TrustSec Overview
TrustSec
A system of several products deployed together to secure access to the network regardless of access type (wired, wireless, VPN)
Identity Services Engine (ISE)
Network Access Device (NAD) : switch, WLC, ASA or ISR router
Supplicant
External ID Store
The key technology used in TrustSec is 802.1x; there are three phases (modes) of deployment :
1. Monitor
2. Low Impact
3. Closed
Other TrustSec technologies
Profiling, Guest Services, Posture & Client Provisioning
ISE Licensing
ISE Architecture
ISE Overview
Fundamental TrustSec component
Combines several devices/technologies into a single unit :
Cisco Secure ACS
NAC Manager/Server/Collector/Guest Server/Profiler
Available in two different flavors
1. Physical Appliance
3315, 3355, 3395 - End of Life
Cisco Secure Network Server 3415 (small companies) and 3495 (large companies)
2. VMware ESX/ESXi 4.x and 5.x image
ISE Architecture
Key Features
Identity Enforcement
Discover, classify & locate connecting endpoints
Identity Management (RADIUS)
Offers strong policy enforcement
TACACS+ (device administration) is not supported as of the current code release (1.2)
Guest Management Service
Includes the My Devices portal for device onboarding/registration
Posture Services (NAC)
Supports auto-remediation and periodic reassessment
ISE Design
Centralized
All nodes are physically located in one location
Recommended deployment
Distributed
Nodes are dispersed across multiple locations (mostly Policy Service Nodes, PSNs)
PAN (Policy Administration Node) & MnT (Monitoring) nodes are typically kept in a central location
Centralized Design
Distributed Design
Identity Stores
AAA Basics
Architectural framework for configuring three different security functions
1. Authentication
2. Authorization
3. Accounting
Authentication is the process of verifying someone's identity
Multiple factors (elements) can be used, such as passwords, token cards and biometrics
Authorization determines the user's level of access (policy enforcement)
For example, access to a particular service or command can be granted or denied
Accounting is the process of tracking user activity
For example, which services a user accessed and when
AAA Basics
TACACS+ vs RADIUS :
                 TACACS+                                        RADIUS
Transport        TCP 49                                         UDP 1812/1813 (legacy 1645/1646)
Encryption       Entire body (username & password);             Only the User-Password attribute is
                 only the header is sent in clear               obfuscated; everything else is in clear
AAA functions    Separates all AAA functions;                   Authentication & authorization combined in
                 supports command authorization                 one exchange; no per-command authorization
Standard         Cisco proprietary                              IETF standard (RFC 2865/2866)
RADIUS Attributes
Standard-defined protocol structures used to carry information between AAA clients (NADs) and the AAA server
The Type field is one octet, so at most 255 attribute types exist; most are pre-defined by the RFCs (RFC 2865 and successors)
Each attribute stores a certain value and is encoded as a TLV (Type, Length, Value)
One attribute (#26 or 0x1A), called Vendor-Specific, has a special usage
Vendor Specific Attribute (VSA)
Allows each vendor to define up to 255 additional sub-attributes under its own Vendor-ID to carry vendor-specific data
It is composed of Vendor-ID (the IANA enterprise number), Vendor Type, Vendor Length and the attribute data
An example of a Cisco-specific attribute is the Cisco AV-Pair (Vendor-ID 9, Vendor Type 1)
Cisco AV-Pair
Designed to extend RADIUS authorization with TACACS+-style attributes (shell privilege level, ACLs, etc.)
Formatted as : protocol:attribute=value, e.g. shell:priv-lvl=15
AAA Configuration
Initialize the AAA framework (aaa new-model)
Define a Method List (the method/database to use for a particular AAA service, e.g. login or exec)
The default Method List is automatically applied to all lines/protocols; a user-defined list is not
A user-defined list, once applied/enabled, overrides the default Method List
How a user-defined list is enabled depends on the service; e.g. authorization is applied under a line
1. Authentication (aaa authentication service [name|default] method)
2. Authorization (aaa authorization service [name|default] method)
3. Accounting (aaa accounting service [name|default] method)
Configure the NAS for RADIUS/TACACS+ (radius-server/tacacs-server) or the LOCAL database
Configure the AAA Server (ACS or ISE)
AAA Configuration
Authentication
Commonly used Authentication services :
1. IEEE 802.1x (dot1x)
2. Enable password (enable)
3. Login (login)
A user-defined login list must be applied to a line via login authentication
Fallback Authentication
Works by specifying multiple methods in a single list. For example :
aaa authentication login default group tacacs+ local
Subsequent methods are consulted only when the preceding method returns an ERROR (no response from the server group or a protocol error). An explicit FAIL (Access-Reject) ends the attempt and does not fall through to the local database
AAA Configuration
Authorization
Commonly used Authorization services :
1. Network (network)
2. EXEC/Shell (exec)
3. Command (commands)
Remember about aaa authorization config-commands : once command authorization is configured, configuration-mode commands are authorized too by default; no aaa authorization config-commands disables this
EXEC and Command lists must be applied to a line via authorization exec/commands
Authorization for the Console Line is disabled by default (no aaa authorization console)
Fallback Authorization can be configured, e.g. :
aaa authorization exec default group tacacs+ local
AAA Configuration
EXEC Authorization
1. Should the user be given access to the EXEC Shell?
2. What Shell attributes should be assigned to the user? For example :
Privilege Level (username privilege)
CLI View (username view)
Auto Command (username autocommand)
Supported by RADIUS, TACACS+ and LOCAL databases
Command Authorization
Used to check if a particular CLI command should be available to a user
The LOCAL database can mimic this feature by moving commands between privilege levels (privilege exec level)
By default all commands reside at privilege levels 0, 1 and 15
Real per-command authorization comes with TACACS+
AAA Configuration
Accounting
Commonly used Accounting services :
1. EXEC/Shell (exec)
The start-stop option sends an accounting record at the beginning and at the end of the session
The stop-only option sends an accounting record only at the end
2. Command (commands)
EXEC and Command lists must be applied to a line via accounting exec/commands
The only two methods supported for accounting are RADIUS and TACACS+ (there is no local accounting)
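A complete IOS device-administration AAA configuration that ties the three services above together, added here as an illustration and not taken from the original deck. The server address 10.0.0.10, the shared secret, the list name CONSOLE and the usernames are placeholders; the TACACS+ server is assumed to be ISE or ACS.

```cisco
! Added example: AAA for device administration via TACACS+ with local fallback.
! Addresses, keys and usernames are placeholders.
aaa new-model
!
! TACACS+ server definition ("tacacs-server host" is the legacy form)
tacacs server ISE-ADMIN
 address ipv4 10.0.0.10
 key Tacacs-Shared-Secret
!
! Local fallback account: used only when the TACACS+ group returns an ERROR
! (no response), never when it returns a FAIL (explicit reject)
username netadmin privilege 15 secret Local-Fallback-Secret
!
! Authentication: the default list applies to every line unless overridden
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! User-defined list for the console so a dead AAA server cannot lock it out
aaa authentication login CONSOLE local
!
! Authorization: EXEC shell attributes (priv-lvl, autocommand) and per-command
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Configuration-mode commands are authorized as well (this is the default once
! command authorization exists; "no aaa authorization config-commands" turns it off)
aaa authorization config-commands
! Console authorization stays off (default); enable explicitly if required:
! aaa authorization console
!
! Accounting: start/stop for EXEC sessions, a stop record per level-15 command
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
line con 0
 login authentication CONSOLE
line vty 0 15
 transport input ssh
 ! the default lists apply here automatically; a user-defined list would need
 ! login authentication <name> / authorization exec <name> / accounting exec <name>
```

Verify the fallback behaviour before relying on it: with the TACACS+ server reachable, a wrong password must be rejected without ever consulting the local user, while unplugging the server must still let netadmin in on the VTYs.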
Other Solutions
MAC Filtering
Local or with a RADIUS server
Access-Lists
ACL direction (inbound, outbound) is based on the WLC's perspective
Can be applied per-user, to an interface, to an entire WLAN or to the WLC's CPU
Management Frame Protection (MFP)
Protects 802.11 management frames (e.g. deauthentication) against spoofing
Rogue Management
Detects, classifies and optionally contains rogue Access Points
AAA Override
Enables Identity Networking (per-user VLAN, ACL or QoS returned by the AAA server overrides the WLAN settings)
CWA considerations
Redirection ACL
DHCP & DNS traffic should NOT be redirected
On a switch, permit entries select what is redirected (deny DNS and DHCP, permit HTTP/HTTPS)
On a WLC the semantics are inverted: deny entries select what is redirected (permit DNS and DHCP, deny the rest)
Authorization Rules
To avoid a redirection loop, a portal-authenticated user must match a new AuthZ rule (one without the redirect) after the CoA
Two ways to accomplish this :
1. Match the guest-assigned ID Group
2. Match the Advanced Condition Network Access:UseCase Equals GuestFlow
Guest Services
ISE Profiling
Profiling
The process of detecting, classifying & localizing endpoints connecting/connected to the network
There are multiple methods used to discover devices & their attributes (aka Probes)
Information about the detected devices is stored in ISE's Endpoint Database
Endpoints are uniquely identified by their MAC address
The main benefit of Profiling is associating endpoints with Identity Groups
Allows creating per-device-type policies, e.g. for IP Phones authenticated with MAB
Allows creating policies for differentiated access - BYOD (Bring Your Own Device)
Profiling is an ongoing process
Profiling Probes
A Probe (method) is an ISE component used to collect endpoint attributes
Different Probes collect different attributes (some overlap)
Almost all Probes are passive; the only active Probe is NMAP
Some Probes are only useful if an IP-MAC binding already exists (learned via another Probe)
Probe Types
RADIUS Probe
Key Profiling Attributes : MAC address (OUI -> vendor) and, if available, IP address
Provides IP-to-MAC bindings (Framed-IP-Address, Calling-Station-ID)
RADIUS Probe functionality can be extended by enabling the Device Sensor feature
ISE Profiling
Device Sensor
Enables the NAD (switch or WLC) to collect endpoint information through CDP, LLDP and DHCP
These attributes are then sent to ISE in RADIUS Accounting packets
Switch Configuration
RADIUS Accounting & VSAs (aaa accounting dot1x + radius-server vsa send accounting)
CDP, LLDP (lldp run, lldp receive), DHCP Snooping
Activation : device-sensor accounting + device-sensor notify all-changes
WLC Configuration
RADIUS Accounting : WLAN->WLAN_ID->Security->AAA Servers
Activation : WLAN->WLAN_ID->Advanced; check Device Profiling
Both DHCP Proxy and Bridged modes are supported
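The switch side of the Device Sensor configuration listed above as one working block, added as an illustration and not from the original deck. The PSN address 10.0.0.20, the shared secret, VLAN 10 and the filter-list name CDP-LIST are placeholders.

```cisco
! Added example: Device Sensor on a Catalyst switch feeding CDP/LLDP/DHCP
! attributes to the ISE RADIUS probe via accounting. Placeholders throughout.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Accounting is mandatory: the sensor data travels in RADIUS Accounting packets
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN
 address ipv4 10.0.0.20 auth-port 1812 acct-port 1813
 key Radius-Shared-Secret
! VSAs must be allowed in accounting or the sensor attributes are stripped
radius-server vsa send accounting
!
! Protocols the sensor listens to
cdp run
lldp run
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Activate the sensor: include its data in accounting, send an interim update
! on every attribute change rather than only at session start
device-sensor accounting
device-sensor notify all-changes
!
! Optional: limit which CDP TLVs are forwarded (default is all of them)
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec cdp include list CDP-LIST
```

show device-sensor cache all on the switch shows what was learned per MAC address; the same attributes (cdpCachePlatform, lldpSystemDescription, dhcp-class-identifier, ...) should then appear on the endpoint in ISE, which confirms that accounting and VSA forwarding are both working.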
ISE Profiling
NMAP Probe
An active mechanism that communicates directly with the endpoint
Three types of scans are available : OS, SNMP & Common Ports
Scans can be started manually or dynamically by a Profiling Policy rule with the Take Network Scan action
The IP address of the endpoint must already be known to ISE
ISE Profiling
Profiling Configuration
For distributed deployments make sure the Profiling Service is enabled under System->Deployment
Every needed Probe must be activated under System->Deployment->Profiling Configuration
The only exception is a manual NMAP scan
All Probes except DHCP & NMAP require the NAD to be added to Network Devices
Don't forget to configure the NADs themselves
Remaining configuration (if any) depends on the type of Probe we want to use
The last step is to validate/tune existing or add new Profiling Policy rules
RADIUS
If you want to use Device Sensor, enable it
ISE Profiling
SNMP Trap
Configure the NAD to send SNMP Traps (snmp-server host; snmp-server enable traps)
On ISE configure the NAD so its SNMP Traps are accepted (Network Device -> SNMP Settings)
SNMP Query
Configure the NAD to accept polls (snmp-server community for v1/v2c, or snmp-server group/user for SNMPv3)
For a WLC this is under Management -> SNMP
On ISE configure the NAD with the SNMP credentials (Network Device -> SNMP Settings)
NetFlow
Configure the NAD for NetFlow and export the collected flows to ISE (e.g. flow exporter)
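The NAD-side configuration for the SNMP Trap, SNMP Query and NetFlow probes described above, added as an illustration (not from the original deck). The PSN address 10.0.0.20, the community string ISE-RO, the SNMPv3 user/group names, VLAN 10 and the flow record/exporter/monitor names are placeholders; the NetFlow listener port 9996 is the default ISE uses for its NetFlow probe.

```cisco
! Added example: NAD configuration for the SNMP Trap, SNMP Query and NetFlow
! probes. Addresses, community strings and names are placeholders.
!
! --- SNMP Query probe: ISE polls the switch (read-only is sufficient) ---
snmp-server community ISE-RO RO
! SNMPv3 equivalent, preferred over a cleartext community string:
! snmp-server group ISE-GRP v3 priv
! snmp-server user ise-poll ISE-GRP v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
!
! --- SNMP Trap probe: MAC-notification and link traps trigger an ISE poll ---
snmp-server host 10.0.0.20 version 2c ISE-RO mac-notification snmp
snmp-server enable traps snmp linkup linkdown
snmp-server enable traps mac-notification change move
mac address-table notification change
interface range GigabitEthernet1/0/1 - 48
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
!
! --- NetFlow probe (Flexible NetFlow) ---
flow record ISE-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
flow exporter ISE-EXPORTER
 destination 10.0.0.20
 source Vlan10
 ! ISE listens for NetFlow on UDP 9996 by default
 transport udp 9996
 export-protocol netflow-v9
flow monitor ISE-MONITOR
 record ISE-RECORD
 exporter ISE-EXPORTER
interface Vlan10
 ip flow monitor ISE-MONITOR input
```

The traps only help if ISE can poll back, so the SNMP Query settings on the Network Device entry in ISE must match the community or SNMPv3 user configured here; restrict the community/user to the PSN addresses with an ACL where the platform supports it.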
802.1x
Port-based (Layer 2) authentication mechanism
Before the connecting client successfully authenticates, only EAPOL, CDP & STP frames are allowed across the port
EAP frames are used to transport authentication information
Dot1x components :
1. Supplicant (software on the client device)
2. Authenticator (policy enforcement point; typically a switch or an access point/WLC)
3. RADIUS Authentication Server (validates the credentials, e.g. ACS or ISE)
802.1x
The Process
Authentication can be initiated by either the supplicant or the authenticator
The Authenticator sends EAP-Request/Identity frames periodically and when the link comes up
The Supplicant can speed up the process by sending an EAPOL-Start frame asking for an EAP-Request/Identity
Once the Authenticator receives the EAP-Response/Identity, it encapsulates the EAP payload into RADIUS using two EAP-specific attributes (EAP-Message and Message-Authenticator)
First the EAP authentication method is negotiated
Then the credentials are validated :
1. Auth OK -> Access-Accept with the policy (e.g. dACL, VLAN)
2. Auth Fail -> Access-Reject (EAP-Failure). The result depends on the switch configuration :
Try the next authentication method (e.g. MAB) or assign the port to the Auth-Fail VLAN
Deny access; after the quiet-period, authenticate again
802.1x
Closed Mode
Downloadable ACLs
The downloaded ACL overrides the Pre-Authentication ACL for the user/device
For wired connections (switch) dACLs are defined centrally on ISE and pushed as ACEs in the Access-Accept
For wireless (WLC) they are defined locally on the WLC; ISE pushes only the ACL name
For any type of ACL on a WLC remember about the Direction
Inbound/Outbound/Any
The implicit deny at the end applies to Any direction
If you only permit X -> Y Inbound, the return traffic Y -> X is dropped, so permit both directions (or use Any)
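A Closed Mode access port with MAB fallback and dACL support, added as an illustration and not from the original deck. The PSN address 10.0.0.20, the shared secret, the VLAN numbers and the interface are placeholders; the dACL content itself lives on ISE and is not shown.

```cisco
! Added example: Closed Mode 802.1x access port with MAB fallback on a
! Catalyst switch. Addresses, keys and VLANs are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN
 address ipv4 10.0.0.20 auth-port 1812 acct-port 1813
 key Radius-Shared-Secret
! dACLs arrive as VSAs in the Access-Accept, so they must be accepted
radius-server vsa send authentication
! The switch needs the client IP to rewrite the dACL's "any" source
ip device tracking
! Accept Change-of-Authorization from ISE (CWA, posture, reprofiling)
aaa server radius dynamic-author
 client 10.0.0.20 server-key Radius-Shared-Secret
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Closed mode: no "authentication open" and no pre-auth ACL, so only
 ! EAPOL, CDP and STP pass until the session is authorized
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! On EAP failure fall through to MAB instead of blocking the client
 authentication event fail action next-method
 ! Reauthenticate using the Session-Timeout returned by ISE
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Send EAP-Request/Identity every 10 s (default 30) so MAB fallback is quicker
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! The Low Impact variant of the same port would add:
!  ip access-group PRE-AUTH in
!  authentication open
```

After a client authenticates, show authentication sessions interface GigabitEthernet1/0/1 details lists the applied dACL (xACSACLx-IP-...) and show ip access-lists the per-session copy with the client IP substituted for the source; if the dACL is missing, the usual causes are vsa send authentication or ip device tracking being absent.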
MACsec
MACsec types :
1. Host-to-Switch (aka downlink)
Uses the MACsec Key Agreement protocol (MKA)
2. Switch-to-Switch (aka uplink)
Uses the Security Association Protocol (SAP)
MACsec
Host-to-switch
If configured, it follows the regular 802.1x authentication (the MKA session key is derived from the EAP exchange)
Uses four encryption settings (switch & client) :
Must-secure, should-secure
Must-not-secure, not-MACsec-capable
MACsec
Switch-to-switch
Manual Mode (no 802.1x; a pre-shared key is configured on both switches)
Dynamic Mode (requires 802.1x and a domain of trust / NDAC)
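Both MACsec types on a Catalyst 3750-X/3560-X, added as an illustration and not from the original deck. Interface names and the PMK are placeholders; the downlink example assumes the port already has a working 802.1x configuration behind it.

```cisco
! Added example: MACsec downlink (MKA) and manual-mode uplink (SAP).
! Interfaces and the PMK are placeholders.
!
! --- Host-to-switch (downlink): MKA, keyed from the 802.1x EAP session ---
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 macsec
 mka default-policy
 ! should-secure: encrypt when the supplicant is MACsec-capable, otherwise
 ! allow clear text; must-secure would drop clients that cannot encrypt
 authentication linksec policy should-secure
!
! --- Switch-to-switch (uplink), manual mode: SAP with a pre-shared PMK ---
interface TenGigabitEthernet1/1/1
 cts manual
  ! gcm-encrypt = encrypt and authenticate; the PMK must match on the peer
  sap pmk 0123456789abcdef0123456789abcdef mode-list gcm-encrypt
  no propagate sgt
```

show macsec interface GigabitEthernet1/0/1 and show cts interface TenGigabitEthernet1/1/1 confirm the negotiated cipher and whether the link actually came up encrypted; with should-secure a non-capable host silently lands in clear, so check the status rather than assuming it.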
Posture Assessment
The process of checking system settings and applications, for example :
OS patches
Anti-virus/anti-malware software (including signature definitions)
Personal firewall and more
BYOD