http://www.networkworld.com/blog/secure-network-access/
http://cs.co/ise-community
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Sarcasm
Disclaimer
Multiple Sessions to Choose From:
For Your Reference
Look for me in 2018: Advanced Security Integrations, Tips & Tricks
Important: Hidden Slide Alert
For Your Reference
NEW Content
Watch Recordings of Prior Sessions
Cisco Spark
Questions?
Use Cisco Spark to chat with the
speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Roadmap and Futures
Everything You Want (ISE 1.0)
Agenda
• Introduction
• ISE as Center of Security EcoSystem
• Context Sharing w/ pxGrid
• RTC and TC-NAC
• Passive vs. Active Identities
• Passive ID Enhancements in ISE 2.2
• The Future of Secure Network Access
• Conclusion
A Security EcoSystem is a Complex Living Thing
Ecosystems
[Diagram: ISE, EPS, pxGrid, FMC and Stealthwatch (NetFlow) spanning Mobile Provider, Guest, Campus, Internet and Data Center; "Bad USB" marks the threat entry point]
Ecosystems
Incident Response challenge: contextual awareness is key to security event prioritization and response.
[Diagram: a Security Event / Potential Breach Event raises the questions "Where is it on the Network?", "What Kind of Device is it?" and "How Do I Mitigate?"; answering them means associating the user to the event (IAM, Logs), checking endpoint posture (NAC) and associating the user to an authorization (AAA), each still marked ???]
Ecosystems
https://youtu.be/pafHZmWWGo8
Ecosystems
The problem! APIs aren't the solution
[Diagram: every system announces what it has ("I have reputation info!", "I have application info!", "I have NetFlow!", "I have location!", "I have threat data!", "I have MDM info!", "I have firewall logs!", "I have app inventory info!") and what it needs ("I need threat data…", "I need location & auth-group…", "I need entitlement…", "I need identity…", "I need reputation…", "I need location…", "I need posture…")]
• Single-purpose function = need for many proprietary APIs/dev (and lots of testing)
• Not configurable = too much/little info for interface systems (scale issues)
• Pre-defined data exchange = wait until next release if you need a change
• Polling architecture = can't scale beyond 1 or 2 system integrations
• Security can be "loose"
Ecosystems
• ISE makes Customer IT Platforms User/Identity, Device and Network Aware
• Enrich ISE context: make ISE a better Policy Enforcement Platform
• Enforce dynamic policies in the network based on the Partner's request
• ISE brokers the Customer's IT platforms to share data amongst themselves
Context Sharing
Strong Authorization
pxGrid components: TLS on port 5222, HTTP on port 443
pxGrid Controller, Pub/Sub and Subscriber
• Very important setting: if checked, any client with a valid certificate connects to the grid.
• EndpointProfileMetaData provides pxGrid clients with available device information from ISE.
pxGrid capabilities
• Basic: provides ISE pxGrid node connectivity. No session data.
• Session: members can subscribe to session notifications, query session info, and download bulk session data.
• ANC: Adaptive Network Control, access to the 'exception policy'.
• EPS: earlier version of ANC (used by Splunk, Lancope, FireSIGHT Management Center 5.4).
[Sequence diagram: Publisher (GCL Client), pxGrid Controller (XCP Server), Subscriber (GCL Client); messages: Subscribe Success, Publish Success, Published Message to Subscriber, Publisher Capability & JID Query, Publisher JID, XMPP: Bulk Download Query]
pxGrid authentication: certificates, or passwords (new in ISE 2.1; no clients yet).
Release Notes: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html#pgfId-678203
pxGrid Bulk Downloads (peer-to-peer)
[Diagram: Controller, FMC, MnT]
1. I need Bulk Session Data
2. Get it From MnT
3. Direct Data Transfer
[Diagram: a custom topic between clients: 3. Publish Topic; 1. Subscribe "Vulnerable Hosts"; 2. Direct Transfer]
For Your Reference
CAVEATS
• pxGrid clients must be updated by the vendor to understand the topic schema
• Currently no existing topics known; there are a few in the works
• Remember: pxGrid clients must trust each other's certificates for bulk downloads, not just the ISE (pxGrid controller)
Communication: Instant Full Mesh Trust!
[Diagram: every pxGrid client and MnT holds an X.509 certificate issued by the ISE 2.1 CA]
Generate Certificates
• With or without CSR
• Bulk certs with CSV
• Download root PKCS12
Certificate Formats
• Only encrypted options
• All include root certs
• PEM or PKCS12
• Friendly CN: make it something unique, like the prefix pxGrid
• Cert Template: hard-coded to use the pxGrid template (Client + Server EKUs)
Note from the Trenches: ISE 1.3 (fixed in 2.2)
For Your Reference: step-by-step configuration of pxGrid, Cert Portal, Firepower Manager & WSA integration in hidden slides
Vocabulary Level Set (Here Are Those TLAs)
For Your Reference
• Adaptive Network Control (ANC): EPS renamed to ANC in 1.4. New ANC functionality added in 2.0.
  • Create ANC "classifications" (aka name spaces); endpoints can be assigned to those classifications.
  • Quarantine, Kick_off_Network, Investigate, Nuke_From_Orbit, etc.
  • Used with or without pxGrid in v2.2+.
Threat Containment
Threat Centric NAC (TC-NAC)
Problem: compromised endpoints spread malware by exploiting known vulnerabilities in the network; most endpoint AMP is deployed in 'visibility only' mode.
Solution: flag compromised (IOC) and vulnerable (CVSS) hosts and limit access to a remediation segment.
Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC) | Advanced Malware Protection (AMP)
Threat Centric NAC (ISE 2.2)
• Vulnerability scans: pick the vulnerability assessment vendor of your choice
• Cisco CTA: STIX framework for automatic quarantining of critically infected endpoints
[Diagram: PAN, MnT and PSN exchanging context attributes]
The TC-NAC service runs in the Policy Services Node (PSN) when enabled. Requires ISE Apex license.
• Service disabled by default
• Core Engine responsible for handling threat-based authorizations
High-level flow
1. Endpoint connects to the network (Endpoint, Network Access Device)
[steps 2 to 4 appear only in the diagram]
5. Qualys reports the CVSS score
[Diagram: the endpoint's CVSS (vulnerability score) arrives as vulnerability attributes; TC-NAC issues a CoA (Change of Authorization) for full or quarantine access]
'Vulnerable Endpoints': based on Common Vulnerability Scoring System (CVSS)
Configuration (For Your Reference)
SCAN Results (For Your Reference)
The Qualys Adapter (Docker instance) checks the last SCAN results (using the IP address) and returns:
• IP Address
• Vulnerabilities (QID)
• Last SCAN time
• MAC Address (maybe as a QID)
[Screenshot: Scan timers]
[Diagram: TC-NAC Change of Authorization (quarantine access); manual CoA]
'Compromised Endpoints': based on incidents and indicators
Manual Quarantine
Rapid Threat Containment
For Your Reference
Remediation Options
• Quarantine: quarantines an endpoint based on source IP address
• portBounce: temporarily bounces the endpoint or host port
• Terminate: terminates the end-user session
• Shutdown: initiates a host port shutdown; this inserts a "shutdown" command on the switch port configuration
• reAuthenticate: re-authenticates the end-user
• UnQuarantine: unquarantines the endpoint
Malware Events
• Network
• Endpoint
• Retrospection
Endpoint Malware
• General event from AMP for Endpoints Cloud
• Specific events from AMP for Endpoints Cloud
The Remediation: Quarantine, a remediation that triggers EPS Quarantine via pxGrid
[Diagram: NGFW, FMC, pxGrid Controller, MnT, i-Net]
1. Security events / IOCs reported by the NGFW
2. Correlation rules trigger a remediation action in FMC
3. pxGrid EPS action: Quarantine + Re-Auth
4. Endpoint assigned Quarantine + CoA-Reauth sent
[Diagram: Stealthwatch Flow Collector, FMC, NGFW, pxGrid Controller, i-Net / WWW]
3. Admin is alerted of suspicious behavior
5. Endpoint assigned Quarantine + CoA-Reauth sent
(steps 1, 2 and 4 appear only in the diagram)
Pro Tip
Conditions: EPS is Quarantine OR ANC is Quarantine
Results: Limited Access + Quarantine Tag
Conditions: (EPS is Quarantine OR ANC is Investigate) AND (CVSS > 7 OR CTA Action is Eradicate)
Results: Blacklist
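The Limited Access rule and the Blacklist rule from the slides, combined into one ordered threat-based authorization policy as an added Python example (not code from the deck or from ISE). The attribute names on `SessionContext`, the `Default` catch-all and the sample MAC addresses are constructed stand-ins for the session attributes the rules reference.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class SessionContext:
    """Constructed stand-in for the session attributes the two rules reference."""
    mac: str
    eps_status: Optional[str] = None   # EPS status, e.g. "Quarantine"
    anc_policy: Optional[str] = None   # ANC classification, e.g. "Quarantine", "Investigate"
    cvss: Optional[float] = None       # CVSS score from the TC-NAC adapter; None = no scan yet
    cta_action: Optional[str] = None   # CTA action, e.g. "Eradicate"


@dataclass(frozen=True)
class AuthzResult:
    profile: str
    sgt: Optional[str] = None          # tag pushed with the result, e.g. "Quarantine"


Predicate = Callable[[SessionContext], bool]
Rule = Tuple[str, Predicate, AuthzResult]


def eps_is(status: str) -> Predicate:
    return lambda ctx: ctx.eps_status == status


def anc_is(policy: str) -> Predicate:
    return lambda ctx: ctx.anc_policy == policy


def cvss_greater_than(threshold: float) -> Predicate:
    # An endpoint that has never been scanned has no score and must not match "CVSS > 7".
    return lambda ctx: ctx.cvss is not None and ctx.cvss > threshold


def cta_action_is(action: str) -> Predicate:
    return lambda ctx: ctx.cta_action == action


def any_of(*preds: Predicate) -> Predicate:
    return lambda ctx: any(p(ctx) for p in preds)


def all_of(*preds: Predicate) -> Predicate:
    return lambda ctx: all(p(ctx) for p in preds)


# The two slide rules, ordered as a first-match policy set needs them: the narrower
# Blacklist rule above the broader Quarantine rule, otherwise an EPS-quarantined
# endpoint with CVSS > 7 is caught by Quarantine and never reaches Blacklist.
THREAT_RULES: List[Rule] = [
    ("Blacklist",
     all_of(any_of(eps_is("Quarantine"), anc_is("Investigate")),
            any_of(cvss_greater_than(7), cta_action_is("Eradicate"))),
     AuthzResult("Blacklist")),
    ("Quarantine",
     any_of(eps_is("Quarantine"), anc_is("Quarantine")),
     AuthzResult("Limited Access", sgt="Quarantine")),
]

# Constructed catch-all for sessions that match no threat rule (the slides show none).
DEFAULT_RESULT = AuthzResult("Default")


def authorize(ctx: SessionContext,
              rules: List[Rule] = THREAT_RULES) -> Tuple[str, AuthzResult]:
    """Return (matched rule name, result) for the first rule whose condition holds."""
    for name, matches, result in rules:
        if matches(ctx):
            return name, result
    return "Default", DEFAULT_RESULT


if __name__ == "__main__":
    # Constructed sample sessions; the MAC addresses are documentation-range placeholders.
    samples = [
        SessionContext("00:00:5e:00:53:01", eps_status="Quarantine", cvss=9.1),
        SessionContext("00:00:5e:00:53:02", anc_policy="Quarantine", cvss=9.1),
        SessionContext("00:00:5e:00:53:03", anc_policy="Investigate", cta_action="Eradicate"),
        SessionContext("00:00:5e:00:53:04", eps_status="Quarantine"),   # no CVSS yet
        SessionContext("00:00:5e:00:53:05", anc_policy="Investigate", cvss=5.0),
    ]
    for s in samples:
        print(s.mac, "->", authorize(s))
```

Note that an ANC classification of Quarantine alone never reaches Blacklist (only Investigate is in that rule), and an exact CVSS of 7 is not "> 7".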
[Diagram: the same user in two contexts]
Who: Doctor | What: Desktop w/ AMP | Where: Office
Who: Doctor | What: Desktop, Vulnerable | Where: Branch
Passive ID
Motivation: Identity is Critical to All Security Solutions
Problem: each SBG product has its own method / technology to provide identity
• Vast feature / functionality discrepancies
• Impacting customer satisfaction
Solution: single product / one implementation across SBG
• Best features of each solution / eliminate missing capabilities
• Leverage existing expertise / componentry for time to market
• Systems approach increasing cross-product integration
What is Passive Identity?
Active Authentication
[Diagram: Data Center with AD and CA; X.509 certificates; NGFW; RADIUS; EAP; 802.1X (part of WPA2)]
Passive Authentication
[Diagram: Data Center with AD; AD Login / Kerberos; NGFW; ISE]
Source Fire User Agent (SFUA) [MS-AD only]
• Limited to 5 DCs per FMC
• No multi-forest support
• DCOM access required
• Registry hacks prevent adoption
• No way to see logoffs
• No way to check if an endpoint is no longer on the network
Cisco Directory Agent (CDA) / pxGrid w/ ISE
• Favorite of customers for WSA identity
• FREE; some key bugs prevent adoption
• Plans to EoL CDA or roll it into ISE
Built-in PBIS for Active-Auth, WMI-type solution for Passive-Auth
• Joins 50 domains, queries 2000
• Huge investment right now in Passive as a complement to Active
• Requirement to deploy ISE for an NGFW sale leads to countless losses; need a FREE tool
Context Directory Agent (CDA)
• Favorite of customers for ASA identity
• FREE; some key bugs prevent adoption
• Plans to EoL CDA or roll it into ISE
CWS Connector / ISR Connector w/ CDA
• CDA has been quite successful
• Registry hacks prevent adoption
• No way to see logoffs
• No way to check if an endpoint is no longer on the network
Agent sends to Virtual Appliance
• Sends full LDIF export to Cloud
Were OEM'ing A10 ID Broker; log-scraping with NXLog
• Note: more duplication of efforts
ISE 2.2 Introduces Major Enhancements to PassiveID Capabilities
• Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
• Guest Access: fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
• BYOD Access: simplified BYOD management with built-in CA and 3rd-party MDM integration for onboarding and self-service of personal mobile devices.
• Context Sharing: context sharing with the partner ecosystem to provide a single source of user and device details for better partner solution effectiveness.
• Threat Control: security ecosystem partners from a broad variety of technology areas integrate with ISE to take network mitigation and investigation actions in response to security events.
• Device Admin: Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices.
Vision
[Diagram: a Session Directory in ISE or PIC learns from AD, the Terminal Services Agent and Syslog & REST, and shares with ASA, Cloud Web Security (CWS / ISR Connector), OpenDNS (VA), APIC-DC, APIC-EM, SSX CON, Stealthwatch, FMC and the Cloud (WWW)]
Context Attributes Needed: Username, AD Domain Name, Assigned SGT, Users' DN, Certificate Attribs & Template ID, AD Group Membership (?), Endpoint Profile, ISE ID Groups (User / Endpoint), AD Attributes, MDM Management Info (which MDM & state), MSE Location, NDG Location, Express Raw EPG?, LDAP, ODBC, NSX Group, SAML, Scraping?, SmartSearch Editing (may have to allow)
[Diagram: FMC receiving identity learned from AD, Apps and WWW] Almost Anything
Learn / Share / Update / Use
• Learn
• Share
• Update: verify endpoint; inform of changes
• Use: management interfaces; caching
Simply put: what's needed for policy authoring, and for binding what is configured in the policy to the information received from pxGrid.
Use: Stealthwatch
• Stealthwatch 6.9 uses ISE 2.2 as the Single Source of Truth
• SW 6.9 will work with ISE 1.3 to 2.1, but less data will be available
• Endpoint Protection Services (EPS) works as always
• Stealthwatch 6.8 is the last version of Stealthwatch that should use the syslog method of ISE integration
• Upgrades from 6.8 to 6.9:
  • If pxGrid was configured in 6.8, it will continue to function
  • If syslog only, the ISE connection will need to be reconfigured
• SW adds pxGrid session data to the User Table and Flow Attribution
• No separate Management/Metadata API required
Update: Identify Changes
• Logoff detection
  • Endpoint Probe uses WMI to remotely verify that the endpoint and user are still there
  • DHCP lease expirations indicate to clear the session
  • Remove session from Syslog provider
  • TS Agent removes session
• WMI update events
  • Can renew the session
  • Can show logoff, and expire the session
• Session timeouts
  • Purge of inactive sessions
  • Configurable 1-24 hours
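An added Python model (not the deck's or ISE's code) of the session directory these update paths act on: one binding per IP, or per IP and port for TS Agent sessions, renewed by WMI logon events and expired by logoff, DHCP lease expiry, syslog delete, TS Agent removal, or the configurable 1-24 hour inactivity purge. The class and method names, the fixed day used for timestamps and the sample users and addresses are constructed; replacing the binding when a WMI logon names a different user is an assumption, not something the slide states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, Optional[int]]   # (IP, port); port is None except for TS Agent sessions

# Constructed day used by the demo; the date itself carries no meaning.
DAY = datetime(2017, 1, 1)


def at(hour: int, minute: int = 0) -> datetime:
    return DAY.replace(hour=hour, minute=minute)


def timeout_is_valid(hours: int) -> bool:
    # Slide: purge of inactive sessions is configurable from 1 to 24 hours.
    return 1 <= hours <= 24


@dataclass(frozen=True)
class Session:
    ip: str
    user: str
    provider: str          # provider that learned the binding: WMI, Syslog, TSAgent, SPAN
    last_seen: datetime    # renewed by WMI update events; drives the inactivity purge
    port: Optional[int] = None


class SessionDirectory:
    """IP-to-identity bindings plus the update paths listed on the slide (constructed model)."""

    def __init__(self, inactive_timeout_hours: int = 1):
        if not timeout_is_valid(inactive_timeout_hours):
            raise ValueError("inactive-session timeout must be between 1 and 24 hours")
        self.timeout = timedelta(hours=inactive_timeout_hours)
        self._sessions: Dict[Key, Session] = {}

    # Learn: a provider reports a user bound to an IP (and, for TS Agent, to a port).
    def learn(self, ip: str, user: str, provider: str, when: datetime,
              port: Optional[int] = None) -> None:
        self._sessions[(ip, port)] = Session(ip, user, provider, when, port)

    # Update: WMI logon/logoff event from a monitored DC or from the Endpoint Probe.
    def on_wmi_event(self, ip: str, user: str, event: str, when: datetime) -> None:
        key = (ip, None)
        current = self._sessions.get(key)
        if event == "logoff":
            # Only a logoff for the user we hold expires the session; a late logoff
            # for someone else must not knock out the current user's binding.
            if current is not None and current.user == user:
                del self._sessions[key]
        elif event == "logon":
            # Same user: renews last_seen. Different user: the IP changed hands, so the
            # binding is replaced (constructed behaviour, not stated on the slide).
            self.learn(ip, user, "WMI", when)
        else:
            raise ValueError(f"unknown WMI event {event!r}")

    # Update: the lease ended, so the IP may now belong to another host.
    def on_dhcp_lease_expired(self, ip: str) -> None:
        self._sessions.pop((ip, None), None)

    # Update: the syslog provider that learned the session reports its removal.
    def on_syslog_delete(self, ip: str) -> None:
        self._sessions.pop((ip, None), None)

    # Update: the TS Agent removes one user's port allocation; others on the same IP stay.
    def on_ts_agent_remove(self, ip: str, port: int) -> None:
        self._sessions.pop((ip, port), None)

    # Update: session timeout, purge sessions not seen within the configured window.
    def purge_inactive(self, now: datetime) -> List[Key]:
        stale = [k for k, s in self._sessions.items() if now - s.last_seen >= self.timeout]
        for k in stale:
            del self._sessions[k]
        return stale

    # Share / Use: the lookup a subscriber such as Stealthwatch performs.
    def lookup(self, ip: str, port: Optional[int] = None) -> Optional[str]:
        s = self._sessions.get((ip, port))
        return s.user if s else None

    def __len__(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    d = SessionDirectory(inactive_timeout_hours=2)
    d.learn("10.1.1.5", "CORP\\jdoe", "WMI", at(8))
    d.learn("10.2.2.9", "CORP\\citrix1", "TSAgent", at(8), port=40001)
    d.on_wmi_event("10.1.1.5", "CORP\\jdoe", "logon", at(9, 30))   # renews the WMI session
    print(d.purge_inactive(at(10)))   # the TS Agent session, idle for 2 h, is purged
    print(d.lookup("10.1.1.5"))       # the renewed session is still CORP\jdoe
```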
A Day In the Life of ID Sharing with StealthWatch
[Sequence: SHARE: pxGrid Get Info; USE: merge ID info into the Stealthwatch User Table & Flow Attribution; UPDATE: pxGrid Notify on changes, on lease expiration and on an (optional) syslog Delete Session]
Join AD in ISE-PIC
"Store Credentials"
Test Connection
For Your Reference
1. Registry Changes
For Your Reference
2. Permissions to Use DCOM
• User (Domain admin or special user) needs Local and Remote Access
• Dcomcnfg (for example, add DCOM permission for the user shelisha)
For Your Reference
3. Permissions to use WMI Remotely
• Active Directory users do not have the Execute Methods and Remote Enable permissions by default. These can be granted using wmimgmt.msc.
• Allow Execute Methods and Remote Enable
PassiveID Settings
Limitations / Etc.
• Can only monitor DCs in domains that are joined directly
  • i.e., a Join Point must exist
• Configuration needs to be done per domain controller (on all DCs)
• Uses DCOM (WMI is DCOM based)
• 100 monitored DCs
• Supported Windows versions
  • 2003 and above
  • 'Config WMI' only works on 2008 and above
Store Credentials
• Join credentials will be stored encrypted
• The Endpoint Probe cannot work without it
  • Needs the Admin credentials to enter the endpoint
• Will be used for PassiveID monitored DCs
  • If not checked, credentials will have to be entered separately for each monitored DC
• Cannot be unchecked in ISE-PIC
PassiveID Wizard
• Simple and easy way to configure AD for PassiveID
• Enter Active Directory and credentials
• Select interesting AD groups
• Choose DCs to monitor
• Start the wizard from two places
ISE-PIC Dashboard
• Monitor DC connection status
ISE-PIC Agent
• Currently, the Agent comes when you install ISE-PIC or upgrade to ISE 2.2
• Upgrade and download the Agent from the Agents tab in the UI
• Manually install or push from ISE!! Yes, I said push from ISE
• Native, 32-bit application
• Agent requires .NET 4.0 or above
• Can be installed on a Member Server or DC
Agent Is Running
Agent Directory
• For manual installs: the PIC nodes must be put in the nodes file (read at startup)
Binding Monitored DC to an Agent
[Screenshot: DC is monitored by Agent]
Uninstall
• EASY!
BRKSEC-3697 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 189
Passive ID
BRKSEC-3697 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 190
Passive ID
[Diagram: one Member Server running the ISE-PIC Agent monitors several DCs (DC2, DC4, DC5, DC6) through Windows event subscriptions; see https://blogs.technet.microsoft.com/wincat/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows/]
Kerberos Sniffing via SPAN
Passive ID
SPAN Configuration
• Make sure the Passive Identity Service is enabled:
Passive ID
SPAN Configuration
• The list of nodes and interfaces will be displayed, but only for those running the PassiveID Service
• Pick the node, and then the interface. PassiveID must be running as a prerequisite
• Work Center -> PassiveID -> Providers -> SPAN
Passive ID
Network Configuration
• Configure the switch to SPAN the traffic from the AD domain controllers
• Or create a VACL that sends only Kerberos traffic (TCP/UDP port 88) into the SPAN port, so the ISE interface is not flooded with everything else on the VLAN
• Configure a dedicated port on ISE for SPAN (use this interface only for SPAN traffic)
For Your Reference
REST API Provider
Passive ID
REST API Provider
• The API provider enables you to interface with network applications such as the TS-Agent on a Citrix server, where all users share the same IP address but are assigned unique ports.
[Reference slides: REST API Provider flow diagram and configuration screenshots]
Syslog Provider
Passive ID
Passive ID
Example: paste the syslog message here and it will show you the identified data, as a validation of the parser
Passive ID
Built-In
• Large list of pre-existing templates / parsers
Passive ID
DHCP Syslogs
• DHCP syslogs from IPAM providers
• Used for L2<>L3 bindings (MAC to IP)
• Will not be presented by themselves in the Session Table
• Identity is the key (Identity Connector)
• Will be merged into an existing session that already has an identity (matched on IP)
• Used for lease renewal & lease expiration updates
• An expired DHCP lease will remove the session from the Sessions Table
Passive ID
Details
• Syslog IDs will not be joined to EasyConnect
• The syslog service matches the host name from the message against the one the administrator previously defined in the GUI, in order to identify the correct client template
• Ensure reverse lookup (syslog client IP to hostname) is configured on the DNS server(s) that ISE-PIC uses
• Can be configured with a hostname instead of an IP
Passive ID
Details
• High Availability: for redundancy, send the syslogs to 2 nodes
• But that sends double the logs and adds noise
• Or use Anycast to do it cheaply
• Or use a load balancer
• Not part of MnT syslog parsing
• Runs as a separate process
• On different ports
Passive ID
[Flow: Is it a 5200 / 3000 / 3001 / 3002 message? No -> drop message. Yes -> does it have a Session ID? No -> drop message.]
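The two slides above (DHCP syslogs merging into identity sessions, and the message-code / session-ID pre-filter in the flow) are easiest to understand as a small session table. The following Python is an added example, not ISE-PIC code: it selects a parser template by sending host name, merges a DHCP lease into an existing identity session keyed by IP, refuses to create a session from DHCP alone, drops the session on release or lease expiry, and applies the 5200/3000/3001/3002 plus session-ID filter. The syslog lines are constructed (hypothetical hosts, ISC-dhcpd-style lease messages), the 8-hour lease and the "AcsSessionID=" field name are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample messages (hypothetical hosts; modeled on ISC-dhcpd-style lease logging,
# not real output of any IPAM product or of ISE).
IDENTITY_LINE = "<14>Jun 27 10:00:01 vpn-gw sslvpn: user=jdoe assigned 10.1.1.5"
DHCP_ACK = "<30>Jun 27 10:00:05 ipam01 dhcpd: DHCPACK on 10.1.1.5 to 00:11:22:33:44:55 (jdoe-pc) via eth1"
DHCP_RELEASE = "<30>Jun 27 12:30:05 ipam01 dhcpd: DHCPRELEASE of 10.1.1.5 from 00:11:22:33:44:55 (jdoe-pc) via eth1"
DHCP_UNKNOWN = "<30>Jun 27 10:00:09 ipam01 dhcpd: DHCPACK on 10.1.1.77 to 00:11:22:33:44:77 (printer) via eth1"

SYSLOG = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Parser templates keyed by the sending host name: that is how the slide says the client template
# is selected, hence the reverse-DNS requirement on the client IP.
TEMPLATES = {
    "vpn-gw": ("identity", re.compile(r"user=(?P<user>\S+) assigned (?P<ip>\S+)")),
    "ipam01": ("dhcp", re.compile(
        r"DHCP(?P<op>ACK|RELEASE|EXPIRE) (?:on|of) (?P<ip>\S+) (?:to|from) "
        r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")),
}
LEASE_TIME = timedelta(hours=8)   # assumed; a real parser takes the lease length from the message

class SessionTable:
    """IP-keyed session table implementing the merge / expire rules from the slides."""

    def __init__(self):
        self.sessions = {}   # ip -> {"user": str, "mac": str|None, "lease_expires": datetime|None}

    def handle(self, line, now):
        m = SYSLOG.match(line)
        if not m:
            return "unparsed"
        if m["host"] not in TEMPLATES:
            return "no-template"            # unknown sender: nothing to parse it with
        kind, pattern = TEMPLATES[m["host"]]
        f = pattern.search(m["msg"])
        if not f:
            return "no-match"
        if kind == "identity":
            entry = self.sessions.setdefault(f["ip"], {"user": None, "mac": None, "lease_expires": None})
            entry["user"] = f["user"]
            return "identity"
        entry = self.sessions.get(f["ip"])
        if entry is None:
            return "dhcp-ignored"           # DHCP alone never creates a session: identity is the key
        if f["op"] == "ACK":                # new lease or renewal: merge the L2<>L3 binding
            entry["mac"] = f["mac"].lower()
            entry["lease_expires"] = now + LEASE_TIME
            return "dhcp-merged"
        del self.sessions[f["ip"]]          # RELEASE / EXPIRE: the lease is gone, so is the session
        return "dhcp-removed"

    def reap(self, now):
        """Remove sessions whose lease lapsed without a renewal; returns the IPs dropped."""
        dead = [ip for ip, e in self.sessions.items() if e["lease_expires"] and e["lease_expires"] <= now]
        for ip in dead:
            del self.sessions[ip]
        return dead

# Pre-filter from the flow diagram: only message codes 5200/3000/3001/3002 pass, and only with a
# session id. The "<code> <SEVERITY>" layout and the AcsSessionID= field name are assumptions.
ISE_CODE = re.compile(r"\s(5200|300[012])\s+[A-Z]+\s")

def accept_ise_message(line):
    if not ISE_CODE.search(line):
        return False
    return "AcsSessionID=" in line

ISE_PASSED = ("<181>Jun 27 10:01:00 ise01 CISE_Passed_Authentications 0000000123 1 0 "
              "5200 NOTICE Passed-Authentication: UserName=jdoe, AcsSessionID=ise01/283617891/42")
ISE_NOSESSION = "<181>Jun 27 10:01:02 ise01 CISE_Passed_Authentications 0000000124 1 0 5200 NOTICE UserName=svc"
ISE_OTHER = "<181>Jun 27 10:01:03 ise01 CISE_Failed_Attempts 0000000125 1 0 5400 NOTICE AcsSessionID=ise01/1/43"

if __name__ == "__main__":
    table, t0 = SessionTable(), datetime(2017, 6, 27, 10, 0, 0)
    for line in (DHCP_ACK, IDENTITY_LINE, DHCP_ACK, DHCP_UNKNOWN, DHCP_RELEASE):
        print(table.handle(line, t0), table.sessions)
```

Note the ordering problem the "dhcp-ignored" branch exposes: if the DHCPACK arrives before the identity event for the same IP, the MAC binding is lost until the next renewal, so in practice the DHCP provider only adds value when lease renewals are frequent relative to the identity feed.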
Endpoint Probe
aka: "Is the user still there?"
Passive ID
Endpoint Probe
• Is the user still there?
• Is the endpoint reachable?
• Is the same user still logged on?
• Requires administrative privilege on the endpoint (Domain Admins group)
• Uses the stored credentials from the Join Point; it will not work without them. Those are Domain Admin credentials held by ISE-PIC, so protect the node and its admin access accordingly.
For Your Reference
Mapping Filters
Passive ID
Mapping Filters
Deploying ISE-PIC
Passive ID
Different License
Passive ID
ISE-PIC Platforms
• Install choices:
• 3315 and 3595 virtual appliances
• Standard ISE .ISO / .OVA
• ISE-PIC .ISO & .OVA
• Hardware shipping with PIC pre-installed is on the roadmap
Passive ID
Deployment
• Max of 2 nodes in a deployment
• Secondary node is for High Availability only
• In case of Primary failure all features will still run on the Secondary except the UI
• Only manual promotion to Primary will enable the UI
• You cannot change the services running on a PIC persona
• But you can change Primary / Secondary
Passive ID
Simple
Licensing and Upgrade To Full Blown ISE
Passive ID
Licensing
• ISE-PIC installs with a 90-day PIC license
• Enables PassiveID functions
• Limited UI
• pxGrid for Cisco consumers only
• CA for pxGrid only
• No portals, no Guest
• No RADIUS or TACACS+
• No profiling, no BYOD
• No authentication, no EasyConnect
• No TrustSec, no authorization of any kind
• No 802.1X
Passive ID
Licensing
• Each perpetual license is uploaded to a single ISE-PIC node; a separate license is required for the second node if you have two nodes in the deployment
• Generate a separate license for each UDI and then add the licenses to each node separately
• After you install Cisco ISE-PIC and initially configure the appliance as the primary node, you must obtain a license for Cisco ISE-PIC and then register that license
• Register all licenses via the primary and secondary node hardware UDI
Passive ID
Upgrading to ISE
• Step 1: Install an Upgrade License
• Converts the low-cost PIC VM to a full-cost ISE VM
• Step 2: Install a BASE license
• Now a full-blown ISE install
• Step 3: Shake your head in amazement. That is really all it takes.
Passive ID
Upgrading to ISE
• When upgrading from ISE-PIC to the Base license for ISE, ISE continues to offer all features that were available to you in ISE-PIC prior to the upgrade, and you will not need to re-configure any settings that you had already configured
• You can perform the full upgrade process by first installing the ISE-PIC Upgrade License on the node and then:
• Adding the upgraded ISE-PIC node to an existing ISE deployment (the node receives the deployment's configuration)
• Installing at least a Base license
• Once you upgrade to a full ISE deployment, you cannot roll back to the previous ISE-PIC installation
Passive ID
Licensing
For Your Reference
Comparison Tables
Passive ID
Authentication & Authorization Types
[Table: four product/license columns; the column headers were lost in extraction, row values are shown in column order]
Authorization Policies | Yes | – | – | –
TrustSec | Yes | – | – | –
Network Access AAA w/ RADIUS | Yes | – | – | –
Device Admin AAA w/ TACACS+ | Yes | – | – | –
BYOD | Yes | – | – | –
GUEST | Yes | – | – | –
Posture | Yes | – | – | –
# of Subscribers | 20 | 20 | – | 5 FMCs
Passive ID
pxGrid on Dedicated Node(s) | Yes | – | – | –
Passive ID
Profiling | Yes | – | – | –
Passive ID
Provider
[Table: one column; header lost in extraction]
WMI | Yes
ISE-PIC Agent | No
Syslog (Identity) | No
Syslog (DHCP) | No
SPAN (Kerberos) | No
API Provider | No
Agenda
• Introduction
• ISE as Center of Security EcoSystem
• Context Sharing w/ pxGrid
• RTC and TC-NAC
• Passive vs. Active Identities
• Passive ID Enhancements in ISE 2.2
• The Future of Secure Network Access
• Conclusion
The Future of Secure Network Access
TEAP
TEAP
• Certificate provisioning in-band
• Distribute EAP server trust-list
• User + machine EAP chaining
• Posture transport in-band (PT-TLS or PT-EAP)
• Certificate renewals in-band
• Fast reconnect w/ server
• Fast reconnect w/ PAC file
TEAP
Supplicant List:
• Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
5411 No response received during 120 seconds on last EAP message sent to the client
• This error has been seen at a number of escalation customers
• Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.
TEAP
[Diagram: endpoint, NAD and SSID; onboarding steps 1 through 5]
TEAP
[Diagram, left, server certs A B C: 1 MDM pushes network config + EAP certs; 2 endpoint joins network; 3 EAP authentication succeeds. A managed endpoint is pre-populated with network configs and the list of EAP certs to trust.]
[Diagram, right, server certs A B C D E F: 1 MDM updates the list of EAP certs; 2 endpoint joins network; 3 EAP authentication succeeds. Managed endpoints can be updated early to be ready for new RADIUS servers.]
TEAP
[Diagram, left, server certs A B C: a contractor goes to work at a customer and on-boards; is given the certificate of the RADIUS server(s); 3 EAP authentication; 4 success.]
[Diagram, right, server certs A B C D E F: when servers are added or changed in the environment, the endpoint doesn't get the new certs; the connection fails.]
TEAP
TEAP Solution to the EAP Server Cert Problem
[Diagram: Endpoint, Wi-Fi, Auth Servers, ID Repository]
TEAP
[Sequence diagram: EAP chaining, machine phase (supplicant, NAD switchport, PSN)]
• EAPoL Start
• NAD -> PSN: RADIUS Access-Request [EAP-Tunnel = FAST]
• PSN -> NAD: RADIUS Access-Challenge [EAP-TLV = "Machine"]; NAD -> supplicant: EAP-Request: TLV = "Machine"
• Supplicant: EAP-Response TLV = "Machine" [EAP-ID = Corp-Win7-1] with PAC; NAD -> PSN: RADIUS Access-Request [EAP-TLV = "Machine"]
• PSN -> NAD: RADIUS Access-Accept; NAD -> supplicant: EAP Success
• ISE issues the AuthZ PAC
• Authorization rule: if Machine & Employee then Employee Network Access (Network Access:EAPChainingResult = User and machine succeeded)
TEAP
[Sequence diagram: EAP chaining, user phase (supplicant, NAD switchport, PSN)]
• EAPoL Start
• NAD -> PSN: RADIUS Access-Request [EAP-Tunnel = FAST]
• PSN -> NAD: RADIUS Access-Challenge [EAP-TLV = "Machine"]; NAD -> supplicant: EAP-Request: TLV with PAC
• Supplicant: EAP-Response TLV = "User" [EAP-ID = Employee1] with PAC; NAD -> PSN: RADIUS Access-Request [EAP-TLV = "User"]
• PSN -> NAD: RADIUS Access-Accept; NAD -> supplicant: EAP Success
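The two sequence diagrams above show one chained exchange split across two slides; the following Python is an added simulation of both sides of it (mine, not Cisco's or any supplicant's code): the PSN requests the Machine TLV, then the User TLV, verifies each against a credential store, derives the chaining result and applies the authorization rule from the slide (Machine AND Employee gives Employee Network Access), issuing the AuthZ PAC only on success. The account names and secrets are constructed, the result strings are modeled on ISE's EapChainingResult attribute, and the three non-"both succeeded" authorization outcomes are this example's assumptions, not ISE defaults.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential stores standing in for AD machine and user accounts (hypothetical names).
MACHINE_ACCOUNTS = {"Corp-Win7-1": "machine-secret-1"}
USER_ACCOUNTS = {"Employee1": "user-secret-1"}

# Result strings modeled on ISE's Network Access:EapChainingResult attribute.
BOTH_OK = "User and machine both succeeded"
USER_ONLY = "User succeeded and machine failed"
MACHINE_ONLY = "User failed and machine succeeded"
BOTH_FAILED = "User and machine both failed"

@dataclass
class Supplicant:
    """EAP-FAST/TEAP peer: answers the Machine and User TLV requests inside the tunnel."""
    machine_id: str
    machine_secret: str
    user_id: Optional[str] = None          # None = nobody logged on (pre-logon, service host)
    user_secret: Optional[str] = None
    pacs: dict = field(default_factory=dict)

    def respond(self, tlv_type):
        if tlv_type == "Machine":
            return {"tlv": "Machine", "id": self.machine_id, "proof": self.machine_secret}
        if tlv_type == "User":
            return {"tlv": "User", "id": self.user_id, "proof": self.user_secret}
        raise ValueError(tlv_type)

def chaining_result(machine_ok, user_ok):
    return {(True, True): BOTH_OK, (False, True): USER_ONLY,
            (True, False): MACHINE_ONLY, (False, False): BOTH_FAILED}[(machine_ok, user_ok)]

def authorize(result):
    """Rule from the slide: Machine AND Employee -> Employee Network Access.
    The other three rows are this example's assumptions, not ISE defaults."""
    return {BOTH_OK: "Employee Network Access",
            MACHINE_ONLY: "Machine-Only Access",
            USER_ONLY: "Restricted Access (unmanaged device)",
            BOTH_FAILED: "Access-Reject"}[result]

class PSN:
    """Policy Service Node driving the chained inner exchange over RADIUS."""

    @staticmethod
    def _verify(store, resp):
        return resp["id"] is not None and store.get(resp["id"]) == resp["proof"]

    def run(self, peer):
        log = ["EAPoL-Start", "Access-Request [EAP-Tunnel=FAST]"]
        log.append('Access-Challenge [EAP-Request TLV="Machine"]')
        m = peer.respond("Machine")
        machine_ok = self._verify(MACHINE_ACCOUNTS, m)
        log.append('Access-Request [EAP-Response TLV="Machine", EAP-ID=%s] -> %s' % (m["id"], machine_ok))
        log.append('Access-Challenge [EAP-Request TLV="User"]')
        u = peer.respond("User")
        user_ok = self._verify(USER_ACCOUNTS, u)
        log.append('Access-Request [EAP-Response TLV="User", EAP-ID=%s] -> %s' % (u["id"], user_ok))
        result = chaining_result(machine_ok, user_ok)
        authz = authorize(result)
        if authz == "Access-Reject":
            log.append("Access-Reject [EAP Failure]")
        else:
            # Modeled on the slide's "ISE issues AuthZ PAC": opaque to the peer, presented next time
            # so the server can skip the full chained exchange.
            peer.pacs["authz"] = "authz-pac:%s:%s" % (m["id"], u["id"])
            log.append("Access-Accept [EAP Success, AuthZ PAC, %s]" % authz)
        return result, authz, log

if __name__ == "__main__":
    corp = Supplicant("Corp-Win7-1", "machine-secret-1", "Employee1", "user-secret-1")
    for line in PSN().run(corp)[2]:
        print(line)
```

The case worth watching in practice is the "User succeeded and machine failed" row: a valid employee on a device the domain does not know is exactly the BYOD-on-the-wire scenario, and without chaining the server cannot tell it apart from a corporate laptop, which is why the result attribute rather than the user identity alone should drive the authorization rule.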
TEAP
EAP-Chaining FAQ (For Your Reference)
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Cisco Spark
Ask Questions, Get Answers, Continue the Experience
The Spark Room will be open for 2 weeks after Cisco Live
Shameless Plug
Recommended Reading
Buy our books, help us afford more beer!
http://amzn.com/1587144263
http://a.co/5h1W1zK
http://a.co/iir9D6E
Please Fill Out The Survey!
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
For Your Reference
Step-by-Step Configuration of pxGrid, Cert Portal, Firepower Manager, Stealthwatch & WSA Integration
Context Sharing
Deployment Notes
• You can do CSRs one at a time, but Bulk Download works well, too.
• Pro tip: don't bother with CSRs, just generate certificate pairs from the portal. (The private key is then generated on ISE and delivered in the downloaded bundle, so handle that bundle and its password as a secret.)
• Best practice, follow an order of operations:
• Don't enable pxGrid until all nodes have a pxGrid certificate.
• Wait for all the services to come up on the 1st PSN before you enable pxGrid on the 2nd PSN
Context Sharing
[Screenshots: pxGrid certificate portal (https://certs246.securitydemo.net) and the ISE CA Certificates page]
Context Sharing
For Cleanliness
For Your Reference
After services start, PAN & MnT will automatically publish topics
Context Sharing
Configuring Stealthwatch 6.9 with ISE-PIC / ISE
Context Sharing
A .zip file will be created. Unzip this file to access the .p12 file.
Note: You may need to unblock pop-up windows for the download
Context Sharing
IMPORTANT: Scroll to the Upload PKCS12 Bundle section to create a friendly name, add the password and upload the .p12 file.
For Your Reference
FMC Configuration Example
Context Sharing
Use the ISE Root CA for the pxGrid servers & the MnT server
Context Sharing
Success
firesightisetest-sourcefire3d = the Test Subscription (test button)
iseagent-sourcefire3d = the FMC's production connection
For Your Reference
WSA Configuration Example
Context Sharing
Use the same ISE Root CA cert for both Monitoring Nodes
Install the WSA's pxGrid cert & key from the ISE CA
Success
- pxgrid_client = the WSA's production connection
- Test_client = the WSA's test connection