Wireless LAN Security, Policy and BYOD: d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/brkewn-2020.pdf
TRANSCRIPT
Wireless LAN Security, Policy and BYOD Best Practices BRKEWN-2020
Federico Ziliotto
Systems Engineer CCIE – 23280 (Wireless, R&S)
© 2014 Cisco and/or its affiliates. All rights reserved. BRKEWN-2020 Cisco Public
Session abstract
Learn how to address the growing wave of BYOD (Bring Your Own Device), which has very real security implications and introduces some uniquely mobile challenges on the enterprise wireless network.
We will cover the principles of secured wireless networks (encryption, 802.1X, guest access, etc.).
Next, we will take a look at enabling identity services for mobile devices on the network and at access policies for different populations of endpoints and users.
Prerequisite knowledge of 802.11 fundamentals is recommended.
For Your Reference
There are slides in your PDF that will not be presented, or will only be presented quickly.
They are usually valuable, but included only “For Your Reference”.
Agenda
Introduction
Wireless Security
Identity Services
Which Policy for which Endpoint/User
Wireless Bring Your Own Device (BYOD)
Drivers
Majority of new network devices have no wired port
Users will change devices more frequently than in the past
Mobile devices have become an extension of our work
Guest / Contractor access and accountability has become a strong business need
Examples
Guests and contractors must be isolated and accounted for.
Users will have 1 wired and 2+ wireless devices moving forward
The wireless network must be secure and as predictable as the wired network
Spectrum of BYOD Strategies: Different Deployment Requirements for Different Environments
Controller only BYOD (Cisco WLAN Controller)
– Wireless only.
– Basic profiling and policy on the WLC.
Controller + ISE-Wireless BYOD (Cisco WLAN Controller + ISE)
– Wireless only.
– AAA + Advanced Profiling + Device Posture + Client On-board + Guest + Mobile Device Management (MDM).
Extended BYOD (Cisco WLAN Controller + ISE + Cisco Catalyst Switch + ASA Firewall)
– Wired + Wireless + Remote Access.
– AAA + Advanced Profiling + Device Posture + Client On-board + Guest + MDM.
Contextual Policy for BYOD Deployments: Control and Enforcement
(Diagram: HQ site with Access Point, Wireless LAN Controller (VLAN 10 / VLAN 20) and ISE for Unified Access Management; ISE performs identity profiling from DHCP, RADIUS, SNMP, NETFLOW, HTTP and DNS data.)
– 802.1X EAP machine/user authentication.
– Profiling to identify the device.
– Posture of the device.
– Policy decision: personal asset or company asset.
– Enforcement: dACL, VLAN, SGA.
– Full or partial access granted: corporate resources or Internet only.
Cisco wireless can support multiple users and device types on a single SSID.
Device Policy Steps with Cisco ISE
Phase 1: Authentication (EAP between the client supplicant, the WLC and ISE).
Phase 2: Device Identification and Policy Assignment (ISE uses MAC, DHCP, DNS and HTTP attributes). Allowed device? If not, Internet-only access.
Phase 3: Posture assessment (ISE and the client supplicant).
Phase 4: Device Policy Enforcement on the WLC; for an allowed device, for example:
• Silver QoS
• Allow-All ACL
• Employee VLAN
Agenda
Introduction
Wireless Security
Identity Services
Which Policy for which Endpoint/User
Wireless connection workflow
Endpoint, Access Point (AP) and Wireless LAN Controller (WLC): the AP and the WLC are connected through a CAPWAP tunnel (control messages and data encapsulation, UDP 5246 and UDP 5247).
802.11 exchange between the endpoint and the AP:
– Probe Request (forwarded to the WLC) / Probe Response
– Authentication Request (not for 802.1X, but in case of PSK) / Authentication Response
– (Re)Association Request / (Re)Association Response
Then: Do we need 802.1X? In case of PSK or 802.1X we can encrypt. Do we need other identity services?
See BRKEWN-2018.
Secure or open SSID?
A secure SSID cannot fall back to open.
– Example: users not supporting 802.1X cannot fall back to web portal authentication on the same SSID as corporate users.
Pre-shared keys (PSK) and keys derived from 802.1X cannot co-exist on a secure SSID.
On both types of SSIDs you can combine multiple identity services if needed.
– Examples: guest users going through posture assessment, employees going through MDM, employees going through web portal after device authentication, etc.
Secure SSID and key management
Pairwise Master Key (PMK) derived from the Pre-Shared Key (PSK).
PMK derived from 802.1X.
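To make the two PMK sources concrete, here is an added Python example that is not part of the slides: the PSK branch is the PBKDF2 derivation defined in IEEE 802.11i (passphrase and SSID in, 256-bit PMK out), while the 802.1X branch takes the first 256 bits of the EAP Master Session Key that the RADIUS server hands to the WLC after a successful EAP exchange. The random bytes standing in for per-session MSKs are constructed; no EAP method is actually run here.

```python
import hashlib
import os


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal (IEEE 802.11i): PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    The PMK is the PSK itself, so every station configured with this passphrase gets the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def pmk_from_msk(msk: bytes) -> bytes:
    """802.1X: the EAP method (e.g. PEAP, EAP-TLS) produces a Master Session Key on both the
    supplicant and the RADIUS server; the PMK is the first 256 bits of that MSK."""
    if len(msk) < 32:
        raise ValueError("MSK shorter than 32 bytes")
    return msk[:32]


def stations_share_pmk(passphrase: str, ssid: str, n: int = 3) -> bool:
    """n stations on the same PSK SSID: one identical PMK, hence no key management needed."""
    pmks = {pmk_from_psk(passphrase, ssid) for _ in range(n)}
    return len(pmks) == 1


def sessions_share_pmk(n: int = 3) -> bool:
    """Constructed stand-in for n separate 802.1X sessions: each EAP run yields a fresh MSK,
    so each session has its own PMK (which is what PKC/OKC, CCKM, SKC and 802.11r cache)."""
    pmks = {pmk_from_msk(os.urandom(64)) for _ in range(n)}
    return len(pmks) == 1


if __name__ == "__main__":
    print(pmk_from_psk("password", "IEEE").hex())
    print("PSK stations share PMK:", stations_share_pmk("password", "IEEE"))
    print("802.1X sessions share PMK:", sessions_share_pmk())
```

The passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11i test vector, so the first line of output can be checked against the standard.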
Is roaming a requirement?
It depends on how critical your SSID is.
For a secure SSID, dynamic encryption keys could be re-used, so that the client does not need to go through a new authentication (otherwise L2 connectivity will be lost).
IP connectivity should not be disrupted.
Secure SSID – key management principles
Mobility Group: up to 24 WLCs in the same Mobility Group.
With PSK there is no need for key management: keys are already statically defined.
Pro-active/Opportunistic Key Caching (PKC/OKC)
– Enabled with WPA2.
– Available since Windows XP SP2.
– Available on Samsung Galaxy S4 (Android 4.2.2).
Cisco Centralized Key Management (CCKM)
– Mostly used with 7921/7925/7926 phones.
– Available on Samsung Galaxy S4 (Android 4.2.2).
Sticky Key Caching (SKC)
– Available since iOS 5.0.
802.11r
– Available since iOS 6.0.
Maintaining IP connectivity while roaming
Mobility Domain: up to 72 WLCs in the same Mobility Domain.
Intra Controller Mobility
– L2/same subnet: the point of presence (PoP) stays the same (or moves in case of the same FlexConnect group).
– L3/different subnet: the controller takes care of keeping the same PoP.
Inter Controller Mobility
– L2/same subnet: the client database entry is moved to the new controller, the PoP moves to the new controller.
– L3/different subnet: the client database entry is copied to the new controller (foreign), the PoP stays on the old controller (anchor).
Choosing the access control method
802.1X
MAC Authentication Bypass (MAB)
Web Authentication
What to do next? (posture assessment, MDM, etc.)
IEEE 802.1X
Roles: the Supplicant talks EAP over LAN (EAPoL) to the Authenticator over a Layer 2 point-to-point link; the Authenticator talks RADIUS to the Auth Server over a Layer 3 link.
Beginning:
– Supplicant → Authenticator: EAPoL Start
– Authenticator → Supplicant: EAPoL Request Identity
– Supplicant → Authenticator: EAP-Response Identity: Alice; Authenticator → Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle (multiple Challenge-Request exchanges possible):
– Auth Server → Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]; Authenticator → Supplicant: EAP-Request: PEAP
– Supplicant → Authenticator: EAP-Response: PEAP; Authenticator → Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
End:
– Auth Server → Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]; Authenticator → Supplicant: EAP Success
• 802.1X (EAPoL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms.
• When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or PEAP, which defines how the authentication takes place.
EAP Authentication Types: Different Authentication Options Leveraging Different Credentials
Tunneling-based: EAP-PEAP, EAP-FAST, with inner methods EAP-GTC, EAP-TLS, EAP-MSCHAPv2.
Certificate-based: EAP-TLS.
Tunnel-based – Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. This provides security for the inner method, which may be vulnerable by itself.
Certificate-based – For more security, EAP-TLS provides mutual authentication of both the server and the client.
The RADIUS Protocol
RADIUS is initiated by the network device (the RADIUS client) towards the server, never the other way round: once a session is authorized there is no way for ISE to change that authorization.
With Change of Authorization (CoA), network devices now listen to CoA requests from ISE. CoA can:
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
“Now I can control ports when I want to!”
IEEE 802.1X with Change of Authorization (CoA)
Roles as before: Supplicant – EAP over LAN (EAPoL), Layer 2 point-to-point – Authenticator – RADIUS, Layer 3 link – Auth Server.
Change of Authorization:
– Auth Server → Authenticator: RADIUS CoA-Request [VSA: subscriber: reauthenticate]
– Authenticator → Auth Server: RADIUS CoA-Ack
Re-Authentication:
– Authenticator → Supplicant: EAPoL Request Identity
– Supplicant → Authenticator: EAP-Response Identity: Alice; Authenticator → Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
– Auth Server → Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]; Authenticator → Supplicant: EAP-Request: PEAP
– Supplicant → Authenticator: EAP-Response: PEAP; Authenticator → Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
– Multiple Challenge-Request exchanges possible.
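As an added illustration of the RADIUS messages on the last three slides (this is not code from the session or from Cisco): a minimal RADIUS packet encoder/decoder in Python that builds a MAB-style Access-Request carrying [30] Called-Station-ID and [31] Calling-Station-ID, answers it with an Access-Accept that carries an AAA-override VLAN in IETF attributes 64/65/81 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), and then builds and verifies a server-initiated CoA-Request the way a NAD must before honouring it. The packet codes, attribute numbers and authenticator formulas follow RFC 2865, RFC 2868 and RFC 5176; the shared secret, the MAC addresses, the SSID, the VLAN id and the "ap-mac:ssid" Called-Station-ID format are constructed values for this example, and the Cisco VSA the slide shows inside the CoA is not encoded.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865; RFC 5176 for CoA)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# IETF attribute numbers referenced on the slides
USER_NAME = 1
CALLED_STATION_ID = 30          # [30]: AP MAC and SSID the client joined
CALLING_STATION_ID = 31         # [31]: the endpoint's MAC address
TUNNEL_TYPE = 64                # IETF 64: value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65         # IETF 65: value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81    # IETF 81: VLAN id as a string


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs: type(1) length(1) value."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must fit in one TLV")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length TLVs instead of looping."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, bytes(data[i + 2:i + length])))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match the datagram")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def build_response(code, request_pkt, attrs, secret):
    """Accept/Reject/Challenge: authenticator = MD5(Code+Id+Len+RequestAuth+Attrs+Secret)."""
    tmp = build_packet(code, request_pkt[1], request_pkt[4:20], attrs)
    return tmp[:4] + hashlib.md5(tmp + secret).digest() + tmp[20:]


def verify_response(resp_pkt, request_pkt, secret):
    """What the NAD checks before trusting the VLAN/ACL an Access-Accept carries."""
    expected = hashlib.md5(resp_pkt[:4] + request_pkt[4:20] + resp_pkt[20:] + secret).digest()
    return hmac.compare_digest(resp_pkt[4:20], expected)


def build_coa_request(ident, attrs, secret):
    """CoA-Request (server -> NAD): authenticator = MD5(Code+Id+Len+16 zero octets+Attrs+Secret)."""
    tmp = build_packet(COA_REQUEST, ident, bytes(16), attrs)
    return tmp[:4] + hashlib.md5(tmp + secret).digest() + tmp[20:]


def verify_coa_request(pkt, secret):
    """The WLC must verify an unsolicited CoA under the shared secret before acting on it."""
    code, _ident, auth, _attrs = parse_packet(pkt)
    if code != COA_REQUEST:
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(auth, expected)


def vlan_attrs(vlan_id):
    """AAA-override VLAN as on the FlexConnect slide; IETF 64/65 carry a tag octet plus a 3-byte value."""
    return [
        (TUNNEL_TYPE, b"\x00" + struct.pack("!I", 13)[1:]),
        (TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", 6)[1:]),
        (TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()),
    ]


def demo():
    """Constructed MAB exchange followed by a CoA; all values here are made up for the example."""
    secret = b"constructed-shared-secret"
    endpoint_mac = b"00-0a-95-7f-de-06"          # the slide's MAC in hyphenated RADIUS form
    called = b"00-11-22-33-44-55:corp-byod"       # constructed "ap-mac:ssid" Called-Station-ID
    request = build_packet(ACCESS_REQUEST, 7, os.urandom(16), [
        (USER_NAME, endpoint_mac),                # MAB: the MAC address is the identity
        (CALLING_STATION_ID, endpoint_mac),
        (CALLED_STATION_ID, called),
    ])
    accept = build_response(ACCESS_ACCEPT, request, vlan_attrs(502), secret)
    coa = build_coa_request(9, [(CALLING_STATION_ID, endpoint_mac)], secret)
    return request, accept, coa, secret
```

The Access-Accept's authenticator binds the reply to the request it answers; the CoA-Request has no request to bind to, which is why RFC 5176 hashes over 16 zero octets instead, and why the WLC only honours a CoA from a server it already shares a secret with.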
MAC Authentication Bypass (MAB): non-802.1X capable devices and no “user intelligence” behind
– Endpoint 00.0a.95.7f.de.06 → Authenticator: any packet
– Authenticator → RADIUS Server: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
– RADIUS Server → Authenticator: RADIUS Access-Accept
– Network access granted
Mind the access level on the MAB VLAN.
Local Web Authentication (LWA)
Components: AP-WLC, DHCP/DNS, ISE Server. Optional before web authentication: MAB, 802.1X.
1. SSID with WebAuth (MAB and/or 802.1X optional).
2. Pre-webauth ACL.
3. Host acquires IP address, triggers session state.
4. Host opens browser, gets the login page and sends the password.
5. WLC queries the AAA server; the AAA server returns the policy (server authorizes user).
6. WLC applies the new WebAuth policy (L3).
LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC.
LWA – Configuration example (For Your Reference)
Central Web Authentication (CWA)
Components: AP-WLC, DHCP/DNS, ISE Server.
– Open SSID with MAC Filtering enabled.
– First authentication session (MAB): AuthC success; AuthZ for unknown MAC returned: redirect/filter ACL, portal URL.
– Host acquires IP address, triggers session state.
– Host opens browser; the WLC redirects the browser to the ISE web page (login page); host sends username/password.
– Web Auth success results in CoA (server authorizes user).
– MAB re-auth, MAB success.
– Session lookup, policy matched: authorization ACL/VLAN returned.
CENTRAL because the redirection URL and the pre-webauth ACL are centrally configured on ISE and communicated to the WLC via RADIUS.
CWA – Configuration example (For Your Reference)
Other URL-Redirect scenarios (posture, MDM, etc.)
Components: AP-WLC, DHCP/DNS, ISE Server.
– SSID configured for 802.1X / MAB.
– First authentication session: AuthC success; AuthZ returned: redirect/filter ACL, URL for posture/MDM/etc.
– Host acquires IP address, triggers session state.
– Host opens browser; the WLC redirects the browser to ISE for other services: posture check, MDM check, client provisioning, etc.
– RADIUS CoA (server authorizes user).
– 802.1X/MAB re-auth, 802.1X/MAB success.
– Session lookup, policy matched: authorization ACL/VLAN returned.
CWA is a URL-Redirect scenario.
Thanks to RADIUS CoA we can apply other identity services after 802.1X, MAB or WebAuth.
Agenda
Introduction
Wireless Security
Identity Services
Which Policy for which Endpoint/User
Required Network Components and Versions: Cisco Wireless LAN Controller and Identity Services Engine (For Your Reference)
Cisco Wireless LAN Controller
– Version 7.0.116 or greater (440x, WiSM1, Flex 7500, 2106 or later)
  o Centrally switched 802.1X WLANs only supported for RADIUS CoA with posture.
– Version 7.2.110.0 or greater (5508, WiSM2, Flex 7500, 8500, 2504 or later)
  o Both 802.1X and Open WLANs supported for RADIUS CoA with all URL-Redirect scenarios.
  o Central and local switching supported for all URL-Redirect scenarios.
– Version 7.3 or greater (5508, WiSM2, Flex 7500, 8500, 2504 or later)
  o Central switching: device profiling attributes for DHCP and HTTP collected by the WLC.
– Version 7.5 or greater (5508, WiSM2, Flex 7500, 8500, 2504 or later)
  o Central switching supported for native Profiling and Policy enforcement on the WLC.
Cisco Identity Services Engine
– Version 1.1.1 or greater.
– Base License for 802.1X and Web Authentication.
– Advanced License for Profiling, Posture, MDM, Client Provisioning, SGT.
– Wireless License for all features, just on wireless network access devices.
Cisco Identity Services Engine (ISE)
(Diagram: ACS, NAC Profiler, NAC Guest Server, NAC Manager and NAC Server shown alongside the Identity Services Engine.)
• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Client Provisioning
• MDM
• Monitoring, Troubleshooting, Reporting
See BRKSEC-2044 and BRKSEC-3698.
Authentication and Authorization: What are they?
Authentication (802.1X / MAB / WebAuth) tells what/who the endpoint/user is.
Authorization tells what the endpoint/user can access.
ISE Policy Rules
1. Authentication Rules
• Define what identity stores to reference.
• Example – Active Directory, CA Server, Internal DB, etc.
2. Authorization Rules
• Define what users and devices get access to resources.
• Example – All Employees with Windows laptops have full access.
Policy Sets on ISE
Authentication Rules
If this/these condition(s) is/are matched, then allow this list of authentication protocols, and optionally check further (sub)rule(s), or just use the default rule, to pick the database for verifying the endpoint/user’s identity.
Factors in Choosing an EAP Method: The Most Common EAP Types are PEAP and EAP-TLS
Factors: EAP type(s) deployed, client support, security vs. complexity, authentication server support.
Most clients such as Windows, Mac OS X and Apple iOS devices support EAP-TLS and PEAP (MS-CHAPv2).
‒ Additional supplicants can add more EAP types (Cisco AnyConnect).
Certain EAP types (TLS) can be more difficult to deploy than others depending on the device type.
Cisco ISE Supplicant Provisioning can aid in the deployment.
ISE’s Identity Stores
Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP, RSA SecurID and RADIUS Token.
ISE’s local database can also be used, and ERS APIs are supported for remote management.
(Diagram: machine / user / MAC authentication over EAPoL presenting a user/password such as user1 / C#2!ç@_E(, a certificate or a RADIUS token, verified against the backend database(s): Active Directory, generic LDAP or PKI, RSA SecurID, local DB.)
Authorization rules
Each rule has a Rule Name, Condition(s) and Result(s).
Authorization Conditions
An AuthZ condition can be built from:
– External Identity Groups
– Directory Attributes
– Profiled Groups
– Posture State
– RADIUS & Session Attributes
Authorization Results – Permissions
Pre-canned attributes and user defined.
Converged Access – Downloadable ACL Support
Download: http://www.miercom.com/2013/05/cisco-wlc-5760/
Cisco Wireless LAN Controller ACLs: Layer 3-4 Filtering at Line-rate
ACLs provide L3-L4 policy and can be applied per interface or per user, inbound or outbound (wireless side / wired LAN side).
Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs.
Up to 64 rules can be configured per ACL.
Implicit Deny All at the end.
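Added example, not Cisco's implementation: a small Python model of a WLC ACL with the two properties the slide states, first-match evaluation with an implicit deny at the end and a 64-rule ceiling, evaluated over a constructed "Internet only" guest ACL of the kind a MAB or guest VLAN would get. The addresses, the resolver IP and the direction semantics (inbound = from the wireless client towards the wired LAN) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_RULES_PER_ACL = 64   # limit stated on the slide


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    direction: str            # "inbound" (from the wireless client), "outbound" (to it) or "any"
    protocol: str             # "any", "tcp", "udp", "icmp"
    source: str               # CIDR
    destination: str          # CIDR
    dst_port: Optional[int]   # None = any port


class WlcAcl:
    """Ordered L3/L4 rule list as on the WLC: first match wins, implicit deny at the end."""

    def __init__(self, name, rules):
        if len(rules) > MAX_RULES_PER_ACL:
            raise ValueError(f"{name}: a WLC ACL holds at most {MAX_RULES_PER_ACL} rules")
        for rule in rules:
            if rule.action not in ("permit", "deny"):
                raise ValueError(f"{name}: bad action {rule.action!r}")
        self.name = name
        # Pre-parse the prefixes once; evaluation then only does membership tests.
        self.rules = [(r, ipaddress.ip_network(r.source), ipaddress.ip_network(r.destination))
                      for r in rules]

    def evaluate(self, direction, protocol, src_ip, dst_ip, dst_port=None):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for rule, src_net, dst_net in self.rules:
            if rule.direction not in ("any", direction):
                continue
            if rule.protocol not in ("any", protocol):
                continue
            if src not in src_net or dst not in dst_net:
                continue
            if rule.dst_port is not None and rule.dst_port != dst_port:
                continue
            return rule.action          # first matching rule decides
        return "deny"                   # implicit deny all at the end


# Constructed guest ACL: DNS to the corporate resolver only, no other internal reachability, Internet allowed.
GUEST_ACL = WlcAcl("GUEST-INTERNET-ONLY", [
    Rule("permit", "inbound", "udp", "0.0.0.0/0", "10.0.0.53/32", 53),     # queries to the resolver
    Rule("permit", "outbound", "udp", "10.0.0.53/32", "0.0.0.0/0", None),  # and its replies
    Rule("deny", "any", "any", "0.0.0.0/0", "10.0.0.0/8", None),           # nothing else internal
    Rule("deny", "any", "any", "10.0.0.0/8", "0.0.0.0/0", None),
    Rule("permit", "any", "any", "0.0.0.0/0", "0.0.0.0/0", None),          # the Internet
])


if __name__ == "__main__":
    for flow in [("inbound", "udp", "192.168.50.20", "10.0.0.53", 53),
                 ("inbound", "tcp", "192.168.50.20", "10.1.2.3", 443),
                 ("inbound", "tcp", "192.168.50.20", "93.184.216.34", 443)]:
        print(flow, "->", GUEST_ACL.evaluate(*flow))
```

Because the resolver rules sit above the 10.0.0.0/8 deny, a guest can reach DNS but nothing else internal; swapping rules 1 and 3 would silently break DNS, which is the usual way ordered ACLs go wrong.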
FlexConnect and AAA Override: Setting the VLAN for Locally Switched Clients
(Diagram: the FlexConnect AP at the remote site reaches ISE across the WAN; ISE returns the VLAN in the RADIUS attributes IETF 64, IETF 65 and IETF 81.)
Trunk configuration on the switch port facing the FlexConnect AP:
interface GigabitEthernet0/37
 description AP_3702
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,502-504
 switchport mode trunk
Create the sub-interface on the FlexConnect AP and (optionally) set the ACL on the VLAN.
Cisco Wireless User-Based QoS Capabilities: Allowing Per-User and Per-Device Limiting of the Maximum QoS Level
(Diagram: Call Manager, Access Point and WLC; WMM queues Voice, Video, Best Effort and Background; QoS tagged packets; Employee – Platinum QoS, Contractor – Silver QoS.)
For the Employee user, the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the WMM Voice Queue.
For the Contractor user, the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort Queue.
Security Group Access (SGA): Converged Access (CA) architecture
(Diagram: users and endpoints on VLAN 100 authenticate to a 3850 / 5760 through 802.1X, MAB or WebAuth (agent-less devices); Active Directory and ISE behind; the IT Portal (SGT 4) is 10.1.100.10; SGT enforcement on the switch.)
IP-to-SGT bindings:
IP Address    SGT
10.1.10.102   5
10.1.100.10   4
10.1.99.100   12
A client with SGT=5 hits the SGACL: deny sgt-src 5 sgt-dst 4
SGT = Security Group Tag
SXP = SGT eXchange Protocol
SGACL = SGT ACL
See BRKEWN-2022 and BRKSEC-2203.
Security Group Access (SGA): Cisco Unified Wireless Network (CUWN) architecture
(Diagram: users and endpoints on VLAN 100 authenticate to a 2504 / 5508 through 802.1X, MAB or WebAuth (agent-less devices); Active Directory and ISE behind; the IT Portal (SGT 4) is 10.1.100.10; frames are untagged between the WLC and the Catalyst 3750-X and tagged in the campus network towards the Cat 6500 distribution; SGT enforcement on the switches.)
The WLC sends the IP-to-SGT binding table via SXP to SGT tagging or SGACL capable devices (e.g. Catalyst 3750-X): the WLC is the SXP speaker, the switch the SXP listener.
IP Address    SGT
10.1.10.102   5
10.1.10.110   14
10.1.99.100   12
A client with SGT=5 hits the SGACL: deny sgt-src 5 sgt-dst 4
SGT = Security Group Tag
SXP = SGT eXchange Protocol
SGACL = SGT ACL
See BRKSEC-2203 and BRKSEC-3690.
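Added example covering both SGA slides (this is not Cisco code): a Python model of SGT enforcement that keeps the IP-to-SGT binding table shown on the slides, parses the SGACL "deny sgt-src 5 sgt-dst 4" and decides per flow from the tags rather than from addresses or VLANs. The default action for tag pairs without a matching SGACL (permit) and the use of SGT 0 for addresses without a binding are constructed choices for the example, not a statement about ISE or switch defaults.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Sgacl:
    action: str    # "permit" or "deny"
    sgt_src: int
    sgt_dst: int


def parse_sgacl(line):
    """Parse the slide's SGACL syntax, e.g. 'deny sgt-src 5 sgt-dst 4'."""
    parts = line.split()
    if (len(parts) != 5 or parts[0] not in ("permit", "deny")
            or parts[1] != "sgt-src" or parts[3] != "sgt-dst"):
        raise ValueError(f"unrecognised SGACL: {line!r}")
    return Sgacl(parts[0], int(parts[2]), int(parts[4]))


class SgtEnforcer:
    """IP-to-SGT bindings (learned from ISE or received over SXP) plus an ordered SGACL list."""

    UNKNOWN_SGT = 0   # constructed: addresses without a binding get tag 0

    def __init__(self, bindings, sgacls, default_action="permit"):
        self.bindings = {ipaddress.ip_address(ip): sgt for ip, sgt in bindings.items()}
        self.sgacls = list(sgacls)
        self.default_action = default_action

    def learn(self, ip, sgt):
        """What an SXP listener does with a new binding from the WLC (speaker)."""
        self.bindings[ipaddress.ip_address(ip)] = sgt

    def sgt_of(self, ip):
        return self.bindings.get(ipaddress.ip_address(ip), self.UNKNOWN_SGT)

    def decide(self, src_ip, dst_ip):
        """Tag lookup on both ends, then the first SGACL matching the (src, dst) tag pair."""
        src_sgt, dst_sgt = self.sgt_of(src_ip), self.sgt_of(dst_ip)
        for rule in self.sgacls:
            if rule.sgt_src == src_sgt and rule.sgt_dst == dst_sgt:
                return rule.action
        return self.default_action


# Binding table as shown on the slides; IT Portal = SGT 4 at 10.1.100.10
BINDINGS = {"10.1.10.102": 5, "10.1.10.110": 14, "10.1.100.10": 4, "10.1.99.100": 12}
ENFORCER = SgtEnforcer(BINDINGS, [parse_sgacl("deny sgt-src 5 sgt-dst 4")])


if __name__ == "__main__":
    for src in ("10.1.10.102", "10.1.10.110"):
        print(src, "-> IT Portal:", ENFORCER.decide(src, "10.1.100.10"))
```

The useful property to notice is that the policy does not mention addresses at all: if the SGT 5 client roams and picks up a new IP, only the binding changes, and the same SGACL keeps it away from the IT portal.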
ISE Profiling
Example for an Apple iPad:
– Is the MAC address from Apple?
– Does the DHCP hostname contain “iPad”?
– Is the HTTP user-agent from an iPad?
ISE Profiling: Example of built-in policies
Built-in policy groups include Smart Phones, Gaming Consoles and Workstations.
1. Multiple rules to establish the certainty level.
2. Minimum certainty for a match.
Client attributes and traffic for Profiling: How RADIUS, HTTP, DNS and DHCP (and other traffic) are used to classify clients
The ISE uses multiple attributes to build a complete picture of the end client’s device profile.
Information is collected from sensors which capture different attributes:
– The MAC address is checked against the known vendor OUI database.
– DHCP/HTTP sensor: the client’s DHCP/HTTP attributes are captured by the AP and provided in RADIUS Accounting messages by the WLC.
– DNS server: a lookup of the DNS entry for the client’s IP address reveals the hostname.
– HTTP UserAgent: mobile devices are quite chatty for web applications, or they can also be redirected to one of ISE’s portals.
– The ISE can even kick off an NMAP scan of the host IP to determine more details.
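An added Python illustration of the certainty mechanism from the ISE profiling slides (not ISE's implementation): each profile holds rules for the OUI, DHCP hostname and HTTP user-agent checks shown for the iPad example, each rule adds certainty when it matches, and a profile only matches once it reaches its minimum certainty, so a single weak attribute such as a hostname is not enough on its own. The OUI table (mapping the slide's sample MAC prefix to Apple), the weights, the thresholds and the endpoints are constructed; ISE's real profiles and weights are not reproduced.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    mac: str
    dhcp_hostname: Optional[str] = None     # from the DHCP sensor (RADIUS accounting)
    http_user_agent: Optional[str] = None   # from the HTTP sensor or an ISE portal hit


# Constructed vendor OUI table: first three octets of the MAC, lower case.
OUI_VENDOR = {"00:0a:95": "Apple"}


def normalize_mac(mac):
    """Accept 00:0A:95:7F:DE:06, 00-0a-95-7f-de-06 or 000a.957f.de06 and return one canonical form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui_is(endpoint, vendor):
    return OUI_VENDOR.get(normalize_mac(endpoint.mac)[:8]) == vendor


def hostname_contains(endpoint, needle):
    return bool(endpoint.dhcp_hostname) and needle.lower() in endpoint.dhcp_hostname.lower()


def user_agent_contains(endpoint, needle):
    return bool(endpoint.http_user_agent) and needle.lower() in endpoint.http_user_agent.lower()


# Each profile: name, minimum certainty to match, and (check, argument, certainty gained) rules.
# Weights and thresholds are constructed for this example.
PROFILES = [
    ("Apple-Device", 10, [(oui_is, "Apple", 10)]),
    ("Apple-iPad", 30, [(oui_is, "Apple", 10),
                        (hostname_contains, "iPad", 20),
                        (user_agent_contains, "iPad", 30)]),
]


def certainty(endpoint, rules):
    """Certainty is additive over the rules that match."""
    return sum(weight for check, arg, weight in rules if check(endpoint, arg))


def profile(endpoint):
    """Return (profile name, certainty) of the best match, or ('Unknown', 0) if no profile reaches its minimum."""
    best = ("Unknown", 0)
    for name, minimum, rules in PROFILES:
        score = certainty(endpoint, rules)
        if score >= minimum and score > best[1]:
            best = (name, score)
    return best


if __name__ == "__main__":
    full = Endpoint("00:0A:95:7F:DE:06", "Alices-iPad", "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X)")
    print(profile(full), profile(Endpoint("000a.957f.de06")), profile(Endpoint("00:11:22:33:44:55", "my-ipad")))
```

Note that the endpoint that only shows an Apple OUI lands in the broader Apple-Device profile, and the one whose only clue is a hostname stays Unknown: an authorization rule keyed on Profiled Groups therefore needs the more specific profile to have accumulated enough evidence, which is what the minimum certainty enforces.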
Local Client Profiling and Local Policy since WLC 7.5
Cisco WLC configuration:
– Enable DHCP and HTTP Local Client Profiling on the WLAN.
– 88 pre-defined client profiles (device type).
– Local Policy based on device type.
Assigning WLC Local Policy based on Role
The RADIUS server returns a role to the controller (e.g. role=Employee or role=Contractor) and the WLC applies the local policy for that role.
Other Local Policy Options
– Wireless client authentication EAP type: LEAP, EAP-FAST, EAP-TLS, PEAP.
– Time of day: active hours for the policy (time based policy).
Local Policy Actions
Enforced policy: ACL, VLAN, QoS, Session Timeout.
Applying Local Policies to WLANs and AP Groups
Native Profiling per WLAN or per AP Group.
Restriction: first matched rule applies.
Maximum 16 policies can be created per WLAN / AP Group and 64 globally.
Differentiating Guest Access via User Groups
Multiple groups can be created in ISE. Each group can contain:
– Guest DB users (created by Sponsor and Self-service)
– Internal DB users (created by Administrators)
– External groups mapped in ISE (external database, mapping example for AD)
Those groups can be used in different authorization rules to differentiate network access.
ISE – Sponsor Portal
Customizable sponsor pages
Sponsor privileges tied to defined sponsor policy
• Roles sponsor can create
• Time profiles can be assigned
• Management of other guest accounts
• Single or bulk account creation
ISE – Guest Self-Service
Client Provisioning: Simplifying device management
Reduced burden on IT staff
– Device on-boarding
– Self registration
– Supplicant provisioning
– Certificate provisioning
Self service model
– My Devices Portal for registration
– Guest Sponsor Portal
– Device black listing
– User-initiated control of their devices (black-listing, re-instating a device, etc.)
Support for:
– iOS (6.0+)
– Mac OS X (10.6+)
– Android (2.2+)
– Windows (XP+)
“My Devices” Portal: Self-Registration and Self-Blacklisting of BYOD Devices
1. New devices can be added with a description.
2. Devices can be self-registered, up to an administrator defined limit.
3. Devices can be blacklisted by the user.
Apple iOS Device Provisioning
(Diagram: CA-Server, ISE, WLC.)
1. Initial connection using PEAP.
2. Device Provisioning Wizard, followed by Change of Authorization.
3. Future connections using EAP-TLS.
Android Device Provisioning
(Diagram: CA-Server, ISE, WLC.)
1. Initial connection using PEAP.
2. Redirection to the Android Marketplace to install the provisioning utility.
3. Provisioning using the Cisco Wi-Fi Setup Assistant, followed by Change of Authorization.
4. Future connections using EAP-TLS.
Client Provisioning Policy
Rules are shown per User, OS and Supplicant.
MDM Integration
Device attributes shown: ISE registered, MDM registered, PIN locked, encryption, jail broken.
See BRKSEC-3035.
Visibility with Prime Infrastructure and ISE Integration
65
Device Identity from
ISE Integration
Policy Information
Including Windows
AD Domain
AAA Override
Parameters Applied
to Client
Both Wired +
Wireless Clients in a
Single List
2
3
1
© 2014 Cisco and/or its affiliates. All rights reserved. BRKEWN-2020 Cisco Public
Agenda
Introduction
Wireless Security
Identity Services
Which Policy for which Endpoint/User
Managing those guys…
Corporate PCs
Other Corporate Machines and Mobile Devices
Employee Owned Devices
Guests
Contractors
Others
Corporate Machines and Users – Identities
– MAC address
– Certificate
– Login/Password
– Other
Got AD?
If using AD machine GPOs on a Windows environment, you may want to enable 802.1X machine authentication.*
User authentication can be added on top, still through 802.1X, or be delegated to Windows logon (even if not outside the company domain).
* Microsoft introduced the concept of machine authentication also for this purpose.
Machine and User Authentication
With the native Windows 802.1X supplicant:
The same EAP method is used for both machine and user.
Once logged in to Windows, since the user’s identity is available, only user authentication is triggered.
With Cisco AnyConnect NAM:
Different, separate EAP methods can be used for the machine and the user.
EAP Chaining supports authenticating both the machine and the user, in the same session, whenever 802.1X is triggered.
How to force a user to authenticate from an already authenticated machine?
Machine Access Restriction (MAR)
• Supplicant agnostic.
• The network access device (NAD) sends the endpoint’s MAC in the RADIUS attribute [31] Calling-Station-ID.
• ISE caches the MAC address of the authenticated machine in the MAR cache.
• When the user authenticates from the same device, ISE can tell it’s from the previously authenticated machine thanks to the MAR cache.
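To show what the MAR cache does with [31] Calling-Station-ID, here is an added Python model (not ISE's code): a successful machine authentication records the endpoint MAC, a later user authentication arriving from the same MAC within the aging window is treated as coming from a corporate machine, and anything else gets a restricted result even with valid user credentials. The five-hour aging time, the outcome labels and the MAC formats are constructed for the example; the MAC normalisation reflects that different NADs format Calling-Station-ID differently (hyphens, colons or dotted quads).

```python
import time


def canonical_mac(mac):
    """Calling-Station-ID arrives in NAD-specific formats; key the cache on bare lower-case hex."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad Calling-Station-ID {mac!r}")
    return hexdigits


class MarCache:
    """Machines that passed machine authentication, keyed by the MAC in RADIUS attribute [31]."""

    def __init__(self, aging_seconds):
        self.aging_seconds = aging_seconds
        self._entries = {}   # canonical MAC -> time of the last successful machine authentication

    def record_machine_auth(self, calling_station_id, now=None):
        self._entries[canonical_mac(calling_station_id)] = time.time() if now is None else now

    def machine_authenticated(self, calling_station_id, now=None):
        now = time.time() if now is None else now
        key = canonical_mac(calling_station_id)
        seen = self._entries.get(key)
        if seen is None:
            return False
        if now - seen > self.aging_seconds:
            del self._entries[key]   # aged out: the machine has to authenticate again first
            return False
        return True


def authorize_user(cache, calling_station_id, user_credentials_ok, now=None):
    """Authorization outcome for a user authentication; the credential check itself is outside this model."""
    if not user_credentials_ok:
        return "reject"
    if cache.machine_authenticated(calling_station_id, now):
        return "permit-corporate"     # known user on a machine that did machine auth
    return "permit-restricted"        # known user, but e.g. a personal device with the same login


if __name__ == "__main__":
    cache = MarCache(aging_seconds=5 * 3600)          # constructed aging time
    cache.record_machine_auth("00-0a-95-7f-de-06", now=0)
    print(authorize_user(cache, "00:0A:95:7F:DE:06", True, now=60))
    print(authorize_user(cache, "00-11-22-33-44-55", True, now=60))
```

This is the supplicant-agnostic answer to "how to force a user to authenticate from an already authenticated machine": the correlation is done on the NAD-reported MAC, so it also shows the limits the deck goes on to discuss, since the cache says nothing about who is logged on, only that this MAC once did machine auth within the window.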
EAP Chaining
• Supported with AnyConnect 3.1 and ISE.
• It relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session.
• If no user information is available (logged out), only machine credentials are used.
• If the user’s identity is also available, both machine and user information will be used for 802.1X authentication.
Access Enforcement
Changing VLAN between machine and user authentication is supported (machine VLAN, then user VLAN).*
* Some supplicants (XP SP2/3) do not detect it and do not trigger IP renewal.
While keeping the same VLAN, a different ACL/SGT can be applied to the machine and the user.
This is more “client agnostic” as it does not require IP renewal.
Corporate non-Windows Machines
There is no concept of machine authentication as with Windows.
Through ISE we could still link some attributes of the user’s identity/account to the machine.
Corporate non-Windows Machines
Assumption: employees authenticate with certificates through corporate non-Windows machines.
Example with Local Policy on WLC 7.5
Corporate Mobile Devices
– Specific EAP methods and account/certificate attributes.
– Force 802.1X through a device-specific certificate, then WebAuth to verify the user behind it.
– Go for MDM.
Employee Owned Devices
If we have machine authentication in place, or even just certificates for employees authenticating from corporate machines, then it’s relatively easy…
What if not?
– Example: no machine authentication, employees authenticating from corporate machines with their login/password and using the same credentials on personal devices.
On the WLC:
config advanced eap max-login-ignore-identity-response ?
enable    ignore the same username reaching max in the EAP identity response
disable   check the same username reaching max in the EAP identity response
Asking the External DB
Find Something Special on Corporate Devices
“Hey, I got this, we just need to turn on profiling…”
What if the employee owned device has the same OS?
Find Something Special on Corporate Devices
dhcp-user-class-id = 43:6f:72:70:50:43 → Profiling Policy = “corp_laptop”
dhcp-user-class-id = 62:6c:61:62:6c:61 → no match
Set on the corporate Windows image with:
C:\>ipconfig /setclassid "Local Area Connection" CorpPC
http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
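Added example for the dhcp-user-class-id trick on this slide (not part of the deck): Python that decodes the hex form ISE displays, so that 43:6f:72:70:50:43 becomes CorpPC, and assigns the corp_laptop policy only when the class matches, leaving a personal device with the same OS in a generic policy. The Endpoint records, the OS names and the generic policy name are constructed.

```python
import binascii
from dataclasses import dataclass
from typing import Optional

CORP_CLASS_ID = "CorpPC"   # value set with: ipconfig /setclassid "Local Area Connection" CorpPC


def decode_user_class_id(raw):
    """ISE shows dhcp-user-class-id as colon-separated hex, e.g. '43:6f:72:70:50:43' -> 'CorpPC'."""
    if raw is None:
        return None
    try:
        data = binascii.unhexlify(raw.replace(":", ""))
        return data.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None   # malformed or non-ASCII option: treat as absent rather than guessing


@dataclass
class Endpoint:
    mac: str                                    # constructed
    os_family: str                              # what profiling sees for both corporate and personal devices
    dhcp_user_class_id: Optional[str] = None    # raw attribute as collected by the DHCP sensor


def profiling_policy(endpoint):
    """corp_laptop only on a matching DHCP user class; the OS alone cannot tell corporate from personal."""
    if decode_user_class_id(endpoint.dhcp_user_class_id) == CORP_CLASS_ID:
        return "corp_laptop"
    return f"{endpoint.os_family}-workstation"


def classify_all(endpoints):
    return {e.mac: profiling_policy(e) for e in endpoints}


if __name__ == "__main__":
    fleet = [
        Endpoint("aa:aa:aa:00:00:01", "Windows", "43:6f:72:70:50:43"),   # corporate image
        Endpoint("bb:bb:bb:00:00:02", "Windows", "62:6c:61:62:6c:61"),   # same OS, other class id
        Endpoint("cc:cc:cc:00:00:03", "Windows"),                        # same OS, no class id
    ]
    print(classify_all(fleet))
```

The class id is only a marker set by the corporate image, not a credential: it tells a profiler the device is a managed build, and the deck's next slides pair it with the user's identity for the actual decision.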
Empower your Employees
Example: DOMAIN\employee.
On the WLC:
config advanced eap max-login-ignore-identity-response disable
Empower your Employees
Empower your Employees
Dedicated guest account groups can be used to authenticate via 802.1X.
External guests won’t be able to obtain the same type of credentials.
Guests
Lobby ambassador and sponsor capabilities on the WLC, Cisco Prime and ISE.
Guests: some options to manage them
WLC / Cisco Prime Infrastructure
– Built-in guest management services through the lobby ambassador user role.
– The guest identity store (local, LDAP, RADIUS) is supported with LWA only.
– Captive portals can be customized.
– Guest users can be assigned to guest profiles for QoS, rate limiting, etc.
ISE
– Guest management services through a dedicated Sponsor interface.
– The guest identity store (local or external) is supported with LWA and CWA.
– Captive portals can be customized and localized (more in the next slides…).
– Guest users can be assigned to dedicated VLANs, ACLs, QoS profiles, etc.
– Guests can go through additional checks, such as compliance, MDM, etc.
Differentiating Guest Portals
How could we redirect guests from a specific WLAN or a specific location to separate portals?
Differentiating Guest Portals
How could we redirect guests to separate portals based on their location or their WLAN?
Using RADIUS [30] Called-Station-ID.
Restricting Guests from a Specific Sponsor and Site
Create a sponsor group on ISE restricting guest creation for a specific group.
Assign sponsor users with specific attributes to the sponsor group.
Restricting Guests from a Specific Sponsor and Site
Authorize guests based on their group managed by that same sponsor.
Contractors and “more than guest” Users
Guest groups flagged as “ActivatedGuest” are enabled to authenticate through other (802.1X) methods, not just through the web portal.
Contractors: Additional Checks
What other BYOD needs do you have?
Q&A
Key Takeaways
Wireless security (and BYOD) is a phased approach.
Understand the end user’s needs.
Keep it simple and functional.
Quite a few things may already be available on your network.
Some other advanced options may require additional services.
Call to Action…
Visit the World of Solutions:
– Cisco Campus
– Walk-in Labs
– Technical Solutions Clinics
– Meet the Engineer
Lunch Time Table Topics, held in the main Catering Hall.
Recommended Reading: For reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014
Complete Your Online Session Evaluation
Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt.