What do you want for Christmas?

Transcription

1 What do you want for Christmas?

2 ISE 2.0 new feature examples TACACS, Certificate Provisioning, Posture encryption Eugene Korneychuk, Michał Garcarz AAA TAC Engineers

3 Agenda ISE - new features in 2.0 AnyConnect new features in 4.1 and 4.2 Posture checks with disk encryption TACACS ASA, WLC and IOS examples Certificate Provisioning Q&A

4 ISE - new features in 2.0 ISE - new features in 2.0 AnyConnect new features in 4.1 and 4.2 Posture checks with disk encryption TACACS ASA, WLC and IOS examples Certificate Provisioning Q&A

5 ISE - new features in 2.0 TACACS+ and Device Admin Work Center UI Updates and WorkCenter Deployment / Operational Enhancements pxgrid, ANC, Fire & ISE TrustSec Enhancements & Work Center BYOD / Certificate Enhancements and the New Portal

6 ISE - new features in 2.0 Posture / MDM Enhancements Location / MSE Integration IPv6 Enhancements Phase-1 ISE Telemetry EAP-TTLS 3 rd Party NAD Support Easy Wired Access (EWA)

7 AnyConnect new features ISE - new features in 2.0 AnyConnect new features in 4.1 and 4.2 Posture checks with disk encryption TACACS ASA, WLC and IOS examples Certificate Provisioning Q&A

8 AnyConnect - new features CRL Checks (4.1) Platforms: Windows phone 8.1, Blackberry 10, Windows 10, RHEL 7, Ubuntu 14 (4.1) AMP module (4.1) Posture File/Sha-256, disk encryption, OSX file checks (4.2) Certificate selection for machine (4.2) IPV6 support for Linux and Mobile Platforms/VPN (4.2) Enhanced Trustsed Network Detection (4.2) Network Visibility Module (4.2/delayed)

9 Posture checks with disk encryption ISE - new features in 2.0 AnyConnect new features in 4.1 and 4.2 Posture checks with disk encryption TACACS ASA, WLC and IOS examples Certificate Provisioning Q&A

10 Disk Encryption Based on Opswat OESIS library, which is the same library we use for antivirus, antispyware and patch management applications. Administrator would be able to Import the new disk encryption support chart from the update server Checks can be based on Installation of specified disk encryption application. Disk encryption state

11 ISE Posture Disk Encryption

12 ISE Posture Disk Encryption Windows OS Example Product Name Disk Encryption State Check YES or NO Min Version of compliance module that provides support

13 ISE Posture Disk Encryption State Location?

14 OSx: ISE Posture Disk Encryption

15 ISE Posture Disk Encryption Mac OS Example Product Name Disk Encryption State Check YES or NO Min Version of compliance module that provides support

16 Example: Windows BitLocker

17 Example: Windows BitLocker

18 Example: Windows BitLocker

19 Example: Windows BitLocker

20 TACACS ASA,WLC and IOS examples ISE - new features in 2.0 AnyConnect new features in 4.1 and 4.2 Posture checks with disk encryption TACACS ASA,WLC and IOS examples Certificate Provisioning Q&A

21 AAA: a Key Security Concept Authentication, Authorization and Accounting (AAA) Authentication: who the user is Authorization: what they are allowed to Accounting: recording what they have done

22 Two Main Types of AAA Network Access AAA RADIUS Authentication Protocol NAS / NAD AAA Client Common Authentication Protocols PAP CHAP MS-CHAP

23 Two Main Types of AAA Device Administration AAA Telnet, SSH, Serial TACACS+ Terminal User AAA Client AAA Server

24 Remote Access Dial-in User Service IETF standard for AAA Most common AAA protocol for Network Access Why? Because IEEE 802.1X uses RADIUS 802.1X is used with vast majority of secure Wi-Fi Note: CAN be used for Device Administration, but not as powerful as TACACS+ for that form of AAA

25 Terminal Access Controller Access-Control System AAA standard protocol designed for controlling access to UNIX terminals Cisco enhanced it and created TACACS+ and published as open standard in the early 1990s Mainly used for Device Administration Can authenticate once and authorize many times Perfect for command authorizations

26 AuthC Once + AuthZ Many TACACS+ SSH to Network Device START (authentication) User trying to connect REPLY (authentication) request username AuthC CONTINUE (authentication) username REPLY (authentication) request password Authentication is Complete CONTINUE (authentication) password REPLY (authentication) Pass Shell AuthZ Command AuthZ # show run EXEC is Authorized Command is Authorized REQUEST (authorization) service = shell RESPONSE (authorization) PASS_ADD REQUEST (accounting) START / RESPONSE - SUCCESS REQUEST (authorization) service = command RESPONSE (authorization) Pass_ADD REQUEST (accounting) CONTINUE / RESPONSE - SUCCESS

27 ISE T+ versus ACS T+ Feature IPv6 T+ --- Reason Customizable ports It s fixed as 49 in 2.0, customization comes in 2.1 Max Sessions Per Node Coming in 2.1 Command-Set Import/Export Coming in 2.1 No Hit Counts & Policy Table Customization Different UI

28 Configuring Device Administration w/ TACACS+ and Some Best Practices

29 Device Admin Service is not Enabled by Default

30 Some Device Admin Best Practices USE NDG S! Different Policy Sets for IOS than AireSpace OS Different for Security Apps than Routers Different for ASA Differentiate based on location of Device

31 Use Policy Sets Based on Device Type

32 Example: Wireless LAN Controllers

33 Wireless LAN Controller + Device Admin Example The WLC has broad authorization capability, not granular Assign the Roles to the user Ie.: role1=wlans role2=security role3=wireless ^^^ This would allow access to WLAN, SECURITY and WIRELESS menu s only ^^^ Special Keyword of ALL < Full Access

34 Configuring the WLC x3 (AuthC, AuthZ, Acct)

35 Add TACACS+ to the Priority Order

36 WLC Verification

37 ASA + Device Admin ISE configuration Configure Command Set

38 ASA + Device Admin ISE configuration Configure Tacacs Rules

39 ASA + Device Admin Firewall configuration aaa-server ISE20-T protocol tacacs+ aaa-server ISE20-T (outside) host key cisco aaa authentication ssh console ISE20-T aaa authorization exec authentication-server auto-enable aaa authorization command ISE20-T ssh outside

40 ASA + Device Admin Firewall Verification john (Network Admin) $ ssh john@ john@ 's password: Type help or '?' for a list of available commands. ASA# conf t ASA(config)# crypto ikev1 policy 10 ASA(config-ikev1-policy)# encryption aes ASA(config-ikev1-policy)# exit ASA(config)# exit ASA# exit bob (Operator) $ ssh bob@ bob@ 's password: Type help or '?' for a list of available commands. ASA# ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms ASA# conf t Command authorization failed ASA#

41 ASA + Device Admin ISE Verification john (Network Admin) bob (Operator)

42 ASA + Device Admin ISE Verification bob (Operator) TACACS Authorization Detailed Report

43 IOS + Device Admin ISE configuration

44 IOS + Device Admin Router Configuration aaa new-model aaa authentication login AAA group tacacs+ aaa authorization config-commands aaa authorization exec AAA group tacacs+ aaa authorization commands 0 AAA group tacacs+ aaa authorization commands 1 AAA group tacacs+ aaa authorization commands 15 AAA group tacacs+ tacacs-server host key cisco line vty 0 4 authorization commands 0 AAA authorization commands 1 AAA authorization commands 15 AAA authorization exec AAA login authentication AAA transport input all

45 IOS+ Device Admin Router Verification john (Network Admin) $ telnet Trying Connected to bsns cisco.com. Escape character is '^]'. Username:john Password: Router#conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#cry isa pol 10 Router(config-isakmp)#enc Router(config-isakmp)#encryption aes bob (Operator) $ telnet Trying Connected to bsns cisco.com. Escape character is '^]'. Username:bob Password: Router#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/12 ms Router#conf t Command authorization failed.

46 IOS+ Device Admin ISE Verification john (Network Admin) bob (Operator)

47 IOS+ Device Admin ISE Verification bob (Operator) TACACS Authorization Detailed Report

48 Best Practice: Use Prefixes for Your Results Results are often specific to the NAD-Type. Different results for AirOS than IOS than NX-OS. Results are not differentiated in GUI by Default

49 T+ Command Sets: Wildcard vs. Regex

50 Command Sets May Be Stacked! A Permit Below will take priority over a Deny above. Except with a Deny_Always IOS-SecOps-NoConfig Deny_Always Config * Permit Everything Else IOS-PermitAllCommands Permit *

51 Device Administration Design

52 1. All Services on all PSNs: Small Customers Only ISE Cube PSN-1 PAN MNT PSN-2 RAD T+

53 2. Dedicate PSNs to T+ vs. RADIUS and Backup the Other ISE Cube PSN-1 PAN MNT PSN-2 RAD T+

54 2. Dedicate PSNs to T+ vs. RADIUS and Backup the Other ISE Cube PSN-1 PAN X PSN-2 MNT RAD T+

55 3. Dedicate PSNs to T+ vs. RADIUS no Cross Pollination ISE Cube PSN-1 PSN-3 PSN-5 PAN PSN-2 PSN-4 PSN-6 MNT No RAD No T+ RAD T+

56 4. Separate ISE Cubes (Large Customers) Dev Admin Cube PSN-1 PSN-3 PSN-5 MNT PAN RADIUS Cube PSN-2 PSN-4 PSN-6 MNT PAN No RAD No T+ RAD T+

57 For TACACS+ Only PSN s Administration > System > Deployment > [ISE node] Policy Service is Required Device Admin = T+ For Network Access AAA Leave Off

58 For RADIUS Only PSN s Administration > System > Deployment > [ISE node] Policy Service is Required For Network Access: Enable What s Needed Leave this Off

59 Device Administration License Up to Max # of Network Devices One License. NTE $4500 Requires 1+ Base To Enable ISE Product

60 Certificate Provisioning ISE - new features in 2.0 AnyConnect new features in 4.1 and 4.2 Posture checks with disk encryption TACACS ASA, WLC and IOS examples Certificate Provisioning Q&A

61 Admin UI

62 Configure Authorized Groups Only users in the groups added can use the portal

63 Configure Certificate Templates Only the templates in this list can be used (unless none are added, in which case they can all be used).

64 Login, AUP, Post Access Banner

65 Single Certificate (No CSR) Creating a Priv/Pub Certificate Pair Must Match Logged in User, Except SuperAdmin & ERS Admins Must be a valid MAC Address format Added to SAN (eg , 11:11:11:11:11:11, , , ) Select from Templates User is Authorized to Use Select Download Format: PXCS12 Chain, PEM Cert + PKCS8 Key, PKCS12 File with Cert+Key only, Cert in PEM + Key in PKCS8 + PEM Cert Chain

66 Single Certificate (With CSR) Signing a Public Cert CSR Paste the CSR Contents Must be a valid MAC Address format Added to SAN (eg , 11:11:11:11:11:11, , , ) Select from Templates User is Authorized to Use Select Download Format: PXCS12 Chain, PEM Cert + PKCS8 Key, PKCS12 File with Cert+Key only, Cert in PEM + Key in PKCS8 + PEM Cert Chain

67 Bulk Certificates Create 500 or Less Certificate Pairs Select from Templates User is Authorized to Use Select Download Format: PXCS12 Chain, PEM Cert + PKCS8 Key, PKCS12 File with Cert+Key only, Cert in PEM + Key in PKCS8 + PEM Cert Chain

68 SCEP Support with ASA

69 X.509 X.509 SCEP Support for Non-BYOD Use-Cases ISE 2.0 Opens SCEP to Non-BYOD Flow Device Must be Listed as a Network Device in ISE Technically any SCEP should work But ASA is only tested & supported SCEP proxy PSN CA CSR Generated Instruct AnyConnect to Generate CSR SCEP request over HTTPS PKCS#7 Contains Encrypted CSR Request (PKCS#10) ASA Forwards the Request to RA via HTTP SCEP Response with Cert X.509 SCEP Response with Cert Public Cert is Signed by CA

70 ISE Internal CA Issues Certificates to ASA VPN webvpn enable outside anyconnect image disk0:/anyconnect-win k9.pkg 1 anyconnect profiles SCEP_AC_PROFILE disk0:/scep_ac_profile.xml anyconnect enable tunnel-group-list enable error-recovery disable tunnel-group Cert-Group type remote-access tunnel-group Cert-Group general-attributes address-pool POOL authentication-server-group ISE20 default-group-policy ISE_CA_CSCEP scep-enrollment enable tunnel-group Cert-Group webvpn-attributes authentication aaa certificate group-alias Cert-Group enable group-policy ISE_CA_CSCEP internal group-policy ISE_CA_CSCEP attributes wins-server none dns-server value vpn-tunnel-protocol ssl-client default-domain value example.com scep-forwarding-url value webvpn anyconnect profiles value SCEP_AC_PROFILE type user

71 ISE Internal CA Issues Certificates to ASA VPN aaa-server ISE20 protocol radius authorize-only interim-accounting-update periodic 1 dynamic-authorization aaa-server ISE20 (outside) host key ***** crypto ca trustpoint ISE20RootCA enrollment terminal crl configure crypto ca trustpoint ISE20NodeCA enrollment terminal crl configure crypto ca trustpoint ISE20SubCA enrollment terminal crl configure crypto ca trustpoint ISE20OCSPCA enrollment terminal crl configure

72 ISE Internal CA Issues Certificates to ASA VPN Enabling certificate enrollment in the profile

73 ISE Internal CA Issues Certificates to ASA VPN Step 1. Certificate Store is empty and connection is made only with credentials

74 ISE Internal CA Issues Certificates to ASA VPN Step 2. Anyconnect generates SCEP request, which contains CSR, and sends it over to ASA via HTTPS Step 3. ASA forwards SCEP request to ISE server

75 ISE Internal CA Issues Certificates to ASA VPN Step 4. ISE issues identity certificate and sends it over to ASA Step 5. ASA forwards forwards certificate to the client Step 6. Certificate is installed in client machine and user personal store, and AC client reconnect to VPN already with certificate

76 ISE Internal CA Issues Certificates to ASA VPN ISE Verification Certificate template is not configurable at this point

77 ISE Internal CA Issues Certificates to ASA VPN ASA Verification

78 Questions?

79 Dziękujemy