BRKSEC-3697
We will examine best practices for Bring Your Own Device (BYOD) deployments
with the most common mobile platforms, including multiple tiers of registered
devices. We will perform a detailed examination of certificate usage including
integration of ISE with your enterprise certificate authority (CA), endpoint
certificate usage, and wildcard certificates. There will be a detailed examination of
guest life-cycle management, including self-service and sponsored guest access
models. Lastly, attendees will be introduced to troubleshooting and serviceability
tips.
BRKSEC-3697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Live Melbourne: ISE and TrustSec Sessions
- BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Fri 2:00pm)
- BRKSEC-3699 Designing ISE for Scale & High Availability (Fri 8:45am)
- BRKSEC-2690 Deploying Security Group Tags (Wed 2:30pm)
- BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (Fri 8:45am)
- BRKSEC-2044 Building an Enterprise Access Control Architecture Using ISE & TrustSec (Thurs 8:30am)
- BRKSEC-1011 Written to Realised Security Policy (Thurs 2:45pm)
- BRKSEC-2691 IBNS 2.0: New-style 802.1X and more (Thurs 4:30pm)
- DEVNET-1618 Cisco pxGrid: A New Architecture for Security Platform Integration (Thurs 2:00pm)
Important: Hidden Slide Alert (slides marked "For Your Reference")
Agenda
Introduction
Certificates, Certificates, Certificates
BYOD Best Practices
Integrating with Cisco and Non-Cisco
ISE in a Security EcoSystem
Serviceability & Troubleshooting
Staged Deployments (Time Permitting)
Conclusion
ISE and Certificate Usage
Certificates
Figure: X.509 certificate fields: username, organization, location.
Certificates
Figure: 802.1X exchange. Supplicant <-> Authenticator over the Layer 2 link, Authenticator <-> Authentication Server over the Layer 3 link: EAPoL Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS Access-Request; the port stays Unauthorized until the exchange secures it. Certificate roles shown: Web Server, Root CA, Internal Communications.
Certificates
Figure: certificate usage per SSID; ISE node name ise.company.com.
Certificates
Figure: ise/admin# application configure ise; ISE CA certificate names ise-ca, ise-ca-#0002, ise-ca-#00002.
Certificates
Figure: endpoint certificate for user employee1 (CN=employee1) issued by ise-ca.
Certificates
Per-node certificate management:
- Generate CSR for Primary PAN; bind CA-signed cert for Primary PAN
- Generate CSR for PSN #1; bind CA-signed cert for PSN #1
- Generate CSR for PSN #20; bind CA-signed cert for PSN #20
- Generate CSR for PSN #40; bind CA-signed cert for PSN #40 (and so on for every PSN)
Centralised certificate management at the Primary PAN:
- Generate CSRs for ALL NODES at Primary PAN
- Bind CA-signed certs for ALL NODES at Primary PAN
- Manage System (Local) certs for ALL NODES at Primary PAN
Certificates
Figure: certificate for ise-lab.company.com.
Certificates
Trusted Certificates
In ISE 1.3, trusted certificates have a new "Trusted For" attribute.
Security goal: prevent the public certificates used for Cisco Services from being used internally.
When importing a trust certificate, the user must specify what the certificate is trusted for.
It is important to select at least one category, or the cert will not be used in any trust store.
Certificates
- pxGrid (1): No, No
Certificates for all roles are managed from the Primary PAN node.
(1) While ISE technically allows a wildcard in the CN, Microsoft supplicants will reject it, so it is never recommended.
Certificates
Have Unique Certificates (Identity)
Certificates
Portal certificate options:
- Add complexity to the Portal Configuration page by choosing certificates on each node? What about large deployments (40 PSNs)? (PSN-1: Cert1, PSN-2: Cert2, PSN-3: Cert3, marked X in the figure)
- Configure it entirely outside of the Portal Configuration screen?
- Some way to combine?
Certificates
Group Tag: GuestPortalCerts (grouping certificates to a logical name)
- Node 2: Sec Admin, M&T and PSN
- Node 3: PSN
Certificates
Figure: certificate chain for ise.company.com: Root CA -> Subordinate CA -> Subordinate CA -> ISE Cert (ise.company.com).
If you must use a PKCS chain, it needs to be in PEM format (not DER).
Certificates
Figure: two PSNs and their Trusted Certs stores (failing relationships marked X).
Certificates
Figure: sponsor portal behind a load balancer. The sponsor browses to http://sponsor.company.com (100.1.99.6) and is redirected to https://sponsor.company.com:8443/sponsorportal; the Load Balancer forwards the session to ISE-PSN-2 or ISE-PSN-3 (node addresses shown: 100.1.99.7, 100.1.98.8, 100.1.99.8).
Name Mismatch! Requested URL = sponsor.company.com; Certificate Subject = ise-psn-3.company.com.
Certificates
ISE Certificate with SAN: ise-psn.company.com, *.company.com
Position in FQDN is fixed: *.domain.com != psn.[ise].domain.com (the wildcard covers exactly one label).
Certificates
Clients Misbehave!
Example education customer:
- ONLY 6,000 endpoints (all BYOD style)
- 10M auths / 9M failures in 24 hours!
- 42 different failure scenarios, all related to clients dropping TLS (both PEAP & EAP-TLS).
Supplicant list: Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
5411 No response received during 120 seconds on last EAP message sent to the client
This error has been seen at a number of Escalation customers.
Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.
Certificates
Figure: one certificate for all PSNs (NAD, SSID, ise-psn-1.domain.com). The same EXACT private/public key may be installed on all PSNs.
Certificates
Solution: Common Cert, Wildcard in SAN
- CN = ise-psn.domain.com
- SAN contains ise-psn.domain.com and *.domain.com, or all PSN FQDNs (ise-psn-1.domain.com, ise-psn-2.domain.com, ...)
Figure: the Cert Authority issues the common cert to ISE-1 (ise-psn-1.domain.com) and ISE-2 (ise-psn-2.domain.com); NAD and SSID clients see ise-psn.domain.com.
Wildcard SAN support: comodo.com CA, SSL.com CA, Digicert.com CA, Symantec/Verisign CA, Microsoft 2008 CA
Failed with GoDaddy CA: does not support * in SAN, only supports * in CN
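Added example (not Cisco's or ISE's code) of the host-name matching a browser or supplicant performs against the certificate it is shown, covering both the load-balancer "Name Mismatch!" case and the single-label wildcard rule above; the certificates and host names are constructed from the figures on these slides.

```python
# Added example for this deck (not Cisco's or ISE's code): RFC 6125-style
# host-name matching as a TLS client (browser or supplicant) performs it
# against an ISE portal/EAP certificate. Certificates and host names below
# are constructed from the figures on these slides.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Cert:
    cn: str                                           # Subject CN
    san_dns: list[str] = field(default_factory=list)  # SAN dNSName entries


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (possibly '*.example.com') against a host."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    head, _, tail = p.partition(".")
    # RFC 6125 6.4.3: the wildcard must be the whole left-most label, and
    # clients reject wildcards with fewer than two labels after it ('*.com').
    if head != "*" or "*" in tail or "." not in tail:
        return False
    hhead, _, htail = h.partition(".")
    # Exactly one label is consumed by '*': position in the FQDN is fixed,
    # so *.domain.com covers psn.domain.com but not psn.ise.domain.com.
    return bool(hhead) and htail == tail


def cert_matches_host(cert: Cert, host: str) -> bool:
    """Clients consult SAN dNSName first and fall back to CN only if no SAN."""
    if cert.san_dns:
        return any(name_matches(n, host) for n in cert.san_dns)
    return name_matches(cert.cn, host)


def explain(cert: Cert, host: str) -> str:
    """Verdict in the style of the 'Name Mismatch!' slide."""
    if cert_matches_host(cert, host):
        return f"OK: {host} is covered by CN {cert.cn} / SAN {cert.san_dns}"
    return f"Name Mismatch! Requested URL = {host}, Certificate Subject = {cert.cn}"


# Per-node cert on ISE-PSN-3, reached through the sponsor.company.com VIP
PER_NODE = Cert("ise-psn-3.company.com", ["ise-psn-3.company.com"])
# Common cert recommended by the deck: CN plus wildcard in the SAN
COMMON = Cert("ise-psn.domain.com", ["ise-psn.domain.com", "*.domain.com"])
# Common cert listing every PSN FQDN instead of a wildcard
LISTED = Cert("ise-psn.domain.com",
              ["ise-psn.domain.com", "ise-psn-1.domain.com", "ise-psn-2.domain.com"])
# GoDaddy-style cert: wildcard only in the CN, SAN present without it
CN_ONLY = Cert("*.domain.com", ["ise-psn.domain.com"])

if __name__ == "__main__":
    for cert, host in [(PER_NODE, "sponsor.company.com"),
                       (COMMON, "sponsor.domain.com"),
                       (COMMON, "psn.ise.domain.com"),
                       (LISTED, "ise-psn-3.domain.com"),
                       (CN_ONLY, "sponsor.domain.com")]:
        print(explain(cert, host))
```

The LISTED case shows the maintenance cost of enumerating PSN FQDNs: a PSN added later (ise-psn-3) fails until the certificate is reissued.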
Certificates
CWA Example: DNS and Port Settings; Single Interface Enabled for Guest Portal.
Certificate Authority
NSP Flow, Internal CA
Employee connects to SSID = CORP; the PSN (RA) requests the certificate from the internal CA.
- CA Selection: CPP Certificate Template = Internal
- CSR sent to Internal CA
- User Certificate Issued: CN = AD UserName, SAN = Values from Template
- Certificate sent to ISE
- RADIUS Access-Accept
NSP Flow, External CA
Employee connects to SSID = CORP; the PSN (RA) requests the certificate from the external CA.
- RADIUS Access-Request
- RADIUS Access-Accept
Certificate Authority
ISE CA: Multiple Personalities/Identities: Root CA, Subordinate CA
Certificate Authority
Figure: the Primary PAN is the ISE CA Root CA; each PSN holds a Subordinate CA and a SCEP RA. The Subordinate CA signs the actual Endpoint Certs. The Standby (Secondary) PAN is another Root CA! Ensure you export the Primary PAN CA and import it on the Secondary.
Node Registration Process Overview
All PSNs are instructed by the PAN to generate the CSRs; the PAN (Root CA) signs all three certs per node.
Each PSN will get three certificates for CA functions:
- Subordinate CA: to sign endpoint certificates
- OCSP: to identify the node with the OCSP service
- Registration Authority (RA): to identify the sub-CA when requesting certificates for endpoints
Certificate Authority operations (screenshots):
- Issue & Revoke Endpoint Certificates
- Revoke certificates
- Re-generate the Root CA
- ISE as an Intermediate CA
- Certificate Revocation
- OCSP Check
- CA Server status
- Export CA Certs: ise-pan1/admin# application configure ise
- Import of CA Certs: ise-pan1/admin# application configure ise
BYOD-NSP TLS-template
TLS-template
BRKSEC-3697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Certificate Authority
Certificate Template(s)
Define Internal or
External CA
TLS-template
Set the Key Sizes
SAN Field Options:
MAC Address
No Free-Form Adds..
Set length of validity
BRKSEC-3697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Certificate Authority
BRKSEC-3697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
Certificate Authority
BRKSEC-3697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Certificate Authority
BRKSEC-3697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
BYOD in Practice
BYOD
Java-Less Provisioning: downloads as DMG; double-click to run the app.
BYOD
Native Supplicant Provisioning (iOS use-case), for your reference
Figure: PSN device provisioning. CSR sent to ISE, SCEP to MS Cert Authority, Access-Accept, RUN state.
BYOD
NSP (Android use-case), for your reference
Parties: Employee, Wireless Controller, ISE / SCEP Proxy, CA / SCEP Server, Google Play.
1. Employee joins SSID = BYOD-Open. Access-Request; ISE returns CWA Redirect with Redirect ACL = CWA. Session state: CENTRAL_WEB_AUTH.
2. User opens browser; redirect to ISE for CWA; CWA login; CWA login successful, redirect to NSP Portal.
3. User clicks Register: Device Registration (RegisteredDevice). CoA to WLC, new Access-Request; ISE returns NSP Redirect with Redirect ACL = ALLOW_GOOGLE. Session state: SUPPLICANT_PROVISIONING.
4. Browser redirected to http://play.google.com (Session:DeviceOS=Android). Download the Supplicant Provisioning Wizard (SPW) app from the Google Playstore; user installs the application and launches it.
5. App sends a request to http://DFG/auth/discovery; redirect discovery to ISE. ISE sends the Device BYOD_Profile to the Android device.
6. Device provisioning: CSR sent to ISE; SCEP to the MS Cert Authority; user cert issued and sent to ISE; ISE sends the User Certificate to the Android device (CN = Employee, SAN = 00-0a-95-7f-de-06).
7. Device connects to SSID = CTS-CORP using EAP-TLS; Access-Accept; RUN state.
Sample WLC ACL ALLOW_GOOGLE:
permit udp any any dns
permit tcp any <ISE_PSN>
deny ip any <internal_network>
permit tcp any 74.125.0.0 255.255.0.0
permit tcp any 173.194.0.0 255.255.0.0
permit tcp any 206.111.0.0 255.255.0.0
deny ip any any
BYOD
AuthZ Policy: AuthZ Result = Redirect to NSP Portal. Client Provisioning Policies for OS Type: NSA APP or iOS OTA Process (next slide).
BYOD
Native Supplicant Profile: SCEP Certificate Provisioning & Native Supplicant Profile
New: Windows & iOS Settings in NSP (TLS-Profile, certificate template TLS-template)
BYOD
Renewing Certificates (ISE 1.2.1)
Before Expiry: iOS, Android, Windows, Mac OSX
After Expiry: iOS, Android, Windows (supplicant will not use an expired cert), Mac OSX
The Opposite of BYOD:
How to differentiate corporate provisioned devices?
Corporate versus Personal Assets: provide differentiated access for IT-managed systems.
Flowchart (Start Here): decision nodes Employee?, Registered?, Device_Corp profile?; outcomes Access-Reject, Guest, BYOD Workstation, BYOD-Device.
Multiple probes or probe attributes can produce the required attribute values, e.g. relaying DHCP to ISE as well as to the DHCP server:
interface Vlan20
 ip helper-address @IP DHCP server
 ip helper-address @IP_ISE
BYOD
Custom Profile: Workstation_Corp
- Duplicate the Workstation profile
- Add a rule to match any (OR) of these conditions against mycompany.com: DNS FQDN, DHCP client-fqdn, DHCP domain-name
- Increase CF by 20
- Minimum CF = 30
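Added example (not Cisco's or ISE's code) modelling how the Workstation_Corp certainty-factor (CF) rule separates a corporate build from a personal machine; the attribute names, the parent Workstation rule and its CF, the scoring model (child score = parent score + own matched rules) and the sample endpoints are constructed assumptions.

```python
# Added example for this deck (not Cisco's or ISE's code): a small model of
# how the ISE profiler's certainty factor (CF) lets a Workstation_Corp child
# profile separate corporate builds from personal machines. Attribute names
# (FQDN, client-fqdn, domain-name, dhcp-class-identifier), the parent rule
# and its CF value, and the sample endpoints are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

CORP_DOMAIN = "mycompany.com"


def in_corp_domain(value: str) -> bool:
    """True for mycompany.com itself or any host/subdomain beneath it.

    Label-boundary check: 'lt-1.mycompany.com.evil.net' must not match."""
    v = value.lower().rstrip(".")
    return v == CORP_DOMAIN or v.endswith("." + CORP_DOMAIN)


@dataclass
class Rule:
    attributes: list[str]                 # any (OR) of these attributes ...
    predicate: Callable[[str], bool]      # ... satisfying this predicate
    cf: int                               # adds this much certainty

    def matches(self, endpoint: dict[str, str]) -> bool:
        return any(a in endpoint and self.predicate(endpoint[a]) for a in self.attributes)


@dataclass
class Policy:
    name: str
    min_cf: int
    rules: list[Rule]
    parent: Policy | None = None

    def score(self, endpoint: dict[str, str]) -> int:
        """Assumed model: a child's score is its parent's score plus its own
        matched rules, which is how +20 on top of Workstation reaches 30."""
        base = self.parent.score(endpoint) if self.parent else 0
        return base + sum(r.cf for r in self.rules if r.matches(endpoint))

    def matches(self, endpoint: dict[str, str]) -> bool:
        return self.score(endpoint) >= self.min_cf


# Constructed parent: Windows workstations identified by the DHCP class id.
WORKSTATION = Policy("Workstation", min_cf=10, rules=[
    Rule(["dhcp-class-identifier"], lambda v: "MSFT" in v, cf=10),
])
# The slide's custom profile: duplicate Workstation, add an OR rule over the
# three name attributes against mycompany.com, +20 CF, minimum CF 30.
WORKSTATION_CORP = Policy("Workstation_Corp", min_cf=30, parent=WORKSTATION, rules=[
    Rule(["FQDN", "client-fqdn", "domain-name"], in_corp_domain, cf=20),
])


def classify(endpoint: dict[str, str]) -> str:
    """Most specific matching profile wins; Unknown if nothing reaches its min CF."""
    for policy in (WORKSTATION_CORP, WORKSTATION):
        if policy.matches(endpoint):
            return policy.name
    return "Unknown"


# Constructed probe data for four endpoints
CORP_LAPTOP = {"dhcp-class-identifier": "MSFT 5.0",
               "client-fqdn": "lt-0042.mycompany.com"}
PERSONAL_WIN = {"dhcp-class-identifier": "MSFT 5.0",
                "client-fqdn": "davids-laptop.home"}
LOOKALIKE = {"dhcp-class-identifier": "MSFT 5.0",
             "FQDN": "lt-0042.mycompany.com.evil.net"}
DOMAIN_ONLY = {"dhcp-class-identifier": "MSFT 5.0",
               "domain-name": "mycompany.com"}

if __name__ == "__main__":
    for name, ep in [("corp", CORP_LAPTOP), ("personal", PERSONAL_WIN),
                     ("lookalike", LOOKALIKE), ("domain-only", DOMAIN_ONLY)]:
        print(f"{name:12s} CF={WORKSTATION_CORP.score(ep):2d} -> {classify(ep)}")
```

The profile is a convenience signal, not an authentication: the name attributes come from the endpoint's own DHCP/DNS data, which is why the slides pair it with the optional checks and certificate-based identification that follow.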
BYOD
Reference: http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
BYOD
Optional checks:
- Files unique to the corporate image
- Applications/services specific to the organisation's SOE (SOE = Standard Operating Environment)
BYOD
Client Identity Certificates, for your reference
Server: Windows CA Server > MMC > Certificate Templates: the template does not allow the private key to be exported.
Client: Windows Client > User Certificate Store: if you attempt to export the certificate, you are not given the option to export the private key (required for import into another client).
BYOD
Machine authentication flow, NAD (switchport) -> PSN:
- RADIUS Access-Request [EAP-ID=CorpXP-1]; Matched Rule = MachineAuth
- RADIUS Access-Accept [cisco-av-pair] = dACL=Permit-All
BYOD
EAP Chaining with AnyConnect 3.1.1 and ISE 1.1.1
Authorization rules: IP Phones: if Cisco-IP-Phone then Cisco_IP_Phone; Employee & Machine: if Network Access:EAPChainingResult = User and machine succeeded then Employee
Machine phase, NAD (switchport) -> PSN:
- EAPoL Start; RADIUS Access-Request [EAP-Tunnel = FAST]
- EAP-Request:TLV [EAP-TLV = Machine] / RADIUS Access-Challenge
- EAP-Response TLV = Machine [EAP-ID=Corp-Win7-1] / RADIUS Access-Request [EAP-TLV = Machine]
- ISE issues the Machine AuthZ PAC
- RADIUS Access-Accept; EAP Success
User phase, same session, PAC presented:
- EAPoL Start; RADIUS Access-Request [EAP-Tunnel = FAST], PAC
- EAP-Request:TLV [EAP-TLV = Machine] / RADIUS Access-Challenge
- EAP-Response TLV = User [EAP-ID=Employee1] / RADIUS Access-Request [EAP-TLV = User], PAC
- RADIUS Access-Accept; EAP Success
BYOD
Figure: Mobile Device w/ Certificate.
802.1X and CWA Chaining
Rule (Rule Name / Conditions / Permissions): CN=employee1 || Cert is Valid
NAD (switchport) -> PSN. After the certificate login, the user logs in to CWA as BobSmith (password xxxxxxxxx).
Session Data: User Identity = employee1; User Group = employees; CWA Identity = BobSmith; CWA Group = employees.
RADIUS CoA [AVP:reauth]; EAP-ID Req; Access-Granted.
BYOD
CoA, then Final Authorization.
Non-Cisco NAD Integration
Deployment
Why?
Security! Before this, malicious users would be able to put a MAC address into the username & password fields of WebAuth (or, on non-Cisco switches, even in the supplicant identity).
Deployment
Figure: Internal IDs, a mix of Users & Endpoints (11:22:33:44:55:66): Users = MAB, Endpoints = MAC.
Deny non-matches.
Dictionaries for FreeRADIUS will work.
BYOD Onboarding for 3rd Party NADs
Deployment: Using a Cisco Catalyst Switch as Inline PEP
Caution: each switch will vary in its resource limits that impact scaling. In general, limit endpoint sessions per port to a few.
1. Join the Open SSID on the 3rd Party NAD. The Catalyst port (configured as access port + multi-auth) performs MAB: RADIUS Access-Request [USER=1122.3344.5566]; RADIUS Access-Accept [cisco-av-pair] = url-redirect.
2. Browse: HTTP request, redirection to the PSN.
3. WebAuth (CWA): submit credentials.
4. GUEST: CoA; Guest Access Granted.
4. NSP: Native Supplicant Provisioning process.
5. Join Corp SSID: 802.1X devices are authorized to access.
Deployment
Details on 3rd party on-boarding process, for your reference:
interface X
 description For 3rd Party OnBoarding
 switchport access vlan 41
 switchport mode access
 switchport voice vlan 99
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 2274
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 ! To authenticate virtually unlimited endpoints
 authentication open
 ! Since 99.9999% MAB, try MAB first
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Will clear the mac-address after 5 minutes
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 spanning-tree portfast
 ! Enables provisioning from the CWA flow
 ip dhcp snooping information option allow-untrusted
end
Deployment
Open WLAN
Deployment
Inline Posture Node (IPN): a special ISE node deployed behind a RADIUS NAD for POSTURE ONLY!
Examples: VPN; posture behind 3rd-party access devices (wireless and wired).
The IPN provides key functions to support third-party NADs:
- RADIUS Proxy
- URL Redirection for Client Provisioning, Discovery, and Posture Assessment
- dACLs for traffic enforcement
- CoA to apply a new access policy after a posture state change
Figure: User -> AP -> third-party Wireless Controller -> ISE Inline Posture Node (eth1/eth0) -> L3 Switch -> Policy Services. 1) 802.1X auth for the WLC; 2) Auth/Posture for the Inline Posture Node.
ISE in a Security EcoSystem
Using ISE in a Security EcoSystem
Figure: Endpoints (Mobile, Guest, Bad USB) -> Access -> Distribution -> Edge (Branch, Campus, Provider, Internet, Data Center); ISE shares context with Lancope StealthWatch (NetFlow) over EPS / pxGrid.
SourceFire Nation Remediation Plugins
https://supportforums.cisco.com/community/12226126/sourcefire-api#quicktabs-community_activity=1
Add the Remediation Module to FireSIGHT
FireSIGHT to ISE Remediation Explained
- The Remediation API supports programmatic responses to Correlation Rules in the FireSIGHT Management Center
- The ISE Remediation Module is uploaded to the FireSIGHT Management Center
- The user defines rules on one or more triggering conditions, e.g. malware, IPS, connection, application events etc.
- Multiple actions can be configured to initiate different responses from ISE
- Quarantining or disconnecting the user are among the possible actions
Module download here: ISE 1.2 Rem Module
Splunk ISE App
http://apps.splunk.com/app/1589
Lancope StealthWatch
ISE Monitor Mode (Open Mode, Multi-Auth): unobstructed access; no impact on productivity; profiling, posture assessment; gain visibility.
StealthWatch Management Console (fed by ISE syslog): maintain historical session table; correlate NetFlow to username; build user-centric reports.
Serviceability: ISE 1.3
Tree View: AuthC Protocols, Identity Store
Debug Endpoint:
- Creates a debug file of all activity for all services related to that specific endpoint
- Executes and is stored per PSN
- Can be downloaded as separate files per PSN, or merged as a single file
Quick link to Export Page; exports as XML.
Virtual appliance OVA sizing:
- ISE-1.3.x.x-Virtual-SNS-3415.ova: 4 CPU cores, 16 GB RAM, 600 GB disk, 4 NICs
- ISE-1.3.x.x-Virtual-SNS-3495.ova: 8 CPU cores, 32 GB RAM, 600 GB disk, 4 NICs
Policy Tips & Tricks
Combining AND & OR: cannot mix?? Use the Advanced Editor; Simple Conditions.
Staged Deployments
Phased Deployments
Default: If no matches, then Deny Access
NAD (switchport) -> PSN: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]; Matched Rule = Default; RADIUS Access-Reject
(No supplicant; MAC address is unknown; continue to AuthZ table)
Phased Deployments
Default: If no matches, then WEBAUTH
NAD (switchport) -> PSN: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]; Matched Rule = Default; RADIUS Access-Accept [AVP:url-redirect, dacl]
(No supplicant; MAC address is unknown; continue to AuthZ table)
Phased Deployments
Create a Network Device Group for all switches that will use Low-Impact.
Authentication Policy / Authorization Policy (for your reference)
Phased Deployments
C3750X(config-if)#mab ?
  eap  Use EAP authentication for MAC Auth Bypass
  <cr>
C3750X(config-if)#mab eap
C3750X(config-if)#description Conference Room B
Available with ISE 1.1+ (*6500 added support in SXJ4)
Phased Deployments
Note: best practice is to never modify default objects.
Phased Deployments
Default: If no matches, then Deny Access
NAD (switchport) -> PSN: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]; Matched Rule = Conf_Rooms; RADIUS Access-Accept [AVP:url-redirect, dacl]
(No supplicant; MAC address is unknown; continue to AuthZ table)
All other switches will still be in Monitor Mode!
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete the Overall Event Survey + 5 Session Evaluations:
- Directly from your mobile device on the Cisco Live Mobile App
- By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
- Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com
Recommended Reading
http://amzn.com/1587143259
Questions?
Additional Reference Slides
Agenda
Introduction
Certificates, Certificates, Certificates
BYOD Best Practices
Integrating with Cisco and Non-Cisco
Multi-Join Active Directory
Serviceability & Troubleshooting
Staged Deployments (Time Permitting)
Conclusion
Multi-Join AD Connector
Multi-AD
- Domain Diagnostic: a new utility that can be run either prior to joining a domain or after joining it, to determine whether there are any environmental issues related to the domain.
- Test Authentication: allows an authentication for a specific user to be directed to a specific node and returns the results together with authorization-related information such as groups and attributes.
- Username Lookup: lets the administrator look up all group memberships and attributes of a user from AD without requiring the user's password. Similar to the authorization-only test in the ASA.
- SID Based Group Mapping: group-related policy functionality is modified so that it is based on the SIDs (Security Identifiers) of the groups and not simply the textual group name, as was done previously. This has significant performance advantages.
Key Terminology
[Diagram: AD Instance vs. Scope. Node ise1.na.cisco.com is joined to the emea.cisco.com, emerging.cisco.com and na.cisco.com domains.]
- The same ISE node can connect to the same AD multiple times as long as the domain is different.
- Here we have the ise1 node also joined to the na.cisco.com domain.
Multi-AD
Terminology Continued
[Diagram: AD instances acs.com and its sub-domains (amer.acs.com, brazil.south.amer.acs.com, oceania.acs.com, australia.oceania.acs.com, canberra.australia.oceania.acs.com) plus Company-B.com, Company-C.com, Company-D.com and Company-E.com; the scopes shown are Scope A and All AD.]
AD Authentication Flow
[Diagram: the AuthC policy reaches the target AD through Identity Rewrite (optional), Scope (optional), AD Domain List (optional) and AD Instance.]
Multi-AD
Authentication Policy
An individual AD instance can be selected.
Multi-AD
- ISE installs in single-scope mode, where all AD instances are part of a single scope.
- Adding a scope enables multi-scope mode and moves all of the AD instances into an automatically created Default_Scope.
- You may always delete all other scopes and return to single-scope mode.
Multi-AD
DNS Requirement
- DNS should be able to resolve AD nodes both forward and reverse.
- Note: for Kerberos referrals to work properly, it is usually necessary to make sure the DNS server can resolve (both forward and backward) the machine names for ISE, i.e. DNS records should be created for these ISE-generated machine accounts.
- DNS should be able to resolve the A and SRV records of all AD servers consistently.
Multi-AD
The OU can be specified during the domain join process.
Multi-AD
1. Acts like any other AD-joined PC, and follows that process much more closely than ever before.
2. Leverages AD Sites & Services to select the best DC.
3. Sends CLDAP ping requests to domain controllers according to the priorities in the SRV record and processes only the first response, if any. Note: the CLDAP response contains the DC site and the Client site (i.e. the site to which the ISE machine is assigned).
4. If the DC site and the Client site are the same, then the response originator (i.e. the DC) is selected.
5. If the DC site and the Client site are not the same, then the AD Connector performs a DNS SRV query scoped to the discovered Client site, gets the list of domain controllers serving the client site, sends CLDAP ping requests to these domain controllers and processes only the first response, if any. The response originator (i.e. the DC) is selected. Note: if no DC serves the client's site, or no DC is currently available in the site, then the DC detected in #2 is selected.
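The site-aware DC selection of steps 3 to 5, as an added example that is not Cisco's or ISE's code: the SRV table and CLDAP replies are constructed stand-ins so it runs offline, the SRV names follow the standard _ldap._tcp.dc._msdcs.<domain> and _ldap._tcp.<site>._sites.dc._msdcs.<domain> layout, and the DC, site and domain names are made up.

```python
from typing import Optional

# Constructed SRV data (not a real zone): name -> [(priority, weight, target)]
SRV = {
    "_ldap._tcp.dc._msdcs.acs.com": [(10, 100, "dc-hq.acs.com"),
                                     (0, 100, "dc-br.acs.com")],
    "_ldap._tcp.Sydney._sites.dc._msdcs.acs.com": [(0, 100, "dc-syd.acs.com")],
    "_ldap._tcp.dc._msdcs.company-c.com": [(0, 100, "dc1.company-c.com")],
    # company-c.com has no site-scoped record, so step 5 must fall back
}
# Constructed CLDAP answers: dc -> (dc_site, client_site); absent = no reply
CLDAP = {
    "dc-br.acs.com": ("Brazil", "Sydney"),
    "dc-hq.acs.com": ("HQ", "Sydney"),
    "dc-syd.acs.com": ("Sydney", "Sydney"),
    "dc1.company-c.com": ("Paris", "Sydney"),
}

def srv_lookup(name: str) -> list:
    """SRV targets ordered by priority (lowest first), then by higher weight."""
    return [t for _, _, t in sorted(SRV.get(name, []), key=lambda r: (r[0], -r[1]))]

def cldap_ping(dcs: list) -> Optional[tuple]:
    """Ping DCs in SRV order; keep only the first (dc, dc_site, client_site) reply."""
    for dc in dcs:
        if dc in CLDAP:
            return (dc,) + CLDAP[dc]
    return None

def select_dc(domain: str) -> Optional[str]:
    """Steps 3-5: domain-wide ping, then a site-scoped retry if the DC is remote."""
    first = cldap_ping(srv_lookup(f"_ldap._tcp.dc._msdcs.{domain}"))
    if first is None:
        return None                      # nothing answered: no DC to select
    dc, dc_site, client_site = first
    if dc_site == client_site:
        return dc                        # step 4: first responder is local
    # step 5: SRV query scoped to the client's site, ping those DCs instead
    local = cldap_ping(srv_lookup(f"_ldap._tcp.{client_site}._sites.dc._msdcs.{domain}"))
    return local[0] if local else dc     # no local DC: keep the first responder
```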
Multi-AD
The default setting is not to use the domain list (i.e. All).
Multi-AD
Authentication Domains
- This is a white-list of AD domains that ISE should use.
Multi-AD
Identity Rewrite
Multi-AD
Test Authentication
Can run from scope level.
Multi-AD
Domain Diagnostics
Can run from scope level.
Multi-AD
You can have a mix of TLS certs with the identity in different X.509 fields; ISE will figure it out.
Even if usernames are ambiguous, say two johnsmith accounts from an acquisition, if the client certs are in AD it will auto-magically use them to rule out the ambiguity.
Multi-AD
SAM Names:
- If the identity is a SAM name (a username or machine name without any domain markup), we search the forest of each join point (once) looking for the identity. If there is one (unique) match, we determine its domain / unique name and continue the AAA flow.
- If the SAM name is not unique and we are using a password-less protocol like EAP-TLS, we have no other criteria to locate the right user, so we fail with an Ambiguous Identity error.
- If we are using a password-based protocol like (EAP-)PAP/MSCHAP, then we continue to check the passwords. If there is only one account with the supplied password, we have a unique match and can continue the AAA flow. However, if there is more than one account with the same password, we fail with an Ambiguous Identity error.
Multi-AD
Avoiding Issues
- The customer should be encouraged to use UPNs or FQDN host identities if they hit ambiguity errors frequently. In some cases, it will be the only way to resolve their issue. In others, it may be sufficient to guarantee that users have unique passwords and the hunting algorithm will work, although it will be more efficient and lead to fewer password lockout issues if unique identities are used in the first place.
Multi-AD
Uniqueness Enforcement
- Unqualified identities can result in non-unique user or machine identities, which would lead to potentially incorrect policy being returned if we do not catch them. Therefore, we must verify whether an identity is unique and, if it is not, the authentication must fail with an ambiguous username error.
- This has performance implications because we need to search each of our join points' forests for a possible match to the unqualified identity. Therefore, customers should be encouraged to use qualified identities in the first place to avoid the performance hit.
- A secondary issue is what happens if a domain is unavailable while we are resolving an ambiguous username. We cannot know for certain whether the identity is unique (it could exist in the domain that's unavailable).
- If SAM names must be used, the Authentication Domains feature should be used to define the account domains that really matter. This limits the search scope to just those domains and ignores errors from domains outside of the Authentication Domains list.
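The SAM-name hunting and uniqueness rules above, together with the Authentication Domains white-list, as an added example that is not ISE's code: the forest contents, domain names and passwords are constructed, and treating an unreachable domain as an ambiguity failure is this example's own conservative choice, not something the slides specify.

```python
import re

# Constructed forest view: domain -> {sAMAccountName: password}; None = unreachable
FOREST = {
    "na.acs.com":    {"johnsmith": "Pa55-na", "machine$": "k3y"},
    "emea.acs.com":  {"johnsmith": "Pa55-emea"},
    "company-b.com": None,             # unavailable domain (the slide's secondary issue)
}

class AmbiguousIdentity(Exception):
    """Raised where ISE would return its Ambiguous Identity error."""

def is_qualified(identity: str) -> bool:
    """UPN (user@suffix), NetBIOS prefix (DOMAIN\\user) and host/fqdn carry domain markup."""
    return bool(re.fullmatch(r"[^@\\/]+@[^@\\]+|[^\\]+\\[^\\]+|host/[^.]+\..+", identity))

def hunt(identity: str, password=None, auth_domains=None) -> str:
    """Resolve an identity to 'name@domain'; raise AmbiguousIdentity if not unique."""
    if is_qualified(identity):
        return identity                # domain markup present: no forest search needed
    # Authentication Domains white-list: domains outside it are never searched,
    # so their errors cannot affect the result
    domains = [d for d in FOREST if auth_domains is None or d in auth_domains]
    matches, unavailable = [], []
    for domain in domains:
        accounts = FOREST[domain]
        if accounts is None:
            unavailable.append(domain)  # cannot rule this domain in or out
        elif identity in accounts:
            matches.append((domain, accounts[identity]))
    if password is None:
        # password-less protocol such as EAP-TLS: the name alone must be unique
        hits = [d for d, _ in matches]
    else:
        # password-based protocol: the {username, password} pair must be unique
        hits = [d for d, pw in matches if pw == password]
    if len(hits) == 1 and not unavailable:
        return f"{identity}@{hits[0]}"
    raise AmbiguousIdentity(f"{identity}: {len(hits)} match(es), unavailable={unavailable}")
```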
Multi-AD
Should only be performed under TAC supervision!!!!
Multi-AD
Caveats (For Your Reference)
- When using UPN usernames, the UPN suffix or AD domain suffix must be unique.
- When using a NetBIOS domain prefix in identities, the NetBIOS domain must be unique.
- When using machine authentication with a fully qualified machine name, e.g. host/machine.domain.com, the DNS domain (domain.com) must be unique.
- If not using any domain markup in identities, i.e. using SAM names, they should be unique to improve performance. They must be unique if using password-less protocols such as EAP-TLS. The {username, password} combination must be unique if using a password-based protocol.
- The DNS names (forward lookup, such as A and SRV records) of Active Directory servers must be unique and lead to consistent results.
- The IP addresses (reverse lookup) of servers used by the AD connector must be unique and lead to consistent results.
Multi-AD
Alternative UPN - example: chyps@alt.upn
SAM name - examples: chyps and machine$