Wireless LAN Security, Policy and BYOD (d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/brkewn-2020.pdf)

Upload: vuongphuc

Post on 13-Apr-2018


TRANSCRIPT

Page 1: Wireless LAN Security, Policy and BYODd2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKEWN-2020.pdf · Wireless LAN Security, Policy and BYOD Best Practices BRKEWN-2020 Federico Ziliotto
Page 2

Wireless LAN Security, Policy and BYOD Best Practices BRKEWN-2020

Federico Ziliotto

Systems Engineer CCIE – 23280 (Wireless, R&S)

Page 3

Session abstract

Learn how to address the growing wave of BYOD (Bring Your Own Device), which has very real security implications and introduces some uniquely mobile challenges on the enterprise wireless network.

We will cover the principles of secured wireless networks (encryption, 802.1X, guest access, etc.).

Next, we will take a look at enabling identity services for mobile devices on the network and at access policies for different populations of endpoints and users.

Prerequisite knowledge of 802.11 fundamentals is recommended.

Page 4

For Your Reference

There are slides in your PDF that will not be presented, or only quickly presented.

They are usually valuable, but included only “For Your Reference”.

Page 5

Agenda

• Introduction

• Wireless Security

• Identity Services

• Which Policy for which Endpoint/User

Page 6

Wireless Bring Your Own Device (BYOD)

Drivers

• Majority of new network devices have no wired port.

• Users will change devices more frequently than in the past.

• Mobile devices have become an extension of our work.

• Guest / Contractor access and accountability has become a strong business need.

Examples

• Guests and Contractors must be isolated and accounted for.

• Users will have 1 wired and 2+ wireless devices moving forward.

• The wireless network must be secure and as predictable as the wired network.

Page 7

Spectrum of BYOD Strategies: Different Deployment Requirements for Different Environments

Controller only BYOD (Cisco WLAN Controller)

– Wireless Only

– Basic Profiling and Policy on WLC

Controller + ISE-Wireless BYOD (Cisco WLAN Controller + ISE)

– Wireless Only

– AAA + Advanced Profiling + Device Posture + Client On-board + Guest + Mobile Device Management (MDM)

Extended BYOD (Cisco WLAN Controller + Cisco Catalyst Switch + ASA Firewall + ISE)

– Wired + Wireless + Remote Access

– AAA + Advanced Profiling + Device Posture + Client On-board + Guest + MDM

Page 8

Contextual Policy for BYOD Deployments: Control and Enforcement

Diagram: endpoint → Access Point → Wireless LAN Controller (VLAN 10 / VLAN 20) → ISE (Unified Access Management), with location (HQ) and time (2:38pm) as context.

1. 802.1X EAP Machine/User Authentication.

2. Identity profiling to identify the device, using DHCP, RADIUS, SNMP, NETFLOW, HTTP and DNS data.

3. Posture of the device.

4. Policy decision: personal asset or company asset.

5. Enforcement: dACL, VLAN, SGA.

6. Full or partial access granted: Corporate Resources or Internet Only.

Cisco wireless can support multiple users and device types on a single SSID.

Page 9

Device Policy Steps with Cisco ISE

Phase 1: Authentication. The client supplicant authenticates with EAP through the WLC to ISE.

Phase 2: Device Identification and Policy Assignment. ISE identifies the endpoint from MAC, DHCP, DNS and HTTP attributes and asks “Allowed device?”: if yes, allowed access; if not, Internet-Only.

Phase 3: Posture assessment (client supplicant ↔ ISE).

Phase 4: Device Policy Enforcement on the WLC, for example:

• Silver QoS

• Allow-All ACL

• Employee VLAN

Page 10

Agenda: Introduction, Wireless Security, Identity Services, Which Policy for which Endpoint/User.

Page 11

Wireless connection workflow

Endpoint ↔ Access Point (AP) over 802.11; AP ↔ Wireless LAN Controller (WLC) over CAPWAP (Data Encapsulation – UDP 5246, Control Messages – UDP 5247).

Probe Request → Probe Response (the Probe Request is forwarded to the WLC)

Authentication Request → Authentication Response (not for 802.1X, but in case of PSK)

(Re)Association Request → (Re)Association Response

Do we need 802.1X?

In case of PSK or 802.1X we can encrypt.

Do we need other identity services?

See BRKEWN-2018.

Page 12

Secure or open SSID?

A secure SSID cannot fall back to open.

– Example: users not supporting 802.1X cannot fall back to web portal authentication on the same SSID as corporate users.

Pre-shared keys (PSK) and keys derived from 802.1X cannot co-exist on a secure SSID.

On both types of SSIDs you can combine multiple identity services if needed.

– Examples: guest users going through posture assessment, employees going through MDM, employees going through web portal after device authentication, etc.

Page 13

Secure SSID and key management

Pairwise Master Key (PMK) derived from the Pre-Shared Key (PSK).

PMK derived from 802.1X.

Page 14

Is roaming a requirement?

It depends on how critical your SSID is.

For a secure SSID, dynamic encryption keys could be re-used without the need to go through a new authentication (otherwise L2 connectivity will be lost).

IP connectivity should not be disrupted.

Page 15

Secure SSID – key management principles

Up to 24 WLCs in the same Mobility Group.

With PSK there is no need for key management: keys are already statically defined.

Pro-active/Opportunistic Key Caching (PKC/OKC)

– Enabled with WPA2.

– Available since Windows XP SP2.

– Available on Samsung Galaxy S4 (Android 4.2.2).

Cisco Centralized Key Management (CCKM)

– Mostly used with 7921/7925/7926 phones.

– Available on Samsung Galaxy S4 (Android 4.2.2).

Sticky Key Caching (SKC)

– Available since iOS 5.0.

802.11r

– Available since iOS 6.0.
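An added example (not code from the BRKEWN-2020 deck) for the two key-management points above: how the PMK of page 13 is derived for a WPA2-PSK SSID, and how a cached PMK is identified by its PMKID when a client reassociates, which is what the key-caching schemes on this page rely on. The derivations follow IEEE 802.11-2012; the SSID, passphrase and MAC addresses in the demo are constructed sample values, and the controller cache class is an illustration, not Cisco's implementation.

```python
# Added example (not from the BRKEWN-2020 deck): PMK derivation for a WPA2-PSK SSID and
# PMKID computation for key caching. Derivations follow IEEE 802.11-2012; the SSID,
# passphrase and MAC addresses used in the demo are constructed sample values.
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or the deck's aa.bb.cc.dd.ee.ff notation."""
    return bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every station on the SSID derives the same PMK, which is why a PSK SSID needs no
    key management (page 15) and why the passphrase is the single secret behind it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the first 16 bytes of the HMAC,
    with AA the authenticator (AP/BSSID) address and SPA the supplicant (station) address.
    A station sends this in its (re)association request so the controller can look up a
    cached PMK instead of running 802.1X again."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class ControllerPmkCache:
    """Per-station PMK store as a controller keeps it after a successful 802.1X run.
    With opportunistic key caching the PMK is valid on every AP of the controller, so
    the controller only has to recompute the PMKID for the AP the station roams to."""

    def __init__(self) -> None:
        self._pmk_by_station = {}

    def store(self, sta_mac: str, pmk: bytes) -> None:
        self._pmk_by_station[sta_mac.lower()] = pmk

    def reassociate(self, sta_mac: str, ap_mac: str, presented_pmkid: bytes) -> bool:
        """True: fast roam, the 4-way handshake can start from the cached PMK.
        False: no usable cache entry, a full 802.1X authentication is required."""
        pmk = self._pmk_by_station.get(sta_mac.lower())
        if pmk is None:
            return False
        expected = pmkid(pmk, ap_mac, sta_mac)
        return hmac.compare_digest(expected, presented_pmkid)


def demo() -> dict:
    """Walk a station through authentication on AP1 and a roam to AP2 (constructed values)."""
    sta, ap1, ap2 = "aa:bb:cc:00:00:01", "00:11:22:33:44:01", "00:11:22:33:44:02"
    pmk = pmk_from_psk("Correct-Horse-Battery-Staple", "CorpWiFi")  # with 802.1X it comes from EAP instead
    cache = ControllerPmkCache()
    cache.store(sta, pmk)
    return {
        "pmk_len": len(pmk),
        "roam_to_ap2": cache.reassociate(sta, ap2, pmkid(pmk, ap2, sta)),
        # the PMKID binds (PMK, AP, station): one computed for AP1 is useless on AP2
        "stale_pmkid_on_ap2": cache.reassociate(sta, ap2, pmkid(pmk, ap1, sta)),
        "unknown_station": cache.reassociate("aa:bb:cc:00:00:99", ap2, pmkid(pmk, ap2, sta)),
    }
```

The `demo()` function returns the outcomes of a successful OKC roam, a reassociation with a PMKID computed for the wrong AP, and a station the controller has never authenticated; only the first one avoids a new 802.1X exchange, which is the L2 interruption page 14 warns about.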

Page 16

Maintaining IP connectivity while roaming

Up to 72 WLCs in the same Mobility Domain.

Intra Controller Mobility

– L2/same subnet: the point of presence (PoP) stays the same (or moves in case of the same FlexConnect group).

– L3/different subnet: the controller takes care of keeping the same PoP.

Inter Controller Mobility

– L2/same subnet: the client database entry is moved to the new controller, the PoP moves to the new controller.

– L3/different subnet: the client database entry is copied to the new controller (foreign), the PoP stays on the old controller (anchor).

Page 17

Choosing the access control method

• 802.1X

• MAC Authentication Bypass (MAB)

• Web Authentication

• What to do next? (posture assessment, MDM, etc.)

Page 18

IEEE 802.1X

Supplicant ↔ Authenticator: EAP over LAN (EAPoL), Layer 2 point-to-point. Authenticator ↔ Auth Server: RADIUS, Layer 3 link.

Beginning

EAPoL Start

EAPoL Request Identity

EAP-Response Identity: Alice → RADIUS Access-Request [AVP: EAP-Response: Alice]

Middle (multiple Challenge-Request exchanges possible)

RADIUS Access-Challenge [AVP: EAP-Request PEAP] → EAP-Request: PEAP

EAP-Response: PEAP → RADIUS Access-Request [AVP: EAP-Response: PEAP]

End

RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] → EAP Success

• 802.1X (EAPoL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms.

• When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or PEAP, which defines how the authentication takes place.

Page 19

EAP Authentication Types: Different Authentication Options Leveraging Different Credentials

Tunneling-Based: EAP-PEAP, EAP-FAST. Inner Methods: EAP-GTC, EAP-TLS, EAP-MSCHAPv2.

Certificate-Based: EAP-TLS.

Tunnel-based – Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. The tunnel provides security for the inner method, which may be vulnerable by itself.

Certificate-based – For more security, EAP-TLS provides mutual authentication of both the server and the client.

Page 20

The RADIUS Protocol

The RADIUS protocol is initiated by the network devices: it's initiated by the client to the server, but not CoA… so there was no way to change an authorization from ISE.

RADIUS CoA: now network devices listen to CoA requests from ISE. A CoA can:

• Re-authenticate session

• Terminate session

• Terminate session with port bounce

• Disable host port

“Now I can control ports when I want to!”

Page 21

IEEE 802.1X with Change of Authorization (CoA)

Supplicant ↔ Authenticator: EAP over LAN (EAPoL), Layer 2 point-to-point. Authenticator ↔ Auth Server: RADIUS, Layer 3 link.

Change of Authorization

RADIUS CoA-Request [VSA: subscriber: reauthenticate] (Auth Server → Authenticator)

RADIUS CoA-Ack (Authenticator → Auth Server)

Re-Authentication (multiple Challenge-Request exchanges possible)

EAPoL Request Identity

EAP-Response Identity: Alice → RADIUS Access-Request [AVP: EAP-Response: Alice]

RADIUS Access-Challenge [AVP: EAP-Request PEAP] → EAP-Request: PEAP

EAP-Response: PEAP → RADIUS Access-Request [AVP: EAP-Response: PEAP]
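An added example, not code from the deck or from Cisco: the RADIUS side of the exchanges on pages 18 and 21 built byte for byte, so the encapsulation of EAP inside RADIUS, the VLAN attributes an Access-Accept carries, and the authenticators that let each side reject a forged or wrong-secret message can be inspected. The packet layout follows RFC 2865, the EAP-Message and Message-Authenticator handling RFC 3579, and the CoA-Request authenticator RFC 5176; the shared secret, NAS address, identity "Alice" (the deck's) and VLAN number are constructed sample values, and the reauthenticate command is carried in a Cisco-AVPair as assumed here.

```python
# Added example, not code from the BRKEWN-2020 deck: the RADIUS side of the 802.1X
# exchange on pages 18 and 21, built per RFC 2865 (packet/attribute layout), RFC 3579
# (EAP-Message, Message-Authenticator) and RFC 5176 (CoA). The shared secret, NAS
# address and VLAN number are constructed sample values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE, COA_REQUEST, COA_ACK = 1, 2, 11, 43, 44
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 4, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 64, 65, 79, 80
TUNNEL_PRIVATE_GROUP_ID = 81          # the "IETF 64/65/81" of the deck's FlexConnect page
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    body = struct.pack("!B", EAP_TYPE_IDENTITY) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def eap_success(eap_id: int) -> bytes:
    return struct.pack("!BBH", EAP_SUCCESS, eap_id, 4)


def _assemble(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _add_message_authenticator(code, ident, authenticator, attrs, secret) -> bytes:
    # HMAC-MD5 over the whole packet with the attribute's own value zeroed (RFC 3579 3.2);
    # for replies the Authenticator field holds the Request Authenticator of the request.
    probe = _assemble(code, ident, authenticator, attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    return attrs + avp(MESSAGE_AUTHENTICATOR, hmac.new(secret, probe, hashlib.md5).digest())


def build_access_request(ident, username, eap, nas_ip, secret):
    """WLC -> ISE: the EAP-Response is carried inside an EAP-Message attribute.
    Returns (packet, request_authenticator); the WLC must remember the latter."""
    request_auth = os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(EAP_MESSAGE, eap))
    attrs = _add_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return _assemble(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def vlan_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """AAA override of the VLAN: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6),
    Tunnel-Private-Group-ID=<vlan>. The first value byte of each is the tunnel tag."""
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + b"\x00\x00\x0d") + avp(TUNNEL_MEDIUM_TYPE, t + b"\x00\x00\x06")
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))


def build_response(code, ident, request_auth, attrs, secret):
    """ISE -> WLC (Access-Accept/Challenge) or WLC -> ISE (CoA-ACK). The Response Authenticator
    is MD5(Code|ID|Length|RequestAuth|Attributes|Secret), so it binds the reply to the request."""
    if code in (ACCESS_ACCEPT, ACCESS_CHALLENGE):
        attrs = _add_message_authenticator(code, ident, request_auth, attrs, secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return _assemble(code, ident, hashlib.md5(header + request_auth + attrs + secret).digest(), attrs)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Receiver check: a reply whose authenticator does not verify (wrong secret, replayed or
    forged) must be dropped, otherwise anyone on the path could hand out an Access-Accept."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_request(ident, session_attrs, secret):
    """ISE -> WLC, server initiated: Request Authenticator = MD5(Code|ID|Length|16 zero bytes|
    Attributes|Secret) (RFC 5176). Carries a Cisco-AVPair (vendor 9, sub-type 1) with the
    reauthenticate command the deck abbreviates as "subscriber: reauthenticate"."""
    cmd = b"subscriber:command=reauthenticate"
    vsa = avp(VENDOR_SPECIFIC, struct.pack("!IBB", 9, 1, 2 + len(cmd)) + cmd)
    attrs = session_attrs + vsa
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    request_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return _assemble(COA_REQUEST, ident, request_auth, attrs), request_auth


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """WLC side of page 20's "now network devices listen to CoA": only a sender holding the
    shared secret can produce a CoA-Request the WLC will act on."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes):
    """Decode the attribute list into (type, value) pairs."""
    out, pos, length = [], 20, struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        out.append((t, packet[pos + 2:pos + l]))
        pos += l
    return out


def run_exchange(secret: bytes = b"constructed-shared-secret"):
    """Page 18 (Beginning/End) followed by page 21 (CoA). Returns the decoded Access-Accept
    attributes and whether both sides accepted every authenticator they checked."""
    req, req_auth = build_access_request(7, "Alice", eap_identity_response(1, "Alice"), "10.0.0.5", secret)
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, avp(EAP_MESSAGE, eap_success(2)) + vlan_attrs(10), secret)
    coa, coa_auth = build_coa_request(1, avp(USER_NAME, b"Alice"), secret)
    ack = build_response(COA_ACK, 1, coa_auth, b"", secret)
    all_ok = (verify_response(accept, req_auth, secret) and verify_coa_request(coa, secret)
              and verify_response(ack, coa_auth, secret))
    return parse_attrs(accept), all_ok
```

Two things worth noticing when running it: the Access-Accept that grants VLAN 10 is only as trustworthy as the Response Authenticator check on the WLC, which depends entirely on the shared secret, and the same holds in the other direction for the CoA-Request, which is why the secret and the set of hosts allowed to send CoA to a controller deserve the same care as the RADIUS server itself.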

Page 22

MA C Authentication Bypass (MAB): non-802.1X capable devices and no “user intelligence” behind

Any packet (from 00.0a.95.7f.de.06) → Authenticator → RADIUS Access-Request [AVP: 00.0a.95.7f.de.06] → RADIUS Server

RADIUS Access-Accept → Network Access Granted

Mind the access level on the MAB VLAN.

Page 23

Local Web Authentication (LWA)

Actors: host, AP-WLC, DHCP/DNS, ISE server. Optional before the web authentication: MAB, 802.1X.

1. SSID with WebAuth (optionally MAB and/or 802.1X first).

2. Pre-webauth ACL applied.

3. Host acquires IP address, triggers session state.

4. Host opens browser, gets the login page, sends password.

5. WLC queries AAA server; AAA server returns policy (server authorizes user).

6. WLC applies new WebAuth policy (L3).

LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC.

Page 24

LWA – Configuration example (screenshot; For Your Reference)

Page 25

Central Web Authentication (CWA)

Actors: host, AP-WLC, DHCP/DNS, ISE server.

1. Open SSID with MAC Filtering enabled.

2. First authentication session (MAB).

3. AuthC success; AuthZ for unknown MAC returned: redirect/filter ACL, portal URL.

4. Host acquires IP address, triggers session state.

5. Host opens browser – WLC redirects browser to ISE web page (login page); host sends username/password.

6. Web Auth success results in CoA (server authorizes user).

7. MAB re-auth, MAB success; session lookup – policy matched; authorization ACL/VLAN returned.

CENTRAL because the redirection URL and the pre-webauth ACL are centrally configured on ISE and communicated to the WLC via RADIUS.

Page 26

CWA – Configuration example (screenshot; For Your Reference)

Page 27

Other URL-Redirect scenarios (posture, MDM, etc.)

Actors: host, AP-WLC, DHCP/DNS, ISE server.

1. SSID configured for 802.1X / MAB.

2. First authentication session.

3. AuthC success; AuthZ returned: redirect/filter ACL, URL for posture/MDM/etc.

4. Host acquires IP address, triggers session state.

5. Host opens browser – WLC redirects browser to ISE for other services: posture check, MDM check, client provisioning, etc.

6. RADIUS CoA (server authorizes user).

7. 802.1X/MAB re-auth, 802.1X/MAB success; session lookup – policy matched; authorization ACL/VLAN returned.

CWA is a URL-Redirect scenario.

Thanks to RADIUS CoA we can apply other identity services after 802.1X, MAB or WebAuth.
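An added example (not code from the deck or from Cisco) of the CWA flow on page 25 and of the chained URL-redirect pattern on this page, as a small simulation with both sides present: a WLC that enforces whatever ISE returned and re-runs MAB when a CoA arrives, and an ISE that recomputes the authorization on every re-auth. The ACL names, portal URL, user accounts and the rule that employees must pass posture are constructed; the MAC address is the one from the deck's MAB page.

```python
# Added example (not code from the deck): CWA (page 25) and posture-after-WebAuth (page 27)
# as a two-party simulation driven by RADIUS CoA. ACL names, portal URL, accounts and the
# posture requirement are constructed; the MAC is the deck's MAB example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORTAL_URL = "https://ise.example.invalid/guestportal"   # constructed


@dataclass
class Session:
    mac: str
    identity: Optional[str] = None     # known only after the portal login (step 5)
    posture: str = "unknown"


class IseSim:
    """Policy server. Authorization is recomputed on every MAB (re)auth, which is
    exactly what the CoA-triggered re-auth of steps 6-7 relies on."""

    def __init__(self, users: Dict[str, Tuple[str, str]], posture_roles=("employee",)):
        self.users = users                     # username -> (password, role); constructed store
        self.posture_roles = set(posture_roles)
        self.sessions: Dict[str, Session] = {}

    def mab_authorize(self, mac: str) -> dict:
        s = self.sessions.setdefault(mac, Session(mac))
        if s.identity is None:                 # step 3: unknown MAC -> redirect ACL + portal URL
            return {"acl": "REDIRECT-TO-PORTAL", "redirect_url": PORTAL_URL, "state": "webauth-pending"}
        role = self.users[s.identity][1]
        if role in self.posture_roles and s.posture != "compliant":   # page 27: chain posture after WebAuth
            return {"acl": "REDIRECT-POSTURE", "redirect_url": PORTAL_URL + "/posture", "state": "posture-pending"}
        return {"acl": f"PERMIT-{role.upper()}", "vlan": 10 if role == "employee" else 20, "state": "authorized"}

    def portal_login(self, mac: str, username: str, password: str) -> Optional[dict]:
        """Step 5: credentials are checked by ISE, not by the WLC. Success returns a CoA request."""
        if mac not in self.sessions or self.users.get(username, (None,))[0] != password:
            return None
        self.sessions[mac].identity = username
        return {"mac": mac, "command": "reauthenticate"}

    def posture_report(self, mac: str, compliant: bool) -> dict:
        self.sessions[mac].posture = "compliant" if compliant else "non-compliant"
        return {"mac": mac, "command": "reauthenticate"}


class WlcSim:
    """Authenticator. Enforces whatever ISE returned and re-runs MAB on CoA."""

    def __init__(self, ise: IseSim):
        self.ise = ise
        self.enforced: Dict[str, dict] = {}

    def associate(self, mac: str) -> dict:       # steps 1-2: open SSID + MAC filtering -> MAB
        self.enforced[mac] = self.ise.mab_authorize(mac)
        return self.enforced[mac]

    def http_request(self, mac: str, url: str) -> Tuple[str, str]:
        policy = self.enforced[mac]
        if "redirect_url" in policy:             # step 4: the redirect ACL intercepts the browser
            return "302", policy["redirect_url"]
        return "200", url

    def coa(self, coa_request: dict) -> dict:    # steps 6-7: re-auth, session lookup, new policy
        mac = coa_request["mac"]
        self.enforced[mac] = self.ise.mab_authorize(mac)
        return self.enforced[mac]


def run_cwa(username: str, password: str, posture_compliant: bool = True) -> Tuple[List[str], dict]:
    """Returns the trail of states the session went through and the final enforced policy."""
    ise = IseSim({"guest01": ("Welcome1", "guest"), "alice": ("Sup3rSecret", "employee")})
    wlc = WlcSim(ise)
    mac = "00:0a:95:7f:de:06"
    trail = [wlc.associate(mac)["state"]]
    status, where = wlc.http_request(mac, "http://intranet.example.invalid/")
    trail.append(f"http {status} -> {where}")
    coa = ise.portal_login(mac, username, password)
    if coa is None:
        trail.append("login-failed")            # the session stays on the redirect ACL
        return trail, wlc.enforced[mac]
    trail.append(wlc.coa(coa)["state"])
    if trail[-1] == "posture-pending":
        trail.append(wlc.coa(ise.posture_report(mac, posture_compliant))["state"])
    return trail, wlc.enforced[mac]
```

The simulation makes the security property of CWA visible: until ISE has issued a CoA, the only thing the WLC ever enforces for an unknown MAC is the redirect ACL, and a failed login or a non-compliant posture leaves the session exactly there rather than widening access.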

Page 28

Agenda: Introduction, Wireless Security, Identity Services, Which Policy for which Endpoint/User.

Page 29

Required Network Components and Versions: Cisco Wireless LAN Controller and Identity Services Engine (For Your Reference)

Cisco Wireless LAN Controller

– Version 7.0.116 or greater (440x, WiSM1, Flex 7500, 2106 or later)

o Centrally switched 802.1X WLANs only supported for RADIUS CoA with posture.

– Version 7.2.110.0 or greater (5508, WiSM2, Flex 7500, 8500, 2504 or later)

o Both 802.1X and Open WLANs supported for RADIUS CoA with all URL-Redirect scenarios.

o Central and local switching supported for all URL-Redirect scenarios.

– Version 7.3 or greater (5508, WiSM2, Flex 7500, 8500, 2504 or later)

o Central switching: device profiling attributes for DHCP and HTTP collected by the WLC.

– Version 7.5 or greater (5508, WiSM2, Flex 7500, 8500, 2504 or later)

o Central switching supported for native Profiling and Policy enforcement on the WLC.

Cisco Identity Services Engine

– Version 1.1.1 or greater.

– Base License for 802.1X and Web Authentication.

– Advanced License for Profiling, Posture, MDM, Client Provisioning, SGT.

– Wireless License for all features, just on wireless network access devices.

Page 30

Cisco Identity Services Engine (ISE)

The diagram shows the earlier products ACS, NAC Profiler, NAC Guest Server, NAC Manager and NAC Server converging into one Identity Services Engine, which provides:

• Centralized Policy

• RADIUS Server

• Posture Assessment

• Guest Access Services

• Device Profiling

• Client Provisioning

• MDM

• Monitoring, Troubleshooting, Reporting

See BRKSEC-2044 and BRKSEC-3698.

Page 31

Authentication and Authorization: What are they?

Authentication (802.1X / MAB / WebAuth) tells what/who the endpoint/user is.

Authorization tells what the endpoint/user can access.

Page 32

ISE Policy Rules

1. Authentication Rules

• Define what identity stores to reference.

• Example – Active Directory, CA Server, Internal DB, etc.

2. Authorization Rules

• Define what users and devices get access to resources.

• Example – All Employees with Windows Laptops have full access.

Page 33

Policy Sets on ISE (screenshot)

Page 34

Policy Sets on ISE (screenshot, continued)

Page 35

Authentication Rules

If this/these condition(s) is/are matched, then allow this list of authentication protocols, and optionally check further (sub)rule(s), or just use the default rule, to pick the database for verifying the endpoint/user's identity.

Page 36

Factors in Choosing an EAP Method: The Most Common EAP Types are PEAP and EAP-TLS

EAP Type(s) Deployed: Client Support, Security vs. Complexity, Authentication Server Support.

Most clients such as Windows, Mac OS X and Apple iOS devices support EAP-TLS and PEAP (MS-CHAPv2).

‒ Additional supplicants can add more EAP types (Cisco AnyConnect).

Certain EAP types (TLS) can be more difficult to deploy than others depending on device type.

Cisco ISE Supplicant Provisioning can aid in the deployment.

Page 37

ISE's Identity Stores

Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP, RSA SecurID and RADIUS Token.

ISE's local database can also be used, and ERS APIs are supported for remote management.

Diagram: Machine / User / MAC Authentication over EAPoL presents a credential, which ISE verifies against the backend database(s).

Credentials: User/Password (e.g. user1 / C#2!ç@_E(), Certificate, RADIUS Token.

Backend database(s): Active Directory, Generic LDAP or PKI; RSA SecurID; Local DB.

Page 38

Authorization rules

Each rule has: Rule Name | Condition(s) | Result(s).

Page 39

Authorization Conditions

AuthZ conditions can be built from:

• External Identity Groups

• Directory Attributes

• Profiled Groups

• Posture State

• RADIUS & Session Attributes

Page 40

Authorization Results – Permissions

Pre-canned attributes and user-defined ones.
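An added example, not code from the deck or from ISE: a first-match authorization table in the shape of pages 38 to 40 (Rule Name | Condition(s) | Result(s)), with condition builders for the condition kinds listed on page 39 and results of the kind page 40 shows, evaluated over the session attributes a policy server holds after authentication, profiling and posture. The group, profile, VLAN and ACL names are constructed sample values; the first-match semantics are the same ones page 54 states for WLC local policies, so the lint at the end applies there as well.

```python
# Added example, not from the deck: a first-match authorization table (Rule Name |
# Condition(s) | Result(s)) evaluated over constructed session attributes. Group, profile,
# VLAN and ACL names are sample values.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, object]
Condition = Callable[[Session], bool]


@dataclass(frozen=True)
class AuthzRule:
    name: str
    conditions: Tuple[Condition, ...]   # all must hold (AND); empty tuple = always matches
    result: Dict[str, object]


# Condition builders for the condition kinds of page 39
def radius_attr(key: str, value: object) -> Condition:      # RADIUS & session attributes
    return lambda s: s.get(key) == value


def external_group(group: str) -> Condition:                 # external identity groups (e.g. AD)
    return lambda s: group in s.get("ad_groups", ())


def profiled_as(profile: str) -> Condition:                  # profiled groups
    return lambda s: s.get("profile") == profile


def posture_is(state: str) -> Condition:                     # posture state
    return lambda s: s.get("posture") == state


RULES = [
    AuthzRule("Quarantine-NonCompliant",
              (radius_attr("auth_method", "802.1X"), posture_is("NonCompliant")),
              {"dacl": "QUARANTINE", "redirect": "posture-remediation"}),
    AuthzRule("Employee-Corporate-Laptop",
              (radius_attr("auth_method", "802.1X"), external_group("Domain Users"),
               profiled_as("Windows-Workstation"), posture_is("Compliant")),
              {"vlan": 10, "dacl": "PERMIT-ALL", "qos": "Platinum"}),
    # Anything a domain user brings that is not a compliant corporate laptop lands here:
    # a missing posture result is deliberately not treated as "Compliant".
    AuthzRule("Employee-BYOD",
              (radius_attr("auth_method", "802.1X"), external_group("Domain Users")),
              {"vlan": 30, "dacl": "INTERNET-ONLY", "qos": "Silver"}),
    AuthzRule("Contractor", (external_group("Contractors"),),
              {"vlan": 40, "dacl": "CONTRACTOR", "qos": "Silver", "session_timeout": 3600}),
    AuthzRule("Guest-WebAuth",
              (radius_attr("auth_method", "WebAuth"), radius_attr("identity_group", "Guest")),
              {"vlan": 50, "dacl": "GUEST"}),
    AuthzRule("Printer-MAB", (radius_attr("auth_method", "MAB"), profiled_as("Printer")),
              {"vlan": 60, "dacl": "PRINTER-ONLY"}),
    AuthzRule("Default", (), {"dacl": "DENY-ALL"}),
]


def authorize(session: Session, rules: List[AuthzRule] = RULES) -> Tuple[str, Dict[str, object]]:
    """First matching rule wins; the unconditional Default keeps every outcome explicit."""
    for rule in rules:
        if all(cond(session) for cond in rule.conditions):
            return rule.name, rule.result
    raise LookupError("no rule matched: add an unconditional Default rule at the end")


def unreachable_rules(rules: List[AuthzRule]) -> List[str]:
    """Policy lint: anything after the first unconditional rule can never be hit."""
    for i, rule in enumerate(rules):
        if not rule.conditions:
            return [r.name for r in rules[i + 1:]]
    return []
```

Rule order is part of the policy: the quarantine rule sits above the employee rules so a non-compliant corporate laptop never reaches "PERMIT-ALL", and `unreachable_rules` catches the classic mistake of adding a new rule below the catch-all.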

Page 41

Converged Access – Downloadable ACL Support

Download: http://www.miercom.com/2013/05/cisco-wlc-5760/

Page 42

Cisco Wireless LAN Controller ACLs: Layer 3-4 Filtering at Line-rate

ACLs provide L3-L4 policy and can be applied per interface or per user.

Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs.

Up to 64 rules can be configured per ACL.

Diagram: Inbound and Outbound directions between the wireless clients and the wired LAN; implicit Deny All at the end.
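An added example, not code from the deck or from the WLC: an evaluator with the semantics this page gives for controller ACLs, that is, L3-L4 matching on protocol, addresses and destination port, a direction per rule, at most 64 rules per ACL and an implicit deny at the end. The direction convention (Inbound = towards the wireless client, Outbound = from the client), the sample "guest internet only" ACL and all addresses are assumptions constructed for the example.

```python
# Added example, not from the deck: WLC-style ACL evaluation (L3-L4 match, per-rule
# direction, 64-rule limit, implicit deny). The direction convention, the sample ACL and
# all addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES_PER_ACL = 64


@dataclass(frozen=True)
class AclRule:
    action: str                                  # "permit" | "deny"
    direction: str                               # "inbound" | "outbound" | "any"
    protocol: str                                # "tcp" | "udp" | "icmp" | "any"
    src: str                                     # CIDR
    dst: str                                     # CIDR
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range; None = any port


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


class WlcAcl:
    def __init__(self, name: str, rules: List[AclRule]):
        if len(rules) > MAX_RULES_PER_ACL:
            raise ValueError(f"{name}: {len(rules)} rules, WLC ACLs take at most {MAX_RULES_PER_ACL}")
        self.name, self.rules = name, list(rules)

    def evaluate(self, pkt: Packet) -> Tuple[str, int]:
        """Return (action, index of the matching rule); index -1 is the implicit deny."""
        for i, r in enumerate(self.rules):
            if r.direction not in ("any", pkt.direction) or r.protocol not in ("any", pkt.protocol):
                continue
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(r.src):
                continue
            if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(r.dst):
                continue
            if r.dst_ports and (pkt.dst_port is None or not r.dst_ports[0] <= pkt.dst_port <= r.dst_ports[1]):
                continue
            return r.action, i
        return "deny", -1


# Constructed "internet only" ACL for the Internet-Only outcome of page 8. Guest clients
# live in 10.50.0.0/16; DNS to the internal resolver is allowed first, then all RFC 1918
# space is denied, then the rest of the world is permitted. Controller ACLs are stateless,
# so return traffic has to be permitted explicitly (here: TCP to ephemeral ports only).
GUEST_INTERNET_ONLY = WlcAcl("GUEST-INTERNET-ONLY", [
    AclRule("permit", "outbound", "udp", "10.50.0.0/16", "10.0.0.53/32", (53, 53)),
    AclRule("permit", "inbound", "udp", "10.0.0.53/32", "10.50.0.0/16"),
    AclRule("deny", "outbound", "any", "0.0.0.0/0", "10.0.0.0/8"),
    AclRule("deny", "outbound", "any", "0.0.0.0/0", "172.16.0.0/12"),
    AclRule("deny", "outbound", "any", "0.0.0.0/0", "192.168.0.0/16"),
    AclRule("permit", "outbound", "any", "10.50.0.0/16", "0.0.0.0/0"),
    AclRule("permit", "inbound", "tcp", "0.0.0.0/0", "10.50.0.0/16", (1024, 65535)),
])
```

Order matters in a first-match list: swapping the first rule below the RFC 1918 denies silently breaks DNS for every guest, and the returned rule index makes that kind of mistake easy to see in a test.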

Page 43

FlexConnect and AAA Override: Setting the VLAN for Locally Switched Clients

ISE returns the VLAN across the WAN in the RADIUS tunnel attributes IETF 64 (Tunnel-Type), IETF 65 (Tunnel-Medium-Type) and IETF 81 (Tunnel-Private-Group-ID).

Switch port of the FlexConnect AP:

interface GigabitEthernet0/37
 description AP_3702
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,502-504
 switchport mode trunk

Create a sub-interface on the FlexConnect AP and (optionally) set the ACL on the VLAN.

Page 44

Cisco Wireless User-Based QoS Capabilities: Allowing Per-User and Per-Device Limiting of the Maximum QoS Level

WMM queues: Voice, Video, Best Effort, Background. QoS-tagged packets from Call Manager reach the Access Point through the WLC.

Employee – Platinum QoS: for the Employee user, the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the WMM Voice Queue.

Contractor – Silver QoS: for the contractor user, the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort Queue.
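An added example, not code from the deck or from the WLC, of the per-user QoS ceiling described above. The role to QoS level outcomes (Platinum lets DSCP EF into the Voice queue, Silver confines it to Best Effort) are the page's; the DSCP-to-WMM table is a simplified one assumed here, the treatment of an unknown QoS level as Bronze and the re-marking of clamped packets are assumptions of the example.

```python
# Added example, not from the deck: per-user QoS ceiling. The DSCP-to-WMM table is a
# simplified assumption; the re-marking of clamped packets is an assumption as well.
from typing import Tuple

WMM_QUEUES = ["Background", "Best Effort", "Video", "Voice"]           # low -> high priority
QOS_LEVEL_CEILING = {"Bronze": "Background", "Silver": "Best Effort",
                     "Gold": "Video", "Platinum": "Voice"}
QUEUE_DSCP = {"Background": 8, "Best Effort": 0, "Video": 34, "Voice": 46}  # CS1, DF, AF41, EF


def dscp_to_queue(dscp: int) -> str:
    """Which WMM access category a packet's own DSCP marking asks for (simplified table)."""
    if dscp in (46, 48, 56):          # EF, CS6, CS7
        return "Voice"
    if dscp in (32, 34, 36, 38):      # CS4, AF41-AF43
        return "Video"
    if dscp in (8, 10, 12, 14):       # CS1, AF11-AF13
        return "Background"
    return "Best Effort"


def enforce_qos(aaa_qos_level: str, dscp: int) -> Tuple[str, int]:
    """Clamp the requested queue to the ceiling the AAA server returned for this user.
    Returns (queue used, DSCP the packet leaves with). A missing or mis-typed level is
    treated as Bronze, so an attribute typo never grants the Voice queue."""
    requested = dscp_to_queue(dscp)
    ceiling = QOS_LEVEL_CEILING.get(aaa_qos_level, "Background")
    queue = min(requested, ceiling, key=WMM_QUEUES.index)
    return queue, (dscp if queue == requested else QUEUE_DSCP[queue])


def classify_flows(users: dict, packets: list) -> dict:
    """users: name -> AAA QoS level; packets: (user, dscp). Returns {user: [(queue, dscp), ...]}.
    This is the page's scenario: the same EF-marked packets, two different ceilings."""
    out = {}
    for user, dscp in packets:
        out.setdefault(user, []).append(enforce_qos(users.get(user, "Bronze"), dscp))
    return out
```

The point a defender cares about is that the marking on the packet is set by the client and cannot be trusted, while the ceiling comes from the AAA decision and can; the clamp makes the second override the first.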

Page 45

Security Group Access (SGA): Converged Access (CA) architecture

Users and endpoints on VLAN 100 reach a Catalyst 3850 / 5760 via 802.1X, MAB, WebAuth or as an agent-less device; Active Directory and ISE provide the identity; the IT Portal (SGT 4) is at 10.1.100.10.

SGT-IP binding table:

IP Address    SGT
10.1.10.102   5
10.1.100.10   4
10.1.99.100   12

SGT Enforcement: a client tagged SGT=5 is filtered by the SGACL “deny sgt-src 5 sgt-dst 4”.

SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.

See BRKEWN-2022 and BRKSEC-2203.

Page 46

Security Group Access (SGA): Cisco Unified Wireless Network (CUWN) architecture

Users and endpoints on VLAN 100 reach a 2504 / 5508 WLC via 802.1X, MAB, WebAuth or as an agent-less device; Active Directory and ISE provide the identity; the IT Portal (SGT 4) is at 10.1.100.10.

The WLC sends the IP-to-SGT binding table via SXP (WLC = speaker, switch = listener) to SGT tagging or SGACL capable devices (e.g. Catalyst 3750-X). Frames leave the WLC untagged and are tagged (SGT=5) by the Catalyst 3750-X before entering the campus network (Cat 6500 distribution).

IP Address    SGT
10.1.10.102   5
10.1.10.110   14
10.1.99.100   12

SGT Enforcement: SGACL “deny sgt-src 5 sgt-dst 4”.

SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.

See BRKSEC-2203 and BRKSEC-3690.
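An added example, not code from the deck or from Cisco, of the Security Group Access elements on pages 45 and 46 as data structures: an SXP speaker (the WLC) holding the IP-to-SGT bindings it learned from ISE authorizations and exporting them to an SXP listener (a switch such as the Catalyst 3750-X), which classifies traffic by tag and enforces an SGACL matrix containing "deny sgt-src 5 sgt-dst 4". The bindings and addresses are the pages' sample values; the class names, the fail-closed treatment of unknown tags and the stale-binding scenario are assumptions of the example.

```python
# Added example, not from the deck: SXP speaker/listener and SGACL enforcement with the
# binding table of page 45. Class names and the unknown-tag default are assumptions.
from typing import Dict, Tuple

UNKNOWN_SGT = 0


class SxpSpeaker:
    """WLC side: one IP-to-SGT binding per authorized client, learned from the Access-Accept."""

    def __init__(self) -> None:
        self.bindings: Dict[str, int] = {}

    def bind(self, ip: str, sgt: int) -> None:
        self.bindings[ip] = sgt

    def unbind(self, ip: str) -> None:
        # A binding must be withdrawn when the client leaves, or the next holder of the
        # address inherits its tag and its permissions.
        self.bindings.pop(ip, None)

    def export(self) -> Dict[str, int]:
        return dict(self.bindings)


class SgaclEnforcer:
    """SXP listener side: classifies packets by IP-to-SGT lookup and applies the SGACL matrix."""

    def __init__(self, unknown_action: str = "deny") -> None:
        self.bindings: Dict[str, int] = {}
        self.policy: Dict[Tuple[int, int], str] = {}     # (src SGT, dst SGT) -> action
        self.unknown_action = unknown_action

    def sxp_update(self, bindings: Dict[str, int]) -> None:
        self.bindings = dict(bindings)

    def add_sgacl(self, sgt_src: int, sgt_dst: int, action: str) -> None:
        self.policy[(sgt_src, sgt_dst)] = action

    def classify(self, ip: str) -> int:
        return self.bindings.get(ip, UNKNOWN_SGT)

    def check(self, src_ip: str, dst_ip: str) -> Tuple[str, Tuple[int, int]]:
        """Return (action, (src SGT, dst SGT)). An unknown tag never matches a matrix cell,
        so unknown_action decides; fail closed here, the pages do not say which way."""
        pair = (self.classify(src_ip), self.classify(dst_ip))
        if UNKNOWN_SGT in pair:
            return self.unknown_action, pair
        return self.policy.get(pair, "permit"), pair


def demo() -> dict:
    wlc, switch = SxpSpeaker(), SgaclEnforcer()
    for ip, sgt in (("10.1.10.102", 5), ("10.1.100.10", 4), ("10.1.99.100", 12)):  # page 45 table
        wlc.bind(ip, sgt)
    switch.sxp_update(wlc.export())
    switch.add_sgacl(5, 4, "deny")                       # "deny sgt-src 5 sgt-dst 4"
    before = switch.check("10.1.10.102", "10.1.100.10")
    other = switch.check("10.1.99.100", "10.1.100.10")
    wlc.unbind("10.1.10.102")                            # client disconnects
    stale = switch.check("10.1.10.102", "10.1.100.10")   # listener not yet updated: still tagged 5
    switch.sxp_update(wlc.export())
    after = switch.check("10.1.10.102", "10.1.100.10")
    return {"sgt5_to_portal": before, "sgt12_to_portal": other,
            "stale_binding": stale, "withdrawn": after}
```

The stale-binding step is the operational caveat of SXP: enforcement is only as current as the last binding update the listener received, so binding withdrawal on disconnect and the unknown-tag default are both policy decisions, not details.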

Page 47

ISE Profiling

Is the MAC address from Apple? Does the DHCP hostname contain “iPad”? Is the HTTP user-agent from an iPad? → Apple iPad

Page 48

ISE Profiling: Example of built-in policies

Built-in profiles include Smart Phones, Gaming Consoles and Workstations.

1. Multiple rules to establish a certainty level.

2. Minimum certainty for a match.

Page 49

Client attributes and traffic for Profiling: How RADIUS, HTTP, DNS and DHCP (and other traffic) are used to classify clients

The ISE uses multiple attributes to build a complete picture of the end client's device profile.

Information is collected from sensors which capture different attributes.

– The ISE can even kick off an NMAP scan of the host IP to determine more details.

1. RADIUS: the MAC address is checked against the known vendor OUI database.

2. DHCP/HTTP sensor: the client's DHCP/HTTP attributes are captured by the AP and provided in RADIUS Accounting messages by the WLC.

3. DNS server: a look-up of the DNS entry for the client's IP address reveals the hostname.

4. HTTP User-Agent: mobile devices are quite chatty for web applications, or they can also be redirected to one of ISE's portals.
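An added example, not code from the deck or from ISE, of the certainty-based matching pages 47 to 49 describe: each probe result (MAC OUI, DHCP hostname, DNS name, HTTP User-Agent) adds points to a profile, a profile matches once its total reaches its minimum certainty, and the best-scoring match wins. The OUI table, point values, profiles and endpoint attributes are constructed; the MAC prefix is the one in the deck's MAB example.

```python
# Added example, not from the deck: certainty-factor profiling. The OUI table, points,
# profiles and endpoint attributes are constructed sample values.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Endpoint = Dict[str, str]
OUI_VENDOR = {"00:0a:95": "Apple"}        # constructed one-entry OUI table


@dataclass(frozen=True)
class ProfileRule:
    points: int
    test: Callable[[Endpoint], bool]
    source: str                             # which probe fed it (kept for the audit trail)


@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int
    rules: Tuple[ProfileRule, ...]


def oui_is(vendor: str) -> Callable[[Endpoint], bool]:
    return lambda ep: OUI_VENDOR.get(ep.get("mac", "").lower()[:8]) == vendor


def attr_contains(key: str, needle: str) -> Callable[[Endpoint], bool]:
    return lambda ep: needle.lower() in ep.get(key, "").lower()


def attr_matches(key: str, pattern: str) -> Callable[[Endpoint], bool]:
    return lambda ep: re.search(pattern, ep.get(key, ""), re.IGNORECASE) is not None


PROFILES = (
    Profile("Apple-Device", 10, (ProfileRule(10, oui_is("Apple"), "RADIUS/OUI"),)),
    Profile("Apple-iPad", 30, (
        ProfileRule(10, oui_is("Apple"), "RADIUS/OUI"),
        ProfileRule(10, attr_contains("dhcp_hostname", "iPad"), "DHCP"),
        ProfileRule(10, attr_contains("dns_name", "iPad"), "DNS"),
        ProfileRule(20, attr_matches("http_user_agent", r"\biPad\b"), "HTTP"),
    )),
    Profile("Apple-iPhone", 30, (
        ProfileRule(10, oui_is("Apple"), "RADIUS/OUI"),
        ProfileRule(10, attr_contains("dhcp_hostname", "iPhone"), "DHCP"),
        ProfileRule(20, attr_matches("http_user_agent", r"\biPhone\b"), "HTTP"),
    )),
)


def score(profile: Profile, ep: Endpoint) -> Tuple[int, List[str]]:
    hits = [r for r in profile.rules if r.test(ep)]
    return sum(r.points for r in hits), [r.source for r in hits]


def profile_endpoint(ep: Endpoint, profiles=PROFILES) -> Tuple[str, int, List[str]]:
    """Return (profile, certainty, probes that contributed) for the best profile that
    reached its minimum certainty, or ("Unknown", 0, []) when none did."""
    best: Tuple[str, int, List[str]] = ("Unknown", 0, [])
    for p in profiles:
        certainty, sources = score(p, ep)
        if certainty >= p.min_certainty and certainty > best[1]:
            best = (p.name, certainty, sources)
    return best
```

The last test case below is the one to think about when weighting rules: the DHCP hostname and the HTTP User-Agent are both set by the client, so with the point values chosen here a device with a non-Apple OUI can still reach the iPad threshold on client-supplied attributes alone. Weighting the OUI (or a required rule) higher than the client-controlled probes is how a profile is kept from being the sole gate for an authorization result.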

Page 50

Local Client Profiling and Local Policy since WLC 7.5

Cisco WLC configuration:

Step 1: Enable DHCP and HTTP Local Client Profiling on the WLAN.

Step 2: 88 pre-defined client profiles (Device Type).

Step 3: Local Policy based on Device Type.

Page 51

Assigning WLC Local Policy based on Role

The RADIUS server returns a role attribute to the controller (role=Employee or role=Contractor) and the controller applies the local policy for that role.

Slide 53: Other Local Policy Options
- Wireless client authentication EAP type: LEAP, EAP-FAST, EAP-TLS, PEAP.
- Time of day: active hours for the policy (time-based policy).

Slide 54: Local Policy Actions
Enforced policy: ACL, VLAN, QoS, Session Timeout.

Slide 55: Applying Local Policies to WLANs and AP Groups
Native profiling can be applied per WLAN or per AP Group.
Restriction: the first matched rule applies.
A maximum of 16 policies can be created per WLAN / AP Group and 64 globally.
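Slides 51 to 55 describe the local policy engine as an ordered list evaluated first-match. The following is an added example written for this transcript (not WLC code) that models those rules so that ordering mistakes, in particular a catch-all policy placed before more specific ones, can be spotted before the list is attached to a WLAN. Policy names, ACL names, VLAN numbers and the client records are made up.

```python
"""Added example: first-match local-policy evaluator modelled on slides 51-55.

Illustrative code, not WLC code. It reproduces what the slides state: match on
device type, role or EAP type, optional active hours, actions ACL/VLAN/QoS/session
timeout, first matched rule wins, at most 16 policies per WLAN.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import time

MAX_POLICIES_PER_WLAN = 16   # slide 55 (64 globally)

@dataclass
class Actions:
    acl: str | None = None
    vlan: int | None = None
    qos: str | None = None
    session_timeout: int | None = None   # seconds

@dataclass
class Policy:
    name: str
    device_type: str | None = None                  # slide 51
    role: str | None = None                         # slide 52, from RADIUS "role=..."
    eap_type: str | None = None                     # slide 53: LEAP, EAP-FAST, EAP-TLS, PEAP
    active_hours: tuple[time, time] | None = None   # slide 53
    actions: Actions = field(default_factory=Actions)

    def matches(self, client: dict, now: time) -> bool:
        if self.device_type and client.get("device_type") != self.device_type:
            return False
        if self.role and client.get("role") != self.role:
            return False
        if self.eap_type and client.get("eap_type") != self.eap_type:
            return False
        if self.active_hours:
            start, end = self.active_hours
            if not (start <= now <= end):
                return False
        return True

    def is_catch_all(self) -> bool:
        return not (self.device_type or self.role or self.eap_type or self.active_hours)

def evaluate(policies: list[Policy], client: dict, now: time) -> Policy | None:
    """Return the first policy, in configured priority order, that matches (as the WLC does)."""
    if len(policies) > MAX_POLICIES_PER_WLAN:
        raise ValueError(f"{len(policies)} policies exceed the per-WLAN limit of {MAX_POLICIES_PER_WLAN}")
    for policy in policies:
        if policy.matches(client, now):
            return policy
    return None

def shadowed(policies: list[Policy]) -> list[str]:
    """Names of policies that can never match because a catch-all precedes them."""
    result, seen_catch_all = [], False
    for p in policies:
        if seen_catch_all:
            result.append(p.name)
        if p.is_catch_all():
            seen_catch_all = True
    return result

# Constructed policy list, in the priority order it would be attached to the WLAN.
POLICIES = [
    Policy("contractor-restricted", role="Contractor",
           actions=Actions(acl="CONTRACTOR_ACL", qos="bronze")),
    Policy("corp-ipad-office-hours", device_type="Apple-iPad", role="Employee",
           active_hours=(time(8, 0), time(18, 0)), actions=Actions(vlan=20, qos="silver")),
    Policy("employee-tls", role="Employee", eap_type="EAP-TLS",
           actions=Actions(vlan=10, qos="gold")),
    Policy("default-internet-only", actions=Actions(acl="INTERNET_ONLY", session_timeout=3600)),
]

IPAD_EMPLOYEE = {"device_type": "Apple-iPad", "role": "Employee", "eap_type": "EAP-TLS"}

if __name__ == "__main__":
    for hour in (9, 21):
        hit = evaluate(POLICIES, IPAD_EMPLOYEE, time(hour, 0))
        print(f"{hour:02d}:00 ->", hit.name if hit else "no match")
    print("shadowed:", shadowed([POLICIES[3]] + POLICIES[:3]))
```

The same employee iPad lands in a different policy at 09:00 and at 21:00 because the time-bound rule stops matching and evaluation falls through to the next one; moving the default policy to the top would silently disable every rule after it, which is what `shadowed()` reports.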

Slide 56: Differentiating Guest Access via User Groups
Multiple groups can be created in the Identity Services Engine. Each group can contain:
- Guest DB users (created by Sponsor and Self-service)
- Internal DB users (created by Administrators)
- External groups mapped in ISE (external database; mapping example for AD)
Those groups can be used in different authorization rules to differentiate network access.

Slide 57: ISE Sponsor Portal
Customizable sponsor pages. Sponsor privileges are tied to the defined sponsor policy:
- Roles the sponsor can create
- Time profiles that can be assigned
- Management of other guest accounts
- Single or bulk account creation

Slide 58: ISE Guest Self-Service (portal screenshot only)

Slide 59: Client Provisioning, Simplifying Device Management
Reduced burden on IT staff:
- Device on-boarding: self registration, supplicant provisioning, certificate provisioning.
- Self-service model: My Devices Portal for registration, Guest Sponsor Portal.
- Device blacklisting: user-initiated control of their own devices (blacklisting, reinstating a device, etc.).
Support for: iOS (6.0+), Mac OS X (10.6+), Android (2.2+), Windows (XP+).

Slide 60: "My Devices" Portal, Self-Registration and Self-Blacklisting of BYOD Devices
1. New devices can be added with a description.
2. Devices can be self-registered, up to an administrator-defined limit.
3. Devices can be blacklisted by the user.

Slide 61: Apple iOS Device Provisioning
Components: CA server, ISE, WLC.
1. Initial connection using PEAP.
2. Device provisioning wizard (the CA server is involved for the device certificate), followed by a Change of Authorization.
3. Future connections using EAP-TLS.

Slide 62: Android Device Provisioning
Components: CA server, ISE, WLC.
1. Initial connection using PEAP.
2. Redirection to the Android Marketplace to install the provisioning utility.
3. Provisioning using the Cisco Wi-Fi Setup Assistant, followed by a Change of Authorization.
4. Future connections using EAP-TLS.

Slide 63: Client Provisioning Policy
Provisioning rules are defined per User, OS and Supplicant.

Slide 64: MDM Integration
Attributes available to ISE policy through the MDM integration: Jailbroken, PIN Locked, Encryption, MDM Registered, together with ISE Registered.
See also session BRKSEC-3035.

Slide 65: Visibility with Prime Infrastructure and ISE Integration
- Both wired and wireless clients in a single list.
- Device identity from the ISE integration.
- Policy information, including the Windows AD domain.
- AAA Override parameters applied to the client.

Slide 66: Agenda
- Introduction
- Wireless Security
- Identity Services
- Which Policy for which Endpoint/User

Slide 67: Managing those guys…
- Corporate PCs
- Other Corporate Machines and Mobile Devices
- Employee Owned Devices
- Guests
- Contractors
- Others

Slide 68: Corporate Machines and Users, Identities
- MAC address
- Certificate
- Login/Password
- Other

Slide 69: Got AD?
If using AD machine GPOs in a Windows environment, you may want to enable 802.1X machine authentication.*
User authentication can be added on top, still through 802.1X, or be delegated to the Windows domain logon.
* Microsoft introduced the concept of machine authentication also for this purpose.

Slide 70: Machine and User Authentication
With the native Windows 802.1X supplicant:
- The same EAP method is used for both machine and user.
- Once logged in to Windows, since the user's identity is available, only user authentication is triggered.
With Cisco AnyConnect NAM:
- Different, separate EAP methods can be used for the machine and the user.
- EAP Chaining supports authenticating both the machine and the user, in the same session, whenever 802.1X is triggered.
How to force a user to authenticate from an already authenticated machine?

Slide 71: Machine Access Restriction (MAR)
- Supplicant agnostic.
- The network access device (NAD) sends the endpoint's MAC in the RADIUS attribute [31] Calling-Station-ID.
- ISE caches the MAC address of the authenticated machine in the MAR cache.
- When the user authenticates from the same device, ISE can tell it's from the previously authenticated machine thanks to the MAR cache.
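The MAR behaviour described on slide 71, as an added example written for this transcript (illustrative code, not ISE code). It shows the two practical gotchas of a MAC-keyed cache: Calling-Station-ID arrives in different formats depending on the NAD and must be normalised before it is used as a key, and entries age out, so a user logging on long after the machine authenticated falls back to user-only access. The aging value, identities and RADIUS requests are constructed.

```python
"""Added example: a Machine Access Restriction (MAR) cache as slide 71 describes it.

Illustrative code, not ISE code. Keyed on RADIUS attribute 31 (Calling-Station-ID);
entries expire after a configurable aging time (the value here is an assumption).
"""
from __future__ import annotations
from dataclasses import dataclass

def normalize_mac(calling_station_id: str) -> str:
    """NADs send 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55; normalise before
    keying the cache or the machine and user lookups will never line up."""
    digits = "".join(c for c in calling_station_id if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"bad Calling-Station-ID: {calling_station_id!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class RadiusRequest:
    user_name: str            # attribute 1; machine accounts are "host/<name>"
    calling_station_id: str   # attribute 31
    timestamp: int            # seconds on a constructed clock

class MarCache:
    def __init__(self, aging_seconds: int):
        self.aging = aging_seconds
        self._entries: dict[str, tuple[str, int]] = {}   # mac -> (machine identity, time authenticated)

    def machine_authenticated(self, req: RadiusRequest) -> None:
        """Record a successful machine (host/...) authentication."""
        self._entries[normalize_mac(req.calling_station_id)] = (req.user_name, req.timestamp)

    def was_machine_authenticated(self, req: RadiusRequest) -> bool:
        """At user login: is this MAC backed by a machine authentication younger than the aging time?"""
        mac = normalize_mac(req.calling_station_id)
        entry = self._entries.get(mac)
        if entry is None:
            return False
        _, when = entry
        if req.timestamp - when > self.aging:
            del self._entries[mac]   # expired, e.g. a laptop that slept past the aging time
            return False
        return True

def authorize(cache: MarCache, req: RadiusRequest) -> str:
    """Toy authorisation: machine accounts populate the cache; a user gets full access only
    from a MAC with a fresh machine authentication, otherwise a reduced result."""
    if req.user_name.startswith("host/"):
        cache.machine_authenticated(req)
        return "machine-access"
    return "full-access" if cache.was_machine_authenticated(req) else "user-only-access"

# Constructed exchange: machine auth at boot, user logon a minute later (same MAC, other format),
# the same user from a personal device that never machine-authenticated, then a stale entry.
cache = MarCache(aging_seconds=8 * 3600)
BOOT  = RadiusRequest("host/LAPTOP-01.corp.example", "00-50-56-aa-bb-cc", timestamp=1000)
LOGON = RadiusRequest("CORP\\alice", "0050.56aa.bbcc", timestamp=1060)
BYOD  = RadiusRequest("CORP\\alice", "d4:f4:6f:00:11:22", timestamp=1100)
LATE  = RadiusRequest("CORP\\alice", "00:50:56:AA:BB:CC", timestamp=1000 + 9 * 3600)

def run_demo() -> list[str]:
    return [authorize(cache, r) for r in (BOOT, LOGON, BYOD, LATE)]

if __name__ == "__main__":
    print(run_demo())
```

Because the only link between the two authentications is the MAC address, anything that presents a cached MAC inherits the machine's state until the entry ages out; that is the limitation EAP Chaining (next slide) removes by carrying both identities in one EAP session.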

Slide 72: EAP Chaining
- Supported with AnyConnect 3.1 and ISE.
- It relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session.
- If no user information is available (logged out), only machine credentials are used.
- If the user's identity is also available, both machine and user information will be used for 802.1X authentication.

Slide 73: Access Enforcement
Changing VLAN between machine and user authentication is supported.*
* Some supplicants (XP SP2/3) do not detect it and do not trigger IP renewal.
While keeping the same VLAN, a different ACL/SGT can be applied to the machine and the user. This is more "client agnostic" as it does not require IP renewal.
(Diagram: Machine VLAN and User VLAN on a 5760 controller.)

Slide 74: Corporate non-Windows Machines
There is no concept of machine authentication as with Windows.
Through ISE we could still link some attributes of the user's identity/account to the machine.

Slide 75: Corporate non-Windows Machines
Assumption: employees authenticate with certificates through corporate non-Windows machines.
Example with Local Policy on WLC 7.5.

Slide 76: Corporate Mobile Devices
- Specific EAP methods and account/certificate attributes.
- Force 802.1X through a device-specific certificate, then WebAuth to verify the user behind it.
- Go for MDM.

Slide 77: Employee Owned Devices
If we have machine authentication in place, or even just certificates for employees authenticating from corporate machines, then it's relatively easy…
What if not?
- Example: no machine authentication, employees authenticating from corporate machines with their login/password and using the same credentials on personal devices.

On the WLC:
    config advanced eap max-login-ignore-identity-response ?
    enable    ignore the same username reaching max in the EAP identity response
    disable   check the same username reaching max in the EAP identity response

Slide 78: Asking the External DB (screenshot only)

Slide 79: Find Something Special on Corporate Devices
"Hey, I got this, we just need to turn on profiling…"
What if the employee owned device has the same OS?

Slide 80: Find Something Special on Corporate Devices
Profile on the DHCP User Class (option 77), which ISE shows as hex bytes:
- dhcp-user-class-id = 43:6f:72:70:50:43 (the ASCII bytes of "CorpPC") matches Profiling Policy = "corp_laptop".
- dhcp-user-class-id = 62:6c:61:62:6c:61 ("blabla") does not.
The class ID is set on the corporate PC with:
    C:\>ipconfig /setclassid "Local Area Connection" CorpPC
http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
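Decoding the two values on slide 80, as an added example written for this transcript (illustrative code, not ISE code). It converts the colon-separated hex that ISE displays back to the string set with `ipconfig /setclassid`, applies the slide's profiling condition, and, by encoding in the other direction, shows that the attribute only proves what the client chose to send: a personal device running the same `ipconfig` command produces identical bytes. The profiling policy table is constructed from the slide.

```python
"""Added example: decode/encode the dhcp-user-class-id values shown on slide 80.

Illustrative code, not ISE code. DHCP option 77 (User Class) is rendered by ISE as
colon-separated hex bytes; Windows sends the class ID set via `ipconfig /setclassid`
as plain ASCII.
"""
from __future__ import annotations

def decode_user_class(hex_bytes: str) -> str:
    """'43:6f:72:70:50:43' -> 'CorpPC'. Non-ASCII payloads are returned as plain hex."""
    parts = [p for p in hex_bytes.strip().split(":") if p]
    try:
        raw = bytes(int(p, 16) for p in parts)
    except ValueError as exc:
        raise ValueError(f"not colon-separated hex: {hex_bytes!r}") from exc
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()

def encode_user_class(text: str) -> str:
    """Inverse: what ISE would display for a given `ipconfig /setclassid` string."""
    return ":".join(f"{b:02x}" for b in text.encode("ascii"))

# Constructed profiling condition mirroring the slide: user class "CorpPC" -> corp_laptop.
PROFILING_POLICY = {"CorpPC": "corp_laptop"}

def profile_from_user_class(hex_bytes: str) -> str:
    """Return the matching profiling policy, or 'unknown' when no condition matches."""
    return PROFILING_POLICY.get(decode_user_class(hex_bytes), "unknown")

if __name__ == "__main__":
    for value in ("43:6f:72:70:50:43", "62:6c:61:62:6c:61"):
        print(value, "->", decode_user_class(value), "->", profile_from_user_class(value))
    # Any user with local admin rights can make a personal laptop send the corporate class ID:
    print('ipconfig /setclassid "Wi-Fi" CorpPC ->', encode_user_class("CorpPC"))
```

The user class is a useful convenience classifier for devices you manage, but it is not an authenticator; use it to select a policy for machines that already authenticated as corporate, not as the proof that they are.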

Slide 81: Empower your Employees
Employees use their domain credentials (DOMAIN\employee) on their personal devices; on the WLC, have the per-username maximum login check use the username in the EAP identity response:
    config advanced eap max-login-ignore-identity-response disable

Slide 82: Empower your Employees (screenshot only)

Slide 83: Empower your Employees
Dedicated guest account groups can be used to authenticate via 802.1X.
External guests won't be able to obtain the same type of credentials.
Example account: [email protected] / U45&%ci3@d

Slide 84: Guests
Lobby ambassador and sponsor capabilities on the WLC, Cisco Prime and ISE.

Slide 85: Guests, Some Options to Manage Them
WLC / Cisco Prime Infrastructure:
- Built-in guest management services through the lobby ambassador user role.
- The guest identity store (local, LDAP, RADIUS) is supported with LWA only.
- Captive portals can be customized.
- Guest users can be assigned to guest profiles for QoS, rate limiting, etc.
ISE:
- Guest management services through a dedicated Sponsor interface.
- The guest identity store (local or external) is supported with LWA and CWA.
- Captive portals can be customized and localized (more in the next slides…).
- Guest users can be assigned to dedicated VLANs, ACLs, QoS profiles, etc.
- Guests can go through additional checks, such as compliance, MDM, etc.

Slide 86: Differentiating Guest Portals
How could we redirect guests from a specific WLAN or a specific location to separate portals?

Slide 87: Differentiating Guest Portals
How could we redirect guests to separate portals based on their location or their WLAN?
Match on RADIUS attribute [30] Called-Station-ID, which identifies the AP (and, depending on the controller's Called-Station-ID format, the SSID) the guest connected through.
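The selection slide 87 points at, as an added example written for this transcript (illustrative code, not ISE policy syntax). It assumes the WLC sends Called-Station-ID as "<AP MAC>:<SSID>" (one of the controller's selectable formats; confirm with the `config radius auth callStationIdType` setting on your controller), maps the AP to a site the way a network device group would, and picks the portal with first-match rules. The AP inventory, SSIDs and portal names are constructed.

```python
"""Added example: choosing a guest portal from RADIUS attribute 30 (Called-Station-ID), slide 87.

Illustrative code, not ISE policy syntax. Assumes the WLC format "<AP MAC>:<SSID>";
the AP inventory and portal names are made up.
"""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class CalledStation:
    ap_mac: str
    ssid: str

def parse_called_station_id(value: str) -> CalledStation:
    """Split 'aa-bb-cc-dd-ee-ff:Guest-WiFi' into MAC and SSID. The SSID may itself contain ':',
    so split only at the colon that follows the 17-character MAC."""
    if len(value) < 18 or value[17] != ":":
        raise ValueError(f"unexpected Called-Station-ID format: {value!r}")
    mac, ssid = value[:17], value[18:]
    digits = mac.replace("-", "").replace(":", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"bad AP MAC in Called-Station-ID: {mac!r}")
    return CalledStation(":".join(digits[i:i + 2] for i in range(0, 12, 2)), ssid)

# Constructed AP inventory: radio MAC -> site (in ISE this would be a Network Device Group).
AP_SITE = {
    "00:1B:2A:10:00:01": "Milan-Lobby",
    "00:1B:2A:10:00:02": "Milan-Lobby",
    "00:1B:2A:20:00:01": "Paris-Office",
}

# Constructed authorization rules, first match wins: (ssid or None, site or None, portal).
PORTAL_RULES = [
    ("Events-WiFi", None, "events_portal"),
    ("Guest-WiFi", "Milan-Lobby", "milan_guest_portal"),
    ("Guest-WiFi", "Paris-Office", "paris_guest_portal"),
    ("Guest-WiFi", None, "default_guest_portal"),
]

def select_portal(called_station_id: str) -> str:
    """Portal a guest on this AP/SSID is redirected to, or 'deny' when no rule matches."""
    cs = parse_called_station_id(called_station_id)
    site = AP_SITE.get(cs.ap_mac)   # unknown AP -> None -> only site-agnostic rules can match
    for ssid, rule_site, portal in PORTAL_RULES:
        if ssid is not None and ssid != cs.ssid:
            continue
        if rule_site is not None and rule_site != site:
            continue
        return portal
    return "deny"

if __name__ == "__main__":
    for csid in ("00-1b-2a-10-00-01:Guest-WiFi", "00-1b-2a-20-00-01:Guest-WiFi",
                 "00-1b-2a-99-00-01:Guest-WiFi", "00-1b-2a-10-00-01:Corp-WiFi"):
        print(csid, "->", select_portal(csid))
```

Unlike the DHCP user class used earlier for corporate devices, Called-Station-ID is set by the access point and controller, not by the client, so it is a sound basis for location-based portal selection; the SSID-only fallback rule keeps guests on an AP missing from the inventory working instead of being dropped.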

Slide 88: Differentiating Guest Portals (authorization rule screenshot)
How could we redirect guests from a specific WLAN or a specific location to separate portals?

Slide 89: Restricting Guests from a Specific Sponsor and Site
Create a sponsor group on ISE restricting guest creation to a specific group.
Assign sponsor users with specific attributes to the sponsor group.

Slide 90: Restricting Guests from a Specific Sponsor and Site
Authorize guests based on their group managed by that same sponsor.

Slide 91: Contractors and "more than guest" Users
Guest groups flagged as "ActivatedGuest" are enabled to authenticate through other (802.1X) methods, not just through the web portal.

Slide 92: Contractors, Additional Checks (screenshot only)

Slide 93: Q&A
What other BYOD needs do you have?

Slide 94: Key Takeaways
- Wireless security (and BYOD) is a phased approach.
- Understand the end user's needs.
- Keep it simple and functional.
- Quite some things may already be available on your network.
- Some other advanced options may require additional services.

Slide 95: Call to Action…
Visit the World of Solutions:
- Cisco Campus
- Walk-in Labs
- Technical Solutions Clinics
- Meet the Engineer
- Lunch Time Table Topics, held in the main Catering Hall
Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014

Slide 96: Complete Your Online Session Evaluation
Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt.
