Getting the Most out of your BYOD Investment A Deep Dive of ISE BYOD Policy

Transcription

1

2 Getting the Most out of your BYOD Investment A Deep Dive of ISE BYOD Policy Kevin Redmon System Test Engineer

3 Agenda Introduction RADIUS the Backbone of BYOD Testing the Waters Current BYOD Solution The Great Blue Yonder What else is Possible with RADIUS Diving in to Make it Happen the Configuration Conclusion 3

4 Agenda Introduction RADIUS the Backbone of BYOD Testing the Waters Current BYOD Solution The Great Blue Yonder What else is Possible with RADIUS Diving in to Make it Happen the Configuration Conclusion 4

5 Introduction About me 13+ year veteran of Cisco BYOD Smart Solution Test Team for 2 years From Ohio (Go BUCKEYES!!!) now living in North Carolina (Go Pirates/Wolfpack/Blue Devils/Tarheels!!!) Youngest of 12 children with 9 sisters, 2 brothers Married 6 WONDERFUL years to my beautiful wife, Sonya A princess of a daughter, Melody, 3 ½ years old. 6

6 Introduction About Cisco s BYOD System Design The Cisco s BYOD System Design Version 2.6 released in March 2014 Key Updates from 2.5: Feature parity between Converged Access and CUWN ac WiFi Support on AP3600 Location/Context Enabled via Mobility Services Engine (MSE) Mobility AVC and QoS for Jabber Collaboration Cisco s Identity Services Engine (ISE) is at the center of the solution. Next version of the CVD to come out Summer

7 Check your gear before diving in Before implementing the concepts in this presentation, be sure to test in a controlled environment Certain features and capabilities were released in particular versions/license of code The behavior may vary slightly between different platforms Tweak configurations as needed to achieve desired result I m Human Ensure that your company s security policy is sufficiently executed in the configured BYOD policy 8

8 BYOD Network Overview Branch WAN Campus Internet Edge Cisco 5508 Series Wireless Controller (Guest Controller) Internet Primary GETVPN Tunnel SP Network Internet Backup DMVPN Tunnel Cisco ASR 1000 Series Aggregation Routers ASA Firewall Campus Core Services Module Cisco ISR Series Router (Primary Router) Cisco SR Series Router (Backup Router) Catalyst 3850, X, 3650-X, or 2960-S Series Switches Cisco Aironet 2600, 3500, and 3600 Series Access Points Application & File Servers Data Center RSA DNS DHCP Prime Infra CA AD ISE CUCM Mobility Services Engine Campus 5500/5760 Series Wireless Controller(s) Campus Aironet Access Points Branch Flex 7500 Series Wireless Controller(s) Building Module 9

9 Agenda Introduction RADIUS the Backbone of BYOD Testing the Waters Current BYOD Solution The Great Blue Yonder What else is Possible with RADIUS Diving in to Make it Happen the Configuration Conclusion 10

10 RADIUS RFC2865 states: RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. Four Packet Types Access-Request Access-Accept Access-Reject Access-Challenge RFC3576 Dynamic Authorization Extensions to RADIUS 12

11 Identity Services Engine (ISE) AAA Authentication (AuthC), Authorization (AuthZ), Accounting AuthC confirms who you (as the user of the endpoint) or the endpoint itself are. AuthZ determines what network resources you (as the user) and/or the endpoint are allowed to access RADIUS is the underlying protocol that allows this all to happen 13

12 Typical BYOD Flow 1. CWA/NSP ISE portal authenticates, authorizes, and/or registers the endpoint and enrolls the endpoint with the Certificate Authority 2. MDM Enrollment (Advanced Use Case) enroll with MDM 3. ISE Quarantine (Advanced Use Case) ensure endpoint adheres to ISE endpoint policy 4. MDM Quarantine (Advanced Use Case) ensure endpoint adheres to MDM endpoint policy 5. Final Access Level each future access to the network will be automatic with the certificate authentication at the configured access level

13 Endpoint Onboarding (Single SSID) Endpoint NAS ISE CA Username via PEAP RADIUS Access-Request RADIUS Access-Challenge RADIUS Access-Request RADIUS Access-Request RADIUS Access-Accept User Accesses Webpage Redirect to ISE NSP Portal User Provides Info about Endpoint to ISE Public key and X.509 for SCEP enrollment Certificate deployed to endpoint certificate store SCEP proxy SCEP proxy Endpoint = Registered 15

14 Endpoint Access (BYOD_Employee) Endpoint NAS ISE CA Endpoint AuthC via EAP-TLS RADIUS Access-Request RADIUS Access-Challenge RADIUS Access-Request RADIUS Access-Request CRL Check RADIUS Access-Accept Valid Certificate User granted Full Access 16

15 Agenda Introduction RADIUS the Backbone of BYOD Testing the Waters Current BYOD Solution The Great Blue Yonder What else is Possible with RADIUS Diving in to Make it Happen the Configuration Conclusion 18

16 BYOD Network Overview Branch WAN Campus Internet Edge Cisco 5508 Series Wireless Controller (Guest Controller) Internet Primary GETVPN Tunnel SP Network Internet Backup DMVPN Tunnel Cisco ASR 1000 Series Aggregation Routers ASA Firewall Campus Core Services Module Cisco ISR Series Router (Primary Router) Cisco SR Series Router (Backup Router) Catalyst 3850, X, 3650-X, or 2960-S Series Switches Cisco Aironet 2600, 3500, and 3600 Series Access Points Application & File Servers Data Center RSA DNS DHCP Prime Infra CA AD ISE CUCM Mobility Services Engine Campus 5500/5760 Series Wireless Controller(s) Campus Aironet Access Points Branch Flex 7500 Series Wireless Controller(s) Building Module 20

17 Authentication Policy 22

18 Authentication Conditions 23

19 Authentication Condition Wireless 802.1x 24

20 Authentication Attribute Value Pairs (AVPs) in BYOD Method of Access Method of Access Wired RADIUS NAS-Port-Type Ethernet Wireless Wireless IEEE RADIUS:NAS-Port-Type Equals Ethernet 25

21 Authentication Attribute Value Pairs (AVPs) in BYOD Method of Authentication Method of Authentication RADIUS Service-Type 802.1x Framed Web Authentication MAC Authentication Bypass Login Call-Check RADIUS:Service-Type Equals Framed 26

22 Authentication Protocols 27

23 Default Network Access 28

24 Authentication Policy 29

25 Authentication AVPs in BYOD Authentication Protocol Authentication Protocol EAP-TLS PEAP Network Access EapAuthentication = EAP-TLS EapTunnel = PEAP Network Access:EapAuthentication = EAP-TLS Network Access:EapTunnel = PEAP 30

26 Authorization Policy 31

27 Authorization Profiles 32

28 Authorization Profile Wireless CWA 33

29 Authorization Profile Wireless CWA AVPs 34

30 Authorization AVPs Access Type = ACCESS_ACCEPT Airespace-ACL-Name = ACL_Provisioning cisco-av-pair = url-redirect-acl=acl_provisioning_redirect cisco-av-pair = urlredirect= cwa 35

31 BYOD CVD Authorization Common Tasks/AVPs Common Task DACL Name VLAN Web Redirection Filter-ID Airespace ACL Name Radius AV Pair DACL = <ACL_NAME> Tunnel-Private-Group-ID = 1:<VLAN#> Tunnel-Type = 1:13 (VLAN) Tunnel-Medium-Type = 1:6 (IEEE-802) cisco-av-pair = url-redirect-acl=<acl_name> cisco-av-pair = url-redirect= action=<cwa nsp mdm> Filter-ID = <ACL_NAME>.in Airespace-ACL-Name = <ACL_NAME> 36

32 Agenda Introduction RADIUS the Backbone of BYOD Testing the Waters Current BYOD Solution The Great Blue Yonder What else is Possible with RADIUS Diving in to Make it Happen the Configuration Conclusion 37

33 Authentication Request PEAP Packet capture Single SSID Onboarding, BYOD_Employee, Full Access User Note 1: EAP Method Types

34 Authentication Response PEAP Packet capture Single SSID Onboarding, BYOD_Employee, Full Access User 40

35 PEAP Overview Method of Access (Wired/Wireless) and Method of Authentication (802.1x/MAB/WebAuth) happens in the Access-Request Authentication Protocol takes a few packets the 2 nd Access-Request contains PEAP The TLS exchange takes several additional packets The Access_Accept contains the Authorization for the endpoint Contains a Redirect ACL Contains a Redirect URL Contains a Access Control ACL The SessionID is the unique identifier for the session Over 13 different fields in the Access-Request to flag off of for Authentication 41

36 Authentication Request PEAP So many fields to choose from!!! Note 1: EAP Method Types

37 Authentication Request - MAB Packet capture Dual SSID Onboarding, BYOD_Provisioning, Partial Access User 43

38 Authentication Response - MAB Packet capture Dual SSID Onboarding, BYOD_Provisioning, Partial Access User 44

39 Authentication Request EAP-TLS Packet capture BYOD_Employee, Partial Access User 45

40 Authentication Response EAP-TLS Packet capture BYOD_Employee, Partial Access User 46

41 Agenda Introduction RADIUS the Backbone of BYOD Testing the Waters Current BYOD Solution The Great Blue Yonder What else is Possible with RADIUS Diving in to Make it Happen the Configuration Conclusion 47

42 Configuration Options Authentication Enable the sending of Vendor Specific Attributes (VSAs) radius-server vsa send accounting radius-server vsa send authentication Configure the Cisco VSAs radius-server attribute 6 on-for-login-auth radius-server attribute 8 include-in-access-req radius-server attribute 25 access-request include Adjust MAC address format radius-server attribute 31 {append-circuit-id mac format {default ietf unformatted} remote-id send nas-port-detail [mac-only]} 49

43 Configuration Options Authentication (cont d) Send NAS-identifier radius-server attribute 32 include-in-access-req Non-RFC-compliant NAS-Port-Types radius-server attribute 61 extended radius-server attribute nas-port format Enable Change of Authorization aaa server radius dynamic-author client server-key 7 032A A701E1D5D4C 50

44 Configuration Options Authorization Authorization Profile DACL VLAN Web Redirect Filter-ID Airespace ACL Wireless Wired 51

45 RADIUS Dictionaries 86 pre-defined RADIUS IETF Attributes By default, ISE provides the following RADIUS-vendor dictionaries: Airespace (Cisco Wireless) Cisco (General Cisco RADIUS) Cisco-BBSM (Cisco Building Broadband Service Manager) Cisco-VPN3000 (Cisco VPN) Microsoft (Microsoft Authentication) Additional RADIUS-vendor dictionaries can be added 1 Export/Import functionality or manual configuration Note 1: 52

46 Authorization Profiles Custom Attribute Value Pairs 53

47 Troubleshooting Your Configuration Authentication Live Logs Details 54

48 Troubleshooting Your Configuration Authentication Live Logs Details - Overview 55

49 Troubleshooting Your Configuration Authentication Live Logs Details Authentication Details 56

50 Troubleshooting Your Configuration Authentication Live Logs Details Authentication Details (cont d) 57

51 Troubleshooting Your Configuration Authentication Live Logs Details Other Attributes 58

52 Troubleshooting Your Configuration Authentication Live Logs Details Other Attributes (cont d) 59

53 Troubleshooting Your Configuration Authentication Live Logs Details Result 60

54 Troubleshooting Your Configuration Authentication Live Logs Details Steps 61

55 Best Practices Dive in but don t get the bends Do a packet capture of relevant RADIUS traffic Audit any fields that may be missing yet needed Can you get the additional fields via another method? Supplementary attributes via ISE Profiling Do a proof of concept in a controlled environment Second instance of ISE and an indicative network Singular instance of ISE with a unique alpha user/endpoint/port/ssid 62

56 Agenda Introduction RADIUS the Backbone of BYOD Testing the Waters Current BYOD Solution The Great Blue Yonder What else is Possible with RADIUS Diving in to Make it Happen the Configuration Conclusion 63

57 Additional Reference Material Cisco Bring Your Own Device (BYOD) Design Guide 65

58 Additional Reference Material Cisco Bring Your Own Device (BYOD) Design Guide Cisco Bring Your Own Device (BYOD) Networking LiveLessons Video Series 66

59 Additional Reference Material Cisco Bring Your Own Device (BYOD) Design Guide Cisco Bring Your Own Device (BYOD) Networking LiveLessons Video Series Cisco ISE for BYOD and Secure Unified Access by Aaron Woland and Jamey Heary 67

60 Participate in the My Favorite Speaker Contest Promote Your Favorite Speaker and You Could be a Winner Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress) Send a tweet and include Your favorite speaker s Twitter handle <@EE_KDawg> Two hashtags: #CLUS #MyFavoriteSpeaker You can submit an entry for more than one of your favorite speakers Don t forget to View the official rules at 68

61 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online 69

62 Continue Your Education Demos in the Cisco Campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings 70

63 Conclusion RADIUS is the glue for ISE s Security Policy ISE is highly customizable Confirm any changes to your BYOD policy in a controlled environment Leverage Authentication Live Logs for troubleshooting and further insight 71

64

65

66 Backup Slides

67 BYOD CVD Authorization Summary Onboarding Scenarios Authorization Profile DACL VLAN Web Redirect Filter-ID Airespace ACL Access-Type Wireless CWA CWA ACCESS_ACCEPT Wireless NSP NSP ACCESS_ACCEPT Wired CWA CWA ACCESS_ACCEPT Internet Until MDM MDM ACCESS_ACCEPT ISE Quarantine MDM ACCESS_ACCEPT MDM Quarantine MDM ACCESS_ACCEPT 78

68 BYOD CVD Authorization Summary Network Access Scenarios - Campus Authorization Profile DACL VLAN Web Redirect Filter-ID Airespace ACL Access-Type Campus Wifi Full Access ACCESS_ACCEPT Campus Wifi Partial Access ACCESS_ACCEPT Campus Wifi Internet Only ACCESS_ACCEPT Campus WiFi MAB ACCESS_ACCEPT Campus Wired Full Access ACCESS_ACCEPT Campus Wired Partial Access ACCESS_ACCEPT Campus Wired Internet Only ACCESS_ACCEPT Campus Wired MAB ACCESS_ACCEPT 79

69 BYOD CVD Authorization Summary Network Access Scenarios Branch (FlexConnect mode) Authorization Profile DACL VLAN Web Redirect Filter-ID Airespace ACL Access-Type Branch Wifi Full Access 1 ACCESS_ACCEPT Branch Wifi Partial Access 1 ACCESS_ACCEPT Branch Wifi Internet Only 1 ACCESS_ACCEPT Branch Wifi Internet Only 1 ACCESS_ACCEPT Branch Wired Full Access ACCESS_ACCEPT Branch Wired Partial Access ACCESS_ACCEPT Branch Wired Internet Only ACCESS_ACCEPT Branch Wired MAB ACCESS_ACCEPT Note 1: Access control (ie ACLs) is supplemented by FlexConnect ACLs for these scenarios. 80

70 BYOD CVD Authorization Summary Lost/Stolen Devices, Guest Access, and Miscellaneous Authorization Profile DACL VLAN Web Redirect Filter-ID Airespace ACL Access-Type EPS Quarantine ACCESS_REJECT Blackhole WiFi Access Blackhole ACCESS_ACCEPT Blackhole Wired Access Blackhole ACCESS_ACCEPT Sponsored Guest Access 1 ACCESS_ACCEPT Basic Access 1 ACCESS_ACCEPT PermitAccess ACCESS_ACCEPT DenyAccess ACCESS_REJECT Note 1: Access control (ie ACLs) is managed by the Edge ASA for these scenarios. 81

71 82 The End