Brain Storm March 12th Session V 8
Topics
– How did we get here? (Story)
– Right Priority, Unpopular Message
– Identity Service Engine (ISE) 101
– Live Demo of ISE - Dynamic ACL/Dynamic VLANs/Web Auth/Reporting/User Integration
– Mobile Device Management Solutions (MDM)
– Live CX Next Generation firewalls for applications
– Questions
Right Priority, Unpopular Message
1. Solid, switched, virtualized network
2. Pervasive RF in all areas where students will be focused, with Central Web Authorization
3. Internet capacity to allow consumption without frustration & ensure filtering is accurate
4. High capacity virtualized server environment for applications
5. Add Identity Services posture and profile services to Authorization, with NCS Prime for Management
6. Utilize an MDM for rapid deployment
ISE 101
Solutions Overview
What we have done so far…
[Flowchart: Start Here → Single Service? → yes: Access-Accept; no: Access-Reject]
What is the flow of a Policy in ISE…
[Flowchart: Start Here → decision nodes Registered?, Student?, Guest?, Registered Device?, i-Device?; outcomes Access-Reject, Access-Accept, Internet Only]
Live Demo of ISE
– Dynamic ACL
– Dynamic Vlans
– Web Authentication
– Reporting
– User Integration
ISE Deep Dive
ISE Personas
Administration Node
– Interface to configure policies
Monitoring Node
– Interface for logging and report data
[Diagram: Primary and Secondary Monitoring nodes; Policy Service nodes]
Distributed Deployment
• Administration + Monitoring on same appliance; Policy Service on dedicated appliance
• 2 x Admin+Monitor
• Max 5 PSNs
• Max 10k endpoints
[Diagram: two Admin+Mon appliances and five Policy Service appliances]
Typical ISE Deployment
Example Small School District
[Diagram: A/S Admin, Monitoring, Policy Service nodes; AD/LDAP (External ID/Attribute Store); HA Inline Posture Nodes; Campus A with ASA VPN, WLC, 802.1X switch and AP; Branch A and Branch B each with 802.1X switch and AP]
Typical ISE Deployment
Example Medium 2 Building Campus
[Diagram: HA Inline Posture Nodes; Distributed Inline Posture Node; Campus A and Campus B each with 802.1X switch, WLC and AP; Branch A and Branch B each with 802.1X switch and AP]
Mobile Device Management
[Diagram: Cisco Prime Infrastructure w/ Assurance; Mobility Services Engine (MSE); Identity Services Engine (ISE); Mobile Device Management; Catalyst Switches; Cisco WLC; Cisco AnyConnect]
ISE & MDM Are Complementary
ISE:
– Classification/Profiling
– Secure Network Access (Wireless, Wired, VPN)
– Context-Aware Access Control (Role, Location, etc.)
Both:
– AUP
– Registration Management
– Cert + Supplicant Provisioning
MDM:
– Mobile + PC Enterprise Software Distribution
– User <-> Device Ownership (Backup, Remote Wipe, etc.)
– Policy Compliance (Jailbreak, Pin Lock, etc.)
– Secure Data Containers
– Inventory Management
Mobile Device Management Flow
Multi Context NG Firewall
Multiple Contexts - One Firewall
– BYOD Segments
– Student Wired Segments
– Guest Segments
Closing discussion
– Topics to take away and respond to
Leave you with these questions
• What is your BYOD policy?
• Where is your BYOD roadmap?
• How do you know what is on your network at any given time, and what they are doing?
• How do you allow contractors access to your network?
• How do you profile devices?
• How do you ensure data loss prevention on devices?
• How would you minimize the risk of your 802.1X rollout without risking outages?
• How would you segment data center access?
Reference Slides
Solution: Cisco TrustSec
[Diagram: Cisco TrustSec topology with wireless users, remote VPN users and devices; inline node with eth0 (inside), eth1 (outside), FO State link and Service IP links; trunk with VPN VLANs 11-15; Internet via ISP B; internal network; student segment]
Mobile Device Management on Cloud
• For cloud-based solutions, bandwidth and latency will need to be considered.
• Scalability = 30 calls per second.
• Survivability:
– If the MDM is not available, the rule will not match.
– Will (by default) stick the user in the “Register with MDM” state.
• Ability for administrator and user in ISE to issue remote actions on the device through the MDM server (e.g. remote wiping the device).
• MyDevices Portal
– Endpoints Directory in ISE
Mobile Device Management API
• With the API, we can query on:
– General Compliant or Not Compliant (macro level) -or-
– Disk encryption
– Pin lock
– Jailbroken
– Bulk re-check against the MDM every 4 hours.
– But we are not using the cached data in the AuthZ.
• If the result of the bulk re-check shows that a device is no longer compliant, we will send a CoA (Change of Authorization) to terminate the session.
• Works the same with all 4 vendors.
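The query-then-re-check cycle described in the MDM on Cloud and MDM API slides, modelled as an added Python example (not Cisco code and not the real ISE or MDM API); the MAC addresses, the attribute names and the Access-Reject default for a non-compliant device at first connect are assumptions:

```python
from typing import Callable, Dict, Optional

# Constructed sample of MDM compliance answers keyed by endpoint MAC.
# The attribute names are assumptions; they stand for the items the slide lists.
MDM_RECORDS: Dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"compliant": True, "disk_encrypted": True, "pin_lock": True, "jailbroken": False},
    "aa:bb:cc:00:00:02": {"compliant": True, "disk_encrypted": True, "pin_lock": False, "jailbroken": False},
    "aa:bb:cc:00:00:03": {"compliant": False, "disk_encrypted": True, "pin_lock": True, "jailbroken": True},
}

Policy = Callable[[dict], bool]

def query_mdm(mac: str, mdm_available: bool = True) -> Optional[dict]:
    """Stand-in for the live MDM API call; None models an unreachable MDM or an
    endpoint the MDM has never seen. No cached copy is consulted (as the slide says)."""
    return MDM_RECORDS.get(mac) if mdm_available else None

def macro_policy(rec: dict) -> bool:
    """Macro-level rule: trust the MDM's overall compliant flag."""
    return rec["compliant"]

def attribute_policy(rec: dict) -> bool:
    """Attribute-level rule: require disk encryption and PIN lock, refuse jailbroken."""
    return rec["disk_encrypted"] and rec["pin_lock"] and not rec["jailbroken"]

def authorize(mac: str, policy: Policy, mdm_available: bool = True) -> str:
    """Initial authorization. With no MDM answer the MDM rule cannot match, so the
    endpoint is left in the 'Register with MDM' state, as the slide describes."""
    rec = query_mdm(mac, mdm_available)
    if rec is None:
        return "Register with MDM"
    # Access-Reject for a non-compliant device at first connect is an assumed default.
    return "Access-Accept" if policy(rec) else "Access-Reject"

def bulk_recheck(sessions: Dict[str, str], policy: Policy,
                 mdm_available: bool = True) -> Dict[str, str]:
    """The periodic re-check (every 4 hours on the slide) over active sessions.
    Returns the CoA actions to issue: a session whose device is no longer compliant
    is terminated. If the MDM gives no answer, nothing is decided (assumed behaviour)."""
    actions: Dict[str, str] = {}
    for mac, state in sessions.items():
        if state != "Access-Accept":
            continue  # only admitted sessions hold an authorization worth revoking
        rec = query_mdm(mac, mdm_available)
        if rec is not None and not policy(rec):
            actions[mac] = "CoA: terminate session"
    return actions
```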
Mobile Device Management Solutions
[Diagram: data sources NetFlow, SNMP Traps, RADIUS, alarm-triggered Syslog, Syslog (UDP/20514)]
Administration HA and Synchronization
• Changes made via the Primary Administration DB are automatically synced to the Secondary Administration and all Policy Service nodes.
[Diagram: Admin Node (Primary) → Policy Sync → Policy Service Nodes and the secondary Admin Node; User Logging → Monitoring Node (Primary) and Monitoring Node (Secondary)]