Identity Based Network Access


Identity Based Network Access - Agenda
What are my issues?
Cisco ISE Power Training
What have I achieved?
What do I want to do?

What are the issues?
User populations on the network: Guest, Student, Staff, Contractor (Staff/Student, Contractor, Guest).
ISE has answers for who, what, when, where, how and more.

Cisco Identity Services Engine Power Training

Network Access & Digitization
How to secure your network with so many unknowns?
Example endpoint: IP ADDRESS: 192.168.2.101, MAC ADDRESS: 00-05-01-AA-E1-FF
Who owns that device? What device is it? Any threats from it? Is it vulnerable? Where is it located? When did it connect? How is it connected?

Make fully informed decisions, using ISE
Poor context awareness (without ISE) versus rich context awareness (with ISE), for IP ADDRESS: 192.168.2.101

           Without ISE                    With ISE
WHO        Unknown                        Bob (Employee)
WHAT       Unknown                        Apple iPad/iOS/11.0.1
WHEN       Unknown                        10:30 AM PST
WHERE      Unknown                        Floor-1, San Jose, Building 19
HOW        Unknown                        Wireless
APPS       Unknown                        Firefox, MS Word, AnyConnect
SPEC       Unknown                        Serial number, CPU, memory
RESULT     Access to any device/user???   Authorized network access

ISE Use Cases
Visibility: Who and what is on your network, shared with other security tools (e.g. StealthWatch) for better threat and behavioral clarity.
Next Gen Access Control: Control access to network and resources based on context, for more accurate access policy options and enforcement.
TrustSec Software-Defined Segmentation: Easily create segments on the network and NGFW to increase protection and reduce malware proliferation.
Guest Access.
Simplified Firewall Rule Management with TrustSec: The number and complexity of firewall rules can be reduced by up to 80%, which reduces errors and costs.
DEFCON Policy Enforcement: When there is a security outbreak, customers have one button to push to activate different policies network-wide using software-defined segmentation.
Always-on Policy Compliance: Assurance that your network, devices and their behaviors are compliant with company and regulatory compliance requirements.
Rapid Threat Containment: Stop threats anywhere in the network from one console.
Ecosystem Integration: One framework to integrate different security products, share intel, see threats faster and take action from the customer's preferred product, such as FMC or Splunk.

Authentication and Authorization
Diagram: EMPLOYEE and CONTRACTOR endpoints present certificates / passwords (e.g. alice / *****) for NETWORK ACCESS to PROTECTED SERVERS, SHARED SERVICES and the PUBLIC NETWORK.
AUTHENTICATION: Who are you?
AUTHORIZATION: What can you do?

Active versus Passive Identity
Passive Identity: IP-to-user mapping obtained via passive means such as AD WMI events, AD Agents, Syslog, SPAN sessions and more. Diagram: DOMAIN\Jim logs in to AD and Cisco ISE learns "Jim logged in".
Active Identity: IP-to-user mapping obtained via active interaction between ISE and the client via 802.1X, Web Authentication, Remote Access VPN, etc. Diagram: Alice authenticates to Cisco ISE, which checks her against AD ("Alice?" / "Yes").

Authentication Option 1 - 802.1X Overview
Roles: Endpoint (Supplicant), Network Device (Authenticator), Cisco ISE (Authentication Server), Active Directory (Identity Store).
Credentials: Certificate / Password / Token.
EAP is carried over 802.1X between supplicant and authenticator, and over RADIUS between authenticator and ISE, e.g. RADIUS: ACCESS-REQUEST with SERVICE-TYPE: FRAMED carrying EAP: EAP-RESPONSE-IDENTITY.
EAP: Extensible Authentication Protocol.
Supplicant: Software running on the client that provides credentials to the authenticator (Network Device).

Authentication Option 1 - 802.1X: Fundamentals of 802.1X
Roles: Endpoint (Supplicant), Network Device (Authenticator), Cisco ISE (Authentication Server), Active Directory (Identity Store).
On success ISE returns RADIUS: ACCESS-ACCEPT with VSA: Airespace-ACL = Employee-ACL, the authenticator relays EAP: EAP-SUCCESS, and the port becomes Port-Authorized.
If authentication fails, the port stays Port-Unauthorized.

Authentication Option 2 - MAC Authentication Bypass (MAB)
Endpoints without a supplicant will fail 802.1X authentication!
Bypassing known MAC addresses: the network device asks via EAP "What's your ID?"; with no 802.1X response the 802.1X timeout expires; any packet from the endpoint (e.g. 00-10-23-AA-1F-38) then triggers MAB, and the network device sends Cisco ISE a request with User: 00-10-23-AA-1F-38 and receives ACCESS-ACCEPT.
MAB requires a MAC address database; ISE can build this database dynamically with profiling.

Authentication Type 3: ISE Easy Connect
Identity-based network access without 802.1X.
Flow: an endpoint with no 802.1X gets MAB on SWITCH-1 and Limited Access (enough for DHCP, NTP, DNS and AD). DOMAIN\bob logs in to the DOMAIN CONTROLLER ("Bob logged in"); ISE retrieves the user-id and the user's AD membership and sends a CoA: Full Access.
Authorization levels on the enterprise network: UNKNOWN - LIMITED ACCESS; EMPLOYEES - FULL ACCESS.
Benefits: Immediate value; Leverage existing infrastructure; Increased visibility into active network sessions; Flexible deployment, co-operates with other auth methods.

Authentication Type 4: Web Authentication
Local or Central Web Authentication (LWA/CWA).
Flow between Endpoint, Network Device, Cisco ISE and the NETWORK:
Initial packet (e.g. to Google.com) -> MAB Request -> Initial AuthZ: Limited Access ACL + URL-Redirect to ISE ("Got your MAC, need your ID") -> ISE login page: username + password (alice) -> CoA Force ReAuth -> MAB Request matches the session cache of the previous successful WebAuth -> Final AuthZ: Full Access ACL.

Change of Authorization (CoA) - RFC 5176
RADIUS CoA (Change of Authorization) is a feature that allows ISE to adjust an active client session (initial access -> change in access).
Requires the endpoint's active session on ISE.
Automatic / manual initiation of CoA.
Use cases: Central Web Authentication (CWA); Device Profiling; Posture assessment; Threat Centric NAC; Adaptive Network Control; and more.
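The CoA exchange above depends on two things the slide only names: the request is tied to an existing session, and both sides authenticate the packets with the RADIUS shared secret. The following Python is an added example, not code from the slide deck or from Cisco; it implements the RFC 5176 Request and Response Authenticator calculations for CoA-Request / CoA-ACK / CoA-NAK, with a hypothetical network-device side (`nas_handle`) that ACKs only when the session identified by Calling-Station-Id is active and otherwise returns Error-Cause 503 (Session Context Not Found). The shared secret and session table are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes defined by RFC 5176 (Dynamic Authorization Extensions).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard attribute types used here to identify the session and report errors.
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503   # RFC 5176 section 3.5


def encode_attrs(attrs):
    """Encode [(type, value)] as RADIUS TLVs; value is str or bytes."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode RADIUS TLVs, rejecting lengths that run past the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_request(code, identifier, attrs, secret):
    """CoA-/Disconnect-Request (RFC 5176 section 2.3): Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """Validate a received request; return (code, identifier, attrs) or raise."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("request authenticator mismatch (wrong secret or tampered)")
    return code, identifier, decode_attrs(packet[20:])


def build_response(code, request, attrs, secret):
    """CoA-ACK/NAK: Response Authenticator = MD5(Code + Identifier + Length +
    Request Authenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response, request, secret):
    """Validate a response against the request it answers; return (code, attrs)."""
    if len(response) < 20 or response[1] != request[1]:
        raise ValueError("response does not match request identifier")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("response authenticator mismatch")
    return response[0], decode_attrs(response[20:])


def nas_handle(packet, secret, active_sessions):
    """Hypothetical network-device side: ACK when the named session is active,
    otherwise NAK with Error-Cause 503 (the 'requires an active session' rule)."""
    code, _, attrs = verify_request(packet, secret)
    macs = [v.decode() for t, v in attrs if t == ATTR_CALLING_STATION_ID]
    ack = COA_ACK if code == COA_REQUEST else DISCONNECT_ACK
    nak = COA_NAK if code == COA_REQUEST else DISCONNECT_NAK
    if macs and macs[0] in active_sessions:
        return build_response(ack, packet, [], secret)
    cause = struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND)
    return build_response(nak, packet, [(ATTR_ERROR_CAUSE, cause)], secret)


def coa_exchange(mac, active_sessions, secret=b"constructed-shared-secret"):
    """One CoA round trip for a MAC; returns (response code, Error-Cause or None)."""
    request = build_request(COA_REQUEST, 7, [(ATTR_CALLING_STATION_ID, mac)], secret)
    response = nas_handle(request, secret, active_sessions)
    code, attrs = verify_response(response, request, secret)
    causes = [struct.unpack("!I", v)[0] for t, v in attrs if t == ATTR_ERROR_CAUSE]
    return code, (causes[0] if causes else None)
```

`coa_exchange("00-10-23-AA-1F-38", {"00-10-23-AA-1F-38"})` returns a CoA-ACK, while the same call with an empty session set returns a CoA-NAK carrying Error-Cause 503. The constant-time comparison and the length check matter on the receiving side: a CoA listener on a switch or WLC accepts requests from any host that can reach UDP 3799, so the authenticator is the only thing binding the request to the server that knows the secret.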

Authorization Options Beyond RADIUS ACCESS-ACCEPT / ACCESS-REJECT
DACL or Named ACL: Downloadable ACL (Wired) or Named ACL (Wired + Wireless). Example: Employee - permit ip any any; Contractor - deny ip host <critical>, permit ip any any.
VLANs: Dynamic VLAN assignments. Example: Employees VLAN 3; Guest VLAN 4.
Scalable Group Tags: Cisco TrustSec; per port / per domain / per MAC 16-bit SGT assignment and SGT-based access control.
Remediation.

A Typical ISE Authentication and Authorization Policy
Authentication method; where to look for identities; how to handle auth failures; authorization conditions; end result.

Building Identity & Context

Building Context: User (WHO, WHAT, WHEN, WHERE, HOW, POSTURE, APPLICATIONS, VULNERABILITY, THREAT)
Active / Passive Identity feeds the ISE Session Database in Cisco ISE. Examples:
CONTRACTORS: Harry connected via Switch-SJC01
GUESTS: Bob connected via AP-SJC03
EMPLOYEES: Alice connected via VPN005

Building Context: Device-Type (WHO, WHAT, WHEN, WHERE, HOW, POSTURE, APPLICATIONS, VULNERABILITY, THREAT)
ISE data collection methods for device profiling:
ACTIVE PROBES: NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP, AD.
DEVICE SENSOR (DS): CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS. Endpoints send the device sensor interesting data that reveal their device identity.
ANYCONNECT: AnyConnect Identity Extensions (ACIDex).
Cisco ISE Feed Service (Online/Offline).
Profiler Policy: If CDP:Platform Name = Cisco IP Phone = true, then Cisco-IP-Phone.
Authorization Policy: If Endpoint ID Group = Cisco-IP-Phone = true, then Voice VLAN.
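The profiler rule and authorization rule on this slide, the authorization results from the "Authorization Options" slide, and the Easy Connect flow (MAB gives limited access, a later passive identity triggers a CoA to full access) are all instances of one mechanism: ordered first-match policy over session context, re-evaluated when context changes. The Python below is an added example, not ISE's own engine or code from the deck; it models that evaluation. Rule names, the ACL text, VLAN 3/4 and the Cisco-IP-Phone profile come from the slides; VLAN 10 for voice, the SGT numbers, the `LIMITED-ACCESS-DACL` name and the "Printer" profiler rule are constructed.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# Attributes ISE holds for one session; field values in tests are constructed.
@dataclass(frozen=True)
class Session:
    mac: str
    auth_method: str                  # "802.1X", "MAB" or "WebAuth"
    user: Optional[str] = None        # identity learned actively or passively
    ad_groups: frozenset = frozenset()
    cdp_platform: str = ""            # Device Sensor CDP data
    endpoint_group: str = "Unknown"   # filled in by the profiler


@dataclass(frozen=True)
class Authz:
    rule: str
    accept: bool
    dacl: Optional[str] = None
    vlan: Optional[int] = None
    sgt: Optional[int] = None

    def __post_init__(self):
        # SGTs are 16-bit values; refuse a result that cannot be encoded.
        if self.sgt is not None and not 0 <= self.sgt <= 0xFFFF:
            raise ValueError("SGT must fit in 16 bits")


Rule = Tuple[Callable[[Session], bool], object]

# Profiler policy: the first matching condition assigns the endpoint ID group.
PROFILER_POLICY: List[Rule] = [
    (lambda s: s.cdp_platform == "Cisco IP Phone", "Cisco-IP-Phone"),
    (lambda s: s.cdp_platform.startswith("HP"), "Printer"),   # constructed rule
]

# Authorization policy: ordered, first match wins, default result is reject.
AUTHZ_POLICY: List[Rule] = [
    (lambda s: s.endpoint_group == "Cisco-IP-Phone",
     Authz("Voice", True, vlan=10, sgt=2)),
    (lambda s: s.user is not None and "Employees" in s.ad_groups,
     Authz("Employee", True, dacl="permit ip any any", vlan=3, sgt=4)),
    (lambda s: s.user is not None and "Contractors" in s.ad_groups,
     Authz("Contractor", True, dacl="deny ip host <critical>\npermit ip any any", sgt=5)),
    (lambda s: s.auth_method == "WebAuth" and s.user is not None,
     Authz("Guest", True, vlan=4, sgt=6)),
    # Easy Connect: MAB with no identity yet is limited access, not a reject.
    (lambda s: s.auth_method == "MAB" and s.user is None,
     Authz("Limited", True, dacl="LIMITED-ACCESS-DACL")),
]
DEFAULT_DENY = Authz("Default-Deny", False)


def profile(session: Session) -> Session:
    """Run the profiler policy; unknown endpoints keep the 'Unknown' group."""
    for cond, group in PROFILER_POLICY:
        if cond(session):
            return replace(session, endpoint_group=group)
    return session


def authorize(session: Session) -> Authz:
    """Profile first, then return the first matching authorization result."""
    session = profile(session)
    for cond, result in AUTHZ_POLICY:
        if cond(session):
            return result
    return DEFAULT_DENY


def reevaluate(session: Session, current: Authz, **learned):
    """Fold newly learned context (e.g. a passive AD login) into the session and
    report whether a CoA is needed: it is whenever the first-match result changes."""
    updated = replace(session, **learned)
    new = authorize(updated)
    return updated, new, new != current
```

Two properties are worth checking in any real policy set the same way the test does here: a session that matches no rule must fall through to deny rather than to the last permissive rule, and the voice rule must precede the limited-access rule, or a phone authenticating by MAB with no user would be stuck in limited access.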

ISE Access Control Solution Overview
Authentication methods: Native supplicants / Cisco AnyConnect; SAML IdPs (Single Sign-On); certificate-based auth; passwords / tokens.
Scale: 500,000 concurrent sessions; up to 100K network devices; 300K internal users; up to 50 distinct AD domains supported.
External identity stores: Active Directory; LDAP servers; SQL Server (LDAP / SQL); certificate authorities (SCEP / CRL); built-in CA; APIs.
Identity sources: PASSIVE IDENTITY (Easy Connect); ACTIVE IDENTITY (MAC Authentication Bypass, IEEE 802.1X, Web Authentication: Central WebAuth, Local WebAuth).
Authorization options: Downloadable / Named ACL; Airespace ACL; VLAN assignment; Security Group Tags; URL redirection; port configuration (ASP macro / interface template). ASP: Auto Smart Port.

What have we achieved?

The wired network
ISE is profiling all staff ports on my network;
Rich endpoint context;
Compliance that all devices attaching into the staff VLAN are CIT assets;
Better network troubleshooting.

Rich Endpoint Context
AD, SNMP, DHCP, RADIUS probes.

Better Network Troubleshooting

Melbourn1#sh authentication sessions interface gi3/9 detail
            Interface:  GigabitEthernet3/9
          MAC Address:  14b3.1f13.275e
         IPv6 Address:  Unknown
         IPv4 Address:  157.190.153.89
            User-Name:  CIT\toks.lapite
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
       Current Policy:  POLICY_Gi3/9
           Vlan Group:  Vlan: 120
              ACS ACL:  xacsaclx-ip-staffconnect_permitall
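The session detail above is also the raw material for the compliance goal stated two slides earlier (only CIT assets in the staff VLAN): parse the fields and compare them with an asset inventory. The Python below is an added example, not tooling from the deck or from Cisco. `SAMPLE_OUTPUT` is constructed from the values shown on the slide; the staff VLAN number and the asset inventory passed to `audit_session` are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the slide's "show authentication sessions
# interface gi3/9 detail" output. Raw string: the backslash in the user name
# must not become a tab.
SAMPLE_OUTPUT = r"""
Melbourn1#sh authentication sessions interface gi3/9 detail
            Interface:  GigabitEthernet3/9
          MAC Address:  14b3.1f13.275e
         IPv6 Address:  Unknown
         IPv4 Address:  157.190.153.89
            User-Name:  CIT\toks.lapite
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
       Current Policy:  POLICY_Gi3/9
           Vlan Group:  Vlan: 120
              ACS ACL:  xacsaclx-ip-staffconnect_permitall
"""

# "Key:  Value" lines. The non-greedy key stops at the first colon, so the
# "Vlan Group:  Vlan: 120" line keeps "Vlan: 120" as its value; the prompt
# line contains '#' and never matches.
KV_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /\-]*?):\s*(.*?)\s*$")


def parse_session_detail(text: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def session_vlan(fields: Dict[str, str]) -> Optional[int]:
    """Extract the numeric VLAN from the 'Vlan Group:  Vlan: N' field."""
    m = re.search(r"Vlan:\s*(\d+)", fields.get("Vlan Group", ""))
    return int(m.group(1)) if m else None


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (14b3.1f13.275e), dashed or colon forms; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_session(fields: Dict[str, str], staff_vlan: int, managed_assets) -> List[str]:
    """Findings for one session against the goal that only authorized, managed
    (CIT asset) devices sit in the staff VLAN. Empty list means compliant."""
    findings = []
    status = fields.get("Status")
    if status != "Authorized":
        findings.append(f"status is {status!r}, not Authorized")
    if session_vlan(fields) == staff_vlan:
        raw_mac = fields.get("MAC Address")
        if raw_mac is None:
            findings.append("session in staff VLAN has no MAC address")
        elif normalize_mac(raw_mac) not in managed_assets:
            findings.append(f"{normalize_mac(raw_mac)} is in staff VLAN {staff_vlan} "
                            "but is not a managed asset")
        if not fields.get("ACS ACL"):
            findings.append("no downloadable ACL applied to staff session")
    if fields.get("Domain") not in ("DATA", "VOICE"):
        findings.append(f"unexpected domain {fields.get('Domain')!r}")
    return findings
```

Run across the output of the same command for every staff port (or fed from a RADIUS accounting export), `audit_session` turns the troubleshooting view into a repeatable check: a session that is Authorized but carries an unexpected MAC in VLAN 120, or one with no DACL applied, is a finding rather than something spotted by eye.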

The wireless network
Guest wireless (self-service or managed portal);
Single user identity, multiple devices (3 max);
Conference identity.

What next?

Coming soon to a network near me
Currently eduroam for staff and students, with no differentiated access. However, staff want more access when on wireless, the same access they have on wired (20% of our staff never touch the wired network, and increasing);
Profile all wired ports on the network;
Possibly all ports will be managed dynamically based on identity;
Use ISE in conjunction with Software-Defined Access (SDA) to implement: Security Group Tagging for enhanced authorised network access; VXLANs;
Compliance: managed staff and student devices must have certain software before network access, e.g. Malwarebytes.

Software-Defined Access: Networking at the speed of software!
Policy, DNA Center, Automation, Analytics.
Identity-based Policy & Segmentation: security policy definition decoupled from VLAN and IP address.
Automated Network Fabric: single fabric for wired & wireless with workflow-based automation.
SDA-Extension: IoT network.
User Mobility: policy stays with the user (Employee).
Network Insights & Telemetry: analytics and insights into user and application behavior.

Single User Access Policy Across LAN, WAN, DC, and Cloud
User to Data Center Access Control; Campus and Branch Segmentation; User to Cloud Segmentation.

Segmentation Policy Analytics
How do you learn how to segment your network?
Discover current groups and policies by interacting with existing data sources.
Model a non-invasive pilot of candidate groups and policies against a data lake of network activity.
Submit potential groups and policies into enforcement infrastructure (e.g. ISE).
Visibility into policy usage in real time, to prove policies are working.

Building your network capabilities is a journey
Outcomes along the way: Guest, Wireless Access; Identity-based Services; Network and Asset Visibility; Policy Monitoring; Device Management, IoT, BYOD; Automated Segmentation; SDA Access; Rapid Threat Containment.

Thank you
Aidan McDonald (aidan.mcdonald@cit.ie)
Brian O'Donoghue (bodonogh@cisco.com)