Identity Services Engine (ISE)

Identity Services Engine - ISE (Nathan Boyd)

Page 1: Identity Services Engine (ISE)

Page 2: Identity Services Engine – Policy based access

Nathan Boyd, Consulting Systems Engineer

Page 3: For your Reference (related Cisco Live sessions)

© 2014 Cisco and/or its affiliates. All rights reserved. BRKEWN-2020 Cisco Public

§  BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76566

§  BRKSEC-2044 - Building an Enterprise Access Control Architecture with ISE (2014 Milan) - 2 Hours https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76593

§  BRKSEC-3035 - Successful designing and deploying Cisco's ISE 1.2/MDM integration (2014 Milan) - 90 Mins https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76611

§  BRKSEC-2692 - Identity Based Networking: IEEE 802.1X and Beyond (2014 Milan) - 90 Mins https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76607

Page 4: Cisco Identity Services Engine (ISE)

Functions provided by ISE:

•  Centralized Policy
•  RADIUS Server
•  Posture Assessment
•  Guest Access Services
•  Device Profiling
•  Client Provisioning
•  MDM
•  Monitoring, Troubleshooting, Reporting

Figure: ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server converge into the Identity Services Engine.

Page 5: Authentication and Authorization – What are they?

Authentication (802.1X / MAB / WebAuth) tells what/who the endpoint/user is.

Authorization tells what the endpoint/user can access.

Page 6: ISE Policy Rules

1. Authentication Rules
•  Define which identity stores to reference.
•  Example – Active Directory, CA Server, Internal DB, etc.

2. Authorization Rules
•  Define what users and devices get access to which resources.
•  Example – All Employees with Windows laptops have full access.

Page 7: Policy Sets on ISE

Page 8: Policy Sets on ISE

Page 9: Authentication Rules

If this/these condition(s) is/are matched, then…
…allow this list of authentication protocols, and…
…optionally check further (sub)rule(s)…
…or just use the default rule…
…to pick the database for verifying the endpoint/user's identity.

Page 10: Factors in Choosing an EAP Method – The Most Common EAP Types are PEAP and EAP-TLS

Factors: EAP Type(s) Deployed, Client Support, Security vs. Complexity, Authentication Server Support.

§  Most clients, such as Windows, Mac OS X and Apple iOS devices, support EAP-TLS and PEAP (MS-CHAPv2).

‒  Additional supplicants can add more EAP types (Cisco AnyConnect).

§  Certain EAP types (TLS) can be more difficult to deploy than others, depending on device type.

§  Cisco ISE Supplicant Provisioning can aid in the deployment.

Page 11: ISE's Identity Stores

§  Cisco ISE can reference a variety of backend identity stores, including Active Directory, PKI, LDAP, RSA SecurID and RADIUS Token.

§  ISE's local database can also be used, and ERS APIs are supported for remote management.

Figure (Machine / User / MAC Authentication): the endpoint presents a credential over EAPoL – a user/password pair (e.g. user1 / C#2!ç@_E(), a certificate, or a token – and ISE verifies it over RADIUS against the backend database(s): Active Directory, Generic LDAP or PKI; RSA SecurID; RADIUS Token; Local DB.

Page 12: Authorization Rules

Each rule consists of: Rule Name | Condition(s) | Result(s)

Page 13: Authorization Conditions

Sources for an AuthZ Condition:

•  External Identity Groups
•  Directory Attributes
•  Profiled Groups
•  Posture State
•  RADIUS & Session Attributes

Page 14: Authorization Results – Permissions

Pre-canned and user-defined attributes.

Page 15: Converged Access – Downloadable ACL Support

Download - http://www.miercom.com/2013/05/cisco-wlc-5760/

Page 16: Cisco Wireless LAN Controller ACLs – Layer 3-4 Filtering at Line-rate

§  ACLs provide L3-L4 policy and can be applied per interface or per user.

§  Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs.

§  Up to 64 rules can be configured per ACL.

Figure: Wired LAN; ACLs applied Inbound and Outbound; Implicit Deny All at the End.

Page 17: FlexConnect and AAA Override – Setting the VLAN for Locally Switched Clients

Figure: the FlexConnect AP is reached across the WAN; ISE returns the VLAN (502) in the RADIUS attributes IETF 64 (Tunnel-Type), IETF 65 (Tunnel-Medium-Type) and IETF 81 (Tunnel-Private-Group-ID).

Switch port facing the AP:

interface GigabitEthernet0/37
 description AP_3702
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,502-504
 switchport mode trunk

Create a sub-interface on the FlexConnect AP and (optionally) set the ACL on the VLAN.

Page 18: Cisco Wireless User-Based QoS Capabilities – Allowing Per-User and Per-Device Limiting of the Maximum QoS Level

Figure: WMM queues Voice, Video, Best Effort, Background; Call Manager, Access Point and WLC; Employee – Platinum QoS, Contractor – Silver QoS; QoS-tagged packets.

For the Employee user, the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the WMM Voice Queue.

For the Contractor user, the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort Queue.

Page 19: Security Group Access (SGA) – Converged Access (CA) architecture

Figure: users and endpoints on VLAN 100 authenticate through a 3850 / 5760 via 802.1X, MAB or WebAuth (agent-less device) against ISE backed by Active Directory; the endpoint is assigned SGT=5; the IT Portal (SGT 4) is 10.1.100.10; SGT enforcement is applied on the switch.

SGT-IP bindings:

IP Address   SGT
10.1.10.102    5
10.1.100.10    4
10.1.99.100   12

SGT = Security Group Tag, SXP = SGT eXchange Protocol, SGACL = SGT ACL

SGACL: deny sgt-src 5 sgt-dst 4

See also BRKEWN-2022, BRKSEC-2203.

Page 20: Security Group Access (SGA) – Cisco Unified Wireless Network (CUWN) architecture

Figure: users and endpoints on VLAN 100 authenticate through a 2504 / 5508 WLC via 802.1X, MAB or WebAuth (agent-less device) against ISE backed by Active Directory; the endpoint is assigned SGT=5; the IT Portal (SGT 4) is 10.1.100.10 in the campus network behind a Catalyst 3750-X and a Cat 6500 distribution layer; frames leave the WLC untagged and are tagged by the Catalyst 3750-X, where SGT enforcement happens.

The WLC (SXP speaker) sends the IP-to-SGT binding table via SXP to SGT tagging or SGACL capable devices (SXP listener, e.g. Catalyst 3750-X).

IP Address   SGT
10.1.10.102    5
10.1.10.110   14
10.1.99.100   12

SGT = Security Group Tag, SXP = SGT eXchange Protocol, SGACL = SGT ACL

SGACL: deny sgt-src 5 sgt-dst 4

See also BRKSEC-2203, BRKSEC-3690.
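The two SGA slides above, modelled as an added example (not code from the deck): the SXP listener learns the IP-to-SGT bindings the WLC advertises and evaluates the slide's SGACL "deny sgt-src 5 sgt-dst 4" on IP pairs. The bindings are the ones in the slide tables; the default-permit behaviour and SGT 0 for hosts without a binding are assumptions of this model.

```python
# Added example, not taken from the slides: evaluate the SGACL
# "deny sgt-src 5 sgt-dst 4" from slides 19-20 against the IP-to-SGT
# bindings that the WLC, as SXP speaker, pushes to an enforcement point.
# Binding values come from the slide tables; the default-permit behaviour
# and SGT 0 for unknown hosts are assumptions of this model.
import ipaddress
from dataclasses import dataclass, field

UNKNOWN_SGT = 0  # assumption: hosts without a binding fall into "Unknown"

# Constructed from the binding tables on slides 19 and 20.
SXP_BINDINGS = {
    "10.1.10.102": 5,   # authenticated employee endpoint (SGT=5)
    "10.1.10.110": 14,
    "10.1.100.10": 4,   # IT Portal (SGT 4)
    "10.1.99.100": 12,
}


@dataclass(frozen=True)
class SgaclRule:
    action: str  # "permit" or "deny"
    src_sgt: int
    dst_sgt: int


def parse_sgacl(line):
    """Parse the slide's SGACL syntax: '<permit|deny> sgt-src <n> sgt-dst <m>'."""
    parts = line.split()
    if (len(parts) != 5 or parts[0] not in ("permit", "deny")
            or parts[1] != "sgt-src" or parts[3] != "sgt-dst"):
        raise ValueError(f"unrecognised SGACL line: {line!r}")
    return SgaclRule(parts[0], int(parts[2]), int(parts[4]))


@dataclass
class SgaEnforcer:
    """An SXP listener (e.g. the Catalyst 3750-X) holding bindings and SGACLs."""
    bindings: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)
    default_action: str = "permit"  # assumption: no matching cell -> permit

    def learn_binding(self, ip, sgt):
        # Canonicalise the address string before using it as a key.
        self.bindings[str(ipaddress.ip_address(ip))] = sgt

    def sgt_of(self, ip):
        return self.bindings.get(str(ipaddress.ip_address(ip)), UNKNOWN_SGT)

    def decide(self, src_ip, dst_ip):
        """First matching (src SGT, dst SGT) cell wins; otherwise the default."""
        src, dst = self.sgt_of(src_ip), self.sgt_of(dst_ip)
        for rule in self.rules:
            if rule.src_sgt == src and rule.dst_sgt == dst:
                return rule.action
        return self.default_action


def build_enforcer():
    enforcer = SgaEnforcer()
    for ip, sgt in SXP_BINDINGS.items():
        enforcer.learn_binding(ip, sgt)
    enforcer.rules.append(parse_sgacl("deny sgt-src 5 sgt-dst 4"))
    return enforcer


if __name__ == "__main__":
    e = build_enforcer()
    print("employee -> IT portal:", e.decide("10.1.10.102", "10.1.100.10"))
    print("SGT 14 host -> IT portal:", e.decide("10.1.10.110", "10.1.100.10"))
```

The unknown-host path is the one to watch in a deployment: if the WLC's bindings never reach the enforcement point, every source scores SGT 0 and traffic silently falls back to the default cell.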

Page 21: ISE Profiling

Is the MAC address from Apple?
Does the DHCP hostname contain "iPad"?
Is the HTTP user-agent from an iPad?

→ Apple iPad

Page 22: ISE Profiling – Example of built-in policies

Built-in policy families: Smart Phones, Gaming Consoles, Workstations.

1. Multiple rules establish the certainty level.
2. A minimum certainty is required for a match.

Page 23: Client attributes and traffic for Profiling – How RADIUS, HTTP, DNS and DHCP (and other traffic) are used to classify clients

§  ISE uses multiple attributes to build a complete picture of the end client's device profile.

§  Information is collected from sensors which capture different attributes – ISE can even kick off an NMAP scan of the host IP to determine more details.

Figure (attribute sources feeding ISE):

1. RADIUS – the MAC address is checked against the known vendor OUI database.

2. DHCP/HTTP sensor – the client's DHCP/HTTP attributes are captured by the AP and provided in RADIUS Accounting messages by the WLC.

DNS Server – a lookup of the DNS entry for the client's IP address reveals the hostname.

HTTP User-Agent – mobile devices are quite chatty for web applications, or they can also be redirected to one of ISE's portals.

Page 24: Local Client Profiling and Local Policy since WLC 7.5

Cisco WLC configuration (Steps 1-3 in the figure):

•  Enable DHCP and HTTP Local Client Profiling on the WLAN.
•  Device Type – 88 pre-defined client profiles.
•  Local Policy based on Device Type.

Page 25: Assigning WLC Local Policy based on Role

Figure: the RADIUS server returns role=Employee or role=Contractor to the controller, and the controller applies the local policy matching that Role.

Page 26: Other Local Policy Options

•  Time of Day – active hours for the policy (time based policy).
•  Wireless Client Authentication EAP Type – LEAP, EAP-FAST, EAP-TLS, PEAP.

Page 27: Local Policy Actions

Enforced policy: ACL, VLAN, QoS, Session Timeout.

Page 28: Applying Local Policies to WLANs and AP Groups

Restriction: the first matched rule applies.

A maximum of 16 policies can be created per WLAN / AP Group, and 64 globally.

Native Profiling per WLAN; Native Profiling per AP Group.

Page 29: Differentiating Guest Access via User Groups – External Database

§  Multiple groups can be created in ISE.

§  Each group can contain:

•  Guest DB users (created by Sponsor and Self-service)
•  Internal DB users (created by Administrators)
•  External groups mapped in ISE

Figure: mapping example for AD in the Identity Services Engine.

Those groups can be used in different authorization rules to differentiate network access.

Page 30: ISE – Sponsor Portal

§  Customizable sponsor pages

§  Sponsor privileges tied to defined sponsor policy

•  Roles a sponsor can create
•  Time profiles that can be assigned
•  Management of other guest accounts
•  Single or bulk account creation

Page 31: ISE – Guest Self-Service

Page 32: Client Provisioning – Simplifying device management

Reduced Burden on IT Staff: Device On-Boarding, Self Registration, Supplicant Provisioning, Certificate Provisioning.

Self Service Model: My Devices Portal for registration, Guest Sponsor Portal.

Device Black Listing: user initiated (users control their devices: black-listing, re-instating a device, etc.).

Support for: iOS (6.0+), Mac OS X (10.6+), Android (2.2+), Windows (XP+).

Page 33: "My Devices" Portal – Self-Registration and Self-Blacklisting of BYOD Devices

1. New devices can be added with a description.
2. Devices can be self-registered, up to an administrator-defined limit.
3. Devices can be blacklisted by the user.

Page 34: Apple iOS Device Provisioning

Components: CA-Server, ISE, WLC.

1. Initial connection using PEAP.
2. Device Provisioning Wizard, followed by a Change of Authorization.
3. Future connections using EAP-TLS.

Page 35: Android Device Provisioning

Components: CA-Server, ISE, WLC.

1. Initial connection using PEAP; redirection to the Android Marketplace to install the provisioning utility.
2. Provisioning using the Cisco Wi-Fi Setup Assistant.
3. Change of Authorization.
4. Future connections using EAP-TLS.

Page 36: Client Provisioning Policy

Policy rows are keyed on User, OS and Supplicant.

Page 37: MDM Integration

Device attributes available from the MDM: Jail Broken, PIN Locked, Encryption, ISE Registered, MDM Registered.

See also BRKSEC-3035.

Page 38: Visibility with Prime Infrastructure and ISE Integration

•  Both wired + wireless clients in a single list.
•  Device identity from the ISE integration.
•  Policy information, including the Windows AD domain.
•  AAA Override parameters applied to the client.

Page 39: Which Policy for which Endpoint/User

§  Corporate PCs
§  Other Corporate Machines and Mobile Devices
§  Employee Owned Devices
§  Guests
§  Contractors
§  Others

Page 40: Corporate Machines and Users – Identities

MAC address, Certificate, Login/Password, Other.

Page 41: Got AD?

§  If using AD machine GPOs in a Windows environment, you may want to enable 802.1X machine authentication.*

§  User authentication can be added on top, still through 802.1X, or be delegated to Windows logon (even if not outside the company domain).

Figure: Active Directory.

* Microsoft introduced the concept of machine authentication also for this purpose.

Page 42: Machine and User Authentication

With the native Windows 802.1X supplicant:

§  The same EAP method is used for both machine and user.
§  Once logged in to Windows, since the user's identity is available, only user authentication is triggered.

With Cisco AnyConnect NAM:

§  Different, separate EAP methods can be used for the machine and the user.
§  EAP Chaining supports authenticating both the machine and the user, in the same session, whenever 802.1X is triggered.

How to force a user to authenticate from an already authenticated machine?

Page 43: Machine Access Restriction (MAR)

•  Supplicant agnostic.
•  The network access device (NAD) sends the endpoint's MAC in the RADIUS attribute [31] Calling-Station-ID.
•  ISE caches the MAC address of the authenticated machine in the MAR cache.
•  When the user authenticates from the same device, ISE can tell it's from the previously authenticated machine thanks to the MAR cache.
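The MAR mechanism above as an added example (not code from the deck or from ISE): a machine authentication caches the normalised Calling-Station-ID, and a later user authentication from the same MAC is flagged accordingly. The 8-hour aging time, the MAC formats and the sample RADIUS attribute sets are constructed assumptions; the result key mirrors the WasMachineAuthenticated condition ISE exposes to authorization rules.

```python
# Added example, not taken from the slides: a minimal model of the MAR cache
# described on slide 43. A successful machine authentication caches the MAC
# carried in RADIUS attribute [31] Calling-Station-ID; a later user
# authentication from the same MAC is then recognised as coming from an
# already-authenticated machine. The 8-hour aging time, the sample attribute
# sets and the MAC formats are constructed assumptions; the result key mirrors
# the WasMachineAuthenticated condition used in ISE authorization rules.
import re
from datetime import datetime, timedelta

MAR_AGING = timedelta(hours=8)  # assumption; the aging time is configurable in ISE


def normalise_mac(calling_station_id):
    """NADs send MACs as 00-1A-2B-3C-4D-5E, 00:1a:2b:... or 001a.2b3c.4d5e;
    compare them in one canonical form so the cache lookup cannot miss."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits.lower()


class MarCache:
    def __init__(self, aging=MAR_AGING):
        self.aging = aging
        self._expiry = {}  # canonical MAC -> time the entry ages out

    def machine_authenticated(self, radius_attrs, now):
        """Record a successful machine (host/...) authentication."""
        mac = normalise_mac(radius_attrs["Calling-Station-ID"])
        self._expiry[mac] = now + self.aging

    def evaluate_user_request(self, radius_attrs, now):
        """Facts an authorization rule can test for a user authentication."""
        mac = normalise_mac(radius_attrs["Calling-Station-ID"])
        expiry = self._expiry.get(mac)
        if expiry is None or expiry <= now:
            self._expiry.pop(mac, None)  # expired entries are dropped lazily
            return {"mac": mac, "WasMachineAuthenticated": False}
        return {"mac": mac, "WasMachineAuthenticated": True}


def demo():
    """Constructed RADIUS attribute sets: one machine auth, then user auths."""
    t0 = datetime(2014, 1, 27, 9, 0)
    cache = MarCache()
    machine = {"User-Name": "host/CORP-LAPTOP-01.corp.example",
               "Calling-Station-ID": "00-1A-2B-3C-4D-5E"}
    user_same_device = {"User-Name": "DOMAIN\\employee",
                        "Calling-Station-ID": "00:1a:2b:3c:4d:5e"}
    user_other_device = {"User-Name": "DOMAIN\\employee",
                         "Calling-Station-ID": "0011.2233.4455"}
    cache.machine_authenticated(machine, t0)
    five_min = t0 + timedelta(minutes=5)
    return (
        cache.evaluate_user_request(user_same_device, five_min)["WasMachineAuthenticated"],
        cache.evaluate_user_request(user_other_device, five_min)["WasMachineAuthenticated"],
        # same device, but after the cache entry has aged out
        cache.evaluate_user_request(user_same_device, t0 + timedelta(hours=9))["WasMachineAuthenticated"],
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that MAR keys on the MAC alone: a hit proves that a machine with that MAC authenticated within the aging window, not that the user session runs on the same OS instance, which is why the next slide's EAP Chaining binds machine and user in one session.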

Page 44: EAP Chaining

•  Supported with AnyConnect 3.1 and ISE.
•  It relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session.
•  If no user information is available (logged out), only machine credentials are used.
•  If the user's identity is also available, both machine and user information will be used for 802.1X authentication.

Page 45: Access Enforcement

§  Changing VLAN between machine and user authentication is supported.
*  Some supplicants (XP SP2/3) do not detect it and do not trigger IP renewal.

§  While keeping the same VLAN, a different ACL/SGT can be applied to the machine and the user.
✓  This is more "client agnostic" as it does not require IP renewal.

Figure: Machine VLAN and User VLAN on a 5760.

Page 46: Corporate non-Windows Machines

§  There is no concept of machine authentication as with Windows.

§  Through ISE we could still link some attributes of the user's identity/account to the machine.

Page 47: Corporate Mobile Devices

•  Specific EAP methods and account/certificate attributes.
•  Force 802.1X through a device-specific certificate, then WebAuth to verify the user behind it.
•  Go for MDM.

Page 48: Asking the External DB

Page 49: Find Something Special on Corporate Devices

dhcp-user-class-id = 43:6f:72:70:50:43 → Profiling Policy = "corp_laptop"

dhcp-user-class-id = 62:6c:61:62:6c:61 → no match

Setting the class on a corporate Windows machine:

C:\>ipconfig /setclassid "Local Area Connection" CorpPC

http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
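The profiling flow of slides 21-23 and the dhcp-user-class-id trick on this slide, as one added example (not code from the deck or from ISE): rules add certainty, a policy matches once its minimum certainty is reached, and the DHCP user class is decoded from the hex octets shown above. Endpoint attribute sets are constructed; the certainty weights, minimums and the Apple OUI sample are assumptions, not ISE's built-in values.

```python
# Added example, not taken from the slides: a toy version of ISE's
# certainty-based profiling (slides 21-23) extended with the
# dhcp-user-class-id check from slide 49. Endpoint attribute sets are
# constructed; the certainty weights, minimum certainties and the Apple OUI
# sample are assumptions, not ISE's built-in values.
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    certainty: int
    matches: Callable[[dict], bool]


@dataclass(frozen=True)
class ProfilingPolicy:
    name: str
    min_certainty: int  # slide 22: "Minimum Certainty for a Match"
    rules: Tuple[Rule, ...]

    def score(self, endpoint):
        """Slide 22: multiple rules add up to a certainty level."""
        return sum(r.certainty for r in self.rules if r.matches(endpoint))


APPLE_OUIS = {"001CB3", "28CFDA", "F0D1A9"}  # constructed sample, not a full list


def oui(mac):
    return mac.replace(":", "").replace("-", "").replace(".", "").upper()[:6]


def decode_user_class(octets):
    """Slide 49 shows the DHCP user class as hex octets: '43:6f:72:70:50:43' -> 'CorpPC'."""
    if not octets:
        return ""
    try:
        return bytes(int(o, 16) for o in octets.split(":")).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return ""


def attr(endpoint, name):
    return str(endpoint.get(name, "")).lower()


IPAD = ProfilingPolicy("Apple-iPad", 30, (
    Rule("MAC OUI is Apple", 10, lambda ep: oui(attr(ep, "MACAddress")) in APPLE_OUIS),
    Rule("DHCP host-name contains iPad", 20, lambda ep: "ipad" in attr(ep, "dhcp-host-name")),
    Rule("HTTP User-Agent is iPad", 20, lambda ep: "ipad" in attr(ep, "User-Agent")),
))
CORP_LAPTOP = ProfilingPolicy("corp_laptop", 10, (
    Rule("DHCP user class is CorpPC", 10,
         lambda ep: decode_user_class(ep.get("dhcp-user-class-id", "")) == "CorpPC"),
))
POLICIES = (IPAD, CORP_LAPTOP)


def classify(endpoint, policies=POLICIES):
    """Best policy whose score reaches its minimum certainty, else ('Unknown', 0)."""
    best = ("Unknown", 0)
    for policy in policies:
        score = policy.score(endpoint)
        if score >= policy.min_certainty and score > best[1]:
            best = (policy.name, score)
    return best


# Constructed endpoints as ISE would see them from RADIUS accounting / probes.
SAMPLE_ENDPOINTS = {
    "ipad": {"MACAddress": "28:cf:da:11:22:33", "dhcp-host-name": "Nathans-iPad",
             "User-Agent": "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X)"},
    "apple_oui_only": {"MACAddress": "28:cf:da:44:55:66"},  # 10 < 30: not enough
    "corp_laptop": {"MACAddress": "00:50:56:aa:bb:cc",
                    "dhcp-user-class-id": "43:6f:72:70:50:43"},
    "other_laptop": {"MACAddress": "00:50:56:aa:bb:cd",
                     "dhcp-user-class-id": "62:6c:61:62:6c:61"},  # "blabla"
}

if __name__ == "__main__":
    for label, ep in SAMPLE_ENDPOINTS.items():
        print(label, classify(ep))
```

Everything these rules read (MAC, DHCP options, User-Agent) is supplied by the endpoint itself, so a profiling match is a classification to drive convenience and policy selection, not a substitute for the certificate or user authentication the earlier slides describe.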

Page 50: Empower your Employees

Figure: employee authenticating as DOMAIN\employee.

On the WLC:

config advanced eap max-login-ignore-identity-response disable

Page 51: Empower your Employees

Page 52: Empower your Employees

§  Dedicated guest account groups can be used to authenticate via 802.1X.

§  External guests won't be able to obtain the same type of credentials.

Figure: sample account [email protected] with password U45&%ci3@d.

Page 53: Guests

§  Lobby ambassador and sponsor capabilities on the WLC, Cisco Prime and ISE.

Page 54: Guests – Some options to manage them

–  Guest management services through a dedicated Sponsor interface.
–  The guest identity store (local or external) is supported with LWA and CWA.
–  Captive portals can be customized and localized (more in the next slides…).
–  Guest users can be assigned to dedicated VLANs, ACLs, QoS profiles, etc.
–  Guests can go through additional checks, such as compliance, MDM, etc.

Page 55: Differentiating Guest Portals

§  How could we redirect guests from a specific WLAN or a specific location to separate portals?

Page 56: Differentiating Guest Portals

§  How could we redirect guests to separate portals based on their location or their WLAN?

Use RADIUS attribute [30] Called-Station-ID in the authorization condition.

Page 57: Differentiating Guest Portals

§  How could we redirect guests from a specific WLAN or a specific location to separate portals?
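Portal selection on Called-Station-ID as an added example (not code from the deck or from ISE): the attribute is split into AP MAC and SSID, the AP MAC is mapped to a site, and ordered rules pick a portal the way ISE authorization rules would. The "<AP MAC>:<SSID>" format is an assumption to verify against your WLC's call-station-id setting; the AP-to-site table, SSID and portal names are constructed.

```python
# Added example, not taken from the slides: pick a guest portal from RADIUS
# attribute [30] Called-Station-ID (slide 56). The WLC can send this
# attribute as "<AP MAC>:<SSID>"; the AP-to-site table, SSID and portal
# names below are constructed, and the format is an assumption to check
# against your own WLC's call-station-id setting.
import re

# MAC in either 00-1a-... or 00:1a:... form, optionally followed by ":<SSID>".
CALLED_STATION_ID = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})(?::(?P<ssid>.+))?$")

# Constructed mapping of AP radio MACs to sites.
AP_SITE = {
    "00-1a-2b-3c-4d-50": "Milan-HQ",
    "00-1a-2b-3c-4d-60": "Rome-Branch",
}

# Ordered like ISE authorization rules: the first match wins.
PORTAL_RULES = [
    ({"ssid": "Partner-WiFi"}, "PartnerPortal"),
    ({"ssid": "Guest", "site": "Rome-Branch"}, "RomeGuestPortal"),
    ({"ssid": "Guest"}, "CorporateGuestPortal"),
]
DEFAULT_PORTAL = "CorporateGuestPortal"  # assumption for anything unmatched


def parse_called_station_id(value):
    """Split the WLC's Called-Station-ID into AP MAC, SSID and site."""
    m = CALLED_STATION_ID.match(value.strip())
    if not m:
        raise ValueError(f"unexpected Called-Station-ID format: {value!r}")
    mac = m.group("mac").lower().replace(":", "-")
    return {"ap_mac": mac, "ssid": m.group("ssid"), "site": AP_SITE.get(mac, "Unknown")}


def select_portal(called_station_id):
    facts = parse_called_station_id(called_station_id)
    for conditions, portal in PORTAL_RULES:
        if all(facts.get(k) == v for k, v in conditions.items()):
            return portal
    return DEFAULT_PORTAL


if __name__ == "__main__":
    print(select_portal("00-1a-2b-3c-4d-60:Guest"))        # RomeGuestPortal
    print(select_portal("00:1A:2B:3C:4D:50:Partner-WiFi"))  # PartnerPortal
```

Unlike the profiling attributes, Called-Station-ID is written by the NAD rather than the client, so it is a sound location signal as long as the RADIUS shared secrets and the list of trusted NADs on ISE are kept tight.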

Page 58: Restricting Guests from a Specific Sponsor and Site

§  Create a sponsor group on ISE restricting guest creation to a specific group.

§  Assign sponsor users with specific attributes to the sponsor group.

Page 59: Restricting Guests from a Specific Sponsor and Site

§  Authorize guests based on their group managed by that same sponsor.

Page 60: Contractors and "more than guest" Users

Guest groups flagged as "ActivatedGuest" are enabled to authenticate through other (802.1X) methods, not just through the web portal.

Page 61: Contractors – Additional Checks

Page 62: Identity Services Engine (ISE)

Page 63: Additional Configuration Notes for Your Reference

Page 64: Steps for Integrating the WLC and ISE (For Your Reference)

1. Configure WLAN for 802.1X Authentication
•  Configure RADIUS Server on Controller
•  Set up WLAN for AAA Override, Profiling and RADIUS NAC

2. Configure ISE Profiling
•  Enable profiling probes

3. Set up Access Restrictions
•  Configure ACLs to filter and control network access.

Page 65: AAA Override Attributes – Cisco Wireless LAN Controller (For Your Reference)

Network Access
•  RADIUS "Tunnel-Type" + "Tunnel-Medium-Type" + "Tunnel-Private-Group-ID"
•  Set the Interface to which the client is connected (VLAN).

Network Restrictions
•  Cisco "Airespace-ACL-Name"
•  Sets the Access Control List used to filter traffic to/from the client.

Quality of Service
•  Cisco "Airespace-QOS-Level"
•  Sets the maximum QoS queue level available for use by the client (Bronze, Silver, Gold or Platinum).
•  Cisco "Airespace-802.1p-Tag" and/or "Airespace-DSCP-Tag"
•  Sets the maximum QoS tagging level available for use by the client.

Page 66: URL Redirection – Central Web Auth, Client Provisioning, Posture (For Your Reference)

§  Url-Redirect: for CWA, Client Provisioning, Posture and MDM, the URL value is returned as a Cisco AV-pair RADIUS attribute.

Ex: cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

§  Url-Redirect-Acl: this ACL specifies the traffic to be permitted (i.e., bypass redirection) or denied (i.e., trigger redirection). The ACL is returned as a named ACL on the WLC.

Ex: cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT

ACL entries define traffic subject to redirection (deny) and traffic to bypass redirection (permit).
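The attributes of slides 65 and 66, plus the QoS ceiling of slide 18, decoded as an added example (not code from the deck, ISE or the WLC): an Access-Accept attribute set is turned into the interface/VLAN, ACL, QoS level and redirect the WLC would enforce, with the consistency checks a practitioner wants (the Tunnel-* triple must go together; a url-redirect without its ACL redirects nothing). The sample Access-Accept is constructed; Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802) are the RFC 2868 values; the DSCP-to-WMM table is a common default and an assumption here.

```python
# Added example, not taken from the slides: decode the Access-Accept
# attributes that slides 65 and 66 list into the enforcement a WLC applies
# (interface/VLAN from the Tunnel-* triple, Airespace-ACL-Name,
# Airespace-QOS-Level, url-redirect and url-redirect-acl), and apply the
# per-user QoS ceiling from slide 18. The sample Access-Accept is
# constructed; Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802)
# are the RFC 2868 values; the DSCP-to-WMM table is a common default and
# an assumption here.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6

# Airespace-QOS-Level -> highest WMM queue the client may use (slide 18).
QOS_CEILING = {"Platinum": "Voice", "Gold": "Video",
               "Silver": "Best Effort", "Bronze": "Background"}
QUEUE_RANK = {"Background": 0, "Best Effort": 1, "Video": 2, "Voice": 3}
DSCP_QUEUE = {46: "Voice", 34: "Video", 0: "Best Effort", 8: "Background"}  # EF, AF41, BE, CS1


@dataclass
class Enforcement:
    interface: Optional[str] = None      # VLAN id or WLC interface name
    acl_name: Optional[str] = None
    qos_level: Optional[str] = None
    redirect_url: Optional[str] = None
    redirect_acl: Optional[str] = None
    session_id: Optional[str] = None


def parse_av_pairs(values):
    """cisco-av-pair values are 'key=value'; slide 66 shows them with a
    'cisco:cisco-av-pair=' prefix, which is stripped here."""
    pairs = {}
    for raw in values:
        for prefix in ("cisco:", "cisco-av-pair="):
            if raw.startswith(prefix):
                raw = raw[len(prefix):]
        key, sep, value = raw.partition("=")  # only the first '=' separates key and value
        if not sep:
            raise ValueError(f"malformed av-pair: {raw!r}")
        pairs[key.strip()] = value.strip()
    return pairs


def decode_access_accept(attrs):
    e = Enforcement()
    group = attrs.get("Tunnel-Private-Group-ID")
    if group is not None:
        # Slide 65: all three tunnel attributes together select the interface.
        if (attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
                or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_TYPE_802):
            raise ValueError("Tunnel-Private-Group-ID needs Tunnel-Type=VLAN and Tunnel-Medium-Type=802")
        e.interface = str(group)
    e.acl_name = attrs.get("Airespace-ACL-Name")
    qos = attrs.get("Airespace-QOS-Level")
    if qos is not None and qos not in QOS_CEILING:
        raise ValueError(f"unknown Airespace-QOS-Level {qos!r}")
    e.qos_level = qos
    av = parse_av_pairs(attrs.get("cisco-av-pair", []))
    e.redirect_url = av.get("url-redirect")
    e.redirect_acl = av.get("url-redirect-acl")
    if e.redirect_url:
        e.session_id = parse_qs(urlsplit(e.redirect_url).query).get("sessionId", [None])[0]
        if not e.redirect_acl:
            # Without the named ACL the WLC has no rule saying which traffic to redirect.
            raise ValueError("url-redirect without url-redirect-acl")
    return e


def effective_queue(dscp, qos_level):
    """Slide 18: packets keep their marking only up to the user's QoS ceiling."""
    wanted = DSCP_QUEUE.get(dscp, "Best Effort")
    ceiling = QOS_CEILING[qos_level]
    return wanted if QUEUE_RANK[wanted] <= QUEUE_RANK[ceiling] else ceiling


# Constructed CWA Access-Accept; host name, session id and ACL names are placeholders.
SAMPLE_CWA_ACCEPT = {
    "Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "502",
    "Airespace-ACL-Name": "ACL-GUEST",
    "Airespace-QOS-Level": "Silver",
    "cisco-av-pair": [
        "cisco:cisco-av-pair=url-redirect=https://ise.example.com:8443/guestportal/gateway"
        "?sessionId=0a0101020000001a52e6d6c0&action=cwa",
        "cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT",
    ],
}
```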

Page 67: Configuring ISE as the Authentication and Accounting Server (For Your Reference)

1. Enable "RFC 3576" to support RADIUS Change of Authorization.
2. Add ISE to the Accounting Servers to receive session statistics and profiling data.

Page 68: Configuring the WLAN for Secure SSID – Enabling Secure Authentication and Encryption with WPA2-Enterprise (For Your Reference)

1. WPA2 security with AES encryption.
2. 802.1X as the authentication key management (CCKM optional).

Page 69: Setting the WLAN QoS Level – Using WMM, the QoS Level is Based on the Marking of the Packet (For Your Reference)

§  If WMM is set to Allowed, the Quality of Service configuration serves as a limit for the entire SSID.

§  Ensure all controller uplinks, media servers and Access Points have proper Quality of Service trust commands on the switch ports.

1. This acts as an upper limit, or ceiling, for the WLAN's QoS configuration.

Page 70: Configuring the WLAN for ISE Identity-based Networking Cont'd (For Your Reference)

1. Allow AAA Override to support dynamic RADIUS attributes.
2. Enable RADIUS NAC to accept RADIUS Change of Authorization messages for this SSID.
3. Enable RADIUS Client Profiling to send DHCP and HTTP attributes to ISE via RADIUS accounting.

Page 71: Configuring ISE Profiling Probes (For Your Reference)

§  Profiling relies on a multitude of "probes" to classify the client's device type.

§  Profiling can always be achieved through a SPAN port; more efficient profiling is achieved through probes that selectively forward attributes.

§  For DHCP Profiling:
–  Option A: Use at least WLC version 7.2.110.0 to send DHCP attributes to ISE through RADIUS accounting.
–  Option B: Use Cisco IOS "ip helper" addressed to ISE on switches adjacent to the WLC (with DHCP proxy disabled).

§  For HTTP Profiling:
–  Use at least WLC version 7.3 to send the HTTP user agent info to ISE through RADIUS accounting.

Page 72: Steps for Configuring Device Provisioning (For Your Reference)

1. Configure Integration with External CA Server
•  Define SCEP URL and certificates.
http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml and http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_ISE.html#wp1024207

2. Define Supplicant Provisioning Profile
•  Define what security and EAP type is deployed to end devices.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_ISE.html#wp1024291

Page 73: Configuring SCEP Integration on the ISE – The ISE Must Point to the SCEP Server and Have a Valid Certificate Signed by the CA (For Your Reference)

1. Configure the SCEP URL pointing to the MS server or other CA.
2. Request a certificate for the ISE from the CA server.

Page 74: Configuring Certificates on the ISE – Certificates are Used for HTTPS and/or EAP (For Your Reference)

1. The web server certificate can be the same as, or different from, the EAP certificate.
2. Use the certificate from your CA server for EAP authentication.

Page 75: Configuring the Web-Auth Redirect ACL (For Your Reference)

1. This ACL will be referenced by name by ISE to restrict the user before web portal login.
2. Use the ISE server's IP address (optionally restricted to a specific port too) to allow traffic to the web portal.

Page 76: Defining the Supplicant Provisioning Authorization Profile (For Your Reference)

1. Choose "Supplicant Provisioning" for the Redirect Portal.
2. Configure the Redirect ACL on the WLC.