Identity Based Network Access
Agenda
- What are my issues
- Cisco ISE Power training
- What have I achieved
- What do I want to do
What are the issues?
(Slide diagram: the user populations that need network access: Guest, Student, Staff, Contractor.)
ISE has answers for who, what, when, where, how and more.
Cisco Identity Services Engine Power Training
Network Access & Digitization: how do you secure your network with so many unknowns?
All the network sees of an endpoint is IP ADDRESS 192.168.2.101 and MAC ADDRESS 00-05-01-AA-E1-FF; the questions to answer are:
- Who owns that device?
- What device is it?
- Any threats from it?
- Is it vulnerable?
- Where is it located?
- When did it connect?
- How is it connected?
Make fully informed decisions, using ISE, with rich contextual awareness

                Without ISE (poor context)       With ISE (rich context)
  IP ADDRESS    192.168.2.101                    192.168.2.101
  WHO           Unknown                          Bob (Employee)
  WHAT          Unknown                          Apple iPad / iOS 11.0.1
  WHEN          Unknown                          10:30 AM PST
  WHERE         Unknown                          Floor-1, San Jose, Building 19
  HOW           Unknown                          Wireless
  APPS          Unknown                          Firefox, MS Word, AnyConnect
  SPEC          Unknown                          Serial number, CPU, memory
  RESULT        Access to any device/user???     Authorized network access
ISE Use Cases
- Visibility: who and what is on your network, shared with other security tools (e.g. StealthWatch) for better threat and behavioral clarity.
- Next Gen Access Control: control access to the network and resources based on context, for more accurate access policy options and enforcement.
- TrustSec Software-Defined Segmentation: easily create segments on the network and NGFW to increase protection and reduce malware proliferation.
- Guest Access.
- Simplified Firewall Rule Management with TrustSec: the number and complexity of firewall rules can be reduced by up to 80%, which reduces errors and costs.
- DEFCON Policy Enforcement: when there is a security outbreak, customers have one button to push to activate different policies network-wide using software-defined segmentation.
- Always-on Policy Compliance: assurance that your network, devices and their behaviors comply with company and regulatory requirements.
- Rapid Threat Containment: stop threats anywhere in the network from one console.
- Ecosystem Integration: one framework to integrate different security products, share intel, see threats faster and take action from the customer's preferred product, such as FMC or Splunk.
Authentication and Authorizations
(Slide diagram: an EMPLOYEE and a CONTRACTOR reach PROTECTED SERVERS, SHARED SERVICES and the PUBLIC NETWORK through network access control.)
- Authentication: "Who are you?" Proven with certificates or passwords (e.g. alice / *****).
- Authorization: "What can you do?"
Active versus Passive Identity
- Passive Identity: IP-to-user mapping obtained by passive means such as AD WMI events, AD agents, syslog, SPAN sessions and more. In the slide diagram, DOMAIN\Jim logs in to AD and ISE learns "Jim logged in" from the domain controller.
- Active Identity: IP-to-user mapping obtained by active interaction between ISE and the client via 802.1X, web authentication, remote-access VPN, etc. In the diagram, Alice authenticates to Cisco ISE, which checks "Alice?" against AD and gets "Yes".
Authentication Option 1: 802.1X
Overview
- Roles: Endpoint (Supplicant), Network Device (Authenticator), Cisco ISE (Authentication Server), Active Directory (Identity Store).
- Credentials: certificate, password or token.
- EAP runs over 802.1X between the supplicant and the network device, and over RADIUS between the network device and ISE.
- The network device wraps the EAP exchange in a RADIUS ACCESS-REQUEST (Service-Type: Framed), starting with the EAP-RESPONSE/IDENTITY.

Fundamentals of 802.1X
- On success ISE returns a RADIUS ACCESS-ACCEPT (here with the VSA Airespace-ACL = Employee-ACL), the network device relays EAP-SUCCESS to the supplicant, and the port becomes Port-Authorized.
- If authentication fails, the port stays Port-Unauthorized.
- EAP: Extensible Authentication Protocol.
- Supplicant: software running on the client that provides credentials to the authenticator (network device).
Authentication Option 2: MAC Authentication Bypass (MAB)
- Endpoints without a supplicant will fail 802.1X authentication!
- Bypassing known MAC addresses: the network device asks via EAP "What's your ID?"; with no 802.1X response the 802.1X timeout expires and the device falls back to MAB. The next packet from the endpoint supplies its MAC address, which the network device sends to Cisco ISE as the user name (User: 00-10-23-AA-1F-38); ISE replies ACCESS-ACCEPT.
- MAB requires a MAC address database; ISE can build this database dynamically with profiling.
Authentication Type 3: ISE Easy Connect
Identity-based network access without 802.1X.
- The endpoint authenticates to SWITCH-1 by MAB (no 802.1X) and is granted limited access (the slide shows DHCP, NTP, DNS and AD as the reachable services).
- Bob logs in as DOMAIN\bob; the domain controller records "Bob logged in" and ISE retrieves the user ID and the user's AD membership.
- ISE sends a CoA: full access. Unknown endpoints stay at limited access; employees get full access to the enterprise network.
Benefits:
- Immediate value
- Leverages existing infrastructure
- Increased visibility into active network sessions
- Flexible deployment, co-operates with other auth methods
Authentication Type 4: Web Authentication
Local or Central Web Authentication (LWA/CWA). Flow between endpoint, network device and Cisco ISE:
1. The endpoint sends its initial packet (e.g. to Google.com); the network device sends a MAB request to ISE.
2. Initial AuthZ: limited-access ACL plus a URL-Redirect to ISE ("Got your MAC, need your ID").
3. ISE serves the login page; the user enters username and password (alice...).
4. ISE issues a CoA to force re-authentication; the network device sends a new MAB request, which matches the session cache of the previous successful WebAuth.
5. Final AuthZ: full-access ACL.
Change of Authorization (CoA), RFC 5176
- RADIUS CoA is a feature that allows ISE to adjust an active client session: initial access first, then a change in access.
- Requires the endpoint's active session on ISE.
- Automatic or manual initiation of CoA.
- Use cases: Central Web Authentication (CWA), device profiling, posture assessment, Threat-Centric NAC, Adaptive Network Control and more.
Authorization Options
Beyond RADIUS ACCESS-ACCEPT / ACCESS-REJECT:
- DACL or Named ACL: Downloadable ACL (wired) or Named ACL (wired + wireless). Example: Employee: permit ip any any; Contractor: deny ip host <critical>, permit ip any any.
- VLANs: dynamic VLAN assignment, e.g. Employees VLAN 3, Guest VLAN 4.
- Scalable Group Tags (Cisco TrustSec): assigned per port, per domain or per MAC; a 16-bit SGT assignment and SGT-based access control.
- Remediation.
A Typical ISE Authentication and Authorization Policy
- Authentication method
- Where to look for identities
- How to handle auth failures
- Authorization conditions
- End result
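The five policy components above, together with the 802.1X, MAB and CWA flows from the preceding slides, can be modelled as one small rule engine. The code below is an added example, not Cisco ISE code: the identity stores, the MAB database, the rule names, the VLAN/SGT numbers and the portal URL are constructed for illustration, and the RADIUS exchange is reduced to plain dictionaries.

```python
"""Toy model of a typical ISE authentication and authorization policy.

Added example, not Cisco ISE code. The identity stores, the MAB database,
the rule names and the attribute values (VLANs, SGTs, the portal URL) are
constructed; the rule shape follows the slides: pick an authentication
method, look up the identity, decide what an auth failure means, evaluate
authorization conditions top-down, return a result.
"""

# Constructed stand-ins for Active Directory and the guest portal user store.
IDENTITY_STORE = {
    "alice": {"password": "s3cret!", "groups": ["Employees"]},
    "harry": {"password": "c0ntract", "groups": ["Contractors"]},
}
GUEST_STORE = {"bob": "guest-2019"}
# Constructed MAB database; ISE would populate this dynamically via profiling.
KNOWN_MACS = {"00-10-23-AA-1F-38": "Cisco-IP-Phone"}
PORTAL_URL = "https://ise.example.invalid/guestportal"  # placeholder

SESSION_CACHE = {}  # MAC -> session attributes; a CoA re-auth matches against this


def in_group(group):
    return lambda s: group in s.get("groups", [])


# Authorization rules, evaluated top to bottom; first match wins.
# Results mimic the RADIUS attributes on the slides (dACL, VLAN, SGT, URL-Redirect).
AUTHZ_RULES = [
    ("Employee", in_group("Employees"),
     {"Access": "ACCEPT", "dACL": "permit ip any any", "VLAN": 3, "SGT": 10}),
    ("Contractor", in_group("Contractors"),
     {"Access": "ACCEPT", "dACL": "deny ip host <critical>; permit ip any any",
      "VLAN": 3, "SGT": 20}),
    ("IP-Phone", lambda s: s.get("endpoint_group") == "Cisco-IP-Phone",
     {"Access": "ACCEPT", "VLAN": "Voice"}),
    ("Guest-CWA", lambda s: s.get("webauth_ok", False),
     {"Access": "ACCEPT", "dACL": "permit ip any any", "VLAN": 4}),
    # Unknown MAB endpoint: not rejected, but limited access plus a portal redirect.
    ("Unknown-Redirect", lambda s: s.get("auth_method") == "MAB",
     {"Access": "ACCEPT", "dACL": "limited", "URL-Redirect": PORTAL_URL}),
]


def authenticate(request):
    """Choose 802.1X or MAB from the request and validate the identity.

    Returns the session dict, or None when an 802.1X credential check fails
    (the policy's reject action: the port stays unauthorized).
    """
    mac = request["calling_station_id"]
    session = SESSION_CACHE.get(mac, {"mac": mac})
    if "eap_identity" in request:          # supplicant answered EAP-Request/Identity
        session["auth_method"] = "802.1X"
        user = IDENTITY_STORE.get(request["eap_identity"])
        if user is None or user["password"] != request.get("password"):
            return None
        session["user"] = request["eap_identity"]
        session["groups"] = user["groups"]
    else:                                  # no supplicant: MAB, User-Name is the MAC
        session["auth_method"] = "MAB"
        if mac in KNOWN_MACS:
            session["endpoint_group"] = KNOWN_MACS[mac]
        # An unknown MAC is a "continue", not a reject, so CWA can take over.
    SESSION_CACHE[mac] = session
    return session


def authorize(session):
    for name, condition, result in AUTHZ_RULES:
        if condition(session):
            return dict(result, rule=name)
    return {"Access": "REJECT", "rule": "Default"}


def handle_access_request(request):
    """End-to-end: Access-Request attributes in, authorization result out."""
    session = authenticate(request)
    if session is None:
        return {"Access": "REJECT", "rule": "AuthFail"}
    return authorize(session)


def web_login(mac, username, password):
    """Central Web Authentication: a successful portal login marks the session,
    and ISE issues a CoA so the switch re-runs MAB, which now hits the cache."""
    if mac not in SESSION_CACHE or GUEST_STORE.get(username) != password:
        return None
    SESSION_CACHE[mac]["webauth_ok"] = True
    SESSION_CACHE[mac]["user"] = username
    return {"CoA": "reauthenticate", "mac": mac}


if __name__ == "__main__":
    print(handle_access_request({"calling_station_id": "AA-BB-CC-00-00-01",
                                 "eap_identity": "alice", "password": "s3cret!"}))
    print(handle_access_request({"calling_station_id": "00-10-23-AA-1F-38"}))
    guest = {"calling_station_id": "AA-BB-CC-00-00-02"}
    print(handle_access_request(guest))   # limited access + URL-Redirect
    print(web_login(guest["calling_station_id"], "bob", "guest-2019"))
    print(handle_access_request(guest))   # after CoA: Guest-CWA, full access
```

The point to notice is the difference between a failed 802.1X credential check (a reject, port stays unauthorized) and an unknown MAC under MAB (a continue that lands in the limited-access redirect rule); a policy that rejects unknown MACs instead silently breaks the CWA flow.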
Building Identity & Context
Building Context: User (WHO / WHAT / WHEN / WHERE / HOW / POSTURE / APPLICATIONS / VULNERABILITY / THREAT)
Active and passive identity populate the ISE Session Database with who is connected and how:
- Harry (CONTRACTORS) connected via Switch-SJC01
- Bob (GUESTS) connected via AP-SJC03
- Alice (EMPLOYEES) connected via VPN005
Building Context: Device-Type
ISE data collection methods for device profiling:
- Active probes: NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP, AD.
- Device Sensor (DS) on the network device: CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS. Endpoints send the device sensor "interesting data" that reveal their device identity, and the sensor forwards it to Cisco ISE.
- AnyConnect Identity Extensions (ACIDex).
- ISE Feed Service (online/offline) for profile updates.
Profiler policy example: if CDP:Platform Name = "Cisco IP Phone" is true, then the endpoint is placed in the Cisco-IP-Phone identity group.
Authorization policy example: if Endpoint ID Group = Cisco-IP-Phone is true, then assign the Voice VLAN.
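The profiler and authorization rules quoted above can be written out as a small scoring engine. ISE profiler policies attach a certainty factor to each condition and classify an endpoint into an identity group once the summed certainty reaches the policy's minimum certainty factor; the code below is an added example, not Cisco's profiler, and its attribute names (CDP:Platform, HTTP:User-Agent, DHCP:host-name, OUI), the OUI table and the certainty values are constructed for illustration.

```python
"""Toy model of ISE profiler policies driven by probe data.

Added example, not Cisco's code. Attribute names, the OUI table and the
certainty values are constructed; the mechanism (per-condition certainty
summed against a policy minimum) follows how ISE profiler policies work.
"""

OUI_VENDORS = {"00-10-23": "Cisco", "00-05-01": "Apple"}  # constructed OUI table

# (policy name, minimum certainty, [(attribute, operator, value, certainty), ...])
PROFILER_POLICIES = [
    ("Cisco-IP-Phone", 20, [("CDP:Platform", "contains", "Cisco IP Phone", 20),
                            ("OUI", "equals", "Cisco", 10)]),
    ("Apple-iPad", 20, [("OUI", "equals", "Apple", 10),
                        ("HTTP:User-Agent", "contains", "iPad", 10),
                        ("DHCP:host-name", "contains", "iPad", 10)]),
]

# Authorization rule from the slide: endpoint identity group -> VLAN.
GROUP_TO_VLAN = {"Cisco-IP-Phone": "Voice"}


def enrich(endpoint):
    """Derive the OUI vendor from the MAC, as the RADIUS probe lets the profiler do."""
    attrs = dict(endpoint)
    oui = attrs["MAC"].upper().replace(":", "-")[:8]
    attrs["OUI"] = OUI_VENDORS.get(oui, "Unknown")
    return attrs


def condition_matches(attrs, attribute, operator, value):
    actual = attrs.get(attribute)
    if actual is None:          # probe has not delivered this attribute (yet)
        return False
    if operator == "equals":
        return actual == value
    if operator == "contains":
        return value.lower() in actual.lower()
    raise ValueError(f"unknown operator {operator}")


def certainty(attrs, conditions):
    return sum(cf for attribute, op, value, cf in conditions
               if condition_matches(attrs, attribute, op, value))


def profile(endpoint):
    """Return (identity group, certainty); 'Unknown' when no policy reaches its minimum."""
    attrs = enrich(endpoint)
    best = ("Unknown", 0)
    for name, minimum, conditions in PROFILER_POLICIES:
        score = certainty(attrs, conditions)
        if score >= minimum and score > best[1]:
            best = (name, score)
    return best


def authorize_vlan(endpoint):
    group, _ = profile(endpoint)
    return GROUP_TO_VLAN.get(group, "Default")


if __name__ == "__main__":
    phone = {"MAC": "00-10-23-AA-1F-38", "CDP:Platform": "Cisco IP Phone 8845"}
    print(profile(phone), authorize_vlan(phone))
    # Only the OUI is known (no device-sensor data yet): stays Unknown.
    print(profile({"MAC": "00-10-23-00-00-01"}))
```

The second call shows the failure mode a MAB deployment has to plan for: until CDP/LLDP or DHCP data arrives, an endpoint known only by its OUI does not reach the minimum certainty, stays in Unknown, and gets the default VLAN rather than the Voice VLAN.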
ISE Access Control Solution Overview
- Scale: 500,000 concurrent sessions; up to 100K network devices.
- Authentication methods: native supplicants / Cisco AnyConnect; IEEE 802.1X; MAC Authentication Bypass; Easy Connect; Web Authentication (Central WebAuth, Local WebAuth); SAML IdPs for single sign-on; certificate-based auth; passwords / tokens; passive identity and active identity.
- Identity stores and PKI: Active Directory (up to 50 distinct AD domains supported); LDAP servers; SQL Server (LDAP / SQL); certificate authorities via SCEP / CRL; built-in CA; 300K internal users; APIs.
- Authorization options: Downloadable / Named ACL; Airespace ACL; VLAN assignment; Security Group Tags; URL redirection; port configuration (ASP macro / interface template; ASP: Auto Smart Port).
What have we achieved?
The wired network
- ISE is profiling all staff ports on my network;
- Rich endpoint context;
- Compliance: all devices attaching to the staff VLAN are CIT assets;
- Better network troubleshooting.
Rich Endpoint Context
(Screenshot slide.) Context gathered by the AD, SNMP, DHCP and RADIUS probes.
Better Network Troubleshooting
    Melbourn1#sh authentication sessions interface gi3/9 detail
                Interface:  GigabitEthernet3/9
              MAC Address:  14b3.1f13.275e
             IPv6 Address:  Unknown
             IPv4 Address:  157.190.153.89
                User-Name:  CIT\toks.lapite
                   Status:  Authorized
                   Domain:  DATA
           Oper host mode:  multi-auth
           Current Policy:  POLICY_Gi3/9
               Vlan Group:  Vlan: 120
                  ACS ACL:  xacsaclx-ip-staffconnect_permitall
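Reading that output port by port does not scale once every staff port is profiled, so a small parser that turns it into a dictionary and checks it against the intended policy is the natural next step. The code below is an added example, not Cisco tooling or CIT's own scripts: the first sample is the output shown on the slide, the second is a constructed variant of a port whose session did not authorize, and the expected ACL and VLAN passed to check_session() are assumed to be the intended staff-port policy.

```python
"""Parse IOS 'show authentication sessions interface ... detail' output.

Added example, not Cisco tooling. SLIDE_OUTPUT is the output on the slide;
CONSTRUCTED_FAILED is a made-up variant of a port where authorization did
not complete; the expected ACL/VLAN values are assumptions.
"""
import re

SLIDE_OUTPUT = r"""
Melbourn1#sh authentication sessions interface gi3/9 detail
            Interface:  GigabitEthernet3/9
          MAC Address:  14b3.1f13.275e
         IPv6 Address:  Unknown
         IPv4 Address:  157.190.153.89
            User-Name:  CIT\toks.lapite
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
       Current Policy:  POLICY_Gi3/9
           Vlan Group:  Vlan: 120
              ACS ACL:  xacsaclx-ip-staffconnect_permitall
"""

# Constructed: same shape, but the session was a MAB fallback that never got its dACL.
CONSTRUCTED_FAILED = r"""
Melbourn1#sh authentication sessions interface gi3/10 detail
            Interface:  GigabitEthernet3/10
          MAC Address:  0011.2233.4455
         IPv4 Address:  Unknown
            User-Name:  0011.2233.4455
               Status:  Unauthorized
               Domain:  DATA
       Current Policy:  POLICY_Gi3/10
           Vlan Group:  Vlan: 999
"""

# "Key:  value" lines; the prompt/command line has no colon-terminated key and is skipped.
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?):\s*(.*?)\s*$")


def parse_auth_session(text):
    """Turn the key/value lines into a dict; 'Vlan Group:  Vlan: 120' is split in two."""
    session = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Vlan Group" and value.startswith("Vlan:"):
            session["Vlan Group"] = ""
            session["Vlan"] = value.split(":", 1)[1].strip()
        else:
            session[key] = value
    return session


def check_session(session, expected_acl, expected_vlan):
    """Return a list of findings; an empty list means the port matches the intended policy."""
    findings = []
    if session.get("Status") != "Authorized":
        findings.append(f"status is {session.get('Status', 'missing')}, not Authorized")
    if session.get("ACS ACL") != expected_acl:
        findings.append(f"ACS ACL is {session.get('ACS ACL', 'missing')}, expected {expected_acl}")
    if session.get("Vlan") != expected_vlan:
        findings.append(f"VLAN is {session.get('Vlan', 'missing')}, expected {expected_vlan}")
    # A MAB session carries the MAC as User-Name: on a staff port that means no user identity.
    if session.get("User-Name") == session.get("MAC Address"):
        findings.append("session was authenticated by MAB (User-Name is the MAC), not by a user")
    return findings


if __name__ == "__main__":
    ok = parse_auth_session(SLIDE_OUTPUT)
    print(ok["User-Name"], ok["Vlan"], check_session(ok, "xacsaclx-ip-staffconnect_permitall", "120"))
    bad = parse_auth_session(CONSTRUCTED_FAILED)
    for finding in check_session(bad, "xacsaclx-ip-staffconnect_permitall", "120"):
        print("gi3/10:", finding)
```

Run over the output of a per-port loop, check_session() turns troubleshooting into a list of ports that deviate from policy (wrong VLAN, missing dACL, MAB fallback where a user identity was expected) instead of a manual read of each session.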
The wireless network
- Guest wireless (self-service or managed portal);
- Single user identity, multiple devices (3 max);
- Conference identity.
What next?
Coming soon to a network near me
- Currently eduroam for staff and students, with no differentiated access. However, staff want more access when on wireless, the same access they have when wired (20% of our staff never touch the wired network, and that share is increasing);
- Profile all wired ports on the network;
- Possibly all ports will be managed dynamically based on identity;
- Use ISE in conjunction with Software-Defined Access (SDA) to implement Security Group Tagging for enhanced authorised network access, and VXLANs;
- Compliance: managed staff and student devices must have certain software before network access, e.g. Malwarebytes.
Software-Defined Access: networking at the speed of software!
DNA Center provides Policy, Automation and Analytics:
- Identity-based Policy & Segmentation: security policy definition decoupled from VLAN and IP address.
- Automated Network Fabric: a single fabric for wired & wireless with workflow-based automation; SDA-Extension for the IoT network.
- User Mobility: the policy stays with the user (e.g. Employee) wherever they connect.
- Network Insights & Telemetry: analytics and insights into user and application behavior.
Single User Access Policy across LAN, WAN, DC and Cloud
- User to Data Center access control
- Campus and branch segmentation
- User to Cloud segmentation
Segmentation Policy Analytics: how do you learn how to segment your network?
1. Discover current groups and policies by interacting with existing data sources.
2. Model: a non-invasive pilot of candidate groups and policies against a data lake of network activity.
3. Submit potential groups and policies into the enforcement infrastructure (e.g. ISE).
4. Visibility into policy usage in real time, proving the policies are working.
Building your network capabilities is a journey
- Rapid Threat Containment
- SDA access outcome: guest, wireless access; automated segmentation
- Identity-based services: device management, IoT, BYOD
- Network and asset visibility; policy monitoring
Thank you
Aidan McDonald (aidan.mcdonald@cit.ie)
Brian O'Donoghue (bodonogh@cisco.com)