
Building an Enterprise Access Control Architecture using ISE and TrustSec
BRKSEC-2044
Imran Bashir, Technical Marketing Engineer
#clmel
Introduction
Session Abstract
Tomorrow's requirement to network the Internet of Things requires an access control architecture that contextually regulates who and what is allowed onto the network. Identity Services Engine (ISE) plays a central role in providing network access control for Wired, Wireless and VPN networks. In addition, ISE is the policy control point for TrustSec, which controls access from the network edge to resources.

This session will focus on: 1. Emerging business requirements and ISE services such as: Guest, profiling, posture, BYOD and MDM. 2. Secure policy based access control including 802.1X, MAB, Web Authentication, and certificates/PKI. The session will show you how to expand policy decisions to include contextual information gathered from profiling, posture assessment, location, and external data stores such as AD and LDAP. 3. Enforcing network access policy through conventional means such as VLANs and ACLs and emerging technologies such as TrustSec.

Cisco TrustSec technology is used to segment the campus and data centre to increase security and drive down the operational expenses associated with managing complex ACL firewall rule tables and ACL lists. This session is an introduction to the following advanced sessions: BRKSEC-3699; BRKSEC-3698; BRKSEC-3690; TECSEC-3691.

Agenda
• Introduction
• Profiling
• AAA (802.1x & MAB)
• ISE Guest & Employee WebAuth
• Compliance: Desktop Posture, BYOD & MDM
• PxGrid
• TrustSec
• ISE Deployment
BRKSEC-2044 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
IT Trends of Securing Access
Internet of Things Encompasses Everything
• Antivirus software installed
• Operating system patches up-to-date
• BYOD for productivity and personalisation
• Average worker with 3 devices
• ~7 Billion connected devices
• Over 15 Billion devices by 2015
• 71% mobile video traffic in 2016
• 2/3 of workers in cloud by 2016
• 50% of workloads are virtualised
• Mobile malware doubled
ISE Provides ONE Policy for Unified Access
• ONE MANAGEMENT: Single Pane of Glass Management with Cisco Prime
• ONE NETWORK: Integrated Wired and Wireless in ONE Physical Infrastructure, with ONE Operating System & Open APIs
• ONE POLICY: Simplified, Unified Policy Management with Cisco ISE
Together: Cisco Unified Access
Cisco Identity Services Engine (ISE)
Delivering the Visibility and Control for Secure Network Access
Context (Who, What, Where, When, How) gathered from the Network and from Partner Context Data feeds Cisco ISE, which applies a Consistent Secure Access Policy.
Cisco ISE is the Market Leader

Why Cisco ISE?
Cisco ISE Provides Comprehensive, Unified Policy Management and Enforcement to Ensure Secure Wired, Wireless, and VPN Access
• Visibility Driven – Accurately identify and assess network users & devices
• Access Control – Grant/limit access to align with appropriate business policy
• Threat Focused – Minimise the spread of network threats & the impact of data breaches
The Different Ways Customers Use ISE
• Guest Access Management: Easily provide guests limited-time, limited-resource Internet access
• BYOD and Enterprise Mobility: Seamlessly & securely onboard devices with the right levels of access
• Secure Access across the Entire Network: Simplify & unify enterprise network access policy across wired, wireless, & VPN
• With Cisco TrustSec®: Identity-aware Network Segmentation and Access Policy Enforcement
Secure Access and TrustSec = Identity, Right?
• Yes, but it refers to an Identity System (or Solution)
– Policy servers are only as good as the intel received about the endpoints requiring
access and the devices that enforce policy (Switches, WLCs, Firewalls, etc…)
• So what is “Identity”?
– Understanding the Who / What / Where / When and How of users and devices that
access the network = CONTEXT

The Importance of Contextual Identity

Profiling
Visibility: “What” is Connecting to My Network?
Profiling
• What ISE Profiling is:
– Dynamic classification of every device that connects to the network using the infrastructure.
– Provides the context of “What” is connected independent of user identity for use in access policy decisions (PCs and non-PCs such as UPS, phone, printer, AP).
• What Profiling is NOT:
– An authentication mechanism.
– An exact science for device classification.
Profiling Non-User Devices
Dynamic Population of MAB Database Based on Device Type
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
Example outcome (access switch enforcing the ISE decision):
– Printers = Printer VLAN
– Cameras = Video VLAN
– UPS = Management_Only dACL
Profiling User Devices
Differentiated Access Based on Device Type
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
Example outcome (WLAN Controller enforcing the ISE decision, Corp and Guest SSIDs):
– Kathy + Corp Laptop = Full Access to Marketing VLAN (VLAN = Marketing)
– Kathy + Personal Tablet / Smartphone = Limited Access, Internet Only (Named ACL = Internet_Only)
Profiling Technology
How Do We Classify a Device?
• Profiling uses signatures (similar to IPS)
• Probes are used to collect endpoint data: DHCP, HTTP, SNMP Query, RADIUS, SNMP Trap, DHCP SPAN, DNS, NMAP, NetFlow
Profiling Policy Overview
Profile Policies Use a Combination of Conditions to Identify Devices
Conditions from the Profile Library, e.g. for an iPad:
– Is the MAC Address from Apple?
– DHCP:host-name CONTAINS iPad
– IP:User-Agent CONTAINS iPad
Result: “I am fairly certain this device is an iPad”, so assign this MAC Address to the “iPad” Policy.
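As an added illustration (not Cisco's code and not ISE's internal implementation), the following Python models the slide's iPad policy as conditions that each contribute a certainty factor, with the profile assigned once the total reaches a minimum. The certainty values, the threshold, the OUI table and the sample endpoint attributes are all constructed for this example. The "spoofed" endpoint shows why profiling is "not an exact science": the DHCP host-name is chosen by the endpoint itself, so it can push a device over the threshold without any corroborating HTTP evidence, which is a reason to keep profile-based authorisation to low-privilege roles.

```python
from dataclasses import dataclass, field

# Constructed sample endpoint attributes, as a profiler would collect them
# from the RADIUS, DHCP and HTTP probes. All values are made up.
SAMPLE_ENDPOINTS = {
    "ipad": {
        "MAC": "3C:15:C2:AA:BB:CC",
        "DHCP:host-name": "Kathys-iPad",
        "IP:User-Agent": "Mozilla/5.0 (iPad; CPU OS 8_1 like Mac OS X)",
    },
    "mac_laptop": {
        "MAC": "3C:15:C2:11:22:33",
        "DHCP:host-name": "kathy-mbp",
        "IP:User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10)",
    },
    "printer": {"MAC": "00:17:C8:44:55:66", "DHCP:host-name": "NPI8A6C1D"},
    # Apple OUI plus a self-chosen host-name, but no HTTP evidence at all
    "spoofed": {"MAC": "3C:15:C2:DE:AD:00", "DHCP:host-name": "my-ipad"},
}

# Assumed OUI-to-vendor table (a real deployment uses the IEEE OUI list).
OUI_VENDORS = {"3C:15:C2": "Apple", "00:17:C8": "Konica Minolta"}


@dataclass
class Condition:
    attribute: str   # endpoint attribute, e.g. "DHCP:host-name"
    operator: str    # "CONTAINS" or "OUI_IS"
    value: str
    certainty: int   # certainty factor added when the condition matches

    def matches(self, ep: dict) -> bool:
        raw = ep.get(self.attribute)
        if raw is None:
            return False
        if self.operator == "CONTAINS":
            return self.value.lower() in raw.lower()
        if self.operator == "OUI_IS":
            return OUI_VENDORS.get(raw[:8].upper()) == self.value
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class ProfilePolicy:
    name: str
    min_certainty: int                    # total needed before the profile is assigned
    conditions: list = field(default_factory=list)

    def score(self, ep: dict) -> int:
        return sum(c.certainty for c in self.conditions if c.matches(ep))


# The slide's three iPad conditions; the certainty values are assumptions.
IPAD_POLICY = ProfilePolicy("iPad", min_certainty=30, conditions=[
    Condition("MAC", "OUI_IS", "Apple", 10),
    Condition("DHCP:host-name", "CONTAINS", "iPad", 20),
    Condition("IP:User-Agent", "CONTAINS", "iPad", 30),
])


def classify(ep: dict, policies=(IPAD_POLICY,)) -> tuple:
    """Return (profile_name, score) for the highest-scoring policy that reaches
    its minimum certainty, or ("Unknown", 0) when none does."""
    best = ("Unknown", 0)
    for policy in policies:
        total = policy.score(ep)
        if total >= policy.min_certainty and total > best[1]:
            best = (policy.name, total)
    return best


if __name__ == "__main__":
    for label, ep in SAMPLE_ENDPOINTS.items():
        print(f"{label:10s} -> {classify(ep)}")
```

Running the block prints the classification of each constructed endpoint; only the real iPad and the "spoofed" one reach the iPad threshold, and the laptop stays Unknown because the Apple OUI alone is worth less than the minimum.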
Device Sensor Support
Device Sensor on 3k/4k switches and WLC
Distributed Probes with Centralised Collection
• The Network IS the Collector!
• Automatic discovery for most common devices (printers, phones, Cisco devices)
• Collects the data at the point closest to the endpoint and forwards it to ISE
• Topology independent
• Profiling based on:
– CDP/LLDP
– DHCP
– HTTP (WLC only)
– mDNS, H323, MSI-Proxy (4k only)
Device Sensor Distributed Probes: switches collect CDP/LLDP/DHCP from the attached endpoints, the WLC collects DHCP/HTTP, and all of it is sent to ISE.
Device Sensor in Action
Switch Device Sensor Cache:
  # show device-sensor cache all
  Cisco IP Phone 7945: SEP002155D60133, 10.100.15.100, Cisco Systems, Inc. IP Phone CP-7945G
ISE Profiling result: the same endpoint, SEP002155D60133, appears in ISE with the attributes the Device Sensor collected.
Device Profile Feed Service
Another Cisco Innovation and Industry First!
• 1,000s of NEW devices launch every day
• The Internet of Things makes “keeping up” a complete nightmare…until now.
• Device feed service shares new, vetted device profiles from the Cisco community
• More supported devices with real-time updates = faster onboarding for users
Authentication, Authorisation, and Accounting
“Who” is Connecting, Access Rights Assigned, and Logging It
ISE is a Standards-Based AAA Server
Access Control System Must Support All Connection Methods
• Supports Cisco and 3rd-Party solutions via standard RADIUS, 802.1X, EAP, and VPN Protocols
• Wired: 802.1X = EAPoLAN, RADIUS to the ISE Policy Server
• Wireless: 802.1X = EAPoLAN, RADIUS to the ISE Policy Server
• VPN: SSL / IPsec, RADIUS to the ISE Policy Server
(Managed with Cisco Prime)
Authentication and Authorisation
What’s the Difference?
• Authentication (802.1X / MAB / WebAuth): who/what the endpoint is.
• Authorisation: what the endpoint has access to.
Separation of Authentication and Authorisation
Policy Set: a Condition selects the Policy Set; each set holds its own Authentication policy and Authorisation policy (Policy Groups).
Tree View: the AuthC Protocols (allowed protocols) and the Identity Store are selected within the authentication policy.
Authentication Rules
Choosing the Right ID Store
Authentication Options: 802.1X / MAB / WebAuth
RADIUS Attributes (rule conditions): Service type, NAS IP, Username, SSID, …
EAP Types: EAP-FAST, EAP-TLS, PEAP, EAP-MD5, Host lookup, …
Identity Source: Internal/Certificate, Active Directory, LDAPv3, RADIUS, Identity Sequence
Integrating My Identity Stores
Local / LDAP / AD / RADIUS / Token Servers
• Microsoft AD Servers 2003-2012
• LDAPv3-Compliant Servers
• External RADIUS Servers
• RSA and RFC-2865-Compliant One-Time Password/Token Servers
• Certificate Servers
• Identity Sequences
Multi-Forest Active Directory Support
ISE 1.3 is designed for growing businesses. With support for multiple Active Directory domains (example-1.com, example-2.com, … example-n.com), ISE 1.3 enables authentication and attribute collection across the largest enterprises.
• Support for 50 concurrent Active Directory join points
• No need for 2-way trust relationship between domains
• Advanced algorithms for dealing with identical usernames.
AD Authentication Flow
AuthC Policy → Identity Rewrite (Optional) → Scope (Optional) → AD Join Point → AD Domain List (Optional) → Target AD
Test Authentication
• Can run from scope level
• Can run from AD Join Point
• Different authentication types
• ISE node can be selected to run the test auth
• Can provide group & attribute details if options are selected
Authorisation Rules
After 802.1X / MAB / WebAuth, return standard IETF RADIUS / 3rd-Party Vendor Specific Attributes (VSAs):
• ACLs (Filter-ID)
• VLANs (Tunnel-Private-Group-ID)
• Session-Timeout
• IP (Framed-IP-Address)
• Vendor-Specific including Cisco, Aruba, Juniper, etc.
What About That 3rd “A” in “AAA”?
Accounting
• Detailed Visibility into Passed/Failed Attempts
• Detailed Visibility into All Active Sessions and Access Policy Applied (e.g. Repeat Count = 395; Per Session Details)
802.1X and MAB
Let’s Begin by Securing User Access with 802.1X
IT Mgr.: “I’ve done my homework in Proof of Concept Lab and it looks good. I’m turning on 802.1X tomorrow…”
Enabled 802.1X
User: “I can’t connect to my network. It says Authentication failed but I don’t know how to fix. My presentation is in 2 hours…”
Help Desk calls increase by 40%
Building the Architecture in Phases
• Access-Prevention Technology
– A Monitor Mode is necessary
– Must have ways to implement and see who will succeed and who will fail
• Determine why, and then remediate before taking 802.1X into a stronger enforcement mode.
• Solution = Phased Approach to Deployment: Monitor Mode → Low Impact Mode → Closed Mode
Monitor Mode
A Process, Not Just a Command
Interface Config:
  interface GigabitEthernet1/0/1
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator
• Enables 802.1X authentication on the switch, but even failed authentication will gain access
• Allows network admins to see who would have failed, and fix it, before causing a Denial of Service
Pre-AuthC: traffic always allowed (DHCP, TFTP, KRB5, HTTP, EAPoL): Permit All
Post-AuthC: Permit All
AuthC = Authentication, AuthZ = Authorisation
Low-Impact Mode
If Authentication is Valid, Then Specific Access!
Interface Config:
  interface GigabitEthernet1/0/1
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator
   ip access-group default-ACL in
• Limited access prior to authentication
• AuthC success = Role-specific access
• dVLAN Assignment / dACLs
• Secure Group Access
• Still allows for pre-AuthC access for Thin Clients, WoL & PXE boot devices, etc…
Pre-AuthC: the port ACL permits some traffic (DHCP, TFTP, KRB5, HTTP, EAPoL)
Post-AuthC: Role-Based ACL and/or SGT (e.g. DHCP, RDP, KRB5, HTTP)
Closed Mode
No Access Prior to Login, Then Specific Access!
Interface Config:
  interface GigabitEthernet1/0/1
   authentication host-mode multi-auth
   authentication port-control auto
   mab
   dot1x pae authenticator
• Default 802.1X behaviour
• No access at all prior to AuthC
• Still use all AuthZ enforcement types: dACL, dVLAN, SGA
• Must take considerations for Thin Clients, WoL, PXE devices, etc…
Pre-AuthC: only EAPoL is permitted (DHCP, TFTP, KRB5, HTTP blocked)
Post-AuthC: Permit All, or Role-Based ACL / SGT (DHCP, TFTP, KRB5, HTTP)
Securing Access From Non-User Devices
• Non-Authenticating Devices
– These are devices that were forgotten
– They do not have software to talk EAP on the network …or they were not configured for it
– Examples: Printers, IP Phones, Cameras, Badge Readers
– How to work with these?
• Solution: Do not use 802.1X on ports with Printers …but what happens when the device moves or another endpoint plugs into that port?!
• Solution: MAC Authentication Bypass (MAB)
MAC Authentication Bypass (MAB)
What is it?
• A list of MAC Addresses that are allowed to “skip” authentication
• Is this a replacement for 802.1X?
– No Way!
• This is a “Band-aid”
– In a Utopia, ALL devices authenticate.
• List may be Local or Centralised
– Can you think of any benefits to a centralised model?

One MAB For All
ISE and 3rd-Party MAB Support
• MAC Authentication is NOT a defined standard.
• Cisco uses Service-Type = Call-Check to detect MAB and uses Calling-Station-ID for host lookup in the identity store.
• Most 3rd parties use Service-Type = Login for 802.1X, MAB and WebAuth
– Some 3rd parties do not populate Calling-Station-ID with the MAC address.
• With ISE 1.2, MAB can work with different Service-Type and Calling-Station-ID values or different “password” settings.
• Recommendation is to keep as many checkboxes enabled as possible for increased security
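To make the Service-Type / Calling-Station-ID / password distinctions concrete, here is an added Python example (not ISE code; the option names are this example's, not ISE's checkbox labels) that classifies an incoming Access-Request as 802.1X, MAB or WebAuth. With the strict Cisco-style defaults, a third-party NAD that sends Service-Type=Login and omits Calling-Station-Id is read as a web login rather than MAB; relaxing the options accepts it, but the username-must-equal-MAC and password-must-equal-MAC checks stay on, which is what rejects the constructed MISMATCH request where the username does not match the calling station. The sample requests are constructed attribute subsets, not real packets.

```python
import re
from dataclasses import dataclass


def normalise_mac(value):
    """Return a MAC as 12 upper-case hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value or "")
    return digits.upper() if len(digits) == 12 else None


@dataclass
class MabOptions:
    """Relaxations for non-Cisco NADs (names are this example's, not ISE's)."""
    accept_login_service_type: bool = False   # NAD sends Service-Type=Login for MAB
    accept_username_as_mac: bool = False      # NAD does not populate Calling-Station-Id
    require_password_is_mac: bool = True      # MAB 'password' must equal the MAC


def classify_request(attrs: dict, opts: MabOptions = MabOptions()) -> str:
    """Classify an Access-Request as 'DOT1X', 'MAB', 'WEBAUTH' or 'REJECT'."""
    if "EAP-Message" in attrs:
        return "DOT1X"                      # EAP carried in RADIUS, whatever the Service-Type
    service_type = attrs.get("Service-Type")
    csid_mac = normalise_mac(attrs.get("Calling-Station-Id"))
    user_mac = normalise_mac(attrs.get("User-Name"))
    lookup_mac = csid_mac
    if lookup_mac is None and opts.accept_username_as_mac:
        lookup_mac = user_mac
    is_mab = service_type == "Call-Check" or (
        service_type == "Login" and opts.accept_login_service_type and user_mac is not None)
    if is_mab and lookup_mac is not None:
        if user_mac != lookup_mac:
            return "REJECT"                 # username must be the MAC being looked up
        if opts.require_password_is_mac and normalise_mac(attrs.get("User-Password")) != lookup_mac:
            return "REJECT"
        return "MAB"
    if service_type == "Login" and attrs.get("User-Name"):
        return "WEBAUTH"                    # plain username/password login
    return "REJECT"


# Constructed sample requests (attribute subsets, not full packets).
CISCO_MAB = {"Service-Type": "Call-Check", "Calling-Station-Id": "00-21-55-D6-01-33",
             "User-Name": "002155d60133", "User-Password": "002155d60133"}
THIRD_PARTY_MAB = {"Service-Type": "Login", "User-Name": "00:21:55:d6:01:33",
                   "User-Password": "00:21:55:d6:01:33"}          # no Calling-Station-Id
DOT1X = {"Service-Type": "Framed", "Calling-Station-Id": "00-21-55-D6-01-33",
         "User-Name": "jdoe", "EAP-Message": b"\x02\x01\x00\x09\x01jdoe"}
WEBAUTH = {"Service-Type": "Login", "User-Name": "jdoe", "User-Password": "secret123"}
MISMATCH = {"Service-Type": "Call-Check", "Calling-Station-Id": "00-21-55-D6-01-33",
            "User-Name": "aabbccddeeff", "User-Password": "aabbccddeeff"}

LENIENT = MabOptions(accept_login_service_type=True, accept_username_as_mac=True)

if __name__ == "__main__":
    for name, req in [("cisco", CISCO_MAB), ("3rd-party", THIRD_PARTY_MAB),
                      ("dot1x", DOT1X), ("webauth", WEBAUTH), ("mismatch", MISMATCH)]:
        print(f"{name:10s} strict={classify_request(req):8s} lenient={classify_request(req, LENIENT)}")
```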
Web Authentication
Handling Guests and Employees Without 802.1X
• Employees and some non-user devices: 802.1X
• All other non-user devices: MAB
• Guest Users, and Employees with Missing or Misconfigured Supplicants: Web Authentication (Employee or Guest login with username/password)
Network Access for Guests and Employees
• Unifying network access for guest users and employees
Wireless example: Guest and Contractor on SSID Guest; Employee on SSID Corp.
Wired example: IP Phone, Printer and Employee Desktop all on the same kind of switch port.
On wireless:
• Using multiple SSIDs
• Open SSID for Guest
On wired:
• No notion of SSID
• Unified port: Need to use different auth methods on single port ► Enter Flex Auth
Flex Auth
Converging Multiple Authentication Methods on a Single Wired Port
Interface Config:
  interface GigabitEthernet1/0/1
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator
   !
   authentication event fail action next-method
   authentication order dot1x mab
   authentication priority dot1x mab
Sequence on the port: 802.1X → (timeout/failure) → MAB → (timeout/failure) → WebAuth
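The Monitor, Low-Impact and Closed configurations above differ in only a couple of commands, which makes the mode a port is in easy to audit from a running-config; this is the check you want before declaring a phased rollout finished. The following Python is added here as an example and is not Cisco's or the deck's code: it parses a constructed `show running-config` excerpt, classifies each port as monitor, low-impact, closed or unauthenticated from exactly the commands the slides differ on (`authentication open`, an inbound `ip access-group`, `authentication port-control auto`), and reports the Flex Auth `authentication order` and fail-action. The sample config, the interface names and the classification heuristic are this example's assumptions, not a Cisco definition.

```python
import re

# Constructed running-config excerpt: one port per mode plus an uplink.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 ip access-group default-ACL in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 description uplink, no authentication
!
"""


def parse_interfaces(config: str) -> dict:
    """Split IOS running-config text into {interface_name: [interface sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None      # '!' or a global command ends the interface block
    return interfaces


def deployment_mode(cmds: list) -> str:
    """Classify a port by the commands the three modes differ on (heuristic, assumed)."""
    authenticating = "authentication port-control auto" in cmds and (
        "dot1x pae authenticator" in cmds or "mab" in cmds)
    if not authenticating:
        return "none"
    open_port = "authentication open" in cmds
    pre_auth_acl = any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds)
    if open_port and pre_auth_acl:
        return "low-impact"     # open port, pre-AuthC traffic limited by the port ACL
    if open_port:
        return "monitor"        # failed authentication still gets full access
    return "closed"             # no access before AuthC


def flex_auth_order(cmds: list) -> list:
    """Methods in the configured 'authentication order'; [] when the switch default applies."""
    for c in cmds:
        m = re.match(r"authentication order (.+)", c)
        if m:
            return m.group(1).split()
    return []


def audit(config: str) -> dict:
    """Per-interface findings: mode, Flex Auth order, fail-over, and a note for monitor-mode ports."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        mode = deployment_mode(cmds)
        report[name] = {
            "mode": mode,
            "order": flex_auth_order(cmds) if mode != "none" else [],
            "fails_to_next_method": "authentication event fail action next-method" in cmds,
            "finding": "still in monitor mode: failed authentication gains full access"
                       if mode == "monitor" else "",
        }
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_RUNNING_CONFIG).items():
        print(name, info)
```

Run against a real `show running-config` capture, the "finding" field is the list of ports to revisit before moving the deployment past monitor mode.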
CWA Flow
• Tracking session ID provides support for session lifecycle management including CoA.
https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=cwa
Exchange between the access device and the ISE Policy Server:
1. Endpoint connects to WLAN=Corp; the access device tries MAB.
2. MAB fails, but ISE returns the Default Policy = URL Redirect to ISE + Session ID.
3. The access device redirects the browser to ISE.
CWA Flow
• CoA allows re-authentication to be processed based on new endpoint identity context.
1. User enters credentials (jdoe / secret123) on the ISE portal: Auth Success, group=Employee.
2. ISE sends CoA to the access device: Reauth.
3. Existing Session matches Employee Policy = Remove Redirect + ACL permit ip any any: Permit Employee Access.
A Systems Approach
Switch/Controller is the Enforcement Point

URL Redirection
ISE uses URL Redirection for:
• Central Web Auth
• Client Software Provisioning
• Posture Discovery / Assessment
• Device Registration WebAuth
• BYOD On-Boarding
• Certificate Provisioning
• Supplicant Configuration
• Mobile Device Management
• External Web Pages
Session ID
Glue That Binds Client Session to Access Device and ISE
• NAD: “show authentication session”
• ISE: Detailed Authentication Report
• Browser: URL-redirect for Web Auth
https://ise11.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&portal=&action=cwa
The same session ID appears in all three places (carried over RADIUS), so “About that session… which one???” is answered by matching it.
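The two CWA Flow slides and the Session ID slide describe one exchange; the following Python is an added simulation of it (not Cisco's code) with both sides as objects: the NAD mints a session ID, sends MAB, installs the redirect ISE returns, and only re-authorises a port when a CoA names a session it actually owns; ISE binds the portal login to the session ID in the redirect URL and issues the CoA. The RADIUS messages are dicts standing in for packets, the guest account, the redirect ACL name and the MACs are constructed, and the session-ID layout (NAD IPv4 as eight hex digits, then a counter and a timestamp) is my reading of the `C0A8013C…` value on the slide, which decodes to 192.168.1.60, not a Cisco specification quoted from the deck.

```python
import ipaddress
from urllib.parse import parse_qs, urlencode, urlparse

PORTAL = "https://ise.company.com:8443/guestportal/gateway"   # from the slide


def nad_ip_from_session_id(session_id: str) -> str:
    """First 8 hex digits of the audit session ID read as the NAD's IPv4 address
    (the rest is a counter and a timestamp; layout assumed here)."""
    return str(ipaddress.IPv4Address(int(session_id[:8], 16)))


class IsePolicyServer:
    """ISE side: MAB lookup, default policy with redirect, portal login, CoA."""

    def __init__(self, known_macs, guest_accounts):
        self.known_macs = {m.upper() for m in known_macs}
        self.guest_accounts = dict(guest_accounts)
        self.sessions = {}   # audit session id -> {"mac", "identity", "role"}

    def access_request(self, req: dict) -> dict:
        sid, mac = req["Audit-Session-Id"], req["Calling-Station-Id"].upper()
        sess = self.sessions.setdefault(sid, {"mac": mac, "identity": None, "role": None})
        if sess["identity"]:
            # Reauth after the portal login: the existing session now matches a role
            # policy, so the redirect is dropped and the role's ACL is returned.
            return {"code": "Access-Accept", "Filter-Id": f"{sess['role']}-ACL"}
        if mac in self.known_macs:
            return {"code": "Access-Accept", "Filter-Id": "Printer-ACL"}   # MAB succeeded
        # MAB failed: default policy = URL redirect to ISE carrying this session ID
        query = urlencode({"sessionId": sid, "action": "cwa"})
        return {"code": "Access-Accept",
                "cisco-av-pair": ["url-redirect-acl=REDIRECT-ACL", f"url-redirect={PORTAL}?{query}"]}

    def portal_login(self, redirect_url: str, username: str, password: str):
        """Guest portal: bind the login to the session named in the URL and issue a CoA."""
        query = parse_qs(urlparse(redirect_url).query)
        sid = query.get("sessionId", [None])[0]
        if sid not in self.sessions or query.get("action") != ["cwa"]:
            return None                     # unknown session: nothing to re-authorise
        if self.guest_accounts.get(username) != password:
            return None
        self.sessions[sid].update(identity=username, role="Guest")
        return {"code": "CoA-Request", "Audit-Session-Id": sid,
                "subscriber:command": "reauthenticate"}


class NetworkAccessDevice:
    """Switch/WLC side: mints session IDs, sends MAB, applies ISE's answer, honours CoA."""

    def __init__(self, ise: IsePolicyServer, nad_ip: str):
        self.ise, self.nad_ip, self.counter, self.ports = ise, nad_ip, 0, {}

    def new_session_id(self) -> str:
        self.counter += 1
        ip_hex = f"{int(ipaddress.IPv4Address(self.nad_ip)):08X}"
        return f"{ip_hex}{self.counter:08X}{0xB3C1CAFB:08X}"   # fixed 'timestamp' (constructed)

    def connect(self, mac: str):
        sid = self.new_session_id()
        reply = self.ise.access_request({"Audit-Session-Id": sid, "Service-Type": "Call-Check",
                                         "Calling-Station-Id": mac})
        self.ports[sid] = {"mac": mac, "authz": reply}
        return sid, reply

    def handle_coa(self, coa: dict) -> dict:
        sid = coa.get("Audit-Session-Id")
        if sid not in self.ports or coa.get("subscriber:command") != "reauthenticate":
            return {"code": "CoA-NAK"}      # a CoA may only touch a session this NAD owns
        reply = self.ise.access_request({"Audit-Session-Id": sid, "Service-Type": "Call-Check",
                                         "Calling-Station-Id": self.ports[sid]["mac"]})
        self.ports[sid]["authz"] = reply    # new authorisation replaces the redirect
        return {"code": "CoA-ACK", "authz": reply}


def redirect_url(reply: dict):
    """Extract the url-redirect AV pair from an Access-Accept, or None."""
    for av in reply.get("cisco-av-pair", []):
        if av.startswith("url-redirect="):
            return av.split("=", 1)[1]
    return None
```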
CoA from Live Sessions Log

Identity Services Engine Guest and Employee WebAuth Enhancements
ISE for Guest Access Management
Automate and Control the Entire Guest Lifecycle
• Hotspot, Self Service, & Sponsor: Complete control over Guest Policy, with custom portals, for un-credentialed Internet access and employee-sponsored credentialed access.
• Guests Tracking and Management: Track Guest access and activity across your network for security and compliance demands
• Free up IT Support time: Self-provisioning & automated onboarding reduce the IT resource burden
Cisco ISE Guest
All New Guest Admin Experience
• Setup a Guest experience in 5 minutes!
• Flow Visualiser: see what guests will experience
• Customisation Preview: See your customisation real time
All User Facing Pages Customisable
• Includes: Guest, Sponsor, My Devices Portals and receipts via print, email & SMS
• Robust WYSIWYG customisation with Themes
• Standards based CSS & HTML for Advanced Admins
Out-of-the-box Guest Flows
• Hotspot
• Self Service with SMS Notifications & Approvals
• Brand-able Sponsor Portal (Mobile and Desktop)
Guest REST API
• Create and manage guest accounts
• Search, filter and bulk operation support
(Screens shown: Guests, Branded Sponsor Portal, Receipts by Print, Email and SMS)
Branded Guest Receipts & Notifications
Guest Receipts with Your Brand: Whether you’re delivering guest credentials on the printed page, over email or SMS, ISE makes it easy to deliver your complete branded experience.
Email Notifications: Do you have Guests visiting? Send them login credentials before they even arrive! (Example receipt: “Your credentials: username: trex42, password: littlearms”)
SMS Notifications: Send credentials directly to a guest's mobile phone.
Sponsor Portal
Branding with Themes! Themes give you complete control over the look and feel of your sponsor Portal. Use our out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS.
Streamlined Guest Creation: Create Accounts, then deliver them by Print, Email or SMS. Set up your sponsor portal to show only the fields you need for your business.
Mobile Sponsors: You are free to move about the cabin! Create and manage guest accounts from your mobile phone or tablet.
Basic Supported Guest Flows

1. Hotspot
2. Self Service
3. Self Service Sponsor Approved
4. Sponsored

Hotspot
Guest Flow #1
1. The Acceptable Use Policy is shown (“I promise to be good.”) and the guest clicks I Agree.
2. The device MAC (44:6D:77:B4:FD:01) is remembered; access lasts until Day Ends.
3. The returning device (44:6D:77:B4:FD:01) is recognised next time.
Goal: Get them on the Internet with AUP acceptance no matter who they are and remember who they are next time so you don’t get in their way.
Secret Code Controls Access to Guest Wi-Fi
• Registration code: require the user to enter a code before completing a self service registration.
• Access code: require the user to enter a code before accessing a hotspot or logging in using guest credentials.
Self Service with Email Verification
Guest Flow #2
Fill In A Simple Form → Check Your Email (credentials, e.g. hansolo / nerfherder) → Connect to Wi-Fi

Self Service with SMS
Guest Flow #2
Same flow with the credentials delivered by SMS; the email and SMS verification steps are optional.
Goal: Get them on the Internet as long as you have a 3rd party identifier that proves who the user is.
Self Registration with Sponsored Approval
Guest Flow #3
1. The visitor self-registers (Visiting email?).
2. ISE sends email requesting approval.
3. The sponsor logs into the Sponsor Portal and Approves or rejects.
4. Approved! Credentials are sent (username: trex42, password: littlearms).

Approving Self Registration Requests
Sponsor view on Desktop and on Mobile.
Sponsored Flow
Guest Flow #4
Guest: “Hi! Can I get on your Wi-Fi?” Sponsor: “Sure. I just need a little information.” The sponsor prints, emails & SMSes the credentials. Guest: “Cool!”
Pre-Expiration Notification
“You are about to expire! Go here.” http://bit.ly/reup (Desktop and Mobile)
Posture
Are My Endpoints Compliant?
Posture Assessment
Does the Device Meet Security Requirements?
• Posture = The state-of-compliance with the company’s security policy.
– Microsoft Updates: Service Packs, Hotfixes, OS/Browser versions
– Antivirus: Installation/Signatures
– Antispyware: Installation/Signatures
– File data, Services, Applications / Processes, Registry Keys
• Extends the user / system Identity to include Posture Status.
ISE Posture Assessment
1. Authenticate: AuthC User, AuthC Endpoint.
2. Posture Assess: OS Hotfix, AV / AS, Personal FW, Etc…
3. Posture = Unknown/Non-compliant → Quarantine (dVLAN, dACLs, SGT) and Remediate (WSUS, Launch App, Scripts, More…).
4. Posture = Compliant → Authorise: Permit Access (dACL, dVLAN, SGT, Etc…).
ISE – Posture Policies
Employee Policy:
• Microsoft patches updated
• Trend Micro AV installed, running, and current
• Corp asset checks
• Enterprise application running
Contractor Policy:
• Any AV installed, running, and current
Guest Policy: Accept AUP (No posture - Internet Only)
Applies across Wired, VPN and Wireless, for Employees and for Contractors/Guests.
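The three role policies above are easiest to reason about as code, so here is an added Python example (not ISE's posture engine) that evaluates a constructed posture report against the Employee, Contractor and Guest policies from the slide and returns the posture status together with the authorisation the ISE Posture Assessment slide pairs with it (quarantine for Non-Compliant, permit for Compliant, redirect for Unknown). The report field names, the seven-day definition of "current" signatures, the fixed date and the ACL names are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2015, 3, 17)               # fixed so the example is deterministic (constructed)
MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed definition of "current"


@dataclass
class PostureReport:
    """What a posture agent might report; field names are this example's, not the agent's."""
    role: str
    assessed: bool = True          # False = agent never ran, status stays Unknown
    ms_patches_current: bool = False
    av_product: str = ""
    av_running: bool = False
    av_signature_date: Optional[date] = None
    corp_asset: bool = False
    enterprise_app_running: bool = False
    aup_accepted: bool = False


def av_current(r: PostureReport) -> bool:
    return r.av_signature_date is not None and TODAY - r.av_signature_date <= MAX_SIGNATURE_AGE


def employee_policy(r: PostureReport) -> dict:
    return {
        "microsoft_patches": r.ms_patches_current,
        "trend_micro_av": r.av_product == "Trend Micro" and r.av_running and av_current(r),
        "corp_asset": r.corp_asset,
        "enterprise_app": r.enterprise_app_running,
    }


def contractor_policy(r: PostureReport) -> dict:
    return {"any_av": bool(r.av_product) and r.av_running and av_current(r)}


def guest_policy(r: PostureReport) -> dict:
    return {"aup": r.aup_accepted}      # no posture checks, Internet only


POLICIES = {"Employee": employee_policy, "Contractor": contractor_policy, "Guest": guest_policy}


def assess(r: PostureReport) -> tuple:
    """Return (posture_status, failed_checks, authorisation) for one endpoint."""
    if not r.assessed:
        return ("Unknown", [], "Redirect-To-Posture-Portal")
    policy = POLICIES.get(r.role)
    if policy is None:
        return ("Non-Compliant", ["no_policy_for_role"], "Quarantine-dACL")
    failed = sorted(check for check, ok in policy(r).items() if not ok)
    if failed:
        return ("Non-Compliant", failed, "Quarantine-dACL")
    return ("Compliant", [], "Internet-Only-ACL" if r.role == "Guest" else "Permit-Access")


# Constructed sample reports
REPORTS = {
    "employee_ok": PostureReport("Employee", ms_patches_current=True, av_product="Trend Micro",
                                 av_running=True, av_signature_date=date(2015, 3, 16),
                                 corp_asset=True, enterprise_app_running=True),
    "employee_stale_av": PostureReport("Employee", ms_patches_current=True, av_product="Trend Micro",
                                       av_running=True, av_signature_date=date(2015, 2, 1),
                                       corp_asset=True, enterprise_app_running=True),
    "contractor_ok": PostureReport("Contractor", av_product="Sophos", av_running=True,
                                   av_signature_date=date(2015, 3, 15)),
    "guest": PostureReport("Guest", aup_accepted=True),
    "no_agent": PostureReport("Employee", assessed=False),
}

if __name__ == "__main__":
    for name, report in REPORTS.items():
        print(f"{name:18s} -> {assess(report)}")
```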
Posture Flow
• If Posture Status = Unknown/Non-Compliant, then Redirect to ISE for Posture Assessment
• If Posture Agent not deployed, then provision Web Agent or Persistent NAC Agent
https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=cpp
1. Connect to Network → Authentication → Auth Success, group=Employee.
2. Posture Status != Compliant → Redirect browser to ISE for Client Provisioning and/or Posture Assessment for the Employee role; the Posture Agent runs the assessment.
Posture Remediation and Client Resources
• CoA allows re-authentication to be processed based on new endpoint identity context (posture status).
• Hourly updates for latest posture definitions
• New posture agents and modules automatically downloaded (from Cisco.com)
Remediation Servers: Microsoft.com / Windows Updates and internal remediation servers.
1. The Posture Agent remediates; Posture Compliant = Full Access.
2. The ISE Policy Server sends CoA; Posture Status = Compliant → Remove Redirection and apply access permissions for compliant endpoints.
Where the ASA VPN headend offers no CoA, the Inline Posture Node provides CoA and URL Redirection w/Session ID.
ASA/ISE Integration Feature Overview
• Support VPN posture specifically between the ASA & ISE deployments
• Remove the requirements for IPN (Inline Posture Node) in ASA/VPN/ISE deployments.
• IPN is a device that would sit behind the ASA and enforce ISE policy
Non-Compliant VPN endpoint (Posture Agent): Limited Access, remediation via the AV Server and Cisco.com. Compliant: Full Access to Intranet and Database. The ISE Policy Server sends the CoA directly to the ASA.
ASA 9.2.1, ISE 1.2 Patch 5, AnyConnect 3.1 mr6

ASA Posture Assessment Flow
1. VPN Initiated From AnyConnect to ASA.
2. ASA → ISE: Radius Authentication.
3. AuthC OK - Posture Unknown.
4. ISE → ASA: Access-Accept: dACL & URL-Redirection.
5. ASA → ISE: Accounting Start (Client Identity Information).
6. VPN User has Limited Access; Posture Assessment runs between the user and ISE.
7. Posture Compliant.
8. ISE → ASA: CoA – Policy Push (new dACL).
9. Full Network Access to the Enterprise Network.
BYOD
Extending Network Access to Personal Devices
BYOD
Onboarding Personal Devices
Registration, Certificate and Supplicant Provisioning
• Provisions device Certificates.
– Based on Employee-ID & Device-ID.
• Provisions Native Supplicants:
– Windows: XP, Vista, 7 & 8
– Mac: OS X 10.6, 10.7, 10.8, 10.9 & 10.10
– iOS: 4, 5, 6, 7 & 8
– Android – 2.2 and above
– 802.1X + EAP-TLS, PEAP & EAP-FAST
• Employee Self-Service Portal (MyDevices Portal)
– Lost Devices are Blacklisted
– Self-Service Model reduces IT burden
• Single and Dual SSID onboarding.
Walk Through BYOD Onboarding
• Out of the box flow walks users through onboarding.
• Fully customisable user experience with Themes.
• My Devices gives end users control to add and manage their devices.
• Mobile and desktop ready out of the box.
Java-Less Provisioning
• Downloads as DMG
• Double-Click to Run App
Certificate Renewals (1.2.1)
Before Expiry: iOS, Android, Windows, MAC-OSX
After Expiry: iOS, Android; Windows: Supplicant will not use an expired cert; MAC-OSX: Not tested yet
Allowing Expired Certificates (1.2.1)
Option to allow expired certs for:
• Pure EAP-TLS
• EAP-TLS as an Inner Method

Redirect Expired Certs (1.2.1)
Separate handling for Windows and for Everything Else.

Certificate Renewal: Optional Message (1.2.1)
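The renewal slides describe a small decision tree: warn before expiry, and on expiry either redirect the client to renew (when expired certificates are allowed and the method is EAP-TLS, pure or as an inner method) or reject. The following Python is an added example, not ISE code, that encodes those rules for one authentication and, for the pre-expiration notification, lists the certificates in a constructed inventory that fall due within the window. The 30-day window, the fixed clock, the method names and the portal URL are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RENEWAL_PORTAL = "https://ise.example.com:8443/certprovportal"   # constructed URL
NOW = datetime(2015, 3, 17, 9, 0)                              # fixed clock for the example
RENEWAL_WINDOW = timedelta(days=30)                            # assumed notification window
TLS_METHODS = {"EAP-TLS", "PEAP(EAP-TLS)", "EAP-FAST(EAP-TLS)"} # pure EAP-TLS or as inner method


@dataclass
class ClientCert:
    subject: str
    not_before: datetime
    not_after: datetime


def evaluate(cert: ClientCert, eap_method: str, allow_expired: bool, now: datetime = NOW) -> dict:
    """Decide permit / permit-and-notify / redirect-to-renewal / reject for one authentication."""
    if now < cert.not_before:
        return {"action": "reject", "reason": "certificate not yet valid"}
    if now > cert.not_after:
        if allow_expired and eap_method in TLS_METHODS:
            # 'Allow expired certificates' is on: the session gets the renewal portal only
            return {"action": "redirect", "url": RENEWAL_PORTAL, "reason": "expired, renewal allowed"}
        return {"action": "reject", "reason": "certificate expired"}
    days_left = (cert.not_after - now).days
    return {"action": "permit", "notify": days_left <= RENEWAL_WINDOW.days, "days_left": days_left}


def expiring_soon(certs, now: datetime = NOW) -> list:
    """Batch job behind a pre-expiration notification: subjects to warn, soonest first."""
    due = [(c.not_after, c.subject) for c in certs if now <= c.not_after <= now + RENEWAL_WINDOW]
    return [subject for _, subject in sorted(due)]


# Constructed inventory of BYOD device certificates
CERTS = [
    ClientCert("kathy-ipad", datetime(2014, 4, 1), datetime(2015, 4, 1)),    # expires in 2 weeks
    ClientCert("jdoe-laptop", datetime(2014, 1, 1), datetime(2015, 1, 1)),   # already expired
    ClientCert("new-phone", datetime(2015, 3, 18), datetime(2016, 3, 18)),   # not yet valid
    ClientCert("kathy-mbp", datetime(2014, 9, 1), datetime(2015, 9, 1)),     # healthy
]

if __name__ == "__main__":
    for cert in CERTS:
        print(cert.subject, evaluate(cert, "EAP-TLS", allow_expired=True))
    print("notify:", expiring_soon(CERTS))
```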
Single Versus Dual SSID Provisioning
• Single SSID
– Start with 802.1X on one SSID using PEAP: SSID = BYOD-Closed (802.1X)
– End on same SSID with 802.1X using EAP-TLS
– WLAN Profile: SSID = BYOD-Closed, EAP-TLS, Certificate=MyCert
• Dual SSID
– Start with CWA on one SSID: SSID = BYOD-Open (MAB / CWA)
– End on different SSID with 802.1X using PEAP or EAP-TLS: SSID = BYOD-Closed (802.1X)
– WLAN Profile: SSID = BYOD-Closed, PEAP or EAP-TLS, (Certificate=MyCert)
Client Provisioning Policy
Rule columns: OS, User, Supplicant, Posture

BYOD Policy in ISE
Rule columns: Device, User, AuthC Method, Result
ISE BYOD Certificate Configuration
SCEP Enrollment Profile and CA Certificate Import
Administration > System > Certificates > SCEP CA Profiles
The SCEP server certificate and the CA and registration authority (RA) certificates of the certificate chain for the SCEP server are automatically retrieved into the Cisco® ISE trust store.
Administration > System > Certificates > Certificate Store
ISE 1.3: Internal Certificate Authority
Simplifying certificate management for BYOD devices
• Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure. The ISE Certificate Authority is designed to work in concert with your existing PKI to simplify BYOD deployments.
• Single Management Console – Manage endpoints and their certs. Delete an endpoint and ISE deletes the cert.
• Simplified deployment – Supports stand-alone and subordinate deployments. Removes corporate PKI team from every BYOD interaction.

[Figure: Enterprise CA (optional) with the Cisco ISE CA as its Subordinate]

*Designed for BYOD and MDM use-cases only, not a general purpose CA
PKI Hierarchy and Roles
• Primary PAN is Root CA for ISE deployment
• All PSNs are Subordinate CAs to PAN; PSNs are SCEP Registration Authorities (RAs)
• ISE PAN may be Subordinate to an existing Root CA or may be Standalone Root
• Promotion of Standby PAN:
  – Will not have any effect on operation of the subordinate CAs
  – For Standby to become Root CA, must manually install the Private/Public keys from Primary PAN

[Figure: Enterprise Root (optional) above the Primary PAN (ISE CA) and Standby PAN; each PSN is a Subordinate CA and SCEP RA]
Native Supplicant Profile

Certificate Template(s)
• Define Internal or External CA
• Set the Key Sizes
• SAN Field Options
  – UUID
  – DNS Name
  – MAC Address
  – Serial #
  (No Free-Form Input)
• Set length of validity
Revoke Certificates from ISE
ISE is OCSP Responder for cert validation – no CRL Lists!

• Automatically Revoked when an Endpoint is marked as “Lost”
• Certificates may be Manually Revoked
Mobile Device Management (MDM)
Extending “Posture” Assessment and Remediation to Mobile Devices
ISE Integration with 3rd-Party MDM Vendors
• MDM device registration via ISE
  – Non registered clients redirected to MDM registration page
• Restricted access
  – Non compliant clients will be given restricted access based on policy
• Endpoint MDM agent
  – Compliance
  – Device applications check
• Device action from ISE
  – Device stolen -> wipe data on client

[Figure: supported MDM vendor logos (MCMS; versions 5.0, 6.2, 7.1, 2.3)]
Configure ISE Authorisation Policy
Path: Policy > Authorisation (MDM Attributes)
• MDM Server reachability
• Endpoint registration status
• Endpoint macro-level compliance status
• Endpoint micro-level compliance status (Disk Encryption, Pinlock, and Jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
Sample Authorisation Policy
Combining BYOD + MDM

• If Employee but not registered with ISE (Endpoints:BYODRegistration EQUALS No), then start NSP flow
• If Employee and registered with ISE (Endpoints:BYODRegistration EQUALS Yes), then start MDM flow
MDM Enrollment and Compliance
User Experience Upon MDM URL Redirect

MDM Enrollment: MDM:DeviceRegistrationStatus EQUALS UnRegistered
MDM Compliance: MDM:DeviceCompliantStatus EQUALS NonCompliant
MDM Flow
• If MDM Registration Status EQUALS UnRegistered, then Redirect to MDM for Enrollment
• If MDM Compliance Status EQUALS NonCompliant, then Redirect to MDM for Compliance

Redirect URL: https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=mdm

[Figure: the endpoint connects to WLAN=Corp (or VPN) and authenticates against the ISE Policy Server; ISE checks the Cloud MDM over the MDM API; while MDM Compliance Status != Compliant the browser is redirected to the ISE landing page for MDM enrollment or compliance status, with the MDM agent coming from Google Play/AppStore]
MDM Remediation
• CoA allows re-authentication to be processed based on new endpoint identity context (MDM enrollment/compliance status).
• MDM Agents downloaded directly from MDM Server or Internet App Stores
• Periodic recheck via API; CoA if not compliant

[Figure: the ISE Policy Server sends CoA to the ASA (VPN) and the endpoint re-authenticates after it complies; once MDM Status = Compliant, ISE removes the redirection and applies access permissions for compliant endpoints (Compliant = Full Access)]
MDM Integration
Remediation
• Administrator / user can issue remote actions
on the device through MDM server (Example:
remote wiping the device)
– My Devices Portal
– ISE Endpoints Directory

Options
• Edit
• Reinstate
• Lost?
• Delete
• Full Wipe
• Corporate Wipe
• PIN Lock
Reporting
Mobile Device Management Report
APIs and pxGrid
Sharing Context Throughout the Network
Single-Purpose APIs are Great for One Purpose
…Integrating One System to One Other System

TRADITIONAL APIs – One Integration at a Time
• Single-purpose function = need for many APIs/dev (and lots of testing)
• Not configurable = too much/little info for the solution
• Pre-defined data exchange = wait until next release if you need a change
• Polling architecture = can’t scale beyond 1 or 2 system integrations
• Security can be “loose”

[Figure: systems such as SIO each advertising what they have (“I have reputation info!”, “I have application info!”, “I have NBAR info!”, “I have sec events!”, “I have NetFlow!”, “I have location!”, “I have threat data!”, “I have MDM info!”, “I have firewall logs!”, “I have app inventory info!”, “I have identity & device-type!”) and what they need (“I need threat data…”, “I need location & auth-group…”, “I need reputation…”, “I need identity…”, “I need entitlement…”, “I need location…”, “I need posture…”, “I need app inventory & vulnerability…”); they need to interface and share data, but proprietary one-to-one APIs bring scale issues]
Cisco Platform Exchange Grid – pxGrid
Enabling the Potential of Network-Wide Context Sharing

INFRASTRUCTURE FOR A ROBUST ECOSYSTEM
• Single framework – develop once, instead of multiple APIs
• Customise and secure what context gets shared and with which platforms
• Bi-directional – share and consume context
• Enables any pxGrid partner to share with any other pxGrid partner
• Integrating with Cisco ONE SDN for broad network control functions

[Figure: SIO and partner platforms joined through pxGrid Context Sharing; Direct, Secured Interfaces; Single, Scalable Framework]
The Next Wave of Cisco pxGrid Partnerships
Sharing Context with an Even Broader Ecosystem

Faster Remediation of Threats with SIEM

Extension of Access Policy & Compliance with MDM

Context-driven OT Policy and Segmentation for IoT

Endpoint Vulnerability Remediation

Simplified Network Troubleshooting and Forensics

SSO Secure Access to Sensitive Data on Mobile Devices

pxGrid Components

[Figure: pxGrid Publishers (IPS, Threat Defense, ASA-CX, WWW, Cisco WSA, IPAM) and pxGrid Subscribers connected through the pxGrid Controller]
pxGrid Architecture
In 1.0 of pxGrid:
• ISE is the only Publisher
• Session Directory is only Topic
• Future versions will allow Pub & Sub

[Figure: ISE publishes to the Grid; SF-IPS, WSA, StealthWatch, IDS, Firewalls, Threat Defence, etc. subscribe; both publisher and subscribers use Certificate Based Auth]
SIEM/Threat Defence Integration
Use Case: Identity and device aware threat management
Increase confidence around event severity levels in SIEMs and TD consoles; make events actionable in the network. SIEM/TD share “worst offenders” with ISE for user/device policy decisions.

[Figure: Cisco ISE shares context (USER : DEVICE TYPE : CONN STATUS) with the SIEM/TD Platform; SIEM/TD policy: detect sensitive data access on mobile devices (Data: “Sensitive Data”, Type: “Mobile Device”) and quarantine such users; ISE Quarantines/Remediates User/Traffic]
IP Address & DNS Management
User, Group and Device Based Monitoring & Reporting

Use Case: Simplify IPAM and DNS reporting

Supplement IP and MAC address-based DHCP and DNS monitoring and reporting with “who, what and where”. This reduces manual reporting or in-house development by IT orgs.

[Figure: the IPAM & DNS User & Device Control platform is a pxGrid Client subscribing to the Session Topic (USER : DEVICE TYPE : GROUP) on the pxGrid Enabled Cisco PAN/PSN; Reports: Who is accessing XYZ domain? What devices and OS’s are on the network?]
TrustSec Introduction
TrustSec Introduction
Policy and Segmentation
Design needs to be replicated to multiple locations, buildings, floors

[Figure: Aggregation Layer and Access Layer with VLANs for Quarantine, Voice, Data, Suppliers and Guest; each VLAN carries its own ACL, Addressing, DHCP Scope, Redundancy, Routing and Static Filtering; simple segmentation with 2 VLANs versus more policies using more VLANs]
Software-Defined Segmentation with Cisco TrustSec/ SGT

• Simplicity: consistent policy enforcement on all networks
• Agility: reduce attack surface, keep pace with business
• Ready: secure, comply today
How TrustSec/ SGT is Used Today

User to DC Access Control
• Network & Role Segmentation
• BYOD Security
• Application Protection
• Secure Contractor Access
• PCI & PHI Compliance

Campus & DC Segmentation
• Server Segmentation
• Firewall Rule Reduction
• Fast Server Provisioning
• Threat Defence
• Machine-Machine Control
Segmentation with Security Group
Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
Retaining initial VLAN/Subnet Design

[Figure: Access Layer VLANs (Voice, Data, Suppliers, Guest, Quarantine) carry the Data, Supplier, Guest and Quarantine Tags through the Aggregation Layer to the Data Center Firewall; destinations are the Production Servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) and DC-RTP (VDI)]
Improving Security
Strategies to Mitigate Targeted Cyber Intrusions (TCI)

http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
TrustSec Authorisation and Enforcement

VLANs (e.g. VLAN 3 Employees, VLAN 4 Guest/Contractor, Remediation VLAN)
• Does not require switch port ACL management
• Preferred choice for path isolation
• Requires VLAN proliferation and IP refresh

dACL or Named ACL (e.g. Employee: IP Any)
• Less disruptive to endpoint (no IP address change required)
• Improved user experience
• Increased ACL management

Security Group Access – SXP, SGT, SGACL, SGFW
• Simplifies ACL management
• Uniformly enforces policy independent of topology
• Fine-grained access control
Enforcing Policy Downstream
Classify, Mark, Propagate, Enforce

Context Telemetry (from Cisco ISE):
• Manager
• Windows PC
• Compliant

Mark:
• IP Precedence and DiffServ code points
• 802.1Q User Priority
• MPLS VPN
• TrustSec

[Figure: Classify & Mark at the access, Propagation across the network, Enforcement at the Firewall in front of the Timecard application server and the Credit Card transaction server]
Classification
How a SGT is Assigned

• End User, Endpoint is classified with SGT
• BYOD device is classified with SGT
• VLAN is mapped to SGT
• SVI interface is mapped to SGT
• Physical Server is mapped to SGT
• Virtual Machine is mapped to SGT

[Figure: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, DC Dist. and DC Access, with WLC, FW and Hypervisor SW; SRC: 10.1.100.98]
Classification
Classification Summary

Dynamic Classification (Common Classification for Mobile Devices), resulting in an SGT:
• 802.1X
• RAS VPN Authentication
• Web Authentication
• MAC Auth Bypass

Static Classification (Common Classification for Servers, Topology-based policy, etc.):
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
• Prefix learning
Classification
Static Classification

IOS CLI Example

IP to SGT mapping:
  cts role-based sgt-map A.B.C.D sgt SGT_Value
VLAN to SGT mapping:
  cts role-based sgt-map vlan-list VLAN sgt SGT_Value
Subnet to SGT mapping:
  cts role-based sgt-map A.B.C.D/nn sgt SGT_Value
L2IF to SGT mapping:
  (config-if-cts-manual)#policy static sgt SGT_Value
L3IF to SGT mapping:
  cts role-based sgt-map interface name sgt SGT_Value
L3 ID to Port Mapping:
  (config-if-cts-manual)#policy dynamic identity name
Classification
SGT to Port Profile

Nexus 1000v version 2.1
Classification
Dynamic Classification Process in Detail

Supplicant (MAC 00:00:00:AB:CD:EF), Switch / WLC, ISE
Layer 2: EAPoL Transaction; Layer 3: RADIUS Transaction (EAP Transaction)

1. Authentication: the supplicant is Authenticated, ISE runs Policy Evaluation and returns Authorisation SGT = 5
   cisco-av-pair=cts:security-group-tag=0005-01
   Authorised MAC: 00:00:00:AB:CD:EF
2. DHCP: DHCP Lease 10.1.10.100/24, ARP Probe
3. IP Device Tracking Binding: 00:00:00:AB:CD:EF = 10.1.10.100/24
   SRC: 10.1.10.1 = SGT 5

Make sure that IP Device Tracking is TURNED ON

3560X#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address      Security Group    Source
=============================================
10.1.10.1       3:SGA_Device      INTERNAL
10.1.10.100     5:Employee        LOCAL
A Systems Approach
• Switch/Controller is the Enforcement Point
Propagation
How is the SGT Classification Shared?

• Inline Tagging (data plane): If Device supports SGT in its ASIC, the SGT is carried in the CMD Field of the L2 Ethernet Frame (Optionally Encrypted)
• SXP (control plane): Shared between devices that do not have SGT-capable hardware, as IP Address to SGT bindings (e.g. 10.1.100.98, SGT 50, SRC Local in the SXP IP-SGT Binding Table)

[Figure: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, EOR and DC Access with WLC, FW and Hypervisor SW; ASIC-capable hops forward SRC: 10.1.100.98 with CMD, other hops forward it with No CMD and learn the binding over SXP]
Propagation
Inline Tagging

• SGT embedded within Cisco Meta Data (CMD) in Layer 2 frame
• Capable switches understand and process SGT at line-rate
• Optional MACsec protection
• No impact to QoS, IP MTU/Fragmentation
• L2 Frame Impact: ~40 bytes
• Recommend L2 MTU ~1600 bytes

Ethernet Frame: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC

Cisco Meta Data (CMD): CMD EtherType (ETHTYPE:0x8909) | Version | Length | SGT Option Type | SGT Value (16 bit, 64K name space) | Other CMD Option

MACsec Frame: Destination MAC | Source MAC | 802.1AE Header (ETHTYPE:0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE Header | CRC, with AES-GCM 128bit Encryption
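An added example (not code from the deck) that builds and parses a frame carrying the CMD header described above. The EtherTypes 0x8100 and 0x8909 are real; the CMD field widths, the version value 1 and the SGT option type code 1 are assumptions, as is counting the MACsec header and ICV as 32 bytes.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag
ETH_P_CMD = 0x8909     # Cisco Meta Data EtherType, as on the slide
ETH_P_IPV4 = 0x0800
CMD_VERSION = 1        # assumed value of the Version field
CMD_OPT_SGT = 0x0001   # assumed option type code for the SGT option
CMD_LEN = 8            # EtherType(2) + Version(1) + Length(1) + Option Type(2) + SGT(2); assumed widths


@dataclass
class Frame:
    dst_mac: bytes
    src_mac: bytes
    vlan: Optional[int]      # 802.1Q VLAN ID, None if untagged
    sgt: Optional[int]       # Security Group Tag, None if no CMD header present
    ethertype: int           # EtherType of the payload that follows
    payload: bytes


def build_frame(f: Frame) -> bytes:
    """Serialise DST MAC | SRC MAC | [802.1Q] | [CMD] | ETHTYPE | PAYLOAD (CRC omitted)."""
    if f.sgt is not None and not 0 <= f.sgt <= 0xFFFF:
        raise ValueError("SGT must fit the 16-bit name space")
    out = f.dst_mac + f.src_mac
    if f.vlan is not None:
        out += struct.pack("!HH", ETH_P_8021Q, f.vlan & 0x0FFF)
    if f.sgt is not None:
        # Assumed CMD body: Version, Length (1 = one option), SGT Option Type, SGT Value
        out += struct.pack("!HBBHH", ETH_P_CMD, CMD_VERSION, 1, CMD_OPT_SGT, f.sgt)
    return out + struct.pack("!H", f.ethertype) + f.payload


def parse_frame(raw: bytes) -> Frame:
    """Follow the EtherType chain; a frame without a CMD header yields sgt=None."""
    dst, src, pos = raw[0:6], raw[6:12], 12
    vlan = sgt = None
    (etype,) = struct.unpack_from("!H", raw, pos)
    pos += 2
    if etype == ETH_P_8021Q:
        (tci,) = struct.unpack_from("!H", raw, pos)
        vlan = tci & 0x0FFF
        (etype,) = struct.unpack_from("!H", raw, pos + 2)
        pos += 4
    if etype == ETH_P_CMD:
        ver, _length, opt, sgt = struct.unpack_from("!BBHH", raw, pos)
        if ver != CMD_VERSION or opt != CMD_OPT_SGT:
            raise ValueError("unsupported CMD version or option type")
        (etype,) = struct.unpack_from("!H", raw, pos + 6)
        pos += 8
    return Frame(dst, src, vlan, sgt, etype, raw[pos:])


def l2_frame_impact(vlan: bool = False, macsec: bool = True) -> int:
    """Extra bytes versus an untagged frame: CMD (8), optional 802.1Q (4) and the
    802.1AE header plus ICV (32, assumed); CMD + MACsec gives the slide's ~40 bytes."""
    return CMD_LEN + (4 if vlan else 0) + (32 if macsec else 0)
```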
Propagation
SXP Flow

Speaker CTS6K (10.1.3.2, holding the binding 10.1.10.100 = SGT6) to Listener CTS7K (10.1.3.1); policy comes from Cisco ISE

TCP SYN:        IP Src: 10.1.3.2 Dst: 10.1.3.1, TCP Src Port: 16277 Dst Port: 64999, Flags: 0x02 (SYN)
TCP SYN-ACK:    IP Src: 10.1.3.1 Dst: 10.1.3.2, TCP Src Port: 64999 Dst Port: 16277, Flags: 0x12 (SYN, ACK)
TCP ACK:        IP Src: 10.1.3.2 Dst: 10.1.3.1, TCP Src Port: 16277 Dst Port: 64999, Flags: 0x10 (ACK)

SXP OPEN:       IP Src: 10.1.3.2 Dst: 10.1.3.1, TCP Src Port: 16277 Dst Port: 64999, Flags: 0x10 (ACK)
                SXP Type: Open, Version: 1, Device ID: CTS6K
SXP OPEN_RESP:  IP Src: 10.1.3.1 Dst: 10.1.3.2, TCP Src Port: 64999 Dst Port: 16277, Flags: 0x18 (PSH, ACK)
                SXP Type: Open_Resp, Version: 1, Device ID: CTS7K
SXP UPDATE:     IP Src: 10.1.3.2 Dst: 10.1.3.1, TCP Src Port: 16277 Dst Port: 64999, Flags: 0x10 (ACK)
                SXP Type: Update, Update Type: Install, IP Address: 10.1.10.100 SGT: 6
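An added example, not Cisco code, that models the listener side of the exchange above and the IP-SGT binding table it feeds (the same table the static `cts role-based sgt-map` mappings and `show cts role-based sgt-map` output describe). The SXP wire encoding is not modelled; messages are dicts carrying the fields the slide shows. Device IDs, addresses and SGT 6 come from the slide; the source labels, the listener's own SGT 3 binding and the "no UPDATE before OPEN" state check are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

SXP_VERSION = 1
SXP_PORT = 64999            # listener port seen on the slide
Binding = Tuple[int, str]   # (sgt, source: INTERNAL / LOCAL / CLI / SXP)


class SgtBindingTable:
    """Longest-prefix-match table: a /32 host binding wins over a subnet binding."""

    def __init__(self) -> None:
        self._entries: Dict[ipaddress.IPv4Network, Binding] = {}

    def add(self, prefix: str, sgt: int, source: str) -> None:
        # Equivalent of 'cts role-based sgt-map A.B.C.D sgt N' or 'A.B.C.D/nn sgt N'
        self._entries[ipaddress.ip_network(prefix, strict=False)] = (sgt, source)

    def delete(self, prefix: str) -> bool:
        return self._entries.pop(ipaddress.ip_network(prefix, strict=False), None) is not None

    def lookup(self, ip: str) -> Optional[Binding]:
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[ipaddress.IPv4Network, Binding]] = None
        for net, binding in self._entries.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, binding)
        return best[1] if best else None

    def rows(self) -> List[Tuple[str, int, str]]:
        """(prefix, sgt, source) rows, sorted by prefix string."""
        return sorted((str(n), s, src) for n, (s, src) in self._entries.items())


class SxpListener:
    """Listener side of an SXP session; bindings are accepted only after OPEN has
    been answered with OPEN_RESP (assumed behaviour for this model)."""

    def __init__(self, device_id: str, table: SgtBindingTable) -> None:
        self.device_id, self.table = device_id, table
        self.peer: Optional[str] = None

    def receive(self, msg: dict) -> Optional[dict]:
        kind = msg["type"]
        if kind == "Open":
            if msg["version"] != SXP_VERSION:
                raise ValueError("SXP version mismatch")
            self.peer = msg["device_id"]
            return {"type": "Open_Resp", "version": SXP_VERSION, "device_id": self.device_id}
        if self.peer is None:
            raise RuntimeError("UPDATE received before OPEN")
        if kind == "Update":
            if msg["update_type"] == "Install":
                self.table.add(msg["ip"], msg["sgt"], "SXP")
            elif msg["update_type"] == "Delete":
                self.table.delete(msg["ip"])
            else:
                raise ValueError("unknown update type")
            return None
        raise ValueError(f"unexpected SXP message type {kind}")


def run_slide_exchange() -> SgtBindingTable:
    """Replay the slide: CTS6K (speaker) sends OPEN and an Install for 10.1.10.100 / SGT 6
    to CTS7K (listener), whose table already holds its own INTERNAL binding."""
    table = SgtBindingTable()
    table.add("10.1.3.1", 3, "INTERNAL")   # listener's own address; SGT 3 is assumed
    listener = SxpListener("CTS7K", table)
    resp = listener.receive({"type": "Open", "version": SXP_VERSION, "device_id": "CTS6K"})
    if resp is None or resp["type"] != "Open_Resp" or resp["device_id"] != "CTS7K":
        raise RuntimeError("OPEN was not answered with OPEN_RESP from CTS7K")
    listener.receive({"type": "Update", "update_type": "Install", "ip": "10.1.10.100", "sgt": 6})
    return table
```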
Enforcement
How is Policy Enforced with SGACL

• End user authenticated; Classified as Employee (5)
• Destination Classification: Web_Dir: SGT 20, CRM: SGT 30
• FIB Lookup: Destination MAC/Port resolves to SGT 20

[Figure: traffic SRC: 10.1.10.220 SGT: 5 from the WLC5508 / Cat3750X crosses Cat6500, the Enterprise Backbone, Nexus 7000, Nexus 5500 and Nexus 2248 to Web_Dir (DST: 10.1.100.52, SGT: 20) or CRM (DST: 10.1.200.100, SGT: 30); policy comes from ISE; ASA5585 sits at the DC edge]

SGACL matrix (SRC\DST):
                Web_Dir (20)   CRM (30)
Employee (5)    SGACL-A        SGACL-B
BYOD (7)        Deny           Deny
SGACL Policy on ISE for Switches
Enforcement
Security Group Based Access Control for Firewalls

Security Group Firewall (SGFW): Source Tags, Destination Tags
Review: SGFW Flow
What was missing in SGFW? Classification, Propagation, Enforcement

Firewall Rules (protecting the Business Data App / Storage):
  Source (IP, SGT)     Destination (IP, SGT)   Service   Action
  Any   Employee       Any   Biz Server        HTTPS     Allow
  Any   Suspicious     Any   Biz Server        Any       Deny

[Figure: Corp Asset endpoints reach the Corp Network via Switch Access or VPN Remote Access; the Policy Server maps Device Type: Apple Mac, User: Susan, AD Group: Employee, Asset Registration: Yes to SGT: Employee; the Firewall enforces the rules]
Visibility and Control for Remote Access
Simplified Remote Access

• Filtering based on SGT (Tag), not based on pooled IP addresses, allows simplified cross connect of access policy for multiple RAS VPN points
• Firewall Policy maintenance (add, edit, delete) is streamlined for service change

[Figure: Vendor A, Device Type B and Contractor C connect over Internet VPN to the ASA RAS; the Enterprise Network carries Tags A, B and C to the Data Centre Firewall (with ISE) in front of Production, Apps and Development]
Use Case: DC Access Control

• Reduced OPEX: Admin reduction 24 -> 6
• Reduced “ACE” Entries: Reduction 60 - 90%
• Topology Independent: Rules with no IP addresses
• Contextual Access: User+Device, User+Device+Access_type

Traditional Firewall Rules
  Policy Source (Object - S)                                 Policy Dest. (Object - D)    Svc   Act.
  Finance People: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24     Fin Web Server 172.1.1.1     Web   Permit
  Engr: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24               Devlp Server 172.1.1.2       Web   Permit

SGA Firewall Rules
  SGT - User          SGT - Service     Svc   Act.
  Finance-Corp-PC     Fin Web Server    Web   Permit
  Finance-IPAD        Fin Web Server    Web   Deny
  Engr-All-Devices    Devlp Server      Web   Permit
Use Case: Peer-to-Peer Malware Control

Mark and Enforcement by Cisco ISE

Assets (Source \ Destination):
             Sales              Developer          Guests             Internet Access
Sales        Malware Blocking   DENY               DENY               PERMIT
Developer    DENY               Malware Blocking   DENY               PERMIT
Guest        DENY               DENY               DENY               PERMIT

Malware Blocking ACL:
  Deny tcp dst eq 445 log; block SMB file sharing
  Deny tcp dst range 137 139 log; block NetBios Session Service
  Permit all

[Figure: Employee sources (Sales, Developer, Guests) reach Production Servers, the HR Database and Internet Access; Cisco ISE marks and enforces]
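An added example, not Cisco code, that evaluates an SGACL matrix against a flow: it covers both the Employee/BYOD to Web_Dir/CRM matrix on the "How is Policy Enforced with SGACL" slide and the peer-to-peer matrix above, parsing the ACE wording the slide uses. The SGT numbers for Sales, Developer, Guest and Internet Access and the action for cells the matrix leaves undefined are constructed for this example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    src_sgt: int
    dst_sgt: int
    proto: str      # "tcp", "udp" or "ip"
    dst_port: int


class Ace(NamedTuple):
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" ("all" is read as "ip")
    ports: Optional[Tuple[int, int]]  # inclusive destination port range, None = any
    log: bool


ACE_RE = re.compile(
    r"^(permit|deny)\s+(tcp|udp|ip|all)"
    r"(?:\s+dst\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+)))?(\s+log)?$")


def parse_ace(text: str) -> Ace:
    """Parse the slide's ACE syntax, e.g. 'deny tcp dst range 137 139 log'."""
    m = ACE_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised ACE: {text!r}")
    action, proto, eq, lo, hi, log = m.groups()
    ports = (int(eq), int(eq)) if eq else ((int(lo), int(hi)) if lo else None)
    return Ace(action, "ip" if proto == "all" else proto, ports, bool(log))


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    return ace.ports is None or ace.ports[0] <= flow.dst_port <= ace.ports[1]


class SgaclMatrix:
    """src SGT x dst SGT -> ordered ACE list; the first matching ACE decides."""

    def __init__(self, default_action: str = "permit") -> None:
        self.cells: Dict[Tuple[int, int], List[Ace]] = {}
        self.default_action = default_action   # for undefined cells (assumed)

    def set_cell(self, src_sgt: int, dst_sgt: int, aces: List[str]) -> None:
        self.cells[(src_sgt, dst_sgt)] = [parse_ace(a) for a in aces]

    def evaluate(self, flow: Flow) -> Tuple[str, bool]:
        """Return (action, log). A cell whose ACEs all miss, or an undefined cell,
        falls back to the matrix default (a simplification made for this model)."""
        for ace in self.cells.get((flow.src_sgt, flow.dst_sgt), []):
            if ace_matches(ace, flow):
                return ace.action, ace.log
        return self.default_action, False


# Constructed SGT numbers for the roles on the slide
SALES, DEVELOPER, GUEST, INTERNET = 10, 11, 12, 40
MALWARE_BLOCKING = [
    "deny tcp dst eq 445 log",         # block SMB file sharing
    "deny tcp dst range 137 139 log",  # block NetBios Session Service
    "permit all",
]


def build_slide_matrix() -> SgaclMatrix:
    """The Peer-to-Peer Malware Control matrix: peers of the same role get the
    Malware Blocking ACL (Guest to Guest is DENY), cross-role is DENY, Internet is PERMIT."""
    m = SgaclMatrix()
    for src in (SALES, DEVELOPER, GUEST):
        for dst in (SALES, DEVELOPER, GUEST):
            m.set_cell(src, dst, ["deny ip"])
        m.set_cell(src, INTERNET, ["permit ip"])
    m.set_cell(SALES, SALES, MALWARE_BLOCKING)
    m.set_cell(DEVELOPER, DEVELOPER, MALWARE_BLOCKING)
    return m
```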
Use Case: Data Centre Segmentation

Protected Assets (Source \ Destination):
                       Production Servers   Development Servers   HR Database   Storage
Production Servers     PERMIT               DENY                  DENY          PERMIT
Development Servers    DENY                 PERMIT                DENY          PERMIT
HR Database            DENY                 DENY                  PERMIT        PERMIT
Storage                PERMIT               PERMIT                PERMIT        PERMIT

[Figure: Cisco ISE supplies the policy; Classification at the DC Switch, SGT Propagation, Enforcement at the DC FW; Segmentation between the HR Database and the Development server with No VLANs]
ISE + Fire + TrustSec
Before, During, After: Switch, Router, Firewall, VPN & Wireless Controller; Segmentation and Policy Enforcement

• Threat Detection
• Prevention and Mitigation
• Collecting additional telemetry
• Added visibility
• Evaluate Policy
• Deep inspection
• Containment (Quarantine or Block all together)
• Apply QoS
• Apply policy routing

Threat data Sharing, then Enforce
TrustSec Platform Support

Classification
• Catalyst 2960S/C/Plus/X/XR
• Catalyst 3560-E/-C/-X
• Catalyst 3750-E/-X
• Catalyst 3850 (NEW)
• WLC 5760 (NEW)
• Catalyst 4500E (Sup6E/7E)
• Catalyst 6500E (Sup720/2T)
• Wireless LAN Controller 2500/5500/WiSM2
• Nexus 7000
• Nexus 5500
• Nexus 1000v
• ISR G2, CGR2000
• ASA5500 (VPN RAS) Beta

Propagation
• SXP: Catalyst 2960-S/-C/-Plus/-X/-XR
• SXP: Catalyst 3560-E/-C, 3750-E
• SXP, SGT: Catalyst 3560-X, 3750-X
• SXP, SGT: Catalyst 3850 (NEW)
• SXP, SGT: WLC 5760 (NEW)
• SXP: Catalyst 4500E (Sup6E)
• SXP, SGT: Catalyst 4500E (7E), 4500X
• SXP: Catalyst 6500E (Sup720)
• SXP, SGT: Catalyst 6500E (2T) & 6800 (NEW)
• SXP: WLC 2500, 5500, WiSM2
• SXP: Nexus 1000v
• SXP, SGT: Nexus 5500/22xx FEX
• SXP, SGT: Nexus 7000/22xx FEX
• SXP, SGT, GETVPN, IPsec: ISRG2*, CGR2000
• SXP, SGT, GETVPN, IPsec: ASR1000
• SXP: ASA5500 Firewall, ASASM

Enforcement
• SGACL: Catalyst 3560-X, Catalyst 3750-X
• SGACL: Catalyst 3850, WLC 5760 (NEW)
• SGACL: Catalyst 4500E (7E) (NEW)
• SGACL: Catalyst 6500E (2T), Catalyst 6800 (NEW)
• SGACL: Nexus 7000, Nexus 5500
• SGFW: ISR G2, CGR2000
• SGFW: ASR 1000 Router, CSR1000v Router
• SGFW: ASA 5500 & ASA-SM, ASAv Beta

* Inline SGT on all ISRG2 except 800 series
SXP: IETF Internet Draft

SXP submitted to IETF and is being implemented by other vendors.

Bayshore Networks announced support in January 2014.
A Systems Approach to Building an Identity Access Control Architecture
Choosing the Correct Building Blocks
The “TrustSec” Portfolio www.cisco.com/go/trustsec

Policy Administration / Policy Decision: Identity Services Engine (ISE), Identity Access Policy System
Policy Enforcement (TrustSec Powered switches, Wireless and Routing Infrastructure): Cisco 2960/3560/3700/4500/6500, Nexus 7000; Cisco ASA, ISR, ASR 1000
Policy Information (TrustSec Powered): NAC Agent and Web Agent (No-Cost Persistent and Temporal Clients for Posture and Remediation); 802.1X Supplicant (AnyConnect or OS-Embedded Supplicant)

Identity-Based Access Is a Feature of the Network Spanning Wired, Wireless, and VPN
TrustSec Design and How-To Guides
Secure Access Blueprints

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Summary
Cisco Secure Access and TrustSec
Technology Review:

Network Identity & Enforcement
• Authentication - (802.1x, MAB, Web, NAC)
• Authorisation - (VLAN, dACL, SXP or SGT)
• Enforcement – (SGACL and Identity Firewall)

I want to allow guests into the network: Guest Access
I need to allow/deny iPADs in my network: Profiler
I need to ensure my endpoints don’t become a threat vector: Posture
I need to ensure data integrity & confidentiality for my users: MACsec Encryption
I need a scalable way of authorising users or devices in the network: Security Group Access
I need to securely allow personal devices on the network: BYOD/MDM
How can I set my firewall policies based on identity instead of IP addresses? Identity-Based Firewall
Summary
• Cisco Secure Access + TrustSec is an architecture for enterprise-wide identity access
control built on standards and powered with Cisco intelligence.
• ISE is an Identity Policy Server for gathering context about every connected endpoint and
enables centralised policy configuration, context sharing, and visibility with distributed
policy enforcement.
• Secure Access with ISE integrates user and device identity, profiling, posture, onboarding,
and MDM with additional endpoint attributes to provide a contextual identity for all
connected devices.
• Secure Group Access pushes contextual identity into the network to deliver next
generation policy enforcement across switches, routers, and firewalls.
• Cisco offers blueprints to aid in the design and deployment of identity access solutions
based on Secure Access architecture.
• Cisco Secure Access can be deployed in phases to ease deployment and increase
success.
Call to Action
• Visit the Cisco Campus at the World of Solutions
to experience the following demos/solutions in action:
• Meet the Engineer, Discuss your project’s
challenges
• Visit CiscoLive365.com after the event for
updated PDFs, on-demand session videos,
networking, and more!

Links
• Secure Access, TrustSec, and ISE on Cisco.com
– http://www.cisco.com/go/trustsec
– http://www.cisco.com/go/ise
– http://www.cisco.com/go/isepartner

• TrustSec and ISE Deployment Guides:
– http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

• YouTube: Fundamentals of TrustSec:
– http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew

Q&A

Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session Evaluations.

• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm

Learn online with Cisco Live!
Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com