Managing The BYOD Evolution - Mrncciew.files.wordpress

Transcription

Managing the BYOD Evolution
BRKEWN-2020
Scott Lee-Guard, Systems Engineer

Agenda: Managing the BYOD Evolution
- Personal Devices on the Network
- Network Components
- Identification and Security Policy Enforcement: Wireless, Wired, Remote Access
- Securely On-Board the Device: ISE, Prime, 3rd Party MDM
- Simplified Bonjour Operations
BRKEWN-2020, 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Wireless BYOD: Drivers and Assumptions
Drivers
- The majority of new network devices have no wired port
- Users will change devices more frequently than in the past
- Mobile devices have become an extension of our personality
- Guest / contractor access and accountability has become a mandatory business need
Assumptions
- Guests and contractors must be isolated and accounted for
- Users will have 1 wired and 2 wireless devices moving forward
- The wireless network must be as secure and as predictable as the wired network

Cisco Unique BYOD Value Proposition: Enable Any Device, Any Access, Any Policy Through One Network
- More Than Just Personal Devices: device ownership is irrelevant (corporate, personal, guest, etc.)
- More Than Just Wireless Access: BYO devices need wired, wireless, remote and mobile access
- More Than Just iPads: BYO devices can be any device (Windows PCs, Mac OS devices, any tablet, any smartphone, gaming consoles, printers)

Spectrum of BYOD Strategies: Different Deployment Requirements for Different Environments

Strategy                        | Components                                                      | Access                         | Capabilities
--------------------------------|-----------------------------------------------------------------|--------------------------------|------------------------------------------------------------------------
Controller-only BYOD            | Cisco WLAN Controller                                           | Wireless only                  | Basic profiling and policy on the WLC
Controller + ISE: Wireless BYOD | Cisco WLAN Controller, ISE                                      | Wireless only                  | AAA, advanced profiling, device posture, client on-boarding, guest, MDM
Controller + ISE: Advanced BYOD | Cisco WLAN Controller, ISE, Cisco Catalyst Switch, ASA Firewall | Wired, wireless, remote access | AAA, advanced profiling, device posture, client on-boarding, guest, MDM

Contextual Policy for BYOD Deployments: Control and Enforcement
Flow shown in the diagram (Access Point, Wireless LAN Controller, ISE):
1. Identity: 802.1X authentication
2. Profiling to identify the device (DHCP, HTTP and SNMP attributes)
3. Posture of the device
4. Company asset: corporate resources (VLAN 10)
5. Personal asset: Internet only (VLAN 20)
6. Unified Access Management enforcement (dACL, VLAN, SGA): full or partial access granted
With the ISE, Cisco wireless can support multiple users and device types on a single SSID.

Required Network Components and Versions: Cisco Wireless LAN and Identity Services Engine
Cisco Wireless LAN Controller
- Version 7.0.116 or greater (440X, WiSM1, Flex 7500, 210X or later): central switching supported for device profiling and posture assessment; 802.1X WLANs only supported for CoA
- Version 7.2.X or greater (5508, WiSM2, Flex 7500, 8500 (7.3), 250X or later): central and FlexConnect switching supported for device profiling and posture assessment; 802.1X and Open (L3 web authentication) supported for CoA
- Version 7.5.X or greater (5508, WiSM2, Flex 7500, 8500 (7.3), 250X or later): central and FlexConnect switching for controller-only profiling and policy enforcement
Cisco Identity Services Engine
- Version 1.1.1 or later
- Advanced Package license for Profiling and Posture

Cisco BYOD Policy Steps
- Phase 1: Authentication (EAP), on ISE
- Phase 2: Device Identification and Policy Assignment (MAC, DHCP, DNS, HTTP), on ISE
- Phase 3: Client Supplicant Posture Assessment, on ISE
- Device Policy Enforcement (QoS, ACL, VLAN; e.g. Silver, Allow-All, Employee), on the WLC

BYOD Policy Building Blocks: Tools of the Trade

Build BYOD Policy: Flexible Options
Policy Factors: Access Method, Posture, User Role, Device Type, Time, Authentication, Active Directory Member (Device or User)
Policy Enforcement: Guest Services, Blackhole-URL, VLAN, Access List, QoS, Session Timeout, Client On-Board, Login-URL, dACL, Posture Remediation, SGA
Policy Management: MyDevices Portal, Reporting, MDM Integration

Extensible Authentication Protocol (EAP)
- The EAP type is negotiated between the client and the RADIUS server (carried in EAPoL on the wireless side and inside RADIUS between the controller and the server)

EAP Authentication Types: Different Authentication Options Leveraging Tunnel-Based and Certificate-Based Methods
- Inner methods: EAP-GTC, EAP-TLS, EAP-MSCHAPv2 (carried inside a PEAP or EAP-FAST tunnel)
- Tunnel-based: common deployments use a tunnelling protocol combined with an inner EAP type. This provides security for the inner EAP type, which may be vulnerable by itself.
- Certificate-based: mutual authentication of both the server and the client.

Factors in Choosing an EAP Method: The Most Common EAP Types are PEAP and EAP-TLS
Factors: security, client support, EAP type(s) already deployed
- Most clients support EAP-TLS and PEAP (MS-CHAPv2). Additional supplicants can add more EAP types (Cisco AnyConnect).
- Certain EAP types can be more difficult to deploy. Cisco ISE Supplicant Provisioning can aid deployment.

Cisco Wireless LAN Controller ACLs: Layer 3-4 Filtering at Line-rate
- ACLs provide L3-L4 policy and can be applied per interface (inbound from or outbound to the wired LAN) or per user.
- Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs.
- Up to 64 rules can be configured per ACL.
- Implicit Deny All at the end.

URL Redirection Example: TCP Traffic Flow for the Login Page (Host and WLC)
1. User opens a browser
2. Host -> WLC: TCP port 80 SYN
3. WLC -> Host: SYN-ACK
4. Host -> WLC: ACK
5. Host -> WLC: HTTP GET http://www.google.com
6. WLC -> Host: Redirect to the HTTP login page
7. Host -> WLC: username, password
8. Host -> WLC: HTTP GET http://www.google.com (the original request now proceeds)

Cisco Wireless User-Based QoS Capabilities: Allowing Per-User and Per-Device Limiting of the Maximum QoS Level
- WMM queues: Voice, Video, Best Effort, Background
- Employee (Platinum QoS): the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the WMM Voice queue.
- Contractor (Silver QoS): the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort queue.
(Diagram: Call Manager -> WLC -> Access Point, QoS-tagged packets)

Change of Authorisation (CoA): Changing Connection Policy Attributes Dynamically
Before (posture assessment and profiling), client status: Unknown
- VLAN: Posture-Assessment
- ACL: Limited Access
- QoS: Silver
- User- and device-specific attributes
After (employee policy applied by ISE through CoA), client status: Profiled, Workstation
- VLAN: Employee
- ACL: None
- QoS: Gold
- User- and device-specific attributes
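The CoA-Request behind the before/after change above, added here as a worked example (this is not Cisco or ISE code): it builds the RFC 5176 packet a policy server sends to the controller to re-evaluate a live session, signs it with the RADIUS shared secret, and performs the checks the receiving NAS must make before acting on it. The shared secret, the NAS and client identifiers and the cisco-avpair text "subscriber:command=reauthenticate" are constructed or assumed values; the signing order (Message-Authenticator computed with a zeroed Request Authenticator, then the Request Authenticator over the finished attributes) follows RFC 5176 and RFC 3579 as common RADIUS servers implement them.

```python
"""RADIUS Change-of-Authorisation (CoA-Request, RFC 5176) on the wire.

Added example, not Cisco/ISE code. Secret, addresses and the AVPair text
are constructed values for illustration.
"""
import hashlib
import hmac
import struct

COA_REQUEST = 43                    # RFC 5176 codes: 43 Request, 44 ACK, 45 NAK
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9                 # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                    # VSA sub-type carrying "key=value" text
HEADER = struct.Struct("!BBH")      # code, identifier, length; then 16-byte authenticator


def tlv(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    sub = tlv(CISCO_AVPAIR, text.encode())
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(identifier: int, secret: bytes, nas_ip: str,
                      calling_station_id: str, avpairs) -> bytes:
    attrs = tlv(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += tlv(ATTR_CALLING_STATION_ID, calling_station_id.encode())
    for text in avpairs:
        attrs += cisco_avpair(text)
    ma_off = 20 + len(attrs) + 2            # offset of the 16 HMAC bytes
    attrs += tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = bytearray(HEADER.pack(COA_REQUEST, identifier, 20 + len(attrs)) + bytes(16) + attrs)
    # Message-Authenticator (RFC 3579): HMAC-MD5 over the packet while both the
    # Request Authenticator field and the attribute value are still zero.
    pkt[ma_off:ma_off + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    # Request Authenticator (RFC 5176 s3): MD5(code|id|len|16 zeros|attrs|secret)
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)


def verify_coa_request(pkt: bytes, secret: bytes):
    """NAS-side validation; returns (ok, reason, decoded attributes)."""
    if len(pkt) < 20:
        return False, "short packet", {}
    code, _ident, length = HEADER.unpack_from(pkt)
    if code != COA_REQUEST or length != len(pkt):
        return False, "bad code or length", {}
    zeroed = bytearray(pkt)
    zeroed[4:20] = bytes(16)
    if not hmac.compare_digest(hashlib.md5(bytes(zeroed) + secret).digest(), pkt[4:20]):
        return False, "Request Authenticator mismatch (wrong secret or tampered)", {}
    decoded, ma_ok, pos = {}, False, 20
    while pos < length:
        if pos + 2 > length:
            return False, "truncated attribute", {}
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            return False, "malformed attribute length", {}
        val = pkt[pos + 2:pos + l]
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed[pos + 2:pos + 18] = bytes(16)
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            ma_ok = hmac.compare_digest(expected, val)
        elif t == ATTR_CALLING_STATION_ID:
            decoded["Calling-Station-Id"] = val.decode()
        elif (t == ATTR_VENDOR_SPECIFIC and len(val) >= 6
              and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID):
            decoded.setdefault("cisco-avpair", []).append(val[6:].decode())
        pos += l
    if not ma_ok:
        return False, "Message-Authenticator missing or invalid", {}
    return True, "ok", decoded
```

The two authenticators do different jobs: the Request Authenticator binds the packet contents to the shared secret, while the Message-Authenticator (HMAC-MD5) is what RFC 5176 requires so that a forged CoA or Disconnect is rejected; a NAS that skips either check lets anyone who can reach its CoA port (UDP 3799 in the RFC, commonly 1700 on Cisco controllers) bounce or re-profile sessions.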

Profiling with ISE

Client Attributes Used for ISE Profiling: How RADIUS, HTTP, DNS and DHCP (and Others) Are Used to Identify Clients
Information is collected from sensors which capture different attributes:
1. RADIUS: provides the MAC address, which is checked against the known vendor OUI database.
2. DHCP/HTTP sensor: the client's DHCP/HTTP attributes are captured by the AP and provided in RADIUS accounting messages.
3. HTTP User-Agent: the device is redirected using a captive portal to the ISE for web browser identification.
4. DNS server: a lookup of the DNS entry for the client's IP address reveals the hostname.
- The ISE uses multiple attributes to build a complete picture of the end client's device profile.
- The ISE can even kick off an NMAP scan of the host IP to determine more details.

ISE Device Profiling Example: iPad
- Is the MAC address from Apple?
- Does the hostname contain "iPad"?
- Is the web browser Safari on an iPad?
-> Apple iPad
Once the device is profiled, it is stored within the ISE for future associations.

ISE Device Profiling Capabilities: Over 200 Built-in Device Policies, Defined Hierarchically by Vendor
- Categories such as Smart Phones, Gaming Consoles and Workstations
1. Minimum confidence for a match
2. Multiple rules to establish the confidence level
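The profiling logic of the last three slides (sensor attributes, the iPad rule set, hierarchical policies with a minimum confidence), as an added example rather than ISE's own code: each policy sums the weights of the rules an endpoint satisfies, a child policy only matches when its whole vendor chain also matches, and the result is cached per MAC so that a later association that reveals fewer attributes does not downgrade the stored profile. The OUI table, rule weights, thresholds and sample endpoints are constructed for illustration.

```python
"""Endpoint profiling in the style of the ISE flow on the slides above.

Added example, not Cisco/ISE code. OUI table, weights, thresholds and
sample endpoints are constructed; real deployments use the IEEE registry.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed OUI table: first three octets -> vendor.
OUI_VENDOR = {"3C:07:54": "Apple", "00:1E:C2": "Apple", "00:50:56": "VMware"}


@dataclass
class Endpoint:
    mac: str
    dhcp_hostname: str = ""     # DHCP option 12, from the DHCP sensor
    http_user_agent: str = ""   # learned when the client hits the captive portal
    dns_hostname: str = ""      # reverse lookup of the client IP


@dataclass
class ProfilePolicy:
    name: str
    min_certainty: int                                   # threshold for a match
    rules: List[Tuple[int, Callable[[Endpoint], bool]]]  # (weight, predicate)
    parent: Optional["ProfilePolicy"] = None             # vendor hierarchy


def vendor(ep: Endpoint) -> str:
    return OUI_VENDOR.get(ep.mac.upper()[:8], "unknown")


def certainty(policy: ProfilePolicy, ep: Endpoint) -> int:
    """Sum the weights of every rule the endpoint satisfies."""
    return sum(weight for weight, rule in policy.rules if rule(ep))


apple_device = ProfilePolicy("Apple-Device", 10, [
    (10, lambda ep: vendor(ep) == "Apple"),
])
apple_ipad = ProfilePolicy("Apple-iPad", 30, [
    (10, lambda ep: "ipad" in ep.dhcp_hostname.lower()),
    (10, lambda ep: "ipad" in ep.dns_hostname.lower()),
    (20, lambda ep: "iPad" in ep.http_user_agent and "Safari" in ep.http_user_agent),
], parent=apple_device)
windows_workstation = ProfilePolicy("Windows-Workstation", 20, [
    (20, lambda ep: "Windows NT" in ep.http_user_agent),
])
POLICIES = [apple_device, apple_ipad, windows_workstation]


def classify(ep: Endpoint, policies=POLICIES) -> Tuple[str, int]:
    """Most specific policy whose whole ancestor chain meets its threshold."""
    best: Optional[Tuple[int, str, int]] = None   # (depth, name, certainty)
    for pol in policies:
        chain, p = [], pol
        while p is not None:
            chain.append(p)
            p = p.parent
        if not all(certainty(p, ep) >= p.min_certainty for p in chain):
            continue
        candidate = (len(chain), pol.name, certainty(pol, ep))
        if best is None or candidate[0] > best[0]:
            best = candidate
    return (best[1], best[2]) if best else ("Unknown", 0)


class ProfileStore:
    """Profiled result kept per MAC for future associations (the slide's cache)."""

    def __init__(self):
        self._by_mac: Dict[str, Tuple[str, int]] = {}

    def learn(self, ep: Endpoint) -> Tuple[str, int]:
        result = classify(ep)
        key = ep.mac.upper()
        prev = self._by_mac.get(key)
        # Only replace a stored profile with an equally or more certain one: an
        # association that shows fewer attributes must not downgrade the device.
        if prev is None or result[1] >= prev[1]:
            self._by_mac[key] = result
        return self._by_mac[key]

    def lookup(self, mac: str) -> Tuple[str, int]:
        return self._by_mac.get(mac.upper(), ("Unknown", 0))
```

The ordering matters in practice: the OUI rule alone reaches only the vendor policy, and the User-Agent (which needs the captive-portal redirect) carries the most weight, so a device that never opens a browser stays at "Apple-Device" and should be authorised accordingly.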

Defining a Security Policy Within ISE

Steps for Configuring ISE Policies
1. Authentication rules: define what identity stores to reference. Example: Active Directory, CA server or internal DB.
2. Authorisation rules: define what users and devices get access to resources. Example: all employees with Windows laptops have full access.

ISE Authentication Sources: User and/or Machine Authentication
- Client -> EAPoL -> controller -> RADIUS -> ISE -> backend database(s)
- Backend identity stores: Active Directory, generic LDAP or PKI (certificate), RSA SecurID (token), or the local DB (user/password, e.g. user1 / C#2!ç@ E()
- Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP and RSA SecurID.
- The local database on the ISE itself can also be used for small deployments.

Authentication Rules: Example for PEAP and EAP-TLS
1. Reference Active Directory for PEAP authentication
2. Create another profile to reference the certificate store (EAP-TLS)

Authorisation Rules Configuration: Flexible Conditions Connecting Both User and Device
1. Policy Authorisation - Simple
2. Conditions: specific device type groups (such as Workstations or iPods) can be utilised, and Active Directory groups can be referenced
3. The authorisation rule results in attributes to enforce policy on end devices

Authorisation Rule "Results": The Actual Permissions Referenced by the Authorisation Rules
1. Simple VLAN override by specifying the tag
2. All WLC attributes are exposed to override
- The authorisation rules provide a set of conditions to select an authorisation profile.
- The profile contains all of the connection attributes including VLAN, ACL and QoS.
- These attributes are sent to the controller for enforcement, and they can be changed at a later time using CoA (Change of Authorisation).
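The two policy steps (authentication rules choosing an identity store, authorisation rules choosing a profile) carried through to the attributes the controller enforces, plus the attribute delta a CoA has to apply when the session moves from the posture-assessment profile to the employee profile of the earlier CoA slide. This is an added example, not ISE's code: the identity stores, AD group names, device types, profile names and VLAN numbers are constructed. The RADIUS attribute names are the standard ones (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802 and Tunnel-Private-Group-ID from RFC 2868; Airespace vendor 14179 attributes Airespace-ACL-Name and Airespace-QOS-Level with Silver=0, Gold=1, Platinum=2, Bronze=3), but check them against your own ISE dictionary before relying on them.

```python
"""Authentication / authorisation rule evaluation ending in WLC attributes.

Added example, not ISE code. Stores, groups, profiles and VLANs are
constructed; RADIUS attribute names are the standard/Airespace ones.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    username: str
    eap_type: str                 # negotiated EAP method: "PEAP", "EAP-TLS", ...
    ad_groups: List[str] = field(default_factory=list)   # from the identity store
    device_type: str = "Unknown"  # profiling result, e.g. "Workstation", "Apple-iPad"
    posture: str = "Unknown"      # "Unknown", "Compliant", "NonCompliant"
    hour: int = 12                # local hour, for time-based conditions


# Step 1: authentication rules pick the identity store from the EAP type.
AUTH_RULES: List[Tuple[str, str]] = [
    ("EAP-TLS", "Certificate Authority"),
    ("PEAP", "Active Directory"),
]


def authenticate(s: Session) -> Optional[str]:
    for eap_type, store in AUTH_RULES:
        if s.eap_type == eap_type:
            return store
    return None        # no rule matched: Access-Reject


# Step 2: authorisation profiles are the attribute sets sent to the WLC.
QOS_LEVEL = {"Silver": 0, "Gold": 1, "Platinum": 2, "Bronze": 3}


def wlc_profile(vlan: int, acl: Optional[str] = None, qos: str = "Silver",
                session_timeout: Optional[int] = None) -> Dict[str, object]:
    attrs: Dict[str, object] = {
        "Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": str(vlan),
        "Airespace-QOS-Level": QOS_LEVEL[qos],
    }
    if acl:
        attrs["Airespace-ACL-Name"] = acl
    if session_timeout:
        attrs["Session-Timeout"] = session_timeout
    return attrs


PROFILES = {
    "Posture-Assessment": wlc_profile(30, acl="POSTURE_REDIRECT", session_timeout=600),
    "Employee-Full": wlc_profile(10, qos="Gold"),
    "Employee-Personal": wlc_profile(20, acl="INTERNET_ONLY"),
    "Contractor": wlc_profile(20, acl="CONTRACTOR_LIMITED", session_timeout=3600),
}


def is_employee(s: Session) -> bool:
    return "Employees" in s.ad_groups


AUTHZ_RULES: List[Tuple[str, Callable[[Session], bool], str]] = [
    ("Employee, posture not yet compliant",
     lambda s: is_employee(s) and s.device_type == "Workstation" and s.posture != "Compliant",
     "Posture-Assessment"),
    ("Employee on compliant corporate workstation",
     lambda s: is_employee(s) and s.device_type == "Workstation" and s.posture == "Compliant",
     "Employee-Full"),
    ("Employee on personal Apple device",
     lambda s: is_employee(s) and s.device_type.startswith("Apple-"),
     "Employee-Personal"),
    ("Contractor during business hours",
     lambda s: "Contractors" in s.ad_groups and 8 <= s.hour < 18,
     "Contractor"),
]


def authorize(s: Session) -> Tuple[str, Dict[str, object]]:
    """First matching rule wins; no match means the implicit default deny."""
    if authenticate(s) is None:
        return "Reject", {}
    for _name, condition, profile in AUTHZ_RULES:
        if condition(s):
            return profile, PROFILES[profile]
    return "Deny", {}


def coa_delta(before: Dict[str, object], after: Dict[str, object]) -> Dict[str, tuple]:
    """Attributes a CoA must change to move a live session between profiles."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}
```

Two details worth keeping when writing real rules: the rules are ordered and the first match wins, so the "posture not yet compliant" rule has to precede the full-access rule for the same group, and an authorisation result with no matching rule must fall through to deny rather than to a permissive default.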


BYOD Device Provisioning

ISE BYOD Release: Identity Services Engine 1.1.1
- Certificate provisioning: provision a certificate for the device, based on Employee-ID and Device-ID.
- Device onboarding: provision the native supplicant (iOS, Android, Windows and Mac OS X); use EAP-TLS or PEAP.
- Self-service model: employees get a self-service portal; lost devices are blacklisted; IT does not need to be in the middle.

Apple iOS Device Provisioning (WLC, ISE, CA server)
1. Initial connection using PEAP
2. Device Provisioning Wizard (certificate issued by the CA server), then Change of Authorisation
3. Future connections using EAP-TLS

Apple Captive Network Assistant (CNA)
- Prior to iOS 7, Apple iOS and current Mac OS X attempt to discover public Internet access using a crafted URL: http://www.apple.com/library/test/success.html
- Captive Portal Bypass feature added in WLC 7.2: config network web-auth captive-bypass enable
- Starting in iOS 7, multiple domains are tested to verify Internet access
- Solution: ISE 1.2 Patch 2; WLC 7.4.121.0 or 7.6.100.0

Android Device Provisioning (WLC, ISE, CA server)
1. Initial connection using PEAP
2. Redirection to the Android Marketplace to install the provisioning utility
3. Provisioning using the Cisco Wi-Fi Setup Assistant, then Change of Authorisation
4. Future connections using EAP-TLS

DNS-based ACLs
- For BYOD onboarding use cases, you can set pre-authentication ACLs to determine what sites devices have permission to visit
- Prior to WLC 7.6, ACLs are IP-based
- With WLC 7.6, ISE can return a URL ACL (url-redirect-acl) with DNS names, e.g. play.google.com
- The ACL is applied to the client at the AP level
- Works for APs in Local or FlexConnect mode (AP1130 / AP1240 do not support this feature)
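The pre-authentication stage described by the ACL, URL-redirection and DNS-based ACL slides, as an added example (not WLC code): ordered rules with first match wins, the implicit deny at the end, the 64-rule limit, a DNS-name ACL whose permitted addresses are learned only from snooped answers for the listed names, and the decision to forward, redirect or drop a packet from a not-yet-authenticated client. The addresses, ACL names, portal URL and DNS answers are constructed. The redirect convention modelled is the WLC one for url-redirect ACLs: permitted traffic is forwarded untouched, other HTTP is redirected to the portal, and everything else is dropped.

```python
"""Pre-authentication ACL and URL-redirect handling, WLC style.

Added example, not WLC code. Addresses, ACL names, the portal URL and the
DNS answers are constructed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_RULES_PER_ACL = 64


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    dst: str = "any"             # CIDR or "any"
    dport: Optional[int] = None  # None = any port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dst != "any" and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


class WlcAcl:
    def __init__(self, name: str, rules: List[Rule]):
        if len(rules) > MAX_RULES_PER_ACL:
            raise ValueError(f"{name}: at most {MAX_RULES_PER_ACL} rules per ACL")
        self.name, self.rules = name, list(rules)

    def evaluate(self, p: Packet) -> str:
        for rule in self.rules:            # first matching rule decides
            if rule.matches(p):
                return rule.action
        return "deny"                      # implicit deny all at the end


class DnsAcl:
    """DNS-name entries (WLC 7.6 url-redirect-acl): the AP snoops DNS replies
    for the listed names and permits the addresses they resolve to."""

    def __init__(self, names: List[str]):
        self.names = {n.lower() for n in names}
        self.learned: Dict[str, str] = {}   # ip -> name that resolved to it

    def snoop_dns_answer(self, name: str, addresses: List[str]) -> None:
        if name.lower() in self.names:      # answers for other names are ignored
            for ip in addresses:
                self.learned[ip] = name.lower()

    def permits(self, p: Packet) -> bool:
        return p.dst in self.learned


def preauth_decision(p: Packet, acl: WlcAcl, dns_acl: DnsAcl,
                     portal_url: str) -> Tuple[str, Optional[str]]:
    """What the controller does with a packet from a not-yet-authenticated client."""
    if acl.evaluate(p) == "permit" or dns_acl.permits(p):
        return "forward", None
    if p.proto == "tcp" and p.dport == 80:
        return "redirect", portal_url
    return "drop", None


def redirect_response(original_url: str, portal_url: str) -> bytes:
    """The HTTP reply the controller sends in place of the requested page."""
    location = f"{portal_url}?redirect={original_url}"
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode()
```

Note what the DNS-name ACL does and does not protect: it only opens addresses that the snooped resolver actually returned for the listed names, so a client cannot widen it by resolving an arbitrary host, but the controller is trusting whatever the DNS path returns, which is why the pre-auth ACL should still permit DNS only towards the resolvers you control.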

MyDevices Portal: Self-Registration and Self-Blacklisting of BYOD Devices
1. New devices can be added with a description
2. Users can self-manage their devices (lost / found / wipe, etc.)
3. Devices can be self-registered, up to an administrator-defined limit

Native Profiling and Policy on WLC


Build BYOD Policy: Flexible Options - Native Profiling & Policy on WLC
Policy Factors: Access Method, User Role, Device Type, Time, Authentication
Policy Enforcement: VLAN, Access List, QoS, Session Timeout

Build BYOD Policy: Flexible Options - Native Profiling & Policy on WLC
Network Components: WLC (policy) and a RADIUS server (e.g. ISE Base, ACS); wireless only
Factors: Device Type, User Role, Authentication, Time of Day
Policy Enforced: VLAN, Access List, QoS, Session Timeout

Configuring User-Role
- The RADIUS server returns the user role (e.g. role Employee, role Contractor) as an attribute of the authentication result.
- The controller matches the returned role to its local policy and applies the corresponding Employee or Contractor privilege.

Native Device Profiling on WLC
- Step 1: Cisco WLC configuration: enable DHCP and HTTP profiling on the WLC
- Step 2: Device Type: 88 pre-defined device signatures
- Step 3: Create the device profiling policy

Native Profiling Authentication and Time Policy
- Authentication: wireless client authentication EAP type (LEAP, EAP-FAST, EAP-TLS, PEAP)
- Time of day: active hours for the policy (time-based policy)

Enforce Policy on the WLC

Apply Policy per WLAN / AP Group
- Native profiling per WLAN
- Native profiling per AP group
- Restriction: the first matched rule applies
- A maximum of 16 policies can be created per WLAN / AP group, and 64 globally


Bonjour Gateway on Cisco Wireless

Bonjour Protocol
- The Bonjour protocol helps Apple devices discover services
- Uses the mDNS protocol to advertise and discover services
- Link local: does not cross subnets

Bonjour Challenges across VLANs: Bonjour is Link-Local Multicast and Can't Be Routed
(Diagram: an Apple TV on VLAN X advertises to 224.0.0.251; a client on VLAN Y behind the CAPWAP tunnel never sees it)
- Bonjour is link-local multicast and thus forwarded only within the local L2 domain
- mDNS operates on UDP port 5353 and is sent to the reserved group addresses: IPv4 224.0.0.251, IPv6 FF02::FB

Bonjour mDNS Gateway on Cisco WLC
Step 1: Listen for Bonjour services
(Diagram: an Apple TV on VLAN 20 sends an AirPlay Bonjour advertisement and a printer on VLAN 23 offers AirPrint; the iPad sits on VLAN 99 across the CAPWAP tunnel)

Bonjour mDNS Gateway on Cisco WLC
Step 2: Bonjour services cached on the controller
Bonjour cache: AirPlay - VLAN 20; AirPrint - VLAN 23

Bonjour mDNS Gateway on Cisco WLC
Step 3: Listen for client service queries
(Diagram: the iPad on VLAN 99 sends a Bonjour query through the CAPWAP tunnel; cache: AirPlay - VLAN 20, AirPrint - VLAN 23)

Bonjour mDNS Gateway on Cisco WLC
Step 4: Respond to client queries (unicast) for Bonjour services
(Diagram: the controller answers the iPad's query from its cache with a unicast Bonjour response)

Bonjour Traffic Optimisation
- 80% less Bonjour traffic (for a 4 access point deployment)
- 6400 cache entries per controller
- Reasons for the traffic optimisation: Bonjour service advertisements are cached on the controller and not forwarded; Bonjour client queries get a unicast response and are not forwarded

Filter Services by User Group
- Services directory on the controller
- Contractor service policy (guest network) versus Employee service policy (employee network), e.g. which FileShare services each group is allowed to see

Common Bonjour Services
AirPlay services (4):
- AirPlay for iOS (_airplay._tcp)
- AirPlay for Mac OS X (_appletv-v2._tcp)
- Audio for AirPlay (_raop._tcp)
- Remote (_touch-able._tcp)
AirPrint services (5):
- Internet Printing Protocol (_ipp._tcp)
- Printer Spool (_printer._tcp)
- Printer PDL DataStream (_pdl-datastream._tcp)
- HTTP (_http._tcp)
- Scanner (_scanner._tcp)
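The gateway steps 1 to 4 and the per-group service filtering, as an added example that is not WLC code: it encodes and decodes the DNS wire format used on UDP 5353 just far enough to handle PTR service-discovery queries and answers, keeps a controller-side cache of advertised services keyed by service type and VLAN, and answers queries with a unicast response filtered by the client's service policy. Service instance names, VLAN numbers and the role policies are constructed; the service type names are the ones from the list above with the ".local" domain appended.

```python
"""mDNS (Bonjour) gateway model: cache, unicast answers, per-group filtering.

Added example, not WLC code. Instance names, VLANs and policies are
constructed values.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # IPv4 group and port from the slides
TYPE_PTR, CLASS_IN = 12, 1
QU_BIT = 0x8000                  # "unicast response requested" flag in the question class
HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode()
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    labels: List[str] = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            tail, _ = decode_name(buf, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_query(service: str, unicast: bool = True) -> bytes:
    qclass = CLASS_IN | (QU_BIT if unicast else 0)
    return HDR.pack(0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", TYPE_PTR, qclass)


def parse_query(pkt: bytes) -> Tuple[str, int, bool]:
    _, flags, qdcount, *_ = HDR.unpack_from(pkt, 0)
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not an mDNS query")
    qname, off = decode_name(pkt, HDR.size)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    return qname, qtype, bool(qclass & QU_BIT)


def build_response(service: str, instances: List[str], ttl: int = 4500) -> bytes:
    body = b""
    for inst in instances:
        rdata = encode_name(f"{inst}.{service}")
        # PTR records used for service enumeration are shared records, so the
        # cache-flush bit is deliberately not set on the class.
        body += encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata)) + rdata
    return HDR.pack(0, 0x8400, 0, len(instances), 0, 0) + body   # flags: QR | AA


def parse_response(pkt: bytes) -> List[Tuple[str, str]]:
    _, _, _, ancount, *_ = HDR.unpack_from(pkt, 0)
    off, answers = HDR.size, []
    for _ in range(ancount):
        name, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        target, _ = decode_name(pkt, off)
        off += rdlen
        if rtype == TYPE_PTR:
            answers.append((name, target))
    return answers


class BonjourGateway:
    def __init__(self, policies: Dict[str, Set[str]]):
        self.policies = policies                       # role -> allowed service types
        self.cache: Dict[str, Dict[str, int]] = {}     # service -> {instance: vlan}

    def learn(self, service: str, instance: str, vlan: int) -> None:
        """Steps 1-2: listen for advertisements and cache them on the controller."""
        self.cache.setdefault(service, {})[instance] = vlan

    def answer(self, query_pkt: bytes, client_role: str) -> Optional[bytes]:
        """Steps 3-4: answer a client's PTR query (unicast), filtered by its role."""
        service, qtype, _wants_unicast = parse_query(query_pkt)
        if qtype != TYPE_PTR:
            return None
        if service not in self.policies.get(client_role, set()):
            return None                                # service hidden from this group
        instances = sorted(self.cache.get(service, {}))
        return build_response(service, instances) if instances else None
```

Because the controller, not the multicast group, answers the query, the role check happens before any advertisement reaches the client: a contractor asking for _airplay._tcp.local simply gets no answer, which is the behaviour the "Filter Services by User Group" slide describes.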

mDNS AP for a Non-Layer-2-Adjacent Service
- With an mDNS AP, Bonjour services can be seen from any VLAN
(Diagram: the Apple TV on VLAN X advertises to 224.0.0.251; the mDNS AP listens on VLAN X and carries the advertisement over its CAPWAP tunnel to the controller, so clients on VLAN Y can discover the Apple services)

Summary of Bonjour Enabled Devices (for your reference)
- Bonjour-enabled devices advertising a service are shown as a domain name (mDNS enabled)

Location Specific Service (LSS) for Bonjour
- With LSS, Bonjour services can be location specific
- Localisation can be made specific to any service
(Diagram: mDNS AP, CAPWAP tunnel, VLAN Y, Apple services)

Summary: Managing the BYOD Evolution
- Personal Devices on the Network
- Network Components
- Identification and Security Policy Enforcement: Wireless, Wired, Remote Access
- Securely On-Board the Device: ISE, Prime, 3rd Party MDM
- Simplified Bonjour Operations
