Brksec-1011 (2015)
BRKSEC-1011
Yuval Shchory
Product Line Manager, Access and Policy, SBG
From ISE 1.3
Session Abstract
This session covers the building blocks for a policy-based access control
architecture for wired, wireless, and VPN networks using Identity Services Engine
(ISE).
Starting with basic user and device authentication and authorisation using
technologies like 802.1X, MAB, Web Authentication, and certificates/PKI, the
session will show you how to expand policy decisions to include contextual
information gathered from profiling, posture assessment, location, and external
data stores such as AD and LDAP.
The architecture will be expanded further to address key use cases such as Guest
access and management, BYOD (device registration and supplicant provisioning),
MDM policy integration, and 802.1AE (MACsec), as well as visibility and pervasive
policy enforcement through VLANs, ACLs, and TrustSec.
BRKSEC-1011 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Housekeeping
Reference slides will be in the published version only
Agenda
• Introduction & Welcome
• Secure Access Architecture
• Gaining Visibility
• Authenticating and Authorising
• Visitation Rights
• Keeping the Network Clean
• Connecting not-so-Geeky Geeks
• Securing by Roles in the Network
• Sharing Context
• Summary
What is Secure Access and TrustSec?
• Think of it as “Next-Generation NAC”
• Secure Access is Cisco’s Architecture for Context-based Identity and Access
Control, including:
– Profiling Technologies
– RADIUS
– IEEE 802.1X (Dot1x)
– Guest Services
– Device Management
– TrustSec
– Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
All-in-One Enterprise Policy Control
[Figure: identity and context feed Cisco® ISE, which applies business-relevant policies to wired, wireless, and VPN access.]
The Importance of Contextual Identity
Visibility “What” is Connecting to My
Network?
Profiling
• What ISE Profiling is:
– Dynamic classification of every device that connects to the network, using the infrastructure.
– Provides the context of “What” is connected, independent of user identity, for use in access policy decisions
[Figure: profiled endpoint classes, PCs and Non-PCs such as UPS, Phone, Printer and AP.]
Profiling Policy Overview
Profile Policies Use a Combination of Conditions to Identify Devices
Example conditions:
– DHCP:host-name CONTAINS iPad
– IP:User-Agent CONTAINS iPad
Profiling Non-User Devices
Dynamic Population of MAB Database Based on Device Type
[Figure: ISE dynamically populates the MAB database by device type and the access switch enforces the result: Cameras = Video VLAN; UPS = Management_Only dACL.]
Profiling User Devices
Differentiated Access Based on Device Type
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
[Figure: the same user gets differentiated access through the WLAN Controller and ISE. Kathy + Corp Laptop = Full Access to Marketing VLAN (VLAN = Marketing). Kathy + Personal Tablet / Smartphone = Limited Access (Internet Only; Named ACL = Internet_Only).]
How Is Profile Library Kept Current With Latest Devices?
Access Control System Must Detect and Classify Everything That Connects to the Network
[Figure: the ISE Policy Server gathers device information from many sources: CDP/LLDP/DHCP/mDNS/MSI/H323/RADIUS from the access layer, HTTP/DHCP/RADIUS, DHCP/NetFlow, SNMP, NMAP/SNMP, DNS, VPN, and Cisco Prime.]
Device Sensor Support
[Figure: Device Sensor on Catalyst 3k/4k switches and WLCs forwards discovered attributes to ISE, e.g. device name SEP002155D60133, IP address 10.100.15.100, platform "Cisco Systems, Inc. IP Phone CP-7945G", and ISE shows the resulting profiling result for the phone.]
Verification Control
Authentication and Authorisation
What’s the Difference?
Authentication: who/what the endpoint is, plus context (802.1X / MAB / WebAuth).
Authorisation: what the endpoint has access to.
Authentication Rules
Choosing the Right ID Store
[Figure: the available authentication options.]
Authorisation Rules
[Figure: authorisation rules built from session context.]
Separation of Authentication and Authorisation
[Figure: a Policy Set ties a condition to separate Authentication and Authorisation policies. Authorisation conditions draw on external identity groups, RADIUS and directory attributes, session attributes, posture state, and profiled groups.]
Detailed Visibility into Passed/Failed Attempts
Monitor Mode
• A Process, Not Just a Command
• Enables 802.1X authentication on the switch, but even failed authentication will gain access
• Allows network admins to see who would have failed, and fix it, before causing a Denial of Service
Interface Config
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
[Figure: switchport Pre-AuthC and Post-AuthC. In both states DHCP, TFTP, KRB5, HTTP and EAPoL are permitted (Permit All). Traffic always allowed. AuthC = Authentication, AuthZ = Authorisation.]
Low-Impact Mode
• If Authentication Is Valid, Then Specific Access!
[Figure: switchport Pre-AuthC and Post-AuthC. Pre-AuthC a pre-auth ACL permits only DHCP, TFTP, KRB5, HTTP and EAPoL; Post-AuthC a role-based ACL (e.g. permitting RDP) and/or an SGT is applied.]
Closed Mode
• No Access Prior to Login, Then Specific Access!
[Figure: switchport Pre-AuthC and Post-AuthC. Pre-AuthC only EAPoL is permitted, DHCP, TFTP, KRB5 and HTTP are blocked; Post-AuthC either Permit All, or a Role-Based ACL and/or SGT.]
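An added example, not from the deck: a Python audit that classifies the switchports in a saved running-config into the three modes above (Monitor, Low-Impact, Closed), so an admin can find ports still left in Monitor mode before cutting over. Treating an inbound `ip access-group` as the pre-auth ACL is an assumption, and the sample config is constructed.

```python
import re

# Added example, not from the BRKSEC-1011 deck: audit each switchport's deployment
# mode using the three modes the slides describe. Monitor = 'authentication open'
# with no pre-auth ACL (everything passes even on failure); Low-Impact =
# 'authentication open' plus an inbound 'ip access-group' ACL (assumed here to be
# the pre-auth ACL); Closed = no 'authentication open'. The config is constructed.

def parse_interfaces(config_text):
    """Split IOS running-config text into {interface_name: [commands]}."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def deployment_mode(commands):
    """'Monitor', 'Low-Impact', 'Closed', or 'None' when 802.1X/MAB is not enabled."""
    if "authentication port-control auto" not in commands:
        return "None"
    if "authentication open" not in commands:
        return "Closed"
    has_acl = any(c.startswith("ip access-group ") and c.endswith(" in") for c in commands)
    return "Low-Impact" if has_acl else "Monitor"

def audit(config_text):
    """Map every interface in the config to its deployment mode."""
    return {name: deployment_mode(cmds) for name, cmds in parse_interfaces(config_text).items()}
# Constructed running-config: the Monitor-mode port from the slide plus two others.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 authentication port-control auto
"""
```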
Securing Access From Non-User Devices
• Non-Authenticating Devices
– These are devices that were forgotten
– They do not have software to talk EAP on the network
…or they were not configured for it
Examples: Printers, IP Phones, Cameras, Badge Readers
One MAB For All
• ISE and 3rd-Party MAB Support
Identity Services Engine Guest Services
Handling Guests and Employees Without 802.1X
[Figure: guest portal login for Guest Users, with separate Employee and Guest credential fields.]
Guest Access: Life Cycle Management
Customize Portals
From ISE 1.3
Hotspot
[Figure: hotspot guest flow in four steps: the guest endpoint (MAC 44:6D:77:B4:FD:01) connects, is shown the Acceptable Use Policy (AUP, "I promise to be good."), clicks "I Agree", and reaches the Success page.]
From ISE 1.3
[Figure: the AUP page, with its terms and conditions and "I Agree" button, rendered on a mobile device.]
Mobile Sponsors
You are free to move about the cabin!
Create and manage guest accounts from your mobile phone or tablet.
How Could I Create My Own Portal in Minutes?
https://isepb.cisco.com
• 17 languages
• All portal support (hotspot, self-registered, BYOD, ...)
CWA Flow
Tracking session ID provides support for session lifecycle management including CoA.
https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=cwa
[Figure: CWA flow: the endpoint connects to WLAN=Corp, MAB is tried, and the client is redirected to the guest portal URL above, which carries the session ID.]
Components of a Full Guest Lifecycle Solution
Posture
Are My Endpoints Compliant?
Posture Assessment
• Does the PC Desktop Meet Security Requirements?
ISE Posture Assessment
[Figure: ISE posture flow. The user authenticates (AuthC), then the endpoint is posture-assessed (OS hotfixes, AV/AS, firewall, etc.). Posture = Unknown/Non-compliant: quarantine with dVLAN, dACLs or SGT and remediate (WSUS, launch app, personal scripts, more). Posture = Compliant: authorise and permit access via dACL, dVLAN, SGT, etc.]
ISE Posture Assessment Checks
• Microsoft Updates
– Service Packs
– Hotfixes
– OS/Browser versions
• Antivirus
– Installation/Signatures
• Antispyware
– Installation/Signatures
• File data
• Services
• Applications/Processes
• Registry keys
BYOD
Extending Network Access to Personal Devices
Onboarding Personal Devices
Registration, Certificate and Supplicant Provisioning
• Device Onboarding: MyDevices Portal
• Certificate Provisioning: provisions device certificates
‒ Based on Employee-ID & Device-ID
• Supplicant Provisioning: provisions native supplicants
‒ Windows: XP, Vista, 7 & 8
‒ Mac: OS X 10.6, 10.7 & 10.8
‒ iOS: 4, 5, 6 & 7
‒ Android: 2.2 and above
‒ 802.1X + EAP-TLS, PEAP & EAP-FAST
BYOD Policy in ISE
[Figure: authorisation flow. Registered? → AD Employee? → Cert SAN value = MAC? → Employee Access.]
ISE Integration with 3rd-Party MDM Vendors
• MDM device registration via ISE
– Non-registered clients redirected to MDM registration page
• Restricted access
– Non-compliant clients will be given restricted access based on policy
Sample Authorisation Policy
Combining BYOD + MDM
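An added example, not from the deck, covering both the BYOD policy checks and the MDM integration above: a Python first-match rule evaluator that returns the authorisation result for a session, the way an ISE authorisation policy is read top-down. Rule names, result strings and the session values are constructed.

```python
from dataclasses import dataclass

# Added example, not from the BRKSEC-1011 deck: first-match authorisation rules
# combining the BYOD checks on the slide (device registered, user in the AD
# Employees group, certificate SAN equal to the endpoint MAC) with the MDM checks
# (not MDM-registered -> redirect to MDM registration; not compliant -> restricted
# access). Rule names, result strings and the session values are constructed.

@dataclass
class Session:
    mac: str
    cert_san: str            # SAN from the EAP-TLS client certificate
    ad_groups: tuple         # groups returned by the AD identity store
    byod_registered: bool    # endpoint is in the RegisteredDevices group
    mdm_registered: bool     # the MDM vendor knows this device
    mdm_compliant: bool      # the MDM reports the device compliant

def cert_matches_endpoint(session):
    """The provisioned certificate's SAN must equal the MAC of the session it is
    presented from, so a certificate copied to another device is refused."""
    return session.cert_san.replace("-", ":").lower() == session.mac.lower()

def is_employee(session):
    return "Employees" in session.ad_groups

RULES = [  # (rule name, condition, authorisation result); evaluated top-down
    ("BYOD_Not_Registered", lambda s: is_employee(s) and not s.byod_registered,
     "Redirect:BYOD_Portal"),
    ("Cert_Does_Not_Match", lambda s: s.byod_registered and not cert_matches_endpoint(s),
     "DenyAccess"),
    ("MDM_Not_Registered", lambda s: s.byod_registered and not s.mdm_registered,
     "Redirect:MDM_Registration"),
    ("MDM_Non_Compliant", lambda s: s.byod_registered and not s.mdm_compliant,
     "dACL:Restricted_Access"),
    ("Employee_BYOD", lambda s: is_employee(s) and s.byod_registered,
     "VLAN:Employee,dACL:Permit_All"),
]

def authorise(session, rules=RULES):
    """Return (rule name, result) of the first matching rule; default is deny."""
    for name, condition, result in rules:
        if condition(session):
            return name, result
    return "Default", "DenyAccess"

# Constructed sessions.
GOOD = Session("00:11:22:33:44:55", "00-11-22-33-44-55", ("Employees",), True, True, True)
UNREGISTERED = Session("00:11:22:33:44:66", "", ("Employees",), False, False, False)
COPIED_CERT = Session("00:11:22:33:44:77", "00-11-22-33-44-55", ("Employees",), True, True, True)
```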
TrustSec Introduction
What is TrustSec? Centrally controlled by the ISE Policy Server.
The Poor Business Class Passenger
TrustSec Concept
[Figure: Classification: ISE, with the directory, classifies users and devices into security groups (e.g. Fin Servers SGT = 4). SGT Propagation carries the tag through the network. Enforcement applies policy based on the tag.]
SGT Assignments
[Figure: SGT assignment points across the enterprise backbone: a BYOD device is classified with an SGT at the WLC; a VLAN is mapped to an SGT at the switch; a virtual machine is mapped to an SGT by the hypervisor switch; the tag travels with the packet (SRC: 10.1.100.98) to the firewall.]
Security Group Based Access Control for Firewalls
• Security Group Firewall (SGFW)
APIs and pxGrid
Sharing Context Throughout the Network
• ERS SDK: Software Development Kit to aid deployment.
pxGrid
• Access-Controlled Interface to ISE Context & Network Control
[Figure: pxGrid shares ISE context data with partner platforms and exposes network actions via the ISE Endpoint Protection Service (EPS).]
Architectural Approach
Building an Identity-Based Network Architecture
• Architecture and Building Plan
• Deploy in phases to minimize disruption and increase adoption rate.
Summary
Written to be Realized Security Policy (Simple Version)
Enforcement Policy
• Permissions = Authorisations
• Defines the access control policy and other attributes to be applied to the auth session.
Written to be Realized Security Policy (Advanced Version)
Call to Action
• Visit the World of Solutions for
– Cisco Booths
– Walk-in Labs, Technical Solution Clinics
• Meet the Engineer
• Lunchtime Table Topics
• DevNet zone related labs and sessions
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session.
• Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
Questions?
Recommended Reading
• For reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015
Links
• Secure Access, TrustSec, and ISE on Cisco.com
– http://www.cisco.com/go/trustsec
– http://www.cisco.com/go/ise
– http://www.cisco.com/go/isepartner
• TrustSec and ISE Deployment Guides:
– http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
• YouTube, ISE: https://www.youtube.com/user/CiscoISE
• Fundamentals of TrustSec:
– http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew