TT ISE Profiling - Cisco Community

Transcription

Voice of the Engineer Deep Dive Series: Profiling

Voice of the Engineer
- Solutions approach to partner training
- Partner Enablement through a series of WebEx Training Sessions
- Basics are introductory sessions open to AM, SE, FE
- Deep Dives are Field Engineer focused: deployment information from the Experts for the Experts
- Recordings and Slides will be archived on the Partner Community (Voice of the Engineer – Deep Dives): https://communities.cisco.com/docs/DOC-30977
Voice of the Engineer : Deep Dive – TrustSec & ISE. 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

Deep Dive Schedule (https://communities.cisco.com/docs/DOC-30977)
Identity Services Engine (ISE):
- TrustSec & ISE Overview – 9/25/12
- AAA, 802.1X, MAB – 10/9/12
- ISE Profiling – 10/23/12
- Web Auth, Guest & Device Registration – 11/6/12
- Bring Your Own Device & EAP Chaining – 11/20/12
- Posture & Security Group Access – 12/4/12
- Troubleshooting & Best Practices (submit requests in the survey: …24beb86ff59ebab996589.aspx)
AnyConnect – Tentative Schedule:
- AnyConnect VPN – 11/13/12
- AnyConnect NAM – 12/11/12
- AnyConnect Mobile – 1/8/13
- Advanced AnyConnect Configuration – 1/29/13
Content Security – In Planning

Series agenda:
- TrustSec & ISE Overview
- AAA, 802.1X, MAB
- Profiling (this session)
- Web Authentication, Guest & Device Registration
- Bring Your Own Device & EAP-Chaining
- Posture & SGA
- Troubleshooting & Best Practices


Session agenda:
- Why Profiling?
- Profiling Policies
- Probe Overview
- Enhanced Profiling Features
- Best Practices: Profiling in a Real Network
- Monitoring and Reporting

What is all this stuff on my network?!!!

Things are spinning out of control!

What ISE Profiling is:
- Dynamic classification of every device that connects to the network, using the infrastructure.
- Provides the context of "What" is connected (PCs, non-PCs, UPS, phone, printer, AP), independent of user identity, for use in access policy decisions.
What Profiling is NOT:
- An authentication mechanism.
- An exact science for device classification.

Differentiated Access Based on Device Type
(figure: Kathy's corp laptop gets full access to the Marketing VLAN; Kathy's personal tablet/smartphone on the same WLAN gets limited access, Internet only, via a named ACL; both decisions are made by ISE)
- How can I restrict access to my network?
- Can I manage the risk of using personal PCs, tablets, smart devices?

Dynamic Population of MAB Database Based on Device Type
(figure: printers placed in the Printer VLAN, cameras in the Video VLAN, and the Management LAN reached through a dACL permitting management traffic only, all assigned by ISE)
- How do I discover non-user devices?
- Can I determine what they are?
- Can I control their access?
- Are they being spoofed?

(figure: network-connected devices, ID group assignment, dynamic VLANs, SNMP)


Profile Policies Use a Combination of Conditions to Identify Devices
(figure: Profile Library)
- Is the MAC Address from Apple?
- DHCP:host-name CONTAINS iPad
- IP:User-Agent CONTAINS iPad
→ "I am fairly certain this device is an iPad" → Assign this MAC Address to ID Group "iPad"

Profiling Policies: from probe to authorization
1. Probes collect endpoint attributes: ISE probes collect attributes from endpoints that connect to the network.
2. Conditions: a single attribute is matched against a condition.
3. Policy rules (CF / Exception / Scan): one or more conditions are combined to form a rule in a profiling policy. Each matched rule may be assigned a weight, or Certainty Factor (CF), or may trigger an action. Endpoints are assigned the profile with the highest CF match.
4. Profile change / Exception action: exception actions can be assigned to a profile policy based on matching rules. Exception actions statically assign endpoints to endpoint ID groups; any further profile changes will not result in an ID group change for these static entries.
5. Endpoint identity groups: endpoints can be mapped to an endpoint ID group if their profile, or parent profile, is set to an ID group.
6. Endpoint identity group change → Authorization policy: endpoint ID groups can be used as a condition in the authorization policy, so endpoints receive access policy based on ID group membership.
7. Change of Authorization: unless statically assigned to a group, endpoints may pass in and out of a group based on profiling policies. CoA can be used to effect new policy based on profile changes.
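The iPad example and the policy flow above can be followed end to end in a small model. This is an added example, not ISE code: the attribute names, the policies, the certainty-factor weights, the OUI table and the endpoint records are all constructed for the demo, and the parent/child and exception semantics are a simplification of what ISE actually implements.

```python
"""Toy model of ISE-style profiling: probe attributes -> conditions -> rules
with certainty factors (CF) -> profile / endpoint ID group -> CoA decision.
Added example, not ISE code: attribute names, policies, CF weights, OUI table
and endpoint records are constructed; parent/child and exception semantics
are a simplification of ISE's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OUI_VENDOR = {"00:1C:B3": "Apple", "00:21:95": "Draeger"}  # constructed OUI table

@dataclass
class Condition:
    attribute: str
    operator: str      # equals | contains | startswith
    value: str

    def matches(self, attrs: Dict[str, str]) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:
            return False
        a, v = actual.lower(), self.value.lower()
        return {"equals": a == v, "contains": v in a,
                "startswith": a.startswith(v)}[self.operator]

@dataclass
class Rule:
    conditions: List[Condition]            # all must match (AND)
    certainty: int = 0                     # CF added when the rule matches
    exception_group: Optional[str] = None  # exception action: static ID group

@dataclass
class Policy:
    name: str
    min_certainty: int
    rules: List[Rule]
    parent: Optional[str] = None
    id_group: Optional[str] = None         # "create matching identity group"

def evaluate(policy: Policy, attrs: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Sum the CF of matching rules; report a static group if an exception fired."""
    score, static = 0, None
    for rule in policy.rules:
        if all(c.matches(attrs) for c in rule.conditions):
            score += rule.certainty
            static = static or rule.exception_group
    return score, static

def profile_endpoint(policies: Dict[str, Policy], endpoint: Dict[str, str]):
    """Return (profile, id_group): an exception action wins outright, otherwise
    the deepest qualifying policy with the highest CF (a child only qualifies
    if its parent does)."""
    attrs = dict(endpoint)
    attrs["OUI"] = OUI_VENDOR.get(attrs.get("MACAddress", "")[:8].upper(), "Unknown")
    results = {name: evaluate(p, attrs) for name, p in policies.items()}

    def qualifies(name):
        p = policies[name]
        return results[name][0] >= p.min_certainty and (p.parent is None or qualifies(p.parent))

    def depth(name):
        return 0 if policies[name].parent is None else 1 + depth(policies[name].parent)

    for name, (_, static) in results.items():
        if static and qualifies(name):
            return name, static   # static entry: later profile changes leave the group alone
    matched = [n for n in policies if qualifies(n)]
    if not matched:
        return None, None
    best = max(matched, key=lambda n: (depth(n), results[n][0]))
    src = best                    # ID group from the policy or its nearest ancestor
    while src and policies[src].id_group is None:
        src = policies[src].parent
    return best, (policies[src].id_group if src else None)

def coa_needed(old_group, new_group) -> bool:
    """1.1.1 behaviour from the slides: CoA when the ID group used by authorization changes."""
    return old_group != new_group

POLICIES = {p.name: p for p in [
    Policy("Apple-Device", 10, [Rule([Condition("OUI", "equals", "Apple")], 10)],
           id_group="Apple-Device"),
    Policy("Apple-iPad", 20, [Rule([Condition("dhcp-host-name", "contains", "ipad")], 20),
                              Rule([Condition("User-Agent", "contains", "ipad")], 20)],
           parent="Apple-Device", id_group="iPad"),
    Policy("Draeger-M300", 10, [Rule([Condition("OUI", "equals", "Draeger"),
                                      Condition("dhcp-class-identifier", "contains", "M300")],
                                     10, exception_group="Draeger-M300")]),
]}

# Constructed endpoint records, as the probes would have collected them.
IPAD = {"MACAddress": "00:1c:b3:aa:bb:cc", "dhcp-host-name": "Kathys-iPad",
        "User-Agent": "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X)"}
APPLE_ONLY = {"MACAddress": "00:1c:b3:11:22:33"}  # RADIUS probe only, no DHCP/HTTP yet
MONITOR = {"MACAddress": "00:21:95:44:55:66", "dhcp-class-identifier": "Draeger M300"}
```

Running `profile_endpoint(POLICIES, ep)` over the three records shows the behaviour the slides describe: the endpoint seen only by the RADIUS probe lands in the generic Apple-Device group, the same vendor with a DHCP host-name and User-Agent moves to the iPad group (a group change, so `coa_needed` is true), and the monitor is pinned to its group by the exception action regardless of later attribute changes.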

Attribute sources (partial listing, for your reference): RADIUS, SNMP, MAC, DHCP, NMAP, NetFlow, LLDP, IP, CDP

Sample Device Attributes (for your reference; screenshot)

Any Combination of These Conditions Could Be Used in Your Policies
- Conditions are defined by a single matching attribute.
- Policy > Policy Elements > Conditions > Profiling

Parent Policy (profiling policy screenshot): select the "create matching Identity group" option to create an identity group for the policy.

Identity groups can be directly used as a policy condition.

Identity Groups are Defined as Conditions in Authorization Rules
- Conditions: Android, iPhone, iPad or BlackBerry devices
- Result: enforce an ACL to permit only HTTP to the Internet

Change of Authorization (CoA): Allows ISE to Actively Enforce Policy Over Connected Endpoints
Sample switch configuration (the client address is the ISE PSN that will send CoA requests):
  aaa server radius dynamic-author
   client 10.100.7.20 server-key xxxxxxx
(WLC: WLANs > Edit; screenshot edited to fit)
CoA is triggered dynamically for the following profile transitions:
- Endpoint is profiled for the 1st time.
- Endpoint is statically assigned a new policy.
- Endpoint is deleted from the ISE DB.

Profile Transitions
- Default Exception Actions: Policy > Policy Elements > Results > Profiling > Exception Actions. Predefined exceptions are not configurable and cannot be assigned to a profile.
- The type of CoA sent for these events is configured under global settings: Administration > System > Settings > Profiling.
- The administrator may define additional exception actions for use in profiler policy, to trigger CoA and static profiler policy assignment.
- NEW in 1.1.1: CoA is sent on any profile transition that results in a change to endpoint access per the authorization policy (based on a change of ID group, where that ID group is used in the authorization policy).

Draeger-M300 Heart Monitor – Default Profile (example of a default profile)

Create New Profiler Exception: go to Policy > Policy Elements > Results > Profiling > Exception Actions and add a new exception. In this example, the action statically assigns the endpoint to policy "Draeger-M300", but NO CoA will be sent. Because the assignment is static, later profile changes will not move the endpoint out of this group.

Define Rule Conditions to Trigger Exception: add condition(s) to trigger the exception action. In this example, the conditions that trigger the exception are identical to those used to match the profile.

Set Exception Action: set the action for the new rule to "Take Exception Action", and set the exception action to the new exception, i.e. Draeger-M300.

For Your Reference: 300 (and growing) pre-built policies for device classification

General Profile Design Planning
1. Identify endpoints requiring device classification (authorization based on profile attributes).
2. Determine required attributes.
   - Most popular endpoints have pre-built profiles. Determine requirements by reviewing default ISE profiles (Profile X contains conditions A, B, and C). Which data/probes are used to collect that data?
   - Can often determine profiling requirements for similar endpoint types by reviewing existing profiles.
   - If no existing profile, then temporarily enable probes, collect attributes, and see what the device offers.
   - Some devices may require traffic analysis to determine unique attributes for OUI, DHCP options, User Agent, TCP/UDP ports, or DNS naming.
3. Determine the best option from the available methods to collect the required profile data.
   - Access device configuration: profile timing is impacted by MAB/802.1X order and deployment mode (auth open vs closed).
   - Do access policies allow collection of the attributes needed to match policy conditions?
   - Exception policies may be required to override dynamic ID group assignments.

Which Data Should I Collect to Match a Specific Profile Policy?

Profile Conditions Reveal Specific Probes and Attributes

Profiling Policy / Requirements Example (for your reference)

Cisco IP Phone
  Unique attributes: OUI; CDP
  Probes used: RADIUS; SNMP Query
  Collection method: RADIUS Authentication; triggered by RADIUS Start

IP Camera
  Unique attributes: OUI; CDP
  Probes used: RADIUS; SNMP Query
  Collection method: RADIUS Authentication; triggered by RADIUS Start

Printer
  Unique attributes: OUI; DHCP Class Identifier
  Probes used: RADIUS; DHCP
  Collection method: RADIUS Authentication; IP Helper from local L3 switch SVI

POS Station (static IP)
  Unique attributes: MAC Address; ARP Cache for MAC to IP mapping; DNS name
  Probes used: RADIUS (MAC Address discovery); SNMP Query; DNS
  Collection method: RADIUS Authentication; triggered by RADIUS Start; triggered by IP Discovery

Apple iPad/iPhone
  Unique attributes: OUI; Browser User Agent; DHCP Class Identifier, MAC to IP mapping
  Probes used: RADIUS; HTTP; DHCP
  Collection method: RADIUS Authentication; Authorization Policy posture redirect to central Policy Service node cluster; IP Helper from local L3 switch SVI

Device X
  Unique attributes: MAC Address; Requested IP Address for MAC to IP mapping; optionally ARP Cache for MAC to IP mapping; Port # traffic to Destination IP
  Probes used: RADIUS (MAC Address discovery); DHCP; SNMP Query; NetFlow
  Collection method: RADIUS Authentication; RSPAN of DHCP Server ports to local Policy Service node; triggered by RADIUS Start; NetFlow export from Distribution 6500 switch to central Policy Service node


ISE Probes
The ISE Profiler can use various probes to identify devices; it may not be easy to choose which ones to use: RADIUS, HTTP, DHCP, DHCP SPAN, SNMP Query, SNMP Trap, DNS, NMAP, NetFlow.

(diagram: ISE Probes)

RADIUS Probe: RADIUS Packets Received from Network Access Devices
(figure: common RADIUS attributes; the attribute list is only partly captured in the transcription, …ion-Time, Acct-Terminate-Cause, with callouts marking the endpoint IP address and the endpoint MAC address)
- Endpoint MAC address: dependent on NAD config, but usually sent. The MAC address OUI is used for NIC vendor classification.
- RADIUS Accounting provides the MAC:IP binding that supports the other probes which rely on an IP address (DNS, NetFlow, NMAP, and HTTP).
Sample access switch configuration:
  ! Enable RADIUS Auth and Accounting for ISE PSNs enabled for session and profiling services
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa accounting dot1x default start-stop group radius
  ip radius source-interface xxx
  ! Include options to send various attributes via RADIUS
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server host @PSN auth-port 1812 acct-port 1813 key xxx
  radius-server vsa send accounting
  radius-server vsa send authentication
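The MAC:IP binding that the slide says accounting provides is worth seeing concretely, because the Calling-Station-Id arrives in whatever format the NAD uses and the Framed-IP-Address is often absent from the Start record. The following is an added example, not ISE code: the accounting records are constructed key=value lines standing in for decoded RADIUS packets, and the table logic is an illustration of what a probe has to do, not ISE's implementation.

```python
"""Derive the MAC:IP binding from RADIUS accounting, the way the RADIUS probe
feeds the DNS, NetFlow, NMAP and HTTP probes.
Added example, not ISE code. The records are constructed key=value lines (a
real probe decodes RADIUS packets); the MAC formats mirror the different
Calling-Station-Id styles NADs send."""
import re
from typing import Dict, Optional


def normalize_mac(raw: str) -> Optional[str]:
    """Accept 00-1C-B3-AA-BB-CC, 001c.b3aa.bbcc or 00:1c:b3:aa:bb:cc and return
    the canonical upper-case colon form, or None if the value is not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2].upper() for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets: the NIC vendor prefix used for vendor classification."""
    return mac[:8]


def parse_record(line: str) -> Dict[str, str]:
    """Constructed 'Attr=Value Attr=Value' accounting record."""
    return dict(kv.split("=", 1) for kv in line.split())


class SessionTable:
    """MAC:IP bindings maintained from Acct-Status-Type transitions."""

    def __init__(self):
        self.ip_by_mac: Dict[str, str] = {}
        self.mac_by_ip: Dict[str, str] = {}

    def apply(self, rec: Dict[str, str]) -> Optional[str]:
        mac = normalize_mac(rec.get("Calling-Station-Id", ""))
        if mac is None:
            return None              # not a MAC (some NADs put a username here)
        if rec.get("Acct-Status-Type") == "Stop":
            ip = self.ip_by_mac.pop(mac, None)   # session ended: drop the binding
            if ip:
                self.mac_by_ip.pop(ip, None)
            return mac
        ip = rec.get("Framed-IP-Address")
        if ip:   # Start often lacks it; Interim-Update carries it once the lease exists
            old = self.ip_by_mac.get(mac)
            if old and old != ip:
                self.mac_by_ip.pop(old, None)
            self.ip_by_mac[mac] = ip
            self.mac_by_ip[ip] = mac
        return mac

    def mac_for_ip(self, ip: str) -> Optional[str]:
        """What an IP-keyed probe (DNS, NetFlow, NMAP, HTTP) asks for."""
        return self.mac_by_ip.get(ip)


RECORDS = [  # constructed accounting records
    "Acct-Status-Type=Start Calling-Station-Id=001c.b3aa.bbcc Acct-Session-Id=0001",
    "Acct-Status-Type=Interim-Update Calling-Station-Id=001c.b3aa.bbcc "
    "Framed-IP-Address=10.1.2.50 Acct-Session-Id=0001",
    "Acct-Status-Type=Start Calling-Station-Id=00-21-95-44-55-66 "
    "Framed-IP-Address=10.1.2.51 Acct-Session-Id=0002",
    "Acct-Status-Type=Stop Calling-Station-Id=00-21-95-44-55-66 "
    "Framed-IP-Address=10.1.2.51 Acct-Terminate-Cause=User-Request Acct-Session-Id=0002",
]


def build_table(records) -> SessionTable:
    table = SessionTable()
    for line in records:
        table.apply(parse_record(line))
    return table
```

After `build_table(RECORDS)` the first endpoint resolves from 10.1.2.50 only once the Interim-Update has arrived, and the second endpoint's binding is gone after its Stop; this is why a NAD that is not configured for accounting (or sends no interim updates) leaves the IP-based probes blind even though authentication works.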

Sample Profiling Topology (diagram)

SNMP Trap Probe: SNMP Traps Received from Network Access Devices
- The SNMP Trap probe is intended for use with the SNMP Query probe, to trigger queries against the access device.
- Supports Link Down/Up, MAC Notification, and Informs. (ISE does not currently process WLC traps.)
- The NAD config in ISE must be set to accept traps.
Sample access switch configuration for SNMP Link and MAC Notification traps:
  snmp-server trap-source <Management Interface>
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host @PSN version 2c ciscoro
  mac address-table notification change
  mac address-table notification mac-move
  interface <Endpoint Interface>
   snmp trap mac-notification added
   snmp trap mac-notification removed
(ciscoro is a sample community string; replace it with your own, matching the SNMP settings of the NAD entry in ISE.)

Sample Profiling Topology (diagram)

SNMP Query Probe: SNMP Polling of Configured Network Access Devices
- System Query: periodic, per the polling interval set in the NAD config. Reads the following MIBs: System, cdpCacheEntry, lldpLocalSystemData, lldpRemoteSystemsData, cLApEntry (WLC only), and cldcClientEntry (WLC only). Polling is distributed amongst all PSNs with the SNMP Query probe enabled. ARP info is collected during the query to build the IP ARP Cache table in ISE.
- Interface Query: triggered by an SNMP Trap or a RADIUS Accounting Start for a specific interface; the interface query is sent 30 sec after the trigger. Reads the following MIBs: interface data (ifIndex, ifDesc, etc.), CDP (if Cisco) and LLDP data, and session data for interface type Ethernet (port, VLAN, dot1X data).
- In the ISE NAD config, select the optimal PSN to perform polling; only PSNs enabled for the SNMP Query probe will display in the list.
Sample access device configuration:
  snmp-server community ciscoro RO
  snmp-server community ciscorw RW
(The SNMP Query probe only reads these MIBs, so the RO community is all it needs; omit the RW community or restrict it with an ACL, and use your own strings rather than the samples.)

Sample Profiling Topology (diagram)

CDP / LLDP Data Collection
- MIB data collected: CDP, LLDP. Broad Cisco/3rd-party device support.
Sample access switch configuration:
  CDP:
    cdp run
    interface <Interface>
     cdp enable
  LLDP:
    lldp run
    interface <Interface>
     lldp receive
Note: Wireless LAN Controllers do not support CDP/LLDP for wireless clients, only CDP on the wired connection, so the CDP info is not specific to the connected wireless endpoints and cannot be used for wireless profiling.

DHCP Probes: Collect DHCP Request Attributes from User/Proxy/Helper
- DHCP Probe: used when a PSN interface is the destination for DHCP relay traffic. DHCP Proxy is also supported, but the NAD typically cannot send to more than one target at the same time, only after failure or timeout of the primary.
- DHCP SPAN Probe: captures DHCP packets from a mirrored port, such as SPAN/RSPAN/ERSPAN or a network tap.
  - Recommend a dedicated ISE interface.
  - Be sure to enable the ISE interface from the CLI and make any needed physical connections to the SPAN port / tap.
Sample L3 gateway device configuration (the gateway is the access device if the SVI for the client VLAN is present there):
  interface X   (routed port or VLAN interface)
   ip helper-address @REAL DHCP SERVER
   ip helper-address @PSN Probe Interface

Sample Profiling Topology (diagram)

Real Customer Example: Profiling Based on a Custom DHCP Attribute
- One customer decided to modify the DHCP Class Identifier on their Domain Computers. This provided a unique way to profile the device as a Corporate Asset.
- The condition value must be expressed in hex.
- A DHCP class identifier is set by the client, and anyone can set it with the same ipconfig command, so it classifies a device as a corporate asset; it does not authenticate it (profiling is not an authentication mechanism).
Manual configuration example:
  C:\> ipconfig /setclassid "Local Area Connection" CorpXYZ
  Windows XP IP Configuration
  DHCP ClassId successfully modified for adapter "Local Area Connection"
  (reference: …ary/cc783756(WS.10).aspx)
GPO script configuration example:
1. Create a GPO which has the necessary IPCONFIG command in a startup script.
2. Create a Domain Local group called something like 'Laptop Computer Accounts' and add all the laptop computer accounts.
3. Modify the GPO by removing 'Authenticated Users' from the permissions list.
4. Add the 'Laptop Computer Accounts' group to the permissions list and assign 'Read' and 'Apply Group Policy' permissions.
5. Link the GPO to the domain root (or the highest level OU which will encompass all computer accounts).
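To see what the DHCP probes actually extract and what "expressed in hex" means for the CorpXYZ condition, here is an added example that parses the option field of a DHCP request. It is not ISE or Cisco code: the option blobs are constructed, and the colon-separated hex layout used for the condition value is an assumption; confirm it against the dhcp-class-identifier value ISE displays for a real endpoint before writing the condition.

```python
"""Extract the DHCP attributes the DHCP probes use (host-name, class
identifier, requested address) from a DHCP options field, and express a
custom class identifier as a hex condition value.
Added example, not ISE or Cisco code. The option blobs are constructed and the
colon-separated hex layout is an assumption to verify against what ISE shows
for dhcp-class-identifier on a real endpoint."""
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOST_NAME, REQUESTED_ADDRESS, MESSAGE_TYPE, CLASS_IDENTIFIER = 12, 50, 53, 60


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the code/length/value options after the magic cookie (RFC 2132)."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_options(fields: List[Tuple[int, bytes]]) -> bytes:
    """Constructed options field for the demo."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in fields:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


def hex_condition(value: bytes) -> str:
    """Colon-separated hex, e.g. b'CorpXYZ' -> '43:6f:72:70:58:59:5a' (assumed layout)."""
    return ":".join(f"{b:02x}" for b in value)


def probe_attributes(blob: bytes) -> Dict[str, str]:
    """Attributes the DHCP probe would attach to the endpoint."""
    opts, attrs = parse_options(blob), {}
    if HOST_NAME in opts:
        attrs["dhcp-host-name"] = opts[HOST_NAME].decode("ascii", "replace")
    if CLASS_IDENTIFIER in opts:
        attrs["dhcp-class-identifier"] = opts[CLASS_IDENTIFIER].decode("ascii", "replace")
        attrs["dhcp-class-identifier-hex"] = hex_condition(opts[CLASS_IDENTIFIER])
    if REQUESTED_ADDRESS in opts and len(opts[REQUESTED_ADDRESS]) == 4:
        attrs["dhcp-requested-address"] = ".".join(str(b) for b in opts[REQUESTED_ADDRESS])
    return attrs


def is_corp_asset(attrs: Dict[str, str], class_id: str = "CorpXYZ") -> bool:
    """Exact byte match: case or whitespace drift in the client setting fails."""
    return attrs.get("dhcp-class-identifier-hex") == hex_condition(class_id.encode())


# Constructed DHCP Request option fields: a domain laptop with the custom
# class ID, and a stock Windows host with the default one.
CORP_REQUEST = build_options([(MESSAGE_TYPE, b"\x03"), (HOST_NAME, b"LAPTOP-7"),
                              (CLASS_IDENTIFIER, b"CorpXYZ"),
                              (REQUESTED_ADDRESS, bytes([10, 1, 2, 3]))])
STOCK_REQUEST = build_options([(MESSAGE_TYPE, b"\x03"), (HOST_NAME, b"DESKTOP-1"),
                               (CLASS_IDENTIFIER, b"MSFT 5.0")])
```

`probe_attributes(CORP_REQUEST)` yields the host-name, the class identifier both as text and as the hex string the condition would carry, and the requested address that the DNS probe later uses for its reverse lookup; the stock host fails `is_corp_asset`, and so would a client whose GPO set the ID with different capitalisation, which is the practical check to make when a "corporate" laptop unexpectedly profiles as generic.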

DNS Probe: Collect FQDN of Endpoint via Reverse Name Server Lookup
- If the DNS probe is enabled, upon learning the IP address of an endpoint, a reverse DNS lookup is performed by the PSN against its locally configured name server to retrieve the endpoint FQDN.
- The DNS probe requires an IP address for the reverse lookup, obtained from one of the following sources:
  - RADIUS Probe: "Framed-IP-Address"
  - SNMP Probe: "cdpCacheAddress"
  - DHCP Probes: "dhcp-requested-address"
- The DNS probe requires DNS reverse (PTR) records! DHCP clients will require DDNS to be configured and enabled on the servers.
Sample ISE PSN configuration (CLI):

Sample Profiling Topology (diagram)