SISAS Slides Book

Embed Size (px)

DESCRIPTION

SISAS Slides Book

Citation preview

  • CCNP Security

    Implementing Cisco Secure Access Solutions

    (300-208 SISAS)

  • TrustSec Overview

    TrustSec: a system of multiple products deployed to secure access to the network regardless of its type
    - Identity Services Engine (ISE)
    - NAD: switch, WLC, ASA or ISR router
    - Supplicant
    - External ID Store

    The key technology used in TrustSec is 802.1x; there are three phases (modes) of deployment:
    1. Monitor
    2. Low Impact
    3. Closed

    Other TrustSec technologies: Profiling, Guest Services, Posture & Client Provisioning

  • ISE Licensing

    ISE Licenses determine the following:
    - Type of supported deployment (wired/wireless/VPN)
    - Available features (e.g. posture, profiling)
    - Number of supported endpoints (100, 250, 500, ..., 100 000)

    Account for the number of employees, devices per employee, used switchports, APs, etc.

    Types of ISE Licenses:
    1. Evaluation (90 days): full feature support for wired+wireless+VPN access, up to 100 endpoints
    2. Base (perpetual): basic AAA, guest management & link encryption for wired+wireless+VPN
    3. Advanced (1/3/5 years): full feature support for wired+wireless+VPN access
    4. Wireless (1/3/5 years): full feature support for wireless only
    5. Wireless Upgrade (1/3/5 years): installed on top of the Wireless license to enable wired+VPN access

  • ISE Architecture

    ISE Overview: the fundamental TrustSec component

    Combines several devices/technologies into a single unit: Cisco Secure ACS, NAC Manager/Server/Collector/Guest Server/Profiler

    Available in two different flavors:
    1. Physical Appliance
       - 3315, 3355, 3395: End of Life
       - Cisco Secure Network Server 3415 (small companies) and 3495 (large companies)
    2. VMware ESX/ESXi 4.x and 5.x image

  • ISE Architecture

    Key Features
    - Identity Enforcement: discover, classify & locate connecting endpoints
    - Identity Management (RADIUS): offers strong policy enforcement; TACACS+ is not supported as of the current code release (1.2)
    - Guest Management Service: includes the My Devices portal for device onboarding/registration
    - Posture Services (NAC): supports auto-remediation and periodic reassessment

  • ISE Architecture

    ISE Deployment Terminology
    - Node: a single ISE instance (appliance or VMware)
    - Node Type: ISE Node or Inline Posture
    - Persona: determines the services provided by an ISE Node
      1. Administration (Policy Administration Node, PAN)
      2. Monitoring (Monitoring Node, MNT)
      3. Policy (Policy Services Node, PSN)
      An Inline Posture Node (IPN) cannot assume any Persona
    - Role: affects the total number of supported endpoints
      - By default each ISE Node has the Standalone Role (PAN + MNT + PSN)
      - A PAN and/or MNT Node (not PSN) can have the Primary/Secondary Role for redundancy

  • ISE Architecture

    Deployment Modes & High Availability
    - Small Networks: a standalone device (or two for redundancy); the Active/Primary device handles all Personas; 2000 to 10 000 endpoints are supported depending on the ISE platform
    - Medium Networks: PAN+MNT on a single ISE (two can be used for redundancy); dedicated PSNs (up to 5); up to 10 000 endpoints are supported depending on the platform
    - Large Networks: dedicated PAN, MNT and PSN units; a Secondary PAN & MNT can be added for redundancy; up to 100k (3395) or 250k (3495) endpoints are supported in total

  • ISE Architecture

    ISE Design
    - Centralized: all nodes are physically located in one location; the recommended deployment
    - Distributed: nodes are dispersed across multiple locations (mostly PSNs); PAN & MNT devices are typically kept in a central location

  • ISE Architecture

    Centralized Design

  • ISE Architecture

    Distributed Design

  • Identity Stores

    Identity Store Types:
    - Local: Internal Users, Internal Endpoints, Certificate Store
    - External: Active Directory, LDAP Stores, RSA SecurID Server

    Lightweight Directory Access Protocol (LDAP) vs Active Directory
    - LDAP is a protocol used to access directories. It uses TCP/UDP port 389
    - Active Directory is Microsoft's Directory Service implementation (+more)

  • AAA Basics

    AAA Basics: an architectural framework for configuring three different security functions
    1. Authentication
    2. Authorization
    3. Accounting

    Authentication is the process of verifying someone's identity
    - Multiple factors (elements) can be used, such as passwords, token cards, biometrics
    Authorization is used to determine the level of access for the user (enforcing a policy)
    - For example, access to a particular service or command can be given or not
    Accounting is the process of tracking a user's activity
    - For example, what services the user accessed and when

  • AAA Basics

    AAA Security Protocols

    RADIUS
    1. Transport: UDP 1645/1646 (legacy) or 1812/1813
    2. Encryption: the user's password only. Usernames, services etc. are sent in the clear
    3. Protocol Design: combines Authentication with Authorization. No command authorization
    4. Standardization: industry standard

    TACACS+
    1. Transport: TCP 49
    2. Encryption: the entire body (username & password). Only the header is sent in the clear
    3. Protocol Design: separates all AAA functions. Supports command authorization
    4. Standardization: Cisco proprietary

  • RADIUS Attributes

    RADIUS Attributes: standard-defined protocol structures used to carry information between AAA Clients & Server
    - There are 255 attributes defined by the original specification (most pre-defined)
    - Each attribute stores a certain value (implemented as a TLV)
    - One attribute (#26 or 0x1A), called Vendor-Specific, has a special usage

    Vendor Specific Attribute (VSA)
    - Allows vendors to define a set of 255 additional attributes to carry vendor-specific data
    - It is composed of Vendor-ID, Vendor Type, Vendor Length and the attribute data
    - An example of a Cisco-specific attribute is Cisco AV-Pair (Vendor-ID 9, Vendor Type 1)

    Cisco AV-Pair
    - Designed to extend RADIUS authorization capabilities with TACACS+ features
    - Formatted as protocol:attribute=value, e.g. shell:priv-lvl=15
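    The attribute layout above, as an added example (not code from the slides): a RADIUS attribute TLV encoder/decoder that wraps a Cisco AV-Pair in a Vendor-Specific Attribute and extracts it again, rejecting malformed lengths on the way. The sample attribute list is constructed.

```python
# Added example (not from the slides): encode and decode a RADIUS attribute
# list containing a Vendor-Specific Attribute (type 26) that carries a
# Cisco AV-Pair (Vendor-ID 9, Vendor-Type 1), e.g. "shell:priv-lvl=15".
# Layout follows RFC 2865: attribute = Type(1) Length(1) Value, and the
# VSA value = Vendor-ID(4) Vendor-Type(1) Vendor-Length(1) data.
import struct

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV; Length covers Type, Length and Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap a Cisco AV-Pair string in a Vendor-Specific attribute."""
    data = avpair.encode("ascii")
    if not 0 < len(data) <= 247:          # 253 - 4 (Vendor-ID) - 2 (vendor T+L)
        raise ValueError("AV-Pair too long for a single VSA")
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(data) + 2) + data
    return encode_attribute(ATTR_VENDOR_SPECIFIC,
                            struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv)


def decode_attributes(buf: bytes):
    """Walk an attribute list; yield (type, value) and reject bad lengths."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", buf, off)
        if length < 2 or off + length > len(buf):
            raise ValueError(f"bad attribute length {length} at offset {off}")
        yield attr_type, buf[off + 2:off + length]
        off += length


def decode_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, list(decode_attributes(value[4:]))


def cisco_avpairs(buf: bytes) -> dict:
    """Return {protocol:attribute -> value} for every Cisco AV-Pair in the list."""
    pairs = {}
    for attr_type, value in decode_attributes(buf):
        if attr_type != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, sub = decode_vsa(value)
        if vendor_id != CISCO_VENDOR_ID:
            continue
        for vtype, data in sub:
            if vtype == CISCO_AVPAIR_TYPE:
                proto_attr, _, val = data.decode("ascii").partition("=")
                pairs[proto_attr] = val
    return pairs


if __name__ == "__main__":
    # Constructed sample: User-Name followed by a shell:priv-lvl=15 AV-Pair
    sample = encode_attribute(ATTR_USER_NAME, b"admin") + encode_cisco_avpair("shell:priv-lvl=15")
    print(sample.hex())
    print(cisco_avpairs(sample))
```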

  • AAA Basics

    Cisco Secure ACS 5.3: a centralized solution for AAA services
    - User management
    - Administrative access, and more

    ACS 5.3 Characteristics
    - Available as a 1-RU hardware appliance or VMware ESX/ESXi software image
    - RADIUS & TACACS+ Server
    - Networking devices act as AAA Clients (Network Access Servers, NASes)
    - Supports integration with existing databases (Active Directory, LDAP)
    - Uses a rule-based Policy Model (as opposed to the user/group-based model seen in ACS 4.2)
      - Policy logic is decoupled from users/groups
      - Authorization rules are used to enforce the policy (IF condition THEN result)

  • AAA Configuration

    AAA Configuration
    - Initialize the AAA framework (aaa new-model)
    - Define a Method List (the method/database to use for a particular AAA service, e.g. login or exec)
      - The Default Method List is automatically enabled/applied to all lines/protocols; a user-defined list is not
      - A user-defined list, once applied/enabled, overrides the Default Method List
      - How a user-defined list is enabled depends on the service; e.g. authorization is applied under a line
      1. Authentication (aaa authentication service [name|default] method)
      2. Authorization (aaa authorization service [name|default] method)
      3. Accounting (aaa accounting service [name|default] method)
    - Configure the NAS for RADIUS/TACACS+ (radius-server/tacacs-server) or the LOCAL database
    - Configure the AAA Server (ACS or ISE)

  • AAA Configuration

    Authentication

    Commonly used Authentication services:
    1. IEEE 802.1x (dot1x)
    2. Enable password (enable)
    3. Login (login)
       - A user-defined login method list must be applied to a line via login authentication

    Fallback Authentication works by specifying multiple methods in a single list. For example:

    aaa authentication login default group tacacs+ local

    Subsequent methods are checked only when no response is received from the first database (or an error is returned)

  • AAA Configuration

    Authorization

    Commonly used Authorization services:
    1. Network (network)
    2. EXEC/Shell (exec)
    3. Command (commands)
       - Remember about aaa authorization config-commands

    EXEC and Command lists must be applied to a line via authorization exec/commands
    Authorization for the Console Line is disabled by default (no aaa authorization console)
    Fallback Authorization can be configured. E.g.:

    aaa authorization exec default group tacacs+ local

  • AAA Configuration

    EXEC Authorization
    1. Should the user be given access to the EXEC Shell?
    2. What Shell attributes should be assigned to the user? For example:
       - Privilege Level (username privilege)
       - CLI View (username view)
       - Auto Command (username autocommand)
    Supported by the RADIUS, TACACS+ and LOCAL databases

    Command Authorization
    - Used to check whether a particular CLI command should be available to a user
    - The LOCAL database can be used to mimic this feature
      - By default all commands reside at privilege levels 0, 1 and 15
    - Real Command Authorization comes with TACACS+

  • AAA Configuration

    Accounting

    Commonly used Accounting services:
    1. EXEC/Shell (exec)
       - The start-stop option sends an accounting record at the beginning and at the end of the session
       - The stop-only option sends an accounting record only at the end
    2. Command (commands)

    EXEC and Command lists must be applied to a line via accounting exec/commands
    The only two methods supported for accounting are RADIUS and TACACS+

  • Wireless Security Fundamentals

    Fundamental Wireless Security Solutions

    Layer 1
    - Client Exclusions (association, 802.1x authC failures, WebAuth failures, IP theft/reuse)
    - Disabling SSID broadcasts

    Layer 2
    - Authentication & Key Management: 802.1x
    - Encryption & Integrity: WEP (never use it), WPA and WPA2
    - WPA and WPA2 can be configured in one of two modes:
      a. Personal (PSK)
      b. Enterprise (requires 802.1x)

    Layer 3
    - IPSec
    - Web Authentication (WebAuth)

  • Wireless Security Fundamentals

    Other Solutions
    - MAC Filtering: local or with a RADIUS server
    - Access-Lists
      - ACL direction (inbound, outbound) is based on the WLC's perspective
      - Can be applied per-user, to an interface, to an entire WLAN or to the WLC's CPU
    - Management Frame Protection (MFP): protects management packets
    - Rogue Management: detects, classifies and possibly contains rogue Access Points
    - AAA Override: enables Identity Networking

  • Wireless Security Fundamentals

    RADIUS Authentication Methods
    - Non-EAP protocols (PAP, CHAP, MS-CHAPv1, MS-CHAPv2)
    - EAP protocols, Key Based:
      a. EAP-MD5: one-way client authentication with a password. Vulnerable to MiTM attacks (the attacker sees the challenge and the hash)
      b. Lightweight Extensible Authentication Protocol (LEAP): used in wireless networks only. Offers username-password mutual authentication
      c. EAP-FAST: uses Protected Access Credentials (PAC) as a shared secret. Provides mutual authentication (encrypted within the PAC tunnel). More secure than LEAP (it was designed to replace LEAP)

  • Wireless Security Fundamentals

    RADIUS Authentication Methods
    - EAP protocols, Certificate Based:
      a. Protected Extensible Authentication Protocol (PEAP): first a TLS tunnel is negotiated (the server sends its certificate to the client). Then an inner method is used for authentication (EAP-MSCHAPv2, EAP-GTC or EAP-TLS). Provides mutual authentication
      b. EAP-TLS: offers mutual certificate-based authentication (SSL v3.0). More complex to implement due to client-side certificates. One of the most secure EAP standards. The client-side certificate's private key may be stored on a Smart Card for maximum security

  • Central Web Authentication (CWA)

    Central Web Authentication (CWA): useful in Low Impact & Closed Mode as a last-resort authentication method (e.g. for guests)

    CWA workflow:
    1. The user connects to the port/associates with the AP
    2. MAB occurs (either success or fail) and the CWA Authorization Rule is matched (ISE)
       - For failed MAB to work, make sure Continue is set for the User Not Found option
    3. RADIUS returns the Redirection ACL name + Redirection URL (ISE Guest Portal webpage)
    4. The user opens a web browser and gets redirected to the ISE Guest Portal
    5. Successful authentication triggers CoA (UDP 3799); L2 reauthentication occurs (user)
    6. Upon successful authentication a new authorization rule is matched and a new policy is returned

  • Central Web Authentication (CWA)

    CWA considerations

    Redirection ACL
    - DHCP & DNS traffic should NOT be redirected
    - Switch: permit entries determine what to redirect (deny DNS, permit HTTP, HTTPS)
    - WLC: deny entries determine what to redirect (permit DNS and DHCP, deny the rest)

    Authorization Rules
    - To avoid a Redirection Loop, a portal-authenticated user should match a new AuthZ Rule. Two ways to accomplish this:
      1. Match the guest-assigned ID Group
      2. Match the Advanced Condition Network Access:UseCase Equals GuestFlow
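    The inverted switch/WLC redirect-ACL semantics above, as an added example (not code from the slides): a small model that evaluates constructed redirect ACLs against sample flows and flags the common mistake of copying a switch-style ACL onto a WLC, which redirects DNS and DHCP and so leaves guests unable to reach the portal. Entry and flow types are simplified and constructed for illustration.

```python
# Added example (not from the slides): model how a CWA redirect ACL is
# interpreted on a Catalyst switch versus on a WLC, so the same intent can be
# checked against sample flows before deployment. Entries, flows and names are
# constructed; real ACL syntax and matching are richer than this.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "ip" (any protocol)
    dport: Optional[int] = None  # None = any destination port

    def matches(self, f: Flow) -> bool:
        return self.proto in ("ip", f.proto) and self.dport in (None, f.dport)


def first_match(acl: List[Entry], f: Flow) -> Optional[Entry]:
    """ACLs are evaluated top-down; the first matching entry decides."""
    return next((e for e in acl if e.matches(f)), None)


def redirected_on_switch(acl: List[Entry], f: Flow) -> bool:
    """Switch: a 'permit' hit means redirect; deny or no match passes through."""
    e = first_match(acl, f)
    return e is not None and e.action == "permit"


def redirected_on_wlc(acl: List[Entry], f: Flow) -> bool:
    """WLC: a 'deny' hit (including the implicit deny) means redirect."""
    e = first_match(acl, f)
    return e is None or e.action == "deny"


# Constructed redirect ACLs expressing the same intent on each platform:
# never redirect DHCP/DNS, redirect web traffic to the guest portal.
SWITCH_REDIRECT_ACL = [
    Entry("deny", "udp", 53),
    Entry("deny", "udp", 67),
    Entry("permit", "tcp", 80),
    Entry("permit", "tcp", 443),
]
WLC_REDIRECT_ACL = [
    Entry("permit", "udp", 53),
    Entry("permit", "udp", 67),
    # implicit deny at the end: everything else (HTTP, HTTPS, ...) is redirected
]

SAMPLE_FLOWS = {
    "dns": Flow("udp", 53),
    "dhcp": Flow("udp", 67),
    "http": Flow("tcp", 80),
    "https": Flow("tcp", 443),
    "ssh": Flow("tcp", 22),
}


def redirect_table(acl: List[Entry], platform: str) -> dict:
    """Map each sample flow name to True (redirected) / False (not redirected)."""
    fn = redirected_on_switch if platform == "switch" else redirected_on_wlc
    return {name: fn(acl, f) for name, f in SAMPLE_FLOWS.items()}


def check_portal_reachability(acl: List[Entry], platform: str) -> List[str]:
    """Names of the flows (DNS/DHCP) that would be redirected and so break the portal."""
    table = redirect_table(acl, platform)
    return [name for name in ("dns", "dhcp") if table[name]]


if __name__ == "__main__":
    print("switch:", redirect_table(SWITCH_REDIRECT_ACL, "switch"))
    print("wlc:   ", redirect_table(WLC_REDIRECT_ACL, "wlc"))
    # Common mistake: a switch-style ACL on a WLC redirects DNS and DHCP
    print("switch ACL on WLC breaks:", check_portal_reachability(SWITCH_REDIRECT_ACL, "wlc"))
```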

  • Guest Services

    ISE Guest Services: exposes two different Web Portals designed to streamline the entire Guest User lifecycle
    1. Sponsor: used to create, update and manage Guest Accounts (guests)
    2. Guest: used for guest user authentication. Optionally self-registration may be configured (no need for sponsors)

    Multiple Sponsor Groups/Profiles can be created; this way different sponsor users can assign guests to different roles (ID Group)
    Sponsor users are authenticated locally or via an External DB

  • ISE Profiling

    Profiling: the process of detecting, classifying & localizing endpoints connecting/connected to the network
    - There are multiple methods used to discover devices & their attributes (aka Probes)
    - Information about the detected devices is stored in the ISE's Endpoint Database
    - Endpoints are uniquely represented by their MAC address

    The main benefit of Profiling is associating endpoints with Identity Groups
    - Allows creating per-device-type policies, e.g. for IP Phones authenticated with MAB
    - Allows creating policies for differentiated access: BYOD (Bring Your Own Device)

    Profiling is an on-going process

  • ISE Profiling

    Profiling Process Overview
    1. Traffic is received by an activated Probe
    2. ISE tries to associate the collected attributes with the appropriate endpoint:
       - If a MAC address was present, the endpoint is updated or added to the DB (new device)
       - If no MAC address was present (only an IP), there must already be a device in the DB with the corresponding IP address, or the collected attributes are lost
    3. If a new endpoint was added to the DB (or an existing one updated with the collected information), the attributes are validated against the Profiling Policy Rules
       - As a result the device is associated with a Profile (or the Profile may change for an existing device)
       - The Identity Group is selected for the device (or possibly updated)
       - Profiling/Re-Profiling does NOT take place for endpoints assigned to a Policy statically

  • ISE Profiling

    Profiling Policies (Profiles)
    - Each Profiling Policy (Profile) consists of a set of Rules (if condition then action)
    - The three available actions are:
      1. Increase Certainty Factor (CF) value
      2. Take Network Scan (scan the endpoint via NMAP)
      3. Take Exception Action (assign the endpoint to a Profile statically + optionally trigger CoA)
    - Initially all endpoint attributes are only compared against all CF-action Rules in all Profiles
    - Since CF is cumulative, its value may be increased by multiple matching Rules
    - This results in selecting a single Profile for the endpoint (the highest-CF Profile wins as long as the calculated CF >= the Profile's Minimum CF value)
    - The selected Profile determines the Identity Group for the endpoint; the Profile's Rules for the two remaining actions are considered only now (if any)
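    The CF selection logic above, as an added example (not code from the slides or ISE's policy library): cumulative CF per profile, the Minimum CF threshold, and highest-CF-wins. The profiles, rules, OUI and endpoint attribute sets are constructed for illustration.

```python
# Added example (not from the slides): a minimal model of Certainty Factor (CF)
# evaluation. Profiles, rules, the OUI and the sample endpoints are constructed
# and do not reproduce ISE's built-in profiling policies.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, str]


@dataclass
class Rule:
    condition: Callable[[Attrs], bool]
    cf: int                      # "Increase Certainty Factor" action


@dataclass
class Profile:
    name: str
    min_cf: int                  # the Profile's Minimum Certainty Factor
    identity_group: str
    rules: List[Rule] = field(default_factory=list)


def certainty_factor(profile: Profile, attrs: Attrs) -> int:
    """CF is cumulative: every matching CF rule in the profile adds its value."""
    return sum(r.cf for r in profile.rules if r.condition(attrs))


def select_profile(profiles: List[Profile], attrs: Attrs) -> Optional[Profile]:
    """Highest-CF profile wins, but only if its CF reaches the profile's minimum CF."""
    scored = [(certainty_factor(p, attrs), p) for p in profiles]
    eligible = [(cf, p) for cf, p in scored if cf >= p.min_cf]
    if not eligible:
        return None                       # endpoint stays Unknown
    return max(eligible, key=lambda t: t[0])[1]


def assign_identity_group(profiles: List[Profile], attrs: Attrs) -> str:
    p = select_profile(profiles, attrs)
    return p.identity_group if p else "Unknown"


def oui_is(prefix: str) -> Callable[[Attrs], bool]:
    return lambda a: a.get("MACAddress", "").upper().startswith(prefix.upper())


def attr_contains(name: str, needle: str) -> Callable[[Attrs], bool]:
    return lambda a: needle.lower() in a.get(name, "").lower()


# Constructed profiles: a hypothetical phone profile and a generic workstation profile.
PROFILES = [
    Profile("Hypothetical-IP-Phone", min_cf=30, identity_group="IP-Phones", rules=[
        Rule(oui_is("00:11:22"), cf=10),                              # hypothetical OUI
        Rule(attr_contains("cdpCachePlatform", "ip phone"), cf=20),
        Rule(attr_contains("dhcp-class-identifier", "phone"), cf=20),
    ]),
    Profile("Hypothetical-Workstation", min_cf=20, identity_group="Workstations", rules=[
        Rule(attr_contains("User-Agent", "windows"), cf=10),
        Rule(attr_contains("dhcp-class-identifier", "msft"), cf=10),
    ]),
]

# Constructed endpoint attribute sets, as RADIUS/Device Sensor and HTTP probes might deliver them.
PHONE = {"MACAddress": "00:11:22:AA:BB:CC", "cdpCachePlatform": "Cisco IP Phone 7965"}
PC = {"MACAddress": "AA:BB:CC:00:11:22", "dhcp-class-identifier": "MSFT 5.0",
      "User-Agent": "Mozilla/5.0 (Windows NT 6.1)"}
OUI_ONLY = {"MACAddress": "00:11:22:DD:EE:FF"}   # OUI alone (CF 10) is below the phone's min CF

if __name__ == "__main__":
    for name, ep in (("phone", PHONE), ("pc", PC), ("oui-only", OUI_ONLY)):
        print(name, "->", assign_identity_group(PROFILES, ep))
```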

  • ISE Profiling

    Change of Authorization (CoA)
    - During a Profile transition it is possible for the endpoint to get reassigned to a new Identity Group
    - This means the device should now be re-authenticated and re-authorized
    - CoA (RFC 3576) is an unsolicited RADIUS message sent to the NAD to enforce a new policy
    - This process is triggered automatically (if enabled globally) under one of the conditions below:
      1. The endpoint is added to/removed from an identity group that is used by an authorization policy
      2. The endpoint is profiled for the first time
      3. The endpoint is deleted from the ISE database
    - CoA can also be triggered by user-defined Exception Actions
      - But these are typically used to *prevent* CoA after the transition to a statically assigned Policy
      - Static Policy assignment effectively disables Profiling of the endpoint

  • ISE Profiling

    Profiling Probes
    - A Probe (method) is an ISE component used to collect endpoint attributes
    - Different Probes collect different attributes (some overlap)
    - Almost all Probes are passive; the only active Probe is NMAP
    - Some Probes are only useful if an IP-MAC binding already exists (learned via another Probe)

    Probe Types

    RADIUS Probe
    - Key Profiling Attributes: MAC address, if available (OUI -> vendor), IP address
    - Provides IP to MAC bindings (Framed-IP, Calling-Station-ID)
    - RADIUS Probe functionality can be extended by enabling the Device Sensor feature

  • ISE Profiling

    Device Sensor
    - Enables the NAD (switch or WLC) to collect information through CDP, LLDP and DHCP
    - These attributes are then sent to ISE in a RADIUS Accounting packet

    Switch Configuration
    - RADIUS Accounting & VSA (aaa accounting dot1x + radius-server vsa send accounting)
    - CDP, LLDP (lldp run, lldp receive), DHCP Snooping
    - Activation: device-sensor accounting + device-sensor notify all-changes

    WLC Configuration
    - RADIUS Accounting: WLAN->WLAN_ID->Security->AAA Servers
    - Activation: WLAN->WLAN_ID->Advanced; check Device Profiling
    - Both DHCP Proxy and Bridged modes are supported

  • ISE Profiling

    SNMP Trap Probe
    - Typically used to trigger the SNMP Query Probe
    - The MAC address can be collected if MAC Notifications are enabled for the port
    - Traps from WLCs & APs are currently not supported

    SNMP Query Probe (GET)
    - Periodic, or triggered on reception of an SNMP Trap/RADIUS Accounting message
    - Key Profiling Attributes: CDP/LLDP & ARP Table
    - Provides IP to MAC bindings (ARP Cache)

    NetFlow Probe
    - Used to identify endpoints based on the traffic they generate
    - The IP to MAC binding must already be known to ISE

  • ISE Profiling

    DHCP & DHCP SPAN Probes
    - Use the SPAN Probe if there is no Relay configured (e.g. the DHCP Server is local to the VLAN)
    - Key Profiling Attributes: DHCP packet information
    - Provides IP to MAC bindings (client-ID MAC, assigned IP address)

    HTTP Probe
    - Use the SPAN Probe if URL Redirection or Client Provisioning is not available
    - Key Profiling Attributes: User-Agent (HTTP Request)
    - HTTP traffic does not include the MAC address; an IP-MAC binding must already exist in ISE

    DNS Probe
    - Used to acquire the FQDN based on a reverse DNS lookup
    - The IP address of the endpoint must already be known to ISE

  • ISE Profiling

    NMAP Probe
    - Active mechanism that communicates directly with the endpoint
    - The three available scan types are: OS, SNMP & Common Ports
    - Scans can be started manually or dynamically by a Policy Rule's Take Network Scan action
    - The IP address of the endpoint must already be known to ISE

  • ISE Profiling

    Profiling Configuration
    - For distributed deployments make sure the Profiling Service is enabled under System->Deployment
    - Every needed Probe must be activated under System->Deployment->Profiling Configuration
      - The only exception is a manual NMAP scan
    - All Probes except DHCP & NMAP require the NAD to be added to Network Devices
      - Don't forget to configure the NADs themselves
    - The remaining configuration (if any) depends on the type of Probe we want to use
    - The last step is to validate/tune existing or add new Profiling Policy Rules

    RADIUS
    - If you want to use Device Sensor, enable it

  • ISE Profiling

    SNMP Trap
    - Configure the NAD to send SNMP Traps (snmp-server host; snmp-server enable traps)
    - On ISE configure the NAD to accept SNMP Traps (Network Device -> SNMP Settings)

    SNMP Query
    - Configure the NAD to accept polls (snmp-server community), or accordingly for version 3
    - For the WLC this is under Management -> SNMP
    - On ISE configure the NAD with authentication credentials (Network Device -> SNMP Settings)

    NetFlow
    - Configure the NAD for NetFlow and then export the collected data to ISE (e.g. flow exporter)

  • ISE Profiling

    DHCP & DHCP SPAN
    - For DHCP configure a Relay for the real DHCP Server and for ISE (ip helper-address twice)
    - On the WLC disable DHCP Proxy (Controller -> Advanced -> DHCP)
    - For DHCP SPAN configure a SPAN/RSPAN session with ISE as the final destination

    HTTP URL Redirection & HTTP SPAN
    - For HTTP Redirect configure ISE & the NAD for the particular service (e.g. CWA, Client Provisioning)
    - For HTTP SPAN configure a SPAN/RSPAN session with ISE as the final destination

    DNS
    - Make sure ISE has a DNS server defined and that it supports Reverse IP Lookups

  • 802.1x

    802.1x: Port-Based (L2) authentication mechanism
    - Before the connecting client successfully authenticates, only EAPOL, CDP & STP packets are allowed across the port
    - EAP frames are used to transport authentication information

    Dot1x components:
    1. Supplicant (installed on the client device)
    2. Authenticator (policy enforcement point; typically a switch or an access point)
    3. RADIUS Authentication Server (source of authentication information, e.g. ACS or ISE)

  • 802.1x

    The Process
    - Authentication can be initiated by either the supplicant or the authenticator
      - The Authenticator sends EAP Request Identity frames periodically and when the link goes up
      - The Supplicant can speed up the process by sending an EAPOL Start packet asking for an EAP Request Identity
    - Once the Authenticator receives the EAP Response Identity, it encapsulates the content of the EAP frame into RADIUS using two EAP-specific Attributes
    - First the EAP Authentication method is negotiated. Then the credentials are validated:
      1. Auth OK -> return Access-Accept with the policy (e.g. dACL, VLAN)
      2. Auth Fail -> return Access-Reject (EAP Failure). The result depends on the switch config:
         - Try the next authentication method or assign the user to the Auth-Fail VLAN
         - Deny access; then, after the quiet-period, authenticate again

  • 802.1x

    Port Settings & Modes
    There are three configurable port settings for 802.1x (authentication port-control):
    1. force-authorized (default): disables 802.1x on the interface
    2. force-unauthorized: the port is statically put into the 802.1x-unauthorized state
    3. auto: activates real 802.1x on the port

    802.1x Port Modes (authentication host-mode):
    1. single-host: allows only a single client behind the port
    2. multiple-host: allows multiple clients behind the port; only one needs to authenticate to open access. Not recommended
    3. multi-domain: allows only two endpoints: one in the Data & one in the Voice VLAN
    4. multi-auth: allows one Voice device and multiple clients in the Data VLAN. Each device is authenticated separately

  • 802.1x

    Port Violations & MAC Move
    A Port Security feature is built into 802.1x (authentication violation):
    1. shutdown (default): put the interface into the err-disabled state
    2. restrict: generate a Syslog & drop the frames from the new MAC
    3. protect: drop the frames from the new MAC
    4. replace: known as MAC Replace. Removes the currently authenticated MAC and triggers authentication for the new one
    Note that violations can only be triggered in two port modes: single-host or multi-domain

    MAC Move (authentication mac-move permit, globally)
    - When enabled, re-connecting an already authenticated device to another port triggers re-authentication instead of a Violation

  • 802.1x

    MAC Authentication Bypass (MAB): an alternative method of authenticating clients connecting to an 802.1x-enabled port/WLAN
    - MAB (by default) is only triggered when 802.1x times out (no supplicant on the client)
    - FlexAuth can be used to trigger MAB after an 802.1x authentication failure (switches only)
    - Authentication is based on the device's MAC address (username=password=MAC)
    - Always make sure the AAA server uses a separate database for MAB (typically the Endpoint DB)

    MAB authentication requests can be uniquely identified by RADIUS attributes:
    1. Wired: Service-Type set to 10 (Call-Check) and NAS-Port-Type to 15 (Ethernet)
    2. Wireless: Service-Type set to 10 (Call-Check) and NAS-Port-Type to 19 (Wireless)

    Lowering the Tx-Period timeout is considered a best practice (dot1x timeout tx-period 10)
    The 802.1x timeout is (max-reauth-req+1)*tx-period, 90 seconds by default
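    The MAB attribute signature and the timeout formula above, as an added example (not code from the slides): classify constructed RADIUS Access-Request attribute sets as wired MAB, wireless MAB or 802.1x, flag MAB requests whose User-Name does not match the calling MAC, and compute how long a supplicant-less host waits before MAB starts for the default and the tuned tx-period. Attribute names follow RFC 2865; the sample requests are constructed.

```python
# Added example (not from the slides): classify RADIUS Access-Requests using the
# Service-Type / NAS-Port-Type values from the slides, sanity-check MAB requests,
# and compute the 802.1x-to-MAB fallback delay. Sample requests are constructed.
import re
from typing import Dict, List

SERVICE_TYPE_CALL_CHECK = 10
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS = 19


def normalize_mac(value: str) -> str:
    """Accept 00-11-22-aa-bb-cc, 00:11:22:AA:BB:CC or 0011.22aa.bbcc; return lowercase hex."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return hexdigits.lower()


def classify_request(attrs: Dict[str, object]) -> str:
    """Return 'mab-wired', 'mab-wireless', 'dot1x' or 'other' for one request."""
    if attrs.get("Service-Type") == SERVICE_TYPE_CALL_CHECK:
        port_type = attrs.get("NAS-Port-Type")
        if port_type == NAS_PORT_TYPE_ETHERNET:
            return "mab-wired"
        if port_type == NAS_PORT_TYPE_WIRELESS:
            return "mab-wireless"
        return "mab-unknown-port-type"
    if "EAP-Message" in attrs:
        return "dot1x"
    return "other"


def mab_anomalies(attrs: Dict[str, object]) -> List[str]:
    """For a MAB request, list the reasons it does not look like username=password=MAC."""
    problems = []
    user = calling = None
    try:
        user = normalize_mac(str(attrs.get("User-Name", "")))
    except ValueError:
        problems.append("User-Name is not a MAC address")
    try:
        calling = normalize_mac(str(attrs.get("Calling-Station-Id", "")))
    except ValueError:
        problems.append("Calling-Station-Id is not a MAC address")
    if user and calling and user != calling:
        problems.append("User-Name does not match Calling-Station-Id")
    return problems


def dot1x_timeout(tx_period: int = 30, max_reauth_req: int = 2) -> int:
    """Seconds before the switch gives up on 802.1x and falls back to MAB."""
    return (max_reauth_req + 1) * tx_period


# Constructed sample requests (MAC addresses are made up)
WIRED_MAB = {"User-Name": "0011.22aa.bbcc", "Calling-Station-Id": "00-11-22-AA-BB-CC",
             "Service-Type": 10, "NAS-Port-Type": 15}
WIRELESS_MAB = {"User-Name": "001122aabbcc", "Calling-Station-Id": "00:11:22:aa:bb:cc",
                "Service-Type": 10, "NAS-Port-Type": 19}
DOT1X = {"User-Name": "jdoe", "Calling-Station-Id": "00-11-22-AA-BB-CC",
         "Service-Type": 2, "NAS-Port-Type": 15,
         "EAP-Message": b"\x02\x01\x00\x09\x01jdoe"}   # EAP Response/Identity "jdoe"
ODD_MAB = {"User-Name": "jdoe", "Calling-Station-Id": "00-11-22-AA-BB-CC",
           "Service-Type": 10, "NAS-Port-Type": 15}

if __name__ == "__main__":
    for name, req in (("wired", WIRED_MAB), ("wireless", WIRELESS_MAB),
                      ("dot1x", DOT1X), ("odd", ODD_MAB)):
        kind = classify_request(req)
        print(name, kind, mab_anomalies(req) if kind.startswith("mab") else "")
    print("default wait:", dot1x_timeout(), "s; tuned:", dot1x_timeout(tx_period=10), "s")
```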

  • 802.1x

    Flexible Authentication (FlexAuth): alleviates the problems related to the default behavior of 802.1x & the Auth-Fail VLAN
    1. Allows specifying the order of the authentication methods to be used: authentication order [dot1x|mab] [webauth]*
    2. If authentication using one method fails, the next method can be used: authentication event fail action next-method
    3. A stronger method can be assigned a higher priority so that it preempts once it becomes available: authentication priority

    Not available on the WLC: in wireless 802.1x, if you fail authentication you will not be given access to the WLAN

  • 802.1x

    Guest, Auth-Fail & Critical VLANs (switches)

    Guest VLAN can be assigned to clients that don't have a supplicant installed (for limited access)
    - Compatible with MAB: if MAB fails, the Guest VLAN is assigned if one is configured
    - Not supported on multi-auth ports
    - Configure with authentication event no-response action authorize vlan

    Auth-Fail (Restricted) VLAN can be assigned to clients who failed 802.1x authentication
    - Not compatible with MAB or WebAuth
      - If an Auth-Fail VLAN is configured, any fallback method will NOT be used
    - Only supported on single-host ports
    - Configure with authentication event fail action authorize vlan

    Critical VLAN can be assigned to clients if the AAA Server is unavailable
    - Configure with authentication event server dead action authorize vlan

  • 802.1x - Monitor Mode

    Monitor Mode (wired networks only): the goal of this Mode is to enable 802.1x authentication without affecting users and devices
    - Provides full visibility of the devices connecting to the network (MAB must be enabled)
    - Allows addressing any authentication issues prior to moving to the next deployment Phase
    - Web Authentication is not used in this Phase
    - Wireless clients are not supported (unless none of them has a supplicant and they all use MAB)

    The Monitor Mode deployment process consists of multiple components/features:
    1. Profiling
    2. RADIUS Accounting (802.1x)
    3. Multi-Auth port mode
    4. Open Authentication (authentication open)
       - Open Authentication ensures everyone gets connected

  • 802.1x - Monitor Mode

    Monitor Mode Configuration (Switch)
    Enable the AAA framework; configure authentication, authorization & accounting with default lists:

    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius

    Configure the RADIUS Server, enable CoA & VSAs:

    radius-server host 10.1.1.150 key ipexpert
    aaa server radius dynamic-author
     client 10.1.1.150 server-key ipexpert
    radius-server vsa send authentication
    radius-server vsa send accounting

  • 802.1x - Monitor Mode

    Monitor Mode Configuration (Switch)
    Enable sending attributes useful for 802.1x & Posture assessment:

    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include

    Ensure RADIUS & SNMP Traps are sent from the correct interface:

    ip radius source-interface <interface>
    snmp-server trap-source <interface>

    Create a Permit-All access-list & turn Device Tracking on:

    access-list 199 permit ip any any
    ip device tracking [probe use-svi]

  • 802.1x - Monitor Mode

    Monitor Mode Configuration (Switch)
    Enable the 802.1x framework (globally) & configure 802.1x at the port level:

    dot1x system-auth-control
    int f0/1
     switchport host
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication event fail action next-method
     authentication open
     authentication host-mode multi-auth
     ip access-group 199 in
     mab
     authentication port-control auto
     dot1x pae authenticator
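    A consistency check for the switch configuration on the three Monitor Mode slides above, as an added example (not code from the slides): it parses a running-config excerpt and reports, per interface, which of the listed commands are missing, so a port that silently enforces (no authentication open) or skips MAB is caught before rollout. The sample config is constructed; the expected command set is the one from the slides.

```python
# Added example (not from the slides): audit a Catalyst running-config excerpt
# against the Monitor Mode command set shown on the slides. The parser is a
# simplified IOS config splitter; the sample config is constructed.
import re
from typing import Dict, List

GLOBAL_REQUIRED = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "dot1x system-auth-control",
    "aaa server radius dynamic-author",
    "ip device tracking",
]

PORT_REQUIRED = [
    "authentication open",               # without it the port enforces instead of monitoring
    "authentication host-mode multi-auth",
    "authentication order dot1x mab",
    "authentication event fail action next-method",
    "authentication port-control auto",
    "mab",
    "dot1x pae authenticator",
]


def parse_config(text: str) -> Dict[str, List[str]]:
    """Split an IOS config into global lines plus one list per 'interface' block."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if re.match(r"^(interface|int)\s+\S+", line):
            current = "interface " + line.split(None, 1)[1]
            sections[current] = []
            continue
        if not line.startswith(" ") and current != "global":
            current = "global"           # back at global configuration level
        sections[current].append(line.strip())
    return sections


def audit_monitor_mode(text: str) -> Dict[str, List[str]]:
    """Return {section: [missing commands]} for every non-compliant section."""
    sections = parse_config(text)
    findings: Dict[str, List[str]] = {}
    missing_global = [c for c in GLOBAL_REQUIRED if c not in sections["global"]]
    if missing_global:
        findings["global"] = missing_global
    for name, lines in sections.items():
        if not name.startswith("interface"):
            continue
        if "authentication port-control auto" not in lines and "mab" not in lines:
            continue                     # 802.1x not enabled here; out of scope
        missing = [c for c in PORT_REQUIRED if c not in lines]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: f0/1 matches the slides; f0/2 lacks "authentication open"
# and MAB, so it would enforce 802.1x and lock out supplicant-less devices.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 10.1.1.150 server-key ipexpert
ip device tracking
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication open
 authentication host-mode multi-auth
 ip access-group 199 in
 mab
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport host
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/1
 description uplink
"""

if __name__ == "__main__":
    for section, missing in audit_monitor_mode(SAMPLE_CONFIG).items():
        print(f"{section}: missing {missing}")
```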

  • 802.1x - Monitor Mode

    Monitor Mode Configuration (ISE)
    - Configure AD for 802.1x user authentication (if needed)
      - Enable all AD Groups you will be using when configuring the Authorization Policy
    - Configure the AuthC Policy to use AD for 802.1x
    - Configure the AuthC Policy to use the Endpoint DB for MAB (if the user is not found -> Continue)
    - Configure the Default Authentication Rule to use the Internal DB / AD (or create a sequence for all databases)
    - Make sure Phones get assigned to the correct (Voice) VLAN -> Voice Permission = True
    - Create rules for other devices (APs, printers) and specific rules for users (RBAC)
    - Make sure the Default Authorization Rule denies all access (no dACLs or VLANs!!!)

  • 802.1x - Low Impact Mode

    Low Impact Mode (wired networks only)
    - At this stage all devices should be authenticating via 802.1x or MAB
    - Pre-Authentication access is limited; extended access is given only to authenticated users
    - Users/devices that failed authentication retain Pre-Authentication access
    - Successful authentication should result in policy enforcement; Downloadable ACLs and/or VLAN assignment are commonly used
    - The Pre-Authentication ACL should typically allow the following traffic:
      - DHCP & DNS
      - ICMP
      - Microsoft ports if Machine Authentication is used (Kerberos, LDAP, RPC etc.)

  • 802.1x - Low Impact Mode

    Low Impact Mode Configuration (Switch)
    Ensure the CoA and Device Tracking features are enabled:

    aaa server radius dynamic-author
     client 10.1.1.150 server-key ipexpert
    ip device tracking

    Tune the Host-Mode setting:

    authentication host-mode [single-host|multi-domain]

    Create VLANs (if you plan to use them to enforce policy):

    vlan <id>

    All other settings as in Monitor Mode (Open Authentication is still enabled)

  • 802.1x - Low Impact Mode

    Low Impact Mode Configuration (ISE)
    - Profiling should already be enabled
    - The Authentication Policy Default Rule can be set to Deny (we only want MAB or 802.1x)
    - Define dACLs
    - The appropriate RBAC/Device Authorization Profiles should now be tuned: specify dACLs and/or VLANs (number or name). Also create a profile for CWA
    - Authorization Rules should be created/tuned as needed. The Default AuthZ Rule should point to Central Web Authentication

  • 802.1x - Closed Mode

    Closed Mode (wired & wireless networks)
    - No traffic (except for EAPOL/STP/CDP) flows through the port prior to successful authentication
    - The perfect mode for VLAN assignment; VLAN assignment or dACLs enforce the policy
    - Make sure all assignable VLANs are defined on every switch
      - On the WLC, interfaces must be defined that correspond to the required VLANs
      - If a non-existing VLAN is attempted to be assigned, authorization fails
    - Avoid using multi-auth mode: only the first assigned DATA VLAN is used
    - An Auth-Fail (Restricted) VLAN can be configured to be assigned to users who failed 802.1x

  • 8 0 2 . 1 x C l o s e d M o d e

    Closed Mode Downloadable ACLs

    Downloaded ACL overrides the Pre-Authentication ACL for the user/device
    For wired connections (switch), dACLs are defined locally on ISE
    For wireless (WLC), they are defined locally on the WLC; ISE pushes only the ACL name

    For any type of ACL on the WLC remember about the Direction: Inbound/Outbound/Any
      Implicit deny at the end is for Any
      If you only permit X -> Y Inbound, traffic Y -> X will get dropped
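    A wired dACL as it would be entered on ISE, added here as an example (it is not from the slides). The body uses plain IOS ACE syntax without an `ip access-list` header; the server subnets 10.1.20.0/24 and 10.1.0.0/16 are assumed values.

```cisco
! Added example of a dACL body typed into ISE for a wired (switch) session.
! Assumed: 10.1.20.0/24 is a web-server VLAN, 10.1.0.0/16 the rest of the
! internal network. There is no direction keyword: the switch always applies
! a dACL inbound on the port, and it rewrites the source "any" to the IP of
! the authenticated endpoint (learned by IP Device Tracking).
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any 10.1.20.0 0.0.0.255 eq 443
deny   ip any 10.1.0.0 0.0.255.255
permit ip any any
```

    Once downloaded, the switch lists the ACL under `show ip access-lists` with an auto-generated name of the form `xACSACLx-IP-<dACL name>-<hash>`; the hash changes whenever the dACL is edited on ISE, so an endpoint keeps the old copy until it reauthenticates or receives a CoA. On the WLC the equivalent ACL is created locally and ISE only returns its name, so the inbound/outbound caveat above applies there, not to switch dACLs.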

  • 802.1x Closed Mode

    Closed Mode Configuration (Switch)

    Configure the starting VLAN; it should provide DHCP service (needed for CWA):

    switchport access vlan nr

    Remove Pre-Authentication ACL and disable Open Authentication:

    no ip access-group PRE_AUTH_ACL in
    no authentication open

    Tune the Tx-Timer to speed up MAB; otherwise the DHCP client timeout may expire:

    dot1x timeout tx-period 10

    Create appropriate VLANs. Assign names if needed:

    vlan 500
     name SALES_VLAN
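    The switch-side steps above combined into one complete Closed Mode port configuration, including the Auth-Fail (Restricted) VLAN mentioned on the previous slide. Added example, not from the slides: VLAN 500 / SALES_VLAN is taken from the slide, while VLAN 10 (starting VLAN), VLAN 999 (restricted VLAN) and port Gi1/0/10 are assumed.

```cisco
! Added example (not from the slide deck). Assumed: VLAN 10 is the starting
! VLAN with a DHCP scope, VLAN 999 is the restricted VLAN, Gi1/0/10 is the
! access port; VLAN 500 SALES_VLAN comes from the slide.
!
! Every VLAN ISE may return must exist here: a VLAN the switch does not know
! makes the authorization fail and the port stays closed.
vlan 10
 name STARTING_VLAN
vlan 500
 name SALES_VLAN
vlan 999
 name RESTRICTED_VLAN
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ! Closed mode: no pre-auth ACL and no open authentication; only
 ! EAPOL/STP/CDP pass until the session is authorized
 no ip access-group PRE_AUTH_ACL in
 no authentication open
 ! multi-domain, not multi-auth: only the first DATA VLAN assignment
 ! would be honoured in multi-auth
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! clients that fail 802.1x land in the restricted VLAN instead of nowhere
 authentication event fail action authorize vlan 999
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! 3 x 10 s of EAP-Request/Identity before falling back to MAB, so the
 ! client's DHCP attempt does not time out first
 dot1x timeout tx-period 10
 spanning-tree portfast
```

    After ISE returns a VLAN (by number or name), `show authentication sessions interface GigabitEthernet1/0/10` shows the assigned VLAN in place of VLAN 10, and `show vlan brief` confirms the port moved.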

  • 802.1x Closed Mode

    Closed Mode Configuration (WLC)

    RADIUS Servers should be defined for Authentication & Accounting
    Make sure CoA support (RFC 3576) is enabled
    Internal Network (Employee) WLAN should use 802.1x
    Guest WLAN should use L2 authentication of None, but MAC Filtering should be enabled
    Both WLANs should be configured with RADIUS servers and the following:
      Allow AAA Override checked
      RADIUS State set to RADIUS NAC
      DHCP Profiling checked

    All required ACLs should be configured under Security -> Access Control Lists

  • 802.1x Closed Mode

    Closed Mode Configuration (WLC cont.)

    Create interfaces; there must be one for each dynamic VLAN you may assign
    If you are assigning VLANs by name, the name of the interface must match

    Closed Mode Configuration (ISE)

    Add wireless MAB & 802.1x to the AuthC rules. Default AuthC rule should be set to Deny
    Modify the Authorization Profiles: add/modify dACLs/VLANs
    Default AuthZ rule should be configured for CWA

    Enable VLAN DHCP Release under the Guest Portal used (Multi-Portal section); only works for Microsoft clients
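    The WLC settings from the two slides above expressed on the AireOS CLI instead of the GUI, together with a WLC ACL that shows the direction caveat from the Downloadable ACLs slide. This is an added example, not from the slides or from Cisco documentation; ISE 10.1.1.150 / key ipexpert and VLAN 500 SALES_VLAN come from the slides, while WLAN IDs 1 and 2, the SSID names, the interface addresses, the ACL name and the ISE portal port 8443 (the ISE default) are assumptions. Lines starting with `!` are explanatory comments, not WLC commands.

```cisco
! Added AireOS example (not from the slide deck). Assumed: WLAN 1 = EMPLOYEE,
! WLAN 2 = GUEST, dynamic interface SALES_VLAN on VLAN 500, ISE guest portal
! on TCP 8443 (ISE default).
!
! RADIUS for authentication and accounting, with CoA (RFC 3576) enabled
config radius auth add 1 10.1.1.150 1812 ascii ipexpert
config radius auth rfc3576 enable 1
config radius acct add 1 10.1.1.150 1813 ascii ipexpert
!
! One dynamic interface per assignable VLAN; when ISE returns a VLAN by name,
! this interface name is what it must match
config interface create SALES_VLAN 500
config interface address SALES_VLAN 10.1.50.5 255.255.255.0 10.1.50.1
!
! Employee WLAN: 802.1x, AAA override, RADIUS NAC, DHCP profiling
config wlan create 1 EMPLOYEE EMPLOYEE
config wlan radius_server auth add 1 1
config wlan radius_server acct add 1 1
config wlan aaa-override enable 1
config wlan nac radius enable 1
config wlan profiling radius dhcp enable 1
!
! Guest WLAN: L2 security None + MAC filtering (MAB against ISE), same AAA knobs
config wlan create 2 GUEST GUEST
config wlan security wpa disable 2
config wlan mac-filtering enable 2
config wlan radius_server auth add 2 1
config wlan radius_server acct add 2 1
config wlan aaa-override enable 2
config wlan nac radius enable 2
config wlan profiling radius dhcp enable 2
!
! Pre-auth ACL referenced by name from ISE (Security -> Access Control Lists).
! Direction "any" covers both the request and the reply; an "in"-only permit
! for DNS would let the query out and drop the answer coming back.
config acl create PRE_AUTH_ACL
config acl rule add PRE_AUTH_ACL 1
config acl rule protocol PRE_AUTH_ACL 1 17
config acl rule destination port range PRE_AUTH_ACL 1 53 53
config acl rule direction PRE_AUTH_ACL 1 any
config acl rule action PRE_AUTH_ACL 1 permit
config acl rule add PRE_AUTH_ACL 2
config acl rule protocol PRE_AUTH_ACL 2 6
config acl rule destination address PRE_AUTH_ACL 2 10.1.1.150 255.255.255.255
config acl rule destination port range PRE_AUTH_ACL 2 8443 8443
config acl rule direction PRE_AUTH_ACL 2 any
config acl rule action PRE_AUTH_ACL 2 permit
config acl apply PRE_AUTH_ACL
!
config wlan enable 1
config wlan enable 2
```

    `show acl detailed PRE_AUTH_ACL` lists each rule with its direction, and `show client detail <mac>` shows which ACL and interface a client ended up with after the RADIUS reply.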

  • MACsec

    MAC Security (MACsec) IEEE 802.1AE

    L2 encryption protocol (AES-GCM-128)
    Offers a significant advantage over higher-layer encryption protocols: accurate QoS

    MACsec types:

    1. Host-to-Switch (aka downlink) uses MAC Security Key Agreement (MKA)
    2. Switch-to-Switch (aka uplink) uses Security Association Protocol (SAP)

  • MACsec

    Host-to-switch

    If configured, follows regular 802.1x authentication
    Uses four encryption settings (switch & client):
      must-secure, should-secure
      must-not-secure, not-MACsec-capable

    Configuration (in addition to 802.1x):

    interface <interface>
     mka [policy_name | default-policy]
     authentication linksec policy [options]
     macsec

  • MACsec

    Switch-to-switch

    Manual Mode (no 802.1x)
    Dynamic Mode (requires 802.1x and domain of trust / NDAC)

    Configuration (Manual Mode):

    interface <interface>
     cts manual
      sap pmk <key> mode-list [gcm-encrypt] [gmac] [null] [no-encap]
      no propagate sgt
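    Both MACsec types from the slides above filled in as a working IOS configuration, added here as an example (not from the slides or from Cisco). The interface names Gi1/0/10 (host-facing, already running 802.1x) and Te1/0/1 (uplink to another TrustSec-capable switch), the should-secure choice and the PMK value are assumptions; the PMK is a placeholder hex string that must be identical on both ends of the uplink.

```cisco
! Added example (not from the slide deck). Assumed: Gi1/0/10 is an 802.1x
! access port, Te1/0/1 the uplink; the 32-hex-digit PMK is a placeholder
! and must be configured identically on the peer switch.
!
! --- Host-to-switch (downlink): MKA keys the link after 802.1x succeeds ---
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ! built-in MKA policy (key server priority, replay window defaults)
 mka default-policy
 ! should-secure: encrypt when the supplicant supports MACsec, otherwise
 ! still authorize the port in the clear. must-secure would refuse a
 ! non-MACsec-capable host; must-not-secure never encrypts.
 authentication linksec policy should-secure
 macsec
!
! --- Switch-to-switch (uplink), manual mode: SAP with a pre-shared PMK ---
interface TenGigabitEthernet1/0/1
 cts manual
  ! mode-list is in order of preference: full encryption first, then
  ! integrity-only (gmac), then cleartext with SAP framing (no-encap)
  sap pmk 0123456789ABCDEF0123456789ABCDEF mode-list gcm-encrypt gmac no-encap
  ! as on the slide: do not add the SGT (CMD) header on this link
  no propagate sgt
```

    `show mka sessions` and `show macsec interface GigabitEthernet1/0/10` show whether the downlink actually negotiated encryption (a should-secure port that reports no MKA session is running in the clear), and `show cts interface TenGigabitEthernet1/0/1` shows the SAP state and the negotiated mode on the uplink.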

  • Posture Assessment

    Posture Assessment

    Process of checking system settings and applications:
      OS patches
      Anti-virus/malware software (including file definitions)
      Personal firewall
      and more

    What's needed on ISE?

    1. Client Provisioning setup
    2. Posture setup
    3. Authorization Policy update

  • BYOD

    Bring Your Own Device (BYOD)

    Secure BYOD connectivity can be provided with TrustSec
    This applies to wired & wireless networks; wireless BYOD can be deployed with Single or Dual SSID

    Two approaches to BYOD:

    1. Simple self-serve device registration (My Devices portal)
    2. Full On-Boarding (browser-enabled endpoints)

    Self-Provisioning Flow: Native Supplicant Profile (NSP), Client Provisioning Resources, Client Provisioning Policy, AuthZ Policy

  • Security Group Access (SGA)

    Security Group Based Access Control

    Designed to reduce administrative cost and scalability problems related to ACLs (dACLs)
    Even with dACLs you can still run out of TCAM

    SGA builds upon three components:

    1. Security Group Tag (SGT): attribute (16-bit value) returned by ISE upon successful login; applied on ingress
    2. Security eXchange Protocol (SXP): used by non-native-tagging switches; TCP-based protocol used to propagate SGT-IP bindings to upstream peers
    3. Security Group ACL (SGACL): matrix-like ACL downloaded from ISE to enforce policy on egress

  • Security Group Access (SGA)

    SGT assignment methods:

    1. Dynamically, as a result of ISE Authorization
    2. Configured manually on a switchport:

    cts manual
     policy static sgt <tag_value>

    3. SGT-IP bindings are configured manually on ISE; you then need to download this information to your NADs
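    The three SGA components from the two slides above tied together in one IOS example: a static SGT on a port and a static IP-SGT binding on an access switch that cannot tag natively, SXP carrying those bindings to the distribution switch, and SGACL enforcement on egress there. Added example, not from the slides or from Cisco; the switch addresses 10.1.1.2 (access) and 10.1.1.1 (distribution), SGT value 20, VLAN 20, host 10.1.20.5, port Gi1/0/20 and the SXP password are assumptions, and the SGACL contents themselves are authored on ISE and downloaded, so they do not appear here.

```cisco
! Added example (not from the slide deck). Assumed: access switch 10.1.1.2
! (no native tagging), distribution switch 10.1.1.1, SGT 20 for servers in
! VLAN 20, SXP password is a placeholder.
!
! ===== Access switch (SXP speaker) =====
! Manual SGT on a port for a device that never authenticates
interface GigabitEthernet1/0/20
 switchport mode access
 switchport access vlan 20
 cts manual
  policy static sgt 20
!
! Static IP-to-SGT binding kept locally on the switch
cts role-based sgt-map 10.1.20.5 sgt 20
!
! SXP: push all IP-SGT bindings (dynamic from ISE, static, port-based)
! upstream over TCP to the enforcing switch
cts sxp enable
cts sxp default source-ip 10.1.1.2
cts sxp default password SxpSecret123
cts sxp connection peer 10.1.1.1 password default mode local speaker
!
! ===== Distribution switch (SXP listener, SGACL enforcement on egress) =====
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password SxpSecret123
cts sxp connection peer 10.1.1.2 password default mode local listener
!
! Turn on SGACL enforcement; the source SGT comes from the SXP binding,
! the destination SGT from the local binding or mapping, and the cell of
! the SGACL matrix downloaded from ISE decides whether to forward
cts role-based enforcement
cts role-based enforcement vlan-list 20
```

    On the listener, `show cts sxp connections` should report the peer as On, `show cts role-based sgt-map all` lists the bindings learned via SXP next to the local ones, `show cts role-based permissions` shows the matrix cells downloaded from ISE, and `show cts role-based counters` is the quickest way to confirm that an SGACL is actually matching traffic rather than just being present.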