Cisco ISE for Campus Security


Transcript of Cisco ISE for Campus Security

Page 1: Cisco ISE for Campus Security

Michael “Zig” Zsiga, CCIE # 44883

Lead Technical Architect (LTA) @ ePlus

03-23-2016

Leveraging Cisco’s Identity Services Engine to maintain complete Visibility and Consistent Secure Control of all devices in a Campus Environment

Page 2: Cisco ISE for Campus Security

2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Today’s Agenda
• Use Case Architecture
• ISE Primer
• Complete Visibility
• Consistent Secure Control
• BYOD
• Guest Access
• Guest Demo

Page 3: Cisco ISE for Campus Security


Use Case Architecture

Page 4: Cisco ISE for Campus Security

The Different Ways Customers Use ISE

Guest Access Management: Easily provide visitors secure guest Internet access

BYOD and Enterprise Mobility: Seamlessly classify & securely onboard devices with the right levels of access

Secure Access across the Entire Network: Streamline enterprise network access policy over wired, wireless, & VPN

Software-Defined Segmentation with Cisco TrustSec®: Simplify network segmentation and enforcement to contain network threats

Visibility & Context Sharing with pxGrid: Share endpoint and user context with Cisco and 3rd-party systems

Network Device Administration: Device administration and network access on a single platform

Page 5: Cisco ISE for Campus Security


ISE Use Case Architecture - Overview

Users            Devices            Permissions
Trusted User     Trusted Device     Full Access
Trusted User     Untrusted Device   Limited Access
Untrusted User   Trusted Device     Limited Access
Untrusted User   Untrusted Device   No Access

Page 6: Cisco ISE for Campus Security


Real Life Use Case from an ePlus K-12 Customer: Customer Requirements Overview

Full Visibility of what is being connected to their network
• Gaming Systems: Xbox, PS4, etc...
• SOHO Routers / Switches: Linksys, Belkin, Netgear, etc…

Secure Control with Security Policies being applied based on Business requirements
• An Employee gets access to a file share
• A student gets access to internal printers only

Guest Access that is fluid and uses a Single Portal
• Self-sponsored guest access
• Sponsored guest access
• Predictable and intuitive

Ease of Management that can minimize the overhead a small IT shop has traditionally encountered
• Single Pane of Glass
• Flexible Design and implementation

Page 7: Cisco ISE for Campus Security


Real Life Use Case from an ePlus K-12 Customer: Customer Details Overview

Network Devices
• 200-plus NADs
• ~150 Cisco switches
• ~50 WLCs

Trusted Users
• An Employee (Staff / Faculty)
• A Student

Trusted Devices
• School owned and managed Device

Identity Permissions
• What are you allowed to access: Printers, Servers, WWW
• Trusted Users can have different access based on their needs

Page 8: Cisco ISE for Campus Security


Real Life Use Case from an ePlus K-12 Customer: Customer Solution Overview

Full Visibility
• Implemented a Monitor Mode ISE Deployment
• Nothing is blocked initially, just tracked in ISE

Secure Control
• Multiple levels of access for Trusted / Trusted Tiers
• Employees have more access than Students; both are Trusted Users

Guest Access
• Self-sponsored guest access: anyone can use it, but it is limited to internet access and a small subset of printers
• Sponsored guest access: specific use case for vendor access

Ease of Management
• Moving all security configuration to a single web portal front end
• Previously had to touch 200-plus network devices to make the same change
• Modular deployment with Policy Sets (Wired, Wireless, VPN)
• Two (2) Wireless SSIDs only: Internal vs Guest

Page 9: Cisco ISE for Campus Security


ISE Primer

Page 10: Cisco ISE for Campus Security


Identity Services Engine: Policy Server Designed for Secure Access

• Centralized Policy
• RADIUS Server
• Secure Group Access
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting

[Diagram: ACS, Profiler, Guest Server, NAC Manager and NAC Server consolidated into the Identity Services Engine]

• Device Registration
• Supplicant and Cert Provisioning
• Mobile Device Management
• Partner Ecosystem

Page 11: Cisco ISE for Campus Security


Introducing Cisco Identity Services Engine

A centralised security solution that automates context-aware access to network resources and shares contextual data

[Diagram: the Network Door, with Identity, Profiling and Posture supplying context (Who, What, When, Where, How, Compliant) to Role-Based Policy Access, Traditional or Cisco TrustSec®, over physical or VM Network Resources; Guest Access, BYOD Access and Secure Access, with ISE as pxGrid Controller]

Page 12: Cisco ISE for Campus Security


Complete Visibility

Page 13: Cisco ISE for Campus Security


Extensive Context Awareness

Make Fully Informed Decisions with Rich Contextual Awareness

         Rich Context Awareness        Poor Context Awareness
Who      Bob                           IP address 192.168.1.51
What     Tablet                        Unknown
Where    Building 200, first floor     Unknown
When     11:00 a.m. EST on April 10    Unknown
How      Wireless                      Unknown

Result (rich context): The right user, on the right device, from the right place is granted the right access
Result (poor context): Any user, any device, anywhere gets on the network

Page 14: Cisco ISE for Campus Security


Many Different Visibility Variables

Trust Gradient
• Authentication
• Certificate
• Managed/Unmanaged
• Compliance/Posture

Threat/Risk
• Threat score
• Fidelity

Reach
• What services can be accessed
• What other entities can be impacted

Behaviour
• Historical versus active: now or before
• Was I doing the expected or unexpected

Users
• Role
• Permissions/rights
• Importance

Devices
• Ownership: managed or unmanaged
• Type of device
• Function
• Applications

Connectivity
• Medium (Wired/Wireless/VPN)
• NAD/NAD Details
• State (active session)

Location
• Physical
• Logical

Time
• Time of Day
• Day of week
• Connection duration

Page 15: Cisco ISE for Campus Security


[Diagram: PCs vs Non-PCs (UPS, Phone, Printer, AP)]

How? Profiling

What ISE Profiling is:
• Dynamic classification of every device that connects to the network using the infrastructure.
• Provides the context of “What” is connected, independent of user identity, for use in access policy decisions.

What Profiling is NOT:
‒ An authentication mechanism.
‒ An exact science for device classification.

Page 16: Cisco ISE for Campus Security


Profiling Technology: Visibility Into What Is On the Network

Page 17: Cisco ISE for Campus Security


Profiling Technology: How Do We Classify a Device?

• Profiling uses signatures (similar to IPS)
• Probes are used to collect endpoint data

Probes: RADIUS, DHCP, DHCP SPAN, DNS, HTTP, SNMP Query, SNMP Trap, NetFlow, NMAP

Page 18: Cisco ISE for Campus Security


Profiling Policy Overview: Profile Policies Use a Combination of Conditions to Identify Devices

Conditions:
• Is the MAC Address from Apple
• DHCP:host-name CONTAINS iPad
• IP:User-Agent CONTAINS iPad

Profile Library: “I am fairly certain this device is an iPad”

Assign this MAC Address to the “iPad” Policy
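Added example, not Cisco's code or ISE's actual profiler logic: a toy evaluator of the condition-plus-certainty approach this slide describes, where each matching probe attribute adds a certainty factor and the endpoint is assigned the profile once a minimum total is reached. The OUI table, the certainty factors and the two endpoint records are constructed for illustration and are not the shipped iPad profile's values.

```python
"""Toy evaluator for ISE-style profiling policies (added example, not ISE code)."""
from dataclasses import dataclass
# Constructed OUI table: first three octets of the MAC -> vendor. A real
# deployment resolves this from the IEEE OUI registry, not a hard-coded dict.
OUI_VENDORS = {"AA:BB:CC": "Apple", "DD:EE:FF": "Netgear"}

@dataclass
class Condition:
    attribute: str   # probe attribute, e.g. "MAC:OUI", "DHCP:host-name", "IP:User-Agent"
    contains: str    # the slide's CONTAINS operator; the only one modelled here
    certainty: int   # certainty factor contributed when the condition matches

@dataclass
class ProfilePolicy:
    name: str
    min_certainty: int   # total needed before the endpoint is assigned this profile
    conditions: list

def derive_attributes(raw):
    """Add attributes derived from probe data (vendor looked up from the OUI)."""
    attrs = dict(raw)
    attrs["MAC:OUI"] = OUI_VENDORS.get(attrs.get("MAC", "").upper()[:8], "Unknown")
    return attrs

def score(policy, attrs):
    """Sum the certainty factors of every condition whose substring matches."""
    return sum(c.certainty for c in policy.conditions
               if c.contains.lower() in attrs.get(c.attribute, "").lower())

def classify(policies, raw):
    """Name of the highest-scoring profile that reaches its minimum, else 'Unknown'."""
    attrs = derive_attributes(raw)
    hits = [(score(p, attrs), p.name) for p in policies if score(p, attrs) >= p.min_certainty]
    return max(hits)[1] if hits else "Unknown"
# Constructed policy: certainty values are illustrative, not ISE's shipped numbers.
# A lone User-Agent match is deliberately below the minimum, since any client can send one.
IPAD = ProfilePolicy("iPad", 20, [Condition("MAC:OUI", "Apple", 10),
                                  Condition("DHCP:host-name", "iPad", 20),
                                  Condition("IP:User-Agent", "iPad", 10)])

# Constructed endpoint records as the RADIUS, DHCP and HTTP probes would report them.
REAL_IPAD = {"MAC": "aa:bb:cc:11:22:33", "DHCP:host-name": "Zigs-iPad",
             "IP:User-Agent": "Mozilla/5.0 (iPad; CPU OS 9_0 like Mac OS X)"}
UA_ONLY = {"MAC": "dd:ee:ff:44:55:66",
           "IP:User-Agent": "Mozilla/5.0 (iPad; CPU OS 9_0 like Mac OS X)"}

if __name__ == "__main__":
    print(classify([IPAD], REAL_IPAD))  # iPad
    print(classify([IPAD], UA_ONLY))    # Unknown
```

The second endpoint is the slide's "not an exact science" caveat in practice: one easily spoofed attribute stays below the threshold, which is why a profile result feeds authorization context rather than standing in for authentication.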

Page 19: Cisco ISE for Campus Security


Consistent Secure Control

Page 20: Cisco ISE for Campus Security


ISE is a Standards-Based AAA Server: Access Control System Must Support All Connection Methods

[Diagram: ISE Policy Server serving Wired, Wireless and VPN access, with Cisco Prime alongside]

Supports Cisco and 3rd-Party solutions via standard RADIUS, 802.1X, EAP, and VPN Protocols
• Wired: RADIUS, 802.1X = EAPoLAN
• Wireless: 802.1X = EAPoLAN
• VPN: SSL / IPsec

Page 21: Cisco ISE for Campus Security


Separation of Authentication and Authorization

[Diagram: Policy Groups, each selected by a Policy Set Condition and holding separate Authentication and Authorization policies; default from ISE 1.3]

Page 22: Cisco ISE for Campus Security


What About That 3rd “A” in “AAA”? Accounting

Page 23: Cisco ISE for Campus Security


Detailed Visibility into Passed/Failed Attempts


Page 24: Cisco ISE for Campus Security


Building the Architecture in Phases


Access-Prevention Technology
‒ A Monitor Mode is necessary
‒ Must have ways to implement and see who will succeed and who will fail
‒ Determine why, and then remediate before taking 802.1X into a stronger enforcement mode.

Solution = Phased Approach to Deployment:
‒ Monitor Mode
‒ Low-Impact Mode -or- Closed Mode

Page 25: Cisco ISE for Campus Security


BYOD

Page 26: Cisco ISE for Campus Security


Onboarding Personal Devices: Registration, Certificate and Supplicant Provisioning

[Diagram: Device Onboarding, Certificate Provisioning and Supplicant Provisioning in a Self-Service Model for iOS, Android, Windows and Mac OS, via the My Devices Portal]

Provisions device Certificates:
‒ Based on Employee-ID & Device-ID

Provisions Native Supplicants:
‒ Windows: XP, Vista, 7 & 8
‒ Mac: OS X 10.6, 10.7 & 10.8
‒ iOS: 4, 5, 6 & 7
‒ Android: 2.2 and above
‒ 802.1X + EAP-TLS, PEAP & EAP-FAST

Employee Self-Service Portal:
‒ Lost Devices are Blacklisted
‒ Self-Service Model reduces IT burden

Single and Dual SSID onboarding.

Page 28: Cisco ISE for Campus Security


Guest Access

Page 29: Cisco ISE for Campus Security


Improve Guest Experiences Without Compromising Security

• Guest gets Internet: Immediate, Uncredentialed Internet Access with Hotspot
• Guest gets Internet: Simple Self-Registration
• Guest with Sponsor gets Internet and Network: Role-Based Access with Employee Sponsorship

Page 30: Cisco ISE for Campus Security


ISE Built-in Portal Customisation

• Create Accounts
• Print / Email / SMS
• Mobile and Desktop Portals
• Notifications: “Approved! credentials username: trex42 password: littlearms”

Page 31: Cisco ISE for Campus Security


Which Portals Are Customisable: All Except The Admin Portal

1. Guest
2. Sponsor
3. BYOD (Device Registration)
4. My Devices
5. Client Provisioning (Desktop Posture)
6. MDM (Mobile Device Management)
7. Blacklist
8. Certificate Provisioning Portal

Page 32: Cisco ISE for Campus Security

https://isepb.cisco.com/

• 17 languages

• All portal support (hotspot, self registered, BYOD, ... )

Page 33: Cisco ISE for Campus Security

Access your portals to manage and share

Choose from Pre-Built Portal Layouts

Page 34: Cisco ISE for Campus Security

Supports all languages (plus RTL: Arabic & Hebrew)

Supports all portal types

Page 35: Cisco ISE for Campus Security


Guest Demo

Page 36: Cisco ISE for Campus Security


Guest Demo

• ISE_CLLE_SR_Demo: Self Registration Demo
• ISE_CLLE_HS_Demo: Hotspot Demo; access key is “ISE_DEMO!!” without quotes

Two different SSIDs

Page 37: Cisco ISE for Campus Security


Q & A

Page 38: Cisco ISE for Campus Security


What to do next?

• Email: [email protected]

• Phone: (603) 263-3568

• Twitter: @michael_zsiga

Contact me or anyone else @ ePlus

If you are bored and want to hang out with fellow Nerds and Geeks alike join BOSNOG: The Boston Network Operators Group (www.bosnog.org)
