Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. ISE BYOD. Jim Kotantoulas, Consulting Systems Engineer – Security Technologies.

Presentation transcript:

Slide 1: ISE BYOD. Jim Kotantoulas, Consulting Systems Engineer – Security Technologies. 02/26/2014

Slide 2: IT trends, end-user expectations and goals
- Over 15 billion devices by 2015, with the average worker using 3 devices
- New workspace: anywhere, anytime
- 71% of the next-generation (Gen Y) workforce do not obey policies
- 60% will download sensitive data onto a personal device
- 50% of workloads are virtualized, to increase efficiency
- 2/3 of workloads will be in the cloud by [year not captured in the transcript]
- [percentage not captured in the transcript] of the world's mobile data traffic will be video in 2016
- Mobile malware has doubled (2010 to 2011)
- 39% [statistic label not captured in the transcript]
- Goals: reduce security risk, improve end-user productivity, increase operational efficiencies

Slide 3: BYOD: improved productivity, lower cost, added security
- Consistent network-wide policy control with differentiated access control
- Secure access control ("connecting things"): device visibility (profiling), posture, contextual control, AAA
- Challenge: identifying what is on the network. Approach: device fingerprinting (identifying "things") and posture analysis
- Challenge: ensuring a consistent end-to-end policy that is topology independent. Approach: Cisco TrustSec and policy management
- Challenge: supporting BYOD without increasing IT operational cost. Approach: a zero-touch portal automates device registration, application containerization and device posture
- Verticals shown: technology, utility, energy, healthcare, higher education, secondary education

Slide 4: ISE = BYOD engine
- Guest access: it is easy to give guests time-limited access to a limited set of resources
- Secure access on wired, wireless and VPN: control with one policy across wired, wireless and remote infrastructure
- BYOD: users get onto the internet safely, fast and easily
- TrustSec network policy: rules written in business terms control access

Slide 5: BYOx agenda
- What is all the hype about?
- Example strategies
- On-boarding
- Provisioning policies
- Building a BYOD authorization (AuthZ) policy

Slide 6: Executive bling and the "i-Revolution". What is driving this new hype?
- Top-down demand and a new generation: "Our CEO went to a retail conference recently and won an iPad. He demands we allow it access to the network, because it is a productivity tool and we are prohibiting his productivity without the iPad."
- New requirement: allow access to i-devices
- New term: "Bring Your Own Device" (BYOD)

Slide 7: What makes a BYOD policy? The machine-auth approach
- Flow: Start here → Corp asset? Yes → Access-Accept; No → Access-Reject
- Only corporate devices may access my network, period.
- Use EAP-TLS with AD-issued, non-exportable machine certificates.
- That is our "BYOD" policy.
- Not too common anymore.

Slide 8: What makes a BYOD policy? The VDx approach
- Flow: Start here → Corp asset? Yes → Access-Accept; No → limited access to the VDI farm only
- Only corporate devices may access my corporate network.
- Others should get RDP/ICA to a VDI farm.
- Could use profiling to determine whether a device is a corporate asset.
- Could use certificates, or machine auth with PEAP-MSCHAPv2.
- Happening a good bit.

Slide 9: What makes a BYOD policy? Even more complicated
- Decision points in the flow: Start here → Employee? → i-Device? → Registered device? → Registered guest?
- Outcomes: Access-Accept, Internet only, Access-Reject

Slide 10: What makes a BYOD policy? The policy server is critical to meeting your goals. Identity Services Engine = BYOD engine!
- Who? Known users (employees, sales, HR); unknown users (guests)
- What? Device identity; device classification (profile); device health (posture)
- How? Wired; wireless; VPN
- Where? Geographic location; department; SSID / switchport
- When? Date; time; start/stop access
- Other? Custom attributes; device/user states; applications used

Slide 11: ISE device onboarding (certificate provisioning, supplicant provisioning, self-service model for iOS, Android, Windows and Mac OS X, MyDevices portal)
- Provision a certificate for the device, based on employee ID and device ID.
- Provision the native supplicant for the device (iOS, Android, Windows and Mac OS X), using EAP-TLS or PEAP.
- Employees get a self-service portal; lost devices are blacklisted.
- Self-service model: IT does not need to be in the middle.

Slide 12: SSID = CORP authorization policy
1. Any PEAP authentication in the CORP SSID: send directly to native supplicant provisioning.
2. Add Centralized Web Auth (CWA) to the open/guest SSID: we need to know who they are, and whether we should provision them.
Exchange shown:
- Employee device: RADIUS Access-Request, PEAP-MSCHAPv2, EAP identity = Employee1
- ISE: matched rule = PEAP… redirect to supplicant provisioning…
- ISE replies: RADIUS Access-Accept with [cisco-av-pair] url-redirect-acl=AGENT-REDIRECT and [cisco-av-pair] url-redirect=…ssionIdValue&action=nsp (portal URL truncated in the transcript)

Slide 13: SSID = GUEST authorization policy (employee on the guest SSID)
1. Any PEAP authentication: send directly to native supplicant provisioning.
2. Add CWA to the open SSID: we need to know who they are, and whether we should provision them.
Exchange shown:
- Employee device: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
- ISE replies: RADIUS Access-Accept with [cisco-av-pair] url-redirect-acl=AGENT-REDIRECT and [cisco-av-pair] url-redirect=…ssionIdValue&action=cwa
- Employee authentication succeeded in the CWA portal: user != Guest, so start the self-provisioning flow.

Slide 14: SSID = GUEST authorization policy (continued)
1. Any PEAP authentication: send directly to native supplicant provisioning.
2. Add CWA to the open SSID: we need to know who they are, and whether we should provision them.
Exchange shown:
- Employee authentication succeeded… send CoA… start native supplicant provisioning.
- ISE: Change of Authorization request; CoA ACK/NAK
- Employee device: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
- ISE replies: RADIUS Access-Accept with [cisco-av-pair] url-redirect-acl=NSP-ACL and [cisco-av-pair] url-redirect=…sionIdValue&action=nsp
- User != Guest; self-provisioning flow disabled, continue with onboarding.

Slide 15: Native supplicant provisioning (iOS use case). Three phases: device registration, device enrollment, device provisioning.
Device registration:
- Employee opens HTTPS to the NSP portal.
- ISE sends its CA certificate to the endpoint, for trust with OTA.
- User clicks Register.
Device enrollment:
- ISE sends the Profile Service to the iOS device.
- A CSR is generated on iOS and sent to ISE; ISE forwards it via SCEP to the MS certificate authority.
- Device certificate issued: CN = 74ba333ef6548dfc82054d0c7fec36e6ddddcbf1, SAN = 00-0a-95-7f-de-06; certificate sent to ISE; ISE sends the device certificate to the iOS device.
Device provisioning:
- ISE sends the device BYOD_Profile to the iOS device: encrypted Profile Service (signing certificate + user certificate) and a Wi-Fi profile with EAP-TLS configured.
- A CSR is generated and sent to ISE; SCEP to the MS certificate authority.
- User certificate issued: CN = Employee, SAN = 00-0a-95-7f-de-06; certificate sent to ISE; ISE sends the user certificate to the iOS device.
- Endpoint placed in RegisteredDevices; device connects to SSID = CTS-CORP with EAP-TLS.

Slide 16: Wi-Fi profile (client provisioning resource). Options: wired, wireless or both; specify the SSID; WPA or WPA2; TLS or PEAP.

Slide 17: Client provisioning policy. Conditions: user, OS. Result: supplicant.

Slide 18: BYOD policy in ISE. Conditions: user, device, AuthC method. Result: authorization.

Slides 19–20: SSID = GUEST authorization policy (guest)
1. Any PEAP authentication: send directly to native supplicant provisioning.
2. Add CWA to the open SSID: we need to know who they are, and whether we should provision them.
Exchange shown:
- Guest device: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
- ISE: matched rule = Open Rule… send HTTP traffic to the CWA portal.
- ISE replies: RADIUS Access-Accept with [cisco-av-pair] url-redirect-acl=AGENT-REDIRECT and [cisco-av-pair] url-redirect=…ssionIdValue&action=cwa

Slide 21: SSID = GUEST guest flow
1. Any PEAP authentication: send directly to native supplicant provisioning.
2. Add CWA to the open SSID: we need to know who they are, and whether we should provision them.
Exchange shown:
- Guest device: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
- Guest authentication succeeded… send CoA…
- ISE: Change of Authorization request; CoA ACK/NAK
- User = Guest: bypass the self-provisioning flow.
- ISE replies: RADIUS Access-Accept
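The redirect-then-CoA sequence of slides 12 to 21, as an added Python model that is not part of the presentation or of Cisco ISE: first-match authorization rules return the cisco-av-pairs for the CORP and GUEST SSIDs, and a CWA portal login triggers the CoA re-authorization. The portal host name and the sessionId parameter are assumptions, since the transcript truncates the URL.

```python
"""Toy model of the ISE authorization rules on slides 12-21 (constructed
example, not Cisco code). Portal host and sessionId parameter are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional

PORTAL = "https://ise.example.invalid:8443/guestportal/gateway"  # assumed placeholder


@dataclass
class Request:
    ssid: str
    eap: Optional[str]                  # "EAP-TLS", "PEAP", or None for MAB
    identity: str                       # EAP identity or calling-station-id (MAC)
    registered: bool = False            # endpoint is in RegisteredDevices
    session_id: str = "sessionIdValue"
    portal_group: Optional[str] = None  # identity group learned at the CWA portal


@dataclass
class Result:
    decision: str                       # "Access-Accept" or "Access-Reject"
    av_pairs: List[str] = field(default_factory=list)
    matched_rule: str = ""
    coa: bool = False                   # ISE pushed a CoA before this applied


def redirect(acl: str, session_id: str, action: str) -> List[str]:
    """The two cisco-av-pairs that make the access device redirect HTTP to an ISE portal."""
    return [f"url-redirect-acl={acl}",
            f"url-redirect={PORTAL}?sessionId={session_id}&action={action}"]


def authorize(req: Request) -> Result:
    """First-match evaluation, like an ISE authorization policy table."""
    if req.ssid == "CORP":
        if req.eap == "EAP-TLS" and req.registered:     # onboarded device, full access
            return Result("Access-Accept", matched_rule="Registered EAP-TLS")
        if req.eap == "PEAP":                           # slide 12: send to NSP
            return Result("Access-Accept", redirect("AGENT-REDIRECT", req.session_id, "nsp"), "PEAP")
        return Result("Access-Reject", matched_rule="Default")
    if req.ssid == "GUEST":
        if req.portal_group is None:                    # slides 19-20: Open Rule, go to CWA
            return Result("Access-Accept", redirect("AGENT-REDIRECT", req.session_id, "cwa"), "Open Rule")
        if req.portal_group != "Guest":                 # slide 14: employee, onboard via NSP
            return Result("Access-Accept", redirect("NSP-ACL", req.session_id, "nsp"), "Employee via CWA")
        return Result("Access-Accept", matched_rule="Guest via CWA")  # slide 21: bypass NSP
    return Result("Access-Reject", matched_rule="Default")


def portal_login(req: Request, group: str) -> Result:
    """CWA portal authentication succeeded: ISE sends a CoA and the session is re-authorized."""
    req.portal_group = group
    result = authorize(req)
    result.coa = True
    return result
```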

Slide 22: ISE device access control and MDM (ISE 1.2)
- ISE: device profiling, BYOD on-boarding, device access control
- MDM (Mobile Device Manager): device compliance, mobile application management, securing data at rest
- Best practice today: MDM cannot "see" non-registered devices to enforce device security, but the network can!
- The new way: ISE and MDM enforce mobile device compliance together:
  - Forces on-boarding to MDM for personal devices used for work
  - Registers but restricts access for personal devices not managed by MDM
  - Quarantines non-compliant devices based on MDM policy
- Partner MDM versions listed: 6.2, 5.0, 7.1, 2.3 (vendor names not captured in the transcript)

Slide 23: MDM device registration via ISE
- Non-registered clients are redirected to the MDM registration page.
- Restricted access: non-compliant clients are given restricted access based on policy.
- Endpoint MDM agent: compliance; device applications check.
- Device action from ISE: device stolen → wipe data on the client.
- Survivability: new attribute added.

Slide 24: MDM attributes available for policy conditions
- Compliance based on: the general Compliant or !Compliant status (macro level), OR disk encryption enabled, PIN lock enabled and jailbroken status (micro level).
- ISE can query the MDM server using APIs.
- "Passive reassessment": bulk recheck against the MDM server using a configurable timer. If the periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session.
- Survivability attribute.

Slide 25: ISE + MDM authorization flow
- Registered? (ISE BYOD registration via the MyDevices portal) No → Access-Reject
- MDM register: ISE portal links to MDM onboarding
- MDM compliant? Yes → Access-Accept; No → ISE portal for MDM non-compliance, Internet only
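The compliance decision of slides 24 and 25 together with the passive-reassessment timer, as an added Python model that is not the presentation's or any vendor's code. The MDM API is replaced by a lookup function, and treating an unreachable MDM as "keep the session" is an assumption standing in for the survivability attribute the slides only name.

```python
"""Toy model of ISE + MDM compliance (slides 24-25); constructed example,
not Cisco or MDM vendor code. query_mdm stands in for the vendor API."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class MdmStatus:
    registered: bool
    compliant: bool          # macro level: the MDM's own Compliant / !Compliant verdict
    disk_encryption: bool    # micro level attributes
    pin_lock: bool
    jailbroken: bool


def mdm_compliant(s: MdmStatus, micro: bool) -> bool:
    """Macro check trusts the MDM verdict; micro check evaluates the attributes."""
    if not micro:
        return s.compliant
    return s.disk_encryption and s.pin_lock and not s.jailbroken


def authorize(ise_registered: bool, mdm: MdmStatus, micro: bool = False) -> str:
    """Slide 25 flow: ISE registration -> MDM registration -> MDM compliance."""
    if not ise_registered:
        return "Access-Reject"                       # no MyDevices/BYOD registration
    if not mdm.registered:
        return "Redirect: MDM onboarding portal"     # ISE portal links to MDM onboarding
    if not mdm_compliant(mdm, micro):
        return "Internet Only (MDM non-compliance portal)"
    return "Access-Accept"


def passive_reassessment(sessions: Dict[str, str],
                         query_mdm: Callable[[str], Optional[MdmStatus]],
                         micro: bool = False) -> List[str]:
    """Timer-driven bulk recheck: return the session ids ISE should terminate via CoA."""
    terminate = []
    for session_id, mac in sessions.items():
        status = query_mdm(mac)
        if status is None:        # MDM unreachable: keeping the session is an assumption
            continue              # (the slides only name a 'survivability' attribute)
        if not (status.registered and mdm_compliant(status, micro)):
            terminate.append(session_id)
    return terminate
```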

Slide 26: Registration and compliance attributes: ISE Registered, MDM Registered, Jail Broken, PIN Locked, Encryption.

Slide 27: Mobile Device Management report.

Slide 28: Roadmap
1. Native MDM features in ISE: leverages ISE as the device manager and AnyConnect Mobile as the MDM agent (deliver native MDM and integrate with AnyConnect).
2. Integration of ISE and ASA: enforce ISE policy for remote access users.
3. Deliver a new set of APIs (pxGrid): expand the ISE ecosystem with new APIs (Lancope, Prime, …).
4. Deliver highly requested features: multiple AD forest support; Guest API.

Thank you.