#CiscoLiveLA 2017, presentation by Jerome Henry


Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD

Jerome Henry, Principal Engineer, CCIE – 27450

BRKEWN-2005

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

What this session will cover…

• AP and WLC secure connection;

• wireless radio threats;

• secure/open SSID fundamentals;

• client secure connection options;

• CUWN and AireOS use cases

…and what it won’t…

• configuration details;

• version discrepancies;

• roadmap;

• IPv6;

• not too much for guests.

…except when it does.


For your reference

• There are slides in your PDF that will not be presented, or quickly presented.

• They are valuable, but included only “For your reference”.


Agenda

• Secure the infrastructure
• Protecting the air
• Secure the clients
• Network services
• Use cases

Cisco Digital Network Architecture for mobility

Automation
• Plug n Play
• EasyQoS
• ISE: 802.1X, BYOD and Guest
• Open APIs: modular APs with RESTful APIs
• Cloud service management: CMX 10.x with Context and Guest

Assurance
• RESTful APIs on the WLC
• NetFlow export
• Apple network optimization and FastLane

Platforms and virtualization
• Modular APs with RESTful APIs
• DNA-optimized controllers: 3504, 5520, 8540
• Various VM models: ESXi, KVM, Hyper-V, AWS

Outcomes: insights and experiences; automation and assurance; security and compliance.

WLAN portfolio with integrated security

Four pillars: protect the clients, protect the network, protect the air, and trust.

• Integrated security within APs and WLCs
• Advanced security with policies, segmentation and visibility
• Cisco Trustworthy Systems
• Certifications (FIPS, Common Criteria, DoD UC APL)
• Identity PSK
• TrustSec (with ISE)
• Base wIPS
• Rogue detection
• CleanAir
• Adaptive wIPS
• Default best practices
• 802.11w, DTLS
• Cisco Umbrella
• Cisco Stealthwatch

Trustworthy Systems: Protect the Device

Embedded security built for today's threats, security expertise and innovation, evidence of trust.

"Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions… There has never been a greater need to improve network infrastructure security." (US-CERT Alert TA16-251A, September 2016)

Learn more:
• Visit trust.cisco.com
• See BRKARC-1010 "Protecting the Device: Cisco Trustworthy Systems & Embedded Security"
• Meet the Engineer, topic "Security and Trust Architecture"

Cisco Trustworthy Systems levels, enterprise wireless

• Platform integrity: counterfeit protections, image signing, secure boot, modern crypto, hardware trust anchor, secure device onboarding.
• Protections against attack: 802.11w, 802.11r, 802.11i; TrustSec; NetFlow; IP Source Guard; ACLs; wIPS/rogue detection; DHCP snooping; secure transport.
• Solution-level attack protection (protects the network): ISE, Stealthwatch, Umbrella.
• Security culture: PSIRT advisories, security training, product security baseline, threat modeling, open source registration, supply chain management.

Learn more: BRKARC-1010 "Protecting the Device: Cisco Trustworthy Systems & Embedded Security"

End to End Security: A Glimpse

• AP: securing the air through accurate classification of rogues and interference; secure communication with other APs via 802.11w/MFP and with the WLC via DTLS; security at the edge with aWIPS.
• Controller: NetFlow collection.
• Lancope (Network as a Sensor, NaaS): security and insights.
• CMX: geo-fencing limits access to within the physical perimeter.
• ISE: secure authentication with 802.1X; securing personal devices (BYOD); simple guest deployment; per-device and per-application policies; easy segmentation with TrustSec; IoT classification and policy.
• Cisco Umbrella: content filtering and protection against cyber-attacks.
• Switch: IoT segmentation with TrustSec (Network as an Enforcer, NaaE).
• Devices: ISE plus Meraki or third-party MDM prioritizes applications.

Secure the Infrastructure


Secure Infrastructure Feature Highlights

Infrastructure hardening, Plug n Play, FIPS support, 802.11 encryption, MFP and 802.11w, certificate store, best practices, Trustworthy Systems.

Securing the infrastructure

• How to secure the AP connectivity and access.

• How to secure the communication between the WLC and the AP.

• How to secure the radio:

• intrusion detection/prevention;

• rogue access points;

• interferences.

CAPWAP between the Access Point (AP) and the Wireless LAN Controller (WLC): control messages on UDP 5246, data encapsulation on UDP 5247.

Securing the AP-WLC communication: CAPWAP tunnels (see also BRKEWN-2010)

Data DTLS
• CAPWAP control (DTLS, UDP 5246) is encrypted by default.
• CAPWAP data (UDP 5247) is encapsulated but not encrypted by default. The AP terminates the 802.11 encryption, so without Data DTLS the client traffic crosses the wired path between AP and WLC in the clear.
• Option to encrypt data traffic for specific APs since 7.0.
• Support for DTLS data encryption between AP and WLC.
• Performance impact: without Data DTLS, average vWLC throughput is 200 Mbps; with all APs using Data DTLS, throughput is 100 Mbps.


Securing the AP-WLC communication: Manufacturer Installed Certificate (MIC)

The CAPWAP DTLS sessions (control on UDP 5246, data on UDP 5247 when Data DTLS is enabled) are authenticated with the X.509 certificate installed on the AP at manufacturing.

Securing the AP-WLC communication: Locally Significant Certificate (LSC)

Alternative to the MIC: the AP and WLC certificates are issued by your own PKI, so the trust anchor for the CAPWAP DTLS handshake is under your control rather than Cisco's manufacturing CA.

Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

Securing the AP-WLC communication: Out-of-Box AP Group and RF Profile (v7.3+)

Newly joined APs land in the Out-of-Box AP group, whose RF profile keeps the radios disabled; an AP starts serving only once an administrator moves it to its production AP group (e.g. Berlin), where radios are enabled.

Example: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01011101.html#ID2870

APIC-EM Plug-n-Play (PnP), AireOS 8.2

PnP server with sites Site-2 (WLC-2a, WLC-2b) and Site-3 (WLC-3a, WLC-3b).

Device list (site, product ID, serial #, hostname, configuration):
• Site-2: AIR-CAP3702I-A-K9, RFD0XP2T025, Site-2-AP, Site-2-Config
• Site-3: AIR-CAP3702I-A-K9, RFE0ZP2T026, Site-3-AP, Site-3-Config

Configurations (configuration, WLC, AP group, AP mode):
• Site-2-Config: WLC-2a, Site-2-Group, AP-Site-2
• Site-3-Config: WLC-3a, Site-3-Group, AP-Site-3

Resulting AP settings:
• Site-2: WLC IP WLC-2a, AP name Site-2-AP, AP mode Local, AP group Site-2-Group
• Site-3: WLC IP WLC-3a, AP name Site-3-AP, AP mode FlexConnect, AP group Site-3-Group

APIC-EM Plug-n-Play (PnP) for secure provisioning of access points

• The AP discovers APIC-EM through DHCP option 43 or by DNS resolution of pnpserver.<dhcp-domain-option>.
• AP SN #123 is listed in a project: APIC-EM returns its configuration file (WLC IP, Berlin AP group, etc.) and the AP joins the WLC.
• AP SN #456 is not in any project list: it goes to the claim list and waits for an administrator.

AP PnP Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html

Securing the AP-WLC communication: Default AP Group and WLAN Id > 16

WLANs with Id 1-16 are automatically part of the default AP group, so every AP that is not assigned to a specific group broadcasts them. WLANs with Id 17 and above are only broadcast by the AP groups they are explicitly added to (e.g. Berlin), which keeps a freshly joined AP from advertising them.

Wireless connection workflow: endpoint, AP and WLC (CAPWAP control on UDP 5246, data on UDP 5247)

1. Probe Request / Probe Response (the probe request is forwarded to the WLC).
2. 802.11 Authentication Request / Response: open-system authentication, which is not the 802.1X authentication and is also present in the PSK case.
3. (Re)Association Request / Response.
4. 802.1X phase, if enabled.
5. EAPoL-Key exchange (4-way handshake) for PSK or 802.1X.
6. Other identity services.

IDS/wIPS focus on the 802.11 part of this exchange.

AP control at the access layer: a few words on 802.1X

Supplicant <-- EAP over LAN (EAPoL), Layer 2 point-to-(multi)point --> Authenticator <-- RADIUS, Layer 3 link --> Authentication server

Beginning:
• EAPoL-Start
• EAPoL Request Identity
• EAP-Response Identity: Printer -> RADIUS Access-Request [AVP: EAP-Response: Printer]

Middle (multiple challenge/request exchanges possible):
• RADIUS Access-Challenge [AVP: EAP-Request: EAP-FAST] -> EAP-Request: EAP-FAST
• EAP-Response: EAP-FAST -> RADIUS Access-Request [AVP: EAP-Response: EAP-FAST]

End:
• RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] -> EAP Success

AP control at the access layer: 802.1X credentials for the AP *

The AP acts as the supplicant towards the switch (authenticator) and the RADIUS server. The credentials are set on the AP:

  AP# capwap ap dot1x username [USER] password [PWD]

* Not supported today on 1800/2800/3800 APs.

AP control at the access layer: the FlexConnect challenge

A FlexConnect AP "needs" a trunk port, while 802.1X (usually) needs an access port:

  interface GigabitEthernet1/0/1
   switchport access vlan 100
   switchport mode access
   authentication port-control auto
   dot1x pae authenticator
   ...

AP control at the access layer: the FlexConnect challenge, solved with an interface template

AP: "Here I am." Switch to RADIUS: "What do you think?" RADIUS: "Accept. Here is the interface template *." (* requires IOS 15.2(2)E; see LABSEC-2004)

The RADIUS Access-Accept carries the template name:

  cisco-av-pair=interface-template-name=FLEXCONNECT_AP_TRUNK_TEMPLATE

The switch applies the template only after the AP has authenticated; until then the port keeps its access-port configuration:

  template FLEXCONNECT_AP_TRUNK_TEMPLATE
   switchport trunk native vlan 100
   switchport trunk allowed vlan 100,110,120,130
   switchport mode trunk
   spanning-tree portfast trunk

Security and Threat Mitigation


Security and Threat Mitigation

• Radio roles: 5 GHz serving, 2.4 GHz serving, 5/2.4 GHz monitor. Enabled by dual 5 GHz (2800/3800 XOR radio with FRA) to adjust radio bands to better serve the environment.
• P2P blocking
• Client exclusion
• aWIPS, ELM (local, monitor, security module)
• Rogue detection
• Cisco CleanAir: off-channel scanning, classification, EDRRM
• TKIP encryption (8.3 MR1)

wIPS Process Flow and Component Interactions

• Base wIPS: components are WLC, AP and Prime Infrastructure (optional). Supports 17 native signatures, rogue detection and containment. Does not require any licensing.
• Adaptive wIPS: components are WLC, AP, MSE 8.x and Prime Infrastructure. Offers comprehensive over-the-air threat detection and mitigation. Licensed feature on the MSE.

Cisco wIPS solution = Base wIPS + Adaptive wIPS

Intrusion Detection System (IDS)

• It works with basic WLC+AP.

• 17 pre-canned signatures.

• Additional custom signatures are supported.


aWIPS: Accurate Detection and Mitigation

• Detection: device inventory analysis, signature and anomaly detection, network traffic analysis, on/off-channel scanning. Threats: rogue APs/clients, ad-hoc connections, over-the-air attacks (cracking, reconnaissance, DoS).
• Classification: default tuning profiles; customizable event auto-classification; wired-side tracing; physical location.
• Notification: unified PI security dashboard; flexible staff notification; device location.
• Mitigation: wired port disable; over-the-air mitigation; auto or manual; uses all APs for superior scale.
• Management: role-based with audit trails; customizable event reporting; PCI reporting; full event forensics.

Wireless Intrusion Prevention System (wIPS): threats it addresses

• Denial of service: service disruption.
• Evil twin / honeypot AP: the attacker's AP impersonates ours.
• Reconnaissance: seeking network vulnerabilities.
• Cracking tools: sniffing and eavesdropping.
• Non-802.11 attacks: backdoor access or service disruption from Bluetooth APs, radar, RF jammers and microwaves; detected by CleanAir and tracked by the MSE.
• Ad-hoc wireless bridge: client-to-client backdoor access.
• Rogue access points.

wIPS with Cisco Mobility Services Engine (MSE) 8.0: the APs report to their WLCs, the WLCs feed the MSE, and Prime Infrastructure talks to the MSE over SOAP/XML over HTTP/HTTPS.

IDS and wIPS Signatures: IDS signatures run on the WLC, wIPS signatures on the MSE.

Supported AP modes for wIPS

Depending on the AP mode, the AP serves data on 2.4 and 5 GHz (or on 5 GHz only) while wIPS covers all channels, in some modes on a "best effort" basis.

Cisco Adaptive wIPS Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43500

Cisco Wireless Security Deployment with AP3800/2800 Maintains Capacity and Avoids Interference

Good: Enhanced Local Mode (ELM)
• Deployment density: every AP
• Client serving with security monitoring: yes
• wIPS security monitoring: 50 ms off-channel scans on selected channels on 2.4 and 5 GHz
• CleanAir spectrum intelligence: 7x24 on the client-serving channel

Better: Monitor Mode AP
• Deployment density: 1 in 5 APs
• Client serving with security monitoring: no
• wIPS security monitoring: 7x24, all channels on 2.4 and 5 GHz
• CleanAir spectrum intelligence: 7x24, all channels on 2.4 and 5 GHz

Best: ELM with FRA monitor mode
• Deployment density: 1 radio per 5 APs
• Client serving with security monitoring: yes
• wIPS security monitoring: 7x24, all channels on 2.4 and 5 GHz
• CleanAir spectrum intelligence: 7x24, all channels on 2.4 and 5 GHz

(Figure: the ELM AP stays on its serving channel and goes off-channel for short dwells; the monitor-mode AP and the FRA monitor radio cycle continuously through all 2.4 GHz channels (1, 2 … 11) and 5 GHz channels (36, 38 … 157, 161).)

Rogue Access PointsWhat are they?

• A rogue AP is an AP that does not belong to our deployment.

• We might need to care (malicious/on network) or not (friendly).

• Sometimes we can disable them, sometimes we can mitigate them.

“I don’t know it.” “Me neither.”


Rogue Detection and Mitigation

Scanning: a data-serving AP serves clients on 2.4 and 5 GHz and goes 50 ms off-channel at a time; a monitor-mode AP scans 1.2 s per channel; with FRA and a monitor-mode radio, clients are served on the dedicated 5 GHz radio while the other radio scans 1.2 s per channel.

• Rogue classification and containment: rogue rules; manual classification (friendly/malicious); manual and auto containment.
• CleanAir with rogue AP types: WiFi Invalid Channel, WiFi Inverted.
• Rogue location: real time with PI, MSE and CleanAir; location of rogue APs and clients, ad-hoc rogues and non-Wi-Fi interferers.

Rogue AP Detection: Rogue Rules in the WLC and General Options (WLC screenshot).

Containing Multiple Rogues with a Single Click

• Since 7.4, the WLC allows manual containment of multiple rogue APs in a single click.
• Rogues are classified and the admin is alerted; the admin can then initiate containment in a single click.
• The AP nearest to the rogue AP sends the containment packets to the rogue AP.
• Rogue clients per rogue AP increased from 16 to 256 (the 2504 supports 64 rogue clients per rogue AP).

Step 0: create the rogue policy. Step 1: select the rogues (select all). Step 2: click [Contain] (contain all).

Policy Based Auto Containment

• Custom rogue policy lets the administrator define multiple custom rogue policies, each including an automated action.
• Based on the administrative rogue rule policy, a rogue AP/client can be automatically classified as internal or external rogue and can trigger auto-containment.

Rule types (notify/action; custom severity):
• Friendly: alert, internal, external; no custom severity.
• Malicious: alert, contain; no custom severity.
• Custom: alert, contain; custom severity yes (1…100).

Step 1: create a rogue rule with containment action. Step 2: the filtered rogue list is automatically contained.
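An added example, not Cisco code, of the rogue-rule evaluation the table above describes: rules with conditions, a classification, a custom severity and an action, evaluated in priority order over observed rogues, with the invariants of the table enforced (custom severity 1…100, friendly rogues are never contained). The managed SSIDs, friendly OUIs, rules and observations are assumptions made up for the example; the condition names mirror the WLC's rogue rule conditions but the matching semantics are this example's own.

```python
"""Rogue-rule classification in the shape of the WLC rogue rule table: each
rule has conditions, a match-all/match-any switch, a classification (friendly,
malicious, custom), a custom severity (1..100) and an action (alert or contain).
Rules are evaluated in priority order; the first match wins.

Added example, not Cisco code. MANAGED_SSIDS, FRIENDLY_OUIS, the rules and the
observed rogues are constructed for illustration.
"""
from dataclasses import dataclass, field

MANAGED_SSIDS = {"ACME-Corp", "ACME-Guest"}   # assumed: our own WLANs
FRIENDLY_OUIS = {"00:1a:2b"}                  # assumed: a neighbour's AP vendor prefix


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int
    encrypted: bool
    clients: int = 0
    on_wired_network: bool = False   # as reported by RLDP, rogue detector or switch port tracing


@dataclass
class Rule:
    name: str
    classification: str     # "friendly" | "malicious" | "custom"
    action: str             # "alert" | "contain"
    conditions: dict = field(default_factory=dict)
    match_all: bool = True
    severity: int = 0       # custom rules only, 1..100
    state: str = ""         # friendly rules may add "internal" / "external"
    priority: int = 100     # lower value is evaluated first

    def __post_init__(self):
        if self.classification == "custom" and not 1 <= self.severity <= 100:
            raise ValueError(f"rule {self.name}: custom severity must be 1..100")
        if self.classification == "friendly" and self.action == "contain":
            raise ValueError(f"rule {self.name}: friendly rogues are never contained")

    def matches(self, rogue):
        tests = {
            "managed_ssid": lambda v: (rogue.ssid in MANAGED_SSIDS) is v,
            "ssid_substring": lambda v: v.lower() in rogue.ssid.lower(),
            "min_rssi": lambda v: rogue.rssi_dbm >= v,          # at least as strong as v dBm
            "no_encryption": lambda v: (not rogue.encrypted) is v,
            "min_clients": lambda v: rogue.clients >= v,
            "friendly_oui": lambda v: (rogue.bssid.lower()[:8] in FRIENDLY_OUIS) if v else True,
            "on_wire": lambda v: rogue.on_wired_network is v,
        }
        results = [tests[name](value) for name, value in self.conditions.items()]
        return all(results) if self.match_all else any(results)


def classify(rogue, rules):
    """Return (rule name, classification, state, severity, action) for the first matching rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(rogue):
            return (rule.name, rule.classification, rule.state, rule.severity, rule.action)
    return ("default", "unclassified", "", 0, "alert")


RULES = [
    # our own SSID name on a BSSID we do not own: evil twin, contain it
    Rule("evil-twin", "malicious", "contain", {"managed_ssid": True}, priority=1),
    # anything proven to be on our wire is a security problem regardless of SSID
    Rule("wired-rogue", "malicious", "contain", {"on_wire": True}, priority=2),
    # strong, open AP nearby: flag loudly but do not contain a device we cannot attribute
    Rule("open-strong", "custom", "alert", {"no_encryption": True, "min_rssi": -65},
         severity=80, priority=10),
    # known neighbour vendor prefix: friendly, external
    Rule("neighbour", "friendly", "alert", {"friendly_oui": True}, state="external", priority=50),
]

# Constructed observations (not real data)
SEEN = [
    Rogue("de:ad:be:ef:00:01", "ACME-Corp", -55, True, clients=3),
    Rogue("00:1a:2b:44:55:66", "CoffeeShop", -82, True),
    Rogue("66:77:88:99:aa:bb", "iPhone", -50, False, clients=1),
    Rogue("c0:ff:ee:00:00:01", "linksys", -70, True, on_wired_network=True),
    Rogue("12:34:56:78:9a:bc", "Guest-5G", -85, True),
]


def classify_all(rogues=SEEN, rules=RULES):
    return {r.bssid: classify(r, rules) for r in rogues}


if __name__ == "__main__":
    for bssid, verdict in classify_all().items():
        print(bssid, verdict)
```

The priority order is what keeps an evil twin from being filed as "friendly" just because it happens to use a neighbour's vendor prefix, and the "open-strong" rule shows the custom class being used for alert-only triage at high severity rather than for containment.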


Rogue AP Detection: Rogue Location Discovery Protocol (RLDP)

The detecting AP associates to the rogue AP as a client, obtains an IP address through it and sends an RLDP message (UDP 6352) towards the WLC. If the WLC receives that message, the rogue is connected to our wired network.

Caveats:
• it only works if the rogue SSID is open;
• it does not work if the RLDP message gets filtered;
• while trying to associate to the rogue AP, the RLDP AP stops serving clients (up to 30 secs).

Rogue AP Detection: Rogue Detector mode

A rogue detector AP is connected to a trunk carrying all monitored VLANs (WLC, AP, client, etc.) and listens for ARP frames on the wire; when the sender MAC of an ARP matches a rogue client MAC learned over the air, the rogue is flagged as being on the wired network.

Caveats:
• it only works if the rogue client's MAC is not behind NAT;
• it supports up to 500 rogue MACs.

Config. guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html

Rogue AP Detection: Switch Port Tracing

Prime Infrastructure walks the wired side from the detecting AP's switch: CDP neighbors, the CAM table, then the CAM table of the next hop, until it finds the port where the rogue's MAC is learned.

CleanAir (figure sequence): APs on channels 1, 6 and 11 managed by RRM; CleanAir detects an interferer on one AP's channel (marked X) and RRM moves that AP to a clean channel.

Event Driven RRM (EDRRM)

EDRRM triggers an immediate channel change when the CleanAir Air Quality index on the serving channel drops below the sensitivity threshold: High sensitivity, Air Quality ≤ 60; Medium, Air Quality ≤ 50; Low, Air Quality ≤ 35.

Rogue AP duty-cycle contribution to Air Quality is available as of AireOS 8.1.

CleanAir detectable attacks: some examples

Layering: traditional IDS/IPS covers layers 3-7 (IP and application attacks and exploits); wIPS covers layer 2 (Wi-Fi protocol attacks and exploits); CleanAir covers layer 1 (RF signaling attacks and exploits) and is dedicated to L1 exploits.

• Rogue threats: "undetectable" rogues (e.g. on invalid or inverted channels).
• Wi-Fi jammers: "classic" interferers, on 2.4 GHz and 5 GHz.

See BRKEWN-3010.

Recap of Cisco wIPS

• Detecting extensive DoS attacks and security penetration: Base wIPS + Adaptive wIPS.
• Locating rogue APs, attackers and victims.
• Manual or fixed auto containment policy for rogue AP/client.
• Comprehensive wired rogue detection algorithm using Auto SPT, RLDP or Rogue Detector AP.

Which wired-rogue method applies:
• Open / wired / NATed rogue AP: RLDP or rogue detector ("magic packet" received by the WLC).
• Encrypted / wired rogue AP: Ethernet MAC inferred from the BSSID (+/- 1 or 2, same OUI), then SNMP / Auto SPT from Prime Infrastructure.
• Locating, tracking and tracing rogue APs: MSE.
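Two of the wired-rogue checks in the recap, rogue detector ARP matching and the +/-1 or 2 Ethernet MAC inference, written out as an added example (not Cisco's implementation). It also shows the two caveats from the rogue detector slide: a client behind a NATing rogue AP never appears on the wire, and only a bounded number of rogue MACs is tracked. The ARP lines, rogue lists and switch MAC-table entries are constructed.

```python
"""Correlate rogues seen over the air with MAC addresses seen on the wire.

Two of the wired-rogue checks in the recap, as an added example (not Cisco's
implementation):
1. rogue detector: sender MACs of ARP frames on the trunk are compared with the
   rogue client MACs learned over the air (misses clients behind a NATing rogue
   AP, and the detector tracks a bounded number of rogue MACs, 500 on the WLC);
2. Ethernet MAC inference: a rogue AP's wired MAC usually sits within +/-1 or 2
   of its BSSID in the same OUI, so those candidates are looked up in the
   switches' MAC address tables.
The ARP lines, rogue lists and MAC-table entries below are constructed.
"""
import re

ARP_LINE = re.compile(r"vlan=(?P<vlan>\d+)\s+sender=(?P<mac>[0-9a-f:]{17})\s+ip=(?P<ip>\S+)")


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(value):
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def candidate_wired_macs(bssid, spread=2):
    """BSSID +/- spread, wrapping inside the 24-bit NIC part so the OUI never changes."""
    base = mac_to_int(bssid)
    oui, nic = base >> 24, base & 0xFFFFFF
    return {int_to_mac((oui << 24) | ((nic + d) & 0xFFFFFF)) for d in range(-spread, spread + 1)}


def parse_arp_log(lines):
    """(vlan, sender MAC, sender IP) tuples from constructed 'vlan=.. sender=.. ip=..' lines."""
    seen = []
    for line in lines:
        m = ARP_LINE.search(line.lower())
        if m:
            seen.append((int(m["vlan"]), m["mac"], m["ip"]))
    return seen


def rogue_detector(rogue_client_macs, arp_lines, max_tracked=500):
    """Rogue clients whose MAC shows up as ARP sender on the wire, plus the rogue
    MACs that were not tracked at all because the detector's table was full."""
    tracked = list(rogue_client_macs)[:max_tracked]
    dropped = list(rogue_client_macs)[max_tracked:]
    on_wire = {}
    for vlan, mac, ip in parse_arp_log(arp_lines):
        if mac in tracked:
            on_wire[mac] = (vlan, ip)
    return on_wire, dropped


def infer_wired_rogue_aps(rogue_bssids, switch_mac_table, spread=2):
    """Map BSSID -> (wired MAC, switch port) when a +/-spread neighbour of the BSSID
    appears in the switches' MAC address tables (dict MAC -> port)."""
    found = {}
    for bssid in rogue_bssids:
        for cand in sorted(candidate_wired_macs(bssid, spread)):
            if cand in switch_mac_table:
                found[bssid] = (cand, switch_mac_table[cand])
                break
    return found


# Constructed data (not a real capture)
ROGUE_CLIENTS = ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"]
ARP_LOG = [
    "vlan=110 sender=aa:bb:cc:dd:ee:01 ip=10.1.110.23",    # rogue client bridged onto our VLAN
    "vlan=110 sender=00:50:56:11:22:33 ip=10.1.110.5",     # an ordinary host
    # client ee:02 sits behind a NATing rogue AP: only the AP's own MAC reaches the wire
    "vlan=120 sender=c0:ff:ee:00:00:fe ip=10.1.120.9",
]
ROGUE_BSSIDS = ["c0:ff:ee:00:00:ff", "12:34:56:ff:ff:ff"]
SWITCH_MAC_TABLE = {"c0:ff:ee:00:00:fe": "Gi1/0/7", "12:34:56:00:00:01": "Gi2/0/3"}

if __name__ == "__main__":
    print(rogue_detector(ROGUE_CLIENTS, ARP_LOG))
    print(infer_wired_rogue_aps(ROGUE_BSSIDS, SWITCH_MAC_TABLE))
```

The NATed case is the one to remember: the rogue detector sees c0:ff:ee:00:00:fe on VLAN 120 but has no rogue client MAC to match it against, so only the BSSID-offset inference (or RLDP through the open SSID) ties that wired MAC back to the rogue AP seen over the air.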


Management Frame Protection (MFP)

• Infrastructure MFP adds a Message Integrity Check (MIC) to the management frames each AP sends, so that the other APs of the enterprise network can detect forged management frames carrying its BSSID.
• Client MFP encrypts management frames exchanged with associated/authenticated clients; the client must support it (CCXv5).

IEEE 802.11w Protected Management Frames (PMF)

• Client protection: additional cryptography for deauthentication and disassociation frames (unicast robust management frames are encrypted with the pairwise key; broadcast ones carry a BIP integrity check), so a forged deauth can no longer drop a client.
• Infrastructure protection: the Security Association (SA) teardown protection mechanism (SA Query), so a forged (re)association request cannot tear down an existing association.

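As an added example tying the IDS slide (17 pre-canned signatures on the WLC) to the 802.11w slide above: detection logic over 802.11 management frames that flags a deauthentication flood and an unprotected deauth aimed at a client that negotiated PMF. It is not Cisco's signature engine; the flood threshold and window, the BSSIDs, client MACs and frames are constructed for the example.

```python
"""Two detections over 802.11 management frames, fed from a monitor-mode capture.

1. Deauthentication/disassociation flood: many such frames from one source for
   one BSSID inside a short window (the WLC's standard IDS signature set has a
   deauth flood entry; the threshold here is an assumption).
2. Spoofed deauth against a PMF client: once 802.11w is negotiated, the AP sends
   unicast deauth/disassoc frames encrypted (Protected Frame bit set), so an
   unprotected one claiming our BSSID is forged.
Frames are constructed with build_mgmt(); this is not a capture and not Cisco's engine.
"""
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
FLAG_PROTECTED = 0x40          # second Frame Control byte, bit 6
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _unmac(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_mgmt(frame):
    """Header fields of a deauth/disassoc frame; None for any other frame."""
    if len(frame) < 26:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    protected = bool(fc1 & FLAG_PROTECTED)
    return {
        "subtype": "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc",
        "protected": protected,
        "da": _mac(frame[4:10]), "sa": _mac(frame[10:16]), "bssid": _mac(frame[16:22]),
        # the reason code is only readable when the body is not encrypted
        "reason": None if protected else struct.unpack("<H", frame[24:26])[0],
    }


def build_mgmt(subtype, da, sa, bssid, reason=7, protected=False):
    """Construct a minimal management frame (for the samples below, not a capture)."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)
    fc1 = FLAG_PROTECTED if protected else 0
    body = b"\x00" * 10 if protected else struct.pack("<H", reason)   # encrypted body is opaque
    return (bytes([fc0, fc1]) + b"\x00\x00" + _unmac(da) + _unmac(sa) + _unmac(bssid)
            + b"\x00\x00" + body)


class DeauthDetector:
    def __init__(self, our_bssids, pmf_clients, flood_threshold=10, window_s=1.0):
        self.our_bssids = set(our_bssids)
        self.pmf_clients = set(pmf_clients)    # clients that negotiated 802.11w with our APs
        self.threshold, self.window = flood_threshold, window_s
        self.history = defaultdict(deque)      # (sa, bssid) -> recent timestamps
        self.flooded = set()                   # keys already reported, to alert once

    def observe(self, ts, frame):
        """Feed one frame with its capture timestamp (seconds); return alert strings."""
        info = parse_mgmt(frame)
        if info is None:
            return []
        alerts = []
        key = (info["sa"], info["bssid"])
        recent = self.history[key]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold and key not in self.flooded:
            self.flooded.add(key)
            alerts.append(f"{info['subtype']} flood: {len(recent)} frames from {info['sa']} "
                          f"for BSSID {info['bssid']} within {self.window}s")
        # Only unicast frames are judged here: group-addressed deauths under PMF are
        # integrity-protected with a BIP MMIE rather than the Protected Frame bit.
        if (info["bssid"] in self.our_bssids and info["da"] in self.pmf_clients
                and not info["protected"]):
            alerts.append(f"spoofed unprotected {info['subtype']} to PMF client {info['da']} "
                          f"claiming BSSID {info['bssid']}")
        return alerts


OUR_AP, PMF_CLIENT = "00:11:22:33:44:55", "aa:bb:cc:00:00:01"


def sample_alerts():
    """Run the detector over constructed frames: one legitimate protected deauth,
    one spoofed unprotected deauth, then a 12-frame broadcast deauth flood."""
    det = DeauthDetector(our_bssids=[OUR_AP], pmf_clients=[PMF_CLIENT])
    frames = [(0.00, build_mgmt(SUBTYPE_DEAUTH, PMF_CLIENT, OUR_AP, OUR_AP, protected=True)),
              (0.10, build_mgmt(SUBTYPE_DEAUTH, PMF_CLIENT, OUR_AP, OUR_AP, reason=7))]
    frames += [(1.0 + i * 0.02, build_mgmt(SUBTYPE_DEAUTH, BROADCAST, OUR_AP, OUR_AP))
               for i in range(12)]
    return [alert for ts, frame in frames for alert in det.observe(ts, frame)]
```

The spoof check is only as good as the pmf_clients list, which on a real deployment comes from the association records (the RSN capabilities negotiated at association time), and it deliberately stays silent on broadcast frames, where the forgery evidence is a missing or invalid MMIE rather than a cleared Protected Frame bit.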

Service Ready Feature Highlights

Local profiling; Bonjour and Apple services; solution-level attack protection; AVC / NetFlow; 802.1X; WebAuth; guest access; MAC auth; BYOD; NAC RADIUS; local policy with AVC and Umbrella; AAA override (VLAN, ACL, QoS); TrustSec SXP and inline tagging; OKC and CCKM roaming; Cisco Umbrella URL filtering.

Securing Client Access


Identity Awareness: choose the access control method

Endpoints: authorized users, IP phones, tablets, network devices, guests, IoT devices.

Authentication features: 802.1X, Identity PSK, MAC Auth Bypass, Web Authentication.

IEEE 802.1X

Supplicant <-- EAP over LAN (EAPoL), Layer 2 point-to-point --> Authenticator <-- RADIUS, Layer 3 link --> Authentication server

Beginning:
• EAPoL-Start
• EAPoL Request Identity
• EAP-Response Identity: Alice -> RADIUS Access-Request [AVP: EAP-Response: Alice]

Middle (multiple challenge/request exchanges possible):
• RADIUS Access-Challenge [AVP: EAP-Request: PEAP] -> EAP-Request: PEAP
• EAP-Response: PEAP -> RADIUS Access-Request [AVP: EAP-Response: PEAP]

End:
• RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] -> EAP Success

EAP Authentication Types: different authentication options leveraging different credentials

• Tunnel-based (EAP-PEAP, EAP-FAST), with inner methods EAP-GTC, EAP-TLS or EAP-MSCHAPv2. Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. The tunnel provides security for the inner method, which may be vulnerable by itself; that protection only holds if the supplicant validates the server certificate, otherwise a rogue RADIUS server behind an evil-twin AP can terminate the tunnel and collect the inner MSCHAPv2 exchange.
• Certificate-based (EAP-TLS): for more security, EAP-TLS provides mutual authentication of both the server and the client.

RADIUS Change of Authorization (CoA)

• The RADIUS protocol is initiated by the network device (NAD): once the Access-Accept is sent, ISE has no way to change the authorization.
• With CoA the network device also listens for CoA requests from ISE (UDP 1700 by default on Cisco devices, 3799 in RFC 5176) and can: re-authenticate the session; terminate the session; terminate the session with port bounce; disable the host port.

"Now I can control ports when I want to!" On IOS the NAD must be told which servers may send CoA, and with which key:

  (config)#aaa server radius dynamic-author
   client {PSN} server-key {RADIUS_KEY}

RADIUS Change of Authorization (CoA): re-authentication

Supplicant <-- EAPoL, Layer 2 point-to-(multi)point --> Authenticator <-- RADIUS, Layer 3 link --> Authentication server

Change of authorization:
• RADIUS CoA-Request [VSA: subscriber:reauthenticate] from the authentication server to the authenticator
• RADIUS CoA-Ack

Re-authentication:
• EAPoL Request Identity
• EAP-Response Identity: Alice -> RADIUS Access-Request [AVP: EAP-Response: Alice]
• RADIUS Access-Challenge [AVP: EAP-Request: PEAP] -> EAP-Request: PEAP
• EAP-Response: PEAP -> RADIUS Access-Request [AVP: EAP-Response: PEAP]
• multiple challenge/request exchanges possible

Identity PSK (AireOS 8.5 release)

Increased demand for IoT devices calls for identity security without 802.1X: high scale, cost effective, simple operations.
• Private PSK with RADIUS integration
• Per-client AAA override (VLAN / ACL, QoS etc.)

Identity PSK: how it works

A PSK WLAN with MAC filtering and AAA override enabled. The RADIUS server looks up the device MAC and returns the private PSK for its group; devices without a private PSK (employees) use the WLAN PSK.

Device MAC group -> private PSK:
• IoT devices: aabbcc
• Sensors: xxyyzz
• Employees: --- (WLAN PSK)

RADIUS attributes returned for an IoT device:

  Cisco-AVPair += "psk-mode=ascii"
  Cisco-AVPair += "psk=aabbcc"

and for a sensor:

  Cisco-AVPair += "psk-mode=ascii"
  Cisco-AVPair += "psk=xxyyzz"
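An added example, not ISE or AireOS code, of the RADIUS plumbing behind the CoA slides and the Identity PSK slide: how a CoA-Request is built on the server and, more importantly for the NAD, how the WLC must verify it before re-authenticating or terminating a session, plus the Cisco-AVPair encoding that carries psk-mode/psk here (and interface-template-name or avc-profile-name elsewhere in the deck). The shared secret, packet identifier and session attributes are assumed values.

```python
"""RADIUS CoA-Request (RFC 5176) as the server sends it and as the NAD must verify
it, plus the Cisco vendor-specific attributes the slides rely on.

Added example (not ISE or AireOS code). Shared secret, identifier and session
attributes are assumed; the av-pair strings follow the deck
("subscriber:command=reauthenticate", "psk-mode=ascii"/"psk=...",
"interface-template-name=...", "avc-profile-name=...").
"""
import hashlib
import hmac
import struct

CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 26, 31, 44
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific attribute (26) carrying one cisco-av-pair (vendor 9, type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(blob):
    out, i = [], 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def decode_avpairs(blob):
    pairs = []
    for atype, value in parse_attrs(blob):
        if atype == ATTR_VENDOR_SPECIFIC and len(value) > 4 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            pairs += [sv.decode() for st, sv in parse_attrs(value[4:]) if st == CISCO_AVPAIR]
    return pairs


def build_coa_request(secret, ident, session_attrs, command="reauthenticate"):
    """Server side. Message-Authenticator = HMAC-MD5(secret, packet with a zeroed
    authenticator and zeroed Message-Authenticator); then Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    attrs = b"".join(session_attrs) + cisco_avpair(f"subscriber:command={command}")
    with_zero_ma = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    ma = hmac.new(secret, _packet(CODE_COA_REQUEST, ident, b"\x00" * 16, with_zero_ma), hashlib.md5).digest()
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, ma)
    req_auth = hashlib.md5(_packet(CODE_COA_REQUEST, ident, b"\x00" * 16, attrs) + secret).digest()
    return _packet(CODE_COA_REQUEST, ident, req_auth, attrs)


def verify_coa_request(secret, packet):
    """NAD side. Return {'ident', 'avpairs'} for an authentic CoA-Request, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_COA_REQUEST or length != len(packet):
        return None
    authenticator, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(_packet(code, ident, b"\x00" * 16, attrs) + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return None
    try:
        parsed = parse_attrs(attrs)
    except ValueError:
        return None
    offset, i = None, 0                       # locate the Message-Authenticator (required here)
    for atype, value in parsed:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            offset = i + 2
        i += 2 + len(value)
    if offset is None:
        return None
    zeroed = attrs[:offset] + b"\x00" * 16 + attrs[offset + 16:]
    mac = hmac.new(secret, _packet(code, ident, b"\x00" * 16, zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(mac, attrs[offset:offset + 16]):
        return None
    return {"ident": ident, "avpairs": decode_avpairs(attrs)}


def coa_response(secret, request, ack=True):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret)."""
    code = CODE_COA_ACK if ack else CODE_COA_NAK
    ident, req_auth = request[1], request[4:20]
    return _packet(code, ident, hashlib.md5(_packet(code, ident, req_auth, b"") + secret).digest(), b"")


def ipsk_authorization(psk):
    """Attributes an Access-Accept carries for a MAC-filtered Identity PSK device."""
    return cisco_avpair("psk-mode=ascii") + cisco_avpair(f"psk={psk}")


SECRET = b"r4d1us-s3cr3t"   # assumed shared secret between the PSN and the WLC
SESSION = [attr(ATTR_CALLING_STATION_ID, b"aa-bb-cc-dd-ee-01"), attr(ATTR_ACCT_SESSION_ID, b"5a1b2c3d")]

if __name__ == "__main__":
    req = build_coa_request(SECRET, 7, SESSION)
    print(verify_coa_request(SECRET, req))           # authentic: the av-pairs to act on
    print(verify_coa_request(b"wrong-secret", req))  # None: do not act on it
    print(decode_avpairs(ipsk_authorization("aabbcc")))
```

The verification order matters: a CoA-Request whose Request Authenticator or Message-Authenticator fails under the shared secret must be discarded (RFC 5176 says silently) rather than acted upon, otherwise anyone who can reach UDP 1700 on the WLC can bounce or re-authenticate sessions at will. The same cisco_avpair() encoding is what carries the iPSK per-device key, so a weak RADIUS shared secret also exposes every private PSK returned in Access-Accepts.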


Local Web Authentication (LWA)

0. Optional: MAB and/or 802.1X on the SSID.
1. SSID configured with WebAuth.
2. Pre-webauth ACL applied to the client.
3. Host acquires an IP address (DHCP/DNS), which triggers the session state.
4. Host opens a browser, is redirected to the login page and sends its password.
5. WLC queries the AAA server (ISE); the server authorizes the user and returns the policy.
6. WLC applies the new WebAuth (L3) policy.

LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC.

Central Web Authentication (CWA)

1. Open SSID with MAC filtering enabled.
2. First authentication session: MAB; AuthC succeeds and the AuthZ for the unknown MAC is returned: redirect/filter ACL and portal URL.
3. Host acquires an IP address (DHCP/DNS), which triggers the session state.
4. Host opens a browser; the WLC redirects it to the ISE web page.
5. Host sends username/password on the ISE login page; web auth success results in a CoA to the WLC.
6. MAB re-auth; MAB success.
7. Session lookup on ISE, policy matched; the authorization ACL/VLAN is returned.

CENTRAL because the redirection URL and the pre-webauth ACL are centrally configured on ISE and communicated to the WLC via RADIUS.

Other URL-Redirect scenarios (posture, MDM, etc.)

1. SSID configured for 802.1X / MAB.
2. First authentication session: AuthC success; AuthZ returned: redirect/filter ACL and the URL for posture/MDM/etc.
3. Host acquires an IP address (DHCP/DNS), which triggers the session state.
4. Host opens a browser; the WLC redirects it to ISE for the other services.
5. Posture check, MDM check, client provisioning, etc.; then a RADIUS CoA.
6. 802.1X/MAB re-auth; 802.1X/MAB success.
7. Session lookup, policy matched; the authorization ACL/VLAN is returned.

CWA is one URL-Redirect scenario. Thanks to RADIUS CoA we can apply other identity services after 802.1X, MAB or WebAuth.

Secure Network Services


How about policies?

Differentiating user groups.

Keeping untrusted devices out.

Basic access vs. Full access


Different wired and wireless security leaves you vulnerable to risk and malicious activity. The latest Cisco wireless minimizes risk and works with switching and routing for end-to-end validation.

Network policy enforcement, network as a sensor and enforcer:
1. Access policy created on Identity Services Engine.
2. Authorized user accepts policy.
3. Network validates activity, serving as a sensor and policy enforcer.

Cisco Identity Services Engine (ISE)

ISE consolidates what used to be ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server:
• Centralized policy
• RADIUS server
• Posture assessment
• Guest access services
• Device profiling
• Client provisioning
• MDM
• Monitoring and troubleshooting
• SIEM integration
• Device admin / TACACS+

See BRKSEC-3697 and BRKSEC-3699.

Authentication and Authorization: what are they?

Authentication (802.1X / iPSK / MAB / WebAuth) tells who or what the endpoint is. Authorization tells what the endpoint has access to.

ISE Policy Rules

1. Authentication rules define which identity stores to reference, e.g. Active Directory, CA server, internal DB, etc.
2. Authorization rules define what users and devices get access to, e.g. all employees with Windows laptops have full access.

Guests and BYOD, can’t hide...


Role-based application policy
• Alice (user) and Bob (IT admin) are both employees.
• Both Alice and Bob are connected to the same SSID.
• Bob can access certain applications (YouTube), Alice cannot.

Role-based + device type application policy
• Alice can access inventory info on an IT-provisioned Windows laptop.
• Alice cannot access inventory info on her personal iPad.

Role-based + device type + application-specific policy
• Alice has limited access (rate limit) to Jabber on her iPhone.

AVC timeline by AireOS release:
• 7.4: AVC
• 7.5: dynamic protocol pack update
• 7.6: Jabber, Lync 2013 support
• 8.0: user- and device-aware policies; ability to classify Apple iOS, Windows, Android upgrades; per user-group, per device policy tie-in to AVC
• 8.1: user- and device-aware policies; ability to classify Apple iOS, Windows, Android upgrades
• 8.2: Wi-Fi calling; Skype for Business; UserId + IP flow for NetFlow export; Lancope collector

AVC (Application Visibility and Control): per-user profiles via AAA

The RADIUS server returns the AVC profile to apply with the user's authorization, and the WLC enforces it per client:

  cisco-av-pair = avc-profile-name = AVC-Employee
  cisco-av-pair = avc-profile-name = AVC-Contract

(Figure: the employee profile lists YouTube, Facebook, Skype and BitTorrent; the contractor profile lists Facebook and Skype.)

WLC integration with Stealthwatch, as of AireOS 8.2 on 5520/8510/8540 WLC

The WLC exports NetFlow v9 records to Stealthwatch; when Stealthwatch detects suspicious traffic (e.g. BitTorrent), it notifies ISE over pxGrid, and ISE quarantines the client by sending a CoA to the WLC. See BRKSEC-3014.

Security Group Access (SGA): AireOS 8.3 and before, SXP peering from the WLC

Users and endpoints (802.1X, MAB, WebAuth, agent-less devices) are classified by ISE with a Security Group Tag (SGT). The WLC sends the IP-to-SGT binding table via SXP to SGT-tagging or SGACL-capable devices (e.g. Catalyst 3750-X): the WLC is the SXP speaker, the switch the listener. Frames leave the WLC untagged on VLAN 100 and are tagged (SGT=5) by the switch; the SGACL is enforced in the campus network (Catalyst 3k-X access, Cat 6500 distribution) in front of the IT portal (SGT 4, 10.1.100.10).

IP-to-SGT bindings sent by the WLC:
• 10.1.10.102: SGT 5
• 10.1.10.110: SGT 14
• 10.1.99.100: SGT 12

Example SGACL: deny sgt-src 5 sgt-dst 4

SGT = Security Group Tag, SXP = SGT eXchange Protocol, SGACL = SGT ACL.

Security Group Access (SGA) – AireOS 8.4: SXP peering from the AP (802.11ac APs)

Same authentication (802.1X, MAB, WebAuth for agent-less devices) and ISE-assigned SGT, but from 8.4 an 802.11ac AP can itself be the SXP speaker: it sends the same IP-to-SGT bindings (10.1.10.102 = 5, 10.1.10.110 = 14, 10.1.99.100 = 12) to the SXP listener in the campus network (e.g. Catalyst 3k-X), which enforces the SGACL "deny sgt-src 5 sgt-dst 4". The WLC no longer has to be the only SXP speaker for wireless bindings.


Security Group Access (SGA) – AireOS 8.4: SGT inline tagging at the WLC (5520/8540) or AP (802.11ac APs)

With inline tagging the WLC (5520/8540) or the 802.11ac AP writes the ISE-assigned SGT (SGT=5 in the figure) into the frame itself, so tagged frames enter the campus network directly. The upstream Catalyst 3k-X can then enforce the SGACL "deny sgt-src 5 sgt-dst 4" from the tag carried in the frame, without needing an SXP peering to learn the wireless bindings.


Security Group Access (SGA) – AireOS 8.4: SGACL at the WLC (5520/8540) or AP (802.11ac APs)

Enforcement can also move to the wireless infrastructure itself: ISE pushes the SGACL policy to the WLC (5520/8540) or the 802.11ac AP, which applies "deny sgt-src 5 sgt-dst 4" to the authenticated client's traffic (802.1X, MAB or WebAuth for agent-less devices) before it ever reaches the wired network. See BRKSEC-2203 and BRKSEC-3690 for TrustSec details.
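One way to see what the four SGA slides above actually decide, as an added example that is not part of the deck and not Cisco code: it loads the IP-to-SGT bindings an SXP speaker (WLC, or AP from 8.4) distributes, resolves a flow's source and destination SGTs with longest-prefix match, and applies the SGACL matrix the way an SGACL-capable switch, WLC or AP would. The three host bindings, the IT Portal at 10.1.100.10 with SGT 4 and the policy "deny sgt-src 5 sgt-dst 4" are the values on the slides; the /24 binding for the server VLAN, the second SGACL cell, the default-permit fallback and the sample flows are this example's own assumptions.

```python
"""Simulate SXP binding distribution and SGACL enforcement.

Added example, not from the Cisco Live deck and not Cisco code. Bindings,
the IT Portal (10.1.100.10, SGT 4) and "deny sgt-src 5 sgt-dst 4" are from
the SGA slides; the /24 server-VLAN binding, the (14, 4) cell, the
default-permit fallback and the sample flows are this example's assumptions.
"""
import ipaddress

# What an SXP speaker sends to a listener: prefix -> SGT. Host bindings are
# learned at 802.1X/MAB/WebAuth time from ISE; the /24 is an assumed static
# binding for the VLAN hosting the IT Portal.
SXP_BINDINGS = {
    "10.1.10.102/32": 5,
    "10.1.10.110/32": 14,
    "10.1.99.100/32": 12,
    "10.1.100.0/24": 4,    # assumed: server VLAN containing 10.1.100.10
}

# SGACL matrix: (src_sgt, dst_sgt) -> ordered ACEs (action, protocol, dport).
# "any" matches every protocol; a dport of None matches every port.
SGACL = {
    (5, 4): [("deny", "any", None)],                           # from slide
    (14, 4): [("permit", "tcp", 443), ("deny", "any", None)],  # assumed
}
DEFAULT_ACTION = "permit"   # assumed: cells without an SGACL are permitted
UNKNOWN_SGT = 0             # TrustSec reserves SGT 0 for "unknown"


class BindingTable:
    """IP-to-SGT table with longest-prefix-match lookup."""

    def __init__(self, bindings):
        nets = ((ipaddress.ip_network(p, strict=False), sgt)
                for p, sgt in bindings.items())
        # Most specific prefix first, so a /32 wins over an enclosing /24.
        self.entries = sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, sgt in self.entries:
            if addr in net:
                return sgt
        return UNKNOWN_SGT


def enforce(table, src_ip, dst_ip, proto="any", dport=None):
    """Return (action, src_sgt, dst_sgt) for one flow, as an enforcement
    point that holds the bindings and the SGACL matrix would decide it."""
    src_sgt = table.lookup(src_ip)
    dst_sgt = table.lookup(dst_ip)
    for action, ace_proto, ace_port in SGACL.get((src_sgt, dst_sgt), []):
        if ace_proto in ("any", proto) and ace_port in (None, dport):
            return action, src_sgt, dst_sgt
    return DEFAULT_ACTION, src_sgt, dst_sgt


if __name__ == "__main__":
    table = BindingTable(SXP_BINDINGS)
    for flow in [("10.1.10.102", "10.1.100.10", "tcp", 443),
                 ("10.1.10.110", "10.1.100.10", "tcp", 443),
                 ("10.1.10.110", "10.1.100.10", "tcp", 22),
                 ("10.1.99.100", "10.1.100.10", "tcp", 443)]:
        print(flow, "->", enforce(table, *flow))
```

The point the simulation makes visible: the decision depends entirely on the binding table the enforcement point holds. A stale or missing binding (an SXP session down, or an AP that has not yet learned the client) resolves to SGT 0 and silently falls into the default cell, which is why the default action and SXP session health deserve as much attention as the SGACL itself.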


Introducing Cisco Umbrella with WLC

In the figure a wireless client at customer ACME sends its DNS query; instead of being answered only by the local DNS server 10.1.1.1 (or an external DNS it proxies to), the query reaches the Cisco Umbrella cloud resolver at 208.67.220.220. Umbrella applies the policy defined for ACME, e.g. "block gaming sites", and the DNS response it returns is what the client gets, so the policy is enforced before any Internet connection is attempted.


WLC integration with Cisco Umbrella

[Figure: the WLC forwards the client's DNS query to the Cisco Umbrella cloud and relays the DNS response back to the client.]


WLC integration with OpenDNS

[Figure: DNS query and DNS response exchanged between the WLC and the Cisco Umbrella cloud.] See BRKSEC-2980 and LABSEC-2006.


OpenDNS Policy Segmentation

• Current ISR 4K implementation: site-specific policy, enforced per interface. The Corp network maps to Policy 1 and the Guest network to Policy 2, each sent to Cisco Umbrella; every client behind the same interface gets the same policy.
• Wireless controller: dynamic evaluation of attributes for access control. The identity server returns attributes for the authenticated user, and the WLC selects the Umbrella policy per identity (Contractor, Corp and Guest mapping to Policy 1, 2 and 3) regardless of the interface the client arrives on.


mDNS and Bonjour Services

• mDNS Profiles – select services
• mDNS Profile with Local Policy – services per-user and per-device
• mDNS Policies – services based on AP location and user role
• mDNS AP – services behind a L3 boundary
• Location specific services

[Figure: a Teacher network and a Student network share the same mDNS service instances. The Teacher service profile exposes AirPrint, AirPlay and File Share; the Student service profile exposes AirPlay and File Share only. Service instances (Apple TV1, Apple TV2, iTunes Sharing, AirPrint) are grouped per role: the Teacher service instance list contains Apple TV1 and Apple TV2, the Student service instance list only Apple TV1, so students are never offered Apple TV2.]


Conclusion

Key Takeaways

• Security is an end-to-end concern
• Start by securing the infrastructure
• Use CleanAir and WIPS to protect the air
• Protect your client access with CWA and ISE
• AVC policies, TrustSec and SGTs protect your traffic

Cisco Spark – Ask Questions, Get Answers

What if I have a question after visiting Cisco Live? Use Cisco Spark to communicate with the speaker after the event (cs.co/ciscolive/#session ID; get the Cisco Spark app from the iTunes store or Google Play store):

1. Go to the Cisco Live Mobile app
2. Find this session
3. Click the join link in the session description
4. Navigate to the room, room name = Session ID (e.g. BRKACI-2001)
5. Enter messages in the room

Spark rooms will be available until Friday 17 November 2017. www.ciscospark.com

Complete Your Online Session Evaluation

• Give us your feedback about the session you just joined.
• Complete your session surveys through the Cisco Live mobile app: https://www.ciscolive.com/latam/attend/attendee-info/#mobile-app (English), https://www.ciscolive.com/latam/attend-es/attendee-info/#mobile-app (Español), or from the Session Catalog on CiscoLive.com/latam.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online.

Thank you