Secure Access in WLAN


Cisco Expo 2012: Secure Access in WLAN (T-SECA5). Jaroslav Čížek, Cisco. Cisco and/or its affiliates. All rights reserved.

Agenda:
- TrustSec, ISE, SGT, BYOD
- WLAN (& wired) 802.1X with Cisco ISE
- WLAN (& wired) Guest Access with Cisco ISE
  - Guest access needs
  - Managing and provisioning guest accounts
  - Guest portal
  - Guest access deployment
  - Monitoring
- Summary

Abstract: Network access security should be handled uniformly for LAN and WLAN. This session shows how the centralized tools in ISE can be used to apply security policy on the wireless network for both permanent and temporary (guest) access.

Brief summary of previous sessions

WLAN (& wired) 802.1X with Cisco ISE

Identifying a User or Endpoint (diagram). The user and/or machine authenticates over EAPoL to the authenticator, which relays the exchange over RADIUS to ISE. The credential can be a username/password, a certificate, or a token (e.g. a SafeWord token server or RSA SecurID). ISE validates it against a backend database: its local DB, Active Directory, generic LDAP, or PKI, queried in the order defined by Identity Source Sequences.

Port-Based Access Control Using Authentication (802.1X message flow)

Supplicant <- EAP over LAN (EAPoL), Layer 2 point-to-point -> Authenticator <- RADIUS, Layer 3 link -> Auth Server (ISE / ACS)

Beginning:
  Supplicant -> Authenticator: EAPoL-Start
  Authenticator -> Supplicant: EAP-Request Identity
  Supplicant -> Authenticator: EAP-Response Identity: Alice
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle (multiple challenge/request exchanges possible):
  Auth Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Authenticator -> Supplicant: EAP-Request: PEAP
  Supplicant -> Authenticator: EAP-Response: PEAP
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
End:
  Auth Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dacl-n]
  Authenticator -> Supplicant: EAP Success

802.1X (EAPoL) is only a delivery mechanism; it does not itself provide an authentication method. When deploying 802.1X you must choose an EAP type, such as EAP-TLS (Transport Layer Security) or PEAP, which defines how the authentication actually takes place.

Change of Authorization: RFC 3576 (obsolete) and RFC 5176

Initial authentication ends with:
  Auth Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dacl-n]
  Authenticator -> Supplicant: EAP Success
Change of Authorization:
  Auth Server -> Authenticator: RADIUS CoA-Request [VSA: subscriber: reauthenticate]
  Authenticator -> Auth Server: RADIUS CoA-Ack
Re-authentication (multiple challenge/request exchanges possible):
  Authenticator -> Supplicant: EAPoL Request Identity
  Supplicant -> Authenticator: EAP-Response Identity: Alice
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
  Auth Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Authenticator -> Supplicant: EAP-Request: PEAP
  Supplicant -> Authenticator: EAP-Response: PEAP
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]

Configuration

Default Network Access: Policy > Policy Elements > Results > Authentication

Policy > Authorization

ISE 1.1 best practice: use RADIUS attributes to set the VLAN (IETF attributes)
- Use the same IETF attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) to set the VLAN for wired and wireless.
- The switch VLAN name or the WLC interface/VLAN name must match the value of Tunnel-Private-Group-Id.
- The match is case-sensitive on the switch, but not on the WLC.

  3560X#sh vlan
  VLAN Name                Status
  ---- ------------------- ---------
  1    default             active
  2    Engineering         active
  3    Marketing           active
  ...
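The attribute trio above, encoded and decoded as an added example that is not part of the original deck: it builds the RFC 2868 tagged attributes ISE returns for VLAN assignment, parses them as a NAS would, and models the name lookup that is case-sensitive on a switch but not on a WLC. The VLAN tables are constructed stand-ins for `show vlan` and the WLC's dynamic interfaces; treating a WLC lookup as name-only is an assumption of the model.

```python
"""Added example, not from the deck: the RFC 2868 attributes ISE returns for
dynamic VLAN assignment, a NAS-side decoder, and the name lookup that is
case-sensitive on a switch but not on a WLC. Tables below are constructed."""
import struct
from typing import Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value for IEEE-802


def tagged_avp(attr_type: int, value: bytes, tag: int = 1) -> bytes:
    """Type, Length, Tag, Value (RFC 2868 tagged attribute)."""
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, len(body) + 2) + body


def vlan_assignment_attrs(vlan: str, tag: int = 1) -> bytes:
    """The attribute trio sent in the Access-Accept for wired and wireless alike.
    Tunnel-Type and Tunnel-Medium-Type carry a 3-octet integer after the tag."""
    return (tagged_avp(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:], tag)
            + tagged_avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:], tag)
            + tagged_avp(TUNNEL_PRIVATE_GROUP_ID, vlan.encode(), tag))


def parse_attrs(data: bytes):
    """Yield (type, tag, value); a first octet of 0x00..0x1F on a Tunnel-* attribute is a tag."""
    i = 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed RADIUS attribute")
        body = data[i + 2:i + ln]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and body and body[0] <= 0x1F:
            yield t, body[0], body[1:]
        else:
            yield t, 0, body
        i += ln


def extract_vlan(data: bytes) -> Optional[str]:
    """Accept the group ID only when the trio with the same tag says VLAN over IEEE-802."""
    by_tag = {}
    for t, tag, val in parse_attrs(data):
        by_tag.setdefault(tag, {})[t] = val
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == b"\x00\x00\x0d"
                and attrs.get(TUNNEL_MEDIUM_TYPE) == b"\x00\x00\x06"
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None


# Constructed stand-ins for `show vlan` on the switch and the WLC's dynamic interfaces
SWITCH_VLANS = {"default": 1, "Engineering": 2, "Marketing": 3}
WLC_INTERFACES = {"engineering": 2, "marketing": 3}


def resolve_on_switch(group_id: str) -> Optional[int]:
    """A switch accepts a VLAN ID or an exact (case-sensitive) VLAN name."""
    if group_id.isdigit():
        vid = int(group_id)
        return vid if vid in SWITCH_VLANS.values() else None
    return SWITCH_VLANS.get(group_id)


def resolve_on_wlc(group_id: str) -> Optional[int]:
    """The WLC matches the interface name without regard to case (name-only in this model)."""
    lookup = {name.lower(): vid for name, vid in WLC_INTERFACES.items()}
    return lookup.get(group_id.lower())


if __name__ == "__main__":
    for sent in ("engineering", "Engineering", "2"):
        got = extract_vlan(vlan_assignment_attrs(sent))
        print(sent, "-> switch:", resolve_on_switch(got), "wlc:", resolve_on_wlc(got))
```

Sending "engineering" in lower case works on the WLC and silently fails on the switch, which is exactly the mismatch the slide warns about; a lone Tunnel-Private-Group-Id without the other two attributes is ignored by the decoder, as a NAS would ignore it.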

Use a VSA to enforce the ACL name on the WLC
- WLC: VSA attribute (Airespace-ACL-Name). The ACL name must match an ACL that is already configured on the WLC.
- Switch: IETF attribute (Filter-Id). The ACL can be pre-configured on the switch or downloaded dynamically from ISE (dACL).

Allow ISE to actively enforce policy over connected endpoints (CoA)

  aaa server radius dynamic-author
   client 10.100.7.20 server-key xxxxxxx

CoA is triggered dynamically when a scenario is matched:
- the endpoint is profiled for the first time
- the endpoint is statically assigned a new policy
- the endpoint is deleted from the ISE DB
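The CoA exchange from the re-authentication flow above and the `dynamic-author` client line, as an added example that is not part of the original deck: it builds a RADIUS CoA-Request (RFC 5176, code 43) carrying the Cisco-AVPair reauthenticate command and then performs the checks a switch or WLC does before honouring it (known client, authenticator valid under that client's key, session exists). The ISE address and key mirror the slide's config line; the MAC and session ID are made up.

```python
"""Added example, not from the deck: a RADIUS CoA-Request (RFC 5176, code 43)
carrying the Cisco-AVPair reauthenticate command, and the checks a NAS
performs under `aaa server radius dynamic-author` before honouring it.
The ISE address, key, MAC and session ID are constructed."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
VENDOR_SPECIFIC, CALLING_STATION_ID, ACCT_SESSION_ID = 26, 31, 44
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ERR_SESSION_CONTEXT_NOT_FOUND = 503   # Error-Cause value (RFC 5176)


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26): Vendor-Id 9, then Vendor-Type 1 / Vendor-Length / string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret),
    the Accounting-Request rule of RFC 2866 that RFC 5176 reuses."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def reauthenticate_request(secret: bytes, identifier: int, mac: str, session_id: str) -> bytes:
    """What the slide shows as [VSA: subscriber: reauthenticate], keyed to one session."""
    attrs = (avp(CALLING_STATION_ID, mac.encode())
             + avp(ACCT_SESSION_ID, session_id.encode())
             + cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair("subscriber:reauthenticate-type=last"))
    return build_coa_request(secret, identifier, attrs)


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator under the shared key; RFC 5176 says
    a packet whose authenticator does not verify is silently discarded."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes):
    """Yield (type, value) for each attribute after the 20-byte header."""
    body, i = packet[20:], 0
    while i < len(body):
        t, ln = body[i], body[i + 1]
        if ln < 2 or i + ln > len(body):
            raise ValueError("malformed RADIUS attribute")
        yield t, body[i + 2:i + ln]
        i += ln


def parse_avpairs(packet: bytes) -> list:
    """Return the Cisco-AVPair strings (the commands the NAS will act on)."""
    out = []
    for t, val in parse_attrs(packet):
        if t == VENDOR_SPECIFIC and val[:4] == struct.pack("!I", CISCO_VENDOR_ID) and val[4] == CISCO_AVPAIR:
            out.append(val[6:4 + val[5]].decode())
    return out


def nas_handle_coa(packet: bytes, src_ip: str, clients: dict, active_sessions: set):
    """Model of the dynamic-author client list on a switch/WLC: the sender must be a
    configured client and the authenticator must verify under that client's key
    (otherwise the packet is silently dropped and None is returned); the session
    named in the request must exist, or a CoA-NAK with Error-Cause 503 goes back."""
    secret = clients.get(src_ip)
    if secret is None or not verify_request(packet, secret):
        return None
    session = next((v.decode() for t, v in parse_attrs(packet) if t == ACCT_SESSION_ID), None)
    if session not in active_sessions:
        return (COA_NAK, ERR_SESSION_CONTEXT_NOT_FOUND)
    return (COA_ACK, None)


if __name__ == "__main__":
    key = b"xxxxxxx"                                  # the server-key from the slide's config line
    pkt = reauthenticate_request(key, 7, "00-11-22-33-44-55", "0A64071400000012")
    clients = {"10.100.7.20": key}                    # client 10.100.7.20 server-key xxxxxxx
    print(parse_avpairs(pkt))
    print(nas_handle_coa(pkt, "10.100.7.20", clients, {"0A64071400000012"}))
    print(nas_handle_coa(pkt[:-1] + b"\x00", "10.100.7.20", clients, {"0A64071400000012"}))
```

The two failure paths matter operationally: a CoA from an ISE node that is not in the `dynamic-author` client list, or signed with a different key, produces no response at all (the NAS drops it), while a CoA for a session the NAS no longer holds is answered with a NAK, so an ISE live log showing "no response" points at the client list or key, not at the session.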

WLAN (& wired) Guest Access with Cisco ISE

Guest access needs: the company needs to provide guest access for visitors on both the wired and the wireless infrastructure. Particular restrictions need to be assigned to guest contractors, who get access to specific resources only. (Diagram: WLC, wireless APs, LAN switches, guest authentication portal, Internet.)

Guest access flow: the WLC offers an open SSID "guest" with web authentication. The guest's web session is redirected to the ISE guest portal for authentication; the guest account must have been created beforehand, either by a sponsor or through self-service. Once the ISE policy server authorizes the guest user, access is granted. (Diagram: guest user, WLC and switches, ISE policy server.)

Identity Services Engine guest databases
- Internal guest DB: static entries; bulk import; accounts can be enabled/disabled; created by sponsors (with a bulk option) or by guest self-service; restricted access duration.
- External DB (LDAP / AD): managed externally; accounts enabled/disabled there.

If different policies are needed based on user role:
- Guest: Internet access only; created by any user; limited connection time (half a day, one day).
- Contractor: Internet access plus access to selected resources; created by select users; longer connection time (one week, one month).

Identity Services Engine with an external database: external groups are mapped in ISE. Multiple groups can be created in ISE, and each group can contain guest users (created by sponsors or via self-service) and internal users (created by administrators). Example: mapping of AD groups. These groups can then be used in different authorization rules to differentiate network access.

Two ways to populate the ISE internal guest DB: the self-service option on the ISE guest portal, and sponsoring via the ISE sponsor portal.

Sponsor portal: customizable sponsor pages; sponsor privileges tied to a defined sponsor policy (roles the sponsor can create, time profiles that can be assigned, management of other guest accounts); single or bulk account creation.

Guest account fields: customizable fields, each defined as mandatory or optional; up to 5 other custom attributes can be added. Guest roles and time profiles are pre-defined by the admin.

Username configuration: created from first and last name, or from the e-mail address. Password configuration: generated automatically, with configurable password complexity.

The sponsor has three ways to inform the guest: 1. printing the details; 2. sending the details via e-mail; 3. sending the details via SMS.

Example sponsor groups:
- Sponsor AllAccounts: can create users in the groups contractor and guest; can use time profiles up to one week; can see all accounts in the group.
- Sponsor OwnAccounts: can create users in the group guest only; can use time profiles up to one day; cannot do bulk creation.

The sponsor account can be a local ISE user, an LDAP user, or an Active Directory user. The order in which the databases are checked is configured via an Identity Source Sequence in ISE; in the example above, the ISE internal DB is queried first and then AD.

Any group (internal, AD, LDAP) can be mapped to a sponsor privilege group. All users mapped to that group log in with the sponsor privileges defined in the selected sponsor group. (Screenshots: mapping internal groups and AD groups to sponsor privilege groups.)

Several languages are supported natively in ISE 1.1. All guest user pages are translated: the authentication page, the acceptable use policy, and the success/failure page.

Self-registration portal: a portal that allows users to register their own devices. Access can be granted to guests, employees, and students.

Multiple portals might be needed based on: location / country; several organizational entities; the type of network device (WLC, switches); local language support. ISE allows for portal customization and the simultaneous use of several portals for user authentication. (Screenshots: default portal and a sample customized portal.)

Deployment considerations
- Web authentication is only for users (not devices): a browser is required and the username/password is entered manually.
- The network equipment must intercept the HTTP request and redirect it to the guest portal for authentication.
- Two ways to enforce this on the network equipment (WLC, switches):
  - Local Web Auth (LWA): web authentication is done on the network device (the web-auth feature on the device); no CoA support; authorization only with ACLs.
  - Central Web Auth (CWA): the web authentication configuration is pushed centrally; CoA support (for posture, profiling, ...); authorization can use VLANs or ACLs.

Local Web Authentication flow (switch / AP-WLC, DHCP/DNS, ISE server):
1. On the switch: 802.1X timeout or 802.1X failure, then MAB failure. On the WLC: open SSID with web auth.
2. Port enabled, ACL applied.
3. Host acquires an IP address, which triggers the session state.
4. Host opens a browser and gets the login page; host sends the password.
5. Switch queries the AAA server; the server authorizes the user and returns the policy.
6. Switch applies the new ACL policy.

LWA requires local configuration on each switch and wireless LAN controller (WLC): an extra authentication method, web authentication. No change of authorization is possible until re-authentication (no posture, no profiling). Central Web Authentication (CWA) with ISE was created by Cisco to improve deployment.

Central Web Authentication flow (switch / AP-WLC, DHCP/DNS, ISE server):
1. Switch configured for 802.1X / MAB only. On the WLC: open SSID for guests.
2. First authentication session (MAB).
3. AuthC succeeds; the AuthZ returned for the unknown user contains a redirect/filter ACL and the portal URL.
4. Host acquires an IP address, which triggers the session state.
5. Host opens a browser; the switch redirects the browser to the ISE CWA page; the host sends its username/password on the login page; AUP process, if configured.
6. Web auth success results in a CoA.
7. MAB re-authentication: MAC success, session lookup, policy matched; the server authorizes the user and returns the authorization (dACL / VLAN).

CWA benefits: no extra local method such as web authentication on the device; VLAN assignment is also supported; centralized and dynamic push of the configuration (portal URL; filtering and redirection ACL until guest authentication occurs); support for posture and profiling.

Minimum software for CWA:
- Catalyst 2960 (LAN Base) & 3560/3750: 12.2(55)SE3
- Catalyst 4500 Series: 15.0(2)SG1 (Sup 7E: CoA not currently supported)
- Catalyst 6500 Series: 12.2(33)SXI7
- Wireless LAN Controller (WLC/WiSM): 7.0.116.0 (CoA on 802.1X SSID only), 7.2 (CoA on guest SSID)
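Step 3 of the CWA flow above (the redirect/filter ACL and portal URL pushed for an unknown endpoint), modelled as an added example that is not part of the original deck: it parses an IOS-style redirect ACL and applies the redirect decision a Catalyst and a WLC derive from it. The Cisco-AVPair values, the ISE host and session ID, the ACL text and the sample flows are constructed; the WLC ACL is written in the same IOS-like syntax only so one parser serves both. The caveat it demonstrates is the inverted semantics: on a Catalyst a permit entry means "intercept and redirect this", on a WLC a permit entry means "let this through without redirect".

```python
"""Added example, not from the deck: the CWA authorization ISE returns for an
unknown MAB endpoint (redirect ACL name and portal URL as Cisco-AVPairs) and
the redirect decision that ACL drives. The ACL text, ISE host, session ID and
flows are constructed; the WLC ACL is written in IOS-like syntax for the model."""
import ipaddress

# Constructed Cisco-AVPairs as ISE would return them in the Access-Accept for an unknown endpoint
CWA_AUTHZ = {
    "url-redirect-acl": "ACL-WEBAUTH-REDIRECT",
    "url-redirect": "https://ise.example.com:8443/guestportal/gateway?sessionId=0A64071400000012&action=cwa",
}
ISE_IP = "10.100.7.20"

# Catalyst: deny = leave alone (DNS, DHCP, ISE itself), permit = intercept and redirect
ACL_WEBAUTH_REDIRECT_IOS = """
deny   udp any any eq domain
deny   udp any any eq bootps
deny   ip any host 10.100.7.20
permit tcp any any eq www
permit tcp any any eq 443
"""
# WLC: permit = pass without redirect; the implicit deny at the end is what gets redirected
ACL_WEBAUTH_REDIRECT_WLC = """
permit udp any any eq domain
permit udp any any eq bootps
permit ip any host 10.100.7.20
"""
PORT_NAMES = {"domain": 53, "bootps": 67, "www": 80}
WEB_PORTS = {80, 443}


def _address(tokens: list) -> ipaddress.IPv4Network:
    """Consume one ACL address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tok_ip(tokens) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)  # hostmask form


def tok_ip(tokens: list) -> str:
    return tokens.pop(0)


def parse_acl(text: str) -> list:
    """Return [(action, proto, src_net, dst_net, dport_or_None)] in ACL order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        rest = tokens[2:]
        src, dst = _address(rest), _address(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append((action, proto, src, dst, dport))
    return aces


def first_match(aces: list, flow: tuple) -> str:
    """Classic first-match ACL evaluation; the implicit deny applies when nothing matches."""
    proto, src, dst, dport = flow
    for action, p, s, d, port in aces:
        if p != "ip" and p != proto:
            continue
        if ipaddress.ip_address(src) not in s or ipaddress.ip_address(dst) not in d:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def decide(platform: str, aces: list, flow: tuple) -> str:
    """'redirect' to the portal, 'pass' (the port ACL/dACL still applies) or 'drop'."""
    matched = first_match(aces, flow)
    if platform == "ios":
        return "redirect" if matched == "permit" else "pass"
    if matched == "permit":
        return "pass"
    return "redirect" if flow[3] in WEB_PORTS else "drop"   # WLC: only web traffic gets a redirect


def portal_exempt(platform: str, aces: list, portal_ip: str) -> bool:
    """Loop check: the portal itself must never be redirected, or the client never logs in."""
    return decide(platform, aces, ("tcp", "10.10.10.50", portal_ip, 8443)) == "pass"


if __name__ == "__main__":
    ios, wlc = parse_acl(ACL_WEBAUTH_REDIRECT_IOS), parse_acl(ACL_WEBAUTH_REDIRECT_WLC)
    web = ("tcp", "10.10.10.50", "198.51.100.10", 80)
    print("Catalyst:", decide("ios", ios, web), "-> Location:", CWA_AUTHZ["url-redirect"])
    print("WLC:", decide("wlc", wlc, web))
    print("IOS ACL text loaded on a WLC:", decide("wlc", ios, web))   # web passes unredirected
```

The last print is the deployment mistake the model is meant to surface: copying the Catalyst ACL onto a WLC lets guest web traffic straight out without ever showing the portal. The `portal_exempt` check is the other common failure, a redirect ACL that also catches the portal's own address and sends the browser into a loop.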

Monitoring: ISE shows guest URL activity when firewall syslogs are sent to ISE.

Send the syslogs to ISE Monitoring & Troubleshooting (M&T) on UDP port 20514, filtered on message ID 304001 (accessed URLs).

To make the ASA send HTTP activity, create a service policy on the ASA that inspects HTTP traffic for the guest subnet. ISE then shows the accessed URLs in its reports.
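The filtering step above, as an added example that is not part of the original deck: a relay-side parser for ASA message 304001 that keeps only the accessed-URL lines, restricts them to the guest subnet, and produces the per-guest view the ISE report gives. The syslog lines are constructed in the documented 304001 shape ("user@source Accessed URL destination:url"); the guest subnet, hostnames and addresses are assumptions.

```python
"""Added example, not from the deck: the relay-side filter and parser for ASA
message 304001 that feeds ISE's guest URL report. The syslog lines below are
constructed in the documented 304001 shape ("user@src Accessed URL dst:url");
the guest subnet and hostnames are assumptions."""
import ipaddress
import re
from collections import Counter

# Constructed sample: two guest hosts, one employee host, one unrelated connection message
SAMPLE_SYSLOG = """\
<165>Jun 12 10:15:02 asa-guest %ASA-5-304001: 10.10.10.50 Accessed URL 198.51.100.10:http://www.example.com/
<165>Jun 12 10:15:03 asa-guest %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.10/80 (198.51.100.10/80) to guest:10.10.10.50/51234 (203.0.113.5/51234)
<165>Jun 12 10:15:09 asa-guest %ASA-5-304001: guest42@10.10.10.51 Accessed URL 198.51.100.22:http://news.example.net/top
<165>Jun 12 10:15:11 asa-guest %ASA-5-304001: 10.20.0.7 Accessed URL 198.51.100.10:http://www.example.com/intranet
<165>Jun 12 10:16:40 asa-guest %ASA-5-304001: 10.10.10.50 Accessed URL 198.51.100.30:http://files.example.org/dl?id=7
"""

MSG_304001 = re.compile(
    r"%ASA-\d-304001:\s+(?:(?P<user>[^@\s]+)@)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+Accessed URL\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<url>\S+)"
)


def parse_304001(line: str):
    """Return {user, src, dst, url} for a 304001 line, None for any other message."""
    m = MSG_304001.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Reject anything that only looks like an address before it reaches the report
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def should_forward(line: str) -> bool:
    """The 'filter on message ID 304001' step: only these lines go to M&T on UDP 20514."""
    return parse_304001(line) is not None


def guest_url_report(syslog_text: str, guest_subnet: str) -> list:
    """Accessed-URL records for sources inside the guest subnet, in arrival order."""
    net = ipaddress.ip_network(guest_subnet)
    report = []
    for line in syslog_text.splitlines():
        rec = parse_304001(line)
        if rec and ipaddress.ip_address(rec["src"]) in net:
            report.append(rec)
    return report


def urls_per_guest(report: list) -> dict:
    """Number of URLs accessed per guest source address (the per-guest view of the report)."""
    return dict(Counter(r["src"] for r in report))


if __name__ == "__main__":
    recs = guest_url_report(SAMPLE_SYSLOG, "10.10.10.0/24")
    for r in recs:
        print(r["src"], r["user"] or "-", r["url"])
    print(urls_per_guest(recs))
```

Filtering on the message ID before forwarding keeps the M&T node from ingesting every connection-build/teardown message the ASA emits; restricting by source subnet is what ties the URL records to guests rather than to the whole inspected interface.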

Summary

Device profiling and dynamic policy (wireless; WAP and WLC into the wired network, ISE deciding the policy):
- Employee (company asset): corporate machine, with or without corporate user -> full access VLAN
- Employee (personal laptop): non-corporate machine with employee user logged in -> restricted VLAN (web apps only + Internet)
- Employee (iPad): employee user via WPA authentication + device = iPad -> restricted VLAN (web apps only + Internet)
- Contractor: contractor account -> contractor VLAN
- Guest (laptop/tablet/phone): guest account -> Internet only

Guest access is a component of Cisco's TrustSec architecture: wired and wireless solutions, with architecture testing and validation (CVD). It is a flexible solution (account creation; guest authentication portals and their customization) and an integrated, scalable guest access solution (guest / posture / profiling; configuration / monitoring).

References:
- Cisco ISE: http://www.cisco.com/go/ise
- Cisco TrustSec: http://www.cisco.com/go/trustsec
- Cisco TrustSec 2.0 Product Bulletin (supported SW version table): http://www.cisco.com/en/us/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-662693.html
- BYOD: http://www.cisco.com/en/us/docs/solutions/enterprise/borderless_networks/unified_access/byodwp.html
- Wireless: http://www.cisco.com/go/wireless

Twitter: www.twitter.com/ciscocz; Talk2Cisco: www.talk2cisco.cz/dotazy; SMS: 721 994 600. You are invited to the "Ptali jste se" (Q&A) session in hall LEO, day 2, 16:30 to 17:00.

T-SECA5: Please rate this session.