Cisco Unified Access Roadshow One Policy · Access Control Turnkey BYOD Solution 1st System-wide Solution Deep network integration System-wide Policy Control from One Screen Award

© 2012 Cisco and/or its affiliates. All rights reserved.

Page 1:

Cisco Unified Access Roadshow: One Policy, March 2013

Manfred Brabec

Consulting Systems Engineer

Page 2:

Policy Access Control: Challenges and Architecture

UA with Cisco ISE

Cisco Access Devices and Identity

Security Group Access and TrustSec

UA for BYOD

Page 3:

End-User Behaviors

• Over 15 billion devices by 2015, with the average worker having 3 devices

• New workspace: anywhere, anytime

• 71% of Gen Y workforce do not obey policies

• 60% will download sensitive data on a personal device

IT Trends

• Must control the multiple devices and guests

• Security: Top concern for BYOD

• Mobile malware has doubled (from 2010 to 2011)

• IT consumed with network fragmentation

Reduce Security Risk

Improve End-User Productivity

Increase Operation Efficiency

Page 4:

BYOD: Improved productivity, lower cost, added security

Consistent Network-wide Policy Control: Differentiated access control

Secure Access Control – Connecting Things: Device visibility (profiling), posture, contextual control, AAA

Challenge: Identifying what is on the network. Device fingerprinting (identifying “things”), posture analysis.

Challenge: Ensure consistent end-to-end (E2E) policy that is topology independent. Cisco TrustSec and policy management.

Challenge: Support BYOD without increasing IT operational cost. Zero-touch portal automates device registration, application containerization, device posture.

Verticals shown: Technology, Utility, Energy, Healthcare, Higher Ed, Secondary Ed

Page 5:

Policy Management Solution

Unified Network Access Control

Turnkey BYOD Solution

1st System-wide Solution: Deep network integration

System-wide Policy Control from One Screen

Award Winning Product: ’12 Cisco Pioneer Award

Over 400 Trained and Trusted ATP Partners

Over 1,000 Wins—Year 1

Gartner 2013 NAC MQ

Page 6:

Who, What, Where, When, How

Virtual machine client, IP device, guest, employee, and remote user

Cisco® ISE

Wired Wireless VPN

Business-Relevant Policies

Replaces AAA and RADIUS, NAC, guest management, and device identity servers

Security Policy Attributes

Identity Context

Page 7:

Authentication Services: I Only Want to Allow the “Right” Users and Devices on My Network

Authorization Services: I Want Users and Devices to Receive Appropriate Network Services

Guest Lifecycle Management: I Want to Allow Guests into the Network and Control Their Behavior

Profiling and BYOD Services: I Need to Allow/Deny iPads in My Network (BYOD)

Posture Services: I Want to Ensure That Devices on My Network Are Clean

TrustSec SGA: I Need a Scalable Way of Enforcing Access Policy Across the Network

One Network

One Policy

One Management

Page 8:

Slide 7

JB28: Add Cisco Prime to the left with ISE to highlight One Policy tying in to One Management. Also do the same to add links from One Policy to One network.

Jay Bhansali; 22.08.2012

Page 9:

Page 10:

More Productivity

Trusted Wi-Fi

Onboarding

Authenticate user

Fingerprint device

Apply corporate configuration

Enterprise applications

Automatic policies

Secure and customizable captive portal

Self-registration for any device

Remediate actions

Page 11:

Get users on the net in minutes, not hours

Simple self-service portal for any user to get quickly on the net without help or hassle

Reduce burden on IT and help desk staff

Reliable automation reduces user problems to near zero so…

Immediate secure access

Rigorous identity and access policy enforcement

Page 12:

ISE: Device Access Control

• Device Profiling

• BYOD On-boarding

• Device Access Control

MDM: Mobile Device Security Control

• Device Compliance

• Mobile Application Management

• Securing Data at Rest

The New Way

MDM cannot ‘see’ non-registered devices to enforce device security – but the network can!

Best Practice Today

MDM: Mobile Device Management

• Forces on-boarding to MDM with personal devices used for work

• Register but restrict access for personal devices not managed by MDM

• Quarantine non-compliant devices based on MDM policy

Page 13:

• MDM device registration via ISE
  o Non-registered clients redirected to MDM registration page

• Restricted access
  o Non-compliant clients will be given restricted access based on policy

• Endpoint MDM agent
  o Compliance
  o Device application control

• Device Action from ISE
  o Device stolen -> wipe data on client

Page 14:

• User connects to Secure SSID

• PEAP: Username/Password

• Redirected to Provisioning Portal

• User registers device, downloads certificate, downloads supplicant config

• User reconnects using EAP-TLS

Figure: Personal Asset -> Access Point (SSID: BYOD-Secure) -> Wireless LAN Controller -> ISE -> AD/LDAP

Page 15:

• User connects to Open SSID

• Redirected to WebAuth portal

• User enters employee or guest credentials

• Guest signs AUP and gets Guest access

• Employee registers device, downloads certificate, downloads supplicant config

• Employee reconnects using EAP-TLS

Figure: Personal Asset -> Access Point (SSIDs: BYOD-Open, BYOD-Secure) -> Wireless LAN Controller -> ISE -> AD/LDAP
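The two onboarding flows on the last two slides (Secure SSID with PEAP, Open SSID with WebAuth, then a reconnect with EAP-TLS once the device holds its certificate) as an added simulation of the authorization outcomes; this is example code written for this page, not Cisco ISE code, and the directory contents, MAC addresses, result names and the certificate CN format are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for the AD/LDAP store: user -> (password, group).
DIRECTORY = {"brice": ("cfo-pass", "Employee"), "sarah": ("visitor", "Guest")}


@dataclass
class Session:
    ssid: str                      # "BYOD-Secure" or "BYOD-Open" (slide labels)
    method: str                    # "PEAP", "WebAuth" or "EAP-TLS"
    mac: str                       # endpoint MAC as seen by the WLC
    user: Optional[str] = None     # credentials presented on PEAP / WebAuth
    password: Optional[str] = None
    cert_cn: Optional[str] = None  # client certificate subject CN (EAP-TLS)
    aup_accepted: bool = False     # guest signed the AUP on the portal


@dataclass
class Ise:
    registered: dict = field(default_factory=dict)    # mac -> owning user
    issued_certs: dict = field(default_factory=dict)  # cert CN -> mac

    def _group_of(self, s: Session) -> Optional[str]:
        entry = DIRECTORY.get(s.user or "")
        if entry is None or entry[0] != s.password:
            return None
        return entry[1]

    def register_device(self, user: str, mac: str) -> str:
        """Provisioning portal: record the device and issue a certificate
        bound to user and MAC (the CN format is an assumption)."""
        self.registered[mac] = user
        cn = f"{user}/{mac}"
        self.issued_certs[cn] = mac
        return cn

    def authorize(self, s: Session) -> str:
        # EAP-TLS: the issued certificate, not a password, proves the device.
        if s.method == "EAP-TLS":
            if self.issued_certs.get(s.cert_cn) != s.mac:
                return "REJECT"      # certificate was not issued to this endpoint
            return "PERMIT_FULL" if s.mac in self.registered else "REJECT"
        if s.ssid == "BYOD-Secure":  # slide: Secure SSID, PEAP username/password
            if s.method != "PEAP" or self._group_of(s) != "Employee":
                return "REJECT"
            return "REDIRECT_PROVISIONING"  # a password alone never gets full access
        if s.ssid == "BYOD-Open":    # slide: Open SSID, WebAuth portal
            if s.user is None:
                return "REDIRECT_WEBAUTH"
            group = self._group_of(s)
            if group == "Guest":
                return "PERMIT_GUEST" if s.aup_accepted else "REDIRECT_AUP"
            if group == "Employee":
                return "REDIRECT_PROVISIONING"
        return "REJECT"


def secure_ssid_flow(ise: Ise, mac: str = "aa:bb:cc:00:00:01") -> List[str]:
    """Steps of the Secure-SSID slide plus one negative check, as outcomes."""
    out = [ise.authorize(Session("BYOD-Secure", "PEAP", mac, "brice", "cfo-pass"))]
    cn = ise.register_device("brice", mac)             # portal: register + cert
    out.append(ise.authorize(Session("BYOD-Secure", "EAP-TLS", mac, cert_cn=cn)))
    # The same certificate presented from another MAC is rejected: it is bound
    # to the registered endpoint, so the password step cannot be skipped.
    other = "aa:bb:cc:00:00:99"
    out.append(ise.authorize(Session("BYOD-Secure", "EAP-TLS", other, cert_cn=cn)))
    return out


def open_ssid_flow(ise: Ise) -> List[str]:
    """Guest path and employee path of the Open-SSID slide, as outcomes."""
    g, e = "dd:ee:ff:00:00:02", "dd:ee:ff:00:00:03"
    out = [ise.authorize(Session("BYOD-Open", "WebAuth", g))]   # no credentials
    out.append(ise.authorize(Session("BYOD-Open", "WebAuth", g, "sarah", "visitor")))
    out.append(ise.authorize(
        Session("BYOD-Open", "WebAuth", g, "sarah", "visitor", aup_accepted=True)))
    out.append(ise.authorize(Session("BYOD-Open", "WebAuth", e, "brice", "cfo-pass")))
    cn = ise.register_device("brice", e)
    out.append(ise.authorize(Session("BYOD-Secure", "EAP-TLS", e, cert_cn=cn)))
    return out
```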

Page 16:

Figure: solution components

Cisco Prime™ and Cisco® ISE

Third-Party MDM Appliance (MDM Manager)

Cisco WLAN Controller

Cisco ASA Firewall and IPS

Cisco CSM and ASDM

Cisco Web Security

Wired Network Devices: Cisco Catalyst® Switches

Cisco AnyConnect® clients for Office Wired Access, Office Wireless Access and Remote Access

Page 17:

Page 18:

Page 19:

Cisco Innovation

Authentication Features

Figure: Cisco Catalyst Switch (Network Device) authenticating IP Phones, Authorized Users, Guests and Tablets via 802.1X, MAB and WebAuth

Identity Differentiators

Monitor Mode

• Unobstructed access

• No impact on productivity

• Gain visibility

Flexible Authentication Sequence

• Enables single configuration for most use cases

• Flexible fallback mechanism and policies

Rich and Robust 802.1X

IP Telephony Support for Virtual Desktop Environments

• Single host mode

• Multihost mode

• Multiauth mode

• Multidomain authentication

Critical Data/Voice Authentication

• Business continuity in case of failure

Page 20:

Cisco Innovation

DEVICE PROFILING: For wired and wireless networks

Deployment Scenario With Cisco Device Sensors

COLLECTION: Switch collects device related data (CDP, LLDP, DHCP, MAC) and sends a report to ISE

CLASSIFICATION: ISE classifies the device, collects flow information and provides a device usage report

AUTHORIZATION: ISE executes policy based on user and device

Figure: A Printer and a Personal iPad connect through the Access Point and switch; the sensor data (CDP, LLDP, DHCP, MAC) is reported to ISE, which returns Printer Policy [place on VLAN X] and Personal iPad Policy [restricted access]

Supported Platforms:

• IOS 15.0(1)SE1 for Cat 3K

• IOS 15.1(1)SG for Cat 4K

• WLC 7.2 MR1 - DHCP data only

• ISE 1.1.1

Efficient Device Classification

Leveraging Infrastructure

The Solution
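An added illustration of the collection-then-classification step on this slide: a weighted rule set run over sensor reports for the printer and the personal iPad, where no profile is assigned until enough independent attributes agree. This is example code for this page, not the ISE profiler; the report fields, OUI entries, rule weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SensorReport:
    """One Device Sensor report from a switch: the CDP/LLDP/DHCP/MAC data the
    slide names. Attribute names and sample values are constructed."""
    mac: str
    dhcp_class_id: str = ""   # DHCP option 60, vendor class identifier
    dhcp_hostname: str = ""   # DHCP option 12
    cdp_platform: str = ""    # CDP platform TLV
    lldp_sysdesc: str = ""    # LLDP system description TLV


# Tiny constructed OUI table (first three octets -> vendor).
OUI = {"00:1b:63": "Apple", "3c:d9:2b": "HP"}


@dataclass
class ProfileRule:
    name: str
    policy: str                        # authorization result named on the slide
    conditions: List[Tuple[str, str]]  # (attribute, substring to match)
    weight: int                        # points per matched condition
    min_score: int                     # certainty needed to assign the profile


RULES = [
    ProfileRule("Personal iPad", "Personal iPad Policy [restricted access]",
                [("vendor", "Apple"), ("dhcp_hostname", "iPad"),
                 ("dhcp_class_id", "iPad")], 10, 20),
    ProfileRule("Printer", "Printer Policy [place on VLAN X]",
                [("vendor", "HP"), ("dhcp_class_id", "JetDirect"),
                 ("lldp_sysdesc", "LaserJet")], 10, 20),
]


def attributes(r: SensorReport) -> dict:
    """Normalise the report into the attribute set the rules look at."""
    return {
        "vendor": OUI.get(r.mac.lower()[:8], ""),
        "dhcp_class_id": r.dhcp_class_id,
        "dhcp_hostname": r.dhcp_hostname,
        "cdp_platform": r.cdp_platform,
        "lldp_sysdesc": r.lldp_sysdesc,
    }


def classify(r: SensorReport) -> Tuple[str, Optional[str], int]:
    """Return (profile name, policy, score). The highest-scoring rule wins,
    but only if it reaches its minimum certainty; otherwise the device stays
    Unknown with no policy (assumption: unprofiled is treated as unregistered)."""
    attrs = attributes(r)
    best_rule, best_score, top = None, 0, 0
    for rule in RULES:
        score = sum(rule.weight for attr, needle in rule.conditions
                    if needle.lower() in attrs[attr].lower())
        top = max(top, score)
        if score >= rule.min_score and score > best_score:
            best_rule, best_score = rule, score
    if best_rule is None:
        return ("Unknown", None, top)
    return (best_rule.name, best_rule.policy, best_score)


def slide_devices() -> dict:
    """The printer and the personal iPad from the slide, plus a device that only
    shares Apple's MAC prefix: a single attribute is not enough certainty."""
    ipad = SensorReport("00:1b:63:aa:bb:cc", dhcp_hostname="Brices-iPad")
    printer = SensorReport("3c:d9:2b:11:22:33",
                           dhcp_class_id="Hewlett-Packard JetDirect",
                           lldp_sysdesc="HP LaserJet 4250")
    mac_only = SensorReport("00:1b:63:de:ad:00")
    return {name: classify(r) for name, r in
            [("ipad", ipad), ("printer", printer), ("mac_only", mac_only)]}
```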

Page 21:

Near-zero IT and help desk burden

• Employee hosted

• Full guest lifecycle

Accommodate and control

• Limited to Internet

• Time sensitive

Streamlined system

• Integrated into the all-in-one enterprise policy control—Cisco® ISE console

Page 22:

Page 23:

Distributed Enforcement Throughout Network

Figure: The network performs context classification and assigns a Security Group Tag; the tag is enforced at the Switch, Router, DC Firewall and DC Switch

Page 24:

ACL Architecture: Hard to Maintain, 100s–1000s of ACEs

VLAN Architecture: Scaling Concerns, Highly topology dependent

802.1X

Page 25:

User and Device Role -> Ingress Tag, with the SGA TAG policy conditions that assign it:

• Unregistered Device (Unregist_Dev_SGT): Public SSID

• Employee (Employee_SGT): Corporate SSID, member of group “Employee”, certificate matches endpoint

• Management (Management_SGT): Corporate SSID, member of group Employee and Manager, certificate matches endpoint

• Credit Card Scanners (CC_Scanner_SGT): Credit_Card SSID, member of group “Credit_Scanners”, profiled as “iphone”

Figure: Cisco ISE classifies Employee, Manager and Finance users by who, what, where, when and how

Page 26:

Employee TAG

Manager TAG

Credit Card Scanner TAG

Page 27:

Security Group Based Access Control

• ISE maps tags (SGT) with user identity

• ISE Authorization policy pushes SGT to ingress NAD ( switch/WLC)

• ISE Authorization policy pushes ACL (SGACL) to egress NAD (Catalyst or Nexus)

Figure: A Manager on a registered device is tagged SGT = 100 at ingress; the egress NAD applies the SGACL pushed by Cisco ISE:

SRC \ DST     | Time Card (SGT=4) | Credit Card Scanner (SGT=10)
Manager (100) | Access            | No Access

Page 28:

Page 29:

Manager TAG Credit Card Scanner TAG

Page 30:

Slide 30

JB32: Follow up with slide on switches. Jay Bhansali; 31.08.2012

Page 31:

Cisco Innovation

Security Group Access Protocol

• For transport through a non SGT core

Figure: The Manager’s registered device (10.1.100.3) is tagged SGT = 100 at ingress; SXP carries the IP-to-SGT binding across the non-SGT core to the egress NAD, which applies the SGACL pushed by Cisco ISE:

SRC \ DST     | Time Card (SGT=4) | Credit Card Scanner (SGT=10)
Manager (100) | Access            | No Access

SXP binding table:

IP Address | SGT
10.1.100.3 | 100
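An added walk-through of the three slides above (ingress classification into an SGT, the SXP IP-to-SGT binding for 10.1.100.3, and the egress SGACL lookup), written as example code for this page rather than taken from Cisco ISE or TrustSec; the SGT values for the unregistered and employee tags, the server addresses, the unknown-tag value and the default-deny for cells the slide does not show are assumptions.

```python
from dataclasses import dataclass, field

# Tag names and the three SGT values shown on the slides (Manager = 100,
# Time Card = 4, Credit Card Scanner = 10); the other two values are constructed.
SGT_VALUE = {"Unregist_Dev_SGT": 2, "Employee_SGT": 5, "Management_SGT": 100,
             "Time_Card_SGT": 4, "CC_Scanner_SGT": 10}
UNKNOWN_SGT = 0  # assumption: traffic with no binding carries the unknown tag


@dataclass(frozen=True)
class Endpoint:
    ssid: str              # "Corporate", "Public" or "Credit_Card" (slide labels)
    groups: frozenset      # directory group membership
    cert_matches: bool     # the issued certificate matches this endpoint
    profile: str = ""      # ISE profiler result, e.g. "iphone"


def ingress_tag(ep: Endpoint) -> str:
    """Ingress classification from the 'SGA TAG Policy' slide. First match
    wins, so the most specific rule is checked first and a Manager is not
    tagged as a plain Employee."""
    corp_cert = ep.ssid == "Corporate" and ep.cert_matches
    if corp_cert and {"Employee", "Manager"} <= ep.groups:
        return "Management_SGT"
    if corp_cert and "Employee" in ep.groups:
        return "Employee_SGT"
    if (ep.ssid == "Credit_Card" and "Credit_Scanners" in ep.groups
            and ep.profile == "iphone"):
        return "CC_Scanner_SGT"
    return "Unregist_Dev_SGT"  # Public SSID, or no rule matched


@dataclass
class SxpTable:
    """IP-to-SGT bindings as exchanged over SXP when the core cannot carry the
    tag inline; the egress NAD consults it to recover the source SGT."""
    bindings: dict = field(default_factory=dict)

    def learn(self, ip: str, sgt: int) -> None:
        self.bindings[ip] = sgt

    def sgt_for(self, ip: str) -> int:
        return self.bindings.get(ip, UNKNOWN_SGT)


# SGACL matrix from the slide: source SGT -> destination SGT -> decision.
# Cells the slide does not show are denied (assumption: default deny).
SGACL = {100: {4: "permit", 10: "deny"}}

# Constructed server addresses standing in for the two destinations.
SERVER_SGT = {"10.1.4.20": 4, "10.1.10.7": 10}


def egress_decision(sxp: SxpTable, src_ip: str, dst_ip: str) -> str:
    src_sgt = sxp.sgt_for(src_ip)
    dst_sgt = SERVER_SGT.get(dst_ip, UNKNOWN_SGT)
    return SGACL.get(src_sgt, {}).get(dst_sgt, "deny")


def slide_scenario() -> dict:
    """The Manager on 10.1.100.3 from the slide: classify, propagate, enforce."""
    manager = Endpoint("Corporate", frozenset({"Employee", "Manager"}), True)
    tag = ingress_tag(manager)
    sxp = SxpTable()
    sxp.learn("10.1.100.3", SGT_VALUE[tag])   # ingress switch/WLC advertises it
    return {
        "tag": tag,
        "time_card": egress_decision(sxp, "10.1.100.3", "10.1.4.20"),
        "credit_card": egress_decision(sxp, "10.1.100.3", "10.1.10.7"),
        # Same source once the binding is gone (e.g. SXP peer down): the egress
        # device has no tag to trust and falls back to the default.
        "no_binding": egress_decision(SxpTable(), "10.1.100.3", "10.1.4.20"),
    }
```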

Page 32:

Context attributes: User, Custom, Location, Device Type, Time, Posture, Access Method

Page 33:

Page 34:

Figure: Network with Internet, Campus Cloud (Services 1, Services 2), Data Center and Restricted Data Center; Cisco® ISE pushes policy to each enforcement point.

SGT policy matrix (who, what, how -> permitted destinations):

Who   | What      | How       | Internet | Open Net | ServNet | Data Center | Restrict DC
Exec  | IT Laptop | Wired Net | Permit   | Permit   | Permit  | Permit      | Permit
All   | iPad      | Internal  | Permit   | Permit   | Permit  | Deny        | Deny
Exec  | iPad      | VPN       | Permit   | Permit   | Permit  | Permit      | Deny
Guest | Any       |           | Permit   | Deny     | Deny    | Deny        | Deny

John, IT Administrator: John updates Cisco® ISE for BYOD and guest access policies, which are pushed to the network.

Page 35:

Figure: Brice (CFO) on the wired network; John (IT Administrator); Campus Cloud (Services 1, Services 2), Data Center and Restricted Data Center.

Brice logs onto the wired network on an IT-issued laptop. Cisco® ISE authenticates, identifies context, and applies the wired Exec policy.

Page 36:

Figure: Brice (CFO) connects wirelessly; Cisco ISE checks Device Identity and AAA; onboarding begins.

• Brice connects his new iPad to the WLAN and logs on.

• While Cisco® ISE performs an AAA check of his ID, Cisco ISE Profiler identifies his device.

Page 37:

Figure: Brice (CFO) is redirected to the onboarding portal and registers the iPad.

• Cisco® ISE authenticates Brice, but does not recognize the iPad.

• Cisco ISE redirects Brice to the onboarding portal to register his iPad.

Page 38:

Figure: Cisco ISE pushes the policy for the contextual identity to the wired and wireless network.

• Cisco® ISE forms a contextual identity: Brice + iPad + location.

• Cisco ISE assigns a policy based on the context and grants role-based access.

Onboarding -> Contextual Identity

Page 39:

Figure: Brice (CFO) connects over VPN from a hotel room.

• Brice uses the same iPad from a hotel room. Cisco® ISE recognizes the context change and applies the Exec VPN policy.

Page 40:

Figure: Brice (CFO, Sponsor) and Sarah (Vendor, Guest).

• Brice enters the Cisco® ISE guest hotspot portal and sponsors Sarah for 1-day access.

• Sarah receives a password through text message. She selects Guest WiFi, and Cisco ISE directs her to the guest portal to register and obtain Internet access.

Page 41:

Figure: Scenario summary. John (IT Administrator) manages policy in Cisco ISE (Policy Management); Brice (CFO) has BYOD access over wired, wireless and VPN; Sarah (Vendor) has guest access; the policy spans Internet, Campus Cloud (Services 1, Services 2), Data Center and Restricted Data Center.

Page 42:

Page 43:

BYOD

Access Control

Holistic Solution

• User Self Onboarding

• MDM Vendor Partnerships

• Context: Who/What/How/Where

• Visibility: Profiling

• SGA: Topology independent, Business language

• Enforcement: Router/Switch/Firewall

• Endpoint: Posture, VPN

• Info stores: AD, LDAP, MDM

Page 44:

Comprehensive Wired, Wireless, and VPN Secure Access

• Rigorous Identity Enforcement: Control precisely who & what is allowed

• Extensive Policy Enforcement: Control devices everywhere

• Security Compliance: Maintain & validate compliance

More Productive Workers

• Automated Onboarding: Get quick access with little IT intervention

• Automated Device Security: Secure every device

• Dependable-Anywhere Access: Provide consistent service

Lower Operating Costs

• Operation Efficiency: Save time

• Use Cisco® Infrastructure: Get the most from investments

• Next-Generation Policy Networking: End VLAN, ACL & FW Rule pain

ISE. That’s it.

Page 45:

Slide 47

k1: It seems onboarding is a bigger benefit to IT vs End user. ktrahan; 18.12.2012

Page 46:

• ISE Information: http://www.cisco.com/go/ise

• Cisco TrustSec (SGA and certified solutions): www.cisco.com/go/trustsec

• Application Notes and How-To Guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

• Design Zone—BYOD Reference Design: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/own_device.html#~overview

Page 47:

Page 48:

Page 49:

Features (Control)                                       | Cisco ISE                | Juniper UAC          | Aruba CP             | Forescout
Guest                                                    | Yes                      | Yes                  | Yes                  | Yes
RADIUS                                                   | Yes                      | Yes                  | Yes                  | No, proxy only
TACACS+                                                  | Coming on ISE, ACS today | No                   | Yes                  | No
Posture                                                  | Yes                      | Yes                  | Yes                  | Yes
Integrated Profiling                                     | Yes                      | No                   | Yes                  | Yes
Device Registration                                      | Yes                      | Yes                  | Yes                  | Yes
BYOD Onboarding, Provisioning and self-serve management  | Yes                      | No self-service BYOD | No self-service BYOD | No self-service BYOD
3rd Party Device Support                                 | No                       | No                   | Yes                  | Yes
Integrated IPS/Threat Control                            | No                       | No                   | No                   | Yes

Page 50:

Features (End-Point)        | Cisco ISE | Juniper UAC | Aruba CP | Forescout
Unified Client              | Coming    | Yes         | No       | No
Secure Access (MACSec)      | Yes       | No          | Yes      | No
VPN Secure Access Client    | Yes       | Yes         | Yes      | No
VPN Clientless              | Yes       | Yes         | No       | No
EAP Chaining                | Yes       | No?         | No?      | No

Page 51:

Features (Enforcement)      | Cisco ISE | Juniper UAC | Aruba CP | Forescout
Secure Group Access (SGA)   | Yes       | No          | No       | No
VLANs                       | Yes       | Yes         | Yes      | Yes
dACLs                       | Yes       | Yes         | Yes      | No
Secure Access (MACSec)      | Yes       | No          | Yes      | No
Secure Access Client        | Yes       | Yes         | Yes      | No

Features (NADs)             | Cisco ISE | Juniper UAC | Aruba CP | Forescout
Flexible Authentication     | Yes       | No          | No       | No
Monitor Mode                | Yes       | No          | No       | No
RADIUS CoA and CWA          | Yes       | Yes         | Yes      | No

Page 52: