Cisco Unified Access Roadshow One Policy · Access Control Turnkey BYOD Solution 1st System-wide...
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Unified Access Roadshow: One Policy
March 2013
Manfred Brabec
Consulting Systems Engineer
Policy Access Control: Challenges and Architecture
UA with Cisco ISE
Cisco Access Devices and Identity
Security Group Access and TrustSec
UA for BYOD
End-User Behaviors
• Over 15 billion devices by 2015, with the average worker using 3 devices
• New workspace: anywhere, anytime
• 71% of the Gen Y workforce do not obey policies
• 60% will download sensitive data on a personal device

IT Trends
• Must control the multiple devices and guests
• Security: top concern for BYOD
• Mobile malware has doubled (from 2010 to 2011)
• IT consumed with network fragmentation

Reduce Security Risk
Improve End-User Productivity
Increase Operational Efficiency
BYOD: improved productivity, lower cost, added security
Consistent Network-wide Policy Control: differentiated access control
Secure Access Control, Connecting Things: device visibility (profiling), posture, contextual control, AAA
Challenge: identifying what is on the network. Solution: device fingerprinting (identifying "things"), posture analysis
Challenge: ensure consistent end-to-end policy that is topology independent. Solution: Cisco TrustSec and policy management
Challenge: support BYOD without increasing IT operational cost. Solution: zero-touch portal automates device registration, application containerization, device posture
Verticals: Technology, Utility, Energy, Healthcare, Higher Ed, Secondary Ed
Policy Management Solution
Unified Network Access Control
Turnkey BYOD Solution
1st System-wide Solution: deep network integration
System-wide Policy Control from One Screen
Award Winning Product: 2012 Cisco Pioneer Award
Over 400 Trained and Trusted ATP Partners
Over 1,000 Wins—Year 1
Gartner 2013 NAC MQ
Who What Where When How
Virtual machine client, IP device, guest, employee, and remote user
Cisco® ISE
Wired Wireless VPN
Business-Relevant Policies
Replaces AAA and RADIUS, NAC, guest management, and device identity servers
Security Policy Attributes
Identity Context
Authentication Services: I only want to allow the "right" users and devices on my network
Authorization Services: I want users and devices to receive appropriate network services
Guest Lifecycle Management: I want to allow guests into the network and control their behavior
Profiling and BYOD Services: I need to allow/deny iPads in my network (BYOD)
Posture Services: I want to ensure that devices on my network are clean
TrustSec SGA: I need a scalable way of enforcing access policy across the network
One Network
One Policy
One Management
More Productivity
Trusted Wi-Fi
Onboarding
Authenticate user
Fingerprint device
Apply corporate configuration
Enterprise applications
Automatic policies
Secure and customizable captive portal
Self-registration for any device
Remediate actions
Get users on the net in minutes, not hours
Simple self-service portal for any user to get quickly on the net without help or hassle
Reduce burden on IT and help desk staff
Reliable automation reduces user problems to near zero so…
Immediate secure access
Rigorous identity and access policy enforcement
ISE: Device Access Control
• Device Profiling
• BYOD On-boarding
• Device Access Control

MDM: Mobile Device Security Control
• Device Compliance
• Mobile Application Management
• Securing Data at Rest

The New Way
MDM cannot 'see' non-registered devices to enforce device security, but the network can!

Best Practice Today (MDM: Mobile Device Management)
• Forces on-boarding to MDM for personal devices used for work
• Register but restrict access for personal devices not managed by MDM
• Quarantine non-compliant devices based on MDM policy
• MDM device registration via ISE
  o Non-registered clients are redirected to the MDM registration page
• Restricted access
  o Non-compliant clients are given restricted access based on policy
• Endpoint MDM agent
  o Compliance
  o Device application control
• Device action from ISE
  o Device stolen -> wipe data on client
BYOD-Secure (single SSID onboarding)
• User connects to the Secure SSID
• PEAP: username/password
• Redirected to the Provisioning Portal
• User registers the device, downloads a certificate, downloads the supplicant configuration
• User reconnects using EAP-TLS
Components: Personal Asset, Access Point, Wireless LAN Controller, ISE, AD/LDAP
BYOD-Open and BYOD-Secure (dual SSID onboarding)
• User connects to the Open SSID
• Redirected to the WebAuth portal
• User enters employee or guest credentials
• Guest signs the AUP and gets guest access
• Employee registers the device, downloads a certificate, downloads the supplicant configuration
• Employee reconnects to the Secure SSID using EAP-TLS
Components: Personal Asset, Access Point, Wireless LAN Controller, ISE, AD/LDAP
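Both flows above come down to the same authorization decisions, so here is a worked model of them as an added example (it is not Cisco code and not how ISE is implemented internally): a first-match rule table over RADIUS-style attributes, an endpoint registry that the provisioning portal fills in, and the reconnect with EAP-TLS. The "certificate matches endpoint" condition is modelled the way it is usually written in ISE, certificate SAN equals RADIUS Calling-Station-Id. The SSID names follow the slides; the profile names, the portal URL, the MAC addresses and the Request/Result shapes are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One connection attempt as the WLC presents it to ISE (RADIUS-style)."""
    ssid: str
    eap: str              # "PEAP", "EAP-TLS", or "WEBAUTH" on the open SSID
    user: str
    groups: frozenset     # AD/LDAP groups ISE resolved for the user
    mac: str              # Calling-Station-Id
    cert_san: str = ""    # client certificate SAN (EAP-TLS only)


@dataclass(frozen=True)
class Result:
    profile: str            # authorization profile (names are assumptions)
    redirect_url: str = ""  # non-empty: URL-redirect the client to a portal


PORTAL = "https://ise.example.com/byod"   # assumed provisioning portal URL

# Endpoint registry the provisioning portal fills in: MAC -> owning user.
# Constructed in-memory stand-in for the ISE endpoint database.
REGISTERED = {}


def cert_matches_endpoint(req):
    """'Certificate matches endpoint': the SAN must equal the MAC the client
    is actually using, so a certificate copied to another device fails."""
    return req.eap == "EAP-TLS" and req.cert_san.lower() == req.mac.lower()


def authorize(req):
    """First-match evaluation, top to bottom, like an ISE authorization policy."""
    employee = "Employee" in req.groups
    guest = "Guest" in req.groups
    if req.ssid == "BYOD-Open" and req.eap == "WEBAUTH" and guest:
        return Result("Guest_Internet_Only")            # AUP accepted, Internet only
    if req.ssid == "BYOD-Open" and req.eap == "WEBAUTH" and employee:
        return Result("Onboarding_Redirect", PORTAL)     # register, get cert + config
    if req.ssid == "BYOD-Secure" and employee:
        if cert_matches_endpoint(req) and REGISTERED.get(req.mac.lower()) == req.user:
            return Result("Employee_Full_Access")
        if req.eap == "PEAP" and req.mac.lower() not in REGISTERED:
            return Result("Onboarding_Redirect", PORTAL)
    return Result("Deny_Access")                         # default rule


def register_device(user, mac):
    """Portal step: record the endpoint and issue a cert whose SAN is the MAC
    (the supplicant config is pushed at the same time). Returns the SAN.
    In the real flow a RADIUS CoA then forces the reconnect."""
    REGISTERED[mac.lower()] = user
    return mac.lower()


def single_ssid_flow(user="alice", mac="00:11:22:33:44:55"):
    """BYOD-Secure only: PEAP first, redirect, register, reconnect with EAP-TLS."""
    groups = frozenset({"Employee"})
    first = authorize(Request("BYOD-Secure", "PEAP", user, groups, mac))
    san = register_device(user, mac)
    second = authorize(Request("BYOD-Secure", "EAP-TLS", user, groups, mac, san))
    return first, second


def dual_ssid_flow(user="bob", mac="66:77:88:99:aa:bb"):
    """BYOD-Open for web auth and onboarding, then BYOD-Secure with EAP-TLS."""
    employee = frozenset({"Employee"})
    guest = authorize(Request("BYOD-Open", "WEBAUTH", "visitor",
                              frozenset({"Guest"}), "de:ad:be:ef:00:01"))
    first = authorize(Request("BYOD-Open", "WEBAUTH", user, employee, mac))
    san = register_device(user, mac)
    second = authorize(Request("BYOD-Secure", "EAP-TLS", user, employee, mac, san))
    return guest, first, second


def copied_certificate(user="carol", victim_mac="00:aa:bb:cc:dd:ee",
                       other_mac="ca:fe:00:00:00:01"):
    """A certificate issued to one device, presented from another MAC:
    the SAN no longer matches the endpoint, so the default rule denies."""
    register_device(user, victim_mac)
    return authorize(Request("BYOD-Secure", "EAP-TLS", user,
                             frozenset({"Employee"}), other_mac, victim_mac))


if __name__ == "__main__":
    print(single_ssid_flow())
    print(dual_ssid_flow())
    print(copied_certificate())
```

Run it directly to see the three flows printed. The detail worth keeping from the last function: the full-access rule needs both the SAN-to-MAC match and a registry entry for the same user, so a certificate lifted from one device and presented from another drops through to the default deny rule; the PEAP rule likewise only fires for MACs that are not yet registered, so an onboarded device cannot downgrade to password-only authentication.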
Solution components
• Cisco Prime and Cisco ISE (management and policy)
• Third-party MDM appliance / MDM manager
• Cisco WLAN Controller
• Cisco ASA Firewall and IPS, managed with Cisco CSM and ASDM
• Cisco Web Security
• Wired network devices: Cisco Catalyst switches
• Cisco AnyConnect on the endpoint for office wired access, office wireless access, and remote access
Cisco Innovation: Authentication Features on the Cisco Catalyst Switch
The network device authenticates IP phones, authorized users, guests, and tablets with 802.1X, MAB, and WebAuth.

Identity Differentiators
Monitor Mode
• Unobstructed access
• No impact on productivity
• Gain visibility
Flexible Authentication Sequence
• Enables a single configuration for most use cases
• Flexible fallback mechanism and policies
Rich and Robust 802.1X
IP Telephony Support for Virtual Desktop Environments
• Single host mode
• Multihost mode
• Multiauth mode
• Multidomain authentication
Critical Data/Voice Authentication
• Business continuity in case of failure
Cisco Innovation: Device Profiling for wired and wireless networks
Deployment scenario with Cisco Device Sensors
• Collection: the switch (or access point and WLC) collects device-related data from CDP, LLDP, DHCP, and the MAC address and sends a report to ISE
• Classification: ISE classifies the device, collects flow information, and provides a device usage report
• Authorization: ISE executes policy based on user and device
Example: a printer matches the Printer Policy [place on VLAN X]; a personal iPad matches the Personal iPad Policy [restricted access]
The solution: efficient device classification leveraging the infrastructure
Supported platforms: IOS 15.0(1)SE1 for Catalyst 3K; IOS 15.1(1)SG for Catalyst 4K; WLC 7.2 MR1 (DHCP data only); ISE 1.1.1
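The collection/classification/authorization split above is easiest to see on a small model. The following is an added example, not Cisco code and not the ISE profiler itself: device-sensor attributes (CDP, LLDP, DHCP and the MAC OUI) are scored against profile policies, each matching condition adds a certainty factor, and the best profile that reaches its minimum certainty decides the authorization. The profile names and certainty values, the OUI subset and the three sensor reports are constructed for illustration; the MSFT 5.0 DHCP class identifier is what Windows clients really send.

```python
import re

# Constructed subset of an OUI table: first three octets -> vendor.
OUI_VENDOR = {"00:1B:A9": "Brother", "F0:DB:E2": "Apple", "00:1A:A0": "Dell"}

# Profile policies: conditions as (attribute, regex, certainty factor) plus the
# minimum certainty the total must reach. Values are assumptions for illustration.
PROFILES = {
    "Printer": {"min": 20, "rules": [
        ("OUI", r"^Brother$", 10),
        ("LLDP-SysDesc", r"(?i)printer", 10),
        ("DHCP-Class", r"(?i)brother", 10),
    ]},
    "Apple-iPad": {"min": 30, "rules": [
        ("OUI", r"^Apple$", 10),
        ("DHCP-Hostname", r"(?i)ipad", 20),
        ("DHCP-Class", r"(?i)^dhcpcd", 5),
    ]},
    "Windows-Workstation": {"min": 20, "rules": [
        ("DHCP-Class", r"^MSFT 5\.0$", 10),
        ("CDP-Platform", r"(?i)windows", 10),
        ("LLDP-SysDesc", r"(?i)windows", 10),
    ]},
}

# Profile -> authorization, following the slide; the Unknown row is an assumption.
AUTHZ = {
    "Printer": "Printer Policy [place on VLAN X]",
    "Apple-iPad": "Personal iPad Policy [restricted access]",
    "Unknown": "Unknown Device [restricted access]",
}


def enrich(report):
    """Derive the OUI vendor from the MAC the sensor reported."""
    attrs = dict(report)
    attrs["OUI"] = OUI_VENDOR.get(attrs.get("MAC", "").upper()[:8], "Unknown")
    return attrs


def score(report):
    """Per profile, sum the certainty factors of the conditions that match."""
    attrs = enrich(report)
    return {
        name: sum(cf for attr, pattern, cf in policy["rules"]
                  if attr in attrs and re.search(pattern, attrs[attr]))
        for name, policy in PROFILES.items()
    }


def classify(report):
    """Best profile that reaches its own minimum certainty. A tie is left
    Unknown rather than guessed, and one weak attribute (OUI alone) is not enough."""
    totals = score(report)
    ranked = sorted(((t, n) for n, t in totals.items() if t >= PROFILES[n]["min"]),
                    reverse=True)
    if not ranked or (len(ranked) > 1 and ranked[0][0] == ranked[1][0]):
        return "Unknown"
    return ranked[0][1]


def authorize(report):
    return AUTHZ.get(classify(report), AUTHZ["Unknown"])


# Constructed device-sensor reports as the switch/WLC would forward them.
PRINTER = {"MAC": "00:1b:a9:12:34:56",
           "LLDP-SysDesc": "Brother HL-L2350DW series printer",
           "DHCP-Class": "Brother Printer"}
IPAD = {"MAC": "f0:db:e2:aa:bb:cc", "DHCP-Hostname": "Brices-iPad",
        "DHCP-Class": "dhcpcd-5.5.6"}
# A laptop whose MAC was changed to a printer OUI: only the OUI condition
# matches, so it stays below the Printer minimum and lands in the restricted default.
SPOOFED = {"MAC": "00:1b:a9:de:ad:01", "DHCP-Class": "MSFT 5.0"}

if __name__ == "__main__":
    for name, report in (("printer", PRINTER), ("ipad", IPAD), ("spoofed", SPOOFED)):
        print(name, classify(report), authorize(report))
```

The third report is the caveat a practitioner wants: a laptop whose MAC was set to a printer OUI matches only the OUI condition, stays below the Printer minimum and is authorized as Unknown into the restricted default instead of being placed on the printer VLAN. Profiling that rests on a single spoofable attribute is no stronger than MAB on the OUI alone; the minimum certainty is what forces corroborating evidence from a second source such as LLDP or DHCP.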
Near-zero IT and help desk burden
• Employee hosted
• Full guest lifecycle
Accommodate and control
• Limited to Internet
• Time sensitive
Streamlined system
• Integrated into the all-in-one enterprise policy control: the Cisco ISE console
Distributed Enforcement Throughout the Network: switch, router, DC firewall, DC switch
Network context is classified into a Security Group Tag (SGT) that travels with the traffic to each enforcement point.
ACL Architecture: hard to maintain, 100s to 1000s of ACEs
VLAN Architecture: scaling concerns, highly topology dependent
802.1X
SGA Tag Policy: the user and device role determines the ingress tag
Condition (who, what, where, when, how)                                                  Ingress Tag
Public SSID                                                                              Unregistered Device (Unregist_Dev_SGT)
Corporate SSID; member of group "Employee"; certificate matches endpoint                 Employee (Employee_SGT)
Corporate SSID; member of groups "Employee" and "Manager"; certificate matches endpoint  Management (Management_SGT)
Credit_Card SSID; member of group "Credit_Scanners"; profiled as "iPhone"                Credit Card Scanners (CC_Scanner_SGT)
Cisco ISE evaluates these conditions for each session (Employee, Manager, Finance users shown in the figure).
[Figure: Employee TAG, Manager TAG, and Credit Card Scanner TAG applied at ingress]
Security Group Based Access Control
• ISE maps tags (SGTs) to user identity
• The ISE authorization policy pushes the SGT to the ingress NAD (switch/WLC)
• The ISE authorization policy pushes the ACL (SGACL) to the egress NAD (Catalyst or Nexus)
Example: a Manager on a registered device is tagged SGT = 100 at ingress; the tag travels with the traffic, and the egress switch in front of the servers enforces the SGACL.
Destinations: Time Card (SGT = 4), Credit Card Scanner (SGT = 10)
SGACL matrix (source \ destination):
  SRC \ DST       Time Card (4)   Credit Card (10)
  Manager (100)   Access          No Access
Cisco Innovation: SXP (SGT Exchange Protocol)
• For transporting IP-to-SGT mappings through a core that is not SGT capable
Example: the Manager on a registered device at 10.1.100.3 is tagged SGT = 100 at ingress. The ingress switch cannot carry the tag inline through the core, so it advertises the binding over SXP; the egress device receives the mapping and applies the same SGACL.
Destinations: Time Card (SGT = 4), Credit Card Scanner (SGT = 10)
SGACL matrix (source \ destination):
  SRC \ DST       Time Card (4)   Credit Card (10)
  Manager (100)   Access          No Access
SXP IP-to-SGT binding:
  IP Address    SGT
  10.1.100.3    100
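A worked model of the two slides above (ingress tagging, SXP through a non-SGT core, SGACL enforcement at egress), added here as an example that is not Cisco code: an SXP listener's IP-to-SGT binding table with longest-prefix lookup, the SGACL matrix keyed by (source SGT, destination SGT), and the egress decision. The tag numbers and the 10.1.100.3 binding follow the slides; the server prefixes, the ACEs inside the Access cell, the Employee tag and the default deny for untagged traffic are assumptions.

```python
import ipaddress

# Tag values from the slides; Employee is an added value for contrast.
ROLE_TO_SGT = {"Manager": 100, "Employee": 5}
TIME_CARD_SGT, CREDIT_CARD_SGT = 4, 10


class SxpBindingTable:
    """IP-prefix -> SGT bindings, as an SXP listener would hold them."""

    def __init__(self):
        self.bindings = {}

    def learn(self, prefix, sgt):
        """Binding received from an SXP speaker (or configured statically)."""
        self.bindings[ipaddress.ip_network(prefix, strict=False)] = sgt

    def forget(self, prefix):
        self.bindings.pop(ipaddress.ip_network(prefix, strict=False), None)

    def lookup(self, ip):
        """Longest-prefix match; 0 means unknown/untagged."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, sgt in self.bindings.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else 0


# SGACL matrix cell -> ordered ACEs: (action, protocol, destination port).
# The slide's cells say Access / No Access; the ACEs below are assumptions.
SGACL = {
    (100, TIME_CARD_SGT):   [("permit", "tcp", 443), ("deny", "ip", None)],
    (100, CREDIT_CARD_SGT): [("deny", "ip", None)],
}
DEFAULT_ACTION = "deny"   # assumed for cells without an SGACL, including untagged


def tag_session(table, role, ip):
    """Ingress: ISE's authorization result assigns the SGT. The ingress switch
    cannot carry it through the non-SGT core, so it speaks the binding via SXP."""
    sgt = ROLE_TO_SGT[role]
    table.learn(ip + "/32", sgt)
    return sgt


def egress_decision(table, src_ip, dst_ip, proto, dst_port):
    """Egress enforcement: resolve both SGTs, walk the ACEs, first match wins."""
    src_sgt, dst_sgt = table.lookup(src_ip), table.lookup(dst_ip)
    for action, p, port in SGACL.get((src_sgt, dst_sgt), []):
        if p in ("ip", proto) and (port is None or port == dst_port):
            return action, src_sgt, dst_sgt
    return DEFAULT_ACTION, src_sgt, dst_sgt


def build_table():
    """Constructed deployment: server segments bound statically on the DC
    switch, the manager's session learned over SXP."""
    table = SxpBindingTable()
    table.learn("10.2.4.0/24", TIME_CARD_SGT)       # Time Card servers (assumed)
    table.learn("10.2.10.0/24", CREDIT_CARD_SGT)    # Credit Card scanners (assumed)
    tag_session(table, "Manager", "10.1.100.3")     # binding from the slide
    return table


def roam(table, old_ip, new_ip, role):
    """Same user on a new subnet: the binding moves, the SGACL does not change."""
    table.forget(old_ip + "/32")
    return tag_session(table, role, new_ip)


if __name__ == "__main__":
    t = build_table()
    print(egress_decision(t, "10.1.100.3", "10.2.4.20", "tcp", 443))
    print(egress_decision(t, "10.1.100.3", "10.2.10.7", "tcp", 443))
    roam(t, "10.1.100.3", "10.7.7.7", "Manager")
    print(egress_decision(t, "10.7.7.7", "10.2.4.20", "tcp", 443))
```

roam() moves the manager to a new subnet and the same SGACL cell still applies without touching an ACE, which is the topology independence the slides claim over IP ACLs and VLANs. Two caveats the model makes visible: a source IP with no binding resolves to SGT 0 and falls to the default action, so the egress device needs a binding for every source it is meant to trust, and the bindings are only as trustworthy as the SXP speaker that advertised them, so SXP peerings belong on password-protected connections between known devices.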
Context attributes: User, Custom, Location, Device Type, Time, Posture, Access Method
[Figure: campus network with Internet, Services 1, Services 2, Campus Cloud, Data Center, and Restricted Data Center; policy is applied at each enforcement point]
Policy matrix by SGT (who, what, how) and destination:
  Who, What, How               Internet   Open Net   ServNet   Data Center   Restrict DC
  Exec, IT Laptop, Wired Net   Permit     Permit     Permit    Permit        Permit
  All, iPad, Internal          Permit     Permit     Permit    Deny          Deny
  Exec, iPad, VPN              Permit     Permit     Permit    Permit        Deny
  Guest, Any                   Permit     Deny       Deny      Deny          Deny
John, IT Administrator, updates Cisco ISE for BYOD and guest access policies, which are pushed to the network.
Wired
• Brice, CFO, logs onto the wired network on an IT-issued laptop. Cisco ISE authenticates, identifies context, and applies the wired policy for the Exec role.
Onboarding
• Brice connects his new iPad to the WLAN and logs on.
• While Cisco ISE performs an AAA check of his ID, the Cisco ISE Profiler identifies his device (device identity).
Onboarding
• Cisco ISE authenticates Brice, but does not recognize the iPad.
• Cisco ISE redirects Brice to the onboarding portal to register his iPad.
Onboarding: Contextual Identity
• Cisco ISE forms a contextual identity: Brice + iPad + location.
• Cisco ISE assigns a policy based on the context and grants role-based access.
VPN
• Brice uses the same iPad from a hotel room. Cisco ISE recognizes the context change and applies the VPN policy for the Exec role.
Sponsor and Guest
• Brice enters the Cisco ISE guest sponsor portal and sponsors Sarah, a vendor, for 1-day access.
• Sarah receives her password through a text message. She selects the Guest WiFi, and Cisco ISE directs her to the guest portal to register and obtain Internet access.
[Figure: the same campus with wired, wireless, VPN, BYOD, and guest access under one policy management: John (IT Administrator), Brice (CFO), and Sarah (Vendor)]
BYOD Access Control: Holistic Solution
• User Self Onboarding
• MDM Vendor Partnerships
• Context: Who/What/How/Where
• Visibility: Profiling
• SGA: Topology independent, Business language
• Enforcement: Router/Switch/Firewall
• Endpoint: Posture, VPN
• Info stores: AD, LDAP, MDM
Comprehensive Wired, Wireless, and VPN Secure Access
• Rigorous identity enforcement: control precisely who and what is allowed
• Extensive policy enforcement: control devices everywhere
• Security compliance: maintain and validate compliance
More Productive Workers
• Automated onboarding: get quick access with little IT intervention
• Automated device security: secure every device
• Dependable anywhere access: provide consistent service
Lower Operating Costs
• Operational efficiency: save time
• Use Cisco infrastructure: get the most from investments
• Next-generation policy networking: end VLAN, ACL, and firewall rule pain
ISE. That's it.
• ISE Information: http://www.cisco.com/go/ise
• Cisco TrustSec (SGA and certified solutions): www.cisco.com/go/trustsec
• Application Notes and How-To Guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
• Design Zone, BYOD Reference Design: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/own_device.html#~overview
Control
  Feature                        Cisco ISE                  Juniper UAC            Aruba CP               Forescout
  Guest                          Yes                        Yes                    Yes                    Yes
  RADIUS                         Yes                        Yes                    Yes                    No (proxy only)
  TACACS+                        Coming on ISE; ACS today   No                     Yes                    No
  Posture                        Yes                        Yes                    Yes                    Yes
  Integrated Profiling           Yes                        No                     Yes                    Yes
  Device Registration            Yes                        Yes                    Yes                    Yes
  BYOD Onboarding (provisioning and self-serve management)
                                 Yes                        No self-service BYOD   No self-service BYOD   No self-service BYOD
  3rd Party Device Support       No                         No                     Yes                    Yes
  Integrated IPS/Threat Control  No                         No                     No                     Yes

End-Point
  Feature                        Cisco ISE   Juniper UAC   Aruba CP   Forescout
  Unified Client                 Coming      Yes           No         No
  Secure Access (MACsec)         Yes         No            Yes        No
  VPN Secure Access Client       Yes         Yes           Yes        No
  VPN Clientless                 Yes         Yes           No         No
  EAP Chaining                   Yes         No?           No?        No

Enforcement
  Feature                        Cisco ISE   Juniper UAC   Aruba CP   Forescout
  Security Group Access (SGA)    Yes         No            No         No
  VLANs                          Yes         Yes           Yes        Yes
  dACLs                          Yes         Yes           Yes        No
  Secure Access (MACsec)         Yes         No            Yes        No
  Secure Access Client           Yes         Yes           Yes        No

NADs
  Feature                        Cisco ISE   Juniper UAC   Aruba CP   Forescout
  Flexible Authentication        Yes         No            No         No
  Monitor Mode                   Yes         No            No         No
  RADIUS CoA and CWA             Yes         Yes           Yes        No