K.I.T.T. Know ISE Through Training

Size: px

Start display at page:

Download "K.I.T.T. Know ISE Through Training"

Maurice Osborne
6 years ago
Views:

Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training BRKSEC-2059 - Deploying ISE in

1 Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training BRKSEC Deploying ISE in a Dynamic Public Environment BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 1

3 Deploying ISE in a Dynamic Public Environment Clark Gambrel, CCIE #18179 Technical Leader, Engineering, Security Business Group BRKSEC-2059

4 Introduction

11 Agenda Introduction Public environments, Why are they so challenging? Advice Words to live by in any environment (Best Practice!) Education What we have learned Hospitals/Medical Protecting the heart of your network Public Transportation Tips for the thrifty traveler Conclusion

Cisco ISE & TrustSec Sessions: Building Blocks

(Thurs 8:00 am) BRKCOC-2015 Cisco IT's Assured Network

8:00am) (Thurs 8:00am) BRKSEC-2045 - Mobile Devices and

4:00pm) (Tue 4:00pm) PSOSEC-2009- ISE 2.0 & 2.

Building an Enterprise Access Control Architecture

BRKSEC-2059 Deploying ISE in a Dynamic Public

Security Everywhere on Enterprise Networks (Mon 4:00pm)

Policies (Thurs 8:00am) BRKSEC-2203 Deploying TrustSec

Advanced Security Group Tags: The Detailed Walk Through

13 Cisco ISE & TrustSec Sessions: Building Blocks BRKSEC-3699 Designing ISE for Scale & High Availability (Thurs 8:00 am) BRKCOC-2015 Cisco IT's Assured Network Access: (ISE) Deployment and Best Practices (Thurs 10:30am). BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Wed 8:00am) (Thurs 8:00am) BRKSEC Mobile Devices and BYOD Security - Deployment and Best Practices (Mon 4:00pm) (Tue 4:00pm) PSOSEC ISE 2.0 & 2.1 Features (Tue 12:30 pm + Wed 10:30 am) BRKSEC Building an Enterprise Access Control Architecture using ISE and TrustSec (Mon 1:30 pm + Wed 8:00 am) BRKSEC-2059 Deploying ISE in a Dynamic Public Environment (Thurs 8:00 am) BRKCRS 1449 Enabling Security Everywhere on Enterprise Networks (Mon 4:00pm) BRKCRS-2893 Choice of Segmentation and Group-based Policies (Thurs 8:00am) BRKSEC-2203 Deploying TrustSec Security Group Tagging (Tue 1:30pm) BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (Wed 1:30pm) BRKSEC Building Network Security Policy: Through Data Intelligence (Thurs 1:00pm) 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 Public environments, Why are they so challenging?

16 Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Kenny Louie under Creative Commons License BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers New and Improved - BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 17

Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers Device behavior differs from one OS version to the next Dilbert 2010 BRKSEC-2059 2016 Cisco and/or its affiliates.

18 Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers Device behavior differs from one OS version to the next Dilbert 2010 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

Public environments, Why are they so challenging? Devices are mostly unmanaged Source www.

20 Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Where s the ANY key? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Users expect a simple experience, similar to home use BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Users expect a simple experience, similar to home use Lots of configuration parameters on ISE/Wireless Controller, which are correct? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Advice Words to live by in any environment (Best Practice)

27 Advice: Timers WLC: Radius Default timer value of 2 seconds is too short During busy times, Authentication latency may increase and exceed the default value Use best practice value between 5-10 seconds, typically Use timers appropriate to the environment (tune for your environment) Some remote/cloud based radius servers may have higher authentication latency and require some tweaking. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 27

Advice: Timers WLC: Radius - Continued Setting timers too long and the client might restart its session, retries from radius server will be dropped Avoid unnecessary radius server flaps with timers

28 Advice: Timers WLC: Radius - Continued Setting timers too long and the client might restart its session, retries from radius server will be dropped Avoid unnecessary radius server flaps with timers that are too short PSN1 PSN2 Radius flapping can have some major impacts on an ISE deployment Superman II, Warner Brothers 1980 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

Advice: Timers - Radius Typically 5-10 seconds BRKSEC-2059 2016

Advice: Timers - Radius Typically 5-10 seconds Usually matches Auth server timeout

31 Advice: Timers WLC: Radius - Continued Make sure that Aggressive Failover is disabled in the command line of the WLC This can have a big impact on ISE and Wireless Auths in general (Cisco Controller) >config radius aggressive-failover disable BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

Advice: Timers - WLANs Increase Session Timeout to 2+ hours (7200+ sec), if Enabled

Advice: Timers - WLANs This can also be sent as a Radius attribute in ISE under the AuthZ

35 Advice: Timers - WLANs For 802.1X SSIDs, Increase Client Idle Timeout to 1 hour (3600 sec) For Guest/Hotspot SSIDs, leave this low (300 sec) to free up resources (http redirect sessions) for clients that have disconnected BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Advice: Timers - WLANs Interim Update WLC 7.6: Recommended setting: Disabled Behavior: Only send update on IP address change Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates. Device Sensor updates not impacted BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Advice: Timers - WLANs Interim Update WLC 7.6: Recommended setting: Disabled WLC 8.0: Recommended setting: Enabled with Interval set to 0 Behavior: Only send update on IP address change Device Sensor updates not impacted Settings mapped correctly on upgrades BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. Specifications listed in ISE 1.3+ Installation Guide BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. Specifications listed in ISE Installation Guide BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

3 we added OVA Templates for deploying SNS-3415 and SNS-3495 equivalent hardware.

42 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. In 1.3 we added OVA Templates for deploying SNS-3415 and SNS-3495 equivalent hardware. That has been expanded to include the SNS-3515 and SNS platforms as well. It is highly recommended that you use these templates! BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 42

Advice: VM Resources Reservations Admin and MnT nodes rely heavily on

Deploying ISE in VMware environments where shared disk storage is

appliances Increasing the number of disk shares that a node is allocated

43 Advice: VM Resources Reservations Admin and MnT nodes rely heavily on disk usage (read/writes). Deploying ISE in VMware environments where shared disk storage is utilized may not give a like disk performance when compared to physical appliances Increasing the number of disk shares that a node is allocated can in most cases increase performance of the node. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 43

Advice: VM Resources Reservations - Before & After Chart BRKSEC-2059

46 Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated

47 Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications Administration Settings Protocols Radius BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications Only use the profiling probes/information that you need. Don t have information overload. Avoid probes that use SPAN. Start with Radius only first. Use device sensors in network access device Administration Deployment Profiling BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 48

Advice: Bugs CSCuu68490 - duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected

52 Advice: Bugs CSCuu duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 52

Advice: Bugs CSCuu68490 - duplicate radius-acct update message sent while roaming If Radius NAC is

packets These packets are unique (different radius IDs) but contain the same information 47ms Same

53 Advice: Bugs CSCuu duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets These packets are unique (different radius IDs) but contain the same information 47ms Same data Different ID BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 53

54 Advice: Bugs CSCuu duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets These packets are unique (different radius IDs) but contain the same information Currently resolved in and WLC code versions. 8.0 MR3+ BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 54

Inter-Node Communications Radius Flapping can be a real mess! MnT Profiling sync leverages JGroup channels All replication outside node group must traverse PAN including Ownership Change!

56 Inter-Node Communications Radius Flapping can be a real mess! MnT Profiling sync leverages JGroup channels All replication outside node group must traverse PAN including Ownership Change! If Local JGroup fails, then nodes fall back to Global JGroup communication channel. MnT PAN PAN WLC PSN5 says I own this mac address PSN1 PSN PSN3 says L2 or L3 Ok PSN5 owns this mac address PSN PSN2 NODE GROUP A (JGROUP A) PSN4 PSN PSN PSN5 NODE GROUP B (JGROUP B) PSN PSN3 PSN PSN6 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 56

57 Inter-Node Communications Radius Flapping can be a real mess! MnT Ok, now Radius flapping occurs. This could be due to timeouts received to WLC or due to the Radius NAC accounting bug This will also happen if a PSN receives profiling information for an endpoint that it doesn t own MnT PAN PAN WLC PSN5 says Ok PSN3 owns this mac address PSN1 PSN PSN3 says I L2 or L3 own this mac address PSN PSN2 NODE GROUP A (JGROUP A) PSN4 PSN PSN PSN5 NODE GROUP B (JGROUP B) PSN PSN3 PSN PSN6 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 57

59 Education What we have learned

60 Education: High Authentication Latency eduroam eduroam allows users from participating organizations to use their local credentials while visiting other eduroam locations to access the internet. eduroam is a cloud based Radius proxy. It acts as a federation point between education/research based entities and their Radius servers. eduroam s Radius proxy is accessed via the internet. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 60

62 Education: High Authentication Latency eduroam Due to the high authentication latency sometimes associated with cloud based radius servers, it may be necessary to adjust your radius timers. If using a load balancer, create a separate VIP for eduroam (can contain the same PSNs) If no load balancer, dedicate PSNs for eduroam (or other high latency SSIDs), if possible BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 62

63 Education: Students Converge at Lunch High Density Student s roaming patterns especially during meal times and events can cause an increased load on your wireless and ISE infrastructure. Make sure that you have enough wireless density to handle this converged access. Distribute the load across multiple PSNs to avoid overwhelming a single server. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 63

64 Education: User w/multiple devices PEAP Problem Good reason to use EAP-TLS Students carry multiple devices PEAP-MSChapV2 as 802.1X Authentication Method may cause AD lockouts if not changed on all devices. Locked accounts generate Help desk calls. A single device with old password may cause repeated AD lockouts BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 64

65 Hospitals/Medical Protecting the heart of your network

Hospital: Medical Devices Securing and Profiling Most medical devices don t support

1X To protect patient data, use WPA2- PSK with Mac Filtering

67 Hospital: Medical Devices Securing and Profiling Encrypt! Most medical devices don t support 802.1X To protect patient data, use WPA2- PSK with Mac Filtering and Profiling BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 67

68 Hospital: Medical Devices Securing and Profiling Most medical devices don t support 802.1X To protect patient data, use WPA2- PSK with Mac Filtering and Profiling Use unique attributes to profile your medical devices Typical attributes that work well for medical devices are dhcp-classidentifier, dhcp-parameterrequest-list and host-name BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 68

69 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Zebra Technologies Completes Acquisition of Motorola Solutions' Enterprise Business Press Releases 2014 ZIH Corp BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 69

70 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. What this means Before acquisition: BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 70

71 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. What this means After acquisition: BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 71

72 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 72

73 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates Spoofed MAC Addresses with new or different profiling attributes BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 73

74 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates Spoofed MAC Addresses with new or different profiling attributes BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 74

75 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 75

Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling)

76 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 76

77 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? You can then add an alarm to send an , whenever a device matches that policy. Currently we can enable for a single policy only. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 77

78 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? You can then add an alarm to send an , whenever a device matches that policy. Currently we can enable for a single policy only. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 78

79 Hospital: Paging Dr. Ihateloggingin Suggestions for better user experience Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a webportal or changing a PEAP password. Use EAP-TLS BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 79

busy and the last thing they want to do is to spend time logging into a webportal or

Use EAP-TLS A better option, if available would be to use EAP-TLS and CWA-Chaining to a

80 Hospital: Paging Dr. Ihateloggingin Suggestions for better user experience Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a webportal or changing a PEAP password. Use EAP-TLS A better option, if available would be to use EAP-TLS and CWA-Chaining to a Single Sign On (SSO) server. This would allow the end user to leverage the SSO token for other portals as well. Add an AUP check rule to stay logged in. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 80

81 Hospital: Nurse Carts/IP Phones Advice on corporate devices Nurses typically use rolling computer carts for charting patient information. To ensure continuous connections for these devices, survey your wireless for Voice applications. For ease of use and manageability, use Active Directory Group Policy Objects (GPO) to manage the supplicants and certificates of AD joined devices. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 81

Hospital: Medical NAC Profiles custom built for medical

devices Identification and classification of

82 Hospital: Medical NAC Profiles custom built for medical devices Secure-access options for healthcare-specific devices Identification and classification of healthcarespecific devices (250+ devices) Profiling methods and best practices Thank s Craig! Segmentation of medical devices BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 82

83 Public Transportation Tips for the thrifty traveler

Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius

85 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 85

86 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 86

87 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user. Create unique portal pages for each area. Advertisements can be built into the portal page or referenced from an external server. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 87

88 Airport: Hotspot setup with custom redirect Using MSE and ISE 2.0 New to ISE 2.0, you can now leverage Mobility Services Engine (MSE) for physical location tracking Location information returned from the MSE can be used in the Authorization rule for directing clients to the portal serving their location Cisco and/or its affiliates. All rights reserved. Cisco Public

Soapbox: Buy Public Certificates Stop teaching users to accept Man-in-the-middle

90 Conclusion

91 Conclusion Review Public Environments can be challenging Avoid ISE meltdowns Keep up to date with versions and patches, be aware of software defects that might affect your environment Use advice in this guide to solve challenges in your environment Use Real Best Practice to ensure that you have a successful deployment. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 91

Public ISE Community Public ISE Community: http://cs.

92 Public ISE Community Public ISE Community: Monitored and Responded to by TME s on my Team Ask Questions There Get Answers by Cisco Experts & Partners BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 92

Security Joins the Customer Connection Program Customer User Group Program 19,000+ Who can join: Cisco customers, service providers, solution partners and training partners Private online community

93 Security Joins the Customer Connection Program Customer User Group Program 19,000+ Who can join: Cisco customers, service providers, solution partners and training partners Private online community to connect with peers & Cisco s Security product teams Monthly technical & roadmap briefings via WebEx Opportunities to influence product direction Members Strong Join in World of Solutions Security zone Customer Connection stand Learn about CCP and Join New member thank-you gift* Customer Connection Member badge ribbon Local in-person meet ups starting Fall 2016 New member thank you gift * & badge ribbon when you join in the Cisco Security booth Other CCP tracks: Collaboration & Enterprise Networks Join Online Come to Security zone to get your new member gift* and ribbon Presentation ID * While supplies last 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 93

Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

94 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 94

95 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 95

96 Thank you

Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training. BRKSEC Deploying ISE in a Dynamic Public Environment

Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment 1 Deploying ISE in a Dynamic Public Environment BRKSEC-2059 Clark