Securing the Access Layer: Cisco TechAdvantage Webinar

Since its invention over a decade ago, IEEE 802.1X has gone through three major revisions. Not only has the standard itself evolved, the supporting technologies complementing 802.1X have made significant progress. While initially more like 'bolted-on' solutions, technologies like MAC Authentication Bypass, Web Authentication, integration of voice devices and making the overall solution failure-resistant have significantly enhanced Cisco's identity-based networking solution.

With the introduction of the Identity Security Policy, Cisco has revamped these technologies into a consistent policy framework tightly interlocked with the AAA/RADIUS server back end. During this webinar we will explain the historical context, the policy model itself and give some practical policy examples including a short demonstration of the technology.

Download the replay from WebEx at: https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=EC&rID=69783912&rKey=6818d6ba413f36a9

Published in: Technology, Education

Securing the Access Layer: Cisco TechAdvantage Webinar

  1. © 2013 Cisco and/or its affiliates. All rights reserved.
     Cisco TechAdvantage Webinars
     Securing the Access Layer for BYOD
     Mitesh Dalal, Ralph Schmieder
     Follow us @GetYourBuildOn
  2. •  Submit questions in the Q&A panel and send to “All Panelists”; avoid the CHAT window for better access to panelists
     •  Please complete the post-event survey
     •  For WebEx audio, select COMMUNICATE > Join Audio Broadcast
     •  Where can I get the presentation? Send email to: ask_techadvantage@cisco.com
     •  Join us for upcoming TechAdvantage Webinars: www.cisco.com/go/techadvantage
     •  For WebEx call back, click the ALLOW phone button at the bottom of the participants side panel
  3. Speakers and Panelists
     Ralph Schmieder, Technical Marketing Engineer, rschmied@cisco.com
     Mitesh Dalal, Product Manager, mdalal@cisco.com
     Matthew King, Technical Engineering Leader, mattking@cisco.com
     Jason Frazier, Technical Marketing Manager, jafrazie@cisco.com
  4. (Section divider slide, no content)
  5. Blurring the Borders
     Anyone, Anywhere, Anytime: Consumer ↔ Workforce, Employee ↔ Partner, Physical ↔ Virtual
     MOBILITY: 7 Billion New Wireless Devices by 2015 (Mobile Devices, IT Resources)
     WORKPLACE EXPERIENCE: Changing the Way We Work
     VIDEO: Video projected to quadruple IP traffic by 2014 to 767 exabytes
  6. Executive, Employee, IT
  7. BUSINESS IMPERATIVES / SECURITY IMPERATIVES
     “I need to onboard consumerized IT devices to enable new services”
     “I need to enable my apps for a productive global and mobile workforce”
     “We must be compliant with regulations and able to show it”
     “Can I Manage the Risks of BYOD?”
     “Who and what is on my network, and needs access from where?”
     “I need to segment my network and DC assets to limit the scope of compliance”
  8. Human Resources, Endpoint Team, Network Team, Application Team, Security Operations, Compliance Operations
  9. •  Where do we come from, where do we go to?
     •  In the Dark Ages, there was IEEE 802.1X
     •  Then we had MAB, Auth-Fail VLAN, Guest VLAN, Deployment Modes, …
     •  We will finally be walking upright with the help of the new version of the Identity Engine for TrustSec (Identity Policy)
  10. •  Rolling out Identity can be a Tedious Task
      We deliver a ton of useful and very specific features
      Deployment Scenarios address 80%, but the remaining 20% are the most complex
      Where’s my individual Assembly Instruction?
      What do I do if I’m missing a specific brick (feature)?
  11. (Section divider slide, no content)
  12. •  User Devices
      •  Wired Infrastructure
      •  Wireless Infrastructure
      •  PKI
      •  On-boarding
      •  Mobile Device Management
      •  Web Portals
      •  Guest Access
      •  Directory Integration
      •  RADIUS
      •  RADIUS Server Features (ISE)
      •  Security Policy
      •  Legal Compliance
      •  Teamwork & Organization
      •  NAC / Endpoint Compliance
      •  Supplicant Specifics
      •  Executive Support
  13. •  Cisco Secure ACS: TACACS+ / RADIUS Veteran
         - Supports RADIUS and TACACS+
         - Two major versions: Windows based (< 5.0) and Linux based (>= 5.0)
         - As software only (< 5.0) and appliance (4.x and 5.x)
         - IPv6 Support for TACACS+, not for RADIUS
      •  Identity Services Engine (ISE): New Kid on the Block
         - Complete re-write (no TACACS+ as of today)
         - Focusing on access control / identity / TrustSec
         - Integrating formerly separate modules / products (profiler, guest services, RADIUS server, NAC)
         - Recommended going forward for Identity Projects
      •  This Webinar is mostly RADIUS server agnostic!
  14. Monitor Mode
      •  Authentication without Access Control
      •  'Baby Steps'
      Low Impact Mode
      •  Minimal Impact to Network and Users
      •  With Access Control
      Closed Mode
      •  Logical Isolation
      •  Formerly “High Security”
  15. Monitor Mode: How To
      - Enable 802.1X & MAB
      - Enable Open Access
        All traffic in addition to EAP is allowed
        Like not having 802.1X enabled, except authentications still occur
      - Enable Multi-Auth Host-Mode
      - No Authorization
      Monitor Mode Goals
      - No Impact to Existing Network Access
      - See what is on the network, who has a supplicant, who has good credentials, who has bad credentials
      - Deterrence through accountability
  16. Endpoints should be fully configured:
      - PKI (CA certs, client cert) or other credentials
      - Supplicants configured & installed everywhere supported
      - Enable machine authentication
      - Enable user authentication, if needed
      AAA Server should be fully configured except for authorization policy:
      - Communication with AAA clients (i.e. switches)
      - Communication with credential repository (e.g. AD, MAC Database)
      - PKI (CA certs, server cert)
      - EAP Configuration
      - MAB Configuration
  17. RADIUS Authentication & Accounting Logs
      •  Passed / Failed 802.1X (Who has bad credentials? Misconfigurations?)
      •  Passed / Failed MAB attempts (What don’t I know?)
      Monitor Mode Next Steps
      - Improve Accuracy
      - Evaluate Remaining Risk
      - Leverage Information
      - Prepare for Access Control
  18. Using ACS 5 as an Example. Fix: MAC.CSV
  19. How Are MACs “Authenticated”? “Authentication” for Clientless Devices (MAC 00.0A.95.7F.DE.06)
      IEEE 802.1X: the switch sends EAPoL: EAP Request-Identity, repeated until the timeout expires
      MAB: any packet from the endpoint triggers RADIUS Access-Request [AVP: 00.0A.95.7F.DE.06] from the Switch to the RADIUS Server, answered with RADIUS Access-Accept
  20. RADIUS Access-Request Differentiates MAB Request
      MAB as “Host Lookup”
      • ACS / ISE optimization
      • no need for fake passwords
      MAB as PAP
      • works with any RADIUS server
      • password = username
  21. MAB enables differentiated access control (e.g. Contractor VLAN, Printer VLAN)
      MAB leverages centralized policy on the AAA server
      •  Default timeout is 30 seconds with three retries (90 seconds total)
      •  90 seconds > DHCP timeout. Dependency on the IEEE 802.1X timeout -> delayed network access
      MAB requires a database of known MAC addresses (MAC Database reached via RADIUS, LDAP, ISE)
  22. Timeout
        interface GigabitEthernet1/4
         dot1x max-reauth-req 2
         dot1x timeout tx-period 30
      Time until MAB starts = (max-reauth-req + 1) * tx-period
      Change the Timeout: Short Enough To Prevent Timeouts, Long Enough To Allow 802.1X Devices to Authenticate
      “FlexAuth”
        interface GigabitEthernet1/4
         authentication order mab dot1x
         authentication priority dot1x mab      (*Priority Matters!)
      First packet from the device will trigger MAB; with the default order 802.1X -> MAB, with FlexAuth MAB -> 802.1X (if MAB fails)
      www.cisco.com/go/ibns -> Whitepapers
      Low Impact Deployment Scenario: Prepare For Additional Control Plane Traffic
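As an added example (not code from the webinar or from Cisco), the following script applies the slide's formula (max-reauth-req + 1) * tx-period to a running-config fragment and flags ports whose MAB fallback outlasts a DHCP planning budget, or whose mab-first order lacks the priority line the slide warns about. The IOS defaults (max-reauth-req 2, tx-period 30), the 60-second DHCP budget and the sample interfaces are assumptions constructed for the demo.

```python
"""Audit dot1x/MAB fallback timing on access ports.

Added example, not Cisco's code. Applies the slide's formula
(max-reauth-req + 1) * tx-period to each interface stanza and reports ports
whose MAB fallback exceeds a DHCP planning budget. IOS defaults assumed:
max-reauth-req 2, tx-period 30 (the 90 s quoted on the slide).
"""
import re

DEFAULT_MAX_REAUTH_REQ = 2
DEFAULT_TX_PERIOD = 30
DEFAULT_ORDER = ("dot1x", "mab")
DHCP_BUDGET = 60  # seconds; constructed planning threshold, not a protocol constant

# Constructed running-config fragment (not from the slides): default timers,
# tuned timers, mab-first with priority, mab-first without priority.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/4
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/5
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x max-reauth-req 1
 dot1x timeout tx-period 10
!
interface GigabitEthernet1/6
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/7
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of stripped config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def auth_order(lines):
    """Authentication method order on the port (IOS default: dot1x, then mab)."""
    for line in lines:
        m = re.fullmatch(r"authentication order (.+)", line)
        if m:
            return tuple(m.group(1).split())
    return DEFAULT_ORDER


def mab_fallback_delay(lines):
    """Seconds from link-up until MAB starts; None if MAB is not enabled."""
    order = auth_order(lines)
    if "mab" not in order or "mab" not in lines:
        return None
    if order[0] == "mab":
        return 0  # first packet from the device triggers MAB immediately
    max_reauth, tx_period = DEFAULT_MAX_REAUTH_REQ, DEFAULT_TX_PERIOD
    for line in lines:
        m = re.fullmatch(r"dot1x max-reauth-req (\d+)", line)
        if m:
            max_reauth = int(m.group(1))
        m = re.fullmatch(r"dot1x timeout tx-period (\d+)", line)
        if m:
            tx_period = int(m.group(1))
    return (max_reauth + 1) * tx_period


def audit_port(lines):
    """Return the port's MAB delay plus findings against the slide's guidance."""
    order, delay = auth_order(lines), mab_fallback_delay(lines)
    findings = []
    if delay is not None and delay > DHCP_BUDGET:
        findings.append(
            f"MAB starts after {delay}s (> {DHCP_BUDGET}s DHCP budget): shorten "
            "tx-period / max-reauth-req or use 'authentication order mab dot1x'")
    if order[0] == "mab" and "authentication priority dot1x mab" not in lines:
        findings.append(
            "mab-first order without 'authentication priority dot1x mab' "
            "(priority matters: 802.1X should keep precedence over MAB)")
    return {"order": order, "mab_delay": delay, "findings": findings}


def audit_config(config):
    """Audit every interface stanza in a running-config fragment."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, result in audit_config(SAMPLE_CONFIG).items():
        print(name, result["order"], result["mab_delay"], *result["findings"], sep="\n  ")
```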
  23. Find It
      •  Leverage Existing Asset Database
      •  e.g. Purchasing Department, CUCM
      Build It
      •  Bootstrap methods to gather data
      •  e.g. SNMP, Syslog, Accounting
      Buy It
      •  Automated Device Discovery
      •  e.g. ISE
  24. Profiling Tools Are Evolving
      Data sources: SNMP, DHCP, MAC OUI; RADIUS Access-Request; RADIUS Accounting; LDAP
      Components: ACS, Profiler, IOS Sensor (15.0(1)SE1), ISE 1.1
  25. 00-04-0D-9D-BE-59: Organizationally Unique Identifier (OUI)
      •  Assigned by IEEE
      •  Identifies device vendor and possible device type
      ACS Rule Example / ISE Profiler Example (screenshots)
  26. Customize your MAB request
      Allows the MAC address format used for MAB authentication to be configured
      •  Available Options
         access(config)#mab request format attribute ?
           1   Username format used for MAB requests
           2   Global Password used for all MAB requests
           32  NAS-Identifier attribute
      •  Examples
         access(config)#mab request format attribute 1 groupsize 2 separator -
         access(config)#mab request format attribute 2 0 mymabpassword
         access(config)#mab request format attribute 32 vlan access-vlan
      Resulting username format, e.g. 00-AA-CC-DD-EE-FF
  27. mab request format attribute 32 vlan access-vlan
      •  Global Config adds the Access VLAN to the Access-Request
      •  Attribute used to carry the VLAN info is NAS-Identifier (32)
      •  RADIUS Policy can leverage this in its rules (multi-tenant policies, for example)
      •  MAB only as of today
        interface GigabitEthernet1/0/15
         description toAccess port
         switchport access vlan 160          <- Access VLAN
         switchport mode access
         switchport voice vlan 180
         access-session port-control auto
         mab
         dot1x pae authenticator
         spanning-tree portfast
         service-policy type control subscriber IPV6_POLICY
        end
  28. •  Re-auth will start from the beginning of the method list.
      •  If the order is changed (default 802.1X -> MAB to MAB -> 802.1X), re-auth will start with MAB, even though 802.1X was successful
      •  If the 'last successful' method must be used, a RADIUS AVP needs to be applied
      http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287.pdf
  29. Which Object Class to use?
      •  Device Object (recommended)
         No conflict with complex password policy
         Windows Server 2003 R2 and Windows Server 2008 allow for the macAddress attribute
         Otherwise use the device class with CN=MAC
         Leverage Lightweight Directory Services (LDS) on the AD instance for this purpose
      •  User Objects (not recommended). The username and password will be the MAC address of the device
         Create User Objects for MAC addresses (licensing? Inappropriate object class?)
         May conflict with complex password policy
         May be exploited for interactive login to workstations
      www.cisco.com/go/trustsec -> Configuring MAB with LDAP
      User Device Binding
  30. •  Machine Access Restrictions (MAR)
         ISE / ACS specific feature
         Needs to see a successful machine auth before user auth can succeed
         Windows specific
         Not very reliable (sleep mode, media change break MAR)
      •  EAP-Chaining
         Ideal and most secure solution, tying user auth and machine auth into one request
         Must be supported on the RADIUS server and on the supplicant (Cisco AnyConnect NAM >= 3.1)
      •  User-Device Binding
         Simple solution, but not as secure as EAP-Chaining
         Needs DB maintenance (assign device MAC to user object)
         RADIUS and Supplicant agnostic
      http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html
  31. Leveraging the MAB Database
      •  Compare Calling-Station-ID (= MAC address of the used Device) to the Directory Attribute (= MAC address of the allowed Device(s))
      •  If matched, then Allow Access; else Deny or Redirect to BYOD Registration
      •  Using MSFT AD? Use msNPCallingStationID, it’s already there for this…
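As an added example (not code from the webinar, Cisco IOS or ISE) covering slides 25, 26 and 31, the following script normalizes the MAC formats seen on these slides, renders the MAB username the way `mab request format attribute 1 groupsize N separator X` would, extracts the IEEE OUI, and applies the slide 31 user-device binding check of Calling-Station-Id against a directory attribute. The OUI table, the directory records and the `authorize` helper are constructed for the demo.

```python
"""MAB username formatting, OUI extraction and user-device binding check.

Added example, not Cisco's or ISE's code. The directory records and the
OUI table are constructed samples; msNPCallingStationID is the AD attribute
named on slide 31.
"""
import re

HEX12 = re.compile(r"[0-9A-F]{12}")
SEPARATORS = re.compile(r"[.:\-\s]")


def normalize_mac(mac):
    """Canonical form: 12 upper-case hex digits, no separators; raises on junk."""
    digits = SEPARATORS.sub("", mac).upper()
    if not HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mab_username(mac, groupsize=2, separator="-", upper=True):
    """Render the User-Name as 'mab request format attribute 1' would.

    groupsize 2 with separator '-' gives 00-AA-CC-DD-EE-FF (slide 26);
    groupsize 12 gives the unseparated form. The group sizes and separators
    accepted here are the ones the IOS CLI offers (assumption from its docs).
    """
    if groupsize not in (1, 2, 4, 12) or separator not in ("-", ":", "."):
        raise ValueError("unsupported groupsize/separator")
    canon = normalize_mac(mac)
    out = separator.join(canon[i:i + groupsize] for i in range(0, 12, groupsize))
    return out if upper else out.lower()


def oui(mac):
    """First three octets: the IEEE-assigned Organizationally Unique Identifier."""
    return normalize_mac(mac)[:6]


# Constructed OUI table for the demo; real lookups use the IEEE registry.
OUI_VENDORS = {"00040D": "constructed-vendor-A", "000A95": "constructed-vendor-B"}


def binding_decision(calling_station_id, directory_macs):
    """Slide 31 logic: Calling-Station-Id matched against the user's allowed MACs.

    Returns 'allow' on a match, otherwise 'redirect-byod-registration' (the
    slide's other option is a plain deny). Both sides are normalized so
    'aa:bb:...' from RADIUS and 'AA-BB-...' from the directory still match.
    A Calling-Station-Id that is not a MAC at all is denied outright.
    """
    try:
        wanted = normalize_mac(calling_station_id)
    except ValueError:
        return "deny"
    allowed = {normalize_mac(m) for m in directory_macs}
    return "allow" if wanted in allowed else "redirect-byod-registration"


# Constructed directory: user -> msNPCallingStationID values (not real data)
DIRECTORY = {
    "jdoe": ["00-AA-CC-DD-EE-FF", "00.0a.95.7f.de.06"],
    "printer-3f": ["00-04-0D-9D-BE-59"],
}


def authorize(user, calling_station_id):
    """Hypothetical policy hook: user authenticated, now check the device."""
    return binding_decision(calling_station_id, DIRECTORY.get(user, []))


if __name__ == "__main__":
    print(mab_username("00.0A.95.7F.DE.06"), oui("00-04-0D-9D-BE-59"))
    print(authorize("jdoe", "00:aa:cc:dd:ee:ff"), authorize("jdoe", "00-04-0D-9D-BE-59"))
```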
  32. Two options for unknown MAC addresses
      1) No Access
      2) Switch-based Web-Auth
      3) Guest VLAN
      Option A: RADIUS Access-Request (MAB) -> RADIUS Access-Reject. MAB fails, control of the session passes to the switch.
      Option B: RADIUS Access-Request (MAB) -> RADIUS Access-Accept with Guest Policy. Unknown MAC, apply Guest Policy: the MAC is unknown but MAB “passes”.
      •  AAA server determines policy for unknown endpoints (e.g. network access levels, re-auth policy)
      •  Good for centralized control & visibility of guest policy (VLAN, ACL)
  33. Summary
      •  Authentication without Authorization
      •  Extensive Network Visibility
      Benefits & Limitations
      •  No Impact to Endpoints or Network
      •  No Access Control
      Next Steps
      •  Monitor the Network
      •  Evaluate Remaining Risk
      •  Prepare for Access Control
  34. Low Impact Mode: How-To
      - Start from Monitor Mode
      - Add ACLs, dACLs and flex-auth
      - Limit the number of devices connecting to a port
      - Integrate phones
      Low Impact Mode Goals
      - Begin to control / differentiate network access
      - Minimize Impact to Existing Network Access
      - Retain Visibility of Monitor Mode
      - “Low Impact” == no need to re-architect your network: keep the existing VLAN design, minimize changes
  35. Approach 1: Selectively block traffic
      Selectively protect certain assets / subnets
      Low risk of inadvertently blocking wanted traffic
      Example: Block unauthenticated users from Finance servers
      Approach 2: Selectively allow traffic
      More secure, better control
      May block wanted traffic
      Example: Only allow pre-auth access for PXE devices to boot
      •  The pre-auth port ACL is arbitrary and can progress as you better understand the traffic on your network
      •  Recommendation: use the least restrictive ACL that you can; time-sensitive traffic is a good candidate for the ACL.
  36. Configure downloadable ACLs for authenticated users
      ACL as applied on the switchport (pre-auth ACL plus dACL; the switch dynamically substitutes the endpoint’s address):
        permit ip host 10.100.20.200 any
        permit tcp any any established
        permit udp any any eq bootps
        permit udp any host 10.100.10.116 eq domain
        permit udp any host 10.100.10.117 eq tftp
      • Contents of the dACL are arbitrary
      • Can have as many unique dACLs as there are user permission groups
      • Same principles as the pre-auth port ACL
      • TCAM restrictions apply!
  37. •  Whenever possible, use downloadable ACLs
         Wired environments
         Wired / Wireless environments with Catalyst 3850 / 5760 (Unified Access)
         Wired / Wireless environments (traditional): use dACLs for wired and Filter-Id for the wireless part
      •  When dACLs are not possible (no ACS / ISE)
         Distributed Deployments: use Filter-Id ACLs
         Centralized Deployments: use per-user ACLs
      •  Try to avoid WebAuth Proxy ACLs
         Remnants of the good ol' NAC Framework days
  38. Tip: Use For Graceful Transition from Monitor Mode
      Before 12.2(54)SG and 12.2(55)SE: a switch that receives a dACL for a port without a PACL will fail authorization (%AUTHMGR-5-FAIL, EAP-Failure to the endpoint).
      After 12.2(54)SG and 12.2(55)SE: the switch will automatically attach a default PACL called “Auth-Default-ACL” and then apply the dACL (EAP-Success to the endpoint).
        %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL PERMIT_ANY
  39. Port ACL on the switchport:
        permit udp any any eq bootps
        permit udp any host 10.100.10.116 eq domain
        permit udp any host 10.100.10.117 eq tftp
      Default behavior: if the RADIUS server returns a dynamic ACL, the dynamic ACL is applied. If no dynamic ACL is downloaded, the Pre-Auth Port ACL controls the port, so every endpoint must be assigned a dynamic ACL.
      With the “open directive” configured (Switch(config)#epm access-control open; 12.2(54)SG, 12.2(55)SE): if no dynamic ACL is returned, the switch automatically creates a “permit ip any any” entry for the authenticated host.
  40. Summary
      •  Default open + pre-auth ACL
      •  Differentiated access control using dynamic IPv4 ACLs
      Benefits & Limitations
      •  Minimal Impact to Endpoints
      •  Minimal Impact to Network
      •  No L2 Isolation
      •  Some access prior to authentication
      Recommendations
      •  Start with the least restrictive port ACLs
      •  Use downloadable ACLs if you have ACS / ISE
      •  Use the ‘Open’ Directive to reduce dACL config
  41. Closed: How-To
      - Return to default “closed” access
      - Timers or authentication order change
      - Implement identity-based VLAN assignment
      Closed Mode Goals
      - No access before authentication
      - Rapid access for non-802.1X-capable corporate assets
      - Logical isolation of traffic at the access edge (Network Virtualization Solution)
  42. •  If no VLAN is sent, the switch will use the static switchport VLAN
      •  Configure dynamic VLANs for any user that should be in a different VLAN
  43. VLAN 10: DATA      10.10.10.x/24   Gi0/1
      VLAN 20: VOICE     10.10.20.x/24   Gi0/2
      VLAN 30: MACHINE   10.10.30.x/24   Gi0/3
      VLAN 40: ENG       10.10.40.x/24   Gi0/4
      VLAN 50: UNAUTH    10.10.50.x/24   Gi0/5
      •  More VLANs To Trunk (Multi-Layer Deployments)
      •  More Subnets to Route
      •  Every Assignable VLAN Must Be Defined on Every Access Switch
      •  More DHCP Scopes (and addresses) to manage
      Best Practice: Use the Fewest Possible Number of VLANs
  44. Non-802.1X Endpoints
      •  Unaware of VLAN changes, no mechanism to change the IP address
      •  Best Practice: Dynamic VLAN in Closed Mode only
      Older 802.1X Endpoints (e.g. Windows XP)
      •  Supplicants can renew the IP address on VLAN change, but the OS and underlying processes may not handle the IP address change gracefully
      •  Best Practice: Use the same VLAN for User and Machine Authentication (Windows)
      Newer 802.1X Endpoints (e.g. Windows Vista, 7)
      •  Supplicant and OS can handle VLAN / IP address changes
      •  Best Practice: Use the VLAN policy that best matches your security policy.
  45. Diagram: VM Host behind one switchport; Access-Accepts arrive with VLAN: BLUE, VLAN: BLUE, no VLAN, and VLAN: RED (12.2(55)SE, 15.0(2)SG, 12.2(33)SXJ)
      •  The first successful authentication “locks” the Data VLAN
      •  Subsequent endpoints must get assigned the same VLAN or no VLAN
      •  Blue VLAN=Permit, No VLAN=Permit, Red VLAN=Deny (Local)
  46. “MAC based VLANs”
      •  Before Cat3850: One port, one VLAN per access port (1:1)
      •  Exception: Voice (one Data Device untagged, one Voice Device tagged w/ VVLAN)
      •  Later: Allowing VLAN assignment on multi-authentication ports, but the first device ‘rules’ the port.
      •  Now with Catalyst 3850: Each session can have an individual VLAN assigned (Gi1/0/13 is not a trunk!)
        160  WIRED-EMPLOYEE  active  Gi1/0/13
        170  WIRED-GUEST     active  Gi1/0/13
  47. Summary
      •  Default is 'closed'
      •  Differentiated access control using dynamic VLANs
      Benefits & Limitations
      •  Logical Isolation at L2
      •  No Access for Unauthorized Endpoints
      •  Impact to Network
      •  Impact to Endpoints
      Recommendations
      •  Use the fewest VLANs possible
      •  Know which devices can’t change VLANs
      •  User Distribution helps with VLAN names
      •  Enable Critical Voice VLAN
      •  Consider NEAT as needed
  48. (Section divider slide, no content)
  49. 49. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 49 1 Monitor Mode 2 Low Impact Mode 3 Closed Mode 1 Monitor Mode 2 Low Impact Mode 3 Closed Mode •  Popular Deployment Scenarios Demonstrating Industry Leadership Phased Deployments  Clear Plan of Action High Visibility + Incremental Access Control •  Now You Want More! “What if AAA goes down?” What about IPv6 ACLs? •  The Need for Flexible Authorization ACL, VLAN, QoS, URL-Redirect, IPv6 enabled identity… Flex Authentication plus Flex Authorization Low Impact Mode SWITCH PORT KRB5 HTTP TFTPDHCP EAPoL Permit Some Pre-AuthC RADIUS Access-Accept, ACL=employee Low Impact Mode SWITCH PORT KRB5 HTTP TFTPDHCP EAPoL Permit More based on dACL Post-AuthC Local Service Template SWITCH PORT ANY Permit Any Critical Auth Critical ACL required!
  50. 50. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 50 A few Examples… •  Flex Auth: Hard Coded Rules, Timing / Order dependency, no concurrent authentication •  WebAuth: Auth in Access VLAN, no IPv6 support, Authorization by ACL only •  IPv6: Device Tracking, URL Redirect, IPv6 dACL, Guest Access, Local WebAuth •  Configuration: dynamic changes with NEAT / ASP, Configuration size 802.1X Fail MAB WebAuth Auth Fail VLAN Next Method First Class Web Auth
  51. 51. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 51 In a Nutshell New Identity Policy Engine (Access Policy) ANY Authentication Method with ANY Authorization Feature using ANY Media Leverages Templates for Sessions and Interfaces *Available on Catalyst 3850 at FCS and 2HCY13 on 2k/3k/4k and on 6k with MK2 1HCY14
•  What's an Event? What's a Class? What's an Action?

E-Mail Policy (aka Inbox Filtering)
•  Event: E-Mail arrives
•  Class: additional Attributes
   Sender is Wife
   Mail is Spam
   Mail is addressed to Mail List
•  Action: Result, based on Class
   Wife: 1) Mark Urgent 2) Put in Inbox
   Spam: 1) Mark as Spam 2) Delete
   Marketing: 1) Put in Marketing Folder

•  The concept still applies...

[Diagram: Event session-started, Class always, Action authenticate via 802.1X. Event authentication-failure (match FIRST, do ALL) with Classes AAA-DOWN, 1X-FAIL and NO-RESPONSE and Actions authorize port, Terminate 802.1X, Assign Guest VLAN]

Configuration by Reference:
•  Service Templates
   will be dynamically assigned to a session
   can be locally defined -or- downloaded via RADIUS
•  Interface Templates**
   Cure for the Configuration Bloat
   Generic tool, not restricted to Session / Identity
   Like Port Profiles on NX-OS

[Diagram: Gi1/0/1, Gi1/0/2, Gi1/0/3 User Ports; Gi1/0/4 Access Point]
**Will be available in a future release

Service Templates
•  Using a Critical Auth Example
•  Can be defined locally on the switch
•  Can also be defined on the RADIUS server and downloaded dynamically as needed per authorization or during CoA (ISE 1.2 Feature)
•  Used as one of the Actions per Control-Policy or as part of the RADIUS Authorization (AV Pair)
•  Templates via AAA can contain arbitrary AV Pairs

Example and Available Commands:
  switch(config)#service-template CRITICAL
  switch(config-service-template)#?
  service-template configuration commands:
    absolute-timer    Absolute timeout value in seconds
    access-group      Access list to be applied
    description       Enter a description
    exit              Exit identity policy configuration submode
    inactivity-timer  Inactivity timeout value in seconds
    no                Negate a command or set its defaults
    redirect          Redirect clients to a particular location
    tag               tag name
    vlan              Vlan to be applied
  switch(config-service-template)#

  service-template CRITICAL
   description allow all traffic
   access-group PERMIT-IPV4-ANY
   access-group PERMIT-IPV6-ANY
  !

Service Templates via RADIUS
•  Similar to Applying a Port ACL via filter-id
•  Can also be triggered via RADIUS CoA
•  Service-Template activation can be a local Control Policy action
•  If it doesn't exist, it can be downloaded like a dACL

[Diagram: EAPoL from the endpoint to the Switch; Switch to RADIUS: Access-Request username=jdoe; RADIUS to Switch: Access-Accept AV-Pair "subscriber:service-name=TEMPLATE"; the Switch enforces the template DEFINED ON SWITCH:]
  service-template TEMPLATE
   access-group PERMIT-ANY
   vlan 100
   inactivity-timer 360

ACS / any RADIUS Server
•  Incoming request tagged with cisco-av-pair="download-request=service-template"
•  Template-Name = Username
•  Trivially Pass Authentication (username is the template name)
•  Template Content is defined by AV pairs returned in authorization rules

ISE 1.2 and newer
•  Template support is built-in

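The two slides above describe the download exchange only as a diagram. The following is an added example, not Cisco, ACS or ISE code: it simulates both sides of that exchange with plain dictionaries. The switch authenticates a user, receives subscriber:service-name=TEMPLATE, and, when the template is not defined locally, sends a second Access-Request whose User-Name is the template name and which carries the download-request=service-template tag. The user database, the template catalogue and the attribute format used for template content are constructed for the example; only the tag and the service-name AV pair come from the slides.

```python
"""Simulated RADIUS exchange for a downloadable service template.

Added example, not Cisco or ACS code: messages are dictionaries, nothing is sent
on the wire, and the user database, template catalogue and template attribute
format are constructed.
"""
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, List[str]]   # attribute name -> values (RADIUS attributes may repeat)
DOWNLOAD_TAG = "download-request=service-template"

# Constructed server-side data.
USER_DB = {"jdoe": ("s3cret", "EMPLOYEE_1")}        # user -> (password, template to assign)
TEMPLATE_CATALOGUE = {                               # template -> AV pairs (hypothetical format)
    "EMPLOYEE_1": ["vlan=160", "inactivity-timer=360", "access-group=PERMIT-ANY"],
}


def radius_server(req: Attrs) -> Tuple[str, Attrs]:
    """Answer one Access-Request with (code, attributes)."""
    username = req.get("User-Name", [""])[0]
    if DOWNLOAD_TAG in req.get("cisco-av-pair", []):
        # Template download: User-Name is the template name and there is no
        # password to verify, so the catalogue lookup is the only gate.
        pairs = TEMPLATE_CATALOGUE.get(username)
        if pairs is None:
            return "Access-Reject", {}
        return "Access-Accept", {"cisco-av-pair": list(pairs)}
    # Ordinary authentication: an untagged request is checked against the user
    # database even if the name happens to be a template name.
    entry = USER_DB.get(username)
    if entry is None or entry[0] != req.get("User-Password", [""])[0]:
        return "Access-Reject", {}
    return "Access-Accept", {"cisco-av-pair": [f"subscriber:service-name={entry[1]}"]}


class Switch:
    """Minimal switch-side logic: authorize, then resolve the named template."""

    def __init__(self) -> None:
        self.templates: Dict[str, List[str]] = {}   # locally defined or downloaded
        self.log: List[str] = []

    def download_template(self, name: str) -> bool:
        code, attrs = radius_server({"User-Name": [name], "cisco-av-pair": [DOWNLOAD_TAG]})
        self.log.append(f"download {name}: {code}")
        if code != "Access-Accept":
            return False
        self.templates[name] = attrs.get("cisco-av-pair", [])
        return True

    def authorize(self, user: str, password: str) -> Optional[Tuple[str, List[str]]]:
        """Return (template name, template AV pairs) applied to the session, or None."""
        code, attrs = radius_server({"User-Name": [user], "User-Password": [password]})
        self.log.append(f"auth {user}: {code}")
        if code != "Access-Accept":
            return None
        for pair in attrs.get("cisco-av-pair", []):
            if pair.startswith("subscriber:service-name="):
                name = pair.split("=", 1)[1]
                if name not in self.templates and not self.download_template(name):
                    return None
                return name, self.templates[name]
        return None


if __name__ == "__main__":
    sw = Switch()
    print(sw.authorize("jdoe", "s3cret"))   # first session triggers the download
    print(sw.authorize("jdoe", "s3cret"))   # second session reuses the cached template
    print(sw.authorize("EMPLOYEE_1", "x"))  # template name without the tag: rejected
    print(sw.log)
```

The point of the server function is the branch order: the request is treated as a template download only when it carries the tag, so a username that merely equals a template name still has to pass the normal credential check.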
Policy Configuration Elements
•  Global Configuration (AAA, 802.1X, CoA, ACLs, etc.)
•  Template Configuration (optional)
•  Global Policy Configuration (policy-map referencing class-maps)
•  Per-Interface Configuration
•  References to other Policy Elements (static or dynamic)

  aaa […]
  radius […]
  dot1x system-auth-control
  ip access-list […]
  ipv6 access-list […]
  service-template […]
  service-template […]
  class-map […]
  class-map […]
  policy-map […]
  interface range gi1/0/1 – 48
   mab
   access-session port-control […]
   service-policy type control subscriber […]

Typical Identity Configuration
•  Today: For Every Interface (this list can even get longer!)
  interface FastEthernet2/0/1
   switchport access vlan 201
   switchport mode access
   ip access-group PREAUTH in
   authentication control-direction in
   authentication event fail action authorize vlan 201
   authentication event server dead action authorize vlan 201
   authentication event no-response action authorize vlan 201
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication timer inactivity server dynamic
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 5
   spanning-tree portfast
  end

•  With Identity Policy

Global (once): New Policy Model
  [...]
  policy-map type control subscriber POLICY
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x retries 2 retry-time 0 priority 10
   event authentication-failure match-first
    10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
     10 activate service-template VLAN201
     20 authorize
     30 pause reauthentication
    20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
     10 pause reauthentication
     20 authorize
    30 class DOT1X_NO_RESP do-until-failure
     10 terminate dot1x
     20 authenticate using mab priority 20
    40 class MAB_FAILED do-until-failure
     10 terminate mab
     20 activate service-template VLAN201
     30 authorize
  [...]

For Every Interface: Common Config plus Remaining Identity Config
  interface FastEthernet2/0/1
   switchport access vlan 201
   switchport mode access
   ip access-group PREAUTH in
   authentication periodic
   authentication timer reauthenticate server
   access-session host-mode single-host
   access-session port-control auto
   access-session control-direction in
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 5
   spanning-tree portfast
   service-policy type control subscriber POLICY
  end

•  Tomorrow with Identity Policy and Interface Templates

Global (once): POLICY (New Policy Model) and the REFERENCE TEMPLATE (Common Config plus Remaining Identity Config)
  policy-map type control subscriber POLICY
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x retries 2 retry-time 0 priority 10
   . . .
  !
  template identity-template
   switchport access vlan 201
   switchport mode access
   ip access-group PREAUTH in
   authentication periodic
   authentication timer reauthenticate server
   access-session host-mode single-host
   access-session port-control auto
   access-session control-direction in
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 5
   spanning-tree portfast
   service-policy type control subscriber POLICY
  !

For Every Interface (FUTURE):
  interface FastEthernet2/0/1
   source template identity-template
  !
  interface FastEthernet2/0/2
   source template identity-template
  !
  interface FastEthernet2/0/3
   source template identity-template
  !
  interface FastEthernet2/0/4
   source template identity-template
  end

Bridging the Gap between 'Old World' and 'New World'
•  Existing configurations 'simply work'
•  Converting in the background to new Policy Mode
•  Use CLI to change how configuration is shown:
  switch# authentication display ?
    legacy     Legacy configuration
    new-style  New style (c3pl) configuration
   This is transient and 'Exec mode' only (does not appear in configuration).
•  If Policy Mode configuration is changed or rebooted in Policy Mode, the change is non-reversible
•  No IPv6 capable WebAuth in 'Old Style' Mode

Tip: Start with known good configuration and see how changes in 'legacy mode' change the new configuration!

Event                              Class      Action
session-started                    always     authenticate via 802.1X
violation                          always     restrict
agent-found                        always     authenticate via 802.1X
authentication-failure             AAA-DOWN   activate service-template, authorize port, Terminate 1X & MAB
  (Match First, Do All)            1X-FAIL    authenticate via MAB

Event                              Class      Action
session-started                    always     authenticate via 802.1X
violation                          always     restrict
agent-found                        always     authenticate via 802.1X
authentication-failure             AAA-DOWN   activate service-template, authorize port, Terminate 1X & MAB
  (Match First, Do All)            1X-FAIL    authenticate via MAB

  service-template CRITICAL
   access-group CRITICAL-V4
   access-group CRITICAL-V6
  !
  !
  policy-map type control subscriber DOT1X
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x
   event violation match-all
    10 class always do-all
     10 restrict
   event agent-found match-all
    10 class always do-all
     10 authenticate using dot1x
   event authentication-failure match-first
    10 class AAA-DOWN do-all
     10 activate service-template CRITICAL
     20 authorize
     30 terminate dot1x
     40 terminate mab
    20 class 1X-FAIL do-all
     10 authenticate using mab

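The e-mail filtering analogy and the DOT1X policy-map above both rely on the same evaluation rules: an event fires, the classes under it are tested either until the first match (match-first) or all of them (match-all), and a matching class runs its actions either all of them (do-all) or until one fails (do-until-failure). The following is an added toy model of that evaluation, not Cisco code and not how the Policy Rule Engine is implemented; it expresses the DOT1X policy-map from this slide in Python, with actions that only update a dictionary and report success, and the AAA-DOWN and 1X-FAIL classes mapped to constructed session flags.

```python
"""Toy model of how a control policy evaluates events, classes and actions
(match-all / match-first, do-all / do-until-failure).

Added example: it mirrors the DOT1X policy-map on the slide, but the actions
only update a dictionary and report success or failure; nothing here talks to
a switch or a RADIUS server.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Session = Dict[str, Any]            # simulated session state (constructed flags)
Predicate = Callable[[Session], bool]
Action = Callable[[Session], bool]  # True = action succeeded, False = it failed


@dataclass
class ClassRule:
    name: str
    match: Predicate
    mode: str                       # "do-all" or "do-until-failure"
    actions: List[Tuple[str, Action]]


@dataclass
class EventRule:
    mode: str                       # "match-all" or "match-first"
    classes: List[ClassRule]


@dataclass
class ControlPolicy:
    name: str
    events: Dict[str, EventRule] = field(default_factory=dict)

    def fire(self, event: str, session: Session) -> List[str]:
        """Evaluate one event; return the names of the actions that ran, in order."""
        executed: List[str] = []
        rule = self.events.get(event)
        if rule is None:
            return executed             # no rule for this event: nothing happens
        for cls in rule.classes:
            if not cls.match(session):
                continue
            for name, action in cls.actions:
                executed.append(name)
                if not action(session) and cls.mode == "do-until-failure":
                    break               # skip the remaining actions of this class
            if rule.mode == "match-first":
                break                   # only the first matching class is processed
        return executed


# --- simulated actions: set a flag on the session and succeed -----------------
def authenticate(method: str) -> Action:
    return lambda s: s.update({f"{method}_running": True}) or True

def terminate(method: str) -> Action:
    return lambda s: s.update({f"{method}_running": False}) or True

def activate_template(template: str) -> Action:
    return lambda s: s.update({"template": template}) or True

def authorize(s: Session) -> bool:
    s["authorized"] = True
    return True

def restrict(s: Session) -> bool:
    s["restricted"] = True
    return True


def build_dot1x_policy() -> ControlPolicy:
    """The DOT1X policy-map from the slide, expressed in the toy model."""
    always: Predicate = lambda s: True
    return ControlPolicy("DOT1X", {
        "session-started": EventRule("match-all", [
            ClassRule("always", always, "do-until-failure",
                      [("authenticate using dot1x", authenticate("dot1x"))])]),
        "violation": EventRule("match-all", [
            ClassRule("always", always, "do-all", [("restrict", restrict)])]),
        "agent-found": EventRule("match-all", [
            ClassRule("always", always, "do-all",
                      [("authenticate using dot1x", authenticate("dot1x"))])]),
        "authentication-failure": EventRule("match-first", [
            ClassRule("AAA-DOWN", lambda s: s.get("aaa_down", False), "do-all", [
                ("activate service-template CRITICAL", activate_template("CRITICAL")),
                ("authorize", authorize),
                ("terminate dot1x", terminate("dot1x")),
                ("terminate mab", terminate("mab"))]),
            ClassRule("1X-FAIL", lambda s: s.get("dot1x_failed", False), "do-all",
                      [("authenticate using mab", authenticate("mab"))])]),
    })


def run_failure_scenario(aaa_down: bool, dot1x_failed: bool) -> Tuple[List[str], Session]:
    """Start a session, then raise authentication-failure with the given state."""
    policy = build_dot1x_policy()
    session: Session = {"aaa_down": aaa_down, "dot1x_failed": dot1x_failed}
    trace = policy.fire("session-started", session)
    trace += policy.fire("authentication-failure", session)
    return trace, session


def compare_action_modes() -> Tuple[List[str], List[str]]:
    """Same two actions with the first failing: do-all runs both, do-until-failure stops."""
    failing: Action = lambda s: False
    results = []
    for mode in ("do-all", "do-until-failure"):
        policy = ControlPolicy("DEMO", {"x": EventRule("match-all", [
            ClassRule("always", lambda s: True, mode,
                      [("first (fails)", failing), ("second", authorize)])])})
        results.append(policy.fire("x", {}))
    return results[0], results[1]


if __name__ == "__main__":
    for state in ((True, True), (False, True), (False, False)):
        print(state, run_failure_scenario(*state)[0])
    print(compare_action_modes())
```

With both flags set, match-first means only the AAA-DOWN class runs, so the MAB fallback of the 1X-FAIL class is never attempted; that is the behaviour the slide's "Match First" label describes, and the kind of ordering dependency worth checking before a class is inserted above another.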
Concurrent Authentication
Pro: Faster Onboarding. Con: More auths per sec.
  event session-started match-all
   10 class always do-until-failure
    10 authenticate using dot1x priority 10
    20 authenticate using mab priority 20

Differentiated Authentication
Fallback to different user DB based on policy. No restriction on single dot1x ID store anymore!
  event authentication-failure match-first
   10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
    10 terminate mab
    20 terminate dot1x
    30 authenticate using mab aaa authc-list mab-local authz-list mab-local

IPv6 Device Discovery
Enable IPv6 Device Tracking. Make Identity Policy IPv6 aware.
Note: Define which VLANs to apply and also trust the uplink port
  !
  ipv6 snooping policy v6-snoop
   trusted-port
  !
  vlan configuration 100-180
   ipv6 nd suppress
   ipv6 snooping
  !
  interface TenGig1/1/1
   description *** uplink ***
   [ ... ]
   ipv6 snooping attach-policy v6-snoop
  !

•  New Session Display, Old Friends with new Names: 'show access-session' instead of 'show authentication session'
  switch#sh access-session int gi1/0/13 detail
            Interface:  GigabitEthernet1/0/13
               IIF-ID:  0x103B240000000D9
          MAC Address:  0800.27f0.7969
         IPv6 Address:  FE80::A00:27FF:FEF0:7969, 2001:DB8:1:170:C025:2462:AF2A:477B
         IPv4 Address:  172.16.30.66
            User-Name:  rschmied@stu.ibns.lab
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  AC101D020000115B11DEEC8C
      Acct Session ID:  0x0000122B
               Handle:  0xD8000001
       Current Policy:  POLICY_Gi1/0/13

  Server Policies:
          ACS ACL: xACSACLx-IP-permit-most-50b5f56e
         Template: EMPLOYEE_1 (priority 100)
       Vlan Group:  Vlan: 160
          ACS ACL: xACSACLx-IP-permit-most-50b5f56e

  Method status list:
         Method           State
         dot1x            Authc Success
         mab              Stopped

•  IPv6 awareness (the IPv6 Address line)
•  Applied Policies (here: with server assigned Template)

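The session display above is what an operator reads by eye; the following is an added example, not Cisco tooling, that parses the same output and checks a session against what the policy is expected to have applied. The sample text is constructed from the output on the slide, and the expectations (template EMPLOYEE_1, dot1x in Authc Success, a server ACL present) are assumptions chosen for the check.

```python
"""Parse 'show access-session ... detail' output and check the session state.

Added example, not Cisco tooling. SAMPLE_OUTPUT is constructed from the slide's
output; the expected values passed to check_session() are assumptions.
"""
import re
from typing import Any, Dict, List

SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet1/0/13
               IIF-ID:  0x103B240000000D9
          MAC Address:  0800.27f0.7969
         IPv6 Address:  FE80::A00:27FF:FEF0:7969, 2001:DB8:1:170:C025:2462:AF2A:477B
         IPv4 Address:  172.16.30.66
            User-Name:  rschmied@stu.ibns.lab
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  AC101D020000115B11DEEC8C
      Acct Session ID:  0x0000122B
               Handle:  0xD8000001
       Current Policy:  POLICY_Gi1/0/13

Server Policies:
        ACS ACL: xACSACLx-IP-permit-most-50b5f56e
       Template: EMPLOYEE_1 (priority 100)
     Vlan Group:  Vlan: 160
        ACS ACL: xACSACLx-IP-permit-most-50b5f56e

Method status list:
       Method           State
       dot1x            Authc Success
       mab              Stopped
"""


def parse_access_session(text: str) -> Dict[str, Any]:
    """Return the header key/value fields plus server policies and method states."""
    info: Dict[str, Any] = {"acls": [], "template": None, "vlan": None, "methods": {}}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Server Policies:":
            section = "policies"
            continue
        if line == "Method status list:":
            section = "methods"
            continue
        if section == "policies":
            if (m := re.match(r"ACS ACL:\s*(\S+)", line)):
                info["acls"].append(m.group(1))
            elif (m := re.match(r"Template:\s*(\S+)", line)):
                info["template"] = m.group(1)
            elif (m := re.search(r"Vlan:\s*(\d+)", line)):
                info["vlan"] = int(m.group(1))
        elif section == "methods":
            parts = line.split(None, 1)            # e.g. "dot1x   Authc Success"
            if len(parts) == 2 and parts[0] != "Method":
                info["methods"][parts[0]] = parts[1].strip()
        else:
            # Split on the first colon only: IPv6 addresses contain more of them.
            key, sep, value = line.partition(":")
            if sep:
                info[key.strip()] = value.strip()
    return info


def check_session(info: Dict[str, Any], expected_template: str) -> List[str]:
    """Return deviations from the expected authorized state (empty list = OK)."""
    findings: List[str] = []
    if info.get("Status") != "Authorized":
        findings.append(f"status is {info.get('Status')!r}, expected Authorized")
    if info["template"] != expected_template:
        findings.append(f"template is {info['template']!r}, expected {expected_template!r}")
    if info["methods"].get("dot1x") != "Authc Success":
        findings.append(f"dot1x state is {info['methods'].get('dot1x')!r}")
    if not info["acls"]:
        findings.append("no server-assigned ACL on the session")
    return findings


if __name__ == "__main__":
    session = parse_access_session(SAMPLE_OUTPUT)
    print(session["User-Name"], session["template"], session["vlan"])
    print(check_session(session, "EMPLOYEE_1") or "session matches expectations")
```

Run over the output of every port in a closet, a check like this turns "does the port look right" into a list of sessions that are authorized without the template or ACL the policy should have applied.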
•  And new Friends: 'show policy-map type control' to show the control policy
  newton-1#sh policy-map type control subscriber name POLICY_Gi1/0/13
  Control_Policy: POLICY_Gi1/0/13
    Event: event session-started match-all
      Class-map: 10 class always do-until-failure
        Action: 10 authenticate using dot1x retries 2 […]
        Executed: 2
    Event: event authentication-failure match-first
      Class-map: 10 class DOT1X_NO_RESP do-until-failure
        Action: 10 terminate dot1x
        Executed: 43
        Action: 20 authenticate using mab priority 20
        Executed: 43
      Class-map: 20 class MAB_FAILED do-until-failure
        Action: 10 terminate mab
        Executed: 0
        Action: 20 authentication-restart 60
        Executed: 0
  […]
•  See complete Policy (Events, Classes, Actions)
•  Look for specific events and how often associated classes matched and actions have been executed

•  debug pre* all | error | event | ha | prr | rule
•  To understand policy flow and identify events and actions
•  Powerful in combination with conditional debugging ('debug condition')
  [PRE:RULE:EVENT:D8000001] Executing policy-map type control subscriber POLICY_Gi1/0/13
  [PRE:RULE:EVENT:D8000001] event session-started match-all
  [PRE:RULE:EVENT:D8000001] class always do-until-failure policy instance 0x5A000038
  [PRE:RULE:EVENT:D8000001] Evaluate: class-map type control match-all subscriber always
  [PRE:RULE:EVENT:D8000001] evaluated class map: success
  %AUTHMGR-5-START: Starting 'dot1x' for client (0800.27f0.7969) on Interface Gi1/0/13 AuditSessionID AC101D020C
  [PRE:RULE:EVENT:D8000001] Action authenticate using dot1x retries 2 retry-time 0 priority 10:sync:success
  [PRE:RULE:EVENT:D8000001] executed action handlers and returning with status:1, result:0
  [PRE:RULE:EVENT:D8000001] Executing policy-map type control subscriber POLICY_Gi1/0/13
  [PRE:RULE:EVENT:D8000001] event agent-found match-all
  [PRE:RULE:EVENT:D8000001] class always do-until-failure policy instance 0x5A000038
  [PRE:RULE:EVENT:D8000001] Evaluate: class-map type control match-all subscriber always
  [PRE:RULE:EVENT:D8000001] evaluated class map: success
  [PRE:RULE:EVENT:D8000001] Action terminate mab:sync:success
  [PRE:RULE:EVENT:D8000001] Action authenticate using dot1x retries 2 retry-time 0 priority 10:sync:success
  [PRE:RULE:EVENT:D8000001] executed action handlers and returning with status:1, result:0
  %DOT1X-5-FAIL: Authentication failed for client (0800.27f0.7969) on Interface Gi1/0/13 AuditSessionID AC101D0C
  switch#
*PRE = Policy Rule Engine
Reading the output: the first "Executing policy-map" block is a single event (session-started); "evaluated class map: success" shows the class-map was evaluated and matched; the "Action ..." line is the associated action; the second block is the next, new event (agent-found).

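The annotations above explain how to read one event block of the debug output by eye. The following is an added example, not Cisco tooling, that turns a capture of that output into one record per event (policy, event, match mode, classes, actions with their result, return status), with the interleaved syslog messages kept separately. The sample lines are constructed from the slide's output for session handle D8000001 and policy POLICY_Gi1/0/13.

```python
"""Summarise 'debug pre' Policy Rule Engine output per event.

Added example, not Cisco tooling. SAMPLE_DEBUG is constructed from the debug
lines shown on the slide.
"""
import re
from typing import Any, Dict, List, Tuple

SAMPLE_DEBUG = """\
[PRE:RULE:EVENT:D8000001] Executing policy-map type control subscriber POLICY_Gi1/0/13
[PRE:RULE:EVENT:D8000001] event session-started match-all
[PRE:RULE:EVENT:D8000001] class always do-until-failure policy instance 0x5A000038
[PRE:RULE:EVENT:D8000001] Evaluate: class-map type control match-all subscriber always
[PRE:RULE:EVENT:D8000001] evaluated class map: success
%AUTHMGR-5-START: Starting 'dot1x' for client (0800.27f0.7969) on Interface Gi1/0/13 AuditSessionID AC101D020C
[PRE:RULE:EVENT:D8000001] Action authenticate using dot1x retries 2 retry-time 0 priority 10:sync:success
[PRE:RULE:EVENT:D8000001] executed action handlers and returning with status:1, result:0
[PRE:RULE:EVENT:D8000001] Executing policy-map type control subscriber POLICY_Gi1/0/13
[PRE:RULE:EVENT:D8000001] event agent-found match-all
[PRE:RULE:EVENT:D8000001] class always do-until-failure policy instance 0x5A000038
[PRE:RULE:EVENT:D8000001] Evaluate: class-map type control match-all subscriber always
[PRE:RULE:EVENT:D8000001] evaluated class map: success
[PRE:RULE:EVENT:D8000001] Action terminate mab:sync:success
[PRE:RULE:EVENT:D8000001] Action authenticate using dot1x retries 2 retry-time 0 priority 10:sync:success
[PRE:RULE:EVENT:D8000001] executed action handlers and returning with status:1, result:0
%DOT1X-5-FAIL: Authentication failed for client (0800.27f0.7969) on Interface Gi1/0/13 AuditSessionID AC101D0C
"""

PRE_RE = re.compile(r"^\[PRE:RULE:EVENT:([0-9A-Fa-f]+)\]\s+(.*)$")
ACTION_RE = re.compile(r"^Action (.+):(\w+):(\w+)$")     # "Action <name>:<mode>:<result>"
RETURN_RE = re.compile(r"status:(\d+), result:(\d+)")


def parse_pre_debug(text: str) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Return (event records, syslog lines); one record per 'event ...' line."""
    events: List[Dict[str, Any]] = []
    syslog: List[str] = []
    policy = None
    current: Dict[str, Any] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PRE_RE.match(line)
        if not m:
            if line.startswith("%"):
                syslog.append(line)          # AUTHMGR / DOT1X messages between debug lines
            continue
        handle, msg = m.groups()
        if msg.startswith("Executing policy-map type control subscriber "):
            policy = msg.rsplit(" ", 1)[1]
        elif msg.startswith("event "):
            _, event, match_mode = msg.split()
            current = {"handle": handle, "policy": policy, "event": event,
                       "match": match_mode, "classes": [], "actions": []}
            events.append(current)
        elif not current:
            continue                         # debug lines before the first event line
        elif msg.startswith("class "):
            parts = msg.split()
            current["classes"].append((parts[1], parts[2]))   # (class name, action mode)
        elif msg.startswith("evaluated class map:"):
            current["class_result"] = msg.split(":")[-1].strip()
        elif (a := ACTION_RE.match(msg)):
            current["actions"].append((a.group(1), a.group(3)))
        elif (r := RETURN_RE.search(msg)):
            current["status"], current["result"] = int(r.group(1)), int(r.group(2))
    return events, syslog


def failed_actions(events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Actions whose recorded result is anything other than 'success'."""
    return [(ev["event"], name) for ev in events
            for name, result in ev["actions"] if result != "success"]


if __name__ == "__main__":
    evs, logs = parse_pre_debug(SAMPLE_DEBUG)
    for ev in evs:
        print(ev["event"], ev["match"], ev["classes"], [n for n, _ in ev["actions"]])
    print("syslog:", logs)
    print("failed actions:", failed_actions(evs))
```

The record for each event keeps the class name and its do-all / do-until-failure mode next to the action results, which is what you need when an action in a do-until-failure class failed and the later actions silently never ran.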
Suppress 'Success' log messages, only log failure
•  no authentication logging verbose
•  no mab logging verbose
•  no dot1x logging verbose
•  Default is 'verbose'!
•  Some ISE troubleshooting tools depend on seeing these messages

Selectively Debug
•  debug interface Gi1/0/1
•  Limits effect of debug to given interface

Start Simple and Evolve
•  Monitor mode before access control
•  Least restrictive ACLs, fewest VLANs

Design / Plan / Implement
•  Know where every device & user should / could end up
•  For troubleshooting: Start at a central point, work outward as required; a good AAA server is invaluable

Optimize Deployment Scenarios With New Features
•  Adapt new features where available
•  Familiarize with new policy model and capabilities

•  Thank you!
•  Please complete the post-event survey
•  Join us for upcoming webinars: Register: www.cisco.com/go/techadvantage
•  Follow us @GetYourBuildOn