Deploying ISE in a Dynamic Public Environment

Size: px

Start display at page:

Download "Deploying ISE in a Dynamic Public Environment"

Milton Richardson
6 years ago
Views:

2 Deploying ISE in a Dynamic Public Environment Clark Gambrel, CCIE #18179 Technical Leader, Engineering, Core Software Group BRKSEC-2059

Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training BRKSEC-2059 - Deploying ISE in

3 Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training BRKSEC Deploying ISE in a Dynamic Public Environment BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 Deploying ISE in a Dynamic Public Environment Clark Gambrel, CCIE #18179 Technical Leader, Engineering, Core Software Group BRKSEC-2059

5 Abstract Managing a secure, yet flexible network in today's public access environments can be very challenging. Public access networks in areas like universities, hospitals and airports host a broad array of devices, both privately owned and corporately managed. With the increasing importance of the Internet of Things, the variety of devices that need to connect to these public networks is rapidly increasing. Cisco Identity Services Engine (ISE) plays an integral role in controlling the access to these dynamic public networks. This session will share lessons learned (best practice) from an ISE escalation engineer in troubleshooting complex customer environments.

6 Introduction

Clark Gambrel, CCIE #18179 Technical Leader

com @ClarkGambrel BRKSEC-2059 2017 Cisco and/or

13 Agenda Introduction Public environments, Why are they so challenging? Advice Words to live by in any environment (Best Practice!) Education What we have learned Hospitals/Medical Protecting the heart of your network Public Transportation Tips for the thrifty traveler Conclusion

ISE & Software Defined Segmentation Sessions You are here TECSEC-2222 (4 h) Securing Networks with Cisco Trustsec

Engine) BRKSEC-2203 (90m) Enabling Software- Defined Segmentation with TrustSec Tue 21 Feb 16:45 BRKSEC-3690 (2h)

Public Environment Fri 24-Feb 11:30 BRKSEC-3699 (2h) Designing ISE for Scale & High Availability Fri 24 Feb 09:00

Advanced ISE Services, Tips and Tricks Thu 23 Feb 09:00 BRKSEC-2344 (2h) Device Administration with TACACS+ using

15 ISE & Software Defined Segmentation Sessions You are here TECSEC-2222 (4 h) Securing Networks with Cisco Trustsec TECSEC-2404 (8 h) ACI Security TECSEC-2672 (8 h) Intermediate - Network Access Control with ISE (Identity Services Engine) BRKSEC-2203 (90m) Enabling Software- Defined Segmentation with TrustSec Tue 21 Feb 16:45 BRKSEC-3690 (2h) Advanced Security Group Tags: The Detailed Walk Through Wed 22 Feb 09:00 BRKSEC-2059 (2h) Deploying ISE in a Dynamic Public Environment Fri 24-Feb 11:30 BRKSEC-3699 (2h) Designing ISE for Scale & High Availability Fri 24 Feb 09:00 BRKSEC-3014 (2h) Security Monitoring with StealthWatch: The detailed walkthrough Wed 22 Feb 09:00 BRKSEC-3697 (2h) Advanced ISE Services, Tips and Tricks Thu 23 Feb 09:00 BRKSEC-2344 (2h) Device Administration with TACACS+ using Identity Services Engine 2.X Tue 21 Feb 14:15 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Labs & Lunch and Learn Sessions LTRSEC-2800 (90m) Integrating TrustSec and ACI Together Thurs 23 Feb 14:00 LABSEC-1007 (45m) AnyConnect(4.2) Posture with Identity Services Engine (ISE) 2.1 LABSEC-2004 (30m) Dot1x : Troubleshooting tips and tricks LALSEC-2003 Lunch and Learn - Cisco Identity Services Engine (ISE) Tue 21 Feb LABSEC-1300 (30m) Configuring and troubleshooting TACACS+ in ISE 2.1 with Nx-OS devices, IOS and WLC LTRSEC-3400 (4h) ISE Troubleshooting LAB Tue 21 Feb 14:15 LALSEC-2006 Lunch and Learn - Network as a Sensor/Enforcer Wed 22 Feb BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Public environments, Why are they so challenging?

19 Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Kenny Louie under Creative Commons License BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers New and Improved - BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers Device behavior differs from one OS version to the next Dilbert 2010 BRKSEC-2059 2017 Cisco and/or its affiliates.

21 Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers Device behavior differs from one OS version to the next Dilbert 2010 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

Public environments, Why are they so challenging? Devices are mostly unmanaged Source www.

23 Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Where s the ANY key? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Users expect a simple experience, similar to home use BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Users expect a simple experience, similar to home use Lots of configuration parameters on ISE/Wireless Controller, which are correct? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Advice Words to live by in any environment (Best Practice)

27 Inter-Node Communications Radius Flapping can be a real mess! MnT Profiling sync leverages JGroup channels All replication outside node group must traverse PAN including Ownership Change! If Local JGroup fails, then nodes fall back to Global JGroup communication channel. MnT PAN PAN WLC PSN5 says I own this mac address PSN1 PSN PSN3 says L2 or L3 Ok PSN5 owns this mac address PSN PSN2 NODE GROUP A (JGROUP A) PSN4 PSN PSN PSN5 NODE GROUP B (JGROUP B) PSN PSN3 PSN PSN Cisco and/or its affiliates. All rights reserved. Cisco Public

28 Inter-Node Communications Radius Flapping can be a real mess! MnT Ok, now Radius flapping occurs. This could be due to timeouts received to WLC or due to the Radius NAC accounting bug This will also happen if a PSN receives profiling information for an endpoint that it doesn t own MnT PAN PAN WLC PSN5 says Ok PSN3 owns this mac address PSN1 PSN PSN3 says I L2 or L3 own this mac address PSN PSN2 NODE GROUP A (JGROUP A) PSN4 PSN PSN PSN5 NODE GROUP B (JGROUP B) PSN PSN3 PSN PSN Cisco and/or its affiliates. All rights reserved. Cisco Public

Profiling and Data Replication Before Tuning PAN MnT MnT Node Group = DC1-group PSN PSN PSN PSN Node Group = DC2-group 4 2 1 3 5 PSN PSN PSN PSN PSN NMAP RADIUS

29 Profiling and Data Replication Before Tuning PAN MnT MnT Node Group = DC1-group PSN PSN PSN PSN Node Group = DC2-group PSN PSN PSN PSN PSN NMAP RADIUS Auth RADIUS Acctng DHCP 1 DHCP 2 NetFlow # Ownership Change Global Replication BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Impact of Ownership Changes Before Tuning Owner? Owner? Owner? Owner? Owner? Node Group = DC1-group Node Group = DC2-group PSN PSN PSN PSN PSN PSN PSN PSN PSN RADIUS Auth DHCP 1 DHCP 2 NMAP RADIUS Acctng NetFlow BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 30

33 Advice: Timers WLC: Radius Default timer value of 2 seconds is too short During busy times, Authentication latency may increase and exceed the default value BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Advice: Timers WLC: Radius Default timer value of 2 seconds is too short During busy times, Authentication latency may increase and exceed the default value Use best practice value between 5-10 seconds, typically BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 34

36 Advice: Timers WLC: Radius Use timers appropriate to the environment (tune for your environment) Some remote/cloud based radius servers may have higher authentication latency and require some tweaking. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 36

Advice: Timers WLC: Radius - Continued Setting timers too long and the client might restart its session, retries from radius server will be dropped Avoid unnecessary radius server flaps with timers

37 Advice: Timers WLC: Radius - Continued Setting timers too long and the client might restart its session, retries from radius server will be dropped Avoid unnecessary radius server flaps with timers that are too short PSN1 PSN2 Radius flapping can have some major impacts on an ISE deployment Superman II, Warner Brothers 1980 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 38

Advice: Timers - Radius Typically 5-10 seconds BRKSEC-2059 2017

Advice: Timers - Radius Typically 5-10 seconds Usually matches Auth server timeout

40 Advice: Timers WLC: Radius - Continued Make sure that Aggressive Failover is disabled in the command line of the WLC This can have a big impact on ISE and Wireless Auths in general (Cisco Controller) >config radius aggressive-failover disable BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

(recommended) BRKSEC-2059 2017 Cisco and/or

Advice: Timers - WLANs This can also be sent as a Radius attribute in ISE under the AuthZ

44 Advice: Timers - WLANs For 802.1X SSIDs, Increase Client Idle Timeout to 1 hour (3600 sec) For Guest/Hotspot SSIDs, leave this low (300 sec) to free up resources (http redirect sessions) for clients that have disconnected BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 45

Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates.

45 Advice: Timers - WLANs Interim Update WLC 7.6: Recommended setting: Disabled Behavior: Only send update on IP address change Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates. Device Sensor updates not impacted BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

46 Advice: Timers - WLANs Interim Update WLC 7.6: Recommended setting: Disabled WLC 8.0: Recommended setting: Enabled with Interval set to 0 Behavior: Only send update on IP address change Device Sensor updates not impacted Settings mapped correctly on upgrades BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 47

47 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. Specifications listed in ISE 1.3+ Installation Guide BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 48

48 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. Specifications listed in ISE Installation Guide BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 49

49 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 50

50 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 51

3 we added OVA Templates for deploying SNS-3415 and SNS-3495 equivalent hardware.

51 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. In 1.3 we added OVA Templates for deploying SNS-3415 and SNS-3495 equivalent hardware. That has been expanded to include the SNS-3515 and SNS platforms as well. It is highly recommended that you use these templates! BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 52

52 Advice: VM Resources Reservations Admin and MnT nodes rely heavily on disk usage (read/writes). Deploying ISE in VMware environments where shared disk storage is utilized may not give a like disk performance when compared to physical appliances Increasing the number of disk shares that a node is allocated can in most cases increase performance of the node. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 53

Advice: VM Resources Reservations - Before & After Chart BRKSEC-2059

56 Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 57

Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated

57 Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications Administration Settings Protocols Radius BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 58

58 Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications Only use the profiling probes/information that you need. Don t have information overload. Avoid probes that use SPAN. Start with Radius only first. Use device sensors in network access device Administration Deployment Profiling BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 59

Load Balancing RADIUS Sample Flow 1 radius-server host 10.1.98.8 User 2 Access Device 4 VLAN 98 (10.1.98.0/24) RADIUS ACCTG AUTH request to to 10.1.98.8 RADIUS ACCTG AUTH response from from 10.1.98.8 VIP: 10.

60 Load Balancing RADIUS Sample Flow 1 radius-server host User 2 Access Device 4 VLAN 98 ( /24) RADIUS ACCTG AUTH request to to RADIUS ACCTG AUTH response from from VIP: PSN-CLUSTER Load Balancer VLAN 99 ( /24) PSN ISE-PSN-1 PSN ISE-PSN NAD has single RADIUS Server defined ( ) 2. RADIUS Auth requests sent to Requests for same endpoint load balanced to different PSN because roundrobin(rr) load balancing is used without persistance (sticky). 4. RADIUS response received from (originated by real server and source translated by LB) 5. RADIUS Accounting sent to/from different PSN based on RR and no sticky PSN ISE-PSN BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 61

61 Load Balancing RADIUS Sample Flow VLAN 98 ( /24) VLAN 99 ( /24) 1 radius-server host User 2 Access Device 4 5 RADIUS ACCTG AUTH request to to RADIUS ACCTG AUTH response from from VIP: PSN-CLUSTER Load Balancer PSN ISE-PSN-1 PSN ISE-PSN-2 1. NAD has single RADIUS Server defined ( ) 2. RADIUS Auth requests sent to Requests for same endpoint load balanced to same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address 4. RADIUS response received from (originated by real server and source translated by LB) 5. RADIUS Accounting sent to/from same PSN based on sticky PSN ISE-PSN BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 62

62 Profiling and Data Replication After Tuning PAN MnT MnT Node Group = DC1-group PSN PSN 1 PSN PSN Node Group = DC2-group PSN PSN PSN PSN 2 PSN RADIUS Auth RADIUS Acctng NMAP DHCP 1 NetFlow # Ownership Change Global Replication BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 63

63 Impact of Ownership Changes After Tuning Owner Node Group = DC1-group Node Group = DC2-group PSN PSN PSN PSN PSN PSN PSN PSN PSN RADIUS Auth RADIUS Acctng NMAP DHCP 1 NetFlow BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 64

Advice: Bugs CSCuu68490 - duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected

67 Advice: Bugs CSCuu duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 68

Advice: Bugs CSCuu68490 - duplicate radius-acct update message sent while roaming If Radius NAC is

packets These packets are unique (different radius IDs) but contain the same information 47ms Same

68 Advice: Bugs CSCuu duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets These packets are unique (different radius IDs) but contain the same information 47ms Same data Different ID BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 69

69 Advice: Bugs CSCuu duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets These packets are unique (different radius IDs) but contain the same information Currently resolved in and WLC code versions. 8.0 MR3+ BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 70

Avoid Radius Flapping USE BEST PRACTICE!

74 Education What we have learned

75 Education: High Authentication Latency eduroam eduroam allows users from participating organizations to use their local credentials while visiting other eduroam locations to access the internet. eduroam is a cloud based Radius proxy. It acts as a federation point between education/research based entities and their Radius servers. eduroam s Radius proxy is accessed via the internet. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 76

77 Education: High Authentication Latency eduroam Due to the high authentication latency sometimes associated with cloud based radius servers, it may be necessary to adjust your radius timers. If using a load balancer, create a separate VIP for eduroam (can contain the same PSNs) If no load balancer, dedicate PSNs for eduroam (or other high latency SSIDs), if possible BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 78

78 Education: Students Converge at Lunch High Density Student s roaming patterns especially during meal times and events can cause an increased load on your wireless and ISE infrastructure. Make sure that you have enough wireless density to handle this converged access. Distribute the load across multiple PSNs to avoid overwhelming a single server. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 79

79 Education: User w/multiple devices PEAP Problem Good reason to use EAP-TLS Students carry multiple devices PEAP-MSChapV2 as 802.1X Authentication Method may cause AD lockouts if not changed on all devices. Locked accounts generate Help desk calls. A single device with old password may cause repeated AD lockouts BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 80

80 Hospitals/Medical Protecting the heart of your network

Hospital: Medical Devices Securing and Profiling Most medical devices don t support

1X To protect patient data, use WPA2- PSK with Mac Filtering

82 Hospital: Medical Devices Securing and Profiling Encrypt! Most medical devices don t support 802.1X To protect patient data, use WPA2- PSK with Mac Filtering and Profiling BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 83

83 Hospital: Medical Devices Securing and Profiling Most medical devices don t support 802.1X To protect patient data, use WPA2- PSK with Mac Filtering and Profiling Use unique attributes to profile your medical devices Typical attributes that work well for medical devices are dhcp-classidentifier, dhcp-parameterrequest-list and host-name BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 84

84 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Zebra Technologies Completes Acquisition of Motorola Solutions' Enterprise Business Press Releases 2014 ZIH Corp BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 85

85 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. What this means Before acquisition: BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 86

86 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. What this means After acquisition: BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 87

87 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 88

88 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates Spoofed MAC Addresses with new or different profiling attributes BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 89

89 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates Spoofed MAC Addresses with new or different profiling attributes BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 90

90 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 91

Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling)

91 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 92

whitelist and allow network access, simple right?

92 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? You can then add an alarm to send an , whenever a device matches that policy. Currently we can enable for a single policy only. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 93

93 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? You can then add an alarm to send an , whenever a device matches that policy. Currently we can enable for a single policy only. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 94

94 Hospital: Paging Dr. Ihateloggingin Suggestions for better user experience Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a webportal or changing a PEAP password. Use EAP-TLS BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 95

busy and the last thing they want to do is to spend time logging into a webportal or

Use EAP-TLS A better option, if available would be to use EAP-TLS and CWA-Chaining to a

95 Hospital: Paging Dr. Ihateloggingin Suggestions for better user experience Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a webportal or changing a PEAP password. Use EAP-TLS A better option, if available would be to use EAP-TLS and CWA-Chaining to a Single Sign On (SSO) server. This would allow the end user to leverage the SSO token for other portals as well. Add an AUP check rule to stay logged in. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 96

96 Hospital: Nurse Carts/IP Phones Advice on corporate devices Nurses typically use rolling computer carts for charting patient information. To ensure continuous connections for these devices, survey your wireless for Voice applications. For ease of use and manageability, use Active Directory Group Policy Objects (GPO) to manage the supplicants and certificates of AD joined devices. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 97

Hospital: Medical NAC Profiles custom built for medical

devices Identification and classification of

Profiling methods and best practices Segmentation of medical

97 Hospital: Medical NAC Profiles custom built for medical devices Secure-access options for healthcare-specific devices Identification and classification of healthcarespecific devices (250+ devices) Thanks Craig! Profiling methods and best practices Segmentation of medical devices BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 98

98 Public Transportation Tips for the thrifty traveler

Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius

100 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 101

101 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user Cisco and/or its affiliates. All rights reserved. Cisco Public

102 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user. Create unique portal pages for each area. Advertisements can be built into the portal page or referenced from an external server. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 103

103 Airport: Hotspot setup with custom redirect Using MSE and ISE 2.0 New to ISE 2.0, you can now leverage Mobility Services Engine (MSE) for physical location tracking Location information returned from the MSE can be used in the Authorization rule for directing clients to the portal serving their location Cisco and/or its affiliates. All rights reserved. Cisco Public

105 Conclusion

106 Conclusion Review Public Environments can be challenging Avoid ISE meltdowns Keep up to date with versions and patches, be aware of software defects that might affect your environment Use advice in this guide to solve challenges in your environment Use Real Best Practice to ensure that you have a successful deployment. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 107

Public ISE Community Public ISE Community: http://cs.

107 Public ISE Community Public ISE Community: Monitored and Responded to by TME s on my Team Ask Questions There Get Answers by Cisco Experts & Partners BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 108

Security Joins the Customer Connection Program Customer User Group Program 19,000+ Who can join: Cisco customers, service providers, solution partners and training partners Private online community

108 Security Joins the Customer Connection Program Customer User Group Program 19,000+ Who can join: Cisco customers, service providers, solution partners and training partners Private online community to connect with peers & Cisco s Security product teams Monthly technical & roadmap briefings via WebEx Opportunities to influence product direction Members Strong Join in World of Solutions Security zone Customer Connection stand Learn about CCP and Join New member thank-you gift* Customer Connection Member badge ribbon Local in-person meet ups starting Fall 2016 New member thank you gift * & badge ribbon when you join in the Cisco Security booth Other CCP tracks: Collaboration & Enterprise Networks Join Online Come to Security zone to get your new member gift* and ribbon * While supplies last BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 109

Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday)

109 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 110

110 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 111

111 Q & A

112 Thank You

113

K.I.T.T. Know ISE Through Training

Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved.