Policy Administration – Policy Decision – ISE (Identity Services Engine)
Policy Enforcement – Network Access Devices – switches, wireless controllers, routers
Policy Information – NAC Agent, NAC Web Agent, 802.1X supplicant (AnyConnect)
- 802.1x (NAC Agent, 802.1x supplicant)
- MAC Authentication bypass (MAB) – Database of the MAC Address of the devices that don’t support 802.1x (printers, cameras)
- Web Authentication
- VPN Authentication
- ACLs (dACL, Named ACL, time based ACL)
- VLAN assignment
- Security Group Access – Cisco TrustSec – SGT – Security Group Tagging
Change of Authorization (CoA) – Method to change an endpoint's authorization status after some condition is met, such as checking the security compliance of the endpoint. Must be supported by the Network Access Device.
RADIUS: standards-based protocol for AAA services.
TACACS+: AAA protocol developed by Cisco. Supports per-command authorization. Provides accounting for auditing device changes.
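Added example (not from these notes and not Cisco code): a Python model of the RADIUS exchange between a NAD and the PSN for a MAB request, built on the RFC 2865 attribute format. It shows how the User-Password (the MAC address, for MAB) is hidden with the shared secret, how the Message-Authenticator lets the server detect a request that was forged or altered in transit, and how the NAD verifies the Response Authenticator of an Access-Accept so a spoofed accept is not trusted. The shared secret, MAC and attribute values are constructed; the cisco-av-pair VSA is the vendor attribute format behind `radius-server vsa send`.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values (not from the notes): the RADIUS shared secret and a client MAC
SHARED_SECRET = b"example-shared-secret"
ENDPOINT_MAC = "00:11:22:33:44:55"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CLASS, VENDOR_SPECIFIC = 1, 2, 6, 25, 26
CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 31, 80
SERVICE_TYPE_CALL_CHECK = 10          # Service-Type value used for MAB requests
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # VSA carrying a cisco-av-pair string


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute (26) with vendor id 9 and vendor type 1 (cisco-av-pair)."""
    data = text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data)


def hide_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_mab_access_request(mac: str, secret: bytes, ident: int = 1, request_auth: bytes = None):
    """MAB: the NAD sends the MAC as User-Name and User-Password with Service-Type Call-Check,
    plus a Message-Authenticator (HMAC-MD5 keyed with the secret over the packet with the
    attribute zeroed) so the server can reject requests not built with the shared secret."""
    request_auth = request_auth or os.urandom(16)
    mac_plain = mac.replace(":", "").lower()
    base = (avp(USER_NAME, mac_plain.encode())
            + avp(USER_PASSWORD, hide_password(mac_plain.encode(), request_auth, secret))
            + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
            + avp(CALLING_STATION_ID, mac.upper().replace(":", "-").encode()))
    zeroed = packet(ACCESS_REQUEST, ident, request_auth, base + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac_value = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, request_auth, base + avp(MESSAGE_AUTHENTICATOR, mac_value)), request_auth


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC with the attribute zeroed and compare in constant time."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    rebuilt, received = b"", None
    for t, v in parse_attrs(pkt[20:length]):
        if t == MESSAGE_AUTHENTICATOR:
            received, v = v, bytes(16)
        rebuilt += avp(t, v)
    if received is None:
        return False
    expected = hmac.new(secret, packet(code, ident, pkt[4:20], rebuilt), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAD's check that an Access-Accept really came from a server holding the secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req, ra = build_mab_access_request(ENDPOINT_MAC, SHARED_SECRET)
    print("Message-Authenticator valid:", verify_message_authenticator(req, SHARED_SECRET))
    # constructed Access-Accept carrying a Class attribute and a cisco-av-pair ACL entry
    accept = build_response(ACCESS_ACCEPT, req, avp(CLASS, b"session-1")
                            + cisco_avpair("ip:inacl#1=permit ip any any"), SHARED_SECRET)
    print("Access-Accept authentic:", verify_response(accept, ra, SHARED_SECRET))
    forged = build_response(ACCESS_ACCEPT, req, b"", b"guessed-secret")
    print("Forged accept passes NAD check:", verify_response(forged, ra, SHARED_SECRET))
```

The two checks are the defensive part of the protocol: without the Message-Authenticator, a server cannot distinguish a genuine NAD from anything that can send UDP to port 1812, and without the Response Authenticator check a NAD would accept any Access-Accept it received. Both rely on MD5 and on the strength of the shared secret, which is why a per-NAD secret and RADIUS over a protected management path matter.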
Current version of ISE: 1.3 (November 2014)
ISE can run on 3415, 3455 or 3495 servers or on VMware
- PAN – Policy Administration Node
- PSN – Policy Service Node
- MNT – Monitoring and Troubleshooting Node
- Admin persona: handles administrator changes and publishes them to the Policy Service Nodes. A secondary Admin node must be promoted manually.
- PSN: redundant PSNs work concurrently. If one fails, the other continues working.
- Monitoring Node: if the primary fails, the secondary is promoted to primary automatically.
- All personas in the same box.
- Up to 10,000 endpoints
- Both boxes have all the personas: primary node and secondary node.
- Up to 10,000 endpoints
- Two redundant boxes with the Admin and Monitoring personas
- Up to 5 Policy Service Nodes
- Up to 10,000 endpoints
Distributed deployment, up to 250,000 endpoints
- Two boxes with Admin roles
- Two boxes with Monitoring roles
- Up to 40 PSNs
PSNs can be clustered at Layer 2.
NADs (Network Access Devices) hold a prioritized list of the PSNs they will use.
802.1x Host Modes
- Single Host Mode – Only one device (MAC address) per port. A second MAC puts the port in the unauthorized state.
- Multiple Host mode – (hub usage). The first device's authentication defines the port's access; the other devices get the same access without authenticating.
- Multiple Domain Authentication (MDA) mode – Data + Voice. Independent authentication for each device.
- Multiple Authentication mode – Authenticates every MAC address. Same VLAN but ACL per device.
- Monitor mode
  - Before authentication: authentication open + full access
  - After authentication: full access
  - Configuration: authentication open
- Low impact mode
  - Before authentication: authentication open + pre-auth ACL to limit the traffic
  - After authentication: full access or controlled access through an ACL
  - Configuration: authentication open + ip access-group default-ACL in
- Closed mode
  - Before authentication: no access allowed, only EAPOL
  - After authentication: full access or controlled access through an ACL
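Added example, not code from the notes or from Cisco: a small Python model of how the host mode and the deployment mode above combine to decide what each MAC on a port can do. The host mode decides how many devices may authenticate and whether a second device inherits the first one's result; the deployment mode decides what an unauthenticated or failed device gets. The port, MAC and dACL names are constructed; the behaviour of a second data device on a multi-domain port (a violation) is the usual switch default and is modelled as an assumption here.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Access granted before (or without) a successful authentication, per deployment mode
PRE_AUTH_ACCESS = {"monitor": "full", "low-impact": "pre-auth ACL", "closed": "EAPOL only"}


@dataclass
class Session:
    domain: str                  # "data" or "voice"
    authorized: bool
    acl: Optional[str] = None    # dACL returned by ISE, if any


@dataclass
class Port:
    host_mode: str               # single-host | multi-host | multi-domain | multi-auth
    deployment: str              # monitor | low-impact | closed
    sessions: Dict[str, Session] = field(default_factory=dict)
    violation: Optional[str] = None

    def connect(self, mac: str, domain: str = "data", authorized: Optional[bool] = None,
                acl: Optional[str] = None) -> None:
        """Register a MAC seen on the port. authorized=None means it never authenticated."""
        if self.violation:
            return                                   # port is already unauthorized
        if self.host_mode == "single-host" and self.sessions and mac not in self.sessions:
            self.violation = f"second MAC {mac} on single-host port"
            return
        if self.host_mode == "multi-domain":
            # one data device and one voice device, each authenticated on its own
            same_domain = [m for m, s in self.sessions.items() if s.domain == domain and m != mac]
            if same_domain:
                self.violation = f"second {domain} device {mac} on multi-domain port"   # assumption: violation
                return
        if self.host_mode == "multi-host" and self.sessions:
            # hub case: the first device's result is inherited by every later device
            first = next(iter(self.sessions.values()))
            self.sessions[mac] = Session(domain, first.authorized, first.acl)
            return
        self.sessions[mac] = Session(domain, bool(authorized), acl)

    def access(self, mac: str) -> str:
        """What the given MAC can do right now."""
        if self.violation:
            return "none (port unauthorized: " + self.violation + ")"
        s = self.sessions.get(mac)
        if s is None:
            return "unknown MAC"
        if s.authorized:
            return s.acl or "full"
        return PRE_AUTH_ACCESS[self.deployment]   # not (yet) authenticated


if __name__ == "__main__":
    hub = Port("multi-host", "closed")
    hub.connect("aa:aa:aa:aa:aa:01", authorized=True)
    hub.connect("aa:aa:aa:aa:aa:02")              # never authenticated
    print("multi-host, second device:", hub.access("aa:aa:aa:aa:aa:02"))
    office = Port("multi-auth", "low-impact")
    office.connect("aa:aa:aa:aa:aa:01", authorized=True, acl="Employee-dACL")
    office.connect("aa:aa:aa:aa:aa:02")
    print("multi-auth, authenticated:", office.access("aa:aa:aa:aa:aa:01"))
    print("multi-auth, not authenticated:", office.access("aa:aa:aa:aa:aa:02"))
```

The multi-host case is the one to watch in reviews: anything plugged into the hub after the first device gets that device's access without ever being authenticated, which is why multi-auth (a result per MAC) is the usual choice where a hub or an unmanaged switch may sit behind the port.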
EAP – Extensible Authentication Protocol
The end user speaks 802.1x with the Network Access Device through a supplicant (EAPOL).
The Network Access Device speaks RADIUS with the ISE PSN (EAP over RADIUS).
The system uses EAP-X end to end: the EAP method runs between the supplicant and the PSN.
- EAP-FAST: symmetric cryptography. Uses PACs (Protected Access Credentials) that are exchanged between the endpoint and the PSN; they could be eavesdropped. The PAC is used to create a tunnel through which the credentials are sent.
- EAP-PEAP: only a certificate on the PSN is required. The certificate is delivered to the endpoint, which uses the public key of the PSN certificate to create a session key and set up a tunnel through which the username and password are sent.
- EAP-TLS: both the PSN and the endpoint require a certificate. No credential encryption is required, as they exchange public keys. The downside is the large number of certificates to manage.
- EAP-MD5 – CHAP: challenge-response. No server authentication; vulnerable to MITM attacks.
- EAP-MSCHAPv2: challenge-response with hashing. Used in Active Directory environments.
aaa new-model
aaa authentication dot1x default group GROUPNAME
aaa authorization network default group GROUPNAME
aaa accounting dot1x default start-stop group GROUPNAME
ip radius source-interface vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius server SERVERNAME
 address ipv4 IP auth-port 1812 acct-port 1813
 key PSK
aaa group server radius GROUPNAME
 server name SERVERNAME
! Vendor specific attributes
radius-server vsa send accounting
radius-server vsa send authentication
ip device tracking
dot1x system-auth-control
! MONITOR MODE
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport voice vlan 9
 authentication host-mode multi-auth
 authentication open
 authentication priority dot1x mab
 authentication timer reauthenticate server
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
! TROUBLESHOOTING
show authentication sessions interface gigabitEthernet0/1
show dot1x all
test aaa group radius it1 cisco new-code
ISE Policies: Authentication, Authorization, Profiling, Posture, Client Provisioning, SGA
Policy Elements: Dictionaries, Conditions, Results
If Condition Then Result
A dictionary is a predefined set of attributes used in conditions and results.
- Rule Based
- Condition – Simple or Compound – Based on the dictionary
- Result – Allowed EAP Protocols
- Result – ID Sources to be used
- Action options – [Reject/Drop/Continue] depending on the type of result (user not found, authentication failed, process failed, …)
- Version 1.2 supports only one AD and many LDAPs
- Version 1.3 supports up to 50 ADs
ISE PSNs need to be joined to Active Directory, so they rely on DNS and on local Domain Controllers depending on the Sites configuration.
Top-down list of rules.
- Condition: ID source (users or endpoints)
- Condition: attribute (posture, groups, …)
- Permissions – Authorization Profile
Default rule allows all access.
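Added example, not ISE code: a Python evaluator for the two policies described above. The authentication policy is a rule list whose result is the allowed EAP protocols, the identity source and the action options for each failure type; the authorization policy is a top-down list of condition/permission rules with a default that permits all access. Attribute names imitate ISE dictionary naming (`Radius:Service-Type`, `Session:PostureStatus`), but the rules, identity stores, sessions and profile names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Session = Dict[str, Any]   # session attributes keyed like ISE dictionary entries (constructed)


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: Any


def first_match(rules: List[Rule], default: Any, session: Session) -> Tuple[str, Any]:
    """Top-down evaluation: the first rule whose condition holds wins, else the default rule."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", default


# Simple conditions and the compound forms built from them
def attr_is(name: str, value: Any):  return lambda s: s.get(name) == value
def attr_in(name: str, values):      return lambda s: s.get(name) in values
def all_of(*conds):                  return lambda s: all(c(s) for c in conds)
def any_of(*conds):                  return lambda s: any(c(s) for c in conds)


# Identity sources: constructed stand-ins for AD and the internal endpoint database
ID_STORES = {"AD": {"alice", "bob"}, "Internal Endpoints": {"00:11:22:33:44:55"}}
REJECT_ALL = {"user_not_found": "reject", "auth_failed": "reject", "process_failed": "drop"}

WIRED = attr_is("Radius:NAS-Port-Type", "Ethernet")
AUTHC_RULES = [
    Rule("Wired_802.1X", all_of(WIRED, attr_is("Radius:Service-Type", "Framed")),
         {"allowed_protocols": {"EAP-TLS", "PEAP-MSCHAPv2"}, "id_source": "AD", "actions": REJECT_ALL}),
    Rule("Wired_MAB", all_of(WIRED, attr_is("Radius:Service-Type", "Call Check")),
         {"allowed_protocols": {"Host Lookup"}, "id_source": "Internal Endpoints",
          # an unknown MAC continues to authorization instead of being rejected
          "actions": {**REJECT_ALL, "user_not_found": "continue"}}),
]
AUTHC_DEFAULT = {"allowed_protocols": {"PEAP-MSCHAPv2"}, "id_source": "AD", "actions": REJECT_ALL}

AUTHZ_RULES = [
    Rule("Printers", attr_is("EndPoints:IdentityGroup", "Printers"), "Printer_Profile"),
    Rule("Posture_Pending", all_of(attr_is("Radius:Service-Type", "Framed"),
                                   attr_in("Session:PostureStatus", {"Unknown", "NonCompliant"})),
         "Posture_Redirect"),
    Rule("Employees", all_of(attr_is("AD:ExternalGroups", "Employees"),
                             attr_is("Session:PostureStatus", "Compliant")), "Employee_Profile"),
]
AUTHZ_DEFAULT = "PermitAccess"   # as in the notes: the default rule allows all access


def lookup(id_source: str, session: Session) -> str:
    """Outcome of the identity-store lookup: ok, user_not_found or auth_failed."""
    if session["User-Name"] not in ID_STORES[id_source]:
        return "user_not_found"
    return "ok" if session.get("credential_valid", True) else "auth_failed"


def decide(session: Session) -> Dict[str, Any]:
    """Run the authentication policy, apply its action options, then the authorization policy."""
    authc_rule, authc = first_match(AUTHC_RULES, AUTHC_DEFAULT, session)
    result = {"authc_rule": authc_rule, "response": "Access-Reject"}
    if session["protocol"] not in authc["allowed_protocols"]:
        return {**result, "reason": "protocol not allowed"}
    outcome = lookup(authc["id_source"], session)
    result["authc_outcome"] = outcome
    if outcome != "ok":
        action = authc["actions"][outcome]
        if action == "reject":
            return {**result, "reason": outcome}
        if action == "drop":
            return {**result, "response": None, "reason": outcome}
        # "continue": authorization still runs, with the failed lookup recorded
    authz_rule, profile = first_match(AUTHZ_RULES, AUTHZ_DEFAULT, session)
    return {**result, "response": "Access-Accept", "authz_rule": authz_rule, "profile": profile}


# Constructed sessions
EMPLOYEE = {"Radius:NAS-Port-Type": "Ethernet", "Radius:Service-Type": "Framed", "protocol": "PEAP-MSCHAPv2",
            "User-Name": "alice", "AD:ExternalGroups": "Employees", "Session:PostureStatus": "Unknown"}
PRINTER = {"Radius:NAS-Port-Type": "Ethernet", "Radius:Service-Type": "Call Check", "protocol": "Host Lookup",
           "User-Name": "00:11:22:33:44:55", "EndPoints:IdentityGroup": "Printers"}
UNKNOWN_MAC = {**PRINTER, "User-Name": "de:ad:be:ef:00:01", "EndPoints:IdentityGroup": None}

if __name__ == "__main__":
    for s in (EMPLOYEE, {**EMPLOYEE, "Session:PostureStatus": "Compliant"}, PRINTER, UNKNOWN_MAC):
        print(s["User-Name"], decide(s))
```

Two things the run makes visible. The employee first lands on `Posture_Redirect` and only gets `Employee_Profile` once the posture status is `Compliant`; that second evaluation is what CoA triggers after the agent reports. And the unknown MAC, whose MAB lookup is set to continue, falls all the way to the default rule and receives `PermitAccess`, which is the reason the default authorization rule deserves a deliberate review in any deployment.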
Cisco TrustSec (CTS)
Security Group Access – Security Group Tagging
Tags are inserted after the 802.1Q header in the Ethernet frame.
The Network Access Device tags the L2 frames from the endpoint based on the ISE authorization policy. The tags are then used in Security Group ACLs around the network to allow or block access to resources.
- Classification: at ingress, dynamic (802.1x, MAB, Web Authentication) or static (based on IP, subnet, VLAN)
- Transport: SGT is propagated via inline tagging or SXP
- Enforcement: Policy is applied via SGACL or SGFW
SXP – Secure Exchange Protocol (TCP). Used when intermediate devices don't support SGT: a tunnel is created between SGT-capable devices, bypassing the unsupported device.
- SXP Speaker
- SXP Listener
Cisco TrustSec switch configuration:
radius server ISE-PAC
 address ipv4 IP auth-port 1812 acct-port 1813
 pac
 key PASSWORD
aaa group server radius ISE-CTS
 server name ISE-PAC
aaa authorization network CTS-LIST group ISE-CTS
cts authorization list CTS-LIST
! The next command is entered in privileged EXEC mode, not under conf t
cts credentials id NAME password PASSWORD
cts role-based enforcement
cts role-based enforcement vlan-list VLAN
cts refresh environment-data
Verification:
show cts pacs
show cts environment-data
show cts rbacl
show cts role-based permissions
show cts role-based counters
Static IP-to-SGT and VLAN-to-SGT mappings:
cts role-based sgt-map IP sgt TAG
cts role-based sgt-map vlan-list VLANLIST sgt TAG
SXP between a switch (speaker) and a firewall (listener):
! Switch:
cts sxp enable
cts sxp connection peer FWIP password none mode local speaker
show cts sxp connections brief
! FW configuration:
cts server-group ISE
cts sxp enable
cts sxp connection peer SWIP password none mode local listener
show cts sgt-map
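Added example, not code from the notes or from Cisco: a Python model of the three TrustSec stages above. Classification fills an IP-to-SGT binding table (dynamic /32 bindings from 802.1X or MAB, static subnet mappings like `cts role-based sgt-map`), SXP carries those bindings from a speaker to a listener that cannot see inline tags, and enforcement looks up the (source SGT, destination SGT) cell of an SGACL matrix. The tag numbers, addresses and matrix are constructed; the "permit" default for an empty matrix cell and SGT 0 for an unbound address are modelling assumptions stated in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SGT_UNKNOWN = 0   # assumption for the model: an address with no binding carries SGT 0 (Unknown)


@dataclass
class Binding:
    prefix: ipaddress.IPv4Network
    sgt: int
    source: str   # "dot1x", "mab", "static" or "sxp"


class SgtBindingTable:
    """IP-to-SGT bindings of one device (switch or firewall); the longest prefix wins."""
    def __init__(self):
        self.bindings: List[Binding] = []

    def add(self, prefix: str, sgt: int, source: str) -> None:
        self.bindings.append(Binding(ipaddress.ip_network(prefix, strict=False), sgt, source))

    def lookup(self, ip: str) -> Optional[Binding]:
        addr = ipaddress.ip_address(ip)
        matches = [b for b in self.bindings if addr in b.prefix]
        return max(matches, key=lambda b: b.prefix.prefixlen) if matches else None

    def sgt_of(self, ip: str) -> int:
        b = self.lookup(ip)
        return b.sgt if b else SGT_UNKNOWN


def sxp_exchange(speaker: SgtBindingTable, listener: SgtBindingTable) -> int:
    """The speaker sends its bindings; the listener installs them with source 'sxp'.
    This is how a device behind non-SGT-capable hops still learns who owns which address."""
    for b in speaker.bindings:
        listener.add(str(b.prefix), b.sgt, "sxp")
    return len(speaker.bindings)


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def sgacl_decision(matrix: Dict[Tuple[int, int], List[Ace]], src_sgt: int, dst_sgt: int,
                   proto: str, dport: Optional[int], default: str = "permit") -> str:
    """Evaluate the SGACL assigned to the (source, destination) cell; a cell with an SGACL
    ends in an implicit deny, a cell with no SGACL falls back to the matrix default."""
    cell = matrix.get((src_sgt, dst_sgt))
    if cell is None:
        return default
    for ace in cell:
        if ace.proto in ("ip", proto) and ace.dport in (None, dport):
            return ace.action
    return "deny"


def check_flow(table: SgtBindingTable, matrix, src_ip: str, dst_ip: str,
               proto: str, dport: Optional[int] = None) -> Dict[str, object]:
    src, dst = table.sgt_of(src_ip), table.sgt_of(dst_ip)
    return {"src_sgt": src, "dst_sgt": dst, "action": sgacl_decision(matrix, src, dst, proto, dport)}


# Constructed tags and bindings: 10 = Employees, 20 = Printers, 100 = Servers
switch = SgtBindingTable()
switch.add("10.1.10.5/32", 10, "dot1x")       # PC classified dynamically after 802.1X
switch.add("10.1.20.7/32", 20, "mab")         # printer classified via MAB
switch.add("10.1.100.0/24", 100, "static")    # server subnet, static sgt-map

MATRIX = {
    (10, 100): [Ace("permit", "tcp", 443), Ace("permit", "tcp", 22)],
    (20, 100): [Ace("deny", "ip")],
    (10, 20):  [Ace("permit", "tcp", 9100)],
}

if __name__ == "__main__":
    firewall = SgtBindingTable()
    print("bindings learned over SXP:", sxp_exchange(switch, firewall))
    for flow in (("10.1.10.5", "10.1.100.20", "tcp", 443), ("10.1.10.5", "10.1.100.20", "tcp", 3389),
                 ("10.1.20.7", "10.1.100.20", "tcp", 443), ("10.1.10.5", "10.1.20.7", "tcp", 9100),
                 ("10.9.9.9", "10.1.100.20", "tcp", 443)):
        print(flow, check_flow(firewall, MATRIX, *flow))
```

The last flow in the run comes from an address with no binding: it is classified as Unknown and, because that cell has no SGACL, falls through to the matrix default. Whether that default is permit or deny, and which cells are left empty, is the part of a TrustSec design that needs the same review as a traditional default ACL.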
MAC Security (MACsec)
802.1AE (extension to 802.1x)
Encrypts and authenticates L2 communication.
Packets are in the clear in the switch backplane, so inspection, filtering and QoS remain available.
- Downlink MACsec (endpoint using AnyConnect and the Network Access Device)
- Switch-to-switch MACsec
interface gi0/1
 macsec
 mka default-policy
 authentication linksec policy should-secure
The default setting is should-secure. ISE will override the policy.
show macsec interface gigabitEthernet 0/1
show authentication sessions interface gigabitEthernet 0/1
Authentication and authorization via HTTP(S)
CWA – Central Web Authentication – Hosted in the PSN
LWA – Local Web Authentication – Hosted in the NAD (usually the WLC) – Doesn't support CoA
! Enable CoA
aaa server radius dynamic-author
 client 10.10.2.20 server-key 0 radius-key
! Local redirection ACL
ip access-list extended ACL-WEBAUTH-REDIRECT
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 8443
crypto key generate rsa modulus 2048
! Enable the HTTP servers that intercept the traffic
ip http server
ip http secure-server
interface gig 0/2
 ip access-group Basic-ACL in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
Sponsor Groups with different privileges:
- Authorization levels
- Can manage only their own accounts, the accounts of other sponsors in the same group, or all accounts of all sponsors
- Guest roles
- Time Profiles
Posture: checks the configuration and status of the endpoint through an agent. The agent speaks directly with the PSN using the SWISS protocol, not through the NAD.
- AnyConnect – installed on the computer, requires admin rights
- Web agent – Java based, no installation required. It can't do automatic remediation.
- Non-Compliant
- Unknown status – when there is no agent communication
Probes: NetFlow, DHCP, DHCP/SPAN, HTTP, RADIUS, DNS, SNMP, NMAP
- NMAP and NetFlow have a performance impact on the PSN.
Admin password – by default it expires after 45 days. To unlock it, use the following command from the CLI:
application reset-passwd ise USERNAME
ISE Cisco Live presentation – Certificates + 40 minutes of tips – Advanced ISE services – Tips & Tricks