K.I.T.T.
Know ISE Through Training
BRKSEC-2059 - Deploying ISE in a Dynamic Environment
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Deploying ISE in a Dynamic Environment
Clark Gambrel, CCIE #18179
Technical Leader, Engineering, Core Software Group
BRKSEC-2059
Abstract
Managing a secure, yet flexible network in today's public access environments can
be very challenging. Public access networks in areas like universities, hospitals
and airports host a broad array of devices, both privately owned and corporately
managed. With the increasing importance of the Internet of Things, the variety of
devices that need to connect to these public networks is rapidly increasing. Cisco
Identity Services Engine (ISE) plays an integral role in controlling the access to
these dynamic public networks. This session will share lessons learned (best
practice) from an ISE escalation engineer in troubleshooting complex customer
environments.
Introduction
Clark Gambrel, CCIE #18179
Technical Leader – Engineering
Core Software Group
cgambrel@cisco.com
@ClarkGambrel
Kentucky
Kentucky is known for…
Cisco ISE Break Out Sessions
BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec
Imran Bashir | Tue 08:00-10:00 AM, Level 3, South Seas F | Wed 1:30-03:30 PM, Level 2, Mandalay Bay E
BRKCOC-2018 Inside Cisco IT: How Cisco Deployed ISE and TrustSec
David Iacobacci, Bassem Khalife | Thu 08:30-10:00 AM, Level 3, South Seas E
Cisco TrustSec Break Out Sessions
BRKSEC-2203 Enabling Software-Defined Segmentation with TrustSec
Fay Lee | Tue 4:00-5:30 PM, Level 2, Mandalay Bay G
BRKCRS-2893 Choice of Segmentation and Group based Policies for Enterprise Networks
Hariprasad Holla | Thu 10:30-12:00 PM, Level 2, Breakers IJ
Agenda
• Introduction
• Public environments, Why are they so challenging?
• Advice – Words to live by in any environment (Best Practice!)
• Education – What we have learned
• Hospitals/Medical – Protecting the heart of your network
• Public Transportation – Tips for the thrifty traveler
• Conclusion
Please ask questions!!!
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Public environments, Why are they so challenging?
• On average each person carries 2.9 devices
• Each year new devices are introduced
• Devices add new technology enhancements, e.g. TLS versions, mini browsers
• Devices are mostly unmanaged
• End users have different levels of knowledge when it comes to configuring their own devices
• Users expect a simple experience, similar to home use
• Lots of configuration parameters on ISE/Wireless Controller; which are correct?
(Images: Kenny Louie under Creative Commons License; Dilbert, 2010)
Advice – Words to live by in any environment (Best Practice)
Inter-Node Communications
Radius Flapping can be a real mess!
• Profiling sync leverages JGroup channels
• All replication outside the node group must traverse the PAN, including ownership changes!
• If the local JGroup fails, then nodes fall back to the global JGroup communication channel.
(Diagram: WLC sending RADIUS to PSN3, PSN5 and PSN6, with two PANs and two MnTs behind them; PSN5 says "I own this MAC address")
• Ok, now Radius flapping occurs.
• This could be due to timeouts at the WLC or due to the "Radius NAC" accounting bug
• This will also happen if a PSN receives profiling information for an endpoint that it doesn't own
(Diagram: same topology; PSN5 says "Ok, PSN3 owns this MAC address", i.e. ownership changes and the change must replicate through the PAN)
Profiling and Data Replication
(Diagram: PAN and MnT; an ownership change triggers global replication)
Impact of Ownership Changes
(Chart: before tuning)
Advice: Timers
WLC: Radius
• Default timer value of 2 seconds is too short
• Use timers appropriate to the environment (tune for your environment)
• Set timers too long and the client might restart its session; retries from the RADIUS server will then be dropped
• Radius flapping can have some major impacts on an ISE deployment
(Image: Superman II, Warner Brothers 1980)
(Screenshots: WLC RADIUS authentication and accounting server timer settings)
• Make sure that Aggressive Failover is disabled in the command line of the WLC. This can have a big impact on ISE and wireless auths in general (with aggressive failover enabled, one client exhausting its retries marks the RADIUS server dead for the whole controller; disabled, the WLC waits for three consecutive clients to fail).
Advice: Timers - WLANs
(Screenshots: WLAN RADIUS settings)
Interim Update
• WLC 7.6: Recommended setting: Disabled
• WLC 8.0: Recommended setting: Enabled with Interval set to 0
  • Behavior: Only send update on IP address change
  • Device Sensor updates not impacted
  • Settings mapped correctly on upgrades
Advice: VM Resources
Reservations
• To be successful (and supported) ISE VMs must be built with dedicated resources that are equivalent to the hardware appliance. Specifications are listed in the ISE 1.3+ and 2.0.1+ Installation Guides.
• In 1.3 we added OVA templates for deploying SNS-3415 and SNS-3495 equivalent hardware. That has been expanded to include the SNS-3515 and SNS-3595 platforms as well.
• It is highly recommended that you use these templates!
• Admin and MnT nodes rely heavily on disk usage (reads/writes).
• Deploying ISE in VMware environments where shared disk storage is utilized may not give like-for-like disk performance when compared to physical appliances.
• Increasing the number of disk shares that a node is allocated can in most cases increase performance of the node.
(Chart and graph: reservations, before & after)
Advice: VM Settings
• Snapshots are not supported!
Advice: Avoid Meltdowns
ISE Settings
• Make sure that you have anomalous client detection and suppression enabled: suppress misbehaving clients as well as repeated successful authentications (Administration > Settings > Protocols > Radius)
• Only use the profiling probes/information that you need. Don't have information overload. Avoid probes that use SPAN. Start with RADIUS only first. Use Device Sensor in the network access device (Administration > Deployment > Profiling)
• Enable the EndPoint Attribute Filter (Administration > Settings > Profiling)
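The two suppression settings above are threshold tests over the RADIUS authentication stream. As an added example (not from the deck, and not ISE's own implementation), here is that detection logic run over a few constructed ISE-style authentication records: one client fails over and over, one re-authenticates successfully far more often than a stable endpoint should, and one behaves normally. The thresholds, the one-minute window and the record format are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RADIUS authentication events (not real ISE records).
# Fields: timestamp, Calling-Station-Id (client MAC), result.
SAMPLE_EVENTS = """
2017-06-27T12:00:00 a4:5e:60:11:22:33 FAIL
2017-06-27T12:00:03 a4:5e:60:11:22:33 FAIL
2017-06-27T12:00:06 a4:5e:60:11:22:33 FAIL
2017-06-27T12:00:09 a4:5e:60:11:22:33 FAIL
2017-06-27T12:00:12 a4:5e:60:11:22:33 FAIL
2017-06-27T12:00:00 00:0c:29:aa:bb:cc PASS
2017-06-27T12:00:02 00:0c:29:aa:bb:cc PASS
2017-06-27T12:00:04 00:0c:29:aa:bb:cc PASS
2017-06-27T12:00:06 00:0c:29:aa:bb:cc PASS
2017-06-27T12:00:08 00:0c:29:aa:bb:cc PASS
2017-06-27T12:00:10 00:0c:29:aa:bb:cc PASS
2017-06-27T12:00:00 3c:15:c2:de:ad:01 PASS
2017-06-27T12:30:00 3c:15:c2:de:ad:01 PASS
"""

def parse_events(text):
    """Parse 'timestamp mac PASS|FAIL' lines into (datetime, mac, passed) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, mac, result = line.split()
        events.append((datetime.fromisoformat(ts), mac.lower(), result == "PASS"))
    return sorted(events)

def find_anomalous_clients(events, window=timedelta(minutes=1), max_failures=3, max_successes=5):
    """Return {mac: reason} for clients that exceed a failure or success count inside any sliding window.

    Thresholds are illustrative assumptions; ISE exposes its own under the RADIUS protocol settings.
    """
    history = defaultdict(list)
    for ts, mac, passed in events:
        history[mac].append((ts, passed))
    flagged = {}
    for mac, hist in history.items():
        for i, (start, _) in enumerate(hist):
            in_window = [passed for t, passed in hist[i:] if t - start <= window]
            failures = in_window.count(False)
            successes = in_window.count(True)
            if failures > max_failures:
                flagged[mac] = "misbehaving client: %d failures in %s" % (failures, window)
                break
            if successes > max_successes:
                flagged[mac] = "repeated successful authentications: %d in %s" % (successes, window)
                break
    return flagged

def suppression_candidates(text):
    """Parse the sample text and return the clients that should be suppressed."""
    return find_anomalous_clients(parse_events(text))

if __name__ == "__main__":
    for mac, reason in suppression_candidates(SAMPLE_EVENTS).items():
        print(mac, "->", reason)
```

The second flag is the one people forget: a client that passes authentication every two seconds is not healthy, it is flapping, and without suppression every one of those successes is a MnT write and a possible profiling ownership change.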
Load Balancing RADIUS
Sample Flow: round-robin without persistence
(Diagram: User device → NAD on VLAN 98 (10.1.98.0/24) → Load Balancer with access VIP 10.1.98.8 → PSN-CLUSTER on VLAN 99 (10.1.99.0/24): ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7. RADIUS Auth and Accounting requests go to 10.1.98.8 and responses come from 10.1.98.8.)
1. NAD has a single RADIUS server defined (10.1.98.8): radius-server host 10.1.98.8
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for the same endpoint load balanced to different PSNs because round-robin (RR) load balancing is used without persistence (sticky)
4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by the LB)
5. RADIUS Accounting sent to/from a different PSN based on RR and no sticky
Sample Flow: with persistence
(Diagram: same topology)
1. NAD has a single RADIUS server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for the same endpoint load balanced to the same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by the LB)
5. RADIUS Accounting sent to/from the same PSN based on sticky
All NADs are not created equal!
(Figure: WLC 8540 vs 2504)
IP vs Calling Station ID Stickiness
(Figure: $$$ cost comparison)
Avoid spraying packets!!!
(Diagram: same topology as above)
Profiling and Data Replication
(Diagram: PAN and MnT; probes DHCP, RADIUS Auth, RADIUS Acctng, NetFlow, NMAP; an ownership change triggers global replication)
Impact of Ownership Changes
After Tuning
(Diagram: owner PSN; Node Group = DC1-group and Node Group = DC2-group; probes DHCP, RADIUS Auth, RADIUS Acctng, NetFlow, NMAP)
Advice: Sizing
802.1x requires authentication for encryption
Endpoint Behavior
• Different endpoints behave differently on a network
• Because of this we need to consider the types of endpoints when sizing deployments
• Mobile (handheld) devices are the most demanding due to wireless/power restrictions
• Based on observations from many deployments, a 1x/2x/5x ratio is a good rule of thumb
(Figure: endpoint types weighted =1x, =2x, =5x)
Mobile devices typically have…
• Less RF output power
• Fewer/smaller antennas
As a result…
• Roam more often (up to 5x)
Advice: Avoid Meltdowns
ISE Settings
• Enable the EndPoint Attribute Filter
• Avoid Radius Flapping
Advice: Bugs!!!
CSCuu68490 - duplicate radius-acct update message sent while roaming
• If "Radius NAC" is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets
• These packets are unique (different RADIUS IDs) but contain the same information (capture: two updates ≈ 47 ms apart, same data, different ID)
• Currently resolved in 8.1.131.0+ and 8.2.100.0+ WLC code versions, and 8.0 MR3+
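Both the load-balancing sample flows above and the CSCuu68490 symptom come down to how a RADIUS packet is read. As an added example (not from the deck, and not any load balancer's or ISE's code), here is a minimal RFC 2865/2866 parser with two consumers built on it: a persistence decision that sticks on Calling-Station-Id (falling back to Framed-IP-Address) versus plain round robin, and a check over a capture that flags Interim-Update pairs with different identifiers but identical attributes arriving within a few milliseconds of each other. The PSN addresses are the ones in the diagram; the client MAC, IP, identifiers and timings are constructed, and the authenticator is zeroed because the packets are never sent.

```python
import hashlib
import struct
from datetime import datetime, timedelta

# RADIUS constants from RFC 2865/2866.
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_INTERIM_UPDATE = struct.pack("!I", 3)

# Real PSN addresses behind the VIP, as in the sample flow above.
PSNS = ["10.1.99.5", "10.1.99.6", "10.1.99.7"]

def build_packet(code, ident, attrs):
    """Encode a minimal RADIUS packet: header, zeroed authenticator (constructed sample, not signed), AVPs."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_packet(data):
    """Decode code, identifier and a {type: value} map of attributes, validating every length field."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs

def persistence_key(attrs):
    """Key the LB should stick on: Calling-Station-Id (client MAC) first, Framed-IP-Address as fallback."""
    if ATTR_CALLING_STATION_ID in attrs:
        return attrs[ATTR_CALLING_STATION_ID].decode().lower().replace("-", ":")
    if ATTR_FRAMED_IP_ADDRESS in attrs:
        return ".".join(str(b) for b in attrs[ATTR_FRAMED_IP_ADDRESS])
    return None

def pick_sticky(attrs):
    """Hash the persistence key so every packet for one endpoint lands on the same PSN."""
    digest = hashlib.sha256(persistence_key(attrs).encode()).digest()
    return PSNS[int.from_bytes(digest[:4], "big") % len(PSNS)]

def distribute(packets, sticky):
    """Return the PSN chosen for each packet: sticky hashing vs. plain round robin."""
    chosen = []
    for i, pkt in enumerate(packets):
        _, _, attrs = parse_packet(pkt)
        chosen.append(pick_sticky(attrs) if sticky else PSNS[i % len(PSNS)])
    return chosen

def find_duplicate_interim_updates(captures, max_gap_ms=100):
    """Flag Interim-Update pairs with different RADIUS IDs but identical attributes arriving within
    max_gap_ms (the CSCuu68490 symptom); returns a list of (earlier_id, later_id)."""
    max_gap = timedelta(milliseconds=max_gap_ms)
    seen, dups = [], []
    for ts, pkt in captures:
        code, ident, attrs = parse_packet(pkt)
        if code != ACCOUNTING_REQUEST or attrs.get(ATTR_ACCT_STATUS_TYPE) != ACCT_INTERIM_UPDATE:
            continue
        for prev_ts, prev_id, prev_attrs in seen:
            if prev_attrs == attrs and prev_id != ident and ts - prev_ts <= max_gap:
                dups.append((prev_id, ident))
        seen.append((ts, ident, attrs))
    return dups

def constructed_sample():
    """One roaming client (constructed data): an Access-Request, then two Interim-Updates 47 ms apart."""
    endpoint = [(ATTR_CALLING_STATION_ID, b"a4-5e-60-11-22-33"), (ATTR_FRAMED_IP_ADDRESS, bytes([10, 1, 50, 7]))]
    acct = endpoint + [(ATTR_ACCT_STATUS_TYPE, ACCT_INTERIM_UPDATE)]
    t0 = datetime(2017, 6, 27, 12, 0, 0)
    return [
        (t0, build_packet(ACCESS_REQUEST, 17, endpoint)),
        (t0 + timedelta(milliseconds=500), build_packet(ACCOUNTING_REQUEST, 18, acct)),
        (t0 + timedelta(milliseconds=547), build_packet(ACCOUNTING_REQUEST, 19, acct)),
    ]

if __name__ == "__main__":
    sample = constructed_sample()
    packets = [pkt for _, pkt in sample]
    print("round robin :", distribute(packets, sticky=False))
    print("sticky      :", distribute(packets, sticky=True))
    print("duplicates  :", find_duplicate_interim_updates(sample))
```

Round robin puts the Access-Request and the two accounting updates for one client on three different PSNs, which is exactly the ownership churn the earlier slides describe; the sticky key keeps all three together. Calling-Station-Id is preferred over the IP because the MAC exists before the client has an address and survives a roam, which is also why Calling-Station-Id persistence tends to be the more expensive load-balancer feature.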
Advice: Bugs
CSCux78389 - Radius Failover should failover both auth/acct server on WLAN
(Diagram: client authentication through one load balancer in front of ISE-PSN-1, ISE-PSN-2 and ISE-PSN-3 for RADIUS Authentication and a second load balancer in front of ISE-PSN-4, ISE-PSN-5 and ISE-PSN-6 for RADIUS Accounting; when the authentication server fails over, the accounting server should fail over with it)
Advice: Bugs
CSCvc52228 - ISE does not delete endpoint mapping in REDIS when endpoint group is deleted from GUI
CSCvc74307 - ISE /var/cache/logwatch temp files are not removed
CSCvc40801 - ISE MnT sluggishness and high I/O when integrated with Prime Infrastructure
CSCva56322 - ISE 2.1 "Internal Server Error" when accessing Workcenters > Identities
Avoid Radius Flapping… USE BEST PRACTICE!!!
Education – What we have learned
Education: High Authentication Latency
eduroam
• eduroam allows users from participating organizations to use their local credentials while visiting other eduroam locations to access the internet.
• eduroam is a "cloud based" Radius proxy. It acts as a federation point between education/research based entities and their Radius servers.
• eduroam's Radius proxy is accessed via the internet.
(Diagram: jsmith@usau.edu authenticating through the eduroam proxy; high latency?)
• Due to the high authentication latency sometimes associated with cloud based radius servers, it may be necessary to adjust your radius timers.
• If using a load balancer, create a separate VIP for eduroam (it can contain the same PSNs)
• If no load balancer, dedicate PSNs for eduroam (or other high latency SSIDs), if possible
Education: Students Converge at Lunch…
High Density
Education: User w/Multiple devices – PEAP Problem
Good reason to use EAP-TLS
• Students carry multiple devices
• PEAP-MSChapV2 as the 802.1X authentication method may cause AD lockouts if the password is not changed on all devices.
• Locked accounts generate help desk calls.
• A single device with an old password may cause repeated AD lockouts
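The help desk question that follows a lockout is "which device?". As an added example (not from the deck, and not ISE's own reporting), here is triage logic over a few constructed ISE-style failed-authentication records: it separates the device still presenting the stale password (the one to fix) from the devices that merely see the locked account. The failure labels, the five-attempt lockout threshold and the record format are assumptions, not ISE's failure-reason codes or an AD policy value.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed failed-authentication records (not real ISE logs). Fields: timestamp, AD user,
# Calling-Station-Id, failure label. The labels are assumed names, not ISE failure-reason codes.
SAMPLE_FAILURES = """
2017-06-27T08:00:01 jsmith a4:5e:60:11:22:33 WRONG_PASSWORD
2017-06-27T08:00:31 jsmith a4:5e:60:11:22:33 WRONG_PASSWORD
2017-06-27T08:01:01 jsmith a4:5e:60:11:22:33 WRONG_PASSWORD
2017-06-27T08:01:31 jsmith a4:5e:60:11:22:33 WRONG_PASSWORD
2017-06-27T08:02:01 jsmith a4:5e:60:11:22:33 WRONG_PASSWORD
2017-06-27T08:02:20 jsmith 3c:15:c2:de:ad:01 ACCOUNT_LOCKED
2017-06-27T08:03:00 jsmith 00:0c:29:aa:bb:cc ACCOUNT_LOCKED
2017-06-27T08:05:00 tnguyen 8c:85:90:01:02:03 WRONG_PASSWORD
"""

def parse_failures(text):
    """Parse 'timestamp user mac label' lines into (datetime, user, mac, label) tuples, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, mac, reason = line.split()
        rows.append((datetime.fromisoformat(ts), user.lower(), mac.lower(), reason))
    return sorted(rows)

def lockout_report(failures, lockout_threshold=5):
    """Per user: devices still presenting a wrong password (the ones to fix), devices that only saw the
    locked account (collateral), and whether one device alone reached the assumed AD lockout threshold."""
    wrong = defaultdict(Counter)
    locked_on = defaultdict(set)
    for _, user, mac, reason in failures:
        if reason == "WRONG_PASSWORD":
            wrong[user][mac] += 1
        elif reason == "ACCOUNT_LOCKED":
            locked_on[user].add(mac)
    report = {}
    for user in set(wrong) | set(locked_on):
        bad = wrong[user]
        report[user] = {
            "bad_password_devices": dict(bad),
            "lockout_sources": sorted(mac for mac, n in bad.items() if n >= lockout_threshold),
            "collateral_devices": sorted(locked_on[user] - set(bad)),
            "locked": bool(locked_on[user]),
        }
    return report

if __name__ == "__main__":
    for user, info in sorted(lockout_report(parse_failures(SAMPLE_FAILURES)).items()):
        print(user, info)
```

In the sample, jsmith's phone (a4:5e:60:11:22:33) is the only device sending a wrong password; the laptop and tablet just report the locked account. Fixing either of those two does nothing, which is why the report names the source separately from the collateral. With EAP-TLS there is no password on the device to go stale in the first place.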
Hospitals/Medical – Protecting the heart of your network
Hospital: Medical Devices
Securing and Profiling
• Most medical devices don't support 802.1X
• To protect patient data, use WPA2-PSK with MAC Filtering and Profiling (Encrypt!)
• Use unique attributes to profile your medical devices
• Typical attributes that work well for medical devices are dhcp-class-identifier, dhcp-parameter-request-list and host-name
Hospital: Beware of Profiling Changes
Causes for change
• OUI information changes and Device Feed Service updates. Example: Zebra Technologies completed its acquisition of Motorola Solutions' Enterprise Business (press release, 2014; ZIH Corp). What this means: the OUIs previously listed under Motorola resolve to Zebra after the feed update, so a profile keyed on the Motorola OUI stops matching. (Screenshots: the endpoint's OUI vendor before and after the acquisition)
• Device OS/firmware updates (www.apple.com)
• Spoofed MAC addresses with new or different profiling attributes
Alternate Policy Match with Alarms
• It is possible to build a fallback policy below your original policy that relies on a static MAC whitelist (no profiling)
(Screenshots: fallback policy and alarm configuration)
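To make the three causes above concrete, here is an added example (not the deck's or ISE's code): a toy profiler that scores an endpoint on its OUI vendor plus the DHCP attributes recommended above, admits it through a static-whitelist fallback when the profile no longer reaches the minimum certainty, and raises an alarm whenever that fallback is the only thing that matched. An OUI feed update that renames the vendor, a firmware update that changes the DHCP fingerprint, and a spoofed whitelisted MAC with foreign attributes all land in the same fallback path with an alarm. The OUI tables, the rule weights, the minimum certainty and the inventory entry are constructed for illustration and are not ISE's values.

```python
# Constructed OUI tables: the same block "before" and "after" an OUI feed update renames the vendor
# (the Motorola Solutions -> Zebra Technologies case above). Addresses and names are illustrative.
OUI_BEFORE = {"00:23:68": "Motorola Solutions", "00:0c:29": "VMware"}
OUI_AFTER = {"00:23:68": "Zebra Technologies", "00:0c:29": "VMware"}

# Static MAC whitelist used by the fallback policy (assumed inventory data).
STATIC_WHITELIST = {"00:23:68:ab:cd:01": "Infusion pump, ward 4"}

# Profiling policy modelled loosely on ISE's certainty-factor scoring; rule weights and the minimum
# certainty are constructed for this example, not ISE's values.
PUMP_POLICY = {
    "name": "Medical-Infusion-Pump",
    "min_certainty": 50,
    "rules": [  # (attribute, expected value, certainty added on match)
        ("oui_vendor", "Motorola Solutions", 20),
        ("dhcp-class-identifier", "MedPump-OS/3.1", 20),
        ("dhcp-parameter-request-list", "1,3,6,15,42", 10),
        ("host-name", "pump-", 10),  # prefix match
    ],
}

# DHCP attributes the pump presents today (constructed).
PUMP_ATTRS = {
    "dhcp-class-identifier": "MedPump-OS/3.1",
    "dhcp-parameter-request-list": "1,3,6,15,42",
    "host-name": "pump-ward4-01",
}

def oui_vendor(mac, oui_table):
    """Vendor name for the first three octets of the MAC, or '' when the OUI is unknown."""
    return oui_table.get(mac.lower()[:8], "")

def certainty(policy, attrs):
    """Sum the weights of every rule the endpoint's attributes satisfy."""
    score = 0
    for key, expected, weight in policy["rules"]:
        value = attrs.get(key, "")
        matched = value.startswith(expected) if key == "host-name" else value == expected
        score += weight if matched else 0
    return score

def classify(mac, attrs, oui_table, policy=PUMP_POLICY):
    """Return (profile, alarm). A profiled endpoint raises no alarm; a whitelisted MAC whose profile
    no longer matches is still admitted via the fallback policy but raises an alarm for review."""
    enriched = dict(attrs, oui_vendor=oui_vendor(mac, oui_table))
    score = certainty(policy, enriched)
    if score >= policy["min_certainty"]:
        return policy["name"], None
    if mac.lower() in STATIC_WHITELIST:
        alarm = "%s (%s) matched the static whitelist only: certainty %d < %d, vendor %r; review profile or suspect spoofing" % (
            mac, STATIC_WHITELIST[mac.lower()], score, policy["min_certainty"], enriched["oui_vendor"])
        return "Whitelist-Fallback", alarm
    return "Unknown", None

if __name__ == "__main__":
    pump = "00:23:68:ab:cd:01"
    print(classify(pump, PUMP_ATTRS, OUI_BEFORE))   # profiled normally
    print(classify(pump, PUMP_ATTRS, OUI_AFTER))    # OUI feed renamed the vendor: fallback + alarm
    print(classify(pump, dict(PUMP_ATTRS, **{"dhcp-class-identifier": "MedPump-OS/4.0"}), OUI_BEFORE))  # firmware update
    print(classify(pump, {"host-name": "laptop-42"}, OUI_BEFORE))  # spoofed MAC carrying laptop attributes
```

The alarm is the point of the fallback: the device keeps working through the whitelist, but the ordering (profile first, whitelist below it) means the whitelist only fires when something about the endpoint changed, and a whitelisted MAC that suddenly looks like a laptop deserves a look before anyone decides the feed update was the whole story.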
Hospital: Paging Dr. Ihateloggingin
Suggestions for better user experience
• Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a web portal or changing a PEAP password.
• Use EAP-TLS
Hospital: Medical NAC
Profiles custom built for medical devices (Thanks Craig!)
● Secure-access options for healthcare-specific devices
● Identification and classification of healthcare-specific devices (250+ devices)
● Segmentation of medical devices
Public Transportation – Tips for the thrifty traveler
Airport: Hotspot setup with custom redirect
Using AP groups/names
(Screenshots: configuration walkthrough)
Using MSE and ISE 2.0
(Screenshot)
Soapbox: Buy Public Certificates
Stop teaching users to accept Man-in-the-middle attacks!
Conclusion
Review
• Public Environments can be challenging
• Avoid ISE "meltdowns"
• Keep up to date with versions and patches; be aware of software defects that might affect your environment
• Use the advice in this guide to solve challenges in your environment
• Use real best practice to ensure that you have a successful deployment.
Public ISE Community
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
ISE and TrustSec in CL 2017
ISE / TrustSec Labs
• ISE integration with Firepower using pxGrid protocol: Wed 8:00-12:00 PM, MGM Grand, Level 1, Room 104
• Visibility Driven Secure Segmentation: Wed 01:00-05:00 PM, MGM Grand, Level 1, Room 115
• Cisco SD-Access Hands-on Lab: Wed 01:00 PM, MGM L-1, 116; Thu 08:00 PM, MGM L-1, 101
Demos
Thank you