
CCNP Security

Implementing Cisco Secure Access Solutions


(300-208 SISAS)

TrustSec Overview

TrustSec
System of multiple products deployed to secure access to the network regardless of its type
Identity Services Engine (ISE)
NAD : switch, WLC, ASA or ISR router
Supplicant
External ID Store
Key technology used in TrustSec is 802.1x - three phases (modes) of deployment :
1. Monitor
2. Low Impact
3. Closed
Other TrustSec technologies
Profiling, Guest Services, Posture & Client Provisioning

ISE Licensing

ISE Licenses determine the following :


Type of supported deployment (wired/wireless/VPN)
Available features (e.g. posture, profiling)
Number of supported endpoints (100, 250, 500, ..., 100 000)
Account for a number of employees, devices per employee, used switchports, APs, etc.
Types of ISE Licenses :
1. Evaluation (90 days) : full feature support for wired+wireless+VPN access up to 100 endpoints
2. Base (perpetual) : basic AAA, guest management & link encryption for wired+wireless+VPN
3. Advanced (1/3/5 years) : full feature support for wired+wireless+VPN access
4. Wireless (1/3/5 years) : full feature support for wireless only
5. Wireless Upgrade (1/3/5 years) : installed on top of the Wireless license to enable wired+VPN access

ISE Architecture

ISE Overview
Fundamental TrustSec component
Combines several devices/technologies into a single unit :
Cisco Secure ACS
NAC Manager/Server/Collector/Guest Server/Profiler
Available in two different flavors
1. Physical Appliance
3315, 3355, 3395 - End of Life
Cisco Secure Network Server 3415 (small companies) and 3495 (large companies)
2. VMware ESX/ESXi 4.x and 5.x image

ISE Architecture

Key Features
Identity Enforcement
Discover, classify & locate connecting endpoints
Identity Management (RADIUS)
Offers strong policy enforcement
TACACS+ is not supported as of the current code release (1.2)
Guest Management Service
Includes My Devices portal for device onboarding/registration
Posture Services (NAC)
Supports auto-remediation and periodic reassessment

ISE Architecture

ISE Deployment Terminology


Node - single ISE instance (appliance or VMware)
Node Type - ISE Node or Inline Posture
Persona determines services provided by an ISE Node
1. Administration (Policy Administration Node PAN)
2. Monitoring (Monitoring Node MNT)
3. Policy (Policy Services Node PSN)
Inline Posture Node (IPN) cannot assume any Persona
Role affects the total number of supported endpoints
By default each ISE Node has a Standalone Role (PAN + MNT + PSN)
PAN and/or MNT Node (not PSN) can have Primary/Secondary Role for redundancy

ISE Architecture

Deployment Modes & High Availability


Small Networks
Standalone device (or two for redundancy)
Active/Primary device handles all Personas
2 000 to 10 000 endpoints are supported depending on the ISE Platform
Medium Networks
PAN+MNT on a single ISE (two can be used for redundancy)
Dedicated PSNs (up to 5)
Up to 10 000 endpoints are supported depending on the platform
Large Networks
Dedicated PAN, MNT and PSNs units
Secondary PAN & MNT can be added for redundancy
Up to 100k (3395) or 250k (3495) endpoints are supported in total

ISE Architecture

ISE Design
Centralized
All nodes are physically located in one location
Recommended deployment
Distributed
Nodes are dispersed in multiple locations (mostly PSNs)
PAN & MNT devices are typically kept in a central location

ISE Architecture

Centralized Design

ISE Architecture

Distributed Design

Identity Stores

Identity Store Types :


Local
Internal Users
Internal Endpoints
Certificate Store
External
Active Directory
LDAP Stores
RSA SecurID Server
Lightweight Directory Access Protocol (LDAP) vs Active Directory
LDAP is a protocol used to access directories. It uses TCP/UDP port 389
Active Directory is Microsoft's Directory Service implementation (+more)

AAA Basics

AAA Basics
Architectural framework for configuring three different security functions
1. Authentication
2. Authorization
3. Accounting
Authentication is the process of verifying someone's identity
Multiple factors (elements) can be used such as passwords, token cards, biometrics
Authorization is used to determine a level of access for the user (enforcing a policy)
For example access to a particular service or command can be given or not
Accounting is the process of tracking a user's activity
For example which services a user accessed and when

AAA Basics

AAA Security Protocols


RADIUS
1. Transport : UDP 1645/1646 (legacy) or 1812/1813
2. Encryption : User's password only. Usernames, services etc. are sent in clear
3. Protocol Design : Combines Authentication with Authorization. No command authorization
4. Standardization : Industry Standard
TACACS+
1. Transport : TCP 49
2. Encryption : Entire body (username & password). Only the header is sent in clear
3. Protocol Design : Separates all AAA functions. Supports command authorization
4. Standardization : Cisco proprietary

RADIUS Attributes

RADIUS Attributes
Standard-defined protocol structures used to carry information between AAA Clients & Server
There are 255 attributes defined by the original specification (most pre-defined)
Each attribute stores a certain value (implemented as TLV)
One attribute (#26 or 0x1A), called Vendor-Specific, has a special usage
Vendor Specific Attribute (VSA)
Allows each vendor to define up to 255 additional attributes to carry vendor-specific data
It is composed of Vendor-ID, Vendor Type, Vendor Length and the attribute data
An example of Cisco-specific attribute is Cisco AV-Pair (Vendor-ID 9, Vendor Type 1)
Cisco AV-Pair
Designed to extend RADIUS authorization capabilities with TACACS+-like features
Formatted as : protocol:attribute=value e.g. shell:priv-lvl=15

AAA Basics

Cisco Secure ACS 5.3


Centralized solution for AAA services
User management
Administrative access and more
ACS 5.3 Characteristics
Available as a 1-RU hardware appliance or VMware ESX/ESXi software image
RADIUS & TACACS+ Server
Networking devices act as AAA Clients (Network Access Servers NASes)
Supports integration with existing databases (Active Directory, LDAP)
Uses rule-based Policy Model (as opposed to user/group-based seen in ACS 4.2)
Policy Logic is decoupled from users/groups
Authorization rules are used to enforce the policy (IF condition THEN result)

AAA Configuration

AAA Configuration
Initialize the AAA framework (aaa new-model)
Define a Method List (method/database to use for a particular AAA service, e.g. login or exec)
Default Method List is automatically enabled/applied to all lines/protocols; user-defined is not
User-defined List, once applied/enabled, overrides the Default Method List
Enabling a User-defined List depends on the service; e.g. authorization under a line
1. Authentication (aaa authentication service [name|default] method)
2. Authorization (aaa authorization service [name|default] method)
3. Accounting (aaa accounting service [name|default] method)
Configure NAS for RADIUS/TACACS+ (radius-server/tacacs-server) or LOCAL database
Configure AAA Server (ACS or ISE)

AAA Configuration

Authentication
Commonly used Authentication services :
1. IEEE 802.1x (dot1x)
2. Enable password (enable)
3. Login (login)
This method list (user-defined) must be applied to a line via login authentication
Fallback Authentication
Works by specifying multiple methods in a single list. For example :
aaa authentication login default group tacacs+ local
Subsequent methods are checked only when no response is received from the first database (or an
error is returned); an explicit reject does not fall through

AAA Configuration

Authorization
Commonly used Authorization services :
1. Network (network)
2. EXEC/Shell (exec)
3. Command (commands)
Remember about aaa authorization config-commands
EXEC and Command lists must be applied to a line via authorization exec/commands
Authorization for the Console Line is disabled by default (no aaa authorization console)
Fallback Authorization can be configured. E.g. :
aaa authorization exec default group tacacs+ local

AAA Configuration

EXEC Authorization
1. Should the user be given access to the EXEC Shell?
2. What Shell attributes should be assigned to the user? For example :
Privilege Level (username privilege)
CLI View (username view)
Auto Command (username autocommand)
Supported by RADIUS, TACACS+ and LOCAL databases
Command Authorization
Used to check if a particular CLI command should be available for a user
LOCAL database can be used to mimic this feature
By default all commands reside at privilege levels 0, 1 and 15
Real Command Authorization comes with TACACS+

AAA Configuration

Accounting
Commonly used Accounting services :
1. EXEC/Shell (exec)
The start-stop option sends an accounting record at the beginning and at the end of the session
The stop-only option sends an accounting record only at the end
2. Command (commands)
EXEC and Command lists must be applied to a line via accounting exec/commands
The only two methods supported for accounting are RADIUS and TACACS+

Wireless Security Fundamentals

Fundamental Wireless Security Solutions


Layer 1
Client Exclusions (association, 802.1x authC failures, WebAuth failures, IP theft/reuse)
Disabling SSID broadcasts
Layer 2
Authentication & Key Management : 802.1x
Encryption & Integrity : WEP (never use it), WPA and WPA2
WPA and WPA2 can be configured in one of two modes :
a. Personal (PSK)
b. Enterprise (requires 802.1x)
Layer 3
IPSec
Web Authentication (WebAuth)

Wireless Security Fundamentals

Other Solutions
MAC Filtering
Local or with a RADIUS server
Access-Lists
ACL direction (inbound, outbound) is based on the WLC's perspective
Can be applied per-user, to an interface, an entire WLAN or the WLC's CPU
Management Frame Protection (MFP)
Protects management packets
Rogue Management
Detects, classifies and possibly contains rogue Access Points
AAA Override
Enables Identity Networking

Wireless Security Fundamentals

RADIUS Authentication Methods


Non-EAP protocols (PAP, CHAP, MS-CHAPv1, MS-CHAPv2)
EAP protocols - Key Based
a. EAP-MD5
One-way client authentication with password
Vulnerable to MiTM attacks (attacker sees the challenge and the hash)
b. Lightweight Extensible Authentication Protocol (LEAP)
Used in wireless networks only
Offers username-password mutual authentication
c. EAP-FAST
Uses Protected Access Credentials (PAC) as a shared-secret
Provides mutual authentication (encrypted with PAC tunnel)
More secure than LEAP (it was designed to replace LEAP)

Wireless Security Fundamentals

RADIUS Authentication Methods


EAP protocols - Certificate Based
a. Protected Extensible Authentication Protocol (PEAP)
First a TLS tunnel is negotiated (server sends its certificate to the client)
Then an inner method is used for authentication (EAP-MSCHAPv2, EAP-GTC or EAP-TLS)
Provides mutual authentication
b. EAP-TLS
Offers mutual certificate-based authentication (SSL v3.0)
More complex to implement due to client-side certificates
One of the most secure EAP standards
The client-side certificate's private key may be stored on a Smart Card for maximum security

Central Web Authentication (CWA)

Central Web Authentication (CWA)


Useful in Low Impact & Closed Mode as a last-resort authentication method (e.g. for guests)
CWA workflow :
User connects to the port/associates with AP
MAB occurs (either success or fail) and the CWA Authorization Rule is matched (ISE)
For failed MAB to work make sure Continue is set for the User Not Found option
RADIUS returns Redirection ACL name + Redirection URL (ISE Guest Portal webpage)
User opens up a web browser and gets redirected to the ISE Guest Portal
Successful authentication triggers CoA (UDP 3799); L2 reauthentication occurs (user)
Upon successful authentication new authorization rule is matched and new policy is
returned

Central Web Authentication (CWA)

CWA considerations
Redirection ACL
DHCP & DNS traffic should NOT be redirected
Switch permit entries determine what to redirect (deny DNS, permit HTTP, HTTPs)
WLC deny entries determine what to redirect (permit DNS and DHCP, deny rest)
Authorization Rules
To avoid a Redirection Loop, a portal-authenticated user should match a new AuthZ Rule
Two ways to accomplish this :
1. Match the guest-assigned ID Group
2. Match Advanced Condition Network Access:UseCase Equals GuestFlow
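The two redirect-ACL conventions above, as an added example that is not part of the original deck: a small Python evaluator applies a switch-style ACL (permit = redirect) and a WLC-style ACL (deny = redirect) to the same flows and flags when DNS or DHCP would be sent to the portal. The ACL syntax subset and the sample ACLs are constructed for this illustration.

```python
"""Redirect-ACL semantics for CWA: switch = permit means redirect, WLC = deny means redirect."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Flow:
    proto: str                # "tcp" or "udp"
    dst_port: int

@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip" (any protocol)
    dst_port: Optional[int]   # None = any destination port

def parse_acl(text: str) -> List[Ace]:
    """Parse the subset '<permit|deny> <proto> any any [eq <port>]' used in the constructed ACLs."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[2:4] != ["any", "any"]:
            raise ValueError(f"unsupported ACE: {line!r}")
        port = int(parts[parts.index("eq") + 1]) if "eq" in parts else None
        aces.append(Ace(parts[0], parts[1], port))
    return aces

def first_match(acl: List[Ace], flow: Flow) -> str:
    """First matching entry decides; no match hits the implicit deny at the end."""
    for ace in acl:
        if ace.proto in ("ip", flow.proto) and ace.dst_port in (None, flow.dst_port):
            return ace.action
    return "deny"

def is_redirected(platform: str, acl: List[Ace], flow: Flow) -> bool:
    """Apply the platform's reading of the same ACL result."""
    action = first_match(acl, flow)
    if platform == "switch":
        return action == "permit"     # Catalyst: permit entries select the traffic to redirect
    if platform == "wlc":
        return action == "deny"       # WLC: deny entries (and the implicit deny) are redirected
    raise ValueError(f"unknown platform {platform!r}")

# Flows that must reach the network untouched or the portal never loads (constructed list)
MUST_NOT_REDIRECT: Dict[str, Flow] = {
    "DNS": Flow("udp", 53),
    "DHCP": Flow("udp", 67),
}

def check_redirect_acl(platform: str, acl: List[Ace]) -> List[str]:
    """Names of infrastructure flows the ACL would wrongly send to the portal."""
    return [name for name, flow in MUST_NOT_REDIRECT.items() if is_redirected(platform, acl, flow)]

# Constructed ACLs following the deck's two conventions
SWITCH_REDIRECT_ACL = parse_acl("""
deny udp any any eq 53
deny udp any any eq 67
permit tcp any any eq 80
permit tcp any any eq 443
""")

WLC_REDIRECT_ACL = parse_acl("""
permit udp any any eq 53
permit udp any any eq 67
deny ip any any
""")

# Constructed mistake: the WLC ACL forgets DNS, so name resolution is redirected as well
WLC_REDIRECT_ACL_BROKEN = parse_acl("""
permit udp any any eq 67
deny ip any any
""")
```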

Guest Services

ISE Guest Services


Exposes two different Web Portals designed to streamline the entire Guest User lifecycle
1. Sponsor
Used to create, update and manage Guest Accounts (guests)
2. Guest
Used for guest user authentication
Optionally self-registration may be configured (no need for sponsors)
Multiple Sponsor Groups/Profiles can be created
This way different sponsor users can assign guests to different roles (ID Group)
Sponsor users are authenticated locally or via an External DB

ISE Profiling

Profiling
The process of detecting, classifying & localizing endpoints connecting/connected to the network
There are multiple methods used to discover devices & their attributes (aka Probes)
Information about the detected devices is stored in ISE's Endpoint Database
Endpoints are uniquely represented by their MAC address
The main benefit of Profiling is associating endpoints with Identity Groups
Allows creating per-device-type policies, e.g. for IP Phones authenticated with MAB
Allows creating policies for differentiated access - BYOD (Bring Your Own Device)
Profiling is an on-going process

ISE Profiling

Profiling Process Overview


1. Traffic is received by an activated Probe
2. ISE tries to associate the collected attributes with the appropriate endpoint :
If MAC address was present the endpoint will be updated or added to the DB (new device)
If MAC address was not present (but only IP), there must be a device already in the DB with
the corresponding IP address or the collected attributes will be lost
3. If a new endpoint was added to the DB (or existing updated with collected information), the
attributes will be validated against the Profiling Policy Rules
As a result the device will be associated with a Profile (or the Profile may change for an
existing device)
The Identity Group will be selected for the device (or possibly updated)
Profiling/Re-Profiling does NOT take place for endpoints assigned to a Policy statically

ISE Profiling

Profiling Policies (Profiles)


Each Profiling Policy (Profile) consists of a set of Rules (if condition then action)
Three actions available are :
1. Increase Certainty Factor (CF) value
2. Take Network Scan (scan the endpoint via NMAP)
3. Take Exception Action (assign the endpoint to a Profile statically + optionally trigger CoA)
Initially all endpoints attributes are only compared against all CF-action Rules in all Profiles
Since CF is cumulative, its value may be increased by multiple matching Rules
This results in selecting a single Profile for the endpoint (the highest-CF Profile wins as long as
the calculated CF >= the Profile's Minimum CF value)
The selected Profile determines the Identity Group for the endpoint; the Profile's Rules for the two
remaining actions are now considered (if any)
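An added illustration, not ISE code, of the Certainty Factor logic described above: profiles are scored cumulatively over their CF rules, the highest-scoring profile wins only if it reaches its own minimum CF, and a statically assigned endpoint is never (re)profiled. Profile names, rule conditions and CF values are constructed for the example and are not ISE's built-in policies; the tie-break (first profile evaluated wins) is an assumption the deck does not state.

```python
"""Certainty-Factor profile selection modelled on the rules described above (illustrative values)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, str]

@dataclass
class Rule:
    condition: Callable[[Attrs], bool]
    cf: int                     # Increase Certainty Factor action: value added on a match

@dataclass
class Profile:
    name: str
    identity_group: str
    min_cf: int                 # the Profile's Minimum Certainty Factor
    rules: List[Rule] = field(default_factory=list)

@dataclass
class Endpoint:
    mac: str                    # endpoints are keyed by MAC address in the endpoint database
    attrs: Attrs
    static_profile: Optional[str] = None   # statically assigned Profile: never (re)profiled

def attr_startswith(key: str, prefix: str) -> Callable[[Attrs], bool]:
    return lambda a: a.get(key, "").lower().startswith(prefix.lower())

def attr_contains(key: str, needle: str) -> Callable[[Attrs], bool]:
    return lambda a: needle.lower() in a.get(key, "").lower()

def score(profile: Profile, attrs: Attrs) -> int:
    """CF is cumulative: every matching CF rule in the profile adds its value."""
    return sum(r.cf for r in profile.rules if r.condition(attrs))

def select_profile(profiles: List[Profile], attrs: Attrs) -> Tuple[Optional[Profile], int]:
    """Highest-CF profile wins, but only if its CF reaches the profile's minimum.
    Ties keep the first profile evaluated (assumption; the deck does not state ISE's tie-break)."""
    best, best_cf = None, 0
    for p in profiles:
        cf = score(p, attrs)
        if cf >= p.min_cf and cf > best_cf:
            best, best_cf = p, cf
    return best, best_cf

def profile_endpoint(endpoint: Endpoint, profiles: List[Profile]) -> Tuple[str, str]:
    """Return (profile name, identity group); 'Unknown' when no profile reaches its minimum CF."""
    if endpoint.static_profile is not None:           # static assignment short-circuits profiling
        p = next(p for p in profiles if p.name == endpoint.static_profile)
        return p.name, p.identity_group
    best, _ = select_profile(profiles, endpoint.attrs)
    return (best.name, best.identity_group) if best else ("Unknown", "Unknown")

# Constructed profiles: names and CF values are illustrative, not ISE's built-in policies
PROFILES = [
    Profile("Cisco-Device", "Cisco-Device", min_cf=10, rules=[
        Rule(attr_startswith("OUI", "Cisco"), 10),
    ]),
    Profile("Cisco-IP-Phone", "Cisco-IP-Phone", min_cf=20, rules=[
        Rule(attr_startswith("OUI", "Cisco"), 10),
        Rule(attr_contains("cdpCachePlatform", "IP Phone"), 20),        # CDP via SNMP Query / Device Sensor
        Rule(attr_contains("dhcp-class-identifier", "IP Phone"), 20),   # DHCP probe attribute
    ]),
    Profile("Apple-Device", "Apple-Device", min_cf=10, rules=[
        Rule(attr_startswith("OUI", "Apple"), 10),
        Rule(attr_contains("User-Agent", "Mac OS X"), 10),              # HTTP probe attribute
    ]),
]

# Constructed endpoint attribute sets (not real collected data)
PHONE_ATTRS = {"OUI": "Cisco Systems, Inc", "cdpCachePlatform": "Cisco IP Phone 7965"}
CISCO_OUI_ONLY = {"OUI": "Cisco Systems, Inc"}
UNKNOWN_ATTRS = {"OUI": "Dell Inc."}
```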

ISE Profiling

Change of Authorization (CoA)


During Profile transition it is possible for the endpoint to get reassigned to a new Identity Group
This means device should be now re-authenticated and re-authorized
CoA (RFC 3576) is an unsolicited RADIUS message sent to NAD to enforce a new policy
This process is triggered automatically (if enabled globally) under one of conditions below :
1. Endpoint is added/removed from an identity group that is used by an authorization policy
2. Endpoint is profiled for the first time
3. Endpoint is deleted from the ISE database
CoA can be also triggered by user-defined Exception Actions
But these are typically used to *prevent* CoA after transition to a statically assigned Policy
Static Policy assignment effectively disables Profiling of the endpoint

ISE Profiling

Profiling Probes
A Probe (method) is an ISE component used to collect endpoint attributes
Different Probes collect different attributes (some overlap)
Almost all Probes are passive; the only active Probe is NMAP
Some Probes are only useful if an IP-MAC binding already exists (learned via other Probe)
Probe Types
RADIUS Probe
Key Profiling Attributes : MAC address, if available (OUI -> vendor), IP address
Provides IP to MAC bindings (Framed-IP, Calling-Station-ID)
RADIUS Probe functionality can be extended by enabling the Device Sensor feature

ISE Profiling

Device Sensor
Enables NAD (switch or WLC) to collect information through CDP, LLDP and DHCP
These attributes are then sent to ISE in a RADIUS Accounting packet
Switch Configuration
RADIUS Accounting & VSA (aaa accounting dot1x + radius-server vsa send accounting)
CDP, LLDP (lldp run, lldp receive), DHCP Snooping
Activation : device-sensor accounting + device-sensor notify all-changes
WLC Configuration
RADIUS Accounting : WLAN->WLAN_ID->Security->AAA Servers
Activation : WLAN->WLAN_ID->Advanced; check Device Profiling
Both DHCP Proxy and Bridged modes are supported

ISE Profiling

SNMP Trap Probe


Typically used to trigger the SNMP Query Probe
MAC address can be collected if MAC Notifications are enabled for the port
Traps from WLCs & APs are currently not supported
SNMP Query Probe (GET)
Periodic or triggered on reception of an SNMP Trap/RADIUS Accounting message
Key Profiling Attributes : CDP/LLDP & ARP Table
Provides IP to MAC bindings (ARP Cache)
NetFlow Probe
Used to identify endpoints based on the traffic they generate
IP to MAC binding must be already known to ISE

ISE Profiling

DHCP & DHCP SPAN Probes


Use the SPAN Probe if there is no Relay configured (e.g. DHCP Server is local to the VLAN)
Key Profiling Attributes : DHCP packet information
Provides IP to MAC bindings (client-ID MAC, assigned IP address)
HTTP Probe
Use the SPAN Probe if URL Redirection or Client Provisioning is not available
Key Profiling Attributes : User-Agent (HTTP Request)
HTTP Traffic does not include the MAC address; the IP-MAC binding must already exist in ISE
DNS Probe
Used to acquire the FQDN based on a reverse DNS lookup
IP address of an endpoint must be already known to ISE

ISE Profiling

NMAP Probe
Active mechanism that communicates directly with the endpoint
Three types of scans available are : OS, SNMP & Common Ports
Scans can be started manually or dynamically by a Policy Rule Take Network Scan action
IP address of an endpoint must be already known to ISE

ISE Profiling

Profiling Configuration
For distributed deployments make sure Profiling Service is enabled under System->Deployment
Every needed Probe must be activated under System->Deployment->Profiling Configuration
The only exception is manual NMAP scan
All Probes except DHCP & NMAP require a NAD to be added to Network Devices
Don't forget to configure the NADs themselves
Remaining configuration (if any) depends on the type of Probe we want to use
Last step is to validate/tune existing or add new Profiling Policy Rules
RADIUS
If you want to use Device Sensor, enable it

ISE Profiling

SNMP Trap
Configure NAD to send SNMP Traps (snmp-server host; snmp-server enable traps)
On ISE configure NAD to accept SNMP Traps (Network Device -> SNMP Settings)
SNMP Query
Configure NAD to accept polls (snmp-server community), or the equivalent user/group settings for SNMP version 3
For WLC this is under Management -> SNMP
On ISE configure NAD with authentication credentials (Network Device -> SNMP Settings)
NetFlow
Configure NAD for NetFlow and then export collected data to ISE (e.g. flow exporter)

ISE Profiling

DHCP & DHCP SPAN


For DHCP configure a Relay for real DHCP Server and ISE (ip helper-address twice)
On WLC disable DHCP Proxy (Controller -> Advanced -> DHCP)
For DHCP SPAN configure a SPAN/RSPAN session with ISE as the final destination
HTTP URL Redirection & HTTP SPAN
For HTTP Redirect configure ISE & NAD for particular service (e.g. CWA, Client Provisioning)
For HTTP SPAN configure a SPAN/RSPAN session with ISE as the final destination
DNS
Make sure ISE has a DNS server defined and that it supports Reverse IP Lookups

802.1x

802.1x
Port-Based (L2) authentication mechanism
Before the connecting client successfully authenticates, only EAPOL, CDP & STP packets
are allowed across the port
EAP frames are used to transport authentication information
Dot1x components :
1. Supplicant (installed on the client device)
2. Authenticator (policy enforcement point; typically a switch or an access point)
3. RADIUS Authentication Server (source of authentication information, e.g. ACS or ISE)

802.1x

The Process
Authentication can be initiated by either the supplicant or the authenticator
Authenticator sends EAP Request Identity frames periodically and when the link goes up
Supplicant can speed up the process by sending EAPOL Start packet asking for EAP Req ID
Once Authenticator receives EAP Response ID, it encapsulates the content of the EAP frame
into RADIUS using two EAP-specific Attributes
First EAP Authentication method is negotiated
Then credentials are validated :
1. Auth OK -> return Access-Accept with the policy (e.g. dACL, VLAN)
2. Auth Fail -> return Access-Reject (EAP Failure). Result depends on switch config :
Try next authentication method or assign the user to the Auth-Fail VLAN
Deny access; then after the quiet-period authenticate again

802.1x

Port Settings & Modes


There are three configurable port settings for 802.1x (authentication port-control) :
1. force-authorized (default) : disables 802.1x on the interface
2. force-unauthorized : port is statically put into the 802.1x-unauthorized state
3. auto : activates real 802.1x on a port
802.1x Port Modes (authentication host-mode) :
1. single-host : allows only a single client behind the port
2. multiple-host : allows multiple clients behind the port; only one needs to authenticate to open access. Not recommended
3. multi-domain : allows only two endpoints : one in Data & one in Voice VLAN
4. multi-auth : allows one Voice device and multiple clients in Data VLAN. Each device is authenticated separately

802.1x

Port Violations & MAC Move


Port Security feature is built into 802.1x (authentication violation)
1. shutdown (default) : put the interface into the err-disabled state
2. restrict : generate a Syslog & drop the frames from the new MAC
3. protect : drop the frames from the new MAC
4. replace : known as MAC Replace. Removes the currently authenticated MAC and triggers authentication for the new one
Note that violations can only be triggered in two port modes : single-host or multi-domain
MAC Move (authentication mac-move permit globally)
When enabled, re-connecting an already authenticated device to another port will trigger reauthentication instead of a Violation

802.1x

MAC Authentication Bypass (MAB)


Alternative method of authenticating clients connecting to a 802.1x-enabled port/WLAN
MAB (by default) is only triggered when 802.1x times out (no supplicant on the client)
FlexAuth can be used to trigger MAB after 802.1x authentication failure (switches only)
Authentication is based on the device's MAC address (username=password=MAC)
Always make sure AAA server uses a separate database for MAB (typically Endpoint DB)
MAB authentication requests can be uniquely identified by RADIUS attributes :
1. Wired : Service-Type set to 10 (Call-Check) and NAS-Port-Type to 15 (Ethernet)
2. Wireless : Service-Type set to 10 (Call-Check) and NAS-Port-Type to 19 (Wireless)
Lowering the Tx-Period timeout is considered a best practice (dot1x timeout tx-period 10)
802.1x timeout is (max-reauth-req+1)*tx-period by default (90 seconds)
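An added example, not from the deck, serving both the RADIUS Attributes slide and the MAB identification above: it encodes and decodes RADIUS attribute TLVs, including the Vendor-Specific Attribute (26) with a Cisco AV-Pair (Vendor-ID 9, Vendor-Type 1), and classifies a constructed Access-Request as wired MAB, wireless MAB or 802.1x. The packet header layout, attribute numbers 1/6/61 and EAP-Message (79) as the 802.1x marker are assumptions not stated on the slides; the MAB values (Service-Type 10, NAS-Port-Type 15/19) are the ones on the slide, and the sample packets are constructed with a zeroed authenticator, not captured traffic.

```python
"""Decode RADIUS attribute TLVs and Cisco VSAs, then classify Access-Requests (constructed samples)."""
import re
import struct
from typing import Dict, List, Tuple

# Attribute numbers (RFC 2865 / RFC 2869) and the values the slides use for MAB
USER_NAME, SERVICE_TYPE, VENDOR_SPECIFIC, NAS_PORT_TYPE, EAP_MESSAGE = 1, 6, 26, 61, 79
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1            # Cisco AV-Pair: Vendor-ID 9, Vendor-Type 1
SERVICE_TYPE_CALL_CHECK = 10                     # Service-Type in MAB requests
NAS_PORT_ETHERNET, NAS_PORT_WIRELESS = 15, 19    # NAS-Port-Type: wired / wireless MAB
Attr = Tuple[int, bytes]                          # (attribute type, raw value)

def encode_attr(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length includes the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_cisco_avpair(avpair: str) -> bytes:
    """Attribute 26 = Vendor-ID(4) + Vendor-Type(1) + Vendor-Length(1) + vendor data."""
    data = avpair.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_packet(code: int, encoded_attrs: List[bytes], ident: int = 1) -> bytes:
    """Code(1) ID(1) Length(2) Authenticator(16) Attributes; authenticator zeroed (no shared secret)."""
    body = b"".join(encoded_attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet: bytes) -> List[Attr]:
    """Walk the TLVs, rejecting any length that would read outside the packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs

def parse_vsa(value: bytes) -> Tuple[int, int, bytes]:
    """Split attribute 26 into (Vendor-ID, Vendor-Type, vendor data) with bounds checks."""
    if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
        raise ValueError("malformed VSA")
    return struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]]

def parse_cisco_avpair(text: str) -> Tuple[str, str, str]:
    """'protocol:attribute=value' (e.g. shell:priv-lvl=15) -> (protocol, attribute, value)."""
    proto, rest = text.split(":", 1)
    name, val = rest.split("=", 1)
    return proto, name, val

def decode_cisco_avpairs(packet: bytes) -> List[Tuple[str, str, str]]:
    pairs = []
    for atype, value in parse_attributes(packet):
        if atype == VENDOR_SPECIFIC:
            vendor_id, vtype, data = parse_vsa(value)
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                pairs.append(parse_cisco_avpair(data.decode()))
    return pairs

# MAC in User-Name: 12 hex digits (IOS style) or colon-, hyphen- or dot-separated
MAC_RE = re.compile(r"^([0-9a-f]{12}|([0-9a-f]{2}[:-]){5}[0-9a-f]{2}|([0-9a-f]{4}\.){2}[0-9a-f]{4})$", re.I)

def classify_request(attrs: List[Attr]) -> str:
    """MAB = Service-Type 10 (Call-Check) with a MAC as username; NAS-Port-Type tells wired from wireless."""
    by_type: Dict[int, bytes] = dict(attrs)       # duplicates (EAP-Message fragments) collapse
    if EAP_MESSAGE in by_type:
        return "802.1x"                           # the authenticator relays EAP in attribute 79
    def u32(t): return struct.unpack("!I", by_type[t])[0] if t in by_type else None
    username = by_type.get(USER_NAME, b"").decode(errors="replace")
    if u32(SERVICE_TYPE) == SERVICE_TYPE_CALL_CHECK and MAC_RE.match(username):
        if u32(NAS_PORT_TYPE) == NAS_PORT_ETHERNET:
            return "MAB-wired"
        if u32(NAS_PORT_TYPE) == NAS_PORT_WIRELESS:
            return "MAB-wireless"
    return "other"

def is_malformed(packet: bytes) -> bool:
    try:
        parse_attributes(packet)
        return False
    except ValueError:
        return True

def _mab_request(port_type: int) -> bytes:      # constructed sample, not captured traffic
    return build_packet(1, [                     # code 1 = Access-Request
        encode_attr(USER_NAME, b"001122aabbcc"),
        encode_attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        encode_attr(NAS_PORT_TYPE, struct.pack("!I", port_type)),
    ])

WIRED_MAB_REQUEST = _mab_request(NAS_PORT_ETHERNET)
WIRELESS_MAB_REQUEST = _mab_request(NAS_PORT_WIRELESS)
DOT1X_REQUEST = build_packet(1, [
    encode_attr(USER_NAME, b"alice"),
    encode_attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_ETHERNET)),
    encode_attr(EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"),   # EAP Response/Identity
])
PRIV15_ACCEPT = build_packet(2, [encode_cisco_avpair("shell:priv-lvl=15")])  # code 2 = Access-Accept
```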

802.1x

Flexible Authentication (FlexAuth)


Alleviates the problems related to the default behavior of 802.1x & Auth-Fail VLAN
1. Allows to specify the order of authentication methods to be used
authentication order [dot1x|mab] [webauth]*
2. If authentication using one method fails, next method can be used
authentication event fail action next-method
3. A stronger method can be assigned a higher priority so it preempts once it becomes available
authentication priority
Not available on WLC
In wireless 802.1x if you fail authentication, you will not be given access to the WLAN

802.1x

Guest, Auth-Fail & Critical VLANs (switches)


Guest VLAN can be assigned to clients that don't have a supplicant installed (for limited access)
Compatible with MAB : if MAB fails, the Guest VLAN will be assigned if one is configured
Not supported on multi-auth ports
Configure with authentication event no-response action authorize vlan
Auth-Fail (Restricted) VLAN can be assigned to clients who failed 802.1x authentication
Not compatible with MAB or WebAuth
If an Auth-Fail VLAN is configured any fallback method will NOT be used
Only supported on single-host ports
Configure with authentication event fail action authorize vlan
Critical VLAN can be assigned to clients if AAA Server is unavailable
Configure with authentication event server dead action authorize vlan

802.1x - Monitor Mode

Monitor Mode (wired networks only)


The goal of this Mode is to enable 802.1x authentication without affecting users and devices
Provides full visibility to the devices connecting to the network (MAB must be enabled)
Allows to address any authentication issues prior to moving to the next deployment Phase
Web Authentication is not used in this Phase
Wireless clients are not supported (unless they all don't have a supplicant and use MAB)
Monitor Mode deployment process consists of multiple components/features :
1. Profiling
2. RADIUS Accounting (802.1x)
3. Multi-Auth port mode
4. Open Authentication (authentication open)
Open Authentication ensures everyone gets connected

802.1x - Monitor Mode

Monitor Mode Configuration (Switch)


Enable AAA framework, configure authentication, authorization & accounting with default lists
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
Configure RADIUS Server, enable CoA & VSAs :
radius-server host 10.1.1.150 key ipexpert
aaa server radius dynamic-author
client 10.1.1.150 server-key ipexpert
radius-server vsa send authentication
radius-server vsa send accounting

802.1x - Monitor Mode

Monitor Mode Configuration (Switch)


Enable sending attributes useful for 802.1x & Posture assessment
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
Ensure RADIUS & SNMP Traps are sent from the correct interface :
ip radius source-interface
snmp-server trap-source
Create Permit-All access-list & turn Device Tracking on :
access-list 199 permit ip any any
ip device tracking [probe use-svi]

802.1x - Monitor Mode

Monitor Mode Configuration (Switch)


Enable 802.1x framework (globally) & configure 802.1x at the port level :
dot1x system-auth-control
int f0/1
switchport host
authentication order dot1x mab
authentication priority dot1x mab
authentication event fail action next-method
authentication open
authentication host-mode multi-auth
ip access-group 199 in
mab
authentication port-control auto
dot1x pae authenticator

802.1x - Monitor Mode

Monitor Mode Configuration (ISE)


Configure AD for 802.1x user authentication (if needed)
Enable all AD Groups you will be using when configuring Authorization Policy
Configure AuthC Policy to use AD for 802.1x
Configure AuthC Policy to use Endpoint DB for MAB (if user is not found -> Continue)
Configure the Default Authentication Rule to use Internal DB / AD (or create a sequence for all
databases)
Make sure phones get assigned to the correct (Voice) VLAN -> Voice Permission = True
Create rules for other devices (APs, printers) and specific rules for users (RBAC)
Make sure Default Authorization Rule denies all access (no dACLs or VLANs!!!)

802.1x Low Impact Mode

Low Impact Mode (wired networks only)


At this stage all devices should be authenticating via 802.1x or MAB
Pre-Authentication access is limited; extended access is granted only to authenticated users
Users/devices that failed authentication will retain Pre-Authentication access
Successful authentication should result in policy enforcement
Downloadable ACLs and/or VLAN assignment are commonly used
Pre-Authentication ACL should typically allow the following traffic :
DHCP & DNS
ICMP
Microsoft ports if Machine Authentication is used (Kerberos, LDAP, RPC etc.)

802.1x Low Impact Mode

Low Impact Mode Configuration (Switch)


Ensure CoA and Device Tracking features are enabled
aaa server radius dynamic-author
client 10.1.1.150 server-key ipexpert
ip device tracking
Tune the Host-Mode setting
authentication host-mode [single-host|multi-domain]
Create VLANs (if you plan to use them to enforce policy)
vlan
All other settings as in the Monitor Mode (Open Authentication is still enabled)

802.1x Low Impact Mode

Low Impact Mode Configuration (ISE)


Profiling should be already enabled
Authentication Policy Default Rule can be set to Deny (we only want MAB or 802.1x)
Define dACLs
Appropriate RBAC/Device Authorization Profiles should be now tuned :
Specify dACLs and/or VLANs (number or name)
Also create a profile for CWA
Authorization Rules should be created/tuned as needed
The Default AuthZ Rule should point to Central Web Authentication

802.1x Closed Mode

Closed Mode (wired & wireless networks)


No traffic (except for EAPOL/STP/CDP) flows through the port prior to successful authentication
Perfect mode for VLAN assignment
VLAN assignment or dACLs enforce the policy
Make sure all assignable VLANs are defined on every switch
On WLC interfaces must be defined that correspond to the required VLANs
If a non-existing VLAN is attempted to be assigned, authorization fails
Avoid using multi-auth mode : only the first assigned Data VLAN will be used
Auth-Fail (Restricted) VLAN can be configured to be assigned to users who failed 802.1x

802.1x Closed Mode

Closed Mode
Downloadable ACLs
Downloaded ACL overrides the Pre-Authentication ACL for the user/device
For wired connections (switch) dACLs are defined locally on ISE
For wireless (WLC) they are defined locally on WLC; ISE pushes the ACL name
For any type of ACLs on WLC remember about the Direction
Inbound/Outbound/Any
Implicit deny at the end is for Any
If you only permit X -> Y Inbound, traffic Y -> X will get dropped

802.1x Closed Mode

Closed Mode Configuration (Switch)


Configure the starting VLAN; it should provide DHCP service (needed for CWA)
switchport access vlan nr
Remove Pre-Authentication ACL and disable Open Authentication
no ip access-group PRE_AUTH_ACL in
no authentication open
Tune the Tx-Timer to speed up MAB; otherwise the DHCP client timeout may expire
dot1x timeout tx-period 10
Create appropriate VLANs. Assign names if needed
vlan 500
name SALES_VLAN

802.1x Closed Mode

Closed Mode Configuration (WLC)


RADIUS Servers should be defined for Authentication & Accounting
Make sure CoA support (RFC 3576) is enabled
Internal Network (Employee) WLAN should use 802.1x
Guest WLAN should use L2 authentication of None but MAC Filtering should be enabled
Both WLANs should be configured with RADIUS servers and the following :
Allow AAA Override checked
RADIUS State set to RADIUS NAC
DHCP Profiling checked
All required ACLs should be configured under Security -> Access Control Lists

802.1x Closed Mode

Closed Mode Configuration (WLC cont.)


Create interfaces; there must be one for each dynamic VLAN you may assign
If you are assigning VLANs by name, the name of the interface must match
Closed Mode Configuration (ISE)
Add wireless MAB & 802.1x to the AuthC rules. Default AuthC rule should be set to Deny
Modify the Authorization Profiles
Add/modify dACLs/VLANs
Default AuthZ rule should be configured for CWA
Enable VLAN DHCP Release under the Guest Portal used (Multi-Portal section)
Only works for Microsoft clients

MACsec

MAC Security (MACsec) IEEE 802.1AE


L2 encryption protocol (AES-GCM-128)
Offers a significant advantage over higher-layer encryption protocols : accurate QoS

MACsec types :
1. Host-to-Switch (aka downlink)
Uses MAC Security Key Agreement (MKA)
2. Switch-to-Switch (aka uplink)
Uses Security Association Protocol (SAP)

MACsec

Host-to-switch
If configured, follows regular 802.1x authentication
Uses four encryption settings (switch & client) :
Must-secure, should-secure
Must-not-secure, not-MACsec-capable

Configuration (in addition to 802.1x)


interface interface
mka [policy_name | default-policy]
authentication linksec policy [options]
macsec

MACsec

Switch-to-switch
Manual Mode (no 802.1x)
Dynamic Mode (requires 802.1x and domain of trust / NDAC)

Configuration (Manual Mode)


interface interface
cts manual
sap pmk key mode-list [gcm-encrypt] [gmac] [null] [no-encap]
no propagate sgt

Posture Assessment

Posture Assessment
Process of checking system settings and applications
OS patches
Anti-virus/malware software (including file definitions)
Personal firewall and more

What's needed on ISE?


1. Client Provisioning setup
2. Posture setup
3. Authorization Policy update

BYOD

Bring Your Own Device (BYOD)


Secure BYOD connectivity can be provided with TrustSec
This applies to wired & wireless networks
Wireless BYOD can be deployed with Single or Dual SSID

Two approaches to BYOD


1. Simple self-serve device registration (My Devices portal)
2. Full On-Boarding (browser-enabled endpoints)
Self-Provisioning Flow, Native Supplicant Profile (NSP),
Client Provisioning Resources, Client Provisioning Policy
AuthZ Policy

Security Group Access (SGA)

Security Group Based Access Control


Designed to reduce administrative cost and scalability problems related to ACLs (dACLs)
Even with dACLs you can still run out of TCAM

SGA builds upon three components :


1. Security Group Tag (SGT)
Attribute (16-bit value) returned by ISE upon successful login on ingress
2. Security eXchange Protocol (SXP) : used by non-native-tagging switches
TCP-based protocol used to propagate SGT-IP binding to upstream peers
3. Security Group ACL (SGACL)
Matrix-like ACL downloaded from ISE to enforce policy on egress

Security Group Access (SGA)

SGT assignment methods :


1. Dynamically - as a result of ISE Authorization
2. Configured manually on a switchport
cts manual
policy static sgt tag_value
3. SGT-IP bindings are configured manually on ISE
You then need to download this information to your NADs
