Deploying ISE in a Dynamic Public - clnv.s3.amazonaws.com · lessons learned (best practice) from...


Deploying ISE in a Dynamic Public Environment

Clark Gambrel, CCIE #18179

Technical Leader, Engineering, Core Software Group

BRKSEC-2059

Page 3:

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment

Take the Hassle out of your ISE deployment!

K.I.T.T.

Know ISE Through Training

BRKSEC-2059 3


Page 5:

Abstract

Managing a secure, yet flexible network in today's public access environments can be very challenging. Public access networks in areas like universities, hospitals and airports host a broad array of devices, both privately owned and corporately managed. With the increasing importance of the Internet of Things, the variety of devices that need to connect to these public networks is rapidly increasing. Cisco Identity Services Engine (ISE) plays an integral role in controlling the access to these dynamic public networks. This session will share lessons learned (best practice) from an ISE escalation engineer in troubleshooting complex customer environments.

Page 6:

Introduction

Page 7:

Clark Gambrel, CCIE #18179

Technical Leader – Engineering

Core Software Group

[email protected]

@ClarkGambrel

Page 8:

KENTUCKY

Page 9:

Here

Page 10:

KENTUCKY

Kentucky is known for…

Page 11:

KENTUCKY

Page 12:

KENTUCKY

Ich bin ein "Redneck" ("I am a Redneck")

Page 13:

Agenda

• Introduction

• Public environments, Why are they so challenging?

• Advice – Words to live by in any environment (Best Practice!)

• Education – What we have learned

• Hospitals/Medical – Protecting the heart of your network

• Public Transportation – Tips for the thrifty traveler

• Conclusion

Page 14:

Please Fill Out The Survey!

Page 15:

ISE & Software Defined Segmentation Sessions

• BRKSEC-2059 (2h) - Deploying ISE in a Dynamic Public Environment - Fri 24 Feb 11:30 (You are here)

• BRKSEC-2203 (90m) - Enabling Software-Defined Segmentation with TrustSec - Tue 21 Feb 16:45

• BRKSEC-2344 (2h) - Device Administration with TACACS+ using Identity Services Engine 2.X - Tue 21 Feb 14:15

• BRKSEC-3690 (2h) - Advanced Security Group Tags: The Detailed Walk Through - Wed 22 Feb 09:00

• BRKSEC-3697 (2h) - Advanced ISE Services, Tips and Tricks - Thu 23 Feb 09:00

• BRKSEC-3699 (2h) - Designing ISE for Scale & High Availability - Fri 24 Feb 09:00

• TECSEC-2222 (4 h) - Securing Networks with Cisco Trustsec

• TECSEC-2404 (8 h) - ACI Security

• TECSEC-2672 (8 h) - Intermediate - Network Access Control with ISE (Identity Services Engine)

• BRKSEC-3014 (2h) - Security Monitoring with StealthWatch: The detailed walkthrough - Wed 22 Feb 09:00

Page 16:

Labs & Lunch and Learn Sessions

• LABSEC-1007 (45m) - AnyConnect (4.2) Posture with Identity Services Engine (ISE) 2.1

• LABSEC-1300 (30m) - Configuring and troubleshooting TACACS+ in ISE 2.1 with Nx-OS devices, IOS and WLC

• LABSEC-2004 (30m) - Dot1x: Troubleshooting tips and tricks

• LALSEC-2003 - Lunch and Learn - Cisco Identity Services Engine (ISE) - Tue 21 Feb

• LALSEC-2006 - Lunch and Learn - Network as a Sensor/Enforcer - Wed 22 Feb

• LTRSEC-3400 (4h) - ISE Troubleshooting LAB - Tue 21 Feb 14:15

• LTRSEC-2800 (90m) - Integrating TrustSec and ACI Together - Thurs 23 Feb 14:00

Page 17:

Public environments, Why are they so challenging?

Pages 18-21:

Public environments, Why are they so challenging?

• On average each person carries 2.9 devices

• Each year new devices are introduced

• Devices add new technology enhancements, e.g. TLS versions, mini browsers

• Device behavior differs from one OS version to the next

Image credits: Kenny Louie under Creative Commons License; New and Improved - http://tvtropes.org; Dilbert 2010

Pages 22-25:

Public environments, Why are they so challenging?

• Devices are mostly unmanaged

• End users have different levels of knowledge when it comes to configuring their own devices

• Users expect a simple experience, similar to home use

• Lots of configuration parameters on ISE/Wireless Controller, which are correct?

Image credits: Source – www.huffingtonpost.com; "Where's the ANY key?"

Page 26:

Advice – Words to live by in any environment (Best Practice)

Pages 27-28:

Inter-Node Communications: Radius Flapping can be a real mess!

[Diagram: two node groups, NODE GROUP A (JGROUP A) and NODE GROUP B (JGROUP B), each holding three PSNs (PSN1 to PSN6), connected over L2 or L3 to a pair of PANs and a pair of MnT nodes; a WLC sends RADIUS to the PSNs.]

• Profiling sync leverages JGroup channels

• All replication outside the node group must traverse the PAN—including Ownership Change!

• If the local JGroup fails, then nodes fall back to the Global JGroup communication channel.

PSN5 says "I own this mac address"

PSN3 says "Ok PSN5 owns this mac address"

• Ok, now Radius flapping occurs.

• This could be due to RADIUS timeouts seen by the WLC, or due to the "Radius NAC" accounting bug

• This will also happen if a PSN receives profiling information for an endpoint that it doesn't own

PSN5 says "Ok PSN3 owns this mac address"

PSN3 says "I own this mac address"

Pages 29-30:

Profiling and Data Replication - Before Tuning

[Diagram: PSNs in Node Group DC1-group and Node Group DC2-group, with a PAN and two MnT nodes. Profiling data for one endpoint arrives at different PSNs from RADIUS Auth, RADIUS Acctng, DHCP 1, DHCP 2, NMAP and NetFlow (numbered steps 1 to 5); each hop triggers an Ownership Change and Global Replication through the PAN.]

Impact of Ownership Changes - Before Tuning

[Diagram: the same probe sources (RADIUS Auth, RADIUS Acctng, DHCP 1, DHCP 2, NMAP, NetFlow) land on different PSNs across DC1-group and DC2-group, each PSN asking "Owner?" for the endpoint.]

Pages 31-36:

Advice: Timers - WLC: Radius

• Default timer value of 2 seconds is too short

• During busy times, Authentication latency may increase and exceed the default value

• Use best practice value between 5-10 seconds, typically

• Use timers appropriate to the environment (tune for your environment)

• Some remote/cloud based radius servers may have higher authentication latency and require some tweaking.

Image credit: Displaying a Clock Collection - www.doityourself.com

Page 37:

Advice: Timers - WLC: Radius - Continued

• If timers are set too long, the client might restart its session, and retries from the radius server will be dropped

• Avoid unnecessary radius server flaps with timers that are too short

• Radius flapping can have some major impacts on an ISE deployment

[Image: PSN1 and PSN2 - Superman II, Warner Brothers 1980]

Pages 38-39:

Advice: Timers - Radius

Typically 5-10 seconds

Usually matches Auth server timeout value

Page 40:

Advice: Timers - WLC: Radius - Continued

• Make sure that Aggressive Failover is disabled in the command line of the WLC. This can have a big impact on ISE and Wireless Auths in general.

(Cisco Controller) >config radius aggressive-failover disable

Pages 41-42:

Advice: Timers - WLANs

Increase Session Timeout to 2+ hours (7200+ sec), if Enabled (recommended)

This can also be sent as a Radius attribute in ISE under the AuthZProfile

Page 43:

Advice: Timers - WLANs

Increase Client Exclusion to 180+ seconds (3+ mins)

Page 44:

Advice: Timers - WLANs

For 802.1X SSIDs, Increase Client Idle Timeout to 1 hour (3600 sec)

For Guest/Hotspot SSIDs, leave this low (300 sec) to free up resources (http redirect sessions) for clients that have disconnected

Pages 45-46:

Advice: Timers - WLANs - Interim Update

• WLC 7.6:

  • Recommended setting: Disabled

  • Behavior: Only send update on IP address change

  • Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates.

  • Device Sensor updates not impacted

• WLC 8.0:

  • Recommended setting: Enabled with Interval set to 0

  • Behavior: Only send update on IP address change

  • Device Sensor updates not impacted

  • Settings mapped correctly on upgrades

Pages 47-51:

Advice: VM Resources - Reservations

• To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance.

• In 1.3 we added OVA Templates for deploying SNS-3415 and SNS-3495 equivalent hardware. That has been expanded to include the SNS-3515 and SNS-3595 platforms as well.

• It is highly recommended that you use these templates!

Specifications listed in ISE 1.3+ Installation Guide

Specifications listed in ISE 2.0.1+ Installation Guide

Page 52:

Advice: VM Resources - Reservations

• Admin and MnT nodes rely heavily on disk usage (read/writes).

• Deploying ISE in VMware environments where shared disk storage is utilized may not give the same disk performance as physical appliances

• Increasing the number of disk shares that a node is allocated can in most cases increase performance of the node.

Pages 53-54:

Advice: VM Resources - Reservations - Before & After Chart

Advice: VM Resources - Reservations - Before & After Graph

Page 55:

Advice: VM Settings

• Snapshots are not supported!

Pages 56-58:

Advice: Avoid Meltdowns - ISE Settings

• Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications (Administration > Settings > Protocols > Radius)

• Only use the profiling probes/information that you need. Don't have information overload. Avoid probes that use SPAN. Start with Radius only first. Use device sensors in network access devices (Administration > Deployment > Profiling)

Page 59:

Advice: Avoid Meltdowns - ISE Settings

• Enable EndPoint Attribute Filter (Administration > Settings > Profiling)

Page 60:

Load Balancing RADIUS - Sample Flow (round-robin without sticky)

[Diagram: a User behind an Access Device; the NAD sends RADIUS to the Load Balancer VIP 10.1.98.8 on VLAN 98 (10.1.98.0/24); behind the LB the PSN-CLUSTER on VLAN 99 (10.1.99.0/24) holds ISE-PSN-1, ISE-PSN-2 and ISE-PSN-3 at 10.1.99.5, 10.1.99.6 and 10.1.99.7. Labelled arrows: RADIUS AUTH request to 10.1.98.8, RADIUS AUTH response from 10.1.98.8, RADIUS ACCTG request to 10.1.98.8, RADIUS ACCTG response from 10.1.98.8.]

1. NAD has single RADIUS Server defined (10.1.98.8): radius-server host 10.1.98.8

2. RADIUS Auth requests sent to VIP @ 10.1.98.8

3. Requests for same endpoint load balanced to different PSN because round-robin (RR) load balancing is used without persistence (sticky).

4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)

5. RADIUS Accounting sent to/from different PSN based on RR and no sticky

Page 61:

Load Balancing RADIUS - Sample Flow (with sticky)

[Diagram: same topology as page 60: NAD to Load Balancer VIP 10.1.98.8 on VLAN 98 (10.1.98.0/24), PSN-CLUSTER on VLAN 99 (10.1.99.0/24) with ISE-PSN-1, ISE-PSN-2 and ISE-PSN-3 at 10.1.99.5, 10.1.99.6 and 10.1.99.7; RADIUS AUTH and ACCTG requests to 10.1.98.8 and responses from 10.1.98.8.]

1. NAD has single RADIUS Server defined (10.1.98.8): radius-server host 10.1.98.8

2. RADIUS Auth requests sent to VIP @ 10.1.98.8

3. Requests for same endpoint load balanced to same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address

4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)

5. RADIUS Accounting sent to/from same PSN based on sticky

Pages 62-63:

Profiling and Data Replication - After Tuning

[Diagram: PSNs in Node Group DC1-group and Node Group DC2-group, with a PAN and two MnT nodes. RADIUS Auth, RADIUS Acctng, DHCP 1, NMAP and NetFlow data for the endpoint all reach the same PSN (step 1), so only one Ownership Change and Global Replication (step 2) occurs.]

Impact of Ownership Changes - After Tuning

[Diagram: NetFlow, RADIUS Auth, RADIUS Acctng, DHCP 1 and NMAP all land on a single PSN, the Owner.]
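The ownership-change churn on pages 27-30 and the round-robin versus sticky behaviour on pages 60-63, as an added Python simulation that is not part of the deck and not Cisco's or any load balancer's code: it builds a few RADIUS packets for one endpoint, routes them through a toy load balancer keyed on Calling-Station-Id (falling back to Framed-IP-Address), and counts how often the endpoint's owning PSN changes. The PSN names, MAC and IP address are constructed sample values.

```python
"""Route constructed RADIUS packets through a simulated load balancer and count
ISE endpoint-ownership changes, with and without persistence (sticky)."""
from __future__ import annotations

import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4      # RADIUS packet codes (RFC 2865 / RFC 2866)
ATTR_FRAMED_IP, ATTR_CALLING_STATION = 8, 31   # Framed-IP-Address, Calling-Station-Id
HEADER_LEN = 20                                # code, id, length, 16-byte authenticator


def build_radius(code: int, ident: int, attrs: dict[int, bytes]) -> bytes:
    """Build a minimal RADIUS packet; the authenticator is zeroed (no crypto here)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs.items())
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


def parse_attrs(pkt: bytes) -> dict[int, bytes]:
    """Extract the attribute TLVs, rejecting lengths that would run past the packet
    or make a naive parser loop forever (a zero-length attribute)."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs


class RadiusLoadBalancer:
    """Picks a real server per request: plain round-robin, or sticky on
    Calling-Station-Id (falling back to Framed-IP-Address), as page 61 recommends."""

    def __init__(self, servers: list[str], sticky: bool):
        self.servers, self.sticky = list(servers), sticky
        self._next = 0
        self._table: dict[bytes, str] = {}   # persistence key -> pinned real server

    def _round_robin(self) -> str:
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server

    def pick(self, pkt: bytes) -> str:
        attrs = parse_attrs(pkt)
        key = attrs.get(ATTR_CALLING_STATION) or attrs.get(ATTR_FRAMED_IP)
        if not self.sticky or key is None:
            return self._round_robin()           # no usable key: behaves like plain RR
        if key not in self._table:
            self._table[key] = self._round_robin()   # first sight chooses, then pinned
        return self._table[key]


def endpoint_flow(mac: bytes, ip: bytes) -> list[bytes]:
    """Constructed traffic for one endpoint: auth, accounting start, interim update."""
    return [
        build_radius(ACCESS_REQUEST, 1, {ATTR_CALLING_STATION: mac}),
        build_radius(ACCOUNTING_REQUEST, 2, {ATTR_CALLING_STATION: mac, ATTR_FRAMED_IP: ip}),
        build_radius(ACCOUNTING_REQUEST, 3, {ATTR_CALLING_STATION: mac, ATTR_FRAMED_IP: ip}),
    ]


def run_flow(sticky: bool) -> tuple[list[str], int]:
    """Return the PSN that handled each packet and how many times the endpoint's
    owner changed; every change is replication that must traverse the PAN."""
    lb = RadiusLoadBalancer(["ise-psn-1", "ise-psn-2", "ise-psn-3"], sticky)
    path, owner, changes = [], None, 0
    for pkt in endpoint_flow(b"00-11-22-33-44-55", bytes([10, 1, 50, 20])):
        psn = lb.pick(pkt)
        path.append(psn)
        if psn != owner:        # a PSN receiving data for an endpoint it does not own takes it
            if owner is not None:
                changes += 1
            owner = psn
    return path, changes


if __name__ == "__main__":
    for mode in (False, True):
        hops, n = run_flow(mode)
        print(f"sticky={mode}: {' -> '.join(hops)}, ownership changes={n}")
```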

Page 64:

Advice: Avoid Meltdowns - ISE Settings

• Enable EndPoint Attribute Filter

• Avoid Radius Flapping

Pages 65-66:

Advice: Bugs!!!

Pages 67-69:

Advice: Bugs

CSCuu68490 - duplicate radius-acct update message sent while roaming

• If "Radius NAC" is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets

• These packets are unique (different radius IDs) but contain the same information (capture callouts: "Same data", "Different ID", ≈ 47ms apart)

• Currently resolved in 8.1.131.0+ and 8.2.100.0+ WLC code versions. 8.0 MR3+

BRKSEC-2059 70
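A way to measure the duplicate-update behaviour described above in your own accounting data, as an added example that is not code from the deck, from ISE or from the WLC. It parses a small constructed set of accounting records (attribute=value pairs, one packet per line; the session IDs, MACs and counters are made up) and flags Interim-Updates that repeat an earlier update's content under a different RADIUS packet Id within a short window. The duplicate ratio is the number to trend per controller before and after moving to a fixed WLC release.

```python
"""Flag duplicate RADIUS Interim-Update accounting packets (the CSCuu68490 symptom).

Added example; not code from the Cisco Live deck, from ISE or from the WLC.
Each log line is one accounting packet written as attribute=value pairs.
"""
from datetime import datetime, timedelta

# Constructed sample records (not a real capture). Packets 17 and 18 are the
# roaming duplicate: same session data, different Id, 47 ms apart.
SAMPLE_LOG = """\
2017-06-27T10:15:01.000 Id=17 Acct-Status-Type=Interim-Update Acct-Session-Id=5953a1f1/00:11:22:33:44:55/1 Calling-Station-Id=00:11:22:33:44:55 Acct-Input-Octets=10240 Acct-Output-Octets=20480 Acct-Session-Time=300
2017-06-27T10:15:01.047 Id=18 Acct-Status-Type=Interim-Update Acct-Session-Id=5953a1f1/00:11:22:33:44:55/1 Calling-Station-Id=00:11:22:33:44:55 Acct-Input-Octets=10240 Acct-Output-Octets=20480 Acct-Session-Time=300
2017-06-27T10:15:30.000 Id=19 Acct-Status-Type=Interim-Update Acct-Session-Id=5953a1f1/00:11:22:33:44:55/1 Calling-Station-Id=00:11:22:33:44:55 Acct-Input-Octets=30720 Acct-Output-Octets=40960 Acct-Session-Time=330
2017-06-27T10:15:31.000 Id=20 Acct-Status-Type=Interim-Update Acct-Session-Id=5953a200/66:77:88:99:aa:bb/1 Calling-Station-Id=66:77:88:99:aa:bb Acct-Input-Octets=512 Acct-Output-Octets=1024 Acct-Session-Time=60
2017-06-27T10:15:33.000 Id=21 Acct-Status-Type=Stop Acct-Session-Id=5953a200/66:77:88:99:aa:bb/1 Calling-Station-Id=66:77:88:99:aa:bb Acct-Input-Octets=600 Acct-Output-Octets=1100 Acct-Session-Time=62
"""

# Attributes that must agree for two packets to carry "the same information".
# The packet Id and the timestamp are deliberately left out of the fingerprint.
CONTENT_KEYS = ("Acct-Status-Type", "Acct-Session-Id", "Calling-Station-Id",
                "Acct-Input-Octets", "Acct-Output-Octets", "Acct-Session-Time")


def parse_record(line):
    """Turn one log line into a dict; the first token is an ISO timestamp."""
    stamp, *pairs = line.split()
    record = {"ts": datetime.fromisoformat(stamp)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def find_duplicate_updates(log_text, window=timedelta(seconds=1)):
    """Return (earlier_id, later_id, gap_ms) for every Interim-Update whose content
    fingerprint repeats a previous update under a different Id within `window`.
    Start/Stop records are ignored: only updates are duplicated by the bug."""
    last_seen = {}          # fingerprint -> most recent record carrying it
    duplicates = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if record.get("Acct-Status-Type") != "Interim-Update":
            continue
        fingerprint = tuple(record.get(key) for key in CONTENT_KEYS)
        previous = last_seen.get(fingerprint)
        if previous is not None and previous["Id"] != record["Id"]:
            gap = record["ts"] - previous["ts"]
            if gap <= window:
                # timedelta // timedelta yields an exact integer millisecond count
                duplicates.append((previous["Id"], record["Id"], gap // timedelta(milliseconds=1)))
        last_seen[fingerprint] = record
    return duplicates


def duplicate_ratio(log_text):
    """Share of Interim-Updates that were redundant; trend it per WLC before and
    after upgrading to a fixed code version."""
    updates = sum(1 for line in log_text.splitlines()
                  if line.strip() and parse_record(line).get("Acct-Status-Type") == "Interim-Update")
    return len(find_duplicate_updates(log_text)) / updates if updates else 0.0


if __name__ == "__main__":
    for earlier, later, gap_ms in find_duplicate_updates(SAMPLE_LOG):
        print(f"duplicate update: Id={earlier} and Id={later}, {gap_ms} ms apart")
    print(f"redundant Interim-Updates: {duplicate_ratio(SAMPLE_LOG):.0%}")
```

The fingerprint intentionally excludes the packet Id, since the bug produces distinct Ids with identical content; the one-second window keeps a legitimate, unchanged update sent much later (for example after a second roam with no traffic) from being counted as a duplicate.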

Advice: Bugs

• CSCuz76370 - Purging of EP's dependency is on Oracle to determine EP Owner

• CSCvc52228 - ISE does not delete endpoint mapping in REDIS when endpoint group is deleted from GUI

• CSCvc40801 - ISE MnT sluggishness and high I/O when integrated with Prime Infrastructure


Avoid Radius Flapping…

USE BEST PRACTICE!!!


Education – What we have learned


Education: High Authentication Latency – eduroam

• eduroam allows users from participating organizations to use their local credentials while visiting other eduroam locations to access the internet.

• eduroam is a “cloud based” Radius proxy. It acts as a federation point between education/research based entities and their Radius servers.

• eduroam’s Radius proxy is accessed via the internet.

[Diagram: a visiting user (username: [email protected]) authenticates through eduroam’s Radius proxy over the internet and receives Radius: Accept; the slide asks “High Latency?”]

• Due to the high authentication latency sometimes associated with cloud based radius servers, it may be necessary to adjust your radius timers.

• If using a load balancer, create a separate VIP for eduroam (can contain the same PSNs)

• If no load balancer, dedicate PSNs for eduroam (or other high latency SSIDs), if possible


Education: Students Converge at Lunch… – High Density

• Students’ roaming patterns, especially during meal times and events, can cause an increased load on your wireless and ISE infrastructure.

• Make sure that you have enough wireless density to handle this converged access.

• Distribute the load across multiple PSNs to avoid overwhelming a single server.


Education: User w/ Multiple Devices – PEAP Problem (Good reason to use EAP-TLS)

• Students carry multiple devices

• PEAP-MSChapV2 as 802.1X Authentication Method may cause AD lockouts if not changed on all devices.

• Locked accounts generate Help desk calls.

• A single device with old password may cause repeated AD lockouts
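The lockout pattern above has a recognisable signature in the authentication log: one of a user's devices fails repeatedly while another device of the same user keeps succeeding. The following is an added example (not code from the deck or from ISE) that reads a constructed set of 802.1X results and names the device most likely still holding the old password, so the help desk can fix that device instead of repeatedly unlocking the account. The usernames, MACs and the lockout threshold are assumptions; set the threshold to your domain's account lockout policy.

```python
"""Find the one device with a stale PEAP password before it locks the account.

Added example; not code from the Cisco Live deck or from ISE. Records are
constructed: timestamp, user, device MAC and authentication result.
"""
from collections import defaultdict

# Constructed sample records; field order: timestamp user mac result
SAMPLE_AUTH_LOG = """\
2017-06-27T08:00:01 jdoe 00:11:22:33:44:55 Success
2017-06-27T08:00:05 jdoe aa:bb:cc:dd:ee:01 Failure
2017-06-27T08:00:35 jdoe aa:bb:cc:dd:ee:01 Failure
2017-06-27T08:01:05 jdoe aa:bb:cc:dd:ee:01 Failure
2017-06-27T08:01:20 jdoe 00:11:22:33:44:55 Success
2017-06-27T08:02:00 asmith 11:22:33:44:55:66 Failure
2017-06-27T08:02:30 asmith 11:22:33:44:55:66 Failure
2017-06-27T08:03:00 bwong 22:33:44:55:66:77 Success
"""

LOCKOUT_THRESHOLD = 3   # assumed AD lockout threshold (bad password attempts)


def parse_auth_log(text):
    """One dict per record; anything other than 'Success' counts as a failure."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, mac, result = line.split()
        rows.append({"ts": stamp, "user": user, "mac": mac.lower(), "ok": result == "Success"})
    return rows


def stale_password_devices(text, threshold=LOCKOUT_THRESHOLD):
    """{user: [mac, ...]} for devices that failed at least `threshold` times while a
    different device of the same user authenticated successfully. Those are the
    devices to have the help desk fix (or the reason to move the SSID to EAP-TLS)."""
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for row in parse_auth_log(text):
        if row["ok"]:
            successes[row["user"]].add(row["mac"])
        else:
            failures[row["user"]][row["mac"]] += 1
    report = {}
    for user, per_mac in failures.items():
        if not successes[user]:
            continue    # no working device to compare against: may be a genuinely wrong password
        bad = sorted(mac for mac, count in per_mac.items()
                     if count >= threshold and mac not in successes[user])
        if bad:
            report[user] = bad
    return report


def lockout_candidates(text, threshold=LOCKOUT_THRESHOLD):
    """Users whose total failures across all devices reached the threshold,
    i.e. the accounts AD is about to lock regardless of which device caused it."""
    totals = defaultdict(int)
    for row in parse_auth_log(text):
        if not row["ok"]:
            totals[row["user"]] += 1
    return sorted(user for user, count in totals.items() if count >= threshold)


if __name__ == "__main__":
    for user, macs in stale_password_devices(SAMPLE_AUTH_LOG).items():
        print(f"{user}: stale credentials likely on {', '.join(macs)}")
    print("at lockout threshold:", lockout_candidates(SAMPLE_AUTH_LOG))
```

Run against a day of RADIUS authentication records, the first function gives the help desk a device to target; the second gives a list of accounts to contact before the lockout, which is cheaper than the call afterwards.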


Hospitals/Medical – Protecting the heart of your network


Hospital: Medical Devices – Securing and Profiling

• Most medical devices don’t support 802.1X

• To protect patient data, use WPA2-PSK with MAC Filtering and Profiling. Encrypt!

• Use unique attributes to profile your medical devices

• Typical attributes that work well for medical devices are dhcp-class-identifier, dhcp-parameter-request-list and host-name


Hospital: Beware of Profiling Changes – Causes for change

• OUI information changes and Device Feed Service updates. Example on the slides: “Zebra Technologies Completes Acquisition of Motorola Solutions' Enterprise Business” (Press Releases 2014), with the vendor now shown as ZIH Corp; the slides show what this means for the same endpoint before and after the acquisition.

• Device OS/Firmware updates (example on the slide: www.apple.com)

• Spoofed MAC Addresses with new or different profiling attributes


Hospital: Beware of Profiling Changes – Alternate Policy Match with Alarms

• It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling)

• This policy would catch any device that was in the configured whitelist and allow network access, simple right?

• You can then add an alarm to send an email whenever a device matches that policy. Currently we can enable this for a single policy only.
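The two-rule arrangement described above (a profile match on dhcp-class-identifier, dhcp-parameter-request-list and host-name from the Medical Devices slides, with a static MAC whitelist beneath it that raises an alarm) can be modelled end to end. This is an added example, not code from the deck or from ISE; the profile names, DHCP signatures, hostnames and MACs are constructed, and the alarm is a list of messages standing in for the e-mail the slide describes.

```python
"""Profile-first authorization with a static-MAC fallback rule that raises an alarm.

Added example; not code from the Cisco Live deck or from ISE. Rule 1 admits a
device whose DHCP attributes match a known medical-device profile. Rule 2, placed
below it, admits only statically whitelisted MACs and records an alarm so someone
investigates why the profile stopped matching (feed update, firmware change, or a
spoofed MAC presenting different attributes).
"""

# Constructed profile signatures keyed on the attributes the deck recommends.
PROFILES = {
    "Infusion-Pump-Example": {
        "dhcp-class-identifier": "PumpOS 2.1",
        "dhcp-parameter-request-list": "1,3,6,15",
        "host-name": "PUMP-",
    },
    "Patient-Monitor-Example": {
        "dhcp-class-identifier": "MonitorOS",
        "dhcp-parameter-request-list": "1,3,6,12,15",
        "host-name": "MON-",
    },
}

# Static MAC whitelist: the fallback rule's only evidence (no profiling involved).
MAC_WHITELIST = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}


def _attribute_matches(attr, wanted, observed):
    """Host names vary per unit, so a naming prefix is enough; the two DHCP
    fingerprint attributes must match exactly."""
    if attr == "host-name":
        return observed.startswith(wanted)
    return observed == wanted


def match_profile(endpoint):
    """Return the first profile whose every attribute condition holds, else None."""
    for name, conditions in PROFILES.items():
        if all(_attribute_matches(attr, wanted, str(endpoint.get(attr, "")))
               for attr, wanted in conditions.items()):
            return name
    return None


def authorize(endpoint, alarms):
    """Evaluate the rules top-down like an authorization policy. The fallback rule
    appends a message to `alarms` (the deck's e-mail alarm) whenever it, rather
    than the profile rule, is what admitted the device."""
    mac = endpoint["mac"].lower()
    profile = match_profile(endpoint)
    if profile is not None:
        return {"mac": mac, "rule": "profiled", "profile": profile, "access": "medical-vlan"}
    if mac in MAC_WHITELIST:
        observed = {k: v for k, v in endpoint.items() if k != "mac"}
        alarms.append(f"fallback matched {mac}: profile no longer matches, observed {observed}")
        return {"mac": mac, "rule": "whitelist-fallback", "profile": None, "access": "medical-vlan"}
    return {"mac": mac, "rule": "default", "profile": None, "access": "deny"}


def run_scenario():
    """Three constructed endpoints: a pump before and after a firmware update that
    changed its class identifier and parameter request list, and an unknown device
    presenting a pump-like hostname on a MAC that is neither profiled nor whitelisted."""
    endpoints = [
        {"mac": "00:11:22:AA:BB:01", "dhcp-class-identifier": "PumpOS 2.1",
         "dhcp-parameter-request-list": "1,3,6,15", "host-name": "PUMP-0042"},
        {"mac": "00:11:22:AA:BB:01", "dhcp-class-identifier": "PumpOS 2.2",
         "dhcp-parameter-request-list": "1,3,6,12,15,28", "host-name": "PUMP-0042"},
        {"mac": "00:11:22:aa:bb:99", "dhcp-class-identifier": "Generic-Linux",
         "dhcp-parameter-request-list": "1,2,3,6", "host-name": "PUMP-0099"},
    ]
    alarms = []
    results = [authorize(endpoint, alarms) for endpoint in endpoints]
    return results, alarms


if __name__ == "__main__":
    results, alarms = run_scenario()
    for result in results:
        print(result)
    for alarm in alarms:
        print("ALARM:", alarm)
```

A spoofed MAC copied from the whitelist but presenting different attributes takes the same path as the firmware-updated pump: the fallback rule admits it and the alarm fires, which is exactly the event worth reviewing. A device that is neither profiled nor whitelisted never reaches the medical VLAN.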


Hospital: Paging Dr. Ihateloggingin – Suggestions for better user experience

• Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a web portal or changing a PEAP password.

• Use EAP-TLS

• A better option, if available, would be to use EAP-TLS and CWA-Chaining to a Single Sign On (SSO) server. This would allow the end user to leverage the SSO token for other portals as well. Add an AUP check rule to stay logged in.


Hospital: Nurse Carts/IP Phones – Advice on corporate devices

• Nurses typically use rolling computer carts for charting patient information.

• To ensure continuous connections for these devices, survey your wireless for Voice applications.

• For ease of use and manageability, use Active Directory Group Policy Objects (GPO) to manage the supplicants and certificates of AD joined devices.


Hospital: Medical NAC – Profiles custom built for medical devices

● Secure-access options for healthcare-specific devices

● Identification and classification of healthcare-specific devices (250+ devices)

● Profiling methods and best practices

● Segmentation of medical devices

Thanks Craig!

Public Transportation – Tips for the thrifty traveler


Airport: Hotspot setup with custom redirect – Using AP groups/names

• You can use ISE to target advertising to your clients

• AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location

• Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user.

• Create unique portal pages for each area. Advertisements can be built into the portal page or referenced from an external server.


Airport: Hotspot setup with custom redirect – Using MSE and ISE 2.0

• New to ISE 2.0, you can now leverage Mobility Services Engine (MSE) for physical location tracking

• Location information returned from the MSE can be used in the Authorization rule for directing clients to the portal serving their location.

Soapbox: Buy Public Certificates – Stop teaching users to accept Man-in-the-middle attacks!

Conclusion


Conclusion – Review

• Public Environments can be challenging

• Avoid ISE “meltdowns”

• Keep up to date with versions and patches, be aware of software defects that might affect your environment

• Use advice in this guide to solve challenges in your environment

• Use Real Best Practice to ensure that you have a successful deployment.

Public ISE Community

• Public ISE Community: http://cs.co/ise-community

• Monitored and Responded to by TME’s on my Team

• Ask Questions There

• Get Answers by Cisco Experts & Partners


Security Joins the Customer Connection Program – Customer User Group Program

19,000+ Members Strong

• Who can join: Cisco customers, service providers, solution partners and training partners

• Private online community to connect with peers & Cisco’s Security product teams

• Monthly technical & roadmap briefings via WebEx

• Opportunities to influence product direction

• Local in-person meet ups starting Fall 2016

• New member thank you gift* & badge ribbon when you join in the Cisco Security booth

• Other CCP tracks: Collaboration & Enterprise Networks

Join in World of Solutions: Security zone Customer Connection stand – learn about CCP and join, new member thank-you gift*, Customer Connection Member badge ribbon

Join Online: www.cisco.com/go/ccp

Come to Security zone to get your new member gift* and ribbon

* While supplies last

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Q & A


Thank You
