Symantec VIP Integration with ISE

Similar documents
On-boarding and Provisioning with Cisco Identity Services Engine

TrustSec How-To Guide: On-boarding and Provisioning

Cisco TrustSec How-To Guide: Guest Services

WLAN Security: Identifying Client and AP Security

MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

XenMobile Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Cisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks

Cisco ISE 1.2 BYOD Lab Guide

Integrating Cisco ISE with GO!Enterprise MDM Quick Start

Policy Management: The Avenda Approach To An Essential Network Service

Good MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Configure ISE Version 1.4 Posture with Microsoft WSUS

Implementing and Configuring Cisco Identity Services Engine SISE v1.3; 5 Days; Instructor-led

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Developing Network Security Strategies

Security Considerations for DirectAccess Deployments. Whitepaper

Cisco Actualtests Exam Questions & Answers

Palo Alto Networks GlobalProtect VPN configuration for SMS PASSCODE SMS PASSCODE 2015

Introduction to Endpoint Security

Configuration Guide. BES12 Cloud

ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement

VLANs. Application Note

Network Virtualization Network Admission Control Deployment Guide

Swivel Multi-factor Authentication

Two-Factor Authentication

Cisco Secure Access Control Server 4.2 for Windows

ARUBA WIRELESS AND CLEARPASS 6 INTEGRATION GUIDE. Technical Note

A Guide to New Features in Propalms OneGate 4.0

Contextual Authentication: A Multi-factor Approach

Entrust IdentityGuard Comprehensive

Cisco TrustSec How-To Guide: Planning and Predeployment Checklists

Top Five Security Must-Haves for Office 365. Frank Cabri, Vice President, Marketing Shan Zhou, Senior Director, Security Engineering

UAG Series. Application Note. Unified Access Gateway. Version 4.00 Edition 1, 04/2014. Copyright 2014 ZyXEL Communications Corporation

NXC5500/2500. Application Note. Captive Portal with QR Code. Version 4.20 Edition 2, 02/2015. Copyright 2015 ZyXEL Communications Corporation

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

Connected Data. Connected Data requirements for SSO

Com.X Router/Firewall Module. Use Cases. White Paper. Version 1.0, 21 May Far South Networks

Deploying Cisco Basic Wireless LANs WDBWL v1.1; 3 days, Instructor-led

Cisco Virtual Office Express

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

UAG4100 Support Notes

Workspot Configuration Guide for the Cisco Adaptive Security Appliance

Getting Started with Clearlogin A Guide for Administrators V1.01

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

Centrify Cloud Connector Deployment Guide

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

Presented by Philippe Bogaerts Senior Field Systems Engineer Securing application delivery in the cloud

Using Entrust certificates with VPN

Portal Administration. Administrator Guide

Flexible Identity Federation

Application Note. Intelligent Application Gateway with SA server using AD password and OTP

Network Access Security It's Broke, Now What? June 15, 2010

Leveraging SAML for Federated Single Sign-on:

DIGIPASS Authentication for Cisco ASA 5500 Series

DIGIPASS Authentication for SonicWALL SSL-VPN

Lab Configuring LEAP/EAP using Local RADIUS Authentication

WiNG5 DESIGN GUIDE By Sriram Venkiteswaran. WiNG5 Wireless Association Filters. How To Guide

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management

CNS Implementing NetScaler 11.0 For App and Desktop Solutions

Cisco Identity Services Engine

Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database

How To Use Cisco Identity Based Networking Services (Ibns)

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Wireless Services. The Top Questions to Help You Choose the Right Wireless Solution for Your Business.

Call Flows for Simple IP Users

pfsense Captive Portal: Part One

Particularities of security design for wireless networks in small and medium business (SMB)

Deploying Virtual Cyberoam Appliance in the Amazon Cloud Version 10

FileCloud Security FAQ

Routing Security Server failure detection and recovery Protocol support Redundancy

Hosting topology SMS PASSCODE 2015

SonicWALL PCI 1.1 Implementation Guide

Implementing PCoIP Proxy as a Security Server/Access Point Alternative

SOSPG2. Implementing Network Access Controls. Nate Isaacson Security Solution Architect

TECHNICAL WHITEPAPER. Author: Tom Kistner, Chief Software Architect. Table of Contents

Authentication Solutions. Versatile And Innovative Authentication Solutions To Secure And Enable Your Business

Achieving PCI-Compliance through Cyberoam

Interlink Networks Secure.XS and Cisco Wireless Deployment Guide

Filtering and Identifying Web Activity by User Name

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

SANS Top 20 Critical Controls for Effective Cyber Defense

Secure Networks for Process Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

Unified Access Point Administrator's Guide

The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

Syslog Server Configuration on Wireless LAN Controllers (WLCs)

WHMCS LUXCLOUD MODULE

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

Case Study - Configuration between NXC2500 and LDAP Server

Transcription:

Symantec VIP Integration with ISE

Table of Contents Overview... 3 Symantec VIP... 3 Cisco Identity Services Engine (ISE)... 3 Cisco Centralized Web Authentication... 4 VIP in Action... 4 ISE Configuration... 5 Administrator Configuration of VIP with ISE... 5 End-User Strong Authentication Login... 11 References... 13 Conclusion... 13

Overview Symantec Validation and ID Protection (VIP) with Intelligent Authentication (IA) is a cloud-based strong authentication service. It is designed to protect networks and applications against unauthorized access. It integrates Cisco s Central Web Authentication (CWA) with Cisco Identity Services Engine (ISE) and Cisco Wireless LAN Controller (WLC). It provides an easy, scalable, and cost-effective method of implementing an additional security layer, without additional investment in hardware or software. This whitepaper provides details of how VIP integrates with Cisco CWA, ISE, and WLC. Symantec VIP Symantec VIP enables enterprises to secure networks and applications and prevent malicious access by unauthorized attackers. VIP is a unified solution, providing two-factor and risk-based credential-less authentication. It relies on open standards that integrate into enterprise applications. Furthermore, VIP uses device and behavior profiling to deliver multi-factor authentication to users, without requiring any hardware or software-based authentication credentials. Key VIP features are: Cloud-based authentication deployment, without hardware or software installation Options for hardware and software credential generation, including free options for mobile devices Device and behavior profiling to deliver strong authentication without requiring hardware or software credentials Integration with enterprise infrastructure, such as RADIUS in either standard or custom configuration with plug-ins Self-service application for end users, including credential activation and synchronization Cisco Identity Services Engine (ISE) The Cisco Identity Services Engine (ISE) is a policy platform that combines multiple services: authentication, authorization, and accounting (AAA), posture, profiling, device on-boarding, and guest management. It allows enterprises to gather contextual information from networks, users, and devices. Administrators can then use the collected data to apply governance decisions across any network infrastructure.

Cisco Centralized Web Authentication Web Authentication allows users to submit their credentials through a web portal and authenticate to the network. Central Web Authentication (CWA) is a process whereby a policy server, such as Cisco ISE, is used to centrally authenticate users. ISE supports the RADIUS protocol and also adds cascading layers of profiling and access controls. i VIP in Action Your user requires access to internal resources using a personal device over the corporate wireless network. The user connects to an open SSID and is authenticated using only his or her user name and password. The wireless network is configured with the appropriate policies and access controls, although this configuration is transparent to users. The user sees a VIP-configured web portal with ISE. Among other benefits, this scenario provides the benefits of ISE, strong device ID, and multi-factor authentication with out-of-band verification.

After the VIP Enterprise Gateway is installed and configured, it connects to ISE over RADIUS to authenticate user name and password. It also connects to the VIP user service to perform additional verification. Additionally, the ISE Guest Portal can be configured with javascript-embedded web pages that are made available from Symantec. ISE Configuration The two sub-sections in this section provide high-level overviews of administrator configuration and end-user login. Administrator Configuration of VIP with ISE 1) Configure ISE with Enterprise Gateway a) In the ISE Admin Portal, navigate to Administration Identity Management External Identity Sources RADIUS Token to create a new radius token identity source. (In this example it is symcegvip.) b) Navigate to Administration Identity Management Identity Source Sequence to create a new identity source sequence (e.g. issegvip); in the authentication search list select the identity name you created. c) Define the authentication and authorization policies on ISE. Sample policies are shown here.

Authentication Policy Enabled Name Condition Protocols Identity Source Options MAB IF Wired_MAB OR Wireless_MAB Dot1X IF Wired_802.1X OR Wireless_802.1X allow protocols allow protocols HostLookup and use Internal Endpoints Reject Continue Drop PEAPoTLS and use DOT1X_Sequence Reject Reject Drop Default Rule allow Default and use DenyAccess Reject (if no match) protocols Network Reject Access Drop Authorization Policy Status Rule Name Identity Groups Other Conditions Permissions Wireless Black List Default Profiled Cisco IP Phones ISE Blacklist Wireless_Access Blackhole_Wireless _Access Cisco-IP-Phone - Cisco_ IP_Phones Guest Flow Any Wireless_MAB AND Network Access:Use Case EQUALS Guest Flow WLC-FullAccess Wireless MAB Any Wireless_MAB WLC-cwaEgVIP Default no matches DenyAccess d) Set up the authorization profiles in WLC as shown in these examples. Authorization Profiles WLC-FullAccess Access Type = ACCESS_ACCEPT Airespace-ACL-Name = WLC-ACL_PERMIT-ALL-TRAFFIC

WLC-cwaEgVIP Access Type = ACCESS_ACCEPT Web Authentication Centralized ACL WLC-ACL_ISE-RESTRICTED Redirect Manual waegvip 2) Upload Custom Web Portal to ISE. Upload the Symantec pages with javascript to Cisco ISE. Navigate to Administration Web Portal Management Settings Guest Multi-Portal Configurations to create a custom default portal, as shown in the example. Name: waegvip Portal Type: Custom Default Portal (Upload files) Operations: AUP not used and un-check all the check boxes File Uploads style.css login-symc-egvip.html

logo.png error.html success-google.refresh.html pagebg.jpg File Mapping Login file Login-symc-egvip.html AUP file aup.html Guest Success File success-google-refresh.html Error page file error.html For authentication, select check box both and also identity store sequence to be issegvip. 3) Configure ISE in WLC. a) Define the Access Control List in WLC to connect to the VIP User Service and the DMZ listener of the IDP proxy, as shown in this example.

Note: Actions in Sequential Lines 5 and 6 allow endpoints to reach the VIP cloud service and Actions in Sequential Lines 7 and 8 are for the DMZ listener of the IDP proxy. b) Define general access to permit all traffic, as shown in this example. c) Implement security by enabling radius authentication for authentication and accounting for ISE. AAA -> RADIUS -> Authentication: Add ISE and enable RFC 3576

AAA -> RADIUS -> Accounting: Add ISE

d) Configure the WLAN in this manner: Profile Name: demo-mab SSID: demo-mab Security -> Layer 2: None with MAC Filtering checked Security -> Layer 3: None AAA Servers: select ISE as both the authentication server and the accounting server Advanced Allow AAA Override NAC State Radius NAC Enable this WLAN End-User Strong Authentication Login 1) The end user connects to the SSID.

2) After getting connected to the SSID, when the user tries to access a resource or web page, the VIPenabled login page for CWA appears. 3) If it is the first time the user logs in from a specific device, then after entering the credentials, the user must pass a challenge by entering a security code. 4) If all credentials, including the security code, are valid, the user gains access to requested resource or web page. For detailed information regarding VIP integration, please refer to the VIP Integration Guide on VIP Manager.

References http://www.cisco.com/en/us/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_40_webauthentication_dg.pdf http://www.cisco.com/en/us/products/ps11640/products_configuration_example09186a0080ba6514.shtml http://www.cisco.com/en/us/products/ps11640/products_configuration_example09186a0080bead09.shtml Conclusion The integration of Symantec VIP and Identity Services Engine balances usability and security without altering the user s authentication experience. i - http://www.cisco.com/en/us/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_40_webauthentication_dg.pdf

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information