Tech update – security 30 / 5 -2017

Transcript of the slide deck (81 pages).

Page 1: Tech update – security 30 / 5 -2017

Page 2: ISE 2.2 + 2.3 update

Page 3: Agenda

Context Visibility Enhancements

PassiveID Enhancements
• WMI
• Agent
• SPAN
• Syslog
• TS Agent

ISE-PIC
• Installation
• Licensing and Upgrade
• Integration Status
• Deployment

PxGrid Enhancements

All about Wizards – ISE the easy way
• Visibility
• Secure access wizard / Wireless wizard
• PassiveID

Posture

TC-NAC

Tips and Tricks – nice to know

What’s new in ISE 2.3?

Roadmap

Page 4: Cisco ISE – role based access control

ACCESS POLICY: WHO | WHAT | HOW | WHEN | WHERE | HEALTH | THREATS

CISCO ISE
• Cisco ISE: context aware policy service, to control access and threats across wired, wireless and VPN networks.
• Cisco AnyConnect: supplicant for wired, wireless and VPN access. Services include: posture assessment, malware protection, web security, MAC Security, network visibility and more.
• Partner Eco System (pxGrid & APIs, CVSS): SIEM, MDM, NBA, IPS, IPAM, etc.

WIRED | WIRELESS | VPN
Role-based Access Control | Guest Access | BYOD | Secure Access
FOR ENDPOINTS | FOR NETWORK

Page 5: ISE use cases

• Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
• Access Control: consistent access control in wired, wireless and VPN networks. 802.1X, MAC, Web Authentication and Easy Connect for admission control.
• Guest Access: fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
• BYOD Access: simplified BYOD management with built-in CA and 3rd party MDM integration for onboarding and self-service of personal mobile devices.
• Segmentation: topology independent software-defined segmentation policy to contain network threats by using Cisco TrustSec technology.
• Threat Control: context sharing with the partner eco-system to improve their overall efficacy and accelerate time to containment of network threats.
• Device Admin: Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices.

Page 6: Context Visibility Enhancements

Page 7: End User Context
• Email
• Phone
• Department
• Number of Endpoints

Page 8: Guest Context
• Guest Type (daily, weekly, etc.)
• Number of Endpoints
• Sponsor
• Portal used

Page 9: Context Visibility: Endpoint Inactivity
• Endpoints that have been inactive for a set number of days without any attribute changes

Page 10: Context Visibility: Status Trend
• Compliant
• Non Compliant

Page 11: Network Device Summary
• Number of Endpoints per NAD
• Port Config Status

Page 12: PassiveID Enhancements

Page 13: PassiveID in ISE
• Must enable per node
• On by default in PIC
• Turns on all PassiveID features
• Username to IP forms the basis of PassiveID session creation!

Page 14: ISE Live Sessions – Which is Which?

Page 15: PassiveID Wizard in ISE-PIC
• Simple to set up PassiveID:
  1. Join Active Directory
  2. Select interesting groups
  3. Choose controllers to monitor
  4. Done!

Page 16: PassiveID Wizard in ISE

Page 17: PassiveID Wizard
• Join Point
• AD Domain
• Admin user
• Password

Page 18: PassiveID Wizard
• Security Groups
• Used by API

Page 19: PassiveID Wizard
• All controllers
• Site controllers
• Custom

Page 20: PassiveID Wizard

Page 21: WMI Provider

Page 22: WMI Provider
• “Config WMI”: the new easy button!
• Remotely connects to controllers
• Monitors specific security events:
  - 4768 (Kerberos Ticket Granting)
  - 4770 (Kerberos Ticket Renewal)

NOTE:
• Requires Domain Admin credentials
• Access through Windows Firewall
• Windows 2008 and above

Page 23: AD Agent Provider

Page 24: PassiveID AD Agent
• Native Windows app
• Can be installed on:
  - Domain Controller
  - Member Server
• Manual installation
• Automatic installation
• 1 agent: up to 10 servers!
• Can provide visibility into past logon events

Page 25: SPAN Provider

Page 26: Kerberos SPAN
• Don’t touch my AD!
• 2 interfaces max with PIC
• 1 interface per PassiveID node in ISE
• Use ISE for scale and large deployments
• Historical events not possible (point in time)
• Pro Tip: use a dedicated interface and VACL regardless of the deployment

Great for PoV!

Page 27: Syslog Provider

Page 28: Syslog Provider
• Allows ISE / PIC to receive syslog messages
• DNS must be correctly configured
• TCP or UDP syslog supported
  - TCP port 11468
  - UDP port 40514
• Large list of built-in templates
• Ability to create custom templates
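An added example, not Cisco's code, tying together the WMI provider (page 22) and the syslog provider on this page: Kerberos events 4768/4770 and template-parsed syslog lines both feed a username-to-IP session table, which the deck calls the basis of PassiveID session creation. The event records, syslog lines and regex templates are constructed; the 8-hour session lifetime and the skipping of computer accounts (names ending in "$") are my assumptions, not documented ISE behaviour.

```python
"""PassiveID-style user-to-IP session table fed by two providers.

Added example, not Cisco code. A WMI provider delivers Windows security
events 4768 (Kerberos ticket granting) and 4770 (ticket renewal); a syslog
provider matches lines against regex "templates". Everything below that
looks like data (events, syslog lines, templates) is constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Security events the WMI provider subscribes to (event ids from the slide).
KERBEROS_EVENTS = {4768: "ticket-granting", 4770: "ticket-renewal"}

# Constructed syslog templates: named groups "user" and "ip" are mandatory,
# mirroring what a custom template has to extract.
SYSLOG_TEMPLATES = {
    "vpn-login": re.compile(
        r"VPN: user (?P<user>[\w.\\-]+) assigned (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    "proxy-auth": re.compile(
        r"proxy: authenticated (?P<user>[\w.\\-]+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
}


@dataclass
class Session:
    user: str
    ip: str
    provider: str
    last_seen: datetime


@dataclass
class SessionTable:
    """Username-to-IP mapping: one live session per IP address."""
    ttl: timedelta = timedelta(hours=8)   # assumed lifetime without a refresh
    sessions: Dict[str, Session] = field(default_factory=dict)

    def learn(self, user: str, ip: str, provider: str, when: datetime) -> Session:
        # A different user seen on a mapped IP replaces the old session; the
        # same user just refreshes last_seen ("Same User?" in the diagram).
        self.sessions[ip] = Session(user, ip, provider, when)
        return self.sessions[ip]

    def ingest_kerberos_event(self, event: dict) -> Optional[Session]:
        """event keys: id, account, client, time (constructed record shape)."""
        if event["id"] not in KERBEROS_EVENTS:
            return None                      # not a subscribed event id
        if event["account"].endswith("$"):
            return None                      # computer account, not a user logon
        return self.learn(event["account"], event["client"], "wmi", event["time"])

    def ingest_syslog(self, line: str, when: datetime) -> Optional[Session]:
        for name, template in SYSLOG_TEMPLATES.items():
            m = template.search(line)
            if m:
                return self.learn(m.group("user"), m.group("ip"),
                                  "syslog:" + name, when)
        return None                          # no template matched: dropped

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """Who is at this IP right now, or None if unknown or expired."""
        s = self.sessions.get(ip)
        if s is None or now - s.last_seen > self.ttl:
            return None
        return s.user


# Constructed input. T0 is the arbitrary start of the sample window.
T0 = datetime(2017, 5, 30, 9, 0, 0)
SAMPLE_EVENTS = [
    {"id": 4768, "account": "CORP\\alice", "client": "10.1.1.10", "time": T0},
    {"id": 4768, "account": "CORP\\WS01$", "client": "10.1.1.11", "time": T0},
    {"id": 4624, "account": "CORP\\bob", "client": "10.1.1.12", "time": T0},
    {"id": 4770, "account": "CORP\\alice", "client": "10.1.1.10",
     "time": T0 + timedelta(hours=7)},
]
SAMPLE_SYSLOG = [
    "May 30 09:05:00 asa1 VPN: user carol assigned 10.2.2.20",
    "May 30 09:06:00 proxy1 proxy: authenticated dave from 10.1.1.13",
    "May 30 09:07:00 sw1 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up",
]


def build_table() -> SessionTable:
    """Feed the constructed events and syslog lines into one table."""
    table = SessionTable()
    for event in SAMPLE_EVENTS:
        table.ingest_kerberos_event(event)
    for i, line in enumerate(SAMPLE_SYSLOG):
        table.ingest_syslog(line, T0 + timedelta(minutes=5 + i))
    return table


def who_is_at(table: SessionTable, ip: str, minutes_after_start: int) -> Optional[str]:
    """Lookup relative to T0, so callers need no datetime arithmetic."""
    return table.lookup(ip, T0 + timedelta(minutes=minutes_after_start))


if __name__ == "__main__":
    t = build_table()
    for ip in ("10.1.1.10", "10.1.1.11", "10.2.2.20", "10.1.1.13"):
        print(ip, "->", who_is_at(t, ip, 7 * 60))
```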

Page 29: REST API Provider

Page 30: REST API Provider
• Designed for use with Terminal Services Agent
• Can also be used by custom integrations
• Uses certificate-based authentication
• User information is sent to the PassiveID node over SSL in JSON format

Page 31: ISE Passive Identity Connector

Page 32: ISE PIC at a Glance
• Single ID Solution for ALL Cisco Security Portfolio
  - Best of All Existing Solutions
  - True Single Source of ID
  - No Longer Need Separate Connection to AD, LDAP, etc.
• Very Low Cost
  - Passive Identity Only
  - No Authorization. No Policies.
• New Features & Sources
  - Agents, WMI, Syslog, REST
  - Remotely Check with Endpoints: Is Endpoint Still on Network? Is User Still Logged In?
• Simple to Install and Use
• Scale to 100’s of DCs

Page 33: ISE-PIC (architecture diagram)
• Input to ISE-PIC / ISE: Active Directory via WMI, ISE-PIC Agent, Syslog and REST API; Kerberos via SPAN; almost anything.
• Endpoint Probe: Still There? Same User?
• Output: pxGrid Pub/Sub Bus and legacy CDA-RADIUS to WWW, ASA, FMC and custom apps.

Page 34: ISE-PIC Installation
• VM only, no hardware support
• 3515 based VM: 100K sessions
• 3595 based VM: 300K sessions
• Setup similar to ISE VM
• Includes 90-day Eval License

Don’t forget resource reservations!

Page 35: Deployment Options
• Standalone node or HA pair
• Form factors: ISE-PIC, ISE-PIC Upgrade
• No certificate import / export
• No service modification: services cannot be started/stopped

Remember ISE has all the features of ISE-PIC. Need to distribute? Upgrade to ISE!

Page 36: ISE-PIC Licensing
• Orderable today
• Both PIDs required for ISE-PIC Upgrade (300K sessions)
• 2x licenses for HA pair

                          Standalone                  High Availability
Up to 3,000 sessions      Qty 1 – R-ISE-PIC-VM-K9=    Qty 2 – R-ISE-PIC-VM-K9=
Up to 300,000 sessions    Qty 1 – R-ISE-PIC-VM-K9=    Qty 2 – R-ISE-PIC-VM-K9=
                          Qty 1 – L-ISE-PIC-UPG=      Qty 2 – L-ISE-PIC-UPG=

Page 37: ISE-PIC Integration Status
• StealthWatch 6.9
• FirePower Management Center (FMC)
  ISE-PIC 2.2 patch 1 / FMC 6.2 + QA Validation
• IDFW for ASA: requires CDA RADIUS Interface (roadmap)
• Web Security Appliance (WWW): requires CDA RADIUS Interface (roadmap)
• Cisco Solutions only with ISE-PIC! Upgrade to ISE with Plus for 3rd party support

Page 38: pxGrid Enhancements

Page 39: CA Signed pxGrid Certificates
(Diagram: the ISE pxGrid Controller and the Grid Client each hold Trusted Certificates and a Public/Private key pair and exchange their public certificates.)
• ISE Root CA: special cert template with EKU for both client and server authentication

Page 40: pxGrid Certificate Template
• Generate Certificates: with or w/o CSR; bulk certs w/ CSV; download Root PKCS12
• Certificate Formats: only encrypted options; all include Root certs; PEM or PKCS12
• Within pxGrid UI: no longer have to create portal / add portal user, etc.

Page 41: pxGrid Certificate Best Practice
• Cert Template: hard-coded to use the pxGrid template. Client + Server EKUs
• Friendly CN: make it something that is unique, like prefix pxGrid
• Real FQDN in SAN: ensure the real FQDN and IP address are in the SAN, just in case.

Page 42: New wizards – ISE the easy way

Page 43: All About Wizards – Visibility Setup
(Diagram: Cisco ISE runs SMB, NMAP and SNMP scans against the NADs and Active Directory.)
§ Discovers NADs (Connect)
§ Discovers devices connected to network
§ Discovers users (AD)

Wizards: Visibility Setup | Secure Access Wizard (BETA) | PassiveID Setup

Page 44: All About Wizards – Secure Access Wizard (BETA)
(Diagram: Cisco ISE pushes the Radius, BYOD, Guest and wireless setup to the NADs.)

WLC
• WLANs (SSIDs)
• Radius AuthC, AuthZ and Key
• Account Duration Settings
• Redirect ACLs (interesting traffic)
• Radius CoA Settings

ISE
• ISE AuthC and AuthZ Policies
• ISE Policy AuthZ Results
• Customized Captive Portals
• & a lot more ….

Easy Wireless Management: one place to configure all security and access settings
For Major Use cases: Enterprise (802.1X), Guest and BYOD use cases
Portal management: easy portal creation and customization

Page 45: All About Wizards – PassiveID Setup
(Diagram: Cisco ISE sets up WMI against Active Directory for the EasyConnect use case; a non-802.1X user is handled via Easy Connect.)

Active Directory
• Setup WMI Security Event Logs (registry settings etc.)
• EasyConnect use case

ISE
• Create WMI connection to Active Directory

Page 46: ISE Secure Access Wizard (SAW)
Cisco ISE 2.2: Security & Access Policy Configuration (ISE Policy Configs)

Easy Wireless Management: one place to configure all security and access settings
For Major Use cases: Enterprise (802.1X), Guest and BYOD use cases
Portal management: easy portal creation and customization

Network Access Devices – security settings:
• Redirect ACLs (interesting traffic)
• Radius AuthC, AuthZ and Key
• Account Duration Settings
• WLANs etc.

A non-security user can set up in 10 minutes

Page 47: Best Practices Design – Guest Access
Recommendation is to run SAW in a standalone setup.

(Diagram: two ISE nodes. Node 1: Primary Admin (PAN), Primary Monitoring (MnT), PSN, Primary pxGrid Controller (PXG). Node 2: Secondary Admin (PAN), Secondary Monitoring (MnT), PSN, Secondary pxGrid Controller (PXG).)

If using HA or multiple PSNs, then manually add the ISE IP address of the PSNs to the WLCs (add radius config).

Page 48: Best Practices Design

Operating System
• Cisco Identity Services Engine: ISE 2.2 (Fresh Install)
• Cisco Wireless LAN Controller: Cisco WLC running AireOS 8.x or higher.

Licensing
• ISE: Guest requires an ISE Base license, BYOD requires a Plus license.
• WLC: Standard WLC Licensing

Deployment
• ISE: We recommend using a Green Field ISE deployment.
• WLC: WLC can be Green Field or Brown Field with existing configuration.

Multiple AD & WLCs
• ISE: An AD Domain is required to create Sponsored Guest, 802.1x, and BYOD. Only Active Directory groups and users are supported (manual config for other ID stores).
• WLC: Multiple WLCs & ADs can be added, but the flow can configure one at a time.

Operations
• ISE: If you need a portal that supports both guest and BYOD, it’s not supported today by SAW.
• WLC: Dual SSID is supported for BYOD. The Open SSID does not support guest access, due to conflicts. Do use spaces in your SSID names.

Page 49: Demo: SAW on dCloud

Page 50: Posture

Page 51: What is ‘Posture’?
State of compliance with corporate security policies. Checks include:
• Application
• Anti Malware
• File Check
• Anti Spyware
• Compound
• Patch mgmt
• Anti Virus
• Disk Encryption
• Registry
• Service
• USB Check
• Others

Page 52: What’s new for ISE 2.2? Next-level posture capabilities: simplify posture administration and user experience

(Mock admin UI: AnyConnect Automatic Download ENABLED; Available NADs checked: HP, Brocade, Aruba, Ruckus, Cisco; unchecked: Other; Stealthmode installations in progress: User123, UserABC…. Client side: Terms of Service / I Agree.)

Administrators can now gain better inventory and compliance visibility without impacting the end user. Broader support for 3rd party NADs increases flexibility for admins. Additionally, users can onboard to AnyConnect faster and without interruptions.

Capabilities
• Set up automatic AnyConnect installations
• Install AnyConnect and enforce posture in the background with AnyConnect Stealthmode
• Gain better visibility into endpoint activity without a user-disrupting agent
• Streamline client provisioning with 3rd party NAD support
• Avoid cert errors using common posture certificates

Benefits
• More flexibility: deploy AnyConnect even with non-Cisco NADs
• Less user error: enforce policy automatically
• Better user experience: eliminate interruptions with posture in the background

Page 53: Key Posture Highlights in ISE 2.2 (for your reference)
• Enhanced Posture Discovery and Client Provisioning
• Posture on 3rd party devices (non URL-redirect agent to ISE communication)
• AnyConnect Headless Win/OS X option (no UI module)
• Firewall enabled checks and remediation
• AnyConnect Profile Provisioning using JSON (OpenDNS Umbrella provisioning support)
• UDID context sharing (exposure in Context Directory)
• Common Certificates and http ports for Posture (avoiding the unknown Cert errors)
• Apex enforcement (Posture admin UI shuts down)
• Application Visibility, Control and Enforcement

Page 54: TC-NAC

Page 55: What is Threat Centric NAC?
(Diagram: AMP, Qualys and CTA feed STIX, threat events, CVSS, IOC, vulnerability assessments and threat notifications into Cisco ISE 2.2, which applies Network Access Policy to the endpoints.)

Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.

• Complements Posture: vulnerability data tells the endpoint’s posture from the outside
• Expanded control: driven by threat intelligence and vulnerability assessment data
• Faster response: with automated, real-time policy updates based on vulnerability data and threat metrics

Policy attributes: Who | What | When | Where | How | Posture | Threat | Vulnerability
Create ISE authorization policies based on the threat and vulnerability attributes.

STIX over TAXII | Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)

Page 56: Threat Centric NAC – pick the Vulnerability Assessment vendor of your choice
(Diagram: ISE 2.2 sends a scan request to the scanner, which runs vulnerability scans and returns a CVSS score; Cisco CTA delivers threats via STIX.)
• Starting from ISE 2.2, TC-NAC supports Tenable, Cisco Threat Analytics (CTA) and Rapid7.
• A standard “listener” will be supported for threats using the STIX framework for automatic quarantining of critically infected endpoints.

Page 57: Tips and tricks – nice to know

Page 58: Network Device Address Ranges – Flexible Pattern Matching for multiple NADs (Last Octet Only)
§ Configure NAD with single or multiple IP address ranges + wildcard support
§ Single range example:
  • 192.168.1.100-120 / 192.168.1.*
§ Multiple range example (each range listed separately):
  • 192.168.1.100-120 or 192.168.1.*
  • 192.168.1.121-130
  • 192.145.2.*

Note: last octet only, but possible to define multiple class C entries to achieve the same ranges at a higher subnet level
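An added example, not Cisco code, of the matching rule this slide describes: patterns that are plain addresses, a last-octet range or a last-octet wildcard, with anything wider rejected, plus a helper that expresses a /24-or-wider network as the multiple class C entries the note calls for. The NAD inventory is constructed from the slide's own ranges; the first-match lookup order is my assumption.

```python
"""Matcher for ISE 2.2 network-device address patterns.

Added example, not Cisco code. From the slide: a NAD entry may carry several
patterns; each is a plain IPv4 address, an address whose LAST octet is a
range "a-b", or one whose last octet is "*". Only the last octet may vary,
so wider coverage is written as several class C entries.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Three fixed octets, then either "*", a single octet, or "low-high".
_PATTERN = re.compile(
    r"^(?P<prefix>\d{1,3}\.\d{1,3}\.\d{1,3})\.(?P<last>\*|\d{1,3}(?:-\d{1,3})?)$")


def parse_pattern(pattern: str) -> Tuple[str, int, int]:
    """Return (first three octets, low, high); ValueError for anything else."""
    m = _PATTERN.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    prefix, last = m.group("prefix"), m.group("last")
    ipaddress.IPv4Address(prefix + ".0")      # rejects octets above 255
    if last == "*":
        return prefix, 0, 255
    low, _, high = last.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad last-octet range in {pattern!r}")
    return prefix, lo, hi


def matches(patterns: List[str], client_ip: str) -> bool:
    """True if client_ip falls inside any of the entry's patterns."""
    prefix, _, last = str(ipaddress.IPv4Address(client_ip)).rpartition(".")
    octet = int(last)
    for p in patterns:
        p_prefix, lo, hi = parse_pattern(p)
        if p_prefix == prefix and lo <= octet <= hi:
            return True
    return False


def find_nad(devices: Dict[str, List[str]], client_ip: str) -> Optional[str]:
    """Name of the first NAD whose patterns cover client_ip (first match wins)."""
    for name, patterns in devices.items():
        if matches(patterns, client_ip):
            return name
    return None


def class_c_entries(network: str) -> List[str]:
    """Rewrite a /24-or-wider network as the wildcard entries the note asks for."""
    net = ipaddress.IPv4Network(network, strict=False)
    if net.prefixlen > 24:
        raise ValueError("networks smaller than /24 need a last-octet range instead")
    return [str(sub.network_address).rsplit(".", 1)[0] + ".*"
            for sub in net.subnets(new_prefix=24)]


# Constructed NAD inventory built from the ranges on the slide.
NADS = {
    "wlc-site-a": ["192.168.1.100-120", "192.168.1.121-130"],
    "switches-site-b": ["192.145.2.*"],
}

if __name__ == "__main__":
    for ip in ("192.168.1.125", "192.145.2.7", "10.0.0.1"):
        print(ip, "->", find_nad(NADS, ip))
    print(class_c_entries("192.168.0.0/22"))
```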

Page 59: Network Device Group (NDG) Hierarchies
§ Before ISE 2.2…
§ ISE 2.2…

Page 60: Custom User Attributes
New attribute types include IP / Boolean / Date
Administration > Identity Management > Settings

Page 61: Per-PSN LDAP Servers (from BRKSEC-3699)
• Assign unique Primary and Secondary to each PSN
• Allows each PSN to use local or regional LDAP Servers

Page 62: MySQL Support – reintroduced in ISE 2.2 (last-minute pull from ISE 2.1)
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210521-Configure-ISE-2-2-for-integration-with-M.html

Page 63: Guest Enhancements
§ Sponsor Enhancements
  § Single-click guest account approvals
  § Pending approval filtering based on person visited (AD/LDAP support)
  § Sponsor Portal enhancements
§ Guest Enhancements
  § Background image support
  § Hotspot CoA (Change of Authorization)
  § Sponsor Portal set password on import
  § ERS API update
  § Dynamic variable message Id for SMS message
§ Legacy Guest Features
  § Custom portal files
  § Sponsor Group by additional attributes
  § Auto-send notification to guest when email address present
  § Allow guest credentials to be hidden from Sponsor but guest still be notified

Page 64: What’s new in ISE 2.3?

Page 65: Read-Only Admin, a.k.a. RO Admin

Pages 66–67: (slides without extracted text)

Page 68: Social Network Guest Login

Page 69: Supported Flows
• Facebook login will be supported for Self Registration only, with and without sponsored approval
• With Social Login the registration form is optional.
• If displayed, some fields will be pre-populated with information from social media providers.
• Admin may allow guests to override information (except Facebook Username)
• Facebook login is on top of regular guest flows. Hotspot can be achieved by using self registration without sponsored approval and without displaying the registration form. Guests will be able to click on the Facebook button and get access to the network immediately.

Page 70: (slide without extracted text)

Page 71: Facebook login for guest (phase 1)
• Login using local ISE account
• Create local ISE account
• Login with social account

Page 72: First Time Access
(Screenshot: the Facebook login form, between the endpoints and Cisco ISE; the e-mail and password fields are masked.)
Upon first access the guest must approve ISE to get basic information from Facebook.

Page 73: Posture Improvements

Page 74: Posture Features
§ Temporal Agent Push
§ Better SCCM Integration
§ Flexible Notifications Framework
§ Even Better Application Visibility

Page 75: Group Policy Connector

Page 76: Simplifying Security Policy Across Domains
Goal: share group information between cloud domains and the Enterprise to simplify policy management
• Share classifications to reduce SecOps effort, deliver consistency and simplify audit tasks
• Enable adoption of different cloud environments without duplicating group policy management

(Diagram: the Group Policy Connector (ODL) maps Enterprise Security Groups to APIC DC / ACI EndPoint Groups, AWS Security Groups and Azure Network Security Groups; each mapping is marked Available, In Progress or Planning.)

Page 77: ACS Migration

Page 78: ACS End of Life is a fact!
• ACS will soon reach End of Sale (August 30th), followed by 1 year of software maintenance (Sev1s and PSIRT fixes only)
• ISE Base Migration Licenses will reach EoS at the same time
• The clock is ticking – NOW is the time to migrate
• ISE 2.3 is the LAST release to include ACS Migration Features

Page 79: ISE Public Resources
• ISE Public Community: http://cs.co/ise-community
• Customer Connection Program: http://cisco.com/go/ccp > Security
• ISE Compatibility Guides: http://cs.co/ise-compatibility
• ISE Design & Integration Guides: http://cs.co/ise-guides
• ISE Licensing / Ordering Guide: http://cs.co/ise-licensing, http://cs.co/ise-ordering
• Free, 90-day ISE Evaluation: http://cs.co/ise-eval

Page 80: Q&A
