Cisco ISE for BYOD and Secure Unified Access
International Edition


About the Book

Fully updated: the complete guide to Cisco Identity Services Engine solutions. Using Cisco Secure Access Architecture and Cisco Identity Services Engine, you can secure and gain control of access to your networks in a Bring Your Own Device (BYOD) world. This second edition of Cisco ISE for BYOD and Secure Unified Access contains more than eight brand-new chapters as well as extensively updated coverage of all the topics in the first edition, reflecting the latest technologies, features, and best practices of the ISE solution. It begins by reviewing today's business case for identity solutions. Next, you walk through ISE foundational topics and ISE design. Then you explore how to build an access security policy using the building blocks of ISE. Next are the in-depth and advanced ISE configuration sections, followed by the troubleshooting and monitoring chapters. Finally, the book goes in depth on the TACACS+ device administration solution, which is new to both ISE and this second edition. With this book, you will gain an understanding of ISE configuration, such as identifying users, devices, and security posture; learn about Cisco Secure Access solutions; and master advanced techniques for securing access to networks, from dynamic segmentation to guest access and everything in between. Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors offer in-depth coverage of the complete lifecycle for all relevant ISE solutions, making this book a cornerstone resource whether you're an architect, engineer, operator, or IT manager.

  • Review evolving security challenges associated with borderless networks, ubiquitous mobility, and consumerized IT
  • Understand Cisco Secure Access, the Identity Services Engine (ISE), and the building blocks of complete solutions
  • Design an ISE-enabled network, plan/distribute ISE functions, and prepare for rollout
  • Build context-aware security policies for network access, devices, accounting, and audit
  • Configure device profiles, visibility, endpoint posture assessments, and guest services
  • Implement secure guest lifecycle management, from WebAuth to sponsored guest access
  • Configure ISE, network access devices, and supplicants, step by step
  • Apply best practices to avoid the pitfalls of BYOD secure access
  • Set up efficient distributed ISE deployments
  • Provide remote access VPNs with ASA and Cisco ISE
  • Simplify administration with self-service onboarding and registration
  • Deploy security group access with Cisco TrustSec
  • Prepare for high availability and disaster scenarios
  • Implement passive identities via ISE-PIC and EZ Connect
  • Implement TACACS+ using ISE
  • Monitor, maintain, and troubleshoot ISE and your entire Secure Access system
  • Administer device AAA with Cisco IOS, WLC, and Nexus

Table of Contents:
Introduction xxix

Part I Identity-Enabled Network: Unite!

Chapter 1 Regain Control of Your IT Security 1
  • Security: Still a Weakest-Link Problem 2
  • Cisco Identity Services Engine 3
  • Sources for Providing Identity and Context Awareness 5
  • Unleash the Power of Centralized Policy 6
  • Summary 8

Chapter 2 Fundamentals of AAA 9
  • Triple-A 10
  • Compare and Select AAA Options 10
  • Device Administration 11
  • Network Access 12
  • TACACS+ 13
  • TACACS+ Authentication Messages 14
  • TACACS+ Authorization and Accounting Messages 15
  • RADIUS 17
  • AV Pairs 20
  • Change of Authorization 20
  • Comparing RADIUS and TACACS+ 21
  • Summary 21

Chapter 3 Introducing Cisco Identity Services Engine 23
  • Architecture Approach to Centralized and Dynamic Network Security Policy Enforcement 23
  • Cisco Identity Services Engine Features and Benefits 26
  • ISE Platform Support and Compatibility 30
  • Cisco Identity Services Engine Policy Construct 30
  • ISE Authorization Rules 33
  • Summary 34

Part II The Blueprint, Designing an ISE-Enabled Network

Chapter 4 The Building Blocks in an Identity Services Engine Design 35
  • ISE Solution Components Explained 35
  • Infrastructure Components 36
  • Policy Components 42
  • Endpoint Components 42
  • ISE Personas 43
  • ISE Licensing, Requirements, and Performance 45
  • ISE Licensing 45
  • ISE Requirements 46
  • ISE Performance 47
  • ISE Policy-Based Structure Explained 48
  • Summary 49

Chapter 5 Making Sense of the ISE Deployment Design Options 51
  • Centralized Versus Distributed Deployment 52
  • Centralized Deployment 52
  • Distributed Deployment 55
  • Summary 58

Chapter 6 Quick Setup of an ISE Proof of Concept 59
  • Deploy ISE for Wireless in 15 Minutes 59
  • Wireless Setup Wizard Configuration 60
  • Guest Self-Registration Wizard 61
  • Secure Access Wizard 65
  • Bring Your Own Device (BYOD) Wizard 67
  • Deploy ISE to Gain Visibility in 15 Minutes 69
  • Visibility Setup Wizard 69
  • Configuring Cisco Switches to Send ISE Profiling Data 73
  • Summary 75

Part III The Foundation, Building a Context-Aware Security Policy

Chapter 7 Building a Cisco ISE Network Access Security Policy 77
  • Components of a Cisco ISE Network Access Security Policy 78
  • Network Access Security Policy Checklist 79
  • Involving the Right People in the Creation of the Network Access Security Policy 79
  • Determining the High-Level Goals for Network Access Security 81
  • Common High-Level Network Access Security Goals 82
  • Network Access Security Policy Decision Matrix 84
  • Defining the Security Domains 85
  • Understanding and Defining ISE Authorization Rules 87
  • Commonly Configured Rules and Their Purpose 88
  • Establishing Acceptable Use Policies 89
  • Host Security Posture Assessment Rules to Consider 91
  • Sample NASP Format for Documenting ISE Posture Requirements 96
  • Common Checks, Rules, and Requirements 97
  • Method for Adding Posture Policy Rules 98
  • Research and Information 98
  • Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization 99
  • Method for Determining What Posture Policy Rules a Particular Security Requirement Should Be Applied To 100
  • Method for Deploying and Enforcing Security Requirements 101
  • Defining Dynamic Network Access Privileges 102
  • Enforcement Methods Available with ISE 102
  • Commonly Used Network Access Policies 103
  • Summary 105

Chapter 8 Building a Device Security Policy 107
  • ISE Device Profiling 107
  • ISE Profiling Policies 109
  • ISE Profiler Data Sources 110
  • Using Device Profiles in Authorization Rules 111
  • Threat-Centric NAC 111
  • Using TC-NAC as Part of Your Incident Response Process 113
  • Summary 116

Chapter 9 Building an ISE Accounting and Auditing Policy 117
  • Why You Need Accounting and Auditing for ISE 117
  • Using PCI DSS as Your ISE Auditing Framework 118
  • ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords 126
  • ISE Policy for PCI 10.2 and 10.3: Audit Log Collection 128
  • ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Audit Log Data 129
  • ISE Policy for PCI 10.6: Review Audit Data Regularly 130
  • Cisco ISE User Accounting 131
  • Summary 132

Part IV Let's Configure!

Chapter 10 Profiling Basics and Visibility 133
  • Understanding Profiling Concepts 133
  • ISE Profiler Work Center 137
  • ISE Profiling Probes 137
  • Probe Configuration 138
  • DHCP and DHCPSPAN Probes 140
  • RADIUS Probe 142
  • Network Scan (NMAP) Probe 143
  • DNS Probe 147
  • SNMPQUERY and SNMPTRAP Probes 148
  • Active Directory Probe 149
  • HTTP Probe 150
  • HTTP Profiling Without Probes 152
  • NetFlow Probe 152
  • Infrastructure Configuration 153
  • DHCP Helper 153
  • SPAN Configuration 156
  • VLAN ACL Captures 157
  • Device Sensor 157
  • VMware Configurations to Allow Promiscuous Mode 159
  • Profiling Policies 160
  • Profiler Feed Service 160
  • Configuring the Profiler Feed Service 160
  • Verifying the Profiler Feed Service 162
  • Offline Manual Update 164
  • Endpoint Profile Policies 167
  • Context Visibility 169
  • Logical Profiles 178
  • ISE Profiler and CoA 179
  • Global CoA 180
  • Per-Profile CoA 181
  • Global Profiler Settings 182
  • Configure SNMP Settings for Probes 182
  • Endpoint Attribute Filtering 182
  • NMAP Scan Subnet Exclusions 183
  • Profiles in Authorization Policies 183
  • Endpoint Identity Groups 183
  • EndPointPolicy 187
  • Importing Profiles 187
  • Verifying Profiling 189
  • The Dashboard 189
  • Endpoints Dashboard 189
  • Context Visibility 190
  • Device Sensor Show Commands 191
  • Triggered NetFlow: A Woland-Santuka Pro Tip 191
  • Summary 194

Chapter 11 Bootstrapping Network Access Devices 195
  • Cisco Catalyst Switches 195
  • Global Configuration Settings for Classic IOS and IOS 15.x Switches 196
  • Configure Certificates on a Switch 196
  • Enable the Switch HTTP/HTTPS Server 197
  • Global AAA Commands 198
  • Global RADIUS Commands 199
  • Create Local Access Control Lists for Classic IOS and IOS 15.x 202
  • Global 802.1X Commands 204
  • Global Logging Commands (Optional) 204
  • Global Profiling Commands 205
  • Interface Configuration Settings for Classic IOS and IOS 15.x Switches 207
  • Configure Interfaces as Switch Ports 208
  • Configure Flexible Authentication and High Availability 208
  • Configure Authentication Settings 211
  • Configure Authentication Timers 212
  • Apply the Initial ACL to the Port and Enable Authentication 213
  • Configuration Settings for C3PL Switches 213
  • Why Use C3PL? 213
  • Global Configuration for C3PL 216
  • Global RADIUS Commands for C3PL 217
  • Configure Local ACLs and Local Service Templates 219
  • Global 802.1X Commands 220
  • C3PL Fundamentals 221
  • Configure the C3PL Policies 222
  • Cisco Wireless LAN Controllers 225
  • AireOS Features and Version History 225
  • Configure the AAA Servers 226
  • Add the RADIUS Authentication Servers 226
  • Add the RADIUS Accounting Servers 227
  • Configure RADIUS Fallback (High Availability) 229
  • Configure the Airespace ACLs 229
  • Create the Web Authentication Redirection ACL 230
  • Add Google URLs for ACL Bypass 231
  • Create the Dynamic Interfaces for the Client VLANs 232
  • Create the Employee Dynamic Interface 233
  • Create the Guest Dynamic Interface 234
  • Create the Wireless LANs 236
  • Create the Guest WLAN 236
  • Create the Corporate SSID 240
  • Summary 245

Chapter 12 Network Authorization Policy Elements 247
  • ISE Authorization Policy Elements 247
  • Authorization Results 251
  • Configuring Authorization Downloadable ACLs 251
  • Configuring Authorization Profiles 253
  • Summary 256

Chapter 13 Authentication and Authorization Policies 257
  • Relationship Between Authentication and Authorization 257
  • Enable Policy Sets 258
  • Authentication Policy Goals 261
  • Accept Only Allowed Protocols 261
  • Route to the Correct Identity Store 261
  • Validate the Identity 261
  • Pass the Request to the Authorization Policy 262
  • Understanding Authentication Policies 262
  • Conditions 263
  • Allowed Protocols 266
  • Authentication Protocol Primer 268
  • Identity Store 271
  • Options 272
  • Common Authentication Policy Examples 272
  • Using the Wireless SSID 272
  • Remote-Access VPN 277
  • Alternative ID Stores Based on EAP Type 278
  • Authorization Policies 280
  • Goals of Authorization Policies 280
  • Understanding Authorization Policies 280
  • Role-Specific Authorization Rules 286
  • Authorization Policy Example 286
  • Employee and Corporate Machine Full-Access Rule 286
  • Internet Only for Mobile Devices 288
  • Employee Limited Access Rule 292
  • Saving Attributes for Reuse 295
  • Summary 297

Chapter 14 Guest Lifecycle Management 299
  • Overview of ISE Guest Services 301
  • Hotspot Guest Portal Configuration 302
  • Sponsored Guest Portal Configuration 304
  • Create an Active Directory Identity Store 304
  • Create ISE Guest Types 305
  • Create Guest Sponsor Groups 307
  • Authentication and Authorization Guest Policies 310
  • Guest Pre-Authentication Authorization Policy 310
  • Guest Post-Authentication Authorization Policy 312
  • Guest Sponsor Portal Configuration 313
  • Guest Portal Interface and IP Configuration 313
  • Sponsor and Guest Portal Customization 313
  • Sponsor Portal Behavior and Flow Settings 313
  • Sponsor Portal Page Customization 315
  • Guest Portal Behavior and Flow Settings 316
  • Guest Portal Page Customization 317
  • Creating Multiple Guest Portals 318
  • Guest Sponsor Portal Usage 318
  • Sponsor Portal Layout 319
  • Creating Guest Accounts 320
  • Managing Guest Accounts 320
  • Configuration of Network Devices for Guest CWA 321
  • Wired Switches 321
  • Wireless LAN Controllers 322
  • Summary 325

Chapter 15 Client Posture Assessment 327
  • ISE Posture Assessment Flow 329
  • Configure Global Posture and Client Provisioning Settings 331
  • Posture Client Provisioning Global Setup 331
  • Posture Global Setup 335
  • Posture General Settings 335
  • Posture Reassessments 336
  • Posture Updates 337
  • Acceptable Use Policy Enforcement 338
  • Configure the AnyConnect and NAC Client Provisioning Rules 339
  • AnyConnect Agent with ISE Compliance Module 339
  • AnyConnect Posture Profile Creation 340
  • AnyConnect Configuration File Creation 341
  • AnyConnect Client Provisioning Policy 343
  • Configure the Client Provisioning Portal 343
  • Configure Posture Elements 345
  • Configure Posture Conditions 345
  • Configure Posture Remediations 349
  • Configure Posture Requirements 353
  • Configure Posture Policy 355
  • Configure Host Application Visibility and Context Collection (Optional) 357
  • Enable Posture Client Provisioning and Assessment in Your ISE Authorization Policies 359
  • Posture Client Provisioning 359
  • Authorization Based On Posture Compliance 360
  • Posture Reports and Troubleshooting 361
  • Enable Posture Assessment in the Network 362
  • Summary 363

Chapter 16 Supplicant Configuration 365
  • Comparison of Popular Supplicants 366
  • Configuring Common Supplicants 367
  • Mac OS X 10.8.2 Native Supplicant Configuration 367
  • Windows GPO Configuration for Wired Supplicant 369
  • Windows 7, 8/8.1, and 10 Native Supplicant Configuration 373
  • Cisco AnyConnect Secure Mobility Client NAM 377
  • Summary 382

Chapter 17 BYOD: Self-Service Onboarding and Registration 383
  • BYOD Challenges 384
  • Onboarding Process 386
  • BYOD Onboarding 386
  • Dual SSID 387
  • Single SSID 387
  • Configuring NADs for Onboarding 388
  • ISE Configuration for Onboarding 392
  • End-User Experience 393
  • Configuring ISE for Onboarding 408
  • BYOD Onboarding Process Detailed 423
  • MDM Onboarding 429
  • Integration Points 430
  • Configuring MDM Integration 431
  • Configuring MDM Onboarding Policies 433
  • The Opposite of BYOD: Identify Corporate Systems 435
  • EAP Chaining 436
  • Summary 437

Chapter 18 Setting Up and Maintaining a Distributed ISE Deployment 439
  • Configuring ISE Nodes in a Distributed Environment 439
  • Make the Policy Administration Node a Primary Device 440
  • Register an ISE Node to the Deployment 442
  • Ensure the Persona of All Nodes Is Accurate 445
  • Understanding the HA Options Available 446
  • Primary and Secondary Nodes 446
  • Monitoring & Troubleshooting Nodes 446
  • Policy Administration Nodes 448
  • Policy Service Nodes and Node Groups 450
  • Create a Node Group 451
  • Add the Policy Service Nodes to the Node Group 452
  • Using Load Balancers 453
  • General Guidelines 454
  • Failure Scenarios 455
  • Anycast HA for ISE PSNs 456
  • Cisco IOS Load Balancing 459
  • Maintaining ISE Deployments 460
  • Patching ISE 460
  • Backup and Restore 462
  • Summary 463

Chapter 19 Remote Access VPN and Cisco ISE 465
  • Introduction to VPNs 465
  • Client-Based Remote Access VPN 468
  • Configuring a Client-Based RA-VPN on the Cisco ASA 469
  • Download the Latest AnyConnect Headend Packages 470
  • Prepare the Headend 471
  • Add an AnyConnect Connection Profile 473
  • Add the ISE PSNs to the AAA Server Group 478
  • Add a Client Address Pool 481
  • Perform Network Reachability Tasks 484
  • Configure ISE for the ASA VPN 487
  • Testing the Configuration 488
  • Perform a Basic AAA Test 488
  • Log In to the ASA Web Portal 490
  • Connect to the VPN via AnyConnect 492
  • Remote Access VPN and Posture 494
  • RA-VPN with Posture Flows 495
  • Adding the Access Control Lists to ISE and the ASA 496
  • Adding Posture Policies to the VPN Policy Set 499
  • Watching It Work 501
  • Extending the ASA Remote Access VPN Capabilities 507
  • Double Authentication 507
  • Certificate-Based Authentication 509
  • Provisioning Certificates 509
  • Authenticating the VPN with Certificates 515
  • Connecting to the VPN via CertProfile 518
  • Summary 519

Chapter 20 Deployment Phases 521
  • Why Use a Phased Approach? 521
  • A Phased Approach 523
  • Authentication Open Versus Standard 802.1X 524
  • Monitor Mode 526
  • Prepare ISE for a Staged Deployment 527
  • Create the Network Device Groups 528
  • Create the Policy Sets 529
  • Low-Impact Mode 530
  • Closed Mode 532
  • Transitioning from Monitor Mode to Your End State 534
  • Wireless Networks 535
  • Summary 535

Part V Advanced Secure Access Features

Chapter 21 Advanced Profiling Configuration 537
  • Profiler Work Center 537
  • Creating Custom Profiles for Unknown Endpoints 538
  • Identifying Unique Values for an Unknown Device 539
  • Collecting Information for Custom Profiles 541
  • Creating Custom Profiler Conditions 542
  • Creating Custom Profiler Policies 543
  • Advanced NetFlow Probe Configuration 544
  • Commonly Used NetFlow Attributes 546
  • Example Profiler Policy Using NetFlow 546
  • Designing for Efficient Collection of NetFlow Data 547
  • Configuration of NetFlow on Cisco Devices 548
  • Profiler CoA and Exceptions 550
  • Types of CoA 551
  • Creating Exceptions Actions 552
  • Configuring CoA and Exceptions in Profiler Policies 552
  • Profiler Monitoring and Reporting 553
  • Summary 556

Chapter 22 Cisco TrustSec AKA Security Group Access 557
  • Ingress Access Control Challenges 558
  • VLAN Assignment 558
  • Ingress Access Control Lists 560
  • What Is TrustSec? 562
  • So, What Is a Security Group Tag? 562
  • Defining the SGTs 564
  • Classification 565
  • Dynamically Assigning an SGT via 802.1X 566
  • Manually Assigning an SGT at the Port 567
  • Manually Binding IP Addresses to SGTs 568
  • Access Layer Devices That Do Not Support SGTs 569
  • Transport: SGT eXchange Protocol (SXP) 569
  • SXP Design 570
  • Configuring SXP on IOS Devices 572
  • Configur



Product Details
  • ISBN-13: 9781587144738
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Height: 23 mm
  • No of Pages: 912
  • Spine Width: 4 mm
  • Width: 19 mm
  • ISBN-10: 1587144735
  • Publisher Date: 17 Aug 2017
  • Binding: Paperback
  • Language: English
  • Returnable: Y
  • Weight: 1500 gr

