Published by Curtis Baldwin. Modified over 8 years ago.
Slide 1
ISE BYOD
Jim Kotantoulas, Consulting Systems Engineer – Security Technologies
02/26/2014
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Slide 2
IT trends and end-user expectations:
‒ 39% (figure label; its caption was not extracted)
‒ Over 15 billion devices by 2015, with the average worker using 3 devices
‒ New workspace: anywhere, anytime
‒ 71% of the next-gen (Gen Y) workforce do not obey policies
‒ 60% will download sensitive data onto a personal device
‒ 50% of workloads are virtualized, to increase efficiency
‒ 2/3 of workloads will be in the cloud by 2016
‒ 71% of the world's mobile data traffic will be video in 2016
‒ Mobile malware has doubled (2010 to 2011)
Goals: reduce security risk, improve end-user productivity, increase operational efficiencies.
Slide 3
BYOD: improved productivity, lower cost, added security
‒ Consistent network-wide policy control; differentiated access control.
‒ Secure Access Control – connecting things: device visibility (profiling), posture, contextual control, AAA.
Challenge: identifying what is on the network.
‒ Device fingerprinting (identifying "things"), posture analysis.
Challenge: ensure a consistent end-to-end policy that is topology independent.
‒ Cisco TrustSec and policy management.
Challenge: support BYOD without increasing IT operational cost.
‒ Zero-touch portal automates device registration, application containerization, device posture.
Verticals shown: Technology, Utility, Energy, Healthcare, Higher Ed, Secondary Ed.
Slide 4
ISE = BYOD Engine
‒ Guest Access: it's easy to provide guests limited-time and limited-resource access.
‒ Secure Access on Wired, Wireless & VPN: control with one policy across wired, wireless and remote infrastructure.
‒ BYOD: users get safely onto the internet, fast and easy.
‒ TrustSec Network Policy: rules written in business terms control access.
Slide 5
BYOx Agenda
‒ What is all the hype about?
‒ Example strategies
‒ On-boarding
‒ Provisioning policies
‒ Building a BYOD AuthZ policy
Slide 6
What is driving this new hype? Executive bling & the "i-Revolution"
‒ Top-down demand & a new generation: "Our CEO went to a retail conference recently and won an iPad. He demands we allow it access to the network, because it is a productivity tool and we are prohibiting his productivity without the iPad."
‒ New requirement: allow access to i-devices.
‒ New term: "Bring Your Own Device" (BYOD).
Slide 7
What makes a BYOD policy? Machine-Auth approach
Flow: Start here → Corp Asset? → yes: Access-Accept; no: Access-Reject.
‒ Only corporate devices may access my network, period.
‒ Use EAP-TLS with AD-issued non-exportable machine certificates.
‒ That is our "BYOD" policy.
Not too common anymore.
Slide 8
What makes a BYOD policy? VDx approach
Flow: Start here → Corp Asset? → yes: Access-Accept; no: limited access to the VDI farm only.
‒ Only corporate devices may access my corporate network.
‒ Others should get RDP/ICA to a VDI farm.
‒ Could use profiling to determine Corp Asset.
‒ Could use certs or Machine-Auth with PEAP-MSCHAPv2.
Happening a good bit.
Slide 9
What makes a BYOD policy? Even more complicated
Decision tree: Start here → Employee? → i-Device? → Registered Device?; for non-employees, Registered Guest? Outcomes: Access-Accept, Internet Only, Access-Reject.
Slide 10
What makes a BYOD policy? The policy server is critical to meeting your goals. Identity Services Engine = BYOD engine!
‒ Who? Known users (Employees, Sales, HR); unknown users (Guests)
‒ What? Device identity; device classification (profile); device health (posture)
‒ How? Wired; Wireless; VPN
‒ Where? Geographic location; department; SSID / switchport
‒ When? Date; time; start/stop access
‒ Other? Custom attributes; device/user states; applications used
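The three decision trees on slides 7 to 9, written out as one small policy module. This is an added example, not Cisco ISE code: the `Context` fields are a subset of the "who / what / how" attributes listed above, and the branch order for slide 9 (Employee? then i-Device? then Registered Device?, with non-employees checked against Registered Guest?) is the reading assumed here, since the slide's arrows did not survive extraction.

```python
"""BYOD authorization decision trees from slides 7-9, as an added example.

Not Cisco ISE code. Context fields and the slide 9 branch order are assumptions
chosen to match the labels on the slides.
"""
from dataclasses import dataclass
from enum import Enum


class Result(str, Enum):
    ACCESS_ACCEPT = "Access-Accept"
    ACCESS_REJECT = "Access-Reject"
    INTERNET_ONLY = "Internet Only"
    VDI_ONLY = "Limited Access to VDI farm only"


@dataclass(frozen=True)
class Context:
    """Subset of the attributes a policy server sees for one authentication."""
    user_group: str                  # e.g. "Employees", "Guests", "Unknown"
    eap_method: str                  # "EAP-TLS", "PEAP-MSCHAPv2" or "MAB"
    machine_cert: bool = False       # AD-issued machine certificate presented
    profile: str = "Unknown"         # profiler classification, e.g. "Apple-iDevice"
    registered_device: bool = False  # present in RegisteredDevices (onboarded)
    registered_guest: bool = False   # a guest account exists for this user


def is_corp_asset(ctx: Context) -> bool:
    # Slides 7-8: a corporate asset proves itself with a machine certificate
    # (EAP-TLS, or machine auth over PEAP). A profile alone could also be used,
    # but it is weaker evidence than a non-exportable certificate.
    return ctx.machine_cert and ctx.eap_method in ("EAP-TLS", "PEAP-MSCHAPv2")


def machine_auth_policy(ctx: Context) -> Result:
    """Slide 7: only corporate devices, period."""
    return Result.ACCESS_ACCEPT if is_corp_asset(ctx) else Result.ACCESS_REJECT


def vdi_policy(ctx: Context) -> Result:
    """Slide 8: corporate devices get the network, everything else gets the VDI farm."""
    return Result.ACCESS_ACCEPT if is_corp_asset(ctx) else Result.VDI_ONLY


def byod_policy(ctx: Context) -> Result:
    """Slide 9 (branch order assumed): Employee? -> i-Device? -> Registered Device?"""
    if ctx.user_group != "Employees":
        # Non-employees: a registered guest gets the internet, anyone else is rejected.
        return Result.INTERNET_ONLY if ctx.registered_guest else Result.ACCESS_REJECT
    if ctx.profile != "Apple-iDevice":
        # Employee on a non-i-device: fall back to the corporate-asset check.
        return Result.ACCESS_ACCEPT if is_corp_asset(ctx) else Result.INTERNET_ONLY
    # Employee on an i-device: full access only after onboarding registered it.
    return Result.ACCESS_ACCEPT if ctx.registered_device else Result.INTERNET_ONLY


def evaluate_all(ctx: Context) -> dict:
    """Run the same context through all three approaches for side-by-side comparison."""
    return {
        "machine_auth": machine_auth_policy(ctx).value,
        "vdi": vdi_policy(ctx).value,
        "byod": byod_policy(ctx).value,
    }


if __name__ == "__main__":
    # Constructed sample: an employee's unregistered iPad on PEAP.
    sample = Context("Employees", "PEAP-MSCHAPv2", profile="Apple-iDevice")
    for approach, outcome in evaluate_all(sample).items():
        print(f"{approach:>12}: {outcome}")
```

The same unregistered employee iPad is rejected outright under the machine-auth approach, sent to the VDI farm under the VDx approach, and given internet-only access under the BYOD tree, which is the point of slide 9: the outcome depends on device registration, not only on who the user is.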
Slide 11
ISE Device Onboarding: cert provisioning, supplicant provisioning, self-service model (iOS, Android, Windows, Mac OS), MyDevices Portal
‒ Provision a certificate for the device, based on Employee-ID & Device-ID.
‒ Provision the native supplicant for the device: iOS, Android, Windows & Mac OS X; use EAP-TLS or PEAP.
‒ Employees get a self-service portal; lost devices are blacklisted.
‒ Self-service model: IT does not need to be in the middle.
Slide 12
SSID = CORP Authorization Policy
1. Any PEAP authentications in the CORP SSID: send directly to Native Supplicant Provisioning.
2. Add Centralized Web Auth to the Open/Guest SSID: need to know who they are, and IF we should provision them.
Flow shown (Employee on the CORP SSID):
RADIUS Access-Request: PEAP MSCHAPv2, EAP-ID = Employee1
Matched Rule = PEAP... Redirect to Supplicant Provisioning...
RADIUS Access-Accept:
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-redirect=https://ISE:8443/guestportal/gateway?sessionId=SessionIdValue&action=nsp
Slide 13
SSID = GUEST Authorization Policy
1. Any PEAP authentications: send directly to Native Supplicant Provisioning.
2. Add CWA to the Open SSID: need to know who they are, and IF we should provision them.
Flow shown (Employee on the GUEST SSID):
RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
RADIUS Access-Accept:
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-redirect=https://ISE:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Employee authentication succeeded... User != Guest: start the self-provisioning flow.
Slide 14
SSID = GUEST Authorization Policy (continued)
Same two rules as slide 13. Flow shown (Employee on the GUEST SSID, after web authentication):
RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
Employee authentication succeeded... Send CoA... Start Native Supplicant Provisioning...
Change of Authorization Request → CoA ACK/NAK
RADIUS Access-Accept:
[cisco-av-pair] = url-redirect-acl=NSP-ACL
[cisco-av-pair] = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=nsp
User != Guest: self-provisioning flow disabled; continue with onboarding.
Slide 15
Native Supplicant Provisioning (iOS use-case)
Device Registration:
‒ Employee connects over HTTPS to the NSP portal.
‒ ISE sends the CA certificate to the endpoint, for trust with OTA (over-the-air profile delivery).
‒ User clicks Register; the device is added to RegisteredDevices.
Device Enrollment:
‒ ISE sends Profile Service to the iOS device: https://ISE:8905/auth/OTAMobileConfig?sessionID
‒ A CSR is generated on the iOS device and sent to ISE.
‒ ISE uses SCEP to the MS Certificate Authority; the device certificate is issued with CN = 74ba333ef6548dfc82054d0c7fec36e6ddddcbf1, SAN = 00-0a-95-7f-de-06, and sent to ISE.
‒ ISE sends the device certificate to the iOS device.
Device Provisioning:
‒ Encrypted Profile Service: signing certificate + user certificate; Wi-Fi profile with EAP-TLS configured; SSID = CTS-CORP, EAP-TLS.
‒ A CSR is sent to ISE; SCEP to the MS Certificate Authority; the user certificate is issued with CN = Employee, SAN = 00-0a-95-7f-de-06, and sent to ISE.
‒ ISE sends the user certificate to the iOS device.
‒ ISE sends the device BYOD_Profile to the iOS device.
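Both certificates provisioned above carry the endpoint MAC in the SAN, and the same MAC arrives as the Calling-Station-Id of the RADIUS session (slides 13 and 14 show it in Cisco dotted form, the certificate shows it dash-separated). A policy server can therefore refuse an EAP-TLS authentication whose certificate SAN does not belong to the session that presents it, which is what stops an onboarding certificate from being copied to a second device. The following is an added example, not Cisco ISE code: certificate fields are modelled as a small dataclass instead of parsed X.509, the `RegisteredDevices` lookup is a plain set, and the sample values are the ones on the slide plus constructed variants.

```python
"""SAN-to-session binding check for BYOD EAP-TLS certificates (slide 15).

Added example, not Cisco ISE code. Certificates are modelled as dataclasses
(no X.509 parsing); the check itself is an assumed enforcement step.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> Optional[str]:
    """Accept 00.0a.95.7f.de.06, 00-0a-95-7f-de-06, 00:0a:95:7f:de:06,
    000a.957f.de06 and 000a957fde06; return 12 lowercase hex digits, or None
    when the value is not a MAC address at all."""
    digits = re.sub(r"[.:\-\s]", "", value.strip().lower())
    return digits if _HEX12.match(digits) else None


@dataclass(frozen=True)
class ByodCert:
    common_name: str
    san: List[str]                      # SubjectAltName entries as strings
    issuer: str = "MS Cert Authority"   # issuer named on the slide


def san_macs(cert: ByodCert) -> List[str]:
    """Every SAN entry that parses as a MAC, normalized."""
    return [m for m in (normalize_mac(e) for e in cert.san) if m is not None]


def cert_matches_session(cert: ByodCert, calling_station_id: str) -> bool:
    """True when the session's Calling-Station-Id appears as a MAC in the SAN."""
    mac = normalize_mac(calling_station_id)
    return mac is not None and mac in san_macs(cert)


def authorize_eap_tls(cert: ByodCert, calling_station_id: str, registered: Set[str]) -> str:
    """Assumed authorization step for an onboarded device: the SAN MAC must match
    the session and the device must be in RegisteredDevices."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "Access-Reject: malformed Calling-Station-Id"
    if not cert_matches_session(cert, calling_station_id):
        return "Access-Reject: certificate SAN does not match session MAC"
    if mac not in registered:
        return "Access-Reject: device not in RegisteredDevices"
    return "Access-Accept"


if __name__ == "__main__":
    # Values from the slide; the RegisteredDevices entry is constructed.
    device_cert = ByodCert("74ba333ef6548dfc82054d0c7fec36e6ddddcbf1", ["00-0a-95-7f-de-06"])
    registered_devices = {"000a957fde06"}
    print(authorize_eap_tls(device_cert, "00.0a.95.7f.de.06", registered_devices))
    print(authorize_eap_tls(device_cert, "00:0a:95:7f:de:07", registered_devices))
```

Normalizing before comparing matters: the NAD, the certificate and the endpoint database each format the MAC differently, and a string comparison on the raw values would fail for every legitimate device.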
Slide 16
Wi-Fi Profile: Client Provisioning Resource
‒ Wired, Wireless or Both
‒ Specify SSID
‒ WPA or WPA2
‒ TLS or PEAP
Slide 17
Client Provisioning Policy: rules matched on User and OS; the result is the Supplicant profile to push.
Slide 18
BYOD Policy in ISE: authorization rules with conditions on User, Device and AuthC Method, and a Result.
Slide 19
SSID = GUEST Authorization Policy – Guest
Same two rules: (1) any PEAP authentications go directly to Native Supplicant Provisioning; (2) CWA on the Open SSID, to learn who they are and IF we should provision them.
Flow shown (Guest):
RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
Matched Rule = Open Rule... Send HTTP traffic to the CWA portal...
RADIUS Access-Accept:
[cisco-av-pair] = url-redirect-acl=AGENT-REDIRECT
[cisco-av-pair] = url-redirect=https://ISE:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Slide 20
SSID = GUEST Authorization Policy – same flow as slide 19 (Guest matches the Open Rule; HTTP traffic is sent to the CWA portal).
Slide 21
SSID = GUEST Guest Flow
Same two rules as slide 19. Flow shown (Guest, after web authentication):
RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
Guest authentication succeeded... Send CoA...
Change of Authorization Request → CoA ACK/NAK
RADIUS Access-Accept
User = Guest: bypass the self-provisioning flow.
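Slides 12 to 14 and 19 to 21 together describe one authorization sequence on the Open/Guest SSID: an unknown MAB session is redirected to the CWA portal, the portal login is followed by a CoA, and the re-authorization either continues to Native Supplicant Provisioning (user != Guest) or issues a plain accept (user = Guest), while PEAP on the CORP SSID is redirected to NSP immediately. The module below plays that sequence through as an added example; it is not Cisco ISE code. RADIUS messages are dicts, the ACL names and the portal URL shape are taken from the cisco-av-pair values on the slides, and the session table that remembers the web-authentication result is an assumed detail (the rule names `Employee_CWA` and `Guest_CWA` are likewise assumptions).

```python
"""Redirect-and-CoA authorization flow from slides 12-14 and 19-21, as an added example.

Not Cisco ISE code. Messages are dicts; ACL names and the url-redirect format follow
the slides; the Session table and the Employee_CWA / Guest_CWA rule names are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlencode

PSN = "ISE:8443"  # policy service node host:port as written on the slides


@dataclass
class Session:
    session_id: str
    mac: str                               # Calling-Station-Id (Cisco dotted form on the slides)
    eap_id: Optional[str] = None           # set when the session authenticated with PEAP
    web_auth_user: Optional[str] = None    # filled in once the portal login completes
    web_auth_role: Optional[str] = None


def portal_url(session_id: str, action: str) -> str:
    """url-redirect target: action 'cwa' = Central Web Auth, 'nsp' = Native Supplicant Provisioning."""
    if action not in ("cwa", "nsp"):
        raise ValueError(f"unsupported portal action {action!r}")
    return f"https://{PSN}/guestportal/gateway?" + urlencode({"sessionId": session_id, "action": action})


def accept(rule: str, acl: Optional[str] = None, action: Optional[str] = None, session_id: str = "") -> dict:
    """Build an Access-Accept; with acl+action it carries the two redirect av-pairs."""
    msg = {"code": "Access-Accept", "matched_rule": rule, "cisco-av-pair": []}
    if acl and action:
        # The redirect ACL selects which traffic (HTTP) the NAD intercepts; the URL is where it sends it.
        msg["cisco-av-pair"] = [f"url-redirect-acl={acl}", f"url-redirect={portal_url(session_id, action)}"]
    return msg


def authorize(s: Session) -> dict:
    """Authorization policy for PEAP on CORP and for the Open/Guest SSID."""
    if s.eap_id is not None:
        # Rule 1: any PEAP authentication goes straight to supplicant provisioning.
        return accept("PEAP", "AGENT-REDIRECT", "nsp", s.session_id)
    if s.web_auth_user is None:
        # Open rule: MAB only, identity unknown, so redirect HTTP to the CWA portal.
        return accept("Open Rule", "AGENT-REDIRECT", "cwa", s.session_id)
    if s.web_auth_role != "Guest":
        # An employee authenticated in the portal: continue with onboarding (slide 14).
        return accept("Employee_CWA", "NSP-ACL", "nsp", s.session_id)
    # A guest authenticated: bypass self-provisioning, plain accept (slide 21).
    return accept("Guest_CWA")


def web_auth_result(s: Session, username: str, role: str) -> dict:
    """Portal login completed: record it and return the CoA that forces re-authorization."""
    s.web_auth_user, s.web_auth_role = username, role
    return {"code": "CoA-Request", "sessionId": s.session_id, "subscriber": s.mac}


def run_open_ssid_flow(mac: str, username: str, role: str) -> List[str]:
    """MAB -> CWA redirect -> portal login -> CoA -> re-auth; returns the two matched rules."""
    s = Session(session_id="SessionIdValue", mac=mac)
    first = authorize(s)
    coa = web_auth_result(s, username, role)
    if coa["code"] != "CoA-Request":
        raise RuntimeError("expected a CoA after web authentication")
    second = authorize(s)  # the NAD answers CoA-ACK and re-authenticates the session
    return [first["matched_rule"], second["matched_rule"]]


if __name__ == "__main__":
    # Constructed sample run with the MAC shown on the slides.
    print(run_open_ssid_flow("00.0a.95.7f.de.06", "Employee1", "Employees"))
    print(run_open_ssid_flow("00.0a.95.7f.de.06", "guest-visitor", "Guest"))
```

The CoA is what makes the two-step policy work: without it the NAD would keep the original CWA redirect authorization until the session timed out, no matter what the portal learned about the user.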
Slide 22
ISE Device Access Control with MDM (Mobile Device Manager)
Best practice today: MDM provides mobile device security control, device compliance, mobile application management and securing data at rest; ISE provides device profiling, BYOD on-boarding and device access control.
The new way: MDM cannot 'see' non-registered devices to enforce device security – but the network can!
ISE and MDM enforced mobile device compliance (ISE 1.2):
‒ Forces on-boarding to MDM for personal devices used for work
‒ Register but restrict access for personal devices not managed by MDM
‒ Quarantine non-compliant devices based on MDM policy
MDM partner versions listed: 6.2, 5.0, 7.1, 2.3 (vendor logos not extracted).
Slide 23
‒ MDM device registration via ISE: non-registered clients are redirected to the MDM registration page.
‒ Restricted access: non-compliant clients are given restricted access based on policy.
‒ Endpoint MDM agent: compliance; device applications check.
‒ Device action from ISE: device stolen → wipe data on the client.
‒ Survivability: new attribute added.
Slide 24
MDM attributes available for policy conditions. Compliance based on:
‒ Macro level: general Compliant or !Compliant status, OR
‒ Micro level: disk encryption enabled; PIN lock enabled; jailbroken status
ISE can query the MDM server using APIs.
"Passive Reassessment": bulk recheck against the MDM server using a configurable timer. If the result of a periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session.
Survivability attribute.
Slide 25
Decision flow: Registered? (no → MyDevices / ISE BYOD Registration) → MDM Register (ISE portal with link to MDM onboarding) → MDM Compliant (yes → Access-Accept; no → ISE portal for MDM non-compliance, Internet Only); otherwise Access-Reject.
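Slide 24 gives two ways to decide compliance (trust the MDM's overall verdict, or re-derive it from the individual attributes) and a timer-driven recheck that terminates sessions of devices that drifted out of compliance; slide 25 places that decision after ISE and MDM registration. The module below is an added example of both, not Cisco ISE or MDM-vendor code: the MDM "API" is a constructed in-memory table keyed by MAC, the attribute names mirror the slide's bullets, and the active-session store is an assumed detail.

```python
"""MDM compliance evaluation and passive reassessment (slides 24-25), as an added example.

Not Cisco ISE code. The MDM server is a constructed dict keyed by MAC; attribute
names follow the slide; the session store is assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MdmRecord:
    registered: bool
    compliant: bool         # macro level: the MDM's overall verdict
    disk_encryption: bool   # micro level: individual attributes
    pin_lock: bool
    jailbroken: bool


@dataclass
class ActiveSession:
    session_id: str
    mac: str
    ise_registered: bool    # completed MyDevices / ISE BYOD registration


def is_compliant(rec: MdmRecord, level: str = "macro") -> bool:
    """'macro' trusts the MDM's Compliant flag; 'micro' re-derives the verdict from attributes."""
    if level == "macro":
        return rec.compliant
    if level == "micro":
        return rec.disk_encryption and rec.pin_lock and not rec.jailbroken
    raise ValueError(f"unknown compliance level {level!r}")


def mdm_authorize(sess: ActiveSession, rec: Optional[MdmRecord], level: str = "macro") -> str:
    """Slide 25 flow: ISE registration -> MDM registration -> MDM compliance -> Access-Accept."""
    if not sess.ise_registered:
        return "Redirect: MyDevices / ISE BYOD Registration"
    if rec is None or not rec.registered:
        return "Redirect: ISE Portal with link to MDM onboarding"
    if not is_compliant(rec, level):
        return "Internet Only: ISE Portal for MDM non-compliance"
    return "Access-Accept"


def passive_reassessment(sessions: List[ActiveSession], mdm: Dict[str, MdmRecord],
                         level: str = "macro") -> List[dict]:
    """Timer-driven bulk recheck: query the MDM once per connected device and return a
    session-terminating CoA for every device that is no longer registered or compliant."""
    coas = []
    for sess in sessions:
        rec = mdm.get(sess.mac)
        if rec is None or not rec.registered or not is_compliant(rec, level):
            coas.append({"code": "CoA-Request", "action": "terminate", "sessionId": sess.session_id})
    return coas


if __name__ == "__main__":
    # Constructed MDM table: the first device is jailbroken but the MDM still reports Compliant.
    mdm_table = {
        "000a957fde06": MdmRecord(True, True, True, True, True),
        "aabbccddeeff": MdmRecord(True, True, True, True, False),
    }
    active = [ActiveSession("s1", "000a957fde06", True), ActiveSession("s3", "aabbccddeeff", True)]
    print("macro:", passive_reassessment(active, mdm_table))
    print("micro:", passive_reassessment(active, mdm_table, "micro"))
```

The constructed sample shows why the micro-level attributes are worth having as policy conditions: a jailbroken device that the MDM still marks Compliant keeps its session under a macro-only policy and is terminated under the micro-level one.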
Slide 26
Registration and Compliance dashboard: ISE Registered, MDM Registered, PIN Locked, Encryption, Jail Broken.
Slide 27
Mobile Device Management Report
Slide 28
Roadmap:
1. Native MDM features in ISE: leverages ISE as the device manager and AnyConnect Mobile as the MDM agent. Deliver native MDM & integrate with AnyConnect.
2. Integration of ISE & ASA: enforce ISE policy for remote-access users.
3. Deliver a new set of APIs – xGrid: expand the ISE eco-system with new APIs (Lancope, Prime...).
4. Deliver highly requested features: multiple AD forest support; Guest API.
Slide 29
Thank you.