Secure Access in WLAN (Bezpečný přístup ve WLAN) - Cisco

Transcription

Cisco Expo 2012: Secure Access in WLAN (Bezpečný přístup ve WLAN), session T-SECA5, Jaroslav Čížek, Cisco. Cisco Expo 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda:
- TrustSec, ISE, SGT, BYOD
- WLAN (& WIRED) 802.1X with Cisco ISE
- WLAN (& WIRED) Guest Access with Cisco ISE: Guest Access Needs, Managing and Provisioning Guest Accounts, Guest Portal, Guest Access Deployment, Monitoring
- Summary
Abstract: Network access security should be addressed uniformly for LAN and WLAN. How the centralized tools of ISE can be used to apply security policies on the wireless network, for both permanent and temporary access.

Brief summary of previous sessions

Agenda (section divider; same agenda as above)

Identifying a User or Endpoint
ISE authenticates a user and/or a machine. The endpoint speaks EAPoL to the network device, which relays the authentication to ISE over RADIUS; ISE checks the credential against a backend database: Active Directory, generic LDAP, PKI, a RADIUS token server (e.g. Safeword) or the ISE local DB. Credential types: user/password, RSA SecurID, certificate, token. Identity Source Sequences define the order in which the backend databases are queried.

Port-Based Access Control Using Authentication
Supplicant <-- EAP over LAN (EAPoL), Layer 2 point-to-point --> Authenticator <-- RADIUS, Layer 3 link --> Auth Server (ISE / ACS)
Beginning: EAPoL Start; EAPoL Request Identity; EAP-Response Identity: Alice; RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle: RADIUS Access-Challenge [AVP: EAP-Request PEAP]; EAP-Request: PEAP; EAP-Response: PEAP; RADIUS Access-Request [AVP: EAP-Response: PEAP]
End: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]; EAP Success
802.1X (EAPOL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms. When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or PEAP, which defines how the authentication takes place.

RFC 3576 (obsolete) and 5176: Change of Authorization
Initial authentication: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] from the auth server; EAP Success to the supplicant.
Change of Authorization: RADIUS CoA-Request from the auth server to the authenticator [VSA: subscriber: reauthenticate]; RADIUS CoA-Ack in reply.
Re-authentication: EAPoL Request Identity; EAP-Response Identity: Alice; RADIUS Access-Request [AVP: EAP-Response: Alice]; RADIUS Access-Challenge [AVP: EAP-Request PEAP]; EAP-Request: PEAP; EAP-Response: PEAP; RADIUS Access-Request [AVP: EAP-Response: PEAP]

Configuration

Default Network Access: Policy > Policy Elements > Results > Authentication

Policy - Authorization

ISE 1.1 Best Practice: Use RADIUS Attributes to Set VLAN (IETF Attributes)
The WLC interface/VLAN name must match Tunnel-Private-Grp-Id. On the switch (3560X# sh vlan) the VLAN name must match as well; the VLAN name comparison is case sensitive on the switch, but not on the WLC. Use the same IETF attributes to set the VLAN for wired and wireless.

Use VSA to Enforce ACL Name on WLC
WLC: VSA attribute; the ACL name must match and the ACL must be preconfigured on the WLC. Switch: IETF attribute; the ACL can be pre-configured or downloaded dynamically.

Allow ISE to Actively Enforce Policy Over Connected Endpoints (CoA)
Switch configuration:
aaa server radius dynamic-author
 client 10.100.7.20 server-key xxxxxxx
CoA is triggered dynamically when a scenario is matched:
- Endpoint is profiled for the 1st time.
- Endpoint is statically assigned a new policy.
- Endpoint is deleted from the ISE DB.
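The VLAN and ACL attributes of the two slides above, and the CoA-Request of this slide, as an added Python example that is not part of the presentation or of any Cisco code: it encodes the IETF tunnel attributes for a VLAN name and the WLC ACL-name VSA into RADIUS attribute bytes, parses them back the way a NAS would, applies the slides' case rule (VLAN name case sensitive on the switch, not on the WLC), and builds and verifies a CoA-Request authenticator as RFC 5176 defines it. The Airespace vendor id 14179 with ACL-Name attribute 6, and the cisco-avpair `subscriber:command=reauthenticate`, are the standard values as I know them; the VLAN name, ACL name, identifier and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct

# IETF attribute codes (RFC 2865 / RFC 2868 / RFC 3580) used to assign a VLAN
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
VENDOR_SPECIFIC = 26
VENDOR_AIRESPACE, AIRESPACE_ACL_NAME = 14179, 6   # WLC VSA carrying the ACL name
VENDOR_CISCO, CISCO_AVPAIR = 9, 1                 # cisco-avpair used by the CoA VSA
COA_REQUEST = 43                                  # RFC 5176 packet code


def attr(code, value):
    """One RADIUS TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", code, 2 + len(value)) + value


def vsa(vendor, vtype, value):
    """Vendor-Specific attribute wrapping a vendor TLV (RFC 2865 section 5.26)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor)
                + struct.pack("!BB", vtype, 2 + len(value)) + value)


def vlan_attributes(vlan_name, tag=1):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=<name>,
    all carrying the same tag octet so the NAS groups them (RFC 2868)."""
    tagged = lambda n: bytes([tag]) + struct.pack("!I", n)[1:]   # tag + 3-octet value
    return (attr(TUNNEL_TYPE, tagged(TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged(TUNNEL_MEDIUM_IEEE802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode()))


def parse_attributes(data):
    """Split a RADIUS attribute stream into (code, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def vlan_from_attributes(attrs):
    """Return the VLAN name if one tag group says Tunnel-Type=VLAN over IEEE-802."""
    groups = {}
    for code, value in attrs:
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            # a leading octet <= 0x1F is a tag; anything larger is part of the value
            tag, body = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[code] = body
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == bytes([0, 0, TUNNEL_TYPE_VLAN])
                and g.get(TUNNEL_MEDIUM_TYPE) == bytes([0, 0, TUNNEL_MEDIUM_IEEE802])
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None


def wlc_acl_name(attrs):
    """Return the Airespace ACL-Name VSA value, as a WLC would read it."""
    for code, value in attrs:
        if code == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == VENDOR_AIRESPACE and vtype == AIRESPACE_ACL_NAME:
                return value[6:4 + vlen].decode()
    return None


def resolve_name(returned, configured, case_sensitive):
    """Device-side lookup of a returned VLAN/ACL name against the configured names.
    Per the slides the switch compares case sensitively, the WLC does not."""
    for name in configured:
        if name == returned or (not case_sensitive and name.lower() == returned.lower()):
            return name
    return None


def build_coa_request(identifier, secret, attributes):
    """CoA-Request; Request Authenticator = MD5(code+id+len+16 zero octets+attrs+secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_request(packet, secret):
    """NAS-side check that a CoA-Request was built with the shared secret and not altered.
    (A production NAS also checks the Message-Authenticator attribute; omitted here.)"""
    if len(packet) < 20:
        return False
    header, auth, attributes = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    # constructed sample values, not taken from any real deployment
    accept = vlan_attributes("Guest-VLAN") + vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, b"GUEST-ACL")
    attrs = parse_attributes(accept)
    print("VLAN:", vlan_from_attributes(attrs), "ACL:", wlc_acl_name(attrs))
    coa = build_coa_request(7, b"sharedsecret",
                            vsa(VENDOR_CISCO, CISCO_AVPAIR, b"subscriber:command=reauthenticate"))
    print("CoA valid:", verify_coa_request(coa, b"sharedsecret"))
```

The `resolve_name` check is the one worth running against your own attribute values: a VLAN name that resolves with `case_sensitive=False` but not with `case_sensitive=True` is exactly the wired/wireless mismatch the slide warns about. The CoA verifier shows why the `server-key` in the switch configuration above matters: without the shared secret nobody can produce a CoA-Request the switch will honour, and any modification of the attributes after signing is rejected.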

Agenda (section divider; same agenda as above)

The company needs to provide guest access for visitors, both for the wired and wireless infrastructure. Particular restrictions need to be assigned to guest contractors, with access to specific resources only. (Diagram: wireless APs and LAN switches, WLC, guest authentication portal, Internet.)

Guest flow: the guest user connects to the open SSID "guest" with web authentication; the WLC or switch redirects the guest web session to the ISE guest portal for authentication; the ISE policy server authorizes access for the guest user. The guest account needs to be created beforehand, via a sponsor or self-service.

Identity Services Engine databases:
- Internal DB: static entries, bulk import, enabled/disabled.
- Guest DB: created by sponsors (bulk option), guest 'self-service', restricted access duration.
- External DB: LDAP / AD, managed externally, enabled/disabled.

If Need for Different Policies Based on User Role
- 'Guest': Internet access only; created by any user; limited connection time: ½ day, one day.
- 'Contractor': Internet access plus access to selected resources; created by select users; longer connection time: one week, one month.

External database groups are mapped in ISE (mapping example for AD). Multiple groups can be created in ISE; each group can contain guest users (created by sponsor and self-service) and internal users (created by administrators). Those groups can be used in different authorization rules to differentiate network access.

Two ways to populate the ISE internal guest DB: self-service (option on the ISE 'Guest Portal') and sponsoring (via the ISE 'Sponsor Portal').


Sponsor portal: customizable sponsor pages; sponsor privileges tied to a defined sponsor policy; roles a sponsor can create; time profiles can be assigned; management of other guest accounts; single or bulk account creation.

Customizable fields: define if mandatory or optional; up to 5 other custom attributes can be added. Guest roles and time profiles: pre-defined by the admin.

Username configuration: created from 'first & last name' or 'email'. Password configuration: generated automatically; configurable password complexity.

Sponsor Will Have Three Ways to Inform Guest
1. Printing the details
2. Sending the details via e-mail
3. Sending the details via SMS

Sponsor group example:
- Sponsor 'AllAccounts': can create users in groups 'contractor' and 'guest'; can use time profiles up to one week; can see all accounts in the group.
- Sponsor 'OwnAccounts': can create users in group 'guest' only; can use time profiles up to one day; cannot do bulk creation.


The sponsor account can be a local ISE user, an LDAP user or an Active Directory user. The DB checking order can be configured via 'Identity Source Sequence' in ISE; in the above example we interrogate the ISE DB first and then the AD.

You can map any group (internal, AD, LDAP) to a sponsor privilege group. All users mapped to that group will log in with the sponsor privileges defined in the selected sponsor group. (Screens: map internal groups to sponsor privilege groups; map AD groups.)


Several languages are supported natively in ISE 1.1. All guest user pages are translated: authentication page, acceptable usage policy, success/failure page.

Device registration portal: a portal allowing users to register their own devices. Access can be granted to guests, employees, students.

Multiple portals might be needed based on: location / country; several organizational entities; type of device (WLC, switches); local language support. ISE allows for: a default portal; portal customization; simultaneous use of several portals for user authentication. (Sample customized portal shown.)

Deployment Considerations
Web authentication is only for users (not devices): a browser is required and the username/password are entered manually. The network equipment must intercept the HTTP request and redirect it to the guest portal for authentication. There are 2 ways to enforce this on the network equipment (WLC, switches):
- Local Web Auth (LWA): web auth done on the network device (web-auth feature on devices); no CoA support; authorization only with ACLs.
- Central Web Auth (CWA): web auth configuration pushed centrally; CoA support (for posture, profiling, ...); authorization can use VLAN or ACLs.

LWA flow (switch / AP-WLC, with DHCP/DNS and the ISE server):
1. 802.1X timeout, 802.1X failure or MAB failure on the switch; open SSID with web auth on the WLC.
2. Port enabled, ACL applied; host acquires IP address, triggers session state.
3. Host opens browser.
4. Login page; host sends password.
5. Switch queries AAA server; AAA server returns policy (server authorizes user).
6. Switch applies new ACL policy.

LWA requires local configuration on each WLC and switch: an extra method (web authentication) on the wireless LAN controller and on the switch, and no change is possible until re-authentication (posture, profiling). Central Web Authentication (CWA) with ISE was created by Cisco to improve deployment.

CWA flow (switch / AP-WLC, with DHCP/DNS and the ISE server):
1. Switch configured for 802.1X / MAB only; open SSID for guest on the WLC.
2. First authentication session.
3. AuthC success; AuthZ for unknown user returned: redirect/filter ACL, portal URL. Host acquires IP address, triggers session state.
4. Host opens browser; switch redirects browser to ISE CWA page (login page).
5. Host sends username/password; AUP process, if configured.
6. Web auth success results in CoA.
7. MAB re-auth: MAB success; session lookup, policy matched; authorization dACL/VLAN returned (server authorizes user).

CWA: no extra local method like web authentication; VLAN assignment is also supported; centralization and dynamic push of configuration (portal URL; filtering and redirection ACL until guest authentication occurs); support for posture and profiling.
Supported platforms and software versions: Catalyst 2960 (LAN Base) & 3560/3750: 12.2(55)SE3; Catalyst 4500 Series: 15.0(2)SG1 (Sup 7E: CoA not currently supported); Catalyst 6500 Series: 12.2(33)SXI7; Wireless LAN Controller (WLC/WiSM): 7.0.116.0 (CoA on 802.1X SSID only), 7.2 (CoA on Guest SSID).
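The CWA sequence of the last three slides, as an added Python model that is not part of the presentation or of any Cisco software: it plays the switch session and the ISE side through the steps above (first MAB returns a redirect ACL and portal URL for an unknown MAC, a successful portal login records the session and sends CoA, the MAB re-authentication then finds the session and returns the dACL). The ACL names, portal URL, MAC address and guest credentials are constructed placeholders, and "CoA" here is just a recorded event rather than a RADIUS packet.

```python
import hmac
from dataclasses import dataclass, field

# Constructed policy values; in ISE these would be authorization profiles.
REDIRECT_ACL = "ACL-WEBAUTH-REDIRECT"      # permits DHCP/DNS/ISE, redirects other HTTP
PORTAL_URL = "https://ise.example.net:8443/guestportal/"   # placeholder portal URL
GUEST_DACL = "dACL-GUEST-INTERNET-ONLY"


@dataclass
class Session:
    """The switch-side view of one endpoint session."""
    mac: str
    state: str = "unknown"          # unknown -> redirected -> webauth_ok -> authorized
    authz: dict = field(default_factory=dict)


@dataclass
class CwaPolicyServer:
    """Minimal model of the ISE side: remembers which MAC completed web auth."""
    webauth_users: dict = field(default_factory=dict)   # mac -> username
    coa_sent: list = field(default_factory=list)        # MACs a CoA was issued for

    def mab_request(self, session):
        """Steps 2-3 and 7: MAB; the AuthZ result depends on the session lookup."""
        user = self.webauth_users.get(session.mac)
        if user is None:
            # unknown endpoint: permit only what the portal needs, redirect the rest
            session.state = "redirected"
            session.authz = {"acl": REDIRECT_ACL, "redirect_url": PORTAL_URL}
        else:
            # session lookup matched a completed web auth: full guest policy
            session.state = "authorized"
            session.authz = {"dacl": GUEST_DACL, "user": user}
        return session.authz

    def portal_login(self, session, username, password, guest_db):
        """Steps 5-6: the portal checks guest credentials, then sends CoA so the
        switch re-authenticates the MAC and picks up the new authorization."""
        expected = guest_db.get(username)
        if session.state != "redirected" or expected is None \
                or not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        self.webauth_users[session.mac] = username
        session.state = "webauth_ok"
        self.coa_sent.append(session.mac)   # CoA-Request: reauthenticate
        return True


def run_cwa(mac, username, password, guest_db):
    """Drive one endpoint through the CWA flow and return the final session."""
    ise = CwaPolicyServer()
    s = Session(mac)
    ise.mab_request(s)                        # first MAB: redirect ACL + portal URL
    if not ise.portal_login(s, username, password, guest_db):
        return s                              # stays redirected, no CoA
    assert ise.coa_sent == [mac]
    ise.mab_request(s)                        # MAB re-auth after CoA: dACL returned
    return s


if __name__ == "__main__":
    guests = {"guest01": "Welcome-42"}        # constructed guest DB
    print(run_cwa("00:11:22:33:44:55", "guest01", "Welcome-42", guests))
    print(run_cwa("00:11:22:33:44:66", "guest01", "wrong", guests))
```

The point the model makes is the one the LWA/CWA comparison slide makes: the switch never changes the session's authorization on its own; the change arrives only through the CoA-triggered re-authentication, which is why CWA can also carry posture and profiling results and LWA cannot.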

Monitoring: ISE shows guest URL activity when firewall syslogs are sent to ISE.

Send syslogs to the ISE M&T node, UDP port 20514. Filter on message ID # 304001: accessed URLs.

ASA to send HTTP: create a service policy in the ASA to inspect HTTP traffic for the guest subnet; ISE then shows the accessed URLs in its reports.
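The filter the three monitoring slides describe, as an added Python example that is not part of the presentation or of any Cisco code: it picks ASA message 304001 out of a syslog stream, extracts source host, identity-firewall user (when present), destination and URL, optionally restricts the result to the guest subnet, and can relay the matching lines to the ISE M&T port 20514 over UDP. The message layout assumed is `%ASA-5-304001: <src> [(user)] Accessed URL <dst>:<url>`; the syslog lines are constructed samples, not real firewall output.

```python
import ipaddress
import re
import socket
from collections import Counter

# ASA message 304001 reports a URL a host accessed (the message the slide filters on);
# the optional parenthesised field is the identity-firewall user name. Layout assumed.
URL_ACCESS_RE = re.compile(
    r"%ASA-\d-304001:\s+(?P<src>\S+)"
    r"(?:\s+\((?P<user>[^)]*)\))?"
    r"\s+Accessed URL\s+(?P<dst>[^\s:]+):(?P<url>\S+)"
)

# constructed sample syslog lines, not real firewall output
SAMPLE_SYSLOG = [
    "Mar  1 09:15:02 asa-guest %ASA-5-304001: 10.200.1.23 Accessed URL 203.0.113.10:http://www.example.com/",
    "Mar  1 09:15:03 asa-guest %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.200.1.23/51234 (10.200.1.23/51234)",
    "Mar  1 09:15:04 asa-guest %ASA-5-304001: 10.200.1.45 (guest01) Accessed URL 198.51.100.7:http://example.net/login",
    "Mar  1 09:15:05 asa-guest %ASA-5-304002: Access denied URL http://example.org/ SRC 10.200.1.23 DEST 203.0.113.99 on interface inside",
    "Mar  1 09:15:06 asa-guest %ASA-5-304001: 10.200.1.23 Accessed URL 203.0.113.10:http://www.example.com/downloads/tool.exe",
]


def parse_url_access(line):
    """Return {'src','user','dst','url'} for a 304001 line, None for any other message."""
    m = URL_ACCESS_RE.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "user": m.group("user"),
            "dst": m.group("dst"), "url": m.group("url")}


def in_subnet(address, subnet):
    """True if address parses as an IP inside subnet; non-IP sources never match."""
    try:
        return ipaddress.ip_address(address) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return False


def filter_url_access(lines, guest_subnet=None):
    """Keep only 304001 records, optionally only those sourced from the guest subnet."""
    records = [r for r in (parse_url_access(line) for line in lines) if r]
    if guest_subnet:
        records = [r for r in records if in_subnet(r["src"], guest_subnet)]
    return records


def urls_per_host(records):
    """Hit count per source host: a simple version of the report ISE builds from these messages."""
    return Counter(r["src"] for r in records)


def forward_to_ise(lines, ise_mnt_host, port=20514):
    """Relay matching lines to the ISE Monitoring & Troubleshooting syslog port over UDP.
    Not called by the tests; ise_mnt_host is whatever your M&T node is."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for line in lines:
            if parse_url_access(line):
                sock.sendto(line.encode(), (ise_mnt_host, port))
    finally:
        sock.close()


if __name__ == "__main__":
    for rec in filter_url_access(SAMPLE_SYSLOG, "10.200.1.0/24"):
        print(rec)
    print(urls_per_host(filter_url_access(SAMPLE_SYSLOG)))
```

Forwarding only the 304001 lines keeps the M&T node from being flooded by connection build/teardown messages (302013 and friends), which is the practical reason the slide says to filter on that message ID rather than sending the whole ASA log.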

Agenda (section divider; same agenda as above)

Device Profiling Dynamic Policy (wireless and wired; ISE decides on device state)
- Employees (company asset): corporate machine / corp user -> full access, corporate VLAN.
- Employee (personal laptop): non-corporate machine with employee user logged in.
- Employee (iPad): employee user via WPA authentication, device iPad.
- Contractors: contractor -> contractor VLAN, web apps only, Internet.
- Guest: guest account -> Internet only.

Summary: component of Cisco's TrustSec architecture (wired & wireless solutions; architecture testing and validation (CVD)); flexible solution (account creation; guest authentication portals, customization); integrated & scalable guest access solution (guest / posture / profiling; configuration / monitoring).

References:
Cisco ISE: http://www.cisco.com/go/ise
Cisco TrustSec: http://www.cisco.com/go/trustsec
Cisco TrustSec 2.0 Product Bulletin (supported SW versions): URL truncated in the transcription, ending in ral/ns170/ns896/ns1051/productbulletin c25-662693.html
URL truncated in the transcription, ending in rprise/Borderless Networks/Unified Access/byodwp.html

Twitter: www.twitter.com/CiscoCZ. Talk2Cisco: www.talk2cisco.cz/dotazy. SMS: 721 994 600. We invite you to the "Ptali jste se" (You asked) Q&A session in hall LEO, day 2, 16:30 – 17:00.

T-SECA5: Please rate this talk.
