Advanced ISE Services, Tips & Tricks
BRKSEC-3697
Craig Hyps (chyps@cisco.com), Senior Technical Marketing Engineer

Session Abstract
Cisco's Identity Services Engine (ISE) delivers context-based access control for every endpoint that connects to your network. This advanced session focuses on the advanced services of ISE, successful deployment strategies, integration with Cisco and third-party network infrastructure, and deployment tips and tricks. We will examine best practices for Bring Your Own Device (BYOD) deployments with the most common mobile platforms, including multiple tiers of registered devices. We will perform a detailed examination of certificate usage, including integration of ISE with your enterprise certificate authority (CA), endpoint certificate usage, and wildcard certificates. There will be a detailed examination of guest life-cycle management, including self-service and sponsored guest access models. Lastly, attendees will be introduced to troubleshooting and serviceability tips.

BRKSEC-3697 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Live Melbourne: ISE and TrustSec Sessions
• BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Fri 2:00pm)
• BRKSEC-3699 Designing ISE for Scale & High Availability (Fri 8:45am)
• BRKSEC-2690 Deploying Security Group Tags (Wed 2:30pm)
• BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (Fri 8:45am)
• BRKSEC-2044 Building an Enterprise Access Control Architecture Using ISE & TrustSec (Thurs 8:30am)
• BRKSEC-1011 Written to Realised Security Policy (Thurs 2:45pm)
• BRKSEC-2691 IBNS 2.0: New-style 802.1X and more (Thurs 4:30pm)
• DEVNET-1618 Cisco pxGrid: A New Architecture for Security Platform Integration (Thurs 2:00pm)

Important: Hidden Slide Alert
Look for the "For Your Reference" symbol in your PDFs. There is a tremendous amount of hidden content for you to use later!
For Your Reference: 200 +/- slides in PDF

Agenda
• Introduction
• Certificates, Certificates, Certificates
• BYOD Best Practices
• Integrating with Cisco and Non-Cisco
• ISE in a Security EcoSystem
• Serviceability & Troubleshooting
• Staged Deployments (Time Permitting)
• Conclusion

ISE and Certificate Usage

Certificates: What is an X.509 Certificate?
• A certificate is a signed document…
  – Think of it like a government form of identity
[Diagram: X.509 certificate fields – username, organization, location]

Certificates: What is the purpose of an X.509 Certificate?
• Provides an identity: who is the user, what is the endpoint, website identity
• Acts as a seed value for encryption

Certificates: ISE and Certificates – Multiple Identities
[Diagram: 802.1X/EAP exchange. Supplicant on a Layer 2 link to the Authenticator; Authenticator on a Layer 3 link to the Authentication Server (ISE), which also hosts a Secure Web Server and internal communications, all chaining to a Root CA. Port Unauthorized; EAPoL Start; EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request; RADIUS Access-Challenge [AVP: EAP-Request PEAP]; EAP-Request/PEAP; EAP-Response/PEAP; RADIUS Access-Request [AVP: EAP-Response: PEAP]; multiple challenge/request exchanges possible.]

Certificates: Certificates and Web Portals
• All web portals (Admin, WebAuth, MyDevices, Sponsor, CPP, etc.)
[Diagram: Client/Browser – NAD – ISE, over an SSID]
Step 1: Initiate request to establish HTTPS tunnel with portal (https://ISE/admin)
Step 2: Certificate sent to browser
Step 3: User is prompted to accept certificate.
Once accepted, it is stored in the browser, KeyChain, or trusted store.
Step 4: SSL tunnel is formed, encrypting the HTTP communications (HTTPS).

Certificates: Certificates and EAP Communication
• EAP connections (PEAP, FAST, EAP-TLS)
[Diagram: Client/Supplicant – NAD – ISE, over an SSID]
Step 1: Initiate request to establish TLS tunnel with authenticator
Step 2: Certificate sent to supplicant
Step 3: User is prompted to accept certificate. If accepted, it is stored in the Wi-Fi profile
Step 4: TLS tunnel is formed; EAP happens next

Certificates: ISE Admin/EAP/Portal Certificate Examination
[Screenshot: system certificate "ISE Wildcard Cert", group tag Portal-TAG, on nodes ise.company.com and ise-lab.company.com]
• Used for Admin, Portal and EAP. Any portal using Portal-Tag uses this cert.
• Publicly signed certificate
• Purpose is for Client and Server Auth
• SAN includes the wildcard (*.company.com) and the CN (ise.company.com)

Certificates: ISE Root Certificate Examination
• Only way to access the root certificate:
  ise/admin# application configure ise
  Selection ISE configuration option
  <Snip>
  [7]Export Internal CA Store
  [8]Import Internal CA Store
  </Snip>
  [12]Exit
[Screenshot: root certificate ise-ca]
• Self-signed certificate (it's a root cert)
• Purpose is for cert signing / it is a CA

Certificates: Endpoint Certificate Examination
[Screenshot: endpoint certificate CN=employee1, issued by ise-ca]
• Signed by ISE Sub-CA
• Purpose is for Client Auth
• SAN includes MAC address
Certificates: Certificate Provisioning User Experience in ISE 1.0 – 1.2
• Primary PAN: generate CSR for Primary PAN; bind CA-signed cert for Primary PAN
• PSN #1: generate CSR for PSN #1; bind CA-signed cert for PSN #1
• PSN #20: generate CSR for PSN #20; bind CA-signed cert for PSN #20
• PSN #40: generate CSR for PSN #40; bind CA-signed cert for PSN #40

Certificates: Centralized Certificate Management in 1.3
• Generate CSRs for ALL NODES at Primary PAN
• Bind CA-signed certs for ALL NODES at Primary PAN
• Manage System (Local) certs for ALL NODES at Primary PAN
[Diagram: Primary PAN managing PSN #1, PSN #20, PSN #40]

Certificates: Manage System Certificates
• Certificates used by: Admin, HTTPS Portals, pxGrid, EAP
• These are private/public key pairs, i.e. they identify ISE personalities
[Screenshot: ISE Wildcard Cert, group tag Portal-Tag, nodes ise.company.com and ise-lab.company.com]

Certificates your ISE Deployment will "Trust"
• Trust for EAP, MDM, etc.
• These are copies of their public certs, i.e. they identify other systems

Certificates: Trusted Certificates
• In 1.3, trusted certificates have a new "Trusted For" attribute.
  – Security goal: to prevent the public certificates used for Cisco Services from being used internally.
• When importing a trust certificate, the user must specify what the certificate is trusted for.
• It is important to select at least one category, or the cert will not be used in any trust store.
Certificates: System Certificate Roles – ISE 1.3
1.2 Role Name | 1.3 Role Name      | How Many | May Use Wildcard (*) in SAN | May Use Wildcard (*) in Subject
HTTPS         | Admin              | 1        | Yes                         | Yes
EAP           | EAP Authentication | 1        | Yes                         | No (1)
-             | pxGrid             | 1        | No                          | No
-             | Portal             | Many     | Yes                         | Yes
• Admin cert is the server cert for the Admin Console
• pxGrid cert is the server cert for authenticating the ISE node to pxGrid clients
• Portal cert is a server cert associated with a particular ISE portal (Guest, Sponsor, My Devices, …)
• In a freshly installed node, the default self-signed cert has all four roles
• Certificates for all roles are managed from the Primary PAN node.
(1) While ISE technically allows a wildcard in the CN, Microsoft supplicants will reject it, so it is never recommended.

Certificates: ISE 1.3 Multiple Web Portals – Each Portal Could Use a Different Certificate
• Each portal exists on ALL PSNs
• Each portal requires a certificate
• One certificate per interface > IP:Port
• Each PSN could have unique certificates (identity)
[Diagram: ISE PSN-1, ISE PSN-2, ISE PSN-3]

Certificates: Problem – Assign Certificate on All PSNs to Portal? How to Assign "At Scale"
• New UI paradigm with ISE 1.3 is to keep all portal configuration together.
• Options:
  – Add complexity to the Portal Configuration page by choosing certificates on each node?
    • What about large deployments (40 PSNs)?
  – Configure it entirely outside of the Portal Configuration screen?
  – Some way to combine?
[Diagram: portal Hotspot-DRW with per-node certificates PSN-1: Cert1, PSN-2: Cert2, PSN-3: Cert3, crossed out]

Certificates: Solution – Certificate Group Tag
• Certificate Group Tag provides a solution to configure node-specific certificates for portal configuration by associating node certificates with a logical name.
[Diagram: Node 1 – Pri Admin, M&T and PSN; Node 2 – Sec Admin, M&T and PSN; Node 3 – PSN. The portal configuration references the Group Tag "GuestPortalCerts" (grouping certificates to a logical name).]

Certificates: Certificate Chains
• For scalability, X.509 Certificate Authorities may have a hierarchy
• ISE will present the full signing chain to the client during authentication
  – Client must trust each CA within the chain
[Diagram: Root CA → Subordinate CA → ise.company.com cert; ISE presents Root, Sub and ISE certs]

Always Add the Root and Subordinate CAs' Certificates
• Import all certificates in the chain, one at a time
[Diagram: Root CA, Subordinate CA, Subordinate CA, ISE cert ise.company.com]
• If you must use a PKCS chain, it needs to be in PEM format (not DER)

Certificates: PEM versus DER
[Screenshot: root.cer shown in PEM and in DER encoding]

Certificates: Joining an ISE Deployment – Mutual Trust Required
• In order to join an ISE node to an existing ISE deployment:
  – You must trust the PAN certificate on the Secondary node(s)
  – Secondary nodes must trust PAN certs
[Diagram: PAN trusted certs hold PSN1 and PSN2; PSN trusted certs hold PAN]
• Then you upgrade all certs
  – Delete the old self-signed certificates from the System Certs
  – Delete the old self-signed certs from the Trusted Cert Store
• So, it is often easier to upgrade to a CA-signed & trusted cert before joining the deployment.

Certificates: Simple URL for My Devices & Sponsor Portals
• In 1.3: Sponsor Portal and My Devices Portal are accessed via a user-friendly URL and selectable port.
• Ex: http://mydevices.company.com – automatic redirect to https://fqdn:port
• FQDN for URL must be added to DNS and resolve to the Policy Service node(s) used for Guest Services.
• Recommend populating the Subject Alternative Name (SAN) field of the PSN local cert with this alternative FQDN or a wildcard to avoid SSL cert warnings due to name mismatch.

Certificates: ISE Certificate without SAN – Certificate Warning (Name Mismatch)
[Diagram: Sponsor browses to http://sponsor.company.com; DNS lookup = sponsor.company.com, DNS response = 10.1.99.5; Load Balancer (100.1.98.8) in front of ISE-PSN-1 (100.1.99.5), ISE-PSN-2 (100.1.99.6) and ISE-PSN-3 (100.1.99.7); portal URL https://sponsor.company.com:8443/sponsorportal]
Name Mismatch! Requested URL = sponsor.company.com; Certificate Subject = ise-psn-3.company.com
Certificates: ISE Certificate with SAN – No Certificate Warning
[Diagram: same flow; DNS lookup = sponsor.company.com, DNS response = 10.1.99.5; Load Balancer (100.1.99.8) in front of ISE-PSN-1 (100.1.99.5), ISE-PSN-2 (100.1.99.6) and ISE-PSN-3 (100.1.99.7); portal URL https://sponsor.company.com:8443/sponsorportal]
Certificate OK! Requested URL = sponsor.company.com; Certificate SAN = sponsor.company.com

Certificates: ISE Certificate with SAN – CN must also exist in SAN
[Screenshot: certificate ise-psn (Admin) with Subject ise-psn.company.com and SAN DNS names ise-psn.company.com, mydevices.company.com, sponsor.company.com]
• Other FQDNs are added as "DNS Names"; an IP address is also an option

Certificates: "Traditional" Wildcard Certificates
• Wildcard certificates are used to identify any secure web site that is part of the domain: *.company.com
  – e.g. *.domain.com works for:
    • www.domain.com
    • mydevices.domain.com
    • sponsor.domain.com
    • AnyThingIWant.domain.com
  – *.company.com != psn.[ise].domain.com – the position in the FQDN is fixed
[Screenshot: https://ise-psn-1.company.com/admin/login.jsp served with a *.company.com certificate]

Certificates: Wildcard Certificates – Why use with ISE?
• Use of all portals & friendly URLs without certificate match errors.
• Most importantly: the ability to host the exact same certificate on all ISE PSNs for EAP authentications
• Why, you ask?…

Certificates: Clients Misbehave!
• Example education customer:
  – ONLY 6,000 endpoints (all BYOD style)
  – 10M auths / 9M failures in 24 hours!
  – 42 different failure scenarios – all related to clients dropping TLS (both PEAP & EAP-TLS).
• Supplicant list:
  – Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
• 5411 No response received during 120 seconds on last EAP message sent to the client
  – This error has been seen at a number of Escalation customers
  – Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.

Certificates: Recreating the Issue
[Screenshot]

Certificates: Clients Misbehave – Apple Example
• Multiple PSNs
• Each cert signed by a trusted root
• Apple requires Accept on all certs!
• Results in 5411 / 30 sec retry
[Diagram: Cert Authority signs ise-psn-1.domain.com (ISE-1) and ise-psn-2.domain.com (ISE-2); Apple iOS & MacOS client, Wi-Fi profile holding ise-psn-1.domain.com, connects via NAD/SSID]
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client roams
5. Authentication goes to ISE-2
6. Client prompts for Accept

Certificates: Solution – Common Cert, Wildcard in SAN
• Wildcard allows anything ending with the domain name.
• The same EXACT private/public key may be installed on all PSNs

Certificates: Solution – Common Cert, Wildcard in SAN
[Diagram: Cert Authority signs one ise-psn.domain.com cert installed on ISE-1 (ise-psn-1.domain.com) and ISE-2 (ise-psn-2.domain.com); the Apple iOS & MacOS Wi-Fi profile already trusts it]
• Failed with GoDaddy CA: they do not support * in SAN, only * in CN
• CN = ise-psn.domain.com
• SAN contains:
  • ise-psn.domain.com
  • *.domain.com, or
  • all PSN FQDNs
• Wildcard SAN support: comodo.com CA, SSL.com CA, Digicert.com CA, Symantec/Verisign CA, Microsoft 2008 CA
1. Authentication goes to PSN-1
2. PSN-1 sends certificate
3. Client trusts PSN-1
4. Client roams
5. Authentication goes to PSN-2
6. Client already trusts cert

Certificates: SSL Certificates for Internal Server Names
After November 1, 2015, certificates for internal names will no longer be trusted.
In November 2011, the CA/Browser Forum (CA/B) adopted Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates that took effect on July 1, 2012. These requirements state:
• CAs should notify applicants prior to issuance that use of certificates with a Subject Alternative Name (SAN) extension or a Subject Common Name field containing a reserved IP address or internal server name has been deprecated by the CA/B
• CAs should not issue a certificate with an expiration date later than November 1, 2015 with a SAN or Subject Common Name field containing a reserved IP address or internal server name
Source: Digicert – https://www.digicert.com/internal-names.htm

Certificates: Use Publicly-Signed Certs for Guest Portals!
• In 1.3, the HTTPS cert for Admin can be different from the web portals
• Guest portals can use a different, public certificate
[Screenshot: Public Portal Certificate Group]
• Admin and internal employee portals (or EAP) can still use certs signed by a private CA.

Redirection is based on the first service-enabled interface: if eth0, return the host FQDN; else return the interface IP.
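The name-mismatch cases in the slides above (no SAN, SAN, wildcard SAN, redirect to a bare interface IP) reduce to one check, written out here as an added example that is not part of the session material. The certificate values and URLs are constructed from the deck's scenarios; `certificate_name_check` and `wildcard_matches` are assumed helper names, and the rules they apply are the deck's (the requested name must be in the SAN, a wildcard covers exactly one label, an IP only matches an IP-address SAN).

```python
"""Added example: does the URL a client requests match an ISE certificate?"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit


def wildcard_matches(pattern: str, host: str) -> bool:
    """'*' must be the whole leftmost label and covers exactly one label,
    so *.domain.com matches sponsor.domain.com but not psn.ise.domain.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".domain.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]               # what the '*' would have to cover
    return left != "" and "." not in left     # position in the FQDN is fixed


def certificate_name_check(requested_url: str, subject_cn: str,
                           san_dns: list[str],
                           san_ip: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Return (ok, reason) for requested_url against the cert's CN and SAN."""
    host = urlsplit(requested_url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # A CWA redirect to https://10.1.91.5:8443/... only matches an IP SAN.
        if any(ipaddress.ip_address(x) == ip for x in san_ip):
            return True, f"IP {ip} present in SAN"
        return False, f"Name Mismatch! Requested URL = {host}; no IP-address SAN"
    for name in san_dns:
        if wildcard_matches(name, host):
            return True, f"SAN entry {name} matches {host}"
    if wildcard_matches(subject_cn, host):
        # Deck rule: the CN must also exist in the SAN; a CN-only hit is not enough.
        return False, f"CN {subject_cn} matches {host} but is not in the SAN"
    return False, (f"Name Mismatch! Requested URL = {host}; "
                   f"Certificate Subject = {subject_cn}")


# Constructed scenarios mirroring the slides.
SPONSOR_URL = "https://sponsor.company.com:8443/sponsorportal"
CERT_WITHOUT_SAN = dict(subject_cn="ise-psn-3.company.com", san_dns=[])
CERT_WITH_SAN = dict(subject_cn="ise-psn.company.com",
                     san_dns=["ise-psn.company.com", "mydevices.company.com",
                              "sponsor.company.com"])
WILDCARD_CERT = dict(subject_cn="ise-psn.domain.com",
                     san_dns=["ise-psn.domain.com", "*.domain.com"])
INTERFACE_CERT = dict(subject_cn="ise-psn1.company.com",
                      san_dns=["ise-psn1.company.com", "sponsor.company.com",
                               "mydevices.company.com"])

if __name__ == "__main__":
    for label, url, cert in [
        ("no SAN", SPONSOR_URL, CERT_WITHOUT_SAN),
        ("with SAN", SPONSOR_URL, CERT_WITH_SAN),
        ("wildcard, one label", "https://AnyThingIWant.domain.com/", WILDCARD_CERT),
        ("wildcard, two labels", "https://psn.ise.domain.com/", WILDCARD_CERT),
        ("redirect to interface IP", "https://10.1.91.5:8443/guest/", INTERFACE_CERT),
    ]:
        print(f"{label:26} -> {certificate_name_check(url, **cert)}")
```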
[Screenshot callout: certs assigned to this group are signed by a 3rd-party CA]

Certificates: CWA Example – DNS and Port Settings, Single Interface Enabled for Guest Portal
• CWA Guest Portal access for ISE-PSN1 configured for eth1
• IP address for eth1 on ISE-PSN1 is 10.1.91.5
ISE Node | IP Address | Interface
ISE-PSN1 | 10.1.99.5  | # eth0
ISE-PSN1 | 10.1.91.5  | # eth1
ISE-PSN1 | 10.1.92.5  | # eth2
ISE-PSN1 | 10.1.93.5  | # eth3
• Resulting URL redirect = ??? (https://10.1.91.5:8443/...)
I have a feeling this is going to end badly!

Certificates: CWA Example with FQDNs in SAN – URL Redirection Uses First Guest-Enabled Interface (eth1)
1. RADIUS Authentication requests sent to ise-psn1 @ 10.1.99.5.
2. RADIUS Authorization received from ise-psn1 @ 10.1.99.5 with URL redirect to https://10.1.91.5:8443/...
3. User sends web request directly to ise-psn1 @ 10.1.99.5.
4. User receives cert name mismatch warning.
[Diagram: User – Access Device (switch) – ISE-PSN1 with Admin/RADIUS on eth0: 10.1.99.5, Guest on eth1: 10.1.91.5, MyDevices on eth2: 10.1.92.5, Sponsor on eth3: 10.1.93.5. PSN RADIUS request to ise-psn1 @ 10.1.99.5; RADIUS authorization: URL redirect = https://10.1.91.5:8443/...; HTTPS response from 10.1.91.5]
ISE Certificate: Subject = ise-psn1.company.com; SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com
Name Mismatch! Requested URL = 10.1.91.5; Certificate SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com

Certificates: Interface Aliases Available in ISE 1.2 – Specify an alternate hostname/FQDN for URL redirection
• Aliases are assigned to interfaces using the ip host global config command in ADE-OS:
  (config)# ip host <interface_ip_address> <hostname|FQDN> <hostname|FQDN>
• Up to two values can be specified, hostname and/or FQDN; if you specify a hostname, the globally configured ip domain-name is appended for use in URL redirection.
• FQDN can have a different domain than the global domain!!!
• GigabitEthernet1 (GE1) example:
  ise-psn1/admin(config)# ip host 10.1.91.5 ise-psn1-guest ise-psn1-guest.company.com
• Host entry for Gigabit Ethernet 0 (eth0) cannot be modified
• Use show run to view entries; use no ip host <ip_address> to remove an entry.
• A change in interface IP address or alias requires an application server restart.

Certificates: Interface Alias Example – DNS and Port Settings, Single Interface Enabled for Guest
• Interface eth1 enabled for Guest Portal
• ip host 10.1.91.5 ise-psn1-guest.company.com
• URL redirect = https://ise-psn1-guest.company.com:8443/...
• Guest DNS resolves the FQDN to the correct IP address
DNS SERVER DOMAIN = COMPANY.COM
  ISE-PSN1-GUEST    IN A 10.1.91.5   # eth1
  ISE-PSN2-GUEST    IN A 10.1.91.6   # eth1
  ISE-PSN3-GUEST    IN A 10.1.91.7   # eth1
DNS SERVER DOMAIN = COMPANY.LOCAL
  ISE-PSN1          IN A 10.1.99.5   # eth0
  ISE-PSN1-MDP      IN A 10.1.92.5   # eth2
  ISE-PSN1-SPONSOR  IN A 10.1.93.5   # eth3
  ISE-PSN2          IN A 10.1.99.6   # eth0
  ISE-PSN2-MDP      IN A 10.1.92.6   # eth2
  ISE-PSN2-SPONSOR  IN A 10.1.93.6   # eth3
  ISE-PSN3          IN A 10.1.99.7   # eth0
  ISE-PSN3-MDP      IN A 10.1.92.7   # eth2
  ISE-PSN3-SPONSOR  IN A 10.1.93.7   # eth3

Certificates: CWA Example using Interface Alias – URL Redirection Uses First Guest-Enabled Interface (eth1)
1. RADIUS Authentication requests sent to ise-psn1 @ 10.1.99.5.
2. RADIUS Authorization received from ise-psn1 @ 10.1.99.5 with URL redirect to https://ise-psn1-guest:8443/...
3. DNS resolves alias FQDN ise-psn1-guest to 10.1.91.5 and sends web request to ise-psn1-guest @ 10.1.99.5.
4. No cert warning received since SAN contains the interface alias FQDN.
[Diagram: User – Access Device (switch) – ISE-PSN1, All Web Portals on eth1: 10.1.91.5; HTTPS response from 10.1.91.5; Subject = SAN = ise-psn1-guest.company.com]
Certificate OK!
Requested URL = ise-psn1-guest.company.com; Certificate SAN = ise-psn1-guest.company.com
[Diagram: ISE-PSN1 with Admin/RADIUS on eth0: 10.1.99.5 and All Web Portals on eth2: 10.1.92.5 and eth3: 10.1.93.5. PSN RADIUS request to ise-psn1 @ 10.1.99.5; RADIUS authorization: URL redirect = https://ise-psn1-guest.company.com:8443/...; ISE certificate ise-psn1.company.com]
• Could also use a wildcard SAN or a UCC cert

Internal CA Details

Certificate Authority: Internal Certificate Authority – Why use ISE as a Certificate Authority?
• Microsoft Public Key Infrastructure via a 2003/2008 Enterprise Server can add significant complexity and expense to an ISE deployment.
Benefits of the internal CA:
• Internal CA simplifies ISE deployment
• ISE can deliver certificates directly to endpoints
• No need to rely on integrating ISE with a PKI for BYOD cert provisioning
• Internal CA can still work with existing PKI infrastructure
• Closed-loop BYOD solution
• Focused on BYOD and MDM use-cases only, not a general-purpose CA

Certificate Authority: Configuring the Native Certificate Authority
• Enabled by default
• Yes, that's really it! So easy
Certificate Authority: NSP Flow – Internal CA
[Sequence diagram: Employee – PSN (RA) – CA; SSID = CORP]
1. ISE sends profile to endpoint: Signing Certificate + User Certificate, Wi-Fi profile with EAP-TLS configured; SCEP password = SessionID + Random
2. CSR is generated on iOS; password = SessionID + Random Key (from ISE)
3. CSR sent to ISE PSN (RA) via SCEP; ISE validates the password challenge (session + random key)
4. CA selection: CPP Certificate Template = Internal; CSR sent to Internal CA
5. User certificate issued: CN = AD UserName, SAN = values from template; certificate sent to ISE
6. ISE sends certificate to endpoint: Signing Certificate + User Certificate, Wi-Fi profile with EAP-TLS configured
7. CoA: ReAuth; EAP-TLS with User Cert; RADIUS Access-Request; RADIUS Access-Accept

Certificate Authority: NSP Flow – External CA
[Sequence diagram: Employee – PSN (RA) – external CA; SSID = CORP]
1. ISE sends profile to endpoint: Signing Certificate + User Certificate, Wi-Fi profile with EAP-TLS configured; SCEP password = SessionID + Random
2. CSR is generated on iOS; password = SessionID + Random Key (from ISE)
3. CSR sent to ISE PSN (RA) via SCEP; ISE validates the password challenge (session + random key)
4. CA selection: CPP Certificate Template = External; SCEP proxy to External Cert Authority
5. User certificate issued: CN = AD UserName, SAN = values from template; certificate sent to ISE
6. ISE sends certificate to endpoint: Signing Certificate + User Certificate, Wi-Fi profile with EAP-TLS configured
7. CoA: ReAuth; EAP-TLS with User Cert; RADIUS Access-Request; RADIUS Access-Accept

Certificate Authority: ISE CA – Multiple Personalities/Identities
• Root CA
• Subordinate CA
• OCSP Server
• Registration Authority

Certificate Authority: The Root CA is used to sign the certificates for the Subordinate CAs.
Certificate Authority: ISE Certificate Authority Architecture
[Diagram: Primary ISE CA (Root CA) on the PAN; Standby PAN; each PSN runs a Subordinate CA and a SCEP RA]
• The Subordinate CA signs the actual endpoint certs
• The Secondary PAN is another Root CA! Ensure you export from the Primary PAN and import on the Secondary node.

Certificate Authority: Node Registration Process Overview
Each PSN will get three certificates for CA functions:
• Subordinate CA – to sign endpoint certificates
• OCSP – to identify the node with the OCSP service
• Registration Authority (RA) – to identify the sub-CA when requesting certificates for endpoints.
[Sequence diagram: PAN – PSN]
1. PSN is joined to the ISE deployment
2. PAN tells PSN to generate 3x CSRs (OCSP, Sub_CA_Endpoint, RA)
3. CSRs are generated on the PSN (OCSP, Sub_CA_Endpoint, Registration Authority)
4. 3x CSRs sent to the Root CA
5. 3x certificates: OCSP > Root; Sub_CA_EP > Root; RA > Root
• All PSNs are instructed by the PAN to generate the CSRs
• PAN (Root CA) signs all three certs per node
• Secondary PAN does not generate CSRs to the Root CA
• MnT does not generate any CSRs to the Root CA

Certificate Authority: Issue & Revoke Endpoint Certificates
• Lists all the endpoint certificates issued by the Internal CA.
• Status – Active, Revoked, Expired
• Quick overview of certificate details, including the template used
• Automatically revoked when an endpoint is marked as "Stolen"
• Certificates may be manually revoked

Certificate Authority: View Endpoint Certificate Contents
[Screenshot]

Certificate Authority: Revoke Certificates
[Screenshot]
Certificate Authority: Re-generate the Root CA
• The entire certificate chain can be re-generated if needed.
• Old CA certificates remain in the trust store to ensure authentication of previously provisioned endpoints continues to work.

Certificate Authority: ISE as an Intermediate CA
• ISE's internal CA can work seamlessly with an existing CA in your deployment.
• Just make it an intermediate CA (subordinate CA) to your existing CA.
  – Create a CSR for the ISE node and get a certificate issued by the existing CA.

Certificate Authority: ISE as an Intermediate CA
• Ensure that you get a certificate from your existing CA with Key Certificate Signing capabilities (Sub_CA template)
• Ensure the existing Root CA has a tree size >= 3 (ISE is 2 tiers)

Certificate Authority: Certificate Revocation
• Online Certificate Status Protocol (OCSP)
  • Preferred method
  • Provides near real-time updates
  • Allows near real-time request
  • Think: Policeman checking from a laptop in the squad car, with a live query into the DMV database.
• Certificate Revocation List (CRL)
  • A signed document published on a website
  • Periodically downloaded and stored locally
  • The server examines the CRL to see if the client's cert was revoked already.
  • Think: Policeman having a list of suspended drivers in his squad car.
Note: ISE does not use the CRL field in the cert, only the local configuration.

Certificate Authority: Default Internal OCSP Configuration
[Screenshot]
Certificate Authority: OCSP Check
[Screenshot]

Certificate Authority: CA Server Status
[Screenshot]

Certificate Authority: Export CA Certs – Exporting the CA Certs to a Repository
  ise-pan1/admin# application configure ise
  Selection ISE configuration option
  <SNIP>
  [7]Export Internal CA Store
  [8]Import Internal CA Store
  </SNIP>
  [12]Exit
  7
  Export Repository Name: NAS
  Enter encryption-key for export: ##########
  Export on progress...............
  The following 4 CA key pairs were exported to repository 'NAS' at 'ise_ca_key_pairs_of_atw-lab-ise':
  Subject:CN=Certificate Services Root CA - atw-lab-ise
  Issuer:CN=Certificate Services Root CA - atw-lab-ise
  Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
  Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
  Issuer:CN=Certificate Services Root CA - atw-lab-ise
  Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
  Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
  Issuer:CN=Certificate Services Root CA - atw-lab-ise
  Serial#:0x10d18efb-92614084-895097f2-9885313b
  Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
  Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
  Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
  ISE CA keys export completed successfully
• Four key pairs are exported: Root CA (self-signed), Endpoint Sub CA (issued by the Root), OCSP Responder (issued by the Root) and Endpoint RA (issued by the Sub CA)
• The export will be an encrypted GPG bundle

Certificate Authority: Import of CA Certs
  ise-pan1/admin# application configure ise
  Selection ISE configuration option
  <SNIP>
  [7]Export Internal CA Store
  [8]Import Internal CA Store
  </SNIP>
  [12]Exit
  8
  Import Repository Name: NAS
  Enter CA keys file name to import: ise_ca_key_pairs_of_atw-lab-ise
  Enter encryption-key: ########
  Import on progress...............
  The following 4 CA key pairs were imported:
  Subject:CN=Certificate Services Root CA - atw-lab-ise
  Issuer:CN=Certificate Services Root CA - atw-lab-ise
  Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
  Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
  Issuer:CN=Certificate Services Root CA - atw-lab-ise
  Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
  Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
  Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
  Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
  Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
  Issuer:CN=Certificate Services Root CA - atw-lab-ise
  Serial#:0x10d18efb-92614084-895097f2-9885313b
  Stopping ISE Certificate Authority Service...
  Starting ISE Certificate Authority Service...
  ISE CA keys import completed successfully
• Always perform the certificate import to the secondary PAN
• This ensures that the same PKI tree is always used

Certificate Authority: Native Supplicant Profile
[Screenshot: BYOD-NSP profile referencing certificate template TLS-template]

Certificate Authority: Certificate Template(s)
[Screenshot: TLS-template]
• Define Internal or External CA
• Set the key sizes
• SAN field options:
  – MAC address
  – No free-form adds…
• Set length of validity

Certificate Authority: Other Factoids (For Your Reference)
• No temporary revocations (cannot un-revoke)
  – Use Blacklist instead
• ISE does not publish a CRL, OCSP only
• ISE does not currently use the CRL distribution points listed in endpoint certs
  – ISE uses the manually configured CRL distribution point
• Cannot selectively enable/disable the CA service on PSNs. All or nothing.
• When issuing a cert from a PSN, it will be subordinate to the PAN
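The export and import listings above print one Subject/Issuer/Serial# triple per CA key pair, which is enough to rebuild the tree and confirm that everything chains to a single Root CA, the same property the "dual root" slides later in the deck are about when a secondary PAN has been promoted. The following is an added example, not session material: `parse_key_pairs` and `audit_ca_store` are assumed helper names, and the listings are constructed from the deck's output with shortened serial numbers plus a constructed second root.

```python
"""Added example: audit an ISE internal CA store listing for a single chain of trust."""
import re

# Constructed sample modelled on the deck's export output (serials shortened).
EXPORT_LISTING = """
The following 4 CA key pairs were exported to repository 'NAS':
Subject:CN=Certificate Services Root CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a
Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x3e4d9644
Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x10d18efb
Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480
"""

# Constructed: the same store after a PSN joined while the S-PAN was the root.
DUAL_ROOT_LISTING = EXPORT_LISTING + """
Subject:CN=Certificate Services Root CA - atw-lab-ise-spa
Issuer:CN=Certificate Services Root CA - atw-lab-ise-spa
Serial#:0x0a0a0a0a
Subject:CN=Certificate Services Endpoint Sub CA - psn4
Issuer:CN=Certificate Services Root CA - atw-lab-ise-spa
Serial#:0x0b0b0b0b
"""

_FIELD = re.compile(r"^(Subject|Issuer|Serial#):(.*)$")


def parse_key_pairs(text):
    """Return [{subject, issuer, serial}, ...] in listing order; other lines are ignored."""
    pairs, current = [], {}
    for line in text.splitlines():
        match = _FIELD.match(line.strip())
        if not match:
            continue
        key, value = match.group(1).lower().rstrip("#"), match.group(2).strip()
        current[key] = value
        if key == "serial":          # Serial# closes each entry
            pairs.append(current)
            current = {}
    return pairs


def chain_to_root(pairs, subject):
    """Follow issuer links from subject; return the chain ending at a
    self-signed cert, or None if the issuer is missing or the links loop."""
    by_subject = {p["subject"]: p for p in pairs}
    chain, seen = [], set()
    while subject in by_subject and subject not in seen:
        seen.add(subject)
        chain.append(subject)
        pair = by_subject[subject]
        if pair["issuer"] == pair["subject"]:
            return chain
        subject = pair["issuer"]
    return None


def audit_ca_store(text):
    """Summarise roots, orphans and chain depth; a healthy ISE CA store has
    exactly one self-signed root and no key pair whose issuer is absent."""
    pairs = parse_key_pairs(text)
    roots = sorted(p["subject"] for p in pairs if p["issuer"] == p["subject"])
    report = {"roots": roots, "orphans": [], "depth": {}}
    for pair in pairs:
        chain = chain_to_root(pairs, pair["subject"])
        if chain is None:
            report["orphans"].append(pair["subject"])
        else:
            report["depth"][pair["subject"]] = len(chain)   # Root=1, Sub CA=2, RA=3
    report["single_chain_of_trust"] = len(roots) == 1 and not report["orphans"]
    return report


if __name__ == "__main__":
    for name, listing in [("export", EXPORT_LISTING), ("dual root", DUAL_ROOT_LISTING)]:
        result = audit_ca_store(listing)
        print(f"{name}: roots={len(result['roots'])} "
              f"single_chain_of_trust={result['single_chain_of_trust']}")
```

Run it against the text of a real export listing to confirm a secondary PAN imported the primary's store rather than generating its own root.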
Certificate Authority: ISE CA – Dual Root Phenomenon (Different Chain of Trust)
(diagram: P-PAN, S-PAN, PSNs, each PSN with its Subordinate CA and SCEP RA; the S-PAN is promoted while the P-PAN is down)
• The 4th PSN is added to the deployment while the S-PAN is temporarily the root.
• It now has a different chain of trust!

Certificate Authority: ISE CA – Dual Root Phenomenon (Single Chain of Trust)
(diagram: export the Root CA from the P-PAN and import it into the S-PAN)
• The 4th PSN is added to the deployment while the S-PAN is temporarily the root.
• The S-PAN has the same chain of trust, so the new PSN's Subordinate CA / SCEP RA chains to the same root.

atw-lab-ise/admin# application configure ise
Selection ISE configuration option
<Snip>
[7]Export Internal CA Store
[8]Import Internal CA Store
</Snip>
[12]Exit

Certificate Authority: Do Not Delete ISE CA Certs
• Will revoke the certificate from the CA
 – All endpoint certificates will now be invalid & rejected
 – Cannot undo

BYOD in Practice

BYOD Walk Through: BYOD Onboarding
• Out of the box flow walks users through onboarding.
• Fully customizable user experience with Themes.
• My Devices gives end users control to add and manage their devices.
• Mobile and desktop ready out of the box.
BYOD: Java-Less Provisioning [For Your Reference]
(screenshot)

BYOD: Java-Less Provisioning
• Downloads as DMG
• Double-Click to Run App
(screenshots)

BYOD: Native Supplicant Provisioning (iOS use-case) [For Your Reference]
Participants: Employee (iOS device), PSN (ISE / SCEP Proxy), CA / SCEP Server, RegisteredDevices group.
1. SSID = BYOD-Open / CWA; session in CENTRAL_WEB_AUTH state; HTTPS to the NSP Portal.
2. User clicks Register: Device Registration (endpoint added to RegisteredDevices).
3. ISE sends the CA certificate to the endpoint for trust with OTA.
4. ISE sends the Profile Service to the iOS device (Encrypted Profile Service: https://ISE:8905/auth/OTAMobileConfig?sessionID).
5. Enrollment: a CSR is generated on the iOS device and sent to ISE; ISE forwards it via SCEP to the MS Cert Authority; Device Certificate issued (CN = 74ba333ef6548dfc82054d0c7fec36e6ddddcbf1#employee1, SAN = 00-0a-95-7f-de-06); certificate sent to ISE; ISE sends the Device Certificate to the iOS device.
6. Device Provisioning: a second CSR is sent to ISE; SCEP to the MS Cert Authority; User Certificate issued (CN = Employee, SAN = 00-0a-95-7f-de-06); certificate sent to ISE; ISE sends the User Certificate to the iOS device together with Signing Cert + User Cert: Wi-Fi Profile with EAP-TLS configured.
7. SSID = CTS-CORP / EAP-TLS: the device connects using EAP-TLS; Access-Accept; session in RUN state.

BYOD: NSP (Android use-case) [For Your Reference]
Participants: Employee (Android device), Wireless Controller, PSN (ISE / SCEP Proxy), CA / SCEP Server, Google Play, RegisteredDevices group.
1. SSID = BYOD-Open / CWA; CWA Redirect with Redirect ACL = CWA; session in CENTRAL_WEB_AUTH state.
2. User opens browser: redirect to ISE for CWA; CWA login; CWA login successful / redirect to the NSP Portal.
3. User clicks Register: Device Registration; CoA to WLC; Access-Request; NSP Redirect with Redirect ACL = ALLOW_GOOGLE; session in SUPPLICANT_PROVISIONING state.
4. Browser is redirected to http://play.google.com (Session:DeviceOS=Android); user downloads the Supplicant Provisioning Wizard (SPW) app from the Google Play store, installs it and launches it.
5. The app sends a Redirect Discovery request to ISE (http://DFG/auth/discovery); ISE sends the Device BYOD_Profile to the Android device.
6. Device Provisioning: CSR sent to ISE; SCEP to the MS Cert Authority; User Cert issued (CN = Employee, SAN = 00-0a-95-7f-de-06); certificate sent to ISE; ISE sends the User Certificate to the Android device.
7. SSID = CTS-CORP / EAP-TLS: connect using EAP-TLS; Access-Accept; session in RUN state.

Sample WLC ACL: ALLOW_GOOGLE
permit udp any any dns
permit tcp any <ISE_PSN>
deny ip any <internal_network>
permit tcp any 74.125.0.0 255.255.0.0
permit tcp any 173.194.0.0 255.255.0.0
permit tcp any 206.111.0.0 255.255.0.0
deny ip any any

BYOD Refresher: Native Supplicant Provisioning Flow (Single-SSID Flow)
AuthZ Policy → AuthZ Result: Redirect to NSP Portal → Client Provisioning Policies for OS Type → NSA App or iOS OTA Process (next slide)

BYOD Refresher: Native Supplicant Provisioning Flow
Certificate Template → Native Supplicant Profile → NSA App or Apple OTA → SCEP → Certificate Provisioning & Native Supplicant Profile

New: Windows & iOS Settings in NSP
(screenshot: Native Supplicant Profile TLS-Profile referencing certificate template TLS-template)

BYOD: Renewing Certificates
Renewal        Platform   Works   Comments
Before Expiry  iOS
Before Expiry  Android
Before Expiry  Windows
Before Expiry  Mac OSX
After Expiry   iOS
After Expiry   Android
After Expiry   Windows            Supplicant will not use an expired cert
After Expiry   Mac OSX

BYOD: Allowing Expired Certificates (ISE 1.2.1)
Option to allow expired certs for:
• Pure EAP-TLS
• EAP-TLS as an Inner Method
BYOD: Redirect Expired Certs
(screenshot)

BYOD: Security Practices from the Field
If you can, create an Identity Group for your Corporate Owned Devices.
• May be populated by .CSV import, or REST API
• Uses the Endpoint ID Group for what it was designed to do: MAC Address Management
Provision Different Certificates for Corporate Owned Assets
• Available 1.3+, or if you use MDM to distribute the certificates
Don’t Trust ONLY the Certificate
• That is technically only authenticating the device, not the user

The Opposite of BYOD: How to differentiate corporate provisioned devices?

Corporate versus Personal Assets: Provide differentiated access for IT-managed systems
(decision flow) Start Here → Employee? → Registered Guest? → BYOD Device? → Workstation_Corp? Outcomes: Access-Reject, Internet Only, BYOD-Device, Access-Accept (Endpoint = Corp device, User = Employee).

BYOD: Identifying Corporate Assets using Profiler [For Your Reference]
Using Profiling Attributes based on RADIUS, DNS, DHCP
• RADIUS probe (switch config: radius-server host @IP_ISE key xxxx; ip device tracking): EAP-ID=Uname/PW
• DNS probe (DNS Server): FQDN = jsmith.win7.mycompany.com
• DHCP probe (switch config: interface Vlan20; ip helper-address @IP DHCP server; ip helper-address @IP_ISE): Hostname (12) = jsmith-win7, Client FQDN (81) = jsmith.win7.mycompany.com
• AD Domain = mycompany.com
Multiple probes or probe attributes can produce the required attribute values.
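The next slide builds a Workstation_Corp profile from these attributes (any of DNS FQDN, DHCP client-fqdn or DHCP domain-name in mycompany.com, +20 to the certainty factor, minimum CF 30). As an added example (not from this deck and not ISE code), the script below evaluates that rule over a few constructed endpoints, including the case where a single DHCP attribute is enough and the case where a look-alike domain must not match. The attribute names, the base Workstation CF passed in, and the sample endpoints are assumptions; ISE's real profiler hierarchy is simplified to "corp rule hit and total CF reached".

```python
"""Added example (not from the Cisco Live deck, not ISE code): evaluating the
Workstation_Corp custom profiler rule from probe attributes."""
from typing import Dict, List

CORP_DOMAIN = "mycompany.com"
CORP_BONUS = 20      # "Increase CF by 20"
CORP_MIN_CF = 30     # "Minimum CF=30"

# Attributes the custom rule ORs together and the probe that supplies each
# (attribute names assumed; the slide lists DNS FQDN, DHCP client-fqdn and
# DHCP domain-name). DHCP values are self-reported by the client, so they
# identify an endpoint, they do not authenticate it.
CORP_DOMAIN_ATTRIBUTES = {
    "FQDN": "DNS",           # DNS probe: reverse lookup of the endpoint IP
    "client-fqdn": "DHCP",   # DHCP option 81
    "domain-name": "DHCP",   # DHCP option 15
}


def in_corp_domain(value: str) -> bool:
    """True when value is CORP_DOMAIN or a host under it. A label-aware suffix
    test is used on purpose: a plain substring test would also accept
    'notmycompany.com' or 'mycompany.com.example.net'."""
    v = value.strip().lower().rstrip(".")
    return v == CORP_DOMAIN or v.endswith("." + CORP_DOMAIN)


def corp_matches(attrs: Dict[str, str]) -> List[str]:
    """Names of the OR'ed attributes that place the endpoint in the corp domain."""
    return [name for name in CORP_DOMAIN_ATTRIBUTES
            if name in attrs and in_corp_domain(attrs[name])]


def evaluate(workstation_cf: int, attrs: Dict[str, str]) -> Dict[str, object]:
    """Simplified profiler decision: workstation_cf is the CF the parent
    Workstation profile already reached; the corp rule adds CORP_BONUS when any
    listed attribute matches, and Workstation_Corp is assigned only when the
    total reaches CORP_MIN_CF."""
    hits = corp_matches(attrs)
    cf = workstation_cf + (CORP_BONUS if hits else 0)
    profile = "Workstation_Corp" if hits and cf >= CORP_MIN_CF else "Workstation"
    return {
        "profile": profile,
        "cf": cf,
        "matched": hits,
        "probes": sorted({CORP_DOMAIN_ATTRIBUTES[h] for h in hits}),
    }


# Constructed endpoints: (base Workstation CF, attributes the probes collected).
SAMPLE_ENDPOINTS = {
    "jsmith-win7": (20, {"host-name": "jsmith-win7",
                         "client-fqdn": "jsmith.win7.mycompany.com",
                         "FQDN": "jsmith.win7.mycompany.com"}),
    "dhcp-only": (10, {"host-name": "asset-4471", "domain-name": "mycompany.com"}),
    "home-pc": (30, {"host-name": "bob-pc", "domain-name": "home.lan"}),
    "lookalike": (30, {"host-name": "pc1", "domain-name": "notmycompany.com"}),
    "weak-base": (5, {"domain-name": "mycompany.com"}),
}


def profile_all() -> Dict[str, str]:
    """Profile every sample endpoint; returns name -> assigned profile."""
    return {name: evaluate(cf, attrs)["profile"]
            for name, (cf, attrs) in SAMPLE_ENDPOINTS.items()}
```

The "dhcp-only" endpoint shows the point of the slide's "multiple probes or probe attributes" remark: one DHCP attribute is enough to reach the minimum CF, the DNS probe is not required. The "weak-base" endpoint shows that the +20 bonus alone does not assign the profile when the parent profile's CF is too low.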
BYOD: Identifying Corporate Assets using Profiler
• Custom Profile Workstation_Corp
• Duplicate profile Workstation
• Add rule to match any (OR) of these conditions to mycompany.com:
 – DNS FQDN
 – DHCP client-fqdn
 – DHCP domain-name
• Increase CF by 20
• Minimum CF=30

BYOD: Identifying the Machine AND the User [For Your Reference]
Real Customer Example: Custom DHCP Attribute & use of Profiler
C:\>ipconfig /setclassid "Local Area Connection" CorpXYZ
Windows IP Configuration
DHCP ClassId successfully modified for adapter "Local Area Connection"
http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx

BYOD: Identifying Corporate Assets using Posture – Check for Domain Attribute
• ISE Posture checks the Windows registry for the domain value.
 – Ex: mycompany.com.

BYOD: Identifying Corporate Assets using Posture – Check for Unique Corp Attributes [For Your Reference]
• ISE Posture checks the registry for pre-populated or unique entries.
 – Example: Check for key Terces with value YNAPMOC under HKLM\SOFTWARE\Microsoft\Bmurc\Daerb\
• Optional Checks:
 – Files unique to the corporate image
 – Applications / services specific to the organization’s SOE (SOE = Standard Operating Environment)

BYOD: Identity Certificates – Non-Exportable Certificate (Private Key) [For Your Reference]
• Assumption is that the certificate is locked to the trusted device
• Determined/knowledgeable users can often find ways to export.
• Server: Windows CA Server > MMC > Certificate Templates: the template does not allow the private key to be exported.
• Client: Windows Client > User Certificate Store: if you attempt to export the certificate, you are not given the option to export the private key (required for import into another client).

BYOD: Identifying the Machine AND the User – Machine Access Restrictions (MAR)
• MAR provides a mechanism for the RADIUS server to search the previous authentications and look for a machine authentication with the same Calling-Station-ID.
• This means the machine must authenticate before the user.
 – i.e. Must log out, not use hibernate, etc.
• See the reference slides for more possible limitations.

BYOD: Machine Access Restrictions (MAR)
Rule Name    Conditions                                     Permissions
IP Phones    if Cisco-IP-Phone                              then Cisco_IP_Phone
MachineAuth  if Domain Computers                            then MachineAuth
Employee     if Employee & WasMachineAuthenticated = true   then Employee
GUEST        if GUEST                                       then GUEST
Default      If no matches                                  then WEBAUTH

Flow 1 (machine authentication), switchport → NAD → PSN:
RADIUS Access-Request [EAP-ID=CorpXP-1]
Matched Rule = MachineAuth
RADIUS Access-Accept [cisco-av-pair] = dACL=Permit-All
MAR Cache: Calling-Station-ID 00:11:22:33:44:55 – Passed

Flow 2 (user authentication from the same Calling-Station-ID):
EAPoL Start
RADIUS Access-Request [EAP-ID = Employee1]
Matched Rule = Employee
RADIUS Access-Accept [cisco-av-pair] = dACL=Permit-All
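The two flows above hinge on a cache entry keyed by Calling-Station-ID that lives on the PSN which saw the machine authentication. As an added example (not from this deck and not ISE code), the model below replays the slide's rule table over a few request sequences so the behaviour of that cache can be checked: the happy path, a wired-to-wireless move, a second PSN, a cache timeout and a PSN restart. The rule names, the MAC 00:11:22:33:44:55 and the identities CorpXP-1 / Employee1 come from the slides; the cache lifetime, the wireless MAC, the second PSN and the directory sets are constructed.

```python
"""Added example (not from the Cisco Live deck, not ISE code): a model of the
MAR lookup keyed on Calling-Station-ID, with its per-PSN, non-persistent cache."""
from dataclasses import dataclass, field
from typing import Dict, List

MAR_CACHE_SECONDS = 8 * 3600   # assumed cache lifetime; the real value is an ISE setting

# Constructed directory data.
DOMAIN_COMPUTERS = {"host/CorpXP-1"}
EMPLOYEES = {"Employee1"}
GUESTS = {"guest42"}


@dataclass
class Request:
    calling_station_id: str   # MAC address the NAD reports for the endpoint
    eap_identity: str
    at: int                   # seconds since the start of the scenario


@dataclass
class PolicyServiceNode:
    """One PSN. The MAR cache is local to the node: not replicated, not persistent."""
    name: str
    mar_cache: Dict[str, int] = field(default_factory=dict)  # MAC -> time of machine auth

    def was_machine_authenticated(self, mac: str, now: int) -> bool:
        seen = self.mar_cache.get(mac)
        return seen is not None and now - seen <= MAR_CACHE_SECONDS

    def authorize(self, req: Request) -> str:
        """First-match evaluation of the slide's rule table (IP Phones omitted).
        The lookup knows only the MAC, so it cannot tell which device sent
        the user authentication."""
        mac = req.calling_station_id.lower()
        if req.eap_identity in DOMAIN_COMPUTERS:          # MachineAuth rule
            self.mar_cache[mac] = req.at                  # "Passed" entry in the MAR cache
            return "MachineAuth"
        if req.eap_identity in EMPLOYEES and self.was_machine_authenticated(mac, req.at):
            return "Employee"                             # Employee & WasMachineAuthenticated = true
        if req.eap_identity in GUESTS:
            return "GUEST"
        return "WEBAUTH"                                  # Default: no matches

    def reboot(self) -> None:
        self.mar_cache.clear()                            # the cache does not survive a restart


WIRED_MAC = "00:11:22:33:44:55"
WIFI_MAC = "00:11:22:33:44:66"   # constructed: the same laptop's wireless adapter


def run(psn_for_each: List[PolicyServiceNode], requests: List[Request]) -> List[str]:
    """Feed each request to the PSN chosen for it; return the matched rules."""
    return [psn.authorize(req) for psn, req in zip(psn_for_each, requests)]


def scenario_same_port() -> List[str]:
    psn = PolicyServiceNode("psn1")
    reqs = [Request(WIRED_MAC, "host/CorpXP-1", 0), Request(WIRED_MAC, "Employee1", 60)]
    return run([psn, psn], reqs)        # machine first, then user: Employee


def scenario_wired_to_wireless() -> List[str]:
    psn = PolicyServiceNode("psn1")
    reqs = [Request(WIRED_MAC, "host/CorpXP-1", 0), Request(WIFI_MAC, "Employee1", 60)]
    return run([psn, psn], reqs)        # MAC changed: linkage lost, user lands on WEBAUTH


def scenario_other_psn() -> List[str]:
    psn1, psn2 = PolicyServiceNode("psn1"), PolicyServiceNode("psn2")
    reqs = [Request(WIRED_MAC, "host/CorpXP-1", 0), Request(WIRED_MAC, "Employee1", 60)]
    return run([psn1, psn2], reqs)      # cache is not replicated between PSNs


def scenario_next_day() -> List[str]:
    psn = PolicyServiceNode("psn1")
    reqs = [Request(WIRED_MAC, "host/CorpXP-1", 0), Request(WIRED_MAC, "Employee1", 9 * 3600)]
    return run([psn, psn], reqs)        # entry timed out


def scenario_psn_reboot() -> List[str]:
    psn = PolicyServiceNode("psn1")
    first = psn.authorize(Request(WIRED_MAC, "host/CorpXP-1", 0))
    psn.reboot()
    second = psn.authorize(Request(WIRED_MAC, "Employee1", 60))
    return [first, second]              # cache cleared by the restart
```

Each scenario returns the matched rule per request; only the first one yields Employee on the second request, which is why the deck recommends EAP-Chaining where the supplicant supports it.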
BYOD: Machine Access Restrictions (MAR) – Potential Issues with MAR
– Wired/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine and user authentication; the MAC address will change when a laptop moves from wired to wireless, breaking the MAR linkage.
– Machine state caching: The state cache of previous machine authentications is neither persistent across PSN reboots nor replicated amongst PSN nodes.
– Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different location, or comes back into the office the following day, where the machine auth cache is not present in the new RADIUS server or has timed out.
– Spoofing: Linkage between user authentication and machine authentication is tied to the MAC address only. It is possible for an endpoint to pass user authentication only, using the MAC address of a previously machine-authenticated endpoint.

BYOD: Identifying the Machine AND the User – The Next Chapter of Authentication: EAP-Chaining
• The IETF working group has published a standard on Tunneled EAP (TEAP).
 – Next-generation EAP method that provides all benefits of current EAP types.
 – Also provides EAP-Chaining.
 – RFC 7170 http://www.rfc-editor.org/rfc/rfc7170.txt
• Cisco has done it before TEAP is ready
 – EAP-FASTv2
 – AnyConnect 3.1
 – Identity Services Engine 1.1.1 (1.1 Minor Release)

BYOD: EAP-Chaining (With AnyConnect 3.1.1 and ISE 1.1.1)
Rule Name    Conditions                                                                    Permissions
IP Phones    if Cisco-IP-Phone                                                             then Cisco_IP_Phone
MachineAuth  if Domain Computers                                                           then MachineAuth
Employee     if Employee & Network Access:EAPChainingResult = User and machine succeeded   then Employee
GUEST        if GUEST                                                                      then GUEST
Default      If no matches                                                                 then WEBAUTH

Steps 1–2: Machine Authenticates; ISE Issues Machine AuthZ PAC
EAPoL Start
RADIUS Access-Request [EAP-Tunnel = FAST]
RADIUS Access-Challenge [EAP-TLV = “Machine”] → EAP-Request:TLV to the supplicant
EAP-Response TLV = “Machine”
RADIUS Access-Request [EAP-TLV= “Machine”] [EAP-ID=Corp-Win7-1]
RADIUS Access-Accept (Machine AuthZ PAC issued)
EAP Success

Steps 3–5: User Authenticates; ISE receives Machine PAC; ISE issues User AuthZ PAC
EAPoL Start
RADIUS Access-Request [EAP-Tunnel = FAST] (Machine PAC presented)
RADIUS Access-Challenge [EAP-TLV = “Machine”] → EAP-Request:TLV to the supplicant
EAP-Response TLV = “User”
RADIUS Access-Request [EAP-TLV= “User”] [EAP-ID=Employee1]
RADIUS Access-Accept (User AuthZ PAC issued)
EAP Success

BYOD: EAP-Chaining FAQ [For Your Reference]
Q: I use MSChapV2 today, can I use that with EAP-Chaining?
A: TEAP & EAP-FAST are tunneled EAP methodologies; you may use whichever inner methods you would like, as long as both the supplicant and RADIUS server support the protocol(s). I.e.: EAP-TLS, EAP-MSChapV2, EAP-GTC.
Q: What Supplicants Support EAP-Chaining Today?
A: Today, only Cisco AnyConnect NAM has support through EAP-FASTv2. Please talk to your OS vendors about supporting TEAP in their native supplicants!
Q: Can I chain certificates with username/pwd’s?
A: Yes! You may mix and match the machine and user credential types however you see fit. i.e.: Machine Certificates + User Certificates, or Machine Certificates + Username/PWDs, or Machine Passwords + Username/PWDs, etc.

BYOD: Identifying the Machine AND the User – What to do when EAP-Chaining is not Available?
• There are many needs to determine the Machine AND the User
 – Windows is the only current OS that can run EAP-Chaining (with AnyConnect)
 – What about iOS or Android based tablets?
• Chain together 802.1X with Centralized Web Authentication (CWA)
 – Can validate the device using a user-issued certificate
 – Will validate the ‘actual user’ with username/password or smartcard or another method that validates the user

BYOD: Mobile Device w/ Certificate – What Identifies the Actual User?
(figure: mobile device with certificate)

802.1X and CWA Chaining
Rule Name     Conditions                                                          Permissions
IP Phones     if Cisco-IP-Phone                                                   then Cisco_IP_Phone
Employee_CWA  if AD:ExternalGroup=Employees AND CWA:CWA_ExternalGroup=Employees   then Employee & SGT
Employee_1X   if Employee & Network Access:EAPAuthentication = EAP-TLS            then CWAchain
Default       If no matches                                                       then WEBAUTH

Steps 1–2: EAP-TLS Authentication; ISE sends Access-Accept w/ URL-Redirect
EAP-ID Response → RADIUS Access-Request [EAP-Protocol= “TLS”]
PSN: CN=employee1 || Cert is Valid; Session Data: User Identity = employee1, User Group = employees
RADIUS Access-Accept [AVP:url-redirect, dacl]

Steps 3–4: User enters Uname/PWD (BobSmith / xxxxxxxxx); ISE sends CoA-reauth
RADIUS CoA [AVP:reauth]
Session Data now also holds CWA Identity = BobSmith, CWA Group = employees

Steps 5–6: Supplicant responds with Cert; ISE sends Accept, dACL & SGT
EAP-ID Req → EAP-ID Response → RADIUS Access-Request [EAP-Protocol= “TLS”]
PSN: CN=employee1 || Cert is Valid; Session Data: User Identity = employee1, User Group = employees, CWA Identity = BobSmith, CWA Group = employees
RADIUS Access-Accept [AVP: dacl + SGT] → Access-Granted

BYOD: Following the Flow
1. Initial EAP-TLS Auth: Redirection to CWA Portal
2. WebAuth from User: CoA (not required to be a different username)
3. Final Auth with Full Result: Final Authorization
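The chaining above works only because the second EAP-TLS pass is evaluated against a session that now carries the CWA identity, and because Employee_CWA sits above Employee_1X in the table. As an added example (not from this deck and not ISE code), the script below runs a first-match evaluation of those three rules across both passes, and also shows what happens when the web login is by a non-employee or when the certificate identity is not an employee. Rule names, conditions, permissions and the identities employee1 / BobSmith come from the slides; the directory dictionary, the session layout and the extra identities visitor7 / contractor9 are constructed.

```python
"""Added example (not from the Cisco Live deck, not ISE code): first-match
evaluation of the 802.1X + CWA chaining policy across its two passes."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed directory: identity -> external group (AD for certificate
# identities, the same directory answering the CWA login).
GROUPS = {"employee1": "Employees", "BobSmith": "Employees", "visitor7": "Guests"}

Session = Dict[str, Optional[str]]
Rule = Tuple[str, Callable[[Session], bool], str]

RULES: List[Rule] = [
    ("IP Phones",
     lambda s: s.get("device") == "Cisco-IP-Phone",
     "Cisco_IP_Phone"),
    ("Employee_CWA",   # AD:ExternalGroup=Employees AND CWA:CWA_ExternalGroup=Employees
     lambda s: s.get("user_group") == "Employees" and s.get("cwa_group") == "Employees",
     "Employee & SGT"),
    ("Employee_1X",    # Employee & Network Access:EAPAuthentication = EAP-TLS
     lambda s: s.get("user_group") == "Employees" and s.get("eap_authentication") == "EAP-TLS",
     "CWAchain"),      # Access-Accept with url-redirect + dACL: send the user to the CWA portal
    ("Default", lambda s: True, "WEBAUTH"),
]


def authorize(session: Session) -> Tuple[str, str]:
    """Return (matched rule name, permission) for the first rule whose
    condition holds. Employee_CWA sits above Employee_1X on purpose: once the
    CWA login is in the session the more specific rule must win, or the user
    would be redirected to the portal again."""
    for name, condition, permission in RULES:
        if condition(session):
            return name, permission
    raise AssertionError("unreachable: Default always matches")


def eap_tls_pass(session: Session, cert_cn: str) -> Tuple[str, str]:
    """Steps 1-2 and 5-6: the supplicant presents a valid client certificate;
    ISE records the certificate identity and its AD group in the session."""
    session["user_identity"] = cert_cn
    session["user_group"] = GROUPS.get(cert_cn)
    session["eap_authentication"] = "EAP-TLS"
    return authorize(session)


def cwa_login(session: Session, username: str) -> Session:
    """Step 3: the user types credentials on the CWA portal. Step 4 (CoA-reauth)
    then makes the supplicant re-run EAP-TLS against the enriched session."""
    session["cwa_identity"] = username
    session["cwa_group"] = GROUPS.get(username)
    return session


def chain_flow(cert_cn: str, web_user: str) -> Tuple[Tuple[str, str], Tuple[str, str], Session]:
    """The whole chain for one device: results of both passes plus the final session."""
    session: Session = {}
    first = eap_tls_pass(session, cert_cn)     # expected: Employee_1X -> CWAchain (url-redirect)
    cwa_login(session, web_user)               # CWA Identity / CWA Group added
    second = eap_tls_pass(session, cert_cn)    # after CoA-reauth, same certificate again
    return first, second, session
```

A web login by someone outside the Employees group leaves the device on the CWAchain result, i.e. it is redirected to the portal again rather than granted the SGT; and a certificate whose identity is not an employee never reaches either Employee rule.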
Non-Cisco NAD Integration

Deployment: ISE and Endpoint Lookup
• ISE maintains a separate User and Endpoint “store”.
 – The user store may be queried at any time.
• By default, the endpoint store may only be accessed if the incoming request was identified as MAB (Service-Type = Call-Check)
 – ISE also ignores the username/password fields and uses the Calling-Station-ID (MAC address of the endpoint)
• Why?
 – Security! Before this, malicious users would be able to put a MAC address into the username & password fields of WebAuth (or, on non-Cisco switches, even into the supplicant identity).

Deployment: Why Restrict MAB to Calling-Station-ID?
RADIUS Access-Request: uname: 11:22:33:44:55:66 | pwd: 11:22:33:44:55:66
Internal IDs are a mix of Users & Endpoints; 11:22:33:44:55:66 exists as an endpoint.
Note: It is possible to configure a supplicant for the same thing!

Deployment: Cisco MAB – MAC Authentication Bypass
RADIUS Access-Request: Users = MAB = MAC; lookup goes to Endpoints

Deployment: 3rd-Party Devices and MAB
• Many 3rd parties use Service-Type = Login for 802.1X, MAB and WebAuth
• Some 3rd parties do not populate Calling-Station-ID with the MAC address.
• With ISE 1.2, MAB can work with different Service-Type, Calling-Station-ID values, and “password” settings.
Recommendation is to keep as many checkboxes enabled as possible for increased security.
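The three slides above describe one gate (Service-Type = Call-Check, MAC taken from Calling-Station-ID, username/password ignored) and the three relaxations ISE 1.2 allows per network device group. As an added example (not from this deck and not ISE code), the model below applies that gate to four constructed requests under the default settings and under the fully relaxed settings, which makes visible why the deck recommends leaving as many checkboxes enabled as possible. The request fields and sample stores are constructed, and the semantics of the "password" checkbox (password must equal the MAC) is an assumption.

```python
"""Added example (not from the Cisco Live deck, not ISE code): a model of the
gate in front of the endpoint store and the per-NAD MAB relaxations."""
import re
from dataclasses import dataclass
from typing import Dict, Optional


def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Accept 11:22:33:44:55:66, 11-22-33-44-55-66 or 1122.3344.5566; return 12
    lowercase hex digits, or None when the value is not a MAC address."""
    if not value:
        return None
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


@dataclass(frozen=True)
class HostLookupSettings:
    """The MAB checkboxes per Network Device Group. All True is the default and
    the most restrictive; the third-party slides uncheck some of them."""
    require_call_check: bool = True          # Service-Type must be Call-Check
    require_calling_station_id: bool = True  # MAC is taken from Calling-Station-ID
    check_password: bool = True              # password must equal the MAC (assumed semantics)


DEFAULT = HostLookupSettings()
LOGIN_AS_MAB = HostLookupSettings(require_call_check=False)
UNCHECK_BOTH = HostLookupSettings(require_call_check=False,
                                  require_calling_station_id=False,
                                  check_password=False)


@dataclass(frozen=True)
class Request:
    service_type: str              # "Call-Check", "Login", ...
    username: Optional[str]
    password: Optional[str]
    calling_station_id: Optional[str]


# Constructed identity stores: MAC -> endpoint group, username -> user group.
ENDPOINTS = {"1122334455aa": "Printers"}
USERS = {"jsmith": "Employees"}


def classify(req: Request, settings: HostLookupSettings) -> Dict[str, Optional[str]]:
    """Decide which store the request may consult and what it resolves to."""
    is_host_lookup = req.service_type == "Call-Check" or (
        not settings.require_call_check and normalize_mac(req.username) is not None)
    if not is_host_lookup:
        # The endpoint store is never consulted: the username goes to the user
        # identity sources, so a MAC typed into a WebAuth form is just an unknown user.
        return {"store": "users", "identity": req.username,
                "result": USERS.get(req.username or "", "reject"), "reason": None}
    if settings.require_calling_station_id:
        mac = normalize_mac(req.calling_station_id)   # value filled in by the NAD
        reason = "Calling-Station-ID is not a MAC address"
    else:
        mac = normalize_mac(req.username)             # relaxed: trust the username field
        reason = "username is not a MAC address"
    if mac is None:
        return {"store": "endpoints", "identity": None, "result": "reject", "reason": reason}
    if settings.check_password and normalize_mac(req.password) != mac:
        return {"store": "endpoints", "identity": mac, "result": "reject",
                "reason": "password does not equal the MAC"}
    return {"store": "endpoints", "identity": mac,
            "result": ENDPOINTS.get(mac, "reject"), "reason": None}


# Constructed requests. Calling-Station-ID is what the NAD reports, not what the client typed.
SAMPLES = {
    "cisco_mab": Request("Call-Check", "11-22-33-44-55-aa", "11-22-33-44-55-aa", "11-22-33-44-55-AA"),
    "user_login": Request("Login", "jsmith", "s3cret", "de:ad:be:ef:00:01"),
    # WebAuth form with a printer's MAC typed into both fields (the case the slide describes).
    "mac_in_webauth": Request("Login", "11:22:33:44:55:aa", "11:22:33:44:55:aa", "de:ad:be:ef:00:01"),
    # Third-party switch sending MAB as Service-Type=Login with no MAC in Calling-Station-ID.
    "third_party_mab": Request("Login", "1122.3344.55aa", "1122.3344.55aa", None),
}


def results(settings: HostLookupSettings) -> Dict[str, Optional[str]]:
    """Resolution of every sample request under one settings object."""
    return {name: classify(req, settings)["result"] for name, req in SAMPLES.items()}
```

Under `DEFAULT` the third-party switch's MAB request is rejected (it never reaches the endpoint store), which is the interoperability problem the slide raises; under `UNCHECK_BOTH` it works, but the WebAuth form with a MAC typed into it now resolves to the printer's endpoint group as well. `LOGIN_AS_MAB` keeps the Calling-Station-ID check and so rejects the form while still treating Login-typed requests as host lookups.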
Deployment: Set up a Policy Set for 3rd Party NADs
• Create a separate Policy Set for 3rd Party devices, to keep a clean policy table and separate unrelated policy results
• Use Network Device Groups to make the distinction

Deployment – Example: Nortel & Alcatel Authentication Policy
• Network Device Group = “Nortel”
• For “better” security, lock PAP & CHAP into MAB lookups (Internal Endpoints)
• All other authentications are sent to an Identity Sequence (Internal Users > Guest > AD)

Deployment – Example: Rest of 3rd Party Authentication Policy
• Network Device Group = “Third Party”
• Deny non-matches
• For “better” security, lock PAP & CHAP into MAB lookups (Internal Endpoints)
• All other authentications are sent to an Identity Sequence (Internal Users > Guest > AD)

Deployment: Third Party Vendor VSA Attributes
• You may import other RADIUS Dictionaries into ISE: Policy > Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors
• Dictionaries for FreeRADIUS will work

Deployment: Authorization Profiles for Third Party
• Go to “Advanced Attribute Settings” to use the 3rd Party Dictionaries
Deployment: 3rd-Party MAB Configuration Examples [For Your Reference]
• Alcatel Switch: uncheck both Calling-Station-ID & Password
• Juniper EX Switch: leave Calling-Station-ID & Password checked
• HP (H3C) Switch: uncheck Calling-Station-ID, leave Password checked
• Avaya (Nortel) Switch: uncheck both Calling-Station-ID & Password
• RuggedCom Switch: uncheck Calling-Station-ID, leave Password checked
To set VLAN:
Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Tunnel-Private-Group-ID = 100

BYOD Onboarding for 3rd Party NADs

Deployment: Using a Cisco Catalyst Switch as Inline PEP
Participants: 3rd Party NAD → Catalyst Switch (port configured as access port + multi-auth) → PSN
1. Join Open SSID
2. Browse: RADIUS Access-Request [USER=1122.3344.5566] (MAB); RADIUS Access-Accept [cisco-av-pair] = url-redirect; the HTTP request is redirected to the PSN; submit credentials (CWA)
3. WebAuth
4. NSP: Native Supplicant Provisioning Process
5. Join Corp SSID: 802.1X devices are authorized to a different VLAN / Port (Dot1X)
Caution:
• Each switch will vary in its resource limits that impact scaling
• In general, limit endpoint sessions per port to a few.

Deployment: Using a Cisco Catalyst Switch as Inline PEP (guest variant) [For Your Reference]
1. Join Open SSID
2. Browse: RADIUS Access-Request [USER=1122.3344.5566] (MAB); RADIUS Access-Accept [cisco-av-pair] = url-redirect; the HTTP request is redirected to the PSN; submit credentials (CWA)
3. WebAuth: RADIUS CoA - reauth; RADIUS Access-Request [USER=1122.3344.5566]; RADIUS Access-Accept [cisco-av-pair] = dACL=inetOnly
4. GUEST Access Granted

Details on the 3rd Party On-Boarding Process [For Your Reference]
interface X
 description For 3rd Party OnBoarding
 switchport access vlan 41
 switchport mode access
 switchport voice vlan 99
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 2274
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 spanning-tree portfast
 ip dhcp snooping information option allow-untrusted
end
Notes on this configuration:
• authentication host-mode multi-auth: to authenticate virtually unlimited endpoints
• authentication order mab dot1x: since 99.9999% is MAB, try MAB first
• dot1x timeout quiet-period 300: will clear the mac-address after 5 minutes
• Provisioning from the CWA flow is enabled

Deployment: 3rd Party Onboarding, WLC Configuration
• Dedicated Physical Port
• Open WLAN

Deployment: Inline Posture Node [For Your Reference]
Special ISE Node deployed behind a RADIUS NAD for POSTURE ONLY!
• IPN provides key functions to support Posture behind 3rd-party access devices:
 – RADIUS Proxy
 – URL Redirection for Client Provisioning, Discovery, and Posture Assessment
 – dACLs for traffic enforcement
 – CoA to apply new access policy after posture state change
VPN Example: VPN User → Internet → 3rd Party VPN → ISE Inline Posture Node (eth0 / eth1) → L3 Switch → Trusted Network (Wired). Policy Services: 1) RADIUS auth for VPN headend, 2) Auth/Posture for Inline Posture Node.
Wireless Example (Entry Point for Third Party Wireless): Wireless User → AP → Controller → ISE Inline Posture Node (eth0 / eth1) → L3 Switch. Policy Services: 1) 802.1X auth for WLC, 2) Auth/Posture for Inline Posture Node.

ISE in a Security EcoSystem

Using ISE in a Security EcoSystem
(diagram: Endpoints, Access, Distribution, Edge, Branch, Mobile Provider, Guest, Campus, Internet, Data Center; a “Bad USB” endpoint; ISE shares context over pxGrid and EPS with Lancope StealthWatch, which collects NetFlow)

SourceFire Nation Remediation Plugins
• Modules are BETA
• Community Supported
• Not TAC Supported
https://supportforums.cisco.com/community/12226126/sourcefire-api#quicktabs-community_activity=1

Add the Remediation Module to FireSIGHT
(screenshot)

FireSIGHT to ISE Remediation Explained
• The Remediation API supports programmatic responses to ‘Correlation Rules’ in the FireSIGHT Management Center
• The ISE Remediation Module is uploaded to the FireSIGHT Management Center
• The user defines rules on one or more triggering conditions, i.e., Malware, IPS, connection, application events etc.
• Multiple actions can be configured to initiate different responses from ISE
• Quarantining or disconnecting the user are among the possible actions
• Module download here: ISE 1.2 Rem Module (ISE - Dynamic Network Control)

Splunk ISE App
http://apps.splunk.com/app/1589
Lancope StealthWatch
Monitor Mode
• Open Mode, Multi-Auth
• Unobstructed Access
• No impact on productivity
• Profiling, posture assessment
• Gain Visibility
ISE sends its Authenticated Session Table via syslog to the StealthWatch Management Console, which can:
• Maintain a historical session table
• Correlate NetFlow to username
• Build user-centric reports

Serviceability: ISE 1.3

Serviceability User Stories
• To make ISE easier to troubleshoot
• To make ISE easier to deploy
• To make ISE easier to use

Serviceability: Tree View
(screenshots: tree view of AuthC Protocols and Identity Store)

Serviceability: Filters in Live Log & Live Sessions
• At Long Last! Regex in Filters

Serviceability: Right Click in Live Log & Live Sessions
• Adds Right-Click > Copy for the Endpoint ID & Identity fields in Live Log

Serviceability: Debug Endpoint
• Creates a debug file of all activity for all services related to that specific endpoint
• Executed and stored per PSN
• Can be downloaded as separate files per PSN
• Or merged as a single file
Serviceability: Off-Line Examination of Configuration
• Exportable Policy
• Quick Link to Export Page

Serviceability: Exports as XML
(screenshot)

Serviceability: VMware OVA Templates!
• Finally! We have supported OVA Templates
• Ensures customers will not mis-configure their VMware settings
 – Preset: Reservations, vCPUs, Storage
• Based on the following specs:
ISE-1.3.x.x-Eval-100-endpoint.ova: 4 CPU cores, 4 GB RAM, 200 GB disk, 4 NICs
ISE-1.3.x.x-Virtual-SNS-3415.ova: 4 CPU cores, 16 GB RAM, 600 GB disk, 4 NICs
ISE-1.3.x.x-Virtual-SNS-3495.ova: 8 CPU cores, 32 GB RAM, 600 GB disk, 4 NICs

Serviceability: Tabular View of Processes
(screenshot)

Policy Tips & Tricks: Combining AND with OR in AuthZ Policies [For Your Reference]
• Cannot Mix??
• Advanced Editing: Advanced Editor
• Advanced Editing: Simple Conditions
Staged Deployments

Phased Deployments: Monitor Mode Policies
• BE CAREFUL
• Monitor Mode needs to keep Authorization Results simple
 – Access-Accept / Reject
 – For Phones, needs: Voice Domain also
• Local Authorizations Still Possible (be careful):

Good for Monitor Mode:
interface X
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 11
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication violation restrict

Dangerous for Monitor Mode:
interface X
 authentication event fail action authorize vlan 4096
 authentication event server dead action reinitialize vlan 11
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication violation restrict

Phased Deployments: Moving from Monitor to Low-Impact Mode
• Monitor Mode
interface GigabitEthernet1/0/1
 authentication open
 mab
 dot1x pae authenticator

Rule Name   Conditions               Permissions
IP Phones   if Cisco-IP-Phone        then Cisco_IP_Phone
BYOD        if BYOD and Employee     then Employee
Non_AuthZ   if i-device or Android   then GUEST
Contractor  if Contractor            then Contractor
Employee    if Employee              then Employee
Default     If no matches            then Deny Access

Flow (no supplicant), switchport → NAD → PSN: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]; MAC-Addr is Unknown… Continue to AuthZ table; Matched Rule = Default; RADIUS Access-Reject

Phased Deployments: Moving from Monitor to Low-Impact
• Low-Impact
interface GigabitEthernet1/0/1
 authentication open
 mab
 dot1x pae authenticator
 ip access-group ACL-DEFAULT in

Rule Name   Conditions               Permissions
IP Phones   if Cisco-IP-Phone        then Cisco_IP_Phone
BYOD        if BYOD and Employee     then Employee
Non_AuthZ   if i-device or Android   then GUEST
Contractor  if Contractor            then Contractor
Employee    if Employee              then Employee
Default     If no matches            then WEBAUTH

Flow (no supplicant), switchport → NAD → PSN: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]; MAC-Addr is Unknown… Continue to AuthZ table; Matched Rule = Default; RADIUS Access-Accept [AVP:url-redirect, dacl]

Phased Deployments: Network Device Groups – Organize & Why use them
• Creation of many
• A little up-front work can really help you get specific in your policies.
• Organize by:
 – Device Type
  • Wired / Wireless / Firewall / VPN
  • OEAP / CVO
 – Place in Network
  • Access-Layer / Data Center
 – Geographic Location

Phased Deployments: Moving from Monitor to Low-Impact
• Low-Impact: An Entire Switch at a Time
• Create a Network Device Group for all Switches that will use Low-Impact.
Phased Deployments: Moving from Monitor to Low-Impact (For Your Reference)
• Low-Impact: an entire switch at a time

Switchport configuration (NAD) on the staged switch:
  interface GigabitEthernet1/0/1
   authentication open
   mab
   dot1x pae authenticator
   ip access-group ACL-DEFAULT in

Authorization policy (PSN): a Conf_Rooms rule keyed on the Network Device Group sits between the identity rules and Default
  Rule Name  | Conditions                              | Permissions
  IP Phones  | if Cisco-IP-Phone                       | then Cisco_IP_Phone
  BYOD       | if BYOD and Employee                    | then Employee
  Non_AuthZ  | if i-device or Android                  | then GUEST
  Contractor | if Contractor                           | then Contractor
  Employee   | if Employee                             | then Employee
  Conf_Rooms | if DEVICE:Stage EQUALS Stage#LowImpact  | then WEBAUTH
  Default    | if no matches                           | then Deny Access

Flow: MAB Access-Request [AVP: 00.0a.95.7f.de.06] from a no-supplicant endpoint; the MAC is unknown, so the PSN continues to the AuthZ table; the matched rule is Conf_Rooms because the NAD belongs to the Stage#LowImpact group; the PSN returns RADIUS Access-Accept [AVP: url-redirect, dacl]. All other switches will still be in Monitor Mode: their unknown endpoints fall through to Default = Deny Access!

Phased Deployments: ISE 1.2: Policy Sets (ISE 1.2+, For Your Reference)
• A separate set of policies (Authentication Policy and Authorization Policy) for each mode of deployment

Phased Deployments: Moving from Monitor to Low-Impact
• Specifying NAD + Interfaces in the AuthZ Policy
• When you are willing to enable it a switch at a time, it is easy.
  – Most want to enable it a port at a time (conference rooms only, for example).
• How can we identify which port(s) should be treated differently?
  – We can build a static list of switches and their ports
  – This requires one AuthZ rule line per switch
Phased Deployments: Moving from Monitor to Low-Impact (For Your Reference)
• "mab eap" Trick of the Trade
• What is "mab eap"?
  – An option of the MAB configuration that uses EAP-MD5, instead of PAP, to transmit the MAB data (the MAC address).
• Behaviour with ISE is the same.
  – We can use this as a differentiator for ports that should be in Low-Impact.
  C3750X(config-if)#mab ?
    eap   Use EAP authentication for MAC Auth Bypass
    <cr>
  C3750X(config-if)#mab eap
  C3750X(config-if)#description Conference Room B
• Available with ISE 1.1+ (*the Catalyst 6500 added support in SXJ4)

Phased Deployments: Moving from Monitor to Low-Impact
• MAB EAP Trick of the Trade
• Policy > Policy Elements > Results > Authentication > Allowed Protocols:
  – Allow EAP-MD5
  – Detect EAP-MD5 as Host Lookup
• Note: best practice is to never modify default objects; copy the default Allowed Protocols object and edit the copy.

Phased Deployments: Moving from Monitor to Low-Impact
• MAB EAP Trick of the Trade

Switchport configuration (NAD): only the conference-room port gets "mab eap"
  interface GigabitEthernet1/0/1
   authentication open
   mab eap
   dot1x pae authenticator
   ip access-group ACL-DEFAULT in

Authorization policy (PSN): the Conf_Rooms rule now keys on the EAP method instead of the device group
  Rule Name  | Conditions                                          | Permissions
  IP Phones  | if Cisco-IP-Phone                                   | then Cisco_IP_Phone
  BYOD       | if BYOD and Employee                                | then Employee
  Non_AuthZ  | if i-device or Android                              | then GUEST
  Contractor | if Contractor                                       | then Contractor
  Employee   | if Employee                                         | then Employee
  Conf_Rooms | if Network Access:EapAuthentication EQUALS EAP-MD5  | then WEBAUTH
  Default    | if no matches                                       | then Deny Access

Flow: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06] carried in EAP-MD5 from a no-supplicant endpoint; the MAC is unknown, so the PSN continues to the AuthZ table; the matched rule is Conf_Rooms; the PSN returns RADIUS Access-Accept [AVP: url-redirect, dacl]. All other switches, and all ports without "mab eap", will still be in Monitor Mode!

Phased Deployments: Packet Capture (For Your Reference)
• Comparing MAB to MAB EAP: side-by-side captures of a plain MAB request and a MAB EAP request for the same endpoint (screenshots not reproduced here).
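The four rule tables above (Monitor, Low-Impact, Low-Impact one switch at a time via the Stage#LowImpact device group, and Low-Impact one port at a time via "mab eap") modelled as a first-match evaluator. This is an added example, not code from the deck or from ISE: the request-context field names (profile, groups, nad_ndg, eap_authentication, calling_station_id), the WEBAUTH redirect URL and the dACL name are assumptions. It also makes explicit the check that "Detect EAP-MD5 as Host Lookup" implies: the EAP-MD5 rule only fires when the EAP identity is the endpoint's own MAC, so a genuine EAP-MD5 user authentication is not misrouted into web authentication.

```python
"""Model of the ISE authorization (AuthZ) rule table used during a phased deployment.

Added example, not code from the Cisco deck: the rule names, conditions and
permissions mirror the slides; the request-context field names, the WEBAUTH
URL/dACL values and the helper names are assumptions.
"""
import re

# Authorization results as the RADIUS answer the PSN sends back to the NAD.
DENY = {"result": "Access-Reject", "avps": {}}
WEBAUTH = {"result": "Access-Accept",                                            # url-redirect + dacl
           "avps": {"url-redirect": "https://ise.example.com:8443/guestportal",  # assumed
                    "dacl": "ACL-WEBAUTH-REDIRECT"}}                            # assumed

def permit(profile):
    return {"result": "Access-Accept", "avps": {"profile": profile}}

def norm_mac(s):
    """00.0a.95.7f.de.06 / 00-0A-95-7F-DE-06 / 000A957FDE06 -> 000a957fde06."""
    return re.sub(r"[^0-9a-f]", "", s.lower())

def is_host_lookup(req):
    """'Detect EAP-MD5 as Host Lookup': an EAP-MD5 exchange counts as MAB only when the
    EAP identity is the endpoint's own MAC (Calling-Station-Id), not a real user name."""
    return (req.get("eap_authentication") == "EAP-MD5"
            and norm_mac(req["user_name"]) == norm_mac(req["calling_station_id"]))

# Conditions named as on the slides.  A request context is a dict of attributes.
def cisco_ip_phone(r): return r.get("profile") == "Cisco-IP-Phone"
def employee(r):       return "Employee" in r.get("groups", ())
def contractor(r):     return "Contractor" in r.get("groups", ())
def byod_employee(r):  return r.get("registered_device", False) and employee(r)
def mobile(r):         return r.get("profile") in ("i-device", "Android")
def stage_low_impact(r):  # DEVICE:Stage EQUALS Stage#LowImpact (Network Device Group)
    return r.get("nad_ndg", {}).get("Stage") == "Stage#LowImpact"
def mab_eap_port(r):      # Network Access:EapAuthentication EQUALS EAP-MD5 ('mab eap' ports)
    return is_host_lookup(r)
def always(r):         return True

COMMON = [("IP Phones",  cisco_ip_phone, permit("Cisco_IP_Phone")),
          ("BYOD",       byod_employee,  permit("Employee")),
          ("Non_AuthZ",  mobile,         permit("GUEST")),
          ("Contractor", contractor,     permit("Contractor")),
          ("Employee",   employee,       permit("Employee"))]

MONITOR_RULES    = COMMON + [("Default", always, DENY)]
LOW_IMPACT_RULES = COMMON + [("Default", always, WEBAUTH)]
# Low-Impact one switch at a time: only NADs in the Stage#LowImpact NDG get WEBAUTH.
PER_SWITCH_RULES = COMMON + [("Conf_Rooms", stage_low_impact, WEBAUTH), ("Default", always, DENY)]
# Low-Impact one port at a time: only ports configured with 'mab eap' send EAP-MD5.
PER_PORT_RULES   = COMMON + [("Conf_Rooms", mab_eap_port, WEBAUTH), ("Default", always, DENY)]

def evaluate(rules, req):
    """First-match, top-to-bottom evaluation, as in the ISE AuthZ table.
    Returns (matched_rule_name, permission)."""
    for name, cond, perm in rules:
        if cond(req):
            return name, perm
    raise ValueError("rule table has no Default rule")

# Constructed request contexts (the MAC is the one shown on the slides).
UNKNOWN_MAB = {"user_name": "00.0a.95.7f.de.06", "calling_station_id": "00-0A-95-7F-DE-06",
               "profile": "Unknown", "groups": ()}
UNKNOWN_MAB_EAP = dict(UNKNOWN_MAB, eap_authentication="EAP-MD5")          # port has 'mab eap'
PHONE_ON_MAB_EAP_PORT = dict(UNKNOWN_MAB_EAP, profile="Cisco-IP-Phone")
REAL_EAP_MD5_USER = dict(UNKNOWN_MAB, user_name="jdoe", eap_authentication="EAP-MD5")
UNKNOWN_ON_STAGED_SWITCH = dict(UNKNOWN_MAB, nad_ndg={"Stage": "Stage#LowImpact"})

if __name__ == "__main__":
    for label, rules, req in [
            ("Monitor, unknown MAC",         MONITOR_RULES,    UNKNOWN_MAB),
            ("Low-Impact, unknown MAC",      LOW_IMPACT_RULES, UNKNOWN_MAB),
            ("Per-switch NDG, staged NAD",   PER_SWITCH_RULES, UNKNOWN_ON_STAGED_SWITCH),
            ("Per-switch NDG, other NAD",    PER_SWITCH_RULES, UNKNOWN_MAB),
            ("Per-port, 'mab eap' port",     PER_PORT_RULES,   UNKNOWN_MAB_EAP),
            ("Per-port, phone on that port", PER_PORT_RULES,   PHONE_ON_MAB_EAP_PORT),
            ("Per-port, real EAP-MD5 user",  PER_PORT_RULES,   REAL_EAP_MD5_USER)]:
        rule, perm = evaluate(rules, req)
        print(f"{label:32} -> {rule:10} {perm['result']} {perm['avps']}")
```

Two things the table alone does not show: the Conf_Rooms rule must stay below the identity-based rules, otherwise a known phone or employee on a staged port would be sent to web authentication instead of getting its normal permission; and without the host-lookup check a user who really authenticates with EAP-MD5 would match the "mab eap" rule.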
Complete your online session evaluation: from the Cisco Live Mobile App, the Cisco Live Mobile Site (http://showcase.genie-connect.com/clmelbourne2015) or any Cisco Live Internet Station in the venue. T-shirts can be collected in the World of Solutions on Friday 20 March, 12:00pm - 2:00pm.

Learn online with Cisco Live! Visit www.CiscoLiveAPAC.com after the conference for full access to session videos and presentations.

Recommended Reading
• http://amzn.com/1587143259

Questions?

Additional Reference Slides

Agenda
• Introduction
• Certificates, Certificates, Certificates
• BYOD Best Practices
• Integrating with Cisco and Non-Cisco
• Multi-Join Active Directory
• Serviceability & Troubleshooting
• Staged Deployments (Time Permitting)
• Conclusion

Multi-Join AD Connector (Multi-AD)

ISE 1.3 Multi-AD Enhancement
Multiple Un-trusted AD Forests:
• Ability to join up to 50 un-trusted Active Directory forests/domains (they are not required to be untrusted).
Domain Diagnostic:
• A new utility that can be run either before joining a domain or afterwards, to determine whether there are any environmental issues related to the domain.
Test Authentication:
• Allows an authentication for a specific user to be directed to a specific node and returns the result together with authorization-related information such as groups and attributes.
Username Lookup:
• Lets an administrator look up all group memberships and attributes of a user from AD without requiring the user's password. Similar to the authorization-only test in the ASA.
SID Based Group Mapping:
• Group-related policy functionality is now based on the SID (Security Identifier) of the group rather than simply the textual group name, as was done previously. This has significant performance advantages.

Key Terminology
• AD Instance: ISE joined to an AD domain (e.g. cisco.com); ISE may join up to 50 of them
• Scope: a group or subset of your AD instances; useful as a shortcut in policies
• Authentication Domain List: a whitelist of domains within an AD instance; used to limit which domain(s) to use

Multi-AD Terminology Illustrated
• In ISE 1.2 we called this tree an "AD connector"; in ISE 1.3 each tree is referred to as an AD Instance.
• ISE 1.3 supports up to 50 AD Instances.
• Diagram (not reproduced): the cisco.com AD Instance contains the domains cisco.com, aspac.cisco.com, emea.cisco.com, emerging.cisco.com and na.cisco.com. The ise1 node is joined to the aspac.cisco.com domain (as ise1.aspac.cisco.com) within the cisco.com AD Instance.
• The same ISE node can connect to the same AD multiple times as long as the domain is different: here ise1 is also joined to na.cisco.com (as ise1.na.cisco.com).

Multi-AD Terminology Continued
• 1.3 AD Instance == 1.2 AD (connector)
• Diagram (not reproduced): five AD Instances are configured on the ISE: acs.com, Company-B.com, Company-C.com, Company-D.com and Company-E.com. The acs.com instance tree shows acs.com, amer.acs.com, brazil.south.amer.acs.com, oceania.acs.com, australia.oceania.acs.com and canberra.australia.oceania.acs.com.
• A Scope defines the selected instances. Here Scope A contains 3 of the 5 AD instances configured on the ISE.
• The Domain Whitelist (Authentication Domains) defines the domains within an AD instance to be used for authentication. Here 2 of the 5 domains found within the acs.com AD instance are used for authentication.

Multi-AD: AD Authentication Flow
  AuthC Policy to AD -> Scope (optional) -> Identity Rewrite (optional) -> AD Instance -> Domain List (optional) -> Target AD

Multi-AD: Authentication Policy
• An individual AD Instance can be selected.
• Scopes can be selected (All_AD_Instances is a synthetic scope created automatically to select all configured AD instances).

Multi-AD: AD Authentication Flow - Scope
• Scopes allow a single policy to be written.
• Scopes also allow multiple AD instances to be selected without having to look up against all configured AD instances.
• A single AD instance can be part of multiple scopes at the same time.

Multi-AD: Scope Management (For Your Reference)
• ISE installs in single-scope mode, where all AD instances are part of a single scope.
• Adding a scope enables multi-scope mode and moves all of the AD instances into the automatically created 'Default_Scope'.
• You may always delete all other scopes and return to single-scope mode.
Multi-AD: Scope Fun Facts (For Your Reference)
• Scopes can (and usually do) contain more than one AD instance.
• The lookup fans out from a scope, evaluating each instance until it has all the results.
  – Then it decides whether the result is OK (e.g. a unique username).
  – It may stop prematurely if it hits a stopper, e.g. more than one user with the same name and password == ambiguous.
• Scopes can be used in identity source sequences.
  – You can put more than one scope in an ID sequence, but it is not recommended: it is not as efficient as creating one scope with all the relevant AD instances and calling into AD once.

Multi-AD: AD Authentication Flow - AD Instance
  AuthC Policy to AD -> Scope (optional) -> Identity Rewrite (optional) -> AD Instance -> Domain List (optional) -> Target AD
• An AD Instance is the domain the ISE node is joined to. With ISE 1.3, an ISE node can be part of 50 domains.

Multi-AD: AD Instance Fun Facts
• ISE 1.3 can be joined to 50 different un-trusted ADs, usually separate forests.
• Fun fact: you can join the same forest more than once.
  – In some cases it is useful to bypass a permission issue, e.g. one caused by a one-way trust: you can join either side of the trust and thereby see domains on both sides.
  – This trick has been used at a customer site to get around such an issue.
Multi-AD: Configuring AD Instance - Admin Account Requirements (For Your Reference)
Permissions for join operations:
  – Search Active Directory (to see if the ISE machine account already exists)
  – Add workstation to domain (if it does not already exist)
  – Set attributes on the new machine account (OS type and version; optional)
Permissions for leave operations:
  – Search Active Directory (to see if the ISE machine account already exists)
  – Remove workstation from domain
Permissions for the resulting machine account:
  – Ability to change its own password
  – Read the user/machine objects relevant to the customer's needs
  – Query the Active Directory schema to learn about namespaces
Because these are the only rights needed, the join can be done with an account delegated these rights on the target OU rather than a Domain Admin.

Multi-AD: Configuring AD Instance - DNS Requirements (For Your Reference)
• DNS should be able to resolve AD nodes both forward and reverse.
• Note: for Kerberos referrals to work properly, it is usually necessary to make sure the DNS server can resolve (both forward and reverse) the machine names for ISE, i.e. DNS records should be created for the ISE-generated machine accounts.
• DNS should be able to resolve the A and SRV records of all AD servers consistently.

Multi-AD: Configuring AD Instance (For Your Reference)
• An OU can be specified during the domain join process.

Multi-AD: DC Selection Process (For Your Reference)
1. Acts like any other AD-joined PC, and follows that process much more closely than before.
2. Leverages AD Sites & Services to find the best DC.
3. Sends CLDAP ping requests to domain controllers according to the priorities in the SRV record and processes only the first response, if any. Note: the CLDAP response contains the DC site and the client site (i.e. the site to which the ISE machine is assigned).
4. If the DC site and the client site are the same, the response originator (i.e. that DC) is selected.
5. If the DC site and the client site are not the same, the AD connector performs a DNS SRV query scoped to the discovered client site, gets the list of domain controllers serving the client site, sends CLDAP ping requests to these domain controllers and processes only the first response, if any. The response originator (i.e. that DC) is selected.
   Note: if no DC serves the client's site, or no DC in the site is currently available, the DC detected in step 3 is selected.

Multi-AD: Network Ports (For Your Reference)
  Protocol            | Port (remote-local) | Exposure       | Authenticated                      | Notes
  DNS (TCP/UDP)       | 53                  | Network infra  | No                                 | May use DNSSEC
  MSRPC               | 445                 | Network infra  | Yes                                |
  Kerberos (TCP/UDP)  | 88                  | Network infra  | Yes (Kerberos)                     | MS AD/KDC
  Kpasswd             | 464                 | Network infra  | No                                 |
  LDAP (TCP/UDP)      | 389                 | Network infra  | Yes                                |
  NTP                 | 123                 | Network infra  | No                                 |
  IPC                 | 80                  | ISE internode  | Yes, using creds from RBAC system  | ISE REST Library

Multi-AD: AD Authentication Flow - Authentication Domains
  AuthC Policy to AD -> Scope (optional) -> Identity Rewrite (optional) -> AD Instance -> Domain List (optional) -> Target AD
• A whitelist of domains within an AD instance, used to limit which domain(s) to perform lookups against. The default setting is not to use the domain list (i.e. all domains).

Multi-AD: Authentication Domains
• This is a whitelist of AD domains that ISE should use.
• These domains are the "Trusted Domains" as defined by Microsoft AD.
• By default the page is set to permit authentication to all trusted domains, in which case the table is ignored.
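The DC selection steps above as a runnable simulation. This is an added example, not Cisco code: the SRV record names follow the standard _ldap._tcp.dc._msdcs.<domain> and _ldap._tcp.<site>._sites.dc._msdcs.<domain> forms, but the host names, AD site names and CLDAP answers are constructed so the logic runs offline, and the fallback of step 5 (no DC in the client site answers) is exercised explicitly.

```python
"""Simulation of the ISE 1.3 AD connector's domain-controller selection (steps 1-5 above).

Added example, not Cisco code.  DNS SRV records and CLDAP ping answers are
constructed in-memory dictionaries so the logic runs offline; host names and
AD site names are made up.  Real SRV handling picks randomly among equal-priority
records by weight; here the order is deterministic so the result is checkable.
"""

# Constructed DNS: SRV name -> [(priority, weight, target)]
SRV = {
    "_ldap._tcp.dc._msdcs.acs.com": [(0, 100, "dc1.acs.com"),
                                     (0, 50,  "dc2.acs.com"),
                                     (10, 100, "dc3.acs.com")],
    "_ldap._tcp.Sydney._sites.dc._msdcs.acs.com":    [(0, 100, "dc3.acs.com")],
    "_ldap._tcp.Melbourne._sites.dc._msdcs.acs.com": [(0, 100, "dc4.acs.com")],
}

# Constructed CLDAP (netlogon) ping answers: target -> (dc_site, client_site); None = no answer.
# 'client_site' is the site AD assigns to the ISE node's IP; the connector learns it here.
CLDAP = {
    "dc1.acs.com": ("Default-First-Site-Name", "Sydney"),
    "dc2.acs.com": None,                       # down
    "dc3.acs.com": ("Sydney", "Sydney"),
    "dc4.acs.com": ("Melbourne", "Sydney"),
}

def srv_targets(srv, name):
    """Targets in SRV preference order: ascending priority, then descending weight."""
    return [t for _, _, t in sorted(srv.get(name, []), key=lambda r: (r[0], -r[1]))]

def first_cldap_response(cldap, targets):
    """Ping the targets in order and process only the first answer, as the connector does."""
    for t in targets:
        if cldap.get(t) is not None:
            return t, cldap[t]
    return None, None

def select_dc(domain, srv=SRV, cldap=CLDAP):
    """Returns (selected_dc, reason), or (None, reason) when nothing answers."""
    # steps 2-3: domain-wide SRV lookup, CLDAP ping by priority, keep the first responder
    dc, resp = first_cldap_response(cldap, srv_targets(srv, f"_ldap._tcp.dc._msdcs.{domain}"))
    if dc is None:
        return None, "no domain controller answered CLDAP"
    dc_site, client_site = resp
    # step 4: the responder already sits in our site
    if dc_site == client_site:
        return dc, f"responder is in client site {client_site}"
    # step 5: SRV query scoped to the client site, ping those, first responder wins
    site_dc, _ = first_cldap_response(
        cldap, srv_targets(srv, f"_ldap._tcp.{client_site}._sites.dc._msdcs.{domain}"))
    if site_dc is not None:
        return site_dc, f"closest DC serving client site {client_site}"
    # note on the slide: no DC serving the site (or none available) -> keep the step-3 DC
    return dc, f"fallback: no DC serving site {client_site} answered"

if __name__ == "__main__":
    print(select_dc("acs.com"))
    print(select_dc("acs.com", cldap=dict(CLDAP, **{"dc3.acs.com": None})))
```

With the constructed data the domain-wide query reaches dc1 first (priority 0, highest weight), its answer says the ISE node is in site Sydney while dc1 is not, so the site-scoped query selects dc3; if dc3 is also silent, the connector keeps dc1 rather than failing. This is also why the DNS requirements on the previous slides matter: inconsistent SRV data sends the ping to the wrong DC and the whole selection follows it.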
Multi-AD: AD Authentication Flow - ID Rewrite
  AuthC Policy to AD -> Scope (optional) -> Identity Rewrite (optional) -> AD Instance -> Domain List (optional) -> Target AD
• Identity Rewrite allows the username to be manipulated before it is sent to AD for authentication.

Multi-AD: Identity Rewrite
• ID Rewrite rules are applicable per AD instance.

Multi-AD: Identity Rewrite Fun Facts (For Your Reference)
• Can rewrite from EAP-TLS as well.
  – Already used to work with mis-provisioned certificates.
  – All identity attributes are collated, whether from the inner EAP identity, candidate certificate fields, etc., and offered to the rewrite.

Multi-AD: SID Based Group Mapping (screenshot not reproduced)

Multi-AD: Test Authentication
• Can be run from the scope level or from an AD instance.
• Different authentication types can be chosen, the ISE node that runs the test auth can be selected, and group and attribute details are returned if those options are selected.

Multi-AD: Domain Diagnostics
• Can be run from the scope level or from an AD instance (screenshots not reproduced).

Multi-AD: Certificate (EAP-TLS) Smart Search (For Your Reference)
Multi-AD: Smart Search Fun Facts (For Your Reference)
• You can have a mix of TLS certificates with the identity in different X.509 fields; ISE will figure it out.
  – Even if usernames are ambiguous, say two "johnsmith" from an acquisition, if the client certificates are in AD it will automatically use them to rule out the ambiguity.

Multi-AD: Identity Resolution (For Your Reference)
• What to do with usernames without domain markup

Multi-AD: Note about 'Ambiguous Identity' (For Your Reference)
• SAM names:
  – If the identity is a SAM name (a username or machine name without any domain markup), we search the forest of each join point (once) looking for the identity. If there is one (unique) match, we determine its domain / unique name and continue the AAA flow.
  – If the SAM name is not unique and we are using a password-less protocol like EAP-TLS, we have no other criteria to locate the right user, so we fail with an 'Ambiguous identity' error.
  – If we are using a password-based protocol like (EAP-)PAP/MSCHAP, we continue to check the passwords. If only one account has the supplied password, we have a unique match and can continue the AAA flow. However, if more than one account has the same password, we fail with an 'Ambiguous identity' error.
• Avoiding issues:
  – Customers should be encouraged to use UPNs or FQDN host identities if they hit ambiguity errors frequently. In some cases it will be the only way to resolve the issue. In others it may be sufficient to guarantee that users have unique passwords so the hunting algorithm works, although it is more efficient, and leads to fewer password-lockout issues (every wrong-account password check counts as a failed logon on that account), if unique identities are used in the first place.

Multi-AD: Note about 'Ambiguous Identity' continued (For Your Reference)
• Uniqueness enforcement:
  – Unqualified identities can result in non-unique user or machine identities, which would lead to potentially incorrect policy being returned if we do not catch them. Therefore we must verify that an identity is unique and, if it is not, the authentication must fail with an 'ambiguous username' error.
  – This has performance implications because we need to search each join point's forest for a possible match to the unqualified identity. Customers should therefore be encouraged to use qualified identities in the first place to avoid the performance hit.
  – A secondary issue: what if a domain is unavailable while we are resolving an ambiguous username? We cannot know for certain whether the identity is unique (it could exist in the domain that is unavailable).
  – If SAM names must be used, the 'Authentication Domains' feature should be used to define the account domains that really matter. This limits the search scope to just those domains and ignores errors from domains outside the Authentication Domain list.

Multi-AD: Other Details (For Your Reference)
• Rediscovery frequency: the discovery process should run at startup and at no more than 24-hour intervals. If possible, Active Directory notifications should be employed to trigger rediscovery only when needed, e.g. if a new UPN suffix or domain is created.
• Supported group types: due to the complexity of resolving Domain Local groups efficiently at runtime, they are not supported in this release. All other group types (Universal, Global, Builtin) are supported.
• GUI-based advanced tuning (only with TAC supervision!): preferred DCs, preferred GCs, DC failover parameters, timeouts.

Multi-AD: Advanced Tuning (For Your Reference)
• Should only be performed under TAC supervision!

Multi-AD: Caveats (For Your Reference)
• When using UPN usernames, the UPN suffix or AD domain suffix must be unique.
• When using a NetBIOS domain prefix in identities, the NetBIOS domain name must be unique.
• When using machine authentication with a fully qualified machine name, e.g. host/machine.domain.com, the DNS domain (domain.com) must be unique.
• If not using any domain markup in identities, i.e. using 'SAM' names, they should be unique to improve performance. They must be unique if using password-less protocols such as EAP-TLS; the {username, password} combination must be unique if using a password-based protocol.
• The DNS names (forward lookups such as 'A' and 'SRV' records) of Active Directory servers must be unique and lead to consistent results.
• The IP addresses (reverse lookups) of servers used by the AD connector must be unique and lead to consistent results.

Multi-AD: Supported Username Formats (For Your Reference)
• User Principal Name (aka 'UPN'), e.g. chyps@cisco.com
• Alternative UPN, e.g. chyps@alt.upn
• NetBIOS-prefixed name, e.g. CISCO\chyps and CISCO\machine$
• SAM name, e.g. chyps and machine$
• host/ prefix, unqualified machine, e.g. host/machine
• host/ prefix, fully qualified machine, e.g. host/machine.cisco.com
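The supported username formats above, and the 'Ambiguous Identity' hunt described on the preceding slides, as one runnable model. This is an added example, not Cisco code: parse_identity() classifies a string into the six formats listed, resolve() follows the stated rules (search each join point's forest once, disambiguate by password only for password-based protocols, treat an unavailable in-scope domain as a reason the uniqueness of an unqualified name cannot be confirmed, honour the Authentication Domains whitelist). The forests, accounts and plaintext passwords are constructed test data; real AD verifies passwords through Kerberos or NTLM, not by comparison.

```python
"""Supported identity formats and the 'Ambiguous identity' hunt from the slides.

Added example, not Cisco code.  Forests, accounts and passwords are constructed
test data; a real connector verifies passwords against AD rather than comparing them.
"""

def parse_identity(ident):
    """Classify an identity string. Returns (kind, name, domain_markup)."""
    if ident.startswith("host/"):                         # machine authentication
        host = ident[5:]
        if "." in host:                                   # host/machine.cisco.com
            name, _, dns = host.partition(".")
            return "host_fqdn", name, dns
        return "host_sam", host, None                     # host/machine
    if "@" in ident:                                      # UPN or alternative UPN
        user, _, suffix = ident.rpartition("@")
        return "upn", user, suffix
    if "\\" in ident:                                     # CISCO\chyps, CISCO\machine$
        nb, _, user = ident.partition("\\")
        return "netbios", user, nb
    return "sam", ident, None                             # chyps, machine$ (no markup)

class Domain:
    def __init__(self, dns, netbios, accounts, available=True):
        self.dns, self.netbios, self.available = dns, netbios, available
        self.accounts = accounts          # sAMAccountName -> {"upn": ..., "password": ...}

class JoinPoint:                          # one AD instance == one forest
    def __init__(self, name, domains):
        self.name, self.domains = name, domains

def _hunt(kind, name, markup, join_points, auth_domains):
    """Search every forest once, narrowed by the domain markup and the whitelist."""
    wanted = name + "$" if kind.startswith("host") else name
    found, unavailable = [], []
    for jp in join_points:
        for d in jp.domains:
            if auth_domains and d.dns.lower() not in auth_domains:
                continue                  # outside the whitelist: neither searched nor an error
            if kind == "netbios" and d.netbios != markup.upper():
                continue
            if kind == "host_fqdn" and d.dns.lower() != markup.lower():
                continue
            if not d.available:
                unavailable.append(d.dns)
                continue
            for sam, acct in d.accounts.items():
                hit = (acct["upn"] == f"{name}@{markup}".lower()) if kind == "upn" \
                      else sam.lower() == wanted.lower()
                if hit:
                    found.append((d.dns, sam, acct))
    return found, unavailable

def resolve(ident, join_points, password=None, auth_domains=()):
    """password=None models a password-less protocol such as EAP-TLS.
    Returns ('ok', 'dns.domain\\sAMAccountName') or ('fail', reason)."""
    kind, name, markup = parse_identity(ident)
    found, unavailable = _hunt(kind, name, markup, join_points,
                               tuple(a.lower() for a in auth_domains))
    if kind in ("sam", "host_sam") and unavailable:
        # unqualified identity: a silent in-scope domain could hold another match
        return "fail", f"Ambiguous identity: cannot confirm uniqueness, {unavailable} unavailable"
    if not found:
        return "fail", "identity not found"
    if len(found) > 1:
        if password is None:
            return "fail", "Ambiguous identity"          # EAP-TLS: no further criteria
        found = [f for f in found if f[2]["password"] == password]
        if len(found) > 1:
            return "fail", "Ambiguous identity: same name and password in more than one domain"
        if not found:
            return "fail", "wrong password"
    elif password is not None and found[0][2]["password"] != password:
        return "fail", "wrong password"
    dns, sam, _ = found[0]
    return "ok", f"{dns}\\{sam}"

# Constructed forests: an acquisition brought a second 'johnsmith' and a second 'bob'.
ACS = JoinPoint("acs.com", [
    Domain("acs.com", "ACS", {
        "johnsmith": {"upn": "johnsmith@acs.com", "password": "Winter2015!"},
        "bob":       {"upn": "bob@acs.com",       "password": "Same123!"},
        "LAPTOP01$": {"upn": None,                "password": "machine-secret"}}),
    Domain("oceania.acs.com", "OCEANIA", {}, available=False),   # its DCs are down
])
COMPANY_B = JoinPoint("Company-B.com", [
    Domain("company-b.com", "COMPANYB", {
        "johnsmith": {"upn": "johnsmith@company-b.com", "password": "Summer2015!"},
        "bob":       {"upn": "bob@company-b.com",       "password": "Same123!"}}),
])
JOIN_POINTS = [ACS, COMPANY_B]
WHITELIST = ("acs.com", "company-b.com")     # Authentication Domains: skip oceania.acs.com

if __name__ == "__main__":
    for ident, pw, wl in [("johnsmith", None, WHITELIST), ("johnsmith", "Winter2015!", WHITELIST),
                          ("bob", "Same123!", WHITELIST), ("johnsmith", "Winter2015!", ()),
                          ("johnsmith@company-b.com", None, ()), ("ACS\\johnsmith", "Winter2015!", ()),
                          ("host/LAPTOP01.acs.com", None, ())]:
        print(f"{ident:28} -> {resolve(ident, JOIN_POINTS, pw, wl)}")
```

Running it shows each caveat from the slides in turn: the bare "johnsmith" is ambiguous under EAP-TLS but resolves with a password, "bob" stays ambiguous because both accounts share a password, the same "johnsmith" lookup without the whitelist fails because oceania.acs.com is unreachable and its silence cannot be distinguished from "no match", while the UPN, NetBIOS-prefixed and host/FQDN forms go straight to one domain and never touch the unavailable one.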