Identity Services Engine (ISE)

Identity Services Engine- ISE (Nathan Boyd)

    Presentation Transcript

    • Identity Services Engine – Policy-based access. Nathan Boyd, Consulting Systems Engineer.
    • © 2014 Cisco and/or its affiliates. All rights reserved. BRKEWN-2020, Cisco Public. Related sessions, for your reference:
      § BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 hours: https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76566
      § BRKSEC-2044 - Building an Enterprise Access Control Architecture with ISE (2014 Milan) - 2 hours: https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76593
      § BRKSEC-3035 - Successful designing and deploying Cisco's ISE 1.2/MDM integration (2014 Milan) - 90 mins: https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76611
      § BRKSEC-2692 - Identity Based Networking: IEEE 802.1X and Beyond (2014 Milan) - 90 mins: https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76607
    • Cisco Identity Services Engine (ISE) – one platform providing centralized policy, a RADIUS server, posture assessment, guest access services, device profiling, client provisioning, MDM integration, and monitoring/troubleshooting/reporting. The slide shows the earlier products whose functions it brings together: ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server.
    • Authentication and Authorization – what are they? Authentication (802.1X / MAB / WebAuth) tells what/who the endpoint/user is. Authorization tells what the endpoint/user can access.
    • ISE Policy Rules:
      1. Authentication rules define which identity stores to reference (example: Active Directory, CA server, internal DB, etc.).
      2. Authorization rules define which users and devices get access to which resources (example: all employees with Windows laptops have full access).
    • Policy Sets on ISE (two screenshot slides).
    • Authentication Rules: if this/these condition(s) is/are matched, then allow this list of authentication protocols, and optionally check further (sub)rule(s), or just use the default rule, to pick the database for verifying the endpoint/user's identity.
    • Factors in Choosing an EAP Method – the most common EAP types are PEAP and EAP-TLS. Factors: EAP type(s) deployed, client support, security vs. complexity, authentication server support.
      § Most clients such as Windows, Mac OS X and Apple iOS devices support EAP-TLS and PEAP (MS-CHAPv2); additional supplicants (Cisco AnyConnect) can add more EAP types.
      § Certain EAP types (TLS) can be more difficult to deploy than others depending on the device type.
      § Cisco ISE supplicant provisioning can aid in the deployment.
    • ISE's Identity Stores:
      § Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP, RSA SecurID and RADIUS Token.
      § ISE's local database can also be used, and ERS APIs are supported for remote management.
      § Diagram: the credential presented over EAPoL (a user/password such as user1 / C#2!ç@_E(, a certificate, or a RADIUS token) is verified against the backend database(s) – Active Directory, generic LDAP or PKI, RSA SecurID, or the local DB – for machine, user or MAC authentication.
    • Authorization Rules: each rule consists of a rule name, condition(s) and result(s).
    • Authorization Conditions: an AuthZ condition can use external identity groups, directory attributes, profiled groups, posture state, and RADIUS and session attributes.
    • Authorization Results – Permissions: pre-canned attributes and user-defined ones.
    • Converged Access – Downloadable ACL Support. Report download: http://www.miercom.com/2013/05/cisco-wlc-5760/
    • Cisco Wireless LAN Controller ACLs – Layer 3-4 filtering at line rate:
      § ACLs provide L3-L4 policy and can be applied per interface or per user.
      § Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs.
      § Up to 64 rules can be configured per ACL.
      § Diagram: inbound and outbound directions are relative to the wired LAN; there is an implicit deny-all at the end of the ACL.
    • FlexConnect and AAA Override – setting the VLAN for locally switched clients. ISE returns the IETF attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID); in the diagram the client is placed in VLAN 502 at the FlexConnect site across the WAN. Switch port configuration for the AP:
        interface GigabitEthernet0/37
         description AP_3702
         switchport trunk encapsulation dot1q
         switchport trunk native vlan 100
         switchport trunk allowed vlan 100,502-504
         switchport mode trunk
      Create the sub-interface on the FlexConnect AP and (optionally) set the ACL on the VLAN.
    • Cisco Wireless User-Based QoS Capabilities – allowing per-user and per-device limiting of the maximum QoS level. For the Employee user, the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the WMM Voice queue. For the Contractor user, the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort queue. (Diagram: Call Manager, WLC and access point; WMM queues Voice, Video, Best Effort and Background.)
    • Security Group Access (SGA) in the Converged Access (CA) architecture (3850 / 5760): 802.1X users and endpoints, MAB, WebAuth and agent-less devices on VLAN 100. ISE, backed by Active Directory, assigns the user SGT=5; the IT Portal at 10.1.100.10 carries SGT 4. SGT-IP table: 10.1.10.102 → 5, 10.1.100.10 → 4, 10.1.99.100 → 12. SGT enforcement on the 3850 / 5760 applies the SGACL "deny sgt-src 5 sgt-dst 4". SGT = Security Group Tag, SXP = SGT eXchange Protocol, SGACL = SGT ACL. See BRKEWN-2022 and BRKSEC-2203.
    • SGA in the Cisco Unified Wireless Network (CUWN) architecture (2504 / 5508): the WLC sends untagged frames and distributes the IP-to-SGT binding table via SXP (WLC as speaker, switch as listener) to SGT-tagging or SGACL-capable devices such as the Catalyst 3750-X; frames are tagged from there on in the campus network (Cat 6500 distribution). Binding table: 10.1.10.102 → 5, 10.1.10.110 → 14, 10.1.99.100 → 12. The same SGACL "deny sgt-src 5 sgt-dst 4" protects the IT Portal (SGT 4) at 10.1.100.10. See BRKSEC-2203 and BRKSEC-3690.
    • ISE Profiling – is the MAC address from Apple? Does the DHCP hostname contain "iPad"? Is the HTTP user-agent from an iPad? → Apple iPad.
    • ISE Profiling – example of built-in policies: smart phones, gaming consoles, workstations. (1) Multiple rules establish a certainty level; (2) a minimum certainty is required for a match.
    • Client attributes and traffic for profiling – how RADIUS, HTTP, DNS and DHCP (and other traffic) are used to classify clients:
      § ISE uses multiple attributes to build a complete picture of the end client's device profile.
      § Information is collected from sensors which capture different attributes; ISE can even kick off an NMAP scan of the host IP to determine more details.
      § Diagram: the MAC address is checked against the known vendor OUI database; the client's DHCP/HTTP attributes are captured by the AP and provided to ISE in RADIUS accounting messages by the WLC (DHCP/HTTP sensor); a lookup of the DNS entry for the client's IP address reveals the hostname; the HTTP user agent is available because mobile devices are quite chatty for web applications, or they can be redirected to one of ISE's portals.
    • Local Client Profiling and Local Policy since WLC 7.5 (Cisco WLC configuration): enable DHCP and HTTP local client profiling on the WLAN; 88 pre-defined client profiles identify the device type; a local policy is applied based on device type.
    • Assigning WLC Local Policy based on Role: the RADIUS server returns a role attribute (role=Employee, role=Contractor) and the controller applies the matching local policy.
    • Other Local Policy Options: wireless client authentication EAP type (LEAP, EAP-FAST, EAP-TLS, PEAP) and time of day (active hours for a time-based policy).
    • Local Policy Actions (enforced policy): ACL, VLAN, QoS, session timeout.
    • Applying Local Policies to WLANs and AP Groups: native profiling per WLAN and per AP group. Restrictions: the first matched rule applies; a maximum of 16 policies can be created per WLAN / AP group and 64 globally.
    • Differentiating Guest Access via User Groups:
      § Multiple groups can be created in ISE.
      § Each group can contain guest DB users (created by sponsors and self-service), internal DB users (created by administrators) and external groups mapped in ISE (the slide shows a mapping example for AD).
      § Those groups can be used in different authorization rules to differentiate network access.
    • ISE – Sponsor Portal:
      § Customizable sponsor pages.
      § Sponsor privileges tied to a defined sponsor policy: roles the sponsor can create, time profiles that can be assigned, management of other guest accounts, single or bulk account creation.
    • ISE – Guest Self-Service (screenshot).
    • Client Provisioning – simplifying device management. Reduced burden on IT staff: device on-boarding, self-registration, supplicant provisioning, certificate provisioning. Self-service model: My Devices portal for registration, guest sponsor portal, device black-listing (user-initiated control of their own devices: black-listing, re-instating a device, etc.). Support for iOS (6.0+), Mac OS X (10.6+), Android (2.2+) and Windows (XP+).
    • "My Devices" Portal – self-registration and self-blacklisting of BYOD devices: (1) new devices can be added with a description; (2) devices can be self-registered, up to an administrator-defined limit; (3) devices can be blacklisted by the user.
    • Apple iOS Device Provisioning (WLC, ISE and CA server): (1) initial connection using PEAP; (2) device provisioning wizard; (3) after a Change of Authorization, future connections use EAP-TLS.
    • Android Device Provisioning (WLC, ISE and CA server): (1) initial connection using PEAP; (2) redirection to the Android marketplace to install the provisioning utility; (3) provisioning using the Cisco Wi-Fi Setup Assistant; (4) after a Change of Authorization, future connections use EAP-TLS.
    • Client Provisioning Policy: rules match on user, OS and supplicant.
    • MDM Integration: attributes available to ISE policy include jailbroken, PIN locked, encryption, ISE registered and MDM registered. See BRKSEC-3035.
    • Visibility with Prime Infrastructure and ISE Integration: both wired and wireless clients in a single list; device identity from the ISE integration; policy information including the Windows AD domain and the AAA override parameters applied to the client.
    • Which Policy for which Endpoint/User: corporate PCs; other corporate machines and mobile devices; employee-owned devices; guests; contractors; others.
    • Corporate Machines and Users – Identities: MAC address, certificate, login/password, other.
    • Got AD?
      § If using AD machine GPOs in a Windows environment, you may want to enable 802.1X machine authentication.*
      § User authentication can be added on top, still through 802.1X, or be delegated to the Windows logon (even if not outside the company domain).
      * Microsoft introduced the concept of machine authentication also for this purpose.
    • Machine and User Authentication. With the native Windows 802.1X supplicant:
      § The same EAP method is used for both machine and user.
      § Once logged in to Windows, since the user's identity is available, only user authentication is triggered.
      With Cisco AnyConnect NAM:
      § Different, separate EAP methods can be used for the machine and the user.
      § EAP chaining supports authenticating both the machine and the user, in the same session, whenever 802.1X is triggered.
      How to force a user to authenticate from an already authenticated machine?
    • Machine Access Restriction (MAR):
      § Supplicant agnostic.
      § The network access device (NAD) sends the endpoint's MAC in the RADIUS attribute [31] Calling-Station-ID.
      § ISE caches the MAC address of the authenticated machine in the MAR cache.
      § When the user authenticates from the same device, ISE can tell it is from the previously authenticated machine thanks to the MAR cache.
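A toy model of the MAR mechanism described on this slide, added here as an illustration (it is not ISE code): machine authentication records the Calling-Station-ID, and the later user authentication is authorized differently depending on whether that MAC is still in the cache. ISE ages MAR entries out; the lifetime, MAC formats, timestamps and result names used here are constructed.

```python
"""Toy model of ISE's Machine Access Restriction (MAR) cache (added example,
not ISE code).  The MAC from RADIUS attribute [31] Calling-Station-ID is
recorded at machine authentication and looked up at user authentication.
MACs, timestamps, the cache lifetime and the result names are constructed."""


def normalise_mac(calling_station_id: str) -> str:
    """NADs report the MAC in different forms (00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e, ...);
    key the cache on one canonical form so the user lookup finds the machine entry."""
    digits = "".join(c for c in calling_station_id.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MarCache:
    def __init__(self, aging_seconds: int):
        self.aging = aging_seconds   # ISE ages entries out; this lifetime is a constructed value
        self._entries = {}           # canonical MAC -> time of last machine authentication

    def machine_authenticated(self, calling_station_id: str, now: float) -> None:
        """Called when an 802.1X machine authentication (host/... identity) succeeds."""
        self._entries[normalise_mac(calling_station_id)] = now

    def was_machine_authenticated(self, calling_station_id: str, now: float) -> bool:
        """The condition a user authorization rule can test: is the MAC still cached?"""
        seen = self._entries.get(normalise_mac(calling_station_id))
        return seen is not None and 0 <= now - seen <= self.aging


def authorize_user(cache: MarCache, calling_station_id: str, now: float) -> str:
    """Authorization result for a user authentication: full access only from a machine
    that authenticated first; otherwise a restricted result (names are constructed)."""
    if cache.was_machine_authenticated(calling_station_id, now):
        return "Corp-Full-Access"
    return "User-Only-Restricted"


if __name__ == "__main__":
    six_hours = 6 * 3600
    cache = MarCache(aging_seconds=six_hours)
    cache.machine_authenticated("00-1A-2B-3C-4D-5E", now=0)             # boot-time machine auth
    print(authorize_user(cache, "001a.2b3c.4d5e", now=60))              # same laptop, user logs in
    print(authorize_user(cache, "00:1a:2b:3c:4d:ff", now=60))           # never machine-authenticated
    print(authorize_user(cache, "001a.2b3c.4d5e", now=six_hours + 1))   # entry has aged out
```

The cache key is whatever MAC the NAD reports, so MAR ties the user to the machine more loosely than EAP chaining on the next slide, which carries both credentials inside one EAP-FAST session.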
    • EAP Chaining:
      § Supported with AnyConnect 3.1 and ISE.
      § It relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session.
      § If no user information is available (logged out), only machine credentials are used.
      § If the user's identity is also available, both machine and user information are used for 802.1X authentication.
    • Access Enforcement:
      § Changing VLAN between machine and user authentication is supported.* (* Some supplicants (XP SP2/3) do not detect it and do not trigger IP renewal.)
      § While keeping the same VLAN, a different ACL/SGT can be applied to the machine and the user. This is more "client agnostic" as it does not require IP renewal.
      (Diagram: machine VLAN and user VLAN on a 5760.)
    • Corporate non-Windows Machines:
      § There is no concept of machine authentication as with Windows.
      § Through ISE we could still link some attributes of the user's identity/account to the machine.
    • Corporate Mobile Devices: specific EAP methods and account/certificate attributes; force 802.1X through a device-specific certificate, then WebAuth to verify the user behind it; or go for MDM.
    • Asking the External DB (screenshot).
    • Find Something Special on Corporate Devices: a DHCP user class set on corporate Windows machines is picked up by profiling. dhcp-user-class-id = 43:6f:72:70:50:43 (ASCII "CorpPC") → Profiling Policy = "corp_laptop"; a different value such as dhcp-user-class-id = 62:6c:61:62:6c:61 ("blabla") does not match the policy. Set the class on Windows with: C:\>ipconfig /setclassid "Local Area Connection" CorpPC (see http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx).
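An added example (not ISE code) that ties together the profiling slides above (MAC OUI, DHCP hostname, HTTP user-agent, certainty levels and minimum certainty) and the dhcp-user-class-id trick on this slide: a small profiler that decodes the hex user-class id as ISE displays it, scores each policy's rules, and classifies an endpoint only when the accumulated certainty meets the policy minimum. The policy names, certainty values, OUI table and sample endpoints are constructed.

```python
"""Toy ISE-style profiler (added example, not ISE code).  Each policy has
rules that add a certainty factor when they match; an endpoint is classified
only when the total reaches the policy's minimum certainty.  OUI table,
certainty values and sample endpoints are constructed for this example."""
from dataclasses import dataclass
from typing import Callable

# Constructed OUI lookup (first three octets of the MAC); ISE uses the IEEE vendor database.
OUI_VENDORS = {"00:1c:b3": "Apple"}


@dataclass
class Rule:
    description: str
    check: Callable[[dict], bool]   # attrs -> matched?
    certainty: int                  # certainty factor added on a match


@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int
    rules: list


def decode_user_class_id(hex_value: str) -> str:
    """Turn the colon-separated hex that ISE shows for dhcp-user-class-id back into text."""
    return bytes.fromhex(hex_value.replace(":", "")).decode("ascii", errors="replace")


def mac_vendor(mac: str) -> str:
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


def _get(attrs: dict, key: str) -> str:
    return attrs.get(key, "")


POLICIES = [
    # The three questions on the "Apple iPad" slide, each worth a constructed certainty.
    ProfilingPolicy("Apple-iPad", min_certainty=30, rules=[
        Rule("MAC OUI is Apple", lambda a: mac_vendor(_get(a, "mac")) == "Apple", 10),
        Rule("DHCP hostname contains iPad", lambda a: "ipad" in _get(a, "dhcp-host-name").lower(), 10),
        Rule("HTTP user-agent is from an iPad", lambda a: "ipad" in _get(a, "http-user-agent").lower(), 20),
    ]),
    # The dhcp-user-class-id check from this slide.
    ProfilingPolicy("corp_laptop", min_certainty=20, rules=[
        Rule("dhcp-user-class-id decodes to CorpPC",
             lambda a: decode_user_class_id(_get(a, "dhcp-user-class-id")) == "CorpPC", 20),
    ]),
]


def score(policy: ProfilingPolicy, attrs: dict) -> int:
    """Sum the certainty of every rule that matches the endpoint's attributes."""
    return sum(r.certainty for r in policy.rules if r.check(attrs))


def profile(attrs: dict) -> tuple:
    """Return (policy name, certainty) for the best policy meeting its minimum, else ("Unknown", 0)."""
    best = ("Unknown", 0)
    for policy in POLICIES:
        total = score(policy, attrs)
        if total >= policy.min_certainty and total > best[1]:
            best = (policy.name, total)
    return best


# Constructed sample endpoints: a fully seen iPad, an Apple device seen only by OUI,
# a laptop carrying the CorpPC class and one carrying a different class.
SAMPLE_ENDPOINTS = {
    "ipad": {"mac": "00:1c:b3:12:34:56", "dhcp-host-name": "Nathans-iPad",
             "http-user-agent": "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X)"},
    "apple-oui-only": {"mac": "00:1c:b3:65:43:21"},
    "corp-laptop": {"mac": "00:50:56:ab:cd:ef", "dhcp-user-class-id": "43:6f:72:70:50:43"},
    "other-class": {"mac": "00:50:56:ab:cd:ee", "dhcp-user-class-id": "62:6c:61:62:6c:61"},
}

if __name__ == "__main__":
    for label, attrs in SAMPLE_ENDPOINTS.items():
        print(f"{label:15s} -> {profile(attrs)}")
```

Every DHCP and HTTP attribute is supplied by the client itself, so a profiling match such as corp_laptop should select a policy branch while 802.1X (machine or user) still supplies the credential.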
    • Empower your Employees – the slide shows a DOMAIN\employee login. On the WLC: config advanced eap max-login-ignore-identity-response disable
    • Empower your Employees (screenshot).
    • Empower your Employees:
      § Dedicated guest account groups can be used to authenticate via 802.1X.
      § External guests won't be able to obtain the same type of credentials.
      (Example account shown: federico@cisco.com / U45&%ci3@d.)
    • Guests: lobby ambassador and sponsor capabilities on the WLC, Cisco Prime and ISE.
    • Guests – some options to manage them:
      – Guest management services through a dedicated sponsor interface.
      – The guest identity store (local or external) is supported with LWA and CWA.
      – Captive portals can be customized and localized (more in the next slides…).
      – Guest users can be assigned to dedicated VLANs, ACLs, QoS profiles, etc.
      – Guests can go through additional checks, such as compliance, MDM, etc.
    • Differentiating Guest Portals – how could we redirect guests from a specific WLAN or a specific location to separate portals? The answer given across these three slides: RADIUS [30] Called-Station-ID.
    • Restricting Guests from a Specific Sponsor and Site:
      § Create a sponsor group on ISE restricting guest creation for a specific group.
      § Assign sponsor users with specific attributes to the sponsor group.
    • Restricting Guests from a Specific Sponsor and Site (cont'd):
      § Authorize guests based on their group managed by that same sponsor.
    • Contractors and "more than guest" Users: guest groups flagged as "ActivatedGuest" are enabled to authenticate through other (802.1X) methods, not just through the web portal.
    • Contractors – additional checks (screenshot).
    • Additional Configuration Notes (for your reference).
    • Steps for Integrating the WLC and ISE:
      1. Configure the WLAN for 802.1X authentication: configure the RADIUS server on the controller; set up the WLAN for AAA override, profiling and RADIUS NAC.
      2. Configure ISE profiling: enable profiling probes.
      3. Set up access restrictions: configure ACLs to filter and control network access.
    • AAA Override Attributes (Cisco Wireless LAN Controller):
      § Network access: RADIUS "Tunnel-Type" + "Tunnel-Medium-Type" + "Tunnel-Private-Group-ID" set the interface (VLAN) to which the client is connected.
      § Network restrictions: Cisco "Airespace-ACL-Name" sets the access control list used to filter traffic to/from the client.
      § Quality of service: Cisco "Airespace-QOS-Level" sets the maximum QoS queue level available to the client (Bronze, Silver, Gold or Platinum); Cisco "Airespace-802.1p-Tag" and/or "Airespace-DSCP-Tag" set the maximum QoS tagging level available to the client.
    • URL Redirection – Central Web Auth, Client Provisioning, Posture:
      § Url-Redirect: for CWA, client provisioning, posture and MDM, the URL value is returned as a Cisco AV-pair RADIUS attribute. Ex: cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
      § Url-Redirect-Acl: this ACL specifies the traffic to be permitted (i.e., bypass redirection) or denied (i.e., trigger redirection). The ACL is returned by name and must exist as a named ACL on the WLC. Ex: cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT. ACL entries define traffic subject to redirection (deny) and traffic to bypass redirection (permit).
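An added example (not ISE or WLC code) that builds the Access-Accept attribute list for the AAA override attributes and the URL-redirect av-pairs from the two slides above, reads the av-pairs back, and runs the checks worth doing before such a profile goes live: HTTPS portal on an ISE node, session id present, and the redirect ACL actually defined on the WLC. Hostnames, ACL names and the session id are constructed; the Tunnel-Type/Tunnel-Medium-Type values come from RFC 2868 and the Airespace-QOS-Level encoding from the WLC attribute documentation.

```python
"""Build the Access-Accept attributes a WLC expects from an ISE authorization
profile (AAA override plus URL redirection) and sanity-check a redirect result
before it goes live.  Added example, not ISE or WLC code; hostnames, ACL names
and the session id are constructed."""
from urllib.parse import urlsplit

TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # RFC 2868 Tunnel-Medium-Type value "IEEE-802"
AIRESPACE_QOS_LEVEL = {"silver": 0, "gold": 1, "platinum": 2, "bronze": 3}  # WLC VSA encoding


def build_access_accept(vlan=None, acl=None, qos=None, redirect_url=None, redirect_acl=None):
    """Return the (attribute, value) list for one authorization profile."""
    attrs = []
    if vlan is not None:                      # Network Access: the three IETF tunnel attributes
        attrs += [("Tunnel-Type", TUNNEL_TYPE_VLAN),
                  ("Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE802),
                  ("Tunnel-Private-Group-ID", str(vlan))]
    if acl:                                   # Network Restrictions
        attrs.append(("Airespace-ACL-Name", acl))
    if qos:                                   # Quality of Service ceiling
        attrs.append(("Airespace-QOS-Level", AIRESPACE_QOS_LEVEL[qos.lower()]))
    if redirect_url:                          # URL redirection av-pairs
        attrs.append(("cisco-av-pair", f"url-redirect={redirect_url}"))
    if redirect_acl:
        attrs.append(("cisco-av-pair", f"url-redirect-acl={redirect_acl}"))
    return attrs


def parse_av_pairs(attrs):
    """Collect key=value pairs from every cisco-av-pair attribute (split on the first '=')."""
    pairs = {}
    for name, value in attrs:
        if name == "cisco-av-pair" and "=" in value:
            key, _, val = value.partition("=")
            pairs[key.strip()] = val.strip()
    return pairs


def check_redirect(attrs, ise_hosts, wlc_acls):
    """Return a list of findings for a redirect result; an empty list means it looks deployable."""
    findings = []
    pairs = parse_av_pairs(attrs)
    url, acl = pairs.get("url-redirect"), pairs.get("url-redirect-acl")
    if url:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append("url-redirect is not https")
        if parts.hostname not in ise_hosts:
            findings.append(f"url-redirect host {parts.hostname!r} is not an ISE node")
        if "sessionId=" not in parts.query:
            findings.append("url-redirect has no sessionId, so the portal cannot find the session")
        if not acl:
            findings.append("url-redirect without url-redirect-acl: the WLC has nothing to trigger the redirect")
    if acl and acl not in wlc_acls:
        findings.append(f"url-redirect-acl {acl!r} is not configured on the WLC")
    return findings


# Constructed deployment facts: the ISE node name and the ACLs defined on the controller.
ISE_NODES = {"ise-psn1.example.local"}
WLC_ACLS = {"ACL-POSTURE-REDIRECT", "ACL-EMPLOYEE"}

EMPLOYEE = build_access_accept(vlan=502, acl="ACL-EMPLOYEE", qos="platinum")
CWA = build_access_accept(
    redirect_url="https://ise-psn1.example.local:8443/guestportal/gateway?sessionId=0a01010a000000a1&action=cwa",
    redirect_acl="ACL-POSTURE-REDIRECT")
BROKEN = build_access_accept(redirect_url="http://ise-psn1.example.local:8443/guestportal/gateway?action=cwa")

if __name__ == "__main__":
    print(EMPLOYEE)
    print(check_redirect(CWA, ISE_NODES, WLC_ACLS))       # []
    print(check_redirect(BROKEN, ISE_NODES, WLC_ACLS))    # three findings
```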
    • Configuring ISE as the Authentication and Accounting Server: (1) enable "RFC 3576" to support RADIUS Change of Authorization; (2) add ISE to the accounting servers to receive session statistics and profiling data.
    • Configuring the WLAN for a Secure SSID – enabling secure authentication and encryption with WPA2-Enterprise: (1) WPA2 security with AES encryption; (2) 802.1X as the authentication key management (CCKM optional).
    • Setting the WLAN QoS Level – using WMM, the QoS level is based on the marking of the packet:
      § If WMM is set to Allowed, the Quality of Service configuration serves as a limit for the entire SSID; it acts as an upper limit, or ceiling, for the WLAN's QoS configuration.
      § Ensure all controller uplinks, media servers and access points have proper Quality of Service trust commands on their switch ports.
    • Configuring the WLAN for ISE Identity-based Networking (cont'd): (1) allow AAA Override to support dynamic RADIUS attributes; (2) enable RADIUS NAC to accept RADIUS Change of Authorization messages for this SSID; (3) enable RADIUS client profiling to send DHCP and HTTP attributes to ISE via RADIUS accounting.
    • Configuring ISE Profiling Probes:
      § Profiling relies on a multitude of "probes" to classify the client's device type.
      § Profiling can always be achieved through a SPAN port, but more efficient profiling is achieved through probes that selectively forward attributes.
      § For DHCP profiling: Option A: use at least WLC version 7.2.110.0 to send DHCP attributes to ISE through RADIUS accounting. Option B: use a Cisco IOS "ip helper" addressed to ISE on the switches adjacent to the WLC (with DHCP proxy disabled).
      § For HTTP profiling: use at least WLC version 7.3 to send the HTTP user agent info to ISE through RADIUS accounting.
    • Steps for Configuring Device Provisioning:
      1. Configure integration with the external CA server: define the SCEP URL and certificates. See http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml and http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_ISE.html#wp1024207
      2. Define the supplicant provisioning profile: define what security and EAP type is deployed to end devices. See http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_ISE.html#wp1024291
    • Configuring SCEP Integration on the ISE – ISE must point to the SCEP server and have a valid certificate signed by the CA: (1) configure the SCEP URL pointing to the MS server or other CA; (2) request a certificate for ISE from the CA server.
    • Configuring Certificates on the ISE – certificates are used for HTTPS and/or EAP: (1) the web server certificate can be the same as, or different from, the EAP certificate; (2) use the certificate from your CA server for EAP authentication.
    • Configuring the Web-Auth Redirect ACL: (1) this ACL will be referenced by name by ISE to restrict the user before web portal login; (2) use the ISE server's IP address (optionally restricted to a specific port too) to allow traffic to the web portal.
    • Defining the Supplicant Provisioning Authorization Profile: (1) choose "Supplicant Provisioning" for the redirect portal; (2) configure the redirect ACL on the WLC.