Identity Services Engine: Overview & Update
Abhi Gupta, SE
30 September 2014
Cisco Public 3 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control
Figure: who, what, where, when and how (VM client, IP device, guest, employee, remote user; wired, wireless, VPN) supply identity and context to business-relevant policies and security policy attributes.
Replaces AAA & RADIUS, NAC, guest mgmt & device identity servers
Cisco Identity Services Engine (ISE): Consistent Secure Access Policy
Figure: ISE combines network context (who, what, where, when, how) with partner context data to produce a consistent secure access policy.
Cisco ISE is the Market Leader
Role of Cisco ISE in the Attack Continuum
ISE Provides Visibility, Context, and Control Across the Entire Continuum
Attack Continuum:
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Product categories across the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web + Email Security, Advanced Malware Protection, Network Behavior Analysis, pxGrid + ISE Ecosystem
Customer use cases for ISE
• Guest Access Management: easily provide guests limited-time, limited-resource Internet access
• BYOD and Enterprise Mobility: seamlessly & securely onboard devices with the right levels of access
• Secure Access across the Entire Network: simplify & unify enterprise network access policy across wired, wireless, & VPN
• With Cisco TrustSec®: identity-aware network segmentation and access policy enforcement
Guest Access Flow
Redirection of the guest web session to the Cisco® ISE guest portal for authentication.
Figure components: ISE, switches, WLC, AP, sponsor, local RADIUS, workstations, mobile (iPhone), guest login.
Life Cycle Management
• Provision: create guest accounts in the sponsor portal
• Manage: create sponsor policy, manage sponsor groups, customize portals
• Notify: notify guests using different methods, e.g. SMS
• Report: report on all aspects of guest accounts
Sponsoring Guests
Branding with Themes! Themes give you complete control over the look and feel of your sponsor portal.
Mobile Sponsors: you are free to move about the cabin! Create a guest account on the fly from your smartphone / tablet away from your desk.
Streamlined Guest Creation: set up your sponsor portal to show only the fields you need for your business.
Figure: "Create Accounts" screens with print, email and SMS delivery options.
Branded Guest Notifications
Guest Receipts with Your Brand: whether you're delivering guest credentials on the printed page, over email or SMS, ISE makes it easy to deliver your complete branded experience.
SMS Notifications: send credentials directly to a guest's mobile phone.
Email Notifications: do you have guests visiting? Send them login credentials before they even arrive!
Sample notification: "Your credentials: username: trex42, password: littlearms"
New Guest Portal Admin
A Guest Button: with our new navigation, getting to the Guest admin has never been easier.
Prepackaged Flows: ships with the default flows used by 90% of our customers: Hotspot, Self-Service (with or without approval), & Sponsored.
One Stop Setup: once you're there, all the pieces you need are accessed in one place.
Guest Portal building made easy
End User Visibility: ISE makes the end user experience crystal clear as it updates the guest flow diagram in real time with each settings change.
Admin Friendly: through extensive user research we've made guest settings so easy to find that setting up a guest flow can be done in just a few clicks.
Customize with Themes
Themes! Themes give you complete control over the look and feel of your guest pages. Use our out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS.
Live Preview: see your pages as the guests will see them as you customize.
Full Page Control: use our defaults or customize every field in multiple languages.
BYOD Spectrum
• Managed User + Managed Device: environment requires tight controls
• Managed User + Unmanaged Device: basic services and easy access for everyone
• Managed User + Unmanaged Device + Secure: register, configure connectivity
• Managed User + Unmanaged Device + Secure + Compliance: company's native applications, new services, and full control
What Does Cisco ISE offer?
• Multiple device support
• Certificate provisioning
• Multiple network topologies
• Blacklisting and reinstating of devices
• Self-registration
BYOD Flow Use Case: Single SSID
1. User connects to open SSID
2. Redirected to WebAuth portal
3. User enters employee or guest credentials
4. Guest signs AUP and gets guest access
5. Employee registers device
6. Downloads certificate
7. Downloads supplicant configuration
8. Employee reconnects using EAP-TLS
Figure components: personal asset, access point (SSID BYOD-Secure), Wireless LAN Controller, ISE, AD/LDAP.
Native Certificate Authority
Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure.
The ISE Certificate Authority is designed to work either as a self-contained solution or in concert with your existing Enterprise PKI to simplify BYOD deployments.
• Single Management Console: manage endpoints and their certs. Delete an endpoint and ISE deletes the cert.
• Simplified deployment: supports stand-alone and subordinate deployments. Removes the corporate PKI team from every BYOD interaction.
Designed for BYOD use-cases only, not a general purpose CA.
Figure: Cisco ISE Certificate Authority, self-contained or optionally subordinate to an enterprise root.
PKI Hierarchy and Roles
• PAN is Root CA for the ISE cube
• All PSNs are subordinate CAs to the PAN; PSNs are SCEP Registration Authorities (RAs)
• ISE PAN may be subordinate to an existing Root CA or may be a stand-alone Root
• Promotion of the Standby PAN will not have any effect on operation of the subordinate CAs
• For the Standby to become Root CA, the private/public keys from the Primary PAN must be manually installed
Figure: Enterprise Root (optional) > Primary PAN (ISE CA) with Standby PAN; four PSNs, each a Subordinate CA and SCEP RA.
Certificate Template(s)
• Define internal or external CA
• Set the key sizes
• SAN field options: UUID, DNS name, MAC address, serial #; no free-form additions
• Set length of validity
MDM Integration
• ISE can query the MDM server using APIs
• Compliance based on:
  Macro level: general Compliant or Not Compliant status
  OR
  Micro level: disk encryption enabled, PIN lock enabled, jail-broken status
• MDM attributes available for policy conditions
• "Passive Reassessment": bulk recheck against the MDM server using a configurable timer. If the result of a periodic recheck shows that a connected device is no longer compliant, Cisco® ISE sends a CoA to terminate the session.
• Survivability attribute
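The passive reassessment loop described above, as an added example that is not part of the original deck: it evaluates MDM compliance at the macro level (the MDM's own Compliant flag) or the micro level (disk encryption, PIN lock, jail-broken status) once the timer expires, and emits a CoA terminate for sessions whose device fails. The function names, policy knobs, session table and MDM replies are all assumptions constructed for this illustration.

```python
# Added example, not Cisco's code: simulates ISE "passive reassessment" of MDM
# compliance. Session table and MDM replies are constructed sample data; the
# policy knobs and function names are assumptions for this illustration.
from dataclasses import dataclass

@dataclass
class MdmRecord:
    compliant: bool        # macro level: overall status the MDM reports
    disk_encryption: bool  # micro level attributes
    pin_lock: bool
    jailbroken: bool

@dataclass
class Policy:
    level: str = "macro"   # "macro" trusts the MDM flag; "micro" checks attributes
    interval: int = 300    # reassessment timer in seconds (configurable in ISE)

def is_compliant(rec: MdmRecord, policy: Policy) -> bool:
    """Macro: MDM's Compliant / Not Compliant flag. Micro: every attribute must pass."""
    if policy.level == "macro":
        return rec.compliant
    return rec.disk_encryption and rec.pin_lock and not rec.jailbroken

def reassess(sessions: dict, mdm: dict, policy: Policy, now: int, last_run: int) -> list:
    """Bulk recheck of every active session once the timer has expired.
    sessions: {session_id: MAC}; mdm: {MAC: MdmRecord} as returned by the MDM API.
    Returns (session_id, action) pairs; "CoA-Terminate" ends a session whose device
    is no longer compliant. A device with no MDM record is left alone (assumption)."""
    if now - last_run < policy.interval:
        return []  # timer has not expired yet
    actions = []
    for sid, mac in sessions.items():
        rec = mdm.get(mac)
        if rec is None:
            actions.append((sid, "no-record"))
        elif is_compliant(rec, policy):
            actions.append((sid, "keep"))
        else:
            actions.append((sid, "CoA-Terminate"))
    return actions

# Constructed sample data: s2's device dropped its PIN lock after it connected
SESSIONS = {"s1": "00:11:22:33:44:55", "s2": "66:77:88:99:aa:bb", "s3": "cc:dd:ee:ff:00:11"}
MDM = {"00:11:22:33:44:55": MdmRecord(True, True, True, False),
       "66:77:88:99:aa:bb": MdmRecord(True, True, False, False)}  # MDM still flags compliant

if __name__ == "__main__":
    for level in ("macro", "micro"):
        print(level, reassess(SESSIONS, MDM, Policy(level=level), now=600, last_run=0))
```

Note the difference between the two levels: a macro-level policy keeps s2 connected because the MDM's overall flag is still Compliant, while a micro-level policy catches the missing PIN lock and terminates the session.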
Secure Access: Role-Based, Dynamic Provisioning
Figure: (1) context-aware classification of who, what, when, where and how; (2) context-aware policy enforcement; (3) ISE.
Cisco ISE Authentication Policy: Who = 802.1X Managed Users
Examples: employees and staff, faculty and students, or extended access to partners and contractors
Primary authentication methods: 802.1X or agent-based
Multi-Forest Active Directory Support
• Support for up to 50 concurrent Active Directory multi-join points
• No need for a 2-way trust relationship between domains
• Advanced algorithms for dealing with identical usernames
ISE 1.3 is designed for growing businesses. With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises.
Figure: ISE joined to example-1.com, example-2.com, ... example-n.com.
Terminology
• 1.3 AD Instance == 1.2 AD
• Scope defines selected instances. Here we have 3 AD instances for Scope A out of 5 AD instances configured on the ISE.
Figure: five configured AD instances (acs.com, Company-B.com, Company-C.com, Company-D.com, Company-E.com); the acs.com forest contains oceania.acs.com, australia.oceania.acs.com, canberra.australia.oceania.acs.com, amer.acs.com and brazil.south.amer.acs.com.
Authentication Policy
An individual AD instance can be selected, or scopes can be selected (All_AD_Instances is a synthetic scope created automatically to select all configured AD instances).
Authorization Policy: Sample Policy
Permissions = Authorizations
• Employee_iPAD: set VLAN = 30 (Corporate Access)
• Contractor_iPAD: set VLAN = 40 (Internet Only)
What is Profiling?
• Collection: the process of collecting data to be used for identifying devices; uses probes for collecting device attributes (NMAP, SNMP, HTTP, RADIUS, DHCP, LLDP, NetFlow)
• Classification: classifies based on device fingerprint
ISE Authorization: Smartphones and Corporate Policy (Who = Employee, What = ?)
Permissions = Authorizations
• Employee Phone: set VLAN = 601 (Internet Only)
• Employee PC: set VLAN = 603 (Full Access)
What is Posture?
Posture is the state of compliance with the company’s security policy.
• Is the system running the current Windows patches?
• Do you have anti-virus software installed? Is it up to date?
• Do you have anti-spyware software installed? Is it up to date?
Cisco ISE Posture Policy Example
Corporate Policy:
• Must have Kaspersky AV installed
• Automatic remediation enforced
Guest Policy:
• Must have AV installed but can be ANY vendor
Cisco ISE Posture Agents
Cisco NAC Agent, Cisco AnyConnect 4.0
Tree View: AuthC protocols, identity store
Filters in Live Log & Live Sessions
Off-Line Examination of Configuration
• Exportable policy (quick link to export page)
Exports as XML
Only Cisco ISE delivers …
Consistent Secure Access: A Solid Foundation Today & Tomorrow
• Simplified, unified policy management for access
• Innovation & market leadership in NAC, at the core of Cisco security & solutions
Unparalleled Visibility & Context
• Get a clearer picture of who and what is on your network
Advanced Threat Containment
• Detect threats from compromised devices via health checks & SIEM/TD
Abhi Gupta, SE [email protected]
Rob Bleeker, CSE [email protected]