UA Roadshows— One Policy : ISE and TrustSec

Date post: 25-Feb-2016
Transcript
Page 1: UA Roadshows— One Policy : ISE and TrustSec

© 2012 Cisco and/or its affiliates. All rights reserved.

UA Roadshows—One Policy: ISE and TrustSec

Nov 8, 2012

Bob Sayle

Principal Systems Engineer

Page 2: UA Roadshows— One Policy : ISE and TrustSec

Session Agenda

Need for Contextual Access Policy

BYOD with Cisco ISE

Security Group Access and TrustSec

Cisco Access Device

ISE Under the Hood

Page 3: UA Roadshows— One Policy : ISE and TrustSec

The Need For Contextual Access Policy

Page 4: UA Roadshows— One Policy : ISE and TrustSec

The Burden Falls on IT

Top of Mind Concerns to enable BYOD

• How do we control and segment the device and users?

• How do we provide consistent policy across the network?

• How do we simplify the security in the BYOD process?

Page 5: UA Roadshows— One Policy : ISE and TrustSec

BYOD On-Boarding: Zero touch registration & provisioning of employee/guest devices

Consistent Network-wide Security: Compliance including 802.1X ports, untrusted device access denial

Unified Policy-based Management: Policy-based governance, contextual control, guest lifecycle mgmt

Technology Utility Energy Healthcare Higher Ed Secondary Ed

Policy Access Control - Enabling BYOD

Allowing Users To Safely Go Where They Are Allowed To Go -- From Anywhere
Visibility & contextual control across the network while blocking untrusted access -- user authentication, device profiling, posture, location, access method

Applying Network Policy to Users from Entry to Destination (E2E)
Control plane from access layer thru data center that is topology independent. Policy platform for unified access, DC switches & FWs with ecosystem APIs

Getting BYOD Devices On-Net Without Wasting Their Time
Zero-touch portal automates identity, profiling & provisioning tied to a user’s identity to get them quickly & securely on-net while saving IT time.

Page 6: UA Roadshows— One Policy : ISE and TrustSec

Policy Management Solution

Unified Network Access Control

Turnkey BYOD Solution

1st System-wide Solution

Deep network integration

System-wide Policy Control from One Screen

Award winning product! ’12 Cisco Pioneer Award

Over 400 Trained & Trusted ATP Partners

Meet Cisco ISE*

* Pronounced ‘ICE’. Stands for Identity Services Engine, but just call it Cisco ISE

Page 7: UA Roadshows— One Policy : ISE and TrustSec

One Policy Platform: Components

Policy Management: Identity Services Engine (ISE), Prime Infrastructure

Policy Context: Corporate Assets, Personal Devices, Non-User Devices, User Identity

Policy Information: Posture from NAC/AnyConnect Agent, Profiling from Cisco Infrastructure, User Directory

Policy Enforcement: Cisco Infrastructure: Switches, Wireless Controllers, Firewalls, Routers

Page 8: UA Roadshows— One Policy : ISE and TrustSec

One Policy Platform: Use Cases

Authentication Services: I only want to allow the “right” users and devices on my network

Authorization Services: I want users and devices to receive appropriate network services

Guest Lifecycle Management: I want to allow guests into the network and control their behavior

Profiling and BYOD Services: I need to allow/deny iPads in my network (BYOD)

Posture Services: I want to ensure that devices on my network are clean

TrustSec SGA: I need a scalable way of enforcing access policy across the network

One Policy, One Management, One Network

Jay Bhansali: Add Cisco Prime to the left with ISE to highlight One Policy tying in to One Management. Also do the same to add links from One Policy to One Network.
Page 9: UA Roadshows— One Policy : ISE and TrustSec

BYOD with Cisco ISE

Page 10: UA Roadshows— One Policy : ISE and TrustSec

Simplified BYOD with Cisco ISE

Reduced Burden on Help Desk Staff

Reduced Burden on IT Staff

Intuitive Management for End Users

• Device On-boarding
• Self Registration
• Certificate and Supplicant Provisioning
• Seamless intuitive end user experience
• Support Windows, MAC OS X, iOS, Android
• My Devices Portal—register, blacklist, manage
• Guest Sponsorship Portal

Page 11: UA Roadshows— One Policy : ISE and TrustSec

But What About MDM?*

ISE: Device Access Control
• Device Identity
• BYOD On-boarding
• Device Access Control

MDM: Mobile Device Security Control
• Device Compliance
• Mobile Application Management
• Data Security Controls

Best Practice
MDM cannot ‘see’ non-registered devices to enforce device security – but the network can!

* Mobile Device Manager

Page 12: UA Roadshows— One Policy : ISE and TrustSec

BYOD Flow: Single SSID

• User connects to Secure SSID
• PEAP: Username/Password
• Redirected to Provisioning Portal
• User registers device, downloads Certificate, downloads Supplicant Config
• User reconnects using EAP-TLS

Diagram: Personal Asset, Access Point (SSID BYOD-Secure), Wireless LAN Controller, ISE, AD/LDAP

Page 13: UA Roadshows— One Policy : ISE and TrustSec

BYOD Flow: Dual SSID

• User connects to Open SSID
• Redirected to WebAuth portal
• User enters employee or guest credentials
• Guest signs AUP and gets Guest access
• Employee registers device, downloads Certificate, downloads Supplicant Config
• Employee reconnects using EAP-TLS

Diagram: Personal Asset, Access Point (SSIDs BYOD-Open and BYOD-Secure), Wireless LAN Controller, ISE, AD/LDAP

Page 14: UA Roadshows— One Policy : ISE and TrustSec

A Retail Environment

BYOD Demo

Jay Bhansali: highlight PEAP to EAP-TLS. Talk about when authenticating with PEAP you have different dACL with limited access!! You have to belong to a group that has BYOD access!
Page 15: UA Roadshows— One Policy : ISE and TrustSec

Page 16: UA Roadshows— One Policy : ISE and TrustSec

Jay Bhansali: description of device is different from demo!!!
Page 17: UA Roadshows— One Policy : ISE and TrustSec

Security Group Access

Page 18: UA Roadshows— One Policy : ISE and TrustSec

User and Device Roles

User and Device Role: Unregistered Device, Employee, Management, Credit Card Scanners

Device Class: Any Device, Registered Device, Corporate Device

Resources: General Web Server, Employee News Portal, Employee Time Card Application, Credit Card Server, Manager Portal

Page 19: UA Roadshows— One Policy : ISE and TrustSec

Policy Definition for Roles

Resources: General Web Server, Employee News Portal, Employee Time Card Application, Credit Card Server, Manager Portal

Device Class: Any Device, Registered Device, Corporate Device

User and Device Role and its Policy Definition:

Unregistered Device: Public SSID

Employee: Corporate SSID, member of group “Employee”, certificate matches endpoint

Management: Corporate SSID, member of group Employee and Manager, certificate matches endpoint

Credit Card Scanners: Credit_Card SSID, member of group “Credit_Scanners”, profiled as “iphone”

Jay Bhansali: change Public access point to Open SSID; change Corp AP to Corp SSID / Secure SSID; change CC AP to CC SSID. Change employee to Contractor? Or allow manager access to Time card app.
Page 20: UA Roadshows— One Policy : ISE and TrustSec

Policy Definition Inside ISE

Page 21: UA Roadshows— One Policy : ISE and TrustSec

Inside ISE: Management Policy

Employee Registered

SSID Access: Corporate-wifi

AD Group: “Management”

Page 22: UA Roadshows— One Policy : ISE and TrustSec

Inside ISE: Credit Card Scanner Policy

Certificate Required

Profiled as an iPhone

AD Group: “Credit Card Scanners”

SSID Access: cc-secure-wifi

Page 23: UA Roadshows— One Policy : ISE and TrustSec

Enforcement: VLANs or ACLs

ACL Architecture: Hard to Maintain, 100s-1000s of ACEs

VLAN Architecture: Scaling Concerns, Highly topology dependent

802.1X

Page 24: UA Roadshows— One Policy : ISE and TrustSec

Enforcement: Security Group Access (SGA)

User and Device Role (Ingress Tag): SGA TAG Policy

Unregistered Device (Unregist_Dev_SGT): Public SSID

Employee (Employee_SGT): Corporate SSID, member of group “Employee”, certificate matches endpoint

Management (Management_SGT): Corporate SSID, member of group Employee and Manager, certificate matches endpoint

Credit Card Scanners (CC_Scanner_SGT): Credit_Card SSID, member of group “Credit_Scanners”, profiled as “iphone”

Diagram: Cisco ISE assigns tags such as Employee, Manager, Finance based on who, what, where, when, how

Page 25: UA Roadshows— One Policy : ISE and TrustSec

SGA Inside ISE

Employee TAG

Manager TAG

Credit Card Scanner TAG

Page 26: UA Roadshows— One Policy : ISE and TrustSec

SGA Enforced at ASA Firewall

Manager TAG Credit Card Scanner TAG

Jay Bhansali: Follow up with slide on switches
Page 27: UA Roadshows— One Policy : ISE and TrustSec

SGA Enforced on Switches

Page 28: UA Roadshows— One Policy : ISE and TrustSec

TrustSec Scalable Context Aware Enforcement

Page 29: UA Roadshows— One Policy : ISE and TrustSec

SGA Policy Enforcement Flow

Security Group Based Access Control
• ISE maps tags (SGT) with user identity
• ISE Authorization policy pushes SGT to ingress NAD (switch/WLC)
• ISE Authorization policy pushes ACL (SGACL) to egress NAD (ASA or Nexus)

Diagram: “I registered my device, I’m a manager” → Manager SGT = 100; destinations Time Card (SGT=4) and Credit card scanner (SGT=10); Cisco ISE pushes the policy

SGACL
SRC\DST        Time card   Credit card
Manager (100)  Access      No access

Page 30: UA Roadshows— One Policy : ISE and TrustSec

Migrating to Security Group Access: SGT eXchange Protocol (SXP)

Security Group Access Protocol for transport through a non-SGT core (Cisco Innovation)

Diagram: “I registered my device, I’m a manager” → Manager SGT = 100 at 10.1.100.3; destinations Time Card (SGT=4) and Credit card scanner (SGT=10); Cisco ISE pushes the policy

SGACL
SRC\DST        Time card   Credit card
Manager (100)  Access      No access

SXP binding table
IP Address   SGT
10.1.100.3   100
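The SGA flow on the two slides above (ISE classifies the session and assigns an SGT, the IP-to-SGT binding crosses a non-SGT core over SXP, and the egress device applies the SGACL matrix), as an added Python model that is not part of the Cisco deck. It assumes session context arrives as a dictionary; the rule conditions come from the Policy Definition slide and the Manager tag 100 and server tags 4 and 10 from the diagram, while the other SGT numbers and the unknown-binding default are constructed here.

```python
UNKNOWN_SGT = 0   # no IP-to-SGT binding learned: treated as untrusted (constructed)
SERVER_SGT = {"Time card": 4, "Credit card": 10}   # destination tags from the slides

# Authorization rules evaluated top-down; the first match assigns the ingress SGT.
# Conditions follow the "Policy Definition" slide. Manager = 100 is from the deck;
# the other SGT numbers are constructed for this example.
AUTHZ_RULES = [
    ("Management", 100, lambda s: s["ssid"] == "Corporate" and s["cert_match"]
        and {"Employee", "Manager"} <= s["groups"]),
    ("Employee", 5, lambda s: s["ssid"] == "Corporate" and s["cert_match"]
        and "Employee" in s["groups"]),
    ("Credit Card Scanners", 12, lambda s: s["ssid"] == "Credit_Card"
        and "Credit_Scanners" in s["groups"] and s["profile"] == "iphone"),
    ("Unregistered Device", 2, lambda s: s["ssid"] == "Public"),
]

# SGACL matrix keyed by (source SGT, destination SGT); unlisted pairs are denied.
SGACL = {(100, 4): "permit", (100, 10): "deny"}


def classify(session):
    """ISE authorization: session context (who/what/where/how) -> (rule, SGT)."""
    for name, sgt, matches in AUTHZ_RULES:
        if matches(session):
            return name, sgt
    return "Default", UNKNOWN_SGT


class EgressEnforcer:
    """Egress NAD (ASA/Nexus) behind a non-SGT core: it cannot read the tag from
    the frame, so it learns IP->SGT bindings over SXP and applies the SGACL."""

    def __init__(self):
        self.bindings = {}          # IP address -> SGT, as on the SXP slide

    def sxp_update(self, ip, sgt):
        self.bindings[ip] = sgt

    def decide(self, src_ip, dst_server):
        src_sgt = self.bindings.get(src_ip, UNKNOWN_SGT)
        return SGACL.get((src_sgt, SERVER_SGT[dst_server]), "deny")


def onboard(session, enforcer):
    """Ingress side: ISE classifies the session and the binding goes out via SXP."""
    name, sgt = classify(session)
    enforcer.sxp_update(session["ip"], sgt)
    return name, sgt
```

A source with no SXP binding (or an employee tag that has no row in the matrix) falls through to deny, which is the behaviour to check for when a core device drops SXP bindings during migration.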

Page 31: UA Roadshows— One Policy : ISE and TrustSec

Cisco Access Devices

Leading the Industry by Providing Added Value

Page 32: UA Roadshows— One Policy : ISE and TrustSec

Industry Leading Identity Features (Cisco Innovation)

Authentication Features: 802.1X, MAB, WebAuth

Diagram: Cisco Catalyst Switch with Network Devices, IP Phones, Authorized Users, Guests, Tablets

Identity Differentiators

Monitor Mode
• Unobstructed access
• No impact on productivity
• Gain visibility

Flexible Authentication Sequence
• Enables single configuration for most use cases
• Flexible fallback mechanism and policies

Rich and Robust 802.1X

IP Telephony Support for Virtual Desktop Environments
• Single host mode
• Multihost mode
• Multiauth mode
• Multidomain authentication

Critical Data/Voice Authentication
• Business continuity in case of failure

Page 33: UA Roadshows— One Policy : ISE and TrustSec

EAP Chaining

Machine and User Credentials Validated (AD Database, RADIUS)

Diagram: Machine Credentials → Machine Authentication; User Credentials → User Authentication (includes both user and machine identity types)

• EAP Chaining ties both the machine and user credentials to the device, thus the "owner" is using a corporate asset

Use Cases:
• Restrict use of personal laptops on a corporate network
• Corporate mandates where a corporate asset must be used and the user must be authorized.

Page 34: UA Roadshows— One Policy : ISE and TrustSec

Device Sensor: Automated Device Classification Using Cisco Infrastructure (Cisco Innovation)

DEVICE PROFILING for wired and wireless networks
Data sources: CDP, LLDP, DHCP, MAC

POLICY
Personal iPad Policy [restricted access]
Printer Policy [place on VLAN X]

Diagram: Printer, Personal iPad and Access Point connected to the switch, which reports to ISE

DEPLOYMENT SCENARIO WITH CISCO DEVICE SENSORS
COLLECTION: Switch Collects Device Related Data and Sends Report to ISE
CLASSIFICATION: ISE Classifies Device, Collects Flow Information and Provides Device Usage Report
AUTHORIZATION: ISE Executes Policy Based on User and Device

The Solution: Efficient Device Classification Leveraging Infrastructure

Supported Platforms:
IOS 15.0(1)SE1 for Cat 3K
IOS 15.1(1)SG for Cat 4K
WLC 7.2 MR1 - DHCP data only
ISE 1.1.1

Jay Bhansali: Add platform support info
Page 35: UA Roadshows— One Policy : ISE and TrustSec

ISE Under The Hood

Page 36: UA Roadshows— One Policy : ISE and TrustSec

ISE Feature Demo

Jay Bhansali: highlight PEAP to EAP-TLS. Talk about when authenticating with PEAP you have different dACL with limited access!! You have to belong to a group that has BYOD access!
Page 37: UA Roadshows— One Policy : ISE and TrustSec

Tying it All Together: Contextual Access Control

Device Type, Location, User, Posture, Time, Access Method, Custom

Page 38: UA Roadshows— One Policy : ISE and TrustSec

What’s the Cisco Advantage?

Market Leader: NAC, AAA, VPN, FW – we know security

Systems Solution vs. Overlay: Deep integration vs. band aids

Commitment: Extensive engineering is funded

We are Ready: Over 400 ATP partners vigorously trained

“TrustSec and ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today.” – Forrester 2011

Leader in Gartner NAC Magic Quadrant, Dec 2011

Fun Fact: Cisco has 4X more dedicated BYOD engineers than our competitors!

Page 39: UA Roadshows— One Policy : ISE and TrustSec

Unified Policy Access Control

Easy BYOD User Self Onboarding

Consistent Security

Contextual Policy & Access Control for Users & Guests

ISE – Securely Enabling BYOD

Compliance: Regulatory, Government, Corporate

Removes the IT Burden

Page 40: UA Roadshows— One Policy : ISE and TrustSec

Resources - Customers

• ISE Information: http://www.cisco.com/go/ise

• Cisco TrustSec: www.cisco.com/go/trustsec

• Application Notes and How-To Guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Page 41: UA Roadshows— One Policy : ISE and TrustSec
