Identity Based Network Access

Post on 28-May-2020


TRANSCRIPT

Page 1: Identity Based Network Access - Conference Archive...Identity Based Network Access -Agenda What are the issues? Staff Student Contractor Guest • Staff/Student • Contractor •

Identity Based Network Access

Page 2: Identity Based Network Access - Agenda

• “What are my issues”
• Cisco ISE Power training
• “What have I achieved”
• “What do I want to do”

Page 3: What are the issues?

Page 4:

Staff

Student

Contractor

Guest

Page 5:

• Staff/Student
• Contractor
• Guest

Page 6:

ISE has answers for who, what, when, where, how and more.

Page 7: Cisco Identity Services Engine Power Training

Page 8: Network Access & Digitization

How to secure your network with so many unknowns?

MAC ADDRESS: 00-05-01-AA-E1-FF
IP ADDRESS: 192.168.2.101

Who owns that device? What device is it?
How is it connected? When did it connect?
Where is it located? Is it vulnerable? Any threats from it?

Page 9: Make fully informed decisions using ISE, with rich contextual awareness

Without ISE (poor context awareness), everything but the address is UNKNOWN:
IP ADDRESS: 192.168.2.101
WHO / WHAT / WHEN / WHERE / HOW / APPS / SPEC: Unknown
RESULT: Access to any device/user

With ISE (rich context awareness), the endpoint is KNOWN:
WHO: Bob (Employee)
WHAT: Apple iPad/iOS/11.0.1
WHEN: 10:30 AM PST
WHERE: Floor-1, San Jose, Building 19
HOW: Wireless
APPS: Firefox, MS Word, AnyConnect
SPEC: Serial number, CPU, memory
RESULT: Authorized network access

Page 10: ISE Use Cases

Visibility: Who and what is on your network, and sharing that with other security tools (e.g. StealthWatch) for better threat and behavioral clarity

DEFCON Policy Enforcement: When there is a security outbreak, customers have one button to push to activate different policies network-wide – using software-defined segmentation

Simplified Firewall Rule management with TrustSec: The number and complexity of firewall rules can be reduced by up to 80%, which reduces errors and costs

Always-on Policy Compliance: Assurance that your network, devices and their behaviors are compliant with company and regulatory compliance requirements

Rapid Threat Containment: Stop threats anywhere in the network from one console

TrustSec Software-Defined Segmentation: Easily create segments on the network and NGFW to increase protection and reduce malware proliferation

Next Gen Access Control: Control access to network and resources based on context for more accurate access policy options and enforcement

Ecosystem Integration: One framework to integrate different security products, share intel, see threats faster and take an action from the customer’s preferred product, such as FMC or Splunk

Guest Access

Page 11: Authentication and Authorization

AUTHENTICATION - Who are you? Credentials: Certificates / Passwords (e.g. EMPLOYEE alice *****, CONTRACTOR)

AUTHORIZATION - What can you do? NETWORK ACCESS to PROTECTED SERVERS, SHARED SERVICES, PUBLIC NETWORK

Page 12: Active versus Passive Identity

Active Identity: IP to user mapping obtained via active interaction between ISE and the client via 802.1X, Web authentication, Remote access VPN, etc.

Passive Identity: IP to user mapping obtained via passive means like AD WMI events, AD Agents, Syslog, SPAN sessions and more.

Diagram labels: Alice (active) - Cisco ISE asks “Alice?” and the client answers “Yes”; Jim (passive, steps 1-3) - DOMAIN\Jim (AD Login), AD, “Jim Logged in”, Cisco ISE.

Page 13: Authentication Option 1 - 802.1X: Overview

Roles: Endpoint (Supplicant) --802.1X/EAP--> Network Device (Authenticator) --RADIUS/EAP--> Cisco ISE (Authentication Server) --> Active Directory (Identity Store)

Credentials: Certificate / Password / Token

Supplicant: Software running on the client that provides credentials to the authenticator (Network Device).

EAP: Extensible Authentication Protocol

Messages shown: EAP: EAP-RESPONSE-IDENTITY (supplicant to authenticator); RADIUS: ACCESS-REQUEST with RADIUS SERVICE-TYPE: FRAMED (authenticator to ISE)

Page 14: Authentication Option 1 - 802.1X: Fundamentals of 802.1X

Roles: Endpoint (Supplicant) --802.1X/EAP--> Network Device (Authenticator) --RADIUS/EAP--> Cisco ISE (Authentication Server) --> Active Directory (Identity Store)

Supplicant: Software running on the client that provides credentials to the authenticator (Network Device).

EAP: Extensible Authentication Protocol

Success: RADIUS: ACCESS-ACCEPT, VSA: Airespace-ACL = Employee-ACL (ISE to authenticator); EAP: EAP-SUCCESS (authenticator to supplicant); Port-Authorized

Failure: Port-Unauthorized (if authentication fails)
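The exchange on slides 13 and 14 at the byte level, as an added example that is not from the slides or from Cisco ISE: it builds the RADIUS Access-Request the authenticator sends (Service-Type = Framed, the EAP Response/Identity carried in EAP-Message, and a Message-Authenticator keyed with the RADIUS shared secret) and shows the check the authentication server must perform before trusting it. Attribute numbers come from RFC 2865 and RFC 3579; the shared secret, identifier and Request Authenticator values are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS (RFC 2865) and EAP (RFC 3748, RFC 3579) constants used on the slides
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_CALLING_STATION_ID = 1, 6, 31
ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 61, 79, 80
SERVICE_TYPE_FRAMED, NAS_PORT_TYPE_ETHERNET = 2, 15   # "RADIUS SERVICE-TYPE: FRAMED" on slide 13
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP Response/Identity: Code=2, Identifier, Length, Type=1, identity bytes."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (counts these 2 header bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(secret: bytes, ident: int, request_auth: bytes,
                         user: str, mac: str, eap: bytes) -> bytes:
    """Access-Request as the authenticator (switch or WLC) sends it to ISE."""
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(ATTR_CALLING_STATION_ID, mac.encode())
             + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # Message-Authenticator = HMAC-MD5(secret, whole packet with the attribute value zeroed)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def attributes(pkt: bytes) -> dict:
    """Attribute type -> value; stops at a malformed length instead of looping."""
    out, off = {}, 20
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            break
        out[atype] = pkt[off + 2:off + alen]
        off += alen
    return out

def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server-side check (RFC 3579 s.3.2): an EAP-carrying Access-Request that fails it is discarded."""
    off = 20
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += max(alen, 2)
    return False
```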

Page 15: Authentication Option 2 - MAC Authentication Bypass (MAB)

Flow: Endpoint (No 802.1X) --> 802.1X Timeout --> MAB --> Network Device --> Cisco ISE (LAN)

Endpoints without supplicant will fail 802.1X authentication!

MAB requires a MAC address database | ISE can build this database dynamically with profiling

Bypassing “Known” MAC Addresses: the Network Device asks EAP: What’s your Id? (802.1X times out); on Any Packet from 00-10-23-AA-1F-38 it sends User: 00-10-23-AA-1F-38 to Cisco ISE, which answers ACCESS-ACCEPT

Page 16: Authentication Type 3: ISE ‘Easy Connect’

Identity based network access without 802.1X

Flow (Enterprise Network: Cisco ISE, SWITCH-1, DOMAIN CONTROLLER):
1. No 802.1X: MAB gives the UNKNOWN endpoint (DOMAIN\bob) LIMITED ACCESS (DHCP, DNS, NTP, AD)
2. Bob logged in: ISE retrieves user-ID and user’s AD membership
3. CoA: Full Access - EMPLOYEES get FULL ACCESS

• Increased visibility into active network sessions
• Flexible deployment co-operates with other auth methods
• Immediate value: leverage existing infrastructure

Page 17: Authentication Type 4: Web Authentication - Local or Central Web Authentication (LWA/CWA)

Flow between Endpoint, Network Device and Cisco ISE:
1. Initial packet -> MAB Request (“Got your MAC, need your ID”)
2. Initial AuthZ: Limited Access ACL + URL-Redirect to ISE
3. Endpoint browses to Google.com and is redirected to the ISE login page; user enters Username + password (alice / …....)
4. CoA: Force ReAuth
5. MAB Request -> Final AuthZ: Full Access ACL (matches “session cache” of previous successful WebAuth)

Page 18: Change of Authorization (CoA)

RFC 5176

RADIUS CoA (Change of Authorization) is a feature that allows ISE to adjust an active client session (initial access -> change in access).

Requires endpoint’s ‘active session’ on ISE

Automatic / Manual initiation of CoA

Use cases:
• Central Web Authentication (CWA)
• Device Profiling
• Posture assessment
• Threat Centric NAC
• Adaptive Network Control and more
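The CoA mechanics of slides 17 and 18 as an added example (not code from the slides or from ISE): the ISE side builds an RFC 5176 CoA-Request that moves a session from the limited ACL to the full-access named ACL via Filter-Id (RFC 2865 attribute 11), and the authenticator side checks the Request Authenticator, looks the session up in its active-session table and answers CoA-ACK, or CoA-NAK with Error-Cause 503 (Session Context Not Found) when there is no active session to act on. Cisco carries actions such as reauthentication in vendor-specific AVPairs, which are left out here; the shared secret, session table and ACL names are constructed.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes, RFC 2865/5176 attribute types and Error-Cause values used below
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_FILTER_ID, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 11, 31, 101
ERR_MISSING_ATTRIBUTE, ERR_SESSION_CONTEXT_NOT_FOUND = 402, 503

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value

def attributes(pkt: bytes) -> dict:
    out, off = {}, 20
    while off + 2 <= len(pkt) and pkt[off + 1] >= 2:
        out[pkt[off]] = pkt[off + 2:off + pkt[off + 1]]
        off += pkt[off + 1]
    return out

def coa_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """ISE side. Request Authenticator = MD5(Code+Id+Length+16 zero octets+Attributes+Secret)."""
    hdr = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + bytes(16) + attrs + secret).digest() + attrs

def coa_response(secret: bytes, code: int, request: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code+Id+Length+RequestAuth+Attributes+Secret)."""
    hdr = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request[4:20] + attrs + secret).digest() + attrs

def request_is_authentic(secret: bytes, pkt: bytes) -> bool:
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def response_is_authentic(secret: bytes, request: bytes, resp: bytes) -> bool:
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

class Authenticator:
    """Toy switch/WLC: active sessions keyed by Calling-Station-Id (the endpoint MAC)."""
    def __init__(self, secret: bytes, sessions: dict):
        self.secret, self.sessions = secret, sessions

    def handle_coa(self, pkt: bytes):
        if pkt[0] != COA_REQUEST or not request_is_authentic(self.secret, pkt):
            return None                       # RFC 5176 s.2.3: silently discard
        a = attributes(pkt)
        session = self.sessions.get(a.get(ATTR_CALLING_STATION_ID, b"").decode())
        cause = (ERR_SESSION_CONTEXT_NOT_FOUND if session is None
                 else ERR_MISSING_ATTRIBUTE if ATTR_FILTER_ID not in a else None)
        if cause:                             # CoA needs an active session and an action to apply
            return coa_response(self.secret, COA_NAK, pkt, attr(ATTR_ERROR_CAUSE, struct.pack("!I", cause)))
        session["acl"] = a[ATTR_FILTER_ID].decode()   # apply the new authorization
        return coa_response(self.secret, COA_ACK, pkt)
```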

Page 19: Authorization Options - Beyond RADIUS ‘ACCESS-ACCEPT’ / ‘ACCESS-REJECT’

DACL or Named ACL - Downloadable ACL (Wired) or Named ACL (Wired + Wireless):
Employee: permit ip any any
Contractor: deny ip host <critical>; permit ip any any

VLANs - Dynamic VLAN Assignments (Per port / Per Domain / Per MAC):
Employees: VLAN 3
Guest: VLAN 4
Remediation

Scalable Group Tags (Cisco TrustSec): 16 bit SGT assignment and SGT based Access Control

Page 20: A Typical ISE Authentication and Authorization policy

• Authentication method
• Where to look for identities
• How to handle Auth failures
• Authorization conditions
• End result

Page 21: Building Identity & Context

Page 22: Building Context: ‘User’

Users: Harry, Bob, Alice; identity groups: CONTRACTORS, EMPLOYEES, GUESTS

ISE Session Database (Cisco ISE, Active / Passive Identity):
Harry connected via Switch-SJC01
Bob connected via AP-SJC03
Alice connected via VPN005

Context dimensions: WHO, WHAT, WHEN, WHERE, HOW, POSTURE, APPLICATIONS, VULNERABILITY, THREAT

Page 23: Building Context: ‘Device-Type’

ISE data collection methods for Device profiling:
• ACTIVE PROBES: Netflow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP, AD
• DEVICE SENSOR (DS): CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS
• ANYCONNECT ACIDex: AnyConnect Identity Extensions
• Feed Service (Online/Offline)

Endpoints send interesting data that reveal their device identity to Cisco ISE.

Profiler Policy: If CDP:Platform Name = Cisco IP Phone = true, then Endpoint ID Group = Cisco-IP-Phone

Authorization Policy: If Endpoint ID Group = Cisco-IP-Phone = true, then Voice VLAN

Context dimensions: WHO, WHAT, WHEN, WHERE, HOW, POSTURE, APPLICATIONS, VULNERABILITY, THREAT
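How the profiler policy and the authorization policy of slides 19, 20 and 23 fit together, as an added illustration (not ISE’s engine or its attribute dictionary): probe attributes are scored against profiler policies with a minimum certainty factor, the winning endpoint identity group feeds the authorization rules, and the first matching rule returns the result (VLAN, dACL, SGT). Attribute names, certainty values, group names and results are assumptions.

```python
# Constructed attribute names in the style of ISE probe data (assumptions, not ISE's dictionary)
ATTR_CDP_PLATFORM = "CDP:cdpCachePlatform"
ATTR_DHCP_CLASS = "DHCP:dhcp-class-identifier"
ATTR_OUI = "MAC:OUI"

# Profiler policies: (endpoint identity group, minimum certainty factor, conditions).
# Each condition is (attribute, operator, value, certainty factor added when it matches).
PROFILER_POLICIES = [
    ("Cisco-IP-Phone", 20, [(ATTR_CDP_PLATFORM, "contains", "Cisco IP Phone", 20),
                            (ATTR_OUI, "equals", "Cisco Systems", 10)]),
    ("Apple-iPad", 20, [(ATTR_DHCP_CLASS, "contains", "iPad", 20),
                        (ATTR_OUI, "equals", "Apple", 10)]),
    ("HP-Printer", 30, [(ATTR_OUI, "equals", "Hewlett Packard", 10),
                        (ATTR_DHCP_CLASS, "contains", "HP", 20)]),
]

def _matches(op: str, actual, wanted: str) -> bool:
    if actual is None:
        return False
    return actual == wanted if op == "equals" else wanted in actual

def profile(attrs: dict) -> str:
    """Endpoint identity group with the highest certainty that meets its own threshold."""
    best, best_cf = "Unknown", 0
    for group, threshold, conds in PROFILER_POLICIES:
        cf = sum(c for a, op, v, c in conds if _matches(op, attrs.get(a), v))
        if cf >= threshold and cf > best_cf:
            best, best_cf = group, cf
    return best

# Authorization policy, evaluated top-down, first match wins. Results mirror slide 19:
# dACL / named ACL, dynamic VLAN, Scalable Group Tag. Session keys: auth, ad_groups, attrs.
AUTHZ_RULES = [
    ("Voice", lambda s: s["group"] == "Cisco-IP-Phone",
     {"vlan": "Voice", "sgt": 10}),
    ("Employee", lambda s: s["auth"] == "dot1x" and "Employees" in s["ad_groups"],
     {"vlan": 3, "dacl": "permit ip any any", "sgt": 4}),
    ("Contractor", lambda s: s["auth"] == "dot1x" and "Contractors" in s["ad_groups"],
     {"vlan": 3, "dacl": "Contractor-dACL", "sgt": 5}),
    ("Guest", lambda s: s["auth"] == "webauth",
     {"vlan": 4, "sgt": 6}),
]

def authorize(session: dict) -> dict:
    """Profile first, then walk the authorization rules; no match falls to the default reject."""
    s = {"auth": "mab", "ad_groups": [], "attrs": {}, **session}
    s["group"] = profile(s["attrs"])
    for name, condition, result in AUTHZ_RULES:
        if condition(s):
            return {"rule": name, "group": s["group"], "access": "ACCESS-ACCEPT", **result}
    return {"rule": "Default", "group": s["group"], "access": "ACCESS-REJECT"}
```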

Page 24: ISE ‘Access Control’ solution overview

Authentication Methods: MAC Authentication Bypass, Easy Connect ®, IEEE 802.1X, Web Authentication (Central WebAuth, Local WebAuth)

Authorization Options: Downloadable / Named ACL, Airespace ACL, VLAN Assignment, Security Group Tags, URL-Redirection, Port Configuration (ASP Macro / Interface-Template; ASP: Auto Smart Port)

Identity sources:
• PASSIVE IDENTITY
• ACTIVE IDENTITY: Native Supplicants / Cisco AnyConnect, 802.1X on the ENTERPRISE NETWORK
• SAML IdPs: APIs, Single Sign-On
• Certificate Authorities: SCEP / CRL, Certificate based Auth, Built-in CA
• External Identity Stores: Active Directory, LDAP Servers, SQL Server (LDAP / SQL), Passwords / Tokens

Scale: 500,000 concurrent sessions; up to 100K Network Devices; up to 50 distinct AD domain support; 300K Internal Users

Page 25: What have we achieved?

Page 26: The wired network

• ISE is profiling all staff ports on my network;
• Rich endpoint context;
• Compliance that all devices attaching into staff vlan are CIT assets;
• Better network troubleshooting;

Page 27: Rich Endpoint Context

Page 28: Rich Endpoint Context – AD, SNMP, DHCP, RADIUS probes

Page 29: Better Network Troubleshooting

Melbourn1#sh authentication sessions interface gi3/9 detail

Interface: GigabitEthernet3/9
MAC Address: 14b3.1f13.275e
IPv6 Address: Unknown
IPv4 Address: 157.190.153.89
User-Name: CIT\toks.lapite
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Current Policy: POLICY_Gi3/9
Vlan Group: Vlan: 120
ACS ACL: xACSACLx-IP-StaffConnect_PermitAll
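An added check built on the `show authentication sessions ... detail` output above (example code, not from the slides or from Cisco): it parses the one-field-per-line output into session records and flags authorized sessions in the staff VLAN that are not CIT domain logins carrying the StaffConnect dACL, which is the “all devices in the staff VLAN are CIT assets” compliance point from slide 26. The sample is constructed: the first session copies the slide’s values, the second is invented to trigger a finding.

```python
import re

# Constructed sample in the shape of the slide's output. Session 1 copies the slide;
# session 2 is made up: a MAB identity (bare MAC as User-Name) sitting in the staff VLAN.
SAMPLE = """\
Interface: GigabitEthernet3/9
MAC Address: 14b3.1f13.275e
IPv4 Address: 157.190.153.89
User-Name: CIT\\toks.lapite
Status: Authorized
Vlan Group: Vlan: 120
ACS ACL: xACSACLx-IP-StaffConnect_PermitAll

Interface: GigabitEthernet3/12
MAC Address: 0011.2233.4455
User-Name: 001122334455
Status: Authorized
Vlan Group: Vlan: 120
ACS ACL: xACSACLx-IP-StaffConnect_PermitAll
"""

STAFF_VLAN = "120"                                   # staff VLAN shown on the slide
STAFF_DOMAIN_PREFIX = "CIT\\"                        # AD domain shown on the slide
STAFF_ACL = "xACSACLx-IP-StaffConnect_PermitAll"     # dACL shown on the slide
FIELD = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s+(.*?)\s*$")

def parse_sessions(text: str) -> list:
    sessions, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Interface" and current:        # a new Interface: line starts the next session
            sessions.append(current)
            current = {}
        if key == "Vlan Group":                   # the value is itself "Vlan: 120"
            value = value.rsplit(":", 1)[-1].strip()
        current[key] = value
    if current:
        sessions.append(current)
    return sessions

def staff_vlan_findings(sessions: list) -> list:
    """(interface, MAC, reason) for authorized staff-VLAN sessions that are not CIT logins with the staff dACL."""
    findings = []
    for s in sessions:
        if s.get("Status") != "Authorized" or s.get("Vlan Group") != STAFF_VLAN:
            continue
        if not s.get("User-Name", "").startswith(STAFF_DOMAIN_PREFIX):
            findings.append((s["Interface"], s.get("MAC Address"), "non-domain identity in staff VLAN"))
        elif s.get("ACS ACL") != STAFF_ACL:
            findings.append((s["Interface"], s.get("MAC Address"), "unexpected dACL in staff VLAN"))
    return findings
```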

Page 30: The wireless network

• Guest wireless (Self-service or managed portal);
• Single user identity, multiple devices (3 max);
• Conference identity;

Page 31: What next?

Page 32: Coming soon to a network near “me”

• Currently, eduroam for staff and students, no differentiated access. However, staff want more access when on wireless, the same access they have when on wired (20% of our staff never touch the wired network, and increasing);
• Profile all wired ports on the network;
• Possibly all ports will be managed dynamically based on Identity;
• Use ISE in conjunction with Software defined access (SDA) to implement:
  • Security Group Tagging – enhanced authorised network access;
  • VXLANs;
• Compliance: managed staff and student devices must have certain software before network access, e.g. Malwarebytes

Page 33: Software-Defined Access - Networking at the speed of Software!

Automated Network Fabric: Single Fabric for Wired & Wireless with Workflow-based Automation

Insights & Telemetry: Analytics and insights into user and application behavior

Identity-based Policy & Segmentation: Decoupled security policy definition from VLAN and IP Address

DNA Center: Analytics, Policy, Automation

IoT Network / Employee Network; SDA-Extension; User Mobility: Policy stays with user

Page 34: Single User Access Policy Across LAN, WAN, DC, and Cloud

User to Cloud Segmentation; Campus and Branch Segmentation; User to Data Center Access Control

Page 35: Segmentation Policy Analytics - How do you learn how to segment your network?

• Discover current groups and policies by interacting with existing data sources
• Model a non-invasive pilot of candidate groups and policies against a data lake of network activity
• Submit potential groups and policies into enforcement infrastructure (e.g. ISE)
• Visibility into policy usage in real-time, prove policies are working

Page 36: Building your network capabilities is a journey

Stages: Network and Asset Visibility; Policy Monitoring; Automated Segmentation; SDA Access

Outcome: Rapid Threat Containment; Guest, Wireless Access; Identity-based Services (Device Management, IoT, BYOD)

Page 37: Thank you

Aidan McDonald ([email protected])
Brian O’Donoghue ([email protected])