© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Secure Access Solutions With Identity Services Engine György Ács
Security CSE
EMEA Central Core Team
16 March 2012
ISE: Policies for people and devices

Non-User Devices
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?

Guest Access
• Can I allow guests Internet-only access?
• How do I manage guest access?
• Can this work in wireless and wired?
• How do I monitor guest activities?

Authorized Access
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart devices?
• Access rights on premises, at home, on the road?
• Are the devices healthy?
Policy intent examples (figure: Cisco® Identity Services Engine with Cisco Wireless LAN Controller, Cisco Access Point and Cisco Switch between the Internet, the Campus Network and Internal Resources):
“Printers should only ever communicate internally”
“Employees should be able to access everything but have limited access on personal devices”
“Everyone’s traffic should be encrypted”
ACS, NAC Manager, NAC Server, NAC Profiler, NAC Guest → Identity Services Engine: Policy Server Designed for TrustSec
• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting
• NAC Agent
  Permanent
  Supports posture and remediation
• AnyConnect
  Permanent
  802.1X supplicant
• Web Agent
  Supports guests
  No permanent software installation
Authentication/Authorization
Posture
Guest
Profiling
MACSec and SGA
Dynamic session control from a Policy server (RADIUS dynamic authorization; figure: ISE → RADIUS Client, device moved between Guest VLAN and Corp VLAN)
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
• Session Query
  For Active Services
  For Complete Identity
• Service Specific
  Service Activate
  Service De-activate
  Service Query
! Enable 802.1X globally and accept RADIUS dynamic authorization (CoA) from ISE at 10.1.100.21
switch(config)# dot1x system-auth-control
switch(config)# aaa server radius dynamic-author
switch(config-locsvr-da-radius)# client 10.1.100.21 server-key 0 cisco123
! Access ports: 802.1X and MAB, open mode (traffic allowed before authentication), one session per MAC
switch(config)# interface range g0/1-3, g0/5
switch(config-if-range)# switchport mode access
switch(config-if-range)# authentication port-control auto
switch(config-if-range)# dot1x pae authenticator
switch(config-if-range)# mab
switch(config-if-range)# authentication open
switch(config-if-range)# authentication host-mode multi-auth
switch(config-if-range)# switchport access vlan 10
switch(config-if-range)# switchport voice vlan 40
! Try MAB first, but let an 802.1X supplicant take precedence when one is present
switch(config-if-range)# authentication order mab dot1x
switch(config-if-range)# authentication priority dot1x mab
802.1X / EAP and RADIUS flow (figure). Topology: ACCESS 10.1.10.x /24 with Access Switch .1; VLAN 100 = “DATACENTER” = 10.1.100.0 /24 with AAA (ISE) .21; switch AAA configuration: aaa authen dot1x default group RADIUS; RADIUS-Key: cisco123; Open Mode: ACL-DEFAULT: permit DHCP.
1) Detection: EAPoL-Start
2) Challenge & Response: Protocol Negotiation (PEAP, EAP-FAST, EAP-TLS); Identity Challenge & Response; supplicant prompts: Trust Auth Server Cert? Username & Password? (Cisco/Cisco123)
3) Authentication: Access-Request with Service Selection: 802.1X; NAS-IP: 10.1.10.5; IETF:NAS-Port-Type == Ethernet; IETF:Service-Type == Framed; Calling-Station-ID = dead:beef:feed; Username: cisco. Success! Group: Internal Users
4) Authorization: Authorization Policy: PREPOSTURE. Access-Accept / EAP Success carrying:
   [27] = 86400 (24 hours)
   [29] = RADIUS-Request (1)
   [64,65,81] = VLAN, 802, “ACCESS”
   [26/9/1] = dACL=ACL-PREPOSTURE
   Authorization applied, Re-DHCP (ACL-PREPOSTURE)
5) Accounting: Accounting-Start; Accounting-Stop on Disconnect, Shutdown, Restart, Sleep. Records carry Timestamp, MAC, NAS IP, Port ID, Username, Group, Session-ID, …
MAB and Central Web Authentication flow (action=cwa) for a device with NO Supplicant (figure). Topology: ACCESS 10.1.10.x /24 with Switch .1; VLAN 100 = “DATACENTER” = 10.1.100.0 /24 with AAA (ISE) .21; aaa authen dot1x default group RADIUS; Open Mode: ACL-DEFAULT: permit DHCP.
1) Detection: EAPoL-Start, EAPOL TIMEOUT (no supplicant)
2) MAB Failure: MAB Request Access-Request with Service Selection: MAB; NAS-IP: 10.1.10.5;
   User-Name : [1] 14 "000423b2c55b"
   User-Password : [2] 18 *
   Service-Type : [6] 6 Call Check [10]
3) Authorization: RADIUS Authorization: GUEST. Access-Accept [GUEST ACCESS] / EAP Success carrying:
   [27] = 86400 (24 hours)
   [29] = RADIUS-Request (1)
   [64,65,81] = VLAN, 802, “GUEST”
   [26/9/1] = dACL=ACL-GUEST
   [26/9/1] = url-redirect-acl=ACL-WEBAUTH-REDIRECT
   Authorization applied, Re-DHCP (ACL-GUEST-REDIRECT)
4) HTTP BROWSER: HTTP://www.google.com → URL-Redirect 302 : HTTPS://FQDN:8443/guestportal/gateway?sessionId={SessionIdValue}&action=cwa
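As an added example (not from the slides or from Cisco), the following Python encodes the authorization attributes shown in the two flows above into RADIUS attribute TLVs and decodes them again, so the [27], [29], [64,65,81] and [26/9/1] shorthand can be checked byte by byte; the tunnel tag value of 1 and the dACL AV-pair written as the slide's shorthand text are assumptions.

```python
import struct

# RFC 2865 / 2868 attribute numbers and values used on the slides
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIVATE_GROUP = 64, 65, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
VLAN, IEEE_802 = 13, 6           # Tunnel-Type = VLAN, Tunnel-Medium-Type = 802
TAG = 1                          # tunnel attribute tag byte (assumed value)

def _avp(attr_type, value):
    # One RADIUS attribute: type(1) length(1) value; length counts the header too
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_authorization(session_timeout, vlan_name, av_pairs):
    """Attributes of an Access-Accept like the PREPOSTURE / GUEST authorizations above."""
    out = _avp(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    out += _avp(TERMINATION_ACTION, struct.pack("!I", 1))         # 1 = RADIUS-Request
    out += _avp(TUNNEL_TYPE, bytes([TAG]) + VLAN.to_bytes(3, "big"))
    out += _avp(TUNNEL_MEDIUM, bytes([TAG]) + IEEE_802.to_bytes(3, "big"))
    out += _avp(TUNNEL_PRIVATE_GROUP, bytes([TAG]) + vlan_name.encode())
    for pair in av_pairs:                                         # dACL=..., url-redirect-acl=...
        sub = struct.pack("!BB", CISCO_AVPAIR, len(pair) + 2) + pair.encode()
        out += _avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)
    return out

def parse_authorization(data):
    """Decode the attribute list back into a dict; raises on a truncated attribute."""
    result, pos = {"av_pairs": []}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type == SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif attr_type == TERMINATION_ACTION:
            result["termination_action"] = struct.unpack("!I", value)[0]
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            result[attr_type] = int.from_bytes(value[1:], "big")   # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP:
            result["vlan"] = value[1:].decode()
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            if value[4] == CISCO_AVPAIR:                          # sub-type, sub-length, text
                result["av_pairs"].append(value[6:4 + value[5]].decode())
    return result

# Constructed input: the PREPOSTURE authorization, with the dACL written as the slide shorthand
PREPOSTURE = build_authorization(86400, "ACCESS", ["dACL=ACL-PREPOSTURE"])
```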
Simple: Device Type, User
Advanced: Device Type, Location, User, Posture, Time, Access Method, Custom
Enforcement Policy: Permissions = Authorizations. Defines the access control policy and other attributes to be applied to the auth session.
802.1X authentication + posture + profiling + guest

NAC Appliance     | Description                                                                                                                  | ISE – NEW
Checks            | File, Service, Registry, AV/AS checks                                                                                        | Posture Conditions
Rules             | Multiple simple conditions are built together                                                                                | Compound Posture Conditions
Requirements      | Requirements are used with Operating Systems. They contain compound conditions. Each Requirement has a selected Remediation action. | Posture Requirements
Role Requirements | Posture policies can be evaluated based on Identity Groups, OS, and dictionary attributes. Policies contain the Requirements. | Posture Policy
Authentication
• Authenticate PC: corporate asset?
• Authenticate User
• Authenticate Guests (WEB)
• Profile Devices, MAB
Posture
• Compliance Check: OS, Hotfix, Antivirus, Personal Firewall
• Quarantine
• Remediation: Fix problem, make PC compliant
Authorization
• Create different Zones to segment network
• Assign VLAN to port
• Assign ACL to port
Guests: Authenticate/Authorize guest via a guest portal on ISE
Provision: Guest accounts via sponsor portal
Notify: Guests of account details by print, email, or SMS
Manage: Sponsor privileges, guest accounts and policies
Report: On all aspects of guest accounts
ISE shows guest URL activity when ASA syslogs are sent to ISE:
• Send syslogs to ISE M&T, UDP port 20514
• Filter on message ID # 304001: accessed URLs
• Create a Service Policy in the ASA to inspect HTTP traffic for the guest subnet
• ISE shows the accessed URLs in reports
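An added example (not Cisco's code) of the filter described above, run over constructed ASA syslog lines: it keeps only message ID 304001 records and groups the accessed URLs by guest client; the exact 304001 text layout and the 10.1.40.0/24 guest subnet are assumptions.

```python
import re
from collections import defaultdict

# Assumed ASA layout: "%ASA-5-304001: <client> Accessed URL <server>:<url>"
URL_ACCESS = re.compile(
    r"%ASA-\d-(?P<msg_id>304001): (?P<client>\S+) Accessed URL (?P<server>[^:\s]+):\s*(?P<url>\S+)")

def guest_urls(lines, guest_prefix="10.1.40."):
    """Return {client_ip: [url, ...]} for 304001 records whose client is in the guest subnet.

    Other message IDs (connection build/teardown etc.) are skipped, as the report filter does."""
    hits = defaultdict(list)
    for line in lines:
        m = URL_ACCESS.search(line)
        if m and m.group("client").startswith(guest_prefix):
            hits[m.group("client")].append(m.group("url"))
    return dict(hits)

# Constructed sample syslog lines (not captured traffic)
SAMPLE = [
    "Mar 16 2012 10:01:02 asa-guest %ASA-5-304001: 10.1.40.23 Accessed URL 93.184.216.34:http://www.example.com/",
    "Mar 16 2012 10:01:05 asa-guest %ASA-6-302013: Built outbound TCP connection 101 for outside:93.184.216.34/80",
    "Mar 16 2012 10:01:07 asa-guest %ASA-5-304001: 10.1.40.23 Accessed URL 93.184.216.34:http://www.example.com/news",
    "Mar 16 2012 10:01:09 asa-guest %ASA-5-304001: 10.1.10.50 Accessed URL 198.51.100.7:http://intranet.example/",
    "Mar 16 2012 10:01:11 asa-guest %ASA-5-304001: 10.1.40.77 Accessed URL 203.0.113.9:http://news.example.net/",
]
```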
• Profiler supplies the What.
• Profiler detects and classifies devices
• Profiler requires the advanced license
• Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication
• Employee using corporate laptop with their AD user id assigned to VLAN 30 = Full network access
• Employee using personal iPad/iPhone with their AD user id assigned to VLAN 40 = Internet only
Figure: two Employees on the Same-SSID; Access Points connected over CAPWAP; 802.1Q Trunk carrying VLAN 30 (Corporate Resources) and VLAN 40 (Internet); sequence with ISE: 1 EAP Authentication, 2 Accept with VLAN 30, 3 EAP Authentication, 4 Accept with VLAN 40
Using the Network Scan option in a profiler policy
The SNMP scan uses “public” as the default RO community
Select the NMAP scan type and activate the network scan
IOS Sensor Distributed Probes (Catalyst 3k reporting to ISE)
• Low touch deployment
• Profiling based on CDP/LLDP or DHCP
• Centralized visibility without big ISE sensor investment
• Automatic discovery for most common devices (Printers, Cisco devices, phones)
• Topology independent
Confidentiality and Integrity: Securing Data Path with MACSec
Media Access Control Security (MACSec)
• Provides “WLAN / VPN equivalent” encryption (128bit AES GCM) to LAN connection
• NIST approved* encryption (IEEE802.1AE) + Key Management (IEEE802.1X-2010/MKA or Security Association Protocol).
• Allows the network to continue to perform auditing (Security Services)
* National Institute of Standards and Technology Special Publication 800-38D
Figure: an Authenticated User with an 802.1X Supplicant with MACSec encrypts on the MACSec Link and the switch decrypts (frames on the wire are unreadable); a Guest User without MACSec sends data in clear; MACSec Capable Devices.
Note: Cat3750-X currently supports MACSec on downlink only
MACSec & AnyConnect 3.0
Unified access interface for VPN (SSL-VPN and IPSec) and 802.1X for LAN / WLAN
Supports MACSec / MKA (802.1X-REV) for data encryption in software; performance based on endpoint CPU
MACSec-capable hardware (network cards) enhances performance w/ AC 3.0
• Hardware encryption – Requires AnyConnect and MACSec-ready hardware:
  Intel 82576 Gigabit Ethernet Controller
  Intel 82599 10 Gigabit Ethernet Controller
  Intel ICH10 - Q45 Express Chipset (1Gbe LOM)
  (Dell, Lenovo, Fujitsu, and HP have desktops shipping with this LOM.)
• Software encryption – Requires AnyConnect and uses CPU of PC
SGACL
• Keeps existing logical design at access layer
• Distributes policy solely from central management server
• Enterprise: BYOD / Employee / Contractor / Guest roles
• Trusted network security zones:
  - Map user access rights to network security zones
  - Secure network zones provide encryption, message integrity & replay protection
Figure: the user authenticates via 802.1X/MAB/Web Auth (“I’m a contractor”, “My group is IT Admin”) and is classified Contractor & IT Admin, SGT = 100; the SGT capable device applies SGT controls towards Database (SGT=4) and IT Server (SGT=10)
How To Create SGT Policy
Source SGT: HR User (SGT 4), IT Admin (SGT 7)
Destination SGT: ACME Portal (SGT 5), Public Portal (SGT 8), Internal Portal (SGT 9), HR Server (SGT 6)
Matrix cells (one per source/destination pair): Web, No Access, Full Access, or the IT Maintenance ACL (File Share, Web, SSH, RDP)
IT Maintenance ACL:
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip
Use Case 1: TrustSec to cover campus network as well as Data Centre network
• Support for Campus / Branch access
• Source SGT assigned via 802.1X, MAB, or Web Authentication
• Server SGT assigned via IPM or statically
• IP-to-SGT binding table is exchanged between Campus access switch and Data Centre TrustSec capable device
Figure: Campus Access (Cat3750/E, Cat4500, Cat6500; SGT Assignment via 802.1X, MAB, Web Auth), Branch Access (ISR w/ EtherSwitch, Cat4500), Data Centre (Nexus 7010, Cat6500; SXP; SGACL Enforcement; ACS5.1, SQL Server, WEB Server, File Server, Directory Service)

SRC \ DST   | Server A (111) | Server B (222)
User A (10) | Permit all     | SGACL-B
User B (20) | Deny all       | SGACL-C
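An added example (not Cisco's code) that models the SGT egress matrix from the Use Case 1 table above and the IT Maintenance ACL from the preceding slide, then evaluates a flow by source SGT, destination SGT, protocol and destination port; treating SGACL-B as the IT Maintenance ACL and SGACL-C as a constructed web-only ACL are assumptions.

```python
# SGACL syntax follows the slide's "permit tcp dst eq 443 ... deny ip" lines

def parse_sgacl(text):
    """SGACL lines -> list of (action, protocol, dport); dport None means any port."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        dport = int(parts[4]) if parts[2:4] == ["dst", "eq"] else None
        rules.append((action, proto, dport))
    return rules

def evaluate(rules, proto, dport):
    """First matching rule wins; an SGACL that matches nothing denies (implicit deny)."""
    for action, rproto, rport in rules:
        if rproto in ("ip", proto) and rport in (None, dport):
            return action
    return "deny"

# The IT Maintenance ACL quoted on the slide (Web, SSH, RDP, File Share), generated line by line
IT_MAINTENANCE = "\n".join(
    ["permit tcp dst eq %d" % p for p in (443, 80, 22, 3389, 135, 136, 137, 138, 139)] + ["deny ip"])

SGACLS = {
    "Permit all": parse_sgacl("permit ip"),
    "Deny all": parse_sgacl("deny ip"),
    "SGACL-B": parse_sgacl(IT_MAINTENANCE),   # assumption: SGACL-B is the IT Maintenance ACL
    "SGACL-C": parse_sgacl("permit tcp dst eq 443\npermit tcp dst eq 80\ndeny ip"),  # constructed web-only
}

# Egress matrix from the Use Case 1 table: (source SGT, destination SGT) -> SGACL cell
MATRIX = {
    (10, 111): "Permit all", (10, 222): "SGACL-B",   # User A
    (20, 111): "Deny all",   (20, 222): "SGACL-C",   # User B
}

def decide(src_sgt, dst_sgt, proto, dport, default="deny"):
    """Pick the matrix cell for the SGT pair and evaluate the flow; an unknown pair gets the default."""
    cell = MATRIX.get((src_sgt, dst_sgt))
    return default if cell is None else evaluate(SGACLS[cell], proto, dport)
```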
Security Group Firewall (figure: Personal Devices, Remote VPN User, Wireless User, Wired User and IT Managed Devices on the Campus Network)
ASA SG FW
• Availability in Arsenal release (Q2 CY2012)
• Campus and DC enforcement
ISR SG FW
• Availability in 15.2(2)T (on CCO)
• Branch office enforcement for DC access
ASR1K SG FW
• Availability in Release 3.5 (on CCO)
• WAN aggregation enforcement, i.e. restrict access from branches to DC
TrustSec 2.1 Feature Matrix
Feature columns: 802.1X / Identity Features; Security Group Access: SGT, SXP, SGACL, SG-FW; Device Sensors; MACsec: Switch to Switch, Client to Switch (the per-platform support marks are not recoverable from the slide text)

Platform                | Models
Cat 2K                  | 2960, 2960-S
Cat 3K                  | 3560, 3650E, 3750, 3750E, 3750-X, 3560-X, 3560 C
Cat 4K                  | Sup6E, Sup 6L-E, Sup7E, Sup 7L-E
Cat 6K                  | Sup32 / Sup720, Sup2T
Nexus 7K                |
Nexus 5K                |
ASR 1K                  | Pr1 / Pr2, 1001, 1002, 1004, 1006, 1013, ESP10/20/40, SIP 10/40
ISR G2                  | 88X, 89X, 19xx, 29xx, 39xx
ASA                     |
Wireless LAN Controller |
AnyConnect              |
• As a company, Cisco is positioned to be a leader in mobility with strong offerings in LAN, Wireless LAN and Remote Access VPN. In fact, only Cisco is ranked in the Leader Quadrant of all three Magic Quadrants.
• ISE (MQ leader) provides unified management for Wired, Wireless and VPN
Thank you.