TrustSec and ISE Deployment Best Practices (2012 San Diego)

Abstract 2011 and 2012 have been very busy years with the adoption of Cisco’s TrustSec System, a comprehensive systems-approach to Network Access Control and Policy enforcement. This session will discuss the recommended deployment of TrustSec and Identity Services Engine (ISE) based on best-practices and lessons learned in the Field. At the end of this session, the attendee should have a strong understanding of how to deploy ISE with 802.1X for wired and wireless networks. We will examine the correct use of profiling probes to meet the needs of the policy, tips and tricks for successful staged roll-outs, Guest Services, and even Bring Your Own Device (BYOD) policy logic. Note: this session will not cover all possible options for deployment, only best-practices, tips and tricks with the current state of the solution. This is an advanced session that assumes prior knowledge of 802.1X and ISE design basics. This session is intended for a technical audience of Network or Security Administrators and Engineers.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Why this Cisco Live Session? A Complex Solution Network Access ISE Configuration Devices Profiling PoliciesSwitch WLC AuthC AuthZ Posture for yourConfig Config Policies Policies Policies Policies Policies BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

This Presentation Contains a Culmination of BestPractices and Tips from a Wide Range of CiscoTechnologists, not just me  Special Thanks to: Jason Frazier, Shelly Cadora, Jason Kunst, Craig Hyps, Darrin Miller and the entire Secure Access & Mobility TME Team BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

Cisco’s Trusted Security (TrustSec)What’s so special, anyways? Cisco has more 802.1X capable ports deployed in the world than any other vendor. Dedicated Team of Wired 802.1X experts: Cisco’s Identity Based Network Services (IBNS) team Many experiences (IBNS, NAC Framework, NAC Appliance, Wireless Authentication, etc…) Functions that used to require over-lay appliances are now in the infrastructure URL Redirection, Agent Traffic Redirection, Rate Limiting, Sessionization for the multiple stages of Network Access Lifecycle.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

The TrustSec SystemComponents Policy Administration Policy Decision Identity Services Engine (ISE) Identity Access Policy System Policy Enforcement Cisco 2900/3560/3700/4500/6500, Nexus 7000 Cisco ASA, ISR, ASR 1000 TrustSec Powered switches, Wireless and Routing Infrastructure Policy Information NAC Agent Web Agent 802.1X Supplicant No-Cost Persistent and Temporal Clients AnyConnect or TrustSec Powered for Posture, and Remediation OS-Embedded SupplicantBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

Deployment Best Practices

Best Practice Config: ISE

ISE & Certificates When running the ISE Install wizard, use lower-case for hostname. ‒ Do no use self-signed certificates in production networks Certificate is used for all Portal Communication and EAP ‒ Using a certificate that is already trusted by all normal clients is a big benefit. BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

Other ISE Best PracticesDNS & NTP DNS ‒ Reverse DNS required for AD Integration. ‒ All ISE Nodes must be resolvable by FQDN NTP ‒ Cannot stress enough how important time sync is. ‒ Use NTP. Ensure it is accurate. ‒ Time Zone = UTC a best practice for large deployments.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

Network Device GroupsCreation of many: Organize & Why use them A little up-front work, can really help you get specific in your policies. Organize by: ‒ Device Type Wired / Wireless / Firewall / VPN OEAP / CVO ‒ Place in Network Access-Layer / Data Center ‒ Geographic LocationBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 14

Profiling Importance of DHCP & RADIUS Probes…  MAC  IP Binding is CRITICAL  Why: What happens when the Probe (HTTP or NMAP or even NetFlow) is not L2 Adjacent. 2. Open browser to ISE portal Endpoint IP Address Profile 00-00-0C-00-00-01 10.250.1.1 i-Pad 2. MAC Address comes from the ARP table, which is the Default12-34-56-78-09-10 Gateway 10.250.1.1 1. i-Pad joins wireless first time PSN Internet BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

ProfilingHow do we get the MAC IP Bindings? • The dhcp-requested address DHCP Probe attribute in the DHCP packet • Framed-IP-address attribute in RADIUS Probe. RADIUS packet BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

Profiling New in ISE 1.1New i-devices profile w/ NMAP probe We gather generic information, such as iOS for OS. Apple-Device i-Device HTTP Probe i-Pad • Launch NMAPBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

ProfilingNew OUI’s for Devices In the future, there is slated to be a ―feed service‖ for profiling dictionaries. ‒ This will alleviate the issues of not having the new OUI’s for the latest i-device, etc… While we wait for the much anticipated ISE feature, new profile dictionaries are shipped with interim releases, etc… ‒ We can manually update our own libraries.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

Getting Traffic to Probes: HTTP SPAN outbound WWW Traffic • Internet Pipe easier to SPAN than Campus Communications • SPAN is not best-practice • But, sometimes required PSN Internet HTTP BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

ProfilingGrabbing User-Agent Strings from Portals (CWA or CPP) In ISE 1.0, ISE leverages an invisible http object in the CWA/CPP page to acquire the user agent string during redirect to https for Client Provisioning and Posture content. ‒ I.e.: iPad = No Posture Possible; MacOS = MAC Agent; Windows = Windows Agent and/or Temporal Agent Although redirected to CPP process, the separate Profiling process was not able to capture the user agent. ‒ ISE 1.1 code has been updated to allow the agent string acquired from the CPP (which evaluates decrypted packet) to be updated to profiling process. No HTTP Probe necessary to grab this. ‒ This is less Processor intensive, but more ―process intensive‖ i.e: it has impact on user-experience.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

Getting Traffic to Probes: HTTP Using the CPP or CWA portal to capture HTTP User-Agent00-11-22-33-44-55 Endpoint IP Address Profile 00-11-22-33-44-55 10.250.1.1 i-Pad Apple-Dev PSN RADIUS Internet BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

Getting Traffic to Probes: DHCP Can use a SPAN session to capture all DHCP Traffic DHCP-RESP PSN DHCP-REQ DHCP Internet BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

Getting Traffic to Probes: DHCP Can use ip helper-address to copy ISE on all DHCP requests PSN DHCP-REQ DHCP-REQ DHCP-REQ Internet BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

Getting Traffic to Probes: DHCP IOS Sensor in 15.0(1)SE1 – Switch is sensor. Sends via RADIUS DHCP-RESP PSN DHCP-REQ Internet RADIUS-ACCT MAC IP Address 12-34-56-ab-cd-ef 10.254.33.10 BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

Tips and Tricks

Moving from Monitor Mode to Low-Impact

Moving from Monitor to Low-Impact Mode Monitor Mode Rule Name Conditions Permissions interface GigabitEthernet1/0/1 IP Phones if Cisco-IP-Phone then Cisco_IP_Phone authentication open mab BYOD if BYOD and Employee then Employee dot1x pae authenticator Non_AuthZ if i-device or Android then GUEST Contractor if Contractor then Contractor Employee if Employee then Employee NAD Default If no matches, then Deny Access SWITCHPORT PSN RADIUS Access-Request [AVP: 00.0a.95.7f.de.06 ] Matched Rule = Default RADIUS Access-RejectNo Supplicant MAC-Addr is Unknown… Continue to AuthZ table BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

Moving from Monitor to Low-Impact Low-Impact Rule Name Conditions Permissions interface GigabitEthernet1/0/1 IP Phones if Cisco-IP-Phone then Cisco_IP_Phone authentication open mab BYOD if BYOD and Employee then Employee dot1x pae authenticator ip access-group ACL-DEFAULT in Non_AuthZ if i-device or Android then GUEST Contractor if Contractor then Contractor Employee if Employee then Employee NAD Default If no matches, then WEBAUTH SWITCHPORT PSN RADIUS Access-Request [AVP: 00.0a.95.7f.de.06 ] Matched Rule = Default RADIUS Access-Accept [AVP:url-redirect, dacl]No Supplicant MAC-Addr is Unknown… Continue to AuthZ table BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

Moving from Monitor to Low-Impact Low-Impact: An Entire Switch at a Time  Create a Network Device Group for all Switches that will use Low-Impact.Update for Low- Impact BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

Moving from Monitor to Low-Impact Low-Impact: An Entire Switch at a Time Rule Name Conditions Permissions interface GigabitEthernet1/0/1 IP Phones if Cisco-IP-Phone then Cisco_IP_Phone authentication open mab BYOD if BYOD and Employee then Employee dot1x pae authenticator ip access-group ACL-DEFAULT in Non_AuthZ if i-device or Android then GUEST Contractor if Contractor then Contractor Employee if Employee then Employee I Conf_Rooms f DEVICE:Stage EQUALS Stage#AuthMode then WEBAUTH NAD SWITCHPORT PSN Default If no matches, then Deny Access RADIUS Access-Request All Other Switches [AVP: 00.0a.95.7f.de.06 ] Matched Rule = Conf_Rooms Will still be in Monitor RADIUS Access-Accept Mode! [AVP:url-redirect, dacl]No Supplicant MAC-Addr is Unknown… Continue to AuthZ table BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

Moving from Monitor to Low-Impact For Your ReferenceSpecifying NAD + Interfaces in AuthZ Policy When you are willing to enable it a switch at a time, it’s easy. ‒ Most want to enable it a port at a time (Conference rooms only, for example). How can we identify which port(s) should be treated differently? ‒ We can build a static list of Switches and their Ports ‒ Requires 1 AuthZ rule line Per SwitchBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

Moving from Monitor to Low-ImpactSpecifying NAD + Interfaces in AuthZ Policy When you are willing to enable it a switch at a time, it’s easy. ‒ Most want to enable it a port at a time (Conference rooms only, for example). How can we identify which port(s) should be treated differently? ‒ We can build a static list of Switches and their Ports ‒ Requires 1 AuthZ rule line Per SwitchBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

Moving from Monitor to Low-Impactmab eap Trick of the Trade What is ―mab eap‖? ‒ Option of MAB configuration uses EAP-MD5 to transmit the MAB data. Behavior with ISE will be the same. ‒ We can use this as a differentiator ports that should be in Low-Impact. C3750X(config-if)#mab ? eap Use EAP authentication for MAC Auth Bypass <cr> C3750X(config-if)#mab eap C3750X(config-if)#description Conference Room B Available with ISE 1.1+BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

Moving from Monitor to Low-Impactmab eap Trick of the Trade Policy  Policy Elements  Authentication  Results Allowed Protocols ‒ Allow EAP-MD5 ‒ Detect EAP-MD5 as Host LookupNote: Best-Practiceis to never modifydefault objects BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

Moving from Monitor to Low-Impact mab eap Trick of the Trade Rule Name Conditions Permissions interface GigabitEthernet1/0/1 IP Phones if Cisco-IP-Phone then Cisco_IP_Phone authentication open mab eap BYOD if BYOD and Employee then Employee dot1x pae authenticator ip access-group ACL-DEFAULT in Non_AuthZ if i-device or Android then GUEST Contractor if Contractor then Contractor Employee if Employee then Employee I Network Access:EapAuthentication Conf_Rooms f then WEBAUTH EQUALS EAP-MD5 NAD SWITCHPORT PSN Default If no matches, then Deny Access RADIUS Access-Request All Other Switches [AVP: 00.0a.95.7f.de.06 ] Matched Rule = Conf_Rooms Will still be in Monitor RADIUS Access-Accept Mode! [AVP:url-redirect, dacl]No Supplicant MAC-Addr is Unknown… Continue to AuthZ table BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

Conditional Redirection Aids with user-experience / Eliminates unwanted browser redirection.

Conditional RedirectionBest Practice for overall end-user experience Overview: ‒ When an Authentication Succeeds without posture status known, temporary access w/ URL Redirection so NAC Agent can find ISE. Problem definition: ‒ Users complain that while they are waiting for posture to complete, all their web browser traffic in all tabs is being redirected to ISE. Possible Solution: ‒ Conditional RedirectionBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

Conditional RedirectionBest Practice for overall end-user experience ip access-list extended ACL-WEBAUTH-REDIRECT: permit ip any host <PSN1> permit ip any host <PSN2> permit ip any host <x.x.x.x> (getagent.cisco.com) Endpoint with NAC Agent Pre-Installed: ‒ Set the discovery host to: getagent.cisco.com Endpoint that does not have Agent already: ‒ Will require to manually enter http://getagent.cisco.com to have agent provisioned.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Conditional Redirection For Your ReferenceBest Practice for overall end-user experience Only redirect when needed. ‒ Setup the ACL to only redirect users when they go to a certain site: example getagent.cisco.com Setup the switch to redirect the following: ‒ All PSNs (DH set in ISE must be in this list) ‒ And website getagent.cisco.com (DNS setup to resolve to one of the PSNs) The DH will be one of the PDPs (automatically provisioned by the agent install and DH config in the profile). ‒ If user needs to get the agent type in getagent.cisco.com and install the agent Otherwise the user is not redirected however posture discovery is still functional CAVEAT: Users will have to know what URL to type in, in order to get the agent (like ACL method in NAC).BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

BYOx Agenda What is all the hype about? Example Strategies On-Boarding Provisioning Policies Building a BYOD AuthZ PolicyBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

What is driving this new hype?Executive Bling & the ―i-Revolution‖ Top down demand & new generation: ―Our CEO went to a Retail Conference recently and won an iPad. He demands we allow it access to the network, because it is a productivity tool and we prohibiting his productivity without the iPad‖ New Requirement: ‒ Allow access to i-devices New Term: ―Bring Your Own Device‖ (BYOD)BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

What makes a BYOD policy?MachineAuth Approach… Start  Only corporate devices may Here access my network, period. ‒ Use EAP-TLS with AD-issued Corp no Asset? non-exportable machine certificates. Access-Reject ‒ That is our ―BYOD‖ Policy. yes Access-Accept  Not too common anymore.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 50

What makes a BYOD policy?VDx Approach… Start  Only corporate devices may access Here my Corporate Network. ‒ Others should get RDP/ICA to a Corp no VDI farm. Asset? ‒ Could use Profiling to determine Limited Access Corp Asset. yes to VDI farm only ‒ Could use Certs or Machine-Auth w/ PEAP-MSChapv2 Access-Accept  Happening a good bit.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

What makes a BYOD policy?Even more complicatedStart Here Registered Employee No No GUEST Yes Access-Reject Yes Registered i-Device Yes No Device No Yes Access-Accept Internet OnlyBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

What makes a BYOD policyThe policy server is critical to meeting your goals Identity Services Engine = BYOD engine!Who? What? How? Known users (Employees, Device identity Wired Sales, HR) Device classification (profile) Wireless Unknown users (Guests) Device health (posture) VPNWhere? When? Other? Geographic location Date Custom attributes Department Time Device/User states SSID / Switchport Start/Stop Access Applications usedBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 53

ISE BYOD ReleaseIdentity Services Engine 1.1.1 (―minor release‖)  Provision a Certificate for the device. Cert Provisioning ‒ Based on Employee-ID & Device-ID.  Provision the Native Supplicant for the Device: MyDevices Supplicant Portal Provisioning ‒ iOS, Android, Win & MAC-OSX Device Onboarding ‒ Use EAP-TLS or PEAP  Employees get Self-Service Portal ‒ Lost Devices are Blacklisted iOS Android Windows Self-Service Model  Self-Service Model MAC OS ‒ IT does not need to be in the middle.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 54

Authorization Policy Rule Name Conditions Permissions GUEST if GUEST then GUEST1. Any PEAP authentications: Open Rule if Wireless_MAB then WEBAUTH ‒ Send directly to Native Supplicant Provisioning. Network Access:EapTunnel PEAP if then Supp-Provision EQUALS PEAP2. Add CWA to Open SSID Employee & EAP-TLS & ‒ Need to know who they are, and IF we should provision them. Employee if then Employee Certificate SAN = MAC_Addr Default If no matches, then Deny Access Matched Rule = PEAP… Redirect to Supplicant Provisioning… PSN SSID = CORP RADIUS Access-Request PEAP MSHACPv2 – EAP-ID = Employee1 RADIUS Access-Accept [cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT [cisco-av-pair] = url- redirect=https://ISE:8443/guestportal/gateway?sessionId=Sessio Employee nIdValue&action=nsp BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 55

Authorization Policy Rule Name Conditions Permissions GUEST if GUEST then GUEST1. Any PEAP authentications: Open Rule if Wireless_MAB then WEBAUTH ‒ Send directly to Native Supplicant Provisioning. Network Access:EapTunnel PEAP if then Supp-Provision EQUALS PEAP2. Add CWA to Open SSID Employee & EAP-TLS & ‒ Need to know who they are, and IF we should provision them. Employee if then Employee Certificate SAN = MAC_Addr Default If no matches, then Deny Access Matched Rule = Open Rule… Send HTTP traffic to CWA Portal. PSN SSID = GUEST RADIUS Access-Request [AVP: 00.0a.95.7f.de.06 ] RADIUS Access-Accept [cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT [cisco-av-pair] = url- redirect=https://ISE:8443/guestportal/gateway?sessionId=Sessio GUEST nIdValue&action=cwa BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 56

Authorization Policy Rule Name Conditions Permissions GUEST if GUEST then GUEST1. Any PEAP authentications: Open Rule if Wireless_MAB then WEBAUTH ‒ Send directly to Native Supplicant Provisioning. Network Access:EapTunnel PEAP if then Supp-Provision EQUALS PEAP2. Add CWA to Open SSID Employee & EAP-TLS & ‒ Need to know who they are, and IF we should provision them. Employee if then Employee Certificate SAN = MAC_Addr Default If no matches, then Deny Access Employee Authentication Succeeded... PSN User != Guest SSID = GUEST RADIUS Access-Request Start Self-Provisioning Flow [AVP: 00.0a.95.7f.de.06 ] RADIUS Access-Accept [cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT [cisco-av-pair] = url- redirect=https://ISE:8443/guestportal/gateway?sessionId=Sessio Employee nIdValue&action=cwa BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 57

Authorization Policy Rule Name Conditions Permissions GUEST if GUEST then GUEST1. Any PEAP authentications: Open Rule if Wireless_MAB then WEBAUTH ‒ Send directly to Native Supplicant Provisioning. Network Access:EapTunnel PEAP if then Supp-Provision EQUALS PEAP2. Add CWA to Open SSID Employee & EAP-TLS & ‒ Need to know who they are, and IF we should provision them. Employee if then Employee Certificate SAN = MAC_Addr Default If no matches, then Deny Access Guest Authentication Succeeded... Send CoA… PSN User = Guest SSID = GUEST Change of Authorization Request Bypass Self-Provisioning Flow CoA ACK/NAK RADIUS Access-Request [AVP: 00.0a.95.7f.de.06 ] RADIUS Access-Accept GUEST BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 58

Authorization Policy Rule Name Conditions Permissions GUEST if GUEST then GUEST1. Any PEAP authentications: EmpWebAuth if Employee & Guest-Flow then Supp-Provision ‒ Send directly to Native Supplicant Provisioning. Open Rule if Wireless_MAB then WEBAUTH2. Add CWA to Open SSID Network Access:EapTunnel PEAP if then Supp-Provision ‒ Need to know who they are, and IF we should provision them. EQUALS PEAP Employee & EAP-TLS & Employee if then Employee Certificate SAN = MAC_Addr Matched Rule = Open Rule… Default If no matches, then Deny Access Send HTTP traffic to CWA Portal... PSN SSID = GUEST RADIUS Access-Request [AVP: 00.0a.95.7f.de.06 ] RADIUS Access-Accept [cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT [cisco-av-pair] = url- redirect=https://ISE:8443/guestportal/gateway?sessionId=Sessio GUEST nIdValue&action=cwa BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 59

Authorization Policy Rule Name Conditions Permissions GUEST if GUEST then GUEST1. Any PEAP authentications: EmpWebAuth if Employee & Guest-Flow then Supp-Provision ‒ Send directly to Native Supplicant Provisioning. Open Rule if Wireless_MAB then WEBAUTH2. Add CWA to Open SSID Network Access:EapTunnel PEAP if then Supp-Provision ‒ Need to know who they are, and IF we should provision them. EQUALS PEAP Employee & EAP-TLS & Employee if then Employee Certificate SAN = MAC_Addr Employee Authentication Succeeded… Default If no matches, then Deny Access Send CoA… Start Native Supplicant Provisioning… PSN User != Guest SSID = GUEST Self-Provisioning Flow Disabled; Change of Authorization Request Continue normal CWA processing CoA ACK/NAK RADIUS Access-Request [AVP: 00.0a.95.7f.de.06 ] RADIUS Access-Accept Employee [cisco-av-pair] = url-redirect-acl=ACL=NSP-ACL [cisco-av-pair] https://ip:port/guestportal/gateway?sessionId=Sessio nIdValue&action=nsp BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 60

Native Supplicant Provisioning (iOS use-case) PSNEmployee HTTPS to the NSP Portal ISE sends root certificate to endpoint for trust with OTA User clicks register. ISE sends Profile Service to iOS Device CSR is Generated Encrypted Profile Service: on iOS https://ISE:8905/auth/OTAMobileConfig?sessionID CSR sent to ISE SCEP to MS Cert Authority Certificate sent to ISE User Certificate Issued CN = Employee ISE sends Profile Service to iOS Device SAN = 00-0a-95-7f-de-06 Signing Certificate + User Certificate: Wi-Fi Profile with EAP-TLS configured SSID = CTS-CORP EAP-TLS BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 61

The Opposite End of Spectrum:How to differentiate corporate provisioned devices?

Corporate AssetsProvide differentiated access for IT-managed systems.Start Here Registered Employee No No GUEST Yes Access-Reject Yes Domain No Member? YES Access-Accept Internet OnlyBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 66

Identifying the Machine AND the USERMachine Access Restrictions (MAR) MAR provides a mechanism for the RADIUS server to search the previous authentications and look for a machine-authentication with the same Calling-Station-ID. This means the machine must do authenticate before the user. ‒ i.e. Must log out, not use hibernate, etc…. See the reference slides for more possible limitations.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 67

Machine Access Restrictions (MAR) Rule Name Conditions PermissionsMAR Cache IP Phones if Cisco-IP-Phone then Cisco_IP_PhoneCalling-Station-ID 00:11:22:33:44:55 –Passed MachineAuth if Domain Computers then MachineAuth Employee & Employee if WasMachineAuthenticated = then Employee true GUEST if GUEST then GUEST Default If no matches, then WEBAUTH NAD SWITCHPORT PSN RADIUS Access-Request [EAP-ID=CorpXP-1] Matched Rule = MachineAuth RADIUS Access-Accept [cisco-av-pair] = dACL=Permit-All BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 68

Machine Access Restrictions (MAR) Rule Name Conditions PermissionsMAR Cache IP Phones if Cisco-IP-Phone then Cisco_IP_PhoneCalling-Station-ID 00:11:22:33:44:55 –Passed MachineAuth if Domain Computers then MachineAUth Employee & Employee if WasMachineAuthenticated = then Employee true GUEST if GUEST then GUEST Default If no matches, then WEBAUTH NAD SWITCHPORT PSN EAPoL Start Matched Rule = Employee RADIUS Access-Request [EAP-ID = Employee1] RADIUS Access-Accept [cisco-av-pair] = dACL=Permit-All BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 69

Machine Access Restrictions (MAR)Potential Issues with MAR Potential Issues with MAR: ‒ Wired/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine and user authentication; MAC address will change when laptop moves from wired to wireless breaking the MAR linkage. ‒ Machine state caching: The state cache of previous machine authentications is neither persistent across ACS/ISE reboots nor replicated amongst ACS/ISE instances ‒ Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different location, or comes back into the office the following day, where machine auth cache is not present in new RADIUS server or has timed out.BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 70

For YourMachine Access Restrictions (MAR) ReferencePotential Issues with MAR Spoofing: Linkage between user authentication and machine authentication is tied to MAC address only. It is possible for endpoint to pass user authentication only using MAC address of previously machine- authenticated endpoint. MAR description (from ACS guide): http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control _server_for_windows/4.2/user/guide/UsrDb.html#wp354105BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 71

Identifying the Machine AND the UserReal Customer Example: Custom DHCP Attribute & use Profiler  One customer decided to modify the DHCP- User-Class-ID on their Domain Members ‒ Provided a unique way to profile the device as a Corporate Asset. C:>ipconfig /setclassid "Local Area Connection" CorpXYZ Windows XP IP Configuration DHCP ClassId successfully modified for adapter"Local Area Connection" http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 72

Identifying the Machine AND the UserThe next chapter of authentication: EAP-Chaining IETF working group is in process of standardizing on Tunneled EAP (TEAP). ‒ Next-Generation EAP method that provides all benefits of current EAP Types. ‒ Also provides EAP-Chaining. Cisco will do it before TEAP is ready ‒ EAP-FASTv2 ‒ AnyConnect 3.1 ‒ Identity Services Engine 1.1.1 (1.1 Minor Release)BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 73

EAP-Chaining With AnyConnect 3.1.1 and ISE 1.1.1 Rule Name Conditions Permissions IP Phones if Cisco-IP-Phone then Cisco_IP_Phone1. Machine Authenticates MachineAuth if Domain Computers then MachineAuth2. ISE Issues Machine AuthZ PAC Employee & Network Employee if then Employee Access:EAPChainingResult = User and machine suceeded GUEST if GUEST then GUEST Default If no matches, then WEBAUTH NAD SWITCHPORT PSN EAPoL Start RADIUS Access-Request [EAP-Tunnel = FAST] EAP-Request:TLV RADIUS Access-Challenge [EAP-TLV = ―Machine‖] EAP-Response RADIUS Access-Request TLV = ―Machine‖ [EAP-TLV= ―Machine‖] [EAP-ID=Corp-Win7-1] PAC RADIUS Access-Accept EAP Success BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 74

EAP-Chaining With AnyConnect 3.1.1 and ISE 1.1.1 Rule Name Conditions Permissions IP Phones if Cisco-IP-Phone then Cisco_IP_Phone3. User Authenticates MachineAuth if Domain Computers then MachineAuth4. ISE receives Machine PAC Employee &5. ISE issues User AuthZ PAC Network Employee if then Employee Access:EAPChainingResult = User and machine suceeded GUEST if GUEST then GUEST Default If no matches, then WEBAUTH NAD SWITCHPORT PSN PAC EAPoL Start RADIUS Access-Request [EAP-Tunnel = FAST] EAP-Request:TLV RADIUS Access-Challenge PAC [EAP-TLV = ―Machine‖] EAP-Response RADIUS Access-Request TLV = ―User‖ [EAP-TLV= ―User‖] [EAP-ID=Employee1] PAC RADIUS Access-Accept EAP Success BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 75

Multiple Active – Directory Domains

Active Directory IntegrationMultiple Domains If Trust Relationship(s) Exist Use When Possible • Then only need to join one domain. If no Trust Relationships • Complicated. Depends on Authentication Requirements & EAP Methods. • One option: LDAP • Other option: RADIUS-ProxyBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 78

Multiple Active Directory DomainsLDAP Key Points: ‒ MSCHAPv2 does not work with LDAP, however: EAP-GTC Does. ‒ EAP-GTC was removed from the Native Supplicant on Microsoft AD1 AD2BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 79

What works with LDAP Machine AuthC Machine AuthZ User AuthC User AuthZ EAP-TLS (port 389) Yes Yes, if comparing cert Yes Yes* values (O,OU) Yes, if condition uses primary group id=515 (Domain Computers) EAP-TLS (port 3268) Yes Yes, if condition uses Yes Yes, must have cert primary group id=515 published to AD * (Domain Computers) Yes, if comparing cert values (O,OU) PEAP-GTC (port 389) No No Yes Yes PEAP-GTC (port 3268) No No No Yes * If user belongs to ―Domain Users‖ group only, must use primary group ID= 513 for authz ruleBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 80

Combining AND & OR

Troubleshooting Tools and Tips

Conditional DebuggingTip from the Field On the WLC, we can debug on a per mac-address basis. (Cisco Controller) >debug client b8:c7:5d:d4:95:32 (Cisco Controller) > (Cisco Controller) > (Cisco Controller) >*apfMsConnTask_1: Apr 10 19:02:04.179: b8:c7:5d:d4:95:32 Association received from mobile on AP 00:26:cb:4e:b2:d0 *apfMsConnTask_1: Apr 10 19:02:04.179: b8:c7:5d:d4:95:32 10.1.41.101 RUN (20) Changing IPv4 ACL none (ACL ID 255) ===> none (ACL ID 255) --- (caller apf_policy.c:1697) *apfMsConnTask_1: Apr 10 19:02:04.179: b8:c7:5d:d4:95:32 10.1.41.101 RUN (20) Changing IPv6 ACL none (ACL ID 255) ===> none (ACL ID 255) --- (caller apf_policy.c:1864) *apfMsConnTask_1: Apr 10 19:02:04.179: b8:c7:5d:d4:95:32 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile *apfMsConnTask_1: Apr 10 19:02:04.179: b8:c7:5d:d4:95:32 Applying site-specific Local Bridging override for station b8:c7:5d:d4:95:32 - vapId 1, site default-group, interface employee *apfMsConnTask_1: Apr 10 19:02:04.179: b8:c7:5d:d4:95:32 Applying Local Bridging Interface Policy for station b8:c7:5d:d4:95:32 - vlan 41, interface id 11, interface employee *apfMsConnTask_1: Apr 10 19:02:04.179: b8:c7:5d:d4:95:32 processSsidIE statusCode is 0 and status is 0BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 90

Conditional DebuggingTip from the Field No per mac-address debugging on switches, but: ‒ We can enable per port rather than per mac. 3560-X#debug condition interface g0/1 Condition 1 set 3560-X#debug authentication all All Auth Manager debugging is on 3560-X#conf t Enter configuration commands, one per line. End with CNTL/Z. 3560-X(config)#int g0/1 3560-X(config-if)#shut 3560-X(config-if)# *Mar 13 17:30:26.848: AUTH-EVENT (Gi0/1) Host access set to ask on unauthorized port since feature *Mar 13 17:30:26.848: AUTH-EVENT (Gi0/1) host access set to 1 on GigabitEthernet0/1 *Mar 13 17:30:26.848: AUTH-EVENT (Gi0/1) Setting domain DATA to UNATHED *Mar 13 17:30:26.848: AUTH-EVENT (Gi0/1) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port GigabitEthernet0/1 *Mar 13 17:30:26.848: AUTH-EVENT (Gi0/1) Host access set to ask on unauthorized port since feature *Mar 13 17:30:26.848:BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 91

Critical ItemsCritical Items for an Operationally Efficient Environment Good, working DNS is a REQUIREMENT ‒ Multiple TAC cases where customers don’t have working DNS ‒ I know: how is that possible, right?  All ISE nodes must have forward & reverse DNS EntriesBRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 92

Troubleshooting Redirection Verify IOS code release and feature set!# show authentication session interface <int> o Does the IP address display? Verify device tracking table entry. o Is the session ID matching? o Is the dACL downloaded, if applicable? o Is the Redirect ACL applied? If so, verify contents on local switch BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 93

Troubleshooting Redirection 3560-X(config-if)# do sho ip access-list int g0/13560-X(config-if)#do sho authen sess int g0/1 permit ip host 10.1.41.100 host 10.1.100.3Interface: GigabitEthernet0/1 permit ip host 10.1.41.100 host 10.1.100.4 MAC Address: 0050.5687.0039 permit udp host 10.1.41.100 any eq domain (5 matches) IP Address: 10.1.41.100 permit tcp host 10.1.41.100 any eq 8443 User-Name: 00-50-56-87-00-39 permit tcp host 10.1.41.100 any eq www Status: Authz Success Domain: DATA Security Policy: Should Secure Security Status: Unsecure 3560-X#sho run | b ip access-list extended ACL-WEBAUTH-REDIRECT Oper host mode: multi-auth ip access-list extended ACL-WEBAUTH-REDIRECT Oper control dir: both deny udp any any eq domain Authorized By: Authentication Server remark redirect all applicable traffic to the ISE Server Vlan Group: N/A permit tcp any any eq www ACS ACL: xACSACLx-IP-WebAuthDACL-4f849c3e permit tcp any any eq 443 URL Redirect ACL: ACL-WEBAUTH-REDIRECT remark all other traffic will be implicitly denied from the redirection URL Redirect: https://ATW-ISE-02.cts.local:8443/guestportal/gateway?sessionId=0A01283C0000003041DE089E&action=cwa Session timeout: N/A Idle timeout: N/A Common Session ID: 0A01283C0000003041DE089E Acct Session ID: 0x00000038 Handle: 0xA3000030 BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 94

Troubleshooting Redirection # show ip access-list interface <int> o Is the access list properly applied to the client IP address per above? If not…  Verify that endpoint has an IP address  Verify dACL contents in ISE—ISE may show dACL authorization applied but switch rejects if ANY syntax error Access switch without SVIs for local access VLANs (common L2 case) o Is there a route from Management VLAN to client VLAN? o Is firewall dropping redirects sourced from Management VLAN? o Are dACLs disappearing? If so, does host respond to ARP probes from 0.0.0.0?  Switch(config-if)# ip device tracking probe use-svi BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 95

Wireless URL Redirection ConsiderationsApple Captive Network Assistant (CNA) Problem: URL redirection on Apple devices may fail due to Apple Captive Network Assistant (CNA) Background on CNA: Apple iOS feature to facilitate network access when captive portals present that requires login by automatically opening web browser in a controlled window. Feature attempts to detect the presence of captive portal by sending a web request upon WiFi connectivity to http://www.apple.com/library/test/success.html ‒ If response received, then Internet access assumed and no further interaction ‒ If no response received, Internet access is assumed to be blocked by captive portal and CNA auto-launches browser to requests portal login in a controlled window. Solutions: 1. Disable Auto-Login under WLAN settings (requires user knowledge and interaction) 2. Configure WLC to bypass CNA: > config network web-auth captive-bypass enable Command available in WLC 7.2: http://www.cisco.com/en/US/docs/wireless/controller/7.2/command/reference/cli72commands.html#wp15129591 BRKSEC-3040 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 96

TrustSec and ISE Deployment Best Practices (2012 San Diego)

by Cisco Security on Jun 19, 2012

Statistics

Views

Actions

1 Embed 1

Accessibility

Categories

Upload Details

Usage Rights

Report content

TrustSec and ISE Deployment Best Practices (2012 San Diego) Presentation Transcript