
Cisco ISE for Campus Security



Leveraging Cisco’s Identity Services Engine to maintain complete Visibility and Consistent Secure Control of all devices in a Campus Environment


  1. Michael “Zig” Zsiga, CCIE # 44883, Lead Technical Architect (LTA) @ ePlus, 03-23-2016
     Leveraging Cisco’s Identity Services Engine to maintain complete Visibility and Consistent Secure Control of all devices in a Campus Environment
  2. Today’s Agenda
     • Use Case Architecture
     • ISE Primer
     • Complete Visibility
     • Consistent Secure Control
     • BYOD
     • Guest Access
     • Guest Demo
  3. Use Case Architecture
  4. The Different Ways Customers Use ISE
     • Guest Access Management: Easily provide visitors secure guest Internet access
     • BYOD and Enterprise Mobility: Seamlessly classify & securely onboard devices with the right levels of access
     • Secure Access across the Entire Network: Streamline enterprise network access policy over wired, wireless, & VPN
     • Software-Defined Segmentation with Cisco TrustSec®: Simplify Network Segmentation and Enforcement to Contain Network Threats
     • Visibility & Context Sharing with pxGrid: Share endpoint and user context with Cisco and 3rd party systems
     • Network Device Administration: Device administration and Network Access on a single platform
  5. ISE Use Case Architecture - Overview (Users, Devices, Permissions)
     • Trusted User + Trusted Device: Full Access
     • Trusted User + Untrusted Device: Limited Access
     • Untrusted User + Trusted Device: Limited Access
     • Untrusted User + Untrusted Device: No Access
  6. Real Life Use Case from an ePlus K-12 Customer: Customer Requirements Overview
     • Full Visibility of what is being connected to their network
       – Gaming Systems: Xbox, PS4, etc.
       – SOHO Routers / Switches: Linksys, Belkin, Netgear, etc.
     • Secure Control with Security Policies being applied based on Business requirements
       – An Employee gets access to a file share
       – A student gets access to internal printers only
     • Predictable and intuitive Guest Access that is fluid and uses a Single Portal
       – Self-sponsored guest access
       – Sponsored guest access
     • Ease of Management that can minimize the overhead a small IT shop has traditionally encountered
       – Single Pane of Glass
       – Flexible Design and implementation
  7. Real Life Use Case from an ePlus K-12 Customer: Customer Details Overview
     • Network Devices: 200-plus Network Access Devices (NADs): ~150 Cisco Switches, ~50 WLCs
     • Trusted Users: An Employee (Staff / Faculty), A Student
     • Trusted Devices: School owned and managed Device Identity
     • Permissions: What are you allowed to access (Printers, Servers, WWW); Trusted Users can have different access based on their needs
  8. Real Life Use Case from an ePlus K-12 Customer: Customer Solution Overview
     • Full Visibility
       – Implemented a Monitor Mode ISE Deployment
       – Nothing is blocked initially, just tracked in ISE
     • Secure Control
       – Multiple levels of access for Trusted / Trusted Tiers
       – Employees have more access than Students; both are Trusted Users
     • Guest Access
       – Self-sponsored guest access: anyone can use it, but it is limited to internet access and a small subset of printers
       – Sponsored guest access: specific use case for vendor access
     • Ease of Management
       – Moving all security configuration to a single web portal front end
       – Previously had to touch 200-plus network devices to make the same change
       – Modular deployment with Policy Sets (Wired, Wireless, VPN)
       – Two (2) Wireless SSIDs only: Internal vs Guest
  9. ISE Primer
  10. Designed for Secure Access: Identity Services Engine
     • Diagram: ACS, Profiler, Guest Server, NAC Manager and NAC Server feed into one Identity Services Engine Policy Server
     • Functions: Centralized Policy, RADIUS Server, Secure Group Access, Posture Assessment, Guest Access Services, Device Profiling, Monitoring, Troubleshooting, Reporting
     • Also: Device Registration, Supplicant and Cert Provisioning, Mobile Device Management Partner Ecosystem
  11. Introducing Cisco Identity Services Engine
     • A centralised security solution that automates context-aware access to network resources and shares contextual data
     • Diagram: Identity, Profiling and Posture provide Context (Who, What, When, Where, How, Compliant); Role-Based Policy (Traditional or Cisco TrustSec®) controls Role-Based Access to Network Resources (Physical or VM); use cases Guest Access, BYOD Access, Secure Access; ISE as pxGrid Controller
  12. Complete Visibility
  13. Extensive Context Awareness: Make Fully Informed Decisions with Rich Contextual Awareness
     • Who: IP address (poor context) vs Bob (rich context)
     • What: Unknown vs Tablet
     • Where: Unknown vs Building 200, first floor
     • When: Unknown vs 11:00 a.m. EST on April 10
     • How: Unknown vs Wireless
     • Result: Any user, any device, anywhere gets on the network vs The right user, on the right device, from the right place is granted the right access
  14. Many Different Visibility Variables
     • Trust Gradient: Authentication, Certificate, Managed/Unmanaged, Compliance/Posture
     • Threat/Risk: Threat score, Fidelity
     • Reach: What services can be accessed, What other entities can be impacted
     • Behaviour: Historical versus active (now or before), Was I doing the expected or unexpected
     • Users: Role, Permissions/rights, Importance
     • Devices: Ownership (managed or unmanaged), Type of device, Function, Applications
     • Connectivity: Medium (Wired/Wireless/VPN), NAD/NAD Details, State (active session)
     • Location: Physical, Logical
     • Time: Time of Day, Day of week, Connection duration
  15. How? Profiling (diagram: PCs and Non-PCs such as UPS, Phone, Printer, AP)
     • What ISE Profiling is:
       – Dynamic classification of every device that connects to the network, using the infrastructure
       – Provides the context of “What” is connected, independent of user identity, for use in access policy decisions
     • What Profiling is NOT:
       ‒ An authentication mechanism
       ‒ An exact science for device classification
  16. Profiling Technology: Visibility Into What Is On the Network
  17. Profiling Technology: How Do We Classify a Device?
     • Profiling uses signatures (similar to IPS)
     • Probes are used to collect endpoint data: RADIUS, DHCP, DHCP SPAN, DNS, HTTP, SNMP Query, SNMP Trap, NetFlow, NMAP
  18. Profiling Policy Overview: Profile Policies Use a Combination of Conditions to Identify Devices
     • Is the MAC Address from Apple?
     • DHCP:host-name CONTAINS iPad
     • IP:User-Agent CONTAINS iPad
     • Profile Library: assign this MAC Address to the “iPad” Policy (“I am fairly certain this device is an iPad”)
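The slide shows three conditions combining into one verdict. The script below is an added example (not ISE code and not from the deck) that models that evaluation: each policy carries a minimum certainty factor, every matching condition adds its own certainty, and the best-scoring policy that reaches its minimum is assigned. The policy names, certainty values, OUI table and endpoint records are all constructed for illustration. It also shows the caveat from slide 15: a non-Apple MAC whose browser merely claims to be an iPad does not reach the threshold, because profiling is classification, not authentication.

```python
"""Toy evaluation of ISE-style profiling policies.

Added example, not ISE code. Each policy has a minimum certainty factor,
every condition that matches adds its own certainty, and the best-scoring
policy that reaches its minimum is assigned to the endpoint. All certainty
values, the OUI table and the endpoint records are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Endpoint = Dict[str, str]  # attribute -> value, as the probes would report them

# Constructed stand-in for the vendor (OUI) lookup ISE performs on the MAC.
APPLE_OUIS = {"00:03:93", "00:0A:95"}  # illustrative subset, not a full table


@dataclass
class Condition:
    name: str
    test: Callable[[Endpoint], bool]
    certainty: int  # certainty factor added when the condition matches


@dataclass
class Policy:
    name: str
    min_certainty: int  # total needed before the policy may be assigned
    conditions: List[Condition]
    parent: Optional[str] = None


def mac_from_apple(ep: Endpoint) -> bool:
    """'Is the MAC Address from Apple?' decided on the OUI (first three octets)."""
    return ep.get("MAC", "")[:8].upper() in APPLE_OUIS


def attr_contains(attr: str, needle: str) -> Callable[[Endpoint], bool]:
    """Build a CONTAINS condition on one probe attribute (case-insensitive)."""
    return lambda ep: needle.lower() in ep.get(attr, "").lower()


# Assumed policy hierarchy and certainty factors (hypothetical values).
POLICIES: List[Policy] = [
    Policy("Apple-Device", 10, [Condition("OUI is Apple", mac_from_apple, 10)]),
    Policy("Apple-iPad", 20, [
        Condition("OUI is Apple", mac_from_apple, 10),
        Condition("DHCP:host-name CONTAINS iPad",
                  attr_contains("DHCP:host-name", "iPad"), 10),
        Condition("IP:User-Agent CONTAINS iPad",
                  attr_contains("IP:User-Agent", "iPad"), 10),
    ], parent="Apple-Device"),
]


def evaluate(ep: Endpoint, policies: List[Policy] = POLICIES) -> Tuple[str, int, List[str]]:
    """Return (assigned policy, total certainty, names of matched conditions).

    An endpoint that reaches no policy's minimum stays 'Unknown'.
    """
    best: Tuple[str, int, List[str]] = ("Unknown", 0, [])
    for policy in policies:
        matched = [c for c in policy.conditions if c.test(ep)]
        score = sum(c.certainty for c in matched)
        if score >= policy.min_certainty and score > best[1]:
            best = (policy.name, score, [c.name for c in matched])
    return best


# Constructed endpoint records, as if assembled from the RADIUS, DHCP and HTTP probes.
EP_IPAD: Endpoint = {
    "MAC": "00:03:93:AA:BB:CC",
    "DHCP:host-name": "Sallys-iPad",
    "IP:User-Agent": "Mozilla/5.0 (iPad; CPU OS 9_3 like Mac OS X)",
}
EP_APPLE_MAC_ONLY: Endpoint = {"MAC": "00:0A:95:11:22:33"}
# Non-Apple MAC whose browser claims to be an iPad: one weak signal is not enough.
EP_CLAIMS_IPAD: Endpoint = {"MAC": "08:00:27:DE:AD:01", "IP:User-Agent": "iPad"}

if __name__ == "__main__":
    for label, ep in [("iPad", EP_IPAD), ("Apple MAC only", EP_APPLE_MAC_ONLY),
                      ("claims iPad", EP_CLAIMS_IPAD)]:
        print(label, "->", evaluate(ep))
```

With the values assumed here, the full iPad record scores 30 and lands in Apple-iPad, the bare Apple MAC only reaches the Apple-Device parent, and the spoofed User-Agent stays Unknown. Which attributes are even available depends on which probes are enabled (slide 17); a policy built on a DHCP attribute does nothing on a segment where the DHCP probe sees no traffic.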
  19. Consistent Secure Control
  20. ISE is a Standards-Based AAA Server: Access Control System Must Support All Connection Methods
     • Supports Cisco and 3rd-Party solutions via standard RADIUS, 802.1X, EAP, and VPN Protocols
     • Diagram: Wired and Wireless use 802.1X (EAP over LAN); VPN uses SSL / IPsec; the access devices speak RADIUS to the ISE Policy Server (Cisco Prime also shown)
  21. Separation of Authentication and Authorization
     • Policy Sets (from ISE 1.3): Policy Groups, Policy Set Condition, Default; Authentication and Authorization are separate policies within a set
  22. What About That 3rd “A” in “AAA”? Accounting
  23. Detailed Visibility into Passed/Failed Attempts
  24. Building the Architecture in Phases
     • Access-Prevention Technology
       – A Monitor Mode is necessary
       – Must have ways to implement and see who will succeed and who will fail
     • Determine why, and then remediate before taking 802.1X into a stronger enforcement mode
     • Solution = Phased Approach to Deployment:
       – Monitor Mode
       – Low-Impact Mode -or-
       – Closed Mode
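Slides 23 and 24 together describe the measurement step of the phased approach: in Monitor Mode nothing is blocked, so the passed/failed attempts ISE records tell you in advance who would lose access once enforcement is turned on, and why. The script below is an added example (not ISE's reporting, and not from the deck) of that replay. The log format is constructed for the example and is not ISE's own report layout; the sample lines and MAC addresses are also constructed.

```python
"""Monitor Mode readiness report.

Added example, not ISE's own reporting. The log format is constructed for
this example. The method: replay the authentications a Monitor Mode
deployment has already recorded, list the endpoints that never passed,
separate those that only ever passed by MAB from those that passed 802.1X,
and tally the failure reasons so remediation can start before Low-Impact or
Closed Mode is enabled.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# One record per authentication attempt; REASON appears only on failures.
LINE_RE = re.compile(
    r"(?P<ts>\S+) NAD=(?P<nad>\S+) MAC=(?P<mac>\S+) METHOD=(?P<method>\S+) "
    r"RESULT=(?P<result>PASS|FAIL)(?: REASON=(?P<reason>.+))?$"
)

# Constructed sample log from a hypothetical Monitor Mode deployment.
SAMPLE_LOG = """\
2016-03-23T08:01:10 NAD=sw-lib-01 MAC=00:03:93:AA:BB:CC METHOD=PEAP RESULT=PASS
2016-03-23T08:02:15 NAD=sw-lib-01 MAC=B8:27:EB:10:20:30 METHOD=MAB RESULT=FAIL REASON=MAC not in endpoint store
2016-03-23T08:03:40 NAD=wlc-01 MAC=00:0A:95:11:22:33 METHOD=EAP-TLS RESULT=FAIL REASON=certificate expired
2016-03-23T08:05:02 NAD=wlc-01 MAC=00:0A:95:11:22:33 METHOD=EAP-TLS RESULT=PASS
2016-03-23T08:06:30 NAD=sw-gym-02 MAC=7C:ED:8D:44:55:66 METHOD=MAB RESULT=PASS
2016-03-23T08:07:11 NAD=sw-lib-01 MAC=B8:27:EB:10:20:30 METHOD=MAB RESULT=FAIL REASON=MAC not in endpoint store
"""


def parse(log_text: str) -> List[Dict[str, str]]:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per MAC: which methods ever passed, and every failure reason seen."""
    per_mac = defaultdict(lambda: {"passed_methods": set(), "fail_reasons": []})
    for r in records:
        entry = per_mac[r["mac"]]
        if r["result"] == "PASS":
            entry["passed_methods"].add(r["method"])
        else:
            entry["fail_reasons"].append(r["reason"] or "unspecified")
    return dict(per_mac)


def readiness(summary: Dict[str, dict]) -> dict:
    """Bucket endpoints by what would happen once enforcement is enabled."""
    report = {
        "blocked_in_closed_mode": [],  # never passed any method
        "mab_only": [],                # passed, but only by MAC Authentication Bypass
        "dot1x_ok": [],                # passed an EAP method at least once
        "failure_reasons": Counter(),  # what to remediate, most common first
    }
    for mac, entry in sorted(summary.items()):
        report["failure_reasons"].update(entry["fail_reasons"])
        if not entry["passed_methods"]:
            report["blocked_in_closed_mode"].append(mac)
        elif entry["passed_methods"] == {"MAB"}:
            report["mab_only"].append(mac)
        else:
            report["dot1x_ok"].append(mac)
    return report


def report_for(log_text: str) -> dict:
    """Convenience wrapper: raw log text in, readiness report out."""
    return readiness(summarize(parse(log_text)))


if __name__ == "__main__":
    result = report_for(SAMPLE_LOG)
    for bucket in ("blocked_in_closed_mode", "mab_only", "dot1x_ok"):
        print(f"{bucket}: {result[bucket]}")
    for reason, count in result["failure_reasons"].most_common():
        print(f"  {count}x {reason}")
```

The MAB-only bucket is worth reading separately from the blocked list: those endpoints keep working in Closed Mode as long as MAB stays in the policy, but they are authenticated by MAC address alone, so they are the candidates for profiling-based authorization with restricted access rather than a blanket permit.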
  25. BYOD
  26. Onboarding Personal Devices: Registration, Certificate and Supplicant Provisioning
     • Device Onboarding, Certificate Provisioning and Supplicant Provisioning through a Self-Service Model (iOS, Android, Windows, Mac OS) and the MyDevices Portal
     • Provisions device Certificates
       ‒ Based on Employee-ID & Device-ID
     • Provisions Native Supplicants:
       ‒ Windows: XP, Vista, 7 & 8
       ‒ Mac: OS X 10.6, 10.7 & 10.8
       ‒ iOS: 4, 5, 6 & 7
       ‒ Android: 2.2 and above
       ‒ 802.1X + EAP-TLS, PEAP & EAP-FAST
     • Employee Self-Service Portal
       ‒ Lost Devices are Blacklisted
       ‒ Self-Service Model reduces IT burden
     • Single and Dual SSID onboarding
  27. What Makes a BYOD Policy? Sample Complete BYOD Policy
     • Flowchart decision points: i-Device? (Y/N), Registered? (Y/N)
     • Authorization outcomes: Internet Only, Employee, Guest, Access-Accept, Access-Reject
     • Building blocks: MAC address lookup to AD/LDAP, Profiling, Posture, Machine certificates, Non-exportable user certificate, Machine auth with PEAP-MSCHAPv2, EAP chaining
  28. Guest Access
  29. Improve Guest Experiences Without Compromising Security
     • Immediate, Uncredentialed Internet Access with Hotspot: Guest → Internet
     • Simple Self-Registration: Guest → Internet
     • Role-Based Access with Employee Sponsorship: Guest + Sponsor → Internet and Network
  30. ISE Built-in Portal Customisation?
     • Create Accounts
     • Notifications by Print, Email or SMS (sample: “Approved! credentials username: trex42 password: littlearms”)
     • Mobile and Desktop Portals
  31. Which Portals Are Customisable? All Except The Admin Portal
     1. Guest
     2. Sponsor
     3. BYOD (Device Registration)
     4. My Devices
     5. Client Provisioning (Desktop Posture)
     6. MDM (Mobile Device Management)
     7. Blacklist
     8. Certificate Provisioning Portal
  32. 17 languages; All portal support (hotspot, self registered, BYOD, ...)
  33. Choose from Pre-Built Portal Layouts (screenshot: “Access your portals to manage and share”)
  34. Supports all languages (plus RTL – Arabic & Hebrew); Supports all portal types
  35. Guest Demo
  36. Guest Demo: Two different SSIDs
     • ISE_CLLE_SR_Demo: Self Registration Demo
     • ISE_CLLE_HS_Demo: Hotspot Demo
     • Access key is “ISE_DEMO!!” without quotes
  37. Q & A
  38. What to do next? Contact me or anyone else @ ePlus
     • Email:
     • Phone: (603) 263-3568
     • Twitter: @michael_zsiga
     If you are bored and want to hang out with fellow Nerds and Geeks alike join BOSNOG: The Boston Network Operators Group (