Identity Services Engine – Policy based access
Nathan Boyd Consulting Systems Engineer
© 2014 Cisco and/or its affiliates. All rights reserved. BRKEWN-2020 Cisco Public
§ BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76566
§ BRKSEC-2044 - Building an Enterprise Access Control Architecture with ISE (2014 Milan) - 2 Hours https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76593
§ BRKSEC-3035 - Successful designing and deploying Cisco's ISE 1.2/MDM integration (2014 Milan) - 90 Mins https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76611
§ BRKSEC-2692 - Identity Based Networking: IEEE 802.1X and Beyond (2014 Milan) - 90 Mins https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76607
For your Reference
• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Client Provisioning
• MDM
• Monitoring Troubleshooting Reporting
(Figure: ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server, the products whose functions are consolidated into the Identity Services Engine.)
Cisco Identity Services Engine (ISE)
Authentication and Authorization: What are they?
Authentication (802.1X / MAB / WebAuth) tells what/who the endpoint/user is.
Authorization tells what the endpoint/user can access.
ISE Policy Rules
1. Authentication Rules
 • Define what identity stores to reference.
 • Example – Active Directory, CA Server, Internal DB, etc.
2. Authorization Rules
 • Define what users and devices get access to resources.
 • Example – All Employees with Windows Laptops have full access.
Policy Sets on ISE
Authentication Rules
If this/these condition(s) is/are matched, then… allow this list of authentication protocols, and… optionally check further (sub)rule(s)… or just use the default rule… to pick the database for verifying the endpoint/user’s identity.
Factors in Choosing an EAP Method: The Most Common EAP Types are PEAP and EAP-TLS
Factors: EAP type(s) deployed, client support, security vs. complexity, authentication server support.
§ Most clients, such as Windows, Mac OS X and Apple iOS devices, support EAP-TLS and PEAP (MS-CHAPv2).
‒ Additional supplicants can add more EAP types (Cisco AnyConnect).
§ Certain EAP types (TLS) can be more difficult to deploy than others depending on device type.
§ Cisco ISE Supplicant Provisioning can aid in the deployment.
ISE’s Identity Stores
§ Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP, RSA SecurID and RADIUS Token.
§ ISE’s local database can also be used, and ERS APIs are supported for remote management.
(Figure: Machine / User / MAC authentication arrives over EAPoL as a user/password, a certificate or a RADIUS token and is verified against the backend database(s): Active Directory, generic LDAP or PKI, RSA SecurID, or the local DB.)
Authorization Rules
Each rule is defined by: Rule Name | Condition(s) | Result(s)
Authorization Conditions
AuthZ conditions can be built from: external identity groups, directory attributes, profiled groups, posture state, RADIUS and session attributes.
Authorization Results – Permissions
Pre-canned and user-defined attributes.
Converged Access – Downloadable ACL Support
Download - http://www.miercom.com/2013/05/cisco-wlc-5760/
Cisco Wireless LAN Controller ACLs: Layer 3-4 Filtering at Line Rate
§ ACLs provide L3-L4 policy and can be applied per interface or per user.
§ Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs.
§ Up to 64 rules can be configured per ACL.
(Figure: ACLs applied inbound and outbound between wireless clients and the wired LAN, with an implicit deny all at the end.)
FlexConnect and AAA Override: Setting the VLAN for Locally Switched Clients
(Figure: ISE returns the IETF RADIUS attributes 64, 65 and 81 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) across the WAN, and the locally switched client is placed in VLAN 502.)
Switch port configuration for the FlexConnect AP:
interface GigabitEthernet0/37
 description AP_3702
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,502-504
 switchport mode trunk
Create the sub-interface on the FlexConnect AP and (optionally) set the ACL on the VLAN.
Cisco Wireless User-Based QoS Capabilities
Allowing Per-User and Per-Device Limiting of the Maximum QoS Level
(Figure: Call Manager, Access Point and WLC; QoS-tagged packets are placed into the WMM queues Voice, Video, Best Effort and Background. Employee – Platinum QoS; Contractor – Silver QoS.)
For the Employee user, the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the WMM Voice Queue.
For the Contractor user, the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort Queue.
Security Group Access (SGA): Converged Access (CA) Architecture
(Figure: users and endpoints on VLAN 100 authenticate via 802.1X, MAB or WebAuth (agent-less devices) through a 3850 / 5760, with Active Directory and ISE behind it. The user is assigned SGT=5; the IT Portal at 10.1.100.10 is SGT 4. SGT enforcement applies the SGACL: deny sgt-src 5 sgt-dst 4.)
SGT-IP bindings:
IP Address    SGT
10.1.10.102   5
10.1.100.10   4
10.1.99.100   12
Legend: SGT = Security Group Tag, SXP = SGT eXchange Protocol, SGACL = SGT ACL.
See also BRKEWN-2022, BRKSEC-2203.
Security Group Access (SGA): Cisco Unified Wireless Network (CUWN) Architecture
(Figure: users and endpoints on VLAN 100 authenticate via 802.1X, MAB or WebAuth (agent-less devices) through a 2504 / 5508 WLC, with Active Directory and ISE behind it. The user is assigned SGT=5; the IT Portal at 10.1.100.10 is SGT 4. The WLC is the SXP speaker and the Catalyst 3750-X the SXP listener; frames leave the WLC untagged and are tagged (SGT=5) on the campus network (Catalyst 3750-X, Cat 6500 distribution), where SGT enforcement applies the SGACL: deny sgt-src 5 sgt-dst 4.)
The WLC sends the IP-to-SGT binding table via SXP to SGT tagging or SGACL capable devices (e.g. Catalyst 3750-X).
IP Address    SGT
10.1.10.102   5
10.1.10.110   14
10.1.99.100   12
Legend: SGT = Security Group Tag, SXP = SGT eXchange Protocol, SGACL = SGT ACL.
See also BRKSEC-2203, BRKSEC-3690.
ISE Profiling
Is the MAC address from Apple? Does the DHCP hostname contain “iPad”? Is the HTTP user-agent from an iPad? → Apple iPad
ISE Profiling: Example of Built-in Policies
(Figure: built-in policy groups such as Smart Phones, Gaming Consoles and Workstations. (1) Multiple rules establish the certainty level; (2) a minimum certainty is required for a match.)
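As an added illustration of the certainty mechanism on these two slides (example code written for this page, not ISE's implementation): the three iPad questions become scored conditions whose certainty factors are summed against a minimum, so one attribute alone does not classify the endpoint. The OUI table, the certainty factors and the endpoint attribute sets are constructed values.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed OUI table (first three octets of the MAC -> vendor); ISE ships a full one.
OUI_VENDORS = {"3C:07:54": "Apple", "00:50:56": "VMware"}


@dataclass
class Condition:
    name: str
    test: Callable[[Dict[str, str]], bool]
    certainty: int  # certainty factor added to the score when the condition matches


@dataclass
class ProfilingPolicy:
    name: str
    minimum_certainty: int  # threshold an endpoint must reach to match this policy
    conditions: List[Condition]


def mac_vendor(attrs: Dict[str, str]) -> str:
    mac = attrs.get("mac", "").upper().replace("-", ":")
    return OUI_VENDORS.get(mac[:8], "unknown")


# The three questions from the "ISE Profiling" slide, each as a scored rule.
# Certainty factors and the minimum are constructed values, not ISE's defaults.
APPLE_IPAD = ProfilingPolicy("Apple-iPad", minimum_certainty=30, conditions=[
    Condition("MAC OUI is Apple", lambda a: mac_vendor(a) == "Apple", 10),
    Condition("DHCP hostname contains iPad",
              lambda a: "ipad" in a.get("dhcp_hostname", "").lower(), 10),
    Condition("HTTP user-agent is iPad",
              lambda a: re.search(r"\biPad\b", a.get("http_user_agent", "")) is not None, 20),
])


def score(policy: ProfilingPolicy, attrs: Dict[str, str]) -> Tuple[int, List[str]]:
    """Sum the certainty factors of every matching condition (all rules are evaluated,
    so several weak signals can add up to a match)."""
    matched = [c for c in policy.conditions if c.test(attrs)]
    return sum(c.certainty for c in matched), [c.name for c in matched]


def classify(policies: List[ProfilingPolicy], attrs: Dict[str, str]) -> str:
    """Return the best-scoring policy whose minimum certainty is reached; an endpoint
    that reaches none stays 'Unknown' instead of being guessed from one attribute."""
    best, best_score = "Unknown", -1
    for policy in policies:
        total, _ = score(policy, attrs)
        if total >= policy.minimum_certainty and total > best_score:
            best, best_score = policy.name, total
    return best


# Constructed endpoint attribute sets, as the RADIUS/DHCP/HTTP probes would report them.
IPAD = {"mac": "3c:07:54:aa:bb:cc", "dhcp_hostname": "Nathans-iPad",
        "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X)"}
APPLE_MAC_ONLY = {"mac": "3c:07:54:11:22:33"}  # OUI alone stays below the minimum certainty

if __name__ == "__main__":
    for label, attrs in (("ipad", IPAD), ("apple-mac-only", APPLE_MAC_ONLY)):
        total, matched = score(APPLE_IPAD, attrs)
        print(label, total, matched, "->", classify([APPLE_IPAD], attrs))
```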
Client Attributes and Traffic for Profiling: How RADIUS, HTTP, DNS and DHCP (and other traffic) are used to classify clients
§ ISE uses multiple attributes to build a complete picture of the end client’s device profile.
§ Information is collected from sensors which capture different attributes – ISE can even kick off an NMAP scan of the host IP to determine more details.
(Figure, with RADIUS, DHCP, DNS and HTTP sources feeding ISE:)
1. The MAC address is checked against the known vendor OUI database.
2. The client’s DHCP/HTTP attributes are captured by the AP (DHCP/HTTP sensor) and provided in RADIUS Accounting messages by the WLC.
– DNS server: a lookup of the DNS entry for the client’s IP address reveals the hostname.
– HTTP user agent: mobile devices are quite chatty for web applications, or they can also be redirected to one of ISE’s portals.
Local Client Profiling and Local Policy since WLC 7.5
(Figure: Cisco WLC configuration. Step 1: enable DHCP and HTTP local client profiling on the WLAN. Steps 2 and 3: the controller’s 88 pre-defined client profiles identify the device type, and a local policy is applied based on device type.)
Assigning WLC Local Policy based on Role
(Figure: the RADIUS server returns role=Employee or role=Contractor; the controller applies the local policy matching that role.)
Other Local Policy Options
– Time of day: active hours for the policy (time-based policy).
– Wireless client authentication EAP type: LEAP, EAP-FAST, EAP-TLS, PEAP.
Local Policy Actions
Enforced policy: ACL, VLAN, QoS, session timeout.
Applying Local Policies to WLANs and AP Groups
Native profiling per WLAN and native profiling per AP group.
Restriction: the first matched rule applies.
A maximum of 16 policies can be created per WLAN / AP group, and 64 globally.
Differentiating Guest Access via User Groups / External Database
§ Multiple groups can be created in ISE.
§ Each group can contain:
 – Guest DB users (created by Sponsor and Self-service)
 – Internal DB users (created by Administrators)
 – External groups mapped in ISE (mapping example for AD)
Those groups can be used in different authorization rules to differentiate network access.
ISE – Sponsor Portal
§ Customizable sponsor pages
§ Sponsor privileges tied to defined sponsor policy
• Roles sponsor can create
• Time profiles can be assigned
• Management of other guest accounts
• Single or bulk account creation
ISE – Guest Self-Service
Client Provisioning: Simplifying Device Management
– Reduced burden on IT staff: device on-boarding, self registration, supplicant provisioning, certificate provisioning.
– Self-service model: My Devices Portal for registration, Guest Sponsor Portal.
– Device blacklisting: user-initiated control of their own devices (blacklisting, re-instating a device, etc.).
– Support for: iOS (6.0+), Mac OS X (10.6+), Android (2.2+), Windows (XP+).
“My Devices” Portal: Self-Registration and Self-Blacklisting of BYOD Devices
1. New devices can be added with a description.
2. Devices can be self-registered, up to an administrator-defined limit.
3. Devices can be blacklisted by the user.
Apple iOS Device Provisioning
(Figure: CA server, ISE and WLC.)
1. Initial connection using PEAP.
2. Device Provisioning Wizard.
Change of Authorization.
3. Future connections using EAP-TLS.
Android Device Provisioning
(Figure: CA server, ISE and WLC.)
1. Initial connection using PEAP.
2. Redirection to the Android Marketplace to install the provisioning utility.
3. Provisioning using the Cisco Wi-Fi Setup Assistant.
Change of Authorization.
4. Future connections using EAP-TLS.
Client Provisioning Policy
(Figure: the policy maps user and OS to the supplicant to provision.)
MDM Integration
(Figure: MDM attributes available to ISE policy: jailbroken, PIN locked, encryption, ISE registered, MDM registered.)
See also BRKSEC-3035.
Visibility with Prime Infrastructure and ISE Integration
(Figure: Prime Infrastructure client list showing device identity from the ISE integration, policy information including the Windows AD domain, the AAA override parameters applied to the client, and both wired and wireless clients in a single list.)
Which Policy for which Endpoint/User
§ Corporate PCs
§ Other Corporate Machines and Mobile Devices
§ Employee Owned Devices
§ Guests
§ Contractors
§ Others
Corporate Machines and Users – Identities
Identities: MAC address, certificate, login/password, other.
Got AD?
§ If using AD machine GPOs on a Windows environment, you may want to enable 802.1X machine authentication.*
§ User authentication can be added on top, still through 802.1X, or be delegated to Windows logon (even if not outside the company domain).
* Microsoft introduced the concept of machine authentication also for this purpose.
Machine and User Authentication
With the native Windows 802.1X supplicant:
§ The same EAP method is used for both machine and user.
§ Once logged in to Windows, since the user’s identity is available, only user authentication is triggered.
With Cisco AnyConnect NAM:
§ Different, separate EAP methods can be used for the machine and the user.
§ EAP Chaining supports authenticating both the machine and the user, in the same session, whenever 802.1X is triggered.
How to force a user to authenticate from an already authenticated machine?
Machine Access Restriction (MAR)
• Supplicant agnostic.
• The network access device (NAD) sends the endpoint’s MAC in the RADIUS attribute [31] Calling-Station-ID.
• ISE caches the MAC address of the authenticated machine in the MAR cache.
• When the user authenticates from the same device, ISE can tell it’s from the previously authenticated machine thanks to the MAR cache.
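A model of the MAR cache behaviour described above, added here as example code rather than anything from ISE: machine authentication records the Calling-Station-ID, a later user authentication from the same MAC is recognised, and entries age out. The aging time, the authorization result names and the sample requests are assumptions.

```python
import time
from typing import Callable, Dict

# Assumed aging time for this model; the real MAR cache timeout is an ISE setting
# not given on the slide.
DEFAULT_AGING_SECONDS = 6 * 3600


class MarCache:
    """MAC addresses of machines that passed machine authentication, with aging."""

    def __init__(self, aging_seconds: int = DEFAULT_AGING_SECONDS,
                 clock: Callable[[], float] = time.time):
        self.aging = aging_seconds
        self.clock = clock
        self._entries: Dict[str, float] = {}  # normalized MAC -> time of machine auth

    @staticmethod
    def normalize(calling_station_id: str) -> str:
        """Calling-Station-ID reaches ISE in whatever MAC format the NAD uses
        (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455); compare on hex digits."""
        digits = "".join(ch for ch in calling_station_id.lower() if ch in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {calling_station_id!r}")
        return digits

    def machine_authenticated(self, calling_station_id: str) -> None:
        """Called after a successful machine (host/...$) authentication."""
        self._entries[self.normalize(calling_station_id)] = self.clock()

    def was_machine_authenticated(self, calling_station_id: str) -> bool:
        key = self.normalize(calling_station_id)
        stamp = self._entries.get(key)
        if stamp is None:
            return False
        if self.clock() - stamp > self.aging:
            del self._entries[key]  # aged out: same outcome as a machine never seen
            return False
        return True


def authorize_user(cache: MarCache, request: Dict[str, str]) -> str:
    """Authorization rule in the spirit of the slide: a user who authenticates from a
    MAC that is in the MAR cache gets the corporate result, otherwise a limited one.
    `request` is a constructed subset of RADIUS attributes; the result names are ours."""
    if not request.get("User-Name"):
        return "Reject"
    if cache.was_machine_authenticated(request["Calling-Station-ID"]):
        return "PermitAccess-Corporate"
    return "LimitedAccess"


class FakeClock:
    """Lets the walkthrough age the cache without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def walkthrough():
    clock = FakeClock()
    cache = MarCache(clock=clock)
    cache.machine_authenticated("00-11-22-33-44-55")   # machine auth, NAD format A
    clock.now += 60
    same = authorize_user(cache, {"User-Name": "DOMAIN\\employee",
                                  "Calling-Station-ID": "00:11:22:33:44:55"})
    other = authorize_user(cache, {"User-Name": "DOMAIN\\employee",
                                   "Calling-Station-ID": "66:77:88:99:aa:bb"})
    clock.now += 7 * 3600                                # past the assumed aging time
    aged = authorize_user(cache, {"User-Name": "DOMAIN\\employee",
                                  "Calling-Station-ID": "0011.2233.4455"})
    return same, other, aged


if __name__ == "__main__":
    print(walkthrough())
```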
EAP Chaining
• Supported with AnyConnect 3.1 and ISE.
• It relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session.
• If no user information is available (logged out), only machine credentials are used.
• If the user’s identity is also available, both machine and user information will be used for 802.1X authentication.
Access Enforcement
§ Changing VLAN between machine and user authentication is supported.*
 * Some supplicants (XP SP2/3) do not detect it and do not trigger IP renewal.
§ While keeping the same VLAN, a different ACL/SGT can be applied to the machine and the user.
 ✓ This is more “client agnostic” as it does not require IP renewal.
(Figure: machine VLAN and user VLAN on a 5760.)
Corporate non-Windows Machines
§ There is no concept of machine authentication as with Windows.
§ Through ISE we could still link some attributes of the user’s identity/account to the machine.
Corporate Mobile Devices
§ Specific EAP methods and account/certificate attributes.
§ Force 802.1X through a device-specific certificate, then WebAuth to verify the user behind it.
§ Go for MDM.
Asking the External DB
Find Something Special on Corporate Devices
dhcp-user-class-id = 43:6f:72:70:50:43 → Profiling Policy = “corp_laptop”
dhcp-user-class-id = 62:6c:61:62:6c:61
Setting the class ID on a Windows client:
C:\>ipconfig /setclassid "Local Area Connection" CorpPC
http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
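Added example (not from the slides) that decodes the two dhcp-user-class-id values above from the colon-separated hex ISE displays, shows what the ipconfig command puts on the wire, and applies the decoded value as a profiling condition for “corp_laptop”. The policy logic and the attribute dictionary are constructed for illustration.

```python
from typing import Dict, Optional

# Mapping the slide shows: the decoded class ID that the "corp_laptop" policy looks for.
CORP_CLASS_ID = "CorpPC"


def decode_user_class_id(hex_value: str) -> str:
    """'43:6f:72:70:50:43' -> 'CorpPC'. The attribute is the raw DHCP option 77 bytes
    shown as colon-separated hex; non-ASCII bytes are kept as \\xNN escapes so an
    unexpected value stays visible instead of being dropped."""
    digits = hex_value.replace(":", "").replace("-", "").replace(" ", "")
    if len(digits) % 2 or not all(c in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a hex-encoded class ID: {hex_value!r}")
    return bytes.fromhex(digits).decode("ascii", errors="backslashreplace")


def encode_user_class_id(text: str) -> str:
    """What `ipconfig /setclassid ... CorpPC` sends, in the same hex notation."""
    return ":".join(f"{b:02x}" for b in text.encode("ascii"))


def corp_laptop_policy(attrs: Dict[str, str]) -> Optional[str]:
    """Profiling condition for the 'corp_laptop' policy: exact, case-sensitive match on
    the decoded class ID. The value is set by the client, so it is one attribute
    contributing to the certainty score, not proof of corporate ownership by itself."""
    raw = attrs.get("dhcp-user-class-id")
    if raw is None:
        return None
    try:
        class_id = decode_user_class_id(raw)
    except ValueError:
        return None  # malformed attribute: no match rather than an error in the policy
    return "corp_laptop" if class_id == CORP_CLASS_ID else None


if __name__ == "__main__":
    for value in ("43:6f:72:70:50:43", "62:6c:61:62:6c:61"):
        print(value, "->", decode_user_class_id(value),
              corp_laptop_policy({"dhcp-user-class-id": value}))
```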
Empower your Employees
(Figure: the user logs in as DOMAIN\employee.)
On the WLC:
config advanced eap max-login-ignore-identity-response disable
Empower your Employees
§ Dedicated guest account groups can be used to authenticate via 802.1X.
§ External guests won’t be able to obtain the same type of credentials.
Guests
§ Lobby ambassador and sponsor capabilities on the WLC, Cisco Prime and ISE.
Guests: Some Options to Manage Them
– Guest management services through a dedicated Sponsor interface.
– The guest identity store (local or external) is supported with LWA and CWA.
– Captive portals can be customized and localized (more in the next slides…).
– Guest users can be assigned to dedicated VLANs, ACLs, QoS profiles, etc.
– Guests can go through additional checks, such as compliance, MDM, etc.
Differentiating Guest Portals
§ How could we redirect guests from a specific WLAN or a specific location to separate portals?
The attribute to match in the authorization rules is RADIUS [30] Called-Station-ID.
Restricting Guests from a Specific Sponsor and Site
§ Create a sponsor group on ISE restricting guest creation for a specific group.
§ Assign sponsor users with specific attributes to the sponsor group.
§ Authorize guests based on their group managed by that same sponsor.
Contractors and “more than guest” Users
Guest groups flagged as “ActivatedGuest” are enabled to authenticate through other (802.1X) methods, not just through the web portal.
Contractors: Additional Checks
Additional Configuration Notes for Your Reference
Steps for Integrating the WLC and ISE
1. Configure WLAN for 802.1X Authentication
 • Configure RADIUS Server on Controller
 • Set up WLAN for AAA Override, Profiling and RADIUS NAC
2. Configure ISE Profiling
 • Enable profiling probes
3. Set up Access Restrictions
 • Configure ACLs to filter and control network access.
AAA Override Attributes
Network Access
 • RADIUS “Tunnel-Type” + “Tunnel-Medium-Type” + “Tunnel-Private-Group-ID”
 • Sets the interface to which the client is connected (VLAN).
Network Restrictions
 • Cisco “Airespace-ACL-Name”
 • Sets the Access Control List used to filter traffic to/from the client.
Quality of Service
 • Cisco “Airespace-QOS-Level”
 • Sets the maximum QoS queue level available for use by the client (Bronze, Silver, Gold or Platinum).
 • Cisco “Airespace-802.1p-Tag” and/or “Airespace-DSCP-Tag”
 • Sets the maximum QoS tagging level available for use by the client.
(Cisco Wireless LAN Controller)
URL Redirection: Central Web Auth, Client Provisioning, Posture
§ Url-Redirect: for CWA, Client Provisioning, Posture and MDM, the URL value is returned as a Cisco AV-pair RADIUS attribute.
 Ex: cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
§ Url-Redirect-Acl: this ACL specifies the traffic to be permitted (i.e., bypass redirection) or denied (i.e., trigger redirection). The ACL is returned as a named ACL on the WLC.
 Ex: cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT
 ACL entries define traffic subject to redirection (deny) and traffic to bypass redirection (permit).
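The AAA override attributes (the “AAA Override Attributes” notes), the url-redirect AV-pairs above and the per-user QoS ceiling from the “Cisco Wireless User-Based QoS Capabilities” slide, worked through as example code written for this page rather than WLC or ISE code: it turns the attributes of an Access-Accept into the VLAN, ACL, QoS level and redirect a controller would apply, and shows which WMM queue a DSCP EF packet lands in under Platinum versus Silver. The Access-Accept contents, the host name and the session ID are constructed, and the DSCP-to-queue mapping is simplified.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

TUNNEL_TYPE_VLAN = "13"   # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = "6"   # RFC 2868 Tunnel-Medium-Type value for IEEE 802
QOS_RANK = {"bronze": 0, "silver": 1, "gold": 2, "platinum": 3}
WMM_QUEUE = {0: "Background", 1: "Best Effort", 2: "Video", 3: "Voice"}


@dataclass
class Override:
    vlan: Optional[int] = None
    acl: Optional[str] = None
    qos_level: Optional[str] = None
    url_redirect: Optional[str] = None
    url_redirect_acl: Optional[str] = None


def parse_av_pair(value: str) -> Tuple[str, str]:
    """Split 'url-redirect=https://...?sessionId=x&action=cwa' on the FIRST '=' only;
    the URL's own query string contains more of them."""
    key, sep, val = value.partition("=")
    if not sep or not key:
        raise ValueError(f"malformed cisco-av-pair: {value!r}")
    return key.strip(), val.strip()


def build_override(attrs: List[Tuple[str, str]]) -> Override:
    """Derive the per-client override from the (name, value) pairs of an Access-Accept."""
    ov, tunnel_type, medium, group = Override(), None, None, None
    for name, value in attrs:
        if name == "Tunnel-Type":
            tunnel_type = value
        elif name == "Tunnel-Medium-Type":
            medium = value
        elif name == "Tunnel-Private-Group-ID":
            group = value
        elif name == "Airespace-ACL-Name":
            ov.acl = value
        elif name == "Airespace-QOS-Level":
            ov.qos_level = value
        elif name == "cisco-av-pair":
            key, val = parse_av_pair(value)
            if key == "url-redirect":
                ov.url_redirect = val
            elif key == "url-redirect-acl":
                ov.url_redirect_acl = val
    # Honour the VLAN only when all three tunnel attributes describe an 802 VLAN.
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group:
        ov.vlan = int(group)
    # A redirect URL without its ACL (or vice versa) cannot be enforced as intended;
    # flag the incomplete result instead of applying half of it.
    if (ov.url_redirect is None) != (ov.url_redirect_acl is None):
        raise ValueError("url-redirect and url-redirect-acl must be returned together")
    return ov


def wmm_queue(dscp: int, qos_level: str) -> str:
    """Queue a packet lands in once the QoS level (AAA override or WLAN default) caps it:
    DSCP EF enters Voice under Platinum but is confined to Best Effort under Silver.
    Simplified DSCP mapping (assumption): EF=Voice, CS4/AF41=Video, CS1=Background."""
    wanted = 3 if dscp == 46 else 2 if dscp in (32, 34) else 0 if dscp == 8 else 1
    return WMM_QUEUE[min(wanted, QOS_RANK[qos_level.lower()])]


# Constructed Access-Accepts: the attribute names are the slides', the values are ours.
EMPLOYEE_ACCEPT = [("Tunnel-Type", "13"), ("Tunnel-Medium-Type", "6"),
                   ("Tunnel-Private-Group-ID", "502"), ("Airespace-ACL-Name", "ACL-EMPLOYEE"),
                   ("Airespace-QOS-Level", "Platinum")]
POSTURE_ACCEPT = [("cisco-av-pair", "url-redirect=https://ise.example.com:8443/guestportal/"
                                    "gateway?sessionId=0a0a0a0a00000001&action=cwa"),
                  ("cisco-av-pair", "url-redirect-acl=ACL-POSTURE-REDIRECT")]

if __name__ == "__main__":
    print(build_override(EMPLOYEE_ACCEPT))
    print(build_override(POSTURE_ACCEPT))
    print(wmm_queue(46, "Platinum"), "/", wmm_queue(46, "Silver"))
```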
Configuring ISE as the Authentication and Accounting Server
1. Enable “RFC 3576” to support RADIUS Change of Authorization.
2. Add to Accounting Servers to receive session statistics and profiling data.
Configuring the WLAN for Secure SSID: Enabling Secure Authentication and Encryption with WPA2-Enterprise
1. WPA2 security with AES encryption.
2. 802.1X as the authentication key management (CCKM optional).
Setting the WLAN QoS Level: Using WMM, the QoS Level is Based on the Marking of the Packet
§ If WMM is set to Allowed, the Quality of Service configuration serves as a limit for the entire SSID.
§ Ensure all controller uplinks, media servers and Access Points have proper Quality of Service trust commands on the switch ports.
1. This acts as an upper limit, or ceiling, for the WLAN’s QoS configuration.
Configuring the WLAN for ISE Identity-based Networking Cont’d
1. Allow AAA Override to support dynamic RADIUS attributes.
2. Enable RADIUS NAC to accept RADIUS Change of Authorization messages for this SSID.
3. Enable RADIUS Client Profiling to send DHCP and HTTP attributes to ISE via RADIUS accounting.
Configuring ISE Profiling Probes
§ Profiling relies on a multitude of “probes” to classify the client’s device type.
§ Profiling can always be achieved through a SPAN port; more efficient profiling is achieved through probes that selectively forward attributes.
§ For DHCP Profiling:
 – Option A: Use at least WLC version 7.2.110.0 to send DHCP attributes to ISE through RADIUS accounting.
 – Option B: Use Cisco IOS “ip helper” addressed to ISE on switches adjacent to the WLC (with DHCP proxy disabled).
§ For HTTP Profiling:
 – Use at least WLC version 7.3 to send the HTTP user agent info to ISE through RADIUS accounting.
Steps for Configuring Device Provisioning
1. Configure Integration with External CA Server
 • Define SCEP URL and certificates.
 http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml and http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_ISE.html#wp1024207
2. Define Supplicant Provisioning Profile
 • Define what security and EAP type is deployed to end devices.
 http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_ISE.html#wp1024291
Configuring SCEP Integration on the ISE: The ISE Must Point to the SCEP Server and Have a Valid Certificate Signed by the CA
1. Configure the SCEP URL pointing to the MS server or other CA.
2. Request a certificate for the ISE from the CA server.
Configuring Certificates on the ISE: Certificates are Used for HTTPS and/or EAP
1. The web server certificate can be the same as, or different from, the EAP certificate.
2. Use the certificate from your CA server for EAP authentication.
Configuring the Web-Auth Redirect ACL
1. This ACL will be referenced by name by ISE to restrict the user before web portal login.
2. Use the ISE server’s IP address (optionally restricted to a specific port too) to allow traffic to the web portal.
Defining the Supplicant Provisioning Authorization Profile
1. Choose “Supplicant Provisioning” for the redirect portal.
2. Configure the redirect ACL on the WLC.