto-remediation, alert, download file
- NAC Agent (persistent) and Web Agent (temporal) are supported

Slide 94: ISE Posture Policies (wired, VPN and wireless; employees, contractors/guests)
- Employee policy: Microsoft patches updated; McAfee AV installed, running and current; corporate asset checks; enterprise application running
- Contractor policy: any AV installed, running and current
- Guest policy: accept the AUP (no posture, Internet only)
Slide 95: LWA with Posture
- Supported in open authentication; LWA web-auth supports L3 authentication
- The WLC serves the login web page and sends the username/password to ISE; client posture is supported
Flow: the guest associates to the guest WLAN (authenticated, posture unknown) and is redirected to the ISE web portal; the client connects to ISE with action URL = WLC login and the original URL; the WLC login page is shown; username/password go to ISE; login success and redirect page; ISE determines whether the Web Agent is necessary; Web Agent download, posture validation and remediation if necessary; CoA policy push and ACL get; posture compliant

Slide 96: CWA with Posture
- Open authentication, with ISE performing CWA
- Web-auth happens on ISE, which serves the login page and verifies the client credentials; client posture is supported
Flow: the guest associates to the guest WLAN (authenticated, posture unknown) and is redirected to the ISE web portal; the client connects to the ISE login with the original URL; the ISE login page is shown; ISE verifies the username/password; login success and redirect page; ISE determines whether the Web Agent is necessary; Web Agent download, posture validation and remediation if necessary; CoA policy push and ACL get; posture compliant
Slide 97: Sample Redirect ACL for CWA (deny = bypass redirection, permit = redirect)
2k/3k/4k example:
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny udp any eq bootpc any eq bootps
     deny udp any any eq domain
     deny tcp any host <PSN1> eq 8443
     permit ip any any
6k example:
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny ip any host <PSN1>
     permit ip any any
Slide 98: Sample ACLs for CWA Redirection
Port ACL / dACL:
    ip access-list extended ACL-DEFAULT
     permit udp any eq bootpc any eq bootps
     permit udp any any eq domain
     permit tcp any any eq http
     permit tcp any any eq https
     permit tcp any host <PSN1> eq 8080
     permit tcp any host <PSN1> eq 8443
     permit tcp any host <PSN1> eq www
     (deny ip any any)
Redirect ACL:
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny udp any eq bootpc any eq bootps
     deny udp any any eq domain
     deny tcp any host <PSN1> eq 8080
     deny tcp any host <PSN1> eq 8443
     permit ip any any
[Diagram: example client flows (DHCP, DNS, SSH, FTP, HTTP and HTTPS to x.x.x.x) with HTTP and HTTPS answered by a 302 redirect]

Slide 99: Sample ACLs for Posture Redirection
Port ACL / dACL:
    ip access-list extended ACL-DEFAULT
     permit udp any eq bootpc any eq bootps
     permit udp any any eq domain
     permit tcp any any eq http
     permit tcp any any eq https
     permit udp any host <PSN1> eq 8905
     permit tcp any host <PSN1> eq 8080
     permit tcp any host <PSN1> eq 8443
     permit tcp any host <PSN1> eq 8905
     permit tcp any host <PSN1> eq www
     (deny ip any any)
Redirect ACL:
    ip access-list extended ACL-POSTURE-REDIRECT
     deny udp any eq bootpc any eq bootps
     deny udp any any eq domain
     deny udp any host <PSN1> eq 8905
     deny tcp any host <PSN1> eq 8080
     deny tcp any host <PSN1> eq 8443
     deny tcp any host <PSN1> eq 8905
     deny tcp any host <PSN1> eq www
     permit ip any any
[Diagram: example client flows (DHCP, DNS, SSH, FTP, HTTP and HTTPS to x.x.x.x) with HTTP and HTTPS answered by a 302 redirect, plus TCP/8443, TCP/8905 and UDP/8905 to the PSN]
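Reading the two ACLs together is where mistakes happen: the port ACL decides what is forwarded at all, and only then does the redirect ACL decide what is intercepted. The following added example (not from the deck, not Cisco code) serves both the URL redirection slide (permit = redirect, deny = bypass) and the sample ACLs above: it parses the ACE syntax used in those samples, applies IOS first-match semantics with the implicit deny, and reports drop / redirect / bypass for a few constructed guest flows. The PSN address 192.0.2.10 and the guest address are constructed stand-ins for the `<PSN1>` placeholder.

```python
"""Added example (not from the Cisco Live deck): evaluate the two-ACL
redirection model from the sample CWA ACLs.
  port ACL / dACL : permit = forward, deny = drop (IOS implicit deny at the end)
  redirect ACL    : permit = redirect to ISE, deny = bypass redirection
The ACL text and the PSN address 192.0.2.10 are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear in the deck's ACLs.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "http": 80, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]     # None = any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")


def _port(tokens):
    """Consume an optional 'eq <port|keyword>'; return (port or None, remaining)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse the ACE lines of one 'ip access-list extended' block."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!", "remark"):
            continue                        # header, comment or blank line
        action, proto, *rest = tokens
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _matches(ace, proto, src, sport, dst, dport):
    return ((ace.proto == "ip" or ace.proto == proto)
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst
            and (ace.src_port is None or ace.src_port == sport)
            and (ace.dst_port is None or ace.dst_port == dport))


def first_match(aces, proto, src, sport, dst, dport):
    """Action of the first matching ACE; IOS denies anything no ACE matches."""
    for ace in aces:
        if _matches(ace, proto, src, sport, dst, dport):
            return ace.action
    return "deny"


def decide(port_acl, redirect_acl, proto, src, sport, dst, dport):
    """Port ACL first (deny = drop); the redirect ACL then decides whether the
    forwarded flow is intercepted ('redirect') or passed through ('bypass')."""
    flow = (proto, src, sport, dst, dport)
    if first_match(port_acl, *flow) == "deny":
        return "drop"
    return "redirect" if first_match(redirect_acl, *flow) == "permit" else "bypass"


# Constructed ACLs in the shape of the slide's ACL-DEFAULT / ACL-WEBAUTH-REDIRECT.
PORT_ACL = parse_acl("""
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq http
 permit tcp any any eq https
 permit tcp any host 192.0.2.10 eq 8080
 permit tcp any host 192.0.2.10 eq 8443
""")
REDIRECT_ACL = parse_acl("""
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny tcp any host 192.0.2.10 eq 8080
 deny tcp any host 192.0.2.10 eq 8443
 permit ip any any
""")

if __name__ == "__main__":
    guest = "10.10.50.23"                                   # constructed guest address
    for flow in [("udp", guest, 68, "255.255.255.255", 67),  # DHCP
                 ("udp", guest, 53000, "198.51.100.53", 53), # DNS
                 ("tcp", guest, 51234, "203.0.113.5", 80),   # HTTP to the Internet
                 ("tcp", guest, 51235, "192.0.2.10", 8443),  # HTTPS to the ISE PSN
                 ("tcp", guest, 51236, "203.0.113.5", 22)]:  # SSH to the Internet
        print(flow, "->", decide(PORT_ACL, REDIRECT_ACL, *flow))
```

Two checks this makes visible: SSH is dropped by the port ACL before the redirect ACL is ever consulted (the "allowed through the port prior to redirection" wording on the URL redirection slide), and the PSN's tcp/8443 is permitted by the port ACL but denied in the redirect ACL, which is exactly what lets the portal itself load instead of being redirected in a loop.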
Slide 100: Troubleshooting Redirection
- Verify the IOS code release and feature set!
- # show authentication session interface <int>
  - Does the IP address display? Verify the device tracking table entry.
  - Is the session ID matching?
  - Is the dACL downloaded, if applicable?
  - Is the redirect ACL applied? If so, verify its contents on the local switch
- # show ip access-list interface <int>
  - Is the access list properly applied to the client IP address per the above? If not: verify that the endpoint has an IP address; verify the dACL contents in ISE (ISE may show the dACL authorization applied, but the switch rejects it if there is ANY syntax error)
- Access switch without SVIs for local access VLANs (common L2 case):
  - Is there a route from the management VLAN to the client VLAN?
  - Is the firewall dropping redirects sourced from the management VLAN?
  - Are dACLs disappearing? If so, does the host respond to the switch's ARP probes? Switch(config-if)# ip device tracking probe use-svi
- Related defects: CSCtn27420, CSCtl94012, CSCtr
101 Troubleshooting Redirection Separate Voice Authorization 3k-access(config-if)# do sh ip access-list int gi0/1 permit ip host any permit udp host any eq domain permit tcp host host eq 8443 permit tcp host any eq www permit tcp host any eq 443 permit tcp host host eq 8905 permit udp host host eq 8905 permit tcp host host eq www 101
102 ISE Integrated Troubleshooting: Audit Network Device Configuration

Are my switchports properly configured to support 802.1X, MAB, and Web Authentication per Cisco best practices?
Is my switch properly configured to support AAA and other ISE services, including Posture, Profiling, and Logging?
102
103 Summary
104 From Wireless Guest Access Sponsored Guest Guest Wireless LAN Controller Network Control System 104
105 to Unified Wired & Wireless Guest Access Sponsored Guest ISE Guest Server Guest Parity for Wired / WLAN 105
106 What We Have Covered

What Guest Access Services are made of.
The need for a secured infrastructure to support isolated Guest traffic.
Unified Wireless is a key component of this infrastructure.
The Guest Service components are integrated in the Cisco Wired and Wireless Solution.
Guest Access is one of the User Access Policies available to Control and Protect the enterprise Borderless Network.
Cisco TrustSec enhances Guest Services overall.
106
107 BRKEWN-2016 Recommended Reading 107
108 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit 108
109 Final Thoughts Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042 Come see demos of many key solutions and products in the main Cisco booth 2924 Visit after the event for updated PDFs, on-demand session videos, networking, and more! Follow Cisco Live! using social media: Facebook: Twitter: LinkedIn Group: 109