Advanced ISE Services, Tips & Tricks

2 Advanced ISE Services, Tips & Tricks Craig Hyps Principal Engineer, Policy and Access BRKSEC-3697

3 Important: Hidden Slide Alert
- Look for the "For Your Reference" symbol in your PDFs
- There is a tremendous amount of hidden content for you to use later!
- ~300 slides in the PDF
BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 Cisco Spark: Ask Questions, Get Answers, Continue the Experience
- Use Cisco Spark to communicate with the speaker and fellow participants after the session
- Download the Cisco Spark app from iTunes or Google Play
1. Go to the Cisco Live Melbourne 2017 Mobile app
2. Find this session
3. Click the Spark button under Speakers in the session description
4. Enter the room, room name = BRKSEC
- Join the conversation! The Spark Room will be open for 2 weeks after Cisco Live

5 Other ISE/TrustSec-Related Sessions This Week (all sessions available for review on CiscoLive.com)
- BRKSEC-2141: Maximizing your ISE Deployment Using its Latest Capabilities (Yuval Shchory)
- BRKSEC-2696: Building an Enterprise Access Control Architecture using ISE and TrustSec (Jatin Sachdeva)
- BRKSEC-3699: Designing ISE for Scale & High Availability (Craig Hyps)
- BRKCOC-2015: Inside Cisco IT: How Cisco Deployed ISE and TrustSec, Globally (Simon Finn)
- BRKSEC-2203: Enabling Software-Defined Segmentation with TrustSec (Kevin Regan)
- DEVNET-1010: Using Cisco pxgrid for Security Platform Integration (Brian Gonsalves)

6 NEW Content

7
- pxgrid + TC-NAC + RTC
- ISE-PIC
- Identity in a Sessionless World
- Trusted Device + Trusted User

8 Agenda
- Introduction
- Passive vs. Active Identities
- Passive ID Enhancements in ISE 2.2 / ISE-PIC
- Enabling Passive Identity
- Passive Identity Providers
- Easy Connect
- Trusted Device + Trusted User
- Conclusion

9 What is Passive Identity

10 Passive ID: Passive vs Active Identity / Authentication
- Most security vendors (including Cisco) use Passive Authentication to provide user identity for security policies.
  - It is asking Microsoft AD to please tell our product the username & IP address of users who authenticate to AD. i.e.: it's all hearsay.
  - Example: Context Directory Agent (CDA) using Windows Management Instrumentation (WMI) to tell it when a user authenticates and their current IP.
- Active authentication is learning it from the endpoint/user directly.
  - Ex: chyps@cisco.com has authenticated to the wireless network "Blizzard"; Cisco ISE is the authentication server & learns directly from Craig.
  - Is more reliable and works for all devices/users, not just AD-managed systems.

11 Active Authentication (diagram: endpoint, NGFW, ISE, data center with AD and X.509 CA)
- EAP (802.1X, part of WPA2) from the endpoint; RADIUS to ISE
- Credentials provided directly to ISE via EAP (802.1X)
- ISE validates credentials against the ID store
- ISE provides the authorization results

12 Passive Authentication (diagram: endpoint login / Kerberos to AD, NGFW, ISE)
- Credentials not provided directly by the user/endpoint
- ISE trusts the source that user authentication succeeded
- ISE pulls groups and attributes from the ID store

14 ISE 2.2 Introduces Major Enhancements to Passive ID Capabilities

15 Passive ID Enhancements at a Glance
- Designed to be the single ID solution for the whole Cisco security portfolio: best of all existing solutions
- True single source of identity: no longer need a separate connection to AD, LDAP, etc.
- New features & sources: Agents, WMI, Syslog, REST
- Remotely check with endpoints: Is the endpoint still on the network? Is the user still logged in?
- Scale to 100 DCs and beyond
- Passive identity sharing via pxgrid with the BASE license

16 Why customers buy ISE
- Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
- Guest Access: Fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
- Access Control: Consistent access control into wired, wireless and VPN networks: 802.1X, MAC, Web Authentication and Easy Connect for admission control.
- BYOD Access: Simplified BYOD management with built-in CA and 3rd-party MDM integration for onboarding and self-service of personal mobile devices.
- Segmentation: Topology-independent software-defined segmentation policy to contain network threats by using Cisco TrustSec technology.
- Context Sharing: Context sharing with the partner eco-system to provide a single source of user and device details for better partner solution effectiveness.
- Threat Control: Security ecosystem partners from a broad variety of technology areas integrate with ISE to take network mitigation and investigation actions in response to security events.
- Device Admin: Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices.
- Passive ID: Identity sharing with the partner eco-system to provide a single source of truth that provides actionable intelligence for better partner solution effectiveness.

17 Introducing ISE Passive Identity Connector (PIC)
- Standalone appliance for Passive Identity only
- Same Passive ID capabilities as its big brother, ISE: all the passive sources and the sharing capabilities of pxgrid, just in a new, smaller packaging and license
- Low cost: Passive Identity only, no authorization, no policies
- Everything in one virtual appliance (2 for redundancy)
- Simple to install and use
- Upgrade to full ISE with a simple license

18 Why customers buy ISE-PIC (same use-case table as slide 16)

19 Posted to Cisco.com March 1, 2017

20 Passive ID Vision (diagram)
- Consumers: ASA, Cloud Web Security (CWS / ISR Connector), Umbrella (SSX cloud, Umbrella VA), FMC, APIC-DC, APIC-EM, Stealthwatch
- Sources into ISE or PIC: AD (WMI), Syslog & REST, Terminal Services Agent; AD / LDAP / ODBC / SAML as ID stores
- Context attributes needed: Username, AD Group Membership (?), MSE Location, AD Domain Name, Endpoint Profile, NDG Location, Assigned SGT, ISE ID Groups (User / Endpoint), User's DN, AD Attributes, Certificate Attributes & Template ID (may have to allow SmartSearch editing), Session Directory, MDM Management Info (which MDM & state), NSX Group Scraping?, Express Raw EPG?

21 ISE 2.2 Passive Identity Feature Overview
- Broker for IP-to-User/Group mappings for Cisco consumers
- Collect Passive ID via multiple sources; share out via pxgrid (pub/sub bus)
- Inputs to ISE-PIC / ISE: WMI, Kerberos SPAN, ISE-PIC Agent, Syslog, REST API (custom apps, almost anything), Endpoint Probe ("Same user? Still there?")
- Output: ISE or PIC publishes to pxgrid subscribers

22 Four Tenets of a Complete Passive ID Solution
- Learn: build the binding table, multiple methods
- Share: pub/sub (pxgrid), CDA-RADIUS
- Use: management interfaces, caching
- Update: verify endpoint, inform of changes

23 Learn: For ISE to Build the Bindings of Users and IPs
- Active Directory via Windows Management Instrumentation (WMI): pub/sub messaging; ISE subscribes to certain security events and AD informs ISE of those events
- ISE-PIC Agent: native Windows application, loaded on a domain controller or member server
- SPAN: passively monitor Kerberos exchanges and build a table of bindings

24 Learn: For ISE to Build the Bindings of Users and IPs (continued)
- Syslog sources: custom parsers with an easy automatic builder tool
  - Source types: AAA servers (ISE, ACS), VPN (F5/ASA/Nortel VPN), Web Security Appliances (BlueCoat)
  - IP address managers (InfoBlox, BlueCat, AD, dhcpd): provide L2-to-L3 binding data, and DHCP leases are used to identify logoff
- REST API sources
  - Terminal Services Agent: same agent used by Firepower Management Center; Citrix and MS Terminal Servers; binds users to IP and source port-range
  - Generic API sources: guest solutions, badging systems and custom integrations

26 Share: Sharing WHO is on the Network and their IP Address
- Platform Exchange Grid (pxgrid): pub/sub communication bus
  - Same pxgrid topics for ISE and ISE-PIC
  - Number of subscribers based on deployment model (up to 25 subscribers); PIC will support 20 subscribers at FCS
  - Simplified registration / configuration in ISE & ISE-PIC (v2.2+): easier certificate usage, username / password / token assertion
- CDA-RADIUS interface (not in FCS code)
  - Legacy interface used by ASA Classic, CWS and older WSA code
  - Release date: TBD

28 Use: Management (Metadata) APIs are Required
- It's not enough to receive the IP-to-user bindings from pxgrid
- The consumer's management application must know which groups/users exist to build the policies
- The management app must know how to tie the usernames received from pxgrid back to the usernames pulled from the single source of truth
- ISE & ISE-PIC can provide that information to the subscribers, but the management apps have to be updated to use ISE as that source of truth
- Simply put: what is needed for policy authoring, and then binding what is configured in the policy to the information received from pxgrid?

29 Use: Stealthwatch
- Stealthwatch 6.9 uses ISE 2.2 as the single source of truth
  - SW 6.9 will work with older ISE releases, but less data will be available
  - Endpoint Protection Services (EPS) works as always
- Stealthwatch 6.8 is the last version of Stealthwatch that uses syslog to receive context from ISE
  - Upgrades from 6.8 to 6.9: if pxgrid was configured in 6.8, it will continue to function; if syslog only, you will need to reconfigure the ISE connection
- SW adds pxgrid session data to the User Table and Flow Attribution
- No separate management/metadata API required

30 Use: Firepower Management Center
- Firepower 6.1 & 6.2 still use their existing Realms for the metadata
  - Configured under System > Integrations > Realms
  - LDAP configuration to pick interesting users and groups for access policies
  - Future versions could use ISE
- Users and groups selected from Realms are bound to session data sent via pxgrid
- Matching entries are added to the Identity Cache and sent to Firepower appliances
- Firepower 6.2 has newer pxgrid libraries: enhanced error-handling, multi-threaded

31 Use: Web Security Appliance (WSA)
- WSA has a CDA-RADIUS interface for Context Directory Agent (CDA) integration
- WSA also has a pxgrid interface for SGT-based policies
  - No TrustSec with ISE-PIC, so user-specific policies would be necessary with ISE-PIC
  - No group-based policies available in WSA with pxgrid today
  - When the CDA-RADIUS interface is available for ISE-PIC, WSA could be integrated that way
- Plan is for WSA to have full pxgrid support: WSA would use Realms for metadata, then bind the pxgrid or CDA-RADIUS data to the selections from the Realms

33 Update: Identify Changes
- Logoff detection
  - Endpoint Probe uses WMI to remotely verify that the endpoint and user are still logged in
  - Change in DHCP binding or DHCP lease expiration
  - Session ended per syslog provider
  - TS Agent removes session
- WMI update events can renew a session
- Session timeouts: purge of inactive sessions, configurable 1-24 hours

34 A Day In the Life of ID Sharing with StealthWatch

35 A Day in the Life of Passive ID with Stealthwatch (sequence diagram: User, DHCP, AD, ISE / PIC, Stealthwatch)
- LEARN: user joins the network: DHCP request, DHCP IP address assignment, (optional) DHCP syslog; L2/L3 binding added to the Session Directory
- LEARN: Kerberos: user authenticates to Active Directory; WMI or Agent notification; Username:IP_Address added to the Session Directory; lookup of groups & attributes for the user, added to the Session Directory
- SHARE: pxgrid Notify; Stealthwatch pxgrid Get Info
- USE: merge ID info into the Stealthwatch User Table & Flow Attribution
- UPDATE: Endpoint Probe (WMI: who is the current user); lease expiration, (optional) syslog; delete session; pxgrid Notify; update the ID in the Stealthwatch User Table & Flow Attribution

37 Enabling ISE Passive Identity

38 Configuring ISE Passive Identity
- Enable Passive ID on the ISE PSN; this enables all passive identity provider features
- Typically need only 2 nodes (for redundancy) to support WMI
- Additional PSNs can be enabled for Passive ID to support: PIC Agent, Syslog, Endpoint probes, SPAN, API / TS Agent

40 Passive Identity Providers

41 Windows Management Instrumentation (WMI)

42 ISE 2.2 versus Earlier ISE Versions and CDA
- ISE 2.1: configure AD and Passive ID DCs in separate places; enter each Passive ID DC manually or by manual import; registry hacks on the DCs; ~10 pages of instructions
- ISE 2.2: one place for Active Directory config; automagically lists eligible DCs; as simple as clicking "Config WMI"; interesting AD groups; setup wizard; can leverage the Agent (see Agent section)

43 Windows Management Instrumentation (WMI)
- Remotely connects to DCs leveraging WMI
- Acts like pub/sub communication: ISE/PIC subscribes to certain events and WMI alerts ISE/PIC when those events occur: 4768 (Kerberos Ticket Granting) & 4770 (Kerberos Ticket Renewal)
- Entries in the Session Directory expire (are purged) if nothing new has been learned / updated; configurable (1-24 hours)

44 Join AD (screenshot)

45 Join AD Continued: Store Credentials (screenshot)

46 Configure Passive ID (screenshot)

47 Configure Passive ID Continued: Passive ID lists all the DCs in the domain (screenshot)

48 Configure WMI: output file ad_agent.log (screenshot)

49 Test Connection: a bulk request is issued for past events on initial connect (screenshot)

50 Working with WMI
- Windows Management Instrumentation is a core Windows management technology
- WMI allows you to manage both local and remote computers
- Does not require installation of an agent in the domain
- Connectivity requirements for a successful WMI connection must be met; "Config WMI" will do it for you

51 What Config WMI Does: WMI configuration requires 5 things
- Registry changes
- Permissions to use DCOM
- Permissions to use WMI remotely
- Access to read the Security event log of the Active Directory domain controller
- Windows Firewall must allow traffic from / to ISE

52 Limitations / Etc.
- Can only monitor DCs in domains that are joined directly, i.e. a Join Point must exist
- Configuration needs to be per domain controller (on all DCs)
- Uses DCOM (WMI is DCOM-based)
- Read-Only DC not supported
- 100 directly monitored DCs
- Supported Windows versions: 2003 and above; Config WMI only works on 2008 and above

53 Store Credentials
- Join credentials will be stored encrypted
- Endpoint probe cannot work without it: needs the admin credentials to access the endpoint
- Will be used for Passive ID monitored DCs; if not checked, credentials will have to be entered separately for each monitored DC
- Cannot uncheck in ISE-PIC

54 Leveraging AD for Passive ID
- Retrieve from AD for every passive identity learned: UPN, DN (e.g. CN=Administrator,CN=Users,DC=demo,DC=local), interesting AD groups
- Works for all providers, not just WMI

55 Passive ID Wizard
- Simple and easy way to configure AD for Passive ID: enter Active Directory and credentials, select interesting AD groups, choose DCs to monitor
- Start the wizard from two places

56 Passive ID Wizard (screenshots, slides 56-59)

60 ISE PIC Agent

61 ISE PIC Agent
- Agent included when installing ISE/ISE-PIC; upgrade and download the Agent from the Agents tab in the UI
- Manually install or push from ISE!! Yes, I said push from ISE
- Native, 32-bit application; Agent requires .NET 4.0 or above
- Can be installed on a member server or DC

62 ISE to Agent Communication
- The Agent is the client: it needs to know which ISE Passive ID nodes to connect to
  - When pushing from ISE, it is configured automagically
  - For a manual installation, the admin must tell the Agent which nodes to speak with; there is NO user interface for the Agent, so the admin must create the nodes file
- High availability: configure the Agent with more than 1 ISE Passive ID node
  - ID mapping & configuration happen with only 1 node at a time; if an error is received, the Agent moves to the next ISE node in the list

63 ISE to Agent Communication (continued)
- 10-second polling: doubles as the keep-alive; config is provided from the ISE node to the Agent during that poll; immediate updates when there is a change
- 1 per minute: Agent sends DC connection status to the ISE Passive ID node
- Mapping updates are sent immediately

64 Push Installation from ISE
- When deploying from ISE, the nodes file is built automatically, includes all Passive Nodes from the ISE/PIC deployment, and is stored in the ISE agent root folder
- Leverages ISEExec to run the installation: copies the MSI from ISE to %SYSTEMROOT% and executes the MSI

65 Deploying Agent from ISE (screenshot: AD-Agent1 deployed from ISE)

66 Register a Manually Deployed Agent (screenshot: AD-Agent2 manually deployed)

67 Agent Is Running (screenshot)

68 Agent Directory (screenshot)

69 Agent Nodes File
- Contains the list of ISE Passive ID nodes for connection
- Agent communicates with one node at a time; if an error is received, it moves to the next node in the list
- For manual installs, you must put the ISE Passive ID nodes in the nodes file
- Read at startup

70 Binding Monitored DC to an Agent (screenshot: AD-Agent1, AD-Agent2)

71 DC is monitored by Agent (screenshot: AD-Agent1, AD-Agent2)

72 Simple Uninstall: Remove Agent from AD Server (screenshot)

73 Considerations and Limitations
- Passive ID learned via the PIC Agent is not currently merged with Easy Connect
- Agent can monitor more than one DC (up to 10)
- Reverse lookup: ensure you have configured reverse lookup from the Agent's IP to hostname for the relevant DNS server(s) on the ISE-PIC side
- Agent uses native Windows APIs; the Agent still uses WMI, but requests come from a Windows-approved server, so no need for registry hacks; if Domain Admin, you do not need any other changes to Windows AD
- No UI at all; runs as a Windows service
- Manual removal
- When changing the Passive ID nodes, you must manually change the nodes file, and must restart the Agent when changing the nodes file because it is read at startup

74 Log Forwarding to Increase Scale (diagram: DC1 and DC2 are monitored via an ISE member server with the Agent; DC3-DC6 forward their logs)

75 Kerberos Sniffing via SPAN

76 SPAN Configuration (Work Center -> PassiveID -> Providers -> SPAN)
- A list of nodes and interfaces will be displayed, but only for those running the Passive ID service; pick the node, and then the interface
- If you do not have Passive ID running, that must be configured as a prerequisite
- Example: monitor Kerberos traffic on the server link to AD1, AD2

77 Network Configuration
- Configure the switch to SPAN traffic from the AD server link, or create a VACL that sends only Kerberos (tcp/88) traffic into the SPAN port
- Configure a dedicated port on ISE for SPAN (use this interface only for SPAN traffic)

78 Syslog Provider

79 Identity Syslog Sources
- Define syslog clients in order to receive and parse syslog messages
- Configure: Host / IP, connection type (UDP port, TCP port), template, default domain
- Default domain: if the domain is not identified in the syslog message for the specific user, this default domain is automatically assigned to the user, in order to ensure that all users are assigned a domain

80 Identity Syslog Sources (continued): could be any source (theoretically). The log message must include:
- Mapping operation: New Mapping (mandatory), Remove Mapping (optional)
- Data: IP address (mandatory); username (mandatory, unless DHCP); domain (optional, will use the default domain if not included); MAC address (optional)

81 Example: paste the syslog here, and the template will automatically show you the identified data to validate the parser (screenshot)

82 Built-in: long list of pre-existing templates/parsers (screenshot)

83 DHCP Syslogs
- DHCP syslogs from IPAM providers are used for L2<>L3 bindings (MAC to IP)
- Will not be presented by themselves in the Session Table: identity is the key (Identity Connector); they will be merged into an existing session with identity (based on IP)
- Used for lease renewal & lease expiration updates; an expired DHCP lease will remove the session from the Sessions Table
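The field rules from slides 79-83 (a client template chosen by host name, a mapping operation, a mandatory IP, a username that is mandatory unless the source is DHCP, a default domain applied when the message carries none, an optional MAC) as a small parser. This is an added example and not ISE's syslog parser: the client templates, the regular expressions, the host names vpn-gw1 and ipam1 and the sample syslog lines are all constructed; ISE's real templates are built in the GUI.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample messages (not real vendor output): an identity login that
# carries a domain, one that does not, a logoff, a DHCP lease with no username,
# and a message no template recognises.
SAMPLE_SYSLOGS = [
    "<134>Mar 1 10:15:02 vpn-gw1 vpn: session opened user=jdoe@corp.example ip=10.1.20.7",
    "<134>Mar 1 10:15:03 vpn-gw1 vpn: session opened user=asmith ip=10.1.20.8",
    "<134>Mar 1 18:02:11 vpn-gw1 vpn: session closed user=jdoe@corp.example ip=10.1.20.7",
    "<30>Mar 1 10:14:55 ipam1 dhcpd: DHCPACK on 10.1.20.7 to 00:11:22:33:44:55 (laptop-07) via eth0",
    "<30>Mar 1 10:14:56 ipam1 dhcpd: some unrelated message",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"

# Hypothetical client templates keyed by the host name the admin defined for the
# client (the slide says ISE picks the template the same way; the regexes are constructed).
TEMPLATES = {
    "vpn-gw1": {
        "kind": "identity",
        "default_domain": "corp.example",
        "patterns": [
            ("add", re.compile(rf"session opened user=(?P<user>\S+) ip=(?P<ip>{IPV4})")),
            ("remove", re.compile(rf"session closed user=(?P<user>\S+) ip=(?P<ip>{IPV4})")),
        ],
    },
    "ipam1": {
        "kind": "dhcp",
        "default_domain": None,
        "patterns": [
            ("add", re.compile(rf"DHCPACK on (?P<ip>{IPV4}) to (?P<mac>{MAC})")),
        ],
    },
}

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss hostname ...
HEADER = re.compile(r"^<\d+>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?P<host>[\w.-]+)\s")


@dataclass
class Mapping:
    operation: str            # "add" (New Mapping) or "remove" (Remove Mapping)
    ip: str                   # mandatory
    username: Optional[str]   # mandatory unless the source is DHCP
    domain: Optional[str]     # from the message, else the client's default domain
    mac: Optional[str]        # optional; DHCP sources supply it
    source: str               # host name of the syslog client


def parse_syslog(line: str) -> Optional[Mapping]:
    """Pick the client template by host name, then extract the mapping fields."""
    hdr = HEADER.match(line)
    if hdr is None:
        return None
    host = hdr.group("host")
    tmpl = TEMPLATES.get(host)
    if tmpl is None:
        return None                      # unknown client: no template to apply
    for operation, rx in tmpl["patterns"]:
        m = rx.search(line)
        if m is None:
            continue
        fields = m.groupdict()
        user, domain = fields.get("user"), None
        if user and "@" in user:         # domain carried inside the username
            user, domain = user.split("@", 1)
        if user and domain is None:      # otherwise assign the client's default domain
            domain = tmpl["default_domain"]
        if tmpl["kind"] != "dhcp" and not user:
            return None                  # username is mandatory for identity sources
        return Mapping(operation, fields["ip"], user, domain, fields.get("mac"), host)
    return None                          # known client, but not a mapping message


def parse_all(lines):
    """Return the mappings recovered from a batch of syslog lines, in order."""
    return [m for m in map(parse_syslog, lines) if m is not None]
```

The DHCPACK line yields a mapping with no username, which is exactly the kind of record slide 83 says is only merged into an existing identity session rather than shown on its own.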

84 Syslog Provider Details
- Passive ID learned via syslog is not currently merged with Easy Connect
- The syslog service matches the host name from the message to the one the administrator previously defined in the GUI, in order to identify the correct client template
- Ensure you have configured reverse lookup from the syslog client's IP to hostname for the relevant DNS server(s) on the ISE node side; can configure with hostname instead of IP

85 Syslog Provider Details (continued)
- High availability: redundancy is to send syslogs to 2 nodes (results in double logs & added noise), or use Anycast to do it cheaply, or use a load balancer
- Not part of MnT syslog parsing: running as a separate process, different ports

86 Endpoint Probe, aka: Is the user still there?

87 Endpoint Probe: is the user still there?
- Endpoint is reachable
- Same user is still logged on
- Requires administrative privilege on the endpoint (Domain Admins group); uses the stored credentials from the Join Point and will not work without those

88 Endpoint Probe: Active Directory Windows only; saved Domain Admin credentials will be used (screenshot)

89 Endpoint Probe Flow
- Runs every 4 hours (not configurable)
- Tries WMI for the endpoint first (easier & faster); if WMI fails then ISEExec will be run to query the endpoint for the user and enable WMI for next time
- Also retrieves the MAC address and OS type (endpoint profile)

90 Endpoint Probe Session Tracking
- If the endpoint is unreachable: no update
- If the same user is logged in: update the session with new info (MAC, OS type, last seen)
- Otherwise, remove the session
- Endpoint Probe is used in conjunction with Easy Connect also: if the user is no longer there, send CoA to the NAD to end the network session
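The session directory lifecycle described on slides 33, 35, 83 and 90 (learn a user-to-IP binding, merge a DHCP L2/L3 binding only into an existing identity session, update or remove on an Endpoint Probe result, remove on lease expiration, purge inactive entries after the 1-24 hour timer) as a runnable model. This is an added example, not ISE's session directory: the SessionDirectory class, the probe result tuple and the timeline in day_in_the_life are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    ip: str
    username: str
    domain: str
    last_seen: datetime
    mac: Optional[str] = None
    os_type: Optional[str] = None


class SessionDirectory:
    """Constructed model of the Passive ID session directory, keyed by IP."""

    def __init__(self, purge_after_hours: int = 4):
        # The inactivity purge timer is configurable from 1 to 24 hours (slide 33).
        if not 1 <= purge_after_hours <= 24:
            raise ValueError("inactivity purge timer must be 1-24 hours")
        self.ttl = timedelta(hours=purge_after_hours)
        self.sessions: Dict[str, Session] = {}

    # LEARN: an identity provider (WMI, Agent, SPAN, syslog, API) reports user -> IP.
    def learn(self, ip: str, username: str, domain: str, now: datetime) -> Session:
        prev = self.sessions.get(ip)
        s = Session(ip, username, domain, now, mac=prev.mac if prev else None)
        self.sessions[ip] = s
        return s

    # DHCP syslog: L2/L3 binding. Identity is the key, so a lease with no matching
    # identity session is not presented on its own (slide 83).
    def dhcp_lease(self, ip: str, mac: str, now: datetime) -> bool:
        s = self.sessions.get(ip)
        if s is None:
            return False
        s.mac, s.last_seen = mac, now
        return True

    # An expired DHCP lease removes the session from the sessions table.
    def dhcp_lease_expired(self, ip: str) -> bool:
        return self.sessions.pop(ip, None) is not None

    # UPDATE: Endpoint Probe result. probe is None when the host is unreachable,
    # otherwise (logged-on user, MAC, OS type) as WMI/ISEExec would report it.
    def endpoint_probe(self, ip: str, probe: Optional[Tuple[str, str, str]], now: datetime) -> str:
        s = self.sessions.get(ip)
        if s is None:
            return "no-session"
        if probe is None:
            return "unreachable"            # no update
        user, mac, os_type = probe
        if user.lower() == s.username.lower():
            s.mac, s.os_type, s.last_seen = mac, os_type, now
            return "updated"
        del self.sessions[ip]               # someone else is logged on now
        return "removed"

    # Session timeout: purge entries with nothing learned or updated within the TTL.
    def purge_inactive(self, now: datetime) -> List[str]:
        stale = [ip for ip, s in self.sessions.items() if now - s.last_seen >= self.ttl]
        for ip in stale:
            del self.sessions[ip]
        return stale

    def lookup(self, ip: str) -> Optional[Session]:
        return self.sessions.get(ip)


def day_in_the_life() -> dict:
    """Replay the slide 35 sequence with constructed events; return what the directory saw."""
    t0 = datetime(2017, 3, 1, 8, 0)
    d = SessionDirectory(purge_after_hours=4)
    out = {}
    # DHCP syslog arrives before any identity: nothing to merge into.
    out["dhcp_before_identity"] = d.dhcp_lease("10.1.20.7", "00:11:22:33:44:55", t0)
    # Kerberos login seen via WMI, then the lease renewal merges into that session.
    d.learn("10.1.20.7", "chyps", "demo.local", t0 + timedelta(minutes=1))
    out["dhcp_after_identity"] = d.dhcp_lease("10.1.20.7", "00:11:22:33:44:55", t0 + timedelta(minutes=2))
    # Endpoint Probe cycles: same user (case-insensitive), unreachable, different user.
    out["probe_same_user"] = d.endpoint_probe("10.1.20.7", ("CHYPS", "00:11:22:33:44:55", "Windows 10"), t0 + timedelta(hours=4))
    out["probe_unreachable"] = d.endpoint_probe("10.1.20.7", None, t0 + timedelta(hours=8))
    out["os_type"] = d.lookup("10.1.20.7").os_type
    out["probe_other_user"] = d.endpoint_probe("10.1.20.7", ("jsmith", "00:11:22:33:44:55", "Windows 10"), t0 + timedelta(hours=12))
    # A second user never updated again is purged once the 4-hour timer elapses.
    d.learn("10.1.20.8", "imbashir", "demo.local", t0)
    out["purged"] = d.purge_inactive(t0 + timedelta(hours=5))
    out["lease_expired"] = d.dhcp_lease_expired("10.1.20.7")   # already removed by the probe
    return out
```

The username comparison is case-insensitive because Windows reports logon names in whatever case the user typed, and a case-sensitive check would wrongly drop a still-valid session.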

91 Endpoint Probe Configuration (ISE only)
- Designed for scale: only in ISE PSNs
- PSNs are configured to own subnets, similar to AD Sites & Services: configure the closest PSN to do the probing
- If a subnet does not exist here, it will not be queried
- Comma-separated subnets, e.g. /24, /24

92 Endpoint Probe Manual Check: query the endpoint on demand (screenshot)

94 Easy Connect: Identifying Trusted Users without 802.1X User Authentication

95 Easy Connect Architecture (diagram)
- AD logins are learned via WMI by the PSNs running Passive ID and sent to the MnT (active and standby)
- MnT publishes the Session Topic to pxgrid (pxgrid controller, consumed by e.g. Cisco ASA), e.g. User: jsmith with IP and MAC
- Wired switch authenticates via RADIUS AAA to the PSN; the PSN issues CoA
- SXP: update SXP peers with SGT mappings from RADIUS + EZC

96 Easy Connect: Consuming Both AD and RADIUS Logins (diagram)
- Windows Event log (AD logins via WMI): IP address to username entries for imbashir and chyps, fed into the PSN identity mapping
- ISE Session Directory (columns MAC, IP, Uname, Profile, Method, Source, SGT): hslai (Samsung Galaxy), chyps and imbashir (Identity Mapping), zsariedd (Apple-iPad, mab, RADIUS, SGT 20), awoland (Appleanything, Easy Connect dot1x, RADIUS, SGT 10)
- MnT publishes the Session Topic to pxgrid (Cisco ASA); SXP peers are updated with SGT mappings from RADIUS

97 Easy Connect Enforcement: Merging RADIUS Identity with AD Login Identity (diagram)
- Merge the active RADIUS identity with the passive AD identity: AuthZ = RADIUS + Passive ID
- Wired switch RADIUS authentication/authorization: Calling ID 00:11:22:33:44:55 and 11:22:33:44:55:66 with their Framed IPs; the Windows Event log maps the same IPs to imbashir and chyps
- ISE Session Directory after the merge: chyps (Windows7-WS) and imbashir (Windows 10) now carry Identity Mapping + RADIUS with methods Dot1x +PsvID / MAB +PsvID; hslai (Samsung Galaxy), zsariedd (Apple-iPad, mab, RADIUS, SGT 20), awoland (Appleanything, Easy Connect dot1x, RADIUS, SGT 10) unchanged
- MnT issues an internal CoA + identity to the PSN; SXP peers are updated with SGT mappings from RADIUS + PassiveID; the Session Topic is published to pxgrid

98 Easy Connect Configuration (beyond Passive ID): Authorization Profile
To enable Easy Connect, the Authorization Profile must:
- Flag the session as a candidate for Passive Identity tracking.
- Permit access for the AD login.
For Easy Connect sessions, the MnT node:
- Merges the RADIUS session with the AD login session based on matching IP address.
- Generates a CoA reauth to the PSN to apply a new authorization based on the AD identity (Passive ID).
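The merge step described above, as an added simulation (not ISE code): a passive AD login from the Windows event log is matched to an active RADIUS session by IP address, but only when the session's authorization profile flagged it as an Easy Connect candidate, and each new match yields one CoA reauth. The session and login records are constructed for the example.

```python
"""Simulation of the Easy Connect merge performed by the MnT node (added example,
not ISE code).  Sessions and AD login events below are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RadiusSession:
    mac: str
    ip: str
    username: str            # MAB sessions carry the MAC as the RADIUS username
    method: str              # "dot1x" or "mab"
    ezc_candidate: bool      # flag set by the Easy Connect authorization profile
    source: str = "RADIUS"
    passive_user: Optional[str] = None


@dataclass
class AdLogin:
    ip: str                  # IP address from the Windows logon event
    username: str


def merge_easy_connect(sessions: List[RadiusSession],
                       logins: List[AdLogin]) -> Tuple[List[RadiusSession], List[str]]:
    """Merge AD logins into the session directory by IP address.

    Returns the updated directory and the list of MACs for which a CoA reauth
    must be sent to the PSN (one per newly merged identity)."""
    by_ip = {s.ip: s for s in sessions}
    coa_targets: List[str] = []
    for login in logins:
        sess = by_ip.get(login.ip)
        if sess is None:
            continue                      # AD login with no active RADIUS session
        if not sess.ezc_candidate:
            continue                      # profile did not flag this session
        if sess.passive_user == login.username:
            continue                      # already merged: no second CoA
        sess.passive_user = login.username
        sess.source = "RADIUS + Identity Mapping"
        coa_targets.append(sess.mac)
    return sessions, coa_targets


def authz_label(session: RadiusSession) -> str:
    """Name of the merged authorization as shown on the enforcement slide."""
    base = "Dot1x" if session.method == "dot1x" else "MAB"
    return f"{base} + PsvID" if session.passive_user else base


def build_sample() -> Tuple[List[RadiusSession], List[AdLogin]]:
    """Constructed sample: two Easy Connect candidates, one plain dot1x session."""
    sessions = [
        RadiusSession("00:11:22:33:44:55", "10.1.1.10", "00:11:22:33:44:55", "mab", True),
        RadiusSession("11:22:33:44:55:66", "10.1.1.11", "host/win10-ws", "dot1x", True),
        RadiusSession("22:33:44:55:66:77", "10.1.1.12", "hslai", "dot1x", False),
    ]
    logins = [
        AdLogin("10.1.1.10", "chyps"),
        AdLogin("10.1.1.11", "imbashir"),
        AdLogin("10.1.1.12", "hslai"),    # session not flagged: ignored
        AdLogin("10.1.1.99", "ghost"),    # no RADIUS session: ignored
    ]
    return sessions, logins


if __name__ == "__main__":
    directory, coa = build_sample()
    directory, coa = merge_easy_connect(directory, coa)
    for s in directory:
        print(f"{s.mac} {s.username:18} {s.passive_user or '-':10} "
              f"{s.source:26} {authz_label(s)}")
    print("CoA reauth to PSN for:", coa)
```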

99 Easy Connect Configuration: Authorization Policy
Add conditions based on Passive Identity (Easy Connect chaining).

100 What Merges with Easy Connect?
Passive ID Provider | Merges with Easy Connect?
WMI | Yes
ISE-PIC Agent | No
Endpoint Probe | Yes
Syslog (Identity) | No
Syslog (DHCP) | Yes
SPAN (Kerberos) | No
API Provider | No

101 Agenda Introduction Passive vs. Active Identities Passive ID Enhancements in ISE 2.2 / ISE-PIC Enabling Passive Identity Passive Identity Providers Easy Connect Trusted Device + Trusted User Conclusion

102 Identifying Trusted Devices without 802.1X Machine Authentication

103 Identifying Trusted Devices using Profiler
Custom Profile Workstation_Corp: duplicate the Workstation profile and add a rule to match any (OR) of these conditions to mycompany.com:
- DNS FQDN
- DHCP client-fqdn
- DHCP domain-name
Increase CF by 20; Minimum CF = 30.

104 Identifying Trusted Devices using Profiler
Real Customer Example: Profiling Based on a Custom DHCP Attribute
One customer decided to modify the DHCP Class Identifier on their Domain Computers. This provided a unique way to profile the device as a Corporate Asset.
Manual Configuration Example:
C:\>ipconfig /setclassid "Local Area Connection" CorpXYZ
Windows XP IP Configuration
DHCP ClassId successfully modified for adapter "Local Area Connection"
GPO Script Configuration Example:
1 - Create a GPO which has the necessary IPCONFIG command in a startup script
2 - Create a Domain Local group called something like 'Laptop Computer Accounts' and add all the laptop computer accounts
3 - Modify the GPO by removing 'Authenticated Users' from the permissions list
4 - Add the 'Laptop Computer Accounts' group to the permissions list and assign 'Read' and 'Apply Group Policy' permissions
5 - Link the GPO to the domain root (or the highest level OU which will encompass all computer accounts)
Note: the profiler condition value must be expressed in hex.

105 Identifying Trusted Devices using NMAP
Work Centers > Profiler > Manual Scans
[Screenshot] Original scan options: start a new custom scan, or pick a saved Scan Action; option to skip the ping check.

106 Manual NMAP Scan
Work Centers > Profiler > Manual Scans [Screenshot]

107 Manual NMAP Scan
Work Centers > Profiler > Manual Scans
[Screenshot] TCP ports are automatically checked for McAfee ePolicy Orchestrator if Service Version information is checked.

108 NMAP Scan Actions
Used in Profiler Policies (triggered scans) or Manual Scans. [Screenshot]

109 Triggered NMAP Scan using Template
Policy > Profiling > Profiling Policies (or Work Centers > Profiler > Profiling Policies) [Screenshot]

110 Enhanced NMAP Probe: SMB Discovery
Detailed Windows info including:
- Common Platform Enumeration (CPE)
- FQDN
- Operating System version
- Domain
- Workgroup
NMAP Reference:
If unable to get SMB info, verify that SMB can access the computer: see "Windows 7 Scan to Folder SMB Setup".

111 Enhanced NMAP Probe: Custom Ports, Service Info, ePO Check
Custom port check on TCP/8081 and McAfee ePolicy Orchestrator Agent check. [Screenshot]

112 AD Probe
Administration > System > Deployment > (node) > Profiling Configuration, or Work Centers > Profiler > Node Config > Deployment > (node) > Profiler Config
- Increases OS fidelity through detailed info extracted via AD.
- Distinguishes corporate from non-corporate endpoints -> Is the device a Corp Asset?
- Leverages the AD Runtime Connector.
- Attempts to fetch AD attributes once the computer hostname is learned from the DHCP Probe or the DNS Probe.
- AD queries are gated by the rescan interval (default 1 day) and by profiler activity for the endpoint.
Note: If the AD probe is enabled after the endpoint was learned and its hostname acquired, no AD query is made.

113 AD Probe Conditions and Attributes
Conditions match on the following: AD Computer?, Join Point, Domain, OS, Version, and Service Pack.
[Screenshot] Sample attributes. MAB -> DHCP -> AD Probe: simple as 1, 2, 3!

114 Identifying Corporate Assets using Posture: Check for Unique Corp Attributes
ISE Posture checks the registry for pre-populated or unique entries. Example: check for key Terces with value YNAPMOC under HKLM\SOFTWARE\Microsoft\Bmurc\Daerb\
Optional checks: files unique to the corporate image; applications/services specific to the organization's SOE (SOE = Standard Operating Environment).

115 Endpoint Custom Attributes
Administration > Identity Management > Settings
Once defined, Custom Attributes can be set using: Admin UI, File Import, LDAP Import, ERS API.

116 Endpoint Custom Attributes: Edit Attributes from Context Visibility
[Screenshot] Edit, then Save/Delete.

117 Endpoint Import from File: CSV Template
20 MB file limit. Export will include many more fields than prior releases. Import only the fields required, but the first 3 must be MAC, EP Policy and ID Group, in that specific order.
MACAddress,EndPointPolicy,IdentityGroup,AuthenticationIdentityStore,Description,DeviceRegistrationStatus,BYODRegistration,DeviceType,Address,FirstName,hostname,LastName,Custom.AssetNumber,Custom.AssetType,Custom.ProfitCenter,Custom.CorpDevice,MDMServerID,MDMServerName,MDMEnrolled,username,NetworkDeviceName,OUI,PortalUser,UserName,StaticAssignment,StaticGroupAssignment,UserType,EndpointIdentityGroup,MDMOSVersion,PortalUser.FirstName,PortalUser.LastName,PortalUser.Address,PortalUser.PhoneNumber,PortalUser.GuestType,PortalUser.GuestStatus,PortalUser.Location,PortalUser.GuestSponsor,PortalUser.CreationType,AUPAccepted,

118 Endpoint ERS API [Screenshot]

119 Endpoint ERS API
Custom attributes in the ERS endpoint payload:
<customAttributes>
  <entry>
    <key>ProfitCenter</key>
    <value> </value>
  </entry>
  <entry>
    <key>CorpDevice</key>
    <value>true</value>
  </entry>
  <entry>
    <key>AssetNumber</key>
    <value> </value>
  </entry>
  <entry>
    <key>AssetType</key>
    <value>corporate</value>
  </entry>
</customAttributes>
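An added helper (not ISE code) covering both the file import and the ERS payload above: it writes an endpoint import CSV whose first three columns are MACAddress, EndPointPolicy and IdentityGroup in the required order, followed by the Custom.* columns from the template, and builds the matching customAttributes XML fragment. The colon-separated upper-case MAC format and the endpoint values are assumptions for the example.

```python
"""Endpoint import CSV and ERS customAttributes builder (added example, not ISE code).
Column names follow the CSV template on the slide; the MAC format is assumed."""
import csv
import io
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# First three columns are mandatory and must appear in exactly this order.
MANDATORY_COLUMNS = ["MACAddress", "EndPointPolicy", "IdentityGroup"]
# Custom attributes from the template (Custom.<name> columns in the CSV).
CUSTOM_ATTRIBUTES = ["ProfitCenter", "CorpDevice", "AssetNumber", "AssetType"]
MAX_IMPORT_BYTES = 20 * 1024 * 1024          # 20 MB file limit from the slide


def normalize_mac(raw: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the assumed import form AA:BB:CC:DD:EE:FF; reject anything else."""
    if re.sub(r"[0-9A-Fa-f:.\-]", "", raw):
        raise ValueError(f"invalid MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_import_csv(endpoints: List[Dict[str, str]]) -> str:
    """Render endpoints (dicts keyed by column name) as an import CSV string."""
    header = MANDATORY_COLUMNS + [f"Custom.{a}" for a in CUSTOM_ATTRIBUTES]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    for ep in endpoints:
        row = [normalize_mac(ep["MACAddress"]), ep["EndPointPolicy"], ep["IdentityGroup"]]
        row += [ep.get(f"Custom.{a}", "") for a in CUSTOM_ATTRIBUTES]
        writer.writerow(row)
    data = buf.getvalue()
    if len(data.encode("utf-8")) > MAX_IMPORT_BYTES:
        raise ValueError("import file exceeds the 20 MB limit")
    return data


def check_header(csv_text: str) -> bool:
    """True when the first three columns are the mandatory ones, in order."""
    first_line = csv_text.splitlines()[0] if csv_text else ""
    return first_line.split(",")[:3] == MANDATORY_COLUMNS


def custom_attributes_xml(attrs: Dict[str, str]) -> str:
    """Build the <customAttributes> fragment shown on the slide for one endpoint."""
    root = ET.Element("customAttributes")
    for key, value in attrs.items():
        entry = ET.SubElement(root, "entry")
        ET.SubElement(entry, "key").text = key
        ET.SubElement(entry, "value").text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample endpoint: a corporate workstation with two custom attributes.
    sample = [{"MACAddress": "0011.2233.4455", "EndPointPolicy": "Workstation_Corp",
               "IdentityGroup": "Profiled", "Custom.CorpDevice": "true",
               "Custom.AssetType": "corporate"}]
    text = build_import_csv(sample)
    print(text, "header ok:", check_header(text))
    print(custom_attributes_xml({"CorpDevice": "true", "AssetType": "corporate"}))
```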

120 Custom Endpoint Attributes Exposed to Authorization Policy Rule Conditions [Screenshot]

121 Identifying Corporate Assets: Device Registration
Is a user-registered device a corporate asset? Registered devices added from self-serve portals are used to track personal devices. Self-registered devices cannot be validated as corporate unless some other method is used.

122 External Device Registration: Is the Device Registered in a Trusted System?
ISE can check enrollment and compliance with most MDM/EMM vendors as well as SCCM and Intune.

123 Methods for Linking Trusted Devices with Trusted Users

124 Trusted Device + Trusted User: Identifying the Machine AND the User
Machine Access Restrictions (MAR)
MAR provides a mechanism for the RADIUS server to search the previous authentications and look for a machine authentication with the same Calling-Station-ID. This means the machine must authenticate before the user, i.e. the user must log out, not use hibernate, etc. See the reference slides for more possible limitations.

125 Machine Access Restrictions (MAR)
MAR Cache: Calling-Station-ID 00:11:22:33:44:55, Passed
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
MachineAuth | if Domain Computers | then MachineAuth
Employee | if Employee & WasMachineAuthenticated = true | then Employee
GUEST | if GUEST | then GUEST
Default | if no matches | then WEBAUTH
[Diagram] NAD switchport -> PSN: RADIUS Access-Request [EAP-ID=CorpXP-1]. PSN -> NAD: RADIUS Access-Accept [cisco-av-pair] = dacl=permit-all. Matched Rule = MachineAuth.

126 Machine Access Restrictions (MAR)
MAR Cache: Calling-Station-ID 00:11:22:33:44:55, Passed
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
MachineAuth | if Domain Computers | then MachineAuth
Employee | if Employee & WasMachineAuthenticated = true | then Employee
GUEST | if GUEST | then GUEST
Default | if no matches | then WEBAUTH
[Diagram] EAPoL Start. NAD switchport -> PSN: RADIUS Access-Request [EAP-ID = Employee1]. PSN -> NAD: RADIUS Access-Accept [cisco-av-pair] = dacl=permit-all. Matched Rule = Employee.
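The two MAR slides above as an added simulation (not ISE code): the rule table is evaluated top-down, a passed machine authentication is cached by Calling-Station-ID, and a user authentication satisfies WasMachineAuthenticated only if an unexpired cache entry exists for the same MAC. The cache ageing time, identity types and AD group names are assumptions for the example.

```python
"""Machine Access Restrictions (MAR) evaluation, added example (not ISE code).
Rules mirror the slide's table; the cache ageing period is assumed."""
from dataclasses import dataclass
from typing import Dict

MAR_CACHE_TTL_SECONDS = 6 * 3600         # assumed ageing time for cached machine auths


@dataclass
class AccessRequest:
    calling_station_id: str              # endpoint MAC as sent by the NAD
    eap_identity: str                    # EAP-ID (host/... for machine, user name for user)
    identity_type: str                   # "machine", "user", "phone" or "guest" (assumed)
    ad_group: str                        # AD group the identity resolved to, "" if none
    timestamp: float                     # seconds; used for cache ageing


class MarCache:
    """Calling-Station-ID -> time of the last passed machine authentication."""

    def __init__(self) -> None:
        self._passed: Dict[str, float] = {}

    def record(self, mac: str, when: float) -> None:
        self._passed[mac] = when

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        when = self._passed.get(mac)
        return when is not None and 0 <= now - when <= MAR_CACHE_TTL_SECONDS


def authorize(req: AccessRequest, cache: MarCache) -> str:
    """Return the permission (authorization profile) of the first matching rule."""
    if req.identity_type == "phone":                         # IP Phones
        return "Cisco_IP_Phone"
    if req.identity_type == "machine" and req.ad_group == "Domain Computers":
        cache.record(req.calling_station_id, req.timestamp)  # machine auth passed
        return "MachineAuth"
    if (req.identity_type == "user" and req.ad_group == "Employee"
            and cache.was_machine_authenticated(req.calling_station_id, req.timestamp)):
        return "Employee"                                    # WasMachineAuthenticated = true
    if req.identity_type == "guest":
        return "GUEST"
    return "WEBAUTH"                                         # Default


if __name__ == "__main__":
    cache = MarCache()
    mac = "00:11:22:33:44:55"
    print(authorize(AccessRequest(mac, "host/CorpXP-1", "machine", "Domain Computers", 0.0), cache))
    print(authorize(AccessRequest(mac, "Employee1", "user", "Employee", 60.0), cache))
    # Same user, different MAC with no prior machine auth (e.g. resumed from hibernate)
    print(authorize(AccessRequest("66:77:88:99:AA:BB", "Employee1", "user", "Employee", 60.0), cache))
```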

127 TEAP: Problems we Face Today with Secure Network Access
- What certificates do I trust for EAP?
- How can I easily get a certificate onto my systems?
- Easily renew my certificates
- Identify computer and user

128 TEAP

129 TEAP vs. Other EAP Types
Columns: EAP-TEAP (RFC 7170), EAP-FASTv2 (Proprietary), EAP-PEAP, EAP-TTLS (RFC 5281)
Rows compared:
- Certificate Provisioning in-band
- Distribute EAP Server Trust-List
- User + Machine EAP Chaining
- Posture Transport in-band (PT-TLS or PT-EAP)
- Certificate Renewals in-band
- Fast Reconnect w/ Server
- Fast Reconnect w/ PAC File

130 Identifying the Machine AND the User: The Next Chapter of Authentication, EAP-Chaining
TEAP, RFC 7170: Tunneled EAP (TEAP). A next-generation EAP method that provides all benefits of current EAP types. Also provides EAP-Chaining.
Cisco did it YEARS before TEAP was adopted: EAP-FASTv2 with AnyConnect 3.1+ and Identity Services Engine. Adopted and in production at organizations world-wide! The only true chain of Machine + User.

131 EAP-Chaining with AnyConnect and ISE: Machine Authenticates
1. Machine authenticates. 2. ISE issues Machine AuthZ PAC.
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
MachineAuth | if Domain Computers | then MachineAuth
Employee | if Employee & Network Access:EAPChainingResult = User and machine succeeded | then TEAP Employee
GUEST | if GUEST | then GUEST
Default | if no matches | then WEBAUTH
[Diagram] NAD switchport / PSN exchange: EAPoL Start; RADIUS Access-Request [EAP-Tunnel = FAST]; RADIUS Access-Challenge [EAP-TLV = Machine] (EAP-Request:TLV to the supplicant); EAP-Response TLV = Machine, forwarded as RADIUS Access-Request [EAP-TLV = Machine] [EAP-ID=Corp-Win7-1]; RADIUS Access-Accept (with PAC), EAP Success.

132 EAP-Chaining with AnyConnect and ISE: User Authenticates
User authenticates. 4. ISE receives the Machine PAC. 5. ISE issues User AuthZ PAC.
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
MachineAuth | if Domain Computers | then MachineAuth
Employee | if Employee & Network Access:EAPChainingResult = User and machine succeeded | then TEAP Employee
GUEST | if GUEST | then GUEST
Default | if no matches | then WEBAUTH
[Diagram] NAD switchport / PSN exchange: EAPoL Start; RADIUS Access-Request [EAP-Tunnel = FAST] carrying the PAC; RADIUS Access-Challenge [EAP-TLV = Machine] (EAP-Request:TLV to the supplicant); EAP-Response TLV = User, forwarded as RADIUS Access-Request [EAP-TLV = User] [EAP-ID=Employee1]; RADIUS Access-Accept (with PAC), EAP Success.

133 Trusted Device + Trusted User: Identifying the Machine AND the User
What to do when EAP-Chaining is not available? There are many needs to determine the Machine AND the User. Windows is the only current OS that can run EAP-Chaining (with AnyConnect). What about iOS or Android based tablets?
- Chain together 802.1X with Easy Connect (EZC): can validate the device using a user-issued certificate; will validate the actual user with AD or other credentials provided to the external provider.
- Chain together 802.1X with Centralized Web Authentication (CWA): can validate the device using a user-issued certificate; will validate the actual user with username/password, smartcard, or another method that validates the user.

134 Mobile Device with Certificate: What Identifies the Actual User? [Diagram]

135 802.1X and CWA Chaining
1. EAP-TLS authentication. 2. ISE sends Access-Accept with URL-Redirect.
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
Employee_CWA | if AD:ExternalGroup=Employees AND CWA:CWA_ExternalGroup=Employees | then Employee & SGT
Employee_1X | if Employee & Network Access:EAPAuthentication = EAP-TLS | then CWAchain
Default | if no matches | then WEBAUTH
[Diagram] Supplicant certificate CN=employee1 is valid. NAD switchport -> PSN: EAP-ID Response, RADIUS Access-Request [EAP-Protocol=TLS]. PSN -> NAD: RADIUS Access-Accept [AVP:url-redirect, dacl]. Session Data: User Identity = employee1, User Group = employees.

136 802.1X and CWA Chaining
3. User enters username/password (BobSmith / xxxxxxxxx). 4. ISE sends CoA-reauth.
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
Employee_CWA | if AD:ExternalGroup=Employees AND CWA:CWA_ExternalGroup=Employees | then Employee & SGT
Employee_1X | if Employee & Network Access:EAPAuthentication = EAP-TLS | then CWAchain
Default | if no matches | then WEBAUTH
[Diagram] PSN -> NAD: RADIUS CoA [AVP:reauth]; NAD sends EAP-ID Request to the supplicant. Session Data: User Identity = employee1, User Group = employees, CWA Identity = BobSmith, CWA Group = employees.

137 802.1X and CWA Chaining
3. User enters username/password. 4. ISE sends CoA-reauth. 5. Supplicant responds with certificate. 6. ISE sends Accept, dACL & SGT.
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
Employee_CWA | if AD:ExternalGroup=Employees AND CWA:CWA_ExternalGroup=Employees | then Employee & SGT
Employee_1X | if Employee & Network Access:EAPAuthentication = EAP-TLS | then CWAchain
Default | if no matches | then WEBAUTH
[Diagram] Supplicant certificate CN=employee1 is valid. NAD switchport -> PSN: EAP-ID Response, RADIUS Access-Request [EAP-Protocol=TLS]. PSN -> NAD: RADIUS Access-Accept [AVP: dacl + SGT]; access granted. Session Data: User Identity = employee1, User Group = employees, CWA Identity = BobSmith, CWA Group = employees.

138 Trusted Device and Trusted User Putting it All Together

139 Trusted Device + Trusted User: Identifying Trusted Devices
ISE Profiling: Device Classification and Trusted (Whitelist) Identification
Profiling Source | Condition
DNS | Matching Hostname/Domain Name
NMAP | SMB Discovery for matching AD domain name
NMAP | McAfee ePO Agent Detection
AD Probe | Computer exists in AD domain
DHCP | Custom User Class ID pushed via GPO

140 Trusted Device + Trusted User: Identifying Trusted Devices
Other options to identify trusted computers
Source | Description
AD/LDAP/ODBC/RADIUS | Lookup device in existing trusted ID store
MDM / EMM | Lookup device in existing trusted DM store
Posture | Endpoint inspection for managed device attributes
Device Registration | Admins / trusted users vouch for device
BYOD | Onboard personal assets as trusted device
Import / API | Seed inventory of managed / trusted devices
Custom Attributes | Import/API marking of trusted endpoints

141 Trusted Device + Trusted User: Matching Trusted Users to Trusted Devices
Combinations / Flows
Source | Description
MAR | Cache previous successful Machine Auth event and link to user auth with same MAC
CWA Chaining | Link Web Authentication to current 802.1X auth
EZC Chaining | Link Passive ID to current MAB/802.1X auth
EAP Chaining | Link Machine 802.1X and User 802.1X auth
TEAP | Link Machine 802.1X and User 802.1X auth

142 Trusted Device + Trusted User: Implicit Device Trust
- 802.1X User Authentication using non-exportable certificates.
- 802.1X User Authentication with embedded device data in the certificate. Example: match the authenticating MAC address to a value issued in the certificate.
- Multi-Factor Authentication (MFA) based on individual user input.
- Devices authenticated using Easy Connect are implicitly members of the AD domain: in order to trigger an AD login event, the device must be a member of the domain. An AD login is not simply authentication using AD credentials.

143 Trusted Device + Trusted User: Trusted Device and Trusted User Policies
Legend: Implicitly Trusted Device / Trusted Device / Trusted User
Auth Method | Sample Auth Policy | SGT
802.1X Machine + User (EAP Chain) | AD_PC_Employee_1X | AD_PC-Employee
802.1X Machine + EZC (EZC Chain) | AD_PC_Employee_EZC | AD_PC-Employee
802.1X Machine + CWA (CWA Chain) | AD_PC_Employee_WebAuth | AD_PC-Employee
802.1X User Auth + EZC (EZC Chain) | Employee_1X_EZConnect | AD_PC-Employee
802.1X User Auth | Employee_1X | Employee
802.1X Machine Auth Only | AD_PC_1X | AD_Computer
MAB + EZConnect (no 1X) | Employee_EZConnect | AD_PC-Employee
MAB + CWA (no 1X) | Employee_WebAuth | Employee
MAB + Trusted Device Profile | AD_PC_MAB | AD_Computer

144 Trusted Device + Trusted User: Trusted Device and Trusted User Policies
* Include Trusted Device Profile
Legend: Trusted Device / Trusted User
Auth Method | Sample Auth Policy | SGT
802.1X Machine + User (EAP Chain) | AD_PC_Employee_1X | AD_PC-Employee
802.1X Machine + EZC (EZC Chain) | AD_PC_Employee_EZC | AD_PC-Employee
802.1X Machine + CWA (CWA Chain) | AD_PC_Employee_WebAuth | AD_PC-Employee
802.1X User Auth + EZC (EZC Chain) | Employee_1X_EZConnect | AD_PC-Employee
802.1X User Auth | Employee_1X | Employee
802.1X Machine Auth Only | AD_PC_1X | AD_Computer
MAB + EZConnect (no 1X) | Employee_EZConnect | AD_PC-Employee
MAB + CWA (no 1X) | Employee_WebAuth | Employee
MAB + Trusted Device Profile | AD_PC_MAB | AD_Computer

145 ISE 2.2 Context Visibility

146 Context Visibility: Authenticated Devices
Filter by Trusted Device/Trusted User Policy [Screenshot]

147 Context Visibility: Registered / Onboarded Devices
Device and Registered User Info [Screenshot]

148 Context Visibility: User Report
Devices associated to a user based on authentication [Screenshot]

149 Context Visibility: User Record Details
Automatically fetched from AD/LDAP. Data includes: first name, last name, telephone, department, location, job title, state, address.

150 Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco 2017 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations: directly from your mobile device on the Cisco Live Mobile App, by visiting the Cisco Live Mobile Site, or at any Cisco Live Internet Station located throughout the venue. T-Shirts can be collected Friday 10 March at Registration.
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.

151 Q & A

152 Thank you


More information

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure Cisco ISE Infrastructure, on page 1 Cisco ISE Administration Node Ports, on page 2 Cisco ISE Monitoring Node Ports, on page 4 Cisco ISE Policy Service Node Ports, on page 5 Inline

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure, page 1 Cisco ISE Administration Node Ports, page 2 Cisco ISE Monitoring Node Ports, page 3 Cisco ISE Policy Service Node Ports, page 4 Cisco ISE pxgrid Service Ports, page 8 OCSP

More information

Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM. Author: John Eppich

Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM. Author: John Eppich Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM Author: John Eppich Table of Contents About This Document... 4 Solution Overview... 5 Technical Details... 6 Cisco ISE pxgrid Installation... 7 Generating the

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, page 1 The User

More information

Managing External Identity Sources

Managing External Identity Sources CHAPTER 5 The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other

More information

Cisco TrustSec How-To Guide: Central Web Authentication

Cisco TrustSec How-To Guide: Central Web Authentication Cisco TrustSec How-To Guide: Central Web Authentication For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 1

More information

What Is Wireless Setup

What Is Wireless Setup What Is Wireless Setup Wireless Setup provides an easy way to set up wireless flows for 802.1x, guest, and BYOD. It also provides workflows to configure and customize each portal for guest and BYOD, where

More information

Yes, You can protect your endpoints! Szilard Csordas, Security Consultant scsordas [at] cisco.com

Yes, You can protect your endpoints! Szilard Csordas, Security Consultant scsordas [at] cisco.com Yes, You can protect your endpoints! Szilard Csordas, Security Consultant scsordas [at] cisco.com Endpoint Footprint Problem: TOO MANY AGENTS! Anti-Virus/Anti-Spyware agent IPSec/SSLVPN agent Host IPS/FW

More information

Firepower Threat Defense Remote Access VPNs

Firepower Threat Defense Remote Access VPNs About, page 1 Firepower Threat Defense Remote Access VPN Features, page 3 Firepower Threat Defense Remote Access VPN Guidelines and Limitations, page 4 Managing, page 6 Editing Firepower Threat Defense

More information

CounterACT 802.1X Plugin

CounterACT 802.1X Plugin CounterACT 802.1X Plugin Version 4.2.0 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT 802.1X Plugin... 6 About This Document... 7 802.1X Plugin Components...

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 300-208 Exam Questions & Answers Number: 300-208 Passing Score: 800 Time Limit: 120 min File Version: 38.4 http://www.gratisexam.com/ Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access

More information

Configure Posture. Note

Configure Posture. Note The AnyConnect Secure Mobility Client offers an VPN Posture (HostScan) Module and an ISE Posture Module. Both provide the Cisco AnyConnect Secure Mobility Client with the ability to assess an endpoint's

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node? Volume: 385 Questions Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node? A. tcp/8905 B. udp/8905 C. http/80 D. https/443 Answer: A Question:

More information

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

Cisco Day Hotel Mons Wednesday

Cisco Day Hotel Mons Wednesday Cisco Day 2016 20.4.2016 Hotel Mons Wednesday Why Identity is so important? - Identity Services Engine update György Ács IT Security Consulting Systems Engineer 20 April 2016 ISE Champion Agenda Best Practices,

More information

How to securely connect user endpoints to network access wireless or wired. Gyorgy Acs Consulting Systems Engineer Cisco

How to securely connect user endpoints to network access wireless or wired. Gyorgy Acs Consulting Systems Engineer Cisco How to securely connect user endpoints to network access wireless or wired Gyorgy Acs Consulting Systems Engineer Cisco Agenda Introduction Using ISE in a Security Ecosystem Anomaly, Vulnerability and

More information

Authentication and Authorization Policies

Authentication and Authorization Policies Chapter 13 Authentication and Authorization Policies The previous chapter focused on the levels of authorization you should provide for users and devices based on your logical Security Policy. You will

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 15 Create an Identity Rule, page 15 Manage a Realm, page 20 Manage an Identity

More information

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology Author: John Eppich Table of Contents About this Document... 3 Introduction

More information

Install and Configure the TS Agent

Install and Configure the TS Agent Install or Upgrade the TS Agent, page 1 Start the TS Agent Configuration Interface, page 2 Configure the TS Agent, page 2 Creating the REST VDI Role, page 7 Install or Upgrade the TS Agent Before You Begin

More information

Cisco pxgrid: A New Architecture for Security Platform Integration

Cisco pxgrid: A New Architecture for Security Platform Integration Cisco pxgrid: A New Architecture for Security Platform Integration Brian Gonsalves Product Manager #clmel Agenda Cisco pxgrid in Summary pxgrid Use-Cases How to Develop Using pxgrid Getting Started Cisco

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 300-208 Exam Questions & Answers Number: 300-208 Passing Score: 800 Time Limit: 120 min File Version: 38.4 http://www.gratisexam.com/ Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access

More information

Guest Management. Overview CHAPTER

Guest Management. Overview CHAPTER CHAPTER 20 This chapter provides information on how to manage guest and sponsor accounts and create guest policies. This chapter contains: Overview, page 20-1 Functional Description, page 20-2 Guest Licensing,

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-208

More information

Configuring Client Posture Policies

Configuring Client Posture Policies CHAPTER 19 This chapter describes the posture service in the Cisco Identity Services Engine (Cisco ISE) appliance that allows you to check the state (posture) for all the endpoints that are connecting

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

Posture Services on the Cisco ISE Configuration Guide Contents

Posture Services on the Cisco ISE Configuration Guide Contents Posture Services on the Cisco ISE Configuration Guide Contents Introduction Prerequisites Requirements Components Used Background Information ISE Posture Services Client Provisioning Posture Policy Authorization

More information

A. Post-Onboarding. the device wit be assigned the BYOQ-Provision firewall role in me Aruba Controller.

A. Post-Onboarding. the device wit be assigned the BYOQ-Provision firewall role in me Aruba Controller. Volume: 98 Questions Question: 1 Based on the ClearPass and Aruba Controller configuration settings for On boarding shown, which statement accurate describes an employee's new personal device connecting

More information

Configure Client Provisioning

Configure Client Provisioning in Cisco ISE, on page 1 Client Provisioning Resources, on page 2 Add Client Provisioning Resources from Cisco, on page 3 Add Cisco Provided Client Provisioning Resources from a Local Machine, on page 4

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

Configure Client Posture Policies

Configure Client Posture Policies Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate

More information

Borderless Networks. Tom Schepers, Director Systems Engineering

Borderless Networks. Tom Schepers, Director Systems Engineering Borderless Networks Tom Schepers, Director Systems Engineering Agenda Introducing Enterprise Network Architecture Unified Access Cloud Intelligent Network & Unified Services Enterprise Networks in Action

More information

What do you want for Christmas?

What do you want for Christmas? What do you want for Christmas? ISE 2.0 new feature examples TACACS, Certificate Provisioning, Posture encryption Eugene Korneychuk, Michał Garcarz AAA TAC Engineers Agenda ISE - new features in 2.0 AnyConnect

More information

Active Directory as a Probe and a Provider

Active Directory as a Probe and a Provider Active Directory (AD) is a highly secure and precise source from which to receive user identity information, including user name, IP address and domain name. The AD probe, a Passive Identity service, collects

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

Identity Services Engine Passive Identity Connector (ISE-PIC) Administrator Guide, Release 2.4

Identity Services Engine Passive Identity Connector (ISE-PIC) Administrator Guide, Release 2.4 Identity Services Engine Passive Identity Connector (ISE-PIC) Administrator Guide, Release 2.4 First Published: 2018-05-27 Last Modified: 2018-05-27 Americas Headquarters Cisco Systems, Inc. 170 West Tasman

More information

Cisco Identity Services Engine (ISE) Mentored Install - Pilot

Cisco Identity Services Engine (ISE) Mentored Install - Pilot Cisco Identity Services Engine (ISE) Mentored Install - Pilot Skyline Advanced Technology Services (ATS) offers Professional Services for a variety of Cisco-centric solutions. From inception to realization,

More information

ForeScout Extended Module for MobileIron

ForeScout Extended Module for MobileIron Version 1.8 Table of Contents About MobileIron Integration... 4 Additional MobileIron Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Configuring Network Admission Control

Configuring Network Admission Control 45 CHAPTER This chapter describes how to configure Network Admission Control (NAC) on Catalyst 6500 series switches. With a PFC3, Release 12.2(18)SXF2 and later releases support NAC. Note For complete

More information

Installing and Configuring the TS Agent

Installing and Configuring the TS Agent Installing the TS Agent, page 1 Starting the TS Agent Configuration Interface, page 2 Configuring the TS Agent, page 2 Creating the REST VDI Role, page 7 Installing the TS Agent Before You Begin Confirm

More information

Configure Posture. Note

Configure Posture. Note The AnyConnect Secure Mobility Client offers an VPN Posture (HostScan) Module and an ISE Posture Module. Both provide the Cisco AnyConnect Secure Mobility Client with the ability to assess an endpoint's

More information

Wireless BYOD with Identity Services Engine

Wireless BYOD with Identity Services Engine Wireless BYOD with Identity Services Engine Document ID: 113476 Contents Introduction Prerequisites Requirements Components Used Topology Conventions Wireless LAN Controller RADIUS NAC and CoA Overview

More information

Configure Guest Access

Configure Guest Access Cisco ISE Guest Services, on page 1 Guest and Sponsor Accounts, on page 2 Guest Portals, on page 13 Sponsor Portals, on page 25 Monitor Guest and Sponsor Activity, on page 35 Guest Access Web Authentication

More information

Manage Authorization Policies and Profiles

Manage Authorization Policies and Profiles Manage Policies and Profiles Cisco ISE Policies, page 1 Cisco ISE Profiles, page 1 Default, Rule, and Profile Configuration, page 5 Configure Policies, page 9 Permissions for Profiles, page 12 Downloadable

More information

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1 VMware Workspace ONE Quick Configuration Guide VMware AirWatch 9.1 A P R I L 2 0 1 7 V 2 Revision Table The following table lists revisions to this guide since the April 2017 release Date April 2017 June

More information

Integration with McAfee DXL

Integration with McAfee DXL DEPLOYMENT GUIDE Integration with McAfee DXL Visibility into Network Changes and Faster Threat Containment Using Outbound APIs 2017 Infoblox Inc. All rights reserved. Integration with McAfee DXL November

More information

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series Universal Wireless Controller Configuration for Cisco Identity Services Engine Secure Access How-To Guide Series Author: Hosuk Won Date: November 2015 Table of Contents Introduction... 3 What Is Cisco

More information

ISE Version 1.3 Self Registered Guest Portal Configuration Example

ISE Version 1.3 Self Registered Guest Portal Configuration Example ISE Version 1.3 Self Registered Guest Portal Configuration Example Document ID: 118742 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 13, 2015 Contents Introduction Prerequisites

More information

Cisco ISE Licenses. Your license has expired. If endpoint consumption exceeds your licensing agreement.

Cisco ISE Licenses. Your license has expired. If endpoint consumption exceeds your licensing agreement. This chapter describes the licensing mechanism and schemes that are available for Cisco ISE and how to add and upgrade licenses., on page 1 Manage Traditional License Files, on page 2 Cisco ISE licensing

More information

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall. This chapter describes how to configure the ASA for the. About the, page 1 Guidelines for the, page 7 Prerequisites for the, page 9 Configure the, page 10 Collect User Statistics, page 19 Examples for

More information

Cisco Terminal Services (TS) Agent Guide, Version 1.1

Cisco Terminal Services (TS) Agent Guide, Version 1.1 First Published: 2017-05-03 Last Modified: 2017-12-19 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)

More information

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3 Deploying VMware Identity Manager in the DMZ SEPT 2018 VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Cisco AnyConnect as a Service György Ács Regional Security Consultant Mobile User Challenges Mobile and Security Services Web Security

More information