Identity Services Engine Overview and Update

Identity Services Engine
Abhi Gupta, SE
30 September 2014
Overview & Update

Cisco Public 3© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Identity Services Engine (ISE)
All-in-One Enterprise Policy Control
Who What Where When How
VM client, IP device, guest, employee, remote user
Wired Wireless VPN
Business-Relevant
Policies
Replaces AAA & RADIUS, NAC, guest mgmt & device identity servers
Security Policy Attributes
Identity
Context

Cisco Identity Services Engine (ISE)
How
What
Who
Where
When
Network
Partner
Context Data
Consistent Secure
Access Policy
ISE
Cisco ISE is the Market Leader

ISE Provides Visibility, Context, and Control Across the Entire Continuum
BEFORE
Control
Enforce
Harden
DURING AFTER
Detect
Block
Defend
Scope
Contain
Remediate
Attack Continuum
Firewall
NGFW
NAC + Identity Services
VPN
UTM
NGIPS
Web + Email Security
Advanced Malware Protection
Network Behavior Analysis
pxGrid + ISE Ecosystem
Role of Cisco ISE in the Attack Continuum

Guest Access Management
Easily provide guests limited-time, limited-resource Internet access
BYOD and Enterprise Mobility
Seamlessly & securely onboard devices with the right levels of access
Secure Access across the Entire Network
Simplify & unify enterprise network access policy across wired, wireless, & VPN
With Cisco TrustSec®
Identity-aware Network Segmentation and Access Policy Enforcement
Customer use cases for ISE

Guest Access Flow
Redirection of the guest web session to Cisco®
ISE guest portal for authentication
ISE
Switches
WLC
AP
Imran
********
Sponsor
Local Radius
Workstations Mobile (iPhone)
Guest

Life Cycle Management
Provision Manage Notify Report
Create guest
accounts in the
sponsor portal
Create sponsor
policy
Manage sponsor
groups
Customize portals
Notify guest using
different method
Print
Email
SMS
Report on all
aspects of guest
accounts

Branding with Themes!
Themes give you complete
control over the look and feel of
your sponsor Portal.
Mobile Sponsors
You are free to move about the cabin!
Create a guest account on the fly from your
smartphone / tablet away from your desk.
Streamlined Guest Creation
Set up your sponsor portal to
show only the fields you need for
your business.
Create Accounts Create Accounts
Print Email
SMS
Sponsoring Guests

Guest Receipts with Your Brand
Whether you’re delivering guest credentials
on the printed page, over email or SMS, ISE
makes it easy to deliver your complete
branded experience.
SMS Notifications
Send credentials directly to a guests mobile phone.
Email Notifications
Do you have Guests visiting? Send
them login credentials before they
even arrive!
Your credentials
username: trex42
password: littlearms
Branded Guest Notifications

A Guest Button
With our new navigation, getting
to the Guest admin has never
been easier.
Prepackaged Flows
Ships with the default flows used
by 90% of our customers:
Hotspot, Self-Service (with or
without approval), & Sponsored.
One Stop Setup
Once you’re there, all the pieces
you need are accessed in one
place.
New Guest Portal Admin

End User Visibility
ISE makes the end user
experience crystal clear as it
updates the guest flow
diagram in real time with
each settings change.
Admin Friendly
Through extensive user
research we’re made guest
settings so easy to find that
setting up a guest flow can
be done in just a few clicks.
Guest Portal building made easy

Themes!
Themes give you complete
control over the look and feel of
your guest pages. Use our out-
of-the-box themes or create
your own using ThemeRoller for
jQuery Mobile or standard CSS.
Live Preview
See your pages as the guests
will see them as you customize.
Full Page Control
Use our defaults or customize
every field in multiple languages.
Customize with Themes

BYOD Spectrum
Managed User
Managed Device
Managed User + Unmanaged
Device + Secure +
Compliance
Managed User
Unmanaged Device +
Secure
Managed User
Unmanaged Device
Environment requires
tight controls
Basic services and
easy access for
everyone
Register, configure
connectivity
Company’s native
applications, new
services, and full control

What Does Cisco ISE offer?
Multiple Device
Support
Certificate
Provisioning
Multiple
Network
Topologies
Blacklisting and
Reinstating
of Devices
Self-Registration

 User connects to open SSID
 Redirected to WebAuth portal
 User enters employee or guest credentials
 Guest signs AUP and
gets guest access
 Employee registers device
 Downloads certificate
 Downloads supplicant configuration
 Employee reconnects using EAP-TLS
BYOD Flow
Use Case: Single SSID
BYOD-Secure
Access Point
ISE
Wireless
LAN Controller
AD/LDAP
Personal Asset

Managing certificates for BYOD adds significant
complexity and expense when using Microsoft
Public Key Infrastructure.
The ISE Certificate Authority is designed to
work in concert as a self contained solution or
with your existing Enterprise PKI to simplify
BYOD deployments.
 Single Management Console – Manage endpoints and
their certs. Delete an endpoint ISE deletes the cert.
 Simplified deployment – Supports stand alone and
subordinate deployments. Removes corporate PKI team
from every BYOD interaction.
Native Certificate Authority
Designed for BYOD use-cases only, not a general purpose CA
Optional
Enterprise
Root
Self-Contained
or Optional
Subordinate
Cisco ISE
Certificate
Authority

 PAN is Root CA for the ISE Cube
 All PSNs are Subordinate CA’s to
the PAN
 PSNs are SCEP Registration
Authorities (RA’s)
 ISE PAN may be Subordinate to an
existing Root CA or may be Stand-
Alone Root.
 Promotion of Standby PAN:
 Will not have any effect on operation
of the subordinate CA’s
 For Standby to become Root CA >
must manually install the
Private/Public keys from the Primary
PAN
PKI Hierarchy and Roles
PSN PSNPSNPSN
Primary
ISE CA
Enterprise
Root
(optional)
PAN
Standby PAN
Subordinate CA
SCEP RA
Subordinate CA
SCEP RA
Subordinate CA
SCEP RA
Subordinate CA
SCEP RA

Certificate Template(s)
• Define Internal or External CA
• Set the Key Sizes
• SAN Field Options
• UUID
• DNS Name
• MAC Address
• Serial #
• No Free-Form Adds..
• Set length of validity

• ISE can Query MDM server using APIs
• Compliance based on:
̶ General Compliant or ! Compliant Status
OR
̶ Disk encryption enabled
̶ PIN lock enabled
̶ Jail-broken status
• MDM attributes available for policy conditions
• “Passive Reassessment”: Bulk recheck against the MDM server
using a configurable timer
̶ If the result of a periodic recheck shows that a connected
device is no longer compliant, Cisco® ISE sends a CoA to
terminate the session.
MDM Integration
Macro level
Micro level
Survivability Attribute

Secure Access
Role-Based, Dynamic Provisioning
Context-
Aware
Classification
Context-
Aware Policy
Enforcement
1
2
3
ISE
Who? What? When? Where? How?

Cisco ISE Authentication Policy
Who = 802.1X Managed Users Who? How
Examples: Employees and staff, faculty and students, or extended access to partners and contractors
Primary authentication methods: 802.1X or agent-based

 Support for up to 50 concurrent Active
Directory multi-join points.
 No need for 2-way trust relationship
between domains
 Advanced algorithms for dealing with
identical usernames.
ISE 1.3 is designed for growing businesses. With
support for multiple Active Directory domains, ISE
1.3 enables authentication and attribute collection
across the largest enterprises.
example-1.com
example-2.com
example-n.com
ISE
Multi-Forest Active Directory Support

ScopeA
acs.com
Company-B.com
Company-C.com
Company-D.com
Company-E.com
acs.com
acs.com
oceania.acs.com
australia.oceania.acs.com
canberra.australia.oceania.acs.com
amer.acs.com
brazil.south.amer.acs.com
1.3 AD Instance == 1.2 AD
Scope defines selected instances.
Here we have 3 AD instances for
Scope A out of 5 AD instances
configured on the ISE
Terminology

Authentication Policy
Individual AD
Instance can be
selected
Scopes can be selected
(All_AD_Instances, is a
synthetic scope created
automatically to select all
configured AD instances)

Authorization Policy
Sample Policy
Permissions = Authorizations
• Employee_iPAD Set VLAN = 30 (Corporate Access)
• Contractor_iPAD Set VLAN = 40 (Internet Only)
Who?
Who?

What is Profiling ?
Collection Classification
Classifies based on Device fingerprint
• Process of collecting data to be used
for identifying devices
• Uses Probes for collecting device attributes
NMAP
SNMPHTTP
Radius DHCP
LLDP
NetFlow

ISE Authorization
Smartphones and Corporate Policy
Permissions = Authorizations
• Employee Phone Set VLAN = 601 (Internet Only)
• Employee PC Set VLAN = 603 (Full Access)
Who = EmployeeWhat=?
Who? What?

What is Posture ?
Posture is the state of compliance with the company’s security policy.
• Is the system running the current Windows patches?
• Do you have anti-virus software installed? Is it up to date?
• Do you have anti-spyware software installed? Is it up to date?

Cisco ISE Posture
Policy Example
Corporate Policy:
• Must have Kaspersky AV installed
• Automatic remediation enforced
Guest Policy:
• Must have AV installed but can be ANY vendor

Cisco ISE Posture Agents
Cisco NAC Agent Cisco AnyConnect 4.0

Tree View
AuthC
Protocols
Identity
Store

Filters in Live Log & Live Sessions

Off-Line Examination of Configuration
• Exportable Policy
Quick Link to
Export Page

Exports as XML

Consistent
Secure Access
A Solid Foundation
Today & Tomorrow
Simplified, Unified
Policy Management
for Access
Innovation & Market
Leadership in NAC, at
the core of Cisco
Security & Solutions
Unparalleled
Visibility & Context
Get a Clearer Picture
of Who and What Is
On Your Network
Detect Threats from
Compromised
Devices via Health
Checks & SIEM/TD
Advanced Threat
Containment
Only Cisco ISE delivers …

Abhi Gupta, SE
abhigup@cisco.com
Rob Bleeker, CSE
robleeke@cisco.com

Identity Services Engine Overview and Update

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Identity Services Engine Overview and Update

Ähnlich wie Identity Services Engine Overview and Update (20)

Mehr von Cisco Canada

Mehr von Cisco Canada (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Identity Services Engine Overview and Update