Cisco TrustSec How-To Guide: ISE Integration With XenMobile MDM


Cisco TrustSec How-To Guide: ISE Integration with XenMobile MDM
Current Document Version: 3.0
December 11th, 2012

Table of Contents

Introduction
  What Is the Cisco TrustSec System?
  About the TrustSec How-To Guides
Mobile Device Management (MDM)
  Overview
  Sample Network Topology
Using MDM Integration Configuration Steps
Appendix A: XenMobile Configuration
Appendix B: End User Flow
Appendix C: References
  Cisco TrustSec System
  Device Configuration Guides

How-To: Cisco ISE Integration with XenMobile MDM

Introduction

What Is the Cisco TrustSec System?

Cisco TrustSec, a core component of the Cisco SecureX Architecture, is an intelligent access control solution. TrustSec mitigates security risks by providing comprehensive visibility into who and what is connecting across the entire network infrastructure, and exceptional control over what and where they can go.

TrustSec builds on your existing identity-aware access layer infrastructure (switches, wireless controllers, and so on). The solution and all the components within the solution are thoroughly vetted and rigorously tested as an integrated system.

In addition to combining standards-based identity and enforcement models, such as IEEE 802.1X and VLAN control, the TrustSec system also includes advanced identity and enforcement capabilities such as flexible authentication, Downloadable Access Control Lists (dACLs), Security Group Tagging (SGT), device profiling, posture assessments, and more.

Figure 1: TrustSec Architecture Overview (diagram labels: RADIUS, Guest Services, Posture, Profiler, Ingress Enforcement, Wireless user, Wired user, SXP, Security Group Tag, Campus Network, MACsec, Data Center, Egress Enforcement)

About the TrustSec How-To Guides

The TrustSec team is producing this series of How-To documents to describe best practices for TrustSec deployments. The documents in the series build on one another and guide the reader through a successful implementation of the TrustSec system. You can use these documents to follow the prescribed path to deploy, or simply pick the single use-case that meets your specific need.

Each guide in this series comes with a subway-style “You Are Here” map to help you identify the stage the document addresses and pinpoint where you are in the TrustSec deployment process (Figure 2).

Figure 2: How-To Guide Navigation Map

What does it mean to be ‘TrustSec Certified’?

Each TrustSec version number (for example, TrustSec Version 2.0, Version 2.1, and so on) is a certified design or architecture. All the technology making up the architecture has undergone thorough architectural design development and lab testing. For a How-To Guide to be marked “TrustSec certified,” all the elements discussed in the document must meet the following criteria:

- Products incorporated in the design must be generally available.
- Deployment, operation, and management of components within the system must exhibit repeatable processes.
- All configurations and products used in the design must have been fully tested as an integrated solution.

Many features may exist that could benefit your deployment, but if they were not part of the tested solution, they will not be marked as “TrustSec certified”. The TrustSec team strives to provide regular updates to these documents that will include new features as they become available and are integrated into the TrustSec test plans, pilot deployments, and system revisions (for example, TrustSec 2.2 certification). Additionally, many features and scenarios have been tested, but are not considered a best practice, and therefore are not included in these documents. As an example, certain IEEE 802.1X timers and local web authentication features are not included.

Note: Within this document, we describe the recommended method of deployment, and a few different options depending on the level of security needed in your environment. These methods are examples and step-by-step instructions for TrustSec deployment as prescribed by Cisco best practices to help ensure a successful project deployment.

Mobile Device Management (MDM)

Overview

Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. A typical MDM product consists of a policy server, a mobile device client and an optional inline enforcement point that controls the use of some applications on a mobile device (like email) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints (based on ACLs, TrustSec SGTs, etc.). It is envisaged that Cisco Identity Services Engine (ISE) would be an additional network-based enforcement point while the MDM policy server would serve as the policy decision point. ISE expects specific data from MDM servers to provide a complete solution.

The following are the high level use cases in this solution:

- Device registration: Non-registered endpoints accessing the network on-premises will be redirected to the registration page on the MDM server for registration based on user role, device type, etc.
- Remediation: Non-compliant endpoints will be given restricted access based on compliance state.
- Periodic compliance check: Periodically check with the MDM server for compliance.
- Ability for the administrator in ISE to issue remote actions on the device through the MDM server (e.g. remote wiping of the managed device).
- Ability for the end user to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe, Corporate Wipe and PIN Lock.

Sample Network Topology

Figure 3: ISE MDM Integration Topology

MDM Integration use-case overview

1. User associates device to SSID.
2. If the user device is not registered, the user goes through the BYOD on-boarding flow, details listed in the Appendix.
3. ISE makes an API call to the MDM server.
4. This API call returns the list of devices for this user and the posture status for the devices. Please note that we can pass the MAC address of the endpoint device as an input parameter.
5. If the user’s device is not in this list, it means the device is not registered with the MDM provider. ISE will send an authorization to the NAD to redirect to ISE; users will be redirected to the MDM server (home page or landing page).
6. ISE will know that this device needs to be provisioned using MDM and will present an appropriate page to the user to proceed to registration.
7. The user will be transferred to the MDM policy engine where registration will be completed by the user. Control will transfer back to ISE either through automatic redirection by the MDM server or by the user refreshing their browser again.
8. ISE will query MDM again to gain knowledge of the posture status.
9. If the user device is not compliant with the posture (compliance) policies configured on MDM, the user will be notified that the device is out of compliance, the reason for non-compliance and the need to be in compliance to access network resources.
10. Once the user’s device becomes compliant, the MDM server will update the device state in its internal tables.
11. At this stage the user can refresh the browser, at which point control would transfer back to ISE.
12. ISE would also poll the MDM server periodically to get compliance information and issue CoAs appropriately.

Components

Table 1: Components Used in this Document

Component                               | Hardware                                                            | Features Tested                                                            | Cisco IOS Software Release
Cisco Identity Services Engine (ISE)    | Any: 1121/3315, 3355, 3395, VMware                                  | Integrated AAA, policy server, and services (guest, profiler, and posture) | ISE 1.2
MDM Server                              | MDM                                                                 |                                                                            |
Certificate Authority Server (Optional) | Any per specification of Microsoft (Windows 2008 R2 Enterprise SP2) | SCEP, Certificate Authority Server                                         | N/A
Wireless LAN Controller (WLC)           | 5500-series, 2500-series, WLSM-2, Virtual Controller                | Profiling and Change of Authorization (CoA)                                | Unified Wireless 7.2.?
Test Devices: e.g. Apple iOS, Google Android | Apple & Google                                                 | Apple iOS 5.0 and higher, Google Android 2.3 and higher                    | N/A

Note: Within this document, we have demonstrated MDM configuration only. We recommend using our How-To Guide to configure ISE and WLC to a recommended o 60 byod certificates.pdf
More guides are available /ns742/ns744/landing DesignZone TrustSec.html

Using MDM Integration Configuration Steps

Cisco ISE and MDM integration configuration. Figure 3 shows the main steps in configuring MDM Integration.

Figure 4: MDM Configuration Flow

Add External MDM Server to ISE

MDM Servers can be used as a cloud service or installed locally on premises. Once the installation, basic setup and compliance checks are configured on the MDM server, it can then be added to ISE.

Procedure 1: Export MDM Server Certificate

Step 1: Export the MDM Server Certificate and save it on the local machine.

Figure 5: Export MDM Certificate

Step 2: Import the certificate into ISE.
Navigate to: Administration - Certificates - Certificate Store - Import
Optional: Add a friendly name and then click Submit.

Figure 6: Import MDM Certificate to Cisco ISE

Step 3: Verify that the certificate is in the Certificate Store.

Figure 7: Verify MDM Certificate in Cisco ISE

Step 4: Add the MDM Server.
Navigate to: Administration - MDM

Figure 8.1: Add MDM Server in Cisco ISE

Click Add, then enter the MDM Server details.

Figure 8.2: Add MDM Server in Cisco ISE

Click Test Connection first; ISE will confirm that the connection is working.

Figure 8.3: Add MDM Server in Cisco ISE

Click OK on this pop-up and then select the checkbox. Click the Submit button; the server will be added and the following success message will be presented to the admin.

Figure 8.4: Add MDM Server in Cisco ISE

Review the MDM dictionaries

Once the MDM server is added, the supported dictionaries show up in ISE, and they can later be used in ISE Authorization Policies.
Navigate to: Policy - Policy Elements - Dictionaries - MDM - Dictionary Attributes

Figure 9: Review MDM Dictionaries in Cisco ISE

Configure ISE Authorization Policies

Once the MDM server is added to ISE, we can configure authorization policies in ISE to leverage the new dictionaries added for MDM servers.

Note: Within this document, we have demonstrated using the dictionary attributes MDM:DeviceRegisterStatus EQUALS UnRegistered and MDM:DeviceCompliantStatus EQUALS NonCompliant. Please configure and test additional attributes as well.

Step 1: Create an ACL named “NSP-ACL” in the Wireless LAN Controller, which will be used in the policy later to redirect clients selected for BYOD supplicant provisioning, certificate provisioning and MDM Quarantine.

Cisco Identity Services Engine IP address: 10.35.50.165
Internal Corporate Networks: 192.168.0.0, 172.16.0.0 (to redirect)
MDM Server subnet: 204.8.168.0

Figure 10: Access Control List for re-directing client to BYOD flow

The explanation of the NSP-ACL in Figure 17 is as follows:

1. Allow all traffic “outbound” from Server to Client.
2. Allow ICMP traffic “inbound” from Client to Server for troubleshooting; it is optional.
3. Allow access to the MDM server for un-registered and non-compliant devices to download the MDM agent and proceed with compliance checks.
4. Allow all traffic “inbound” from Client to Server to ISE for the Web Portal, supplicant and certificate provisioning flows.
5. Allow DNS traffic “inbound” from Client to Server for name resolution.
6. Allow DHCP traffic “inbound” from Client to Server for IP addresses.
7. Deny all traffic “inbound” from Client to Server to corporate resources for redirection to ISE (as per company policy).
8. Deny all traffic “inbound” from Client to Server to corporate resources for redirection to ISE (as per company policy).
9. Deny all traffic “inbound” from Client to Server to corporate resources for redirection to ISE (as per company policy).
10. Deny all traffic “inbound” from Client to Server to corporate resources for redirection to ISE (as per company policy).
11. Deny all traffic “inbound” from Client to Server to corporate resources for redirection to ISE (as per company policy).
12. Deny all traffic “inbound” from Client to Server to corporate resources for redirection to ISE (as per company policy).
13. Permit all the rest of the traffic (optional).

Step 2: Create an Authorization Profile named “MDM Quarantine” for devices which are not compliant with MDM policies. In this case all non-compliant devices will be redirected to ISE and presented with a message.
Click Policy - Policy Elements - Results, then click Authorization - Authorization Profiles and click “Add”.

Figure 11: Authorization Profiles Navigation

Figure 12.1: Authorization Policy Configuration
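To see how the NSP-ACL rule order above behaves for a quarantined client, here is an added Python simulation of the list (example code, not from the guide and not WLC configuration). It assumes a /16 and a /12 for the two corporate networks and a /24 for the MDM subnet, and models the deny entries the guide lists as rules 7 to 12 as one deny per corporate prefix.

```python
import ipaddress

# Addresses from Step 1 of the guide; the prefix lengths are assumptions.
ISE_SERVER = ipaddress.ip_network("10.35.50.165/32")
CORP_NETS = [ipaddress.ip_network("192.168.0.0/16"),
             ipaddress.ip_network("172.16.0.0/12")]
MDM_SUBNET = ipaddress.ip_network("204.8.168.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule tuples: (label, direction, destination network, protocol, dst port, action).
# Direction "out" = server to client, "in" = client to server.
# In a redirect ACL, "deny" means the flow is intercepted and sent to the ISE
# portal; "permit" means it bypasses the redirect. First match wins, as on the WLC.
NSP_ACL = [
    ("1",  "out", ANY,          "any",  None, "permit"),  # all server -> client
    ("2",  "in",  ANY,          "icmp", None, "permit"),  # ICMP for troubleshooting
    ("3",  "in",  MDM_SUBNET,   "any",  None, "permit"),  # MDM agent download / compliance
    ("4",  "in",  ISE_SERVER,   "any",  None, "permit"),  # ISE portal and provisioning
    ("5",  "in",  ANY,          "udp",  53,   "permit"),  # DNS
    ("6",  "in",  ANY,          "udp",  67,   "permit"),  # DHCP
    ("7",  "in",  CORP_NETS[0], "any",  None, "deny"),    # corporate -> redirect to ISE
    ("8",  "in",  CORP_NETS[1], "any",  None, "deny"),    # (the guide lists rules 7-12 here)
    ("13", "in",  ANY,          "any",  None, "permit"),  # everything else (optional)
]

def evaluate(direction, dst_ip, proto, dst_port=None):
    """Return (rule label, action) of the first matching rule.

    Client source addresses are "any" in every rule, so only direction,
    destination, protocol and destination port are examined. Falls through
    to the controller's implicit deny when nothing matches.
    """
    dst = ipaddress.ip_address(dst_ip)
    for label, rdir, rdst, rproto, rport, action in NSP_ACL:
        if rdir != direction or dst not in rdst:
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rport is not None and rport != dst_port:
            continue
        return label, action
    return "implicit", "deny"

def redirected(dst_ip, proto, dst_port=None):
    """True when a quarantined client's flow would be sent to the ISE portal."""
    return evaluate("in", dst_ip, proto, dst_port)[1] == "deny"

if __name__ == "__main__":
    # Constructed sample flows from a quarantined client.
    for flow in [("10.35.50.165", "tcp", 8443), ("192.168.10.5", "tcp", 443),
                 ("204.8.168.20", "tcp", 443), ("8.8.8.8", "udp", 53)]:
        print(flow, evaluate("in", *flow))
```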

Figure 12.2: Authorization Policy Configuration

Note: NSP-ACL needs to be defined on the Wireless LAN Controller; a sample is attached.

Step 3: Create the Authorization Policy. Click Policy - Authorization - Authorization Profiles, then click “Insert New Rule Below”.

Figure 13: Insert New Rule

Please add the following Authorization Policy:

MDM Un Registered: This Authorization Rule is added for devices which are not yet registered with an MDM server. Once the device hits this rule, it will be forwarded to the ISE MDM landing page, which will present the user with information on registering the device with MDM.

MDM Non Compliant: This Authorization Rule is added for devices which are not compliant with MDM policies. Once the Android device hits the “Register” button during device registration, ISE sends a Re-Auth CoA to the controller. Once the device hits this rule, it will be forwarded to the ISE MDM landing page, which will present the user with information on compliance failure.

PERMIT: Once the device is registered with ISE, registered with MDM and is in compliance with ISE and MDM policies, it will be granted access to the network.

Figure 14: Authorization Policy Configuration view

You are done!

Please see the How-To Guide “BYOD-Using Certificates for Differentiated Access” if interested in provisioning certificates along with the supplicant profile.

Note: MDM policies could also be defined in more granular detail on Cisco ISE, e.g.
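As an added illustration (example code, not from the guide and not ISE’s actual API), here is a Python model of the three rules above together with the periodic MDM poll from step 12 of the use-case overview: a constructed MDM device list is mapped onto the MDM:DeviceRegisterStatus and MDM:DeviceCompliantStatus attributes, the rules are matched in order, and sessions whose result changed are flagged for a CoA. The rule names and the MDM Quarantine profile are the guide’s; the device table, the MAC addresses and the use of ISE’s built-in PermitAccess profile are assumptions.

```python
# Constructed sample of the per-user device list the MDM API returns to ISE
# (the guide notes the endpoint MAC can be passed as the query parameter).
MDM_DEVICES = {
    "00:11:22:33:44:55": {"compliant": True},
    "66:77:88:99:AA:BB": {"compliant": False},
}

def mdm_attributes(mac, devices=MDM_DEVICES):
    """Map an MDM lookup onto the two ISE dictionary attributes the guide uses.

    A MAC absent from the MDM list is UnRegistered; its compliance value is
    set to NonCompliant as well (an assumption; it is never consulted because
    the UnRegistered rule is evaluated first).
    """
    rec = devices.get(mac.upper())
    if rec is None:
        return {"MDM:DeviceRegisterStatus": "UnRegistered",
                "MDM:DeviceCompliantStatus": "NonCompliant"}
    return {"MDM:DeviceRegisterStatus": "Registered",
            "MDM:DeviceCompliantStatus":
                "Compliant" if rec["compliant"] else "NonCompliant"}

# Authorization rules in the order the guide inserts them; first match wins.
# Each entry: (rule name, attribute conditions that must all be EQUAL, profile).
AUTHZ_RULES = [
    ("MDM Un Registered", {"MDM:DeviceRegisterStatus": "UnRegistered"}, "MDM Quarantine"),
    ("MDM Non Compliant", {"MDM:DeviceCompliantStatus": "NonCompliant"}, "MDM Quarantine"),
    ("PERMIT", {}, "PermitAccess"),  # PermitAccess is ISE's built-in profile (assumed here)
]

def authorize(mac, devices=MDM_DEVICES):
    """Return (matched rule, authorization profile) for an endpoint."""
    attrs = mdm_attributes(mac, devices)
    for name, conditions, profile in AUTHZ_RULES:
        if all(attrs.get(k) == v for k, v in conditions.items()):
            return name, profile
    return "Default", "DenyAccess"  # not reached: PERMIT has no condition

def periodic_poll(sessions, devices=MDM_DEVICES):
    """Step 12 of the flow: re-evaluate live sessions against fresh MDM data.

    sessions maps MAC -> rule that authorized the current session. Returns
    (mac, old rule, new rule) for each session whose result changed, i.e. the
    endpoints for which ISE would send a CoA to the controller.
    """
    changes = []
    for mac, current_rule in sessions.items():
        new_rule, _ = authorize(mac, devices)
        if new_rule != current_rule:
            changes.append((mac, current_rule, new_rule))
    return changes

if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "66:77:88:99:AA:BB", "DE:AD:BE:EF:00:01"):
        print(mac, authorize(mac))
```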

Demonstrations

If interested in looking at the end-user experience for on-boarding i-devices, Android, Windows and Mac OS X, please visit the following s/ise/#sectionName 4

Appendix A: XenMobile Configuration

In this section we will review the configuration of the XenMobile Server for the corporate policies. This highlights the following:

- Verify admin account privileges for the REST API, i.e. the account used by ISE to send REST API calls to the XenMobile Server
- Review the Default Security Policies
- Review the iOS app installation configuration (AnyConnect)

Step 1: Access the XenMobile administrative web interface.
a. On the Admin PC, launch the Mozilla Firefox web browser. Enter the XenMobile URL in the address bar. The URL listed here is a sample URL.
b. Login with username and password. Once you login, you will see the dashboard as shown below.

Step 2: User Management
a. Navigate to USERS. Create users (admin or client users).
b. Assign the roles accordingly (see the screen below).
c. An admin role user can be used for the API.

Step 3: Security Policies on XenMobile Server
a. Navigate to POLICIES - iOS Configuration.

b. Create the default passcode policy.
c. Create the self-service corporate app store policies as shown below.
d. Review the policies, e.g. Password, Type, Length, Data Encryption etc.

Appendix B: End User Flow

Below are the steps to follow when enrolling the device with the MDM server.

Step 1: Hit the Enroll tab.
Step 2: Select the device type (iOS in this case).

Step 3: The browser will take you to the App Store to install the Citrix app for enrolling the device. As per Citrix you have to install both the “Worx Home” and “Citrix Mobile Enroll” apps, as shown below.
Step 4: Once both of the above apps are installed, run the Citrix Mobile Enroll app and it will take you to the screen below. Hit Enroll and follow the next steps.
Step 5: Enter the user credentials and server details and hit Next.

Step 6: Follow the instructions as displayed on the screen to enroll the device as below.
Step 7: Once all three of the above steps are completed, you will see the screen below.

Step 8: You will get the screen below once you hit Next after Step 7, and the device is enrolled.
Step 9: Once the device is enrolled, close the current tab and go back to the enrollment page which you got during Step 1 and hit Continue to get permit access on the device, which will allow the device to access the corporate network.

Step 10: Make sure you have the following profiles installed on the device (Settings - General - Profiles).

Appendix C: References

Cisco TrustSec System:
http://www.cisco.com/go/trustsec
s742/ns744/landing DesignZone TrustSec.html

Device Configuration Guides:
Cisco Identity Services Engine User /products user guide list.html

For more information about Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software releases, please refer to the following URLs:
- For Cisco Catalyst 2900 series: 6/products installation and configuration guides list.html
- For Cisco Catalyst 3000 series: 7/products installation and configuration guides list.html
- For Cisco Catalyst 3000-X series: 45/products installation and configuration guides list.html
- For Cisco Catalyst 4500 series: itches/ps4324/products installation and configuration guides list.html
- For Cisco Catalyst 6500 series: itches/ps708/products installation and configuration
