© 2012 Cisco and/or its affiliates. All rights reserved.
UA Roadshows — One Policy: ISE and TrustSec
Nov 8, 2012
Bob Sayle
Principal Systems Engineer
Session Agenda
Need for Contextual Access Policy
BYOD with Cisco ISE
Security Group Access and TrustSec
Cisco Access Device
ISE Under the Hood
The Need For Contextual Access Policy
The Burden Falls on IT
Top-of-Mind Concerns to Enable BYOD
• How do we control and segment the device and users?
• How do we provide consistent policy across the network?
• How do we simplify the security in the BYOD process?
Policy Access Control - Enabling BYOD
BYOD On-Boarding: zero-touch registration and provisioning of employee/guest devices
Consistent Network-wide Security: compliance including 802.1X ports, untrusted device access denial
Unified Policy-based Management: policy-based governance, contextual control, guest lifecycle management
Verticals: Technology, Utility, Energy, Healthcare, Higher Ed, Secondary Ed
Allowing Users To Safely Go Where They Are Allowed To Go -- From Anywhere: visibility and contextual control across the network while blocking untrusted access -- user authentication, device profiling, posture, location, access method
Applying Network Policy to Users from Entry to Destination (E2E): a control plane from the access layer through the data center that is topology independent; a policy platform for unified access, DC switches and firewalls with ecosystem APIs
Getting BYOD Devices On-Net Without Wasting Their Time: a zero-touch portal automates identity, profiling and provisioning, tied to the user's identity, to get them quickly and securely on-net while saving IT time.
Meet Cisco ISE*
Policy Management Solution
Unified Network Access Control
Turnkey BYOD Solution
1st System-wide Solution: deep network integration
System-wide Policy Control from One Screen
Award-winning product: 2012 Cisco Pioneer Award
Over 400 Trained and Trusted ATP Partners
* Pronounced "ICE". Stands for Identity Services Engine, but just call it Cisco ISE.
One Policy Platform: Components
Policy Management: Identity Services Engine (ISE), Prime Infrastructure
Policy Context: Corporate Assets, Personal Devices, Non-User Devices, User Identity
Policy Information: Posture from NAC/AnyConnect Agent, Profiling from Cisco Infrastructure, User Directory
Policy Enforcement: Cisco Infrastructure (Switches, Wireless Controllers, Firewalls, Routers)
One Policy Platform: Use Cases
Authentication Services: "I only want to allow the 'right' users and devices on my network"
Authorization Services: "I want users and devices to receive appropriate network services"
Guest Lifecycle Management: "I want to allow guests into the network and control their behavior"
Profiling and BYOD Services: "I need to allow/deny iPads in my network (BYOD)"
Posture Services: "I want to ensure that devices on my network are clean"
TrustSec SGA: "I need a scalable way of enforcing access policy across the network"
One Policy, One Management, One Network
BYOD with Cisco ISE
Simplified BYOD with Cisco ISE
Reduced burden on help desk staff and on IT staff; intuitive management for end users
• Device on-boarding: self registration, certificate and supplicant provisioning
• Seamless, intuitive end-user experience
• Supports Windows, Mac OS X, iOS, Android
• My Devices Portal: register, blacklist, manage
• Guest Sponsorship Portal
But What About MDM?*
ISE (Device Access Control):
• Device Identity
• BYOD On-boarding
• Device Access Control
MDM (Mobile Device Security Control):
• Device Compliance
• Mobile Application Management
• Data Security Controls
Best Practice: MDM cannot "see" non-registered devices to enforce device security, but the network can!
* Mobile Device Manager
BYOD Flow: Single SSID
Components: Personal Asset, Access Point, Wireless LAN Controller, ISE, AD/LDAP. SSID: BYOD-Secure
• User connects to the secure SSID
• PEAP: username/password
• Redirected to Provisioning Portal
• User registers device, downloads certificate, downloads supplicant config
• User reconnects using EAP-TLS
BYOD Flow: Dual SSID
Components: Personal Asset, Access Point, Wireless LAN Controller, ISE, AD/LDAP. SSIDs: BYOD-Open, BYOD-Secure
• User connects to the open SSID
• Redirected to WebAuth portal
• User enters employee or guest credentials
• Guest signs AUP and gets Guest access
• Employee registers device, downloads certificate, downloads supplicant config
• Employee reconnects to the secure SSID using EAP-TLS
BYOD Demo: A Retail Environment
Security Group Access
User and Device Roles
User and device roles: Unregistered Device, Employee, Management, Credit Card Scanners
Device classes: Any Device, Registered Device, Corporate Device
Resources: General Web Server, Employee News Portal, Employee Time Card Application, Credit Card Server, Manager Portal
Policy Definition for Roles
Resources: General Web Server, Employee News Portal, Employee Time Card Application, Credit Card Server, Manager Portal
Device classes: Any Device, Registered Device, Corporate Device
Role and policy definition:
• Unregistered Device: Public SSID
• Employee: Corporate SSID; member of group "Employee"; certificate matches endpoint
• Management: Corporate SSID; member of groups Employee and Manager; certificate matches endpoint
• Credit Card Scanners: Credit_Card SSID; member of group "Credit_Scanners"; profiled as "iphone"
Policy Definition Inside ISE
Inside ISE: Management Policy
• Employee Registered
• SSID Access: Corporate-wifi
• AD Group: "Management"
Inside ISE: Credit Card Scanner Policy
• Certificate Required
• Profiled as an iPhone
• AD Group: "Credit Card Scanners"
• SSID Access: cc-secure-wifi
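The following is an added example, not code from the deck or from Cisco ISE: a first-match authorization engine in the spirit of the rules on the slides above (Credit Card Scanner, Management, Employee, Unregistered Device). The Session attribute names, the group and SSID strings, the SGT names in the results and the sample sessions are assumptions for this example, not ISE's real attribute dictionary. It shows two things the slides only state: why rule order matters (a manager is also an employee) and what "certificate matches endpoint" has to check for a copied BYOD certificate to fail.

```python
"""Added example (not Cisco code): first-match authorization in the style of
the ISE rules on the slides.  All attribute names, strings and sample sessions
are assumptions for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Assumed context ISE would hold for one RADIUS session."""
    ssid: str
    mac: str                                       # Calling-Station-Id
    ad_groups: FrozenSet[str] = frozenset()        # groups from AD/LDAP
    profile: Optional[str] = None                  # profiler result, e.g. "iPhone"
    eap_method: str = "PEAP"                       # PEAP before on-boarding, EAP-TLS after
    cert_san_mac: Optional[str] = None             # MAC placed in the BYOD cert's SAN
    registered_macs: FrozenSet[str] = frozenset()  # endpoints registered in My Devices


def cert_matches_endpoint(s: Session) -> bool:
    """The slides' 'Certificate matches endpoint' condition: the session must use
    EAP-TLS, the certificate's SAN must carry the MAC actually on the wire, and
    that MAC must be a registered endpoint.  A certificate copied to another
    device fails because SAN MAC != Calling-Station-Id."""
    return (s.eap_method == "EAP-TLS"
            and s.cert_san_mac is not None
            and s.cert_san_mac.lower() == s.mac.lower()
            and s.mac.lower() in s.registered_macs)


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Session], bool]
    result: Dict[str, str]   # what the NAD receives: SGT, redirect, etc.


# Ordered like an ISE authorization policy: first match wins, so the more
# specific Management rule must sit above Employee (managers are employees too).
RULES = [
    Rule("Credit Card Scanner",
         lambda s: s.ssid == "cc-secure-wifi"
         and "Credit Card Scanners" in s.ad_groups
         and s.profile == "iPhone"
         and cert_matches_endpoint(s),
         {"sgt": "CC_Scanner_SGT"}),
    Rule("Management",
         lambda s: s.ssid == "Corporate-wifi"
         and {"Employee", "Management"} <= s.ad_groups
         and cert_matches_endpoint(s),
         {"sgt": "Management_SGT"}),
    Rule("Employee",
         lambda s: s.ssid == "Corporate-wifi"
         and "Employee" in s.ad_groups
         and cert_matches_endpoint(s),
         {"sgt": "Employee_SGT"}),
    # Single-SSID flow: a valid PEAP login without a matching certificate is an
    # unregistered device and only gets the provisioning portal.
    Rule("Unregistered Device",
         lambda s: s.ssid == "Corporate-wifi"
         and "Employee" in s.ad_groups
         and not cert_matches_endpoint(s),
         {"sgt": "Unregist_Dev_SGT", "redirect": "BYOD provisioning portal"}),
]


def authorize(session: Session) -> Tuple[str, Dict[str, str]]:
    """Return (rule name, result) of the first matching rule, else a default reject."""
    for rule in RULES:
        if rule.matches(session):
            return rule.name, rule.result
    return "Default", {"access": "reject"}


# Constructed sample sessions.
REGISTERED = frozenset({"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"})
MANAGER_TLS = Session("Corporate-wifi", "aa:bb:cc:dd:ee:01",
                      frozenset({"Employee", "Management"}), None,
                      "EAP-TLS", "AA:BB:CC:DD:EE:01", REGISTERED)
MANAGER_PEAP = Session("Corporate-wifi", "aa:bb:cc:dd:ee:09",
                       frozenset({"Employee", "Management"}), None,
                       "PEAP", None, REGISTERED)
# The manager's certificate presented from a different MAC.
STOLEN_CERT = Session("Corporate-wifi", "aa:bb:cc:dd:ee:55",
                      frozenset({"Employee"}), None,
                      "EAP-TLS", "aa:bb:cc:dd:ee:01", REGISTERED)
SCANNER = Session("cc-secure-wifi", "aa:bb:cc:dd:ee:02",
                  frozenset({"Credit Card Scanners"}), "iPhone",
                  "EAP-TLS", "aa:bb:cc:dd:ee:02", REGISTERED)
ANDROID_SCANNER = Session("cc-secure-wifi", "aa:bb:cc:dd:ee:02",
                          frozenset({"Credit Card Scanners"}), "Android",
                          "EAP-TLS", "aa:bb:cc:dd:ee:02", REGISTERED)

if __name__ == "__main__":
    for label, s in [("manager/EAP-TLS", MANAGER_TLS), ("manager/PEAP", MANAGER_PEAP),
                     ("stolen cert", STOLEN_CERT), ("scanner", SCANNER),
                     ("android scanner", ANDROID_SCANNER)]:
        print(f"{label:16} -> {authorize(s)}")
```

The stolen-certificate session lands in "Unregistered Device" rather than "Employee": the certificate is valid, but its SAN names a different MAC than the one in the session, so the device is sent back to the provisioning portal instead of being given employee access. The Android scanner falls through to the default reject because the profile condition fails and no other rule covers that SSID.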
Enforcement: VLANs or ACLs (assigned via 802.1X)
ACL Architecture: hard to maintain; 100s-1000s of ACEs
VLAN Architecture: scaling concerns; highly topology dependent
Enforcement: Security Group Access (SGA)
User and device role, ingress tag, and SGA tag policy:
• Unregistered Device (Unregist_Dev_SGT): Public SSID
• Employee (Employee_SGT): Corporate SSID; member of group "Employee"; certificate matches endpoint
• Management (Management_SGT): Corporate SSID; member of groups Employee and Manager; certificate matches endpoint
• Credit Card Scanners (CC_Scanner_SGT): Credit_Card SSID; member of group "Credit_Scanners"; profiled as "iphone"
Cisco ISE assigns the tag (e.g. Employee, Manager, Finance) from context: who, what, where, when, how
SGA Inside ISE
Security groups defined: Employee TAG, Manager TAG, Credit Card Scanner TAG
SGA Enforced at ASA Firewall
Policy shown: Manager TAG to Credit Card Scanner TAG
SGA Enforced on Switches
TrustSec Scalable Context Aware Enforcement
SGA Policy Enforcement Flow
Security Group Based Access Control
• ISE maps tags (SGTs) to user and device identity
• ISE authorization policy pushes the SGT to the ingress NAD (switch/WLC)
• ISE authorization policy pushes the ACL (SGACL) to the egress NAD (ASA or Nexus)
Example: a manager with a registered device ("I registered my device, I'm a manager") is assigned Manager SGT = 100. Destinations: Time Card application (SGT = 4), Credit card scanner (SGT = 10).
SGACL (source \ destination):
• Manager (100) to Time card (4): Access
• Manager (100) to Credit card (10): No access
Migrating to Security Group Access: SGT eXchange Protocol (SXP)
Security Group Access protocol for transporting IP-to-SGT bindings through a core that cannot carry SGTs
Same flow as the previous slide: the manager with a registered device is assigned Manager SGT = 100; Time Card (SGT = 4); Credit card scanner (SGT = 10); SGACL: Manager (100) to Time card: Access; Manager (100) to Credit card: No access.
The ingress device learns the binding and sends it over SXP to the enforcement point, which then classifies traffic by source IP:
IP Address 10.1.100.3 -> SGT 100
Cisco ISE
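The decision the egress device makes in the two slides above, as an added example that is not code from the deck or from any Cisco product: an IP-to-SGT binding table of the kind SXP carries across a non-SGT core, an SGACL matrix, and the per-flow lookup that combines them. Tag values 4 (Time Card), 10 (Credit card scanner) and 100 (Manager) and the 10.1.100.3 binding are from the slides; the server prefixes, the Unknown tag value 0, the SXP peer name and the per-cell ACEs are constructed for this example.

```python
"""Added example (not Cisco code): SGT classification from IP-SGT bindings
(as distributed by SXP) plus SGACL matrix enforcement at the egress device.
Server prefixes, peer names, Unknown = 0 and the ACEs are constructed."""
import ipaddress
from typing import Dict, List, Tuple

UNKNOWN_SGT = 0          # assumed value for a source with no binding

# SGT names as ISE would define them (values from the slides)
SGT = {"Unknown": 0, "Time_Card": 4, "CC_Scanner": 10, "Manager": 100}


class BindingTable:
    """IP/prefix -> SGT bindings with longest-prefix match, as a switch or ASA
    learns them from SXP speakers or static configuration."""

    def __init__(self) -> None:
        self._entries: List[Tuple[ipaddress.IPv4Network, int, str]] = []

    def learn(self, prefix: str, sgt: int, source: str) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        self._entries.append((net, sgt, source))
        # most specific prefix first
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip: str) -> int:
        addr = ipaddress.ip_address(ip)
        for net, sgt, _ in self._entries:
            if addr in net:
                return sgt
        return UNKNOWN_SGT


def apply_sxp_update(table: BindingTable, peer: str,
                     bindings: List[Tuple[str, int]]) -> None:
    """Install host bindings received from an SXP speaker.  The speaker
    (ingress switch/WLC) got the SGT from the RADIUS authorization and the
    address from its own IP-to-MAC tracking of the session."""
    for ip, sgt in bindings:
        table.learn(f"{ip}/32", sgt, f"SXP:{peer}")


# SGACL matrix cell -> ordered ACEs (proto, dst_port, action); "*" is any.
# Cells absent from the matrix get DEFAULT_ACE (deny here, so a missing
# binding or an unplanned pair fails closed).
ACE = Tuple[str, object, str]
SGACL: Dict[Tuple[int, int], List[ACE]] = {
    (100, 4):  [("tcp", 443, "permit"), ("*", "*", "deny")],  # Manager -> Time card: Access
    (100, 10): [("*", "*", "deny")],                          # Manager -> Credit card: No access
}
DEFAULT_ACE: List[ACE] = [("*", "*", "deny")]


def enforce(table: BindingTable, src_ip: str, dst_ip: str,
            proto: str, dport: int) -> Tuple[str, int, int]:
    """Classify both ends by SGT, walk the cell's ACEs, return (action, src_sgt, dst_sgt)."""
    src, dst = table.lookup(src_ip), table.lookup(dst_ip)
    for p, port, action in SGACL.get((src, dst), DEFAULT_ACE):
        if p in ("*", proto) and port in ("*", dport):
            return action, src, dst
    return "deny", src, dst


def build_table() -> BindingTable:
    t = BindingTable()
    # Static bindings for the server side, configured on the egress device.
    t.learn("10.1.4.0/24", SGT["Time_Card"], "static")
    t.learn("10.1.10.0/24", SGT["CC_Scanner"], "static")
    # Host binding learned from the access switch over SXP (slide: 10.1.100.3 -> 100).
    apply_sxp_update(t, "access-sw-1", [("10.1.100.3", SGT["Manager"])])
    return t


if __name__ == "__main__":
    table = build_table()
    for flow in [("10.1.100.3", "10.1.4.20", "tcp", 443),
                 ("10.1.100.3", "10.1.10.5", "tcp", 443),
                 ("10.1.100.77", "10.1.4.20", "tcp", 443)]:
        print(flow, "->", enforce(table, *flow))
```

The third flow is the practical point of SXP: the source 10.1.100.77 has no binding at the egress device, so it is classified as Unknown and the Manager cell is never consulted. That only fails closed because the default cell is deny; an SXP peering that drops, or an ingress device that never exports its bindings, turns authorized users into Unknown sources, so binding counts on the enforcement point are worth monitoring.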
Cisco Access Devices: Leading the Industry by Providing Added Value
Industry Leading Identity Features
A Cisco Catalyst switch (network device) authenticates IP phones, authorized users, guests and tablets using 802.1X, MAB and WebAuth.
Authentication features and identity differentiators:
• Monitor Mode: unobstructed access; no impact on productivity; gain visibility
• Flexible Authentication Sequence: enables a single configuration for most use cases; flexible fallback mechanisms and policies
• Rich and Robust 802.1X
• IP Telephony Support for Virtual Desktop Environments: single-host mode; multihost mode; multiauth mode; multidomain authentication
• Critical Data/Voice Authentication: business continuity when the AAA server is unreachable
EAP Chaining
Machine and user credentials are validated against the AD database over RADIUS. Instead of a separate machine authentication and user authentication, one authentication carries both identity types, so the user authentication includes both the user and the machine identity.
• EAP Chaining ties both the machine and user credentials to the device, proving that the authenticated user is on a corporate asset
Use cases:
• Restrict use of personal laptops on a corporate network
• Corporate mandates where a corporate asset must be used and the user must be authorized
Device Sensor: Automated Device Classification Using Cisco Infrastructure
Device profiling for wired and wireless networks: the switch or access point collects CDP, LLDP, DHCP and MAC data from attached devices (e.g. a printer, a personal iPad) and sends it to ISE, which applies policy (printer: place on VLAN X; personal iPad: restricted access).
Deployment scenario with Cisco Device Sensors:
• Collection: the switch collects device-related data and sends a report to ISE
• Classification: ISE classifies the device, collects flow information and provides a device usage report
• Authorization: ISE executes policy based on user and device
The solution: efficient device classification leveraging the infrastructure
Supported platforms: IOS 15.0(1)SE1 for Cat 3K; IOS 15.1(1)SG for Cat 4K; WLC 7.2 MR1 (DHCP data only); ISE 1.1.1
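An added example, not code from the deck or from ISE, of the classification step: scoring a sensor report (CDP, LLDP, DHCP, MAC OUI attributes) against profiles made of weighted conditions with a minimum certainty, which is the general approach ISE's profiler takes. The OUI table, the conditions, their weights, the thresholds, the DHCP fingerprint string and the sample reports are all constructed for this example and are not ISE's shipped profiling policies.

```python
"""Added example (not Cisco code): weighted-certainty device profiling over
Device Sensor style attributes.  OUIs, conditions, weights, thresholds and
sample reports are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Report = Dict[str, str]

# Stand-in OUI table (constructed); real profiling uses the IEEE OUI list.
OUI_VENDOR = {"00:1b:54": "Cisco", "3c:07:54": "Apple", "00:17:a4": "Hewlett-Packard"}


def oui_vendor(r: Report) -> str:
    return OUI_VENDOR.get(r.get("mac", "")[:8].lower(), "")


def attr_contains(attr: str, needle: str) -> Callable[[Report], bool]:
    """Case-insensitive substring test on one reported attribute."""
    return lambda r: needle.lower() in r.get(attr, "").lower()


@dataclass(frozen=True)
class Condition:
    description: str
    test: Callable[[Report], bool]
    certainty: int          # added to the profile score when the test holds


@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int      # score needed before the profile is assigned
    conditions: List[Condition]


PROFILES = [
    Profile("Cisco-IP-Phone", 30, [
        Condition("CDP platform names an IP phone", attr_contains("cdp_platform", "IP Phone"), 30),
        Condition("DHCP class id names an IP phone", attr_contains("dhcp_class_id", "IP Phone"), 20),
        Condition("OUI is Cisco", lambda r: oui_vendor(r) == "Cisco", 10),
    ]),
    Profile("Apple-iPhone", 30, [
        Condition("DHCP hostname contains iPhone", attr_contains("dhcp_hostname", "iPhone"), 20),
        Condition("DHCP parameter request list matches (constructed fingerprint)",
                  lambda r: r.get("dhcp_param_list") == "1,121,3,6,15,119,252", 20),
        Condition("OUI is Apple", lambda r: oui_vendor(r) == "Apple", 10),
    ]),
    Profile("HP-Printer", 30, [
        Condition("DHCP class id is JetDirect", attr_contains("dhcp_class_id", "JetDirect"), 30),
        Condition("LLDP system description names a LaserJet", attr_contains("lldp_sysdesc", "LaserJet"), 20),
        Condition("OUI is HP", lambda r: oui_vendor(r) == "Hewlett-Packard", 10),
    ]),
]


def score(profile: Profile, r: Report) -> int:
    return sum(c.certainty for c in profile.conditions if c.test(r))


def classify(r: Report) -> Tuple[str, int]:
    """Highest-scoring profile that clears its own threshold, else Unknown."""
    best = ("Unknown", 0)
    for p in PROFILES:
        s = score(p, r)
        if s >= p.min_certainty and s > best[1]:
            best = (p.name, s)
    return best


# Constructed sensor reports, keyed by the source that collected each attribute.
PHONE = {"mac": "00:1b:54:aa:bb:cc", "cdp_platform": "Cisco IP Phone 7962",
         "dhcp_class_id": "Cisco Systems, Inc. IP Phone CP-7962G"}
IPHONE = {"mac": "3c:07:54:11:22:33", "dhcp_hostname": "Bobs-iPhone",
          "dhcp_param_list": "1,121,3,6,15,119,252"}
PRINTER = {"mac": "00:17:a4:44:55:66", "dhcp_class_id": "Hewlett-Packard JetDirect",
           "lldp_sysdesc": "HP LaserJet P3015"}
# A laptop spoofing an Apple OUI and an iPhone hostname, but with its own DHCP options.
SPOOFED = {"mac": "3c:07:54:de:ad:01", "dhcp_hostname": "my-iPhone",
           "dhcp_param_list": "1,3,6,15,31,33,43,44,46,47,119,121,249,252"}
UNKNOWN = {"mac": "02:00:00:00:00:01"}

if __name__ == "__main__":
    for label, r in [("phone", PHONE), ("iphone", IPHONE), ("printer", PRINTER),
                     ("spoofed", SPOOFED), ("unknown", UNKNOWN)]:
        print(f"{label:8} -> {classify(r)}")
```

The spoofed laptop still clears the iPhone threshold on OUI plus hostname alone, which is the caveat a practitioner needs: profiling classifies, it does not authenticate. That is why the Credit Card Scanner policy earlier in the deck requires the certificate and the AD group in addition to "profiled as an iPhone", and why cheaply spoofed attributes (OUI, hostname) deserve lower weights than those the device cannot easily fake.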
ISE Under The Hood
ISE Feature Demo
Tying It All Together: Contextual Access Control
Context attributes: Device Type, Location, User, Posture, Time, Access Method, Custom
What's the Cisco Advantage?
• Market Leader: NAC, AAA, VPN, FW - we know security
• Systems Solution vs. Overlay: deep integration vs. band-aids
• Commitment: extensive engineering is funded
• We are Ready: over 400 ATP partners vigorously trained
"TrustSec and ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Leader in Gartner NAC Magic Quadrant, Dec 2011
Fun Fact: Cisco has 4X more dedicated BYOD engineers than our competitors!
ISE - Securely Enabling BYOD
• Unified Policy Access Control
• Easy BYOD User Self Onboarding
• Consistent Security
• Contextual Policy and Access Control for Users and Guests
• Compliance: Regulatory, Government, Corporate
• Removes the IT Burden
Resources - Customers
• ISE Information: http://www.cisco.com/go/ise
• Cisco TrustSec: www.cisco.com/go/trustsec
• Application Notes and How-To Guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html