Tag Archives: ACS5.0

802.1X Challenges For Department of Defense

Aamir Lakhani wrote a fantastic post on 802.1x for DOD. You can find the original posting at www.cloudcentrics.com

The Department of Defense added a requirement that all network ports, or on-ramps, need to be protected. Applications, servers, and data are normally protected; however, most network ports are left open. You get onto a network by plugging into a port, and a network address is allocated for the connection. Computers without proper authentication are free to launch attacks from the network. Network port lockdown restricts anonymous access and prevents these “attacks”.

When network protection is turned on and a machine plugs into the network, no network access is given until the machine is authenticated to the network.

A few years ago, NAC solutions tried to accomplish the goal of locking down networks. Most of my customers hated NAC. It added a layer of complexity that made the network behave unnaturally and harder to support. It used a variety of ports, protocols, and physical boxes to implement. In short, it was complicated. NAC-supported networks broke down often, causing nightmares for the legitimate users trying to get access and for the people supporting those networks.

What are people doing to support port lockdown today at the Department of Defense and other large enterprise organizations? Surprisingly, the solution has been around for a long time to help secure wireless networks. It is called 802.1x. Historically, 802.1x has worked great on wireless networks and has always been a little troublesome on the wired ports. But things have changed with enterprise policy servers (Cisco Identity Services) that make the connection more easily configurable on modern day operating systems such as Mac OS X Mountain Lion and Windows 8.

How does 802.1x work? According to Wikipedia, IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is part of the IEEE 802.1 group of networking protocols.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the client device that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point. The authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. A comparable situation is presenting a valid visa at the airport’s arrival immigration booth before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as a user name / password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.


Filed under Network Admission Control

Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now – Update Reviewed

Cisco has posted the next release of its flagship security solution, Identity Services Engine ISE 1.1.1, or ISE 1.1MR. ISE 1.1.1 is coined a maintenance release; however, it includes some important new features, several of them themed around Bring Your Own Device (BYOD).

You can find the ISE 1.1.1 release HERE and the latest ISE 1.1.1 documents HERE, or go to www.cisco.com/go/ise for more information and http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html for ISE 1.1.1 documentation.

Here is a breakdown of what is new with ISE 1.1.1:

  • New Default Authorization Profile (“Blacklist”) - ISE 1.1.1 can now “blacklist” user devices that get “lost,” or otherwise become unusable or are taken out of circulation, until the device can be reinstated or has been completely removed from the network. Cisco ISE 1.1.1 removes “blacklisted” devices from the network, and they are not allowed back on until the device is reinstated.
  • Dictionary Attribute-to-Attribute Authorization Policy Configuration - You now have the option, when constructing policy conditions in an Authorization Policy, to specify another Dictionary Attribute to which you can associate the source Attribute during policy configuration.
  • New Device Registration Task Manager - A new visual path through the various Cisco ISE 1.1.1 administration and configuration processes an administrator needs to complete to set Cisco ISE 1.1.1 up to provide multiple, configurable device support for end users.
  • Native Supplicant Provisioning Profile Configuration - Configure native supplicant profiles for client provisioning in addition to the existing “ISE Posture Agent Profiles” available in Cisco ISE Releases 1.0.4 and 1.1. This profile type allows you to specify settings for user registration via personal devices like iPhones/iPads and Android devices.
  • Enhanced Client Provisioning Policy Configuration - You can now create or edit client provisioning policies to allow for expanded personal device support, including iPhones/iPads and Android. For the personal device support, specifically, you can configure the policy to upload the appropriate configuration wizard necessary to enable the user’s device to negotiate and register with Cisco ISE 1.1.1. (NOTE: In my example below, I’m using the iOS and Android native wizards, while I downloaded the Mac OS X and Windows wizards from Cisco.)
  • SCEP Authority Profile Configuration Page - Enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE 1.1.1 verifies and maintains connectivity with the SCEP authority server(s) you specify, and even performs load balancing among multiple servers to ensure optimal connectivity for users when they use their personal devices to access the network.
  • RADIUS Proxy Attribute - Enhances the RADIUS sequence flows and processing. When an Access-Accept is received from an external RADIUS server, Cisco ISE 1.1.1 continues to the configured authorization policy for further decision making based on additional attributes and groups queried from AD and LDAP.
  • EAP Chaining - Allows authenticating both machine and user in the same EAP-FAST authentication, in a configurable order. When the EAP-FAST authentication result is determined, Cisco ISE 1.1.1 allows you to apply authorization policy depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE 1.1.1 performs the usual EAP-FAST authentication.
  • EAP-TLS as an Inner Method for EAP-FAST - Allows use of the EAP-TLS protocol as an inner method for EAP-FAST. The implementation is equivalent to using EAP-TLS as an inner method of PEAP.
  • Device Registration Portal - A standalone portal that can be completely customized to suit your organization. A network access user who is configured as an employee in an organization can access the portal, which allows them to bring their personal devices into the enterprise network through employee authentication followed by a device registration process. Employees can manage their devices (add, edit, reinstate and delete) through this portal. Cisco ISE 1.1.1 adds these devices to the endpoints database and profiles them like any other endpoint. Cisco ISE 1.1.1 administrators can manage the registered endpoints from the administrator user interface, using the identities list and reports.
  • New Reports in Cisco ISE 1.1.1
    • Supplicant Provisioning Report - This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) for a specific period of time.
    • Registered Endpoint Report - This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) by a specific user for a selected period of time.
  • Change of Authorization - Triggers a CoA when an endpoint is added to or removed from an endpoint identity group that is used by authorization policy. The CoA is triggered whether the change in endpoint identity group assignment results from dynamic profiling or from a static assignment.

Go download the latest ISE 1.1.1 release. The upgrade process will take around 30 minutes to complete. Here is what it will look like:

ISE-10MR2/admin# application upgrade ise-appbundle-1.1.1.268.i386.tar.gz ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade…
Stopping ISE application before upgrade…
Running ISE Database upgrade…
Upgrading ISE Database schema…
Upgrading Session Directory… Completed.
ISE Database schema upgrade completed.
Running ISE Global data upgrade as this node is a STANDALONE…
Running ISE data upgrade for node specific data…
% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes successfully.
The mode is licensed.
 % This application Install or Upgrade requires reboot, rebooting now…
 Broadcast message from root (pts/0) (Wed Jul 11 15:27:38 2012):
 The system is going down for reboot NOW!


Filed under Network Admission Control

Cisco Identity Services Engine ISE 1.1 Profiling – Identify And Monitor What Is On Your Network

Many network administrators do not have a method to know what is on their network. Devices may be very basic yet use IP for updates or heartbeat purposes (examples are printers, card readers, even some refrigerators). Other issues could be users not having administrator privileges on their systems or, recently, the demand to bring personal mobile devices onto the network. For these and other reasons, visibility into what is on the network is becoming blurred.

Cisco released its flagship access control solution, Cisco Identity Services Engine (ISE), last year with the goal of using identity as a means to provision network access. Many people evaluating Network Admission Control solutions get caught up with the concept of denying access rather than understanding that a core purpose of these solutions is identification. Cisco ISE is able to profile devices using a number of network probes that analyze the behavior of devices on the network to determine what they are. Probes are optional, yet best practice is to enable as many as possible to gain the best network visibility. The probe options are NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, NMAP, DNS, SNMP Query and SNMP Traps. The ports used are configurable, as are the device profiles. For example, if an Avaya phone profile requires DHCP data for identification, that requirement can be adjusted if DHCP is not available.

To prove the ISE network monitoring concept, I stood up an ISE system on a small server, enabled all profiling probes and let it sit on my network overnight. ISE did not have AAA set up, user information, 802.1x or device management enabled. Consider this ISE system a server / laptop plugging into a DHCP port and sniffing the wire using profiling probes.

My network is very basic. I have a small Cisco firewall providing LAN access, with a Roku Netflix player, Blu-ray device (off during the test) and a Cisco Access Point powered from the firewall. ISE was able to identify my laptop as an Apple workstation running Lion, my printer as a Canon device (I turned it on for 5 minutes to scan a document and powered it down), my Mac Mini as an Apple device hosting VMware, an Apple iPad connecting to the Access Point, and an iPhone connected but not surfing the internet (seen as an Apple iDevice since it generated little network traffic). This was done without using the new NMAP feature.

I verified the findings by launching an NMAP scan and found a consolidated list of active devices. (Note this is the MR1.1 release; however, 1.1 includes NMAP as well.)

Cisco Identity Services Engine ISE is a very powerful access control tool, yet many forget the simple things in life. Consider ISE for identifying what is on your network, using profiling as a network monitoring tool. It’s a great first step to establishing your network policy.


Filed under Network Admission Control

Cisco Identity Services Engine 1.1 Update Is Now Available – Some Details On The Release | ISE

ISE 1.04 and ISE 1.1 (screenshots)

Cisco recently released the latest update for Identity Services Engine (ISE). Below are some features and findings. My team has been running this in the lab for a while and so far it’s been rock solid. For those who have seen Cisco Prime Network Control System (NCS), the ISE GUI now has the same theme (see the pictures above and below).

ISE 1.04 (screenshot)

ISE 1.1 (screenshot)

FEATURES

  • Common Criteria Certification – This release will be submitted for Common Criteria Certification, which is a requirement for many federal agencies.
  • FIPS
  • ISE 802.1x services with Common Access Card (CAC), including NAC & AnyConnect Agent
  • IOS Sensor on 15.0(1)SE1 for Catalyst 3000 and IOS 15.1(1)SG for Catalyst 4000. This is huge for profiling since it’s the first time Cisco is leveraging the switches for profiling data rather than probing from the ISE server down (like all other profiling-type solutions). It makes sense to do this since the information typically being probed is already available on the switches. *Catalyst 2000 support and DHCP data for IOS Sensor will come later.
  • Active Endpoint Scanning – Manual scan and specific scan action per profile template
  • Endpoint Protection Services (aka blacklisting devices) – Enables administrators to quarantine devices by IP or MAC address.


  • Multiple language support for guest, sponsor and client provisioning portals.
  • NAC agent, AnyConnect NAM client, ISE user input fields and reports.
  • Guest without Logon (Device registration WebAuth). Simple URL for Sponsor Portal Access (A simple, short link). Custom Portal Theme
  • OCSP Support
  • NTP Server authentication
  • External Authentication for Administrators (including CAC)
  • ISE VM Appliance will include VMware Tools
  • SGA Out Of Band PAC Provisioning
  • SGACL Monitor Mode
  • NMAP added to profiling

SOME OTHER THINGS TO NOTE ABOUT THE ISE 1.1 RELEASE:

  • There are some Internet Explorer 8 problems that are performance related. The current release notes claim “be patient” and “click several times”.
  • There are some disk space and performance issues on the UCS SATA-2 storage systems.
  • We have been running it on vSphere 5.0 without a problem even though 4 is the supported platform. The same goes for ISE 1.04.
  • ISE IPEP will need to be disconnected and use certificate-based authentication to connect to a PAP prior to upgrade: http://www.cisco.com/en/US/docs/security/ise/1.1/release_notes/ise1.1_rn.html#wp248769 - IPEP Bug CSCtu39612

ISE 1.1 release notes can be found HERE


Filed under Network Admission Control

Are you 802.1x ready? What it takes to enable 802.1x using Cisco ISE

There is a lot of interest in enabling 802.1x for access control. Certificate-based security is an industry standard and is mandated by many federal agencies. Cisco’s first 802.1x based access control solution started with ACS and is currently enforced by its flagship access control solution, Identity Services Engine (ISE).

We have heard from some administrators that 802.1x is almost impossible to enable and something they don’t have the staff to maintain. The truth is that 802.1x is like most technologies: it requires a basic understanding of core concepts and must be designed correctly for a project to be successful. Here are some concepts to take into consideration while looking at Cisco or other 802.1x solutions for your network.

1) MONITOR ONLY – 802.1x can be deployed in a Monitor Only mode, meaning you can turn it on without impacting the network. This is huge because it dramatically reduces the risk of 802.1x deployment issues: you troubleshoot the error messages before going live. Unlike many technologies, you don’t have to “cut over and troubleshoot”.

2) PROFILING – Cisco ISE offers network profiling, which has two key benefits. ISE can identify all devices on the network so you can plan how access control will be handled for each device type prior to enforcement. ISE can also keep monitoring those devices, meaning that if a hacker spoofs a printer, the spoofed IP will behave differently on the network and be blocked. This is a more secure option than whitelisting devices. Best practice is planning device security via VLANs, ACLs, etc. prior to moving out of 802.1x monitor mode.

3) SUPPLICANT – 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The authenticator acts like a security guard: the supplicant (for example, a laptop) is not permitted access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. The supplicant provides credentials, such as a user name, password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. The most commonly used supplicants are built into Windows operating systems, meaning you don’t have to distribute any new software or clients. Some devices don’t support 802.1x; for those, best practice is using a combination of MAC address and profiling to provision and maintain the credibility of those devices.

4) SYSTEM MANAGEMENT – A common question is “how many people does it take to maintain an Access Control solution such as 802.1x?”. The answer varies with the size of the network, the level of desired security and other factors. Regardless, the goal of an Access Control solution is to automate and enforce the existing security infrastructure. For example, port security is a form of access control that typically requires manual effort to maintain. Access Control solutions should reduce the required management hours by automating user and device access. The same concept goes for troubleshooting and locating rogue devices.

5) CONFIGURATION – 802.1x is an industry standard and uses switch level commands. Best practice is to build a template in a network management tool and push out the 802.1x Access Control configurations to switches to reduce the chance of misconfiguration.

Here is a line-by-line example of configuring a switch for monitor-only 802.1x:

//Enable AAA, port-based authentication, VLAN/ACL authorization and 802.1x / MAB accounting
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius
Switch(config)# aaa accounting dot1x default start-stop group radius

//Specify the host and ports of the RADIUS server, pre-shared key, attributes, and RADIUS request source interface
Switch(config)# radius-server host ise-1.demo.local auth-port 1812 acct-port 1813
Switch(config)# radius-server key thesecurityblogger
Switch(config)# radius-server attribute 6 on-for-login-auth
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server attribute 25 access-request include
Switch(config)# radius-server dead-criteria time 5 tries 3
Switch(config)# ip radius source-interface g0/24

//Test RADIUS from the switch (user "usertest", password "password") before touching any port
Switch# test aaa group radius usertest password new-code

//Globally enable 802.1x
Switch(config)# dot1x system-auth-control

//Port level commands
Switch(config)# interface range g0/1-3, g0/5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# authentication port-control auto
Switch(config-if-range)# dot1x pae authenticator
Switch(config-if-range)# mab

//ISE monitor only mode config: "authentication open" lets traffic through even when authentication fails
Switch(config-if-range)# authentication open
Switch(config-if-range)# authentication host-mode multi-auth
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# authentication order mab dot1x
Switch(config-if-range)# authentication priority dot1x mab
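As an added example (not from the original post), here is a small Python audit that reads a running-config in the shape of the commands above and reports, per access port, whether 802.1x is disabled, in monitor-only mode (the "authentication open" line) or in closed mode, together with any missing global prerequisite. The sample configuration and interface names are constructed; only the command syntax is taken from the post.

```python
"""Audit an IOS running-config for 802.1x readiness and monitor-only mode."""
import re
from dataclasses import dataclass, field

# Global commands that must exist before any port-level 802.1x command works
# (the same commands the post enters in global configuration mode).
GLOBAL_PREREQS = {
    "aaa new-model": re.compile(r"^aaa new-model$"),
    "aaa authentication dot1x": re.compile(r"^aaa authentication dot1x \S+ group radius"),
    "dot1x system-auth-control": re.compile(r"^dot1x system-auth-control$"),
    "radius-server host": re.compile(r"^radius-server host \S+|^radius server \S+"),
}


@dataclass
class PortReport:
    name: str
    mode: str                            # "disabled", "monitor" or "closed"
    findings: list = field(default_factory=list)


def parse_interfaces(config: str) -> dict:
    """Group the indented lines under each 'interface ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None               # '!' or a global command ends the stanza
    return stanzas


def audit_port(name: str, lines: list) -> PortReport:
    """Classify one access port and list what would stop 802.1x/MAB from working."""
    has = set(lines)
    if "authentication port-control auto" not in has:
        return PortReport(name, "disabled",
                          ["no 'authentication port-control auto': the port never challenges"])
    # 'authentication open' is the monitor-only switch: traffic flows even on auth failure.
    mode = "monitor" if "authentication open" in has else "closed"
    report = PortReport(name, mode)
    if "dot1x pae authenticator" not in has:
        report.findings.append("missing 'dot1x pae authenticator': EAPOL is never started")
    if "mab" not in has:
        report.findings.append("no 'mab': devices without a supplicant cannot be identified")
    if mode == "closed" and "authentication host-mode multi-auth" not in has:
        report.findings.append("closed mode without multi-auth: a phone or hub behind the port is cut off")
    return report


def audit_config(config: str) -> dict:
    """Return {'missing_global': [...], 'ports': {interface: PortReport}}."""
    global_lines = [ln.strip() for ln in config.splitlines() if not ln.startswith(" ")]
    missing = [name for name, rx in GLOBAL_PREREQS.items()
               if not any(rx.match(g) for g in global_lines)]
    ports = {name: audit_port(name, lines)
             for name, lines in parse_interfaces(config).items()
             if "switchport mode access" in lines}
    return {"missing_global": missing, "ports": ports}


# Constructed sample in running-config form (not taken from a real switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host ise-1.demo.local auth-port 1812 acct-port 1813
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 mab
!
interface GigabitEthernet0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    print("missing global prerequisites:", result["missing_global"] or "none")
    for port in result["ports"].values():
        print(f"{port.name}: {port.mode}", *port.findings, sep="\n  ")
```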


Hopefully this helps with the confusion around considering 802.1x and Cisco ISE.


Filed under Network Admission Control

Addressing Bring Your Own Device (BYOD): How to manage and secure mobile endpoints

The majority of today’s workforce uses multiple devices such as laptops, tablets and smartphones (i.e., they bring their own device, or BYOD). Leadership in most industries is being asked to permit these devices on the network in some limited or full fashion. Common BYOD questions are “how do I support growth for users with multiple devices?”, “what type of access should guests and employees use for mobile devices?”, “how do I provision corporate mobile devices?”, and “what security vulnerabilities am I exposed to by permitting mobile devices?”. All are good questions and can be addressed by focusing on three core BYOD concepts: Infrastructure, Access Control and Device Management.

The first thing to consider for BYOD is whether your wireless network can support growing from one device per user to potentially 2-4 devices. The best way to find out is by performing a wireless assessment to verify capabilities and the potential risks caused by obstacles and nearby rogue networks (i.e., a Starbucks using a similar RFID channel). Security features such as wireless intrusion detection and prevention (WIDS/WIPS), as well as controlling the number of permitted associated devices per user, should be considered for BYOD to guarantee scalability and service.

Another common area of concern for BYOD is provisioning access to employees and guests. The first BYOD question typically asked is “should all mobile devices be handled by a separate network, or should employee-owned mobile devices share the same core network while guest devices use another network?”. However you plan to permit mobile devices, best practice for BYOD is to automate the process based on multiple factors such as device type, user authentication and risk status. Policies permitting employee access using personal devices should have a process to register and track those devices (i.e., a web registration page like in hotels) rather than an “employee wireless password” that could get compromised and is not associated with a device. Many solutions such as Cisco Identity Services Engine (ISE) offer self-registration to eliminate the need for employee or guest users to deal with an IT member to gain network access. Solutions that leverage profiling technologies can automatically assign specific access types based on operating system, device type and other details (i.e., provide different access for iPhones and Androids) so you know who and what is on your network. “Knowing is half the battle”, GI JOE.


The final piece of the BYOD puzzle is device management. Most mobile hardware vendors give power to device owners, meaning Apple, Android, etc. device users can take themselves out of compliance at any time (BlackBerry is the only exception). Solutions such as MobileIron and AirWatch provide methods to assess devices for high-risk factors such as jailbreaking or using unapproved applications, which is crucial for BYOD. Application-based endpoint management solutions verify devices and either permit or deny corporate services such as email based on policy status (i.e., no email service while Angry Birds is installed). Common BYOD policies are enforcing the use of passwords, remotely locking devices, denying hacked devices, provisioning specific applications and having the ability to remotely wipe only corporate data. The mobile security market leaders offer a breadth of operating system and hardware options as well as easy methods to communicate when end users fall out of compliance.

Industry leaders in security are focusing on BYOD by developing solutions for mobile devices. RSA and Symantec recently released data loss prevention (DLP) for mobile devices to prevent sensitive information such as social security numbers from moving to or from mobile devices. Network vendors such as Cisco are partnering with mobile manufacturers to address BYOD by offering VPN technology that encrypts traffic from mobile devices while off the corporate network. There are many options for endpoint security when looking at BYOD, and the investment in mobile security should match that for protecting laptops and desktops, regardless of whether the employee owns the asset.

Filed under Bring Your Own Device BYOD, Host And Mobile Device Security, Network Admission Control

Configuring Cisco ISE With Wireless For Mobile Device Access Control : iPad Android Etc.

My team built a Cisco Identity Services Engine ISE demo lab designed to secure mobile devices such as iPads, Androids, etc. We ran into a few snags; however, in the end we got the system to work nicely. Here is a guide to help you build a Cisco ISE lab for securing mobile devices.

First, the assumption is that you have a standard Cisco ISE configuration built. In our lab, we use Cisco UCS to host a virtualized ISE appliance, Active Directory and other services. For hardware, we had a Cisco 3560 switch running 12.2 55E (downgraded from 12.2 58), an ASA 5505 (for outbound NATing, info HERE) and a Cisco wireless network consisting of two APs and a WLC appliance (NOTE: the WLC MUST run 7.X code for RADIUS between ISE and the WLC to work!!!). The ISE system was synched with AD for three identity groups (employees, contractors and guests). We used the default 90-day demo license and enabled all profiling probes. The wireless system was built in a standard fashion.

To start off, it’s VERY important to check the time in AD (Windows clock) and ISE (show clock command). If time is not synched, your RADIUS authentication will fail with a variety of funky error messages (see the ISE monitor image above). Once groups are added, test AD users in ISE under External Identity Store, AD, Connect to make sure the AD / ISE integration is working. Next go to Authentication and verify you have a default 802.1x policy. Click the little triangle and change the ISE identity source to AD (see below). This tells ISE to query AD for any device accessing the network using 802.1x. Next go to Network Devices under Administration and add a new network device. Fill out the form for your Wireless LAN Controller and configure a shared RADIUS key (Cisco guides explain this).

On WLC, go to security and add ISE for radius authentication and accounting. Make sure to match the shared secret used in ISE! Next create the WLAN for your environment. Under Security and Layer 2 in your WLAN, make sure Auth Key Mgmt is set to 802.1x. Under the AAA Server tab add your services via selecting from the scroll down section or manually. Under advanced, check AAA override and scroll down to radius NAC under NAC state. Enable your WLAN and save.

Back in ISE, go to Profiling under Policy and select the mobile profiles you want to include in your lab. Each profile by default will state “Use Hierarchy”. Change this to “Create Matching Identity Group” (see image below).

Next go to Rules under Policy and click down into the Authorization Profiles section under Authorization. This section tells ISE what to do with authorized users. In our ISE lab, we created iPad Employee and iPad Guest policies, in which employees were put into VLAN 10 and guests into VLAN 20. You can put users on the same VLAN and apply ACLs for control, create a redirection if posture is desired, or use other combinations of security. Spend time learning the different options for authorization.

The final step is building your ISE Authorization policy under the Policy tab. We created rules for specified devices as the Identity Source, such as Apple-iPad and Apple-Device as seen in the default profiling section. NOTE: The device profiles you changed to "Create Matching Identity Group" will appear here. Under Conditions, click New Condition, select your AD, select = and whichever group of users should apply. Below is our ISE policy covering general Apple devices, iPads, iPhones and PC workstations for employees and guests. An example: the Identity Group is Apple-iPad, the condition is AD user group = AD_group_employes, then apply iPadEmployees, which means all iPads used by employees end up in VLAN 10 as specified by the iPadEmployee policy.

Hopefully this guide helps you with your ISE mobile device testing.


Cisco Identity Services Engine ISE Profiling: Profiler Explained

I've received a handful of support cases from engineers and customers around Cisco Identity Services Engine ISE Profiling. Questions range from "why are my devices showing up as UNKNOWN" to "how does ISE Profiling work?" Here is a breakdown of how ISE Profiling works for version 1.0.

NOTE: There are some VERY cool things coming from Cisco in the near future on this topic so stay tuned.

Cisco ISE Profiling is an Advanced subscription license feature used to identify what endpoints are, based on network data obtained from a number of enabled probes. Use cases range from managing access rights for devices that don't authenticate (i.e. printers, card readers, etc.) to developing policies around device types (i.e. handling iPads differently from laptops). Accuracy about device types increases as more probes are enabled. Cisco ISE probe options are NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, DNS and a few SNMP Trap/Query options. Probes view network traffic seen by designated sensors (i.e. an ISE-enabled switch). If you quickly plug and unplug a laptop into a switch, most likely ISE Profiling will only see the SNMP link-up trap and know very little about the device. If the device stays plugged in and attempts to access the web, ISE Profiling will see more data and be able to make a more accurate determination of the device's identity.

Cisco ISE profiling has categories for devices obtained from the cloud or through customization. Each category has specific "weights" assigned that are measured against the device data. As Cisco ISE profiling captures data, different attributes trigger categories as the assigned weight values are met. For example, an iPad will move from UNKNOWN to APPLE DEVICE based on MAC address, network card manufacturer and other info. As more data is collected about the iPad, Cisco ISE profiling uses other attributes to move it from APPLE DEVICE to iPad. Custom categories can be created from UNKNOWN or existing profiles; however, the majority of device profiles are obtained through the cloud. Profiling is continuous, meaning that if a device is spoofed, its behavior will give away its true identity, providing continuous monitoring of device types on your network.

NOTE: If certain probes or data are not available, you may need to tune a category's weight. I had a customer who did not use DHCP on their network, which is weighted very high for the AVAYA PHONE category. I had to adjust DHCP to a lower weight in the default AVAYA category before all phones were profiled properly.

Some common issues I have seen in the field are:

1) Profiling is not working:

  1. Check that ISE Profiling Services is enabled under General Settings.
  2. Verify which probes are enabled under the Probe Config tab.
  3. Verify the switch you are testing supports the probe. For example, if you use SNMP RO, the switch needs the SNMP-SERVER commands configured so it sends data to Cisco ISE Profiling. The switch also needs to be managed by ISE via the Network Devices tab.
  4. You may need an ip helper-address pointing at the ISE device when using the DHCP probe so ISE sees the DHCP data.

2) Devices remain as UNKNOWN

  1. Verify which catalog/profile you are attempting to hit. Click the UNKNOWN device and review its characteristics. Make sure the probes that are enabled are the ones used by the category you are trying to match. See the AVAYA PHONE example above. You may need to adjust category weights if specific data is not used or not seen by ISE.
  2. Click the UNKNOWN device and verify which probes are actually working. ISE Profiling will show what it knows. Go to the Monitoring section and click the device details; ISE shows the communication in detail.
  3. Make sure you have updated your ISE system. If you haven't updated ISE, it won't have any categories. There are air-gap steps for customers who don't want ISE to touch the internet.

3) Devices remain in a generic category.

  1. This problem is similar to remaining UNKNOWN. Verify the desired category's weighted attributes and match them against what ISE is seeing for the device under Monitoring. You may either have to tune weights, or you may not have enough data due to a lack of probe information. Options are to enable more probes or to use MAC address based authentication (MAB, MAC Authentication Bypass) to recognize devices.
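The weighted, hierarchical matching described above (UNKNOWN to APPLE DEVICE to iPad as probes contribute attributes) and the "devices remain UNKNOWN when probe data is missing" case from the checklist, as a simplified Python model added here. This is not Cisco's profiler code; the profile names, conditions, weights, minimum certainties and probe events are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    name: str
    parent: str         # hierarchy: Apple-iPad sits under Apple-Device ("" = root)
    min_certainty: int  # sum of matched condition weights needed to claim the profile
    conditions: list    # (attribute, test, weight) triples, one per probe-fed attribute

# Constructed sample profiles; the weights and thresholds are assumptions.
PROFILES = [
    Profile("Apple-Device", "", 10, [("oui", lambda v: v == "Apple", 10)]),
    Profile("Apple-iPad", "Apple-Device", 20, [
        ("oui", lambda v: v == "Apple", 10),
        ("dhcp_hostname", lambda v: "ipad" in v.lower(), 10),
        ("user_agent", lambda v: "iPad" in v, 20)]),
    Profile("Windows-Workstation", "", 20,
            [("user_agent", lambda v: "Windows" in v, 20)]),
]
BY_NAME = {p.name: p for p in PROFILES}

def certainty(profile, attrs):
    """Add up the weights of conditions satisfied by the attributes seen so far."""
    return sum(w for a, test, w in profile.conditions if a in attrs and test(attrs[a]))

def depth(profile):
    return 0 if not profile.parent else 1 + depth(BY_NAME[profile.parent])

def profile_for(attrs):
    """Most specific profile whose minimum certainty is met (ties go to the higher
    certainty); if nothing matches, e.g. only a link-up trap was seen, stay UNKNOWN."""
    matched = [p for p in PROFILES if certainty(p, attrs) >= p.min_certainty]
    if not matched:
        return "UNKNOWN"
    return max(matched, key=lambda p: (depth(p), certainty(p, attrs))).name

def reprofile(events):
    """Profiling is continuous: merge each probe's attributes and re-evaluate."""
    attrs, history = {}, []
    for probe, seen in events:
        attrs.update(seen)
        history.append((probe, profile_for(attrs)))
    return history

# Constructed probe events for one iPad: the SNMP trap yields only the OUI, the
# DHCP probe adds the hostname and the HTTP probe adds the User-Agent.
IPAD_EVENTS = [("SNMP-trap", {"oui": "Apple"}),
               ("DHCP", {"dhcp_hostname": "Mikes-iPad"}),
               ("HTTP", {"user_agent": "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X)"})]
```

Running `reprofile(IPAD_EVENTS)` shows the endpoint climbing from Apple-Device to Apple-iPad only once the DHCP or HTTP probe delivers data, which is why a device seen solely through an SNMP link-up trap stays generic or UNKNOWN.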

Hope this helps with your Cisco ISE Profiling adventures.


Cisco Identity Services Engine ISE 1.0.4 Released


Information on the Cisco Identity Services Engine ISE 1.0.4 release:
Highlights of Cisco Identity Services Engine ISE 1.0.4
Release notes for Cisco Identity Services Engine ISE 1.0.4

Here is a summary of the Cisco Identity Services Engine ISE 1.0.4 release:

1) Integration of Cisco NAC Appliance Release 4.9 with ISE 1.0.4, available when you have installed an Advanced or Wireless license on the maintenance release of Cisco ISE. This is important for customers with NAC Appliance looking to add profiling. The Cisco NAC Profiler appliance is no longer for sale, so this release permits using ISE 1.0.4 as the profiling element for NAC Appliance installations.

2) New Wireless License options enable the same number of endpoints on existing ISE 1.0.4 Base and Advanced License package

3) Upgrade and Backup/Restore enhancements: Upgrade ISE 1.0 to ISE 1.0.4. To move from ACS 5.1/5.2, migrate to ISE 1.0 first and then upgrade to ISE 1.0.4; do not migrate directly from ACS to ISE 1.0.4.

4) Administrator lockout following failed attempts and administrator password reset: In the new release, the admin account can be locked out after a number of failed login attempts. The instructions on how to reset the "locked" administrator password are described in the "Performing Post-Installation Tasks" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release ISE 1.0.4.

5) Client support for Windows Internet Explorer 9 and Mozilla Firefox 4.x browsers and the Mac OS 10.7 operating system

6) Cisco ISE 1.0.4 does not consume advanced licenses when endpoints are statically assigned to a profile

7) Profiling update: Correlating IP addresses and MAC addresses of endpoints using DHCP and RADIUS probes. The Cisco ISE 1.0.4 release implements an ARP cache in the profiler service so that you can reliably map IP addresses and MAC addresses of endpoints.

8) Some Cisco ACS-to-Cisco ISE 1.0.4 Migration updates


How To Migrate To Cisco Identity Services Engine (ISE): NAC to ISE /ACS to ISE

Today you may have Cisco NAC Appliance or ACS and have heard great things about Cisco's latest access control technology, known as Identity Services Engine (ISE). What are your options to migrate to ISE? Here are some things you should know.

NOTE: These tips apply to how things are August 2011.

OVERVIEW:
ISE provides all the functionality of the legacy NAC Appliance, NAC Profiler and NAC Guest Server. ISE provides all the functionality of ACS except device administration. This makes all existing customers running these services, except ACS device administration (TACACS/RADIUS), upgrade candidates. Many customers are keeping ACS for device management and purchasing new ISE solutions.

SOFTWARE
ISE is a free software upgrade for customers who have NAC Appliance or NAC Profiler. This applies to both the Base and Advanced licenses.

ISE carries a 50% software discount for customers who have ACS or NAC Guest Server. The 50% discount is a migration part for the Base license only; the Advanced features license is not affected by this discount.

HARDWARE
ISE is supported on current generation NAC appliance hardware (3315, 3355,3395) and ACS (1121) hardware.

ISE is not supported on any previous generation hardware (3310, 3350, 3390, 1120, 3140, etc.). There are hardware/VMware migration discounts for customers moving from these platforms to the latest appliance or VMware systems.

ISE is available in appliance and VMware. There are VMware bundle options to increase discount when purchasing multiple VMware instances.

ISE hardware is discounted if the customer owns older NAC appliance (3310,3350 or 3390) or ACS appliance (1120).

Example 1:
Customer has a NAC manager appliance, 2000 user Cisco NAC Server appliance, Cisco Profiler appliance and Cisco Guest server. All hardware is the newer model IBM appliances (3315,3355 or 3395). The customer can get ISE software at no cost. They can download ISE .ISO for free from cisco.com and reimage the appliances to the latest ISE software. They can order a license from a Cisco partner at no cost as long as they have an active Smartnet contract and the supported hardware. The customer only needs one license since license management is centralized regardless of the number of existing appliances.

Example 2:
Customer has a NAC Manager appliance, a 2000-user NAC Server, Cisco Profiler and Cisco Guest Server. All hardware is older HP servers (3310, 3350 or 3390). The customer can download the ISE .ISO for free from cisco.com and order a license at no cost. The hardware will not support ISE. This customer will have to migrate to the latest ISE appliance or VMware system for each NAC appliance server. The cost of the hardware will be discounted.

Example 3:
Customer has Cisco ACS supporting 2000 users and wants to migrate to ISE. They will need to purchase the 50%-discounted ISE Base license and full-price Advanced licenses. They will need to migrate to ISE via VMware or an appliance if they don't own an ACS 1121 appliance.
