BRKSEC-3697 - ISE Advanced Tips

BRKSEC-3697
Advanced ISE Services, Tips & Tricks
Aaron T. Woland, CCIE #20113
Principal Engineer, Security Business Group

This is a Deep Dive. It may get Intense!
-Ritchie Blackmore
*Balance of Technical Bits & Bytes Without "Brain-Frying"

"If we can't laugh at ourselves, then we cannot laugh at anything at all"

Aaron Woland, CCIE# 20113
Principal Engineer, Security Business Group
loxx@cisco.com
@AaronWoland
http://www.networkworld.com/blog/secure-network-access/

Multiple ISE Sessions to Choose From:

Important: Hidden Slide Alert
Look for the "For Your Reference" symbol in your PDFs. There is a tremendous amount of hidden content for you to use later!
**~250 Slides in PDF

Lots of NEW Content

Watch Recordings of Prior Sessions

Tweet out to #CLEUR #ISE
Tweet: @aaronwoland #CLEUR #MyFavoriteSpeaker
loxx@cisco.com
**Please tell me what you thought
Tweet Pics!

Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Roadmap and Futures

Next Session! Room 732

Cisco ISE Sessions: Building Blocks
• BRKSEC-3697 - You are Here! (Thur 9:00am)
• BRKSEC-2060 - TACACS+ Dev Admin (Thur 11:30am)
• BRKSEC-3699 - ISE Scale & HA (Tue 2:15pm)
• COCSEC-2015 - Inside Cisco IT: Cisco IT's Assured Network Access: Identity Services Engine (ISE) Deployment and Best Practices (Tue 11:15am)
• LALSEC-0003 - Lunch and Learn - Cisco Identity Services Engine (ISE) (Tue 12:45pm)
• BRKSEC-2059 - Real World ISE (Wed 4:30pm)
• TECSEC-3672 - Advanced - Network Access Control with ISE (Identity Service Engine) 2.0 (Mon 9:00am)
• BRKSEC-2132 - ISE & Active Directory (Wed 4:30pm)

TrustSec - Network as a Sensor/Enforcer sessions
• BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation (Thur 2:30pm)
• BRKSEC-3690 - Advanced TrustSec - Deep dive on software defined segmentation (Fri 9:00am)
• LTRSEC-2016 - The Essentials of Cisco TrustSec (Tue 2:15pm)
• BRKSEC-2026 - Network as a Sensor and Enforcer (Thur 9:00am)
• BRKCRS-2891 - Enterprise Network Segmentation with Cisco TrustSec (Wed 2:30pm)
• LALSEC-0006 - Lunch and Learn - Network as a Sensor / Enforcer (Thur 1:00pm)
• TECSEC-2222 - Securing Networks with Cisco TrustSec (Mon 2:15pm)
• BRKCRS-1449 - Introductory - Network as a Sensor / Enforcer: Cisco's End-to-End Analysis and Security Architectures
• BRKGS-2606 - Securing the Enterprise with Network Intelligence
(Tue 4:15pm) (Wed 11:30am)

Other Complementary Sessions
• BRKSEC-3053 - Practical PKI for Remote Access VPN with ISE (Fri 11:30am)
• BRKSEC-2051 - It's all about Securing the Endpoint! (Tue 11:15am)
• PSOSEC-4003 - Stop Threats Before They Stop You: Gain visibility and control as you speed time to containment of infected endpoints. (Wed 1:15pm)
• LTRSEC-2017 - Simplified IBNS 2.0 with Auto-identity (Advanced dot1x) Lab (Tue 9:00am)
• BRKSEC-2073 - NetFlow Security Monitoring with Cisco Threat Defense (CTD) (Wed 2:30pm)
• LALCRS-0001 - Lunch and Learn - Cisco TrustSec for the Enterprise (Tue 12:45pm)
• LTRCRS-2006 - Network as a Sensor and Enforcer Lab (Thur 2:00pm)

Agenda
• Introduction
• Certificates, Certificates, Certificates
• BYOD in Practice
• Integrating with Cisco and Non-Cisco
• Active Directory Best Practices (Limited)
• Serviceability & Troubleshooting
• Upgrade Tips from the Field
• Conclusion
ISE and Certificate Usage

Your Feedback is Heard!
• Other Resources:
• http://www.networkworld.com/blog/securenetwork-access/
• http://amzn.com/1587144263 (Pre-Order)
• My Previous Cisco Live Sessions (ciscolive.com)

Certificates

What is an X.509 Certificate? (For Your Reference)
• A Certificate is a signed document…
• Think of it like a government form of identity: the X.509 subject carries fields such as username, organization and location.

What is the purpose of an X.509 Certificate? (For Your Reference)
• Provides an Identity: who is the user, what is the endpoint, website identity, …
• Contains the Public Key for Encryption

Other Usages of X.509 Certificates (For Your Reference)
• Key Usages
• Extended Key Usages (EKUs): Server Auth, Client Auth, Key Cert Signing, …
ISE and Certificates: Multiple Identities (For Your Reference)
[Diagram: the certificate identities an ISE node presents. Authentication Server: the 802.1X/EAP exchange between Supplicant, Authenticator and Authentication Server across the Layer 2 and Layer 3 links (Port Unauthorized, EAPoL Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS Access-Request, RADIUS Access-Challenge [AVP: EAP-Request PEAP], EAP-Request/PEAP, EAP-Response/PEAP, RADIUS Access-Request [AVP: EAP-Response: PEAP], with multiple challenge/request exchanges possible). Secure Web Server. Root CA. Internal Communications.]
Managing Local Certificates (For Your Reference)
ISE 1.0-1.2: certificates are handled node by node
• Generate CSR for PAN/MnT; bind CA-signed cert for PAN/MnT (PAN's, MnT's)
• Generate CSR for PSN #1; bind CA-signed cert for PSN #1
• Generate CSR for PSN #20; bind CA-signed cert for PSN #20
• Generate CSR for PSN #40; bind CA-signed cert for PSN #40
• … and so on for every PSN

Centralized Certificate Management in 1.3+
• Generate CSRs for ALL NODES at Primary PAN
• Bind CA-signed certs for ALL NODES at Primary PAN
• Manage System (Local) certs for ALL NODES at Primary PAN
[Diagram: the Primary PAN managing certificates for PSN #1, PSN #20 and PSN #40]
Manage System Certificates (For Your Reference)
• Certificates used by: Admin, HTTPS Portals, pxGrid, EAP
• These are Private/Public Key Pairs, i.e. they identify ISE personalities

Certificates your ISE Cube will "Trust" (For Your Reference)
• Trust for EAP, MDM, etc.
• These are copies of their public certs, i.e. they identify other systems

Trusted Certificates (For Your Reference)
• In 1.3+, trusted certificates have a new "Trusted For" attribute.
• Security Goal: to prevent the public certificates used for Cisco Services from being used internally.
• When importing a trust certificate, the user must specify what the certificate is trusted for.
• It is important to select at least one category, or the cert will not be used in any trust store.
System Certificate Roles - ISE 1.3+ (For Your Reference)

1.2 Role Name | 1.3 Role Name      | How Many | May Use Wildcard (*) in SAN | May Use Wildcard (*) in Subject
HTTPS         | Admin              | 1        | Yes                         | Yes
EAP           | EAP Authentication | 1        | Yes                         | No (1)
-             | pxGrid             | 1        | No                          | No
-             | Portal             | Many     | Yes                         | Yes

(1) While ISE technically allows a wildcard in the CN, Microsoft supplicants will reject it, so it is never recommended.

• 'Admin' cert is the server cert for the Admin Console
• 'pxGrid' cert is the server cert for authenticating the ISE node to pxGrid clients
• 'Portal' cert is a server cert associated with a particular ISE portal (Guest, Sponsor, My Devices, …)
• In a freshly installed node, the default self-signed cert has all four roles
Certificates for all roles are managed from the Primary PAN node.
ISE 1.3: Multiple Web Portals (For Your Reference)
Each Portal Could Use A Different Certificate
• Each Portal exists on ALL PSNs
• Each Portal requires a certificate
• One certificate per Interface > IP:Port
• Each PSN could have unique certificates (identity)
[Diagram: ISE PSN-1, ISE PSN-2 and ISE PSN-3, each hosting every portal]

Problem: Assign Certificate on All PSNs to Portal? How To Assign "At Scale" (For Your Reference)
• New UI paradigm with ISE 1.3 is to keep all portal configuration together.
• Options:
• Add complexity to the Portal Configuration page by choosing certificates on each node? What about large deployments (40 PSNs)?
• Configure it entirely outside of the Portal Configuration screen?
• Some way to combine?
[Diagram: per-node assignment (PSN-1: Cert1, PSN-2: Cert2, PSN-3: Cert3) crossed out]

Solution: Portal Certificate Group Tag (For Your Reference)
• Portal Certificate Group Tag provides a solution to configure node-specific certificates for Portal configuration by associating node certificates to a logical name.
[Diagram: Node 1 (Pri Admin, M&T and PSN), Node 2 (Sec Admin, M&T and PSN) and Node 3 (PSN) each bind their own certificate to the Group Tag "GuestPortalCerts", which the Portal Configuration references (grouping certificates to a logical name)]
Certificate Chains (For Your Reference)
• For scalability, X.509 Certificate Authorities may have a hierarchy: Root CA > Subordinate CA > ISE cert
• ISE will present the full signing chain to the client during authentication
• Client must trust each CA within the chain

Pro Tip: Always Add the Root & Sub CA's
• Import all certificates in the trust path, one at a time: Root CA, Subordinate CA, Subordinate CA, ISE cert
• If you must use a PKCS chain, it needs to be in PEM format (not DER)

PEM versus DER
• PEM encoded (Base64 text between BEGIN/END armour lines) versus DER encoded (binary ASN.1)
• Convert DER to PEM: openssl x509 -inform der -in DER.cer -out NewFile.pem
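An added example (not code from the deck) of what the conversion and "one at a time" import advice amounts to in code: detecting PEM versus DER, wrapping DER into PEM the way the openssl command does, and splitting a PEM chain into single certificates. The DER bytes used are a constructed placeholder, not a real certificate.

```python
"""PEM or DER? Normalise a certificate file and split a chain for import.

Added example, not code from the deck. ISE wants every certificate of the
trust path imported one at a time, and a chain file must be PEM, not DER.
This detects the encoding (PEM armour vs. the leading DER SEQUENCE byte 0x30
that every X.509 certificate starts with), base64-wraps DER into PEM the way
"openssl x509 -inform der" does, and splits a PEM bundle into single
certificates. PLACEHOLDER_DER is constructed bytes, not a real certificate.
"""
import base64
import re
import textwrap

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_encoding(data: bytes) -> str:
    """'PEM', 'DER' or 'unknown' from the first bytes of the file."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: the outer Certificate structure
        return "DER"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Equivalent of: openssl x509 -inform der -in file.cer -out file.pem"""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)  # PEM convention: 64 characters per line
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem for the first PEM block in the text."""
    m = PEM_BLOCK_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def split_pem_bundle(bundle: str) -> list:
    """One PEM string per certificate, in file order (root, sub CA(s), leaf)."""
    return ["-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)
            for label, body in PEM_BLOCK_RE.findall(bundle)]


def to_single_pem_files(data: bytes) -> list:
    """Whatever was handed over, return the PEM certificates to import one at a time."""
    kind = detect_encoding(data)
    if kind == "DER":
        return [der_to_pem(data)]
    if kind == "PEM":
        return split_pem_bundle(data.decode("ascii"))
    raise ValueError("not a PEM or DER certificate")


# Constructed placeholder: an outer SEQUENCE header followed by filler bytes.
PLACEHOLDER_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    for part in to_single_pem_files(PLACEHOLDER_DER):
        print(part)
```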
Joining an ISE Cube: Mutual Trust Required (For Your Reference)
• In order to join an ISE node to an existing ISE Cube, you must trust the PAN cert on the 2ndary node(s), and vice-versa.
• Then you upgrade all certs:
• Delete the old self-signed certificates from the System Certs
• Delete the old self-signed certs from the Trusted Cert Store
• So, it's often easiest to upgrade to a CA-signed & trusted cert before joining the Cube.
[Diagram: the PAN holds the PSN certs in its Trusted Certs store and PSN1/PSN2 hold the PAN cert in theirs; after the upgrade the old self-signed certs are crossed out]
Simple URL for My Devices & Sponsor Portals
• In 1.3+: Sponsor Portal and My Devices Portal must be accessed via a user-friendly URL and selectable port.
• Ex: http://mydevices.company.com, with automatic redirect to https://fqdn:port
• FQDN for URL must be added to DNS and resolve to the Policy Service node(s) used for Guest Services.
• Recommend populating the Subject Alternative Name (SAN) field of the PSN local cert with this alternative FQDN or a wildcard to avoid SSL cert warnings due to name mismatch.
ISE Certificate without SAN: Certificate Warning - Name Mismatch
[Diagram: the sponsor browses to http://sponsor.company.com; DNS lookup = sponsor.company.com, DNS response = 10.1.99.5 (the load balancer in front of ISE-PSN-1, ISE-PSN-2 and ISE-PSN-3); the browser is redirected to https://sponsor.company.com:8443/sponsorportal and lands on ISE-PSN-3]
Name Mismatch! Requested URL = sponsor.company.com, Certificate Subject = ise-psn-3.company.com

ISE Certificate with SAN: No Certificate Warning
[Diagram: same flow through the load balancer; the PSN's certificate carries the friendly name]
Certificate OK! Requested URL = sponsor.company.com, Certificate SAN = sponsor.company.com

ISE Certificate with SAN
• CN must also exist in SAN
• Other FQDNs as "DNS Names"
• IP Address is also an option

"Traditional" Wildcard Certificates
• Wildcard certificates are used to identify any secure web site that is part of the domain:
• e.g.: *.woland.com works for www.woland.com, mydevices.woland.com, sponsor.woland.com, AnyThingIWant.woland.com
• != psn.[ise].woland.com: the position of the wildcard in the FQDN is fixed, it only stands in for one label
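As an added example (not code from the deck), the matching rules the slides above describe, applied to the deck's own names: a wildcard only replaces the single left-most label, a name mismatch results when neither SAN nor subject covers the requested URL, and the CN must also appear in the SAN. CertNames is a constructed stand-in for parsed certificate fields, not a parser.

```python
"""Does a certificate's name set cover the hostname a client requested?

Added example, not code from the Cisco Live deck. It implements the rules
the slides describe: a wildcard only stands in for the single left-most
label (so *.woland.com covers sponsor.woland.com but never
psn.ise.woland.com), a name-mismatch warning results when neither the SAN
nor the subject covers the requested URL, and the CN must also appear in
the SAN. CertNames is a constructed stand-in for parsed certificate fields.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity fields of a server certificate (constructed, not parsed from DER)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: '*' may only replace the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Position in the FQDN is fixed: label counts must be equal, so
    # *.woland.com covers neither psn.ise.woland.com nor woland.com itself.
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def name_in_cert(cert: CertNames, hostname: str):
    """Return (ok, reason). SAN entries win when present; the CN is only a legacy fallback."""
    if cert.san_dns:
        for name in cert.san_dns:
            if wildcard_matches(name, hostname):
                return True, "matched SAN entry %s" % name
        return False, "name mismatch: requested %s, SAN %s" % (hostname, cert.san_dns)
    if wildcard_matches(cert.subject_cn, hostname):
        return True, "matched subject CN (no SAN present)"
    return False, "name mismatch: requested %s, certificate subject %s" % (
        hostname, cert.subject_cn)


def lint_cert(cert: CertNames) -> list:
    """Checks worth running before binding a certificate to an ISE role."""
    warnings = []
    if cert.san_dns and cert.subject_cn not in cert.san_dns:
        warnings.append("CN %s must also exist in the SAN" % cert.subject_cn)
    if cert.subject_cn.startswith("*."):
        warnings.append("wildcard in the subject CN: Microsoft supplicants reject it for EAP")
    if not cert.san_dns:
        warnings.append("no SAN: friendly portal URLs will raise name-mismatch warnings")
    return warnings


# The deck's own scenarios: a per-node cert without SAN reached via
# sponsor.company.com, and the common cert CN=psn.ise.local with SAN
# psn.ise.local, *.ise.local installed on every PSN.
PER_NODE_NO_SAN = CertNames("ise-psn-3.company.com")
COMMON_PSN_CERT = CertNames("psn.ise.local", ["psn.ise.local", "*.ise.local"])

if __name__ == "__main__":
    print(name_in_cert(PER_NODE_NO_SAN, "sponsor.company.com"))
    print(name_in_cert(COMMON_PSN_CERT, "ise2.ise.local"))
    print(lint_cert(COMMON_PSN_CERT))
```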
Wildcard Certificates - Why use with ISE?
• Use of all portals & friendly URLs without certificate match errors.
• Most importantly: the ability to host the exact same certificate on all ISE PSNs for EAP authentications
• Why, you ask?.......

Clients Misbehave!
• Example education customer:
• ONLY 6,000 endpoints (all BYOD style)
• 10M auths / 9M failures in 24 hours!
• 42 different failure scenarios, all related to clients dropping TLS (both PEAP & EAP-TLS).
• Supplicant list: Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
• 5411 No response received during 120 seconds on last EAP message sent to the client
• This error has been seen at a number of Escalation customers
• Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.
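An added example (not code from the deck, and not ISE's log format) of the first triage step for a failure storm like the one above: grouping failed authentications by failure reason and by the vendor OUI of the Calling-Station-ID, so the misbehaving supplicant families stand out. The records are constructed, simplified key=value lines, and the OUI table uses locally-administered placeholder prefixes rather than IEEE registry entries.

```python
"""Which supplicants are dropping TLS? Group EAP failures by vendor OUI.

Added example, not code from the Cisco Live deck and not ISE's log format.
The education customer above saw 9M failures out of 10M authentications,
mostly 5411 (no response to the last EAP message). Before touching server
certificates, a defender wants to know which clients fail and how often, so
this parses constructed, simplified key=value authentication records, groups
them by failure reason and by the OUI of the Calling-Station-ID, and ranks
vendors by failure ratio. The OUI table uses locally-administered placeholder
prefixes (02:xx:xx) mapped to vendor names from the deck, not IEEE entries.
"""
import re
from collections import Counter, defaultdict

OUI_TABLE = {  # constructed placeholders, not the IEEE registry
    "02:00:01": "Samsung",
    "02:00:02": "Apple",
    "02:00:03": "HTC",
    "02:00:04": "Intel",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+Calling-Station-ID=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"\s+Status=(?P<status>PASS|FAIL)(?:\s+FailureReason=(?P<reason>\d+))?"
)

EAP_TIMEOUT = "5411"  # "No response received during 120 seconds on last EAP message"

# Constructed sample records (one per authentication attempt).
SAMPLE_LOG = """\
2016-02-18T09:00:01 Calling-Station-ID=02:00:01:AA:BB:01 Status=FAIL FailureReason=5411 Message="No response received during 120 seconds on last EAP message sent to the client"
2016-02-18T09:00:31 Calling-Station-ID=02:00:01:AA:BB:01 Status=FAIL FailureReason=5411 Message="No response received during 120 seconds on last EAP message sent to the client"
2016-02-18T09:01:01 Calling-Station-ID=02:00:01:AA:BB:02 Status=FAIL FailureReason=5411 Message="No response received during 120 seconds on last EAP message sent to the client"
2016-02-18T09:01:05 Calling-Station-ID=02:00:02:CC:DD:01 Status=PASS
2016-02-18T09:01:09 Calling-Station-ID=02:00:02:CC:DD:02 Status=FAIL FailureReason=5411 Message="No response received during 120 seconds on last EAP message sent to the client"
2016-02-18T09:01:12 Calling-Station-ID=02:00:04:EE:FF:01 Status=PASS
2016-02-18T09:01:15 Calling-Station-ID=02:00:04:EE:FF:02 Status=PASS
2016-02-18T09:01:20 Calling-Station-ID=02:00:03:11:22:01 Status=FAIL FailureReason=12345 Message="some other failure (constructed)"
2016-02-18T09:01:25 Calling-Station-ID=02:00:09:11:22:01 Status=FAIL FailureReason=5411 Message="No response received during 120 seconds on last EAP message sent to the client"
"""


def vendor_of(mac: str) -> str:
    """Map the first three octets (OUI) to a vendor, 'unknown' if not in the table."""
    return OUI_TABLE.get(mac.upper()[:8], "unknown")


def parse_log(text: str) -> list:
    """Return one dict per parseable record; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records: list) -> dict:
    """Attempts and failures per vendor, failures per reason code, and the
    number of distinct endpoints per vendor that hit the EAP timeout."""
    auths, failures, reasons = Counter(), Counter(), Counter()
    timeout_endpoints = defaultdict(set)
    for r in records:
        vendor = vendor_of(r["mac"])
        auths[vendor] += 1
        if r["status"] == "FAIL":
            failures[vendor] += 1
            reasons[r["reason"]] += 1
            if r["reason"] == EAP_TIMEOUT:
                timeout_endpoints[vendor].add(r["mac"].upper())
    return {
        "auths": auths,
        "failures": failures,
        "reasons": reasons,
        "endpoints_with_5411": {v: len(s) for v, s in timeout_endpoints.items()},
    }


def misbehaving_vendors(summary: dict, min_fail_ratio: float = 0.5) -> list:
    """Vendors whose failure ratio meets the threshold, worst first."""
    ranked = []
    for vendor, attempts in summary["auths"].items():
        ratio = summary["failures"][vendor] / attempts
        if ratio >= min_fail_ratio:
            ranked.append((vendor, round(ratio, 2)))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    print("failures by reason:", dict(stats["reasons"]))
    print("endpoints hitting 5411:", stats["endpoints_with_5411"])
    print("worst vendors:", misbehaving_vendors(stats))
```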
Recreating the Issue
(Yes, my wife was absolutely THRILLED that this was completed in the kitchen!!)

Recreating the Issue: devices and OS versions tested
• Devices: Cisco Cius, Galaxy Player, Galaxy TAB 10.1, Galaxy Tab 2, Acer A110 Tab, Google Nexus7, iPod Touch 1Gen, MacBook Pro 17, MacBook Air, Kindle Fire HD, Microsoft Surface, iPad1, iPad2, iPad Mini, iPhone 4, iPhone 5, Nook HD, Win7 Native, WinXP Native, Windows 8 Native
• Android: 2.2.2 / Kernel 2.6.31.6-mrst; 2.3.5 / Kernel 2.6.35.7; 4.0.4 / Kernel 3.1.10; 4.1.1 / Kernel 3.0.31; 4.1.2 / Kernel 3.1.10; 4.2.2 / Kernel 3.1.10-g05b777c
• iOS: 3.1.3 (7E18); 5.1.1 (9B206); 6.0 (10A403); 6.0.1 (10A523); 6.1.2 (10B146); 6.1.3 (10B329)
• Others: Nook 2.1.0; OSX 10.7.5; OSX 10.8.2 (12C30006); Version 7.3.0_user_3013320; WindowsRT; Windows7 Ultimate ServicePack1; WindowsXP SP3; Windows 8 Native Supplicant
Clients Misbehave: Apple Example
• Multiple PSNs (ise1.ise.local, ise2.ise.local)
• Each cert signed by a trusted root
• Apple requires Accept on all certs!
• Results in 5411 / 30sec retry
Sequence (Apple iOS & MacOS Wi-Fi profile, via the NAD/SSID):
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client roams
5. Authentication goes to ISE-2
6. Client prompts for Accept

Solution: Common Cert, Wildcard in SAN
• Allows anything ending with the domain name.
• The same EXACT priv/pub key may be installed on all PSNs

Coining a New Term

Solution: Common Cert, Wildcard in SAN
• CN= psn.ise.local
• SAN contains all PSN FQDNs: psn.ise.local, *.ise.local
• Tested and works with: comodo.com CA, SSL.com CA, Microsoft 2008 CA
• Failed with: GoDaddy CA -- they don't like * in SAN; they don't like non-* in CN
Sequence (ISE-1 and ISE-2 both present psn.ise.local, already trusted):
1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client roams
5. Authentication goes to ISE-2
6. Client already trusts cert
1.4+ Certificate Management Improvements (For Your Reference)
• 'Multi-Use' usage in CSR Generation
• Ability to deselect the usage in Certificate Bind page
• Removal of 'Allow Wildcard Certificate' in Certificate Bind page
• Portal Tag re-assignment
• Multi Delete in CSR, Trust and System Certificate pages
• Enhanced delete error messages in Trust and Portal Certificates
• Wildcard Certificate changes replicated in a deployment
• Showing Portals and Nodes details in System Certificate Listing
• Showing Portals details in CSR, Import, Bind and Edit Certificate pages
• System Certificates Listing: 'Not in Use' for 'Used By' instead of 'Unknown'
Pro Tip: Don't use Internal Domains Anymore
After November 1, 2015 Certificates for Internal Names Will No Longer Be Trusted
In November 2011, the CA/Browser Forum (CA/B) adopted Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates that took effect on July 1, 2012. These requirements state:
• CAs should notify applicants prior to issuance that use of certificates with a Subject Alternative Name (SAN) extension or a Subject Common Name field containing a reserved IP address or internal server name has been deprecated by the CA/B
• CAs should not issue a certificate with an expiration date later than November 1, 2015 with a SAN or Subject Common Name field containing a reserved IP address or internal server name
Source: Digicert - https://www.digicert.com/internal-names.htm

Apple OS's and "Internal Domain Names"
[Diagram: an Apple iOS/MacOS client resolving psn.ise.local: /etc/hosts (psn.ise.local 10.1.100.1), the DNS servers, and Bonjour, which claims the .local domain for multicast DNS]

SSL Certificates for Internal Server Names
• An internal name is a domain or IP address that is part of a private network. Common examples of internal names are:
• Any server name with a non-public domain name suffix. For example, psn.ise.local or server1.ise.internal.
• NetBIOS names or short hostnames, anything without a public domain. For example, Web1, ExchCAS1, or Frodo.
• Any IPv4 address in the RFC 1918 range.
• Any IPv6 address in the RFC 4193 range.
Source: Digicert - https://www.digicert.com/internal-names.htm
Internal CA

Certificate Authority

Internal Certificate Authority (For Your Reference)
Why use ISE as a Certificate Authority?
• Microsoft Public Key Infrastructure via a 2003/2008 Enterprise Server can add significant complexity and expense to an ISE deployment.
Benefits of internal CA:
• Internal CA simplifies ISE deployment
• ISE can deliver certificates directly to endpoints
• No need to rely on integrating ISE to PKI for BYOD cert provisioning
• Internal CA can still work with existing PKI infrastructure
• Closed-loop BYOD solution
• Focused on BYOD and MDM use-cases only, not a general purpose CA

Configuring the Native Certificate Authority (For Your Reference)
• Enabled by default. Yes, that's really it! So easy.
NSP Flow - Internal CA (For Your Reference)
Participants: Employee endpoint on SSID = CORP, the PSN (acting as SCEP RA), and the internal CA.
1. ISE sends the profile to the endpoint: Signing Certificate + User Certificate, Wi-Fi profile with EAP-TLS configured; SCEP password = SessionID + Random
2. CSR is generated on iOS; password = SessionID + Random Key (from ISE)
3. CSR sent to ISE PSN (RA) via SCEP; ISE validates the password challenge (session + random key)
4. CA selection: CPP certificate template = Internal; request sent to the internal CA
5. User certificate issued: CN = AD UserName, SAN = values from template; certificate sent to ISE
6. ISE sends the certificate to the endpoint (Signing Certificate + User Certificate, Wi-Fi profile with EAP-TLS configured)
7. CoA: ReAuth
8. EAP-TLS with the user cert: RADIUS Access-Request, RADIUS Access-Accept

NSP Flow - External CA (For Your Reference)
Participants: Employee endpoint on SSID = CORP, the PSN (acting as SCEP RA), and the external CA.
1. ISE sends the profile to the endpoint: Signing Certificate + User Certificate, Wi-Fi profile with EAP-TLS configured; SCEP password = SessionID + Random
2. CSR is generated on iOS; password = SessionID + Random Key (from ISE)
3. CSR sent to ISE PSN (RA) via SCEP; ISE validates the password challenge (session + random key)
4. CA selection: CPP certificate template = External; SCEP proxy to the external Certificate Authority
5. User certificate issued: CN = AD UserName, SAN = values from template; certificate sent to ISE
6. ISE sends the certificate to the endpoint (Signing Certificate + User Certificate, Wi-Fi profile with EAP-TLS configured)
7. CoA: ReAuth
8. EAP-TLS with the user cert: RADIUS Access-Request, RADIUS Access-Accept
ISE CA: Multiple Personalities/Identities
• Root CA
• Subordinate CA
• OCSP Server
• Registration Authority
Root CA is used to sign the certificates for the Subordinate CAs.

ISE Certificate Authority Architecture
[Diagram: the Primary PAN holds the ISE CA Root CA; each PSN holds a Subordinate CA, a SCEP RA and an OCSP responder; the Standby PAN is shown as another Root CA]
• Subordinate CA signs the actual endpoint certs
• Secondary PAN is another Root CA! Ensure you export from the Primary PAN and import on the Secondary

Node registration process Overview
Each PSN will get three certificates for CA functions:
• Subordinate CA - to sign endpoint certificates
• OCSP - to identify the node with the OCSP service
• Registration Authority (RA) - to identify the sub-CA when requesting certificates for endpoints.
Sequence between PAN and PSN:
1. PSN is joined to the ISE Cube
2. PAN tells PSN to generate 3x CSRs (OCSP, Sub_CA_Endpoint, RA)
3. CSRs are generated on the PSN: OCSP, Sub_CA_Endpoint, Registration Authority
4. 3x CSRs sent to Root CA
5. 3x certificates: OCSP > Root; Sub_CA_EP > Root; RA > Root
• All PSNs are instructed by the PAN to generate the CSRs
• PAN (Root CA) signs all three certs per-node
• Secondary PAN does not generate CSRs to the Root CA
• MnT does not generate any CSRs to the Root CA
Issue & Revoke Endpoint Certificates
• Lists all the endpoint certificates issued by the Internal CA.
• Status - Active, Revoked, Expired
• Quick overview of certificate details, including the template used
• Automatically revoked when an endpoint is marked as "Lost"
• Certificates may be manually revoked

ISE 1.3/1.4 Device w/ Cert Issued By ISE
[Diagram: ISE Cube (PAN, MnT, PSN-1, PSN-2), NGFW and the Internet; the ISE Admin revokes the certificate]
• Admin revokes certificate
• Traffic is still flowing until the next re-auth

ISE 2.0 Device w/ a Cert Issued By ISE
[Diagram: same topology; after the CoA the endpoint's session is cut off]
1. Admin revokes certificate
2. If the cert has an active session, send CoA

CoA-Terminate after Certificate revocation (For Your Reference)
• When an internal-CA-issued endpoint certificate is revoked and an endpoint currently on the network is using that particular certificate, ISE should send a CoA-Terminate to remove it from the network
• ISE will query MnT for all the active sessions based on the certificate serial number and issue CoA on all the active sessions
• After the CoA-Terminate issuance, the endpoint will be disconnected from the network and prohibited from connecting back to the network using the revoked endpoint certificate
• If there are no active sessions for the corresponding endpoint certificate then no CoA will be issued.
Endpoint Certificate Revocation (For Your Reference)
Re-generate the Root CA
• The entire certificate chain can be re-generated if needed.
• Old CA certificates remain in the trust store to ensure authentication of previously provisioned endpoints works successfully.

ISE as an Intermediate CA
• ISE's internal CA can work seamlessly with an existing CA in your deployment.
• Just make it an intermediate CA (sub-ordinate CA) to your existing CA.
• Create a CSR for the ISE node and get a certificate issued by the existing CA.
• Ensure that you get a certificate from your existing CA with Key Certificate signing capabilities (Sub_CA template)
• Ensure the existing Root CA has a tree size >= 3 (ISE is 2-tiers)

Certificate Revocation
Online Certificate Status Protocol (OCSP):
• Preferred method
• Provides near real-time updates
• Allows near real-time request
• Think: policeman checking from the laptop in the squad-car, with a live query into the DMV database.
Certificate Revocation List (CRL):
• A signed document published on a website
• Periodically downloaded and stored locally
• The server examines the CRL to see if the client's cert was revoked already.
• Think: policeman having a list of suspended drivers in his squad car.
Note: ISE does not use the CRL field in the cert, only the local configuration.
Default Internal OCSP Configuration
[Screenshot of the default internal OCSP configuration]

OCSP Check
[Screenshot of the OCSP check]

CA Server status (For Your Reference)
[Screenshot of the CA server status page]

Export CA Certs - ISE 1.3 - 1.4 (For Your Reference)
Exporting the CA certs to a repository produces an encrypted GPG bundle containing four key pairs: Root CA, Sub CA, RA and OCSP.

atw-lab-ise/admin# application configure ise
Selection ISE configuration option
<SNIP>
[7]Export Internal CA Store
[8]Import Internal CA Store
</SNIP>
[12]Exit
7
Export Repository Name: NAS
Enter encryption-key for export: ##########
Export on progress...............
The following 4 CA key pairs were exported to repository 'NAS' at 'ise_ca_key_pairs_of_atw-lab-ise':
Subject:CN=Certificate Services Root CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x10d18efb-92614084-895097f2-9885313b
ISE CA keys export completed successfully

Import of CA Certs - ISE 1.3 - 1.4 (For Your Reference)
Always perform the certificate import to the secondary PAN; this ensures that the same PKI tree is always used.

atw-lab-ise/admin# application configure ise
Selection ISE configuration option
<SNIP>
[7]Export Internal CA Store
[8]Import Internal CA Store
</SNIP>
[12]Exit
8
Import Repository Name: NAS
Enter CA keys file name to import: ise_ca_key_pairs_of_atw-lab-ise
Enter encryption-key: ########
Import on progress...............
The following 4 CA key pairs were imported:
Subject:CN=Certificate Services Root CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x6012831a-16794f11-b1248b9b-c7e199ef
Subject:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x3e4d9644-934843af-b5167e76-cc0256e0
Subject:CN=Certificate Services Endpoint RA - atw-lab-ise
Issuer:CN=Certificate Services Endpoint Sub CA - atw-lab-ise
Serial#:0x13511480-9650401a-8461d9d7-5b8dbe17
Subject:CN=Certificate Services OCSP Responder - atw-lab-ise
Issuer:CN=Certificate Services Root CA - atw-lab-ise
Serial#:0x10d18efb-92614084-895097f2-9885313b
Stopping ISE Certificate Authority Service...
Starting ISE Certificate Authority Service...
ISE CA keys import completed successfully
Native Supplicant Profile (For Your Reference)
[Screenshot of the Native Supplicant Profile configuration]

Certificate Template(s) (For Your Reference)
• Define Internal or External CA
• Set the key sizes
• SAN field options: MAC Address (no free-form adds..)
• Set length of validity

Other Factoids (For Your Reference)
• No temporary revocations (cannot un-revoke); use the blacklist instead
• ISE does not publish a CRL, OCSP only
• ISE does not use the CRL distribution points listed in endpoint certs, it uses the manually configured CRL distribution point
• Cannot selectively enable/disable the CA service on PSNs. All or nothing.
• When issuing a cert from a PSN, it will be subordinate to the PAN
ISE CA: Dual Root Phenomenon - Different Chain of Trust
[Diagram: the S-PAN has been promoted; three PSNs carry Subordinate CA / SCEP RA / OCSP certs chained to the original P-PAN root, while a 4th PSN chains to the S-PAN]
• The 4th PSN was added to the Cube while the S-PAN was temporarily the root.
• Now it is a different chain of trust!

ISE CA: Dual Root Phenomenon - Single Chain of Trust
[Diagram: after the export/import all four PSNs chain to the same root on the promoted PAN]
• Export the Root CA & import it into the S-PAN
• The 4th PSN added to the Cube while the S-PAN was temporarily the root
• S-PAN has the same chain of trust

atw-lab-ise/admin# application configure ise
Selection ISE configuration option
<Snip>
[7]Export Internal CA Store
[8]Import Internal CA Store
</Snip>
[12]Exit
CA Hierarchy in 2.0
• A new certificate type called NODE_CA has been introduced
- ROOT_CA - The Root CA for the entire ISE PKI hierarchy
- NODE_CA - Responsible for issuing the subordinate EP_CA certificate and the OCSP certificate
- EP_CA - Responsible for issuing the endpoints their identity and device certificates
- OCSP - Responsible for signing the OCSP responses
- EP_RA - Registration Authority for SCEP to external CAs

CA Hierarchy in 2.0
• Multi-node deployment with 2 PANs and a single PSN (P-PAN, S-PAN, PSN1; further PSNs PSN2, PSN3 shown)
• The NODE_CA on the Primary and Secondary PAN are signed by the ROOT_CA on the Primary PAN
• The NODE_CA on the Primary PAN is also responsible for signing the EP_CA and OCSP certificate for the PSNs

When does the CA Hierarchy switch from 2 Roots to 1 Root?
• Fresh Install: Single Root Hierarchy for all new installs.
• Upgrade: No changes on upgrade. To switch to the Single Root Hierarchy: Administration > System > Certificate > Certificate Signing Requests > Replace ISE Root CA
Note: If after an upgrade the administrator does not trigger the "Replace ISE Root CA" operation, then any new PSN registering into the deployment will get its EP_CA and OCSP certificates signed by the ROOT CA on the Primary PAN. This behavior is the same as 1.3/1.4.

Example of Exported Keys (For Your Reference)
The following 5 CA key pairs were exported to repository 'disk' at 'ise_ca_key_pairs_of_atw-ise242':
Subject:CN=Certificate Services Root CA - atw-ise242
Issuer:CN=Certificate Services Root CA - atw-ise242
Serial#:0x06c4fb0a-812b4f07-8fc3361a-2c57ae24
Subject:CN=Certificate Services Node CA - atw-ise242
Issuer:CN=Certificate Services Root CA - atw-ise242
Serial#:0x7386ba45-9d754b69-9c82f764-d3263ca7
Subject:CN=Certificate Services Endpoint Sub CA - atw-ise242
Issuer:CN=Certificate Services Node CA - atw-ise242
Serial#:0x793e7b17-a0ec40e7-9bfc47f0-974fc909
Subject:CN=Certificate Services Endpoint RA - atw-ise242
Issuer:CN=Certificate Services Endpoint Sub CA - atw-ise242
Serial#:0x7e3c09ba-9168441f-a16f219f-6e62cbca
Subject:CN=Certificate Services OCSP Responder - atw-ise242
Issuer:CN=Certificate Services Node CA - atw-ise242
Serial#:0x08fcc154-b8414b25-a50ca00d-13994488
ISE CA keys export completed successfully
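An added example (not an ISE tool) that turns the export output above into something checkable: it parses the Subject/Issuer/Serial# triples, walks each certificate up to its self-signed root, and reports whether the store contains more than one root, which is the "Dual Root Phenomenon" from the earlier slides. The 2.0 export text is the deck's own; the second root and the psn4 Sub CA are constructed to show the dual-root case.

```python
"""Rebuild the ISE CA hierarchy from the "Export Internal CA Store" output.

Added example, not an ISE tool. The export menu of "application configure ise"
prints Subject / Issuer / Serial# lines for every CA key pair. This parses
those lines, walks each certificate up to its self-signed root, and flags
the dual-root phenomenon (more than one root in the store, which happens when
a PSN registers while a promoted secondary PAN is the root). EXPORT_2_0 is
the deck's own 2.0 export text; SPARE_ROOT_EXPORT is constructed.
"""
import re

EXPORT_2_0 = """\
The following 5 CA key pairs were exported to repository 'disk' at 'ise_ca_key_pairs_of_atw-ise242':
Subject:CN=Certificate Services Root CA - atw-ise242
Issuer:CN=Certificate Services Root CA - atw-ise242
Serial#:0x06c4fb0a-812b4f07-8fc3361a-2c57ae24
Subject:CN=Certificate Services Node CA - atw-ise242
Issuer:CN=Certificate Services Root CA - atw-ise242
Serial#:0x7386ba45-9d754b69-9c82f764-d3263ca7
Subject:CN=Certificate Services Endpoint Sub CA - atw-ise242
Issuer:CN=Certificate Services Node CA - atw-ise242
Serial#:0x793e7b17-a0ec40e7-9bfc47f0-974fc909
Subject:CN=Certificate Services Endpoint RA - atw-ise242
Issuer:CN=Certificate Services Endpoint Sub CA - atw-ise242
Serial#:0x7e3c09ba-9168441f-a16f219f-6e62cbca
Subject:CN=Certificate Services OCSP Responder - atw-ise242
Issuer:CN=Certificate Services Node CA - atw-ise242
Serial#:0x08fcc154-b8414b25-a50ca00d-13994488
ISE CA keys export completed successfully
"""

# Constructed: the certs a 4th PSN ends up with after registering against a
# promoted secondary PAN that signed them from its own root.
SPARE_ROOT_EXPORT = """\
Subject:CN=Certificate Services Root CA - spare-pan-CONSTRUCTED
Issuer:CN=Certificate Services Root CA - spare-pan-CONSTRUCTED
Serial#:0x00000000-00000000-00000000-00000001
Subject:CN=Certificate Services Endpoint Sub CA - psn4-CONSTRUCTED
Issuer:CN=Certificate Services Root CA - spare-pan-CONSTRUCTED
Serial#:0x00000000-00000000-00000000-00000002
"""

FIELD_RE = re.compile(r"^(Subject|Issuer|Serial#):(.+)$")


def parse_export(text: str) -> list:
    """Return one {'Subject', 'Issuer', 'Serial#'} dict per exported key pair."""
    certs, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # banner and status lines
        current[m.group(1)] = m.group(2).strip()
        if len(current) == 3:
            certs.append(current)
            current = {}
    return certs


def build_chain(certs: list, subject: str) -> list:
    """Subjects from the given certificate up to its self-signed root."""
    by_subject = {c["Subject"]: c for c in certs}
    chain, cur = [], by_subject[subject]
    while True:
        if cur["Subject"] in chain:
            raise ValueError("issuer loop at %s" % cur["Subject"])
        chain.append(cur["Subject"])
        if cur["Subject"] == cur["Issuer"]:
            return chain  # reached a self-signed root
        issuer = cur["Issuer"]
        cur = by_subject.get(issuer)
        if cur is None:
            raise ValueError("broken chain: issuer %s not in store" % issuer)


def roots(certs: list) -> list:
    """Self-signed certificates in the store, sorted by subject."""
    return sorted(c["Subject"] for c in certs if c["Subject"] == c["Issuer"])


def dual_root_report(certs: list) -> dict:
    """More than one self-signed root means two chains of trust in one cube."""
    found = roots(certs)
    return {"roots": found, "dual_root": len(found) > 1}


if __name__ == "__main__":
    store = parse_export(EXPORT_2_0)
    print(build_chain(store, "CN=Certificate Services Endpoint RA - atw-ise242"))
    print(dual_root_report(store + parse_export(SPARE_ROOT_EXPORT)))
```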
Do Not Delete ISE CA Certs
• Will revoke the certificate from the CA
• All endpoint certificates will now be invalid & rejected
• Cannot undo
pxGrid & Grid Certificate
Tips
91
Deployment
pxGrid Bulk Downloads
(peer-to-peer)
WWW
Splunk
>
Controller
1. I need
Bulk Session
Data
FMC
MnT
92
Deployment
pxGrid Bulk Downloads
(peer-to-peer)
WWW
2. Get it
From MnT
3. Direct
Data Transfer
Splunk
>
Controller
FMC
MnT
92
Deployment
pxGrid Topic Extensibility
Topic | Publisher | Subscribers
Session_Directory | MnT | Splunk, FMC, WSA
Vulnerable Hosts | Rapid7 | FMC
Adding a topic:
1. Request: the ISE admin adds a new topic, “Vulnerable Hosts”, with Rapid7 as its publisher.
3. Rapid7 publishes the topic to the controller.
4. The controller announces to the pxGrid clients: new topic available.
Consuming the topic:
1. FMC subscribes to “Vulnerable Hosts”.
2. The data is a direct transfer from the publisher (Rapid7) to the subscriber (FMC), not via the controller.
Deployment
CAVEATS (For Your Reference)
• pxGrid clients must be updated by their vendor to understand the new topic’s schema
• Currently no such extended topics exist; there are a few in the works
• Remember: for bulk downloads, pxGrid clients must trust each other’s certificates, not just the ISE (pxGrid controller) certificate
So, How do we “Certificate-ify” This Scenario?
Deployment
1. Required: 2-way trust between the controller and each pxGrid client
2. IF bulk downloads are used THEN 2-way trust client-to-client as well
3. In other words: a full MESH (“MESS”) of trusts between the controller, Splunk, FMC and MnT
So, How do we “Certificate-ify” This Scenario?
Deployment
1. Use a single Certificate Authority
2. Each pxGrid participant trusts that Certificate Authority
3. Each pxGrid client uses a ‘pxGrid’ certificate from that CA
4. *The controller must still authorize the communication
Instant full mesh trust!
pxGrid Cert = an X.509 certificate that carries both the Client Authentication and Server Authentication policies (EKUs), so a participant is authenticated both when it connects to a peer and when a peer connects to it for a bulk download
pxGrid Certificate Template (MS Cert Authority)
Deployment
Fire & ISE
Deployment
Rapid Threat Containment with Firepower Management Center and ISE
• Fully supported on FMC 5.4 and ISE 1.3+
• Uses pxGrid + Endpoint Protection Services (EPS)
• Note: ANC (Adaptive Network Control) is the next-generation version of the older EPS; the EPS functions are still there for backward compatibility
• Loads as a Remediation Module on FMC
• The Remediation Module takes action via the EPS call through pxGrid
Deployment
Remediation Module from Talos Labs (For Your Reference)
Deployment
Remediation Options (For Your Reference)
• Quarantine: quarantines an endpoint based on source IP address
• portBounce: temporarily bounces the endpoint or host port
• Terminate: terminates the end-user session
• Shutdown: initiates a host port shutdown; this inserts a “shutdown” command on the switch port configuration
• reAuthenticate: re-authenticates the end-user
• UnQuarantine: un-quarantines the endpoint
Deployment
Rapid Threat Containment with Firepower Management Center and ISE
Flow (NGFW, FMC, ISE pxGrid Controller, MnT, network device):
1. Security events / IOCs are reported by the NGFW to FMC
2. FMC correlation rules trigger the remediation action
3. FMC sends a pxGrid EPS action to ISE: Quarantine + Re-Auth
4. ISE assigns the endpoint to Quarantine and sends a CoA-Reauth to the network device
Deployment
Resources for pxGrid / ANC / RTCwFMCnISE (For Your Reference)
• How-To Guide: https://cisco.box.com/s/qfyll81bxtox6j3uyx19dc9u5c777pno
• pxGrid FMC Remediation Module: https://cisco.box.com/s/wds9o1kjnjpqsftggvfsyy1j2etw4udq
• pxGrid FMC Agent File: https://cisco.box.com/s/ehvt7jght1m1o2xg16uvdkumnwiga32k
• Slide Deck: https://cisco.box.com/s/n7lek08048vciytjgg9u09mhsj9dnlyx
• VoD: https://cisco.app.box.com/files/0/f/0/1/f_37758751634
Agenda
• Introduction
• Certificates, Certificates, Certificates
• BYOD in Practice
• Integrating with Cisco and Non-Cisco
• Active Directory Best Practices
• Serviceability & Troubleshooting
• Upgrade Tips from the Field
• Conclusion
BYOD in Practice
BYOD
BYOD Security Practices from the Field
If you can, create an Identity Group for your corporate-owned devices.
• May be populated by .CSV import, or via the REST API
• Uses the Endpoint Identity Group for what it was designed for: MAC address management
Provision different certificates for corporate-owned assets
• Available in ISE 1.3+, or if you use an MDM to distribute the certificates
Don’t trust ONLY the certificate
• That technically authenticates only the device, not the user
BYOD
Android-M (Marshmallow Release) CSCuw03007
Problem: Marshmallow removes
• The ability for apps to read the endpoint’s MAC address
• The ability to update an existing Wi-Fi network configuration (that the app did not create itself)
The Network Setup Assistant (NSA) app needs these permissions for BYOD onboarding:
• The MAC address is used when requesting a certificate (via SCEP)
• The ability to overwrite an existing network is required, since the network being provisioned could already exist on the device (e.g. the single-SSID flow)
Result: Broken BYOD onboarding for Android-M
BYOD
Solution
• NSA app 1.2.47+ uses the MAC address in the profile instead of reading it from the device
• NSA prompts the user to delete/forget the Wi-Fi network via an “overlay” message
BYOD
MDM Integration Tips – Things to Know (For Your Reference)
• ISE caches the previous MDM state in order to grant access at authentication time
• A few seconds later, ISE does a look-up via the MDM API; if there is any change, ISE issues a CoA
• Multiple-MDM deployments rely on MDM redirects to find the correct MDM server
• ISE 1.4 cannot perform an MDM API look-up for a new device without the MDM redirect
• ISE can on-board brown-field devices; there is no need to on-board those devices again (again, this relies on the MDM redirect)
The Opposite of BYOD:
How to differentiate corporate provisioned devices?
BYOD
Corporate Assets (For Your Reference)
Provide differentiated access for IT-managed systems. The decision flow on the slide:
Start Here: is the identity an Employee?
• No: is it a Registered GUEST? No → Access-Reject; Yes → Access-Accept, Internet Only
• Yes: is the endpoint a Domain Member? No → Access-Accept, Internet Only; YES → Access-Accept
BYOD
Identifying the Machine AND the USER
Machine Access Restrictions (MAR)
• MAR provides a mechanism for the RADIUS server to search the previous authentications and look for a machine authentication with the same Calling-Station-ID.
• This means the machine must authenticate before the user.
• I.e. the user must log out rather than use hibernate, etc.
• See the reference slides for more possible limitations.
BYOD
Machine Access Restrictions (MAR)
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
MachineAuth | if Domain Computers | then MachineAuth
Employee | if Employee & WasMachineAuthenticated = true | then Employee
GUEST | if GUEST | then GUEST
Default | if no matches | then WEBAUTH
Flow, machine authentication (SWITCHPORT → NAD → PSN):
1. NAD sends RADIUS Access-Request [EAP-ID=CorpXP-1]
2. PSN: Matched Rule = MachineAuth; MAR cache entry created: Calling-Station-ID 00:11:22:33:44:55 – Passed
3. PSN returns RADIUS Access-Accept [cisco-av-pair] = dACL=Permit-All
BYOD
Machine Access Restrictions (MAR)
Rule table as on the previous slide (IP Phones, MachineAuth, Employee with WasMachineAuthenticated = true, GUEST, Default → WEBAUTH).
Flow, user authentication (SWITCHPORT → NAD → PSN):
1. Supplicant sends EAPoL Start
2. NAD sends RADIUS Access-Request [EAP-ID = Employee1]
3. PSN finds the MAR cache entry for Calling-Station-ID 00:11:22:33:44:55 – Passed; Matched Rule = Employee
4. PSN returns RADIUS Access-Accept [cisco-av-pair] = dACL=Permit-All
BYOD
Machine Access Restrictions (MAR) (For Your Reference)
Potential Issues with MAR
• Wired/Wi-Fi transitions: the Calling-Station-ID (MAC address) is used to link machine and user authentication; the MAC address changes when a laptop moves from wired to wireless, breaking the MAR linkage.
• Machine state caching: the state cache of previous machine authentications is neither persistent across ACS/ISE reboots nor replicated amongst ACS/ISE instances.
• Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different location, or comes back into the office the following day, where the machine-auth cache is not present on the new RADIUS server or has timed out.
BYOD
Machine Access Restrictions (MAR) (For Your Reference)
Potential Issues with MAR (continued)
• Spoofing: the linkage between user authentication and machine authentication is tied to the MAC address only. It is possible for an endpoint to pass user authentication only, using the MAC address of a previously machine-authenticated endpoint.
• MAR description (from the ACS guide):
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354105
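The MAR behaviour and its caveats, as an added example that is not part of the slides and not ISE or ACS code: a small model of the per-node MAR cache and of the rule table above, with one scenario per caveat. The aging time (6 hours), the MAC addresses and the identities are constructed for the example.

```python
"""Machine Access Restriction (MAR) cache model.

Added example, not ISE or ACS code. A machine authentication is remembered
per Calling-Station-ID (the endpoint MAC) for a limited time on the node
that saw it, and a later user authentication only gets the Employee result
when that entry is present. The aging time and the scenario MACs are
constructed; the rule table is the one on the MAR slides.
"""
from dataclasses import dataclass, field

MAR_AGING_SECONDS = 6 * 3600  # assumed aging time for this example


@dataclass
class MarCache:
    """Per-PSN, in-memory cache: not persistent across reboots, not replicated."""
    aging_seconds: int = MAR_AGING_SECONDS
    entries: dict = field(default_factory=dict)  # Calling-Station-ID -> time seen

    def record_machine_auth(self, calling_station_id: str, now: float) -> None:
        self.entries[calling_station_id.upper()] = now

    def was_machine_authenticated(self, calling_station_id: str, now: float) -> bool:
        seen = self.entries.get(calling_station_id.upper())
        return seen is not None and now - seen <= self.aging_seconds


def authorize(cache: MarCache, request: dict, now: float) -> str:
    """Walk the slide's rule table top-down and return the matched rule name.

    request: {"identity": str, "groups": set, "calling_station_id": str}
    """
    groups = request["groups"]
    csid = request["calling_station_id"]
    if "Cisco-IP-Phone" in groups:
        return "IP Phones"
    if "Domain Computers" in groups:
        cache.record_machine_auth(csid, now)  # sets WasMachineAuthenticated for csid
        return "MachineAuth"
    if "Employee" in groups and cache.was_machine_authenticated(csid, now):
        return "Employee"
    if "GUEST" in groups:
        return "GUEST"
    return "Default"  # -> WEBAUTH in the slide's table


def machine_request(mac: str) -> dict:
    return {"identity": "host/CorpXP-1", "groups": {"Domain Computers"}, "calling_station_id": mac}


def user_request(mac: str, identity: str = "Employee1") -> dict:
    return {"identity": identity, "groups": {"Employee"}, "calling_station_id": mac}


WIRED_MAC = "00:11:22:33:44:55"     # constructed
WIRELESS_MAC = "00:11:22:33:44:66"  # constructed: same laptop, other NIC


def scenario_normal() -> list:
    """Machine auth, then user auth from the same MAC a little later."""
    cache = MarCache()
    return [authorize(cache, machine_request(WIRED_MAC), 0),
            authorize(cache, user_request(WIRED_MAC), 30)]


def scenario_wired_to_wireless() -> str:
    """Caveat: the MAC changes, so the MAR linkage is lost."""
    cache = MarCache()
    authorize(cache, machine_request(WIRED_MAC), 0)
    return authorize(cache, user_request(WIRELESS_MAC), 30)


def scenario_new_psn_or_reboot() -> str:
    """Caveat: the cache is per node and volatile, so a fresh PSN has no entry."""
    cache = MarCache()
    authorize(cache, machine_request(WIRED_MAC), 0)
    other_psn = MarCache()  # empty: rebooted, or a different PSN
    return authorize(other_psn, user_request(WIRED_MAC), 30)


def scenario_next_day() -> str:
    """Caveat: hibernate overnight; the entry has aged out."""
    cache = MarCache()
    authorize(cache, machine_request(WIRED_MAC), 0)
    return authorize(cache, user_request(WIRED_MAC), MAR_AGING_SECONDS + 1)


def scenario_spoof() -> str:
    """Caveat: linkage is MAC-only, so a spoofed MAC plus valid user creds passes."""
    cache = MarCache()
    authorize(cache, machine_request(WIRED_MAC), 0)
    attacker = user_request(WIRED_MAC, identity="Employee1")  # attacker's box, spoofed MAC
    return authorize(cache, attacker, 60)
```

The spoofing scenario is the reason the slides move on to EAP-Chaining: nothing in the MAR check proves that the user session runs on the machine that authenticated, only that the MAC matches.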
BYOD
Identifying the Machine AND the User (For Your Reference)
Real Customer Example: Custom DHCP Attribute & use of Profiler
C:\>ipconfig /setclassid "Local Area Connection" CorpXYZ
Windows XP IP Configuration
DHCP ClassId successfully modified for adapter "Local Area Connection"
http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
BYOD
Identifying the Machine AND the User
The next chapter of authentication: EAP-Chaining
• RFC 7170: Tunneled EAP (TEAP)
• Next-generation EAP method that provides all the benefits of current EAP types
• Also provides EAP-Chaining
• http://www.rfc-editor.org/rfc/rfc7170.txt
• Cisco did it YEARS before TEAP was ready: EAP-FASTv2
• AnyConnect 3.1+
• Identity Services Engine 1.1.1+
• **Adopted & in production at organizations world-wide!
• The only true chain of machine + user
BYOD
EAP-Chaining
With AnyConnect 3.1.1 and ISE 1.1.1
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
MachineAuth | if Domain Computers | then MachineAuth
Employee | if Employee & Network Access:EAPChainingResult = User and machine succeeded | then Employee
GUEST | if GUEST | then GUEST
Default | if no matches | then WEBAUTH
1. Machine authenticates
2. ISE issues the machine authorization PAC
Flow (SWITCHPORT ↔ NAD ↔ PSN):
• Supplicant: EAPoL Start
• NAD → supplicant: EAP-Request:TLV; supplicant → NAD: EAP-Response TLV = “Machine”
• NAD → PSN: RADIUS Access-Request [EAP-Tunnel = FAST]
• PSN → NAD: RADIUS Access-Challenge [EAP-TLV = “Machine”]
• NAD → PSN: RADIUS Access-Request [EAP-TLV = “Machine”] [EAP-ID=Corp-Win7-1]
• PSN → NAD: RADIUS Access-Accept + PAC; NAD → supplicant: EAP Success
BYOD
EAP-Chaining
With AnyConnect 3.1.1 and ISE 1.1.1
Rule table as on the previous slide (Employee requires Network Access:EAPChainingResult = User and machine succeeded).
3. User authenticates
4. ISE receives the machine PAC
5. ISE issues the user authorization PAC
Flow (SWITCHPORT ↔ NAD ↔ PSN):
• Supplicant: EAPoL Start
• NAD → supplicant: EAP-Request:TLV; supplicant → NAD: PAC + EAP-Response TLV = “User”
• NAD → PSN: RADIUS Access-Request [EAP-Tunnel = FAST] carrying the machine PAC
• PSN → NAD: RADIUS Access-Challenge [EAP-TLV = “Machine”]
• NAD → PSN: RADIUS Access-Request [EAP-TLV = “User”] [EAP-ID=Employee1]
• PSN → NAD: RADIUS Access-Accept + PAC; NAD → supplicant: EAP Success
BYOD
EAP-Chaining FAQ (For Your Reference)
Q: I use MSCHAPv2 today, can I use that with EAP-Chaining?
A: TEAP & EAP-FAST are tunneled EAP methodologies; you may use whichever inner methods you would like, as long as both the supplicant and the RADIUS server support the protocol(s), i.e. EAP-TLS, EAP-MSCHAPv2, EAP-GTC.
Q: What supplicants support EAP-Chaining today?
A: Today, only Cisco AnyConnect NAM has support, through EAP-FASTv2. Please talk to your OS vendors about supporting TEAP in their native supplicants!
Q: Can I chain certificates with username/passwords?
A: Yes! You may mix and match the machine and user credential types however you see fit, i.e. machine certificate + user certificate, machine certificate + username/password, or machine password + username/password, etc.
BYOD
Identifying the Machine AND the User
What to do when EAP-Chaining is not available?
• There are many needs to determine the machine AND the user
• Windows is the only current OS that can run EAP-Chaining (with AnyConnect); what about iOS- or Android-based tablets?
• Chain together 802.1X with Centralized Web Authentication (CWA)
• 802.1X can validate the device using a user-issued certificate
• CWA then validates the ‘actual user’ with username/password, smartcard or another method that validates the user
BYOD
Mobile Device w/ Certificate: What identifies the actual user?
802.1X and CWA Chaining
BYOD
Rule Name | Conditions | Permissions
IP Phones | if Cisco-IP-Phone | then Cisco_IP_Phone
Employee_CWA | if AD:ExternalGroup=Employees AND CWA:CWA_ExternalGroup=Employees | then Employee & SGT
Employee_1X | if Employee & Network Access:EAPAuthentication = EAP-TLS | then CWAchain
Default | if no matches | then WEBAUTH
1. EAP-TLS authentication
2. ISE sends Access-Accept with URL-Redirect
Flow (SWITCHPORT ↔ NAD ↔ PSN):
• Supplicant → NAD: EAP-ID Response
• NAD → PSN: RADIUS Access-Request [EAP-Protocol = “TLS”]; certificate CN=employee1, cert is valid
• PSN → NAD: RADIUS Access-Accept [AVP: url-redirect, dacl] (the CWAchain result of Employee_1X)
Session data after step 2: User Identity = employee1; User Group = employees
802.1X and CWA Chaining
BYOD
Rule table as on the previous slide.
3. User enters username/password at the CWA portal (BobSmith / xxxxxxxxx)
4. ISE sends CoA-reauth
Flow (SWITCHPORT ↔ NAD ↔ PSN):
• PSN → NAD: RADIUS CoA [AVP: reauth]
• NAD → supplicant: EAP-ID Request
Session data after step 3: User Identity = employee1; User Group = employees; CWA Identity = BobSmith; CWA Group = employees
802.1X and CWA Chaining
BYOD
Rule table as on the previous slides.
3. User enters username/password
4. ISE sends CoA-reauth
5. Supplicant responds with its certificate
6. ISE sends Access-Accept with dACL & SGT
Flow (SWITCHPORT ↔ NAD ↔ PSN):
• Supplicant → NAD: EAP-ID Response
• NAD → PSN: RADIUS Access-Request [EAP-Protocol = “TLS”]; certificate CN=employee1, cert is valid
• PSN → NAD: RADIUS Access-Accept [AVP: dacl + SGT]; access granted (Employee_CWA now matches)
Session data: User Identity = employee1; User Group = employees; CWA Identity = BobSmith; CWA Group = employees
Following the Flow (For Your Reference)
BYOD
1. Initial EAP-TLS Auth: Redirection to CWA Portal
2. WebAuth from User: CoA (not required to be a different username)
3. Final Auth with Full Result: Final Authorization
See the NW Blog for more on User vs. Machine
Non-Cisco NAD Integration
Session IDs and Sessionization
Deployment
Cisco Session ID
Also known as Audit Session ID or CPM Session ID
C0A8013C 00000618 B3C1CAFB
NAS IP Address | Session Count | Time Stamp
• 96 bits / 12 bytes (concatenation of three 32-bit fields), written as 24 hex characters
• The Audit Session ID is created when the NAD sends the RADIUS authentication request to the RADIUS server
• Used for correlation of events (i.e. RADIUS + HT
• Used for Change of Authorization (CoA)
Cisco Session ID
Deployment
• The glue that binds the client session to the access device and to ISE
• Can persist across multiple RADIUS Access-Requests and re-auth events
Where the same session ID shows up:
• NAD: “show authentication session”
• ISE: Detailed Authentication Report (RADIUS)
• Browser: URL-redirect for Web Auth, e.g.
https://ise14.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&portal=&action=cwa
Deployment
Cisco Session ID vs ACS Session ID (For Your Reference)
• Cisco Session ID – also known as CPM or Audit Session ID. Can persist across multiple RADIUS Access-Requests and re-auth events.
• AcsSessionID is a legacy session ID – its lifetime is from the first Access-Request until the Access-Accept/Access-Reject. AcsSessionID is constructed from an ISE-node-unique prefix and a counter.
Cisco Session ID vs IETF RADIUS Accounting Session ID
• Cisco Session ID: EDCS-509295; 12 bytes; can traverse multiple IETF Acct-Session-Ids
• IETF Acct-Session-Id: RFC 2866
Deployment
cat3750x#sh auth sess int gi1/0/9 det
            Interface:  GigabitEthernet1/0/9
          MAC Address:  0050.56a0.0b3a
         IPv6 Address:  Unknown
         IPv4 Address:  10.1.10.101
            User-Name:  00-50-56-A0-0B-3A
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A010A010000009751894E3B
      Acct Session ID:  0x000000A6
               Handle:  0x4900006F
       Current Policy:  POLICY_Gi1/0/9
Local Policies:
 Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
Server Policies:
              ACS ACL:  xACSACLx-IP-AD_LOGIN_ACCESS-55f5cb00
Method status list:
       Method           State
IETF Acct-Session-Id (For Your Reference)
• https://tools.ietf.org/html/rfc2866#section-5.5
• >= 3 octets/bytes
• Unique per RADIUS Accounting Start → Stop
• ISE supports BOTH since 1.0 FCS
Deployment
Cisco Session-ID for 3rd Party NADs (New in 2.0)
• A synthesized Cisco Session-ID is created when the NAD does not send Cisco-AVPair:Audit-Session-ID
• 24-byte ASCII string built from Calling-Station-Id (attr 31), NAS-Port (attr 5) and NAS-IP-Address (attr 4)
Example: A45E60EB9A450033AC108601
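Decoding the three session identifiers shown on these slides (the Audit Session ID, the ISE 2.0 synthesized ID, and the session ID carried in the CWA URL-redirect), as an added example that is not part of the slides and not Cisco code. The field order for the Audit Session ID is the one the slide gives; the field widths for the synthesized ID are assumed from the slide's sample (12 hex characters of MAC, 4 of NAS-Port, 8 of NAS-IP). The sample IDs and URL are the ones printed on the slides.

```python
"""Decode the session identifiers that ISE and Cisco NADs pass around.

Added example, not from the slides and not Cisco code. It splits the
Cisco Audit Session ID (a.k.a. CPM or Common Session ID) into NAS IP
address, session count and time stamp; splits the ISE 2.0 synthesized
ID for NADs that do not send an Audit-Session-ID (field widths assumed
from the slide's sample: 12 hex chars of Calling-Station-Id, 4 of
NAS-Port, 8 of NAS-IP-Address); and pulls the PSN FQDN, port, portal,
flow type and session ID out of a CWA URL-redirect.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

HEX24 = re.compile(r"[0-9A-Fa-f]{24}")


def parse_audit_session_id(sid: str) -> dict:
    """NAS-IP (8 hex) | session counter (8 hex) | time stamp (8 hex)."""
    if not HEX24.fullmatch(sid):
        raise ValueError(f"not a 24-hex-character audit session id: {sid!r}")
    return {
        "nas_ip": str(ipaddress.IPv4Address(int(sid[0:8], 16))),
        "session_count": int(sid[8:16], 16),
        # Raw NAD time stamp. Treat it as opaque: the 3750X sample decodes to a
        # Unix epoch in May 2013, the other slide sample does not.
        "timestamp": int(sid[16:24], 16),
    }


def parse_synthesized_session_id(sid: str) -> dict:
    """ISE 2.0 ID for 3rd-party NADs (assumed layout MAC | NAS-Port | NAS-IP)."""
    if not HEX24.fullmatch(sid):
        raise ValueError(f"not a 24-character synthesized session id: {sid!r}")
    return {
        "calling_station_id": ":".join(sid[i:i + 2].upper() for i in range(0, 12, 2)),
        "nas_port": int(sid[12:16], 16),
        "nas_ip": str(ipaddress.IPv4Address(int(sid[16:24], 16))),
    }


def parse_redirect_url(url: str) -> dict:
    """Recover the PSN-specific pieces of a dynamic URL-redirect."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    session_id = None
    # On the slide the session ID is a bare query token; accept it either as a
    # key or as a value so a sessionId=... form is handled as well.
    for key, values in query.items():
        for candidate in (key, *values):
            if HEX24.fullmatch(candidate):
                session_id = candidate.upper()
    return {
        "psn_fqdn": parts.hostname,
        "port": parts.port,
        "portal": query.get("portal", [""])[0],
        "flow": query.get("action", [""])[0],
        "session_id": session_id,
        "audit": parse_audit_session_id(session_id) if session_id else None,
    }


if __name__ == "__main__":
    print(parse_audit_session_id("C0A8013C00000618B3C1CAFB"))
    print(parse_audit_session_id("0A010A010000009751894E3B"))
    print(parse_synthesized_session_id("A45E60EB9A450033AC108601"))
    print(parse_redirect_url("https://ise14.example.com:8443/guestportal/gateway"
                             "?C0A8013C00000618B3C1CAFB&portal=&action=cwa"))
```

Decoding the NAS IP out of the ID is what lets you tell, from a Live Log entry or a redirect URL alone, which NAD owns the session you are about to send a CoA to.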
Change of Authorization
Deployment
Change of Authorization (CoA)
• RFC 3576 (Cisco, Microsoft) defined “Dynamic Authorization”, commonly known as Change of Authorization (CoA). Updated in RFC 5176 (Cisco, MS, RSA).
• Finally the policy server has the ability to initiate communication into the network device.
• Previously, RADIUS only allowed flows from the NAD → policy server.
• Only 1 useful CoA message type (before the Cisco extensions): the CoA Disconnect Message (CoA-DM)
Advanced CoAs
• Cisco Advanced CoAs (+/- 3 years before these become standards):
• Reauth
• Quarantine
• Terminate with Port Shut Down
• Port Bounce (helps tremendously with non-802.1X devices)
• SAnet Session Query
Deployment
What would happen with only CoA-DM messaging (wireless endpoint 00-00-0C-00-00-01 on SSID Corp, via AP / CAPWAP / WLC):
Step 1: AuthC to SSID Corp (802.1X authentication)
Step 2: AuthZ result = Quarantine (posture unknown → Internet-Only)
Step 3: NAC posture communication (endpoint becomes compliant)
Step 4: CoA-DM
Step 5: Disconnected from SSID
RFC 5176 (Obsoletes RFC 3576)
Deployment
Dynamic Authorization Extensions to RADIUS
• Disconnect Message (DM), also known as “Packet of Disconnect (PoD)” or “CoA Session Terminate”
• Terminates user session(s) on a NAS and discards all associated session context
• Disconnect-Request → Disconnect-ACK/NAK
• Change-of-Authorization (CoA) Messages, also known as “Authorize Only” or “CoA Push”
• CoA-Request packets contain information for dynamically changing session authorizations
• CoA-Request → CoA-ACK/NAK
RFC 5176
2.1. Disconnect Messages (DMs)
Deployment (For Your Reference)
A Disconnect-Request packet is sent by the Dynamic Authorization Client in order to terminate user session(s) on a NAS and discard all associated session context. The Disconnect-Request packet is sent to UDP port 3799, and identifies the NAS as well as the user session(s) to be terminated by inclusion of the identification attributes described in Section 3.
The NAS responds to a Disconnect-Request packet sent by a Dynamic Authorization Client with a Disconnect-ACK if all associated session context is discarded and the user session(s) are no longer connected, or a Disconnect-NAK, if the NAS was unable to disconnect one or more sessions and discard all associated session context. A Disconnect-ACK MAY contain the Acct-Terminate-Cause (49) Attribute [RFC2866] with the value set to 6 for Admin-Reset.
RFC 5176
2.2. Change-of-Authorization (CoA) Messages
Deployment (For Your Reference)
CoA-Request packets contain information for dynamically changing session authorizations. Typically, this is used to change data filters. The data filters can be of either the ingress or egress kind, and are sent in addition to the identification attributes as described in Section 3. The port used and packet format (described in Section 2.3) are the same as those for Disconnect-Request packets.
The following attributes MAY be sent in a CoA-Request:
Filter-ID (11) - Indicates the name of a data filter list to be applied for the session(s) that the identification attributes map to.
NAS-Filter-Rule (92) - Provides a filter list to be applied for the session(s) that the identification attributes map to [RFC4849].
The NAS responds to a CoA-Request sent by a Dynamic Authorization Client with a CoA-ACK if the NAS is able to successfully change the authorizations for the user session(s), or a CoA-NAK if the CoA-Request is unsuccessful. A NAS MUST respond to a CoA-Request including a Service-Type Attribute with an unsupported value with a CoA-NAK; an Error-Cause Attribute with value "Unsupported Service" SHOULD be included.
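The Disconnect-Request and CoA-Request exchange described in the RFC excerpts above, as an added example that is not part of the slides and not ISE or NAD code: it builds the packets a Dynamic Authorization Client (the role ISE plays) sends to UDP/3799, computes the Request Authenticator the way RFC 5176 section 2.3 specifies, and verifies the Response Authenticator on the NAS's ACK/NAK. Session identification uses Calling-Station-Id (31), Acct-Session-Id (44) and a Cisco-AVPair VSA (vendor 9, type 1); the "audit-session-id=" and "subscriber:command=reauthenticate" AVPair strings are the forms Cisco IOS documents for its CoA extensions and are not part of the base RFC. The shared secret and session values are constructed; build_response() stands in for the NAS so the verifier can be exercised offline.

```python
"""RFC 5176 Disconnect-Request / CoA-Request builder and ACK verifier.

Added example, not ISE or NAD code. Shared secret, MAC and session IDs
are constructed for the example; build_response() plays the NAS.
"""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID, ACCT_SESSION_ID, VENDOR_SPECIFIC = 31, 44, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco-AVPair = VSA type 1 under vendor 9
COA_PORT = 3799
ZERO_AUTHENTICATOR = bytes(16)


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (including the 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26): Vendor-Id 9, then vendor type 1 (cisco-avpair) TLV."""
    payload = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_header(packet: bytes) -> tuple:
    """(code, identifier, length) from the 4-byte RADIUS header."""
    return struct.unpack("!BBH", packet[:4])


def build_request(code: int, identifier: int, attributes: list, secret: bytes) -> bytes:
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # RFC 5176 2.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + request attributes + secret)
    authenticator = hashlib.md5(header + ZERO_AUTHENTICATOR + body + secret).digest()
    return header + authenticator + body


def build_response(code: int, request: bytes, attributes: list, secret: bytes) -> bytes:
    """What the NAS sends back; the Identifier is copied from the request."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    # RFC 5176 2.3: Response Authenticator =
    #   MD5(Code + Identifier + Length + RequestAuth + response attributes + secret)
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept an ACK/NAK only for our Identifier and with a valid authenticator."""
    if len(response) < 20:
        return False
    code, identifier, length = parse_header(response)
    if length != len(response) or identifier != request[1]:
        return False
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK, COA_ACK, COA_NAK):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_request(audit_session_id: str, mac: str, acct_session_id: str,
                       secret: bytes, identifier: int = 1) -> bytes:
    """Packet of Disconnect: tear the session down and discard its context."""
    return build_request(DISCONNECT_REQUEST, identifier, [
        attr(CALLING_STATION_ID, mac.encode()),
        attr(ACCT_SESSION_ID, acct_session_id.encode()),
        cisco_avpair(f"audit-session-id={audit_session_id}"),
    ], secret)


def reauth_request(audit_session_id: str, secret: bytes, identifier: int = 2) -> bytes:
    """CoA-Request carrying Cisco's reauthenticate command (a Cisco extension)."""
    return build_request(COA_REQUEST, identifier, [
        cisco_avpair(f"audit-session-id={audit_session_id}"),
        cisco_avpair("subscriber:command=reauthenticate"),
    ], secret)


def send_to_nas(nas_ip: str, packet: bytes, secret: bytes, timeout: float = 3.0) -> bool:
    """Send one request to UDP/3799 on the NAS and verify the reply (not run on import)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nas_ip, COA_PORT))
        reply, _ = sock.recvfrom(4096)
    return verify_response(packet, reply, secret)
```

The verifier refuses a reply whose Identifier does not match, whose Length disagrees with the datagram, or whose authenticator was not computed over our Request Authenticator with the shared secret; a CoA client that skips that check will happily believe a spoofed ACK.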
CoA Examples
Deployment
• Cisco Wireless Example
• Aruba Wireless Example: Disconnect and Reauth at the same time? Huh? …more on this under the NAD Profiles topic…
• RFC 5176 “CoA Push” (For Your Reference): the example shows the Authorization Result “pushed” to the NAD as part of the CoA, not as a result of a Reauth.
URL Redirection
Deployment
URL Redirection as a RADIUS Authorization
• URL Redirection has become a key technology for the seamless integration of multiple services with the strong authentication capabilities of 802.1X and the flexible authentications of RADIUS.
• This has been critical to successfully creating and maintaining a positive end-user experience.
Deployment
Dynamic URL Redirection
Dynamic redirection instructs the endpoint to “Come back to me — the RADIUS session owner — and here is the Session ID to include in the request”
The URL Redirection includes PSN-specific…
• FQDN
• Portal
• SessionID
• Port Number
• Flow Type (CWA, CPP, etc.)
Deployment
Where URL Redirection is Used
• Posture Discovery
• NAC agents (any vendor) have a need to “find” the NAC server to communicate posture
• There is also the complication of what to do when no agent is installed
• Need to
• Captive Portal
• The URL Redirection with Session Awareness is critical to a successful transition of states (changes of authorization) during web logins and authentications
• Device Registration / Onboarding
• Mobile Device Management Integration
• Supplicant & Certificate Provisioning
Deployment
URL Redirection
Cisco found it was CRITICAL to customer success to accomplish this at the L2 edge
Inefficient at Scale w/o Sessionization
Deployment
RADIUS Server-Farm 1 / RADIUS Server-Farm 2 / Network Device / 802.1X Authentication
• Posture must be replicated to the box making the decision before the decision is made
• How busy are the boxes? Will replication happen fast enough? Too many unknowns!!!!
Deployment
Efficiency w/ URL-Redir & Sessionization
RADIUS Server-Farm 1 / RADIUS Server-Farm 2 / Network Device / 802.1X Authentication
• Posture/profiling is sent automatically to the PSN that owns the login
• No replication race conditions exist & no replication is needed
MAC Authentication Bypass (MAB)
MAB is NOT A STANDARD!
Deployment
ISE and Endpoint Lookup
• ISE maintains separate User and Endpoint “stores”.
• By default, the endpoint store may only be accessed if the incoming request was identified as a MAB (Service-Type = Call-Check).
• The user store may be queried at any time.
• For MAB, ISE also ignores the username/password fields and uses the Calling-Station-Id (the MAC address of the endpoint).
Why?
• Security! Before this, malicious users would be able to put a MAC address into the username & password fields of WebAuth (or, on non-Cisco switches, even in the supplicant identity).
Deployment
Why Restrict MAB to Calling-Station-ID?
Without the restriction: a RADIUS Access-Request with uname: 11:22:33:44:55:66 | pwd 11:22:33:44:55:66 would be looked up against internal IDs that are a mix of Users & Endpoints, so a MAC address typed into the username/password fields matches the endpoint 11:22:33:44:55:66.
Note: it is possible to configure a supplicant to do the same thing!
Deployment
Cisco MAB – MAC Authentication Bypass
With the restriction: a RADIUS Access-Request with Service-Type = Call-Check is MAB, and its Calling-Station-Id (= MAC) is looked up in the Endpoints store; everything else is looked up in the Users store.
Deployment
MAB Compatibility Settings (For Your Reference)
• ISE 1.2 included changes for non-Cisco device (3rd-party MAB) handling
• Relevant for PAP, CHAP and EAP-MD5
• Identity (User-Name) = MAC address
• Check Password: checking of the trivial MAB password authenticates the sending network device, where Password = User-Name = MAC address
• Check Calling-Station-Id equals MAC address: when the Calling-Station-Id is being sent, keep this check enabled as an extra safeguard
Deployment
MAB Settings Reference (For Your Reference)
Process Host Lookup: Used for MAC auth bypass of Cisco devices. Will allow User-Name lookup of a MAC address in the endpoints store. It will also check that RADIUS Calling-Station-Id equals the MAC address and that Service-Type equals Call-Check.
Detect <protocol> as Host Lookup: Used for MAC auth bypass of non-Cisco devices. Will allow User-Name lookup of a MAC address in the endpoints store.
Check Password: Checking of the trivial MAB password authenticates the sending network device. Disabling this setting is not recommended.
Password format: The default setting “%User-Name%” uses the MAC address in the User-Name as the password to check. Only modify it if the network device adds other characters to the password, e.g. “.%User-Name%.” means the User-Name with periods (full stops) on either side.
Check Calling-Station-Id equals MAC address: When the Calling-Station-Id is being sent, keep this check enabled as an extra safeguard.
Deployment
ISE 1.2-1.4 Method for 3rd Party MAB
• Many 3rd parties use Service-Type = Login for 802.1X, MAB and WebAuth
• Some 3rd parties do not populate Calling-Station-ID with the MAC address
• With ISE 1.2, MAB can work with different Service-Type, Calling-Station-ID values, and “password” settings (Cisco vs. 3rd party)
• Recommendation: keep as many checkboxes enabled as possible for increased security
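The host-lookup decision and the Check Password / Calling-Station-Id safeguards described on the MAB slides above, as an added example that is not part of the slides and not ISE code. It classifies constructed RADIUS Access-Requests into the store they may hit: a Cisco MAB (Service-Type = Call-Check), a WebAuth login with a MAC typed into the username and password fields, a 3rd-party MAB that uses Service-Type = Login with a ".%User-Name%." password format, and a supplicant that spoofs a MAC in its identity while its real Calling-Station-Id differs. The MabSettings names mirror the checkboxes on the settings reference slide; the sample requests are constructed.

```python
"""ISE-style MAB host-lookup checks on RADIUS Access-Requests.

Added example, not ISE code. A request reaches the endpoint store only
when it is recognised as a host lookup (Service-Type = Call-Check for
Cisco NADs, or a protocol configured as "Detect <protocol> as Host
Lookup" for 3rd-party NADs), and the Check Password / Calling-Station-Id
safeguards reject a request where someone merely typed a MAC address
into the username and password fields. Sample requests are constructed.
"""
import re
from dataclasses import dataclass, field

_MAC_CHARS = re.compile(r"[0-9A-Fa-f:.\-]+")


def normalize_mac(value):
    """Return AA:BB:CC:DD:EE:FF for any common MAC notation, else None."""
    if not value or not _MAC_CHARS.fullmatch(value):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MabSettings:
    """The checkboxes from the MAB settings reference slide."""
    process_host_lookup: bool = True                          # Cisco: Service-Type = Call-Check
    detect_as_host_lookup: set = field(default_factory=set)   # e.g. {"PAP"} for 3rd-party NADs
    check_password: bool = True
    password_format: str = "%User-Name%"
    check_calling_station_id: bool = True


def classify(request: dict, settings: MabSettings) -> dict:
    """Decide which identity store the request may hit, and why.

    request keys: Service-Type, User-Name, User-Password, Calling-Station-Id, protocol
    """
    is_host_lookup = (
        (settings.process_host_lookup and request.get("Service-Type") == "Call-Check")
        or request.get("protocol") in settings.detect_as_host_lookup
    )
    if not is_host_lookup:
        # Username/password are looked up as a *user*; the endpoint store is off limits
        return {"store": "users", "mab": False, "reason": "not a host lookup"}
    mac = normalize_mac(request.get("User-Name"))
    if mac is None:
        return {"store": None, "mab": False, "reason": "User-Name is not a MAC address"}
    if settings.check_password:
        expected = settings.password_format.replace("%User-Name%", request["User-Name"])
        if request.get("User-Password") != expected:
            return {"store": None, "mab": False, "reason": "MAB password does not match format"}
    if settings.check_calling_station_id and request.get("Calling-Station-Id") is not None:
        if normalize_mac(request["Calling-Station-Id"]) != mac:
            return {"store": None, "mab": False, "reason": "Calling-Station-Id != User-Name MAC"}
    return {"store": "endpoints", "mab": True, "lookup": mac, "reason": "host lookup"}


# Constructed sample requests
CISCO_MAB = {"Service-Type": "Call-Check", "User-Name": "005056a00b3a",
             "User-Password": "005056a00b3a", "Calling-Station-Id": "00-50-56-A0-0B-3A",
             "protocol": "PAP"}
WEBAUTH_WITH_MAC = {"Service-Type": "Login", "User-Name": "11:22:33:44:55:66",
                    "User-Password": "11:22:33:44:55:66", "Calling-Station-Id": "AA:BB:CC:DD:EE:FF",
                    "protocol": "PAP"}
THIRD_PARTY_MAB = {"Service-Type": "Login", "User-Name": "001122334455",
                   "User-Password": ".001122334455.", "Calling-Station-Id": "00-11-22-33-44-55",
                   "protocol": "PAP"}
SPOOFED_SUPPLICANT = {"Service-Type": "Call-Check", "User-Name": "00:50:56:a0:0b:3a",
                      "User-Password": "00:50:56:a0:0b:3a", "Calling-Station-Id": "DE:AD:BE:EF:00:01",
                      "protocol": "PAP"}
```

The last sample is the case the Calling-Station-Id check exists for: with the check disabled the request is accepted as a MAB for 00:50:56:A0:0B:3A even though the frame came from a different MAC.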
Set up a Policy Set for 3rd Party NADs
Deployment
• Create a separate Policy Set for 3rd-party devices, to keep a clean policy table and separate unrelated policy results
• Use Network Device Groups to make the distinction
3rd Party MAB Authentication Policy
Deployment
ISE 1.2-1.4 Example
• Policy Set condition: Network Device Group = “Third Party”
• For “better” security, lock PAP & CHAP into MAB lookups (Internal Endpoints)
• All other authentications are sent to an Identity Sequence (Internal Users > Guest > AD)
• Deny non-matches
Deployment
Third Party Vendors VSA Attributes
Available since ISE 1.0
• You may import other RADIUS dictionaries into ISE: Policy > Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors
• FreeRADIUS dictionaries work: https://github.com/FreeRADIUS/freeradius-server/tree/master/share
Authorization Profiles for Third Party
Deployment (For Your Reference)
Go to “Advanced Attribute Settings” to use the 3rd-party dictionaries
MAB and VSA Support Matrix (For Your Reference)
All data subject to vendor hardware/software versions!
Vendor | Service-Type | CID = MAC? | PW = UN? | ACL | VLAN | Redirect | CoA
Alcatel Wired | Call-Check | N | Y (CHAP) | None | Alcatel-Lucent:Alcatel-Auth-Group | Dynamic | N
Alcatel Wired (OmniSwitch docs) | Call-Check | Y | Y | Filter-Id = Universal Network Profile (UNP) | IETF | Dynamic (Alcatel-Redirect-URL) | Y (3576)
Aruba Wireless | Login | Y (PAP) | N | Aruba:Aruba-User-Role | Aruba:Aruba-User-Vlan | Static | Y (3576)
Aruba Wireless (6.4.2.5+) | Call-Check | Y | N | Aruba:Aruba-User-Role | Aruba:Aruba-User-Vlan | Static | Y (3576)
Avaya/Nortel Wired | Login | N | N | ? | IETF | ? | ?
Cisco Wired | Call-Check | Y | N | dACL / Filter-Id / inacl (Nas-Filter-Rule?) | IETF | Dynamic | Y (3576/Cisco)
Cisco Wireless | Call-Check | Y | N | Airespace:Airespace-ACL-Name | IETF / Airespace-Wlan-Id | Dynamic | Y (3576/Cisco)
HP (ProCurve) Wired | Framed / Call-Check | ? / Y (CHAP) | ? / Y (CHAP) | Filter-Id / Nas-Filter-Rule | IETF | Static | Y (3576)
HP (H3C) Wired | Call-Check | N (CHAP) / Y (PAP) | Y (CHAP) / N (PAP) | None (Filter-Id) | IETF | None | Y (3576)
HP (H3C) Wireless | Call-Check | Y (PAP) | N | None | IETF | Dynamic | Y (3576)
Juniper EX Wired | Login | Y | Y | IETF Filter-Id | IETF | Static (but unworthy) | Y (3576)
ISE 2.0 & 3rd Party NADs
How Does Cisco Deviate from Standards? (For Your Reference)
Deployment
• Session ID -> IETF RADIUS Accounting Session ID (RFC 2866)
• Cisco supports both RFC 2866 and the Cisco Audit Session ID
• URL Redirection/Captive Portal -> NO STANDARD, BUT…
• ISE 2.0 supports specific vendor implementations of URL Redirection
• Different methods are used by Cisco and 3rd-party vendors:
• Redirect as a RADIUS Authorization (Cisco, Motorola)
• Local NAD Redirect (Cisco-LWA, Aruba, HP, others)
• L3/Inline device (Cisco NAC Appliance, WSA, IOS/ASA Auth Proxy, IPN)
• DHCP/DNS sinkholes (PacketFence)
• CoA -> IETF RADIUS CoA (RFC 3576 -> 5176)
• Cisco CoA was “pre-standard” before 2.0; ISE 2.0 adds support for RFC 5176 and a configurable CoA port
• Note that many Cisco NADs already support RFC 3576 / 5176
• MAB -> NO STANDARD, BUT…
• ISE 1.2 supports different vendor implementations of MAB
• ISE 2.0 includes pre-built profiles for different vendor implementations of MAB
Deployment
How Does ISE 2.0 Deviate from Standards? (For Your Reference)
Feature/Function | Cisco Compliance with Standard
IETF RADIUS AAA | Yes
3rd-Party RADIUS Dictionaries | Yes (ISE 2.0 includes many 3rd-party dictionaries out-of-the-box)
IETF RADIUS Session ID | Yes
IETF RADIUS CoA | Yes (ISE 2.0 adds RFC 5176 support)
IEEE 802.1X | Yes
URL Redirection / Captive Portal | No Standard (ISE 2.0 Phase 1 supports specific vendor implementations)
MAC Authentication / MAC Auth Bypass (MAB) | No Standard (ISE 1.2 supports different vendor implementations)
NAD Profiles
Deployment
3rd Party Work Flow (For Your Reference)
NAD Profile components: Dynamic MAB, VLAN, ACL, Smart Policy Eval, URL Redirect, Attribute Aliasing, CoA
On the PSN:
• Look up the NAD profile for the access device
• Dynamically match the auth flow (MAB, 802.1X, Web Auth)
• Match conditions on user-friendly names (attribute aliases)
• Apply common or vendor-specific permissions: VLAN, ACL, URL-Redirect, CoA
• Smart policy applies policy according to the NAD’s capabilities
Network Device Profiles
Deployment
• Ready-to-use 3rd-party packages
• Create new profiles “from scratch” or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
NAD Profiles
Protocols and Dictionaries
• Define the protocols and services supported by NADs using this profile
• Specify the vendor and select all relevant dictionaries; the IETF RADIUS dictionary is included by default
• Optionally change the icon associated with the vendor/profile
Deployment
NAD Profiles
Templates define NAD characteristics, capabilities and feature support:
• RADIUS attributes that define the MAB / 1X / Web flows
• Attribute aliases
• MAB lookup settings
• RADIUS authorization attributes – VLAN / ACL
• CoA type, port, timers for Disconnect / Reauth / Push
• URL Redirect type (Static/Dynamic) and URI format
• Generate new policy elements based on the profile
Summary of Feature Support
3rd-Party NADs – Supported Features (For Your Reference)
Deployment
Features vary by vendor, platform, and version!
• AAA: 802.1X (since 1.0), MAB (since 1.2), LWA to local portal (since 1.0)
• CoA
• Profiling (with CoA)
• Guest: Hotspot, Central Web Authentication (CWA), sponsored guest flow, self-registration guest flow, ISE-hosted portals
• Posture
• BYOD: device registration, supplicant provisioning, certificate provisioning, self-service device management (MyDevices), single/dual SSID
• TrustSec: dynamic SGT and SXP listener
Deployment
Current Vendor Test Results (For Your Reference)
Supported / validated use cases:
Vendor | Verified Series | Tested Model / Firmware | CoA | Profiler | Posture | Guest/BYOD
Aruba Wireless | 7000, InstantAP | 7005-US / 6.4.1.0 | ✔ | ✔ | ✔ | ✔
Motorola Wireless | RFS 4000 | Wing v5.5 | ✔ | ✔ | ✔ | ✔
HP Wireless | 830 (H3C) | 8P / 3507P35 | ✔ | ✔ | ✔ | ✔
HP Wired | HP 5500 HI Switch Series (H3C) | A5500-24G-4SFP HI / 5.20.99 | ✔ | ✖ | ✖ | ✖
HP Wired | HP 3800 Switch Series (ProCurve) | 3800-24G-POE-2SFP (J9573A) / KA.15.16.0006 | ✖ | ✖ | ✖ | ✖
Brocade Wired | ICX 6610 | 24 / 08.0.20aT7f3 | ✔ | ✔ | ✖ | ✖
Ruckus Wireless | ZD1200 | 9.9.0.0 build 205 | ✔ | ✔ | ✖ | ✖
Column notes: Profiler requires CoA support; Posture requires CoA & URL-redirect support; Guest/BYOD requires CoA & URL-redirect support.
Additional 3rd-party NAD support:
• Requires identification of the device’s properties/capabilities and creation of a custom NAD profile in ISE. A more detailed guide is to be published.
Agenda
• Introduction
• Certificates, Certificates, Certificates
• BYOD in Practice
• Integrating with Cisco and Non-Cisco
• Active Directory Best Practices
• Serviceability & Troubleshooting
• Upgrade Tips from the Field
• Conclusion
Active Directory Best Practices
Thanks to: Christopher Murray
See also BRKSEC-2132 What's new in ISE Active Directory connector (Wed 16:30)
Active Directory
What would make your life easier?
• Having worked on 100s of cases
• The majority of AD ones were environmental
• I was thinking what would be the best piece of advice?
• AD and its dependencies are complex with many variables…
Serviceability: ISE 1.3+
Serviceability User Stories
• To make ISE easier to troubleshoot
• To make ISE easier to deploy
• To make ISE easier to use
Our Goal… Always:
Serviceability – Tree View
• AuthC Protocols
• Identity Store
Serviceability – Filters in Live Log & Live Sessions
• At long last! Regex in filters
Serviceability – Right Click in Live Log & Live Sessions
• Adds Right-Click > Copy for the Endpoint ID & Identity fields in Live Log
Serviceability – Debug Endpoint
• Creates a debug file of all activity for all services related to that specific endpoint
• Executes on, and is stored per, PSN
• Can be downloaded as separate files per PSN
• Or merged as a single file
Serviceability – Bypass Suppression From Live-Log
• Ensures that all activity for the endpoint shows in Live Log
• Removes the endpoint from the “Reject Anomalous Endpoints” conviction
• SOOOO USEFUL!!
Serviceability – Off-Line Examination of Configuration
• Exportable policy
• Quick link to Export page
• Exports as XML
Serviceability – VMware OVA Templates!
• Finally! We have supported OVA templates
• Ensures customers will not mis-configure their VMware settings
• Preset: reservations, vCPUs, storage
• Based on the following specs:
  ISE-1.4.x.x-Eval-100-endpoint.ova: 4 CPU cores, 4 GB RAM, 200 GB disk, 4 NICs
  ISE-1.4.x.x-Virtual-SNS-3415.ova: 4 CPU cores, 16 GB RAM, 600 GB disk, 4 NICs
  ISE-1.4.x.x-Virtual-SNS-3495.ova: 8 CPU cores, 32 GB RAM, 600 GB disk, 4 NICs
Serviceability – Set Logging Levels to Default
Serviceability – Test Repository from GUI
Serviceability – Test Button for Feed Service
Serviceability – Certificate Details
• See complete chain
• Certificate status
• Scroll through details
Serviceability – Certificate View showing incomplete trust chain
Serviceability – Certificate View showing certificate expiration warning
Cisco
Support Tunnels
Customer Location
s.tunnels.ironport.com
Bastion
Internet
SSH to Tunnels Server
Enable Tunnel
Set Key
Internal
tunnels.ironport.com
SSH Tunnel established to Cisco Datacenter
Establishes
Session
ISE Admin
SSH and Port Forwarding for HTTPS
TAC Engineer
Serviceability – Tabular View of Processes (For Your Reference)
Upgrade Tips from the Field
Only upgrade what you must; reinstall the rest.
Upgrading ISE to 1.4
Supported starting releases:
• Cisco ISE, Release 1.2 patch 14 or later
• Cisco ISE, Release 1.2.1 patch 5 or later
• Cisco ISE, Release 1.3 or later
(Diagram: existing “Cube” with PAN1, PAN2, MNT1, MNT2 and PSNs**)
Upgrade – Step 1: Upgrade S-PAN first, then S-MnT
(Diagram: PAN2 and MNT2 move to the new 1.4.0 Cube; PAN1, MNT1 and PSNs** remain in the existing “Cube”)
Upgrade – Step 2 (Optional): Install patch on PAN & MnT + TEST
(Diagram: new 1.4 patched Cube with PAN2 and MNT2; existing “Cube” with PAN1, MNT1 and PSNs**)
TEST, TEST, TEST
Do your post-upgrade procedures from the install doc:
http://www.cisco.com/c/en/us/td/docs/security/ise/13/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_13_chapter_0100.html
Upgrade – Step 3: Install ISE 1.4 cleanly on PSN2
(Diagram: PSN2 becomes a 1.4 standalone; existing “Cube” keeps PAN1, MNT1 and PSNs**; new 1.4 patched Cube has PAN2 and MNT2)
• Install patch before you join to Cube
• *Don’t allow PSN2 to receive RADIUS yet
Upgrade – Step 4: Join the PSN to the new Cube
• *Join PSN to Domain after it joins the Cube
Upgrade – Step 5: Join the PSN to the new Cube
(Diagram: PSN1 becomes a 1.4 standalone)
• Install patch before you join to Cube
• *Don’t allow PSN1 to receive RADIUS yet
Upgrade – Guest Upgrade/Migration
Upgrade/Migration Experience (For Your Reference)
• HTML/CSS/Logos are copied to the upgraded portal directory
  – Images: /portals/<portal_id>/images
  – CSS: /portals/<portal_id>/custom
  – HTML: /portals/<portal_id>/custom
• References within HTML files have to be updated to the new directory structure
• If the migration has problems due to advanced customization, or due to references to another flow or file path, you will need to build a new portal in 1.3
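As an added example (not part of the deck or of ISE itself), the following script scans a migrated portal’s HTML for local references that fall outside the new /portals/<portal_id>/images and /portals/<portal_id>/custom directories, so stale references can be found before the redirect is cut over. The portal_id "guest1" and the legacy paths in the sample are constructed placeholders.

```python
# Added example, not from the deck or from ISE: find local image/CSS/script
# references in migrated portal HTML that are outside the new directory layout.
from html.parser import HTMLParser
import re


class RefCollector(HTMLParser):
    """Collect src/href values from <img>, <link> and <script> tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "link", "script"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.refs.append(value)


def stale_references(html, portal_id):
    """Return local references not under the migrated portal's directories."""
    allowed = (f"/portals/{portal_id}/images/", f"/portals/{portal_id}/custom/")
    parser = RefCollector()
    parser.feed(html)
    stale = []
    for ref in parser.refs:
        if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", ref):
            continue  # absolute http(s)/data URLs are not portal files
        if not ref.startswith(allowed):
            stale.append(ref)
    return stale


# Constructed sample: "guest1" is a placeholder portal_id and the legacy paths
# are made up for illustration, not real ISE 1.2 paths.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/portals/guest1/custom/style.css">
<link rel="stylesheet" href="/legacy-portal/old.css">
</head><body>
<img src="/portals/guest1/images/logo.png">
<img src="../images/banner.png">
<script src="https://cdn.example.invalid/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(stale_references(SAMPLE_HTML, "guest1"))
```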
Upgrade – Upgrade/Migration Experience – Migrated Portal (For Your Reference)
• Previously customized HTML pages are copied in as an existing portal
• Pages that are migrated are not accessible for further edits (read-only)
• Outside of the upgrade process, there are no tools to export/import old HTML pages
• To edit an HTML portal that has been migrated, you will need to rebuild it in the new portal format
Upgrade – Best Practice for 1.2.x (or below)
• Create brand-new portals in 1.3+
• Cut over the redirect to the new portal when ready
• Nuke the older portals from orbit
Upgrade – Key Migration Concepts (For Your Reference)
1. Not all 1.2 values have an equivalent setting in 1.3
2. New 1.3 items that don’t have a 1.2 equivalent will be set to default values
3. 1.3 Guest Types ~= 1.2 Guest Roles + 1.2 Time Profiles
4. AD Sponsor Group members mapped to 1.3 GUID after admin rejoins AD
5. Guest User Time Zones are input to 1.3 Global Location Settings
6. No 1.2 SSID information is ported to 1.3
7. 1.3 Password Policies have separate lower and upper Alphabetic options
8. Optional Data fields under Guest Details Policy migrated to Global Custom Fields
9. Authorization Profiles: url-redirect format changed (hotspot)
10. Authorization Policy: addition of new Guest Type Identity Groups for existing Identity Group for a policy
ISE 2.0+: Better Upgrades!
Upgrade – New Upgrade (screenshots)
Pro Tip: Combining AND & OR
Policy Tips & Tricks – Combining AND with OR in AuthZ Policies
• Cannot mix?? 
• Advanced Editing: use the Advanced Editor
• Advanced Editing: Simple Conditions
Pro Tip: WLC Best Practices
Tips & Tricks – Network Device Versions
• TAC Recommended AireOS
  https://supportforums.cisco.com/document/12481821/tacrecommended-aireos
• Switches
  – Use the ISE compatibility matrix along with recommended CCO switch versions.
  – http://www.cisco.com/c/en/us/support/security/identity-services-engine/productsdevice-support-tables-list.html
Tips & Tricks – WLC Recommended Configuration (For Your Reference)
• Do not configure interim accounting to ISE servers
  – Interim accounting is set by default when needed by ISE
  – Increases load with no added benefit
  – Pre 8.0: leave the interim accounting setting disabled
  – Post 8.0: check the interim accounting box with a timer of 0 seconds
• Use public certificates on ISE and the WLC Virtual IP to reduce client messaging.
• When using an Anchor/Foreign setup, do not configure AAA on the Anchor Controller.
Tips & Tricks – Recommended WLC Timers (For Your Reference)
• Idle timeout: leave global at 300 seconds; open networks 300 seconds; dot1x networks 3600s can be used
• Client Exclusions: enable them and set for 180 seconds
• Session Timeout: set it per security policy, preferably 7200+ seconds
• Aggressive Failover: disabling reduces load on ISE but can increase failover times
• Configure Fast Secure Roaming to reduce RADIUS load during roam
• Advanced EAP Timers:
    config advanced eap identity-request-timeout 3
    config advanced eap identity-request-retries 10
    config advanced eap request-timeout 3
    config advanced eap request-retries 10
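As an added example (not from the session deck), the script below audits a WLC configuration dump against the Advanced EAP timers listed above and the version-dependent interim-accounting rule from the previous slide. The input format, one "config ..." line per setting plus a "version X.Y" line, is a constructed sample rather than real AireOS output, and the interim-update line is hypothetical; adapt the regexes to what your controller actually prints.

```python
# Added example, not from the deck: check a WLC config dump against the
# recommended EAP timers and the pre/post 8.0 interim-accounting rule.
import re

RECOMMENDED_EAP = {  # values from the "Advanced EAP Timers" slide
    "identity-request-timeout": 3,
    "identity-request-retries": 10,
    "request-timeout": 3,
    "request-retries": 10,
}
EAP_RE = re.compile(r"^config advanced eap (\S+) (\d+)$")
VERSION_RE = re.compile(r"^version (\d+)\.(\d+)")
# Hypothetical line carrying the interim-accounting state and timer (seconds).
ACCT_RE = re.compile(r"^config radius acct interim-update (enable|disable)(?: (\d+))?$")


def check_wlc_config(text):
    """Return findings as strings; an empty list means the dump matches the slides."""
    eap, version, acct, findings = {}, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := EAP_RE.match(line):
            eap[m.group(1)] = int(m.group(2))
        elif m := VERSION_RE.match(line):
            version = int(m.group(1))  # AireOS major release decides the rule
        elif m := ACCT_RE.match(line):
            acct = (m.group(1), int(m.group(2) or 0))
    for key, want in RECOMMENDED_EAP.items():
        got = eap.get(key)
        if got != want:
            shown = "unset" if got is None else got
            findings.append(f"eap {key}: {shown}, recommended {want}")
    if version is None or acct is None:
        findings.append("interim accounting: version or setting not found, cannot evaluate")
    elif version < 8 and acct[0] == "enable":
        findings.append("interim accounting: enabled on pre-8.0 code, recommended disabled")
    elif version >= 8 and acct != ("enable", 0):
        findings.append("interim accounting: on 8.0+ enable it with a 0 second timer")
    return findings


# Constructed sample: a 7.6 controller with interim accounting on, one retry
# counter at a non-recommended value and one EAP timer missing entirely.
SAMPLE_DUMP = """\
version 7.6.130.0
config radius acct interim-update enable 600
config advanced eap identity-request-timeout 3
config advanced eap identity-request-retries 20
config advanced eap request-timeout 3
"""

if __name__ == "__main__":
    for finding in check_wlc_config(SAMPLE_DUMP):
        print(finding)
```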
Agenda
• Introduction
• Certificates, Certificates, Certificates
• BYOD in Practice
• Integrating with Cisco and Non-Cisco
• Active Directory Best Practices
• Serviceability & Troubleshooting
• Staged Deployments (Time Permitting)
• Conclusion
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Shameless Plug
Recommended Reading
• Buy our book, help us afford more beer!
  http://amzn.com/1587144263
  http://amzn.com/1587143259
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 5 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
@aaronwoland #CLEUR
loxx@cisco.com
**Please tell me what you thought
Thank you