Building An Enterprise Access Control Architecture Using ISE Group Based Policies PDF

#CLUS
Building an Enterprise
Access Control
Architecture using ISE and
Group Based Policies
Subtitle goes here
Imran Bashir
Technical Marketing Engineer, Security Business Group
BRKSEC-2695
#CLUS
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• ISE Guest & Employee WebAuth
• Compliance: Desktop Posture, BYOD & MDM
• pxGrid: Enabling a Security EcoSystem
• Group Based Policies / Licensing / Roadmap
• Conclusion
#CLUS BRKSEC-2695 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated cs.co/ciscolivebot# XXX-XXXX

by the speaker until June 18, 2018.
Session Abstract
This session will focus on: 1. Emerging business requirements and ISE services such as: Guest,
profiling, posture, BYOD and MDM. 2. Secure policy based access control including 802.1X, MAB,
Web Authentication, and certificates/PKI. The session will show you how to expand policy decisions
to include contextual information gathered from profiling, posture assessment, location, and external
data stores such as AD and LDAP. 3. Enforcing network access policy through conventional means
such as VLANs and ACLS and emerging technologies such as Group Based Policies .
Cisco Group Based Policies technology is used to segment the campus and datacenter to increase
security and drive down the operational expenses associated with managing complex ACL firewall
rule tables and ACLs lists. This session is an introduction to the following advanced sessions:
BRKSEC-3699; BRKSEC-3698; BRKSEC-3690; TECSEC-3691.
BRKSEC-2695 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Important: Hidden Slide Alert
Look for this “For Your Reference”

Symbol in your PDF’s
There is a tremendous amount of

hidden content, for you to use later!
FOR YOUR REFERENCE
**250 +/- Slides in PDF (100 + are hidden)
ISE Sessions @Live Orlando 2018
Sunday Wednesday Thursday
TECSEC-2672 BRKSEC-3697 BRKSEC-3699
Identity Services Engine Advanced ISE Services, Tips & Tricks Designing ISE for Scale & High
2.4 Best Practices Craig Hyps, Wednesday 8:00-10:00 Availability
Jesse Dubois, Craig Hyps
Eugene Korneychuk, BRKCOC-2018 Thursday 8:00-10:00
Kevin Redmon, Inside Cisco IT: How Cisco Deployed ISE and Group
Vivek Santuka Based Policies throughout the Enterprise
BRKSEC-2038
Monday 9:00-6:00 Raj Kumar, David Iacobacci
Security for the Manufacturing
Wednesday 8:30-10:00
Floor - The New Frontier
Shaun Muller
Monday BRKSEC-2464
Thursday 10:30-12:00
Lets get practical with your network security
BRKSEC-2059 by using Cisco ISE
Deploying ISE in a Imran Bashir, Wednesday 10:30-12:00 BRKSEC-2039
Dynamic Environment Cisco Medical Device
Clark Gambrel BRKSEC-2695 Segmentation
Monday 1:30-3:30 Building an Enterprise Access Control Architecture Tim Lovelace, Mark Bernard
using ISE and Group Based Policies Thursday 1:00-2:30
Imran Bashir, Wednesday 1:30-3:30
ISE Integrations and Lab Sessions
Labs Tuesday Wednesday Thursday

LABSEC-2330 BRKSEC-3557 SOLSEC-2002 BRKSEC-3014
Rapid Threat Detection Advanced Security Extending Cisco Identity Security Monitoring with
on ISE 2.3 With Cisco Integration, Tips & Services Engine Policies Stealthwatch: The
Fire power integration via Tricks to the Cloud and Beyond Detailed Walkthrough
Pxgrid Aaron Woland Doug Johnson Matthew Robertson
Kushagra Kaushik, Tuesday 4:00-6:00 Wednesday 11:10-11:25 Thursday 8:00-10:00
Prachi Chauhan
BRKSEC-3889 DEVNET-1010
LABSEC-1200 Advanced Security Using Cisco pxGrid for
ISE 2.3 : Dot1x : Architecture Integrations Security Platform
Troubleshooting tips and using APIs and pxGrid Integration
tricks Jamie Sanbower Nancy Cam-Winget,
Kushagra Kaushik, Wednesday 1:30-3:30 Syam Appala
Prachi Chauhan Thursday 10:30-11:15
Software Defined Segmentation Sessions
Monday Tuesday Wednesday Thursday
BRKSEC-2026 BRKRST-2129 BRKRST-2100 BRKCLD-2412
Building Network The Evolution of Building Intent-Based Consistent Group-based
Security Policy Network Segmentation: Segmentation Policies Policy for On-premise, Hybrid
Through Data From Traditional for On-premise and & Multi-cloud with Cisco DNA
Intelligence methods to Software Public Cloud Intent-based Networking
Matthew Robertson, Defined Segmentation Fay-Ann Lee Ken Hook
Darrin Miller Paul Bourassa, Wed 10:30-12:00 Thursday 08:30-10:00
Monday 4:00-5:30 Ken Kaminski
Tuesday 4:00-6:00 BRKSEC-3690
Tuesday Thursday Advanced Security Group
LTRSEC-1571 Tags: The Detailed Walk
BRKCRS-2812 BRKCRS-2812 Through Darrin Miller
Software Defined
Cisco SD-Access – Cisco SD-Access – Thursday 10:00-10:00
Access with Cisco ISE
Integrating with Your Integrating with Your
and DNA Center Naman
Existing Network Existing Network
Latif, CCSCRS-2000
Kedar Karmarkar Kedar Karmarkar
Keith Simmons Cisco SD-Access: Secure
Tuesday 4:00-6:00 Thursday 8:00-10:00
Wednesday 8:00-12:00 Segmentation Design
Ankush Arora, Subodh Gajare
Thursday 10:00-11:00
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Managing policy based on ‘Trust’
Connecting Trusted Devices to Trusted Services
CISCO IDENTITY SERVICES ENGINE
User-Groups Device-type
Cloud
Non-Trusted App / Services

Trusted App / Services
Trusted User
Cloud App A
Cloud App B
Server A
Server B
Partners
Location Posture
Trusted Asset ✓ ✕ ✓ ✓ ✓ ✓
On Prem
Trusted User ✕ ✓ ✓ ✓ ✓ ✕
Time Threats Partners ✕ ✕ ✓ ✓ ✕ ✕
Behavior Vulnerability
Software-Defined Segmentation, Location-Free App/Service

Improved Visibility and Decision
Service Access & Entitlement Access
Context is everything
Poor context awareness Rich context awareness
IP ADDRESS: 192.168.2.101 BOB (EMPLOYEE)
UNKNOWN WINDOWS WORKSTATION
UNKNOWN BUILDING-A FLOOR-1
UNKNOWN 10:30 AM EST on APR 27

UNKNOWN KNOWN
UNKNOWN WIRELESS
UNKNOWN NO THREATS / VULNERABILITIES
RESULT RESULT
ACCESS TO IP (ANY DEVICE / USER) ROLE BASED ACCESS
?
? ?
Cisco ISE and Anyconnect
CISCO ISE SIEM, MDM, NBA, IPS, IPAM, etc.
WHO WHEN
Cisco ISE WHAT WHERE PxGRID
& APIs
HOW HEALTH
Context aware policy service, THREATS CVSS
to control access and threat Partner Eco System
ACCESS POLICY
across wired, wireless and
VPN networks FOR ENDPOINTS FOR NETWORK
WIRED WIRELESS VPN
Cisco Anyconnect
Supplicant for wired, wireless

and VPN access. Services
include: Posture assessment,
Malware protection, Web
security, MAC Security,
Network visibility and more.
Role-based Access Control | Guest Access | BYOD | Secure Access
Introducing Cisco Identity Services Engine
A centralized security solution that automates context-aware access to
network resources and shares contextual data
Physical Identity Profiling Role-Based Policy Access Network Resources

or VM and Posture
Cisco Group
Traditional
Based Policies ®
Who
Network What Guest Access

Door
When
BYOD Access
Where
Role-Based Access
How
ISE pxGrid
 Compliant Controller
Secure Access
Context
Why customers buy ISE?
Cisco ISE can reach deep into the network to deliver superior visibility into
Asset Visibility who and what is accessing resources.
Access Control Consistent access control in to wired, wireless and VPN Networks. 802.1X,
MAC, Web Authentication and Easy connect for admission control.
Fully customizable branded mobile and desktop guest portals, with dynamic
Guest Access visual workflows to easily manage guest user experience.
Simplified BYOD management with built-in CA and 3rd party MDM
BYOD Access integration for on boarding and self-service of personal mobile devices
Topology independent Software-defined segmentation policy to contain
Segmentation network threats by using Cisco Group Based Policies technology.
Context sharing with partner eco-system to improve their overall efficacy
Threat Control and accelerate time to containment of network threats.
Cisco ISE supports device administration using the TACACS+ security
Device Admin protocol to control and audit the configuration of network devices
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Asset Visibility
Visibility Attributes
Users Device Location Connectivity Time
•Name •Type •Physical •Medium (Wired / •Time of day

•Username •Ownership •Logical Wireless / VPN) •Day of Week
•contact •Compliance / •MSE Integration •Network Access •Connection
•Role Posture Devices duration
•Permissions/rights •State (Active
Session)
Behavior Application and Vulnerability Threat

Services
•Historical (Now and •Applications •CVE, CVSS scores •Malware / STIX
before) installed, running, •Vulnerably scan •Fidelity
•Was the device allowed from 3rd party •Spoofing
doing expected vs. •Services and scanners
Unexpected? Processes
Security starts with ‘Visibility’
Cisco ISE Profiling
1.5
million
devices with ‘50’ attributes

each can be stored
550+ Cisco ISE
High-level canned
profiles. +Periodic feeds Feed Service
(Online/Offline)
250+ Cisco Network ACTIVE PROBES Netflow DHCP DNS HTTP RADIUS NMAP SNMP
DEVICE SENSOR CDP LLDP DHCP HTTP H323 SIP MDNS

Medical device profiles
Cisco ISE Profiling overview
ACTIVE PROBES Netflow DHCP DNS HTTP RADIUS NMAP SNMP AD
ANYCONNECT ACIDex ISE data collection methods for Device profiling
Endpoints send DS
interesting data,
that reveal their DS
Feed Service
device identity
Cisco ISE (Online/Offline)
ACIDex Profiler Policy

If CDP:Platform Name = Cisco IP Phone = true, then Cisco-IP-Phone
Authorization Policy
If Endpoint ID Group = Cisco-IP-Phone = true, then Voice VLAN
AnyConnect Identity Extensions (ACIDex) | Device Sensor (DS) BRKSEC-2695 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Visibility based on Vulnerability
Integration with Vulnerability Scanners
Visibility based on Threat
Threat Endpoints based on Incident and Indicators
ISE Visibility Setup Wizard
Visibility Setup
Endpoint Discovery
ISE scans for endpoints within given IP MAC Address IPv4 Address Endpoint Profile OUI
subnet range. 00:22:BD:D3:5B:2F 10.1.0.13 Cisco-IP-Camera Cisco Systems
00:02:4B:CC:D6:63 10.1.20.33 Cisco-IP-Phone Cisco Systems
5C:F9:38:AA:1F:90 10.1.0.21 Apple-MacBook Apple Inc
30:46:9A:2E:C3:F0 10.1.0.73 Microsoft-Workstation Lenevo
Visibility Setup
Network Access Device Discovery
ISE 2.1 can do a SNMP scan of the network Name IP Address Device Type Location Description
and populate the Network Devices. Just add Cat3850-1 10.1.100.1 Switch Bldg-A Cisco IOS Software XE..
RADIUS secret to each NAD.
ISR4KX-1 10.1.100.2 Router Bldg-A Cisco IOS Software XE..
WLC5520-1 10.1.100.3 Controller DC-01 Cisco Controller
N5K-1 10.1.100.4 Switch DC-01 Cisco Nexus OS version..
* Only supported on Standalone ISE deployment.

Visibility Setup
Active Directory Connection
Connect to AD via the wizard to complete

the 3rd piece of ISE day-0 configuration
Cisco ISE Win Domain

Controller
Visibility Demo
Demo
Asset Visibility
Application ‘Visibility’ via Anyconnect

Corporate Public
IPFIX/NetFlow
Collector
Cisco Anyconnect with

‘Network Visibility’ module
Visibility Context Control

in to process, process hash, URLs, and more for Network Behavioral Analysis run-time applications via ’Posture Policies’
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Cisco ISE Profiling
1.5
million
devices with ‘50’ attributes

each can be stored
550+ Cisco ISE
High-level canned
profiles. +Periodic feeds Feed Service
(Online/Offline)
250+ Cisco Network ACTIVE PROBES Netflow DHCP DNS HTTP RADIUS NMAP SNMP

Medical device profiles
Cisco ISE Profiling overview
ACTIVE PROBES Netflow DHCP DNS HTTP RADIUS NMAP SNMP AD
ANYCONNECT ACIDex ISE data collection methods for Device profiling
Endpoints send DS
interesting data,
that reveal their DS
Feed Service
device identity
Cisco ISE (Online/Offline)
ACIDex Profiler Policy

If CDP:Platform Name = Cisco IP Phone = true, then Cisco-IP-Phone
If Endpoint ID Group = Cisco-IP-Phone = true, then Voice VLAN
AnyConnect Identity Extensions (ACIDex) | Device Sensor (DS) BRKSEC-2695 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
ISE canned profiles
Apple WYSE Samsung Motorola Cisco Roku

Nokia
Lexmark VMware HP Microsoft Sony
Samsung Xerox Philips
Profiling – How does it work?
A0:99:9B:00:01:AA
= Apple-MacBook
OS: Mac OS X +10

UA: *Macintosh* +10
UA: *Mac OS*
+10
A0:99:9B:00:01:AA
Must match minimum certainty factor
Custom Profiles
What can I do when Cisco® ISE can’t
recognize and profile a specific type of
endpoint (example: APC UPS)?
ISE does learn the OUI and possibly

other information, which can be used to
write a custom profile.
Attribute that can be used for writing

custom profiling conditions
RADIUS DHCP HTTP SPAN DNS SNMP NMAP NETFLOW AD
Active Directory Probe

• Increases OS fidelity through detailed info extracted via AD.
AD
Attributes • Leverages AD Runtime Connector
• Attempts to fetch AD attributes once computer hostname
Domain DHCP / DNS PSN learned from DHCP Probe and DNS Probe
Controller
• AD queries gated by:
• Rescan interval (default 1 day)
• Profiler activity for endpoint
Note: If AD probe enabled after endpoint learned and hostname acquired, then no AD query.
RADIUS DHCP HTTP SPAN DNS SNMP NMAP NETFLOW AD
AD Probe conditions Match on the following:

• AD Computer?
• Join Point Domain
Conditions • OS, Version, and Service Pack
Sample Attributes
MAB  DHCP  AD Probe

Simple as 1 – 2 – 3 !
Simplify profiling with ‘Device Sensor’
Network devices send endpoint raw data to ISE via RADIUS
 Doesn’t require packet

Just One Type of Probe redirections (DHCP Helper)
• Distributed collection on Network
Devices. Cache, CDP, LLDP, and SPAN sessions
CDP DHCP, HTTP (Wireless only), etc.
LLDP
DHCP ISE • Centralized collection over for profiling
MAC
RADIUS protocol
 Highly scalable and efficient
CDP  ISE runs only “RADIUS”
LLDP
DHCP
MAC probe
 Profiling based on:
RADIUS Accounting • CDP/LLDP
HTTP
DHCP
MAC
• DHCP
• HTTP (WLC only)
• mDNS,
• H323,
Data From • MSI-Proxy (4k only)
Device Sensor + Profile Conditions = PROFILED
Example: If DHCP Class ID It’s a Lexmark
MAC OUI + Lexmark Contains E260dn E260n Printer
Feed Service
• Introduced in ISE 1.2
• No need to wait for new Cisco® ISE version
• Zero-day support for popular endpoints is added using Cisco Feed Server
• Updates Profile Policies and IETF OUI Information
PSN Cisco
PSN Feed Partner

Server DB
Endpoint Custom Attributes
Administration > Identity Management > Settings
Once defined, Custom Attributes
can be set using:
• Admin UI
• File Import
• LDAP Import
• ERS API
Edit Custom attributes
864444923566 Save/Delete
Edit
Custom attributes exposed to Authorization policy

rule conditions
Medical NAC and Internet of Things
Medical profiles XML upload. Profiling data collection via usual means
250+ Medical
device profiles
UPLOAD
HOSPITAL MEDICAL DEVICES
pxGrid
IND
Cisco Industrial
Network Director
FACTORY INDUSTRIAL DEVICES
#CLUSIoT profiles ships with ISE 2.4. Cisco
© 2018 Profiling
and/or data collection
its affiliates. via pxGrid
All rights reserved. from
Cisco PublicIND 43
Medical NAC Whitepaper
• Technical Whitepaper - How to use ISE
profiling to identify, classify, and segment
medical devices
• Profiling options and best practices
• Custom Profile checklist
• How to obtain and install…
• Cisco Medical Device Profile Library:
• 250+ pre-built clinical device profiles
• https://communities.cisco.com/docs/DOC-66340
http://www.cisco.com/c/dam/en/us/products/collateral/security/medical-nac-white-paper.pdf
Planned PoC
Connector: FDA GUDID based Access
GUDID over Device-Sensor/
LLDP-MED / DHCP SNMP
Segmentation Policy
Swithces API ISE API
Note: Primary DI Number is NOT sent over network

protocol today. Cisco is seeking a way to work with MDM
to implement GUDID over LLDP-MED/DHCP, influence
FDA, or easier way to ingest such ID to ISE.
Collect Primary DI Number

(AccessGUDID/openFDA) to
query inventory & defect
attributes for better classification /
segmentation result
GUDID: Global Unique Device Identifier
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Cisco ISE support for Secure Access
SAML iDPs Single Sign-On
Native Supplicants /
Cisco AnyConnect
Certificate based Auth
Certificate Authorities
500,000 concurrent sessions
Upto 100K
Network Devices APIs Passwords / Tokens
SCEP / CRL
External Identity Stores
Active Directory
802.1X
ENTERPRISE SQL Server

NETWORK LDAP / SQL
LDAP Servers
Built-in CA
500,000
300K Internal Users Up to 50 distinct AD domain support
Authentication Methods Authorization Options
PASSIVE  MAC Authentication Bypass  Downloadable / Named ACL

IDENTITY  Easy Connect ®  Air Space ACL
 VLAN Assignment
 IEEE 802.1X  Security Group Tags
ACTIVE  Web Authentication  URL-Redirection
IDENTITY  Central WebAuth  Port Configuration
 Local WebAuth (ASP Macro / Interface-Template)
ASP: Auto Smart Port BRKSEC-2695

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Fundamentals of 802.1X
Credentials Endpoint Cisco ISE Active Directory

Network Device
(Certificate / Password / Token) (Supplicant) (Authentication Server) (Identity Store)
(Authenticator)
EAP
EAP EAP EAP

802.1X RADIUS
RADIUS: ACCESS-REQUEST
RADIUS SERVICE-TYPE: FRAMED
EAP: EAP-RESPONSE-IDENTITY
EAP: Extensible Authentication Protocol
Supplicant: Software running on the client that provides credentials to the

authenticator (Network Device).
Fundamentals of 802.1X
Endpoint Cisco ISE Active Directory

Network Device
(Supplicant) (Authentication Server) (Identity Store)
(Authenticator)
Port-Authorized
EAP EAP
802.1X RADIUS
RADIUS: ACCESS-ACCEPT
EAP: EAP-SUCCESS
Port-Unauthorized
(If authentication fails)
EAP: Extensible Authentication Protocol
Supplicant: Software running on the client that provides credentials to the

authenticator (Network Device).
Authentication vs. Authorization
Driving Home the Point
I’d like 40K from John Chambers Account
Do You Have Identification?
Yes, I Do. Here It Is.
Sorry, Imran Bashir is not Authorized

for John Chambers’ Account
Network Access Control
PROTECTED SHARED PUBLIC
SERVERS SERVICES NETWORK
Certificates / Passwords
NETWORK ACCESS
EMPLOYEE
CONTRACTOR alice
*****
AUTHENTICATION AUTHORIZATION
Who are you? What you can do?
ISE Authentication and Authorization policy
Authentication method Where to look for identities
How to handle Auth failures
Authorization conditions
End result
CONTRACTORS
Harry
Jim
Cisco ISE
EMPLOYEES
Alice
Authorization Options
Beyond RADIUS ‘ACESS-ACCEPT’ / ‘ACCESS-REJECT’
DACL or Named ACL VLANs Security Group Tags

Downloadable ACL (Wired) or
Dynamic VLAN Assignments Cisco Group Based Policies
Named ACL (Wired + Wireless)
Remediation
Guest
VLAN 4
Employees
Contractor VLAN 3
Employee 16 bit SGT assignment and
permit ip any any deny ip host <protected>
permit ip any any Per port / Per Domain / Per MAC SGT based Access Control
MAC Authentication Bypass (MAB)
Endpoints without supplicant will fail 802.1X authentication! Bypassing “Known” MAC Addresses
Cisco ISE
00-10-23-AA-1F-38 Network Device
802.1X
Cisco ISE
Network Device
LAN
EAP: What’s your Id?
No
802.1X Any Packet User: 00-10-23-AA-1F-38
ACCESS-ACCEPT
MAB requires a MAC database | ISE can build this database dynamically
Change of Authorization (CoA)
RFC 5176
Requires endpoint’s ‘active session’ on ISE

Initial
access
Automatic / Manual initiation of CoA
Change in
access
Use cases:
• Central Web Authentication (CWA)
• Device Profiling
• Posture assessment
RADIUS CoA (Change of Authorization) is • Threat Centric NAC
a feature that allows ISE to adjust an • Adaptive Network Control and more
active client session.
Central Web Authentication (CWA)
Endpoint Network Device Cisco ISE
NETWORK
Initial packet MAB Request Got your MAC,

need your ID
Initial AuthZ
Limited Access ACL + URL-Redirect to ISE
Google.com
alice
….... ISE login page
Username + password
CoA
Full Access ACL
CoA use cases
RFC 5176
Limited  Full Access (E.g. Posture)
Security Posture: ‘Non Complaint’
• Central Web Authentication
Authorization : Limited Access
• Guest Access
• Bring your Own device flows Security Posture: ‘Complaint’
Change of Authorization : Full Access

• Web notifications
• Posture Assessment
Full Access  Limited Access (E.g. ANC)
• Threat Centric NAC Ad Group Employee, Initial Access
• Adaptive Network Control Authorization : Full Access
• Device Profiling
Malware activity
• Easy Connect Threat
notification
Change of Authorization : Limited Access
Active V/s Passive Identity
1 DOMAIN\Jim
(AD Login)
Jim 3
2
Jim Logged in
Passive Identity
Alice?
Active Identity
Yes AD
Cisco ISE
1 2
3
Alice
Passive Identity Active Identity

IP to User mapping got via passive means like AD WMI IP to User mapping got via active interaction between ISE and the
events, AD Agents, Syslog, SPAN sessions and more. client via 802.1X, Web authentication, Remote access VPN, etc.
Easy Connect
Identity Based Access without 802.1X
DOMAIN
DOMAIN\bob
CONTROLLER Bob logged in
ISE retrieves user-ID and

DHCP DNS
user’s AD membership
NTP AD
FULL ACCESS
LIMITED ACCESS UNKNOWN LIMITED ACCESS
Limited
CoA: Full Access
EMPLOYEES FULL ACCESS
SWITCH-1 CISCO ISE

Enterprise
Network
No 802.1X
Immediate value Increased visibility Flexible deployment

Leverage existing into active network co-operates with
infrastructure sessions other auth methods
802.1x & EasyConnect
Demo
What About That 3rd “A” in “AAA”?
Accounting
Detailed Visibility into Passed/Failed Attempts
Detailed Visibility into All Active Sessions and Access Policy Applied
Repeat Count = 395
Per Session Details
Let’s Begin by Securing User Access with 802.1X
I’ve done my
homework in Proof
of Concept Lab and
it looks good. I’m
turning on 802.1X
tomorrow…
IT Mgr.
Enabled 802.1X
I can’t connect to my
network. It says
Authentication failed
but I don’t know how
to fix. My presentation
is in 2 hours…
Help Desk calls increase by 40%

Deploying 802.1X in Phases
Monitor Mode Low-Impact Mode Closed Mode
File ISE ISE File ISE File

DHCP DNS
Servers Servers Servers
Servers
Campus Network Campus Network Campus Network
PREAUTH ACL PERMIT ACL
Port Open permit eap dhcp dns permit ip any any Only EAP
Unconditionally deny any Allowed
Pass / Failed Before After Before After

Authentication Authentication Authentication Authentication Authentication
Monitor Mode
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
switchport voice vlan 10
authentication host-mode multi-auth Monitor
authentication open Mode
authentication port-control auto
Before Authentication After Authentication Basic
mab
dot1x pae authenticator
1X/MAB
Traffic always allowed irrespective of authentication status authentication violation restrict
MONITOR MODE : GOALS MONITOR MODE : CONFIGURATION
 No impact to existing network access  Enable 802.1X and MAB

 See - What is on the network  Enable Open Access
- Who has a supplicant All traffic in addition to EAP is allowed Like
not having 802.1X enabled except
- Who has good credentials
authentications still occur
- Who has bad credentials  Enable Multi-Auth host mode
 Deterrence through accountability  No Authorization
Monitor Mode, next steps
MONITOR MODE : NEXT STEPS
 Improve Accuracy
 Evaluate Remaining Risk
 Leverage Information
 Prepare for Access Control
RADIUS Unknown
Server Known
Authenticator MAC
MAC
.1X
Failures
.1X-Pass
• RADIUS Authentication & Accounting Logs

• Passed / Failed 802.1X
(Who has bad credentials? Misconfigurations?)
• Passed / Failed MAB attempts
(What don’t I know?)
Low Impact Mode
authentication host-mode multi-auth Low-
ip access-group PRE-AUTH in Impact
authentication open Mode
Before Authentication After Authentication authentication port-control auto From
mab Monitor
Pre-Auth and Post-Auth Access controlled by IP ACLs dot1x pae authenticator Mode
authentication violation restrict
LOW-IMPACT MODE : GOALS
LOW-IMPACT MODE : CONFIGURATION
 Begin to control/differentiate network access
 Minimize Impact to Existing Network Access  Start from Monitor Mode
 Retain Visibility of Monitor Mode  Add ACLs, dACLs and flex-auth
 “Low Impact” == no need to re-architect your
network  Limit number of devices connecting to port
 Keep existing VLAN design  Authorize phones with dACLs and Voice
 Minimize changes VSA
Closed Mode
no authentication open
authentication event fail authorize vlan 101
authentication event no-resp authorize vlan 101
Before Authentication After Authentication authentication event server dead action \
authorize vlan 101
No access prior authentication, Specific access on Auth-success authentication port-control auto
mab
CLOSED MODE : GOALS dot1x pae authenticator
dot1x timer tx-period 10
 As per IEEE specification for 802.1X
 No access before authentication CLOSED MODE : CONFIGURATION
 Rapid access for non-802.1X-capable

corporate assets  Return to default “closed” access
 Logical isolation of traffic at the access  Timers or authentication order change
edge (VLAN segmentation)  Implement identity-based VLAN assignment
Flexible Authentication
aaa new-model
aaa authentication dot1x default group radius
802.1X 1 aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
MAB 2 aaa session-id common
!
dot1x system-auth-control
WebAuth 3 Authentication !
Authenticator Server radius server ise
address ipv4 172.20.254.201 auth-port 1645 acct-port 1646
WebAuth
MAB
802.1X key cisco
RADIUS
.1X 802.1X
timeout
MAB fail
Timeout
authentication host-mode multi-auth
Flexible authentication (FlexAuth) is a authentication order dot1x mab webauth
set of features that allows IT administrators to authentication priority dot1x webauth
mab
configure the sequence and priority of IEEE 802.1X, authentication port-control auto
MAC authentication bypass (MAB), and switch-based dot1x pae authenticator
web authentication (local WebAuth). !
Limiting sessions: Host Modes
Single Host Mode Switch Multi-Host Mode Switch
Only ‘one’ MAC Address is 1st MAC Address is

allowed. Second MAC authenticated. 2nd endpoint
Address causes Security piggybacks on 1st MAC
Hub Address authentication and Hub
Violation
bypasses authentication
Authenticated Piggyback
authentication host-mode single-host Endpoint-1 Endpoint-2 authentication host-mode multi-host Endpoint-1 Endpoint-2
Multi-Domain Mode Switch Multi-Authentication Switch
Each domain (Voice or Data) Voice domain authenticates one

authenticates one MAC MAC address. Data domain
address. 2nd MAC address on authenticates multiple MAC
each domain causes security VOICE IP Phone addresses. dACL or single VOICE IP Phone
violation VLAN Assignment for all
DATA devices are supported DATA DATA
authentication host-mode multi-domain Endpoint-1 Endpoint-2 authentication host-mode multi-auth Endpoint-1 Endpoint-2
From 15.2(1)E / 03.05.00E
C3850/C3650 FCS
15.2(1)SY on C6500
IBNS 2.0 Features 03.06.00E on Sup8E
Authentication
Access Session
Manager
Manager
Parameter Service
Class-maps Templates RADIUS
Map VLAN VLAN
802.1X
Authenticator Server
MAB
dACL dACL
802.1X
VLAN
Policy-map (Identity Control Policy) Authentication
SGT SGT
Manager RADIUS
WebAuth
Interface Template(s) dACL MAB
LAN
Modular Configurations SGT
Intelligent IBNS 2.0 Features AuthZ

Aging templates
Enhanced IPv6
Critical Common WebAuth Template
CoA
ACL Session-ID based
NEAT
Concurrent IPv6
Authentication Critical Differentiated Identity
MAB Authentication
Critical ACL
Scenarios today with Low Impact Mode:
Before Authentication Authentication Success AAA Server Unreachable
PRE-AUTH-ACL PRE-AUTH-ACL + dACL PRE-AUTH-ACL

Infra Servers Infra Servers Infra Servers
(DHCP, DNS) Permit ip host - (DHCP, DNS) (DHCP, DNS)
Permit any DHCP 10.1.1.1 any Permit any DHCP
Permit any DNS Permit any DHCP Permit any DNS
Deny any any Permit any DNS Deny any any
RADIUS Deny any any RADIUS RADIUS
Server Server Server
10.1.1.1 10.1.1.1 10.1.1.1

Default /
Default Dynamic Critical
VLAN VLAN VLAN
Protected Protected Protected
Servers Servers Servers
Before authentication success, the On authentication success, the The endpoint may be authorized to a
endpoint has limited access to the RADIUS server authorizes the critical VLAN, but the PRE-AUTH-
network resources, defined by the endpoint with a dACL (permit ip any ACL on the port would still block the
PRE-AUTH-ACL on the port any) granting full access access during AAA outage*
* Critical authorization wont apply to endpoints that were authorized by AAA server
© 2018 whenits itaffiliates.
Cisco and/or was reachable
All rights reserved. Cisco Public 74
username 000c293c8dca password 0 000c293c8dca
Critical MAB username 000c293c8dca aaa attribute list mab-local

!
aaa local authentication default authorization mab-local
Local Authentication during Server failure aaa authorization credential-download mab-local local
!
aaa attribute list mab-local
attribute type tunnel-medium-type all-802
attribute type tunnel-private-group-id "150"
000c.293c.8dca attribute type tunnel-type vlan
attribute type inacl "CRITICAL-V4"
!
policy-map type control subscriber ACCESS-POL
...
event authentication-failure match-first
WAN 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-↵
until-failure
10 terminate mab
? 20 terminate dot1x
30 authenticate using mab aaa authc-↵
list mab-local authz-list mab-local
000c.293c.331e
...
 Additional level of check to authorize hosts during a critical condition.

 EEM Scripts could be used for dynamic update of whitelist MAC addresses
 Sessions re-initialize once the server connectivity resumes.
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Handling Guests and Employees Without 802.1X
Employees and some non-user devices 802.1X
All other non-user devices MAB
Guest Users
Employees with Missing or Misconfigured Supplicants
Employee Guest
**** ****
Guest Network
DMZ Anchor Controller
Wireless INTERNET
• Open SSID
• Central Web Authentication
• Controller in DMZ Foreign Controller
• ISE separate interface for DMZ
CORP
Wired LAN
• Guest VLAN GUEST VLAN

• Flexible Authentication
– 802.1X fails to MAB for CWA
Corp Guest
SSID SSID
WebAuth Evolution.. The Need for a Better WebAuth
• LWA requires local configuration on each:
• Switch
• Wireless LAN controller Switch
• Local portal limited and difficult to manage WLC
• Limited redundancy options for external portals

• No dynamic VLAN support
• No change possible until re-authentication: posture, profiling
Central Web Authentication

(CWA) with ISE was created by
Cisco to improve deployment
ISE
Flex Auth
Converging Multiple Authentication Methods on a Single Wired Port
Interface Config 802.1X

interface GigabitEthernet1/0/1 Timeout/
failure
authentication host-mode multi-auth
authentication open
authentication port-control auto
mab
MAB
dot1x pae authenticator
Timeout/
! Failure
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab WebAuth
ISE Central Web Auth (CWA) Configuration
Condition is to match RADIUS Attribute
Service Type = 10 (Call-Check)
AND
[NAS-Type = 15 (Ethernet)
OR
NAS-Type= 19 (Wireless IEEE 802.11)]
By default, use Internal Endpoints DB for ID

Source if MAC Address is found in DB
If MAC address lookup fails, reject the

request and send access-reject.
If MAC address lookup returns no result,

continue the process and move to
authorization
• MAB Requests from Failed Auth user or Timed out user can still be processed to return specific
authorisation rule (VLAN, dACL, URL-Redirect, and SGT)
• By default, ‘If user not found’ value is set to ‘Reject’ before ISE 1.3
CWA Flow
Tracking session ID provides support for session lifecycle management including CoA.
https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=cwa
ISE Policy Server
Try MAB
Connect to WLAN=Corp
Redirect browser to ISE
VPN MAB Failed but return Default Policy

= URL Redirect to ISE + Session ID
CWA Flow
CoA allows re-authentication to be processed based on new endpoint identity context.
CoA
ISE Policy Server
jdoe / secret123 Auth Success

Reauth group=Employee
Enter Credentials
Permit Employee Access
VPN
Existing Session matches Employee Policy
= Remove Redirect + ACL permit ip any any
A Systems Approach
Switch/Controller is the Enforcement Point
3 Key Concepts
URL Redirect
• ISE returns URL redirect to the NAD per User Session
• URL ACL sent with URL Redirect
• Used for CWA, CPP, BYOD Cert and Supplicant Provisioning, MDM …
Session ID
• sessionid is generated by the NAD and is sent over to ISE in the access-
request packet.
• Unique per Auth session
• Multiple Users can be on same port (Multi-Auth)
Change Of Authorisation (COA)

• Adapt Policy to Changes in Endpoint State (Context)
URL Redirection
ISE uses URL Redirection for:
 Central Web Auth
 Client Software Provisioning
 Posture Discovery / Assessment
 Device Registration WebAuth
 BYOD On-Boarding
 Certificate Provisioning
 Supplicant Configuration
 Mobile Device Management
 External Web Pages
Session ID
C0A8013C00000618B3C1CAFB
NAS IP Address Session Count Time Stamp
• Session is created when NAD sends RADIUS authentication request to the

RADIUS server
• Used for correlation of otherwise unrelated events (i.e.: RADIUS to HTTPS)
• Used for Change of Authorization (CoA)
• Depends on time
Session ID
Glue That Binds Client Session to Access Device and ISE
NAD: “show authentication session”
About that Which

session… one??? ISE: Detailed Authentication Report
RADIUS
Browser: URL-redirect for Web Auth

https://ise11.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&portal=&a
ction=cwa
CoA from Live Sessions Log
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Why ISE for Guest?
Need
Internet
Wired / Guest Portals to Who can How long Monitor

Wireless Account Login / Sponsor can the access &
Access? (Credentials) Manage access? guest stay? activity
GUEST
ISE GUESTBRKSEC-2695
FEATURES © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
ISE Is Best For Guest
1
million API
# of supported Guest account notification options Portal language Manage guest

Guest accounts Email/ SMS customization accounts via REST
Hotspot Self Sponsored Sponsored Guest Access
Immediate, un-credentialed Self-registration by guests, Authorized sponsors create

Internet access Sponsors may approve access account and share credentials
The 3 types of guest access
Guest Demo
Demo
Pre-Expiration Notification
You are about to

expire! Go here.
http://bit.ly/reup
DESKTOP Mobile
Oracle Access Manager SAML SSO
User Login for Sponsor, Guest, and Device Registration Portals
• ISE is the Service Provider. OAM is the ID Provider (IDP)

• User connects to any end-user portal served by the IDP
(Ex: Oracle Weblogic) interface and then can access any
portal again using SSO. SAML session stored in cookie on
end-user device
• When accessing ISE portals set with SAML, built-in logic
checks for session cookie.
• If cookie exists then SSO!
• If no cookie exists then redirected to IDP for auth. After SSO, user
flow continues as normal
• Supported with ISE Sponsored Guest, Sponsor, BYOD,

and My Devices portals
• Supported Providers for ISE 1.4:
• Oracle Access Manager (OAM)
• Oracle Identity Federation (OIF)
SAML Flow
• In diagram,
• ISE is Service Provider for different portal
access.
• Oracle OAM is the IDP
• Request sent to portal.

• If no cookie (SAML assertion) in request,
then user redirected to IDP for
authentication
• After successful auth to IDP, user
redirected back to original portal with
assertion.
• ISE uses ‘username’ assertion value for
authorization against AD/LDAP stores.
Customizing Portals
• 17 languages
• All portal support
(hotspot, self
registered, BYOD, ... )
Access your portals to
manage and share For Use with
ISE 1.3 Only!
Choose from Pre-

Built Portal
Layouts
Supports all Supports all
portal pages languages
(plus RTL –
Supports all Arabic &
portal types Hebrew)
Portal Uploader for Firefox
Drag and drop exported

portal files from Portal
Builder here, tool will
upload necessary files
and configure ISE
settings/customizations
#CLUS BRKSEC-2695 © 2018 Cisco

© 2018 and/or
Cisco its affiliates.
and/or All All
its affiliates. rights reserved.
rights reserved.Cisco Public
Cisco Public 101
Social Network Guest Login
• Facebook login will be supported for Self Registration only
• Guests will be able to click on the Facebook button and get
access to the network immediately.
Cisco ISE
[email protected]
***************
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Posture:
Are my Endpoints Compliant with the
Company Security Policy?
VPN
Threat’s & Vulnerability

Corporate assessment Vendors
Applications
AMP, CTA, Rapid 7
Enterprise Qualys, Tennable, Nexpose

Backbone
Aggregation Layer
Access Layer
ISE Integration with MDM

Vendors
Supplier Employee
Application PIN Lock
Wired Wireless Wireless Jail Broken Corp Wipe
Non-Compliant BYOD
Disk Encryption Etc ..
ISE Native Posture for EndPoints

Application Anti Malware File Check Service
Anti Spyware Compound Patch mgmt USB Check
Anti Virus Disk Encryption Registry Others

What is ‘Posture’ ?
State of Compliance with Corp

Security Policies
Application Anti Malware File Check
Anti Spyware Compound Patch mgmt
Disk
Anti Virus Encryption Registry
Service USB Check Others

Cisco ISE Posture service
ISE Node
PAN All Posture Policies are written on PAN
The policies are then pushed to PSN’s
PSN
ISE provisions agents
Agents Discover ISE

MnT
ISE Node
PAN
PSN ISE Sends Posture

Polices to the agent
MnT
ISE Node
PAN
PSN
Agents Runs Posture

and reports back to ISE
MnT
ISE Node
PAN ISE Marks Endpoints
• Compliant
• Non-Compliant
PSN Then Apply Policy (COA)
MnT
Simplify posture administration and user experience
Next-level posture capabilities
Administrators can now gain better AnyConnect Available

inventory and compliance visibility Automatic Download NADs
ENABLED  HP
without impacting the end user. Broader  Brocade
Stealthmode installations
support for 3rd party NADs increases in progress  Aruba
 Ruckus
flexibility for admins. Additionally, users User123
 Cisco
…
UserABC
can onboard to AnyConnect faster and  Other –x
Terms of Service
without interruptions.
I Agree
Benefits
Admin
More flexibility User123
Deploy AnyConnect even with
non-Cisco NADs
Less user error
Capabilities
Enforce policy automatically
• Set up automatic AnyConnect installations • Streamline client provisioning with 3rd party NAD
Better user experience support
• Install AnyConnect and enforce posture in the
Eliminate interruptions with background with AnyConnect Stealthmode • Avoid cert errors using common posture certificates
posture in the background
• Gain better visibility into endpoint activity without a
user-disrupting agent
Always-on Policy Compliance
Posture defines the state of compliance with the company’s security policy
Posture Flow Antivirus Update
AUTHENTICATE USER/DEVICE
Posture: Unknown / Non-Compliant ?
QUARANTINE
Anti-Virus?
Limited Access: VLAN / dACL / SGTs
POSTURE ASSESMENT
Check Hotfix, AV, Pin lock, USB Device, etc.
REMEDIATION
WSUS, Launch App, Scripts, MDM, etc.
AUTHORIZATION CHANGE
Full Access – VLAN / dACL / SGTs.
ISE Architecture
Where does ISE Posture service run
STANDALONE ISE Policy Services Node (PSN) MULTI-NODE ISE
- Makes policy decisions
- RADIUS / TACACS+ Servers
Policy Administration Node (PAN)

- Single plane of glass for ISE admin
- Replication hub for all database config changes
Network
Monitoring and Troubleshooting Node (MnT)
- Reporting and logging node
- Syslog collector from ISE Nodes
pXGrid Controller
- Facilitates sharing of context
Posture Service runs on the PSN node
Endpoint considerations ENDPOINTS
Temporal Agent
Temporal Stealth Agent - Use Case: Temporary access, Contractor
- Use Case: Discovery - ISE gets posture status from endpoints
- ISE gets posture status from endpoints - User gets redirected to a Web Portal
- No User Interaction required - Posture conditions customizable
- Discovers Apps and HW - Remediation: Not Supported
- Applies AM and Firewall checks
- Remediation: Not Supported
- Use Case: Employee Access

- Use Case: Employee Access
- ISE gets posture status from endpoints
- ISE gets posture status from endpoints
- Agent could be installed from portal, ASA
MDM Integrations - Agent could be installed from portal, ASA
or software distribution methods
or software distribution methods
- Agent UI not visible to User
- Posture conditions customizable
- Posture conditions customizable
- Remediation: All ISE Supported
- Remediation: Limited Supported
AnyConnect Agent
AnyConnect Stealth Agent
Posture Assessment options for Windows
Temporal Stealth Temporal Agent AnyConnect agent AnyConnect
Agent in Stealth Mode Agent
AM installation
Firewall enabled AM installation
Application inventory Firewall enabled
AM installation Hardware inventory Application inventory
Firewall enabled USB check Hardware inventory
Application inventory AV installation USB check
Hardware inventory AV version/AV definition date AV installation
AM installation USB check AS installation AV version/AV definition date
Posture Firewall enabled + AS version/AS definition date AS installation
Conditions Application inventory AV installation Application/ File check AS version/AS definition date
Hardware inventory AV version/AV definition date Patch Management Application/ File check
USB check AS installation OS/service packs/hotfixes Patch Management
AS version/AS definition date Process, Registry & File check OS/service packs/hotfixes
Application/ File check + Process, Registry & File check
OS/service packs/hotfixes Patch Management Disk Encryption
Process, Registry & File check Disk Encryption Service Condition
Service Condition Registry Condition
Registry Condition Dictionary Condition
Dictionary Condition
Partial Automatic Remediation
Remediation
Manual Remediation not Supported Automatic Remediation
Actions None Manual Remediation
File, Link, WSUS show UI remediation, Supported.
PM activate UI remediation, Message
(PRA) Passive- txt, AUP Policy.
Reassessment) None None Supported Supported

Posture Assessment options for mac os
Temporal Stealth Temporal Agent AnyConnect agent AnyConnect
Agent in Stealth Mode Agent
AM installation AM installation
Firewall enabled Firewall enabled
Application inventory Application inventory
Hardware inventory Hardware inventory
AV installation AV installation
AV version/AV definition date AV version/AV definition date
Posture Not supported Supported AS installation AS installation
Conditions AS version/AS definition date AS version/AS definition date
Application/ File/ plist check Application/ File/ plist check
Patch Management Patch Management
OS/service packs/hotfixes OS/service packs/hotfixes
Disk Encryption Disk Encryption
Service Condition Service Condition
Dictionary Condition Dictionary Condition
Partial Supported Partial Supported

Remediation Unsupported: Manual, Launch Unsupported: Manual, Launch
Actions Not supported Not supported
Program, File Condition, Patch Program, File Condition, Patch
Management , USB Management , USB
(PRA) Passive-
Not supported Not supported Not supported Not supported
Reassessment)
Endpoint considerations ENDPOINTS
Installation rights
Temporal Stealth Agent Temporal Agent AnyConnect Stealth AnyConnect Agent

• Common Admin Credentials • No Admin credentials required. Agent • Admin Credentials required to
• Admin Credentials required to install Cisco AnyConnect
• Allow access to ports 445 and software.
139 in firewall install Cisco AnyConnect
software. • Upgrades does not require any
• Add Registry key for non- admin credentials.
domain user accounts. • Upgrades does not require any
admin credentials. • Runs as a User/ Service
• Runs as a User/ Service
Deploying ISE Posture Best Practice
DISCOVER DESIGN TEST DEPLOY
Discover your Start designing your Run Posture Polices Enable Posture
Network and the Posture Polices and in Monitor/ Audit enforcement and
current state of Conditions mode remediation
Compliance
CISCO ISE Posture
AnyConnect Stealth Mode
AnyConnect can run as a service without any UI
• Stealth mode (no UI) supports all Posture features which does not
require user interactions (and no UAC as well).
List of features NOT supported

• All remediation with Manual remediation type
• File remediation
• Link remediation
• WSUS show UI remediation
• PM activate UI remediation (e.g. Manual remediation not
supported etc ..)
• ISE will support upgrading clients from Headless to a full AnyConnect

install
New Application Inventory
New Summary View in
Context Directory
Hover
Multi-select
Adv Filtering
New Hardware Inventory
Rich Context
Utilization Filters
Mfg to Type Filters
Get Ahead of Threats with a Growing Intelligence Ecosystem
Threat-Centric NAC Enhancements
With the 2.2 release, ISE now takes Dynamic
in threat intelligence from Tenable, Standardized policy changes
Rapid7 and Cisco Cognitive Threat Reporting
Analytics (CTA). These new
solutions enhance posture AMP CTA
NEW
STIX Framework
assessment with a broader range
of threat-incident intelligence. Unknown Insignificant Distracting Painful Damaging Catastrophic
Cisco ISE Quarantine

Common Vulnerability Scoring System
(CVSS)
and remediation
Broader threat insight NEW
Apply multiple vulnerability data NEW 0 1 2 3 4 5 6 7 8 9 10

sources
Expanded coverage
Leverage an open platform and
standards-based framework • Supports third-party vulnerability and threat data • Supplements existing ISE reporting with easy-
sources on an open platform to-read STIX and CVSS-based reports
Fast remediation
Update policy dynamically to • Automates CoA based on vulnerability • Decreases the time to threat remediation and
prevent or change access intelligence supports dynamic policy changes
Cisco ISE Posture service (2)
• The Posture Service is not typically deployed during initial deployment rollouts.
• The Posture Service may be deployed in three modes :
Posture Mode Description
Audit Client is not notified of any failure results based on posture assessment policy.
Optional Client is notified of failure results and given the option to continue in order to bypass the
posture assessment policy.
Mandatory Client is notified of failure results and given a remediation timer to make corrective action
to comply with the posture assessment policy.
AnyConnect PSN Node Discovery
Default Gateway of primary interface.
Such as 10.86.116.1, (/auth/discovery, redirection expected.
Discovery Host
If it was set in the agent profile ISEPostureCFG.xml
/auth/discovery, redirection expected
enroll.cisco.com
hard coded
/auth/discovery, redirection expected
Previously connected head-ends

From ConnectionData.xml
No redirection expected
ISE 2.2
Packets to a “Call Home” list (inc. VIP of LB)
(ISEPostureCFG.xml)
List of PSN’s
ConnectionData.xml
FOR YOUR REFERENCE
Posture and Client Provisioning Flow

• The configuration of the posture and client provisioning flow includes three primary
sections:
• Client Provisioning
• Posture Subscription and Policy 2 Download
1 System
• Authorization Policy Dynamic Updates Settings
8
Simple Conditions
Posture
Subscription 9 Compound 3 Download CPP
and Policy
Conditions Packages
10 Remediation 11 Posture
4 Agent Profiles
Actions Requirements and configs Client
Provisioning
12 5
Posture Policy CPP Policy
6 7 Status?
Client
Authorization Authorization Compliant
Provisioning
Profiles (DACLs) Policy NonCompliant
Unknown Portal
Authorization Policy Unknown/
Compliant NonCompliant
URL Redirect to CPP for
Endpoint NAC and Web agents
BRKSEC-2695 Access © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 125
Posture Flow
 If Posture Status = Unknown/Non-Compliant, then Redirect to ISE for Posture Assessment
 If Posture Agent not deployed, then provision Web Agent or Persistent NAC Agent
https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=cpp
ISE Policy Server
Connect to Network Authentication Auth Success

Posture Redirect browser to ISE group=Employee
Agent
VPN Posture Status != Compliant

Redirect to ISE for Client Provisioning and/or
Posture Assessment for Employee role
Posture Remediation and Client Resources
 CoA allows re-authentication to  Hourly updates for latest posture definitions
be processed based on new  New posture agents and modules
endpoint identity context (posture automatically downloaded
status).
CoA Cisco.com
Remediation Servers
ISE Policy Microsoft.com
Remediate Server
Windows
Posture Compliant = Full Access Updates
Agent
ASA
VPN Posture Status = Compliant

Posture Remove Redirection and apply access
Agent
No COA permissions for compliant endpoints
Inline Posture Node provides CoA and URL
Redirection w/Session
© 2018 Cisco and/or itsID
affiliates. All rights reserved. Cisco Public 127
Posture Demo
Demo
AMP Enabler Profile Page
• ISE Posture services now supports the
download and provisioning of the AMP
client module
• AMP Enabler profile is added under:
“Policy -> Policy Elements -> Results ->
CP -> Resources”
• Supported on Windows and OSX.
Installation location URLs should be
updated with location of external hosting
server.
• Provide URLs should be trustd by ISE.
Related certificate should be install in ISE
Administration->Certificates->Trusted
Certificates.
From ISE 1.3
Posture Lease Once postured compliant, user may disconnect/ reconnect multiple
times before re-posture
Cisco ISE and Microsoft SCCM
Agent to Agent Communication
AnyConnect SCCM Agent
Send list of Missing Patches
List of Patches Microsoft

Feed
Categorize Patches in to (Critical, Important, Moderate, Critical only

Low) using OPSWAT Libraries (Packaged via
Compliance Module) Important & Critical
Per Policy e.g. Update Critical (with specific Moderate, Important & critical
Get Patch
patches) etc … Severity
Low to critical
Update the list of Patches reported by ALL
AnyConnect
Pros
Agent to Agent
AnyConnect checks compliant state with the SCCM client using OPSWAT
libraries and returns ISE the state
If the SCCM Client reports that machine is compliant, no action is taken
from ISE.
If SCCM client reports machine is non-compliant, then ISE can work with
AC to apply a network policy (VLAN, dACL, etc ..) and remediate the
Any Connect SCCM Agent endpoint via SCCM client (trigger update etc …).
Cons
If the SCCM client has not sync’d in for a while, it reports AC that the client
SCCM Compliance State could
is compliant, endpoint gets network access even when they are truly non-
be out of sync. compliant.
If the SCCM client is corrupted, no way to find out compliance of the

machine, the results could be un-predictable.
ISE and SCCM Integration overview
ISE 2.1 integrates with SCCM Microsoft SCCM as external MDM servers for Cisco ISE
to retrieve compliance status
of Windows managed
Cisco ISE STATUS CHECKS
endpoints.
Registered
This integration uses MDM Registered + Non-Compliant
Posture Status Registered + Compliant
flows. (ISE communicates
with SCCM Server using WMI
WMI
to retrieve the current
attributes for a device.) WMI
Managed Asset
Patch and Software

management SCCM Servers
Server to Server
Pros
Current ISE
ISE Server checks compliant state (SCCM policies, last check-in for x
days, …) directly with the SCCM Server and returns ISE the state
ISE can then apply a network policy (VLAN, dACL, etc ..) based on the
MS SCCM ISE state returned from SCCM Server.
Server
Cons
ISE does not have the ability to remediate the client

This integration cannot
remediate the endpoiints ISE does not have the ability to launch a script or a program on the end
user machine.
ISE supports configuring both flows together
Agent to Agent Server to Server

Current ISE
MS SCCM ISE
Any Connect SCCM Agent Server
SCCM Compliance State could This integration cannot

be out of sync. remediate the endpoints
ISE and SCCM
Documentation
https://communities.cisco.com/docs/DOC-66933
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Why ISE for BYOD?
Need BYOD
access
Wired / Who can Register Native Corporate Report Lost

Wireless bring own Personal Supplicant Vs Personal or Stolen
Access? device? Devices configuration Dev access Asset
EMPLOYEE
ISE BYODBRKSEC-2695
FEATURES © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 138
Bring Your Own Device
Device Support PUBLIC
EMM integrations
iDevice Single / Dual Access based on

SSID provisioning MDM policy
Android
Resources
✕✓✕✓✓✓
Devices
MAC OSx
✓✓✕✓✕✕
✕✓✓✕✕✕
Windows
Native supplicant ISE internal CA for

ChromeOS & cert provisioning BYOD certificates
CORPORATE
EMM: Enterprise Mobility Management | MDM: Mobile Device Management

BYOD Experience
Connect to Open SSID
Register Device
Native Supplicant Provisioning
Certificate Enrollment
Switch to Secure SSID
Single Versus Dual SSID Provisioning
• Single SSID • Dual SSID
• Start with 802.1X on one SSID • Start with CWA on one SSID
using PEAP
SSID = BYOD-Open
(MAB / CWA)
SSID = BYOD-Closed (802.1X) SSID = BYOD-Closed (802.1X)
• End on same SSID with 802.1X • End on different SSID with 802.1X
using EAP-TLS using PEAP or EAP-TLS
WLAN Profile WLAN Profile
SSID = BYOD-Closed SSID = BYOD-Closed
EAP-TLS PEAP or EAP-TLS
Certificate=MyCert (Certificate=MyCert)
Dual SSID
Device Enrollment and Provisioning
Step 1: Provisioning ISE Step 2: Authorization

Policy Engine
Full Access
CA
Redirect
Profiles
AD
Partial Access
MDM
Guest Portal Internet Only
EAP-TLS
open
BYOD_Provisioning
BYOD_Employee Wireless
Mobile Device Corporate
SSID LAN Resources Internet
Controllers
• Device connects to BYOD_Provisioning SSID

• Employee authenticated and redirected to Guest Portal
• Enrollment and provisioning
• Wi-Fi Profile includes BYOD_Employee configuration
Single SSID
Device Enrollment and Provisioning
Step 1: Provisioning ISE Step 2: Authorization

Policy Engine
Full Access
CA
Redirect
Profiles
AD
Partial Access
MDM
Guest Portal Internet Only
?
PEAP
EAP-TLS
BYOD_Employee
BYOD_Employee Wireless
Mobile Device Corporate
SSID
SSID LAN Resources Internet
Controllers
• Device connects to BYOD_Employee SSID

• Employee authenticated and redirected to Guest Portal
• Enrollment and provisioning
• Wi-Fi Profile includes BYOD_Employee configuration
BYOD Steps
DEVICE SUPPLICANT CERTIFICATE MDM
REGISTRATION PROVISIONING ENROLLMENT COMPLIANCE
Access
BYOD
Add personal device Configure adapter [Optional] If EAP-TLS [Optional] Enroll &
to ‘Registered Device’ settings (WiFi) & for authentication, compliance check for
Endpoint Group authentications install a certificate MDM policy
Portal and Client Provisioning Internal CA setting / MDM Integration.

Authorization Policy Policy SCEP External CA MDM policy attributes
Client Provisioning Policy
CONDITIONS RESULT
Client provisioning methods
Platform Certificate Device Registration Client Supplicant Provisioning Method

Provisioning in ISE
iOS Yes Yes iOS devices are provisioned using the Apple Over the air (OTA) process
Android Yes Yes Clients will be redirected to Google Play Store
Mac OSX Yes Yes ISE will redirect the client to download the setup Wizard (.dmg file format)
Windows Yes Yes ISE will redirect the client to download the setup Wizard (.exe file format)
ChromeOS Yes Yes Clients need to be pre-enrolled to Google Admin Console and also have
ISE NSA Chrome extension
BYOD
Native Supplicant Provisioning (iOS use-case) ForYour
For Your
Reference
Reference
PSN
Employee ISE / SCEP Proxy RegisteredDevices CA / SCEP Server
SSID = BYOD-Open / CWA Device Registration

HTTPS to the NSP Portal CENTRAL_WEB_AUTH state
ISE sends CA certificate to endpoint for trust with OTA
User clicks register.
ISE sends Profile Service to iOS

Device Device Enrollment
CSR is
Generated on
Encrypted Profile Service:
iOS https://ISE:8905/auth/OTAMobileConfig?sessionID
CSR sent to ISE
SCEP to MS Cert Authority Device Certificate Issued
Certificate sent to ISE CN =
ISE sends Device Certificate to iOS
74ba333ef6548dfc82054d0c7fec36e6ddddcbf1#employee1
Device
SAN = 00-0a-95-7f-de-06
Device Provisioning
CSR sent to ISE SCEP to MS Cert Authority
Certificate sent to ISE User Certificate Issued

ISE sends User Certificate to iOS CN = Employee
Device SAN = 00-0a-95-7f-
Signing Cert + User Cert: Wi-Fi Profile + EAP-TLS configured de-06
SSID = CTS-CORP / EAP-TLS Connect using EAP-TLS
RUN Access-Accept
BRKSEC-2695 147
state #CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
BYOD
NSP (Android use-case)
PSN
RegisteredDevice
Employee Wireless Controller ISE / SCEP Proxy s CA / SCEP Server Google Play
SSID = BYOD-Open / CWA CWA Redirect / Redirect ACL = CWA Device Registration
CENTRAL_WEB_AUTH
User opens browser
state
Redirect to ISE for CWA
CWA login
CWA login successful / Redirect to NSP Portal
User clicks Register
CoA to WLC Sample WLC ACL: Download SPW
ALLOW_GOOGLE
Redirect browser to http://play.google.com (Session:DeviceOS=Android)
permit udp any any dns
Access-Request permit tcp any <ISE_PSN>
NSP Redirect / Redirect ACL = deny ip any <internal_network>
SUPPLICANT_PROVISIONING ALLOW_GOOGLE permit tcp any 74.125.0.0
state Download Supplicant Provisioning Wizard (SPW) app from Google 255.255.0.0
Playstore
permit tcp any 173.194.0.0
User installs application and launches 255.255.0.0 Device Provisioning
App sends request to
Redirect Discovery to ISE permit tcp any 206.111.0.0
http://DFG/auth/discovery
255.255.0.0
ISE sends Device BYOD_Profile to Android Device deny ip any any
SCEP to MS Cert
CSR sent to ISE
Authority
Certificate sent to
ISE sends User Certificate to Android User Cert Issued
ISE
Device
SSID = CTS-CORP / EAP-TLS CN = Employee
Connect using EAP-TLS SAN = 00-0a-95-7f-
Access-Accept de-06
RUN
state #CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 148
ISE BYOD Certificate options
Ease of deployment and management
SCEP to Sub-CA of ISE Self-

Enterprise CA enterprise PKI Signed CA
ISE Internal CA
Why use ISE as a Certificate Authority?
Benefits of internal CA
• Internal CA simplifies ISE deployment
• ISE can deliver certificates directly to endpoints
• Closed-Loop BYOD Solution
• No need to rely on integrating ISE to PKI for BYOD Cert provisioning
• Internal CA can still work with PKI Infrastructure
• Focused on BYOD, MDM, and pxGrid use-cases only, not a general purpose CA
ISE CA Hierarchy
Multi Node Deployment with 2 PANs and a Single PSN
P-PAN
S-PAN
PSN1 PSN2 PSN3
• The NODE_CA on the Primary and Secondary PAN are signed by the ROOT_CA on the Primary PAN
• The NODE_CA on the Primary PAN is also responsible for signing the EP_CA and OCSP certificate for the PSNs
ISE internal Certificate Authority
Simplifying Certificate management for BYOD devices
Single Management Console – Manage

endpoints and their certs. Delete an endpoint
ISE deletes the cert.
Simplified deployment – Supports stand

alone and subordinate deployments. Removes
corporate PKI team from every BYOD
interaction
Certificate Template(s)
• Define Internal or
External CA
• Set the Key Sizes
• SAN Field Options
• MAC Address
• Set length of validity
EST – Enroll Over Secure Transport RFC 7030
 EST Uses TLS for Secure Transport

 Certificate enrollment of clients over a secure transport (BYOD)
 ECC-signed certificates
 TLS for secure transport of certificates and messages
Manual Certificate Provisioning

SCEP
EST
ECC EAP-TLS Support
Android 4.4 and later Windows 8 and later

Windows doesn’t support P-192 curve type
ISE 2.1 Supports ECC Certs in Trusted Store
Certificate Renewals
Works Comments 1.2.1
Before Expiry
iOS
Android
Windows
MAC-OSX
After Expiry
iOS
Android
Windows Supplicant will not use an expired cert
MAC-OSX Not tested yet
Allowing Expired Certificates
1.2.1
Option to allow expired certs for:

• Pure EAP-TLS
• EAP-TLS as an Inner Method
Redirect Expired Certs
1.2.1
Windows
Everything Else
Certificate Renewal: Optional Message 1.2.1
ISE BYOD Certificate Configuration
SCEP Enrollment Profile and CA Certificate Import
Administration > System > Certificates > SCEP CA Profiles
The SCEP server certificate and CA and
registration authority (RA) certificates of the
certificate chain for the SCEP server are
automatically retrieved into the Cisco® ISE
trust store.
Administration > System > Certificates > Certificate Store
NSP Flow – Internal CA
PSN
SSID = CORP
RA CA
Employee
PSN
Signing Certificate + User Certificate:

ISE sends Profile to Endpoint Wi-Fi Profile with EAP-TLS configured
SCEP Password = SessionID + Random
CSR is Generated on iOS

Password = SessionID + Random Key (from ISE)
CSR sent to ISE PSN (RA) via SCEP Validate Password Challenge
(session + random key)
CA Selection
CPP Certificate Template = Internal
User Certificate Issued:
Sent to Internal CA
CN = AD UserName
Certificate sent to ISE SAN = Values from Template
ISE sends Certificate to Endpoint

Signing Certificate + User Certificate:
Wi-Fi Profile with EAP-TLS configured
CoA: ReAuth
EAP-TLS: User Cert
RADIUS Access-Request
RADIUS Access-Accept BRKSEC-2695 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 162
• Primary PAN is Root CA for ISE deployment
PKI Hierarchy and Roles • All PSNs are Subordinate CAs to PAN
PSNs are SCEP Registration Authorities
(RAs)
Enterprise Root
(optional) • ISE PAN may be Subordinate to an existing
Root CA or may be Standalone Root.
Primary PAN
• Promotion of Standby PAN:
ISE CA
Standby PAN Will not have any effect on operation of the
subordinate CAs.
For Standby to become Root CA must
PSN PSN PSN PSN manually install the Private/Public keys from
Primary PAN.
Subordinate CA Subordinate CA Subordinate CA Subordinate CA
SCEP RA SCEP RA SCEP RA SCEP RA
Native Supplicant Profile
ISE is OCSP Responder for cert
Revoke Certificates from ISE validation – no CRL Lists !
• Automatically Revoked when an Endpoint is marked as “Lost”
• Certificates may be Manually Revoked
BYOD Security Practices from the Field
If you can, Create an Identity Group for your Corporate Owned
Devices.
• May be populated by .CSV import, or REST API
• Uses the Endpoint ID Group for what it was designed to do: MAC Address
Management
Provision Different Certificates for Corporate Owned Assets
• Available 1.3+, or if you use MDM to distribute the certificates
Don’t Trust ONLY the Certificate
• That is technically only authenticating the device, not the user
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Mobile Device compliance
MDM Policy Checks Posture Compliance assessment for Mobile devices
Device registration status
Device compliance status
1. Register with ISE 2. Internet Access
Disk encryption status
Pin lock status
Jailbreak status Cisco ISE Internet
Employee
Manufacturer *******
4. Comply MDM Policy

Model
IMEI
Personal Device
Serial number
OS version 3. Register with MDM 5. Allow Corp access
Phone number MDM Corporate
ISE Integration with 3rd-Party
MDM Vendors
• MDM device registration via ISE
• Non registered clients redirected to MDM
registration page
• Restricted access
• Non compliant clients will be given restricted
access based on policy
• Endpoint MDM agent

• Compliance
• Device applications check
• Device action from ISE

• Device stolen -> wipe data on client
MCMS
http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html
Version: 5.0 Version: 6.2
Version: 7.1 Version: 2.3
Multiple MDM Support
Multiple MDM vendors can be added to ISE and used simultaneously in policy
Configure ISE Authorization Policy
Path: Policy > Authorization (MDM Attributes)
MDM Server reachability
Endpoint registration status
Endpoint macro-level compliance status
Endpoint micro-level compliance status

(Disk Encryption-, Pinlock-, and Jail broken status)
MDM attributes available for policy conditions

(Manufacturer, Model, IMEI, Serial Number,
OS Version, Phone Number)
MDM Dictionary Attributes
New MDM dictionary attributes

• UDID
• MEID
• MDM Server Name
MDM Authorization Profiles
Redirection authorization profile
example for MobileIron and
Meraki
MDM Server Selection

added to Authorization
Profile
Sample Authorization Policy
Combining BYOD + MDM
If Employee but not registered with ISE, (Endpoints:

BYODRegistration EQUALS No), then start NSP flow
If Employee and registered with ISE (Endpoints:
BYODRegistration EQUALS Yes), then start MDM flow © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 174
MDM Enrollment and Compliance
User Experience Upon MDM URL Redirect
MDM Enrollment MDM Compliance
MDM:DeviceRegistrationStatus MDM:DeviceCompliantStatus
EQUALS UnRegistered EQUALS NonCompliant
MDM Flow
 If MDM Registration Status EQUALS UnRegistered, then Redirect to MDM for Enrollment
 If MDM Compliance Status EQUALS NonCompliant, then Redirect to MDM for Compliance
https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=mdm
ISE Policy
Google Server
Play/AppStore Cloud MDM
Authentication
MDM API
Connect to WLAN=Corp
Redirect browser to ISE
VPN MDM Compliance Status != Compliant

Redirect to ISE landing page for MDM
enrollment or compliance status
MDM Remediation
 CoA allows re-authentication to  MDM Agents downloaded directly from MDM
be processed based on new Server or Internet App Stores
endpoint identity context (MDM  Periodic recheck via API; CoA if not compliant
enrollment/compliance status).
CoA
ISE Policy
Server
Cloud MDM
ReAuth
MDM API
ReAuth after Comply
Compliant = Full Access

ASA
VPN MDM Status = Compliant

Remove Redirection and apply access
permissions for compliant endpoints
MDM Integration Example with Meraki EMM
I
S
E
MDM Onboarding Off-Premise Devices
• Allows onboarding of mobile devices to partner MDM with AnyConnect VPN

• Leverages AnyConnect Identity Extensions (ACIDEX) data sent to ASA from AC VPN then
forwarded to ISE in RADIUS Accounting
• Requires ASA 9.3.2 and AnyConnect 4.1 and above
• AnyConnect 4.1 adds support for UDID, MEID, IMEI
• AnyConnect 4.1 supports only a minimum Android version 4.0+ and iOS v7.0+.
• MDM Server needs to support MDM API version 2

• Currently (as of 1.4 release time) supported only by Meraki
• AirWatch, MobileIron to add support soon
MDM Integration
Remediation
• Administrator / user can issue remote actions
on the device through MDM server (Example:
remote wiping the device)
• My Devices Portal
• ISE Endpoints Directory
Options
• Edit
• Reinstate
• Lost?
• Delete
• Full Wipe
• Corporate Wipe
• PIN Lock
Reporting
Mobile Device Management Report
For Your
MDM Serviceability - Get Device Info API Reference
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Incident Response challenge
Contextual awareness key to security event prioritization and response
Check Endpoint
Associate User to Posture Where is it on
Authorization the Network?
Associate User What Kind of
to Event NAC Device is it?
IAM ???
Potential AAA
???
Logs
Breach How Do I
Event! Mitigate?
Security ???
Event
???
???
MANY SCREENS DATA EXPLOSION MISSING LINKS EXPENSIVE FIX
“a real platform is something that,
somebody else can develop code for,
somebody else can integrate within
a fundamental way….”
Marty Roesch @ RSA Conference 2016
Cisco Security VP
https://youtu.be/pafHZmWWGo8
Integrating the traditional way
I have reputation info! I have application info!
I need threat data… I need location & auth-group…
I have sec events! I have NBAR info!

I need reputation… I need identity…
I have NetFlow! Proprietary I have location!

I need entitlement…
APIs aren’t I need identity…
the solution
I have threat data! I have MDM info!
I need reputation… I need location…
I have firewall logs! I have app inventory info!

I need identity… I need posture…
I have identity & device-type!

I need app inventory & vulnerability…
The problem!
I need threat data… I need location & auth-group…
I have sec events! I have NBAR info!

TRADITIONAL APIs
I need reputation… – One Integration at a Time
I need identity…
I have NetFlow!
• Single-purpose function = need for manyProprietary
APIs/dev (and lots of testing)
I have location!
I need entitlement…
• Not configurable = too much/little info for APIs aren’t
interface I need identity…
systems (scale issues)
the solution
I have data
• Pre-defined threatexchange
data! = wait until next release if you need aI change
have MDM info!
• Polling architecture = can’t scale beyond 1 or 2 system integrations
I have firewall logs! I have app inventory info!
• Security can beI “loose”
need identity… I need posture…

Solving the integration problem with a Grid
INFRASTRUCTURE
FOR A ROBUST
Direct, Secured ECOSYSTEM
Interfaces
• Single framework – develop once,
instead of multiple APIs
pxGrid
Context • Customize and secure what
Sharing context gets shared and with
which platforms
Single, Scalable
Framework • Bi-directional – share and
consume context
• Enables any pxGrid partner to
share with any other pxGrid
partner
pxGrid – Industry Adoption Critical Mass
50+ Partner Product Integrations and 12 Technology Areas
IAM & SSO • Application Protection: Arxan, DB Networks
Vulnerability • SIEM and Analytics: HanSight, Hawk*, Huntsman*,
SIEM & Assessment LogRhythm*, Micro Focus NetIQ*, Splunk*, TripWire*, IBM-
Threat Defense
? User Behavior
Qradar, Secureonix
• CASB: Elastica*, NetSkope, Skyhigh
Analytics • Deception: Attivo, illusive*, TrapX*
Net/App
Performance Packet Capture • Endpoint and Custom Detection: Invincea*, Redshift*,
& Forensics ThreatTrack, CloudPost Networks***, McAfee DXL,
TriagingX
IoT
Cisco pxGrid Rapid Threat • Firewall and Policy Management: Bayshore*, Check Point,
InfoBlox*, Intelliment, Cisco FMC*
Containment
Security SECURITY THRU (RTC) • Forensics and IR: Cisco Cognitive Threat Analytics*,
Lumeta, Endace, Cisco Stealthwatch*, Lemonfish*,
INTEGRATION TripWire*, WireX Systems
Firewall & Cloud Access • IAM/SSO: Ping Identity, Secureauth*, Situational
Access Control Security • Other: Cisco WSA, Ark NSS****, Cisco ISE PIC
• Threat Intelligence: Infocyte*
DDI • UEBA: E8*, Exabeam*, Fortscale*, Niara, Greenlight****
• Vulnerability Management: Rapid 7*, SAINT*, Tenable*,
Cisco ISE Tripwire*
Cisco WSA
Solutions
Cisco FirePOWER Cisco Stealthwatch * Rapid Threat Containment, ** Regulatory and Compliance Solution
***IoT, ****Regulatory and Compliance
Context based ‘Web filtering’
With Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Who: Doctor
What: Laptop
Where: Office RADIUS PxGRID
Internet
Who: Doctor
What: iPad
Enterprise W ww
Where: Office Backbone
Web
Security
Who: Guest
What: iPad Appliance
Where: Office
ISE PxGrid Ecosystem
Sharing Contextual data with Stealthwatch
Context Information
Cisco ISE Cisco SW

Mitigation Action
ISE PxGrid Ecosystem
Sharing Contextual data with Splunk
Context Information
Cisco ISE Splunk

Mitigation Action
Integrated Threat Defense
(Detection & Containment)
Employee
Change Authorization
ISE Supplier
Quarantine Server
Event: XYZ
Source IP: 10.4.51.5
Role: Supplier
Lancope Response: Quarantine
StealthWatch
or 3rd party App Network Fabric
Such as Splunk
Quarantine High Risk
Segment
Shared Internet
Server
Employee
pxGrid enables these 4 scenarios
CONTEXT TO PARTNER ENRICH ISE CONTEXT THREAT MITIGATION CONTEXT BROKERAGE
CISCO ECO- CISCO ECO- CISCO ECO- CISCO

ISE PARTNER ISE PARTNER ISE PARTNER ISE
CONTEXT CONTEXT ACTION pxGrid ECO-

PARTNERS
MITIGATE ISE 2.2
ISE makes Customer IT Enrich ISE context. Make Enforce dynamic policies in ISE brokers Customer’s IT
Platforms User/Identity, ISE a better Policy to the network based on platforms to share data
Device and Network Aware Enforcement Platform Partner’s request amongst themselves
• pxGrid Operation
• Context Exchange Use cases
Context • Rapid Threat Containment

• pxGrid based Threat mitigation
Exchange •
• Threat Centric NAC
Summary
and RTC
PxGrid components External
TLS / 5222
HTTP / 443
PxGrid
PxGrid Publisher PxGrid Controller
Subscriber
Listens on ports:
TCP/7400: Connection from internal processes
TCP/5222: Accepts connection from pGrid Clients
TCP/1521: Accepts connections to DB from XCP
TCP/694: Heartbeat traffic between pxGrid nodes
Enabling PxGrid
 ISE PSN nodes that control the Grid
 Needs ISE ‘Plus’ License
PxGrid Controller
PxGrid Controller
 Password authentication support from ISE 2.1 (discussed later)
 Client connection can be auto approved or can be set to manual approval
PxGrid Controller
Very important setting. If checked any

client with valid cert connects to the grid.
PxGrid service running

PxGrid Publisher / Subscriber
 PAN and MnT node publish and subscribe topics of information
 Authenticates and authorizes pxGrid clients
PxGrid Pub/Sub ISE nodes
Publish / Subscribe topics

Publish or subscribe specific topics
- ISE nodes can publish specific topics or subscribe to specific topics.
PxGrid Pub/Sub
Topics being published / subscribed by PxGrid node

Capabilities or Topics
GridControllerAdminService provides pxGrid services to subscriber
INTERNAL
Core provides pxGrid client the capability to query all the registered
capabilities on the ISE pxGrid node
AdaptiveNetworkControl provides enhanced pxGrid ANC mitigation capabilities to subscriber
EndpointProfileMetada provides pxGrid clients with available device information from ISE.
EndpointProtectionService provides compatible EPS/ANC pxGrid mitigation actions from ISE

1.3/1.4.
Group Based Policies provides pxGrid clients with exposed security group tag (SGT)
MetaData information
IdentityGroup provides pxGrid clients with Identity Group information that may not
be available via 802.1X authentications
SessionDirectory provides pxGrid clients with ISE published session information, or
available session objects.
https://communities.cisco.com/docs/DOC-68291
PxGrid Clients authenticate and subscribe to the Grid
 Authenticates to ISE pxGrid node using self-signed or CA-signed certificates
 Subscribe or direct queries
 Communicate TCP/5222 to ISE pxGrid node
PxGrid
Subscriber
Topics FMC is subscribed to 202

BRKSEC-2695 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Subscription and Groups
What you can subscribe to /
capable of?
E.g.:
 AdaptiveNetworkControl,
 SessionDirectory,
SUBSCRIBE  Group Based Policies
MetaData
GROUP
What are you authorized for?

PxGrid E.g.:
PxGrid Controller
Subscriber  Session
 ANC
PxGrid Client Groups
 pxGrid uses group-based authorization.
 When a client connects for the first time, the client is associated with a group.
Basic provides ISE pxGrid node connectivity. ANC Adaptive Network Control, access to
No session data ’exception policy’
Session Members can subscribe to session notification, EPS Earlier version of ANC (used by Splunk,
query session info, download bulk session data. Lancope, FireSIGHT Management Center 5.4)
The Grid controller authorizes exchange
Publisher GCL Client pxGrid Controller XCP Server GCL Client Subscriber
Authenticates & Allow pxGrid Cont Conm Publisher Auth &

C Status & Account
Authenticate & allow pxGrid Cont.Comml
O Subscriber Auth &
Status & Account
N
Add Publisher to
T Authorize Publisher To Topic Sequence
topic
R
Authorize Subscriber to Topic Sequence
O
Add Subscriber to
L topic
Publish Message to Topic
Publish Success
I Published Message to Subscriber
N Subscribe Success
F Publisher Capability & JID Query
R Publisher JID
A XMPP:Bulk Download Query
Builk Data Stream Over REST API

PxGrid authentication
CERTIFICATES
Self-signed pxGrid Client and pxGrid ISE Node certificates

How-to: https://communities.cisco.com/docs/DOC-68286
CA signed pxGrid Client and pxGrid ISE Node certificates

How-to: https://communities.cisco.com/docs/DOC-68287
PASSWORDS
New* in ISE 2.1

No clients yet.
Release Notes: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html#pgfId-678203
CA signed PxGrid certificate
Special cert template with
Root CA
EKU for both client and
Public
server authentication
Public Private Key Public Private Key
ISE
Trusted Certificates Client Trusted Certificates
C
Grid Controller Grid Client
ISE 2.1 CA for certificates
No need for a external CA server WWW
1. Use a Single Certificate Authority
2. Each pxGrid Participant Trust That Certificate
Authority
3. Each pxGrid Client use a ‘pxGrid’ Certificate
from that CA
4. *Controller Must still Authorize the
Splunk > FMC
Communication Controller
Instant Full Mesh Trust!
X.509
X.509
X.509
X.509X.509
pxGrid
pxGrid
pxGrid
pxGrid
X.509
pxGrid pxGrid
MnT
ISE 2.1 CA
New template in 2.1
PxGrid publication
IETF
https://datatracker.ietf.org/doc/draft-appala-mile-xmpp-grid/
Cisco
DevNet
https://developer.cisco.com/site/pxgrid/
• pxGrid Operation
• Context Exchange Use cases
Context • Rapid Threat Containment

• pxGrid based Threat mitigation
Exchange •
• Threat Centric NAC
Summary
and RTC
Firepower polices based on SGT
‘Access Control Policies’ based on ISE Attributes
PxGRID
NGIPS /
ASA + Firepower
Context based ‘Web filtering’
With Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Who: Doctor
What: Laptop
Where: Office RADIUS PxGRID
Internet
Who: Doctor
What: iPad
Enterprise W ww
Where: Office Backbone
Web
Security
Who: Guest
What: iPad Appliance
Where: Office
Secure cloud access
Context enables Single-Sign-On (SSO) and role-based access
Cisco ISE  Username

EMP_CORP  IP address
 MAC Address
 Device-type
 Posture
 Security Group Tag
SAML:EMP_CORP
Single Sign On SAML:EMP_BYOD

Employee (No additional authentication, Cloud
iDP consumes pXGrid data) iDP
Cloud Access
Policy
EMP_BYOD • Single login to the network, cloud access without authentication.

• Differentiated cloud access, based on contextual data sent over SAML
Cloud access policy based on ISE attributes
Context available via PxGrid

Packet Capture for Network Forensics
Identity/Device Aware Packet Capture Analytics
Use Case: Provide single pane of glass attributing user, role and device to packet captures and
related forensics
Provide ISE context to packet capture system so that it can associate users, devices and user roles to the packet capture
data, thereby simplifying network troubleshooting and forensics investigations
EMULEX Packet Capture

Platform
P-Cap Analysis @ 65.32.7.28
scottp: Finance : iPhone 4S
ISE Context Data

User : Group : Device : Posture
ISE and Infoblox
Context based IPAM: IP address management with user and device context.
Threat containment: Infoblox detects suspicious DNS resolutions and requests ISE quarantine over ANC
Cisco ISE provides context to Stealthwatch
Context Information
Syslog
pxGrid
Cisco ISE Cisco SW

Mitigation Action
ISE ecosystem partners
All ISE eco-system partners,

(including PxGrid) listed under
‘Cisco Security Technical
Alliance Program’
http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html
PxGrid Use cases – 1
Use-Case Description Partner
IAM/SSO: ISE device, posture context to IAM to control application access. Situational
Device/Access-Aware Application (ID/IP)
Access
IAM/SSO: ISE user, group, access, device context to drive escalate auth policy. ISE auth Situational
Escalated Auth & SSO via Network state to SSO for network-to-application “zero sign-on” user experience. (ID/IP)
Auth SecureAuth,
NetIQ Network
Access Manager
Vulnerability Assessment: ISE identity and user role to vulnerability assessment platform to prioritize endpoint Tenable,
Prioritize Endpoint Vulnerabilities vulnerability remediation and drive Rapid Threat Containment quarantine actions Rapid 7, SAINT
via pxGrid Adaptive Network Control.
P-Cap/Forensics: ISE IP:user:device binding & related context to packet capture system to attribute Emulex
Simplify Packet Capture Forensics user, device, role, etc. to packet capture.
IoT Security: Associate Group Based Policies policy with IoT devices. ISE user/device context Bayshore
Network Access Policy for IoT with DLP. Rapid Threat Containment for quarantining non-compliant devices via Networks
Devices pxGrid Adaptive Network Control.
PxGrid Use cases – 2
Use-Case Description Partner
Cloud Access Monitoring: ISE user, group, access, device context to enhance monitoring & SkyHigh, Elastica
User/Device-Aware Cloud-Hosted reporting of access to cloud services by end-users.
Resource Monitoring
Network/App Performance Monitoring: ISE IP:user:device binding & related context to network data system to Savvius
User/device-aware network topology & attribute user, device, role, etc. to visualization and performance
performance management management data.
Threat Defense: Assess typical behavior of individual and groups of users and then FortScale,
User-behavior anomaly (UBA) detection look for anomalous behavior. Utilizes ISE user/device context in Rapid 7, E8
analytics and event reporting.
WSA+ISE: Web access decisions based on ISE user/device context. Enables Cisco WSA
User-aware web security policies customers to differentiate web content access policies based on real-
time user and device situational awareness.
DNS, DHCP & IP Address Management: Associate users and user network privileges with DHCP leases, IP Infoblox
User, Group and Device Based DDI address assignments and domain name access by using ISE
Monitoring & Reporting user/network context.
SIEM/TD: Same use-cases as existing SIEM/TD ecosystem, but utilizing pxGrid NetIQ, Lancope,
User/Device-Aware SIEM/ThreatDefense for context and Rapid Threat Containment. Splunk, FireSIGHT
Integration Management Center
BRKSEC-2695 © 2018 5.4, LogRhythm
Cisco and/or its affiliates. All rights reserved. Cisco Public 221
Single-Purpose APIs are Great for One Purpose
…Integrating One System to One Other System

I need threat data… SIO I need location & auth-group…
TRADITIONAL APIs – One Integration at a TimeI have NBAR info!
I have sec events!
I need reputation…
I need identity…
• Single-purpose function = need for many APIs/dev (and lots of testing)
I have NetFlow! Proprietary
We need to I have location!
• NotI need
configurable
entitlement… = too
APIs
much/little aren’t
info
share
for
data
interface systems (scale issues)
I need identity…
the solution
• Pre-defined
I have threatdata
data!exchange = wait until next release ifI have
you MDM
needinfo!
a change
• PollingI architecture = can’t scale beyond 1 or 2 system
have firewall logs!
integrations
I have app inventory info!
I need identity… I need posture…
• Security can be “loose”
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Policy and Segmentation
Design needs to be replicated to multiple locations, buildings, floors
ACL
Aggregation Layer
VLAN Addressing DHCP Scope
Redundancy Routing Static Filtering
Access Layer
Quarantine Voice Data Suppliers Guest
Simple
More Policies
Segmentation
using more
with 2VLANs
VLANs
Software-Defined Segmentation with Cisco
Group Based Policies / SGT
• Simplicity: consistent policy

enforcement on all networks
• Agility: reduce attack surface,

keep pace with business
• Ready: secure, comply today
How Group Based Policies / SGT is used today
User to DC
Access Control
Network & Role BYOD Application Secure PCI & PHI
Segmentation Security Protection Contractor Access Compliance
Campus & DC
Segmentation
Server Firewall Rule Fast Server Threat Defense Machine-
Segmentation Reduction Provisioning Machine Control
Segmentation with Security Group
DC-MTV (SRV1)
DC-MTV (SAP1) Production
DC-RTP (SCM2) Servers
Regardless of topology or location, policy

Data Center Firewall
(Security Group Tag) stays with users, devices, DC-RTP (VDI) Destination
and servers Aggregation Layer
Data Tag
Supplier Tag
Guest Tag
Quarantine Tag
Access Layer
Voice Data Suppliers Guest Quarantine
Retaining initial VLAN/Subnet Design
Enforcing Policy Downstream
Propagation Enforce
Classify
&
Timecard
Mark application
server
Credit Card
Firewall transaction server
Context Telemetry:
• Manager Enforcement
• Windows PC
• Compliant
Cisco ISE
Classify Mark, Propagate, Enforce
• IP Precedence and DiffServ code points
• 802.1Q User Priority
• MPLS VPN
• Group Based Policies
Classification
Classification Summary
SGT Assignment
Dynamic Classification Static Classification

• IP Address
• VLANs
• Subnets
802.1X/ RAS VPN Authentication • L2 Interface
SGT
• L3 Interface
Web Authentication
• Virtual Port Profile
• Layer 2 Port Lookup
MAC Auth Bypass Pre-fix learning
Common Classification for Mobile Devices Common Classification for Servers, Topology-
based policy, etc.
Classification
How a SGT is Assigned
End User, Endpoint is

classified with SGT SVI interface is Physical Server is
mapped to SGT mapped to SGT
Campus Access Distribution Core DC Core DC Dist. DC Access
Enterprise
Backbone
SRC: 10.1.100.98
Hypervisor SW
VLAN is mapped
WLC FW
to SGT
Virtual Machine is
BYOD device is mapped to SGT
classified with
SGT
Classification
Static Classification
IOS CLI Example
IP to SGT mapping L2IF to SGT mapping

cts role-based sgt-map A.B.C.D sgt SGT_Value (config-if-cts-manual)#policy static sgt SGT_Value
VLAN to SGT mapping L3IF to SGT mapping

cts role-based sgt-map vlan-list VLAN sgt SGT_Value cts role-based sgt-map interface name sgt SGT_Value
Subnet to SGT mapping L3 ID to Port Mapping

cts role-based sgt-map A.B.C.D/nn sgt SGT_Value (config-if-cts-manual)#policy dynamic identity name
Classification
SGT to Port Profile
Nexus 1000v version 2.1
Classification
Dynamic Classification Process in Detail

Supplicant Switch / WLC ISE
Layer 2 Layer 3
00:00:00:AB:CD:EF
EAPoL Transaction RADIUS Transaction

EAP Transaction
Authenticated
Policy
1
Authorized MAC: Authorization SGT
0Evaluation
00:00:00:AB:CD:EF Authorized
SGT = 5
cisco-av-pair=cts:security-group-tag=0005-01
2 DHCP
DHCP Lease: ARP Probe IP Device
3
Binding:
10.1.10.100/24 Tracking 00:00:00:AB:CD:EF = 10.1.10.100/24
SRC: 10.1.10.1 = SGT 5
3560X#show cts role-based sgt-map all details

Make sure that IP Active IP-SGT Bindings Information
Device Tracking IP Address Security Group Source

=============================================
is TURNED ON 10.1.10.1 3:SGA_Device INTERNAL
10.1.10.100 5:Employee LOCAL
A Systems Approach
Switch/Controller is the Enforcement Point
Propagation
How is the SGT Classification Shared?

Propagation
Inline SGT Tagging SXP
CMD Field IP Address SGT
10.1.100.98 50
ASIC ASIC ASIC
Optionally Encrypted L2 Ethernet Frame
SRC: 10.1.100.98
(No CMD)
Campus Access Distribution Core DC Core EOR DC Access
Enterprise
Backbone
SXP SRC: 10.1.100.98

Hypervisor SW
WLC FW
 Inline Tagging (data plane): IP Address SGT SRC
If Device supports SGT in its ASIC 10.1.100.98 50 Local
SXP IP-SGT Binding Table

 SXP (control plane): Shared between devices
that do not have SGT-capable hardware
Propagation
Inline Tagging
• SGT embedded within Cisco Meta Ethernet Frame Cisco Meta Data MACsec Frame
Data (CMD) in Layer 2 frame Destination MAC CMD EtherType Destination MAC
Source MAC Version Source MAC
• Capable switches understands and 802.1Q 802.1AE Header
Length
process SGT at line-rate CMD 802.1Q
AES-GCM 128bit
SGT Option Type
ETHTYPE CMD
• Optional MACsec protection
Encryption
SGT Value
ETHTYPE
PAYLOAD Other CMD Option
• No impact to QoS, IP
PAYLOAD
MTU/Fragmentation CRC
16 bit
• L2 Frame Impact: ~40 bytes 64K name space 802.1AE Header
ETHTYPE:0x8909 CRC
• Recommend L2 MTU~1600 bytes
ETHTYPE:0x88E5
Propagation
Packet Format
Propagation
SXP Flow
IP Src: 10.1.3.2 Dst:
10.1.3.1
TCP Src Port: 16277 Dst Port: 64999
IP Src: 10.1.3.1 Dst:
Flags: 0x02 (SYN)
10.1.3.2
IP Src: 10.1.3.2 Dst: TCP Src Port: 64999 Dst Port: 16277
10.1.3.1 Flags: 0x12 (SYN, ACK)
Flags: 0x10 (ACK) TCP SYN
Speaker TCP SYN-ACK Listener
TCP ACK
CTS6K CTS7K
10.1.10.100 (SGT6) 10.1.3.2 10.1.3.1
Cisco ISE
SXP OPEN
IP Src: 10.1.3.2 Dst:
10.1.3.1 SXP OPEN_RESP
Flags: 0x10 ( ACK) SXP UPDATE
IP Src: 10.1.3.1 Dst:
SXP Type: Open 10.1.3.2
Version: 1 TCP Src Port: 64999 Dst Port: 16277
Device ID: CTS6K Flags: 0x18 (PSH, ACK)
IP Src: 10.1.3.2 Dst: SXP Type: Open_Resp
10.1.3.1 Version: 1
TCP Src Port: 16277 Dst Port: 64999 Device ID: CTS7K
Flags: 0x10 (ACK)
SXP Type: Update
Update Type: Install
IP Address: 10.1.10.100 SGT: 6
Enforcement
How is Policy Enforced with SGACL
Destination Classification
Web_Dir: SGT 20
CRM: SGT 30
End user authenticated
FIB Lookup
Classified as Employee (5)
Destination MAC/Port SGT 20
ISE
Cat3750X Cat6500 Cat6500 Nexus 7000 Nexus 5500 Nexus 2248

Web_Dir
Enterprise DST: 10.1.100.52
5 Backbone SGT: 20
SRC:10.1.10.220
SRC: 10.1.10.220 DST: 10.1.100.52 CRM
SGT: 5 DST: 10.1.200.100
Nexus 2248
SGT: 30
WLC5508 ASA5585
Web_Dir
SRC\DST CRM (30)
(20)
Employee (5) SGACL-A SGACL-B
BYOD (7) Deny Deny
SGACL Policy on ISE for Switches
2
Enforcement
Security Group Based Access Control for Firewalls

Security Group Firewall (SGFW)
Source Tags Destination Tags
Review: SGFW flow
Business Data What was missing in SGFW ? Classification
App / Storage
Firewall Rules
Source Destination Action
Firewall
IP SGT IP SGT Service Action Propagation
Any Employee Any Biz Server HTTPS Allow Enforcement
Any Suspicious Any Biz Server Any Deny
Device Type: Apple Mac

User: Susan
Corp Network AD Group: Employee
Asset Registration: Yes
Policy
Server Policy Mapping  SGT: Employee
VPN Remote Access Switch

Access
Corp Asset
Endpoints
Visibility and Control for Remote Access
Production Apps Development
Data Center
Data Center ISE
Firewall
Simplified Remote Access

A B C Tag
Enterprise
Filtering based on SGT (Tag), not Network
based on pooled IP addresses allows ASA RAS
simplified cross connect of access
policy for multiple RAS VPN points Internet VPN
VPN
Firewall Policy maintenance (add, edit, Contractor C
delete) is streamlined for service
change
Vendor A Device Type B
Confidentiality
MACsec and NDAC
Media Access Control Security and Network Device Admission Control
• MACsec: Layer-2 Encryption (802.1AE)
• Industry Standard Extension to 802.1X
• Encrypts the links between host and switch and links between switches.
• Traffic in the backplane is unencrypted for inspection, etc.
• Client requires a supplicant that supports MACsec and the encryption key-exchange
• NDAC: Authenticate and Authorize switches entering the network

• Only honors SGTs from Trusted Peers
• Can retrieve policies from the ACS/ISE Server and “proxy” the trust to other devices.
SWITCHPORT
######## ######## ########

Encrypted Link Encrypted Link Encrypted Link
Use Case: DC Access Access Control
Traditional Firewall Rules
Policy Source Policy Dest. Svc Act.
Reduced OPEX Object - S Object- D
Admin reduction 24 -> 6 10.1.1.0/24 Fin Web
People Finance 10.1.2.0/24 Server 172.1.1.1 Web Permit
10.1.3.0/24
Reduced “ACE” Entries 10.1.1.0/24 Devlp
Reduction 60 - 90%. Engr 10.1.2.0/24 Server 172.1.1.2 Web Permit
10.1.3.0/24
Topology Independent SGA Firewall Rules
Rules with no IP addresses SGT - User SGT - Service Svc Act.
Fin Web
Contextual Access
Finance-Corp-PC Server Web Permit
User+Device
Fin Web
User+Device+Access_type Finance-IPAD Server Web Deny
Devlp Server
Engr-All-Devices Web Permit
Use Case: Peer-to-Peer Malware Control
Production
Employee
Servers
HR Database
Mark and Enforcement
Cisco ISE
Assets
Sales Developer Guests Malware Blocking
Internet ACL
Access
Source
Malware
Sales DENY DENY PERMIT
Blocking Deny tcp dst eq 445 log; block SMB file
Malware sharing
Developer DENY DENY PERMIT
Blocking
Deny tcp dst range 137 139 log; block
Guest DENY DENY DENY PERMIT
NetBios Session Service
Permit all
Group Based Policies : Controlling Bonjour Peer-to-
Peer Bonjour Sender: Bonjour Sender:
Bonjour Receiver: Professor iPAD Student iPhone
Classroom Display
mDNS Service Advertisements
UDP unicast traffic
Controlling Bonjour:
1. Filtering mDNS Service Advertisements:
2. Blocking Bonjour UDP data packets
Use Case: Data Center Segmentation
Protected Assets
Production Development HR
Storage
Servers Servers Database
Production
PERMIT DENY DENY PERMIT
Servers
Source
Development
DENY PERMIT DENY PERMIT
Servers
HR
DENY DENY PERMIT PERMIT
Database
Storage PERMIT PERMIT PERMIT PERMIT
Enforcement Classification
HR Database
Development
DC FW DC Switch server
SGT Propagation
Segmentation
No VLANs
Cisco ISE
Use Case: Data Center VM Automation
5 Days
Admin Clone Boot VM Security Firewall rules New VM
Log-in Template to and Team added installed
Hypervisor new VM provision provisions
3 Days
Admin Clone Boot VM N1KV Auto learns IP,
Log-in Template to and Policy pushed to
Hypervisor new VM provision Firewall
1 Hour
Admin Log-in UCS N1KV Auto learns IP,
Director and clicks on Policy pushed to
new VM catalog Firewall
Group Based Policies Functions and Platform Support
Classification Propagation Enforcement
Catalyst 2960-S/-C/-Plus/-X/-XR SXP Catalyst 2960-S/-C/-Plus/-X/-XR Catalyst 3560-X
Catalyst 3560-E/-C/-X SXP Catalyst 3560-E/-C/, 3750-E
SGACL Catalyst 3750-X
Catalyst 3750-E/-X Catalyst 3560-X, 3750-X Catalyst 3850/3650
SXP SGT
Catalyst 3850/3650 SGACL WLC 5760
SXP SGT Catalyst 3850/3650 Catalyst 4500E (7E)
WLC 5760
SXP Catalyst 4500E (Sup6E) Catalyst 4500E (8E)
Catalyst 4500E (Sup6E/7E) SGACL Catalyst 6500E (2T)
SXP SGT Catalyst 4500E (7E, 8), 4500X
Catalyst 4500E (Sup8) Catalyst 6800
Catalyst 6500E (Sup720/2T) SXP Catalyst 6500E (Sup720)
Nexus 7000
Wireless LAN Controller SXP SGT Catalyst 6500E (2T), 6800 SGACL
2500/5500/WiSM2 Nexus 6000 NEW
SXP WLC 2500, 5500, WiSM2
Nexus 7000 Nexus 5600 NEW
SXP SGT WLC 5760 SGACL
Nexus 6000 NEW
Nexus 5500
SXP SGT
SGT Nexus 1000v NEW inline tagging
Nexus 5600 NEW Nexus 1000v NEW
Nexus 5500 SXP SGT Nexus 6000/5600 NEW SGACL
Nexus 1000v (Port Profile) SXP SGT Nexus 5500/22xx FEX ISR G2 Router, CGR2000
SGFW
SXP SGT Nexus 7000/22xx FEX
ISR G2 Router, CGR2000 SXP SGT GETVPN. DMVPN, IPsec ISRG2, CGS2000 ASR 1000 Router
SGFW
SXP SGT GETVPN. DMVPN, IPsec ASR1000 CSR-1000v Router
IE2000/3000, CGS2000 NEW
SXP SGT ASA5500 Firewall, ASASM
ASA 5500 Firewall
NEW
ASA5500 (VPN RAS) NEW SGFW ASAv Firewall NEW
• Inline SGT on all ISRG2 except 800 series:
SXP: IETF Internet Draft
SXP submitted to IETF and is being implemented by other vendors.

Bayshore Networks announce support in January 2014.
ISE Deployment
Architecture
ISE Node Personas = Functional Roles
Policy Administration Node Policy Service Node Monitoring and Network Access
All Management UI Activities RADIUS, Profiling, Web Troubleshooting Device
Synchronizing all ISE Nodes Auth, Posture, Sponsor Logging and Access-Layer Devices
Portal, Client Provisioning Reporting Data Enforcement Point for
all Policy
PAN PSN MnT NAD
SWITCHPORT
Admin
User All Policy is Synchronized
User
from PAN to PSNs
RADIUS From NAD to Policy Service Node
PSN Queries AD Directly
AD
RADIUS From PSN to NAD w/ Enforcement Result
RADIUS Accounting
Logging
Logging
Basic 2-Node ISE Deployment (Redundant)
Maximum Endpoints = 10,000 (Platform dependent)
Pri. Admin Pri. MnT
Admin Admin
MnT PSN MnT PSN
HA Inline
Campus B WLC
Posture Nodes
Campus A
ASA VPN Switch
802.1X
AP
WLC
• All Services run on both ISE Nodes

AP
Branch A Switch
• Set one for Primary Admin / Secondary MnT
Branch B
802.1X
• Set other for Primary Monitoring / Sec. Admin
• Max Endpoints is platform dependent:
Switch Switch • 33x5 = Max 2k endpoints
AP 802.1X AP 802.1X
• 3415 = Max 5k endpoints
• 3495 = Max 10k endpoints
Basic Distributed Deployment
Maximum Endpoints = 10,000 / Maximum 5 PSNs
Pri. Admin Pri. MnT

Sec. MnT Sec. Admin
PSN
HA Inline
Campus B WLC
Posture Nodes
Campus A
PSN
ASA VPN PSN Switch
802.1X
AP
WLC
PSN • Dedicated Management Appliances
AP • Primary Admin / Secondary MnT
Branch A Switch
• Primary MnT / Secondary Admin
Branch B
802.1X
• Dedicated Policy Service Nodes
• Up to 5 PSNs
Switch Switch • No more than 10,000 Endpoints Supported
AP 802.1X AP 802.1X
• 3355/3415 as Admin/MnT = Max 5k endpts
• 3395/3495 as Admin/MnT = Max 10k endpts
Fully Distributed Deployment
Maximum Endpoints = 250,000 / Maximum 40 PSNs
Pri. Admin Pri. MnT Sec. Admin Sec. MnT PSN
HA Inline
Campus B WLC
Posture Nodes
Campus A
PSN
ASA VPN PSN Switch
802.1X
AP
WLC • Dedicated Management Appliances
PSN • Primary Admin
AP • Secondary Admin
Branch A Switch Branch • Primary MnT
802.1X
B • Secondary MnT
• Dedicated Policy Service Nodes
Switch Switch • Up to 40 PSNs
AP 802.1X AP 802.1X
• Up to 100k endpoints using 3395 Admin and MnT
• Up to 250k endpoints using 3495 Admin and MnT
VMware OVA Templates!
• Finally! We have supported OVA Templates
• Ensures customers will not misconfigure their VMware settings
• Preset: Reservations, vCPUs, Storage
• Based on following Specs:
ISE-1.3.x.x-Eval-100-endpoint.ova:
• 2 CPU cores
• 4 GB RAM
• 200 GB disk
• 4 NICs
ISE-1.3.x.x-Virtual-SNS-3415.ova: ISE-1.3.x.x-Virtual-SNS-3495.ova:
• 4 CPU cores • 8 CPU cores
• 16 GB RAM • 32 GB RAM
• 600 GB disk • 600 GB disk
• 4 NICs • 4 NICs
Agenda
• Introduction
• Visibility
• Profiling
• AAA (802.1X & MAB)
• Conclusion
Licensing Enhancements
Final Pricing, SKUs, Migration, Feature is NOT

covered in this presentation
Brief Licensing Overview
Access Context Compliance
Base (Perpetual Lic.) Plus (Term Lic.) Apex (Term Lic.)

 AAA  BYOD  Unified Endpoint
 802.1X  Internal CA  MDM – 3rd Party
Compliance &
 Enhanced Guest  Profiling & Feed Service  Compliance Remediation
 Group Based Policies  EPS
 Multiple APIs  pxGrid AC Apex (Term Lic.)
• Endpoint must be online & Using the feature for it to consume a license
• Leaving the network will free the license & return it to the pool
A Systems Approach to
Building an Identity
Access Control
Architecture
Choosing the Correct Building Blocks
The “Group Based Policies ” Portfoliowww.cisco.com/go/Group Based Polic
Policy
Administration
Policy Decision Identity Services Engine (ISE)
Identity Access Policy System
Policy
Enforcement
Group Based Policies Cisco 2960/3560/3700/4500/6500, Nexus 7000 Cisco ASA, ISR, ASR 1000
Powered switches, Wireless and Routing Infrastructure
Policy
Information NAC Agent Web Agent 802.1X Supplicant
Group Based Policies No-Cost Persistent and Temporal Clients AnyConnect or
Powered for Posture, and Remediation OS-Embedded Supplicant
Identity-Based Access Is a Feature of the Network
Spanning Wired, Wireless, and VPN
BRKSEC-2695 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 262 262
Group Based Policies Design and How-To Guides
Secure Access Blueprints
ISE Public Resources
ISE Public Community
http://cs.co/ise-community
Customer Connection Program

http://cisco.com/go/ccp > Security
ISE Compatibility Guides

http://cs.co/ise-compatibility
ISE Design & Integration Guides

http://cs.co/ise-guides
ISE Licensing / Ordering Guide

http://cs.co/ise-licensing
http://cs.co/ise-ordering
Free, 90-day ISE Evaluation

http://cs.co/ise-eval
BRKSEC-2695
Public ISE Community
@ http://cs.co/ise-community
Complete your online session evaluation
Give us your feedback to be entered

into a Daily Survey Drawing.
Complete your session surveys through
the Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing
on demand after the event at www.CiscoLive.com/Online.
Recommended Reading
• Buy our book, help us afford more beer!
http://amzn.com/1587144263 http://amzn.com/1587143259
Continue
your Demos in
the Cisco
Walk-in
self-paced
Meet the
engineer
Related
sessions
education campus labs 1:1
meetings
Thank you
#CLUS
#CLUS

Building An Enterprise Access Control Architecture Using ISE Group Based Policies PDF

Uploaded by

Copyright:

Available Formats

Building An Enterprise Access Control Architecture Using ISE Group Based Policies PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Building An Enterprise Access Control Architecture Using ISE Group Based Policies PDF

Uploaded by

Copyright:

Available Formats

What are the main topics covered in the presentation?

What are the main topics covered in the presentation?

What are some of the advanced ISE sessions recommended at the end?

What are some of the advanced ISE sessions recommended at the end?

#CLUS

Webex Teams will be moderated cs.co/ciscolivebot# XXX-XXXX

Look for this “For Your Reference”

There is a tremendous amount of

FOR YOUR REFERENCE

**250 +/- Slides in PDF (100 + are hidden)

Labs Tuesday Wednesday Thursday

CISCO IDENTITY SERVICES ENGINE

Non-Trusted App / Services

Software-Defined Segmentation, Location-Free App/Service

UNKNOWN WINDOWS WORKSTATION

UNKNOWN BUILDING-A FLOOR-1

UNKNOWN 10:30 AM EST on APR 27

UNKNOWN NO THREATS / VULNERABILITIES

Supplicant for wired, wireless

Role-based Access Control | Guest Access | BYOD | Secure Access

Physical Identity Profiling Role-Based Policy Access Network Resources

Network What Guest Access

Users Device Location Connectivity Time

•Name •Type •Physical •Medium (Wired / •Time of day

Behavior Application and Vulnerability Threat

devices with ‘50’ attributes

550+ Cisco ISE

DEVICE SENSOR CDP LLDP DHCP HTTP H323 SIP MDNS

DEVICE SENSOR CDP LLDP DHCP HTTP H323 SIP MDNS

ANYCONNECT ACIDex ISE data collection methods for Device profiling

ACIDex Profiler Policy

00:02:4B:CC:D6:63 10.1.20.33 Cisco-IP-Phone Cisco Systems

5C:F9:38:AA:1F:90 10.1.0.21 Apple-MacBook Apple Inc

30:46:9A:2E:C3:F0 10.1.0.73 Microsoft-Workstation Lenevo

WLC5520-1 10.1.100.3 Controller DC-01 Cisco Controller

N5K-1 10.1.100.4 Switch DC-01 Cisco Nexus OS version..

* Only supported on Standalone ISE deployment.

Connect to AD via the wizard to complete

Cisco ISE Win Domain

Application ‘Visibility’ via Anyconnect

Cisco Anyconnect with

Visibility Context Control

devices with ‘50’ attributes

550+ Cisco ISE

DEVICE SENSOR CDP LLDP DHCP HTTP H323 SIP MDNS

DEVICE SENSOR CDP LLDP DHCP HTTP H323 SIP MDNS

ANYCONNECT ACIDex ISE data collection methods for Device profiling

ACIDex Profiler Policy

Apple WYSE Samsung Motorola Cisco Roku

OS: Mac OS X +10

Must match minimum certainty factor

ISE does learn the OUI and possibly

Attribute that can be used for writing

Active Directory Probe

AD Probe conditions Match on the following:

MAB  DHCP  AD Probe

 Doesn’t require packet

PSN Feed Partner

Custom attributes exposed to Authorization policy