Date posted: 26-Jul-2015 | Category: Technology | Uploaded by: cisco-russia
Plus What’s New in ISE 1.4
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
• Introduction
• 1.3 Best Practices: Authentication, Profiling, Wireless/Wired, Cisco IT Case Study, Microsoft AD, Internal CA and Certificates, Guest, Posture, pxGrid, Serviceability, Virtual Appliance Deployments
• ATP Update
• ISE Services / Champions
• Licensing / ISE Express
• What's New in ISE 1.4
• ISE Roadmap
• Summary
Why we are here today
Identity Services Engine (ISE) is a core component of Cisco's Identity and Policy Management solution to secure access for everything that connects to the network.
The focus of this session is to review ISE 1.3 deployment best practices and lessons learned, and to provide an update on major feature enhancements in ISE 1.4. The session culminates in a roadmap briefing.
This session is targeted at Systems and Field Engineers who have current experience in ISE configuration and deployment.
Key Takeaways
At the end of the session, you should be able to:
• Implement ISE using best practices and leverage new techniques to optimize and manage its deployment.
• Design and deploy ISE for optimal scale, performance, and redundancy.
• List the new capabilities in ISE 1.4 and articulate their technical benefits to customers.
• Know where to go for more information and help on ISE.
Differentiators
In a world where any device, user, or application can connect to the network from anywhere at any time, customers are faced with the challenge of detecting all connections and applying business compliance policies that monitor and secure access to their organization's critical resources and data. ISE collects data from multiple sources to deliver on this requirement while sharing this rich content with other systems to enhance overall visibility and security.

Differentiator: Endpoint visibility and access control across wired, wireless, and VPN
  Major technical outcome: Single policy to manage all network access
  Major business outcome: Simplify operations while meeting organizational compliance requirements.

Differentiator: Policy enforcement embedded into the network
  Major technical outcome: Security is enacted across existing traffic channels where most beneficial
  Major business outcome: Customers leverage the intelligence and investment in existing infrastructure.

Differentiator: Context sharing
  Major technical outcome: Higher levels of security are gained through the sharing of rich contextual data across the entire system.
  Major business outcome: Customers gain significant benefit from leveraging the capabilities of existing IT spend.
What role do these differentiators play in a "Threat-centric Security Model"?
Attack Continuum:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
How does your solution address threats for our customers?
• Before: Identify and apply secure access policies to all connecting devices.
• During: Validate ongoing compliance and increase SIEM intel through context.
• After: Quarantine and remediation of offending and non-compliant users/devices.
Top ISE Deep Dive Resources
Partner
• Tech Talks / Voice of Engineer – Security Deep Dive Series: https://communities.cisco.com/docs/DOC-30977
• Cisco Live Online (Session Content and VoDs): https://www.ciscolive.com/online/
Customer
• ISE Design Guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html
Scaling Guest Authentications Using 802.1X
• Guests auth with 802.1X using EAP methods like PEAP-MSCHAPv2 / EAP-GTC
• 802.1X auth performance generally much higher than web auth
• ISE 1.2 Guest Role
• ISE 1.3 Guest Type
“Activated Guest” allows guest accounts to be used without ISE web auth portal
Note: AUP and PW change cannot be enforced since guest bypasses portal flow.
Optional: Redirect user to Hotspot for AUP only.
Scaling Web Authentication (ISE 1.3): "Remember Me" Guest Flows
• Device/user logs in to hotspot or credentialed portal
• MAC address automatically registered into GuestEndpoint group
• Authz policy for GuestEndpoint ID Group grants access until device purged
For ISE 1.2, can "chain" CWA+DRW or NSP to auto-register web auth users, but no auto-purge.
Automated Device Registration and Purge (New in ISE 1.3)
• Web Authenticated users can be auto-registered and endpoints auto-purged.
• Allows re-auth to be reduced to one day, multiple days, weeks, etc.
• Improves Web Scaling and User Experience
Endpoint Purging
Purge rules pair matching conditions with a purge criterion: # days after creation, # days inactive, or a specified date.
Endpoint Purging Examples
• On-demand purge
• Rule-based purge by matching conditions: # days after creation, # days inactive, specified date
ISE Profiling Best Practices: Whenever Possible...
• Use Device Sensor on Cisco switches and Wireless Controllers to optimize data collection.
• Ensure profile data for a given endpoint is sent to a single PSN (or a maximum of 2).
  – Sending the same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
• For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or Profiling using:
  – DHCP IP Helpers
  – SNMP Traps
  – DHCP/HTTP with ERSPAN (requires validation)
• Ensure profile data for a given endpoint is sent to the same PSN.
  – Same issue as above, but not always possible across different probes.
• Use node groups and ensure profile data for a given endpoint is sent to the same node group.
  – Node Groups reduce inter-PSN communications and the need to replicate endpoint changes outside of the node group.
• Avoid probes that collect the same endpoint attributes.
  – Example: Device Sensor + SNMP Query/IP Helper
• Enable Profiler Attribute Filter
ISE Profiling Best Practices: General Guidelines for Probes
• HTTP Probe:
  – Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
  – Avoid SPAN. If used, look for key traffic chokepoints such as the Internet edge or WLC connection; use intelligent SPAN/tap options or VACL Capture to limit the amount of data sent to ISE. It is also difficult to provide HA for SPAN.
• DHCP Probe:
  – Use IP Helpers when possible—be aware that an L3 device serving DHCP will not relay DHCP for the same!
  – Avoid DHCP SPAN. If used, make sure the probe captures traffic to the central DHCP Server. HA challenges.
• SNMP Probe:
  – Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low session/re-auth timers) or frequent interim accounting updates.
  – For polled SNMP queries, avoid short polling intervals. Be sure to set the optimal PSN for polling in the ISE NAD config.
  – SNMP Traps are primarily useful for non-RADIUS deployments like NAC Appliance—avoid SNMP Traps with RADIUS auth.
• NetFlow Probe:
  – Use only for specific use cases in centralized deployments—potential for high load on network devices and ISE.
Profiler Tuning for Polled SNMP Query Probe
• Set specific PSNs to periodically poll access devices for SNMP data.
• Choose the PSN closest to the access device.
[Diagram: PSN1 (Amer) and PSN2 (Asia); each switch sends RADIUS to, and is automatically SNMP-polled by, its nearest PSN.]
Profiler Tuning for Polled SNMP Query Probe
• Disable/uncheck SNMP Settings: disables all SNMP polling options [CSCur95329]
• Polling Interval
  – 1.2 default: 3600 sec (1 hour)
  – 1.3 default: 28,800 sec (8 hours) *Recommended minimum
  – Setting of "0": disables periodic poll but allows triggered and NMAP queries [CSCur95329]
• Triggered query auto-suppressed for 24 hrs per endpoint
• Polled mode = "Catch All"
Profiling Redundancy – Duplicating Profile Data
Sending Profile Data for the Same Endpoint to the Same Node Group / PSN
• Common config is to duplicate IP helper data at each NAD to two different PSNs or PSN LB Clusters
• Different PSNs receive data and may contend for ownership—increases replication
NAD configuration (the DHCP request on Vlan10 is relayed to the real DHCP server and to both PSN clusters):
  interface Vlan10
   ip helper-address <real_DHCP_Server>
   ip helper-address 10.1.98.8
   ip helper-address 10.2.100.2
[Diagram: DC #1 Load Balancer PSN-CLUSTER1 (10.1.98.8) fronting PSN1 (10.1.99.5), PSN2 (10.1.99.6), PSN3 (10.1.99.7); DC #2 Load Balancer PSN-CLUSTER2 (10.2.100.2) fronting PSN1 (10.2.101.5), PSN2 (10.2.101.6), PSN3 (10.2.101.7).]
Scaling Profiling and Replication
Using Anycast to Limit Profile Data to a Single PSN and Node Group
• Load Balancer VIPs host the same target IP for DHCP profile data
• Routing metrics determine which VIP receives DHCP from the NAD
NAD configuration (a single PSN helper address, since both clusters advertise the same VIP):
  interface Vlan10
   ip helper-address <real_DHCP_Server>
   ip helper-address 10.1.98.8
[Diagram: DC #1 Load Balancer PSN-CLUSTER1 (10.1.98.8) fronting PSN1 (10.1.99.5), PSN2 (10.1.99.6), PSN3 (10.1.99.7); DC #2 Load Balancer PSN-CLUSTER2 (also 10.1.98.8) fronting PSN1 (10.2.101.5), PSN2 (10.2.101.6), PSN3 (10.2.101.7).]
High-Level Load Balancing Diagram
[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → Load Balancer (VIP: 10.1.98.8 on VLAN 98, 10.1.98.0/24; LB: 10.1.99.1 on VLAN 99, 10.1.99.0/24) → ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6), ISE-PSN-3 (10.1.99.7). Also shown: ISE-PAN-1/ISE-MNT-1, ISE-PAN-2/ISE-MNT-2, External Logger, AD/LDAP, DNS, NTP, SMTP, MDM.]
Traffic Flow—Fully Inline: Physical Separation (Physical Network Separation Using Separate LB Interfaces)
• Load Balancer is directly inline between PSNs and the rest of the network.
• All traffic flows through the Load Balancer including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP…
• Fully inline traffic flow recommended—physical or logical
[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → Network Switch → Load Balancer (VLAN 98 External: 10.1.98.1, 10.1.98.2; VLAN 99 Internal: 10.1.99.1) → ISE-PSN-1/2/3 (10.1.99.5/6/7). ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP, SMTP sit on the external side.]
Traffic Flow—Fully Inline: VLAN Separation (Logical Network Separation Using Single LB Interface and VLAN Trunking)
• LB is directly inline between ISE PSNs and the rest of the network.
• All traffic flows through the LB including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP…
[Diagram: as above, but the Load Balancer connects to the Network Switch over a single trunked interface carrying VLAN 98 (External: 10.1.98.1, 10.1.98.2; VIP: 10.1.98.8) and VLAN 99 (Internal: 10.1.99.1); ISE-PSN-1/2/3 at 10.1.99.5/6/7; NAS IP: 10.1.50.2; ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP, SMTP on the external side.]
Partially Inline: Layer 2/Same VLAN (One PSN Interface): Direct PSN Connections to LB and Rest of Network
• All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LB VIP.
• Other inbound non-LB traffic bypasses the LB, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP…
• All outbound traffic from PSNs is sent to the LB as the default gateway (DFGW).
• LB must be configured to allow asymmetric traffic.
Generally NOT RECOMMENDED due to traffic flow complexity—must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.
[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch; L3 Switch, Load Balancer (VIP: 10.1.98.8) and ISE-PSN-1/2/3 (10.1.98.5/6/7) all on VLAN 98, other addresses shown 10.1.98.1 and 10.1.98.2; ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP, SMTP beyond the L3 switch.]
Partially Inline: Layer 3/Different VLANs (One PSN Interface): Direct PSN Connections to LB and Rest of Network
• All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LB VIP.
• Other inbound non-LB traffic bypasses the LB, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP…
• All outbound traffic from PSNs is sent to the LB as the default gateway (DFGW).
• LB must be configured to allow asymmetric traffic.
Generally NOT RECOMMENDED due to traffic flow complexity—must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.
[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch with VLAN 98 (External) and VLAN 99 (Internal); Load Balancer (VIP: 10.1.98.8) attached on both VLANs, addresses shown 10.1.98.1, 10.1.98.2, 10.1.99.1, 10.1.99.2; ISE-PSN-1/2/3 (10.1.99.5/6/7) on VLAN 99; ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP, SMTP beyond the L3 switch.]
Partially Inline: Multiple PSN Interfaces: Separate PSN Connections to LB and Rest of Network
• All LB traffic sent to LB VIP including RADIUS, Profiling (except SPAN data), and directed Web Services
• All traffic initiated by PSNs sent to LB as global default gateway
• Redirected Web Services traffic bypasses LB
• For ISE 1.2, recommend SNAT redirected HTTPS traffic at L3 switch
• ISE 1.3+ supports symmetric traffic responses (set default gateway per interface)
[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch with VLAN 98 (External), VLAN 99 (Internal) and VLAN 91 (Web Portals); Load Balancer (VIP: 10.1.98.8), addresses shown 10.1.98.1, 10.1.98.2, 10.1.99.2, 10.1.91.1; ISE-PSN-1/2/3 with an internal interface on VLAN 99 (10.1.99.5/6/7) and a web-portal interface on VLAN 91 (10.1.91.5/6/7); ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP, SMTP beyond the L3 switch.]
Fully Inline – Multiple PSN Interfaces: Network Separation Using Separate LB Interfaces
• All traffic sent to LB including RADIUS, Profiling (except SPAN data), and directed Web Services
• All traffic initiated by PSNs sent to LB as global default gateway
• LB sends Web Services traffic on separate PSN interface.
• For ISE 1.2 (and optionally 1.3), SNAT Web Services at LB
• ISE 1.3+ supports symmetric traffic responses (set default gateway per interface)
[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch → Load Balancer (VLAN 98 External: 10.1.98.1, 10.1.98.2, VIP: 10.1.98.8; VLAN 99 Internal: 10.1.99.1; VLAN 91 Web Portals: 10.1.91.1) → ISE-PSN-1/2/3 with an internal interface on VLAN 99 (10.1.99.5/6/7) and a web-portal interface on VLAN 91 (10.1.91.5/6/7). ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP, SMTP on the external side.]
PSN Load Balancing Sample Topology and Flow
[Diagram: User → Access Device → Load Balancer (VIP: 10.1.98.8, PSN-CLUSTER, VLAN 98 10.1.98.0/24) → ISE-PSN-1/2/3 (10.1.99.5/6/7, VLAN 99 10.1.99.0/24); DNS Server.]
1. Request for service at the single host 'psn-cluster': DNS request sent to resolve the psn-cluster FQDN (DNS Lookup = psn-cluster.company.com; DNS Response = 10.1.98.8).
2. Request sent to the Virtual IP Address (VIP) 10.1.98.8 (Request to psn-cluster.company.com).
3. Response received from the real server ise-psn-3 @ 10.1.99.7 (Response from ise-psn-3.company.com).
Load Balancing Policy Services
• RADIUS AAA Services
  Packets sent to the LB virtual IP are load-balanced to a real PSN based on the configured algorithm. A sticky algorithm determines the method used to ensure the same Policy Service node services the same endpoint.
• Web URL-Redirected Services: Posture (CPP) / Central WebAuth (CWA) / Native Supplicant Provisioning (NSP) / Hotspot / Device Registration WebAuth (DRW), Partner MDM.
  No LB required! The PSN that terminates RADIUS returns a URL Redirect with its own certificate CN name substituted for the 'ip' variable in the URL.
  Exception cases: want to obfuscate node names/IPs, use a different cert, LB inspection, DMZ interfaces. Note: Since ISE requires HTTPS for web access, offload does not provide an actual SSL performance increase.
• Web Direct HTTP/S Services: Local WebAuth (LWA) / Sponsor / MyDevices Portal, OCSP
  A single web portal domain name should resolve to the LB virtual IP for http/s load balancing.
• Profiling Services: DHCP Helper / SNMP Traps / NetFlow / RADIUS
  The LB VIP is the target for one-way Profile Data (no response required). The VIP can be the same as or different from the one used by RADIUS LB; the real server interface can be the same as or different from the one used by RADIUS.
Cisco and F5 Deployment Guide: ISE Load Balancing using BIG-IP: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP_DF.pdf
ISE How-To and Design Guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html
Linked from F5 under Cisco Alliance page > White Papers: https://f5.com/solutions/technology-alliances/cisco
Sample Redirect ACLs for CWA (Review from 2012 VT!)
• ISE URL Redirect ACL: Cisco:cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT
• 2k/3k/4k Example:
  ip access-list extended ACL-WEBAUTH-REDIRECT
   remark DHCP (client port bootpc to server port bootps) and DNS bypass redirection
   deny udp any eq bootpc any eq bootps
   deny udp any any eq domain
   remark traffic to the PSN portal itself is not redirected
   deny tcp any host <PSN1> eq 8443
   remark everything else is redirected to the portal
   permit ip any any
• Redirect ACL must be preconfigured and exist on the Catalyst switch or WLC.
• Catalyst Switch (HTTP and HTTPS redirection): deny = bypass redirection; permit = allow redirection.
• Cisco WLC (HTTP-only redirection; update: HTTPS redirect support added in 8.0MR1): deny = deny / redirect if HTTP; permit = allow / bypass redirection.
• WLC Example: [WLC ACL shown as an image in the original slide]
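Because the same ACL text means opposite things on a Catalyst switch and on a WLC, a small model is useful for checking an ACL before it is pushed. The following Python is an added example, not code from this deck or from Cisco: it parses the IOS-style ACL above (with a constructed 10.1.99.5 standing in for the <PSN1> placeholder) and reports, for a few constructed client flows, whether each platform would redirect, bypass, or drop them. The WLC path assumes the HTTP-only redirect behaviour prior to 8.0MR1, and the WLC-style ACL is written in the same IOS-like text the parser reads rather than in the WLC's own ACL syntax.

```python
"""Model of CWA redirect-ACL semantics on Catalyst switches vs. WLC.

Added example, not code from the Cisco deck. Semantics modelled (from the slide):
  Catalyst : deny = bypass redirection, permit = redirect
  WLC      : permit = allow/bypass, deny = redirect if HTTP, otherwise drop
The WLC path assumes HTTP-only redirection (before 8.0MR1), so only TCP/80 is
redirected. 10.1.99.5 is a constructed stand-in for the <PSN1> placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}

# Catalyst-style redirect ACL from the slide (PSN address is a constructed stand-in).
CATALYST_ACL = """
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny tcp any host 10.1.99.5 eq 8443
 permit ip any any
"""

# The same intent under WLC semantics (permit = bypass, deny = redirect HTTP / drop rest).
# Written in the IOS-style text this parser reads, not in the WLC's own ACL syntax.
WLC_ACL = """
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.1.99.5 eq 8443
 deny ip any any
"""


@dataclass
class Ace:
    action: str             # permit | deny
    proto: str              # ip | tcp | udp
    src: Optional[str]      # None means 'any'
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tok: List[str]):
    """Consume 'any' or 'host X', plus an optional 'eq PORT'; return (host, port, rest)."""
    if tok[0] == "any":
        host, rest = None, tok[1:]
    elif tok[0] == "host":
        host, rest = tok[1], tok[2:]
    else:
        raise ValueError(f"unsupported address form: {tok[0]}")
    port = None
    if rest[:1] == ["eq"]:
        port, rest = _port(rest[1]), rest[2:]
    return host, port, rest


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):   # skip header and remark lines
            continue
        src, sport, rest = _addr(tok[2:])
        dst, dport, _ = _addr(rest)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport))
    return aces


def first_match(aces: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First matching ACE decides; an IOS ACL ends with an implicit deny."""
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if (a.src in (None, src) and a.sport in (None, sport)
                and a.dst in (None, dst) and a.dport in (None, dport)):
            return a.action
    return "deny"


def evaluate(platform: str, aces: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Return 'redirect', 'bypass' (forwarded untouched) or 'drop' for one flow."""
    action = first_match(aces, proto, src, sport, dst, dport)
    if platform == "catalyst":
        return "redirect" if action == "permit" else "bypass"
    if platform == "wlc":
        if action == "permit":
            return "bypass"
        return "redirect" if (proto == "tcp" and dport == 80) else "drop"
    raise ValueError(platform)


# Constructed sample flows from a client at 10.1.50.50 before it has authenticated.
FLOWS = {
    "dhcp":   ("udp", "10.1.50.50", 68, "255.255.255.255", 67),
    "dns":    ("udp", "10.1.50.50", 51000, "10.1.10.10", 53),
    "portal": ("tcp", "10.1.50.50", 52000, "10.1.99.5", 8443),
    "web":    ("tcp", "10.1.50.50", 52001, "93.184.216.34", 80),
}


def verdicts(platform: str, acl_text: str) -> dict:
    aces = parse_acl(acl_text)
    return {name: evaluate(platform, aces, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for platform, acl in (("catalyst", CATALYST_ACL), ("wlc", CATALYST_ACL), ("wlc", WLC_ACL)):
        print(platform, verdicts(platform, acl))
```

Running it shows the pitfall directly: the Catalyst ACL redirects only the client's web traffic and lets DHCP, DNS and the portal through, while the identical text applied with WLC semantics drops DHCP, DNS and the portal and never redirects anything; the inverted WLC-style list restores the intended behaviour.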
Authorization Profiles for BYOD (Review from 2012 VT!): Single SSID: 802.1X Redirect to NSP Example
• Redirect ACL must be defined on WLC
• dACL only applies to wired users.
• Airespace ACL not required for URL redirected (Web Auth state) on WLC.
FlexConnect Configuration: URL Redirection and ACLs
• ACL Redirection:
  – When you need to configure redirection for a Flex config, do not send the Airespace ACL—only send the redirect ACL.
  – In a standard non-Flex config, the Airespace ACL is noise, but with a Flex AP config, the Airespace ACL will cause the redirect to fail. If sent in the RADIUS authorization, the AP will apply the Airespace ACL, not the redirect ACL.
• ACL Enforcement:
  – When you need to send a Flex AP ACL, be sure to set the Airespace ACL and NOT set the redirection/redirect ACL.
  – Alternatively, set a VLAN ACL on the AP gateway rather than applying it to the AP itself.
• Reference: Airespace ACLs in WLC 7.5+ http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/ACL_WLC76.html
Tune NAD Configuration: Rate Limiting at Wireless Source
Wireless (WLC)
• RADIUS Server Timeout: Increase from default of 2 to 5 sec
• RADIUS Aggressive-Failover: Disable aggressive failover
• RADIUS Interim Accounting: v7.6: Disable; v8.0: Enable with interval of 0. (Update auto-sent on DHCP lease or Device Sensor)
• Idle Timer: Increase to 1 hour (3600 sec)
• Session Timeout: Increase to 2+ hours (7200+ sec)
• Client Exclusion: Enable and set exclusion timeout to 180+ sec
• Roaming: Enable CCKM / SKC / 802.11r (when feasible)
• Bugfixes: Upgrade WLC software to address critical defects
[Diagram: Noise Suppression at the NAD (WLC). Client Exclusion and Quiet Period hold back misbehaving supplicants, roaming supplicants, unknown users, and re-authenticating phones; Reauth period, Quiet-period 5 min, Held-period / Exclusion 5 min.]
Wireless Best Practices: Anchor Configurations
• RADIUS Accounting with Anchor Controllers
  – Guest Anchors: Disable RADIUS Accounting on the Guest Anchor WLAN (enable on Foreign only)
  – Campus Anchors: In a campus roaming scenario where all controllers need to be "primary" for the same SSID, RADIUS Accounting cannot be disabled.
  – Open SSIDs will always issue a new session ID; the RADIUS accounting update carries the new ID, so the original connection is disconnected and the user is re-authenticated.
• CSCul83594 Sev6 - Session-id is not synchronized across mobility if the network is open
• CSCue50944 Sev6 - CWA Mobility Roam Fails to Foreign with MAC Filtering BYOD
Wireless Best Practices: Roaming Considerations
• Session IDs can change when roaming between controllers (L2 or L3 roaming); going between APs on the same controller should be fine.
• Secure SSIDs (802.1X): L2/L3 roaming between controllers should be handled without reauth—all roams are basically symmetric with a tunnel back to the foreign controller.
• Open SSIDs (MAB, WebAuth):
  – Avoid multiple controllers with open SSIDs – otherwise, a new session ID (reauth) results regardless of L2 or L3 roam.
  – Reauth occurs any time the IP changes. For an open SSID, a new session ID is always issued.
  – Options:
    – Stateful Controller Switchover
    – Deploy higher-capacity controllers instead of many smaller ones.
• 802.11r will work with 7.6 or 8.0 and can be applied to the entire WLAN—simply not tested under 7.6, so a warning is provided.
RADIUS Accounting Update Behavior in WLC v7.x: Interim Update
• WLC 7.6:
  – Recommended setting: Disabled
  – Behavior: Only send update on IP address change
  – Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates.
  – Device Sensor updates not impacted
RADIUS Accounting Update Behavior in WLC v8.x: Interim Update
• WLC 7.6:
  – Recommended setting: Disabled
  – Behavior: Only send update on IP address change
  – Device Sensor updates not impacted
• WLC 8.0:
  – Recommended setting: Enabled with Interval set to 0
  – Behavior: Only send update on IP address change
  – Device Sensor updates not impacted
  – Settings mapped correctly on upgrades
Techzone Articles
• ISE/WLC Version, Caveat and Timer Guide https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/ISE-WLC-Version-Caveat-and-Timer-Guide/ta-p/608346
• Prevent Large-Scale Wireless RADIUS Network Melt Downs https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Prevent-Large-Scale-Wireless-RADIUS-Network-Melt-Downs/ta-p/712713#anc7
Public Articles
• Prevent Large-Scale Wireless RADIUS Network Melt Downs http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
Which WLC Software Should My Customers Deploy?
• 7.6.130.0 (7.6 MR3) – Currently the most mature and reliable feature release for ISE.
• 8.0.110.0 (8.0 MR1) – Less mature but includes new feature support + some additional fixes.
• Key Defects Fixed in AireOS 7.6:
  CDETS        Title
  CSCuh03648   WLC sends different Framed-IP-Address in accounting updates
  CSCui38627   BYOD Dual SSID flow broken: WLC sends session ID not created on that ISE
  CSCuh20269   WLC sends accupdates too frequently, indicates user roams to itself
  CSCue94442   WLC starts three authentications simultaneously for the same endpoint
  CSCue37405   Rate limit radius request when Radius server is overloaded
  CSCug36414   McAllen: PreAuth DNS based ACL enhancements - EDCS: 1241322
  CSCun62368   Radius NAC Client auth issues for 7.6
  CSCuo39416   1131/1242 not forwarding CWA redirects on 7.6
  CSCug14713   WLC sends acct-update twice in the same millisecond
  CSCue49527   WLC should delete the session ID from PMK cache when client is removed
  CSCud12582   Processing AAA Error 'Out of Memory'
• Be aware of CSCur20154 HA SSO pair memory leak
TAC Recommended AireOS 7.6 and 8.0 - 2Q CY15
In order to provide our customers with the most reliable Wireless LAN Controller software available, Cisco Wireless TAC is now offering TAC Recommended AireOS builds for 7.6 and 8.0. These "escalation" builds have several important bugfixes (beyond what is now available in CCO code) and have been operating in production at customer sites for several weeks. See the release notes for bugfix details.
At present, the TAC Recommended AireOS builds are:
• For AireOS 7.6 customers, 7.6.130.26 Release Notes
• For AireOS 8.0 customers, 8.0.110.11. (Note that this build has many bugfixes beyond what the CCO 8.0.115.0 release has) Release Notes
The TAC Recommended AireOS builds may be updated every week or two.
The migration plan, from the TAC Recommended AireOS builds to CCO code, will be to the 8.0 MR2 release, planned for later this year. (Cisco does not plan to release another 7.6 maintenance build to CCO.) 8.0 MR2 is in beta now (see https://supportforums.cisco.com/document/12492986/80mr2-beta-availability), but does not yet have all of the applicable fixes.
Cisco does not at present plan to post these builds to CCO. To request AireOS 7.6.130.26 and/or 8.0.110.11, open a Cisco TAC case on your Wireless LAN Controller contract.
https://supportforums.cisco.com/document/12481821/tac-recommended-aireos-76-and-80-2q-cy15
Tune NAD Configuration: Rate Limiting at Wired Source
Wired (IOS / IOS-XE)
• RADIUS Interim Accounting: Use the newinfo parameter with a long interval (for example, 24-48 hrs), if available. Otherwise, set 15 mins
• 802.1X Timeouts
  – held-period: Increase to 300+ sec
  – quiet-period: Increase to 300+ sec
  – ratelimit-period: Increase to 300+ sec
• Inactivity Timer: Disable or increase to 1+ hours (3600+ sec)
• Session Timeout: Disable or increase to 2+ hours (7200+ sec)
• Reauth Timer: Disable or increase to 2+ hours (7200+ sec)
• Bugfixes: Upgrade software to address critical defects.
[Diagram: Noise Suppression at the NAD (switch). Quiet Period holds back misbehaving supplicants, roaming supplicants, unknown users, and re-authenticating phones; Reauth period, Quiet-period 5 min, Held-period / Exclusion 5 min.]
PSN Filtering and Noise Suppression: Misconfigured Client Dynamic Detection and Suppression
Flag misbehaving supplicants when they fail auth more than once per interval
– Send Alarm with failure stats every interval.
– Stop sending logs for repeat auth failures for the same endpoint during the rejection interval.
– Successful auth clears the flag
Reject matching requests during the interval
– Match these attributes: Supplicant (Calling-Station-ID), NAS (NAS-IP-Address), Failure reason
– Excludes CoA messages / bad credentials
– Next request after the interval is fully processed.
Configured under Administration > System > Settings > Protocols > RADIUS
CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes (from 30 minutes)
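To make the detection and rejection rules above concrete, here is an added Python simulation (not ISE code) that applies them to a constructed sequence of RADIUS authentication outcomes keyed, as the slide says, on Calling-Station-ID, NAS-IP-Address and failure reason. The detection and rejection interval lengths, and the treatment of bad-credential failures as excluded from rejection, are assumptions made for the example.

```python
"""Simulation of PSN-side misconfigured-supplicant detection and suppression.

Added example, not ISE code. Events are processed in time order; each is
classed as 'processed' (fully handled and logged), 'rejected' (matched a
flagged supplicant inside its rejection interval: rejected without full
processing and without a log entry) or 'success'. Interval lengths and the
excluded-reason set are assumed values for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DETECTION_INTERVAL = 300   # seconds; more than one failure in this window flags the client (assumed)
REJECTION_INTERVAL = 300   # seconds; slide: configurable minimum lowered to 5 minutes (CSCuj03131)
EXCLUDED_REASONS = {"bad-credentials"}   # slide: bad credentials are not subject to rejection

Key = Tuple[str, str, str]   # (Calling-Station-Id, NAS-IP-Address, failure reason)


@dataclass
class AuthEvent:
    t: int              # seconds since start of the constructed trace
    mac: str            # Calling-Station-Id
    nas: str            # NAS-IP-Address
    success: bool
    reason: str = ""    # failure reason, empty on success


@dataclass
class ClientState:
    failures: List[int] = field(default_factory=list)   # failure times inside the detection window
    flagged_until: Optional[int] = None                  # end of rejection interval, if flagged
    rejected: int = 0                                    # requests rejected while flagged


class SupplicantSuppressor:
    def __init__(self) -> None:
        self.state: Dict[Key, ClientState] = defaultdict(ClientState)
        self.alarms: List[str] = []

    def handle(self, ev: AuthEvent) -> str:
        if ev.success:
            # A successful auth clears any flag for this supplicant on this NAS.
            for key in [k for k in self.state if k[0] == ev.mac and k[1] == ev.nas]:
                self._close(key, ev.t)
            return "success"
        key = (ev.mac, ev.nas, ev.reason)
        st = self.state[key]
        if st.flagged_until is not None:
            if ev.t < st.flagged_until:
                st.rejected += 1
                return "rejected"
            self._close(key, ev.t)     # interval elapsed: next request is fully processed
        st.failures = [f for f in st.failures if ev.t - f < DETECTION_INTERVAL] + [ev.t]
        if len(st.failures) > 1 and ev.reason not in EXCLUDED_REASONS:
            st.flagged_until = ev.t + REJECTION_INTERVAL
        return "processed"

    def _close(self, key: Key, t: int) -> None:
        """Reset a client's state; if it was flagged, emit the interval's alarm with stats."""
        st = self.state[key]
        if st.flagged_until is not None:
            self.alarms.append(f"t={t} {key[0]} via {key[1]} ({key[2]}): {st.rejected} requests rejected")
        st.failures.clear()
        st.flagged_until = None
        st.rejected = 0


# Constructed trace: one supplicant looping on EAP timeouts, one user mistyping a password.
EVENTS = [
    AuthEvent(0,   "00:11:22:33:44:55", "10.1.50.2", False, "eap-timeout"),
    AuthEvent(30,  "00:11:22:33:44:55", "10.1.50.2", False, "eap-timeout"),      # second failure: flagged
    AuthEvent(60,  "00:11:22:33:44:55", "10.1.50.2", False, "eap-timeout"),      # rejected, not logged
    AuthEvent(90,  "00:11:22:33:44:55", "10.1.50.2", False, "eap-timeout"),      # rejected, not logged
    AuthEvent(100, "aa:bb:cc:dd:ee:ff", "10.1.50.2", False, "bad-credentials"),
    AuthEvent(120, "aa:bb:cc:dd:ee:ff", "10.1.50.2", False, "bad-credentials"),  # excluded reason: never flagged
    AuthEvent(400, "00:11:22:33:44:55", "10.1.50.2", False, "eap-timeout"),      # interval over: processed, alarm raised
    AuthEvent(410, "00:11:22:33:44:55", "10.1.50.2", True),                      # success clears the flag
]


def run(events: List[AuthEvent]) -> Tuple[List[str], List[str]]:
    s = SupplicantSuppressor()
    outcomes = [s.handle(ev) for ev in sorted(events, key=lambda e: e.t)]
    return outcomes, s.alarms


if __name__ == "__main__":
    outcomes, alarms = run(EVENTS)
    for ev, out in zip(sorted(EVENTS, key=lambda e: e.t), outcomes):
        print(f"t={ev.t:<4} {ev.mac} {out}")
    print("alarms:", alarms)
```

The trace shows the two properties an operator cares about: the looping supplicant generates two logged failures and then silence plus one alarm with a count, rather than hundreds of log lines, and the user with a wrong password is never locked out by the mechanism.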
MnT Noise Suppression: Suppress Successful Auths and Accounting
Configured under Administration > System > Settings > Protocols > RADIUS
• Suppression interval: original range 1 – 30 seconds; new range 1 sec – 1 day
• Do not save repeated successful auth events to the DB (events will not display in the Live Auth log).
• Stop sending Accounting logs for the same session during the interval.
  – CSCur42723: Allow 2 updates, then suppress if more updates arrive in the interval, up to 24 hrs
• Detect and log NAS retransmission timeouts for auth steps that exceed the threshold. (Step latency is visible in Detailed Live Logs)
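As an added example (not ISE code), the following Python applies the MnT-side rules above to a constructed stream of authentication and accounting records: one stored success per session per interval, two accounting updates per session per interval with the rest suppressed, and a latency threshold that flags slow auth steps as probable NAS retransmission timeouts. The interval and threshold values are assumed.

```python
"""Model of MnT-side noise suppression.

Added example, not ISE code. Records are applied in time order and each is
classed 'store' (written to the MnT database) or 'suppress'. Rules modelled
from the slide: repeated successful auths for the same session inside the
suppression interval are not stored; accounting updates for the same session
are stored twice per interval and further ones suppressed (CSCur42723); auth
steps slower than a threshold are logged as probable NAS retransmission
timeouts. Interval and threshold values are assumed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SUPPRESS_INTERVAL = 3600          # seconds (assumed; slide range is 1 sec to 1 day)
ACCT_UPDATES_ALLOWED = 2          # accounting updates kept per session per interval
STEP_LATENCY_THRESHOLD_MS = 3000  # assumed threshold for flagging slow auth steps


@dataclass
class MntRecord:
    t: int                     # seconds since start of the constructed trace
    session: str               # Audit-Session-Id
    kind: str                  # 'auth-success' | 'acct-update'
    step_latency_ms: int = 0   # slowest auth step; only meaningful for auth records


class MntFilter:
    def __init__(self) -> None:
        self.last_success: Dict[str, int] = {}              # session -> time of last stored success
        self.acct_window: Dict[str, Tuple[int, int]] = {}   # session -> (window start, updates stored)
        self.slow_steps: List[str] = []

    def decide(self, r: MntRecord) -> str:
        if r.kind == "auth-success":
            if r.step_latency_ms > STEP_LATENCY_THRESHOLD_MS:
                self.slow_steps.append(f"t={r.t} {r.session}: auth step took {r.step_latency_ms} ms")
            last = self.last_success.get(r.session)
            if last is not None and r.t - last < SUPPRESS_INTERVAL:
                return "suppress"
            self.last_success[r.session] = r.t
            return "store"
        if r.kind == "acct-update":
            start, stored = self.acct_window.get(r.session, (r.t, 0))
            if r.t - start >= SUPPRESS_INTERVAL:       # interval elapsed: open a new window
                start, stored = r.t, 0
            if stored >= ACCT_UPDATES_ALLOWED:
                self.acct_window[r.session] = (start, stored)
                return "suppress"
            self.acct_window[r.session] = (start, stored + 1)
            return "store"
        raise ValueError(f"unknown record kind: {r.kind}")


# Constructed trace for two sessions.
RECORDS = [
    MntRecord(0,    "S1", "auth-success", 120),
    MntRecord(300,  "S1", "auth-success", 4200),   # repeat success inside interval; slow step flagged
    MntRecord(600,  "S1", "acct-update"),           # 1st update in window: stored
    MntRecord(900,  "S1", "acct-update"),           # 2nd update: stored
    MntRecord(1200, "S1", "acct-update"),           # 3rd update inside window: suppressed
    MntRecord(1500, "S2", "auth-success", 90),      # different session: stored
    MntRecord(4000, "S1", "acct-update"),           # still inside S1's window (started at 600): suppressed
    MntRecord(4300, "S1", "acct-update"),           # window elapsed: new window, stored
]


def run(records: List[MntRecord]) -> Tuple[List[str], List[str]]:
    f = MntFilter()
    decisions = [f.decide(r) for r in sorted(records, key=lambda r: r.t)]
    return decisions, f.slow_steps


if __name__ == "__main__":
    decisions, slow = run(RECORDS)
    for r, d in zip(sorted(RECORDS, key=lambda r: r.t), decisions):
        print(f"t={r.t:<5} {r.session} {r.kind:<12} {d}")
    print("slow steps:", slow)
```

The accounting window is kept per session rather than globally, which is what makes the "allow 2, then suppress" rule safe: a chatty WLC that re-sends interim updates for one client cannot crowd out the first updates of other sessions.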
Current Cisco IT ISE Production Deployment Metrics
Infrastructure:
• Guest Services (Production): ISE 1.2, P13 – 9 VM servers in one dedicated deployment
• Production: ISE 1.2, P13 – 29 VM servers in one global deployment
• Pre-Production: ISE 1.3, P1 – 24 VM servers in one global deployment (migration ongoing)
Services:
• Guest services (ION) (440 sites, potential 136K users & 14K guests per week)
• 802.1X Wired Monitor Mode (192 devices, 83 sites)
• 802.1X Wireless Auth Mode (400 WLAN sites, 90K+ end-users, all IT-owned WLCs except a couple of sites)
• 802.1X Wireless Auth CVO* (~15K CVO sites, ~15K global users – 60% completion)
• Wireless Policy Enforcement (2 Extranet Partner sites in BGL; pilot mode)
Total of ~600K+ Profiled Endpoints in database; max of 60K+ Concurrent Endpoints globally
*CVO is Cisco Virtual Office, or small office/home office
Correct as of 08 March 2015
Executive Summary
Significant progress has been made in stabilizing ISE 1.2
• Replication is now working across the deployment with RADIUS probing and SNMP polling enabled
Next steps (*after shutdown):
• Apply ISE SNMP fixes and enable SNMP polling – reduce traffic from CVO sites*
• Cisco IT to continue updating network devices and endpoints to reduce "traffic"
• Resume production rollout (CVOs and wired devices)
• Post mortem to review lessons learned and "product enhancements"*
Item – Owner – Impact – Status:
• Configure ACE for accounting "stickiness" – Cisco IT – High: reduced accounting traffic from 6M to 3M txns per day – Done
• Implement eng fix to enable accounting suppression – SAMPG – High: further reduction in accounting traffic – Done
• Remove "IP" as a significant attribute – SAMPG (design change) – High: removed traffic from "noisy" endpoints – Done
• Implement WLC OS updates to fix duplicate accounting issue – Cisco IT – High: reduce traffic from wireless network accounting txns – 90% complete (12/17)
• Implement eng fix for SNMP polling – SAMPG – High: reduce SNMP traffic to enable CVO – TBD after shutdown
Impact of Config Changes and Engineering Fixes: Reduction of Transaction Load on ISE IT Deployment
[Chart shown in the original slide]
Cisco IT and the Identity Services Engine
• WhitePaper: http://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/wp-en-02092015-identity-services-engine.html
• Attend Cisco on Cisco session on Friday by Bassem Khalife
• Look for Cisco IT Deployment Case Study session at Live San Diego!
PSOSEC 2001
A multiyear deployment journey
Enable EAP Session Resume / Fast Reconnect
Major performance boost, but a resumed session is not a complete authentication, so avoid an excessive timeout value.
• Session resume: cache the TLS session (TLS handshake only, certificate exchange skipped on resume)
• Fast reconnect (PEAP / EAP-FAST): skip the inner method
Scaling AD Integration w/ Sites & Services
How do I ensure Local PSN is connecting to Local AD controller?
(Diagram) Without Sites & Services: the PSN at Site ‘X’ and the PSN at Site ‘Y’ both ask “Which AD server should I connect to?” and may pick AD ‘X’ or AD ‘Y’ at random.
Properly configured: the PSN at Site ‘X’ says “I will connect with local AD server X!” and the PSN at Site ‘Y’ says “I will connect with local AD server Y”.
AD Sites and Services
Links AD Domain Controllers to Client IP Networks
DNS and DC Locator Service work together to return list of “closest” Domain Controllers based on client Site (IP address)
Multi–Forest Active Directory Support
Join up to 50 Forests or Domains without mutual trusts
No need for 2-way trust relationship between domains
Advanced algorithms for dealing with identical usernames
SID-Based Group Mapping
PAP via MS-RPC
Support for disjointed DNS namespace
Scales AD Integration through Multiple Join Points and Optimized Lookups
(Diagram: a single ISE deployment joined to domain-1.com, domain-2.com … domain-n.com)
New in ISE 1.3
AD Authentication Flow
AuthC Policy → AD Scope (optional) → AD Instance → Domain List (optional) → Identity Rewrite (optional) → Target AD
Authentication Domains (Whitelisting)
(Screenshot: enable r1.dom and disable the rest)
• “Whitelist” only the domains of interest—those used for authentication!
• In this example, the join point can see many trusted domains but we only care about r1.dom
Authentication Domains – Unusable Domains
• Domains that are unusable, e.g. 1-way trusts, are hidden automatically
• There’s an option to reveal these and see the reason
Run the AD Diagnostic Tool
Check AD Joins Upon Install and Periodically to Verify Potential AD Connectivity Issues
• The “DNS SRV errors” reported by the tool can actually mean something else, e.g. the UDP response was too big and the query was retried over TCP
• A packet capture (sniffer) can confirm what really happened
• AD Sites or DNS configuration changes are required to get the lookup optimized
Validating DNS from the ISE node CLI
• Checking SRV records for Global Catalog (GC) servers:
  psn/admin# nslookup _ldap._tcp.gc._msdcs.myADdomain.com querytype SRV
• Checking SRV records for Domain Controllers (DC):
  psn/admin# nslookup _ldap._tcp.dc._msdcs.myADdomain.com querytype SRV
• To confirm that Sites and Services steers the PSN to its local DCs, also query the site-specific record for the PSN’s site:
  psn/admin# nslookup _ldap._tcp.<SiteName>._sites.dc._msdcs.myADdomain.com querytype SRV
• More details on Microsoft AD DNS queries: https://technet.microsoft.com/en-us/library/cc959323.aspx
Debug Active Directory Log
• Elevate to DEBUG log level (TRACE is overkill)
Getting AD Captures – Using Advanced Tuning
• This temporarily disables AD encryption so the exchange can be read in a packet capture; AD traffic is on the wire in the clear for that time, so re-enable it as soon as the capture is taken.
• The available Advanced Tuning parameters are not published, as they are expected to be used only under TAC guidance for exceptional issues.
AD Integration Best Practices
• DNS servers in ISE nodes must have all relevant AD records (A, PTR, SRV)
• Ensure NTP configured for all ISE nodes and AD servers
• Configure AD Sites and Services
(with ISE machine accounts configured for relevant Sites)
• Configure Authentication Domains (Whitelist domains needed) (ISE 1.3)
• Use UPN/fully qualified usernames when possible to expedite user lookups
• Use AD indexed attributes* when possible to expedite attribute lookups
• Run Diagnostics from ISE Admin interface to check for issues.
* Microsoft AD Indexed Attributes: http://msdn.microsoft.com/en-us/library/ms675095%28v=vs.85%29.aspx http://technet.microsoft.com/en-gb/library/aa995762%28v=exchg.65%29.aspx
Cisco Live Online: www.ciscolive.com/online
BRKSEC-2132 - What's New in ISE Active Directory
Connector presented by Chris Murray
Internal Certificate Authority
Why use ISE as a Certificate Authority?
• Microsoft Public Key Infrastructure via a 2003/2008 Enterprise Server can add significant complexity and expense to an ISE deployment.
Benefits of the internal CA:
• Internal CA simplifies ISE deployment
• ISE can deliver certificates directly to endpoints
• No need to rely on integrating ISE to PKI for BYOD cert provisioning
• Internal CA can still work with existing PKI infrastructure
• Closed-loop BYOD solution
• Focused on BYOD and MDM use cases only; not a general-purpose CA
Configuring the Native Certificate Authority
• Enabled by default. Yes, that’s really it!
NSP Flow – Internal CA
(Sequence diagram: Employee on SSID = CORP ↔ PSN, which acts as RA, ↔ internal CA)
1. RADIUS Access-Request / RADIUS Access-Accept; CA selection: CPP Certificate Template = Internal
2. CSR is generated on iOS; SCEP password = SessionID + random key (from ISE)
3. CSR sent to the ISE PSN (RA) via SCEP; the RA validates the password challenge (session + random key)
4. CSR sent to the Internal CA; user certificate issued: CN = AD username, SAN = values from template; certificate sent back to ISE
5. ISE sends the certificate to the endpoint (signing certificate + user certificate)
6. ISE sends the profile to the endpoint: Wi-Fi profile with EAP-TLS configured
7. CoA: ReAuth, followed by EAP-TLS with the user certificate

NSP Flow – External CA
Same sequence, with two differences: CA selection is CPP Certificate Template = External, and in step 4 the PSN acts as a SCEP proxy to the external certificate authority, which issues the user certificate (CN = AD username, SAN = values from template) and returns it to ISE.
ISE CA: Multiple Personalities/Identities
Root CA
OCSP Server
Subordinate CA
Registration Authority
ISE Certificate Authority Architecture
(Diagram: Primary PAN = Primary ISE CA (Root CA); Standby PAN = Root CA; each of the four PSNs = Subordinate CA + SCEP RA + OCSP Server)
Root CA is used to sign the certificates for the Subordinate CAs. The Subordinate CA signs the actual endpoint certs. The Secondary PAN is another Root CA! Ensure you export the Primary PAN’s CA store and import it on the Secondary.
Node Registration Process Overview
(Diagram: PAN ↔ PSN)
1. PSN is joined to the ISE deployment
2. PAN tells the PSN to generate 3x CSRs (OCSP, Sub_CA_Endpoint, RA); the CSRs are generated on the PSN
3. The 3x CSRs are sent to the Root CA (PAN)
4. 3x certificates are issued: OCSP > Root; Sub_CA_EP > Root; RA > Sub_CA_EP (the RA certificate is issued by the Endpoint Sub CA, as the CA store export output shows)
All PSNs are instructed by the PAN to generate the CSRs; the PAN (Root CA) signs the Sub CA and OCSP certs for each node. The Secondary PAN does not generate CSRs to the Root CA. MnT does not generate any CSRs to the Root CA.
Each PSN gets three certificates for CA functions:
• Subordinate CA – to sign endpoint certificates
• OCSP – to identify the node with the OCSP service
• Registration Authority (RA) – to identify the sub-CA when requesting certificates for endpoints
Issue & Revoke Endpoint Certificates
Lists all the endpoint certificates issued by the Internal CA.
Status – Active, Revoked, Expired
Quick Overview of certificate details, Including the Template Used
Automatically Revoked when an Endpoint is marked as “Stolen”
Certificates may be Manually Revoked
View Endpoint Certificate Contents (screenshot)
Revoke Certificates (screenshot)
Certificate Operations Administration > System > Certificates > Certificate Signing Requests
• Re-gen Root CA
• Make ISE a subordinate CA
• Renew OCSP Responder Certs
• Generate CSRs for Certs used for …
• Portals
• Admin
• pxGrid
• EAP
Re-generate the Root CA
• The Entire certificate chain can be re-generated if needed.
• Old CA certificates remain in the Trust store to ensure authentication of previously provisioned endpoints work successfully.
ISE as an Intermediate CA
• ISE’s internal CA can work seamlessly with an existing CA in your deployment.
• Just make it an intermediate CA (sub-ordinate CA) to your existing CA.
• Create a CSR for the ISE node and get a certificate issued by the existing CA.
ISE as an Intermediate (Subordinate) CA
• Ensure that the certificate you get from your existing CA has certificate-signing capability (Key Usage: keyCertSign; Sub_CA template)
• Ensure the existing Root CA allows a tree size >= 3 (ISE is 2 tiers): the certificate issued to ISE needs a path length constraint of at least 1, because ISE’s Endpoint Sub CA sits one level beneath it
Certificate Revocation
• Online Certificate Status Protocol (OCSP)
• Certificate Revocation List (CRL)
Online Certificate Status Protocol (OCSP)
• Preferred method
• Provides near real-time updates
• Allows a near real-time request per certificate
• Think: policeman checking from the laptop in the squad car, with a live query into the DMV database
Certificate Revocation List (CRL)
• A signed document published on a web site
• Periodically downloaded and stored locally
• The server examines the CRL to see if the client’s cert was already revoked
• Think: policeman having a list of suspended drivers in his squad car
Note: ISE does not use the CRL Distribution Point field in the certificate; it uses only the CRL URL configured locally on the trusted certificate.
Default Internal OCSP Configuration (screenshot)
OCSP Check (screenshot)
CA Server Status (screenshot)
Native Supplicant Profile
(Screenshot: native supplicant profile BYOD-NSP referencing the certificate template TLS-template)
Certificate Template(s)
• Define Internal or External CA
• Set the Key Sizes
• SAN Field Options:
• MAC Address
• No free-form additions
• Set length of validity
ISE CA: Dual Root Phenomenon
(Diagram: P-PAN and S-PAN are each a Root CA; PSN-1, PSN-2 and PSN-3 hold Subordinate CA / SCEP RA certificates signed by the P-PAN; the S-PAN is then promoted)
• The 4th PSN was added to the deployment while the S-PAN was temporarily the root.
• It is now on a different chain of trust!
Fix: export the Root CA from the P-PAN and import it into the S-PAN
• The 4th PSN added while the S-PAN was temporarily the root now chains to the same root
• S-PAN has the same chain of trust: single chain of trust
lab-ise/admin# application configure ise
Selection ISE configuration option
<Snip>
[7]Export Internal CA Store
[8]Import Internal CA Store
</Snip>
[12]Exit
Export CA Certs
Exporting the CA certs to a repository produces an encrypted GPG bundle containing four key pairs: Root CA, Sub CA, RA and OCSP. The bundle holds private keys, so protect the repository and the encryption key like any other CA key material.
Ise-pan1/admin# application configure ise
Selection ISE configuration option
<SNIP>
[7]Export Internal CA Store
[8]Import Internal CA Store
</SNIP>
[12]Exit
7
Export Repository Name: NAS
Enter encryption-key for export: ##########
Export on progress...............
The following 4 CA key pairs were exported to repository 'NAS' at 'ise_ca_key_pairs_of_atw-lab-ise':
Subject:CN=Certificate Services Root CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x10d18efb-92614084-895097f2-9885313b
ISE CA keys export completed successfully
Import of CA Certs
Always perform the certificate import on the secondary PAN; this ensures that the same PKI tree is always used.
ise-pan1/admin# application configure ise
Selection ISE configuration option
<SNIP>
[7]Export Internal CA Store
[8]Import Internal CA Store
</SNIP>
[12]Exit
8
Import Repository Name: NAS
Enter CA keys file name to import: ise_ca_key_pairs_of_atw-lab-ise
Enter encryption-key: ########
Import on progress...............
The following 4 CA key pairs were imported:
Subject:CN=Certificate Services Root CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x10d18efb-92614084-895097f2-9885313b
Stopping ISE Certificate Authority Service...
Starting ISE Certificate Authority Service...
ISE CA keys import completed successfully
• After an upgrade, immediately export/import the CA certs.
• If you want the original P-PAN to stay Primary after the upgrade, promote the Secondary after the CA certs are imported.
• Or… promote the Secondary before the upgrade, upgrade ISE, and then export/import the CA certs.
Deleting ISE CA Certs
• Under ISE 1.3, Delete will revoke the certificate from the CA
• All endpoint certificates will then be invalid and rejected
• Cannot be undone
• Under ISE 1.4, there are separate options for Delete and Delete+Revoke
What is an X.509 Certificate?
• A certificate is a signed document…
• Think of it like a government form of identity: it binds a name (username, organization, location) to a public key
What is the Purpose of an X.509 Certificate?
• Provides an identity: who the user is, what the endpoint is, a web site’s identity, …
• Carries the public key used to establish the encrypted session (e.g. the TLS key exchange)
ISE and Certificates: Multiple Identities
• Secure Web Server
• Internal Communications
• Root CA
• Authentication Server
(Diagram: 802.1X exchange between Supplicant, Authenticator (Layer 2 link) and Authentication Server (Layer 3 link); the port stays unauthorized until the exchange completes)
1. EAPoL Start
2. EAP-Request/Identity
3. EAP-Response/Identity → RADIUS Access-Request
4. RADIUS Access-Challenge [AVP: EAP-Request PEAP] → EAP-Request/PEAP
5. EAP-Response/PEAP → RADIUS Access-Request [AVP: EAP-Response: PEAP]
6. Multiple Challenge-Request exchanges possible
Certificates and Web Portals
All web portals (Admin, WebAuth, MyDevices, Sponsor, CPP, etc.)
(Diagram: Client/Browser → SSID → NAD → ISE)
Step 1: Client initiates a request to establish an HTTPS tunnel with the portal (https://ISE/admin)
Step 2: Certificate sent to the browser
Step 3: If the certificate is not already trusted, the user is prompted to accept it. Once accepted, it is stored in the browser, keychain, or trusted store
Step 4: TLS tunnel is formed, encrypting the HTTP communications (HTTPS)

Certificates and EAP Communication
EAP connections (PEAP, FAST, EAP-TLS)
(Diagram: Client/Supplicant → SSID → NAD → ISE)
Step 1: Supplicant initiates a request to establish a TLS tunnel with the authenticator
Step 2: Certificate sent to the supplicant
Step 3: If the certificate is not already trusted, the user is prompted to accept it. If accepted, it is stored in the Wi-Fi profile
Step 4: TLS tunnel is formed; EAP happens next
ISE Admin/EAP/Portal Certificate Examination
(Screenshot: publicly signed certificate for ise.company.com; second example ise-lab.company.com)
• Purpose is for Client and Server Auth
• SAN includes the wildcard (*.company.com) and the CN (ise.company.com)
• Publicly signed certificate
• Used for Admin, Portal and EAP; any portal using the Portal-Tag “ISE Wildcard Cert” uses this cert
ISE Root Certificate Examination
(Screenshot: internal root certificate ise-ca, with the Sub CA ise-ca-#0002)
• Self-signed certificate (it’s a root cert)
• Purpose is for cert signing / it is a CA
• The CLI export is the only way to access the root certificate’s key pair:
ise/admin# application configure ise
Selection ISE configuration option
<Snip>
[7]Export Internal CA Store
[8]Import Internal CA Store
</Snip>
[12]Exit
Endpoint Certificate Examination
(Screenshot: endpoint certificate for employee1, CN=employee1, issued by ise-ca)
• Purpose is for Client Auth
• SAN includes the MAC address
• Signed by the ISE Sub-CA
Certificate Provisioning User Experience in ISE 1.0 – 1.2
(Diagram: Primary PAN, PSN #1, PSN #20 … PSN #40, each handled individually)
• Generate CSR for Primary PAN; bind CA-signed cert for Primary PAN
• Generate CSR for PSN #1; bind CA-signed cert for PSN #1
• Generate CSR for PSN #20; bind CA-signed cert for PSN #20
• Generate CSR for PSN #40; bind CA-signed cert for PSN #40
Centralized Certificate Management in 1.3
(Diagram: Primary PAN managing PSN #1, PSN #20 … PSN #40)
• Generate CSRs for ALL nodes at the Primary PAN
• Bind CA-signed certs for ALL nodes at the Primary PAN
• Manage System (Local) certs for ALL nodes at the Primary PAN
Manage System Certificates
• Certificates used by: Admin, HTTPS Portals, pxGrid, EAP
• These are private/public key pairs, i.e. they identify ISE personalities
(Screenshot: ise.company.com with Portal-Tag “ISE Wildcard Cert”; ise-lab.company.com)

Certificates your ISE Deployment will “Trust”
• Trust for EAP, MDM, etc.
• These are copies of their public certs, i.e. they identify other systems
Trusted Certificates
• In 1.3, trusted certificates have a new “Trusted For” attribute.
Security goal: to prevent the public CA certificates trusted for Cisco Services from also being trusted for client and infrastructure authentication inside the deployment.
• When importing a trust certificate, the user must specify what the certificate is trusted for.
• It is important to select at least one category, or the cert will not be used in any trust store.
System Certificate Roles – ISE 1.3
1.2 Role Name | 1.3 Role Name | How Many | May use wildcard (*) in Subject | May use wildcard (*) in SAN
HTTPS | Admin | 1 | Yes | Yes
EAP | EAP Authentication | 1 | No (1) | Yes
- | pxGrid | 1 | No | No
- | Portal | Many | Yes | Yes
• Admin cert is the server cert for the Admin Console
• pxGrid cert is the server cert for authenticating the ISE node to pxGrid clients
• Portal cert is a server cert associated with a particular ISE portal (Guest, Sponsor, My Devices, …)
• In a freshly installed node, the default self-signed cert has all four roles
Certificates for all roles are managed from the Primary PAN node.
(1) While ISE technically allows a wildcard in the CN, Microsoft supplicants will reject it, so it is never recommended.
ISE 1.3: Multiple Web Portals
• Each portal exists on ALL PSNs
• Each portal requires a certificate
• One certificate per interface > IP:Port
• Each PSN could have unique certificates (identity)
• Each portal could use a different certificate
(Diagram: ISE PSN-1, ISE PSN-2, ISE PSN-3, each hosting every portal)
Problem: Assign Certificate on All PSNs to Portal?
• New UI paradigm with ISE 1.3 is to keep all portal configuration together.
• Options:
  • Add complexity to the portal configuration page by choosing certificates on each node?
  • What about large deployments (40 PSNs)?
  • Configure it entirely outside of the portal configuration screen?
  • Some way to combine?
How to assign “at scale”?
(Diagram: Hotspot-DRW portal needing PSN-1: Cert1, PSN-2: Cert2, PSN-3: Cert3)
Solution: Portal (Certificate) Group Tag
• Portal Group Tag provides a solution to configure node-specific certificates for portal configuration by associating node certificates to a logical name.
• Referred to as Certificate Group Tag in 1.3 and Portal Group Tag in 1.4
(Diagram: Portal Group Tag “GuestPortalCerts” groups certificates to a logical name across Node 1 (Pri Admin, MnT and PSN), Node 2 (Sec Admin, MnT and PSN) and Node 3 (PSN); the portal configuration references the tag)
ISE 1.4 Enhancement – Portal Tag “Where Used”
Certificate Chains
• For scalability, X.509 certificate authorities may have a hierarchy (Root CA → Subordinate CA → ISE cert)
• ISE will present the full signing chain to the client during authentication
• Client must trust each CA within the chain
(Screenshot: certification path for ise.company.com: Root, Sub, ISE)
Always add the Root and Subordinate CAs: import all certificates in the chain, one at a time (individually, not as a single file), in PEM format!
(Diagram: Root CA → Subordinate CA → ISE Cert; every subordinate CA in the chain is imported separately)
If you must use a PKCS chain, it needs to be in PEM format (not DER).
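As an added example (not from the deck and not Cisco’s code), the Python script below prepares a CA chain for the one-certificate-at-a-time import described above: it splits a PEM bundle into individual certificates, converts a bare DER certificate to PEM, and refuses a PKCS#7 bundle with the openssl command needed to unwrap it first. The sample bytes are constructed placeholders, not real certificates; the output file names (chain-01.pem, …) and directory are assumptions.

```python
"""
Prepare a CA chain for the ISE Trusted Certificates store: one PEM certificate
per import, DER converted to PEM, PKCS#7 bundles rejected with instructions.
Added example; the SAMPLE_* bytes below are constructed, not real certificates.
"""
from __future__ import annotations
import base64
import re
import ssl
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(PEM_BEGIN) + r"\s*(.*?)\s*" + re.escape(PEM_END), re.S)
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # OID 1.2.840.113549.1.7.2

# Constructed stand-ins: minimal DER SEQUENCEs with the right outer shape, not parseable as X.509.
SAMPLE_ROOT_DER = bytes.fromhex("3006300402020102")
SAMPLE_SUB_DER = bytes.fromhex("3006300402020304")
SAMPLE_PKCS7_DER = bytes.fromhex("300b") + PKCS7_SIGNED_DATA_OID
SAMPLE_BUNDLE = (
    "# root first, then issuing CA; text between blocks is ignored\n"
    + ssl.DER_cert_to_PEM_cert(SAMPLE_ROOT_DER)
    + ssl.DER_cert_to_PEM_cert(SAMPLE_SUB_DER)
).encode("ascii")


def _der_inner_tag(data: bytes) -> int | None:
    """Tag of the first element inside the outer SEQUENCE (handles long-form lengths)."""
    if len(data) < 3 or data[0] != 0x30:
        return None
    first = data[1]
    offset = 2 if first < 0x80 else 2 + (first & 0x7F)
    return data[offset] if offset < len(data) else None


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der', 'pkcs7' or 'unknown'. A DER X.509 certificate nests a
    SEQUENCE (tbsCertificate); a DER PKCS#7 ContentInfo nests an OID instead."""
    if b"-----BEGIN PKCS7-----" in data:
        return "pkcs7"
    if PEM_BEGIN.encode() in data:
        return "pem"
    inner = _der_inner_tag(data)
    if inner == 0x30:
        return "der"
    if inner == 0x06:
        return "pkcs7"
    return "unknown"


def split_pem_chain(text: str) -> list[str]:
    """Each CERTIFICATE block as its own normalized PEM string (64-column base64)."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)  # fail loudly on corrupt base64
        certs.append(ssl.DER_cert_to_PEM_cert(der))
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs


def normalize_chain(data: bytes) -> list[str]:
    """The chain as a list of single PEM certificates, ready for one-at-a-time import."""
    fmt = detect_format(data)
    if fmt == "pem":
        return split_pem_chain(data.decode("latin-1"))
    if fmt == "der":
        return [ssl.DER_cert_to_PEM_cert(data)]
    raise ValueError(f"{fmt}: unwrap first with 'openssl pkcs7 -print_certs -in chain.p7b'")


def to_der(pem: str) -> bytes:
    """Inverse of the PEM wrapping, used to verify a split block round-trips."""
    return ssl.PEM_cert_to_DER_cert(pem)


def write_individual_certs(data: bytes, out_dir: Path, prefix: str = "chain") -> list[Path]:
    """Write chain-01.pem, chain-02.pem, ... in bundle order (root, then subordinates)."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, pem in enumerate(normalize_chain(data), start=1):
        path = out_dir / f"{prefix}-{i:02d}.pem"
        path.write_text(pem)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in write_individual_certs(SAMPLE_BUNDLE, Path("ise-chain")):
        print(p)
```

Import the resulting files into Administration > System > Certificates > Trusted Certificates one by one, root first, and set the “Trusted For” categories on each; a .p7b exported from a Windows CA is rejected here on purpose, since ISE wants the individual PEM certificates rather than the bundle.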
Joining an ISE Deployment
• In order to join an ISE node to an existing ISE deployment, mutual trust is required:
  • You must trust the PAN certificate on the secondary node(s)
  • Secondary nodes must trust PAN certs
• Then you upgrade all certs:
  • Delete the old self-signed certificates from the System Certs
  • Delete the old self-signed certs from the Trusted Cert Store
• So, it is often easier to upgrade to a CA-signed & trusted cert before joining the deployment.
(Diagram: PAN, PSN1 and PSN2 holding each other’s certs in their Trusted Certs stores; after the upgrade the old self-signed certs are crossed out)
Simple URL for My Devices & Sponsor Portals
• In 1.3: Sponsor Portal and My Devices Portal are accessed via a user-friendly URL and selectable port.
• Ex: http://mydevices.company.com redirects automatically to https://fqdn:port
• The FQDN for the URL must be added to DNS and resolve to the Policy Service node(s) used for Guest Services.
• Recommend populating the Subject Alternative Name (SAN) field of the PSN local cert with this alternative FQDN or a wildcard to avoid TLS cert warnings due to name mismatch.
ISE Certificate without SAN: Certificate Warning – Name Mismatch
(Diagram: the browser looks up sponsor.company.com on the DNS server, receives the load balancer address, and is redirected from http://sponsor.company.com to https://sponsor.company.com:8443/sponsorportal on one of ISE-PSN-1, ISE-PSN-2 or ISE-PSN-3)
Name mismatch! Requested URL = sponsor.company.com; Certificate Subject = ise-psn-3.company.com

ISE Certificate with SAN: No Certificate Warning
(Diagram: same flow through DNS and the load balancer to ISE-PSN-1/2/3)
Certificate OK! Requested URL = sponsor.company.com; Certificate SAN = sponsor.company.com
ISE Certificate with SAN – “Universal Certs”
• CN must also exist in SAN
• Other FQDNs or wildcard as “DNS Names”
• IP address is also an option
(Screenshot: CN = ise-psn.company.com; SAN DNS Names = ise-psn.company.com, mydevices.company.com, sponsor.company.com)
Universal cert options:
• UCC / Multi-SAN
• Wildcard SAN
“Traditional” Wildcard Certificates
• Wildcard certificates are used to identify any secure web site that is part of the domain:
• Ex: *.domain.com works for:
  • www.domain.com
  • mydevices.domain.com
  • sponsor.domain.com
  • AnyThingIWant.domain.com
• But not for psn.ise.domain.com: the position of the wildcard in the FQDN is fixed, and it matches exactly one label
(Screenshot: *.company.com certificate presented at https://ise-psn-1.company.com/admin/login.jsp)
Wildcard Certificates – Why use with ISE?
• Use of all portals & friendly URLs without certificate match errors.
• Most importantly: ability to host the exact same certificate on all ISE PSNs for EAP authentications
• Why, you ask?…
Clients Misbehave!
• Example education customer:
  • ONLY 6,000 endpoints (all BYOD style)
  • 10M auths / 9M failures in 24 hours!
  • 42 different failure scenarios, all related to clients dropping TLS (both PEAP & EAP-TLS).
• Supplicant list:
  • Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
• 5411 “No response received during 120 seconds on last EAP message sent to the client”
  • This error has been seen at a number of escalation customers
  • Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.
Clients Misbehave: Apple Example
(Diagram: Apple iOS & MacOS client with a Wi-Fi profile, SSID, NAD, ISE-1 (ise-psn-1.domain.com) and ISE-2 (ise-psn-2.domain.com), each with its own cert signed by the trusted Cert Authority)
• Multiple PSNs
• Each cert signed by a trusted root
• Apple requires Accept on all certs!
• Results in 5411 / 30-second retry
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client roams
5. Authentication goes to ISE-2
6. Client prompts for Accept
Solution: Common Cert, Wildcard in SAN Certificates
A wildcard allows anything ending with the domain name. The same EXACT private/public key pair may be installed on all PSNs.
Solution: Common Cert, Wildcard in SAN
Figure: same Apple iOS & MacOS roaming scenario, now with one common certificate (ise-psn.domain.com) installed on both ise-psn-1.domain.com and ise-psn-2.domain.com; the second PSN is already trusted after the first authentication.
• CN = ise-psn.domain.com
• SAN contains ise-psn.domain.com and *.domain.com, or all PSN FQDNs
• Wildcard SAN support: comodo.com CA, SSL.com CA, Digicert.com CA, Symantec/Verisign CA, Microsoft 2008 CA
• Failed with GoDaddy CA: does not support * in SAN, only supports * in CN
1. Authentication goes to PSN-1
2. PSN-1 sends certificate
3. Client trusts PSN-1
4. Client roams
5. Authentication goes to PSN-2
6. Client already trusts cert
Certificates
SSL Certificates for Internal Server Names
After November 1, 2015 Certificates for Internal Names Will No Longer Be Trusted
In November 2011, the CA/Browser Forum (CA/B) adopted Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates that took effect on July 1, 2012. These requirements state:
CAs should notify applicants prior to issuance that use of certificates with a Subject Alternative Name (SAN) extension or a Subject Common Name field containing a reserved IP address or internal server name has been deprecated by the CA/B
CAs should not issue a certificate with an expiration date later than November 1, 2015 with a SAN or Subject Common Name field containing a reserved IP address or internal server Name
Source: Digicert – https://www.digicert.com/internal-names.htm
Certificates
Use Publicly-Signed Certs for Guest Portals!
• In 1.3, HTTPS cert for Admin can be different from web portals
• Guest portals can use a different, public certificate
• Admin and internal employee portals (or EAP) can still use certs signed by private CA.
Public Portal Certificate Group: certs assigned to this group are signed by a 3rd-party CA.
Redirection is based on the first service-enabled interface; if eth0, return host FQDN; else return interface IP.
Certificates
CWA Example
• CWA Guest Portal access for ISE-PSN1 configured for eth1
• IP Address for eth1 on ISE-PSN1 is 10.1.91.5
• Resulting URL Redirect = ???
DNS and Port Settings – Single Interface Enabled for Guest Portal
ISE Node IP Address Interface
ISE-PSN1 10.1.99.5 # eth0
ISE-PSN1 10.1.91.5 # eth1
ISE-PSN1 10.1.92.5 # eth2
ISE-PSN1 10.1.93.5 # eth3
Certificates
Resulting URL Redirect = https://10.1.91.5:8443/... I have a feeling this is going to end badly!
CWA Example with FQDNs in SAN
URL Redirection Uses First Guest-Enabled Interface (eth1)
Figure: user behind a switch (access device) authenticates via RADIUS to ise-psn1 @ 10.1.99.5. ISE-PSN1 interfaces: Admin/RADIUS eth0: 10.1.99.5, Guest eth1: 10.1.91.5, MyDevices eth2: 10.1.92.5, Sponsor eth3: 10.1.93.5.
ISE Certificate: Subject = ise-psn1.company.com; SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com
1. RADIUS Authentication requests sent to ise-psn1 @ 10.1.99.5.
2. RADIUS Authorization received from ise-psn1 @ 10.1.99.5 with URL Redirect to https://10.1.91.5:8443/...
3. User sends web request directly to ise-psn1 @ 10.1.99.5.
4. User receives cert name mismatch warning (HTTPS response from 10.1.91.5).
Name Mismatch! Requested URL = 10.1.91.5; Certificate SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com
Certificates
Interface Aliases
• Aliases assigned to interfaces using ip host global config command in ADE-OS:
(config)# ip host <interface_ip_address> <hostname|FQDN> <hostname|FQDN>
• Up to two values can be specified (hostname and/or FQDN); if only a hostname is specified, the globally configured ip domain-name is appended for use in URL redirection. The FQDN can have a different domain than the global domain!
• GigabitEthernet1 (GE1) Example:
ise-psn1/admin(config)# ip host 10.1.91.5 ise-psn1-guest ise-psn1-guest.company.com
• Host entry for Gigabit Ethernet 0 (eth0) cannot be modified
• Use show run to view entries; Use no ip host <ip_address> to remove entry.
• Change in interface IP address or alias requires application server restart.
Specify alternate hostname/FQDN for URL redirection
Certificates
Available in ISE 1.2
Interface Alias Example
• Interface eth1 enabled for Guest Portal
• ip host 10.1.91.5 ise-psn1-guest.company.com
• URL redirect = https://ise-psn1-guest.company.com:8443/...
• Guest DNS resolves FQDN to correct IP address
DNS and Port Settings – Single Interface Enabled for Guest
DNS SERVER DOMAIN = COMPANY.LOCAL
ISE-PSN1 IN A 10.1.99.5 # eth0
ISE-PSN1-MDP IN A 10.1.92.5 # eth2
ISE-PSN1-SPONSOR IN A 10.1.93.5 # eth3
ISE-PSN2 IN A 10.1.99.6 # eth0
ISE-PSN2-MDP IN A 10.1.92.6 # eth2
ISE-PSN2-SPONSOR IN A 10.1.93.6 # eth3
ISE-PSN3 IN A 10.1.99.7 # eth0
ISE-PSN3-MDP IN A 10.1.92.7 # eth2
ISE-PSN3-SPONSOR IN A 10.1.93.7 # eth3
DNS SERVER DOMAIN = COMPANY.COM
ISE-PSN1-GUEST IN A 10.1.91.5 # eth1
ISE-PSN2-GUEST IN A 10.1.91.6 # eth1
ISE-PSN3-GUEST IN A 10.1.91.7 # eth1
Certificates
CWA Example using Interface Alias
URL Redirection Uses First Guest-Enabled Interface (eth1)
Figure: same topology; ISE-PSN1 now serves all web portals on eth1: 10.1.91.5, eth2: 10.1.92.5 and eth3: 10.1.93.5, with Admin/RADIUS on eth0: 10.1.99.5. RADIUS authorization: URL redirect = https://ise-psn1-guest.company.com:8443/...
ISE Certificate: Subject = ise-psn1.company.com; SAN = ise-psn1-guest.company.com
1. RADIUS Authentication requests sent to ise-psn1 @ 10.1.99.5.
2. RADIUS Authorization received from ise-psn1 @ 10.1.99.5 with URL Redirect to https://ise-psn1-guest:8443/...
3. DNS resolves alias FQDN ise-psn1-guest to 10.1.91.5 and sends web request to ise-psn1-guest @ 10.1.99.5.
4. No cert warning received since SAN contains interface alias FQDN (HTTPS response from 10.1.91.5).
Certificate OK! Requested URL = ise-psn1-guest.company.com; Certificate SAN = ise-psn1-guest.company.com
Could also use wildcard SAN or UCC cert
Certificates
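As an added example (mine, not from the deck or Cisco), the Python below reproduces the name check a supplicant or browser performs against an ISE certificate and walks both situations above: the wildcard SAN, where *.domain.com covers exactly one label so its position in the FQDN is fixed, and the CWA redirect, where an IP-literal redirect URL can never match a DNS SAN while the interface-alias FQDN does. Hostnames and SAN lists are the ones on the slides; the helper functions and the "/..." paths are assumptions.

```python
"""Certificate name matching as ISE clients see it (added example).

Implements the RFC 6125 rules the slides rely on:
  * a wildcard is only honoured as the whole left-most label and matches
    exactly one label, so *.domain.com covers psn.domain.com but not
    psn.ise.domain.com;
  * when a SAN extension is present the Subject CN is ignored;
  * an IP literal in the URL is compared only against iPAddress SANs,
    never against DNS SANs, so https://10.1.91.5:8443/... always
    mismatches a certificate that carries DNS names only.
"""
import ipaddress
from typing import Iterable, Optional


def is_ip_literal(host: str) -> bool:
    """True for 10.1.91.5 or an IPv6 literal, False for a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Match one DNS name against one DNS SAN entry (exact or wildcard)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return host == pat
    # Wildcard must be the entire left-most label (no "ise-*.domain.com",
    # no "*.*.domain.com") and the parent must keep at least two labels.
    if pat[0] != "*" or len(pat) < 3 or any("*" in lbl for lbl in pat[1:]):
        return False
    # The wildcard stands in for exactly one label: same label count and
    # identical remaining labels.  This is why psn.ise.domain.com fails.
    return len(host) == len(pat) and host[1:] == pat[1:]


def cert_matches(requested_host: str, subject_cn: str,
                 dns_sans: Iterable[str]) -> Optional[str]:
    """Return the SAN entry (or CN when the cert has no SAN) that covers the
    host the client actually connected to, or None for a name mismatch."""
    if is_ip_literal(requested_host):
        return None  # DNS-only certificate: an IP in the URL never matches
    candidates = list(dns_sans) or [subject_cn]
    for name in candidates:
        if dns_name_matches(requested_host, name):
            return name
    return None


# Certificates as described on the slides: (Subject CN, DNS SAN entries).
WILDCARD_CERT = ("ise-psn.domain.com", ["ise-psn.domain.com", "*.domain.com"])
PSN1_CERT = ("ise-psn1.company.com",
             ["ise-psn1.company.com", "sponsor.company.com",
              "mydevices.company.com"])
PSN1_CERT_WITH_ALIAS = ("ise-psn1.company.com",
                        PSN1_CERT[1] + ["ise-psn1-guest.company.com"])


def redirect_outcome(redirect_url: str, cert) -> str:
    """Classify a CWA redirect URL against the portal certificate."""
    # Host part of scheme://host[:port]/path (IPv4 or DNS name only).
    host = redirect_url.split("://", 1)[1].split("/", 1)[0].rsplit(":", 1)[0]
    cn, sans = cert
    matched = cert_matches(host, cn, sans)
    return f"OK (matched {matched})" if matched else f"NAME MISMATCH for {host}"


if __name__ == "__main__":
    # Roaming between PSNs that share one wildcard certificate.
    for fqdn in ("ise-psn-1.domain.com", "ise-psn-2.domain.com",
                 "sponsor.domain.com", "psn.ise.domain.com", "domain.com"):
        print(f"{fqdn:24} -> {cert_matches(fqdn, *WILDCARD_CERT)}")
    # CWA redirect: first guest-enabled interface IP vs. interface alias FQDN.
    print(redirect_outcome("https://10.1.91.5:8443/...", PSN1_CERT))
    print(redirect_outcome("https://ise-psn1-guest.company.com:8443/...",
                           PSN1_CERT_WITH_ALIAS))
```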
BYOD Fails if Admin & Portal Certs Different
• Problem Statement:
CSCut36534 ISE 1.3 in BYOD provisions Admin cert instead of BYOD portal Cert
CSCut30037 ISE should use portal certificate for provisioning (duplicate)
• Background:
ISE Admin (HTTPS) certificate of the PSN is used for:
1. Responding to requests on HTTPS provisioning
2. Signing the configuration profile for Apple iOS during BYOD onboarding
• Workaround:
Configure PSNs to use same certificate for Admin and Provisioning Portals
BYOD Fails For “Unsupported Device”
• Problem Statement:
ISE relies on Posture Feed to update information on Client OS support based on browser user agent strings
• Solution:
Update Posture Feed information under Administration > System > Settings > Posture > Updates
• Notes:
BYOD is a Plus feature, but access to Posture updates is available without an Apex license.
Devices not supported for supplicant/cert provisioning can still be registered using BYOD if “Allow Network Access” is enabled under the Settings > Client Provisioning page.
Original URL Redirect and HTTPS Redirection Support
WLC Status Update
• Both HTTPS Redirection and Original URL Redirect fixed in WLC 8.0MR1, but for HTTPS only.
Open defect for Original URL Redirect using HTTP.
• CSCur13703 Central Webauth with HTTPS redirect fails
Fixes support for HTTPS redirection AND fixes URL Redirect for Original URL but for HTTPS only.
• CSCur13713 CWA Original URL feature not working
Outstanding defect for HTTP Original URL Redirect support.
ISE Guest Portal Setting
Which Portals Are Customizable? All except the Admin portal
Customization of portals is available for all end-user portals. Another way to say this is that any portal other than the administration portal can be customized with the concepts I’m about to show you. But wait! There’s more! Along with the customization of portals you’ll be able to customize the notifications in email, print and SMS format that are sent from ISE.
1. Guest
2. Sponsor
3. BYOD (Device Registration)
4. My Devices
5. Client Provisioning (Desktop Posture)
6. MDM (Mobile Device Management)
7. Blacklist
Customized notifications (example shown: Your credentials username: trex42 password: littlearms)
For Your Reference
Guest/Sponsor Portals configured under Guest Workcenter
Other Portals configured here:
Blacklist
BYOD (NSP)
Client Provisioning (Posture)
Partner MDM
My Devices
Portal Customization for Guest & Other User-Facing Pages
Note: Admin Portal is NOT customizable
Portal Customization
• Portal changes immediately reflected in ISE Admin UI including theme changes, logos, custom HTML, fields selected for use or display…
Desktop and Mobile Preview Options
Don’t Forget about the Settings option! It includes page specific customization settings
Settings Option in Customization: Sponsor Portal Example
The context of specific settings that affect sponsor users in the flow of the Sponsor portal is better set from the specific pages in Customization. Therefore, the admin must drill into Customization to locate certain important settings, such as:
• Required fields for creating users
• SMS providers available to sponsors
• Separate notifications for username and password
Test Portal URLs Launch portal in new window for testing
https://server.company.com:8443/sponsorportal/PortalSetup.action?portal=44d99ef0-ef7d-11e3-bc94-005056bf2f0a
Logos, Banners, Titles, and Languages Export/Import Properties File for Each Language
Banners/Icons/Logos
For Your Reference
Customize Using Themes
Select Existing Theme
For Your Reference
Portal Customization via Export/Import Theme CSS
Advanced Customization by editing CSS Themes using JQuery Mobile tools
For Your Reference
The Mini Editor
The mini editor is a field available on almost every customizable page. It looks like a text area with basic word processing buttons at the top. It allows the administrator to create WYSIWYG text by typing and using the editor buttons at the top of the editor.
The editor has the ability to change the font, font size, color, and add bold, italic, underline, bullets and links as if you were using a word processor.
Most pages will have an “Optional content” section at the top and the bottom of the page. This means that in addition to being able to edit everything that's already visible on the page, administrators have the ability to add content at the top and bottom with full WYSIWYG markup.
These sections are often used to provide custom instructional text to guests or sponsors right in their pages and can dramatically reduce training costs by eliminating the need for a separate training effort.
For Your Reference
The Mini Editor - Variables
Customers will often want to add variable information to portal pages. Variables are text that looks like $some_variable_name$ in the mini editor and is replaced with an actual value when the page or notification is rendered to the end-user.
You can pick from a list of available variables using the X button in the mini editor. Different variables are available on different pages. (You don’t know the first name of the user if they haven’t logged in yet.)
In the depicted example, the text:
Welcome back $ui_first_name$! You have $ui_time_left$ before your network access is revoked and we unleash a giant serpent to chase you out of the building.
would be rendered for Harry Potter as:
Welcome back Harry! You have 7 hours, 24 minutes before your network access is revoked and we unleash a giant serpent to chase you out of the building.
For Your Reference
The Mini Editor - HTML Source Mode
In addition to WYSIWYG editing capabilities the mini editor also supports the ability to view and edit the HTML source of that content area.
This is a powerful tool for Coders because they can enter in their own CSS, JavaScript, HTML directly into content areas on any given page to do just about anything you’ve seen on the internet.
Clicking on the source button will toggle back and forth between the WYSIWYG and HTML source versions.
Using CSS it is possible to create conditional display logic on a portal page. For example you can show a Boston skyline banner when a guest logs in from Boston and a Chicago skyline banner when a guest logs in from Chicago. While this is an advanced concept, it's pretty concise CSS that makes it work. Details and examples are being added to the Guest Admin documentation.
• Make sure you click out of the HTML mode after you paste in your code, otherwise it will not save.
• Save the portal for changes to be seen in the portal test URL
• Not all JavaScript changes are shown in the mini-preview.
For Your Reference
Enabling Javascript for Portal Customization
Administration > System > Admin Access > Settings > Portal Customization
For Your Reference
Portal Customization Examples
Partner/Public
• ISE How-To Guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html
For Your Reference
How Can Different Users Be Redirected to Different Portals?
Initial Auth Examples: NDG Type, NDG Location, Access/Auth Method, WLAN, NAD, Source IP, Profile
Post Auth Examples: Above + other session attributes (for example, identity, AD group, guest role)
https://supportforums.cisco.com/document/12215996/ise-and-location-based-web-authentication-portals
https://isepb.cisco.com
ISE Portal Builder - Online Tool isepb.cisco.com For Your Reference
ISE Portal Builder - Multiple Prebuilt Templates
ISE Portal Builder – Customize > Export > Import > Done!
ISE Portal Builder Usage Notes
• 100% Online Web-based Tool
• Allows saving and sharing portal and portal content in web.
• Available to Cisco, Partners, and Customers (Requires Registration)
• Extremely easy to use with Online Help, FAQ, and Blog, Demos, Contact link
• Not TAC supported; support is provided on a best-effort basis using the above tools.
• Firefox Uploader Plugin simplifies import into ISE.
• With the plugin loaded, Portal Builder automatically pops up a small window to import content when adding a portal in the ISE admin UI.
• Currently uses Posture File Remediation to store portal content. (Requires Adv/Apex to view)
• Do NOT click Save on the portal or you lose the custom portal settings; the upload takes care of this.
• Do NOT make changes to these portals in the ISE Admin UI. Make changes in PB and re-import. If you need to make changes such as FQDN or cert, then edit in ISE, Save, and reimport the PB portal.
Migrating Custom Portals from ISE 1.2 to 1.3
On ISE Upgrade…
Previous customized HTML pages are copied in as an existing portal
Pages that are migrated are not accessible for further edits
No tools to export/import old HTML pages.
To edit a custom portal that has been migrated will require the portal to be rebuilt.
Portal Builder 1.2 files are not compatible with PB 1.3. No PB portal migration.
Sponsor Groups - Define Privileges for Using Guest Type & Location
• Select Guest Types and Locations that can be used by this group of sponsors
• New pill box selector
Guest Locations and SSIDs
Type to search time zone list
Locations = Usable Time Zones
TZs impact Guest Start/End times
SET THESE UP FIRST !!!
SSIDs are simply for Sponsor/Guest reference. Can include SSID info in guest notifications.
Location Details (select and Edit to replace)
For Your Reference
Sponsor Groups: Permissions
• Determine group permissions
• Limit bulk creation up to 10,000
• Sending SMS and API user are OFF by default
• Viewing Passwords also affects sending credentials
Pre-ISE 1.3 Sponsor Auth
Prior to ISE 1.3, Sponsor Group Policy was used to assign users to Sponsor Groups and assign sponsor privileges.
Multiple conditions supported in addition to group membership.
Sponsor Groups: Membership
• No more Sponsor Group Policy; now just pick your member groups
• IDG that map to AD/LDAP
• In ISE 1.3, Sponsor Group configuration is greatly simplified but limits assignment to group membership only.
Challenge #1: How to Limit Sponsor Access Based on Secondary Attributes?
Solution: Configure ISE as an Authentication Source for Sponsors and define custom conditions that will either permit or deny sponsor access.
Configuration Steps:
1. Define Local ISE PSN(s) as RADIUS Token Server
2. Add ISE RADIUS Server to Sponsor Auth Sequence
3. Add ISE PSN(s) as RADIUS Clients
4. Add Authorization Policy Rules for Sponsor Auth
Define Local ISE PSN(s) as RADIUS Token Server
For Your Reference
Add ISE RADIUS Server to Sponsor Auth Sequence
For Your Reference
Add ISE PSN(s) as RADIUS Clients
For Your Reference
Add Authorization Policy Rules for Sponsor Auth
For Your Reference
Define specific conditions to allow / deny sponsor access.
Permit_Access authorization will allow the sponsor to successfully authenticate to the Sponsor Portal.
Deny_Access authorization will return Access-Reject and cause the sponsor to fail portal authentication.
Policy example matches requests where:
• ISE is the RADIUS client
• AD locale attribute matches the City location defined under AD user properties.
Live Authentications Log
For Your Reference
Employee1 is AD user where City = Cleveland
Employee2 is AD user where City = San Jose
Sponsor Portal User Experience
For Your Reference
Employee1 is allowed access to Sponsor Portal
Employee2 receives error regarding invalid credentials for portal access
Challenge #2: How to Map Sponsor Groups Based on Secondary Attributes?
Solution: Configure a separate LDAP ID Store that maps Group Names to secondary attributes rather than AD/LDAP Group membership.
Configuration Steps:
1. Define new LDAP Identity Store in ISE with Custom Schema
2. Add new Groups in ISE LDAP Store as “Pointer” objects
3. Update AD/LDAP user accounts with custom attribute values that map to new group pointer objects
4. Add New LDAP Store Pointer groups to ISE Sponsor Group configuration
Set New Group Attribute Values under AD/LDAP User
Add New Group Attribute Values under AD/LDAP User
Verify New User Attributes in AD/LDAP from LDAP Browser
employee1 mapped to Cleveland
employee2 mapped to San Jose
For Your Reference
Create New LDAP Identity Store for Sponsor Auth in ISE
Group Map Attribute is the user attribute which contains the group reference; l = locale in this example
Add New LDAP “Pointer” Groups to ISE LDAP Store
Manually enter names (not fetch) to match desired user attribute values
Groups do NOT need to exist in AD/LDAP; they are “pointers” only!
Add/Edit Sponsor Groups using New LDAP Group Names
For Your Reference
Guest Access > Configure > Sponsor Groups
Add the LDAP “Pointer” Groups as Members
Add the LDAP “Pointer” Groups as Members (configured under the Sponsor Group settings)
Value matches any AD/LDAP user with the city/locale attribute set to “San Jose” in their user record.
Add the LDAP “Pointer” Groups as Members
Value matches any AD/LDAP user with the city/locale attribute set to “Cleveland” in their user record.
For Your Reference
Sponsor Portal User Experience
For Your Reference
Employee1 (mapped to Cleveland) only sees Guests they created (currently 0)
Sponsor Portal User Experience
For Your Reference
Employee2 (mapped to San Jose) is able to manage ALL accounts, including those created by other Sponsors
NAC Agent Discovery – Sequential Probing
Most common way Posture Agent discovers PSN is via URL Redirection
NAC 4.9 Discovery Sequence:
1. http discovery probe on port 80 to discovery host (ISE with HTTP Redirect)
2. https discovery probe on port 8905 to discovery host (if configured) (ISE & NAC Appliance)
3. http discovery probe on port 80 to default gateway (ISE with HTTP Redirect)
4. https discovery probe on port 8905 to default gateway (NAC Appliance)
5. L2 UDP Swiss discovery probe port 8905 to default gateway (NAC Appliance)
6. L3 UDP Swiss discovery probe port 8906 to discovery host (if configured) (NAC Appliance)
7. https reconnect probe on port 8905 to previously contacted FQDN: ISE PSN / NAC Server (ISE & NAC)
8. GoTo 1
NAC Agent Discovery Sequence as it pertains to ISE only:
1. http discovery probe on port 80 to discovery host, if configured (via HTTP Redirect)
2. https discovery probe on port 8905 to discovery host, if configured
3. http discovery probe on port 80 to default gateway (via HTTP Redirect)
4. https reconnect probe on port 8905 to previously contacted ISE Policy Services node
5. GoTo 1
AnyConnect Discovery – Parallel Probing
• Default gateway of primary interface, such as 10.86.116.1: /auth/discovery, redirection expected
• Discovery Host, if it was set in the agent profile ISEPostureCFG.xml: /auth/discovery, redirection expected
• enroll.cisco.com (hard coded): /auth/discovery, redirection expected
• Previously connected headends, from ConnectionData.xml: no redirection expected
Is the endpoint on the ISE network?
[acise][debug][SwiftHttpRunner::startHttpDiscovery] [MSG_NS_INTERFACE_CHANGE(0x90a0004)], Start HTTP Discovery
[acise][debug][SwiftHttpRunner::addPreviouslyConnectedHeadendsToTargetList] Probe previous connected headend jiajlu-ise-nat.chaos.test.
[acise][debug][SwiftHttpRunner::collectTargets] Probe targets: 192.168.1.1 enroll.cisco.com 10.0.0.10 - Default route 192.168.1.1, #wifi=0, #nonWifi=2, wlanDot1x=-1, bestDefaultRouteIsWifi=0, #targets=4
[acise][debug][SwiftHttpRunner::probeTarget] Target 10.0.0.10, status is 1. failure
[acise][debug][SwiftHttpRunner::probeTarget] Target enroll.cisco.com, status is 0. success
Redirection is the ONLY supported method for initial discovery!
Discovery Host
When Do I Need to Configure the Discovery Host?
• ISE Posture REQUIRES URL redirection for Client Provisioning and for posture agent discovery
• The Discovery Host (DH) is a single target host/IP where discovery packets are sent.
• Cases where the Discovery Host is needed or helpful to facilitate the URL Redirection process:
IPN deployments: NAD (default GW) unable to redirect. DH packets are redirected by the IPN when the packet hits the IPN.
Split Tunnel RA VPN: With ASA 9.2.1+ deployments, the ASA can redirect when it is the default gateway. In split tunnel, gateway discovery may fail and a DH is required for interception by the ASA.
Minimize Redirection Impact: Redirect DH only, to limit redirect to CP / Posture only, not general access.
Browser Proxy Workaround
Discovery Host for IPN Deployments
Figure: VPN user on the Internet behind an ASA; internal network with PSN, IPN, server farm and protected net/DMZ.
• Posture discovery to default gateway: no URL redirection, so the packet is dropped.
• Posture discovery to Discovery Host: the IPN is in the packet path to the internal host, so the packet is redirected before it reaches the host.
• Potential DH targets for an IPN deployment: internal hosts behind the IPN.
Discovery Host for Split Tunnel VPN ASA 9.2.1+ Example
Figure: VPN user on the Internet behind an ASA (9.2.1+); internal network with PSN, server farm and protected net/DMZ.
• Posture discovery to default gateway (no split tunnel): the ASA redirects the discovery packet to the default GW.
• Posture discovery to default gateway (split tunnel): redirection fails from the remote router.
• Posture discovery to Discovery Host: the ASA is in the packet path to the internal host, so the packet is redirected before it reaches the host.
• Potential DH targets for an ASA deployment: internal hosts reached through the ASA.
Discovery Host “Open Mode”
• Redirect ACL example:
ip access-list extended ACL-POSTURE-REDIRECT
 permit ip any host X.X.X.X
 (deny ip any any)
• Endpoint with NAC Agent pre-installed:
• Set Discovery Host to a universal DNS entry (Ex: dh.company.com) that resolves to X.X.X.X
• Endpoint without agent pre-installed:
• Create a universal DNS entry (Ex: getagent.company.com) that resolves to X.X.X.X
Minimize Redirection Impact
For Your Reference
Discovery Host with Proxies
• By default NAC Agent discovery is on port 80 (or 8905 for DH), but it is possible to override using the syntax DH:port
• Proxy application on wired switches: exclude PSN targets from the proxy config.
• Set the HTTP port on the switch to the proxy port, for example 8080 instead of default port 80: (config)# ip port-map http port 8080
• For NAC Agent, set the DH port to the proxy port. Note: For AnyConnect, all discovery is on port 80 including DH; the port option needs validation.
• Switch now redirects on HTTP traffic sent to the proxy port.
• Proxy now works with CWA, but the posture agent does not use browser proxy settings (CSCuj65787), so you need to change the DH port to allow redirection for both CWA and posture discovery packets.
For Your Reference
Redirect ACL Best Practice (Wired)
• Defines traffic to be redirected or to bypass redirection
• Configured on switch, referenced from ISE Authorization Profile
• Posture example, but applies to all wired redirection
• Example:
ip access-list extended ACL-POSTURE-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny tcp any host <PSN_IP> eq 8443
 deny udp any host <PSN_IP> eq 8905
 deny tcp any host <PSN_IP> eq 8905
 deny tcp any host <Remediation_Server> eq www
 permit ip any any
All remaining traffic gets punted for redirection, not just HTTP/S. Can cause high CPU, especially in entry-level switches.
• NOTE: You may often see ACLs that simply permit or deny all IP access to the PSN. This method will work, although it is less restrictive.
• Recommended Redirect ACL (Wired Switch) - Allows remediation and redirects ALL HTTP/S
ip access-list extended ACL-POSTURE-REDIRECT
 deny tcp any host <Remediation_Server> eq www
 permit tcp any any eq www
 permit tcp any any eq 443
Redirect only HTTP/S not destined for remediation servers. Implicit deny all at end of ACL.
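To make the difference between the two ACLs concrete, here is an added Python example (mine, not Cisco's) that parses the ACEs exactly as written on the slide and classifies constructed sample flows from a posture-pending endpoint as redirected (a permit match, punted to the switch CPU) or bypassed (a deny match, or the implicit deny at the end). <PSN_IP> is taken from the CWA example earlier in the deck; the remediation server and the other addresses are constructed placeholders.

```python
"""Which endpoint traffic does a wired redirect ACL punt for redirection?
Added example: ACLs copied from the slide, sample flows constructed.  In a
redirect ACL 'permit' = redirect (punt to CPU) and 'deny' = forward normally."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PSN_IP = "10.1.99.5"           # <PSN_IP>: eth0 of ise-psn1 in the CWA example
REMEDIATION_IP = "10.1.50.20"  # <Remediation_Server>: constructed placeholder
NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}

BROAD_ACL = [  # ends in 'permit ip any any': everything not denied is punted
    "deny udp any eq bootpc any eq bootps",
    "deny udp any any eq domain",
    "deny tcp any host <PSN_IP> eq 8443",
    "deny udp any host <PSN_IP> eq 8905",
    "deny tcp any host <PSN_IP> eq 8905",
    "deny tcp any host <Remediation_Server> eq www",
    "permit ip any any",
]
RECOMMENDED_ACL = [  # implicit deny at the end: only HTTP/S is punted
    "deny tcp any host <Remediation_Server> eq www",
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
]

@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp" or "udp"
    dst: str
    dport: int
    sport: int = 40000    # ephemeral source port unless stated

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    dst: Optional[str]    # None = any
    sport: Optional[int]  # None = any
    dport: Optional[int]

def parse_ace(line: str) -> Ace:
    """Parse 'action proto src [eq port] dst [eq port]'; src/dst = any | host X."""
    toks = (line.replace("<PSN_IP>", PSN_IP)
                .replace("<Remediation_Server>", REMEDIATION_IP).split())
    i = 2  # cursor into toks, advanced by the two helpers below

    def addr() -> Optional[str]:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return None
        assert toks[i] == "host", f"unsupported address form in: {line}"
        i += 2
        return toks[i - 1]

    def port() -> Optional[int]:
        nonlocal i
        if i >= len(toks) or toks[i] != "eq":
            return None
        i += 2
        return NAMED_PORTS.get(toks[i - 1]) or int(toks[i - 1])

    addr()  # source address: always 'any' in these ACLs
    sport = port()
    dst = addr()
    dport = port()
    return Ace(toks[0], toks[1], dst, sport, dport)

def is_redirected(acl: List[str], flow: Flow) -> bool:
    """First matching ACE decides; no match = implicit deny = not redirected."""
    for ace in map(parse_ace, acl):
        if ace.proto not in ("ip", flow.proto):
            continue
        if ace.dst is not None and ace.dst != flow.dst:
            continue
        if ace.sport is not None and ace.sport != flow.sport:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action == "permit"
    return False

# Constructed sample flows from an endpoint still in the posture-pending state.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "dhcp":            Flow("udp", "255.255.255.255", 67, sport=68),
    "dns":             Flow("udp", "10.1.1.53", 53),
    "agent_to_psn":    Flow("tcp", PSN_IP, 8905),
    "remediation_www": Flow("tcp", REMEDIATION_IP, 80),
    "internet_http":   Flow("tcp", "203.0.113.10", 80),
    "internet_https":  Flow("tcp", "203.0.113.10", 443),
    "smb_fileserver":  Flow("tcp", "10.1.60.7", 445),
}

def compare_acls() -> Dict[str, Tuple[bool, bool]]:
    """Flow name -> (redirected by BROAD_ACL, redirected by RECOMMENDED_ACL)."""
    return {name: (is_redirected(BROAD_ACL, f), is_redirected(RECOMMENDED_ACL, f))
            for name, f in SAMPLE_FLOWS.items()}
```

The only flow the two ACLs treat differently is the SMB session: the first ACL punts it to the CPU for redirection (the high-CPU case), the recommended ACL lets it through untouched.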
HA for pxGrid
Steady State
Figure: Primary PAN and Secondary PAN, Primary MnT and Secondary MnT act as pxGrid publishers; two pxGrid nodes (PXG) run as the active pxGrid controller and the standby pxGrid controller. The pxGrid client (subscriber) and the publishers connect to the active controller; ports shown: TCP/5222 and TCP/12001.
• pxGrid clients can be configured with up to 2 servers.
• Clients connect to single active controller
• Maximum two pxGrid nodes per deployment
• Active / Standby
PAN Publisher Topics: • Controller Admin • TrustSec/SGA • Endpoint Profile
MnT Publisher Topics: • Session Directory • Identity Group • ANC (EPS)
HA for pxGrid
Failover and Recovery
Figure: same topology; the active pxGrid controller has failed, and the pxGrid client (subscriber) and the publishers (PAN, MnT) reconnect to the standby pxGrid controller over TCP/5222 and TCP/12001.
If active pxGrid Controller fails, clients automatically attempt connection to standby controller.
PAN Publisher Topics: • Controller Admin • TrustSec/SGA • Endpoint Profile
MnT Publisher Topics: • Session Directory • Identity Group • ANC (EPS)
Cisco Confidential 199 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Important pxGrid Setup Notes
Certificates
• ISE 1.3: If using self-signed certificates (the default ISE-issued cert for pxGrid/Admin), the Primary PAN (PPAN) does not trust its own cert, so you need to export its self-signed cert and import it into the ISE trust store (fixed in ISE 1.4). If using CA-signed certs for pxGrid, import the CA cert into the Trust store.
• ISE 1.4: Should only need to import the CA trust cert, or the self-signed certs of the other nodes, into the PPAN. Trust certs are replicated to the other nodes (pxGrid and PAN).
• Wildcard certs are not supported for pxGrid.
WSA Integration
• WSA 8.7: The pxGrid persona must be on the same node as MnT so that WSA can use the REST API for the initial connection; it then uses pxGrid. Target fix 8.8 or sooner.
Serviceability: Right-Click in Live Log & Live Sessions
• Adds Right-Click > Copy for the Endpoint ID & Identity fields in Live Log
Serviceability: Debug Endpoint
• Creates a debug file of all activity for all services related to that specific endpoint
• Executed and stored per PSN
• Can be downloaded as separate files per PSN
• Or merged into a single file
Serviceability: Off-Line Examination of Configuration
• Exportable Policy
• Quick Link to Export Page
Serviceability: Per-Endpoint Time-Constrained Suppression
• Accessed via right-click
Sizing Production VMs to Physical Appliances: Summary
Appliance used for sizing comparison:

Appliance                       CPU # Cores   CPU Clock Rate (GHz)   Memory (GB)   Physical Disk (GB)*
SNS Large (ISE-3495)            8             2.4                    32            600
SNS Small (ISE-3415)            4             2.4                    16            600
ISE Large (ISE-3395)            8             2.0                    4             600
ISE Medium (ISE-3355)           4             2.0                    4             600
ISE Small (ACS-1121/ISE-3315)   4             2.66                   4             500

* Actual disk requirement is dependent on persona(s) deployed and other factors. See slide on Disk Sizing.
Configuring CPUs in VMware
• ESXi 4.1 Example
• ESXi 5.x Example
Configure CPU based on cores. If HT is enabled, logical CPUs are effectively doubled, but the number of cores is the same.
Setting CPU and Memory Allocations in VMware
Guest VM Resource Reservations and Limits
• CPU Example
Optionally set the CPU allocation limit >= the minimum ISE VM specs to prevent over-allocation when the CPU actually assigned exceeds the ISE VM requirements.
Set the Reservation to the minimum VM appliance specs to ensure the required CPU resources are available and not shared with other VMs.
• Memory Example
Similar settings apply to the maximum allocation and minimum reservation for Memory.
ISE 1.3 VMware OVA Templates
• OVA Templates map to Small and Large hardware appliances
  • EVAL (Evaluation / Lab testing)
  • SNS-3415 (Small)
  • SNS-3495 (Large)
• Simplifies VM deployment
• Ensures proper VMware settings
Presets (with reservations):
• vCPU cores
• Memory
• Disk Storage
• Network Interfaces
ISE-1.3.x.x-Eval-100-endpoint.ova:
• 2 CPU cores
• 4 GB RAM
• 200 GB disk
• 4 NICs
ISE-1.3.x.x-Virtual-SNS-3415.ova:
• 4 CPU cores
• 16 GB RAM
• 600 GB disk
• 4 NICs
ISE-1.3.x.x-Virtual-SNS-3495.ova:
• 8 CPU cores
• 32 GB RAM
• 600 GB disk
• 4 NICs
ISE Virtual OS and NIC Support: Today and Tomorrow
• ISE 1.3
  • VMware ESX 4.x
  • VMware ESX 5.x
• ISE 1.4
  • VMware ESX 5.x only
• ISE 2.0
  • VMware ESX 5.x
  • VMware ESX 6.x
  • KVM
Notes for ISO installs using VMware Virtual Appliance:
• Choose Redhat Linux 6 (64-bit)
• Manually enter resource reservations
• Choose either E1000 or VMXNET3 (default)
• ESX Adapter Ordering Based on NIC Selection:

ADE-OS   ISE   E1000   VMXNET3
eth0     GE0   1       4
eth1     GE1   2       1
eth2     GE2   3       2
eth3     GE3   4       3

* Note: The ordering issue is not seen with fewer than 4 VM NICs. This is why we are using E1000 NICs in the OVAs.
ISE VM Production Disk Size Requirements by Persona

Persona               Disk (GB)
Standalone            200+*
Administration Only   200-300**
Monitoring Only       200+*
Policy Service Only   200
Admin + MnT           200+*
Admin + MnT + PSN     200+*

* Upper range sets # days of MnT log retention; 500 GB minimum recommended for production. Max hardware appliance disk size = 600 GB; max VM disk size = 2 TB.
** Variations depend on where backups are saved or upgrade files are staged (local or repository), debug, local logging, and data retention requirements.
MnT Node Log Storage Requirements
Days of Retention Based on # Endpoints and Disk Size

Total Endpoints   Total Disk Space Allocated to MnT Node
                  200 GB   400 GB   600 GB   1024 GB   2048 GB
10,000            126      252      378      645       1,289
20,000            63       126      189      323       645
30,000            42       84       126      215       430
40,000            32       63       95       162       323
50,000            26       51       76       129       258
100,000           13       26       38       65        129
150,000           9        17       26       43        86
200,000           7        13       19       33        65
250,000           6        11       16       26        52
VM Appliance Resource Validation Before Install
• Validate VM readiness BEFORE install & deploy
VM Appliance Resource Validation During Install
• ISE 1.3 install will not even proceed without (the EVAL settings):
  • 4 GB RAM
  • 2 CPU Cores
  • 100 GB Disk
VM Appliance Resource Validation After Install
• ISE continues to test I/O read/write performance at intervals
• Alarm generated if the 24-hr average is below requirements

ise-psn2/admin# show tech | begin "disk IO perf"
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 194 MB/second
Average I/O bandwidth reading from disk device: over 1024 MB/second
I/O bandwidth performance within supported guidelines
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 1.47342 s, 213 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 0.0504592 s, 6.2 GB/s
Current ISE VM Deployment Guidance
• Thin Provisioning officially supported in ISE 1.3
• Hyper-Threading not required, but can improve TPS
• IO Performance Requirements:
  • Read 300+ MB/sec
  • Write 50+ MB/sec
• Recommended disk/controller:
  • 10k RPM+ disk drives
  • Caching RAID Controller
  • RAID mirroring (RAID 5 has slower writes)
  • RAID performance levels: http://www.datarecovery.net/articles/raid-level-comparison.html
• ISE 1.4 removes storage restrictions. This means, for example, that VMFS is not required and NFS is allowed, provided the storage is supported by VMware and meets the ISE IO performance requirements.
• Customers with VMware expertise may choose to disable resource reservations and over-subscribe, but do so at their own risk.
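The "show tech | begin disk IO perf" output that ISE produces is what an engineer reads to decide whether a datastore meets the read 300+ MB/sec and write 50+ MB/sec guidance above. The following is an added example, not Cisco code and not part of the deck, that parses that output and checks each figure against those thresholds. SAMPLE_OUTPUT is the output quoted on the VM validation slide; SLOW_OUTPUT is a constructed sample for an undersized datastore so the failure path is exercised too. It handles the two quirks of the real output: the read figure may be reported as a lower bound ("over 1024 MB/second") and fast filesystem reads are printed in GB/s.

```python
"""Parse ISE's 'show tech | begin "disk IO perf"' section and check it against
the VM I/O guidance (read 300+ MB/s, write 50+ MB/s).

Added example, not part of the Cisco deck or of ISE. SAMPLE_OUTPUT is the
output quoted on the slide; SLOW_OUTPUT is constructed.
"""
import re

SAMPLE_OUTPUT = """\
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 194 MB/second
Average I/O bandwidth reading from disk device: over 1024 MB/second
I/O bandwidth performance within supported guidelines
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 1.47342 s, 213 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 0.0504592 s, 6.2 GB/s
"""

# Constructed output for a datastore that misses the guidance on every figure.
SLOW_OUTPUT = """\
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 38 MB/second
Average I/O bandwidth reading from disk device: 210 MB/second
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 7.9 s, 40 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 1.4 s, 225 MB/s
"""

READ_MIN_MBPS = 300.0    # slide: Read 300+ MB/sec
WRITE_MIN_MBPS = 50.0    # slide: Write 50+ MB/sec

DEVICE_RE = re.compile(
    r"Average I/O bandwidth (writing to|reading from) disk device:\s*"
    r"(over\s+)?([\d.]+)\s*(MB|GB)/second")
FS_RE = re.compile(
    r"filesystem (?:read )?test, (writing|reading)[^\n]*:\s*"
    r"\d+ bytes \([^)]*\) copied, [\d.]+ s, ([\d.]+) (MB|GB)/s")


def _mbps(value, unit):
    """Normalise MB/s or GB/s to MB/s (ISE prints GB/s for fast reads)."""
    return float(value) * (1024.0 if unit == "GB" else 1.0)


def parse_disk_io(text):
    """Extract device-level and filesystem-level read/write bandwidth in MB/s."""
    metrics = {}
    for direction, over, value, unit in DEVICE_RE.findall(text):
        key = "device_write" if direction.startswith("writing") else "device_read"
        metrics[key + "_mbps"] = _mbps(value, unit)
        # 'over 1024 MB/second' means the measurement was capped; keep that fact.
        metrics[key + "_is_lower_bound"] = bool(over)
    for direction, value, unit in FS_RE.findall(text):
        key = "fs_write" if direction == "writing" else "fs_read"
        metrics[key + "_mbps"] = _mbps(value, unit)
    required = {"device_write_mbps", "device_read_mbps", "fs_write_mbps", "fs_read_mbps"}
    missing = required - set(metrics)
    if missing:
        raise ValueError(f"disk IO section incomplete, missing {sorted(missing)}")
    return metrics


def evaluate(metrics, read_min=READ_MIN_MBPS, write_min=WRITE_MIN_MBPS):
    """Compare every measured figure with the guidance; returns name -> (MB/s, ok)."""
    results = {}
    for key in ("device_write", "fs_write"):
        value = metrics[key + "_mbps"]
        results[key] = (value, value >= write_min)
    for key in ("device_read", "fs_read"):
        value = metrics[key + "_mbps"]
        results[key] = (value, value >= read_min)
    return results


if __name__ == "__main__":
    for label, text in (("slide sample", SAMPLE_OUTPUT), ("constructed slow datastore", SLOW_OUTPUT)):
        print(label)
        for name, (value, ok) in evaluate(parse_disk_io(text)).items():
            print(f"  {name:13s} {value:9.1f} MB/s  {'OK' if ok else 'BELOW GUIDANCE'}")
```

The same parser can be pointed at output collected from every PSN before go-live, which is cheaper than waiting for the 24-hour average alarm the slide describes.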
General ISE VM Configuration Guidelines
• Oversubscription of CPU, Memory, or Disk storage is NOT recommended – all VMs should have a 1:1 mapping between virtual hardware and physical hardware.
• CPU: Map 1 VM vCPU core to 1 physical CPU core.
  • Total CPU allocation should be based on physical CPU cores, not logical cores. If HT is enabled, vCPU allocation is still based on physical cores, not logical cores.
• Memory: The sum of VM vRAM may not exceed the total physical memory on the physical server.
  • An additional 1 GB+ of physical RAM must be provisioned for VMware ESXi itself (to cover the ESXi overhead of running VMs). *See Notes Page for details.
• Disk: Map 1 GB of VM vDisk to 1 GB of physical storage.
  • Additional disk space may be required for VMware operations including snapshots.
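As an added example (not Cisco code and not part of the deck), the guidelines above can be turned into a pre-deployment check. OVA_PRESETS carries the vCPU / RAM / disk figures from the ISE 1.3 OVA template slide and ESXI_OVERHEAD_GB is the "1 GB+" reserved for ESXi; the host figures and the snapshot headroom in example_plan() are constructed assumptions. The point it demonstrates is the Hyper-Threading trap: a host with 32 logical CPUs only has 16 physical cores to map vCPUs onto, and a memory plan that looks like an exact fit fails once the ESXi overhead is counted.

```python
"""Check planned ISE VMs against the 1:1 mapping guidance on the slide.

Added example, not part of the Cisco deck. OVA_PRESETS: figures from the
ISE 1.3 OVA slide; ESXI_OVERHEAD_GB: the "1 GB+" the slide reserves for ESXi.
The host figures and snapshot headroom in example_plan() are constructed.
"""

ESXI_OVERHEAD_GB = 1   # slide: provision an additional 1 GB+ of physical RAM for ESXi

OVA_PRESETS = {
    "ISE-1.3.x.x-Eval-100-endpoint.ova": {"vcpu": 2, "ram_gb": 4, "disk_gb": 200},
    "ISE-1.3.x.x-Virtual-SNS-3415.ova": {"vcpu": 4, "ram_gb": 16, "disk_gb": 600},
    "ISE-1.3.x.x-Virtual-SNS-3495.ova": {"vcpu": 8, "ram_gb": 32, "disk_gb": 600},
}


def physical_cores(host):
    """vCPUs are allocated against physical cores. With Hyper-Threading the
    hypervisor reports twice as many logical CPUs, which must not be counted."""
    return host["logical_cpus"] // 2 if host["hyperthreading"] else host["logical_cpus"]


def check_host(host, vms, snapshot_headroom_gb=0):
    """Return {resource: (required, available, ok)} for CPU, memory and disk."""
    cores = physical_cores(host)
    need_vcpu = sum(v["vcpu"] for v in vms)
    need_ram = sum(v["ram_gb"] for v in vms) + ESXI_OVERHEAD_GB
    need_disk = sum(v["disk_gb"] for v in vms) + snapshot_headroom_gb
    return {
        "cpu": (need_vcpu, cores, need_vcpu <= cores),
        "memory": (need_ram, host["ram_gb"], need_ram <= host["ram_gb"]),
        "disk": (need_disk, host["datastore_gb"], need_disk <= host["datastore_gb"]),
    }


def example_plan():
    """Constructed host: 2 sockets x 8 cores with HT (32 logical CPUs), 48 GB RAM,
    1.5 TB datastore; planned VMs are one SNS-3495 and one SNS-3415 template,
    with 100 GB of constructed headroom kept for snapshots."""
    host = {"logical_cpus": 32, "hyperthreading": True, "ram_gb": 48, "datastore_gb": 1500}
    vms = [OVA_PRESETS["ISE-1.3.x.x-Virtual-SNS-3495.ova"],
           OVA_PRESETS["ISE-1.3.x.x-Virtual-SNS-3415.ova"]]
    return check_host(host, vms, snapshot_headroom_gb=100)


if __name__ == "__main__":
    for resource, (need, have, ok) in example_plan().items():
        print(f"{resource:7s} need {need:5d}  have {have:5d}  {'OK' if ok else 'OVERSUBSCRIBED'}")
```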
What’s the Core Message to the Field?
ISE Express offers the same dynamic Guest features of the market-leading Cisco ISE in an entry-level bundle at an aggressive 70-80% discount over the competition.
Cisco ISE Base vs. Cisco ISE Express

                                  Cisco ISE Express                               Cisco ISE Base
Features / Capabilities?          Same                                            Guest Access; RADIUS/AAA
ATP Required for Initial Sale?*   NO                                              YES
Platform Included w/Licensing?    YES – Bundle includes 1 ISE VM + 150 Licenses   NO – Purchase HW or VM and licensing
List Price?                       $2,500 US                                       $6,990 US (ISE VM: $5,990 + Base: $1,000, for 200 licenses)

* NOTE: ATP certification or partner involvement is needed for additional ISE license sales
Cisco ISE Express: Enterprise Guest for Less
Easy, Affordable Guest Services Now Available: Entry-Level Bundle for the Market-Leading Cisco ISE
• The Offer: One (1) ISE VM with ISE Base Licenses for 150 Endpoints for Single Site Deployment (non-distributed, no HA)
• The Features: Guest, RADIUS/AAA, Unlimited Custom Portals with ISE Portal Builder
• The Price: $2,500 US
ISE 1.4 Feature List
• Automatic Admin Node Switchover
• Certificate Management Enhancements
• FIPS Support
• Posture Enhancements
• AnyConnect AMP Enabler
• Multi-MDM Phase 1
• Off-Prem MDM On-boarding
• Guest Enhancements
• SAML SSO for Portals with OAM
• KPM Scripts
Automatic PAN Switchover
• Primary PAN (PAN-1) down or network link down.
• If the Health Monitor is unable to reach PAN-1 but can reach PAN-2, it triggers failover
• Secondary PAN (PAN-2) is promoted by the Health Monitor
• PAN-2 becomes Primary and takes over PSN replication.
[Diagram: DC-1 hosts PAN-1 (Primary) and MNT-1 (Primary) plus PSNs; DC-2 hosts PAN-2 (Secondary) and MNT-2 (Secondary) plus PSNs, connected over the WAN. A PAN Health Monitor in each DC performs direct failover detection; step 1 marks PAN-1 down (X), step 2 is the promotion of PAN-2.]
Note: Switchover is NOT immediate. Total time is based on polling intervals and promotion time. Expect ~30 minutes.
Don’t forget, after switchover the admin must connect to PAN-2 for ISE management!
ISE Admin Failover (Automated Promotion/Switchover)
• Primary PAN and secondary PAN can be in different subnets/locations
• Secondary nodes close to the respective PANs act as their health monitors
• Health Monitors
  • Maximum 2; could be the same node (recommend 2 if available)
  • Requires distributed deployment.
  • Can be any node other than the Admin node (or the same node where the Admin persona is present)
  • Recommend node(s) close to the PAN to be monitored, to differentiate between a local versus a broader network outage, but they should not be on the SAME server if a virtual appliance.
• Monitor Process:
  • The secondary node monitoring the health of the Primary PAN node is the Active monitor
  • On failure detection, the Health Monitor for the Primary PAN node initiates switchover by sending a request to the Secondary PAN to become the new primary PAN
PAN Failover Scenario 1
• Primary PAN (PAN-1) down
• Secondary PAN (PAN-2) takes over
[Diagram: same DC-1 / DC-2 topology as the Automatic PAN Switchover slide; step 1 PAN-1 is down (X), step 2 the PAN Health Monitor promotes PAN-2.]
PAN Failover Scenario 2
• Connection between the Primary PAN and the Secondary PAN is down.
• Connection between the PAN and the Health Monitor is up
• Direct failover detection between PANs would cause a false switchover and data out of sync
• Using an external monitor avoids the false switchover
[Diagram: same DC-1 / DC-2 topology; the link between PAN-1 and PAN-2 is marked down (X) while the PAN Health Monitors still reach their PANs.]
PAN Failover Scenario 3
• Connectivity between the data centers is down
  • Complete network split
  • Cannot be handled by PAN Failover
  • Local WAN survivability required
[Diagram: same DC-1 / DC-2 topology; the WAN between the data centers is marked down (X).]
PAN Failover Configuration
Configuration using GUI only under Administration > System > Deployment > PAN Failover
Alarms in PAN Auto-Failover
Critical Alarms:
• Health check node finds primary PAN down
• Health check node makes a promotion call to secondary PAN
• Health check node is not able to make promotion request to secondary PAN
• Secondary PAN rejects the promotion request made by the health check node
Warning Alarms:
• Invalid auto-failover monitoring
  • Mostly because health check node is out of sync
  • PAN Auto-failover is disabled but primary PAN is receiving health check probes
  • Primary PAN receives health probes from invalid health check node
  • Secondary PAN info with the health check node is not correct
  • Node receiving the health probe says it is not the correct primary PAN node
• No health-check probes received
  • Primary PAN does not receive the health check probes though it is configured
• Promotion of secondary PAN is called by the health check node
PAN Auto-Failover Alarm Details
Drill down on specific alarm to get Detailed Alarm information in a new page
Certificate Management Enhancements
• Multiple certificate management enhancements to help simplify operations including:
• Certificate to portal correlation for admins
• Simplifying the deletion and replacement of certificates
• New “Multi-Use” certificate type (Admin, pxGrid, Portal, EAP)
• API for manual certificate provisioning for non-NSP supported BYOD devices (e.g. Linux PC).
System Certificate Showing Portals and Nodes details
• An info ‘i’ icon is added next to the portal tag on the system certificates listing page.
• Hovering over the ‘i’ icon shows the portals and nodes information, if the tag is assigned to one or more portals.
• ‘none’ is shown when the tag is not associated with any portals
CSR Generation: ‘Multi-Use’ usage
‘Multi-Use’ is a new usage added on the CSR page. This option is used when:
• A single certificate may be used for multiple services
• The user may not know at the time of generating the CSR what service(s) the certificate will be used for.
Note: The default option is ‘Multi-Use’
Certificate Bind Page: Ability to deselect Usage
A usage is selected during CSR generation. However, it can be deselected at the time of binding, in case something changed between the time of CSR generation and certificate binding.
When the earlier selected usage is deselected during bind, the certificate is bound with the ‘Not in use’ usage. The user may edit the certificate later to add the usage(s).
‘Allow Wildcard Certificate’ is selected during CSR generation for wildcard certificates, so it is not required to select this option again on the binding page; the ‘Allow Wildcard Certificate’ selection has been removed from the binding page.
Portal Tag Re-Assignment
• The user is allowed to assign an existing and/or in-use portal group tag to a portal certificate that is being added to the system by CSR & Bind, Import, or Generate Self-Signed Certificate.
• In Edit, the user is allowed to assign an existing and/or in-use portal group tag to a portal certificate only when the portal tag of the certificate being edited is not in use by any portal.
• When a tag re-assignment is submitted, a confirmation dialog with the certificate name is shown to the user to confirm the change
• Once confirmed, the portals are restarted with the changed certificates
Wildcard Certificate: Changes Replicated to All Copies
ERS API for Issuing Endpoint Certificates
• Supports devices that cannot go through BYOD flow.
• REST API used to manually generate certificates
• Enable ERS for Read/Write under Administration > System > Settings
• Leverage ERS SDK for usage.
• Don’t forget the “Accept” header!
Authentication
• Basic Access Authentication
• RFC 2617
• https://www.base64encode.org/
• In: “bob:Lab123”
• Out: “YWRtaW46TGFiMTIz”
• *NOTE: Most other ERS resources only allow operations by an ERS Admin or ERS Operator. The ERS API for certificate provisioning is open to ALL internal users, ALL AD users, and ALL LDAP users. The difference is that only ERS Admins can request a certificate for any CN. All other users must request a certificate with the CN equal to their own username. This is also true for Guest users.
Authentication – ERS Admin vs Normal User
• Putting any value into the CN is a security concern.
• CN MUST equal the requester’s username.
• Users with “ERS Admin” role can request a certificate for Any CN.
• “Validation Error - Illegal values: [The provided CN MUST match your User Name. Only ERS Admins can create certificates for any CN.]”
Payload
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:endpointcert description="Created in ERS" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="cisco.com">
  <certTemplateName>EAP_Authentication_Certificate_Template</certTemplateName>
  <certificateRequest>
    <entry>
      <key>san</key>
      <value>11-22-33-44-55-66</value>
    </entry>
    <entry>
      <key>cn</key>
      <value>bob</value>
    </entry>
  </certificateRequest>
  <format>PKCS12_CHAIN</format>
  <password>Cisco123</password>
</ns3:endpointcert>
REST Call (curl command)
curl -X PUT -H "Authorization: Basic Ym9iOkxhYjEyMw==" \
  -H "Accept: application/vnd.com.cisco.ise.ca.endpointcert.1.0+xml; charset=utf-8" \
  -H "Content-Type: application/vnd.com.cisco.ise.ca.endpointcert.1.0+xml; charset=utf-8" \
  --data @payload -v https://172.21.77.91:9060/ers/config/endpointcert/certRequest > result.zip
• -X: Specifies the HTTP method to use; this needs to be PUT.
• -H: Specifies a header. You need Authorization, Accept, and Content-Type headers.
• --data: Specifies the payload file to use; @ indicates that a filename follows.
• -v: Gives extra details in the output (verbose).
• result.zip: File containing the results. This should be a zip file with the certificates and keys, but it can also contain error messages if the request wasn’t successful.
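The same request as the curl command, written as an added Python example (not Cisco code, not the ERS SDK, and not part of the deck). It builds the Basic credential (for bob:Lab123 this yields the "Ym9iOkxhYjEyMw==" value the curl command carries), serializes the endpointcert payload shown on the Payload slide, and issues the PUT with the Accept and Content-Type headers the slide insists on. It also applies, client side, the CN rule from the Authentication slide: a non-admin request whose CN differs from the username is rejected before anything is sent, with the same validation error text ISE returns. Port 9060, the path, the media type, the template name and PKCS12_CHAIN are the values on the slides; the host name, credentials, the MAC used as SAN and the output file name are constructed.

```python
"""Request an endpoint certificate through the ISE 1.4 ERS API from Python.

Added example, not from the Cisco deck or the ERS SDK. Port 9060, PUT, the
/ers/config/endpointcert/certRequest path, Basic auth, the vendor media type,
the XML layout and PKCS12_CHAIN come from the slides; host, user, password,
SAN MAC and output file are constructed. Sending is isolated in send_request()
so the builders can be exercised without an ISE node.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MEDIA_TYPE = "application/vnd.com.cisco.ise.ca.endpointcert.1.0+xml; charset=utf-8"
ERS_PATH = "/ers/config/endpointcert/certRequest"
CN_POLICY_ERROR = ("Validation Error - Illegal values: [The provided CN MUST match "
                   "your User Name. Only ERS Admins can create certificates for any CN.]")


def basic_auth_header(username, password):
    """RFC 2617 Basic credential: base64 of 'username:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_cn_policy(requesting_user, cn, is_ers_admin=False):
    """Client-side copy of the rule ISE enforces: only an ERS Admin may request any
    CN; everyone else (internal, AD, LDAP and Guest users) may only request their
    own username as CN. Returns (ok, message)."""
    if is_ers_admin or cn == requesting_user:
        return True, ""
    return False, CN_POLICY_ERROR


def build_payload(cn, san_mac, template, p12_password, description="Created in ERS"):
    """Serialize the endpointcert document in the form shown on the Payload slide."""
    quote = {'"': "&quot;"}
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<ns3:endpointcert description="{escape(description, quote)}" '
        'xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="cisco.com">\n'
        f'  <certTemplateName>{escape(template)}</certTemplateName>\n'
        '  <certificateRequest>\n'
        f'    <entry><key>san</key><value>{escape(san_mac)}</value></entry>\n'
        f'    <entry><key>cn</key><value>{escape(cn)}</value></entry>\n'
        '  </certificateRequest>\n'
        '  <format>PKCS12_CHAIN</format>\n'
        f'  <password>{escape(p12_password)}</password>\n'
        '</ns3:endpointcert>\n'
    ).encode("utf-8")


def payload_summary(payload):
    """Parse a payload back into its fields (a check of what will be sent)."""
    root = ET.fromstring(payload)
    fields = {e.findtext("key"): e.findtext("value") for e in root.iter("entry")}
    fields["template"] = root.findtext("certTemplateName")
    fields["format"] = root.findtext("format")
    return fields


def send_request(host, username, password, payload, out_path="result.zip",
                 verify_tls=True, opener=None):
    """PUT the payload to the PSN and store the reply: on success a ZIP with the
    certificate chain and key, on failure the error text (as the slide notes)."""
    req = urllib.request.Request(
        f"https://{host}:9060{ERS_PATH}", data=payload, method="PUT",
        headers={"Authorization": basic_auth_header(username, password),
                 "Accept": MEDIA_TYPE,          # the slide warns: don't forget Accept
                 "Content-Type": MEDIA_TYPE})
    if opener is None:
        ctx = ssl.create_default_context()
        if not verify_tls:                      # only for lab nodes with untrusted admin certs
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(req, timeout=30) as resp:
        status, body = resp.status, resp.read()
    with open(out_path, "wb") as fh:
        fh.write(body)
    return status, out_path


if __name__ == "__main__":
    user, password, cn = "bob", "Lab123", "bob"          # constructed lab credentials
    ok, message = check_cn_policy(user, cn)
    if not ok:
        raise SystemExit(message)
    payload = build_payload(cn, "11-22-33-44-55-66",
                            "EAP_Authentication_Certificate_Template", "Cisco123")
    print(payload.decode("utf-8"))
    # send_request("ise-psn.example.test", user, password, payload)  # needs a reachable PSN
```

verify_tls stays on by default; an ISE node whose admin certificate is not trusted by the client should have its CA imported rather than have verification switched off outside a lab.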
CSR, Trust and System Certificate page: Multi-Delete
• The user is allowed to select and delete multiple CSRs on the CSR page, and multiple certificates on the Trust and System Certificate pages.
• The ‘Delete’ button is enabled when multiple CSRs or certificates are selected.
• Delete submit checks for certificates that are in use before deleting them.
• If one or more selected certificates is in use, an error message is displayed and no certificate is deleted.
• In the case of a wildcard certificate, selecting any one copy of the wildcard certificate on any one node as part of a multi-delete deletes the copies of the same wildcard certificate on all nodes in the deployment.
• There is a confirmation dialog for wildcard certificate delete; the user needs to confirm it.
• An audit log is generated for deletion of certificates as part of the multi-delete.
Government Certification Support
• FIPS 140-2 Level 1 Support: Federal Information Processing Standard 140-2 is a United States government computer security standard for the use of cryptographic modules to collect, store, transfer, share and disseminate sensitive but unclassified information in government deployments (as well as regulated industries such as finance and health care)
• USGv6 Certification: USGv6 is a US National Institute of Standards and Technology (NIST) developed technical standards profile for US Government (USG) acquisition of IPv6 hosts and routers, and a specification for network protection devices. This certification carries forward from ISE 1.3
• Common Criteria and Unified Capabilities Approved Product List (UC APL): Cisco intends to pursue these certifications with the June submission of the first patch release to the Joint Interoperability Test Command (JITC) – (stretch for June)
Posture Enhancements: Mac OS Support Added for Custom Checks (File / Service / Application)
• File, Service (daemon), and Application (process) checks are now available for Mac OS.
• When Mac OSX is selected…
  • File condition: the file path can have home or root followed by the path.
  • Service condition: the service operator changes to loaded/unloaded.
  • The operating system policy selector can select specific Mac OS versions.
Posture Enhancements: CRC data inside File Condition
• File integrity check, already supported by AC and ASA hostscan.
• Supported for both Windows and Mac OS X.
• Adds a file type named CRC32
• Adds a “File CRC Data” text field to enter the CRC data.
ISE Posture - Patch Management Support
• Adds patch management conditions and remediation similar to AV/AS.
• Supported for Windows and Mac OS
• Remediation currently supported for Windows only.
• Uses OPSWAT technology (like AV/AS posture) to allow AnyConnect to communicate with the local agent.
• ISE does NOT communicate with the Patch Manager directly
• Do not confuse with MDM Partner support, where ISE uses an API to talk to external servers.
• The full list of supported applications of OPSWAT OESIS can be found at: https://www.opswat.com/products/oesis-framework/supported-applications#!product=patch-management
ISE Posture – Patch Management Windows OS Example
• Product Name and Version
• Install is the default supported check for all products; optionally may support checks for “Enabled” or “Up to Date”
• Min version of the compliance module that provides support
ISE Posture – Patch Management Mac OS Example
Patch Management
• Windows and Mac OSX supported.
• The list of vendors is loaded from the OPSWAT update. The selected list is updated according to the selected operating system.
• Checks: Is this patch installed? Is this patch enabled on the client? Is this patch up to date?
• Installed is always supported; Enabled and Up-to-date are not supported by all products.
Patch Management Remediation
• Remediation type – same as AV and AS remediation.
• Operating System – Windows only supported.
• Vendor Name – list is loaded from the OPSWAT update.
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option.
AMP Enabler: AnyConnect Configuration Profile for AMP Enabler (Client Provisioning Resource Configuration with AnyConnect)
• Facilitates Client Provisioning of the AMP client module.
• When adding a new AnyConnect configuration, you will be able to select the AMP Enabler module and select the AMP Enabler profile to use.
AMP Enabler Profile Page
• ISE Posture services now support the download and provisioning of the AMP client module
• The AMP Enabler profile is added under: “Policy -> Policy Elements -> Results -> CP -> Resources”
• Supported on Windows and OSX. Installation location URLs should be updated with the location of the external hosting server.
• The provided URLs should be trusted by ISE. The related certificate should be installed in ISE under Administration -> Certificates -> Trusted Certificates.
AMP Enabler Profile Page
• The AMP Enabler FA will be installed via AnyConnect
• To configure AMP Enabler on ISE 1.4, add an AMP Enabler Profile in “Policy -> Policy Elements -> Results -> CP -> Resources”
• The user can select install or uninstall.
• The AMP Enabler profile can be configured from ISE 1.4 or from a local XML file. Both generate XML that AnyConnect loads to the client.
• If install was selected, provide URLs for Windows and Mac OS installation
• The provided URLs should be trusted by ISE. The related certificate should be installed in ISE under Administration -> Certificates -> Trusted Certificates.
• 3 checkboxes for installation configuration on the client.
• For more info about the AMP Enabler use case, please contact AnyConnect.
Multiple MDM Support
• Multiple Partner MDM servers can be made active on ISE
• Different MDM portals can be created for different MDM servers
• Authorization profiles are used to route traffic to different portals.
• One Authorization policy for un-enrolled devices is required per MDM server
• New MDM dictionary attributes are available – UDID, MEID, MDM Server Name
Note: In a brownfield environment, where devices are already enrolled in multiple MDMs and ISE is then deployed for network enforcement, ISE 1.4 does not support automatically detecting which MDM an endpoint belongs to, which may result in a re-enrollment process for the user. There are multiple workarounds, e.g. exporting MAC addresses from the MDM and importing them into ISE, etc.
This is not an issue for greenfield deployments.
Multiple MDM Support
Multiple MDM vendors can be added to ISE and used simultaneously in policy
MDM Authorization Profiles
• Redirection authorization profile example for MobileIron and Meraki
• MDM Server selection added to the Authorization Profile
Multi MDM Policy Example
• MDM enrollment and compliance example using multiple MDMs (Meraki policies shown)
MDM Dictionary Attributes
New MDM dictionary attributes:
• UDID
• MEID
• MDM Server Name
Multiple MDM – Runtime
• Periodic jobs run for each active MDM server on PAP and PSNs
  • Heartbeat runs every 5 minutes
  • Compliance Check Verifier runs as per admin user configuration
• Device Enrollment
  • Enrollment page redirects to the specific MDM server
  • Device query job every 2 minutes
• API version switching
  • MDM vendors supporting API v2 switch from API v1 to API v2 on ISE
• Endpoint devices switched between vendors
• Reports include Live Logs, External MDM Report, RADIUS Authentications, Endpoints GUI
In General
• Serviceability feature to test APIs
  – Test Connection button on MDM Settings tests the Get MDM Info API
  – Refresh MDM Partner on the Endpoints GUI page tests the Get Device Info API
• MDM server info and device attribute data are logged at Trace level in ise-psc.log
• The heartbeat periodic job constantly monitors and reports MDM servers’ availability
• Endpoints GUI and other reports show the MDM servers associated with the endpoints
• For endpoint enrollment issues:
  – check the MDM vendor’s portal page for device status
  – check if the ISE application has a valid session for this user
MDM Serviceability - Get Device Info API
MDM Onboarding Off-Premise Devices
Allows onboarding of mobile devices to a partner MDM over AnyConnect VPN
Leverages AnyConnect Identity Extensions (ACIDEX) data sent by the AnyConnect VPN client to the ASA and forwarded to ISE in RADIUS Accounting
Requires ASA 9.3.2 and AnyConnect 4.1 and above
AnyConnect 4.1 adds support for UDID, MEID, and IMEI
AnyConnect 4.1 requires a minimum of Android 4.0 and iOS 7.0
The MDM server must support MDM API version 2
Currently (as of the 1.4 release) supported only by Meraki; AirWatch and MobileIron are to add support soon
Off-Prem Partner MDM Onboarding
Supports onboarding of clients to a partner MDM when connecting over remote-access VPN.
Requires AnyConnect and the ASA to collect and transmit AnyConnect Identity Extensions (ACIDEX) attributes via RADIUS to ISE.
In the absence of a MAC address, ISE can now use the UDID (Apple iOS) or IMEI / MEID (Android) to query the partner MDM server for enrollment and compliance status.
Windows, MacOS, and Android (connected over WiFi) can already be correlated using the MAC address with ISE 1.2 Patch 5, ASA 9.2.1, and AnyConnect 3.1MR5 (and above).
Additional iOS and Android support requires ASA 9.3.2 and AnyConnect 4.1.
AnyConnect 4.1 adds support for Apple iOS and Android connected over broadband wireless, the case where no MAC address is available and the UDID or IMEI / MEID is used instead.
For Your Reference
Sample ACIDEX Attributes Received by ISE from AC via ASA
(Screenshots of the Android, iOS, and Windows attribute sets; not reproduced here)
For Your Reference
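The identifier-selection rule described above (MAC when the client reports one, otherwise UDID for iOS and IMEI / MEID for Android) as an added example; this is not ISE or AnyConnect code. It assumes the ACIDEX data reaches ISE as RADIUS Cisco-AVPair strings of the form "mdm-tlv=<name>=<value>"; the attribute names (device-mac, device-uid, device-platform), the platform strings and the identifier formats are assumptions, and the sample AV pairs are constructed. The practitioner point it adds is that a malformed identifier is rejected before it is ever sent to the MDM API.

```python
"""Pick the identifier used to query a partner MDM from ACIDEX data.

Added illustration, not ISE or AnyConnect code. It assumes the ACIDEX data
arrives as RADIUS Cisco-AVPair strings of the form "mdm-tlv=<name>=<value>";
the attribute names and platform strings below are assumptions, not values
taken from the deck.
"""
import re

# Constructed Cisco-AVPair samples, as an ASA might forward them to ISE.
SAMPLE_AVPAIRS = {
    "android-wifi": [
        "mdm-tlv=device-platform=android",
        "mdm-tlv=device-platform-version=4.4.2",
        "mdm-tlv=device-mac=02-00-00-00-00-01",
    ],
    "android-cellular": [                        # no MAC, IMEI carried in device-uid
        "mdm-tlv=device-platform=android",
        "mdm-tlv=device-platform-version=5.0",
        "mdm-tlv=device-uid=490154203237518",    # Luhn-valid sample IMEI
    ],
    "ios-cellular": [                            # no MAC, UDID carried in device-uid
        "mdm-tlv=device-platform=apple-ios",
        "mdm-tlv=device-platform-version=8.1",
        "mdm-tlv=device-uid=" + "a" * 40,
    ],
    "android-bad-imei": [                        # check digit wrong, must be rejected
        "mdm-tlv=device-platform=android",
        "mdm-tlv=device-uid=490154203237519",
    ],
}

MAC_RE = re.compile(r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}$", re.I)
IMEI_RE = re.compile(r"^\d{15}$")                 # 15 digits, Luhn check digit last
MEID_RE = re.compile(r"^[0-9a-f]{14}$", re.I)     # 14 hex digits
UDID_RE = re.compile(r"^[0-9a-f]{40}$", re.I)     # assumed 40-hex iOS UDID format


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_acidex(avpairs):
    """Return {name: value} for every mdm-tlv AV pair; other AV pairs are ignored."""
    tlv = {}
    for pair in avpairs:
        if not pair.startswith("mdm-tlv="):
            continue
        name, sep, value = pair[len("mdm-tlv="):].partition("=")
        if sep and name:
            tlv[name.strip().lower()] = value.strip()
    return tlv


def mdm_lookup_key(avpairs):
    """Return (kind, value) to query the MDM with, or raise ValueError.

    Order follows the deck: MAC when the client reports one (Windows, MacOS,
    Android on WiFi), otherwise UDID for iOS and IMEI / MEID for Android.
    Malformed identifiers are rejected rather than sent to the MDM API.
    """
    tlv = parse_acidex(avpairs)
    mac = tlv.get("device-mac", "")
    if MAC_RE.match(mac):
        return "mac", mac.replace("-", ":").lower()
    platform = tlv.get("device-platform", "").lower()
    uid = tlv.get("device-uid", "")
    if platform == "apple-ios":
        if UDID_RE.match(uid):
            return "udid", uid.lower()
        raise ValueError("iOS session without MAC or well-formed UDID")
    if platform == "android":
        if IMEI_RE.match(uid) and luhn_ok(uid):
            return "imei", uid
        if MEID_RE.match(uid):
            return "meid", uid.lower()
        raise ValueError("Android session without MAC or valid IMEI / MEID")
    raise ValueError(f"no MDM lookup key for platform {platform!r}")


if __name__ == "__main__":
    for label, pairs in SAMPLE_AVPAIRS.items():
        try:
            print(label, "->", mdm_lookup_key(pairs))
        except ValueError as err:
            print(label, "-> rejected:", err)
```

Run it as a script to see each constructed sample mapped to its lookup key; the bad-IMEI sample is rejected by the Luhn check instead of producing a failed MDM query that would show up in the External MDM Report as an unknown device.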
Guest Enhancements – Require an AUP every X hours
Use case:
• A personal device is BYOD registered and uses EAP-TLS
• The administrator requires an AUP every 72 hours for legal reasons
• The device is redirected to the hotspot portal to accept the AUP and update LastAUPAcceptanceHours
• The hotspot portal registers the device into the RegisteredDevices group
Guest Enhancements – Error on maximum connections exceeded
Use case:
• A device is redirected to an error page after exceeding the maximum number of simultaneous logins
• The authorization policy is keyed off the SessionsLimitExceeded attribute, which is required for the redirection
• The device is redirected to the same portal as the initial web authentication; the portal has the intelligence to show the error page because this device has exceeded the count
• This only works for the web authentication flow; it does not work for endpoint-only authorization, because those endpoints are not required to go through the portal. ISE only counts sessions in the web authentication flow.
Guest Enhancements – Change guest type after account created
Use case:
• Need to change the guest type after the account has been created
• This can be done by any sponsor; there is no setting under the sponsor group that restricts this
• A sponsor group can be restricted in which guest types a sponsor can use
Oracle Access Manager SAML SSO: User Login for Sponsor, Guest, and Device Registration Portals
• ISE is the Service Provider (SP); OAM is the Identity Provider (IDP)
• The user logs in to any end-user portal served by the IDP (for example, an Oracle WebLogic interface) and can then access any other portal using SSO. The SAML session is stored in a cookie on the end-user device
• When the user accesses an ISE portal configured for SAML, built-in logic checks for the session cookie:
  – If the cookie exists, the user is signed in via SSO
  – If no cookie exists, the user is redirected to the IDP for authentication. After SSO, the user flow continues as normal
• Supported with the ISE Sponsored Guest, Sponsor, BYOD, and My Devices portals
• Supported providers for ISE 1.4:
  – Oracle Access Manager (OAM)
  – Oracle Identity Federation (OIF)
SAML Flow
• In the diagram:
  – ISE is the Service Provider for the different portals
  – Oracle OAM is the IDP
• The request is sent to the portal
• If the request carries no SAML session cookie, the user is redirected to the IDP for authentication
• After successful authentication at the IDP, the user is redirected back to the original portal with the assertion
• ISE uses the 'username' assertion value for authorization against AD/LDAP stores
For Your Reference
SAML Flow
ISE 1.4 as a SAML Service Provider
For Your Reference
ISE SAML Configuration – Configuration Checklist (1 of 2)
• Import the IDP's certificate, or its CA signing certificate, into ISE to establish mutual trust
• Export the IDP metadata file from the IDP
• Import the IDP provider configuration (metadata) file into ISE
• Update logout settings if needed, but typically leave the IDP defaults
• Add the IDP as the portal's identity store (it cannot be part of an identity source sequence)
For Your Reference
ISE SAML Configuration – Configuration Checklist (2 of 2)
• Export the ISE provider metadata
• Import it into the IDP
• This metadata must be re-exported and re-imported after any of the following changes:
  – A node is registered to the deployment
  – The IP address of one of the nodes in the deployment changes
  – The host name of one of the nodes in the deployment changes
  – A portal FQDN is set or modified
• Make sure the 'username' assertion is defined in the external IDP; the username is required for ISE authorization
For Your Reference
'username' Attribute Assertion
• As part of the SAML assertion returned in the response from the IDP, ISE expects to receive a 'username' attribute assertion
• The 'username' attribute should carry the name of the user who authenticated; it is the name shown in the ISE logs
• The 'username' attribute assertion is mandatory and must be returned by the IDP
For Your Reference
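The SAML flow and the 'username' requirement from the preceding slides, as an added example of the checks a Service Provider performs on the IDP's response before it trusts that attribute; this is not ISE code. The SP entity ID, the OAM issuer URL, the timestamps and the response XML are constructed, and the example assumes the XML signature on the Response or Assertion has already been verified against the IDP certificate imported into ISE (that step is not shown). It goes slightly beyond the slides by also checking the status code, the validity window and the audience, which are what stop a replayed or misdirected assertion from logging a sponsor in.

```python
"""Validate a SAML Response the way an SP must before trusting 'username'.

Added illustration, not ISE code. The SP entity ID, the IDP URL and the
timestamps are constructed. It assumes the XML signature on the Response or
Assertion has already been verified against the IDP certificate imported
into ISE; that step is not shown here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://ise.example.com/portal"      # hypothetical ISE SP entity ID
IDP_ID = "https://oam.example.com/idp"               # hypothetical OAM issuer
ISSUED = datetime(2015, 4, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed
NOW_OK = ISSUED + timedelta(seconds=30)
NOW_LATE = ISSUED + timedelta(minutes=10)

RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}"
  ID="_r1" Version="2.0" IssueInstant="{issued}">
  <saml:Issuer>{idp}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issued}">
    <saml:Issuer>{idp}</saml:Issuer>
    <saml:Subject><saml:NameID>{nameid}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
USERNAME_ATTR = ('<saml:Attribute Name="username">'
                 '<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>')


def _fmt(d):
    return d.strftime("%Y-%m-%dT%H:%M:%SZ")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(username=None, audience=SP_ENTITY_ID, status=SUCCESS):
    """Constructed IDP response; username=None omits the attribute entirely."""
    attrs = USERNAME_ATTR.format(v=username) if username is not None else ""
    return RESPONSE_TEMPLATE.format(
        samlp=NS["samlp"], saml=NS["saml"], issued=_fmt(ISSUED), idp=IDP_ID,
        status=status, nameid="sponsor1@example.com", audience=audience,
        nb=_fmt(ISSUED - timedelta(minutes=1)), na=_fmt(ISSUED + timedelta(minutes=5)),
        attrs=attrs)


def extract_username(response_xml, sp_entity_id, now):
    """Return the 'username' attribute value, or raise ValueError."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IDP did not report success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    assertion = assertions[0]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no validity window")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    # ISE's hard requirement: exactly one non-empty 'username' attribute value.
    path = "saml:AttributeStatement/saml:Attribute[@Name='username']/saml:AttributeValue"
    values = [v.text.strip() for v in assertion.findall(path, NS) if v.text and v.text.strip()]
    if len(values) != 1:
        raise ValueError("IDP must return exactly one non-empty 'username' attribute")
    return values[0]


def login_result(response_xml, now=NOW_OK):
    """Convenience wrapper: the username on success, else the rejection reason."""
    try:
        return "ok:" + extract_username(response_xml, SP_ENTITY_ID, now)
    except ValueError as err:
        return "rejected:" + str(err)
```

With the username missing from the attribute statement the response is rejected even though the IDP reported success, which is the failure you see when the 'username' assertion has not been defined on the IDP side; the audience check is also why the ISE metadata must be re-exported after a portal FQDN or node change, since the IDP otherwise issues assertions for an entity ID the SP no longer presents.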
Oracle Access Manager SAML SSO
Portal Settings choose IDP as Authentication Method
Authz Policy using SAML IDP & LDAP
For Your Reference
Oracle Access Manager SAML SSO – Sponsored Guest Portal flow using test URL
(Screenshots: step 1, step 2, and the login reflected in the Authentication logs)
For Your Reference
Key Performance Metrics (KPM)
• Generate performance metrics:
  – Endpoints Onboarding
  – Endpoints Transactional Load
• Output is saved to local disk and can be copied to a repository for viewing
• Reports are suffixed with a date parameter; if run again on the same day, the earlier report is overwritten
• Can be resource intensive on CPU/memory, so run it during non-peak hours
• Run from the ISE CLI: # application configure ise (options 12 and 13)
KPM in a Nutshell
What is KPM?
• KPM stands for Key Performance Metrics: metrics collected from the MNT nodes about endpoints and their artifacts
Benefits of KPM:
• Two flavors are captured, in two separate spreadsheets:
  – Endpoints Onboarding data: key performance metrics about endpoints, such as total, active, successful, failed, and endpoints onboarded per day
  – Endpoints Transactional Load data: number of RADIUS requests per PSN per hour, ratio of RADIUS requests to active endpoints, how much of that data was persisted in the MNT table and how much was suppressed (to determine the suppression ratio), the average and maximum load on the PSN during that hour, the latency, and the average TPS
For Your Reference
KPM Attributes
KPM OnBoarding Results:
• Total Endpoints: total number of endpoints in the deployment
• Successful Endpoints: how many of them were onboarded successfully
• Failed Endpoints: how many failed to onboard
• New EP/day: new endpoints seen in the deployment for a given day
• Total Onboarded/day: total endpoints onboarded for a given day
KPM Trx Load:
• Timestamp: date/time of an hourly window, derived from the syslogs sent by the PSNs
• PSN name: hostname of the PSN sending syslogs to the MNT collector
• Total Endpoints: total number of endpoints in the deployment
• Active Endpoints: number of endpoints active in the deployment during that hour
• Radius Requests: number of RADIUS requests reported by the PSN for that hour
• RR_AEP_ratio: ratio of RADIUS requests to active endpoints for the hour, i.e. the average number of RADIUS requests an active endpoint makes
• Logged_to_MNT/hr: number of RADIUS requests persisted in the MNT database
• Noise/hr: number of RADIUS requests suppressed; only the counter increases, the data is not persisted in the database
• Supression_hr %: percentage of requests suppressed
• Avg_Load (avg): average load of the PSN during that hourly window
• Max Load (avg): maximum load of the PSN during that hourly window
• Latency_per_request: average latency per RADIUS request
• Avg TPS: average number of transactions per second on that PSN
For Your Reference
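How the transactional-load columns above are derived, as an added example that is not the ISE KPM tool. The input records are constructed (one row per RADIUS request with the PSN that handled it, the endpoint MAC, whether the MNT persisted or suppressed it, and its latency); Avg/Max load is left out because the sample has no load figures, and the threshold used to flag a noisy hour is an assumption rather than anything the deck states.

```python
"""Derive the KPM transactional-load columns from per-request records.

Added illustration, not the ISE KPM tool. The input records are constructed
and assume one row per RADIUS request with the PSN that handled it, the
endpoint MAC, whether the MNT persisted it or suppressed it, and the
request latency. The noisy-hour threshold is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: (timestamp, psn, endpoint MAC, persisted in MNT?, latency ms)
SAMPLE_RECORDS = [
    ("2015-04-01T10:00:05", "psn1", "00:11:22:33:44:01", True, 12),
    ("2015-04-01T10:00:35", "psn1", "00:11:22:33:44:01", False, 8),   # suppressed repeat
    ("2015-04-01T10:01:05", "psn1", "00:11:22:33:44:01", False, 9),   # suppressed repeat
    ("2015-04-01T10:07:40", "psn1", "00:11:22:33:44:02", True, 20),
    ("2015-04-01T10:59:59", "psn1", "00:11:22:33:44:03", True, 15),
    ("2015-04-01T11:00:00", "psn1", "00:11:22:33:44:03", True, 15),   # next hourly window
    ("2015-04-01T10:20:00", "psn2", "00:11:22:33:44:04", True, 30),
    ("2015-04-01T10:20:10", "psn2", "00:11:22:33:44:04", False, 5),
]


def hour_window(ts):
    """Truncate an ISO timestamp to its hourly window, e.g. '2015-04-01 10:00'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").strftime("%Y-%m-%d %H:00")


def kpm_trx_load(records, total_endpoints):
    """Return {(psn, hour): metrics} mirroring the KPM_TRX_LOAD sheet columns."""
    buckets = defaultdict(list)
    for ts, psn, mac, persisted, latency in records:
        buckets[(psn, hour_window(ts))].append((mac, persisted, latency))
    rows = {}
    for key, items in buckets.items():
        requests = len(items)
        active = len({mac for mac, _, _ in items})          # distinct endpoints seen
        logged = sum(1 for _, persisted, _ in items if persisted)
        noise = requests - logged                           # counted but not persisted
        rows[key] = {
            "total_endpoints": total_endpoints,
            "active_endpoints": active,
            "radius_requests": requests,
            "rr_aep_ratio": requests / active,
            "logged_to_mnt": logged,
            "noise": noise,
            "suppression_pct": 100.0 * noise / requests,
            "latency_per_request_ms": sum(lat for _, _, lat in items) / requests,
            "avg_tps": requests / 3600.0,
        }
    return rows


def noisy_hours(rows, max_rr_per_ep=10.0):
    """Flag (psn, hour) windows whose requests per active endpoint exceed an
    assumed threshold; in practice that points at a misbehaving supplicant or
    NAD rather than at genuine endpoint growth."""
    return sorted(k for k, r in rows.items() if r["rr_aep_ratio"] > max_rr_per_ep)


if __name__ == "__main__":
    for key, row in sorted(kpm_trx_load(SAMPLE_RECORDS, total_endpoints=3000).items()):
        print(key, row)
```

In the sample, psn1 handles five requests from three active endpoints in the 10:00 window, two of which were suppressed repeats, so the sheet would show RR_AEP_ratio 1.67 and 40 % suppression; a high ratio with low suppression is the combination worth investigating, because it means the repeated requests are all being persisted and are driving MNT disk use.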
Sample KPM Stats Output
• KPM_TRX_LOAD_<DATE>.xls
• KPM_ONBOARDING_RESULTS_<DATE>.xls
For Your Reference
But Wait! There’s More!
Other ISE 1.4 Enhancements
• MDM: Test Connection Button (MDM page)
• MDM: Refresh Endpoint Button (Endpoints page)
• MDM: Which Authorization Profiles use this server (MDM page)
• Profiler: Feed Test Button (Profiler Feed Services page)
• EPS is now rebranded as ANC
EPS is Now ANC
• Under ISE 1.3, Endpoint Protection Service (EPS) is used to quarantine endpoints based on MAC or IP address. System also supports partner APIs to perform remote quarantine actions.
• Under ISE 1.4, EPS is now Adaptive Network Control (ANC) to better reflect the broader application of services which may be applied to endpoints by ISE and partners via pxGrid.
For Your Reference
Profiler Feed Test Button
• Used to test the connection to the profiler feed service
• May require a proxy server to be configured
• Provides an error message if the connection fails (the error message comes from the feed server) and a success message when it succeeds
• Administration > Feed Service > Profiler
For Your Reference
Differentiators Summary REQUIRED
Differentiator | Major Technical Outcome | Major Business Outcome
Endpoint visibility and access control across Wired, Wireless, VPN | Single policy to manage all network access | Simplify operations while meeting organization compliance requirements
Policy Enforcement embedded into network | Security is enacted across existing traffic channels where most beneficial | Customers leverage the intelligence and investment in existing infrastructure
Context Sharing | Higher levels of security are gained through the sharing of rich contextual data across the entire system | Customers gain significant benefit from leveraging the capabilities of existing IT spend
In a world where any device, user, or application can connect to the network from anywhere at any time, customers are faced with the challenge of detecting all connections and applying business compliance policies that monitor and secure access to their organization's critical resources and data. ISE collects data from multiple sources to deliver on this requirement while sharing this rich content with other systems to enhance overall visibility and security.
ISE/TrustSec Demonstration Options
Partners:
• ATP Resource Center: http://www.ciscosecurityatp.com
>> Includes links to dCloud Demo, POD Links for ISE Training, ISE NFR Download Links, ISE Configured Limited Deployment (COLD) Program, ISE ATP Lab demo equipment
Public
• Video On Demand Demos: http://www.cisco.com/c/en/us/products/security/identity-services-engine/ise_demos.html
• QuickStart Demo Series on YouTube “CiscoISE” channel: https://www.youtube.com/user/CiscoISE
Where To Go for Self Help
Partner
• Tech Talks / Voice of Engineer – Security Deep Dive Series: https://communities.cisco.com/docs/DOC-30977
• ATP Resource Center: http://www.ciscosecurityatp.com
Customer
• ISE Design Guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html
• ISE Collateral, Links to Docs, Software, Support options: http://www.cisco.com/go/ise
Where To Go for Interactive Help
Partner
• Your local Channel SE or Cisco account SE team for a specific customer
• Cisco Communities > Partners > Security: https://communities.cisco.com/community/partner/security
• Until conversion to TSN: Sales Assistance Center (SAC), 24 x 7, all countries, all time zones
  Email: [email protected]
  Phone: +1-408-902-4872 (International), 800-225-0905 (US Toll Free)
  Live Chat: http://tinyurl.com/sacise
  Website: sac.cisco.com (Cisco Internal)
Customer
• Their local Cisco or ATP Partner SE team
• Cisco Support Communities: supportforums.cisco.com
  – TrustSec: cs-trustsec
  – ACS: cs-ciscosecure
  – Switch Identity Features: cs-ibns
  – Wireless Features: cs-wlan
Thank You!