Location Based Services with Mobility Services Engine: ISE Location Services
Secure Access and Mobility
Jason Kunst, Technical Marketing Engineer, March 2016
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
- Overview: Cisco Mobility Services Engine; ISE Location Based Authorization
- Administrative Configurations: Prime/MSE configuration; Location Service configuration; Authorization Policy configuration; Movement Tracking configuration; Reports and Alerts
- Troubleshooting/Logging: MSE server status troubleshooting; Location Based Authorization logging; Movement Tracking logging
- Demo

Agenda: Overview (Cisco Mobility Services Engine, ISE Location Based Authorization)
Enhance Control with Location-Based Authorization
With the Integration of Cisco Mobility Services Engine (MSE)

What's New for Cisco ISE 2.0?
Feature highlight: the integration of Cisco MSE adds the physical location of a user and/or endpoint to the context by which access is authorized.

Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.

Benefits
- Granular control of network access with location-based authorization for individual users
- Simplified management by configuring authorization with Cisco ISE management tools
- Enhanced policy enforcement with automated location check and reauthorization

Capabilities
- Enables configuration of a location hierarchy across all location entities
- Applies Cisco MSE location attributes to the access request, to be used in the authorization policy
- Checks Cisco MSE periodically for location changes
- Reauthorizes access based on the new location

Figure (hospital example): a doctor's access to patient data depends on the doctor's location. Patient data access locations are Patient Room and ER (access to patient data); Lobby and Lab give no access to patient data.
Location Based Authorization
Authorize user access to the network based on their location. What's different in this location? Use cases that customers care about.

- Cisco Mobility Services Engine (MSE) is a product that supplies location services.
- Cisco Prime Infrastructure provides the GUI to configure the MSE and maps and to manage wireless.
- MSE provides an API to request a device's location by its MAC address and to get the site location hierarchy structure.
- ISE gets a list of endpoint locations from the MSE in the hierarchy format Campus:Building:Floor:Zone

Differentiator: MSE Location Integration
Major Technical Outcome: Provide access based on physical location
Major Business Outcome: Use more accurate means to provide access; heightened value of Cisco+Cisco

MSE Integration
- Focuses on physical location rather than logical location
- Ability to use MSE's location attributes in the AuthZ policy (Mobility Services Engine 8.0)
- Periodically check MSE for location change
- Reauthorize based on location changes
Figure: Location Integration (physical vs. logical location)
Step 1: Cisco Prime
Define the entire hierarchy of location entities that will be used in the authorization process and synchronize this data with the MSE server. Secured areas must be defined manually on the floor map.
Design / setup note: the ISE server communicates only with the MSE server via REST APIs, so the Prime server used for location configuration does not need to be defined on ISE.

Step 2: Mobility Services Engine
ISE queries the Mobility Services Engine using its REST API to get the location of a device by its MAC address. The site location hierarchy is uploaded from the MSE server after the MSE is configured on ISE.
Design / setup note, MSE High Availability: by design, if the primary MSE fails, the secondary MSE takes over and the virtual address of the primary MSE is switched transparently. This process should be transparent to ISE, so only the primary MSE IP address is configured.

Step 3: ISE 2.0
The administrator configures an authorization rule with a location-based attribute, such as:
MSE.Location Equals LND_Campus1:Building1:Floor2:SecureZone
Design / setup note, endpoint movement: ISE can be configured to track the movement of an endpoint after authentication, using its MAC address. ISE queries the endpoint's location about every 5 minutes after the last check to verify whether the location has changed:
- No location change: do nothing
- New location received: update the session with the new information, invoke a CoA for the session, and apply the new authorization rule
Additional Info
- ISE queries one or multiple MSE servers using the REST API to get the site location structure and to evaluate the endpoint location based on MAC address
- Supported for dot1x, MAB and Guest Webauth flows
- Location based services require an ISE Base license and an MSE Base license
- On Prime, the MSE Context Aware service must be enabled
- Supported versions: Cisco MSE – (not MSE 10.1); Cisco Prime – 2.1/2.2 (not 3.0)

ISE queries MSE for location criteria
Location information is not cached. Location is queried in the following instances:
- Any authentication event (fresh auth or reauth) that hits an authorization rule with a location condition. As with AD, LDAP and other ID stores, the attributes are fetched dynamically when the specific condition is hit.
- Every 5 minutes for devices that are already authenticated and match an authorization profile that has Tracking enabled. Every MAC address is polled at the same time.
One-way communication: we understand it would be nice to be updated more often, or to be triggered by a location change from the MSE. Currently ISE only polls the MSE.

Performance info
- Updates every 5 minutes for ALL tracked endpoints. There is no way to tweak the 5-minute setting, due to the MSE API's limitations: the MSE API supports only 150 updates per second. In large deployments with many users, even if we could configure 1 minute on our side, the MSE would not be able to provide updates that fast.
- 5 MSEs per deployment are supported
- It is suggested to have no more than 5000 active sessions with the Track Movement option enabled per PSN node in the deployment
Prime/MSE configuration
Create the hierarchical location structure on Prime in the format Campus/Building/Floor

Prime/MSE configuration – zone configuration
Define zones

Prime/MSE configuration – sync to MSE
Make sure to sync the location hierarchy structure to the MSE server: Maps > Wireless Maps > Site Maps

Location Service Configuration on ISE
Define the MSE server: Administration > Network Resources > Location Services > Location Servers

Location Service Configuration on ISE (cont.)
Location Tree: Get Update after adding an MSE or updating the location structure on Prime. Select/unselect the location entries that are exposed to the authorization policy and save.

Movement Tracking Configuration
To allow movement tracking of authorized users, select the 'Track Movement' option on the authorization profile. ISE queries the relevant MSE for the endpoint location every 5 minutes to verify whether the location has changed; if the endpoint location has changed, a CoA-push is sent to reauthenticate the endpoint.
Tracking multiple users may impact performance. The Track Movement option can be used for high-security locations, for example movement between ER/Patient Rooms and the cafeteria (HIPAA).

Authorization Policy Configuration
Create the authorization policy condition using the MSE dictionary and the MapLocation attribute. When tracking changes between secure/unsecure locations, you will need to choose an authorization profile with Track Movement enabled.
Detailed RADIUS Live Log for a successful authentication

RADIUS Authentication report
Operations -> Reports -> Endpoint and Users -> RADIUS Authentications; select the MSE-related attributes

MSE Server Alerts
- Dashboard alert if the MSE server is down (displayed only once per MSE when the disconnect is detected)
- Dashboard alert when the MSE server is back online
MSE server status
After the MSE server is configured, it is possible to test the connection status and REST service availability. The three states shown are:
- MSE server is up and the REST service is available
- MSE server REST service is unavailable
- MSE server network issue

Endpoint Location Check
It is possible to check an endpoint's location using its MAC address

Location Based Authorization Debug Log
Check prrt-management.log for authorization flow details and also for configuration troubleshooting. Set the prrt-JNI component to DEBUG level.

Track Movement Debug Log
Check prrt-management.log

MSE API reference: documentation
APIs used. The following APIs are used to get location data (<MSE-URL> and <MAC-ADDRESS> are placeholders for the MSE server URL and the endpoint's MAC address):

To get the location of a client by MAC address:
curl -v -k -X GET -H 'ACCEPT: application/xml' '<MSE-URL>/api/contextaware/v1/location/clients/<MAC-ADDRESS>'

To get the hierarchy structure:
curl -v -k -X GET -H 'ACCEPT: application/xml' '<MSE-URL>/api/contextaware/v1/maps'
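As an added illustration (not code from the deck or from ISE), the following Python script models what ISE does with the client-location reply above: it converts the MSE map hierarchy into the Campus:Building:Floor form used in authorization conditions, evaluates an "MSE.Location Equals ..." condition, and runs the 5-minute Track Movement poll to find sessions that need a CoA. The MSE replies are constructed; the mapHierarchyString attribute name is assumed from MSE's Context Aware API, and the "Under" operator is an added generalization beyond the Equals condition the slides show.

```python
import xml.etree.ElementTree as ET

# Constructed MSE replies for two 5-minute polls of two tracked MACs (the MACs,
# site names and the mapHierarchyString attribute are assumptions, not real data).
def _reply(mac, hierarchy):
    return ('<WirelessClientLocation macAddress="%s">'
            '<MapInfo mapHierarchyString="%s"/></WirelessClientLocation>' % (mac, hierarchy))

POLL_ROUNDS = [
    {"00:11:22:33:44:55": _reply("00:11:22:33:44:55", "LND_Campus1>Building1>Floor2"),
     "66:77:88:99:aa:bb": _reply("66:77:88:99:aa:bb", "LND_Campus1>Building1>Floor2")},
    {"00:11:22:33:44:55": _reply("00:11:22:33:44:55", "LND_Campus1>Building1>Floor2"),
     "66:77:88:99:aa:bb": _reply("66:77:88:99:aa:bb", "LND_Campus1>Building1>Lobby")},
]

def ise_location(xml_text):
    """Convert an MSE client-location reply into ISE's Campus:Building:Floor form."""
    info = ET.fromstring(xml_text).find("MapInfo")
    if info is None:          # MSE has no location fix for this client
        return None
    return info.get("mapHierarchyString", "").replace(">", ":")

def matches(location, operator, value):
    """Evaluate an ISE-style 'MSE.Location <operator> <value>' condition.
    'Equals' is what the slides show; 'Under' matches the whole subtree (added)."""
    if location is None:
        return False
    if operator == "Equals":
        return location == value
    if operator == "Under":
        return location == value or location.startswith(value + ":")
    raise ValueError("unsupported operator: " + operator)

def poll_once(last_seen, replies):
    """One Track Movement poll: (mac, old, new) for each endpoint that moved, i.e. a CoA."""
    changed = []
    for mac, xml_text in replies.items():
        loc = ise_location(xml_text)
        if mac in last_seen and last_seen[mac] != loc:
            changed.append((mac, last_seen[mac], loc))
        last_seen[mac] = loc
    return changed

def simulate(rounds):
    """Run the polls in order and collect the CoA triggers per round."""
    last_seen, coa_per_round = {}, []
    for replies in rounds:
        coa_per_round.append(poll_once(last_seen, replies))
    return coa_per_round
```

In the second poll only the second endpoint has moved (Floor2 to Lobby), so only that session is reported for a CoA.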
cisco.com/go/ise