Cisco ISE for BYOD and Secure Unified Access

Cisco Press
  • 1st edition
  • published 7 June 2013
  • 751 pages
E-book | ePUB with Adobe DRM
978-0-13-310363-2 (ISBN)

Plan and deploy identity-based secure access for BYOD and borderless networks

Using Cisco Secure Unified Access Architecture and Cisco Identity Services Engine, you can secure and regain control of borderless networks in a Bring Your Own Device (BYOD) world. This book covers the complete lifecycle of protecting a modern borderless network using these advanced solutions, from planning an architecture through deployment, management, and troubleshooting.

Cisco ISE for BYOD and Secure Unified Access begins by reviewing the business case for an identity solution. Next, you'll walk through identifying users, devices, and security posture; gain a deep understanding of Cisco's Secure Unified Access solution; and master powerful techniques for securing borderless networks, from device isolation to protocol-independent network segmentation.

You'll find in-depth coverage of all relevant technologies and techniques, including 802.1X, profiling, device onboarding, guest lifecycle management, network admission control, RADIUS, and Security Group Access.

Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors present detailed sample configurations to help you plan your own integrated identity solution. Whether you're a technical professional or an IT manager, this guide will help you provide reliable secure access for BYOD, CYOD (Choose Your Own Device), or any IT model you choose.

  • Review the new security challenges associated with borderless networks, ubiquitous mobility, and consumerized IT
  • Understand the building blocks of an Identity Services Engine (ISE) solution
  • Design an ISE-Enabled network, plan/distribute ISE functions, and prepare for rollout
  • Build context-aware security policies
  • Configure device profiling, endpoint posture assessments, and guest services
  • Implement secure guest lifecycle management, from WebAuth to sponsored guest access
  • Configure ISE, network access devices, and supplicants, step-by-step
  • Walk through a phased deployment that ensures zero downtime
  • Apply best practices to avoid the pitfalls of BYOD secure access
  • Simplify administration with self-service onboarding and registration
  • Deploy Security Group Access, Cisco's tagging enforcement solution
  • Add Layer 2 encryption to secure traffic flows
  • Use Network Edge Access Topology to extend secure access beyond the wiring closet
  • Monitor, maintain, and troubleshoot ISE and your entire Secure Unified Access system

1st edition
  • English
  • Indianapolis, USA
Pearson Education (US)
  • For higher education and university study
  • 130.36 MB
978-0-13-310363-2 (9780133103632)

Aaron Woland, CCIE No. 20113, is a Senior Secure Access Engineer at Cisco Systems and works with Cisco's largest customers all over the world. His primary job responsibilities include secure access and ISE deployments, solution enhancements, futures, and escalations. Aaron joined Cisco in 2005 and is currently a member of numerous security advisory boards. Prior to joining Cisco, he spent 12 years as a consultant and technical trainer. His areas of expertise include network and host security architecture and implementation, regulatory compliance, and routing and switching. Aaron is the author of many white papers and design guides, including the TrustSec 2.0 Design and Implementation Guide and the NAC Layer 3 OOB Using VRFs for Traffic Isolation design guide. He is also a distinguished speaker at Cisco Live for topics related to identity and is a security columnist for Network World, where he blogs on all things related to identity. Additional certifications include CCSP, CCNP, CCDP, Certified Ethical Hacker, MCSE, and many other industry certifications.

Jamey Heary, CCIE No. 7680, is a Distinguished Systems Engineer at Cisco Systems, where he works as a trusted security advisor to Cisco customers and business groups. He is also a featured security columnist for Network World, where he blogs on all things security. Jamey sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. He also has a patent pending on a new DDoS mitigation technique. Jamey sits on numerous security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. His other certifications include CISSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 19 years and in IT security for 15 years.

Introduction xxvi

Section I The Evolution of Identity Enabled Networks

Chapter 1 Regain Control of Your IT Security 1

Security: A Weakest-Link Problem with Ever More Links 2

Cisco Identity Services Engine 3

Sources for Providing Identity and Context Awareness 4

Unleash the Power of Centralized Policy 5

Summary 6

Chapter 2 Introducing Cisco Identity Services Engine 7

Systems Approach to Centralized Network Security Policy 7

What Is the Cisco Identity Services Engine? 9

ISE Authorization Rules 12

Summary 13

Section II The Blueprint, Designing an ISE Enabled Network

Chapter 3 The Building Blocks in an Identity Services Engine Design 15

ISE Solution Components Explained 15

Infrastructure Components 16

Policy Components 20

Endpoint Components 20

ISE Personas 21

ISE Licensing, Requirements, and Performance 22

ISE Licensing 23

ISE Requirements 23

ISE Performance 25

ISE Policy-Based Structure Explained 27

Summary 28

Chapter 4 Making Sense of All the ISE Deployment Design Options 29

Centralized Versus Distributed Deployment 29

Centralized Deployment 30

Distributed Deployment 32

Summary 35

Chapter 5 Following a Phased Deployment 37

Why Use a Phased Deployment Approach? 37

Monitor Mode 38

Choosing Your End-State Mode 40

End-State Choice 1: Low-Impact Mode 42

End-State Choice 2: Closed Mode 44

Transitioning from Monitor Mode into an End-State Mode 45

Summary 46

Section III The Foundation, Building a Context-Aware Security Policy

Chapter 6 Building a Cisco ISE Network Access Security Policy 47

What Makes Up a Cisco ISE Network Access Security Policy? 47

Network Access Security Policy Checklist 48

Involving the Right People in the Creation of the Network Access Security Policy 49

Determining the High-Level Goals for Network Access Security 51

Common High-Level Network Access Security Goals 52

Defining the Security Domains 55

Understanding and Defining ISE Authorization Rules 57

Commonly Configured Rules and Their Purpose 58

Establishing Acceptable Use Policies 59

Defining Network Access Privileges 61

Enforcement Methods Available with ISE 61

Commonly Used Network Access Security Policies 62

Summary 65

Chapter 7 Building a Device Security Policy 67

Host Security Posture Assessment Rules to Consider 67

Sample NASP Format for Documenting ISE Posture Requirements 72

Common Checks, Rules, and Requirements 74

Method for Adding Posture Policy Rules 74

Research and Information 75

Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization 76

Method for Determining Which Posture Policy Rules a Particular Security Requirement Should Be Applied To 77

Method for Deploying and Enforcing Security Requirements 78

ISE Device Profiling 79

ISE Profiling Policies 80

ISE Profiler Data Sources 81

Using Device Profiles in Authorization Rules 82

Summary 82

Chapter 8 Building an ISE Accounting and Auditing Policy 83

Why You Need Accounting and Auditing for ISE 83

Using PCI DSS as Your ISE Auditing Framework 84

ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords 87

ISE Policy for PCI 10.2 and 10.3: Audit Log Collection 89

ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Log Data 90

ISE Policy for PCI 10.6: Review Audit Data Regularly 91

Cisco ISE User Accounting 92

Summary 94

Section IV Configuration

Chapter 9 The Basics: Principal Configuration Tasks for Cisco ISE 95

Bootstrapping Cisco ISE 95

Using the Cisco ISE Setup Assistant Wizard 98

Configuring Network Devices for ISE 106

Wired Switch Configuration Basics 106

Wireless Controller Configuration Basics 109

Completing the Basic ISE Setup 113

Install ISE Licenses 113

ISE Certificates 114

Installing ISE Behind a Firewall 116

Role-Based Access Control for Administrators 121

RBAC for ISE GUI 121

RBAC: Session and Access Settings and Restrictions 121

RBAC: Authentication 123

RBAC: Authorization 124

Summary 126

Chapter 10 Profiling Basics 127

Understanding Profiling Concepts 127

Probes 130

Probe Configuration 130

Deployment Considerations 133

DHCP 134

Deployment Considerations 135

NetFlow 137

Deployment Considerations 137


Deployment Considerations 138

Network Scan (NMAP) 138

Deployment Considerations 139

DNS 139

Deployment Considerations 139

SNMP 140

Deployment Considerations 140

IOS Device-Sensor 141

Change of Authorization 142

CoA Message Types 142

Configuring Change of Authorization in ISE 143

Infrastructure Configuration 144

DHCP Helper 145

SPAN Configuration 145

VLAN Access Control Lists (VACL) 146

VMware Configurations to Allow Promiscuous Mode 148

Best Practice Recommendations 149

Examining Profiling Policies 152

Endpoint Profile Policies 152

Cisco IP Phone 7970 Example 155

Using Profiles in Authorization Policies 161

Endpoint Identity Groups 161

EndPointPolicy 163

Logical Profiles 164

Feed Service 166

Configuring the Feed Service 166

Summary 168

Chapter 11 Bootstrapping Network Access Devices 169

Bootstrap Wizard 169

Cisco Catalyst Switches 170

Global Configuration Settings for All Cisco IOS 12.2 and 15.x Switches 170

Configure Certificates on a Switch 170

Enable the Switch HTTP/HTTPS Server 170

Global AAA Commands 171

Global RADIUS Commands 172

Create Local Access Control Lists 174

Global 802.1X Commands 175

Global Logging Commands (Optional) 175

Global Profiling Commands 177

Interface Configuration Settings for All Cisco Switches 179

Configure Interfaces as Switch Ports 179

Configure Flexible Authentication and High Availability 179

Configure Authentication Settings 182

Configure Authentication Timers 184

Apply the Initial ACL to the Port and Enable Authentication 184

Cisco Wireless LAN Controllers 184

Configure the AAA Servers 185

Add the RADIUS Authentication Servers 185

Add the RADIUS Accounting Servers 186

Configure RADIUS Fallback (High Availability) 187

Configure the Airespace ACLs 188

Create the Web Authentication Redirection ACL 188

Create the Posture Agent Redirection ACL 191

Create the Dynamic Interfaces for the Client VLANs 193

Create the Employee Dynamic Interface 193

Create the Guest Dynamic Interface 194

Create the Wireless LANs 195

Create the Guest WLAN 195

Create the Corporate SSID 199

Summary 202

Chapter 12 Authorization Policy Elements 205

Authorization Results 206

Configuring Authorization Downloadable ACLs 207

Configuring Authorization Profiles 209

Summary 212

Chapter 13 Authentication and Authorization Policies 215

Relationship Between Authentication and Authorization 215

Authentication Policies 216

Goals of an Authentication Policy 216

Accept Only Allowed Protocols 216

Route to the Correct Identity Store 216

Validate the Identity 217

Pass the Request to the Authorization Policy 217

Understanding Authentication Policies 217

Conditions 218

Allowed Protocols 220

Identity Store 224

Options 224

Common Authentication Policy Examples 224

Using the Wireless SSID 225

Remote-Access VPN 228

Alternative ID Stores Based on EAP Type 230

Authorization Policies 232

Goals of Authorization Policies 232

Understanding Authorization Policies 233

Role-Specific Authorization Rules 237

Authorization Policy Example 237

Employee and Corporate Machine Full-Access Rule 238

Internet Only for iDevices 240

Employee Limited Access Rule 243

Saving Attributes for Re-Use 246

Summary 248

Chapter 14 Guest Lifecycle Management 249

Guest Portal Configuration 251

Configuring Identity Source(s) 252

Guest Sponsor Configuration 254

Guest Time Profiles 254

Guest Sponsor Groups 255

Sponsor Group Policies 257

Authentication and Authorization Guest Policies 258

Guest Pre-Authentication Authorization Policy 258

Guest Post-Authentication Authorization Policy 262

Guest Sponsor Portal Configuration 263

Guest Portal Interface and IP Configuration 264

Sponsor and Guest Portal Customization 264

Customize the Sponsor Portal 264

Creating a Simple URL for Sponsor Portal 265

Guest Portal Customization 265

Customizing Portal Theme 266

Creating Multiple Portals 268

Guest Sponsor Portal Usage 271

Sponsor Portal Layout 271

Creating Guest Accounts 273

Managing Guest Accounts 273

Configuration of Network Devices for Guest CWA 274

Wired Switches 274

Wireless LAN Controllers 275

Summary 277

Chapter 15 Device Posture Assessment 279

ISE Posture Assessment Flow 280

Configure Global Posture and Client Provisioning Settings 283

Posture Client Provisioning Global Setup 283

Posture Global Setup 285

General Settings 285

Reassessments 286

Updates 287

Acceptable Use Policy 287

Configure the NAC Agent and NAC Client Provisioning Settings 288

Configure Posture Conditions 289

Configure Posture Remediation 292

Configure Posture Requirements 295

Configure Posture Policy 296

Enabling Posture Assessment in the Network 298

Summary 299

Chapter 16 Supplicant Configuration 301

Comparison of Popular Supplicants 302

Configuring Common Supplicants 303

Mac OS X 10.8.2 Native Supplicant Configuration 303

Windows GPO Configuration for Wired Supplicant 305

Windows 7 Native Supplicant Configuration 309

Cisco AnyConnect Secure Mobility Client NAM 312

Summary 317

Chapter 17 BYOD: Self-Service Onboarding and Registration 319

BYOD Challenges 320

Onboarding Process 322

BYOD Onboarding 322

Dual SSID 322

Single SSID 323

Configuring NADs for Onboarding 324

ISE Configuration for Onboarding 329

End-User Experience 330

Configuring ISE for Onboarding 347

BYOD Onboarding Process Detailed 357

MDM Onboarding 367

Integration Points 367

Configuring MDM Integration 368

Configuring MDM Onboarding Policies 369

Managing Endpoints 372

Self Management 373

Administrative Management 373

The Opposite of BYOD: Identify Corporate Systems 374

EAP Chaining 375

Summary 376

Chapter 18 Setting Up a Distributed Deployment 377

Configuring ISE Nodes in a Distributed Environment 377

Make the Policy Administration Node a Primary Device 377

Register an ISE Node to the Deployment 379

Ensure the Persona of All Nodes Is Accurate 381

Understanding the HA Options Available 382

Primary and Secondary Nodes 382

Monitoring and Troubleshooting Nodes 382

Policy Administration Nodes 384

Promoting the Secondary PAN to Primary 385

Node Groups 385

Create a Node Group 386

Add the Policy Services Nodes to the Node Group 387

Using Load Balancers 388

General Guidelines 388

Failure Scenarios 389

Summary 390

Chapter 19 Inline Posture Node 391

Use Cases for the Inline Posture Node 391

Overview of IPN Functionality 392

IPN Configuration 393

IPN Modes of Operation 393

Summary 394

Section V Deployment Best Practices

Chapter 20 Deployment Phases 395

Why Use a Phased Approach? 395

A Phased Approach 397

Authentication Open Versus Standard 802.1X 398

Monitor Mode 399

Prepare ISE for a Staged Deployment 401

Create the Network Device Groups 401

Create the Policy Sets 403

Low-Impact Mode 404

Closed Mode 406

Transitioning from Monitor Mode to Your End State 408

Wireless Networks 409

Summary 410

Chapter 21 Monitor Mode 411

Endpoint Discovery 412

SNMP Trap Method 413

Configuring the ISE Probes 414

Adding the Network Device to ISE 416

Configuring the Switches 418

RADIUS with SNMP Query Method 420

Configuring the ISE Probes 420

Adding the Network Device to ISE 421

Configuring the Switches 422

Device Sensor Method 424

Configuring the ISE Probes 425

Adding the Network Device to ISE 425

Configuring the Switches 426

Using Monitoring to Identify Misconfigured Devices 428

Tuning the Profiling Policies 428

Creating the Authentication Policies for Monitor Mode 430

Creating Authorization Policies for Non-Authenticating Devices 433

IP-Phones 433

Wireless APs 435

Printers 436

Creating Authorization Policies for Authenticating Devices 438

Machine Authentication (Machine Auth) 438

User Authentications 439

Default Authorization Rule 440

Summary 441

Chapter 22 Low-Impact Mode 443

Transitioning from Monitor Mode to Low-Impact Mode 445

Configuring ISE for Low-Impact Mode 446

Set Up the Low-Impact Mode Policy Set in ISE 446

Duplicate the Monitor Mode Policy Set 446

Create the Web Authentication Authorization Result 448

Configure the Web Authentication Identity Source Sequence 451

Modify the Default Rule in the Low-Impact Policy Set 451

Assign the WLCs and Switches to the Low-Impact Stage NDG 452

Modify the Default Port ACL on the Switches That Will Be Part of Low-Impact Mode 453

Monitoring in Low-Impact Mode 454

Tightening Security 454

Creating AuthZ Policies for the Specific Roles 454

Change Default Authentication Rule to Deny Access 456

Moving Switch Ports from Multi-Auth to Multi-Domain 457

Summary 458

Chapter 23 Closed Mode 459

Transitioning from Monitor Mode to Closed Mode 461

Configuring ISE for Closed Mode 461

Set Up the Closed Mode Policy Set in ISE 461

Duplicate the Monitor Mode Policy Set 462

Create the Web Authentication Authorization Result 463

Configure the Web Authentication Identity Source Sequence 466

Modify the Default Rule in the Closed Policy Set 467

Assign the WLCs and Switches to the Closed Stage NDG 468

Modify the Default Port ACL on the Switches That Will Be Part of Closed Mode 469

Monitoring in Closed Mode 469

Tightening Security 469

Creating Authorization Policies for the Specific Roles 470

Change Default Authentication Rule to Deny Access 472

Moving Switch Ports from Multi-Auth to MDA 473

Summary 474

Section VI Advanced Secure Unified Access Features

Chapter 24 Advanced Profiling Configuration 475

Creating Custom Profiles for Unknown Endpoints 475

Identifying Unique Values for an Unknown Device 476

Collecting Information for Custom Profiles 478

Creating Custom Profiler Conditions 479

Creating Custom Profiler Policies 480

Advanced NetFlow Probe Configuration 481

Commonly Used NetFlow Attributes 483

Example Profiler Policy Using NetFlow 483

Designing for Efficient Collection of NetFlow Data 484

Configuration of NetFlow on Cisco Devices 485

Profiler COA and Exceptions 488

Types of CoA 489

Creating Exceptions Actions 489

Configuring CoA and Exceptions in Profiler Policies 490

Profiler Monitoring and Reporting 491

Summary 494

Chapter 25 Security Group Access 495

Ingress Access Control Challenges 495

VLAN Assignment 495

Ingress Access Control Lists 498

What Is Security Group Access? 499

So, What Is a Security Group Tag? 500

Defining the SGTs 501

Classification 504

Dynamically Assigning SGT via 802.1X 504

Manually Assigning SGT at the Port 506

Manually Binding IP Addresses to SGTs 506

Access Layer Devices That Do Not Support SGTs 507

Transport: Security Group eXchange Protocol (SXP) 508

SXP Design 508

Configuring SXP on IOS Devices 509

Configuring SXP on Wireless LAN Controllers 511

Configuring SXP on Cisco ASA 513

Transport: Native Tagging 516

Configuring Native SGT Propagation (Tagging) 517

Configuring SGT Propagation on Cisco IOS Switches 518

Configuring SGT Propagation on a Catalyst 6500 520

Configuring SGT Propagation on a Nexus Series Switch 522

Enforcement 523


Creating the SG-ACL in ISE 526

Configure ISE to Allow the SGACLs to Be Downloaded 531

Configure the Switches to Download SGACLs from ISE 532

Validating the PAC File and CTS Data Downloads 533

Security Group Firewalls 535

Security Group Firewall on the ASA 535

Security Group Firewall on the ISR and ASR 543

Summary 546

Chapter 26 MACSec and NDAC 547

MACSec 548

Downlink MACSec 549

Switch Configuration Modes 551

ISE Configuration 552

Uplink MACSec 553

Network Device Admission Control 557

Creating an NDAC Domain 558

Configuring ISE 558

Configuring the Seed Device 562

Adding Non-Seed Switches 564

Configuring the Switch Interfaces for Both Seed and Non-Seed 566

MACSec Sequence in an NDAC Domain 567

Summary 568

Chapter 27 Network Edge Authentication Topology 569

NEAT Explained 570

Configuring NEAT 571

Preparing ISE for NEAT 571

Create the User Identity Group and Identity 571

Create the Authorization Profile 572

Create the Authorization Rule 573

Access Switch (Authenticator) Configuration 574

Desktop Switch (Supplicant) Configuration 574

Summary 575

Section VII Monitoring, Maintenance, and Troubleshooting

Chapter 28 Understanding Monitoring and Alerting 577

ISE Monitoring 577

Live Authentications Log 578

Monitoring Endpoints 580

Global Search 581

Monitoring Node in a Distributed Deployment 584

Device Configuration for Monitoring 584

ISE Reporting 585

Data Repository Setup 586

ISE Alarms 587

Summary 588

Chapter 29 Troubleshooting 589

Diagnostics Tools 589

RADIUS Authentication Troubleshooting 589

Evaluate Configuration Validator 591

TCP Dump 594

Troubleshooting Methodology 596

Troubleshooting Authentication and Authorization 596

Option 1: No Live Log Entry Exists 597

Option 2: An Entry Exists in the Live Log 603

General High-Level Troubleshooting Flowchart 605

Troubleshooting WebAuth and URL Redirection 605

Active Directory Is Disconnected 610

Debug Situations: ISE Logs 611

The Support Bundle 611

Common Error Messages and Alarms 613

EAP Connection Timeout 613

Dynamic Authorization Failed 615

WebAuth Loop 617

Account Lockout 617

ISE Node Communication 617

Summary 618

Chapter 30 Backup, Patching, and Upgrading 619

Repositories 619

Configuring a Repository 619

Backup 625

Restore 628

Patching 629

Upgrading 632

Summary 634

Appendix A Sample User Community Deployment Messaging Material 635

Appendix B Sample ISE Deployment Questionnaire 639

Appendix C Configuring the Microsoft CA for BYOD 645

Appendix D Using a Cisco IOS Certificate Authority for BYOD Onboarding 669

Appendix E Sample Switch Configurations 675

TOC, 9781587143250, 5/15/2013
