K.I.T.T. Know ISE Through Training

Transcription:

Take the Hassle out of your ISE deployment! K.I.T.T. Know ISE Through Training. BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment. 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public.

Deploying ISE in a Dynamic Public Environment. Clark Gambrel, CCIE #18179, Technical Leader, Engineering, Security Business Group. BRKSEC-2059

Introduction

Clark Gambrel, CCIE #18179, Technical Leader, Engineering, Security Business Group. cgambrel@cisco.com, @ClarkGambrel

Kentucky (photo slides; captions: "Here", "Kentucky is known for")

Agenda
- Introduction
- Public environments: why are they so challenging?
- Advice: words to live by in any environment (Best Practice!)
- Education: what we have learned
- Hospitals/Medical: protecting the heart of your network
- Public Transportation: tips for the thrifty traveler
- Conclusion

Please Fill Out The Survey!

Cisco ISE & TrustSec Sessions: Building Blocks
- BRKSEC-3699 Designing ISE for Scale & High Availability (Thurs 8:00 am)
- BRKCOC-2015 Cisco IT's Assured Network Access: (ISE) Deployment and Best Practices (Thurs 10:30 am)
- BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Wed 8:00 am, Thurs 8:00 am)
- BRKSEC-2045 Mobile Devices and BYOD Security - Deployment and Best Practices (Mon 4:00 pm, Tue 4:00 pm)
- PSOSEC-2009 ISE 2.0 & 2.1 Features (Tue 12:30 pm, Wed 10:30 am)
- BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec (Mon 1:30 pm, Wed 8:00 am)
- BRKSEC-2059 Deploying ISE in a Dynamic Public Environment (Thurs 8:00 am)
- BRKCRS-1449 Enabling Security Everywhere on Enterprise Networks (Mon 4:00 pm)
- BRKCRS-2893 Choice of Segmentation and Group-based Policies (Thurs 8:00 am)
- BRKSEC-2203 Deploying TrustSec Security Group Tagging (Tue 1:30 pm)
- BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (Wed 1:30 pm)
- BRKSEC-2026 Building Network Security Policy: Through Data Intelligence (Thurs 1:00 pm)

Public environments, Why are they so challenging?

Public environments, why are they so challenging?
- On average each person carries 2.9 devices
- Each year new devices are introduced
- Devices add new technology enhancements, e.g. TLS versions, mini browsers
- Device behavior differs from one OS version to the next

Public environments, why are they so challenging? (continued)
- Devices are mostly unmanaged
- End users have different levels of knowledge when it comes to configuring their own devices ("Where's the ANY key?")
- Users expect a simple experience, similar to home use
- Lots of configuration parameters on ISE and the Wireless Controller; which are correct?

Advice Words to live by in any environment (Best Practice)

Advice: Timers

Advice: Timers - WLC: RADIUS
- The default timer value of 2 seconds is too short
- During busy times, authentication latency may increase and exceed the default value
- Use a best-practice value between 5-10 seconds, typically
- Use timers appropriate to the environment (tune for your environment)
- Some remote/cloud-based RADIUS servers may have higher authentication latency and require some tweaking.

Advice: Timers - WLC: RADIUS (continued)
- If timers are set too long, the client might restart its session and the retries from the RADIUS server will be dropped
- Avoid unnecessary RADIUS server flaps with timers that are too short
- RADIUS flapping can have some major impacts on an ISE deployment (diagram: WLC failing over between PSN1 and PSN2)

Advice: Timers - RADIUS: typically 5-10 seconds; usually matches the Auth server timeout value.

Advice: Timers - WLC: RADIUS (continued)
Make sure that Aggressive Failover is disabled in the command line of the WLC. This can have a big impact on ISE and wireless auths in general:
(Cisco Controller) >config radius aggressive-failover disable

Advice: Timers - WLANs
- Increase Session Timeout to 2+ hours (7200+ sec), if enabled (recommended). This can also be sent as a RADIUS attribute from ISE under the AuthZ Profile.
- Increase Client Exclusion to 180+ seconds (3+ mins).
- For 802.1X SSIDs, increase Client Idle Timeout to 1 hour (3600 sec). For Guest/Hotspot SSIDs, leave this low (300 sec) to free up resources (HTTP redirect sessions) for clients that have disconnected.

Advice: Timers - WLANs: Interim Update
- WLC 7.6: recommended setting Disabled. Behavior: only send an update on IP address change. This ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates; Device Sensor updates are not impacted.
- WLC 8.0: recommended setting Enabled with Interval set to 0. Behavior: only send an update on IP address change. Device Sensor updates are not impacted, and settings are mapped correctly on upgrades.
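The timer advice above is easy to drift away from, so here is an added example (not from the session or from Cisco) that lints a controller's timer settings against the deck's recommended values; the WlcSettings/WlanSettings field names are a constructed summary of controller state, not WLC CLI syntax.

```python
"""Lint WLC/ISE timer settings against the values recommended in BRKSEC-2059.

Added example, not from the original deck. The dataclass fields are assumed names for a
controller's state; the thresholds (5-10 s RADIUS timeout, 7200 s session timeout,
180 s client exclusion, 3600 s / 300 s idle timeout, interim-update behaviour per WLC
release, aggressive failover off) are the ones the slides give.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class WlanSettings:
    name: str
    kind: str                 # "dot1x" or "guest" (hotspot / web-auth SSID)
    session_timeout: int      # seconds, 0 means the WLAN session timeout is disabled
    client_exclusion: int     # seconds a misbehaving client stays excluded
    idle_timeout: int         # client idle timeout in seconds


@dataclass
class WlcSettings:
    version: str              # AireOS release, e.g. "7.6" or "8.0"
    radius_timeout: int       # per-server RADIUS timeout on the WLC, seconds
    auth_server_timeout: int  # auth server timeout on the ISE side, seconds
    aggressive_failover: bool
    interim_update: bool      # RADIUS accounting interim updates enabled
    interim_interval: int     # interim interval in seconds (0 = on IP change only)
    wlans: List[WlanSettings] = field(default_factory=list)


def check_timers(cfg: WlcSettings) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the config follows the advice."""
    findings = []
    if not 5 <= cfg.radius_timeout <= 10:
        findings.append(("RADIUS_TIMEOUT",
                         f"RADIUS timeout {cfg.radius_timeout}s is outside 5-10s; the 2s "
                         "default flaps servers when authentication latency rises"))
    if cfg.radius_timeout != cfg.auth_server_timeout:
        findings.append(("TIMEOUT_MISMATCH",
                         "WLC RADIUS timeout should usually match the auth server timeout"))
    if cfg.aggressive_failover:
        findings.append(("AGGRESSIVE_FAILOVER",
                         "disable with: config radius aggressive-failover disable"))

    major_minor = tuple(int(p) for p in cfg.version.split(".")[:2])
    if major_minor < (8, 0):
        # WLC 7.6: interim updates off; IP-change updates still arrive
        if cfg.interim_update:
            findings.append(("INTERIM_UPDATE", "WLC 7.6: disable interim updates"))
    elif not (cfg.interim_update and cfg.interim_interval == 0):
        findings.append(("INTERIM_UPDATE",
                         "WLC 8.0+: enable interim updates with interval 0 (IP change only)"))

    for w in cfg.wlans:
        if w.session_timeout and w.session_timeout < 7200:
            findings.append((f"{w.name}:SESSION_TIMEOUT",
                             "session timeout is enabled but below 7200s (2 hours)"))
        if w.client_exclusion < 180:
            findings.append((f"{w.name}:CLIENT_EXCLUSION", "client exclusion below 180s"))
        if w.kind == "dot1x" and w.idle_timeout < 3600:
            findings.append((f"{w.name}:IDLE_TIMEOUT", "802.1X SSID idle timeout below 3600s"))
        if w.kind == "guest" and w.idle_timeout > 300:
            findings.append((f"{w.name}:IDLE_TIMEOUT",
                             "guest SSID idle timeout above 300s ties up redirect sessions"))
    return findings


# Constructed "before" configuration: the kind of defaults the deck warns about.
DEFAULT_STYLE = WlcSettings(
    version="8.0", radius_timeout=2, auth_server_timeout=5, aggressive_failover=True,
    interim_update=False, interim_interval=0,
    wlans=[WlanSettings("corp-dot1x", "dot1x", 1800, 60, 300),
           WlanSettings("guest-hotspot", "guest", 1800, 60, 3600)])

# Constructed "after" configuration following the session's advice.
TUNED = WlcSettings(
    version="8.0", radius_timeout=5, auth_server_timeout=5, aggressive_failover=False,
    interim_update=True, interim_interval=0,
    wlans=[WlanSettings("corp-dot1x", "dot1x", 7200, 180, 3600),
           WlanSettings("guest-hotspot", "guest", 7200, 180, 300)])

if __name__ == "__main__":
    for label, cfg in (("defaults", DEFAULT_STYLE), ("tuned", TUNED)):
        print(f"{label}: {len(check_timers(cfg))} finding(s)")
        for code, msg in check_timers(cfg):
            print(f"  {code}: {msg}")
```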

Advice: VM Resource Reservations
To be successful (and supported), ISE VMs must be built with dedicated resources that are equivalent to the hardware appliance. Specifications are listed in the ISE 1.3+ and ISE 2.0.1+ Installation Guides. In 1.3 we added OVA templates for deploying SNS-3415 and SNS-3495 equivalent hardware; that has been expanded to include the SNS-3515 and SNS-3595 platforms as well. It is highly recommended that you use these templates!

Advice: VM Resource Reservations (continued)
Admin and MnT nodes rely heavily on disk usage (reads/writes). Deploying ISE in VMware environments where shared disk storage is utilized may not give like-for-like disk performance when compared to physical appliances. Increasing the number of disk shares that a node is allocated can in most cases increase the performance of the node. (Before & after chart and graph of disk performance.)

Advice: Avoid Meltdowns - ISE Settings
- Make sure that you have Anomalous Suppression Detection enabled: suppress misbehaving clients as well as repeated successful authentications (Administration > Settings > Protocols > Radius)
- Only use the profiling probes/information that you need; don't have information overload. Avoid probes that use SPAN. Start with RADIUS only first. Use device sensors in the network access device (Administration > Deployment > Profiling)
- Enable the EndPoint Attribute Filter (Administration > Settings > Profiling)
- Avoid RADIUS flapping

Advice: Bugs!!!

Advice: Bugs
CSCuu68490 - duplicate radius-acct update message sent while roaming. If RADIUS NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets. These packets are unique (different RADIUS IDs) but contain the same information (capture: same data, different ID, 47 ms apart). Currently resolved in 8.1.131.0+ and 8.2.100.0+ WLC code versions, and 8.0 MR3+.
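An added detection example (not from the deck or from Cisco) for the CSCuu68490 symptom: two Interim-Updates for the same accounting session with different RADIUS IDs, identical attributes and only a few tens of milliseconds between them. SAMPLE_LOG is a constructed, simplified record format (time in ms, packet id, attribute=value pairs), not real WLC or ISE output.

```python
"""Find and drop duplicate RADIUS accounting updates of the kind CSCuu68490 produces.

Added example, not from the original deck. SAMPLE_LOG is a constructed export format;
the 47 ms gap mirrors the capture shown in the session.
"""
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
1000 id=17 Acct-Status-Type=Interim-Update Acct-Session-Id=5a1b2c3d/aa:bb:cc:dd:ee:01/42 Calling-Station-Id=aa:bb:cc:dd:ee:01 Framed-IP-Address=10.1.2.3 NAS-IP-Address=192.0.2.10
1047 id=18 Acct-Status-Type=Interim-Update Acct-Session-Id=5a1b2c3d/aa:bb:cc:dd:ee:01/42 Calling-Station-Id=aa:bb:cc:dd:ee:01 Framed-IP-Address=10.1.2.3 NAS-IP-Address=192.0.2.10
1500 id=19 Acct-Status-Type=Interim-Update Acct-Session-Id=5a1b2c3d/aa:bb:cc:dd:ee:02/43 Calling-Station-Id=aa:bb:cc:dd:ee:02 Framed-IP-Address=10.1.2.9 NAS-IP-Address=192.0.2.10
4000 id=20 Acct-Status-Type=Interim-Update Acct-Session-Id=5a1b2c3d/aa:bb:cc:dd:ee:01/42 Calling-Station-Id=aa:bb:cc:dd:ee:01 Framed-IP-Address=10.1.2.3 NAS-IP-Address=192.0.2.10
5000 id=21 Acct-Status-Type=Interim-Update Acct-Session-Id=5a1b2c3d/aa:bb:cc:dd:ee:01/42 Calling-Station-Id=aa:bb:cc:dd:ee:01 Framed-IP-Address=10.1.2.4 NAS-IP-Address=192.0.2.10
"""


def parse_records(text: str) -> List[Dict]:
    """Each non-empty line becomes a dict with 'time' (ms), 'id' (RADIUS packet id) and attributes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        rec: Dict = {"time": int(parts[0])}
        for kv in parts[1:]:
            key, value = kv.split("=", 1)
            rec[key] = value
        rec["id"] = int(rec["id"])
        records.append(rec)
    return records


def _payload(rec: Dict) -> tuple:
    """Everything except arrival time and packet id must be identical for a duplicate."""
    return tuple(sorted((k, v) for k, v in rec.items() if k not in ("time", "id")))


def find_duplicates(records: List[Dict], window_ms: int = 100) -> List[Dict]:
    """Pairs of Interim-Updates for one session, different ids, same attributes, within window_ms.

    A periodic interim update seconds later with the same content is normal and is not
    reported; only the near-simultaneous copy sent on roam is.
    """
    last_by_session: Dict[str, Dict] = {}
    dups = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec.get("Acct-Status-Type") != "Interim-Update":
            continue
        sid = rec["Acct-Session-Id"]
        prev = last_by_session.get(sid)
        if (prev is not None and rec["id"] != prev["id"]
                and rec["time"] - prev["time"] <= window_ms
                and _payload(rec) == _payload(prev)):
            dups.append({"session": sid, "nas": rec["NAS-IP-Address"],
                         "ids": (prev["id"], rec["id"]),
                         "delta_ms": rec["time"] - prev["time"]})
        last_by_session[sid] = rec
    return dups


def deduplicate(records: List[Dict], window_ms: int = 100) -> List[Dict]:
    """Drop the second copy of each duplicate so a consumer processes one update per roam.

    The RADIUS id is only 8 bits and wraps, so the drop key includes the NAS address and
    arrival time rather than the id alone.
    """
    drop = set()
    for d in find_duplicates(records, window_ms):
        drop.add((d["nas"], d["ids"][1]))
    return [r for r in records if (r["NAS-IP-Address"], r["id"]) not in drop]


def affected_nas(records: List[Dict], window_ms: int = 100) -> Dict[str, int]:
    """Count duplicates per NAS: the controllers worth checking against the fixed code versions."""
    counts: Dict[str, int] = defaultdict(int)
    for d in find_duplicates(records, window_ms):
        counts[d["nas"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for d in find_duplicates(recs):
        print(f"duplicate from {d['nas']}: ids {d['ids']} {d['delta_ms']} ms apart, session {d['session']}")
    print(f"{len(recs)} records, {len(deduplicate(recs))} after dedupe")
```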

Advice: Bugs
CSCuz76370 - Purging of EPs' dependency is on Oracle to determine EP owner.

Inter-Node Communications - RADIUS flapping can be a real mess!
- MnT/profiling sync leverages JGroup channels
- All replication outside the node group must traverse the PAN, including ownership changes!
- If the local JGroup fails, nodes fall back to the Global JGroup communication channel.
Diagram: MnT, PAN and WLC; PSN1, PSN2 and PSN3 in Node Group A (JGroup A); PSN4, PSN5 and PSN6 in Node Group B (JGroup B); the WLC reaches the PSNs over L2 or L3. PSN5 says "I own this MAC address"; PSN3 says "Ok, PSN5 owns this MAC address".

Inter-Node Communications - RADIUS flapping can be a real mess! (continued)
Ok, now RADIUS flapping occurs. This could be due to timeouts received by the WLC or due to the RADIUS NAC accounting bug. This will also happen if a PSN receives profiling information for an endpoint that it doesn't own. Now PSN3 says "I own this MAC address" and PSN5 says "Ok, PSN3 owns this MAC address"; the ownership change is replicated through the PAN.

Avoid RADIUS Flapping: USE BEST PRACTICE!!!

Education What we have learned

Education: High Authentication Latency - eduroam
eduroam allows users from participating organizations to use their local credentials while visiting other eduroam locations to access the internet. eduroam is a cloud-based RADIUS proxy: it acts as a federation point between education/research entities and their RADIUS servers. eduroam's RADIUS proxy is accessed via the internet.
(Diagram: user jsmith@usau.edu authenticates with username jsmith@usau.edu; the RADIUS Accept comes back through the eduroam proxy. High latency?)

Education: High Authentication Latency - eduroam (continued)
Due to the high authentication latency sometimes associated with cloud-based RADIUS servers, it may be necessary to adjust your RADIUS timers. If using a load balancer, create a separate VIP for eduroam (it can contain the same PSNs). If there is no load balancer, dedicate PSNs for eduroam (or other high-latency SSIDs), if possible.

Education: Students Converge at Lunch - High Density
Students' roaming patterns, especially during meal times and events, can cause an increased load on your wireless and ISE infrastructure. Make sure that you have enough wireless density to handle this converged access. Distribute the load across multiple PSNs to avoid overwhelming a single server.

Education: Users with Multiple Devices - the PEAP problem (a good reason to use EAP-TLS)
Students carry multiple devices. PEAP-MSCHAPv2 as the 802.1X authentication method may cause AD lockouts if the password is not changed on all devices. Locked accounts generate help desk calls. A single device with an old password may cause repeated AD lockouts.

Hospitals/Medical Protecting the heart of your network

Hospital: Medical Devices - Securing and Profiling
- Most medical devices don't support 802.1X
- Encrypt! To protect patient data, use WPA2-PSK with MAC Filtering and Profiling
- Use unique attributes to profile your medical devices. Typical attributes that work well for medical devices are dhcp-class-identifier, dhcp-parameter-request-list and host-name

Hospital: Beware of Profiling Changes - causes for change
- OUI information changes and Device Feed Service updates (example: "Zebra Technologies Completes Acquisition of Motorola Solutions' Enterprise Business", press release, 2014 ZIH Corp; the OUI vendor shown before and after the acquisition differs)
- Device OS/firmware updates
- Spoofed MAC addresses with new or different profiling attributes

Hospital: Beware of Profiling Changes - Alternate Policy Match with Alarms
It is possible to build a fallback policy below your original policy that relies on a static MAC whitelist (no profiling). This policy would catch any device that was in the configured whitelist and allow network access, simple right? You can then add an alarm to send an email whenever a device matches that policy. Currently we can enable this for a single policy only.
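The profile-then-fallback logic just described, as an added example (not from the deck and not how ISE evaluates policy internally): a profile match on the three DHCP attributes the slides name plus the vendor the OUI feed returns, a static MAC whitelist as the fallback rule that raises an alarm on every hit, and default deny. Profiles, OUIs, MACs, attribute values and the feed contents are all constructed.

```python
"""Profile medical devices on DHCP attributes; fall back to a static MAC whitelist with an alarm.

Added example, not from the original deck. Attribute names follow the slides
(dhcp-class-identifier, dhcp-parameter-request-list, host-name); all values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Profile:
    name: str
    vendor: str                      # vendor name expected from the OUI / device feed lookup
    dhcp_class_identifier: str
    dhcp_parameter_request_list: str
    host_name_prefix: str


@dataclass
class Decision:
    mac: str
    access: str                      # "permit" or "deny"
    rule: str                        # which policy line matched
    alarm: Optional[str] = None      # set when the fallback rule matched


# Constructed profile for a fictional infusion pump family.
PROFILES = [Profile("Infusion-Pump", "Motorola Solutions", "PUMP-OS/3",
                    "1,3,6,12,15,28,42", "PUMP-")]

# Constructed static whitelist of known pump MACs (the "no profiling" fallback rule).
WHITELIST = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}


def oui(mac: str) -> str:
    return mac.lower()[:8]


def match_profile(mac: str, attrs: Dict[str, str], feed: Dict[str, str]) -> Optional[Profile]:
    """A profile matches only when every attribute agrees, including the feed's vendor name."""
    vendor = feed.get(oui(mac), "")
    for p in PROFILES:
        if (vendor == p.vendor
                and attrs.get("dhcp-class-identifier") == p.dhcp_class_identifier
                and attrs.get("dhcp-parameter-request-list") == p.dhcp_parameter_request_list
                and attrs.get("host-name", "").startswith(p.host_name_prefix)):
            return p
    return None


def authorize(mac: str, attrs: Dict[str, str], feed: Dict[str, str]) -> Decision:
    profile = match_profile(mac, attrs, feed)
    if profile is not None:
        return Decision(mac, "permit", f"profile:{profile.name}")
    if mac.lower() in WHITELIST:
        # Fallback: the device still gets on, but every hit raises an alarm so profile drift
        # (feed update, firmware change, or a whitelisted MAC showing foreign attributes) is looked at.
        return Decision(mac, "permit", "fallback:static-whitelist",
                        alarm=f"{mac} hit the whitelist fallback; attributes={attrs}")
    return Decision(mac, "deny", "default-deny")


# Constructed OUI-to-vendor data: what the feed returned before and after the acquisition.
FEED_BEFORE = {"00:11:22": "Motorola Solutions"}
FEED_AFTER = {"00:11:22": "Zebra Technologies"}

PUMP_ATTRS = {"dhcp-class-identifier": "PUMP-OS/3",
              "dhcp-parameter-request-list": "1,3,6,12,15,28,42",
              "host-name": "PUMP-ICU-07"}
UPGRADED_ATTRS = {**PUMP_ATTRS, "dhcp-class-identifier": "PUMP-OS/4"}   # after a firmware update
LAPTOP_ATTRS = {"dhcp-class-identifier": "MSFT 5.0",
                "dhcp-parameter-request-list": "1,3,6,15,31,33,43,44,46,47,121,249,252",
                "host-name": "LAPTOP-XYZ"}


def run_scenarios() -> List[Decision]:
    return [
        authorize("00:11:22:aa:bb:01", PUMP_ATTRS, FEED_BEFORE),      # profiled normally
        authorize("00:11:22:aa:bb:01", PUMP_ATTRS, FEED_AFTER),       # feed update broke the profile
        authorize("00:11:22:aa:bb:02", UPGRADED_ATTRS, FEED_BEFORE),  # firmware changed attributes
        authorize("00:11:22:aa:bb:02", LAPTOP_ATTRS, FEED_BEFORE),    # whitelisted MAC, non-pump attributes
        authorize("00:11:22:aa:bb:99", PUMP_ATTRS, FEED_BEFORE),      # unlisted pump, profiled anyway
        authorize("00:99:99:aa:bb:01", LAPTOP_ATTRS, FEED_BEFORE),    # unknown device, no match at all
    ]


if __name__ == "__main__":
    for d in run_scenarios():
        print(f"{d.mac} {d.access:6} {d.rule}" + (f"  ALARM: {d.alarm}" if d.alarm else ""))
```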

Hospital: Paging Dr. Ihateloggingin - suggestions for a better user experience
Doctors by nature are usually very busy, and the last thing they want to do is spend time logging into a web portal or changing a PEAP password. Use EAP-TLS. A better option, if available, would be to use EAP-TLS and CWA chaining to a Single Sign-On (SSO) server. This would allow the end user to leverage the SSO token for other portals as well. Add an AUP check rule to stay logged in.

Hospital: Nurse Carts/IP Phones - advice on corporate devices
Nurses typically use rolling computer carts for charting patient information. To ensure continuous connections for these devices, survey your wireless for voice applications. For ease of use and manageability, use Active Directory Group Policy Objects (GPO) to manage the supplicants and certificates of AD-joined devices.

Hospital: Medical NAC - profiles custom built for medical devices
- Secure-access options for healthcare-specific devices
- Identification and classification of healthcare-specific devices (250+ devices)
- Profiling methods and best practices
- Segmentation of medical devices
Thanks Craig!

Public Transportation Tips for the thrifty traveler

Airport: Hotspot setup with custom redirect - using AP groups/names
- You can use ISE to target advertising to your clients
- AP groups/names, or some unique RADIUS attributes returned from the WLC during authentication, can be used as location
- Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user
- Create unique portal pages for each area. Advertisements can be built into the portal page or referenced from an external server.

Airport: Hotspot setup with custom redirect - using MSE and ISE 2.0
New to ISE 2.0, you can now leverage Mobility Services Engine (MSE) for physical location tracking. Location information returned from the MSE can be used in the Authorization rule for directing clients to the portal serving their location.

Soapbox: Buy Public Certificates. Stop teaching users to accept Man-in-the-middle attacks!

Conclusion

Conclusion - Review
- Public environments can be challenging
- Avoid ISE meltdowns
- Keep up to date with versions and patches; be aware of software defects that might affect your environment
- Use the advice in this guide to solve challenges in your environment
- Use Real Best Practice to ensure that you have a successful deployment

Public ISE Community: http://cs.co/ise-community. Monitored and responded to by the TMEs on my team. Ask questions there and get answers from Cisco experts & partners.

Security Joins the Customer Connection Program
- Customer User Group Program, 19,000+ members strong
- Who can join: Cisco customers, service providers, solution partners and training partners
- Private online community to connect with peers & Cisco's Security product teams
- Monthly technical & roadmap briefings via WebEx
- Opportunities to influence product direction
- Join in the World of Solutions, Security zone, Customer Connection stand: learn about CCP and join; new member thank-you gift* and Customer Connection Member badge ribbon when you join in the Cisco Security booth
- Local in-person meet ups starting Fall 2016
- Other CCP tracks: Collaboration & Enterprise Networks
- Join online: www.cisco.com/go/ccp
* While supplies last

Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions

Thank you