Post on 24-Jun-2020
transcript
Topic
Part I : AAA Concepts
Part II : ISE Concepts
Part III : Layer 2 Authentication – MAB
Part IV : Layer 2 Authentication – EAP
Part V : ISE Identity Sources
Part VI : Layer 3 Authentication – HTTP / HTTPS
Part VII : EndPoint Profiling
Part VIII : Posture Assessment
Part IX : Layer 2 Encryption – MACSec
Part X : Security Group Tags - SGT
Part I : AAA Concepts
What is AAA ?
• AAA stands for
• Authentication
• Authorization
• Accounting
• AAA can be used for multiple purposes
• Network Device administration
• Network Access (wired, wireless, VPN)
• Authentication
• Provide identification of who you are
• Various options: username and password, certificates
What is AAA ?
• Authorization
• Defines what you are allowed to do
• For network administration:
• privilege-level
• Allowed commands
• For network access:
• VLAN
• Access-list
• Security Group Tag
• Encryption
What is AAA ?
• Accounting
• Provides evidence of what you have done, like auditing
• For network administration:
• Typed commands for forensics analysis
• For network access:
• Session statistics for billing
• Session identification (MAC address, IP address, username)
• Session state (connected or disconnected)
AAA Model
• Three-party authentication model
• Supplicant / end-client
• Device requesting access
• Speaks with the authenticator
• Authenticator
• Device enforcing the authentication, known as the NAD (Network Access Device)
• Bridges information between supplicant and authentication server
• Authentication Server
• Device performing the authentication
• Connected to identity sources: username/password, PKI
• Can behave like a proxy towards another authentication server
AAA Protocols
• Between supplicant and authenticator
• For device administration
• console
• Telnet / SSH
• HTTP / HTTPS
• For network access
• EAPOL
• HTTP / HTTPS
• Between authenticator and authentication server
• RADIUS
• TACACS+
RADIUS
• IETF standard (RFC2865)
• Has additional RFC’s for specific features
• Combines authentication and authorization in one process
• Uses UDP port 1645/1812 for authentication
• Uses UDP port 1646/1813 for accounting
• The initial ports 1645/1646 collided with the datametrics service, hence the reassignment to 1812/1813
• The shared RADIUS key, combined with MD5, is used to hide only the user’s password; the rest of the packet travels in clear-text
• Conveys authentication and authorization results through RADIUS attributes
• IETF standard defined
• Vendor Specific Attributes (VSA’s)
TACACS+
• Developed by Cisco
• Mainly used for device administration
• Developed by Cisco from original TACACS protocol (RFC1492)
• Uses separate processes for authentication, authorization and accounting
• Uses TCP port 49
• Encrypts entire body of TACACS packet, leaves clear-text header
RADIUS vs. TACACS
Cisco’s Authentication Servers
• Access Control System (ACS)
• Supports both TACACS+ and RADIUS
• Mainly used for TACACS+
• Identity Services Engine (ISE – NGN RADIUS)
• Supports RADIUS with Change of Authorization (CoA)
• TACACS+ supported in ISE 2.0
• Mainly used for RADIUS
• Additional features not supported by ACS
• Profiling , posture assessment
• Web portal services
Part II : ISE Concepts
What is ISE ?
• Provides a scalable and unified network access policy platform
• Centralized network access policy for any device, from anywhere, at anytime
• Wired access
• Wireless access
• VPN access
• Implements a flexible policy-based model
• Rule-based approach for authentication and authorization
• Rules are composed of conditions and results
ISE Personas
• It supports both physical and virtual environments
• Built of three major roles, named personas
• PSN (Policy Service Node)
• Responsible for network access request processing
• RADIUS, posture, profiling, web redirection, guest portal
• PAN (Policy Administration Node)
• Responsible for all configurations
• Conditions, results, policies, external identity store integration
• MnT (Monitoring and Troubleshooting Node)
• Collects logs from PAN, PSN, NAD
ISE Deployment Modes
• All personas residing on the same entity
• Personas are distributed for scalability or design requirements
• Multiple PSN’s
• 2 PAN’s (one active, one standby)
• 2 MnT’s (one active, one standby)
ISE Architecture
• Everything circles around two types of policies
• Authentication policies, processed first
• Authorization policies, processed second
• Inbound AAA request flow
• Authentication policy matching
• Single or rule-based policy
• Single model does not allow defining conditions
• Rules are processed top-down until first match
• Action “drop” means play dead, no RADIUS message sent back to NAD
• Action “continue” means act like authentication was successful, inspect authorization policies
ISE Architecture
• Inbound AAA request flow
• Authorization policy matching
• Standard and exception policies
• Exception policies are processed before standard policies
• Rules are processed top-down until first match by default
• Optionally, multiple rules can be matched, with their results being combined
• Access-Accept takes precedence over Access-Reject
ISE Authentication Policy
• Authentication Policy format
• If condition
• Identify the RADIUS packet based on RADIUS attributes
• Then allowed protocols
• Which authentication protocol can be used by the supplicant
• And validate credentials
• Which identity source can be queried for authentication
ISE Authorization Policy
• Authorization Policy format
• If condition
• Identify the RADIUS session or supplicant by profiling
• And optionally if used identity store
• Store of user credentials
• Then apply authorization profile
• User/device authorization
Part III : Layer 2 Authentication - MAB
Network Access Authentication
• Layer 2
• Supplicant does not need an IP address
• MAB and 802.1x (EAP methods)
• Layer 3
• Supplicant requires an IP address
• Local Web Authentication (web portal on the NAD)
• Central Web Authentication (web portal on the authentication server)
MAB – MAC Authentication Bypass
• MAB (MAC Authentication Bypass) is used to…
• Authenticate non 802.1x capable devices
• Trigger CWA and BYOD enrollment
• Technically is NOT an authentication method…just bypasses authentication
• If MAB is enabled on the switch interface
• Switch takes each new MAC address and sends it to RADIUS for authentication
• RADIUS User-Name and RADIUS User-Password are both set to the MAC address
• RADIUS Calling-Station-ID is set to the MAC address
• RADIUS Service-Type is Call-Check (10) for MAB
MAB – MAC Authentication Bypass
• If “Process Host Lookup” is enabled on the RADIUS server
• Authentication is done based on the RADIUS Calling-Station-ID attribute value
• If “Process Host Lookup” is disabled on the RADIUS server
• Authentication is done based on the RADIUS User-Name and User-Password attribute values
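As an added example (not from the original slides or from Cisco), the Python below encodes the MAB Access-Request described above, including the RFC 2865 MD5 hiding of User-Password mentioned in the RADIUS slide, and shows both server-side decisions; the MAC address, shared secret and authenticator are constructed sample values, and the decision logic is a simplification of what ISE does.

```python
import hashlib
import os
import struct

# RFC 2865 packet code and attribute types used in a MAB Access-Request
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
SERVICE_TYPE_CALL_CHECK = 10  # Service-Type value a NAD uses for MAB


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16 and
    XOR each block with MD5(secret + previous block), seeded with the 16-byte
    Request Authenticator. Only this attribute is hidden, nothing else is."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_mab_access_request(mac: str, secret: bytes, identifier: int = 1,
                             authenticator: bytes = b"") -> bytes:
    """Encode the Access-Request a switch sends for MAB: User-Name and
    User-Password both equal the MAC address, Calling-Station-Id equals the
    MAC address and Service-Type is Call-Check (10)."""
    authenticator = authenticator or os.urandom(16)
    body = (attribute(ATTR_USER_NAME, mac.encode())
            + attribute(ATTR_USER_PASSWORD, hide_password(mac.encode(), secret, authenticator))
            + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
            + attribute(ATTR_CALLING_STATION_ID, mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} for everything after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def server_accepts(packet: bytes, secret: bytes, known_macs: set,
                   process_host_lookup: bool) -> bool:
    """Simplified server-side MAB decision. With Process Host Lookup enabled the
    server authenticates on Calling-Station-Id (and expects Service-Type Call-Check);
    with it disabled it falls back to User-Name / User-Password."""
    attrs = parse_attributes(packet)
    authenticator = packet[4:20]
    service_type = struct.unpack("!I", attrs[ATTR_SERVICE_TYPE][0])[0]
    if process_host_lookup:
        if service_type != SERVICE_TYPE_CALL_CHECK:
            return False
        return attrs[ATTR_CALLING_STATION_ID][0].decode() in known_macs
    user = attrs[ATTR_USER_NAME][0]
    password = reveal_password(attrs[ATTR_USER_PASSWORD][0], secret, authenticator)
    return user == password and user.decode() in known_macs


if __name__ == "__main__":
    # Constructed sample values: a MAC in IETF format (as produced by
    # "radius-server attribute 31 mac format ietf") and a demo shared secret.
    pkt = build_mab_access_request("00-11-22-aa-bb-cc", b"demo-secret")
    print(server_accepts(pkt, b"demo-secret", {"00-11-22-aa-bb-cc"}, True))  # True
```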
MAB Configuration Steps on Supplicant
• None
• Because MAB is not an authentication protocol
• It is authentication bypass
• There is no negotiation between supplicant and NAD
MAB Configuration Steps on NAD
• Enable AAA
• aaa new-model
• Configure dot1x default authentication list
• aaa authentication dot1x default group
• Enable MAB on switch port facing the supplicant
• mab [eap]
• Enforce authentication on switch port facing the supplicant
• authentication port-control auto
• Define RADIUS server settings
• radius-server host <IP> key <radius key>
• Optionally configure other global/interface level settings
• radius-server attribute 31 mac format
MAB Configuration Steps on ISE
• Configure MAB authentication policy
• Optionally use a default one
• Configure authorization policy
• Optionally use a default one
• Add supplicant’s MAC address into Internal Endpoints Store
• Authentication performed based on RADIUS Calling Station-ID attribute value
MAB Verification and Troubleshooting
• Verification
• show mab all
• show authentication session
• show aaa servers
• Troubleshooting
• show authentication session interface <if_number>
• debug mab all
• debug radius authentication
MAB and 802.1x Common Authorizations
• VLAN
• Data VLAN (by name or number)
• Optional, it overrides the VLAN locally configured on NAD switch port
• Voice VLAN permission
• Mandatory for voice domain, allows Phone to join the voice VLAN as configured locally on NAD
MAB and EAP Common Authorizations
• Access-Lists
• dACL (Cisco Proprietary, uses AV pairs)
• Before 12.2(55)SE code, switch port required a pre-auth ACL to be applied
• ACL configured on ISE
• Filter-ID ACL (IETF standard)
• ACL configured on NAD
• Per-user ACL (Cisco proprietary, uses AV pairs)
• ACL configured on ISE and ACE’s pushed through authorization by ISE
• ACL configured on NAD and ACL name pushed through authorization by ISE
• ACL Common configuration requirements on NAD
• aaa authorization network default group
• radius-server vsa send authentication
• ip device tracking
Authorization Verification Troubleshooting
• Verification
• show ip access-list interface <if_number>
• show ip interface <if_number>
• show epm session interface <if_number>
• show authentication interface <if_number>
• show authentication session interface <if_number>
• Troubleshooting
• show ip device tracking all
• show aaa method-lists authorization
• debug radius authentication
• debug ip device tracking events
Part IV : Layer 2 Authentication - EAP
EAP – Extensible Authentication Protocol
• EAP is an authentication framework
• Mainly used in Wi-Fi and wired
• 802.1x defines the encapsulation of EAP over IEEE802, namely EAP over LAN (EAPOL)
• 802.1x is a flexible layer 2 authentication mechanism
• Makes use of EAP methods, tunneled inside RADIUS packets
• Currently there are about 40 different methods defined
• EAP method types
• Tunneled (protects the supplicant’s identity and credentials)
• Non-tunneled (does not protect supplicant’s credentials)
Common EAP Tunneled Methods
• PEAP - Protected EAP (developed by Microsoft, Cisco, RSA)
• Two phase method
• Phase 1, called outer method, used to authenticate server and form the TLS channel
• Phase 2, called inner method, used to authenticate supplicant and protect its EAP identity
• Theoretically, inner authentication method can be any EAP type
• Mutual authentication
• Server is always authenticated by certificate
• Supplicant is authenticated by certificate (EAP-TLS), username/password (EAP-MSCHAPv2), or OTP (EAP-GTC)
• Requires a server certificate; a client certificate is optional
• Identity protection available only in PEAPv1 and PEAPv2
Common EAP Tunneled Methods
• EAP-FASTv1 (Flexible Authentication via Secure Tunneling)
• Cisco proprietary, similar to PEAP in scope but very different in functionality
• Developed to allow faster re-authentication and wireless roaming
• Based on PAC files (Protected Access Credentials)
• Can be seen as a cookie locally stored on the supplicant
• Generated by the RADIUS server from a master key known by itself only
• Three-phase method
• Phase 0 is optional and used to provision the supplicant with a PAC file
• Phase 1 is used to establish the TLS tunnel based on the PAC file
• Phase 2 is used to authenticate the supplicant within the TLS tunnel
• EAP-FASTv2 (EAP Chaining)
• Ties machine authentication to user authentication
• Relies on machine PAC and user PAC
• Performs double authentication within single EAP transaction
• Will become standard, known as EAP-TEAP (RFC draft)
Common EAP Tunneled Methods
• EAP-TTLS - Tunneled TLS (RFC5281)
• Very similar to PEAP
• Two-phase method
• Requires server side certificate
• Major difference as compared to PEAP is that inner method can use any authentication
• Non-EAP methods such as PAP and CHAP supported
• Not widely implemented
• Two versions EAP-TTLSv0 and EAP-TTLSv1
Common EAP Non-Tunneled Methods
• EAP-TLS (RFC 5216)
• Single phase protocol
• Mutual authentication based on certificates
• Requires client and server certificates
• TLS tunnel created based on certificates
• The RFC requires only server side certificates
• No supplicant identity protection
• Passed in EAP-Identity and in certificate exchange
Common EAP Non-Tunneled Methods
• EAP-MD5 (RFC2284)
• The only EAP method defined in original EAP RFC
• Only supplicant authentication based on username/password
• Challenge-response through MD5
• EAP-GTC (RFC3748)
• Developed by Cisco as alternative to PEAP
• Supports OTP through challenge-response based authentication of supplicant
• EAP-LEAP (Light EAP)
• Cisco proprietary used only for wireless (WEP or TKIP keys)
• Mutual authentication based on shared secret which is client’s password
• Uses modified version of MS-CHAP, thus is challenge-response based
• Supplicant authenticated based on username/password
802.1x Configuration Steps on Supplicant
• Configure the supplicant to use appropriate EAP method
• It cannot be negotiated
• Two types of supplicants
• Built-in operating system supplicant
• Cisco AnyConnect NAM module
• Ideally, do not leave both supplicants configured
802.1x Configuration Steps on NAD
• Enable AAA
• aaa new-model
• Configure dot1x default authentication list
• aaa authentication dot1x default group
• Globally enable 802.1x
• dot1x system-auth-control
• Enable 802.1x on switch port facing the supplicant
• dot1x pae authenticator
• Enforce authentication on switch port facing the supplicant
• authentication port-control auto
• Define RADIUS server settings
• radius-server host <IP> key <radius key>
• Optionally configure other global/interface level settings
802.1x Configuration Steps on ISE
• Configure 802.1x authentication policy
• Optionally use a default one
• Enable same EAP method as on supplicant
• Configure authorization policy
• Optionally use a default one
• Enroll ISE into PKI infrastructure
• Only if tunneled EAP methods are used by supplicant
• Enroll ISE into Active Directory
• Only if EAP-TLS or EAP-MSCHAPv2 is the authentication method of supplicant
802.1x Verification and Troubleshooting
• Verification
• show dot1x all
• show authentication session
• show authentication interface <if_number>
• show aaa servers
• Troubleshooting
• show authentication session interface <if_number>
• debug dot1x all
• debug radius authentication
Part V : ISE Identity Sources
ISE Identity Sources
• To authenticate and authorize machines/users, ISE can validate their credentials in two ways
• Internally
• Externally
• Internal Store has two types of entries
• Endpoints (MAC database), organized into groups
• Blacklist, Guest End Points, Registered Devices, Profiled
• Users, organized into groups
• Guest, Activated Guest, Employee, Sponsor Groups
• Can be used as conditions in Authorization policies
• Additional groups can be created
External Authentication Support
• ISE can authenticate/proxy against several external sources
• RADIUS
• LDAP
• Active Directory
• PKI (ISE CA server support was added in ISE 1.3)
• Active Directory (AD) integration is the most common one
• ISE 1.2 supports a single AD integration
• Multiple AD domains are supported if all are within the same forest and trusts are configured
• ISE 1.3 supports up to 50 AD domains to be joined
• ISE joins AD just like a regular computer
• Requires administrative rights just for join process
• After the join, it needs READ ALL rights at the top of the AD/forest schema
Active Directory Integration
• ISE and Domain Controller (DC) need to be NTP synchronized
• Maximum tolerated time skew is 5 minutes
• Accurate time is also needed in order to validate supplicant certificates
• Connectivity requirements between ISE and DC
• Global Catalog ( TCP 3268/3269)
• LDAP (UDP/TCP 389)
• LDAPS (TCP 636)
• SMB (TCP 445)
• KDC (TCP 88)
• KPASS (TCP 466)
Authentication against AD
• Supported authentication options
• EAP-TLS
• EAP-MSCHAPv2
• EAP-TLS
• Supplicant certificate can be stored in Active Directory schema
• ISE can be configured to validate supplicant certificate against AD
• Verify the identity of the machine or user
• By default in EAP-TLS, ISE just checks if certificate is valid
• Not expired (certificate validity time compared with ISE clock)
• Not revoked (uses CRL published by the supplicant’s CA issuer)
Authorization based on AD
• Users and computers are objects in the AD schema
• Identified by their attributes
• Attributes examples: username, hostname, group membership
• ISE can use these attributes in authorization policies
• Allows for authorization policy scalability
• Example: different authorization can be applied for different groups
• This is called contextual access
• Authorization done based on multiple inputs/conditions
• User and computer membership
• Type of device (identified via profiling)
• Method and time of network access
ISE Configuration for AD Integration
• Synchronize clock between AD DC and ISE
• Configure ISE with appropriate DNS server
• It has to be a Domain Controller
• Configure ISE with the AD domain name
• Test connectivity with AD DC
• Join ISE into AD
• Define object attributes to be used in authorization policies
• This step is optional but recommended
Part VI : Layer 3 Authentication – HTTP / HTTPS
About Layer 3 Authentication
• Performed through HTTP/HTTPS by redirecting users to a web portal
• Not supported for machine authentication, only for user authentication
• Portal can reside on the NAD (switch, WLC)
• Named Local Web Authentication (LWA)
• Rarely implemented because it is decentralized
• Portal can reside on the ISE
• Named Central Web Authentication (CWA)
• Widely deployed as it is centralized
• User / supplicant requires IP address to complete the process
• Starting with IOS code 12.2(55)SE, switch enforces by default an ACL on the port, which allows DHCP traffic, named Auth-Default-ACL
• Otherwise static pre-authentication ACL needs to be deployed
About Layer 3 Authentication
• In both LWA and CWA
• Authentication is performed by the RADIUS server
• It is supported for wired and wireless access
• Not for VPN access yet
• For VPN, both ISE and VPN gateway need to support it
• Use-cases
• Mainly deployed for visitors, guest services
• Required for Bring Your Own Device implementation
• Alternative to Enterprise Mobility Management solution
• Supported only in CWA mode
Local Web Authentication
• Enterprise assets will perform MAB or 802.1x in general
• Also known as standalone web authentication
• Makes use of authentication-proxy service via HTTP
• MAB and 802.1x will thus also be enabled in most cases
• LWA will be used as a fallback method on the switch port
• Because you never know who connects on a switch port, employee or guest
• Can be used as the single authentication method, but rarely deployed
• Authorization restriction
• Does not support VLAN assignment, mainly because CoA is not supported in this deployment
• Per-user ACL not supported, instead use proxy-ACL
• same concept, still uses VSA’s, but different ACL syntax
LWA Configuration Steps on Supplicant
• None
• Just a browser, because LWA is not an authentication protocol
• It is just a web authentication method
• There is no negotiation between supplicant and NAD
• NAD just intercepts HTTP/HTTPS sessions from supplicant and redirects user to the web portal
• NAD requires a layer 3 address (SVI) for this to work
• Device Requirements
• IP address
• DNS resolution required for redirection-URL
LWA Configuration Steps on NAD
• Enable AAA
• aaa new-model
• Configure login default authentication list
• aaa authentication login default group
• Define LWA profile
• ip admission name <auth_name> proxy http
• fallback profile <profile_name>
• ip admission <auth_name>
• Enable LWA on switch port facing the user
• authentication order webauth
• authentication fallback <profile_name>
LWA Configuration Steps on NAD
• Enable device tracking and HTTP/HTTPS server
• ip device tracking
• ip http server
• ip http secure-server
• Enforce authentication on switch port facing the supplicant
• authentication port-control auto
• Define RADIUS server settings
• radius-server host <IP> key <radius key>
• Optionally configure other global/interface level settings
• RADIUS Service-Type will be Outbound
• In most IOS codes it is not sent in the RADIUS Access-Request message unless the command radius-server attribute 6 on-for-login-auth is configured
LWA Configuration Steps on ISE
• Configure RADIUS integration with NAD
• Configure authentication policy
• Possibly match on RADIUS Service-Type to make the policy unique
• Configure authorization policy
• Optionally integrate with External Servers for authentication
• Otherwise define username/password in Local Users Store
Central Web Authentication Work Flow
• Uses a two phase process
• Phase 1
• Uses MAB authentication
• MAB will fail, as ISE is not aware of client’s MAC address
• ISE will be configured to authorize the client, even though it failed authentication
• Continue action in authentication policy for failed authentication
• Intermediate Authorization received from ISE will be
• Redirect-ACL, in order to capture client’s HTTP / HTTPS traffic for redirection
• Redirect-URL, in order to redirect client to ISE portal
• Optionally, ACL in order to restrict client’s network access
Central Web Authentication Work Flow
• Phase 2 starts if user initiates HTTP / HTTPS traffic
• Phase 2
• User is redirected to ISE’s web portal
• It has to pass portal authentication via username/password
• If authentication succeeds, ISE will send a RADIUS Change of Authorization (CoA) message to the NAD
• As a result, NAD will perform a re-authentication of the client via MAB
• Authentication will fail again, just like in Phase 1
• Final authorization is received from ISE and applied by NAD on the port
• Final authorization uses the special condition of Network Access Use Case Equals GuestFlow
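An added example, not part of the original deck: a small Python model of the ISE policy flow from the ISE Architecture slides (authentication rules top-down with the drop/continue failure actions, exception policies before standard ones, first match wins) driven through the two CWA phases above; the rule names, authorization profiles and redirect URL are constructed placeholders, and Service-Type 2 (Framed) is assumed for 802.1x requests.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed authorization profiles (what ISE would return in an Access-Accept)
REDIRECT_PROFILE = {"cisco-av-pair": ["url-redirect-acl=REDIRECT",
                                      "url-redirect=https://ise.example.test:8443/portal"]}  # placeholder
GUEST_PROFILE = {"Filter-Id": "GUEST_ACL.in"}
EMPLOYEE_PROFILE = {"Tunnel-Private-Group-ID": "EMPLOYEE_VLAN"}
DENY_ACCESS = "DenyAccess"


@dataclass
class AuthnRule:
    name: str
    condition: Callable[[dict], bool]   # evaluated on the RADIUS attributes
    identity_store: set                 # constructed: identities the store knows
    if_auth_fail: str = "reject"        # "reject", "drop" or "continue"


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[dict], bool]   # evaluated on the session (attributes + status)
    profile: object                     # authorization profile dict, or DENY_ACCESS


@dataclass
class Policy:
    authentication: list
    authz_exceptions: list              # processed before the standard rules
    authz_standard: list


def evaluate(policy: Policy, request: dict):
    """Return (RADIUS result, authorization profile). Result is None when the
    matched authentication rule's failure action is 'drop' (nothing sent to the NAD)."""
    session = dict(request)
    for rule in policy.authentication:           # top-down, first match
        if not rule.condition(request):
            continue
        if request["User-Name"] in rule.identity_store:
            session["AuthenticationStatus"] = "AuthenticationPassed"
        elif rule.if_auth_fail == "drop":
            return None, None
        elif rule.if_auth_fail == "reject":
            return "Access-Reject", None
        else:                                    # "continue": authorize anyway
            session["AuthenticationStatus"] = "AuthenticationFailed"
        break
    else:
        return "Access-Reject", None             # no authentication rule matched
    for rule in policy.authz_exceptions + policy.authz_standard:
        if rule.condition(session):
            if rule.profile == DENY_ACCESS:
                return "Access-Reject", None
            return "Access-Accept", rule.profile
    return "Access-Reject", None


def build_policy(blacklist: set, employees: set) -> Policy:
    """Constructed policy set: MAB continues on failure (ISE does not know the MAC),
    802.1x rejects on failure, a blacklist exception, then standard rules."""
    return Policy(
        authentication=[
            AuthnRule("MAB", lambda r: r["Service-Type"] == 10, set(), "continue"),
            AuthnRule("Dot1X", lambda r: r["Service-Type"] == 2, employees, "reject"),
        ],
        authz_exceptions=[
            AuthzRule("Blacklist", lambda s: s["Calling-Station-Id"] in blacklist, DENY_ACCESS),
        ],
        authz_standard=[
            # Must sit above the redirect rule: standard rules are processed top-down
            AuthzRule("Guest_Authorized", lambda s: s.get("UseCase") == "GuestFlow", GUEST_PROFILE),
            AuthzRule("Employee", lambda s: s["AuthenticationStatus"] == "AuthenticationPassed",
                      EMPLOYEE_PROFILE),
            AuthzRule("CWA_Redirect", lambda s: s["AuthenticationStatus"] == "AuthenticationFailed"
                      and s["Service-Type"] == 10, REDIRECT_PROFILE),
        ],
    )


def cwa_flow(policy: Policy, mac: str, portal_login_ok: bool) -> list:
    """Phase 1: MAB request for an unknown MAC. Phase 2: after a successful portal
    login ISE sends CoA, the NAD re-authenticates via MAB (failing again) and ISE
    now matches the session on Network Access UseCase = GuestFlow."""
    phase1 = {"User-Name": mac, "Calling-Station-Id": mac, "Service-Type": 10}
    results = [evaluate(policy, phase1)]
    if results[0][0] == "Access-Accept" and portal_login_ok:
        phase2 = dict(phase1, UseCase="GuestFlow")
        results.append(evaluate(policy, phase2))
    return results
```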
CWA Configuration Steps on Supplicant
• None
• Just an ISE supported browser, because CWA is not an authentication protocol
• It is just a web authentication method
• There is no negotiation between supplicant and NAD
• NAD just intercepts HTTP/HTTPS sessions from supplicant and redirects user to the web portal
• NAD requires a layer 3 address (SVI) for this to work
• Device Requirements
• IP address
• DNS resolution required for redirection-URL
CWA Configuration Steps on NAD
• Enable AAA
• aaa new-model
• Configure 802.1x default authentication list
• aaa authentication dot1x default group
• Configure authorization list, as Phase 1 always includes authorization
• aaa authorization network default group
• Enable MAB on switch port facing the supplicant
• mab [eap]
• Enforce authentication on switch port facing the supplicant
• authentication port-control auto
CWA Configuration Steps on NAD
• Enable device tracking and HTTP/HTTPS server
• ip device tracking
• ip http server
• ip http secure-server
• Define RADIUS server settings
• radius-server host <IP> key <radius key>
• Configure CoA with the same RADIUS server
• aaa server radius dynamic-author
• client <server_ip> server-key <string>
• Configure the redirect ACL on the switch (allow DHCP, DNS and ISE access on TCP port 8443)
• Optionally configure other global/interface level settings
CWA Configuration Steps on ISE
• Configure RADIUS integration with NAD
• also for CoA
• Configure authentication policy
• MAB authentication rule to pass, even though authentication fails
• Configure authorization policy for Phase1
• Redirect-URL and Redirect-ACL
• Configure authorization policy for Phase2
• Optional, just Access-Accept is enough
• Optionally integrate with External Servers for authentication
• Otherwise define username/password as Guest Account
CWA Verification and Troubleshooting
• Verification
• show authentication session
• show authentication interface <if_number>
• show aaa servers
• Troubleshooting
• show authentication session interface <if_number>
• show epm session ip
• show ip access-list interface
• debug radius authentication
• debug aaa coa
ISE Guest Services
• Nothing other than what we’ve seen in CWA
• ISE supports full lifecycle management for guest access
• Admin Portal, used to manage global policies for sponsors and guest users, runs on Admin Persona
• Sponsor Portal, used to manage guest user accounts, runs on PSN Persona
• Guest Portal, used to authenticate guests, runs on PSN persona
• All three portals run by default over TCP 8443, can be changed
• Guest Portal scalability
• Supports multiple guest portals
• Each guest portal is managed by one or multiple sponsors
• Each guest portal can be customized
Guest Services Configuration Steps
• On supplicant and NAD, same as in CWA
• On ISE, same as in CWA
• Optionally create sponsor accounts and groups
• Optionally configure guest account settings
• Optionally customize guest portal
• If guest credentials are stored on ISE
• Provision user credentials as Guest Account
• This default requirement can be changed
Bring Your Own Device - BYOD
• Enterprise assets will perform MAB or 802.1x in general
• Supplicant on assets is automatically deployed and configured
• Operation is transparent to the user
• Many enterprises are opening up for BYOD
• Allows you to come to work with your own device
• To be considered enterprise, it has to use 802.1x authentication
• Challenge is configuration of 802.1x on user’s devices
• ISE allows employees to enroll their own devices
• Supplicant on devices will be automatically configured for 802.1x and enrolled in PKI
• Process achieved through CWA with self-service and device registration being enabled
• Once enrolled, user will be assigned to the ActivatedGuest group of users, which can be used as a condition in authorization policies
BYOD Device Onboarding
• Mostly used for mobile assets
• Smartphones, tablets, laptops
• As mobile assets generally lack an Ethernet card
• Deployment is done via Wi-Fi
• Wired is also supported
• Wireless Deployment Options
• Single SSID
• Dual SSID
Part VII : EndPoint Profiling
What is Profiling ?
• Profiling
• Allows ISE to learn attributes about network connected endpoints
• Based on the profile, it will assign endpoint to appropriate identity groups
• Groups can be used in authorization policy for smarter network access control decisions
• Especially useful for devices that perform MAB, but not only
• Two types of profiling
• Static profiling, where endpoint is manually assigned to a group
• Dynamic profiling, where endpoint attributes are dynamically learned through the use of probes
• By default, dynamic profiling is turned off
• Endpoints are still automatically profiled based on MAC address
• However, only device vendor can be detected, so it’s not very specific
Dynamic Profiling
• Automatic fingerprinting of the endpoint based on several probes
• ISE needs to be configured to listen for probes
• NAD needs to be configured to send probes
• RADIUS, highly recommended
• Inspects RADIUS attributes from the authentication Request
• Inspects RADIUS accounting for IP-MAC binding, required for NMAP scanning or DNS resolution of endpoint
• Used also for IOS Device sensor feature, supported starting with 15.0(2) on switches and 7.2.110.0 on WLC
Most Commonly Used Probes
• HTTP
• ISE interprets HTTP messages from CWA or SPAN
• Gathers User-Agent from HTTP packet, used to identify the operating system on the device
• Crucial for mobile device profiling
• DHCP
• ISE interprets DHCP messages from DHCP-Relay or SPAN
• Gathers User-Agent from DHCP packet, used to identify the operating system on the device
• Gathers DHCP hostname
• Important for mobile device profiling
• Useful only in DHCP environments
Less Commonly Used Probes
• NMAP
• TCP/UDP port scanning for operating system detection
• SNMP query sent by ISE
• Used only in case NAD does not support device sensor
• Triggered by RADIUS accounting or SNMP trap
• Reads CDP/LLDP/ARP/MAC data
• DNS resolution performed by ISE
• Reverse DNS query for PTR records to get the FQDN of the endpoint
• Query initiated only if the device has been profiled through other probes: RADIUS, DHCP, HTTP, SNMP
• Netflow samples
• Detects abnormal traffic (e.g. a profiled printer making Skype calls on the Internet)
Profiling Policies
• ISE has a large database of built-in profiling policies
• Can profile many devices out-of-the-box, given that enough data is received from probes
• Additional policies can be manually configured, or you can edit the built-in ones
• Logical profile is a container with associated profiling policies
• ISE has a built-in hierarchy for device profiling, in the form of parent-child, for example
• Parent policy is named Apple-Device
• Child policy attached to the parent policy can be Apple-iPad or Apple-iPhone
• Profiling policies are built on a set of conditions for device identification
• In order to be profiled as Apple-iPad, conditions for both parent and child policy need to be satisfied
Profiling Policies Settings
• Minimum Certainty Factor
• How sure is ISE about endpoint being identified
• Integer value which needs to be met in order for the endpoint to be assigned to the profiling policy
• Associated CoA type
• When endpoint is profiled and assigned to a specific group, do you want CoA to be performed
• Rules
• Each rule is a condition matching on collected endpoint attributes
• Each rule has an associated action, most commonly being to increase the Certainty Factor
• NMAP SCAN is an alternative action
Profiling Result
• It can happen that the device is authorized by ISE before being accurately profiled
• Thus, usually CoA is also deployed with profiling
• Allows to change device authorization after being profiled
• In general, by deploying ISE in phases, all devices will be profiled before going to Closed Mode
• Because of profiling, CoA is triggered when
• Endpoint profiled for 1st time
• Endpoint statically assigned to a group
• Endpoint removed from ISE database
• Endpoint dynamically changed identity group membership
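Added example (not the original author’s or Cisco’s code): a Python model of the parent/child profiling policies, Minimum Certainty Factor and CoA-on-group-change described in the three slides above; the OUI table, policy rules and certainty values are constructed, not ISE’s built-in ones.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed OUI lookup: MAC prefix -> vendor. With no probe data beyond the
# MAC, only the vendor is known, hence the generic "Apple-Device" assignment.
OUI_TABLE = {"aa:bb:cc": "Apple, Inc.", "dd:ee:ff": "Example Printer Co."}


@dataclass
class ProfilerRule:
    condition: Callable[[dict], bool]  # matches collected endpoint attributes
    certainty: int                     # Certainty Factor added on a match


@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int                 # Minimum Certainty Factor to be assigned
    rules: list
    parent: Optional["ProfilingPolicy"] = None


def has(attr: str, text: str) -> Callable[[dict], bool]:
    """Condition helper: attribute present and containing text (case-insensitive)."""
    return lambda ep: text.lower() in str(ep.get(attr, "")).lower()


# Constructed policy hierarchy mirroring the Apple-Device -> Apple-iPad example
APPLE_DEVICE = ProfilingPolicy("Apple-Device", 10, [ProfilerRule(has("OUI", "Apple"), 10)])
APPLE_IPAD = ProfilingPolicy("Apple-iPad", 20, [
    ProfilerRule(has("User-Agent", "iPad"), 20),      # HTTP probe
    ProfilerRule(has("host-name", "iPad"), 10),       # DHCP probe, not enough alone
], parent=APPLE_DEVICE)
APPLE_IPHONE = ProfilingPolicy("Apple-iPhone", 20, [
    ProfilerRule(has("User-Agent", "iPhone"), 20),
], parent=APPLE_DEVICE)
PRINTER = ProfilingPolicy("Example-Printer", 10, [ProfilerRule(has("OUI", "Printer"), 10)])
POLICIES = [APPLE_DEVICE, APPLE_IPAD, APPLE_IPHONE, PRINTER]


def certainty(policy: ProfilingPolicy, endpoint: dict) -> int:
    return sum(r.certainty for r in policy.rules if r.condition(endpoint))


def matches(policy: ProfilingPolicy, endpoint: dict) -> bool:
    """Child and every ancestor must each reach their own minimum certainty."""
    while policy is not None:
        if certainty(policy, endpoint) < policy.min_certainty:
            return False
        policy = policy.parent
    return True


def depth(policy: ProfilingPolicy) -> int:
    return 0 if policy.parent is None else 1 + depth(policy.parent)


def profile_endpoint(policies: list, endpoint: dict) -> str:
    """Most specific (deepest) matching policy wins, ties broken by certainty."""
    best = max((p for p in policies if matches(p, endpoint)),
               key=lambda p: (depth(p), certainty(p, endpoint)), default=None)
    return best.name if best else "Unknown"


def update_endpoint(db: dict, mac: str, attrs: dict, policies: list = POLICIES):
    """Merge newly collected probe data for mac, re-profile, and report whether a
    CoA is needed (endpoint profiled for the first time or changed identity group)."""
    entry = db.setdefault(mac, {"attributes": {"OUI": OUI_TABLE.get(mac[:8].lower(), "")},
                                "group": None})
    entry["attributes"].update(attrs)
    new_group = profile_endpoint(policies, entry["attributes"])
    coa_needed = new_group != entry["group"] and new_group != "Unknown"
    entry["group"] = new_group
    return new_group, coa_needed
```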
ISE Authorization Flow with Profiling
• How AAA order of processing is changed
• Endpoint Authentication
• Initial Authorization Policy pushed (endpoint not profiled yet)
• Profiling data is received or asked for
• Device is profiled and assigned to an identity group
• ISE triggers CoA requesting endpoint re-authentication
• Endpoint Authentication
• Final authorization matching the conditions for the identity group
• Because authorization rules are processed top-down
• Order of rules is very important
Profiling Configuration Steps on NAD
• Configure RADIUS accounting to ISE
• aaa accounting dot1x default start-stop group
• Configure NAD to relay endpoint IP address in RADIUS Access-Request message, requires device tracking to be enabled
• radius-server attribute 8 include-in-access-req
• Configure DHCP-Relay
• ip helper-address <ise_ip>
• Configure NAD to relay endpoint DHCP class attribute in RADIUS Access-Request message
• radius-server attribute 25 access-request include
• Configure NAD to send Netflow samples and SNMP traps to ISE
Profiling Configuration Steps on ISE
• Ensure that Enable Profiling Service check box is selected on the PSN
• By default it is
• Enable Profiling Probes
• Activates interpretation of probe messages
• Enable CoA for Profiling
• Optionally, tune the profiler conditions and policies
• Configure authorization policies using as condition the profiled endpoints
• Most deployments use a separate physical port on ISE to receive data from probes
• Probes may send a huge amount of data, especially if SPAN is used
• SPAN is, in general, not recommended for performance reasons
• It leaves a dedicated port just for regular RADIUS authentication
NAD 802.1x Port Modes
• Single Host (default)
• Single MAC address allowed in data domain
• Second MAC address results in violation action
• Multi Domain
• Single MAC address allowed per domain (voice and data)
• Second MAC address for each domain results in violation action
• Multiple Authentication
• Single MAC address allowed in voice domain
• Multiple MAC addresses allowed in data domain
• VLAN authorization possible, single VLAN supported
• Multiple Host
• Only first MAC address is required to authenticate
• No ACL and Redirect URL support
IOS Device Sensor Overview
• Scales profiling service on ISE
• Highly recommended to be deployed
• Less data with more details for ISE to interpret
• The NAD gathers endpoint attributes through CDP, LLDP and DHCP
• CDP and LLDP need to be enabled on the NAD
• Sends the collected endpoint attributes to ISE through RADIUS accounting messages
• Uses Cisco AV pairs
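As an added example, not from the slides and not Cisco's code, here is how one cisco-av-pair string is carried inside a RADIUS Vendor-Specific attribute (RFC 2865, type 26, vendor ID 9, vendor-type 1) and how a collector on the ISE side would pull the device-sensor strings back out of an accounting message. The av-pair values used with it are constructed, not real device-sensor output.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// RADIUS Vendor-Specific attribute (RFC 2865 section 5.26) as Cisco uses it:
// Type=26(1) Length(1) Vendor-Id=9(4) Vendor-Type=1(1) Vendor-Length(1) "key=value".
const (
	attrVendorSpecific = 26
	vendorCisco        = 9 // IANA enterprise number for Cisco
	ciscoAVPair        = 1 // vendor-type of cisco-av-pair
	maxAttrLen         = 255
)

// EncodeCiscoAVPair wraps one "key=value" string in a RADIUS VSA. A value that does
// not fit in one attribute (255 bytes including headers) is rejected rather than split.
func EncodeCiscoAVPair(av string) ([]byte, error) {
	total := 8 + len(av)
	if total > maxAttrLen {
		return nil, errors.New("av-pair too long for a single RADIUS attribute")
	}
	b := make([]byte, 8, total)
	b[0], b[1] = attrVendorSpecific, byte(total)
	binary.BigEndian.PutUint32(b[2:6], vendorCisco)
	b[6], b[7] = ciscoAVPair, byte(2+len(av))
	return append(b, av...), nil
}

// DecodeCiscoAVPairs walks a buffer of RADIUS attributes and returns the
// cisco-av-pair strings, skipping other attribute types and other vendors.
func DecodeCiscoAVPairs(buf []byte) ([]string, error) {
	var out []string
	for len(buf) > 0 {
		if len(buf) < 2 || int(buf[1]) < 2 || int(buf[1]) > len(buf) {
			return nil, errors.New("malformed attribute length")
		}
		attr := buf[:buf[1]]
		buf = buf[buf[1]:]
		if attr[0] != attrVendorSpecific || len(attr) < 8 || binary.BigEndian.Uint32(attr[2:6]) != vendorCisco || attr[6] != ciscoAVPair {
			continue
		}
		if int(attr[7]) != len(attr)-6 { // vendor length covers vendor-type, vendor-length and value
			return nil, errors.New("malformed vendor length")
		}
		out = append(out, string(attr[8:]))
	}
	return out, nil
}
```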
DHCP Device Sensor Configuration Steps
• Configure a list of DHCP options to be collected
• device-sensor filter-list dhcp list <list_name>
• option name host-name
• option name client-identifier
• option name client-fqdn
• option name class-identifier
• Activate the DHCP sensor option
• device-sensor filter-spec dhcp include list <list_name>
CDP Device Sensor Configuration Steps
• Configure a list of CDP TLV’s to be collected
• device-sensor filter-list cdp list <list_name>
• tlv name device-name
• tlv name capabilities-type
• tlv name platform-type
• Activate the CDP sensor option
• device-sensor filter-spec cdp include list <list_name>
LLDP Device Sensor Configuration Steps
• Configure a list of LLDP TLV’s to be collected
• device-sensor filter-list lldp list <list_name>
• tlv name port-id
• tlv name system-name
• tlv name system-capabilities
• Activate the LLDP sensor option
• device-sensor filter-spec lldp include list <list_name>
Device Sensor Common Configuration
• Enable RADIUS accounting
• aaa accounting dot1x default start-stop group
• aaa accounting update newinfo
• radius-server vsa send accounting
• Globally activate IOS sensor
• device-sensor accounting
• device-sensor notify all-changes
• Globally activate CDP and LLDP
• cdp run
• lldp run
Device Sensor Verification
• Verify probe functionality
• show lldp
• show cdp
• show device-sensor cache all
• Verify collected data per endpoint
• show device-sensor cache mac <mac_address>
• Verify that collected data is being sent to ISE
• show aaa method-lists accounting
• debug radius accounting
Part VIII : Posture Assessment
Posture Services
• Posture Policy defines the health requirements of endpoints
• Through posture policies, ISE defines Windows/Mac endpoint compliance requirements
• Antivirus, Antispyware, firewall, OS updates
• Processes running, file existence, registry entries
• ISE collects endpoint data and matches it against its posture policies
• Endpoint data collected through
• NAC Agent
• AnyConnect Posture module available in AnyConnect 4.0
NAC Agent Overview
• NAC Agent
• Temporary web agent based on ActiveX or Java (Windows)
• Limited remediation
• Permanent agent (Windows and Mac)
• Automatic remediation
• NAC Agent compliance module (OPSWAT) used for antivirus and antispyware vendor support
• NAC Permanent Agent deployment options
• Manual installation, not scalable
• Unattended installation, customization available
• ISE Client Provisioning Policy
• Can also be used to automatically update NAC Agent or compliance module
NAC Agent Connectivity Requirements
• NAC Agent communicates directly with ISE
• Supplicant requires IP connectivity to ISE
• NAD is completely bypassed, which makes sense as it does not understand posture data
• TCP 8443 to ISE
• Required if NAC Agent is installed through CPP
• UDP / TCP 8909 to ISE
• Required for NAC Agent wizard installation via CPP
• UDP / TCP 8905 to ISE
• Used by SWISS protocol (report collected data to ISE)
• Required for ISE discovery and NAC Agent update
• ISE no longer uses legacy port 8906 for SWISS protocol
Posture Services
• Posture status options for an endpoint
• Unknown, no data was collected from the endpoint
• Usually means NAC Agent is not installed
• Could be that it is not running or does not have ISE connectivity
• Noncompliant, at least one requirement is not satisfied
• Remediation process can be started automatically
• Compliant, all requirements are satisfied
• Posture status is used as condition in authorization policies
• Network access is thus granted based on the health / security state of the endpoint
Posture Assessment Work Flow
• How AAA order of processing is changed
• Supplicant Authentication
• Initial Authorization Policy pushed (posture status Unknown)
• Posture Discovery and Assessment starts
• Posture data is received by ISE from NAC Agent
• Posture state is changed to Compliant or Noncompliant
• ISE triggers CoA requesting endpoint re-authentication
• Supplicant Authentication same as in first step
• Intermediate authorization is applied if posture status is Noncompliant
• Remediation starts, fixes problems, posture status changes to Compliant
• ISE triggers CoA requesting endpoint re-authentication
• Final authorization is applied if posture status is Compliant
Posture Configuration Steps on Supplicant
• Install NAC Agent
• Ideally, provision the FQDN of ISE PSN, to avoid ISE dynamic discovery
• FQDN automatically provisioned if Agent installed via CPP
• ISE Discovery process
• HTTP discovery probe on port 80 to ISE PSN, if configured
• HTTPS discovery probe on port 8905 to ISE PSN, if configured
• HTTP discovery probe on port 80 to default gateway
• HTTPS reconnect probe on 8905 to previously contacted ISE PSN
• To avoid endpoint being quarantined for remediation
• Ensure endpoint satisfies security policies configured on ISE
Posture Configuration Steps on NAD
• NAD is not aware of the posture process
• NAD just receives authentication status and authorization to be applied from ISE
• Allow NAC Agent connectivity with ISE
Posture Configuration Steps on ISE
• CoA is enabled by default for posture assessment
• Configure posture policies
• Per operating system
• Per group of users
• Configure authorization policies with posture status as condition
• For Unknown status, redirect to client provisioning portal
• For Noncompliant status, restrict access for remediation to work
• For Compliant status, grant network access as desired
• Optionally configure client provisioning policies
• Only when NAC Agent has not been pre-deployed
• Requires downloading of NAC Agent and compliance module to ISE
Part IX : Layer 2 Encryption - MACSec
Cisco TrustSec
• Stands for Trusted Security
• Consists of 802.1x, SGT and MACSec
• SGT stands for Security Group Tags
• MACSec stands for MAC Security (layer 2 encryption)
• MACSec offers line-rate layer 2 hardware-based encryption on a hop-by-hop basis
• Host-to-switch
• Switch-to-switch
• MACSec is the IEEE 802.1AE standard
• GCM-AES-128 algorithm
• EtherType value changed to 0x88e5
• Supports SGT embedded inside CMD (Cisco Meta Data) – layer 2 header
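To make the 802.1AE points above concrete, this added example (not code from the slides, nor from Cisco) builds and verifies a MACsec frame with GCM-AES-128: the SecTAG following EtherType 0x88E5, the GCM IV formed from the SCI and packet number, the DA/SA/SecTAG header authenticated as AAD, and the 16-byte ICV appended. The SAK, MAC addresses and SCI used with it are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// SecTAG = EtherType 0x88E5, TCI/AN(1), SL(1), PN(4), SCI(8); TCI bits SC, E and C set; hdrLen = DA+SA+SecTAG.
const macsecEtherType, tciSC, tciE, tciC, hdrLen = 0x88E5, 0x20, 0x08, 0x04, 28

// ProtectFrame builds a MACsec frame from DA, SA and the user data (original
// EtherType plus payload) with GCM-AES-128 under a 16-byte SAK: GCM IV = SCI||PN,
// AAD = DA||SA||SecTAG, and the 16-byte ICV is appended after the ciphertext.
func ProtectFrame(sak, da, sa, sci []byte, pn uint32, an byte, userData []byte) ([]byte, error) {
	if len(da) != 6 || len(sa) != 6 || len(sci) != 8 || pn == 0 { // PN 0 is invalid
		return nil, errors.New("bad MAC address, SCI or packet number")
	}
	sl := byte(0) // SL is non-zero only when the user data is shorter than 48 bytes
	if len(userData) < 48 {
		sl = byte(len(userData))
	}
	hdr := append(append([]byte{}, da...), sa...)
	hdr = append(hdr, macsecEtherType>>8, macsecEtherType&0xFF, tciSC|tciE|tciC|an&0x03, sl, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(hdr[16:20], pn) // a PN must never repeat under one SAK
	hdr = append(hdr, sci...)
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	iv := append(append([]byte{}, sci...), hdr[16:20]...)
	return append(hdr, aead.Seal(nil, iv, userData, hdr)...), nil
}

// UnprotectFrame verifies the ICV and decrypts. Any changed bit in DA, SA, the
// SecTAG or the ciphertext makes Open fail, which is how MACsec detects tampering.
func UnprotectFrame(sak, frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+16 || binary.BigEndian.Uint16(frame[12:14]) != macsecEtherType || frame[14]&tciSC == 0 {
		return nil, errors.New("not a MACsec frame carrying an SCI and a 16-byte ICV")
	}
	hdr := frame[:hdrLen]
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, append(append([]byte{}, hdr[20:28]...), hdr[16:20]...), frame[hdrLen:], hdr)
}
```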
MACSec Implementation Options
• Host-to-switch (downlink)
• Requires host to perform 802.1x authentication via EAP-TLS, PEAP or EAP-FAST
• Native Windows supplicant does not support it
• AnyConnect offers software based encryption
• Negotiation and key derivation via MKA (MACsec Key Agreement)
• Standard per the RFC
• Switch-to-switch (uplink)
• Manual/static configuration
• Negotiation and key derivation via SAP (Security Association Protocol)
• Cisco proprietary based on 802.11i
MACsec Policy Enforcement
• MACsec policy is enforced per port
• Must-not-secure, do not negotiate MACsec
• Should-secure (default), negotiate MACsec, if failed allow clear-text traffic
• Must-secure, negotiate MACsec, if failed do not allow clear-text traffic
• Policy type received from ISE overrides locally configured settings on NAD
• Local Should-Secure is overridden by ISE Must-Not-Secure
• Based on host port mode, MACsec is
• Fully supported with single-host and multi-domain
• Partially supported with multiple-host, only first authenticated MAC address may negotiate MACsec
• Not supported with multiple-authentication, because MACsec is point-to-point
MACsec Configuration Steps Supplicant
• Requires AnyConnect
• Configure EAP-FAST with MACsec support
MACsec Configuration Steps on NAD
• Ensure 802.1x authentication requirements are configured
• Enable MACsec on the switch port (downlink)
• macsec
• mka default-policy
• Optionally define MACsec policies on switch port (downlink)
• authentication linksec policy
• authentication event linksec fail action authorizevlan <vlan_nr>
• Enable MACsec on the switch port (uplink)
• cts manual
• sap pmk <value> mode-list gcm-encrypt
MACsec Configuration Steps on ISE
• Ensure 802.1x authentication and authorizations are functional
• Configure MACsec policy in the authorization profile
MACsec Verification and Troubleshooting
• Verification
• show macsec summary
• show macsec interface <if_nr>
• show authentication session interface <if_nr>
• show mka sessions interface <if_nr> detail
• show mka default-policy detail
• show cts interface summary
• show cts interface <if_nr>
• Troubleshooting
• debug radius authentication
• debug macsec event
Part X : Security Group Tags - SGT
What is SGT ?
• A label / tag identifying a packet
• How is it different from a VLAN tag ?
• It is a tag used for security purposes
• It identifies the context of the user, because it is assigned based on
• How did the user access the network
• From which device did the user access the network
• At what time did the user access the network
• Was the user’s device profiled
• What is the posture of the user’s machine
SGT Building Blocks
• Classification
• SGT assignment, always done at the network ingress point
• Can be static or dynamic
• Transport
• Via inline tagging by the NAD
• Via SXP protocol, a control-plane protocol
• Used to propagate SGT across devices that do not support SGT inline tagging
• Runs over TCP 64999
• Connection can be unidirectional (speaker-listener)
• Connection can be bidirectional, both devices can play both roles
• Enforcement
• Policy is applied via SGACL or SGFW
How does SGT help ?
• Used to configure firewall rules
• Restrict network access
• Firewall rules
• Configured on layer 3 switches, named SGACL
• Configured on ASA firewall, named SGFW
• Configured on IOS Zone-Based Firewall, named SGFW
• Why is it better than regular firewall rules ?
• The tag identifies much more than the user, it identifies the health state of the user/device
• A user can have the same tag, regardless of point of connection, thus regardless of its IP address
• In the BYOD context, a user may actually have 1-10 IP addresses assigned, which presents a scalability problem with firewall rules
SGT Overview
• SGT
• Layer 2 tag, by default
• Can be copied and carried in the layer 3 header by using ESP encapsulation
• Helps keep the security tag across routing domains
• SGT is dynamically assigned by ISE as part of the authorization policy
• For authenticated endpoints
• SGT is statically assigned by NAD
• For non-authenticated endpoints, like servers
• It can be assigned per VLAN, per IP, per subnet
• SGT is always applied to the packet by the NAD
• Requires both hardware and software capabilities
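Added example, not from the slides: a minimal model of the classification and enforcement building blocks described above, with static per-subnet and dynamic per-host IP-to-SGT bindings resolved by longest prefix match and an SGACL keyed only on the (source SGT, destination SGT) pair, so a user keeps the same policy whichever address they hold. The bindings, tag numbers and policy are constructed.

```go
package main

import "net"

// An IP-to-SGT binding: assigned by ISE at authorization (dynamic), configured
// on the NAD per IP or subnet (static), or learned from a peer over SXP.
type Binding struct {
	Prefix *net.IPNet
	SGT    uint16
}

// SGACL matrix: permitted (source SGT, destination SGT) pairs; all else denied.
type SGACL map[[2]uint16]bool

// Classify returns the SGT of the most specific binding covering ip (0 = unknown).
func Classify(bindings []Binding, ip net.IP) uint16 {
	best, sgt := -1, uint16(0)
	for _, b := range bindings {
		if ones, _ := b.Prefix.Mask.Size(); b.Prefix.Contains(ip) && ones > best {
			best, sgt = ones, b.SGT
		}
	}
	return sgt
}

// Permit enforces the SGACL on one packet: both ends are mapped to tags and the
// decision depends only on the tag pair, never on the addresses themselves.
func Permit(acl SGACL, bindings []Binding, src, dst net.IP) bool {
	return acl[[2]uint16{Classify(bindings, src), Classify(bindings, dst)}]
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Constructed sample policy: employees (SGT 10) may reach servers (SGT 20),
// guests (SGT 30) may not, and untagged (unknown) traffic is denied.
var (
	Bindings = []Binding{
		{mustCIDR("10.1.0.0/16"), 30},      // guest range, static per subnet on the NAD
		{mustCIDR("10.1.5.7/32"), 10},      // an employee roaming inside it, dynamic from ISE
		{mustCIDR("192.168.100.0/24"), 20}, // server VLAN, static
	}
	Policy = SGACL{{10, 20}: true, {10, 10}: true, {20, 20}: true}
)
```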
SGT Configuration Steps
• Configure TrustSec (CTS) between ISE and NAD
• Configure ISE dynamic SGT classification
• Configure NAD static SGT classification
• Configure SGACL on ISE
• Configure SGACL and SGFW enforcement
• Optionally configure SXP session between network devices
THE END