Device Administration with TACACS+ using ISE 2.X


2 Device Administration with TACACS+ using ISE 2.X
Aaron T. Woland, CCIE #20113, Principal Engineer, Security Business Group
BRKSEC-2344

3 You are in the right place if your interest is:
- Control and visibility of the administration of the devices that form the fabric of your network, using ISE with TACACS+
- Laughing and enjoying a session at Cisco Live
BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 3


5 About Me
- I live in North Carolina, the South
- Southerners are known for: Politeness, Courtesy, Manners, BBQ, Frying Everything!

6 About Me
- But I am from New York
- New Yorkers are known for: Speaking their Mind, Being Blunt but Truthful, Not known for our Manners, Pizza & Bagels!!!!!!!

7 About Me
- I am a Father of 4 Daughters! So... Nothing Scares me anymore!

8 Sarcasm
If we can't laugh at ourselves, then we cannot laugh at anything at all.


11 Agenda v2
- Introduction: Why and What is Device Administration AAA
- Device Administration AAA in ISE: Design Principles; Components (Policy Elements, Policy Sets)
- NAD Types: AAA Models; Configuring the NADs
- Configuring Device Administration in ISE: IOS / WLC / Nexus
- Proof is in the Pudding
- Migrating from ACS to ISE
- Final Questions?

12 Agenda
- Introduction
- Device Administration AAA in ISE 2.x
- Network Devices
- Configuring ISE for Device Administration
- The Proof is in the Puddin
- Migrating from ACS to ISE
- Final Conclusions

13 Why Do Device Administration AAA?
Centralized Control of Network Devices
- Ensure network devices remain correctly configured
- Who may do what actions to which devices, under which conditions
Centralized Visibility of Those Actions
- Reliably record those actions
- Who accessed a network device, and which commands did they execute?
- What configuration changes were made?
- When did this all occur?
Compliance: SOX, HIPAA, PCI DSS
- Requires secure auditing and reporting of network configuration changes

14 AAA: a Key Security Concept
Authentication, Authorization and Accounting (AAA)
- Authentication: who the user is
- Authorization: what they are allowed to do
- Accounting: recording what they have done

15 Authentication vs. Authorization (slides 15-20, one progressive build)
"I'd like 40K from John Chambers' account."
"Do you have identification?"
"Yes, I do. Here it is."
"Sorry, Aaron Woland is not authorized for John Chambers' account."

21 Two Main Types of AAA
Network Access AAA
- RADIUS authentication protocol
- NAS / NAD = AAA client
- Common authentication protocols: PAP, CHAP, MS-CHAP

22 Device Administration
- Telnet, SSH, serial terminal
- Terminal User -> AAA Client (the network device) -> AAA Server

23 AAA Protocols
Two main protocols designed for AAA:
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access-Control System (TACACS)

24 Remote Authentication Dial-In User Service (RADIUS)
- IETF standard for AAA
- Most common AAA protocol for Network Access. Why? Because IEEE 802.1X uses RADIUS, and 802.1X is used with the vast majority of secure Wi-Fi
- Note: CAN be used for Device Administration, but it is not as powerful as TACACS+ for that form of AAA

25 A long time ago in a development lab far, far away

27 Terminal Access Controller Access-Control System (TACACS)
- AAA standard protocol designed for controlling access to UNIX terminals
- Cisco enhanced it, created TACACS+, and published it as an open standard in the early 1990s
- Mainly used for Device Administration
- Can authenticate once and authorize many times: perfect for command authorization
- AuthZ results are sent for each attempt, not just ONCE with AuthC

28 AuthC Once + AuthZ Many (TACACS+)
User tries to connect via SSH to the network device:

    START    (authentication)                            user trying to connect
    REPLY    (authentication)  request username
    CONTINUE (authentication)  username
    REPLY    (authentication)  request password
    CONTINUE (authentication)  password
    REPLY    (authentication)  PASS                      -> Authentication is complete

Shell AuthZ:

    REQUEST  (authorization)   service = shell
    RESPONSE (authorization)   PASS_ADD                  -> EXEC is authorized
    REQUEST  (accounting)      START  /  RESPONSE: SUCCESS

Command AuthZ (# show run):

    REQUEST  (authorization)   service = command
    RESPONSE (authorization)   PASS_ADD                  -> Command is authorized
    REQUEST  (accounting)      CONTINUE  /  RESPONSE: SUCCESS

29 Agenda
- Introduction
- Device Administration AAA in ISE 2.x: Components (Policy Elements, Policy Sets); Design Principles
- Network Devices
- Configuring ISE for Device Administration
- The Proof is in the Puddin
- Migrating from ACS to ISE
- Final Conclusions

30 Device Administration AAA in ISE

31 TACACS+ is in ISE

32 So where do we begin?...

33 Introducing the ISE Device Administration Work Center
Order of operations: left to right on the menu bar

34 Overview: T+ Live Log

35 Overview: Deployment (ISE 2.2+)

36 ISE Deployment Node Configuration (old way)
Policy Service Node for protocol processing:
- Session Services (e.g. Network Access/RADIUS): on by default
- Device Admin Service (e.g. TACACS+): MUST BE ENABLED FOR DEVICE ADMINISTRATION!!

37 Identities: Internal Users
- Separate Enable Password: can be defined if the user is to be allowed privileged access after login
- Random secure passwords
- May leverage AD for passwords (Internal Users with External Password Management)

38 Identities: Internal Users
Reality of internal identities:
- Allows the ISE admin to control group membership
- Can leverage an external DB for password management
- Provides a 2nd level of authentication if
- In my experience, not used too often anymore: everyone just leverages their AD / LDAP single source of truth, which saves the double maintenance and duplication of effort

39 Identities: External IDs (more commonly used)
- Same list of sources as Network Access
- Can be defined if the user is to be allowed privileged access after login

40 Identities: External IDs (more commonly used)
Reality of external identities:
- Way more common in today's enterprise
- Identity Source Sequences can be used
- The Active Directory connector is VERY powerful: can query over 2,000 AD domains; multi-forest support (up to 50 join points); see CiscoLive.com for more on Active Directory
- One Time Password (OTP) servers: 2-factor authentication for very secure environments

41 For More on Identities
- BRKSEC-2059 Deploying ISE in a Dynamic Public Environment
- BRKSEC-3699 Designing ISE for Scale & High Availability
Online recorded sessions:
- BRKSEC-2132 What's new in ISE Active Directory Connector
- BRKSEC Building Enterprise Access Control Architecture using ISE & TrustSec

42 NADs: Network Device Groups (NDG)
- Build a detailed hierarchy to make Policy Set and rule creation more powerful

43 NADs: Network Devices
- TACACS+ shared secret
- Single Connect Mode
- Retire the Secret: accept the old and the new secret for a configured time period

44 Results / Policy Elements: Authorization Results
- TACACS Profiles (AKA Shell Profiles): different types; assigned level

45 Results / Policy Elements: Authorization Results
- Command Sets: lists of commands to permit / deny

46 We will dive into these elements more in the Config section

47 Policy Sets
- Policy Set: ordered list; provides both management AND execution order
- Condition for Policy Set: how the Policy Set is engaged

48 Policy Sets
- The Policy Set summary view provides an overview of execution conditions

49 ISE Authentication Processing: Are you who you say you are?
1. Policy Set selection
2. Authentication policy evaluation: determine authentication protocols; select identity store
3. Validate credentials
4. Evaluate Enable authorization

50 Authentication in the Policy Set: the Authentication Policy area

51 Policy Set Authentication Results: Identity Source; Allowed Protocols

52 ISE Authorization Processing
1. Policy Set selection
2. Identity selection
3. Authorization policy evaluation
4. Evaluation (Command Set or Profile)
5. Reply

53 Device Administration Authorization in ISE: the Authorization Policy area

54 Best Practices for Policy Sets
- Organization: optimal size mix for the Policy Set breakdown in ISE 2.0 is 6-10 Policy Sets / rules
- Divide the complete policy into robust silos representing use cases, e.g. by device type, by region

55 Example Policy
Authorization result per device region and identity group (legend: Helpdesk, Superuser Admin = Superuser):

Device \ Identity | US Helpdesk | EMEA Helpdesk | US Superuser | EMEA Superuser
Device: US        | Helpdesk    | -             | Superuser    | Helpdesk
Device: EMEA      | -           | Helpdesk      | Helpdesk     | Superuser

56 Design Principles
See BRKSEC-3699 Designing ISE for Scale & High Availability

57 Deployment Considerations
- Should we dedicate an ISE Policy Service Node (PSN) to TACACS+?
- How many PSNs should we dedicate to TACACS+?
- Should we dedicate a deployment to TACACS+? i.e. a separate PAN + MnT

58 Options for Deploying Device Admin
Priorities, according to policy. Three models: Separate Deployment (TACACS+ and RADIUS in different deployments), Separate PSN Mode (dedicated TACACS+ PSNs and RADIUS PSNs in one deployment), Mixed PSN Mode (RADIUS/TACACS+ on the same PSNs).

Separation of Configuration
- Yes: specialization for TACACS+
- No: avoid duplication of shared items; avoid the cost of a duplicate PAN/PSN
Separation of Logging Store
- Yes: optimize log retention VM
- No: centralized monitoring
Independent Scaling of Services
- Yes: scale as needed; avoid NAC/Device Admin load
- No: avoid underutilized PSNs

59 Large Deployments: Separate Cubes
(Diagram) ISE Cube 1: PAN, MNT, PSN VIP1 -> Network Device / Terminal User. ISE Cube 2: PAN, MNT, PSN VIP2 -> Network User.

60 Medium Deployments: Separate Cubes
(Diagram) Single ISE Cube: PAN, MNT; PSN VIP1 -> Network Device / Terminal User; PSN VIP2 -> Network User.

61 Small Deployments: Separate Cubes
(Diagram) Single ISE Cube: PAN, MNT; PSN VIP1 -> Network Device / Terminal User; PSN VIP2 -> Network User.

62 Why does Aaron prefer Separate Cubes?

63 Logging Capacity
- In the large-scale appliance (3595), 320GB is allocated to TACACS+ logs
- Capacity requirements are variable. Assuming: 4K log per authentication/session, 3K log per command authorization/session; each admin has 40 sessions/day, with 25 commands per session
- Example calculation of days of capacity for a given number of admins and disk size (320 GB / 1024 GB / 2048 GB): see BRKSEC-3699
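The days-of-capacity calculation the slide refers to, carried through here as an added worked example with the slide's per-log and per-session figures (not a table from the session; the admin count N = 100 is an assumption, and K and GB are read as decimal 10^3 and 10^9 bytes):

$$
\begin{aligned}
B_{\text{session}} &= 4\,\text{K} + 25 \times 3\,\text{K} = 79\,\text{K} = 79{,}000\ \text{bytes} \\
B_{\text{admin/day}} &= 40 \times B_{\text{session}} = 3{,}160{,}000\ \text{bytes} \approx 3.16\ \text{MB} \\
\text{Days} &= \frac{D}{N \times B_{\text{admin/day}}} = \frac{320 \times 10^{9}}{100 \times 3.16 \times 10^{6}} \approx 1013
\end{aligned}
$$

With the same N, D = 1024 GB gives about 3240 days and D = 2048 GB about 6481 days; with binary units (4096- and 3072-byte logs, 2^30 bytes per GB) the 320 GB case comes to about 1062 days.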

64 The Network Devices

65 Network Devices do AAA Differently
Cisco IOS: the ultimate in flexibility
- 16 privilege levels (0-15)
- A user authorized to a level of privilege can execute all commands at that level
- Authorization into the shell
- Authorization per-command
Cisco WLC: nice and easy
- Assigns a role to a user
- Role = which menus they get write access to
Cisco Nexus: blended
- Users are authorized to a role
- Role = list of features and commands available to the user

66 Cisco IOS

67 The AAA Method List (For Your Reference)

    aaa <type> {default | list-name} method-1 [method-2 method-3 method-4 ...]

- type: authentication, authorization or accounting
- default: will affect all things that use the AAA type if you don't specify otherwise
- list-name: creates a custom method list; the name should mean something to you
- Methods, tried in order: group radius | group tacacs+ | local-case | local | enable | none

68 Configuring IOS for TACACS+ authentication
Device configuration for TACACS+ is vendor/product specific. Example for IOS:

    ! Required for TACACS+
    aaa new-model
    ! TACACS+ server definition (the server address did not survive the transcript; placeholder shown)
    tacacs server ISE-PRIMARY
     address ipv4 <ISE-PRIMARY-IP-ADDRESS>
     key th3k3yu5ed
    aaa group server tacacs+ ISE-GROUP
     server name ISE-PRIMARY
    ! Authentication control: ISE first, local fallback; enable password also checked against ISE
    aaa authentication login VTY group ISE-GROUP local
    aaa authentication enable default group ISE-GROUP enable
    line vty 0 4
     login authentication VTY

69 Configuring IOS for TACACS+ authorization
Device configuration for TACACS+ is vendor/product specific. Example for IOS:

    ! Enable session (EXEC) authorization
    aaa authorization exec VTY group ISE-GROUP local
    ! Enable command authorization; config-commands also sends configuration-mode commands to ISE
    aaa authorization config-commands
    aaa authorization commands 0 VTY group ISE-GROUP local
    aaa authorization commands 1 VTY group ISE-GROUP local
    aaa authorization commands 15 VTY group ISE-GROUP local
    line vty 0 4
     authorization exec VTY
     authorization commands 0 VTY
     authorization commands 1 VTY
     authorization commands 15 VTY

70 Configuring IOS for TACACS+ accounting
Device configuration for TACACS+ is vendor/product specific. Example for IOS:

    ! EXEC session and per-command accounting records sent to ISE
    aaa accounting exec default start-stop group ISE-GROUP
    aaa accounting commands 1 default start-stop group ISE-GROUP
    aaa accounting commands 15 default start-stop group ISE-GROUP

71 Cisco WLC

72 Configuring WLC for TACACS+ AAA

73 Configuring WLC for TACACS+ AAA
T+ first; fall back to local if T+ is non-responsive

74 Configuring ISE

75 The User Account & Group Types

Users                | Group     | Description
NetAdmin1, NetAdmin2 | NetAdmin  | Network Administrators: full access to everything possible
NetOps1, NetOps2     | NetOps    | Network Operators: access, but limited in what changes can be made
SecAdmin1, SecAdmin2 | SecAdmin  | Security Administrators: read-only to absolutely everything, including configurations
Helpdesk1, Helpdesk2 | Helpdesk  | Helpdesk Personnel: read-only to all show commands, not including show run. No changes permitted at all
Employee1, Employee2 | Employees | Any other Employee: no access to shell or UI

76 Cisco IOS Device Admin Results

77 TACACS Profile: NetAdmin (IOS)
- Task Type: specific for the device; a nice UI feature to provide a specific UI per device type
- IOS Privilege Level: Default = assigned at login; Max = limit reachable with the enable command
- Idle Time: for high-powered access, limit the session time when there is no activity

78 TACACS Profile: NetOps (IOS)
- IOS Privilege Level: Default = assigned at login; Max = limit reachable with the enable command; allows privilege escalation when necessary

79 TACACS Profile: SecAdmin (IOS)
- IOS Privilege Level: SecAdmin will be limited by Command Set instead of privilege level
- Timer (absolute time): because you want to mess with them
- Idle Time: for high-powered access, limit the session time when there is no activity

80 TACACS Profile: Helpdesk (IOS)
- IOS Privilege Level: will get all Priv 1 commands, and any specially moved to Priv 2 only

81 Command Set: NetAdmin (IOS)
- Permit all commands: since nothing is listed below, all commands will be permitted

82 Command Set: NetOps (IOS)
- Permit all commands: anything not listed below will be allowed
- DENY_ALWAYS: shutdown and reload will never be permitted, even when stacking permissions. If DENY were used instead of DENY_ALWAYS, then a Permit would win in a stack

83 Command Set: SecAdmin (IOS)
- Permit all commands: anything besides configure will be permitted
- DENY_ALWAYS: configure will never be allowed for Security Admins. All other commands will work

84 Command Set: Helpdesk (IOS)
- Deny all commands except what is listed below
- PERMIT: allow all show commands for the privilege level
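As an added illustration, not code from the session or from ISE: a small Python model of the flow on the "AuthC Once + AuthZ Many" slide (slide 28), with ISE evaluating the IOS shell profiles and command sets defined above for NetAdmin, NetOps, SecAdmin and Helpdesk (slides 77-84). The user names and passwords, the IOS privilege table, and the rule applied to a command matched by no rule under stacked sets are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ShellProfile:          # the ISE "TACACS Profile" returned for service=shell
    default_priv: int        # privilege level assigned at login
    max_priv: int            # highest level reachable with "enable"


@dataclass
class CommandRule:
    grant: str               # PERMIT, DENY or DENY_ALWAYS
    command: str             # first word of the command line
    arguments: str = ".*"    # regex matched against the rest of the line


@dataclass
class CommandSet:
    permit_unmatched: bool   # "Permit any command that is not listed below"
    rules: list = field(default_factory=list)


# Constructed identities: user -> (password, group); groups as on the slides.
USERS = {"netadmin1": ("pw-A", "NetAdmin"), "netops1": ("pw-B", "NetOps"),
         "secadmin1": ("pw-C", "SecAdmin"), "helpdesk1": ("pw-D", "Helpdesk"),
         "employee1": ("pw-E", "Employees")}

# Shell profiles (constructed levels); Employees get none, so EXEC authorization fails.
PROFILES = {"NetAdmin": ShellProfile(15, 15), "NetOps": ShellProfile(7, 15),
            "SecAdmin": ShellProfile(15, 15), "Helpdesk": ShellProfile(1, 1)}

# Command sets as described on slides 81-84.
COMMAND_SETS = {
    "NetAdmin": CommandSet(True),
    "NetOps": CommandSet(True, [CommandRule("DENY_ALWAYS", "shutdown"),
                                CommandRule("DENY_ALWAYS", "reload")]),
    "SecAdmin": CommandSet(True, [CommandRule("DENY_ALWAYS", "configure")]),
    "Helpdesk": CommandSet(False, [CommandRule("PERMIT", "show")]),
}

# Constructed IOS privilege table after "privilege exec level 7 show running-config";
# anything not listed is a level-1 command. Commands are written out in full.
IOS_PRIV = {"configure": 15, "reload": 15, "show running-config": 7}


def authenticate(user, password):
    """The START/REPLY/CONTINUE exchange collapsed to one check; returns the group or None."""
    rec = USERS.get(user)
    return rec[1] if rec and rec[0] == password else None


def authorize_shell(group):
    """REQUEST service=shell: PASS_ADD with a priv-lvl (the profile), or FAIL (None)."""
    return PROFILES.get(group)


def authorize_command(command_sets, line):
    """Per-command authorization with the stacking rule from slide 82: DENY_ALWAYS
    beats everything, otherwise PERMIT beats DENY. A command matched by no rule is
    permitted if any stacked set has permit_unmatched (assumption)."""
    cmd, _, args = line.strip().partition(" ")
    grants = {r.grant for cs in command_sets for r in cs.rules
              if r.command == cmd and re.fullmatch(r.arguments, args)}
    if "DENY_ALWAYS" in grants:
        return False
    if "PERMIT" in grants:
        return True
    if "DENY" in grants:
        return False
    return any(cs.permit_unmatched for cs in command_sets)


def ios_level_required(line):
    """IOS consults its own privilege table first: a command above the user's
    level is not offered at all, so no TACACS+ request is sent for it."""
    words = line.split()
    for n in (2, 1):
        key = " ".join(words[:n])
        if key in IOS_PRIV:
            return IOS_PRIV[key]
    return 1


def session(user, password, commands):
    """One SSH login followed by EXEC commands; returns the device's replies."""
    group = authenticate(user, password)
    if group is None:
        return ["% Authentication failed"]
    profile = authorize_shell(group)
    if profile is None:
        return ["% Authorization failed"]            # no EXEC shell for Employees
    out = [f"priv {profile.default_priv}"]
    for line in commands:
        if ios_level_required(line) > profile.default_priv:
            out.append("% Invalid input detected")   # IOS parser, before any TACACS+ request
        elif authorize_command([COMMAND_SETS[group]], line):
            out.append("ok")                         # RESPONSE PASS_ADD, then accounting
        else:
            out.append("Command authorization failed.")   # RESPONSE FAIL
    return out
```

Running session("secadmin1", "pw-C", [...]) and session("netops1", "pw-B", [...]) reproduces the two outcomes shown on the "Login to an IOS Device" slide: a DENY_ALWAYS on configure versus a command hidden by the IOS privilege level.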

85 Cisco WLC Device Admin Results

86 TACACS Profiles for the WLC
- No command sets for the WLC. It is role based, with its menus

87 TACACS Profile: NetAdmin (WLC)
- All Menus: full access to the WLC

88 TACACS Profile: SecAdmin (WLC)
- WLAN & Security: read/write to WLAN; read/write to Security; read-only to everything else

89 TACACS Profile: Helpdesk (WLC)
- Monitor: read-only to the entire UI

90 TACACS Profile: Employees (WLC)
- Lobby: special role that does not give access to the WLC UI, only to a Guest Management UI

91 Proof is in the Puddin

92 Login to an IOS Device

    Username: secadmin1
    Password:
    3750-X# show privilege
    Current privilege level is [level lost in transcript]
    3750-X# show run
    Building configuration...
    <SNIP>
    3750-X# config t
    Command authorization failed.

    Username: netops1
    Password:
    3750-X# show priv
    Current privilege level is [level lost in transcript]
    3750-X# conf t
             ^
    % Invalid input detected at '^' marker
    3750-X# show run
    Building configuration...
    Current configuration : 3191 bytes

This is how:

    3750-X# show run | i priv
    privilege configure all level 6 interface
    privilege configure level 6 authentication
    privilege exec level 7 show running-config

93 Device Admin Live Log
(Screenshot; entries labelled Command AuthZ, Authentication, Exec AuthZ)

94 TACACS+ Command Accounting
- The ISE Accounting Report records all commands
- Purpose is to audit and fault-find device configuration
- Comprehensive and flexible searching for commands: who, what, when, where

95 TACACS+ AAA Authentication Reporting
- ISE Authentication Reporting records all passed and failed authentication attempts
- Purpose is to audit and fault-find device-ISE interactions

96 Login to a WLC Device

97 Backup Slides: Device Admin

98 Migration from ACS

99 Comparing ISE to ACS 5
- The core TACACS+ protocol engine is shared with ACS 5
- However: ISE is not ACS
  - Different management system (RBAC, GUI etc.)
  - Different policy system and GUI
  - Different internal identity store
- Parity can be subtle

100 Example Parity Issue: ACS 4 vs 5 custom attributes
(Screenshots: ACS 4 vs ACS 5)

102 Using the Migration tool
1. Migrate to the correct version of ACS: ACS 5.5 or ACS 5.6
2. Download the tool from ISE: link provided in the Device Administration work center
3. Enable the migration interface in ACS/ISE:
   ACS: acs config-web-interface migration enable
   ISE: application configure ise, option 11
4. If you are migrating to ISE with configuration, back up ISE first:
   - Save certificates (export including private keys)
   - Back up the ISE configuration
   - Back up system logs
   - Obtain AD credentials to rejoin if needed

103 Using the Migration tool
- Run Export -> report -> issues found: update ACS, run Export again
- Run Import -> report -> issues found: update ACS, run Import again

104 ACS 5 to ISE Migration: Identity
- Internal Users issues (parity gap): Password Type; Password Change on Next Login + Lifetime; naming constraints (more illegal characters in ISE)
- External Identity Stores migrate cleanly (as always, check names)

105 ACS 5 to ISE Migration: Network Devices/NDGs
Network Device migration caveats for ISE 2.0:
- IP ranges not supported in ISE
- Exclusions supported by overlapping IPs
- IPv4 only
- Default Device must have RADIUS enabled
Reconciliation flow for the Migration Tool:
- If the device does not exist in ISE (defined by no overlap of IP configuration), then add it
- If the device does exist (IP/subnet exactly matches AND name exactly matches), then update its details to add the TACACS+ elements
- If there is only an approximate match (name matches exactly, or IP/subnet matches exactly, but not both), then generate an error report
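The reconciliation flow above, as an added example in Python (not the migration tool's own code), run over a constructed ACS export and ISE inventory: the device names and addresses are made up, the range and IPv6 checks reflect the ISE 2.0 caveats on the slide, and the handling of an IP overlap that is neither an exact match nor a name match is an assumption.

```python
import ipaddress

# Constructed ACS export and ISE inventory (names and addresses are made up).
ACS_DEVICES = [
    {"name": "SW-US-01", "ip": "10.1.1.10"},          # not in ISE yet
    {"name": "SW-US-02", "ip": "10.1.1.20"},          # exact IP and name match
    {"name": "SW-EMEA-01", "ip": "10.2.1.0/24"},      # name matches, subnet only overlaps
    {"name": "WLC-US-01", "ip": "10.1.5.5"},          # IP matches, name differs
    {"name": "RTR-LAB", "ip": "10.9.0.1-10.9.0.20"},  # IP range: not supported in ISE 2.0
    {"name": "RTR-V6", "ip": "2001:db8::1"},          # IPv6: not supported
]
ISE_DEVICES = [
    {"name": "SW-US-02", "ip": "10.1.1.20"},
    {"name": "SW-EMEA-01", "ip": "10.2.0.0/16"},
    {"name": "WLC-US-1", "ip": "10.1.5.5"},
]


def parse_ipv4(spec):
    """Return an IPv4 network for a host or CIDR spec, or None where the slide's
    caveats apply (IP ranges and IPv6 are not accepted by ISE 2.0)."""
    if "-" in spec:
        return None
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None
    return net if net.version == 4 else None


def reconcile(acs_dev, ise_devices):
    """Classify one ACS device against the ISE inventory, following the slide:
    add    - no ISE device overlaps its IP configuration
    update - an ISE device matches exactly on IP/subnet AND on name
    error  - only an approximate match (name or IP/subnet exact, not both)
    An overlap that is neither exact nor a name match is also reported as an
    error here (assumption: the slide does not define that case)."""
    acs_net = parse_ipv4(acs_dev["ip"])
    if acs_net is None:
        return ("unsupported", acs_dev["name"])
    overlapping, exact_ip, same_name = [], [], []
    for dev in ise_devices:
        net = parse_ipv4(dev["ip"])
        if net is None:
            continue
        if dev["name"] == acs_dev["name"]:
            same_name.append(dev)
        if net.overlaps(acs_net):
            overlapping.append(dev)
            if net == acs_net:
                exact_ip.append(dev)
    if any(dev["name"] == acs_dev["name"] for dev in exact_ip):
        return ("update", acs_dev["name"])
    if same_name or exact_ip or overlapping:
        return ("error", acs_dev["name"])
    return ("add", acs_dev["name"])


def migration_report(acs_devices, ise_devices):
    """Group ACS devices by action, the way the tool's report lists issues to fix in ACS."""
    report = {"add": [], "update": [], "error": [], "unsupported": []}
    for dev in acs_devices:
        action, name = reconcile(dev, ise_devices)
        report[action].append(name)
    return report
```

The "error" and "unsupported" buckets are the ones the slide's Export/Import loop sends back to ACS for correction before re-running the tool.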

106 ACS 5 to ISE Migration: Authorization Results
- Command Sets and Shell Profiles migrate well
- Main gotcha: object names. ISE is stricter about names, and the policy results namespace is shared with Network Access
- Recommend using a prefix for Device Admin authorization results

107 ACS 5 to ISE Migration: Policy
- ACS 5 Access Service maps to ISE Policy Set
  - ACS 5 Access Service is separated from the Selection Policy: can have services that are not engaged; can have services selected by different Service Selection rules
- ACS 5 Group Map: intended as a transition step from ACS 4; Group Map content must be migrated to the authorization policy
- Authentication Allowed Protocols: part of the Service configuration in ACS 5; a policy result in ISE

108 ACS 5 to ISE Migration: TACACS+ Proxy
- ACS 5 Proxy Service maps to an ISE Policy Set in Proxy Sequence mode

109 Migration Best Practices
- Follow the recommendations from the Migration tool reports
- Rename ACS objects using ISE-legal characters
- Move Group Map policy to Authorization
- Consider the ACS 5 to ISE migration as an opportunity to review and refresh policy, especially if migrating from ACS 4

110 ACS to ISE 2.2 feature comparison

111 ACS vs ISE feature comparison - RADIUS

RADIUS | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2
PAP | Yes | Yes | Yes | Yes | Yes
CHAP | Yes | Yes | Yes | Yes | Yes
MS-CHAPv1 and v2 | Yes | Yes | Yes | Yes | Yes
EAP-MD5 | Yes | Yes | Yes | Yes | Yes
EAP-TLS | Yes | Yes | Yes | Yes | Yes
PEAP (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes
PEAP (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes
PEAP (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes
EAP-FAST (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes
EAP-FAST (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes
EAP-FAST (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes
EAP Chaining with EAP-FAST | No | No | Yes | Yes | Yes
RADIUS Proxy | Yes | Yes | Yes | Yes | Yes
RADIUS VSAs | Yes | Yes | Yes | Yes | Yes
LEAP | Yes | Yes | Yes | Yes | Yes

112 ACS vs ISE feature comparison - TACACS+

TACACS+ | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2
TACACS+ per-command authorization and accounting | Yes | Yes | Yes | Yes | Yes
TACACS+ support in IPv6 networks | No | Yes | No | No | No
TACACS+ change password | Yes | Yes | Yes | Yes | Yes
TACACS+ enable handling | Yes | Yes | Yes | Yes | Yes
TACACS+ custom services | Yes | Yes | Yes | Yes | Yes
TACACS+ proxy | Yes | Yes | Yes | Yes | Yes
TACACS+ optional attributes | Yes | Yes | Yes | Yes | Yes
TACACS+ additional auth types (CHAP / MSCHAP) | Yes | Yes | Yes | Yes | Yes
TACACS+ attribute substitution for Shell profiles | Yes | Yes | Yes | Yes | Yes
TACACS+ customizable port | Yes | Yes | No | Yes | Yes

113 ACS vs ISE feature comparison - Internal users and Admins

Internal Users / Administrators | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2
Users: Password complexity | Yes | Yes | Yes | Yes | Yes
Users: Password aging (1) | Yes | Yes | Yes (1) | Yes (1) | Yes (1)
Users: Password history | Yes | Yes | Yes | Yes | Yes
Users: Max failed attempts | Yes | Yes | Yes | Yes | Yes
Users: Disable user after n days of inactivity | Yes | Yes | No | Yes | Yes
Admin: Password complexity | Yes | Yes | Yes | Yes | Yes
Admin: Password aging | Yes | Yes | Yes | Yes | Yes
Admin: Password history | Yes | Yes | Yes | Yes | Yes
Admin: Max failed attempts | Yes | Yes | Yes | Yes | Yes
Admin: Password inactivity | Yes | Yes | No | Yes | Yes
Admin: Entitlement report | Yes | Yes | Yes | Yes | Yes
Admin: Session and access restrictions | Yes | Yes | Yes | Yes | Yes

(1) Warning and disable after a defined interval. A grace period is not supported.

114 ACS to ISE feature comparison - MAR, Conditions, Logs, Network Devices

Machine Access Restrictions, Conditions, Logs, Network Devices | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2
Machine Access Restrictions: MAR caching and distribution (1) | Yes | Yes | Yes (1) | Yes (1) | Yes (1)
Conditions/Filters: Network Access Restrictions (NARs) | Yes | Yes | No | No | Yes
Conditions/Filters: Time based permissions | Yes | Yes | Yes | Yes | Yes
Log Management: Log viewing and reports | Yes | Yes | Yes | Yes | Yes
Log Management: Export logs via SYSLOG | Yes | Yes | Yes | Yes | Yes
Network Devices: Configure network devices with IP address ranges (2) | Yes | Yes | No | No | Partially (2)
Network Devices: Lookup network device by IP address (3) | Yes | Yes | Yes (3) | Yes | Yes

(1) ISE 2.0 supports only the MAR cache. ISE 2.1 supports the MAR cache between restarts but not distribution.
(2) When migrating from ACS to ISE, the Migration Tool automatically converts IP ranges in the last octet of the IP.
(3) Can search by IP address, but this can't be used in combination with other fields as search criteria.

115 ACS to ISE feature comparison - Security management, Tools and utilities

PKI / Security Management, Tools and Utilities | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2
PKI / Security management: Configurable management HTTPS certificate | Yes | Yes | Yes | Yes | Yes
PKI / Security management: CRL: Multiple URL definition | Yes | No | No | No | No
PKI / Security management: CRL: LDAP based definition | Yes | No | Yes | Yes | Yes
PKI / Security management: Online Certificate Status Protocol (OCSP) | Yes | Yes | Yes | Yes | Yes
PKI / Security management: Secure Syslogs | No | Yes | Yes | Yes | Yes
PKI / Security management: EAP-TLS certificate lookup in LDAP or AD | Yes | Yes | Yes | Yes | Yes
Tools and Utilities: Programmatic interface for network device CRUD operations | Yes | Yes | Yes | Yes | Yes
Tools and Utilities: Command line / scripting interface (CSUtil) | Yes | No | No | No | No
Tools and Utilities: API for users, groups and end-point CRUD operations | Yes | Yes | Yes | Yes | Yes
Tools and Utilities: Import and export of Command Sets | Yes | Yes | No | No | No
Tools and Utilities: User change password (UCP) utility | Yes | Yes | No | No | No

116 ACS to ISE feature comparison - Miscellaneous

Miscellaneous | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2
Group Mapping (1) | Yes | Yes | No | No (1) | No (1)
RSA Token caching | Yes | Yes | No | No | Yes
Adding hosts with wildcards | Yes | Yes | No | No | No
Alarm notification on a per-item level | N/A | Yes | No | No | No
Configurable RADIUS ports | Yes | No | No | Yes | Yes
Allow special characters in object name (2) | Yes | Yes | No | No | Partially (2)
Multiple NIC interfaces | N/A | Yes | Yes | Yes | Yes
Maximum concurrent sessions per user/group (3) | Yes | Yes | No | No | Yes (3)
Dial-in attribute support | Yes | Yes | No | No | Yes
RBAC for ISE Admin to allow administrators' rights to access/modify only subset(s) of a class of objects | Yes | No | No | Yes | Yes

(1) Workaround: use authorization conditions in the ISE authorization policy.
(2) The Migration tool automatically converts any special character unsupported by ISE to "_".
(3) For internal users.

117 Non-Supported features

Features that will have no ISE support | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2
LEAP Proxy | Yes | No | No | No | No
Ability to select logging attributes for syslog messages | Yes | No | No | No | No
Logging to external DB (via ODBC) (1) | Yes | Yes (1) | No | No | No

(1) Data can be exported from M&T for reporting. Not supported as a log target that can be defined as a critical logger.

118 Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session.
Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

119 Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

120 Q & A

121 Thank You

122
