Getting the Most out of your BYOD Investment A Deep Dive of ISE BYOD Policy


Getting the Most out of your BYOD Investment: A Deep Dive of ISE BYOD Policy
Kevin Redmon, System Test Engineer

Agenda
- Introduction
- RADIUS: the Backbone of BYOD
- Testing the Waters: Current BYOD Solution
- The Great Blue Yonder: What Else is Possible with RADIUS
- Diving in to Make it Happen: the Configuration
- Conclusion


Introduction: About me
- 13+ year veteran of Cisco
- BYOD Smart Solution Test Team for 2 years
- From Ohio (Go BUCKEYES!!!), now living in North Carolina (Go Pirates/Wolfpack/Blue Devils/Tarheels!!!)
- Youngest of 12 children, with 9 sisters and 2 brothers
- Married 6 WONDERFUL years to my beautiful wife, Sonya
- A princess of a daughter, Melody, 3 1/2 years old

Introduction: About Cisco's BYOD System Design
- Cisco's BYOD System Design (CVD) version 2.6 was released in March 2014.
- Key updates from 2.5: feature parity between Converged Access and CUWN; 802.11ac Wi-Fi support on the AP3600; location/context enabled via the Mobility Services Engine (MSE); Mobility; AVC and QoS for Jabber collaboration.
- Cisco's Identity Services Engine (ISE) is at the center of the solution.
- The next version of the CVD is due Summer 2014.

Check your gear before diving in
- Before implementing the concepts in this presentation, test them in a controlled environment.
- Certain features and capabilities were released in particular code versions and licenses, and behavior may vary slightly between platforms.
- Tweak the configurations as needed to achieve the desired result (I'm human).
- Ensure that your company's security policy is actually enforced by the BYOD policy you configure.

BYOD Network Overview (topology diagram; components shown):
- Campus: Catalyst 3850, 3750-X, 3650-X or 2960-S Series switches; Cisco Aironet 2600, 3500 and 3600 Series access points; Campus 5500/5760 Series wireless controller(s); campus core; services module; building module.
- Data center: application and file servers, RSA, DNS, DHCP, Prime Infrastructure, CA, AD, ISE, CUCM, Mobility Services Engine.
- Internet edge: Cisco 5508 Series Wireless Controller (guest controller), ASA firewall, Cisco ASR 1000 Series aggregation routers.
- WAN: primary GETVPN tunnel over the SP network, backup DMVPN tunnel over the Internet.
- Branch: Cisco ISR Series routers (primary and backup), Branch Flex 7500 Series wireless controller(s), branch Aironet access points.


RADIUS
RFC 2865 states: "RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user."
Four packet types (RFC 2865): Access-Request, Access-Accept, Access-Reject, Access-Challenge.
RFC 3576: Dynamic Authorization Extensions to RADIUS, i.e. Change of Authorization (CoA) and Disconnect messages initiated by the server. RFC 3576 has since been obsoleted by RFC 5176, which keeps the same packet types.

Identity Services Engine (ISE)
AAA: Authentication (AuthC), Authorization (AuthZ), Accounting.
- AuthC confirms who you (the user of the endpoint) or the endpoint itself are.
- AuthZ determines which network resources you (the user) and/or the endpoint are allowed to access.
- RADIUS is the underlying protocol that carries all of this between the network device and ISE.

Typical BYOD Flow
1. CWA/NSP: the ISE portal authenticates, authorizes and/or registers the endpoint and enrolls it with the Certificate Authority.
2. MDM Enrollment (advanced use case): enroll the endpoint with the MDM.
3. ISE Quarantine (advanced use case): ensure the endpoint adheres to the ISE endpoint policy.
4. MDM Quarantine (advanced use case): ensure the endpoint adheres to the MDM endpoint policy.
5. Final Access Level: every later connection to the network is automatic, authenticated with the certificate and placed at the configured access level.

Endpoint Onboarding (Single SSID); participants: Endpoint, NAS, ISE, CA
1. The endpoint sends its username via PEAP; the NAS forwards it to ISE in a RADIUS Access-Request.
2. ISE answers with an Access-Challenge; several further Access-Request / Access-Challenge round trips carry the PEAP (TLS) exchange.
3. ISE returns an Access-Accept with the provisioning (redirect) authorization.
4. The user opens a web page and the NAS redirects the browser to the ISE NSP portal.
5. The user provides information about the endpoint to ISE.
6. The endpoint submits its public key and X.509 request for SCEP enrollment; ISE acts as SCEP proxy towards the CA and the issued certificate is deployed to the endpoint's certificate store.
7. Endpoint = Registered.

Endpoint Access (BYOD_Employee); participants: Endpoint, NAS, ISE, CA
1. The endpoint authenticates via EAP-TLS: the NAS relays the TLS handshake, including the client certificate issued during onboarding, in a series of RADIUS Access-Request / Access-Challenge exchanges.
2. ISE validates the certificate and checks it against the CA's CRL.
3. Valid certificate: ISE returns an Access-Accept and the user is granted full access.
The CRL check is what makes revocation effective: a certificate revoked for a lost or stolen device is refused at the next connection even though the device still presents it.



Authentication Policy (ISE screenshot)

Authentication Conditions (ISE screenshot)

Authentication Condition: Wireless 802.1X (ISE screenshot)

Authentication Attribute Value Pairs (AVPs) in BYOD: Method of Access

Method of Access | RADIUS attribute | Value
Wired | NAS-Port-Type | Ethernet
Wireless | NAS-Port-Type | Wireless - IEEE 802.11

Example condition as written in the ISE policy: RADIUS:NAS-Port-Type Equals Ethernet

Authentication Attribute Value Pairs (AVPs) in BYOD: Method of Authentication

Method of Authentication | RADIUS attribute | Value
802.1X | Service-Type | Framed
Web Authentication | Service-Type | Login
MAC Authentication Bypass | Service-Type | Call-Check

Example condition as written in the ISE policy: RADIUS:Service-Type Equals Framed
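The two tables above map raw RADIUS attribute values to ISE's authentication conditions. As an added example (not code from this deck, from ISE or from Cisco), the Python below parses a raw Access-Request and derives the same method-of-access and method-of-authentication classification, with the length checks a NAS or server must do before trusting any attribute. The sample packets are constructed for the demo: zeroed authenticators, no EAP-Message, placeholder usernames.

```python
"""Classify a RADIUS Access-Request the way the ISE authentication
conditions do: method of access from NAS-Port-Type (61) and method of
authentication from Service-Type (6).  Added example; the packets below
are constructed for the demo, not captured from ISE."""
import struct

ACCESS_REQUEST = 1                                  # RFC 2865 packet code
ATTR_USER_NAME, ATTR_SERVICE_TYPE = 1, 6
ATTR_CALLING_STATION_ID, ATTR_NAS_PORT_TYPE = 31, 61

# Enumerations from RFC 2865 sections 5.6 and 5.41
SERVICE_TYPE = {1: "Login", 2: "Framed", 10: "Call-Check"}
NAS_PORT_TYPE = {15: "Ethernet", 19: "Wireless - IEEE 802.11"}
# The mapping ISE applies on top of them (the two tables above)
METHOD_OF_ACCESS = {"Ethernet": "Wired", "Wireless - IEEE 802.11": "Wireless"}
METHOD_OF_AUTH = {"Framed": "802.1X", "Login": "Web Authentication",
                  "Call-Check": "MAC Authentication Bypass"}


def parse_packet(raw):
    """Return (code, identifier, authenticator, [(type, value), ...]).

    Every length is checked against the bytes actually present, so a
    Length field that lies or a zero-length attribute (which would loop
    forever in a naive parser) is rejected instead of trusted."""
    if len(raw) < 20:
        raise ValueError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("Length field disagrees with packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d" % alen)
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, raw[4:20], attrs


def first_int(attrs, atype):
    """Value of the first 4-octet integer attribute of the given type, or None."""
    for t, v in attrs:
        if t == atype:
            if len(v) != 4:
                raise ValueError("integer attribute %d has length %d" % (t, len(v)))
            return struct.unpack("!I", v)[0]
    return None


def classify(raw):
    """(method of access, method of authentication) for an Access-Request."""
    code, _, _, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    access = METHOD_OF_ACCESS.get(NAS_PORT_TYPE.get(first_int(attrs, ATTR_NAS_PORT_TYPE)))
    auth = METHOD_OF_AUTH.get(SERVICE_TYPE.get(first_int(attrs, ATTR_SERVICE_TYPE)))
    return access, auth


def is_malformed(raw):
    """True when the packet fails the structural checks in parse_packet."""
    try:
        parse_packet(raw)
        return False
    except ValueError:
        return True


# --- constructed sample requests (no EAP-Message, zeroed authenticator) ---
def build_request(ident, attrs):
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


def u32(n):
    return struct.pack("!I", n)


WIRELESS_DOT1X = build_request(1, [(ATTR_USER_NAME, b"employee1"),
                                   (ATTR_SERVICE_TYPE, u32(2)),       # Framed
                                   (ATTR_NAS_PORT_TYPE, u32(19))])    # Wireless - IEEE 802.11
WIRELESS_MAB = build_request(2, [(ATTR_USER_NAME, b"001122334455"),
                                 (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
                                 (ATTR_SERVICE_TYPE, u32(10)),        # Call-Check
                                 (ATTR_NAS_PORT_TYPE, u32(19))])
WIRED_WEBAUTH = build_request(3, [(ATTR_USER_NAME, b"guest7"),
                                  (ATTR_SERVICE_TYPE, u32(1)),        # Login
                                  (ATTR_NAS_PORT_TYPE, u32(15))])     # Ethernet

if __name__ == "__main__":
    for name, pkt in [("wireless 802.1X", WIRELESS_DOT1X), ("wireless MAB", WIRELESS_MAB),
                      ("wired webauth", WIRED_WEBAUTH)]:
        print(name, "->", classify(pkt))
```

A request that carries no Service-Type classifies to (access, None), which is exactly why the switch-side commands later in the deck (radius-server attribute 6 on-for-login-auth and friends) matter: an ISE rule keyed on Service-Type never matches a request that omits it.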

Authentication Protocols (ISE screenshot)

Default Network Access (ISE screenshot)

Authentication Policy (ISE screenshot)

Authentication AVPs in BYOD: Authentication Protocol

Authentication Protocol | ISE condition
EAP-TLS | Network Access:EapAuthentication = EAP-TLS
PEAP | Network Access:EapTunnel = PEAP

EapTunnel names the outer tunnelled method and EapAuthentication the method that actually authenticates the endpoint, which is why PEAP (used during onboarding) is matched on EapTunnel while EAP-TLS (used for BYOD_Employee access) is matched on EapAuthentication.

Authorization Policy (ISE screenshot)

Authorization Profiles (ISE screenshot)

Authorization Profile: Wireless CWA (ISE screenshot)

Authorization Profile: Wireless CWA AVPs (ISE screenshot)

Authorization AVPs (Wireless CWA profile)
- Access Type = ACCESS_ACCEPT
- Airespace-ACL-Name = ACL_Provisioning
- cisco-av-pair = url-redirect-acl=acl_provisioning_redirect
- cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

BYOD CVD Authorization Common Tasks/AVPs

Common Task | RADIUS AV Pair(s)
DACL Name | DACL = <ACL_NAME>
VLAN | Tunnel-Private-Group-ID = 1:<VLAN#>; Tunnel-Type = 1:13 (VLAN); Tunnel-Medium-Type = 1:6 (IEEE-802)
Web Redirection | cisco-av-pair = url-redirect-acl=<acl_name>; cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=<cwa|nsp|mdm>
Filter-ID | Filter-ID = <ACL_NAME>.in
Airespace ACL Name | Airespace-ACL-Name = <ACL_NAME>

The "1:" in front of the VLAN values is the RFC 2868 tag that ties the three tunnel attributes together. The DACL row is the profile's summary, not the wire format: ISE sends the DACL name in a cisco-av-pair (ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name>-<hash>) and the switch downloads the ACL contents in a follow-up Access-Request.
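The following added Python example (not from the CVD, from ISE or from Cisco; the ACL names, portal host:port, session id, DACL hash and shared secret are constructed placeholders) encodes these common tasks as the attributes that actually go on the wire, including the RFC 2868 tag byte behind the "1:" notation and the Cisco (9) and Airespace (14179) vendor-specific wrappers, seals the Access-Accept with the RFC 2865 Response Authenticator, and verifies it the way the NAS must before applying any of it.

```python
"""Encode the BYOD CVD authorization common tasks as RADIUS attributes
in an Access-Accept and seal it with the RFC 2865 Response Authenticator.
Added example; names, host:port, session id and secret are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_CISCO, CISCO_AV_PAIR = 9, 1                 # cisco-av-pair
VENDOR_AIRESPACE, AIRESPACE_ACL_NAME = 14179, 6    # Airespace-ACL-Name
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def avp(atype, value):
    """Type-Length-Value attribute; RADIUS allows at most 253 value octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def tagged_int(atype, tag, value):
    """RFC 2868 tagged integer: the '1:' on the slide is this tag byte and
    the integer itself only gets the low three octets."""
    return avp(atype, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_str(atype, tag, text):
    return avp(atype, bytes([tag]) + text.encode())


def vsa(vendor, subtype, value):
    """Vendor-Specific (26): 4-octet vendor id, then vendor type/length/value."""
    inner = bytes([subtype, 2 + len(value)]) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor) + inner)


def cisco_av_pair(text):
    return vsa(VENDOR_CISCO, CISCO_AV_PAIR, text.encode())


def authorization_attrs(profile):
    """Translate an ISE-style authorization profile (a dict here) into wire attributes."""
    out = b""
    if "vlan" in profile:
        out += tagged_int(ATTR_TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
        out += tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
        out += tagged_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, 1, str(profile["vlan"]))
    if "dacl" in profile:
        # Only the DACL name travels here; the switch fetches the ACL body
        # with a follow-up Access-Request for that name.
        out += cisco_av_pair("ACS:CiscoSecure-Defined-ACL=" + profile["dacl"])
    if "redirect_acl" in profile:
        out += cisco_av_pair("url-redirect-acl=" + profile["redirect_acl"])
        out += cisco_av_pair("url-redirect=https://%s/guestportal/gateway?sessionId=%s&action=%s"
                             % (profile["portal"], profile["session_id"], profile["action"]))
    if "filter_id" in profile:
        out += avp(ATTR_FILTER_ID, (profile["filter_id"] + ".in").encode())
    if "airespace_acl" in profile:
        out += vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, profile["airespace_acl"].encode())
    return out


def access_accept(ident, request_authenticator, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """What the NAS must do before trusting any attribute in the reply."""
    if len(packet) < 20:
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


# Constructed inputs: the Wireless CWA profile from the slide and a wired VLAN/DACL variant
WIRELESS_CWA = {"airespace_acl": "ACL_Provisioning",
                "redirect_acl": "ACL_Provisioning_Redirect",
                "portal": "ise.example.com:8443",
                "session_id": "0a01020300000010deadbeef", "action": "cwa"}
WIRED_PARTIAL = {"vlan": 30, "dacl": "#ACSACL#-IP-ACL_Partial_Access-5a3f2c1e",
                 "filter_id": "ACL_Partial_Access"}
REQUEST_AUTH = bytes(range(16))          # would be copied from the Access-Request
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    pkt = access_accept(9, REQUEST_AUTH, SECRET, authorization_attrs(WIRELESS_CWA))
    print(len(pkt), "bytes, authenticator valid:", verify_response(pkt, REQUEST_AUTH, SECRET))
```

The Response Authenticator is the only thing binding the redirect URL, VLAN and ACL names to the request the NAS actually sent, and it is an MD5 over the shared secret: a short or shared-everywhere secret makes every one of these authorization results forgeable by anyone on the path between NAS and ISE.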


Authentication Request: PEAP
Packet capture: Single SSID Onboarding, BYOD_Employee, Full Access User
Note 1: EAP method types are listed in the IANA registry at http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml

Authentication Response: PEAP
Packet capture: Single SSID Onboarding, BYOD_Employee, Full Access User

PEAP Overview
- The Method of Access (wired/wireless) and Method of Authentication (802.1X/MAB/WebAuth) are both carried in the first Access-Request.
- Identifying the Authentication Protocol takes a few packets: the 2nd Access-Request is the first to contain PEAP, and the TLS exchange takes several additional Access-Request / Access-Challenge packets.
- The Access-Accept contains the authorization for the endpoint: a redirect ACL, a redirect URL and an access-control ACL.
- The SessionID is the unique identifier for the session.
- The Access-Request carries over 13 different fields that authentication conditions can key on.

Authentication Request: PEAP (so many fields to choose from!!!)

Authentication Request: MAB
Packet capture: Dual SSID Onboarding, BYOD_Provisioning, Partial Access User

Authentication Response: MAB
Packet capture: Dual SSID Onboarding, BYOD_Provisioning, Partial Access User

Authentication Request: EAP-TLS
Packet capture: BYOD_Employee, Partial Access User

Authentication Response: EAP-TLS
Packet capture: BYOD_Employee, Partial Access User


Configuration Options: Authentication (IOS switch)

Enable the sending of Vendor Specific Attributes (VSAs) in authentication and accounting:
  radius-server vsa send accounting
  radius-server vsa send authentication

Send the standard IETF attributes that ISE keys on (attributes 6, 8 and 25 are IETF attributes, not Cisco VSAs):
  radius-server attribute 6 on-for-login-auth        ! Service-Type
  radius-server attribute 8 include-in-access-req    ! Framed-IP-Address
  radius-server attribute 25 access-request include  ! Class

Adjust the MAC address format in Calling-Station-Id (attribute 31):
  radius-server attribute 31 {append-circuit-id | mac format {default | ietf | unformatted} | remote-id | send nas-port-detail [mac-only]}

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r1.html

Configuration Options: Authentication (cont'd)

Send NAS-Identifier (attribute 32) in Access-Requests:
  radius-server attribute 32 include-in-access-req

Non-RFC-compliant NAS-Port-Types (attribute 61) and NAS-Port format:
  radius-server attribute 61 extended
  radius-server attribute nas-port format

Enable Change of Authorization; the switch accepts CoA only from the listed client:
  aaa server radius dynamic-author
    client 10.225.49.15 server-key 7 032A4802120A701E1D5D4C

The "7" marks a type-7 key, which is reversibly obfuscated rather than encrypted: anyone who can read the running configuration can recover the CoA shared secret, so treat the config as you would the secret itself.
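The dynamic-author block above is what lets ISE tear down or re-authorize a session after the initial Access-Accept. As an added Python example (not Cisco's or ISE's code; the secret, addresses and session ids are constructed), here is the RFC 5176 Disconnect-Request exchange from both sides: the Dynamic Authorization Client (ISE's role) computes the Request Authenticator over a zeroed authenticator field, and the NAS (the switch's role) accepts the packet only from a configured client address with a matching authenticator, answering with a Disconnect-ACK or a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found).

```python
"""RADIUS Change of Authorization (RFC 5176, which obsoletes the RFC 3576
named earlier in the deck): build a Disconnect-Request as the Dynamic
Authorization Client would, then validate and answer it as a NAS configured
with 'aaa server radius dynamic-author' does.  Added example; the secret,
addresses and session ids are constructed."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST = 43
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 31, 44, 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503               # RFC 5176 section 3.5


def avp(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def find_attr(body, atype):
    """First value of the given attribute type in an attribute list, or None."""
    pos = 0
    while pos + 2 <= len(body):
        t, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None                             # malformed: stop, do not guess
        if t == atype:
            return body[pos + 2:pos + alen]
        pos += alen
    return None


def dac_build_request(ident, secret, attrs, code=DISCONNECT_REQUEST):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    (RFC 5176 section 2.3); unlike an Access-Request it is not random."""
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def nas_verify_request(packet, secret):
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    if header[0] not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, req_auth)


def nas_reply(request, secret, code, attrs=b""):
    """ACK/NAK carry a Response Authenticator computed over the request's authenticator."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def nas_handle(packet, src_ip, secret, dac_clients, sessions):
    """Mirror of the IOS dynamic-author block: only configured client IPs may
    send CoA, a bad authenticator is silently discarded (RFC 5176 section 2.3),
    and an unknown session is answered with a NAK carrying Error-Cause 503."""
    if src_ip not in dac_clients or not nas_verify_request(packet, secret):
        return None
    session = find_attr(packet[20:], ATTR_ACCT_SESSION_ID)
    if session in sessions:
        sessions.discard(session)                   # tear the session down
        return nas_reply(packet, secret, DISCONNECT_ACK)
    err = avp(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))
    return nas_reply(packet, secret, DISCONNECT_NAK, err)


def dac_verify_reply(reply, request, secret):
    """The client checks identifier and Response Authenticator before acting on ACK/NAK."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


# Constructed demo values
SECRET = b"constructed-coa-secret"
DAC_CLIENTS = {"10.225.49.15"}                     # the 'client' line from the slide
ACTIVE_SESSIONS = {b"0000001A", b"0000001B"}


def demo():
    """Disconnect session 0000001A; returns (reply, request, sessions left on the NAS)."""
    req = dac_build_request(7, SECRET, [(ATTR_ACCT_SESSION_ID, b"0000001A"),
                                        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")])
    sessions = set(ACTIVE_SESSIONS)
    reply = nas_handle(req, "10.225.49.15", SECRET, DAC_CLIENTS, sessions)
    return reply, req, sessions


if __name__ == "__main__":
    reply, req, left = demo()
    print("reply code", reply[0], "valid", dac_verify_reply(reply, req, SECRET), "left", left)
```

Because the only integrity protection is an MD5 over the shared secret, a CoA listener reachable from untrusted networks is a disconnect-anyone service for whoever learns or guesses the key; restricting the client address as the slide does, using a long unique secret per NAS, and carrying RADIUS over IPsec or RadSec (RFC 6614) are the usual mitigations.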

Configuration Options: Authorization
Authorization profile common tasks (DACL, VLAN, Web Redirect, Filter-ID, Airespace ACL) against the NAS type they apply to (wireless, wired); the per-task selections are shown as a matrix on the slide.

RADIUS Dictionaries
- 86 pre-defined RADIUS IETF attributes.
- By default, ISE provides the following RADIUS vendor dictionaries: Airespace (Cisco wireless), Cisco (general Cisco RADIUS), Cisco-BBSM (Cisco Building Broadband Service Manager), Cisco-VPN3000 (Cisco VPN), Microsoft (Microsoft authentication).
- Additional RADIUS vendor dictionaries can be added (Note 1), via export/import or manual configuration.
Note 1: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_resources.html#wp1131581

Authorization Profiles: Custom Attribute Value Pairs (ISE screenshot)

Troubleshooting Your Configuration: Authentication Live Logs Details (ISE screenshots)
The details view of a Live Logs entry is broken into these sections:
- Overview
- Authentication Details
- Other Attributes
- Result
- Steps

Best Practices: Dive in, but don't get the bends
- Take a packet capture of the relevant RADIUS traffic.
- Audit any fields that may be missing yet needed. Can you get the additional fields via another method, e.g. supplementary attributes via ISE profiling?
- Do a proof of concept in a controlled environment: either a second instance of ISE with a representative network, or a single instance of ISE with a dedicated alpha (pilot) user, endpoint, port or SSID so that policy changes match only that test subject.


Additional Reference Material
- Cisco Bring Your Own Device (BYOD) Design Guide: www.cisco.com/go/designzone
- Cisco Bring Your Own Device (BYOD) Networking LiveLessons Video Series: http://www.informit.com/store/cisco-bring-your-own-device-byod-networking-livelessons-9781587144219
- Cisco ISE for BYOD and Secure Unified Access, by Aaron Woland and Jamey Heary: www.ciscopress.com/store/cisco-ise-for-byod-and-secure-unified-access-9781587143250

Participate in the My Favorite Speaker Contest
Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress). Send a tweet including your favorite speaker's Twitter handle (@EE_KDawg) and the two hashtags #CLUS #MyFavoriteSpeaker. You can submit an entry for more than one favorite speaker. Follow @CiscoLive and @CiscoPress; official rules at http://bit.ly/cluswin


Conclusion
- RADIUS is the glue for ISE's security policy.
- ISE is highly customizable.
- Confirm any changes to your BYOD policy in a controlled environment.
- Leverage Authentication Live Logs for troubleshooting and further insight.

Backup Slides

BYOD CVD Authorization Summary: Onboarding Scenarios
(DACL, VLAN, Filter-ID and Airespace ACL selections per profile are shown as marks on the slide.)

Authorization Profile | Web Redirect (action) | Access-Type
Wireless CWA | CWA | ACCESS_ACCEPT
Wireless NSP | NSP | ACCESS_ACCEPT
Wired CWA | CWA | ACCESS_ACCEPT
Internet Until MDM | MDM | ACCESS_ACCEPT
ISE Quarantine | MDM | ACCESS_ACCEPT
MDM Quarantine | MDM | ACCESS_ACCEPT

BYOD CVD Authorization Summary: Network Access Scenarios, Campus
(DACL, VLAN, Web Redirect, Filter-ID and Airespace ACL selections per profile are shown as marks on the slide.)

Authorization Profile | Access-Type
Campus WiFi Full Access | ACCESS_ACCEPT
Campus WiFi Partial Access | ACCESS_ACCEPT
Campus WiFi Internet Only | ACCESS_ACCEPT
Campus WiFi MAB | ACCESS_ACCEPT
Campus Wired Full Access | ACCESS_ACCEPT
Campus Wired Partial Access | ACCESS_ACCEPT
Campus Wired Internet Only | ACCESS_ACCEPT
Campus Wired MAB | ACCESS_ACCEPT

BYOD CVD Authorization Summary: Network Access Scenarios, Branch (FlexConnect mode)
(DACL, VLAN, Web Redirect, Filter-ID and Airespace ACL selections per profile are shown as marks on the slide.)

Authorization Profile | Access-Type
Branch WiFi Full Access (1) | ACCESS_ACCEPT
Branch WiFi Partial Access (1) | ACCESS_ACCEPT
Branch WiFi Internet Only (1) | ACCESS_ACCEPT
Branch WiFi Internet Only (1) | ACCESS_ACCEPT
Branch Wired Full Access | ACCESS_ACCEPT
Branch Wired Partial Access | ACCESS_ACCEPT
Branch Wired Internet Only | ACCESS_ACCEPT
Branch Wired MAB | ACCESS_ACCEPT
Note 1: Access control (i.e. ACLs) is supplemented by FlexConnect ACLs for these scenarios.

BYOD CVD Authorization Summary: Lost/Stolen Devices, Guest Access, and Miscellaneous
(DACL, VLAN, Web Redirect, Filter-ID and Airespace ACL selections per profile are shown as marks on the slide.)

Authorization Profile | ACL value shown | Access-Type
EPS Quarantine | | ACCESS_REJECT
Blackhole WiFi Access | Blackhole | ACCESS_ACCEPT
Blackhole Wired Access | Blackhole | ACCESS_ACCEPT
Sponsored Guest Access (1) | | ACCESS_ACCEPT
Basic Access (1) | | ACCESS_ACCEPT
PermitAccess | | ACCESS_ACCEPT
DenyAccess | | ACCESS_REJECT
Note 1: Access control (i.e. ACLs) is managed by the edge ASA for these scenarios.
