CCNP Security – SISAS (Cisco ISE) F.Alizadeh Source : INE.com

CCNP Security SISAS - nsedu.irnsedu.ir/images/Cisco/Security/ISE/CCNP-Security-SISAS-Cisco-ISE.pdf · AAA Model • Three-party authentication model • Supplicant / end-client •


Page 1

CCNP Security – SISAS (Cisco ISE)

F.Alizadeh

Source : INE.com

Page 2

Topic

Part I : AAA Concepts

Part II : ISE Concepts

Part III : Layer 2 Authentication – MAB

Part IV : Layer 2 Authentication – EAP

Part V : ISE Identity Sources

Part VI : Layer 3 Authentication – HTTP / HTTPS

Part VII : EndPoint Profiling

Part VIII : Posture Assessment

Part IX : Layer 2 Encryption – MACSec

Part X : Security Group Tags - SGT

Page 3

Part I: AAA Concepts

Page 4

What is AAA?

• AAA stands for

• Authentication

• Authorization

• Accounting

• AAA can be used for multiple purposes

• Network Device administration

• Network Access (wired, wireless, VPN)

• Authentication

• Provide identification of who you are

• Various options: username and password, certificates

Page 5

What is AAA?

• Authorization

• Defines what you are allowed to do

• For network administration:

• privilege-level

• Allowed commands

• For network access:

• VLAN

• Access-list

• Security Group Tag

• Encryption

Page 6

What is AAA?

• Accounting

• Provides evidence of what you have done, like auditing

• For network administration:

• Typed commands for forensics analysis

• For network access:

• Session statistics for billing

• Session identification (MAC address, IP address, username)

• Session state (connected or disconnected)

Page 7

AAA Model

• Three-party authentication model

• Supplicant / end-client

• Device requesting access

• Speaks with the authenticator

• Authenticator

• Device enforcing the authentication, known as the NAD (Network Access Device)

• Bridges information between supplicant and authentication server

• Authentication Server

• Device performing the authentication

• Connected to identity sources: username/password, PKI

• Can behave like a proxy towards another authentication server

Page 8

AAA Protocols

• Between supplicant and authenticator

• For device administration

• console

• Telnet / SSH

• HTTP / HTTPS

• For network access

• EAPOL

• HTTP / HTTPS

• Between authenticator and authentication server

• RADIUS

• TACACS+

Page 9

RADIUS

• IETF standard (RFC2865)

• Has additional RFCs for specific features

• Combines authentication and authorization in one process

• Uses UDP port 1645/1812 for authentication

• Uses UDP port 1646/1813 for accounting

• The original ports 1645/1646 conflicted with the “datametrics” service, hence the move to 1812/1813

• Only the user’s password is hidden, using MD5 together with the shared RADIUS key

• Conveys its functions through RADIUS attributes

• IETF standard defined

• Vendor Specific Attributes (VSAs)

Page 10

TACACS+

• Developed by Cisco

• Mainly used for device administration

• Developed by Cisco from the original TACACS protocol (RFC1492)

• Uses separate processes for authentication, authorization and accounting

• Uses TCP port 49

• Encrypts the entire body of the TACACS+ packet; only the header is left in clear text

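Added example, not part of the slides or INE's material: what “body encrypted, header in clear text” means on the wire for TACACS+, using the MD5 pseudo-pad keystream defined in RFC 8907. The shared key, session id and login data are constructed values.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907): 12 bytes that are always sent in clear text
TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER_DEFAULT = 0xC, 0x0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT, HEADER_LEN = "!BBBBII", 12

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated up to the body length.
    Everything but the key comes from the clear-text header, so the key is the only secret."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(body, pad))

def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes,
                 pkt_type: int = TAC_PLUS_AUTHEN, encrypt: bool = True) -> bytes:
    """Clear header followed by the body XORed with the pseudo-pad; with encrypt=False the
    unencrypted flag is set and the body goes out as-is (a debugging option, not for production)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags, session_id, len(body))
    if encrypt:
        body = xor_body(body, pseudo_pad(session_id, key, version, seq_no, len(body)))
    return header + body

def parse_packet(key: bytes, packet: bytes) -> dict:
    """The header is readable without the key; the body only decodes with the right key."""
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, pseudo_pad(session_id, key, version, seq_no, length))
    return {"version": version, "type": pkt_type, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}

def authen_start_body(user: str, port: str, rem_addr: str, action: int = 1, priv_lvl: int = 1,
                      authen_type: int = 1, service: int = 1) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): action, priv_lvl, authen_type,
    authen_service, four length bytes, then user, port, rem_addr and data."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return struct.pack("!8B", action, priv_lvl, authen_type, service,
                       len(u), len(p), len(r), len(d)) + u + p + r + d

if __name__ == "__main__":
    key = b"constructed-shared-key"                           # constructed, not a real key
    body = authen_start_body("admin", "tty0", "192.0.2.10")   # constructed sample session
    pkt = build_packet(key, session_id=0x11223344, seq_no=1, body=body)
    print("clear-text header:", pkt[:HEADER_LEN].hex())
    print("obfuscated body  :", pkt[HEADER_LEN:].hex())
    print(parse_packet(key, pkt))
```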

Page 11

RADIUS vs. TACACS

Page 12

Cisco’s Authentication Servers

• Access Control System (ACS)

• Supports both TACACS+ and RADIUS

• Mainly used for TACACS+

• Identity Services Engine (ISE – NGN RADIUS)

• Supports RADIUS with Change of Authorization (CoA)

• TACACS+ supported in ISE 2.0

• Mainly used for RADIUS

• Additional features not supported by ACS

• Profiling, posture assessment

• Web portal services

Page 13

Part II: ISE Concepts

Page 14

What is ISE?

• Provides a scalable and unified network access policy platform

• Centralized network access policy for any device, from anywhere, at anytime

• Wired access

• Wireless access

• VPN access

• Implements a flexible policy-based model

• Rule-based approach for authentication and authorization

• Rules are composed of conditions and results

Page 15

ISE Personas

• It supports both physical and virtual environments

• Built of three major roles, named personas

• PSN (Policy Service Node)

• Responsible for network access request processing

• RADIUS, posture, profiling, web redirection, guest portal

• PAN (Policy Administration Node)

• Responsible for all configurations

• Conditions, results, policies, external identity store integration

• MnT (Monitoring and Troubleshooting Node)

• Collects logs from PAN, PSN, NAD

Page 16

ISE Deployment Modes

• All personas residing on the same entity

• Personas are distributed for scalability or design requirements

• Multiple PSNs

• 2 PANs (one active, one standby)

• 2 MnTs (one active, one standby)

Page 17

ISE Architecture

• Everything revolves around two types of policies

• Authentication policies, processed first

• Authorization policies, processed second

• Inbound AAA request flow

• Authentication policy matching

• Single or rule-based policy

• Single model does not allow defining conditions

• Rules are processed top-down until first match

• Action “drop” means play dead: no RADIUS message is sent back to the NAD

• Action “continue” means act as if authentication was successful and go on to inspect the authorization policies

Page 18

ISE Architecture

• Inbound AAA request flow

• Authorization policy matching

• Standard and exception policies

• Exception policies are processed before standard policies

• Rules are processed top-down until first match by default

• Optionally, multiple rules can be matched, with their results combined

• Access-Accept takes precedence over Access-Reject

Page 19

ISE Authentication Policy

• Authentication Policy format

• If condition

• Identify the RADIUS packet based on RADIUS attributes

• Then allowed protocols

• Which authentication protocol can be used by the supplicant

• And validate credentials

• Which identity source can be queried for authentication

Page 20

ISE Authorization Policy

• Authorization Policy format

• If condition

• Identify the RADIUS session or supplicant by profiling

• And, optionally, the identity store that was used

• Store of user credentials

• Then apply authorization profile

• User/device authorization

Page 21

Part III: Layer 2 Authentication – MAB

Page 22

Network Access Authentication

• Layer 2

• Supplicant does not need an IP address

• MAB and 802.1x (EAP methods)

• Layer 3

• Supplicant requires an IP address

• Local Web Authentication (web portal on the NAD)

• Central Web Authentication (web portal on the authentication server)

Page 23

MAB – MAC Authentication Bypass

• MAB (MAC Authentication Bypass) is used to…

• Authenticate non 802.1x capable devices

• Trigger CWA and BYOD enrollment

• Technically it is NOT an authentication method; it just bypasses authentication

• If MAB is enabled on the switch interface

• Switch takes each new MAC address and sends it to RADIUS for authentication

• RADIUS User-Name and User-Password are both set to the MAC address

• RADIUS Calling-Station-ID is set to the MAC address

• RADIUS Service-Type is Call-Check (10) for MAB

Page 24

MAB – MAC Authentication Bypass

• If “Process Host Lookup” is enabled on RADIUS server

• Authentication is done based on the RADIUS Calling-Station-ID attribute value

• If “Process Host Lookup” is disabled on RADIUS server

• Authentication is done based on the RADIUS User-Name and User-Password attribute values
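Added example, not from the slides or INE's material: it builds the MAB Access-Request described on pages 23-24 (User-Name, User-Password and Calling-Station-Id all carrying the MAC, Service-Type Call-Check), hides User-Password with the MD5/shared-key scheme mentioned on page 9 (RFC 2865 section 5.2), and then shows which attribute the server authenticates on depending on the Process Host Lookup setting. The shared key, the MAC address and the MAC format labels are constructed assumptions.

```python
import hashlib
import os
import struct

# RFC 2865 packet code and attribute numbers a MAB Access-Request uses (page 23)
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
CALL_CHECK = 10  # Service-Type value the switch sends for MAB

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(shared secret + previous block), the first "previous block" being the 16-byte
    Request Authenticator. This obfuscates the password; it is not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; the chaining uses the received (hidden) blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def format_mac(mac: str, style: str) -> str:
    """Render a MAC the way the NAD's 'radius-server attribute 31 mac format' setting would;
    the style names are this example's own labels, not the IOS keywords."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if style == "unformatted":
        return digits
    if style == "dashed":
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    if style == "dotted":
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    raise ValueError(f"unknown style: {style!r}")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # type, length, value

def build_mab_access_request(mac: str, secret: bytes, identifier: int, authenticator: bytes = b"") -> bytes:
    """The Access-Request a switch sends for a new MAC on a MAB-enabled port: User-Name and
    User-Password both carry the MAC, Calling-Station-Id carries it too, Service-Type is Call-Check."""
    authenticator = authenticator or os.urandom(16)
    user = format_mac(mac, "unformatted").encode()
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(user, secret, authenticator))
             + attribute(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
             + attribute(CALLING_STATION_ID, format_mac(mac, "dashed").encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet: bytes):
    """Returns (code, identifier, authenticator, {attribute type: raw value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs

def server_identity(packet: bytes, secret: bytes, process_host_lookup: bool):
    """What the RADIUS server authenticates on (page 24): Calling-Station-Id when Process Host
    Lookup is enabled, otherwise User-Name/User-Password; None if this is not a MAB request."""
    code, _, authenticator, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST or attrs.get(SERVICE_TYPE) != struct.pack("!I", CALL_CHECK):
        return None
    if process_host_lookup:
        return format_mac(attrs[CALLING_STATION_ID].decode(), "unformatted")
    name = attrs[USER_NAME]
    password = unhide_password(attrs[USER_PASSWORD], secret, authenticator)
    return name.decode() if name == password else None  # wrong shared key -> garbage -> None

if __name__ == "__main__":
    secret = b"constructed-radius-key"  # constructed, not a real key
    pkt = build_mab_access_request("00:11:22:33:44:55", secret, identifier=7)
    print(pkt.hex())
    print(server_identity(pkt, secret, process_host_lookup=True))
    print(server_identity(pkt, secret, process_host_lookup=False))
```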

Page 25

MAB Configuration Steps on Supplicant

• None

• Because MAB is not an authentication protocol

• It is authentication bypass

• There is no negotiation between supplicant and NAD

Page 26

MAB Configuration Steps on NAD

• Enable AAA

• aaa new-model

• Configure dot1x default authentication list

• aaa authentication dot1x default group

• Enable MAB on switch port facing the supplicant

• mab [eap]

• Enforce authentication on switch port facing the supplicant

• authentication port-control auto

• Define RADIUS server settings

• radius-server host <IP> key <radius key>

• Optionally configure other global/interface level settings

• radius-server attribute 31 mac format

Page 27

MAB Configuration Steps on ISE

• Configure MAB authentication policy

• Optionally use a default one

• Configure authorization policy

• Optionally use a default one

• Add supplicant’s MAC address into Internal Endpoints Store

• Authentication performed based on RADIUS Calling Station-ID attribute value

Page 28

MAB Verification and Troubleshooting

• Verification

• show mab all

• show authentication session

• show aaa servers

• Troubleshooting

• show authentication session interface <if_number>

• debug mab all

• debug radius authentication

Page 29

MAB and 802.1x Common Authorizations

• VLAN

• Data VLAN (by name or number)

• Optional; it overrides the VLAN locally configured on the NAD switch port

• Voice VLAN permission

• Mandatory for the voice domain; allows the phone to join the voice VLAN as configured locally on the NAD

Page 30

MAB and EAP Common Authorizations

• Access-Lists

• dACL (Cisco Proprietary, uses AV pairs)

• Before IOS 12.2(55)SE, the switch port required a pre-auth ACL to be applied

• ACL configured on ISE

• Filter-ID ACL (IETF standard)

• ACL configured on NAD

• Per-user ACL (Cisco proprietary, uses AV pairs)

• ACL configured on ISE and ACEs pushed through authorization by ISE

• ACL configured on NAD and ACL name pushed through authorization by ISE

• ACL Common configuration requirements on NAD

• aaa authorization network default group

• radius-server vsa send authentication

• ip device tracking

Page 31

Authorization Verification and Troubleshooting

• Verification

• show ip access-list interface <if_number>

• show ip interface <if_number>

• show epm session interface <if_number>

• show authentication interface <if_number>

• show authentication session interface <if_number>

• Troubleshooting

• show ip device tracking all

• show aaa method-lists authorization

• debug radius authentication

• debug ip device tracking events

Page 32

Part IV: Layer 2 Authentication – EAP

Page 33

EAP – Extensible Authentication Protocol

• EAP is an authentication framework

• Mainly used in Wi-Fi and wired networks

• 802.1x defines the encapsulation of EAP over IEEE802, namely EAP over LAN (EAPOL)

• 802.1x is a flexible layer 2 authentication mechanism

• Makes use of EAP methods, carried inside RADIUS packets

• Currently there are about 40 different methods defined

• EAP method types

• Tunneled (protects the supplicant’s identity and credentials)

• Non-tunneled (does not protect supplicant’s credentials)

Page 34

Common EAP Tunneled Methods

• PEAP - Protected EAP (developed by Microsoft, Cisco, RSA)

• Two-phase method

• Phase 1, called the outer method, authenticates the server and forms the TLS channel

• Phase 2, called the inner method, authenticates the supplicant and protects its EAP identity

• Theoretically, inner authentication method can be any EAP type

• Mutual authentication

• Server is always authenticated by certificate

• Supplicant is authenticated by certificate (EAP-TLS), username/password (EAP-MSCHAPv2), or OTP (EAP-GTC)

• Requires a server certificate; a client certificate is optional

• Identity protection available only in PEAPv1 and PEAPv2

Page 35

Common EAP Tunneled Methods

• EAP-FASTv1 (Flexible Authentication via Secure Tunneling)

• Cisco proprietary, similar to PEAP in scope but very different in functionality

• Developed to allow faster re-authentication and wireless roaming

• Based on PAC files (Protected Access Credentials)

• Can be seen as a cookie locally stored on the supplicant

• Generated by the RADIUS server from a master key known by itself only

• Three-phase method

• Phase 0 is optional and used to provision the supplicant with a PAC file

• Phase 1 is used to establish the TLS tunnel based on the PAC file

• Phase 2 is used to authenticate the supplicant within the TLS tunnel

• EAP-FASTv2 (EAP Chaining)

• Ties machine authentication to user authentication

• Relies on machine PAC and user PAC

• Performs double authentication within single EAP transaction

• Will become a standard, known as EAP-TEAP (RFC draft)

Page 36

Common EAP Tunneled Methods

• EAP-TTLS - Tunneled TLS (RFC5281)

• Very similar to PEAP

• Two-phase method

• Requires server side certificate

• Major difference compared to PEAP is that the inner method can use any authentication protocol

• Non-EAP methods such as PAP and CHAP supported

• Not widely implemented

• Two versions EAP-TTLSv0 and EAP-TTLSv1

Page 37

Common EAP Non-Tunneled Methods

• EAP-TLS (RFC 5216)

• Single phase protocol

• Mutual authentication based on certificates

• Requires client and server certificates

• TLS tunnel created based on certificates

• The RFC requires only server side certificates

• No supplicant identity protection

• Passed in EAP-Identity and in certificate exchange

Page 38

Common EAP Non-Tunneled Methods

• EAP-MD5 (RFC2284)

• The only EAP method defined in original EAP RFC

• Only supplicant authentication based on username/password

• Challenge-response through MD5

• EAP-GTC (RFC3748)

• Developed by Cisco as an alternative to PEAP

• Supports OTP through challenge-response based authentication of supplicant

• EAP-LEAP (Lightweight EAP)

• Cisco proprietary, used only for wireless (WEP or TKIP keys)

• Mutual authentication based on a shared secret, which is the client’s password

• Uses a modified version of MS-CHAP and is thus challenge-response based

• Supplicant authenticated based on username/password

Page 39

802.1x Configuration Steps on Supplicant

• Configure the supplicant to use appropriate EAP method

• It cannot be negotiated

• Two types of supplicants

• Built-in operating system supplicant

• Cisco AnyConnect NAM module

• Ideally, do not leave both supplicants configured

Page 40

802.1x Configuration Steps on NAD

• Enable AAA

• aaa new-model

• Configure dot1x default authentication list

• aaa authentication dot1x default group

• Globally enable 802.1x

• dot1x system-auth-control

• Enable 802.1x on switch port facing the supplicant

• dot1x pae authenticator

• Enforce authentication on switch port facing the supplicant

• authentication port-control auto

• Define RADIUS server settings

• radius-server host <IP> key <radius key>

• Optionally configure other global/interface level settings

Page 41

802.1x Configuration Steps on ISE

• Configure 802.1x authentication policy

• Optionally use a default one

• Enable same EAP method as on supplicant

• Configure authorization policy

• Optionally use a default one

• Enroll ISE into PKI infrastructure

• Only if tunneled EAP methods are used by supplicant

• Enroll ISE into Active Directory

• Only if EAP-TLS or EAP-MSCHAPv2 is the authentication method of supplicant

Page 42

802.1x Verification and Troubleshooting

• Verification

• show dot1x all

• show authentication session

• show authentication interface <if_number>

• show aaa servers

• Troubleshooting

• show authentication session interface <if_number>

• debug dot1x all

• debug radius authentication

Page 43

Part V: ISE Identity Sources

Page 44

ISE Identity Sources

• To authenticate and authorize machines/users, ISE can validate their credentials in two ways

• Internally

• Externally

• Internal Store has two types of entries

• Endpoints (MAC database), organized into groups

• Blacklist, Guest End Points, Registered Devices, Profiled

• Users, organized into groups

• Guest, Activated Guest, Employee, Sponsor Groups

• Can be used as conditions in Authorization policies

• Additional groups can be created

Page 45

External Authentication Support

• ISE can authenticate/proxy against several external sources

• RADIUS

• LDAP

• Active Directory

• PKI (ISE CA server support was added in ISE 1.3)

• Active Directory (AD) integration is the most common one

• ISE 1.2 supports a single AD integration

• Multiple AD domains are supported if all are within the same forest and a trust is configured

• ISE 1.3 supports up to 50 AD domains to be joined

• ISE joins AD just like a regular computer

• Requires administrative rights just for the join process

• After the join, it needs READ ALL rights at the top of the AD/forest schema

Page 46

Active Directory Integration

• ISE and Domain Controller (DC) need to be NTP synchronized

• The maximum tolerated time skew is 5 minutes

• In order to validate supplicant certificates

• Connectivity requirements between ISE and DC

• Global Catalog (TCP 3268/3269)

• LDAP (UDP/TCP 389)

• LDAPS (TCP 636)

• SMB (TCP 445)

• KDC (TCP 88)

• KPASS (TCP 466)

Page 47

Authentication against AD

• Supported authentication options

• EAP-TLS

• EAP-MSCHAPv2

• EAP-TLS

• Supplicant certificate can be stored in Active Directory schema

• ISE can be configured to validate supplicant certificate against AD

• Verify the identity of the machine or user

• By default in EAP-TLS, ISE just checks whether the certificate is valid

• Not expired (certificate validity time compared with ISE clock)

• Not revoked (uses CRL published by the supplicant’s CA issuer)

Page 48

Authorization based on AD

• Users and computers are objects in the AD schema

• Identified by their attributes

• Attributes examples: username, hostname, group membership

• ISE can use these attributes in authorization policies

• Allows for authorization policy scalability

• Example: different authorization can be applied for different groups

• This is called contextual access

• Authorization done based on multiple inputs/conditions

• User and computer membership

• Type of device (identified via profiling)

• Method and time of network access

Page 49

ISE Configuration for AD Integration

• Synchronize clock between AD DC and ISE

• Configure ISE with appropriate DNS server

• It has to be a Domain Controller

• Configure ISE with the AD domain name

• Test connectivity with AD DC

• Join ISE into AD

• Define object attributes to be used in authorization policies

• This step is optional but recommended

Page 50

Part VI: Layer 3 Authentication – HTTP / HTTPS

Page 51

About Layer 3 Authentication

• Performed through HTTP/HTTPS by redirecting users to a web portal

• Not supported for machine authentication, only for user authentication

• Portal can reside on the NAD (switch, WLC)

• Named Local Web Authentication (LWA)

• Rarely implemented because it is decentralized

• Portal can reside on the ISE

• Named Central Web Authentication (CWA)

• Widely deployed as it is centralized

• User / supplicant requires IP address to complete the process

• Starting with IOS 12.2(55)SE, the switch by default enforces an ACL named Auth-Default-ACL on the port, which allows DHCP traffic

• Otherwise static pre-authentication ACL needs to be deployed

Page 52

About Layer 3 Authentication

• In both LWA and CWA

• Authentication is performed by the RADIUS server

• It is supported for wired and wireless access

• Not for VPN access yet

• For VPN, both ISE and VPN gateway need to support it

• Use-cases

• Mainly deployed for visitors, guest services

• Required for Bring Your Own Device implementation

• An alternative to an Enterprise Mobility Management solution

• Supported only in CWA mode

Page 53

Local Web Authentication

• Also known as standalone web authentication

• Makes use of the authentication-proxy service via HTTP

• Enterprise assets will perform MAB or 802.1x in general

• MAB and 802.1x will thus also be enabled in most cases

• LWA will be used as a fallback method on the switch port

• Because you never know who connects to a switch port, employee or guest

• Can be used as the single authentication method, but rarely deployed

• Authorization restriction

• Does not support VLAN assignment, mainly because CoA is not supported in this deployment

• Per-user ACL not supported; instead use proxy-ACL

• Same concept, still uses VSAs, but with a different ACL syntax

Page 54

LWA Configuration Steps on Supplicant

• None

• Just a browser, because LWA is not an authentication protocol

• It is just a web authentication method

• There is no negotiation between supplicant and NAD

• NAD just intercepts HTTP/HTTPS sessions from supplicant and redirects user to the web portal

• NAD requires a layer 3 address (SVI) for this to work

• Device Requirements

• IP address

• DNS resolution required for redirection-URL

Page 55

LWA Configuration Steps on NAD

• Enable AAA

• aaa new-model

• Configure login default authentication list

• aaa authentication login default group

• Define LWA profile

• ip admission name <auth_name> proxy http

• fallback profile <profile_name>

• ip admission <auth_name>

• Enable LWA on switch port facing the user

• authentication order webauth

• authentication fallback <profile_name>

Page 56

LWA Configuration Steps on NAD

• Enable device tracking and HTTP/HTTPS server

• ip device tracking

• ip http server

• ip http secure-server

• Enforce authentication on switch port facing the supplicant

• authentication port-control auto

• Define RADIUS server settings

• radius-server host <IP> key <radius key>

• Optionally configure other global/interface level settings

• RADIUS Service-Type will be Outbound

• In most IOS versions it is not sent in the RADIUS Access-Request message unless the command radius-server attribute 6 on-for-login-auth is configured

Page 57

LWA Configuration Steps on ISE

• Configure RADIUS integration with NAD

• Configure authentication policy

• Possibly match on RADIUS Service-Type to make the policy unique

• Configure authorization policy

• Optionally integrate with External Servers for authentication

• Otherwise define username/password in Local Users Store

Page 58

Central Web Authentication Work Flow

• Uses a two-phase process

• Phase 1

• Uses MAB authentication

• MAB will fail, as ISE is not aware of client’s MAC address

• ISE is configured to continue to the authorization policy even though MAB fails

• In the MAB authentication rule, the "If user not found" option is set to Continue instead of Reject: an unknown MAC address is simply a user that is not found in the endpoint store

• Intermediate Authorization received from ISE will be

• Redirect-ACL, in order to capture the client's HTTP / HTTPS traffic for redirection

• Redirect-URL, in order to redirect client to ISE portal

• Optionally, ACL in order to restrict client’s network access

Central Web Authentication Work Flow

• Phase 2 starts if user initiates HTTP / HTTPS traffic

• Phase 2

• User is redirected to ISE’s web portal

• The user has to pass portal authentication via username/password

• If authentication succeeds, ISE will send a RADIUS Change of Authorization (CoA) message to the NAD

• As a result, NAD will perform a re-authentication of the client via MAB

• Authentication will fail again, just like in Phase 1

• Final authorization is received from ISE and applied by NAD on the port

• Final authorization rule uses the special condition Network Access:UseCase EQUALS Guest Flow, which ISE sets on the MAB re-authentication of a session that has just passed the guest portal

CWA Configuration Steps on Supplicant

• None

• Just an ISE supported browser, because CWA is not an authentication protocol

• It is just a web authentication method

• There is no negotiation between supplicant and NAD

• NAD intercepts HTTP/HTTPS sessions from the supplicant, answers them itself and redirects the browser to the web portal

• NAD therefore requires a layer 3 address reachable by the client (an SVI in the client VLAN) on which the intercepted TCP session can terminate; for intercepted HTTPS the browser warns about the switch's self-signed certificate unless the switch has been given a trusted one

• Device Requirements

• IP address

• DNS resolution of the FQDN in the redirect URL (the ISE PSN name) must be permitted before authentication

CWA Configuration Steps on NAD

• Enable AAA

• aaa new-model

• Configure 802.1x default authentication list

• aaa authentication dot1x default group radius

• Configure authorization list, as Phase 1 always includes authorization

• aaa authorization network default group radius

• Enable MAB on switch port facing the supplicant

• mab [eap]

• Enforce authentication on switch port facing the supplicant

• authentication port-control auto

CWA Configuration Steps on NAD

• Enable device tracking and HTTP/HTTPS server

• ip device tracking

• ip http server

• ip http secure-server

• Define RADIUS server settings

• radius-server host <IP> key <radius key>

• Configure CoA with the same RADIUS server

• aaa server radius dynamic-author

• client <server_ip> server-key <string>

• Configure the redirect ACL on the switch: permit entries select the traffic that is redirected (HTTP/HTTPS), deny entries exempt traffic from redirection, so DHCP, DNS and access to the ISE portal on TCP 8443 must be deny lines; ISE references this ACL by name in its url-redirect-acl AV pair

• Optionally configure other global/interface level settings
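The CWA NAD steps from the two slides above as one working switch configuration, including the redirect ACL and the CoA listener. This is an added example, not configuration from the INE slides: the PSN address 10.1.100.10, shared secret Cisco123, client VLAN 100, port GigabitEthernet1/0/10 and the ACL name are assumptions, and the ACL name must match the url-redirect-acl value configured in the ISE authorization profile.

```cisco
! --- Global AAA ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! accounting lets ISE track the session it will later send a CoA for
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! --- RADIUS server and CoA listener (assumed PSN address and key) ---
radius-server host 10.1.100.10 auth-port 1812 acct-port 1813 key Cisco123
! required: url-redirect and url-redirect-acl arrive as Cisco AV-pairs
radius-server vsa send authentication
radius-server vsa send accounting
!
aaa server radius dynamic-author
 client 10.1.100.10 server-key Cisco123
 ! IOS listens on UDP 1700 by default; the NAD definition in ISE must use the same CoA port
 port 1700
!
! --- Redirect support ---
ip device tracking
ip http server
ip http secure-server
!
! --- Redirect ACL, referenced by name in the ISE url-redirect-acl AV-pair ---
! permit = redirect this traffic, deny = leave it alone
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   tcp any host 10.1.100.10 eq 8443
 permit tcp any any eq www
 permit tcp any any eq 443
!
! --- User-facing port: MAB only, Phase 1 and the post-CoA re-authentication are both MAB ---
interface GigabitEthernet1/0/10
 description CWA user port
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 authentication violation restrict
 mab
 spanning-tree portfast
!
! --- SVI in the client VLAN, used to answer the intercepted HTTP session ---
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
```

During Phase 1, show authentication sessions interface GigabitEthernet1/0/10 lists the URL Redirect ACL and URL Redirect values pushed by ISE; after the portal login, debug aaa coa shows the CoA arriving and the session being re-authenticated.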

CWA Configuration Steps on ISE

• Configure RADIUS integration with NAD

• also for CoA: the NAD's CoA shared secret and port (UDP 1700 by default on IOS) must match the dynamic-author configuration on the switch

• Configure authentication policy

• MAB authentication rule set to Continue when the user (MAC address) is not found, so that the failed MAB still reaches the authorization policy

• Configure authorization policy for Phase1

• Redirect-URL and Redirect-ACL

• Configure authorization policy for Phase2

• Optional, just Access-Accept is enough

• Optionally integrate with External Servers for authentication

• Otherwise define username/password as Guest Account

CWA Verification and Troubleshooting

• Verification

• show authentication sessions

• show authentication interface <if_number>

• show aaa servers

• Troubleshooting

• show authentication session interface <if_number>

• show epm session ip <ip_address>

• show ip access-list interface <if_number>

• debug radius authentication

• debug aaa coa

ISE Guest Services

• Built on the CWA flow described above

• ISE supports full lifecycle management for guest access

• Admin Portal, used to manage global policies for sponsors and guest users, runs on Admin Persona

• Sponsor Portal, used to manage guest user accounts, runs on PSN Persona

• Guest Portal, used to authenticate guests, runs on PSN persona

• Sponsor and Guest portals run by default over TCP 8443 (configurable); the Admin portal is the regular ISE admin GUI on TCP 443

• Guest Portal scalability

• Supports multiple guest portals

• Each guest portal is managed by one or multiple sponsors

• Each guest portal can be customized

Guest Services Configuration Steps

• On supplicant and NAD, same as in CWA

• On ISE, same as in CWA

• Optionally create sponsor accounts and groups

• Optionally configure guest account settings

• Optionally customize guest portal

• If guest credentials are stored on ISE

• Provision user credentials as Guest Accounts (by a sponsor or through self-registration)

• By default the guest portal authenticates against the internal guest user store; this can be changed by editing the portal's identity source sequence

Bring Your Own Device - BYOD

• Enterprise assets will perform MAB or 802.1x in general

• Supplicant on assets is automatically deployed and configured

• Operation is transparent to the user

• Many enterprises are opening up for BYOD

• Allows you to come to work with your own device

• To be treated like a corporate-managed asset, the personal device has to perform 802.1x authentication

• Challenge is configuration of 802.1x on user’s devices

• ISE allows employees to enroll their own devices

• Supplicant on devices will be automatically configured for 802.1x and enrolled in PKI

• Process achieved through CWA with self-service and device registration being enabled

• Once enrolled, user will be assigned to the ActivatedGuest group of users, which can be used as a condition in authorization policies

BYOD Device Onboarding

• Mostly used for mobile assets

• Smartphones, tablets, laptops

• As mobile assets generally lack an Ethernet port

• Deployment is done via Wi-Fi

• Wired is also supported

• Wireless Deployment Options

• Single SSID: the user joins the secure 802.1x SSID with username/password, is redirected to the onboarding portal, and reconnects on the same SSID with the provisioned certificate

• Dual SSID: the user starts on an open/guest SSID for registration and provisioning, then moves to the secure 802.1x SSID

Part VII : EndPoint Profiling

What is Profiling ?

• Profiling

• Allows ISE to learn attributes about network connected endpoints

• Based on the profile, it will assign endpoint to appropriate identity groups

• Groups can be used in authorization policy for smarter network access control decisions

• Especially useful for devices that perform MAB, but not only

• Two types of profiling

• Static profiling, where endpoint is manually assigned to a group

• Dynamic profiling, where endpoint attributes are dynamically learned through the use of probes

• By default, dynamic profiling probes are turned off

• Endpoints are still automatically profiled based on the OUI of their MAC address

• However, the OUI only reveals the device vendor, not the device type, so it is not very specific

Dynamic Profiling

• Automatic fingerprinting of the endpoint based on several probes

• ISE needs the probes enabled on the PSN so that it listens for and interprets the data

• NAD needs to be configured to feed the probes (RADIUS accounting, DHCP relay, SNMP, NetFlow, SPAN)

• RADIUS, highly recommended

• Inspects RADIUS attributes from the authentication Request

• Inspects RADIUS accounting for IP-MAC binding, required for NMAP scanning or DNS resolution of endpoint

• Used also for IOS Device sensor feature, supported starting with 15.0(2) on switches and 7.2.110.0 on WLC

Most Commonly Used Probes

• HTTP

• ISE interprets HTTP messages from CWA or SPAN

• Gathers User-Agent from HTTP packet, used to identify the operating system on the device

• Crucial for mobile device profiling

• DHCP

• ISE interprets DHCP messages received via DHCP relay (ip helper-address pointing at the PSN) or SPAN

• Gathers the DHCP class identifier (option 60) and parameter request list (option 55); this option fingerprint is used to identify the operating system on the device (DHCP carries no User-Agent)

• Gathers the DHCP hostname (option 12)

• Important for mobile device profiling

• Useful only in DHCP environments

Less Commonly Used Probes

• NMAP

• TCP/UDP port scanning for operating system detection

• SNMP query sent by ISE

• Used only in case NAD does not support device sensor

• Triggered by RADIUS accounting or SNMP trap

• Reads CDP/LLDP/ARP/MAC data

• DNS resolution performed by ISE

• Reverse DNS query for PTR records to get the FQDN of the endpoint

• Query initiated only after the endpoint's IP address has been learned through other probes: RADIUS, DHCP, HTTP, SNMP

• Netflow samples

• Detects anomalous traffic from an already profiled endpoint (a profiled printer making Skype calls to the Internet)

Profiling Policies

• ISE has a large database of built-in profiling policies

• Can profile many devices out-of-the-box, given that enough data is received from probes

• Additional policies can be manually configured, or you can edit the built-in ones

• Logical profile is a container grouping several profiling policies (e.g. all IP phone types) so that they can be referenced as a single condition

• ISE has a built-in hierarchy for device profiling, in the form of parent-child policies; for example

• Parent policy is named Apple-Device

• Child policy attached to the parent policy can be Apple-iPad or Apple-iPhone

• Profiling policies are built on a set of conditions for device identification

• In order to be profiled as Apple-iPad, conditions for both parent and child policy need to be satisfied

Profiling Policies Settings

• Minimum Certainty Factor

• How sure is ISE about endpoint being identified

• Integer value which needs to be met in order for the endpoint to be assigned to the profiling policy

• Associated CoA type

• When endpoint is profiled and assigned to a specific group, do you want CoA to be performed

• Rules

• Each rule is a condition matching on collected endpoint attributes

• Each rule has an associated action, most commonly to increase the Certainty Factor

• NMAP SCAN is an alternative action

Profiling Result

• It can happen that the device is authorized by ISE before being accurately profiled

• Thus, usually CoA is also deployed with profiling

• Allows to change device authorization after being profiled

• In general, by deploying ISE in phases, all devices will be profiled before going to Closed Mode

• Because of profiling, CoA is triggered when

• Endpoint profiled for 1st time

• Endpoint statically assigned to a group

• Endpoint removed from ISE database

• Endpoint dynamically changed identity group membership

ISE Authorization Flow with Profiling

• How AAA order of processing is changed

• Endpoint Authentication

• Initial Authorization Policy pushed (endpoint not profiled yet)

• Profiling data is received or asked for

• Device is profiled and assigned to an identity group

• ISE triggers CoA requesting endpoint re-authentication

• Endpoint Authentication

• Final authorization matching the conditions for the identity group

• Because authorization rules are processed top-down

• Order of rules is very important

Profiling Configuration Steps on NAD

• Configure RADIUS accounting to ISE

• aaa accounting dot1x default start-stop group radius

• Configure NAD to include the endpoint IP address (Framed-IP-Address) in the RADIUS Access-Request message; requires ip device tracking to be enabled, otherwise the switch does not know the client IP

• radius-server attribute 8 include-in-access-req

• Configure DHCP-Relay

• ip helper-address <ise_ip>, configured on the client VLAN's SVI in addition to the helper pointing at the real DHCP server (ISE only inspects the copy, it does not answer DHCP)

• Configure NAD to include the RADIUS Class attribute (25) returned by ISE in subsequent Access-Request messages (attribute 25 is RADIUS Class, not a DHCP option; it is part of Cisco's recommended ISE switch configuration)

• radius-server attribute 25 access-request include

• Configure NAD to send Netflow samples and SNMP traps to ISE

Profiling Configuration Steps on ISE

• Ensure that Enable Profiling Service check box is selected on the PSN

• By default it is

• Enable Profiling Probes

• Activates interpretation of probe messages

• Enable CoA for Profiling

• Optionally, tune the profiler conditions and policies

• Configure authorization policies using as condition the profiled endpoints

• Most deployments use a separate physical port on ISE to receive data from probes

• Probes may send a huge amount of data, especially if SPAN is used

• SPAN is, in general, not recommended for performance reasons

• It leaves a dedicated port just for regular RADIUS authentication

NAD 802.1x Port Modes

• Single Host (default)

• Single MAC address allowed in data domain

• Second MAC address results in violation action

• Multi Domain

• Single MAC address allowed per domain (voice and data)

• Second MAC address for each domain results in violation action

• Multiple Authentication

• Single MAC address allowed in voice domain

• Multiple MAC addresses allowed in data domain

• VLAN authorization possible, single VLAN supported

• Multiple Host

• Only first MAC address is required to authenticate

• No ACL and Redirect URL support

IOS Device Sensor Overview

• Scales profiling service on ISE

• Highly recommended to be deployed

• Less data with more details for ISE to interpret

• The NAD gathers endpoint attributes through CDP, LLDP and DHCP

• CDP and LLDP need to be enabled on the NAD

• Sends the collected endpoint attributes to ISE through RADIUS accounting messages

• Uses Cisco AV pairs

DHCP Device Sensor Configuration Steps

• Configure a list of DHCP options to be collected

• device-sensor filter-list dhcp list <list_name>

• option name host-name

• option name client-identifier

• option name client-fqdn

• option name class-identifier

• Activate the DHCP sensor option

• device-sensor filter-spec dhcp include list <list_name>

CDP Device Sensor Configuration Steps

• Configure a list of CDP TLV’s to be collected

• device-sensor filter-list cdp list <list_name>

• tlv name device-name

• tlv name capabilities-type

• tlv name platform-type

• Activate the CDP sensor option

• device-sensor filter-spec cdp include list <list_name>

LLDP Device Sensor Configuration Steps

• Configure a list of LLDP TLV’s to be collected

• device-sensor filter-list lldp list <list_name>

• tlv name port-id

• tlv name system-name

• tlv name system-capabilities

• Activate the LLDP sensor option

• device-sensor filter-spec lldp include list <list_name>

Device Sensor Common Configuration

• Enable RADIUS accounting

• aaa accounting dot1x default start-stop group radius

• aaa accounting update newinfo

• radius-server vsa send accounting

• Globally activate IOS sensor

• device-sensor accounting

• device-sensor notify all-changes

• Globally activate CDP and LLDP

• cdp run

• lldp run
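The "Profiling Configuration Steps on NAD" slide and the four device sensor slides above combined into one switch configuration that feeds the ISE RADIUS probe with device sensor data. This is an added example, not configuration from the INE slides: the PSN address 10.1.100.10, the DHCP server 10.1.50.5, shared secret Cisco123, VLAN 100 and the filter-list names are assumptions.

```cisco
! --- RADIUS accounting carries the collected attributes to ISE ---
aaa accounting dot1x default start-stop group radius
! send an interim accounting update as soon as the sensor learns something new
aaa accounting update newinfo
radius-server host 10.1.100.10 auth-port 1812 acct-port 1813 key Cisco123
! device-sensor data is encoded as Cisco AV-pairs (attribute 26, vendor 9, type 1)
radius-server vsa send accounting
!
! --- Put the endpoint IP (Framed-IP-Address) and the RADIUS Class attribute in the Access-Request ---
ip device tracking
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
! --- Protocols the sensor listens to ---
cdp run
lldp run
!
! --- Which DHCP options and CDP/LLDP TLVs to collect ---
device-sensor filter-list dhcp list DS-DHCP
 option name host-name
 option name client-identifier
 option name client-fqdn
 option name class-identifier
!
device-sensor filter-list cdp list DS-CDP
 tlv name device-name
 tlv name capabilities-type
 tlv name platform-type
!
device-sensor filter-list lldp list DS-LLDP
 tlv name port-id
 tlv name system-name
 tlv name system-capabilities
!
! --- Bind the lists and turn the sensor on ---
device-sensor filter-spec dhcp include list DS-DHCP
device-sensor filter-spec cdp include list DS-CDP
device-sensor filter-spec lldp include list DS-LLDP
device-sensor accounting
device-sensor notify all-changes
!
! --- Optional DHCP relay to the PSN for the ISE DHCP probe ---
! Only needed on platforms without device sensor, since the sensor already
! forwards the same DHCP options over RADIUS. The real DHCP server (assumed
! 10.1.50.5) stays as the first helper; ISE only inspects its copy.
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 ip helper-address 10.1.50.5
 ip helper-address 10.1.100.10
```

show device-sensor cache mac <mac_address> shows what was collected for one endpoint, and debug radius accounting shows the same values leaving as cisco-av-pair attributes in the Accounting-Request; on the ISE side the attributes appear under the endpoint's details in the profiler.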

Device Sensor Verification

• Verify probe functionality

• show lldp

• show cdp

• show device-sensor cache all

• Verify collected data per endpoint

• show device-sensor cache mac <mac_address>

• Verify that collected data is being sent to ISE

• show aaa method-lists accounting

• debug radius accounting

Part VIII : Posture Assessment

Posture Services

• Posture Policy defines the health requirements of endpoints

• Through posture policies, ISE defines the compliance requirements for Windows/Mac endpoints

• Antivirus, Antispyware, firewall, OS updates

• Processes running, file existence, registry entries

• ISE collects endpoint data and matches it against its posture policies

• Endpoint data collected through

• NAC Agent

• AnyConnect Posture module available in AnyConnect 4.0

NAC Agent Overview

• NAC Agent

• Temporary web agent based on ActiveX or Java (Windows)

• Limited remediation

• Permanent agent (Windows and Mac)

• Automatic remediation

• NAC Agent compliance module (OPSWAT) used for antivirus and antispyware vendor support

• NAC Permanent Agent deployment options

• Manual installation, not scalable

• Unattended installation, customization available

• ISE Client Provisioning Policy

• Can also be used to automatically update NAC Agent or compliance module

NAC Agent Connectivity Requirements

• NAC Agent communicates directly with ISE

• Supplicant requires IP connectivity to ISE

• NAD is completely bypassed, makes sense as it does not understand posture data

• TCP 8443 to ISE

• Required if NAC Agent is installed through CPP

• UDP / TCP 8909 to ISE

• Required for NAC Agent wizard installation via CPP

• UDP / TCP 8905 to ISE

• Used by SWISS protocol (report collected data to ISE)

• Required for ISE discovery and NAC Agent update

• ISE no longer uses legacy port 8906 for SWISS protocol

Posture Services

• Posture status options for an endpoint

• Unknown, no data was collected from the endpoint

• Usually means NAC Agent is not installed

• Could be that it is not running or does not have ISE connectivity

• Noncompliant, at least one requirement is not satisfied

• Remediation process can be started automatically

• Compliant, all requirements are satisfied

• Posture status is used as condition in authorization policies

• Network access is thus granted based on the health / security state of the endpoint

Posture Assessment Work Flow

• How AAA order of processing is changed

• Supplicant Authentication

• Initial Authorization Policy pushed (posture status Unknown)

• Posture Discovery and Assessment starts

• Posture data is received by ISE from NAC Agent

• Posture state is changed to Compliant or Noncompliant

• ISE triggers CoA requesting endpoint re-authentication

• Supplicant Authentication same as in first step

• Intermediate authorization is applied if posture status is Noncompliant

• Remediation starts, fixes problems, posture status changes to Compliant

• ISE triggers CoA requesting endpoint re-authentication

• Final authorization is applied if posture status is Compliant

Posture Configuration Steps on Supplicant

• Install NAC Agent

• Ideally, provision the FQDN of the ISE PSN, to avoid relying on ISE dynamic discovery

• FQDN automatically provisioned if Agent installed via CPP

• ISE Discovery process

• HTTP discovery probe on port 80 to ISE PSN, if configured

• HTTPS discovery probe on port 8905 to ISE PSN, if configured

• HTTP discovery probe on port 80 to default gateway

• HTTPS reconnect probe on 8905 to previously contacted ISE PSN

• To avoid endpoint being quarantined for remediation

• Ensure endpoint satisfies security policies configured on ISE

Posture Configuration Steps on NAD

• NAD is not aware of the posture process

• NAD just receives authentication status and authorization to be applied from ISE

• Allow NAC Agent connectivity with ISE: the pre-compliance dACL or redirect ACL must not block TCP/UDP 8905 (SWISS), TCP 8443 (client provisioning) and, for the wizard install, 8909 towards the PSN

Posture Configuration Steps on ISE

• CoA is enabled by default for posture assessment

• Configure posture policies

• Per operating system

• Per group of users

• Configure authorization policies with posture status as condition

• For Unknown status, redirect to client provisioning portal

• For Noncompliant status, restrict access for remediation to work

• For Compliant status, grant network access as desired

• Optionally configure client provisioning policies

• Only when NAC Agent has not been pre-deployed

• Requires downloading the NAC Agent and compliance module to ISE

Part IX : Layer 2 Encryption - MACSec

Cisco TrustSec

• Stands for Trusted Security

• Consists of 802.1x, SGT and MACSec

• SGT stands for Security Group Tags

• MACsec stands for MAC (Media Access Control) Security, layer 2 encryption

• MACSec offers line-rate layer2 hardware-based encryption on a hop-by-hop basis

• Host-to-switch

• Switch-to-switch

• MACsec is the IEEE 802.1AE standard

• GCM-AES-128 cipher suite, giving both confidentiality and integrity (16-byte ICV) per frame

• Frames carry a SecTAG with EtherType 0x88E5 in place of the original EtherType, which is protected together with the payload

• Supports SGT embedded inside CMD (Cisco Meta Data) – layer 2 header

MACSec Implementation Options

• Host-to-switch (downlink)

• Requires host to perform 802.1x authentication via EAP-TLS, PEAP or EAP-FAST

• Native Windows supplicant does not support it

• AnyConnect offers software based encryption

• Negotiation and key derivation via MKA (MACsec Key Agreement)

• Standardized in IEEE 802.1X-2010 (MKA is an IEEE protocol, not an RFC)

• Switch-to-switch (uplink)

• Manual/static configuration

• Negotiation and key derivation via SAP (Security Association Protocol)

• Cisco proprietary based on 802.11i

MACsec Policy Enforcement

• MACsec policy is enforced per port

• Must-not-secure, do not negotiate MACsec

• Should-secure (default), negotiate MACsec, if failed allow clear-text traffic

• Must-secure, negotiate MACsec, if failed do not allow clear-text traffic

• Policy type received from ISE overrides the locally configured setting on the NAD

• Local Should-Secure is overridden by ISE Must-Not-Secure

• Based on host port mode, MACsec is

• Fully supported with single-host and multi-domain

• Partially supported with multiple-host, only first authenticated MAC address may negotiate MACsec

• Not supported with multiple-authentication, because MACsec is point-to-point

MACsec Configuration Steps Supplicant

• Requires AnyConnect

• Configure EAP-FAST with MACsec support

MACsec Configuration Steps on NAD

• Ensure 802.1x authentication requirements are configured

• Enable MACsec on the switch port (downlink)

• macsec

• mka default-policy

• Optionally define MACsec policies on switch port (downlink)

• authentication linksec policy {must-secure | should-secure | must-not-secure}

• authentication event linksec fail action authorize vlan <vlan_nr>

• Enable MACsec on the switch port (uplink)

• cts manual

• sap pmk <value> mode-list gcm-encrypt
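The downlink and uplink MACsec steps above as one switch configuration. This is an added example, not configuration from the INE slides: the PSN address 10.1.100.10, shared secret Cisco123, VLANs 100 and 999, the interface names and the SAP pre-shared key value are assumptions; the PMK must be identical on both ends of the uplink and is shown here only to illustrate the syntax.

```cisco
! --- 802.1X prerequisites, assumed already working against ISE ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.1.100.10 auth-port 1812 acct-port 1813 key Cisco123
! linksec-policy arrives from ISE as a Cisco AV-pair
radius-server vsa send authentication
!
! --- Downlink: host-to-switch MACsec, keys negotiated with MKA after EAP succeeds ---
interface GigabitEthernet1/0/10
 description AnyConnect host with MACsec
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 ! MACsec is point-to-point, so single-host (or multi-domain) is required
 authentication host-mode single-host
 dot1x pae authenticator
 ! enable MACsec and use the default MKA policy (GCM-AES-128)
 macsec
 mka default-policy
 ! local policy; a linksec-policy AV-pair from ISE overrides it per session
 authentication linksec policy should-secure
 ! on a must-secure port, a failed MACsec negotiation lands the host in VLAN 999 instead of being dropped
 authentication event linksec fail action authorize vlan 999
!
! --- Uplink: switch-to-switch MACsec with a manually configured SAP key ---
interface TenGigabitEthernet1/1/1
 description MACsec trunk to distribution switch
 switchport mode trunk
 cts manual
  ! PMK is a hex string (assumed value), must match the peer; gcm-encrypt = encrypt and authenticate
  sap pmk 0123456789ABCDEF0123456789ABCDEF mode-list gcm-encrypt
```

show mka sessions interface GigabitEthernet1/0/10 detail should show a secured session with the SAK installed once the AnyConnect host has authenticated; show cts interface TenGigabitEthernet1/1/1 shows the SAP negotiation result for the uplink. Note that gcm-encrypt without an alternative in the mode-list means the uplink stays down if the peer does not complete SAP.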

MACsec Configuration Steps on ISE

• Ensure 802.1x authentication and authorizations are functional

• Configure MACsec policy in the authorization profile

MACsec Verification and Troubleshooting

• Verification

• show macsec summary

• show macsec interface <if_nr>

• show authentication session interface <if_nr>

• show mka sessions interface <if_nr> detail

• show mka default-policy detail

• show cts interface summary

• show cts interface <if_nr>

• Troubleshooting

• debug radius authentication

• debug macsec event

Part X : Security Group Tags - SGT

What is SGT ?

• A label / tag identifying a packet

• How is it different than a VLAN tag ?

• It is a tag used for security purposes

• It identifies the context of the user, because it is assigned based on

• How did the user access the network

• From which device did the user access the network

• At what time did the user access the network

• Was the user’s device profiled

• What is the posture of the user’s machine

SGT Building Blocks

• Classification

• SGT assignment, always done at the network ingress point

• Can be static or dynamic

• Transport

• Via inline tagging by the NAD

• Via SXP (SGT Exchange Protocol), a control-plane protocol that carries IP-to-SGT bindings between devices

• Used to propagate SGT across devices that do not support SGT inline tagging

• Runs over TCP 64999

• Connection can be unidirectional (speaker-listener)

• Connection can be bidirectional, both devices can play both roles

• Enforcement

• Policy is applied via SGACL or SGFW

How does SGT help ?

• Used to configure firewall rules

• Restrict network access

• Firewall rules

• Configured on TrustSec-capable switches, named SGACL (role-based ACL matched on source and destination SGT)

• Configured on ASA firewall, named SGFW

• Configured on IOS Zone-Based Firewall, named SGFW

• Why is it better than regular firewall rules ?

• The tag identifies much more than the user, it identifies the health state of the user/device

• A user can have the same tag, regardless of point of connection, thus regardless of its IP address

• In the BYOD context, a user may actually have 1-10 IP addresses assigned, which presents a scalability problem with firewall rules

SGT Overview

• SGT

• Layer 2 tag, by default (carried in the Cisco Meta Data header)

• Can also be carried across layer 3 hops by copying it into an encapsulation such as IPsec ESP

• Helps keep the security tag across routing domains

• SGT is dynamically assigned by ISE as part of the authorization policy

• For authenticated endpoints

• SGT is statically assigned by NAD

• For non-authenticated endpoints, like servers

• It can be assigned per VLAN, per IP, per subnet

• SGT is always applied to the packet by the NAD

• Requires both hardware and software capabilities

SGT Configuration Steps

• Configure TrustSec (CTS) between ISE and NAD

• Configure ISE dynamic SGT classification

• Configure NAD static SGT classification

• Configure SGACL on ISE

• Configure SGACL and SGFW enforcement

• Optionally configure SXP session between network devices
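The switch side of the SGT steps above as one configuration, covering TrustSec enrollment with ISE, static classification, a local SGACL as fallback for the ones normally downloaded from ISE, enforcement and an SXP speaker session. This is an added example, not configuration from the INE slides: the PSN address 10.1.100.10, the device ID and passwords, SGT values 100/1000/1001/1002, the subnets, VLANs and the SXP peer 10.1.1.2 are assumptions; whether subnet/VLAN static mappings and SGACL enforcement are available depends on the platform.

```cisco
! --- Step 1: TrustSec (CTS) between ISE and the switch ---
! The device ID and password are EXEC commands, not part of the running config,
! and must match the TrustSec settings of this NAD in ISE (assumed values):
!   Switch# cts credentials id SW-ACCESS-1 password Cisco123
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network CTS-LIST group radius
cts authorization list CTS-LIST
dot1x system-auth-control
! "pac key" lets the switch obtain a PAC from ISE for environment-data and policy download
radius-server host 10.1.100.10 auth-port 1812 acct-port 1813 pac key Cisco123
radius-server vsa send authentication
radius-server vsa send accounting
!
! --- Step 2: dynamic classification is defined in ISE (SGT in the authorization profile) ---
!
! --- Step 3: static classification on the NAD for endpoints that do not authenticate ---
! server subnet
cts role-based sgt-map 10.1.200.0/24 sgt 1000
! whole VLAN
cts role-based sgt-map vlan-list 200 sgt 1001
! single host
cts role-based sgt-map 10.1.200.50 sgt 1002
!
! --- Steps 4 and 5: enforcement. SGACLs normally come from ISE; this local one is a fallback ---
ip access-list role-based DENY-MGMT-PROTO
 deny tcp dst eq 22
 deny tcp dst eq 23
 permit ip
! traffic from SGT 100 (employees) to SGT 1000 (servers) may not use SSH/Telnet
cts role-based permissions from 100 to 1000 DENY-MGMT-PROTO
cts role-based enforcement
cts role-based enforcement vlan-list 100,200
!
! --- Step 6: SXP towards a device that cannot inline-tag (e.g. a firewall) ---
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password Cisco123
! this switch is the speaker: it sends its IP-to-SGT bindings to the listener at 10.1.1.2 over TCP 64999
cts sxp connection peer 10.1.1.2 password default mode local speaker
```

show cts role-based sgt-map all lists the static and learned IP-to-SGT bindings, show cts role-based permissions shows the SGACL matrix in force (ISE-downloaded entries replace the local fallback once policy download succeeds), and show cts sxp connections confirms that the speaker session to 10.1.1.2 is On.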

THE END