Identity Services Engine Overview and Update

Page 1: Identity Services Engine Overview and Update
Identity Services Engine

Abhi Gupta, SE

30 September 2014

Overview & Update

Cisco Public 3 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control

Diagram: security policy attributes (Who, What, Where, When, How) covering identity and context for VM clients, IP devices, guests, employees and remote users over wired, wireless and VPN access feed business-relevant policies. ISE replaces AAA & RADIUS, NAC, guest management and device identity servers.


Cisco ISE is the Market Leader

Diagram: Cisco Identity Services Engine (ISE) combines network context (Who, What, Where, When, How) with partner context data to deliver a consistent secure access policy.


Role of Cisco ISE in the Attack Continuum

ISE Provides Visibility, Context, and Control Across the Entire Continuum

Attack Continuum: BEFORE (Control, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate)

Diagram: Cisco's portfolio placed along the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web + Email Security, Advanced Malware Protection, Network Behavior Analysis, and pxGrid + ISE Ecosystem.


Customer use cases for ISE

• Guest Access Management: Easily provide guests limited-time, limited-resource Internet access

• BYOD and Enterprise Mobility: Seamlessly & securely onboard devices with the right levels of access

• Secure Access across the Entire Network: Simplify & unify enterprise network access policy across wired, wireless, & VPN

• With Cisco TrustSec®: Identity-aware Network Segmentation and Access Policy Enforcement


Guest Access Flow

Redirection of the guest web session to the Cisco® ISE guest portal for authentication

Diagram: a guest on a workstation or mobile (iPhone) connects through an AP and WLC or through switches; the web session is redirected to the ISE guest portal login page (username Imran, masked password), with the Sponsor and a Local RADIUS server shown alongside ISE.


Life Cycle Management

• Provision: Create guest accounts in the sponsor portal

• Manage: Create sponsor policy; manage sponsor groups; customize portals

• Notify: Notify guests using different methods: Print, Email, SMS

• Report: Report on all aspects of guest accounts


Sponsoring Guests

Branding with Themes! Themes give you complete control over the look and feel of your sponsor portal.

Mobile Sponsors: You are free to move about the cabin! Create a guest account on the fly from your smartphone / tablet away from your desk.

Streamlined Guest Creation: Set up your sponsor portal to show only the fields you need for your business.

Screenshots: Create Accounts pages with Print, Email and SMS delivery options.


Branded Guest Notifications

Guest Receipts with Your Brand: Whether you’re delivering guest credentials on the printed page, over email or SMS, ISE makes it easy to deliver your complete branded experience.

SMS Notifications: Send credentials directly to a guest’s mobile phone.

Email Notifications: Do you have guests visiting? Send them login credentials before they even arrive!

Sample notification text: "Your credentials: username: trex42, password: littlearms"


New Guest Portal Admin

A Guest Button: With our new navigation, getting to the Guest admin has never been easier.

Prepackaged Flows: Ships with the default flows used by 90% of our customers: Hotspot, Self-Service (with or without approval), & Sponsored.

One Stop Setup: Once you’re there, all the pieces you need are accessed in one place.


Guest Portal building made easy

End User Visibility: ISE makes the end user experience crystal clear as it updates the guest flow diagram in real time with each settings change.

Admin Friendly: Through extensive user research we’ve made guest settings so easy to find that setting up a guest flow can be done in just a few clicks.


Customize with Themes

Themes! Themes give you complete control over the look and feel of your guest pages. Use our out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS.

Live Preview: See your pages as the guests will see them as you customize.

Full Page Control: Use our defaults or customize every field in multiple languages.


BYOD Spectrum

Diagram: four BYOD postures (Managed User + Managed Device; Managed User + Unmanaged Device + Secure + Compliance; Managed User + Unmanaged Device + Secure; Managed User + Unmanaged Device) set against the scenarios they serve: an environment that requires tight controls, basic services and easy access for everyone, registering and configuring connectivity, and the company’s native applications, new services, and full control.


What Does Cisco ISE offer?

• Multiple Device Support

• Certificate Provisioning

• Multiple Network Topologies

• Blacklisting and Reinstating of Devices

• Self-Registration


BYOD Flow Use Case: Single SSID

• User connects to open SSID

• Redirected to WebAuth portal

• User enters employee or guest credentials

• Guest signs AUP and gets guest access

• Employee registers device

• Downloads certificate

• Downloads supplicant configuration

• Employee reconnects using EAP-TLS

Diagram components: Personal Asset, Access Point (SSID BYOD-Secure), Wireless LAN Controller, ISE, AD/LDAP


Native Certificate Authority

Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure.

The ISE Certificate Authority is designed to work as a self-contained solution or in concert with your existing Enterprise PKI to simplify BYOD deployments.

Single Management Console: Manage endpoints and their certs. Delete an endpoint and ISE deletes the cert.

Simplified deployment: Supports stand-alone and subordinate deployments. Removes the corporate PKI team from every BYOD interaction.

Designed for BYOD use cases only, not a general-purpose CA.

Diagram: Cisco ISE Certificate Authority, self-contained or optionally subordinate to an optional Enterprise Root.


PKI Hierarchy and Roles

• PAN is Root CA for the ISE Cube

• All PSNs are Subordinate CAs to the PAN; PSNs are SCEP Registration Authorities (RAs)

• ISE PAN may be Subordinate to an existing Root CA or may be a Stand-Alone Root

• Promotion of Standby PAN will not have any effect on operation of the subordinate CAs

• For Standby to become Root CA, you must manually install the Private/Public keys from the Primary PAN

Diagram: an optional Enterprise Root above the Primary PAN (ISE CA) and Standby PAN; four PSNs, each a Subordinate CA and SCEP RA.


Certificate Template(s)

• Define Internal or External CA

• Set the Key Sizes

• SAN Field Options: UUID, DNS Name, MAC Address, Serial #; no free-form additions

• Set length of validity


MDM Integration

• ISE can query the MDM server using APIs

• Compliance based on:

Macro level: general Compliant or Not Compliant status

OR

Micro level: Disk encryption enabled, PIN lock enabled, Jail-broken status

• MDM attributes available for policy conditions

• “Passive Reassessment”: Bulk recheck against the MDM server using a configurable timer. If the result of a periodic recheck shows that a connected device is no longer compliant, Cisco® ISE sends a CoA to terminate the session.

Survivability Attribute


Secure Access: Role-Based, Dynamic Provisioning

Diagram (steps 1 to 3): Context-Aware Classification and Context-Aware Policy Enforcement, with ISE answering Who? What? When? Where? How?


Cisco ISE Authentication Policy: Who = 802.1X Managed Users (Who? How?)

Examples: Employees and staff, faculty and students, or extended access to partners and contractors

Primary authentication methods: 802.1X or agent-based


Multi-Forest Active Directory Support

• Support for up to 50 concurrent Active Directory multi-join points

• No need for a 2-way trust relationship between domains

• Advanced algorithms for dealing with identical usernames

ISE 1.3 is designed for growing businesses. With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises.

Diagram: ISE joined to example-1.com, example-2.com, … example-n.com


Terminology

1.3 AD Instance == 1.2 AD (what ISE 1.2 called AD is an AD instance in ISE 1.3)

Scope defines selected instances. Here we have 3 AD instances for Scope A out of 5 AD instances configured on the ISE.

Diagram: five AD instances (acs.com, Company-B.com, Company-C.com, Company-D.com, Company-E.com); the acs.com forest is shown with its domains oceania.acs.com, australia.oceania.acs.com, canberra.australia.oceania.acs.com, amer.acs.com and brazil.south.amer.acs.com.


Authentication Policy

• Individual AD instance can be selected

• Scopes can be selected (All_AD_Instances is a synthetic scope created automatically to select all configured AD instances)


Authorization Policy: Sample Policy

Permissions = Authorizations (Who?):

• Employee_iPAD: Set VLAN = 30 (Corporate Access)

• Contractor_iPAD: Set VLAN = 40 (Internet Only)


What is Profiling?

• Collection: Process of collecting data to be used for identifying devices; uses probes for collecting device attributes: NMAP, SNMP, HTTP, RADIUS, DHCP, LLDP, NetFlow

• Classification: Classifies based on device fingerprint


ISE Authorization: Smartphones and Corporate Policy

Who = Employee, What = ? (Who? What?)

Permissions = Authorizations:

• Employee Phone: Set VLAN = 601 (Internet Only)

• Employee PC: Set VLAN = 603 (Full Access)
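As an added example (not from the deck or from Cisco), this Python sketch models the context-aware authorization the slides describe: Who (AD group) and What (profiled device type) rules with the VLANs from the two authorization slides, combined with the MDM compliance attributes and timer-driven passive reassessment from the MDM Integration slide. Rule order, the default-deny rule, gating the corporate iPad rule on MDM compliance, and the `coa_terminate` action name are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str                   # Who? the authenticated identity
    group: str                  # Who? AD group, e.g. "Employee" or "Contractor"
    device: str                 # What? device type from profiling
    mdm: dict = field(default_factory=dict)   # attributes queried from the MDM API

def mdm_compliant(attrs, level="micro"):
    """Macro level trusts the MDM's overall flag; micro level checks each attribute."""
    if level == "macro":
        return attrs.get("compliant") is True
    return (attrs.get("disk_encrypted") is True
            and attrs.get("pin_lock") is True
            and attrs.get("jailbroken") is False)

# First-match rules with the slides' VLANs; gating the corporate iPad rule on MDM compliance is this example's assumption.
RULES = [
    (lambda s: s.group == "Employee" and s.device == "iPad" and mdm_compliant(s.mdm),
     {"vlan": 30, "access": "Corporate Access"}),
    (lambda s: s.group == "Contractor" and s.device == "iPad",
     {"vlan": 40, "access": "Internet Only"}),
    (lambda s: s.group == "Employee" and s.device == "Phone",
     {"vlan": 601, "access": "Internet Only"}),
    (lambda s: s.group == "Employee" and s.device == "PC",
     {"vlan": 603, "access": "Full Access"}),
    (lambda s: True, {"vlan": None, "access": "Deny"}),   # assumed default deny
]

def authorize(session):
    return next(perm for cond, perm in RULES if cond(session))

def passive_reassessment(sessions, fresh_mdm):
    """Timer-driven bulk recheck: refresh MDM attributes and re-run authorization.
    A changed result means the device no longer meets the policy it was admitted
    under, so a CoA terminates that session (action name is an assumption)."""
    coa = []
    for s in sessions:
        before = authorize(s)
        s.mdm = fresh_mdm.get(s.user, s.mdm)
        if authorize(s) != before:
            coa.append(("coa_terminate", s.user, before["vlan"]))
    return coa

if __name__ == "__main__":  # constructed sample: alice's iPad later shows up jailbroken
    good = {"disk_encrypted": True, "pin_lock": True, "jailbroken": False}
    live = [Session("alice", "Employee", "iPad", dict(good)), Session("bob", "Contractor", "iPad")]
    print([authorize(s)["vlan"] for s in live])                               # [30, 40]
    print(passive_reassessment(live, {"alice": {**good, "jailbroken": True}}))  # [('coa_terminate', 'alice', 30)]
```

Bob's contractor iPad never depended on MDM attributes, so his recheck yields no CoA even though no fresh MDM data arrives for him.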


What is Posture?

Posture is the state of compliance with the company’s security policy.

• Is the system running the current Windows patches?

• Do you have anti-virus software installed? Is it up to date?

• Do you have anti-spyware software installed? Is it up to date?


Cisco ISE Posture Policy Example

Corporate Policy:

• Must have Kaspersky AV installed

• Automatic remediation enforced

Guest Policy:

• Must have AV installed but can be ANY vendor


Cisco ISE Posture Agents: Cisco NAC Agent, Cisco AnyConnect 4.0


Tree View (AuthC Protocols, Identity Store)


Filters in Live Log & Live Sessions


Off-Line Examination of Configuration

• Exportable Policy (quick link to the Export Page)


Exports as XML


Consistent Secure Access: A Solid Foundation Today & Tomorrow

• Simplified, Unified Policy Management for Access: Innovation & Market Leadership in NAC, at the core of Cisco Security & Solutions

• Unparalleled Visibility & Context: Get a Clearer Picture of Who and What Is On Your Network

• Advanced Threat Containment: Detect Threats from Compromised Devices via Health Checks & SIEM/TD

Only Cisco ISE delivers …