Demystifying TrustSec, Identity, NAC and ISE


This presentation will help demystify the technology behind Cisco TrustSec System, including the Identity Service Engine.


  1. Demystifying TrustSec, Identity, NAC and ISE. Hosuk Won, TrustSec TME, howon@cisco.com, Secure Access & Mobility Product Group. #CiscoPlus
  2. Session Abstract
     • This session is a technical breakout that will help demystify the technology behind the Cisco TrustSec System, including the Identity Services Engine.
     • We will build use cases to introduce, compare, and contrast different access control features and solutions, and discuss how they are used within the TrustSec System.
     • The technologies that will be covered include user and device authorization, 802.1X, profiling technology, supplicants, certificates/PKI, posture, CoA, RADIUS, EAP, guest access, Security Group Access (SGA), and 802.1AE (MACsec).
     • All of the technologies will be discussed in relation to Cisco's Identity Services Engine.
  3. Session Objectives
     At the end of the session, you should understand:
     • The many parts and pieces that make up Cisco's TrustSec solution
     • How 802.1X and SGA work
     • The benefits of deploying TrustSec
     • The different deployment scenarios that are possible
     You should also:
     • Provide us with feedback!
     • Attend related sessions that interest you
     • Have a nice glossary of terms at your disposal
  4. Cisco's Trusted Security (TrustSec)
  5. What is TrustSec?
     • Yes, it can be confusing.
     • Think of it as "Next-Generation NAC".
     • TrustSec is a system approach to access control, made up of: IEEE 802.1X (Dot1x), profiling technologies, guest services, Secure Group Access (SGA), MACsec (802.1AE), Identity Services Engine (ISE), Access Control Server (ACS).
  6. So, TrustSec = Identity, Right?
     • Yes, but it refers to an identity system (or solution). Policy servers are only as good as the enforcement device (switches, WLCs, firewalls, etc.).
     • But what is "Identity"? Understanding the Who / What / Where / When and How of a user's or device's access to a network.
  7. (image-only slide)
  8. Why Identity Is Important
     1. Who are you? Keep the outsiders out: 802.1X (or a supplementary method) authenticates the user.
     2. Where can you go? Keep the insiders honest: based on authentication, the user is placed in the correct VLAN.
     3. What service level do you receive? Personalize the network: the user can be given per-user services (ACLs, macros, SGA).
     4. What are you doing? Increase network visibility: the user's identity and location can be used for tracking and accounting.
  9. What Is Authentication?
     • Authentication is the process of establishing and confirming the identity of a client requesting services.
     Bank teller analogy: "I'd like to withdraw $200.00, please." "Do you have identification?" "Yes, I do. Here it is."
     An authentication system is only as strong as the method of verification used.
  10. What Is Authorization?
     • Authorization is the process of granting a level of access to the network.
     Bank teller analogy, continued: "I'd like to withdraw $200.00, please." "Do you have identification?" "Yes, I do. Here it is." "Thank you. Here is your money."
  11. The Business Case
  12. Business Case
     • Throughout the presentation we will refer to a business case, one that will continue to evolve.
     Company: Retailer-X
     Problem definition: The company stores credit card data from all sales transactions. As with all companies, vendors and guests are constantly visiting Retailer-X, to pitch new products to be sold, or even to sell network, security and collaboration equipment to Retailer-X. The company must ensure that only Retailer-X employees are gaining access to the network.
     Solution: Identity with 802.1X
  13. Default Port State without 802.1X
     • No authentication required
     • No visibility
     • No access control
  14. Default Security with 802.1X, Before Authentication
     • No visibility (yet)
     • Strict access control
     • One physical port becomes two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else).
     • ALL traffic except EAPoL is dropped.
  15. Default Security with 802.1X, After Authentication
     • User/device is known
     • Identity-based access control
     • Single MAC per port
     • Looks the same as without 802.1X (Authenticated User: Sally; Authenticated Machine: XP-ssales-45). Unless you apply an authorization, access is wide open. We will discuss restricting access at a later time.
  16. Revisit: Business Case (restates slide 12): Retailer-X stores credit card data; vendors and guests are constantly visiting; the company must ensure that only Retailer-X employees are gaining access to the network. Solution: Identity with 802.1X.
  17. Revisit: Business Case
     • Did we meet the business case? YES!
     • But what was missing?
     • What lessons have we learned? We called Dot1x an "access prevention" technology.
  18. What Happened? What Went Wrong? (at Retailer-X, BEFORE Monitor Mode was available)
     IT Mgr: "I've done my homework in the proof-of-concept lab and it looks good. I'm turning on 802.1X tomorrow..." (802.1X enabled)
     User: "I can't connect to my network. It says Authentication failed but I don't know how to fix it. My presentation is in 2 hours..."
     Help desk calls increased by 40%.
  19. What Was Missing? What Lessons Were Learned?
     • Access-prevention technology: a Monitor Mode is necessary. You must have a way to implement it and see who would succeed and who would fail, determine why, and then remediate before taking Dot1x into a stronger enforcement mode.
     • Solution = a phased approach to deployment: Monitor Mode, then Authenticated Mode, then Enforcement Mode or Closed Mode.
  20. Monitor Mode: a process, not just a mode
     • Enables 802.1X authentication on the switch interface.
     • But: even a failed authentication will gain access.
     • Allows network admins to see who would have failed, and fix it, before causing a denial of service.
     Interface config:
        interface GigabitEthernet1/0/1
         authentication host-mode multi-auth
         authentication open
         authentication port-control auto
         mab
         dot1x pae authenticator
     Pre-AuthC: all traffic (DHCP, TFTP, KRB5, HTTP, EAPoL) permitted. Post-AuthC: all traffic permitted. Traffic is always allowed.
  21. Authenticated Mode: if authentication is valid, then full access!
     • Monitor Mode plus an ACL to limit traffic flow.
     • AuthC success = full access.
     • Failed AuthC would only be able to communicate with certain services.
     • WebAuth for the non-authenticated.
     Interface config:
        interface GigabitEthernet1/0/1
         authentication host-mode multi-auth
         authentication open
         authentication port-control auto
         mab
         dot1x pae authenticator
         ip access-group default-ACL in
     Pre-AuthC: permit some (only what default-ACL allows, e.g. DHCP, TFTP, KRB5, HTTP, EAPoL). Post-AuthC: permit all.
  22. Enforcement Mode: if authentication is valid, then specific access!
     • AuthC success = role-specific access: dynamic VLAN assignment (dVLAN), downloadable ACLs (dACLs), Secure Group Access.
     • Still allows pre-AuthC access for thin clients, PXE, etc.
     • WebAuth for the non-authenticated.
     Interface config:
        interface GigabitEthernet1/0/1
         authentication host-mode multi-auth
         authentication open
         authentication port-control auto
         mab
         dot1x pae authenticator
         ip access-group default-ACL in
     Pre-AuthC: permit some (per default-ACL). Post-AuthC: role-based ACL (e.g. RDP, KRB5, HTTP) and SGT.
  23. Closed Mode: no access prior to login, then specific access!
     • Default 802.1X behavior: no access at all prior to AuthC (no "authentication open").
     • Still use all AuthZ enforcement types: dACL, dVLAN, SGA.
     • Must take considerations for thin clients, PXE, etc.
     Interface config:
        interface GigabitEthernet1/0/1
         authentication host-mode multi-auth
         authentication port-control auto
         mab
         dot1x pae authenticator
     Pre-AuthC: EAP only. Post-AuthC: permit all, or role-based ACL.
  24. What Was Missing? What Lessons Were Learned?
     • No visibility from the supplicant: little to no user interaction. The user saw an "Authentication Failed" message, and that was all. When everything works the user is unaware; but when things stop working there is no visibility, just a call to the help desk.
     • Solution: 3rd-party supplicants. Cisco's AnyConnect supplicant provides a Diagnostic and Reporting Tool (DART), detailed logs from the client side, and unique hooks for RDP and VDI environments.
  25. What Was Missing? What Lessons Were Learned?
     • No visibility at the RADIUS server.
  26. What Was Missing? What Lessons Were Learned?
     • Solution: ACS View, and now the Identity Services Engine (ISE).
  27. (screenshot: ACS View & ISE)
  28. (screenshot: ACS View and ISE)
  29. What Was Missing? What Lessons Were Learned?
     • Non-authenticating devices: the devices that were forgotten. They don't have software to talk EAP on the network, or they weren't configured for it: printers, IP phones, cameras, badge readers. How to work with these? Don't configure Dot1x on the switchport. But what about when the device moves?
     • Solution? Do not use dot1x on ports with printers.
     • Solution: MAC Authentication Bypass (MAB).
  30. MAC Authentication Bypass (MAB)
     • What is it? A list of MAC addresses that are allowed to "skip" authentication. (The switch sends the MAC address to the RADIUS server as the identity, so a MAB device is authenticated only as strongly as its MAC address, which is trivially spoofed.)
     • Is this a replacement for Dot1X? No way! This is a "bandage". In a utopia, all devices authenticate.
     • The list may be local or centralized. Can you think of any benefits to a centralized model?
  31. What Was Missing? What Lessons Were Learned?
     • Guests: guests will not have configured supplicants. Plus, they won't be authorized for access.
     • Original solution: Dot1x timeouts. How this works: after a timeout period, the switchport is automatically put into a Guest VLAN which provides Internet access. "No supplicant has responded for 90 seconds... so just AuthZ the port for the GUEST VLAN."
  32. What Was Missing? What Lessons Were Learned?
     • Missing or misconfigured supplicants: group policies may not have worked; software distribution may have missed a machine that has been off-network for a period of time; etc. The Dot1x timeout would take effect and someone who should have been an authorized user would end up in the guest network. The help desk gets a call from an unhappy user.
  33. Enter: Web Authentication
     • Used to identify users without supplicants (misconfigured, missing altogether, etc.).
     • Guest authentication.
  34. Business Case Continues to Evolve
     Requirements:
     1. Retailer-X must ensure that only Retailer-X employees are gaining access to the network. Solution: Identity with 802.1X.
     2. Authorized non-authenticating devices must continue to have network access. Solution: Centralized MAB.
     3. Need to automate the building of the MAB list. Solution: <Let's find out>
  35. Profiling
  36. Profiling Technology
     • The ability to classify devices.
     • Why classify? Originally: identify the devices that cannot authenticate and automagically build the MAB list (i.e. Printer = bypass authentication). Today: we also use the profiling data as part of an authorization policy (i.e. Authorized User + i-device = Internet only).
  37. Profiling: PCs and non-PCs (UPS, phone, printer, AP)
     • Visibility. Additional benefits of profiling: a view of what is truly on your network; tracking of where a device has been, what IP addresses it has had, and other historical data; an understanding of WHY the device was profiled as a particular type (what profile signatures were matched).
  38. Profiling Technology: visibility into what is on the network (screenshot)
  39. Profiling Technology
     • How do we classify a device? Profiling uses signatures (similar to IPS): each probe attribute that matches a profile's conditions adds to that profile's certainty, and the profile is asserted once a minimum certainty is reached.
  40. Profiling: determining required profile attributes (screenshot)
  41. Profiling: determining required profile attributes (screenshot)
  42. Profiling: Best Practice Recommendations
     • HTTP probe: use URL redirects over SPAN to centralize collection and reduce the traffic load on the network and on ISE related to SPAN/RSPAN. Or use VACLs or other ways to filter HTTP-only traffic.
     • DHCP probe: use IP helpers when possible; be aware that an L3 device serving DHCP itself will not relay DHCP! For DHCP SPAN, make sure the probe captures traffic to the central DHCP server.
     • SNMP probe: ISE 1.1 added an SNMP probe to pull ARP tables from Cisco Layer-3 devices. Adds benefit when DHCP is not used.
  43. Profiling Technology: Limitations of Profiling
     • Best guess: profiling is best-effort.
     • MAB is a filter: it was only used to determine what MAC addresses were allowed to "skip" authentication. Now we also use the profiling data as part of an authorization policy (i.e. Authorized User + i-device = Internet only), so a misclassification becomes an authorization decision.
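As an added illustration of the signature-and-certainty model described on slides 39 to 43 (example code written for this page, not Cisco's or ISE's profiler): a small Python profiler that combines OUI, DHCP, HTTP and CDP attributes into a certainty score per profile, asserts a profile only at or above its minimum certainty, and reports which conditions matched so the "why was it profiled this way" question can be answered. The profile names, weights, OUI table and sample endpoints are constructed for the example.

```python
"""Signature-based endpoint profiling with certainty scoring.
Added example, not Cisco/ISE code. Profiles, weights, the OUI table and the
sample endpoints below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str   # probe attribute name, e.g. "http_user_agent"
    pattern: str     # regex matched case-insensitively against the value
    certainty: int   # weight added to the profile's score on a match


@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int   # score needed before the profile is asserted
    conditions: tuple


# Constructed OUI table; a real profiler uses the IEEE registry.
OUI_VENDOR = {"00:1b:63": "Apple", "00:0e:d7": "Cisco", "00:1e:0b": "Hewlett-Packard"}

PROFILES = (
    Profile("Apple-iDevice", 30, (
        Condition("oui_vendor", r"^apple$", 10),
        Condition("http_user_agent", r"\b(iPad|iPhone|iPod)\b", 20),
    )),
    Profile("Cisco-IP-Phone", 30, (
        Condition("oui_vendor", r"^cisco$", 10),
        Condition("dhcp_class_identifier", r"^Cisco Systems, Inc\. IP Phone", 20),
        Condition("cdp_platform", r"Cisco IP Phone", 20),
    )),
    Profile("HP-Printer", 30, (
        Condition("oui_vendor", r"^hewlett-packard$", 10),
        Condition("dhcp_class_identifier", r"Hewlett-Packard JetDirect", 20),
        Condition("snmp_sysdescr", r"JETDIRECT", 20),
    )),
)


def enrich(attrs: dict) -> dict:
    """Derive attributes a probe would add; here only the OUI vendor lookup."""
    out = dict(attrs)
    mac = out.get("mac", "").lower()
    out.setdefault("oui_vendor", OUI_VENDOR.get(mac[:8], "Unknown"))
    return out


def score(profile: Profile, attrs: dict):
    """Return (total certainty, list of matched conditions) for one profile."""
    matched = []
    for cond in profile.conditions:
        value = attrs.get(cond.attribute)
        if value is not None and re.search(cond.pattern, value, re.IGNORECASE):
            matched.append(cond)
    return sum(c.certainty for c in matched), matched


def profile_endpoint(attrs: dict):
    """Best-effort classification: the highest-scoring profile wins, but only if
    it reaches its own minimum certainty; otherwise the endpoint stays Unknown.
    Returns (profile name, score, names of the attributes that matched)."""
    attrs = enrich(attrs)
    best = None
    for prof in PROFILES:
        total, matched = score(prof, attrs)
        if best is None or total > best[1]:
            best = (prof, total, matched)
    prof, total, matched = best
    names = [c.attribute for c in matched]
    if total < prof.min_certainty:
        return ("Unknown", total, names)
    return (prof.name, total, names)


# Constructed sample endpoints, one attribute set per MAC as a profiler would collect.
SAMPLE_ENDPOINTS = {
    "ipad": {"mac": "00:1B:63:AA:BB:CC",
             "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46"},
    "phone": {"mac": "00:0E:D7:11:22:33",
              "dhcp_class_identifier": "Cisco Systems, Inc. IP Phone CP-7965G",
              "cdp_platform": "Cisco IP Phone 7965"},
    # OUI alone is weak evidence: a laptop with a cloned Apple MAC scores 10 < 30.
    "spoofed": {"mac": "00:1b:63:DE:AD:00",
                "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)"},
}

if __name__ == "__main__":
    for label, endpoint in SAMPLE_ENDPOINTS.items():
        print(label, profile_endpoint(endpoint))
```

The "spoofed" endpoint shows the best-effort limitation the slides mention: an Apple OUI alone scores 10, so a laptop with a cloned MAC is not promoted to an i-device, and for the same reason a MAB list built from OUI-only matches is only as trustworthy as the attributes behind each match.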
  44. Business Case Continues to Evolve
     Requirements:
     1. Retailer-X must ensure that only Retailer-X employees are gaining access to the network. Solution: Identity with 802.1X.
     2. Authorized non-authenticating devices must continue to have network access. Solution: Centralized MAB.
     3. Need to automate the building of the MAB list. Solution: use profiling technology to automate building the MAB list.
  45. Business Case Evolution: Improving Guest Access
  46. Guest Users' Needs (diagram: WLC, wireless APs, Internet, LAN)
  47. How Does It Work?
     • The guest user connects to an open SSID with web authentication.
     • The guest's web session is redirected to the ISE guest portal for authentication.
     • A guest account needs to be created first, either via a sponsor or by self-service.
     • The ISE policy server authorizes access for the guest user through the WLC.
  48. Components of a Full Guest Lifecycle Solution
     • Provisioning: guest accounts via the sponsor portal
     • Notify: guests of account details by print, email, or SMS
     • Manage: sponsor privileges, guest accounts and policies, the guest portal
     • Authenticate/Authorize: guests via a guest portal on ISE
     • Report: on all aspects of guest accounts
  49. Guest Users DB: Account Creation Methods
     • Two ways to populate the ISE internal guest database: the self-service option on the ISE 'Guest Portal', or sponsoring via the ISE 'Sponsor Portal'.
  50. ISE – Guest Self-Service (for your reference; screenshot)
  51. ISE – Sponsor Portal
     • Customizable sponsor pages
     • Sponsor privileges tied to authentication/authorization policy: the roles a sponsor can create; the time profiles that can be assigned; management of other guest accounts; single or bulk account creation
     • Sponsor and guest reporting and audit
  52. Sponsor Portal: Informing Guests
     • The sponsor has three ways to inform the guest: 1. printing the details; 2. sending the details via e-mail; 3. sending the details via SMS.
  53. Guest User Roles
     • When different policies are needed for different users, use several user identity groups in ISE:
     Guest: Internet access only; limited connection time (half a day, one day).
     Contractor: Internet access; access to selected resources; longer connection time (one week, one month).
  54. Sponsor Groups and Privileges
     Sponsor group 1: can create users in the groups 'contractor' and 'guest'; can use time profiles up to one week; can see all accounts in the group.
     Sponsor group 2: can create users in the group 'guest' only; can use time profiles up to one day; cannot do bulk creation.
  55. Components of a Full Guest Lifecycle Solution (repeat of slide 48)
  56. ISE – Web Authentication (screenshot)
  57. Components of a Full Guest Lifecycle Solution (repeat of slide 48)
  58. Full Audit of Guest Lifecycle (screenshot)
  59. Business Case Evolution: we have identity, we have guest lifecycle management. Can we get more information?
  60. Business Case Continues to Evolve
     Requirements:
     4. Employees of Retailer-X must be using a corporate-owned asset.
     5. All corporate assets must be running Trend Micro Anti-Virus, and it must be up-to-date.
     6. All guests must run antivirus (any).
     Solution: Let's find out.
  61. Posture Assessment
     • Does the device meet security requirements?
     • Posture = the state of compliance with the company's security policy. Is the system running the current Windows patches? Anti-virus installed? Is it up-to-date? Anti-spyware installed? Is it up-to-date?
     • Now we can extend the user/system identity to include their posture status.
  62. ISE – Posture Assessment Checks
     • Microsoft updates: service packs, hotfixes, OS/browser versions
     • Antivirus installation/signatures
     • Antispyware installation/signatures
     • File data
     • Services
     • Applications/processes
     • Registry keys
  63. Posture Assessment
     • What if a user fails the check? New term: remediation, the act of correcting any missing or out-of-date items from the posture assessment. This can trigger the use of: corporate patching systems (e.g. BigFix, Altiris), Windows Software Update Services (WSUS), Windows Update, anti-virus product update services (LiveUpdate.exe, etc.).
  64. Posture Assessment Flow, step 1
     • Username/password = OK; Posture = Unknown; Authorization = temporary (Corp VLAN).
  65. Posture Assessment Flow, step 2
     • While posture is unknown the session gets a restrictive dACL: permit ip any host <Remediation>; permit ip any host <PolicyServer>; deny ip any any.
  66. Posture Assessment Flow, step 3
     • Posture = Compliant; Authorization = full access (Corp VLAN): the restrictive dACL is replaced by permit ip any any.
  67. Making This Work Well: Change of Authorization (CoA)
     • CoA allows an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/redirection for a device/user without having to start the entire process all over again.
     • Without it: remove the user from the network and then have the entire AAA process begin again (i.e. disassociate the wireless device and have it join the wireless network again).
     • Defined in RFC 3576 and RFC 5176 (which obsoletes RFC 3576).
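The CoA exchange in code, as an added example that is not part of the presentation or of any Cisco software: build the RFC 5176 CoA-Request a policy server sends to the switch (carrying the Cisco IOS "subscriber:command=reauthenticate" AV pair, so the session is re-evaluated in place after a posture change instead of being torn down), verify it as the switch would, and verify the CoA-ACK or CoA-NAK as the server would. The shared secret, session id and MAC address are constructed; the optional Message-Authenticator attribute (RFC 3579) is left out to keep the focus on the authenticator fields.

```python
"""RADIUS Change-of-Authorization (RFC 5176) request/response handling.
Added example, not Cisco's or the presentation's code: builds the CoA-Request a
policy server sends to force re-authentication of one session and verifies the
CoA-ACK/NAK. Secret, session id and MAC are constructed; the optional
Message-Authenticator attribute (RFC 3579) is left out for brevity."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # Disconnect-* use 40, 41, 42
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 31, 44
ATTR_VENDOR_SPECIFIC, ATTR_ERROR_CAUSE = 26, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503                  # RFC 5176 Error-Cause value
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                 # cisco-avpair is vendor type 1


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: type, length (including the 2 header octets), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) attribute carrying one cisco-avpair string."""
    value = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAD side: recompute the Request Authenticator; on mismatch (wrong secret,
    tampered attributes) the request must be silently discarded."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: match the response to the outstanding request (same ID) and
    check its authenticator before acting on the ACK/NAK."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if int.from_bytes(response[2:4], "big") != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet: bytes):
    """Return [(type, value), ...]; raise on a malformed or truncated attribute."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attr_type, length = packet[pos], packet[pos + 1]
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def cisco_avpairs(packet: bytes):
    """Decode the cisco-avpair strings carried in Vendor-Specific attributes."""
    pairs = []
    for attr_type, v in parse_attrs(packet):
        if attr_type == ATTR_VENDOR_SPECIFIC and v[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            if v[4] == CISCO_AVPAIR:
                pairs.append(v[6:4 + v[5]].decode())
    return pairs


def coa_reauthenticate(session_id: str, mac: str, identifier: int, secret: bytes) -> bytes:
    """CoA-Request asking a Cisco IOS switch to re-authenticate one session in
    place (what a posture or profile change triggers) rather than disconnecting it."""
    attrs = (attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + attr(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair("subscriber:command=reauthenticate"))
    return build_request(COA_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    secret = b"s3cret-shared"                                   # constructed
    req = coa_reauthenticate("0000001A", "00-1B-63-AA-BB-CC", 7, secret)
    print("NAD accepts request:", verify_request(req, secret), cisco_avpairs(req))
    nak = build_response(COA_NAK, req, attr(ATTR_ERROR_CAUSE, (503).to_bytes(4, "big")), secret)
    print("server accepts NAK:", verify_response(nak, req, secret), parse_attrs(nak))
```

RFC 5176 assigns UDP port 3799 to CoA; Cisco IOS listens on port 1700 by default under "aaa server radius dynamic-author". In both cases the NAD accepts requests only from its configured dynamic-authorization clients, and the Request Authenticator check above is what rejects a CoA forged without the shared secret.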
  68. Creating a System out of These Technologies
  69. Network Access Controls: Multiple Options for Wired Access
     • Identity Based Network Services (IBNS): 802.1X for wired access; profiling by NAC Profiler; guest = NGS (NAC Guest Server); policy on ACS.
     • Cisco NAC Appliance: VLAN control via an SNMP control plane; profiling by NAC Profiler; guest = NGS; policy on the NAC Manager/Server.
  70. Network Access Controls: Wireless and VPN Access
     • Wireless access: 802.1X controlled by the WLC; the WLC has local enforcement; separate policies on ACS.
     • Remote access VPN: policy controlled by the ASA, or policy controlled by in-line NAC; separate policies on ACS.
  71. Network Access Controls
     • TrustSec brings it all together: one 802.1X-based policy architecture across wired, wireless and VPN.
  72. What is the Identity Services Engine?
     • ISE is a next-generation RADIUS server.
     • Note: RADIUS for network access ONLY (not device administration, unlike ACS).
  73. Identity Services Engine: Policy Server Designed for TrustSec
     • Consolidates ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server into one engine.
     • Centralized policy; AAA services; posture assessment; guest access services; device profiling; monitoring; troubleshooting; reporting.
  74. A "Systems" Approach
  75. A Systems Approach: Why Is This So Important?
     • When identity is an overlay (like NAC Appliance): there is an appliance or some other device that is doing the enforcement, called a Policy Enforcement Point (PEP). The trick is to "shape" traffic towards those PEPs. Some use DHCP or DNS tricks; others use MAC spoofing (man-in-the-middle). Cisco uses the network to get traffic to the appliance: virtual networks (VRFs), policy-based routing (PBR), etc.
  76. Overlay Solution (diagram)
     Access switch (Cat 3750) with VLAN 100 (DIRTY_VLAN), VLAN 200 (EMPLOYEES), VLAN 210 (CONTRACTORS) and VLAN 300 (GUESTS). A corporate PC connects and its port is set to the auth VLAN; its traffic lands in the untrusted DIRTY VRF (guest traffic in the Guest VRF) and must pass the NAC Server to reach the trusted global network; once authorized the port is set to the access VLAN. The ASA fronts the Internet.
  77. A Systems Approach: Why Is This So Important?
     • When identity is embedded (like 802.1X): the switch, WLC, or VPN device is the enforcement device, the Policy Enforcement Point (PEP). The switch does all the work instead of an appliance: URL redirection; policy enforcement with ACLs, SGTs, VLAN assignment, etc.
  78. A Systems Approach: the switch is the PEP (diagram)
  79. A Systems Approach: the switch is the PEP (diagram)
  80. Adding Power to Dot1X
  81. Secure Group Access
     • Topology-independent access control.
     • Term describing the use of Security Group Tags (SGTs) and Security Group ACLs (SGACLs). When a user logs in they are assigned a tag (SGT) that identifies their role; the tag is carried throughout the network.
     • The server-side switch applies SGACLs based on a "matrix" (source role by destination group):
       Staff -> Public: Permit; Staff -> Private: Permit
       Guest -> Public: Permit; Guest -> Private: Deny
  82. Customer Challenges: Ingress Access Control
     • VLAN assignment (802.1X/MAB/Web Auth): Can I create and manage the new VLANs or IP address scope? How do I deal with the DHCP refresh in the new subnet? How do I manage the ACL on the VLAN interface? Do protocols such as PXE or WOL work with VLAN assignment? Any impact on route summarization?
     • ACL download: Who is going to maintain the ACLs? What if my destination IP addresses change? Does my switch have enough TCAM to handle all the requests?
     • Traditional access authorization methods leave some deployment concerns: a detailed design before deployment is required, otherwise the solution is not so flexible for the changes required by today's business, and the access control project ends up redesigning the whole network.
  83. What is Secure Group Access?
     • SGA is a part of TrustSec.
     • Next-generation access control enforcement: removes the concern about TCAM space for detailed ingress ACLs; removes the concern of ACE explosion on data center firewalls.
     • An additional enforcement option allowing stickiness of infrastructure; now adds stickiness of Cisco ASA firewalls, too.
     • Assign a tag at login; enforce that tag in the data center.
  84. What is a Security Group Tag?
     A role-based tag:
     1. A user (or device) logs into the network via 802.1X.
     2. ISE is configured to send a tag in the authorization result, based on the "role" of the user/device.
     3. The switch applies this tag to the user's traffic.
  85. Security Group Based Access Control
     • SGA allows customers: to keep the existing logical design at the access layer; to change/apply policy to meet today's business requirements; to distribute policy from a central management server.
     • Ingress (802.1X/MAB/Web Auth): "I'm an employee; my group is HR", so SGT = 100 is assigned. Egress enforcement: the SGACL for the HR (SGT=100) to Finance (SGT=4) pair is applied at the data center switch.
  86. Security Group Based Access Control
     • Security Group Firewalling extends the concept to the ASA: use Security Group Tags (SGTs) in your ASA firewall policy! Available in "Arsenal" (1HCY2012).
     • Same ingress tagging; egress enforcement on the ASA with a policy row of source IP, user, source SGT, destination IP, destination SGT and action (e.g. DENY from HR, SGT=100, to Finance, SGT=4).
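The tag-then-enforce model of slides 81 to 86, as an added Python example (written for this page, not Cisco's implementation): an SGT is assigned per role, an IOS-style SGACL is parsed, and the egress decision comes from the (source SGT, destination SGT) cell of the policy matrix, with no IP address or VLAN entering the lookup. Roles, server tags, the matrix cells and the default cell are constructed; the slide's HR=100 and Finance=4 values are reused.

```python
"""Security Group Tag (SGT) / SGACL enforcement in software.
Added example, not Cisco code: (1) ISE returns an SGT for the authenticated role,
(2) the ingress switch tags the traffic, (3) the egress device looks up the
(source SGT, destination SGT) cell of the matrix and applies that SGACL.
Roles, server tags, SGACLs, matrix cells and the default cell are constructed."""
import re

# Step 1: SGT assigned in the authorization result, by role (constructed; HR/Finance from the slides)
SGT_BY_ROLE = {"Guest": 10, "Staff": 20, "HR": 100, "Finance": 4}
# Destination SGTs for server classes, mapped statically in the data center (constructed)
SGT_BY_SERVER = {"Public": 30, "Private": 40, "Finance-DB": 4, "HR-DB": 100}

# SGACLs in IOS role-based ACL syntax; one ACE per line, first match wins
SGACLS = {
    "permit_ip": "permit ip",
    "deny_ip": "deny ip",
    "web_only": "permit tcp dst eq 80\npermit tcp dst eq 443\npermit icmp\ndeny ip",
}

# Policy matrix: (source SGT, destination SGT) -> SGACL name.
# Slide 81: Staff -> Public/Private permit; Guest -> Public permit, Private deny.
MATRIX = {
    (20, 30): "permit_ip", (20, 40): "permit_ip",
    (10, 30): "web_only",  (10, 40): "deny_ip",
    (100, 4): "deny_ip",   # HR must not reach Finance servers
}
DEFAULT_SGACL = "permit_ip"  # assumed default cell; tighten to deny_ip once the matrix is complete

ACE_RE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp|icmp)(?:\s+dst\s+eq\s+(\d+))?$")


def parse_sgacl(text: str):
    """Parse IOS-style SGACL lines into (action, protocol, dst_port or None) tuples."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, port = m.groups()
        aces.append((action, proto, int(port) if port else None))
    return aces


def tag_for_role(role: str) -> int:
    """Steps 1 and 2: the SGT ISE returns and the switch stamps on the traffic."""
    return SGT_BY_ROLE[role]


def lookup_sgacl(src_sgt: int, dst_sgt: int) -> str:
    """Step 3a: matrix cell lookup; cells not configured fall to the default."""
    return MATRIX.get((src_sgt, dst_sgt), DEFAULT_SGACL)


def enforce(src_sgt: int, dst_sgt: int, proto: str, dst_port=None):
    """Step 3b: the first matching ACE decides. Returns (action, sgacl name, ace).
    No IP address or VLAN enters the decision, which is what makes it topology-independent."""
    name = lookup_sgacl(src_sgt, dst_sgt)
    for ace in parse_sgacl(SGACLS[name]):
        action, ace_proto, ace_port = ace
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return action, name, ace
    return "deny", name, None   # implicit deny if the SGACL has no catch-all ACE


def check_flow(role: str, server: str, proto: str, dst_port=None) -> str:
    """End to end: role -> SGT, server -> SGT, matrix -> SGACL -> verdict."""
    return enforce(tag_for_role(role), SGT_BY_SERVER[server], proto, dst_port)[0]


if __name__ == "__main__":
    for flow in (("Staff", "Private", "tcp", 445), ("Guest", "Public", "tcp", 443),
                 ("Guest", "Public", "tcp", 22), ("Guest", "Private", "tcp", 443),
                 ("HR", "Finance-DB", "tcp", 1433), ("Finance", "HR-DB", "tcp", 1433)):
        print(flow, "->", check_flow(*flow))
```

Note the assumed default cell of permit ip: until every pair that matters has a row, an unlisted pair such as Finance to HR-DB is permitted, which is why the matrix should be reviewed for gaps before it is relied on as the only control between roles.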
  87. Media Access Control Security (MACsec)
     • MACsec: Layer-2 encryption (IEEE 802.1AE).
     • An industry standard that is used together with 802.1X: it encrypts the link between the host and the switch, hop by hop, so traffic in the switch backplane is unencrypted for inspection, etc. (the session keys are negotiated with the MACsec Key Agreement protocol defined in IEEE 802.1X-2010).
     • Requires a supplicant that supports MACsec and the encryption key exchange.
  88. Business Case Evolution: B.Y.O.D.
  89. (image-only slide)
  90. Business Case Continues to Evolve: the "i-Revolution"
     • New requirement: "Our CEO went to a retail conference recently and won an iPad. He demands we allow it access to the network, because it is a productivity tool and we are prohibiting his productivity without the iPad."
     • New requirement: allow access to i-devices.
     • New term: "Bring Your Own Device" (BYOD).
  91. Identity Services Engine: Policy Management for the Borderless Network
     • Context-based access:
       Who? Known users (employees, sales, HR); unknown users (guests).
       What? Device identity; device classification (profile); device health (posture).
       How? Wired; wireless; VPN.
       Where? Geographic location; department; SSID / switchport.
       When? Date; time; start/stop of access.
       Other? Custom attributes; device/user states; applications used.
     • Policy definition; policy enforcement; monitoring and troubleshooting.
  92. How Do We Build a BYOD Policy? What are the required parts of the policy?
     • Corp asset? AD member? Static list? MDM? Certificate?
     • AuthC type: machine certs? user certs? username/password?
     • Profile: i-device; Android; Windows; other.
     • AuthZ result: full access; Internet only; VDI + Internet.
  93. Example BYOD Policy in ISE: using a pre-defined list of assets (screenshot; columns Device Type, User, Results)
  94. Example BYOD Policy in ISE: using a pre-defined list of assets
     • Rule: ANY user + any i-device not in the above identity group = assign the Guest VLAN.
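Both the posture flow of slides 64 to 67 and the BYOD rule on slide 94, as one added Python example (written for this page, not ISE's own policy engine): ordered first-match rules over a session's authentication method, AD group, profiled device type, posture status and a pre-defined asset list return the VLAN, dACL and SGT, and a posture change re-evaluated after CoA turns the remediation dACL into full access. The host addresses, group names and the corporate-asset MAC list are constructed.

```python
"""First-match authorization policy with posture and BYOD context.
Added example, not the presentation's or ISE's code. REMEDIATION_HOST,
POLICY_SERVER, CORP_ASSET_MACS and the group names are constructed stand-ins."""
from dataclasses import dataclass
from typing import Optional

REMEDIATION_HOST = "10.10.10.10"          # constructed stand-in for "Remediation" on slide 65
POLICY_SERVER = "10.10.10.20"             # constructed stand-in for "PolicyServer"
CORP_ASSET_MACS = {"00:1b:63:aa:bb:cc"}   # constructed pre-defined asset list (slide 93)


@dataclass
class Session:
    user: str
    auth_method: str                  # "eap-tls-machine", "peap-user", "mab", "webauth"
    ad_groups: frozenset = frozenset()
    device_profile: str = "Unknown"   # from profiling, e.g. "Apple-iDevice"
    posture: str = "Unknown"          # "Unknown", "Compliant", "NonCompliant"
    mac: str = ""


@dataclass(frozen=True)
class Result:
    name: str
    vlan: str
    dacl: tuple
    sgt: Optional[int] = None


FULL_ACCESS = Result("Full Access", "Corp", ("permit ip any any",), sgt=20)
POSTURE_PENDING = Result("Temporary (posture)", "Corp",
                         (f"permit ip any host {REMEDIATION_HOST}",
                          f"permit ip any host {POLICY_SERVER}",
                          "deny ip any any"))
INTERNET_ONLY = Result("Internet Only", "BYOD",
                       ("deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"), sgt=10)
GUEST_VLAN = Result("Guest VLAN", "Guest", ("permit ip any any",), sgt=10)
DENY = Result("Deny Access", "", ("deny ip any any",))


def is_idevice(s: Session) -> bool:
    return s.device_profile == "Apple-iDevice"


def is_corp_asset(s: Session) -> bool:
    # machine certificate or membership of the static asset list (slide 92 options)
    return s.auth_method == "eap-tls-machine" or s.mac.lower() in CORP_ASSET_MACS


def is_employee(s: Session) -> bool:
    return "Domain Users" in s.ad_groups


# Ordered rules (name, condition, result); the first match wins, as in an ISE policy set.
RULES = (
    ("Corp asset, compliant", lambda s: is_corp_asset(s) and s.posture == "Compliant", FULL_ACCESS),
    ("Corp asset, posture not yet compliant", lambda s: is_corp_asset(s), POSTURE_PENDING),
    ("Employee on personal i-device", lambda s: is_employee(s) and is_idevice(s), INTERNET_ONLY),
    ("Any user, i-device not in asset list", is_idevice, GUEST_VLAN),   # slide 94
    ("Guest via web authentication", lambda s: s.auth_method == "webauth", GUEST_VLAN),
)


def authorize(session: Session) -> Result:
    for _name, condition, result in RULES:
        if condition(session):
            return result
    return DENY


def posture_transition(session: Session, new_status: str):
    """What a posture report followed by a CoA re-authentication does: same
    session, new posture, policy re-evaluated. Returns (old result, new result)."""
    before = authorize(session)
    session.posture = new_status
    return before, authorize(session)


if __name__ == "__main__":
    sally = Session("sally", "eap-tls-machine", frozenset({"Domain Users"}),
                    "Windows-Workstation", mac="00:1b:63:aa:bb:cc")
    print(posture_transition(sally, "Compliant"))
    print(authorize(Session("bob", "peap-user", frozenset({"Domain Users"}), "Apple-iDevice")))
    print(authorize(Session("visitor", "webauth", device_profile="Apple-iDevice")))
```

Rule order carries the policy: the i-device rules sit below the corporate-asset rules, so an iPad that is on the asset list is posture-checked like any other corporate device, while the same iPad with an employee login but no asset entry gets Internet only, and an unknown user on an i-device lands in the Guest VLAN exactly as slide 94 describes.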
  95. Summary
  96. Links
     • TrustSec & ISE on Cisco.com: http://www.cisco.com/go/trustsec, http://www.cisco.com/go/ise, http://www.cisco.com/go/isepartner
     • TrustSec & ISE Deployment Guide: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
     • YouTube, Fundamentals of TrustSec: http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew
  97. Q&A
  98. We value your feedback. Please be sure to complete the Breakout Sessions Evaluation Form. Access today's presentations at cisco.com/ca/ciscoplus. Follow @CiscoCanada and join the #CiscoPlus conversation.
