
2012 Cisco and/or its affiliates. All rights reserved.

BRKEWN-2020 Cisco Public


BYOD - Cisco
Cisco Identity Services Engine: Simplified Policy Management Platform
- Authentication Services
- Authorization Services
- Guest Lifecycle Management
- Profiling Services
- Posture Services
- Secure Group Access

/iPads (BYOD)

One Policy!!
BYOD

Restrict: BYOD is not allowed as per corporate policy. All non-corporate assets should be denied access.

Allow: BYOD used to allow employee internet access on mobile devices. Secure access to email and other corporate services is possible.

Embrace: BYOD used to enhance business processes and improve productivity. Per device identification via certificates is used for high security.
Restrict Deployment Strategy
Allowing Only Corporate Assets on the Network Infrastructure
The restrict deployment strategy only allows corporate assets onto the network. BYOD is not supported as per corporate policy and the network will enforce this.
[Diagram: network components ISE and NCS Prime; desktop/notebooks, tablets and smart phones connecting over wireless, wired and remote access. Corporate assets: Policy: Full Network Access, per device credentials, devices must be authorized and are profiled. BYOD devices: Policy: Deny All.]


Allow Deployment Strategy
Allowing BYOD Devices for Internet Access Only
The allow strategy enables employee-brought devices to access Internet resources. The per user credential of PEAP MS-CHAP is used here along with device registration to regulate the number of BYOD devices.
[Diagram: network components ISE and NCS Prime; desktop/notebooks, tablets and smart phones connecting over wireless, wired and remote access. Corporate assets: Policy: Full Network Access, per device credentials. BYOD devices: Policy: Internet-Only Access, per user credentials, devices must be authorized and must register.]
Embrace Deployment Strategy
Using BYOD with Business Relevant Applications
Both corporate assets and BYOD devices are allowed onto the network using per-device credentials. BYOD devices are used to enhance business processes.
[Diagram: network components ISE and NCS Prime, with a 3rd party MDM optional; desktop/notebooks, tablets and smart phones connecting over wireless, wired and remote access. Corporate assets: Policy: Full Network Access, per device credentials. BYOD devices: Policy: Full Network Access, per device credentials, devices must be authorized and must be provisioned.]

BYOD Solution Architecture



[Diagram: policy inputs (group: Full-Time Employee, Contractor, Guest; BYOD; Time and Date; Access Type; Location; Posture; Device Type) mapped to access outcomes (Broad Access, Limited Access, Guest/Internet, Deny Access, Quarantine, Track Activity for Compliance). Example endpoints: Vicky Sanchez, Employee, Marketing, Wireline, 3 p.m.; Frank Lee, Guest, Wireless, 9 a.m.; Security Camera G/W, Agentless Asset, MAC: F5 AB 8B 65 00 D4; Francois Didier, Consultant, HQ Strategy, Remote Access, 6 p.m.]
Cisco's Unified Policy Management Policy
Example of BYOD / Mobility Policy Table
IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Permission
[Table with columns User, Device, Location, Time, Access Method and Policy. Users: Guest, Contractor, Employee. Devices: Personal Laptop, Personal Device, Contractor Computer, Corporate Computer. Locations: Conference Rooms, Anywhere. Times: Anytime, M S 8 am - 6 pm. Access Methods: Captive Portal, Wireless, Wired, VPN. Policies: DMZ Guest Tunnel, Guest VLAN, Contractor VLAN, Contractor ACL, Employee VLAN, Employee ACL.]
Cisco's Unified Policy Management Components
With the ISE, Cisco wireless can support multiple users and device types on a single SSID.
[Diagram: ISE (Device Profiling, Dynamic Policy) returns user and device specific attributes to the WLC, which enforces them with ACLs on the AP. Employee Workstation: Employee VLAN, Gold QoS. Employee BYOD: Employee VLAN, Gold QoS, Restrictive ACL. Contractor Workstation: Contractor VLAN, No QoS, Restrictive ACL. Contractor BYOD: No Access.]
Cisco ISE Device Policy Steps
Phase 1 Authentication: EAP between the client and the ISE.
Phase 2 Device Identification and Policy Assignment: the ISE uses MAC, DHCP, DNS and HTTP attributes to decide whether this is an allowed device, and assigns either allowed access or Internet-only access.
Phase 3 Device Policy Enforcement: the WLC enforces the returned attributes, for example Silver QoS, an Allow-All ACL and the Employee VLAN.
Example WLAN Policy + Posture Flow Chart
Including both 802.1x and Web Authentication
[Flow chart: on the 802.1X SSID, Machine Authentication and User Authentication each classify the endpoint as Employee or Contractor, followed by Posture Assessment (for anti-spyware, anti-virus, etc.) with Compliant or Noncompliant results; on the Web Authentication SSID the endpoint is a Guest. Deny outcomes: Deny BYOD Access, Deny Employee Access, Deny Contractor Access.]
BYOD / Unified Access
1. Account Sponsorship: an approved sponsor creates the account.
2. Account Notification: credentials are automatically provided to the guest via email, SMS, or printed receipt.
3. Captive Portal: the web browser redirects to the login screen; the user can manage access for their own device.
4. Successful Authentication: isolated guest network on the DMZ, role based policy applied, user granted access to the Internet.
[Diagram: ISE Policy / Guest Engine, Internal WLC, Anchor WLC, Guest User on DMZ, DMZ, Internet.]

Integrating the WLAN infra and Policy solution for Secure Authentication and Profiling
Extensible Authentication Protocol (EAP)
Protocol Flow
[Diagram: Client, Authenticator and Authentication Server, with CAPWAP between the access point and the controller. The EAP Type is negotiated between the Client and the RADIUS Server.]
EAP Authentication Types
Different Authentication Options Leveraging Different Credentials
Tunneling-Based: EAP-PEAP, EAP-TTLS, EAP-FAST, with inner methods EAP-GTC and EAP-MSCHAPv2.
Certificate-Based: EAP-TLS.
Tunnel-based - Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. This provides security for the inner EAP type, which may be vulnerable by itself.
Certificate-based - For more security, EAP-TLS provides mutual authentication of both the server and the client.
EAP Methods Comparison
Choosing Between EAP-TLS and PEAP

Feature                          EAP-TLS   PEAP
Fast Secure Roaming (CCKM)       Yes       Yes
Local WLC Authentication         Yes       Yes
OTP (One Time Password) Support  No        Yes
Server Certificates              Yes       Yes
Client Certificates              Yes       No
Deployment Complexity*           High      Low
Factors in Choosing an EAP Method
EAP Type(s) Deployed, Client Support, Security vs. Complexity, Authentication Server Support.
The Most Common EAP Types are PEAP and EAP-TLS
Most clients, such as Windows, Mac OS X and Apple iOS devices, support EAP-TLS and PEAP (MS-CHAPv2). Additional supplicants can add more EAP types (Cisco AnyConnect). Certain EAP types (TLS) can be more difficult to deploy than others depending on device type. Cisco ISE Supplicant Provisioning can aid in the deployment.
Cisco Wireless Controller User-Based Policy
AAA Override Attributes
- Network Access: Airespace-Interface-Name sets the interface to which the client is connected.
- Network Restrictions: Airespace-ACL-Name sets the Access Control List used to filter traffic to/from the client.
- Quality of Service: Airespace-QOS-Level sets the maximum QoS queue level available for use by the client (Bronze, Silver, Gold or Platinum). Airespace-802.1p-Tag and/or Airespace-DSCP-Tag set the maximum QoS tagging level available for use by the client.
Change of Authorization (CoA)
Changing Connection Policy Attributes Dynamically
Before posture assessment and profiling (Unknown Client Status): Limited Access VLAN, Posture-Assessment ACL, Silver QoS.
After posture assessment and profiling (Profiled, Workstation Client Status), Employee Policy Applied: Employee VLAN, None ACL, Gold QoS.
In both cases the ISE sends the user and device specific attributes to the controller.
Cisco Wireless LAN Controller ACLs
Layer 3-4 Filtering at Line-rate
ACLs provide L3-L4 policy and can be applied per interface or per user. Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs. Up to 64 rules can be configured per ACL.
[Diagram: the ACL sits between the wireless clients and the wired LAN, applied inbound and outbound, with an implicit deny all at the end.]
Cisco Wireless User-Based QoS Capabilities
Allowing Per-User and Per-Device Limiting of the Maximum QoS Level
[Diagram: Call Manager, Access Point and WLC; QoS tagged packets enter the WMM queues Voice, Video, Best Effort and Background. Employee: Platinum QoS. Contractor: Silver QoS.]
For the Employee user, the AAA server returned QoS-Platinum so packets marked with DSCP EF are allowed to enter the WMM Voice Queue. For the contractor user, the AAA server returned QoS-Silver so even packets marked with DSCP EF are confined to the Best Effort Queue.
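The ceiling behaviour described above, as an added Python example that is not part of the Cisco deck; the queue order and the DSCP and QoS-level mappings are assumptions chosen to reproduce the Employee (Platinum) and Contractor (Silver) case.

```python
# Added example, not code from the Cisco deck: the AAA-returned QoS level
# (Airespace-QOS-Level) acts as a ceiling on the WMM queue a DSCP-marked packet
# may enter. The DSCP-to-queue and level-to-queue pairings are assumptions chosen
# to reproduce the slide's EF -> Voice (Platinum) and EF -> Best Effort (Silver).

# WMM access categories from lowest to highest priority.
WMM_QUEUES = ["Background", "Best Effort", "Video", "Voice"]

# Highest queue each AAA QoS level may use (assumed mapping).
QOS_LEVEL_CEILING = {
    "Bronze": "Background",
    "Silver": "Best Effort",
    "Gold": "Video",
    "Platinum": "Voice",
}

# Queue a packet asks for by its DSCP marking (assumed: EF=46 voice,
# AF41=34 video, CS1=8 background, anything else best effort).
DSCP_TO_QUEUE = {46: "Voice", 34: "Video", 8: "Background"}


def requested_queue(dscp: int) -> str:
    """Queue the packet's own marking would select with no per-user limit."""
    return DSCP_TO_QUEUE.get(dscp, "Best Effort")


def apply_qos_ceiling(dscp: int, aaa_qos_level: str) -> str:
    """Queue the packet actually enters: the marking is honoured only up to
    the ceiling the AAA server returned for this user or device."""
    ceiling = QOS_LEVEL_CEILING[aaa_qos_level]
    wanted = requested_queue(dscp)
    if WMM_QUEUES.index(wanted) > WMM_QUEUES.index(ceiling):
        return ceiling  # demoted to the highest queue this user is allowed
    return wanted


def classify_session(packets, aaa_qos_level):
    """Map (description, dscp) pairs to the queue each packet ends up in."""
    return {desc: apply_qos_ceiling(dscp, aaa_qos_level) for desc, dscp in packets}


if __name__ == "__main__":
    # Constructed sample traffic sent by both users.
    sample = [("voice-call", 46), ("video-conf", 34), ("web", 0)]
    print("Employee (Platinum):", classify_session(sample, "Platinum"))
    print("Contractor (Silver):", classify_session(sample, "Silver"))
```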
Client Attributes Used for ISE Profiling
How RADIUS, HTTP, DNS and DHCP (and Others) Are Used to Identify Clients
The ISE uses multiple attributes to build a complete picture of the end client's device profile. Information is collected from sensors which capture different attributes. The ISE can even kick off an NMAP scan of the host IP to determine more details.
1. RADIUS: provides the MAC address, which is checked against the known vendor OUI database.
2. DHCP Snooping: the client's DHCP attributes are captured by the AP and provided in RADIUS Accounting messages.
3. DNS Server: a lookup of the DNS entry for the client's IP address reveals the hostname.
4. HTTP User-Agent: the device is redirected using a captive portal to the ISE for web browser identification.
ISE Device Profiling Example - iPad
Once the device is profiled, it is stored within the ISE for future associations.
- Is the MAC Address from Apple?
- Does the Hostname contain iPad?
- Is the Web Browser Safari on an iPad?
Result: Apple iPad.
ISE Device Profiling Capabilities
Over 200 Built-in Device Policies, Defined Hierarchically by Vendor
[Diagram: profile groups such as Smart Phones, Gaming Consoles and Workstations; each profile uses (1) multiple rules to establish a confidence level and (2) a minimum confidence for a match.]
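An added Python example (not ISE code) that ties the four profiling sensors above to the iPad rules and the minimum-confidence match on this slide; the OUI entries, rule weights, threshold and sensor data are constructed.

```python
# Added example, not ISE code: weighted profiling rules in the style of the deck's
# iPad example. The sensors (RADIUS MAC, DHCP/DNS hostname, HTTP User-Agent) feed
# one attribute dictionary; each rule adds certainty points and the endpoint
# matches the profile only above a minimum confidence. OUI entries, weights,
# the threshold and the sample endpoints are constructed values.
import re

# Constructed OUI table (first three octets -> vendor); a real deployment
# consults the IEEE OUI registry.
OUI_VENDORS = {"00:1C:B3": "Apple", "F5:AB:8B": "Unknown-Vendor"}

MIN_CONFIDENCE = 30  # assumed minimum certainty for an Apple-iPad match


def vendor_from_mac(mac: str) -> str:
    return OUI_VENDORS.get(mac.upper()[:8], "Unknown-Vendor")


# (rule name, predicate over the collected attributes, certainty points)
IPAD_RULES = [
    ("MAC OUI is Apple",
     lambda a: vendor_from_mac(a.get("mac", "")) == "Apple", 10),
    ("DHCP/DNS hostname contains iPad",
     lambda a: "ipad" in a.get("hostname", "").lower(), 20),
    ("HTTP User-Agent is Safari on an iPad",
     lambda a: re.search(r"\biPad\b.*Safari/", a.get("user_agent", "")) is not None, 30),
]


def score(attrs: dict):
    """Total certainty and the names of the rules that fired."""
    total, matched = 0, []
    for name, pred, weight in IPAD_RULES:
        if pred(attrs):
            total += weight
            matched.append(name)
    return total, matched


def profile_device(attrs: dict) -> str:
    """Apple-iPad above the threshold, otherwise fall back up the vendor hierarchy."""
    total, _ = score(attrs)
    if total >= MIN_CONFIDENCE:
        return "Apple-iPad"
    if vendor_from_mac(attrs.get("mac", "")) == "Apple":
        return "Apple-Device"
    return "Unknown"


# Constructed sensor data for three endpoints.
FULL_IPAD = {"mac": "00:1c:b3:12:34:56", "hostname": "vickys-ipad",
             "user_agent": "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) "
                           "AppleWebKit/534.46 Version/5.1 Mobile/9B176 Safari/7534.48.3"}
MAC_ONLY = {"mac": "00:1c:b3:aa:bb:cc"}              # only seen in RADIUS so far
HOSTNAME_ONLY = {"mac": "f5:ab:8b:65:00:d4", "hostname": "my-ipad"}  # non-Apple OUI

if __name__ == "__main__":
    for label, attrs in [("full", FULL_IPAD), ("mac-only", MAC_ONLY), ("hostname-only", HOSTNAME_ONLY)]:
        print(label, score(attrs), profile_device(attrs))
```

A hostname alone never reaches the threshold, which is the point of combining sensors: one self-reported attribute does not decide the profile.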
ISE 1.0 includes pre-built profiles for the following devices:
- Android
- Apple-Device
- AlphaIphone
- Apple-MacBook
- Apple-iPad
- Apple-iPhone
- Apple-iPod
- Aruba-Device
- Aruba-AP
- Avaya-Device
- Avaya-IP-Phone
- BlackBerry
- Cisco-Device
- Cisco-Access-Point
- Cisco-AP-Aironet-1130
- Cisco-AP-Aironet-1240
- Cisco-AP-Aironet-1250
- Cisco-IP-Phone
- Cisco-IP-Conf-Station-7935
- Cisco-IP-Conf-Station-7936
- Cisco-IP-Conf-Station-7937
- Cisco-IP-Phone-7902
- Cisco-IP-Phone-7905
- Cisco-IP-Phone-7906
- Cisco-IP-Phone-7910
- Cisco-IP-Phone-7911
- Cisco-IP-Phone-7912
- Cisco-IP-Phone-7940
- Cisco-IP-Phone-7941
- Cisco-IP-Phone-7942
- Cisco-IP-Phone-7945
- Cisco-IP-Phone-7945G
- Cisco-IP-Phone-7960
- Cisco-IP-Phone-7961
- Cisco-IP-Phone-7962
- Cisco-IP-Phone-7965
- Cisco-IP-Phone-7970
- Cisco-IP-Phone-7971
- Cisco-IP-Phone-7975
- Cisco-IP-Phone-7985
- Cisco-WLC-2100-Series
- Linksys-Device
- DLink-Device
- DLink-DAP-1522
- Enterasys-Device
- HP-Device
- HP-JetDirect-Printer
- HTC-Device
- Lexmark-Device
- Lexmark-Printer-E260dn
- LinkSysWAP54G-Device
- Microsoft-Device
- XBOX360
- MotorolaMobile-Device
- MotorolaDroid-Device
- Netgear-Device
- NintendoWII
- Nortel-Device
- Nortel-IP-Phone-2000-Series
- SonyPS3
- SymbianOS-Device
- VMWare-Device
- Workstation
- FreeBSD-Workstation
- Linux-Workstation
- CentOS-Workstation
- Debian-Workstation
- Fedora-Workstation
- Gentoo-Workstation
- Kubuntu-Workstation
- LinuxMint-Workstation
- Mandriva-Workstation
- OracleEnterpriseLinux-Workstation
- PCLinuxOS-Workstation
- RedHat-Workstation
- SUSE-Workstation
- Ubuntu-Workstation
- Xandros-Workstation
- Macintosh-Workstation
- OS_X-Workstation
- OS_X_Leopard-Workstation
- OS_X_SnowLeopard-Workstation
- OS_X_Tiger-Workstation
- Microsoft-Workstation
- Vista-Workstation
- Windows7-Workstation
- WindowsXP-Workstation
- OpenBSD-Workstation
- Sun-Workstation
- Solaris-Workstation
- Xerox-Device
- Xerox-Printer-Phaser3250
Profiling also good for Non-User Endpoints
Printers, Fax Machines, IP Phones, IP Cameras, Wireless APs, Managed UPS, Hubs, Cash Registers, Medical Imaging Machines, Alarm Systems, Video Conferencing Stations, Turnstiles, HVAC Systems, RMON Probes, Vending Machines . . . and many others
Steps for Integrating the Controller and ISE
1. Configure WLAN for 802.1x Authentication
   Configure RADIUS Server on Controller
   Setup WLAN for AAA Override, Profiling and RADIUS NAC
2. Configure ISE Profiling
   Enable profiling sensors
3. Setup Access Restrictions
   Configure ACLs to filter and control network access.
Configuring the WLAN for Secure Connectivity
Enabling Secure Authentication and Encryption with WPA2-Enterprise
[Screenshot: (1) WPA2 security with AES encryption.]
Setting the WLAN QoS Level for Override
If WMM is set to Allowed, the Quality of Service configuration serves as a limit for the entire SSID. Ensure all controller uplinks, media servers and Access Points have proper Quality of Service trust commands in IOS.
Using WMM, the QoS Level is Based on the Marking of the Packet.
[Screenshot: (1) the WLAN QoS setting acts as an upper limit, or ceiling, for the WLAN's QoS configuration.]
Configuring the WLAN for ISE Identity-based Networking (Contd)
1. Allow AAA Override to permit the ISE to modify user access permissions.
2. Enable RADIUS NAC to allow the ISE to use Change of Authorization.
3. Enable Client Profiling to send DHCP attributes to the ISE.
Configuring the Web-Authentication Redirect ACL
The ACL is Used in HTTP Profiling as Well as Posture and Client Provisioning.
1. This ACL will be referenced by name by the ISE to restrict the user.
2. Use the ISE server's IP address to allow only traffic to that site.
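An added Python example (not WLC code) combining the controller ACL slide, implicit deny all and the 64-rule limit, with a redirect ACL of the shape described here; the ISE address, the DNS permit and the client addresses are constructed assumptions.

```python
# Added example, not WLC code: first-match evaluation of a WLC-style L3/L4 ACL
# with the implicit deny all at the end and the 64-rule limit from the deck, plus
# a constructed web-auth redirect ACL that permits only traffic to and from the
# ISE address (ISE_IP, the DNS permit and client addresses are assumptions).
import ipaddress

MAX_RULES_PER_ACL = 64  # limit stated on the controller ACL slide


def rule(action, proto, src, dst, dport=None):
    """One ACL line; proto 'any' and dport None are wildcards."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


class Acl:
    def __init__(self, name, rules):
        if len(rules) > MAX_RULES_PER_ACL:
            raise ValueError(f"{name}: {len(rules)} rules exceeds {MAX_RULES_PER_ACL}")
        self.name = name
        self.rules = rules

    def evaluate(self, proto, src, dst, dport=None) -> str:
        """Return 'permit' or 'deny'; a packet matching no rule is denied."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if r["proto"] not in ("any", proto):
                continue
            if src_ip not in ipaddress.ip_network(r["src"]):
                continue
            if dst_ip not in ipaddress.ip_network(r["dst"]):
                continue
            if r["dport"] not in (None, dport):
                continue
            return r["action"]
        return "deny"  # implicit deny all at the end


ISE_IP = "192.0.2.10"  # constructed ISE address (TEST-NET-1), not a deployment value

# Constructed redirect ACL: the not-yet-authorised client may resolve names and
# reach the ISE portal; everything else falls through to the implicit deny.
REDIRECT_ACL = Acl("ISE-REDIRECT", [
    rule("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", dport=53),
    rule("permit", "any", "0.0.0.0/0", f"{ISE_IP}/32"),
    rule("permit", "any", f"{ISE_IP}/32", "0.0.0.0/0"),
])


def acl_fits(num_rules: int) -> bool:
    """Would an ACL with this many rules be accepted by the controller?"""
    try:
        Acl("probe", [rule("permit", "any", "0.0.0.0/0", "0.0.0.0/0")] * num_rules)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    client = "10.10.20.5"  # constructed client address
    print(REDIRECT_ACL.evaluate("tcp", client, ISE_IP, 8443))        # permit
    print(REDIRECT_ACL.evaluate("udp", client, "10.10.20.1", 53))     # permit
    print(REDIRECT_ACL.evaluate("tcp", client, "198.51.100.7", 80))   # deny
    print(acl_fits(64), acl_fits(65))                                  # True False
```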
Defining a Security Policy
ISE Authentication Sources
Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP and RSA SecurID. The local database can also be used on the ISE itself for small deployments.
[Diagram: the client authenticates over EAPoL with a user/password (user1, C#2!@_E(), a certificate or a token; the request reaches the ISE over RADIUS; the ISE performs user and/or machine authentication against the backend database(s): Active Directory, Generic LDAP or PKI, RSA SecurID, Local DB.]
Steps for Configuring ISE Policies
1. Authentication Rules: define what identity stores to reference. Example: Active Directory, CA Server or Internal DB.
2. Authorization Rules: define what users and devices get access to resources. Example: all Employees with Windows laptops have full access.
Authentication Rules
Example for PEAP and EAP-TLS
[Screenshot: (1) reference Active Directory for PEAP authentication; (2) create another profile to reference the certificate store.]
Authorization Rules Configuration
Policy Authorization - Simple
Flexible Conditions Connecting Both User and Device
[Screenshot: (1) specific device type groups (such as Workstations or iPods) can be utilized; (2) Active Directory groups can be referenced; (3) the authorization rule results in attributes to enforce policy on end devices.]
Authorization Rule Results
The Actual Permissions Referenced by the Authorization Rules
The authorization rules provide a set of conditions to select an authorization profile. The profile contains all of the connection attributes including VLAN, ACL and QoS. These attributes are sent to the controller for enforcement, and they can be changed at a later time using CoA (Change of Authorization).
[Screenshot: (1) simple VLAN override by specifying the tag; (2) all WLC attributes are exposed to override.]
Who/What/When/Where/How: Device Type, Location, User, Posture, Time, Access Method, Custom.
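An added Python example (not ISE or WLC code) that evaluates the rule template from the BYOD / Mobility Policy Table, renders the selected authorization profile as the AAA override attributes from the controller slide, and re-runs the rules on CoA as in the before/after slide and the authorization rule results above; the rule contents, interface and ACL names and hours are constructed.

```python
# Added example, not ISE or WLC code: the deck's template
# IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Permission
# evaluated in order, the chosen profile rendered as AAA override attributes,
# and a CoA step that re-runs the rules once profiling and posture results arrive.
from datetime import time

# Authorization profiles: the attribute set the controller enforces (constructed).
PROFILES = {
    "Posture-Pending": {"Airespace-Interface-Name": "limited-access",
                        "Airespace-ACL-Name": "Posture-Assessment",
                        "Airespace-QOS-Level": "Silver"},
    "Employee-Full": {"Airespace-Interface-Name": "employee",
                      "Airespace-ACL-Name": None, "Airespace-QOS-Level": "Gold"},
    "Employee-BYOD": {"Airespace-Interface-Name": "employee",
                      "Airespace-ACL-Name": "Restrictive", "Airespace-QOS-Level": "Gold"},
    "Contractor": {"Airespace-Interface-Name": "contractor",
                   "Airespace-ACL-Name": "Restrictive", "Airespace-QOS-Level": "Bronze"},
}


def business_hours(t: time) -> bool:
    return time(8, 0) <= t <= time(18, 0)


# Ordered rules (identity, device, access, location, time, result): None is a
# wildcard, a callable is a predicate, anything else must match exactly.
RULES = [
    ("Employee", "Workstation", "wireless", None, None, "Employee-Full"),
    ("Employee", "Apple-iPad", "wireless", None, None, "Employee-BYOD"),
    ("Contractor", "Workstation", "wired", "HQ", business_hours, "Contractor"),
]
FIELDS = ("identity", "device", "access", "location", "time")


def matches(cond, value) -> bool:
    return True if cond is None else (cond(value) if callable(cond) else cond == value)


def authorize(session: dict):
    """Limited access until the ISE knows the device and its posture, deny on
    noncompliance, otherwise the first matching rule wins."""
    if session.get("device") is None or session.get("posture") is None:
        return "Posture-Pending", PROFILES["Posture-Pending"]
    if session["posture"] != "compliant":
        return "Deny", {}
    for *conds, result in RULES:
        if all(matches(c, session.get(f)) for c, f in zip(conds, FIELDS)):
            return result, PROFILES[result]
    return "Deny", {}


def change_of_authorization(session: dict, **learned):
    """ISE learned new facts (device profile, posture): re-evaluate and push the
    new attributes to the controller instead of waiting for a reconnect."""
    session.update(learned)
    return authorize(session)


def demo() -> list:
    """The before/after CoA scenario from the deck; returns the decisions taken."""
    s = {"identity": "Employee", "access": "wireless", "location": "HQ", "time": time(15, 0)}
    before, _ = authorize(s)                                                   # Posture-Pending
    after, _ = change_of_authorization(s, device="Workstation", posture="compliant")
    byod, _ = authorize(dict(s, device="Apple-iPad"))                          # Employee-BYOD
    late, _ = authorize(dict(s, identity="Contractor", access="wired", time=time(19, 0)))
    return [before, after, byod, late]
```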
BYOD Device Provisioning
Apple iOS Device Provisioning
[Diagram: ISE, WLC and CA-Server. (1) Initial connection using PEAP. (2) Device Provisioning Wizard. (3) Change of Authorization; future connections using EAP-TLS.]
Android Device Provisioning
[Diagram: ISE, WLC and CA-Server. (1) Initial connection using PEAP. (2) Redirection to the Android Marketplace to install the provisioning utility. (3) Provisioning using the Cisco Wi-Fi Setup Assistant; Change of Authorization. (4) Future connections using EAP-TLS.]
Windows/Mac OS X Device Provisioning
[Diagram: ISE, WLC and CA-Server. (1) Initial connection using PEAP. (2) Redirection to the ISE to install the OS-specific provisioning utility. (3) Provisioning using the Cisco Wi-Fi Setup Assistant; Change of Authorization. (4) Future connections using EAP-TLS.]
Certificate Provisioning Steps Using SCEP
Providing Certificates Using Simple and Secure Methods
[Diagram: ISE, WLC, and the SCEP client talking to the SCEP server on the CA-Server.]
1. Obtain the CA server's root certificate.
2. Ask the server for a device specific certificate.
3. Receive and store the new certificate for future use.
My Devices Portal
Self-Registration and Self-Blacklisting of BYOD Devices
1. New devices can be added with a description.
2. Devices can be self-registered, up to an administrator defined limit.
3. Devices can be blacklisted by the user.
BYOD Monitoring and Reporting
Cisco ISE Provides Policy for Wired and Wireless LANs
Unified wired and wireless policy (ISE) and management (NCS).
ISE: central point of policy for wired and wireless users and endpoints.
NCS: centralized monitoring of wired and wireless networking, users and endpoints.
Client Type and Policy Visibility with NCS and ISE Integration
Endpoint Identity is Shared with NCS
[Screenshot: both wired and wireless clients in a single list; device identity from ISE integration; policy information including Windows AD domain and the AAA override parameters applied to the client.]
ISE Live Log
Providing Instant Troubleshooting of Identity and Policy.
[Screenshot: (1) Machine Authentication; (2) User Authentication; (3) Device Profile.]
NCS Provides Cross-Linking to ISE Reports on Profiling