Cisco ISE for BYOD and Secure Unified Access

Plan and deploy identity-based secure access for BYOD and borderless networks   Using Cisco Secure Unified Access Architecture and Cisco Identity Services Engine, you can secure and regain control of borderless networks in a Bring Your Own Device (BYOD) world. This book covers the complete lifecycle of protecting a modern borderless network using these advanced solutions, from planning an architecture through deployment, management, and troubleshooting.   Cisco ISE for BYOD and Secure Unified Access begins by reviewing the business case for an identity solution. Next, you’ll walk through identifying users, devices, and security posture; gain a deep understanding of Cisco’s Secure Unified Access solution; and master powerful techniques for securing borderless networks, from device isolation to protocol-independent network segmentation.   You’ll find in-depth coverage of all relevant technologies and techniques, including 802.1X, profiling, device onboarding, guest lifecycle management, network admission control, RADIUS, and Security Group Access. Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors present detailed sample configurations to help you plan your own integrated identity solution. Whether you’re a technical professional or an IT manager, this guide will help you provide reliable secure access for BYOD, CYOD (Choose Your Own Device), or any IT model you choose.   Review the new security challenges associated with borderless networks, ubiquitous mobility, and consumerized IT Understand the building blocks of an Identity Services Engine (ISE) solution Design an ISE-Enabled network, plan/distribute ISE functions, and prepare for rollout Build context-aware security policies Configure device profiling, endpoint posture assessments, and guest services Implement secure guest lifecycle management, from WebAuth to sponsored guest access Configure ISE, network access devices, and supplicants, step-by-step Walk through a phased deployment that ensures zero downtime Apply best practices to avoid the pitfalls of BYOD secure access Simplify administration with self-service onboarding and registration Deploy Security Group Access, Cisco’s tagging enforcement solution Add Layer 2 encryption to secure traffic flows Use Network Edge Access Topology to extend secure access beyond the wiring closet Monitor, maintain, and troubleshoot ISE and your entire Secure Unified Access system  

Table of Contents:
Introduction xxvi Section I The Evolution of Identity Enabled Networks Chapter 1 Regain Control of Your IT Security 1     Security: A Weakest-Link Problem with Ever More Links 2     Cisco Identity Services Engine 3         Sources for Providing Identity and Context Awareness 4         Unleash the Power of Centralized Policy 5     Summary 6 Chapter 2 Introducing Cisco Identity Services Engine 7     Systems Approach to Centralized Network Security Policy 7     What Is the Cisco Identity Services Engine? 9     ISE Authorization Rules 12     Summary 13 Section II The Blueprint, Designing an ISE Enabled Network Chapter 3 The Building Blocks in an Identity Services Engine Design 15     ISE Solution Components Explained 15         Infrastructure Components 16         Policy Components 20         Endpoint Components 20     ISE Personas 21     ISE Licensing, Requirements, and Performance 22         ISE Licensing 23         ISE Requirements 23         ISE Performance 25     ISE Policy-Based Structure Explained 27     Summary 28 Chapter 4 Making Sense of All the ISE Deployment Design Options 29     Centralized Versus Distributed Deployment 29         Centralized Deployment 30         Distributed Deployment 32     Summary 35 Chapter 5 Following a Phased Deployment 37     Why Use a Phased Deployment Approach? 37     Monitor Mode 38     Choosing Your End-State Mode 40         End-State Choice 1: Low-Impact Mode 42         End-State Choice 2: Closed Mode 44     Transitioning from Monitor Mode into an End-State Mode 45     Summary 46 Section III The Foundation, Building a Context-Aware Security Policy Chapter 6 Building a Cisco ISE Network Access Security Policy 47     What Makes Up a Cisco ISE Network Access Security Policy? 47         Network Access Security Policy Checklist 48     Involving the Right People in the Creation of the Network Access Security Policy 49     Determining the High-Level Goals for Network Access Security 51     Common High-Level Network Access Security Goals 52     Defining the Security Domains 55     Understanding and Defining ISE Authorization Rules 57         Commonly Configured Rules and Their Purpose 58     Establishing Acceptable Use Policies 59     Defining Network Access Privileges 61         Enforcement Methods Available with ISE 61         Commonly Used Network Access Security Policies 62     Summary 65 Chapter 7 Building a Device Security Policy 67     Host Security Posture Assessment Rules to Consider 67         Sample NASP Format for Documenting ISE Posture Requirements 72         Common Checks, Rules, and Requirements 74         Method for Adding Posture Policy Rules 74         Research and Information 75         Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization 76         Method for Determining Which Posture Policy Rules a Particular Security Requirement Should Be Applied To 77         Method for Deploying and Enforcing Security Requirements 78     ISE Device Profiling 79         ISE Profiling Policies 80         ISE Profiler Data Sources 81         Using Device Profiles in Authorization Rules 82     Summary 82 Chapter 8 Building an ISE Accounting and Auditing Policy 83     Why You Need Accounting and Auditing for ISE 83     Using PCI DSS as Your ISE Auditing Framework 84         ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords 87         ISE Policy for PCI 10.2 and 10.3: Audit Log Collection 89         ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Log Data 90         ISE Policy for PCI 10.6: Review Audit Data Regularly 91     Cisco ISE User Accounting 92     Summary 94 Section IV Configuration Chapter 9 The Basics: Principal Configuration Tasks for Cisco ISE 95     Bootstrapping Cisco ISE 95     Using the Cisco ISE Setup Assistant Wizard 98     Configuring Network Devices for ISE 106         Wired Switch Configuration Basics 106         Wireless Controller Configuration Basics 109     Completing the Basic ISE Setup 113         Install ISE Licenses 113         ISE Certificates 114     Installing ISE Behind a Firewall 116     Role-Based Access Control for Administrators 121         RBAC for ISE GUI 121         RBAC: Session and Access Settings and Restrictions 121         RBAC: Authentication 123         RBAC: Authorization 124     Summary 126 Chapter 10 Profiling Basics 127     Understanding Profiling Concepts 127         Probes 130         Probe Configuration 130         Deployment Considerations 133         DHCP 134         Deployment Considerations 135         NetFlow 137         Deployment Considerations 137         RADIUS 137         Deployment Considerations 138         Network Scan (NMAP) 138         Deployment Considerations 139         DNS 139         Deployment Considerations 139         SNMP 140         Deployment Considerations 140         IOS Device-Sensor 141         Change of Authorization 142         CoA Message Types 142         Configuring Change of Authorization in ISE 143         Infrastructure Configuration 144         DHCP Helper 145         SPAN Configuration 145         VLAN Access Control Lists (VACL) 146         VMware Configurations to Allow Promiscuous Mode 148         Best Practice Recommendations 149     Examining Profiling Policies 152         Endpoint Profile Policies 152         Cisco IP Phone 7970 Example 155     Using Profiles in Authorization Policies 161         Endpoint Identity Groups 161         EndPointPolicy 163         Logical Profiles 164     Feed Service 166         Configuring the Feed Service 166     Summary 168 Chapter 11 Bootstrapping Network Access Devices 169     Bootstrap Wizard 169     Cisco Catalyst Switches 170         Global Configuration Settings for All Cisco IOS 12.2 and 15.x Switches 170         Configure Certificates on a Switch 170         Enable the Switch HTTP/HTTPS Server 170         Global AAA Commands 171         Global RADIUS Commands 172         Create Local Access Control Lists 174         Global 802.1X Commands 175         Global Logging Commands (Optional) 175         Global Profiling Commands 177         Interface Configuration Settings for All Cisco Switches 179         Configure Interfaces as Switch Ports 179         Configure Flexible Authentication and High Availability 179         Configure Authentication Settings 182         Configure Authentication Timers 184         Apply the Initial ACL to the Port and Enable Authentication 184     Cisco Wireless LAN Controllers 184         Configure the AAA Servers 185         Add the RADIUS Authentication Servers 185         Add the RADIUS Accounting Servers 186         Configure RADIUS Fallback (High Availability) 187         Configure the Airespace ACLs 188         Create the Web Authentication Redirection ACL 188         Create the Posture Agent Redirection ACL 191         Create the Dynamic Interfaces for the Client VLANs 193         Create the Employee Dynamic Interface 193         Create the Guest Dynamic Interface 194         Create the Wireless LANs 195         Create the Guest WLAN 195         Create the Corporate SSID 199     Summary 202 Chapter 12 Authorization Policy Elements 205     Authorization Results 206         Configuring Authorization Downloadable ACLs 207         Configuring Authorization Profiles 209     Summary 212 Chapter 13 Authentication and Authorization Policies 215     Relationship Between Authentication and Authorization 215     Authentication Policies 216         Goals of an Authentication Policy 216         Accept Only Allowed Protocols 216         Route to the Correct Identity Store 216         Validate the Identity 217         Pass the Request to the Authorization Policy 217     Understanding Authentication Policies 217         Conditions 218         Allowed Protocols 220         Identity Store 224         Options 224         Common Authentication Policy Examples 224         Using the Wireless SSID 225         Remote-Access VPN 228         Alternative ID Stores Based on EAP Type 230     Authorization Policies 232         Goals of Authorization Policies 232         Understanding Authorization Policies 233         Role-Specific Authorization Rules 237         Authorization Policy Example 237         Employee and Corporate Machine Full-Access Rule 238         Internet Only for iDevices 240         Employee Limited Access Rule 243     Saving Attributes for Re-Use 246     Summary 248 Chapter 14 Guest Lifecycle Management 249     Guest Portal Configuration 251         Configuring Identity Source(s) 252     Guest Sponsor Configuration 254         Guest Time Profiles 254         Guest Sponsor Groups 255         Sponsor Group Policies 257     Authentication and Authorization Guest Policies 258         Guest Pre-Authentication Authorization Policy 258         Guest Post-Authentication Authorization Policy 262     Guest Sponsor Portal Configuration 263         Guest Portal Interface and IP Configuration 264         Sponsor and Guest Portal Customization 264         Customize the Sponsor Portal 264         Creating a Simple URL for Sponsor Portal 265         Guest Portal Customization 265         Customizing Portal Theme 266         Creating Multiple Portals 268     Guest Sponsor Portal Usage 271         Sponsor Portal Layout 271         Creating Guest Accounts 273         Managing Guest Accounts 273     Configuration of Network Devices for Guest CWA 274         Wired Switches 274         Wireless LAN Controllers 275     Summary 277 Chapter 15 Device Posture Assessment 279     ISE Posture Assessment Flow 280     Configure Global Posture and Client Provisioning Settings 283         Posture Client Provisioning Global Setup 283         Posture Global Setup 285         General Settings 285         Reassessments 286         Updates 287         Acceptable Use Policy 287     Configure the NAC Agent and NAC Client Provisioning Settings 288     Configure Posture Conditions 289     Configure Posture Remediation 292     Configure Posture Requirements 295     Configure Posture Policy 296     Enabling Posture Assessment in the Network 298     Summary 299 Chapter 16 Supplicant Configuration 301     Comparison of Popular Supplicants 302         Configuring Common Supplicants 303         Mac OS X 10.8.2 Native Supplicant Configuration 303         Windows GPO Configuration for Wired Supplicant 305         Windows 7 Native Supplicant Configuration 309         Cisco AnyConnect Secure Mobility Client NAM 312     Summary 317 Chapter 17 BYOD: Self-Service Onboarding and Registration 319     BYOD Challenges 320     Onboarding Process 322         BYOD Onboarding 322         Dual SSID 322         Single SSID 323         Configuring NADs for Onboarding 324         ISE Configuration for Onboarding 329         End-User Experience 330         Configuring ISE for Onboarding 347         BYOD Onboarding Process Detailed 357         MDM Onboarding 367         Integration Points 367         Configuring MDM Integration 368         Configuring MDM Onboarding Policies 369     Managing Endpoints 372         Self Management 373         Administrative Management 373     The Opposite of BYOD: Identify Corporate Systems 374         EAP Chaining 375     Summary 376 Chapter 18 Setting Up a Distributed Deployment 377     Configuring ISE Nodes in a Distributed Environment 377         Make the Policy Administration Node a Primary Device 377         Register an ISE Node to the Deployment 379         Ensure the Persona of All Nodes Is Accurate 381     Understanding the HA Options Available 382         Primary and Secondary Nodes 382         Monitoring and Troubleshooting Nodes 382         Policy Administration Nodes 384         Promoting the Secondary PAN to Primary 385     Node Groups 385         Create a Node Group 386         Add the Policy Services Nodes to the Node Group 387     Using Load Balancers 388         General Guidelines 388         Failure Scenarios 389     Summary 390 Chapter 19 Inline Posture Node 391     Use Cases for the Inline Posture Node 391         Overview of IPN Functionality 392         IPN Configuration 393         IPN Modes of Operation 393     Summary 394 Section V Deployment Best Practices Chapter 20 Deployment Phases 395     Why Use a Phased Approach? 395         A Phased Approach 397         Authentication Open Versus Standard 802.1X 398     Monitor Mode 399         Prepare ISE for a Staged Deployment 401         Create the Network Device Groups 401         Create the Policy Sets 403     Low-Impact Mode 404     Closed Mode 406     Transitioning from Monitor Mode to Your End State 408     Wireless Networks 409     Summary 410 Chapter 21 Monitor Mode 411     Endpoint Discovery 412         SNMP Trap Method 413         Configuring the ISE Probes 414         Adding the Network Device to ISE 416         Configuring the Switches 418         RADIUS with SNMP Query Method 420         Configuring the ISE Probes 420         Adding the Network Device to ISE 421         Configuring the Switches 422         Device Sensor Method 424         Configuring the ISE Probes 425         Adding the Network Device to ISE 425         Configuring the Switches 426     Using Monitoring to Identify Misconfigured Devices 428         Tuning the Profiling Policies 428         Creating the Authentication Policies for Monitor Mode 430         Creating Authorization Policies for Non-Authenticating Devices 433         IP-Phones 433         Wireless APs 435         Printers 436         Creating Authorization Policies for Authenticating Devices 438         Machine Authentication (Machine Auth) 438         User Authentications 439         Default Authorization Rule 440     Summary 441 Chapter 22 Low-Impact Mode 443     Transitioning from Monitor Mode to Low-Impact Mode 445     Configuring ISE for Low-Impact Mode 446         Set Up the Low-Impact Mode Policy Set in ISE 446         Duplicate the Monitor Mode Policy Set 446         Create the Web Authentication Authorization Result 448         Configure the Web Authentication Identity Source Sequence 451         Modify the Default Rule in the Low-Impact Policy Set 451         Assign the WLCs and Switches to the Low-Impact Stage NDG 452         Modify the Default Port ACL on the Switches That Will Be Part of Low-Impact Mode 453     Monitoring in Low-Impact Mode 454     Tightening Security 454         Creating AuthZ Policies for the Specific Roles 454         Change Default Authentication Rule to Deny Access 456         Moving Switch Ports from Multi-Auth to Multi-Domain 457     Summary 458 Chapter 23 Closed Mode 459     Transitioning from Monitor Mode to Closed Mode 461     Configuring ISE for Closed Mode 461         Set Up the Closed Mode Policy Set in ISE 461         Duplicate the Monitor Mode Policy Set 462         Create the Web Authentication Authorization Result 463         Configure the Web Authentication Identity Source Sequence 466         Modify the Default Rule in the Closed Policy Set 467         Assign the WLCs and Switches to the Closed Stage NDG 468         Modify the Default Port ACL on the Switches That Will Be Part of Closed Mode 469     Monitoring in Closed Mode 469     Tightening Security 469         Creating Authorization Policies for the Specific Roles 470         Change Default Authentication Rule to Deny Access 472         Moving Switch Ports from Multi-Auth to MDA 473     Summary 474 Section VI Advanced Secure Unified Access Features Chapter 24 Advanced Profiling Configuration 475     Creating Custom Profiles for Unknown Endpoints 475         Identifying Unique Values for an Unknown Device 476         Collecting Information for Custom Profiles 478         Creating Custom Profiler Conditions 479         Creating Custom Profiler Policies 480     Advanced NetFlow Probe Configuration 481         Commonly Used NetFlow Attributes 483         Example Profiler Policy Using NetFlow 483         Designing for Efficient Collection of NetFlow Data 484         Configuration of NetFlow on Cisco Devices 485 Profiler COA and Exceptions 488         Types of CoA 489         Creating Exceptions Actions 489         Configuring CoA and Exceptions in Profiler Policies 490     Profiler Monitoring and Reporting 491     Summary 494 Chapter 25 Security Group Access 495     Ingress Access Control Challenges 495         VLAN Assignment 495         Ingress Access Control Lists 498     What Is Security Group Access? 499         So, What Is a Security Group Tag? 500         Defining the SGTs 501         Classification 504         Dynamically Assigning SGT via 802.1X 504         Manually Assigning SGT at the Port 506         Manually Binding IP Addresses to SGTs 506         Access Layer Devices That Do Not Support SGTs 507     Transport: Security Group eXchange Protocol (SXP) 508         SXP Design 508         Configuring SXP on IOS Devices 509         Configuring SXP on Wireless LAN Controllers 511         Configuring SXP on Cisco ASA 513     Transport: Native Tagging 516         Configuring Native SGT Propogation (Tagging) 517         Configuring SGT Propagation on Cisco IOS Switches 518         Configuring SGT Propagation on a Catalyst 6500 520         Configuring SGT Propagation on a Nexus Series Switch 522     Enforcement 523         SGACL 524         Creating the SG-ACL in ISE 526         Configure ISE to Allow the SGACLs to Be Downloaded 531         Configure the Switches to Download SGACLs from ISE 532         Validating the PAC File and CTS Data Downloads 533         Security Group Firewalls 535         Security Group Firewall on the ASA 535         Security Group Firewall on the ISR and ASR 543     Summary 546 Chapter 26 MACSec and NDAC 547     MACSec 548         Downlink MACSec 549         Switch Configuration Modes 551         ISE Configuration 552         Uplink MACSec 553     Network Device Admission Control 557         Creating an NDAC Domain 558         Configuring ISE 558         Configuring the Seed Device 562         Adding Non-Seed Switches 564         Configuring the Switch Interfaces for Both Seed and Non-Seed 566         MACSec Sequence in an NDAC Domain 567     Summary 568 Chapter 27 Network Edge Authentication Topology 569     NEAT Explained 570     Configuring NEAT 571         Preparing ISE for NEAT 571         Create the User Identity Group and Identity 571         Create the Authorization Profile 572         Create the Authorization Rule 573         Access Switch (Authenticator) Configuration 574         Desktop Switch (Supplicant) Configuration 574     Summary 575 Section VII Monitoring, Maintenance, and Troubleshooting Chapter 28 Understanding Monitoring and Alerting 577     ISE Monitoring 577         Live Authentications Log 578         Monitoring Endpoints 580         Global Search 581         Monitoring Node in a Distributed Deployment 584         Device Configuration for Monitoring 584     ISE Reporting 585         Data Repository Setup 586     ISE Alarms 587     Summary 588 Chapter 29 Troubleshooting 589     Diagnostics Tools 589         RADIUS Authentication Troubleshooting 589         Evaluate Configuration Validator 591         TCP Dump 594     Troubleshooting Methodology 596         Troubleshooting Authentication and Authorization 596         Option 1: No Live Log Entry Exists 597         Option 2: An Entry Exists in the Live Log 603         General High-Level Troubleshooting Flowchart 605         Troubleshooting WebAuth and URL Redirection 605         Active Directory Is Disconnected 610         Debug Situations: ISE Logs 611         The Support Bundle 611     Common Error Messages and Alarms 613         EAP Connection Timeout 613         Dynamic Authorization Failed 615         WebAuth Loop 617         Account Lockout 617     ISE Node Communication 617     Summary 618 Chapter 30 Backup, Patching, and Upgrading 619     Repositories 619         Configuring a Repository 619     Backup 625     Restore 628         Patching 629         Upgrading 632     Summary 634 Appendix A Sample User Community Deployment Messaging Material 635 Appendix B Sample ISE Deployment Questionnaire 639 Appendix C Configuring the Microsoft CA for BYOD 645 Appendix D Using a Cisco IOS Certificate Authority for BYOD Onboarding 669 Appendix E Sample Switch Configurations 675 TOC, 9781587143250, 5/15/2013