Demystifying TrustSec,
Identity, NAC and ISE

         Hosuk Won, TrustSec TME
         howon@cisco.com
         Secure Access & Mobility Product Group




                                                  #CiscoPlus
Session Abstract

• This session is a technical breakout that will help demystify
  the technology behind the Cisco TrustSec System,
  including the Identity Services Engine.
• We will build use cases to introduce, compare, and contrast
  different access control features and solutions, and discuss
  how they are used within the TrustSec System.
• The technologies that will be covered include user & device
  authorization, 802.1X, profiling technology, supplicants,
  certificates/PKI, posture, CoA, RADIUS, EAP, guest
  access, Security Group Access (SGA), and 802.1AE
  (MACsec).
• All of the technologies will be discussed in relation to
  Cisco's Identity Services Engine

Session Objectives
    At the end of the session, you should understand:

    • The many parts and pieces that make up Cisco's TrustSec
      Solution
    • How 802.1X and SGA work
    • The benefits of deploying TrustSec
    • The different deployment scenarios that are possible

    You should also:

    • Provide us with feedback!
    • Attend related sessions that interest you
    • Have a nice glossary of terms at your disposal

Cisco's Trusted Security (TrustSec)

What is TrustSec
• Yes, it can be confusing

  • Think of it as "Next-Generation NAC"
  • TrustSec is a system approach to access control, built from:
     IEEE 802.1X (Dot1x)
     Profiling technologies
     Guest services
     Security Group Access (SGA)
     MACsec (802.1AE)
     Identity Services Engine (ISE)
     Access Control Server (ACS)

So, TrustSec = Identity, Right?

  • Yes, but it refers to an identity system (or solution)
     Policy servers are only as good as the enforcement devices
         (switches, WLCs, firewalls, etc.)
  • But what is "Identity"?
     • Understanding the Who / What / Where / When & How of a user
       or device's access to a network.

Why Identity Is Important

     1  Who are you?
        802.1X (or a supplementary method) authenticates the user
        -> Keep the outsiders out

     2  Where can you go?
        Based on authentication, the user is placed in the correct VLAN
        -> Keep the insiders honest

     3  What service level do you receive?
        The user can be given per-user services (ACLs, macros, SGA)
        -> Personalize the network

     4  What are you doing?
        The user's identity and location can be used for tracking and accounting
        -> Increase network visibility

What Is Authentication?

    • Authentication is the process of establishing and
      confirming the identity of a client requesting services


                       I’d Like to Withdraw $200.00 Please.

                              Do You Have Identification?

                                 Yes, I Do. Here It Is.




    An Authentication System Is Only as Strong as the Method of Verification Used




What Is Authorization?
    • Authorization is the process of granting a level of access to the
      network
                       I’d Like to Withdraw $200.00 Please.

                              Do You Have Identification?

                                 Yes, I Do. Here It Is.

                           Thank You. Here is your money.




The Business Case


Business Case

   • Throughout the presentation, we will refer to a business
     case, one that will continue to evolve:
      Company: Retailer-X
      Problem Definition:
          The company stores credit card data from all sales transactions.
          As with all companies, vendors & guests are constantly visiting
          Retailer-X to pitch new products to be sold, or even to sell network,
          security & collaboration equipment to Retailer-X.
          The company must ensure that only Retailer-X employees are gaining
          access to the network.
      Solution: Identity with 802.1X

Default Port State without 802.1X

         No authentication required
           No visibility
           No access control

         [Diagram: an unknown user (?) plugged into a switchport; the switch
         forwards traffic without knowing who or what is connected]

Default Security with 802.1X

            Before Authentication

            No visibility (yet)
            Strict access control
              One physical port -> two virtual ports
                Uncontrolled port (EAPoL only)
                Controlled port (everything else)

            [Diagram: unknown user (?) on a switchport]

            ALL traffic except EAPoL is dropped

Default Security with 802.1X

                       After Authentication

                      User/Device is known
                      Identity-based access control
                            • Single MAC per port

   Authenticated User: Sally
   Authenticated Machine: XP-ssales-45

   Looks the same as without 802.1X: unless you apply an authorization,
   access is wide open once authentication succeeds. We will discuss
   restricting access at a later time.

Revisit: Business Case

   • Company: Retailer-X
   • Problem Definition:
      The company stores credit card data from all sales transactions.
          As with most companies, vendors & guests are constantly visiting Retailer-X
          to pitch new products to be sold, or even to sell network, security &
          collaboration equipment to Retailer-X.
      The company must ensure that only Retailer-X employees are gaining
      access to the network.
   • Solution: Identity with 802.1X

Revisit: Business Case
   •   Did we meet the business case? YES!
   •   But what was missing?
   •   What lessons have we learned?
        We called Dot1x an "access prevention" technology




What Happened? What Went Wrong?
     @ Retailer-X, BEFORE Monitor Mode is available ...

     IT Mgr.: "I've done my homework in the Proof of Concept lab and it
               looks good. I'm turning on 802.1X tomorrow..."
               -> Enabled 802.1X

     User:    "I can't connect to my network. It says Authentication failed
               but I don't know how to fix it. My presentation is in 2 hours..."

     Help desk calls increased by 40%

What was missing?
 • What lessons were learned?
   • Access-Prevention Technology
      A Monitor Mode is necessary
      Must have ways to implement & see who would succeed & who would fail
          Determine why, and then remediate before taking Dot1x into a stronger enforcement
          mode.
   • Solution = Phased Approach to Deployment:
      Monitor Mode
      Authenticated Mode
      Enforcement Mode
          -or-
      Closed Mode




Monitor Mode
  A process, not just a mode.

     Interface Config
       interface GigabitEthernet1/0/1
        authentication host-mode multi-auth
        authentication open
        authentication port-control auto
        mab
        dot1x pae authenticator

     (Global prerequisites such as aaa new-model, aaa authentication dot1x
     default group radius, dot1x system-auth-control and the RADIUS server
     definition are not shown on these slides.)

  • Enables 802.1X authentication on the switch
  • But: even a failed authentication will gain access, because
    "authentication open" leaves the controlled port forwarding
  • Allows network admins to see who would have failed, and fix it,
    before causing a denial of service

  Pre-AuthC:  DHCP, TFTP, KRB5, HTTP, EAPoL ... Permit All
  Post-AuthC: DHCP, TFTP, KRB5, HTTP, EAPoL ... Permit All
              (traffic always allowed)

Authenticated Mode
  If authentication is valid, then full access!

     Interface Config
       interface GigabitEthernet1/0/1
        authentication host-mode multi-auth
        authentication open
        authentication port-control auto
        mab
        dot1x pae authenticator
        ip access-group default-ACL in

  • Monitor Mode + ACL to limit traffic flow
  • AuthC success = full access
    (the static port ACL stays in effect after authentication; the RADIUS
    server must return a dACL, e.g. "permit ip any any", to open the port)
  • Failed AuthC would only be able to communicate with certain services
    (whatever default-ACL permits; the diagram shows DHCP, TFTP, KRB5 and HTTP)
  • WebAuth for non-authenticated

  Pre-AuthC:  DHCP, TFTP, KRB5, HTTP, EAPoL ... Permit Some
  Post-AuthC: DHCP, TFTP, KRB5, HTTP, EAPoL ... Permit All

Enforcement Mode
   If authentication is valid, then specific access!

     Interface Config (same as Authenticated Mode)
       interface GigabitEthernet1/0/1
        authentication host-mode multi-auth
        authentication open
        authentication port-control auto
        mab
        dot1x pae authenticator
        ip access-group default-ACL in

  • AuthC success = role-specific access
     • dVLAN assignment / dACLs specific to the role
     • Security Group Access (SGT)
  • Still allows pre-AuthC access for thin clients, PXE, etc.
  • WebAuth for non-authenticated

  Pre-AuthC:  DHCP, TFTP, KRB5, HTTP, EAPoL ... Permit Some
  Post-AuthC: DHCP, RDP, KRB5, HTTP, EAPoL ... Role-Based ACL / SGT

Closed Mode
   No access prior to login, then specific access!

     Interface Config
       interface GigabitEthernet1/0/1
        authentication host-mode multi-auth
        authentication port-control auto
        mab
        dot1x pae authenticator

  • Default 802.1X behavior (no "authentication open", no pre-auth ACL)
  • No access at all prior to AuthC
  • Still use all AuthZ enforcement types
     • dACL, dVLAN, SGA
  • Must take considerations for thin clients & PXE, etc.
    (nothing but EAPoL passes until authentication completes, so anything
    that needs DHCP or TFTP before it can authenticate will fail here)

  Pre-AuthC:  only EAPoL permitted (DHCP, TFTP, KRB5, HTTP dropped)
  Post-AuthC: DHCP, TFTP, KRB5, HTTP, EAPoL ... Permit All
              - or - Role-Based ACL / SGT
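To make the difference between the four modes concrete, here is an added example (not Cisco code and not from the slides) that models what the switch does with a frame arriving on the port in each mode, before and after authentication: the uncontrolled port always passes EAPoL, the controlled port is gated by the mode, the static port ACL, and any dACL returned at authorization. The ACL syntax is a small subset of IOS extended-ACL syntax; the ACL entries, packet fields and addresses (10.1.20.5 as a VDI host, 10.1.30.7 as a web server) are constructed for the example. The same evaluator applies to the quarantine dACL used later in the posture flow.

```python
"""Model of an IEEE 802.1X-controlled switchport in the four deployment modes.

Added example, not Cisco code. ACL syntax is a small subset of IOS extended
ACLs ('permit|deny <proto> any <any|host A.B.C.D> [eq PORT]'); the packets,
addresses and ACL entries below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_EAPOL = 0x888E   # IEEE 802.1X EAP over LAN; the only thing the
                           # uncontrolled port ever carries
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Packet:
    ethertype: int
    proto: str = ""            # "udp" / "tcp"; empty for non-IP frames
    dst: str = ""
    dport: int = 0


@dataclass
class Port:
    mode: str                  # "monitor" | "authenticated" | "enforcement" | "closed"
    pre_auth_acl: List[str] = field(default_factory=list)  # 'ip access-group ... in'
    authenticated: bool = False
    dacl: Optional[List[str]] = None   # downloadable ACL returned by RADIUS at AuthZ


def acl_permits(acl: List[str], pkt: Packet) -> bool:
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for entry in acl:
        tok = entry.split()
        action, proto, rest = tok[0], tok[1], tok[3:]   # tok[2] is the 'any' source
        if proto != "ip" and proto != pkt.proto:
            continue
        if rest[0] == "host":
            if rest[1] != pkt.dst:
                continue
            rest = rest[2:]
        else:
            rest = rest[1:]
        if rest and rest[0] == "eq" and int(rest[1]) != pkt.dport:
            continue
        return action == "permit"
    return False


def forwards(port: Port, pkt: Packet) -> bool:
    """Does the switch forward pkt arriving on this port?"""
    if pkt.ethertype == ETHERTYPE_EAPOL:
        return True                         # uncontrolled port: always open
    if not port.authenticated:              # controlled port, pre-AuthC
        if port.mode == "closed":
            return False                    # default 802.1X: drop everything else
        if port.mode == "monitor":
            return True                     # 'authentication open', no port ACL
        return acl_permits(port.pre_auth_acl, pkt)   # open + default-ACL
    if port.dacl is not None:               # post-AuthC: dACL replaces the port ACL
        return acl_permits(port.dacl, pkt)
    if port.mode in ("monitor", "closed"):
        return True
    # open mode with a static port ACL and no dACL: the static ACL still applies
    return acl_permits(port.pre_auth_acl, pkt)


# Constructed ACLs. default-ACL mirrors the services the slides show pre-AuthC.
DEFAULT_ACL = ["permit udp any any eq 67",   # DHCP
               "permit udp any any eq 69",   # TFTP (PXE)
               "permit udp any any eq 88",   # Kerberos
               "permit tcp any any eq 80"]   # HTTP (WebAuth redirect)
SALES_DACL = ["permit udp any any eq 67",
              "permit tcp any host 10.1.20.5 eq 3389",   # RDP to the VDI host only
              "deny ip any any"]
FULL_ACCESS_DACL = ["permit ip any any"]

EAPOL = Packet(ETHERTYPE_EAPOL)
DHCP = Packet(ETHERTYPE_IPV4, "udp", "255.255.255.255", 67)
HTTP = Packet(ETHERTYPE_IPV4, "tcp", "10.1.30.7", 80)
RDP = Packet(ETHERTYPE_IPV4, "tcp", "10.1.20.5", 3389)


def walk_modes():
    """For each mode return ((eapol, dhcp, http, rdp) pre-AuthC, same post-AuthC)."""
    out = {}
    for mode in ("monitor", "authenticated", "enforcement", "closed"):
        port = Port(mode, DEFAULT_ACL if mode in ("authenticated", "enforcement") else [])
        pre = tuple(forwards(port, p) for p in (EAPOL, DHCP, HTTP, RDP))
        port.authenticated = True
        port.dacl = {"authenticated": FULL_ACCESS_DACL, "enforcement": SALES_DACL}.get(mode)
        post = tuple(forwards(port, p) for p in (EAPOL, DHCP, HTTP, RDP))
        out[mode] = (pre, post)
    return out


if __name__ == "__main__":
    for mode, (pre, post) in walk_modes().items():
        print(f"{mode:14s} pre-AuthC={pre}  post-AuthC={post}")
```

Running it shows the point of the phased rollout: monitor mode forwards everything regardless of the result, authenticated and enforcement modes let DHCP/TFTP/HTTP through before AuthC but not RDP, enforcement then narrows the authenticated host to what its role dACL allows (RDP to the VDI host yes, arbitrary HTTP no), and closed mode blocks everything but EAPoL until AuthC completes.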
What was missing?
 • What lessons were learned?
   • No visibility from the supplicant
       Little to no user interaction
           User saw an "Authentication Failed" message, and that was all.
       When everything works, the user is unaware.
           But, when things stop working...
           No visibility. Just a call to the help desk.
   • Solution: 3rd-party supplicants
       Cisco's AnyConnect supplicant
           Provides a Diagnostic and Reporting Tool (DART)
           Detailed logs from the client side
           Unique hooks with RDP and VDI environments

What was missing?
   • What lessons were learned?
     • No visibility at the RADIUS server
     • Solution: ACS View -> Identity Services Engine (ISE)
       (the ACS View and ISE report screenshots on the original slides are
       not reproduced here)

What was missing?
 • What lessons were learned?
   • Non-authenticating devices
       These are devices that were forgotten
       They don't have software to talk EAP on the network
           Or, they weren't configured for it
           Printers, IP phones, cameras, badge readers
       How to work with these?
           Don't configure Dot1x on the switchport
           But, what about when it moves?

   • Solution? Do not use dot1x on ports with printers
     (struck out on the slide: an exception tied to the port is lost as soon
     as the device moves)
   • Solution: MAC Authentication Bypass (MAB)

MAC Authentication Bypass (MAB)
  • What is it?
    • A list of MAC addresses that are allowed to "skip"
      authentication
    • Is this a replacement for Dot1X?
       No way! A MAC address is trivially cloned, so MAB proves only
       that something claiming that address is on the port.
    • This is a "bandage"
       In a utopia: all devices authenticate.
    • List may be local or centralized
       Can you think of any benefits to a centralized model?

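With a centralized list, the switch does not keep the MACs itself: for every MAC it learns on a port configured with "mab" it sends a RADIUS Access-Request in which the MAC is the username and the password, and the RADIUS server decides. The following is an added example (not Cisco or ISE code) that builds such a request the way a switch would and checks it the way the server would, following the RADIUS wire format of RFC 2865 (User-Password hiding) and RFC 2869 (Message-Authenticator). It uses the IOS convention that User-Name and User-Password are both the MAC in lowercase hex with no separators and Service-Type Call-Check; the shared secret, MAC address, NAS address and the dash-separated Calling-Station-Id format are assumptions made for the example.

```python
"""RADIUS Access-Request for MAB, as a switch sends it, plus the server-side
check. Added example, not Cisco or ISE code. Wire format per RFC 2865
(User-Password hiding) and RFC 2869 (Message-Authenticator). Assumes the IOS
convention that User-Name and User-Password are both the MAC address in
lowercase hex with no separators; the shared secret, MAC, NAS address and the
dash-separated Calling-Station-Id format are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 31, 61, 80
SERVICE_TYPE_CALL_CHECK = 10    # what distinguishes a MAB request from a user login
NAS_PORT_TYPE_ETHERNET = 15


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mab_request(mac: str, secret: bytes, nas_ip: str = "10.1.1.2",
                      ident: int = 0, req_auth: bytes = None) -> bytes:
    """What the switch (NAS) sends to ISE when a port with 'mab' learns a MAC."""
    req_auth = req_auth or os.urandom(16)
    mac_hex = mac.replace(":", "").replace("-", "").lower().encode()
    dashed = "-".join(mac_hex.decode()[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = (avp(USER_NAME, mac_hex)
             + avp(USER_PASSWORD, hide_password(mac_hex, secret, req_auth))
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + avp(CALLING_STATION_ID, dashed.encode())
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, last attribute
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # HMAC-MD5 over the packet with the Message-Authenticator zeroed (RFC 2869 s5.14)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_mab_request(pkt: bytes, secret: bytes) -> dict:
    """Server side: check the Message-Authenticator, recover the password and
    decide whether this is a well-formed MAB request. Raises ValueError on a
    wrong secret or a malformed packet."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("bad RADIUS header")
    req_auth, attrs, pos, ma_pos = pkt[4:20], {}, 20, None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        if t == MESSAGE_AUTHENTICATOR:
            ma_pos = pos + 2
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    if ma_pos is None:
        raise ValueError("Message-Authenticator missing")
    zeroed = pkt[:ma_pos] + b"\x00" * 16 + pkt[ma_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, attrs[MESSAGE_AUTHENTICATOR]):
        raise ValueError("Message-Authenticator mismatch: wrong shared secret or tampered packet")
    user = attrs[USER_NAME]
    pw = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    svc = struct.unpack("!I", attrs[SERVICE_TYPE])[0]
    is_mab = svc == SERVICE_TYPE_CALL_CHECK and user == pw and len(user) == 12
    return {"mac": user.decode(), "is_mab": is_mab,
            "calling_station": attrs[CALLING_STATION_ID].decode()}
```

Two things worth noticing in the packet: the endpoint contributes nothing to it, so whoever clones the MAC gets exactly the same authorization (which is why the deck calls MAB a bandage and why profiling data is later folded into the decision); and the only integrity protection is HMAC-MD5 under the shared secret, so the RADIUS path between switch and ISE needs a strong secret and a protected management network.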
What was missing?
  • What lessons were learned?
    • Guests:
       Guests will not have configured supplicants.
           Plus: they won't be authorized for access.
       Original solution:
           Dot1x timeouts
       How this works:
           After a timeout period, the switchport is automatically put into a Guest VLAN
           which provides Internet access.

       Switch: "No supplicant has responded for 90 seconds... so just
                AuthZ the port for the GUEST VLAN"

What was missing?
  • What lessons were learned?
    • Missing or misconfigured supplicants:
       Group Policies may not have worked
       Software distribution may have missed a machine that's been off
       the network for a period of time.
          Etc.
       Dot1x timeouts would take effect
          Someone who should have been an authorized user would end up in the Guest
          network
          The help desk gets a call from an unhappy user.

       Switch: "No supplicant has responded for 90 seconds... so just
                AuthZ the port for the GUEST VLAN"

Enter: Web Authentication

    • Used to identify users without supplicants
       Mis-configured, missing altogether, etc.
    • Guest Authentication




Business Case Continues to Evolve

• Requirements:
  1. Retailer-X must ensure that only Retailer-X employees are
     gaining access to the network.
  Solution: Identity with 802.1X
  2. Authorized Non-Authenticating Devices must continue to have
     network access.
  Solution: Centralized MAB
  3. Need to Automate the building of the MAB List
  Solution: <Let’s find out>




Profiling




Profiling Technology
   • The ability to classify devices
     • Why Classify?
        Originally: identify the devices that cannot authenticate and
        automagically build the MAB list.
            i.e.: Printer = Bypass Authentication
        Today: Now we also use the profiling data as part of an
        authorization policy.
            i.e.: Authorized User + i-device = Internet Only




Profiling
     • Visibility
        [Diagram: devices discovered on the network, classified as PCs and
        non-PCs (UPS, phone, printer, AP)]

        Additional benefits of Profiling
           - Visibility: a view of what is truly on your network
                Tracking of where a device has been, what IP addresses it has had, and
                other historical data.
                An understanding of WHY the device was profiled as a particular type (what
                profile signatures were matched)

Profiling Technology
    Visibility into what is on the network
    (ISE endpoint inventory screenshot not reproduced)

Profiling Technology
  • How do we classify a device?
    • Profiling uses signatures (similar to IPS)

Profiling
   • Determining required profile attributes
     (profiler policy screenshots on the two original slides not reproduced)

Profiling
   • Best Practice Recommendations
     • HTTP probe: use URL redirects over SPAN to
       centralize collection and reduce the traffic load on the network and
       on ISE related to SPAN/RSPAN.
        Or use VACLs or other ways to filter HTTP-only traffic
     • DHCP probe:
        Use IP helpers when possible; be aware that an L3 device that itself
        serves DHCP will not relay DHCP either.
        For DHCP SPAN, make sure the probe captures traffic to the central DHCP
        server.
     • SNMP probe:
        ISE 1.1 added an SNMP probe to pull ARP tables from Cisco Layer-3
        devices. Adds benefit when DHCP is not used.

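The signature idea from the "How do we classify a device?" slide, together with the probes above, is easiest to see in code. This is an added example, not ISE code: attributes collected by several probes (the MAC OUI from RADIUS, DHCP options 60 and 55, the HTTP User-Agent) are matched against per-profile conditions, each match adds a certainty factor, and an endpoint is assigned the highest-scoring profile only if it clears a minimum certainty, with the matched conditions returned so the "why was it profiled this way" question can be answered. The OUI table, fingerprints, certainty values, threshold and sample endpoints are constructed for the example; the `authorize` function shows the two uses the slides describe (build the MAB list automatically, feed the profile into the authorization policy) with made-up policy names.

```python
"""Signature-based device profiling in the style of the profiling slides.

Added example, not ISE code. The OUI table, fingerprints, certainty values,
threshold and endpoints are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Endpoint:
    mac: str
    dhcp_class_id: str = ""      # DHCP option 60, vendor class identifier
    dhcp_param_list: str = ""    # DHCP option 55, parameter request list
    http_user_agent: str = ""    # seen via the HTTP probe (URL redirect or SPAN)


@dataclass
class Condition:
    name: str
    test: Callable[[Endpoint], bool]
    certainty: int               # how much a match adds to the profile's score


# Constructed OUI table (real deployments use the IEEE registry)
OUI = {"00:1b:63": "Apple", "00:1e:8f": "Canon", "00:50:56": "VMware"}


def oui_vendor(e: Endpoint) -> str:
    return OUI.get(e.mac.lower()[:8], "")


PROFILES: Dict[str, List[Condition]] = {
    "Apple-iDevice": [
        Condition("OUI registered to Apple", lambda e: oui_vendor(e) == "Apple", 10),
        Condition("DHCP option 55 fingerprint 1,3,6,15,119,252",
                  lambda e: e.dhcp_param_list == "1,3,6,15,119,252", 20),
        Condition("User-Agent contains iPhone/iPad",
                  lambda e: "iPhone" in e.http_user_agent or "iPad" in e.http_user_agent, 20),
    ],
    "Canon-Printer": [
        Condition("OUI registered to Canon", lambda e: oui_vendor(e) == "Canon", 10),
        Condition("DHCP class id contains 'Canon'", lambda e: "Canon" in e.dhcp_class_id, 20),
    ],
    "Windows-Workstation": [
        Condition("DHCP class id is MSFT 5.0", lambda e: e.dhcp_class_id == "MSFT 5.0", 20),
        Condition("User-Agent contains Windows NT", lambda e: "Windows NT" in e.http_user_agent, 10),
    ],
}
MIN_CERTAINTY = 20   # below this the endpoint stays Unknown (best effort, not proof)


def classify(e: Endpoint) -> Tuple[str, int, List[str]]:
    """Return (profile, certainty, matched condition names)."""
    best: Tuple[str, int, List[str]] = ("Unknown", 0, [])
    for profile, conds in PROFILES.items():
        matched = [c.name for c in conds if c.test(e)]
        score = sum(c.certainty for c in conds if c.name in matched)
        if score >= MIN_CERTAINTY and score > best[1]:
            best = (profile, score, matched)
    return best


def authorize(user_authenticated: bool, profile: str) -> str:
    """Profiling feeding authorization: auto-built MAB exception for printers,
    and 'authorized user + i-device = Internet only' (policy names made up)."""
    if profile == "Canon-Printer":
        return "MAB: printer VLAN"           # bypass 802.1X, no hand-maintained list
    if user_authenticated and profile == "Apple-iDevice":
        return "Internet only"
    if user_authenticated:
        return "Full access"
    return "WebAuth / guest"


# Constructed sample endpoints
SAMPLES = {
    "iphone": Endpoint("00:1b:63:aa:bb:cc", dhcp_param_list="1,3,6,15,119,252",
                       http_user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)"),
    "printer": Endpoint("00:1e:8f:11:22:33", dhcp_class_id="Canon iR-ADV C5030"),
    "laptop": Endpoint("00:50:56:ab:cd:ef", dhcp_class_id="MSFT 5.0",
                       http_user_agent="Mozilla/5.0 (Windows NT 6.1; WOW64)"),
    "oui_only": Endpoint("00:1b:63:00:00:01"),   # Apple OUI and nothing else
}

if __name__ == "__main__":
    for name, ep in SAMPLES.items():
        profile, score, why = classify(ep)
        print(f"{name:9s} -> {profile} ({score}) via {why}; AuthZ: {authorize(True, profile)}")
```

The `oui_only` endpoint illustrates the "best guess" limitation: an OUI alone scores below the threshold and the device stays Unknown until the DHCP or HTTP probe sees more, and conversely anything that can forge those attributes (a spoofed MAC plus a copied DHCP fingerprint) will be profiled as whatever it imitates.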
Profiling Technology
  • Limitations of Profiling
    • Best guess: profiling is based on best effort (a device that
      presents the attributes a signature looks for is profiled accordingly)
    • MAB is a filter: it was only used to determine what MAC
      addresses were allowed to "skip" authentication
        Now we also use the profiling data as part of an authorization
        policy.
        i.e.: Authorized User + i-device = Internet Only

Business Case Continues to Evolve

   • Requirements:
      1.  Retailer-X must ensure that only Retailer-X employees are gaining
          access to the network.
      Solution: Identity with 802.1X
      2. Authorized Non-Authenticating Devices must continue to have
          network access.
      Solution: Centralized MAB
      3. Need to automate the building of the MAB list
      Solution: Use profiling technology to automate the building of the MAB list.

Business Case Evolution
Improving Guest Access




Guest Users' Needs

   [Diagram: guest devices reach the network over wireless APs managed by a
   WLC, or over the wired LAN, and need to get to the Internet]

How does it work?

   1. The guest associates to the open SSID "guest", which has web
      authentication enabled on the WLC
   2. The guest's web session is redirected to the ISE guest portal for
      authentication
   3. The guest account needs to have been created beforehand:
        • via a sponsor
        • or self-service
   4. ISE (the policy server) returns the authorization and access is
      authorized for the guest user

Components of a Full Guest Lifecycle Solution

   Provision: guest accounts via the sponsor portal
   Notify: guests of account details by print, email, or SMS
   Manage: sponsor privileges, guest accounts and policies, guest portal
   Authenticate/Authorize: the guest via a guest portal on ISE
   Report: on all aspects of guest accounts

Guest Users DB – Account Creation Methods
     • Two ways to populate the ISE internal guest database

       •   Self-service
           Option on the ISE 'Guest Portal'

       •   Sponsoring
           via the ISE 'Sponsor Portal'

ISE – Guest Self-Service (For Your Reference; portal screenshot not reproduced)

ISE – Sponsor Portal
     Customizable sponsor
      pages
     Sponsor privileges
      tied to authentication/
      authorization policy
        • Roles sponsor can
          create
        • Time profiles can be
          assigned
        • Management of other
          guest accounts
        • Single or bulk account
          creation
     Sponsor and Guest
      reporting and audit


Sponsor Portal: Informing Guests
   • Sponsor will have three ways to inform guest
      1. Printing the details
      2. Sending the details via e-mail
      3. Sending the details via SMS




Guest user roles
  • When there is a need for different policies for users

       Guest                                  Contractor
       • Internet access only                 • Internet access
       • Limited connection time:             • Access to selected resources
         half a day, one day                  • Longer connection time:
                                                one week, one month

   Use several user identity groups in ISE (one per role).

Sponsor groups and privileges

       Sponsor group 1                        Sponsor group 2
       • Can create users in groups           • Can create users in group
         'contractor' and 'guest'               'guest' only
       • Can use time profiles up to          • Can use time profiles up to
         one week                               one day
       • Can see all accounts in group        • Cannot do bulk creation

ISE – Web Authentication




Full Audit of Guest Lifecycle




Business Case Evolution
We have Identity... We have Guest Lifecycle Management...

Can we get more information?

Business Case Continues to Evolve

    • Requirements:
      4. Employees of Retailer-X must be using a corporate-owned
         asset.
      5. All corporate assets must be running Trend Micro Anti-Virus,
         and it must be up to date.
      6. All guests must run antivirus (any).
      Solution: Let's find out

Posture Assessment
  • Does the device meet security requirements?
    • Posture = the state of compliance with the company's
      security policy.
       Is the system running the current Windows patches?
       Anti-virus installed? Is it up to date?
       Anti-spyware installed? Is it up to date?
    • Now we can extend the user / system identity to include
      their posture status.

ISE – Posture Assessment Checks
   • Microsoft Updates
        Service Packs
        Hotfixes
        OS/Browser versions
   • Antivirus
        Installation/Signatures
   • Antispyware
        Installation/Signatures
   • File data
   • Services
   • Applications/Processes
   • Registry keys

Posture Assessment
  • What if a user fails the check?
    • New term: Remediation
       The act of correcting any missing or out-of-date items from the
       Posture Assessment.
       This can trigger the use of:
           Corporate Patching Systems (ex: BigFix, Altiris, etc.)
           Windows Software Update Service (WSUS)
           Windows Update
           Anti-Virus product Update Services (LiveUpdate.exe, etc.)

Posture Assessment Flow
  [Figure, shown in three stages: the user's switchport in the Corp VLAN, with
  the session state and the downloadable ACL at each stage]

  Stage 1 – after authentication:
     Uname / Pwd = OK
     Posture = Unknown
     Authorization = Temporary

  Stage 2 – temporary authorization, restricted by a dACL:
     Uname / Pwd = OK
     Posture = Unknown
     Authorization = Temporary
     dACL:
        Permit ip any host Remediation
        Permit ip any host PolicyServer
        Deny ip any any

  Stage 3 – after a compliant posture result:
     Uname / Pwd = OK
     Posture = Compliant
     Authorization = Full Access
     dACL:
        Permit ip any any (replaces the remediation dACL)

Making this work well
  • Change of Authorization (CoA)
    • CoA allows an enforcement device (switchport, wireless
      controller, VPN device) to change the
      VLAN/ACL/Redirection for a device/user without having
      to start the entire process all over again.
    • Without it: remove the user from the network & then
      have the entire AAA process begin again.
       e.g.: disassociate the wireless device & have to join the wireless network again.
    • RFC 3576 and 5176

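As an added example (not code from the deck or from Cisco), the Python model below walks one endpoint through the three posture-flow stages and the CoA step: temporary authorization with the remediation dACL, a posture result, and an in-place change to full access with no second 802.1X exchange. The host addresses, the user name and the class and function names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed addresses standing in for the "Remediation" and "PolicyServer"
# hosts on the slides (not real ISE defaults).
REMEDIATION_HOST = "10.1.1.10"
POLICY_SERVER_HOST = "10.1.1.20"

# The downloadable ACLs shown on the flow slides, in IOS-style syntax.
TEMPORARY_DACL = [
    f"permit ip any host {REMEDIATION_HOST}",
    f"permit ip any host {POLICY_SERVER_HOST}",
    "deny ip any any",
]
FULL_ACCESS_DACL = ["permit ip any any"]


def parse_dacl(lines):
    """Parse 'permit|deny ip any <any|host A.B.C.D>' into (action, dst) pairs.

    Only the ACE shapes used on the slides are accepted; anything else is an
    error rather than being silently treated as a permit.
    """
    acl = []
    for line in lines:
        parts = line.lower().split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[1:3] != ["ip", "any"]:
            raise ValueError(f"unsupported ACE: {line!r}")
        if parts[3] == "any" and len(parts) == 4:
            acl.append((parts[0], "any"))
        elif parts[3] == "host" and len(parts) == 5:
            acl.append((parts[0], parts[4]))
        else:
            raise ValueError(f"unsupported destination in ACE: {line!r}")
    return acl


def acl_permits(acl, dst_ip):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, dst in acl:
        if dst == "any" or dst == dst_ip:
            return action == "permit"
    return False


@dataclass
class PortSession:
    """One endpoint's session on a switchport, the Policy Enforcement Point."""
    user: str
    posture: str = "Unknown"
    authorization: str = "None"
    dacl: list = field(default_factory=list)
    eap_exchanges: int = 0   # full 802.1X runs; CoA must not add to this
    coa_count: int = 0

    def authenticate(self, credentials_ok):
        """Uname / Pwd check. Posture is still Unknown, so access is Temporary."""
        self.eap_exchanges += 1
        if not credentials_ok:
            self.authorization, self.dacl = "None", []
            return "Access-Reject"
        self.authorization = "Temporary"
        self.dacl = parse_dacl(TEMPORARY_DACL)
        return "Access-Accept"

    def change_of_authorization(self, authorization, dacl_lines):
        """CoA (RFC 5176) from the policy server: swap the port policy in place."""
        self.coa_count += 1
        self.authorization = authorization
        self.dacl = parse_dacl(dacl_lines)

    def posture_result(self, compliant):
        """Posture agent reports in; only Compliant unlocks full access."""
        if self.authorization == "None":
            raise RuntimeError("posture reported for an unauthenticated session")
        self.posture = "Compliant" if compliant else "NonCompliant"
        if compliant:
            self.change_of_authorization("Full Access", FULL_ACCESS_DACL)
        # NonCompliant: the session keeps the remediation-only dACL.

    def can_reach(self, dst_ip):
        return acl_permits(self.dacl, dst_ip)


def run_posture_flow(compliant):
    """Walk one endpoint through the flow; report reachability before and after."""
    corp_server = "10.50.0.5"   # constructed: an ordinary corporate host
    targets = (REMEDIATION_HOST, POLICY_SERVER_HOST, corp_server)
    session = PortSession(user="sally")
    session.authenticate(credentials_ok=True)
    before = tuple(session.can_reach(ip) for ip in targets)
    session.posture_result(compliant)
    after = tuple(session.can_reach(ip) for ip in targets)
    return {
        "before": before,
        "after": after,
        "authorization": session.authorization,
        "eap_exchanges": session.eap_exchanges,
        "coa_count": session.coa_count,
    }


if __name__ == "__main__":
    for outcome in (True, False):
        print("compliant" if outcome else "non-compliant", run_posture_flow(outcome))
```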
Creating a System out of these Technologies

Network Access Controls
   Multiple Options for Wired Access
     • Identity Based Network Services (IBNS):
         802.1X for wired access
         Profiling by NAC Profiler
         Guest = NGS
     • Cisco NAC Appliance:
         VLAN control via SNMP Control Plane
         Profiling by NAC Profiler
         Guest = NGS
   [Figure: Wired IBNS (802.1X, ACS) beside Wired NAC (SNMP, NAC)]

Network Access Controls
  Wireless and VPN Access
   • Wireless Access
      802.1X controlled by WLC
      WLC has local enforcement
      Separate Policies on ACS
   • Remote Access VPN
      Policy controlled by ASA, or:
      Policy controlled by in-line NAC
      Separate Policies on ACS
  [Figure: Wireless (802.1X) and VPN (Policy), each with separate policies on ACS]

Network Access Controls
   • TrustSec Brings it all Together
  [Figure: TrustSec (802.1X)]

What is the Identity Services Engine?

    • ISE is a Next-Generation RADIUS Server
    • Note: RADIUS for Network Access ONLY

Identity Services Engine
   • Policy Server Designed for TrustSec
   [Figure: ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server
   consolidated into the Identity Services Engine]
       • Centralized Policy
       • AAA Services
       • Posture Assessment
       • Guest Access Services
       • Device Profiling
       • Monitoring
       • Troubleshooting
       • Reporting

A "Systems" Approach

A Systems Approach
  • Why is this so important?
    • When Identity is an overlay (like NAC Appliance)
       There is an appliance or some other device that is doing the
       enforcement.
           Called a Policy Enforcement Point (PEP)
       The trick is to "shape" traffic towards those PEPs
           Some use DHCP or DNS tricks
           Others use MAC Spoofing (Man-in-the-Middle)
           Cisco uses the network to get traffic to the Appliance:
                Virtual Networks (VRFs)
                Policy Based Routing (PBR), etc.

Overlay solution
  [Figure: a Corporate PC connects to an Access Switch (Cat 3750); the port is
  first Set to Auth VLAN, then Set to Access VLAN. The NAC Server sits between
  the Untrusted side (DIRTY VRF, VLAN 100 DIRTY_VLAN) and the Trusted side
  (Global Network). Other VLANs shown: VLAN 200 (EMPLOYEES), VLAN 210
  (CONTRACTORS), VLAN 300 (GUESTS) in a Guest VRF; an ASA fronts the Internet.]

A Systems Approach
  • Why is this so important?
    • When Identity is embedded (like 802.1X)
       The Switch, WLC, or VPN is the enforcement device
           Called a Policy Enforcement Point (PEP)
       The Switch does all the work, instead of an appliance
           URL Redirection
           Policy Enforcement with ACLs, SGTs, VLAN Assignment, etc…

A Systems Approach
  • Switch is the PEP

Adding Power to Dot1X

Secure Group Access
   • Topology Independent Access Control
     • Term describing use of:
        Secure Group TAGs (SGTs)
        Secure Group ACLs (SGACLs)
        When a user logs in they are assigned a TAG (SGT) that identifies
        their role
        The TAG is carried throughout the Network
     • Server Switch applies SGACLs based on a "Matrix" (see
       below).

                 SGT      Public    Private
                 Staff    Permit    Permit
                 Guest    Permit    Deny

Customer Challenges - Ingress Access Control
   802.1X/MAB/Web Auth with VLAN Assignment:
     • Can I create / manage the new VLANs or IP Address scope?
     • How do I deal with DHCP refresh in the new subnet?
     • How do I manage the ACL on the VLAN interface?
     • Does a protocol such as PXE or WOL work with VLAN assignment?
     • Any impact to the route summarization?
   802.1X/MAB/Web Auth with ACL Download:
     • Who's going to maintain ACLs?
     • What if my destination IP addresses are changed?
     • Does my switch have enough TCAM to handle all requests?

    Traditional access authorization methods leave some deployment concerns:
        Detailed design before deployment is required, otherwise…
        Not so flexible for changes required by today's business
        Access control project ends up with redesigning the whole network

What is Secure Group Access?
   • SGA is a part of TrustSec
     • Next-Generation Access Control Enforcement
        Removes concern about TCAM space for detailed Ingress ACLs
        Removes concern of ACE explosion on DC Firewalls
     • An Additional Enforcement allowing stickiness of
       Infrastructure
        Now adds stickiness of Cisco ASA Firewalls, too.
     • Assign a TAG at Login, then enforce that tag in the
       DataCenter.

What is a Secure Group Tag?

   A Role-Based TAG:
   1. A user (or device) logs into the network via 802.1X
   2. ISE is configured to send a TAG in the Authorization
      Result – based on the "ROLE" of the user/device
   3. The Switch applies this TAG to the user's traffic.

Security Group Based Access Control

   • SGA allows customers:
        To keep existing logical design at access layer
        To change / apply policy to meet today's business requirement
        To distribute policy from central management server
   [Figure: Ingress Enforcement – the user authenticates (802.1X/MAB/Web Auth):
   "I'm an employee, my group is HR" → HR SGT = 100, and the access switch tags
   the traffic SGT=100. Egress Enforcement – the data-centre switch applies the
   SGACL between the tagged traffic and the servers: Finance (SGT=4), HR (SGT=100).]

Security Group Based Access Control

   • Security Group Firewalling:
        Extends the Concept to the ASA
        Use Security-Group Tags (SGTs) in your ASA Firewall Policy!
        Available in Arsenal (1HCY2012)
   [Figure: the same ingress/egress picture (HR SGT = 100, Finance SGT=4,
   HR SGT=100), with the ASA doing the Egress Enforcement on a rule keyed by
   S-IP, User, S-SGT, D-IP, D-SGT → DENY.]

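The SGA mechanism described on the matrix slide and on the two Security Group Based Access Control slides, as an added example that is not Cisco's or the deck's code: the access switch learns the SGT from the authorization result and tags frames on ingress; the data-centre device classifies the destination by SGT and decides from the (source SGT, destination SGT) matrix, so re-addressing a server changes nothing in the policy. HR=100 and Finance=4 come from the slides; the other tag numbers, the IP addresses and the HR/Finance matrix cells are constructed.

```python
from dataclasses import dataclass

# Role -> SGT as ISE returns it in the Authorization Result. HR=100 and
# Finance=4 are on the slides; Staff, Guest, Public and Private are constructed.
SGT = {"HR": 100, "Finance": 4, "Staff": 10, "Guest": 20, "Public": 1000, "Private": 2000}

# SGACL matrix: (source SGT, destination SGT) -> decision. The Staff/Guest rows
# are the matrix on the slide; the HR/Finance cells are constructed policy.
SGACL_MATRIX = {
    (SGT["Staff"], SGT["Public"]): "permit",
    (SGT["Staff"], SGT["Private"]): "permit",
    (SGT["Guest"], SGT["Public"]): "permit",
    (SGT["Guest"], SGT["Private"]): "deny",
    (SGT["HR"], SGT["HR"]): "permit",
    (SGT["HR"], SGT["Finance"]): "deny",
}


@dataclass(frozen=True)
class TaggedFrame:
    src_ip: str
    dst_ip: str
    sgt: int          # inserted by the access switch at ingress


class AccessSwitch:
    """Ingress enforcement: remembers each endpoint's SGT and tags its frames."""

    def __init__(self):
        self._sgt_by_endpoint = {}

    def authorization_result(self, src_ip, role):
        """ISE sends the role's TAG in the Authorization Result after 802.1X."""
        self._sgt_by_endpoint[src_ip] = SGT[role]

    def forward(self, src_ip, dst_ip):
        sgt = self._sgt_by_endpoint.get(src_ip)
        if sgt is None:
            return None       # no authorization, so no tag and nothing forwarded
        return TaggedFrame(src_ip, dst_ip, sgt)


class DataCentreSwitch:
    """Egress enforcement: destination IP -> SGT, then the SGACL matrix."""

    def __init__(self, server_sgt_by_ip, matrix):
        self.server_sgt_by_ip = dict(server_sgt_by_ip)
        self.matrix = matrix

    def move_server(self, old_ip, new_ip):
        """The server is re-addressed; its tag follows it and the matrix is untouched."""
        self.server_sgt_by_ip[new_ip] = self.server_sgt_by_ip.pop(old_ip)

    def enforce(self, frame):
        if frame is None:
            return "deny"
        dst_sgt = self.server_sgt_by_ip.get(frame.dst_ip)
        if dst_sgt is None:
            return "deny"     # destination not in any group: no matching cell
        return self.matrix.get((frame.sgt, dst_sgt), "deny")   # empty cell = deny

    def firewall_record(self, frame, user):
        """Row in the shape of the ASA slide: S-IP, User, S-SGT, D-IP, D-SGT, decision."""
        return {
            "S-IP": frame.src_ip, "User": user, "S-SGT": frame.sgt,
            "D-IP": frame.dst_ip, "D-SGT": self.server_sgt_by_ip.get(frame.dst_ip),
            "decision": self.enforce(frame).upper(),
        }


def run_scenario():
    """Constructed endpoints and servers walked through ingress and egress enforcement."""
    servers = {"10.200.0.10": SGT["Public"], "10.200.0.20": SGT["Private"],
               "10.200.0.30": SGT["HR"], "10.200.0.40": SGT["Finance"]}
    endpoints = {"10.10.0.11": "Staff", "10.10.0.12": "Guest", "10.10.0.13": "HR"}
    access, dc = AccessSwitch(), DataCentreSwitch(servers, SGACL_MATRIX)
    for ip, role in endpoints.items():
        access.authorization_result(ip, role)

    decide = lambda src, dst: dc.enforce(access.forward(src, dst))
    results = {
        "staff->private": decide("10.10.0.11", "10.200.0.20"),
        "guest->public": decide("10.10.0.12", "10.200.0.10"),
        "guest->private": decide("10.10.0.12", "10.200.0.20"),
        "hr->hr": decide("10.10.0.13", "10.200.0.30"),
        "hr->finance": decide("10.10.0.13", "10.200.0.40"),
        "unauthenticated->public": decide("10.10.0.99", "10.200.0.10"),
    }
    # Topology independence: the private server moves; the guest is still denied.
    dc.move_server("10.200.0.20", "10.200.9.20")
    results["guest->private-after-move"] = decide("10.10.0.12", "10.200.9.20")
    results["record"] = dc.firewall_record(access.forward("10.10.0.13", "10.200.0.40"), "hr-user")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:28} {value}")
```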
Media Access Control Security
   • MACSec: Layer-2 Encryption (802.1AE)
     • Industry Standard Extension to 802.1X
        Encrypts the link between the host & the switch.
        Traffic in the backplane is unencrypted for inspection, etc.
        Requires a supplicant that supports MACSec and the encryption
        key-exchange
   [Figure: host ── Encrypted Link ── SWITCHPORT]

Business Case Evolution: B.Y.O.D.

Business Case Continues to Evolve
   • The "i-Revolution"
     • New Requirement:
        "Our CEO went to a Retail Conference recently and won an iPad.
        He demands we allow it access to the network, because it is a
        productivity tool and we are prohibiting his productivity without the
        iPad"
     • New Requirement:
        Allow access to i-devices
     • New Term: "Bring Your Own Device" (BYOD)

Identity Services Engine
   • Policy Management for the Borderless Networks
     • Context-Based Access
         Who?    Known users (Employees, Sales, HR); Unknown users (Guests)
         What?   Device identity; Device classification (profile); Device health (posture)
         How?    Wired; Wireless; VPN
         Where?  Geographic location; Department; SSID / Switchport
         When?   Date; Time; Start/Stop Access
         Other?  Custom attributes; Device/User states; Applications used
     • Policy Definition
     • Policy Enforcement
     • Monitoring and Troubleshooting

How do we Build a BYOD Policy?

   • What are the Required Parts of the Policy?

     Corp Asset?        AuthC Type         Profile       AuthZ Result
     • AD Member?       • Machine Certs?   • i-Device    • Full Access
     • Static List?     • User Certs?      • Android     • i-Net only
     • MDM?             • Uname/Pwd        • Windows     • VDI + i-Net
     • Certificate?                        • Other

Example BYOD Policy in ISE
   • Using a Pre-Defined List of Assets
   [Figure: ISE authorization policy with columns Device Type, User, Results;
   the legible rule: Device Type = Any i-device Not in Above Identity Group,
   User = ANY User, Results = Assign Guest VLAN]

Summary

Links

   • TrustSec & ISE on Cisco.com
        http://www.cisco.com/go/trustsec
        http://www.cisco.com/go/ise
        http://www.cisco.com/go/isepartner
   • TrustSec & ISE Deployment Guide:
        http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
   • YouTube: Fundamentals of TrustSec:
        http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew

Q&A

We value your feedback.
     Please be sure to complete the Breakout
     Sessions Evaluation Form.

Access today's presentations at cisco.com/ca/ciscoplus

Follow @CiscoCanada and join the #CiscoPlus conversation
Demystifying TrustSec, Identity, NAC and ISE

More Related Content

PDF
Identity Services Engine Overview and Update
PPTX
Cisco Identity Services Engine (ISE)
PDF
An Introduction to VMware NSX
PDF
ClearPass Overview
PPTX
Customer Presentation - Aruba Wi-Fi Overview (1).PPTX
PPTX
CCNA 1 Routing and Switching v5.0 Chapter 10
PPT
Implementing 802.1x Authentication
PPTX
EMEA Airheads- ArubaOS - Cluster Manager
Identity Services Engine Overview and Update
Cisco Identity Services Engine (ISE)
An Introduction to VMware NSX
ClearPass Overview
Customer Presentation - Aruba Wi-Fi Overview (1).PPTX
CCNA 1 Routing and Switching v5.0 Chapter 10
Implementing 802.1x Authentication
EMEA Airheads- ArubaOS - Cluster Manager

What's hot (20)

PDF
Campus Network Design version 8
PDF
CCNAv5 - S2: Chapter4 Routing Concepts
PDF
ISE-CiscoLive.pdf
PPTX
Fortinet sandboxing
PPTX
Access Management with Aruba ClearPass
PDF
Aruba clearpass ebook_chpt1_final
PDF
Advanced rf troubleshooting_peter lane
PDF
Open dns configuring opendns on aruba controller
PDF
Cisco Meraki Overview
PPTX
EMEA Airheads ClearPass guest with MAC- caching using Time Source
PDF
VMware NSX 101: What, Why & How
PPTX
NSX-T Architecture and Components.pptx
PDF
Radius vs. Tacacs+
PDF
Putting Firepower Into The Next Generation Firewall
PDF
Microsoft Zero Trust
PDF
Cisco Meraki- Simplifying IT
PDF
Meraki Solution Overview
PPTX
Getting the most out of the aruba policy enforcement firewall
PDF
EMEA Airheads- Troubleshooting 802.1x issues
Campus Network Design version 8
CCNAv5 - S2: Chapter4 Routing Concepts
ISE-CiscoLive.pdf
Fortinet sandboxing
Access Management with Aruba ClearPass
Aruba clearpass ebook_chpt1_final
Advanced rf troubleshooting_peter lane
Open dns configuring opendns on aruba controller
Cisco Meraki Overview
EMEA Airheads ClearPass guest with MAC- caching using Time Source
VMware NSX 101: What, Why & How
NSX-T Architecture and Components.pptx
Radius vs. Tacacs+
Putting Firepower Into The Next Generation Firewall
Microsoft Zero Trust
Cisco Meraki- Simplifying IT
Meraki Solution Overview
Getting the most out of the aruba policy enforcement firewall
EMEA Airheads- Troubleshooting 802.1x issues
Ad

Viewers also liked (20)

PDF
Cisco Trustsec & Security Group Tagging
PPTX
PIW ISE best practices
PPTX
From Cisco ACS to ISE
PPTX
802.1x Authentication Standard
PPTX
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
PPT
A study on biometric authentication techniques
PDF
Deployment guide series ibm tivoli access manager for e business v6.0 sg247207
PDF
Fedv6tf-fhs
PDF
Ieee 802.1 x
PDF
IEEE 802.1X and Axis’ Implementation
PPT
802.1x
PDF
802.1x Implementation Plan for Seacoast
PDF
ISE-802.1X-MAB
PPTX
SC Magazine & ForeScout Survey Results
PDF
DSS ITSEC Conference 2012 - Forescout NAC #1
PDF
Why NAC and Why Not NAC
PDF
ForeScout: Our Approach
PPTX
Frost & Sullivan Report
PDF
The Internet of Things Isn't Coming, It's Here
PDF
Cisco Study: State of Web Security
Cisco Trustsec & Security Group Tagging
PIW ISE best practices
From Cisco ACS to ISE
802.1x Authentication Standard
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
A study on biometric authentication techniques
Deployment guide series ibm tivoli access manager for e business v6.0 sg247207
Fedv6tf-fhs
Ieee 802.1 x
IEEE 802.1X and Axis’ Implementation
802.1x
802.1x Implementation Plan for Seacoast
ISE-802.1X-MAB
SC Magazine & ForeScout Survey Results
DSS ITSEC Conference 2012 - Forescout NAC #1
Why NAC and Why Not NAC
ForeScout: Our Approach
Frost & Sullivan Report
The Internet of Things Isn't Coming, It's Here
Cisco Study: State of Web Security
Ad

Similar to Demystifying TrustSec, Identity, NAC and ISE (20)

PDF
RSA SecurID Access
PPTX
Sem cis ise
PPTX
Webinar: Goodbye RSA. Hello Modern Authentication.
PPTX
19.) security pivot (policy byod nac)
PPTX
19.) security pivot (policy byod nac)
PDF
Security 101: Multi-Factor Authentication for IBM i
PPT
Novell® iChain® 2.3
PDF
Security 101: Multi-Factor Authentication for IBM i
PDF
Securing Cassandra The Right Way
PDF
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
PDF
G3sixty Overview
PDF
Injection techniques conversys
PPTX
Cloud security privacy- org
PDF
Staying Secure When Moving to the Cloud - Dave Millier
PPTX
SecureID RSA, Multifactor Authentication
PPTX
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
PDF
Oracle 4월 20일
PDF
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
PDF
Auth-Shield
PDF
Cloud Security @ TIM - Current Practises and Future Challanges
RSA SecurID Access
Sem cis ise
Webinar: Goodbye RSA. Hello Modern Authentication.
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
Security 101: Multi-Factor Authentication for IBM i
Novell® iChain® 2.3
Security 101: Multi-Factor Authentication for IBM i
Securing Cassandra The Right Way
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
G3sixty Overview
Injection techniques conversys
Cloud security privacy- org
Staying Secure When Moving to the Cloud - Dave Millier
SecureID RSA, Multifactor Authentication
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
Oracle 4월 20일
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Auth-Shield
Cloud Security @ TIM - Current Practises and Future Challanges

More from Cisco Canada (20)

PDF
Cisco connect montreal 2018 net devops
PDF
Cisco connect montreal 2018 iot demo kinetic fr
PPTX
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
PDF
Cisco connect montreal 2018 secure dc
PDF
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
PDF
Cisco connect montreal 2018 vision mondiale analyse locale
PDF
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
PDF
Cisco connect montreal 2018 collaboration les services webex hybrides
PDF
Integration cisco et microsoft connect montreal 2018
PDF
Cisco connect montreal 2018 compute v final
PDF
Cisco connect montreal 2018 saalvare md-program-xr-v2
PDF
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
PDF
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
PDF
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
PDF
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
PDF
Cisco Connect Toronto 2018 DevNet Overview
PDF
Cisco Connect Toronto 2018 DNA assurance
PDF
Cisco Connect Toronto 2018 network-slicing
PDF
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
PDF
Cisco Connect Toronto 2018 sixty to zero
Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco connect montreal 2018 collaboration les services webex hybrides
Integration cisco et microsoft connect montreal 2018
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018 sixty to zero

Recently uploaded (20)

PDF
Hindi spoken digit analysis for native and non-native speakers
PDF
Developing a website for English-speaking practice to English as a foreign la...
PDF
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
PPTX
Configure Apache Mutual Authentication
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
PPTX
Custom Battery Pack Design Considerations for Performance and Safety
PDF
The influence of sentiment analysis in enhancing early warning system model f...
PDF
Getting started with AI Agents and Multi-Agent Systems
PPT
Module 1.ppt Iot fundamentals and Architecture
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
PPTX
Chapter 5: Probability Theory and Statistics
PDF
OpenACC and Open Hackathons Monthly Highlights July 2025
PDF
Enhancing emotion recognition model for a student engagement use case through...
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PDF
Consumable AI The What, Why & How for Small Teams.pdf
PDF
Architecture types and enterprise applications.pdf
PDF
Credit Without Borders: AI and Financial Inclusion in Bangladesh
PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
DOCX
search engine optimization ppt fir known well about this
PPTX
The various Industrial Revolutions .pptx
Hindi spoken digit analysis for native and non-native speakers
Developing a website for English-speaking practice to English as a foreign la...
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
Configure Apache Mutual Authentication
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
Custom Battery Pack Design Considerations for Performance and Safety
The influence of sentiment analysis in enhancing early warning system model f...
Getting started with AI Agents and Multi-Agent Systems
Module 1.ppt Iot fundamentals and Architecture
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
Chapter 5: Probability Theory and Statistics
OpenACC and Open Hackathons Monthly Highlights July 2025
Enhancing emotion recognition model for a student engagement use case through...
Final SEM Unit 1 for mit wpu at pune .pptx
Consumable AI The What, Why & How for Small Teams.pdf
Architecture types and enterprise applications.pdf
Credit Without Borders: AI and Financial Inclusion in Bangladesh
A proposed approach for plagiarism detection in Myanmar Unicode text
search engine optimization ppt fir known well about this
The various Industrial Revolutions .pptx

Demystifying TrustSec, Identity, NAC and ISE

  • 1. Demystifying TrustSec, Identity, NAC and ISE Hosuk Won, TrustSec TME howon@cisco.com Secure Access & Mobility Product Group #CiscoPlus
  • 2. Session Abstract • This session is a technical breakout that will help demystify the technology behind the Cisco TrustSec System, including the Identity Services Engine. • We will build use cases to introduce, compare, and contrast different access control features and solutions, and discuss how they are used within the TrustSec System. • The technologies that will be covered include user & device authorization, 802.1X, Profiling Technology, Supplicant‘s, certificates/PKI, Posture, CoA, RADIUS, EAP, Guest Access, Security Group Access (SGA), and 802.1AE (MacSec). • All of the technologies will be discussed in relation with Cisco‘s Identity Services Engine #CiscoPlus
  • 3. Session Objectives At the end of the session, you should understand: • The many parts and pieces that make up Cisco‘s TrustSec Solution • How 802.1X and SGA work • The benefits of deploying TrustSec • The different deployment scenarios that are possible You should also: • Provide us with feedback! • Attend related sessions that interest you • Have a nice glossary of terms at your disposal #CiscoPlus
  • 4. Cisco‘s Trusted Security (TrustSec) #CiscoPlus
  • 5. What is TrustSec • Yes, it can be confusing • Think of it as ―Next-Generation NAC‖ • TrustSec is a System approach to Access Control: IEEE 802.1X (Dot1x) Profiling Technologies Guest Services Secure Group Access (SGA) MACSec (802.1AE) Identity Services Engine (ISE) Access Control Server (ACS) #CiscoPlus
  • 6. So, TrustSec = Identity, Right? • Yes, but it refers to an Identity System (or solution) Policy Servers are only as good as the enforcement device (Switches, WLC‘s, Firewalls, etc…) • But what is ―Identity‖: • Understanding the Who / What / Where / When & How of a user or device‘s access to a network. #CiscoPlus
  • 8. Why Identity Is Important Who are you? Keep the Outsiders 1 802.1X (or supplementary method) Out authenticates the user Keep the Insiders Where can you go? Honest 2 Based on authentication, user is placed in correct VLAN What service level to you receive? Personalize the 3 The user can be given per-user Network services (ACLs, Macros, SGA) What are you doing? Increase Network 4 The user‘s identity and location can Visibility be used for tracking and accounting #CiscoPlus
  • 9. What Is Authentication? • Authentication is the process of establishing and confirming the identity of a client requesting services I’d Like to Withdraw $200.00 Please. Do You Have Identification? Yes, I Do. Here It Is. An Authentication System Is Only as Strong as the Method of Verification Used #CiscoPlus
  • 10. What Is Authorization? • Authorization is the process of granting a level of access to the network I’d Like to Withdraw $200.00 Please. Do You Have Identification? Yes, I Do. Here It Is. Thank You. Here is your money. #CiscoPlus
  • 11. The Business Case #CiscoPlus
• 12. Business Case
  • Throughout the presentation we will refer to a business case, one that will continue to evolve:
    Company: Retailer-X
    Problem Definition: The company stores credit card data from all sales transactions. As with all companies, vendors and guests are constantly visiting Retailer-X, to pitch new products to be sold, or even to sell network, security and collaboration equipment to Retailer-X. The company must ensure that only Retailer-X employees gain access to the network.
    Solution: Identity with 802.1X
• 13. Default Port State without 802.1X
  • No authentication required
  • No visibility
  • No access control
  (Diagram: an unknown user plugged into a switchport)
• 14. Default Security with 802.1X, before authentication
  • No visibility (yet)
  • Strict access control
  • One physical port becomes two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else)
  • All traffic except EAPoL is dropped
• 15. Default Security with 802.1X, after authentication
  • User/device is known (Authenticated User: Sally; Authenticated Machine: XP-ssales-45)
  • Identity-based access control
  • Single MAC per port
  • Looks the same as without 802.1X. Speech bubble: "Having read your mind, Sally, that is true: unless you apply an authorization, access is wide open." We will discuss restricting access later.
• 16. Revisit: Business Case
  • Company: Retailer-X
  • Problem Definition: The company stores credit card data from all sales transactions. As with most companies, vendors and guests are constantly visiting Retailer-X, to pitch new products to be sold, or even to sell network, security and collaboration equipment to Retailer-X. The company must ensure that only Retailer-X employees gain access to the network.
  • Solution: Identity with 802.1X
• 17. Revisit: Business Case
  • Did we meet the business case? YES!
  • But what was missing? What lessons have we learned?
  • We called Dot1x an "access prevention" technology.
• 18. What Happened? What Went Wrong?
  At Retailer-X, before Monitor Mode was available:
  IT Manager: "I've done my homework in a proof-of-concept lab and it looks good. I'm turning on 802.1X tomorrow..."
  (802.1X enabled)
  User: "I can't connect to my network. It says 'Authentication failed' but I don't know how to fix it. My presentation is in 2 hours..."
  Help desk calls increased by 40%.
• 19. What was missing? What lessons were learned?
  • 802.1X is an access-prevention technology, so a Monitor Mode is necessary: you must have a way to deploy it and see who would succeed and who would fail, determine why, and remediate before taking Dot1x into a stronger enforcement mode.
  • Solution = a phased approach to deployment: Monitor Mode, then Authenticated Mode, then Enforcement Mode or Closed Mode.
• 20. Monitor Mode: a process, not just a mode
  • Enables 802.1X authentication on the switch
  • But: even a failed authentication will gain access
  • Allows network admins to see who would have failed, and fix it, before causing a denial of service
  • Interface config:
      interface GigabitEthernet1/0/1
       authentication host-mode multi-auth
       authentication open
       authentication port-control auto
       mab
       dot1x pae authenticator
  • Pre-AuthC: permit all (DHCP, TFTP, KRB5, HTTP, EAPoL). Post-AuthC: permit all. Traffic is always allowed.
• 21. Authenticated Mode: if authentication is valid, then full access!
  • Monitor Mode + an ACL to limit traffic flow
  • AuthC success = full access
  • Failed AuthC can only communicate with certain services
  • WebAuth for non-authenticated users
  • Interface config (Monitor Mode plus a pre-authentication port ACL):
      interface GigabitEthernet1/0/1
       authentication host-mode multi-auth
       authentication open
       authentication port-control auto
       mab
       dot1x pae authenticator
       ip access-group default-ACL in
  • Pre-AuthC: permit some (DHCP, TFTP, KRB5, HTTP, EAPoL). Post-AuthC: permit all.
• 22. Enforcement Mode: if authentication is valid, then specific access!
  • AuthC success = role-specific access: dVLAN assignment / dACLs, Secure Group Access (SGT)
  • Still allows pre-AuthC access for thin clients, PXE, etc.
  • WebAuth for non-authenticated users
  • Interface config (identical to Authenticated Mode; the difference is the role-specific authorization result returned by the RADIUS server):
      interface GigabitEthernet1/0/1
       authentication host-mode multi-auth
       authentication open
       authentication port-control auto
       mab
       dot1x pae authenticator
       ip access-group default-ACL in
  • Pre-AuthC: permit some (DHCP, TFTP, KRB5, HTTP, EAPoL). Post-AuthC: role-based ACL (e.g. RDP, HTTP, KRB5) or SGT.
• 23. Closed Mode: no access prior to login, then specific access!
  • Default 802.1X behavior: no access at all prior to AuthC
  • Still uses all AuthZ enforcement types: dACL, dVLAN, SGA
  • Must take thin clients, PXE, etc. into consideration
  • Interface config (no "authentication open" and no pre-authentication ACL):
      interface GigabitEthernet1/0/1
       authentication host-mode multi-auth
       authentication port-control auto
       mab
       dot1x pae authenticator
  • Pre-AuthC: EAPoL only. Post-AuthC: permit all, or a role-based ACL.
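The four interface configurations above differ in only two lines, "authentication open" and the pre-authentication port ACL, so the mode a switch is really in can be read straight from its running-config. The following script is an added example for this page, not code from the deck or from Cisco: it parses IOS-style interface stanzas, classifies each port as monitor, low-impact (the Authenticated and Enforcement modes share this port configuration; what differs is the authorization ISE returns), closed or no-dot1x, and computes how long a silent host waits before the no-response fallback (for example a guest VLAN) fires. The sample configuration, the ACL name and the assumed defaults of tx-period 30 seconds and max-reauth-req 2 are assumptions for the example.

```python
"""Audit 802.1X switchport configuration by deployment mode.

Added example (not code from the deck or from Cisco): parses IOS-style
interface stanzas and reports which of the deck's modes each port is in.
Monitor Mode = "authentication open" with no pre-auth ACL; low-impact =
"authentication open" plus a port ACL (the deck's Authenticated and
Enforcement modes share this port config and differ only in what the
RADIUS server returns); Closed Mode = no "authentication open".
Also computes the no-response delay, assuming the IOS defaults of
tx-period 30 seconds and max-reauth-req 2 when a port does not set them.
"""
from dataclasses import dataclass, field

# Constructed sample running-config for the example, not a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description monitor mode
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description authenticated / enforcement mode (pre-auth ACL)
 ip access-group default-ACL in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description closed mode with guest VLAN fallback
 authentication event no-response action authorize vlan 300
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 description printer port, no 802.1X at all
 switchport access vlan 200
!
"""


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix):
        return any(line.startswith(prefix) for line in self.lines)

    def int_after(self, prefix, default):
        """Integer argument following a command, or the default if absent."""
        for line in self.lines:
            if line.startswith(prefix):
                return int(line[len(prefix):].split()[0])
        return default


def parse_interfaces(config):
    """Split a running-config into Port objects (indented lines only)."""
    ports, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(None, 1)[1].strip())
            ports.append(current)
        elif current is not None and raw.startswith(" "):
            current.lines.append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return ports


def classify(port):
    if not port.has("authentication port-control auto"):
        return "no-dot1x"
    if port.has("authentication open"):
        return "low-impact" if port.has("ip access-group") else "monitor"
    return "closed"


def no_response_delay(port):
    """Seconds until the switch stops waiting for EAPoL and acts on no-response.

    The switch sends max-reauth-req + 1 EAP-Request/Identity frames,
    tx-period seconds apart (assumed defaults 30 s and 2 give 90 s).
    """
    tx_period = port.int_after("dot1x timeout tx-period", 30)
    max_reauth = port.int_after("dot1x max-reauth-req", 2)
    return (max_reauth + 1) * tx_period


def audit(config):
    """Return {interface: {"mode": ..., "guest_vlan_after_s": ...}}."""
    report = {}
    for port in parse_interfaces(config):
        entry = {"mode": classify(port)}
        if port.has("authentication event no-response action authorize vlan"):
            entry["guest_vlan_after_s"] = no_response_delay(port)
        report[port.name] = entry
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_CONFIG).items():
        print(f"{name:24} {info}")
```

A port still reporting "monitor" after the rollout is finished is the finding to chase: it permits everything to a host whose authentication failed, which is exactly the state Retailer-X wanted to leave behind.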
• 24. What was missing? What lessons were learned?
  • No visibility from the supplicant: little to no user interaction. The user saw an "Authentication Failed" message, and that was all. When everything works, the user is unaware; when things stop working, there is no visibility, just a call to the help desk.
  • Solution: 3rd-party supplicants. Cisco's AnyConnect supplicant provides a Diagnostic and Reporting Tool (DART), detailed logs from the client side, and unique hooks into RDP and VDI environments.
• 25-28. What was missing? What lessons were learned?
  • No visibility at the RADIUS server
  • Solution: ACS View, and now the Identity Services Engine (ISE) (screenshots of ACS View and ISE reporting)
• 29. What was missing? What lessons were learned?
  • Non-authenticating devices: devices that were forgotten. They don't have software to talk EAP on the network, or they weren't configured for it: printers, IP phones, cameras, badge readers.
  • How to work with these? Don't configure Dot1x on the switchport. But what about when the device moves?
  • Solution: MAC Authentication Bypass (MAB)
• 30. MAC Authentication Bypass (MAB)
  • What is it? A list of MAC addresses that are allowed to "skip" authentication.
  • Is this a replacement for Dot1x? No way! This is a "bandage"; in a utopia, all devices authenticate. (A MAC address is trivially spoofed, so MAB identifies a device only as well as whoever is plugged in chooses to let it.)
  • The list may be local or centralized. Can you think of any benefits to a centralized model?
• 31. What was missing? What lessons were learned?
  • Guests will not have configured supplicants, and they won't be authorized for access.
  • Original solution: Dot1x timeouts. After a timeout period, the switchport is automatically put into a Guest VLAN which provides Internet access: "No supplicant has responded for 90 seconds, so just AuthZ the port for the GUEST VLAN."
• 32. What was missing? What lessons were learned?
  • Missing or misconfigured supplicants: Group Policies may not have worked, software distribution may have missed a machine that has been off-network for a period of time, etc.
  • The Dot1x timeout takes effect and someone who should have been an authorized user ends up in the Guest network; the help desk gets a call from an unhappy user.
• 33. Enter: Web Authentication
  • Used to identify users without supplicants (misconfigured, missing altogether, etc.)
  • Guest authentication
• 34. Business Case Continues to Evolve
  Requirements:
  1. Retailer-X must ensure that only Retailer-X employees gain access to the network. Solution: Identity with 802.1X
  2. Authorized non-authenticating devices must continue to have network access. Solution: Centralized MAB
  3. Need to automate the building of the MAB list. Solution: let's find out
• 35. Profiling
• 36. Profiling Technology
  • The ability to classify devices
  • Why classify? Originally: to identify the devices that cannot authenticate and automagically build the MAB list (e.g. Printer = bypass authentication). Today: we also use the profiling data as part of an authorization policy (e.g. Authorized User + i-device = Internet only).
• 37. Profiling: visibility
  (Diagram: PCs and non-PCs such as a UPS, phone, printer and AP)
  • Additional benefits of profiling, visibility: a view of what is truly on your network; tracking of where a device has been, what IP addresses it has had, and other historical data; an understanding of WHY the device was profiled as a particular type (which profile signatures were matched).
• 38. Profiling Technology: visibility into what is on the network (screenshot)
• 39. Profiling Technology: how do we classify a device?
  • Profiling uses signatures (similar to IPS)
• 40-41. Profiling: determining required profile attributes (screenshots)
• 42. Profiling: best practice recommendations
  • HTTP probe: use URL redirects over SPAN to centralize collection and reduce the traffic load on the network and on ISE related to SPAN/RSPAN, or use VACLs or other ways to filter HTTP-only traffic.
  • DHCP probe: use IP helpers when possible; be aware that an L3 device that serves DHCP itself will not relay DHCP either. For DHCP SPAN, make sure the probe captures traffic to the central DHCP server.
  • SNMP probe: ISE 1.1 added an SNMP probe to pull ARP tables from Cisco Layer-3 devices, which helps when DHCP is not used.
• 43. Profiling Technology: limitations of profiling
  • Best guess: profiling is best-effort. The attributes it matches (DHCP options, User-Agent, OUI) are all chosen by the endpoint, so a profile is an inference about the device, not an authentication of it.
  • MAB is a filter: it was only used to determine which MAC addresses were allowed to "skip" authentication. Now we also use the profiling data as part of an authorization policy (e.g. Authorized User + i-device = Internet only).
• 44. Business Case Continues to Evolve
  Requirements:
  1. Retailer-X must ensure that only Retailer-X employees gain access to the network. Solution: Identity with 802.1X
  2. Authorized non-authenticating devices must continue to have network access. Solution: Centralized MAB
  3. Need to automate the building of the MAB list. Solution: use profiling technology to automate building the MAB list.
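Slides 39 to 43 describe profiling as signature matching with a best-effort result, and requirement 3 asks for the MAB list to be built from it. The script below is an added example, not part of the deck or of ISE: it scores endpoint attributes against profile policies with certainty factors, assigns the best profile that reaches its minimum certainty, and derives the MAB list from the profiles that mark non-authenticating devices. The OUI table, profile conditions, certainty values and endpoint records are constructed for the example, not copied from ISE or from the IEEE registry.

```python
"""Signature-based endpoint profiling with certainty factors.

Added example, not code from the deck or from ISE. Every matching
condition adds its certainty factor; the endpoint is assigned the
highest-scoring profile that reaches that profile's minimum certainty,
otherwise it stays Unknown. Profiles listed in MAB_PROFILES feed the
MAB list automatically. Profile names, conditions, the OUI table and
the endpoint records are constructed (assumptions), not real data.
"""
import re

# Assumed OUI -> vendor table (three illustrative entries).
OUI_VENDORS = {
    "00:1B:63": "Apple",
    "3C:D9:2B": "Hewlett-Packard",
    "00:1E:8F": "Canon",
}

# Profile -> (minimum certainty, [(attribute, regex, certainty factor)]).
PROFILES = {
    "Apple-iDevice": (30, [
        ("oui_vendor", r"^Apple$", 10),
        ("dhcp-parameter-request-list", r"^1,121,3,6,15,119,252", 10),
        ("user-agent", r"iPhone|iPad|iPod", 20),
    ]),
    "Printer": (20, [
        ("oui_vendor", r"^(Hewlett-Packard|Canon)$", 10),
        ("dhcp-class-identifier", r"Printer|JetDirect", 20),
        ("host-name", r"^NPI", 10),
    ]),
    "Windows-Workstation": (20, [
        ("dhcp-class-identifier", r"^MSFT 5\.0", 20),
        ("user-agent", r"Windows NT", 10),
    ]),
}

# Profiles whose members are allowed to bypass 802.1X via MAB.
MAB_PROFILES = {"Printer"}


def oui_vendor(mac):
    return OUI_VENDORS.get(mac.upper()[:8], "Unknown")


def score_profile(attrs, conditions):
    """Sum the certainty factors of the conditions the endpoint matches."""
    score, matched = 0, []
    for attr, pattern, certainty in conditions:
        value = attrs.get(attr)
        if value is not None and re.search(pattern, value):
            score += certainty
            matched.append(attr)
    return score, matched


def profile_endpoint(endpoint):
    """Return (profile, score, matched attributes); Unknown if no minimum is met."""
    attrs = dict(endpoint)
    attrs["oui_vendor"] = oui_vendor(attrs["mac"])
    best = ("Unknown", 0, [])
    for name, (minimum, conditions) in PROFILES.items():
        score, matched = score_profile(attrs, conditions)
        if score >= minimum and score > best[1]:
            best = (name, score, matched)
    return best


def build_mab_list(endpoints):
    """MAC addresses of endpoints profiled into a MAB-eligible profile."""
    return sorted(ep["mac"] for ep in endpoints
                  if profile_endpoint(ep)[0] in MAB_PROFILES)


# Constructed endpoint records, as DHCP/HTTP/RADIUS probes would collect them.
ENDPOINTS = [
    {"mac": "00:1B:63:84:45:E6",
     "dhcp-parameter-request-list": "1,121,3,6,15,119,252",
     "user-agent": "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) Safari/7534"},
    {"mac": "3C:D9:2B:12:34:56",
     "dhcp-class-identifier": "Hewlett-Packard JetDirect",
     "host-name": "NPI123456"},
    {"mac": "00:50:56:AB:CD:EF",
     "dhcp-class-identifier": "MSFT 5.0",
     "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/10.0"},
    # Only an OUI was seen: best guess is Apple, but 10 < 30, so Unknown.
    {"mac": "00:1B:63:11:22:33"},
]

if __name__ == "__main__":
    for ep in ENDPOINTS:
        print(ep["mac"], profile_endpoint(ep))
    print("MAB list:", build_mab_list(ENDPOINTS))
```

The last endpoint, seen only through its OUI, stays Unknown because 10 is below the profile's minimum; that is the "best guess" limitation of slide 43 in practice, and the usual fix is to enable another probe rather than lower the minimum. Everything scored here is self-reported by the endpoint, so a device can present a printer's DHCP class and hostname to get itself onto the MAB list; keep the authorization that MAB-profiled devices receive down to what a printer actually needs.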
• 45. Business Case Evolution: improving guest access
• 46. Guest Users' Needs
  (Diagram: guest devices reaching the Internet and the LAN through wireless APs and the WLC)
• 47. How does it work?
  • Open SSID "guest" with web authentication
  • The guest web session is redirected to the ISE guest portal for authentication
  • A guest account needs to be created, via a sponsor or by self-service
  • Access is authorized for the guest user (ISE policy server and WLC)
• 48. Components of a Full Guest Lifecycle Solution
  • Provisioning: guest accounts via the sponsor portal
  • Notify: guests of account details by print, email, or SMS
  • Manage: sponsor privileges, guest accounts and policies, guest portal
  • Authenticate/Authorize: guests via a guest portal on ISE
  • Report: on all aspects of guest accounts
• 49. Guest Users DB: Account Creation Methods
  • Two ways to populate the ISE internal guest database: self-service on the ISE 'Guest Portal', or sponsoring via the ISE 'Sponsor Portal'
• 50. ISE: Guest Self-Service (for your reference; screenshot)
• 51. ISE: Sponsor Portal
  • Customizable sponsor pages
  • Sponsor privileges tied to the authentication/authorization policy: roles the sponsor can create, time profiles that can be assigned, management of other guest accounts, single or bulk account creation
  • Sponsor and guest reporting and audit
• 52. Sponsor Portal: informing guests
  • The sponsor has three ways to inform the guest: 1. printing the details, 2. sending the details via e-mail, 3. sending the details via SMS
• 53. Guest user roles
  • When different policies are needed for different users:
    Guest: Internet access only; limited connection time (half day, one day)
    Contractor: Internet access plus access to selected resources; longer connection time (one week, one month)
  • Use several user identity groups in ISE
• 54. Sponsor groups and privileges
  Sponsor group 1: can create users in groups 'contractor' and 'guest'; can use time profiles up to one week; can see all accounts in the group
  Sponsor group 2: can create users in group 'guest' only; can use time profiles up to one day; cannot do bulk creation
• 55. Components of a Full Guest Lifecycle Solution (repeated from slide 48)
• 56. ISE: Web Authentication (screenshot)
• 57. Components of a Full Guest Lifecycle Solution (repeated from slide 48)
• 58. Full Audit of the Guest Lifecycle (screenshot)
• 59. Business Case Evolution
  • We have identity... We have guest lifecycle management... Can we get more information?
• 60. Business Case Continues to Evolve
  Requirements:
  4. Employees of Retailer-X must be using a corporate-owned asset.
  5. All corporate assets must be running Trend Micro Anti-Virus, and it must be up to date.
  6. All guests must run antivirus (any).
  Solution: let's find out
• 61. Posture Assessment
  • Does the device meet security requirements?
  • Posture = the state of compliance with the company's security policy: Is the system running the current Windows patches? Anti-virus installed, and up to date? Anti-spyware installed, and up to date?
  • Now we can extend the user/system identity to include their posture status.
• 62. ISE: Posture Assessment Checks
  • Microsoft updates: service packs, hotfixes, OS/browser versions
  • Antivirus installation/signatures
  • Antispyware installation/signatures
  • File data
  • Services
  • Applications/processes
  • Registry keys
• 63. Posture Assessment: what if a user fails the check?
  • New term: remediation, the act of correcting any missing or out-of-date items from the posture assessment. This can trigger the use of corporate patching systems (e.g. BigFix, Altiris), Windows Software Update Services (WSUS), Windows Update, or anti-virus product update services (LiveUpdate.exe, etc.).
• 64-66. Posture Assessment Flow
  1. Username/password = OK; Posture = Unknown; Authorization = temporary access. The host is placed in the Corp VLAN with a dACL that only reaches the remediation and policy servers:
       permit ip any host Remediation
       permit ip any host PolicyServer
       deny ip any any
  2. After remediation, Posture = Compliant.
  3. Authorization = full access, still in the Corp VLAN: the dACL becomes permit ip any any.
• 67. Making this work well: Change of Authorization (CoA)
  • CoA allows an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/redirection for a device/user without having to start the entire process all over again.
  • Without it: remove the user from the network and have the entire AAA process begin again, e.g. disassociate the wireless device and have it join the wireless network again.
  • RFC 3576, obsoleted by RFC 5176
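CoA as described on slide 67 is a RADIUS exchange in its own right: the policy server sends a request to the NAS, the NAS answers with an ACK or NAK, and both sides prove knowledge of the shared secret through the packet authenticator. The following Python is an added example, not code from the deck, ISE or IOS: it builds a CoA-Request that asks the switch to re-authenticate one session in place (the step that moves a host from the remediation dACL to full access once its posture is compliant), computes the authenticators as RFC 5176 specifies, parses the attributes back out, and verifies the reply. The shared secret, NAS address, MAC and session ID are constructed, and the Cisco-AVPair string subscriber:command=reauthenticate is assumed to be what the NAS expects rather than something the deck states.

```python
"""RADIUS Change-of-Authorization exchange (RFC 5176) at packet level.

Added example, not code from the deck or from ISE/IOS. Encodes a
CoA-Request (code 43) that asks the NAS to re-run AAA for one session,
computes the Request Authenticator as RFC 5176 section 2.3 specifies,
and builds/verifies the CoA-ACK the NAS returns. The shared secret,
addresses and session identifier are constructed; the Cisco-AVPair
"subscriber:command=reauthenticate" is an assumption about the NAS.
"""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
REQUEST_CODES = {DISCONNECT_REQUEST, COA_REQUEST}
RESPONSE_CODES = {DISCONNECT_ACK, DISCONNECT_NAK, COA_ACK, COA_NAK}

USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 4, 31, 44
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def avp(attr_type, value):
    """Type-Length-Value attribute; RADIUS limits the value to 253 octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Cisco (9) sub-attribute 1 (cisco-avpair)."""
    sub = avp(CISCO_AVPAIR, text.encode())
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_request(secret, code, identifier, attributes):
    body = b"".join(attributes)
    head = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    # RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(head + b"\x00" * 16 + body + secret).digest()
    return head + authenticator + body


def verify_request(secret, packet):
    """What the NAS must do before acting on a CoA/Disconnect-Request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in REQUEST_CODES or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16
                           + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_response(secret, request, code, attributes=()):
    body = b"".join(attributes)
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(head + request[4:HEADER_LEN] + body + secret).digest()
    return head + authenticator + body


def verify_response(secret, request, response):
    """What the policy server checks on the ACK/NAK it receives."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in RESPONSE_CODES or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute section of a packet."""
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def reauthenticate_session(secret, nas_ip, mac, session_id, identifier):
    """CoA-Request that makes the NAS re-run AAA for one session in place."""
    attrs = [
        avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        avp(CALLING_STATION_ID, mac.encode()),
        avp(ACCT_SESSION_ID, session_id.encode()),
        cisco_avpair("subscriber:command=reauthenticate"),
    ]
    return build_request(secret, COA_REQUEST, identifier, attrs)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = reauthenticate_session(secret, "10.1.1.1", "00-1B-63-84-45-E6", "0000001A", 7)
    ack = build_response(secret, req, COA_ACK)
    print("request valid at NAS: ", verify_request(secret, req))
    print("ack valid at server:  ", verify_response(secret, req, ack))
    print("attribute types:", [t for t, _ in parse_attributes(req)])
```

The authenticator check in verify_request is what stops anyone who can reach UDP port 3799 on a switch from sending forged Disconnect-Requests and dropping sessions at will. It is only MD5 over the packet plus the secret, so the secret has to be long and random, and CoA listeners should accept requests only from the configured policy server addresses on a management network.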
• 68. Creating a System out of these Technologies
• 69. Network Access Controls: multiple options for wired access
  • Identity Based Network Services (IBNS): 802.1X for wired access; profiling by NAC Profiler; guest = NAC Guest Server (NGS); policy on ACS
  • Cisco NAC Appliance: VLAN control via an SNMP control plane; profiling by NAC Profiler; guest = NGS; policy on the NAC Appliance
• 70. Network Access Controls: wireless and VPN access
  • Wireless access: 802.1X controlled by the WLC; the WLC has local enforcement; separate policies on ACS
  • Remote-access VPN: policy controlled by the ASA, or policy controlled by in-line NAC; separate policies on ACS
• 71. Network Access Controls: TrustSec brings it all together (802.1X for wired, wireless and VPN, with one policy server)
• 72. What is the Identity Services Engine?
  • ISE is a next-generation RADIUS server
  • Note: RADIUS for network access ONLY
• 73. Identity Services Engine: policy server designed for TrustSec
  • Consolidates ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server into one engine
  • Centralized policy, AAA services, posture assessment, guest access services, device profiling, monitoring, troubleshooting, reporting
• 75. A Systems Approach: why is this so important?
  • When identity is an overlay (like NAC Appliance), there is an appliance or some other device doing the enforcement, called a Policy Enforcement Point (PEP). The trick is to "shape" traffic towards those PEPs: some products use DHCP or DNS tricks, others use MAC spoofing (man-in-the-middle); Cisco uses the network to get traffic to the appliance: virtual networks (VRFs), policy-based routing (PBR), etc.
• 76. Overlay solution
  (Diagram: a corporate PC connects to an access switch (Cat 3750); the port is set to the Auth VLAN, VLAN 100 (DIRTY_VLAN), carried in a DIRTY VRF to the NAC Server in the untrusted part of the global network; once trusted, the port is set to an access VLAN, VLAN 200 (EMPLOYEES), VLAN 210 (CONTRACTORS) or VLAN 300 (GUESTS) in a Guest VRF, with the ASA in front of the Internet)
• 77. A Systems Approach: why is this so important?
  • When identity is embedded (like 802.1X), the switch, WLC or VPN device is the enforcement device, the PEP. The switch does all the work instead of an appliance: URL redirection, policy enforcement with ACLs, SGTs, VLAN assignment, etc.
• 78-79. A Systems Approach: the switch is the PEP (diagrams)
• 80. Adding Power to Dot1X
• 81. Secure Group Access: topology-independent access control
  • A term describing the use of Security Group Tags (SGTs) and Security Group ACLs (SGACLs)
  • When a user logs in they are assigned a tag (SGT) that identifies their role; the tag is carried throughout the network
  • The server switch applies SGACLs based on a "matrix":
        Source SGT   Public   Private
        Staff        Permit   Permit
        Guest        Permit   Deny
• 82. Customer Challenges: ingress access control
  • VLAN assignment (802.1X/MAB/Web Auth): Can I create and manage the new VLANs or IP address scope? How do I deal with DHCP refresh in the new subnet? How do I manage the ACL on the VLAN interface? Do protocols such as PXE or WOL work with VLAN assignment? Any impact on route summarization?
  • ACL download: Who's going to maintain the ACLs? What if my destination IP addresses change? Does my switch have enough TCAM to handle all requests?
  • Traditional access authorization methods leave some deployment concerns: a detailed design before deployment is required, otherwise they are not flexible enough for the changes today's business requires, and the access control project ends up redesigning the whole network.
• 83. What is Secure Group Access?
  • SGA is a part of TrustSec: next-generation access control enforcement
  • Removes the concern about TCAM space for detailed ingress ACLs
  • Removes the concern of ACE explosion on data center firewalls
  • An additional enforcement that allows "stickiness" of infrastructure; now adds stickiness of Cisco ASA firewalls, too
  • Assign a tag at login, then enforce that tag in the data center
• 84. What is a Security Group Tag? A role-based tag:
  1. A user (or device) logs into the network via 802.1X
  2. ISE is configured to send a tag in the authorization result, based on the "role" of the user/device
  3. The switch applies this tag to the user's traffic
• 85. Security Group Based Access Control
  • SGA allows customers to keep the existing logical design at the access layer, to change and apply policy to meet today's business requirements, and to distribute policy from a central management server
  (Diagram: ingress enforcement at 802.1X/MAB/Web Auth: "I'm an employee, my group is HR" results in HR SGT=100 (Finance is SGT=4); egress enforcement by SGACL in front of the HR servers (SGT=100))
• 86. Security Group Based Access Control: Security Group Firewalling
  • Extends the concept to the ASA: use Security Group Tags (SGTs) in your ASA firewall policy! Available in "Arsenal" (1HCY2012)
  (Diagram: same ingress tagging; the ASA rule table gains S-SGT and D-SGT columns beside S-IP, User and D-IP, e.g. a DENY rule keyed on the tags)
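The matrix on slide 81 and the HR/Finance diagrams above are easiest to see as code. The following Python is an added example, not code from the deck or from any Cisco device: it keeps the SGACL matrix keyed by source and destination tag, resolves addresses through IP-to-SGT bindings (the per-session /32 a switch learns at login, or the static server mappings the data center has), and decides each flow. It then logs the same user in at another site to show that the policy does not change when the address does, and counts the ACEs an IP-based ACL would need for the same intent against the SGACL cell, the "ACE explosion" slide 83 refers to. Tag values, subnets, hosts and the policy itself are constructed.

```python
"""Egress enforcement with a Security Group ACL matrix.

Added example, not code from the deck or from any Cisco device. Models
the SGT matrix as policy keyed by (source SGT, destination SGT),
resolves addresses to tags through IP-to-SGT bindings, decides flows,
and compares ACE counts of an IP ACL with an SGACL cell for the same
intent. Tag values, subnets, hosts and policy are constructed.
"""
import ipaddress

PERMIT, DENY = "permit", "deny"

# Role -> SGT, as ISE would return it in the authorization result.
SGT = {"Finance": 4, "HR": 100, "Guest": 200,
       "HR-Servers": 10, "Finance-Servers": 20, "Public-Web": 30}

# SGACL matrix: (src SGT, dst SGT) -> ordered ACEs (proto, dst port, action).
# proto "ip" and port None mean "any"; a missing cell takes DEFAULT_ACTION.
SGACL = {
    (SGT["HR"], SGT["HR-Servers"]): [("tcp", 443, PERMIT), ("tcp", 3389, PERMIT)],
    (SGT["Finance"], SGT["Finance-Servers"]): [("ip", None, PERMIT)],
    (SGT["HR"], SGT["Public-Web"]): [("tcp", 80, PERMIT), ("tcp", 443, PERMIT)],
    (SGT["Finance"], SGT["Public-Web"]): [("tcp", 80, PERMIT), ("tcp", 443, PERMIT)],
    (SGT["Guest"], SGT["Public-Web"]): [("tcp", 443, PERMIT)],
}
DEFAULT_ACTION = DENY


class SgtBindings:
    """IP-to-SGT mappings: static server entries plus per-session /32s."""

    def __init__(self, static):
        self.entries = [(ipaddress.ip_network(net), sgt) for net, sgt in static]

    def login(self, ip, role):
        """Ingress authentication: bind the host's address to its role tag."""
        self.entries.append((ipaddress.ip_network(ip + "/32"), SGT[role]))

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, sgt in self.entries:  # longest prefix wins
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else None


def sgacl_decision(src_sgt, dst_sgt, proto, dport):
    for ace_proto, ace_port, action in SGACL.get((src_sgt, dst_sgt), []):
        if ace_proto in ("ip", proto) and ace_port in (None, dport):
            return action
    return DEFAULT_ACTION


def enforce(bindings, src_ip, dst_ip, proto, dport):
    """What the egress switch or ASA decides for one flow."""
    return sgacl_decision(bindings.lookup(src_ip), bindings.lookup(dst_ip), proto, dport)


def ace_counts(src_subnets, dst_hosts, ports):
    """ACEs for 'these subnets reach these hosts on these ports':
    one per (subnet, host, port) in an IP ACL, one per port in an SGACL cell."""
    return {"ip_acl": src_subnets * dst_hosts * ports, "sgacl": ports}


# Constructed data center bindings (servers are statically mapped).
SERVERS = [("10.200.1.5/32", SGT["HR-Servers"]),
           ("10.200.2.0/24", SGT["Finance-Servers"]),
           ("10.200.9.10/32", SGT["Public-Web"])]


def demo():
    b = SgtBindings(SERVERS)
    b.login("10.10.5.7", "HR")        # Sally, HR, at building A
    b.login("10.20.3.9", "Finance")
    b.login("10.30.0.4", "Guest")
    results = {
        "hr_to_hr_rdp": enforce(b, "10.10.5.7", "10.200.1.5", "tcp", 3389),
        "hr_to_finance": enforce(b, "10.10.5.7", "10.200.2.20", "tcp", 443),
        "guest_to_hr": enforce(b, "10.30.0.4", "10.200.1.5", "tcp", 443),
        "guest_to_web": enforce(b, "10.30.0.4", "10.200.9.10", "tcp", 443),
    }
    # Sally logs in at another site: new address, same tag, same policy.
    b.login("10.77.1.23", "HR")
    results["hr_moved"] = enforce(b, "10.77.1.23", "10.200.1.5", "tcp", 443)
    # No binding at all (never authenticated) resolves to no tag: denied.
    results["unknown_src"] = enforce(b, "192.0.2.1", "10.200.1.5", "tcp", 443)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
    print("20 HR subnets x 15 HR servers x 2 ports:", ace_counts(20, 15, 2))
```

The unknown_src case is the one to keep in mind when deploying: an untagged source only gets the default cell, so the matrix default (deny here) decides what hosts that never authenticated can reach, and that default should be set deliberately rather than left permissive during migration.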
• 87. Media Access Control Security (MACsec)
  • MACsec: Layer-2 encryption (IEEE 802.1AE), an industry standard used as an extension to 802.1X
  • Encrypts the link between the host and the switch; traffic in the backplane is unencrypted for inspection, etc.
  • Requires a supplicant that supports MACsec and the encryption key exchange (MKA, defined in 802.1X-2010)
  (Diagram: encrypted link between the host and the switchport)
• 88. Business Case Evolution: B.Y.O.D.
• 90. Business Case Continues to Evolve: the "i-Revolution"
  • New requirement: "Our CEO went to a retail conference recently and won an iPad. He demands we allow it access to the network, because it is a productivity tool and we are prohibiting his productivity without the iPad."
  • New requirement: allow access to i-devices
  • New term: "Bring Your Own Device" (BYOD)
• 91. Identity Services Engine: policy management for the Borderless Network
  • Context-based access:
    Who? Known users (employees, sales, HR); unknown users (guests)
    What? Device identity; device classification (profile); device health (posture)
    How? Wired, wireless, VPN
    Where? Geographic location, department, SSID / switchport
    When? Date, time, start/stop
    Other? Custom attributes, device/user states, applications used
  • Policy definition, policy enforcement, monitoring and troubleshooting
• 92. How do we Build a BYOD Policy? What are the required parts of the policy?
    Corp asset?     AuthC type          Profile    AuthZ result
    AD member?      Machine certs?      i-Device   Full access
    Static list?    User certs?         Android    Internet only
    MDM?            Username/password   Windows    VDI + Internet
                    Certificate?        Other
• 93-94. Example BYOD Policy in ISE: using a pre-defined list of assets
  (Policy table with columns Device Type, User, Results)
  • Last rule: any user, on any i-device not in the identity group above, is assigned the Guest VLAN
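The policy table on slides 92 to 94 is an ordered, first-match rule set over context: corporate-asset membership, how the endpoint authenticated, AD group, profile and posture. The following Python is an added example, not code from the deck or from ISE: it encodes those rules (a corporate asset with a machine certificate and compliant posture gets full access; an employee on a personal i-device gets Internet only; any other i-device lands in the Guest VLAN; a corporate asset whose posture is not yet compliant gets the remediation dACL from the posture flow) and evaluates constructed sessions against them. Group names, result values, SGT numbers and the session records are assumptions for the example.

```python
"""First-match authorization policy for the BYOD business case.

Added example, not code from the deck or from ISE: an ordered rule set
evaluated over the session context ISE would hold (corporate-asset
identity group, authentication method and certificate type, AD groups,
profiler result, posture status), returning the authorization result as
VLAN, downloadable ACL name and SGT. Group names, result values, tag
numbers and the session records are constructed for the example.
"""

# Constructed identity group of corporate-owned assets, keyed by MAC.
CORP_ASSETS = {"00:1B:63:84:45:E6", "00:50:56:AB:CD:EF"}

RESULTS = {
    "Full-Access":      {"vlan": "CORP",  "dacl": "PERMIT-ALL",          "sgt": 100},
    "Posture-Redirect": {"vlan": "CORP",  "dacl": "POSTURE-REMEDIATION", "sgt": 0},
    "Internet-Only":    {"vlan": "CORP",  "dacl": "INTERNET-ONLY",       "sgt": 200},
    "Guest-VLAN":       {"vlan": "GUEST", "dacl": "INTERNET-ONLY",       "sgt": 200},
    "Deny":             {"vlan": None,    "dacl": None,                  "sgt": None},
}


def is_corp_asset(s):
    return s["mac"] in CORP_ASSETS


def machine_cert(s):
    """Machine authenticated with EAP-TLS and a machine (not user) certificate."""
    return s["auth"] == "EAP-TLS" and s.get("cert_type") == "machine"


def employee(s):
    """A user credential (certificate or password) backed by AD membership."""
    return s["auth"] in ("EAP-TLS", "PEAP-MSCHAPv2") and "Employees" in s.get("ad_groups", [])


def idevice(s):
    return s["profile"] in ("Apple-iPad", "Apple-iPhone", "Apple-iPod")


# Ordered (rule name, condition, result name); the first match wins.
RULES = [
    ("Corp asset, compliant",
     lambda s: is_corp_asset(s) and machine_cert(s) and s["posture"] == "Compliant",
     "Full-Access"),
    ("Corp asset, posture pending",
     lambda s: is_corp_asset(s) and machine_cert(s),
     "Posture-Redirect"),
    ("Employee on personal i-device",
     lambda s: employee(s) and idevice(s) and not is_corp_asset(s),
     "Internet-Only"),
    ("Any i-device not in the corporate list",
     lambda s: idevice(s) and not is_corp_asset(s),
     "Guest-VLAN"),
    ("Default", lambda s: True, "Deny"),
]


def authorize(session):
    """Return (matched rule name, result dict) for one session."""
    for name, condition, result in RULES:
        if condition(session):
            return name, RESULTS[result]
    raise AssertionError("unreachable: the Default rule always matches")


# Constructed sessions as ISE would see them after AuthC and profiling.
SESSIONS = {
    "corp_laptop": {"mac": "00:50:56:AB:CD:EF", "auth": "EAP-TLS", "cert_type": "machine",
                    "ad_groups": ["Employees"], "profile": "Windows-Workstation",
                    "posture": "Compliant"},
    "corp_laptop_stale_av": {"mac": "00:50:56:AB:CD:EF", "auth": "EAP-TLS",
                             "cert_type": "machine", "ad_groups": ["Employees"],
                             "profile": "Windows-Workstation", "posture": "NonCompliant"},
    "ceo_ipad": {"mac": "D8:30:62:11:22:33", "auth": "PEAP-MSCHAPv2",
                 "ad_groups": ["Employees", "Execs"], "profile": "Apple-iPad",
                 "posture": "NotApplicable"},
    "vendor_iphone": {"mac": "D8:30:62:44:55:66", "auth": "WebAuth", "ad_groups": [],
                      "profile": "Apple-iPhone", "posture": "NotApplicable"},
    "unknown_box": {"mac": "00:11:22:33:44:55", "auth": "MAB", "profile": "Unknown",
                    "posture": "NotApplicable"},
    # An iPad presenting a corporate MAC: no machine cert, so no asset rule applies.
    "ceo_ipad_spoofed_mac": {"mac": "00:50:56:AB:CD:EF", "auth": "PEAP-MSCHAPv2",
                             "ad_groups": ["Employees"], "profile": "Apple-iPad",
                             "posture": "NotApplicable"},
}


def demo():
    return {name: authorize(s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, (rule, result) in demo().items():
        print(f"{name:22} {rule:40} {result}")
```

The ceo_ipad_spoofed_mac session shows why the corporate-asset list is combined with a machine certificate rather than trusted on its own: a corporate MAC presented over PEAP with a user password matches none of the asset rules, and because it also fails the "not a corporate asset" conditions it falls through to Default. A MAC address is copied far more easily than a private key, which is the reason the deck's table pairs "Corp asset?" with "AuthC type".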
• 95. Summary
• 96. Links
  • TrustSec & ISE on Cisco.com: http://www.cisco.com/go/trustsec, http://www.cisco.com/go/ise, http://www.cisco.com/go/isepartner
  • TrustSec & ISE Deployment Guide: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  • YouTube, Fundamentals of TrustSec: http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew
• 97. Q&A
• 98. We value your feedback. Please be sure to complete the Breakout Sessions Evaluation Form. Access today's presentations at cisco.com/ca/ciscoplus. Follow @CiscoCanada and join the #CiscoPlus conversation.