Here are the key points:
- Monitor mode allows you to enable 802.1X authentication on interfaces without enforcing access control initially.
- It allows devices to authenticate and gain network access even if authentication fails, so you can monitor authentication attempts and identify issues before enforcing.
- This is important for planning remediation and troubleshooting authentication problems before moving to a more restricted enforcement mode.
- It provides visibility into who and what is attempting to authenticate so you can determine readiness for a phased enforcement approach.
- The goal is to identify and address authentication failures through troubleshooting and remediation in monitor mode before moving to authenticated-only or closed access modes.
- This phased approach avoids
2. Session Abstract
• This session is a technical breakout that will help demystify the technology behind the Cisco TrustSec System, including the Identity Services Engine.
• We will build use cases to introduce, compare, and contrast different access control features and solutions, and discuss how they are used within the TrustSec System.
• The technologies that will be covered include user & device authorization, 802.1X, Profiling Technology, Supplicants, certificates/PKI, Posture, CoA, RADIUS, EAP, Guest Access, Security Group Access (SGA), and 802.1AE (MACsec).
• All of the technologies will be discussed in relation to Cisco's Identity Services Engine
#CiscoPlus
3. Session Objectives
At the end of the session, you should understand:
• The many parts and pieces that make up Cisco's TrustSec Solution
• How 802.1X and SGA work
• The benefits of deploying TrustSec
• The different deployment scenarios that are possible
You should also:
• Provide us with feedback!
• Attend related sessions that interest you
• Have a nice glossary of terms at your disposal
5. What is TrustSec
• Yes, it can be confusing
• Think of it as "Next-Generation NAC"
• TrustSec is a System approach to Access Control:
  - IEEE 802.1X (Dot1x)
  - Profiling Technologies
  - Guest Services
  - Secure Group Access (SGA)
  - MACsec (802.1AE)
  - Identity Services Engine (ISE)
  - Access Control Server (ACS)
6. So, TrustSec = Identity, Right?
• Yes, but it refers to an Identity System (or solution)
  - Policy Servers are only as good as the enforcement device (Switches, WLCs, Firewalls, etc.)
• But what is "Identity"?
• Understanding the Who / What / Where / When & How of a user or device's access to a network.
8. Why Identity Is Important
1. Who are you? 802.1X (or a supplementary method) authenticates the user. Keep the Outsiders Out.
2. Where can you go? Based on authentication, the user is placed in the correct VLAN. Keep the Insiders Honest.
3. What service level do you receive? The user can be given per-user services (ACLs, Macros, SGA). Personalize the Network.
4. What are you doing? The user's identity and location can be used for tracking and accounting. Increase Network Visibility.
9. What Is Authentication?
• Authentication is the process of establishing and
confirming the identity of a client requesting services
I’d Like to Withdraw $200.00 Please.
Do You Have Identification?
Yes, I Do. Here It Is.
An Authentication System Is Only as Strong as the Method of Verification Used
10. What Is Authorization?
• Authorization is the process of granting a level of access to the
network
I’d Like to Withdraw $200.00 Please.
Do You Have Identification?
Yes, I Do. Here It Is.
Thank You. Here is your money.
12. Business Case
• Throughout the presentation, we will refer to a business case. One that will continue to evolve:
Company: Retailer-X
Problem Definition:
The company stores credit card data from all sales transactions.
As with all companies: Vendors & Guests are constantly visiting Retailer-X, to pitch new products to be sold, or even to sell network, security & collaboration equipment to Retailer-X.
Company must ensure that only Retailer-X employees are gaining access to the network.
Solution: Identity with 802.1X
13. Default Port State without 802.1X
• No Authentication Required
• No visibility
• No Access Control
(Diagram: unknown user on a switchport, identity and device unknown)
14. Default Security with 802.1X
Before Authentication
• No visibility (yet)
• Strict Access Control
• One Physical Port -> Two Virtual ports
  - Uncontrolled port (EAPoL only)
  - Controlled port (everything else)
(Diagram: unknown user on a switchport; ALL traffic except EAPoL is dropped)
15. Default Security with 802.1X
After Authentication
• User/Device is Known
• Identity-based Access Control
• Single MAC per port
Looks the same as without 802.1X?
Authenticated User: Sally
Authenticated Machine: XP-ssales-45
Having read your mind Sally, that is true: unless you apply an authorization, access is wide open. We will discuss restricting access at a later time.
16. Revisit: Business Case
• Company: Retailer-X
• Problem Definition:
The company stores credit card data from all sales transactions.
As with most companies: Vendors & Guests are constantly visiting Retailer-X, to pitch new products to be sold, or even to sell network, security & collaboration equipment to Retailer-X.
Company must ensure that only Retailer-X employees are gaining access to the network.
• Solution: Identity with 802.1X
17. Revisit: Business Case
• Did we meet the business case? YES!
• But what was missing?
• What lessons have we learned?
We called Dot1x an "access prevention" technology
18. What Happened? What went Wrong?
@ Retailer-X, BEFORE Monitor Mode is available …
IT Mgr.: "I've done my homework in the Proof of Concept Lab and it looks good. I'm turning on 802.1X tomorrow…"
Enabled 802.1X
"I can't connect to my network. It says Authentication failed but I don't know how to fix it. My presentation is in 2 hours…"
Help Desk calls increased by 40%
19. What was missing?
• What lessons were learned?
• Access-Prevention Technology
  - A Monitor Mode is necessary
  - Must have ways to implement & see who would succeed & who would fail
  - Determine why, and then remediate before taking Dot1x into a stronger enforcement mode.
• Solution = Phased Approach to Deployment:
  - Monitor Mode
  - Authenticated Mode
  - Enforcement Mode -or- Closed Mode
20. Monitor Mode
A process, not just a mode.
Interface Config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
• Enables 802.1X Authentication on the Switch
• But: Even failed Authentication will gain Access
• Allows Network Admins to see who would have failed, and fix it, before causing a Denial of Service
(Diagram) Pre-AuthC switchport: DHCP, TFTP, KRB5, HTTP, EAPoL: Permit All. Post-AuthC switchport: Permit All. Traffic always allowed.
21. Authenticated Mode
If Authentication is Valid, then Full Access!
Interface Config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     ip access-group default-ACL in
• Monitor Mode + ACL to limit traffic flow
• AuthC success = Full Access
• Failed AuthC would only be able to communicate to certain services
• WebAuth for non-Authenticated
(Diagram) Pre-AuthC switchport: DHCP, TFTP, HTTP, KRB5, EAPoL: Permit Some. Post-AuthC switchport: Permit All.
22. Enforcement Mode
If Authentication is Valid, then Specific Access!
Interface Config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     ip access-group default-ACL in
• AuthC Success = Role Specific Access
• dVLAN Assignment / dACLs
• Specific dACL, dVLAN
• Secure Group Access
• Still Allows for pre-AuthC Access for Thin Clients, PXE, etc.
• WebAuth for non-Authenticated
(Diagram) Pre-AuthC switchport: DHCP, TFTP, KRB5, HTTP, EAPoL: Permit Some. Post-AuthC switchport: DHCP, RDP, KRB5, HTTP, SGT, EAPoL: Role-Based ACL.
23. Closed Mode
No Access prior to Login, then Specific Access!
Interface Config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication port-control auto
     mab
     dot1x pae authenticator
• Default 802.1X Behavior
• No access at all prior to AuthC
• Still use all AuthZ Enforcement Types
• dACL, dVLAN, SGA
• Must take considerations for Thin Clients & PXE, etc.
(Diagram) Pre-AuthC switchport: DHCP, TFTP, KRB5, HTTP blocked; Permit EAPoL only. Post-AuthC switchport: Permit All - or - Role-Based ACL.
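To check where a phased rollout actually stands, the following added example (not code from the presentation or from Cisco) reads IOS-style interface stanzas like the ones on the four mode slides and labels each port by phase. It assumes the slides' convention: "authentication open" without a pre-auth ACL is Monitor Mode, with an ACL it is Authenticated or Enforcement Mode (the difference lives in the ISE authorization result, not the switch config), and no "authentication open" is Closed Mode; the sample config is constructed.

```python
"""Audit which 802.1X deployment phase each switchport is in (added example)."""
import re
from collections import Counter

# Constructed sample running-config: one port per phase plus an untouched port
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
!
interface GigabitEthernet1/0/3
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 description printer closet, never migrated
 switchport access vlan 10
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        match = re.match(r"^interface\s+(\S+)", raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None  # '!' terminates the stanza
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
    return interfaces


def classify_port(commands):
    """Map a port's sub-commands to one of the slides' deployment modes."""
    authenticator = "dot1x pae authenticator" in commands or "mab" in commands
    port_control = "authentication port-control auto" in commands
    open_access = "authentication open" in commands
    pre_auth_acl = any(c.startswith("ip access-group ") and c.endswith(" in")
                       for c in commands)
    if not (authenticator and port_control):
        return "no-802.1X"                  # still the default port state (slide 13)
    if open_access and not pre_auth_acl:
        return "monitor"                    # failed AuthC still gets full access
    if open_access:
        return "authenticated/enforcement"  # pre-auth traffic limited by the ACL
    return "closed"                         # only EAPoL before AuthC


def audit(config):
    """Return {interface: mode} for every interface in the config."""
    return {name: classify_port(cmds) for name, cmds in parse_interfaces(config).items()}


def ports_in_mode(config, mode):
    """List interfaces in a given mode, e.g. the ones still in monitor mode."""
    return sorted(name for name, m in audit(config).items() if m == mode)


def mode_counts(config):
    """How many ports sit in each phase; useful as a rollout progress metric."""
    return Counter(audit(config).values())


if __name__ == "__main__":
    for name, mode in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {mode}")
```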
24. What was missing?
• What lessons were learned?
• No visibility from the supplicant
  - Little to no User-Interaction
  - User saw an "Authentication Failed" message, and that was all.
  - When everything works, the user is unaware. But, when things stop working… No visibility. Just a call to the help-desk
• Solution: 3rd Party Supplicants
  - Cisco's AnyConnect Supplicant
  - Provides a Diagnostic and Reporting Tool (DART)
  - Detailed logs from the Client Side
  - Unique hooks with RDP and VDI environments
25. What was missing?
• What lessons were learned?
• No Visibility at the RADIUS Server
26. What was missing?
• What lessons were learned?
• Solution: ACS View and the Identity Services Engine (ISE)
27. What was missing?
• What lessons were learned?
• Solution: ACS View & ISE
28. What was missing?
• What lessons were learned?
• Solution: ACS View & ISE
29. What was missing?
• What lessons were learned?
• Non-Authenticating Devices
  - These are devices that were forgotten
  - They don't have software to talk EAP on the network, or they weren't configured for it
  - Printers, IP Phones, Cameras, Badge Readers
  - How to work with these? Don't configure Dot1x on the SwitchPort. But, what about when it moves?
• Solution? Do not use dot1x on ports with Printers
----------------------------------------------------------------------
• Solution: MAC Authentication Bypass (MAB)
30. MAC Authentication Bypass (MAB)
• What is it?
• A list of MAC Addresses that are allowed to "skip" authentication
• Is this a replacement for Dot1X? No Way!
• This is a "Bandage". In a Utopia: All devices authenticate.
• List may be Local or Centralized. Can you think of any benefits to a centralized model?
31. What was missing?
• What lessons were learned?
• Guests:
  - Guests will not have configured supplicants.
  - Plus: they won't be authorized for access.
  - Original Solution: Dot1x Timeouts
  - How this works: After a timeout period, the switchport is automatically put into a Guest VLAN which provides Internet access.
(Switch: "No Supplicant has responded for 90 seconds… So just AuthZ the port for the GUEST VLAN")
32. What was missing?
• What lessons were learned?
• Missing or Misconfigured Supplicants:
  - Group Policies may not have worked
  - Software Distribution may have missed a machine that's been off-network for a period of time.
  - Etc.
  - Dot1x Timeouts would take effect
  - Someone who should have been an authorized user would end up in the Guest Network
  - HelpDesk gets a call from an unhappy user.
(Switch: "No Supplicant has responded for 90 seconds… So just AuthZ the port for the GUEST VLAN")
33. Enter: Web Authentication
• Used to identify users without supplicants
Mis-configured, missing altogether, etc.
• Guest Authentication
34. Business Case Continues to Evolve
• Requirements:
1. Retailer-X must ensure that only Retailer-X employees are gaining access to the network.
   Solution: Identity with 802.1X
2. Authorized Non-Authenticating Devices must continue to have network access.
   Solution: Centralized MAB
3. Need to Automate the building of the MAB List
   Solution: <Let's find out>
36. Profiling Technology
• The ability to classify devices
• Why Classify?
Originally: identify the devices that cannot authenticate and
automagically build the MAB list.
i.e.: Printer = Bypass Authentication
Today: Now we also use the profiling data as part of an
authorization policy.
i.e.: Authorized User + i-device = Internet Only
37. Profiling
(Diagram: PCs vs. Non-PCs such as UPS, Phone, Printer, AP)
• Visibility
Additional benefits of Profiling:
- Visibility: A view of what is truly on your network
- Tracking of where a device has been, what IP Addresses it has had, and other historical data.
- An understanding of WHY the device was profiled as a particular type (what profile signatures were matched)
42. Profiling
• Best Practice Recommendations
• HTTP Probe: Use URL Redirects over SPAN to centralize collection and reduce the traffic load on the network and on ISE related to SPAN/RSPAN. Or use VACLs or other ways to filter HTTP-only traffic.
• DHCP Probe: Use IP Helpers when possible; be aware that a L3 device that serves DHCP itself will not relay DHCP. For DHCP SPAN, make sure the probe captures traffic to the central DHCP Server.
• SNMP Probe: ISE 1.1 added an SNMP probe to pull ARP tables from Cisco Layer-3 Devices. Adds benefit when DHCP is not used.
43. Profiling Technology
• Limitations of Profiling
• Best Guess: The profiling is based on Best-Effort
• MAB is a Filter: It was only used to determine what MAC Addresses were allowed to "skip" Authentication
  - Now we also use the profiling data as part of an authorization policy.
  - i.e.: Authorized User + i-device = Internet Only
44. Business Case Continues to Evolve
• Requirements:
1. Retailer-X must ensure that only Retailer-X employees are gaining access to the network.
   Solution: Identity with 802.1X
2. Authorized Non-Authenticating Devices must continue to have network access.
   Solution: Centralized MAB
3. Need to Automate the building of the MAB List
   Solution: Use Profiling technology to automate the building of the MAB list.
47. How does it work?
(Diagram) Guest user connects to the Open SSID "guest" with Web authentication. The WLC redirects the guest web session to the ISE guest portal for authentication (ISE Policy Server). A guest account needs to be created:
• via a sponsor
• or self service
Access is then authorized for the guest user.
48. Components of a Full Guest Lifecycle Solution
• Provisioning: Guest accounts via sponsor portal
• Notify: Guests of account details by print, email, or SMS
• Manage: Sponsor privileges, guest accounts and policies, guest portal
• Authenticate/Authorize guest via a guest portal on ISE
• Report: On all aspects of guest accounts
49. Guest Users DB – Account Creation Methods
• Two Ways to Populate ISE Internal Guest Database
• Self-Service: Option on ISE 'Guest Portal'
• Sponsoring: via ISE 'Sponsor Portal'
51. ISE – Sponsor Portal
• Customizable sponsor pages
• Sponsor privileges tied to authentication/authorization policy
  - Roles sponsor can create
  - Time profiles can be assigned
  - Management of other guest accounts
  - Single or bulk account creation
• Sponsor and Guest reporting and audit
52. Sponsor Portal: Informing Guests
• Sponsor will have three ways to inform guest
1. Printing the details
2. Sending the details via e-mail
3. Sending the details via SMS
53. Guest user roles
• When there is a need for different policies for users
Guest:
• Internet access only
• Limited connection time: ½ day, one day
Contractor:
• Internet access
• Access to selected resources
• Longer connection time: one week, one month
Use of several user identity groups in ISE.
54. Sponsor groups and privileges
Sponsor group1:
• Can create users in groups 'contractor' and 'guest'
• Can use time profiles up to one week
• Can see all accounts in group
Sponsor group2:
• Can create users in group 'guest' only
• Can use time profiles up to one day
• Cannot do bulk creation
59. Business Case Evolution
We have Identity… We have Guests Lifecycle Management…
Can we get more information?
60. Business Case Continues to Evolve
• Requirements:
4. Employees of Retailer-X must be using a Corporate-owned asset.
5. All Corporate assets must be running Trend Micro Anti-Virus, and it must be up-to-date.
6. All guests must run Antivirus (any).
Solution: Let's find out
61. Posture Assessment
• Does the device meet Security Requirements?
• Posture = the state of compliance with the company's security policy.
  - Is the system running the current Windows Patches?
  - Anti-Virus Installed? Is it Up-to-Date?
  - Anti-Spyware Installed? Is it Up-to-Date?
• Now we can extend the user / system Identity to include their Posture Status.
62. ISE – Posture Assessment Checks
• Microsoft Updates: Service Packs, Hotfixes, OS/Browser versions
• Antivirus: Installation/Signatures
• Antispyware: Installation/Signatures
• File data
• Services
• Applications/Processes
• Registry keys
63. Posture Assessment
• What if a user fails the check?
• New term: Remediation
  - The act of correcting any missing or out-of-date items from the Posture Assessment.
  - This can trigger the use of:
    Corporate Patching Systems (ex: BigFix, Altiris, etc.)
    Windows Software Update Service (WSUS)
    Windows Update
    Anti-Virus product Update Services (LiveUpdate.exe, etc.)
65. Posture Assessment Flow
Uname / Pwd = OK
Posture = Unknown
Authorization = Temporary (Corp VLAN, with a temporary ACL):
    permit ip any host Remediation
    permit ip any host PolicyServer
    deny ip any any
66. Posture Assessment Flow
Uname / Pwd = OK
Posture = Compliant
Authorization = Full Access (Corp VLAN):
    permit ip any any
67. Making this work well
• Change of Authorization (CoA)
• CoA allows an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/Redirection for a device/user without having to start the entire process all over again.
• Without it: Remove the user from the network & then have the entire AAA process begin again.
  - i.e.: disassociate the wireless device & have to join wireless again.
• RFC 3576 and 5176
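The CoA exchange described above, as an added example that is not code from the presentation or from any Cisco product: it encodes a CoA-Request in the RFC 5176 wire format (the revision of RFC 3576 cited on the slide) and verifies the CoA-ACK/NAK that the enforcement device returns, which is what binds each answer to one request under the shared secret. The shared secret, MAC address, session id and Filter-Id name are constructed sample values.

```python
"""RADIUS Change-of-Authorization (CoA) encoding and response check (added example)."""
import hashlib
import hmac
import struct

# RADIUS codes from RFC 5176 and attribute types from RFC 2865/2866
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FILTER_ID, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 11, 31, 44
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS Type-Length-Value attributes."""
    out = b""
    for attr_type, value in attrs:
        value = value.encode() if isinstance(value, str) else value
        if not 0 < len(value) <= 253:
            raise ValueError("RADIUS attribute value must be 1..253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attributes(body):
    """Parse a TLV list back into (type, value) pairs; rejects malformed lengths."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", body[pos:pos + 2])
        if length < 3 or pos + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs


def build_coa_request(identifier, attrs, secret):
    """CoA-Request: Request Authenticator = MD5(header, 16 zero octets, attributes, secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_coa_response(code, request, attrs, secret):
    """What the enforcement device sends back: the Response Authenticator hashes the
    request's authenticator instead of zeros, so an ACK answers exactly one request."""
    if code not in (COA_ACK, COA_NAK):
        raise ValueError("response code must be CoA-ACK or CoA-NAK")
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_coa_response(response, request, secret):
    """Accept a CoA-ACK/NAK only if length, identifier and authenticator all match
    the request it answers; returns the response code, or None on any mismatch."""
    if len(response) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1] or code not in (COA_ACK, COA_NAK):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:HEADER_LEN]):
        return None
    return code


# Constructed sample exchange: the policy server swaps the dACL/Filter-Id on Sally's
# existing session (e.g. after posture becomes Compliant) without tearing it down.
SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST = build_coa_request(
    identifier=7,
    attrs=[(USER_NAME, "sally"),
           (CALLING_STATION_ID, "00-11-22-33-44-55"),  # constructed MAC
           (ACCT_SESSION_ID, "0000001A"),               # constructed session id
           (FILTER_ID, "Compliant-Full-Access")],       # constructed ACL name
    secret=SECRET,
)
SAMPLE_ACK = build_coa_response(COA_ACK, SAMPLE_REQUEST, [], SECRET)
```

A response signed with the wrong secret, or carrying a different Identifier, is rejected by verify_coa_response, which is the property the slide's "RFC 3576 and 5176" line relies on.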
69. Network Access Controls
Multiple Options for Wired Access
• Identity Based Network Services (IBNS): Control Plane
  - 802.1X for wired access
  - Profiling by NAC Profiler
  - Guest = NGS
  (Diagram: Wired, IBNS, 802.1X, ACS)
• Cisco NAC Appliance: VLAN control via SNMP
  - Profiling by NAC Profiler
  - Guest = NGS
  (Diagram: Wired, NAC, SNMP, NAC)
70. Network Access Controls
Wireless and VPN Access
• Wireless Access
  - 802.1X controlled by WLC
  - WLC has local enforcement
  - Separate Policies on ACS
• Remote Access VPN
  - Policy controlled by ASA, or: Policy controlled by in-line NAC
  - Separate Policies on ACS
(Diagram: Wireless 802.1X and VPN Policy, both backed by ACS)
75. A Systems Approach
• Why is this so important?
• When Identity is an overlay (like NAC Appliance)
  - There is an appliance or some other device that is doing the enforcement. Called a Policy Enforcement Point (PEP)
  - The trick is to "shape" traffic towards those PEPs
  - Some use DHCP or DNS Tricks
  - Others use MAC Spoofing (Man-in-the-Middle)
  - Cisco uses the network to get traffic to the Appliance: Virtual Networks (VRFs), Policy Based Routing (PBR), etc.
76. Overlay solution
(Diagram) Internet behind an ASA; NAC Server with a Trusted side (set to Access VLAN) and an Untrusted side (set to Auth VLAN); Global Network, DIRTY VRF and Guest VRF; Access Switch (Cat 3750) with VLAN 100 (DIRTY_VLAN), VLAN 200 (EMPLOYEES), VLAN 210 (CONTRACTORS), VLAN 300 (GUESTS); Corporate PC connects.
77. A Systems Approach
• Why is this so important?
• When Identity is embedded (like 802.1X)
  - The Switch, WLC, or VPN is the enforcement device. Called a Policy Enforcement Point (PEP)
  - The Switch does all the work, instead of an appliance
  - URL Redirection
  - Policy Enforcement with ACLs, SGTs, VLAN Assignment, etc.
81. Secure Group Access
• Topology Independent Access Control
• Term describing use of:
  - Secure Group TAGs (SGTs)
  - Secure Group ACLs (SGACLs)
  - When a user logs in they are assigned a TAG (SGT) that identifies their role
  - The TAG is carried throughout the Network
• Server Switch applies SGACLs based on a "Matrix" (see below).
SGT   | Public | Private
Staff | Permit | Permit
Guest | Permit | Deny
82. Customer Challenges - Ingress Access Control
VLAN Assignment (802.1X/MAB/Web Auth):
• Can I create / manage the new VLANs or IP Address scope?
• How do I deal with DHCP refresh in a new subnet?
• How do I manage the ACL on the VLAN interface?
• Do protocols such as PXE or WOL work with VLAN assignment?
• Any impact to the route summarization?
ACL Download:
• Who's going to maintain ACLs?
• What if my destination IP addresses are changed?
• Does my switch have enough TCAM to handle all requests?
Traditional access authorization methods leave some deployment concerns:
- Detailed design before deployment is required, otherwise…
- Not so flexible for changes required by today's business
- Access control project ends up with redesigning the whole network
83. What is Secure Group Access?
• SGA is a part of TrustSec
• Next-Generation Access Control Enforcement
  - Removes concern about TCAM Space for detailed Ingress ACLs
  - Removes concern of ACE explosion on DC Firewalls
• An Additional Enforcement allowing stickiness of Infrastructure
  - Now adds stickiness of Cisco ASA Firewalls, too.
• Assign a TAG at Login. Enforce that tag in the DataCenter.
84. What is a Secure Group Tag?
A Role-Based TAG:
1. A user (or device) logs into the network via 802.1X
2. ISE is configured to send a TAG in the Authorization Result, based on the "ROLE" of the user/device
3. The Switch applies this TAG to the user's traffic.
85. Security Group Based Access Control
• SGA allows customers:
  - To keep existing logical design at access layer
  - To change / apply policy to meet today's business requirement
  - To distribute policy from central management server
(Diagram) Ingress Enforcement: a user authenticates via 802.1X/MAB/Web Auth ("I'm an employee, my group is HR") and is assigned HR SGT = 100. Egress Enforcement: SGACLs are applied at the servers for HR (SGT=100) and Finance (SGT=4).
86. Security Group Based Access Control
• Security Group Firewalling:
  - Extends the Concept to the ASA
  - Use Security-Group Tags (SGTs) in your ASA Firewall Policy!
  - Available in Arsenal (1HCY2012)
(Diagram) Ingress Enforcement: 802.1X/MAB/Web Auth assigns HR SGT = 100. Egress Enforcement on the ASA with a rule of the form: S-IP | User | S-SGT | D-IP | D-SGT | DENY, separating HR (SGT=100) from Finance (SGT=4).
87. Media Access Control Security
• MACsec: Layer-2 Encryption (802.1AE)
• Industry Standard Extension to 802.1X
  - Encrypts the link between the host & the switch.
  - Traffic in the backplane is unencrypted for inspection, etc.
  - Requires a supplicant that supports MACsec and the encryption key-exchange
(Diagram: Encrypted Link between host and SWITCHPORT)
90. Business Case Continues to Evolve
• The "i-Revolution"
• New Requirement:
  "Our CEO went to a Retail Conference recently and won an iPad. He demands we allow it access to the network, because it is a productivity tool and we are prohibiting his productivity without the iPad"
• New Requirement: Allow access to i-devices
• New Term: "Bring Your Own Device" (BYOD)
91. Identity Services Engine
• Policy Management for the Borderless Networks
• Context-Based Access
  - Who? Known users (Employees, Sales, HR); Unknown users (Guests)
  - What? Device identity; Device classification (profile); Device health (posture)
  - How? Wired; Wireless; VPN
  - Where? Geographic location; Department; SSID / Switchport
  - When? Date; Time; Start/Stop Access
  - Other? Custom attributes; Device/User states; Applications used
• Policy Definition
• Policy Enforcement
• Monitoring and Troubleshooting
92. How do we Build a BYOD Policy?
• What are the Required Parts of the Policy?
  - Corp Asset? AD Member? Static List? MDM? Certificate?
  - AuthC Type: Machine Certs? User Certs? Uname/Pwd
  - Profile: i-Device, Android, Windows, Other
  - AuthZ Result: Full Access, i-Net only, VDI + i-Net
93. Example BYOD Policy in ISE
• Using a Pre-Defined List of Assets
(Policy table columns: Device Type | User | Results)
94. Example BYOD Policy in ISE
• Using a Pre-Defined List of Assets
Device Type: Any i-device | User: ANY User Not in Above Identity Group | Results: Assign Guest VLAN
98. We value your feedback.
Please be sure to complete the Breakout Sessions Evaluation Form.
Access today's presentations at cisco.com/ca/ciscoplus
Follow @CiscoCanada and join the #CiscoPlus conversation