Cisco ISE

By | 23/02/2015

Basic Concepts

Policy Administration – Policy Decission – ISE (Identity Services Engine)
Policy Enforcement – Network Access Devices – Switches, Wireless, Routers
Policy Information – NAC Agent, NAC Web Agent, 802.1X Supplicant (AnyConnect)

Authentication Methods:

  • 802.1x (NAC Agent, 802.1x supplicant)
  • MAC Authentication bypass (MAB) – Database of the MAC Address of the devices that don’t support 802.1x (printers, cameras)
  • Web Authentication
  • VPN Authentication

Authorization Methods:

  • ACLs (dACL, Named ACL, time based ACL)
  • VLANs assignation
  • Security Group Access – Cisco TrustSec – SGT – Security Group Tagging

Change Of Authorization – Method to change an endpoint authorization status after meeting some conditions, such as checking the security compliance of the endpoint. Needs to be supported by the Network Access Device.

Radius: standard-based for AAA services.

TACACS+: AAA protocol developed by Cisco. Supports command by command basis authorization. Provides accounting for device changes audit.

Current version of ISE: 1.3 (November 2014)

 

ISE Deployment

ISE can run on 3415, 3455, 3495 servers or VMWare

Personas:

  • PAN – Policy Administration Node
  • PSN – Policy Service Node
  • MNT – Monitoring and Troubleshooting Node

Failover behavior

  • Admin persona, handles the administrator changes and publishes them to the Policy Service Node. Secondary node needs to be promoted manually.
  • PSN – Redundant PSNs will work concurrently. If one files, the other will continue working.
  • Monitoring Node – If primary fails, secondary will be promoted to primary automatically.

Standalone deployment

  • All personas in the same box.
  • Up to 10.000 endpoints

Redundant deployment

  • Both boxes still have all the same personas. Primary node and Secondary node.
  • Up to 10.000 endpoints

Distributed deployment

  • Two redundant boxes with Admin and Monitoring personas
  • Up to 5 Policy Service Nodes
  • Up to 10.000 endpoints

Distributed deployment, up to 250.000 endpoints

  • Two boxes with Admin roles
  • Two boxes with Monitoring roles
  • Up to 40 PSNs

PSNs can be clusterized in a L2 level.

NAD – Network Access Devices will have the prioritized list of the PSNs that they will use

 

802.1x

802.1x Host Modes

  • Single Host Mode – Only one device (MAC Address) per port. Second causes unauthorized port state.
  • Multiple Host mode – (hub usage). first device defines authentication, other devices get same access.
  • Multiple Domain Authentication (MDA) mode – Data + Voice. Independent authentication for each device.
  • Multiple Authentication mode – Authenticates every MAC address. Same VLAN but ACL per device.

Deployment modes

  • Monitor mode
    • Before authentication: Authentication Open + Full access
    • After authentication: Full access
    • configuration: authentication open
  • Low impact mode
    • Before authentication: Authentication OPEN + Pre ACL to limit the traffic
    • After authentication: Full access or controlled access through ACL
    • configuration: authentication open + ip access-group default-ACL in
  • Closed mode
    • Before authentication: No access allowed. Only EAPOL allowed.
    • After authentication: Full access or controlled access through AC

 

EAP

EAP – Extensible Authentication Protocol

End user speaks 802.1x with the Network Access Device through a Suplicant. (EAPOL)

Network Access Device speaks Radius with the ISE PSN node. (EAP/Radius)

System uses EAP-X end to end

  • EAP-FAST: Symetric Cryptography. It uses PAC keys (protected access credentials) that are exchange between endpoint and PSN. They could be eavesdropped. The keys are used to create a tunnel to send the credentials.
  • EAP-PEAP: Only a certificate on the PSN is required. The certificate is delivered to the endpoint. The endpoint uses the public key of the PSN certificate to create a session key and setup a tunnel to send the User and Password through it
  • EAP-TLS: Both PSN and endpoint requires a certificate. No encryption is required as they will do an exchange of the public keys. Downside is the big quantity of certificates to be managed.
  • EAP-MD5 – CHAP: Challange – response. No server authentication. Vulnerable to MITM attacks
  • EAP-MSCHAPv2: Challange – response with hashing. Active Directory Environment.

 

Switch configuration

aaa new-model
aaa authentication dot1x default group GROUPNAME
aaa authorization network default group GROUPNAME
aaa accounting dot1x default start-stop group GROUPNAME

ip radius source interface vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius server SERVERNAME
 address ipv4 IP auth-port 1812 acct-port 1813
 key PSK
aaa group server radius GROUPNAME
 server name SERVERNAME
!//Vendor specific attributes:
radius-server vsa send accounting 
radius-server vsa send authentication

ip device tracking

dot1x system-auth-control

!//MONITOR MODE
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport voice vlan 9
 authentication host-mode multi-auth
 authentication open
 authentication priority dot1x mab
 authentication timer reauthenticate server
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

!//TROUBLESHOOTING
show authentication sessions interface gigabitEthernet0/1
show dot1x all
test aaa group radius user it1 cisco new-code

ISE Policies: Authentication, Authorization, Profiling, Posture, Client Provisioning, SGA

Policy Elements: Dictionaries, Conditions, Results

If Condition Then Result

Dictionary is a predefined set of conditions <-> result

ISE Authentication

Authentication Policy

Types

  • Simple
  • Rule Based

Components:

  • Description
  • Condition – Simple or Compound – Based on the dictionary
  • Result – Allowed EAP Protocols
  • Result – ID Sources to be used
  • Action Options – [Reject/drop/continue] depending on type of results (user not found, authentication failed, process failed,…)

External authentication:

  • Version 1.2 supports only 1 AD and many LDAPs
  • Version 1.3 supports up to 50 ADs

ISE PSNs need to be joined to the Active Directory, so it will relay on DNS and local Domain Controllers depending on the Site configuration.

ISE Authorization

Top-Down list of rules.

  • Description
  • Condition ID Source (users or endpoints)
  • Condition Attribute (posture, groups,…)
  • Permissions – Authorization Profile
    • dACLs
    • VLANs
    • SGA

Default rule allows all access.

Downloadable ACLs

 

 Cisco TrustSec (CTS)

Security Group Access – Security Group Tagging

Cisco Proprietary

Tags are added after the 802.1Q information in the Ethernet frame.

l2frame

 

Network Access Device will tag the L2 packets from the endpoint based on the ISE authorization policy. The tags will be used in Security Group ACLs around the network to allow or block access to the resources.

  • Classification: at ingress, dynamic (802.1x, MAB, Web Authentication) or static (based on IP, subnet, VLAN)
  • Transport: SGT is propagated via inline tagging or SXP
  • Enforcement: Policy is applied via SGACL or SGFW

SXP – Secure Exchange Protocol (TCP). It’s used when middle devices don’t support SGT. A tunnel is created between SGT supported devices bypassing the non supported device.

  • SXP Speaker
  • SXP Listener

Cisco TrustSec switch configuration:

radius server ISE-PAC
 address ipv4 IP auth-port 1812 acct-port 1813
 pac key PASSWORD

aaa group server radius ISE-CTS
 server name ISE-PAC

aaa authorization network CTS-LIST group ISE-CTS
cts authorization list CTS-LIST
cts credentials id NAME password PASSWORD //on privileged mode, not conf t

cts role-based enforcement
cts role-based enforcement vlan-list VLAN

cts refresh environmnet-data

Troubleshooting:

show cts pacs
show cts environment-data
show cts rbacl
show cts role-based permissions
show cts role-based counters

Static Classification:

cts role-based sgt-map IP sgt TAG 
cts role-based sgt-map vlan-list VLANLIST sgt TAG

SXP Configuration:

!Switch:
cts sxp enable
cts sxp connection peer FWIP password none mode local speaker
show cts sxp connections brief

!FW configuration:
cts server-group ISE
cts sxp enable
cts sxp connection peer SWIP password none mode local listener
show cts sgt-map


MAC Security (MACsec)

802.1AE (extension to 802.1x)

Encrypt and Authenticate L2 communication.

Packets are in the clear in the backplane, so inspection, filterin and QoS are available.

  • Downlink MACsec (Endpoint using anyconnect and Network Access Device)
  • Switch-to-Switch MACsec

frame2

 

interface gi0/1
 macsec
 mka default-policy
 authentication linksec policy should-secure

Default setting is should-secre. ISE will override the policy.

show macsec interface gigabitEthernet 0/1
show authentication sessions interface gigabitEthernet 0/1

WebAuth

Authentication and authorization via HTTP(S)

CWA – Central Web Authentication – Hosted in the PSN

LWA – Local Web Authentication – Hosted in the NAD (usually wlc) – Doesn’t support CoA

Switch configuration:

!//enable CoA
aaa server radius dynamic-author
 client 10.10.2.20 server-key 0 radius-key

!//Local redirection  ACL
ip access-list extended ACL-WEBAUTH-REDIRECT
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 8443

crytpo key generate rsa modulus 2048

!//enable http servers to intercept the traffic
ip http server
ip http secure-server

int gig 0/2
 ip access-group Basic-ACL in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

Guest Access

Sponsor Groups with different privileges:

  • Authorization levels
    • Can manage only own account, accounts of other sponsors in the same group, or all accounts for all the sponsors
  • Guest roles
  • Time Profiles

Posture

Check the configuration and status of the endpoint through an agent.  The agent will speak directly with the PSN box using SWISS protocol, not through the NAD.

Agents:

  • Anyconnect – installed in the computer, requires admin rights
  • Web agent – Java based, no required to install. It can’t do automatic remediation.

Endpoint Status:

  • Complaint
  • Non Complaint
  • Unknown status – when there is no agent communication

Profiler

Porbes: Netflow, DHCP, DHCP/Span, HTTP, Radius, DNS, SNMP, NMAP

– nmap and Netflow will have a performance impact on the PSN node.

 

ISE Application

Admin Password – By default, it expires after 45 days. To unlock it use the following command from cli:

application reset-passwd ise username

Reference: https://www.packetmischief.ca/2012/01/16/resetting-admin-password-on-a-cisco-ise-appliance/

 

Resources

ISE Cisco Live presentation – Certificates + 40 minutes of tips –  Advanced ISE services – Tips & Tricks