Cisco TrustSec How-To Guide: Phased Deployment Overview

Similar documents
Cisco TrustSec How-To Guide: Monitor Mode

Cisco TrustSec How-To Guide: Central Web Authentication

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series

Cisco TrustSec How-To Guide: Global Switch Configuration

2012 Cisco and/or its affiliates. All rights reserved. 1

P ART 3. Configuring the Infrastructure

Cisco TrustSec How-To Guide: Cisco ISE Base Configuration and Bootstrapping

ISE Primer.

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Cisco Trusted Security Enabling Switch Security Services

Cisco S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals.

Exam Questions Demo Cisco. Exam Questions

Introduction to 802.1X Operations for Cisco Security Professionals (802.1X)

Securing BYOD with Cisco TrustSec Security Group Firewalling

Integrating Meraki Networks with

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Identity Based Network Access

P ART 2. BYOD Design Overview

Configuring IEEE 802.1x Port-Based Authentication

802.1x Port Based Authentication

Securing Cisco Wireless Enterprise Networks ( )

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Configuring 802.1X Port-Based Authentication

Simplifying your 802.1X deployment

Configuring MAC Authentication Bypass

TrustSec Configuration Guides. TrustSec Capabilities on Wireless 8.4 Software-Defined Segmentation through SGACL Enforcement on Wireless Access Points

ForeScout CounterACT. Configuration Guide. Version 4.3

Cisco Network Admission Control (NAC) Solution

With 802.1X port-based authentication, the devices in the network have specific roles.

MS Switch Access Policies (802.1X) Host Modes

Manage Authorization Policies and Profiles

With 802.1X port-based authentication, the devices in the network have specific roles.

ISE Version 1.3 Self Registered Guest Portal Configuration Example

Configuring IEEE 802.1x Port-Based Authentication

Cisco Identity Services Engine (ISE) Mentored Install - Pilot

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Configuring IEEE 802.1x Port-Based Authentication

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

User-to-Data-Center Access Control Using TrustSec Design Guide

Configuring Web-Based Authentication

Xerox and Cisco Identity Services Engine (ISE) White Paper

CertKiller q

Introducing Cisco Identity Services Engine for System Engineer Exam

Configuring Web-Based Authentication

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

Contents. Introduction

Configuring 802.1X Port-Based Authentication

Forescout. Configuration Guide. Version 4.4

Manage Authorization Policies and Profiles

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

Posture Services on the Cisco ISE Configuration Guide Contents

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

The Context Aware Network A Holistic Approach to BYOD

Authentication and Authorization Policies

Component Assessment

IEEE 802.1X Multiple Authentication

Configure Guest Flow with ISE 2.0 and Aruba WLC

Cisco.Actualtests v by.Ralph.174.vce

Configuring 802.1X. Finding Feature Information. Information About 802.1X

Network Segmentation Through Policy Abstraction: How TrustSec Simplifies Segmentation and Improves Security Sept 2014

Contents. Introduction. Prerequisites. Configure. Requirements. Components Used. Network Diagram

Cisco.Actualtests v by.Ralph.174.vce

Configuring Web-Based Authentication

Deploying Cisco ISE for Guest Network Access

ISE Version 1.3 Hotspot Configuration Example

Configuring Network Admission Control

Per-User ACL Support for 802.1X/MAB/Webauth Users

Configuring Web-Based Authentication

For Sales Kathy Hall

Network as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved.

Cisco TrustSec 4.0:How to Create Campus and Branch-Office Segmentation

Layer 2 authentication on VoIP phones (802.1x)

Cisco ISE Features Cisco ISE Features

Reviewer s guide. PureMessage for Windows/Exchange Product tour

THE NETWORK. INTUITIVE. Powered by intent, informed by context. Rajinder Singh Product Sales Specialist - ASEAN August 2017

Cisco Exam Questions & Answers

Borderless Networks. Tom Schepers, Director Systems Engineering

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

Identity Services Engine Guest Portal Local Web Authentication Configuration Example

Configuring Web-Based Authentication

HP0-Y44. Implementing and Troubleshooting HP Wireless Networks.

Configuring VLANs CHAPTER

Cisco Deploying Basic Wireless LANs

Network Virtualization Access Control Design Guide

Implementing Cisco Edge Network Security Solutions ( )

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers

Cisco Identity Services Engine

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

Universal Switch Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

LAN and WLAN 802.1X Deployment Guide. February 2012 Series

PassCollection. IT certification exam collections provider, High pass rate

Central Web Authentication on the WLC and ISE Configuration Example

Interoperability guide Phoenix Contact WLAN clients with Cisco Wireless LAN Controllers (WLC) Published:

802.1x EAP TLS with Binary Certificate Comparison from AD and NAM Profiles Configuration Example

Transcription:

Cisco TrustSec How-To Guide: Phased Deployment Overview For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012

Table of Contents Table of Contents... 2 Introduction... 3 What Is the TrustSec System?... 3 About the TrustSec How-To Guides... 3 What does it mean to be TrustSec Certified?... 4 Deployment s... 5 Overview... 5 Phase 1: Monitor... 5 Phase 2: Low-Impact... 7 Phase 2: Closed (formerly High-Security )... 9 Appendix A: References... 10 Cisco TrustSec System:... 10 Device Configuration Guides:... 10 HowTo-20-Phased_Deployments_Overview 2

Introduction What Is the TrustSec System? Cisco TrustSec, a core component of the Cisco SecureX Architecture, is an intelligent access control solution. TrustSec mitigates security risks by providing comprehensive visibility into who and what is connecting across the entire network infrastructure, and exceptional control over what and where they can go. TrustSec builds on your existing identity-aware access layer infrastructure (switches, wireless controllers, and so on). The solution and all the components within the solution are thoroughly vetted and rigorously tested as an integrated system. In addition to combining standards-based identity and enforcement models, such as IEEE 802.1X and VLAN control, the TrustSec system it also includes advanced identity and enforcement capabilities such as flexible authentication, Downloadable Access Control Lists (dacls), Security Group Tagging (SGT), device profiling, posture assessments, and more. Figure 1: TrustSec Architecture Overview Wireless user Ingress Enforcement RADIUS Guest Services Posture Profiler SXP Wired user MACsec Campus Network Security Group Tag Security Group Tag Ingress Enforcement Data Center About the TrustSec How-To Guides Egress Enforcement The TrustSec team is producing this series of How-To documents to describe best practices for TrustSec deployments. The documents in the series build on one another and guide the reader through a successful implementation of the TrustSec system. You can use these documents to follow the prescribed path to deploy the entire system, or simply pick the single use-case that meets your specific need. Each guide is this series comes with a subway-style You Are Here map to help you identify the stage the document addresses and pinpoint where you are in the TrustSec deployment process (Figure 2). Figure 2: How-To Guide Navigation Map HowTo-20-Phased_Deployments_Overview 3

What does it mean to be TrustSec Certified? Each TrustSec version number (for example, TrustSec Version 2.0, Version 2.1, and so on) is a certified design or architecture. All the technology making up the architecture has undergone thorough architectural design development and lab testing. For a How-To Guide to be marked TrustSec certified, all the elements discussed in the document must meet the following criteria: Products incorporated in the design must be generally available. Deployment, operation, and management of components within the system must exhibit repeatable processes. All configurations and products used in the design must have been fully tested as an integrated solution. Many features may exist that could benefit your deployment, but if they were not part of the tested solution, they will not be marked as TrustSec certified. The TrustSec team strives to provide regular updates to these documents that will include new features as they become available, and are integrated into the TrustSec test plans, pilot deployments, and system revisions. (i.e., TrustSec 2.2 certification). Additionally, many features and scenarios have been tested, but are not considered a best practice, and therefore are not included in these documents. As an example, certain IEEE 802.1X timers and local web authentication features are not included. Note: Within this document, we describe the recommended method of deployment, and a few different options depending on the level of security needed in your environment. These methods are examples and step-by-step instructions for TrustSec deployment as prescribed by Cisco best practices to help ensure a successful project deployment. HowTo-20-Phased_Deployments_Overview 4

Deployment s Overview Cisco TrustSec is a system of multiple Cisco products deployed to secure the access layer. The main types of access layer include WLAN, LAN, and VPN. WLANs have Service Set Identifiers (SSIDs), which endpoints or users select and use for access. A typical network has a guest SSID that provides Internet access only and an internal SSID through which access to the internal network is provisioned. The other benefit of SSID is that the IT team can decide to deploy a more secured WLAN by setting up new SSID and directing selected users to the newly created SSID for evaluation purposes. With the LAN access layer, a single interface has to deal with different endpoints and users; there is no concept of SSIDs in LAN switchports. So when the interface is enabled with TrustSec, it must be able to address different endpoints and users without the benefit of the SSIDs that are used in WLANs. On the wired access ports, switches or network access devices (NADs) are responsible for enforcing permissions based on credentials provided by endpoints. When 802.1X is enabled on the interface, the TrustSec system expects the endpoint to provide credentials to access the network. However, not all endpoints on the network support 802.1X. For instance, certain legacy devices on the network, such as printers, fax machines, and IP cameras, may not support 802.1X and are therefore denied access. Also, when you enable 802.1X on the switchport, the switchport may enforce a single-device-per-interface standard policy, which is likely to interfere with how the network is used by users. If switchports are enabled with 802.1X without consideration of such use cases, users with IP phones or unmanaged hubs will have trouble connecting to the network. You can resolve all of these challenges by following a phased approach to TrustSec deployment. With a phased deployment, you can provide secure network services with little-to-no impact on end users. As Figure 3 illustrates, the three main TrustSec deployment phases are Monitor, Low-Impact, and Closed. Deploying Monitor first allows the administrator to step through all the issues, gaining visibility into successful and failed authentications, with minimal impact to the users and endpoints. Once issues have been addressed through Monitor in Phase 1, you can provide secured network access in Phase 2 through Low-Impact or Closed. Figure 3 Phased Deployment of TrustSec For detailed guide on each respective phase, please refer to the specific corresponding how-to document. Phase 1: Monitor Monitor works like an audit mode. Using logging data for validation, administrators use this mode to ensure that all devices are authenticating correctly, either with 802.1X or MAC Authentication Bypass (MAB). At the same time, the open authentication command used on the switch interfaces in Monitor makes it possible to provide network access across your wired and wireless infrastructure, without impacting your wired users or devices. If a device is misconfigured or is missing an 802.1X supplicant, the Open Authentication feature ensures that access will not be denied and simply logged (Figure 4). When they deploy TrustSec in Monitor, most organizations are surprised at what devices they find connected to the network that they were unaware of previously. HowTo-20-Phased_Deployments_Overview 5

Figure 4 Monitor Port Behavior Using the Open Authentication Feature Pre-AuthC Post-AuthC Monitor Monitor Permit All Permit All Figure 5 shows a high-level flow of authentication in Monitor. Figure 5 Monitor Flow Traffic always allowed Wireless environments with 802.1X are binary (just like 802.1X was designed to be), so when a user is unable to authenticate, they simply do not get access to the wireless network. Most users can accept this behavior and are willing to find a location with a physical network connection (wired) instead. While end users are mostly willing to accept an inability to join a wireless environment, they are much less understanding when faced with a lack of access to a wired network port. As Figure 5 indicates, Monitor is a process, not just a command on a switch. The process will use a combination of RADIUS accounting packets and Open Authentication and Multi-Auth features on your Cisco infrastructure, coupled with device profiling, in order to provide visibility to the administrator into who and what is connecting to the network and from where. If a device should be authenticating successfully but fails due to a misconfiguration, the administrator will be informed based on logging data and can correct the issue without denying network access to the user. The goal of Monitor is to address any possible authentication issues prior to moving to next phases. HowTo-20-Phased_Deployments_Overview 6

Figure 6 Monitor Process Note: It is not possible to implement Monitor with wireless networks. Therefore, we will introduce wireless in the Low-Impact phase. For more information on moving from Monitor to Low-Impact mode, please refer the TrustSec How-To Guide: Migrating from Monitor. Phase 2: Low-Impact In the Low-Impact, we will add security on top of the framework that we built in Monitor by applying an (ACL) to the switchport to allow very limited network access prior to authentication. After a user or device has successfully authenticated, they will be granted additional network access. For example, Low-Impact may be used to give any host attaching to the network the ability to use Dynamic Host Configuration Protocol (), Domain Name System (DNS), and perhaps get to the Internet, all while blocking access to internal resources. When a device connected to that same switchport passes authentication, a downloadable ACL (dacl) is applied that will permit all traffic (see Figure 7). Figure 7 Low-Impact Port Behavior 1 Pre-AuthC Post-AuthC Authenticated Authenticated Permit Some Permit All This phase continues to use Open Authentication on the switchports, while providing very strong levels of security for nonauthenticated devices. However, since a limited set of traffic will always flow regardless of the authentication state of the device, this mode is a practical solution for today s enterprises because it allows regular IT operational activities to occur, such as the reimaging of workstations with Pre-Execution Environment (PXE) type solutions. Figure 8 shows a high-level flow of authentication in Low-Impact. HowTo-20-Phased_Deployments_Overview 7

Figure 8 Low-Impact Flow Wireless access in Low-Impact mode follows a very similar flow. A user or device authenticating to wireless with valid credentials will be authorized for full network access. This gets tightened down with additional security and specific access based on the user or device s role. Depending on the requirements, the administrator can increase the security level by adding more granular security and differentiated access to the Network. Within the Low-Impact, we replace the dacl or wireless ACL (wacl) that permits traffic with a more specific dacl or wacl that is assigned based on the user s group membership or other attributes of the user s context. Following diagram depicts granular access control based on authorization (Figure 9). Figure 9 Low-Impact Port Behavior 2 Pre-AuthC Post-AuthC Enforcement Enforcement Permit Some Role-Based Access-List Security Group Tag HowTo-20-Phased_Deployments_Overview 8

Phase 2: Closed (formerly High-Security ) The default 802.1X mode, which was previously called High-Security, is now referred to Closed. Closed is recommended only for IT environments that are experienced with 802.1X deployments and have considered all the nuances that go along with it. Closed should be deployed with caution (Figure 10). Figure 10 Closed Port Behavior Pre-AuthC Post-AuthC Default 802.1X Default 802.1X Permit EAP Permit All The main difference between Closed and Monitor or Low-Impact is that interface command authentication open is not used. That means any traffic prior to authentication will be dropped, including, DNS, and Address Resolution Protocol (ARP) traffic. Some endpoints without a supplicant will need to wait for the interface to time out before MAB authentication starts on the interface. This could cause some endpoints to give up on process, even after MAB succeeds. To address this problem, the 802.1X timer needs to be tweaked to accommodate for such endpoints. For detailed information about Closed, see the TrustSec How-To Guide: Closed. Figure 11 shows a high-level processing flow for Closed. Figure 11 Closed Flow HowTo-20-Phased_Deployments_Overview 9

Appendix A: References Cisco TrustSec System: http://www.cisco.com/go/trustsec http://www.cisco.com/en/us/solutions/ns340/ns414/ns742/ns744/landing_designzone_trustsec.html Device Configuration Guides: Cisco Identity Services Engine User Guides: http://www.cisco.com/en/us/products/ps11640/products_user_guide_list.html For more information about Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software releases, please refer to following URLs: For Cisco Catalyst 2900 series switches: http://www.cisco.com/en/us/products/ps6406/products_installation_and_configuration_guides_list.html For Cisco Catalyst 3000 series switches: http://www.cisco.com/en/us/products/ps7077/products_installation_and_configuration_guides_list.html For Cisco Catalyst 3000-X series switches: http://www.cisco.com/en/us/products/ps10745/products_installation_and_configuration_guides_list.html For Cisco Catalyst 4500 series switches: http://www.cisco.com/en/us/products/hw/switches/ps4324/products_installation_and_configuration_guides_list.ht ml For Cisco Catalyst 6500 series switches: http://www.cisco.com/en/us/products/hw/switches/ps708/products_installation_and_configuration_guides_list.html For Cisco ASR 1000 series routers: http://www.cisco.com/en/us/products/ps9343/products_installation_and_configuration_guides_list.html For Cisco Wireless LAN Controllers: http://www.cisco.com/en/us/docs/wireless/controller/7.2/configuration/guide/cg.html HowTo-20-Phased_Deployments_Overview 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback