Plan and deploy identity-based secure access for BYOD and borderless networks
Using Cisco Secure Unified Access Architecture and Cisco Identity Services Engine, you can secure and regain control of borderless networks in a Bring Your Own Device (BYOD) world. This book covers the complete lifecycle of protecting a modern borderless network using these advanced solutions, from planning an architecture through deployment, management, and troubleshooting.
Cisco ISE for BYOD and Secure Unified Access begins by reviewing the business case for an identity solution. Next, you’ll walk through identifying users, devices, and security posture; gain a deep understanding of Cisco’s Secure Unified Access solution; and master powerful techniques for securing borderless networks, from device isolation to protocol-independent network segmentation.
You’ll find in-depth coverage of all relevant technologies and techniques, including 802.1X, profiling, device onboarding, guest lifecycle management, network admission control, RADIUS, and Security Group Access.
Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors present detailed sample configurations to help you plan your own integrated identity solution. Whether you’re a technical professional or an IT manager, this guide will help you provide reliable secure access for BYOD, CYOD (Choose Your Own Device), or any IT model you choose.
Authentication and Authorization Policies: Using Cisco Identity Services Engine in a BYOD World
Introduction xxvi
Section I The Evolution of Identity Enabled Networks
Chapter 1 Regain Control of Your IT Security 1
Security: A Weakest-Link Problem with Ever More Links 2
Cisco Identity Services Engine 3
Sources for Providing Identity and Context Awareness 4
Unleash the Power of Centralized Policy 5
Summary 6
Chapter 2 Introducing Cisco Identity Services Engine 7
Systems Approach to Centralized Network Security Policy 7
What Is the Cisco Identity Services Engine? 9
ISE Authorization Rules 12
Summary 13
Section II The Blueprint, Designing an ISE Enabled Network
Chapter 3 The Building Blocks in an Identity Services Engine Design 15
ISE Solution Components Explained 15
Infrastructure Components 16
Policy Components 20
Endpoint Components 20
ISE Personas 21
ISE Licensing, Requirements, and Performance 22
ISE Licensing 23
ISE Requirements 23
ISE Performance 25
ISE Policy-Based Structure Explained 27
Summary 28
Chapter 4 Making Sense of All the ISE Deployment Design Options 29
Centralized Versus Distributed Deployment 29
Centralized Deployment 30
Distributed Deployment 32
Summary 35
Chapter 5 Following a Phased Deployment 37
Why Use a Phased Deployment Approach? 37
Monitor Mode 38
Choosing Your End-State Mode 40
End-State Choice 1: Low-Impact Mode 42
End-State Choice 2: Closed Mode 44
Transitioning from Monitor Mode into an End-State Mode 45
Summary 46
Section III The Foundation, Building a Context-Aware Security Policy
Chapter 6 Building a Cisco ISE Network Access Security Policy 47
What Makes Up a Cisco ISE Network Access Security Policy? 47
Network Access Security Policy Checklist 48
Involving the Right People in the Creation of the Network Access Security Policy 49
Determining the High-Level Goals for Network Access Security 51
Common High-Level Network Access Security Goals 52
Defining the Security Domains 55
Understanding and Defining ISE Authorization Rules 57
Commonly Configured Rules and Their Purpose 58
Establishing Acceptable Use Policies 59
Defining Network Access Privileges 61
Enforcement Methods Available with ISE 61
Commonly Used Network Access Security Policies 62
Summary 65
Chapter 7 Building a Device Security Policy 67
Host Security Posture Assessment Rules to Consider 67
Sample NASP Format for Documenting ISE Posture Requirements 72
Common Checks, Rules, and Requirements 74
Method for Adding Posture Policy Rules 74
Research and Information 75
Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization 76
Method for Determining Which Posture Policy Rules a Particular Security Requirement Should Be Applied To 77
Method for Deploying and Enforcing Security Requirements 78
ISE Device Profiling 79
ISE Profiling Policies 80
ISE Profiler Data Sources 81
Using Device Profiles in Authorization Rules 82
Summary 82
Chapter 8 Building an ISE Accounting and Auditing Policy 83
Why You Need Accounting and Auditing for ISE 83
Using PCI DSS as Your ISE Auditing Framework 84
ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords 87
ISE Policy for PCI 10.2 and 10.3: Audit Log Collection 89
ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Log Data 90
ISE Policy for PCI 10.6: Review Audit Data Regularly 91
Cisco ISE User Accounting 92
Summary 94
Section IV Configuration
Chapter 9 The Basics: Principal Configuration Tasks for Cisco ISE 95
Bootstrapping Cisco ISE 95
Using the Cisco ISE Setup Assistant Wizard 98
Configuring Network Devices for ISE 106
Wired Switch Configuration Basics 106
Wireless Controller Configuration Basics 109
Completing the Basic ISE Setup 113
Install ISE Licenses 113
ISE Certificates 114
Installing ISE Behind a Firewall 116
Role-Based Access Control for Administrators 121
RBAC for ISE GUI 121
RBAC: Session and Access Settings and Restrictions 121
RBAC: Authentication 123
RBAC: Authorization 124
Summary 126
Chapter 10 Profiling Basics 127
Understanding Profiling Concepts 127
Probes 130
Probe Configuration 130
Deployment Considerations 133
DHCP 134
Deployment Considerations 135
NetFlow 137
Deployment Considerations 137
RADIUS 137
Deployment Considerations 138
Network Scan (NMAP) 138
Deployment Considerations 139
DNS 139
Deployment Considerations 139
SNMP 140
Deployment Considerations 140
IOS Device-Sensor 141
Change of Authorization 142
CoA Message Types 142
Configuring Change of Authorization in ISE 143
Infrastructure Configuration 144
DHCP Helper 145
SPAN Configuration 145
VLAN Access Control Lists (VACL) 146
VMware Configurations to Allow Promiscuous Mode 148
Best Practice Recommendations 149
Examining Profiling Policies 152
Endpoint Profile Policies 152
Cisco IP Phone 7970 Example 155
Using Profiles in Authorization Policies 161
Endpoint Identity Groups 161
EndPointPolicy 163
Logical Profiles 164
Feed Service 166
Configuring the Feed Service 166
Summary 168
Chapter 11 Bootstrapping Network Access Devices 169
Bootstrap Wizard 169
Cisco Catalyst Switches 170
Global Configuration Settings for All Cisco IOS 12.2 and 15.x Switches 170
Configure Certificates on a Switch 170
Enable the Switch HTTP/HTTPS Server 170
Global AAA Commands 171
Global RADIUS Commands 172
Create Local Access Control Lists 174
Global 802.1X Commands 175
Global Logging Commands (Optional) 175
Global Profiling Commands 177
Interface Configuration Settings for All Cisco Switches 179
Configure Interfaces as Switch Ports 179
Configure Flexible Authentication and High Availability 179
Configure Authentication Settings 182
Configure Authentication Timers 184
Apply the Initial ACL to the Port and Enable Authentication 184
Cisco Wireless LAN Controllers 184
Configure the AAA Servers 185
Add the RADIUS Authentication Servers 185
Add the RADIUS Accounting Servers 186
Configure RADIUS Fallback (High Availability) 187
Configure the Airespace ACLs 188
Create the Web Authentication Redirection ACL 188
Create the Posture Agent Redirection ACL 191
Create the Dynamic Interfaces for the Client VLANs 193
Create the Employee Dynamic Interface 193
Create the Guest Dynamic Interface 194
Create the Wireless LANs 195
Create the Guest WLAN 195
Create the Corporate SSID 199
Summary 202
Chapter 12 Authorization Policy Elements 205
Authorization Results 206
Configuring Authorization Downloadable ACLs 207
Configuring Authorization Profiles 209
Summary 212
Chapter 13 Authentication and Authorization Policies 215
Relationship Between Authentication and Authorization 215
Authentication Policies 216
Goals of an Authentication Policy 216
Accept Only Allowed Protocols 216
Route to the Correct Identity Store 216
Validate the Identity 217
Pass the Request to the Authorization Policy 217
Understanding Authentication Policies 217
Conditions 218
Allowed Protocols 220
Identity Store 224
Options 224
Common Authentication Policy Examples 224
Using the Wireless SSID 225
Remote-Access VPN 228
Alternative ID Stores Based on EAP Type 230
Authorization Policies 232
Goals of Authorization Policies 232
Understanding Authorization Policies 233
Role-Specific Authorization Rules 237
Authorization Policy Example 237
Employee and Corporate Machine Full-Access Rule 238
Internet Only for iDevices 240
Employee Limited Access Rule 243
Saving Attributes for Re-Use 246
Summary 248
Chapter 14 Guest Lifecycle Management 249
Guest Portal Configuration 251
Configuring Identity Source(s) 252
Guest Sponsor Configuration 254
Guest Time Profiles 254
Guest Sponsor Groups 255
Sponsor Group Policies 257
Authentication and Authorization Guest Policies 258
Guest Pre-Authentication Authorization Policy 258
Guest Post-Authentication Authorization Policy 262
Guest Sponsor Portal Configuration 263
Guest Portal Interface and IP Configuration 264
Sponsor and Guest Portal Customization 264
Customize the Sponsor Portal 264
Creating a Simple URL for Sponsor Portal 265
Guest Portal Customization 265
Customizing Portal Theme 266
Creating Multiple Portals 268
Guest Sponsor Portal Usage 271
Sponsor Portal Layout 271
Creating Guest Accounts 273
Managing Guest Accounts 273
Configuration of Network Devices for Guest CWA 274
Wired Switches 274
Wireless LAN Controllers 275
Summary 277
Chapter 15 Device Posture Assessment 279
ISE Posture Assessment Flow 280
Configure Global Posture and Client Provisioning Settings 283
Posture Client Provisioning Global Setup 283
Posture Global Setup 285
General Settings 285
Reassessments 286
Updates 287
Acceptable Use Policy 287
Configure the NAC Agent and NAC Client Provisioning Settings 288
Configure Posture Conditions 289
Configure Posture Remediation 292
Configure Posture Requirements 295
Configure Posture Policy 296
Enabling Posture Assessment in the Network 298
Summary 299
Chapter 16 Supplicant Configuration 301
Comparison of Popular Supplicants 302
Configuring Common Supplicants 303
Mac OS X 10.8.2 Native Supplicant Configuration 303
Windows GPO Configuration for Wired Supplicant 305
Windows 7 Native Supplicant Configuration 309
Cisco AnyConnect Secure Mobility Client NAM 312
Summary 317
Chapter 17 BYOD: Self-Service Onboarding and Registration 319
BYOD Challenges 320
Onboarding Process 322
BYOD Onboarding 322
Dual SSID 322
Single SSID 323
Configuring NADs for Onboarding 324
ISE Configuration for Onboarding 329
End-User Experience 330
Configuring ISE for Onboarding 347
BYOD Onboarding Process Detailed 357
MDM Onboarding 367
Integration Points 367
Configuring MDM Integration 368
Configuring MDM Onboarding Policies 369
Managing Endpoints 372
Self Management 373
Administrative Management 373
The Opposite of BYOD: Identify Corporate Systems 374
EAP Chaining 375
Summary 376
Chapter 18 Setting Up a Distributed Deployment 377
Configuring ISE Nodes in a Distributed Environment 377
Make the Policy Administration Node a Primary Device 377
Register an ISE Node to the Deployment 379
Ensure the Persona of All Nodes Is Accurate 381
Understanding the HA Options Available 382
Primary and Secondary Nodes 382
Monitoring and Troubleshooting Nodes 382
Policy Administration Nodes 384
Promoting the Secondary PAN to Primary 385
Node Groups 385
Create a Node Group 386
Add the Policy Services Nodes to the Node Group 387
Using Load Balancers 388
General Guidelines 388
Failure Scenarios 389
Summary 390
Chapter 19 Inline Posture Node 391
Use Cases for the Inline Posture Node 391
Overview of IPN Functionality 392
IPN Configuration 393
IPN Modes of Operation 393
Summary 394
Section V Deployment Best Practices
Chapter 20 Deployment Phases 395
Why Use a Phased Approach? 395
A Phased Approach 397
Authentication Open Versus Standard 802.1X 398
Monitor Mode 399
Prepare ISE for a Staged Deployment 401
Create the Network Device Groups 401
Create the Policy Sets 403
Low-Impact Mode 404
Closed Mode 406
Transitioning from Monitor Mode to Your End State 408
Wireless Networks 409
Summary 410
Chapter 21 Monitor Mode 411
Endpoint Discovery 412
SNMP Trap Method 413
Configuring the ISE Probes 414
Adding the Network Device to ISE 416
Configuring the Switches 418
RADIUS with SNMP Query Method 420
Configuring the ISE Probes 420
Adding the Network Device to ISE 421
Configuring the Switches 422
Device Sensor Method 424
Configuring the ISE Probes 425
Adding the Network Device to ISE 425
Configuring the Switches 426
Using Monitoring to Identify Misconfigured Devices 428
Tuning the Profiling Policies 428
Creating the Authentication Policies for Monitor Mode 430
Creating Authorization Policies for Non-Authenticating Devices 433
IP-Phones 433
Wireless APs 435
Printers 436
Creating Authorization Policies for Authenticating Devices 438
Machine Authentication (Machine Auth) 438
User Authentications 439
Default Authorization Rule 440
Summary 441
Chapter 22 Low-Impact Mode 443
Transitioning from Monitor Mode to Low-Impact Mode 445
Configuring ISE for Low-Impact Mode 446
Set Up the Low-Impact Mode Policy Set in ISE 446
Duplicate the Monitor Mode Policy Set 446
Create the Web Authentication Authorization Result 448
Configure the Web Authentication Identity Source Sequence 451
Modify the Default Rule in the Low-Impact Policy Set 451
Assign the WLCs and Switches to the Low-Impact Stage NDG 452
Modify the Default Port ACL on the Switches That Will Be Part of Low-Impact Mode 453
Monitoring in Low-Impact Mode 454
Tightening Security 454
Creating AuthZ Policies for the Specific Roles 454
Change Default Authentication Rule to Deny Access 456
Moving Switch Ports from Multi-Auth to Multi-Domain 457
Summary 458
Chapter 23 Closed Mode 459
Transitioning from Monitor Mode to Closed Mode 461
Configuring ISE for Closed Mode 461
Set Up the Closed Mode Policy Set in ISE 461
Duplicate the Monitor Mode Policy Set 462
Create the Web Authentication Authorization Result 463
Configure the Web Authentication Identity Source Sequence 466
Modify the Default Rule in the Closed Policy Set 467
Assign the WLCs and Switches to the Closed Stage NDG 468
Modify the Default Port ACL on the Switches That Will Be Part of Closed Mode 469
Monitoring in Closed Mode 469
Tightening Security 469
Creating Authorization Policies for the Specific Roles 470
Change Default Authentication Rule to Deny Access 472
Moving Switch Ports from Multi-Auth to MDA 473
Summary 474
Section VI Advanced Secure Unified Access Features
Chapter 24 Advanced Profiling Configuration 475
Creating Custom Profiles for Unknown Endpoints 475
Identifying Unique Values for an Unknown Device 476
Collecting Information for Custom Profiles 478
Creating Custom Profiler Conditions 479
Creating Custom Profiler Policies 480
Advanced NetFlow Probe Configuration 481
Commonly Used NetFlow Attributes 483
Example Profiler Policy Using NetFlow 483
Designing for Efficient Collection of NetFlow Data 484
Configuration of NetFlow on Cisco Devices 485
Profiler COA and Exceptions 488
Types of CoA 489
Creating Exceptions Actions 489
Configuring CoA and Exceptions in Profiler Policies 490
Profiler Monitoring and Reporting 491
Summary 494
Chapter 25 Security Group Access 495
Ingress Access Control Challenges 495
VLAN Assignment 495
Ingress Access Control Lists 498
What Is Security Group Access? 499
So, What Is a Security Group Tag? 500
Defining the SGTs 501
Classification 504
Dynamically Assigning SGT via 802.1X 504
Manually Assigning SGT at the Port 506
Manually Binding IP Addresses to SGTs 506
Access Layer Devices That Do Not Support SGTs 507
Transport: Security Group eXchange Protocol (SXP) 508
SXP Design 508
Configuring SXP on IOS Devices 509
Configuring SXP on Wireless LAN Controllers 511
Configuring SXP on Cisco ASA 513
Transport: Native Tagging 516
Configuring Native SGT Propagation (Tagging) 517
Configuring SGT Propagation on Cisco IOS Switches 518
Configuring SGT Propagation on a Catalyst 6500 520
Configuring SGT Propagation on a Nexus Series Switch 522
Enforcement 523
SGACL 524
Creating the SG-ACL in ISE 526
Configure ISE to Allow the SGACLs to Be Downloaded 531
Configure the Switches to Download SGACLs from ISE 532
Validating the PAC File and CTS Data Downloads 533
Security Group Firewalls 535
Security Group Firewall on the ASA 535
Security Group Firewall on the ISR and ASR 543
Summary 546
Chapter 26 MACSec and NDAC 547
MACSec 548
Downlink MACSec 549
Switch Configuration Modes 551
ISE Configuration 552
Uplink MACSec 553
Network Device Admission Control 557
Creating an NDAC Domain 558
Configuring ISE 558
Configuring the Seed Device 562
Adding Non-Seed Switches 564
Configuring the Switch Interfaces for Both Seed and Non-Seed 566
MACSec Sequence in an NDAC Domain 567
Summary 568
Chapter 27 Network Edge Authentication Topology 569
NEAT Explained 570
Configuring NEAT 571
Preparing ISE for NEAT 571
Create the User Identity Group and Identity 571
Create the Authorization Profile 572
Create the Authorization Rule 573
Access Switch (Authenticator) Configuration 574
Desktop Switch (Supplicant) Configuration 574
Summary 575
Section VII Monitoring, Maintenance, and Troubleshooting
Chapter 28 Understanding Monitoring and Alerting 577
ISE Monitoring 577
Live Authentications Log 578
Monitoring Endpoints 580
Global Search 581
Monitoring Node in a Distributed Deployment 584
Device Configuration for Monitoring 584
ISE Reporting 585
Data Repository Setup 586
ISE Alarms 587
Summary 588
Chapter 29 Troubleshooting 589
Diagnostics Tools 589
RADIUS Authentication Troubleshooting 589
Evaluate Configuration Validator 591
TCP Dump 594
Troubleshooting Methodology 596
Troubleshooting Authentication and Authorization 596
Option 1: No Live Log Entry Exists 597
Option 2: An Entry Exists in the Live Log 603
General High-Level Troubleshooting Flowchart 605
Troubleshooting WebAuth and URL Redirection 605
Active Directory Is Disconnected 610
Debug Situations: ISE Logs 611
The Support Bundle 611
Common Error Messages and Alarms 613
EAP Connection Timeout 613
Dynamic Authorization Failed 615
WebAuth Loop 617
Account Lockout 617
ISE Node Communication 617
Summary 618
Chapter 30 Backup, Patching, and Upgrading 619
Repositories 619
Configuring a Repository 619
Backup 625
Restore 628
Patching 629
Upgrading 632
Summary 634
Appendix A Sample User Community Deployment Messaging Material 635
Appendix B Sample ISE Deployment Questionnaire 639
Appendix C Configuring the Microsoft CA for BYOD 645
Appendix D Using a Cisco IOS Certificate Authority for BYOD Onboarding 669
Appendix E Sample Switch Configurations 675
TOC, 9781587143250, 5/15/2013