Device Administration with TACACS+ using ISE 2.X
Aaron T. Woland, CCIE #20113, Principal Engineer, Security Business Group
BRKSEC-2344
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
You are in the right place if your interest is…
Control and Visibility…
Of the Administration of the Devices that form the fabric of your network…
Using ISE with TACACS+.
Laughing and Enjoying a Session at Cisco Live
Aaron Woland, CCIE# 20113
Principal Engineer, Security Business Group
[email protected] | @AaronWoland
http://www.networkworld.com/blog/secure-network-access/
About Me
Live in North Carolina, “the South”.
Southerners Known for:
• Politeness
• Courtesy
• Manners
• BBQ
• Frying Everything!
About Me
But, I am from New York.
New Yorkers Known For:
• Speaking their Mind
• Being Blunt but Truthful
• Not known for our Manners
• Pizza & Bagels!!!!!!!
About Me
I am a Father… Of 4 Daughters!
So... Nothing Scares me anymore!
Sarcasm
“If we can’t laugh at ourselves, then we cannot laugh at anything at all”
Please Fill Out The Survey!
Agenda v2
• Introduction – Why and What is Device Administration AAA
• Device Administration AAA in ISE
  • Design Principles
  • Components (Policy Elements, Policy Sets)
• NAD Types
  • AAA Models
  • Configuring the NADs
• Configuring Device Administration in ISE
  • IOS / WLC / Nexus
• Proof is in the Pudding
• Migrating from ACS to ISE
• Final Questions?

Agenda
• Introduction
• Device Administration AAA in ISE 2.x
• Network Devices
• Configuring ISE for Device Administration
• The Proof is in the Puddin’
• Migrating from ACS to ISE
• Final Conclusions
Why Do Device Administration AAA?
• Centralized Control of Network Devices
  • Ensure Network Devices remain correctly configured
  • Who may do what actions to which devices, under which conditions
• Centralized Visibility of Those Actions
  • Reliably record those actions
  • Who accessed a network device and which commands did they execute?
  • What configuration changes were made?
  • When did this all occur?
• Compliance: SOX, HIPAA, PCI DSS
  • Requires secure auditing and reporting of network configuration changes
AAA: a Key Security Concept
• Authentication, Authorization and Accounting (AAA)
  • Authentication: who the user is
  • Authorization: what they are allowed to do
  • Accounting: recording what they have done
Authentication vs. Authorization
“I’d like 40K from John Chambers’ Account.”
“Do You Have Identification?”
“Yes, I Do. Here It Is.”
“Sorry, Aaron Woland is not Authorized for John Chambers’ Account.”
Two Main Types of AAA
Network Access AAA
• AAA Client: NAS / NAD
• Authentication Protocol: RADIUS
• Common Authentication Protocols: PAP, CHAP, MS-CHAP
Device Administration AAA
• Terminal User connects to the AAA Client (the network device) via Telnet, SSH or Serial; the AAA Client talks to the AAA Server
AAA Protocols
• 2 Main Protocols Designed for AAA:
  • Remote Access Dial-in User Service (RADIUS)
  • Terminal Access Controller Access-Control System (TACACS)
Remote Access Dial-in User Service (RADIUS)
• IETF standard for AAA
• Most common AAA protocol for Network Access
  • Why? Because IEEE 802.1X uses RADIUS
  • 802.1X is used with the vast majority of secure Wi-Fi
• Note: CAN be used for Device Administration, but not as powerful as TACACS+ for that form of AAA
A long time ago in a development lab far, far away…
Terminal Access Controller Access-Control System (TACACS)
• AAA standard protocol designed for controlling access to UNIX terminals
• Cisco enhanced it and created TACACS+, published as an open standard in the early 1990s
• Mainly used for Device Administration
• Can authenticate once and authorize many times
  • Perfect for command authorizations
  • AuthZ results sent for each attempt, not just ONCE with AuthC
AuthC Once + AuthZ Many (TACACS+)
The user opens SSH to the Network Device; the device exchanges the following with the TACACS+ server:

Authentication (AuthC)
• START (authentication) – User trying to connect
• REPLY (authentication) – request username
• CONTINUE (authentication) – username
• REPLY (authentication) – request password
• CONTINUE (authentication) – password
• REPLY (authentication) – Pass → Authentication is Complete

Shell AuthZ
• REQUEST (authorization) – service = shell
• RESPONSE (authorization) – PASS_ADD → EXEC is Authorized
• REQUEST (accounting) – START / RESPONSE – SUCCESS

Command AuthZ (user types: # show run)
• REQUEST (authorization) – service = command
• RESPONSE (authorization) – PASS_ADD → Command is Authorized
• REQUEST (accounting) – CONTINUE / RESPONSE – SUCCESS
Agenda
• Introduction
• Device Administration AAA in ISE 2.x
  • Components (Policy Elements, Policy Sets)
  • Design Principles
• Network Devices
• Configuring ISE for Device Administration
• The Proof is in the Puddin’
• Migrating from ACS to ISE
• Final Conclusions

Device Administration AAA in ISE
TACACS+ is in ISE
So where do we begin?...
Introducing the ISE Device Administration Work Center
Order of Operations: Left to Right on the Menu Bar
Overview: T+ Live Log
Overview: Deployment (ISE 2.2+)
ISE Deployment Node Configuration (OLD WAY)
• Policy Service Node for Protocol Processing
  • Session Services (e.g. Network Access/RADIUS): on by default
  • Device Admin Service (e.g. TACACS+): MUST BE ENABLED FOR DEVICE ADMINISTRATION!!
Identities: Internal Users
• Separate Enable Password: can be defined if the user is to be allowed privileged access after login
• Internal Users – External Password Management: may leverage AD for passwords
• Random Secure Passwords
Identities: Internal Users
• Reality of Internal Identities:
  • Allows ISE Admin to Control Group Membership
  • Can Leverage External DB for Password Management
  • Provides a 2nd Level of Authentication if
  • In my Experience, Not used too Often Anymore
  • Everyone just leverages their AD / LDAP single-source-of-truth
  • Saves the double maintenance and duplication of effort
Identities: External IDs (More Commonly Used)
• Same list of sources as Network Access
• Enable password: can be defined if the user is to be allowed privileged access after login
Identities: External IDs (More Commonly Used)
• Reality of External Identities:
  • Way more common in today’s enterprise
  • Identity Source Sequences can be Used
  • Active Directory Connector is VERY powerful
  • Can Query over 2,000 AD Domains
  • Multi-Forest Support (up to 50 Join Points)
  • See BRKSEC-2132 @ CiscoLive.com for more on Active Directory
  • One Time Password (OTP) Servers
  • 2-factor Authentication for very Secure Environments
For More on Identities
• BRKSEC-2059 – Deploying ISE in a Dynamic Public Environment
• BRKSEC-3699 – Designing ISE for Scale & High Availability
• Online Recorded Sessions:
  • BRKSEC-2132 – What’s new in ISE Active Directory Connector
  • BRKSEC-2695 – Building Enterprise Access Control Architecture using ISE & TrustSec
NADs: Network Device Groups (NDG)
• Build a detailed hierarchy to make Policy Sets and rule creation more powerful
NADs: Network Devices
• TACACS+ Shared Secret
• Single Connect Mode
• Retire the Secret: accept old and new secret for a configured time period
Results (Policy Elements: Authorization Results)
• TACACS Profiles, AKA Shell Profiles
  • Different Types
  • Assigned Level
Results (Policy Elements: Authorization Results)
• Command Sets: lists of commands to Permit / Deny
We Will Dive into These Elements more in the Config Section
Policy Sets
• Policy Set: an ordered list; provides both management AND execution order
• Condition for Policy Set: how the Policy Set is engaged
Policy Sets: Summary View
• Provides an overview of execution conditions
ISE Authentication Processing (“Are you who you say you are?”)
• Policy Set Selection
• Authentication Policy Evaluation
  • Determine authentication protocols
  • Select identity store
  • Validate credentials
  • Evaluate enable
• Authorization
Authentication in the Policy Set
• Authentication Policy Area
Policy Set Authentication Results
• Allowed Protocols
• Identity Source
ISE Authorization Processing
• Policy Set Selection
• Identity Selection
• Authorization Policy Evaluation (Command Set or Profile)
• Reply
Device Administration Authorization in ISE
• Authorization Policy Area
Best Practices for Policy Set Organization
• Optimal Size Mix for Policy Set breakdown in ISE 2.0:
  • 6-10 Policy Sets
  • 60-100 rules
• Divide Complete Policy into robust Silos representing Use Cases
  • e.g. By Device Type
  • By Region
Example Policy
Identity groups: Helpdesk (US, EMEA) and Superuser Admin (US, EMEA); result assigned per device region.

Device \ Identity | US Helpdesk | EMEA Helpdesk | US Superuser | EMEA Superuser
Device: US | Helpdesk | – | Superuser | Helpdesk
Device: EMEA | – | Helpdesk | Helpdesk | Superuser
Design Principles (see BRKSEC-3699 – Designing ISE for Scale & High Availability)
Deployment Considerations
• Should we dedicate an ISE Policy Service Node (PSN) to TACACS+?
• How many PSNs should we dedicate to TACACS+?
• Should we dedicate a deployment to TACACS+?
  • i.e. separate PAN + MnT
Options for Deploying Device Admin
Priorities (according to policy) and the mode that satisfies each:

Priority | Separate Deployment | Separate PSN Mode | Mixed PSN Mode
Separation of Configuration – Yes: Specialization for TACACS+ | ✔ | | 
Separation of Configuration – No: Avoid duplication of shared items; avoid cost of duplicate PAN/PSN | | ✔ | ✔
Separation of Logging Store – Yes: Optimize log retention VM | ✔ | | 
Separation of Logging Store – No: Centralized monitoring | | ✔ | ✔
Independent Scaling of Services – Yes: Scale as needed; avoid NAC/Device Admin load | ✔ | ✔ | 
Independent Scaling of Services – No: Avoid underutilized PSNs | | | ✔

(Diagram labels: Separate Deployment = TACACS and RADIUS in different deployments; Separate PSN Mode = RADIUS PSNs and TACACS PSNs in one deployment; Mixed PSN Mode = TACACS/RADIUS on the same PSNs.)
Large Deployments: Separate Cubes
• ISE Cube 1 (PAN + MnT): PSNs behind VIP1, serving Terminal Users
• ISE Cube 2 (PAN + MnT): PSNs behind VIP2, serving Network Users
• The Network Device sits between the users and the PSNs as the AAA client
Medium Deployments: Separate Cubes
• Single ISE Cube (PAN + MnT)
• Separate PSNs: VIP1 serving Terminal Users, VIP2 serving Network Users
• The Network Device sits between the users and the PSNs as the AAA client
Small Deployments: Separate Cubes
• Single ISE Cube (PAN + MnT)
• PSN VIP1 serving Terminal Users, PSN VIP2 serving Network Users
• The Network Device sits between the users and the PSNs as the AAA client
Why does Aaron Prefer Separate Cubes?
Logging Capacity
• In the large-scale appliance (3595), 320 GB is allocated to TACACS+ logs
• Capacity requirements are variable… Assuming:
  • 4K log per Authentication/Session, 3K log per Command Authorization/Session
  • Each admin has 40 Sessions/day, with 25 commands per session…

Example Calculation of Days Capacity (Admins \ Disk Size):
Admins | 320 GB | 1024 GB | 2048 GB
20 | 1062 | 3398 | 6796
50 | 425 | 1360 | 2719
250 | 85 | 272 | 544
See BRKSEC-3699
The Network Devices
Network Devices do AAA Differently
• Cisco IOS – The Ultimate in Flexibility
  • 16 Privilege Levels (0-15)
  • User Authorized to a level of privilege can execute all commands at that level
  • Authorization into the Shell
  • Authorization per-command
• Cisco WLC – Nice and Easy
  • Assigns a “role” to a User
  • Role = Which Menus they get Write Access to
• Cisco Nexus – Blended
  • Users Authorized to a Role
  • Role = List of Features and Commands Available to User
Cisco IOS
The AAA Method List
aaa type { default | list-name } method-1 [method-2 method-3 method-4]
• type: Authentication, Authorization or Accounting
• default: will affect all things that use the aaa type if you don’t specify otherwise
• list-name: creates a Custom Method List; the name should mean something to you
• Methods, tried in order: [group radius | group tacacs+ | local-case | local | enable | none]
Configuring IOS for TACACS+ authentication
• Device configuration for TACACS+ is vendor/product specific
• Example for IOS:

! Required for TACACS+ AAA
aaa new-model
! TACACS+ server definition
tacacs server ISE-PRIMARY
 address ipv4 10.56.122.51
 key th3k3yu5ed
aaa group server tacacs+ ISE-GROUP
 server name ISE-PRIMARY
! Authentication control
aaa authentication login VTY group ISE-GROUP local
aaa authentication enable default group ISE-GROUP enable
line vty 0 4
 login authentication VTY
Configuring IOS for TACACS+ authorization
• Device configuration for TACACS+ is vendor/product specific
• Example for IOS:

! Enable session (EXEC) authorization
aaa authorization exec VTY group ISE-GROUP local
! Enable command authorization (config-commands also sends configuration-mode commands)
aaa authorization config-commands
aaa authorization commands 0 VTY group ISE-GROUP local
aaa authorization commands 1 VTY group ISE-GROUP local
aaa authorization commands 15 VTY group ISE-GROUP local
line vty 0 4
 authorization exec VTY
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
Configuring IOS for TACACS+ accounting
• Device configuration for TACACS+ is vendor/product specific
• Example for IOS:

aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
Cisco WLC
Configuring WLC for TACACS+ AAA
• T+ first; fallback to Local if T+ is non-responsive
Configuring ISE
The User Account & Group Types

Users | Group | Description
NetAdmin1, NetAdmin2 | NetAdmin | Network Administrators – get full access to everything possible
NetOps1, NetOps2 | NetOps | Network Operators – access, but limited in what changes can be made
SecAdmin1, SecAdmin2 | SecAdmin | Security Administrators – read-only to absolutely everything, including configurations
Helpdesk1, Helpdesk2 | Helpdesk | Helpdesk Personnel – read-only to all show commands, not including show run. No changes permitted at all.
Employee1, Employee2 | Employees | Any other Employee – no access to Shell or UI
Cisco IOS Device Admin Results
TACACS Profile – NetAdmin (IOS)
• IOS Privilege Level: Default = assigned at login; Max = limit reachable with the “enable” command
• Task Type: specific for the device. A nice UI feature, to provide a specific UI per device type
• Idle Time: for high-powered access, limit the session time when there is no activity
TACACS Profile – NetOps (IOS)
• IOS Privilege Level: Default = assigned at login; Max = limit reachable with the “enable” command. Allows privilege escalation when necessary
TACACS Profile – SecAdmin (IOS)
• IOS Privilege Level: SecAdmin will be limited by Command Set instead of Privilege
• Idle Time: for high-powered access, limit the session time when there is no activity
• Timer (absolute time): because you want to mess with them.
TACACS Profile – Helpdesk (IOS)
• IOS Privilege Level: will get all Priv 1 commands, and any specially moved to Priv 2 only.
Command Set – NetAdmin (IOS)
• Permit all Commands: since nothing is listed below, all commands will be permitted.
Command Set – NetOps (IOS)
• Permit all Commands: anything not listed below will be allowed
• DENY_ALWAYS: shutdown and reload will never be permitted, even when stacking permissions. If DENY instead of DENY_ALWAYS, then Permit wins in a Stack
Command Set – SecAdmin (IOS)
• Permit all Commands: anything besides configure will be permitted
• DENY_ALWAYS: configure will never be allowed for Security Admins. All other commands will work.
Command Set – Helpdesk (IOS)
• Deny All Commands: except what is below
• PERMIT: allow all show commands for the privilege level.
Cisco WLC Device Admin Results
TACACS Profiles for the WLC
• No command sets for WLC. It is role based, with its Menus.
TACACS Profile – NetAdmin (WLC)
• All Menus: full access to the WLC
TACACS Profile – SecAdmin (WLC)
• WLAN & Security: read/write to WLAN, read/write to Security, read-only to everything else
TACACS Profile – Helpdesk (WLC)
• Monitor: read-only to the entire UI
TACACS Profile – Employees (WLC)
• Lobby: special role that does not give access to the WLC UI, only to a Guest Management UI
Proof is in the Puddin’
Login to an IOS Device

Username:secadmin1
Password:
3750-X# show privilege
Current privilege level is 15
3750-X# show run
Building configuration...
<SNIP>
3750-X#config t
Command authorization failed.

Username:netops1
Password:
3750-X# show priv
Current privilege level is 7
3750-X# conf t
          ^
% Invalid input detected at '^' marker.
3750-X# show run
Building configuration...
Current configuration : 3191 bytes

This is how:
3750-X#show run | i priv
privilege configure all level 6 interface
privilege configure level 6 authentication
privilege exec level 7 show running-config
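The two gates an admin's command passes through in this deck, the IOS privilege level shown in the “This is how” output and the ISE command set with the PERMIT / DENY / DENY_ALWAYS stacking rules from the Command Set slides, modelled in Python as an added example. This is not Cisco or ISE code: the IOS default levels and the command-set matching are simplified assumptions, while the users, command sets and privilege lines are taken from the slides.

```python
import re
from dataclasses import dataclass, field

# ---- Layer 1: IOS privilege levels (assumed model, not IOS code) ----
# Default IOS levels for the handful of commands used here (constructed subset):
# show commands live at level 1, configuration and reload at level 15.
DEFAULT_PRIV = {"show version": 1, "show running-config": 15,
                "configure terminal": 15, "reload": 15}

def parse_privilege_lines(config):
    """Read 'privilege exec level <n> <command>' lines (as in 'show run | i priv')
    into {command: level}. 'privilege configure ...' lines move config-mode
    sub-commands, which this model does not cover, so they are skipped."""
    overrides = {}
    for line in config.splitlines():
        m = re.match(r"\s*privilege exec (?:all )?level (\d+) (.+)", line)
        if m:
            overrides[m.group(2).strip()] = int(m.group(1))
    return overrides

def ios_allows(command_line, user_level, overrides):
    """IOS only exposes commands at or below the user's level; anything above
    is '% Invalid input'. Abbreviations like 'conf t' are not expanded here."""
    needed = overrides.get(command_line, DEFAULT_PRIV.get(command_line, 15))
    return user_level >= needed

# ---- Layer 2: ISE TACACS+ command sets (assumed model of the deck's slides) ----
@dataclass
class Rule:
    grant: str            # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str          # command keyword, e.g. "show", "configure", "reload"
    arguments: str = ""   # regex on the argument string; "" matches any arguments

@dataclass
class CommandSet:
    name: str
    rules: list = field(default_factory=list)
    permit_unlisted: bool = False   # "Permit any command that is not listed below"

def classify(cs, cmd, args):
    """Designate one command set for this command: DENY_ALWAYS if any matching
    rule says so, else the grant of the first matching rule, else the
    permit-unlisted setting (PERMIT or DENY)."""
    matches = [r for r in cs.rules
               if r.command.lower() == cmd.lower()
               and (not r.arguments or re.search(r.arguments, args))]
    if any(r.grant == "DENY_ALWAYS" for r in matches):
        return "DENY_ALWAYS"
    if matches:
        return matches[0].grant
    return "PERMIT" if cs.permit_unlisted else "DENY"

def ise_authorize(command_sets, command_line):
    """Stack several command sets: any DENY_ALWAYS denies the command; otherwise
    a single PERMIT is enough (a plain DENY loses to another set's PERMIT);
    otherwise the command is denied."""
    cmd, _, args = command_line.strip().partition(" ")
    verdicts = [classify(cs, cmd, args) for cs in command_sets]
    if "DENY_ALWAYS" in verdicts:
        return False
    return "PERMIT" in verdicts

def run_command(command_line, user_level, overrides, command_sets):
    """What the admin sees: the IOS privilege gate first, then the TACACS+
    command authorization request to ISE."""
    if not ios_allows(command_line, user_level, overrides):
        return "% Invalid input detected"
    if not ise_authorize(command_sets, command_line):
        return "Command authorization failed."
    return "OK"

# The four command sets from the deck's IOS results slides.
NETADMIN = CommandSet("NetAdmin", permit_unlisted=True)
NETOPS = CommandSet("NetOps", permit_unlisted=True,
                    rules=[Rule("DENY_ALWAYS", "shutdown"), Rule("DENY_ALWAYS", "reload")])
SECADMIN = CommandSet("SecAdmin", permit_unlisted=True, rules=[Rule("DENY_ALWAYS", "configure")])
HELPDESK = CommandSet("Helpdesk", rules=[Rule("PERMIT", "show")])   # deny everything else
# NetOps with DENY instead of DENY_ALWAYS, to show why the slide insists on DENY_ALWAYS.
NETOPS_SOFT = CommandSet("NetOps-soft", permit_unlisted=True, rules=[Rule("DENY", "reload")])

# Constructed 'show run | i priv' output, copied from the deck's proof slide.
PRIV_CONFIG = """
privilege configure all level 6 interface
privilege configure level 6 authentication
privilege exec level 7 show running-config
"""
PRIV_OVERRIDES = parse_privilege_lines(PRIV_CONFIG)

if __name__ == "__main__":
    for user, level, sets, cmd in [
            ("secadmin1", 15, [SECADMIN], "configure terminal"),
            ("netops1", 7, [NETOPS], "configure terminal"),
            ("netops1", 7, [NETOPS], "show running-config"),
            ("netops1", 15, [NETOPS, NETADMIN], "reload"),
            ("netops1", 15, [NETOPS_SOFT, NETADMIN], "reload")]:
        print(f"{user:10} priv {level:2} {cmd:20} -> {run_command(cmd, level, PRIV_OVERRIDES, sets)}")
```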
Device Admin Live Log
• Columns: Authentication, Exec AuthZ, Command AuthZ
TACACS+ Command Accounting
• ISE Accounting Report records all commands
• Purpose is to audit and fault-find device configuration
• Comprehensive and flexible searching for commands: who, what, when, where
TACACS+ AAA Authentication Reporting
• ISE Authentication Reporting records all passed and failed authentication attempts
• Purpose is to audit and fault-find device – ISE interactions
Login to a WLC Device

Backup Slides: Device Admin Migration from ACS
Comparing ISE to ACS 5
• Core TACACS+ Protocol engine is shared with ACS 5
• However: ISE is not ACS…
  • Different management system (RBAC, GUI etc)
  • Different policy system and GUI
  • Different internal identity store
• “Parity” can be subtle…
Example Parity Issue: ACS 4 vs 5 custom Attributes (screenshots: ACS 4 / ACS 5)
Using the Migration tool
• Migrate to the correct version of ACS
  • ACS 5.5 or ACS 5.6
  • Back up ISE
• Download the tool from ISE
  • Link provided in the Device Administration work center
• Enable the migration interface in ACS/ISE
  • ACS: acs config-web-interface migration enable
  • ISE: application configure ise / option 11
• If you are migrating to ISE with configuration: Back up ISE
  • Save Certificates (export including private keys)
  • Back up ISE configuration
  • Back up system logs
  • Obtain AD credentials to rejoin if needed.
Using the Migration tool
• Run Export → Report → Issues found: update ACS → Run Export again
• Run Import → Report → Issues found: update ACS → Run Import again
ACS 5 to ISE Migration: Identity
• Internal Users Issues
  • Parity Gap
  • Password Type
  • Password Change Next Login + Lifetime
  • Naming Constraints: more illegal chars in ISE
• External Identity Stores
  • Migrate cleanly (as always, check names)
ACS 5 to ISE Migration: Network Devices/NDGs
• Network Device migration caveats for ISE 2.0:
  • IP Ranges not supported in ISE
  • Exclusions supported by “overlapping IPs”
  • IPv4 only
  • Default Device must have RADIUS enabled
• Reconciliation flow for Migration Tool
  • If Device does not exist in ISE (defined by no overlap of IP configuration): then add it
  • If Device does exist (IP/subnet exactly matches) and (name exactly matches): then update details to add TACACS+ elements
  • If only approximate match (name matches exactly, or IP/subnet matches exactly, but not both): then generate error report
ACS 5 to ISE Migration: Authorization Results
• Command Sets and Shell Profiles migrate well
• Main gotcha: object names
  • ISE stricter about names
  • Policy Results namespace shared with Network Access
  • Recommend using a prefix for Device Admin Authorization Results
ACS 5 to ISE Migration: Policy
• ACS 5 Access Service maps to ISE Policy Set
  • ACS 5 Access Service separated from Selection Policy
  • Can have Services that are not engaged
  • Can have services selected by different Service Selection rules
• ACS 5 Group Map
  • Group Map intended as transition step from ACS 4
  • Group Map content must be migrated to Authorization Policy
• Authentication Allowed Protocols
  • Part of Service configuration in ACS 5
  • Policy Result in ISE
ACS 5 to ISE Migration: TACACS+ Proxy
• ACS 5 Proxy Service maps to ISE Policy Set in Proxy Sequence Mode
Migration Best Practices
• Follow recommendations from Migration tool Reports
  • Rename ACS objects using ISE legal chars
  • Move Group Map Policy to Authorization
• Consider ACS 5 to ISE migration as an opportunity to review and refresh Policy
  • Especially if Migrating from ACS 4
ACS to ISE 2.2 feature comparison
ACS vs ISE feature comparison – RADIUS
RADIUS ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
PAP Yes Yes Yes Yes Yes
CHAP Yes Yes Yes Yes Yes
MS-CHAPv1 and v2 Yes Yes Yes Yes Yes
EAP-MD5 Yes Yes Yes Yes Yes
EAP-TLS Yes Yes Yes Yes Yes
PEAP (with EAP-MSCHAPv2 inner method) Yes Yes Yes Yes Yes
PEAP (with EAP-GTC inner method) Yes Yes Yes Yes Yes
PEAP (with EAP-TLS inner method) Yes Yes Yes Yes Yes
EAP-FAST (with EAP-MSCHAPv2 inner method) Yes Yes Yes Yes Yes
EAP-FAST (with EAP-GTC inner method) Yes Yes Yes Yes Yes
EAP-FAST (with EAP-TLS inner method) Yes Yes Yes Yes Yes
EAP Chaining with EAP-FAST No No Yes Yes Yes
RADIUS Proxy Yes Yes Yes Yes Yes
RADIUS VSAs Yes Yes Yes Yes Yes
LEAP Yes Yes Yes Yes Yes
ACS vs ISE feature comparison – TACACS+
TACACS+ ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
TACACS+ per-command authorization and accounting Yes Yes Yes Yes Yes
TACACS+ support in IPv6 networks No Yes No No No
TACACS+ change password Yes Yes Yes Yes Yes
TACACS+ enable handling Yes Yes Yes Yes Yes
TACACS+ custom services Yes Yes Yes Yes Yes
TACACS+ proxy Yes Yes Yes Yes Yes
TACACS+ optional attributes Yes Yes Yes Yes Yes
TACACS+ additional auth types (CHAP / MSCHAP) Yes Yes Yes Yes Yes
TACACS+ attribute substitution for Shell profiles Yes Yes Yes Yes Yes
TACACS+ customizable port Yes Yes No Yes Yes
ACS vs ISE feature comparison – Internal users and Admins
Internal Users / Administrators ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
Users: Password complexity Yes Yes Yes Yes Yes
Users: Password aging Yes Yes(1) Yes(1) Yes(1) Yes(1)
  1. Warning and disable after defined interval. Grace period is not supported.
Users: Password history Yes Yes Yes Yes Yes
Users: Max failed attempts Yes Yes Yes Yes Yes
Users: Disable user after n day of inactivity Yes Yes No Yes Yes
Admin: Password complexity Yes Yes Yes Yes Yes
Admin: Password aging Yes Yes Yes Yes Yes
Admin: Password history Yes Yes Yes Yes Yes
Admin: Max failed attempts Yes Yes Yes Yes Yes
Admin: Password inactivity Yes Yes No Yes Yes
Admin: entitlement report Yes Yes Yes Yes Yes
Admin: session and access restrictions Yes Yes Yes Yes Yes
ACS to ISE feature comparison – MAR, Conditions, Logs, Network Devices
Machine Access Restriction, Conditions, Logs, Network devices ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
Machine Access Restrictions
Machine Access Restrictions caching and Distribution Yes Yes Yes(1) Yes(1) Yes(1)
  1. ISE 2.0 supports only MAR cache. ISE 2.1 supports MAR cache between restarts but not distribution.
Conditions/Filters
Network Access Restrictions (NARs) Yes Yes No No Yes
Time based permissions Yes Yes Yes Yes Yes
Log Management
Log Viewing and reports Yes Yes Yes Yes Yes
Export logs via SYSLOG Yes Yes Yes Yes Yes
Network Devices
Configure network devices with IP address ranges Yes Yes No No Partially(1)
  1. When migrating from ACS to ISE, the Migration Tool automatically converts IP ranges in the last octet of the IP.
Lookup Network Device by IP address Yes Yes Yes(1) Yes Yes
  1. Can search by IP address, but this can’t be used in combination with other fields as search criteria.
ACS to ISE feature comparison – Security management, Tools and utilities
PKI / Security Management, Tools and utilities ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
PKI / Security management
Configurable management HTTPS certificate Yes Yes Yes Yes Yes
CRL: Multiple URL definition Yes No No No No
CRL: LDAP based definition Yes No Yes Yes Yes
Online Certificate Status Protocol (OCSP) Yes Yes Yes Yes Yes
Secure Syslogs No Yes Yes Yes Yes
EAP-TLS Certificate lookup in LDAP or AD Yes Yes Yes Yes Yes
Tools and Utilities
Programmatic Interface for network device CRUD operations Yes Yes Yes Yes Yes
Command line / scripting interface (CSUtil) Yes No No No No
API for users, groups and end-point CRUD operations Yes Yes Yes Yes Yes
Import and Export of Command Sets Yes Yes No No No
Users: User change password (UCP) utility Yes Yes No No No
ACS to ISE feature comparison – Miscellaneous
Miscellaneous ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
Group Mapping Yes Yes No No(1) No(1)
  1. Workaround: Use authorization conditions in ISE authorization policy.
RSA Token caching Yes Yes No No Yes
Adding hosts with Wildcards Yes Yes No No No
Alarm notification on a per-item level N/A Yes No No No
Configurable RADIUS ports Yes No No Yes Yes
Allow Special characters in object name Yes Yes No No Partially(1)
  1. Migration tool automatically converts any special character unsupported by ISE to "_".
Multiple NIC interfaces N/A Yes Yes Yes Yes
Maximum concurrent sessions per user/group Yes Yes No No Yes(1)
  1. For internal users.
Dial-in Attribute Support Yes Yes No No Yes
RBAC for ISE Admin to allow administrators' rights to access/modify only subset(s) of a class of objects Yes No No Yes Yes
Non-Supported features
Features that will have no ISE support ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
Leap Proxy Yes No No No No
Ability to select logging attributes for syslog messages Yes No No No No
Logging to external DB (via ODBC) Yes Yes(1) No No No
  1. Data can be exported from M&T for reporting. Not supported as a log target that can be defined as critical logger.
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Q & A
Thank You