Brksec-1011 (2015)


Written to be Realised Security Policies

BRKSEC-1011

Yuval Shchory
Product Line Manager, Access and Policy, SBG

Session Abstract

This session covers the building blocks for a policy-based access control
architecture for wired, wireless, and VPN networks using Identity Services Engine
(ISE).
Starting with basic user and device authentication and authorisation using
technologies like 802.1X, MAB, Web Authentication, and certificates/PKI, the
session will show you how to expand policy decisions to include contextual
information gathered from profiling, posture assessment, location, and external
data stores such as AD and LDAP.
The architecture will be expanded further to address key use cases such as Guest
access and management, BYOD (device registration and supplicant provisioning),
MDM policy integration, and 802.1AE (MACsec), as well as visibility and pervasive
policy enforcement through VLANs, ACLs, and TrustSec.

BRKSEC-1011 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Housekeeping
Reference slides will be in the published version only

Visit Cisco Live Online: CiscoLive.com

? Questions are welcome!

Please use the microphone if one is available

Please put your phone on stun

Visit the World of Solutions and Meet the Expert

Feedback welcome. Please complete online evaluation

Agenda
• Introduction & Welcome
• Secure Access Architecture
• Gaining Visibility
• Authenticating and Authorising
• Visitation Rights
• Keeping the Network Clean
• Connecting not-so-Geeky Geeks
• Securing by Roles in the Network
• Sharing Context
• Summary

What is Secure Access and TrustSec?
• Think of it as “Next-Generation NAC”
• Secure Access is Cisco’s Architecture for Context-based Identity and Access
Control, including:
– Profiling Technologies
– RADIUS
– IEEE 802.1X (Dot1x)
– Guest Services
– Device Management
– TrustSec
– Identity Services Engine (ISE)

Cisco Identity Services Engine (ISE)
All-in-One Enterprise Policy Control

[Diagram: ISE takes security policy attributes (who, what, where, when, how) and identity context and turns them into business-relevant policies enforced across wired, wireless and VPN access, covering virtual machine clients, IP devices, guests, employees and remote users.]
The Importance of Contextual Identity
Visibility: “What” is Connecting to My Network?
Profiling
• What ISE Profiling is:
– Dynamic classification of every device that connects to the network, using the infrastructure.
– Provides the context of “What” is connected, independent of user identity, for use in access policy decisions (PCs and non-PCs such as UPS, phones, printers and access points).
• What Profiling is NOT:
– An authentication mechanism.
– An exact science for device classification.
Profiling Technology
How Do We Classify a Device?
• Profiling uses signatures (similar to IPS)
• Probes are used to collect endpoint data:
– DHCP, DHCP SPAN
– HTTP
– SNMP Query, SNMP Trap
– RADIUS
– DNS
– NMAP
– NetFlow
Profiling Policy Overview
Profile Policies Use a Combination of Conditions to Identify Devices

Example: identifying an iPad
– Is the MAC address (OUI) from Apple?
– DHCP:host-name CONTAINS iPad
– IP:User-Agent CONTAINS iPad
→ “I am fairly certain this device is an iPad” → assign this MAC address to the “iPad” policy in the profile library.
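The slide shows conditions being combined into a confidence that a MAC belongs to a profile. The following Python is an added example (not ISE's code and not from the deck): it models a small profile-library fragment with weighted conditions and a parent/child hierarchy, then classifies constructed endpoint attribute sets. The certainty weights, the policy names and the OUI table are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample OUI table (placeholders, not real IEEE assignments).
# A deployment would load the OUI file that the feed service keeps current.
OUI_VENDORS = {"00:11:22": "Apple", "00:33:44": "Hewlett Packard"}


@dataclass
class Condition:
    attribute: str   # e.g. "DHCP:host-name", "IP:User-Agent", "MAC:OUI"
    operator: str    # "CONTAINS" or "EQUALS"
    value: str
    certainty: int   # assumed weight contributed when the condition matches

    def matches(self, endpoint: Dict[str, str]) -> bool:
        actual = endpoint.get(self.attribute)
        if actual is None:
            return False
        if self.operator == "CONTAINS":
            return self.value.lower() in actual.lower()
        if self.operator == "EQUALS":
            return self.value.lower() == actual.lower()
        raise ValueError(f"unsupported operator {self.operator}")


@dataclass
class ProfilePolicy:
    name: str
    parent: Optional[str]      # parent policy in the profile library hierarchy
    min_certainty: int         # threshold the summed certainty must reach
    conditions: List[Condition]

    def score(self, endpoint: Dict[str, str]) -> int:
        return sum(c.certainty for c in self.conditions if c.matches(endpoint))


def enrich(endpoint: Dict[str, str]) -> Dict[str, str]:
    """Derive the MAC:OUI vendor so a condition can ask 'is the OUI from Apple?'."""
    mac = endpoint.get("MACAddress", "").lower().replace("-", ":")
    out = dict(endpoint)
    out["MAC:OUI"] = OUI_VENDORS.get(mac[:8], "Unknown")
    return out


def classify(endpoint: Dict[str, str], policies: List[ProfilePolicy]) -> str:
    """Return the most specific matching policy name, or 'Unknown'.

    Policies are listed parent-first; a child is only considered once its
    parent matched, so a DHCP host-name containing 'iPad' on a non-Apple OUI
    does not produce an iPad match (profiling is not an exact science)."""
    ep = enrich(endpoint)
    matched = set()
    best = "Unknown"
    for policy in policies:
        if policy.parent is not None and policy.parent not in matched:
            continue
        if policy.score(ep) >= policy.min_certainty:
            matched.add(policy.name)
            best = policy.name
    return best


# Profile library fragment modelled on the slide (weights are assumed).
PROFILE_LIBRARY = [
    ProfilePolicy("Apple-Device", None, 10,
                  [Condition("MAC:OUI", "EQUALS", "Apple", 10)]),
    ProfilePolicy("Apple-iPad", "Apple-Device", 20,
                  [Condition("DHCP:host-name", "CONTAINS", "iPad", 20),
                   Condition("IP:User-Agent", "CONTAINS", "iPad", 20)]),
]

# Constructed endpoint attribute sets, as the probes would have collected them.
IPAD = {"MACAddress": "00:11:22:AA:BB:CC", "DHCP:host-name": "Yuvals-iPad",
        "IP:User-Agent": "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X)"}
MACBOOK = {"MACAddress": "00:11:22:AA:BB:DD", "DHCP:host-name": "MacBook-Pro"}
MISMATCH = {"MACAddress": "00:33:44:AA:BB:EE", "DHCP:host-name": "iPad"}
```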
Profiling Technology
Visibility Into What Is On the Network

Profiling Non-User Devices
Dynamic Population of MAB Database Based on Device Type
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
Example outcomes (ISE with a management access switch):
– Printers = Printer VLAN
– Cameras = Video VLAN
– UPS = Management_Only dACL
Profiling User Devices
Differentiated Access Based on Device Type
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
Example (ISE with a WLAN controller; Kathy connects to the Corp, Guest or Marketing network):
– Kathy + Corp Laptop = Full Access to Marketing VLAN (VLAN = Marketing)
– Kathy + Personal Tablet / Smartphone = Limited Access, Internet Only (Named ACL = Internet_Only)
How Is Profile Library Kept Current With Latest Devices?
• Dynamic Feed Service
– Live Update Service for New Profiles and OUI Files
– Cisco and Cisco Partners contribute to the service
– Opt-in model: new profiles are automatically downloaded from Cisco.com and applied to the live system.
Embedded Endpoint Detection and Classification
Access Control System Must Detect and Classify Everything That Connects to the Network

[Diagram: the ISE policy server gathers endpoint data from many sources: CDP/LLDP/DHCP/mDNS/MSI/H323/RADIUS from the access layer, HTTP/DHCP/RADIUS, DHCP/NetFlow, DNS, SNMP, NMAP and Cisco Prime, including VPN-connected endpoints.]
Device Sensor Support
Device Sensor on 3k/4k switches and WLC
• Distributed probes with centralized collection
• The network IS the collector!
• Automatic discovery for most common devices (printers, phones, Cisco devices)
• Collects the data at the point closest to the endpoint
• Topology independent
• Profiling based on:
– CDP/LLDP
– DHCP
– HTTP (WLC only)
– mDNS, H323, MSI-Proxy (4k only)
Device Sensor in Action
Switch device sensor cache:
    # show device-sensor cache all
The cache entry for SEP002155D60133 (10.100.15.100) identifies it as a Cisco IP Phone 7945; the ISE profiling result for the same endpoint is “Cisco Systems, Inc. IP Phone CP-7945G”.
Verification Control
Authentication, Authorisation, and Accounting
“Who” is Connecting, Access Rights Assigned, and Logging
Authentication and Authorisation
What’s the Difference?
• Authentication (802.1X / MAB / WebAuth): who/what the endpoint is.
• Authorisation (authentication result + context): what the endpoint has access to.
Authentication Rules
Choosing the Right ID Store
Authentication options: 802.1X / MAB / WebAuth
• RADIUS attributes used to select the rule: Service-Type, NAS IP, Username, SSID, …
• EAP types: EAP-FAST, EAP-TLS, PEAP, EAP-MD5, host lookup (MAB), …
• Identity source: Internal / Certificate, Active Directory, LDAPv3, RADIUS, Identity Sequence
Authorisation Rules
Authentication (802.1X / MAB / WebAuth) plus context returns standard IETF RADIUS attributes or 3rd-party Vendor Specific Attributes (VSAs):
• ACLs (Filter-ID)
• VLANs (Tunnel-Private-Group-ID)
• Session-Timeout
• IP (Framed-IP-Address)
• Vendor-Specific, including Cisco, Aruba, Juniper, etc.
Separation of Authentication and Authorisation
Policy Set (selected by a condition) → Authentication policy → Authorisation policy, each its own policy group.
Authorisation Conditions (For Your Reference)
An AuthZ condition can combine:
• External identity groups
• RADIUS and directory attributes
• Session attributes
• Posture state
• Profiled groups
Detailed Visibility into Passed/Failed Attempts

Monitor Mode
• A Process, Not Just a Command
• Enables 802.1X authentication on the switch, but even a failed authentication will gain access
• Allows network admins to see who would have failed, and fix it, before causing a Denial of Service

Interface config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator

Traffic on the switchport (DHCP, TFTP, KRB5, HTTP, EAPoL, …) is always allowed: “Permit All” both pre-AuthC and post-AuthC.
AuthC = Authentication, AuthZ = Authorisation
Low-Impact Mode
• If Authentication Is Valid, Then Specific Access!
• Limited access prior to authentication
• AuthC success = role-specific access
• dVLAN assignment / dACLs
• Secure Group Access
• Still allows for pre-AuthC access for thin clients, WoL & PXE boot devices, etc.

Interface config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     ip access-group default-ACL in

Pre-AuthC: the default ACL permits only some traffic (DHCP, TFTP, EAPoL, …). Post-AuthC: a role-based ACL, with an SGT, governs what the role may reach (e.g. DHCP, RDP, KRB5, HTTP).
Closed Mode
• No Access Prior to Login, Then Specific Access!
• Default 802.1X behaviour
• No access at all prior to AuthC
• Still use all AuthZ enforcement types: dACL, dVLAN, SGA
• Must take considerations for thin clients, WoL, PXE devices, etc.

Interface config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication port-control auto
     mab
     dot1x pae authenticator

Pre-AuthC: only EAPoL is permitted. Post-AuthC: Permit All, or a role-based ACL (with an SGT) for DHCP, TFTP, KRB5, HTTP, etc.
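The three modes differ only in a few lines of the interface configuration, which makes them easy to audit. As an added example (not from the deck or Cisco), this Python script parses an IOS-style running-config and classifies each port as monitor, low-impact, closed or none, so that ports still in monitor mode once the deployment is meant to enforce can be listed; the running-config excerpt is constructed from the slide configurations.

```python
from typing import Dict, List

# Constructed running-config excerpt: one port per mode from the slides plus
# a port with no authentication at all.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 description monitor mode
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description low-impact mode
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
!
interface GigabitEthernet1/0/3
 description closed mode
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 description plain access port
 switchport access vlan 10
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [sub-commands]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:                      # '!' or a top-level command ends the stanza
            current = None
    return stanzas


def port_mode(sub_commands: List[str]) -> str:
    """Classify a port as monitor / low-impact / closed / none using the
    lines that distinguish the three slide configurations."""
    cmds = set(sub_commands)
    authenticates = "authentication port-control auto" in cmds and (
        "dot1x pae authenticator" in cmds or any(c.startswith("mab") for c in cmds))
    if not authenticates:
        return "none"
    is_open = "authentication open" in cmds
    has_pre_auth_acl = any(c.startswith("ip access-group ") and c.endswith(" in")
                           for c in cmds)
    if is_open and has_pre_auth_acl:
        return "low-impact"
    if is_open:
        return "monitor"
    return "closed"


def audit(config: str) -> Dict[str, str]:
    return {name: port_mode(cmds) for name, cmds in parse_interfaces(config).items()}


def still_in_monitor_mode(config: str) -> List[str]:
    """Ports where a failed authentication still gains full access: expected
    during the monitor phase, a finding once the network should be enforcing."""
    return sorted(name for name, mode in audit(config).items() if mode == "monitor")
```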
Securing Access From Non-User Devices
• Non-Authenticating Devices
– These are devices that were forgotten
– They do not have software to talk EAP on the network …or they were not configured for it
– Examples: Printers, IP Phones, Cameras, Badge Readers
– How to work with these?
• Solution: Do not use 802.1X on ports with Printers …but what happens when the device moves or another endpoint plugs into that port?!
• Solution: MAC Authentication Bypass (MAB)
One MAB For All
• ISE and 3rd-Party MAB Support
• MAC Authentication is NOT a defined standard.
• Cisco uses Service-Type=Call-Check to detect MAB and uses Calling-Station-ID for the host lookup in the identity store.
• Most 3rd parties use Service-Type=Login for 802.1X, MAB and WebAuth
– Some do not populate Calling-Station-ID with the MAC address!
• With ISE 1.2, MAB can work with different Service-Type and Calling-Station-ID values or “password” settings.
• Recommendation is to keep as many checkboxes enabled as possible for increased security
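The slide's point is that each relaxed MAB check widens the set of RADIUS requests that get treated as a host lookup. As an added example (not ISE's code and not from the deck), the Python below decides whether a decoded Access-Request is MAB under configurable checks; the three flags are this example's stand-ins for the ISE 1.2 checkboxes (an assumed mapping, not ISE's option names), and the request attribute sets are constructed.

```python
import re
from typing import Dict, Optional

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 and
    return aa:bb:cc:dd:ee:ff form, or None if the value is not a MAC."""
    if not value:
        return None
    hexdigits = re.sub(r"[:.\-]", "", value.strip().lower())
    if not _MAC_HEX.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_mab_request(attrs: Dict[str, str],
                   require_call_check: bool = True,
                   require_calling_station: bool = True,
                   require_password_match: bool = True) -> bool:
    """Decide whether a RADIUS Access-Request should be processed as MAB.

    Checks (each can be relaxed for 3rd-party NADs):
      - Service-Type must equal Call-Check (the Cisco convention)
      - Calling-Station-Id must be present and equal the User-Name MAC
      - User-Password must equal the User-Name MAC
    Every relaxed check admits more request shapes as MAB, which is why the
    slide recommends keeping as many of them enabled as possible."""
    if "EAP-Message" in attrs:           # an EAP exchange is 802.1X, never MAB
        return False
    user_mac = normalize_mac(attrs.get("User-Name"))
    if user_mac is None:                 # a host lookup needs a MAC identity
        return False
    if require_call_check and attrs.get("Service-Type") != "Call-Check":
        return False
    if require_calling_station:
        if normalize_mac(attrs.get("Calling-Station-Id")) != user_mac:
            return False
    if require_password_match:
        if normalize_mac(attrs.get("User-Password")) != user_mac:
            return False
    return True


def mab_lookup_key(attrs: Dict[str, str]) -> Optional[str]:
    """MAC used for the identity-store host lookup: Calling-Station-Id when
    the NAD populated it, otherwise the User-Name (3rd-party fallback)."""
    return (normalize_mac(attrs.get("Calling-Station-Id"))
            or normalize_mac(attrs.get("User-Name")))


# Constructed, already-decoded Access-Request attribute sets.
CISCO_MAB = {"Service-Type": "Call-Check", "User-Name": "0011.2233.4455",
             "User-Password": "0011.2233.4455",
             "Calling-Station-Id": "00-11-22-33-44-55"}
THIRD_PARTY_MAB = {"Service-Type": "Login", "User-Name": "001122334455",
                   "User-Password": "001122334455"}       # no Calling-Station-Id
DOT1X = {"Service-Type": "Framed", "User-Name": "kathy", "EAP-Message": "<eap>",
         "Calling-Station-Id": "00-11-22-33-44-66"}
LOGIN_WITH_MAC_USERNAME = {"Service-Type": "Login", "User-Name": "001122334455",
                           "User-Password": "not-the-mac",
                           "Calling-Station-Id": "00-11-22-33-44-55"}
```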
Identity Services Engine Guest Services
Handling Guests and Employees Without 802.1X
• Employees and some non-user devices: 802.1X
• All other non-user devices: MAB
• Guest users, and employees with missing or misconfigured supplicants: ISE Guest Services (web login as Employee or Guest)
Guest Access: Life Cycle Management
• Manage: create sponsor policy, manage sponsor groups, customize portals
• Provision: create guest accounts in the Sponsor Portal
• Notify: notify the guest using different methods (print, email, SMS)
• Report: report on all aspects of guest accounts
Cisco ISE Guest (From ISE 1.3)
• All New Guest Admin Experience
– Set up a Guest experience in 5 minutes!
– Flow Visualizer: see what guests will experience
– Customization Preview: see your customization in real time
• All User-Facing Pages Customizable
– Includes: Guest, Sponsor, My Devices portals and receipts via print, email & SMS
– Robust WYSIWYG customization with Themes
– Standards-based CSS & HTML for advanced admins
• Out-of-the-box Guest Flows
– Hotspot
– Self Service with SMS notifications & approvals
– Brand-able Sponsor Portal (mobile and desktop)
• Guest REST API
– Create and manage guest accounts
– Search, filter and bulk operation support
Hotspot (From ISE 1.3)
Goal: get them on the Internet with AUP acceptance no matter who they are, and remember them so you don’t get in their way each time they connect.
1. The guest is shown the Acceptable Use Policy (“I promise to be good.”) and clicks “I Agree”.
2. The device MAC address (44:6D:77:B4:FD:01 in the slide) is recorded against the CiscoLive hotspot.
3./4. Success: the guest is on the Internet.
Self-Registered Guest Access with SMS (From ISE 1.3)
The user
• Provides personal information and phone number
• Receives credentials via SMS
• Provides these credentials at the web login page
• Is successfully logged in
Flow: 1. Self Service Sign-up (accept the Acceptable Use Policy terms and conditions: “I Agree”) → 2. Verified Credentials → 3. Logging in → 4. Success and Redirect
Streamlined Sponsor Portals (From ISE 1.3)
• Branding with Themes!
• Streamlined Guest Creation: quickly create single or multiple accounts, and deliver them by Print, Email or SMS
• Mobile Sponsors: you are free to move about the cabin! Create and manage guest accounts from your mobile phone or tablet.
How Could I Create My Own Portal in Minutes?
https://isepb.cisco.com
• 17 languages
• All portals supported (hotspot, self-registered, BYOD, …)
CWA Flow
• Tracking the session ID provides support for session lifecycle management, including CoA.
Redirect URL (the session ID is carried as a parameter):
https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=cwa
Flow: the endpoint connects to WLAN=Corp → the network device tries MAB → MAB fails, but ISE returns the default policy = URL redirect to ISE + session ID → the browser is redirected to the ISE portal.
Components of a Full Guest Lifecycle Solution
• Provision: guest accounts via sponsor portal
• Notify: guests of account details by print, email, or SMS
• Manage: sponsor privileges, guest accounts and policies, guest portal
• Authenticate/Authorise: guests via a guest portal on ISE
• Report: on all aspects of guest accounts
Posture
Are My Endpoints Compliant?
Posture Assessment
• Does the PC Desktop Meet Security Requirements?
• Posture = the state of compliance with the company’s security policy.
– Is the system running the current Windows patches?
– Anti-Virus installed? Is it up-to-date?
– Anti-Spyware installed? Is it up-to-date?
– Is the endpoint running the corporate application?
– Is the endpoint running an unauthorised application?
• Extends the user / system identity to include posture status.
ISE Posture Assessment
Flow: Authenticate (AuthC user, AuthC endpoint) → Posture Assess → Authorise.
• Posture = Unknown / Non-compliant: Quarantine (dVLAN, dACLs, SGT) and Remediate (OS hotfix via WSUS, AV / AS, launch app, personal scripts, FW, etc.)
• Posture = Compliant: Permit Access (dACL, dVLAN, SGT, etc.)
ISE Posture Assessment Checks
• Microsoft Updates
– Service Packs
– Hotfixes
– OS/Browser versions
• Antivirus
– Installation/Signatures
• Antispyware
– Installation/Signatures
• File data
• Services
• Applications/Processes
• Registry keys
BYOD
Extending Network Access to Personal Devices
Onboarding Personal Devices
Registration, Certificate and Supplicant Provisioning
• Provisions device certificates
– Based on Employee-ID & Device-ID
• Provisions native supplicants:
– Windows: XP, Vista, 7 & 8
– Mac: OS X 10.6, 10.7 & 10.8
– iOS: 4, 5, 6 & 7
– Android: 2.2 and above
– 802.1X + EAP-TLS, PEAP & EAP-FAST
• Employee Self-Service Portal (MyDevices Portal)
– Lost devices are blacklisted
– Self-service model reduces IT burden
• Single and dual SSID onboarding.
BYOD Policy in ISE
Conditions evaluated by the rule:
• Device: Registered?
• User: AD Employee?
• AuthC Method: Auth Method = Cert? Cert SAN value = MAC?
• Result: Employee Access
ISE Integration with 3rd-Party MDM Vendors
• MDM device registration via ISE
– Non-registered clients redirected to the MDM registration page
• Restricted access
– Non-compliant clients will be given restricted access based on policy
• Endpoint MDM agent
– Compliance
– Device applications check
• Device action from ISE
– Device stolen -> wipe data on client
MDM Compliance Checking
• Compliance and attribute retrieval via API
• Compliance based on:
– Macro level: general Compliant or !Compliant status
OR
– Micro level: disk encryption enabled, PIN lock enabled, jailbroken status
• MDM attributes available for policy conditions
• “Passive Reassessment”: bulk recheck against the MDM server using a configurable timer.
– If the result of the periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session.
Sample Authorisation Policy
Combining BYOD + MDM
• If Employee but not registered with ISE (Endpoints:BYODRegistration EQUALS No), then start the NSP flow
• If Employee and registered with ISE (Endpoints:BYODRegistration EQUALS Yes), then start the MDM flow
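The BYOD rule table, the MDM compliance options and the sample policy above describe one decision chain. As an added example (not ISE's code and not from the deck), the Python below evaluates that chain for a session: employee check, BYOD registration, certificate SAN equal to the MAC, then the MDM flow at macro or micro level, plus the passive-reassessment recheck that yields the sessions to terminate with a CoA. The group name "Employees", the result labels and the MDM attribute names are assumptions; the sessions are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


def _norm_mac(value: str) -> str:
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


@dataclass
class Session:
    mac: str
    user_groups: frozenset              # AD group memberships resolved by ISE
    auth_method: str                    # e.g. "EAP-TLS", "PEAP", "MAB"
    cert_san: Optional[str]             # SAN of the client certificate, if any
    byod_registered: bool               # Endpoints:BYODRegistration EQUALS Yes/No
    mdm: Optional[Dict[str, object]]    # attributes from the MDM API; None = unknown to MDM


def mdm_compliant(mdm: Optional[Dict[str, object]], micro: bool = False) -> bool:
    """Macro level: trust the MDM's overall Compliant flag.
    Micro level: require disk encryption and PIN lock and not jailbroken
    (attribute names are assumed, not a specific vendor's schema)."""
    if mdm is None:
        return False
    if not micro:
        return bool(mdm.get("compliant"))
    return (bool(mdm.get("disk_encrypted")) and bool(mdm.get("pin_lock"))
            and not bool(mdm.get("jailbroken")))


def authorize(s: Session, micro: bool = False) -> str:
    """Evaluate the slide's BYOD + MDM rules top-down; returns a result label."""
    if "Employees" not in s.user_groups:
        return "DenyAccess"                  # non-employees are outside this policy
    if not s.byod_registered:
        return "NSP"                         # start Native Supplicant Provisioning
    # Registered with ISE: the device must present its own provisioned certificate.
    if s.auth_method != "EAP-TLS" or s.cert_san is None:
        return "DenyAccess"
    if _norm_mac(s.cert_san) != _norm_mac(s.mac):
        return "DenyAccess"                  # certificate issued to a different device
    # MDM flow
    if s.mdm is None:
        return "MDM-Redirect"                # not registered with the MDM
    if not mdm_compliant(s.mdm, micro):
        return "Restricted"
    return "Employee-Access"


def passive_reassessment(active: List[Session], fresh: Dict[str, Dict[str, object]],
                         micro: bool = False) -> List[str]:
    """Bulk recheck on the timer: MACs whose session should be terminated with a
    CoA because the MDM now reports the device as no longer compliant."""
    return [s.mac for s in active
            if authorize(s, micro) == "Employee-Access"
            and not mdm_compliant(fresh.get(s.mac), micro)]


# Constructed sessions.
COMPLIANT_MDM = {"compliant": True, "disk_encrypted": True, "pin_lock": True,
                 "jailbroken": False}
EMP = frozenset({"Employees"})
UNREGISTERED = Session("00:11:22:33:44:01", EMP, "PEAP", None, False, None)
REGISTERED_NO_MDM = Session("00:11:22:33:44:02", EMP, "EAP-TLS",
                            "00-11-22-33-44-02", True, None)
GOOD = Session("00:11:22:33:44:03", EMP, "EAP-TLS", "00-11-22-33-44-03", True,
               COMPLIANT_MDM)
SAN_MISMATCH = Session("00:11:22:33:44:04", EMP, "EAP-TLS", "00-11-22-33-44-03",
                       True, COMPLIANT_MDM)
```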
Reporting
Mobile Device Management Report

TrustSec Introduction
What is TrustSec? Centrally controlled by the ISE Policy Server
• Software-defined segmentation technology supported in over 20 Cisco product families
• PCI DSS validated
• Revolutionary access control enforcement
• Assign a TAG at login → enforce that tag in the Campus / Branch / Datacentre / Firewall (campus and DC switches, firewalls, routers)
• Allows you to:
– Segment the network using logical security groups
– Control access to assets based on security groups
– Scale security enforcement
The Poor Business Class Passenger

TrustSec Concept
• Classification of systems/users based on context (user role, device, location, access method)
• A Security Group Tag (SGT) is assigned based on context
• SGT used by firewalls, routers and switches to make intelligent blocking decisions
Example: ISE classifies users and devices from the directory (user assigned SGT 5); the SGT is propagated through the switch, router, DC firewall and DC switch, where enforcement decides whether SGT 5 may reach the Fin Servers (SGT = 4) or the HR Servers (SGT = 10).
SGT Assignments
Where an SGT can be assigned along the path (Campus Access → Distribution → Core → Enterprise Backbone → DC Core → EOR → DC Access):
• End user / endpoint is classified with an SGT at campus access
• BYOD device is classified with an SGT on the WLC
• SVI interface is mapped to an SGT
• VLAN is mapped to an SGT
• Physical server is mapped to an SGT at DC access
• Virtual machine is mapped to an SGT in the hypervisor switch
Security Group Based Access Control for Firewalls
• Security Group Firewall (SGFW): rules match on source tags and destination tags
APIs and pxGrid
Sharing Context Throughout the Network
• ERS SDK: Software Development Kit to aid deployment.
pxGrid
• Access-controlled interface to ISE context & network control (Endpoint Protection Service: network actions via ISE EPS)
• Focus is export of ISE session context and enabling remediation actions from external systems
• Granular context acquisition via queries to a publisher/subscriber interface
How pxGrid Works
Authorise → Publish → Discover → Subscribe → Query
• ISE as pxGrid Controller
• Continuous publish flow: a publisher announces a topic (“I have location!”, “I have application info!”, “I have sec events!”, “I have identity & device!”, “I have MDM info!”) and subscribers receive updates continuously
• Directed query: a consumer discovers the topic it needs (“I need app & identity…”, “I need location & device-type”, “I need identity & device…”, “I need geo-location & MDM…”, “I need location…”) and queries the publisher directly
Architectural Approach
Building an Identity-Based Network Architecture
• Architecture and Building Plan
A. Make sure you have the right pieces before production.
B. Deploy in phases to minimize disruption and increase adoption rate.
C. Keep the end goal in mind BUT…
Summary
Written to be Realized Security Policy (For Your Reference)
Simple version: the policy is keyed on User and Device Type.
Enforcement Policy
• Permissions = Authorisations
• Defines the access control policy and other attributes to be applied to the auth session.
Advanced version: the policy is keyed on User, Device Type, Location, Posture, Time, Access Method and Custom attributes.
Call to Action
• Visit the World of Solutions for
– Cisco Booths
– Walk in Labs, Technical Solution Clinics
• Meet the Engineer
• Lunch time Table Topics
• DevNet zone related labs and sessions

Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Questions?
Recommended Reading
• For reading material and further resources for this session, please
visit www.pearson-books.com/CLMilan2015

Links
• Secure Access, TrustSec, and ISE on Cisco.com
– http://www.cisco.com/go/trustsec
– http://www.cisco.com/go/ise
– http://www.cisco.com/go/isepartner
• TrustSec and ISE Deployment Guides:
– http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
• YouTube, ISE: https://www.youtube.com/user/CiscoISE
• Fundamentals of TrustSec:
– http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew
