Cisco Ise 2020 PDF
TECSEC-2053
Jerry Lin, CSE (Irvine, California); Ned Zaldivar, CSE (Houston, Texas); Sylvain Levesque, CSE (Montreal, Canada)
• Android: Settings > Security & Screen Lock > Trusted Credentials > System / User
Certificate File Formats Demystified
• DER (.der, .cer) – Distinguished Encoding Rules
• Binary encoding, one certificate per file
• Binary, so it cannot be copied and pasted as text (the Base64/PEM encoding is the text form)
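An added PowerShell helper, not part of the TECSEC-2053 deck, that tells a DER file from a PEM file by its first bytes, converts between the two with certutil, and unpacks a PFX/P12 into PEM with openssl (the same conversion the FireSIGHT decryption setup later in this deck calls for). Assumptions: certutil.exe is available; openssl.exe is on the PATH for the PFX step only; every file name and the password are placeholders.

```powershell
# Added example (not part of the deck). Assumptions: certutil.exe available,
# openssl.exe on PATH for the PFX step only; paths and password are placeholders.

function Get-CertFileFormat {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 2) { return 'Empty' }
    # DER-encoded objects (.cer/.der, but also .p7b and .pfx) start with the ASN.1
    # SEQUENCE tag 0x30. PEM is text and starts with a "-----BEGIN ..." banner.
    if ($bytes[0] -eq 0x30) { return 'DER' }
    $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min($bytes.Length, 64))
    if ($head -match '-----BEGIN ') { return 'PEM' }
    return 'Unknown'
}

function Convert-DerToPem {
    param([Parameter(Mandatory)][string]$Der, [Parameter(Mandatory)][string]$Pem)
    # certutil -encode wraps the DER bytes in Base64 between BEGIN/END CERTIFICATE
    # lines, which is the form ISE, WSA and FireSIGHT accept as "PEM".
    certutil -encode $Der $Pem | Out-Null
}

function Convert-PemToDer {
    param([Parameter(Mandatory)][string]$Pem, [Parameter(Mandatory)][string]$Der)
    certutil -decode $Pem $Der | Out-Null
}

function Convert-PfxToPem {
    param(
        [Parameter(Mandatory)][string]$Pfx,
        [Parameter(Mandatory)][string]$Pem,
        [Parameter(Mandatory)][string]$Password
    )
    # -nodes writes the private key unencrypted: the PEM is now as sensitive as the
    # PFX, so restrict it to the importing account and delete it after the import.
    & openssl pkcs12 -in $Pfx -out $Pem -nodes -passin "pass:$Password"
    icacls $Pem /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null
}

# Usage with placeholder files:
$cer = 'C:\pki\WIN2012-RootCA.cer'
switch (Get-CertFileFormat -Path $cer) {
    'DER'   { Convert-DerToPem -Der $cer -Pem 'C:\pki\WIN2012-RootCA.pem' }
    'PEM'   { Convert-PemToDer -Pem $cer -Der 'C:\pki\WIN2012-RootCA.der' }
    default { Write-Warning "$cer is not a recognised certificate encoding" }
}
# Read the subject, issuer and validity regardless of encoding.
certutil -dump $cer | Select-String -Pattern 'Subject:', 'Issuer:', 'NotAfter'
# Convert-PfxToPem -Pfx 'C:\pki\mitm-ca.pfx' -Pem 'C:\pki\mitm-ca.pem' -Password 'placeholder'
```

The 0x30 check only says "DER-encoded ASN.1", which a PKCS#7 bundle or a PFX also satisfies; the certutil -dump step is what tells you which of those you are holding.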
Capability / Feature comparison (columns: Router, Linux, MDM, ISE, MS)
• Deploy BYOD certs via VPN?
• Deploy BYOD certs wired or wireless?
• Deploy certs to Active Directory domain computers?
• Highly Scalable?
• Easily Manageable?
• Cisco BU/TAC Official Support
PKI Use Cases Covered (columns: MS PKI, ISE PKI, MDM)
1. Corporate AD Domain Devices (GPO User+Machine Certs)
2. BYOD: Personal Devices (iOS, Android, MacOSX, Windows, *Linux)
3. Corporate non-Domain Devices (iOS, Android, MacOSX, Windows, *Linux)
http://www.cusoon.fr/update-microsoft-certificate-authorities-to-use-the-sha-2-hashing-algorithm-2/
See Appendix for full step by step instructions
Complete CA roles (see Appendix for full step-by-step details). Root CA complete!
• http://support.microsoft.com/kb/281557
• http://blogs.technet.com/b/instan/archive/2009/01/14/using-a-custom-template-for-subordinate-ca-s.aspx
Building Windows 2012 Server Subordinate CA
Corporate Asset AD Domain Devices (Use Case #1)
CA hierarchy for this use case:
• Root CA → Windows Sub CA-1, issuing to corporate domain PCs (user and machine certs); used for EAP-Chaining
• Root CA → ISE PAN Intermediate CA → PSNs
• Root CA → other subordinate CAs
• Install AD Domain Services
• Promote the SubCA to domain controller and join the existing domain
• Complete the SubCA install
• Select the RootCA server certificate
• All configured!
Example: Certificate Template Versions
See Appendix for full step by step instructions
• The duplicated Workstation template is a V2 template, so its settings (validity period, key length, etc.) can be customized and it can be deployed through GPO.
• Autoenrollment is supported.
Issue “Workstation2” Certificate Template
1. Select Certificate Template to Issue
2. Select the Workstation2 template
3. Validate that the new template is published
Creating User Certificate Template
• Required for user certificate deployment. The default User template must be duplicated (a V1 template cannot be modified).
• Tools > Certificate Authority > Certificate Templates (right-click) > Manage
Enable AutoEnrollment in GPO (Computer): enable both options (renew expired certificates, update pending certificates and remove revoked certificates; update certificates that use certificate templates)
Enable AutoEnrollment in GPO (User): enable both options likewise
Verification of User and Machine templates
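An added PowerShell check, not from the deck, for the GPO step above: it reads the effective Auto-Enrollment policy on a domain member, triggers machine and user enrollment immediately, and lists the resulting certificates that qualify for EAP-TLS (chained to the issuing CA, private key present, Client Authentication EKU). Assumptions: elevated PowerShell on the domain-joined client; the issuing CA name WIN2012-SubCA is the one used in this deck.

```powershell
# Added example (not part of the deck). Assumptions: elevated PowerShell on a
# domain-joined client; "WIN2012-SubCA" is this deck's issuing CA name.

function Get-AutoEnrollmentPolicy {
    # The Auto-Enrollment GPO lands in the AEPolicy value: 7 = enabled with both
    # checkboxes (renew/update/remove and update templates), 0 = enabled without
    # options, 0x8000 = explicitly disabled, no value = not configured.
    $result = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        $result[$hive] = switch ($value) {
            $null   { 'not configured' }
            7       { 'enabled (both options)' }
            0x8000  { 'disabled' }
            default { 'enabled, AEPolicy=0x{0:X}' -f $value }
        }
    }
    return $result
}

function Invoke-AutoEnrollment {
    # Refresh policy for both scopes, then run the machine and user autoenrollment
    # tasks now instead of waiting for the next logon / 8-hour cycle.
    gpupdate /target:computer /force | Out-Null
    gpupdate /target:user /force | Out-Null
    certutil -pulse | Out-Null
    certutil -user -pulse | Out-Null
}

function Get-EapTlsCertificates {
    param([string]$IssuerName = 'WIN2012-SubCA')
    # ISE EAP-TLS needs a cert that chains to a CA ISE trusts and carries the Client
    # Authentication EKU (1.3.6.1.5.5.7.3.2). The machine store serves the machine
    # leg of EAP chaining, the user store the user leg.
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem -Path $store |
            Where-Object {
                $_.Issuer -match $IssuerName -and
                $_.HasPrivateKey -and
                ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
            } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, NotAfter, Thumbprint
    }
}

Get-AutoEnrollmentPolicy
Invoke-AutoEnrollment
Get-EapTlsCertificates | Format-Table -AutoSize
```

If HKLM reports "enabled" but the machine store stays empty, the usual causes are the Workstation2 template missing Autoenroll permission for Domain Computers, or the template not being published on the CA.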
Root CA, Primary PAN and PSNs:
• Generate CSRs for ALL NODES at the Primary PAN
• Bind the CA-signed certs for ALL NODES at the Primary PAN
ISE Tomcat OCSP responder: http://ise:2560/ocsp (as designed)
ISE (PSN) CA Server Status: as expected
Export/Import ISE CA Certificate Key
Certificate flow: the PAN Intermediate CA CSR and the PSN SubCA CSR are signed by WIN2012-RootCA; the PSN is then registered to the PAN
Adding PSN1 to the Admin Node: import the PSN cert into the Admin Node, then register PSN1 to the PAN (registration in progress)
Certificate Signing Requests for Intermediate CA
Generating a Certificate with a SAN in ADCS
• By default, Active Directory Certificate Services ignores a Subject Alternative Name passed as a request attribute (it does honour a SAN extension that is already inside the CSR when the template's subject is supplied in the request).
• To accept the attribute form, the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set with a certutil command in CLI/PowerShell and the Certificate Authority service has to be restarted. Leave the flag enabled only as long as needed: while it is on, any enrollee can request a certificate carrying an arbitrary SAN.
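The certutil procedure just described, as an added PowerShell example that is not the deck's own: it enables the flag, restarts the CA, submits an ISE CSR with the SAN passed as a request attribute, verifies the issued certificate, and clears the flag again. Assumptions: run elevated on the issuing CA (WIN2012-SubCA in this deck); ise-psn1.csr is the CSR generated on the ISE node; the CA config string, template name and host names are placeholders.

```powershell
# Added example (not part of the deck). Run elevated on the issuing CA.
# Assumptions: ise-psn1.csr came from the ISE node; CA config string, template
# name and host names are placeholders.

$caConfig = 'subca.corp.example\WIN2012-SubCA'

# 1. Record the current EditFlags so the change can be reverted exactly.
certutil -getreg policy\EditFlags

# 2. Make the policy module honour a SAN passed as a request attribute, then
#    restart the CA service so the new flag is read.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Restart-Service -Name CertSvc

# 3. Submit the ISE CSR with the SAN attribute (several names separated by '&').
certreq -submit -config $caConfig `
    -attrib "CertificateTemplate:WebServer`nSAN:dns=ise-psn1.corp.example&dns=ise-psn1" `
    .\ise-psn1.csr .\ise-psn1.cer

# 4. Check that the SAN ended up in the issued certificate before binding it in ISE.
certutil -dump .\ise-psn1.cer | Select-String -Pattern 'DNS Name='

# 5. Clear the flag again. While it is set, anyone allowed to enroll for any template
#    on this CA can assert an arbitrary SAN (including another user's UPN), which is
#    a well-known route to impersonation. Do not leave it on permanently.
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
Restart-Service -Name CertSvc

# 6. Verify the flag is gone (bit 0x40000 in EditFlags); this prints nothing when clear.
(certutil -getreg policy\EditFlags) -match 'EDITF_ATTRIBUTESUBJECTALTNAME2'
```

The flag is avoidable altogether: fill in the SAN fields when ISE generates the CSR (the SAN then travels inside the CSR as an extension) and issue against a template whose Subject Name is "Supply in the request"; the CA copies the extension from the CSR without EDITF_ATTRIBUTESUBJECTALTNAME2.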
Cert Request to WIN2012-RootCA
Bind ISE Certificate; the newly imported trusted certs appear in the trusted certificates list
Remove PSN services from the PAN (uncheck the Policy Service persona); ISE will restart
ISE PAN and PSN Personas
Import the WIN2012-RootCA cert into the trusted certificates
Final Trusted Certificates: CA hierarchy complete under Win2012-RootCA
CSR for PSN
Bind the PSN EAP Authentication cert (used for client authentication and other usages)
PSN1 cert completion: ISE PKI chain complete!
New with ISE 1.3:
• Certificate Revocation
• OCSP/CRL Validation and Troubleshooting
• Roaming from One PSN to Another
• EAP-Chaining, Machine+User Authentication
In this case the nonce option was enabled on ISE, but the Microsoft CA's Online Responder configuration did not accept the nonce in the OCSP request, so request and response did not match. Either enable NONCE extension support in the Microsoft responder's revocation configuration or disable the nonce option for that OCSP service in ISE; with the nonce off, responses can be pre-computed and cached, so a captured "good" response stays replayable until its next update.
OCSP – ISE Troubleshooting
• Detailed information can be obtained from the ISE prrt-management.log at Debug level
• The file can be downloaded and searched for the "ocsp" keyword, or searched from the CLI with tail and grep for the same keyword
CRL – ISE Validation and Troubleshooting
• Detailed information can be obtained from the ISE prrt-management.log at Debug level (Administration > Logging)
• The file can be downloaded and searched for the "CRL" keyword, or searched from the CLI; a successful check shows connectivity OK and the CRL downloaded and validated
Certificate Revocation & Renewal
Revoking User Access in ISE
• My Devices Portal: https://ise:8443/mydevicesportal
• Lost: device is blacklisted, cert not revoked
• Stolen: device is blacklisted and cert revoked
Revoking User Access in MS2012
• Device lost? Employee leaves job? Contract ended?
• How to block selected devices only?
Revoking a User Certificate
1. WIN2012-SubCA > Issued Certificates > (right-click) All Tasks > Revoke Certificate
2. Reason code: Cessation of Operation
3. WIN2012-SubCA > Revoked Certificates > (right-click) All Tasks > Publish (a new CRL)
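The three-step revocation above and the OCSP/CRL troubleshooting earlier in this section, done from the command line as an added PowerShell example (not the deck's own): locate the certificate on the issuing CA, revoke it with an explicit reason, publish the CRL immediately, and confirm from a client that the revocation is visible through the certificate's CRL/OCSP URLs. Assumptions: run elevated on WIN2012-SubCA (this deck's issuing CA); CORP\jdoe, the serial number and the file paths are placeholders.

```powershell
# Added example (not part of the deck). Run elevated on WIN2012-SubCA.
# Assumptions: CORP\jdoe, the serial number and file paths are placeholders.

# 1. List issued (Disposition=20) certs for the requester so the right serial is revoked.
certutil -view -restrict "RequesterName=CORP\jdoe,Disposition=20" `
    -out "RequestID,SerialNumber,NotAfter,CertificateTemplate"

# 2. Revoke by serial number. Reason codes: 0 Unspecified, 1 KeyCompromise,
#    2 CACompromise, 3 AffiliationChanged, 4 Superseded, 5 CessationOfOperation,
#    6 CertificateHold (the only one that can be undone). A lost or stolen device
#    is a KeyCompromise (1); "cease of operation" as on the slide is 5.
$serial = '1a2b3c4d000000000007'   # placeholder: copy it from the step 1 output
certutil -revoke $serial 1

# 3. Publish a new base + delta CRL now rather than at the next scheduled interval;
#    until then relying parties keep trusting the old CRL up to its NextUpdate time.
certutil -crl

# 4. On a client (or the CA itself): drop cached CRLs/OCSP responses, then rebuild the
#    chain with live fetches. Expect "The certificate is revoked" (CRYPT_E_REVOKED).
certutil -urlcache * delete | Out-Null
certutil -verify -urlfetch .\jdoe.cer | Select-String -Pattern 'revo', 'ERROR', 'OCSP', 'CRL'
```

ISE caches the CRL as well, so a freshly revoked cert may still pass on a PSN until its CRL download interval elapses or the CRL is re-fetched from the trusted certificate's CRL settings; the prrt-management.log search described above shows which copy ISE evaluated.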
Certificate Lifecycle and Expiration - BYOD
• Authorization policies in ISE 1.3 can match on certificate expiry attributes, which allows endpoints whose certificates are near their expiration date to trigger the SCEP provisioning process again
Roaming Across PSNs
• Certificate trust relationship across PSNs (PSN1 behind WLC1/AP1, PSN2 behind WLC2/AP2, same SSID) under the ISE Intermediate CA
EAP-FAST (Flexible Authentication via Secure Tunneling)
• Defined in RFC 4851 and developed by Cisco Systems
• Does not require certificates when anonymous PAC provisioning is used
• Mutual authentication is provided by the Protected Access Credential (PAC), usually provisioned dynamically
• Occurs in 3 phases: Phase 0 (PAC provisioning), Phase 1 (TLS tunnel establishment using the PAC), Phase 2 (inner authentication inside the tunnel)
• MacOS is subject to the same limitations, but the AnyConnect Network Access Manager 802.1X supplicant is only available for Windows
• The machine and user identities can be linked together in an ISE authorization policy with the same attributes as with Windows
EAP Chaining Flow (supplicant ↔ ISE PSN)
Phase 0 (client provisioning): PAC provisioning over an established secure connection
Phase 1 (tunnel establishment):
1. EAP Identity Request
2. EAP Identity Response (forwarded to ISE)
3. EAP-FAST Start (S bit, A-ID)
4. TLS Client Hello (client_random, PAC-Opaque)
5. TLS Server Hello (server_random), TLS Change Cipher Spec, TLS Finished
6. TLS Change Cipher Spec, TLS Finished
Phase 2 (inside the tunnel):
7. Identity-Type TLV (Machine), EAP-Payload TLV (EAP Request-Identity)
8. Identity-Type TLV (Machine), EAP-Payload TLV (EAP Response-Identity)
9. Machine authentication: EAP-MSCHAPv2 / EAP-GTC / EAP-TLS (machine cert) or Machine Authorization PAC
10. Crypto-Binding TLV (Nonce, Compound MAC), Intermediate-Result TLV (Success), in both directions
11. The same Identity-Type / inner-method exchange is repeated for the User identity
12. Crypto-Binding TLV (Nonce, Compound MAC), Intermediate-Result TLV (Success), in both directions
13. EAP Success
EAP Chaining (Using EAP-TLS)
Configurations Required
• Enable both user and machine certificate enrollment via GPO
• Install the AnyConnect NAM module
• Configure ISE EAP Chaining authentication/authorization
EAP Chaining Authorization
Goal: tie the corporate employee to the corporate machine!
• If both user and machine authenticate successfully, the user is considered to be using a corporate asset.
• If either the user or the machine (or both) fails authentication, restricted or denied access can be applied via the ISE authorization policy.
Access privilege: User + Machine = success
Microsoft GPO Configuration
Customer site: SCEP cert enrollment and authentication through the MX Security Appliance, Active Directory and MR Access Point
Meraki Systems Manager SCEP Configuration
• The Meraki Systems Manager uses a default SCEP certificate for provisioning: upload the cert and its issuer information
Meraki Systems Manager - Defining an EAP-TLS Profile for a Managed Device
• Profile definition: identity certificate and trusted certificates to be pushed
Airwatch - Certificate Provisioning
The Airwatch EMM offers multiple mechanisms to deliver certificates to managed devices:
• Built-in CA with the on-premise appliance or cloud offering
• Integration with 3rd-party certificate servers using SCEP, and with Microsoft ADCS using DCOM/NDES/SCEP
On-Premise:
• Direct Active Directory authentication/authorization integration for enrollment
Cloud Based:
• Active Directory authentication/authorization for enrollment and for Certificate Services through the Airwatch Cloud Connector (ACC) installed on a domain member
Airwatch Certificate Template: subject definition and SAN definition
Airwatch Certificate Attributes: trusted certificates to be pushed, WiFi authentication definition
Asset Differentiation with Certificates
Common Name vs Fully Distinguished Name
• The Subject Name in a certificate can be auto-populated with information from Active Directory Domain Services. Typical values are the Common Name and the Fully Distinguished Name.
• The certificate template used defines whether the CN or the FDN populates the Subject Name in the generated certificate.
Asset Differentiation – Distinguished Name
• Fields in certificates can be used to differentiate assets and access in ISE. Example: the Organizational Unit (OU) could identify corporate assets, e.g. OU=Corporate Assets. Only rely on a field the template populates from the directory; a value the endpoint can supply in its own request cannot serve as proof of corporate status.
Asset Authorization and Differentiation
• ISE 1.3 exposes an attribute that maps to the certificate template used to issue the certificate (with an external Microsoft CA only; with the ISE CA from 2.0)
• This can be used to identify the access control use cases and provide differentiated access and authorization:
Authorization rule 1 – Template Name = SCEP_BYOD -> Personal Devices Employees
Authorization rule 2 – Template Name = Airwatch_template -> Corporate Mobile Devices
Authorization rule 3 – Template Name = Computer -> Corporate PCs
Authorization rule 4 – Template Name = DCE_RPC -> Corporate Macbooks
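An added PowerShell example, not from the deck, that reads from an endpoint certificate the two fields this section relies on for asset differentiation, the Subject OU and the name of the issuing certificate template, and shows which of the four rules above the certificate would land in. Assumptions: the certificate has been exported to a file (placeholder path); the template-to-rule table mirrors the slide and is not an ISE policy export.

```powershell
# Added example (not part of the deck). Assumptions: the endpoint cert is exported
# to the placeholder path below; the rule table below is copied from the slide.
using namespace System.Security.Cryptography.X509Certificates

function Get-CertTemplateName {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.21.7' {
                # V2+ templates: "Certificate Template Information", rendered as
                # "Template=Workstation2(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
                $text = $ext.Format($false)
                if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
                return $text
            }
            '1.3.6.1.4.1.311.20.2' {
                # V1 templates: "Certificate Template Name" holds the bare name.
                return $ext.Format($false).Trim()
            }
        }
    }
    return $null
}

function Get-SubjectOU {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    # Format($true) yields one RDN per line, so escaped commas inside values do not
    # break the parse the way a naive split on ',' would.
    $Cert.SubjectName.Format($true) -split "`r?`n" |
        Where-Object { $_ -like 'OU=*' } |
        ForEach-Object { $_.Substring(3) }
}

# Template -> rule mapping copied from the slide.
$templateRules = [ordered]@{
    'SCEP_BYOD'         = 'rule 1: Personal Devices Employees'
    'Airwatch_template' = 'rule 2: Corporate Mobile Devices'
    'Computer'          = 'rule 3: Corporate PCs'
    'DCE_RPC'           = 'rule 4: Corporate Macbooks'
}

function Resolve-AssetRule {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    $template = Get-CertTemplateName -Cert $Cert
    $ous = @(Get-SubjectOU -Cert $Cert)
    $rule = if ($template -and $templateRules.Contains($template)) { $templateRules[$template] }
            else { 'no template match: falls through to the default rule' }
    [pscustomobject]@{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        Template       = $template
        OU             = $ous -join '; '
        CorporateAsset = ($ous -contains 'Corporate Assets')
        Rule           = $rule
    }
}

$cert = [X509Certificate2]::new('C:\temp\endpoint.cer')   # placeholder path
Resolve-AssetRule -Cert $cert | Format-List
```

The template extension is what ISE reads for its Template Name attribute and it is set by the CA, not by the enrollee, whereas a Subject OU on a "supply in the request" template is whatever the requester put in the CSR; that is why the template name (together with the issuer) is the stronger corporate-asset signal of the two.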
pxGrid: exchange of information between ISE and 3rd-party systems via publishing / subscribing
Export of ISE certificates and keys:
• Via UI, one by one -> Administration > Certificates > System Certificates > select the certificate, then Export
• Via CLI -> application configure ise, enter 7 to export the certificates and keys (requires a repository)
Lancope Stealthwatch configuration using the Web UI
• Define port
• Define account
• Define MnT and Policy node(s)
• Import certificates (CA, pxGrid, ISE system) from the ISE deployment node
Lancope Stealthwatch Configuration – Access via Admin UI
• Trust with ISE must be established for mitigation; the added CA certificate is shown below
Verification of Identity (via syslog)
Authentication Details / Identity & Device Table
• ISE collects posture, port, network access device, MDM status, device and identity, plus TrustSec metadata
Why pxGrid with WSA for Identity?
WSA is implemented as a transparent proxy that requires identity, so a user logged into AD authenticates transparently (no user interaction). But what about BYOD devices?
Certificates: exchange of tag
Inbound Inline Deployment (Client → FirePOWER → Internal Server), integrated SSL decryption
• Protecting incoming server traffic
• Policy determines what to inspect
• The server's private key is needed to decrypt
• Detection and prevention on the decrypted traffic
Outbound Inline Proxy Deployment (Client → FirePOWER → External Server), integrated SSL decryption
• Protecting outgoing client traffic
• Policy determines what to inspect
• A Root CA certificate and key are needed to re-sign and re-encrypt
• 2 separate sessions are established (client ↔ FirePOWER and FirePOWER ↔ server)
Outbound Inline Proxy Configuration Summary
Configuration on FireSIGHT Management Center
• Install a Root Certificate with private key for MiTM
• Download the CA certificate and back it up in the Certificate Authority
• Convert the PFX/P12 certificate to PEM
• Import the CA certificate into FireSIGHT
• Download the CA certificate in DER format
Firefox 36.0.1 no no no no no no no
no***, images
Chrome bypass** bypass** no*** jacked yes yes yes
* requires RootCA (without key) certificate in trusted store
** bypassed because *.google.com is verified by chrome
*** ERR_SSL_PROTOCOL_ERROR
Troubleshooting Errors
FireSIGHT Connection Events
• Add more rows to Connection Events for troubleshooting
Demo of FirePOWER Decryption (demo video)
Certificates for Decryption using Web Security Appliance
Integrated SSL Decryption
Cisco Web Security Appliance
• Superior performance starting with WSA 8.0
• Used for decrypting HTTPS traffic so that HTTP policy can be applied to it
Outbound Proxy Deployment (Client → WSA → External Server), using WCCP or explicit proxy for traffic redirection
• Protecting outgoing client traffic
• 2 separate sessions are established
Outbound Proxy Configuration Summary
Configuration on WSA
• Install a Root Certificate with private key for MiTM
• Verify decryption
Import CA Certificate
• Navigate in the WSA to Network > Certificate Management
• Select Import, and include the private key
Define Decryption Policy
• Navigate in the WSA Web UI to Web Security Manager > Decryption Policies
Q: Apple iOS, SCEP not working with the ISE cert from an external CA
A: Update the Root CA cert in the ISE certificate store
Review Deployment
Understand PKI/CA and Configurations
Deployment Use Cases
“How to…” PKI
Cisco Live sessions are available for viewing on-demand after the event at CiscoLive.com/Online
Appendix
Win2012-RootCA Installation
http://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-your-first-domain-controller-step-by-step.aspx?PageIndex=2
Let’s Build a Root CA!
• Install the 2012 R2 server
• Building the Enterprise Root CA: Add Roles and Features
• Adding Active Directory Domain Services
• Add DHCP and DNS
• Finish installing AD DS, DHCP, DNS services
SubCA install
• Specify Subordinate CA
• Name the CA
Example Windows Certificate Templates
Certificate Template Versions
• Version 1 – Designed for clients and issuing CAs running Windows 2000. V1 template properties cannot be modified, except the permissions that control access to the template.
• Version 2 – Introduced with Windows Server 2003. More granular control and support for certificate autoenrollment.
• Version 3 – Introduced with Windows Server 2008. Includes the version 2 features plus support for the Suite B cryptographic algorithms specified by the US National Security Agency.
http://technet.microsoft.com/en-us/library/cc725838.aspx
Issue “VPN User” User Certificate Template
1. Select Certificate Template to Issue
2. Select the VPN User template
3. Validate that the new user template is published
Computer vs Workstation Template? Which one to use?
• Either one should work
• Simply create a duplicate of the default to ensure version 2 or higher
Workstation Template
• Required for Machine Authentication (EAP-TLS)
• Required for EAP Chaining
• Certificate Authority > Certificate Templates (right-click) > Manage
• Certificate Templates > Workstation Authentication (right-click) > Duplicate
Create a Duplicate Workstation Template
Leave the other tabs at their defaults: Request Handling, Cryptography, Key Attestation, Issuance Requirements, Server, Extensions
Appendix: Windows 2012 OCSP Detailed Configuration
Creating Your OCSP Responder Template
• Duplicate the default OCSP Response Signing template
OCSP Template Properties
• The Allow_All policy can simply be Access_Accept to avoid any 3rd-party switch compatibility issues.
Installing NAM
EAP Chaining support in AnyConnect 3.1
• Deploy NAM via the AnyConnect ISO
• Or deploy NAM via the ASA headend as part of the SSL VPN group policy
Configuring NAM (Network Access Manager), Windows only
• Configuration.xml file: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml
• Profile: EAP_Chain_MachineTLS_UserTLS
NAM: EAP Chaining Setup
• Set up a new EAP-TLS configuration
• NAM setup
• Save the configuration.xml file