ISE. Profilování typů koncových zařízení. Cisco Expo T-SECA2 Jiří Tesař Cisco

Transcription

1 Cisco Expo 2012 ISE Profilování typů koncových zařízení T-SECA2 Jiří Tesař Cisco Cisco Expo 2012 Cisco and/or its affiliates. All rights reserved. 1

2 Twitter Talk2cisco SMS

3 K čemu použít ISE Profiling? Implementace ISE profilování v živé síti Konfigurace profilování Monitorování a reportování Demo 3

4 ISE AP WLC Nexus 5000/2000 IP Phone Catalyst Switch Campus Network Catalyst 6500 Nexus 7000 Data Center 4

5 EAP Phase 1 Device Authentication MAC, DHCP, DNS, HTTP Phase 2 Device Identification ISE Phase 3 Device Policy Limited Access Allowed Device? NAD QoS Gold Allowed Access ACL VLAN Allow-All Employee 5

6 Internet Only Video Vlan assignment Printing Vlan Voice Vlan SNMP only Dynamic vlans Equipements connectés au réseau Id Group assignement ISE 6

7 Before Posture Assessment and Profiling After Employee Policy Applied Client Status Unknown Client Status Profiled, Workstation VLAN Limited Access VLAN Employee ACL Posture-Assessment ACL None QoS Silver QoS Gold User and Device Specific Attributes ISE User and Device Specific Attributes ISE CoA is based on an extension of RADIUS through RFC3576 7

8 Policy Authorization 8

9 Policy Authorization - Simple 9

10 Policy Authorization - Advanced User Device Type Location Posture Time Access Method Custom 10

11 What are the Required Parts of the Policy? Corp Asset? AuthC Type Profile AuthZ Result AD Member? Static List? MDM? Certificate? Machine Certs? User Certs? Uname/Pwd i-device Android Windows Other Full Access i-net only VDI + i-net 11

12 Number of "other devices" often exceeds number of computers Do you know every MAC address? Process to add MAC addresses when purchasing devices Process to remove MAC addresses when removing devices Some organization already may have processes in place and be in full control For others, Profiling, will help discover and categorize devices, effectively enabling a successful implementation of 802.1X 12

13 Configuration Administration/Identity Man./Identities/Endpoints How to build a MAC Databases? Find It (Existing DB) e.g. CUCM Build It (Not existing DB) e.g. Monitor Mode Buy It e.g. ISE Profiler 13

14 Monitor Authentications 14

15 ISE AP WLC Nexus 5000/2000 IP Phone Catalyst Switch Campus Network Catalyst 6500 Nexus 7000 Data Center 15

16 ISE Probes ISE Profiler uses a lot of probes to identify devices. It is not easy to choose which ones to use : RADIUS HTTP DHCPSPAN DHCP SNMP Netflow DNS 16

17 There are a number of profiling probes in ISE DHCP Helper DHCP Span HTTP RADIUS DNS SNMPQuery SNMPTrap Netflow In-band Explicit configuration SPAN Out-of-band Triggered 17

18 Best Practice For wired network we recommend using a combination of RADIUS, DHCP, DNS and SNMP : RADIUS DNS DHCP SNMP OUI prefix), IP Hostname DHCP class identifier, Client Identifier, parameters, req list CDP/ LLDP/ Mac Move NMAP Scan HTTP NetFlow OS and Common Ports User agent (OS type/version) Traffic identification HTTP, and NetFlow could also be used as additional methods when required. (Use HTTP Probe with WebAuth Portal & I-net Edge or VACLS to limit traffic) 18

19 SNMP Query, SNMP Trap, RADIUS, DHCP Helper Device Authenticator ISE Initial Attempt authentication order dot1x mab Open Mode: Time when MAC address is moved to FWD state MAC-Notification Trap is sent if configured Link-State trap if configured MAC-Notification Trap 30 sec to start SNMP Query DCHP Discovery / Request EAPOL / ID-Req (max-reauth-req +1) x tx-timer 802.1X times out 802.1X MAB Authorized DHCP Helper Username:00:11:22:33:44:55:66 Password: 00:11:22:33:44:55:66 Access-Accept Primary Key: 00:11:22:33:44:55:66 Attributes Switch IP Port ID CDP Info VLAN Data Session Data DHCP Options SNMP Query SNMP Response Point of Profiling 19

20 Using Profiling Base on RADIUS, DNS, DHCP in a Wired Network radius-server key xxxx ip device tracking EAP-OL DHCP RADIUS Oui, IP ISE DNS DNS probe (reverse-lookup) DHCP probe DHCP class identifier, hostname req attributes Dot1x Selective Open Mode Only DHCP is permited Si interface Vlan20 ip DHCP server ip DHCP Server 20

21 SNMP/CDP/LLDP, NetFlow snmp-server community xxxxxx RW snmp-server enable traps snmp linkdown linkup snmp-server enable traps mac-notification change move snmp-server version 2c xxxxxx SNMP CDP/ LLDP/ Mac notification CDP / LLDP ISE Queries following mibs: - system - cdpcacheentry - clapentry (If device is WLC) - cldccliententry (If device is WLC) LinkUp/Mac Notification/RADIUS Acct Start event queries: - interface data (ifindex, ifdesc, etc) - Port and Vlan data - Session Data (if interface type is Ethernet) - CDP data (if device is Cisco) Si Netflow v5 or v9 ip flow-export ISE ip flow-export source FastEthernet 0/1 ip flow-export version 9 21

22 Manual Scan For manual scan Specify subnet then «Run Scan» Click to see scan results Devices will be added to the database only if the real MAC address is known Use alternate probe to discover (eg RADIUS or SNMP probe) Large network scan could be very time consuming and could add a heavy load to ISE service node 22

23 Using Network Scan Option in a Profiler Policy Select NMAP Scan type And Take activate network scan SNMP Scan use «public» as default Ro community 23

24 DNS and NMAP Probes requires IP address for reverse DNS lookup or NMAP Scan RADIUS Probe Framed-IP-Address SNMP Probe cdpcacheaddress HTTP Probe Source IP DHCP Probe Dhcp-requested-address NMAP Probe requires MAC - IP binding Device will be include in the database only if MAC in known. ARP cache in the profiler service maps IP addresses and MAC addresses. Requires DHCP probe or the RADIUS probe. 24

25 Low touch deployment Centralize visibility without big ISE sensor investment Automatic discovery for most common devices (Printers, Cisco devices, phones) Topology independent ISE IOS Sensor Distributed Probes 25

26 ISE IOS Sensor Implementation It is possible also to use Cisco switches as collectors with: ISE 1.1 3K with 15.0(1)SE1 4K with 15.1(1)SG WLC 7.2 MR1 release - DHCP data only IOS Sensor collects data based on: OUI CDP LLDP DHCP MAB or EAP-OL Optional Filter dhcp/cdp options/tlv Radius Accounting ISE Avoid SPAN (for HTTP try to use HTTP redirection to ISE portal) IP Helper when possible for DHCP 26

27 Device Detection Base on CDP, LLDP or DHCP RADIUS Accounting MAB or EAP-OL Enable RADIUS probe ISE device-sensor accounting device-sensor notify all-changes Filter dhcp, cdp or lldp options/tlv device-sensor filter-list dhcp list my_dhcp_list option name host-name option name class-identifier option name client-identifier device-sensor filter-spec dhcp include list my_dhcp_list device-sensor filter-list lldp list my_lldp_list tlv name system-name tlv name system-description device-sensor filter-spec lldp include list my_lldp_list device-sensor filter-list cdp list my_cdp_list tlv name device-name tlv name platform-type device-sensor filter-spec cdp include list my_cdp_list 27

28 ISE Profiling result Switch Device Sensor Cache Cisco IP Phone 7945 SEP002155D60133 Cisco Systems, Inc. IP Phone CP-7945G SEP002155D

29 Best Practice for a Wireless Network For wireless network we recommend to use a combination of RADIUS, DHCP, DNS and HTTP : RADIUS Oui prefix), IP DNS DHCP DHCPSPAN HTTP Hostname DHCP class identifier, req attributes User agent (OS type/version) NMAP Scan OS Identification NMAP still available as complementary method 29

30 Set Calling-Station-ID to MAC Address for non-1x WLANs [more specifically, applies to any WLAN where NAC type!= RADIUS] Security > AAA > RADIUS > Authentication Disable DHCP Proxy to allow forwarding of DHCP -> IP Helpers Controller > Advanced > DHCP 30

31 RADIUS, DNS, DHCP (IP Helper) Disable DHCP Proxy 802.1X or web auth RADIUS Oui, IP DNS DNS probe (reverse-lookup) DHCP WLC ISE DHCP probe DHCP class identifier req attributes No open mode for Wireless ACL could be enforced for not yet profiled devices Vlan / ACL could be change after profiling Si interface Vlan20 ip DHCP server ip DHCP Server 31

32 HTTP Best Practice: Use of Controller for HTTP Redirect HTTP redirect to ISE 802.1X or web auth HTTP WLC 7.2 ActivateCoA ACL Redirect ISE HTTP User agent 802.1X SSID must be on Management WLAN To allow the initial profiling of HTTP(S) traffic redirected to ISE Policy Service. Once profiled, client can be assigned to a different VLAN per Authorization Policy. 32

33 No SPAN Physical Ports Wireless Interfaces Physical Ports Port Channel Wireless Interfaces GE0 GE0 ISE port includes profiling for HTTP / DHCP probes Management WLAN ( /24) Employee WLAN ( /24) Guest WLAN ( /24) If ISE is L2 adjacent to WLC, then 802.1X WLANs must be on Management interface, else MAC/IP binding required If ISE is L3 adjacent to WLC, then MAC/IP binding required. 33

34 HTTP / DHCP alternate solution: Use SPAN to capture traffic Some probes require to send a copy of the traffic to ISE Sends a copy of the traffic to another port on the switch by using SPAN / RSPAN feature. monitor session 1 source vlan xx, yy monitor session 1 destination interface Gi1/0/24 HTTP User agent DHCPSPAN Alternative to ip helper Source PORTS or VLANs ISE Probe 34

35 Best Practice : Use «VACL Capture» to Capture only HTTP HTTP only Si All traffic from vlan 10 C6500 Cat6K(config)#ip access-list extended HTTP_TRAFFIC Cat6K(config-ext-nacl)#permit tcp any any eq www Cat6K(config)#ip access-list extended ALL_TRAFFIC Cat6K(config-ext-nacl)#permit ip any any Cat6K(config)#vlan access-map HTTP_MAP 10 Cat6K(config-access-map)#match ip address HTTP_TRAFFIC Cat6K(config-access-map)#action forward capture Capture HTTP Cat6K(config)#vlan access-map HTTP_MAP 20 Cat6K(config-access-map)#match ip address ALL_TRAFFIC Cat6K(config-access-map)#action forward Forward all other traffic Cat6K(config)#vlan filter HTTP_MAP vlan-list 10, 20 Applied to vlan 10,20 Cat6K(config)#int fa2/24 Cat6K(config-if)#switchport capture allowed vlan 10 Cat6K(config-if)#switchport capture Capture port 35

36 Physical Ports 802.1X WLANs can be on different interface than Management interface Wireless Interfaces SPAN Port GE0 GE1 ISE port dedicated to profiling (HTTP / DHCP probes) o ISE interface dedicated to SPAN can profile HTTP traffic directly on each SSID (even those not L2 adjacent) without requiring redirection of user traffic to ISE web service interface (Client Provisioning). Management WLAN ( /24) Employee WLAN ( /24) Guest WLAN ( /24) 36

37 Device type OUI DHCP CDP LLDP (1.1) User agent Radius DNS Netflow Active scan smartphone Yes yes yes Yes yes Tablets yes yes yes Yes yes Worstation yes yes Yes hostname yes OS version yes yes Yes yes Printer yes yes Yes hostname yes Camera yes yes Yes (cisco) IP Phone yes yes Yes (cisco) Network devices yes Yes (cisco) Yes (lldp required) Yes (lldp required) Yes (lldp required) Others yes yes Yes yes Yes Yes Yes yes yes 37

38 ISE AP WLC Nexus 5000/2000 IP Phone Catalyst Switch Campus Network Catalyst 6500 Nexus 7000 Data Center 38

39 Profiles Policies use a Combination of Conditions to Identify Devices Is the MAC Address from Apple DHCP:host-name CONTAINS ipad IP:User-Agent CONTAINS ipad I m certain this device is an Ipad 39

40 100+ Already Existing Policies for Devices Identification For Your Reference Cont. 40

41 Parent Policy Select this option to create a matching Identity group 41

42 Identity groups directly used as a policy condition 42

43 43

44 NMAP DHCP LLDP CDP For Your Reference Netflow RADIUS IP SNMP 44

45 Any Combination of Theses Conditions Could be use in your Policies For Your Reference 45

46 Allow ISE to Actively Enforce Policy Over Connected Endpoints aaa server radius dynamic-author client server-key xxxxxxx CoA is triggered dynamically when a scenario is matched : - Endpoint is profiled for the 1 st time. - Endpoint is statically assigned with a new Policy - Endpoint is deleted from ISE DB. CoA 2010 Cisco and/or its affiliates. All rights reserved. 46

47 Profile Transitions Default Exception Actions CoA sent on these events based on Administration System Settings Profiling setting Top 3 predefined actions are not configurable Administrator may define additional Actions If insufficient attributes collections, device may be profiled in a more generic profile and CoA sent only for this profile. Ex: Apple-Device versus Apple-iPad HP-Device versus HP-JetDirect-Printer Exception action required to send CoA when device is eventually profiled into more specific policy. 47

48 Identity Group are used as a Condition for Authorization Rules Conditions Result Android, iphone, ipad or BlackBerry Devices Enforce ACL To permit only http on internet 48

49 ISE AP WLC Nexus 5000/2000 IP Phone Catalyst Switch Campus Network Catalyst 6500 Nexus 7000 Data Center 49

50 Real-Time Monitoring Profiled endpoint list Profiled endpoint Dashboard 50

51 Give you all Details About Authentication and Profiling 51

52 Detailed Report for Profiler Activity 52

53 Client Summary By Vendors 53

54 Client Summary by Endpoint Type 54

55 ISE AP WLC Nexus 5000/2000 IP Phone Catalyst Switch Campus Network Catalyst 6500 Nexus 7000 Data Center 55

56 Different Security to Different Security Roles Identity (Authentication) Employee Device (Profiling) Permission (Authorization) John Peter Apple-iPhone iphoneemployee VLAN #135 Apple-iPad ipademployee VLAN #136 Android AndroidEmployee VLAN #137 Blackberry BlackBerryEmployee VLAN #138 Contractor Contractor1 Contractor2 Any Contractors VLAN #145 IF $Identity AND $Device THEN $Permission 56

57 Users, using the same SSID, can be associated to different wired VLAN interfaces after EAP authentication Employees using iphone with their AD user id in AD group employee are assigned to VLAN 135 Employees using ipad with their AD user id in AD group employee are assigned to VLAN 136 Contractors using any device with their AD user id in AD group contractor are assigned to VLAN 145 ISE ISE 1 EAP Authentication Employees 2 Accept with VLAN Accept with VLAN 145 Corporate Resources Same-SSID CAPWAP VLAN 136 Contractor 3 EAP Authentication 802.1Q Trunk VLAN 145 Guest Resources 2010 Cisco and/or its affiliates. All rights reserved. 57

58 ners/sell/technology/ipc/integra ted-solutions/dcloud-byod.html m/internal/login.aspx Required Cisco Aironet 3500/3600/600 Series BYOD endpoint Laptop/tablet/smartphone acting as personal device Monitoring laptop Laptop accessing the demonstration environment and displaying management systems 58

59 2 roles available: 1. Scenarios Doctor 2. IT admin D Demo 2 roles available: ation scenario Doctor IT admin 7 (in professor7/student7/itadmin7) should be changed to your specific number for your session see IE page on your Hosted Workstation for a correct number 3 roles available: available: ssor ent in Professor D Demo Student Itadmin rate scenario see IE page on your Hosted Workstation for a correct number 7 (in corporate7/itadmin7) should be changed to your specific number for your session 2 roles available: ailable: ate in Corporate IT admin see IE page on your Hosted Workstation for a correct number 59

60 60

61 61

62 Reference Slide SXP SGACL 2010 Cisco and/or its affiliates. All rights reserved. 62

63 ISE Profiling Support Device profiling for Wired and wireless networks Use a combination of advanced probes to identify devices Is Integrated in ISE policies Use Cisco Infrastructure for distributed features (IOS Sensor) 63

64 Whitepapers Deployment Scenario Design Guide Deployment Scenario Config Guide IEEE 802.1X Deep Dive MAB Deep Dive Web Auth Deep Dive Flex Auth App Note IP Telephony Deep Dive MACSec Deep Dive /ps6638/whitepaper_C html 86/ps6638/Whitepaper_c html 86/ps6638/guide_c html 86/ps6638/config_guide_c html 86/ps6638/app_note_c html 86/ps6638/app_note_c html 86/ps6638/application_note_c _ps6638_Products_White_Paper.html 86/ps6638/config_guide_c html 86/ps6638/deploy_guide_c html 64

65 65

66 Twitter Talk2Cisco SMS Zveme Vás na Ptali jste se v sále LEO 1.den 17:45 18:30 2.den 16:30 17:00 66

67 Kód přednášky Prosíme, ohodnoťte tuto přednášku. 67

68