Cisco ISE for BYOD and Secure Unified Access

• Copyright 2013
• Dimensions: 7-3/8" x 9-1/8"
• Pages: 752
• Edition: 1st

• Book
• ISBN-10: 1-58714-325-9
• ISBN-13: 978-1-58714-325-0

Plan and deploy identity-based secure access for BYOD and borderless networks

Using Cisco Secure Unified Access Architecture and Cisco Identity Services Engine, you can secure and regain control of borderless networks in a Bring Your Own Device (BYOD) world. This book covers the complete lifecycle of protecting a modern borderless network using these advanced solutions, from planning an architecture through deployment, management, and troubleshooting.

Cisco ISE for BYOD and Secure Unified Access begins by reviewing the business case for an identity solution. Next, you’ll walk through identifying users, devices, and security posture; gain a deep understanding of Cisco’s Secure Unified Access solution; and master powerful techniques for securing borderless networks, from device isolation to protocol-independent network segmentation.

You’ll find in-depth coverage of all relevant technologies and techniques, including 802.1X, profiling, device onboarding, guest lifecycle management, network admission control, RADIUS, and Security Group Access.

Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors present detailed sample configurations to help you plan your own integrated identity solution. Whether you’re a technical professional or an IT manager, this guide will help you provide reliable secure access for BYOD, CYOD (Choose Your Own Device), or any IT model you choose.

• Review the new security challenges associated with borderless networks, ubiquitous mobility, and consumerized IT
• Understand the building blocks of an Identity Services Engine (ISE) solution
• Design an ISE-Enabled network, plan/distribute ISE functions, and prepare for rollout
• Build context-aware security policies
• Configure device profiling, endpoint posture assessments, and guest services
• Implement secure guest lifecycle management, from WebAuth to sponsored guest access
• Configure ISE, network access devices, and supplicants, step-by-step
• Walk through a phased deployment that ensures zero downtime
• Apply best practices to avoid the pitfalls of BYOD secure access
• Simplify administration with self-service onboarding and registration
• Deploy Security Group Access, Cisco’s tagging enforcement solution
• Add Layer 2 encryption to secure traffic flows
• Use Network Edge Access Topology to extend secure access beyond the wiring closet
• Monitor, maintain, and troubleshoot ISE and your entire Secure Unified Access system

Online Sample Chapter

Authentication and Authorization Policies: Using Cisco Identity Services Engine in a BYOD World

Sample Pages

Download the sample pages (includes Chapter 13 and Index)

Table of Contents

Introduction xxvi

Section I The Evolution of Identity Enabled Networks

Chapter 1 Regain Control of Your IT Security 1

    Security: A Weakest-Link Problem with Ever More Links 2

    Cisco Identity Services Engine 3

        Sources for Providing Identity and Context Awareness 4

        Unleash the Power of Centralized Policy 5

    Summary 6

Chapter 2 Introducing Cisco Identity Services Engine 7

    Systems Approach to Centralized Network Security Policy 7

    What Is the Cisco Identity Services Engine? 9

    ISE Authorization Rules 12

    Summary 13

Section II The Blueprint, Designing an ISE Enabled Network

Chapter 3 The Building Blocks in an Identity Services Engine Design 15

    ISE Solution Components Explained 15

        Infrastructure Components 16

        Policy Components 20

        Endpoint Components 20

    ISE Personas 21

    ISE Licensing, Requirements, and Performance 22

        ISE Licensing 23

        ISE Requirements 23

        ISE Performance 25

    ISE Policy-Based Structure Explained 27

    Summary 28

Chapter 4 Making Sense of All the ISE Deployment Design Options 29

    Centralized Versus Distributed Deployment 29

        Centralized Deployment 30

        Distributed Deployment 32

    Summary 35

Chapter 5 Following a Phased Deployment 37

    Why Use a Phased Deployment Approach? 37

    Monitor Mode 38

    Choosing Your End-State Mode 40

        End-State Choice 1: Low-Impact Mode 42

        End-State Choice 2: Closed Mode 44

    Transitioning from Monitor Mode into an End-State Mode 45

    Summary 46

Section III The Foundation, Building a Context-Aware Security Policy

Chapter 6 Building a Cisco ISE Network Access Security Policy 47

    What Makes Up a Cisco ISE Network Access Security Policy? 47

        Network Access Security Policy Checklist 48

    Involving the Right People in the Creation of the Network Access Security Policy 49

    Determining the High-Level Goals for Network Access Security 51

    Common High-Level Network Access Security Goals 52

    Defining the Security Domains 55

    Understanding and Defining ISE Authorization Rules 57

        Commonly Configured Rules and Their Purpose 58

    Establishing Acceptable Use Policies 59

    Defining Network Access Privileges 61

        Enforcement Methods Available with ISE 61

        Commonly Used Network Access Security Policies 62

    Summary 65

Chapter 7 Building a Device Security Policy 67

    Host Security Posture Assessment Rules to Consider 67

        Sample NASP Format for Documenting ISE Posture Requirements 72

        Common Checks, Rules, and Requirements 74

        Method for Adding Posture Policy Rules 74

        Research and Information 75

        Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization 76

        Method for Determining Which Posture Policy Rules a Particular Security Requirement Should Be Applied To 77

        Method for Deploying and Enforcing Security Requirements 78

    ISE Device Profiling 79

        ISE Profiling Policies 80

        ISE Profiler Data Sources 81

        Using Device Profiles in Authorization Rules 82

    Summary 82

Chapter 8 Building an ISE Accounting and Auditing Policy 83

    Why You Need Accounting and Auditing for ISE 83

    Using PCI DSS as Your ISE Auditing Framework 84

        ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords 87

        ISE Policy for PCI 10.2 and 10.3: Audit Log Collection 89

        ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Log Data 90

        ISE Policy for PCI 10.6: Review Audit Data Regularly 91

    Cisco ISE User Accounting 92

    Summary 94

Section IV Configuration

Chapter 9 The Basics: Principal Configuration Tasks for Cisco ISE 95

    Bootstrapping Cisco ISE 95

    Using the Cisco ISE Setup Assistant Wizard 98

    Configuring Network Devices for ISE 106

        Wired Switch Configuration Basics 106

        Wireless Controller Configuration Basics 109

    Completing the Basic ISE Setup 113

        Install ISE Licenses 113

        ISE Certificates 114

    Installing ISE Behind a Firewall 116

    Role-Based Access Control for Administrators 121

        RBAC for ISE GUI 121

        RBAC: Session and Access Settings and Restrictions 121

        RBAC: Authentication 123

        RBAC: Authorization 124

    Summary 126

Chapter 10 Profiling Basics 127

    Understanding Profiling Concepts 127

        Probes 130

        Probe Configuration 130

        Deployment Considerations 133

        DHCP 134

        Deployment Considerations 135

        NetFlow 137

        Deployment Considerations 137

        RADIUS 137

        Deployment Considerations 138

        Network Scan (NMAP) 138

        Deployment Considerations 139

        DNS 139

        Deployment Considerations 139

        SNMP 140

        Deployment Considerations 140

        IOS Device-Sensor 141

        Change of Authorization 142

        CoA Message Types 142

        Configuring Change of Authorization in ISE 143

        Infrastructure Configuration 144

        DHCP Helper 145

        SPAN Configuration 145

        VLAN Access Control Lists (VACL) 146

        VMware Configurations to Allow Promiscuous Mode 148

        Best Practice Recommendations 149

    Examining Profiling Policies 152

        Endpoint Profile Policies 152

        Cisco IP Phone 7970 Example 155

    Using Profiles in Authorization Policies 161

        Endpoint Identity Groups 161

        EndPointPolicy 163

        Logical Profiles 164

    Feed Service 166

        Configuring the Feed Service 166

    Summary 168

Chapter 11 Bootstrapping Network Access Devices 169

    Bootstrap Wizard 169

    Cisco Catalyst Switches 170

        Global Configuration Settings for All Cisco IOS 12.2 and 15.x Switches 170

        Configure Certificates on a Switch 170

        Enable the Switch HTTP/HTTPS Server 170

        Global AAA Commands 171

        Global RADIUS Commands 172

        Create Local Access Control Lists 174

        Global 802.1X Commands 175

        Global Logging Commands (Optional) 175

        Global Profiling Commands 177

        Interface Configuration Settings for All Cisco Switches 179

        Configure Interfaces as Switch Ports 179

        Configure Flexible Authentication and High Availability 179

        Configure Authentication Settings 182

        Configure Authentication Timers 184

        Apply the Initial ACL to the Port and Enable Authentication 184

    Cisco Wireless LAN Controllers 184

        Configure the AAA Servers 185

        Add the RADIUS Authentication Servers 185

        Add the RADIUS Accounting Servers 186

        Configure RADIUS Fallback (High Availability) 187

        Configure the Airespace ACLs 188

        Create the Web Authentication Redirection ACL 188

        Create the Posture Agent Redirection ACL 191

        Create the Dynamic Interfaces for the Client VLANs 193

        Create the Employee Dynamic Interface 193

        Create the Guest Dynamic Interface 194

        Create the Wireless LANs 195

        Create the Guest WLAN 195

        Create the Corporate SSID 199

    Summary 202

Chapter 12 Authorization Policy Elements 205

    Authorization Results 206

        Configuring Authorization Downloadable ACLs 207

        Configuring Authorization Profiles 209

    Summary 212

Chapter 13 Authentication and Authorization Policies 215

    Relationship Between Authentication and Authorization 215

    Authentication Policies 216

        Goals of an Authentication Policy 216

        Accept Only Allowed Protocols 216

        Route to the Correct Identity Store 216

        Validate the Identity 217

        Pass the Request to the Authorization Policy 217

    Understanding Authentication Policies 217

        Conditions 218

        Allowed Protocols 220

        Identity Store 224

        Options 224

        Common Authentication Policy Examples 224

        Using the Wireless SSID 225

        Remote-Access VPN 228

        Alternative ID Stores Based on EAP Type 230

    Authorization Policies 232

        Goals of Authorization Policies 232

        Understanding Authorization Policies 233

        Role-Specific Authorization Rules 237

        Authorization Policy Example 237

        Employee and Corporate Machine Full-Access Rule 238

        Internet Only for iDevices 240

        Employee Limited Access Rule 243

    Saving Attributes for Re-Use 246

    Summary 248

Chapter 14 Guest Lifecycle Management 249

    Guest Portal Configuration 251

        Configuring Identity Source(s) 252

    Guest Sponsor Configuration 254

        Guest Time Profiles 254

        Guest Sponsor Groups 255

        Sponsor Group Policies 257

    Authentication and Authorization Guest Policies 258

        Guest Pre-Authentication Authorization Policy 258

        Guest Post-Authentication Authorization Policy 262

    Guest Sponsor Portal Configuration 263

        Guest Portal Interface and IP Configuration 264

        Sponsor and Guest Portal Customization 264

        Customize the Sponsor Portal 264

        Creating a Simple URL for Sponsor Portal 265

        Guest Portal Customization 265

        Customizing Portal Theme 266

        Creating Multiple Portals 268

    Guest Sponsor Portal Usage 271

        Sponsor Portal Layout 271

        Creating Guest Accounts 273

        Managing Guest Accounts 273

    Configuration of Network Devices for Guest CWA 274

        Wired Switches 274

        Wireless LAN Controllers 275

    Summary 277

Chapter 15 Device Posture Assessment 279

    ISE Posture Assessment Flow 280

    Configure Global Posture and Client Provisioning Settings 283

        Posture Client Provisioning Global Setup 283

        Posture Global Setup 285

        General Settings 285

        Reassessments 286

        Updates 287

        Acceptable Use Policy 287

    Configure the NAC Agent and NAC Client Provisioning Settings 288

    Configure Posture Conditions 289

    Configure Posture Remediation 292

    Configure Posture Requirements 295

    Configure Posture Policy 296

    Enabling Posture Assessment in the Network 298

    Summary 299

Chapter 16 Supplicant Configuration 301

    Comparison of Popular Supplicants 302

        Configuring Common Supplicants 303

        Mac OS X 10.8.2 Native Supplicant Configuration 303

        Windows GPO Configuration for Wired Supplicant 305

        Windows 7 Native Supplicant Configuration 309

        Cisco AnyConnect Secure Mobility Client NAM 312

    Summary 317

Chapter 17 BYOD: Self-Service Onboarding and Registration 319

    BYOD Challenges 320

    Onboarding Process 322

        BYOD Onboarding 322

        Dual SSID 322

        Single SSID 323

        Configuring NADs for Onboarding 324

        ISE Configuration for Onboarding 329

        End-User Experience 330

        Configuring ISE for Onboarding 347

        BYOD Onboarding Process Detailed 357

        MDM Onboarding 367

        Integration Points 367

        Configuring MDM Integration 368

        Configuring MDM Onboarding Policies 369

    Managing Endpoints 372

        Self Management 373

        Administrative Management 373

    The Opposite of BYOD: Identify Corporate Systems 374

        EAP Chaining 375

    Summary 376

Chapter 18 Setting Up a Distributed Deployment 377

    Configuring ISE Nodes in a Distributed Environment 377

        Make the Policy Administration Node a Primary Device 377

        Register an ISE Node to the Deployment 379

        Ensure the Persona of All Nodes Is Accurate 381

    Understanding the HA Options Available 382

        Primary and Secondary Nodes 382

        Monitoring and Troubleshooting Nodes 382

        Policy Administration Nodes 384

        Promoting the Secondary PAN to Primary 385

    Node Groups 385

        Create a Node Group 386

        Add the Policy Services Nodes to the Node Group 387

    Using Load Balancers 388

        General Guidelines 388

        Failure Scenarios 389

    Summary 390

Chapter 19 Inline Posture Node 391

    Use Cases for the Inline Posture Node 391

        Overview of IPN Functionality 392

        IPN Configuration 393

        IPN Modes of Operation 393

    Summary 394

Section V Deployment Best Practices

Chapter 20 Deployment Phases 395

    Why Use a Phased Approach? 395

        A Phased Approach 397

        Authentication Open Versus Standard 802.1X 398

    Monitor Mode 399

        Prepare ISE for a Staged Deployment 401

        Create the Network Device Groups 401

        Create the Policy Sets 403

    Low-Impact Mode 404

    Closed Mode 406

    Transitioning from Monitor Mode to Your End State 408

    Wireless Networks 409

    Summary 410

Chapter 21 Monitor Mode 411

    Endpoint Discovery 412

        SNMP Trap Method 413

        Configuring the ISE Probes 414

        Adding the Network Device to ISE 416

        Configuring the Switches 418

        RADIUS with SNMP Query Method 420

        Configuring the ISE Probes 420

        Adding the Network Device to ISE 421

        Configuring the Switches 422

        Device Sensor Method 424

        Configuring the ISE Probes 425

        Adding the Network Device to ISE 425

        Configuring the Switches 426

    Using Monitoring to Identify Misconfigured Devices 428

        Tuning the Profiling Policies 428

        Creating the Authentication Policies for Monitor Mode 430

        Creating Authorization Policies for Non-Authenticating Devices 433

        IP-Phones 433

        Wireless APs 435

        Printers 436

        Creating Authorization Policies for Authenticating Devices 438

        Machine Authentication (Machine Auth) 438

        User Authentications 439

        Default Authorization Rule 440

    Summary 441

Chapter 22 Low-Impact Mode 443

    Transitioning from Monitor Mode to Low-Impact Mode 445

    Configuring ISE for Low-Impact Mode 446

        Set Up the Low-Impact Mode Policy Set in ISE 446

        Duplicate the Monitor Mode Policy Set 446

        Create the Web Authentication Authorization Result 448

        Configure the Web Authentication Identity Source Sequence 451

        Modify the Default Rule in the Low-Impact Policy Set 451

        Assign the WLCs and Switches to the Low-Impact Stage NDG 452

        Modify the Default Port ACL on the Switches That Will Be Part of Low-Impact Mode 453

    Monitoring in Low-Impact Mode 454

    Tightening Security 454

        Creating AuthZ Policies for the Specific Roles 454

        Change Default Authentication Rule to Deny Access 456

        Moving Switch Ports from Multi-Auth to Multi-Domain 457

    Summary 458

Chapter 23 Closed Mode 459

    Transitioning from Monitor Mode to Closed Mode 461

    Configuring ISE for Closed Mode 461

        Set Up the Closed Mode Policy Set in ISE 461

        Duplicate the Monitor Mode Policy Set 462

        Create the Web Authentication Authorization Result 463

        Configure the Web Authentication Identity Source Sequence 466

        Modify the Default Rule in the Closed Policy Set 467

        Assign the WLCs and Switches to the Closed Stage NDG 468

        Modify the Default Port ACL on the Switches That Will Be Part of Closed Mode 469

    Monitoring in Closed Mode 469

    Tightening Security 469

        Creating Authorization Policies for the Specific Roles 470

        Change Default Authentication Rule to Deny Access 472

        Moving Switch Ports from Multi-Auth to MDA 473

    Summary 474

Section VI Advanced Secure Unified Access Features

Chapter 24 Advanced Profiling Configuration 475

    Creating Custom Profiles for Unknown Endpoints 475

        Identifying Unique Values for an Unknown Device 476

        Collecting Information for Custom Profiles 478

        Creating Custom Profiler Conditions 479

        Creating Custom Profiler Policies 480

    Advanced NetFlow Probe Configuration 481

        Commonly Used NetFlow Attributes 483

        Example Profiler Policy Using NetFlow 483

        Designing for Efficient Collection of NetFlow Data 484

        Configuration of NetFlow on Cisco Devices 485

Profiler COA and Exceptions 488

        Types of CoA 489

        Creating Exceptions Actions 489

        Configuring CoA and Exceptions in Profiler Policies 490

    Profiler Monitoring and Reporting 491

    Summary 494

Chapter 25 Security Group Access 495

    Ingress Access Control Challenges 495

        VLAN Assignment 495

        Ingress Access Control Lists 498

    What Is Security Group Access? 499

        So, What Is a Security Group Tag? 500

        Defining the SGTs 501

        Classification 504

        Dynamically Assigning SGT via 802.1X 504

        Manually Assigning SGT at the Port 506

        Manually Binding IP Addresses to SGTs 506

        Access Layer Devices That Do Not Support SGTs 507

    Transport: Security Group eXchange Protocol (SXP) 508

        SXP Design 508

        Configuring SXP on IOS Devices 509

        Configuring SXP on Wireless LAN Controllers 511

        Configuring SXP on Cisco ASA 513

    Transport: Native Tagging 516

        Configuring Native SGT Propogation (Tagging) 517

        Configuring SGT Propagation on Cisco IOS Switches 518

        Configuring SGT Propagation on a Catalyst 6500 520

        Configuring SGT Propagation on a Nexus Series Switch 522

    Enforcement 523

        SGACL 524

        Creating the SG-ACL in ISE 526

        Configure ISE to Allow the SGACLs to Be Downloaded 531

        Configure the Switches to Download SGACLs from ISE 532

        Validating the PAC File and CTS Data Downloads 533

        Security Group Firewalls 535

        Security Group Firewall on the ASA 535

        Security Group Firewall on the ISR and ASR 543

    Summary 546

Chapter 26 MACSec and NDAC 547

    MACSec 548

        Downlink MACSec 549

        Switch Configuration Modes 551

        ISE Configuration 552

        Uplink MACSec 553

    Network Device Admission Control 557

        Creating an NDAC Domain 558

        Configuring ISE 558

        Configuring the Seed Device 562

        Adding Non-Seed Switches 564

        Configuring the Switch Interfaces for Both Seed and Non-Seed 566

        MACSec Sequence in an NDAC Domain 567

    Summary 568

Chapter 27 Network Edge Authentication Topology 569

    NEAT Explained 570

    Configuring NEAT 571

        Preparing ISE for NEAT 571

        Create the User Identity Group and Identity 571

        Create the Authorization Profile 572

        Create the Authorization Rule 573

        Access Switch (Authenticator) Configuration 574

        Desktop Switch (Supplicant) Configuration 574

    Summary 575

Section VII Monitoring, Maintenance, and Troubleshooting

Chapter 28 Understanding Monitoring and Alerting 577

    ISE Monitoring 577

        Live Authentications Log 578

        Monitoring Endpoints 580

        Global Search 581

        Monitoring Node in a Distributed Deployment 584

        Device Configuration for Monitoring 584

    ISE Reporting 585

        Data Repository Setup 586

    ISE Alarms 587

    Summary 588

Chapter 29 Troubleshooting 589

    Diagnostics Tools 589

        RADIUS Authentication Troubleshooting 589

        Evaluate Configuration Validator 591

        TCP Dump 594

    Troubleshooting Methodology 596

        Troubleshooting Authentication and Authorization 596

        Option 1: No Live Log Entry Exists 597

        Option 2: An Entry Exists in the Live Log 603

        General High-Level Troubleshooting Flowchart 605

        Troubleshooting WebAuth and URL Redirection 605

        Active Directory Is Disconnected 610

        Debug Situations: ISE Logs 611

        The Support Bundle 611

    Common Error Messages and Alarms 613

        EAP Connection Timeout 613

        Dynamic Authorization Failed 615

        WebAuth Loop 617

        Account Lockout 617

    ISE Node Communication 617

    Summary 618

Chapter 30 Backup, Patching, and Upgrading 619

    Repositories 619

        Configuring a Repository 619

    Backup 625

    Restore 628

        Patching 629

        Upgrading 632

    Summary 634

Appendix A Sample User Community Deployment Messaging Material 635

Appendix B Sample ISE Deployment Questionnaire 639

Appendix C Configuring the Microsoft CA for BYOD 645

Appendix D Using a Cisco IOS Certificate Authority for BYOD Onboarding 669

Appendix E Sample Switch Configurations 675

TOC, 9781587143250, 5/15/2013

Errata

We've made every effort to ensure the accuracy of this book and its companion content. Any errors that have been confirmed since this book was published can be downloaded below.

Download the errata

Submit Errata