TT ISE AAA.pdf

Date post: 02-Jun-2018
Upload: gazawino1
  • 8/10/2019 TT ISE AAA.pdf

    1/101

Voice of the Engineer Deep Dive Series: AAA, 802.1X, MAB

    Secure Access and Mobility Product Group (SAMPG)

    Connected Architectures Partner Organization (CAPO)

    2/101

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public. Voice of the Engineer: Deep Dive TrustSec & ISE

Partner Enablement through a series of WebEx Training Sessions

Basics are introductory sessions open to AM, SE, FE. Deep Dives are Field Engineer focused.

Deployment information from the Experts for the Experts

Recordings and Slides will be Archived on the Partner Community

Voice of the Engineer Deep Dives: https://communities.cisco.com/docs/DOC-30977

Voice of the Engineer Basics: https://communities.cisco.com/docs/DOC-30718

Solutions approach to partner training
3/101

Identity Services Engine (ISE)

TrustSec & ISE Overview - 9/25/12

AAA, 802.1X, MAB - 10/9/12

ISE Profiling - 10/23/12

Web Auth, Guest & Device Registration - 11/6/12

Bring Your Own Device & EAP Chaining - 11/20/12

Posture & Security Group Access - 12/4/12

Troubleshooting & Best Practices (Submit requests in survey) - 12/18/12

http://cisco.cvent.com/events/voice-of-the-engineer-series-security/event-summary-d707f808c5124beb86ff59ebab996589.aspx

AnyConnect (Tentative Schedule)

AnyConnect VPN - 11/13/12

AnyConnect NAM - 12/11/12

AnyConnect Mobile - 1/8/13

Advanced AnyConnect Configuration - 1/29/13

Content Security - In Planning

https://communities.cisco.com/docs/DOC-30977
4/101

ISE Registration: http://cisco.cvent.com/events/security-basics-ise/event-summary-7c9587527cea465fb40e76a08d9d28e3.aspx

ASA Registration: http://cisco.cvent.com/events/security-basics-asa/event-summary-47f2d80478f141a28cea9c5df3f4e2dd.aspx

https://communities.cisco.com/docs/DOC-30718
5/101

    TrustSec & ISE Overview

    AAA, 802.1X, MAB

    Profiling

Web Authentication, Guest & Device Registration

    Bring your own Device & EAP-Chaining

    Posture & SGA

    Troubleshooting & Best Practices

6/101

    802.1X & MAB

    Identity Sources

    Authentication

    Authorization

    Accounting & Change of Authorization

    Additional considerations for MS environment

    Deployment Phases

8/101

Port-Based Access Control using Authentication

Supplicant <-- EAP over LAN (EAPoL), Layer 2 Point-to-Point --> Authenticator <-- RADIUS, Layer 3 Link --> Auth Server

Beginning:

Supplicant -> Authenticator: EAPoL Start

Authenticator -> Supplicant: EAPoL Request Identity

Supplicant -> Authenticator: EAP-Response Identity: Alice

Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]

Middle (multiple Challenge/Request exchanges possible):

Auth Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]

Authenticator -> Supplicant: EAP-Request: PEAP

Supplicant -> Authenticator: EAP-Response: PEAP

Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]

End:

Auth Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success][AVP: VLAN 10, dACL-n]

Authenticator -> Supplicant: EAP Success

802.1X (EAPoL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms.

When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or PEAP, which defines how the authentication takes place.

9/101

What about all the special cases in the network?

Employee (timed out certificate; renew certificate)

Filtered Employee Access (ACL)

Guest

Devices without supplicants (UPS, POS, ...)

Rogue

Meeting Room

Smart Phones

Tablet PCs

Supplicant switch (NEAT)

10/101

Authenticator -> Endpoint 00.0a.95.7f.de.06: EAPoL: EAP Request-Identity (three Request-Identity frames shown, none answered)

IEEE 802.1X Times Out, MAB Starts

Endpoint -> Authenticator: Any Packet (time until endpoint sends first packet after IEEE 802.1X timeout)

Authenticator -> RADIUS Server: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]

RADIUS Server -> Authenticator: RADIUS Access-Accept

Network Access Granted

Total Time From Link Up To Network Access (covers both waits above)

11/101

Unknown device

Authenticator -> Endpoint 00.0a.95.7f.de.06: EAPoL: EAP Request-Identity (three Request-Identity frames shown, none answered)

IEEE 802.1X Times Out

MAB Starts

Endpoint -> Authenticator: Any Packet (time until endpoint sends first packet after IEEE 802.1X timeout)

Authenticator -> RADIUS Server: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]

RADIUS Server -> Authenticator: RADIUS Access-Accept or Access-Reject

Limited Network Access
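The two timelines above hinge on one number: how long the switch keeps sending EAP Request-Identity before it gives up on 802.1X and starts MAB. The following is an added example (not code from the Cisco deck) that works that number out from the two IOS timers involved and adds the second wait the slides show, the time until the supplicant-less endpoint sends its first frame. It assumes the Cisco IOS defaults of tx-period 30 seconds and max-reauth-req 2, which the deck does not state; the function names are this example's own.

```python
# Added example, not from the Cisco deck: 802.1X-to-MAB fallback timing on a
# Cisco IOS access port, as the deck's MAB timelines describe it.
#
# The authenticator sends EAPoL EAP-Request-Identity, waits "dot1x timeout
# tx-period" seconds, and retransmits "dot1x max-reauth-req" times before it
# abandons 802.1X and starts MAB.  A device without a supplicant therefore
# waits
#
#     dot1x_timeout = tx_period * (max_reauth_req + 1)
#
# and then still has to send a frame before the switch can build the MAB
# Access-Request.  Assumption (not stated in the deck): Cisco IOS defaults are
# tx-period = 30 s and max-reauth-req = 2, which give the often quoted 90 s.

from dataclasses import dataclass

IOS_DEFAULT_TX_PERIOD = 30       # seconds (assumed Cisco IOS default)
IOS_DEFAULT_MAX_REAUTH_REQ = 2   # retransmissions (assumed Cisco IOS default)


def dot1x_timeout_seconds(tx_period: int = IOS_DEFAULT_TX_PERIOD,
                          max_reauth_req: int = IOS_DEFAULT_MAX_REAUTH_REQ) -> int:
    """Seconds from link-up until "IEEE 802.1X Times Out, MAB Starts"."""
    if tx_period < 1 or max_reauth_req < 0:
        raise ValueError("tx-period must be >= 1 and max-reauth-req >= 0")
    # One initial Request-Identity plus max_reauth_req retransmissions,
    # each followed by a full tx-period wait for a reply that never comes.
    return tx_period * (max_reauth_req + 1)


@dataclass(frozen=True)
class MabFallbackTiming:
    """The waits on the deck's timeline, plus the RADIUS round trip."""
    dot1x_timeout: int          # link-up -> MAB starts
    first_packet_delay: float   # MAB starts -> endpoint's first frame
    radius_round_trip: float    # Access-Request -> Access-Accept

    @property
    def total_to_network_access(self) -> float:
        """'Total Time From Link Up To Network Access' on the deck's timeline."""
        return self.dot1x_timeout + self.first_packet_delay + self.radius_round_trip


def mab_fallback_timing(tx_period: int, max_reauth_req: int,
                        first_packet_delay: float,
                        radius_round_trip: float = 0.05) -> MabFallbackTiming:
    return MabFallbackTiming(dot1x_timeout_seconds(tx_period, max_reauth_req),
                             first_packet_delay, radius_round_trip)


def tx_period_for_budget(budget_seconds: int,
                         max_reauth_req: int = IOS_DEFAULT_MAX_REAUTH_REQ) -> int:
    """Largest tx-period that keeps the 802.1X timeout within `budget_seconds`.

    Raises ValueError when even tx-period 1 would exceed the budget, in which
    case max-reauth-req has to come down as well.
    """
    tx_period = budget_seconds // (max_reauth_req + 1)
    if tx_period < 1:
        raise ValueError("budget too small for max-reauth-req %d" % max_reauth_req)
    return tx_period


if __name__ == "__main__":
    default = mab_fallback_timing(IOS_DEFAULT_TX_PERIOD, IOS_DEFAULT_MAX_REAUTH_REQ, 5)
    # The deck's port template sets "dot1x timeout tx-period 10".
    tuned = mab_fallback_timing(10, IOS_DEFAULT_MAX_REAUTH_REQ, 5)
    print("defaults   : 802.1X timeout %ds, total %.2fs"
          % (default.dot1x_timeout, default.total_to_network_access))
    print("tx-period 10: 802.1X timeout %ds, total %.2fs"
          % (tuned.dot1x_timeout, tuned.total_to_network_access))
```

With the defaults the endpoint sits for 90 seconds before MAB even begins; the deck's `dot1x timeout tx-period 10` cuts that to 30 seconds without touching max-reauth-req.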

12/101

Single Host (802.1X): Only one MAC Address is allowed. A 2nd MAC Address causes a Security Violation. (Diagram: Switch, Hub, Endpoint 1, Endpoint 2; enforcement shown: dACL)

Multi-Host: The 1st MAC Address is authenticated. The 2nd endpoint piggybacks on the 1st MAC Address authentication and bypasses authentication. (Diagram: Switch, Hub, Endpoint 1 authenticated, Endpoint 2 piggybacked; enforcement shown: VLAN*)

Multi-Domain Auth (MDA): Each domain (Voice or Data) authenticates one MAC address. A 2nd MAC address on either domain causes a security violation. (Diagram: Switch, Endpoint 1 in the Data domain, an Endpoint in the Voice domain; enforcement shown: VLAN, dACL)

Multi-Authentication: The Voice domain authenticates one MAC address. The Data domain authenticates multiple MAC addresses. dACL or single VLAN assignment for all devices is supported. (Diagram: Switch, Endpoint 1 and Endpoint 2 in the Data domain, one device in the Voice domain; enforcement shown: dACL, VLAN*, VLAN)
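The four host modes differ in exactly one security-relevant way: what happens to the second MAC address on a port. As an added example (not from the Cisco deck), the following small model applies the rules the slide states to a sequence of MAC arrivals, and also models the `authentication violation restrict` setting from the deck's port template against the IOS default of shutting the interface down. The class names, outcome strings and sample MAC addresses are this example's own.

```python
# Added example, not from the Cisco deck: a model of how the four host modes on
# the deck's host-mode slide treat MAC addresses arriving on one access port,
# and what "authentication violation restrict" changes versus the IOS default
# of err-disabling the interface.  Class names and outcomes are this example's.

from dataclasses import dataclass, field
from enum import Enum


class HostMode(Enum):
    SINGLE_HOST = "single-host"     # one MAC on the port
    MULTI_HOST = "multi-host"       # first MAC authenticates, the rest ride along
    MULTI_DOMAIN = "multi-domain"   # MDA: one data MAC + one voice MAC
    MULTI_AUTH = "multi-auth"       # one voice MAC, any number of data MACs


class ViolationAction(Enum):
    SHUTDOWN = "shutdown"   # IOS default: err-disable the whole interface
    RESTRICT = "restrict"   # "authentication violation restrict": drop the new MAC only


AUTHENTICATE = "AUTHENTICATE"              # switch sends a RADIUS Access-Request for this MAC
PIGGYBACK = "PIGGYBACK"                    # admitted with no authentication at all
VIOLATION = "VIOLATION"                    # a second MAC where the mode allows only one
DROPPED = "DROPPED"                        # port is already err-disabled
ALREADY_AUTHORIZED = "ALREADY_AUTHORIZED"  # MAC seen before on this port


@dataclass
class AccessPort:
    mode: HostMode
    violation_action: ViolationAction = ViolationAction.SHUTDOWN
    authenticated: dict = field(default_factory=dict)   # mac -> domain
    piggybacked: set = field(default_factory=set)
    err_disabled: bool = False

    def admit(self, mac: str, domain: str = "data") -> str:
        """What the switch does when `mac` appears in `domain` ('data' or 'voice')."""
        if domain not in ("data", "voice"):
            raise ValueError("domain must be 'data' or 'voice'")
        mac = mac.lower()
        if self.err_disabled:
            return DROPPED
        if mac in self.authenticated or mac in self.piggybacked:
            return ALREADY_AUTHORIZED

        in_domain = [m for m, d in self.authenticated.items() if d == domain]
        if self.mode is HostMode.SINGLE_HOST:
            outcome = AUTHENTICATE if not self.authenticated else VIOLATION
        elif self.mode is HostMode.MULTI_HOST:
            outcome = AUTHENTICATE if not self.authenticated else PIGGYBACK
        elif self.mode is HostMode.MULTI_DOMAIN:
            outcome = AUTHENTICATE if not in_domain else VIOLATION
        else:  # MULTI_AUTH: voice is still single-MAC, data is not
            outcome = AUTHENTICATE if (domain == "data" or not in_domain) else VIOLATION

        if outcome == AUTHENTICATE:
            self.authenticated[mac] = domain
        elif outcome == PIGGYBACK:
            self.piggybacked.add(mac)
        elif self.violation_action is ViolationAction.SHUTDOWN:
            self.err_disabled = True   # the default behaviour the deck's comment warns about
        return outcome


def unauthenticated_hosts(port: AccessPort) -> set:
    """MACs with network access that never went through RADIUS.

    Only multi-host ever produces any: this is the bypass the deck's slide
    describes, and the reason multi-auth is the mode the port template uses.
    """
    return set(port.piggybacked)


if __name__ == "__main__":
    # Constructed MACs in the deck's dotted notation
    pc, phone, second_pc = "00.0a.95.7f.de.06", "00.0a.95.7f.de.07", "00.0a.95.7f.de.08"
    for mode in HostMode:
        port = AccessPort(mode, ViolationAction.RESTRICT)
        results = [port.admit(pc), port.admit(phone, "voice"), port.admit(second_pc)]
        print("%-13s %s  bypassed=%s" % (mode.value, results, sorted(unauthenticated_hosts(port))))
```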

14/101

aaa new-model // Enable AAA
aaa authentication dot1x default group radius // use RADIUS for dot1X Authentication
aaa authorization network default group radius // use RADIUS for Authorization
aaa accounting dot1x default start-stop group radius // Use RADIUS for Accounting
aaa accounting network default start-stop group radius

aaa server radius dynamic-author // Enable Change of Authorization (CoA)
 client {PSN} server-key {RADIUS_KEY}
ip device tracking // Get IP addresses of endpoints for L3 enforcement methods such as redirect

dot1x system-auth-control // Enable dot1X on the switch globally
ip radius source-interface {SOURCE_INT} // Specify source interface for sending RADIUS
radius-server attribute 6 on-for-login-auth // Sends the Service-Type attribute in the access-request packets
radius-server attribute 8 include-in-access-req // To send the IP address of a user to the server in the access request
radius-server attribute 25 access-request include // To include the class attribute

radius-server dead-criteria time 5 tries 3 // Criteria to mark the RADIUS server as dead
radius-server deadtime {DEADTIME} // Time to mark RADIUS server dead in minutes
radius-server host {PSN} auth-port 1812 acct-port 1813 test username {TESTUSER} key {RADIUS_KEY} // Specify a RADIUS (ISE) server host/key and the ports to use, and the live/dead test username (default idle-time 60 minutes)
radius-server vsa send accounting // Limits the set of recognized VSAs to only accounting attributes
radius-server vsa send authentication // Limits the set of recognized VSAs to only authentication attributes

ip http server // Enable http server for CWA
ip http secure-server

15/101

ip dhcp snooping // Another way to get the IP address of a DHCP-enabled endpoint (Optional); DHCP snooping also needs to be enabled on the VLANs
no ip dhcp snooping information option

logging monitor informational // Send syslog to MnT node for syslog correlation with authentication events
logging origin-id ip
logging source-interface {SOURCE_INT}
logging host {MnT} transport udp port 20514
epm logging

username {TESTUSER} password 0 {PASSWORD} // Setup RADIUS test user with password

ip http secure-active-session-modules none // Disallow web access to the switch
ip http active-session-modules none

snmp-server community {SNMP_RO} RO // Accept SNMP read from PSN. Recommended to use an ACL to restrict access
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart // Send SNMP traps to PSN for profiling purpose. If RADIUS accounting is enabled, SNMP trap is optional
snmp-server host public
snmp-server host mac-notification snmp
snmp-server source-interface traps {SOURCE_INT}
mac address-table notification change
mac address-table notification change interval 0

16/101

interface GigabitEthernet x/y/z
 switchport access vlan {VLAN_ID}
 switchport mode access // Set port to access mode; authentication commands cannot run unless the port is in access mode
 switchport voice vlan {VLAN_ID}
 ip access-group DEFAULT_ACL in // Pre-authentication ACL for all unauthenticated traffic
 authentication host-mode multi-auth // Split port into Data/Voice domains and allow multiple devices on the data domain
 authentication open // Forward unauthenticated traffic prior to authentication
 authentication periodic // Enable reauthentication on a port
 authentication timer reauthenticate server // reauthentication timer is sent from PSN
 authentication timer inactivity server // inactivity timer is sent from PSN
 authentication violation restrict // when a new device connects to a port, traffic from the new MAC addresses is dropped. Default behavior is to shut down the interface when a new MAC address is seen
 authentication event fail action next-method // When dot1X fails, then start MAB
 authentication event server dead action reinitialize vlan {VLAN_ID} // PSN Server Dead (Critical VLAN)
 authentication event server dead action authorize voice {VLAN_ID}
 authentication event server alive action reinitialize // When a previously dead PSN becomes alive, reinitialize the interface so connected endpoints can reauthenticate per ISE policy
 mab // Enable MAC Authentication Bypass
 dot1x timeout tx-period 10 // Change the timeout before falling back to MAB
 snmp trap mac-notification change added
 spanning-tree portfast
 authentication port-control auto // Enable authentication on the port.

For more information go to http://www.cisco.com/go/trustsec

17/101

interface GigabitEthernet x/y/z
 switchport access vlan {VLAN_ID}
 switchport mode access // Set port to access mode; authentication commands cannot run unless the port is in access mode
 switchport voice vlan {VLAN_ID}
 authentication host-mode multi-domain // Split port into Data/Voice domains and allow a single device on each domain
 authentication periodic // Enable reauthentication on a port
 authentication timer reauthenticate server // reauthentication timer is sent from PSN
 authentication timer inactivity server // inactivity timer is sent from PSN
 authentication violation restrict // when a new device connects to a port, traffic from the new MAC addresses is dropped. Default behavior is to shut down the interface when a new MAC address is seen
 authentication event fail action next-method // When dot1X fails, then start MAB
 authentication event server dead action authorize vlan {VLAN_ID} // PSN Server Dead (Critical VLAN)
 authentication event server dead action authorize voice {VLAN_ID}
 authentication event server alive action reinitialize // When a previously dead PSN becomes alive, reinitialize the interface so connected endpoints can reauthenticate per ISE policy
 mab // Enable MAC Authentication Bypass
 dot1x timeout tx-period 10 // Change the timeout before falling back to MAB
 snmp trap mac-notification change added
 spanning-tree portfast
 authentication port-control auto // Enable authentication on the port.

20/101

    802.1X & MAB

    Identity Sources

    Authentication

    Authorization

    Accounting & Change of Authorization

    Additional considerations for MS environment

    Deployment Phases

23/101

Administration > Identity Management > External Identity Sources > LDAP

24/101

    Administration > Identity Management > External Identity Sources > Certificate Authentication

Domain suffix may be needed to differentiate for further AD/LDAP lookup

25/101

CRL: Administration > System > Certificates > Certificate Authority Certificates

OCSP: Administration > System > Certificates > OCSP Services

27/101

An account with rights to add/remove machines on the domain is needed

Once the ISE node has been added to the domain, the account information used to join the domain is not stored on ISE

All nodes can be added from the primary admin node

Unless the ISE node is pre-created in AD, it will be added to the Computers OU

It can be moved to another OU

However, GPO settings will not apply to the ISE node

When upgrading ISE, consider having a user with the above rights present, as the ISE node may need to be re-added

There is no service account for native AD integration

28/101

ISE will Join the Domain (PAN and Policy Service Nodes -> AD)

Each ISE Node will join and query AD separately, and have its own Computer Account

31/101

Multiple Domains

If Trust Relationship(s) Exist: Then only need to join one domain.

If no Trust Relationships: Complicated. Depends on Authentication Requirements & EAP Methods. One option: LDAP. Other option: RADIUS-Proxy.

32/101

Protocol        Internal   Active Directory   LDAP   RADIUS Token
PAP             Yes        Yes                Yes    Yes
CHAP            Yes        No                 No     No
MS-CHAPv1/v2    Yes        Yes                No     No
EAP-MD5         Yes        No                 No     No
PEAP-TLS        No         Yes*               Yes*   No
EAP-TLS         No         Yes*               Yes*   No
EAP-GTC         Yes        Yes                Yes    Yes

* TLS authentication does not require a DB, but one can be used for Authorization

33/101

Questions to ask before using an identity source sequence:

Is there any way to differentiate the request using attributes?

How long would the authentication process take?

Use a sequence if the request cannot be differentiated

35/101

About that session... Which one???

NAD: show authentication sessions

ISE: Detailed Authentication Report

Browser: url-redirect for webauth
https://ise11.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&port

NAC Agent: url-redirect for posture
https://ise11.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&port

RADIUS

36/101

Session is created when the NAD sends a RADIUS authentication request to the server

Used for correlation of events

Used for Change of Authorization (CoA)

Depends on time

Session ID C0A8013C00000618B3C1CAFB = NAS IP Address (C0A8013C) + Session Count (00000618) + Time Stamp (B3C1CAFB)
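Because the session ID is what ties the switch's `show authentication sessions` output, the ISE authentication report and the url-redirect together, it helps to be able to take it apart. The following is an added example (not code from the Cisco deck) that decodes the ID the slide shows using the slide's own three-field labelling, pulls the ID out of a redirect URL like the one quoted above, and checks that the NAS address encoded in the ID agrees with the NAS-IP-Address a record claims to come from. The timestamp field is returned as a raw integer since the deck does not give its units; the function names and the sample records are this example's own and constructed.

```python
# Added example, not from the Cisco deck: decoding the Cisco audit session ID
# the deck labels as NAS IP Address + Session Count + Time Stamp, extracting it
# from an ISE url-redirect, and using it to correlate records from different
# sources.  The 8+8+8 hex split follows the deck's labelling; the timestamp is
# kept as a raw integer because the deck does not say what unit it is in.

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SESSION_ID_RE = re.compile(r"\b([0-9A-Fa-f]{24})\b")


@dataclass(frozen=True)
class AuditSessionId:
    raw: str
    nas_ip: str           # first 8 hex digits: IPv4 address of the NAD
    session_count: int    # next 8 hex digits: the NAD's session counter
    timestamp_raw: int    # last 8 hex digits: timestamp field, units not given


def decode_audit_session_id(session_id: str) -> AuditSessionId:
    sid = session_id.strip()
    if not SESSION_ID_RE.fullmatch(sid):
        raise ValueError("audit session id must be 24 hex digits: %r" % session_id)
    nas_ip = str(ipaddress.IPv4Address(int(sid[0:8], 16)))
    return AuditSessionId(sid.upper(), nas_ip, int(sid[8:16], 16), int(sid[16:24], 16))


def session_id_from_redirect_url(url: str):
    """Return the 24-hex session id carried in an ISE url-redirect query, or None.

    Works both for the deck's form (...gateway?C0A8...&port...) and for a
    sessionId=... query parameter, since '=' and '&' are not word characters.
    """
    match = SESSION_ID_RE.search(urlsplit(url).query)
    return match.group(1).upper() if match else None


def nas_matches_session(session_id: str, nas_ip_address: str) -> bool:
    """Consistency check before correlating a record by session id.

    The NAS-IP-Address on the RADIUS request (or the NAD that sent a syslog)
    should equal the NAD encoded in the id; if it does not, the two records do
    not come from the same NAD and should not be treated as one session.
    """
    return decode_audit_session_id(session_id).nas_ip == nas_ip_address


def correlate_by_session(records):
    """Group (source, text) records by the audit session id found in their text."""
    groups = {}
    for source, text in records:
        match = SESSION_ID_RE.search(text)
        if match:
            groups.setdefault(match.group(1).upper(), []).append(source)
    return groups


# Constructed sample records (not real NAD or ISE output) sharing the deck's id
SAMPLE_RECORDS = [
    ("nad-syslog", "Audit-Session-ID C0A8013C00000618B3C1CAFB assigned to Gi1/0/7"),
    ("ise-report", "Session C0A8013C00000618B3C1CAFB authenticated alice via PEAP"),
    ("redirect", "https://ise11.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&portal=cwa"),
    ("other-nad", "Audit-Session-ID C0A8013D000000A1B3C1CB10 assigned to Gi1/0/2"),
]

if __name__ == "__main__":
    print(decode_audit_session_id("C0A8013C00000618B3C1CAFB"))
    print(correlate_by_session(SAMPLE_RECORDS))
```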

40/101

    802.1X / MAB / WebAuth

41/101

802.1X / MAB

RADIUS Attributes: Service type, NAS IP, Username, SSID

EAP Types: EAP-FAST, EAP-TLS, PEAP, EAP-MD5, Host lookup

Policy > Authentication

42/101

Well-used attributes highlighted

    Policy > Authentication

43/101

    802.1X RADIUS

    Username != MAC address

    Service-Type = Framed

    NAS-Port-Type = Ethernet

44/101

    MAB RADIUS

    Username = MAC Address

    Service-Type = Call-Check

    NAS-Port-Type = Ethernet

45/101

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

46/101

Authentication Method / EAP Method / Type of user / SSID

Service-Type: Call-Check = MAB; Outbound = LWA; Framed = 802.1X

Username: Ends with @d; Starts with h

Tunnel-Type: EAP-FAST; PEAP

Called-Station-Id: M (aa-bb-cc-)
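The 802.1X and MAB rules above each pair two RADIUS attributes, and the pairing is the point: a MAC-shaped User-Name alone is not MAB, and Service-Type Framed alone is not 802.1X. The following is an added example (not code from the Cisco deck) that classifies a RADIUS Access-Request from the attributes the NAD fills in, using the deck's conditions and the standard numeric values for Service-Type (Framed 2, Outbound 5, Call-Check 10) and NAS-Port-Type (Ethernet 15, Wireless-802.11 19). It also normalises the MAC notations a NAD may put in User-Name, including the dotted form the deck uses. The function names and the sample requests are this example's own and constructed.

```python
# Added example, not from the Cisco deck: classify an incoming RADIUS
# Access-Request the way the deck's authentication-policy conditions do, from
# Service-Type, User-Name and NAS-Port-Type.  Numeric attribute values are the
# standard RADIUS (RFC 2865) ones; the request dictionaries are constructed.

import re

SERVICE_TYPE_FRAMED = 2          # Framed      -> 802.1X
SERVICE_TYPE_OUTBOUND = 5        # Outbound    -> LWA (local web authentication)
SERVICE_TYPE_CALL_CHECK = 10     # Call-Check  -> MAB
NAS_PORT_TYPE_ETHERNET = 15      # wired
NAS_PORT_TYPE_WIRELESS = 19      # Wireless-802.11

_SEPARATORS = re.compile(r"[.:\-]")
_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return a 12-hex-digit lowercase MAC for any common notation, else None.

    Accepts 00.0a.95.7f.de.06 (the deck's notation), 00:0a:95:7f:de:06,
    00-0a-95-7f-de-06 and 000a.957f.de06; 'alice' or 'host/pc1' give None.
    """
    if not isinstance(value, str):
        return None
    compact = _SEPARATORS.sub("", value.strip()).lower()
    return compact if _MAC12.match(compact) else None


def medium(attrs):
    """'Wired' or 'Wireless' from NAS-Port-Type, 'Unknown' otherwise."""
    port_type = attrs.get("NAS-Port-Type")
    if port_type == NAS_PORT_TYPE_ETHERNET:
        return "Wired"
    if port_type == NAS_PORT_TYPE_WIRELESS:
        return "Wireless"
    return "Unknown"


def classify_access_request(attrs):
    """Return (method, medium) for an Access-Request given as an attribute dict.

    Both halves of each deck condition must hold: a MAC-shaped User-Name with
    Service-Type Framed, or a real username with Call-Check, is reported as
    UNMATCHED rather than guessed, so it falls to the policy's default rule.
    """
    service_type = attrs.get("Service-Type")
    user_is_mac = normalize_mac(attrs.get("User-Name", "")) is not None
    if service_type == SERVICE_TYPE_CALL_CHECK and user_is_mac:
        method = "MAB"
    elif service_type == SERVICE_TYPE_FRAMED and not user_is_mac:
        method = "802.1X"
    elif service_type == SERVICE_TYPE_OUTBOUND:
        method = "LWA"
    else:
        method = "UNMATCHED"
    return method, medium(attrs)


# Constructed sample requests (not captured traffic)
SAMPLE_REQUESTS = {
    "mab-wired":    {"User-Name": "00.0a.95.7f.de.06", "Service-Type": 10, "NAS-Port-Type": 15},
    "dot1x-wired":  {"User-Name": "alice", "Service-Type": 2, "NAS-Port-Type": 15},
    "lwa-wireless": {"User-Name": "guest42", "Service-Type": 5, "NAS-Port-Type": 19},
    "mac-as-dot1x": {"User-Name": "000A957FDE06", "Service-Type": 2, "NAS-Port-Type": 15},
    "name-as-mab":  {"User-Name": "alice", "Service-Type": 10, "NAS-Port-Type": 15},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_REQUESTS.items():
        print("%-13s -> %s" % (name, classify_access_request(attrs)))
```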

47/101

This section can be used to enable authentication protocols

Also includes protocol-specific configuration options

This screen also allows enabling

If FIPS mode is enabled globally, some protocols will not be available

    Policy > Policy Elements > Results > Authentication > Allowed Protocols

48/101

    Policy > Authentication

    EAP-TLS

49/101

Why would we want to Drop when the process fails?

Why would we want to Continue when the user is not found?

Reject: Send Access-Reject to the NAD

Continue: Continue to authorization regardless of the authentication result

Drop: Do not respond to the NAD; the NAD will treat it as if the RADIUS server is dead

As the note states, not all EAP methods support the Continue option

"I will pretend I am not available"

50/101

When to drop a RADIUS request

Global Config:

radius-server host 1.1.1.1 key cisco123
radius-server host 2.2.2.2 key cisco123
radius-server deadtime

RADIUS server 1.1.1.1: "I will pretend I am not available"

NAD: "1.1.1.1 is down, let me try 2.2.2.2"

RADIUS server 2.2.2.2 answers the request

51/101

When to send Access-Accept for unknown MAB authentication

ACCESS-REJECT (NAD controlled):
- ISE sends Access-Reject to the NAD
- No-response VLAN (Guest VLAN)
- Lack of visibility from ISE
- CoA is not supported
- ACL for enforcement

ACCESS-ACCEPT (RADIUS controlled):
- ISE sends Access-Accept to the switch
- Can assign dynamic VLAN / dACL
- User access visible from ISE
- Supports CoA operations

52/101

Use case                 AuthC Method                 ID Store
Employee / Machine       PEAP-MSCHAPv2                AD
Contractor               EAP-FAST-GTC                 LDAP
Guest                    Central Web Authentication   ISE - Internal
Supplicantless devices   MAB                          ISE - Internal
IP Phone / LWAP          MAB                          ISE - Internal
VPN                      Token                        SecurID

(AuthZ Conditions and Permissions columns are filled in on the authorization slide)

53/101

    Policy > Authentication

    Where is the authentication policy for guest use case?

56/101

802.1X / MAB / WebAuth

57/101

What Permissions, based on the Conditions?

    802.1X / MAB

    Policy > Authorization

58/101

AuthZ Conditions: External Identity Groups, PG, Posture State, RADIUS & Session Attributes

Administration > Identity Management > External Identity Sources > AD

59/101

    Administration > Identity Management > External Identity Sources > AD

    External AttributeExternal Groups

    Policy > Authorization

Policy > Policy Elements > Results > Authorization

60/101

    Policy > Policy Elements > Results > Authorization

Well-used Permissions highlighted

- With ACCESS-ACCEPT, NAD applies additional attributes
- With ACCESS-REJECT, no attributes can be set

62/101

    MAB RADIUS

    Downloadable ACL

63/101

    MAB RADIUS

    VLAN ID

65/101

Use case                 AuthC Method                 ID Store         AuthZ Conditions    Permissions
Employee / Machine       PEAP-MSCHAPv2                AD               AD security group   F
Contractor               EAP-FAST-GTC                 LDAP             AD security group   L
Guest                    Central Web Authentication   ISE - Internal   ISE Guest group     Ia
Supplicantless devices   MAB                          ISE - Internal   Profiled group      F
IP Phone / LWAP          MAB                          ISE - Internal   Profiled group      F
VPN                      Token                        SecurID                              F

    Policy > Authorization

66/101

    Policy > Authorization

    Advanced Editing

67/101

Advanced Editing

68/101

    Advanced Editing

    Simple Conditions

70/101

    802.1X & MAB

    Identity Sources

    Authentication

    Authorization

    Accounting & Change of Authorization

    Additional considerations for MS environment

    Deployment Phases

72/101

RADIUS Accounting:

Provides additional information about the session

Marks end of a session (Removes endpoint from licensing count)

Provides IP address

Also shown alongside: Profile, Device Sensor, Proxy EAPoL Logoff, CDP 2nd port
  • 8/10/2019 TT ISE AAA.pdf

    73/101

  • 8/10/2019 TT ISE AAA.pdf

    74/101

    2012 Cisco and/or its affiliates. All rights reserved. Cisco PublicVoice of the Engineer : Deep Dive TrustSec & ISE

Change of Authorization (CoA)

RADIUS
- The RADIUS protocol is initiated by the network device.
- Without CoA there is no way to change an authorization from ISE once the session is up.

CoA
- Now the network device listens for CoA requests from ISE.
- CoA actions: Re-authenticate; Terminate; Terminate with port bounce; Terminate and disable host port.

Switch configuration:

  aaa server radius dynamic-author
   client {PSN} server-key {RADIUS_KEY}

The server-key must match the shared secret configured for this network device in ISE; a mismatch makes the switch silently drop the CoA. IOS listens for CoA on UDP 1700 by default (the RFC 5176 default is 3799).

802.1X authentication followed by a CoA re-authentication

Supplicant --(EAP over LAN, Layer 2 point-to-point)-- Authenticator --(RADIUS, Layer 3 link)-- Auth Server

Initial Authentication
 1. Authenticator -> Supplicant: EAPoL Request Identity
 2. Supplicant -> Authenticator: EAP-Response Identity: Alice
 3. Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
 4. Auth Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
 5. Authenticator -> Supplicant: EAP-Request: PEAP
 6. Supplicant -> Authenticator: EAP-Response: PEAP
 7. Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
    (further Access-Challenge / Access-Request rounds carry the rest of the PEAP exchange)
 8. Auth Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
 9. Authenticator -> Supplicant: EAP Success

Change of Authorization
 10. Auth Server -> Authenticator: RADIUS CoA-Request [VSA: subscriber: reauthenticate]
 11. Authenticator -> Auth Server: RADIUS CoA-Ack

Re-Authentication
 12. The authenticator restarts the EAPoL exchange (steps 1-9); the new Access-Accept carries the current authorization.
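The CoA-Request in steps 10-11 is an ordinary RADIUS packet with code 43, a Cisco AV pair and an authenticator computed from the shared secret. The following Python is an added example (not code from the Cisco deck or from ISE) that builds such a request the way a PSN would, parses it, and performs the check a switch with `aaa server radius dynamic-author` performs before acting: recomputing the Request Authenticator with its own server-key. The session identifier, MAC address and key are constructed sample values; the Message-Authenticator attribute is left out to keep the example short.

```python
"""Build, verify and answer a RADIUS CoA-Request (RFC 5176).

Added example, not from the Cisco deck: models the CoA-Request a PSN sends
to a switch configured with 'aaa server radius dynamic-author', and the
checks the switch performs before acting. Packet construction only;
nothing is sent on the wire."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45            # RFC 5176 packet codes
CALLING_STATION_ID, ACCT_SESSION_ID, VENDOR_SPECIFIC = 31, 44, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                  # cisco-avpair = VSA 26 / vendor 9 / sub-type 1


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value; Length covers the header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific attribute wrapping a cisco-avpair string such as
    'subscriber:command=reauthenticate'."""
    inner = attr(CISCO_AVPAIR, text.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 s.3 (same rule as the RFC 2866 Accounting-Request):
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_coa_request(secret, ident, session_id, mac, command="reauthenticate"):
    """CoA-Request identifying the session (Acct-Session-Id, Calling-Station-Id)
    and carrying the Cisco subscriber command."""
    attrs = (attr(ACCT_SESSION_ID, session_id.encode())
             + attr(CALLING_STATION_ID, mac.encode())
             + cisco_avpair("subscriber:command=" + command))
    auth = request_authenticator(COA_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse(packet):
    """Return (code, identifier, authenticator, attributes). Cisco AV pairs are
    unwrapped to ('cisco-avpair', text); everything else stays (type, bytes)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    auth, body, attrs = packet[4:20], packet[20:], []
    while body:
        atype, alen = body[0], body[1]
        if alen < 2 or alen > len(body):
            raise ValueError("bad attribute length")
        value, body = body[2:alen], body[alen:]
        if (atype == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
                and value[4] == CISCO_AVPAIR):
            attrs.append(("cisco-avpair", value[6:4 + value[5]].decode()))
        else:
            attrs.append((atype, value))
    return code, ident, auth, attrs


def verify_coa_request(packet, secret):
    """The switch side: recompute the Request Authenticator with its own
    server-key and compare. A key mismatch means the request is silently
    dropped, which is the usual reason a CoA appears to do nothing."""
    code, ident, auth, _ = parse(packet)
    expected = request_authenticator(code, ident, packet[20:], secret)
    return code == COA_REQUEST and hmac.compare_digest(auth, expected)


def coa_command(packet):
    """Subscriber command carried by the request, e.g. 'reauthenticate'."""
    for name, value in parse(packet)[3]:
        if name == "cisco-avpair" and value.startswith("subscriber:command="):
            return value.split("=", 1)[1]
    return None


def build_coa_response(request, secret, ack=True):
    """CoA-ACK (44) or CoA-NAK (45) with no attributes. Response Authenticator =
    MD5(Code + Identifier + Length + Request Authenticator + attributes + secret)."""
    header = struct.pack("!BBH", COA_ACK if ack else COA_NAK, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```

Because the Request Authenticator covers every attribute, any change to the session identifiers or the command after signing fails `verify_coa_request`, exactly as a forged or mis-keyed CoA would be ignored by the switch.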

CoA: 802.1X / MAB / WebAuth

Additional considerations for MS environment

Identity source: Active Directory

- All attributes will be [...] for all users
- Use the Groups tab for group membership instead of attributes
- For a large AD, consider entering the group name manually rather than browsing
- Limited RegEx available
- A Global Catalog Server (GCS) has visibility into all domains of the forest; however, only a partial attribute set is present on the GCS

Indexed attributes            Non-indexed attributes
DN (Distinguished Name)       userAccountControl
CN (Common Name)              dnsHostName
UPN                           operatingSystem
SPN                           operatingSystemServicePack
                              operatingSystemVersion

For a large AD/LDAP, a lookup on non-indexed attributes can take a long time!

How do I ensure the local PSN is connecting to the local AD controller?

AD Sites & Services

Without Sites & Services: the PSN in Site X and the PSN in Site Y each ask "Which AD server should I connect to?" and may end up on AD X or AD Y regardless of where they sit.

Properly configured Sites & Services: each PSN says "I will communicate with the local AD server" (Site X -> AD X, Site Y -> AD Y).

They are independent

Machine Authentication
 1. Machine boots up
 2. Interface becomes active (not authenticated)
 3. 802.1X authentication starts
 4. Machine sends its credential:
    - EAP-TLS: machine certificate (the supplicant may prefix the identity with host/)
    - PEAP-MSCHAPv2: the machine account password shared with Windows AD
    - EAP-FAST: machine authentication name prefixed with host/

User Authentication
When a user logs on to the machine, the supplicant sends an EAPOL-Start to notify the access point or switch that a new authentication is being performed. The EAP-TLS, PEAP-MSCHAPv2 or EAP-FAST authentication that follows is done with the user's credential.

What is Machine Access Restriction (MAR)?

Machine Access Restriction (MAR)

Without MAR there is no way to deny access for a user-only authentication: machine and user authentications are independent RADIUS authentications, so a valid AD user logging in from a machine that never authenticated (a non-domain laptop, for example) is accepted just like a user on a domain-joined PC. MAR ties the user authentication to a recent successful machine authentication from the same endpoint.

Use cases to plan for: On-premise PC re-imaging, Bulk PC re-imaging
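To make the user-only gap concrete, here is an added example (not ISE code, and not from the deck) of MAR modelled as a cache keyed on the endpoint MAC: a successful machine authentication (identity prefixed host/, as the slide describes) records the MAC, and a later user authentication from that MAC is only fully permitted while the entry is within the aging time. The decisions 'permit' / 'limited' / 'reject', the aging time and the sample MACs are assumptions of this example; in ISE the equivalent is an authorization condition on whether the machine was authenticated.

```python
"""Machine Access Restriction (MAR) modelled as a cache keyed on the
endpoint MAC.

Added example, not ISE code: a simplified model of what MAR does so the
user-only authentication gap is visible. The outcomes 'permit' /
'limited' / 'reject' and the aging time are assumptions of the example."""


def is_machine_identity(identity):
    """Windows supplicants prefix machine identities with host/ (PEAP and
    EAP-FAST; EAP-TLS may do the same), which is how a machine
    authentication is told apart from a user authentication."""
    return identity.startswith("host/")


class MarCache:
    def __init__(self, aging_seconds=6 * 3600):
        self.aging = aging_seconds
        self._last_machine_auth = {}   # MAC -> time of last successful machine auth

    def machine_authenticated(self, mac, now):
        """True while a machine auth for this MAC is within the aging window."""
        t = self._last_machine_auth.get(mac.lower())
        return t is not None and now - t <= self.aging

    def on_auth_result(self, mac, identity, credential_ok, now):
        """Process one authentication result (machine or user) for the MAC.
        Returns (decision, reason)."""
        mac = mac.lower()
        if not credential_ok:
            return ("reject", "credential check failed for " + identity)
        if is_machine_identity(identity):
            self._last_machine_auth[mac] = now
            return ("permit", "machine authenticated, MAR entry created")
        # User authentication. Without MAR this would be a plain permit, and a
        # valid AD user on a laptop that never did machine auth would get in.
        if not self.machine_authenticated(mac, now):
            return ("limited", "no machine authentication within aging time for " + mac)
        return ("permit", "user authenticated on a machine-authenticated endpoint")
```

Two failure modes follow directly from the model and apply to a real deployment as well: a machine that stays up longer than the aging time has its entry expire while the user is still logged on, and a cache that is local to one PSN gives a false "not machine authenticated" answer when the user authentication lands on a different PSN than the machine authentication did, so PSN placement and load balancing need to be checked before MAR is enforced.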

Use cases that need their own AuthC / AuthZ treatment: On-premise PC re-imaging, Remote Support, Bulk PC re-imaging, PXE Boot

Authorization rule set extended with the new use cases

Use case                AuthC Method                ID Store         AuthZ Conditions     P
Employee / Machine      PEAP-MSCHAPv2               AD               AD security group    F
Contractor              EAP-FAST-GTC                LDAP             AD security group    L
Guest                   Central Web Authentication  ISE - Internal   ISE Guest group      Ia
Supplicantless devices  MAB                         ISE - Internal   Profiled group       F
IP Phone / LWAP         MAB                         ISE - Internal   Profiled group       F
VPN                     Token                       SecurID          -                    F
PC Re-Image             MAB                         ISE - Internal   Manual Whitelist     L
Remote Support          Central Web Authentication  AD               AD security group    L

Deployment Phases

Deployment planning dimensions
- Access: VPN, Wired, Wireless
- User Type: Guest, Contractors, Employees
- Location: Conference Rooms, Campus LAN, Remote Offices

Deployment modes: Monitor Mode (low risk) -> Low-Impact Mode -> Closed Mode (high risk)

A Process, Not just a Command

Monitor Mode

Pre-AuthC: Permit All (EAPoL, DHCP, TFTP, HTTP, KRB5 and everything else)
Post-AuthC: Permit All
Traffic is always allowed, whatever the authentication result.

Interface config:

  interface GigabitEthernet1/0/1
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator

Enables 802.1X authentication on the port, but because of "authentication open" even a failed authentication will get access. This allows network admins to see who would have failed, and fix it, before causing a denial of service. Address risks before enforcement. Per-port state can be checked with "show authentication sessions interface GigabitEthernet1/0/1", which lists the method and status of every endpoint on the port.

If Authentication is Valid, then Full Access!

Monitor Mode is a loop: Monitor ISE logs -> Address supplicant issues -> Add new profiles -> Update the MAB list -> repeat. Advance to Low-Impact / Closed mode only once authentications show a consistently high success rate.
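In monitor mode every endpoint keeps its access, so the ISE log is the only place where a future denial shows up. The following Python is an added example (not from the deck, and not ISE's report format) of the readiness check behind the loop above: it reads a constructed, simplified CSV of authentication results, lists the endpoints that would lose access when the port moves to Low-Impact or Closed mode, and maps each to the remediation step from the loop (fix the supplicant if 802.1X was attempted, otherwise whitelist or profile the MAC for MAB). The sample log lines, the column layout and the 95 % threshold are assumptions of the example.

```python
"""Monitor-mode readiness check over constructed ISE-style authentication
records. Added example, not from the Cisco deck; the record format is a
simplified CSV, not ISE's RADIUS authentication report."""
from collections import defaultdict

# Constructed sample records (not ISE output):
# timestamp,MAC,identity,method,result,reason
SAMPLE_LOG = """\
2012-10-09T09:00:01,00:11:22:33:44:01,alice,dot1x,PASS,
2012-10-09T09:00:04,00:11:22:33:44:02,host/pc2,dot1x,FAIL,supplicant timeout
2012-10-09T09:00:05,00:11:22:33:44:02,00-11-22-33-44-02,mab,FAIL,unknown MAC
2012-10-09T09:00:09,00:11:22:33:44:03,00-11-22-33-44-03,mab,PASS,
2012-10-09T09:00:12,00:11:22:33:44:04,00-11-22-33-44-04,mab,FAIL,unknown MAC
2012-10-09T09:05:01,00:11:22:33:44:01,alice,dot1x,PASS,
2012-10-09T09:10:04,00:11:22:33:44:02,host/pc2,dot1x,FAIL,supplicant timeout
"""


def parse_records(text):
    """Parse the CSV into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, mac, identity, method, result, reason = line.split(",", 5)
        records.append({"ts": ts, "mac": mac.lower(), "identity": identity,
                        "method": method, "result": result, "reason": reason})
    return records


def endpoint_summary(records):
    """Group by MAC: methods tried, whether any attempt passed, failure reasons."""
    summary = defaultdict(lambda: {"methods": set(), "passed": False, "reasons": set()})
    for r in records:
        e = summary[r["mac"]]
        e["methods"].add(r["method"])
        if r["result"] == "PASS":
            e["passed"] = True
        else:
            e["reasons"].add(r["method"] + ": " + r["reason"])
    return dict(summary)


def would_lose_access(records):
    """Endpoints with no successful authentication at all: these keep access
    in monitor mode but are denied (or limited) once enforcement starts.
    Each is mapped to the remediation step from the deployment loop."""
    out = {}
    for mac, e in endpoint_summary(records).items():
        if e["passed"]:
            continue
        action = ("fix supplicant" if "dot1x" in e["methods"]
                  else "add to MAB whitelist or profile")
        out[mac] = (action, sorted(e["reasons"]))
    return out


def success_rate(records):
    """Share of endpoints that authenticated at least once. Counted per
    endpoint, not per attempt, so one chatty failing host cannot skew it."""
    s = endpoint_summary(records)
    return sum(1 for e in s.values() if e["passed"]) / len(s) if s else 0.0


def ready_for_enforcement(records, threshold=0.95):
    """Gate for advancing past monitor mode (threshold is an assumption)."""
    return success_rate(records) >= threshold
```

Run against the sample, two of four endpoints never pass, so the check reports a 50 % endpoint success rate, names the two MACs with their remediation, and refuses to declare the port ready; in practice the same function runs over the exported ISE log for the whole switch before the interface template is changed.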

Low-Impact Mode: If Authentication is Valid, then Full or Specific Access!

Monitor Mode plus an ACL to limit traffic flow. AuthC success = Full Access. A failed AuthC would only be able to communicate with certain services; WebAuth for the non-authenticated.

Pre-AuthC: Permit Some (the port ACL lets through what an unauthenticated host needs, e.g. DHCP and TFTP)
Post-AuthC: Permit All

Interface config:

  interface GigabitEthernet1/0/1
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator
   ip access-group default-ACL in

Low-Impact Mode with role-specific authorization

AuthC success = role-specific access: dVLAN assignment / dACLs (a specific dACL or dVLAN per role) or Secure Group Access (SGT). Still allows pre-AuthC access for thin clients, PXE, etc. WebAuth for the non-authenticated.

Pre-AuthC: Permit Some (DHCP, TFTP, ...)
Post-AuthC: Role-Based ACL or SGT (e.g. a role that is additionally allowed RDP)

Interface config:

  interface GigabitEthernet1/0/1
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator
   ip access-group default-ACL in

Closed Mode: No Access prior to Login, then Full or Specific Access!

Default 802.1X behavior: no access at all prior to AuthC (only EAPoL is permitted). Still use all AuthZ enforcement types: dACL, dVLAN, SGA. Must take considerations for thin clients, PXE, etc., which need DHCP/TFTP before they have any credential to present.

Pre-AuthC: Permit EAP only
Post-AuthC: Permit All, or Role-Based ACL / SGT (TrustSec)

Interface config (no "authentication open"):

  interface GigabitEthernet1/0/1
   authentication host-mode multi-auth
   authentication port-control auto
   mab
   dot1x pae authenticator

(Summary figure: 802.1X, MACSec, SGA, AnyConnect; ISE Profiling, Posture, Guest; Who / How / When / Where / What; Monitor)

ISE ATP Portal: http://ciscosecurityatp.com/

Resources

- Cisco Partner ISE Resources: http://cisco.com/go/isepartner
- ISE ATP HLD Webinar: https://communities.cisco.com/docs/DOC-27689
- ISE HLD Help Alias (US): [email protected]
- ATP requirements and guidelines for ISE: http://www.cisco.com/web/partners/partner_with_cisco/channel_partner_program/resale/atp/ise.html
- Sales Acceleration Center (SAC) for HLD submissions: sac-support@cisco
- SAMPG Partner Team: Sheila Rone [email protected], Nguyen [email protected]
- ISE Security Basics: https://communities.cisco.com/docs/DOC-30718
- ISE Best Practices VoD - PVT Express 2010-2012 - Replays and Pr: https://communities.cisco.com/docs/DOC-18350
- 802.1X Training on PEC:
  http://tools.cisco.com/pecx/login?URL=searchOffering%3FcourseId=00028869
  http://tools.cisco.com/pecx/login?URL=searchOffering%3FcourseId=00028870
  http://tools.cisco.com/pecx/login?URL=searchOffering%3FcourseId=00028851
- Team MIDAS Wireless ISE and BYOD classes:
  Tech Sessions: http://cisco.cvent.com/d/ccqs4s
  Hands-On Lab Sessions: http://cisco.cvent.com/d/kcqs43
  Lab Guide: https://communities.cisco.com/docs/DOC-30944
- ISE Product: http://www.cisco.com/go/ise
- TrustSec: http://www.cisco.com/go/trustsec
- ISE 1.1.1 Demos: https://communities.cisco.com/community/partner/borderlessnetworks/security
- dCloud BYOD Hosted Demos: http://www.cisco.com/go/byoddemo
- Free NFR Lab Software for Partners (1.1.1 Update Coming Soon): Cisco Marketplace - $24.95 VMware image, perpetual license, 20 endpoints: http://cisco.mediuscorp.com/ise
- PDI Helpdesk: http://www.cisco.com/go/pdihelpdesk; program-related questions: [email protected]
- Your Cisco PDM and CSE