Page 1

Secure Access Solutions With Identity Services Engine

György Ács, Security CSE, EMEA Central Core Team

16 March 2012

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public


Page 3

ISE: Policies for people and devices

Non-User Devices
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?

Guest Access
• Can I allow guests Internet-only access?
• How do I manage guest access?
• Can this work in wireless and wired?
• How do I monitor guest activities?

Authorized Access
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
• Access rights on premises, at home, on the road?
• Are devices healthy?

Page 4

Diagram: the Cisco® Identity Services Engine applies policy across the Campus Network (Cisco Switch, Cisco Access Point, Cisco Wireless LAN Controller) between the Internet and Internal Resources. Example policy intents:

• “Printers should only ever communicate internally”
• “Employees should be able to access everything but have limited access on personal devices”
• “Everyone’s traffic should be encrypted”


Page 6

Diagram: ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server converge into the Identity Services Engine, a Policy Server Designed for TrustSec. ISE functions:

• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting

Page 7

Client software options:

• NAC Agent: permanent; supports posture and remediation
• AnyConnect: permanent; 802.1X supplicant
• Web Agent: supports guests; no permanent software installation

Page 8

ISE feature areas:

• Authentication/Authorization
• Posture
• Guest
• Profiling
• MACSec and SGA


Page 10

Dynamic session control from a Policy server (RADIUS Change of Authorization, RFC 5176): ISE instructs the RADIUS Client (the switch or controller) to act on an existing session, for example to move a Device between the Guest VLAN and the Corp VLAN.

• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
• Session Query: for Active Services; for Complete Identity
• Service Specific: Service Activate; Service De-activate; Service Query

Page 11

Switch configuration for 802.1X with MAB fallback (the ISE node at 10.1.100.21 is both the RADIUS server and the dynamic-authorization client):

switch(config)# dot1x system-auth-control
switch(config)# aaa server radius dynamic-author
switch(config-locsvr-da-radius)# client 10.1.100.21 server-key 0 cisco123
switch(config)# interface range g0/1-3, g0/5
switch(config-if-range)# switchport mode access
switch(config-if-range)# authentication port-control auto
switch(config-if-range)# dot1x pae authenticator
switch(config-if-range)# mab
switch(config-if-range)# authentication open
switch(config-if-range)# authentication host-mode multi-auth
switch(config-if-range)# switchport access vlan 10
switch(config-if-range)# switchport voice vlan 40
switch(config-if-range)# authentication order mab dot1x
switch(config-if-range)# authentication priority dot1x mab
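An added example, not from the slides or from Cisco: a small Python audit that parses an IOS-style running-config and reports ports that deviate from the per-port design above (802.1X with MAB fallback, multi-auth, open mode). The sample configuration is constructed; it assumes the pre-auth ACL that page 12 calls ACL-DEFAULT is applied on each open-mode port with `ip access-group ACL-DEFAULT in`, and it treats the dynamic-author client as required because ISE needs it to send CoA.

```python
import re

# Constructed sample running-config (not from a real switch): the per-port
# commands from the slide expanded on g0/1, plus a g0/5 stanza that is
# deliberately incomplete so the audit has something to report.
SAMPLE_CONFIG = """\
dot1x system-auth-control
aaa server radius dynamic-author
 client 10.1.100.21 server-key 0 cisco123
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 40
 authentication port-control auto
 authentication open
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 ip access-group ACL-DEFAULT in
interface GigabitEthernet0/5
 switchport mode access
 authentication port-control auto
 authentication open
 dot1x pae authenticator
interface GigabitEthernet0/24
 description uplink, no 802.1X
 switchport mode trunk
"""

# Per-port commands the slide's design expects on every 802.1X-enabled port.
REQUIRED_PORT_COMMANDS = (
    "dot1x pae authenticator",
    "mab",
    "authentication host-mode multi-auth",
    "authentication order mab dot1x",
    "authentication priority dot1x mab",
)


def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return interfaces


def audit(config, preauth_acl="ACL-DEFAULT"):
    """Return {scope: [findings]} for global and per-port deviations."""
    findings = {}
    top_level = [l for l in config.splitlines() if not l.startswith(" ")]
    global_issues = []
    if "dot1x system-auth-control" not in top_level:
        global_issues.append("dot1x system-auth-control missing (802.1X disabled globally)")
    # CoA (RFC 5176) needs the dynamic-author block with at least one client line.
    if not re.search(r"^aaa server radius dynamic-author\n(?: client .+\n)+", config, re.M):
        global_issues.append("no 'aaa server radius dynamic-author' client: ISE cannot send CoA")
    if global_issues:
        findings["global"] = global_issues

    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # not an 802.1X port (uplinks, trunks)
        issues = [f"missing '{c}'" for c in REQUIRED_PORT_COMMANDS if c not in cmds]
        # Open mode passes traffic before authorization; the slide's design relies on a
        # pre-auth ACL (ACL-DEFAULT: permit DHCP) to narrow that window. Assumed applied
        # with 'ip access-group <acl> in'.
        if "authentication open" in cmds and f"ip access-group {preauth_acl} in" not in cmds:
            issues.append(f"'authentication open' without pre-auth ACL '{preauth_acl}'")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for scope, issues in audit(SAMPLE_CONFIG).items():
        print(scope)
        for issue in issues:
            print("  -", issue)
```

Run against a saved `show running-config`, the audit lists only ports that have `authentication port-control auto` but lack one of the expected commands, so trunks and uplinks stay out of the report.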

Page 12

802.1X authentication: end-to-end sequence

Topology: ACCESS 10.1.10.x /24 with the Access Switch at .1; VLAN 100 = “DATACENTER” = 10.1.100.0 /24 with the AAA server (ISE) at .21. Switch-side AAA: aaa authen dot1x default group RADIUS. Before authorization the port is in Open Mode with ACL-DEFAULT (permit DHCP) applied.

1) Detection: the supplicant sends EAPoL-Start.

2) Challenge & Response (802.1X / EAP between supplicant and switch): Protocol Negotiation (PEAP, EAP-FAST, EAP-TLS), then the Identity Challenge & Response. On the client: Trust Auth Server Cert? Username & Password? (Username: cisco; the demo credentials are Cisco/Cisco123.)

3) Authentication (RADIUS between switch and ISE): Access-Request. ISE Service Selection: 802.1X, matched on NAS-IP: 10.1.10.5, RADIUS-Key: cisco123, IETF:NAS-Port-Type == Ethernet, IETF:Service-Type == Framed, Calling-Station-ID = dead:beef:feed. Result: Success! Group: Internal Users.

4) Authorization: Authorization Policy: PREPOSTURE, returned in the Access-Accept (EAP Success) as RADIUS attributes:
   [27] Session-Timeout = 86400 (24 hours)
   [29] Termination-Action = RADIUS-Request (1)
   [64,65,81] Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID = VLAN, 802, “ACCESS”
   [26/9/1] Cisco av-pair = dACL=ACL-PREPOSTURE
   Authorization applied on the port (ACL-PREPOSTURE takes over from the pre-auth ACL); the client re-DHCPs.

5) Accounting: Accounting-Start once the session is authorized; Accounting-Stop on Disconnect, Shutdown, Restart, Sleep. Records carry Timestamp, MAC, NAS IP, Port ID, Username, Group, Session-ID, …

Page 13

MAB fallback with Central Web Authentication (device without a supplicant)

Topology as on page 12: ACCESS 10.1.10.x /24 (Switch .1); VLAN 100 = “DATACENTER” = 10.1.100.0 /24 (AAA .21, ISE). Switch-side AAA: aaa authen dot1x default group RADIUS. Open Mode: ACL-DEFAULT (permit DHCP) and ACL-GUEST-REDIRECT.

1) Detection: the switch sends EAPoL-Start / EAP identity requests; there is NO Supplicant, so the EAPOL TIMEOUT expires and the port falls back to MAB.

2) MAB Failure: MAB Request = Access-Request carrying the MAC address as the identity:
   User-Name : [1] 14 "000423b2c55b”
   User-Password : [2] 18 *
   Service-Type :[6] 6 Call Check [10]
   ISE Service Selection: MAB (NAS-IP: 10.1.10.5). The MAC is not a known endpoint, so the result is RADIUS Authorization: GUEST.

3) Authorization: Access-Accept [GUEST ACCESS] (EAP Success) with
   [27] = 86400 (24 hours)
   [29] = RADIUS-Request (1)
   [64,65,81] = VLAN, 802, “GUEST”
   [26/9/1] = dACL=ACL-GUEST
   [26/9/1] = url-redirect-acl=ACL-WEBAUTH-REDIRECT
   Authorization applied; the client re-DHCPs.

4) HTTP BROWSER: the guest opens HTTP://www.google.com; traffic matching the redirect ACL is answered with URL-Redirect 302 : HTTPS://FQDN:8443/guestportal/gateway?sessionId={SessionIdValue}&action=cwa, which sends the user to the ISE guest portal.
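An added example, not from the slides or from Cisco: Python that builds the authorization results shown on pages 12 and 13 as real RADIUS attributes, seals them in an Access-Accept with the Response Authenticator, verifies that authenticator against the shared secret (the check a switch performs before it honours a VLAN or dACL from a reply), and decodes the attributes back into the bracketed numbers the slides use. Assumptions: tag 1 on the tunnel attributes, a fixed stand-in for the Request Authenticator (a NAS picks a random one per request), and the slides' shorthand `dACL=ACL-GUEST` used verbatim as an av-pair value (a production ISE dACL pair has a different form).

```python
import hashlib
import hmac
import struct

# IETF attribute types (RFC 2865, RFC 2868) matching the bracketed numbers on the slides.
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9          # the "9" in [26/9/1]
CISCO_AVPAIR = 1             # the "1" in [26/9/1]
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
TERMINATION_RADIUS_REQUEST = 1
ACCESS_ACCEPT = 2


def _avp(atype, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def _tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_authorization(vlan_name, av_pairs, session_timeout=86400, tag=1):
    """Attributes of an ISE authorization profile in the form the slides list them."""
    attrs = _avp(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    attrs += _avp(TERMINATION_ACTION, struct.pack("!I", TERMINATION_RADIUS_REQUEST))
    attrs += _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
    attrs += _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_802))
    attrs += _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode())
    for pair in av_pairs:                      # each av-pair is its own Vendor-Specific attribute
        data = pair.encode()
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(data) + 2]) + data
        attrs += _avp(VENDOR_SPECIFIC, vsa)
    return attrs


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """Access-Accept; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """NAS-side check: a reply whose authenticator does not verify must be dropped."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attributes(attrs):
    """Decode the attribute list into {type: value, 'cisco-av-pair': [...]}."""
    out = {"cisco-av-pair": []}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = attrs[i], attrs[i + 1]
        value = attrs[i + 2:i + alen]
        i += alen
        if atype in (SESSION_TIMEOUT, TERMINATION_ACTION):
            out[atype] = struct.unpack("!I", value)[0]
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[atype] = (value[0], int.from_bytes(value[1:], "big"))   # (tag, value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte of 0x00..0x1F is a tag; anything else belongs to the string.
            tag = value[0] if value[0] <= 0x1F else None
            out[atype] = (tag, (value[1:] if tag is not None else value).decode())
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            if value[4] == CISCO_AVPAIR:
                out["cisco-av-pair"].append(value[6:4 + value[5]].decode())
    return out


if __name__ == "__main__":
    secret = b"cisco123"                 # RADIUS-Key from the slide
    request_auth = bytes(range(16))      # constructed stand-in for the NAS's random authenticator
    guest = build_authorization("GUEST", ["dACL=ACL-GUEST", "url-redirect-acl=ACL-WEBAUTH-REDIRECT"])
    reply = build_access_accept(42, request_auth, guest, secret)
    print("authenticator verifies:", verify_response(reply, request_auth, secret))
    print(decode_attributes(reply[20:]))
```

The Response Authenticator is the only integrity binding on a plain RADIUS Access-Accept, which is why the shared secret (RADIUS-Key on the slide) and the source address check on the NAS matter: anyone able to forge a reply that passes this check can hand a port any VLAN or dACL.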


Page 15

Simple authorization policy: conditions on Device Type and User.

Enforcement Policy
• Permissions = Authorizations
• Defines the access control policy and other attributes to be applied to the auth session.

Page 16

Advanced authorization policy: conditions on Device Type, Location, User, Posture, Time, Access Method, Custom.


Page 18

802.1X authentication + posture + profiling + guest

Posture model: NAC Appliance term, its description, and the ISE (new) term
• Checks: File, Service, Registry, AV/AS checks → Posture Conditions
• Rules: multiple simple conditions are built together → Compound Posture Conditions
• Requirements: used with Operating Systems; they contain compound conditions, and each Requirement has a selected Remediation action → Posture Requirements
• Role Requirements: posture policies can be evaluated based on Identity Groups, OS, and dictionary attributes; policies contain the Requirements → Posture Policy

Page 19

Authentication
• Authenticate PC: corporate asset?
• Authenticate User
• Authenticate Guests (WEB)
• Profile Devices, MAB

Posture
• Compliance Check: OS, Hotfix, Antivirus, Personal Firewall
• Quarantine
• Remediation: fix problem, make PC compliant

Authorization
• Create different Zones to segment network
• Assign VLAN to port
• Assign ACL to port
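An added example, not from the slides or from Cisco, that puts the posture hierarchy of pages 18 and 19 into working code: simple conditions combine into compound conditions, requirements bind a compound condition to an OS and a remediation action, and a policy selected by identity group and OS holds the requirements. The endpoint reports, condition names, hotfix id and remediation strings are all constructed; the evaluation order and the "no matching policy" behaviour are this example's own choices, not a statement of how ISE orders its checks.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Endpoint = Dict[str, object]   # what the agent reports about the host


@dataclass
class PostureCondition:
    """A simple check: file, service, registry or AV/AS (NAC Appliance 'Check')."""
    name: str
    check: Callable[[Endpoint], bool]


@dataclass
class CompoundCondition:
    """Simple conditions built together with AND / OR (NAC Appliance 'Rule')."""
    name: str
    operator: str                       # "and" or "or"
    conditions: List[PostureCondition]

    def evaluate(self, ep):
        results = [c.check(ep) for c in self.conditions]
        return all(results) if self.operator == "and" else any(results)


@dataclass
class PostureRequirement:
    """Tied to an operating system; holds one compound condition and a remediation action."""
    name: str
    os_family: str
    condition: CompoundCondition
    remediation: str


@dataclass
class PosturePolicy:
    """Selected by identity group and OS; contains the requirements to evaluate."""
    identity_group: str
    os_family: str
    requirements: List[PostureRequirement]


def evaluate_posture(policies, ep) -> Tuple[str, List[str]]:
    """Return ('Compliant' | 'NonCompliant', [remediation actions to run]).

    An endpoint that matches no policy comes out Compliant here, which is why the
    identity-group/OS scope of each policy deserves the same review as its checks.
    """
    actions = []
    for policy in policies:
        if (policy.identity_group, policy.os_family) != (ep["identity_group"], ep["os"]):
            continue
        for req in policy.requirements:
            if req.os_family == ep["os"] and not req.condition.evaluate(ep):
                actions.append(req.remediation)
    return ("Compliant" if not actions else "NonCompliant", actions)


# Constructed conditions for the slide's checks (hotfix, antivirus, personal firewall).
av_installed = PostureCondition("av-service-running", lambda ep: "antivirus" in ep["services"])
av_current = PostureCondition("av-defs-fresh", lambda ep: ep["av_definition_age_days"] <= 7)
firewall_on = PostureCondition("firewall-service-running", lambda ep: "firewall" in ep["services"])
hotfix_present = PostureCondition("hotfix-installed", lambda ep: "KB-EXAMPLE-001" in ep["hotfixes"])

AV_REQUIREMENT = PostureRequirement(
    "Antivirus up to date", "Windows",
    CompoundCondition("av-installed-and-current", "and", [av_installed, av_current]),
    remediation="Launch AV definition update")
FIREWALL_REQUIREMENT = PostureRequirement(
    "Personal firewall enabled", "Windows",
    CompoundCondition("firewall-on", "and", [firewall_on]),
    remediation="Enable personal firewall")
HOTFIX_REQUIREMENT = PostureRequirement(
    "Critical hotfix installed", "Windows",
    CompoundCondition("hotfix", "and", [hotfix_present]),
    remediation="Run Windows Update")

POLICIES = [PosturePolicy("Internal Users", "Windows",
                          [AV_REQUIREMENT, FIREWALL_REQUIREMENT, HOTFIX_REQUIREMENT])]

# Two constructed endpoint reports: one healthy, one with stale AV and no firewall.
COMPLIANT_PC = {"identity_group": "Internal Users", "os": "Windows",
                "services": {"antivirus", "firewall"}, "av_definition_age_days": 2,
                "hotfixes": {"KB-EXAMPLE-001"}}
STALE_PC = {"identity_group": "Internal Users", "os": "Windows",
            "services": {"antivirus"}, "av_definition_age_days": 30,
            "hotfixes": {"KB-EXAMPLE-001"}}

if __name__ == "__main__":
    for ep in (COMPLIANT_PC, STALE_PC):
        print(evaluate_posture(POLICIES, ep))
```

The returned remediation list is what the quarantine step on page 19 would hand to the agent; a non-empty list maps to the Quarantine authorization, an empty one to the compliant authorization.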


Page 21

Guest lifecycle on ISE:
• Provision: guest accounts via sponsor portal
• Notify: guests of account details by print, email, or SMS
• Manage: sponsor privileges, guest accounts and policies
• Report: on all aspects of guest accounts

Guests authenticate/authorize via a guest portal on ISE.



Page 24

Guest URL activity is shown in ISE when ASA syslogs are sent to ISE.

Page 25

• Send syslogs to ISE M&T (Monitoring & Troubleshooting) on UDP port 20514
• Filter for message ID 304001: accessed URLs

Page 26

• Create a Service Policy on the ASA to inspect HTTP traffic for the guest subnet
• ISE shows the accessed URLs in reports
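An added example, not from the slides or from Cisco: a Python filter for the ASA message ID 304001 lines that pages 24 to 26 feed into ISE, keeping only URL events whose source is in the guest subnet and grouping them per guest address, which is the view the ISE guest activity report gives. The syslog lines and the guest subnet (10.1.40.0/24) are constructed; the message layout follows the ASA format for 304001 (source address, "Accessed [JAVA] URL", destination address and URL), and the UDP forwarder only shows the destination port from page 25 and is not exercised offline.

```python
import re
import socket
from collections import defaultdict
from ipaddress import ip_address, ip_network

ISE_MNT_SYSLOG_PORT = 20514                  # UDP port from the slide (ISE M&T collector)
GUEST_SUBNET = ip_network("10.1.40.0/24")    # constructed guest subnet, not from the slides

# Constructed sample syslog lines in the ASA layout for message ID 304001
# ("source Accessed [JAVA] URL destination:url"); none of this is real traffic.
SAMPLE_SYSLOG = """\
<165>Mar 16 2012 10:15:01 asa-guest : %ASA-5-304001: 10.1.40.23 Accessed URL 93.184.216.34:http://example.com/
<165>Mar 16 2012 10:15:02 asa-guest : %ASA-5-304001: 10.1.40.23 Accessed JAVA URL 93.184.216.34:http://example.com/applet.jar
<165>Mar 16 2012 10:15:09 asa-guest : %ASA-5-304001: 10.1.40.77 Accessed URL 203.0.113.9:http://test.invalid/login
<165>Mar 16 2012 10:15:10 asa-guest : %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.1.40.77/51234 (10.1.40.77/51234)
<165>Mar 16 2012 10:15:12 asa-guest : %ASA-5-304001: 10.1.20.5 Accessed URL 198.51.100.4:http://intranet.example/
"""

URL_EVENT = re.compile(
    r"%ASA-\d-304001:\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+Accessed\s+(?:JAVA\s+)?URL\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s*(?P<url>\S+)")


def parse_url_events(text, guest_subnet=GUEST_SUBNET):
    """Keep only 304001 messages whose source address lies in the guest subnet."""
    events = []
    for line in text.splitlines():
        match = URL_EVENT.search(line)
        if match is None:
            continue                                  # other message IDs are not URL events
        src = ip_address(match["src"])
        if src not in guest_subnet:
            continue                                  # corporate hosts are not guest activity
        events.append({"src": str(src), "dst": match["dst"], "url": match["url"], "raw": line})
    return events


def urls_per_guest(events):
    """Guest source address -> list of URLs, in the order they were logged."""
    report = defaultdict(list)
    for event in events:
        report[event["src"]].append(event["url"])
    return dict(report)


def forward_to_ise(events, ise_host, port=ISE_MNT_SYSLOG_PORT):
    """Relay the filtered raw lines to the ISE M&T collector over UDP (network side effect)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for event in events:
            sock.sendto(event["raw"].encode(), (ise_host, port))
    return len(events)


if __name__ == "__main__":
    for guest, urls in urls_per_guest(parse_url_events(SAMPLE_SYSLOG)).items():
        print(guest)
        for url in urls:
            print("  ", url)
```

Restricting the filter to the guest subnet mirrors the ASA service policy on page 26, which inspects HTTP only for the guest subnet: employee browsing never reaches the guest report.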


Page 28

• Profiler supplies the What.
• Profiler detects and classifies devices
• Profiler requires the advanced license

Diagram: two Employees on the Same-SSID, carried over CAPWAP to the controller, placed on VLAN 30 (Corporate Resources) and VLAN 40 (Internet) across an 802.1Q Trunk.


Page 30

• Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication
• Employee using corporate laptop with their AD user id assigned to VLAN 30 = Full network access
• Employee using personal iPad/iPhone with their AD user id assigned to VLAN 40 = Internet only

Diagram sequence (Same-SSID, CAPWAP to the controller, 802.1Q Trunk to VLAN 30 Corporate Resources and VLAN 40 Internet):
1) EAP Authentication (Employee, corporate laptop)
2) ISE: Accept with VLAN 30
3) EAP Authentication (Employee, personal device)
4) ISE: Accept with VLAN 40

Page 31

Using the Network Scan option in a profiler policy:
• The SNMP scan uses "public" as the default read-only (RO) community string
• Select the NMAP scan type and activate the network scan

Page 32

IOS Sensor: distributed probes on Catalyst 3K switches reporting to ISE
• Low-touch deployment
• Profiling based on CDP/LLDP or DHCP
• Centralized visibility without a big ISE sensor investment
• Automatic discovery for most common devices (printers, Cisco devices, phones)
• Topology independent


Page 34

Confidentiality and Integrity: Securing the Data Path with MACSec

Media Access Control Security (MACSec)
• Provides “WLAN / VPN equivalent” encryption (128-bit AES-GCM) to the LAN connection
• NIST approved* encryption (IEEE 802.1AE) + Key Management (IEEE 802.1X-2010/MKA or Security Association Protocol).
• Allows the network to continue to perform auditing (Security Services)

* National Institute of Standards and Technology Special Publication 800-38D

Diagram: an 802.1X Supplicant with MACSec (Authenticated User) encrypts frames onto the MACSec Link and the MACSec-capable device decrypts them; a Guest User's data is sent in clear.

Note: Cat3750-X currently supports MACSec on downlink only

Page 35

MACSec & AnyConnect 3.0
• Unified access interface for VPN (SSL-VPN and IPSec) and 802.1X for LAN / WLAN
• Supports MACSec / MKA (802.1X-REV) for data encryption in software; performance depends on the endpoint CPU
• MACSec-capable hardware (network cards) enhances performance with AC 3.0

• Hardware encryption: requires AnyConnect and MACSec-ready hardware:
  Intel 82576 Gigabit Ethernet Controller
  Intel 82599 10 Gigabit Ethernet Controller
  Intel ICH10 - Q45 Express Chipset (1Gbe LOM)
  (Dell, Lenovo, Fujitsu, and HP have desktops shipping with this LOM.)
• Software encryption: requires AnyConnect and uses the CPU of the PC

Page 36

SGACL
• Keeps existing logical design at the access layer
• Distributes policy solely from the central management server
• Enterprise: BYOD / Employee / Contractor / Guest roles
• Trusted network security zones:
  - Map user access rights to network security zones
  - Secure network zones provide encryption, message integrity & replay protection

Diagram: a user authenticates via 802.1X/MAB/Web Auth (“I’m a contractor”, “My group is IT Admin”); ISE classifies Contractor & IT Admin as SGT = 100, and the SGT-capable device applies SGT controls toward the Database (SGT=4) and the IT Server (SGT=10).

Page 37

How To Create SGT Policy

Source SGTs: HR User (SGT 4), IT Admin (SGT 7)
Destination SGTs: ACME Portal (SGT 5), Public Portal (SGT 8), Internal Portal (SGT 9), HR Server (SGT 6)

The matrix (Source SGT by Destination SGT) assigns each cell a permission set: Web, SSH, RDP, File Share, Full Access or No Access. Cell contents as they appear on the slide (the row/column layout did not survive extraction): Web, Web, No Access, Web; File Share, Web, SSH, RDP; File Share, Web, SSH, RDP; File Share, Full Access, SSH, RDP; File Share.

IT Maintenance ACL:
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip

Page 38

Use Case 1: TrustSec to cover the campus network as well as the Data Centre network
• Support for Campus / Branch access
• Source SGT assigned via 802.1X, MAB, or Web Authentication
• Server SGT assigned via IPM or statically
• IP-to-SGT binding table is exchanged between the Campus access switch and the Data Centre TrustSec-capable device

Diagram: Campus Access (Cat35750/E, Cat4500) and Branch Access (ISR w/ EtherSwitch) assign SGTs via 802.1X, MAB, Web Auth; SXP carries the bindings to the Data Centre (Cat6500, Nexus 7010, Cat4500), where SGACL Enforcement protects ACS5.1, SQL Server, WEB Server, File Server and the Directory Service.

SGACL matrix:
SRC \ DST      Server A (111)   Server B (222)
User A (10)    Permit all       SGACL-B
User B (20)    Deny all         SGACL-C
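An added example, not from the slides or from Cisco, covering pages 37 and 38: a Python evaluator for the SGACL matrix above with first-match, implicit-deny semantics. The ACE syntax is the one the slides print ("permit tcp dst eq 443", "deny ip"). Assumptions: SGACL-B is taken to be the IT Maintenance ACL from page 37, SGACL-C is constructed, and the result for a source/destination pair with no matrix cell is a parameter (`default`) because the platform default for unlisted pairs is a configuration choice the slides do not state.

```python
# SGACL contents in the slides' ACE syntax. SGACL-B is assumed to be page 37's
# IT Maintenance ACL; SGACL-C is constructed for the example.
SGACLS = {
    "Permit all": "permit ip",
    "Deny all": "deny ip",
    "SGACL-B": """\
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip""",
    "SGACL-C": "permit tcp dst eq 443\ndeny ip",
}

# The page 38 matrix: (source SGT, destination SGT) -> SGACL name.
MATRIX = {
    (10, 111): "Permit all",   # User A -> Server A
    (10, 222): "SGACL-B",      # User A -> Server B
    (20, 111): "Deny all",     # User B -> Server A
    (20, 222): "SGACL-C",      # User B -> Server B
}


def parse_sgacl(text):
    """Parse ACEs into (action, protocol, destination port or None), keeping their order."""
    aces = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 2:                                   # "permit ip", "deny ip"
            action, proto, port = parts[0], parts[1], None
        elif len(parts) == 5 and parts[2:4] == ["dst", "eq"]:  # "permit tcp dst eq 443"
            action, proto, port = parts[0], parts[1], int(parts[4])
        else:
            raise ValueError(f"unsupported ACE syntax on line {lineno}: {line!r}")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action on line {lineno}: {line!r}")
        aces.append((action, proto, port))
    return aces


def evaluate(src_sgt, dst_sgt, proto, dst_port, matrix=MATRIX, sgacls=SGACLS, default="deny"):
    """First matching ACE decides; an SGACL that matches nothing ends in the implicit deny."""
    name = matrix.get((src_sgt, dst_sgt))
    if name is None:
        return default          # no cell for this pair: platform default (assumed, see lead-in)
    for action, ace_proto, port in parse_sgacl(sgacls[name]):
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


def explain(src_sgt, dst_sgt, proto, dst_port):
    """One-line trace of which cell and verdict applied, for policy review."""
    name = MATRIX.get((src_sgt, dst_sgt), "<no cell>")
    verdict = evaluate(src_sgt, dst_sgt, proto, dst_port)
    return f"SGT {src_sgt} -> SGT {dst_sgt} {proto}/{dst_port}: {name} -> {verdict}"


if __name__ == "__main__":
    for flow in ((10, 111, "tcp", 25), (10, 222, "tcp", 22), (10, 222, "tcp", 25),
                 (20, 111, "tcp", 443), (20, 222, "tcp", 443), (4, 6, "tcp", 80)):
        print(explain(*flow))
```

Running the evaluator over the flows a change is meant to allow, and over a few it must not, is a cheap pre-deployment check of a matrix edit; the `default` parameter makes the unlisted-pair behaviour explicit instead of relying on whatever the enforcement platform was left with.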

Page 39

Security Group Firewall (SG FW) enforcement on the Campus Network for Personal Devices, Remote VPN Users, Wireless Users, Wired Users and IT Managed Devices:

ASA SG FW
• Availability in Arsenal release (Q2 CY2012)
• Campus and DC enforcement

ISR SG FW
• Availability in 15.2(2)T (on CCO)
• Branch office enforcement for DC access

ASR1K SG FW
• Availability in Release 3.5 (on CCO)
• WAN aggregation enforcement, i.e. restrict access from branches to DC

Page 40

TrustSec 2.1 Feature Matrix. Columns: 802.1X / Identity Features; Security Group Access (SGT, SXP, SGACL, SG-FW, Device Sensors); MACsec (Switch to Switch, Client to Switch). The per-platform support marks did not survive extraction; platforms and models listed:

• Cat 2K: 2960, 2960-S
• Cat 3K: 3560, 3650E, 3750, 3750E, 3750-X, 3560-X, 3560 C
• Cat 4K: Sup6E, Sup 6L-E, Sup7E, Sup 7L-E
• Cat 6K: Sup32 / Sup720, Sup2T
• Nexus 7K
• Nexus 5K
• ASR 1K: Pr1 / Pr2, 1001, 1002, 1004, 1006, 1013, ESP10/20/40, SIP 10/40
• ISR G2: 88X, 89X, 19xx, 29xx, 39xx
• ASA
• Wireless LAN Controller
• AnyConnect


Page 42

• As a company, Cisco is positioned to be a leader in mobility with strong offerings in LAN, Wireless LAN and Remote Access VPN. In fact, only Cisco is ranked in the Leader Quadrant of all three Magic Quadrants.
• ISE (MQ leader) provides unique management for Wired, Wireless and VPN


Page 44

Thank you.