Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training. BRKSEC Deploying ISE in a Dynamic Public Environment

Transcription

1 Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training BRKSEC Deploying ISE in a Dynamic Public Environment 1

2

3 Deploying ISE in a Dynamic Public Environment BRKSEC-2059 Clark Gambrel, CCIE #18179 Technical Leader, Engineering, Security Business Group

4 Introduction 4

5 Clark Gambrel, CCIE #18179 Technical Leader Engineering Security Business 5

6 KENTUCKY 6

7 Here 7

8 KENTUCKY 9

9 KENTUCKY Kentucky is known for 10

10 KENTUCKY Kentucky is known for 11

11 KENTUCKY Kentucky is known for 12

12 KENTUCKY Kentucky is known for 13

13 KENTUCKY 14

14 KENTUCKY 16

15 KENTUCKY 17

16 KENTUCKY 18

17 KENTUCKY 19

18 KENTUCKY Ich bin ein Redneck 20

19 Cisco ISE Sessions: Building Blocks BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Thur 9:00am) BRKSEC-2060 Device Administration with TACACS+ using Identity Services Engine (Thur 11:30am) BRKSEC-3699 Designing ISE for Scale & High Availability (Tue 2:15pm) LALSEC-0003 Lunch and Learn - Cisco Identity Services Engine (ISE) (Tue 12:45pm) COCSEC-2015 Inside Cisco IT: Cisco IT s Assured Network Access: Identity Services Engine (ISE) Deployment and Best Practices (Tue 11:15am) BRKSEC-2059 Deploying ISE in a Dynamic Public Environment (Wed 4:30pm) TECSEC-3672 Advanced - Network Access Control with ISE (Identity Service Engine) 2.0 (Mon 9:00 am) BRKSEC-2132 What's new in ISE Active Directory connector (Wed 4:30pm) 21

20 TrustSec Network aaa Sensor/Enforcer sessions BRKSEC-2203 Intermediate Enabling TrustSec Software-Defined Segmentation (Thur 2:30pm) BRKSEC-3690 Advanced TrustSec Deep dive on software defined segmentation (Fri 9:00am) BRKSEC-2026 Network as a Sensor and Enforcer (Thur 9:00am) BRKCRS-2891 Enterprise Network Segmentation with Cisco TrustSec (Wed 2:30pm) LTRSEC-2016 The Essentials of Cisco TrustSec (Tue 2:15pm) LALSEC-0006 Lunch and Learn - Network as a Sensor / Enforcer (Thur 1:00pm) TECSEC-2222 Securing Networks with Cisco Trustsec (Mon 2:15 pm) BRKCRS-1449 Introductory - Network as a Sensor / Enforcer : Cisco's End-to-End Analysis and Security Architectures (Wed 11:30am) BRKGS-2606 Securing the Enterprise with Network Intelligence (Tue 4:15pm) 22

21 Other Complimentary Sessions BRKSEC-3053 Practical PKI for Remote Access VPN with ISE (Fri 11:30am) BRKSEC-2051 It's all about Securing the Endpoint! (Tue 11:15 am) BRKSEC-2073 NetFlow Security Monitoring with Cisco Threat Defense (CTD) (Wed 2:30pm) PSOSEC-4003 Stop Threats Before They Stop You: Gain visibility and control as you speed time to containment of infected endpoints. (Wed 1:15pm) LALCRS-0001 Lunch and Learn - Cisco TrustSec for the Enterprise (Tue 12:45pm) LTRSEC-2017 Simplified IBNS 2.0 with Auto-identity (Advanced dot1x) Lab (Tue 9:00am) LTRCRS-2006 Network as a Sensor and Enforcer Lab (Thur 2:00pm) 23

22 Agenda Introduction Public environments, Why are they so challenging? Advice Words to live by in any environment (Best Practice!) Education What we have learned Hospitals/Medical Protecting the heart of your network Public Transportation Tips for the thrifty traveler Conclusion 24

23 Public environments, Why are they so challenging? 25

24 Public environments, Why are they so challenging? On average each person carries 2.9 devices 26

25 Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Kenny Louie under Creative Commons License 27

26 Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers New and Improved

27 Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers Device behavior differs from one OS version to the next Dilbert

28 Public environments, Why are they so challenging? Devices are mostly unmanaged Source 30

29 Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Where s the ANY key? 31

30 Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Users expect a simple experience, similar to home use 32

31 Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Users expect a simple experience, similar to home use Lots of configuration parameters on ISE/Wireless Controller, which are correct? 33

32 Advice Words to live by in any environment (Best Practice) 34

33 Advice: Timers Displaying a Clock Collection

34 Advice: Old Timers 37

35 Advice: Old Timers 38

36 Advice: Timers 40

37 Advice: Timers 41

38 Advice: Timers WLC: Radius Default timer value of 2 seconds is too short During busy times, Authentication latency may increase and exceed the default value Use best practice value between 5-10 seconds, typically Use timers appropriate to the environment (tune for your environment) Some remote/cloud based radius servers may have higher authentication latency and require some tweaking. 42

39 Advice: Timers WLC: Radius - Continued Setting timers too long and the client might restart its session, retries from radius server will be dropped Avoid unnecessary radius server flaps with timers that are too short PSN1 PSN2 Radius flapping can have some major impacts on an ISE deployment Superman II, Warner Brothers

40 Advice: Timers - Radius Typically 5-10 seconds 44

41 Advice: Timers - Radius Typically 5-10 seconds Usually matches Auth server timeout value 45

42 Advice: Timers WLC: Radius - Continued Make sure that Aggressive Failover is disabled in the command line of the WLC This can have a big impact on ISE and Wireless Auths in general (Cisco Controller) >config radius aggressive-failover disable 46

43 Advice: Timers - WLANs Increase Session Timeout to 2+ hours (7200+ sec), if Enabled (recommended) 47

44 Advice: Timers - WLANs This can also be sent as a Radius attribute in ISE under the AuthZ Profile 48

45 Advice: Timers - WLANs Increase Client Exclusion to 180+ seconds (3+ mins) 49

46 Advice: Timers - WLANs For 802.1X SSIDs, Increase Client Idle Timeout to 1 hour (3600 sec) For Guest/Hotspot SSIDs, leave this low (300 sec) to free up resources (http redirect sessions) for clients that have disconnected 50

47 Advice: Timers - WLANs Interim Update WLC 7.6: Recommended setting: Disabled Behavior: Only send update on IP address change Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates. Device Sensor updates not impacted 51

48 Advice: Timers - WLANs Interim Update WLC 7.6: Recommended setting: Disabled WLC 8.0: Recommended setting: Enabled with Interval set to 0 Behavior: Only send update on IP address change Device Sensor updates not impacted Settings mapped correctly on upgrades 52

49 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. Specifications listed in ISE 1.3+ Installation Guide 53

50 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. 54

51 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. 55

52 Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. In 1.3 we added OVA Templates for deploying SNS-3415 and SNS-3495 equivalent hardware It is highly recommended that you use these templates 56

53 Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications 57

54 Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications Administration Settings Protocols Radius 58

55 Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications Only use the profiling probes/information that you need. Don t have information overload. Avoid probes that use SPAN. Start with Radius only first. Use device sensors in network access device Administration Deployment Profiling 59

56 Advice: Avoid Meltdowns ISE Settings Enable EndPoint Attribute Filter Administration Settings Profiling 60

57 Advice: Avoid Meltdowns ISE Settings Enable EndPoint Attribute Filter Avoid Radius Flapping 61

58 Advice: Bugs!!! 62

59 Advice: Bugs CSCuu duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets 63

60 Advice: Bugs CSCuu duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets These packets are unique (different radius IDs) but contain the same information 47ms Same data Different ID 64

61 Advice: Bugs CSCuu duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets These packets are unique (different radius IDs) but contain the same information Currently resolved in and WLC code versions. 8.0 MR3 beta ( x) is available upon request now 65

62 Inter-Node Communications Radius Flapping can be a real mess! MnT Profiling sync leverages JGroup channels All replication outside node group must traverse PAN including Ownership Change! If Local JGroup fails, then nodes fall back to Global JGroup communication channel. MnT PAN PAN WLC PSN5 says I own this mac address PSN1 PSN PSN3 says L2 or L3 Ok PSN5 owns this mac address PSN PSN2 NODE GROUP A (JGROUP A) PSN4 PSN PSN PSN5 NODE GROUP B (JGROUP B) PSN PSN3 PSN PSN6 66

63 Inter-Node Communications Radius Flapping can be a real mess! MnT Ok, now Radius flapping occurs. This could be due to timeouts received to WLC or due to the Radius NAC accounting bug This will also happen if a PSN receives profiling information for an endpoint that it doesn t own MnT PAN PAN WLC PSN5 says Ok PSN3 owns this mac address PSN1 PSN PSN3 says I L2 or L3 own this mac address PSN PSN2 NODE GROUP A (JGROUP A) PSN4 PSN PSN PSN5 NODE GROUP B (JGROUP B) PSN PSN3 PSN PSN6 67

64 Avoid Radius Flapping USE BEST PRACTICE!!! 68

65 Education What we have learned 69

66 Education: High Authentication Latency eduroam According to the organization s website, eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community The technology behind eduroam is based on 802.1X standard and a hierarchy of RADIUS proxy servers.(source: eduroam.org) 70

67 Education: High Authentication Latency eduroam eduroam allows users from these organizations to use their credentials while visiting other participating locations to access the internet. eduroam is a cloud based Radius proxy. It acts as a federation point between education/research based entities and their Radius servers. eduroam s Radius proxy is accessed via the internet. 71

68 Education: High Authentication Latency eduroam username: Radius: Accept High Latency? 72

69 Education: High Authentication Latency eduroam Due to the high authentication latency sometimes associated with cloud based radius servers, it may be necessary to adjust your radius timers. If using a load balancer, create a separate VIP for eduroam (can contain the same PSNs) If no load balancer, dedicate PSNs for eduroam (or other high latency SSIDs), if possible 73

70 Education: Students Converge at Lunch High Density Student s roaming patterns especially during meal times and events can cause an increased load on your wireless and ISE infrastructure. Make sure that you have enough wireless density to handle this converged access. Distribute the load across multiple PSNs to avoid overwhelming a single server. 74

71 Education: User with multiple devices - PEAP EAP-TLS Use case Students carry multiple devices PEAP-MSChapV2 as 802.1X Authentication Method may cause AD lockouts if not changed on all devices. Locked accounts generate Help desk calls. A single device with old password may cause repeated AD lockouts 75

72 Your Students are ready. Are you? 76

73 Hospitals/Medical Protecting the heart of your network 77

74 Hospital: Medical Devices Securing and Profiling Most medical devices don t support 802.1X 78

75 Hospital: Medical Devices Securing and Profiling Encrypt! Most medical devices don t support 802.1X To protect patient data, use WPA2- PSK with Mac Filtering and Profiling 79

76 Hospital: Medical Devices Securing and Profiling Most medical devices don t support 802.1X To protect patient data, use WPA2- PSK with Mac Filtering and Profiling Use unique attributes to profile your medical devices Typical attributes that work well for medical devices are dhcp-classidentifier, dhcp-parameterrequest-list and host-name 80

77 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Zebra Technologies Completes Acquisition of Motorola Solutions' Enterprise Business Press Releases 2014 ZIH Corp 81

78 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. What this means Before acquisition: 82

79 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. What this means After acquisition: 83

80 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates 84

81 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates Spoofed MAC Addresses with new or different profiling attributes 85

82 Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates Spoofed MAC Addresses with new or different profiling attributes 86

83 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) 87

84 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? 88

85 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? You can then add an alarm to send an , whenever a device matches that policy. Currently we can enable for a single policy only. 89

86 Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? You can then add an alarm to send an , whenever a device matches that policy. Currently we can enable for a single policy only. 90

87 Hospital: Paging Dr. Ihateloggingin Suggestions for better user experience Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a webportal or changing a PEAP password. Use EAP-TLS 91

88 Hospital: Paging Dr. Ihateloggingin Suggestions for better user experience Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a webportal or changing a PEAP password. Use EAP-TLS A better option, if available would be to use EAP-TLS and CWA-Chaining to a Single Sign On (SSO) server. This would allow the end user to leverage the SSO token for other portals as well. 92

89 Hospital: Nurse Carts/IP Phones Advice on corporate devices Nurses typically use rolling computer carts for charting patient information. To ensure continuous connections for these devices, survey your wireless for Voice applications. For ease of use and manageability, use Active Directory Group Policy Objects (GPO) to manage the supplicants and certificates of AD joined devices. 93

90 Your Patients are ready. Are you? 94

91 Public Transportation Tips for the thrifty traveler 95

92 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients 96

93 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location 97

94 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user. 98

95 Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user. Create unique portal pages for each area. Advertisements can be built into the portal page or referenced from an external server. 99

96 Airport: Hotspot setup with custom redirect Using MSE and ISE 2.0 New to ISE 2.0, you can now leverage Mobility Services Engine (MSE) for physical location tracking Location information returned from the MSE can be used in the Authorization rule for directing clients to the portal serving their location.

97 Your Travelers are ready. Are you? 101

98 Conclusion 102

99 Conclusion Review Public Environments can be challenging Avoid ISE meltdowns Keep up to date with versions and patches, be aware of software defects that might affect your environment Use advice in this guide to solve challenges in your environment Use Real Best Practice to ensure that you have a successful deployment. 103

100 Call to Action Visit the World of Solutions for Cisco Campus Security Solutions Area Technical Solution Clinics - Security Meet the Engineer I have some availability this week, if you would like to discuss more. Lunch and Learn Topics - LALSEC-0006 Lunch and Learn - Network as a Sensor / Enforcer (Thur 1:00pm) DevNet zone related sessions 104

101 Enter to Win an Apple Watch or GoPro HERO4! Cisco Live Berlin ISE Technology Partner Ecosystem Tour How it works: Participants Learn more about the ISE Partner Ecosystem Learn about the ISE Partner Ecosystem use-cases Get more in-depth information about Cisco ISE How Visit Cisco ISE Ecosystem booth at the World of Solutions Visit at least FIVE solution demonstrations Attend LTRCRS-2006 Network as a Sensor and Enforcer Lab (Thur 2:00pm) to see if you re a WINNER!!!

102 Complete Your Online Session Evaluation Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations 5 s are really nice! 106

103 Real Best Practices are ready. Are you? 107

104 Thank you 108

105