Design
The size and scope of the customer's network require a distributed architecture in which each ISE persona is assigned to a dedicated appliance. Important benefits:
- scalability: add nodes as demand requires
- high availability:
  - 2 nodes for the administration and monitoring (troubleshooting) personas
  - 2 nodes that will operate as policy service nodes
Dictionary
Authentication
- use a variety of identity stores with multiple protocols
- integrate authentication between the network devices and the primary identity store
- use AD to authenticate users and computers
Authorization
- use AD
- use authorization policies to limit access to users and devices
Guest services
- provide the applications that facilitate secure guest access
- sponsor and guest interfaces:
  - sponsor interface: provides the means to create and apply security policies to guest users
  - guest interface: provides the means for guest users to authenticate the guest device and user
Profiling
- ISE determines device types from information that it receives from the network access device or from the connecting device itself
- this information is used to assign the device a profile
- ISE assigns different policies to different device types
Posture assessment
- validate and maintain security capabilities on any client machine that accesses the network:
  - verify proper virus protection
  - check firewall settings
  - check Windows updates
- in case of failure, ISE will assist with remediation to help the client meet the posture requirements. If a device fails remediation, it will be provided with limited network access
Implementation
The implementation will go through a number of phases:
- Start and preparation
- Authentication
- Authorization
- Monitor mode
- Low impact mode
- Closed mode
There are several infrastructure factors that must be considered before starting the deployment of Cisco ISE:
- Number of endpoints (20000)
- Locations of endpoints
  - approx. 30 sites, mainly industrial environments
  - EMEA and APAC; consider 200 ms latency from APAC to the ISE servers in Europe
- all LANs are standardized:
  - same VLAN setup
  - standard up-to-date hardware (Cisco and Meraki)
  - standard OS
  - standard printers and workstations
  - non-backoffice devices (PLCs, fire detection, alarms, security cameras, etc.) are on a separate network that is not in scope of ISE
  - standard Wi-Fi (WLC and Meraki)
- high availability of the ISE cluster required (install in 2 datacenters):
  - Admin and Monitor personas on VMs, 1 in each DC, replicated
  - PSN on hardware, 1 per datacenter
  - use active/standby mode
- type of RADIUS clients (mainly Windows OS and Mac OS X, Cisco AnyConnect)
- WAN topology: MPLS and VPN with minimum 4 Mbps
- Type of access: wired and wireless
- Bandwidth: Cisco indicates a need of approx. 125 bps per client towards the ISE PSN with posture on
- Logging: keep logs 90 days locally and then push them to external syslog servers
- Administrative access: both locally configured users and users located in AD
Choosing credentials for 802.1X:
- passwords, certificates or tokens, depending on security policy, validation, distribution and maintenance
- re-use existing credentials
- understand the limitations of existing systems
- MAB (MAC Authentication Bypass): authentication for clientless devices via a MAC database
  - use existing asset databases (purchasing department, asset tools)
  - methods to gather data: SNMP, syslog, accounting
  - automated device discovery --> profile in ISE
- MAB fails (control of the session is passed to the switch):
  - no access
  - switch-based web-auth
  - guest VLAN
- MAC unknown but MAB passes:
  - the AAA server determines the policy
  - good for centralized control and visibility of the guest policy
The following authorization options are available:
- Pre-authentication
  - port closed by default; except EAPoL
  - port selectively open; DHCP, TFTP, Kerberos, ...
  - port open
- Passed authentication
  - port open by default
  - dynamic ACL
  - dynamic VLAN
- Failed 802.1X
  - port closed by default; except EAPoL
  - 'Next Method'; for example MAB
  - Auth-Fail VLAN
- No client
  - port closed by default; except EAPoL
  - 'Next Method'; for example MAB
  - Guest VLAN
- AAA server dead
  - port closed by default; except EAPoL
  - Critical VLAN
- Single MAC filtering
  - default Single Host mode
  - problem for hubs, VMware, phones, gratuitous ARP
  - applies in open and closed mode
  - solution for phones: MDA --> a single device per domain per port
  - solution for virtualized endpoints: MAC-based enforcement for each device; 802.1X/MAB
Monitor mode
Characteristics:
- non-disruptive
- authentication without access control
- see what is on the network, who has a supplicant, who has good credentials, ...
How to:
- enable 802.1X and MAB
- enable Open Access
- enable Multi-Auth host mode
- no authorization
- next steps to switch to low impact mode:
  - improve accuracy by monitoring the network
  - evaluate the remaining risk
  - prepare for access control
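The monitor-mode steps above on a Cisco IOS access switch, as an added example that is not part of the customer design or of Cisco's documentation. It assumes classic IOS 15.x CLI syntax, two ISE PSNs (one per datacenter) with placeholder addresses and shared secret, and VLAN IDs chosen for illustration; on the ISE side the authorization policies return plain PermitAccess (no dACL, no VLAN), which is the "no authorization" step.

```cisco
! Global AAA toward the two ISE PSNs (one per datacenter); addresses and key are placeholders
aaa new-model
radius server ISE-PSN-DC1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
radius server ISE-PSN-DC2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
aaa group server radius ISE-GROUP
 server name ISE-PSN-DC1
 server name ISE-PSN-DC2
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
! Change of Authorization from the PSNs (profiling/posture re-authorize a session this way)
aaa server radius dynamic-author
 client 192.0.2.11 server-key <RADIUS-SHARED-SECRET>
 client 192.0.2.12 server-key <RADIUS-SHARED-SECRET>
! Declare a PSN dead after 3 unanswered tries in 10 s; the other DC is used for 15 min
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
radius-server vsa send authentication
radius-server vsa send accounting
dot1x system-auth-control
! IP/MAC binding: needed once dACLs are introduced, harmless to enable now
ip device tracking
!
! Access port in monitor mode: authenticate everything, enforce nothing
interface GigabitEthernet1/0/1
 description Monitor mode - visibility only
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
! try 802.1X first, fall back to MAB for clientless devices
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
! each MAC behind the port is authenticated separately (hubs, VMs, phone + PC)
 authentication host-mode multi-auth
! the monitor-mode command: traffic is forwarded whatever the outcome
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

With this in place the ISE Live Log and the RADIUS accounting records show which endpoints have a supplicant, which pass MAB and which fail, without any session being blocked.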
Low impact mode
Characteristics:
- begin to control and differentiate network access
- minimize the impact on existing access
- retain visibility
- no need to re-architect the network
How to:
- start from Monitor mode
- add ACLs, dACLs and flex auth
- limit the number of devices per port
- authorize phones with dACLs
- ACL rules of thumb:
  - whenever possible use dACLs
  - when dACLs are not possible use Filter-Id ACLs or per-user ACLs
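The low-impact steps above as an added example (not the customer's configuration): a static pre-authentication ACL on the port, the port limited to one data and one voice device (MDA), and the dACLs that ISE pushes after authentication. It assumes the global AAA/RADIUS configuration toward the PSNs and `ip device tracking` are already in place, IOS 15.x syntax, and placeholder PSN addresses; the dACL contents are illustrative and defined in ISE, not on the switch.

```cisco
! Pre-authentication ACL applied statically to the port: only what an unauthenticated
! device needs before the session is authorized (DHCP, DNS, TFTP, ISE portal redirect).
ip access-list extended PRE-AUTH
 remark allow DHCP, DNS and TFTP before authentication
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 remark allow the ISE PSN portals (guest/posture) on both datacenters
 permit tcp any host 192.0.2.11 eq 8443
 permit tcp any host 192.0.2.12 eq 8443
 deny ip any any
!
interface GigabitEthernet1/0/1
 description Low impact mode
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
! the static ACL is what "authentication open" now lets through; the dACL overrides it per session
 ip access-group PRE-AUTH in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
! limit devices per port: one in the data domain, one in the voice domain (MDA)
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! ISE authorization profiles (created in ISE, shown here as the dACL text they carry):
! "Employee-Access" -> DACL EMPLOYEE-PERMIT-ALL:
!   permit ip any any
! "IP-Phone-Access" (with "Voice Domain Permission" ticked so the phone lands in the
! voice domain) -> DACL PHONE-ACL, only call signalling, media, DNS and TFTP:
!   permit udp any any eq domain
!   permit udp any any eq tftp
!   permit tcp any any eq 2000
!   permit udp any any eq 5060
!   permit udp any any range 16384 32767
!   deny ip any any
```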
Closed mode
Characteristics:
- no access before authentication: disruptive!
- rapid access for non-802.1X-capable devices
- return to default closed port access
How to:
- use timers or the authentication order
- implement identity-based VLAN assignment
- use the fewest VLANs possible
- enable the critical voice VLAN
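The closed-mode steps above as an added example (not the customer's configuration): the same port without `authentication open`, 802.1X timers tuned so clientless devices reach MAB quickly, fallback VLANs for the no-client and AAA-dead cases including the critical voice VLAN, and the RADIUS attributes ISE returns for identity-based VLAN assignment. It assumes the global AAA/RADIUS configuration toward the PSNs is already in place, IOS 15.x syntax, and example VLAN IDs.

```cisco
interface GigabitEthernet1/0/1
 description Closed mode - no access before authentication
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
! no "authentication open" here: only EAPoL passes until the session is authorized
 authentication order dot1x mab
 authentication priority dot1x mab
! timers: tx-period x (max-reauth-req + 1) = 10 s x 3 = 30 s before MAB is tried
! (the alternative is "authentication order mab dot1x" to try MAB first)
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
! failed 802.1X -> next method (MAB); "action authorize vlan <id>" would use an Auth-Fail VLAN instead
 authentication event fail action next-method
! no supplicant and MAB not accepted -> Guest VLAN 30
 authentication event no-response action authorize vlan 30
! both PSNs dead -> Critical VLAN for data and the critical voice VLAN for phones
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
! one data and one voice device per port
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Identity-based VLAN assignment comes from the ISE authorization profile as the
! standard IETF RADIUS attributes, e.g. for the "Employee" profile:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = 10
! Keeping the number of distinct VLAN results small is what "fewest VLANs possible" means.
```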