Secure network access, principles of ISE implementation...ISE supports distributed log collection...

Post on 20-Mar-2020


Cisco Public© 2012 Cisco and/or its affiliates. All rights reserved. 1Cisco Expo

Cisco Expo 2012

Secure network access, principles of ISE implementation

György Ács, Consulting Systems Engineer, C|EH – Cisco

Session T-SECA1

• Twitter: www.twitter.com/CiscoCZ
• Talk2cisco: www.talk2cisco.cz/dotazy
• SMS: 721 994 600

Agenda

• What is TrustSec
• What is ISE
• ISE Design
• High Availability
• Migration


Multiple Options for Wired Access

• Identity Based Network Services (IBNS):
  802.1X for wired access
  Profiling by NAC Profiler
  Guest = NGS

• Cisco NAC Appliance:
  VLAN control via SNMP control plane
  Profiling by NAC Profiler
  Guest = NGS

[Diagram: two wired-access paths, IBNS (802.1X to ACS) and NAC Appliance (SNMP to NAC)]

Wireless and VPN Access

• Wireless Access:
  802.1X controlled by WLC
  WLC has local enforcement
  Separate policies on ACS

• Remote Access VPN:
  Policy controlled by ASA, or
  Policy controlled by in-line NAC
  Separate policies on ACS

[Diagram: wireless path (802.1X via WLC to ACS) and VPN path (policy on ASA or in-line NAC)]

TrustSec Brings it all Together

[Diagram: TrustSec, with ISE at the centre, bringing WiFi, NAC and IBNS together]

Complete System for Network Access Control & Enforcement

[Diagram: Cisco ISE (Profiler, Posture, Guest Services, RADIUS) serving wired campus users via Catalyst 6K and wireless users via WLC with 802.1X, MACsec and ingress enforcement; SXP carries tags to the Data Center (Nexus 7K, 5K and 2K) for egress enforcement]

Policy Server Designed for TrustSec

• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting

[Diagram: ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server converge into the Identity Services Engine]

[Diagram: ISE node roles and the flows between the admin user, PAP, PSNs, NADs, M&T, AD and the end user]

Policy Administration Point (PAP): all management UI activities; synchronizing all ISE nodes. All policy is synchronized from the PAP to the PSNs.

Policy Service Node (PSN): the "Work-Horse": RADIUS, profiling, WebAuth, posture, sponsor portal, client provisioning. The PSN queries AD directly.

Network Access Device (NAD): access-layer devices (switchport); enforcement point for all policy. RADIUS from NAD to Policy Service Node; RADIUS from PSN to NAD with enforcement result; RADIUS accounting.

Monitoring and Reporting (M&T): receives logging from the other nodes; holds the logging and reporting data.


May be a Single ISE Appliance for all Functions…

[Diagram: Campus A, Campus B, Branch A and Branch B (APs, WLCs, 802.1X switches) all served by one appliance running Admin, M&T and PSN]

… or Fully Distributed System where all functions are broken out.

[Diagram: Campus A and Campus B with Pri. Admin, Sec. Admin, Pri. MNT, Sec. MNT, four PSNs and HA inline posture nodes; Branch A and Branch B with APs, WLCs, 802.1X switches and ASA VPN]

Primary Management Appliance

• Interface to configure and view policies
• Responsible for policy sync across all nodes
• Provides: licensing, admin authentication & authorization, admin audit
• Each ISE deployment must have at least one PAP; only 1x Primary and 1x Backup PAP possible

[Diagram: admin user connects to PAP (Primary); policy sync from PAP (Primary) to PAP (Secondary) and to the PSNs; PSNs send logging to M&T (Primary) and M&T (Secondary); the end user authenticates via a PSN]

• Changes made via the Primary PAP DB are automatically synced to the Secondary PAP and all PSNs.

The "Work Horse"

• Evaluates and makes policy decisions; this IS the RADIUS server for your Network Access Devices
• Per policy decision, responsible for: network access (such as AAA RADIUS services), posture, guest access (web portals), profiling, client provisioning
• Each ISE deployment must have one or more PSNs (up to 40 PSNs)
• Node Groups may be used for load-balanced clusters (more on this later in the presentation)

ISE supports distributed log collection across all nodes to optimize local data collection, aggregation and centralized correlation and storage.

Each ISE node collects logs locally from itself; Policy Service Nodes running Profiler Services may also collect log (profile) data from NADs.

Each node transports its audit logging data to each Monitoring node as Syslog; Profiler events are buffered and forwarded to the primary Admin node to update the DB.

NADs may also send Syslog directly to the Monitoring node on UDP/20514 for activity logging, diagnostics, and troubleshooting.

[Diagram: NADs send NetFlow, SNMP traps, RADIUS, HTTP SPAN and DHCP SPAN/helper/proxy data to the Policy Service Nodes, and Syslog (UDP/20514) directly to the Monitoring Nodes; Policy Service Nodes send Syslog (UDP/20514, not buffered) and Profiler Syslog (UDP/30514, buffered) towards the Monitoring Nodes; Monitoring Nodes forward alarm-triggered Syslog to External Log Targets on UDP/20514]

Policy Service Sizing and Performance

Form Factor | Size   | Platform        | Appliance Maximum Endpoints | Profiler Events | Posture Auths
Physical    | Small  | ISE 3315 / 1121 | 3,000                       | 500/sec         | 70/sec
Physical    | Medium | ISE 3355        | 6,000                       | 500/sec         | 70/sec
Physical    | Large  | ISE 3395        | 10,000                      | 1200/sec        | 110/sec
Virtual     | S/M/L  | VM              | 10,000 *                    | TBD             | TBD

* VM design guidance is to match or exceed the ISE physical appliance specifications upon which node sizing is based.

Hard disks with 10K or higher RPM are highly recommended.

• Major TrustSec component that enforces network policies.
• NAD sends request to the PSN for implementing authorization decisions for resources.
• Common enforcement mechanisms:
  VLAN assignment
  dACLs
  Security Group Access (SGA)*
• Basic NAD types:
  Cisco Catalyst Switches
  Cisco Wireless LAN Controllers
  Cisco ASA "VPN Concentrator"

Special Case: ISE Becomes an in-line Appliance

Inline Enforcement:
  Dedicated inline solution where the infrastructure does not support RADIUS Change of Authorization (RFC 5176/3576, dACL, etc.)
  Only needed in posture/profiling use cases
  Acts as a RADIUS proxy in Bridged or Routed Gateway mode
  *Inline Enforcement cannot be combined with other services

[Diagram: VPN → RADIUS → iPEP → RADIUS → PSN]


[Diagram: Data Center 1 with Node A (10.1.100.3, PAP/PSN/M&T) and Data Center 2 with Node B (10.1.200.3, PAP/PSN/M&T), replication over Layer 3; one node is marked as failed]

• If a single box fails then all runtime services continue using another box:
  RADIUS services
  Guest services
  Profiling services
  Posture services
  etc.

• NADs are configured with multiple RADIUS servers:

  radius-server host 10.1.100.3 key Cisco123
  radius-server host 10.1.200.3 key Cisco123
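The NAD-side behaviour that the two radius-server lines configure, as an added example (not code from the deck or from Cisco): a minimal RADIUS client that builds an RFC 2865 PAP Access-Request with the shared secret, verifies each reply's Response Authenticator, and falls back to the second PSN when the first gives no authentic answer. The PSN addresses and secret are taken from the slide; the function names and the injected send() callback are assumptions for illustration.

```python
import hashlib
import secrets

# Constructed for this example: the two PSNs and shared secret from the radius-server lines above.
PSNS = [("10.1.100.3", 1812), ("10.1.200.3", 1812)]
SECRET = b"Cisco123"  # the secret is all that authenticates NAD<->PSN traffic: use a long random one per NAD
ACCESS_REQUEST, ACCESS_ACCEPT, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2, 1, 2

def _md5_chain(data, secret, authenticator, hiding):
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block is keyed by the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if hiding else block)  # always chain on ciphertext
    return out

def hide_password(password, secret, authenticator):
    padded = password.ljust(16 * -(-len(password) // 16), b"\x00")  # NUL-pad to 16n (max 128)
    return _md5_chain(padded, secret, authenticator, True)

def reveal_password(hidden, secret, authenticator):
    return _md5_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(ident, user, password, secret):
    """Return (packet, request_authenticator) for a PAP Access-Request (RFC 2865 s4.1)."""
    ra = secrets.token_bytes(16)  # fresh random Request Authenticator per request
    hidden = hide_password(password, secret, ra)
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big") + ra + attrs, ra

def make_reply(code, ident, request_auth, secret, attrs=b""):
    """Build a reply as the PSN does: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_auth, secret):
    """A NAD must verify this before trusting an Accept; RFC 2865 says drop bad replies silently."""
    return reply[4:20] == hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()

class NadRadiusClient:
    """Mimics a NAD with several radius-server hosts: try each in order; send() returning None = timeout."""
    def __init__(self, servers, secret, send):
        self.servers, self.secret, self.send, self.ident = list(servers), secret, send, 0

    def authenticate(self, user, password):
        for host, port in self.servers:
            self.ident = (self.ident + 1) % 256
            pkt, ra = build_access_request(self.ident, user, password, self.secret)
            reply = self.send(host, port, pkt)
            if reply is not None and reply_is_authentic(reply, ra, self.secret):
                return host, reply[0] == ACCESS_ACCEPT  # (PSN that answered, accepted?)
        raise TimeoutError("no configured RADIUS server (PSN) answered")
```

An unauthentic reply is treated like silence, so a spoofed Accept from the wrong secret cannot short-circuit the failover to the next PSN.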

[Diagram: PAP (Primary) has failed; PAP (Secondary -> Primary) now performs policy sync to the PSNs; PSNs send logging to M&T (Primary) and M&T (Secondary)]

• Upon failure of the Primary PAP, the admin user can connect to the Secondary PAP; all changes via the backup PAP are automatically synced to all PSNs.
• Admin must first manually promote the Secondary PAP to be Primary.

• NADs can be configured with redundant RADIUS servers (PSN nodes).
• PSNs can also be configured in a cluster, or "node group", behind a load balancer. NADs send requests to the LB virtual IP for PSN services.
• PSNs in a node group maintain a heartbeat to verify member health.

[Diagram: Network Access Devices (switch) make the AAA connection to the load balancers in front of the PSN Node Group; policy replication reaches the group from PAP (Primary) and PAP (Secondary)]

• In HA mode, two ISE appliances are deployed in an Active/Standby configuration; mutual interfaces share a common Service IP for user/management traffic; the active iPEP responds to the Service IP.
• Each active interface requires L2 connectivity to its mutual peer: trusted (eth0), untrusted (eth1), and HA (eth2 or eth3).

[Diagram: wireless user (AP, WLC) and VPN user (ASA) on the Internet side reach the internal network through ISE iPEP ACTIVE and ISE iPEP STANDBY; the untrusted eth1 side and the trusted eth0 side (VLAN 11 and VLAN 12) each sit behind an L3 switch and carry a Service IP; eth2 on both nodes forms the heartbeat link]

Logging

• Up to two (2) M&T nodes per ISE deployment
• All PSNs will automatically sync logs with both M&T nodes. The PAP displays dashboard and reporting from the Primary PAP to the Admin User.

[Diagram: three PSNs log to M&T (Primary) and M&T (Secondary); the PAP presents the data to the admin user]

Node | HA Scheme | Auto Failover? | Notes
PAP  | Active/Standby | No | Secondary PAP must be manually promoted
PSN  | Node Groups (PSN clusters); redundant PSN config on NADs | Yes for established sessions; sessions in process of setup may require re-auth | Node group: group together PSN nodes that reside in a single location behind a load balancer and share a common multicast address
NAD  | NAD-specific | NAD-specific | Examples: redundant Wireless Controllers
iPEP | Active/Standby | Yes, but stateless | Clients must re-auth to the backup iPEP node upon failover
M&T  | Active/Active | Yes | One node serves as Primary; all ISE logs are automatically sent to both HA M&T nodes. Any external loggers must be configured to log to both nodes.


DEMO


Maximum Endpoints = 2,000

• All services run on both ISE nodes
• Set one for Primary Admin / Secondary M&T
• Set the other for Primary Monitoring / Secondary Admin
• No more than 2,000 endpoints supported

[Diagram: Campus A and Campus B each host one Admin/M&T/PSN node (Pri. Admin and Pri. M&T) plus HA inline posture nodes; Branch A and Branch B have APs, WLCs, 802.1X switches and ASA VPN]

Maximum Endpoints = 10,000 / Maximum 5 PSNs

• Dedicated management appliances:
  Pri. Admin / Sec. MNT
  Pri. MNT / Sec. Admin
• Dedicated Policy Service Nodes: up to 5 PSNs
• No more than 10,000 endpoints supported

[Diagram: Campus A with Pri. Admin / Sec. M&T and Pri. M&T / Sec. Admin appliances and HA inline posture nodes; Campus B with four PSNs; Branch A and Branch B with APs, WLCs, 802.1X switches and ASA VPN]

Maximum Endpoints = 100,000 / Maximum 40 PSNs

• Dedicated management appliances:
  Pri. Admin
  Sec. Admin
  Pri. MNT
  Sec. MNT
• Dedicated Policy Service Nodes: up to 40 PSNs
• Up to 100,000 endpoints supported

[Diagram: Campus A with Pri. Admin, Sec. Admin, Pri. MNT, Sec. MNT and HA inline posture nodes; Campus B with four PSNs; Branch A and Branch B with APs, WLCs, 802.1X switches and ASA VPN]

ISE will Join the Domain

[Diagram: the PAP and the Policy Service Nodes PSN01, PSN02 and PSN03 each appear as Domain Computers in AD]

Each ISE node will join and query AD separately, and has its own computer account in AD.

Multiple Domains

If trust relationship(s) exist:
• Then only need to join one domain.

If no trust relationships:
• Join one domain
• LDAP to query the others


Migration Paths do Exist

• Is the infrastructure running 802.1X today?
  ACS 4.x or 5.x is the policy engine
  It IS possible to migrate NADs and user accounts to ISE
• If the infrastructure is NAC Appliance:
  No migration today
  A future version of ISE will allow migration
• NAC Guest Server (NGS):
  No migration today (planned for a future release)
• NAC Profiler:
  No migration possible

• Standalone ISE ONLY; then do your distributed ISE deployments
• ACS Migration Tool (Windows w/ Java)
• 512 GB
• TrustSec 1.99 or IBNS

Bad news first

• We tried @ first, but there were problems.
• Policy migration ability removed from 1.0 MR (1.0.4.x)
• It is supposed to come back in the future.

Policies cannot be migrated at this time. Also not migrated:
• Local Administrator Accounts
• Any Security Group Access (SGA) data
• Authorization results (no dVLAN data in AuthZ profiles)
• Posture checks
• NAC Framework
• Etc…

Now the Good News

Dictionaries:
• Identity attribute dictionaries
• RADIUS VSA dictionaries

Identities:
• Local users
• Local endpoints
• Certificate authentication profiles

Network Devices:
• Network Access Devices (NADs)
• Network Device Groups (NDGs)

Migration Tool

[Screenshot: migration tool covering Users, NDGs and NADs]

Get it all organized in ACS 5 prior to using the tool.


Shows: Counts, Successes, Failures and Warnings

TrustSec and ISE Design

• TrustSec is a systems approach to Network Access Control, utilizing the network infrastructure to accomplish what used to be available only in overlays.
• ISE provides the first and only policy engine solution that fully converges authentication, authorization, profiling, guest and posture.
• All ISE nodes maintain a full copy of the database, providing a fully redundant authentication infrastructure.
• Best practice: do not use < 500 GB of storage with your VMs.
• You can migrate NADs, NDGs, users and devices from ACS, but not policies, AuthZ results, or SGA data today.

• Twitter: www.twitter.com/CiscoCZ
• Talk2Cisco: www.talk2cisco.cz/dotazy
• SMS: 721 994 600
• We invite you to the "Ptali jste se…" ("You asked…") session in hall LEO: day 1 17:45 – 18:30, day 2 16:30 – 17:00

Please rate this talk.

T-SECA1