Post on 08-Jul-2020


Page 1: Deep Dive into TrustSec/Demo - Cisco · Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 7 IEEE 802.1X Standard set by the IEEE 802.1 working group

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 1

Deep Dive into TrustSec/Demo

Daniel Braine

Security CSE CCIE R/S:24663

Page 2

Demo Architecture

Page 3

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Demo Architecture (diagram)

Components: Identity Services Engine (policy and profiling), Unified Access Management: NCS, 2106 WLC, Catalyst 3750X, ASA 5520; SSID: Agency_Secured_Wire; destinations: Gov Resources, Restricted Internet Only.

Profiling inputs: DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS. Policy inputs: user, location, time, device, attribute X.

District Issued Device (Government user, Govt. device):
1.  802.1X EAP user authentication
2.  Profiling to identify device
3.  Policy decision
4.  Policy enforcement to “VLAN 10” on the same SSID
5.  Full access granted
6.  Full device visibility

PERSONAL Device:
1.  802.1X EAP user authentication
2.  Profiling to identify device
3.  Policy decision
4.  Policy enforcement to “VLAN 10 or 20” on the same SSID
5.  Full or restricted access granted
6.  Full device visibility

Page 4

ISE Policy Architecture: Summary (diagram)

Subject -> PEP -> Resource: the subject sends an Access Request to the PEP (policy enforcement point), which passes the request/response context to the PDP (policy decision point); the PDP queries attributes from the PIP (policy information point) and returns the decision, and the PEP grants or denies resource access. Policies are viewed and configured on the PAP (policy administration point). PEP, PDP and PAP all send logging to M&T (monitoring and troubleshooting), where logs and reports are viewed. An iPEP (inline PEP) is also shown.

Page 5

Cisco NCS = Common Wired+Wireless Device Management (diagram)

Siloed management (separate wireless and wired tools): siloed, repetitive, error prone.

Unified wired+wireless management: simple, unified, single view; a single pane of glass for viewing and managing the wired and wireless network.

Page 6

Network Access Core Principles

• IEEE 802.1X framework
• Extensible Authentication Protocol (EAP) - RFC 3748
• Use of RADIUS
• Change of Authorization (CoA) - RFC 3576

Page 7

IEEE 802.1X

• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based access control using authentication
• Primarily, 802.1X is an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
• Layer 2 protocol for transporting authentication messages (EAP) between the supplicant (user/PC) and the authenticator (switch or access point)
• Assumes a secure connection
• Actual enforcement is via MAC-based filtering and port-state monitoring

Page 8

What Does EAP Do?

• Transports authentication information in the form of EAP payloads
• Establishes and manages connections; allows authentication by encapsulating various types of authentication exchanges
• Prevalent EAP types
  – EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication
  – PEAP: Protected EAP, a tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel (TLS)
  – EAP-FAST: designed to not require certificates; tunnels other EAP types in an encrypted tunnel (TLS)

Encapsulation (diagram): between supplicant and authenticator the EAP payload rides in an 802.1X header inside an Ethernet header; between authenticator and authentication server the same EAP payload rides in RADIUS over UDP inside an IP header.

Page 9

How Is RADIUS Used Here?

• RADIUS acts as the transport for EAP from the authenticator (switch) to the authentication server (RADIUS server)
• RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579
• RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
• Usage guideline for 802.1X authenticators' use of RADIUS: RFC 3580
• AV pairs: attribute-value pairs

Packet layout (diagram): IP header | UDP header | RADIUS header | EAP payload; the AV pairs are carried alongside the EAP payload in the RADIUS packet.

Page 10

Change of Authorization (CoA)

• Challenges
  •  How are ports reauthorized once it is learned what the port is?
  •  How is the access policy changed once the posture policy is learned?
  •  How do we reauthorize a port once the user's identity is authorized through Central Web Auth?
• Problem: a RADIUS server cannot start a conversation with the authenticator. The authenticator (RADIUS client) must start the conversation with the RADIUS server.
• Solution: CoA (RFC 3576 – Dynamic Authorization Extensions to RADIUS) allows the RADIUS server to start the conversation with the authenticator.
• CoA allows an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/redirection for a device/user without having to start the entire process all over again.
• CoA is supported on the WLC for 802.1X since the 7.0.116 (Spring 2011) release. CoA for non-802.1X on the WLC will be supported in Q1 CY2012. CoA is supported on wired routers and switches for all authentication methods.

Page 11

RADIUS Change of Authorization (CoA)

Diagram: a device on a switchport (the RADIUS client) is moved between the Guest VLAN and the Corp VLAN by the RADIUS server using CoA.

Dynamic session control from a policy server:
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
• Session query: for active services, for complete identity, service specific
• Service activate
• Service de-activate
• Service query

Page 12

802.1X End-User Authentication Flow (diagram)

Topology: access switch 10.1.10.1 (ACCESS 10.1.10.x/24) and AAA server (ISE) at 10.1.10.21; VLAN 100 = “DATACENTER” = 10.1.100.0/24. Supplicant-to-switch traffic is 802.1X/EAP, switch-to-ISE traffic is RADIUS. Switch configuration shown: aaa authen dot1x default group RADIUS. Before authentication the port is in open mode with ACL-DEFAULT (permit DHCP).

1) Detection: EAPoL-Start from the supplicant; the switch sends a RADIUS Access-Request. Service selection on ISE: 802.1X; NAS-IP: 10.1.10.5; RADIUS-Key: cisco123; IETF:NAS-Port-Type == Ethernet; IETF:Service-Type == Framed; Calling-Station-ID = dead:beef:feed.
2) Challenge & Response: identity challenge and response (Username: cisco); protocol negotiation (PEAP, EAP-FAST, EAP-TLS); the supplicant decides whether to trust the auth server certificate; username & password (Cisco/Cisco123).
3) Authentication: Success! Group: Internal Users.
4) Authorization: Access-Accept with EAP Success. Authorization policy PREPOSTURE: [27] = 86400 (24 hours); [29] = RADIUS-Request (1); [64,65,81] = VLAN, 802, “ACCESS”; [26/9/1] = dACL=ACL-PREPOSTURE. Authorization applied on the port (ACL-PREPOSTURE replaces ACL-DEFAULT); Re-DHCP.
5) Accounting: Accounting-Start carrying timestamp, MAC, NAS IP, port ID, username, group, session-ID, …; Accounting-Stop on disconnect, shutdown, restart or sleep.
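As an added example (not from the Cisco deck), this Python encodes the PREPOSTURE authorization above as RADIUS attributes (27 Session-Timeout, 29 Termination-Action, 64/65/81 tunnel attributes, 26/9/1 cisco-av-pair), signs the Access-Accept with the slide's shared key, and shows the check a switch must perform on the Response Authenticator before applying any VLAN, timeout or dACL it carries. The request authenticator, the identifier and the dACL reference string are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)

# IETF attribute numbers behind the bracketed values on the slide
SESSION_TIMEOUT = 27          # [27] = 86400 seconds
TERMINATION_ACTION = 29       # [29] = RADIUS-Request (1)
TUNNEL_TYPE = 64              # [64] = VLAN (13)
TUNNEL_MEDIUM_TYPE = 65       # [65] = IEEE-802 (6)
TUNNEL_PRIVATE_GROUP_ID = 81  # [81] = "ACCESS"
VENDOR_SPECIFIC = 26          # [26/9/1] = cisco-av-pair carrying the dACL name
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1

SHARED_SECRET = b"cisco123"      # RADIUS-Key from the slide
REQUEST_AUTH = bytes(range(16))  # constructed stand-in for the Access-Request authenticator


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def tunnel_attr(atype: int, tag: int, value: bytes) -> bytes:
    """RFC 2868 tunnel attributes carry a one-byte Tag (0x00-0x1F) before the value."""
    return attr(atype, bytes([tag]) + value)


def cisco_av_pair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id 9, vendor type 1 (cisco-av-pair)."""
    inner = bytes([CISCO_AV_PAIR, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack(">I", CISCO_VENDOR_ID) + inner)


def preposture_attrs() -> bytes:
    """The PREPOSTURE authorization from the slide, attribute by attribute."""
    return (
        attr(SESSION_TIMEOUT, struct.pack(">I", 86400))
        + attr(TERMINATION_ACTION, struct.pack(">I", 1))
        + tunnel_attr(TUNNEL_TYPE, 1, (13).to_bytes(3, "big"))
        + tunnel_attr(TUNNEL_MEDIUM_TYPE, 1, (6).to_bytes(3, "big"))
        + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, 1, b"ACCESS")
        # constructed dACL reference; real servers append a hash suffix to the name
        + cisco_av_pair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ACL-PREPOSTURE")
    )


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)."""
    head = struct.pack(">BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch (RADIUS client) must do before trusting any authorization attribute."""
    if len(packet) < HEADER_LEN or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def iter_attributes(attrs: bytes):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def decode_authorization(packet: bytes) -> dict:
    """Map the attributes onto the enforcement the switch applies to the session."""
    out = {}
    for atype, val in iter_attributes(packet[HEADER_LEN:]):
        if atype == SESSION_TIMEOUT:
            out["session_timeout"] = struct.unpack(">I", val)[0]
        elif atype == TERMINATION_ACTION:
            out["termination_action"] = {0: "Default", 1: "RADIUS-Request"}.get(struct.unpack(">I", val)[0])
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            body = val[1:] if val and val[0] <= 0x1F else val  # drop the tag byte if present
            if atype == TUNNEL_TYPE:
                out["tunnel_type"] = {13: "VLAN"}.get(int.from_bytes(body, "big"))
            elif atype == TUNNEL_MEDIUM_TYPE:
                out["tunnel_medium"] = {6: "IEEE-802"}.get(int.from_bytes(body, "big"))
            else:
                out["vlan"] = body.decode()
        elif atype == VENDOR_SPECIFIC and struct.unpack(">I", val[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = val[4], val[5]
            text = val[6:4 + vlen].decode()
            if vtype == CISCO_AV_PAIR and "CiscoSecure-Defined-ACL=#ACSACL#-IP-" in text:
                out["dacl"] = text.split("#ACSACL#-IP-", 1)[1]
    return out


if __name__ == "__main__":
    pkt = build_access_accept(7, REQUEST_AUTH, SHARED_SECRET, preposture_attrs())
    print("authenticator ok:", verify_response(pkt, REQUEST_AUTH, SHARED_SECRET))
    print(decode_authorization(pkt))
```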

Page 13

Deployment Considerations - Authentication

Page 14

•  How can I restrict access to my network?

•  Can I manage the risk of using personal PCs?

•  Common access rights when on-premises, at home, on the road?

•  Are endpoints healthy?

•  Can I allow guests Internet-only access?

•  How do I easily create a guest account?

•  Can this work in wireless and wired?

•  How do I monitor guest activities?

•  How do I discover non-authenticating devices?

•  Can I determine what they are?

•  Can I control their access?

•  Are they being spoofed?

Page 15

Non-802.1X Client Default Behavior

• An 802.1X-enabled switch port will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
• No network access is given if the switch does not receive an EAPOL Identity-Response
• The entire process continually repeats

Diagram: upon link up the switch sends EAPOL-Request (Identity) to D = 01.80.c2.00.00.03 (1), again after 30 seconds (2), and again after another 30 seconds (3); the client sends no EAPOL, so the 802.1X process never completes.

Switch configuration:
  Switch(config-if)# authentication port-control auto

Page 16

Flexible Authentication: One Configuration Fits All

• One configuration addresses all use cases, all host modes
• Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
• Choice of policy enforcement mechanisms: VLAN, dACL or named ACL, HTTP redirect
• Support for single-host and multi-auth scenarios

Diagram: the port tries 802.1X (EAP) first; for an 802.1X client the EAP credentials are sent and validated by ISE and the port is authorized. If 802.1X times out or fails the port falls back to MAB: a known MAC (IP phone, network printer) gets Access-Accept and the port is authorized; an unknown MAC (guest user) gets Access-Accept with a URL redirect to web authentication. A host change restarts the sequence. Endpoint types shown: 802.1X client, IP phone, guest user, employee, partner, faculty, sub-contractor, network printer.

Page 17

MAC Databases Considerations Summary

| Method | What is it? | Advantages | Problems | Use Case |
| --- | --- | --- | --- | --- |
| OUI Wildcards | Use 3-byte identifier | Easy to add lots of devices | No granularity | ‘Add all HP printers’ |
| ISE Local database | Local database with RADIUS server | Readily available | No central repository for all IDs | ‘RADIUS only’ |
| Active Directory | Central directory service | Central repository | Should have support for [IEEE 802] object, password complexity GPO | ‘All in one’ |
| Device Profiling | Automatic building of MAC database | Automated | Need certain methods to make it reliably identify devices | ‘handle unknown devices’ |
| LDAP | Central directory | Standards based | Manually populated and maintained | ‘leverage existing db’ |

Page 18

Automated Identity & Analysis: Device Authentication – ISE Profiler

Cisco ISE Profiler covers PCs and non-PCs (UPS, phone, printer, AP):
• DISCOVER and profile all devices
• MONITOR device conformance to identity

Page 19

Central Web Auth (CWA) for non-1X User, “Flex Auth”: Multiple Triggers, Single Port Config

Triggers: 802.1X timeout, 802.1X failure, MAB success. Components: switch, DHCP/DNS, ISE Policy Service node.

1. MAB: MAC success. AuthC success; AuthZ for unknown user returned: URL redirect + dACL/VLAN.
2. Host acquires IP address.
3. Host opens browser; the switch redirects the browser to the ISE CWA login page. Host sends username/password; AUP process, if configured.
4. Web auth success results in CoA; server authorizes user.
5. MAB re-auth.
6. Session lookup, policy matched; authorization dACL/VLAN returned.

Page 20

IPT & 802.1X: Fundamental Challenges

IPT breaks the point-to-point model:
1. Two devices per port, where 802.1X assumes one device per port
2. PC link state is unknown to the switch (link state dependency); the diagram shows the resulting security violation

“The operation of Port Access Control assumes that the Ports on which it operate offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis.” IEEE 802.1X rev 2004

Page 21

802.1X and Voice: Multi-Domain Authentication (MDA)

•  MDA replaces CDP Bypass
•  Supports Cisco & 3rd-party phones
•  Phones and PCs use 802.1X or MAB

IEEE 802.1X: single device per port. MDA: two domains per port, a single device per domain per port. The phone authenticates in the Voice domain and tags its traffic in the VVID (802.1Q); the PC authenticates in the Data domain and sends untagged traffic in the PVID.

Platform releases: 3K 12.2(35)SEE; 4K 12.2(37)SG; 6K 12.2(33)SXI

Page 22

Summary: Multiple Hosts per Port

| Host Mode | Enforcement | Deployment Considerations |
| --- | --- | --- |
| Single | Single MAC address per port | Second MAC address triggers a security violation. VMs on the host must share the same MAC address. CDP Bypass is the only IPT solution. |
| Multi-Domain Auth (MDA) | One voice device + one data device per port | Same as single host mode except the phone authenticates. Supports third-party phones. |
| Multi-Auth | Superset of MDA with multiple data devices per port | Authenticates every MAC address in the data domain. VMs on the host may use different MAC addresses. One VLAN (default port VLAN) for all devices on the port. |
| Multi-Host | One authenticated device allows any number of subsequent MAC addresses | Not recommended. VMs on the host may use different MAC addresses. CDP Bypass is the only IPT solution. |

Page 23

IPT & 802.1X: The Link-State Problem

Diagram: the port is authorized for 0011.2233.4455 only (PC A, S:0011.2233.4455, behind the phone). When PC B (S:6677.8899.AABB) replaces it, the switch sees a second source MAC on the authorized port.

1) Legitimate users cause a security violation.
2) A security hole: hackers can spoof the MAC (S:0011.2233.4455) to gain access without authenticating, because the switch never saw PC A leave.

Page 24

Previous Solution: Proxy EAPoL-Logoff

Diagram: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x. PC-A unplugs: the phone sends a proxy EAPoL-Logoff on its behalf and the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED). PC-B plugs in and authenticates: Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x.

Caveats:
•  Only for 802.1X devices behind the phone
•  Requires logoff-capable phones

Page 25

Previous Solution: MAB Inactivity Timeout

Diagram: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB. Device unplugs: the port stays authorized and is vulnerable to a security violation and/or hole until the inactivity timer expires; then the session is cleared (Domain = DATA, Port Status = UNAUTHORIZED) and the vulnerability is closed.

  interface GigE 1/0/5
   switchport mode access
   switchport access vlan 2
   switchport voice vlan 12
   authentication host-mode multi-domain
   authentication port-control auto
   authentication timer inactivity 300
   mab

Caveats:
•  Quiet devices may have to re-auth; network access is denied until re-auth completes.
•  Still a window of vulnerability.

Platform releases: 3K 12.2(35)SE; 4K 12.2(50)SG; 6K 12.2(33)SXI

Page 26

CDP Link Down

Diagram: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB. Device A unplugs: the phone sends a link-down TLV to the switch and the session is cleared (Domain = DATA, Port Status = UNAUTHORIZED). Device B plugs in: Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x.

• Link status message addresses the root cause
• Session cleared immediately
• Works for MAB and 802.1X
• Nothing to configure

Platform releases: IP Phone 8.4(1); 3K 12.2(50)SE; 4K 12.2(50)SG; 6K 12.2(33)SXI

Page 27

Post-Logon User Authentication (Microsoft WZC)

Windows startup and logon sequence (diagram); the slide marks the components that depend on network connectivity and the start and end of 802.1X authentication:

1. Power on
2. Kernel loading, Windows HAL loading, device driver loading
3. 802.1X machine auth
4. Obtain network address (static, DHCP)
5. Determine site and DC (DNS, LDAP)
6. Establish secure channel to AD (LDAP, SMB)
7. Kerberos authentication (machine account)
8. Computer GPOs loading (async)
9. GPO-based startup script execution
10. Certificate auto-enrollment, time synchronization, dynamic DNS update
11. GINA (user logon)
12. 802.1X user auth + network connectivity
13. Kerberos auth (user account)
14. User GPOs loading (async)
15. GPO-based logon script execution (SMB)

Page 28

802.1X - Machine Access Restriction

• Machine authentication by itself does not prevent users from accessing the network with an unregistered machine
• MAR allows ISE to use prior machine authentication as a condition for user authorization
• To enforce this restriction, ISE caches the MAC address associated with a successful machine authentication
• User authentication is only successful if the MAC address is cached from a previous machine authentication from the same computer
• This provides a way to deny authentication for a user because machine authentication to the network was not completed prior to a login attempt

Page 29

Q & A Time

Page 30

Authorization
- Policies and Conditions
- Enforcement Mechanisms
- Confidentiality & Integrity

Page 31

Authorization (Controlling Access): Context-Aware Policy (diagram)

Identity information (group: Contractor, Full-Time Employee, Guest) plus other conditions (time and date, access type, location, posture, device type, 802.1x/infrastructure) determine the authorization: broad access, limited access, guest/Internet, deny access, quarantine, and track activity for compliance.

Examples shown:
• Vicky Sanchez: Employee, Marketing; wireline; 3 p.m.
• Frank Lee: Guest; wireless; 9 a.m.
• Security camera G/W: agentless asset, MAC: F5 AB 8B 65 00 D4
• Francois Didier: Consultant, HQ—Strategy; remote access; 6 p.m.

Page 32

Tying It All Together: ISE Authorization Policy Definition

Conditions: device type, location, user, posture, time, access method, custom

Page 33

Policy Enforcement: Segmentation

VLANs (segmentation point: ingress)
  PROs:
  •  Does not require switch port ACL management
  •  Preferred choice for path isolation
  CONs:
  •  Typically requires an IP change, thus often disruptive to user access, with potential delays and/or conflicts with other endpoint processes
  •  Requires the proliferation of common VLANs across the access network and the associated VLAN management/maintenance
  •  VLANs still require some other enforcement mechanism(s) to be deployed to either isolate network traffic or provide access restrictions; VLANs alone do not limit traffic flow at the L3 edge

dACLs (segmentation point: ingress)
  PROs:
  •  No IP address change required, thus minimal host disruption
  •  Does not require the proliferation of VLANs across the access network and associated VLAN management
  •  Provides access control directly at the switch port versus reliance on an upstream security device or mechanism
  CONs:
  •  Resource limits per switch on ACE count per ACL, thus the primary focus is on coarse-grained access restrictions, with fine-grained restrictions resources permitting
  •  Requires centralized management and maintenance of ACLs applied to each switch port

SGA (segmentation point: egress)
  PROs:
  •  Simplifies ACL management and reduces the number of ACLs required across the entire network (single policy near the resource versus policy deployed at ingress/intermediate points)
  •  Uniformly enforces policy independent of source IP
  •  Provides fine-grained access control close to the protected resource
  CONs:
  •  SGA support is not yet universal across Cisco platforms

Page 34

Confidentiality and Integrity: 802.1AE-based Encryption

802.1AE:
• TrustSec provides Layer 2 hop-by-hop encryption and integrity, based on the IEEE 802.1AE standard
• 128-bit AES-GCM (Galois/Counter Mode) – NIST approved *
• Line-rate encryption/decryption for both 10GbE and 1GbE interfaces
• Replay protection of each and every frame
• 802.1AE encryption protects the CMD field (SGT value)

Customer benefits:
• Protects against man-in-the-middle attacks (snooping, tampering, replay)
• Standards-based frame format and algorithm (AES-GCM)
• Hop-by-hop approach is amenable to network services, compared to an end-to-end approach (e.g. Microsoft Domain Isolation/IPsec)

* NIST Special Publication 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)

Page 35

802.1AE (MACsec) Tagging

Diagram: MACsec tag format and TrustSec frame format, marking which fields are encrypted and which are authenticated; the MACsec EtherType is 0x88e5.

Page 36

Hop-by-Hop Encryption via IEEE 802.1AE

Diagram: each link between switches carries 128-bit AES-GCM encrypted frames; inside each switch (ASIC) everything is in the clear. Decrypt at ingress, encrypt at egress.

• “Bump-in-the-wire” model
  - Packets are encrypted on egress
  - Packets are decrypted on ingress
  - Packets are in the clear in the device
• Allows the network to continue to perform all the packet inspection features currently used
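As an added example, not from the deck, the following Python parses the IEEE 802.1AE SecTAG (EtherType 0x88e5 as on page 35) and implements the receive-side replay check the slides refer to: a packet number below the lowest acceptable value is dropped, and the next expected PN advances only after the ICV has been validated. MAC addresses, frame contents and the zeroed ICV are constructed placeholders, and the GCM-AES-128 ICV check itself is represented by the icv_valid flag because it needs the link's SAK.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5  # EtherType shown on the slide
ICV_LEN = 16               # GCM-AES-128 integrity check value at the end of the frame

# TCI bits of the SecTAG (IEEE 802.1AE): V ES SC SCB E C, then the 2-bit AN
TCI_V, TCI_SC, TCI_E, TCI_C = 0x80, 0x20, 0x08, 0x04

@dataclass
class SecTag:
    encrypted: bool       # E bit: the secure data is ciphertext
    an: int               # association number (0..3) selecting the SA and its key
    pn: int               # packet number, never 0
    sci: Optional[bytes]  # secure channel identifier when the SC bit is set
    header_len: int       # offset of the secure data from the start of the frame

def build_macsec_frame(dst, src, an, pn, sci, secure_data, icv, encrypted=True):
    """Constructed sample frame; the ICV is passed in because computing it needs the SAK."""
    tci_an = TCI_SC | (an & 0x03)
    if encrypted:
        tci_an |= TCI_E | TCI_C
    short_len = len(secure_data) if len(secure_data) < 48 else 0
    sectag = struct.pack(">HBBI", MACSEC_ETHERTYPE, tci_an, short_len, pn) + sci
    return dst + src + sectag + secure_data + icv

def parse_sectag(frame: bytes) -> SecTag:
    """Extract the SecTAG; anything that is not well-formed MACsec is rejected."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    ethertype, tci_an, _short_len, pn = struct.unpack(">HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType 0x%04x)" % ethertype)
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    if pn == 0:
        raise ValueError("PN 0 is reserved; frame is invalid")
    sc_present = bool(tci_an & TCI_SC)
    header_len = 28 if sc_present else 20
    if len(frame) < header_len + ICV_LEN:
        raise ValueError("frame too short for the SCI")
    sci = frame[20:28] if sc_present else None
    return SecTag(bool(tci_an & TCI_E), tci_an & 0x03, pn, sci, header_len)

class ReceiveSA:
    """Receive-side state of one secure association: the per-frame replay check."""

    def __init__(self, an: int, replay_window: int = 0, require_encryption: bool = True):
        self.an = an
        self.replay_window = replay_window  # 0 = strict: PNs must strictly increase
        self.require_encryption = require_encryption
        self.next_pn = 1

    def receive(self, frame: bytes, icv_valid: bool = True):
        """Return (accepted, reason); icv_valid stands in for the GCM-AES-128 check with the SAK."""
        try:
            tag = parse_sectag(frame)
        except ValueError as exc:
            return False, str(exc)
        if tag.an != self.an:
            return False, "no receive SA for AN %d" % tag.an
        if self.require_encryption and not tag.encrypted:
            return False, "integrity-only frame on a link that requires confidentiality"
        lowest_pn = max(1, self.next_pn - self.replay_window)
        if tag.pn < lowest_pn:
            return False, "replayed frame: PN %d below lowest acceptable %d" % (tag.pn, lowest_pn)
        if not icv_valid:
            return False, "ICV check failed"  # nextPN advances only after a valid ICV
        self.next_pn = max(self.next_pn, tag.pn + 1)
        return True, "ok"

# Constructed sample values so the block runs stand-alone
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
SCI = SRC + b"\x00\x01"       # SCI = source MAC + port identifier 1
FAKE_ICV = b"\x00" * ICV_LEN  # placeholder; a real ICV comes from GCM-AES-128

def sample_frame(pn: int, encrypted: bool = True) -> bytes:
    return build_macsec_frame(DST, SRC, 0, pn, SCI, b"\x45\x00" + b"\x00" * 30, FAKE_ICV, encrypted)

if __name__ == "__main__":
    sa = ReceiveSA(an=0)
    for pn in (1, 2, 2, 5, 3):
        print(pn, sa.receive(sample_frame(pn)))
```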

Page 37

Security Association Protocol

• Security Association Protocol (SAP) negotiates keys and cipher suite for encryption automatically
• Negotiation starts after successful authentication/authorization for NDAC
• At the end of SAP, both supplicant and authenticator have the same session key
• The session key is used to encrypt traffic on the link
• The session key is derived from the PMK (learned by both devices from ACS during authentication) and some random numbers shared during SAP
• Rekey is performed periodically

Page 38

Q & A Time

Page 39

Trusted Network
- Security Group Access
- Authenticated Network

Page 40

Security Group Based Access Control (SGACL)

Security Group Based Access Control allows customers:
• To keep the existing logical design at the access layer
• To change/apply policy to meet today's business requirements
• To distribute policy from a central management server

Diagram: a user authenticates via 802.1X/MAB/Web Auth (“I'm a contractor, my group is IT Admin”); the policy assigns Contractor & IT Admin SGT = 100, and the SGT-capable device tags the traffic with SGT = 100. Resources: Database (SGT=4), IT Server (SGT=10).

Page 41

Security Group Based Access Control

Security Group Tag (SGT):
• Unique 16-bit (65K) tag assigned to a unique role
• Represents the privilege of the source user, device, or entity
• Tagged at ingress of the TrustSec domain

SGACL:
• Filtered (SGACL) at egress of the TrustSec domain
• No IP address required in the ACE (the IP address is bound to the SGT)
• Policy (ACL) is distributed from the central policy server (ACS) or configured locally on the TrustSec device

Customer benefits:
• Provides topology-independent policy
• Flexible and scalable policy based on user role
• Centralized policy management for dynamic policy provisioning
• Egress filtering reduces TCAM impact

Page 42

Layer 2 SGT Frame Format

Diagram: Ethernet frame fields with the 802.1AE header and the Cisco Meta Data highlighted; the highlighted fields are the L2 802.1AE + TrustSec overhead, and the diagram marks which fields are encrypted and which are authenticated.

• Frame is always tagged at the ingress port of an SGT-capable device
• Tagging happens prior to other L2 services such as QoS
• No impact on IP MTU/fragmentation
• L2 frame MTU impact: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552-byte MTU)

Page 43

SGT Assignment

Campus/mobile endpoints:
• Every endpoint that touches the TrustSec domain is classified with an SGT
• SGT can be sent to the switch via RADIUS authorization after:
  •  802.1X Authentication
  •  MAC Authentication Bypass
  •  Web Authentication Bypass
  •  or static IP-to-SGT binding on the switch
• Full integration with Cisco Identity Solution

Data center/servers:
• Every server that touches the TrustSec domain is classified with an SGT
• SGT is usually assigned to those servers by static IP-to-SGT binding on the switch

Just like VLAN assignment or dACL, we assign the SGT in the authorization process.

Page 44

SGT Exchange Protocol (SXP)

• SGT native tagging requires hardware (ASIC) support
• The SGT eXchange Protocol (SXP) is used to exchange IP-to-SGT bindings between TrustSec-capable and TrustSec-incapable devices
• Currently supported on Catalyst 6500, 4500/4900, 3560/3750 and Nexus 7000 switches
• Based on TCP with MD5 authentication
• Supports single-hop or multi-hop SXP
• SXP accelerates the initial deployment of SGT/SGACL without an immediate hardware upgrade

Page 45

IP-to-SGT Binding Info Exchange using SXP

[Figure: campus network with a Catalyst 3750-E access switch (802.1X for the Doctor, SGT 7, and IT Admin, SGT 5; MAB/LWA for an agent-less device), a Catalyst 4948 in the data center, Nexus 7000 distribution and core switches, ACS v5.1 with Active Directory. Servers on VLAN100: IT Portal (SGT 4) 10.1.100.10; on VLAN200: Public Portal (SGT 8) 10.1.200.10, Internal Portal (SGT 9) 10.1.200.200, Patient Record DB (SGT 10) 10.1.200.100. Endpoints send untagged frames; the Nexus 7000 sends tagged frames (SGT=7) and performs SGT enforcement. The Catalyst 3750-E and 4948 act as SXP speakers, the Nexus 7000 switches as SXP listeners.]

If the switch supports SXP, the switch can send its IP-to-SGT binding table to an SGT-capable device (e.g. Nexus 7000).

Locally learned bindings on the access switch (SXP speaker):

IP Address     SGT   Source
10.1.10.102    5     LOCAL
10.1.10.110    14    LOCAL
10.1.99.100    12    LOCAL

Statically configured bindings on the data center switch (SXP speaker):

IP Address     SGT   Source
10.1.100.10    4     CLI
10.1.200.10    8     CLI
10.1.200.100   10    CLI
10.1.200.200   9     CLI

Page 46

SGT Tagging

[Figure: same topology as the previous slide (Catalyst 3750-E access with 802.1X/MAB/LWA, Catalyst 4948, Nexus 7000 distribution and core, ACS v5.1 with Active Directory, servers IT Portal SGT 4 / Public Portal SGT 8 / Internal Portal SGT 9 / Patient Record DB SGT 10). An untagged frame with SRC=10.1.10.102 enters the Nexus 7000 and leaves its egress port as a tagged frame with SGT=5; SGT enforcement applies to tagged traffic such as SGT=7.]

When an SGT-capable device receives a packet, it looks up the SGT value in its binding table and inserts the SGT tag into the frame as it exits the egress port.

IP-to-SGT Binding Table on the Nexus 7000 (learned via SXP):

IP Address     SGT   Source
10.1.10.102    5     SXP
10.1.10.110    14    SXP
10.1.99.100    12    SXP

Page 47

SGT Policy Download to SGT Capable Device

Policy is downloaded to SGT-capable hardware (e.g. a Nexus 7000 switch) when:

• The device first authenticates to ACS (via NDAC)
• The policy timer expires (by default 1 day)
• It is manually queried from ACS (cts refresh role-based-policy)
• A new IP-to-SGT mapping is configured manually on the switch
• A new SGT is seen on an interface of the device doing SGACL enforcement and the current SGACL policy on the switch has no policy for this source SGT

Page 48

Policy Download

[Figure: same campus/data center topology, now with a Catalyst 3750-X access switch (802.1X for the Doctor, SGT 7, and IT Admin, SGT 5; MAB/LWA for an agent-less device), Catalyst 4948 on VLAN100 (IT Portal, SGT 4, 10.1.100.10) and VLAN200 (Public Portal SGT 8 10.1.200.10, Internal Portal SGT 9 10.1.200.200, Patient Record DB SGT 10 10.1.200.100), Nexus 7000 distribution and core, ACS v5.1 with Active Directory. Bindings reach the Nexus 7000 via SXP, tagged frames (SGT=7) are enforced at egress, and the role-based policy is downloaded from ACS.]

Policy downloaded to the Nexus 7000 for source SGT 5 (IT Admin):

CTS7K-DC# show cts role-based policy
sgt:5 dgt:4 rbacl:Permit IP
  permit ip
sgt:5 dgt:8 rbacl:Permit IP
  permit ip
sgt:5 dgt:9 rbacl:Permit IP
  permit ip
sgt:5 dgt:10 rbacl:IT_Maintenance_ACL
  permit tcp dst eq 20 log
  permit tcp dst eq 21 log
  permit tcp dst eq 22 log
  permit tcp dst eq 445 log
  permit tcp dst eq 135 log
  permit tcp dst eq 136 log
  permit tcp dst eq 137 log
  permit tcp dst eq 138 log
  permit tcp dst eq 139 log
  permit tcp dst eq 3389 log
  permit icmp log
  deny ip
<skip>
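To make the binding lookup and the egress SGACL evaluation concrete, here is an added Python model (not Cisco code and not part of the presentation) built from the IP-to-SGT bindings and the role-based policy shown on these slides; the "deny" default for a source/destination pair with no downloaded cell is an assumption of this model, since on a real device the default cell is itself policy.

```python
"""Model of TrustSec egress enforcement: resolve source and destination IPs to
SGT/DGT through the binding table, then evaluate the matching SGACL."""

UNKNOWN_SGT = 0          # special SGT for traffic from an untrusted/unclassified source
DEFAULT_ACTION = "deny"  # assumed here; on real devices the default cell is configurable policy

# Constructed from the slides' binding tables: ip -> (sgt, how the binding was learned)
BINDINGS = {
    "10.1.10.102": (5, "SXP"),    # IT Admin endpoint, learned from the access switch via SXP
    "10.1.10.110": (14, "SXP"),
    "10.1.99.100": (12, "SXP"),
    "10.1.100.10": (4, "CLI"),    # IT Portal (static binding)
    "10.1.200.10": (8, "CLI"),    # Public Portal
    "10.1.200.100": (10, "CLI"),  # Patient Record DB
    "10.1.200.200": (9, "CLI"),   # Internal Portal
}

# ACEs as (action, protocol, destination port); protocol "ip" matches anything.
IT_MAINTENANCE_ACL = [("permit", "tcp", p) for p in
                      (20, 21, 22, 445, 135, 136, 137, 138, 139, 3389)]
IT_MAINTENANCE_ACL += [("permit", "icmp", None), ("deny", "ip", None)]

# Policy matrix as printed by "show cts role-based policy" for source SGT 5.
POLICY = {
    (5, 4): [("permit", "ip", None)],
    (5, 8): [("permit", "ip", None)],
    (5, 9): [("permit", "ip", None)],
    (5, 10): IT_MAINTENANCE_ACL,
}

def sgt_for(ip):
    """Binding lookup; an IP with no binding is treated as Unknown (SGT 0)."""
    return BINDINGS.get(ip, (UNKNOWN_SGT, None))[0]

def evaluate_acl(acl, proto, dst_port):
    """First matching ACE wins; every SGACL ends with an implicit deny."""
    for action, ace_proto, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return action
    return "deny"

def enforce(src_ip, dst_ip, proto, dst_port=None):
    """Return (sgt, dgt, action) for a packet evaluated at the egress port."""
    sgt, dgt = sgt_for(src_ip), sgt_for(dst_ip)
    acl = POLICY.get((sgt, dgt))
    if acl is None:
        return sgt, dgt, DEFAULT_ACTION
    return sgt, dgt, evaluate_acl(acl, proto, dst_port)
```

Note that the decision is made purely on (SGT, DGT): the IT Admin can reach the Patient Record DB on RDP but not on TCP/80, and a source with no binding at all lands on SGT 0 and therefore never matches the SGT 5 cells.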

Page 49

SGT is exchanged based on “Trust”

• Any member of the CTS domain needs to establish a trust relationship with its peer; otherwise it is not trusted
• Only an SGT from a trusted member can be “trusted” and processed by its peer
• An SGT from a distrusted device is tagged as “Unknown”, a special SGT (value zero)
• The process of authenticating a network device is called “Network Device Admission Control”, or NDAC for short

Page 50

Network Device Admission Control

• Network Device Admission Control (NDAC) provides strong mutual authentication (EAP-FAST) to form a trusted domain
• Only an SGT from a trusted peer is honored
• Authentication leads to the Security Association Protocol (SAP), which negotiates keys and cipher suite for encryption automatically (mechanism defined in 802.11i)
• 802.1X-REV will succeed and replace SAP
• A trusted device acquires trust and policies from the ACS server
• Mitigates rogue network devices and establishes a trusted network fabric to ensure SGT integrity and its privilege
• Automatic key and cipher suite negotiation for strong 802.1AE-based encryption

Page 51

Network Device Admission Control

[Figure: campus network with a Catalyst 3750-E access switch (users/endpoints, SGT=7), Nexus 7000 distribution and core, ISE with Active Directory, and servers IT Portal (SGT 4) 10.1.100.10, Public Portal (SGT 8) 10.1.200.10, Internal Portal (SGT 9) 10.1.200.200, Patient Record DB (SGT 10) 10.1.200.100. Between network devices, one peer acts as 802.1X supplicant and the other as 802.1X authenticator; the authenticator talks RADIUS to ISE, the 802.1X authentication server.]

• NDAC validates the peer's identity before the peer joins the circle of trust
• NDAC uses EAP-FAST/MSCHAPv2 for authentication
• The first peer to gain ISE server connectivity wins the authenticator role. Once the authenticator role is determined, the device terminates its own supplicant role.

Page 52

Q & A Time

Page 53

Page 54

Open Access Application 1: Monitor Mode

Monitor the network, see who is on it, and address future connectivity problems by installing supplicants and credentials and creating the MAB database.

RADIUS accounting logs provide visibility:

• Passed/failed 802.1X/EAP attempts
• List of valid dot1x-capable clients
• List of non-dot1x-capable clients
• Passed/failed MAB attempts
• List of valid MACs
• List of invalid or unknown MACs

TO DO before implementing access control:

• Confirm that all of these should be on the network
• Install supplicants on X, Y, Z clients
• Upgrade credentials on failed 802.1X clients
• Update the MAC database with failed MABs …
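The bucketing the slide describes, as an added Python example that is not part of the presentation: the record format is a constructed key=value layout rather than an actual ACS/ISE accounting log, and the users and MAC addresses are placeholders. The one inference worth noting is that a MAC which ever attempted 802.1X has a supplicant, so a failed MAB for it is a credential problem, not a missing supplicant.

```python
"""Monitor-mode triage over RADIUS authentication records (constructed format:
one key=value record per line; not an actual ISE/ACS log layout)."""
from collections import defaultdict

# Constructed sample records; users and MACs are placeholders.
SAMPLE_LOG = """\
result=PASS method=dot1x user=alice mac=00:11:22:AA:BB:01 nas=10.1.10.1
result=FAIL method=dot1x user=bob mac=00:11:22:AA:BB:02 nas=10.1.10.1
result=PASS method=mab user=00:11:22:AA:BB:03 mac=00:11:22:AA:BB:03 nas=10.1.10.1
result=FAIL method=mab user=00:11:22:AA:BB:04 mac=00:11:22:AA:BB:04 nas=10.1.10.1
result=FAIL method=mab user=00:11:22:AA:BB:02 mac=00:11:22:AA:BB:02 nas=10.1.10.1
"""

def parse(line):
    """Split 'k=v k=v ...' into a dict (constructed format, see module docstring)."""
    return dict(field.split("=", 1) for field in line.split())

def triage(log_text):
    """Bucket records the way the monitor-mode slide does and derive the to-do list."""
    methods = defaultdict(set)   # mac -> set of authentication methods attempted
    report = {"dot1x_passed": set(), "dot1x_failed": set(),
              "mab_valid_macs": set(), "mab_unknown_macs": set()}
    for line in log_text.splitlines():
        rec = parse(line)
        mac = rec["mac"]
        methods[mac].add(rec["method"])
        if rec["method"] == "dot1x":
            key = "dot1x_passed" if rec["result"] == "PASS" else "dot1x_failed"
            report[key].add(rec["user"])
        elif rec["method"] == "mab":
            key = "mab_valid_macs" if rec["result"] == "PASS" else "mab_unknown_macs"
            report[key].add(mac)
    # A MAC that ever attempted 802.1X has a supplicant; MAB-only MACs do not.
    report["dot1x_capable"] = {m for m, s in methods.items() if "dot1x" in s}
    report["non_dot1x_capable"] = {m for m, s in methods.items() if "dot1x" not in s}
    # To-do items in the slide's terms: fix credentials, or supplicant/MAB database.
    report["todo"] = (
        [f"upgrade credentials for {u}" for u in sorted(report["dot1x_failed"])]
        + [f"install supplicant or add MAC {m} to the MAB database"
           for m in sorted(report["mab_unknown_macs"] & report["non_dot1x_capable"])])
    return report
```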

Page 55

Segmenting Users, Devices and Networks: How to Extend IBNS Policy into the Network…

• GRE tunnels and policy routing
• VRF-Lite end-to-end (virtual route forwarding)
• VRF-Lite at the distribution with MPLS L3 VPNs at the core
• MPLS L3 VPNs end-to-end

Use the network to provide isolation and simplified policy enforcement:

[Figure: a “Guest” VLAN tunneled to the Internet DMZ; VoIP on an ultra-secure segment; Dept-HR and Dept-ENGR (Dept 1 / Dept: ENGR) with overlapping address space that can co-exist.]

Page 56

Session Directory APIs: List of APIs

Session Directory Query

• Count of concurrent sessions: https://{hostname}/mnt/API/External/Session/ActiveCount
• Count of sessions which have the posture service involved: https://{hostname}/mnt/API/External/Session/PostureCount
• Count of sessions which have the profiler service involved: https://{hostname}/mnt/API/External/Session/ProfilerCount
• Active session list: provides the MAC address, NAS IP, user name and session ID associated with each session: https://{hostname}/mnt/API/External/Session/ActiveList
• List of active sessions authenticated in a particular period of time: https://{hostname}/mnt/API/External/Session/AuthList/{starttime}/{endtime}
• Detailed session attributes of an endpoint's latest session, by MAC address: https://{hostname}/mnt/API/External/Session/MACAddress/{mac}
• Detailed session attributes of an endpoint's latest session, by username: https://{hostname}/mnt/API/External/Session/UserName/{username}
• Detailed session attributes of an endpoint's latest session, by NAS IP address: https://{hostname}/mnt/API/External/Session/IPAddress/{nasip}

Page 57

Change of Authorization API

List of APIs

CoA: allow Change of Authorization of an endpoint

• Session Reauth: https://{hostname}/mnt/API/External/CoA/Reauth/{server host name}/{mac}/{option}/{nasip}
  {option} can be one of the following (0-2):
  REAUTH_TYPE_DEFAULT = 0; REAUTH_TYPE_LAST = 1; REAUTH_TYPE_RERUN = 2;

• Session Disconnect: https://{hostname}/mnt/API/External/CoA/Disconnect/{server host name}/{mac}/{option}/{nasip}
  {option} can be one of the following (0-2):
  DYNAMIC_AUTHZ_PORT_DEFAULT = 0; DYNAMIC_AUTHZ_PORT_BOUNCE = 1; DYNAMIC_AUTHZ_PORT_SHUTDOWN = 2;
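An added Python helper (not Cisco's and not part of the slides) that builds the Session Directory and CoA URLs listed on these two slides, with the {option} value validated against the enumerations given; the hostnames, credentials and MAC addresses are placeholders, and HTTP basic authentication, TLS certificate verification and the colon-separated uppercase MAC form are assumptions of this helper rather than anything the slides state.

```python
"""Helper for the ISE Monitoring (MnT) Session Directory and CoA REST URLs
from the slides. Placeholders throughout; MAC form and basic auth are assumptions."""
import base64
import re
import ssl
import urllib.request
from urllib.parse import quote

REAUTH_TYPE = {"default": 0, "last": 1, "rerun": 2}              # REAUTH_TYPE_*
DYNAMIC_AUTHZ_PORT = {"default": 0, "bounce": 1, "shutdown": 2}  # DYNAMIC_AUTHZ_PORT_*

def normalize_mac(mac):
    """Accept 0011.22aa.bb01, 00-11-22-aa-bb-01 or 00:11:22:AA:BB:01; reject anything else."""
    digits = re.sub(r"[.:-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class MntApi:
    def __init__(self, hostname):
        self.base = f"https://{hostname}/mnt/API/External"

    # Session Directory queries (path parameters are URL-encoded, never interpolated raw)
    def active_count(self):
        return f"{self.base}/Session/ActiveCount"
    def auth_list(self, start, end):
        return f"{self.base}/Session/AuthList/{quote(start, safe='')}/{quote(end, safe='')}"
    def session_by_mac(self, mac):
        return f"{self.base}/Session/MACAddress/{normalize_mac(mac)}"
    def session_by_user(self, username):
        return f"{self.base}/Session/UserName/{quote(username, safe='')}"

    # Change of Authorization; {option} is mapped through the slide's enumerations,
    # so an unknown option name raises KeyError instead of sending an arbitrary code.
    def coa_reauth(self, psn, mac, option, nasip):
        return f"{self.base}/CoA/Reauth/{psn}/{normalize_mac(mac)}/{REAUTH_TYPE[option]}/{nasip}"
    def coa_disconnect(self, psn, mac, option, nasip):
        code = DYNAMIC_AUTHZ_PORT[option]
        return f"{self.base}/CoA/Disconnect/{psn}/{normalize_mac(mac)}/{code}/{nasip}"

def call(url, username, password, cafile=None):
    """GET the URL with server certificate verification and HTTP basic auth; returns the body."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the ISE server certificate
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()
```

A CoA call forces a session to be re-evaluated or dropped on the NAS, so the account used for `call` should be a dedicated, least-privilege MnT API account and the {server host name} must be the policy service node that owns the session.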

Page 58

802.1X with Posture