
7.4 Update - ISE Session.

Presentation on theme: "7.4 Update - ISE Session."— Presentation transcript:

1 7.4 Update - ISE Session

2 Session Objectives
- Introduction to CUWN release 7.4
- Integration with ISE
- Review of best practices for securing a Guest network with ISE
- In-depth coverage of ISE features for Secure BYOD
- Demonstration

3 7.4 Update

4 In the Beginning

| Scenario                                      | ISE 1.0 + WLC 7.0.116                                   | ISE 1.1 + WLC 7.2                     |
| 802.1X Auth                                   | Yes                                                     |                                       |
| 802.1X with Posture                           |                                                         |                                       |
| Profiling                                     | Yes (802.1X only)                                       | 802.1X and non-802.1X                 |
| Local Web Auth (LWA) / Central Web Auth (CWA) | No (MAC filtering / Open Auth for RADIUS NAC WLAN only) | Yes (LWA and CWA)                     |
| CoA                                           | 802.1X (VLAN, ACL)                                      | 802.1X (VLAN/ACL), LWA/CWA (ACL*)     |
| Posture for Guest                             |                                                         |                                       |
| Device Registration                           |                                                         |                                       |
| SXP                                           |                                                         |                                       |

(Cells left empty were shown as icons on the original slide and did not survive the transcript.)

5 7.4 BYOD Matrix

| Functionality      | FlexConnect Local Switching                                                   | Central Switching / Local Mode                                      |
| Authentication     | Central Auth; Local Auth & Local EAP                                          | Central Auth                                                        |
| Authorization      | VLAN only. Static ACL per VLAN supported.                                     | VLAN, ACL, QoS                                                      |
| Profiling          | DHCP native sensor (DHCP info via RADIUS Accounting); IP helper at the router | DHCP native sensor; traffic SPAN; IP helper at the controller       |
| Posture            | CoA / VLAN only for 802.1X; CWA for WebAuth                                   | CoA / VLAN and ACL; CWA for WebAuth                                 |
| Device on-boarding | Single SSID 802.1X; Dual SSID (CWA + secured)                                 | Single SSID 802.1X; Dual SSID (CWA + secured)                       |

(The slide's Central Switching and Local Mode columns carry the same values and are merged here.)

6 Device Profiling - Traditional
- 802.1X SSIDs only
- Requires a dedicated ISE interface for SPAN (an ISE port dedicated to profiling: HTTP / DHCP probes)
- L2 adjacency to the WLC management interface
[Diagram: WLC physical ports / port channel / wireless interfaces; ISE GE0 attached to a SPAN port]

7 New Device Sensors for Wireless
- WLC device detection based on DHCP / HTTP, delivered to ISE in RADIUS Accounting
- ISE: enable the RADIUS probe
- WLC config: config wlan profiling radius <attribute type> enable <wlan-id>
  Enables/disables device profiling for all clients that join the WLAN. Attribute type is DHCP, HTTP or both.
- FlexConnect limits: central switching supported; local auth with local switching not supported

8 Controller Based Profiling
WLC updates ISE via RADIUS accounting

9 What: starting with 7.2 MR1 the WLC can perform web authentication with an external server on a locally switched WLAN.
Why: this addresses the BYOD requirement for FlexConnect where the portal is centralized but user traffic needs to exit locally to save WAN bandwidth.
How: a pre-auth Flex ACL at the AP matches the traffic that is allowed to be locally switched before authentication completes.
[Diagram: central site, remote site]

10 [Diagram: local DHCP/DNS server and local network with a Flex AP at the remote site; corporate WAN; centralized WLC and ISE Policy Server at the central site]
1) The Flex pre-auth ACL is configured at the WLAN (for web auth only), FlexConnect group or AP level.
2) The ACL is pushed to the AP automatically. Traffic permitted by the ACL is locally switched; all other traffic is sent to the WLC (DNS and DHCP are allowed by default).
3) HTTP traffic to the destination shown on the slide is not permitted by the ACL, so it goes to the WLC in the CAPWAP tunnel.
4) The WLC redirects the client to the external web page.
5) The client opens an HTTP session to the external server; that traffic is permitted by the ACL and hence locally switched.
6) The client is authenticated by the WLC (internally or against an external DB). On successful authentication the ACL is removed and all traffic is locally switched.
Keep the pre-auth ACL minimal: everything it permits is reachable on the local network by any associated but not yet authenticated client.

11 ISE Integration

12 Guest Use Cases: How do I deploy Guest with FlexConnect?
Use case supported from 7.2MR1 onwards.
[Diagram: Guests, corporate identity, Internet, MDM servers, corporate intranet, ASA firewall, AP, DMZ VLAN, Cisco 3750 switch, Anchor Controller, EoIP tunnel, WLC - Virtual Controller (FlexConnect mode), Identity Services Engine, Active Directory server, Certificate Authority server]
© 2009, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

13 Guest Use Cases: How do I deploy Guest with FlexConnect? Identity
[Diagram as on slide 12, now also showing the branch VLAN and AP VLAN at the remote site]

15 How Does Guest Work? with Web Authentication
Open SSID "guest" with web authentication: the guest's web session is redirected to the ISE guest portal for authentication.
[Diagram: Sponsor, ISE Policy Server, Guest, AP, switches, Foreign WLC 7.4, Anchor]

16 CWA on Wireless Controllers
The Guest-SSID uses MAB. The default policy blocks everything except HTTP/DHCP/DNS, and the WLC applies the redirect ACL and URL redirect so a contractor or guest lands on the ISE portal (backed by AD / CA or the ISE guest DB).
[Diagram: Contractor, Guest, Guest-SSID, Access Point, WLC, ISE, AD / CA, ISE Guest DB]

17 Foreign Controller – Step-by-Step
Pre-requisites
1 Configure Interfaces (Foreign WLC / 00:50:56:B0:01:0E)
2 Configure Mobility Group Members (Anchor WLC / D0:c2:82:dd:88:00)
3 Configure WLAN
4 Configure Mobility Anchors (Anchor WLC / D0:c2:82:dd:88:00)

22 Anchor Controller – Step-by-Step
Pre-requisites: not required, other than allowing access to ISE for CWA (URL-Redirect)
1 Configure Interfaces (Foreign WLC / 00:50:56:B0:01:0E)
2 Configure Mobility Group Members (Anchor WLC / D0:c2:82:dd:88:00)
3 Configure WLAN
4 Configure Mobility Anchors

29 Review Wireless CWA Config
Flex Auth: in the MAB authentication rule, set the "if user not found" action to Continue rather than Reject. An unknown MAC then still reaches authorization policy processing, which is where the CWA redirect is applied.

30 Wireless URL Redirection Considerations: Apple Captive Network Assistant (CNA)
Problem: URL redirection on Apple devices may fail due to the Apple Captive Network Assistant (CNA).
Background on CNA: an Apple iOS feature that facilitates network access when a captive portal requires login, by automatically opening a web browser in a controlled window. On Wi-Fi connection it detects a captive portal by sending a web request to a known URL (omitted in the transcript):
- If the expected response is received, Internet access is assumed and there is no further interaction.
- If not, Internet access is assumed to be blocked by a captive portal and CNA auto-launches a browser requesting portal login in a controlled window.
Solutions:
- Disable Auto-Login under the WLAN settings on the device (requires user knowledge and interaction).
- Configure the WLC to bypass CNA (command available from WLC 7.2):
  > config network web-auth captive-bypass enable
  With captive-bypass the WLC answers the probe as if Internet access were available, so CNA stays quiet and the user opens a browser manually to hit the redirect.

31 Profiling Use Case: How does Profiling work with FlexConnect?
Use case supported from 7.2MR1 onwards.
[Diagram as on slide 13: guests, corporate identity, branch VLAN, AP VLAN, Internet, MDM servers, corporate intranet, ASA firewall, DMZ VLAN, Cisco 3750 switch, Anchor Controller, EoIP tunnel, WLC - Virtual Controller (FlexConnect mode), ISE, Active Directory server, Certificate Authority server]
Speaker notes: If a standard hostname, domain name, or FQDN naming convention is deployed to specific endpoints, those attributes can be used to classify them. For example, if all Windows XP clients are assigned a name such as "jsmith-winxp", the host-name or client-fqdn attribute can be used in a condition to classify Windows XP endpoints. Similarly, if the convention is to populate the hostname of corporate endpoints as "jsmith-corp-dept", that can be used to validate a corporate asset. Take care not to confuse profile attributes with identity: attributes add a certain level of credence that an endpoint is of a certain type, nothing more. For example, the Authorization Policy can combine the authenticated user with profiling to deny full access privileges to employees whose PC host-name attribute (as indicated by the matching Endpoint Identity Group) does not include the expected values. Note: the relationship between profiles and Endpoint Identity Groups is discussed in a later section.
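The device-sensor data from slides 7 and 8 (DHCP and HTTP attributes carried to ISE in RADIUS Accounting) and the hostname-convention caveat in the notes above can be shown end to end in a small profiler. The following Python is an added example written for this transcript, not ISE or WLC code: the accounting records, the OUI table, the readable `dhcp-option=...` / `http-tlv=...` attribute text, the rule weights and the `-corp-` naming convention are all constructed (the real WLC carries the option TLVs inside cisco-av-pair attributes). It sums certainty per profile the way ISE does, flags when a CoA would be due because the endpoint's group was just learned or changed (the trigger on slide 37), and shows why a hostname hint can only narrow an authenticated identity, never stand in for one.

```python
"""Endpoint profiling from WLC device-sensor data in RADIUS Accounting.

Added example for this transcript. The record format, OUI table and rule
weights are constructed; the real WLC carries the DHCP/HTTP TLVs in
cisco-av-pair attributes rather than as the readable text used here."""
import re
from dataclasses import dataclass, field

# Constructed OUI table (first three octets -> vendor); production uses the IEEE list.
OUI_VENDOR = {"00:15:5D": "Microsoft", "3C:07:54": "Apple", "00:50:56": "VMware"}

# Profiling rules: (endpoint group, attribute, regex, certainty factor).
RULES = [
    ("Windows-Workstation", "dhcp-class-identifier", r"^MSFT", 30),
    ("Windows-Workstation", "user-agent", r"Windows NT", 30),
    ("Apple-iPhone", "user-agent", r"iPhone", 40),
    ("Apple-iPhone", "oui", r"^Apple$", 10),
    ("Apple-Device", "oui", r"^Apple$", 10),
]
MIN_CERTAINTY = 20                                    # below this the endpoint stays Unknown
CORP_HOSTNAME = re.compile(r"^[a-z]+-corp-[a-z]+$")   # constructed naming convention


@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)
    group: str = "Unknown"
    certainty: int = 0


def parse_accounting(record):
    """Normalize one Accounting-Request (dict) into an Endpoint.

    Constructed fields: Calling-Station-Id (MAC) and a cisco-av-pair list with
    entries like 'dhcp-option=host-name=x' or 'http-tlv=User-Agent=x'."""
    ep = Endpoint(mac=record["Calling-Station-Id"].upper())
    ep.attrs["oui"] = OUI_VENDOR.get(ep.mac[:8], "Unknown")
    for av in record.get("cisco-av-pair", []):
        kind, _, rest = av.partition("=")
        name, _, value = rest.partition("=")
        if kind == "dhcp-option":
            ep.attrs["dhcp-" + name] = value
        elif kind == "http-tlv" and name == "User-Agent":
            ep.attrs["user-agent"] = value
    return ep


def profile(ep, known_groups):
    """Sum certainty per group, pick the best, and report whether a CoA is due.

    ISE issues CoA when an endpoint is profiled for the first time or its
    policy changes; known_groups (MAC -> last group) models that memory."""
    scores = {}
    for group, attr, pattern, cf in RULES:
        if re.search(pattern, ep.attrs.get(attr, "")):
            scores[group] = scores.get(group, 0) + cf
    group, certainty = max(scores.items(), key=lambda kv: kv[1], default=("Unknown", 0))
    if certainty < MIN_CERTAINTY:
        group = "Unknown"
    ep.group, ep.certainty = group, certainty
    coa_needed = group != "Unknown" and known_groups.get(ep.mac) != group
    known_groups[ep.mac] = group
    return group, coa_needed


def looks_like_corporate_asset(ep):
    """Hostname convention adds credence that this is a corporate PC; it is not identity."""
    return bool(CORP_HOSTNAME.match(ep.attrs.get("dhcp-host-name", "").lower()))


def authorize(user_group, ep):
    """Authorization: the authenticated identity decides; profile and hostname only narrow it."""
    if user_group == "Guest":
        return "INTERNET-ONLY"
    if user_group == "Employees":
        if ep.group == "Windows-Workstation" and looks_like_corporate_asset(ep):
            return "FULL-ACCESS"
        return "EMPLOYEE-LIMITED"       # personal device, or a box renamed to look corporate
    return "DENY"


# Constructed accounting records, as the WLC would send after DHCP and the first HTTP request.
SAMPLE_RECORDS = [
    {"Calling-Station-Id": "00:15:5d:aa:bb:cc", "cisco-av-pair": [
        "dhcp-option=host-name=jsmith-corp-eng",
        "dhcp-option=class-identifier=MSFT 5.0",
        "http-tlv=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64)"]},
    {"Calling-Station-Id": "3c:07:54:11:22:33", "cisco-av-pair": [
        "dhcp-option=host-name=jsmiths-iPhone",
        "http-tlv=User-Agent=Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)"]},
    {"Calling-Station-Id": "00:50:56:b0:01:0e", "cisco-av-pair": [
        "dhcp-option=host-name=vm-corp-lab"]},   # hostname alone, no other evidence
]


def run_demo(user_group="Employees"):
    """Profile each sample record; return (mac, group, certainty, coa_due, decision) rows."""
    known, results = {}, []
    for rec in SAMPLE_RECORDS:
        ep = parse_accounting(rec)
        group, coa = profile(ep, known)
        results.append((ep.mac, group, ep.certainty, coa, authorize(user_group, ep)))
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The third record is the point of the notes above: a VM whose hostname follows the corporate convention still profiles as Unknown, so an employee logging in from it gets limited access; the hostname raised credence but did not replace the profile or the identity.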

32 Review ISE Profiler
Profiling probes: OUI, DHCP, Netflow, DNS, HTTP, CDP, LLDP
Flow: the network → ISE (probes collect endpoint attributes) → ID group assignment → apply policies (Video VLAN, Voice VLAN, Internet ONLY, Printer VLAN, more ...)

35 Profiling CoA
Allows ISE to actively enforce policy over connected endpoints.
CoA is triggered dynamically when:
- an endpoint is profiled for the first time;
- an endpoint is statically assigned a new policy;
- an endpoint is deleted from the ISE DB.
NAD configuration (IOS; the ISE address was not captured in the transcript):
  aaa server radius dynamic-author
   client <ISE PSN address> server-key xxxxxxx
The server-key is the shared secret that authenticates every CoA the switch or WLC accepts; a guessable key lets anyone who can reach the NAD's CoA port (UDP 1700 by default) bounce or re-authenticate sessions, so treat it like a RADIUS secret.
CoA Port-Bounce is downgraded to Re-Auth when multiple sessions are connected through the same switch port (to minimize disruption to other sessions).
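To see what the `dynamic-author` stanza and its server-key actually protect, here is an added Python example written from RFC 5176 for this page (it is not ISE or IOS code). It builds the kind of reauthenticate CoA-Request ISE sends to a Cisco NAD, keyed on Calling-Station-Id and Acct-Session-Id and carrying the `subscriber:command=reauthenticate` cisco-av-pair, and it verifies the CoA-ACK or CoA-NAK that comes back. The shared secret, identifier, MAC and session ID are constructed, and the optional Message-Authenticator attribute (type 80) is left out to keep the example short.

```python
"""RFC 5176 Change-of-Authorization: build a CoA-Request and check the reply.

Added example for this transcript; secret, identifier, MAC and session ID are
constructed. Message-Authenticator (attribute 80) is deliberately omitted."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45        # RFC 5176 packet codes
DISCONNECT_REQUEST = 40
ATTR_CALLING_STATION_ID = 31                       # client MAC, used by ISE to key the session
ATTR_ACCT_SESSION_ID = 44
ATTR_VENDOR_SPECIFIC = 26
ATTR_ERROR_CAUSE = 101                             # carried in a CoA-NAK
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def encode_attribute(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header octets."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific wrapper for a cisco-av-pair string."""
    inner = encode_attribute(CISCO_AVPAIR, text.encode())
    return encode_attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_request(code, identifier, attributes, secret):
    """Request Authenticator (RFC 5176 section 2.3):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(code, request, attributes, secret):
    """The NAD's CoA-ACK/NAK: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(request, response, secret):
    """Accept a reply only if it matches our identifier, is well formed and its
    authenticator was computed with the shared secret we hold."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Walk the TLVs after the 20-octet header, rejecting bad lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def reauth_request(identifier, mac, session_id, secret):
    """ISE-style reauthentication CoA keyed on Calling-Station-Id and Acct-Session-Id."""
    return build_request(COA_REQUEST, identifier, [
        encode_attribute(ATTR_CALLING_STATION_ID, mac.encode()),
        encode_attribute(ATTR_ACCT_SESSION_ID, session_id.encode()),
        cisco_avpair("subscriber:command=reauthenticate"),
    ], secret)


def error_cause(response):
    """Return the Error-Cause value from a CoA-NAK, or None if absent."""
    for attr_type, value in parse_attributes(response):
        if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


if __name__ == "__main__":
    SECRET = b"xxxxxxx"          # constructed: the server-key from the dynamic-author stanza
    req = reauth_request(7, "00-50-56-B0-01-0E", "0000A1F3", SECRET)
    nak = build_response(COA_NAK, req,
                         [encode_attribute(ATTR_ERROR_CAUSE, struct.pack("!I", 503))], SECRET)
    print("request length", len(req), "reply verified:", verify_response(req, nak, SECRET),
          "error-cause:", error_cause(nak))   # 503 = Session Context Not Found
```

Both authenticators are keyed only by the shared secret and MD5, which is why `verify_response` with the wrong key fails and why the secret on the `client ... server-key` line is the whole trust boundary for CoA.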

38 Profiling – DHCP and HTTP
[Diagram: ISE server; Foreign WLC / 00:50:56:B0:01:0E; EoIP tunnel; Anchor WLC / D0:c2:82:dd:88:00; guest SSID]
DHCP sensor data is sent in RADIUS Accounting when the client joins the guest SSID; when the user opens a browser, the HTTP attributes follow the same way, and ISE issues a CoA once the endpoint is (re)profiled.

40 ISE Profiling – General Best Practice Recommendations

Device Sensor (minimum release):
| Platform                                                         | Release    | Sensor data                |
| Wireless LAN Controller                                          | 7.2 MR1    | DHCP, HTTP (see slide 7)   |
| Cisco Catalyst 4500 Supervisor Engine 7-E and Supervisor Engine 7L-E | 15.1(1)SG | CDP, LLDP, DHCP        |
| Cisco Catalyst 3560, 3560-E, 3560-X, 3750, 3750-E, 3750-X        | 15.0(1)SE2 | CDP, LLDP, DHCP            |

SPAN and DHCP: no recommendation text survived the transcript beyond the device sensor entries above.

SNMP probe:
- Watch out for high SNMP traffic due to triggered RADIUS Accounting updates.
- Do NOT set the polling interval too low for polled queries.
- Set the optimal PSN for polling in the ISE NAD configuration.
- The primary use case for SNMP traps is non-RADIUS appliances (e.g. NAC Appliance).

Netflow:
- Use ONLY for specific use cases; potential for high load on network devices and the PSN.
