Cisco ISE for Campus Security
Michael “Zig” Zsiga, CCIE # 44883
Lead Technical Architect (LTA) @ ePlus
03-23-2016
Leveraging Cisco’s Identity Services Engine to maintain complete Visibility and Consistent Secure Control of all devices in a Campus Environment
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Today’s Agenda
• Use Case Architecture
• ISE Primer
• Complete Visibility
• Consistent Secure Control
• BYOD
• Guest Access
• Guest Demo
Use Case Architecture
The Different Ways Customers Use ISE
Guest Access Management: Easily provide visitors secure guest Internet access
BYOD and Enterprise Mobility: Seamlessly classify & securely onboard devices with the right levels of access
Secure Access across the Entire Network: Streamline enterprise network access policy over wired, wireless, & VPN
Software-Defined Segmentation with Cisco TrustSec®: Simplify network segmentation and enforcement to contain network threats
Visibility & Context Sharing with pxGrid: Share endpoint and user context with Cisco and 3rd-party systems
Network Device Administration: Device administration and network access on a single platform
ISE Use Case Architecture - Overview
Users            Devices            Permissions
Trusted User     Trusted Device     Full Access
Trusted User     Untrusted Device   Limited Access
Untrusted User   Trusted Device     Limited Access
Untrusted User   Untrusted Device   No Access
Real Life Use Case from an ePlus K-12 Customer: Customer Requirements Overview

Full Visibility of what is being connected to their network
• Gaming systems: Xbox, PS4, etc.
• SOHO routers / switches: Linksys, Belkin, Netgear, etc.

Secure Control, with security policies applied based on business requirements
• An employee gets access to a file share
• A student gets access to internal printers only

Guest Access that is fluid and uses a single portal
• Self-sponsored guest access
• Sponsored guest access
• Predictable and intuitive

Ease of Management that can minimize the overhead a small IT shop has traditionally encountered
• Single pane of glass
• Flexible design and implementation
Real Life Use Case from an ePlus K-12 Customer: Customer Details Overview
Network Devices
• 200-plus Network Access Devices (NADs)
• ~150 Cisco switches
• ~50 WLCs
Trusted Users
• An Employee (Staff / Faculty)
• A Student
Trusted Devices
• School owned and managed Device
Identity Permissions
• What are you allowed to access: Printers, Servers, WWW
• Trusted Users can have different access based on their needs
Real Life Use Case from an ePlus K-12 Customer: Customer Solution Overview

Full Visibility
• Implemented a Monitor Mode ISE deployment
• Nothing is blocked initially, just tracked in ISE

Secure Control
• Multiple levels of access for Trusted / Trusted Tiers
• Employees have more access than Students; both are Trusted Users

Guest Access
• Self-sponsored guest access: anyone can use it, but it is limited to Internet access and a small subset of printers
• Sponsored guest access: specific use case for vendor access

Ease of Management
• Moving all security configuration to a single web portal front end
• Previously had to touch 200-plus network devices to make the same change
• Modular deployment with Policy Sets (Wired, Wireless, VPN)
• Two (2) wireless SSIDs only: Internal vs Guest
ISE Primer
Identity Services Engine: Policy Server Designed for Secure Access

Consolidated into ISE: ACS, Profiler, Guest Server, NAC Manager, NAC Server

Capabilities:
• Centralized Policy
• RADIUS Server
• Secure Group Access
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting

Also covered:
• Device Registration
• Supplicant and Cert Provisioning
• Mobile Device Management
• Partner Ecosystem
Introducing Cisco Identity Services Engine
A centralised security solution that automates context-aware access to network resources and shares contextual data

Figure (diagram labels only): Network Door; Identity, Profiling and Posture; Who / What / When / Where / How; Compliant Context; Traditional vs Cisco TrustSec® Role-Based Policy Access (Physical or VM); Guest Access; BYOD Access; Secure Access; ISE pxGrid Controller; Network Resources; Role-Based Access
Complete Visibility
Extensive Context Awareness
Make Fully Informed Decisions with Rich Contextual Awareness

         Poor Context Awareness                                  Extensive Context Awareness
Who      IP address 192.168.1.51                                 Bob
What     Unknown                                                 Tablet
Where    Unknown                                                 Building 200, first floor
When     Unknown                                                 11:00 a.m. EST on April 10
How      Unknown                                                 Wireless
Result   Any user, any device, anywhere gets on the network      The right user, on the right device, from the right place is granted the right access
Many Different Visibility Variables

Trust Gradient
• Authentication
• Certificate
• Managed/Unmanaged
• Compliance/Posture

Threat/Risk
• Threat score
• Fidelity

Reach
• What services can be accessed
• What other entities can be impacted

Behaviour
• Historical versus active: now or before
• Was I doing the expected or the unexpected

Users
• Role
• Permissions/rights
• Importance

Devices
• Ownership: managed or unmanaged
• Type of device
• Function
• Applications

Connectivity
• Medium (Wired/Wireless/VPN)
• NAD/NAD details
• State (active session)

Location
• Physical
• Logical

Time
• Time of day
• Day of week
• Connection duration
Figure: PCs vs Non-PCs (UPS, Phone, Printer, AP). How?

Profiling
• What ISE Profiling is:
  • Dynamic classification of every device that connects to the network, using the infrastructure
  • Provides the context of “What” is connected, independent of user identity, for use in access policy decisions
• What Profiling is NOT:
  ‒ An authentication mechanism
  ‒ An exact science for device classification
Profiling Technology: Visibility Into What Is On the Network
Profiling Technology: How Do We Classify a Device?
• Profiling uses signatures (similar to IPS)
• Probes are used to collect endpoint data: RADIUS, DHCP, DNS, HTTP, SNMP Query, NetFlow, DHCP SPAN, SNMP Trap, NMAP
Profiling Policy Overview: Profile Policies Use a Combination of Conditions to Identify Devices

Example from the Profile Library:
• Is the MAC address from Apple?
• DHCP:host-name CONTAINS iPad
• IP:User-Agent CONTAINS iPad
Result: “I am fairly certain this device is an iPad”; assign this MAC address to the “iPad” policy.
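The following is an added illustration of the idea on this slide, not ISE code: several weak signals (MAC OUI, DHCP host-name, HTTP User-Agent) are evaluated against an endpoint's collected attributes, each match adds a certainty value, and the profile is assigned only when the total reaches the policy's minimum. The attribute names, certainty weights, threshold, OUI table and the three sample endpoints are all assumptions constructed for the example. It also shows why profiling is not authentication: an endpoint whose MAC OUI alone says "Apple" never reaches the threshold.

```python
"""Toy certainty-based profiler (added example; not Cisco ISE code).
Attribute names, weights, threshold, OUI table and endpoints are assumed."""

from dataclasses import dataclass

# Constructed sample OUI table: first three octets of the MAC (upper-case) -> vendor.
OUI_VENDOR = {
    "00:1C:B3": "Apple",    # assumed Apple OUI for the example
    "00:50:56": "VMware",   # assumed VMware OUI for the example
}


@dataclass
class Condition:
    attribute: str   # e.g. "DHCP:host-name"
    op: str          # "CONTAINS" or "EQUALS"
    value: str
    certainty: int   # certainty added to the score when this condition matches

    def matches(self, attrs):
        actual = attrs.get(self.attribute, "")
        if self.op == "CONTAINS":
            return self.value.lower() in actual.lower()
        if self.op == "EQUALS":
            return self.value.lower() == actual.lower()
        raise ValueError(f"unsupported operator {self.op!r}")


@dataclass
class ProfilePolicy:
    name: str
    minimum_certainty: int
    conditions: list


# The slide's iPad example as a policy; weights and threshold are assumptions.
IPAD_POLICY = ProfilePolicy(
    name="iPad",
    minimum_certainty=30,
    conditions=[
        Condition("MAC:OUI", "EQUALS", "Apple", 10),
        Condition("DHCP:host-name", "CONTAINS", "iPad", 10),
        Condition("IP:User-Agent", "CONTAINS", "iPad", 20),
    ],
)


def derive_attributes(endpoint):
    """Add derived attributes (vendor from the MAC OUI) to the raw probe data."""
    attrs = dict(endpoint)
    oui = attrs.get("MAC", "")[:8].upper()
    attrs["MAC:OUI"] = OUI_VENDOR.get(oui, "Unknown")
    return attrs


def evaluate(policy, endpoint):
    """Return (assigned profile, total certainty, list of matched attributes)."""
    attrs = derive_attributes(endpoint)
    score, matched = 0, []
    for cond in policy.conditions:
        if cond.matches(attrs):
            score += cond.certainty
            matched.append(cond.attribute)
    assigned = policy.name if score >= policy.minimum_certainty else "Unknown"
    return assigned, score, matched


# Constructed sample endpoints (attribute values as the DHCP/HTTP probes would collect them).
SAMPLE_IPAD = {
    "MAC": "00:1c:b3:11:22:33",
    "DHCP:host-name": "Zigs-iPad",
    "IP:User-Agent": "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X)",
}
SAMPLE_APPLE_MAC_ONLY = {   # only the OUI agrees: not enough evidence on its own
    "MAC": "00:1C:B3:44:55:66",
    "DHCP:host-name": "lab-workstation",
    "IP:User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
}
SAMPLE_VM = {"MAC": "00:50:56:00:00:10", "DHCP:host-name": "build-vm-03"}


def classify_all(policy=IPAD_POLICY):
    """Evaluate every sample endpoint; returns {label: assigned profile}."""
    samples = {"ipad": SAMPLE_IPAD, "apple-mac-only": SAMPLE_APPLE_MAC_ONLY, "vm": SAMPLE_VM}
    return {label: evaluate(policy, ep)[0] for label, ep in samples.items()}


if __name__ == "__main__":
    for label, ep in [("ipad", SAMPLE_IPAD), ("apple-mac-only", SAMPLE_APPLE_MAC_ONLY), ("vm", SAMPLE_VM)]:
        print(label, evaluate(IPAD_POLICY, ep))
```

The "apple-mac-only" endpoint scores 10 of the required 30, so it stays "Unknown"; that is the practical reading of "not an authentication mechanism": a profile is a classification hint for policy, and a single probe attribute should never carry enough weight to grant access by itself.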
Consistent Secure Control
ISE is a Standards-Based AAA Server: Access Control System Must Support All Connection Methods
Supports Cisco and 3rd-party solutions via standard RADIUS, 802.1X, EAP, and VPN protocols

Figure (diagram labels only): ISE Policy Server; Cisco Prime; Wired (802.1X = EAPoLAN); Wireless (802.1X = EAPoLAN); VPN (SSL / IPsec); RADIUS
Separation of Authentication and Authorization
Figure (diagram labels only): Policy Groups; Policy Set Condition; Authentication; Authorization; Default from ISE 1.3
What About That 3rd “A” in “AAA”? Accounting
Detailed Visibility into Passed/Failed Attempts
Building the Architecture in Phases
• Access-prevention technology:
  ‒ A Monitor Mode is necessary
  ‒ Must have ways to implement and see who will succeed and who will fail
  ‒ Determine why, and then remediate before taking 802.1X into a stronger enforcement mode
• Solution = Phased approach to deployment:
  ‒ Monitor Mode
  ‒ Low-Impact Mode, or
  ‒ Closed Mode
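Monitor Mode only pays off if someone actually reads the passed/failed records and works the failures before enforcement is tightened. The script below is an added example of that step, not an ISE feature or report: it takes authentication records in a constructed key=value line format (not an ISE export format), lists every endpoint that never had a passing authentication, which is the set that would be cut off in Closed Mode, and groups those by failure reason and by NAD so the remediation work can be prioritised. All log lines, NAD names, MAC addresses and reason codes are constructed sample data.

```python
"""Monitor-mode readiness check over authentication records (added example, not ISE code).
The log format below is a constructed key=value form; every line is sample data."""

from collections import Counter

SAMPLE_LOG = """\
ts=2016-03-23T08:01:10 nad=sw-bldg200-1 mac=00:1C:B3:AA:BB:01 user=jdoe method=dot1x result=pass
ts=2016-03-23T08:01:12 nad=sw-bldg200-1 mac=00:1C:B3:AA:BB:02 user= method=mab result=fail reason=mac-not-found
ts=2016-03-23T08:02:05 nad=sw-bldg200-2 mac=00:50:56:00:00:10 user=student17 method=dot1x result=fail reason=wrong-password
ts=2016-03-23T08:02:40 nad=sw-bldg200-2 mac=00:50:56:00:00:10 user=student17 method=dot1x result=pass
ts=2016-03-23T08:03:00 nad=sw-bldg200-1 mac=00:1C:B3:AA:BB:02 user= method=mab result=fail reason=mac-not-found
ts=2016-03-23T08:03:30 nad=sw-bldg200-3 mac=00:0C:29:12:34:56 user= method=mab result=fail reason=mac-not-found
ts=2016-03-23T08:04:00 nad=sw-bldg200-3 mac=00:0C:29:12:34:57 user=printer-svc method=dot1x result=fail reason=cert-expired
"""


def parse_line(line):
    """Split one 'key=value key=value' record into a dict (empty values allowed)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def readiness_report(records):
    """Return (would_be_denied, failure_reasons, denied_per_nad).

    would_be_denied maps each MAC that never passed to (nad, last failure reason):
    in Monitor Mode these endpoints are on the network; in Closed Mode they would not be.
    failure_reasons counts every failure (including ones later retried successfully).
    denied_per_nad counts only the endpoints in would_be_denied, per switch/WLC.
    """
    passed = set()
    last_fail = {}           # mac -> (nad, reason) of the most recent failure
    reasons = Counter()
    for rec in records:
        if rec["result"] == "pass":
            passed.add(rec["mac"])
        else:
            reason = rec.get("reason", "unknown")
            last_fail[rec["mac"]] = (rec["nad"], reason)
            reasons[reason] += 1
    would_be_denied = {mac: info for mac, info in last_fail.items() if mac not in passed}
    denied_per_nad = Counter(nad for nad, _ in would_be_denied.values())
    return would_be_denied, reasons, denied_per_nad


def format_report(records):
    """Human-readable remediation worklist as a list of lines."""
    denied, reasons, per_nad = readiness_report(records)
    lines = [f"{len(denied)} endpoint(s) would be denied in Closed Mode"]
    for mac, (nad, reason) in sorted(denied.items()):
        lines.append(f"  {mac} on {nad}: {reason}")
    lines.append("failure reasons: " + ", ".join(f"{r}={n}" for r, n in reasons.most_common()))
    lines.append("denied endpoints per NAD: " + ", ".join(f"{nad}={n}" for nad, n in sorted(per_nad.items())))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(parse_log(SAMPLE_LOG))))
```

In the sample, student17's wrong password was retried successfully, so that endpoint is not on the worklist; the two mac-not-found endpoints are the kind of headless devices (printers, APs, UPSs) that need a MAB entry or a profiling policy, and the expired certificate is a supplicant-side fix. When the worklist is empty for a representative period, moving that policy set to Low-Impact or Closed Mode is a decision backed by data rather than hope.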
BYOD
Onboarding Personal Devices: Registration, Certificate and Supplicant Provisioning

Figure (diagram labels only): Device Onboarding; Certificate Provisioning; Supplicant Provisioning; Self-Service Model; iOS, Android, Windows, Mac OS; My Devices Portal

Provisions device certificates:
‒ Based on Employee-ID & Device-ID
Provisions native supplicants:
‒ Windows: XP, Vista, 7 & 8
‒ Mac: OS X 10.6, 10.7 & 10.8
‒ iOS: 4, 5, 6 & 7
‒ Android: 2.2 and above
‒ 802.1X + EAP-TLS, PEAP & EAP-FAST
Employee Self-Service Portal:
‒ Lost devices are blacklisted
‒ Self-service model reduces IT burden
Single and dual SSID onboarding.
What Makes a BYOD Policy? Sample Complete BYOD Policy

Flowchart (node labels only; Y/N branches): Employee / Guest; i-Device Registered?; Access-Accept; Access-Reject; Internet Only

Building blocks:
• MAC address lookup to AD/LDAP
• Profiling
• Posture
• Machine certificates
• Non-exportable user certificate
• Machine auth with PEAP-MSCHAPv2
• EAP chaining
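To make the authorization side concrete, here is an added example (not ISE policy syntax, and not the customer's actual rules) that evaluates an already-authenticated session against the deck's trusted-user / trusted-device matrix (Full, Limited, No Access), the BYOD registration check from this slide, and the guest "Internet Only" outcome, with the policy set chosen by connection medium as on the Policy Sets slide. The Session fields, the rule that a trusted device means managed plus posture-compliant, the stricter VPN policy set, and every authorization profile name are assumptions made for the illustration.

```python
"""Authorization decision after authentication (added example; not Cisco ISE code).
Session fields, the medium-based policy-set split and profile names are assumed."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user: Optional[str]         # None when only the endpoint (MAB) was identified
    user_group: Optional[str]   # "Employee", "Student" or None
    auth_method: str            # "EAP-TLS", "PEAP-MSCHAPv2", "MAB" or "WebAuth-Guest"
    device_managed: bool        # school-owned device with a machine certificate
    device_registered: bool     # personal device onboarded through the My Devices portal
    posture_compliant: bool     # posture assessment passed
    medium: str                 # "Wired", "Wireless" or "VPN" (selects the policy set)


@dataclass(frozen=True)
class Decision:
    result: str                 # "Access-Accept" or "Access-Reject"
    profile: str                # assumed authorization profile name ("" on reject)


STRONG_USER_AUTH = {"EAP-TLS", "PEAP-MSCHAPv2"}


def user_is_trusted(s: Session) -> bool:
    """Trusted user = known employee or student who presented a real credential, not just a MAC."""
    return s.user_group in {"Employee", "Student"} and s.auth_method in STRONG_USER_AUTH


def device_is_trusted(s: Session) -> bool:
    """Trusted device = managed (machine certificate) and currently posture-compliant."""
    return s.device_managed and s.posture_compliant


def campus_policy_set(s: Session) -> Decision:
    """Wired and Wireless policy set: the four-row matrix plus the BYOD and guest cases."""
    if s.auth_method == "WebAuth-Guest":
        return Decision("Access-Accept", "Guest-Internet-Only")
    trusted_user, trusted_device = user_is_trusted(s), device_is_trusted(s)
    if trusted_user and trusted_device:                       # Full Access, tiered by role
        profile = "Employee-Full-Access" if s.user_group == "Employee" else "Student-Printers-Only"
        return Decision("Access-Accept", profile)
    if trusted_user and not trusted_device:                   # Limited Access
        if s.device_managed:                                  # managed but failed posture
            return Decision("Access-Accept", "Posture-Remediation")
        if s.device_registered:                               # onboarded personal device
            return Decision("Access-Accept", "BYOD-Internet-Only")
        return Decision("Access-Accept", "BYOD-Onboarding-Redirect")   # send to onboarding portal
    if trusted_device and not trusted_user:                   # Limited Access: machine-only auth
        return Decision("Access-Accept", "Machine-Limited-Access")
    return Decision("Access-Reject", "")                      # untrusted user on untrusted device


def vpn_policy_set(s: Session) -> Decision:
    """VPN policy set (assumed stricter): only a trusted user on a trusted device gets in."""
    if user_is_trusted(s) and device_is_trusted(s):
        return Decision("Access-Accept", "VPN-Full-Access")
    return Decision("Access-Reject", "")


POLICY_SETS = {"Wired": campus_policy_set, "Wireless": campus_policy_set, "VPN": vpn_policy_set}


def authorize(s: Session) -> Decision:
    """Pick the policy set by medium, then evaluate it; an unknown medium fails closed."""
    policy_set = POLICY_SETS.get(s.medium)
    if policy_set is None:
        return Decision("Access-Reject", "")
    return policy_set(s)


if __name__ == "__main__":
    # Constructed sample sessions covering each row of the matrix.
    for label, sess in [
        ("employee, managed, compliant, wireless", Session("jdoe", "Employee", "EAP-TLS", True, False, True, "Wireless")),
        ("student, managed, compliant, wired", Session("s17", "Student", "PEAP-MSCHAPv2", True, False, True, "Wired")),
        ("employee, personal, not registered", Session("jdoe", "Employee", "PEAP-MSCHAPv2", False, False, False, "Wireless")),
        ("unknown MAB endpoint", Session(None, None, "MAB", False, False, False, "Wired")),
    ]:
        print(f"{label}: {authorize(sess)}")
```

Keeping authentication (who proved what) out of the authorization functions is the point of the earlier "separation" slide: the same Session can be fed to different policy sets, and a change to the VPN rules never touches the campus rules.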
Guest Access
Improve Guest Experiences Without Compromising Security

Hotspot:             Guest            -> Internet               Immediate, uncredentialed Internet access
Self-Registration:   Guest            -> Internet               Simple self-registration
Sponsored:           Guest + Sponsor  -> Internet and Network   Role-based access with employee sponsorship
ISE Built-in Portal Customisation?
• Create accounts
• Notifications: Print, Email, SMS (sample notification: “Approved! credentials: username: trex42, password: littlearms”)
• Mobile and desktop portals
Which Portals Are Customisable? All Except The Admin Portal
1. Guest
2. Sponsor
3. BYOD (Device Registration)
4. My Devices
5. Client Provisioning (Desktop Posture)
6. MDM (Mobile Device Management)
7. Blacklist
8. Certificate Provisioning Portal

ISE Portal Builder: https://isepb.cisco.com/
• 17 languages
• All portal support (hotspot, self-registered, BYOD, ...)
• Access your portals to manage and share
• Choose from pre-built portal layouts
• Supports all languages (plus RTL: Arabic & Hebrew)
• Supports all portal types
Guest Demo
Guest Demo: two different SSIDs
• ISE_CLLE_SR_Demo: Self-Registration demo
• ISE_CLLE_HS_Demo: Hotspot demo; access key is “ISE_DEMO!!” without quotes
Q & A
What to do next?
• Email: [email protected]
• Phone: (603) 263-3568
• Twitter: @michael_zsiga
Contact me or anyone else @ ePlus
If you are bored and want to hang out with fellow Nerds and Geeks alike join BOSNOG: The Boston Network Operators Group (www.bosnog.org)