Getting the Most out of your BYOD Investment: A Deep Dive of ISE BYOD Policy
Kevin Redmon, System Test Engineer
Agenda
Introduction
RADIUS: the Backbone of BYOD
Testing the Waters: Current BYOD Solution
The Great Blue Yonder: What else is Possible with RADIUS
Diving in to Make it Happen: the Configuration
Conclusion
Introduction: About me
13+ year veteran of Cisco
BYOD Smart Solution Test Team for 2 years
From Ohio (Go BUCKEYES!!!), now living in North Carolina (Go Pirates/Wolfpack/Blue Devils/Tarheels!!!)
Youngest of 12 children, with 9 sisters and 2 brothers
Married 6 WONDERFUL years to my beautiful wife, Sonya
A princess of a daughter, Melody, 3 ½ years old
Introduction: About Cisco's BYOD System Design
Cisco's BYOD System Design Version 2.6 was released in March 2014. Key updates from 2.5:
Feature parity between Converged Access and CUWN
802.11ac WiFi support on AP3600
Location/Context enabled via Mobility Services Engine (MSE)
Mobility AVC and QoS for Jabber collaboration
Cisco's Identity Services Engine (ISE) is at the center of the solution. The next version of the CVD is due out Summer 2014.
Check your gear before diving in
Before implementing the concepts in this presentation, be sure to test in a controlled environment
Certain features and capabilities were released in particular versions/licenses of code
The behavior may vary slightly between different platforms
Tweak configurations as needed to achieve the desired result (I'm human)
Ensure that your company's security policy is sufficiently executed in the configured BYOD policy
BYOD Network Overview (architecture diagram). Components shown: Branch, WAN, Campus and Internet Edge; Cisco 5508 Series Wireless Controller (Guest Controller); Primary GETVPN Tunnel over the SP Network and Backup DMVPN Tunnel over the Internet; Cisco ASR 1000 Series Aggregation Routers; ASA Firewall; Campus Core; Services Module; Cisco ISR Series Router (Primary Router) and Cisco ISR Series Router (Backup Router); Catalyst 3850, 3750-X, 3650-X or 2960-S Series Switches; Cisco Aironet 2600, 3500 and 3600 Series Access Points; Application & File Servers; Data Center (RSA, DNS, DHCP, Prime Infrastructure, CA, AD, ISE, CUCM, Mobility Services Engine); Campus 5500/5760 Series Wireless Controller(s) with Campus Aironet Access Points; Branch Flex 7500 Series Wireless Controller(s); Building Module.
RADIUS
RFC 2865 states: "RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user."
Four packet types: Access-Request, Access-Accept, Access-Reject, Access-Challenge
RFC 3576: Dynamic Authorization Extensions to RADIUS
Identity Services Engine (ISE)
AAA: Authentication (AuthC), Authorization (AuthZ), Accounting
AuthC confirms who you (as the user of the endpoint) or the endpoint itself are
AuthZ determines what network resources you (as the user) and/or the endpoint are allowed to access
RADIUS is the underlying protocol that allows all of this to happen
Typical BYOD Flow
1. CWA/NSP: the ISE portal authenticates, authorizes and/or registers the endpoint and enrolls the endpoint with the Certificate Authority
2. MDM Enrollment (Advanced Use Case): enroll with the MDM
3. ISE Quarantine (Advanced Use Case): ensure the endpoint adheres to the ISE endpoint policy
4. MDM Quarantine (Advanced Use Case): ensure the endpoint adheres to the MDM endpoint policy
5. Final Access Level: each future access to the network is automatic, with certificate authentication at the configured access level
Endpoint Onboarding (Single SSID): sequence diagram between Endpoint, NAS, ISE and CA
Endpoint -> NAS: Username via PEAP
NAS -> ISE: RADIUS Access-Request
ISE -> NAS: RADIUS Access-Challenge
NAS -> ISE: RADIUS Access-Request
NAS -> ISE: RADIUS Access-Request
ISE -> NAS: RADIUS Access-Accept
User accesses a webpage and is redirected to the ISE NSP portal
User provides info about the endpoint to ISE
Endpoint -> ISE: public key and X.509 for SCEP enrollment; ISE acts as SCEP proxy to the CA
Certificate deployed to the endpoint certificate store
Endpoint = Registered
Endpoint Access (BYOD_Employee): sequence diagram between Endpoint, NAS, ISE and CA
Endpoint AuthC via EAP-TLS
NAS -> ISE: RADIUS Access-Request
ISE -> NAS: RADIUS Access-Challenge
NAS -> ISE: RADIUS Access-Request
NAS -> ISE: RADIUS Access-Request
ISE -> CA: CRL Check
ISE -> NAS: RADIUS Access-Accept (valid certificate)
User granted Full Access
Authentication Policy
Authentication Conditions
Authentication Condition: Wireless 802.1x
Authentication Attribute Value Pairs (AVPs) in BYOD: Method of Access
Method of Access -> RADIUS NAS-Port-Type
Wired -> Ethernet
Wireless -> Wireless - IEEE 802.11
Example condition: RADIUS:NAS-Port-Type Equals Ethernet
Authentication Attribute Value Pairs (AVPs) in BYOD: Method of Authentication
Method of Authentication -> RADIUS Service-Type
802.1x -> Framed
Web Authentication -> Login
MAC Authentication Bypass -> Call-Check
Example condition: RADIUS:Service-Type Equals Framed
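As an added example (not from the slides), the following Python parses a constructed RADIUS Access-Request and reports the method of access and method of authentication that the two ISE conditions above would match on. The attribute numbers and enumerated values are the RFC 2865 / IANA ones; the packet is built inline, with a zeroed authenticator, so nothing here is a real capture.

```python
import struct

# RFC 2865 attribute numbers and the IANA enumerations behind the two ISE
# authentication conditions: NAS-Port-Type (method of access) and
# Service-Type (method of authentication).
ATTR_SERVICE_TYPE, ATTR_NAS_PORT_TYPE = 6, 61
NAS_PORT_TYPES = {15: ("Ethernet", "Wired"),
                  19: ("Wireless - IEEE 802.11", "Wireless")}
SERVICE_TYPES = {1: "Login", 2: "Framed", 10: "Call-Check"}
AUTH_METHODS = {"Framed": "802.1X", "Login": "Web Authentication",
                "Call-Check": "MAC Authentication Bypass"}

def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the attribute TLVs that follow it."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:   # RFC 2865: Length >= 2, inside packet
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}

def classify_access_request(packet: bytes) -> dict:
    """Return the method of access / authentication ISE would match on."""
    parsed = parse_radius(packet)
    if parsed["code"] != 1:                    # 1 = Access-Request
        raise ValueError("not an Access-Request")
    def first_int(atype):
        vals = parsed["attrs"].get(atype)
        return struct.unpack("!I", vals[0])[0] if vals and len(vals[0]) == 4 else None
    port_type, access = NAS_PORT_TYPES.get(first_int(ATTR_NAS_PORT_TYPE),
                                           ("unknown", "unknown"))
    service = SERVICE_TYPES.get(first_int(ATTR_SERVICE_TYPE), "unknown")
    return {"method_of_access": access, "nas_port_type": port_type,
            "service_type": service,
            "method_of_authentication": AUTH_METHODS.get(service, "unknown")}

def build_access_request(service_type: int, nas_port_type: int) -> bytes:
    """Constructed sample Access-Request (not a capture); authenticator zeroed."""
    body = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    body += struct.pack("!BBI", ATTR_NAS_PORT_TYPE, 6, nas_port_type)
    return struct.pack("!BBH", 1, 42, 20 + len(body)) + bytes(16) + body
```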
Authentication Protocols
Default Network Access
Authentication Policy
Authentication AVPs in BYOD: Authentication Protocol
Authentication Protocol -> Network Access attribute
EAP-TLS -> EapAuthentication = EAP-TLS
PEAP -> EapTunnel = PEAP
Example conditions: Network Access:EapAuthentication = EAP-TLS; Network Access:EapTunnel = PEAP
Authorization Policy
Authorization Profiles
Authorization Profile: Wireless CWA
Authorization Profile: Wireless CWA AVPs
Authorization AVPs
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = ACL_Provisioning
cisco-av-pair = url-redirect-acl=acl_provisioning_redirect
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionid=sessionidvalue&action=cwa
BYOD CVD Authorization Common Tasks/AVPs
Common Task -> Radius AV Pair
DACL Name -> DACL = <ACL_NAME>
VLAN -> Tunnel-Private-Group-ID = 1:<VLAN#>; Tunnel-Type = 1:13 (VLAN); Tunnel-Medium-Type = 1:6 (IEEE-802)
Web Redirection -> cisco-av-pair = url-redirect-acl=<acl_name>; cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionid=sessionidvalue&action=<cwa|nsp|mdm>
Filter-ID -> Filter-ID = <ACL_NAME>.in
Airespace ACL Name -> Airespace-ACL-Name = <ACL_NAME>
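As an added example (not from the slides or the CVD), this Python checks a set of Access-Accept AVPs against the common-task table above: the web-redirect pair must be sent together with an https URL carrying a sessionid and a cwa/nsp/mdm action, and VLAN assignment needs all three consistently tagged Tunnel-* attributes with Tunnel-Type 13 and Tunnel-Medium-Type 6. The sample AVPs, host name and port are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed Access-Accept AVPs for the Wireless CWA profile, modelled on the
# slide's values; the host and port are placeholders, not a real ISE node.
SAMPLE_WIRELESS_CWA = [
    ("Airespace-ACL-Name", "ACL_Provisioning"),
    ("cisco-av-pair", "url-redirect-acl=acl_provisioning_redirect"),
    ("cisco-av-pair", "url-redirect=https://ise.example.invalid:8443"
                      "/guestportal/gateway?sessionid=sessionidvalue&action=cwa"),
]
REDIRECT_ACTIONS = {"cwa", "nsp", "mdm"}   # the three portals in the table
VLAN_ATTRS = {"Tunnel-Private-Group-ID", "Tunnel-Type", "Tunnel-Medium-Type"}

def cisco_av_pairs(avps):
    """Map each cisco-av-pair 'key=value' string to key -> value."""
    pairs = {}
    for name, value in avps:
        if name == "cisco-av-pair" and "=" in value:
            key, _, val = value.partition("=")
            pairs[key.strip()] = val.strip()
    return pairs

def check_authorization(avps):
    """Return findings for an authorization profile; empty means consistent."""
    findings, pairs = [], cisco_av_pairs(avps)
    acl, url = pairs.get("url-redirect-acl"), pairs.get("url-redirect")
    if bool(acl) != bool(url):
        findings.append("url-redirect-acl and url-redirect must be sent together")
    if url:
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if parts.scheme != "https":
            findings.append("redirect URL is not https")
        if not query.get("sessionid", [""])[0]:
            findings.append("redirect URL lacks sessionid")
        if query.get("action", [""])[0] not in REDIRECT_ACTIONS:
            findings.append("redirect action is not one of cwa/nsp/mdm")
    # VLAN assignment: all three Tunnel-* attributes, one shared tag (e.g. "1:").
    tunnel = {n: v for n, v in avps if n.startswith("Tunnel-")}
    if tunnel:
        tags = {v.partition(":")[0] for v in tunnel.values()}
        if set(tunnel) != VLAN_ATTRS or len(tags) != 1:
            findings.append("incomplete or inconsistently tagged VLAN attributes")
        elif (tunnel["Tunnel-Type"].partition(":")[2] != "13"
              or tunnel["Tunnel-Medium-Type"].partition(":")[2] != "6"):
            findings.append("Tunnel-Type/Tunnel-Medium-Type are not VLAN (13) / IEEE-802 (6)")
    return findings
```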
Authentication Request: PEAP (packet capture; Single SSID Onboarding, BYOD_Employee, Full Access User)
Note 1: EAP Method Types - http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml
Authentication Response: PEAP (packet capture; Single SSID Onboarding, BYOD_Employee, Full Access User)
PEAP Overview
Method of Access (Wired/Wireless) and Method of Authentication (802.1x/MAB/WebAuth) are carried in the Access-Request
The Authentication Protocol takes a few packets: the 2nd Access-Request contains PEAP, and the TLS exchange takes several additional packets
The Access-Accept contains the Authorization for the endpoint: a Redirect ACL, a Redirect URL and an Access Control ACL
The SessionID is the unique identifier for the session
There are over 13 different fields in the Access-Request to flag off of for Authentication
Authentication Request: PEAP. So many fields to choose from!!!
Authentication Request: MAB (packet capture; Dual SSID Onboarding, BYOD_Provisioning, Partial Access User)
Authentication Response: MAB (packet capture; Dual SSID Onboarding, BYOD_Provisioning, Partial Access User)
Authentication Request: EAP-TLS (packet capture; BYOD_Employee, Partial Access User)
Authentication Response: EAP-TLS (packet capture; BYOD_Employee, Partial Access User)
Configuration Options: Authentication
Enable the sending of Vendor Specific Attributes (VSAs):
  radius-server vsa send accounting
  radius-server vsa send authentication
Configure the Cisco VSAs:
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
Adjust the MAC address format:
  radius-server attribute 31 {append-circuit-id | mac format {default | ietf | unformatted} | remote-id | send nas-port-detail [mac-only]}
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r1.html
Configuration Options: Authentication (cont'd)
Send NAS-Identifier:
  radius-server attribute 32 include-in-access-req
Non-RFC-compliant NAS-Port-Types:
  radius-server attribute 61 extended
  radius-server attribute nas-port format
Enable Change of Authorization:
  aaa server radius dynamic-author
   client 10.225.49.15 server-key 7 032A4802120A701E1D5D4C
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r1.html
Configuration Options: Authorization
Authorization Profile common tasks: DACL, VLAN, Web Redirect, Filter-ID, Airespace ACL (Wireless/Wired)
RADIUS Dictionaries
86 pre-defined RADIUS IETF attributes
By default, ISE provides the following RADIUS-vendor dictionaries:
Airespace (Cisco Wireless)
Cisco (General Cisco RADIUS)
Cisco-BBSM (Cisco Building Broadband Service Manager)
Cisco-VPN3000 (Cisco VPN)
Microsoft (Microsoft Authentication)
Additional RADIUS-vendor dictionaries can be added (1) via the export/import functionality or manual configuration
Note 1: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_resources.html#wp1131581
Authorization Profiles: Custom Attribute Value Pairs
Troubleshooting Your Configuration: Authentication Live Logs Details
Troubleshooting Your Configuration: Authentication Live Logs Details - Overview
Troubleshooting Your Configuration: Authentication Live Logs Details - Authentication Details
Troubleshooting Your Configuration: Authentication Live Logs Details - Authentication Details (cont'd)
Troubleshooting Your Configuration: Authentication Live Logs Details - Other Attributes
Troubleshooting Your Configuration: Authentication Live Logs Details - Other Attributes (cont'd)
Troubleshooting Your Configuration: Authentication Live Logs Details - Result
Troubleshooting Your Configuration: Authentication Live Logs Details - Steps
Best Practices: Dive in, but don't get the bends
Do a packet capture of the relevant RADIUS traffic
Audit any fields that may be missing yet needed
Can you get the additional fields via another method? Supplementary attributes are available via ISE Profiling
Do a proof of concept in a controlled environment: either a second instance of ISE with an indicative network, or a single instance of ISE with a unique alpha user/endpoint/port/SSID
Additional Reference Material
Cisco Bring Your Own Device (BYOD) Design Guide: www.cisco.com/go/designzone
Cisco Bring Your Own Device (BYOD) Networking LiveLessons Video Series: http://www.informit.com/store/cisco-bring-your-own-device-byod-networking-livelessons-9781587144219
Cisco ISE for BYOD and Secure Unified Access, by Aaron Woland and Jamey Heary: www.ciscopress.com/store/cisco-ise-for-byod-and-secure-unified-access-9781587143250
Participate in the My Favorite Speaker Contest
Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress). Send a tweet that includes your favorite speaker's Twitter handle (@EE_KDawg) and the two hashtags #CLUS #MyFavoriteSpeaker. You can submit an entry for more than one of your favorite speakers. Don't forget to follow @CiscoLive and @CiscoPress. View the official rules at http://bit.ly/cluswin
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes; winners are announced daily. Complete your session evaluation through the Cisco Live mobile app or at one of the interactive kiosks located throughout the convention center. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
Demos in the Cisco Campus; Walk-in Self-Paced Labs; Table Topics; Meet the Engineer 1:1 meetings
Conclusion
RADIUS is the glue for ISE's Security Policy
ISE is highly customizable
Confirm any changes to your BYOD policy in a controlled environment
Leverage Authentication Live Logs for troubleshooting and further insight
Backup Slides
BYOD CVD Authorization Summary: Onboarding Scenarios
Authorization Profile | Web Redirect | Access-Type
Wireless CWA | CWA | ACCESS_ACCEPT
Wireless NSP | NSP | ACCESS_ACCEPT
Wired CWA | CWA | ACCESS_ACCEPT
Internet Until MDM | MDM | ACCESS_ACCEPT
ISE Quarantine | MDM | ACCESS_ACCEPT
MDM Quarantine | MDM | ACCESS_ACCEPT
BYOD CVD Authorization Summary: Network Access Scenarios - Campus
Authorization Profile | Access-Type
Campus Wifi Full Access | ACCESS_ACCEPT
Campus Wifi Partial Access | ACCESS_ACCEPT
Campus Wifi Internet Only | ACCESS_ACCEPT
Campus WiFi MAB | ACCESS_ACCEPT
Campus Wired Full Access | ACCESS_ACCEPT
Campus Wired Partial Access | ACCESS_ACCEPT
Campus Wired Internet Only | ACCESS_ACCEPT
Campus Wired MAB | ACCESS_ACCEPT
BYOD CVD Authorization Summary: Network Access Scenarios - Branch (FlexConnect mode)
Authorization Profile | Access-Type
Branch Wifi Full Access (1) | ACCESS_ACCEPT
Branch Wifi Partial Access (1) | ACCESS_ACCEPT
Branch Wifi Internet Only (1) | ACCESS_ACCEPT
Branch Wired Full Access | ACCESS_ACCEPT
Branch Wired Partial Access | ACCESS_ACCEPT
Branch Wired Internet Only | ACCESS_ACCEPT
Branch Wired MAB | ACCESS_ACCEPT
Note 1: Access control (i.e. ACLs) is supplemented by FlexConnect ACLs for these scenarios.
BYOD CVD Authorization Summary: Lost/Stolen Devices, Guest Access, and Miscellaneous
Authorization Profile | Access control | Access-Type
EPS Quarantine | | ACCESS_REJECT
Blackhole WiFi Access | Blackhole | ACCESS_ACCEPT
Blackhole Wired Access | Blackhole | ACCESS_ACCEPT
Sponsored Guest Access (1) | | ACCESS_ACCEPT
Basic Access (1) | | ACCESS_ACCEPT
PermitAccess | | ACCESS_ACCEPT
DenyAccess | | ACCESS_REJECT
Note 1: Access control (i.e. ACLs) is managed by the Edge ASA for these scenarios.
The End