Identity Services Engine Overview and Update
- 3. Cisco Public 3© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Identity Services Engine (ISE)
All-in-One Enterprise Policy Control
(Figure: ISE turns security policy attributes, identity and context (who, what, where, when, how) into business-relevant policies. Endpoints shown: VM client, IP device, guest, employee, remote user. Access methods: wired, wireless, VPN.)
Replaces AAA & RADIUS, NAC, guest management and device identity servers.
- 4.
Cisco ISE is the Market Leader
(Figure: ISE combines who, what, where, when and how with network and partner context data to produce a consistent secure access policy.)
- 5.
Role of Cisco ISE in the Attack Continuum
ISE provides visibility, context, and control across the entire continuum.
(Figure: the attack continuum. BEFORE: Control, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate. Product families placed along it: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web + Email Security, Advanced Malware Protection, Network Behavior Analysis, and the pxGrid + ISE Ecosystem.)
- 6.
Customer use cases for ISE
• Guest Access Management: easily provide guests limited-time, limited-resource Internet access.
• BYOD and Enterprise Mobility: seamlessly and securely onboard devices with the right levels of access.
• Secure Access across the Entire Network: simplify and unify enterprise network access policy across wired, wireless and VPN.
• With Cisco TrustSec®: identity-aware network segmentation and access policy enforcement.
- 8.
Guest Access Flow
Redirection of the guest web session to the Cisco® ISE guest portal for authentication.
(Figure: a guest on a workstation or mobile device (iPhone) connects through an AP, WLC or switch; the web session is redirected to the ISE guest portal, where the guest logs in with sponsor-created credentials (shown as user "Imran" with a masked password); ISE, acting as the local RADIUS server, authenticates the account.)
- 9.
Life Cycle Management
• Provision: create guest accounts in the sponsor portal.
• Manage: create sponsor policy, manage sponsor groups, customize portals.
• Notify: notify the guest by print, email or SMS.
• Report: report on all aspects of guest accounts.
- 10.
Sponsoring Guests
• Branding with Themes! Themes give you complete control over the look and feel of your sponsor portal.
• Mobile Sponsors: you are free to move about the cabin! Create a guest account on the fly from your smartphone or tablet, away from your desk.
• Streamlined Guest Creation: set up your sponsor portal to show only the fields you need for your business.
(Screenshots: the Create Accounts page and the Print / Email / SMS notification options.)
- 11.
Branded Guest Notifications
• Guest Receipts with Your Brand: whether you're delivering guest credentials on the printed page, over email or SMS, ISE makes it easy to deliver your complete branded experience.
• SMS Notifications: send credentials directly to a guest's mobile phone.
• Email Notifications: do you have guests visiting? Send them login credentials before they even arrive!
(Sample receipt: "Your credentials: username trex42, password littlearms".)
- 12.
New Guest Portal Admin
• A Guest Button: with the new navigation, getting to the Guest admin has never been easier.
• Prepackaged Flows: ships with the default flows used by 90% of our customers: Hotspot, Self-Service (with or without approval) and Sponsored.
• One Stop Setup: once you're there, all the pieces you need are accessed in one place.
- 13.
Guest Portal building made easy
• End User Visibility: ISE makes the end user experience crystal clear, updating the guest flow diagram in real time with each settings change.
• Admin Friendly: through extensive user research we've made guest settings so easy to find that setting up a guest flow can be done in just a few clicks.
- 14.
Customize with Themes
• Themes! Themes give you complete control over the look and feel of your guest pages. Use the out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS.
• Live Preview: see your pages as the guests will see them as you customize.
• Full Page Control: use the defaults or customize every field in multiple languages.
- 16.
BYOD Spectrum
(Figure: four tiers of BYOD, by how much of the user, device and its state the enterprise manages.)
• Managed user, managed device: environment requires tight controls.
• Managed user, unmanaged device: basic services and easy access for everyone.
• Managed user, unmanaged device + secure: register, configure connectivity.
• Managed user, unmanaged device + secure + compliance: company's native applications, new services, and full control.
- 17.
What Does Cisco ISE offer?
• Multiple device support
• Certificate provisioning
• Multiple network topologies
• Blacklisting and reinstating of devices
• Self-registration
- 18.
BYOD Flow
Use Case: Single SSID
(Figure: a personal asset connects through an access point and wireless LAN controller to ISE, which authenticates against AD/LDAP; the SSID is labelled BYOD-Secure.)
• User connects to the open SSID.
• Redirected to the WebAuth portal.
• User enters employee or guest credentials.
• A guest signs the AUP and gets guest access.
• An employee registers the device.
• Downloads a certificate.
• Downloads the supplicant configuration.
• The employee reconnects using EAP-TLS.
Note: an onboarding that starts on an open SSID and ends with a reconnect to the secured SSID is what Cisco's BYOD design guides call the dual-SSID flow. In the single-SSID flow the device first joins the secured SSID with PEAP (MSCHAPv2 against AD), is redirected to the BYOD portal for registration and certificate provisioning, and is then re-authenticated on the same SSID with EAP-TLS after a CoA.
- 19.
Native Certificate Authority
Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure.
The ISE Certificate Authority is designed to work either as a self-contained solution or in concert with your existing enterprise PKI to simplify BYOD deployments.
• Single management console: manage endpoints and their certificates. Delete an endpoint and ISE deletes its certificate.
• Simplified deployment: supports stand-alone and subordinate deployments. Removes the corporate PKI team from every BYOD interaction.
Designed for BYOD use cases only, not a general-purpose CA.
(Figure: the Cisco ISE Certificate Authority, self-contained or as an optional subordinate of an enterprise root.)
- 20.
PKI Hierarchy and Roles
• The PAN is the root CA for the ISE cube (deployment); it may be a stand-alone root or subordinate to an existing enterprise root CA.
• All PSNs are subordinate CAs to the PAN.
• PSNs are the SCEP Registration Authorities (RAs) that endpoints enroll against.
• Promotion of the standby PAN has no effect on the operation of the subordinate CAs. For the standby to become the root CA, the private/public keys from the primary PAN must be manually installed on it.
(Figure: optional enterprise root above the primary ISE CA on the PAN, with a standby PAN and four PSNs, each a subordinate CA and SCEP RA.)
- 21.
Certificate Template(s)
• Define internal or external CA
• Set the key sizes
• SAN field options: UUID, DNS name, MAC address, serial number (no free-form additions)
• Set the length of validity
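The template constraints on this slide are the kind of policy that should be checked before a request ever reaches the CA. The following is an added example, not code from the Cisco deck or from ISE: it models a BYOD template (allowed key sizes, the four permitted SAN kinds, a validity cap) and rejects requests that violate it, including the free-form SAN entries the slide rules out. The template fields, the limits, the request format and the sample requests are assumptions for illustration.

```python
"""Added example (not from the Cisco deck): enforce an ISE-style BYOD certificate
template on a request before it reaches the CA. Field names, limits and the
request format are assumptions for illustration, not ISE's API."""
import re
import uuid
from dataclasses import dataclass, field

# SAN kinds a template may populate; anything else is a "free-form add" and is rejected.
ALLOWED_SAN_KINDS = {"uuid", "dns", "mac", "serial"}

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
_DNS_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                     r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_SERIAL_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")

@dataclass
class CertTemplate:
    name: str
    ca: str                                   # "internal" (ISE CA) or "external"
    key_sizes: set = field(default_factory=lambda: {2048, 4096})
    san_kinds: set = field(default_factory=lambda: set(ALLOWED_SAN_KINDS))
    max_validity_days: int = 365

@dataclass
class CertRequest:
    subject_cn: str
    key_bits: int
    validity_days: int
    san: dict                                 # kind -> value, e.g. {"mac": "00:11:22:33:44:55"}

def _valid_uuid(value):
    try:
        return str(uuid.UUID(value)) == value.lower()   # canonical 8-4-4-4-12 form only
    except ValueError:
        return False

_VALIDATORS = {
    "uuid": _valid_uuid,
    "dns": lambda v: bool(_DNS_RE.match(v)),
    "mac": lambda v: bool(_MAC_RE.match(v)),
    "serial": lambda v: bool(_SERIAL_RE.match(v)),
}

def validate_request(tpl, req):
    """Return the list of violations; an empty list means the request conforms."""
    problems = []
    if tpl.ca not in ("internal", "external"):
        problems.append(f"template {tpl.name}: CA must be internal or external")
    if req.key_bits not in tpl.key_sizes:
        problems.append(f"key size {req.key_bits} not in {sorted(tpl.key_sizes)}")
    if not 1 <= req.validity_days <= tpl.max_validity_days:
        problems.append(f"validity {req.validity_days}d exceeds template maximum "
                        f"{tpl.max_validity_days}d")
    if not req.subject_cn:
        problems.append("empty subject CN")
    for kind, value in req.san.items():
        if kind not in ALLOWED_SAN_KINDS or kind not in tpl.san_kinds:
            problems.append(f"SAN kind '{kind}' is not allowed by the template (no free-form adds)")
        elif not _VALIDATORS[kind](value):
            problems.append(f"SAN {kind}={value!r} is malformed")
    return problems

def normalize_mac(mac):
    """Canonical form to embed in the issued SAN: upper-case, colon separated."""
    return ":".join(part.upper() for part in re.split(r"[:-]", mac))

def issue(tpl, req):
    """What the CA would embed, as a dict, or None when the request is rejected."""
    if validate_request(tpl, req):
        return None
    san = dict(req.san)
    if "mac" in san:
        san["mac"] = normalize_mac(san["mac"])
    return {"cn": req.subject_cn, "bits": req.key_bits, "days": req.validity_days, "san": san}

if __name__ == "__main__":
    byod = CertTemplate(name="BYOD_Endpoints", ca="internal")
    good = CertRequest("imran", 2048, 365, {"uuid": str(uuid.uuid4()), "mac": "28-cf-e9-00-11-22"})
    bad = CertRequest("imran", 1024, 730, {"mac": "28:cf:e9:00:11", "email": "imran@example.com"})
    print("good ->", issue(byod, good))
    for problem in validate_request(byod, bad):
        print("rejected:", problem)
```

The validator is deliberately strict about formats (canonical UUID, full six-octet MAC, RFC-style DNS labels) because a SAN value is what the authorization policy later matches on; a template that accepts arbitrary strings there is how a "free-form add" becomes an identity-spoofing path.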
- 22.
MDM Integration
• ISE can query the MDM server using APIs.
• Compliance is based on either:
  – Macro level: the MDM's general Compliant / Not Compliant status, OR
  – Micro level: individual attributes, such as disk encryption enabled, PIN lock enabled, jail-broken status.
• MDM attributes are available for policy conditions.
• "Passive Reassessment": a bulk recheck against the MDM server using a configurable timer. If a periodic recheck shows that a connected device is no longer compliant, Cisco® ISE sends a CoA to terminate the session.
(Figure callouts: Macro level, Micro level, Survivability attribute.)
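To make the passive-reassessment step concrete, here is an added example (not from the Cisco deck and not an MDM vendor's API): it evaluates MDM records at macro and micro level, runs one reassessment pass over a constructed session table, and builds the RADIUS Disconnect-Request (RFC 5176) that an ISE-style policy server would send to the NAD to terminate a session that is no longer compliant. The MDM record fields, the session table and the shared secret are constructed for illustration.

```python
"""Added example (not from the Cisco deck): MDM compliance at macro vs. micro level,
a passive-reassessment pass, and the RADIUS Disconnect-Request (RFC 5176) used as
the CoA that terminates a non-compliant session. MDM fields and sessions are
constructed for illustration, not an MDM vendor's API or ISE's schema."""
import hashlib
import struct
from dataclasses import dataclass

@dataclass
class MdmRecord:
    mac: str
    registered: bool
    compliant: bool        # the MDM's own overall verdict (macro level)
    disk_encrypted: bool   # individual attributes ISE can test itself (micro level)
    pin_lock: bool
    jailbroken: bool

def is_compliant(rec, level="macro"):
    """macro: trust the MDM's overall status; micro: ISE's own rule on individual attributes."""
    if rec is None or not rec.registered:
        return False                      # unknown or unregistered device never passes
    if level == "macro":
        return rec.compliant
    return rec.disk_encrypted and rec.pin_lock and not rec.jailbroken

def reassess(sessions, mdm_lookup, level="macro"):
    """Passive reassessment: bulk recheck of every live session on the timer. Returns the
    session ids whose device is no longer compliant and must be torn down with a CoA."""
    return sorted(sid for sid, (mac, _user) in sessions.items()
                  if not is_compliant(mdm_lookup(mac), level))

# RADIUS attribute types (RFC 2865/2866) and the Disconnect-Request code (RFC 5176)
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44
DISCONNECT_REQUEST = 40

def _avp(attr_type, value):
    value = value.encode() if isinstance(value, str) else value
    assert len(value) <= 253, "RADIUS AVP value too long"
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(secret, identifier, session_id, mac, user):
    """Disconnect-Request: header(4) + Request Authenticator(16) + attributes."""
    attrs = (_avp(USER_NAME, user) + _avp(CALLING_STATION_ID, mac)
             + _avp(ACCT_SESSION_ID, session_id))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 section 3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_radius(packet):
    """Return (code, identifier, {attr_type: value}) for a RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, attrs

def authentic_request(packet, secret):
    """What the NAD does on receipt: recompute the authenticator with its shared secret."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == received

# Constructed sample data
MDM = {
    "28:CF:E9:00:11:22": MdmRecord("28:CF:E9:00:11:22", True, True, True, True, False),
    "F0:D1:A9:00:33:44": MdmRecord("F0:D1:A9:00:33:44", True, True, True, False, False),  # PIN lock removed
    "00:11:22:33:44:55": MdmRecord("00:11:22:33:44:55", True, False, True, True, True),   # jailbroken
}
SESSIONS = {  # Acct-Session-Id -> (Calling-Station-Id, User-Name)
    "0A0B0C01": ("28:CF:E9:00:11:22", "imran"),
    "0A0B0C02": ("F0:D1:A9:00:33:44", "priya"),
    "0A0B0C03": ("00:11:22:33:44:55", "lee"),
    "0A0B0C04": ("DE:AD:BE:EF:00:01", "ghost"),   # never registered with the MDM
}

if __name__ == "__main__":
    secret = b"radius-shared-secret"
    for level in ("macro", "micro"):
        doomed = reassess(SESSIONS, MDM.get, level)
        print(level, "-> terminate", doomed)
        for ident, sid in enumerate(doomed, start=1):
            mac, user = SESSIONS[sid]
            pkt = build_disconnect_request(secret, ident, sid, mac, user)
            print(f"  CoA Disconnect-Request id={ident} len={len(pkt)} for {user}@{mac}")
```

Note that the micro-level rule catches the device whose PIN lock was removed even though the MDM still reports it compliant; which level to trust is a policy decision, not a technical one. The NAD accepts the Disconnect-Request only when the Request Authenticator matches its own computation with the shared secret, which is why a tampered packet or a wrong secret fails in `authentic_request`. Real NADs commonly also require a Message-Authenticator attribute (HMAC-MD5) on CoA traffic; it is omitted here to keep the packet layout readable.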
- 24.
Secure Access: Role-Based, Dynamic Provisioning
(Figure: ISE in numbered steps, driven by who, what, when, where and how: context-aware classification, then context-aware policy enforcement.)
- 25.
Cisco ISE Authentication Policy
Who = 802.1X managed users (Who? How?)
Examples: employees and staff, faculty and students, or extended access to partners and contractors.
Primary authentication methods: 802.1X or agent-based.
- 26.
Multi-Forest Active Directory Support
ISE 1.3 is designed for growing businesses. With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises.
• Support for up to 50 concurrent Active Directory join points.
• No need for a two-way trust relationship between domains.
• Advanced algorithms for dealing with identical usernames across domains.
(Figure: one ISE joined to example-1.com, example-2.com, ... example-n.com.)
- 27.
Terminology
An ISE 1.3 AD instance (join point) corresponds to the single AD configuration of ISE 1.2. A scope is a named selection of instances. In the figure, Scope A selects 3 of the 5 AD instances configured on the ISE.
(Figure: configured instances acs.com, Company-B.com, Company-C.com, Company-D.com and Company-E.com; the acs.com forest contains oceania.acs.com, australia.oceania.acs.com, canberra.australia.oceania.acs.com, amer.acs.com and brazil.south.amer.acs.com.)
- 28.
Authentication Policy
An individual AD instance can be selected as the identity source, or a scope can be selected (All_AD_Instances is a synthetic scope created automatically to select all configured AD instances).
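The effect of selecting a scope in an authentication rule is easiest to see in code. The following is an added example, not from the Cisco deck and not ISE's own identity-resolution logic: five constructed AD instances, a Scope A that selects three of them, the synthetic All_AD_Instances scope, and a resolver that honours UPN and NetBIOS domain markers and reports a bare username that exists in more than one instance of the scope as ambiguous. Instance names, NetBIOS names and user lists are constructed.

```python
"""Added example (not from the Cisco deck): resolving an identity across the AD
instances (join points) selected by a scope, including the identical-username
case. Directories, scopes and resolution rules are constructed for illustration;
ISE's actual identity-resolution settings are not reproduced."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AdInstance:
    name: str           # join point name as configured in ISE
    dns_domain: str     # e.g. "amer.acs.com"
    netbios: str        # e.g. "AMER"
    users: frozenset    # constructed sAMAccountNames

# Five configured instances; Scope A selects three of them (as on the terminology slide)
INSTANCES = {
    "acs.com":       AdInstance("acs.com", "acs.com", "ACS", frozenset({"imran", "priya"})),
    "amer.acs.com":  AdInstance("amer.acs.com", "amer.acs.com", "AMER", frozenset({"imran", "lee"})),
    "Company-B.com": AdInstance("Company-B.com", "company-b.com", "COMPB", frozenset({"bob"})),
    "Company-C.com": AdInstance("Company-C.com", "company-c.com", "COMPC", frozenset({"carol", "lee"})),
    "Company-D.com": AdInstance("Company-D.com", "company-d.com", "COMPD", frozenset({"dave"})),
}
SCOPES = {
    "ScopeA": ["acs.com", "amer.acs.com", "Company-B.com"],
    "All_AD_Instances": list(INSTANCES),   # the synthetic scope ISE creates automatically
}

def parse_identity(identity):
    """Split 'user@dns.domain', 'NETBIOS\\user' or a bare 'user' into (user, domain_hint)."""
    if "@" in identity:
        user, _, dom = identity.rpartition("@")
        return user, ("dns", dom.lower())
    if "\\" in identity:
        dom, _, user = identity.partition("\\")
        return user, ("netbios", dom.upper())
    return identity, None

def resolve(identity, scope_name, reject_ambiguous=True):
    """Return (status, instance_name); status is 'found', 'not_found' or
    'ambiguous' (a bare username that exists in more than one instance of the scope)."""
    user, hint = parse_identity(identity)
    candidates = [INSTANCES[n] for n in SCOPES[scope_name]]
    if hint:   # a domain marker narrows the search to a single join point
        kind, value = hint
        candidates = [i for i in candidates
                      if (i.dns_domain == value if kind == "dns" else i.netbios == value)]
    hits = [i.name for i in candidates if user.lower() in i.users]
    if not hits:
        return "not_found", None
    if len(hits) > 1 and reject_ambiguous:
        return "ambiguous", None
    return "found", hits[0]   # with reject_ambiguous=False this is plain first-match order

if __name__ == "__main__":
    for ident in ("priya", "imran", "imran@amer.acs.com", "ACS\\imran", "lee", "dave"):
        print(f"{ident:20} ScopeA -> {resolve(ident, 'ScopeA')}   "
              f"All -> {resolve(ident, 'All_AD_Instances')}")
```

The `reject_ambiguous` flag is the security-relevant choice: with first-match resolution, a bare "imran" authenticates against whichever instance happens to be listed first, so the password of the wrong account may be accepted. Requiring a UPN or NetBIOS marker, or rejecting the ambiguity outright, keeps the identity bound to one directory.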
- 29.
Authorization Policy
Sample policy (Who?): Permissions = Authorizations
• Employee_iPAD: set VLAN = 30 (Corporate Access)
• Contractor_iPAD: set VLAN = 40 (Internet Only)
- 30.
What is Profiling?
• Collection: the process of collecting data to be used for identifying devices. Uses probes (NMAP, SNMP, HTTP, RADIUS, DHCP, LLDP, NetFlow) to collect device attributes.
• Classification: classifies the endpoint based on its device fingerprint.
- 31.
ISE Authorization: Smartphones and Corporate Policy
Permissions = Authorizations (Who = Employee; What = ?)
• Employee Phone: set VLAN = 601 (Internet Only)
• Employee PC: set VLAN = 603 (Full Access)
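Slides 29 to 31 describe profiling feeding authorization. The following added example (not from the Cisco deck and not ISE's profiler library) shows the two halves together: a certainty-factor profiler that classifies a device from attributes the DHCP, HTTP and RADIUS probes would collect, and a first-match authorization policy that maps identity group plus profile to the VLAN assignments on the slides and returns the RADIUS tunnel attributes a NAD needs. The OUI prefixes, fingerprint rules, certainty values and endpoint samples are constructed for illustration.

```python
"""Added example (not from the Cisco deck): a certainty-factor profiler feeding a
first-match authorization policy that returns RADIUS VLAN attributes. OUIs,
fingerprint rules, certainty values and endpoints are constructed, not ISE's
profiler library."""
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)   # merged output of the probes

# Profiler policies: (profile name, minimum certainty, [(condition, certainty factor), ...]).
def _oui_in(prefixes):
    return lambda a: a.get("mac", "")[:8].upper() in prefixes

def _contains(attr, needle):
    return lambda a: needle.lower() in a.get(attr, "").lower()

APPLE_OUIS = {"28:CF:E9", "F0:D1:A9"}          # constructed, illustrative only
PROFILES = [
    ("Apple-iPad", 40, [(_oui_in(APPLE_OUIS), 10), (_contains("http_user_agent", "iPad"), 30),
                        (_contains("dhcp_host_name", "iPad"), 20)]),
    ("Apple-iPhone", 40, [(_oui_in(APPLE_OUIS), 10), (_contains("http_user_agent", "iPhone"), 30),
                          (_contains("dhcp_host_name", "iPhone"), 20)]),
    ("Windows-Workstation", 30, [(_contains("dhcp_class_identifier", "MSFT"), 20),
                                 (_contains("http_user_agent", "Windows NT"), 20)]),
]

def profile(endpoint):
    """Sum the certainty of matching conditions per profile; return the best profile
    that reaches its minimum certainty, else 'Unknown'."""
    best, best_score = "Unknown", 0
    a = dict(endpoint.attrs, mac=endpoint.mac)
    for name, minimum, conditions in PROFILES:
        score = sum(cf for cond, cf in conditions if cond(a))
        if score >= minimum and score > best_score:
            best, best_score = name, score
    return best, best_score

# Authorization policy: evaluated top to bottom, first matching rule wins.
SMARTPHONES = {"Apple-iPhone"}
AUTHZ_RULES = [
    ("Employee_iPad",   lambda g, p: g == "Employee" and p == "Apple-iPad",           30),
    ("Contractor_iPad", lambda g, p: g == "Contractor" and p == "Apple-iPad",         40),
    ("Employee_Phone",  lambda g, p: g == "Employee" and p in SMARTPHONES,            601),
    ("Employee_PC",     lambda g, p: g == "Employee" and p == "Windows-Workstation",  603),
]

def vlan_attributes(vlan):
    """RADIUS attributes for dynamic VLAN assignment (RFC 2868 tunnel attributes, RFC 3580 usage)."""
    return {"Tunnel-Type": 13,                   # attribute 64: VLAN
            "Tunnel-Medium-Type": 6,             # attribute 65: IEEE-802
            "Tunnel-Private-Group-ID": str(vlan)}  # attribute 81

def authorize(identity_group, endpoint):
    """Return (rule name, RADIUS attributes); ('Default', None) means no rule matched."""
    prof, _ = profile(endpoint)
    for name, cond, vlan in AUTHZ_RULES:
        if cond(identity_group, prof):
            return name, vlan_attributes(vlan)
    return "Default", None

# Constructed endpoints, as the probes would have seen them
IPAD = Endpoint("28:CF:E9:AA:BB:01", {"dhcp_host_name": "Imrans-iPad",
                                     "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 8_1 like Mac OS X)"})
IPHONE = Endpoint("F0:D1:A9:AA:BB:02", {"http_user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)"})
PC = Endpoint("00:50:56:AA:BB:03", {"dhcp_class_identifier": "MSFT 5.0",
                                   "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)"})
UNKNOWN = Endpoint("28:CF:E9:AA:BB:04", {})     # an Apple OUI alone is below every minimum certainty

if __name__ == "__main__":
    for group, ep in (("Employee", IPAD), ("Contractor", IPAD), ("Employee", IPHONE),
                      ("Employee", PC), ("Employee", UNKNOWN), ("Contractor", PC)):
        print(group, profile(ep), "->", authorize(group, ep))
```

Two points worth noticing: the minimum-certainty threshold is what keeps an endpoint with only a spoofable OUI from being profiled as a corporate device, and the policy ends with a default rule rather than silently falling through, so an unprofiled employee device gets no VLAN at all instead of the most permissive one.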
- 32.
What is Posture?
Posture is the state of compliance with the company's security policy.
• Is the system running the current Windows patches?
• Do you have anti-virus software installed? Is it up to date?
• Do you have anti-spyware software installed? Is it up to date?
- 33.
Cisco ISE Posture: Policy Example
• Corporate policy: must have Kaspersky AV installed; automatic remediation enforced.
• Guest policy: must have AV installed, but it can be from any vendor.
- 34.
Cisco ISE Posture Agents: Cisco NAC Agent, Cisco AnyConnect 4.0
- 36.
Tree View
(Figure: the authentications tree view, grouped by AuthC protocols and identity store.)
- 37.
Filters in Live Log & Live Sessions
- 38.
Off-Line Examination of Configuration
• Exportable policy (quick link to the export page)
- 39.
Exports as XML
- 40.
Only Cisco ISE delivers ...
• Consistent Secure Access: simplified, unified policy management for access.
• A Solid Foundation Today & Tomorrow: innovation and market leadership in NAC, at the core of Cisco security and solutions.
• Unparalleled Visibility & Context: get a clearer picture of who and what is on your network.
• Advanced Threat Containment: detect threats from compromised devices via health checks and SIEM/TD.